• Welcome to Valhalla Legends Archive.
 

0x4A?

Started by Registered, August 14, 2004, 05:07 PM

Previous topic - Next topic

Registered

Does anyone know what the bnet packet 0x4A does?  It's not on Bnetdocs, and i have no clue what it is. I've only started getting it a few days ago, so i'm guessing that bnet is sending a new packet.

Heres what i get:


[6:05:51 PM] Unhandled packet 0x4A
[6:05:51 PM] Packet data:
0000:  FF 4A 16 00 49 58 38 36 45 78 74 72 61 57 6F 72   ÿJ.IX86ExtraWor
0010:  6B 2E 6D 70 71 00                                 k.mpq...........


It looks like it contains some information on a file called ExtraWork.mpq.

I was also connecting with Starcraft Brood War at the time.

If i'm wrong about this packet, please tell me.

BaDDBLooD

#1
battle.net sends this packet every once in a while for a week or so at a time.  I am pretty sure the packet is used to collect information on the computer's used to play there games; in order to enhance and make there games more compatibile.  There is documentation on how to handle this packet, you just have to search for it.  

I hope i helped

- BaDDBLooD
There are only two kinds of people who are really fascinating: people who know absolutely everything, and people who know absolutely nothing.

Registered

Oh, i get it now.

Thanks BaDDBLooD  ;D.

BaDDBLooD

There are only two kinds of people who are really fascinating: people who know absolutely everything, and people who know absolutely nothing.

LordNevar

This file regards mostly to Diablo II, as for the other games I'm not real sure why they need it but it's Battle.net who knows what they think. This file is used in Diablo II to detect what hacks if any you have running when you connect to battle.net or use after connection, basically it's looking to see who has altered the game in there favor. Pretty handy if you ask me. They only use it once a month on Diablo II as far as I know, I know there using it again now only cause godmode is out, and as usual they intend to stop it.

A good fortune may forbode a bad luck, which may in turn disguise a good fortune.
The greatest trick the Devil ever pulled, was convincing the world he didn't exsist.

Soul Taker

Quote from: LordNevar on August 14, 2004, 06:06 PM
This file regards mostly to Diablo II, as for the other games I'm not real sure why they need it but it's Battle.net who knows what they think. This file is used in Diablo II to detect what hacks if any you have running when you connect to battle.net or use after connection, basically it's looking to see who has altered the game in there favor. Pretty handy if you ask me. They only use it once a month on Diablo II as far as I know, I know there using it again now only cause godmode is out, and as usual they intend to stop it.
And you pulled this all out the air or what?

BaDDBLooD

Quote from: Soul Taker on August 14, 2004, 06:13 PM
Quote from: LordNevar on August 14, 2004, 06:06 PM
This file regards mostly to Diablo II, as for the other games I'm not real sure why they need it but it's Battle.net who knows what they think. This file is used in Diablo II to detect what hacks if any you have running when you connect to battle.net or use after connection, basically it's looking to see who has altered the game in there favor. Pretty handy if you ask me. They only use it once a month on Diablo II as far as I know, I know there using it again now only cause godmode is out, and as usual they intend to stop it.
And you pulled this all out the air or what?

Yeah, spill!
There are only two kinds of people who are really fascinating: people who know absolutely everything, and people who know absolutely nothing.

pianka

I always thought this had something to do with WAR3/W3XP though I may be mistaken.

Falcon[anti-yL]

Its for all the clients.

Eric

#9
Quote from: Registered on August 14, 2004, 05:07 PM
Does anyone know what the bnet packet 0x4A does?  It's not on Bnetdocs, and i have no clue what it is. I've only started getting it a few days ago, so i'm guessing that bnet is sending a new packet.

Heres what i get:


[6:05:51 PM] Unhandled packet 0x4A
[6:05:51 PM] Packet data:
0000:  FF 4A 16 00 49 58 38 36 45 78 74 72 61 57 6F 72   ÿJ.IX86ExtraWor
0010:  6B 2E 6D 70 71 00                                 k.mpq...........


It looks like it contains some information on a file called ExtraWork.mpq.

I was also connecting with Starcraft Brood War at the time.

If i'm wrong about this packet, please tell me.

Quote from: LordNevar on August 14, 2004, 06:06 PM
This file regards mostly to Diablo II, as for the other games I'm not real sure why they need it but it's Battle.net who knows what they think. This file is used in Diablo II to detect what hacks if any you have running when you connect to battle.net or use after connection, basically it's looking to see who has altered the game in there favor. Pretty handy if you ask me. They only use it once a month on Diablo II as far as I know, I know there using it again now only cause godmode is out, and as usual they intend to stop it.

IX86ExtraWork.dll, which is extracted from IX86ExtraWork.mpq after it's downloaded from BNFTP, is used to gather system information for diagnostic reports and it doesn't have the ability to do anything other than that.  This is stated by Blizzard clients after installing a patch at which point you are given the option to allow or deny the sending of this information.
All Blizzard products that still undergo patching can receive the 0x4A packet which is usally only sent after a patch has been released for one or more of them.

For further information:
Search -> "0x4A"
Search -> "ExtraWork"

LordNevar

     Actually this involves all games, but it's main focus and point of discussion is on Diablo II. No I did not pull this out of the air. This file has been the center of attention in the Diablo II community since the release of 1.10.  Now whether or not this file is actually used in hack detection in the game clients, or does as stated by Userlooser just report OS information to Battle.net is not counted out. The real actuality of this file is unknown, and continues to be unless Battle.net spills the beans on it. Although it does report information to Battle.net, doesn't mean it can't be used for anything else. I.E. - Hack Detection, reading alterations in the games memory, and being able to shut it off, or deny connection to Battle.net.
    The only reason this file has made the attention of alot of people in the Diablo II community is cause it seems to come in play alot when a new multi-spread exploit leaks to the public eye that gives a big disadvantage over other players, and drastically alters online play for Diablo II players. I.E. - Godmode which was publicly released and shortly after our mysterious Extrawork came back into play.

A good fortune may forbode a bad luck, which may in turn disguise a good fortune.
The greatest trick the Devil ever pulled, was convincing the world he didn't exsist.

iago

The file is for all games.  And it's for sending Battle.net stastics about the people who are using it.  Officially.

There are rumours that it is also being used, now, to detect cheating.  I don't know of anybody who has confirmed this yet.

Skywing once had a special viewer that shows you the info it would send to battle.net, but I don't know where to find it.
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Soul Taker

Why don't you just... check for yourself?  And I always loved how Blizzhackers went crazy after 1.10 and suddenly noticed it.  It was in use long before 1.10, and never had anything to do with hacks.

UserLoser.

#13
Quote from: iago on August 14, 2004, 10:36 PM
The file is for all games.  And it's for sending Battle.net stastics about the people who are using it.  Officially.

There are rumours that it is also being used, now, to detect cheating.  I don't know of anybody who has confirmed this yet.

Skywing once had a special viewer that shows you the info it would send to battle.net, but I don't know where to find it.

http://www.valhallalegends.com/pub/IX86ExtraWork.zip

No, it's not for all games.  Only Warcraft3, Starcraft, and Diablo II. Older versions (1.03) supported World of Warcraft too, but that's now gone in 1.06.  

Quote from: LordNevar on August 14, 2004, 06:06 PM
This file regards mostly to Diablo II, as for the other games I'm not real sure why they need it but it's Battle.net who knows what they think. This file is used in Diablo II to detect what hacks if any you have running when you connect to battle.net or use after connection, basically it's looking to see who has altered the game in there favor. Pretty handy if you ask me. They only use it once a month on Diablo II as far as I know, I know there using it again now only cause godmode is out, and as usual they intend to stop it.

Way off buddy. I've said this about 30 times too much throughout other forums: prove that this is related to hacks/detection/whatever you claim, because from what I, friends, and others have seen; it is nothing but a simple survey of information on your system.  IIRC, there was even a thread on BlizzHackers.com talking about how bad 0x33 (SID_GETFILETIME) is, wtf?

Don't spread rumors if you have no proof or evidence.  My proof: disassemble IX86ExtraWork.dll.

iago

Quote from: Kk)Blaze(kK on August 15, 2004, 03:14 AM
This packet is only sent if you left the check on when patching. There is no reason to belive that Blizzard is using it as an Anti-Hack. Blizzard could just do that when starting a game (joined game and it starts). Rumours are bad to start just like userloser. said...
Yeah, because the server knows which option you chose, so it knows whether or not to send it.  Duh.


UserLoser -- I've heard unconfirmed rumours that, shortly before they do a round of bans, IX86ExtraWork.dll is changed  for a couple days.  These are unsubstantiated, though.
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*