D2GS Packet Research

Started by Ringo, June 02, 2005, 07:09 PM


LivedKrad

So basically, the 0xAE packet is just a plaintext list of "no no DLLs" that have been encrypted with the RC4 cipher?

l2k-Shadow

I'm sure this has already been covered but I spent about 30 minutes working with 0x68, the response to the 0xAE (now 0xAF) packet, and came out with the following, and so far working, conclusion that I posted in a comment on bnetdocs.

http://bnetdocs.valhallalegends.com/content.php?Section=m&Code=447

Hope that helps updating your bot.
Quote from: replaced on November 04, 2006, 11:54 AM
I dunno what it means, someone tell me what's ix86 and pmac?
Can someone send me a working bot source (with bnls support) to my email?  Then help me copy and paste it to my bot? ;D
I was meant to live here,
To eat boiled pork and horseradish and drink beer with it.
Over there, they say, you'd live like a pig in clover,
I don't want to be knocked on my ass in front of anyone.

I'm not from the USA, I'm not from the USA, I'm really not from the USA... and hopefully they won't be mad at me for that.

dxoigmn

#47
Quote from: l2k-Shadow on August 10, 2005, 04:08 PM
I'm sure this has already been covered but I spent about 30 minutes working with 0x68, the response to 0xAE (now 0xAF)  packet and came out with the following, and so far working, conclusion that I posted in comment on bnetdocs.

http://bnetdocs.valhallalegends.com/content.php?Section=m&Code=447

Hope that helps updating your bot.

Just some notes: 0x91A519B6 is hardcoded into the game. 0xED5DCC50 results from calling Fog.dll#10227 and then doing some arithmetic on the return value to get the value. As for the extra bytes in the username, I doubt they matter much. You could probably get away with filling in the rest of the bytes with nulls. There just need to be 16 bytes, since there are no packet lengths and thus the length of the packet must be fixed.

l2k-Shadow

All true, but that's the way the client does it so I'd figure it'd be best to do it that way.

hi.times

I'm getting a timeout after about 15-20 seconds in game. I'm assuming this is due to not sending the 0x66 warden packet, or am I the only one?

I tried filling the packet with nulls, with the same result. Through debugging and assembler analysis, I was able to locate a few different functions which are involved with sending 0x66; however, I have not yet determined the specific code to generate the data contents.

From what I have seen, the format is this.

BYTE      0x66  - Packet ID
BYTE      XX    - Variable data size, usually 5.
BYTE      00    - Null
VARIABLE        - Data contents

As mentioned earlier in this thread, this packet is sent in response to 0xAE. I will continue my analysis, and attempt to reverse the functions used to generate this packet.


dxoigmn

Quote from: hi.times on August 12, 2005, 09:20 AM
I'm getting a timeout after about 15-20 seconds in game. I'm assuming this is due to not sending the 0x66 warden packet, or am I the only one?

I tried filling the packet with nulls, with the same result. Through debugging and assembler analysis, I was able to locate a few different functions which are involved with sending 0x66; however, I have not yet determined the specific code to generate the data contents.

From what I have seen, the format is this.

BYTE      0x66  - Packet ID
BYTE      XX    - Variable data size, usually 5.
BYTE      00    - Null
VARIABLE        - Data contents

As mentioned earlier in this thread, this packet is sent in response to 0xAE. I will continue my analysis, and attempt to reverse the functions used to generate this packet.

Have any offsets others can take a look at?

hi.times

#51
I did a few stack traces, and came up with these. I'm detailing the stack from top to bottom order.

This is all in d2client.dll

I detected a complete 0x66 packet was constructed in this procedure and passed
as the first argument to *D2Client.6FB23260*, which in turn just passes it to the d2net send procedure. ESP is a pointer to the packet buffer, so when you see [ESP+X] dereference statements it's accessing the packet buffer.


6FB235A0  /$ 55             PUSH    EBP
6FB235A1  |. 8BEC           MOV     EBP, ESP
6FB235A3  |. 83E4 F8        AND     ESP, FFFFFFF8
6FB235A6  |. 81EC 04020000  SUB     ESP, 204
6FB235AC  |. 85C9           TEST    ECX, ECX
6FB235AE  |. 53             PUSH    EBX
6FB235AF  |. 56             PUSH    ESI
6FB235B0  |. 57             PUSH    EDI
6FB235B1  |. 7C 4C          JL      SHORT D2Client.6FB235FF
6FB235B3  |. 81F9 FD010000  CMP     ECX, 1FD
6FB235B9  |. 7F 44          JG      SHORT D2Client.6FB235FF
6FB235BB  |. 8D59 03        LEA     EBX, DWORD PTR [ECX+3]
6FB235BE  |. 81FB 00020000  CMP     EBX, 200
6FB235C4  |. 76 07          JBE     SHORT D2Client.6FB235CD
6FB235C6  |. 68 43040000    PUSH    443
6FB235CB  |. EB 37          JMP     SHORT D2Client.6FB23604
6FB235CD  |> 8B75 08        MOV     ESI, DWORD PTR [EBP+8]
6FB235D0  |. 66:894C24 11   MOV     WORD PTR [ESP+11], CX
6FB235D5  |. 8BC1           MOV     EAX, ECX
6FB235D7  |. C1E9 02        SHR     ECX, 2
6FB235DA  |. C64424 10 66   MOV     BYTE PTR [ESP+10], 66                    ; Packet ID
6FB235DF  |. 8D7C24 13      LEA     EDI, DWORD PTR [ESP+13]
6FB235E3  |. F3:A5          REP     MOVS DWORD PTR ES:[EDI], DWORD P>
6FB235E5  |. 8BC8           MOV     ECX, EAX
6FB235E7  |. 83E1 03        AND     ECX, 3
6FB235EA  |. F3:A4          REP     MOVS BYTE PTR ES:[EDI], BYTE PTR>
6FB235EC  |. 8D4C24 10      LEA     ECX, DWORD PTR [ESP+10]
6FB235F0  |. 51             PUSH    ECX                              ; Complete 0x66 packet pointer
6FB235F1  |. E8 6AFCFFFF    CALL    D2Client.6FB23260                ; Calls d2net.dll send function
6FB235F6  |. 5F             POP     EDI
6FB235F7  |. 5E             POP     ESI
6FB235F8  |. 5B             POP     EBX
6FB235F9  |. 8BE5           MOV     ESP, EBP
6FB235FB  |. 5D             POP     EBP
6FB235FC  |. C2 0400        RETN    4


Now this is the procedure preceding the one above in the call stack.


6FB02A30   . 8B4424 04      MOV     EAX, DWORD PTR [ESP+4]
6FB02A34   . 8B4C24 08      MOV     ECX, DWORD PTR [ESP+8]
6FB02A38   . 50             PUSH    EAX
6FB02A39   . E8 620B0200    CALL    D2Client.6FB235A0


It just appears to set up the various registers. Note EAX contains a pointer to the actual data portion of the 0x66 packet, and ECX was 5 (the length of the data when I debugged it).

This is the last procedure I managed to trace back to; it gets a little hazy around here. When I was stepping through the code it was jumping around quite a lot, and seemed to lead to dead ends. But I'm pretty sure this has something to do with it.

I just need to spend some more time analysing it, but if anyone else wants to help, that would be great; the more brains the better.


6FB02E10  /$ 51             PUSH    ECX
6FB02E11  |. A1 10C3BC6F    MOV     EAX, DWORD PTR [6FBCC310]
6FB02E16  |. 85C0           TEST    EAX, EAX
6FB02E18  |. 0F84 83000000  JE      D2Client.6FB02EA1
6FB02E1E  |. 56             PUSH    ESI
6FB02E1F  |. 90             NOP
6FB02E20  |> A1 0CC3BC6F    /MOV     EAX, DWORD PTR [6FBCC30C]
6FB02E25  |. 85C0           |TEST    EAX, EAX
6FB02E27  |. 74 36          |JE      SHORT D2Client.6FB02E5F
6FB02E29  |. 8B48 0C        |MOV     ECX, DWORD PTR [EAX+C]
6FB02E2C  |. 8B01           |MOV     EAX, DWORD PTR [ECX]
6FB02E2E  |. FF50 04        |CALL    DWORD PTR [EAX+4]
6FB02E31  |. 8B35 0CC3BC6F  |MOV     ESI, DWORD PTR [6FBCC30C]
6FB02E37  |. E8 248A0300    |CALL    D2Client.6FB3B860
6FB02E3C  |. A1 0CC3BC6F    |MOV     EAX, DWORD PTR [6FBCC30C]
6FB02E41  |. 85C0           |TEST    EAX, EAX
6FB02E43  |. 8BF0           |MOV     ESI, EAX
6FB02E45  |. 74 18          |JE      SHORT D2Client.6FB02E5F
6FB02E47  |. 50             |PUSH    EAX
6FB02E48  |. E8 43FBFAFF    |CALL    D2Client.6FAB2990
6FB02E4D  |. 6A 00          |PUSH    0
6FB02E4F  |. 68 17010000    |PUSH    117
6FB02E54  |. 68 6061B86F    |PUSH    D2Client.6FB86160               ;  ASCII "..\Source\D2Client\WARDEN\WardenClient.cpp"
6FB02E59  |. 56             |PUSH    ESI
6FB02E5A  |. E8 2D8FFBFF    |CALL    <JMP.&Storm.#403>
6FB02E5F  |> A1 10C3BC6F    |MOV     EAX, DWORD PTR [6FBCC310]
6FB02E64  |. B9 EC9DBA6F    |MOV     ECX, D2Client.6FBA9DEC
6FB02E69  |. A3 0CC3BC6F    |MOV     DWORD PTR [6FBCC30C], EAX
6FB02E6E  |. C705 10C3BC6F >|MOV     DWORD PTR [6FBCC310], 0
6FB02E78  |. 8D70 0C        |LEA     ESI, DWORD PTR [EAX+C]
6FB02E7B  |. FF50 10        |CALL    DWORD PTR [EAX+10]
6FB02E7E  |. 8B0D F448B96F  |MOV     ECX, DWORD PTR [6FB948F4]
6FB02E84  |. 8906           |MOV     DWORD PTR [ESI], EAX
6FB02E86  |. 894C24 04      |MOV     DWORD PTR [ESP+4], ECX
6FB02E8A  |. 8B0E           |MOV     ECX, DWORD PTR [ESI]
6FB02E8C  |. 8B11           |MOV     EDX, DWORD PTR [ECX]
6FB02E8E  |. 6A 04          |PUSH    4
6FB02E90  |. 8D4424 08      |LEA     EAX, DWORD PTR [ESP+8]
6FB02E94  |. 50             |PUSH    EAX
6FB02E95  |. FF12           |CALL    DWORD PTR [EDX]
6FB02E97  |. A1 10C3BC6F    |MOV     EAX, DWORD PTR [6FBCC310]
6FB02E9C  |. 85C0           |TEST    EAX, EAX
6FB02E9E  |.^75 80          \JNZ     SHORT D2Client.6FB02E20
6FB02EA0  |. 5E             POP     ESI
6FB02EA1  |> 59             POP     ECX
6FB02EA2  \. C3             RETN
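
An added example, written for this thread and not code from the game or from any poster, that mirrors in C what D2Client.6FB235A0 above does with the 0x66 packet: the same three-byte header (id, then the length as a little-endian WORD, which is why the third byte is normally null), the same 0x1FD / 0x200 bounds checks, and a matching header parser for captured packets. The sample payload bytes and the function names are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Stack buffer size in 6FB235A0 (SUB ESP, 204 / CMP EBX, 200). */
#define WARDEN_PKT_MAX  0x200
/* Largest payload the routine accepts (CMP ECX, 1FD / JG). */
#define WARDEN_DATA_MAX 0x1FD

/* Build a 0x66 packet into out (at least WARDEN_PKT_MAX bytes).
 * Layout follows the stack writes in the disassembly:
 *   [ESP+10] = 0x66          packet id
 *   [ESP+11] = CX (WORD)     payload length, little-endian
 *   [ESP+13] = payload       REP MOVSD then REP MOVSB copy
 * Returns the total length, or -1 where the client bails out
 * (negative length, or length above 0x1FD; the client pushes
 * error 0x443 on the size check). */
int build_warden_0x66(const uint8_t *data, int len, uint8_t *out)
{
    if (len < 0 || len > WARDEN_DATA_MAX)   /* TEST/JL and CMP/JG */
        return -1;
    int total = len + 3;                    /* LEA EBX, [ECX+3] */
    if (total > WARDEN_PKT_MAX)             /* CMP EBX, 200 / JBE */
        return -1;
    out[0] = 0x66;
    out[1] = (uint8_t)(len & 0xFF);
    out[2] = (uint8_t)((len >> 8) & 0xFF); /* 0 for the usual 5-byte data */
    memcpy(out + 3, data, (size_t)len);
    return total;
}

/* Decode the header of a captured 0x66 packet. Returns the payload
 * length, or -1 if the id or size field does not match buf_len. */
int parse_warden_0x66(const uint8_t *buf, int buf_len)
{
    if (buf_len < 3 || buf[0] != 0x66)
        return -1;
    int len = buf[1] | (buf[2] << 8);
    if (len > WARDEN_DATA_MAX || len + 3 != buf_len)
        return -1;
    return len;
}

/* Constructed sample: a 5-byte payload, the size hi.times saw in ECX. */
static const uint8_t SAMPLE_DATA[5] = {0x01, 0x02, 0x03, 0x04, 0x05};
static uint8_t g_pkt[WARDEN_PKT_MAX];

/* Builds the sample packet into g_pkt; returns its length (8). */
int build_sample_packet(void) { return build_warden_0x66(SAMPLE_DATA, 5, g_pkt); }
```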

LivedKrad

According to monitoring decompressed packets I receive, I never see 0xAE at all. Is there something I'm doing wrong?

NetNX

#53
Definitely.

LivedKrad

Additionally, the 0x6D ping packet sent to me by Arta (from shadow) seems to be wrong. The data my Diablo 2 sends is:

(DWORD) TC
(DWORD) Unknown - (not null)
(DWORD) NULL

hi.times

#55
Quote from: LivedKrad.fe on August 13, 2005, 08:19 PM
Additionally, the 0x6D ping packet sent to me by Arta (from shadow) seems to be wrong. The data my Diablo 2 sends is:

(DWORD) TC
(DWORD) Unknown - (not null)
(DWORD) NULL

That's the new 0x6D format. I have found from packet logging that the first byte of the second DWORD contains a value, and the remaining 3 BYTES are null. So this is the format I use.

(BYTE)  0x6D    - ID
(DWORD) Random  - Cookie
(DWORD) Random  - First byte has a value, the rest are nulls.
(DWORD) Null    - Unknown

I believe you have to update the ping format, and send the new 0x66 warden packet to stay in the game.

LivedKrad

So you must send the 0x66 packet? I thought 0xAE was received first and then replied to..
Again I'm not sure, because I actually never receive 0xAE, so maybe I'm supposed to send 0x66 first?

hi.times

Quote from: LivedKrad.fe on August 14, 2005, 10:37 AM
So you must send the 0x66 packet? I thought 0xAE was received first and then replied to..
Again I'm not sure, because I actually never receive 0xAE, so maybe I'm supposed to send 0x66 first?

You send 0x66 once you have entered a game, and receive compressed content containing 0xAE. You should receive it about every 5 seconds, around about the same interval used for the 0x6D keepalive.

If you are not receiving 0xAE, you have 2 possible problems, either you did not successfully enter the game, or a problem exists with your decoding/parsing routines.

NetNX

Quote from: hi.times on August 14, 2005, 11:09 AM
Quote from: LivedKrad.fe on August 14, 2005, 10:37 AM
So you must send the 0x66 packet? I thought 0xAE was received first and then replied to..
Again I'm not sure, because I actually never receive 0xAE, so maybe I'm supposed to send 0x66 first?

You send 0x66 once you have entered a game, and receive compressed content containing 0xAE. You should receive it about every 5 seconds, around about the same interval used for the 0x6D keepalive.

If you are not receiving 0xAE, you have 2 possible problems, either you did not successfully enter the game, or a problem exists with your decoding/parsing routines.

Exactly; this kinda makes me want to learn asm... I feel so incapable :'(

Michael

Why do we need to know about D2 game packets? I mean, who really wants to play that old crappy game anymore, let alone waste time making bots and/or hacks for it -.-
