I need help decompressing D2 packets

Juniper · June 08, 2006, 07:54 AM

I don't like to bounce threads, but I'm really stuck without some help on my previous post

Can anyone help me out?

thanks,
J

Sorc.Polgara · June 08, 2006, 10:50 AM

Meh, your name reminds me of the Cartoon Network show with the Asian girl Juniper Lee T_T;

Yegg · June 08, 2006, 02:36 PM

Quote from: Sorc.Polgara on June 08, 2006, 10:50 AM
Meh, your name reminds me of the Cartoon Network show with the Asian girl Juniper Lee T_T;

Why not send him a private message saying that instead of adding a useless post to this thread?

Warrior · June 08, 2006, 03:05 PM

Yea you're going to send a PM with something as dumb as that, I'd rather make an OT post.

Yegg · June 08, 2006, 03:33 PM

Quote from: Warrior on June 08, 2006, 03:05 PM
Yea you're going to send a PM with something as dumb as that, I'd rather make an OT post.

If it's going to be a stupid post then why do we all need to se it? There are so many stupid posts out there by many people, not necessarily you, but I see them from quite the variety of people. If it "must" be said, then they should just PM it to the other user.

Ringo · June 08, 2006, 04:04 PM

Juniper, check out this post (the packet dumps), it might help you get your head round it.

Spilled · June 09, 2006, 09:05 PM

I honestly dont know why this post is still alive, as shadow as already said. If you do get into a game the warden client will kick you out within a minute so what is the point? I've already been through all of this before and it's just a dead end. There is plenty of post of helping you with decompression around the forum. Read.

Warrior · June 10, 2006, 05:42 AM

Quote from: Yegg on June 08, 2006, 03:33 PM
Quote from: Warrior on June 08, 2006, 03:05 PM
Yea you're going to send a PM with something as dumb as that, I'd rather make an OT post.

If it's going to be a stupid post then why do we all need to se it? There are so many stupid posts out there by many people, not necessarily you, but I see them from quite the variety of people. If it "must" be said, then they should just PM it to the other user.

I'd much rather have it as an offtopic post. If someone would PM me "Wow your name sounds like xxxxx" I'd think they were weird stalkers..

Sorc.Polgara · June 10, 2006, 11:11 AM

Yegg, you need to chill out bro. I don't see a mod tag under your name so stfu. You remind me of a uptight bastard I know.

teK · June 10, 2006, 11:38 AM

Quote from: Spilled on June 09, 2006, 09:05 PM
I honestly dont know why this post is still alive, as shadow as already said. If you do get into a game the warden client will kick you out within a minute so what is the point? I've already been through all of this before and it's just a dead end. There is plenty of post of helping you with decompression around the forum. Read.

There are many ways to get around Warden..Ringo posted one here.

Juniper · June 12, 2006, 04:03 PM

Hi everybody,

Something else/new is bothering me at the moment. I am happily decompressing/decoding a lot of D2 packets already, but every
now and then I stumble on a packet that throws everything out of wack.
Let me paint you some context.

Here are 2 subsequent D2 payloads that my capture prog (tcpdump) is feeding into my script. I feel I should mention that I am
looking at traffic coming from b.net on TCP port 4000 (so D2GS S>C traffic).

OK, here come the packets:

Code Select

[D2 PAYLOAD] 12 44 02 8f ad 40 ba 22 e1 f5 a8 17 44 3f 9f 5a 81 70

Code Select

[D2 PAYLOAD] f2 05 04 60 c8 3f 07 02 8b 30 4c 6a 3e 1b 2d 35 0d c2 a6 08 5c 19 07 e0 e0 51 48 ac 35 ba b0 64 1f 83 81 44 c0 13 1a 8f 86 da

Code Select

[D2 PAYLOAD] 0c 2f 05 e1 e0 32 00 a2 c8 0b 1e 1c

Code Select

[D2 PAYLOAD] 1a 52 08 81 a0 65 2f b8 56 35 04 06 cf 4a 2c d8 2f 05 c7 0c 00 28 64 31 00 ce

SO we have 4 packet payloads here. They are the data portions of 4 TCP segments following eachother in the TCP flow coming from port 4000.
The size byte of our first packet is 0x12, which is 17 decimal, so everything is there. I am decoding this to:

Code Select

DECODE] 07 88 03 80 04 02 07 90 03 80 04 02 07 98 03 80 04 02 (18 bytes)
And then splitting it into real D2 packets:

Code Select

[DECODE] SPLIT: 07 88 03 80 04 02 (6 bytes) = [ACTION] MAPADD (= 07)
[DECODE] SPLIT: 07 90 03 80 04 02 (6 bytes) = [ACTION] MAPADD (= 07)
[DECODE] SPLIT: 07 98 03 80 04 02 (6 bytes) = [ACTION] MAPADD (= 07)

This completes the processing of our first payload. Untill now, everything for me looks OK (of course, please correct me if I am wrong).

OK, now, our next payload:

Code Select

[D2 PAYLOAD] f2 05 04 60 c8 3f 07 02 8b 30 4c 6a 3e 1b 2d 35 0d c2 a6 08 5c 19 07 e0 e0 51 48 ac 35 ba b0 64 1f 83 81 44 c0 13 1a 8f 86 da

The first byte is greater than 0xF0, thus we use the first 2 bytes to calculate the size. I won't go into details here, since all of you are familiar with how it's done, but the size calculated from 0xF2 0x05 is 517.
Now, we only have 40 bytes here, so to get to our 517, I will have to append some packets to this one, before I actual start to decode/decompress it. I do this (with more packets than the 3 in my example, since those 3 don't add up to 517 yet, I just didn't want to spam too much).

About 5 seconds (and a lot of TCP segments) later I have enough bytes to make it add up to 517.
The end result is:

Code Select

[DECODE] [DEBUG] Was passed array 'f2 05 04 60 c8 3f 07 02 8b 30 4c 6a 3e 1b 2d 35 0d c2 a6 08 5c 19 07 e0 e0 51 48 ac 35 ba b0 64 1f 83 81 44 c0 13 1a 8f 86 da 0c 2f 05 e1 e0 32 00 a2 c8 0b 1e 1c 1a 52 08 81 a0 65 2f b8 56 35 04 06 cf 4a 2c d8 2f 05 c7 0c 00 28 64 31 00 ce 1a 52 41 82 f1 dc 77 70 72 6a 09 cd 9e 94 59 b0 5e 0b 63 c0 5c 46 31 98 8f 30 07 1f 7f ff ff ff c0 19 52 08 81 a0 65 2f b8 53 35 03 c6 cf 4a 2c d8 2f 05 a7 0b 28 c6 23 13 ee 11 52 14 00 50 e6 5d 70 94 6a 0d 0d 9e 94 79 94 80 09 04 10 a0 02 87 32 e9 2c 67 44 b4 fa d4 0b a2 5a 7c 05 20 5d 12 d3 e5 c4 0b a4 70 d6 09 82 88 30 48 e1 a8 0c 03 41 71 23 86 71 40 77 04 c9 1c 31 83 40 5c 04 61 40 05 0e 65 d2 a3 86 53 50 6a 6c b4 8e 03 cf 9d 8f fc 89 01 a0 7c 5c 30 04 2e 14 00 50 e6 5d 0e 43 f1 15 6a 20 f9 21 1a 52 08 83 f0 dc 86 70 60 6a 05 4d 9e 94 59 b0 5e 0b 0e 44 00 a0 06 62 bb 80 10 52 08 81 a0 65 2f b9 10 6a 06 cd 9e 94 59 b0 0f 2e 83 20 0e 18 09 c3 a2 d1 28 79 09 0b e0 10 52 08 81 a0 65 2f b9 0e 6a 07 8d 9e 94 59 b0 10 52 41 82 f1 dc 77 70 74 6a 0a 8d 9e 94 59 b0 23 03 f0 a0 02 87 32 e9 a9 2c 36 1d 90 03 12 20 33 03 d2 28 e8 ba 0c 80 38 5c 27 0e 8b 44 a1 e4 24 2f 80 10 52 0d 8b ad 81 47 0a 86 a0 6c d9 e9 45 9b 00 34 02 b3 63 46 c1 68 5e 18 0d 0e c8 08 ca 64 25 8f 21 21 74 a2 1a 14 0a c8 30 5e 3b 8e e8 c1 d1 a8 2a 36 4a 94 d6 14 00 50 e6 1a 58 14 00 50 e6 5d 09 46 a0 d0 d9 69 74 19 80 70 c4 4e 1d 16 89 43 c8 48 5f 10 52 08 83 f0 dc 86 70 5e 6a 05 4d 9e 94 59 b0 10 52 0d 8b ad 81 47 0a 46 a0 70 d9 e9 45 9b 00 10 52 08 81 a0 65 2f b9 10 6a 08 4d 9e 94 59 b0 1f 52 14 00 50 e6 5d 72 18 d4 0f 1b 3d' for processing

So now the above packet is decoded to:

Code Select

[DECODE] AC BD 2A C5 41 13 00 AF 11 8A 16 80 11 1C E4 00 00 AA 01 BD 2A C5 41 0A 69 FE 01 69 BD 2A C5 41 09 AF 11 8A 16 00 00 04 00 00 EF EF 81 F6 88 63 8B 81 01 BF 00 0A 32 FB 65 97 01 E6 11 A9 16 01 00 0D 4B 00 05 96 ED 01 F2 88 61 0B 84 01 FC 0A 00 BB 02 00 7F 7F 01 C6 11 B1 16 01 00 0D 4B 00 05 96 EC 81 ED 08 60 0B 82 00 5C 00 8F 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5C 52 00 AB BF F7 97 01 E3 11 A7 16 01 00 0D 4B 00 05 96 EB 01 EA 08 5F 0B 03 01 D3 0A 45 88 7A 95 01 D8 11 BF 16 01 00 0D 82 00 4D 4F B0 D0 00 2F 00 06 00 00 0C 00 00 00 0A 00 05 00 00 1F 30 15 00 00 80 04 02 07 80 03 88 04 02 07 80 03 90 04 02 0A 01 FE AF DF BB 0A 01 FD 9F BF 57 0A 01 FA 3F 7F AF 0A 01 F5 BF B9 94 00 DE 88 7A 95 52 01 F7 11 C1 16 80 19 91 03 20 98 00 00 00 E8 8D A8 57 09 AA 01 DE 88 7A 95 22 2A 33 80 07 29 0A 0E 00 4D D2 93 75 06 00 18 09 11 9C 16 01 00 0D 4B 00 05 96 E9 01 E2 88 5C 0B 02 01 4F B3 AB BF F7 97 01 E2 11 A4 16 01 00 0D 4B 00 05 C9 00 01 04 00 00 A0 18 05 DC 7C 80 38 82 D6 02 00 00 71 42 D2 FB 65 97 01 E0 11 A7 16 01 00 0D 4B 00 05 CF 0A 00 BB 02 00 7F 7F 01 C7 11 B4 16 01 00 0D 4B 00 05 34 CC DE 88 7A 95 11 30 1B 7E 04 BC E2 F9 CA F0 1F 95 BD 85 ED 40 7C 80 38 82 D6 02 00 00 4F B3 C3 95 FF 9B 01 E4 11 A4 16 01 00 0D 4B 00 05 8D 7B 13 00 05 00 00 08 05 64 5A 5D 10 20 A0 00 65 0C 39 82 D6 02 0D 2E 06 04 69 B8 BA 7F 7F 08 C7 11 B4 16 0D 0D 11 00 DE 88 7A FC 05 3F 88 7A 95 D8 11 BF 16 80 95 BE 85 F4 40 7C 80 38 82 D6 02 00 00 2C 0A 32 93 75 06 00 18 96 14 00 9C 16 01 00 0D 4B 00 05 CF 0A 73 02 80 00 9B 01 E1 11 A5 16 01 00 0D 4B 00 05 71 42 D2 FB 65 97 01 E2 11 AA 16 01 00 0D 4B 00 05 29 00 0A 45 88 7A 95 01 CE 11 A7 16 01 00 (566 bytes)

And then I start splitting it up:

Code Select

[ACTION] [DEBUG] The action ID is AC which has the length of 17 bytes.
[DECODE] SPLIT: AC BD 2A C5 41 13 00 AF 11 8A 16 80 11 1C E4 00 00 (17 bytes)
[ACTION] COMASIGNMENT - A computer player has been  assigned a location in our view (= AC) 

[ACTION] [DEBUG] The action ID is AA which has the length of 10 bytes.
[DECODE] SPLIT: AA 01 BD 2A C5 41 0A 69 FE 01 (10 bytes)
[ACTION] COMINFOADD - An object came into our 4 screen view (= AA)

[ACTION] [DEBUG] The action ID is 69 which has the length of 12 bytes. 
[DECODE] SPLIT: 69 BD 2A C5 41 09 AF 11 8A 16 00 00 (12 bytes)
[ACTION] COMSTATEASIGN - A computer player stats have changed (= 69)

[ACTION] [DEBUG] The action ID is 04 which has the length of 1 bytes.
[DECODE] SPLIT: 04 (1 bytes) 
[ACTION] Message ID 04: *** UNKNOWN ***

[ACTION] [DEBUG] The action ID is 00 which has the length of 1 bytes.
[DECODE] SPLIT: 00 (1 bytes)
[ACTION] Message ID 00: *** UNKNOWN ***

[ACTION] [DEBUG] The action ID is 00 which has the length of 1 bytes. 
[DECODE] SPLIT: 00 (1 bytes)
[ACTION] Message ID 00: *** UNKNOWN ***

And here my script fails. The next byte, after splitup is 0xEF and that's something that, as far as I know, is just not right, I should never bump on a 0xEF packet.
Now, I have no idea, really, where I went wrong exactly. Ringo posted something a while ago (http://forum.valhallalegends.com/index.php?topic=11756.msg123533#msg123533) that had some code there as an example to show people how packets were split up. I used this and changed the input array to hold my packet (the F2 05 04 ... one). The output then shows the packet being decoded the same way as I do it. You see it being split up exactly like my script is doing and then you see it crash ... at the same byte (0xEF) as my script.
Now, since I don't think that there is actually anything wrong with what Ringo coded, I am thinking that I am being wrong in trying to decode/process the F2 05 04 ... packet. But I don't find any reason why I shouldn't be doing it. That's just where the packet(s) start and I have no idea why or if I should skip anything.

I know this is probably a longshot, but does anybody have a clue what I might be doing wrong here?

Thanks in advance!

Juniper

Ringo · June 14, 2006, 05:34 AM

Quote from: Juniper on June 12, 2006, 04:03 PM
Code Select Expand
[DECODE] [DEBUG] Was passed array 'f2 05 04 60 c8 3f 07 02 8b 30 4c 6a 3e 1b 2d 35 0d c2 a6 08 5c 19 07 e0 e0 51 48 ac 35 ba b0 64 1f 83 81 44 c0 13 1a 8f 86 da 0c 2f 05 e1 e0 32 00 a2 c8 0b 1e 1c 1a 52 08 81 a0 65 2f b8 56 35 04 06 cf 4a 2c d8 2f 05 c7 0c 00 28 64 31 00 ce 1a 52 41 82 f1 dc 77 70 72 6a 09 cd 9e 94 59 b0 5e 0b 63 c0 5c 46 31 98 8f 30 07 1f 7f ff ff ff c0 19 52 08 81 a0 65 2f b8 53 35 03 c6 cf 4a 2c d8 2f 05 a7 0b 28 c6 23 13 ee 11 52 14 00 50 e6 5d 70 94 6a 0d 0d 9e 94 79 94 80 09 04 10 a0 02 87 32 e9 2c 67 44 b4 fa d4 0b a2 5a 7c 05 20 5d 12 d3 e5 c4 0b a4 70 d6 09 82 88 30 48 e1 a8 0c 03 41 71 23 86 71 40 77 04 c9 1c 31 83 40 5c 04 61 40 05 0e 65 d2 a3 86 53 50 6a 6c b4 8e 03 cf 9d 8f fc 89 01 a0 7c 5c 30 04 2e 14 00 50 e6 5d 0e 43 f1 15 6a 20 f9 21 1a 52 08 83 f0 dc 86 70 60 6a 05 4d 9e 94 59 b0 5e 0b 0e 44 00 a0 06 62 bb 80 10 52 08 81 a0 65 2f b9 10 6a 06 cd 9e 94 59 b0 0f 2e 83 20 0e 18 09 c3 a2 d1 28 79 09 0b e0 10 52 08 81 a0 65 2f b9 0e 6a 07 8d 9e 94 59 b0 10 52 41 82 f1 dc 77 70 74 6a 0a 8d 9e 94 59 b0 23 03 f0 a0 02 87 32 e9 a9 2c 36 1d 90 03 12 20 33 03 d2 28 e8 ba 0c 80 38 5c 27 0e 8b 44 a1 e4 24 2f 80 10 52 0d 8b ad 81 47 0a 86 a0 6c d9 e9 45 9b 00 34 02 b3 63 46 c1 68 5e 18 0d 0e c8 08 ca 64 25 8f 21 21 74 a2 1a 14 0a c8 30 5e 3b 8e e8 c1 d1 a8 2a 36 4a 94 d6 14 00 50 e6 1a 58 14 00 50 e6 5d 09 46 a0 d0 d9 69 74 19 80 70 c4 4e 1d 16 89 43 c8 48 5f 10 52 08 83 f0 dc 86 70 5e 6a 05 4d 9e 94 59 b0 10 52 0d 8b ad 81 47 0a 46 a0 70 d9 e9 45 9b 00 10 52 08 81 a0 65 2f b9 10 6a 08 4d 9e 94 59 b0 1f 52 14 00 50 e6 5d 72 18 d4 0f 1b 3d' for processing

I think your compression buffer is broken, because the message is only 106 bytes long, followed by a singlely compressed ping responce (07 1f 7f ff ff ff c0).
So i would say that F2 05 is part of a broken compressed packet. (check your recv buffer, that handles incoming data from the socket)

[EDIT]:
eh, i think your compressed data (quoted data), is currrupt through out.

warz · June 14, 2006, 07:26 AM

D2 game server programming looks fun. Hm. Reverse engineering warden might be fun too.

Juniper · June 14, 2006, 07:35 AM

Quote from: warz on June 14, 2006, 07:26 AM
D2 game server programming looks fun. Hm. Reverse engineering warden might be fun too.

Perhaps, but I'm still at a point where I'm trying to figure out why my script for dcoding/decompressing data comming for b.net isn't working perfectly

J

Ringo · June 14, 2006, 08:14 AM

Quote from: Juniper on June 14, 2006, 07:35 AM
Perhaps, but I'm still at a point where I'm trying to figure out why my script for dcoding/decompressing data comming for b.net isn't working perfectly

J

Lets see it then :p

Quote from: warz on June 14, 2006, 07:26 AM
D2 game server programming looks fun. Hm. Reverse engineering warden might be fun too.

It might, but i bet it will become a nightmare

I was trying to make my own waren client awhile back (but got board, due to lack of interest and problems porting the RC4 functions)

Heres what iv found out about warden so far: (apart from warden being pritty dumb)
the payloads of S>C and C>S are both encrpyted with the same RC4 encryption algorithm, so i thought i would try port some random google'ed RC4 source code to vb so i could try de-encrypt the payloads.
(The encryption key, is the game hash (issued by the realm))

Code Select


To: [email protected]
Subject: Thank you Bob Anderson
From: nobody@ jpunix.com
Date: Fri, 9 Sep 1994 22:11:49 -0500
Complaints-To: [email protected]
Remailed -By: remailer@ jpunix.com
Sender: [email protected]

--------------------------------------------------------------------------------

SUBJECT:  RC4 Source Code


i 've tested this.  It is compatible with the RC4 object module
that comes in the various RSA toolkits.

/* rc4.h */
typedef struct rc4_key
{
     unsigned char state[256];
     unsigned char x;
     unsigned char y;
} rc4_key;
void prepare_key(unsigned char *key_data_ptr,int key_data_len,
rc4_key *key);
void rc4(unsigned char *buffer_ptr,int buffer_len,rc4_key * key);


/*rc4.c */
#include "rc4.h"
static void swap_byte(unsigned char *a, unsigned char *b);
void prepare_key(unsigned char *key_data_ptr, int key_data_len,
rc4_key *key)
{
     unsigned char swapByte;
     unsigned char index1;
     unsigned char index2;
     unsigned char* state;
     short counter;
     
     state = &key->state[0];
     for(counter = 0; counter < 256; counter++)
     state[counter] = counter;
     key->x = 0;
     key->y = 0;
     index1 = 0;
     index2 = 0;
     for(counter = 0; counter < 256; counter++)
     {
          index2 = (key_data_ptr[index1] + state[counter] +
index2) % 256;
          swap_byte(&state[counter], &state[index2]);

          index1 = (index1 + 1) % key_data_len;
     }
 }
 
 void rc4(unsigned char *buffer_ptr, int buffer_len, rc4_key
*key)
 {
     unsigned char x;
     unsigned char y;
     unsigned char* state;
     unsigned char xorIndex;
     short counter;
     
     x = key->x;
     y = key->y;
     
     state = &key->state[0];
     for(counter = 0; counter < buffer_len; counter ++)
     {
          x = (x + 1) % 256;
          y = (state[x] + y) % 256;
          swap_byte(&state[x], &state[y]);
               
          xorIndex = state[x] + (state[y]) % 256;
               
          buffer_ptr[counter] ^= state[xorIndex];
      }
      key->x = x;
      key->y = y;
 }
 
 static void swap_byte(unsigned char *a, unsigned char *b)
 {
     unsigned char swapByte;
     
     swapByte = *a;
     *a = *b;
     *b = swapByte;
 }

idk if this is the right encryption algorithm, but reverse engineering the one d2 uses is the 1st big step i spose.