W3GS Known Packets

[For.Rest]

// add more info if you know

Code Select Expand


// Packets Listing C/C++:

#pragma pack(1)

// its start part of all packets in Warcraft III Game Sysyem
struct sW3GS_PACKETINFO {
BYTE sig; // always 0xF7
BYTE psig; // packet signature (example: W3GS_SEARCHGAME)
WORD size; // packet size
BYTE pktData[1]; // packet data
};

// Local Network

// this is part of many packets
struct sW3GS_GAME {
DWORD gamesig; // game signature PX3W for example
DWORD crcount; // creation counter
};
struct sW3GS_GAMEP {
sW3GS_GAME data;
DWORD pcount; // players in game
};

#define W3GS_SEARCHGAME 0x2F // Sends to all local network to detect game
struct sW3GS_SEARCHGAME {
sW3GS_GAMEP data; // data.pcount always zero
};

#define W3GS_GAMEINFO 0x30 // Answer from host about game
struct sW3GS_GAMEINFO {
sW3GS_GAMEP data;
w_char* //..... game name, host name and other
// dont remember ... because not used it
};

#define W3GS_CREATEGAME 0x31 // Host spams local network about created game
struct sW3GS_CREATEGAME {
sW3GS_GAMEP data;
};

#define W3GS_REFRESHGAME 0x32 // Host spams local network about game (happens every 5 seconds or refresh slots)
struct sW3GS_REFRESHGAME {
sW3GS_GAMEP data;
DWORD slots; // total slots in game
};

#define W3GS_DECREATEGAME 0x33 // Host decreates game (spam local network)
struct sW3GS_DECREATEGAME {
sW3GS_GAME data;
};

// In game (after start and loadding)

#define W3GS_CLIENTSYNC 0x27 // Clients Sync packets (only if packet size = 9)

#define W3GS_CLIENTACTREQ 0x26 // Client requests action
struct sW3GS_CLIENTACTREQ {
SHORT sync; // dont know - maby sync value
SHORT crc16; // possible crc16
BYTE subPktData[1]; // sub packet data - consist game command
};

#define W3GS_HOSTSYNC 0x0C // Host Sync packets or/with actions (only sync when packet size = 6)
#define W3GS_HOSTACT  0x0C
struct sW3GS_HOSTACT {
SHORT sync; // 0x6D | 0x6E | 0x7D - possible sync
SHORT crc16; // possible crc16 value
BYTE playerNum; // 1 (for host)
SHORT subPktSize; // sub packet size = packet size - 11
BYTE subPktData[1]; // sub packet data - consist game command
};

// commands description and structures (not all)

// structure of any object in game (for example: Town Hall or Peon)
struct sW3GS_OBJECT {
BYTE  id1; // first part of object ID
SHORT race; // object race id
BYTE  zero1; // always zero
BYTE  id2; // second part of object ID
SHORT race_dup; // same as race (duplicate)
BYTE  zero2; // always zero
};
// so total object ID will be RACE:ID
// 0xFFFFFFFF 0xFFFFFFFF for unknow objects (all 0xFF) - it means no target or ground point

// commands list (not all)
#define W3GS_CMD_ACTION 0x10 // stop / hold position / auto cast on off / buy item ... and more
#define W3GS_CMD_CREATE       0x11 // build structure
#define W3GS_CMD_MOVE         0x12 // move unit
#define W3GS_CMD_DROPITEM     0x13 // drop item from slot
#define W3GS_CMD_SELECT       0x16 // change selection add or remove
#define W3GS_CMD_VIEW         0x1A // change view of unit or structure (TAB button changes view)
#define W3GS_CMD_BLINK        0x68 // blink on the map
#define W3GS_CMD_CANCEL       0x1E // cancel upgrade or something

// structure of any command
struct sW3GS_CMD_ANY {
BYTE cmd;    // Command (example: W3GS_CMD_ACTION)
BYTE opCode; // Command operation code - each command have self unique operation codes
BYTE data[1]; // consist command data
};

// operation codes for some commands
#define W3GS_CMD_SELECT_ADD 0x01 // Add selection
#define W3GS_CMD_SELECT_REM 0x02 // Remove selection
#define W3GS_CMD_VIEW_OP 0x19 // Change view group

struct sW3GS_CMD_SELECT {
BYTE cmd;    // Command W3GS_CMD_SELECT
BYTE opCode; // Command operation code - each command have self unique operation codes
SHORT count; // count of object to operate
sW3GS_OBJECT objects[1]; // one or more objects
};

struct sW3GS_CMD_VIEW {
BYTE cmd;    // Command W3GS_CMD_VIEW
BYTE opCode; // Command operation code - each command have self unique operation codes
DWORD type; // string type of object
sW3GS_OBJECT object; // first object in view group
};

struct sW3GS_CMD_BLINK {
BYTE cmd;    // Command W3GS_CMD_BLINK
FLOAT x;     // x y coordinates on the map
FLOAT y;
DWORD color; // possibly blink color
};

// modes and types of move for structure sW3GS_CMD_MOVE (any mode can be combined together)
#define W3GS_CMD_MOVE_MODE_QUED   0x01 // happens when shifting targets
#define W3GS_CMD_MOVE_MODE_INTO   0x02 // dont remember inside what?
#define W3GS_CMD_MOVE_MODE_CREATE 0x04 // create what? ...
#define W3GS_CMD_MOVE_MODE_GRP    0x08 // action on all group (not used for single units)
#define W3GS_CMD_MOVE_MODE_SAVEGRP 0x10 // save group form
#define W3GS_CMD_MOVE_MODE_NOMOVE 0x40 // dont move, target only to coordinates
#define W3GS_CMD_MOVE_TYPE_MOVE   0x03 // move units to x y
#define W3GS_CMD_MOVE_TYPE_ATTACK 0x0F // attack target at x y (if target hides this will be coodrinates to move)
#define W3GS_CMD_MOVE_TYPE_PATROL 0x16 // patrol to point x y

struct sW3GS_CMD_MOVE {
BYTE cmd;    // Command W3GS_CMD_MOVE
BYTE mode; // move mode
BYTE zero;   // always zero?
SHORT type;  // move type
SHORT unknow; // always 0x000D?
sW3GS_OBJECT objUnknow; // always 0xFFFFFFFF FFFFFFFF
FLOAT x;     // x y coordinates on the map
FLOAT y;
sW3GS_OBJECT target; // target object
};

struct sW3GS_CMD_CANCEL {
BYTE cmd;    // Command W3GS_CMD_CANCEL
BYTE zero;
DWORD type; // string type of object
};

#define W3GS_CMD_DROPITEM_TYPE_ITEM 0x44 // object type to drop

struct sW3GS_CMD_DROPITEM {
BYTE  cmd;   // Command W3GS_CMD_CANCEL
SHORT type;  // W3GS_CMD_DROPINTM_TYPE_ITEM
BYTE  slot;  // from 0x21 to 0x27
BYTE  zero;
BYTE  unknow; // always 0x000D?
sW3GS_OBJECT objUnknow; // always 0xFFFFFFFF FFFFFFFF?
FLOAT x;
FLOAT y;
sW3GS_OBJECT target; // target getting item or 0xFFFFFFFF FFFFFFFF for ground point (if target hides from view then ground point)
sW3GS_OBJECT item;   // item object to operate
};

#define W3GS_CMD_CREATE_MODE_BUILD 0x04

struct sW3GS_CMD_CREATE {
BYTE  cmd;  // Command W3GS_CMD_CREATE
SHORT mode; // W3GS_CMD_CREATE_MODE_BUILD
DWORD type; // string object type
sW3GS_OBJECT objUnknow; // always 0xFFFFFFFF FFFFFFFF?
FLOAT x;    // x y location to build/create
FLOAT y;
};

#define W3GS_CMD_ACTION_MODE_BATTLE   0x0000 // stop or hold position
#define W3GS_CMD_ACTION_MODE_CAST     0x0102 // autocast on off
#define W3GS_CMD_ACTION_MODE_DO       0x0040 // build / cancel build / buy item / upgrade ability
#define W3GS_CMD_ACTION_MODE_RESEARCH 0x0046 // upgrade building / train unit

struct sW3GS_CMD_ACTION {
BYTE  cmd;  // Command W3GS_CMD_ACTION
SHORT mode; // W3GS_CMD_CREATE_MODE_BUILD
DWORD type; // string object type or options (depends on command) object type for train unit or upgrade
sW3GS_OBJECT objUnknow; // always 0xFFFFFFFF FFFFFFFF?
};

// end of command list

#define W3GS_MAPCHECK 0x3D // check map size and path
struct sW3GS_MAPCHECK {
DWORD unknow; // dont remember
char mapPath[1]; // null terminated path
DWORD fileSize; // size of file (don use this pointer it must be calculated)
};

#define W3GS_MAPSIZE 0x42 // map size downloaded or have
struct sW3GS_MAPSIZE {
BYTE unknow[5]; // dont remember
DWORD fileSize; // got size of map file (you can block download if fileSize not equal fileSize in map check structure)
};

#define W3GS_STARTDOWNLOAD 0x3F // host or any other client sends this to prepare other client for download map

#define W3GS_MAPPART 0x43 // Part of map file
struct sW3GS_MAPPART {
BYTE unknow[6]; // dont remember
DWORD filePos;  // block position in file (blockSize = 1442, doneSize = blockSize + filePos)
BYTE data[1442]; // block data
};

#define W3GS_MAPPARTOK 0x44 // Part of map success downloaded (client sends this)
struct sW3GS_MAPPARTOK {
BYTE unknow[6];
DWORD filePos;
};

#define W3GS_REQJOIN 0x1E // Request join game
struct sW3GS_REQJOIN {
BYTE  unknow1[9];  // dont remember
SHORT gamePort; // player game port
DWORD playCounter; // count of game player joined
char  playerName;  // null terminated string
SHORT unknow2;
sockaddr_in internal; // internal player IP
};

#define W3GS_HOSTECHOREQ 0x01 // Host request echo from client (every 30 seconds)
#define W3GS_HOSTECHORES 0x46 // Host response echo from client
struct sW3GS_ECHO {
DWORD tickCount; // value from GetTickCount(); so ping = (GetTickCount()-tickCount)/2; for lan it can be 0
};

#define W3GS_CLIENTECHOREQ 0x35 // Client request echo from other client (every 10 seconds)
#define W3GS_CLIENTECHORES 0x36 // Client response echo from other client

// if you smart you can get ping to host simply

// most hard part is understand how slot system works when player joins game
#define W3GS_SLOTINFOJOIN 0x04 // Host sends this packet to say client all slots status and where he is joining
#define W3GS_SLOTINFO     0x09 // Host sends this packet to say client all slots status only
// check of this packets should be combined togetger in one pass
// better show part of my prog and 3 structures of packet, playerPos its player slot, playerNum its player unique number (0 for host)
/*
struct gameSlot {
  unsigned char playerNumber;   // 0 - if not human
  unsigned char download;       // 0x64 - 100%, 0xFF for not humans
  unsigned char slotStatus;     // 0 - open, 1 - closed, 2 - controlled
  unsigned char controller;     // 1 - computer, 0 - human or opened or closed
  unsigned char clan;           // Clan Number-1
  unsigned char color;          // Color from 0 to 11 // 12 - No Color for free slots
  unsigned char team;           // Team Number
  unsigned char controllerType; // 0 - easy comp, 2 - hard comp, 1 - human or normal comp
  unsigned char handicap;       // Handicap from 0 to 0x64=100
};
struct gameSlotsBegin {
  unsigned short size;
  unsigned char  slotCount;
  gameSlot       slot[1];
};
struct gameSlotsEnd {
  DWORD          hostTickCount;
  unsigned char  gameType;
  unsigned char  slotCount;
  unsigned char  addition[1];
};
struct gameSlotsAddition {
  unsigned char  playerNum; // Number of player (UID)
  sockaddr_in    addr;      // Player Address
};
*/
/* case 0x04:
case 0x09: {
if (gameState < 2) {
if ((dirin == true) && (pkt->type == 0x04)) {
startPingHost(si);
memset(&slots,0,sizeof(slots));
}
gameSlotsBegin *gsb = (gameSlotsBegin*)(pkt->data);
gameSlotsEnd *gse = NULL;
gameSlotsAddition *gsa = NULL;
if (gsb->size == 0) {
slots.slotCount = 0;
if (pkt->type == 0x04) gsa = (gameSlotsAddition*)&(gsb->slotCount);
} else {
slots.slotCount = gsb->slotCount;
if (slots.slotCount <= 12) {
memcpy(slots.slot,gsb->slot,sizeof(gameSlot)*slots.slotCount);
for (int i = 0; i < 12; i++) { slots.map[i] = -1; }
for (int i = 0; i < slots.slotCount; i++) {
int pn = (int)(slots.slot[i].playerNumber)-1;
if (pn >= 0) slots.map[pn] = i;
}
}
gse = (gameSlotsEnd*)((DWORD)gsb->slot + (gsb->slotCount*sizeof(gameSlot)));
if (pkt->type == 0x04) gsa = (gameSlotsAddition*)(gse->addition);
}
if (gsa) {
int playerPos = gsa->playerNum - 1;;
if ((playerPos >= 0) && (playerPos < 12)) {
// Inserting Player Info
slots.playCounter[playerPos] = si->playCounter;
strcpy(slots.playerNames[playerPos],si->playerName);
slots.sock[playerPos] = si->s;
si->playerPos = playerPos;
si->player = true;
if (dirin == true) {
slots.intAddr[playerPos] = si->internal;
slots.extAddr[playerPos] = si->internal;
slots.ping[playerPos] = bnetPing;
slots.myNum = playerPos;
strcpy(slots.from[playerPos],"--");
} else {
slots.intAddr[playerPos] = si->internal;
slots.extAddr[playerPos] = si->remote;
slots.ping[playerPos] = -1;
memset(slots.from[playerPos],0,2);
}
}
}
*/

#define W3GS_PLAYERINFO 0x06 // player name and number
struct sW3GS_PLAYERINFO {
DWORD playCounter;
BYTE  playerNum;
char  playerName[1]; // null terminated string
SHORT unknow;
sockaddr_in ext; // external IP (not for host, host always zero)
sockaddr_in int; // internal IP (not for host, host always zero)
};

// f737 1200 02000000 00000000 06 ff 5e000000
#define W3GS_CLIENTINFO 0x37 // client send to other client info about self when connected
struct sW3GS_CLIENTINFO {
DWORD playCounter;
DWORD zero;
BYTE  playerNum;
BYTE  unknow[5]; // first FF posibly status of player
};

#define W3GS_LEAVEREQ 0x21 // client requests leave
struct sW3GS_LEAVEREQ {
BYTE  playerNum;
BYTE  zero[3];
};
#define W3GS_LEAVERES 0x1B // host response (you can leave) after this connection terminated

#define W3GS_LEAVER 0x07 // host spams all clients about leaver
// only socket hook can detect is it Disconnect or Leaving of player
struct sW3GS_LEAVER {
BYTE  playerNum;
};

#define W3GS_  0x34  // messages from other players or change positions
#define W3GS_  0x28
#define W3GS_  0x0F

// im tired explaining ^^ (3 hours doing this)

#define W3GS_START     0x0A // Start game
#define W3GS_LOADDING  0x0B // Start loadding (after this you cannot leave game)
#define W3GS_CLIENTRDY 0x08 // Host spams to all that Player loadded and ready except loadded player
#define W3GS_READY     0x23 // Clients tells to host that they are ready

// i think its enough for me now
// ill complete it late and hope you help me
// sry for my bad english

// please dont use it for cheating
// posible cheats ... detect player destination ... and other tricks ...
// all information was got by me analysing packets long long time

Edit by MyndFyre: added code tags

[Sorc.Polgara]

Nice.

[Hero]

oh god i love you!

[DotA.For.Rest]

unknown left only game commands. i mean W3GS_CMD_ ....
i cant catch them all playing one map. i think there are more of them. if u found them tell us here

i need help to design battle.net WC3 TFT Dedicated Game Host with vote system for clients. so need to search all info about W3GS for that. this type host will not move but can type game mode for maps such DotA Allstars. and maby host can be server but not player, like it does by ladder game. battlenet is server but not player in ladder.

also some packets structures only for Custom Games. Ladder have others. for example W3GS_SLOTINFOJOIN and W3GS_SLOTINFO

im not tryed to understand how Ladder works. if some one do research this way post it here.

[DotA.For.Rest]

For.Rest and DotA.For.Rest is same user. im just forgot my password and set wrong email. so cant restore it.

[PaiD]

o cool, Thanks. This helps :p

[Hero]

shouldn't this be in references?

[MyndFyre]

shouldn't this be in references?

It'll be moved after it's scruitinized by the community.  Wouldn't much like moving it there if the information is wrong.

[DotA.For.Rest]

Soon ill add examples of all known by me packets with description, except command packets, also try to explain BNE packet 0x09 which contains custom game list. Need time to collect and write all data. I hope this info will be added to Reference of this site with my Name.
from DotA.For.Rest@Northrend - Paul. Im real member of clan TDA, and working on programming side of this clan only on Europe realm.
we do not use cheats - we adding to game more functions. for example im Working on Project called WC3 GRest Mod wich adds some special command to chat, its like Banlist.NL but more futures.

[UserLoser]

Format of messages over network are basically the same as the replay file format...I guess if you're familiar with the replay file format (.w3g) this would be a breeze for you.  About two years ago I had written a client that hosted a custom game on Tides of Blood.  It was quite interesting, source was lost.

Edit: After disassemblying my old bot and patching the authentication:

[DotA.For.Rest]

working on explain text of all packets except command packet.
ty for information about w3g. ill try to found info about this file format. maby it will help to understand how it works

[MyndFyre]

Look into W3Chart for more info. 

[DotA.For.Rest]

ty for link. i will post packet explain part by part. cuz there are alot of explanations. also i will post moments where i need help to find out.

[DotA.For.Rest]

IPs of two computers that i used for testing and grabbing packets
192.168.0.1 - Host
192.168.0.3 - Client

Lookup LAN Game
W3GS_SEARCHGAME 0x2F
OUT 255.255.255.255:06112 LEN:16

Code Select Expand


·  /  · ·  P X 3 W  · · · ·  · · · ·
f7 2f 1000 50583357 14000000 00000000
|W3GS Signature
   |Packet Signature
      |Packet Size
           |Game Signature
                    |Always 0x14? Maby its game version
         |Zero


Create LAN Game
W3GS_CREATEGAME 0x31
OUT 255.255.255.255:06112 LEN:16

Code Select Expand


·  1  · ·  P X 3 W  · · · ·  · · · ·
f7 31 1000 50583357 14000000 03000000
|W3GS Signature
   |Packet Signature
      |Packet Size
           |Game Signature
                    |Always 0x14? Maby its game version
         |Creation Counter


Refresh LAN Game (every 5 seconds or slot change)
W3GS_REFRESHGAME 0x32
OUT 255.255.255.255:06112 LEN:16

Code Select Expand


·  2  · ·  · · · ·  · · · ·  · · · ·
f7 32 1000 03000000 01000000 04000000
|W3GS Signature
   |Packet Signature
      |Packet Size
           |Creation Counter
                    |Client players in game (host counted)
                             |Total client slots (do not counts computers or closed slots)


Decreates LAN Game (happens when decrates game or game starts loadding)
W3GS_DECREATEGAME 0x33
OUT 255.255.255.255:06112 LEN:8

Code Select Expand


·  3  · ·  · · · ·
f7 33 0800 02000000
|W3GS Signature
   |Packet Signature
      |Packet Size
           |Creation Counter


[DotA.For.Rest]

Response LAN Game Info (response on client game search W3GS_SEARCHGAME)
W3GS_GAMEINFO 0x30
OUT 192.168.000.003:06112 LEN:117

Code Select Expand


·  0  u ·  P X 3 W  · · · ·  · · · ·  · V · · · · · · · · · ·   ( F o r . R e s t ) ·
f7 30 7500 50583357 14000000 01000000 e4569f00d098d0b3d180d0b02028466f722e526573742900
|W3GS Signature
   |Packet Signature
      |Packet Size
           |Game Signature
                    |Always 0x14? Maby its game version
                             |Creation Counter
                                      |Game Name (UTF-8 Coded) null terminated string


Code Select Expand


·  · · I ·  · · 
00 01034907 0101
|Zero
   |0x01010101 - Always
   |0x00000010 - Unit share
   |0x00000040 - Unknow - only set on map "(12)DivideAndConquer.w3m"
   |0x00000004 - Closed map
   |0x00000200 - Fast game speed
   |0x00030000 - Visibility: map explored
   |0x00050000 - Visibility: always visible (no fog of war)
   |0x00080000 - Visibility: default
   |0x00200000 - Observers on Defeat
   |0x00300000 - Additional players as observer allowed
   |0x00400000 - Teams Together (team members are placed at neighbored starting locations)
   |0x06000000 - Fixed teams
   |Default 0x07490301
            |Default 0x0101
            |0x0101 - Always
            |0x0040 - Referees
            |0x0002 - Random hero
            |0x0004 - Random races

----Coded Part of Packet----

Code Select Expand


} ·  · } · · · · C M  · a q s ] ) 5 )  · M o s u U e m  · q m e / w 3 m  · · G o s / S e  · s u · · ·
7d01 997d01a3df1d434d 8b6171735d293529 cd4d6f737555656d e9716d652f77336d 8901476f732f5365 037375010100
|Coded tag (this tag same as coded data start)
        <----over here
     |Coded Data ends on 0x000101 over here -------------------------------------------------------->
     |last Zero is not Coded - it used only for detect end of Coded data
     |Decode is simple: all Coded data splited by 8 bytes blocks
     |First byte of each block is first bits of 7 bytes data bit0 always 1
     |Bit1 represents bit0 of byte1, bit2 represents bit0 of byte2 ...
     |Left 7 bytes bit0 set to 1 for coded data
     |Decoded result of our example will be:
     |               M a p s \ ( 5 ) L o s t T e m p l e . w 3 m   F o r . R e s t
     |7C00 A3DF1C42 4D6170735E2835294C6F737454656D706C652E77336D00 466F722E526573740000
     \unknow SHORT value High byte always 0 - so its seems CRC8 of CRC32?
          \Map file CRC32
                   \Map path (null terminated string)
                                                                  \Host Player name (null terminated)

----End of Coded Part----                   

Code Select Expand


· · · ·  · · · ·  · · · ·  · · · ·  · · · ·  · ·
04000000 09000000 01000000 04000000 00000000 e017
|Total game slots (count all slots)
         |0x00000009 - Blizzard map tag
         |0x00000001 - Custom map tag
                  |Always 0x00000001?
                           |Free game slots (aviable for player connection)
                                    |Hosting time in seconds
                                             |Hosts client port


Now i need help to understad what means part of decoded data 7C00 A3DF1C42
its not depends on packet data at all, i think it depends on map file size or CRC32 of map file ... need to find out