• Welcome to Valhalla Legends Archive.
 

Parsing 0x0F (ChatEvent) Specific Event 0x01

Started by Fr3DBr, September 19, 2006, 11:45 PM


Fr3DBr

Ok, seeing that event doesn't have a defined packet format, since it can vary a lot in its size, I'm wanting some more information on that to parse it correctly. Sometimes the server merges up these packets so they are like glued (it's not the TCP/IP effect), because the first packet has the length of all the packets that are on that stream and they do match!!!

Let's see what we can do around this ;)

Hdx

Do you have a packet log of this 'merged' packet? An actual log, not your program's output. (Ethereal, WPE, etc.)
~-~(HDX)~-~

Proud host of the JBLS server www.JBLS.org.

l2k-Shadow

Quote from: Fr3DBr on September 19, 2006, 11:45 PM
Ok, seeing that event doesn't have a defined packet format, since it can vary a lot in its size, I'm wanting some more information on that to parse it correctly. Sometimes the server merges up these packets so they are like glued (it's not the TCP/IP effect), because the first packet has the length of all the packets that are on that stream and they do match!!!

Let's see what we can do around this ;)

In 3 years of Battle.net programming, I have never had one case of this; I am 99.9% positive it is your program stacking the packet length variable.
Quote from: replaced on November 04, 2006, 11:54 AM
I dunno wat it means, someone tell me whats ix86 and pmac?
Can someone send me a working bot source (with bnls support) to my email?  Then help me copy and paste it to my bot? ;D
I was destined to live here,
To have boiled pork and horseradish and drink beer with it.
Over there, they say, you'd live like a pig in clover,
I don't want to fall on my ass in front of anyone.

I'm not from the USA, I'm not from the USA, I'm really not from the USA... and hopefully they won't be angry with me for that.

Fr3DBr

It's not, let me provide a SS.


[S->C] [OPCODE : 0x0F] [LENGHT : 000443 BYTES]
OFFSET  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | 0123456789ABCDEF
--------------------------------------------------------------------------
000010  FF 0F BB 01 01 00 00 00 00 00 00 00 48 01 00 00   ............H... 
000020  00 00 00 00 0D F0 AD BA 0D F0 AD BA 2A 64 32 32   ............*d22 
000030  32 32 32 32 00 56 44 32 44 00 FF 0F 2C 00 01 00   2222.VD2D...,... 
000040  00 00 00 00 00 00 57 01 00 00 00 00 00 00 0D F0   ......W......... 
000050  AD BA 0D F0 AD BA 2A 64 32 32 32 32 32 32 23 32   ......*d222222#2 
000060  00 56 44 32 44 00 FF 0F 7B 00 01 00 00 00 00 00   .VD2D...{....... 
000070  00 00 EB 00 00 00 00 00 00 00 0D F0 AD BA 0D F0   ................ 
000080  AD BA 64 79 45 2D 52 61 6E 63 61 54 6F 63 6F 40   ..dyE-RancaToco@ 
000090  55 53 45 61 73 74 2A 72 61 6E 63 61 74 6F 63 6F   USEast*rancatoco 
000100  5B 64 79 65 5D 00 50 58 32 44 55 53 45 61 73 74   [dye].PX2DUSEast 
000110  2C 64 79 45 2D 52 61 6E 63 61 54 6F 63 6F 2C 84   ,dyE-RancaToco,. 
000120  80 53 03 03 02 03 0E FF 54 03 01 FF 05 EA 0A 0A   .S......T....... 
000130  0A 0A 51 FF 11 0A 0A FF 55 C8 98 FF FF 03 FF FF   ..Q.....U....... 
000140  00 FF 0F 7B 00 01 00 00 00 00 00 00 00 CC 00 00   ...{............ 
000150  00 00 00 00 00 0D F0 AD BA 0D F0 AD BA 54 72 69   .............Tri 
000160  4C 6F 75 63 6F 2D 63 41 70 65 74 41 40 55 53 45   Louco-cApetA@USE 
000170  61 73 74 2A 74 72 69 6C 6F 75 63 6F 2D 61 00 50   ast*trilouco-a.P 
000180  58 32 44 55 53 45 61 73 74 2C 54 72 69 4C 6F 75   X2DUSEast,TriLou 
000190  63 6F 2D 63 41 70 65 74 41 2C 84 80 53 02 02 01   co-cApetA,..S... 
000200  01 19 FF 54 02 02 FF 02 EA EA EA EA EA 26 FF 09   ...T.........&.. 
000210  EA EA FF 49 C8 98 FF FF 03 FF FF FF 0F 6F 00 01   ...I.........o.. 
000220  00 00 00 00 00 00 00 39 01 00 00 00 00 00 00 0D   .......9........ 
000230  F0 AD BA 0D F0 AD BA 6E 6F 69 65 72 61 2D 4E 44   .......noiera-ND 
000240  50 40 55 53 45 61 73 74 2A 61 6C 71 5B 6E 64 70   P@USEast*alq[ndp 
000250  5D 00 50 58 32 44 55 53 45 61 73 74 2C 6E 6F 69   ].PX2DUSEast,noi 
000260  65 72 61 2D 4E 44 50 2C 84 80 FF 02 02 03 01 0F   era-NDP,........ 
000270  FF FF 03 03 60 03 FF FF FF FF FF FF FF FF FF FF   ....`........... 
000280  FF 57 E8 9A FF FF 03 FF FF 00 00                  .W......... 
--------------------------------------------------------------------------


See? It can't be a 400-byte 0x0F size packet, and I don't change any of the bytes on the incoming packet... I got that using an external packet viewer!

Arta

Your offsets are wrong. Where are lines A0/B0/C0 ... and 1A0/1B0/1C0 etc? Also, your offsets ought to start at 0, not 16. Length is misspelled. Also, there are numerous headers within that dump ("FF 0F 7B 00") which indicate the start of new messages. The lengths of those messages appear, from a brief examination, to be correct.

What software did you use to obtain this data? Can you reproduce this data using a packet capture utility like Ethereal?

I also think you have a bug.

l2k-Shadow

Quote from: Fr3DBr on September 20, 2006, 12:18 AM
It's not, let me provide a SS.




See? It can't be a 400-byte 0x0F size packet, and I don't change any of the bytes on the incoming packet... I got that using an external packet viewer!

As far as what I can deduce, your problem is you are counting the length of the entire TCP clump that comes in from your winsock, not just the actual packet. Remember to parse the header... everything in that clump that starts with "FF 0F" is the beginning of a new packet. And the packet log is not right: your offsets are in decimal values, while the length of each line is 0x10, not 10.
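
The header-driven splitting described in the post above, as an added Python example (not code from any poster in this thread). It assumes the 4-byte header visible in the dumps (FF, message ID, 16-bit little-endian length that includes the header) and a 0x0F payload of six 32-bit fields followed by two NUL-terminated strings, a layout read off the dumps; the class and function names are hypothetical, and MSG_B is constructed sample data.

```python
import struct

HEADER_LEN = 4  # 0xFF marker, message id, uint16 little-endian total length

class StreamSplitter:
    """Buffers raw recv() data and returns one (id, payload) per message."""

    def __init__(self):
        self._buf = bytearray()

    def feed(self, data):
        self._buf += data
        out = []
        while len(self._buf) >= HEADER_LEN:
            magic, msg_id, length = struct.unpack_from("<BBH", self._buf, 0)
            if magic != 0xFF:
                raise ValueError("lost framing: expected FF, got %02X" % magic)
            if length < HEADER_LEN:  # would never advance the buffer
                raise ValueError("length %d is shorter than the header" % length)
            if len(self._buf) < length:
                break  # partial message: wait for the next recv()
            out.append((msg_id, bytes(self._buf[HEADER_LEN:length])))
            del self._buf[:length]  # consume exactly one message, keep the rest
        return out

def parse_chat_event(payload):
    """0x0F payload: six 32-bit fields (event id first), then two C strings."""
    if len(payload) < 24:
        raise ValueError("chat event payload too short")
    (event_id,) = struct.unpack_from("<I", payload, 0)
    user, _, rest = payload[24:].partition(b"\x00")
    text = rest.partition(b"\x00")[0]
    return event_id, user.decode("latin-1"), text.decode("latin-1")

# One 44-byte message copied from the dump in the thread (header FF 0F 2C 00).
MSG_A = bytes.fromhex(
    "ff0f2c00 01000000 00000000 57010000 00000000 0df0adba 0df0adba"
    " 2a64323232323232233200 5644324400")
# Constructed second message: event 0x05 from "bob" with text "hi".
MSG_B = struct.pack("<BBH6I", 0xFF, 0x0F, 35, 5, 0, 0, 0, 0, 0) + b"bob\x00hi\x00"

def demo():
    """Feed both messages as one clump cut mid-message, as recv() may do."""
    clump = MSG_A + MSG_B
    splitter = StreamSplitter()
    first = splitter.feed(clump[:60])   # all of MSG_A plus part of MSG_B
    second = splitter.feed(clump[60:])  # the rest of MSG_B
    return [parse_chat_event(p) for _, p in first + second], len(first)
```

The length field comes from the remote peer, so the splitter rejects a value below the header size instead of looping on a buffer that never shrinks.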

Cat Food

Quote from: l2k-Shadow on September 20, 2006, 02:28 PM
As far as what I can deduce, your problem is you are counting the length of the entire TCP clump that comes in from your winsock, not just the actual packet. Remember to parse the header... everything in that clump that starts with "FF 0F" is the beginning of a new packet. And the packet log is not right: your offsets are in decimal values, while the length of each line is 0x10, not 10.

Genius, pure...brilliance!
Arta why didn't you think of that?

Arta


ShadowDancer

Quote from: MyndFyre-vL
No. We help people who help themselves.
http://sourceforge.net/projects/d2gs
http://assembla.com/space/d2gs

Arta

What are you talking about? The whole thread is about that header. Isn't it rather obvious that my comments related to the obvious wrongness of it? Tell you what:

Quote
I also think you have a bug [in relation to the anomalous initial header which is the subject of the thread].

Better?

Fr3DBr


--------------------------------------------------------------------------
[S->C] [OPCODE : 0x0F] [LENGHT : 000241 BYTES]
OFFSET  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | 0123456789ABCDEF
--------------------------------------------------------------------------
000010  FF 0F F1 00 05 00 00 00 00 00 00 00 8D 00 00 00   ................ 
000020  00 00 00 00 0D F0 AD BA 0D F0 AD BA 43 4C 41 4E   ............CLAN 
000030  5F 4D 41 4E 40 55 53 45 61 73 74 2A 43 4C 41 4E   _MAN@USEast*CLAN 
000040  4D 41 4E 23 32 00 40 40 40 40 40 40 40 40 40 40   MAN#2.@@@@@@@@@@ 
000050  40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40   @@@@@@@@@@@@@@@@ 
000060  40 40 40 20 40 40 40 40 40 40 40 40 40 40 40 40   @@@ @@@@@@@@@@@@ 
000070  40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40   @@@@@@@@@@@@@@@@ 
000080  40 20 40 40 40 40 40 40 40 40 40 40 40 40 40 40   @ @@@@@@@@@@@@@@ 
000090  40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 20   @@@@@@@@@@@@@@@   
0000A0  40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40   @@@@@@@@@@@@@@@@ 
0000B0  40 40 40 40 40 40 40 40 40 40 40 40 40 20 40 40   @@@@@@@@@@@@@ @@ 
0000C0  40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40   @@@@@@@@@@@@@@@@ 
0000D0  40 40 40 40 40 40 40 40 40 40 20 57 20 57 20 57   @@@@@@@@@@ W W W 
0000E0  20 2E 20 43 20 4C 20 41 20 4E 20 4D 20 41 20 4E    . C L A N M A N 
0000F0  20 2E 20 43 20 4A 20 42 20 2E 20 4E 20 45 20 54    . C J B . N E T 
000100  00                                                . 
--------------------------------------------------------------------------


Everything is fine now ;)

Cat Food

Quote from: Arta[vL] on September 21, 2006, 03:47 AM
Why didn't I think of what?

Was mocking l2k-shadow, being that he said the same thing you said.

Arta