 

Diablo II Game Bot Discussion

Started by UserLoser, October 31, 2003, 07:56 PM


Skywing

Quote from: smoke on November 09, 2003, 06:35 AM
To answer the question about the status of huffman compression in 1.10.  It appears to be the exact same huffman compression table.  I haven't had any problems with my 1.09 and 1.10 beta huffman compression/decompression routines on the realms.

I do have a question though... has anybody bothered to extract the new packet length tables for server and client packets?  I did this in 1.10 beta, and can do it again... but it is a pain in the a$$.

Thanks,
smoke
That's on my list of things to do in order to revamp my in-game support for D2, but I haven't yet done a whole lot with it.  I do, however, have a few leads on the subject.  Feel free to mail me or somesuch if you want to work together on this.

smoke

If you are interested in where the tables are located, they are at address 6FC08148 and 6FC08418 in D2Net.dll.  All entries with value of 0xFFFFFFFF have to be treated in special ways since they are of variable length.  The first table appears to be server to client packet lengths and the second table is the opposite.

-smoke

smoke

I have the rest of the packet size calculations complete.  The main one is server to client packet sizes, since many packets can be clumped in the compressed packets.  If you are interested in these, please contact me directly via AIM: smokehl or message me on this forum.

-smoke

Skywing

#18
Quote from: smoke on November 09, 2003, 05:26 PM
If you are interested in where the tables are located, they are at address 6FC08148 and 6FC08418 in D2Net.dll.  All entries with value of 0xFFFFFFFF have to be treated in special ways since they are of variable length.  The first table appears to be server to client packet lengths and the second table is the opposite.

-smoke
Are you sure about them being in D2Net?  I'm fairly certain that there's a version in D2Client...

Consider the following research of mine:

0000
0000 SCMD_HANDLER    struc ; (sizeof=0xc)    ; XREF: .data:6FB76274r
0000 SCmdLength      dd ?                    ; base 16
0004 SCmdHandler1    dd ?                    ; offset (FFFFFFFF)
0008 SCmdHandler2    dd ?                    ; offset (FFFFFFFF)
000C SCMD_HANDLER    ends
000C


.text:6FAB50B0 D2GetSCmdLength proc near               ; CODE XREF: sub_6FAA9AF0+397p

...

.text:6FAB5109                 cmp     bl, 0AEh        ; SCmd ID
.text:6FAB510C                 mov     [esp+64h+var_4C], ecx
.text:6FAB5110                 jnb     D2GetSCmdLength_BadSCmd
.text:6FAB5116                 mov     ebx, [esp+64h+SCmdId]
.text:6FAB511A                 and     ebx, 0FFh
.text:6FAB5120                 lea     edx, [ebx+ebx*2]
.text:6FAB5123                 mov     eax, dword ptr D2LengthTable_110a.SCmdLength[edx*4]
.text:6FAB512A                 lea     esi, off_6FB76270[edx*4]
.text:6FAB5131                 cmp     eax, 0FFFFFFFFh
.text:6FAB5134                 mov     dword ptr [esp+64h+var_40], esi
.text:6FAB5138                 jz      short D2GetSCmdLength_VariableLength

...

.text:6FAB53BF D2GetSCmdLength_BadSCmd:                ; CODE XREF: D2GetSCmdLength+60j
.text:6FAB53BF                 push    1442h
.text:6FAB53C4                 push    offset aCProjectsD2_22 ; "C:\\projects\\D2\\head\\Diablo2\\Source\\D2Cl"...
.text:6FAB53C9                 push    offset aBcmdNum_scmds ; "bCmd < NUM_SCMDS"
.text:6FAB53CE                 call    Fog_10023
.text:6FAB53D3                 add     esp, 0Ch
.text:6FAB53D6                 push    0FFFFFFFFh      ; int
.text:6FAB53D8                 call    _exit

; (Nice error handling here, Blizzard....)

...

.data:6FB76274 D2LengthTable_110a dd 1                    ; SCmdLength
.data:6FB76274                                         ; DATA XREF: D2GetSCmdLength+73r
.data:6FB76274                                         ; sub_6FAB54C0+11o ...
.data:6FB76274                 dd 0                    ; SCmdHandler1
.data:6FB76274                 dd offset sub_6FAB2130  ; SCmdHandler2
.data:6FB76274                 dd 8                    ; SCmdLength
.data:6FB76274                 dd 0                    ; SCmdHandler1
.data:6FB76274                 dd offset sub_6FAB2180  ; SCmdHandler2
.data:6FB76274                 dd 1                    ; SCmdLength
.data:6FB76274                 dd 0                    ; SCmdHandler1
.data:6FB76274                 dd offset sub_6FAB2160  ; SCmdHandler2
.data:6FB76274                 dd 0Ch                  ; SCmdLength

...

; There are a number of other places that use the above table in a similar manner:

.text:6FAB5677                 cmp     al, 0AEh
.text:6FAB5679                 mov     [esp+10h], al
.text:6FAB567D                 jnb     short loc_6FAB56F1
.text:6FAB567F                 mov     eax, [esp+10h]
.text:6FAB5683                 and     eax, 0FFh
.text:6FAB5688                 lea     ecx, [eax+eax*2]
.text:6FAB568B                 lea     eax, off_6FB76270[ecx*4]
.text:6FAB5692                 mov     ecx, dword ptr D2LengthTable_110a.SCmdLength[ecx*4]
.text:6FAB5699                 cmp     ecx, 0FFFFFFFFh
.text:6FAB569C                 jz      short loc_6FAB56AC


smoke

I am 100% sure they are now in D2Net.dll.  In fact both tables are in D2Net.dll.  It kind of shocked me as well, as I expected to find them in D2Client.dll.  Anyways, a little IDA Pro magic should get the tables you need as well as the assembly subroutine that decodes variable length packet sizes.  The tables have changed significantly enough it is not entirely simple to post the changes.

-smoke

Skywing

Quote from: smoke on November 10, 2003, 09:43 AM
I am 100% sure they are now in D2Net.dll.  In fact both tables are in D2Net.dll.  It kind of shocked me as well, as I expected to find them in D2Client.dll.  Anyways, a little IDA Pro magic should get the tables you need as well as the assembly subroutine that decodes variable length packet sizes.  The tables have changed significantly enough it is not entirely simple to post the changes.

-smoke
FWIW, the table I found matches the table you found, at least the packet length parts (recv table).
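
The following is an added example, not code from the thread or from Blizzard: a C model of the recv-side length lookup that Skywing's disassembly shows (12-byte SCMD_HANDLER entries indexed as cmd*3 dwords, the `bCmd < NUM_SCMDS` bound check with NUM_SCMDS = 0xAE, and the 0xFFFFFFFF "variable length" sentinel), plus the splitter a bot needs because, as smoke notes, several server-to-client packets are clumped into one decompressed buffer. Only the first four table entries (lengths 1, 8, 1, 0x0C for commands 0x00..0x03) come from the page; every other table value, the sample buffer, and the variable-length encoding used for command 0x04 (second byte holds the total size) are constructed stand-ins and are not D2's real formats.

```c
/*
 * Added example (not from the thread): recv-side SCMD length lookup and packet
 * splitter modelled on the SCMD_HANDLER table in Skywing's disassembly.
 *
 * ASSUMPTIONS / constructed data:
 *  - Entry layout {SCmdLength, SCmdHandler1, SCmdHandler2} (12 bytes) and
 *    NUM_SCMDS = 0xAE are from the disassembly; only commands 0x00..0x03
 *    match the four entries shown on the page, the rest of the table is made up.
 *  - Command 0x04 is a HYPOTHETICAL variable-length packet whose second byte
 *    is the total length. This is not D2's real encoding; it only exercises
 *    the "0xFFFFFFFF entries need special handling" path.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_SCMDS      0xAE
#define SCMD_VARIABLE  0xFFFFFFFFu

typedef struct {
    uint32_t SCmdLength;    /* total bytes incl. command byte, or SCMD_VARIABLE */
    void    *SCmdHandler1;
    void    *SCmdHandler2;
} SCMD_HANDLER;             /* sizeof == 0xC, as in the struc on the page */

/* Constructed table; unlisted commands default to length 0 (treated as unknown). */
static SCMD_HANDLER g_scmd_table[NUM_SCMDS] = {
    [0x00] = { 1,             NULL, NULL },
    [0x01] = { 8,             NULL, NULL },
    [0x02] = { 1,             NULL, NULL },
    [0x03] = { 0x0C,          NULL, NULL },
    [0x04] = { SCMD_VARIABLE, NULL, NULL },   /* hypothetical variable-length cmd */
};

/*
 * Length of the packet starting at buf[0], or 0 if the command is unknown or
 * avail is too short to decide. Unlike the game's routine, an out-of-range
 * command is a soft error here rather than exit(-1).
 */
size_t d2_get_scmd_length(const uint8_t *buf, size_t avail)
{
    if (avail == 0)
        return 0;
    uint8_t cmd = buf[0];
    if (cmd >= NUM_SCMDS)                 /* the "bCmd < NUM_SCMDS" check */
        return 0;
    uint32_t len = g_scmd_table[cmd].SCmdLength;  /* table[cmd*3 dwords] */
    if (len != SCMD_VARIABLE)
        return len;
    /* Variable-length path (hypothetical encoding): second byte = total size. */
    if (avail < 2 || buf[1] < 2)
        return 0;
    return buf[1];
}

/*
 * Walks a decompressed receive buffer holding clumped packets, calling cb for
 * each complete one. Returns the packet count and stores the bytes consumed
 * in *consumed; stops at the first unknown or truncated packet so the caller
 * can keep the tail for the next read instead of mis-framing the stream.
 */
size_t d2_split_packets(const uint8_t *buf, size_t n,
                        void (*cb)(const uint8_t *pkt, size_t len, void *ctx),
                        void *ctx, size_t *consumed)
{
    size_t off = 0, count = 0;
    while (off < n) {
        size_t len = d2_get_scmd_length(buf + off, n - off);
        if (len == 0 || len > n - off)
            break;
        if (cb)
            cb(buf + off, len, ctx);
        off += len;
        count++;
    }
    if (consumed)
        *consumed = off;
    return count;
}

/* Constructed sample: 0x01 (8 bytes), 0x04 (var, 5 bytes), 0x00 (1 byte),
 * then a 0x03 that needs 12 bytes but only 4 are present (truncated). */
static const uint8_t sample_buf[] = {
    0x01, 1, 2, 3, 4, 5, 6, 7,
    0x04, 5, 0xAA, 0xBB, 0xCC,
    0x00,
    0x03, 9, 9, 9
};

static void print_pkt(const uint8_t *pkt, size_t len, void *ctx)
{
    (void)ctx;
    printf("cmd 0x%02X len %zu\n", pkt[0], len);
}

int main(void)
{
    size_t used = 0;
    size_t n = d2_split_packets(sample_buf, sizeof sample_buf, print_pkt, NULL, &used);
    printf("%zu packets, %zu of %zu bytes consumed\n", n, used, sizeof sample_buf);
    return 0;
}
```

The two checks worth copying into a real bot are the ones the game itself skimps on: reject command IDs at or above NUM_SCMDS instead of trusting the table index, and never advance past a packet whose declared length exceeds the bytes actually on hand, since a single bad length silently desynchronises every packet that follows it in the clump.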