| Author | Message | Time |
|---|---|---|
| For.Rest | // add more info if you know [code] // Packets Listing C/C++: #pragma pack(1) // its start part of all packets in Warcraft III Game Sysyem struct sW3GS_PACKETINFO { BYTE sig; // always 0xF7 BYTE psig; // packet signature (example: W3GS_SEARCHGAME) WORD size; // packet size BYTE pktData[1]; // packet data }; // Local Network // this is part of many packets struct sW3GS_GAME { DWORD gamesig; // game signature PX3W for example DWORD crcount; // creation counter }; struct sW3GS_GAMEP { sW3GS_GAME data; DWORD pcount; // players in game }; #define W3GS_SEARCHGAME 0x2F // Sends to all local network to detect game struct sW3GS_SEARCHGAME { sW3GS_GAMEP data; // data.pcount always zero }; #define W3GS_GAMEINFO 0x30 // Answer from host about game struct sW3GS_GAMEINFO { sW3GS_GAMEP data; w_char* //..... game name, host name and other // dont remember ... because not used it }; #define W3GS_CREATEGAME 0x31 // Host spams local network about created game struct sW3GS_CREATEGAME { sW3GS_GAMEP data; }; #define W3GS_REFRESHGAME 0x32 // Host spams local network about game (happens every 5 seconds or refresh slots) struct sW3GS_REFRESHGAME { sW3GS_GAMEP data; DWORD slots; // total slots in game }; #define W3GS_DECREATEGAME 0x33 // Host decreates game (spam local network) struct sW3GS_DECREATEGAME { sW3GS_GAME data; }; // In game (after start and loadding) #define W3GS_CLIENTSYNC 0x27 // Clients Sync packets (only if packet size = 9) #define W3GS_CLIENTACTREQ 0x26 // Client requests action struct sW3GS_CLIENTACTREQ { SHORT sync; // dont know - maby sync value SHORT crc16; // possible crc16 BYTE subPktData[1]; // sub packet data - consist game command }; #define W3GS_HOSTSYNC 0x0C // Host Sync packets or/with actions (only sync when packet size = 6) #define W3GS_HOSTACT 0x0C struct sW3GS_HOSTACT { SHORT sync; // 0x6D | 0x6E | 0x7D - possible sync SHORT crc16; // possible crc16 value BYTE playerNum; // 1 (for host) SHORT subPktSize; // sub packet size = packet size - 11 BYTE subPktData[1]; // sub packet data - consist game command }; // commands description and structures (not all) // structure of any object in game (for example: Town Hall or Peon) struct sW3GS_OBJECT { BYTE id1; // first part of object ID SHORT race; // object race id BYTE zero1; // always zero BYTE id2; // second part of object ID SHORT race_dup; // same as race (duplicate) BYTE zero2; // always zero }; // so total object ID will be RACE:ID // 0xFFFFFFFF 0xFFFFFFFF for unknow objects (all 0xFF) - it means no target or ground point // commands list (not all) #define W3GS_CMD_ACTION 0x10 // stop / hold position / auto cast on off / buy item ... and more #define W3GS_CMD_CREATE 0x11 // build structure #define W3GS_CMD_MOVE 0x12 // move unit #define W3GS_CMD_DROPITEM 0x13 // drop item from slot #define W3GS_CMD_SELECT 0x16 // change selection add or remove #define W3GS_CMD_VIEW 0x1A // change view of unit or structure (TAB button changes view) #define W3GS_CMD_BLINK 0x68 // blink on the map #define W3GS_CMD_CANCEL 0x1E // cancel upgrade or something // structure of any command struct sW3GS_CMD_ANY { BYTE cmd; // Command (example: W3GS_CMD_ACTION) BYTE opCode; // Command operation code - each command have self unique operation codes BYTE data[1]; // consist command data }; // operation codes for some commands #define W3GS_CMD_SELECT_ADD 0x01 // Add selection #define W3GS_CMD_SELECT_REM 0x02 // Remove selection #define W3GS_CMD_VIEW_OP 0x19 // Change view group struct sW3GS_CMD_SELECT { BYTE cmd; // Command W3GS_CMD_SELECT BYTE opCode; // Command operation code - each command have self unique operation codes SHORT count; // count of object to operate sW3GS_OBJECT objects[1]; // one or more objects }; struct sW3GS_CMD_VIEW { BYTE cmd; // Command W3GS_CMD_VIEW BYTE opCode; // Command operation code - each command have self unique operation codes DWORD type; // string type of object sW3GS_OBJECT object; // first object in view group }; struct sW3GS_CMD_BLINK { BYTE cmd; // Command W3GS_CMD_BLINK FLOAT x; // x y coordinates on the map FLOAT y; DWORD color; // possibly blink color }; // modes and types of move for structure sW3GS_CMD_MOVE (any mode can be combined together) #define W3GS_CMD_MOVE_MODE_QUED 0x01 // happens when shifting targets #define W3GS_CMD_MOVE_MODE_INTO 0x02 // dont remember inside what? #define W3GS_CMD_MOVE_MODE_CREATE 0x04 // create what? ... #define W3GS_CMD_MOVE_MODE_GRP 0x08 // action on all group (not used for single units) #define W3GS_CMD_MOVE_MODE_SAVEGRP 0x10 // save group form #define W3GS_CMD_MOVE_MODE_NOMOVE 0x40 // dont move, target only to coordinates #define W3GS_CMD_MOVE_TYPE_MOVE 0x03 // move units to x y #define W3GS_CMD_MOVE_TYPE_ATTACK 0x0F // attack target at x y (if target hides this will be coodrinates to move) #define W3GS_CMD_MOVE_TYPE_PATROL 0x16 // patrol to point x y struct sW3GS_CMD_MOVE { BYTE cmd; // Command W3GS_CMD_MOVE BYTE mode; // move mode BYTE zero; // always zero? SHORT type; // move type SHORT unknow; // always 0x000D? sW3GS_OBJECT objUnknow; // always 0xFFFFFFFF FFFFFFFF FLOAT x; // x y coordinates on the map FLOAT y; sW3GS_OBJECT target; // target object }; struct sW3GS_CMD_CANCEL { BYTE cmd; // Command W3GS_CMD_CANCEL BYTE zero; DWORD type; // string type of object }; #define W3GS_CMD_DROPITEM_TYPE_ITEM 0x44 // object type to drop struct sW3GS_CMD_DROPITEM { BYTE cmd; // Command W3GS_CMD_CANCEL SHORT type; // W3GS_CMD_DROPINTM_TYPE_ITEM BYTE slot; // from 0x21 to 0x27 BYTE zero; BYTE unknow; // always 0x000D? sW3GS_OBJECT objUnknow; // always 0xFFFFFFFF FFFFFFFF? FLOAT x; FLOAT y; sW3GS_OBJECT target; // target getting item or 0xFFFFFFFF FFFFFFFF for ground point (if target hides from view then ground point) sW3GS_OBJECT item; // item object to operate }; #define W3GS_CMD_CREATE_MODE_BUILD 0x04 struct sW3GS_CMD_CREATE { BYTE cmd; // Command W3GS_CMD_CREATE SHORT mode; // W3GS_CMD_CREATE_MODE_BUILD DWORD type; // string object type sW3GS_OBJECT objUnknow; // always 0xFFFFFFFF FFFFFFFF? FLOAT x; // x y location to build/create FLOAT y; }; #define W3GS_CMD_ACTION_MODE_BATTLE 0x0000 // stop or hold position #define W3GS_CMD_ACTION_MODE_CAST 0x0102 // autocast on off #define W3GS_CMD_ACTION_MODE_DO 0x0040 // build / cancel build / buy item / upgrade ability #define W3GS_CMD_ACTION_MODE_RESEARCH 0x0046 // upgrade building / train unit struct sW3GS_CMD_ACTION { BYTE cmd; // Command W3GS_CMD_ACTION SHORT mode; // W3GS_CMD_CREATE_MODE_BUILD DWORD type; // string object type or options (depends on command) object type for train unit or upgrade sW3GS_OBJECT objUnknow; // always 0xFFFFFFFF FFFFFFFF? }; // end of command list #define W3GS_MAPCHECK 0x3D // check map size and path struct sW3GS_MAPCHECK { DWORD unknow; // dont remember char mapPath[1]; // null terminated path DWORD fileSize; // size of file (don use this pointer it must be calculated) }; #define W3GS_MAPSIZE 0x42 // map size downloaded or have struct sW3GS_MAPSIZE { BYTE unknow[5]; // dont remember DWORD fileSize; // got size of map file (you can block download if fileSize not equal fileSize in map check structure) }; #define W3GS_STARTDOWNLOAD 0x3F // host or any other client sends this to prepare other client for download map #define W3GS_MAPPART 0x43 // Part of map file struct sW3GS_MAPPART { BYTE unknow[6]; // dont remember DWORD filePos; // block position in file (blockSize = 1442, doneSize = blockSize + filePos) BYTE data[1442]; // block data }; #define W3GS_MAPPARTOK 0x44 // Part of map success downloaded (client sends this) struct sW3GS_MAPPARTOK { BYTE unknow[6]; DWORD filePos; }; #define W3GS_REQJOIN 0x1E // Request join game struct sW3GS_REQJOIN { BYTE unknow1[9]; // dont remember SHORT gamePort; // player game port DWORD playCounter; // count of game player joined char playerName; // null terminated string SHORT unknow2; sockaddr_in internal; // internal player IP }; #define W3GS_HOSTECHOREQ 0x01 // Host request echo from client (every 30 seconds) #define W3GS_HOSTECHORES 0x46 // Host response echo from client struct sW3GS_ECHO { DWORD tickCount; // value from GetTickCount(); so ping = (GetTickCount()-tickCount)/2; for lan it can be 0 }; #define W3GS_CLIENTECHOREQ 0x35 // Client request echo from other client (every 10 seconds) #define W3GS_CLIENTECHORES 0x36 // Client response echo from other client // if you smart you can get ping to host simply // most hard part is understand how slot system works when player joins game #define W3GS_SLOTINFOJOIN 0x04 // Host sends this packet to say client all slots status and where he is joining #define W3GS_SLOTINFO 0x09 // Host sends this packet to say client all slots status only // check of this packets should be combined togetger in one pass // better show part of my prog and 3 structures of packet, playerPos its player slot, playerNum its player unique number (0 for host) /* struct gameSlot { unsigned char playerNumber; // 0 - if not human unsigned char download; // 0x64 - 100%, 0xFF for not humans unsigned char slotStatus; // 0 - open, 1 - closed, 2 - controlled unsigned char controller; // 1 - computer, 0 - human or opened or closed unsigned char clan; // Clan Number-1 unsigned char color; // Color from 0 to 11 // 12 - No Color for free slots unsigned char team; // Team Number unsigned char controllerType; // 0 - easy comp, 2 - hard comp, 1 - human or normal comp unsigned char handicap; // Handicap from 0 to 0x64=100 }; struct gameSlotsBegin { unsigned short size; unsigned char slotCount; gameSlot slot[1]; }; struct gameSlotsEnd { DWORD hostTickCount; unsigned char gameType; unsigned char slotCount; unsigned char addition[1]; }; struct gameSlotsAddition { unsigned char playerNum; // Number of player (UID) sockaddr_in addr; // Player Address }; */ /* case 0x04: case 0x09: { if (gameState < 2) { if ((dirin == true) && (pkt->type == 0x04)) { startPingHost(si); memset(&slots,0,sizeof(slots)); } gameSlotsBegin *gsb = (gameSlotsBegin*)(pkt->data); gameSlotsEnd *gse = NULL; gameSlotsAddition *gsa = NULL; if (gsb->size == 0) { slots.slotCount = 0; if (pkt->type == 0x04) gsa = (gameSlotsAddition*)&(gsb->slotCount); } else { slots.slotCount = gsb->slotCount; if (slots.slotCount <= 12) { memcpy(slots.slot,gsb->slot,sizeof(gameSlot)*slots.slotCount); for (int i = 0; i < 12; i++) { slots.map[i] = -1; } for (int i = 0; i < slots.slotCount; i++) { int pn = (int)(slots.slot[i].playerNumber)-1; if (pn >= 0) slots.map[pn] = i; } } gse = (gameSlotsEnd*)((DWORD)gsb->slot + (gsb->slotCount*sizeof(gameSlot))); if (pkt->type == 0x04) gsa = (gameSlotsAddition*)(gse->addition); } if (gsa) { int playerPos = gsa->playerNum - 1;; if ((playerPos >= 0) && (playerPos < 12)) { // Inserting Player Info slots.playCounter[playerPos] = si->playCounter; strcpy(slots.playerNames[playerPos],si->playerName); slots.sock[playerPos] = si->s; si->playerPos = playerPos; si->player = true; if (dirin == true) { slots.intAddr[playerPos] = si->internal; slots.extAddr[playerPos] = si->internal; slots.ping[playerPos] = bnetPing; slots.myNum = playerPos; strcpy(slots.from[playerPos],"--"); } else { slots.intAddr[playerPos] = si->internal; slots.extAddr[playerPos] = si->remote; slots.ping[playerPos] = -1; memset(slots.from[playerPos],0,2); } } } */ #define W3GS_PLAYERINFO 0x06 // player name and number struct sW3GS_PLAYERINFO { DWORD playCounter; BYTE playerNum; char playerName[1]; // null terminated string SHORT unknow; sockaddr_in ext; // external IP (not for host, host always zero) sockaddr_in int; // internal IP (not for host, host always zero) }; // f737 1200 02000000 00000000 06 ff 5e000000 #define W3GS_CLIENTINFO 0x37 // client send to other client info about self when connected struct sW3GS_CLIENTINFO { DWORD playCounter; DWORD zero; BYTE playerNum; BYTE unknow[5]; // first FF posibly status of player }; #define W3GS_LEAVEREQ 0x21 // client requests leave struct sW3GS_LEAVEREQ { BYTE playerNum; BYTE zero[3]; }; #define W3GS_LEAVERES 0x1B // host response (you can leave) after this connection terminated #define W3GS_LEAVER 0x07 // host spams all clients about leaver // only socket hook can detect is it Disconnect or Leaving of player struct sW3GS_LEAVER { BYTE playerNum; }; #define W3GS_ 0x34 // messages from other players or change positions #define W3GS_ 0x28 #define W3GS_ 0x0F // im tired explaining ^^ (3 hours doing this) #define W3GS_START 0x0A // Start game #define W3GS_LOADDING 0x0B // Start loadding (after this you cannot leave game) #define W3GS_CLIENTRDY 0x08 // Host spams to all that Player loadded and ready except loadded player #define W3GS_READY 0x23 // Clients tells to host that they are ready // i think its enough for me now // ill complete it late and hope you help me // sry for my bad english // please dont use it for cheating // posible cheats ... detect player destination ... and other tricks ... // all information was got by me analysing packets long long time [/code] [size=1]Edit by MyndFyre: added code tags[/size] | May 12, 2006, 9:10 PM |
| bethra | Nice. | May 12, 2006, 9:59 PM |
| HeRo | oh god i love you! | May 12, 2006, 11:18 PM |
| DotA.For.Rest | unknown left only game commands. i mean W3GS_CMD_ .... i cant catch them all playing one map. i think there are more of them. if u found them tell us here i need help to design battle.net WC3 TFT Dedicated Game Host with vote system for clients. so need to search all info about W3GS for that. this type host will not move but can type game mode for maps such DotA Allstars. and maby host can be server but not player, like it does by ladder game. battlenet is server but not player in ladder. also some packets structures only for Custom Games. Ladder have others. for example W3GS_SLOTINFOJOIN and W3GS_SLOTINFO im not tryed to understand how Ladder works. if some one do research this way post it here. | May 13, 2006, 2:18 AM |
| DotA.For.Rest | For.Rest and DotA.For.Rest is same user. im just forgot my password and set wrong email. so cant restore it. | May 13, 2006, 2:20 AM |
| PaiD | o cool, Thanks. This helps :p | May 13, 2006, 3:43 AM |
| HeRo | shouldn't this be in references? | May 14, 2006, 3:50 AM |
| Myndfyr | [quote author=HeRo link=topic=14970.msg152425#msg152425 date=1147578618] shouldn't this be in references? [/quote] It'll be moved after it's scruitinized by the community. Wouldn't much like moving it there if the information is wrong. | May 14, 2006, 7:23 AM |
| DotA.For.Rest | Soon ill add examples of all known by me packets with description, except command packets, also try to explain BNE packet 0x09 which contains custom game list. Need time to collect and write all data. I hope this info will be added to Reference of this site with my Name. from DotA.For.Rest@Northrend - Paul. Im real member of clan TDA, and working on programming side of this clan only on Europe realm. we do not use cheats - we adding to game more functions. for example im Working on Project called WC3 GRest Mod wich adds some special command to chat, its like Banlist.NL but more futures. | May 15, 2006, 4:45 AM |
| UserLoser | Format of messages over network are basically the same as the replay file format...I guess if you're familiar with the replay file format (.w3g) this would be a breeze for you. About two years ago I had written a client that hosted a custom game on Tides of Blood. It was quite interesting, source was lost. Edit: After disassemblying my old bot and patching the authentication: [img]http://f5.putfile.com/5/13404381759.png [/img] | May 15, 2006, 7:06 AM |
| DotA.For.Rest | working on explain text of all packets except command packet. ty for information about w3g. ill try to found info about this file format. maby it will help to understand how it works | May 15, 2006, 9:29 AM |
| Myndfyr | Look into W3Chart for more info. :) | May 15, 2006, 10:06 AM |
| DotA.For.Rest | ty for link. i will post packet explain part by part. cuz there are alot of explanations. also i will post moments where i need help to find out. | May 15, 2006, 10:53 AM |
| DotA.For.Rest | IPs of two computers that i used for testing and grabbing packets 192.168.0.1 - Host 192.168.0.3 - Client Lookup LAN Game W3GS_SEARCHGAME 0x2F OUT 255.255.255.255:06112 LEN:16 [code] · / · · P X 3 W · · · · · · · · f7 2f 1000 50583357 14000000 00000000 |W3GS Signature |Packet Signature |Packet Size |Game Signature |Always 0x14? Maby its game version |Zero [/code] Create LAN Game W3GS_CREATEGAME 0x31 OUT 255.255.255.255:06112 LEN:16 [code] · 1 · · P X 3 W · · · · · · · · f7 31 1000 50583357 14000000 03000000 |W3GS Signature |Packet Signature |Packet Size |Game Signature |Always 0x14? Maby its game version |Creation Counter [/code] Refresh LAN Game (every 5 seconds or slot change) W3GS_REFRESHGAME 0x32 OUT 255.255.255.255:06112 LEN:16 [code] · 2 · · · · · · · · · · · · · · f7 32 1000 03000000 01000000 04000000 |W3GS Signature |Packet Signature |Packet Size |Creation Counter |Client players in game (host counted) |Total client slots (do not counts computers or closed slots) [/code] Decreates LAN Game (happens when decrates game or game starts loadding) W3GS_DECREATEGAME 0x33 OUT 255.255.255.255:06112 LEN:8 [code] · 3 · · · · · · f7 33 0800 02000000 |W3GS Signature |Packet Signature |Packet Size |Creation Counter [/code] | May 15, 2006, 10:55 AM |
| DotA.For.Rest | Response LAN Game Info (response on client game search W3GS_SEARCHGAME) W3GS_GAMEINFO 0x30 OUT 192.168.000.003:06112 LEN:117 [code] · 0 u · P X 3 W · · · · · · · · · V · · · · · · · · · · ( F o r . R e s t ) · f7 30 7500 50583357 14000000 01000000 e4569f00d098d0b3d180d0b02028466f722e526573742900 |W3GS Signature |Packet Signature |Packet Size |Game Signature |Always 0x14? Maby its game version |Creation Counter |Game Name (UTF-8 Coded) null terminated string [/code] [code] · · · I · · · 00 01034907 0101 |Zero |0x01010101 - Always |0x00000010 - Unit share |0x00000040 - Unknow - only set on map "(12)DivideAndConquer.w3m" |0x00000004 - Closed map |0x00000200 - Fast game speed |0x00030000 - Visibility: map explored |0x00050000 - Visibility: always visible (no fog of war) |0x00080000 - Visibility: default |0x00200000 - Observers on Defeat |0x00300000 - Additional players as observer allowed |0x00400000 - Teams Together (team members are placed at neighbored starting locations) |0x06000000 - Fixed teams |Default 0x07490301 |Default 0x0101 |0x0101 - Always |0x0040 - Referees |0x0002 - Random hero |0x0004 - Random races [/code] ----Coded Part of Packet---- [code] } · · } · · · · C M · a q s ] ) 5 ) · M o s u U e m · q m e / w 3 m · · G o s / S e · s u · · · 7d01 997d01a3df1d434d 8b6171735d293529 cd4d6f737555656d e9716d652f77336d 8901476f732f5365 037375010100 |Coded tag (this tag same as coded data start) <----over here |Coded Data ends on 0x000101 over here --------------------------------------------------------> |last Zero is not Coded - it used only for detect end of Coded data |Decode is simple: all Coded data splited by 8 bytes blocks |First byte of each block is first bits of 7 bytes data bit0 always 1 |Bit1 represents bit0 of byte1, bit2 represents bit0 of byte2 ... |Left 7 bytes bit0 set to 1 for coded data |Decoded result of our example will be: | M a p s \ ( 5 ) L o s t T e m p l e . w 3 m F o r . R e s t |7C00 A3DF1C42 4D6170735E2835294C6F737454656D706C652E77336D00 466F722E526573740000 \unknow SHORT value High byte always 0 - so its seems CRC8 of CRC32? \Map file CRC32 \Map path (null terminated string) \Host Player name (null terminated) [/code] ----End of Coded Part---- [code] · · · · · · · · · · · · · · · · · · · · · · 04000000 09000000 01000000 04000000 00000000 e017 |Total game slots (count all slots) |0x00000009 - Blizzard map tag |0x00000001 - Custom map tag |Always 0x00000001? |Free game slots (aviable for player connection) |Hosting time in seconds |Hosts client port [/code] Now i need help to understad what means part of decoded data 7C00 A3DF1C42 its not depends on packet data at all, i think it depends on map file size or CRC32 of map file ... need to find out | May 15, 2006, 11:59 AM |
| maldn | those bytes you dont know are gamesettings (first 64bit) and map-checksum (4 byte) see w3g_format.txt for more information. | May 15, 2006, 12:16 PM |
| DotA.For.Rest | thanks but still unknown 2 bytes before map checksum | May 15, 2006, 1:01 PM |
| maldn | did you check w3g_format.txt? the bytes right after the 0x00 after the gamename up to the next 0x00 are all one encoded string. well... they are 3 actually. so those 2 bytes you think are unknown are just those 2 bytes you have more before decoding. but i have spotted something else... after the gameID field there are some interesting bytes: [code] e4569f00d098d0b3d180d0b0 these are your bytes. lets do a bit of formating... e4 56 9f 00 | those bytes are most likely a timestamp / uptime of your wc3-client bur now comes something i can not see in my dumps. d0 98 d0 b3 | == htonl(179 208 152 208) d1 80 d0 b0 | == htonl(176 208 128 209) looks like ip-adresses to me... but i cant find them in my dumps... those 16 bytes are simply missing here is one of mine: maldn@malte ~/pcap $ hexdump -C dieses-game-hab-ich-fuer-dich 00000000 f7 30 73 00 50 58 33 57 14 00 00 00 02 00 00 00 |.0s.PX3W........| 00000010 3a 04 47 00 4c 6f 6b 61 6c 65 73 20 53 70 69 65 |:.G.Lokales Spie| 00000020 6c 20 28 6d 61 6c 64 6e 70 29 00 00 01 03 49 07 |l (maldnp)....I.| 00000030 01 01 a1 01 89 49 01 0f cd 6b 35 4d 8b 61 71 73 |.....I...k5M.aqs| 00000040 5d 29 33 29 ad 43 6f 6f 75 79 43 61 bb 79 2f 77 |])3).CoouyCa.y/w| 00000050 33 6d 01 6d 03 61 6d 65 6f 71 01 01 00 02 00 00 |3m.m.ameoq......| 00000060 00 09 00 00 00 01 00 00 00 02 00 00 00 15 00 00 |................| 00000070 00 e0 17 |...| also the packets send by waaaghtv doesnt seem to include those bytes too: f7 | wc3-packet start 30 | packet-type (gameinfo) 82 00 | length (130) 50 58 33 57 | PX3W (Frozen-Throne game) 14 00 00 00 | version 0x14=20 -> 1.20 ef 1f 00 01 | gameid ff 2e 80 00 | timestamp (?) 21 57 43 43 | gamename 4c 20 55 57 | null terminated string: 4b 20 76 73 | 21 57 43 43 4c 20 55 57 4b 20 76 73 2e 20 53 4b 20 23 36 00 2e 20 53 4b | => ! W C C L _ U W K _ v s . _ S K _ # 6 '\0' 20 23 36 00 | (sorry, this was borrowed from wtv ;-) ) 00 | allways 0x00 01 03 79 | <- start of encoded string 07 41 01 93 | see section for decoding/encoding those strings. --snip-- [/code] oh, and i have some docs about wc3-lan-games and packets and such, but havent posted them b/c they are not complete nor very polished. but since this is now an active topic here in the forums i might post them in the next few days. | May 15, 2006, 1:22 PM |
| DotA.For.Rest | Request Join Game (clients send this on every try to join game) W3GS_REQJOIN 0x1E IN 192.168.000.003:01040 LEN:42 [code] · · 3 · · · · · · · 8 · · · · · · · · R u s s i a . O n l i n e · · · · · · · · · · · · · · · · · · · f7 1e 3300 05000000 fed83814 00 e117 02000000 5275737369612e4f6e6c696e6500 0100 020017e0c0a80003 00000000 00000000 |W3GS Signature |Packet Signature |Packet Size |Join game counter of client |GetTickCount WinAPI value only for LAN games (Zero for battle.net games) |Always zero? |External game port (used by others Game clients to connect to this client) |Total game join/create counter |Client name (null terminated string) |Always 0x0001? |Internal client IP and Port (sockaddr_in structure) |Always zero? |Always zero? [/code] Reject Join Game (host Rejects join game request W3GS_REQJOIN) W3GS_REJECTJOIN 0x05 OUT 192.168.000.003:01047 LEN:8 [code] · · · · · · · · f7 05 0800 09000000 |W3GS Signature |Packet Signature |Packet Size |Always 0x0000009? [/code] Accept Join Game with Slot info (host send this to client on W3GS_REQJOIN) W3GS_SLOTINFOJOIN 0x04 Update Slot info (host send this to client on slot changes) W3GS_SLOTINFO 0x09 OUT 192.168.000.003:01046 LEN:48 [code] · · 0 · · · f7 04 3000 1900 |W3GS Signature |Packet Signature |Packet Size |SlotsInfo size (can be 0 if host updating slots at this moment) [/code] ----SlotsInfo---- (optional for W3GS_SLOTINFOJOIN) [code] · · d · · · · ` · d · · · · · · ` · d 02 016402000000600164 00ff0000010c600164 016402000000600164 026402000101410164 016402000000600164 026402000001410164 016402000000600164 026402000101480164 |Count of slots (can be 0 for example in ladder game) |Slot1 (9 bytes) |Slot2 (9 bytes) ... \PID - Player ID (0 - not client, 1 - host) \Download status (0x64 - 100%, 0xFF - not client) \SlotStatus (0 - open, 1 - closed, 2 - controlled) \Controller (1 - computer, 0 - human/open/closed) \Team Number from 0 to 11 (12 - free/observer/referee) \Color Number from 0 to 11 (12 - free/observer/referee) \Race flags \0x01 - Human \0x02 - Orc \0x04 - Night Elf \0x08 - Undead \0x20 - Random \0x40 - Race selected or fixed by map or ladder game \Controller Type (0 - easy comp, 2 - hard comp, 1 - human/normal comp) \Handicap from (valid values: 0x32, 0x3C, 0x46, 0x50, 0x5A, 0x64) - · · · · · 2dd21302 00 02 |GetTickCount WinAPI value of host |Always zero? ( 0xCC for ladder game) |Count of slots (end tag?) (0xCC for ladder game) [/code] ----SlotsInfo End---- ----JoinInfo---- (only for W3GS_SLOTINFOJOIN) [code] · · · · · · · · · · · · · · · · · 02 02000416c0a80003 00000000 00000000 |PID - Player ID that host gives to client |Host side client IP and Port (sockaddr_in structure) |Always zero? |Always zero? [/code] ----JoinInfo End---- Player information (host send this to each client on every player) W3GS_PLAYERINFO 0x06 OUT 192.168.000.003:01053 LEN:52 [code] · · 4 · · · · · · F o r . R e s t · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · · f7 06 3400 12000000 01 466f722e5265737400 0100 0000000000000000 00000000 00000000 0000000000000000 00000000 00000000 |W3GS Signature |Packet Signature |Packet Size |Player join/create counter |PID |Player name (null terminated) |Always 0x0001? |External player IP and Port (sockaddr_in structure) (Zero for host) |Always Zero? |Always Zero? |Internal player IP and Port (sockaddr_in structure) (Zero for host) |Always Zero? |Always Zero? [/code] | May 15, 2006, 3:02 PM |
| DotA.For.Rest | [quote author=maldn link=topic=14970.msg152496#msg152496 date=1147699374] did you check w3g_format.txt? the bytes right after the 0x00 after the gamename up to the next 0x00 are all one encoded string. well... they are 3 actually. so those 2 bytes you think are unknown are just those 2 bytes you have more before decoding. but i have spotted something else... after the gameID field there are some interesting bytes: oh, and i have some docs about wc3-lan-games and packets and such, but havent posted them b/c they are not complete nor very polished. but since this is now an active topic here in the forums i might post them in the next few days. [/quote] yes i found all documentation on w3g and have readed it. about 2 or 3 bytes it depends on Decoded data size. Decoded data always ends with 2 zeroes, but if size of Decoded data for example 8 with counting zeroes, then last zero is next coded block. and as it says first byte is represends bits0 of all data bytes. but we have zero there so result last block will be 010100. String data will be any 6 bytes and 2 zero, first 7 bytes - first block + 1 coder byte, last block 1 byte (zero) + 1 coder byte. this is moment where you think that data have 3 zeroes. but its fake. about game packets - no need this here cuz i have all packets info, just need time to make it english. last question was COMMAND packets in game, but after reading W3G format there is no more questons. just wait all my info, or find bugs, or help to find field explain if i have no it im posting all W3GS packets info, not only LAN, lan is easy to start explain | May 15, 2006, 3:12 PM |
| maldn | first of all: please(!) change your formating to something readable. yours is barely readable... [quote author=DotA.For.Rest link=topic=14970.msg152499#msg152499 date=1147705334] Request Join Game (clients send this on every try to join game) W3GS_REQJOIN 0x1E IN 192.168.000.003:01040 LEN:42 [code] · · 3 · · · · · · · 8 · · · · · · · · R u s s i a . O n l i n e · · · · · · · · · · · · · · · · · · · f7 1e 3300 05000000 fed83814 00 e117 02000000 5275737369612e4f6e6c696e6500 0100 020017e0c0a80003 00000000 00000000 |W3GS Signature |Packet Signature |Packet Size |Join game counter of client |GetTickCount WinAPI value only for LAN games (Zero for battle.net games) |Always zero? |External game port (used by others Game clients to connect to this client) |Total game join/create counter |Client name (null terminated string) |Always 0x0001? |Internal client IP and Port (sockaddr_in structure) |Always zero? |Always zero? [/code] [/quote] read https://davnit.net/bnet/vL/index.php?topic=14964.0 and comment there. [quote author=DotA.For.Rest link=topic=14970.msg152499#msg152499 date=1147705334] Reject Join Game (host Rejects join game request W3GS_REQJOIN) W3GS_REJECTJOIN 0x05 OUT 192.168.000.003:01047 LEN:8 [code] · · · · · · · · f7 05 0800 09000000 |W3GS Signature |Packet Signature |Packet Size |Always 0x0000009? [/code] [/quote] oh, and go read some more about endianess, ntohl(0x09000000) != 0x00000009 ! its 0x00000090 [quote author=DotA.For.Rest link=topic=14970.msg152499#msg152499 date=1147705334] Accept Join Game with Slot info (host send this to client on W3GS_REQJOIN) W3GS_SLOTINFOJOIN 0x04 Update Slot info (host send this to client on slot changes) W3GS_SLOTINFO 0x09 OUT 192.168.000.003:01046 LEN:48 [code] · · 0 · · · f7 04 3000 1900 |W3GS Signature |Packet Signature |Packet Size |SlotsInfo size (can be 0 if host updating slots at this moment) [/code] ----SlotsInfo---- (optional for W3GS_SLOTINFOJOIN) [code] · · d · · · · ` · d · · · · · · ` · d 02 016402000000600164 00ff0000010c600164 016402000000600164 026402000101410164 016402000000600164 026402000001410164 016402000000600164 026402000101480164 |Count of slots (can be 0 for example in ladder game) |Slot1 (9 bytes) |Slot2 (9 bytes) ... \PID - Player ID (0 - not client, 1 - host) \Download status (0x64 - 100%, 0xFF - not client) \SlotStatus (0 - open, 1 - closed, 2 - controlled) \Controller (1 - computer, 0 - human/open/closed) \Team Number from 0 to 11 (12 - free/observer/referee) \Color Number from 0 to 11 (12 - free/observer/referee) \Race flags \0x01 - Human \0x02 - Orc \0x04 - Night Elf \0x08 - Undead \0x20 - Random \0x40 - Race selected or fixed by map or ladder game \Controller Type (0 - easy comp, 2 - hard comp, 1 - human/normal comp) \Handicap from (valid values: 0x32, 0x3C, 0x46, 0x50, 0x5A, 0x64) - · · · · · 2dd21302 00 02 |GetTickCount WinAPI value of host |Always zero? ( 0xCC for ladder game) |Count of slots (end tag?) (0xCC for ladder game) [/code] [/quote] see https://davnit.net/bnet/vL/index.php?topic=14965.0 and comment there please. i have some slightly different stuff there... especially after the player-records i have captured some more bytes. can you please post your original dump in that thread? and can you also post there some more info about the SlotInfo size field? i dont get why this can be zero, never seen that. do you get a 0x09 for all players then? [quote author=DotA.For.Rest link=topic=14970.msg152499#msg152499 date=1147705334] [code] · · · · · · · · · · · · · · · · · 02 02000416c0a80003 00000000 00000000 |PID - Player ID that host gives to client |Host side client IP and Port (sockaddr_in structure) |Always zero? |Always zero? [/code] [/quote] when/where do you get this? can you please post full dump? | May 16, 2006, 2:17 PM |
| DotA.For.Rest | i understand what about you talking ... ill change all formating my info to more readable. also ill post it in new topic where i will change first post on every change. i will call it W3GS_format.txt. and there ill try post all diferent packets to understand how they comes. sry my bad english. this topic was my first in my life of this type, i mean information type, about structure of packets. and ntohl(0x09000000) = 0x00000009; cuz 09 00 00 00 is hex format, each 2 symbols is byte, only bytes reverts theyr positions. im programming 18 years and beleave me i know it! try simple ASM code: mov eax, 0x09000000 bswap eax // which means ntohl(eax) after this eax will be 0x00000009 its just example. i love assembler, and maby most of my examles will be asm coded. assembler code works much faster than compiled C/C++ code, thats why i used it. THIS TOPICK IS CLOSED FOR NOW. PLEASE WAIT WHILE I OPEN NEW TOPICK WITH NAME: W3GS_Format.txt | May 16, 2006, 2:39 PM |
| maldn | [quote author=DotA.For.Rest link=topic=14970.msg152500#msg152500 date=1147705950] ... Decoded data always ends with 2 zeroes, but if size of Decoded data for example 8 with counting zeroes, then last zero is next coded block. and as it says first byte is represends bits0 of all data bytes. but we have zero there so result last block will be 010100. String data will be any 6 bytes and 2 zero, first 7 bytes - first block + 1 coder byte, last block 1 byte (zero) + 1 coder byte. this is moment where you think that data have 3 zeroes. but its fake. [/quote] wtf?!? i doubt anyone, even yourself, has understood that beast-of-a-textblock! i just wanted to say, that you are not decoding the gameSettings. you start too late. read w3g_format.txt again. also, if you actually checked the checksum, you would have noticed that this is not crc32... or your LT is different. mine has fbbe9d57. [quote author=DotA.For.Rest link=topic=14970.msg152500#msg152500 date=1147705950] about game packets - no need this here cuz i have all packets info, just need time to make it english. last question was COMMAND packets in game, but after reading W3G format there is no more questons. just wait all my info, or find bugs, or help to find field explain if i have no it im posting all W3GS packets info, not only LAN, lan is easy to start explain [/quote] I strongly advise you to not make that information public. if you have understood the actual game-data, you know why. I can understand that its hard to not say: "hey look how cool i am, i decoded this all!" but one can do just too much harm to the game with this... problem is: you provide stupid kids with info (or better even, code) that can be very easily misused (cheat). and worst: blizzard cant do anything against it! so, reconsider publishing this! perhaps such a discussion had already taken place here on this forum, or maybe we start one :P p.s. if you do not believe that this is serious shit, i can post a screenshot of some PoC code of mine i had written in like 3-4 hours showing a serious threat to wc3/battle.net. p.p.s DONT CHEAT! | May 16, 2006, 3:07 PM |
| maldn | [code] maldn@localhost ~ $ cat mooh.c && echo "--" && gcc mooh.c && echo "--" && ./a.out #include <stdio.h> #include <arpa/inet.h> int main() { printf("0x%08x\n", ntohl(0x90000000)); } -- -- 0x00000090 maldn@localhost ~ $ [/code] nevermind ;-) maldn EDIT: omfg, i guess i should have gone to bed long ago :P my eyes cant differentiate 0x09 and 0x90 ... sry :) | May 16, 2006, 3:10 PM |
| DotA.For.Rest | this topick moved to https://davnit.net/bnet/vL/index.php?topic=14994.0 you sad kids can use it for cheating ... you are wrong ... game sends only target commands (while in game) all path, damage, and other is calculated by warcraft client, so even u will know where other player moves - it will not let u spuff packet to attack him for example if he invisible. also you should know that most of kids use MapHack... its more easy way to see what enemy do... also you should know that MoneyHack can pool money from player to player without understand packet strucrures. also you should know that DropHack and many others cheats done! all cheats aviable ... so there is no reason to do this again this documentation will help many of smart guys to create theyr own Banlists programs, or AMP calculators in game, or some other usefull addons. you cant do BOT without understand how War3 client works! beat me if im not right! | May 16, 2006, 4:03 PM |
| maldn | its not about hacks like bots or true maphack or something.... but knowing what race, hero starting position, expansions etc. your enemy is going is a cheat... see http://img207.imageshack.us/my.php?image=info19hd.png this screenshot was taken while playing against my roommate who took random. and dont tell me this sort of info is no help. note: this should work in battle.net games as well, and is undetectable by blizzard! @ mods: remove the link to the image if you feel like this may inspire kids do bad things... | May 16, 2006, 8:08 PM |
| DotA.For.Rest | man . theres alot of cheats that blizzard cant detect. one of them MapHack - will not give link to this one. i just want to say that all this hacks aviable for download. if u need - you will find what u need. and one more -- as good TDA DotA player i can say, the CHEATS will not save yours hero against smart and skilled player. skilled players never use CHEATS - cuz there is no reason to play then. in ladder - good players do harras, so they know what you have every moment, and where u are. you can call them CHEATERS cuz they have such skill. only noob will use CHEAT, and he will die without skill. its TWO different sides CHEATER and SKILLED. and real skill always own cheat. I never cry when i see MapHackers in DotA games, cuz they always lose. Let them play with Cheats. When they grow, they will turn it off. MapHack helps to learn skill. Where better to go at start, what to build, but better look replay after game. You cant kill all CHEATs - Never! Its same as you cant catch all HACKERs. So relax and use this info for yours own purpose, but remember SKILL OWN CHEAT! Better make some usefull mod like Banlist.NL, but without Country Detection. im from Russia, and when im joining most of Custom Public games - they kick me cuz im Russian, i ban such hosts on TDA Channel, so i will never see them again in Private Games. ........ plz dont post here replys ... i did new topick ... ask all Q there. | May 17, 2006, 12:49 AM |