Valhalla Legends Forums Archive | Battle.net Bot Development | W3GS Known Packets

AuthorMessageTime
For.Rest
// add more info if you know
[code]
// Packets Listing C/C++:

#pragma pack(1)

// its start part of all packets in Warcraft III Game Sysyem
struct sW3GS_PACKETINFO {
BYTE sig; // always 0xF7
BYTE psig; // packet signature (example: W3GS_SEARCHGAME)
WORD size; // packet size
BYTE pktData[1]; // packet data
};

// Local Network

// this is part of many packets
struct sW3GS_GAME {
DWORD gamesig; // game signature PX3W for example
DWORD crcount; // creation counter
};
struct sW3GS_GAMEP {
sW3GS_GAME data;
DWORD pcount; // players in game
};

#define W3GS_SEARCHGAME 0x2F // Sends to all local network to detect game
struct sW3GS_SEARCHGAME {
sW3GS_GAMEP data; // data.pcount always zero
};

#define W3GS_GAMEINFO 0x30 // Answer from host about game
struct sW3GS_GAMEINFO {
sW3GS_GAMEP data;
w_char* //..... game name, host name and other
// dont remember ... because not used it
};

#define W3GS_CREATEGAME 0x31 // Host spams local network about created game
struct sW3GS_CREATEGAME {
sW3GS_GAMEP data;
};

#define W3GS_REFRESHGAME 0x32 // Host spams local network about game (happens every 5 seconds or refresh slots)
struct sW3GS_REFRESHGAME {
sW3GS_GAMEP data;
DWORD slots; // total slots in game
};

#define W3GS_DECREATEGAME 0x33 // Host decreates game (spam local network)
struct sW3GS_DECREATEGAME {
sW3GS_GAME data;
};

// In game (after start and loadding)

#define W3GS_CLIENTSYNC 0x27 // Clients Sync packets (only if packet size = 9)

#define W3GS_CLIENTACTREQ 0x26 // Client requests action
struct sW3GS_CLIENTACTREQ {
SHORT sync; // dont know - maby sync value
SHORT crc16; // possible crc16
BYTE subPktData[1]; // sub packet data - consist game command
};

#define W3GS_HOSTSYNC 0x0C // Host Sync packets or/with actions (only sync when packet size = 6)
#define W3GS_HOSTACT  0x0C
struct sW3GS_HOSTACT {
SHORT sync; // 0x6D | 0x6E | 0x7D - possible sync
SHORT crc16; // possible crc16 value
BYTE playerNum; // 1 (for host)
SHORT subPktSize; // sub packet size = packet size - 11
BYTE subPktData[1]; // sub packet data - consist game command
};

// commands description and structures (not all)

// structure of any object in game (for example: Town Hall or Peon)
struct sW3GS_OBJECT {
BYTE  id1; // first part of object ID
SHORT race; // object race id
BYTE  zero1; // always zero
BYTE  id2; // second part of object ID
SHORT race_dup; // same as race (duplicate)
BYTE  zero2; // always zero
};
// so total object ID will be RACE:ID
// 0xFFFFFFFF 0xFFFFFFFF for unknow objects (all 0xFF) - it means no target or ground point

// commands list (not all)
#define W3GS_CMD_ACTION 0x10 // stop / hold position / auto cast on off / buy item ... and more
#define W3GS_CMD_CREATE       0x11 // build structure
#define W3GS_CMD_MOVE         0x12 // move unit
#define W3GS_CMD_DROPITEM     0x13 // drop item from slot
#define W3GS_CMD_SELECT       0x16 // change selection add or remove
#define W3GS_CMD_VIEW         0x1A // change view of unit or structure (TAB button changes view)
#define W3GS_CMD_BLINK        0x68 // blink on the map
#define W3GS_CMD_CANCEL       0x1E // cancel upgrade or something

// structure of any command
struct sW3GS_CMD_ANY {
BYTE cmd;    // Command (example: W3GS_CMD_ACTION)
BYTE opCode; // Command operation code - each command have self unique operation codes
BYTE data[1]; // consist command data
};

// operation codes for some commands
#define W3GS_CMD_SELECT_ADD 0x01 // Add selection
#define W3GS_CMD_SELECT_REM 0x02 // Remove selection
#define W3GS_CMD_VIEW_OP 0x19 // Change view group

struct sW3GS_CMD_SELECT {
BYTE cmd;    // Command W3GS_CMD_SELECT
BYTE opCode; // Command operation code - each command have self unique operation codes
SHORT count; // count of object to operate
sW3GS_OBJECT objects[1]; // one or more objects
};

struct sW3GS_CMD_VIEW {
BYTE cmd;    // Command W3GS_CMD_VIEW
BYTE opCode; // Command operation code - each command have self unique operation codes
DWORD type; // string type of object
sW3GS_OBJECT object; // first object in view group
};

struct sW3GS_CMD_BLINK {
BYTE cmd;    // Command W3GS_CMD_BLINK
FLOAT x;     // x y coordinates on the map
FLOAT y;
DWORD color; // possibly blink color
};

// modes and types of move for structure sW3GS_CMD_MOVE (any mode can be combined together)
#define W3GS_CMD_MOVE_MODE_QUED   0x01 // happens when shifting targets
#define W3GS_CMD_MOVE_MODE_INTO   0x02 // dont remember inside what?
#define W3GS_CMD_MOVE_MODE_CREATE 0x04 // create what? ...
#define W3GS_CMD_MOVE_MODE_GRP    0x08 // action on all group (not used for single units)
#define W3GS_CMD_MOVE_MODE_SAVEGRP 0x10 // save group form
#define W3GS_CMD_MOVE_MODE_NOMOVE 0x40 // dont move, target only to coordinates
#define W3GS_CMD_MOVE_TYPE_MOVE   0x03 // move units to x y
#define W3GS_CMD_MOVE_TYPE_ATTACK 0x0F // attack target at x y (if target hides this will be coodrinates to move)
#define W3GS_CMD_MOVE_TYPE_PATROL 0x16 // patrol to point x y

struct sW3GS_CMD_MOVE {
BYTE cmd;    // Command W3GS_CMD_MOVE
BYTE mode; // move mode
BYTE zero;   // always zero?
SHORT type;  // move type
SHORT unknow; // always 0x000D?
sW3GS_OBJECT objUnknow; // always 0xFFFFFFFF FFFFFFFF
FLOAT x;     // x y coordinates on the map
FLOAT y;
sW3GS_OBJECT target; // target object
};

struct sW3GS_CMD_CANCEL {
BYTE cmd;    // Command W3GS_CMD_CANCEL
BYTE zero;
DWORD type; // string type of object
};

#define W3GS_CMD_DROPITEM_TYPE_ITEM 0x44 // object type to drop

struct sW3GS_CMD_DROPITEM {
BYTE  cmd;   // Command W3GS_CMD_CANCEL
SHORT type;  // W3GS_CMD_DROPINTM_TYPE_ITEM
BYTE  slot;  // from 0x21 to 0x27
BYTE  zero;
BYTE  unknow; // always 0x000D?
sW3GS_OBJECT objUnknow; // always 0xFFFFFFFF FFFFFFFF?
FLOAT x;
FLOAT y;
sW3GS_OBJECT target; // target getting item or 0xFFFFFFFF FFFFFFFF for ground point (if target hides from view then ground point)
sW3GS_OBJECT item;   // item object to operate
};

#define W3GS_CMD_CREATE_MODE_BUILD 0x04

struct sW3GS_CMD_CREATE {
BYTE  cmd;  // Command W3GS_CMD_CREATE
SHORT mode; // W3GS_CMD_CREATE_MODE_BUILD
DWORD type; // string object type
sW3GS_OBJECT objUnknow; // always 0xFFFFFFFF FFFFFFFF?
FLOAT x;    // x y location to build/create
FLOAT y;
};

#define W3GS_CMD_ACTION_MODE_BATTLE   0x0000 // stop or hold position
#define W3GS_CMD_ACTION_MODE_CAST     0x0102 // autocast on off
#define W3GS_CMD_ACTION_MODE_DO       0x0040 // build / cancel build / buy item / upgrade ability
#define W3GS_CMD_ACTION_MODE_RESEARCH 0x0046 // upgrade building / train unit

struct sW3GS_CMD_ACTION {
BYTE  cmd;  // Command W3GS_CMD_ACTION
SHORT mode; // W3GS_CMD_CREATE_MODE_BUILD
DWORD type; // string object type or options (depends on command) object type for train unit or upgrade
sW3GS_OBJECT objUnknow; // always 0xFFFFFFFF FFFFFFFF?
};

// end of command list

#define W3GS_MAPCHECK 0x3D // check map size and path
struct sW3GS_MAPCHECK {
DWORD unknow; // dont remember
char mapPath[1]; // null terminated path
DWORD fileSize; // size of file (don use this pointer it must be calculated)
};

#define W3GS_MAPSIZE 0x42 // map size downloaded or have
struct sW3GS_MAPSIZE {
BYTE unknow[5]; // dont remember
DWORD fileSize; // got size of map file (you can block download if fileSize not equal fileSize in map check structure)
};

#define W3GS_STARTDOWNLOAD 0x3F // host or any other client sends this to prepare other client for download map

#define W3GS_MAPPART 0x43 // Part of map file
struct sW3GS_MAPPART {
BYTE unknow[6]; // dont remember
DWORD filePos;  // block position in file (blockSize = 1442, doneSize = blockSize + filePos)
BYTE data[1442]; // block data
};

#define W3GS_MAPPARTOK 0x44 // Part of map success downloaded (client sends this)
struct sW3GS_MAPPARTOK {
BYTE unknow[6];
DWORD filePos;
};

#define W3GS_REQJOIN 0x1E // Request join game
struct sW3GS_REQJOIN {
BYTE  unknow1[9];  // dont remember
SHORT gamePort; // player game port
DWORD playCounter; // count of game player joined
char  playerName;  // null terminated string
SHORT unknow2;
sockaddr_in internal; // internal player IP
};

#define W3GS_HOSTECHOREQ 0x01 // Host request echo from client (every 30 seconds)
#define W3GS_HOSTECHORES 0x46 // Host response echo from client
struct sW3GS_ECHO {
DWORD tickCount; // value from GetTickCount(); so ping = (GetTickCount()-tickCount)/2; for lan it can be 0
};

#define W3GS_CLIENTECHOREQ 0x35 // Client request echo from other client (every 10 seconds)
#define W3GS_CLIENTECHORES 0x36 // Client response echo from other client

// if you smart you can get ping to host simply

// most hard part is understand how slot system works when player joins game
#define W3GS_SLOTINFOJOIN 0x04 // Host sends this packet to say client all slots status and where he is joining
#define W3GS_SLOTINFO     0x09 // Host sends this packet to say client all slots status only
// check of this packets should be combined togetger in one pass
// better show part of my prog and 3 structures of packet, playerPos its player slot, playerNum its player unique number (0 for host)
/*
struct gameSlot {
  unsigned char playerNumber;   // 0 - if not human
  unsigned char download;       // 0x64 - 100%, 0xFF for not humans
  unsigned char slotStatus;     // 0 - open, 1 - closed, 2 - controlled
  unsigned char controller;     // 1 - computer, 0 - human or opened or closed
  unsigned char clan;           // Clan Number-1
  unsigned char color;          // Color from 0 to 11 // 12 - No Color for free slots
  unsigned char team;           // Team Number
  unsigned char controllerType; // 0 - easy comp, 2 - hard comp, 1 - human or normal comp
  unsigned char handicap;       // Handicap from 0 to 0x64=100
};
struct gameSlotsBegin {
  unsigned short size;
  unsigned char  slotCount;
  gameSlot       slot[1];
};
struct gameSlotsEnd {
  DWORD          hostTickCount;
  unsigned char  gameType;
  unsigned char  slotCount;
  unsigned char  addition[1];
};
struct gameSlotsAddition {
  unsigned char  playerNum; // Number of player (UID)
  sockaddr_in    addr;      // Player Address
};
*/
/* case 0x04:
case 0x09: {
if (gameState < 2) {
if ((dirin == true) && (pkt->type == 0x04)) {
startPingHost(si);
memset(&slots,0,sizeof(slots));
}
gameSlotsBegin *gsb = (gameSlotsBegin*)(pkt->data);
gameSlotsEnd *gse = NULL;
gameSlotsAddition *gsa = NULL;
if (gsb->size == 0) {
slots.slotCount = 0;
if (pkt->type == 0x04) gsa = (gameSlotsAddition*)&(gsb->slotCount);
} else {
slots.slotCount = gsb->slotCount;
if (slots.slotCount <= 12) {
memcpy(slots.slot,gsb->slot,sizeof(gameSlot)*slots.slotCount);
for (int i = 0; i < 12; i++) { slots.map[i] = -1; }
for (int i = 0; i < slots.slotCount; i++) {
int pn = (int)(slots.slot[i].playerNumber)-1;
if (pn >= 0) slots.map[pn] = i;
}
}
gse = (gameSlotsEnd*)((DWORD)gsb->slot + (gsb->slotCount*sizeof(gameSlot)));
if (pkt->type == 0x04) gsa = (gameSlotsAddition*)(gse->addition);
}
if (gsa) {
int playerPos = gsa->playerNum - 1;;
if ((playerPos >= 0) && (playerPos < 12)) {
// Inserting Player Info
slots.playCounter[playerPos] = si->playCounter;
strcpy(slots.playerNames[playerPos],si->playerName);
slots.sock[playerPos] = si->s;
si->playerPos = playerPos;
si->player = true;
if (dirin == true) {
slots.intAddr[playerPos] = si->internal;
slots.extAddr[playerPos] = si->internal;
slots.ping[playerPos] = bnetPing;
slots.myNum = playerPos;
strcpy(slots.from[playerPos],"--");
} else {
slots.intAddr[playerPos] = si->internal;
slots.extAddr[playerPos] = si->remote;
slots.ping[playerPos] = -1;
memset(slots.from[playerPos],0,2);
}
}
}
*/

#define W3GS_PLAYERINFO 0x06 // player name and number
struct sW3GS_PLAYERINFO {
DWORD playCounter;
BYTE  playerNum;
char  playerName[1]; // null terminated string
SHORT unknow;
sockaddr_in ext; // external IP (not for host, host always zero)
sockaddr_in int; // internal IP (not for host, host always zero)
};

// f737 1200 02000000 00000000 06 ff 5e000000
#define W3GS_CLIENTINFO 0x37 // client send to other client info about self when connected
struct sW3GS_CLIENTINFO {
DWORD playCounter;
DWORD zero;
BYTE  playerNum;
BYTE  unknow[5]; // first FF posibly status of player
};

#define W3GS_LEAVEREQ 0x21 // client requests leave
struct sW3GS_LEAVEREQ {
BYTE  playerNum;
BYTE  zero[3];
};
#define W3GS_LEAVERES 0x1B // host response (you can leave) after this connection terminated

#define W3GS_LEAVER 0x07 // host spams all clients about leaver
// only socket hook can detect is it Disconnect or Leaving of player
struct sW3GS_LEAVER {
BYTE  playerNum;
};

#define W3GS_  0x34  // messages from other players or change positions
#define W3GS_  0x28
#define W3GS_  0x0F

// im tired explaining ^^ (3 hours doing this)

#define W3GS_START     0x0A // Start game
#define W3GS_LOADDING  0x0B // Start loadding (after this you cannot leave game)
#define W3GS_CLIENTRDY 0x08 // Host spams to all that Player loadded and ready except loadded player
#define W3GS_READY     0x23 // Clients tells to host that they are ready

// i think its enough for me now
// ill complete it late and hope you help me
// sry for my bad english

// please dont use it for cheating
// posible cheats ... detect player destination ... and other tricks ...
// all information was got by me analysing packets long long time
[/code]
[size=1]Edit by MyndFyre: added code tags[/size]
May 12, 2006, 9:10 PM
bethra
Nice.
May 12, 2006, 9:59 PM
HeRo
oh god i love you!
May 12, 2006, 11:18 PM
DotA.For.Rest
unknown left only game commands. i mean W3GS_CMD_ ....
i cant catch them all playing one map. i think there are more of them. if u found them tell us here

i need help to design battle.net WC3 TFT Dedicated Game Host with vote system for clients. so need to search all info about W3GS for that. this type host will not move but can type game mode for maps such DotA Allstars. and maby host can be server but not player, like it does by ladder game. battlenet is server but not player in ladder.

also some packets structures only for Custom Games. Ladder have others. for example W3GS_SLOTINFOJOIN and W3GS_SLOTINFO

im not tryed to understand how Ladder works. if some one do research this way post it here.
May 13, 2006, 2:18 AM
DotA.For.Rest
For.Rest and DotA.For.Rest is same user. im just forgot my password and set wrong email. so cant restore it.
May 13, 2006, 2:20 AM
PaiD
o cool, Thanks. This helps :p
May 13, 2006, 3:43 AM
HeRo
shouldn't this be in references?
May 14, 2006, 3:50 AM
Myndfyr
[quote author=HeRo link=topic=14970.msg152425#msg152425 date=1147578618]
shouldn't this be in references?
[/quote]

It'll be moved after it's scruitinized by the community.  Wouldn't much like moving it there if the information is wrong.
May 14, 2006, 7:23 AM
DotA.For.Rest
Soon ill add examples of all known by me packets with description, except command packets, also try to explain BNE packet 0x09 which contains custom game list. Need time to collect and write all data. I hope this info will be added to Reference of this site with my Name.
from DotA.For.Rest@Northrend - Paul. Im real member of clan TDA, and working on programming side of this clan only on Europe realm.
we do not use cheats - we adding to game more functions. for example im Working on Project called WC3 GRest Mod wich adds some special command to chat, its like Banlist.NL but more futures.
May 15, 2006, 4:45 AM
UserLoser
Format of messages over network are basically the same as the replay file format...I guess if you're familiar with the replay file format (.w3g) this would be a breeze for you.  About two years ago I had written a client that hosted a custom game on Tides of Blood.  It was quite interesting, source was lost.

Edit: After disassemblying my old bot and patching the authentication:
[img]http://f5.putfile.com/5/13404381759.png
[/img]
May 15, 2006, 7:06 AM
DotA.For.Rest
working on explain text of all packets except command packet.
ty for information about w3g. ill try to found info about this file format. maby it will help to understand how it works
May 15, 2006, 9:29 AM
Myndfyr
Look into W3Chart for more info.  :)
May 15, 2006, 10:06 AM
DotA.For.Rest
ty for link. i will post packet explain part by part. cuz there are alot of explanations. also i will post moments where i need help to find out.
May 15, 2006, 10:53 AM
DotA.For.Rest
IPs of two computers that i used for testing and grabbing packets
192.168.0.1 - Host
192.168.0.3 - Client

Lookup LAN Game
W3GS_SEARCHGAME 0x2F
OUT 255.255.255.255:06112 LEN:16
[code]
·  /  · ·  P X 3 W  · · · ·  · · · ·
f7 2f 1000 50583357 14000000 00000000
|W3GS Signature
   |Packet Signature
      |Packet Size
           |Game Signature
                    |Always 0x14? Maby its game version
         |Zero
[/code]

Create LAN Game
W3GS_CREATEGAME 0x31
OUT 255.255.255.255:06112 LEN:16
[code]
·  1  · ·  P X 3 W  · · · ·  · · · ·
f7 31 1000 50583357 14000000 03000000
|W3GS Signature
   |Packet Signature
      |Packet Size
           |Game Signature
                    |Always 0x14? Maby its game version
         |Creation Counter
[/code]

Refresh LAN Game (every 5 seconds or slot change)
W3GS_REFRESHGAME 0x32
OUT 255.255.255.255:06112 LEN:16
[code]
·  2  · ·  · · · ·  · · · ·  · · · ·
f7 32 1000 03000000 01000000 04000000
|W3GS Signature
   |Packet Signature
      |Packet Size
           |Creation Counter
                    |Client players in game (host counted)
                             |Total client slots (do not counts computers or closed slots)
[/code]

Decreates LAN Game (happens when decrates game or game starts loadding)
W3GS_DECREATEGAME 0x33
OUT 255.255.255.255:06112 LEN:8
[code]
·  3  · ·  · · · ·
f7 33 0800 02000000
|W3GS Signature
   |Packet Signature
      |Packet Size
           |Creation Counter
[/code]
May 15, 2006, 10:55 AM
DotA.For.Rest
Response LAN Game Info (response on client game search W3GS_SEARCHGAME)
W3GS_GAMEINFO 0x30
OUT 192.168.000.003:06112 LEN:117
[code]
·  0  u ·  P X 3 W  · · · ·  · · · ·  · V · · · · · · · · · ·   ( F o r . R e s t ) ·
f7 30 7500 50583357 14000000 01000000 e4569f00d098d0b3d180d0b02028466f722e526573742900
|W3GS Signature
   |Packet Signature
      |Packet Size
           |Game Signature
                    |Always 0x14? Maby its game version
                             |Creation Counter
                                      |Game Name (UTF-8 Coded) null terminated string
[/code]
[code]
·  · · I ·  · · 
00 01034907 0101
|Zero
   |0x01010101 - Always
   |0x00000010 - Unit share
   |0x00000040 - Unknow - only set on map "(12)DivideAndConquer.w3m"
   |0x00000004 - Closed map
   |0x00000200 - Fast game speed
   |0x00030000 - Visibility: map explored
   |0x00050000 - Visibility: always visible (no fog of war)
   |0x00080000 - Visibility: default
   |0x00200000 - Observers on Defeat
   |0x00300000 - Additional players as observer allowed
   |0x00400000 - Teams Together (team members are placed at neighbored starting locations)
   |0x06000000 - Fixed teams
   |Default 0x07490301
            |Default 0x0101
            |0x0101 - Always
            |0x0040 - Referees
            |0x0002 - Random hero
            |0x0004 - Random races
[/code]
----Coded Part of Packet----
[code]
} ·  · } · · · · C M  · a q s ] ) 5 )  · M o s u U e m  · q m e / w 3 m  · · G o s / S e  · s u · · ·
7d01 997d01a3df1d434d 8b6171735d293529 cd4d6f737555656d e9716d652f77336d 8901476f732f5365 037375010100
|Coded tag (this tag same as coded data start)
        <----over here
     |Coded Data ends on 0x000101 over here -------------------------------------------------------->
     |last Zero is not Coded - it used only for detect end of Coded data
     |Decode is simple: all Coded data splited by 8 bytes blocks
     |First byte of each block is first bits of 7 bytes data bit0 always 1
     |Bit1 represents bit0 of byte1, bit2 represents bit0 of byte2 ...
     |Left 7 bytes bit0 set to 1 for coded data
     |Decoded result of our example will be:
     |               M a p s \ ( 5 ) L o s t T e m p l e . w 3 m   F o r . R e s t
     |7C00 A3DF1C42 4D6170735E2835294C6F737454656D706C652E77336D00 466F722E526573740000
     \unknow SHORT value High byte always 0 - so its seems CRC8 of CRC32?
          \Map file CRC32
                   \Map path (null terminated string)
                                                                  \Host Player name (null terminated)
[/code]
----End of Coded Part----                   
[code]
· · · ·  · · · ·  · · · ·  · · · ·  · · · ·  · ·
04000000 09000000 01000000 04000000 00000000 e017
|Total game slots (count all slots)
         |0x00000009 - Blizzard map tag
         |0x00000001 - Custom map tag
                  |Always 0x00000001?
                           |Free game slots (aviable for player connection)
                                    |Hosting time in seconds
                                             |Hosts client port
[/code]

Now i need help to understad what means part of decoded data 7C00 A3DF1C42
its not depends on packet data at all, i think it depends on map file size or CRC32 of map file ... need to find out
May 15, 2006, 11:59 AM
maldn
those bytes you dont know are gamesettings (first 64bit) and map-checksum (4 byte)
see w3g_format.txt for more information.
May 15, 2006, 12:16 PM
DotA.For.Rest
thanks but still unknown 2 bytes before map checksum
May 15, 2006, 1:01 PM
maldn
did you check w3g_format.txt?

the bytes right after the 0x00 after the gamename up to the next 0x00 are all one encoded string.
well... they are 3 actually. so those 2 bytes you think are unknown are just those 2 bytes you have more before decoding.

but i have spotted something else...
after the gameID field there are some interesting bytes:
[code]
e4569f00d098d0b3d180d0b0
these are your bytes.
lets do a bit of formating...

e4 56 9f 00 | those bytes are most likely a timestamp / uptime of your wc3-client

bur now comes something i can not see in my dumps.
d0 98 d0 b3 | == htonl(179 208 152 208)
d1 80 d0 b0 | == htonl(176 208 128 209)

looks like ip-adresses to me... but i cant find them in my dumps... those 16 bytes are simply missing

here is one of mine:
maldn@malte ~/pcap $ hexdump -C dieses-game-hab-ich-fuer-dich
00000000  f7 30 73 00 50 58 33 57  14 00 00 00 02 00 00 00  |.0s.PX3W........|
00000010  3a 04 47 00 4c 6f 6b 61  6c 65 73 20 53 70 69 65  |:.G.Lokales Spie|
00000020  6c 20 28 6d 61 6c 64 6e  70 29 00 00 01 03 49 07  |l (maldnp)....I.|
00000030  01 01 a1 01 89 49 01 0f  cd 6b 35 4d 8b 61 71 73  |.....I...k5M.aqs|
00000040  5d 29 33 29 ad 43 6f 6f  75 79 43 61 bb 79 2f 77  |])3).CoouyCa.y/w|
00000050  33 6d 01 6d 03 61 6d 65  6f 71 01 01 00 02 00 00  |3m.m.ameoq......|
00000060  00 09 00 00 00 01 00 00  00 02 00 00 00 15 00 00  |................|
00000070  00 e0 17                                          |...|


also the packets send by waaaghtv doesnt seem to include those bytes too:
f7          | wc3-packet start
30          | packet-type (gameinfo)
82 00       | length (130)
50 58 33 57 | PX3W (Frozen-Throne game)
14 00 00 00 | version 0x14=20 -> 1.20
ef 1f 00 01 | gameid

ff 2e 80 00 | timestamp (?)
21 57 43 43 | gamename
4c 20 55 57 | null terminated string:
4b 20 76 73 |    21 57 43 43 4c 20 55 57 4b 20 76 73 2e 20 53 4b 20 23 36 00
2e 20 53 4b | => !  W  C  C  L  _  U  W  K  _  v  s  .  _  S  K  _  #  6  '\0'
20 23 36 00 | (sorry, this was borrowed from wtv ;-) )

00          | allways 0x00
   01 03 79 | <- start of encoded string
07 41 01 93 | see section for decoding/encoding those strings.

--snip--
[/code]

oh, and i have some docs about wc3-lan-games and packets and such, but havent posted them b/c they are not complete nor very polished. but since this is now an active topic here in the forums i might post them in the next few days.
May 15, 2006, 1:22 PM
DotA.For.Rest
Request Join Game (clients send this on every try to join game)
W3GS_REQJOIN 0x1E
IN 192.168.000.003:01040 LEN:42
[code]
·  ·  3 ·  · · · ·  · · 8 ·  ·  · ·  · · · ·  R u s s i a . O n l i n e ·  · ·  · · · · · · · ·  · · · ·  · · · ·
f7 1e 3300 05000000 fed83814 00 e117 02000000 5275737369612e4f6e6c696e6500 0100 020017e0c0a80003 00000000 00000000
|W3GS Signature
   |Packet Signature
      |Packet Size
           |Join game counter of client
                    |GetTickCount WinAPI value only for LAN games (Zero for battle.net games)
                             |Always zero?
                               |External game port (used by others Game clients to connect to this client)
                                    |Total game join/create counter
                                             |Client name (null terminated string)
                                                                           |Always 0x0001?
                                                                                |Internal client IP and Port (sockaddr_in structure)
                                                                                                 |Always zero?
                                                                                                          |Always zero?
[/code]

Reject Join Game (host Rejects join game request W3GS_REQJOIN)
W3GS_REJECTJOIN 0x05
OUT 192.168.000.003:01047 LEN:8
[code]
·  ·  · ·  · · · ·
f7 05 0800 09000000
|W3GS Signature
   |Packet Signature
      |Packet Size
           |Always 0x0000009?
[/code]

Accept Join Game with Slot info (host send this to client on W3GS_REQJOIN)
W3GS_SLOTINFOJOIN 0x04
Update Slot info (host send this to client on slot changes)
W3GS_SLOTINFO 0x09
OUT 192.168.000.003:01046 LEN:48
[code]
·  ·  0 ·  · ·
f7 04 3000 1900
|W3GS Signature
   |Packet Signature
      |Packet Size
|SlotsInfo size (can be 0 if host updating slots at this moment)
[/code]
----SlotsInfo---- (optional for W3GS_SLOTINFOJOIN)
[code]
·  · d · · · · ` · d  · · · · · · ` · d
02 016402000000600164 00ff0000010c600164
    016402000000600164
    026402000101410164
    016402000000600164
    026402000001410164
    016402000000600164
    026402000101480164
|Count of slots (can be 0 for example in ladder game)
   |Slot1 (9 bytes)   |Slot2 (9 bytes) ...
    \PID - Player ID (0 - not client, 1 - host)
      \Download status (0x64 - 100%, 0xFF - not client)
        \SlotStatus (0 - open, 1 - closed, 2 - controlled)
          \Controller (1 - computer, 0 - human/open/closed)
            \Team Number from 0 to 11 (12 - free/observer/referee)
              \Color Number from 0 to 11 (12 - free/observer/referee)
                \Race flags
                \0x01 - Human
                \0x02 - Orc
                \0x04 - Night Elf
                \0x08 - Undead
                \0x20 - Random
                \0x40 - Race selected or fixed by map or ladder game
                  \Controller Type (0 - easy comp, 2 - hard comp, 1 - human/normal comp)
                    \Handicap from (valid values: 0x32, 0x3C, 0x46, 0x50, 0x5A, 0x64)
- · · ·  ·  ·
2dd21302 00 02
|GetTickCount WinAPI value of host
         |Always zero? ( 0xCC for ladder game)
            |Count of slots (end tag?) (0xCC for ladder game)
[/code]
----SlotsInfo End----
----JoinInfo---- (only for W3GS_SLOTINFOJOIN)
[code]
·  · · · · · · · ·  · · · ·  · · · ·
02 02000416c0a80003 00000000 00000000
|PID - Player ID that host gives to client
   |Host side client IP and Port (sockaddr_in structure)
                    |Always zero?
                             |Always zero?
[/code]
----JoinInfo End----

Player information (host send this to each client on every player)
W3GS_PLAYERINFO 0x06
OUT 192.168.000.003:01053 LEN:52
[code]
·  ·  4 ·  · · · ·  ·  F o r . R e s t ·  · ·  · · · · · · · ·  · · · ·  · · · ·  · · · · · · · ·  · · · ·  · · · ·
f7 06 3400 12000000 01 466f722e5265737400 0100 0000000000000000 00000000 00000000 0000000000000000 00000000 00000000
|W3GS Signature
   |Packet Signature
      |Packet Size
           |Player join/create counter
                    |PID
                       |Player name (null terminated)
                                          |Always 0x0001?
                                               |External player IP and Port (sockaddr_in structure) (Zero for host)
                                                                |Always Zero?
                                                                         |Always Zero?
                                                                                  |Internal player IP and Port (sockaddr_in structure) (Zero for host)
                                                                                                   |Always Zero?
                                                                                                            |Always Zero?
[/code]
May 15, 2006, 3:02 PM
DotA.For.Rest
[quote author=maldn link=topic=14970.msg152496#msg152496 date=1147699374]
did you check w3g_format.txt?

the bytes right after the 0x00 after the gamename up to the next 0x00 are all one encoded string.
well... they are 3 actually. so those 2 bytes you think are unknown are just those 2 bytes you have more before decoding.

but i have spotted something else...
after the gameID field there are some interesting bytes:

oh, and i have some docs about wc3-lan-games and packets and such, but havent posted them b/c they are not complete nor very polished. but since this is now an active topic here in the forums i might post them in the next few days.

[/quote]

yes i found all documentation on w3g and have readed it.
about 2 or 3 bytes it depends on Decoded data size. Decoded data always ends with 2 zeroes, but if size of Decoded data for example 8 with counting zeroes, then last zero is next coded block. and as it says first byte is represends bits0 of all data bytes. but we have zero there so result last block will be 010100. String data will be any 6 bytes and 2 zero, first 7 bytes - first block + 1 coder byte, last block 1 byte (zero) + 1 coder byte. this is moment where you think that data have 3 zeroes. but its fake.

about game packets - no need this here cuz i have all packets info, just need time to make it english. last question was COMMAND packets in game, but after reading W3G format there is no more questons. just wait all my info, or find bugs, or help to find field explain if i have no it

im posting all W3GS packets info, not only LAN, lan is easy to start explain
May 15, 2006, 3:12 PM
maldn
first of all: please(!) change your formating to something readable. yours is barely readable...

[quote author=DotA.For.Rest link=topic=14970.msg152499#msg152499 date=1147705334]
Request Join Game (clients send this on every try to join game)
W3GS_REQJOIN 0x1E
IN 192.168.000.003:01040 LEN:42
[code]
·  ·  3 ·  · · · ·  · · 8 ·  ·  · ·  · · · ·  R u s s i a . O n l i n e ·  · ·  · · · · · · · ·  · · · ·  · · · ·
f7 1e 3300 05000000 fed83814 00 e117 02000000 5275737369612e4f6e6c696e6500 0100 020017e0c0a80003 00000000 00000000
|W3GS Signature
   |Packet Signature
      |Packet Size
           |Join game counter of client
                    |GetTickCount WinAPI value only for LAN games (Zero for battle.net games)
                             |Always zero?
                               |External game port (used by others Game clients to connect to this client)
                                    |Total game join/create counter
                                             |Client name (null terminated string)
                                                                           |Always 0x0001?
                                                                                |Internal client IP and Port (sockaddr_in structure)
                                                                                                 |Always zero?
                                                                                                          |Always zero?
[/code]
[/quote]
read https://davnit.net/bnet/vL/index.php?topic=14964.0 and comment there.

[quote author=DotA.For.Rest link=topic=14970.msg152499#msg152499 date=1147705334]
Reject Join Game (host Rejects join game request W3GS_REQJOIN)
W3GS_REJECTJOIN 0x05
OUT 192.168.000.003:01047 LEN:8
[code]
·  ·  · ·  · · · ·
f7 05 0800 09000000
|W3GS Signature
   |Packet Signature
      |Packet Size
           |Always 0x0000009?
[/code]
[/quote]
oh, and go read some more about endianess, ntohl(0x09000000) != 0x00000009 ! its 0x00000090

[quote author=DotA.For.Rest link=topic=14970.msg152499#msg152499 date=1147705334]
Accept Join Game with Slot info (host send this to client on W3GS_REQJOIN)
W3GS_SLOTINFOJOIN 0x04
Update Slot info (host send this to client on slot changes)
W3GS_SLOTINFO 0x09
OUT 192.168.000.003:01046 LEN:48
[code]
·  ·  0 ·  · ·
f7 04 3000 1900
|W3GS Signature
   |Packet Signature
      |Packet Size
|SlotsInfo size (can be 0 if host updating slots at this moment)
[/code]
----SlotsInfo---- (optional for W3GS_SLOTINFOJOIN)
[code]
·  · d · · · · ` · d  · · · · · · ` · d
02 016402000000600164 00ff0000010c600164
    016402000000600164
    026402000101410164
    016402000000600164
    026402000001410164
    016402000000600164
    026402000101480164
|Count of slots (can be 0 for example in ladder game)
   |Slot1 (9 bytes)   |Slot2 (9 bytes) ...
    \PID - Player ID (0 - not client, 1 - host)
      \Download status (0x64 - 100%, 0xFF - not client)
        \SlotStatus (0 - open, 1 - closed, 2 - controlled)
          \Controller (1 - computer, 0 - human/open/closed)
            \Team Number from 0 to 11 (12 - free/observer/referee)
              \Color Number from 0 to 11 (12 - free/observer/referee)
                \Race flags
                \0x01 - Human
                \0x02 - Orc
                \0x04 - Night Elf
                \0x08 - Undead
                \0x20 - Random
                \0x40 - Race selected or fixed by map or ladder game
                  \Controller Type (0 - easy comp, 2 - hard comp, 1 - human/normal comp)
                    \Handicap from (valid values: 0x32, 0x3C, 0x46, 0x50, 0x5A, 0x64)
- · · ·  ·  ·
2dd21302 00 02
|GetTickCount WinAPI value of host
         |Always zero? ( 0xCC for ladder game)
            |Count of slots (end tag?) (0xCC for ladder game)
[/code]
[/quote]
see https://davnit.net/bnet/vL/index.php?topic=14965.0 and comment there please.
i have some slightly different stuff there... especially after the player-records i have captured some more bytes.
can you please post your original dump in that thread?
and can you also post there some more info about the SlotInfo size field? i dont get why this can be zero, never seen that. do you get a 0x09 for all players then?

[quote author=DotA.For.Rest link=topic=14970.msg152499#msg152499 date=1147705334]
[code]
·  · · · · · · · ·  · · · ·  · · · ·
02 02000416c0a80003 00000000 00000000
|PID - Player ID that host gives to client
   |Host side client IP and Port (sockaddr_in structure)
                    |Always zero?
                             |Always zero?
[/code]

[/quote]

when/where do you get this? can you please post full dump?
May 16, 2006, 2:17 PM
DotA.For.Rest
i understand what about you talking ... ill change all formating my info to more readable. also ill post it in new topic where i will change first post on every change. i will call it W3GS_format.txt. and there ill try post all diferent packets to understand how they comes.
sry my bad english.
this topic was my first in my life of this type, i mean information type, about structure of packets.
and ntohl(0x09000000) = 0x00000009; cuz 09 00 00 00 is hex format, each 2 symbols is byte, only bytes reverts theyr positions.
im programming 18 years and beleave me i know it!
try simple ASM code:
mov eax, 0x09000000
bswap eax // which means ntohl(eax)
after this eax will be 0x00000009
its just example.
i love assembler, and maby most of my examles will be asm coded.
assembler code works much faster than compiled C/C++ code, thats why i used it.

THIS TOPICK IS CLOSED FOR NOW. PLEASE WAIT WHILE I OPEN NEW TOPICK WITH NAME: W3GS_Format.txt
May 16, 2006, 2:39 PM
maldn
[quote author=DotA.For.Rest link=topic=14970.msg152500#msg152500 date=1147705950]
... Decoded data always ends with 2 zeroes, but if size of Decoded data for example 8 with counting zeroes, then last zero is next coded block. and as it says first byte is represends bits0 of all data bytes. but we have zero there so result last block will be 010100. String data will be any 6 bytes and 2 zero, first 7 bytes - first block + 1 coder byte, last block 1 byte (zero) + 1 coder byte. this is moment where you think that data have 3 zeroes. but its fake.
[/quote]
wtf?!?
i doubt anyone, even yourself, has understood that beast-of-a-textblock!

i just wanted to say, that you are not decoding the gameSettings. you start too late. read w3g_format.txt again.

also, if you actually checked the checksum, you would have noticed that this is not crc32...
or your LT is different. mine has fbbe9d57.

[quote author=DotA.For.Rest link=topic=14970.msg152500#msg152500 date=1147705950]
about game packets - no need this here cuz i have all packets info, just need time to make it english. last question was COMMAND packets in game, but after reading W3G format there is no more questons. just wait all my info, or find bugs, or help to find field explain if i have no it

im posting all W3GS packets info, not only LAN, lan is easy to start explain
[/quote]
I strongly advise you to not make that information public. if you have understood the actual game-data, you know why.
I can understand that its hard to not say: "hey look how cool i am, i decoded this all!"
but one can do just too much harm to the game with this...
problem is: you provide stupid kids with info (or better even, code) that can be very easily misused (cheat).
and worst: blizzard cant do anything against it!
so, reconsider publishing this!

perhaps such a discussion had already taken place here on this forum, or maybe we start one :P

p.s. if you do not believe that this is serious shit, i can post a screenshot of some PoC code of mine i had written in like 3-4 hours showing a serious threat to wc3/battle.net.

p.p.s DONT CHEAT!
May 16, 2006, 3:07 PM
maldn
[code]
maldn@localhost ~ $ cat mooh.c && echo "--" && gcc mooh.c && echo "--" && ./a.out
#include <stdio.h>
#include <arpa/inet.h>

int main()
{
        printf("0x%08x\n", ntohl(0x90000000));
}

--
--
0x00000090
maldn@localhost ~ $
[/code]

nevermind ;-)

maldn


EDIT: omfg, i guess i should have gone to bed long ago :P

my eyes cant differentiate 0x09 and 0x90 ...

sry :)
May 16, 2006, 3:10 PM
DotA.For.Rest
this topick moved to https://davnit.net/bnet/vL/index.php?topic=14994.0

you sad kids can use it for cheating ... you are wrong ...
game sends only target commands (while in game) all path, damage, and other is calculated by warcraft client,
so even u will know where other player moves - it will not let u spuff packet to attack him for example if he invisible.
also you should know that most of kids use MapHack... its more easy way to see what enemy do...
also you should know that MoneyHack can pool money from player to player without understand packet strucrures.
also you should know that DropHack and many others cheats done!
all cheats aviable ... so there is no reason to do this again
this documentation will help many of smart guys to create theyr own Banlists programs, or AMP calculators in game,
or some other usefull addons.
you cant do BOT without understand how War3 client works!

beat me if im not right!
May 16, 2006, 4:03 PM
maldn
its not about hacks like bots or true maphack or something....
but knowing what race, hero starting position, expansions etc. your enemy is going is a cheat...

see http://img207.imageshack.us/my.php?image=info19hd.png

this screenshot was taken while playing against my roommate who took random. and dont tell me this sort of info is no help. note: this should work in battle.net games as well, and is undetectable by blizzard!

@ mods: remove the link to the image if you feel like this may inspire kids do bad things...
May 16, 2006, 8:08 PM
DotA.For.Rest
man . theres alot of cheats that blizzard cant detect. one of them MapHack - will not give link to this one.
i just want to say that all this hacks aviable for download. if u need - you will find what u need.

and one more -- as good TDA DotA player i can say, the CHEATS will not save yours hero against smart and skilled player.
skilled players never use CHEATS - cuz there is no reason to play then.
in ladder - good players do harras, so they know what you have every moment, and where u are.
you can call them CHEATERS cuz they have such skill.
only noob will use CHEAT, and he will die without skill.
its TWO different sides CHEATER and SKILLED. and real skill always own cheat.
I never cry when i see MapHackers in DotA games, cuz they always lose.
Let them play with Cheats. When they grow, they will turn it off. MapHack helps to learn skill.
Where better to go at start, what to build, but better look replay after game.
You cant kill all CHEATs - Never! Its same as you cant catch all HACKERs.
So relax and use this info for yours own purpose, but remember SKILL OWN CHEAT!
Better make some usefull mod like Banlist.NL, but without Country Detection.
im from Russia, and when im joining most of Custom Public games - they kick me cuz im Russian,
i ban such hosts on TDA Channel, so i will never see them again in Private Games.
........
plz dont post here replys ... i did new topick ... ask all Q there.
May 17, 2006, 12:49 AM

Search