[GWA2] How to chase after updated header values?

05/03/2018 15:52 3vangelist#1
Hi all,

First post, but have been following the tips all over this forum for about 6 months since I started writing my own bots.

Recently the server headers changed, and although it looks like the community have pulled through and released a new version of GWA2 to reflect it, there are other headers that I'm using, that aren't in the vanilla GWA2 code.

SendPacket(0x14, 0x6F, $lItemID, $lQuantity, $lBagID, $aSlot - 1)

The above command would have previously told GW to move $lQuantity items of $lItemID into bag $lBagID, slot $aSlot.

Of course, with the header change, 0x6F no longer means the same thing.

My question:
How do you guys debug the changed headers? Is there a way of going about it that doesn't mean crashing your GW client over and over until you find the correct header value?

Apologies if this has been asked before or it seems like an obvious question, but I've never had to look into this before and would really be grateful for any feedback.
05/03/2018 16:08 tjubutsi#2
The moveItem function in GWA2 does exactly what you have. You COULD look in that function to see what header is used there but the better way would be to just use that function.
05/03/2018 16:16 3vangelist#3
The function could have been updated since I last checked (or the version I was using was borked) but when developing, if I used MoveItem (instead of MoveItemEx, which is the function the above example is from but isn't included in GWA2), it moves a whole stack instead of being supplied a quantity to move.

MoveItem($aItem, $aBag, $aSlot) - No ability to tell quantity

In my current (old) version, MoveItem uses header 0x6C which is different to the 0x6F seen in my previous post.

I've found the headers I need in the above example by going on rheek123's API Patcher example file @ [Only registered and activated users can see links. Click Here To Register...]

My question wasn't specifically how do I find and update this particular header - I want to be able to contribute by finding and identifying these types of headers myself. Is there a tool I can use to sniff the headers that my client sends?
05/04/2018 01:39 Sleipnir Xiv#4
There are several ways to do this. If you did it from scratch, you'd want to fire up a Debugger/Disassembler such as OllyDbg, or more recently x32dbg and attach it to GW. Then look for the w32 network traffic receive function, and see what the program does with this [it is encrypted and you want to follow up to after GW has decrypted it for you].

Luckily many people have done this before, so that there's tons of little hacks that log this network traffic.

In the attachment, you can find a very minimalistic DLL source code, which allocates a console window and prints out the network stream. The first 2 bytes are the header that you're looking for. Take care of the size, as several packets may be sent in one recv-sequence.

Get Visual Studio Community (Free), start a new project, configure it as a DLL, add the attached source code, and compile. Then use any of the thousands of DLL injectors on the web to load it into GW, and voila, you can reverse both CtoS (Client to Server) and StoC (Server to Client) packets yourself.

You may want to deactivate StoC logging as it generates a lot of noise, especially if you're only interested in CtoS packets. Do this by adding a return at the right place in the Packet() function.

You'll have to go on your own from here, good luck.
05/04/2018 09:49 DerMoench14#5
[Only registered and activated users can see links. Click Here To Register...]

Will show you all Gameserver-Packets.
CtoGS does what you are actually searching for.
05/04/2018 12:04 3vangelist#6
Thanks for the feedback guys, will go through this info and will post a reply if I have any other questions
05/05/2018 10:04 savsuds#7
Quote:
Originally Posted by 3vangelist
> The function could have been updated since I last checked (or the version I was using was borked) but when developing, if I used MoveItem (instead of MoveItemEx, which is the function the above example is from but isn't included in GWA2), it moves a whole stack instead of being supplied a quantity to move.
>
> MoveItem($aItem, $aBag, $aSlot) - No ability to tell quantity
>
> In my current (old) version, MoveItem uses header 0x6C which is different to the 0x6F seen in my previous post.
>
> I've found the headers I need in the above example by going on rheek123's API Patcher example file @ [Only registered and activated users can see links. Click Here To Register...]
>
> My question wasn't specifically how do I find and update this particular header - I want to be able to contribute by finding and identifying these types of headers myself. Is there a tool I can use to sniff the headers that my client sends?

For MoveItemEx the header is +3 higher than MoveItem(). MoveItemEx is also called SplitStack by some people.
05/08/2018 03:52 3vangelist#8
Just an update on this one: I've ended up using BotDeveloper and used the gwtoolbox++ injector to inject the DLL to debug CtoGS.

Thanks again for the help :)
05/20/2018 03:55 3vangelist#9
Hi all,

So headers have changed a few times since my last post, and although now I can actively contribute to GWA2 to keep these up-to-date, I can't rely on the BotDeveloper to work - it's broken with the latest GW update, too.

I've been trying to use OllyDbg to add a breakpoint at the SendPacket function, and from there inspect the header value being sent, but I'm having trouble picking these things out.

I'm using an archived GR page at [Only registered and activated users can see links. Click Here To Register...] to help, but it doesn't have the original images that were included in the post (replace the ***'s in the URL)

The attached image is a screenshot of how far I've got, adding a breakpoint for the packetsend function, and then having it break when the character moves. Somehow I should be able to find out the header for the MoveTo function from this code.

Is someone able to give some pointers on how to proceed?
05/20/2018 10:34 DerMoench14#10
Quote:
Originally Posted by 3vangelist
> Hi all,
>
> So headers have changed a few times since my last post, and although now I can actively contribute to GWA2 to keep these up-to-date, I can't rely on the BotDeveloper to work - it's broken with the latest GW update, too.
>
> I've been trying to use OllyDbg to add a breakpoint at the SendPacket function, and from there inspect the header value being sent, but I'm having trouble picking these things out.
>
> I'm using an archived GR page at [Only registered and activated users can see links. Click Here To Register...] to help, but it doesn't have the original images that were included in the post (replace the ***'s in the URL)
>
> The attached image is a screenshot of how far I've got, adding a breakpoint for the packetsend function, and then having it break when the character moves. Somehow I should be able to find out the header for the MoveTo function from this code.
>
> Is someone able to give some pointers on how to proceed?

Uploaded a new Version of BotDeveloper.

If you wanna do it with Olly do this:
1. Breakpoint the Sendpacket-Func @58E840 (you did it already).
2. Do smth you wanna analyze (e.g. toggle Hard-/Normal Mode).
3. Olly should pause GW (it shows you at the bottom right (yellow)).
4. In the Register-Window (Top Right) EDX gives you the size of the Packet.
5. In the Bottom Right Window right click the 2nd entry from Top and click "Follow in Dump".
6. The Bottom Left Window shows you the Byte String of the Packet. 1st Element is the Header followed by the parameters (if they are given).
You only need to read size (EDX) entries. Watch out for Endianness.
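
The dump-reading step of the procedure above, as an added example that is not part of the original posts: it decodes bytes copied from "Follow in Dump" using the size read from EDX. It assumes EDX counts bytes and that every element is a 32-bit little-endian value (consistent with the 0x14 passed for a header plus four parameters in the SendPacket call earlier in the thread); the sample dump and its parameter values are constructed.

```python
import struct

# Constructed sample: bytes as copied from the debugger's dump pane.
# The last four bytes lie beyond the packet and must be ignored.
SAMPLE_DUMP = ("6F 00 00 00 39 05 00 00 0A 00 00 00 "
               "02 00 00 00 04 00 00 00 CC CC CC CC")
SAMPLE_SIZE = 0x14  # value read from EDX at the breakpoint (assumed to be bytes)


def decode_packet(dump_hex, size):
    """Split the first `size` bytes of a hex dump into header and parameters."""
    raw = bytes.fromhex(dump_hex)  # spaces between byte pairs are ignored
    if size < 4 or size % 4:
        raise ValueError("size must be a positive multiple of 4 bytes")
    if len(raw) < size:
        raise ValueError("dump holds %d bytes, packet needs %d" % (len(raw), size))
    # "<" = little-endian, "I" = unsigned 32-bit: bytes 6F 00 00 00 mean 0x6F.
    fields = struct.unpack("<%dI" % (size // 4), raw[:size])
    return {"size": size, "header": fields[0], "params": list(fields[1:])}


def misread_big_endian(dump_hex):
    """The endianness mistake: the same first four bytes read in dump order."""
    return struct.unpack(">I", bytes.fromhex(dump_hex)[:4])[0]


def as_call(packet):
    """Render the packet in the SendPacket(size, header, params...) form."""
    values = [packet["size"], packet["header"]] + packet["params"]
    return "SendPacket(" + ", ".join("0x%X" % v for v in values) + ")"


if __name__ == "__main__":
    pkt = decode_packet(SAMPLE_DUMP, SAMPLE_SIZE)
    print(as_call(pkt))
    print("wrong (big-endian) header: 0x%X" % misread_big_endian(SAMPLE_DUMP))
```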
05/20/2018 13:13 3vangelist#11
Thank you for filling in the blanks :) Out of interest, why is it the second address in the stack, not the first?
11/14/2024 12:53 eatdiscobiscuits#12
Quote:
Originally Posted by Sleipnir Xiv
> There are several ways to do this. If you did it from scratch, you'd want to fire up a Debugger/Disassembler such as OllyDbg, or more recently x32dbg and attach it to GW. Then look for the w32 network traffic receive function, and see what the program does with this [it is encrypted and you want to follow up to after GW has decrypted it for you].
>
> Luckily many people have done this before, so that there's tons of little hacks that log this network traffic.
>
> In the attachment, you can find a very minimalistic DLL source code, which allocates a console window and prints out the network stream. The first 2 bytes are the header that you're looking for. Take care of the size, as several packets may be sent in one recv-sequence.
>
> Get Visual Studio Community (Free), start a new project, configure it as a DLL, add the attached source code, and compile. Then use any of the thousands of DLL injectors on the web to load it into GW, and voila, you can reverse both CtoS (Client to Server) and StoC (Server to Client) packets yourself.
>
> You may want to deactivate StoC logging as it generates a lot of noise, especially if you're only interested in CtoS packets. Do this by adding a return at the right place in the Packet() function.
>
> You'll have to go on your own from here, good luck.

I tried using this in 2024 and injected the DLL but the console window is empty. I'm guessing the CtoS/StoC PacketCrypterCode arrays have changed?