C>S 0xDE SID_UNKNOWN_DE

Transport Layer:	Transmission Control Protocol (TCP)
Application Layer:	Battle.net v1 TCP Messages (SID)
Message Id:	`0xDE`
Message Name:	`SID_UNKNOWN_DE`
Direction:	Client to Server
Options:	In Research
Used By:	Diablo II, Diablo II Lord of Destruction
Message Format: ^{(does not include protocol header)}	`(UINT8) Constant 0x0A (UINT8) Data Size (UINT8) Optional Unknown 1; observed values: absent, 0x01 or 0x02 (UINT8) Unknown 2 (UINT16) Unknown 3 (UINT8) Unknown 4 (UINT8) Unknown 5 (UINT16) Unknown 6 (UINT8) Unknown 7 (UINT8) Unknown 8 (UINT8)[] Data (UINT8)[] Optional Data if Unknown 1 is 0x02`

Remarks

This message is sent by Diablo II in response to ExtraWork and is thought to be part of cheat detection. This message is largely undocumented and more research is needed.

ExtraWork is sent during the first login since the client has been opened and periodically every few minutes thereafter.

When ExtraWork is downloaded, stageb.dll is executed and runs stagec.dll's ExtraWork which produces the result data to send in this message. The ExtraWork function appears to read volatile memory from Diablo II. The message format is an educated guess but could be completely inaccurate.

Packet dump provided by Dzik: https://pastebin.com/RHqqujBJ

Nishimura_Katsuo created a basic visualizer for this message in research, available here and can take any pastebin link: https://www.nishicode.com/DEpackets/?pb=RHqqujBJ

Unknowns 4, 7, and 8 appear to be sequence numbers, since they only ever increase over time.

Friday, December 27, 2019 | Edited: Sunday, December 29, 2019

Caaaaarrrrlll

Comments

xboi209
Sun Nov 14, 2021 6:36am UTC

D2 sends 67 of these packets in a row before sending SID_EXTRAWORK. The length of the data, excluding the BNCS header, is approximately between 100 - 200 bytes.