C>S 0xDE SID_UNKNOWN_DE

Transport Layer:Transmission Control Protocol (TCP)
Application Layer:Battle.net v1 TCP Messages (SID)
Message Id:0xDE
Message Name:SID_UNKNOWN_DE
Direction:Client to Server
Options: In Research
Used By:Diablo II, Diablo II Lord of Destruction
Message Format:
(does not include protocol header)
 (UINT8)   Constant 0x0A
 (UINT8)   Data Size
 (UINT8)   Optional Unknown 1; observed values: absent, 0x01 or 0x02
 (UINT8)   Unknown 2
(UINT16)   Unknown 3
 (UINT8)   Unknown 4
 (UINT8)   Unknown 5
(UINT16)   Unknown 6
 (UINT8)   Unknown 7
 (UINT8)   Unknown 8
 (UINT8)[] Data
 (UINT8)[] Optional Data if Unknown 1 is 0x02

Remarks

This message is sent by Diablo II in response to ExtraWork and is thought to be part of cheat detection. This message is largely undocumented and more research is needed.

ExtraWork is sent during the first login since the client has been opened and periodically every few minutes thereafter.

When ExtraWork is downloaded, stageb.dll is executed and runs stagec.dll's ExtraWork which produces the result data to send in this message. The ExtraWork function appears to read volatile memory from Diablo II. The message format is an educated guess but could be completely inaccurate.

Packet dump provided by Dzik: https://pastebin.com/RHqqujBJ

Nishimura_Katsuo created a basic visualizer for this message in research, available here and can take any pastebin link: https://www.nishicode.com/DEpackets/?pb=RHqqujBJ

Unknowns 4, 7, and 8 appear to be sequence numbers, since they only ever increase over time.

| Edited: Caaaaarrrrlll

Comments

xboi209

D2 sends 67 of these packets in a row before sending SID_EXTRAWORK. The length of the data, excluding the BNCS header, is approximately between 100 - 200 bytes.