Jailout2000

Battle.net v2 Research

Sep 29th, 2011
Battle.net 2 Packet Research:

The data stream is bit-oriented rather than byte-oriented. Reading and writing work as in the following example:

Data: 0x40 0x01
As binary: 01000000 00000001

Reading the first 11 bits consumes these positions (# marks bits that are not read):
01000000 #####001 - giving 0x201.

Reading 6 bits, then 1 bit, then 4 bits consumes:
##000000 ########
#1###### ########
0####### #####001
giving 0, 1, and 1.

So bytes are consumed left to right, but within each byte the next value takes the lowest (rightmost) unconsumed bits first, and when a value straddles a byte boundary its pieces are joined with the earlier piece as the high-order part (the 4-bit value above is 0 followed by 001, i.e. 1).

Some fields align to a byte boundary before being read or written, discarding any remaining bits of the current byte. These are mostly strings and byte arrays.

Types:
Packet fields have types, and a typed value is read as one contiguous run of bits: byte boundaries are ignored until the whole value has been consumed.
Example:
Read a 32-bit DWORD from 0x40 0x00 0x00 0x0A 0x66 0x02, starting after the 11-bit header:
As binary: 01000000 00000000 00000000 00001010 01100110 00000010
Correct: ######## RRRRR### RRRRRRRR RRRRRRRR RRRRRRRR #####RRR - all R bits are read and joined in order to form 00000000 00000000 01010011 00110010, i.e. 0x00005332, the string "..S2" [. = null byte].
Incorrect: ######## 11111### 22222111 33333222 44444333 #####444 - reading the DWORD as four separate 8-bit values (1 to 4) yields a completely different result: 00000000 00000010 00001110 01100010.
So a typed value must always be read in full, never as a sequence of bytes.

Type List:
(BOOLEAN): a single bit, 1 = true, 0 = false
(DWORD): a 32-bit value holding 4 characters, also called a FourCC value in some docs. Values shorter than 4 characters are preceded by null characters, as in the Starcraft 2 product ID 0x00005332 [..S2, see above].
(INT:#): an integer of # bits. Because BNet2 is bit-oriented, fields are no longer limited to BYTEs, WORDs, DWORDs and QWORDs; a field can be any width from a single bit upward.
(STRING): preceded by a length field given in the packet structure, and usually aligned to the byte boundary.
(NTSTRING): unconfirmed. Null-terminated strings can be seen in packets, but more research is needed to determine whether the reader actually relies on the terminator. Also usually aligned to the byte boundary.
(BYTE[#]): a byte array whose length is given in the packet structure. Sometimes aligned to the byte boundary.
|: the item is aligned to the byte boundary.

Note: some values are marked [minus N] or [plus N]. The value on the wire is the real value minus (or plus) N, so for a [minus N] field the sender subtracts N before writing and the receiver adds N after reading; [plus N] fields work the other way round.

Packet Documentation:

Packet headers are 7 or 11 bits long:
6 bit Packet ID
1 bit Channel Boolean
> 4 bit Channel ID (present only if the Channel Boolean is 1)

Known packets:
C > S CLIENT_AUTH_INFOREQUEST [Packet 0, Channel 0]
(DWORD) Product
(DWORD) Platform
(DWORD) Locale
(INT:6) Components
For 1 to Components
  (DWORD) Product
  (DWORD) Platform
  (INT:32) Build
Next
(BOOLEAN) HasAccountName
If HasAccountName
  (INT:9) EMail Address Length [minus 3]
  |(STRING) EMail Address (lowercase)
End If
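The framing rules above and the CLIENT_AUTH_INFOREQUEST layout are easiest to check in code. The following Python is an added example, not code from the original notes or from Blizzard: a bit reader and writer that implement the rules as described (lowest unconsumed bits of the current byte first, earlier pieces as the high-order part, byte alignment for | fields), a header reader/writer, and an encoder/decoder for CLIENT_AUTH_INFOREQUEST that applies the [minus 3] length offset. The header bytes 0x40 0x01 and 0x40 0x00 and the "S2" product tag are taken from the notes; the platform and locale tags (PLAT, LOCL), the build number and the e-mail address used below are constructed placeholders.

```python
# Added example, not code from the original notes: a bit-packed reader/writer for
# the framing described above, plus an encoder/decoder for CLIENT_AUTH_INFOREQUEST.
# Rules: a value takes the lowest unconsumed bits of the current byte first; bytes
# are consumed left to right; the pieces of one value are joined earlier-piece-high;
# '|' fields skip to the next byte boundary; [minus N] fields carry value - N.

class BitReader:
    def __init__(self, data: bytes):
        self.data, self.pos, self.used = data, 0, 0  # used = bits taken from data[pos]

    def read(self, nbits: int) -> int:
        value = 0
        while nbits:
            if self.used == 8:
                self.pos, self.used = self.pos + 1, 0
            if self.pos >= len(self.data):
                raise ValueError("truncated packet")
            take = min(nbits, 8 - self.used)
            chunk = (self.data[self.pos] >> self.used) & ((1 << take) - 1)
            value = (value << take) | chunk  # earlier pieces land in the higher bits
            self.used += take
            nbits -= take
        return value

    def read_bytes(self, n: int) -> bytes:  # '|' field: skip to the byte boundary first
        if self.used:
            self.pos, self.used = self.pos + 1, 0
        if self.pos + n > len(self.data):
            raise ValueError("truncated packet")
        self.pos += n
        return self.data[self.pos - n:self.pos]

    def read_fourcc(self) -> bytes:  # (DWORD): up to 4 chars, NUL-padded on the left
        return self.read(32).to_bytes(4, "big")

class BitWriter:
    def __init__(self):
        self.data, self.used = bytearray(), 8  # used == 8: the next write opens a byte

    def write(self, value: int, nbits: int) -> None:
        if value < 0 or value >> nbits:
            raise ValueError(f"{value} does not fit in {nbits} bits")
        while nbits:
            if self.used == 8:
                self.data.append(0)
                self.used = 0
            take = min(nbits, 8 - self.used)
            nbits -= take  # emit the most significant remaining piece
            self.data[-1] |= ((value >> nbits) & ((1 << take) - 1)) << self.used
            self.used += take

    def write_bytes(self, b: bytes) -> None:
        self.used = 8  # '|': leave the partial byte zero-padded and start a new one
        self.data += b

    def write_fourcc(self, tag: bytes) -> None:
        self.write(int.from_bytes(tag.rjust(4, b"\0"), "big"), 32)

def read_header(r: BitReader):
    """6-bit packet ID, 1-bit channel flag, then a 4-bit channel ID if the flag is set."""
    packet_id = r.read(6)
    return packet_id, (r.read(4) if r.read(1) else None)

def write_header(w: BitWriter, packet_id: int, channel=None) -> None:
    w.write(packet_id, 6)
    w.write(0 if channel is None else 1, 1)
    if channel is not None:
        w.write(channel, 4)

def encode_auth_info_request(product, platform, locale, components, email=None) -> bytes:
    w = BitWriter()
    write_header(w, 0, 0)  # [Packet 0, Channel 0]
    for tag in (product, platform, locale):
        w.write_fourcc(tag)
    w.write(len(components), 6)
    for prod, plat, build in components:
        w.write_fourcc(prod)
        w.write_fourcc(plat)
        w.write(build, 32)
    w.write(1 if email else 0, 1)  # HasAccountName
    if email:
        addr = email.lower().encode("ascii")
        w.write(len(addr) - 3, 9)  # [minus 3]: the sender subtracts the offset
        w.write_bytes(addr)  # |(STRING): byte-aligned, no terminator
    return bytes(w.data)

def decode_auth_info_request(pkt: bytes) -> dict:
    r = BitReader(pkt)
    if read_header(r) != (0, 0):
        raise ValueError("not CLIENT_AUTH_INFOREQUEST")
    msg = {"product": r.read_fourcc(), "platform": r.read_fourcc(), "locale": r.read_fourcc()}
    msg["components"] = [(r.read_fourcc(), r.read_fourcc(), r.read(32)) for _ in range(r.read(6))]
    if r.read(1):
        msg["email"] = r.read_bytes(r.read(9) + 3).decode("ascii")  # the receiver adds it back
    return msg
```

Feeding 0x40 0x00 0x00 0x0A 0x66 0x02 to BitReader, calling read_header and then read_fourcc yields b"\x00\x00S2", and write_header(w, 0, 0) followed by w.write_fourcc(b"S2") reproduces exactly those six bytes; encode_auth_info_request(b"S2", b"PLAT", b"LOCL", [(b"S2", b"PLAT", 18317)], "Someone@Example.com") round-trips through decode_auth_info_request with the address lowercased. The same reader covers the other packets listed here: a [minus 2147483648] field is read(32) plus that offset, and a Blob is read_bytes(BlobSize) after the 10-bit size.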

S > C CLIENT_AUTH_COMPLETE [Packet 0, Channel 0]
(BOOLEAN) Failure
If Failure
  (BOOLEAN) HasOptModule
  If HasOptModule
    |(DWORD) Type
    (DWORD) Locale
    (INT:32) ModuleID
  End If
  (INT:2) Fail Type
  If Fail Type = 1
    (INT:16) ErrorCode
    (INT:32) Unknown [minus 2147483648]
  Else
    UNKNOWN - more research needed
  End If
Else
  (INT:3) Modules
  For 1 to Modules
    |(DWORD) Type
    (DWORD) Locale
    (INT:32) ModuleID
    (INT:10) BlobSize
    |(BYTE[BlobSize]) Blob
  Next
  (INT:32) PingTimeout [minus 2147483648]
  (BOOLEAN) OptionalSegment
  If OptionalSegment
    (BOOLEAN) Parameters
    If Parameters
      (INT:32) Threshold
      (INT:32) Rate
    End If
  End If
  (INT:8) First Name Length
  |(STRING) First Name
  (INT:8) Last Name Length
  |(STRING) Last Name
  (INT:32) A number (purpose unknown)
  (BYTE[10]) Unknown; the first and last bytes are 1, all bytes between are 0
  (INT:8) String Length
  (STRING) The same number as a string, with a # appended
  (BYTE[12]) Unknown, again mostly 0s
End If

C > S CLIENT_AUTH_PROOFRESPONSE [Packet 2, Channel 0]
(INT:3) Modules
For 1 to Modules
  (INT:10) BlobSize
  |(BYTE[BlobSize]) Blob
Next

S > C CLIENT_AUTH_PROOFREQUEST [Packet 2, Channel 0]
(INT:3) Modules
For 1 to Modules
  |(DWORD) Type
  (DWORD) Locale
  (INT:32) ModuleID
  (INT:10) BlobSize
  |(BYTE[BlobSize]) Blob
Next

S > C UNKNOWN [Packet 5, Channel 1]
(INT:5) Unknown (observed as 0)
After this packet, the remaining traffic is encrypted.

Module Research:
Modules are downloaded over HTTP using the ModuleID from the Battle.net packets. The URL is http://REALM.depot.battle.net:1119/hexdata.type, where REALM is the realm you are on (e.g. us or eu), hexdata is the ModuleID as lowercase hexadecimal, and type is the module's Type value (so far, always "auth").
These auth modules are ordinary C++ DLLs that export a CreateModule function.
Before CreateModule is called, the following buffers must be populated:
0x7A7D7B79: 128-byte SALT value (randomly generated).
0x59F8A2FC: e-mail address (lowercase).
