Jump to content

Recommended Posts

Posted

Pictures are worth more than words. This one doubles as a hyperlink.

E61eG6I.png

 

Additionally, you can view individual packet opcode summaries, such as this for RequestBR_GamePoint:

fbhvlVr.png

 

(also accessible from a protocol version's overview)

 

The lists are made for NA L2, which should be fine for NA/EU/RU servers. Neither PTS nor Korean protocols are included. So if you are looking for (e.g. KR-only) 597, 598, 599, 19, 21 or similar ones, you're out of luck.

Posted (edited)

Very nice job! You are getting those packets from client directly?

Technically, yes and no. Yes, these opcode mappings were generated automatically. No, because I did some manual validation, as in certain protocol versions, there have been some issues (the generator was being updated, so older lists of older protocols had some opcodes incorrectly skipped/assigned, or doubly assigned some opcodes). I also tried to synchronize packet names with reality, so a few might not exactly match what's in that exact client – the name would come from a later client (see the large explanation below), because the original name is misleading due to changes to logic.

 

For packets that never had a name (some private store packets) had their names assigned manually. 'DummyPacket's that to this day serve a very specific purpose had a name assigned based on how equivalent packets for other features were named.

 

And the biggest letdown you may notice, is the missing SendPrivateStoreBuyBuyList (replaced with SendPrivateStoreSellList).

 

Excellent work. Any way you can suck up the structures as well?

NOT THIS AGAIN.

Look. The strings are manually maintained by NC employees. So if someone forgets to update some packet, e.g. 'RequestPartyMatchConfig' for like 3 years after it's structure and logic has been already changed to 'RequestListPartyWaiting', it does not mean that packet still is 'RequestPartyMatchConfig' for these additional 3 years.

 

The same applies to structure strings, EXCEPT it seems that on updates, NC omits certain fields ON PURPOSE. That's why usually the structure presented for widely used packets like ItemList, CI, UI and similar will be outright wrong.

 

E.g. with CI and UI, it is often that you see something like this:

  • You start with some baseline protocol version (some fields may be omitted)
  • A protocol version update arrives, which does not specify CI/UI structure change
  • In reality, you find out new fields have been added, and not necessarily at the end of the packet
  • Another protocol version update arrives, which does specify new fields in CI/UI, but omits those you already found
  • In reality, you find out that the omitted fields are still there
  • Another protocol version update arrives, which specifies even more new fields in CI/UI, but those you found are still nowhere to be seen
  • In reality, you find out that omitted fields are there, and not all new fields are specified AGAIN
  • Another protocol update; both omissions are nowhere to be found, but new fields have arrived
  • This goes on and on with various packets…
So really, NC with its project-based workflow and employee migration between them (some employees simply leave) DOES NOT CARE to maintain those structure strings properly (sometimes, that also applies to packet names).

 

Since there is no way to automatically check whether the structure string is up-to-date (esp. if 'x' is involved), I'd rather not present them. Yes, for a fair amount of "simpler" packets, that would work. But that can easily cause people to believe that those strings are actually correct, and fall right into a trap.

 

 

If someone would like, I could try to jog my memory and check up my validated structs against NC (client) structs to give you at least 10 packets over various protocol versions, where the client struct is just wrong (and continues to be wrong for extended amounts of time).

Edited by Zeeyo
Posted

Wrong client structure ? I would love to see that.

 

Since its net pro related, do you handle packet obfuscation ?

Posted

Technically, yes and no. Yes, these opcode mappings were generated automatically. No, because I did some manual validation, as in certain protocol versions, there have been some issues (the generator was being updated, so older lists of older protocols had some opcodes incorrectly skipped/assigned, or doubly assigned some opcodes). I also tried to synchronize packet names with reality, so a few might not exactly match what's in that exact client – the name would come from a later client (see the large explanation below), because the original name is misleading due to changes to logic.

 

For packets that never had a name (some private store packets) had their names assigned manually. 'DummyPacket's that to this day serve a very specific purpose had a name assigned based on how equivalent packets for other features were named.

 

And the biggest letdown you may notice, is the missing SendPrivateStoreBuyBuyList (replaced with SendPrivateStoreSellList).

 

 

NOT THIS AGAIN.

Look. The strings are manually maintained by NC employees. So if someone forgets to update some packet, e.g. 'RequestPartyMatchConfig' for like 3 years after it's structure and logic has been already changed to 'RequestListPartyWaiting', it does not mean that packet still is 'RequestPartyMatchConfig' for these additional 3 years.

 

The same applies to structure strings, EXCEPT it seems that on updates, NC omits certain fields ON PURPOSE. That's why usually the structure presented for widely used packets like ItemList, CI, UI and similar will be outright wrong.

 

E.g. with CI and UI, it is often that you see something like this:

  • You start with some baseline protocol version (some fields may be omitted)
  • A protocol version update arrives, which does not specify CI/UI structure change
  • In reality, you find out new fields have been added, and not necessarily at the end of the packet
  • Another protocol version update arrives, which does specify new fields in CI/UI, but omits those you already found
  • In reality, you find out that the omitted fields are still there
  • Another protocol version update arrives, which specifies even more new fields in CI/UI, but those you found are still nowhere to be seen
  • In reality, you find out that omitted fields are there, and not all new fields are specified AGAIN
  • Another protocol update; both omissions are nowhere to be found, but new fields have arrived
  • This goes on and on with various packets…
So really, NC with its project-based workflow and employee migration between them (some employees simply leave) DOES NOT CARE to maintain those structure strings properly (sometimes, that also applies to packet names).

 

Since there is no way to automatically check whether the structure string is up-to-date (esp. if 'x' is involved), I'd rather not present them. Yes, for a fair amount of "simpler" packets, that would work. But that can easily cause people to believe that those strings are actually correct, and fall right into a trap.

 

 

If someone would like, I could try to jog my memory and check up my validated structs against NC (client) structs to give you at least 10 packets over various protocol versions, where the client struct is just wrong (and continues to be wrong for extended amounts of time).

 

I've got absolutely 0 knowledges when it comes to reverse engineering, was hoping it was possible, too bad it isn't. %5E1.gif
Posted

Wrong client structure ? I would love to see that.

I have opened this thread in the morning to check up on what's new, but I'll have to go soon. Please check this post later today, I will edit it to include cases that I have already stumbled upon.

 

Since its net pro related, do you handle packet obfuscation ?

Yes. That's why you have these special 'constant' opcodes in protocol definitions, e.g.

	<protocol id="54" alias="Infinite Odyssey" category="IO">
		<version date="2015-04-22">24</version>
		<primary>
			<constant>0x12</constant>
			<constant>0xB1</constant>
			<constant>0x11</constant>
			<constant>0xD0</constant>
		</primary>
		<secondary count="269">
			<constant>0x70</constant>
			<constant>0x71</constant>
		</secondary>
		<definitions dir="infinite_odyssey" />
	</protocol>
As these are known to not participate in CM opcode shuffling. Plus, without this obfuscation, NP would be pretty much useless.

 

No matter how packts are encrpyted they will be decrypted before being added to network queue

I honestly have no clue what you are talking about.

 

I've got absolutely 0 knowledges when it comes to reverse engineering, was hoping it was possible, too bad it isn't. %5E1.gif

While doing manual validation, I do take note of what are the client-known structures of certain packets (due to the aforementioned reasons, I only include them as found in the latest client). See the XML comments in this file.

Posted (edited)

What's about the packet structure? You plan to add structure of packets?

I do plan to do that eventually. After all, the reason I made the opcode site was because the incremental loading in NP meant that without actually using NP (or checking out and using ctrl+shift+r) it becomes somewhat hard to follow which opcodes and structures are used for a specific protocol version.

 

For now, you can just browse the NP source for structure XMLs. But beware: most packets in HF folder were validated from non-builder perspective, and the rest were filled in from l2j sources (which means they are most likely wrong).

Most new packets in valiance folder were generated from GDL & later non-incremental loading XML files. THERE WERE ISSUES with opcode assignment, so some definitions are lost or incorrect (I still have the file in legacy format, but I never actually re-validated them).

Most new packets in ertheia folder were generated from korean Ertheia non-incremental loading XML file. Same issues as with Epeisodion (a.k.a Valiance).

 

Right now, I am finishing up with validating C4 packets (though there are still a few left to validate from C2). After that, I'll move to GF, though I will try my best to investigate C5 (due to so many pledge features originally implemented there) to Gracia P2 while dealing with GF.

 

After that, I plan to review HF, legacy GoD, GDL and kr Ertheia files. Only then would I publish the structures in a format similar to how this opcode website works.

Edited by Zeeyo
Posted

I do plan to do that eventually. After all, the reason I made the opcode site was because the incremental loading in NP meant that without actually using NP (or checking out and using ctrl+shift+r) it becomes somewhat hard to follow which opcodes and structures are used for a specific protocol version.

 

For now, you can just browse the NP source for structure XMLs. But beware: most packets in HF folder were validated from non-builder perspective, and the rest were filled in from l2j sources (which means they are most likely wrong).

Most new packets in valiance folder were generated from GDL & later non-incremental loading XML files. THERE WERE ISSUES with opcode assignment, so some definitions are lost or incorrect (I still have the file in legacy format, but I never actually re-validated them).

Most new packets in ertheia folder were generated from korean Ertheia non-incremental loading XML file. Same issues as with Epeisodion (a.k.a Valiance).

 

Right now, I am finishing up with validating C4 packets (though there are still a few left to validate from C2). After that, I'll move to GF, though I will try my best to investigate C5 (due to so many pledge features originally implemented there) to Gracia P2 while dealing with GF.

 

After that, I plan to review HF, legacy GoD, GDL and kr Ertheia files. Only then would I publish the structures in a format similar to how this opcode website works.

 

And how are you validates the packet structure? By L2J forks?

Posted (edited)

I honestly have no clue what you are talking about.

 

What i was talkin about was how L2 manages the packets internally. It listens with one thread which is responsible for writing the data buffer, then decrypting it and adding to "NewtorkQueue" (thats how its called inside game) which parses the packet and calls appropriate handler for it :)

 

Does it work only for clean client with default encryption? And do u sniff it with external sniffer or you are inside process?

Edited by Szakalaka

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now


  • Posts

    • NEWVPS — 20% OFF New VPS Orders Promo code: NEWVPS • Get 20% off all new VPS orders • Offer valid until July 16 (inclusive) Enter the promo code NEWVPS during checkout to receive your discount  
    • Update: Advanced Rate Limiting Rate limiting is now applied to: Login attempts Account registration Password recovery Email confirmation resends WhatsApp verification Checkout access The system maintains independent counters by IP address and user identity, helping prevent traditional brute-force attacks as well as distributed credential-stuffing attempts using multiple proxies. Brute-Force and Credential-Stuffing Protection Protection is not limited to the visitor's IP address. The system also tracks attempts associated with the account, username, or email address, reducing the effectiveness of attacks performed through rotating IP addresses, proxies, or VPN services. Global HTTP Security Headers Security headers are applied across the entire website: X-Frame-Options X-Content-Type-Options Referrer-Policy HTTP Strict Transport Security These headers help protect the website against clickjacking, MIME-type confusion, insecure referrer exposure, and HTTP downgrade attempts. Secure Error Handling Internal exceptions are recorded in protected security logs while visitors receive sanitized error messages. This prevents the accidental exposure of: Internal file paths Database information SQL errors Server configuration Application stack traces Private Storage Exposure Monitoring The system automatically checks whether the private storage directory is publicly accessible in production. If exposure is detected, a security warning is recorded for the administrator without interrupting the website. This directory may contain licensing information, rate-limit records, and security logs and must never be publicly accessible. OAuth Request Protection Google and Facebook authentication flows use cryptographically random state values stored in the user's session. Returned state values are validated using constant-time comparison, helping prevent OAuth request forgery and unauthorized account-linking attacks. Telegram Authentication Validation Telegram login information is protected through: HMAC signature validation Constant-time hash comparison Authentication timestamp verification Expired-login rejection Secure Verification Tokens Email, password recovery, and WhatsApp verification systems include: Cryptographically secure random tokens Hashed WhatsApp verification codes Automatic expiration Limited verification attempts Resend cooldowns One-time token invalidation Account Activation Protection When email or WhatsApp verification is required, the game account remains restricted until all required verification steps are completed. Unverified users cannot bypass the confirmation process through standard or social login. Secure Upload Processing Administrative image uploads include: Real MIME-type inspection Image-content validation File-size limits Extension allowlists Server-generated random filenames Rejection of invalid or disguised files Original user-provided filenames are never used as the final stored filename. Path Traversal Protection Theme and template identifiers are restricted to validated slugs and must exist in the internal list of allowed themes. This prevents directory traversal and unauthorized local-file access through manipulated template names. Atomic Ticket Transfer Protection Ticket transfers use transactional and durable delivery processing. The balance is conditionally debited, the delivery is recorded before communication with the game database, and failed deliveries remain pending for safe reprocessing. This helps prevent: Free-item delivery Inconsistent balances Duplicate delivery Partial transaction failures Lost transfer records Concurrent Balance Protection Administrative balance adjustments use database transactions and row-level locking. This prevents simultaneous balance operations from overwriting each other or creating inconsistent account balances. Secure Redirect Handling Redirect values are sanitized against header injection, and external redirects are restricted to HTTPS destinations. Password Security Improvements The website uses modern password hashing for player-panel accounts and bcrypt with a configurable cost for supported game-server account systems. Compatibility is included for game-server implementations requiring the $2a$ bcrypt prefix. Duplicate Payment Prevention Built-in protections include: Idempotency control Transaction reference validation Payment status verification Unique external payment references Database transactions and rollback Durable payment history Completed-order verification These protections prevent: Double credits Repeated processing Duplicate payment callbacks Incomplete financial operations Signed Payment Callback Protection Payment callbacks are protected through: HMAC-SHA256 authentication Constant-time signature comparison Signed callback timestamps Callback freshness validation Shared callback secrets This helps prevent forged payment notifications, callback manipulation, and replay attacks. SQL Injection Protection The database layer uses: PDO Prepared statements Parameter binding Controlled internal allowlists for dynamic identifiers User-controlled values are not directly concatenated into SQL queries. XSS Protection Output and form data are protected through: HTML escaping Attribute escaping Input filtering HttpOnly session cookies MIME-sniffing protection Frame embedding restrictions These measures reduce the risk of Cross-Site Scripting, malicious HTML injection, session theft, and clickjacking. CSRF Protection Sensitive forms and administrative operations use session-based CSRF tokens. Requests without a valid token are rejected, helping prevent unauthorized actions performed through malicious external websites. Secure Session Protection The session system includes: HttpOnly cookies Secure cookie support SameSite restrictions Session ID regeneration Authentication state validation Session timeout controls These protections reduce the risks of session fixation, session theft, and unauthorized account reuse. reCAPTCHA Protection Google reCAPTCHA may be enabled on sensitive public forms to reduce: Automated account registrations Spam submissions Bot login attempts Automated password recovery abuse Confirmation Resend Limits Email and WhatsApp confirmation resends are protected through: Cooldown periods Rate limiting Expiring verification codes Attempt counters This prevents verification-message flooding and excessive external API usage. Licensing and Anti-Cloning Protection The website includes centralized licensing controls with: License-key validation Domain binding Signed license responses Cached license validation Temporary offline grace period Circuit-breaker protection Unauthorized-domain rejection These measures help prevent unauthorized installation, cloning, and redistribution of the system.
    • Tool that allows you to download the Lineage 2 game client directly from the official publisher CDNs. It fetches the CDN's file list and downloads every patch file, decompresses it (LZMA / Zip) and writes the finished client to disk — and can resume or repair an existing installation instead of starting over. It runs several client downloads at once through a batch queue, so you can prepare multiple regions or versions in a single session.   Supported: NCSoft CDNs (TW / KR / JP / NA) and  4game CDNs(RU / EU)   Download: https://drive.google.com/file/d/11SDcNASqO2GKOBT79LFu7mqvSRSJZvBS
    • https://l2avokado.com/ Hello everyone,   After some time of development, we've decided to open L2Avokado to the public in its current development stage. We're looking for players who enjoy Interlude and would like to help shape the project before its official release.   This isn't a "launch" announcement. Instead, we're inviting the community to log in, explore the server, test the systems we've built, and provide honest feedback. Whether it's bug reports, balance suggestions, progression ideas, or quality-of-life improvements, we'd love to hear them.   Our goal has always been to create an Interlude server that feels familiar while offering a fresh progression experience. We've intentionally avoided custom weapons, armor, and client modifications. Instead, we've focused on redesigning progression through reworked hunting grounds, quests, crafting, and gameplay systems while remaining compatible with a clean Interlude client.   At this stage, the core progression path has been implemented, including the main hunting grounds, quests, custom systems, and events. However, as the project is still under active development, there will inevitably be bugs, balance issues, and areas that require further polishing.   This is exactly why we'd like your help.   We're looking for players who are willing to: Test gameplay and progression. Report bugs and exploits. Suggest balance improvements. Share ideas for new features or quality-of-life changes. Help us build a server that the community genuinely enjoys playing.   The Client and System downloads are already available on our website, so you can jump straight into the game. We're also working on a dedicated launcher that will simplify installation and future updates.   If you're interested in helping develop a unique Interlude project and want your feedback to genuinely influence the direction of the server, we'd love to have you with us.   We look forward to seeing you in-game and hearing your thoughts on Discord. https://l2avokado.com/
  • Topics

×
×
  • Create New...

Important Information

This community uses essential cookies to function properly. Non-essential cookies and third-party services are used only with your consent. Read our Privacy Policy and We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue..