Jump to content
MaxCheaters Official Group on Discord
Top.MaxCheaters.com is now OPEN – Lineage 2 Top Listing

L2 Packet Opcode Lists

Zeeyo
 Share

Recommended Posts

Zeeyo Newbie

Zeeyo

Posted
Posted

Pictures are worth more than words. This one doubles as a hyperlink.

E61eG6I.png

 

Additionally, you can view individual packet opcode summaries, such as this for RequestBR_GamePoint:

fbhvlVr.png

 

(also accessible from a protocol version's overview)

 

The lists are made for NA L2, which should be fine for NA/EU/RU servers. Neither PTS nor Korean protocols are included. So if you are looking for (e.g. KR-only) 597, 598, 599, 19, 21 or similar ones, you're out of luck.

Zeeyo Newbie

Zeeyo

Posted
  • Author
Posted (edited)

Very nice job! You are getting those packets from client directly?

Technically, yes and no. Yes, these opcode mappings were generated automatically. No, because I did some manual validation, as in certain protocol versions, there have been some issues (the generator was being updated, so older lists of older protocols had some opcodes incorrectly skipped/assigned, or doubly assigned some opcodes). I also tried to synchronize packet names with reality, so a few might not exactly match what's in that exact client – the name would come from a later client (see the large explanation below), because the original name is misleading due to changes to logic.

 

For packets that never had a name (some private store packets) had their names assigned manually. 'DummyPacket's that to this day serve a very specific purpose had a name assigned based on how equivalent packets for other features were named.

 

And the biggest letdown you may notice, is the missing SendPrivateStoreBuyBuyList (replaced with SendPrivateStoreSellList).

 

Excellent work. Any way you can suck up the structures as well?

NOT THIS AGAIN.

Look. The strings are manually maintained by NC employees. So if someone forgets to update some packet, e.g. 'RequestPartyMatchConfig' for like 3 years after it's structure and logic has been already changed to 'RequestListPartyWaiting', it does not mean that packet still is 'RequestPartyMatchConfig' for these additional 3 years.

 

The same applies to structure strings, EXCEPT it seems that on updates, NC omits certain fields ON PURPOSE. That's why usually the structure presented for widely used packets like ItemList, CI, UI and similar will be outright wrong.

 

E.g. with CI and UI, it is often that you see something like this:

  • You start with some baseline protocol version (some fields may be omitted)
  • A protocol version update arrives, which does not specify CI/UI structure change
  • In reality, you find out new fields have been added, and not necessarily at the end of the packet
  • Another protocol version update arrives, which does specify new fields in CI/UI, but omits those you already found
  • In reality, you find out that the omitted fields are still there
  • Another protocol version update arrives, which specifies even more new fields in CI/UI, but those you found are still nowhere to be seen
  • In reality, you find out that omitted fields are there, and not all new fields are specified AGAIN
  • Another protocol update; both omissions are nowhere to be found, but new fields have arrived
  • This goes on and on with various packets…
So really, NC with its project-based workflow and employee migration between them (some employees simply leave) DOES NOT CARE to maintain those structure strings properly (sometimes, that also applies to packet names).

 

Since there is no way to automatically check whether the structure string is up-to-date (esp. if 'x' is involved), I'd rather not present them. Yes, for a fair amount of "simpler" packets, that would work. But that can easily cause people to believe that those strings are actually correct, and fall right into a trap.

 

 

If someone would like, I could try to jog my memory and check up my validated structs against NC (client) structs to give you at least 10 packets over various protocol versions, where the client struct is just wrong (and continues to be wrong for extended amounts of time).

Edited by Zeeyo
Sdw Newbie

Sdw

Posted
Posted

Wrong client structure ? I would love to see that.

 

Since its net pro related, do you handle packet obfuscation ?

Ghost Newbie

Ghost

Posted
Posted

Technically, yes and no. Yes, these opcode mappings were generated automatically. No, because I did some manual validation, as in certain protocol versions, there have been some issues (the generator was being updated, so older lists of older protocols had some opcodes incorrectly skipped/assigned, or doubly assigned some opcodes). I also tried to synchronize packet names with reality, so a few might not exactly match what's in that exact client – the name would come from a later client (see the large explanation below), because the original name is misleading due to changes to logic.

 

For packets that never had a name (some private store packets) had their names assigned manually. 'DummyPacket's that to this day serve a very specific purpose had a name assigned based on how equivalent packets for other features were named.

 

And the biggest letdown you may notice, is the missing SendPrivateStoreBuyBuyList (replaced with SendPrivateStoreSellList).

 

 

NOT THIS AGAIN.

Look. The strings are manually maintained by NC employees. So if someone forgets to update some packet, e.g. 'RequestPartyMatchConfig' for like 3 years after it's structure and logic has been already changed to 'RequestListPartyWaiting', it does not mean that packet still is 'RequestPartyMatchConfig' for these additional 3 years.

 

The same applies to structure strings, EXCEPT it seems that on updates, NC omits certain fields ON PURPOSE. That's why usually the structure presented for widely used packets like ItemList, CI, UI and similar will be outright wrong.

 

E.g. with CI and UI, it is often that you see something like this:

  • You start with some baseline protocol version (some fields may be omitted)
  • A protocol version update arrives, which does not specify CI/UI structure change
  • In reality, you find out new fields have been added, and not necessarily at the end of the packet
  • Another protocol version update arrives, which does specify new fields in CI/UI, but omits those you already found
  • In reality, you find out that the omitted fields are still there
  • Another protocol version update arrives, which specifies even more new fields in CI/UI, but those you found are still nowhere to be seen
  • In reality, you find out that omitted fields are there, and not all new fields are specified AGAIN
  • Another protocol update; both omissions are nowhere to be found, but new fields have arrived
  • This goes on and on with various packets…
So really, NC with its project-based workflow and employee migration between them (some employees simply leave) DOES NOT CARE to maintain those structure strings properly (sometimes, that also applies to packet names).

 

Since there is no way to automatically check whether the structure string is up-to-date (esp. if 'x' is involved), I'd rather not present them. Yes, for a fair amount of "simpler" packets, that would work. But that can easily cause people to believe that those strings are actually correct, and fall right into a trap.

 

 

If someone would like, I could try to jog my memory and check up my validated structs against NC (client) structs to give you at least 10 packets over various protocol versions, where the client struct is just wrong (and continues to be wrong for extended amounts of time).

 

I've got absolutely 0 knowledges when it comes to reverse engineering, was hoping it was possible, too bad it isn't. %5E1.gif
Zeeyo Newbie

Zeeyo

Posted
  • Author
Posted

Wrong client structure ? I would love to see that.

I have opened this thread in the morning to check up on what's new, but I'll have to go soon. Please check this post later today, I will edit it to include cases that I have already stumbled upon.

 

Since its net pro related, do you handle packet obfuscation ?

Yes. That's why you have these special 'constant' opcodes in protocol definitions, e.g.

	<protocol id="54" alias="Infinite Odyssey" category="IO">
		<version date="2015-04-22">24</version>
		<primary>
			<constant>0x12</constant>
			<constant>0xB1</constant>
			<constant>0x11</constant>
			<constant>0xD0</constant>
		</primary>
		<secondary count="269">
			<constant>0x70</constant>
			<constant>0x71</constant>
		</secondary>
		<definitions dir="infinite_odyssey" />
	</protocol>
As these are known to not participate in CM opcode shuffling. Plus, without this obfuscation, NP would be pretty much useless.

 

No matter how packts are encrpyted they will be decrypted before being added to network queue

I honestly have no clue what you are talking about.

 

I've got absolutely 0 knowledges when it comes to reverse engineering, was hoping it was possible, too bad it isn't. %5E1.gif

While doing manual validation, I do take note of what are the client-known structures of certain packets (due to the aforementioned reasons, I only include them as found in the latest client). See the XML comments in this file.

Zeeyo Newbie

Zeeyo

Posted
  • Author
Posted (edited)

What's about the packet structure? You plan to add structure of packets?

I do plan to do that eventually. After all, the reason I made the opcode site was because the incremental loading in NP meant that without actually using NP (or checking out and using ctrl+shift+r) it becomes somewhat hard to follow which opcodes and structures are used for a specific protocol version.

 

For now, you can just browse the NP source for structure XMLs. But beware: most packets in HF folder were validated from non-builder perspective, and the rest were filled in from l2j sources (which means they are most likely wrong).

Most new packets in valiance folder were generated from GDL & later non-incremental loading XML files. THERE WERE ISSUES with opcode assignment, so some definitions are lost or incorrect (I still have the file in legacy format, but I never actually re-validated them).

Most new packets in ertheia folder were generated from korean Ertheia non-incremental loading XML file. Same issues as with Epeisodion (a.k.a Valiance).

 

Right now, I am finishing up with validating C4 packets (though there are still a few left to validate from C2). After that, I'll move to GF, though I will try my best to investigate C5 (due to so many pledge features originally implemented there) to Gracia P2 while dealing with GF.

 

After that, I plan to review HF, legacy GoD, GDL and kr Ertheia files. Only then would I publish the structures in a format similar to how this opcode website works.

Edited by Zeeyo
Rootware Enthusiast

Rootware

Posted
Posted

I do plan to do that eventually. After all, the reason I made the opcode site was because the incremental loading in NP meant that without actually using NP (or checking out and using ctrl+shift+r) it becomes somewhat hard to follow which opcodes and structures are used for a specific protocol version.

 

For now, you can just browse the NP source for structure XMLs. But beware: most packets in HF folder were validated from non-builder perspective, and the rest were filled in from l2j sources (which means they are most likely wrong).

Most new packets in valiance folder were generated from GDL & later non-incremental loading XML files. THERE WERE ISSUES with opcode assignment, so some definitions are lost or incorrect (I still have the file in legacy format, but I never actually re-validated them).

Most new packets in ertheia folder were generated from korean Ertheia non-incremental loading XML file. Same issues as with Epeisodion (a.k.a Valiance).

 

Right now, I am finishing up with validating C4 packets (though there are still a few left to validate from C2). After that, I'll move to GF, though I will try my best to investigate C5 (due to so many pledge features originally implemented there) to Gracia P2 while dealing with GF.

 

After that, I plan to review HF, legacy GoD, GDL and kr Ertheia files. Only then would I publish the structures in a format similar to how this opcode website works.

 

And how are you validates the packet structure? By L2J forks?

Szakalaka Newbie

Szakalaka

Posted
Posted (edited)

I honestly have no clue what you are talking about.

 

What i was talkin about was how L2 manages the packets internally. It listens with one thread which is responsible for writing the data buffer, then decrypting it and adding to "NewtorkQueue" (thats how its called inside game) which parses the packet and calls appropriate handler for it :)

 

Does it work only for clean client with default encryption? And do u sniff it with external sniffer or you are inside process?

Edited by Szakalaka

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing


  • Posts

    • FunBasec
      PlayCMS is a website management system for Lineage 2 gaming

      By FunBasec · Posted

      Added the protection module to the demo.   DDoS Guard Pro v2.0 is a system protection module for PlayMMO CMS designed to reduce the load on the website during HTTP floods, bot activity, suspicious frequent requests, and attacks on individual pages or API methods. Unlike simple global limiters, DDoS Guard Pro v2.0 supports flexible rules based on routes and HTTP methods. This allows you to block the entire site in a targeted manner, rather than blocking the entire site equally. You can set up protection for specific areas of the site, such as login, registration, APIs, administration, forms, and other sensitive areas. What is the purpose of the module? DDoS Guard Pro v2.0 helps protect your site from basic L7 attacks at the HTTP request level. The module is useful when your site receives: frequent requests from a single IP address; HTTP page floods; login or registration form flooding; automatic requests from bots; URL scanning; frequent API requests; suspicious activity spikes; load on individual CMS methods or pages. The module helps to reduce the load on PHP and CMS by limiting suspicious activity before it starts to create a serious load on the site. Main features Per-route and per-method Rate Limit In the new version, protection is configured not only globally, but also according to specific rules. You can set limits separately for: GET; POST; PUT; PATCH; DELETE; ALL. This allows you to flexibly protect different parts of your website. For example: for the login page, you can set a strict limit; for registration, you can set a separate limit; for the API, you can set a limit for reading and a limit for changing data; for regular website pages, you can set a soft limit or not set a limit at all. This approach reduces the risk of accidentally blocking regular users and makes the protection more accurate. Flexible rule system The module supports setting rules in the following format: METHODS|PATTERN|LIMIT|WINDOW|BURST_LIMIT|BURST_WINDOW|BLOCK_SECONDS|IDENTITY|NAME Example of rules: POST|*login*|10|60|5|10|600|ip|login_post POST|*register*|8|60|4|10|600|ip|register_post GET|*api*|300|60|80|10|120|ip|api_get PUT,PATCH,DELETE|*api*|80|60|20|10|300|ip|api_write This allows you to specify exactly: which HTTP methods to protect; which URLs or URL patterns to consider; how many requests are allowed; over what time period; what burst limit to use;  how many seconds to block the offender;  by which ID to count the limit;  what the rule is called. Burst protection against sharp spikes  In addition to the regular request limit, the module monitors sharp spikes of activity.  This is useful when a bot makes many requests in a few seconds. In this case, the protection can be activated faster, without waiting for the overall limit per minute.  Burst protection is especially useful for: authorization pages; registration; API; search; data submission forms; administrative sections. Support for different types of requests DDoS Guard Pro v2.0 works not only with POST requests. The module can control: GET — regular pages, API requests, search; POST — forms, login, registration, data submission; PUT — updating data via API; PATCH — partial data update; DELETE — data deletion; ALL — all methods at once. This makes the module suitable not only for regular sites, but also for CMS with API, personal accounts, game panels and administrative actions. Limit storage: Redis, APCu and file fallback In the new version, the module supports several options for storing temporary data. Available modes: Redis; APCu; file fallback. The auto mode tries to use the most suitable option: Redis; APCu; file storage as a fallback. Redis or APCu are suitable for more efficient operation, while the file storage is left as a fallback option for simple hosting environments that do not have additional extensions. JSONL logging The module records protection events in JSON Lines format. Logs are saved in the following file: storage/logs/ddos_guard.jsonl This format is more convenient than a regular text log, because each event is stored as a separate JSON record. The logs can record the following information: event time; IP address; HTTP method; URL; name of the triggered rule; reason for blocking; number of requests; action status; user-agent; protection mode. The JSONL format is convenient for analysis by external tools, log agents, and monitoring systems. Prometheus metrics DDoS Guard Pro v2.0 adds an endpoint for receiving metrics in Prometheus format. Endpoint: /?ddos_guard_metrics=TOKEN The token is set in the module settings. Metrics allow you to track: the number of processed requests; the number of rule activations; the number of blocks; activity by limits; protection events; module status. This allows you to connect monitoring and configure alerts so that the administrator can see when suspicious activity starts on the site. LOG ONLY mode The module has a LOG ONLY mode. In this mode, DDoS Guard Pro does not block users, but only records events and potential triggers in the log. This mode is recommended to be used after installation, in order to first see which rules are triggered, and only then to enable the real blocking.  This helps to avoid too strict limits and random blocking of regular users.  Support for Cloudflare and proxy  The module supports working behind Cloudflare or another reverse proxy.  With proper configuration, it is possible to take into account the real IP of the user, and not the IP of the proxy server.  This is important for sites that use:  Cloudflare; nginx reverse proxy; load balancers; CDN; hosting proxy protection. Nginx-recommendations DDoS Guard Pro v2.0 contains an example nginx-config: modules/ddos_guard/nginx-ddos-guard-example.conf This allows you to use the module as an additional application layer of protection, and to move the main coarse limits to the nginx level. Recommended protection scheme: Cloudflare / nginx / firewall → DDoS Guard Pro → PlayMMO CMS This approach is more correct than trying to solve all problems only at the PHP level.
    • eMommy
      Needing DEV.

      By eMommy · Posted

    • RMTgold
      Buying & Selling POE & POE2 Divine-Mirrors

      By RMTgold · Posted

      PAYPAL& BINANCE
    • RMTgold
      Buying & Selling Wynncraft Stx

      By RMTgold · Posted

      PAYPAL& BINANCE
    • RMTgold
      Buying & Selling Torn City Cash

      By RMTgold · Posted

      PAYPAL& BINANCE

  • Topics

×
×
  • Create New...

Important Information

This community uses essential cookies to function properly. Non-essential cookies and third-party services are used only with your consent. Read our Privacy Policy and We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue..