
login sequence

Romain Beaumont edited this page Jul 20, 2018 · 1 revision

Analysing the Diablo II Lord of Destruction 1.12a client behaviour with the goal of writing a fast command line botting program which does not require the Diablo II client
=============================================================================================

By binrapt, with support from FlamingCows/Cthulhon, Sheppard, Zoxc, McGod

Format:

The basic command byte format for BNCS packets is usually:

[ff] [command identifier byte] [packet size word] [command arguments ...]

The size of the packet includes the ff, the command identifier byte, the packet size word itself and the size of the arguments. All numbers are in little-endian format (least significant byte first).

This is what happens when you connect to Battle.net (this connects you to the BNCS - Battle.net Chat Server):

  1. Client opens connection #1 to the Battle.net server on port 6112

  2. [#1 Client -> server]

    01

    This initialises a normal logon conversation or so

  3. [#1 Client -> server]

    ff 50 3a 00 00 00 00 00 36 38 58 49 50 58 32 44  .P:..... 68XIPX2D
    0c 00 00 00 53 55 6e 65 55 b4 4a c9 88 ff ff ff  ....SUne U.J.....
    09 04 00 00 09 04 00 00 55 53 41 00 55 6e 69 74  ........ USA.Unit
    65 64 20 53 74 61 74 65 73 00                    ed State s.

    http://www.bnetdocs.org/?op=packet&pid=279 SID_AUTH_INFO

    Reverse 68XIPX2D and you get D2XPIX86: Diablo 2 Expansion, x86. USA / United States specifies the country/language, extracted from the Windows settings or so. It may make a difference to the channels you automatically join, or none at all, no clue. This packet is always the same really.

  4. [#1 Server -> client]

    ff 25 08 00 e1 26 9f 8b  .%...&..

    http://www.bnetdocs.org/?op=packet&pid=164 SID_PING

    Comes with a random DWORD after [ff 25 08 00], which is [e1 26 9f 8b] in this case. The very same packet is sent back to the server in step 12.

  5. [#1 Server -> client]

    http://www.bnetdocs.org/?op=packet&pid=146 SID_AUTH_INFO

    ff 50 68 00 00 00 00 00 a8 e0 76 f7 a1 40 1e 00  .Ph..... ..v..@..
    00 31 ef 00 70 5f c7 01 76 65 72 2d 49 58 38 36  .1..p_.. ver-IX86
    2d 31 2e 6d 70 71 00 41 3d 31 30 38 35 31 35 33  -1.mpq.A =1085153
    35 39 37 20 43 3d 33 37 32 32 36 39 36 34 39 34  597 C=37 22696494
    20 42 3d 31 32 38 31 37 36 33 36 36 30 20 34 20   B=12817 63660 4
    41 3d 41 2d 53 20 42 3d 42 5e 43 20 43 3d 43 5e  A=A-S B= B^C C=C^
    41 20 41 3d 41 2b 42 00                          A A=A+B.

    This packet contains four entries that concern us:

    1. a randomly generated server token, a8 e0 76 f7 in this case
    2. a randomly generated MPQ filetime, 00 31 ef 00 70 5f c7 01 in this case
    3. a randomly generated MPQ string, "ver-IX86-1.mpq" in this case (the pattern is ver-IX86-[n].mpq where n is an integer 0 <= n <= 7)
    4. a randomly generated value string, "A=1085153597 C=3722696494 B=1281763660 4 A=A-S B=B^C C=C^A A=A+B" in this case

    The Diablo II client now opens a new connection to Battle.net in order to download the MPQ file specified in this packet. The server token and the MPQ filetime are used to perform that download. The client then uses the content of that MPQ file, the server token, the formulas specified in the value string and the content of the Diablo II Lord of Destruction files Game.exe, Bnclient.dll and D2Client.dll to calculate a checksum, which is used in the reply to this packet.
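To make the four entries concrete, here is an added example (my code, not binrapt's implementation and not part of the original page) that pulls them out of the SID_AUTH_INFO packet dumped above and then parses the value string into its seed registers and operation list. The two dwords around the server token (logon type and UDP value, going by bnetdocs) are skipped, and the "file data" fed into the formula is constructed: the real check also walks Game.exe, Bnclient.dll and D2Client.dll and mixes in the seed from the MPQ file, none of which the page includes, so `run_formula` only shows how the operations in the value string are applied per dword with 32-bit wraparound.

```python
import re
import struct

# Constructed from the SID_AUTH_INFO server packet dumped above (step 5, 104 bytes).
AUTH_INFO_PACKET = bytes.fromhex(
    "ff 50 68 00 00 00 00 00 a8 e0 76 f7 a1 40 1e 00"
    "00 31 ef 00 70 5f c7 01 76 65 72 2d 49 58 38 36"
    "2d 31 2e 6d 70 71 00 41 3d 31 30 38 35 31 35 33"
    "35 39 37 20 43 3d 33 37 32 32 36 39 36 34 39 34"
    "20 42 3d 31 32 38 31 37 36 33 36 36 30 20 34 20"
    "41 3d 41 2d 53 20 42 3d 42 5e 43 20 43 3d 43 5e"
    "41 20 41 3d 41 2b 42 00"
)

MASK32 = 0xFFFFFFFF

OPERATORS = {
    "+": lambda a, b: a + b,
    "-": lambda a, b: a - b,
    "^": lambda a, b: a ^ b,
    "*": lambda a, b: a * b,
    "|": lambda a, b: a | b,
}


def parse_auth_info(packet):
    """Pull the four entries the page cares about out of a SID_AUTH_INFO (0x50) packet."""
    if packet[0] != 0xFF or packet[1] != 0x50:
        raise ValueError("not a SID_AUTH_INFO packet")
    size, = struct.unpack_from("<H", packet, 2)           # the size word counts the header too
    if size != len(packet):
        raise ValueError("size word %d does not match %d bytes on the wire" % (size, len(packet)))
    # Offsets 4 and 12 hold two dwords the page does not use (logon type and UDP value
    # according to bnetdocs; assumption). The server token sits between them.
    _logon_type, server_token, _udp_value = struct.unpack_from("<III", packet, 4)
    filetime = packet[16:24]                              # 8-byte MPQ filetime, kept raw
    mpq_name, _, rest = packet[24:].partition(b"\x00")    # two NUL-terminated strings follow
    value_string, _, _ = rest.partition(b"\x00")
    mpq_name = mpq_name.decode("ascii")
    m = re.fullmatch(r"ver-IX86-(\d)\.mpq", mpq_name)
    if m is None:
        raise ValueError("unexpected MPQ name %r" % mpq_name)
    return {
        "server_token": server_token,
        "filetime": filetime,
        "mpq_name": mpq_name,
        "mpq_number": int(m.group(1)),
        "value_string": value_string.decode("ascii"),
    }


def parse_value_string(value_string):
    """Split 'A=... C=... B=... 4 A=A-S B=B^C C=C^A A=A+B' into seeds and operations."""
    tokens = value_string.split()
    seeds = {}
    i = 0
    while "=" in tokens[i] and tokens[i].split("=", 1)[1].isdigit():
        name, value = tokens[i].split("=", 1)
        seeds[name] = int(value) & MASK32
        i += 1
    count = int(tokens[i])                                # number of operations that follow
    ops = []
    for token in tokens[i + 1:i + 1 + count]:
        dest, expr = token.split("=", 1)                  # e.g. "A=A-S" -> dest "A", expr "A-S"
        if len(expr) != 3 or expr[1] not in OPERATORS:
            raise ValueError("unsupported operation %r" % token)
        ops.append((dest, expr[0], expr[1], expr[2]))     # (destination, left, operator, right)
    if len(ops) != count:
        raise ValueError("value string announces %d operations, found %d" % (count, len(ops)))
    return seeds, ops


def run_formula(seeds, ops, dwords):
    """Apply the operation list once per input dword S, with 32-bit wraparound."""
    regs = dict(seeds)
    for s in dwords:
        regs["S"] = s & MASK32
        for dest, left, op, right in ops:
            regs[dest] = OPERATORS[op](regs[left], regs[right]) & MASK32
    regs.pop("S", None)
    return regs


if __name__ == "__main__":
    info = parse_auth_info(AUTH_INFO_PACKET)
    print("server token 0x%08x, %s, filetime %s" % (info["server_token"], info["mpq_name"], info["filetime"].hex()))
    seeds, ops = parse_value_string(info["value_string"])
    # Constructed dwords stand in for the real file contents, which the page does not include.
    print(run_formula(seeds, ops, [0x12345678, 0x9ABCDEF0]))
```

Two things worth checking in practice: the size word must agree with what actually arrived (a short read hands you a truncated value string), and every register update has to be masked to 32 bits, since the client does this in unsigned 32-bit arithmetic and an unmasked Python integer drifts away from the expected checksum after the first subtraction.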

  6. Client opens connection #2 to the Battle.net server on port 6112

  7. [#2 Client -> server]

    02

    This initialises a BNFTP file download conversation

  8. [#2 Client -> server]

    http://www.bnetdocs.org/?op=doc&did=5

    2f 00 00 01 36 38 58 49 56 44 32 44 00 00 00 00  /...68XI VD2D....
    00 00 00 00 00 00 00 00 00 31 ef 00 70 5f c7 01  ........ .1..p_..
    76 65 72 2d 49 58 38 36 2d 31 2e 6d 70 71 00     ver-IX86 -1.mpq.

    The first word contains 2f 00, which is 0x2f, decimal 47: the packet is 47 bytes in length. The protocol version is 1 apparently; there's a protocol version 2 but the D2 client doesn't use it here. The randomly generated 00 31 ef 00 70 5f c7 01 part is read in step 5, it is the MPQ filetime.

    In this step the client requests the MPQ file for download.

  9. [#2 Server -> client]

    27 00 00 00 fa 1a 00 00 00 00 00 00 00 00 00 00  '....... ........
    00 31 ef 00 70 5f c7 01 76 65 72 2d 49 58 38 36  .1..p_.. ver-IX86
    2d 31 2e 6d 70 71 00                             -1.mpq.

    It's just the response to our request and doesn't contain any relevant data yet.

  10. [#2 Server -> client]

    4d 50 51 1a 20 00 00 00 fa 1a 00 00 00 00 03 00  MPQ. ... ........
    9a 1a 00 00 da 1a 00 00 04 00 00 00 02 00 00 00  ........ ........
    1a aa 45 b6 58 5a 1f ab dd bf ed b7 45 21 3c bb  ..E.XZ.. ....E!<.
    [... snip ...]

Now the actual MPQ data is sent to the client.

  11. Connection #2 is closed.

  12. [#1 Client -> server]

    ff 25 08 00 e1 26 9f 8b  .%...&..

http://www.bnetdocs.org/?op=packet&pid=268 SID_PING

It's just the same packet the server sent to the Diablo II client in step 4.

  13. [#1 Client -> server]

    ff 51 88 00 ae 75 19 49 01 00 00 01 e0 35 64 5c  .Q...u.I .....5d\
    02 00 00 00 00 00 00 00 10 00 00 00 06 00 00 00  ........ ........
    6d 1f a8 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ??  m....... ........
    ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 10 00 00 00  ........ ........
    0a 00 00 00 d1 8c 60 00 00 00 00 00 ?? ?? ?? ??  ........ ........
    ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??  ........ ........
    47 61 6d 65 2e 65 78 65 20 30 38 2f 30 33 2f 30  Game.exe 08/03/0
    38 20 32 33 3a 30 33 3a 33 34 20 36 31 34 34 30  8 23:03: 34 61440
    00 30 33 2e 6d 70 71 00                          .03.mpq.

[?? = blanked some parts out because they contained key hashes and stuff]

http://www.bnetdocs.org/?op=packet&pid=408 SID_AUTH_CHECK

This is a challenging packet to send.

This shows which parts of the packet are static (hex) and which are dynamic (??):

    ff 51 88 00                                                  [lol what (packet header)]
    ?? ?? ?? ??                                                  [token]
    01 00 00 01                                                  [exe version]
    ?? ?? ?? ??                                                  [exe hash]
    02 00 00 00                                                  [2 keys]
    00 00 00 00                                                  [spawn]
    10 00 00 00                                                  [key len]
    06 00 00 00                                                  [prodval]
    6d 1f a8 00                                                  [pubval]
    00 00 00 00                                                  [null]
    ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??  [key hash, 20 bytes]
    10 00 00 00                                                  [key len]
    0a 00 00 00                                                  [prodval]
    d1 8c 60 00                                                  [pubval]
    00 00 00 00                                                  [unknown]
    ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??  [hashed cd key data, 20 bytes]
    47 61 6d 65 2e 65 78 65 20 30 35 2f 32 38 2f 30 38 20 30 31  [Game.exe data, doesn't really matter
    3a 34 34 3a 30 32 20 36 31 34 34 30 00                        as it depends on the modification date of the file]
    30 33 2e 6d 70 71 00                                         [owner name]

The 'client token' is simply the current time(0) and it's reused later or something like that. The first key is the Diablo II key, the second key is the Diablo II Lord of Destruction key. The owner name string can obviously be chosen freely.

The EXE hash is generated from the formula, the MPQ file and the three Diablo II files Game.exe, Bnclient.dll, D2Client.dll. The first CD key hash is generated from the classic key, the client token and the server token. The second CD key hash is generated from the LoD key, the client token and the server token.

I have a working implementation of this now.

  14. [#1 Server -> Client]

    ff 51 09 00 00 00 00 00 00  .Q...... .

http://www.bnetdocs.org/?op=packet&pid=106 SID_AUTH_CHECK

The second DWORD, 00 00 00 00, informs you about the result of your SID_AUTH_CHECK packet. 00 00 00 00 means that we successfully passed the challenge - CD keys are good and not in use, hooray!

  15. [#1 Client -> Server]

    ff 33 1e 00 04 00 00 80 00 00 00 00 62 6e 73 65  .3...... ....bnse
    72 76 65 72 2d 44 32 44 56 2e 69 6e 69 00        rver-D2D V.ini.

http://www.bnetdocs.org/?op=packet&pid=382 SID_GETFILETIME

No clue what the fuck this is good for but it's static so whatever, copy paste job

04 00 00 80 for bnserver-D2DV.ini

  16. [#1 Server -> Client]

    ff 33 26 00 04 00 00 80 00 00 00 00 00 e5 ef e6  .3&..... ........
    6b e8 c0 01 62 6e 73 65 72 76 65 72 2d 44 32 44  k...bnse rver-D2D
    56 2e 69 6e 69 00                                V.ini.

http://www.bnetdocs.org/?op=packet&pid=195 SID_GETFILETIME

Returns the latest filetime quadword, uninteresting.

Alright, at this point we're on the Diablo II Lord of Destruction closed Battle.net login screen where you can enter your account name and password. If you don't do anything else you receive special ping packets from the Battle.net server on a regular basis. This is what they look like:

Server sends ff 00 04 00, client sends back ff 00 04 00 immediately.

http://www.bnetdocs.org/?op=packet&pid=174 SID_NULL
http://www.bnetdocs.org/?op=packet&pid=370 SID_NULL

These packets are sent every 15-80 seconds or so, it appears to be rather random.

Let's move on to the login sequence:

  17. [#1 Client -> Server]

    ff 3a 2a 00 f6 3a e1 01 c7 87 0b 2f ?? ?? ?? ??  .:*..:.. .../!...
    ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??  ...?Tdwi 6G...g..
    ?? ?? ?? ?? ?? ?? ?? ?? ?? ??                    (account name)

[?? = blanked out account name and password hash]

http://www.bnetdocs.org/?op=packet&pid=225 SID_LOGONRESPONSE2

We don't know how the client token (here: f6 3a e1 01) is generated yet, but you can probably use a random number. I think it's GetTickCount. c7 87 0b 2f is the good old server token we already got in step 5. It was a8 e0 76 f7 there, but I captured new packets for the logon sequence - sorry guys! I'm a lazy fuck! If I had logged on back then it would have used a8 e0 76 f7 and not c7 87 0b 2f, of course. But be sure to understand that the server token always remains the same in the course of the conversation with the Battle.net server - I just made several recordings over several days while I was writing this.

The password hash is a double hashed thing, calculated from the client token, the server token and the password itself. Can't be arsed to post details, requires code.

  18. [#1 Server -> Client]

    ff 3a 08 00 00 00 00 00

http://www.bnetdocs.org/?op=packet&pid=377 SID_LOGONRESPONSE2

00 00 00 00 means we successfully logged into our account.

  19. [#1 Client -> Server]

    ff 40 04 00

http://www.bnetdocs.org/?op=packet&pid=322 SID_QUERYREALMS2

Queries the realms on this server. Europe has only one realm. Only Asia has several.

  20. [#1 Server -> Client]

    ff 40 28 00 00 00 00 00 01 00 00 00 01 00 00 00  .@(..... ........
    45 75 72 6f 70 65 00 52 65 61 6c 6d 20 66 6f 72  Europe.R ealm for
    20 45 75 72 6f 70 65 00                           Europe.

http://www.bnetdocs.org/?op=packet&pid=277 SID_QUERYREALMS2

  21. [#1 Client -> Server]

    ff 3e 23 00 01 00 00 00 5b 8b df 66 ee 4f 05 38  .>#..... [..f.O.8
    9c 4b a0 18 27 54 f1 3b 7b c8 b5 32 45 75 72 6f  .K..'T.; {..2Euro
    70 65 00                                         pe.

http://www.bnetdocs.org/?op=packet&pid=144 SID_LOGONREALMEX

Log onto the realm you want. Uses the same hash algorithm as step 17, with the password "password" and a new client token, AGAIN. This is the THIRD client token generated by the Diablo II client during the logon sequence. It appears to be 01 00 00 00? This is apparently the only client token that is fixed.

  22. [#1 Server -> Client]

    ff 3e 58 00 01 00 00 00 82 8c 19 87 d5 f8 6a c8  .>X..... ......j.
    86 e7 15 00 d5 f8 6a d0 17 e0 00 00 00 00 00 00  ......j. ........
    6d 1f a8 06 8a 55 37 84 50 58 32 44 36 38 58 49  m....U7. PX2D68XI
    d5 f8 6a c8 09 04 00 00 ee da 08 be 44 ed a6 5c  ..j..... ....D..\
    e4 bd 72 28 3b 4d c1 97 98 6a 4a 91 6b           ..r(;M.. .jJ.k
    [account name blanked] 00 00 00 ...

[blanked out account name, "Battle.net unique name" is the account name]

http://www.bnetdocs.org/?op=packet&pid=237 SID_LOGONREALMEX

Gives you the necessary MCP server data: realm server IP and port. IP: d5 f8 6a d0, that's 213.248.106.208, in network byte order (Big Endian). Port: 17 e0 00 00, that's port 6112; it's actually a Big Endian word padded with zeroes, as you can see:

  (WORD) port (Big Endian)
  (WORD) 00 00

The Bnetdocs are a bit wrong on this one I think.

    02:18:16 <~Cthulhon> Yeah.
    02:18:26 <~Cthulhon> Well known flaw.

We now connect to the realm server specified in this packet to retrieve the character list:

  23. Open a new connection #3 to the IP on the port we extracted in step 22.

Attention: The MCP server (that's the realm server) format is different:

[word: packet size] [command byte] [arguments ...]
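The two framings described on this page (BNCS: ff, command byte, little-endian size word counting the whole packet; MCP: little-endian size word, command byte) are what a bot has to get right before anything else, because a TCP read can hand you several packets at once or half of one. As an added example (my code, not binrapt's and not from any project the page mentions), here is a splitter for each format plus the keepalive rule from the login-screen section, where SID_PING and SID_NULL are answered by echoing the identical packet; the sample stream is constructed from packets dumped on this page.

```python
import struct

SID_NULL = 0x00   # idle keepalive, ff 00 04 00
SID_PING = 0x25   # ff 25 08 00 + random dword


def split_bncs(buf):
    """Cut a BNCS byte stream into (command, payload) packets.

    Returns the complete packets and whatever trailing bytes are still incomplete,
    so the caller can prepend them to the next recv().
    """
    packets = []
    pos = 0
    while len(buf) - pos >= 4:
        if buf[pos] != 0xFF:
            raise ValueError("lost sync: expected ff at offset %d, got %02x" % (pos, buf[pos]))
        cmd = buf[pos + 1]
        size, = struct.unpack_from("<H", buf, pos + 2)   # includes ff, cmd and the word itself
        if size < 4:
            raise ValueError("size word %d smaller than the header" % size)
        if len(buf) - pos < size:
            break                                         # packet not fully received yet
        packets.append((cmd, bytes(buf[pos + 4:pos + size])))
        pos += size
    return packets, bytes(buf[pos:])


def split_mcp(buf):
    """Same thing for the realm (MCP) server: size word first, then the command byte."""
    packets = []
    pos = 0
    while len(buf) - pos >= 3:
        size, = struct.unpack_from("<H", buf, pos)
        if size < 3:
            raise ValueError("size word %d smaller than the header" % size)
        if len(buf) - pos < size:
            break
        packets.append((buf[pos + 2], bytes(buf[pos + 3:pos + size])))
        pos += size
    return packets, bytes(buf[pos:])


def build_bncs(cmd, payload=b""):
    """ff, command byte, little-endian total size, arguments."""
    return struct.pack("<BBH", 0xFF, cmd, 4 + len(payload)) + payload


def build_mcp(cmd, payload=b""):
    """Little-endian total size, command byte, arguments."""
    return struct.pack("<HB", 3 + len(payload), cmd) + payload


def keepalive_reply(cmd, payload):
    """SID_PING and SID_NULL are answered by sending the identical packet back; anything else is None."""
    if cmd in (SID_PING, SID_NULL):
        return build_bncs(cmd, payload)
    return None


if __name__ == "__main__":
    # Constructed stream: the SID_PING from step 4, an idle SID_NULL, and the first three bytes
    # of a SID_GETFILETIME reply that has not arrived in full yet.
    stream = bytes.fromhex("ff 25 08 00 e1 26 9f 8b" "ff 00 04 00" "ff 33 26")
    packets, tail = split_bncs(stream)
    for cmd, payload in packets:
        print("cmd 0x%02x payload %s -> reply %s" % (cmd, payload.hex(), keepalive_reply(cmd, payload)))
    print("incomplete tail:", tail.hex())
    print("MCP:", split_mcp(bytes.fromhex("07 00 01 00 00 00 00" "03 00 12")))
```

The size checks matter on both sides: a size word below the header length would otherwise make the loop spin in place, and treating an incomplete packet as complete is how a reader silently desynchronises from the stream.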

  24. [#3 Client -> Server]

    01

Initialise conversation

  25. [#3 Client -> Server]

    4d 00 01 01 00 00 00 82 8c 19 87 d5 f8 6a c8 86  M....... .....j..
    e7 15 00 00 00 00 00 6d 1f a8 06 8a 55 37 84 50  .......m ....U7.P
    58 32 44 36 38 58 49 d5 f8 6a c8 09 04 00 00 ee  X2D68XI. .j......
    da 08 be 44 ed a6 5c e4 bd 72 28 3b 4d c1 97 98  ...D...\ .r(;M...
    [account name removed]

http://www.bnetdocs.org/?op=packet&pid=320 MCP_STARTUP

Most of this packet comes from step 22, apparently.

Comparison:

    ff 3e 58 00 01 00 00 00 82 8c 19 87 d5 f8 6a c8 86 e7 15 00 d5 f8 6a d0 [...]
       4d 00 01 01 00 00 00 82 8c 19 87 d5 f8 6a c8 86 e7 15 00 00 00 00 00 [...]
                [---------------------------------------------]

As you can see, the first part is identical (4 dwords).

    6d 1f a8 06 8a 55 37 84 50 58 32 44 36 38 58 49 d5 f8 6a c8 09 04 00 00 ee da 08 be 44 ed a6 5c e4 bd 72 28 3b 4d c1 97 98 6a 4a 91 6b
    6d 1f a8 06 8a 55 37 84 50 58 32 44 36 38 58 49 d5 f8 6a c8 09 04 00 00 ee da 08 be 44 ed a6 5c e4 bd 72 28 3b 4d c1 97 98

Shit, even more. It's a bit inaccurate because I sloppily removed my account name, but you'll figure it out. Only the IP/port thing interrupts it really; otherwise it's the same shit all over again.
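The byte-order mix in step 22 (little-endian size words everywhere, but the realm IP in network order and the port as a big-endian word padded to a dword) and the copy-through into MCP_STARTUP shown in the comparison above are easy to get subtly wrong, so here is an added example (my code, not binrapt's) that decodes the SID_LOGONREALMEX reply and rebuilds the MCP_STARTUP packet from it. The bytes are the page's, except that the blanked unique name is replaced by a made-up 9-character placeholder; with that name the rebuilt packet reproduces the dumped MCP_STARTUP up to the point where the page cut the account name.

```python
import struct

# Constructed from the SID_LOGONREALMEX reply in step 22. The unique name at the end was
# blanked on the page, so a made-up name is used; everything else is the page's bytes.
UNIQUE_NAME = b"botname01"           # placeholder, 9 characters + NUL like the blanked original
LOGONREALMEX_BODY = bytes.fromhex(
    "01 00 00 00 82 8c 19 87 d5 f8 6a c8 86 e7 15 00"   # 16 bytes reused by MCP_STARTUP
    "d5 f8 6a d0 17 e0 00 00"                           # realm IP, then port as BE word + 00 00
    "00 00 00 00 6d 1f a8 06 8a 55 37 84 50 58 32 44"   # 48 bytes also reused by MCP_STARTUP
    "36 38 58 49 d5 f8 6a c8 09 04 00 00 ee da 08 be"
    "44 ed a6 5c e4 bd 72 28 3b 4d c1 97 98 6a 4a 91"
) + UNIQUE_NAME + b"\x00"
LOGONREALMEX_PACKET = struct.pack("<BBH", 0xFF, 0x3E, 4 + len(LOGONREALMEX_BODY)) + LOGONREALMEX_BODY

# The start of the MCP_STARTUP packet dumped in step 25, up to where the account name was cut.
MCP_STARTUP_PREFIX = bytes.fromhex(
    "4d 00 01 01 00 00 00 82 8c 19 87 d5 f8 6a c8 86 e7 15 00 00 00 00 00"
    "6d 1f a8 06 8a 55 37 84 50 58 32 44 36 38 58 49 d5 f8 6a c8 09 04 00 00"
    "ee da 08 be 44 ed a6 5c e4 bd 72 28 3b 4d c1 97 98"
)


def parse_logonrealmex(packet):
    """Realm address plus the two byte blocks that get copied into MCP_STARTUP."""
    if packet[:2] != b"\xff\x3e":
        raise ValueError("not a SID_LOGONREALMEX packet")
    size, = struct.unpack_from("<H", packet, 2)           # little-endian, like every BNCS size word
    body = packet[4:size]
    if len(body) < 73:
        raise ValueError("truncated SID_LOGONREALMEX body (%d bytes)" % len(body))
    ip = ".".join(str(b) for b in body[16:20])             # network byte order: the bytes are the octets
    port, = struct.unpack_from(">H", body, 20)            # big-endian word, followed by two zero bytes
    name = body[72:].split(b"\x00", 1)[0]
    return {
        "realm_ip": ip,
        "realm_port": port,
        "first": body[0:16],      # the 4 identical dwords from the first comparison
        "second": body[24:72],    # the 48 bytes from the second comparison
        "name": name,
    }


def build_mcp_startup(fields):
    """MCP_STARTUP (0x01) = the two reused blocks from SID_LOGONREALMEX plus the unique name."""
    payload = fields["first"] + fields["second"] + fields["name"] + b"\x00"
    return struct.pack("<HB", 3 + len(payload), 0x01) + payload


if __name__ == "__main__":
    fields = parse_logonrealmex(LOGONREALMEX_PACKET)
    print("connect to %s:%d" % (fields["realm_ip"], fields["realm_port"]))
    startup = build_mcp_startup(fields)
    print(startup.hex(" "))
    print("matches dumped prefix:", startup.startswith(MCP_STARTUP_PREFIX))
```

Reading the port with `"<H"` instead of `">H"` gives 57367 rather than 6112, which is the mistake the author is pointing at when saying the Bnetdocs description is a bit off.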

  26. [#3 Server -> Client]

    07 00 01 00 00 00 00

http://www.bnetdocs.org/?op=packet&pid=337 MCP_CHARLOGON

Success! \o/

  27. [#3 Client -> Server]

    07 00 19 08 00 00 00

http://www.bnetdocs.org/?op=packet&pid=261 MCP_CHARLIST2

List 8 characters...well duh. The maximum is 8 per account for Diablo II.

  28. [#3 Server -> Client]

    41 00 19 08 00 01 00 00 00 01 00 [...]

[blanked out characters]

http://www.bnetdocs.org/?op=packet&pid=189 MCP_CHARLIST2

This gives you the list and stats of all characters on your account. The stats string tells you the level of the character, the item graphics, etc.

stats[25] is the level byte I think.

Stats strings of a level 80 sorceress, a dead level 82 barb and a living level 83 barb:

    84 80 3d 01 01 01 01 35 ff 51 02 02 ff 02 e7 44 44 44 44 ff ff ff 44 44 ff 50 e4 9e ff ff 05 ff ff
    84 80 59 02 02 03 01 ff ff 4f 03 03 ff 05 ad ff ff ff ff ff ff ff ff ff ff 52 ec 9e ff ff 05 ff ff
    84 80 5a 03 01 01 01 1d 1d ff 03 03 ff 05 ff ff ff ff ff 30 30 ff ff ff ff 53 e4 9e ff ff 05 ff ff

FlamingCows shared this with me. Update: some of these values are definitely at wrong offsets, not sure how up to date this was.

D2DV/D2XP (Diablo II) Statstrings

    Client (VD2D/PX2D)
    Realm
    Comma (",")
    Character Name
    Comma (",")
    Char Data (all byte values, positions counted from 1):
        01 Head Armor
        02 Chest Armor
        03 Leg Armor
        04 Right Arm Armor
        05 Left Arm Armor
        06 Right Hand Weapon
        07 Left Hand Weapon
        08 Left Hand Shield
        09 Right Shoulder Pad
        10 Left Shoulder Pad
        11 Blank
        12 Class
        13 Head Color
        14 Chest Color
        15 Leg Color
        16 Right Arm Color
        17 Left Arm Color
        18 Right Hand Weapon Color
        19 Left Hand Weapon Color
        20 Left Hand Shield Color
        21 Right Shoulder Color
        22 Left Shoulder Color
        23 Blank
        24 Level
        25 Character Flags
            0x04 Hardcore
            0x08 Dead
            0x20 Expansion
        26 Act Flags
            Normal:
                0x80 Act 1 Normal
                0x82 Act 2 Normal
                0x84 Act 3 Normal
                0x86 Act 4 Normal
                0x88 Act 1 Nightmare
                0x8A Act 2 Nightmare
                0x8C Act 3 Nightmare
                0x8E Act 4 Nightmare
                0x90 Act 1 Hell
                0x92 Act 2 Hell
                0x94 Act 3 Hell
                0x96 Act 4 Hell
                0x98 All Acts
            Expansion:
                0x80 Act 1 Normal
                0x82 Act 2 Normal
                0x84 Act 3 Normal
                0x86 Act 4/5 Normal (odd thing about this is that Act 4 and 5 have the same flag, and the next flag is skipped)
                0x8A Act 1 Nightmare
                0x8C Act 2 Nightmare
                0x8E Act 3 Nightmare
                0x90 Act 4/5 Nightmare
                0x94 Act 1 Hell
                0x96 Act 2 Hell
                0x98 Act 3 Hell
                0x9A Act 4/5 Hell
                0x9E All Acts
        27 Unknown
        28 Unknown
        29 Ladder character (Boolean)
        30 Unknown
        31 Unknown

This is not zero based, haha. Fail. But still complete.
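Since the table's offsets and the author's stats[25] disagree, here is an added example (my code, not binrapt's or FlamingCows') that decodes the three sample strings above using the author's observed index 25 for the level, which the samples confirm (0x50, 0x52, 0x53 = 80, 82, 83). The two bytes after it are assumed to be the character flags and the act flags from the table; that assumption checks out against the samples too, because the dead level 82 barbarian is the only one whose flags byte (0xec) has 0x08 set, and all three carry 0x9e, the expansion "All Acts" value.

```python
# The three "Char Data" byte strings quoted above (constructed here from the page's hex).
STATSTRINGS = {
    "sorceress_80": bytes.fromhex(
        "84 80 3d 01 01 01 01 35 ff 51 02 02 ff 02 e7 44 44 44 44 ff ff ff 44 44 ff 50 e4 9e ff ff 05 ff ff"),
    "barb_82_dead": bytes.fromhex(
        "84 80 59 02 02 03 01 ff ff 4f 03 03 ff 05 ad ff ff ff ff ff ff ff ff ff ff 52 ec 9e ff ff 05 ff ff"),
    "barb_83": bytes.fromhex(
        "84 80 5a 03 01 01 01 1d 1d ff 03 03 ff 05 ff ff ff ff ff 30 30 ff ff ff ff 53 e4 9e ff ff 05 ff ff"),
}

LEVEL_INDEX = 25   # the author's stats[25]; 0x50/0x52/0x53 = 80/82/83 in the samples
FLAGS_INDEX = 26   # assumption: the character flags byte directly follows the level byte
ACT_INDEX = 27     # assumption: the act flags byte follows the character flags

FLAG_HARDCORE, FLAG_DEAD, FLAG_EXPANSION = 0x04, 0x08, 0x20   # bit values from the table

EXPANSION_ACTS = {
    0x80: "Act 1 Normal", 0x82: "Act 2 Normal", 0x84: "Act 3 Normal", 0x86: "Act 4/5 Normal",
    0x8A: "Act 1 Nightmare", 0x8C: "Act 2 Nightmare", 0x8E: "Act 3 Nightmare", 0x90: "Act 4/5 Nightmare",
    0x94: "Act 1 Hell", 0x96: "Act 2 Hell", 0x98: "Act 3 Hell", 0x9A: "Act 4/5 Hell",
    0x9E: "All Acts",
}


def parse_statstring(stats):
    """Decode level, character flags and act progress from a Char Data byte string."""
    if len(stats) <= ACT_INDEX:
        raise ValueError("statstring too short: %d bytes" % len(stats))
    flags = stats[FLAGS_INDEX]
    return {
        "level": stats[LEVEL_INDEX],
        "hardcore": bool(flags & FLAG_HARDCORE),
        "dead": bool(flags & FLAG_DEAD),
        "expansion": bool(flags & FLAG_EXPANSION),
        "raw_flags": "0x%02x" % flags,
        "act": EXPANSION_ACTS.get(stats[ACT_INDEX], "unknown 0x%02x" % stats[ACT_INDEX]),
    }


if __name__ == "__main__":
    for name, stats in STATSTRINGS.items():
        print(name, parse_statstring(stats))
```

Only the expansion act table is applied here, because the 0x20 bit is set in all three samples; a classic (D2DV) character would need the "Normal" table from the list above instead.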

Ok now things get STRANGE. Most of the relevant things you do from now on are sent to BOTH THE REALM SERVER AND THE CHAT SERVER.

  29. [#1 Client -> Server]

    ff 0b 08 00 50 58 32 44  ....PX2D

http://www.bnetdocs.org/?op=packet&pid=374 SID_GETCHANNELLIST

Download the channel list

  30. [#1 Client -> Server]

    ff 0a 2b 00 [character name blanked]             ..+.
    00 45 75 72 6f 70 65 2c [character name blanked]  .Europe,
    00                                               .

[removed account data]

http://www.bnetdocs.org/?op=packet&pid=145 SID_ENTERCHAT

    (STRING) character name
    (STRING) realm,character name

Enters the chat server, but doesn't actually "ENTER CHAT" yet, as the button would.

  31. [#1 Server -> Client]

    ff 0b 47 02 42 6c 69 7a 7a 61 72 64 20 54 65 63  ..G.Bliz zard Tec
    [snip]

http://www.bnetdocs.org/?op=packet&pid=363 SID_GETCHANNELLIST

Full channel list - who gives a flying FUCK.

  32. [#1 Server -> Client]

    ff 0a [snip, removed all account data]

http://www.bnetdocs.org/?op=packet&pid=186 SID_ENTERCHAT

Joins the chat.

  33. [#1 Client -> Server]

    ff 46 08 00 00 00 00 00  .F......

http://www.bnetdocs.org/?op=packet&pid=247 SID_NEWS_INFO

Requests the news spam.

  34. [#1 Client -> Server]

    ff 15 14 00 36 38 58 49 50 58 32 44 00 00 00 00  ....68XI PX2D....
    b7 af 98 48                                      ...H

http://www.bnetdocs.org/?op=packet&pid=250 SID_CHECKAD

GREAT. FUCKING ADVERTISING CODE, LIKE FUCK OFF.

  35. [#1 Server -> Client]

    ff 46 d5 01 01 65 17 97 48 00 d0 1d 3f 40 dd 4e
    [snip]

http://www.bnetdocs.org/?op=packet&pid=101 SID_NEWS_INFO

News spam - BORING.

  36. [#1 Server -> Client]

    ff 15 8a 00 83 0c 00 00 2e 73 6d 6b 00 2f 16 50  ........ .smk./.P
    [snip]

http://www.bnetdocs.org/?op=packet&pid=272 SID_CHECKAD

BNet Ad Spam - like, FUCK OFF.

  37. [#1 Client -> Server]

    ff 21 12 00 36 38 58 49 50 58 32 44 83 0c 00 00  .!..68XI PX2D....
    00 00                                            ..

http://www.bnetdocs.org/?op=packet&pid=143 SID_DISPLAYAD

Great, this tells Blizzard, that a user is seeing their fucking ad. Hooray.

Simultaneously the following stuff happens on the realm server connection somehow, not entirely sure about the timing:

  38. [#3 Client -> Server]

    13 00 07 [character name blanked]

[Removed character name]

http://www.bnetdocs.org/?op=packet&pid=154 MCP_CHARLOGON

Simply add the name of your character, this will log you onto the realm server with your character.

  39. [#3 Server -> Client]

    07 00 07 00 00 00 00

http://www.bnetdocs.org/?op=packet&pid=337 MCP_CHARLOGON

Realm server reports: Success!

  40. [#3 Client -> Server]

    03 00 12

http://www.bnetdocs.org/?op=packet&pid=172 MCP_MOTD

Request MOTD from server.

  41. [#3 Server -> Client]

    ea 00 12 00 50 6c 65 61 73 65 20 6e 6f 74 65 3a  ....Plea se note:
    [snip]

http://www.bnetdocs.org/?op=packet&pid=325 MCP_MOTD

Message of the day - uninteresting.

Ok, guys, this is it! Now we're fully logged in and ready to create a game. This, too, happens on both the chat server and the realm server simultaneously. Let's start with the realm server this time:

  42. [#3 Client -> Server]

    1f 00 03 02 00 00 20 00 00 01 ff 08 47 61 6d 65  ...... . ....Game
    6e 61 6d 65 00 50 61 73 73 77 6f 72 64 00 00     name.Pas sword..

http://www.bnetdocs.org/?op=packet&pid=177 MCP_CREATEGAME

Game name: Gamename, password: Password.

Apparently the first bytes get capitalised - I did not capitalise them myself

  43. [#3 Server -> Client]

    0d 00 03 02 00 7e 00 00 00 00 00 00 00

http://www.bnetdocs.org/?op=packet&pid=351 MCP_CREATEGAME

Game created successfully.

  44. [#3 Client -> Server]

    17 00 04 03 00 47 61 6d 65 6e 61 6d 65 00 50 61  .....Gam ename.Pa
    73 73 77 6f 72 64 00                             ssword.

http://www.bnetdocs.org/?op=packet&pid=224 MCP_JOINGAME

Request ID is 0x0003 - why?! Does this make any difference at all? No clue. Joins Gamename with password Password.

  45. [#3 Server -> Client]

    15 00 04 03 00 7e 00 00 00 d5 f8 6a 2a 56 c7 52  .....~.. ...j*V.R
    27 00 00 00 00                                   '....

http://www.bnetdocs.org/?op=packet&pid=107 MCP_JOINGAME

Game token: 7e 00 - wtf is this good for?

Game server IP: d5 f8 6a 2a - this is the IP of the server we will connect to! 213.248.106.42

Game hash: 56 c7 52 27 - I suppose this is something that will be sent to the game server so it can match us or something...

    04:06:27 Do you send it after connecting to the D2GS or so?
    04:06:28 <+McGod> You send that to the D2GS when you first connect
    04:06:30 I see
    04:06:53 <+McGod> With: http://www.bnetdocs.org/?op=packet&pid=131

In the meantime the same shit happens on the chat server:

  46. [#1 Client -> Server]

    ff 1c 2b 00 01 00 00 00 00 00 00 00 00 00 00 00  ..+..... ........
    00 00 00 00 00 00 00 00 47 61 6d 65 6e 61 6d 65  ........ Gamename
    00 50 61 73 73 77 6f 72 64 00 00                 .Passwor d..

http://www.bnetdocs.org/?op=packet&pid=265 SID_STARTADVEX3

State: 01 00 00 00, game is private (since it is passworded - WHICH IS WHAT WE WANT FOR BOTTING). Lots of 00s after that, then just Gamename and Password, capitalised - again...

  47. [#1 Client -> Server]

    ff 22 1e 00 50 58 32 44 0c 00 00 00 47 61 6d 65  ."..PX2D ....Game
    6e 61 6d 65 00 50 61 73 73 77 6f 72 64 00        name.Pas sword.

http://www.bnetdocs.org/?op=packet&pid=194 SID_NOTIFYJOIN

Product ID and product version should be static, Gamename and Password again.

  48. [#1 Client -> Server]

    ff 10 04 00  ....

http://www.bnetdocs.org/?op=packet&pid=339 SID_LEAVECHAT

Leave the chat.

Time to connect to the D2 game server... Watch out, the D2GS packets are compressed with some Huffman algorithm. They have a more complex format that can only be described properly in code. Multiple actual packets are frequently contained in ONE encrypted package which is EXTREMELY annoying to figure out on your own. The RedVex core code by FooSoft explains this really well, I pretty much ripped off all of it.

  49. Open connection #4 to the D2 game server specified in step 45, the game port is 4000

  50. [#4 Server -> Client]

    af 01

http://www.bnetdocs.org/?op=packet&pid=245 D2GS_STARTLOGON

Conversation starter.

Congratulations! You are in the game now! Go kill some stuff!