So I've been analyzing D3 receive packet handling (the handler which inserts into the queue and the handler which processes the queue). Anyways, I got a lot of stuff documented and I'm starting to understand everything, but I'm still having one problem. Here is a packet from IDA in memory:
D3 code from IDA w/ offsets removed
Code:
mov ecx, [ebp+PacketBuffer]
mov ebx, eax
mov eax, [ebp+PacketLength]
Code:
note: the first four bytes are just the serialized length prefix
{ 00, 00, 00, 17, 27, 01, 00, 06, a9, 03, 00, 01, 76, 43, 48, 00, 00, 47, 01, 00, 53, 13, 00 }
Code:
note: this is really pseudo-code
struct D3RPCHEADER {
uint8 service
varint32 method
uint16 requestid
varint64 unknown
varint32 datasize
}
Now, following Google's tutorial on base-128 varint encoding/decoding and the RPC header structure, I keep receiving unexpected results. The RPC header structure I grabbed from somewhere. It has to be incorrect, am I right? Do I need to investigate the structure myself in IDA?
Some info on what I'm doing wrong would be much appreciated. Thanks.