D3 Protobuf Problem/Question

[vbaddicts]

So I've been analyzing d3 recieve packet handling (the handler which inserts into queue and the handler which processes the queue). Anyways, I got a lot of stuff documented and I'm starting to understand everything, but I'm still having one problem. Here is a packet from IDA in memory:

D3 code from IDA /w offsets removed

Code:

mov     ecx, [ebp+PacketBuffer]
mov     ebx, eax
mov     eax, [ebp+PacketLength]

Code:

note: first four bytes is just the serialized length prefix
{ 00, 00, 00, 17, 27, 01, 00, 06, a9, 03, 00, 01, 76, 43, 48, 00, 00, 47, 01, 00, 53, 13, 00 }

Code:

note: this is really psuedo-code
struct D3RPCHEADER {
uint8 service
varint32 method
uint16 requestid
varint64 unknown
varint32 datasize
}

now following googles tutorial on base-128 variant encoding/decoding and the RPC header structure I keep receiving unexpected results. The RPC header structure I grabbed from somewhere. It has to be incorrect, am I right? Do i need to investigate the structure myself in IDA?

Some info on what i'm doing wrong would be much appreciated. Thanks.

[PyGuy]

I don't know how you're reading the protobuffer, but did you remember that each value is preceded by the field number and that the field can be missing if the value is not needed. For example: if they sent a header with service 5, method 21, no requestId, no unknown and a datasize of 512, the encoder would encode the following values:
1 5 2 21 5 512

P.S. I hope you're using a protobuffer implementation to read the data which would handle all that for you. There's really not much point in rolling your own.

[raistlinthewiz]

why re-inventing? mooege got already decoded all the stuff.

[vbaddicts]

I've already solved this issue, no more need for replys. To answer your raist: I don't like to take code from mooege and just copy/paste. I'm writing a hack framework, part of this is a packet tool for analyzing packets and injecting, and copy/paste isn't the best solution. I need to understand how it works, and now that I do I will probably reference mooge in the future. I have my focus on other things right now though. I'm trying to approach things one step at a time and this is a few steps down the line.

[raistlinthewiz]

I didn't told you to copy/paste from mooege but instead it already decrypted the protocol. That's the part you can use it as a reference or guide.