[Help] Reversing Client Packets Structure

Jul 8, 2009
[Help] Find Opcodes Client decompiled

Hello, I don't have enough knowledge of ASM to do this, so I am here to ask if someone with this knowledge would help me do this! I have the client decompiled, but each function is like this:
//----- (005629A0) --------------------------------------------------------
signed __int64 __cdecl sub_5629A0(int a1)
{
  unsigned __int8 v1; // al@1
  int v2; // edi@5
  signed __int64 result; // rax@5

  // First byte read is compared against 80 (0x50) as a version number
  v1 = sub_5624F0(a1);
  if ( (signed int)v1 > 80 )
    sub_55E990(*(_DWORD *)a1, "%s too new: read version %d.%d; expected at most %d.%d", *(_DWORD *)(a1 + 16));
  if ( (signed int)v1 < 80 )
    sub_55E990(*(_DWORD *)a1, "%s too old: read version %d.%d; expected at least %d.%d", *(_DWORD *)(a1 + 16));
  // Second byte is compared with the value returned by sub_562B80(); the
  // result (1 if they differ) is stored at a1 + 12
  v2 = (unsigned __int8)sub_5624F0(a1);
  *(_DWORD *)(a1 + 12) = sub_562B80() != v2;
  // Eight calls to the same helper, each with a different constant
  sub_562B40(a1, 4);
  sub_562B40(a1, 4);
  sub_562B40(a1, 4);
  sub_562B40(a1, 6);
  sub_562B40(a1, 8);
  sub_562B40(a1, 9);
  sub_562B40(a1, 9);
  sub_562B40(a1, 8);
  // Final value read must equal 31415926, otherwise the format is rejected
  result = (signed __int64)sub_562980(a1);
  if ( (_DWORD)result != 31415926 )
    sub_55E990(*(_DWORD *)a1, "unknown number format in %s", *(_DWORD *)(a1 + 16));
  return result;
}

So how will I find, for example, opcode 0x03, etc.?
May 2, 2017
You need to first understand that most clients do not rely on their own code to implement server communication. Clients will use some external library. You need to be able to view the import table and look at what libraries are being imported. Look at what functions are being referenced. There are more than likely library functions for sending and receiving data, like the Winsock library.

Try using a debugger and set breakpoints on all references to these library calls. This should be able to show you data as soon as it is available in the buffer to be sent/received. You will need to understand how to trace in the debugger from that point and go backwards to the point where data is not manipulated. Eventually, you should be able to find the point where data is normal :)

Then, you should be able to trace back to the function that zips/encrypts/manipulates data. You can take a look at the data before that encryption, and then use something to dump that data, which should represent the packet. If the protocol is unknown, then you will need to figure out the protocol, and somewhere in there should be the opcode. Perhaps the opcode is within the first few bytes or towards the end (unlikely).

good luck~
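
An added example, not part of the original posts: once plaintext buffers have been dumped as the reply describes, a short script can test which header bytes behave like a length field and which behave like an opcode. The sample packets, their layout (u16 little-endian length, u8 opcode, payload) and all function names are constructed for illustration and are not taken from any real client.

```python
import struct
from collections import Counter

def _pkt(opcode, payload):
    # Assumed layout for the constructed samples: u16 LE total length, u8 opcode, payload
    return struct.pack("<HB", 3 + len(payload), opcode) + payload

# Constructed plaintext buffers, standing in for data dumped before encryption
SAMPLES = [
    _pkt(0x03, b"alice\x00"), _pkt(0x03, b"bob\x00"),
    _pkt(0x10, struct.pack("<ff", 12.5, 80.0)),
    _pkt(0x10, struct.pack("<ff", 13.0, 81.5)),
    _pkt(0x10, struct.pack("<ff", 14.25, 79.0)),
    _pkt(0x22, b"hello world"), _pkt(0x22, b"gg"), _pkt(0x22, b"A" * 300),
]

FORMATS = (("B", 1), ("<H", 2), (">H", 2), ("<I", 4), (">I", 4))

def find_length_field(packets, window=8):
    """Offsets/encodings whose value equals len(packet) in every sample."""
    hits = []
    for off in range(window):
        for fmt, size in FORMATS:
            if all(len(p) >= off + size and
                   struct.unpack_from(fmt, p, off)[0] == len(p) for p in packets):
                hits.append((off, fmt))
    return hits

def rank_opcode_offsets(packets, skip=(), window=8):
    """Header offsets ordered by how few distinct byte values they take.
    An opcode byte repeats across packets of one type; payload bytes vary."""
    limit = min(window, min(len(p) for p in packets))
    ranked = []
    for off in range(limit):
        if off in skip:
            continue
        distinct = len({p[off] for p in packets})
        if distinct > 1:  # a constant byte carries no type information
            ranked.append((off, distinct))
    return sorted(ranked, key=lambda t: (t[1], t[0]))

def opcode_histogram(packets, off):
    return Counter(p[off] for p in packets)

if __name__ == "__main__":
    (len_off, len_fmt), = find_length_field(SAMPLES)
    skip = range(len_off, len_off + struct.calcsize(len_fmt))
    best = rank_opcode_offsets(SAMPLES, skip)[0][0]
    print("length field:", len_off, len_fmt, "| opcode offset:", best)
    for op, n in sorted(opcode_histogram(SAMPLES, best).items()):
        print(f"  opcode 0x{op:02x}: {n} packets")
```

The ranking is a heuristic: it needs several packets of each type, and at least one packet longer than 255 bytes to tell a one-byte length field from a two-byte one.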