Spoof v0.50 For D2HackIt

Spoof is a general purpose packet hacking tool.
-----------------------------------------------------------------------------------------
Revision History:
  0.31  First public release (OK, not *very* public, but it still counts)
        Blocks, Replies, Triggers active.
  0.41  Adds byte replacement, fixes a crash bug on server blocks
  0.50  Adds delayed replies, sync replies, delay/sync send & receive, fixed multi-reply bug.
-----------------------------------------------------------------------------------------
Note: all commands are case insensitive (but trigger response sequences are not!)
      All packet values are in HEX

Commands:
-----------------------------------------------------------------------------------------
.spoof block <c|s> <packet>
  <c|s>    - block packets from (c)lient, or (s)erver
  <packet> - Packet (in hex), no spaces

Block will block all packets that start with the specified bytes.

example: ".spoof block s 1d" will block all server packets that start with 1d
         ".spoof block c 1805" will block all client packets that begin with 1805
-----------------------------------------------------------------------------------------
.spoof reply <c|s> <packet> <response> {delay}
  <c|s>      - reply to packets from (c)lient or (s)erver
  <packet>   - Packet (in hex) to reply to
  <response> - Response to send when packet is received
  {delay}    - optional - delay time in milliseconds, or 's' for sync replies

Reply will reply to any packet that starts with the specified bytes.

example: ".spoof reply c 181C00 191C00" will send 191C00 to client whenever client sends a packet
         starting with 181C00
-----------------------------------------------------------------------------------------
.spoof trigger <c|s> <packet> [command]
  <c|s>     - trigger on (c)lient or (s)erver packets
  <packet>  - Packet (in hex) to trigger on
  [command] - command to execute with packet received

Trigger waits until the specified packet is received, and then issues the command.

example: ".spoof trigger c 9c bind set 70 70 send a300" will wait for an incoming packet starting with 9c,
         and when it arrives
         executes the "bind set ...." command
-----------------------------------------------------------------------------------------
.spoof list
  lists all active blocks/replies/triggers
-----------------------------------------------------------------------------------------
.spoof clear all - clears everything

.spoof clear <c|s> <b|r|t> <bytes> or "ALL"
  <c|s>   - clear blocks/replies for (c)lient or (s)erver
  <b|r|t> - (b)lock, (r)eply, or (t)rigger
  <bytes> - bytes to match

Clear will remove any block/reply that begins with the specified bytes.

example: ".spoof clear c r 0A" will remove all client replies that begin with 0A
         ".spoof clear s b ALL" will remove all server blocks
----------------------------------------------------------------------------------------
.spoof load {section}
  Loads all from .ini file {section}
  If {section} is omitted, load from "[Default]"
----------------------------------------------------------------------------------------
.spoof save <c|s|all> {section name}
  <c|s|all>      - save (c)lient, (s)erver, or all packets
  {section name} - .ini file section
  If {section name} is omitted, saves to "[Default]"
----------------------------------------------------------------------------------------
.spoof display {text}
  Displays {text} on the screen
----------------------------------------------------------------------------------------
.spoof notify <b|r|t|all>
  (b)locks, (r)eplies, (t)riggers, all
  Turns on/off event notification (i.e. with notify on, each time a given block, reply, or trigger
  is activated, it will display the fact on screen).
---------------------------------------------------------------------------------------
.spoof send [packet] {delay}
  [packet] - packet to send to server
  {delay}  - optional - delay time in milliseconds, or 's' for sync send

Note: unless you are using the {delay} option, it's more efficient to use D2HackIt's own "send" command.
---------------------------------------------------------------------------------------
.spoof receive [packet] {delay}
  [packet] - packet for game to receive
  {delay}  - optional - delay time in milliseconds, or 's' for sync receive

Note: unless you are using the {delay} option, it's more efficient to use D2HackIt's own "receive" command.
-----------------------------------------------------------------------------------
.spoof sync {arm | disarm | pulse}
  ".spoof sync" will display status of synchronization (armed, disarmed)
  arm    - enable "roadblock"
  disarm - disable "roadblock", release any held packets
  pulse  - release all waiting packets, but hold any future packets
------------------------------------------------------------------------------------
Synchronization:

Sync occurs on a SYSTEM-WIDE basis. This means that sync can be used to coordinate between multiple
"-multiclient" windows on the same machine.

The procedure for using sync is as follows:
  1. Arm synchronization: ".spoof sync arm"
  2. Specify packets to be synchronized:
       ".spoof reply s 9c 17[4,4] s"
       ".spoof send 1738000000 s"
       ".spoof receive 7706 s"
  3. Pulse sync: ".sync pulse"

Pulsing sync will release any packet that is currently being held at the "roadblock" point. Any packets
that have not yet reached that point will continue to be held. Disarming sync removes the "roadblock"
entirely - sync packets will proceed just like normal packets.

Sync was added to explore the possibilities of "what happens when two clients perform a certain action at
exactly the same time". Because of the reality of TCP/IP links, it's not actually possible to get these
events to happen at *exactly* the same time - what really happens is that the command packets arrive at
the server right after each other. Depending on what you're trying to do, this may be enough that the
server responds as if the two packets *were* simultaneously received.
Server load is also a factor - certain possibilities work best when the servers are heavily loaded, and
cannot respond quickly to incoming packets, while other possibilities rely on a light server load and a
very fast response. The speed of the network connection to Battle.net is also significant, as a slow
connection may allow the first packet to be processed before the second is completely received by the
server.
---------------------------------------------------------------------------------------
Byte Replacement:

For Replies and Triggers, you may specify that the reply or trigger include part or all of the packet
that caused the reply/trigger to activate.

For example:
  spoof reply c 6a 7706[0,5]0000

Will take 5 bytes, starting at byte 0, and plug them into the response where the [0,5] is located.

[##,##] - The first number is the Byte number, which is ZERO BASED:

  6A D1 FF C7 A8 F3 00 00 00 00
   0  1  2  3  4  5  6  7  8  9

The second number is the number of bytes to copy. If the original packet isn't long enough to meet the
length specified, the replacement will be truncated:

  spoof reply c 6a 7706[5,8]0000

With a packet of 6A 55 44 33 22 11 00 FF EE there are only 9 bytes, while the replace is trying to grab
bytes 5 through 12. Instead the replace will pull bytes 5 through 8 (3 bytes instead of 8) and plug them
in.

Note: Because of the use of [ to indicate the start of byte replacement, it cannot be safely used as part
of a display/say/overhead command within a trigger. The ] (by itself) is still safe - it's the [ character
that invokes the replacement processing.

An obvious application of this trick (combined with triggers):
  spoof trigger c 24 bind set 70 70 [0,5]
will sniff and bind the "potion pickup" packet used with the recently deceased socket/personalize dupe.
--------------------------------------------------------------------------------------
Order of precedence:

When a packet is received, it is first compared against the "reply" list for that source.
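An added example (not Spoof's own code) in Python that models the [offset,count] replacement described above, including the truncation case when the packet is shorter than the requested range. The `expand_command` trigger variant assumes the copied bytes are spliced into the command text as upper-case hex, which the page does not spell out; all packets below are constructed samples.

```python
import re

# "[offset,count]" inside a reply template copies `count` bytes of the matched
# packet starting at the ZERO-BASED `offset`; offsets/counts are decimal, the
# surrounding literal bytes are hex with no spaces (as in the Spoof docs).
_PLACEHOLDER = re.compile(r"\[(\d+),(\d+)\]")


def matches_prefix(packet: bytes, prefix_hex: str) -> bool:
    """A block/reply/trigger matches when the packet STARTS with the given bytes."""
    return packet.startswith(bytes.fromhex(prefix_hex))


def _slice(packet: bytes, m) -> bytes:
    """The bytes a placeholder selects; Python slicing truncates silently when the
    packet is too short, which is the behaviour the docs describe (never padded)."""
    offset, count = int(m.group(1)), int(m.group(2))
    return packet[offset:offset + count]


def expand_reply(template: str, packet: bytes) -> bytes:
    """Build the reply bytes: literal hex runs are decoded as-is and every
    [offset,count] is replaced by the corresponding slice of the packet."""
    out, pos = bytearray(), 0
    for m in _PLACEHOLDER.finditer(template):
        out += bytes.fromhex(template[pos:m.start()])
        out += _slice(packet, m)
        pos = m.end()
    out += bytes.fromhex(template[pos:])
    return bytes(out)


def expand_command(command: str, packet: bytes) -> str:
    """Trigger variant (assumption: the copied bytes are spliced into the command
    text as upper-case hex, the same notation the commands themselves use)."""
    return _PLACEHOLDER.sub(lambda m: _slice(packet, m).hex().upper(), command)


def reply_for(packet: bytes, prefix_hex: str, template: str):
    """One 'reply' entry: the expanded response if the prefix matches, else None."""
    return expand_reply(template, packet) if matches_prefix(packet, prefix_hex) else None


if __name__ == "__main__":
    # Constructed sample packets (not captured game traffic); values follow the docs.
    pkt = bytes.fromhex("6AD1FFC7A8F300000000")
    print(reply_for(pkt, "6a", "7706[0,5]0000").hex().upper())    # 77066AD1FFC7A80000
    short = bytes.fromhex("6A554433221100FFEE")                    # only 9 bytes long
    print(reply_for(short, "6a", "7706[5,8]0000").hex().upper())  # 77061100FFEE0000
```

On the 9-byte packet the [5,8] placeholder yields the four bytes that exist at offsets 5 to 8 (11 00 FF EE), not the eight requested.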
Multiple replies may exist for a given packet - if so, they are sent in the order they were entered
(i.e. in the order they appear in the "list" command). Once all replies are processed, the packet is
compared against active triggers. Once again, there may be multiple triggers, and they will be executed
in the order they were entered. Finally, the packet is compared against the list of blocks. The first
block encountered will cause the packet not to be sent/received (there may be multiple blocks, but only
the first one has any effect).
------------------------------------------------------------------------------------
Autosave:

Every time that spoof shuts down properly (spoof unloaded, D2HackIt unloaded), it will save all current
entries to the .ini file, under the section [Autosave]
-------------------------------------------------------------------------------------
Installation:

Copy Spoof.d2h to the D2HackIt folder
".load spoof" to load it

====> Sonata <=====
Email: sonata_d2@hotmail.com
Website: sonatahacks.50megs.com
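An added example (not Spoof's own code) in Python that models the order of precedence described in the "Order of precedence" section: every matching reply fires in entry order, then every matching trigger, and only the first matching block has any effect. Responses are fixed bytes here (the [offset,count] templating is left out), and the entries and packets are constructed samples.

```python
# Constructed model of Spoof's documented order of precedence for one packet:
# replies (all, in entry order) -> triggers (all, in entry order) -> blocks
# (first match only). Entries are ordered lists of hex prefixes, like ".spoof list".
from dataclasses import dataclass, field


@dataclass
class SpoofLists:
    replies: list = field(default_factory=list)   # [(prefix_hex, response_hex), ...]
    triggers: list = field(default_factory=list)  # [(prefix_hex, command_text), ...]
    blocks: list = field(default_factory=list)    # [prefix_hex, ...]


def process_packet(lists: SpoofLists, packet: bytes):
    """Returns (responses, commands, forwarded, blocking_prefix).
    `forwarded` is False only when some block matched; `blocking_prefix` names the
    first matching block, since later blocks have no effect per the docs."""
    def hit(prefix_hex: str) -> bool:
        return packet.startswith(bytes.fromhex(prefix_hex))

    responses = [bytes.fromhex(resp) for pfx, resp in lists.replies if hit(pfx)]
    commands = [cmd for pfx, cmd in lists.triggers if hit(pfx)]
    blocker = next((pfx for pfx in lists.blocks if hit(pfx)), None)
    return responses, commands, blocker is None, blocker


if __name__ == "__main__":
    # Constructed entries (not real game traffic). The specific block "1805" is entered
    # before the broad "18", so an 18 1C ... packet is stopped by "18", not "1805".
    lists = SpoofLists(
        replies=[("181c00", "191c00"), ("18", "aa")],
        triggers=[("18", "display matched 18")],
        blocks=["1805", "18"],
    )
    print(process_packet(lists, bytes.fromhex("181C0001")))
    print(process_packet(lists, bytes.fromhex("1D00")))
```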