Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/ThalissonTMora/shaiya-chat-native-re/llms.txt

Use this file to discover all available pages before exploring further.

After completing the static reverse-engineering pass, five runtime validation items (D1–D5) were flagged as requiring live or on-disk evidence that could not be fully satisfied by disassembly alone. This page documents the results of the automated search across the repository and WSL filesystem, records what was found and vendored, and provides concrete closure strategies for every item that remains open.

Search Scope

The automated search covered three locations:
  • /home/Thalisson/shaiya-paradise — recursive, depth 6
  • /mnt/c/Users — recursive, depth 5
  • Byte scan of Shaiya-Core RAR archives — searched for opcode constants and known magic bytes

Summary Table

IDItemFound?Notes
D1Guild 0x1104 wire capture (padding)Static closedui_session_20260526_static.log; live hex optional
D2data/cn_string.DB (zone script text)Yes (Windows mount)/mnt/c/ShaiyaServer/PSM_Client/Bin/Data/cn_string.DB (31 entries); vendored as test/fixtures/cn_string_stock.db
D2′sysmsg-uni.txt (client sys messages)Yes (outside RE repo).features/Shaiya-Core-V7/sysmsg-uni.txt — UTF-16, tab format; NOT a cn_string.DB substitute
D3Login 0xA101 pcap + PRNG captureNoNo tcpdump/pcap in tree
D4NPC script 0x1109 wire captureNo
D5Binary that sends C→S 0xF108NoGame.exe / ps_game.exe / ps_login.exe: 0 mov $0xF108 send sites
D1 and D2 are closed. D2 has been vendored to test/fixtures/cn_string_stock.db; D1 is satisfied by the MSVC debug-fill static proxy and the existing ui_session_20260526_static.log. Live captures remain optional.
D3, D4, and D5 are still open. Each requires either a live packet capture session or identification of a GM/admin binary not currently vendored in the monorepo. See the individual sections below for step-by-step closure strategies.

D1 — Padding Capture

Status: Closed (static proxy) The best static proxy is the MSVC debug fill 0xCC on a simulated Pattern B packet — generated by: 
python3 tools/padding/build_pattern_b_packet.py --tail stock
This produces a 21-byte guild chat payload with the trailing pad bytes set to 0xCC, matching the compiler’s uninitialised-stack fill pattern observed in the disassembly of SConnection_Send.
If a live capture is still desired (takes ~5 minutes in-game), follow WIRE_CAPTURE_GUIDE.md §3: set a breakpoint at 0x004ED0E0 on ps_game.exe, send one guild chat message, then hexdump 21 bytes starting at payload+2.

D2 — cn_string.DB

Status: Closed (vendored)
cn_string.DB was located at /mnt/c/ShaiyaServer/PSM_Client/Bin/Data/cn_string.DB (31 entries) and has been vendored to test/fixtures/cn_string_stock.db.
PropertyValue
Expected server pathdata/cn_string.DB
Loader symbolZoneChat_TableLoader @ 0x00408C70 in ps_game.exe
Found at/mnt/c/ShaiyaServer/PSM_Client/Bin/Data/cn_string.DB
Vendored totest/fixtures/cn_string_stock.db
Parse any server-side copy with the bundled utility: 
python3 tools/zonechat/parse_cn_string_db.py /path/to/server/data/cn_string.DB --limit 50

D2′ — sysmsg-uni.txt Comparison

sysmsg-uni.txt was found at .features/Shaiya-Core-V7/sysmsg-uni.txt during the filesystem sweep. It is not a substitute for cn_string.DB — the two files serve distinct subsystems and have incompatible formats.
Propertysysmsg-uni.txtcn_string.DB
EncodingUTF-16 LEASCII / ANSI
Row formatid TAB "text"fscanf("%d\n") + fgets
Client pathdata/sysmsg-uni.txtdata/cn_string.DB
Primary useSystem / UI messages (GetMsg tags)Zone script / 0x1109 resolver
sysmsg-uni.txt covers the UI message subsystem; cn_string.DB is the lookup table for the zone-chat script push (0x1109) opcode. Neither file can substitute for the other.

D3 — Login Crypto Capture

Status: Open
No tcpdump output, pcap file, or PRNG seed dump was found anywhere in the search scope. A live capture session is required to close this item.
1

Capture the login handshake

Run tcpdump on the login port while the client connects:
tcpdump -i eth0 -w login_capture.pcap port <login_port>
2

Dump the PRNG seed

In x64dbg with Game.exe attached, set a breakpoint at 0x00404610 (Crypto_PRNGFill) and dump 128 bytes of the seed buffer when it fires.
3

Dump the 0xA101 plaintext

Set a second breakpoint at 0x005E3D60 and dump 197 bytes of the plaintext 0xA101 login packet before encryption.
4

Validate the counter

Run the validation script against both dumps:
python3 tools/crypto/validate_a101_counter.py \
    --file dump.bin \
    --offset N \
    --prng-hex <256 hex chars>

D4 — Script Push Capture

Status: Open
No 0x1109 packet capture was found in the search scope. A brief in-game session against a server that triggers NPC script pushes is required.
Follow WIRE_CAPTURE_GUIDE.md §4: hook SConnection_Send at 0x004ED0E0 and filter for packets where *(u16*)buf == 0x1109. A single NPC interaction that triggers a script response is sufficient to close this item.

D5 — F108 Sender

Status: Open
0xF108 (C→S whisper relay / GM command) has no send sites in any of the scanned PE binaries. This opcode is almost certainly dispatched from a GM panel or admin tool that is not vendored in the monorepo.
BinaryC→S mov $0xF108Role
bin/Game.exeNoNo dispatcher case
bin/ps_game.exeNo (recv handler only)Relays inbound packet to 0xF102
bin/ps_login.exeNo
Inferred: the tool that originates 0xF108 is a GM panel or standalone admin binary not currently vendored. The server-side handling is documented in ADMIN_F108_WHISPER_RELAY.md.

Typical Server Layout (Windows)

For reference when locating artifacts on a local Windows Shaiya server installation: 
C:\Server\data\cn_string.DB
C:\Server\data\sysmsg-uni.txt

Helper Script

To scan both a bare server data directory and a WSL-mounted Windows path in one pass: 
./tools/artifacts/find_missing.sh /path/to/server/data /mnt/c/Server/data
The script checks for all D1–D5 target files and prints a colour-coded found / missing summary.

Undocumented Area

The largest remaining undocumented area in the chat subsystem is the GM notice opcode range 0xF9010xF90C. The server dispatch entry point (0x0047509F, jump table 0x004833F4) and several client send VAs are identified statically, but the per-opcode handler decompilations and the client recv display path have not been added to the RE corpus. See RE Gaps for the full gap register and prioritisation notes.

Build docs developers (and LLMs) love

Get started for freeTalk to us