This page documents every known gap in the Shaiya Core V9 chat RE corpus and provides a priority-ranked roadmap for closing what remains. The goal is chat 100% — full wire compatibility, complete server broadcast rules, and an accurate client pipeline model — without reopening areas already closed in WIRE_CRYPTO.md or pslogin-chat-native/ (client 0xA101 recv and ps_login send are both fully closed). Priorities use a P0/P1/P2 scale: P0 blocks emulator and proxy work entirely, P1 is required for fully stock-compatible behavior, and P2 is UI polish or tooling outside the minimum wire-compat scope.
Priority Summary
| Priority | Theme | Status |
|---|---|---|
| P0 | char[21] recv/send + padding wire | CONFIRMED (static) — tail ≠ zeros (0xCC…); see test/captures/ui_session_20260526_static.log + validate_d1_padding.py |
| P0 | Admin recv 0xF102–0xF109 | Closed — 7× .c files + vtable +0x334 / stubs +0x344 / +0x348 |
| P1 | Balloon gates DAT_* → map §8 | Closed — +0x1D0 = cinematic suppress CONFIRMED; DAT_007c0d8c = [VIDEO] WATER |
| P1 | Chat_BroadcastNamed / megaphone 0x1108 | Closed — stub → World_BroadcastTradeCore queue mode 3, view 7 |
| P1 | Whisper server patch +0x0B | Closed — byte 0x16 cleared; Pattern C dir 0/1 CONFIRMED |
| P1 | Balloon 0x1101/0x1107 recv path | CONFIRMED — vtable chain → balloon create @ 0x4126D0 → tick @ 0x412780 |
| P1 | NativeChatSendUI vs ChatWindow_SubmitChatInput | CONFIRMED — FX 3D vs ChatWindow_SubmitChatInput → PacketSend_* |
| P1 | Server push 0x1109–0x110B | Closed — 4× builders in psgame-chat-native/send/; layouts D/E/G in PACKET_SPEC.md |
| P2 | UI pixel-perfect / hooks render | Partial — out of scope for minimum wire-compat |
| P2 | 0xF107/0xF109 client effect | Closed — stub vfn; server bind @ CUser+0x5810; chain doc |
| P1 | 0xF108 bound whisper relay | Closed — C→S Pattern I @ 0x00480462; S→C dual 0xF102; ADMIN_F108_WHISPER_RELAY.md |
| P1 | DAT_022aa816 faction global | CONFIRMED — single write @ 0x0048BFEA from local entity+0xBF4 |
Scope
The table below defines what is in scope for this gap analysis versus what is tracked elsewhere.
| Artifact | Scope |
|---|---|
| game-chat-native/handlers/*, vtable/*, balloon/*, send/*, ui/* | Client |
| psgame-chat-native/handlers/Chat_ProcessIncoming_0047f400.c, broadcast/* | Server |
| 0xA101/0xA102 game client, ps_login key blob, crypto counter wire | Out of scope (already closed in WIRE_CRYPTO.md / pslogin-chat-native/) |
Key Findings
char[21] CONFIRMED — client recv uses PacketRead_String with count=0x15
Five client recv handlers all call PacketRead_String (@ 0x005F4780) with a hard-coded count of 0x15 (21 bytes). The function performs a fixed-size memcpy up to param_2 bytes with no null terminator written on the wire.
| Opcode | Handler VA | Evidence |
|---|---|---|
| 0x1102 Whisper | 0x005E5180 | FUN_005f4780(&local_9c, 0x15) after PacketRead_Scalar 1 B dir |
| 0x1103 Trade | 0x005E5250 | FUN_005f4780(local_a0+1, 0x15) |
| 0x1104 Guild | 0x005E5310 | Same pattern |
| 0x1108 Megaphone | 0x005E5540 | Same pattern |
| 0x1111 Area | 0x005E57D0 | Same pattern |
Opcodes that do not use char[21]: 0x1101, 0x1105, 0x1107 (Pattern A: u32 charId); 0x1109 (Pattern D); 0x110A (u32 + u16); 0x110B (char[32] @ +0x20).
Client send — only whisper places 21 bytes on wire
PacketSend_Whisper @ 0x005ED160 copies param_2[0..4] (5×u32) plus *(param_2+5) — totalling 21 bytes — into the outgoing buffer. NetworkSend is called with size param_3 + 0x18 (24 bytes = 2 opcode + 21 name + 1 len byte). This layout is inferred to match the recv-side char[21] field exactly (5 dwords + 1 byte, not a length-prefixed string).
Server broadcast — null-terminated copy into char[21] stack buffer
Three confirmed broadcast sites on the server copy a name from CUser+0x184 into a char[21] stack buffer using a do-while null-terminating loop. Crucially, there is no memset or rep stosd of the tail before SConnection_Send, which means bytes [strlen..20] in the wire name field contain whatever was on the stack — confirmed as 0xCC… in the MSVC debug simulation.
| Site | VA | Evidence |
|---|---|---|
| Guild + alliance 0x812 | 0x00432530 | char local_a2[21], loop do { *dst = *src; } while (*src++ != '\0') |
| Megaphone repack 0x1108 | 0x0047F400 case 0x1101 | Copies CUser+0x184 → buffer; FUN_004d55b0(&local_14c, bVar1 + 0x18) |
| Trade 0x1103 | 0x0047F400 | Same param_1+0x184 copy pattern |
Wire name+text total: len + 0x18 (24 bytes = 2 opcode + 21 name + 1 len) — CONFIRMED in FUN_004d55b0(..., bVar1+0x18).
Emulator implication: must accept arbitrary tail bytes on recv (client uses C-string semantics); stock server does not zero the tail on send.
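The recv and send implications above, as an added Python example (not code from the project): a parser that reads the char[21] name with C-string semantics and reports a non-zero tail, next to a builder that zero-fills the field. Assumptions not stated on the page: field order opcode, name, len, text; little-endian opcode; single-byte name encoding; `len` counts the text bytes; the function names and the sample frame are constructed for illustration.

```python
import struct

NAME_LEN = 0x15    # char[21] name field (from the page)
HEADER_LEN = 0x18  # 2 opcode + 21 name + 1 len (from the page)

def parse_named_chat(frame: bytes) -> dict:
    """Parse opcode | char[21] name | u8 len | text[len] with C-string name semantics."""
    if len(frame) < HEADER_LEN:
        raise ValueError("frame shorter than the 0x18-byte header")
    (opcode,) = struct.unpack_from("<H", frame, 0)  # assumption: little-endian opcode
    field = frame[2:2 + NAME_LEN]
    text_len = frame[2 + NAME_LEN]
    if len(frame) != HEADER_LEN + text_len:         # page: total = len + 0x18
        raise ValueError("frame size does not match len + 0x18")
    nul = field.find(b"\x00")
    terminated = nul >= 0
    name = field[:nul] if terminated else field     # never read past the 21-byte field
    tail = field[nul + 1:] if terminated else b""
    return {
        "opcode": opcode,
        "name": name.decode("latin-1"),             # assumption: single-byte names
        "text": frame[HEADER_LEN:],
        "terminated": terminated,
        "tail": tail,
        "tail_dirty": any(tail),                    # non-zero bytes after the NUL
    }

def build_named_chat(opcode: int, name: str, text: bytes) -> bytes:
    """Emit the same layout, zero-filling the name tail so no stale memory is sent."""
    raw = name.encode("latin-1")
    if len(raw) >= NAME_LEN:
        raise ValueError("name must leave room for the NUL terminator")
    if len(text) > 0xFF:
        raise ValueError("text does not fit the u8 len byte")
    return struct.pack("<H", opcode) + raw.ljust(NAME_LEN, b"\x00") + bytes([len(text)]) + text

# Constructed sample: a guild (0x1104) frame shaped like stock output, tail left as 0xCC.
STOCK_LIKE = struct.pack("<H", 0x1104) + b"Alice\x00" + b"\xCC" * 15 + bytes([2]) + b"hi"

if __name__ == "__main__":
    zeroed = build_named_chat(0x1104, "Alice", b"hi")
    for label, frame in (("stock-like", STOCK_LIKE), ("zeroed", zeroed)):
        p = parse_named_chat(frame)
        print(label, p["name"], p["text"], "dirty tail" if p["tail_dirty"] else "clean tail")
```

Both frames parse to the same name and text; only `tail_dirty` differs, which makes it usable as a capture-side check for unzeroed name fields.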
Admin opcodes 0xF102–0xF109 — all closed
All seven admin receive handlers are decompiled in game-chat-native/handlers/Handler_Chat_Admin_F*.c. The vtable layout is:
- +0x334: main admin recv vfn
- +0x344, +0x348: stub entries
- F107/F109: send opcode + char[21], size 0x17; server stores bind @ CUser+0x5810 = target+0x128; F109 C→S is opcode-only (no body).
- F108: handler at 0x00480462; requires CUser+0x5810 != 0; relays to target as dual 0xF102, never 0xF108; no bind or offline → 0x1106 size 3.
- Stock Game.exe contains zero mov $0xF107/$0xF108/$0xF109 send sites — those opcodes originate from a GM tool not bundled in the client.
P2 Items (Out of Minimum Wire-Compat Scope)
The following P2 items are documented for completeness but are not required to achieve basic wire compatibility with a stock server.
| # | Item | Notes |
|---|---|---|
| P2-1 | Rename NativeChatSendUI → ChatWorldFX_SendUI | ✅ Done — manifest + ui/ChatWorldFX_SendUI_0045bbe0.c; no network path in body |
| P2-2 | Hooks ChatWindow_Render_* @ 0x47DB8D | Hide native UI; landmarks present but not decomped |
| P2-3 | GmCommand_Dispatch / staff overlay | Outside minimum wire scope |
| P2-4 | Pixel-perfect tabs / IME | ChatUIFont_*, InputCapture — visual only |
NativeChatSendUI @ 0x0045BBE0 and ChatWindow_SubmitChatInput @ 0x0047A4B0 are not alternatives for the same chat send. The former spawns 3D world FX / object queues with no NetworkSend call in its body; the latter handles the Enter-key submit path that ultimately calls PacketSend_*. The symbol was renamed to ChatWorldFX_SendUI to eliminate this confusion.
Actionable Roadmap
P0 — Blocks emulator / proxy 100% compat
| # | Task | Status |
|---|---|---|
| P0-1 | char[21] padding on wire — confirm tail in live guild 0x1104 capture | CONFIRMED (static); live hex optional |
| P0-2 | Decompile admin recv 0xF102–0xF109 | ✅ game-chat-native/handlers/Handler_Chat_Admin_F*.c |
| P0-3 | Wire layouts for admin recv | ✅ PACKET_SPEC.md + CHAT_CHANNEL_MAP.md §2 |
P1 — Full stock chat behavior
| # | Task | Status |
|---|---|---|
| P1-1 | Decompile Chat_PacketBuilder_1109/110A/110B | ✅ psgame-chat-native/send/*.c |
| P1-2 | Balloon gate booleans | ✅ CHAT_CHANNEL_MAP.md §8 |
| P1-3 | Chat_BroadcastNamed real body | ✅ Chat_BroadcastNamed_chain.md |
| P1-4 | Whisper server patch +0x0B | ✅ PACKET_SPEC.md § Whisper + handler L105/L138 |
P2 — UI / Polish
| # | Task | Notes |
|---|---|---|
| P2-1 | Rename NativeChatSendUI | ✅ Complete |
| P2-2 | Render hooks | Landmarks exist; out of wire scope |
| P2-3 | GM command full list | 3139-line decomp available; only notice subset tested |
| P2-4 | Pixel-perfect IME | ChatUIFont_*, InputCapture |