Documentation Index
Fetch the complete documentation index at: https://mintlify.com/ThalissonTMora/shaiya-chat-native-re/llms.txt
Use this file to discover all available pages before exploring further.
This page tracks the milestone static-analysis snapshot for the Shaiya Core V9 native chat system. It covers every opcode family handled by Game.exe, ps_game.exe, and ps_login.exe, records which areas have been fully closed by Ghidra decompilation, and lists the small set of items that still require a live session to confirm. The binary baseline is Game.exe c1edd966… / ps_game.exe 91b212af…; all virtual addresses refer to these exact builds.
Static Coverage
The table below reflects the state of every chat-related RE area as of May 2026. “Closed” means the decompilation, wire layout, and behavioral semantics are all confirmed from static analysis alone. “CONFIRMED” means the conclusion was reached statically and additionally validated (e.g. via simulated capture or ASM cross-check).
| Area | Status | Primary Docs |
|---|
Client recv/send 0x11xx + admin 0xF102–0xF109 | Closed | CHAT_CHANNEL_MAP.md, PACKET_SPEC.md |
Server Chat_ProcessIncoming + broadcast queue | Closed | psgame-chat-native/handlers/, broadcast/ |
Script push 0x1109–0x110B + opcode hashes | Closed | SCRIPT_OPCODE_HASHES.md |
Zone message table (cn_string.DB format) | Closed (format only) | ZONECHAT_MESSAGE_TABLE.md |
char[21] sites + padding (static) | CONFIRMED non-zero tail (0xCC… sim.) | PADDING_SIMULATION.md, test/captures/ui_session_20260526_static.log |
| Balloon / cinematic gates | Closed | CHAT_CHANNEL_MAP.md §8, UIShell_* decomps |
| Admin F107/F109 bind | Closed | psgame-chat-native/send/Chat_AdminWhisper_F107_F109_chain.md |
| Admin F108 bound whisper relay | Closed | ADMIN_F108_WHISPER_RELAY.md |
Client 0xA101 recv + counter derivation | Closed (static) | CRYPTO_COUNTER.md |
Server 0xA101 send (ps_login) | Closed (layout + key table) | LOGIN_A101_BODY_MAP.md, SERVER_KEY_BLOB_RE.md |
KeyTable_SlotInit bignum pipeline | Closed (INFERRED RSA-like) | pslogin-chat-native/crypto/BigInt_*, KeyTable_* |
Corpus Size
The numbers below count manifest rows in tools/ghidra/*-functions.manifest and .c files actually present in the repo. The .c count exceeds the manifest count because extra decomps were added for the client crypto path and the BigInt_* / KeyTable_* pipeline in ps_login.exe.
| Binary | Manifest entries | .c files |
|---|
Game.exe | 160 | 169 |
ps_game.exe | 136 | 143 |
ps_login.exe | 17 (+ extended BigInt decomps) | 47+ |
| Total (chat manifests) | 313 | 329+ |
docs/GHIDRA.md.
Five Python tools are bundled in tools/ for offline work — no live server is required to run them against the vendored fixtures.
| Tool | Purpose |
|---|
tools/padding/build_pattern_b_packet.py | Build guild Pattern B packets |
tools/padding/scan_pattern_b_sends.py | Scan PE for memset before send |
tools/zonechat/parse_cn_string_db.py | Parse data/cn_string.DB |
tools/crypto/validate_a101_counter.py | Verify 0xA101 HMAC/counter |
tools/wire/extract_plaintext_opcodes.py | Find opcodes in plaintext dumps |
The fixture test/fixtures/cn_string_sample.db is a synthetic parser test only — it does not contain live zone-script data. The real vendored database is test/fixtures/cn_string_stock.db (31 entries, sourced from a ShaiyaServer mount).
Items Still Requiring Runtime Validation
Five items (D1–D5) cannot be fully closed with static analysis alone. D1 and D2 have effective closure paths already documented; D3, D4, and D5 require a live capture session.
| ID | Item | How to close |
|---|
| D1 | char[21] wire tail — CONFIRMED (static) | test/captures/ui_session_20260526_static.log; optional live hex via WIRE_CAPTURE_GUIDE.md §3 |
| D2 | cn_string.DB content — Done | test/fixtures/cn_string_stock.db (from ShaiyaServer mount) |
| D3 | 0xA101 counter end-to-end | tcpdump login + --prng-hex in validate_a101_counter.py |
| D4 | NPC script push wire | SConnection_Send @ 0x004ED0E0 during script |
| D5 | F108 C→S sender binary | GM tool outside Game.exe |
docs/MISSING_ARTIFACTS_SEARCH.md.
Reimplementation Confidence
Confidence percentages express how certain the static-only RE is that a given reimplementation goal would be wire-compatible against the stock binaries. Gaps correspond directly to the D-series runtime items above.
| Goal | Static confidence |
|---|
| Hook chat send/recv (plaintext) | ~95% |
| Server emulator + stock client | ~88% (D2 zone strings optional for scripts) |
| Wire-compatible proxy | ~85% |
| Standalone cipher clone | ~82% (D3 PRNG seed at handshake) |
| Login key blob replay | ~90% with 16 captured KeyTable slots |