Onec Protocol Reverse
Use this workflow for unknown 1C protocols and for extending known RAC protocol mapping.
Quick Start
- •Build tools in the current workspace:
- •
cargo build --release
- •
- •Capture one command/session:
- •Use
scripts/capture_rac_command.shin this skill for RAC commands. - •Raw captures go under
./logs/. Extracted byte sequences go under./artifacts/. - •Or run equivalent proxy + client workflow for a different protocol.
- •Use
- •Decode streams:
- •
cargo run --bin rac_decode -- <session>/client_to_server.stream.bin - •
cargo run --bin rac_decode -- <session>/server_to_client.stream.bin
- •
- •Update method/framing notes using templates in
references/. - •Validate hypotheses by implementing minimal live client calls (
rac_litestyle).
Workflow
- •Read
references/reverse_workflow.mdat the start of each new protocol task. - •If protocol is RAC or RAC-like, read
references/rac_baseline.md. - •If mapping methods, read
references/rac_method_map.md. - •Before final conclusions, read
references/pitfalls_checklist.md. - •If task is static reverse/decomp-style analysis of
rac, readreferences/rac_static_reverse.md. - •Execute capture matrix:
- •Baseline list/info commands.
- •Same command with different entity IDs.
- •Empty-result vs non-empty-result cases.
- •Infer transport framing before field-level decoding:
- •Check fixed header markers.
- •Test
u8 lenvs varuint. - •Verify boundaries against full stream length.
- •Infer RPC envelope:
- •Identify stable prefixes.
- •Extract method IDs.
- •Separate context-setting calls from business calls.
- •Build/extend replacement client:
- •Implement handshake.
- •Implement one method end-to-end.
- •Re-test against live server.
Scripts
- •
scripts/capture_rac_command.sh- •Deterministic single-command capture via local proxy.
- •
scripts/method_map_from_sessions.sh- •Batch extract method IDs from session directories using
rac_decode.
- •Batch extract method IDs from session directories using
- •
scripts/map_rac_commands_to_methods.sh- •Run a capture matrix and generate
docs/documentation/rac_cli_method_map.generated.md.
- •Run a capture matrix and generate
- •
scripts/dump_rac_static_info.sh- •Dump static metadata from
racbinary (ELF profile, debuglink, IDS keys, supported modes).
- •Dump static metadata from
- •
docs/documentation/rac_help_methods.md- •Quick reference for
rac help <mode>commands, parameters, and descriptions.
- •Quick reference for
Run scripts from repository root unless user asks otherwise. Captures are written to ./logs/ by default via LOG_DIR.
Extracting Response Examples
Use scripts/extract_rac_response_example.sh to save response payload bytes into ./artifacts/ for documentation.
Capture/Decode Practices (Chat-Derived)
- •Keep raw capture data in
./logs/. Do not citelogs/as durable evidence; extract only the required byte sequences into./artifacts/and reference those in docs. - •When listing evidence in docs, prefer
artifacts/<label>.hexoverlogs/session_*. - •If a proxy listen port is in use, change
LISTEN_ADDR(e.g.,127.0.0.1:1566) before retrying. - •For
rac_decode, the correct invocation in this repo is:- •
cargo run -p rac_protocol --quiet --bin rac_decode -- <stream.bin>
- •
- •For multi-record list responses:
- •Determine record boundaries by locating repeating entity UUIDs (e.g.,
sessionUUID). - •Report offsets relative to each record start.
- •Build a “sequence line”:
field → gap → field → gap, and search gaps foru32_bevalues fromracoutput. - •Use multiple captures with activity (“load”) to turn zeros into non-zero values and confirm field offsets.
- •Determine record boundaries by locating repeating entity UUIDs (e.g.,
Output Requirements
When reporting protocol analysis:
- •Present confirmed facts first (bytes, offsets, method IDs, frame format).
- •Mark hypotheses explicitly.
- •Include concrete file references to captures.
- •Record new mappings in
references/for reuse. - •If building replacement behavior, show one verified live command/output.
- •When updating message format docs, update the
Order In Capturecolumn for field lists.