How Can I Reverse Engineer a Network Protocol (Metatrader 4)?

Actually, there is an (official) MT4 Server API. It consists of a .dll file with some example code in C++ and Delphi. The .dll exposes functions for logging in, placing orders, getting your balance, etc.
You don't need MetaTrader installed, only that .dll file.
Unfortunately, the documentation for this API is virtually non-existent. Some of the source code is commented only in Russian. Apparently some documentation is available in a special support area on MetaQuotes' website, but this requires a login, which you only get if you bought an MT4 server licence (which I don't have).
Now to answer your original question: if you want to reverse-engineer the protocol you definitely need to disassemble the binary and have a look at the code. The communication is scrambled by an unknown algorithm.
What I have found out so far:
  • Although they use port 443 for communication, they are not using SSL or even HTTPS. Captured traffic sometimes looks like a 16-byte block size without CBC chaining: you can easily spot patterns that repeat every 16 bytes with slight differences.
  • Transport is plain TCP; you can stream multiple commands over one connection until you are finished.
  • Commands (before encryption) are readable ASCII text terminated with a line feed (\n).
  • The connection is properly terminated by sending QUIT\n.
  • The first byte after opening the connection specifies the protocol mode. Possible values are (at least) W or Z for clear text and 0x00 for encrypted transport.
Beginning a connection with W starts the "Web Service" mode. You can receive at least quotes and a list of symbols with it. You can easily try this out with telnet:
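Two checks on captured traffic that follow from the observations above, written as an added example (Python) that is not part of the original post: a classifier that tells a standard TLS record header apart from the W/Z/0x00 mode byte, so non-TLS traffic on port 443 stands out in a capture, and a lag-16 byte-coincidence rate that flags the "repeating every 16 bytes with slight differences" effect of a 16-byte block cipher used without chaining. The TLS header layout is standard; the 0.25 threshold, the sample blobs and the helper names are constructed assumptions.

```python
import hashlib

# TLS record-layer content types: change_cipher_spec, alert, handshake, application_data.
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a client sent on a TCP connection to port 443.

    "tls"           - TLS record header: content type, then version 0x03 0x0X
    "mt4-cleartext" - the W or Z mode byte described in the post
    "mt4-encrypted" - the 0x00 mode byte described in the post
    "unknown"       - anything else (HTTP, garbage, ...)
    """
    if len(data) >= 3 and data[0] in TLS_CONTENT_TYPES and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    if data[:1] in (b"W", b"Z"):
        return "mt4-cleartext"
    if data[:1] == b"\x00":
        return "mt4-encrypted"
    return "unknown"


def lag_match_rate(data: bytes, lag: int = 16) -> float:
    """Fraction of bytes equal to the byte `lag` positions earlier.

    Chained (CBC) or stream-encrypted traffic scores around 1/256; a 16-byte block
    cipher without chaining on repetitive plaintext scores far higher, which is the
    "patterns every 16 bytes with slight differences" effect noted in the post.
    """
    if len(data) <= lag:
        return 0.0
    matches = sum(1 for i in range(lag, len(data)) if data[i] == data[i - lag])
    return matches / (len(data) - lag)


def looks_unchained(data: bytes, lag: int = 16, threshold: float = 0.25) -> bool:
    """Heuristic flag for a captured stream; the threshold is an assumed value."""
    return lag_match_rate(data, lag) >= threshold


# --- constructed samples (not captured traffic) ---
def _repetitive_sample() -> bytes:
    """Emulates an unchained block cipher on repetitive plaintext: one 16-byte block
    repeated eight times, with two bytes flipped to mimic the 'slight differences'."""
    buf = bytearray(bytes(range(16)) * 8)
    buf[20] ^= 0xFF
    buf[70] ^= 0xFF
    return bytes(buf)


def _pseudo_random(n: int) -> bytes:
    """Deterministic stand-in for well-chained ciphertext (SHA-256 counter stream)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(b"constructed-sample" + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


REPETITIVE = _repetitive_sample()
RANDOMISH = _pseudo_random(256)

if __name__ == "__main__":
    for label, blob in (("repetitive", REPETITIVE), ("randomish", RANDOMISH)):
        print(f"{label}: lag-16 match rate {lag_match_rate(blob):.3f}, "
              f"unchained={looks_unchained(blob)}")
    for first in (b"\x16\x03\x01\x00\xa5\x01\x00", b"WINFO\n", b"\x00" + bytes(15)):
        print(first[:4], "->", classify_first_bytes(first))
```

Run the classifier on the first client payload of each port-443 flow in a capture; anything that is not "tls" deserves a second look, and for the 0x00 mode the match rate on the bytes that follow gives a quick read on whether the scrambling chains blocks at all.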
$ telnet 216.93.169.220 443
Trying 216.93.169.220...
Connected to 216.93.169.220.
Escape character is '^]'.
WINFO

MetaTrader Server 4.00 build 391
Ava Financial Ltd.
QUOTES-EURUSD,EURGBP,
up EURUSD 1.4105 1.4106 2011.03.24 02:02:49
down EURGBP 0.8673 0.8675 2011.03.24 02:02:41
2011.03.24 02:02:49
LIST
CONFIRMLISTS-EURUSDEURGBPAms.AEGNAms.AHLNAms.AKZOAms.ASMLAms.BAMNAms.BOSNAms.CORAms.DSMNAms.ELSNAms.FUGRcAms.HEINAms.INGAms.ISPAAms.KPNAms.PHGAms.RANDAms.RDSaAms.SBMOAms.TNTAms.TOM2Ams.UNcAms.WEHAAms.WLSNcCBOT.WFft.BMWGFft.VOWGHel.NOK1VLSE.AALLSE.ABFLSE.ADMLLSE.AMECLSE.ANTOLSE.AUTNLSE.AVLSE.AZNLSE.BAESLSE.BALFLSE.BARCLSE.BATSLSE.BAYLSE.BGLSE.BLTLSE.BNZLLSE.BPLSE.BSYLSE.BTLSE.CCLLSE.CNALSE.CNELSE.COBLSE.CPGLSE.CPILSE.CWLSE.DGELSE.ENRCLSE.EXPNLSE.FRCLLSE.FRESLSE.GFSLSE.GSKLSE.HOMELSE.HSBALSE.IAPLSE.IHGLSE.IIILSE.IMTLSE.IPRLSE.ISALSE.ISYSLSE.ITRKLSE.JMATLSE.KAZLSE.KGFLSE.LGENLSE.LMILSE.LSELSE.MKSLSE.MRWLSE.NGLSE.NXTLSE.OMLLSE.PFCLSE.PNNLSE.PRULSE.PSONLSE.RBLSE.RDSaLSE.RDSbLSE.RELLSE.REXLSE.RIOLSE.RRLSE.RRSLSE.RSALSE.SABLSE.SBRYLSE.SGELSE.SHPLSE.SLLSE.SMINLSE.SNLSE.SRPLSE.SSELSE.STANLSE.SVTLSE.TCGLSE.TLWLSE.TSCOLSE.TTLSE.ULVRLSE.UULSE.VEDLSE.VODLSE.WOSLSE.WPPLSE.XTAMad.ABEMad.ABGMad.ACSMad.ACXMad.ANAMad.BB
QUIT
Connection closed by foreign host.
What I've typed in the telnet session is WINFO, QUOTES-EURUSD,EURGBP, LIST and QUIT; the other lines are the server's replies. Z instead of W also works for the INFO command.
Note that you have to end the list of symbols for the QUOTES command with a comma. The QUOTES command seems to be unavailable in builds prior to 391 (I found a lot of servers running build 344).
I know about the QUOTES command (and the W) directly from the docs, saw the INFO command by sniffing the MT4 client, and found out about LIST just by trying out some keywords. Let me know if you find more. There should be at least a command to receive the bars for the charts.
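As an added example that is not the post's own code: a small Python helper that frames a cleartext W/Z request the way the telnet session does (mode byte, LF-terminated commands, the trailing comma on the QUOTES symbol list, QUIT) and parses the reply lines into records. The line formats are inferred from the session above; treating the lone trailing timestamp as the server's clock is an assumption, the helper names are mine, and the symbols in the LIST reply are kept as a raw string because the server runs them together without a delimiter.

```python
import re
from datetime import datetime

TS_FMT = "%Y.%m.%d %H:%M:%S"
BANNER_RE = re.compile(r"^MetaTrader Server (?P<version>\d+\.\d+) build (?P<build>\d+)$")
QUOTE_RE = re.compile(
    r"^(?P<dir>up|down) (?P<symbol>[A-Za-z0-9.#]+) (?P<bid>\d+\.\d+) (?P<ask>\d+\.\d+) "
    r"(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2})$"
)
TIMESTAMP_RE = re.compile(r"^\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}$")
LIST_PREFIX = "CONFIRMLISTS-"


def quotes_command(symbols) -> str:
    """QUOTES wants a comma after every symbol, including the last one."""
    return "QUOTES-" + "".join(s + "," for s in symbols)


def build_request(mode: bytes, commands) -> bytes:
    """Frame a cleartext request: one mode byte, LF-terminated commands, then QUIT."""
    if mode not in (b"W", b"Z"):
        raise ValueError("cleartext modes observed are W and Z")
    body = b"".join(cmd.encode("ascii") + b"\n" for cmd in commands)
    return mode + body + b"QUIT\n"


def parse_reply(text: str) -> dict:
    """Turn the server's cleartext reply lines into a structured record."""
    result = {"server": None, "company": None, "quotes": [], "server_time": None,
              "symbol_list_raw": None, "unparsed": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = BANNER_RE.match(line)
        if m:
            result["server"] = {"version": m["version"], "build": int(m["build"])}
            continue
        m = QUOTE_RE.match(line)
        if m:
            result["quotes"].append({
                "direction": m["dir"], "symbol": m["symbol"],
                "bid": float(m["bid"]), "ask": float(m["ask"]),
                "time": datetime.strptime(m["ts"], TS_FMT),
            })
            continue
        if TIMESTAMP_RE.match(line):
            # assumption: the lone timestamp closing a QUOTES reply is the server's clock
            result["server_time"] = datetime.strptime(line, TS_FMT)
            continue
        if line.startswith(LIST_PREFIX):
            # symbols are run together without a delimiter, so keep the raw string
            result["symbol_list_raw"] = line[len(LIST_PREFIX):]
            continue
        if result["server"] is not None and result["company"] is None:
            result["company"] = line  # the line right after the banner
            continue
        result["unparsed"].append(line)
    return result


# Constructed sample: the server-side lines of the telnet session in the post,
# with the LIST reply shortened.
SAMPLE_REPLY = (
    "MetaTrader Server 4.00 build 391\n"
    "Ava Financial Ltd.\n"
    "up EURUSD 1.4105 1.4106 2011.03.24 02:02:49\n"
    "down EURGBP 0.8673 0.8675 2011.03.24 02:02:41\n"
    "2011.03.24 02:02:49\n"
    "CONFIRMLISTS-EURUSDEURGBPAms.AEGNAms.AHLN\n"
)

if __name__ == "__main__":
    print(build_request(b"W", ["INFO", quotes_command(["EURUSD", "EURGBP"]), "LIST"]))
    parsed = parse_reply(SAMPLE_REPLY)
    print(parsed["server"], parsed["company"])
    for q in parsed["quotes"]:
        print(q["symbol"], q["direction"], q["bid"], q["ask"], q["time"])
    print("server time:", parsed["server_time"], "unparsed:", parsed["unparsed"])
```

Anything the parser cannot place ends up in "unparsed", which is the list to watch when probing further commands: a new reply format shows up there first instead of being silently dropped.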

2 comments:

  1. Thanks for sharing. I would like to recommend you this website http://fix4dll.com/isdone_dll. There you'll find how to fix missing dll-files problem.

  2. Great job for publishing such a nice article. Your article isn’t only useful but it is additionally really informative. Thank you because you have been willing to share information with us. Best Broker For Metatrader 5

