# Native Open Capture Server `tools\AVEVA.Historian.WcfCaptureServer` is a reverse-engineering-only WCF server that hosts: ```text net.tcp://localhost:33268/Hist ``` It implements the decompiled `HistoryServiceContract.IHistoryServiceContract` shape and logs `OpenConnection`/`Open2` argument metadata as JSON. Credential and opaque input buffers are not printed; the tool records lengths and SHA-256 hashes only. This tool is not referenced by the production SDK. ## Current result The server builds and listens successfully: ```powershell dotnet build tools\AVEVA.Historian.WcfCaptureServer\AVEVA.Historian.WcfCaptureServer.csproj tools\AVEVA.Historian.WcfCaptureServer\bin\Debug\net481\AVEVA.Historian.WcfCaptureServer.exe 33268 ``` Calling `ArchestrA.HistorianAccess.OpenConnection` with `TcpPort = 33268` against `localhost` returned success from the native wrapper but did not hit the capture server. A follow-up with `TcpPort = 1` also connected successfully to the real local Historian, proving the wrapper ignores `TcpPort` for the local machine path. Calling `127.0.0.1:33268` did not connect. Current interpretation: the public wrapper detects `localhost` as a local server name and uses the installed local Historian endpoint rather than the requested test port. The local mock server cannot intercept `Open2` without redirecting or stopping the real local endpoint, which is outside the safe automated path. ## Useful follow-up To use this capture server, the native wrapper must be made to treat the target as remote while routing traffic to this machine on the real Historian port, or the lower-level native client export must be called directly. The most useful targets are: - `CHistoryConnectionWCF::OpenConnection3` - `CClientInfo::SerializeOpenConnectionInParams3` - `CClientInfo::EncryptWithClientKey` - `CClientInfo::GetPwdString` Frida is installed on this machine and can attach to the native PowerShell process, but `aahClientManaged.dll` does not expose native symbols. The next step is address discovery for those internal functions, then Frida hooks for the serialized input buffer.