Reverse engineering high tec games' network traffic - reverse-engineering

so I'm trying to deconstruct the messages passed by server-client interaction in a fairly old Halo game through LAN. I've been conducting tests with Wireshark and large packets. Although I am confused as to which type of data I should be analysing. In a chat message packet that was all a characters, I received this:
fe:fe:00:03:3a:00:11:19:39:1a:28:0d:b9:20:9d:7b:b8:59:52:90:e3:3e:93:7b:b8:59:52:90:e3:3e:93:7b:b8:59:52:90:e3:3e:93: [SNIP]
And in a message with all but the first 3 letters being 'a', I received this:
fe:fe:00:21:64:00:68:8f:02:6d:5f:ab:a7:cb:d0:78:0f:e9:6d:55:89:13:72:7b:b8:59:52:90:e3:3e:93:7b:b8:59:52:90:e3:3e:93: [SNIP]
Now, I can see some similarities between the packets at some stages (probably the a's), I've come to the conclusion that this:
7b:b8:59:52:90:e3
Might be an 'a' character. But have no way of proving it. How can I get the above strange string into a readable character, namely, back to 'a'? Is it possible?
Thanks for reviewing this question!
Protocol is UDP.

You just have to attach ollydbg to the process you are trying to understand, and set breakpoints at WSARecv (or recv) http://msdn.microsoft.com/de-de/library/windows/desktop/ms741688(v=vs.85).aspx
The next packet you receive will hit your breakpoint, follow the memory ptr to see it in a separate window and step over the call WSARecv. You should see a filled buffer now, set a memory breakpoint at the top of the new arrived data and if you press play you should get to the crypt function, if its crypted. (Its possible, that you have to reverse a bit more to get to that point) I hope its a starting point for you to get into reverse engineering assembly :)
Maybe my tut will help a bit, its for another game but i think it should show some ideas:
http://blog.praty.net/?p=315
Greetz defragger

Guessing the protocol by looking at network dumps is very inefficient. I recommend decompiling pieces of a game using modern tools such as Hex-Rays Decompiler and then combining knowledge of data structures used in networking modules with debugging live app using OllyDbg.

Related

Trouble framing Modbus data captured from analyzer?(Saleae Logic 2)

I’ve tapped into an RS-485 bus and dumped some data. I’d like to implement a strawman/MITM device to intercept the traffic and send commands independent of the existing master/slave.
Here are some screenshots of some logic samples I captured in Saleae Logic 2:
zoom 1
zoom 2
zoom 3
My problem is it doesn’t look like it’s framed properly. I’ve got the analyzer set to Modbus RTU master, 9600 baud, no parity bit, one stop bit.
Could anyone tell me if this looks correct or incorrect based on these screenshots? Is this Modbus protocol, or something different? Trying to see if I’m on the right path here. Thanks. Any additional info I’m happy to supply if requested.
Tried several different ways of applying analyzers trying to get a solid stream of info

Websockets over Protocol buffers(protobufs)/binary vs JSON/text performance

Are protobufs sent as binary data over WebSockets faster than JSON sent as text data over WebSockets? As on paper, this seems to be true, even taking into account the small overhead generated by handling bytes on both sides. Did anyone really had a chance to try this and has some concrete results? Thanks!
So I've made a small project for researching this and I've got some results. You can find the project here, you can find more information in the README and in the results package.
To answer the question; YES, protocol buffers are faster than JSON over 100_000 messages sent as ping pong (no processing over them except marshalling and unmarshalling). But the difference is not as notable as I would have expected.

Reversing Client and buiding a server from it

I have this very old online game client (MMO) that has gone offline, and I want to make a server to this client.
I saw a lot of this kind of servers like World of Warcraft private servers.
I think that is not illegal do this to this with this client because the company is long gone, and I will not distribute...
So, how do I start reversing this client to make a server? Do I need to capture the database requests and build a database based on the requests? I think that probably this go way further. Can you help me?
Can you give some examples?
Thanks everyone.
There was a good post on reverse engineering subreddit about this a little bit ago.
There are a few links with peoples experiences. Effectively you will play the game of trying to make your client happy by "answering" packets with your server if you dont have packet captures to go after. I would first identify packet parsing logic within the client. A good way of doing this is tracing recv() calls backwards and generally you will find a giant function (or a few functions) that contain a switch statement. Hopefully you'll find some useful strings, else you're just going to be playing the "keep the client happy" guessing game.

how to make a private game server?

i have always wanted to make a private server but i don't know how i would do this.
i know how a private server works, the game sends data packets to the server. the server will take the data and process it and send data to the other games connected.
my questions are,
how do you edit the game so it will go to your server/change game data.
how do you find what packets do what.
the game will be something like WOW, i have not desided yet.
If you are hoping to embark on creating your own MMORPG then you have a huge task ahead of you, and unfortunately to put it nicely you are probably being too ambitious especially if you are asking these sorts of questions.
You should probably read up on client server architecture.
Also, in answer to your questions about the structure of the data being sent and how it is interpreted, well, that's 100% up to the people that design the system. You will want to simulate the entire game on the server(s) and don't trust the clients at all.
For something as complex as a MMORPG it is really important to create a solid design for the system before anything else, this is very important.
Just to be clear your intent is to create an emulated MMO server to the effect of WOW?
That's not really a trivial task and carries with it its own ethical implications.
Just to get started will require a ton of research, inspection, decoding, an extreme attention to detail.
If you are serious about it, then I would suggest looking up networking tools that can help you inspect traffic across the network and creating a scientific process for operation inspection.
Again, it should be noted this is by no means a trivial task.
This will be fairly difficult as you do not have the communicaton protocol specification for the game's client/server communication.
If you want to start this, then create a server that is simply a pass through. That is, all client requests are forwarded to the particular server. Once you have generated a large enough sample size of packets to study, then you can begin to dissect the meaning of each byte (possibly). Of course, if the packets are encrypted in any way (even a simple XOR encryption) then you will have an even harder time trying to figure out what each byte means. You should capture a sample set using two clients running sniffers so you can see what happens when one client does something and it needs to be sent to all clients.
But if I were you, I would just abandon the idea and work on something else. My two cents..
If you'd like an inside look at how games do networking, there's always Ryzom, which went open-source earlier this year. If you're creating your own MMO you can begin right there, and if you're looking to reverse-engineer one you can practice with your own client and server.

How do I go about reverse engineering a UDP-based custom game protocol with nothing other than Wireshark?

How do I go about reverse engineering a UDP-based custom game protocol with nothing other than Wireshark? I can log a bunch of traffic, but then what? My goal is to write a dissector plugin for Wireshark that will eventually be able to decode the game commands. Does this seem feasible? What challenges might I face? Is it possible the commands are encrypted?
Yeah, it's feasible. But how practical it is will depend on the game in question. Compression will make your job harder, and encryption will make it impossible (at least through Wireshark - you can still get at the data in memory).
Probably the best way to go about this is to do it methodically - don't log 'a bunch of traffic' but instead perform a single action or command within the game and see what data is sent out to communicate that. Then you can look at the packet and try to spot anything of interest. Usually you won't learn much from that, so try another command and compare the new message with the first one. Which parts are in the same place? Which parts have moved? And which parts have changed entirely? Look especially for a value in a fixed position near the start of the packet that could be describing the message type. Generally speaking the start of the packet will be the generic stuff like the header and later parts of the packet will be the message-specifics. Consider that a UDP protocol often has its own hand-rolled ordering or reliability scheme and that you might find sequence numbers in there near the start.
Knowing your data types is handy. Integer values might be stored in big-endian or little-endian format, for example. And many games send data as floating point values, so be on the look-out for 2 or 3 floats in a row that might be describing a position or velocity.
Commercial games expect that people will try to hack the protocol as a means to cheat, so will generally use encryption and probably tamper-detection as well.
Stopping this type of activity is of great concern to game makers because it ruins the experience for the majority of players when a few players have super-tools. For games like online poker the consequences are even more severe.