Tonni

analyzing a protocol


Hi there, it may be the wrong forum for this thread, but I think it is placed best here. I always was curious about analyzing a game's communication with the server. So, finally, I downloaded Wireshark to observe the packages sent while playing GunZ. I chose this game because the traffic while playing is peer to peer, so it would be easier to analyze the client-server communication, which is where the login, character saving and the game lobby are controlled.

After a while I got used to Wireshark and managed to manipulate the game's starting screen by setting up my webserver to handle the requests sent. To do that, I redirected www.gunzonline.com in my hosts file (I'm using Windows XP) to 127.0.0.1. This approach actually works well with domain redirection, but the game seems to connect to one of these three IPs randomly (I "crippled" the IPs because I don't know the policy of this forum about that):

xxx.145.yyy.134
xxx.145.yyy.135
xxx.145.yyy.136

So, what I would like to do is redirect the IPs to localhost, like I did for the domain. How can I achieve that? Of course, if someone knows a useful resource for analyzing unknown protocols, please hand over some links to me :)

Well, if you're on a linux box, you could always take your machine offline and declare that it has 3 IP addresses named thusly. I don't recall the exact details of how to do that, precisely.

I'm also not sure how to approach the problem from a Windows box, except that you could always just have a small local network (of 1, even), with those IP addresses defined, then wait for it to randomly pick the right one of the three.

There's probably a better way.

Guest Anonymous Poster
The client knows where to connect to, so it must be stored there somewhere. It may be as a domain name like the other, or just the plain IP. If it's the domain, easy enough to ping -a and obtain it to stick in your hosts file.
If the IPs are stored, they will probably be in an external file somewhere, as storing them in the binary isn't very maintainable. If they are stored in the binary though, you can use a hex editor to search for the strings or numerical values (4 byte).

Alternative ways to intercept the connection include:
- Hook WSAConnect or connect in ws2_32.dll.
- Set up an SPI namespace and hijack the socket.

Quote:
Original post by Ozymandias42
Well, if you're on a linux box, you could always take your machine offline and declare that it has 3 IP addresses named thusly. I don't recall the exact details of how to do that, precisely.

I'm also not sure how to approach the problem from a Windows box, except that you could always just have a small local network (of 1, even), with those IP addresses defined, then wait for it to randomly pick the right one of the three.

There's probably a better way.

Of course, I could build a network or set up Linux on my PC, but I think there has to be a more convenient way to do it.

Quote:
Original post by Anonymous Poster
The client knows where to connect to, so it must be stored there somewhere. It may be as a domain name like the other, or just the plain IP. If it's the domain, easy enough to ping -a and obtain it to stick in your hosts file.
If the IPs are stored, they will probably be in an external file somewhere, as storing them in the binary isn't very maintainable. If they are stored in the binary though, you can use a hex editor to search for the strings or numerical values (4 byte).

Alternative ways to intercept the connection include:
- Hook WSAConnect or connect in ws2_32.dll.
- Set up an SPI namespace and hijack the socket.

I searched nearly every file with a hex editor for both domains (including Unicode strings) and the IPs (4 byte, both little and big endian), but still I could not find the place in the executable where the addresses are defined.

I think that the IPs are generated somehow at runtime, since the only value that changes is the last digit. I would have to disassemble the binary to find out, but unfortunately I have no clue about asm.

Hooking the connection API sounds very interesting. Have you got a good link explaining how to do it?

Sounds like DNS load balancing to me. You can associate more than one A record with a given DNS name, and "at random" one of those records will be "first" in a reply. Thus, if you can sniff DNS look-up traffic in your network (clear the DNS cache, then wireshark port 53) you might find that the game just uses a regular DNS name look-up.

Or they decided that they'll NEVER EVER change their IP numbers (and neither will their ISP :-/) and hard-coded the first three bytes of the address. That'd be kind-of inflexible, though -- IP addresses do change every so often.

If you want to re-direct a given IP address (not name), you either have to write a net filter driver, or a VPN driver, or use DNAT on your gateway server. DNAT is simplest to set up, assuming your gateway is Linux (with iptables).

Share this post


Link to post
Share on other sites
Guest Anonymous Poster
Actually, regardless of your platform, you could simply set up a DNS locally, which you could easily set up with arbitrary custom entries. You only need to ensure that your local DNS will have priority over other name servers, which under Windows can usually be achieved by server name ordering.

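The two DNS-based explanations above (a load-balanced name with several A records whose order varies between replies, and a local DNS answering with custom entries) both come down to what an A-record response on port 53 looks like. The following is an added example, not code from this thread or from the game: it builds such a response for a constructed name (`example.invalid`) and three addresses from the RFC 5737 documentation range, then parses it back the way you would check a capture, including the name-compression pointers real servers use.

```python
import socket
import struct

def build_response(name: str, ips: list, txn_id: int = 0x1234) -> bytes:
    """Construct a standard DNS answer with one A record per IP, as a
    round-robin name server (or a local one with custom entries) would send."""
    header = struct.pack("!HHHHHH", txn_id, 0x8180, 1, len(ips), 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)            # QTYPE A, QCLASS IN
    answers = b""
    for ip in ips:
        # 0xC00C is a compression pointer to the name at offset 12 (the question)
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + question + answers

def read_name(msg: bytes, off: int) -> tuple:
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                         # pointer: follow it once
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode())
        off += length

def parse_a_records(msg: bytes) -> list:
    """Return [(name, ip, ttl)] for every A record in the answer section."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a DNS response")
    off = 12
    for _ in range(qdcount):                              # skip the question(s)
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:     # A record, class IN
            records.append((name, socket.inet_ntoa(msg[off:off + 4]), ttl))
        off += rdlen
    return records

# Constructed sample: three servers for one name (documentation range, RFC 5737)
SAMPLE = build_response("example.invalid", ["203.0.113.134", "203.0.113.135", "203.0.113.136"])
```

Feeding the raw UDP payload of a captured port-53 reply to `parse_a_records` shows whether the client is really resolving a name that hands back several addresses, which is the case the hosts-file trick cannot cover.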