Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
It is currently 19 Jul 2012 13:04

All times are UTC [ DST ]





 Post subject: bf1942
PostPosted: 19 Aug 2007 13:37 

Joined: 16 Aug 2007 16:44
Posts: 24
<snip>


Last edited by staticline on 21 Sep 2007 19:17, edited 1 time in total.

 Post subject:
PostPosted: 19 Aug 2007 20:49 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
What version of the dedicated server do you run?
And on what platform?
I can try to write a tool for modifying the current number of players in the server; now I'm checking whether I can do it with my Windows dedicated server 1.6.19, which is the latest version as far as I know.


 Post subject:
PostPosted: 20 Aug 2007 13:12 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Then yesterday I made a quick and simple modification to the Windows dedicated server to force it to display 23 players on the server.
If you want to try it, the following is the list of bytes to change; you can copy the following lines into a .lpatch file to use with my Lpatch tool:

EDIT 03 Oct 2008... again:
Code:
====================================================================================
TITLE
    BF1942_w32ded.exe 23 players 0.3
FILE
    BF1942_w32ded.exe
OFFSET
    00002456   74       BF
    00002457   1C       17
    00002458   8B       00
    00002459   4E       00
    0000245A   08       00
    0000245B   E8       EB
    0000245C   40       17
====================================================================================


The md5 hash of the original BF1942_w32ded.exe was 1f75eb8b55ab5bb4d6782dd6f3be2e45


 Post subject:
PostPosted: 31 Aug 2007 20:57 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
I have released an invisible fake players DoS for all the Battlefield 1942 family.

The program simply fills the player slots using one single UDP packet, and the players are just invisible, so for example a server with 0 players could be full.

The only limitation is that this packet is also the one containing the password for accessing the server, so you need to know the keyword to fill protected servers.

As already said, all the 1942 family is supported: Battlefield 1942, Road to Rome, Secret Weapons of WW2 and Vietnam.
At the moment there is no support for the 2* family, but if you can post here the first "magic" packet I'm referring to, I can add them too.


 Post subject:
PostPosted: 07 Sep 2007 05:49 

Joined: 16 Aug 2007 06:25
Posts: 367
I tried this out, and it seemed to work on some servers... but I couldn't actually test because I don't have any of the 1942 games installed at the moment. But it appeared to be working. These were also empty servers.

This would be REALLY awesome for the BF2 series. I'm not really sure what packet to show you to achieve this, though. But is it just the FIRST UDP packet sent to the server when connecting? If so, I can scan with Wireshark and post it.


 Post subject:
PostPosted: 07 Sep 2007 09:52 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Yes, it's just one of the first packets sent to the server; if you can collect a few (just 4 or 5) it would be very useful, and if you want you can send them via PM or mail or just in this thread.
Here I have the dedicated server, but it is not very easy to understand how it handles the incoming packets.

What is really interesting in the player handling mechanism of bf1942 (but it could be the same in bf2x too) is that one packet is enough to occupy the slot, which means that although the attack seems anonymous (no IP shown in the server as far as I know), it is also possible to use spoofed packets.

Instead of a sniffer you can also use WPE, which gets only the packets of that specific game, and you can easily select the packets you want.


 Post subject:
PostPosted: 08 Sep 2007 00:02 

Joined: 16 Aug 2007 06:25
Posts: 367
Hopefully this will help for BF2. This is the first of the packets sent AFTER joining the server. I have only included the data of the packet in hex format, since the headers with the source/destination IP and such shouldn't really matter.

1) Client to Server: 11200001000050b910110000000000000000000000000000000000000000000000000000000000000000000000a0ed8d6cee45cc4c06000000000000000000000000000000000000000000000000
2) Server to Client: 0230c084a2dc1b
3) Client to Server: 3420
4) Client to Server: 3f100000000000040006000310
5) Server to Client: 07f003000000000e51947bc1
6) Client to Server: 381000000000000f51947be900000000
7) Server to Client: 3f1000000000001100060001b9b8bb35b3393637358001313319
8) Client to Server: 3f2004010000005800060402b31999b1309b981a339bb118339a191bb298301a32331a99b01bb29a329c191a191b9bb099191a199a309b1bb1b0b19831339b1a1c9b18b3999c9a1b329898999cb0b018189c181a00b9b8bb3580ca850823040000

I also applied a filter to the session to show only packets sent and received to and from the client and server. I exported this data to a .txt file and am going to send it to your PM after I post this message. That PM will be the full packets (instead of just the data)... and all of them that I encountered during the session instead of just the first 8.

Thanks!


 Post subject:
PostPosted: 08 Sep 2007 13:20 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
excellent work my friend, the first packet was just all I needed 8-)
The tool is ready on my website


 Post subject:
PostPosted: 08 Sep 2007 21:09 

Joined: 16 Aug 2007 06:25
Posts: 367
Wow, it works perfectly.

I went to a BF2 server with 0/20 and joined manually. It started to connect so I disconnected and started the Fake players DoS on the server. Tried to connect again a few seconds later... and it was full =)

Great work luigi!!


 Post subject:
PostPosted: 09 Sep 2007 04:38 

Joined: 16 Aug 2007 06:25
Posts: 367
Hey sorry for the double post, but I am having some problems with it on my ubuntu linux machine. However, I think it's just the way I might be compiling it, because your version of the compiled .exe works perfectly fine under Windows XP, and even in Ubuntu if I run it with WINE. I didn't modify any of the code, and I ran this command to compile it: gcc -o bf2fp bf2fp.c

After that, it outputted the compiled file "bf2fp" without any errors in terminal. I ran the compiled file in terminal with the following command: ./bf2fp -f serverip

And it seems to start out ok, but it stops working after sending 2 or 3 "fake player packets". I would see a few dots echoed in the terminal meaning it sent a few packets, but then the client just stopped echoing the dots, and stopped sending the correct packets. I did a scan with wireshark to see what was happening behind the scenes... and I see the first few packets sending ok and getting a reply from the server... but after that it seems the client starts sending "ICMP Destination Unreachable" packets, and the server will respond with a UDP packet of some sort, usually about 12 bytes in length that is different every time. It seems to continue doing this until the script is manually stopped.

But I don't think it's a problem with the Ubuntu operating system, network cards, firewalls, etc., because YOUR compiled version is perfect, even when running under WINE. It's just my compiled version that runs weird.

I would just like to be able to compile my own version in case I want to tweak something, or run it without having to use the WINE emulator :P.

Also, this is off-topic from what I was just talking about, but I noticed that the program doesn't work with the BF2 demo, probably because the UDP packet is formed differently than the real game. However many people still play the demo, so it would be cool to have it work with the demo too. If you were interested in getting it to work with the demo, here is the first packet sent from the client (data only):

1) 0151000f00c0e0980011000000000000000000000000000000000000000000000000000000000000000000000000


I double checked that, and it was the same thing both times :)! Thanks a bunch, this thing is awesome! Keep up the great work


 Post subject:
PostPosted: 10 Sep 2007 13:44 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Ok, I have added support for the demo in the new version released some minutes ago.

The problem you have on Linux is really strange, and looking at the tests you have made it seems to be a bug in my code (probably a buffer problem), but I have rechecked it and have found nothing.


 Post subject:
PostPosted: 10 Sep 2007 23:01 

Joined: 16 Aug 2007 06:25
Posts: 367
Tested the new version for bf2 demo, and it works great! Thanks


 Post subject:
PostPosted: 14 Sep 2007 22:49 

Joined: 16 Aug 2007 16:44
Posts: 24
<snip>


Last edited by staticline on 21 Sep 2007 19:17, edited 1 time in total.

 Post subject:
PostPosted: 15 Sep 2007 13:15 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Sure, if you confirm that everything works as you needed, it is possible to write a simple memory patcher which can change the number in real time to any value you want.

The "invisible to visible" fake players idea takes more resources, so the memory patching solution is in my opinion the best and simplest.
Just let me know if the example code works as you needed (showing just 23 current users).


 Post subject:
PostPosted: 16 Sep 2007 00:41 

Joined: 16 Aug 2007 16:44
Posts: 24
<snip>


Last edited by staticline on 21 Sep 2007 19:19, edited 1 time in total.

 Post subject:
PostPosted: 16 Sep 2007 14:18 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
the memory patcher is available here:

http://aluigi.org/patches/bf1942fakefull.zip

If the link doesn't work, copy it into the browser's address bar.

It does exactly what I wrote in the first patch, so any user who queries the server from outside will see a custom amount of current players decided by you.
This is the simplest solution.


 Post subject:
PostPosted: 18 Sep 2007 15:01 

Joined: 16 Aug 2007 16:44
Posts: 24
<snip>


Last edited by staticline on 21 Sep 2007 19:18, edited 1 time in total.

 Post subject:
PostPosted: 18 Sep 2007 15:05 

Joined: 16 Aug 2007 16:44
Posts: 24
<snip>


Last edited by staticline on 21 Sep 2007 19:18, edited 1 time in total.

 Post subject:
PostPosted: 18 Sep 2007 15:27 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
The link works, while for the first look idea I have no solutions at the moment


 Post subject:
PostPosted: 29 Sep 2007 02:25 

Joined: 16 Aug 2007 06:25
Posts: 367
Hey I'm working on porting this to a php script (CLI), and am trying to figure out how the string (the client sends) is generated from the gamever. I tried reading the C code, but just get confused because I never program in C.

So for BF2 a sample string is:
11200001000050b910110000000000000000000000000000000000000000000000000000000000000000000000a0ed8d6cee45cc4c06000000000000000000000000000000000000000000000000

And for BF2 demo a sample string is:
1120000100c0e09800110000000000000000000000000000000000000000000000000000000000000000000000a0ed8d6cee45cc4c06000000000000000000000000000000000000000000000000

So it looks like the only thing that changed between the 2 is:
0050b910
c0e09800

But for BF2, the gamever for this sample string was: 110b9500
and for the BF2 demo it was: 10098e0c

So basically I need to know how you get from 1.1.2965-797.0 --> 110b9500 --> whatever needs to be in the final string. Once I know how, I should be able to just make a php function on my own to generate the full string to be sent. If you could explain it in simple terms that would be awesome :).

Thanks


 Post subject:
PostPosted: 29 Sep 2007 15:30 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Oh, it's very very simple; in my C tool the "conversion" job is done by the setver() function.
In short, as you can see, the version is composed of 4 numbers: n1.n2.n3.n4
The 32-bit number you need to create is composed of the following fields, in bits:
4 bits: n1
4 bits: n2
16 bits: n3
8 bits: n4

So 1.1.2965-797.0 becomes 110b9500: 1.1.0b95.00
(0b95 is 2965 in hex)


 Post subject:
PostPosted: 03 Oct 2007 01:33 

Joined: 16 Aug 2007 06:25
Posts: 367
Thanks for the reply :). Still a bit confused, as I don't really understand the 'bit' concept. I mean I know a bit is a 0 or 1, and there's 8 bits in a byte.. but that's really it.

So for 1.1.2965-797.0 I guess I can see how you get n1 and n2 (11). But I don't see how they are 4 bits each, since I thought a single bit was either a 1 or 0. I could probably understand it if explained, but I never learned about that stuff in-depth.

And then I see "2965-797" somehow becomes 0b95 for n3. As you said, 0b95 is just 2965 in hex, but what happened to the -797? Also, how does 0b95 equal out to 16 bits?

And same for n4, I don't see how 0 becomes 00.

I'm sure you are correct because 110b9500 does equal 32 bits according to Keepass (when you put in a password it says the number of bits)... but just need further explaining on how this is done. Thanks!


 Post subject:
PostPosted: 03 Oct 2007 07:59 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
"-797" is just ignored.
The concept of the bits is simple in this case because you see the version number in hexadecimal mode, so it's all visible:

n1  n2  n3    n4
1   1   0b95  0

PHP is very similar to C, so I think you can just use my setver function with some minimal modifications.

4 bits are just from 0x0 to 0xf
8 bits from 0x00 to 0xff
16 bits from 0x0000 to 0xffff
So, for example, if our version is 15.15.65535.255 we will have just the number 0xffffffff (f f ffff ff).


 Post subject:
PostPosted: 04 Oct 2007 22:53 

Joined: 16 Aug 2007 06:25
Posts: 367
Thanks for the help, here is the working result of my php function:

function setver($gamever)
{
    $v = array(0, 0, 0, 0);
    // "n1.n2.n3.n4"; scanning stops at a "-" suffix such as "2965-797", leaving n4 at 0
    sscanf($gamever, "%d.%d.%d.%d", $v[0], $v[1], $v[2], $v[3]);
    // 4 bits n1, 4 bits n2, 16 bits n3, 8 bits n4
    $decimal = (($v[0] & 0xf) << 28) | (($v[1] & 0xf) << 24) | (($v[2] & 0xffff) << 8) | ($v[3] & 0xff);
    // always emit 8 hex digits so the value stays a full 32-bit field (dechex() drops leading zeros)
    return sprintf("%08x", $decimal);
}


Very similar, indeed!


 Post subject:
PostPosted: 05 Oct 2007 04:38 

Joined: 16 Aug 2007 06:25
Posts: 367
Sorry for the double post, but how does it get from the 110b9500 into the string that is sent to the server? The function I designed works to get it into the 110b9500 form... but I noticed that it appears to be scrambled somehow in the FINAL string that's sent to the server.

I could probably guess which characters go where by using elimination... but I don't want to mess up since there are three 0s, and two 1s, etc... that I could put in the wrong spot.

Thanks! And I'll scan your code to see if I can find anything too.


 Post subject:
PostPosted: 05 Oct 2007 10:27 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
It's not scrambled; Battlefield uses bitfields to use less space in the packet.
In this case you need to check my source code to know how many bits you must use for each parameter:

b = 0;
b = write_bits(1, 4, buff, b);      /* constant 1, 4 bits */
b = write_bits(par1, 8, buff, b);   /* par1, 8 bits */
b = write_bits(par2, 32, buff, b);  /* par2, 32 bits: 0x1002 retail, 0xf005 demo */
b = write_bits(ver, 32, buff, b);   /* version from setver(), 32 bits, starts at bit 44 */
b = write_bits(1, 1, buff, b);
b = write_bits(0, 32, buff, b);
b = write_bstr(pass, 32, buff, b);  /* server password */
b = write_bstr(mod, 32, buff, b);

The first parameter of the write_bits function is the number to place in the packet, then its size in bits, the packet, and the position (in bits) where to store it.
So you must place the 32-bit version number at offset (in bits) 44, after par2, which is 0x1002 for retail and 0xf005 for the demo.


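As an added example (not code from this thread and not Luigi's bf2fp source), the following Python puts together the two explanations above: the setver() packing of n1.n2.n3.n4 into a 4/4/16/8-bit value, its inverse, and a reader that walks the write_bits field layout to pull par1, par2 and the client version back out of a captured first packet, which is the defender-side use (identifying the game version a client claims from a capture). The field names par1/par2/ver follow Luigi's post; the least-significant-bit-first ordering inside each byte is an assumption inferred from the retail and demo captures quoted earlier in the thread, chosen because it reproduces both version values (110b9500 and 10098e0c) that were posted.

```python
# Added example, not code from the thread or from the bf2fp tool. Field widths and
# offsets come from Luigi's posts; read_bits and its LSB-first bit order are an
# assumption inferred from the two captures quoted in the thread.


def setver(gamever: str) -> int:
    """Pack 'n1.n2.n3[-suffix].n4' into one 32-bit value: 4/4/16/8 bits."""
    parts = gamever.split(".")
    if len(parts) != 4:
        raise ValueError("expected n1.n2.n3.n4")
    n1, n2, n4 = int(parts[0]), int(parts[1]), int(parts[3])
    n3 = int(parts[2].split("-")[0])  # '2965-797' -> 2965: the suffix is ignored
    for value, width in ((n1, 4), (n2, 4), (n3, 16), (n4, 8)):
        if not 0 <= value < (1 << width):
            raise ValueError(f"{value} does not fit in {width} bits")
    return (n1 << 28) | (n2 << 24) | (n3 << 8) | n4


def getver(packed: int) -> str:
    """Inverse of setver: split the 32-bit value back into n1.n2.n3.n4."""
    return "%d.%d.%d.%d" % ((packed >> 28) & 0xF, (packed >> 24) & 0xF,
                            (packed >> 8) & 0xFFFF, packed & 0xFF)


def read_bits(buf: bytes, bitpos: int, nbits: int) -> int:
    """Read nbits starting at absolute bit offset bitpos. Bits are taken from the
    least significant end of each byte first (assumption, see header comment)."""
    value = 0
    for i in range(nbits):
        pos = bitpos + i
        value |= ((buf[pos >> 3] >> (pos & 7)) & 1) << i
    return value


# Order and widths of the write_bits calls quoted in the thread.
HEADER_LAYOUT = (("magic", 4), ("par1", 8), ("par2", 32), ("ver", 32), ("flag", 1))


def parse_join_packet(pkt: bytes) -> dict:
    """Walk the fixed-width fields of the first client packet and decode the
    version field (which starts at bit 44, after the 4 + 8 + 32 bits before it)."""
    fields, b = {}, 0
    for name, width in HEADER_LAYOUT:
        fields[name] = read_bits(pkt, b, width)
        b += width
    fields["version"] = getver(fields["ver"])
    return fields


# Constructed inputs: the first 10 bytes of the retail and demo captures quoted in
# the thread, followed by zero bytes (both captures continue with zeros there).
CAPTURE_RETAIL = bytes.fromhex("11200001000050b91011") + bytes(8)
CAPTURE_DEMO = bytes.fromhex("0151000f00c0e0980011") + bytes(8)

if __name__ == "__main__":
    print(hex(setver("1.1.2965-797.0")))  # 0x110b9500
    for name, pkt in (("retail", CAPTURE_RETAIL), ("demo", CAPTURE_DEMO)):
        f = parse_join_packet(pkt)
        print(name, "par2=%#06x ver=%#010x -> %s" % (f["par2"], f["ver"], f["version"]))
```

Running it shows par2 = 0x1002 with version 1.1.2965.0 for the retail capture and par2 = 0xf005 with version 1.0.2446.12 for the demo capture, which is why only the version and par2 fields differ between the two strings discussed above.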
 
 Post subject:
PostPosted: 05 Oct 2007 15:49 

Joined: 16 Aug 2007 16:44
Posts: 24
I'm getting this:

Code:
Player: ..
Alert: wrong reply from the server 26 1000 00001002 000003e8

on a lot of servers I've tried this on - any ideas why? It just repeats over and over, once a second or so.


 Post subject:
PostPosted: 06 Oct 2007 00:16 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
That's a problem of bf1942fp; in short, what you see there is your own packet, which means the server is offline or the port is wrong... you receive no reply.
Probably I need to fix it to avoid confusion.


 Post subject:
PostPosted: 06 Oct 2007 19:54 

Joined: 16 Aug 2007 16:44
Posts: 24
ah righty. a patch/fix would be great:)


 Post subject:
PostPosted: 18 Oct 2007 16:12 

Joined: 16 Aug 2007 16:44
Posts: 24
I'd also like to see this where we can provide a list of players taken (perhaps) from the Gamespy cd-key validation system ("Cd-key in use" DoS exploit?) and use that to publicly show a populated server, even when it's empty.

Do you think that can be done?

