Analyzing the Game Network Protocol - Pwn Adventure 3
- Published 5 Jul 2018
- Part 10: With our TCP Proxy we can now parse the packets and analyse the protocol.
Parser on GitHub: github.com/LiveOverflow/PwnAd...
🌴 Playlist: • Pwn Adventure 3: Pwnie...
=[ 🔴 Stuff I use ]=
→ Microphone:* geni.us/ntg3b
→ Graphics tablet:* geni.us/wacom-intuos
→ Camera#1 for streaming:* geni.us/sony-camera
→ Lens for streaming:* geni.us/sony-lense
→ Connect Camera#1 to PC:* geni.us/cam-link
→ Keyboard:* geni.us/mech-keyboard
→ Old Microphone:* geni.us/mic-at2020usb
US Store Front:* www.amazon.com/shop/liveoverflow
=[ ❤️ Support ]=
→ per Video: / liveoverflow
→ per Month: / @liveoverflow
=[ 🐕 Social ]=
→ Twitter: / liveoverflow
→ Website: liveoverflow.com/
→ Subreddit: / liveoverflow
→ Facebook: / liveoverflow
=[ 📄 P.S. ]=
All links with "*" are affiliate links.
LiveOverflow / Security Flag GmbH is part of the Amazon Affiliate Partner Program.
#PwnAdventure #CTF
It might not be the game merging packets together, it might be the TCP protocol with option nodelay false. It merges sent packets together and that's why you get the data combined in one receive.
Even with TCP_NODELAY you cannot expect send() calls to match recv() calls one to one since TCP is a stream-based protocol. But having reverse engineered a lot of the code, I can say the problem isn't even that in this case. Before the data even makes it to send(), the bytes get concatenated into a stream. The function GameServerConnection::MoveAndGetEvents() is called by the game thread. It samples the current position and rotation and enqueues an action to be executed by the ServerConnection thread. That action starts by appending a move packet to the stream containing the sampled position/rotation and then flushing the WriteStream which does the socket send() and then empties the buffer to prepare for next time. But any data in the stream from before that action, from a jump or item pick up or item use, will also be part of the same send() call. Incidentally, after appending the move packet and doing the flush, it processes any new event packets from the server and takes appropriate action. The 0x0000 packet ID that he mentions in the video is what terminates MoveAndGetEvents; once the infinite loop sees that packet ID, it breaks.
I'm guessing he gets to this later in the series (I haven't watched beyond this video yet), but here's the move packet format:
float x; float y; float z; float pitch; float yaw; float roll; int8 fwd; int8 strafe;
The only non-obvious fields should be fwd and strafe, which encode the current movement button states. It's a float encoded as an int8 by multiplying by 127 and quantizing. So +1.0/0.0/-1.0 correspond to forward/nothing/backward for fwd and left/nothing/right for strafe. The button states control movement for players on the server as you'd expect; that happens on the UE4 side via the member variables m_forwardMovementFraction and m_strafeMovementFraction, not in GameLogic.dll, so it's presumably just normal UE4 physics. In an earlier video he tried to cancel out gravity by setting the actor velocity. The reason that didn't work is that the actor velocity isn't replicated from the client to the server, unlike the position. You can directly manipulate your position, but you can only indirectly manipulate your velocity through fwd/strafe and jump.
Yup, for those interested in learning more this is known as TCP multiplexing and it typically follows Nagle's algorithm
So cool. This whole game and the all the ideas around it are awesome. Great video as always, my friend.
You literally read hex to ascii on the fly? That's some matrix level amazing!
checkout my video "ey! Look for patterns" video: ua-cam.com/video/Jpaq0QkepgA/v-deo.html
It wouldn't surprise me, but what I think he might have meant is that you learn to pay attention to when the bytes are within the range of printable ascii characters.
As someone else said, ascii can be pretty easily identified by looking for characters in the common range [I personally know the general ranges to look for numbers, capitals, lowercase, periods, and space] and when something is largely out of that range (0xFF, 0x01, or 0x00 if you know it isn't null terminated) it can be easily labeled 'not ascii'
It's not that difficult honestly once you looked at it for a moment. the letters are all sequential starting at 0x41 (A) and 0x61 (a). So after knowing that 0x41/0x61 = A/a you can convert Hex to ascii in your head just by counting. What's 0x6A? Let's count: 0x61 = a, 0x62 = b, 0x63 = c, 0x64 = d, 0x65 = e, 0x66 = f, 0x67 = g, 0x68 = h, 0x69 = i, 0x6A = j
Btw "6d 76" = "mv" (prob move)
Mate, I have to say, you are amazing! I've been following you for some time now, and with every video, I'm more impressed with what you do! Congrats and keep up the good work!
PLEASE PLEASE PLEAAAAASE make more content like this. I know there won't always be an opportunity to dissect a CTF game but the way this was set up as a long journey makes it so much more interesting and informative because we see every aspect of the process. This was by far the most inspiring video/series I have seen from you or any other UA-cam hacker. I don't want to finish it!
13:17 I love how he just added "60 FPS" in the top right corner xDDDD
Been waiting so long for this video! Awesome as always
This series is so cool, keep up this level of amazingness !
Superb skills man, this is some high quality debugging show, thank you very much. Can't wait for the next ones. Great work.
I love this series keep it up man you're great at explaining this stuff
I'm always really motivated to work on challenges myself after watching your videos :D
Woow, I have never learned this much about networking before! Really awesome to see how something like this is implemented.
I love these videos. Cant wait to try this game myself
Awesome job on this one!! Loved it.
Wow, like always awesome! Thanks so much for this great series!
Keep it up!
Your tutorials are so amazing. Thank you very much.
More Pwn Adventure :D
I understand a lot of the Python area but still would never think of some of the things you thought of, well done.
These videos are super interesting! Keep it going!
I absolutely love this series
Awesome series! Keep up the good work!
I somehow don't think that the packet id is a short. That looks like 2 char in ascii.
h_position 0x6d76 = 'mv' i.e. move
h_jump 0x6a70 = 'jp' i.e. jump
h_weapon_change 0x733d = 's=' i.e. slot equal
h_static_link 0x6672 = 'fr' might be short for 'fire'
h_shoot 0x2a69 = '*i' maybe 'interaction' or 'use inventory'.
Okay don't know about the last two, they may just have run out of letter identifier to use or something. Looking at the letters may be helpful for figuring out something more about the packet.
well... eventually I noticed that too. But that is a few episodes away :D
the *i might be a hint to the length of the name string
mv and jp was seen from the third episode as well, unfortunately he missed it
this is an amazing video, great work and awesome explanation 👍
Neat, I learned about another useful python library that I never knew existed. I'm starting to think that I should take time to read through all of the Python libraries... Great video!
to your outro: you are right but your ability to adapt to new findings is astonishing :)
This is amazing! These videos should be shown to CS college students.
I love your videos. Make more! ❤❤❤
Great Video, in fact this maybe the best parse tcp packets video i have ever seen.
That said, I do think you went over the handler a little fast considering how important it was to the video.
Cool video. This Series is awesome :)
Very nice!
Congrats!! For the 100,000 sub button, Live! We wish you 1M (mega ;) ) subs!!
And yet there is something
Matrix 89 is only cheating!
I just loved that. Now trying to create a proxy in c# between dota 1 server and my computer
Thank you very much, love it.
Very nice, but what I usually struggle with in such cases is the encryption layer and getting over it. It would be super useful if you could make a video on that some time :)
What happens when you replace the weapon name on the fly and observe from another user on the server? Maybe you can use weapons that are not in your inventory.
There's maybe a check, as the server knows which slot you are using, but worth a try
Awesome!
About that looking direction in the move packet,
it can be that it's just two shorts, one representing heading(Yaw) and another elevation(Pitch). With 65536 values you get a good accuracy(65536/360 ~ 182 steps in a degree) and need only 4 bytes.
As for the weapons, i suspect that those 12 bytes at the end are 3 floats - components of (i guess normalized) shooting direction vector
You are just awesome!
Usually to avoid confusion over the bundled stream I directly dll-inject the game to log the send() and recv() call. Very accurate but modern aaa games are quite resilient to this though
need tips , still looking to do the same.
I assume it's out of the scope of your video series but hooking the Encode/Decode functions for the packet handler in the process is my favorite way to figure out packet structures. It auto-formats things for you so all that's left for the attacker is interpretation.
Either way, I normally do much better interpreting spaced hex bytes especially for packet inspection, is there a reason you are printing it unspaced?
Really cool using a dictionary to call a function selectively depending on data.
I needed this when I was dissecting data packets a few years ago. I spent about a day being confused by data not being what I expected, which I then learnt was the little endian / big endian thing
The 12 bytes at the end may encode yaw, pitch and roll as 3 floats for the rotation.
Also, it could be a unit 3D vector indicating the direction the camera is looking at. Since the position is also sent, it would be easy to calculate the angle from it and this unit vector.
Edit: extra thought
Knowing how graphics libraries work, I suppose your guess is wrong on 2 points
1. this game does not support full 3-axis rotation, or it would be a 'space-like' game
2. view matrix is pointed to some spot in x,y,z, like in opengl:
createfovprespective(fov, x, y, z, t_x, t_y, t_z, u_x, u_y, u_z); I really do not remember the right name
x, y, z - spot of 'camera' in world (we already know)
t_x, t_y, t_z - target spot where camera is looking
u_x, u_y, u_z - a direction vector which is pointing at the top direction of a camera, often that is (0, 1, 0) and a const 3D vector
so I think that data is really containing target position
EDIT: I didn't see your edit xd
Most games encode 3D angles as quaternions tho
This is exactly what I need in my life
Do I know what's going on?
No.
Am I enjoying this?
Yes, soo much.
You make coding look fun (yes yes I know editing, lots of work, trial and error behind the scene, but still). Currently in a rut but this hypes me up lol
Coding IS fun tho
dude ur amazing
You are awesome
6:52 such excitement :O
Looking at the character rotation in prev videos, I'm pretty sure the "looking" part is just a yaw float, since it looks like the head never pitches, it only turns with the body. I could be wrong, but it's worth a try.
Came to say this
When you look at the hex data, it seems pretty easy to read.. Is it like this for packets from RakNet? I have had the idea of exploiting a game (ToS allows it) but some of the professionals I talk to say it would be very hard and nearly impossible to do. Would you know anything about this?
I'm a camp leader, teaching video games to my guys all July. I think I'm gonna advise them to learn English because of your kind of content. You're really good at explaining stuff mate :3
that sounds cool! What language are they speaking?
I think the looking direction is based upon a known 0° mark that is possibly aligned with the Y Axis and is then just the degrees that you are looking away from that known axis
is it possible that the position on the projectiles is a vector for a parametric function that the game uses to determine where the projectile goes?
awesome
Just a noob but could you cause a buffer overflow/underflow by sending the wrong string length along with the weapon id field?
Maybe, but I am pretty sure devs took care of this. After all, they knew what their "playerbase" would be
Definitely possible if the developers used strcpy or memcpy instead of strncpy or memcpy_s
Overflow makes no sense
If you specify a smaller length, the server will just interpret part of the string as packet data and read invalid packet ids. The player will just get kicked
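The stream concatenation and move packet layout described in the longer comment near the top of the thread, and the short-length-prefix case discussed just above, as an added example that is not LiveOverflow's parser or the game's code. It assumes little-endian float32 for the "mv" fields, and the "s=" body layout (u8 slot, u16 name length, name bytes) is hypothetical, since the thread does not give it:

```python
import struct

# "mv" layout from the comment above: float x, y, z, pitch, yaw, roll,
# int8 fwd, int8 strafe (little-endian float32 is an assumption).
# "s=" layout is HYPOTHETICAL: u8 slot, u16 name length, then the name.
MOVE_FMT = "<6fbb"
MOVE_BODY_LEN = struct.calcsize(MOVE_FMT)  # 26 bytes, plus the 2-byte id = 28

def quantize_axis(value):
    """Encode a -1.0..1.0 movement fraction as int8 (value * 127, clamped)."""
    value = max(-1.0, min(1.0, value))
    return int(round(value * 127))

def parse_move(buf):
    """Return (fields, bytes consumed) or None if the body is incomplete."""
    if len(buf) < MOVE_BODY_LEN:
        return None
    x, y, z, pitch, yaw, roll, fwd, strafe = struct.unpack(MOVE_FMT, buf[:MOVE_BODY_LEN])
    fields = {"pos": (x, y, z), "rot": (pitch, yaw, roll),
              "fwd": fwd / 127.0, "strafe": strafe / 127.0}
    return fields, MOVE_BODY_LEN

def parse_weapon_change(buf):
    """Hypothetical 's=' body, bounds-checked against the buffer we have."""
    if len(buf) < 3:
        return None
    slot, name_len = struct.unpack("<BH", buf[:3])
    if len(buf) < 3 + name_len:
        return None  # wait for the rest of the stream
    name = buf[3:3 + name_len].decode("ascii", "replace")
    return {"slot": slot, "name": name}, 3 + name_len

HANDLERS = {b"mv": parse_move, b"s=": parse_weapon_change}  # 2-byte ASCII ids

def parse_stream(buf):
    """Split one recv() buffer into packets; return (packets, leftover).

    Several packets share one recv() because the client appends them to a
    stream before send(). Parsing stops at the 0x0000 terminator, at an
    unknown id, or at an incomplete packet; the caller keeps the leftover
    and prepends it to the next recv().
    """
    packets = []
    while len(buf) >= 2:
        pid = buf[:2]
        if pid == b"\x00\x00":
            packets.append(("end", None))
            buf = buf[2:]
            break
        handler = HANDLERS.get(pid)
        if handler is None:
            break  # unknown id: e.g. string bytes left over from a short length prefix
        result = handler(buf[2:])
        if result is None:
            break
        fields, consumed = result
        packets.append((pid.decode(), fields))
        buf = buf[2 + consumed:]
    return packets, buf

def build_move(pos, rot, fwd, strafe):
    return b"mv" + struct.pack(MOVE_FMT, *pos, *rot, quantize_axis(fwd), quantize_axis(strafe))

def build_weapon_change(slot, name, claimed_len=None):
    """claimed_len overrides the real length to show what a wrong prefix does."""
    length = len(name) if claimed_len is None else claimed_len
    return b"s=" + struct.pack("<BH", slot, length) + name
```

With a constructed "Fireball" packet whose prefix claims only 4 bytes, the parser reads "Fire" and then stops because "ba" is not a known id, which is the effect the reply above describes.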
I'd be interested in seeing how you would go about detecting and reversing things like compression and encryption in TCP packets
Would that be possible
Haven't looked into it, but the "looking data" is probably pitch (looking down or up) and yaw (left right) in degrees.
Quick noob question: how did you do the long selector line?
(The big one like this | because I am interested so yeah)
It's not just one selector line. They are multiple and can be "created" by holding down and left clicking at the different positions in the file. (Sublime Text is the used editor.)
Select lines and press Shift+Ctrl+L
Looking: a quaternion has 4 values: w,x,y,z.. 1 byte for each?
Any references for where to study/parse if there's encryption involved? Please. It'd be helpful.
nice vids
thank you !
... What was that sound at 6:51? XD did you change your pants after that? Lolll
the trick is to never play CTFs with pants on!
My guess is that your four "looking" bytes + the next two simply is the pitch, yaw and the roll of the camera represented by two bytes each.
The data shown in the video was a bit limited to verify, but that's what I'd do at least. (could be half floats or simply a range)
I am quite inexperienced and new to this, but a 1 number value representing a looking direction could be 0 to 360 degrees from a constant north?
Question, can we assume that there are long sessions of same src ip , same dst ip and same src port and same dest port with UDP traffic ? or all those packets are a payload of changing and jumping src port / dest port ?
you are a god
6:51 - You good bro? Hahahahaha
Gosh, If that is "Easy", I am scared with the hard stuff LOL.
The looking data probably makes use of a Quaternion, it's a format to prevent gimbal lock in rotation. It uses 4 floats instead of normal euler angles
Hey! @7:13 if you say that those are the looking bytes, it might be coded as Roll, Pitch and Yaw!
The way I understand it is that those final bytes might be:
Looking -> actually 6 bytes (2 for each component) [Maybe Roll, Pitch and Yaw, but try different combinations]
Key -> 2 bytes
Fabio Silva They could also be coded as a quaternion (x,y,z,w), each of these values consisting of two bytes
That is true! But as he said, the way I find it most simple to implement would be with Roll, Pitch and Yaw
There is probably no roll in an FPS...
But yes, I agree otherwise, probably a horizontal direction and angle to the horizon (~= Yaw & Pitch)
Not by the player, but it might use the same logic if there are items that roll over the X axis. I didn't notice if it there was any value that changed from 0. But if there is one that is fixed at 0, probably a good chance it is Roll.
Also I have an idea, when you join the game is there an initial packet? Because if there is the location might be zeroed out and then you can see with move according with the looking around.
After we know the packets from the server, and if we are experts, can we make our own private server for the online game, right?
Shouldn't all the hexdump contain all kinds of protocol data (ARP, IP, TCP protocol details etc) along with the game data? How come your parser is only showing data related to the game being sent to the proxy? Can anyone please help me understand this?
Great
The looking data could probably be two numbers indicating angles - one angle indicating which direction you’re looking at, one angle indicating whether you’re looking up or down.
The last one is the direction you are looking at in the game (0-360 degrees (or maybe radians)). It actually doesn't matter to the server where you are looking height-wise, but the direction you are facing is important for the game. At least, I believe so.
Could the looking direction be again two values?
I would maybe implement it as a compass-like float for the horizontal orientation (angle relative to North - maybe as percent of 360 degrees) and another float for 'height of view'
(Just a noob idea)
It's too short for that, but there aren't many possibilities:
- If it encodes 2 values (roll & pitch), then it must be 2x2 bytes, which cannot be floats, maybe shorts?
- If it only encodes one value, then it may be a float, maybe horizontal rotation
Fuchsfalke It could be four one-byte values. Rotations in 3D space can be represented with quaternions (x,y,z,w) as well.
4 one-byte values? I don't think so, and we also know that this game uses some custom game logic and networking, so I don't think it's sending 4 dimensional values.
Sasszem That's true, dividing 360° into 256 parts would not be pleasant
One-byte float quaternions? Good luck with precision lol
P.s. maybe fixed points be better
What I would tell you for future reference is that you should only listen for clients and then connect to the server, as there would normally be some safety measures against MITM attacks
The "looking" data is most likely something such as 'float ViewMatrix[2];'
The game maybe doesn't allow the camera to be 'tilted' in the z axis
was it not possible to see how the client packs data to be sent to the server?
intuition is telling me look variables are probably 2-3 bytes
since you are going to subtract it by half 3 byte long would probably give you the proper values you would need for yaw and pitch for rotation... I dont know how granular the rotation is on the server side... but that would be my guess
though I could be WAY off
Wouldn't it be easier to reverse the send/receive data method of the client, especially when there is some encryption or tampering prevention in place? Anyways great video, I really love the series so far :)
nice video
oh my god this is so helpful now that I'm making an among us client
The 8 bytes for looking is possibly a quaternion
2:56 how did you indent all the lines at once like that?
Multi-cursor... Select the text and press Ctrl+Shift+L in Sublime Text editor.
If you just want to analyze network packets, using wireshark and writing a custom plugin (a so called dissector) in lua is very easy. You then have the nice UI of wireshark with its filter mechanisms, while being able to modify your packet parsing and even apply it to captured traffic instead of just live traffic. Probably in many cases easier than writing your own proxy, which cannot easily capture. Besides, stuff like TCP splitting and reassembling is already built into wireshark, so your dissector just has to tell wireshark where a packet ends.
I have a question, can I make an anti-aim with this?
@weeeeeeeeeeeew Are you asking about wireshark or the video in general? Wireshark is just a debugging tool for network traffic. In the video he didn't use a tool, he wrote just his own program, but as I stated a tool like wireshark can have some nice advantages.
But to develop an anti-aim hack/cheat there are several possibilities. One being, as shown in the video, to reverse engineer the network protocol, which might be the most promising attack vector. So after reverse engineering the protocol you can implement your own proxy to create an anti-aim.
He kind of started with the process in his video, however developing the proxy isn't the hard part or much work. It is the protocol analyzing.
is it even doable when encryption is involved?
"firebal" TYPO TYPO xD
2:00 What is that editor and how did you do that (editing multiple lines in parallel)?
Sublime, and that is a feature in a few editors. In sublime you can just CMD + CLICK to select multiple cursors, or use CMD+D to search and select for the same word. And if you highlight multiple lines, with CMD+SHIFT+L I get a cursor in each line
Is the CMD just CTRL on windows?
but why would jumping be along the Z axis? usually in any kind of game Y is the vertical axis while X and Z are horizontal. that's also why the middle of the packet changed when jumping... XYZ, in that order
Which program do you use for programming? (in the video)
J3ker PlayZ looks like sublime
Can someone link the previous videos pls
some thoughts on the "looking" part.
It's possible that the game doesn't use any fancy quaternions, but instead uses 2 values: pitch and yaw. The game doesn't need "roll" because the players can't roll anyway, therefore needing only 2 x 4 bytes,
just my 2cents
What's the intro song?
Wish you would show how to handle obfuscation
Maybe the looking direction is just the heading, with no up/down data?
Just noticed that the packet id actually is ascii:
7d 76 = mv (move)
6a 70 = jp (jump)
73 3d = s= (slot assign)
2a 69 = *i (interaction?)
77 72 = fr (fire)
Is there a way to make an aimbot, One Hit One Kill or something like that using packet editing on PS4 games like Rainbow Six Siege??
What if i face encryption layer ?