Author | Message | Time |
---|---|---|
Tac | I've been wading through all the technical documents on the Bnet protocol, but I'm still having trouble figuring out where and how to start. For reference, I only know C++ (not VB). Alright, my first major question was what port to use when connecting to a Bnet server. Using WinDump and watching myself log on through my copy of TFT, I see a few ports being used (6112 and 1913), but I don't know what the purpose of each is. I couldn't find any references to port numbers in the tech docs either. Second, BnetDocs shows logon procedures for everything *before* Warcraft3. I don't have a copy of Starcraft ready at the moment (I have to look for it sometime). Are there any resources explaining how to log on through War3? Lastly, when I WinDump'ed my network logging on to Bnet, I could locate the log on sequence starting with 0xFF50, but I also kept seeing lots of packets starting with 4500 00xx where xx were all numbers around 0x30. Example: 4500 0030 4dbc 4000 8006 e08f c0a8 0165 E..0M.@........e Can someone explain to me what kind of packet this is? Any help is appreciated. I apologize if the information is sitting somewhere online, but it is difficult to piece this stuff together for a beginner. | July 25, 2004, 12:02 AM |
Adron | Are you sure that those 4500 packets are really data packets on port 6112? Perhaps they're acks? Perhaps they belong to some other protocol? | July 25, 2004, 12:09 AM |
Tac | Here's the first few lines of the captured output up until the Logon Procedure. http://www.geocities.com/trainee40/windump01.txt | July 25, 2004, 12:47 AM |
Maddox | It looks like the start of the IP header. That's not your real interest. Start looking at offset 40 (0x50FF), which is where your data payload is and what you need to understand. | July 25, 2004, 1:02 AM |
Tac | Cool, I can stop worrying about that now. Still, is there any difference between logging on as a WC3 or TFT client vs a Starcraft client? | July 25, 2004, 1:07 AM |
Maddox | [quote author=Tac link=board=17;threadid=7859;start=0#msg72328 date=1090717640] Cool, I can stop worrying about that now. Still, is there any difference between logging on as a WC3 or TFT client vs a Starcraft client? [/quote] Yes. Warcraft III clients use a different method of decoding the CD-Key, hashing the data, and authenticating users. | July 25, 2004, 1:10 AM |
St0rm.iD | Tac, here's what you should do. METHOD ONE: - Rig up a simple client using the CHAT protocol. It's simple; telnet useast.battle.net 6112 and type ctrl+c and figure it out from there - Rig up a packet buffer, and download starcraft shareware, and figure out the binary protocol etc. (hint: you probably won't need BNLS) - Figure out how to understand war3 packets - Ask for help METHOD 2: steal some source code | July 25, 2004, 3:26 AM |
Grok | [quote author=Tac link=board=17;threadid=7859;start=0#msg72328 date=1090717640]Cool, I can stop worrying about that now.[/quote] No, you can START worrying about that now! Regarding the port 1913 ... it is registered to a service 'armadp', for which I can google no description. Maybe it is some old application that registered their service and went defunct. But why are you seeing traffic now? I found at least one Intrusion Detection Service that is showing July spikes in traffic on 1913. For a registered, but long-unused port, this probably means a new trojan. I would suggest you go to Trend Micro's Housecall and scan your PC immediately. | July 25, 2004, 1:31 PM |
Stealth | That looks like the winsock-randomly-selected local port, because it's communicating with 63.240.202.126:6112 which is a Battle.net server... Grok, have you been hitting the bottle lately? Still, scan your PC just because it's good practice. :) | July 25, 2004, 9:43 PM |
Tac | [quote author=Grok link=board=17;threadid=7859;start=0#msg72417 date=1090762287]I found at least one Intrusion Detection Service that is showing July spikes in traffic on 1913. For a registered, but long-unused port, this probably means a new trojan. I would suggest you go to Trend Micro's Housecall and scan your PC immediately. [/quote] I always knew Blizzard was hacking into my computer! =-D I probably should scan, since I haven't scanned in a long while. I did a little more research and I now realize what those 45xx xx ... packets are (they *were* the TCP/IP headers) and more importantly, I realize how long they are so I can filter them out when looking at packets. I downloaded SSHR and using a short code example was able to log on to it with a trinket program I wrote. Hopefully I can start doing cool things now. I'm still totally lost as to what kinds of packets I'm looking for or sending, but at least I can read the new traffic now. Thanks for all the help! | July 25, 2004, 9:55 PM |
LordNevar | Port: 1913 Type: armadp Ip: 216.218.102.3 //.CA Ping: 233ms Host: Starlight Networks Multimedia (Transport Protocol) Notice: You are trying to read information on a closed DNIS server, please contact technical support for more information. Email: Support@SNM.com That's all the info I managed to get out of who setup active port 1913, I don't think it's harmful but I would still check on it more. | July 26, 2004, 4:42 PM |
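As an added example, not code posted by anyone in this thread: a small Python parser that does what Maddox describes, reads the IPv4 header that starts with 4500, steps over it and the TCP header, and hands back the Battle.net message that begins with FF 50. It works out both header lengths from the IHL and TCP data-offset fields instead of assuming byte 40, so the 0x30-byte handshake segments Adron suspected (headers only, no payload) come out empty instead of being misread as data. The first 16 bytes of the first sample dump are the header bytes quoted in Tac's post and the destination is the server address Stealth named; the rest of that packet (the TCP header and an 8-byte message with ID 0x50) and the entire second packet are constructed for the example, and the checksums are not valid. The FF, message ID, little-endian length header layout is the one BnetDocs documents for the binary protocol.

```python
"""Find the Battle.net payload inside a WinDump/tcpdump hex dump (added example).

The "4500 00xx" words are the start of the IPv4 header (version 4, five
32-bit header words).  Rather than assuming the payload begins at byte 40,
this decodes the IPv4 and TCP length fields, so headers that carry options,
or segments with no payload at all, are handled correctly.  Checksums are
not verified; both sample dumps below are constructed for this example.
"""
import struct

IPPROTO_TCP = 6
HEX_DIGITS = set("0123456789abcdefABCDEF")

# Sample 1: the 16 IPv4 header bytes quoted in the thread, followed by a
# constructed TCP header and a constructed 8-byte Battle.net message with
# ID 0x50.  192.168.1.101:1913 -> 63.240.202.126:6112.
AUTH_INFO_DUMP = """
0x0000:  4500 0030 4dbc 4000 8006 e08f c0a8 0165  E..0M.@........e
0x0010:  3ff0 ca7e 0779 17e0 0000 0001 0000 0001  ?..~.y..........
0x0020:  5018 4000 0000 0000 ff50 0800 0102 0304  P.@......P......
"""

# Sample 2 (constructed): a 48-byte SYN whose TCP header is 28 bytes because
# of MSS/NOP/NOP/SACK-permitted options.  It carries no payload at all.
SYN_DUMP = """
0x0000:  4500 0030 4dbb 4000 8006 0000 c0a8 0165  E..0M.@........e
0x0010:  3ff0 ca7e 0779 17e0 0000 0000 0000 0000  ?..~.y..........
0x0020:  7002 ffff 0000 0000 0204 05b4 0101 0402  p...............
"""


def parse_hexdump(text):
    """Convert `tcpdump -X` style lines to bytes, ignoring the offset and ASCII columns."""
    data = bytearray()
    for line in text.strip().splitlines():
        fields = line.split()
        if fields and fields[0].lower().startswith("0x") and fields[0].endswith(":"):
            fields = fields[1:]                      # drop the "0x0010:" offset column
        for word in fields[:8]:                      # at most eight 16-bit words per line
            if len(word) not in (2, 4) or not set(word) <= HEX_DIGITS:
                break                                # reached the ASCII column
            data += bytes.fromhex(word)
    return bytes(data)


def ip_header(pkt):
    """Decode the fixed IPv4 header fields needed to find the transport header."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum = struct.unpack("!BBHHHBBH", pkt[:12])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    hlen = (ver_ihl & 0x0F) * 4                     # IHL counts 32-bit words: 0x45 -> 20 bytes
    if hlen < 20 or hlen > len(pkt):
        raise ValueError("bad IPv4 header length")
    return {"hlen": hlen, "total_len": total_len, "proto": proto,
            "src": ".".join(str(b) for b in pkt[12:16]),
            "dst": ".".join(str(b) for b in pkt[16:20])}


def tcp_header(seg):
    """Decode ports, header length and the SYN/ACK flags of a TCP segment."""
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, doff_flags = struct.unpack("!HHIIH", seg[:14])
    hlen = (doff_flags >> 12) * 4                   # data offset, also in 32-bit words
    if hlen < 20 or hlen > len(seg):
        raise ValueError("bad TCP header length")
    flags = doff_flags & 0x01FF
    return {"sport": sport, "dport": dport, "hlen": hlen,
            "syn": bool(flags & 0x02), "ack": bool(flags & 0x10)}


def extract_payload(pkt):
    """Return (ip, tcp, payload); the payload starts at ip.hlen + tcp.hlen, not at a fixed 40."""
    ip = ip_header(pkt)
    if ip["proto"] != IPPROTO_TCP:
        raise ValueError("not TCP (IP protocol %d)" % ip["proto"])
    end = min(ip["total_len"], len(pkt))            # drop link-layer padding; tolerate a short snaplen
    tcp = tcp_header(pkt[ip["hlen"]:end])
    return ip, tcp, pkt[ip["hlen"] + tcp["hlen"]:end]


def bncs_header(payload):
    """Decode the Battle.net header FF <id> <len>; len is little-endian and includes the header."""
    if len(payload) < 4 or payload[0] != 0xFF:
        return None
    length = struct.unpack("<H", payload[2:4])[0]
    return {"sid": payload[1], "length": length, "complete": len(payload) >= length}


def describe(dump):
    """Parse one dumped packet and summarise where its Battle.net data is."""
    ip, tcp, payload = extract_payload(parse_hexdump(dump))
    return {"src": "%s:%d" % (ip["src"], tcp["sport"]),
            "dst": "%s:%d" % (ip["dst"], tcp["dport"]),
            "syn": tcp["syn"], "ack": tcp["ack"],
            "payload_offset": ip["hlen"] + tcp["hlen"],
            "payload": payload, "bncs": bncs_header(payload)}


if __name__ == "__main__":
    for name, dump in (("auth info", AUTH_INFO_DUMP), ("handshake SYN", SYN_DUMP)):
        info = describe(dump)
        print(name, info["src"], "->", info["dst"], "payload at byte", info["payload_offset"],
              "len", len(info["payload"]), "bncs", info["bncs"])
```

When reading a live stream rather than single dumped packets, the `complete` flag matters: a TCP segment can hold part of one Battle.net message or several back to back, so the 16-bit length in the FF header, not the segment boundary, is what tells you where one message ends and the next begins.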