Current Research: Network

Technical research related to the structure of Mass Effect game files.

Re: Current Research: Network

Postby WarrantyVoider » 05 Jun 2014, 20:35

hey thanks, but slow down, so far this is MITM aka Man-In-The-Middle, means the game connects to my server and that connects to the online server. BUT, if it accepts my server, I can also send whatever I want (emulate the online server, that's next on my list), plus I have a tool to examine the traffic flow DECODED, I really have to thank zlo for the help in that :D

greetz WV
always backup your files!
mess with the best or die like the rest!
"I tried everything!" - "mkay, please list that..." ; please dont pm me for help, we have a help section
User avatar
WarrantyVoider
Emeritus
 
Posts: 2270
Joined: 22 Aug 2012, 11:33
Has thanked: 480 time
Have thanks: 626 time

Re: Current Research: Network

Postby WarrantyVoider » 07 Jun 2014, 11:59

[Header]
Length: 0066
Component: 0001
Command: 001D
Error: 0000
QType: 0000 [Client Packet]
ID: 000B
Valid Header!

[Body]
000000A8[8B5A64 00] BUID : 0
000000AD[970CEE 00] EPSN : 1
000000B2[970CFA 00] EPSZ : 32
000000B7[974867 01] ETAG : BF3:PC:ADDSVETRANK
000000CF[9E4879 01] GDAY :
000000D5[9EEB33 04] GNLS : AddsVetRank
000000E8[A21D70 00] HAUP : 0
000000ED[C2AA64 01] PJID :
000000F3[C32A64 01] PRID :
000000F9[CA58F5 00] RECU : 0
000000FE[CF4874 00] STAT : 0
00000103[D25CA4 01] TERD :
00000109[D39C25 00] TYPE : 0


lol, what has ME3 to do with bf3, except sharing the same backend, wtf?!^^

greetz WV

Re: Current Research: Network

Postby WarrantyVoider » 07 Jun 2014, 12:19

ok, here comes my first analysis of the packetflow, this is all before the actual "authentication" as some player...

warning: lots to scroll^^
Spoiler:
Image


greetz WV

Re: Current Research: Network

Postby coolguyxp » 07 Jun 2014, 17:53

Hey WV,

I'm new to this site but I saw that you're working on developing a blaze emu of sorts. I'm doing the same thing, however, I'm doing it for BF3. Hopefully we can help each other out ;D

I've got a few interesting things you might like to look at. I analyzed BF3's Blaze logging output and I see some of it might be useful to you to cross reference. Take a look at this, for example:

BlazeSDK(0): "GameLoop": Info: -> req: ID[0], RedirectorComponent::getServerInstance [0x0005::0x0001]
BlazeSDK(0): "GameLoop": Info: ServerInstanceRequest = {
BlazeSDK(0): "GameLoop": Info: BSDK = "3.15.2.0"
BlazeSDK(0): "GameLoop": Info: BTIM = "Feb 15 2013 13:49:13"
BlazeSDK(0): "GameLoop": Info: CLNT = "bf3 server"
BlazeSDK(0): "GameLoop": Info: CLTP = CLIENT_TYPE_DEDICATED_SERVER (2) (0x00000002)
BlazeSDK(0): "GameLoop": Info: CSKU = "pc"
BlazeSDK(0): "GameLoop": Info: CVER = "VeniceXpack51149977final-1.0-60"
BlazeSDK(0): "GameLoop": Info: DSDK = "8.14.2.0"
BlazeSDK(0): "GameLoop": Info: ENV = "prod"
BlazeSDK(0): "GameLoop": Info: FPID (union : 127) = {
BlazeSDK(0): "GameLoop": Info: }
BlazeSDK(0): "GameLoop": Info: LOC = 1701729619 (0x656E5553)
BlazeSDK(0): "GameLoop": Info: NAME = "battlefield-3-pc"
BlazeSDK(0): "GameLoop": Info: PLAT = "Windows"
BlazeSDK(0): "GameLoop": Info: PROF = "standardSecure_v3"
BlazeSDK(0): "GameLoop": Info: }
BlazeSDK(0): "GameLoop": Info: <- resp: ID[0], RedirectorComponent::getServerInstance [0x0005::0x0001]
BlazeSDK(0): "GameLoop": Info: ServerInstanceInfo = {
BlazeSDK(0): "GameLoop": Info: ADDR (union : 0) = {
BlazeSDK(0): "GameLoop": Info: VALU = {
BlazeSDK(0): "GameLoop": Info: HOST = "373244-gosprapp357.ea.com"
BlazeSDK(0): "GameLoop": Info: IP = 1546943561 (0x5C347C49)
BlazeSDK(0): "GameLoop": Info: PORT = 10111 (0x277F)
BlazeSDK(0): "GameLoop": Info: }
BlazeSDK(0): "GameLoop": Info: }
BlazeSDK(0): "GameLoop": Info: AMAP = [
BlazeSDK(0): "GameLoop": Info: ]
BlazeSDK(0): "GameLoop": Info: MSGS = [
BlazeSDK(0): "GameLoop": Info: ]
BlazeSDK(0): "GameLoop": Info: NMAP = [
BlazeSDK(0): "GameLoop": Info: ]
BlazeSDK(0): "GameLoop": Info: SECU = true
BlazeSDK(0): "GameLoop": Info: XDNS = 0 (0x00000000)
BlazeSDK(0): "GameLoop": Info: }


You can prolly compare that back to this and figure out a few things:

00 BB 00 05  00 01 00 00 00 00 00 00

8B 39 2B 01 09 33 2E 31 35 2E 36 2E 30 00
3 . 1 5 . 6 . 0

8B 4A 6D 01 15 44 65 63 20 32 31 20 32 30 31 32 20 31 32 3A 34 37 3A 31 30 00
D e c 2 1 2 0 1 2 1 2 : 4 7 : 1 0

8E CB B4 01 0F 4D 61 73 73 45 66 66 65 63 74 33 2D 70 63 00
M a s s E f f e c t 3 - p c

8E CD 30 00 00
8F 3A F5 01 07 31 33 34 38 34 35 00
1 3 4 8 4 5

8F 69 72 01 0A 30 35 34 32 37 2E 31 32 34 00
0 5 4 2 7 . 1 2 4

93 39 2B 01 09 38 2E 31 34 2E 37 2E 31 00
8 . 1 4 . 7 . 1

96 ED 80 01 05 70 72 6F 64 00
p r o d

9B 0A 64 06 7F B2 F8 C0 00 85 91 F2 D6 0C
BA 1B 65 01 10 6D 61 73 73 65 66 66 65 63 74 2D 33 2D 70 63 00
m a s s e f f e c t - 3 - p c

C2 C8 74 01 08 57 69 6E 64 6F 77 73 00
W i n d o w s

C3 2B E6 01 12 73 74 61 6E 64 61 72 64 53 65 63 75 72 65 5F 76 33 00
s t a n d a r d S e c u r e _ v 3


Not sure if it helps or not or if you've already figured it out, but...
coolguyxp
User
 
Posts: 2
Joined: 25 May 2014, 03:16
Has thanked: 0 time
Have thanks: 0 time

Re: Current Research: Network

Postby coolguyxp » 07 Jun 2014, 19:23

Looking through it again, it seems BSDK is the version of Blaze SDK that the game is using. The version that was leaked on unknowncheats was version 2.9.* something. It seems that ME3 uses a newer version than BF3, which I find odd (3.15.6 vs 3.15.2)

Re: Current Research: Network

Postby WarrantyVoider » 07 Jun 2014, 20:08

lol, well you come late to the party, here's my first emulator (just the first packets for testing, but still), you can use my code to decode your packets. the name tags tell a lot already, and there isn't actually much left to understand. just ask what you wanna ask, all blaze related stuff comes here, but if it's bf3 related, maybe go to "other games" section. thanks.

aaanyway, as I said, here are my first emulation tries, looks like simple replay attacks are fine most of the time, because the content doesn't change in all packets (I simply emulated the graph above, until it asks for authentication)



greetz WV

Re: Current Research: Network

Postby WarrantyVoider » 07 Jun 2014, 23:11

if anyone wants to test this out, here my first build (autogenerated build numbers are weird^^)

ME3PS_1.0.5271.37138.rar

it's simple to use:
(0. on first run, use patching)
1. hosts/activate redirection
2. servers/start both
3. start game

it should create a folder "logs" and save the first 6-7 packet exchanges as binary blobs. let me know if it stops earlier than expected (see vid) or any other problems

greetz WV

Re: Current Research: Network

Postby WarrantyVoider » 08 Jun 2014, 12:48

WarrantyVoider wrote:...
hex binary 

94 1001 0100
01 0000 0001
->
54 0101 0100

81 1000 0001
02 0000 0010
->
81 1000 0001

80 1000 0000
04 0000 0100
->
100 1 0000 0000


now I have the other side of this too, compressing integers...

Image

the implementation may be sloppy coding, but it works^^
Spoiler:
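    // StringToByteArray is the poster's hex-string helper (not shown in the post).
    byte[] buff = StringToByteArray(textBox1.Text);
    // Left-pad to 8 bytes, then reverse so BitConverter reads the value on a little-endian host.
    List<byte> tmp = new List<byte>(buff);
    while (tmp.Count < 8)
        tmp.Insert(0, 0);
    tmp.Reverse();
    buff = tmp.ToArray();
    long l = BitConverter.ToInt64(buff, 0);
    List<byte> result = new List<byte>();
    if (l < 0x40)
    {
        // Fits in the 6 data bits of a single byte.
        result.Add((byte)(l & 0xFF));
    }
    else
    {
        // First byte: low 6 bits plus the continuation flag (0x80).
        byte curbyte = (byte)((l & 0x3F) | 0x80);
        result.Add(curbyte);
        long currshift = l >> 6;
        while (currshift >= 0x80)
        {
            // Later bytes carry 7 bits each, so mask with 0x7F to match the 7-bit shift.
            curbyte = (byte)((currshift & 0x7F) | 0x80);
            currshift >>= 7;
            result.Add(curbyte);
        }
        result.Add((byte)currshift);
    }
    // Pad the display to at least 4 bytes, then print every byte of the result.
    while (result.Count < 4)
        result.Insert(0, 0);
    textBox2.Text = "";
    foreach (byte b in result)
        textBox2.Text += b.ToString("X2");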


greetz WV
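The packet layout discussed in the posts above, as an added Python example that is not code from this thread or from the ME3Explorer project: it decodes the 12-byte header WarrantyVoider lists, the 3-byte tags, and the compressed integers from his post, and is checked against bytes from coolguyxp's dump. Assumptions inferred from the bytes on this page: field type 0x00 is an integer, type 0x01 is a NUL-terminated string whose length prefix counts the NUL, and the Length header word covers the body only; all function names are illustrative.

```python
import struct

def decode_tag(raw):  # three bytes = four 6-bit groups; group + 0x20 is one character
    v = int.from_bytes(raw, "big")
    return "".join(chr(((v >> s) & 0x3F) + 0x20) for s in (18, 12, 6, 0)).rstrip()

def encode_varint(n):  # 6 data bits in byte 0, 7 in later bytes; bit 7 = more follows
    if n < 0x40:
        return bytes([n])  # bytes() raises ValueError for negative input
    out, n = [(n & 0x3F) | 0x80], n >> 6
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(out + [n])

def decode_varint(buf, pos):  # inverse of encode_varint; returns (value, next position)
    value, shift, mask = 0, 0, 0x3F
    while shift <= 62 and pos < len(buf):
        b = buf[pos]
        value |= (b & mask) << shift
        shift, mask, pos = shift + (6 if mask == 0x3F else 7), 0x7F, pos + 1
        if not b & 0x80:
            return value, pos
    raise ValueError("truncated or oversized integer")

def parse_packet(pkt):
    # Header: six big-endian 16-bit words; Length counts the body bytes only.
    length, comp, cmd, err, qtype, msg_id = struct.unpack_from(">6H", pkt)
    body, pos, fields = pkt[12:], 0, {}
    if length != len(body):
        raise ValueError("length field does not match body")
    while pos < len(body):
        if len(body) - pos < 4:
            raise ValueError("truncated field header")
        tag, ftype, pos = decode_tag(body[pos:pos + 3]), body[pos + 3], pos + 4
        if ftype == 0x00:      # integer
            fields[tag], pos = decode_varint(body, pos)
        elif ftype == 0x01:    # string; the length prefix counts the trailing NUL
            n, pos = decode_varint(body, pos)
            if n < 1 or body[pos + n - 1:pos + n] != b"\0":
                raise ValueError("string runs past the buffer or lacks its NUL")
            fields[tag], pos = body[pos:pos + n - 1].decode("ascii"), pos + n
        else:
            raise ValueError("unsupported field type 0x%02X" % ftype)
    return (comp, cmd, err, qtype, msg_id), fields

# Constructed sample: four fields copied from the thread's dump, header rebuilt to fit.
BODY = bytes.fromhex("8B392B0109332E31352E362E3000" "8ECD300000"
                     "96ED80010570726F6400" "B2F8C0008591F2D60C")
PACKET = struct.pack(">6H", len(BODY), 0x0005, 0x0001, 0, 0, 0) + BODY
```

The length and NUL checks matter for an emulator or proxy that parses whatever the other side sends: a length prefix larger than the remaining buffer is rejected instead of being sliced silently.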

Re: Current Research: Network

Postby WarrantyVoider » 09 Jun 2014, 11:10

takes ages, but it works, ME3 thinks it's connected to ea servers! :D (notice top right, there's no inet connection)



greetz WV

Re: Current Research: Network

Postby giftfish » 09 Jun 2014, 13:20

Congrats!

Btw, that's how long mine normally takes to load up with Origin set to offline and manual exceptions built into my firewall as additional precautions, lol.

giftfish
 
