Valhalla Legends Archive
 

Newbie Startup Questions

Started by Tac, July 24, 2004, 07:02 PM


Tac

I've been wading through all the technical documents on the Bnet protocol, but I'm still having trouble figuring out where and how to start. For reference, I only know C++ (not VB).

Alright, my first major question was what port to use when connecting to a Bnet server. Using WinDump and watching myself log on through my copy of TFT, I see a few ports being used (6112 and 1913), but I don't know what the purpose of each is. I couldn't find any references to port numbers in the tech docs either.

Second, BnetDocs shows logon procedures for everything *before* Warcraft3. I don't have a copy of Starcraft ready at the moment (I have to look for it sometime). Is there any resources explaining how to log on through War3?

Lastly, when I WinDump'ed my network logging on to Bnet, I could locate the log on sequence starting with 0xFF50, but I also kept seeing lots of packets starting with 4500 00xx where xx were all numbers around 0x30.

Example:
4500 0030 4dbc 4000 8006 e08f c0a8 0165

Can someone explain to me what kind of packet this is?

Any help is appreciated. I apologize if the information is sitting somewhere online, but it is difficult to piece this stuff together for a beginner.



Adron

Are you sure that those 4500 packets are really data packets on port 6112? Perhaps they're acks? Perhaps they belong to some other protocol?

Tac

Here's the first few lines of the captured output up until the Logon Procedure.

http://www.geocities.com/trainee40/windump01.txt

Maddox

#3
It looks like the start of the IP header. That's not your real interest. Start looking at offset 40 (0x50FF), which is where your data payload is and what you need to understand.
asdf.
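Maddox's "start at offset 40" advice, worked through as an added example (this is not code from the thread or from any Battle.net bot project): a small C++ routine that strips the IPv4 and TCP headers from one captured packet and reports where the application payload starts, then checks whether that payload carries a Battle.net binary-protocol frame (0xFF, message id, 16-bit little-endian length, which is the framing the 0xFF50 bytes Tac spotted belong to). The first sample packet begins with the exact sixteen bytes Tac posted and is completed with constructed values: destination 63.240.202.126 from Stealth's post, source port 1913 and destination port 6112, a SYN with an eight-byte options field, and checksums that were not recomputed. The second sample is entirely constructed. Together they show why a packet with total length 0x30 has no payload at all (20 bytes of IP header plus 28 bytes of TCP header with options) and why a real data segment puts the 0xFF at offset 40.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <vector>

// What is left once the IP and TCP headers are stripped from one captured packet.
struct Frame {
    std::size_t ipHeaderLen = 0;    // from the IHL nibble, normally 20
    std::size_t tcpHeaderLen = 0;   // from the TCP data-offset nibble, 20 or more with options
    std::size_t totalLen = 0;       // IP total-length field (the "0030" in Tac's dump)
    std::size_t payloadOffset = 0;  // ipHeaderLen + tcpHeaderLen, 40 for option-less headers
    std::size_t payloadLen = 0;     // 0 for SYN / ACK-only segments
    bool isTcp = false;
    bool bncsHeader = false;        // payload begins 0xFF <id> <len, little-endian>
    unsigned bncsId = 0;
    unsigned bncsLen = 0;
};

// Convert a WinDump-style hex column ("4500 0030 ...") into bytes; whitespace is ignored.
std::vector<std::uint8_t> hexToBytes(const std::string& hex) {
    std::vector<std::uint8_t> out;
    int pending = -1;
    for (char c : hex) {
        int v;
        if (c >= '0' && c <= '9')      v = c - '0';
        else if (c >= 'a' && c <= 'f') v = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') v = c - 'A' + 10;
        else continue;
        if (pending < 0) { pending = v; }
        else { out.push_back(static_cast<std::uint8_t>((pending << 4) | v)); pending = -1; }
    }
    return out;
}

Frame parseFrame(const std::vector<std::uint8_t>& pkt) {
    Frame f;
    if (pkt.size() < 20 || (pkt[0] >> 4) != 4)
        throw std::runtime_error("not an IPv4 packet");
    f.ipHeaderLen = static_cast<std::size_t>(pkt[0] & 0x0F) * 4;     // IHL counts 32-bit words
    f.totalLen = (static_cast<std::size_t>(pkt[2]) << 8) | pkt[3];
    f.isTcp = (pkt[9] == 6);                                          // IP protocol field
    if (!f.isTcp || pkt.size() < f.ipHeaderLen + 20) return f;
    const std::size_t tcp = f.ipHeaderLen;
    f.tcpHeaderLen = static_cast<std::size_t>(pkt[tcp + 12] >> 4) * 4; // data offset, in words
    f.payloadOffset = tcp + f.tcpHeaderLen;
    f.payloadLen = f.totalLen > f.payloadOffset ? f.totalLen - f.payloadOffset : 0;
    // Battle.net binary protocol framing: 0xFF, message id, 16-bit little-endian length.
    if (f.payloadLen >= 4 && pkt.size() >= f.payloadOffset + 4 && pkt[f.payloadOffset] == 0xFF) {
        f.bncsHeader = true;
        f.bncsId = pkt[f.payloadOffset + 1];
        f.bncsLen = pkt[f.payloadOffset + 2] | (pkt[f.payloadOffset + 3] << 8);
    }
    return f;
}

Frame parseHex(const std::string& hex) { return parseFrame(hexToBytes(hex)); }

// Constructed sample 1: Tac's 16 posted bytes, completed with made-up values (dst 63.240.202.126,
// src port 1913, dst port 6112, SYN with an 8-byte options field; checksums not recomputed).
const std::string kSynPacket =
    "4500 0030 4dbc 4000 8006 e08f c0a8 0165 3ff0 ca7e"
    "0779 17e0 0000 0001 0000 0000 7002 ffff 0000 0000 0204 05b4 0101 0402";

// Constructed sample 2: same endpoints, option-less TCP header, PSH/ACK, carrying a 12-byte
// frame whose header is FF 50 0C 00 (id 0x50, length 12); the 8 body bytes are filler.
const std::string kDataPacket =
    "4500 0034 4dbd 4000 8006 0000 c0a8 0165 3ff0 ca7e"
    "0779 17e0 0000 0002 0000 0001 5018 ffff 0000 0000"
    "ff50 0c00 0102 0304 0506 0708";

int main() {
    const std::string* samples[] = {&kSynPacket, &kDataPacket};
    for (const std::string* p : samples) {
        Frame f = parseHex(*p);
        std::printf("total %zu, IP hdr %zu, TCP hdr %zu, payload at %zu (%zu bytes)",
                    f.totalLen, f.ipHeaderLen, f.tcpHeaderLen, f.payloadOffset, f.payloadLen);
        if (f.bncsHeader) std::printf(", BNCS id 0x%02X len %u", f.bncsId, f.bncsLen);
        std::printf("\n");
    }
    return 0;
}
```

Reading the IHL and data-offset nibbles instead of hard-coding 40 matters in practice: the handshake segments that fill the start of a capture carry TCP options, so their headers are longer than 20 bytes and they have no payload, which is exactly the "lots of packets around 0x30" pattern. Only once the payload length is non-zero is there a 0xFF header to look for. The source port in the sample (1913) is the local ephemeral port Stealth describes, not a service of its own.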

Tac

Cool, I can stop worrying about that now.

Still, is there any difference between logging on as a WC3 or TFT client vs a Starcraft client?

Maddox

Quote from: Tac on July 24, 2004, 08:07 PM
Cool, I can stop worrying about that now.

Still, is there any difference between logging on as a WC3 or TFT client vs a Starcraft client?

Yes. Warcraft III clients use a different method of decoding the CD-Key, hashing the data, and authenticating users.
asdf.

Banana fanna fo fanna

Tac, here's what you should do.

METHOD ONE:

- Rig up a simple client using the CHAT protocol. It's simple; telnet useast.battle.net 6112 and type ctrl+c and figure it out from there

- Rig up a packet buffer, and download starcraft shareware, and figure out the binary protocol etc. (hint: you probably won't need BNLS)

- Figure out how to understand war3 packets

- Ask for help

METHOD 2:

steal some source code

Grok

#7
Quote from: Tac on July 24, 2004, 08:07 PM
Cool, I can stop worrying about that now.

No, you can START worrying about that now!

Regarding the port 1913 ... it is registered to a service 'armadp', for which I can google no description.  Maybe it is some old application that registered their service and went defunct.  But why are you seeing traffic now?  I found at least one Intrusion Detection Service that is showing July spikes in traffic on 1913.  For a registered, but long-unused port, this probably means a new trojan.  I would suggest you go to Trend Micro's Housecall and scan your PC immediately.

Stealth

#8
That looks like the winsock-randomly-selected local port, because it's communicating with 63.240.202.126:6112 which is a Battle.net server... Grok, have you been hitting the bottle lately?

Still, scan your PC just because it's good practice. :)
- Stealth
Author of StealthBot

Tac

Quote from: Grok on July 25, 2004, 08:31 AM
I found at least one Intrusion Detection Service that is showing July spikes in traffic on 1913. For a registered, but long-unused port, this probably means a new trojan. I would suggest you go to Trend Micro's Housecall and scan your PC immediately.

I always knew Blizzard was hacking into my computer! =-D
I probably should scan, since I haven't scanned in a long while.  

I did a little more research and I now realize what those 45xx xx ... packets are (they *were* the TCP/IP headers) and more importantly, I realize how long they are so I can filter them out when looking at packets.

I downloaded SSHR and using a short code example was able to log on to it with a trinket program I wrote. Hopefully I can start doing cool things now. I'm still totally lost as to what kinds of packets I'm looking for or sending, but at least I can read the new traffic now.

Thanks for all the help!

LordNevar

Port: 1913
Type: armadp
Ip: 216.218.102.3 //.CA
Ping: 233ms
Host: Starlight Networks Multimedia (Transport Protocol)

Notice: You are trying to read information on a closed DNIS server, please contact technical support for more information.

Email: [email protected]

That's all the info I managed to get out of who set up active port 1913. I don't think it's harmful, but I would still check on it more.


A good fortune may forebode a bad luck, which may in turn disguise a good fortune.
The greatest trick the Devil ever pulled was convincing the world he didn't exist.