UDP support for StarCraft

Antarctica · June 30, 2008, 04:27 PM

I want to try to add UDP support for a program that routes the Starcraft's connection through a vb6 program. How do I use the UDP protocol for this? I have no idea how to use the Bind command. Please help.

Here's what i have for the two bind commands (sckMainUDP will connect to starcraft, sckBNETUDP will connect to Bnet)

Code Select


sckMainUDP.Bind "6112", "127.0.0.1"
sckBNETUDP.Bind

brew · June 30, 2008, 05:25 PM

UDP support? Connection? UDP is a stateless protocol. Perhaps you mean to use TCP.
It would help to know what you're trying to accomplish. Something on the order of capturing the UDP packets starcraft sends/receives during a game?

Antarctica · June 30, 2008, 05:39 PM

Yeah i just want to run my Starcraft's connection through a vb6 app to sniff the packets and maybe inject some. However, TCP doesn't seem to be enough, because with out it, SC wants to say "You do not have UDP support" and therefore I can't play any games.

MyndFyre · June 30, 2008, 06:36 PM

You'll need to hook Windows API calls within the Starcraft.exe process or inject yourself as a driver on the networking stack. I'm pretty sure you can't just man-in-the-middle it here.

Antarctica · June 30, 2008, 06:38 PM

And how would I hook Windows API calls within the Starcraft.exe process?

Kp · June 30, 2008, 10:32 PM

The same way you hook Windows API calls in any process. Rewrite the caller's IAT, detour the API, or put a detour in the caller (listed in order of easiest to hardest).

If you just want to see the traffic, get a network analyzer like tcpdump or Wireshark. Those will let you monitor the traffic without needing to manipulate the SC process in any way. However, they're read-only, so you can't use them to inject any new traffic.

On the other hand, the SC UDP protocol has a primitive integrity check built in, so hooking the send call won't let you inject traffic into a game without fixing up the integrity checksum. The other side will reject the packet because of the checksum mismatch, and the injected packet will be discarded.

Camel · July 01, 2008, 06:29 AM

Quote from: MyndFyre[vL] on June 30, 2008, 06:36 PM
I'm pretty sure you can't just man-in-the-middle it here.

Depends what UDP traffic you're trying to MITM; should be pretty easy to do it against the simple UDP ping, but actually performing this attack on game traffic would be pretty hard, since you'd have to intercept the game lsit packet and rewrite the ip address. Then, you'd have to make sure you're forwarding the UDP traffic to the right place.

Even if you accomplish that, what Kp said still holds true.

Antarctica · July 01, 2008, 04:40 PM

I was just looking for a way to, when creating a game, do /whereis <username> for every user that joins. Then, if the return is that the user is in any other place than the game I created, have the player automatically banned. How hard would that be?

Dale · July 01, 2008, 05:41 PM

Quote from: Antarctica on July 01, 2008, 04:40 PM
I was just looking for a way to, when creating a game, do /whereis <username> for every user that joins. Then, if the return is that the user is in any other place than the game I created, have the player automatically banned. How hard would that be?

You wouldn't necessarily have to intercept packets for that.

Kp · July 01, 2008, 10:06 PM

As Dale notes, you don't need to mess with the UDP stream for that. As such, it's pretty easy, albeit not completely accurate. Last I looked, the name advertised when joining didn't have the #number suffix that gets applied to clones, so you might end up banning legitimate players if they happen to join while cloned.

Hook in around the spot where SC sends the /astat command to query the new player's statistics. Replace it with the /whereis or add your own, as appropriate. Replacing is safer, since adding it doubles your transmissions and could more easily flood you off. Save a record that this player is in a provisional state, and check those records when you get /whereis responses. The only hard part is automatically banning the player on failure. If you're willing to just display a note to the user that he ought to ban that player, then it's trivially easy.

iago · July 02, 2008, 04:22 PM

Quote from: Antarctica on July 01, 2008, 04:40 PM
How hard would that be?

It would be fairly easy, for somebody who's experienced with that kind of thing.

It would be fairly difficult (steep learning curve) for anybody who isn't.

Camel · July 03, 2008, 05:50 PM

Quote from: Kp on July 01, 2008, 10:06 PM
As Dale notes, you don't need to mess with the UDP stream for that. As such, it's pretty easy, albeit not completely accurate. Last I looked, the name advertised when joining didn't have the #number suffix that gets applied to clones, so you might end up banning legitimate players if they happen to join while cloned.

Hook in around the spot where SC sends the /astat command to query the new player's statistics. Replace it with the /whereis or add your own, as appropriate. Replacing is safer, since adding it doubles your transmissions and could more easily flood you off. Save a record that this player is in a provisional state, and check those records when you get /whereis responses. The only hard part is automatically banning the player on failure. If you're willing to just display a note to the user that he ought to ban that player, then it's trivially easy.

/whois is exactly the same as /whereis, and is the same length as /astat

Be careful though, you're risking a warden failure when you do stuff like this. It seems unlikely that they'd be checking whether you're overwriting the /astat command, though

Kp · July 03, 2008, 09:54 PM

He seemed very focused on using /whereis, so I didn't want to confuse the issue by switching to a more appropriate command.

Even if Warden doesn't object to changing the text of the /astat, there's still the issue that he needs to be hooked into the returning data stream to parse the server responses. That almost guarantees a Warden failure. He never specifically said he wanted this to work on official BNCSs, though.

brew · July 04, 2008, 12:09 AM

As you may recall, the focus of most hacks, and consequentially warden, is within the module starcraft.exe. There is no reason modifying the Storm Network Provider at any time should be *unsafe* in terms of turning up a false positive for hacks. Although unlikely, Blizzard still can change easily change all of this with one warden request address update.

UserLoser · July 04, 2008, 04:15 AM

Quote from: Antarctica on June 30, 2008, 04:27 PM
I want to try to add UDP support for a program that routes the Starcraft's connection through a vb6 program. How do I use the UDP protocol for this? I have no idea how to use the Bind command. Please help.

Here's what i have for the two bind commands (sckMainUDP will connect to starcraft, sckBNETUDP will connect to Bnet)
Code Select Expand
sckMainUDP.Bind "6112", "127.0.0.1" sckBNETUDP.Bind

lol. try setting the address to the b.net server and dont use a port already in use

UDP support for StarCraft

UserLoser