Sometimes when trying to hack a game it can be helpful to analyse the network traffic being sent and received by the game client. By analysing the network data we can reveal more about how the game operates. If the game connects to a server it can be possible to create applications to pull data from the server or even have a chat client without needing to open the game.
When I was younger I was really into StarCraft, especially playing online. However there was a problem: my internet connection was terrible. StarCraft had a unique feature (at the time): if you connected to a match whose map your client didn't have, your client would automatically download it.
So naturally when I visited my friends who had better internet connections I’d scour BattleNet looking for all the latest maps so I could practice offline for matches. However this practice was tedious and could lead to bans as joining a match simply to download a map and quitting was considered poor form.
Not wanting my ranked account to be banned and not wanting to manually do this by hand, I ended up writing a simple bot that would connect to BattleNet and find the most popular maps, connect then download the map then disconnect from the game.
The source code for this project is lost to time, however it demonstrates what you can accomplish with a bit of spare time, a network analyser and persistence. This tutorial will go over the basics of digging into a game's network traffic to find interesting values and writing an application to use those values for something interesting.
First download and configure Wireshark. Wireshark is a powerful program for network analysis and even includes hundreds of protocol dissectors (which will make our life easier).
For this tutorial we’re going to use StarCraft: BroodWar and two separate PC’s running a LAN match. My setup looks like this:
192.168.1.88 (Me)
192.168.1.109 (Opponent)
Make sure both PCs have their firewalls set to allow StarCraft to freely communicate or simply disable the firewall on both PCs. Create a new network game and make sure you select UDP (if UDP is not available you need to patch your game). Make sure both PCs can join the game with no issues.
Close down StarCraft on your PC and open Wireshark. Double click on your network interface. In the picture below I’m connected via wireless so my network interface is wlp3s0 (I’m on Linux).
Wireshark will now begin capturing all data sent over that interface. Relaunch StarCraft and begin a match. Move some units around, send a few chat messages then shut the game down. Go back to Wireshark and click the “Stop Capturing” button (The red stop button).
From this page we know that StarCraft uses UDP port 6112. Click the display filter box and type "udp" (no quotes). This instructs Wireshark to hide every packet that is not a UDP packet.
Two common transport protocols carried over Internet Protocol v4 (IPv4) are the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP). The primary difference between the two is that TCP is reliable, ordered and error checked, whereas UDP is connection-less, fast and has no handshaking, which makes it an order of magnitude faster than TCP.
Games tend to favour UDP because they need its speed to exchange data rapidly (player positions etc.). On a LAN connection data corruption is very unlikely, which makes UDP the ideal candidate for network play.
Some common examples of what TCP and UDP are used for are as follows:
TCP – HTTP/HTTPS (ports 80 and 443)
UDP – DHCP/DNS/BitTorrent
More information can be found on Wikipedia.
Getting back to it
Now that we’ve filtered to only UDP Packets we can begin examining what was sent over the wire (or air in the case of wireless). Scrolling through the list you should see all the different IP addresses that sent traffic to your system.
The first packet that should catch your eye is something like the picture below:
You'll notice something interesting about this packet. The destination address is a weird address, "255.255.255.255". This is a special address: the limited broadcast address. When you send a UDP packet to 255.255.255.255 it is delivered to every host on the local network segment (routers never forward it beyond the local subnet).
Basically what is happening here is the game client is querying the network looking for active games to join. In this case it is using a magic string to identify itself as StarCraft: BroodWar version 1.14b:
In hex 50:58:45:53 equals the ASCII string PXES. So we’ve located what appears to be StarCraft’s broadcast announcement! What other interesting things can we find?
This looks interesting: it appears to be a game advertisement from my PC:
You can see my name, what appears to be the map name and a few other values which probably indicate the game type, lobby size and what race I have selected.
Remember before we sent some chat messages? Let’s see if we can find one of those. Here we go:
What’s interesting is the byte 0x4c. This appears to be the control code to tell the game client that everything after this character is the start of an ASCII string containing the message from the player.
Now that we’ve found our in game message we can right click on the packet and select -> Follow -> UDP Stream. This will give you a box with a dump of all the packets in this sequence. At the top you should see game start and the various packets each PC is sending back and forth.
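To turn the three observations above (port 6112, the PXES broadcast and the 0x4c chat marker) into something reusable, here is an added example that is not part of the original post: a small Python classifier that applies the same checks Wireshark's display filter and the manual inspection did, run over constructed sample datagrams. Everything about the packet layout beyond the magic string and the 0x4c marker (the trailing bytes, the NUL terminator, the printable-ASCII heuristic) is an assumption of this example, not documented StarCraft format.

```python
from dataclasses import dataclass
from typing import List, Tuple

GAME_PORT = 6112                # StarCraft's UDP port, as noted in the post
BROADCAST = "255.255.255.255"   # limited broadcast address seen in the capture
ANNOUNCE_MAGIC = b"PXES"        # 50:58:45:53, the discovery magic string
CHAT_MARKER = 0x4C              # byte observed just before the ASCII chat text


@dataclass
class Datagram:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def is_game_traffic(d: Datagram) -> bool:
    """Equivalent of the Wireshark display filter 'udp.port == 6112'."""
    return d.sport == GAME_PORT or d.dport == GAME_PORT


def classify(d: Datagram) -> Tuple[str, str]:
    """Label a datagram by the two patterns the capture revealed.

    Returns (kind, detail). Discovery is checked first because 0x4c is
    ASCII 'L' and could appear by chance in other payloads (assumption).
    """
    if not is_game_traffic(d):
        return ("other", "")
    if d.dst == BROADCAST and d.payload.startswith(ANNOUNCE_MAGIC):
        return ("discovery", d.src)
    marker = d.payload.find(bytes([CHAT_MARKER]))
    if marker != -1:
        # Assumed: message runs from the marker to a NUL byte or end of payload.
        text = d.payload[marker + 1:].split(b"\x00", 1)[0]
        if text and all(0x20 <= b < 0x7F for b in text):
            return ("chat", text.decode("ascii"))
    return ("game", "")


def summarize(datagrams: List[Datagram]) -> List[Tuple[str, str, str]]:
    """Produce (src, kind, detail) rows, like a reduced Wireshark packet list."""
    return [(d.src,) + classify(d) for d in datagrams]


# Constructed sample datagrams (not from a real capture), using the post's IPs.
SAMPLE = [
    Datagram("192.168.1.88", BROADCAST, GAME_PORT, GAME_PORT, ANNOUNCE_MAGIC + b"\x00" * 4),
    Datagram("192.168.1.109", "192.168.1.88", GAME_PORT, GAME_PORT, b"\x01\x02\x4cgg wp\x00"),
    Datagram("192.168.1.109", "192.168.1.88", GAME_PORT, GAME_PORT, b"\x07\x00\x14\x00"),
    Datagram("192.168.1.88", "192.168.1.1", 51000, 53, b"\x12\x34\x01\x00"),
]
```

Running `summarize(SAMPLE)` yields one discovery, one chat ("gg wp"), one unclassified game packet and one non-game (DNS) packet.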
That's it for now guys. In the next tutorial I'll show you how we can manipulate this data for our own purposes.