
Thursday, April 29, 2010

I Scream, You Scream, We All Scream for DICE Scream!

Doing some mathematical work with Maple 13 tonight and needed a break. Thinking of the recent fiasco with DICE and their new game Battlefield Bad Company 2 (see Pings? We Don't Need No Stinkin' Pings!), I decided to see how hard it would be to connect to EA's central server (where the information for the game server browser comes from - the one that doesn't work properly in the game) using Maple. I'd already done some work reverse engineering the traffic for this and the patcher, looking to ease the pain of users with the game browser and the patch process (yay for Steam - patches there just work, no worries of overloaded, flaky EA servers!)

Maple, for those not familiar with it, is an extremely sophisticated application for doing all things mathematical. The product has an amazing list of capabilities for mathematical analysis, graphing, and programming. It is however primarily a mathematical tool, competing with the likes of Mathematica and Matlab. I use all three, Mathematica being my personal favorite. For quick and dirty, however, I find the 'Document Mode' in Maple to be ideal for rapid exploration. I often do proof of concepts there, and when the ideas are fleshed out, move them to Matlab or Mathematica.

So how hard would it be to get to the Electronic Arts centralized server, using a tool completely out of its domain (kind of like using a champagne bottle for a baseball bat), without any of the raw socket nonsense that the game developers used? See for yourself - seven lines of Maple gets you the initial connection and response. A handful more lines would get you a complete server browser. Without the hassles the game introduces by using raw sockets. Pretty powerful tool, doing things out of its real domain. It makes me wonder even more: what were the game developers thinking when they chose to use raw sockets?

Maple Code:

with(Sockets);                                   # load the Sockets package
sid := Open("159.153.235.12", 18395);            # TCP connection to EA's server browser backend
reply := Array(1 .. 65, datatype = integer[1]);  # buffer for the first 65 bytes of the reply

# The initial hello, as raw bytes: the 4-byte ASCII command "CONN", a 4-byte field that is
# 0x40000000 here (64, 0, 0, 0), a 4-byte big-endian length of the whole packet (91 = 12-byte
# header + 79-byte body), then newline-separated KEY=VALUE pairs (PROT=2, PROD=bfbc2-pc,
# VERS=1.0, PLAT=PC, LOCALE=en_US, SDKVERSION=5.1.2.0.0, TID=1) ending in a NUL byte.
WriteBinary(sid, Array([67, 79, 78, 78, 64, 0, 0, 0, 0, 0, 0, 91, 80, 82, 79, 84, 61, 50, 10, 80, 82, 79, 68, 61, 98, 102, 98, 99, 50, 45, 112, 99, 10, 86, 69, 82, 83, 61, 49, 46, 48, 10, 80, 76, 65, 84, 61, 80, 67, 10, 76, 79, 67, 65, 76, 69, 61, 101, 110, 95, 85, 83, 10, 83, 68, 75, 86, 69, 82, 83, 73, 79, 78, 61, 53, 46, 49, 46, 50, 46, 48, 46, 48, 10, 84, 73, 68, 61, 49, 10, 0], datatype = integer[1]));

ReadBinary(reply, sid);   # read the server's answer into the buffer
Close(sid);
# Map NUL (0) and newline (10) bytes to spaces (32) so the reply prints as a single string
convert(subs(0 = 32, 10 = 32, convert(reply, list)), bytes);

EA Server Response:

"CONN ATIME=1272627041 TID=1 activityTimeoutSecs=240 PROT=2"

Hello, EA! All your base are belong to us!
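For anyone who wants to work with this framing outside Maple, here is an added example in Python (not the post's code, and not anything published by EA or DICE). It encodes and decodes the layout visible in the byte array above: a four-character command, four bytes I label "flags" (that name is my assumption; the post only shows the value 64,0,0,0), a big-endian total length, and newline-separated KEY=VALUE lines ending in a NUL. The request bytes are copied from the post; the sample reply is constructed from the response text shown above, since the page does not show the reply's header bytes. Nothing here touches the network, which is the point: once the framing is understood, the checks on length and terminator are what a browser or proxy should enforce before trusting any field.

```python
"""Encoder/decoder for the 12-byte-header, KEY=VALUE text framing seen in the post's
CONN packet. Added illustration, not the post's or the game's code; the field name
"flags" for bytes 4..7 is an assumption."""
import struct

HEADER_LEN = 12  # 4-byte ASCII command + 4-byte "flags" + 4-byte big-endian total length


def build_frame(command: str, flags: int, fields: dict) -> bytes:
    """Serialise one frame. The length field counts the whole frame, header included
    (91 for the post's CONN packet)."""
    if len(command) != 4 or not command.isascii():
        raise ValueError("command must be four ASCII characters")
    body = "".join(f"{k}={v}\n" for k, v in fields.items()).encode("ascii") + b"\x00"
    return command.encode("ascii") + struct.pack(">II", flags, HEADER_LEN + len(body)) + body


def parse_frame(data: bytes):
    """Parse one frame into (command, flags, fields). The declared length is checked
    against the buffer and the NUL terminator is required, so a truncated or padded
    frame is rejected instead of being silently decoded."""
    if len(data) < HEADER_LEN:
        raise ValueError("short header")
    command = data[:4].decode("ascii")
    flags, total = struct.unpack(">II", data[4:12])
    if total != len(data):
        raise ValueError(f"length field {total} != buffer length {len(data)}")
    body = data[12:]
    if not body.endswith(b"\x00"):
        raise ValueError("missing NUL terminator")
    fields = {}
    for line in body[:-1].decode("ascii").split("\n"):
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed field {line!r}")
        fields[key] = value
    return command, flags, fields


def render_printable(data: bytes) -> str:
    """Same trick as the Maple convert/subs line: NUL and newline become spaces."""
    return bytes(32 if b in (0, 10) else b for b in data).decode("latin-1")


# The post's Maple byte array, reproduced verbatim (all values are non-negative,
# so the signed integer[1] elements map directly to byte values).
POST_CONN_BYTES = bytes([67, 79, 78, 78, 64, 0, 0, 0, 0, 0, 0, 91, 80, 82, 79, 84, 61, 50, 10,
    80, 82, 79, 68, 61, 98, 102, 98, 99, 50, 45, 112, 99, 10, 86, 69, 82, 83, 61, 49, 46, 48, 10,
    80, 76, 65, 84, 61, 80, 67, 10, 76, 79, 67, 65, 76, 69, 61, 101, 110, 95, 85, 83, 10, 83, 68,
    75, 86, 69, 82, 83, 73, 79, 78, 61, 53, 46, 49, 46, 50, 46, 48, 46, 48, 10, 84, 73, 68, 61,
    49, 10, 0])


def post_conn_fields() -> dict:
    """The KEY=VALUE pairs carried by the post's hello, in wire order."""
    return {"PROT": "2", "PROD": "bfbc2-pc", "VERS": "1.0", "PLAT": "PC",
            "LOCALE": "en_US", "SDKVERSION": "5.1.2.0.0", "TID": "1"}


def rebuild_post_packet() -> bytes:
    """Re-encode the hello from its fields; must equal POST_CONN_BYTES byte for byte."""
    return build_frame("CONN", 0x40000000, post_conn_fields())


# Constructed reply built from the response text in the post. The real reply's header
# bytes are not shown there, so flags=0 is an assumption made for the example.
SAMPLE_REPLY = build_frame("CONN", 0, {"ATIME": "1272627041", "TID": "1",
                                       "activityTimeoutSecs": "240", "PROT": "2"})

if __name__ == "__main__":
    print(rebuild_post_packet() == POST_CONN_BYTES)
    print(parse_frame(SAMPLE_REPLY))
    print(render_printable(POST_CONN_BYTES))
```

Running the file prints True, the parsed reply tuple, and the hello rendered the way the Maple convert line renders the server's answer.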

2 comments:

  1. What the heck is the Magic Sauce you used for the hello part? How did you figure that out? Would you consider making a post with a tutorial for that kind of thing? There are some games I would like to build some stat tools for.

    Thanks!

  2. @Anonymous 4/30/10 12:30:
    Just the bytes for the initial hello. I used a sniffer to figure this out. The stuff I used is a couple of Fluke (Etherscope/Optiview), not usually in consumer hands. You can do the same with something like Wireshark for free, just can be more work piecing 'conversations' together when things get deep. That's why the hardware analyzers are priced like cars...they make those kinds of things much less tedious, plus they can capture at wire speed without losing traffic.

    Not sure a tutorial is likely - each case is different, it's really just grabbing traffic, putting together the 'conversations', and then decoding the meaning. Kind of like crossword / anagram / crypto puzzles rolled into one.
