Unreal.Tournament.2003 Multiplaying

**chase** · 30th September 2002

Ok the stats thing does work BUT, when i try to join a server it says "Servers version is outdated". Whats that mean?

Edit, nevermind i guess their demo servers.

**Zander** · 30th September 2002

gunhero,

I'd love to see such a thing happen, and honestly I don't think it would be that difficult to do. Just analyze some GOOD server query data traffic and you could possibly emulate what the master server does.

chase,

That's usually what happens when you try to join a server running the demo. Alot of the servers on that servers.php web page on epic's site are demo servers, just so ya know.

Anyway... I found a MUCH better packet writer called Rafale X by some french guys. Freeware too. woot. At least now I can send tcp data packets.

This should give me some stuff to play with.

Z

**chase** · 30th September 2002

Yeah i fgured that out. BTW I found a couple that works

Hopefully they wont patch this.

**gob** · 30th September 2002

Originally posted by gunhero
hello
this might be a stupid idea but what the heck

why dont anyone of you with good programming skills make your own master server program

like somekind of program that you run with unreal 2003 that sends your ip to a privat server if your host a game..
and then that server could send out the whole list like on a website or into the program to everyone that wants to play..

i hope you know what i meen =)

in my head it doesnt seem hard to make
i would if i had the c++ skills =)
ohh well
=)

or even better, just have a program that you run yourself, and the game connects to 127.0.0.1 to check the key. make the program open source so other games with similar procedures work with it

**gob** · 30th September 2002

btw, isnt there a key or somthing that the demo uses to connect to the master server?? could that be used in the full version?

**gunhero** · 30th September 2002

Originally posted by gob

or even better, just have a program that you run yourself, and the game connects to 127.0.0.1 to check the key. make the program open source so other games with similar procedures work with it

but then you still have to trick the true master server that you have a good key..
the server should be independent so that epic cant patch the server so it wont work after a while
hehehehe

**XtasyO** · 30th September 2002

Originally posted by gunhero

but then you still have to trick the true master server that you have a good key..
the server should be independent so that epic cant patch the server so it wont work after a while
hehehehe

no, didn't you read the post on page 4?

A server connection works as follows:

code:
Packet #1
0x0000 06 00 00 00 05 35 34 36-31 00 .....5461.

Packet #2
0x0000 55 00 00 00 21 37 62 33-32 66 33 62 34 65 35 66 U...!7b32f3b4e5f
0x0010 61 63 30 35 65 61 37 63-65 31 65 38 30 37 38 64 ac05ea7ce1e8078d
0x0020 61 61 38 34 64 00 21 xx-xx xx xx xx xx xx xx xx aa84d.!xxxxxxxxx
0x0030 xx xx xx xx xx xx xx xx-xx xx xx xx xx xx xx xx xxxxxxxxxxxxxxxx
0x0040 xx xx xx xx xx xx xx 00-07 53 45 52 56 45 52 00 a7c851e..SERVER.
0x0050 3B 08 00 00 FF FF FF FF-04 ;...��.

Packet #3
0x0000 0A 00 00 00 09 41 50 50-52 4F 56 45 44 00 .....APPROVED.

Here we see the same CD Key is used (as the first hash is the same), but this time the master server will allow it.

Apparently the master server allows servers to be listed regardless of key (as we already knew from experimentation).

So it would be theoretically possible to spoof the client as being a server.

therefore, if you ran some kind of local server on 127.0.0.1 and it authenticated with the master server it wouldn't matter what the key was, you could get your listing form 127.0.0.1 ;) good work guys.

**twistedps** · 30th September 2002

why dont you just poison your nameserver, and have it point to the 127.0.0.1 as the master server... it will probably time out... and just go through anyways.

**twistedps** · 30th September 2002

Originally posted by Hellkeeper
Research shows there is a hole though.

A client authenciation goes as follows:

Code:

Packet #1 0x0000 07 00 00 00 06 32 36 35-37 34 00 .....26574. Packet #2 0x0000 51 00 00 00 21 37 62 33-32 66 33 62 34 65 35 66 Q...!7b32f3b4e5f 0x0010 61 63 30 35 65 61 37 63-65 31 65 38 30 37 38 64 ac05ea7ce1e8078d 0x0020 61 61 38 34 64 00 21 xx-xx xx xx xx xx xx xx xx aa84d.!xxxxxxxxx 0x0030 xx xx xx xx xx xx xx xx-xx xx xx xx xx xx xx xx xxxxxxxxxxxxxxxx 0x0040 xx xx xx xx xx xx xx 00-07 43 4C 49 45 4E 54 00 xxxxxxx..CLIENT. 0x0050 3B 08 00 00 04 ;....

After the challenge there simply is no response from the master server. Effectively blocking the client in the "Querying master server" state, which we see in the menu.

A server connection works as follows:

Code:

Packet #1 0x0000 06 00 00 00 05 35 34 36-31 00 .....5461. Packet #2 0x0000 55 00 00 00 21 37 62 33-32 66 33 62 34 65 35 66 U...!7b32f3b4e5f 0x0010 61 63 30 35 65 61 37 63-65 31 65 38 30 37 38 64 ac05ea7ce1e8078d 0x0020 61 61 38 34 64 00 21 xx-xx xx xx xx xx xx xx xx aa84d.!xxxxxxxxx 0x0030 xx xx xx xx xx xx xx xx-xx xx xx xx xx xx xx xx xxxxxxxxxxxxxxxx 0x0040 xx xx xx xx xx xx xx 00-07 53 45 52 56 45 52 00 a7c851e..SERVER. 0x0050 3B 08 00 00 FF FF FF FF-04 ;...��. Packet #3 0x0000 0A 00 00 00 09 41 50 50-52 4F 56 45 44 00 .....APPROVED.

Here we see the same CD Key is used (as the first hash is the same), but this time the master server will allow it.

Apparently the master server allows servers to be listed regardless of key (as we already knew from experimentation).

So it would be theoretically possible to spoof the client as being a server. The master server might not put connections in a certain client or server pool and work fine. Its certainly worth the research. This can be achieved by writing either a gateway master server (which changes CLIENT to SERVER on the fly). Or modifiying the executable code to send SERVER. Both should be easily possible as the strings are of the same length.

On a side note:
Zander no other forums come to mind right now, I looked at other Unreal Tournament 2003 forums, but they are all about how do I cheat in multiplayer shit. So I decided not to mess with that

If this is true.... do you know the reply string it gives? that way you could have it forward to localhost, and have a perl script or something listen on the server and give the

0x0000 0A 00 00 00 09 41 50 50-52 4F 56 45 44 00 .....APPROVED.

I doubt it just spits out APPROVED.... also, you could try netcat, and have it listen on the port, change the master server to localhost, and wait to see what it prints out... and then type back APPROVED and see what happens...
... i think i may try that out myself hehe..

**twistedps** · 1st October 2002

hmmm, well i changed that

[IpDrv.MasterServerLink]
LANPort=11777
LANServerPort=10777
CurrentMasterServer=1
MasterServerPort[0]=28902
MasterServerAddress[0]=x.x.x.x
MasterServerPort[1]=28902
MasterServerAddress[1]=x.x.x.x

put in my ip, and had netcat listening on like 5 different ports, 28902, 2623, 2624, 2550, and another one... although none got any information sent to them by the unreal program, i checked my packet sniffer and it was infact sending it to my ip, yet none of the information was being recieved by netcat... i tried both udp & tcp, am i listening on the wrong port(s) or something???? Anyone test this out!?!?!

**Kerin** · 1st October 2002

U guy's are fucking umbelivable. I mean... wow ?
Im no computer wizz and i understand some shit bo man, i don't ha ve a clue about the things u analyzing.

But guessing... your'e thinking of writing a program that would emulate the epic master server and let u browse the server list, yeh?

WELL, ill think ill save my 79 (canadian) bucks. Wait another 5 days and see what come's out. There is a saying...

"If they give TAKE, if they TAKE SHOUT"

**twistedps** · 1st October 2002

hmmmm...
loaded up socket workbench...
connected to it an waited for a response

it spits out
\06\00\00\00\056253\00

basically its
ACK
NUL
NUL
NUL
056253
NUL

just an acknowledgement as people said before..... but what the hell is 056253? I dont believe thats a hexieciamal number... heh, wtf..

Check out IpDrv.u, and the .int files also in the /SYSTEM folder of unreal, has some cool stuff that you could possibly play around with... networking commands and such, some are predefined... some that caught my attention were...
[MasterServerCommandlet]
HelpCmd=masterserver
HelpOneLiner="Maintain master list of servers."
HelpUsage=masterserver [-option...] [parm=value]
HelpParm[0]=ConfigFile
HelpDesc[0]="Configuration file to use. Default: MasterServer.ini"

Maybe you could change one of the predefined variables to print out masterserver.ini or spit out the help usage...

apparently if you load up unreals debuggerr too, and try to connect to master server... you see something like.
Init: WinSock: version 1.1 (2.2), MaxSocks=32767, MaxUdp=65467
Init: WinSock: I am Computer1 (192.168.1.1)
Log: Resolving ut2003master2.epicgames.com...
Log: Scanning and building mutator list
ScriptLog: GUIController::SetControllerStatus: True
Log: Resolved ut2003master2.epicgames.com -> 207.135.145.2
Log: Connect() returned SOCKET_ERROR: 10035
Log: Connection established.

SOCKET_ERROR: 10035 is like a "try again" error from what i can remember, looks like they are just logging the ips to probably take later action.. OH FREAKING WELL

have fun guys.

**slaman** · 1st October 2002

respect to you network gurus out there... I haven't even leeched this game yet, but getting around the master server seems an intriguing challenge I might want to fool around with.

**Bratok** · 1st October 2002

GL to you guys, I really hope you find something. In the meantime, we can still play with i.p. Plus, when Gamespy is done with ut2k3, we can play it, right?

**Wulf** · 1st October 2002

Interesting.. I am going to buy the game tomorow, but I am interested to see if any of you crack it

**acme420** · 1st October 2002

Originally posted by gunhero
hello
this might be a stupid idea but what the heck

why dont anyone of you with good programming skills make your own master server program

like somekind of program that you run with unreal 2003 that sends your ip to a privat server if your host a game..
and then that server could send out the whole list like on a website or into the program to everyone that wants to play..

i hope you know what i meen =)

in my head it doesnt seem hard to make
i would if i had the c++ skills =)
ohh well
=)

How come you registeres like 19 days ago and you are a regular but i registered back in march or so and im still a rookie??

**gunhero** · 1st October 2002

Originally posted by acme420

How come you registeres like 19 days ago and you are a regular but i registered back in march or so and im still a rookie??

becuase im the king baby

no just kidding..
maybe becuase i post alot and start all the topics for the lame games that no one cares about..
who knows? =)

**Zander** · 1st October 2002

While I was working on this stuff tonight (I got about 1/2 through fabricating authentication to the master so I could do key queries) I just saw that GameSpy Arcade NOW supports the UT2K3 final. So woot then I guess. Gamespy3d still doesn't appear to have support yet, but I bet that will change soon.

Although I was kinda hoping on actually doing some good hacking, back to gaming I 'spose.

Z