Friday, December 21, 2012

Portal connection

Portal connection


Time to dig into the specifics of Guild Wars 2's connection...

The portal connection starts off in clear text. The game client will connect, then send a /Sts/Connect command which will include information about the game client.

Example:


P /Sts/Connect STS/1.0
l:252

<Connect>
<ConnType>400</ConnType>
<Address>192.168.1.1</Address>
<ProductType>0</ProductType>
<ProductName>gw2</ProductName>
<AppIndex>1</AppIndex>
<Epoch>999999999</Epoch>
<Program>101</Program>
<Build>1002</Build>
<Process>9999</Process>
</Connect>
P /Auth/StartTls STS/1.0
s:1
l:11

This looks similar to how HTTP requests work. Th
e 'l:' specifies the length of the request and the 's:' is a sequence number. The server will reply and include a reference to this sequence number.

Example:

STS/1.0 400 Success
s:1R
l:46


<Error server="1001" module="2" line="1518"/>

The 's:1R' here, refers to the original client request. The 
/Auth/StartTls command starts the encryption handshake. From here the connection will switch from text to a binary protocol.

The client will begin by sending a buffer starting with:

16 03 03 xx xx

The first byte indicates what kind of packet this is:

14 = ack
15 = server error
16 = auth phase
17 = game packet

The 2 last bytes are the size of the sub buffer that follows.


So looking at the first response the client sends:
 

16 03 03 00 4e
01 00 00 4a 03 03 xx xx xx ...

Shows a subbuffer of size 0x4e (78 bytes). The first byte is the type of the buffer. If you look closely, it's apparent this buffer is also split up (ie. 0x00 0x4a is yet another size indicator of a sub part). I'm going to skip on some details, if you fire up wireshark you can more easily look at what's there.
There's 1 part that is important in this 0x01 sub buffer and that is a client seed that will be used further on. We need to save 0x20 bytes starting at xx as indicated above.

Also important, is that these sub buffers are used in the HMAC calculation, so we need to keep a sha256 hash of them, excluding the 0x14 sub buffer for digest1.

In code:

if (packet[0] != 0x14)
   digest1.process(packet);

digest2.process(packet);
The server will reply using a similar packet format. The first response is:
16 03 03 00 34

So we already know 00 34 is the size of the sub buffer, which contains:

02 00 00 30 03 03 xx xx xx
Like before, sub buffer 0x02 with a size of 0x30. Also similar as the client buffer, is that these first 0x20 bytes are a server seed, followed by some extra parameters which I'm going to skip here.

For what follows now, it's useful to read RFC5054 paragraph 2.2. and have a look at the SRP demo page.

The server follows up with a new large packet:

16 03 03 01 14
0c 00 01 10
   00 80 xx xx xx .....
   00 01 02
   08 yy yy yy yy yy yy yy yy
   00 80 zz zz zz .....
These are actually multi precision integers used for the SRP session server key exchange, more specifically the values N, g, s, B.
N = xx xx xx ...
g = 2
s = yy yy yy yy yy yy yy yy
B = zz zz zz ...
After these the server sends: 
16 03 03 00 04
   0e 00 00 00
The client will in return send it's A key to the server:
16 03 03 00 86
   10 00 00 82
      00 80 xx xx xx xx

 with A = xx xx xx ...


If you look at the SRP demo page (SRP-6a), you can see how all these values fit together. However GuildWars 2 uses a slightly different way to calculate value x, the RFC version uses:

x = H(salt || H(username||':'||password))

whereas Guild Wars 2 uses:

passhash = H(lowercase(unicode_pass||unicode_login))
Then converts this passhash buffer using htonl() and hashes it to form the password field to use in the calculation:
x = H(salt || H(lowercase(username)||':'||H(passhash)))

With all these values, we're able to calculate the shared key S.

The client will now activate encryption by sending the packet:

14 03 03 00 01 01
  
From now on, the buffers will be encrypted, however the shared key S isn't used as-is for the encryption. First a master key is generated from this and then a key expansion function is used to generate a send and a receive key.

But that's for another post...

Wednesday, December 12, 2012

Hmm it's been far too long since I posted something here...


GuildWars 2


So a while ago I got interested in seeing how game security was, more specifically how games these days protect people from snooping the traffic. But I was also interested in what counter measures are present to prevent or detect tampering, since bots/cheats are a big issue these days and can potentially ruin a game.

Since I was planning on playing Guild Wars 2 for a bit, I figured it would be a nice target to  investigate. The investigation was done on the beta client somewhere in march so my memory is already a bit fuzzy on some details. I've waited this long to post about it, since I didn't want to help bot makers, but I doubt it still matters today. A quick search on google will show there's already plenty of hacks out there, so anything posted here won't make much of a difference.


A First look


First thing I noticed was how much information was present in the binary. My initial thought was that this was due to it being a beta client, hence probably contained more debug info. Unfortunately a quick look at a recent binary shows this not to be the case.. there's still lots of useful information present.

For example, even just issuing strings gw2.exe is quite revealing:

!((m_view == VIEW_GAMEPLAY) && !CharClientContext()->GetControlledCharacter())
!iterator.IsValid()
DNot supported in this configuration!
..\..\..\Game\View\Headless\VhdContext.cpp
N@onRendered
..\..\..\Game\View\Default\VdfRender.cpp
metric < arrsize(m_metrics)
..\..\..\Game\View\Default\VdfLoad.cpp
m_state == STATE_LOAD_MANIFEST
m_state == STATE_MODELS_STREAM
m_mapId == mapId
m_state == STATE_LOAD_CONTENT || m_state == STATE_LOAD_MANIFEST || m_state == STATE_SERVER_WAIT
mapContentLoaded
mapDef != NULL
m_state == STATE_LOAD_CONTENT
m_state == STATE_SERVER_WAIT
m_state == STATE_MAP_STREAM

Even today's binary (16247) still shows all this detail. Anyone who has ever reversed code will understand how valuable this is during the reversing process.

The game was written in C++ with RTTI enabled, which is also a great source for information. (See Igor Skochinsky's post Recon 2012: Compiler Internals)

Anyway I'll explain the network protocols used by GuildWars 2 on here, which might help some people that are interested in writing a gw2 server emulator. I'll probably spread this over a couple of posts.

While reversing the client, I also discovered a security issue, which to this day is still present. Therefor I've notified ArenaNet today. I'll refrain from explaining the issue for some time, or until ArenaNet resolves the issue. Whichever comes first.

On to the nitty gritty now.


The connections


GuildWars 2 uses 2 ports for network communication:

- port 6600 : portal connection
- port 6112 : game server connection

Actually, ports 80 and 443 are also required, but those aren't involved in actual gameplay and it's pretty known which protocol is used on those :-)


Portal Connection


The portal connection starts as a clear text protocol, but immediately issues an AUTH TLS command, which initiates a secured connection. The actual data protocol used on this port is XML based. The game uses RapidXML to do the XML parsing.

Example XML piece:
<Reply>
<UserId>99999999-9999-9999-9999-999999999999</UserId>
<UserCenter>1</UserCenter>
<HasPhone>0</HasPhone>
</Reply>

The encryption used on this connection is AES in CBC mode. With a separate session key for incoming and outgoing traffic. An HMAC digest hash is also used, again one for incoming and one for outgoing communications.

The key exchange between the client and server is done via SRP (RFC5054, Secure Remote Password). Since SRP uses Diffie-Hellman, it won't prevent proxying this connection, which would allow people interested in writing cheats to get access to the communication on an external machine, without having to tamper with the actual client binary.

However this doesn't matter much as the game binary I investigated contained no security checks.

The game goes through some key expansion functions to generate the AES & HMAC keys.

NOTE: this is not vulnerable to MITM attacks, as one needs to know the password to be able to proxy the connection.

Game server connection


The connection to the game servers is over an RC4 encrypted connection. Again Diffie-Hellman is used as a key exchange, but in this case the server side packet is precomputed and stored in the game client, ie. the result of ga mod p has been precalculated and is stored in the game binary. Each release uses a new set of keys, so there's no point in trying to find the server key a (would take too long anyway).

The same key is used for transmitting and receiving data, but both paths use a separate state.

From what I heard, this is the same as how it was in GuildWars 1.

The actual data protocol used is a binary protocol with variable sized packets. The client has a MsgPack/Unpack function to (de)serialize the data to/from a C structure.

Again this is similar to how GuildWars 1 worked.


This is a quick overview of how the communication works, I'll go into greater detail in a following post.