Staredit Network > Forums > General StarCraft > Topic: How does the game list hack work, and how to stop it?
How does the game list hack work, and how to stop it?
Jan 11 2016, 3:09 am
By: sethmachine  

Jan 11 2016, 3:09 am sethmachine Post #1



Hello,

Occasionally the game list on a given gateway (e.g. US East) is unusable. By that, someone uses a hack to redirect all the games to their own game, usually labeled A > B or A OWN YOU, where A is some variable.

My question is, how does this hack work? I'm a software engineer, so I'm curious what is actually going on (and really curious why another programmer would do something so malicious).

What I noticed defeats this hack is:

1. Making a private/password game.

2. Using some kind of Ip Blocker, which blocks certains IP addresses related to the hack.



None.

Jan 11 2016, 4:33 am Oh_Man Post #2

Find Me On Discord (Brood War UMS Community & Staredit Network)

Quote from sethmachine
(and really curious why another programmer would do something so malicious).





Jan 11 2016, 7:38 am iCCup.xboi209 Post #3



The server allows any user to change the game name of any game because it doesn't check who's the host. A malicious user can send packet 0x1C with the modified game name and the server will then reflect that to everyone. My guess is that the server at least checks to see if the user sending that packet is actually in the game lobby and denies the packet if the user isn't.
It's probably possible to counter this by continuously sending packets with the proper data which will overwrite the data from the packet that the malicious user sent, I'm just not sure if anti-flooding protection applies to this packet.

Post has been edited 3 time(s), last time on Jan 11 2016, 7:46 am by iCCup.xboi209.




Jan 15 2016, 3:02 am sethmachine Post #4



Quote from iCCup.xboi209
The server allows any user to change the game name of any game because it doesn't check who's the host. A malicious user can send packet 0x1C with the modified game name and the server will then reflect that to everyone. My guess is that the server at least checks to see if the user sending that packet is actually in the game lobby and denies the packet if the user isn't.
It's probably possible to counter this by continuously sending packets with the proper data which will overwrite the data from the packet that the malicious user sent, I'm just not sure if anti-flooding protection applies to this packet.

But how does a malicious user persist in doing this? Clearly nobody keeps checking the game list and changing the name of each one as it comes along. It sounds like someone wrote some software that monitors the game list and periodically sends out these packets to change the game name ?

Can this be used to redirect players to an authentic game? It seems when this hack is going, the game is redirected to a non-joinable map.




Jan 15 2016, 4:21 pm NudeRaider Post #5

We can't explain the universe, just describe it; and we don't know whether our theories are true, we just know they're not wrong. >Harald Lesch

Quote from sethmachine
It sounds like someone wrote some software that monitors the game list and periodically sends out these packets to change the game name ?
Exactly.




Jan 16 2016, 6:02 am iCCup.xboi209 Post #6



Quote from NudeRaider
Quote from sethmachine
It sounds like someone wrote some software that monitors the game list and periodically sends out these packets to change the game name ?
Exactly.
And that software is publicly available if you look hard enough.




Options
  Back to forum
Please log in to reply to this topic or to report it.
Members in this topic: None.
[02:02 pm]
Corbo -- Suicidal Insanity
Suicidal Insanity shouted: I had thought it loads it from the MPQs and parses it, so I was working on re-implmenting that with the MPQ code changes, and then noticed that it does grab the MPQ interface but then ignores it :X
nice
[09:23 am]
Suicidal Insanity -- I also still could use spec sheet for the formats to make sure I am using them correctly - it appears BWscript doesn't have string names? Or they are in a different spot?
[09:22 am]
Suicidal Insanity -- I had thought it loads it from the MPQs and parses it, so I was working on re-implmenting that with the MPQ code changes, and then noticed that it does grab the MPQ interface but then ignores it :X
[09:03 am]
Pr0nogo -- ok, i'll explore that when you have that changed
[08:54 am]
Suicidal Insanity -- if trigedit has such things
[08:54 am]
Suicidal Insanity -- Or maybe change it to a warning
[08:54 am]
Suicidal Insanity -- I just need to disable the verification, then it would allow arbitrary characters
[08:48 am]
Pr0nogo -- would be nice to change that and see if that allows arbitrary characters
[07:24 am]
Suicidal Insanity -- Pr0nogo
Pr0nogo shouted: trigedit won't compile or throw errors, i'll try with the custom aiscript files imported to the scmd mpq
Ya trigedit has the aiscript.bin file added to its resource - it doesn't load it from the MPQs
[06:13 am]
Pr0nogo -- agreed
Please log in to shout.


Members Online: Roy, Pr0nogo