Nmap Development mailing list archives

[NSE] Freelancer's game server version detection and info


From: Marin Maržić <marzic () gmail com>
Date: Tue, 12 Nov 2013 22:01:50 +0100

A version detection solution for Freelancer's game server,
the cult space sim game that keeps on rolling.

Here's what I'd gathered on the protocol:

Offset   Type   Value                                  Comment
0-3      uint32 0x26F10300                             Presumably indicates a status query reply.
4-7      uint32 offset of server name’s last character
8-11     uint32 unknown
12-15    uint32 0x50
16-19    uint32 bit 7 (LSB is 0) indicates a password  has_password = x & 128
20-23    uint32 max. players + 1
24-27    uint32 num. players + 1
28-31    uint32 0x58
32-35    uint32 unknown
36-59    bytes  zeroes
60-75    bytes  random?                                Changes with each server restart.
76-91    bytes  26 F0 90 A6 F0 26 57 4E AC A0 EC F8 68 E4 8D 21
92-(A-1) string server name                            UTF-16 string.
A        char   allow players to harm other players    True if ’1’, false if ’0’.
A+1      char   ’:’
A+2      char   allow new players                      True if ’1’, false if ’0’.
(A+3)-B  string ":.*:.*:.*:"                           Doesn’t change on server restart. Server signature?
(B+1)-   string server description                     UTF-16 string.

The script is attached. The nmap-service-probes stuff follows:

# Freelancer game server status query
# http://sourceforge.net/projects/gameq/
# (relevant files: games.ini, packets.ini, freelancer.php)
Probe UDP FreelancerStatus q|\x00\x02\xf1\x26\x01\x26\xf0\x90\xa6\xf0\x26\x57\x4e\xac\xa0\xec\xf8\x68\xe4\x8d\x21|
rarity 9
ports 2302

match freelancer m|^\x00\x03\xf1\x26.{88}(.*)\0\0(?:.*?:){5}(.*)\0\0$|s p/Freelancer/ i/name: $P(1); description: $P(2)/

Here's an nmap-payloads bit:

# Freelancer game server status query
# http://sourceforge.net/projects/gameq/
# (relevant files: games.ini, packets.ini, freelancer.php)
udp 2302 "\x00\x02\xf1\x26\x01\x26\xf0\x90\xa6\xf0\x26\x57\x4e\xac\xa0\xec\xf8\x68\xe4\x8d\x21"

Wouldn't recommend messing too much with the match lines on this one, or 
on the All-Seeing Eye thingy I'd just posted. The lines are tricky and 
have already been tested a bunch.

Have a good one!

Attachment: freelancer-info.nse

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
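
Decoding the fixed-offset fields from the table in the post above, added here as an example; it is not the attached freelancer-info.nse and not code from the post's author. It assumes little-endian integers (consistent with the match line's leading bytes 00 03 f1 26) and a UTF-16LE server name ending at the first aligned 00 00 pair, and it runs against a constructed sample reply rather than a capture.

```python
import struct

# Byte values copied from the table and probe in the post above.
REPLY_MAGIC = bytes.fromhex("0003f126")  # uint32 0x26F10300 as sent on the wire
SIGNATURE = bytes.fromhex("26f090a6f026574eaca0ecf868e48d21")  # offsets 76-91
NAME_OFFSET = 92

def parse_status_reply(data: bytes) -> dict:
    """Decode the fixed-offset fields of a reply; raise ValueError if malformed."""
    if len(data) < NAME_OFFSET:
        raise ValueError("reply shorter than the 92-byte fixed part")
    if data[:4] != REPLY_MAGIC:
        raise ValueError("not a status query reply")
    if data[76:92] != SIGNATURE:
        raise ValueError("bytes 76-91 do not match the expected constant")
    # Offsets 16, 20, 24. Assumption: integers are little-endian.
    flags, max_plus1, num_plus1 = struct.unpack_from("<3I", data, 16)
    if max_plus1 == 0 or num_plus1 == 0:
        raise ValueError("player fields are stored as count + 1, so 0 is invalid")
    # Assumption: the name is UTF-16LE and ends at the first aligned 00 00 pair.
    end = NAME_OFFSET
    while end + 2 <= len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    if end + 2 > len(data):
        raise ValueError("server name is not terminated")
    return {
        "has_password": bool(flags & 128),
        "max_players": max_plus1 - 1,
        "players": num_plus1 - 1,
        "name": data[NAME_OFFSET:end].decode("utf-16-le", errors="replace"),
    }

def build_sample_reply() -> bytes:
    """Constructed reply (not a capture); fields the parser ignores are zeroed."""
    fixed = struct.pack("<8I", 0x26F10300, 0, 0, 0x50, 128, 33, 5, 0x58)
    fixed += bytes(44) + SIGNATURE  # offsets 32-75 zeroed, then 76-91
    return fixed + "Test Server".encode("utf-16-le") + b"\x00\x00" + b"1:1:"

if __name__ == "__main__":
    print(parse_status_reply(build_sample_reply()))
```

Rejecting datagrams that fail the length, magic or constant checks keeps a scanner from reporting arbitrary UDP responses on port 2302 as a Freelancer server.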
