Nmap Development mailing list archives
[NSE] Freelancer's game server version detection and info
From: Marin Maržić <marzic () gmail com>
Date: Tue, 12 Nov 2013 22:01:50 +0100
A version detection solution for Freelancer's game server, the cult space sim game that keeps on rolling.

Here's what I'd gathered on the protocol:

Offset     Type    Value                                            Comment
0-3        uint32  0x26F10300                                       Presumably indicates a status query reply.
4-7        uint32  offset of server name's last character
8-11       uint32  unknown
12-15      uint32  0x50
16-19      uint32  bit 7 (LSB is 0) indicates a password            has_password = x & 128
20-23      uint32  max. players + 1
24-27      uint32  num. players + 1
28-31      uint32  0x58
32-35      uint32  unknown
36-59      bytes   zeroes
60-75      bytes   random?                                          Changes with each server restart.
76-91      bytes   26 F0 90 A6 F0 26 57 4E AC A0 EC F8 68 E4 8D 21
92-(A-1)   string  server name                                      UTF-16 string.
A          char    allow players to harm other players              True if '1', false if '0'.
A+1        char    ':'
A+2        char    allow new players                                True if '1', false if '0'.
(A+3)-B    string  ":.*:.*:.*:"                                     Doesn't change on server restart. Server signature?
(B+1)-     string  server description                               UTF-16 string.

The script is attached. The nmap-service-probes stuff follows:

    # Freelancer game server status query
    # http://sourceforge.net/projects/gameq/
    # (relevant files: games.ini, packets.ini, freelancer.php)
    Probe UDP FreelancerStatus q|\x00\x02\xf1\x26\x01\x26\xf0\x90\xa6\xf0\x26\x57\x4e\xac\xa0\xec\xf8\x68\xe4\x8d\x21|
    rarity 9
    ports 2302
    match freelancer m|^\x00\x03\xf1\x26.{88}(.*)\0\0(?:.*?:){5}(.*)\0\0$|s p/Freelancer/ i/name: $P(1); description: $P(2)/

Here's a nmap-payloads bit:

    # Freelancer game server status query
    # http://sourceforge.net/projects/gameq/
    # (relevant files: games.ini, packets.ini, freelancer.php)
    udp 2302 "\x00\x02\xf1\x26\x01\x26\xf0\x90\xa6\xf0\x26\x57\x4e\xac\xa0\xec\xf8\x68\xe4\x8d\x21"

Wouldn't recommend messing too much with the match lines on this one, or on the All-Seeing Eye thingy I'd just posted. The lines are tricky and have already been tested a bunch.

Have a good one!
Attachment: freelancer-info.nse
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
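Added example, not part of the original post or the attached freelancer-info.nse: a Python decoder for the status reply that reads the fixed header at the offsets in the table and reuses the post's match-line pattern to find the name and description. Assumptions: little-endian integers (as the magic bytes imply), UTF-16LE strings, and a hand-built sample reply whose flag characters are single bytes, since the table does not state their width.

```python
import re
import struct

MAGIC = 0x26F10300  # offset 0-3 in the table; on the wire: 00 03 f1 26
# Same pattern as the match line in the post; \Z stands in for the trailing $.
TAIL = re.compile(rb"^\x00\x03\xf1\x26.{88}(.*)\0\0(?:.*?:){5}(.*)\0\0\Z", re.S)

def parse_status_reply(data: bytes) -> dict:
    """Decode a status reply using the offsets in the table (little-endian)."""
    if len(data) < 92:
        raise ValueError("reply shorter than the 92-byte fixed header")
    magic, _name_end, _u1, _c50, flags, max_p1, num_p1 = struct.unpack_from("<7I", data, 0)
    if magic != MAGIC:
        raise ValueError("not a status query reply")
    m = TAIL.match(data)
    if m is None:
        raise ValueError("name/description tail does not match")
    # Bytes between the two captures: "<pvp>:<new players>:<signature>"
    between = data[m.end(1) + 2 : m.start(2)].replace(b"\0", b"")
    fields = between.split(b":")
    return {
        "has_password": bool(flags & 128),
        "max_players": max_p1 - 1,   # field stores max. players + 1
        "num_players": num_p1 - 1,   # field stores num. players + 1
        "name": m.group(1).decode("utf-16-le", errors="replace"),
        "description": m.group(2).decode("utf-16-le", errors="replace"),
        "pvp_allowed": fields[0] == b"1",
        "new_players_allowed": fields[1] == b"1",
    }

def build_sample_reply() -> bytes:
    """Constructed reply for testing; not captured from a real server."""
    name = "Test Server".encode("utf-16-le")
    # Second field: one reading of "offset of server name's last character" (unused here).
    head = struct.pack("<9I", MAGIC, 92 + len(name) - 2, 0, 0x50, 0x80, 17, 4, 0x58, 0)
    head += bytes(24) + bytes(range(16))  # zeroes, then a stand-in for the per-restart bytes
    head += bytes.fromhex("26F090A6F026574EACA0ECF868E48D21")
    tail = b"1:0:-1:-1:-1:"  # assumed single-byte chars; signature values are made up
    desc = "Constructed sample".encode("utf-16-le")
    return head + name + b"\0\0" + tail + desc + b"\0\0"

if __name__ == "__main__":
    print(parse_status_reply(build_sample_reply()))
```

Because the reply arrives over UDP from an untrusted host, the decoder rejects anything shorter than the fixed header or with the wrong magic before touching the variable-length tail.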