github.com/kingkeule/vpnubt
Our tool "copies" udp broadcasts on the selected port to udp unicasts which are sent to the specific IP address to bypass the VPN router barrier.
We love to play old school games like Warcraft 3 with friends. Since we can't do a LAN session like in our youth, we play over the internet via VPN without using Battle.Net. The problem with e.g. Warctaft 3 is that the server could not be found even if we are connected via VPN.
(VPN means here classic OSI layer 3 VPNs and not a OSI layer 2 bridge VPN.)
The game server sends an udp broadcast to notify all player in the LAN. When you play over internet via VPN there is normaly a consumer router which do not relay this braodcast otherwise the network/internet would be flooded.
(Only professional routers could do this with a directed broadcast)
We have programmed a tool that listen on the selected network interface for udp broadcasts. If an udp broadcast is detected, its payload is copied into an udp unicast packet and then sent to the VPN receiver, because a unicast is not filtered by the router.
All of the following tools solve the problem, but in a different way. They do not "convert" the broadcast and instead send an fixed predefined communication specifically for Warcraft 3.
Some of the programs mentioned above only work specifically for one game. Our tool on the other hand can be used universally and is not limited to Warcraft 3, for example. In addition, we wanted to realize the implementation in a current programming language (GO).
If you want to know how we reengineered it, read on here.
Identify the communication port of the game (on Windows 10)
Start the game (Warcraft 3) and entert he multiplayer lobby
Switch to windows and open the command line and type: tasklist | findstr war3.exe
Note the displayed process id of Warcraft 3
Type in command line: netstat -ano | findstr <Warcraft 3 process id>
So finally we find out that Warcraft is listen only for UDP communication on port 6112
Understand the Warcraft 3 communication on UDP port 6112
Install and start Wireshark
Set the Wireshark displayfilter to: udp.port == 6112
You can divide it in 3 Parts:
"Hello" information"
When you enter the network lobby, Warcraft will only send a notifcation boradcast once:
(the data is always the same for each warcraft pc)
"Server waiting"
When you open a LAN game, the server sends every 5 seconds (may depend on the patch version) a notifcation boradcast:
Source: local IP of server
Destination: 255.255.255.255
Port: UDP 6112
Data: 0xf7321000010000000100000003000000
The data is defined as:
| # (byte) | Data | dynamic | Description |
|---|---|---|---|
| 01 | f7 | no | W3 identification (fix) |
| 02 | 32 | no | W3 identification (fix) |
| 03 | 10 | no | W3 identification (fix) |
| 04 | 00 | no | Reserved |
| 05 | 01 | yes | Number of opened LAN games since Warcraft started. (here 1) |
| 06 | 00 | no | Reserved |
| 07 | 00 | no | Reserved |
| 08 | 00 | no | Reserved |
| 09 | 01 | no | Total number of (joined) players in the game. (here only the server himself) |
| 10 | 00 | no | Reserved |
| 11 | 00 | no | Reserved |
| 12 | 00 | no | Reserved |
| 13 | 03 | no | Number of possible players on the map. (here 3) |
| 14 | 00 | no | Reserved |
| 15 | 00 | no | Reserved |
| 16 | 00 | no | Reserved |
"Abort"
When you abort the open game:
Proof of Concept
Try to inform the game server by sending an unicast instead of broadcast by an external tool. For this PoC we used the software nping
We got the answer from the server with the information about the open LAN game. So we could join the game.
The PoC works! :thumbsup: :smile:
FAQs
Unknown package
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Ransomware negotiators share how modern cybercriminals operate like corporations, using specialized teams, negotiation tactics, and reputation management.
Security News
PyPI confirms no security flaws were exploited in the Ultralytics supply chain attack and highlights improvements for safer package publishing.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
