Luigi Auriemma

Softman · **Joined:** 24 Jun 2009 10:38 **Posts:** 6

Hi all
Does anybody here know how to Query one of the new AA3 game servers?

I have talked to a server but am not getting the challenge string back that I expected from the Unreal engine driving the server, so it looks like AA may have modified the response as I am only getting 4 bytes returned and was expecting at least 5 if not more
Using the resources found here http://unreal.student.utwente.nl/UT2003-queryspec.html

I have spent the last week trying to find a way to do it without any luck, can you help

Andrew · **Joined:** 22 Mar 2009 06:59 **Posts:** 5

Hi,

I think its encrypted unfortunately - perhaps Aluigi can help!

I noticed this thread on the AA3 forums, it may help: http://forum.americasarmy.com/viewtopic.php?t=300305

Softman · **Joined:** 24 Jun 2009 10:38 **Posts:** 6

Hi Andrew

Yer I had already looked at that post, (but being banned from AA forums a long time ago could not reply, Why was I banned ??? I just hate it when moderators complain about old threads being bumped because you respond to them, I did a search and found users looking for something I had created so posted to the thread and bumped it, rather than start a new one.
I did this on three or four threads got a warning from one mod and a kick from another when he came on duty, if they do not want you to bump old threads then lock or delete them, rant over.) as well as many other ways of querying a UT engine than the one mentioned above

did not realy understand the AA post, he has not included enough information to work on.

aluigi · **Posted:** 24 Jun 2009 14:46

it's not encrypted, it's simply compressed with zlib:

Code:

offzip.exe packet.dat output.dat 14

http://aluigi.org/mytoolz.htm#offzip

Softman · **Joined:** 24 Jun 2009 10:38 **Posts:** 6

Oh I like it, it's great when someone knows what they are doing, and it's the man himself, hello aluigi thank you.

I still don't understand though how he communicated with it, I tried his method and got the usual response of 4 bytes that I seem to get every time.

Any idea???s

aluigi · **Posted:** 24 Jun 2009 16:24

I don't have the game so I can't say more at the moment.
what are these 4 bytes returned by the server?
are they ever the same?
are you sure that the port you contacted is the same contacted by that guy?

if necessary I can download the beta and give it a look but 3 gigabytes and half are not a pleasure :)

Softman · **Joined:** 24 Jun 2009 10:38 **Posts:** 6

Yes it is a bit well over the top size, unfortunately I don???t know what port he is using but would assume 8777

If I send 0x0FE 0x0FD 0x09 0x01 0x02 0x03 0x04 0x0FF 0x0FF 0x0FF 0x01
I always get back

First return
0x0
0x40
0xFF
0x3E

Second return
0x1
0x40
0xFF
0x3E

Third return
0x2
0x40

And any other returns are the same as ???Third return??? except it now increment the first byte.

List of server addresses http://login.aa3.americasarmy.com/servers
I just pick one and try it out

Even if I send \info\ I get the same back, in fact have tried many different formats with no luck.
Still can???t work out what or how he is sending that, can???t create an account a AA because there is something wrong with there pages and they are just blank to me, so can???t get his email address to talk on a more personal level.

aluigi · **Posted:** 24 Jun 2009 16:49

P.S.: I was forgetting another suggestion.
since you are registerd on that AA forum I guess you can send PMs so you can contact directly that guy giving him the info he needed and asking him more info about the protocol.
maybe he would also like to discuss about it here because in my opinion the AA forum (like any game forum) is not technically preparated.

musikit · **Joined:** 26 Jun 2009 18:15 **Posts:** 6

hey. whats up.

yeah the AA3 guys deleted all my posts. :(

sry :(

but i'll repost everything here.

the server ip:port:queryport i was using is 66.209:32:242:8777:39300

Softman if you were the one that contacted me through email thxs ^_^. if not then sry to who ever i am misquoting here...

softman stated he believe the protocol to be zlib encrypted. now i tried zlib decrypting it from the data start (after the AA3SplitPacket end) but it did not produce plain text. which to me indicates i have the wrong start position, it has additional encyption before, additional encyption after, or i had an arguement wrong to zlib.

i've never used zlib before but this is what i pulled together from examples

Code:

Byte *ZLibDecompress(Byte *data, UInt32 dataLen)
{
    Byte *retVal = new Byte[dataLen * 10];
    z_stream c_stream;

    c_stream.zalloc = (alloc_func)0;
    c_stream.zfree = (free_func)0;
    c_stream.opaque = (voidpf)0;

    GSInt32 err = deflateInit(&c_stream, Z_DEFAULT_COMPRESSION);

    c_stream.next_in  = (Bytef*)data;
    c_stream.next_out = retVal;

    while (c_stream.total_in != 50000 && c_stream.total_out < dataLen) {
        c_stream.avail_in = c_stream.avail_out = dataLen;
        err = deflate(&c_stream, Z_NO_FLUSH);
    }
    for (;;) {
        c_stream.avail_out = 1;
        err = deflate(&c_stream, Z_FINISH);
        if (err == Z_STREAM_END) break;
    }

    err = deflateEnd(&c_stream);
   return retVal;
}

the general request/response goes like this

client --> query request --> server
server --> 1 or more possible encrypted packets containing query response--> client
client --> logout --> server
server --> resultCode --> client

The AA3 Packet Header:

Code:

struct AA3PacketHeader
{
   Byte byte0XE1;         //1
   Byte byte0X6F;         //2
   Int16 encyptionVector;   //3, 4
   UInt32 commandId;      //5, 6, 7, 8   // AA3Commands
   Int16 keyValueEntries;   //9, 10
};

the AA3 Packet command Ids

Code:

enum AA3Commands
{
   AA3_LOGOUT               = 0x01000100,
   AA3_QUERY_SERVER            = 0x01000200,
   AA3_UNENCRYPTED_QUERY_RESP   = 0x01000200,
   AA3_SINGLE_PACKET_QUERY_RESP   = 0x01020200,   //encrypted
   AA3_MULTI_PACKET_QUERY_RESP   = 0x01030200,   //encrypted
};

the response packets come in three types.
1. just header. seems to be used if the query response is unsplit
2. a command packet
3. a multiple packet response

Code:

struct AA3CommandPacket
{
   AA3PacketHeader hdr;
   Int16 commandLength;      //11, 12
};

struct AA3SplitPacket
{
   AA3PacketHeader hdr;
   Int16 packetNum;         //11, 12
   Int16 numPackets;         //13, 14
};

a command seems to look like the following

Code:

struct AA3Command
{
   Char command[commandLength];
   Int8 minStringLen;
   Int8 maxStringLen;
   Int8 unknown; //seems to be a null term
   AA3String commandParam;
};

struct AA3String
{
   char str[];
   char nullterm;
};

an example query request

Code:

e1 6f 00 00 01 00 02 00 01 00 0a 00 70 6c 61 79 65 72 4e 61 6d 65 06 08 00 71 75 65 72 79 69 74 00  ??o..........playerName...queryit.

an example encrypted packet

Code:

e1 6f 6c ff 01 03 02 00 03 00 00 00 02 00 78 da 95 57 5b 4f dc 46 14 3e 40 48 9a 34 40 08 b9 56 aa ba 7d ae 70 67 f6 be 0f  ??ol??..........x??.W[O??F.>@H??4@..V????}??pg??..
48 dd 90 05 b6 0a 2c c5 2b 90 1a 45 68 b0 87 65 82 ed d9 8c 6d 60 53 f5 b5 bf bb c7 5e df b1 a3 0d 5a 90 cf 77 ce 7c e7 32  H??..??.,??+..Eh??.e.??????m`S??????????^??????.Z.??w??|??2
9f 87 d9 75 60 9e a7 c4 85 ef f1 23 66 73 f7 d1 7f b0 0e 2e 57 37 5c 9d 72 e5 0a e9 c0 b3 c8 1e 4e fb a6 a9 b8 eb c2 46 84  ??.??u`??????.????#fs????.??..W7\.r??.????.??.N????????????F.
1c 48 d7 3b 96 ca 4b 42 fe f2 b9 9a 85 c8 f3 08 39 b6 d8 8c ab 5d e9 3b 69 d4 07 39 11 4e 90 2d 41 fa a6 2d 9c 81 cd 84 b5  .H??;?????KB????.??.????.9????????]??;i??.9.N.-A????-??.??.??
91 45 82 98 cd 08 78 e7 0b cb 3c f2 ed 0b ae e2 55 7b 16 9b ec 5e 71 e6 b9 eb 59 44 ca e9 ab 8c fd 81 33 97 9b 7a 68 bf c9  ???E.????.x??.??<????.????U{..??^q??.??YD??????????.3???.zh????
e0 a3 cb 4b 61 08 66 cd 3d cf 33 9e 63 e6 ba b7 52 99 2f b2 98 ef 5c 5f f8 ae c7 d5 cb 0c aa 0b db 77 84 87 53 ca 95 70 3a  ??????Ka.f??=??3??c??????R???/.????\_??????????.??.??w..S??.p:
1a 1e c7 f6 3e f6 10 f4 b1 9e 99 59 60 bf 2c d8 03 c7 90 26 37 d7 22 f8 90 4d 03 f4 6d 62 de cd 27 39 b8 9b 72 25 b8 63 f0  ..????>??.?????????Y`??,??.??.&7??"??.M.??mb????'9??.r%??c??
67 45 97 bb 95 22 fa 94 1b 1e f3 a4 72 13 06 e1 14 19 36 13 97 1b 6c b4 2e be f2 ad 3c 34 96 be 1a be 2f c4 8d 67 53 fe 22  gE?????."?????..????r..??..6.???.l??..????<4???.../??.gS??"
0f 9d 32 25 98 e3 c5 3d 8d 30 03 f3 84 33 d1 67 38 31 fb 97 44 1d cc 12 38 74 16 0c ec 84 7f f1 85 e2 36 77 3c 37 6e e5 84  ..2%??????=.0.??.3??g81?????D.??.8t..??..??.??6w<7n??.
4f 7d 2f f4 c6 29 f5 6b 61 59 27 21 57 1c 94 b6 f6 14 a6 61 47 c1 a0 08 6c 45 96 2e 2d 53 c4 e0 46 04 46 5a 26 f0 3a 8e ca  O}/????)??kaY'!W.???????.??aG?? .lE???.-S????F.FZ&??:????
4b 3a 8d 8c 06 4f 60 33 02 76 2d 94 c3 89 b4 10 fa 39 82 06 0e b7 67 47 dc f7 14 36 f4 15 c5 65 48 85 ee b7 59 b7 ce 0d 5f  K:.??.O`3.v-?????.??.??9...??gG????.6??.??eH.????Y????._
25 ae e7 b1 2b 19 3e 81 97 11 b6 87 63 18 73 66 0f 1d 93 df 11 f8 29 86 51 48 81 cb 43 17 6a d8 e4 2a b3 24 d0 5e 3c 87 b4  %??????+.>.???.??.c.sf..?????.??).QH.??C.j????*.$??^<.??
a9 10 fe e2 33 33 8e 8f 7b c8 f4 19 8f 69 1e 52 28 ef 90 9b c2 88 b0 57 11 36 ba f8 8c 89 c4 0d 8f f0 78 ea c7 b8 27 04 d6  ??.????33??.{????..i.R(??..??????W.6??????.??..??x??????'.??
e2 79 ce 9d af b3 a6 7e 25 3d 37 68 c1 4c 2b 4f 1d 07 c2 cb c0 59 d1 a7 39 82 b1 a4 5d 64 86 14 17 3c 16 36 0f 65 6d a6 8b  ??y??.??.??~%=7h??L+O..??????Y????9.????]d...<.6.em??.
02 0a 5a 26 07 5a 94 03 ad 92 03 2d ca 81 de 97 03 fd b6 1c 68 b5 1c 68 89 1c 68 b9 1c e8 37 e4 40 cb e5 40 ab e4 40 ef cb  ..Z&.Z???.?????.-??.?????.????.h??.h..h..??7??@????@????@????
81 96 c9 81 96 c8 81 56 c8 81 e6 e4 40 f3 72 a0 55 72 a0 e5 72 a0 e5 72 a0 39 39 d0 fb 72 a0 25 72 a0 39 39 d4 cb e4 50 2f  .?????.?????.V??.????@??r Ur ??r ??r 99????r %r 99??????P/
ca a1 5e 25 87 7a 51 0e f5 1c 7b a3 8c bd 51 64 6f 54 b1 37 8a ec 8d 1c 7b b3 8c bd 59 64 6f 56 b1 37 8b ec cd 1c 7b ab 8c  ????^%.zQ.??.{????.QdoT??7????..{.??.YdoV??7.????.{????
bd 55 64 6f 55 b1 b7 8a ec ad 1c 7b bb 8c bd 5d 64 6f 57 b1 b7 8b ec ed 1c 7b a7 8c bd 53 64 ef 54 b1 77 8a ec 9d 1c 7b b7  .UdoU??????????.{????.]doW????.????.{????.Sd??T??w????..{??
8c bd 5b 64 ef 56 b1 77 8b ec dd 1c 7b af 8c bd 57 64 ef 55 b1 f7 8a ec bd e4 d5 0b 5f 19 02 2f 4a ce 3f 82 17 ae fc 01 48  ??.[d??V??w.????.{????.Wd??U????????.????._../J???..????.H
e0 4d c5 09 98 c6 c6 af 21 c9 a7 a0 a5 29 e8 bd 14 b4 32 05 bd 97 22 38 77 93 fb e8 29 b3 fc f0 42 fa 10 1a 1a d1 08 5e 4c  ??M??.????????!???? ??)??..??2..???"8w???????).????B??...??.^L
db 5d ad de a8 6b b4 4d b5 6e 1b 56 a1 db e9 74 02 77 af 41 08 ac 00 0d de cb 49 70 8d 0d 33 b9 08 1d fd de 0f ff 3c 06 d2  ??]??????k??M??n.V??????t.w??A.??..????Ip..3...????.??<.??
3c 27 6d da 25 bd 25 20 e1 87 86 1f 92 fc 7d 04 1f 07 b5 51 ed fd a7 df a0 ef 48 ef 8a ab 5a 70 79 9b 57 ed 6a 86 b4 6b fd  <'m??%.% ??...?????}...??Q???????? ??H??????Zpy.W??j.??k??
7e a3 36 b7 6b c2 ad bd 93 ca f9 35 59 b5 09 43 7b ca 0c ef dc 64 b3 73 c3 92 be 39 7b 0c bd f8 67 19 8b 5b 02 fc 90 55 b0  ~??6??k????.???????5Y??.C{??.????d.s?????.9{..??g..[.??.U??
98 9a f0 15 10 ce e5 32 30 f9 00 4c 7e 83 c9 cf 84 63 ca 5b 77 05 93 cf 96 a0 31 2f 6b 03 b6 77 06 67 3b db 9f f1 9a 29 d5  ??????..????20??.L~??????.c??[w.???????? 1/k.??w.g;????????)??
f9 04 9e c0 be 62 9f f9 ad 7b 2d 2a e7 52 b4 1f c2 98 ec 91 13 ba 0c 2d 12 37 9f b4 4d d6 a0 de d4 68 af 83 bf 6d ad 4e cd  ??.????.b??????{-*??R??.?????????.??.-.7????M?? ????h??????m??N??

an example unencrypted data response.

Code:

e1 6f b6 c2 01 00 02 00 03 00 0e 00 61 74 74 72 69 62 75 74 65 4e 61 6d 65 73 07 22 00 0e 00 73 65 72 76 65 72 56 65 72 73  ??o????........attributeNames."...serverVers
6f 6e 00 10 00 73 65 72 76 65 72 49 70 41 64 64 72 65 73 73 00 0f 00 73 65 72 76 65 72 48 6f 73 74 50 6f 72 74 00 10 00  ion...serverIpAddress...serverHostPort...
65 72 76 65 72 51 75 65 72 79 50 6f 72 74 00 12 00 73 65 72 76 65 72 50 6c 61 79 65 72 43 6f 75 6e 74 00 10 00 73 65 72  serverQueryPort...serverPlayerCount...ser
65 72 4c 6f 67 69 6e 4e 61 6d 65 00 10 00 73 65 72 76 65 72 41 64 6d 69 6e 45 6d 61 69 6c 0f 00 73 65 72 76 65 72 41 64  verLoginName...serverAdminEmail..serverAd
6d 69 6e 4e 61 6d 65 11 00 73 65 72 76 65 72 42 75 69 6c 64 4e 75 6d 62 65 72 10 00 73 65 72 76 65 72 46 6c 61 67 43 68 65  minName..serverBuildNumber..serverFlagChe
74 73 0e 00 73 65 72 76 65 72 46 6c 61 67 43 6f 6f 70 16 00 73 65 72 76 65 72 46 6c 61 67 4c 65 61 73 65 64 53 65 72 76  ats..serverFlagCoop..serverFlagLeasedServ
72 18 00 73 65 72 76 65 72 46 6c 61 67 4f 66 66 69 63 69 61 6c 53 65 72 76 65 72 12 00 73 65 72 76 65 72 46 6c 61 67 50  er..serverFlagOfficialServer..serverFlagP
73 73 77 6f 72 64 14 00 73 65 72 76 65 72 46 6c 61 67 50 75 6e 6b 62 75 73 74 65 72 15 00 73 65 72 76 65 72 46 6c 61 67  assword..serverFlagPunkbuster..serverFlag
69 6d 75 6e 69 74 69 6f 6e 73 0e 00 73 65 72 76 65 72 46 6c 61 67 56 4f 49 50 0e 00 73 65 72 76 65 72 47 61 6d 65 4e 61  Simunitions..serverFlagVOIP..serverGameNa
6d 65 0e 00 73 65 72 76 65 72 48 6f 73 74 4e 61 6d 65 15 00 73 65 72 76 65 72 48 6f 73 74 4e 61 6d 65 45 6e 63 6f 64 65 64  me..serverHostName..serverHostNameEncoded
0d 00 73 65 72 76 65 72 4d 61 70 4e 61 6d 65 19 00 73 65 72 76 65 72 4d 61 78 50 6c 61 79 65 72 45 78 70 65 72 69 65 6e 63  ..serverMapName..serverMaxPlayerExperienc
10 00 73 65 72 76 65 72 4d 61 78 50 6c 61 79 65 72 73 13 00 73 65 72 76 65 72 4d 61 78 53 70 65 63 74 61 74 6f 72 73 19  e..serverMaxPlayers..serverMaxSpectators.
73 65 72 76 65 72 4d 69 6e 50 6c 61 79 65 72 45 78 70 65 72 69 65 6e 63 65 11 00 73 65 72 76 65 72 4d 69 73 73 69 6f 6e  .serverMinPlayerExperience..serverMission
69 7a 65 13 00 73 65 72 76 65 72 4d 69 73 73 69 6f 6e 54 6f 75 72 49 44 11 00 73 65 72 76 65 72 4d 69 73 73 69 6f 6e 54  Size..serverMissionTourID..serverMissionT
70 65 14 00 73 65 72 76 65 72 4d 69 73 73 69 6f 6e 56 61 72 69 61 6e 74 15 00 73 65 72 76 65 72 4f 70 65 72 61 74 69 6e  ype..serverMissionVariant..serverOperatin
53 79 73 74 65 6d 1f 00 73 65 72 76 65 72 51 75 61 6c 69 66 69 63 61 74 69 6f 6e 52 65 71 75 69 72 65 6d 65 6e 74 73 10  gSystem..serverQualificationRequirements.
73 65 72 76 65 72 52 65 70 75 74 61 74 69 6f 6e 11 00 73 65 72 76 65 72 53 6b 69 6c 6c 52 61 74 69 6e 67 10 00 73 65 72  .serverReputation..serverSkillRating..ser
65 72 53 70 65 63 74 61 74 6f 72 73 0f 00 61 74 74 72 69 62 75 74 65 56 61 6c 75 65 73 07 22 00 06 00 33 2e 30 2e 30 00  verSpectators..attributeValues."...3.0.0.
0e 00 36 38 2e 32 33 32 2e 31 36 31 2e 38 36 00 05 00 38 37 37 37 00 06 00 33 39 33 30 30 00 02 00 30 00 0c 00 67 61 6d 65  ..68.232.161.86...8777...39300...0...game
65 72 76 65 72 73 00 03 00 4e 2f 41 03 00 4e 2f 41 09 00 30 34 5f 30 36 31 38 30 39 01 00 30 01 00 30 01 00 31 01 00 31  servers...N/A..N/A..04_061809..0..0..1..1
00 30 01 00 31 01 00 30 01 00 31 07 00 5b 45 20 4f 20 44 5d 2b 00 41 6e 6f 74 68 65 72 20 47 61 6d 65 53 65 72 76 65 72  ..0..1..0..1..[E O D]+.Another GameServer
2e 63 6f 6d 20 41 41 33 20 53 65 72 76 65 72 20 69 73 20 42 6f 72 6e 21 07 00 5b 45 20 4f 20 44 5d 11 00 49 6d 70 61 63  s.com AA3 Server is Born!..[E O D]..Impac
5f 64 61 79 5f 63 6c 6f 75 64 79 09 00 39 39 39 39 39 39 39 39 39 02 00 31 32 01 00 32 01 00 30 05 00 6c 61 72 67 65 03  t_day_cloudy..999999999..12..2..0..large.
69 6e 66 02 00 61 6f 04 00 64 65 76 31 07 00 57 69 6e 64 6f 77 73 03 00 41 6e 79 01 00 33 01 00 30 01 00 30 0a 00 72 65  .inf..ao..dev1..Windows..Any..3..0..0..re
75 6c 74 43 6f 64 65 02 01 00 00 00                                                                                      sultCode.....        

aluigi · **Posted:** 26 Jun 2009 18:39

you must use inflate for decompressing the data and deflate for compressing it.
anyway zlib has a very nice function which does these jobs with only one instructions, in your case the suggested one is "uncompress":

Code:

uLongf  retlen;

retlen = dest_size;
if(uncompress(dest_buffer, &retlen, source_buffer, source_size) != Z_OK) {
    printf("failed\n");
    exit(1);
}
dest_size = retlen;

the offset of the compressed data (source_buffer) is 14 (like in the above offzip example), you can recognize it by the presence of the 0x78 byte which is the common marker of zlib deflated data.

P.S.: I was forgotting that the size of the uncompressed data is not available in the packet you pasted so I suggest you to set dest_size at 0xffff (because I don't know what is the exact max amount of output data) and allocate this amount of bytes in dest_buffer.

musikit · **Joined:** 26 Jun 2009 18:15 **Posts:** 6

it appears as if the zlib stream is split across all the packets. still looking more into this.

musikit · **Joined:** 26 Jun 2009 18:15 **Posts:** 6

yup. put all 3 packets together (in proper order) and decode that using the zlib you posted and it just flat decodes. now to parse the data.

aluigi · **Posted:** 26 Jun 2009 19:35

luckily the format looks enough simple :)

*edit* the following BMS script for quickbms is an example for a tip about the format and moreover for who is interesting in a BMS example (so I have made it in general):

Code:

for ELEMENTS = 0
    get NAMESZ short
    getdstring NAME NAMESZ

    if NAME == "attributeNames"
        get DUMMY threebyte
        savepos NAMES_OFF
    endif
    if NAME == "attributeValues"
        get DUMMY threebyte
        savepos VALUES_OFF
        break
    endif
next ELEMENTS

for i = 0 < ELEMENTS
    goto NAMES_OFF
    get NAMESZ short
    getdstring NAME NAMESZ
    savepos NAMES_OFF

    goto VALUES_OFF
    get VALUESZ short
    getdstring VALUE VALUESZ
    savepos VALUES_OFF

    print "%NAME%: %VALUE%"
next i

musikit · **Joined:** 26 Jun 2009 18:15 **Posts:** 6

yup. real easy. here are some of the keyvalues.

serverVersion 3.0.0
serverIpAddress 63.209.32.242
serverHostPort 8777
serverQueryPort 39300
serverPlayerCount 0
serverLoginName gameservers
serverAdminEmail N/A
serverAdminName N/A
serverBuildNumber 02_062309
serverFlagCheats 0
serverFlagCoop 0
serverFlagLeasedServer 1
serverFlagOfficialServer 1
serverFlagPassword 0
serverFlagPunkbuster 0
serverFlagSimunitions 0
serverFlagVOIP 1
serverGameName Texas ...TeamPlayers... AA3
serverHostName America's Army 3 Server
serverHostNameEncoded Texas ...TeamPlayers... AA3
serverMapName Pipeline_dawn_clear
serverMaxPlayerExperience 999999999
serverMaxPlayers 20
serverMaxSpectators 0
serverMinPlayerExperience 0
serverMissionSize large
serverMissionTourID inf
serverMissionType tah
serverMissionVariant dev
serverOperatingSystem Windows
serverQualificationRequirements Any
serverReputation 3
serverSkillRating 0
serverSpectators 0
serverTeamPlayers 0

musikit · **Joined:** 26 Jun 2009 18:15 **Posts:** 6

got player info

basically
fieldnameplayerid fieldvalue

playerName21 leuri
playerSoldierName21 [MG]-Perses-
playerVersion21 3.0.0
playerServerIpAddress21 94.75.230.200
playerMapName21 94.75.230.200
playerClassRole21 T0F0R3
playerEnemyNeutralizedScore21 0
playerEnemySecuredScore21 0
playerExperience21 0
playerFireTeamIndex21 0
playerFlagFireteamLeader21 0
playerFlagSpectator21 0
playerFlagSquadLeader21 0
playerIpAddress21 XXX.XXX.XXX.XXX //ip address player connected from x'd out because i do kind like people sometimes
playerLeaderScore21 0
playerMedicScore21 0
playerObjectiveScore21 320
playerPing21 21
playerScore21 320
playerScoreShotsFired21 0
playerScoreShotsHit21 0
playerServerMapName21 Alley_day_cloudy
playerTeam21 Gold Team
playerTeamIndex21 1
playerTimePlayed21 62

aluigi · **Posted:** 26 Jun 2009 21:01

the fact that the IP addresses of the clients are public is really strange and dangerous (for example some years ago I found a bug in an open source game which could be used to kick directly any client connected to the server just because the IP addresses were public).
would be interesting to know why the AA3 developers have adopted this bad solution

musikit · **Joined:** 26 Jun 2009 18:15 **Posts:** 6

i just wish they were nicer on their forums. they were real jerks to me because of this. but i got my executable able to query AA3 servers. thanks to you guys!

Softman · **Joined:** 24 Jun 2009 10:38 **Posts:** 6

Forgive me for being thick here, but for the life of me I can not uncompress these packets

Packet1
Packet2
Packet3

I know they should all be together in one large packet and the key token &78 is at the 15 character in the first packet
meaning to me i would strip all 14 characters up to the 15

then add packet 2, -14 character from the begining
then add packet 3, -14 characters

but when I try to decompress it fails, so i have posted here all three raw packets as they come in, can any one help?

aluigi · **Posted:** 27 Jun 2009 22:07

remove the last 4 bytes at the end of the packet file and the result of the concatenating of them is a full zlib stream.

aluigi · **Posted:** 27 Jun 2009 22:25

ah redshak, I finished on your website some months ago when I saw/read there that some antivirus (kaspersky blah) recognized my poor ventstat tool as something bad... oh my poor stuff.

Softman · **Joined:** 24 Jun 2009 10:38 **Posts:** 6

Hi aluigi
Well got it going at last, the problem was me as always, I usually program in VB because I know that very well and can move around in it very quickly, I would then push it to .net for my purposes.
Anyway the VB side got the compressed packets in a string and sent it in to zlib but kept failing to get the uncompressed data out until I sent it in, in byte format ??? Bang straight decompression no problem. Doh how much time wasted ??? must learn c or at least c# better.

As to Redsack yes your app did cause me a bit of hassle for awhile as I wrote a tracking tool and added that ventstat as an external add on to save me the time doing it my self, and then report started coming back in from player about their virus scanners (kaspersky) kicking off, got me worried for a while that I had uninvitingly infected player PC with a virus, on more research the ???ventstat??? became to source of the problem, Now I had checked it already against McAfee and Trendmicro with no problems and it seems a kaspersky was just reading the name ???Luigi Auriemma??? as a false positive.

So I just stated to who ever wants to download my app if they don???t use Ventrilo delete ventstat, job sorted, but it is a great little app and did just what I wanted.
Just crappy Antivirus programs that scan for key words and not code.

phantom · **Joined:** 03 Jul 2009 17:07 **Posts:** 4

Hello all, I am sorry but I am not understanding much of this. Can someone please send me the code for this query. I would appreciate it.

Thanks,
adam(a t)inet-sol.com

aluigi · **Posted:** 03 Jul 2009 17:12

this is a forum so the stuff is shared to anyone, no personal requests

phantom · **Joined:** 03 Jul 2009 17:07 **Posts:** 4

I am sorry aluigi, I just do not understand much of that up there, I know pretty much just some php.

UnnamedPlayer · **Joined:** 21 Feb 2009 15:32 **Posts:** 8

Can someone please post a valid IP:Port combination of a running AA3 server, so i can try to query it. Do i have to use Gamespy 4 Querymethod like it is used in UT3 for the query request? The 3 querybuffer i will recieve then are added together like this, if i get it right:

(all buffers are char arrays, all len* are integer)

len = len_buffer1 - 14 - 4;
len_all = len;
memcyp(&buffer_all, &buffer1[15], len);
len = len_buffer2 - 14 - 4;
len_all += len;
memcyp(&buffer_all[len1], &buffer2[15], len);
len = len_buffer3 - 14 - 4;
len_all += len;
memcyp(&buffer_all[len1+len2], &buffer3[15], len);

phantom · **Joined:** 03 Jul 2009 17:07 **Posts:** 4

IP: 216.180.236.163
Game Port: 8777
Query Port: 39300

There are usually players on there as well.

UnnamedPlayer · **Joined:** 21 Feb 2009 15:32 **Posts:** 8

Thx man, do you also know what querystring i hve to send?

aluigi · **Posted:** 05 Jul 2009 22:53

that "example query request" posted by musikit to port 39300.
any other gamespy 1/2/3 query is not accepted by the server

aluigi · **Posted:** 05 Jul 2009 22:58

ehmmm I have a doubt...
I don't have the game but my doubt is about the attached packet where I have simply used an oversized 16 bit length value (so only the 2 size bytes, the rest is unchanged) and now the server no longer replies.
can someone (with a server) verify if there are problems with this packet?

for the test: nc 127.0.0.1 39300 -v -v -u < crash.dat

*update*
advisory: http://aluigi.org/adv/aa3blah-adv.txt
I have released also an unofficial fix.

aluigi · **Posted:** 06 Jul 2009 10:19

bug confirmed (port 9002 in my test server), I will release an advisory in the next hours