Luigi Auriemma

Iv'e got a couple questions regarding BF2142's network protocol.

First of all, Is there any documentation on the protocol? Iv'e looked all over the web and your site is the best I've found so far. There are a couple sites that cover bits of GS query protocol, but I'm not interested in that. I'm more interested by the protocol for the underlying game play.

Second, I downloaded your BF2_sniff program in order to help me understand the protocols in use. I've been having troubles getting it to run properly. What I want to know is, does BF2_sniff capture the packets right before they are sent out onto the wire, resulting in similar data as a packet sniffer, or does it capture the data before some sort of format/encryption applied?

This is my first reverse engineering project and I was hoping to write some sort of program that could gleam extra data from the network. It would most likely run on another computer acting like a proxy/gateway.

as far as I know (I'm not part of the community) there is no public documentation about the bf2142 protocol.
a micro example is in my bf2fp tool (fake players) where I show how to build a connect packet compatible with both bf2 and bf2142 and any of their versions.

in fact one of the problems I have seen during the writing of my fake players tool for the battlefield series (bf1942fp and bf2fp) is that the fields of the protocol change a lot between the game versions (note, I talk just about "versions" like 1.0 and 1.1 and only about the "connect" packet so the rest can be even worst) and I reached that result only using some work-arounds.

as far as I know no compression or encryption is used in the packets.
the data in them is stored using bitstreams, so for example instead of occupying 8 or 32 bits for a number they use a smaller fixed bit size needed for each element.
the result is the saving of space in the packet but lack of "readability", in fact if you try to sniff some packets you will see almost no plain text strings due to the lost of the constant 8 bit padding.

bf2_sniff intercepts just the function which puts these elements in the packets and shows their exact size in bit and their content.

for example take the following connect packet sent by the client to the server in bf2:
(for the moment ignore the "packet size" value because is not realistic in the "SEND" column, while it's good for the "RECV" one).

reading this dump you can see that the first element in the packet is a number of 4 bits of value 1, the second has a size of 8 bits and a value of 1, the third a 32bit size and a value of 0x1002 (fixed value, the demo should use 0xf005) followed by another 32 bit number containing the version of the client 0x110b9500 ("1.1.2965.0") and so on.
the "dump" fields are referred to the strings contained in the packet, the first contains the password for joining the server (empty) and the second the mod in use.

now if you watch the source code of my bf2fp.c you will notice the same values and sizes:
anyway keep in mind that bf2_sniff is experimental so some fields in its output could be mixed or chaotic, it was mainly a proof-of-concept I wrote for curiosity

It's been a long time since my last post but I've finally made a small amount of progress. This little project got pushed to the back burner but I have some time to pick it back up.

So here is the deal, I have a no-cd version of BF2142.exe and Its working as far as I can tell (haven't tried Online, but I can login and play LAN). Bf2_sniff seams to be working, it injects without complaint, and while on a LAN server there is a noticeable but very insignificant lag (I assume this is an indication of bf2_sniff's proper operation). But when I'm done, I can't find the dump file :( Is it supposed to show up in the BF2142 main folder, or is it in some magic place? Is there something that I'm missing here. I'm running Vista (yeah, I know) and I have a feeling its "helping" me by keeping the file from being created.

uhmmm the file is created in the same folder of the game (which is considered the current folder), if in doubt the file to search is *bf2_sniff.txt
to know if it's working you must check that when you run bf2_sniff_server.exe it shows the messagebox which reports the readbits and writebits offsets and the name of the dump with the question "Do you want to continue?".
if such dialog box is not shown it means it's not working

I tried running it on my XP machine and it worked just fine. I was getting the messagebox in Vista but I'm not going to worry about it too much. I'm looking at the dump now and its very complex. There seams to be no standard packet during the actual game play. How does the receiving end know how to unpack the bitstream? Is there some information in the packet, or is it all hard coded in the game itself? Or do you even know?

yeah it's complex.
each udp packet can contain multiple blocks of data (visible in the dump generated by my code as single packets or blocks of informations), which are padded if I'm not in error (so the blocks are not consecutives).
but I have never focused more on the protocol due to the lack of interest

It looks like I have my work cut out for me then. I suppose that's were the fun is. I'll post any breakthroughs I make.