Prejudice

This post was written by Karl.

Last week, I was exhausted and bored and thought I’d try out a new MMORPG. Many people, such as Brad, would decry such a pastime — but I can find it enjoyable at times.

Long ago I would play a relatively simple Asian MMORPG known only as Pristontale. I found, in my search, that by now they had made a Pristontale II. Cool. I downloaded it.

It was big. I ran out of time to play it in by the time it had finished downloading and installing, so I decided I’d try it out later.

Lo and behold, “later” turned out to mean Today. This morning, I registered an account, patched my client, and went to log in. Unfortunately, I encountered an “authentication error”. My password was correct — it turns out that the deities that run Pristontale have an IP ban put in place. If you’re from the USA, you can’t play in the open beta, for licensing reasons.

We all know about IP bans. IP bans are preposterous because one can simply connect through a proxy exiting in the appropriate country. Tor has exit nodes in every country one would ever need, and is my solution of choice at times like these.

A problem arises, however — there’s no obvious way to tell the application in question to use a proxy when connecting. With a free Linux box and some kernel recompilation, it’s doable to automatically route a given set of packets through a given proxy; I am, however, stuck on Windows Vista at the moment.

There are still solutions — programs such as SocksCap and FreeCap will inject code in a given application to wrap the socket calls with a proxy. I tried these programs out. They crashed PristonTale 2 pretty reliably.

Not a problem; FreeCap is open source, apparently. I open PristonTale 2 up in IDA Pro and find that it’s not using normal socket calls; instead it uses something silly Microsoft has, known as “Windows Internet”. Just have to patch FreeCap to wrap these other calls.

Oop. FreeCap is written in Delphi. Delphi? What’s Delphi? Brad knows what Delphi is — he wrote DemonBane in it. Unfortunately, I am not Brad. I do not know what Delphi is.

So that’s out. All right. In Linux, there’s a cool app called socat. It lets you chain internet connections in basically any way you desire, e.g. routing an incoming connection to localhost:port via 4 socks proxies and coming out at remotehost:otherport. Quite fine. If I am lucky, I could get this building on cygwin, or even find a prebuilt Windows binary, then convince PristonTale to connect to localhost rather than its server, and route it through an appropriate proxy.

It’s pretty easy to convince a given app to connect to the wrong IP address. Most applications do a host lookup on a domain name, and then connect to the IP address associated with the domain name. Changing that IP address to 127.0.0.1 is as easy as adding another entry to your local hosts file. I boot up Wireshark and packet log Pristontale to see what domain it’s connecting to.

Strange. No domain lookups. It must have the IP address stored numerically.

Stored. Numerically. Indeed. I then proceed to spend the rest of the day trying to find where this IP address is numerically stored. It’s not in the registry. It’s not downloaded from anywhere. It’s passed on the command line from the launcher process to the game process (awesome!) but a private token referencing a dynamically generated piece of memory is also passed, to ensure that the game is only run from the launcher (man…). I trace the server IPs through the launcher executable to see where they come from, and it is not easy. Things are copied from one buffer, to another buffer, only held at runtime, so many times, in ways that I, personally, found incredibly confusing. Luckily IDA supports data breakpoints for both writing and reading, making this task much easier than it would be otherwise by allowing me to set execution to halt when a given area of memory is referenced.

Finally I trace the IP down to its origin. It’s stored as a “pt2://a.b.c.d:port” format URL in the binary, with each character of the string separately encrypted into a four byte value. But wait, that’s not encryption — it’s just XOR’d with 0x5d! Finally, at the end of the run, they leave me with a cop-out. Thankfully.

I used Codepaste 2 and a blog draft with a <script src=""> tag to make a javascript utility to “encrypt” a new server URL, as you can see below. There’s a big byteblob of XOR’d strings they don’t want people changing easily, and the gameserver url is about halfway down. Changing the characters in the url updates the xor’d bytes at the bottom, which are shown in the same format a hex-editor would for easy copying. The public key for the code is a62fad0ce5f2c134f2fd898baa79212c, and the script below dynamically references codepaste, so if anybody updates the code on codepaste it will update below as well, which I think is pretty cool.

Altering the url from pt2://93.90.20.196:7300 to pt2://127.0.0.1:7300 and filling in the extra space with %00 to terminate the string, finally — finally — let me into the game, proxied through socat and tor.
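The codepaste tool itself is not reproduced on this page, so here is an added JavaScript model (not the author's script) of the scheme the post describes: each URL character sits in the low byte of a 4-byte little-endian slot, every slot is XOR'd with 0x5d, and the shorter replacement URL is NUL-padded to the original field width. The slot layout, the `fieldChars` width and the function names are assumptions; the block also shows why this is obfuscation rather than encryption, since the known "pt2://" prefix hands the key straight back.

```javascript
const XOR_KEY = 0x5d; // the constant the post found in the binary

// Lay the text out as one 4-byte little-endian slot per character, NUL-padded
// to fieldChars slots (the "%00" the post used to terminate the shorter URL).
function toSlots(text, fieldChars) {
  if (text.length > fieldChars) throw new Error("text longer than field");
  const buf = new Uint8Array(fieldChars * 4); // unused slots stay 0x00000000
  for (let i = 0; i < text.length; i++) buf[i * 4] = text.charCodeAt(i) & 0xff;
  return buf;
}
// XOR the low byte of every slot with the key. XOR with a constant is its own
// inverse, so this one function both "encrypts" and decrypts.
function xorSlots(bytes, key = XOR_KEY) {
  const out = Uint8Array.from(bytes);
  for (let i = 0; i < out.length; i += 4) out[i] ^= key;
  return out;
}
function encodeUrl(url, fieldChars, key = XOR_KEY) {
  return xorSlots(toSlots(url, fieldChars), key);
}
function decodeUrl(bytes, key = XOR_KEY) {
  const plain = xorSlots(bytes, key);
  let s = "";
  for (let i = 0; i < plain.length; i += 4) {
    if (plain[i] === 0) break; // NUL terminates the string
    s += String.fromCharCode(plain[i]);
  }
  return s;
}

// Known-plaintext check: every such blob starts with "pt2://", so one encoded
// byte XOR'd with its known character yields the key; null if the rest disagrees.
function recoverKey(bytes, knownPrefix = "pt2://") {
  const key = bytes[0] ^ knownPrefix.charCodeAt(0);
  for (let i = 1; i < knownPrefix.length; i++) {
    if ((bytes[i * 4] ^ knownPrefix.charCodeAt(i)) !== key) return null;
  }
  return key;
}

// Hex-editor style rows (offset + 16 bytes), the format the post's tool showed.
function hexDump(bytes) {
  const rows = [];
  for (let off = 0; off < bytes.length; off += 16) {
    const hex = Array.from(bytes.subarray(off, off + 16), b => b.toString(16).padStart(2, "0"));
    rows.push(off.toString(16).padStart(8, "0") + "  " + hex.join(" "));
  }
  return rows;
}
```

Because the key is recoverable from a single known character, a constant-XOR blob protects nothing against anyone with a hex editor; only keeping the value out of the client (or signing the configuration) would change that.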

Now, the day is over, and I have made no progress on the things I actually need to do. Perhaps I can try PristonTale 2 out some later week, now that I can actually get in.

Comments

  1. Shaun says:

    Is Tor generally fast enough for streaming video/audio? I would like a proxy that is good enough to use hulu and/or pandora.

  2. Brad says:

    Man. Those guys ripped off your brother’s name. Thoughts?

    You went to great lengths to defeat those MMORPG guys, and I’m glad because it makes for an awesome post! Which is cool because this was post 100. 😀

    Also, I’ve marked that paste as permanent, so it will not be automatically deleted in thirty days.

  3. k says:

    You need to tweak Tor a bit to get it really fast. It has a bazillion nodes: some are fast, some are slow, some are congested at different times. It has a control protocol that can be scripted to select nodes etc., but it takes some effort. Alternatively one can just try different paths until you find something as fast as needed.

    Aye, there was indeed a name conflict. Luckily they are in separate namespaces?

    I didn’t know this was post 100 =O I stole it =S
