########################################################################

DirectPlay 8 Fake Players DoS
Author: Luigi Auriemma
        e-mail: aluigi@autistici.org
        web:    aluigi.org

########################################################################


1) DirectPlay 8 introduction
2) DirectPlay 8 Fake Players introduction
3) How to use
4) Examples
5) How to create the join_file
6) Limits
7) Collection


########################################################################

============================
1) DirectPlay 8 introduction
============================


First of all, DirectPlay is the network layer used by a large number of
DirectX games.
Version 8 of DirectPlay (from now on I will call it dp8 for brevity) is
the one available in both DirectX 8 and 9, so practically any game on
the market from about the year 2000 onwards.

Usually dp8 is used to handle lobby-based multiplayer, that is, where a
room exists and people must enter it before starting to play.

I repeat that there are a lot of games using this network layer, and I'm
trying to list all of them in the file dp8games.txt, which you can (it
is better to say, you "must") download here:

  http://aluigi.org/fakep/dp8games.zip


########################################################################

=========================================
2) DirectPlay 8 Fake Players introduction
=========================================


Naturally not all dp8 games use the same packets to communicate and to
let people join, but luckily only one packet differs between games and
only that one is needed, so when you launch my dplay8fp
proof-of-concept you will notice a new command-line argument called
<join_file>.
The join_file is simply the dump of the specific packet needed to join a
specific dp8 game.
For example the join packet of Judge Dredd vs Death is different from
that of Robot Arena 2.

I'm trying to collect as many join_files as I can; they are available
and constantly updated at the link given in the previous section of
this text.
However, if you have a game not listed in dp8games.txt you can create
the join_file yourself by simply following the instructions in section 5
of this text.

As you already know, the Fake Players DoS is a type of security problem
in which an unlimited number of non-existent players are created on the
remote server without consuming sockets and with minimal bandwidth
usage.
The main effect is that the server fills up completely so no real
players can join it, but in the case of dp8 games there is a second
effect: the match cannot start while the fake players are inside the
server.
Another important effect is that if the admin tries to close the server
while it is under the fake players attack, it will be extremely slow, so
slow that some games need several minutes to return to the main menu
while others crash after some minutes of black screen.

In some games, like Operation Flashpoint, the server will crash when too
many fake players are inserted!
In others, like Judge Dredd vs Death and State of Emergency, the server
seems empty (the new fake players are not listed, they are just
invisible) but clients cannot join.

Note: at the moment I'm writing, the only limit of this fake players
      tool is password protected servers, because each game uses its
      own method to send and handle passwords.
      Naturally a solution exists; read section 6 for details.


########################################################################

=============
3) How to use
=============


  dplay8fp <join_file> <host> <port>

<join_file>
  this is the file containing the join packet described in the previous
  two sections of this text.
  Some games, like SWINE and True Crime streets of LA, use the same
  minimal packet, which can be selected by simply specifying "default"
  (it is a packet stored inside the proof-of-concept, so not a real
  file).
  The join_files I'm collecting are located in the d8f folder and have a
  .d8f extension. When you download an updated dp8games package it is
  best to unzip it into the dplay8fp folder for simpler usage.
  The link to the updated d8f package is given in section 1.

<host>
  the server you want to test with fake players; it can be an IP address
  or a hostname.

<port>
  dp8 games use different ports, so you must know the specific port of
  the server you want to test (90% of the time it is simply the default
  game port).
  The default ports of dp8 games are listed in dp8games.txt and are also
  shown by my d8facp tool (see section 5) when you dump a join packet.


########################################################################

===========
4) Examples
===========


- testing a server that uses a simple/default join packet (like SWINE
  and True Crime streets of LA):

    dplay8fp default 192.168.0.1 2302            (default SWINE port)
    dplay8fp default 192.168.0.1 28957           (default TCsoLA port)

  192.168.0.1 is the server, but it can also be a hostname like myserver
  or myserver.org and so on.

- testing a State of Emergency server:

    dplay8fp d8f\soe.d8f my_friend_server 6969

- testing a Robot Arena 2 server using the join packet robot_arena2.d8f
  available in the d8f folder:

    dplay8fp d8f\robot_arena2.d8f 192.168.0.1 9791

As you can see, using this proof-of-concept is very simple.
Naturally, in these examples the d8f folder is located in the same
directory from which dplay8fp runs. The updated files for the d8f folder
are available at the link given in section 1.


########################################################################

==============================
5) How to create the join_file
==============================


If you have a game that is not available in dp8games.txt you can create
the join_file yourself.
Doing so is in fact extremely simple and you only need a sniffer.
The best sniffer (in my opinion, also because it is multiplatform) is
Wireshark:

  http://www.wireshark.org

If you have problems running it (for example it crashes when you launch
it) try an older version and you can be sure it will work.

Launch the sniffer, select the interface you want to sniff on (if you
use an Ethernet ADSL modem, select your PC's Ethernet card, not the ADSL
interface!) and start sniffing.

Now launch the game and connect to a server.
You don't need to stay connected for a long time because the packet you
need has already been sent, so disconnect and return to the sniffer.

Stop the sniffer.
Now you can choose whether to find the packet manually or automatically
using my d8facp tool (available in the same package as dplay8fp).

If you choose to dump the packet manually, search for a UDP packet
"starting" with the bytes 7f 00 01 00 c1 00 00 00 (you can use the
Edit->Find Packet function of Wireshark, specifying this sequence of
bytes and selecting Hex value).
You will recognize it because it usually contains the nickname used to
join the server in wide char format (so with a 0x00 after each char),
exactly like the following example:

 [Ethernet header][IP][UDP] and then the UDP data:
 7f00 0100 c100 0000 0200 0000 0700 0000  ................
 8d00 0000 0e00 0000 8c00 0000 0100 0000  ................
 0000 0000 0000 0000 5800 0000 3400 0000  ........X...4...
 0000 0000 0000 0000 0000 0000 0000 0000  ................
 0000 0000 0000 0000 6098 24f7 bed0 d211  ........`.$.....
 95ea 00a0 c9a5 7f0b 0000 0000 0000 0000  ................
 9200 0000 9100 0000 fc34 9710 7c8b 8710  .........4..|...
 3491 9910 140b 5300 708b 8710 e7cb 5300  4.....S.p.....S.
 708b 8710 0000 0000 0091 9910 9cf9 9a00  p...............
 f0ee 7100 0050 006c 0061 0079 0065 0072  ..q..P.l.a.y.e.r
 0000 00                                  ...

Now click on Data, right-click and select Export Selected Packet Bytes,
then choose the name of the file to create, which will contain the
packet.
For clarity choose a .d8f extension.

If instead you want to do this operation automatically, simply save the
sniffed dump to a .acp file and launch my d8facp tool with the
following parameters:

  d8facp <sniff.ACP> <join_file.d8f>

where sniff.ACP is the file you have just saved and join_file.d8f is the
name of the file to create, which will contain the join packet.
For example:

  d8facp dredd.acp dredd.d8f

The tool will display the destination port of the packet and its size
in bytes.
If more than one join packet exists, my tool will continue the scan,
asking you whether you want to overwrite <join_file.d8f>. Break the tool
with CTRL-C when it asks you to overwrite the file to avoid further
requests.
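As an added example that is not part of this text or of its tools: the
following Python recognizes a dp8 join packet by the 8-byte sequence and
the wide-char nickname described above (it parses the dump shown in this
section), and flags a source that sends join packets in a burst, which
is how a fake players run looks on the wire from the server's side. The
threshold, the window and the sample traffic are assumptions.

```python
import re
from collections import defaultdict
# A DirectPlay 8 join packet's UDP payload starts with these 8 bytes
# (the sequence the text says to search for in Wireshark).
DP8_JOIN_SIG = bytes.fromhex("7f000100c1000000")
# Nickname: UTF-16LE (0x00 after each char), 16-bit null terminated.
_WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){2,}(?=\x00\x00)")
# UDP data of the example dump shown in section 5 of this text.
PAGE_DUMP = bytes.fromhex(
    "7f000100c10000000200000007000000" "8d0000000e0000008c00000001000000"
    "00000000000000005800000034000000" "00000000000000000000000000000000"
    "0000000000000000609824f7bed0d211" "95ea00a0c9a57f0b0000000000000000"
    "9200000091000000fc3497107c8b8710" "34919910140b5300708b8710e7cb5300"
    "708b871000000000009199109cf99a00" "f0ee71000050006c0061007900650072"
    "000000"
)

def is_dp8_join(payload):
    return payload.startswith(DP8_JOIN_SIG)

def extract_nickname(payload):
    """Nickname carried by a join packet (last wide string), else None."""
    if not is_dp8_join(payload):
        return None
    runs = _WIDE_RUN.findall(payload)
    return runs[-1].decode("utf-16-le") if runs else None

def find_join_floods(packets, threshold=20, window=10.0):
    """packets: iterable of (timestamp, src_ip, udp_payload). Returns
    {src_ip: total_joins} for every source that sent >= threshold join
    packets inside any window-second span (the fake-players pattern)."""
    times = defaultdict(list)
    for ts, src, payload in packets:
        if is_dp8_join(payload):
            times[src].append(ts)
    flagged = {}
    for src, stamps in times.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                flagged[src] = len(stamps)
                break
    return flagged

# Constructed traffic (not a real capture): one normal join plus a replay.
SAMPLE_TRAFFIC = [(0.0, "192.0.2.10", PAGE_DUMP)] + [
    (0.1 * i, "192.0.2.99", PAGE_DUMP) for i in range(30)]
```

Feed it the (timestamp, source, UDP payload) tuples of a capture taken on
the server's game port; the real join packet of each game differs in its
middle bytes, but the signature and nickname layout are what matter here.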


########################################################################

=========
6) Limits
=========


Currently the only limitation concerns password protected servers; in
fact each game uses a specific method to join servers.
These methods are implemented only in the join packet, so if you want to
use the DirectPlay 8 Fake Players DoS against a password protected
server you must naturally know the password, then you must dump the
join packet containing the specific data and the correct password used
to join the server, and finally you can use the new join_file with the
proof-of-concept.
This is currently the only method to test password protected servers.

As already said, dp8 games use different join packets, but this is not a
real limit, just one more operation in some cases.


########################################################################

=============
7) Collection
=============


As already said, I'm trying to collect as many join_files as possible,
but naturally it's not easy because there are a lot of dp8 games, even
if luckily creating a join_file is very easy.
So if you want to help me, please send me the join_file you create for a
game you have.

Remember that the join_files usually contain the nickname you use to
join a server, so choose a funny nickname when you dump it 8-)

In some cases the version of the game from which the join packet has
been dumped is also important.

Naturally contact me if you have doubts, problems or suggestions, and
above all to send me your join_files!


########################################################################
