######################################################################

Title:    Quake III 1.32 net information protocol 0.1.1
Author:   Luigi Auriemma
e-mail:   aluigi@autistici.org
web:      aluigi.org

######################################################################


1) Introduction
2) Steps [A ... G]
3) Conclusion


______________________________________________________________________

1) Introduction
===============

In this little paper I will explain the steps Quake III takes to
request and send information.
This paper does NOT contain ALL the possible queries, only the queries
used by default (it is just a step-by-step walk through a sniffer
dump).
The protocol used is UDP and the default port is 27960.
Each packet is sent with 4 0xff bytes (\xff\xff\xff\xff) before the
real data.
The default client port is 27960, but that is not important because
you can use ANY port for sending and receiving Q3 data.
I will refer only to LAN games; however, the queries are the same for
all the possible games (LAN, Mplayer, Internet).
The utility written for the Quake III protocol is IDinfo, which you can
find on my web space aluigi.org.


______________________________________________________________________

2) Steps [A ... G]
==================

------------------------------------
A] Client searches servers on subnet
------------------------------------

When we select the multiplayer option, our client starts searching for
servers on LAN, Mplayer, Internet and Favourites.

- LAN:       255.255.255.255
             port: 27960, 27961, 27962, 27963
- Mplayer:   60.242.0.0
             port: 27950
- Internet:  60.242.0.0 or master3.idsoftware.com
             port: 27950

For the moment I will talk only about LAN games.
The request sent by the client is:

"\xff\xff\xff\xffgetinfo xxxx"
 |               |       |
 |               |       name of the challenge (xxxx is default)
 |               request
 OOB

:CLIENT  -->  SERVER
:27960        (see before)


--------------------------------
B] Server answers to the request
--------------------------------

If the server exists, it answers with a message containing the
following fields (fields are separated by a backslash '\'):

- \xff\xff\xff\xff    OOB
- infoResponse\n      Identifier of the answer to an Info query
- sv_allowAnonymous   (???) default 0
- pure                Pure server. Boolean.
- gametype            0 = Free for all
                      1 = Tournament
                      3 = Team Deathmatch
                      4 = Capture the flag
- sv_maxclients       Max number of players (bots included)
- clients             Current number of players (bots included)
- mapname             Name of the map (files: .aas, .jpg and .bsp)
- hostname            Name of the server
- protocol            Network protocol
                      Examples: 67 for 1.31 and 68 for 1.32 versions
                      of Quake III game
- challenge           Identifier of the client request. If the client
                      sends a request about a general challenge (xxxx)
                      the server will answer with the same challenge
                      key

:SERVER  -->  CLIENT
:27960        27960


-----------------
C] Status request
-----------------

This request is not used much, but it gives a lot of useful
information about current players, the Q3 version and more.
Message:

"\xff\xff\xff\xffgetstatus"
 |               |
 |               Query
 OOB

:CLIENT  -->  SERVER
:27960        27960


----------------
D] Status answer
----------------

The server answers with information taken from the q3config.cfg file.
This is the message:

- \xff\xff\xff\xff    OOB
- statusResponse      Identifier of the answer to a Status query
- g_blueTeam          default: Pagans
- g_redTeam           default: Stroggs
- sv_floodProtect     Protection against flood attacks. Boolean.
- sv_maxPing          default: 0, I think it is like a policy
- sv_minPing          default: 0, I think it is like a policy
- sv_maxRate          default: 0, I think it is like a policy
- sv_hostname         Name of the server
- g_maxGameClients    (???)
                      default 0
- sv_maxclients       Max number of players (bots included)
- timelimit           0 if not set, used for time-limited matches
- fraglimit           Number of frags to win
- dmflags             (???) default 0
- capturelimit        Capture the flag limit
- version             Long string with the running version of Q3
                      1.31 = "Q3 1.31 win-x86 Dec 11 2001"
- g_gametype          0 = Free for all
                      1 = Tournament
                      3 = Team Deathmatch
                      4 = Capture the flag
- protocol            Network protocol
                      Examples: 67 for 1.31 and 68 for 1.32 versions
                      of Quake III game
- mapname             Name of the map (files: .aas, .jpg and .bsp)
- sv_privateClients   (???) default 0
- sv_allowAnonymous   (???) default 0
- sv_allowDownload    0 = No download, 1 = yes. Boolean.
- bot_minplayers      (???) default 0
- gamename            MOD identification. If no MODs "baseq3"
- g_needpass          0 = No password, 1 = yes. Boolean.

(Players list)
- 5 0 "player1"
- 3 0 "player2"
- ...
- 7 0 "playerN"
  | | |
  | | player name
  | 0 = ???
  Frags

:SERVER  -->  CLIENT
:27960        27960


--------------------
E] Challenge request
--------------------

The client asks the server for the challenge key needed to play. This
key changes every time a new match starts.
NOTE: The key also changes for each client IP!!!
Message:

"\xff\xff\xff\xffgetchallenge"
 |               |
 |               Query
 OOB

:CLIENT  -->  SERVER
:27960        27960


-------------------
F] Challenge answer
-------------------

Now the server sends the current key for the match:

"\xff\xff\xff\xffchallengeResponse 1234567890"
 |               |                 |
 |               |                 The key
 |               Response
 OOB

:SERVER  -->  CLIENT
:27960        27960


-------------------------
G] Client joins the match
-------------------------

I think that everyone wants to know this step... unfortunately I want
to too, because it is encoded with an algorithm (I have stopped
reversing it because there is a fucking counter generated in a strange
way).
The only thing it is possible to see is:

"\xff\xff\xff\xffconnect [encoded data]"


______________________________________________________________________

3) Conclusion
=============

The QuakeIII network protocol is really similar to the Half-Life
protocol (which in fact should be based on QuakeII).
The only difference is in the connect step, because Half-Life doesn't
use encoded data in that packet.
If someone wants to help me continue reversing the encoding protocol
of the connect step, I will be very happy.


______________________________________________________________________

Any feedback is welcome!

BYEZ
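
Added example (not part of the original paper and not IDinfo's code): Python that builds the queries from steps A, C and E and strictly parses the answers from steps B and D, rejecting malformed packets and replies that do not echo the challenge. It assumes a statusResponse is laid out as an identifier line, one backslash-delimited field line, then one player per line; the function names and the sample packets are constructed for illustration.

```python
import re

OOB = b"\xff\xff\xff\xff"                      # 4-byte prefix on every packet
PLAYER_RE = re.compile(r'^(-?\d+) (-?\d+) "(.*)"$')

def build_query(command, argument=""):
    """Build a client query: getinfo <challenge>, getstatus or getchallenge."""
    text = command + (" " + argument if argument else "")
    return OOB + text.encode("ascii")

def parse_response(packet, challenge=None):
    """Return (identifier, fields, players) for an infoResponse or statusResponse.

    The packet is untrusted input, so anything malformed raises ValueError.
    If challenge is given, the reply must echo it (section B).
    """
    if not packet.startswith(OOB):
        raise ValueError("missing OOB prefix")
    lines = packet[len(OOB):].decode("latin-1").split("\n")
    identifier = lines[0].strip()
    if identifier not in ("infoResponse", "statusResponse"):
        raise ValueError("unexpected identifier: %r" % identifier)
    if len(lines) < 2 or not lines[1].startswith("\\"):
        raise ValueError("missing field string")
    tokens = lines[1].split("\\")[1:]          # drop the empty token before the first '\'
    if len(tokens) % 2:
        raise ValueError("key without a value")
    fields = dict(zip(tokens[0::2], tokens[1::2]))
    if challenge is not None and fields.get("challenge") != challenge:
        raise ValueError("challenge not echoed")
    players = []
    for line in lines[2:]:                     # assumed layout: one player per line
        if not line:
            continue
        m = PLAYER_RE.match(line)
        if m is None:
            raise ValueError("bad player line: %r" % line)
        # The second column is the one the paper marks "0 = ???".
        players.append({"frags": int(m.group(1)), "second": int(m.group(2)),
                        "name": m.group(3)})
    return identifier, fields, players

# Constructed sample packets (not captured traffic).
SAMPLE_INFO = (OOB + b"infoResponse\n\\sv_allowAnonymous\\0\\pure\\1\\gametype\\0"
               b"\\sv_maxclients\\8\\clients\\2\\mapname\\q3dm17"
               b"\\hostname\\lan test\\protocol\\68\\challenge\\xxxx")
SAMPLE_STATUS = (OOB + b"statusResponse\n\\sv_maxclients\\8\\protocol\\67"
                 b"\\version\\Q3 1.31 win-x86 Dec 11 2001\\gamename\\baseq3\n"
                 b'5 0 "player1"\n3 0 "player2"\n')
```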