{"id":102,"date":"2011-10-25T19:15:30","date_gmt":"2011-10-25T19:15:30","guid":{"rendered":"http:\/\/www.gironsec.com\/blog\/?p=102"},"modified":"2011-10-25T19:15:30","modified_gmt":"2011-10-25T19:15:30","slug":"reversing-origin-p2","status":"publish","type":"post","link":"https:\/\/www.gironsec.com\/blog\/2011\/10\/reversing-origin-p2\/","title":{"rendered":"Reversing Origin P2"},"content":{"rendered":"

The triumphant release of Battlefield 3 marks the second time in my life where I waited til midnight to purchase a game standing outside a store. The first of which being Fallout 3 (after all I did wait 10 years for a sequel). And with the newest game out you would think there would be some sort of update right? ….RIGHT?<\/p>\n

\"\"<\/a><\/p>\n

Nope. Well sorta, but not much. About the only noticeable difference I see is that they modified the UI slightly, but other than that no real code changes are present in the binary.<\/p>\n

 <\/p>\n

Now is as good a time as any to reveal some of my findings. For starters we have some call to a telemetry server. It was on port 9922. I noticed this while Iwas monitoring new threads with processmon. After doing a slow as hell text binary search through the code for any references to the IP (159.153.235.32) which was NOT in the strings table (why?) this is what I found:<\/p>\n

loc_4020A6:
\nlea\u00a0\u00a0\u00a0\u00a0 edx, [ebp+var_26C4]
\npush\u00a0\u00a0\u00a0 edx\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; int
\npush\u00a0\u00a0\u00a0 offset aTelemetryserve ; “TelemetryServer”
\npush\u00a0\u00a0\u00a0 offset aTelemetry ; “Telemetry”
\nlea\u00a0\u00a0\u00a0\u00a0 ecx, [ebp+var_249C]
\ncall\u00a0\u00a0\u00a0 sub_6D3230
\ncmp\u00a0\u00a0\u00a0\u00a0 eax, 0FFFFFFFFh
\njz\u00a0\u00a0\u00a0\u00a0\u00a0 short loc_4020D5<\/p>\n

mov\u00a0\u00a0\u00a0\u00a0 esi, [ebp+var_26C0]
\ncmp\u00a0\u00a0\u00a0\u00a0 [ebp+var_26C4], esi
\njnz\u00a0\u00a0\u00a0\u00a0 short loc_4020EB
\nloc_4020D5:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; “159.153.235.32”
\npush\u00a0\u00a0\u00a0 offset a159_153_235_32
\nlea\u00a0\u00a0\u00a0\u00a0 ecx, [ebp+var_26C4]
\ncall\u00a0\u00a0\u00a0 sub_408CE0
\nmov\u00a0\u00a0\u00a0\u00a0 esi, [ebp+var_26C0]<\/p>\n

 <\/p>\n

A telemetry server!<\/p>\n

EA owns the IP range so I assume this is part of their tracking system<\/p>\n

http:\/\/whois.arin.net\/rest\/net\/NET-159-153-0-0-1\/pft<\/p>\n

What does it send? XML of course! But what contents? This is what I have been able to extrapolate:<\/p>\n

Initial connection is made, it sends the following markup:<\/p>\n

<TELEMETRY_XML><\/p>\n

<!– new session: BEGIN –><\/p>\n

<internal persona=”%s” UUID=”%I64x” nucleusId=”%s” locale=”%s”\u00a0 \/><\/p>\n

<Metric Module=”%s(internal ID %u)”\u00a0 Group=”%s(internal ID %u)” String=”%s tm_API=”%i”<\/p>\n

timeStamp=”%I64x (%.4i-%.2i-%.2i %.2i:%.2i:%.2i)” \/><\/p>\n

<!– new session: END –><\/p>\n

Then it sends a bunch of binary data. This is likely the encoded information about your system. I have yet to decode it.<\/p>\n

Since this is a C based library its using format string identifiers. You see strings, integers and their widths. The persona field is your sign on name. The nucleus ID is the same thing.<\/p>\n

The locale is the region (in my case USA), the metric module is something (???) same with the internal and group ID’s. Not sure what they are for yet. The tm_API is just some number. Lastly we have the 64 bit time stamp. Easy enough to follow and easy enough to filter through with wireshark.<\/p>\n

There is other stuff that I see from time to time that connects or listens, but its mostly dumb stuff like news feeds and an amazon service.<\/p>\n

\"\"<\/a>
\nThe 50.19 address belongs to amazon according to ARIN:<\/p>\n

http:\/\/whois.arin.net\/rest\/net\/NET-50-16-0-0-1\/pft<\/p>\n

Connecting to it with a raw socket yields nothing in terms of a banner or header. Its a damn echo server.<\/p>\n

\"\"<\/a><\/p>\n

You can look up the other ip’s you want, but I already saw most of them – web site connections made by the clients.<\/p>\n

There is a lot more stuff to document so I will continue this with part 3 when we go over the browser plugin.<\/p>\n","protected":false},"excerpt":{"rendered":"

The triumphant release of Battlefield 3 marks the second time in my life where I waited til midnight to purchase a game standing outside a store. The first of which being Fallout 3 (after all I did wait 10 years for a sequel). And with the newest game out you would think there would be […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[5,7],"tags":[],"_links":{"self":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/102"}],"collection":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/comments?post=102"}],"version-history":[{"count":3,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/102\/revisions"}],"predecessor-version":[{"id":108,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/102\/revisions\/108"}],"wp:attachment":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/media?parent=102"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/categories?post=102"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/tags?post=102"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}