
Feasibility study: Xbox halo AI via the PC

Posted: Sun Jun 27, 2004 10:32 am
by danny_1982_y
I was lying in bed this morning trying to think of a decent final year project for my degree and came up with the following. What I'd like to know is if it's feasible or not.

I've seen the AI mods and while they're quite impressive they're not as advanced as I'd like. As far as I can tell they involve injecting models and entities from sp levels into mp levels and whilst they're quite good at chasing and shooting they don't really participate in the game insofar as actively hunting for other players or flags etc.

What I want to do is write a PC program that mimics another xbox and tricks the host xbox into thinking another xbox is connected to the game, whereby I can use my own ai routines to control the virtual players. I realise that this isn't a traditional xbox mod per se, but see it as an interesting, if difficult, challenge (Note that this doesn't have anything to do with the PC version of Halo!).

This will involve:

* intercepting state information network traffic from the host machine (the xbox)

* interpreting this info into the virtual halo on the pc

* working out the new ai positions, actions etc

* converting this data into network traffic and sending it back to the xbox

... all while handling timing and synchronisation issues.

This will take a fair amount of time reverse engineering the data in the network packets. I've been playing with EtherDetect Packet Sniffer all morning and while the header part of the packet makes sense, the attached data seems rather random at the moment, i.e.:

When Xbox Halo searches for other games, it sends a packet via UDP port 3074 that is 102 bytes long. The data itself is 60 bytes long; the first 8 bytes are always null (or FF), yet the following 52 bytes seem completely random and I can't as of yet determine any patterns in it. Which is confusing as you'd expect a simple "detect lan games" message to be fairly standard.

And of course I haven't taken into account different netcode standards yet, as in the different versions of the game (NTSC-J, NTSC-US, PAL-UK, PAL-GER and PAL-ITA) may or do use incompatible netcode?

I realise the details are quite sketchy and not entirely thought through yet, but I was just wondering what people's opinion of this would be, in regards to whether it's possible or not. Thanks!

Posted: Sun Jun 27, 2004 12:44 pm
by banks
I think all the halo network traffic is encrypted, and I'd bet it would be next to impossible to crack

Posted: Sun Jun 27, 2004 9:45 pm
by danny_1982_y
Right. The network data being encrypted would explain the whole randomness I was talking about earlier. I managed to find this thread from the (now defunct?) xboxhacker forum cached in yahoo:
I'm not interested in Xbox Live myself but I'm more interested in Halo network debugging. Such as making your own network game or whatever to just play alone on multiplayer levels with a full screen! just knowing the code to send via the network
System link games should be easier, because if I understand things correctly, the LAN key that's stored in the xbe is used as the base key and gets combined with a random byte sequence from whoever is hosting the game. Since we can extract the LAN key, in theory it shouldn't be that hard to get access to the data. From what I've seen of programs like xbconnect, I wouldn't be surprised if they already have access to the data stream since it can show things like the number of players on a box.
Which gives me hope that the data can be decrypted. Now I've seen Caustik's xbe file format doc (http://www.caustik.com/cxbx/download/xbe.htm) and it says the Lan key is located at offset 0x00B0 of the certificate structure, and the certificate structure starts at 0x00101078 (? this value was found at 0x0118 which stores the 4bit address of the cert structure), so the Lan key is at location 0x00101128.

... which means that my version of halo has a lan key of ... *plays with hex editor some more* ... 00 8b 1c 90 8d 04 90 8b 54 24 18 8d 72 28 8b Fe.

And therefore I'm hoping that I can use this to help decrypt the network data so I can play around with it. Can anyone let me know if I'm on the right track or barking up a dead end? My hex skills are minimal at best.
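The post above locates the LAN key by walking the XBE header (certificate pointer at 0x0118, LAN key at 0x00B0 inside the certificate). The check a practitioner wants here is that the pointer stored in the header is a virtual address, so the file offset is that value minus the image base address, which the same XBE format document places at header offset 0x0104. The parser below is an added example (not code from the thread or from Caustik's project) that performs that translation and bounds-checks it; the sample image it builds is constructed for the example and is not a real game XBE. The base address at 0x0104 and the certificate size of 0x1D0 are taken from the XBE format document, not from this page.

```python
import struct

# XBE image header fields (offsets per Caustik's xbe.htm, linked in the post):
#   0x0000  magic "XBEH"
#   0x0104  base address: the virtual address the image is loaded at
#   0x0118  certificate address: a *virtual* address, not a file offset
# Certificate fields:
#   0x00B0  LAN key, 16 bytes
XBE_MAGIC = b"XBEH"
OFF_BASE_ADDR = 0x104
OFF_CERT_ADDR = 0x118
CERT_LAN_KEY_OFF = 0xB0
LAN_KEY_LEN = 16
CERT_SIZE = 0x1D0  # size of the certificate structure in the format document


def xbe_lan_key(image: bytes):
    """Return (cert_va, cert_file_off, lan_key) for an XBE image.

    Seeking to the raw value at 0x0118 reads whatever happens to sit at that
    file offset; subtracting the base address gives the real location."""
    if image[:4] != XBE_MAGIC:
        raise ValueError("not an XBE image")
    (base_addr,) = struct.unpack_from("<I", image, OFF_BASE_ADDR)
    (cert_va,) = struct.unpack_from("<I", image, OFF_CERT_ADDR)
    if cert_va < base_addr:
        raise ValueError("certificate address below image base")
    cert_off = cert_va - base_addr
    key_off = cert_off + CERT_LAN_KEY_OFF
    if key_off + LAN_KEY_LEN > len(image):
        raise ValueError("LAN key lies outside the image")
    return cert_va, cert_off, image[key_off:key_off + LAN_KEY_LEN]


def build_sample_xbe(base_addr=0x00010000, cert_va=0x00010178,
                     lan_key=bytes(range(16))) -> bytes:
    """Constructed minimal image for the example: just enough header to carry
    the two addresses, plus a certificate placed at cert_va."""
    cert_off = cert_va - base_addr
    img = bytearray(cert_off + CERT_SIZE)
    img[:4] = XBE_MAGIC
    struct.pack_into("<I", img, OFF_BASE_ADDR, base_addr)
    struct.pack_into("<I", img, OFF_CERT_ADDR, cert_va)
    struct.pack_into("<I", img, cert_off, CERT_SIZE)  # certificate size field
    img[cert_off + CERT_LAN_KEY_OFF:cert_off + CERT_LAN_KEY_OFF + LAN_KEY_LEN] = lan_key
    return bytes(img)


if __name__ == "__main__":
    va, off, key = xbe_lan_key(build_sample_xbe())
    print(f"cert VA 0x{va:08X} -> file offset 0x{off:X}, LAN key {key.hex()}")
```

Run against a real image by replacing `build_sample_xbe()` with `open("default.xbe", "rb").read()`; if the offset you reach by hand differs from `cert_off + 0xB0`, the difference should be exactly the base address.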

Posted: Mon Jun 28, 2004 1:27 pm
by danny_1982_y
I've made a little progress today. I'd better write this down in a semi-intelligible way before I forget what I've actually managed.

This is what I've discovered:

Ok, 2 xboxes. Xbox A has set up a game and is waiting for players and is idle. Xbox B is in the lobby and looking for games. B sends out a "any games?" broadcast packet which has 60 bytes of encrypted data. A returns with a "here's a game" broadcast packet that has 324 bytes of encrypted data. Every two seconds or so, B sends an "any games?" message and A responds with another "here's a game" message.

When Xbox B decides to join xbox A's game, it opens up a new connection that isn't broadcast (ip 255.255.255.255) but references Xbox A by its mac address. A responds in the same way and the two machines open up some sort of udp handshaking. This connection is then used for starting the game up and playing.

This is what I've done:

Using packet sniffing, I've saved a single 60 byte "any games?" packet by making my xbox search in an empty lobby. I then sent this packet (using a modified WinPCap program) to my xbox whilst it was hosting a game and waiting for players. The xbox, to my surprise, actually returned a "here's a game" message.

I've not yet successfully sent any other messages and got a reply from my xbox and am unlikely to until I can decrypt the actual messages to see what's actually being sent ... and can then create my own messages. So what, you may ask. Well, one of the simpler(?) applications of this might be to allow mod developers to test their own mods on their xbox with just one player, i.e. not have to resort to going splitscreen with a second player.

Again, any input on this would be much appreciated.

Posted: Mon Jun 28, 2004 4:44 pm
by Ryu
Um, well, I think I understand what's going on lol, so if I can help PM me or talk to me on AIM TvvIvvT... and the Lan Key is at offset 0x00101128, hmm, I'll have to look. Good luck :D

Posted: Wed Jun 30, 2004 10:58 am
by bOb-
I had the exact same idea a few weeks ago to make this xbox spoofer. It would be very advanced to actually decrypt the data and act upon that while almost constantly sending packets. I'm not completely sure how the udp connection works, but after some googling and more packet sniffing, I'm sure we can figure it out.

As a beginning, I was trying to figure out how to simply spoof another xbox via computer to make the real xbox believe that it was hosting, or joining a system link game so that people with 1 xbox could take pictures of mods with a full screen view. etc. etc.

Instant Message me on AIM @ bOb90A to talk

Posted: Wed Jun 30, 2004 1:37 pm
by mr_abc_2
well if u wana learn this stuff I'd try and get in contact with the people who made xbconnect, kai, gamespy xbox online thing etc.

reason why is probs cos they have the tools needed maybe 4 a program to trick the xbox into thinkin the pc is a xbox.

Posted: Thu Jul 01, 2004 7:43 am
by RunningRiot
Actually guys (this doesn't have anything to do with AI, so keep at it for that!), I think you can tell Halo that the minimum number of players on an Xbox is "1" (instead of 2) and you could do it in split screen mode. I don't know where the tag is in an Xbox map, but I've found the data entry (in globals.globals i think) for "minimum number of players" with the HEK.

I'll look into it real quick.

EDIT: upon further analysis, the "minimum number of players" tag is ALREADY set at 1 in the Xbox UI.map; so carry on.

-RunningRiot

Posted: Thu Jul 01, 2004 11:46 am
by jimmsta
check out the cxbx xbox emulator forums. they're trying to figure out halo's network packets as well (mainly to emulate xbox halo on a pc).

Posted: Thu Jul 01, 2004 2:11 pm
by vapor007
the networking can be fooled as shown by programs like XBC. what would be interesting is if you made your program represent itself as an xbox, therein allowing you to join, in other words do almost what XBC is doing, only it connects to your program instead of another server.

Posted: Sun Jul 18, 2004 12:39 am
by danny_1982_y
First of all ... apologies for going incommunicado - I've had to move house and have been without an internet connection for several weeks. Neither have I had the chance to work on this but hope to over the next few weeks to see where I get.

Bob - I'm glad that someone else has had the same idea. I've added you on AIM (danny1982y) so hopefully we can figure this out.

The way I see it, the best way to make progress is, as you said, to make a simple spoof program. Grabbing all the udp packets from the client xbox in a real 1 on 1 game might be a start ... and then writing the WinPCap program to send these packets to the xbox hosting the game and see how it reacts. As written before, I had some very limited success in having the xbox respond to the pc's "any games?" packet (but not the other way around).

Testing this is difficult at the moment as to collect the udp packets ideally I'd have two xboxes, but as of yet I've only been able to packet sniff whilst playing online via Xboxconnect or the rather excellent Kai. I did recently buy my girlfriend an xbox, but I doubt she'd be willing to let me borrow it for a few weeks, not after discovering the joy that is Halo for herself :P

Posted: Wed Jul 21, 2004 11:16 pm
by AUSSIE_SPARTAN
I hope you figure this out mate. This would be a really big thing for halo.

Posted: Sun Aug 15, 2004 6:44 am
by danny_1982_y
I've not had much time to play with this due to work and other commitments, but here's a small update:

Recently I've been porting an old win32 game I made to the xbox - EDGEworms - basically snake you'd get on your mobile phone (or the old qbasic game if anyone remembers that). EDGEwormsX is coming along fairly well - four players can battle with any number of AI (though I'll probably limit this to 8, maybe 16). On my menu I've got "Create Game" and "Join Game" options, with the idea that any game created can be a networked game by default (as opposed to menus in games which differentiate offline and online games, i.e. EDGEwormsX will abstract the networking gubbins away from the player).

What does this have to do with Halo? Well in developing network code for EDGEwormsX I'm beginning to learn a lot about how the xbox transmits network data, and hopefully I can use this knowledge to help intercept and decrypt halo network transmissions. Here's a snippet from a certain helpfile I've been using:

======

When the host starts a game, he must register a network session using XNetCreateKey and XNetRegisterKey. When the session is complete (game is done), the host unregisters the session using XNetUnregisterKey.

The host must acquire his XNADDR using XNetGetTitleXnAddr. The host then waits for clients to find and join his game.

Upon receiving a "find game" message from a potential client, the host cannot reply directly to the client, because no secure session has been established. He or she must instead broadcast a "found game" message. This means that the host must send back a value that the requesting client "knows" about. The method used by the sample is for the client to generate a nonce and send the nonce with the "find game" message. The host then resends the nonce back in its "found game" message. The client with the matching nonce knows that the "found game" message is for him.

When the host sends the "found game" message to the client, the host also sends his XNADDR and the session key information.

When the host receives a "join game" message, he calls XNetInAddrToXnAddr to convert the client's INADDR to an XNADDR. If this call is successful, then a secure session exists between the host and the client. From that moment on, the host can use the client's INADDR with normal Winsock calls to communicate with the client.

In response to the "join game" message, the host issues a list of all the existing players to the new client. The key elements of this list are the XNADDRs of each of the existing players.


=======

I was surprised and pleased to learn that a lot of what I'd assumed from tinkering around with packetsniffers turned out to be pretty accurate - the whole "any games?"/"here's a game" stuff. Also I'm hoping this will provide insight into the whole Lan Key concept which no one really seems to know much about.

So basically if I can get EDGEwormsX working with a fully networked game then it bodes well for this Halo network spoofer project. The biggest obstacle I currently have is that I only have one xbox at this house which makes testing any networking code next to impossible (other than laboriously capturing packets and sending them back ... which doesn't really work when each networking session is supposed to have its own unique Lan id).

Um, yeah, so there you have it. This post was mainly for my benefit to collect my thoughts and work out a clear direction ... which probably involves splashing out on my 4th xbox.
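The help file excerpt in this post and the "any games?"/"here's a game" exchange described in the Jun 28 post are the same protocol: a searching client broadcasts a find-game message carrying a nonce, and the host, having no secure session with the searcher yet, broadcasts a found-game message that echoes the nonce along with its XNADDR and session key information, so only the client whose nonce matches treats it as an answer. The simulation below is an added example, not code from the thread or from the Xbox SDK; the message types, field sizes and the XNADDR/session-key stand-ins are constructed for the example and are not Halo's wire format. It also shows why the replay experiment in the Jun 28 post gets a reply: the host answers any well-formed find-game broadcast, but the reply carries the replayed nonce, which no live searcher recognises.

```python
import os
import struct

# Constructed message types and sizes for this example (not the SDK's format).
MSG_FIND_GAME = 1
MSG_FOUND_GAME = 2
NONCE_LEN = 8
XNADDR_LEN = 16        # stand-in for the host's XNADDR
SESSION_KEY_LEN = 16   # stand-in for the session key information


def encode(msg_type, nonce, payload=b""):
    """Wire form: 1-byte type, NONCE_LEN-byte nonce, optional payload."""
    if len(nonce) != NONCE_LEN:
        raise ValueError("bad nonce length")
    return struct.pack("<B", msg_type) + nonce + payload


def decode(raw):
    if len(raw) < 1 + NONCE_LEN:
        raise ValueError("truncated message")
    return raw[0], raw[1:1 + NONCE_LEN], raw[1 + NONCE_LEN:]


class Client:
    """Lobby Xbox looking for games (Xbox B in the Jun 28 post)."""

    def __init__(self):
        self.nonce = os.urandom(NONCE_LEN)  # fresh for this search
        self.found = []                     # (xnaddr, session_key) of hosts answering *us*

    def find_game(self):
        return encode(MSG_FIND_GAME, self.nonce)

    def on_broadcast(self, raw):
        """Accept a found-game message only if it echoes our own nonce."""
        msg_type, nonce, payload = decode(raw)
        if msg_type != MSG_FOUND_GAME or nonce != self.nonce:
            return False
        self.found.append((payload[:XNADDR_LEN], payload[XNADDR_LEN:]))
        return True


class Host:
    """Hosting Xbox (Xbox A). No secure session exists with the searcher yet,
    so it cannot reply directly and instead broadcasts the nonce back."""

    def __init__(self, xnaddr, session_key):
        self.xnaddr = xnaddr
        self.session_key = session_key

    def on_broadcast(self, raw):
        msg_type, nonce, _ = decode(raw)
        if msg_type != MSG_FIND_GAME:
            return None
        return encode(MSG_FOUND_GAME, nonce, self.xnaddr + self.session_key)


def run_discovery(host, clients, extra_find_messages=()):
    """Simulate the LAN broadcast medium: every find-game reaches the host and
    every found-game reaches every client. Returns (games accepted per client,
    number of found-game broadcasts the host emitted)."""
    finds = [c.find_game() for c in clients] + list(extra_find_messages)
    replies = [r for r in (host.on_broadcast(f) for f in finds) if r is not None]
    for r in replies:
        for c in clients:
            c.on_broadcast(r)
    return [len(c.found) for c in clients], len(replies)


if __name__ == "__main__":
    host = Host(xnaddr=b"\x01" * XNADDR_LEN, session_key=b"\x02" * SESSION_KEY_LEN)
    a, b = Client(), Client()
    # A previously captured find-game message (constructed here) put back on the wire:
    stale = encode(MSG_FIND_GAME, os.urandom(NONCE_LEN))
    print(run_discovery(host, [a, b], [stale]))  # ([1, 1], 3)
```

The host emits three found-game broadcasts (one per find-game it saw, the replayed one included) but each live client records exactly one game, because the third reply echoes a nonce nobody is waiting for. That matching step is what lets several searchers share one broadcast domain without a secure session in place.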