OOB IP Spoofing exploits: Referee hack & Unban
Enemy Territory uses the Quake3 network protocol.
When you connect to a server, the communication is initialized by an OOB (Out of Band) message, whose format is:
The ÿÿÿÿ is the packet header; it is equal to 0xFF 0xFF 0xFF 0xFF and is used to identify the packet type.
connect is the command intended.
The userinfo is a key-value string whose format is
The userinfo contains
- g_password: the server password
- cl_guid: the etkey
- cl_wwwDownload: whether the client allows pk3 download
- name: the player name
- rate: the packet transfer rate
- snaps: the ping adjustment ?
- cl_punkbuster: whether punkbuster is enabled
- protocol: the protocol version, here 84
- qport: the client port used
- challenge: a random number ?
The raw line looks like this:
Now, when the server receives the connect query message, it appends another value at the end of your userinfo: your IP.
There are two ways to alter this value.
The <userinfo> is a char array of size 1024
#define MAX_INFO_STRING 1024
and I thought of adding a long key-value pair of length (1024 - the current <userinfo> length) characters at the end of the sent userinfo.
It looks like this
So, here, my <userinfo> followed by
\421 × A\420 × A
When the server receives that, it will add your IP after your userinfo, but as it's stored in a char variable, a buffer overflow occurs and your IP is discarded.
The server does not know your current IP anymore, and if you were IP banned, now you're not.
Duplicate field exploit
If the server receives the same key in the userinfo string, it will remove the last duplicated key.
after the name key (for example) will make the server remove the last ip key, which is your real ip, keeping the one you inserted in your fake userinfo.
The raw line would look like this:
This method makes it possible to spoof IP.
Now, another exploit can be used with IP spoofing.
Instead of spoofing the IP to a random IP like
220.127.116.11, spoofing it to localhost will automatically promote the player to Referee status.
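A server-side validation of the userinfo string that rejects the two malformed inputs the post describes (no room left for the appended IP, and duplicate or client-supplied ip keys). This is an added example, not code from the original post or from the Quake3/ET engine; MAX_INFO_STRING = 1024 is taken from the post, while the case-insensitive key comparison, the return codes and the sample server IP 10.0.0.5 are assumptions.

```c
#include <ctype.h>
#include <string.h>

#define MAX_INFO_STRING 1024  /* the engine limit quoted in the post */
#define MAX_KEYS 64

/* Case-insensitive key compare (assumption: treat "ip" and "IP" alike). */
static int keyeq(const char *a, size_t alen, const char *b, size_t blen)
{
    if (alen != blen) return 0;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Validate a client userinfo "\key\value\..." string before the server appends
 * its own "\ip\<addr>". Returns 0 if acceptable, else a constructed code:
 * -1 no room for the ip append, -2 bad framing, -3 key without value,
 * -4 client supplied the reserved ip key, -5 duplicate (or too many) keys. */
int validate_userinfo(const char *info, const char *server_ip)
{
    const char *seen[MAX_KEYS]; size_t seen_len[MAX_KEYS]; int nseen = 0;
    if (strlen(info) + 4 + strlen(server_ip) + 1 > MAX_INFO_STRING) return -1;
    if (info[0] != '\\') return -2;
    for (const char *p = info + 1; *p; ) {
        const char *ke = strchr(p, '\\');       /* end of key */
        if (!ke || ke == p) return -3;
        size_t klen = (size_t)(ke - p);
        if (keyeq(p, klen, "ip", 2)) return -4;
        for (int i = 0; i < nseen; i++)
            if (keyeq(seen[i], seen_len[i], p, klen)) return -5;
        if (nseen >= MAX_KEYS) return -5;
        seen[nseen] = p; seen_len[nseen] = klen; nseen++;
        const char *ve = strchr(ke + 1, '\\');  /* end of value */
        p = ve ? ve + 1 : ke + 1 + strlen(ke + 1);
    }
    return 0;
}

/* Build a constructed "\name\A\pad\AAAA..." string of exactly total_len chars
 * and validate it, to show where the length check starts rejecting. */
int check_padded(size_t total_len)
{
    static char buf[MAX_INFO_STRING + 64];
    const char *prefix = "\\name\\A\\pad\\";
    size_t plen = strlen(prefix);
    if (total_len < plen || total_len >= sizeof buf) return -99;
    memcpy(buf, prefix, plen);
    memset(buf + plen, 'A', total_len - plen);
    buf[total_len] = '\0';
    return validate_userinfo(buf, "10.0.0.5");
}
```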
Does it still work?
@DrWindows On some servers yes
I don't get how it works? Can u explain that ref hack?
You can use Simple UDP proxy/pipe 0.4.1 (sudppipe) with Quake 3 engine "connect" modifier 0.2 (q3conmod_sudp) (compatible with Enemy Territory as it uses quake3 network protocol)
plugin for sudppipe which allows a simple customization of the "connect" packet for the games which use the Quake 3 engine:
sudppipe -l q3conmod_sudp.dll -L "\parameter1\value1\parameter2\value2" IP PORT 1234
(use -L "" for the runtime help) then from the console of the game type:
the following is an example for joining a server which uses PunkBuster with PB disabled (the client will be kicked after some seconds/minutes):
sudppipe -l q3conmod_sudp.dll -L "\cl_punkbuster\1" SERVER PORT 1234
then from the client:
So to spoof your IP address, you can use
sudppipe -l q3conmod_sudp.dll -L "\ip\18.104.22.168:60252\ip\22.214.171.124:60252" SERVER PORT 1234
/connect 127.0.0.1 1234
@Annihil I don't get anything xD, where do I need to type that?
@DrWindows In the Windows Command Prompt (cmd)
It's really confusing.
Can u write a tutorial with like.
1st u do this
2nd this etc?
You do not know why it causes a cmd failure? I do everything according to your guide.
(4 is port)
Connecting to server:
@playerx99 never mind again corrupt .pk3 file all good
Got a new modem, now my F9 key won't bring up the menu, not sure why. Is it something with the program thinking someone else is using it and locked out? Can you check, I downloaded again, installed new, put in username and password, won't work. Tried several servers that I know work on. Let me know
@userasdf It's alright, it's life.
it has nothing to do with the guide
the F | A servers introduced a private anti cheat because I raged 24/7
the anti cheat will check the cgame.dll md5 checksum if it does not match the server that the slot will block you to join the team
nexus annihil, however, needs his manipulated cgame.dll to make the hooks work
annihil has to find a completely new method to bypass that