Main components and key concepts - Aib0t/Bluriest GitHub Wiki

BitDemon services

BitDemon (hence the "bd" prefix on everything) is an online plug-and-play solution made by Demonware. Created around 2004, it survived until 2015 without drastic changes. The exact version of BD used in Blur is unknown, but according to paths in the Blur 2 executable, it uses version 2.3.5. //TODO: Compare versions in Blur 1 and Blur 2

The BitDemon server-side framework consists of 4 services that games connect to:

  1. Stun server (stun.au.demonware.net) - STUN servers are used to check the NAT status of the client; their communications are unencrypted and fairly simple to understand.
  2. Auth server (blur-pc-live.auth.mmp3.demonware.net) - The Auth server is responsible for authenticating the client and generating 2 tickets, a game ticket and an LSG ticket, that play the key role in the whole process. Unlike its CoD counterpart, Blur uses login/pass auth, not Steam auth.
  3. LSG server (blur-pc-live.lsg.mmp3.demonware.net) - Lobby-Storage-Group server. The LSG server is the central process of BitDemon. It's responsible for everything related to the "playing the game" process: matches, user stats, leaderboards, matchmaking, friends.
  4. Content server (blur.cs.demonware.net) - the least researched one. According to all evidence, on the PC version it's responsible for player userpics, but it seems to be broken. All other functionality is yet to be discovered.

Call of Duty legacy

BitDemon has been used in the CoD series since MW1, which makes the protocol fairly well researched, with existing emulation solutions. This makes working with Blur packets doable without spending too much time on RE.

In terms of similarities, up to 80% of existing IW4 and T5 (CoD MW2 and CoD BO1) emulator code can be reused.

The biggest obstacles to a working emulator for Blur are the differences and blank spots. So far, LSG packets don't align with their CoD counterparts.

Packet type values are vastly different, but the structures are the same. The logic behind the main services is identical.

Key concepts

Ports

Blur uses 3074 TCP for the Auth and LSG servers and 3074 UDP for STUN. Occasionally, it uses an HTTP module to retrieve data. Ports vary from game to game.

Packet structure

BitDemon uses 2 types of writers and readers: bit-sized and byte-sized. Keep this in mind while working with packets.

As an example, we'll look at a login message from the client:

14000000000a51098dbf24daa40000e8b88aa104b55a9701

Every (unencrypted, more on that later) BitDemon packet is composed using the following pattern:

Packet payload size (14000000) Uint32 - 20

The payload size is used by both client and server and determines the number of bytes that will be read by the reader. Everything else will not be consumed.

Encryption flag (00) Uint8 - 0

The flow for consuming a packet differs between encrypted and unencrypted packets. Note also that parts of unencrypted packets can be encrypted using other flows.

Message type (0a) Uint8 - 10

Packet types. Nothing special.

Payload (51098dbf24daa40000e8b88aa104b55a9701) Bytes(Payload size - 2)

The payload can differ vastly from packet type to packet type and is usually composed by the bit writer, making direct analysis hard.
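
The framing described above as a stream splitter, added here as an example (not code from the Bluriest project or Demonware). It assumes the size field is little-endian, as 14000000 = 20 implies; `Frame`, `split_frames` and the `MAX_FRAME` cap are names and values chosen for this example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

SIZE_FIELD = struct.Struct("<I")  # Uint32, little-endian: 14000000 -> 20
MAX_FRAME = 0x10000               # assumption: sanity cap, not a BitDemon constant

@dataclass
class Frame:
    size: int                 # bytes following the size field
    encrypted: bool           # encryption flag != 0
    msg_type: Optional[int]   # None for encrypted frames (their layout is not covered here)
    payload: bytes            # size - 2 bytes when unencrypted

def split_frames(stream: bytes) -> Tuple[List[Frame], bytes]:
    """Split a TCP byte stream into frames; return (frames, unconsumed tail)."""
    frames, off = [], 0
    while len(stream) - off >= SIZE_FIELD.size:
        (size,) = SIZE_FIELD.unpack_from(stream, off)
        if not 1 <= size <= MAX_FRAME:
            # The length is peer-controlled: reject it before buffering anything.
            raise ValueError(f"implausible frame size {size} at offset {off}")
        start = off + SIZE_FIELD.size
        if len(stream) - start < size:
            break  # frame not fully received yet; keep the tail for the next read
        body = stream[start:start + size]
        if body[0] == 0:
            if size < 2:
                raise ValueError("unencrypted frame too short for a message type")
            frames.append(Frame(size, False, body[1], body[2:]))
        else:
            # Encrypted packets follow a different flow; keep their bytes opaque.
            frames.append(Frame(size, True, None, body[1:]))
        off = start + size
    return frames, stream[off:]

# Login message from the page, followed by a constructed partial second frame.
LOGIN = bytes.fromhex("14000000000a51098dbf24daa40000e8b88aa104b55a9701")

if __name__ == "__main__":
    frames, tail = split_frames(LOGIN + LOGIN[:7])
    for f in frames:
        print(f.size, f.encrypted, f.msg_type, f.payload.hex())
    print("unconsumed:", tail.hex())
```

The unconsumed tail is what an emulator would prepend to the next `recv()` result, since TCP gives no guarantee that one read returns exactly one packet.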