NickCis / among-us-proxy

Proxy of local network protocol for the Among Us game

Nice, got some questions

alexis-evelyn opened this issue · comments

I've decided I want to try my hand at creating a custom Among Us server and would like to know how one deciphers the packets. So far I figured out that Visual Tasks take 60 bytes in the data portion when it comes to config.

I've also figured out that the game hardcodes the ip addresses for Master and some game servers (I haven't been able to find every ip address I found out about in the game files).

I would like to ask how you do this and I may be able to have your proxy be the basis of connecting to a custom server.

Edit: I should mention, all the ip addresses I've found are located in global-metadata.dat (at least for the apk version, should be the same for the windows version).

I should mention, I want to create a custom server to have custom game modes. My two options for connecting to the custom server are a VPN app for every supported device, or a LAN-based proxy.

Hi there!

I don't know if you have checked the protocol description I'm writing (I have to upload some fixes to that description, hahaha), and the hacky message parser implementation.

Regarding how to understand the Among Us protocol, I started by using Wireshark (you have probably heard of it, it's one of the best known network analyzer tools). As the main readme says, the game sends packets to UDP port 22023, so if you filter by that port you'll see all the game's traffic (bear in mind that Wireshark shows the whole network packet, not just the application layer).

But then I built a tool to make it easier:

cd packages/among-us-proxy
node src/main.js --debug guest among-us://HOST-IP

(HOST-IP should be replaced with the ip of the host).

You should run the game on the same computer that you are running this tool and host a game on another device on the same local network. On the PC you should connect to the local multiplayer Proxy game. You'll then get all the messages printed on the console and the result of the hacky parser implementation.

Talking about the options for doing what you want: the only problem with using the same approach this proxy uses (the LAN-based proxy) is that I don't know if you can run an Android background process to do it. I'm not an Android dev, so I really don't know if it can be done. But I'm willing to help if you plan to make an open source implementation!

For Android, there's a built-in VPN feature that lets you redirect traffic without needing to root your phone. It's as easy as having the user click the accept VPN button.

I've also noticed that port 22024 is sometimes used for Among Us. I'll have to send a copy of my ip list I've been making when I get to my computer.

Among Us IP Addresses (No DNS as IP Hardcoded)

Rawish String: 66.175.220.120Master-345.79.40.75Master-2104.237.135.186Master-150.116.1.42Asia139.162.111.196Asia-Master-1Europe172.105.251.170Europe-Master-1

Master 3: 66.175.220.120 (global-metadata.dat)
Master 2: 45.79.40.75 (global-metadata.dat) (Confirmed) - 22023
Master 1: 104.237.135.186 (global-metadata.dat) (Confirmed) - 22024

America: 50.116.1.42 (global-metadata.dat)
America: 104.237.157.81 (Missing From Game Files) (Confirmed) - 22023
America: 198.58.99.71 (Missing From Game Files) (Confirmed) - 22024
America: 173.237.17.172 (Missing From Game Files) (Confirmed) - 22023

Asia Master 1: 139.162.111.196 (global-metadata.dat) (Confirmed) - 22024 and 22023
Asia: 172.105.163.93 (Missing From Game Files) (Confirmed) - 22023

Europe: 176.58.110.231 (Missing From Game Files) (Confirmed) - 22023
Europe Master 1: 172.105.251.170 (global-metadata.dat) (Confirmed) - 22023

Port Number: 22023 and Sometimes 22024

Confirmed means I found the ip in a packet capture. global-metadata.dat is the game file I found the ip in when searching using grep. Well, Missing... just means I found the ip in a packet capture, but have not successfully found it in the game files yet.

I should mention, all of these captures were made with tcpdump running on Bluestacks with a version of the game directly from Google Play Store. I then copied the dump over to my laptop for Wireshark to read.

If you would like, I can send you the link to all the packet captures and game files on Google Drive. I just ask to be able to dm it, as well, I have copyrighted files in the drive folder.

The IPs that I was able to extract from the desktop .dat files were the following:

  • 66.175.220.120
  • 45.79.40.75
  • 104.237.135.186
  • 50.116.1.42
  • 139.162.111.196
  • 172.105.251.170

If you start a handshake with the server, it sends a description of what the server is (all of them send an answer after you send packets to port 22023).

$ node fake.js 104.237.135.186                                                                                                                                                                           
Ip: 104.237.135.186
<- 08 00 01 00 46 d2 02 03 05 66 61 6b 65 72                                  | ....FÒ...faker
<- 01 00 02 05 00 01 20 00 00 00 07                                           | ...... ....
-> 00 8e 00 0e 01 07 11 00 00 08 4d 61 73 74 65 72 2d 35 c6 3a 63 47 07 56 95 | ..........Master-5Æ:cG.V.
   20 11 00 00 08 4d 61 73 74 65 72 2d 36 2d 4f 05 06 07 56 98 30 11 00 00 08 |  ....Master-6-O...V.0....
   4d 61 73 74 65 72 2d 37 2d 4f 43 7c 07 56 a2 22 11 00 00 08 4d 61 73 74 65 | Master-7-OC|.V¢"....Maste
   72 2d 34 c6 3a 73 39 07 56 b1 1d 11 00 00 08 4d 61 73 74 65 72 2d 33 2d 4f | r-4Æ:s9.V±.....Master-3-O
   28 4b 07 56 d3 22 11 00 00 08 4d 61 73 74 65 72 2d 32 68 ed 87 ba 07 56 d4 | (K.VÓ"....Master-2hí.º.VÔ
   27 11 00 00 08 4d 61 73 74 65 72 2d 31 32 74 01 2a 07 56 81 24             | '....Master-12t.*.V.$
-> 01 00 01 04 00 01 03 00 00 00                                              | ..........
Error: implement t: 1

In the previous example I just sent the local multiplayer handshake to the online multiplayer server. It really won't work, but the server is sending a response, so apparently it understands the messages I'm sending. I'll have to investigate further to figure out the differences between the local and online handshake. I believe that the in-game messages should be the same. (Here you can find the fake.js script.)

I've not done an in-depth analysis of the online multiplayer protocol, but I think it is rather similar to the local multiplayer one, which only uses port 22023. Perhaps servers are listening on several ports. I really don't know.

Regarding the Android topic, I really don't know, so, I'll trust what you are saying.

If you want to contact me, you can find my email and twitter handle on my github profile.

Apparently there are at least 12 masters?

➜  among-us-proxy git:(master) node fake.js 198.58.99.71
Ip: 198.58.99.71
<- 08 00 01 00 46 d2 02 03 05 66 61 6b 65 72                                  | ....FÒ...faker
-> 00 8e 00 0e 01 07 11 00 00 08 4d 61 73 74 65 72 2d 35 c6 3a 63 47 07 56 ad | ..........Master-5Æ:cG.V­
   39 11 00 00 08 4d 61 73 74 65 72 2d 36 2d 4f 05 06 07 56 ba 3c 11 00 00 08 | 9....Master-6-O...Vº<....
   4d 61 73 74 65 72 2d 37 2d 4f 43 7c 07 56 d1 59 11 00 00 08 4d 61 73 74 65 | Master-7-OC|.VÑY....Maste
   72 2d 34 c6 3a 73 39 07 56 c9 53 11 00 00 08 4d 61 73 74 65 72 2d 33 2d 4f | r-4Æ:s9.VÉS....Master-3-O
   28 4b 07 56 8a 48 11 00 00 08 4d 61 73 74 65 72 2d 32 68 ed 87 ba 07 56 ad | (K.V.H....Master-2hí.º.V­
   4c 11 00 00 08 4d 61 73 74 65 72 2d 31 32 74 01 2a 07 56 c4 3a             | L....Master-12t.*.VÄ:
<- 01 00 02 05 00 01 20 00 00 00 07                                           | ...... ....
-> 01 00 01 04 00 01 03 00 00 00                                              | ..........
Error: implement t: 1

And country specific masters too.

➜  among-us-proxy git:(master) node fake.js 139.162.111.196
Ip: 139.162.111.196
<- 08 00 01 00 46 d2 02 03 05 66 61 6b 65 72                                  | ....FÒ...faker
<- 01 00 02 05 00 01 20 00 00 00 07                                           | ...... ....
-> 00 34 00 0e 01 02 16 00 00 0d 41 73 69 61 2d 4d 61 73 74 65 72 2d 31 8b a2 | .4........Asia-Master-1.¢
   6f c4 07 56 e1 2a 16 00 00 0d 41 73 69 61 2d 4d 61 73 74 65 72 2d 32 ac 68 | oÄ.Vá*....Asia-Master-2¬h
   60 63 07 56 88 2d                                                          | `c.V.-
-> 01 00 01 04 00 01 03 00 00 00                                              | ..........
Error: implement t: 1

Since I now have PlayOnMac installed and tested Among Us working on it, I'm going to try to use the proxy settings on PlayOnMac to single out Among Us traffic. I have not been able to get this proxy to run on PlayOnMac because .NET keeps failing to install and Mono for some reason is not good enough to be used to launch this proxy.

If successful, I can then start capturing Among Us traffic live and may be able to learn how to write a Wireshark protocol analyzer for Among Us.

Edit: Nope, the proxy doesn't seem to work for UDP traffic. I set it to a non-existent proxy which stopped the download panel from working, but Among Us worked fine.

Edit: So, for capturing traffic, turns out Apple's version of tcpdump allows filtering by process: tcpdump -Q proc=wine32on64-prelo -k for using PlayOnMac with Among Us. I just need to figure out how to feed it live into Wireshark.

Edit: Got it, I just created a named pipe and had tcpdump save to the pipe with -w then I read from the pipe with Wireshark. I left another pcap with two chat messages and then me kicking my phone's account with the name Alexis and the color purple. The laptop's account was named POM and was red.

The proxy is built in node + electron, so you can run it natively on Mac; there is no need to use wine (or PlayOnMac) to run the proxy.

In order to run the proxy ui:

npm install
npm run bootstrap
cd packages/gui
npm start

And you should get the UI running.

Regarding the game, I'm debugging it on Linux; the game runs correctly using the official build from Steam via their Proton integration (you have to set some command line arguments in the Proton config, but apart from that it runs correctly out of the box).

Anyway, with wireshark you should be able to capture the game's network traffic. Just start recording traffic and then filter by the udp port 22023. Be aware that wireshark shows the full packet (including udp headers), you should only pay attention to the application layer.

Using a combination of https://github.com/NickCis/among-us-proxy/blob/master/packages/among-us-proxy/src/parse.js and wireshark, I have determined that packets starting with 0c are client initiated pings and they always start with the two bytes 0c 00 with the third byte being incremented by one every ping.

As for game join codes, I have no idea what format the data is being stored in. I've made several captures with only loading the game and immediately quitting after the screenshot, and have not found the code in any of the packets so far. I may have to wait until other packets are deciphered first.

[Screenshot: Screen Shot 2020-10-04 at 3 04 26 PM]

As for packets that start with 0a, they appear to be server initiated pings and always start with the bytes 0a 00 with the third byte working just like the client init ping. However, the 4th byte always appears to be ff.

Edit: I should mention, to anyone else wondering where these captures are at. I sent the GDrive link to @NickCis. I'm not sure about the legality of releasing packet captures, so I've just kept the link to link only and not publishing it here.

Edit: From a ping standpoint, client side init is always 3 bytes of length and server side is always 4 bytes of length. As can be seen for client side init from the Len = 3 in the screenshot above.

I started work on a wiki to help me keep track of how the protocol works. If you want to contribute to it too, let me know.

https://github.com/alexis-evelyn/Among-Us-Protocol/wiki

Talking about the ping, I'm not sure it works the way you are describing. Client and server both send both types of ping; I think it may be some ping request / response, which both parties send in order to check that the other is still alive.

Regarding your wiki, as I've said previously, I'm writing a description on this markdown file, so probably I won't send any commit to your wiki.

Anyway, the parse.js script is more up to date than the markdown file; you can also find some message dumps in the script's test file.

I can confirm that packets starting with 00 83 do have the ip addresses of other Among Us servers in them.

For example,

0000   00 8e 00 0e 01 07 11 00 00 08 4d 61 73 74 65 72   ..........Master
0010   2d 35 c6 3a 63 47 07 56 fa 2c 11 00 00 08 4d 61   -5.:cG.V.,....Ma
0020   73 74 65 72 2d 36 2d 4f 05 06 07 56 c3 2f 11 00   ster-6-O...V./..
0030   00 08 4d 61 73 74 65 72 2d 37 2d 4f 43 7c 07 56   ..Master-7-OC|.V
0040   c2 53 11 00 00 08 4d 61 73 74 65 72 2d 34 c6 3a   .S....Master-4.:
0050   73 39 07 56 8c 32 11 00 00 08 4d 61 73 74 65 72   s9.V.2....Master
0060   2d 33 2d 4f 28 4b 07 56 d8 2d 11 00 00 08 4d 61   -3-O(K.V.-....Ma
0070   73 74 65 72 2d 32 68 ed 87 ba 07 56 c2 38 11 00   ster-2h....V.8..
0080   00 08 4d 61 73 74 65 72 2d 31 32 74 01 2a 07 56   ..Master-12t.*.V
0090   c1 2b                                             .+

In the above dump, c6 3a 63 47 translates to 198 58 99 71 by converting the hexadecimal to decimal for each separate byte. That translates to the ip 198.58.99.71 which has been seen in an Among Us Packet Capture.

Edit: Interesting thing is, Master-12 does not seem to be an existing ip address while the bytes 0e 01 07 11 points to a Japanese server according to reverse dns lookup. It's possible that the ip may come first, then the ASCII text second.

As far as I understood, the handshake is very similar to the local multiplayer one you'll find implemented in the fake.js script. The match's code is encoded in one message and the server responds with a message that contains the new server ip. After getting that ip, the client performs the same handshake against that new ip.

You can check the messages at the end of this post.

I'm not able to figure out how the match's code is encoded. The code consists of 6 letters, which get encoded in 4 bytes. I've printed several examples; if you find out how it is encoded, please post the solution.


Europe: 172.105.251.170

  1. Client -> Server (E) Handshake (same as local)
0000   08 00 01 00 46 d2 02 03 04 4f 74 72 6f            ....F....Otro
  1. Server (E) -> Client
0000   00 38 00 0e 01 02 18 00 00 0f 45 75 72 6f 70 65   .8........Europe
0010   2d 4d 61 73 74 65 72 2d 32 ac 69 f9 19 07 56 f6   -Master-2.i...V.
0020   15 18 00 00 0f 45 75 72 6f 70 65 2d 4d 61 73 74   .....Europe-Mast
0030   65 72 2d 31 ac 69 fb aa 07 56 f8 14               er-1.i...V..
  1. Server starts ping (0a 00 01 ff)

  2. Client -> Server (E)

CKUHXQ
0000   01 00 02 05 00 01 b3 a1 1a 80 07                  ...........
                         CC CC CC CC
VIBQQQ
0000   01 00 02 05 00 01 50 56 00 80 07                  ......PV...

VUPLQQ
0000   01 00 02 05 00 01 80 8d 02 80 07                  ...........

MRRTQQ
0000   01 00 02 05 00 01 66 ac 01 80 07                  ......f....

KLOXWQ
0000   01 00 02 05 00 01 ac a8 0b 80 07                  ...........

KAGDRQ
0000   01 00 02 05 00 01 9a f2 23 80 07                  ........#..

EDTTWQ
0000   01 00 02 05 00 01 0c 41 0c 80 07                  .......A...

AAAAAA
0000   01 00 02 05 00 01 a3 3e e4 9b 07                  .......>...

AAAAAB
0000   01 00 02 05 00 01 a3 be 99 97 07                  ...........

AAAAAC
0000   01 00 02 05 00 01 a3 7e 74 95 07                  .......~t..

QQQQQQ
0000   01 00 02 05 00 01 00 00 00 80 07                  ...........

QQQQQZ
0000   01 00 02 05 00 01 00 a0 3c 92 07                  ........<..

QQQQQR
0000   01 00 02 05 00 01 00 e0 37 83 07                  ........7..

RQQQQQ
0000   01 00 02 05 00 01 03 00 00 80 07                  ...........

SQQQQQ
0000   01 00 02 05 00 01 09 00 00 80 07                  ...........

QRQQQQ
0000   01 00 02 05 00 01 4e 00 00 80 07                  ......N....

(I've dumped several messages, but I'm not figuring out how the game is encoding the match code).

  1. Server (E) -> Client
0000   01 00 01 06 00 0d 97 ec dd 9e 07 56               ...........V
                         II II II II
II II II II: Ip address 151.236.221.158
  1. Client -> Server (E) (The server also sends this close message)
0000   09                                                .
  1. Client -> Another Server (151.236.221.158)
0000   08 00 01 00 46 d2 02 03 04 4f 74 72 6f            ....F....Otro
  1. Server starts ping (0a 00 01 ff)

  2. Client -> Server (Another)

0000   01 00 02 05 00 01 b3 a1 1a 80 07                  ...........
  1. Server (Another) -> Client
0000   01 00 01 10 00 07 b3 a1 1a 80 5c cc 10 00 33 cc   ..........\...3.
0010   10 00 01 b3 98 43 06 00 0a b3 a1 1a 80 01 00      .....C.........
  1. Server (Another) -> Client
0000   01 00 02 0b 00 05 b3 a1 1a 80 04 00 02 04 12 00   ................
0010   ff                                                .
  1. Client -> Server (Another)
0000   01 00 03 15 00 05 b3 a1 1a 80 0e 00 06 dc 98 43   ...............C
0010   0a 4f 6e 6c 69 6e 65 47 61 6d 65                  .OnlineGame
  1. Server (Another) -> Client
0000   01 00 03 5b 00 06 b3 a1 1a 80 dc 98 43 0c 00 04   ...[........C...
0010   02 fe ff ff ff 0f 00 01 01 00 00 01 21 00 04 03   ............!...
0020   fe ff ff ff 0f 00 02 02 10 00 01 01 00 07 61 6e   ..............an
0030   64 72 6f 69 64 07 1c 00 00 00 00 03 01 00 01 00   droid...........
0040   1e 00 04 04 b3 98 43 01 03 04 02 00 01 00 00 05   ......C.........
0050   00 00 01 06 0a 00 01 06 00 fd 7a 8f 87 ff 7f ff   ..........z.....
0060   7f                                                .
  1. Server (Another) -> Client
0000   01 00 04 66 00 05 b3 a1 1a 80 1e 00 04 04 dc 98   ...f............
0010   43 01 03 07 02 00 01 01 01 08 00 00 01 09 0a 00   C...............
0020   01 00 00 ff 7f ff 7f ff 7f ff 7f 2f 00 02 07 02   .........../....
0030   2c 03 0a 02 00 00 00 00 00 00 80 3f 00 00 80 3f   ,..........?...?
0040   00 00 c0 3f 00 00 34 42 01 01 02 01 00 00 00 02   ...?..4B........
0050   01 0f 00 00 00 78 00 00 00 01 0f 01 01 0c 00 02   .....x..........
0060   02 1e 07 00 01 00 00 00 00 00 00 00               ............
  1. Client -> Server (Another)
0000   01 00 04 11 00 06 b3 a1 1a 80 b3 98 43 07 00 02   ............C...
0010   07 05 04 4f 74 72 6f                              ...Otro
  1. Client -> Server (Another)
0000   01 00 05 0d 00 06 b3 a1 1a 80 b3 98 43 03 00 02   ............C...
0010   07 07 04                                          ...
  1. Client -> Server (Another)
0000   01 00 06 16 00 05 b3 a1 1a 80 03 00 02 07 11 00   ................
0010   03 00 02 07 09 46 03 00 02 07 0a 08               .....F......
  1. Server (Another) -> Client
0000   01 00 05 27 00 05 b3 a1 1a 80 07 00 02 07 06 04   ...'............
0010   4f 74 72 6f 03 00 02 07 08 04 10 00 02 02 1e 0b   Otro............
0020   00 01 04 4f 74 72 6f 04 00 00 00 00 00            ...Otro......
  1. Server (Another) -> Client
0000   01 00 06 17 00 05 b3 a1 1a 80 10 00 02 02 1e 0b   ................
0010   00 01 04 4f 74 72 6f 04 46 00 08 00 00            ...Otro.F....

This may be a job for a decompiler or a debugger to figure out how the codes are processed.

[Screenshot: Screen Shot 2020-10-05 at 2 06 20 PM]
[Screenshot: Screen Shot 2020-10-05 at 2 07 54 PM]

Edit: The client to server packets between both of these sessions are the exact same bytes, so I don't think the client is sending a game code.

I couldn't understand what you've said.

The client does send the code to the server. Handshake on local multiplayer and online multiplayer are very similar. On local, the client sends the 20 00 00 00 code. As far as I understand, this code is then repeated on mostly every message.

The main difference between the online and the local multiplayer, is that in the online the server might send a message to signal the client to connect to another ip.

I was saying that between the two captures I made, the bytes the client sent in the data portion of the packet were the exact same bytes. That may not always be true, it was just something I noted.

Something else to note is the frowning here. I do not know if the frowning emoticon is intentional or coincidental. The bytes seem similar enough to this custom message sent from being idle in the lobby, but it doesn't match the pattern perfectly.

[Screenshot: Screen Shot 2020-10-05 at 9 57 32 PM]

[Screenshot: Screen Shot 2020-10-05 at 9 58 15 PM]

Ahh, are you asking about the 08 ... message? As far as I understand, that message shouldn't change between sessions. It's the start of the handshake; it has the client's user name. You can check more about it in the fake script.

The message that contains the game code is the one that the client sends after the 08 one. It's a 01 message, not a 08. Eg:

0000   01 00 02 05 00 01 b3 a1 1a 80 07 

You can read more about the 01 message structure here (20 00 00 00 should be the game's code).

I'll definitely have to check it out in a few days. I should mention I am sending my laptop in for repair tomorrow and don't know how long the repair will take. I'll see if I can view pcaps on my phone or at the very least capture them while waiting for my laptop to be repaired.

Hello! I just came across this repo and issue thread and thought I'd share that AeonLucid has pretty well reverse engineered the game and has a server implementation which would perhaps be of interest to y'all: https://github.com/AeonLucid/Impostor

Nice, I'll have to check it out when I get my laptop back from repairs.

@pau101 I didn't know that repo existed, thanks! :)

So, the game code is some sort of data compression. Credit to Discord user @MooMan#4477 for providing this file on my discord.

Apparently mobile won't let me upload non-image files, so here's the paste. https://hastebin.com/sebogoloxe.yaml

I haven't had any spare time to analyze what the code transformation is doing. The function that you provided is very similar to the one the AeonLucid/Impostor project has. You can check it out here. I'll implement it in js when I get some free time :).

I just got notice that my laptop will arrive tomorrow, so I can check out the findings from the people on my Discord server.

If you also want to take a look at the findings @NickCis , you can join the server at https://discord.gg/DFUaVMx. I totally did not expect to have a bunch of people find the server for Among Us.

From what it looks like, someone just managed to make a "working" server (quoted by them) which is able to dump data about the current game into json format.

I just learned that the network library for Among Us is this fork of Hazel. https://github.com/willardf/Hazel-Networking