|
Hello everyone,
so first of all, I would like to clarify that I am by far no expert in this kind of analysis. I just have some basic knowledge about what's going on in an operating system. And all I'm asking for here is for someone to help me put things into perspective and explain to me what might be going on or what I might have misinterpreted.
What happened? Lately, while playing Starcraft: Remastered, I recognised some unusually heavy upload activity, originating from my Computer and going towards my wifi router. It can nicely be observed within the wifi workload of the router. Download speed remains as usual.
Taking a look into the network activities using a monitoring tool, I found that in fact the process of Starcraft is responsible for the upload. Using the UDP protocol, it seems to send a lot of data to 37.244.54.234. Alongside with some other IP addresses, which most likely apply to the other players. A lookup of the, by far most active, IP address unsurprisingly reveals that it's a static IP address of Blizzard. (Btw. blocking that IP does not work. Starcraft just switches to another one within the 37.244.54.X range. I don't know how many exactly, but a lot of them seem to belong to Blizzard. And if I block the entire range, I am no longer able to join any games - but surprisingly still able to join Battle.Net and chat.)
The interesting part is, that the upload starts as soon as I join a game Lobby, peaks at the start of a game and starts to lower after some minutes into the game.
Curiosity sparked, I decided to monitor all activities of the Starcraft process for a while. After some time, there was something interesting. Right at the moment when I joined another game lobby, Starcraft.exe read in a lot of files, which it actually should not have any interest in.
The executables of Daemon Tools Lite, HP Scanning Software, WPS Office, Windows System Binaries... and so on. And like the ones marked in the Screenshot, Starcraft.exe did not only probe the mentioned files; it completely read them in. So I am wondering, what does it do with that data? Is that normal behavior for a game executable?
Not sure about the file reading thing, but the crazy upload behavior started since the last update of Starcraft: Remastered via the Battle.Net Launcher.
Can someone help me understand?
|
If I had to speculate, probably some sort of check to help against people hacking on ladder. Just speculation.
|
Warden (Blizzard's proprietary antihack) has been in BW since the remastered prepatch (I think?) and is known to scan memory for malicious programs and send them to Blizz servers for comparison.
|
How the do you know it started since last patch? Do you analyze this frequently or have a data quota alarm?
|
The UDP connection you're seeing I think is just the game traffic (and the fact it is going to Blizzard is probably just because the connection is being proxied).
There's no good reason why they would do telemetry over UDP, it doesn't make sense. The TCP connections on 443 are much more likely (especially given the hostnames) to be uploading telemetry data.
This isn't Blizzard deploying or running spyware, reading executables on your machine is normal for a game that tries to prevent hacking.
Also, the numbers you're seeing are not what I would call "crazy upload behaviour" at all, not even close. I think you're jumping the gun in a big way here.
|
On April 26 2021 08:51 prOxi.swAMi wrote: The UDP connection you're seeing I think is just the game traffic (and the fact it is going to Blizzard is probably just because the connection is being proxied).
There's no good reason why they would do telemetry over UDP, it doesn't make sense. The TCP connections on 443 are much more likely (especially given the hostnames) to be uploading telemetry data.
This isn't Blizzard deploying or running spyware, reading executables on your machine is normal for a game that tries to prevent hacking.
Also, the numbers you're seeing are not what I would call "crazy upload behaviour" at all, not even close. I think you're jumping the gun in a big way here.
Pretty much this. If you were on a turn-rate of 24 in a 2 player game and every packet was the maximum it could be without fragmentation (~1500 bytes), one would expect a send speed of 24 * 1500 / 1024 = ~35kbps, and your task manager is showing less than half that, so why exactly is that worrying?
As far as the file reads, I don't believe "Warden" is a thing any more and is not active in SC:R at all, they rely on an off-the-shelf anti-debugger and obfuscation technology now, not active protection. What those look like to me is mostly programs injecting themselves into the StarCraft process and doing initialization.
Certainly, above all else, this was not something that began in the last update. The last update only changed the ladder map pool.
|
Hello everyone,
I would like to pick up on this thread once more, in the hopes that someone else might find the information useful which I discovered.
The problem I describe in my first post got way worse. In most games, the Up- and Download speed is quite low. But "sometimes" the Starcraft: Remastered process randomly starts to go apeshit. It happens, I would say, every 5th to 10th game. Almost exclusively in 3v3 or 4v4. It can happen at every point within a running game, but mostly within the first 5 or so minutes. The Starcraft process starts to download with up to 35 KiB/s and also a very high Upload-rate. Always from/to a Blizzard IP. When it happens, in-game, the game stops immediately and I start to lag. Within the infamous 45 seconds before one can be dropped from a game, it continues maybe 3 or 4 times for a very short moment. After that, the other players cannot kick me, nor can I drop out of the game myself. (No need to mention how often I was called a hacker due to that.)
After a lot of analysis without any clear results, I started to randomly kill other processes once the problem occurred. And that's when I found the cause: It's the ASUS ROG GameFirst V Utility, running as GameFirst_V.exe! In its description it says: "ROG GameFirst V is an exclusive Asus tool that optimizes network traffic to increase latency and speed in the game." Yeah, well done ASUS...
I didn't even know something like that was running on my PC. Otherwise it would have immediately come under my suspicion. And I still have no idea how a completely different process can manage to cause something like that to a game process like Starcraft.
Since there have been a lot of people whose games this problem has ruined so far, I would like to apologize for the inconveniences, in case one of you happens to read this post.
Have a nice weekend.
|
On May 28 2022 07:45 Mindflayer wrote: Hello everyone,
I would like to pick up on this thread once more, in the hopes that someone else might find the information useful which I discovered.
<sic>
After a lot of analysis without any clear results, I started to randomly kill other processes once the problem occurred. And that's when I found the cause: It's the ASUS ROG GameFirst V Utility, running as GameFirst_V.exe! In its description it says: "ROG GameFirst V is an exclusive Asus tool that optimizes network traffic to increase latency and speed in the game." Yeah, well done ASUS...
I didn't even know something like that was running on my PC. Otherwise it would have immediately come under my suspicion. And I still have no idea how a completely different process can manage to cause something like that to a game process like Starcraft.
Since there have been a lot of people whose games this problem has ruined so far, I would like to apologize for the inconveniences, in case one of you happens to read this post.
Have a nice weekend.
It's awesome that you returned with your result a whole month later once you found the cause. This makes the thread far more helpful for anyone else that may encounter similar network issues in brood war in the future!
Hopefully this marks the end of any issues you encounter
|
On May 30 2022 02:09 3FFA wrote:
On May 28 2022 07:45 Mindflayer wrote: Hello everyone,
I would like to pick up on this thread once more, in the hopes that someone else might find the information useful which I discovered.
<sic>
After a lot of analysis without any clear results, I started to randomly kill other processes once the problem occurred. And that's when I found the cause: It's the ASUS ROG GameFirst V Utility, running as GameFirst_V.exe! In its description it says: "ROG GameFirst V is an exclusive Asus tool that optimizes network traffic to increase latency and speed in the game." Yeah, well done ASUS...
I didn't even know something like that was running on my PC. Otherwise it would have immediately come under my suspicion. And I still have no idea how a completely different process can manage to cause something like that to a game process like Starcraft.
Since there have been a lot of people whose games this problem has ruined so far, I would like to apologize for the inconveniences, in case one of you happens to read this post.
Have a nice weekend.
It's awesome that you returned with your result a whole month later once you found the cause. This makes the thread far more helpful for anyone else that may encounter similar network issues in brood war in the future! Hopefully this marks the end of any issues you encounter
A whole month.. and a whole year, too :D
|