Hearthstone's girls in your area

Last Friday, I was in a boring class with Hime, and we were talking about our school's network. We noted that it would be interesting to know which IP address is attributed to a given student.
The network works as follows (for students): we are given an IP address through DHCP, then we connect to the school's VPN, where we get a different IP address. This VPN IP address's PTR record contains the student's LDAP login.
The first thing that came to my mind was to start Wireshark and see whether some packets could help us match a physical IP address to a VPN IP address. They did not, but instead we found something pretty interesting being broadcast to the whole network...

Wireshark
Wireshark window showing an unknown packet

At this point, we did not know what this packet corresponded to, but we roughly knew what it was about: SweetLuck is playing on eu.actual.battle.net.
We set up a Wireshark filter to find out more about those packets, and some familiar nicks showed up ("Minimon", "Miwakage", "Boku"). They are students from a different class who play Hearthstone. To see the packets better, I wrote a PHP script (and Hime wrote one in Ruby) that listened on the port in question and dumped the packets it received.

List of players
Survival0 plays on the Korean server, what a jerk

Those packets are sent by Hearthstone to advertise that a player is online on the local network: the game has a "players next to me" feature, even though you must be connected to Battle.net to play.
Since those packets are CSV, we tried to understand what information they contained. To do so, we took a real packet, altered one field at a time, and sent it to a player who would then tell us the outcome.

+---+---+---+--------+------+-----------+---------+--------+----------+---+
| ? | ? | ? | userid | nick | battle id | version | server | isBattle | ? |
+---+---+---+--------+------+-----------+---------+--------+----------+---+
  1. ?: always 72057594037927936 (2^56). May be a bit flag. Can be altered with no effect.
  2. ?: No idea what it is supposed to be. Maybe a station/unique ID? Can be altered with no effect.
  3. ?: No idea what it is supposed to be. Seems to be linked to the server. Can be altered with no effect.
  4. userid: User ID used to identify the packet's owner: if two packets are sent with the same userid, only one nearby player is created.
  5. nick: Nickname of the player.
  6. battleid: Since two players may have the same nick, each is given a random number between 0 and 9999 that is displayed right after their nick.
  7. version: A 32-bit int that encodes the version, major in the top byte and minor in the next one: version 3.2 is 0x03020000 == 50462720.
  8. server: Hostname of the server the player is connected to. Sending a bogus hostname means you won't show up.
  9. isBattle: boolean. If 0, the player is already playing; otherwise you can invite them to play.
  10. ?: No idea. Must be > 1000000000.

Now that we know how the packets work, we started broadcasting a few of them to send the Hearthstone players a message ;)

Sending 10k bogus players
Go back to work!!!
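As an added example (my own Ruby, not the PHP or Ruby scripts from the post), here is a small tool that parses a nearby-player packet into the fields listed above, encodes and decodes the version int (3.2 <-> 0x03020000), builds packets for the "Go back to work!!!" flood with distinct userids so the game shows each one as a separate player, and can either listen for real packets or broadcast forged ones. The port number, the values used for the unknown fields, and the sample packet are assumptions or constructed for the example; they are not taken from the game.

```ruby
require 'socket'

# Field order as reverse-engineered above. Names for the three leading
# unknowns and the trailing one are placeholders of mine, not the game's.
FIELDS = %i[flag0 unknown1 unknown2 userid nick battleid version server isBattle unknown9].freeze

# ASSUMPTION: the post does not give the port; replace with the one seen in Wireshark.
NEARBY_PORT = 9999

# Version is a 32-bit int: major in the top byte, minor in the next one.
# encode_version(3, 2) == 0x03020000 == 50462720
def encode_version(major, minor)
  (major << 24) | (minor << 16)
end

def decode_version(v)
  [(v >> 24) & 0xff, (v >> 16) & 0xff]
end

# Parse one CSV packet into a hash. The numeric fields are converted, and two
# derived keys are added: :version_str ("3.2") and :available (isBattle != 0).
def parse_packet(line)
  values = line.chomp.split(',', -1)
  raise ArgumentError, "expected #{FIELDS.size} fields, got #{values.size}" unless values.size == FIELDS.size
  pkt = FIELDS.zip(values).to_h
  %i[flag0 unknown1 unknown2 userid battleid version isBattle unknown9].each { |k| pkt[k] = Integer(pkt[k], 10) }
  pkt[:version_str] = decode_version(pkt[:version]).join('.')
  pkt[:available]   = pkt[:isBattle] != 0
  pkt
end

# Build a packet that the game will display. Fields 1-3 and 10 use values the
# post says are ignored (1-3) or merely "> 1000000000" (10); these are my choices.
def build_packet(userid:, nick:, server: 'eu.actual.battle.net', battleid: rand(10_000),
                 version: encode_version(3, 2), available: true)
  raise ArgumentError, 'nick must not contain a comma (it would split the CSV)' if nick.include?(',')
  [2**56, 0, 0, userid, nick, battleid, version, server, available ? 1 : 0, 1_234_567_890].join(',')
end

# The flood from the post: every packet needs its own userid, otherwise the
# game collapses them into a single nearby player.
def message_packets(message, count:, base_userid: 1_000_000)
  Array.new(count) { |i| build_packet(userid: base_userid + i, nick: message, battleid: i % 10_000) }
end

def broadcast_packets(packets, port: NEARBY_PORT, addr: '255.255.255.255')
  sock = UDPSocket.new
  sock.setsockopt(Socket::SOL_SOCKET, Socket::SO_BROADCAST, 1)
  packets.each { |p| sock.send(p, 0, addr, port) }
  sock.close
end

# Listener equivalent to the PHP/Ruby scripts from the post: print who is online.
def listen(port: NEARBY_PORT)
  sock = UDPSocket.new
  sock.bind('0.0.0.0', port)
  loop do
    data, (_af, _port, _host, ip) = sock.recvfrom(65_535)
    pkt = parse_packet(data)
    puts format('%-15s %s#%04d v%s on %s (%s)', ip, pkt[:nick], pkt[:battleid], pkt[:version_str],
                pkt[:server], pkt[:available] ? 'can be invited' : 'already playing')
  rescue ArgumentError => e
    warn "unparseable packet from #{ip}: #{e.message}"
  end
end

# CONSTRUCTED sample packet (not a real capture), in the field order above.
SAMPLE = '72057594037927936,12345,6789,1001,SweetLuck,4242,50462720,eu.actual.battle.net,1,1234567890'

if __FILE__ == $PROGRAM_NAME && %w[listen flood].include?(ARGV[0])
  ARGV[0] == 'listen' ? listen : broadcast_packets(message_packets('Go back to work!!!', count: 100))
end
```

Run it as `ruby nearby.rb listen` to see who is playing, or `ruby nearby.rb flood` to broadcast 100 fake players carrying the message. Because the game keys entries on userid, the flood only works if each packet carries a different one; sending the same userid 100 times produces a single entry.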

We also noted that it is possible to make players lag by sending them many players with very LONG names (no buffer overflow, sadly). It seems that if a name is longer than 10k chars, the game disables this feature until you restart it.
Sending a nick containing a NULL byte glitches the name and prints XML-like tags.

Hime's GUI to see connected players
Hime made a script to beautify the packets

Even though reversing this "protocol" was not complicated, it was fun, and the courses sure went by faster. Now it may be interesting to gather more data and extract information from it: how long it takes for an average game to start, which courses are the most favourable to a game of Hearthstone (according to the students), or who ragequits the most ;)