You are not logged in.

#26 30 Oct 2006 10:22 am

MadHatter
Administrator
From: Dallas TX
Registered: Jun 2006
Posts: 529
Website

Re: bf2142 stat query protocol

Craigins :

I had a co worker suggest it might be as simple as using a DES encyption algorithm.

I tried the sample Tubar posted using des as the encryption alg, but it didnt spit out the same output that he posted.  looking at the assembly it looks more like aes then des (esp if the loop does go 10 times, DES uses 16 rounds and Rijndael does a 10 round iteration w/ a 128 bit key, and Rijndael should produce a 16 byte result).

the biggest problem I have in considering it to be an actual encryption algorithm is what do you use as the key or IV (without matching ones on either end, you're not going to be able to decrypt it correctly)?  it would have to be pre-agreed upon and hard coded because the web service has to know before hand what key(or IV) to use.

Offline

 

#27 30 Oct 2006 11:17 am

Tubar
Senior Member
From: Slovakia
Registered: Oct 2006
Posts: 26
Website

Re: bf2142 stat query protocol

Craigins :

I had a co worker suggest it might be as simple as using a DES encyption algorithm.

http://www.aci.net/Kalliste/des.htm

anyone care to check it out?

Here some sample in C, and of course in Assembler:
http://dev.mysql.com/sources/doxygen/my … ource.html

Hard too find algorithm sad hehe,
must all people help who want smile

PS: And here DES algortihm in assembler: http://www.anders.com/projects/netatalk … 04b.tag.gz

Here is interation 16x. But our is only 10x

Last edited by Tubar (30 Oct 2006 11:22 am)

Offline

 

#28 30 Oct 2006 11:25 am

Craigins
Extreme Member
From: Chicago, IL
Registered: Oct 2006
Posts: 58
Website

Re: bf2142 stat query protocol

I'll see if i can get that debugger up and running and catch all the values I need

on another note, did EA take down their stats site?

Offline

 

#29 30 Oct 2006 11:51 am

Tubar
Senior Member
From: Slovakia
Registered: Oct 2006
Posts: 26
Website

Re: bf2142 stat query protocol

MadHatter :

Craigins :

I had a co worker suggest it might be as simple as using a DES encyption algorithm.

I tried the sample Tubar posted using des as the encryption alg, but it didnt spit out the same output that he posted.  looking at the assembly it looks more like aes then des (esp if the loop does go 10 times, DES uses 16 rounds and Rijndael does a 10 round iteration w/ a 128 bit key, and Rijndael should produce a 16 byte result).

the biggest problem I have in considering it to be an actual encryption algorithm is what do you use as the key or IV (without matching ones on either end, you're not going to be able to decrypt it correctly)?  it would have to be pre-agreed upon and hard coded because the web service has to know before hand what key(or IV) to use.

You are right, it's Rijndael algorithm 16bit / 10 rounds. Now I analyze that. And try make C sample of functions.

Offline

 

#30 30 Oct 2006 12:10 pm

MadHatter
Administrator
From: Dallas TX
Registered: Jun 2006
Posts: 529
Website

Re: bf2142 stat query protocol

the more I look at the assembly the more I think thats right.

so whats the encryption key?  possibly the array used in the initial xor operation?

Craigins :

on another note, did EA take down their stats site?

yea I think they took it down.  when I go to the link from BF2Tech it asks me for a log on (in one of those pop up boxes, and wont accept my ea login).  When I chatted w/ the guy who wrote this auth token stuff, he mentioned that they were going to put up some community feeds that we could use (still a little ways off though it sounded like).

Offline

 

#31 30 Oct 2006 1:51 pm

Tubar
Senior Member
From: Slovakia
Registered: Oct 2006
Posts: 26
Website

Re: bf2142 stat query protocol

MadHatter :

...so whats the encryption key?  possibly the array used in the initial xor operation?

Yes, I think, it is this "xor" key

XOR data are this:

Code:

4C  01BF9E33
BB  01BF9E32
56  01BF9E31
AA  01BF9E30
78  01BF9E31
00  01BF9E32
00  01BF9E33
C3  01BF9E34
65  01BF9E38
FF  01BF9E39
EF  01BF9E3A
44  01BF9E3B
23  01BF9E3C
12  01BF9E3D
2C  01BF9E3E
2C  01BF9E3F

Here is PHP sample to coding, encoding in AES:

Code:

<?php
    /* Open the cipher */
    $td = mcrypt_module_open('rijndael-256', '', 'ofb', '');
    /* Create the IV and determine the keysize length, used MCRYPT_RAND
     * on Windows instead */
    $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_DEV_RANDOM);
    $ks = mcrypt_enc_get_key_size($td);
    /* Create key */
    $key = substr(md5('very secret key'), 0, $ks);
    /* Intialize encryption */
    mcrypt_generic_init($td, $key, $iv);
    /* Encrypt data */
    $encrypted = mcrypt_generic($td, 'This is very important data');
    /* Terminate encryption handler */
    mcrypt_generic_deinit($td);
    /* Initialize encryption module for decryption */
    mcrypt_generic_init($td, $key, $iv);
    /* Decrypt encrypted string */
    $decrypted = mdecrypt_generic($td, $encrypted);
    /* Terminate decryption handle and close module */
    mcrypt_generic_deinit($td);
    mcrypt_module_close($td);
    /* Show string */
    echo trim($decrypted) . "\n";
?>

Last edited by Tubar (30 Oct 2006 1:54 pm)

Offline

 

#32 30 Oct 2006 3:05 pm

MadHatter
Administrator
From: Dallas TX
Registered: Jun 2006
Posts: 529
Website

Re: bf2142 stat query protocol

This is what I'm using for testing...

Tubar :

Sample 1:

Code:

Input data (Timestamp: 45419B10, 00000064, PID: 04E26AF9, 548F0001)
01BFA21C  10 9B 41 45 64 00 00 00 F9 6A E2 04 01 00 8F 54  AEd...ůj.ŹT
Coded data:
014DAA04  9B 80 EB 44 08 1C C3 A8 72 C7 72 D1 AA F5 6E 94  DĂrrŃŞőn
Converted data into Base64 from 014DAA04:
07B39C64  6D 34 44 72 52 41 67 63 77 36 68 79 78 33 4C 52  m4DrRAgcw6hyx3LR
07B39C74  71 76 56 75 6C 41 5F 5F                          qvVulA__

You can see, auth code
Sample1: m4DrRAgcw6hyx3LRqvVulA__

I still cant get it to produce the same array as the byte array under Coded data:

I'm using Rijndael 128 w/ the xor array as the IV and key.  I've also tested it w/ out a specified IV (still no good).

anyone else have any luck?

Offline

 

#33 30 Oct 2006 3:17 pm

Tubar
Senior Member
From: Slovakia
Registered: Oct 2006
Posts: 26
Website

Re: bf2142 stat query protocol

MadHatter :

This is what I'm using for testing...

Tubar :

Sample 1:

Code:

Input data (Timestamp: 45419B10, 00000064, PID: 04E26AF9, 548F0001)
01BFA21C  10 9B 41 45 64 00 00 00 F9 6A E2 04 01 00 8F 54  AEd...ůj.ŹT
Coded data:
014DAA04  9B 80 EB 44 08 1C C3 A8 72 C7 72 D1 AA F5 6E 94  DĂrrŃŞőn
Converted data into Base64 from 014DAA04:
07B39C64  6D 34 44 72 52 41 67 63 77 36 68 79 78 33 4C 52  m4DrRAgcw6hyx3LR
07B39C74  71 76 56 75 6C 41 5F 5F                          qvVulA__

You can see, auth code
Sample1: m4DrRAgcw6hyx3LRqvVulA__

I still cant get it to produce the same array as the byte array under Coded data:

I'm using Rijndael 128 w/ the xor array as the IV and key.  I've also tested it w/ out a specified IV (still no good).

anyone else have any luck?

I think here is used another codig table, not PHI table.
Here:

Code:

006E7CE0   8B0485 A82F8000  MOV EAX,DWORD PTR DS:[EAX*4+802FA8]
...

802FA8, ... is this table used in coding.

Offline

 

#34 30 Oct 2006 3:20 pm

Craigins
Extreme Member
From: Chicago, IL
Registered: Oct 2006
Posts: 58
Website

Re: bf2142 stat query protocol

could they be swapping bytes around before running the encryption?

So they are encrypting a total of what, 16 bytes(4 4byte integers).  That would allow for a possibility of 16! possible combination of bytes to check against.

From a programmer's stand point, get the encryption algorithm and do something lazy like that so it isn't straight up encryption then send it through the encryption.

Offline

 

#35 30 Oct 2006 3:42 pm

MadHatter
Administrator
From: Dallas TX
Registered: Jun 2006
Posts: 529
Website

Re: bf2142 stat query protocol

I dont believe he's swapping anything around before the encryption.  I'm not totally sold on Rijndael, but it does look very similar (from what little I can decipher from the assembler).  If this was Rijndael, wouldnt this code be from crypt32 and not embedded in bf2142?

technically there are more possible combinations because the IV is used to xor the original data (like we were thinking in the beginning), then the key is used to substitute the data around (in rijndael).  so changing the IV or key will produce a different outcome.

IF he is using rijndael then we still have to solidify what key and IV are being used (I think we have the IV, but not the encryption key).

I really wish I could run the game from olly debugger.  for some reason, it crashes everytime I attempt to debug into it (I have the 64 bit version of windows and I dont think the 32bit emulator likes olly much).

Offline

 

#36 30 Oct 2006 4:46 pm

Craigins
Extreme Member
From: Chicago, IL
Registered: Oct 2006
Posts: 58
Website

Re: bf2142 stat query protocol

are you guys debugging the server or the client?

I'm having trouble finding the location when i debug the client.

Offline

 

#37 30 Oct 2006 10:16 pm

Tubar
Senior Member
From: Slovakia
Registered: Oct 2006
Posts: 26
Website

Re: bf2142 stat query protocol

Craigins :

are you guys debugging the server or the client?

I'm having trouble finding the location when i debug the client.

No client! Server!

Just start client in window, start dedicated server in same PC. Start olly, attach dedicated server to olly, make hardware breakpoint on execution in address where I write, run in olly. After that join to IP 127.0.0.1 with client. After that is in olly automaticylly server stoped at this position. And now just debug.

Offline

 

#38 31 Oct 2006 7:10 am

Craigins
Extreme Member
From: Chicago, IL
Registered: Oct 2006
Posts: 58
Website

Re: bf2142 stat query protocol

that might be a problem for me, I tried running the server and client on the same PC during the demo and it didn't like it.  Not sure why, i have an AMD x2 4400 with 2gb of ram.  I might have to set up my other box to run a server and debug it on there.

Couldn't you do the same thing in the client, and check when you hit BFHQ in game to see how it is encrypting the auth codes to send to get stats?

Offline

 

#39 31 Oct 2006 10:50 am

Tubar
Senior Member
From: Slovakia
Registered: Oct 2006
Posts: 26
Website

Re: bf2142 stat query protocol

So guys, with formula I am cca. 70% complete. 1-2 days and I can have whole encrypt formula.
Here are used 4x1024bytes Hash and 1x160bytes Hash for crypting. That is not problem big_smile
I try write one example in PHP for generate authentication key.

But with what I need help (no time to check, find that):
On this address 01BFA21C who is TIMESTAMP (4 bytes), 0x00000064, PID (4bytes) and last 4 bytes so: 01 00 xx yy.
I think xx and yy are check sum for all above.
I need find how is this check sum calculated. It's needed for authentication this number right.
When is not right, we got error message from gamespy that this key is corupted.

How you can find that? Just only set memery write breakpoint on this two bytes address and start. Than you find who and how is that stored.

Thx.

Offline

 

#40 31 Oct 2006 11:23 am

MadHatter
Administrator
From: Dallas TX
Registered: Jun 2006
Posts: 529
Website

Re: bf2142 stat query protocol

so are you saying that its not using rijndael?

I can try a few checksum algorithms.  first to try will be crc16.  if that doesn't work then we can try a few others.

Offline

 

#41 31 Oct 2006 2:39 pm

Craigins
Extreme Member
From: Chicago, IL
Registered: Oct 2006
Posts: 58
Website

Re: bf2142 stat query protocol

they seem to like the MD5 checksum too(they use it for all their file verification).  Might want to check that out.

Ok nevermind.  going off of the CRC list at http://en.wikipedia.org/wiki/List_of_ch … algorithms and the fact that it is 16 bits long, it narrows it down to

bsd 16 bits
crc16 16 bits
UNIX V checksum 16 bits
http://en.wikipedia.org/wiki/Fletcher%27s_checksum

I guess they could have made up their own as well.

on a side note, where do you get the dedicated server install?

Last edited by Craigins (31 Oct 2006 2:50 pm)

Offline

 

#42 31 Oct 2006 3:45 pm

Tubar
Senior Member
From: Slovakia
Registered: Oct 2006
Posts: 26
Website

Re: bf2142 stat query protocol

Craigins :

...on a side note, where do you get the dedicated server install?

http://largedownloads.ea.com/pub/patches/BF2142/


I am done with loop coding (in PHP), now just only last round coding. And of course calculating this checksum number.

PS: 16bits = 2 bytes, that is what we need smile

Last edited by Tubar (31 Oct 2006 3:47 pm)

Offline

 

#43 31 Oct 2006 7:59 pm

MadHatter
Administrator
From: Dallas TX
Registered: Jun 2006
Posts: 529
Website

Re: bf2142 stat query protocol

crc 16 of timestamp: 10 9B 41 45 = e3 59
crc 16 of pid: F9 6A E2 04 = 8c 84
crc 16 of (timestamp  pid) 10 9B 41 45 F9 6A E2 04 = e6 67
crc 16 of (pid timestamp) F9 6A E2 04 10 9B 41 45 = f8 b0
crc 16 of (first 14 bytes): 10 9B 41 45 64 00 00 00 F9 6A E2 04 01 00 = d9 4a
crc 32 of (first 12 bytes): 10 9B 41 45 64 00 00 00 F9 6A E2 04 = 0a 18 95 af (thinking maybe the 00 and 01 were consequential...)

so, so far, nothing to equal 8F 54

can you think of any other ways to combine them?

Offline

 

#44 01 Nov 2006 2:21 am

Tubar
Senior Member
From: Slovakia
Registered: Oct 2006
Posts: 26
Website

Re: bf2142 stat query protocol

Some data for testing:
Sample1: 8B 66 48 45 64 00 00 00 F9 6A E2 04 01 00 2B 24
Sample2: 63 69 48 45 64 00 00 00 F9 6A E2 04 01 00 1C EF
Sample3: B7 69 48 45 64 00 00 00 F9 6A E2 04 01 00 8F A8
Sample4: C0 6C 48 45 64 00 00 00 F9 6A E2 04 01 00 C0 E8
Sample5: CB 6F 48 45 64 00 00 00 F9 6A E2 04 01 00 AD 41

Offline

 

#45 01 Nov 2006 7:29 am

Craigins
Extreme Member
From: Chicago, IL
Registered: Oct 2006
Posts: 58
Website

Re: bf2142 stat query protocol

have you tried pid+timestamp?

I just tried every permutation of the timestamp and pid bytes and it doesn't look like any straight up crc16/crc_ccitt checksum:

Code:

PID=81947385

4548668B = 1162372747 81947385

CRC16:
Matches = 0 / 40320
CRC_CCITT:
Byte[0] = 249 | 0xF9 | 11111001 
Byte[1] =   4 | 0x04 | 00000100 
Byte[2] = 102 | 0x66 | 01100110 
Byte[3] =  69 | 0x45 | 01000101 
Byte[4] = 139 | 0x8B | 10001011 
Byte[5] = 106 | 0x6A | 01101010 
Byte[6] = 226 | 0xE2 | 11100010 
Byte[7] =  72 | 0x48 | 01001000 

Matches = 1 / 40320

45486963 = 1162373475 81947385

crc16:
Byte[0] =   4 | 0x04 | 00000100 
Byte[1] = 226 | 0xE2 | 11100010 
Byte[2] =  72 | 0x48 | 01001000 
Byte[3] = 249 | 0xF9 | 11111001 
Byte[4] = 106 | 0x6A | 01101010 
Byte[5] = 105 | 0x69 | 01101001 
Byte[6] =  69 | 0x45 | 01000101 
Byte[7] =  99 | 0x63 | 01100011 

Byte[0] = 105 | 0x69 | 01101001 
Byte[1] = 249 | 0xF9 | 11111001 
Byte[2] = 226 | 0xE2 | 11100010 
Byte[3] = 106 | 0x6A | 01101010 
Byte[4] =  69 | 0x45 | 01000101 
Byte[5] =  72 | 0x48 | 01001000 
Byte[6] =  99 | 0x63 | 01100011 
Byte[7] =   4 | 0x04 | 00000100 

Matches = 2 / 40320

CRC_CCITT
Matches = 0 / 40320


454869B7 = 1162373559 81947385

CRC16:
Byte[0] = 249 | 0xF9 | 11111001 
Byte[1] = 226 | 0xE2 | 11100010 
Byte[2] =  69 | 0x45 | 01000101 
Byte[3] = 183 | 0xB7 | 10110111 
Byte[4] = 106 | 0x6A | 01101010 
Byte[5] =  72 | 0x48 | 01001000 
Byte[6] =   4 | 0x04 | 00000100 
Byte[7] = 105 | 0x69 | 01101001 

Byte[0] = 249 | 0xF9 | 11111001 
Byte[1] = 106 | 0x6A | 01101010 
Byte[2] =  69 | 0x45 | 01000101 
Byte[3] = 183 | 0xB7 | 10110111 
Byte[4] =   4 | 0x04 | 00000100 
Byte[5] = 226 | 0xE2 | 11100010 
Byte[6] =  72 | 0x48 | 01001000 
Byte[7] = 105 | 0x69 | 01101001 

Byte[0] =  72 | 0x48 | 01001000 
Byte[1] = 226 | 0xE2 | 11100010 
Byte[2] =  69 | 0x45 | 01000101 
Byte[3] = 183 | 0xB7 | 10110111 
Byte[4] = 105 | 0x69 | 01101001 
Byte[5] =   4 | 0x04 | 00000100 
Byte[6] = 106 | 0x6A | 01101010 
Byte[7] = 249 | 0xF9 | 11111001 

Matches = 3 / 40320

CRC_CCITT:
Byte[0] =   4 | 0x04 | 00000100 
Byte[1] =  72 | 0x48 | 01001000 
Byte[2] = 226 | 0xE2 | 11100010 
Byte[3] = 249 | 0xF9 | 11111001 
Byte[4] = 183 | 0xB7 | 10110111 
Byte[5] =  69 | 0x45 | 01000101 
Byte[6] = 106 | 0x6A | 01101010 
Byte[7] = 105 | 0x69 | 01101001 

Byte[0] = 249 | 0xF9 | 11111001 
Byte[1] = 226 | 0xE2 | 11100010 
Byte[2] = 106 | 0x6A | 01101010 
Byte[3] =  72 | 0x48 | 01001000 
Byte[4] =   4 | 0x04 | 00000100 
Byte[5] = 183 | 0xB7 | 10110111 
Byte[6] = 105 | 0x69 | 01101001 
Byte[7] =  69 | 0x45 | 01000101 

Byte[0] =  69 | 0x45 | 01000101 
Byte[1] =  72 | 0x48 | 01001000 
Byte[2] = 183 | 0xB7 | 10110111 
Byte[3] = 249 | 0xF9 | 11111001 
Byte[4] = 105 | 0x69 | 01101001 
Byte[5] =   4 | 0x04 | 00000100 
Byte[6] = 226 | 0xE2 | 11100010 
Byte[7] = 106 | 0x6A | 01101010 

Matches = 3 / 40320



45486CC0 = 1162374336 81947385

CRC16
Byte[0] =  72 | 0x48 | 01001000 
Byte[1] =   4 | 0x04 | 00000100 
Byte[2] = 108 | 0x6C | 01101100 
Byte[3] = 106 | 0x6A | 01101010 
Byte[4] = 249 | 0xF9 | 11111001 
Byte[5] = 192 | 0xC0 | 11000000 
Byte[6] = 226 | 0xE2 | 11100010 
Byte[7] =  69 | 0x45 | 01000101 

Matches = 1 / 40320

CRC_CCITT:
Matches = 0 / 40320



45486FCB = 1162375115 81947385

CRC16:
Byte[0] = 226 | 0xE2 | 11100010 
Byte[1] =  69 | 0x45 | 01000101 
Byte[2] =   4 | 0x04 | 00000100 
Byte[3] =  72 | 0x48 | 01001000 
Byte[4] = 249 | 0xF9 | 11111001 
Byte[5] = 111 | 0x6F | 01101111 
Byte[6] = 203 | 0xCB | 11001011 
Byte[7] = 106 | 0x6A | 01101010 

Byte[0] = 106 | 0x6A | 01101010 
Byte[1] =  72 | 0x48 | 01001000 
Byte[2] = 203 | 0xCB | 11001011 
Byte[3] = 226 | 0xE2 | 11100010 
Byte[4] =  69 | 0x45 | 01000101 
Byte[5] = 111 | 0x6F | 01101111 
Byte[6] =   4 | 0x04 | 00000100 
Byte[7] = 249 | 0xF9 | 11111001 

Byte[0] = 249 | 0xF9 | 11111001 
Byte[1] = 111 | 0x6F | 01101111 
Byte[2] =   4 | 0x04 | 00000100 
Byte[3] = 203 | 0xCB | 11001011 
Byte[4] = 226 | 0xE2 | 11100010 
Byte[5] =  72 | 0x48 | 01001000 
Byte[6] = 106 | 0x6A | 01101010 
Byte[7] =  69 | 0x45 | 01000101 

Byte[0] = 203 | 0xCB | 11001011 
Byte[1] =   4 | 0x04 | 00000100 
Byte[2] = 249 | 0xF9 | 11111001 
Byte[3] =  69 | 0x45 | 01000101 
Byte[4] = 106 | 0x6A | 01101010 
Byte[5] = 226 | 0xE2 | 11100010 
Byte[6] = 111 | 0x6F | 01101111 
Byte[7] =  72 | 0x48 | 01001000 

Byte[0] = 203 | 0xCB | 11001011 
Byte[1] = 249 | 0xF9 | 11111001 
Byte[2] = 226 | 0xE2 | 11100010 
Byte[3] = 111 | 0x6F | 01101111 
Byte[4] =   4 | 0x04 | 00000100 
Byte[5] =  69 | 0x45 | 01000101 
Byte[6] =  72 | 0x48 | 01001000 
Byte[7] = 106 | 0x6A | 01101010 

Matches = 5 / 40320

CRC_CCITT:

Byte[0] =   4 | 0x04 | 00000100 
Byte[1] = 106 | 0x6A | 01101010 
Byte[2] = 226 | 0xE2 | 11100010 
Byte[3] = 203 | 0xCB | 11001011 
Byte[4] = 249 | 0xF9 | 11111001 
Byte[5] = 111 | 0x6F | 01101111 
Byte[6] =  69 | 0x45 | 01000101 
Byte[7] =  72 | 0x48 | 01001000 

Byte[0] = 249 | 0xF9 | 11111001 
Byte[1] =  69 | 0x45 | 01000101 
Byte[2] = 106 | 0x6A | 01101010 
Byte[3] = 226 | 0xE2 | 11100010 
Byte[4] =  72 | 0x48 | 01001000 
Byte[5] = 203 | 0xCB | 11001011 
Byte[6] = 111 | 0x6F | 01101111 
Byte[7] =   4 | 0x04 | 00000100 

Byte[0] =  72 | 0x48 | 01001000 
Byte[1] = 106 | 0x6A | 01101010 
Byte[2] = 226 | 0xE2 | 11100010 
Byte[3] = 249 | 0xF9 | 11111001 
Byte[4] =   4 | 0x04 | 00000100 
Byte[5] =  69 | 0x45 | 01000101 
Byte[6] = 111 | 0x6F | 01101111 
Byte[7] = 203 | 0xCB | 11001011 

Matches = 3 / 40320

next i'll check the permutations of the bytes in timestamp and pid separatly.

EDIT: pid doesn't change so i skipped that.  I ran the timestamps themselves and none of them CRC16/CCITT into the last 2 mystery bytes.

Trying pid+timestamp now

EDIT2:
its not the crc16/ccitt of pid+timestamp or (timestamp - pid, pid-timestamp).

EDIT3:
just tried the combination of pid | timestamp, pid ^ timestamp, and pid & timestamp and all permutations of bytes against crc16/ccitt and no match.  So unless they are shuffling bytes and oring them together to get 1 32 bit int then doing crc16 on that....

Last edited by Craigins (01 Nov 2006 8:00 am)

Offline

 

#46 01 Nov 2006 11:40 am

Tubar
Senior Member
From: Slovakia
Registered: Oct 2006
Posts: 26
Website

Re: bf2142 stat query protocol

So guys, with coding auth key I am done, input is 16 bytes TIMESTAMP[4],64000000,PID[4],0100XXYY
Have testet, works fine, auth key is generated ok.
But what is problem, is this XXYY check sum.

Tomorow I post here PHP code for generatig to AUTH key, and get PID,TIMESTAMP from AUTH key funktions.

Offline

 

#47 01 Nov 2006 11:45 am

MadHatter
Administrator
From: Dallas TX
Registered: Jun 2006
Posts: 529
Website

Re: bf2142 stat query protocol

how do I enable the hardware breakpoint in olly?  I cant debug it from home because I have a 64 bit machine and the injection that allows olly to run in debug mode fails and ends up bluescreening my machine.  I try it here at work but the hardware breakpoint dialog is disabled.

I started to ask the guy who wrote the auth what these 2 bytes were, but I want to look at it a little longer before I ask.

Offline

 

#48 01 Nov 2006 12:01 pm

Craigins
Extreme Member
From: Chicago, IL
Registered: Oct 2006
Posts: 58
Website

Re: bf2142 stat query protocol

think it is crc16?  should I modify my code to test every possible  OR between the 14 bytes that the key is generated from?

Offline

 

#49 01 Nov 2006 12:11 pm

MadHatter
Administrator
From: Dallas TX
Registered: Jun 2006
Posts: 529
Website

Re: bf2142 stat query protocol

cant say for sure.  if you have something to test permutations, then yea, try every combination of the byte sequence itself with and without the 64 00 00 00 sequence.  I don't have time or my test harness here at work to test it.

I broke down and asked for a hint from the guy at IGN that wrote it.  I'd personally like to solve it w/ out his help, but I'm kind of perplexed at what it could be.

kind of wish I could step through the code and have a look around, but I cant set any breakpoints through the UI (and my memory addresses are different than the ones Tubar posted).

Offline

 

#50 01 Nov 2006 1:00 pm

MadHatter
Administrator
From: Dallas TX
Registered: Jun 2006
Posts: 529
Website

Re: bf2142 stat query protocol

Initially, I tried taking the auth value from one query and using it in another (ex: the auth token from getbackendinfo and using it w/ getunlocksinfo) and the results that came back were wrong / nothing.

perhaps we should look to see if they have a table in memory (search for string values for getplayerinfo, getbackendinfo...) and see if they have any values which are associated with them in making up those 2 bytes.

Offline

 



© 2003 - 2018 NullFX
Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License