
#51 01 Nov 2006 1:31 pm

Craigins
Extreme Member
From: Chicago, IL
Registered: Oct 2006
Posts: 58

Re: bf2142 stat query protocol

You seem to like C#. I threw together this program; I got some source from thecodeproject.com to do CRC16/32 in C#. Then I took a recursive algorithm I wrote about 3 years ago to create permutations of a number. Added in the code with my FunWithBytes project (read in numbers, spit out byte arrays in hex/binary/byte format) and looped it. I had it testing the 8 byte combination of timestamp and pid, every possible combination; those were the results I posted above (8! = 40320 possible combinations). So if the CRC16 code is correct (I tested a few of the ones that you manually did above and they matched) then it isn't just a straight reordering of bytes (unless it is the full 12-14 bytes instead of just the 8). Anyway, you can get the whole source + solution files at http://www.velox-mortis.com/temp/FunWithBytes.zip, which should allow you to modify the algorithm to test anything. Tonight I think I'll try to get an algorithm to create 4 byte arrays out of the 8 bytes by trying every possible combination of & | and ^.

Offline

 

#52 01 Nov 2006 2:22 pm

MadHatter
Administrator
From: Dallas TX
Registered: Jun 2006
Posts: 529

Re: bf2142 stat query protocol

very nice.  yea I do more C# work than anything else (but also do quite a bit PHP and C++).  I was using the CRCTool class (though i think he has a bug in the ccitt method) as well, but hadn't put anything together on this scale.

Offline

 

#53 01 Nov 2006 3:15 pm

Craigins
Extreme Member
From: Chicago, IL
Registered: Oct 2006
Posts: 58

Re: bf2142 stat query protocol

MadHatter :

how do I enable the hardware breakpoint in olly?  I can't debug it from home because I have a 64 bit machine and the injection that allows olly to run in debug mode fails and ends up bluescreening my machine.  I try it here at work but the hardware breakpoint dialog is disabled.

I started to ask the guy who wrote the auth what these 2 bytes were, but I want to look at it a little longer before I ask.

You should install WinXP Pro 32-bit and dual boot. That's what I do; I rarely use my 64-bit Windows. But the debugger works fine on my 64-bit processor (AMD 64-bit X2 4400).

Offline

 

#54 01 Nov 2006 3:21 pm

MadHatter
Administrator
From: Dallas TX
Registered: Jun 2006
Posts: 529

Re: bf2142 stat query protocol

I've been meaning to throw my old copy of xp (32 bit) on vmware, but just never got around to it.

Offline

 

#55 01 Nov 2006 4:58 pm

Craigins
Extreme Member
From: Chicago, IL
Registered: Oct 2006
Posts: 58

Re: bf2142 stat query protocol

I found a part in memory which has the pages listed.

Debugging the client:
Block 009E0000


0090FCAC  67 65 74 70 6C 61 79 65 72 69 6E 66 6F 2E 61 73  getplayerinfo.as
0090FCBC  70 78                                            px

It has most of the pages listed in that area, anything specific you are looking for?

Offline

 

#56 01 Nov 2006 5:05 pm

MadHatter
Administrator
From: Dallas TX
Registered: Jun 2006
Posts: 529

Re: bf2142 stat query protocol

I was hoping there was a table that listed the getplayerinfo.aspx to some # used for those 2 bytes. 

I suspect that the 2 missing bytes are related to the page somehow.  I don't know exactly how that is though.

Offline

 

#57 01 Nov 2006 6:25 pm

MadHatter
Administrator
From: Dallas TX
Registered: Jun 2006
Posts: 529

Re: bf2142 stat query protocol

well I finally got xp (32 bit) installed on vmware, and got a server up and running, can attach and set the breakpoint where I need it, but now can't connect w/ my game client.  so I guess I have to install the game on the vm as well.  slow progress.

Offline

 

#58 01 Nov 2006 8:54 pm

Craigins
Extreme Member
From: Chicago, IL
Registered: Oct 2006
Posts: 58

Re: bf2142 stat query protocol

Tubar :

Some data for testing:
Sample1: 8B 66 48 45 64 00 00 00 F9 6A E2 04 01 00 2B 24
Sample2: 63 69 48 45 64 00 00 00 F9 6A E2 04 01 00 1C EF
Sample3: B7 69 48 45 64 00 00 00 F9 6A E2 04 01 00 8F A8
Sample4: C0 6C 48 45 64 00 00 00 F9 6A E2 04 01 00 C0 E8
Sample5: CB 6F 48 45 64 00 00 00 F9 6A E2 04 01 00 AD 41

is the middle int always 100 and are the first 2 bytes of the last int always 1?  Are you trying multiple pages?  maybe the 100 refers to the type of query.  Or maybe the 1 does.  if those are all auths to the same page, then they wouldn't change at all.

Offline

 

#59 01 Nov 2006 11:56 pm

MadHatter
Administrator
From: Dallas TX
Registered: Jun 2006
Posts: 529

Re: bf2142 stat query protocol

I was able to load it up and poke through the string section in both olly and PE Explorer.

in PE Explorer, I came across what looked like routines to calculate the bytes for each query type.  I couldn't find the exact same thing in olly, but I may have missed it.

we should be able to set access breakpoints on strings (like the ones I came across in PE Explorer and olly) and see if / what they do.

here's some stuff I found from that:

Code:

 008315D0  90287900                         dd    SSZ00792890_pers_plrRequestUnlocks
 008315D4  20335100                         dd    L00513320
 008315D8  01                               db    01h;
 008315D9  00                               db    00h;
 008315DA  00                               db    00h;
 008315DB  00                               db    00h;
 008315DC  00                               db    00h;
 008315DD  00                               db    00h;
 008315DE  00                               db    00h;
 008315DF  00                               db    00h;
 008315E0  78287900                         dd    SSZ00792878_pers_plrRequestStats
 008315E4  E0285100                         dd    L005128E0
 008315E8  01                               db    01h;
 008315E9  00                               db    00h;
 008315EA  00                               db    00h;
 008315EB  00                               db    00h;
 008315EC  00                               db    00h;
 008315ED  00                               db    00h;
 008315EE  00                               db    00h;
 008315EF  00                               db    00h;
 008315F0  60287900                         dd    SSZ00792860_pers_plrRequestAwards
 008315F4  302A5100                         dd    L00512A30
 008315F8  01                               db    01h;
 008315F9  00                               db    00h;
 008315FA  00                               db    00h;
 008315FB  00                               db    00h;
 008315FC  00                               db    00h;
 008315FD  00                               db    00h;
 008315FE  00                               db    00h;
 008315FF  00                               db    00h;
 00831600  4C287900                         dd    SSZ0079284C_pers_getStatsKeyVal
 00831604  702B5100                         dd    L00512B70
 00831608  01                               db    01h;
 00831609  00                               db    00h;
 0083160A  00                               db    00h;
 0083160B  00                               db    00h;
 0083160C  00                               db    00h;
 0083160D  00                               db    00h;
 0083160E  00                               db    00h;
 0083160F  00                               db    00h;
 00831610  34287900                         dd    SSZ00792834_pers_getRankExperience
 00831614  602F5100                         dd    L00512F60
 00831618  01                               db    01h;
 00831619  00                               db    00h;
 0083161A  00                               db    00h;
 0083161B  00                               db    00h;
 0083161C  00                               db    00h;
 0083161D  00                               db    00h;
 0083161E  00                               db    00h;
 0083161F  00                               db    00h;
 00831620  20287900                         dd    SSZ00792820_pers_getNumRanks
 00831624  B0265100                         dd    L005126B0
 00831628  01                               db    01h;
 00831629  00                               db    00h;
 0083162A  00                               db    00h;
 0083162B  00                               db    00h;
 0083162C  00                               db    00h;
 0083162D  00                               db    00h;
 0083162E  00                               db    00h;
 0083162F  00                               db    00h;

;----------------------------------------------------------------------------------------------------
 00513312  CCCCCCCCCCCCCCCCCCCC+             Align    16
 00513320                           L00513320:
 00513320  55                                push    ebp
 00513321  8BEC                              mov    ebp,esp
 00513323  83EC14                            sub    esp,00000014h
 00513326  56                                push    esi
 00513327  8B750C                            mov    esi,[ebp+0Ch]
 0051332A  57                                push    edi
 0051332B  8D45F8                            lea    eax,[ebp-08h]
 0051332E  50                                push    eax
 0051332F  BA01000000                        mov    edx,00000001h
 00513334  8BCE                              mov    ecx,esi
 00513336  E8951BF1FF                        call    SUB_L00424ED0
 0051333B  8D4DFC                            lea    ecx,[ebp-04h]
 0051333E  51                                push    ecx
 0051333F  33D2                              xor    edx,edx
 00513341  8BCE                              mov    ecx,esi
 00513343  8BF8                              mov    edi,eax
 00513345  E8861BF1FF                        call    SUB_L00424ED0
 0051334A  03F8                              add    edi,eax
 0051334C  752C                              jnz    L0051337A
 0051334E  8B0D809B8900                      mov    ecx,[L00899B80]
 00513354  8B45FC                            mov    eax,[ebp-04h]
 00513357  8B11                              mov    edx,[ecx]
 00513359  50                                push    eax
 0051335A  FF5220                            call    [edx+20h]
 0051335D  8BF8                              mov    edi,eax
 0051335F  85FF                              test    edi,edi
 00513361  751F                              jnz    L00513382
 00513363  8B0D50B67800                      mov    ecx,[dice_py.dll!PyExc_RuntimeError]
 00513369  8B11                              mov    edx,[ecx]
 0051336B  6888BE7C00                        push    SSZ007CBE88_no_such_player
 00513370  52                                push    edx
 00513371  FF15E4B67800                      call    [dice_py.dll!PyErr_SetString]
 00513377  83C408                            add    esp,00000008h
 0051337A                           L0051337A:
 0051337A  5F                                pop    edi
 0051337B  33C0                              xor    eax,eax
 0051337D  5E                                pop    esi
 0051337E  8BE5                              mov    esp,ebp
 00513380  5D                                pop    ebp
 00513381  C3                                retn
;----------------------------------------------------------------------------------------------------

;----------------------------------------------------------------------------------------------------
 005128D3  CCCCCCCCCCCCCCCCCCCC+             Align    16
 005128E0                           L005128E0:
 005128E0  55                                push    ebp
 005128E1  8BEC                              mov    ebp,esp
 005128E3  83EC2C                            sub    esp,0000002Ch
 005128E6  A140CA8300                        mov    eax,[L0083CA40]
 005128EB  56                                push    esi
 005128EC  57                                push    edi
 005128ED  8D4DE0                            lea    ecx,[ebp-20h]
 005128F0  8945FC                            mov    [ebp-04h],eax
 005128F3  FF1554B37800                      call    [MSVCP71.dll!??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ]
 005128F9  8B750C                            mov    esi,[ebp+0Ch]
 005128FC  8D45E0                            lea    eax,[ebp-20h]
 005128FF  50                                push    eax
 00512900  BA02000000                        mov    edx,00000002h
 00512905  8BCE                              mov    ecx,esi
 00512907  E86425F1FF                        call    SUB_L00424E70
 0051290C  8D4DDC                            lea    ecx,[ebp-24h]
 0051290F  51                                push    ecx
 00512910  BA03000000                        mov    edx,00000003h
 00512915  8BCE                              mov    ecx,esi
 00512917  8BF8                              mov    edi,eax
 00512919  E8B225F1FF                        call    SUB_L00424ED0
 0051291E  8D55D8                            lea    edx,[ebp-28h]
 00512921  52                                push    edx
 00512922  BA01000000                        mov    edx,00000001h
 00512927  8BCE                              mov    ecx,esi
 00512929  03F8                              add    edi,eax
 0051292B  E8A025F1FF                        call    SUB_L00424ED0
 00512930  03F8                              add    edi,eax
 00512932  8D45D4                            lea    eax,[ebp-2Ch]
 00512935  50                                push    eax
 00512936  33D2                              xor    edx,edx
 00512938  8BCE                              mov    ecx,esi
 0051293A  E89125F1FF                        call    SUB_L00424ED0
 0051293F  03F8                              add    edi,eax
 00512941  7530                              jnz    L00512973
 00512943  8B45D4                            mov    eax,[ebp-2Ch]
 00512946  3D00010000                        cmp    eax,00000100h
 0051294B  7D49                              jge    L00512996
 0051294D  8B0D809B8900                      mov    ecx,[L00899B80]
 00512953  8B11                              mov    edx,[ecx]
 00512955  50                                push    eax
 00512956  FF5220                            call    [edx+20h]
 00512959  85C0                              test    eax,eax
 0051295B  752F                              jnz    L0051298C
 0051295D  A150B67800                        mov    eax,[dice_py.dll!PyExc_RuntimeError]
 00512962  8B08                              mov    ecx,[eax]
 00512964  6888BE7C00                        push    SSZ007CBE88_no_such_player
 00512969  51                                push    ecx
 0051296A  FF15E4B67800                      call    [dice_py.dll!PyErr_SetString]
 00512970  83C408                            add    esp,00000008h
 00512973                           L00512973:
 00512973  8D4DE0                            lea    ecx,[ebp-20h]
 00512976  FF1584B27800                      call    [MSVCP71.dll!??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ]
 0051297C  5F                                pop    edi
 0051297D  33C0                              xor    eax,eax
 0051297F  5E                                pop    esi
 00512980  8B4DFC                            mov    ecx,[ebp-04h]
 00512983  E817B72400                        call    SUB_L0075E09F
 00512988  8BE5                              mov    esp,ebp
 0051298A  5D                                pop    ebp
 0051298B  C3                                retn
;----------------------------------------------------------------------------------------------------

;----------------------------------------------------------------------------------------------------
 00512A2F  CC                                Align    4
 00512A30                           L00512A30:
 00512A30  55                                push    ebp
 00512A31  8BEC                              mov    ebp,esp
 00512A33  83EC28                            sub    esp,00000028h
 00512A36  A140CA8300                        mov    eax,[L0083CA40]
 00512A3B  56                                push    esi
 00512A3C  57                                push    edi
 00512A3D  8D4DE0                            lea    ecx,[ebp-20h]
 00512A40  8945FC                            mov    [ebp-04h],eax
 00512A43  FF1554B37800                      call    [MSVCP71.dll!??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ]
 00512A49  8B750C                            mov    esi,[ebp+0Ch]
 00512A4C  8D45E0                            lea    eax,[ebp-20h]
 00512A4F  50                                push    eax
 00512A50  BA02000000                        mov    edx,00000002h
 00512A55  8BCE                              mov    ecx,esi
 00512A57  E81424F1FF                        call    SUB_L00424E70
 00512A5C  8D4DDC                            lea    ecx,[ebp-24h]
 00512A5F  51                                push    ecx
 00512A60  BA01000000                        mov    edx,00000001h
 00512A65  8BCE                              mov    ecx,esi
 00512A67  8BF8                              mov    edi,eax
 00512A69  E86224F1FF                        call    SUB_L00424ED0
 00512A6E  8D55D8                            lea    edx,[ebp-28h]
 00512A71  52                                push    edx
 00512A72  33D2                              xor    edx,edx
 00512A74  8BCE                              mov    ecx,esi
 00512A76  03F8                              add    edi,eax
 00512A78  E85324F1FF                        call    SUB_L00424ED0
 00512A7D  03F8                              add    edi,eax
 00512A7F  7530                              jnz    L00512AB1
 00512A81  8B45D8                            mov    eax,[ebp-28h]
 00512A84  3D00010000                        cmp    eax,00000100h
 00512A89  7D49                              jge    L00512AD4
 00512A8B  8B0D809B8900                      mov    ecx,[L00899B80]
 00512A91  8B11                              mov    edx,[ecx]
 00512A93  50                                push    eax
 00512A94  FF5220                            call    [edx+20h]
 00512A97  85C0                              test    eax,eax
 00512A99  752F                              jnz    L00512ACA
 00512A9B  A150B67800                        mov    eax,[dice_py.dll!PyExc_RuntimeError]
 00512AA0  8B08                              mov    ecx,[eax]
 00512AA2  6888BE7C00                        push    SSZ007CBE88_no_such_player
 00512AA7  51                                push    ecx
 00512AA8  FF15E4B67800                      call    [dice_py.dll!PyErr_SetString]
 00512AAE  83C408                            add    esp,00000008h
 00512AB1                           L00512AB1:
 00512AB1  8D4DE0                            lea    ecx,[ebp-20h]
 00512AB4  FF1584B27800                      call    [MSVCP71.dll!??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ]
 00512ABA  5F                                pop    edi
 00512ABB  33C0                              xor    eax,eax
 00512ABD  5E                                pop    esi
 00512ABE  8B4DFC                            mov    ecx,[ebp-04h]
 00512AC1  E8D9B52400                        call    SUB_L0075E09F
 00512AC6  8BE5                              mov    esp,ebp
 00512AC8  5D                                pop    ebp
 00512AC9  C3                                retn
;----------------------------------------------------------------------------------------------------

Offline

 

#60 02 Nov 2006 1:18 am

Tubar
Senior Member
From: Slovakia
Registered: Oct 2006
Posts: 26

Re: bf2142 stat query protocol

Craigins :

Tubar :

Some data for testing:
Sample1: 8B 66 48 45 64 00 00 00 F9 6A E2 04 01 00 2B 24
Sample2: 63 69 48 45 64 00 00 00 F9 6A E2 04 01 00 1C EF
Sample3: B7 69 48 45 64 00 00 00 F9 6A E2 04 01 00 8F A8
Sample4: C0 6C 48 45 64 00 00 00 F9 6A E2 04 01 00 C0 E8
Sample5: CB 6F 48 45 64 00 00 00 F9 6A E2 04 01 00 AD 41

is the middle int always 100 and are the first 2 bytes of the last int always 1?  Are you trying multiple pages?  maybe the 100 refers to the type of query.  Or maybe the 1 does.  if those are all auths to the same page, then they wouldn't change at all.

I got this data only by joining a server; I think it is for rank and unlock.
Today I finish the DECODER for the auth key, which gives me these 16 bytes from the Base64 auth string.
After that we can watch whether these bytes change for other requests or stay the same.

Offline

 

#61 02 Nov 2006 6:08 am

Craigins
Extreme Member
From: Chicago, IL
Registered: Oct 2006
Posts: 58

Re: bf2142 stat query protocol

FYI, I did every permutation of bytes for the first 12 bytes in the first 2 samples, and the CRC16 didn't match any of them.

I'm trying the first 14 bytes but I don't think that will run.  495 million permutations for 12 bytes took 1.25 hrs, 14 bytes has a possible 87 billion permutations so I think I will end it when I get home whether it is finished or not.

Offline

 

#62 02 Nov 2006 12:08 pm

Tubar
Senior Member
From: Slovakia
Registered: Oct 2006
Posts: 26

Re: bf2142 stat query protocol

Ok, coding and encoding 16 bytes is done.
You can try that here:
http://bf2142.bfstats.info/auth.php
CODE - is 16 bytes in hex format, so 32 characters 0..F -> encode to AUTH
AUTH - is auth base64 string -> decode to CODE

Tomorrow I will post the PHP code here.

Decode now works without problems. But for Encode we need to generate these last two bytes. How? I don't know at this time.

Offline

 

#63 02 Nov 2006 1:43 pm

MadHatter
Administrator
From: Dallas TX
Registered: Jun 2006
Posts: 529

Re: bf2142 stat query protocol

very nice! 

this gives us a starting point for test data at least.

here's the dump of my auth requests posted on the second post of this thread:

it goes:

Code:

querypage
    auth token    bytes    (any additional parameters in the query)

Code:

getbackendinfo
    iXZI3e9NRrcK6mkHY2YkNg__    400040456400000000000000000006DD
    Tz[wyu88es8eq3P22aB9wQ__    7D43404564000000000000000000E47E

getplayerinfo
    hsAYJAG[dgkSiQfkKhF[fA__    430040456400000011BAD7040000FF42    (mode=base)
    CsJwQ9RPk46kmWxa9CTeYA__    570040456400000011BAD7040000AD79    (mode=ovr)
    xU2qDk[zXk]BWGehdT4y4w__    590040456400000011BAD7040000A199    (mode=ply)
    HoEwn2lJbn0bvp6bDh]wjQ__    9C434045640000006F17E6040000AD62    (mode=base)

getunlocksinfo
    WMPGObVgmQFOUigYZyNnRw__    460040456400000011BAD70400003BC4
    2d3SIIXPHH40QC6w9DrR6w__    9E434045640000006F17E60400006F94

getawardsinfo.aspx 
    WMPGObVgmQFOUigYZyNnRw__    460040456400000011BAD70400003BC4    (pid=81246737)
    2d3SIIXPHH40QC6w9DrR6w__    9E434045640000006F17E60400006F94    (pid=82188143)

getplayerprogress
    8e26HVmZGRthTzwBLMcrFw__    4E0040456400000011BAD7040000502F    (mode=point)
    OwLTkf3YNNKSyoHbDP3KZQ__    510040456400000011BAD7040000CA72    (mode=score)
    Un0OVwDuqpANkLtdDtHw2A__    520040456400000011BAD704000069FF    (mode=ttp)
    Un0OVwDuqpANkLtdDtHw2A__    520040456400000011BAD704000069FF    (mode=kills)
    3CR[CIClsFA6bIEPqghpKQ__    530040456400000011BAD70400000884    (mode=spm)
    3CR[CIClsFA6bIEPqghpKQ__    530040456400000011BAD70400000884    (mode=role)
    Wq[wb1fQGAnWp]KoQ4etxA__    540040456400000011BAD70400000EF4    (mode=flag)
    Wq[wb1fQGAnWp]KoQ4etxA__    540040456400000011BAD70400000EF4    (mode=waccu)
    p5UWGglGAsln9Sb36S9oZQ__    550040456400000011BAD70400006F8F    (mode=wl)
    p5UWGglGAsln9Sb36S9oZQ__    550040456400000011BAD70400006F8F    (mode=twsc)
    RM0orxS6feg[L[qXDREYug__    560040456400000011BAD7040000CC02    (mode=sup)
    q6D3E5nkRF1]OnmOU8W7Yg__    AC434045640000006F17E60400009539    (mode=point)

getleaderboard
    yY6RhSt3AI[gBtRkc67Ulw__    650040456400000011BAD704000057D4
    XxfEcvG2RYQ0J5V6mLnTng__    670040456400000011BAD70400009522    (dogTagFilter=1)
    rtXtz6QGp[ufCxJWMrYS5w__    680040456400000011BAD7040000F8B9    (type=overallscore)
    IA65[l5DqWS]khmcwMcfKQ__    690040456400000011BAD704000099C2    (type=overallscore&ccFilter=US)
    6swGutaWIeRWF]MUK8rRzw__    6A0040456400000011BAD70400003A4F    (type=overallscore)
    Ok2ca63[qDe142so3B0ZzQ__    6B0040456400000011BAD70400005B34    (type=overallscore&buddiesFilter=81168298,81242994,81306093,81465904)
    NHFg9sIAp5Z[euaT6CA7KA__    6C0040456400000011BAD70400005D44    (type=overallscore)
    UCdBNgv2uDFFMTrq0HLQxA__    6D0040456400000011BAD70400003C3F    (type=overallscore&buddiesFilter=81168298,81242994,81306093,81465904)
    OambPiPNcGuCzsSlnZRF6w__    6E0040456400000011BAD70400009FB2    (type=overallscore&buddiesFilter=81168298,81242994,81306093,81465904&dogTagFilter=1)
    apr3cK9vZGLV[SjCz[7ikg__    6F0040456400000011BAD7040000FEC9    (type=overallscore&ccFilter=US&buddiesFilter=81168298,81242994,81306093,81465904&dogTagFilter=1)
    K5N9nf4JQdQ8L3cb[BVnpg__    BD434045640000006F17E60400000384    (type=overallscore)

about the only thing that came out at a glance is that there is no PID in the getbackendinfo query, and the last 4 bytes of my auth token don't contain the same thing as Tubar's did (which when I drilled into the string data from inside PE Explorer last night, what I end up with here looks a lot like what they had there, so it looks like there's another hashing algorithm to understand).

Offline

 

#64 02 Nov 2006 1:54 pm

Craigins
Extreme Member
From: Chicago, IL
Registered: Oct 2006
Posts: 58

Re: bf2142 stat query protocol

well it is only 2 bytes.  Try the same query over and over again so the time stamp changes to see if those 2 bytes change.

If they don't change, then the 2 bytes are dependent on the query.  This means that we can just run a brute force algorithm testing each byte to see which values correspond to which queries on which pages.  Might take a while though.  Couple hours per auth depending on how fast we set the query interval (don't want to burden the server).

Offline
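
Added example (not code from any poster in this thread): the check proposed in post #64 can be run offline on the decoded values already posted in #58 and #63, by splitting each 16-byte value into fields and asking what the last two bytes vary with. The field names, and the reading of the first four bytes as a little-endian Unix timestamp, are assumptions drawn from the thread's discussion; no checksum algorithm is computed here.

```python
import struct
from collections import defaultdict
from datetime import datetime, timezone
from typing import NamedTuple


class AuthFields(NamedTuple):
    timestamp: int   # assumed: Unix time, little-endian uint32
    constant: int    # the "middle int", 100 in every sample in the thread
    pid: int         # player id, little-endian uint32
    flag: int        # the 00 00 / 01 00 pair discussed in the thread
    trailer: bytes   # the two unexplained bytes


def parse_auth(hex_bytes: str) -> AuthFields:
    """Split one decoded auth value (hex, spaces allowed) into its fields."""
    raw = bytes.fromhex(hex_bytes)
    if len(raw) != 16:
        raise ValueError(f"expected 16 bytes, got {len(raw)}")
    timestamp, constant, pid, flag = struct.unpack_from("<IIIH", raw)
    return AuthFields(timestamp, constant, pid, flag, raw[14:])


def issued_at(fields: AuthFields) -> datetime:
    """Timestamp field as UTC, under the Unix-time assumption."""
    return datetime.fromtimestamp(fields.timestamp, tz=timezone.utc)


# (page, query parameters, decoded bytes) copied from posts #58 and #63.
SAMPLES = [
    ("getplayerinfo", "mode=base", "430040456400000011BAD7040000FF42"),
    ("getplayerinfo", "mode=ovr", "570040456400000011BAD7040000AD79"),
    ("getunlocksinfo", "", "460040456400000011BAD70400003BC4"),
    ("getawardsinfo.aspx", "pid=81246737", "460040456400000011BAD70400003BC4"),
    ("getplayerprogress", "mode=ttp", "520040456400000011BAD704000069FF"),
    ("getplayerprogress", "mode=kills", "520040456400000011BAD704000069FF"),
    ("getplayerprogress", "mode=spm", "530040456400000011BAD70400000884"),
    ("getplayerprogress", "mode=role", "530040456400000011BAD70400000884"),
    ("getleaderboard", "type=overallscore", "680040456400000011BAD7040000F8B9"),
    ("getleaderboard", "type=overallscore", "6A0040456400000011BAD70400003A4F"),
    ("getleaderboard", "type=overallscore", "6C0040456400000011BAD70400005D44"),
    ("getplayerinfo", "mode=base", "9C434045640000006F17E6040000AD62"),
    ("(server join)", "", "8B 66 48 45 64 00 00 00 F9 6A E2 04 01 00 2B 24"),
]


def trailer_dependencies(samples):
    """Return (conflicting, shared, varying):

    conflicting: 14-byte prefixes seen with more than one trailer
    shared:      14-byte prefixes seen with more than one distinct query
    varying:     (page, params, pid) seen with more than one trailer,
                 i.e. same query and player, only the timestamp differs
    """
    by_prefix = defaultdict(lambda: {"trailers": set(), "queries": set()})
    by_query = defaultdict(set)
    for page, params, hex_bytes in samples:
        fields = parse_auth(hex_bytes)
        prefix = bytes.fromhex(hex_bytes)[:14]
        by_prefix[prefix]["trailers"].add(fields.trailer)
        by_prefix[prefix]["queries"].add((page, params))
        by_query[(page, params, fields.pid)].add(fields.trailer)
    conflicting = [p for p, v in by_prefix.items() if len(v["trailers"]) > 1]
    shared = [p for p, v in by_prefix.items() if len(v["queries"]) > 1]
    varying = [q for q, t in by_query.items() if len(t) > 1]
    return conflicting, shared, varying


if __name__ == "__main__":
    for page, params, hex_bytes in SAMPLES:
        f = parse_auth(hex_bytes)
        print(f"{page:20} {params:18} {issued_at(f):%Y-%m-%d %H:%M:%S} "
              f"const={f.constant} pid={f.pid} flag={f.flag} "
              f"trailer={f.trailer.hex().upper()}")
    conflicting, shared, varying = trailer_dependencies(SAMPLES)
    print("prefixes with more than one trailer:", len(conflicting))
    print("prefixes reused across different queries:", len(shared))
    print("same query and pid, different trailers:", varying)
```

On these samples, no 14-byte prefix appears with two different trailers, while the one query repeated for the same pid at different timestamps shows a different trailer each time.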

 

#65 02 Nov 2006 2:05 pm

Tubar
Senior Member
From: Slovakia
Registered: Oct 2006
Posts: 26

Re: bf2142 stat query protocol

i think these two bytes have not to do with query tyme.
when i got auth key, i use this auth key for getplayerinfo and for getunlockinfo and both work fine on stella gamespy request.

Offline

 

#66 02 Nov 2006 2:09 pm

MadHatter
Administrator
From: Dallas TX
Registered: Jun 2006
Posts: 529

Re: bf2142 stat query protocol

it makes sense to me now, because I think that when I got the odd results it was when I took the auth token from get backend info (which doesn't have a PID).

but odd that the last 4 bytes of mine (both accounts that I tried) differ from yours Tubar (there is no 01 00 XX XX, just 00 00 XX XX).  Is the account you're testing a BF2 Vet account (this may be the difference... both ones I tested are bf2 vet users)?

It will be interesting to see what the last 4 bytes of Craigins token show up as.

Offline

 

#67 02 Nov 2006 4:31 pm

Craigins
Extreme Member
From: Chicago, IL
Registered: Oct 2006
Posts: 58

Re: bf2142 stat query protocol

Maybe the 0100 is a location code of sorts.

I threw up my packet capture program, grabbed the pages and query string for each request and then fed the auth codes through Tubar's page.  Here they are:

Code:

Page: getplayerprogress.aspx
    AuthCode: =mEt8kpDnJVLundp1ZWK42w__
    Bytes: 88884A4564000000E986D80400009B34
    mode: point
    scale: game

Page: getplayerprogress.aspx
    AuthCode: =0sIoSzoQcihpqUgm083n5w__
    Bytes: 8B884A4564000000E986D804000038B9
    mode: score
    scale: game

Page: getplayerprogress.aspx
    AuthCode: =A8YZ5oHdixMBagM[hFU1Yg__
    Bytes: 8C884A4564000000E986D80400003EC9
    mode: ttp
    scale: game

Page: getplayerprogress.aspx
    AuthCode: =A8YZ5oHdixMBagM[hFU1Yg__
    Bytes: 8C884A4564000000E986D80400003EC9
    mode: kills
    scale: game

Page: getplayerprogress.aspx
    AuthCode: =4fEBDwo5k68r2racrIPptg__
    Bytes: 8D884A4564000000E986D80400005FB2
    mode: spm
    scale: game

Page: getplayerprogress.aspx
    AuthCode: =hCqB28pYW0MMRAbCAY9W4g__
    Bytes: 8E884A4564000000E986D8040000FC3F
    mode: role
    scale: game

Page: getplayerprogress.aspx
    AuthCode: =hCqB28pYW0MMRAbCAY9W4g__
    Bytes: 8E884A4564000000E986D8040000FC3F
    mode: flag
    scale: game

Page: getplayerprogress.aspx
    AuthCode: =t28MLsFZJOQYLSvFlHvxww__
    Bytes: 8F884A4564000000E986D80400009D44
    mode: waccu
    scale: game

Page: getplayerprogress.aspx
    AuthCode: =t28MLsFZJOQYLSvFlHvxww__
    Bytes: 8F884A4564000000E986D80400009D44
    mode: wl
    scale: game

Page: getplayerprogress.aspx
    AuthCode: =VXh]SNTKZcyolyzXQ9cKfQ__
    Bytes: 90884A4564000000E986D80400000719
    mode: twsc
    scale: game

Page: getplayerprogress.aspx
    AuthCode: =VXh]SNTKZcyolyzXQ9cKfQ__
    Bytes: 90884A4564000000E986D80400000719
    mode: sup
    scale: game

Page: getplayerinfo.aspx
    AuthCode: =2]TKpMmglzZ8TLNqjwbo]Q__
    Bytes: A8884A4564000000E986D804000054A9
    mode: ovr

Page: getplayerinfo.aspx
    AuthCode: =I[AVk[4VK5J5OMzH0NpozQ__
    Bytes: AA884A4564000000E986D8040000965F
    mode: ply

Page: getplayerinfo.aspx
    AuthCode: =PMx7iqTEG9ZUO8rWeErJ0g__
    Bytes: AD884A4564000000E986D8040000902F
    mode: titan

Page: getplayerinfo.aspx
    AuthCode: =oggxXuy4v2]bE7oRHIee6g__
    Bytes: AF884A4564000000E986D804000052D9
    mode: wrk

Page: getplayerinfo.aspx
    AuthCode: =lFf7vXmsl5RxbxIhS7IZjw__
    Bytes: B1884A4564000000E986D8040000A9FF
    mode: com

Page: getplayerinfo.aspx
    AuthCode: =1yfkOjsV72gPz9tOELFiHw__
    Bytes: B4884A4564000000E986D80400006D79
    mode: wep

Page: getplayerinfo.aspx
    AuthCode: =Z2W5Qzn2PEmKJuQkVMj8Tg__
    Bytes: B6884A4564000000E986D8040000AF8F
    mode: veh

Page: getplayerinfo.aspx
    AuthCode: =QUXJFsQKyysYCVuH3QvV]Q__
    Bytes: B8884A4564000000E986D8040000A36F
    mode: map

Page: getleaderboard.aspx
    AuthCode: =ZI[USzdOZs[HqUs9CWuzNw__
    Bytes: C7884A4564000000E986D80400004984
    pos: 1
    after: 17
    type: overallscore

Page: getleaderboard.aspx
    AuthCode: =[dXsnBeejVJZ7Ik9urZ3og__
    Bytes: C8884A4564000000E986D8040000241F
    pos: 1
    after: 17
    type: weapon
    id: 0

Page: getleaderboard.aspx
    AuthCode: =yvr8B2wdNmE[FxqUbgqIdQ__
    Bytes: C9884A4564000000E986D80400004564
    pos: 1
    after: 17
    type: vehicle
    id: 0

Page: getleaderboard.aspx
    AuthCode: =DbQwerDlLFIGQkwnS9kNJw__
    Bytes: CA884A4564000000E986D8040000E6E9
    pos: 1
    after: 16
    type: supremecommander

Page: getleaderboard.aspx
    AuthCode: =YexuXME20sAhGzzFFgTdsg__
    Bytes: CC884A4564000000E986D804000081E2
    pos: 1
    after: 17
    type: vehicle
    id: 0

Page: getleaderboard.aspx
    AuthCode: =iYUcz6nzXXfaLoUMuUmjZw__
    Bytes: CE884A4564000000E986D80400004314
    pos: 1
    after: 17
    type: vehicle
    id: 0
    buddiesFilter: 81273635,81283179,81291832,81304838,81428658,82375860

Page: getleaderboard.aspx
    AuthCode: =O8nc2Yhtuur]VUIanykJoA__
    Bytes: CF884A4564000000E986D8040000226F
    pos: 1
    after: 17
    type: vehicle
    id: 0
    ccFilter: US
    buddiesFilter: 81273635,81283179,81291832,81304838,81428658,82375860

Page: getleaderboard.aspx
    AuthCode: =UytJU17z2O]TDlDfQ9HGsg__
    Bytes: D0884A4564000000E986D8040000B832
    pos: 1
    after: 17
    type: vehicle
    id: 0
    ccFilter: US

Page: getleaderboard.aspx
    AuthCode: =aEugYAOrEOSsQzhz6fUH1g__
    Bytes: D1884A4564000000E986D8040000D949
    pos: 1
    after: 17
    type: vehicle
    id: 0
    ccFilter: US
    dogTagFilter: 1

Page: getleaderboard.aspx
    AuthCode: =5]sIPWtND6ygN0hLT4RTtw__
    Bytes: D3884A4564000000E986D80400001BBF
    pos: 1
    after: 17
    type: vehicle
    id: 0
    dogTagFilter: 1

Page: getleaderboard.aspx
    AuthCode: =iW3E6N70EqhEAJhoc9tffg__
    Bytes: D4884A4564000000E986D80400001DCF
    pos: 1
    after: 17
    type: vehicle
    id: 0
    buddiesFilter: 81273635,81283179,81291832,81304838,81428658,82375860
    dogTagFilter: 1

Page: getleaderboard.aspx
    AuthCode: =wI64fNyBo]LZx4K0Q8pwoA__
    Bytes: D7884A4564000000E986D8040000BE42
    pos: 1
    after: 17
    type: weapon
    id: 0
    buddiesFilter: 81273635,81283179,81291832,81304838,81428658,82375860
    dogTagFilter: 1

Page: getleaderboard.aspx
    AuthCode: =lfMcFVv5zQndGL6fTn5OWA__
    Bytes: D8884A4564000000E986D8040000D3D9
    pos: 1
    after: 17
    type: weapon
    id: 0
    dogTagFilter: 1

Page: getleaderboard.aspx
    AuthCode: =6Zz69Y27kK2ndxrV4CuZMg__
    Bytes: D9884A4564000000E986D8040000B2A2
    pos: 1
    after: 17
    type: weapon
    id: 0

Page: getleaderboard.aspx
    AuthCode: =GfG8J0pbskUMJdRgR9dw[w__
    Bytes: DA884A4564000000E986D8040000112F
    pos: 1
    after: 17
    type: weapon
    id: 0
    ccFilter: US

Page: getleaderboard.aspx
    AuthCode: =OgcQDcZ0t30eJY62KBavOw__
    Bytes: DB884A4564000000E986D80400007054
    pos: 1
    after: 17
    type: weapon
    id: 0

Page: getleaderboard.aspx
    AuthCode: =3ZrRQyVAGAvIlmOk4E7J4g__
    Bytes: DC884A4564000000E986D80400007624
    pos: 1
    after: 17
    type: weapon
    id: 0
    buddiesFilter: 81273635,81283179,81291832,81304838,81428658,82375860

Page: getleaderboard.aspx
    AuthCode: =3ZrRQyVAGAvIlmOk4E7J4g__
    Bytes: DC884A4564000000E986D80400007624
    pos: 1
    after: 17
    type: weapon
    id: 0

Page: getleaderboard.aspx
    AuthCode: =hEeYdpzK5rnLdEbV]J1GhQ__
    Bytes: E0884A4564000000E986D80400008069
    pos: 1
    after: 17
    type: combatscore

Page: getleaderboard.aspx
    AuthCode: =jdV3JIFh1u]Wxxi]fMsLLg__
    Bytes: E4884A4564000000E986D80400002594
    pos: 1
    after: 17
    type: risingstar

Page: getleaderboard.aspx
    AuthCode: =16bssWU4VjFINTwPGYmw1A__
    Bytes: E8884A4564000000E986D8040000EB82
    pos: 1
    after: 17
    type: commanderscore

Page: getleaderboard.aspx
    AuthCode: =G3kchhw3s8jZNdjcqlEOsg__
    Bytes: EA884A4564000000E986D80400002974
    pos: 1
    after: 17
    type: teamworkscore

Page: getleaderboard.aspx
    AuthCode: =i9AL8v8TAm0FlI0GvDtRsw__
    Bytes: ED884A4564000000E986D80400002F04
    pos: 1
    after: 17
    type: efficiency

Page: getleaderboard.aspx
    AuthCode: =bqSWPpR09BWRQdK[jstoBg__
    Bytes: F2884A4564000000E986D8040000B559
    pos: 1
    after: 17
    type: efficiency
    buddiesFilter: 81273635,81283179,81291832,81304838,81428658,82375860

Page: getleaderboard.aspx
    AuthCode: =YGcfuim40euyIGIl4OcPjw__
    Bytes: F3884A4564000000E986D8040000D422
    pos: 1
    after: 17
    type: efficiency
    buddiesFilter: 81273635,81283179,81291832,81304838,81428658,82375860
    dogTagFilter: 1

Page: getleaderboard.aspx
    AuthCode: =8MPmH1RhhhOxIX1NcH[nvA__
    Bytes: F5884A4564000000E986D8040000B329
    pos: 1
    after: 17
    type: efficiency
    dogTagFilter: 1

I guess I'm out of ideas on what to do next.


Edit:
After playing for a few hours I captured the packets again just to see if the last 2 bytes matched at all:

Code:

Page: getplayerprogress.aspx
    AuthCode: =ycV6VToOYsBYtNRQTUMVfQ__
    Bytes: 7FC04A4564000000E986D8040000EE32
    mode: point
    scale: game

Page: getplayerprogress.aspx
    AuthCode: =5mdU9llSQWRENGoIwvriQg__
    Bytes: 83C04A4564000000E986D8040000D903
    mode: point
    scale: game

Page: getleaderboard.aspx
    AuthCode: =eFZG7ThcjiNbZCPBHisA8w__
    Bytes: 8DC04A4564000000E986D8040000D5E3
    pos: 1
    after: 17
    type: overallscore

Page: getplayerprogress.aspx
    AuthCode: =PUi3D7mb1A3Je]q496ehqw__
    Bytes: 8FC04A4564000000E986D80400001715
    mode: point
    scale: game

Page: getplayerprogress.aspx
    AuthCode: =3cj84xBXa[XWSeF7Hx]5qw__
    Bytes: 90C04A4564000000E986D80400008D48
    mode: score
    scale: game

Page: getplayerprogress.aspx
    AuthCode: =3cj84xBXa[XWSeF7Hx]5qw__
    Bytes: 90C04A4564000000E986D80400008D48
    mode: ttp
    scale: game

Page: getplayerprogress.aspx
    AuthCode: =2GF1QcPfURipI246TBTITA__
    Bytes: 91C04A4564000000E986D8040000EC33
    mode: kills
    scale: game

Page: getplayerprogress.aspx
    AuthCode: =2GF1QcPfURipI246TBTITA__
    Bytes: 91C04A4564000000E986D8040000EC33
    mode: spm
    scale: game

Page: getplayerprogress.aspx
    AuthCode: =WHr0i1uaw]1EDl2PKJB1[Q__
    Bytes: 92C04A4564000000E986D80400004FBE
    mode: role
    scale: game

Page: getplayerprogress.aspx
    AuthCode: =WHr0i1uaw]1EDl2PKJB1[Q__
    Bytes: 92C04A4564000000E986D80400004FBE
    mode: flag
    scale: game

Page: getplayerprogress.aspx
    AuthCode: =EpkEe3sxla35ClTnzUgsuQ__
    Bytes: 93C04A4564000000E986D80400002EC5
    mode: waccu
    scale: game

Page: getplayerprogress.aspx
    AuthCode: =e7jhklDkxFAfFSQfSX0W5A__
    Bytes: 95C04A4564000000E986D804000049CE
    mode: wl
    scale: game

Page: getplayerprogress.aspx
    AuthCode: =bLaQgnS1zdUfaEPb2d1j4w__
    Bytes: 96C04A4564000000E986D8040000EA43
    mode: twsc
    scale: game

Page: getplayerprogress.aspx
    AuthCode: =f415wjcPQ2UjFWOpef6Xig__
    Bytes: 98C04A4564000000E986D8040000E6A3
    mode: sup
    scale: game

Page: getplayerprogress.aspx
    AuthCode: =Y8DnY6VKCIEMvC2oHDZqoQ__
    Bytes: 9BC04A4564000000E986D8040000452E
    mode: role
    scale: game

Page: getplayerprogress.aspx
    AuthCode: =3zLD185Jg2YAoRg0l]VNRw__
    Bytes: A3C04A4564000000E986D8040000169E
    mode: spm
    scale: game

Page: getplayerprogress.aspx
    AuthCode: =pivRs83uPSwvwWkrEXrltA__
    Bytes: ACC04A4564000000E986D80400007B05
    mode: kills
    scale: game

Page: getplayerprogress.aspx
    AuthCode: =]gi8lwcqtTz0a]X5uiLz8Q__
    Bytes: B4C04A4564000000E986D8040000E728
    mode: ttp
    scale: game

Page: getplayerprogress.aspx
    AuthCode: =SU8iLDLw4HLA5jkfrPAqjQ__
    Bytes: B5C04A4564000000E986D80400008653
    mode: score
    scale: game

Page: getplayerprogress.aspx
    AuthCode: =3jLi93LzHDA1haaLLjljfQ__
    Bytes: B7C04A4564000000E986D804000044A5
    mode: ttp
    scale: game

Page: getplayerprogress.aspx
    AuthCode: =xM[pLn]qum9Ta2N]7kJFNw__
    Bytes: C3C04A4564000000E986D80400006628
    mode: ttp
    scale: game

Page: getplayerprogress.aspx
    AuthCode: =xM[pLn]qum9Ta2N]7kJFNw__
    Bytes: C3C04A4564000000E986D80400006628
    mode: score
    scale: game

Page: getplayerprogress.aspx
    AuthCode: =1JEDRniXeEPhYBu3Z9sKNA__
    Bytes: C4C04A4564000000E986D80400006058
    mode: point
    scale: game

Page: getplayerinfo.aspx
    AuthCode: =FNBTXhzvmk]PV22gxIk1mw__
    Bytes: C5C04A4564000000E986D80400000123
    mode: ovr

Page: getplayerinfo.aspx
    AuthCode: =bHdwMtmfjUnxMSkCIzlKhQ__
    Bytes: C7C04A4564000000E986D8040000C3D5
    mode: ply

Page: getplayerinfo.aspx
    AuthCode: =tLLQZndZTkXsDrgaLJpC5g__
    Bytes: C9C04A4564000000E986D8040000CF35
    mode: titan

Page: getplayerinfo.aspx
    AuthCode: =fJ8EB1U2pFai444O2km0Yw__
    Bytes: CBC04A4564000000E986D80400000DC3
    mode: wrk

Page: getplayerinfo.aspx
    AuthCode: =xQLIwG6pjlZH[AdaIcYcJQ__
    Bytes: CDC04A4564000000E986D80400006AC8
    mode: com

Page: getplayerinfo.aspx
    AuthCode: =KlBpvzBXh1h6gJt8JIQaCA__
    Bytes: CEC04A4564000000E986D8040000C945
    mode: wep

Page: getplayerinfo.aspx
    AuthCode: =bZiH2]YoeT54stO2ooY8kg__
    Bytes: D1C04A4564000000E986D80400005318
    mode: veh

Page: getplayerinfo.aspx
    AuthCode: =TzsQYvmWbasnQnUuKe7BrA__
    Bytes: D4C04A4564000000E986D8040000979E
    mode: map

Page: getleaderboard.aspx
    AuthCode: =70AIsYIRRdQAEGoXrySZVQ__
    Bytes: D8C04A4564000000E986D80400005988
    pos: 1
    after: 17
    type: weapon
    id: 0

Page: getleaderboard.aspx
    AuthCode: =r71UdPhwOKndE6zlq3IbtQ__
    Bytes: D9C04A4564000000E986D804000038F3
    pos: 1
    after: 17
    type: vehicle
    id: 0

Page: getleaderboard.aspx
    AuthCode: =r71UdPhwOKndE6zlq3IbtQ__
    Bytes: D9C04A4564000000E986D804000038F3
    pos: 1
    after: 16
    type: supremecommander

Page: getleaderboard.aspx
    AuthCode: =573slAANsYkWWfHSZ]3nRQ__
    Bytes: DDC04A4564000000E986D80400009D0E
    pos: 1
    after: 17
    type: overallscore

Page: getleaderboard.aspx
    AuthCode: =xwvSSrv4jWRODAJoOYUyWg__
    Bytes: DEC04A4564000000E986D80400003E83
    pos: 1
    after: 17
    type: overallscore
    dogTagFilter: 1

Page: getleaderboard.aspx
    AuthCode: =HXhCZHo65c5AXXuM60N3Uw__
    Bytes: DFC04A4564000000E986D80400005FF8
    pos: 1
    after: 17
    type: overallscore
    ccFilter: US
    dogTagFilter: 1

Page: getleaderboard.aspx
    AuthCode: =HXhCZHo65c5AXXuM60N3Uw__
    Bytes: DFC04A4564000000E986D80400005FF8
    pos: 1
    after: 17
    type: overallscore
    ccFilter: US
    buddiesFilter: 81273635,81283179,81291832,81304838,81428658,82375860
    dogTagFilter: 1

Page: getleaderboard.aspx
    AuthCode: =uTjYQsrJoCkvQLylEqjcDg__
    Bytes: E0C04A4564000000E986D80400000A38
    pos: 1
    after: 17
    type: overallscore
    buddiesFilter: 81273635,81283179,81291832,81304838,81428658,82375860
    dogTagFilter: 1

Page: getleaderboard.aspx
    AuthCode: =8BD9spBro62fZmqYINs1mA__
    Bytes: E1C04A4564000000E986D80400006B43
    pos: 1
    after: 17
    type: overallscore
    buddiesFilter: 81273635,81283179,81291832,81304838,81428658,82375860

Page: getleaderboard.aspx
    AuthCode: =j9W06ypdAE0fFCQZfUTKvw__
    Bytes: E2C04A4564000000E986D8040000C8CE
    pos: 1
    after: 17
    type: overallscore
    buddiesFilter: 81273635,81283179,81291832,81304838,81428658,82375860
    dogTagFilter: 1

Page: getleaderboard.aspx
    AuthCode: =pKMbGGOafUqAmlXfxDqjSg__
    Bytes: E3C04A4564000000E986D8040000A9B5
    pos: 1
    after: 17
    type: overallscore
    dogTagFilter: 1

Page: getleaderboard.aspx
    AuthCode: =Vf]rIlm47PuyWHA5pblz3A__
    Bytes: E4C04A4564000000E986D8040000AFC5
    pos: 1
    after: 17
    type: overallscore
    ccFilter: US
    dogTagFilter: 1

Page: getleaderboard.aspx
    AuthCode: =D[Cerf]W5e6LKgHnQj[d7g__
    Bytes: E5C04A4564000000E986D8040000CEBE
    pos: 1
    after: 17
    type: overallscore
    ccFilter: US

Page: getleaderboard.aspx
    AuthCode: =l7PlctPECa5[VvW743D9QA__
    Bytes: E6C04A4564000000E986D80400006D33
    pos: 1
    after: 17
    type: overallscore
    ccFilter: US
    buddiesFilter: 81273635,81283179,81291832,81304838,81428658,82375860

Last edited by Craigins (02 Nov 2006 8:19 pm)

Offline
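The capture records in the post above, decoded field by field and grouped by their first 14 bytes, as an added example that is not part of the original thread. The field layout (little-endian timestamp, a constant 100, little-endian pid, a client/server flag byte, two trailing bytes) is an assumption drawn from the thread's own discussion, and the function names are hypothetical.

```python
import struct
from collections import defaultdict
from datetime import datetime, timezone

# Records copied from the captures posted above (not constructed).
CAPTURE = """\
Page: getleaderboard.aspx
    AuthCode: =hEeYdpzK5rnLdEbV]J1GhQ__
    Bytes: E0884A4564000000E986D80400008069
    pos: 1
    after: 17
    type: combatscore

Page: getplayerprogress.aspx
    AuthCode: =3cj84xBXa[XWSeF7Hx]5qw__
    Bytes: 90C04A4564000000E986D80400008D48
    mode: score
    scale: game

Page: getplayerprogress.aspx
    AuthCode: =3cj84xBXa[XWSeF7Hx]5qw__
    Bytes: 90C04A4564000000E986D80400008D48
    mode: ttp
    scale: game

Page: getleaderboard.aspx
    AuthCode: =r71UdPhwOKndE6zlq3IbtQ__
    Bytes: D9C04A4564000000E986D804000038F3
    pos: 1
    after: 17
    type: vehicle
    id: 0

Page: getleaderboard.aspx
    AuthCode: =r71UdPhwOKndE6zlq3IbtQ__
    Bytes: D9C04A4564000000E986D804000038F3
    pos: 1
    after: 16
    type: supremecommander
"""


def parse_records(text):
    """Split the 'Page: ...' blocks into dicts of field name -> value."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.strip().partition(": ")
            rec[key] = value
        records.append(rec)
    return records


def decode_token(hex_bytes):
    """Decode the 16 plaintext bytes using the layout assumed from the thread."""
    raw = bytes.fromhex(hex_bytes)
    if len(raw) != 16:
        raise ValueError("expected 16 bytes, got %d" % len(raw))
    ts, const, pid, flag, pad = struct.unpack_from("<IIIBB", raw, 0)
    return {
        "timestamp": ts,
        "utc": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "const": const,            # always 0x64 in these captures, meaning unknown
        "pid": pid,
        "flag": flag,              # 00 from client, 01 from server (posts #69/#70)
        "pad": pad,
        "prefix": raw[:14].hex().upper(),
        "trailer": raw[14:].hex().upper(),  # the two unexplained bytes
    }


def group_by_prefix(records):
    """Collect, per 14-byte prefix, the trailers seen and the distinct requests."""
    groups = defaultdict(lambda: {"trailers": set(), "requests": set()})
    for rec in records:
        tok = decode_token(rec["Bytes"])
        request = tuple(sorted((k, v) for k, v in rec.items()
                               if k not in ("AuthCode", "Bytes")))
        groups[tok["prefix"]]["trailers"].add(tok["trailer"])
        groups[tok["prefix"]]["requests"].add(request)
    return dict(groups)


def summarize(records):
    """Return (trailer is a function of the prefix, prefixes shared by >1 request)."""
    groups = group_by_prefix(records)
    consistent = all(len(g["trailers"]) == 1 for g in groups.values())
    reused = [p for p, g in groups.items() if len(g["requests"]) > 1]
    return consistent, reused


if __name__ == "__main__":
    recs = parse_records(CAPTURE)
    for r in recs:
        t = decode_token(r["Bytes"])
        print(r["Page"], t["utc"], "pid", t["pid"], "flag", t["flag"], "trailer", t["trailer"])
    print(summarize(recs))
```

Requests that share a timestamp carry the same token whatever the page or query parameters, so in these captures the two trailing bytes vary only with the first 14 bytes.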

 

#68 02 Nov 2006 10:50 pm

Tubar
Senior Member
From: Slovakia
Registered: Oct 2006
Posts: 26
Website

Re: bf2142 stat query protocol

Hi again, so here is the class source code and one example (same as on the web) for coding and decoding the auth key.

http://bf2142.bfstats.info/files/ea_support.zip

Now just one last thing: what are these last two bytes? :)

Offline

 

#69 02 Nov 2006 10:56 pm

Tubar
Senior Member
From: Slovakia
Registered: Oct 2006
Posts: 26
Website

Re: bf2142 stat query protocol

One question: were all your requests captured from the client? If yes, then in these last 4 bytes, the number 0100xxyy, the "01" for me and the "00" for you is, I think, just a flag for whether it is the client or the server. My requests are from the server, so it is "01".

Offline

 

#70 03 Nov 2006 1:04 am

MadHatter
Administrator
From: Dallas TX
Registered: Jun 2006
Posts: 529
Website

Re: bf2142 stat query protocol

Yes, I believe you are right.  00 from client, 01 from server.  Now for the last 2 bytes.

Here are the functions that build up the query string that is used in the query (I think I got the whole function; IDA builds out a call tree, so the code here was taken from each node in the call tree, assuming they represent a subroutine or function).  Perhaps yall can make better sense of this than I (this is generated from IDA Pro, so it looks a little different, but the addresses should let you step through it).

getawardsinfo: address 005AF988

Code:

005AF988
005AF988 loc_5AF988:
005AF988 lea     ecx, [esi+44h]
005AF98B call    sub_6037E0
005AF990 push    offset aGamespyauth ; "GameSpyAuth"
005AF995 lea     ecx, [ebp+var_58]
005AF998 call    ds:??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string<char,std::char_traits<char>,std::allocator<char>>(char const *)
005AF99E mov     ecx, dword_892F60
005AF9A4 mov     edx, [ecx]
005AF9A6 lea     eax, [ebp+var_58]
005AF9A9 push    eax
005AF9AA call    dword ptr [edx+48h]
005AF9AD lea     ecx, [ebp+var_58]
005AF9B0 mov     esi, eax
005AF9B2 call    ds:__imp_??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string<char,std::char_traits<char>,std::allocator<char>>(void)
005AF9B8 lea     ecx, [ebp+var_3C]
005AF9BB push    ecx
005AF9BC mov     ecx, edi
005AF9BE call    sub_542F00
005AF9C3 push    offset aGetawardsinfo_ ; "getawardsinfo.aspx?pid="
005AF9C8 push    eax
005AF9C9 lea     ecx, [ebp+var_74]
005AF9CC call    ds:??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string<char,std::char_traits<char>,std::allocator<char>>(basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string<char,std::char_traits<char>,std::allocator<char>> const &)
005AF9D2 mov     ecx, eax
005AF9D4 call    ds:??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator+=(char const *)
005AF9DA push    eax
005AF9DB lea     ecx, [ebp+var_20]
005AF9DE call    ds:??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string<char,std::char_traits<char>,std::allocator<char>>(basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string<char,std::char_traits<char>,std::allocator<char>> const &)
005AF9E4 lea     ecx, [ebp+var_74]
005AF9E7 call    ds:__imp_??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string<char,std::char_traits<char>,std::allocator<char>>(void)
005AF9ED lea     ecx, [ebp+var_3C]
005AF9F0 call    ds:__imp_??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string<char,std::char_traits<char>,std::allocator<char>>(void)
005AF9F6 mov     eax, dword ptr [ebp+arg_C]
005AF9F9 mov     edx, [esi]
005AF9FB push    eax
005AF9FC push    ebx
005AF9FD mov     ecx, esi
005AF9FF call    dword ptr [edx+10h]
005AFA02 push    eax
005AFA03 push    offset aAuth    ; "&auth="
005AFA08 push    ebx             ; char
005AFA09 lea     ecx, [ebp+var_3C]
005AFA0C push    offset aD_4     ; "%d"
005AFA11 push    ecx             ; int
005AFA12 call    sub_61E1A0
005AFA17 add     esp, 0Ch
005AFA1A push    eax
005AFA1B lea     ecx, [ebp+var_20]
005AFA1E call    ds:?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::append(std::basic_string<char,std::char_traits<char>,std::allocator<char>> const &)
005AFA24 mov     ecx, eax
005AFA26 call    ds:?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBD@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::append(char const *)
005AFA2C mov     ecx, eax
005AFA2E call    ds:?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::append(std::basic_string<char,std::char_traits<char>,std::allocator<char>> const &)
005AFA34 lea     ecx, [ebp+var_3C]
005AFA37 call    ds:__imp_??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string<char,std::char_traits<char>,std::allocator<char>>(void)
005AFA3D mov     edx, [ebp+arg_8]
005AFA40 push    edx
005AFA41 lea     eax, [ebp+var_20]
005AFA44 push    eax
005AFA45 mov     ecx, edi
005AFA47 call    sub_542AB0
005AFA4C test    al, al
005AFA4E pop     edi
005AFA4F lea     ecx, [ebp+var_20]
005AFA52 jnz     short loc_5AFA6C

getunlocksinfo: address 005B4B3A

Code:

005B4B3A
005B4B3A loc_5B4B3A:
005B4B3A lea     ecx, [ebp+var_74]
005B4B3D push    ecx
005B4B3E mov     ecx, esi
005B4B40 call    sub_542F00
005B4B45 push    offset aGetunlocksinfo ; "getunlocksinfo.aspx?"
005B4B4A push    eax
005B4B4B lea     ecx, [ebp+var_58]
005B4B4E call    ds:??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string<char,std::char_traits<char>,std::allocator<char>>(basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string<char,std::char_traits<char>,std::allocator<char>> const &)
005B4B54 mov     ecx, eax
005B4B56 call    ds:??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator+=(char const *)
005B4B5C push    eax
005B4B5D lea     ecx, [ebp+var_20]
005B4B60 call    ds:??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string<char,std::char_traits<char>,std::allocator<char>>(basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string<char,std::char_traits<char>,std::allocator<char>> const &)
005B4B66 lea     ecx, [ebp+var_58]
005B4B69 call    ds:__imp_??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string<char,std::char_traits<char>,std::allocator<char>>(void)
005B4B6F lea     ecx, [ebp+var_74]
005B4B72 call    ds:__imp_??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string<char,std::char_traits<char>,std::allocator<char>>(void)
005B4B78 mov     ecx, [ebp+arg_0]
005B4B7B mov     edx, [edi]
005B4B7D test    ebx, ebx
005B4B7F setnz   al
005B4B82 push    eax
005B4B83 push    ecx
005B4B84 mov     ecx, edi
005B4B86 call    dword ptr [edx+10h]
005B4B89 push    eax
005B4B8A push    offset aAuth    ; "&auth="
005B4B8F lea     ecx, [ebp+var_20]
005B4B92 call    ds:?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBD@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::append(char const *)
005B4B98 mov     ecx, eax
005B4B9A call    ds:?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::append(std::basic_string<char,std::char_traits<char>,std::allocator<char>> const &)
005B4BA0 mov     edx, [ebp+arg_4]
005B4BA3 push    edx
005B4BA4 lea     eax, [ebp+var_20]
005B4BA7 push    eax
005B4BA8 mov     ecx, esi
005B4BAA call    sub_542AB0
005B4BAF test    al, al
005B4BB1 pop     esi
005B4BB2 lea     ecx, [ebp+var_20]
005B4BB5 jnz     short loc_5B4BCF

getunlocksinfo: address 005B4C41

Code:

005B4C41
005B4C41 loc_5B4C41:
005B4C41 lea     ecx, [esi+4Ch]
005B4C44 mov     byte ptr [esi+64h], 1
005B4C48 call    sub_6037E0
005B4C4D push    offset aGamespyauth ; "GameSpyAuth"
005B4C52 lea     ecx, [ebp+var_3C]
005B4C55 call    ds:??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string<char,std::char_traits<char>,std::allocator<char>>(char const *)
005B4C5B mov     ecx, dword_892F60
005B4C61 mov     eax, [ecx]
005B4C63 lea     edx, [ebp+var_3C]
005B4C66 push    edx
005B4C67 call    dword ptr [eax+48h]
005B4C6A lea     ecx, [ebp+var_3C]
005B4C6D mov     esi, eax
005B4C6F call    ds:__imp_??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string<char,std::char_traits<char>,std::allocator<char>>(void)
005B4C75 lea     eax, [ebp+var_74]
005B4C78 push    eax
005B4C79 mov     ecx, edi
005B4C7B call    sub_542F00
005B4C80 push    offset aGetunlocksinfo ; "getunlocksinfo.aspx?"
005B4C85 push    eax
005B4C86 lea     ecx, [ebp+var_58]
005B4C89 call    ds:??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string<char,std::char_traits<char>,std::allocator<char>>(basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string<char,std::char_traits<char>,std::allocator<char>> const &)
005B4C8F mov     ecx, eax
005B4C91 call    ds:??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator+=(char const *)
005B4C97 push    eax
005B4C98 lea     ecx, [ebp+var_20]
005B4C9B call    ds:??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string<char,std::char_traits<char>,std::allocator<char>>(basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string<char,std::char_traits<char>,std::allocator<char>> const &)
005B4CA1 lea     ecx, [ebp+var_58]
005B4CA4 call    ds:__imp_??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string<char,std::char_traits<char>,std::allocator<char>>(void)
005B4CAA lea     ecx, [ebp+var_74]
005B4CAD call    ds:__imp_??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string<char,std::char_traits<char>,std::allocator<char>>(void)
005B4CB3 mov     eax, [ebp+arg_0]
005B4CB6 mov     edx, [esi]
005B4CB8 push    0
005B4CBA push    eax
005B4CBB mov     ecx, esi
005B4CBD call    dword ptr [edx+10h]
005B4CC0 push    eax
005B4CC1 push    offset aAuth    ; "&auth="
005B4CC6 lea     ecx, [ebp+var_20]
005B4CC9 call    ds:?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBD@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::append(char const *)
005B4CCF mov     ecx, eax
005B4CD1 call    ds:?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::append(std::basic_string<char,std::char_traits<char>,std::allocator<char>> const &)
005B4CD7 push    ebx
005B4CD8 lea     ecx, [ebp+var_20]
005B4CDB push    ecx
005B4CDC mov     ecx, edi
005B4CDE call    sub_542AB0
005B4CE3 test    al, al
005B4CE5 pop     edi
005B4CE6 pop     esi
005B4CE7 pop     ebx
005B4CE8 lea     ecx, [ebp+var_20]
005B4CEB jnz     short loc_5B4D03

playersearch: address 005B6648

Code:

005B6648
005B6648 loc_5B6648:
005B6648 lea     ecx, [esi+44h]
005B664B call    sub_6037E0
005B6650 push    offset aGamespyauth ; "GameSpyAuth"
005B6655 lea     ecx, [ebp+var_58]
005B6658 call    ds:??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string<char,std::char_traits<char>,std::allocator<char>>(char const *)
005B665E mov     ecx, dword_892F60
005B6664 mov     eax, [ecx]
005B6666 lea     edx, [ebp+var_58]
005B6669 push    edx
005B666A call    dword ptr [eax+48h]
005B666D lea     ecx, [ebp+var_58]
005B6670 mov     esi, eax
005B6672 call    ds:__imp_??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string<char,std::char_traits<char>,std::allocator<char>>(void)
005B6678 lea     eax, [ebp+var_3C]
005B667B push    eax
005B667C mov     ecx, edi
005B667E call    sub_542F00
005B6683 push    offset aPlayersearch_a ; "playersearch.aspx?nick="
005B6688 push    eax
005B6689 lea     ecx, [ebp+var_74]
005B668C call    ds:??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string<char,std::char_traits<char>,std::allocator<char>>(basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string<char,std::char_traits<char>,std::allocator<char>> const &)
005B6692 mov     ecx, eax
005B6694 call    ds:??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator+=(char const *)
005B669A push    eax
005B669B lea     ecx, [ebp+var_20]
005B669E call    ds:??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string<char,std::char_traits<char>,std::allocator<char>>(basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string<char,std::char_traits<char>,std::allocator<char>> const &)
005B66A4 lea     ecx, [ebp+var_74]
005B66A7 call    ds:__imp_??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string<char,std::char_traits<char>,std::allocator<char>>(void)
005B66AD lea     ecx, [ebp+var_3C]
005B66B0 call    ds:__imp_??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string<char,std::char_traits<char>,std::allocator<char>>(void)
005B66B6 mov     edx, [esi]
005B66B8 push    0
005B66BA push    0
005B66BC mov     ecx, esi
005B66BE call    dword ptr [edx+10h]
005B66C1 mov     ebx, [ebp+arg_0]
005B66C4 push    eax
005B66C5 push    offset aAuth    ; "&auth="
005B66CA lea     eax, [ebp+var_3C]
005B66CD push    eax
005B66CE call    sub_5B64F0
005B66D3 push    eax
005B66D4 lea     ecx, [ebp+var_20]
005B66D7 call    ds:?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::append(std::basic_string<char,std::char_traits<char>,std::allocator<char>> const &)
005B66DD mov     ecx, eax
005B66DF call    ds:?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBD@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::append(char const *)
005B66E5 mov     ecx, eax
005B66E7 call    ds:?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::append(std::basic_string<char,std::char_traits<char>,std::allocator<char>> const &)
005B66ED lea     ecx, [ebp+var_3C]
005B66F0 call    ds:__imp_??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string<char,std::char_traits<char>,std::allocator<char>>(void)
005B66F6 mov     ecx, [ebp+arg_8]
005B66F9 push    ecx
005B66FA lea     edx, [ebp+var_20]
005B66FD push    edx
005B66FE mov     ecx, edi
005B6700 call    sub_542AB0
005B6705 test    al, al
005B6707 pop     edi
005B6708 pop     esi
005B6709 pop     ebx
005B670A lea     ecx, [ebp+var_20]
005B670D jnz     short loc_5B6725

getplayerprogress: address 005B84D1

Code:

005B84D1
005B84D1 loc_5B84D1:
005B84D1 lea     ecx, [edi+44h]
005B84D4 call    sub_6037E0
005B84D9 mov     eax, [edi+68h]
005B84DC mov     ecx, [eax+4]
005B84DF lea     esi, [edi+64h]
005B84E2 push    ecx
005B84E3 mov     ecx, esi
005B84E5 call    sub_5B95B0
005B84EA mov     eax, [esi+4]
005B84ED mov     edx, [ebp+arg_0]
005B84F0 mov     [eax+4], eax
005B84F3 mov     eax, [esi+4]
005B84F6 mov     dword ptr [esi+8], 0
005B84FD mov     [eax], eax
005B84FF mov     esi, [esi+4]
005B8502 mov     eax, [ebp+arg_8]
005B8505 mov     [esi+8], esi
005B8508 push    offset aGamespyauth ; "GameSpyAuth"
005B850D lea     ecx, [ebp+var_3C]
005B8510 mov     [edi+54h], edx
005B8513 mov     [edi+58h], ebx
005B8516 mov     [edi+5Ch], eax
005B8519 mov     dword ptr [edi+60h], 0FFFFFFFFh
005B8520 call    ds:??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string<char,std::char_traits<char>,std::allocator<char>>(char const *)
005B8526 mov     ecx, dword_892F60
005B852C mov     edx, [ecx]
005B852E lea     eax, [ebp+var_3C]
005B8531 push    eax
005B8532 call    dword ptr [edx+48h]
005B8535 lea     ecx, [ebp+var_3C]
005B8538 mov     esi, eax
005B853A call    ds:__imp_??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string<char,std::char_traits<char>,std::allocator<char>>(void)
005B8540 mov     edi, [ebp+arg_4]
005B8543 lea     ecx, [ebp+var_74]
005B8546 push    ecx
005B8547 mov     ecx, edi
005B8549 call    sub_542F00
005B854E push    offset aGetplayerprogr ; "getplayerprogress.aspx"
005B8553 push    eax
005B8554 lea     ecx, [ebp+var_58]
005B8557 call    ds:??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string<char,std::char_traits<char>,std::allocator<char>>(basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string<char,std::char_traits<char>,std::allocator<char>> const &)
005B855D mov     ecx, eax
005B855F call    ds:??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator+=(char const *)
005B8565 push    eax
005B8566 lea     ecx, [ebp+var_20]
005B8569 call    ds:??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string<char,std::char_traits<char>,std::allocator<char>>(basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string<char,std::char_traits<char>,std::allocator<char>> const &)
005B856F lea     ecx, [ebp+var_58]
005B8572 call    ds:__imp_??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string<char,std::char_traits<char>,std::allocator<char>>(void)
005B8578 lea     ecx, [ebp+var_74]
005B857B call    ds:__imp_??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string<char,std::char_traits<char>,std::allocator<char>>(void)
005B8581 mov     eax, [ebp+arg_0]
005B8584 mov     edx, [esi]
005B8586 push    0
005B8588 push    eax
005B8589 mov     ecx, esi
005B858B call    dword ptr [edx+10h]
005B858E push    eax
005B858F mov     eax, [ebp+arg_8]
005B8592 lea     ecx, ds:0[eax*8]
005B8599 sub     ecx, eax
005B859B push    offset aAuth    ; "&auth="
005B85A0 lea     edx, unk_88B4D8[ecx*4]
005B85A7 push    edx
005B85A8 lea     eax, ds:0[ebx*8]
005B85AF sub     eax, ebx
005B85B1 push    offset aScale_0 ; "&scale="
005B85B6 lea     ecx, unk_88B548[eax*4]
005B85BD push    ecx
005B85BE push    offset a?mode   ; "?mode="
005B85C3 lea     ecx, [ebp+var_20]
005B85C6 call    ds:?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBD@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::append(char const *)
005B85CC mov     ecx, eax
005B85CE call    ds:?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::append(std::basic_string<char,std::char_traits<char>,std::allocator<char>> const &)
005B85D4 mov     ecx, eax
005B85D6 call    ds:?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBD@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::append(char const *)
005B85DC mov     ecx, eax
005B85DE call    ds:?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::append(std::basic_string<char,std::char_traits<char>,std::allocator<char>> const &)
005B85E4 mov     ecx, eax
005B85E6 call    ds:?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBD@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::append(char const *)
005B85EC mov     ecx, eax
005B85EE call    ds:?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@@Z ; std::basic_string<char,std::char_traits<char>,std::allocator<char>>::append(std::basic_string<char,std::char_traits<char>,std::allocator<char>> const &)
005B85F4 push    1
005B85F6 lea     edx, [ebp+var_20]
005B85F9 push    edx
005B85FA mov     ecx, edi
005B85FC call    sub_542AB0
005B8601 test    al, al
005B8603 pop     esi
005B8604 lea     ecx, [ebp+var_20]
005B8607 jnz     short loc_5B8621

There are a few more, but they don't have anything to do w/ stats (they have to do w/ sending info like unlock or rank up and so on).


I'll wander through these functions tomorrow.


NICE WORK ON THE ENCODING / DECODING CODE TUBAR!!!

so I take it from the fact that you coded everything out by hand that the encryption algorithm is not Rijndael?

Offline

 

#71 03 Nov 2006 1:23 am

Tubar
Senior Member
From: Slovakia
Registered: Oct 2006
Posts: 26
Website

Re: bf2142 stat query protocol

MadHatter :

so I take it from the fact that you coded everything out by hand that the encryption algorithm is not Rijndael?

No, the algorithm IS true Rijndael :)
But they use their own key coding and their own hash coding/encoding table, not the standard one.

Last edited by Tubar (03 Nov 2006 1:24 am)

Offline

 

#72 03 Nov 2006 1:27 am

Tubar
Senior Member
From: Slovakia
Registered: Oct 2006
Posts: 26
Website

Re: bf2142 stat query protocol

Small off-topic: does somebody have a table of unlocks from stella-gamespy to the real unlocks in BF2142?
I mean, which number is for which unlock from getunlocksinfo.aspx?

For example: D\t211\n  211 - what is this unlock (kit, weapon)?

PS: I'll try over the weekend to find the formula to generate these last two bytes.

Offline

 

#73 03 Nov 2006 6:21 am

Craigins
Extreme Member
From: Chicago, IL
Registered: Oct 2006
Posts: 58
Website

Re: bf2142 stat query protocol

and yes my info came from the client request not the server.

Tonight I'll see if I can figure out the unlock number and what it means.  Probably the same with awards.

Offline

 

#74 03 Nov 2006 6:59 am

Dok
New Member
Registered: Nov 2006
Posts: 3

Re: bf2142 stat query protocol

Tubar :

Small off-topic: does somebody have a table of unlocks from stella-gamespy to the real unlocks in BF2142?
I mean, which number is for which unlock from getunlocksinfo.aspx?

For example: D\t211\n  211 - what is this unlock (kit, weapon)?

PS: I'll try over the weekend to find the formula to generate these last two bytes.

Finally something I can contribute with.  ;)

As per Battlefield2142\mods\bf2142\Localization\strings.cvs  (in all different languages as well, if you'd prefer something non-english)

NAME_UNLOCK_111    APM
NAME_UNLOCK_112    DysTek Hi-Scope x4
NAME_UNLOCK_113    Gruber 5 Stabilizer
NAME_UNLOCK_114    Zeller-H Advanced Sniper Rifle
NAME_UNLOCK_121    RDX DemoPak
NAME_UNLOCK_122    NetBat™ Fade Delay
NAME_UNLOCK_123    IT-33 Active Camouflage
NAME_UNLOCK_124    Lambert Carbine
NAME_UNLOCK_211    Herzog AR-Shotgun
NAME_UNLOCK_212    NetBat™ Infantry ID
NAME_UNLOCK_213    PK-74 AR-Rocket
NAME_UNLOCK_214    Baur H-AR
NAME_UNLOCK_221    AED-6 Defibrillator
NAME_UNLOCK_222    Advanced Med Hub
NAME_UNLOCK_223    SG-34 Grenade
NAME_UNLOCK_224    Voss L-AR
NAME_UNLOCK_311    AE Defuser
NAME_UNLOCK_312    NetBat™ Vehicle ID
NAME_UNLOCK_313    PDS-1
NAME_UNLOCK_314    Pilum H-AVR
NAME_UNLOCK_321    II-14 EMP
NAME_UNLOCK_322    DysTek Repair v2.0
NAME_UNLOCK_323    II-29 Motion Mine
NAME_UNLOCK_324    SAAW 86 Anti-Air
NAME_UNLOCK_411    V5 EMP Grenade
NAME_UNLOCK_412    NetBat™ Active Camo ID
NAME_UNLOCK_413    A12 Enforcer Sentry Gun
NAME_UNLOCK_414    Ganz HMG
NAME_UNLOCK_421    IPS Shield
NAME_UNLOCK_422    Advanced Ammo Hub
NAME_UNLOCK_423    DysTek Pulse Meter
NAME_UNLOCK_424    Clark 15B Shotgun
NAME_UNLOCK_511    FRG-1 Grenade
NAME_UNLOCK_512    Sprintcor 20 Enhanced Endurance
NAME_UNLOCK_513    Staminar 9 Recovery System
NAME_UNLOCK_514    MaxClip
NAME_UNLOCK_515    Extra Grenade
NAME_UNLOCK_521    SLSB
NAME_UNLOCK_522    RD-4 Otus
NAME_UNLOCK_523    SD-8 Accipiter

Also there's a DESCRIPTION_UNLOCK_xxx if you want to read about the unlocks.

As far as the numbering system goes:

NAME_UNLOCK_xyz
x = category (1=Sniper, 2=Assault, 3=Engineer, 4=Support, 5=General)
y = unlock path (1=first unlock path, 2=second unlock path)
z = order (1=first to unlock, etc)

Same file for awards:

AWARD_NAME_100_1    Support Service Badge
AWARD_NAME_101_1    Recon Service Badge
AWARD_NAME_102_1    Assault Service Badge
AWARD_NAME_103_1    Engineer Service Badge
AWARD_NAME_104_1    Squad Leader Badge
AWARD_NAME_105_1    Collectors Badge
AWARD_NAME_106_1    Pistol Commendation Badge
AWARD_NAME_107_1    Explosive Gallantry Badge
AWARD_NAME_108_1    Air Defense Badge
AWARD_NAME_109_1    Commander Excellence Badge
AWARD_NAME_110_1    Titan Commander Badge
AWARD_NAME_111_1    Engineer Excellence Badge
AWARD_NAME_112_1    Medic Excellence Badge
AWARD_NAME_113_1    Resupply Service Badge
AWARD_NAME_114_1    Armor Service Badge 
AWARD_NAME_115_1    Aircraft Service Badge
AWARD_NAME_116_1    Transport Service Badge
AWARD_NAME_117_1    Titan Combat Excellence Badge
AWARD_NAME_118_1    Titan Defense Excellence Badge
AWARD_NAME_119_1    Titan Destruction Achievement Badge
AWARD_NAME_200    Bronze Star
AWARD_NAME_201    Silver Star
AWARD_NAME_202    Gold Star
AWARD_NAME_203    Distinguished Service Medal
AWARD_NAME_204    Infantry Combat Medal
AWARD_NAME_205    Meritorious Infantry Combat Medal
AWARD_NAME_206    Infantry Combat of Merit Medal
AWARD_NAME_207    Medal of Gallantry
AWARD_NAME_208    European Honorific Cross
AWARD_NAME_209    Distinguished Pan Asian Star
AWARD_NAME_210    Meritorious Conquest Medal
AWARD_NAME_211    Meritorious Titan Medal
AWARD_NAME_212    Aircraft Combat Medal
AWARD_NAME_213    Armor Service Medal
AWARD_NAME_214    Good Conduct Medal
AWARD_NAME_215    Honorable Service Medal
AWARD_NAME_216    Purple Heart
AWARD_NAME_217    Air Transport Transfer Medal
AWARD_NAME_218    Titan Medallion
AWARD_NAME_219    Ground Base Medallion
AWARD_NAME_300    Air Defense Ribbon
AWARD_NAME_301    Aircraft Service Ribbon
AWARD_NAME_302    HALO Ribbon
AWARD_NAME_303    Infantry Officer Ribbon
AWARD_NAME_304    Combat Commander Ribbon
AWARD_NAME_305    Distinguished Unit Service Ribbon
AWARD_NAME_306    Meritorious Unit Service Ribbon
AWARD_NAME_307    Valorous Unit Service Ribbon
AWARD_NAME_308    War College Ribbon
AWARD_NAME_309    Armored Service Ribbon
AWARD_NAME_310    Crew Service Ribbon
AWARD_NAME_311    Pac Duty Ribbon
AWARD_NAME_312    European Duty Ribbon
AWARD_NAME_313    Soldier Merit Ribbon
AWARD_NAME_314    Good Conduct Ribbon
AWARD_NAME_315    Legion Of Merit Ribbon
AWARD_NAME_316    Ground Base Defense Ribbon
AWARD_NAME_317    Aerial Service Ribbon
AWARD_NAME_318    Titan Aerial Defense Ribbon
AWARD_NAME_319    Titan Commander Ribbon
AWARD_NAME_400    Combat Efficiency Pin
AWARD_NAME_401    Distinguished Combat Efficiency Pin
AWARD_NAME_402    Problem solver Pin
AWARD_NAME_403    Titan Destructor Pin
AWARD_NAME_404    Troop Transporter Pin
AWARD_NAME_406    Titan Defender Pin
AWARD_NAME_407    Infiltrator Pin   
AWARD_NAME_408    Wheels of Hazard Pin
AWARD_NAME_409    Collectors Pin
AWARD_NAME_410    Explosive Efficiency Pin
AWARD_NAME_411    Emergency Rescue Pin
AWARD_NAME_412    Titan survival Pin
AWARD_NAME_413    Firearm Efficiency Pin
AWARD_NAME_414    Clear skies Pin
AWARD_NAME_415    Close Combat Pin

And from that, we can determine:
AWARD_NAME_xyy_z
x = award type (1=badge, 2=medal, 3=ribbon, 4=pin)
yy = award id
z = badge level (1=basic, 2=veteran, 3=expert)

The Award_Criteria (in the Localization file) matches up with the results from /getbackendinfo.aspx:

awards.setData 106_3 "6,7, ,18" "1,7,wkls-5;wkls-11,300"
106_3 = award name
"6,7, ,18" "1,7,wkls-5;wkls-11,300" = requirements (quote separated)
1 = type of data (see below)
7 = award criteria name (see localization file)
wkls-5;wkls-11 = variable (optional)  (; means add values)
300 = requirement

types of data:
1= global number (scores, kills, etc)
3= global number (scores, kills, etc)
5= award requirement (like basic badge)
6= per round number (scores, kills, etc)
9= global time (hours)
10= per round time (minutes)
11= global time (hours)


I still prefer the medal_data file from ranked servers, as it's more detailed.  http://files.filefront.com//;6126188;;/  (I just barely uploaded it and am unsure how fast filefront distributes to its mirrors)

Last edited by Dok (03 Nov 2006 7:53 am)

Offline
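Added example (not code from any poster in this thread): a Python sketch that decodes the unlock and award numbering described in the post above and splits an `awards.setData` line into its requirements. The function names are made up for illustration, and the four-field comma-separated requirement layout is an assumption drawn from the single sample line in the post.

```python
import re
import shlex

# Lookup tables transcribed from the post above.
UNLOCK_CATEGORY = {1: "Sniper", 2: "Assault", 3: "Engineer", 4: "Support", 5: "General"}
AWARD_TYPE = {1: "badge", 2: "medal", 3: "ribbon", 4: "pin"}
BADGE_LEVEL = {1: "basic", 2: "veteran", 3: "expert"}
DATA_TYPE = {1: "global number", 3: "global number", 5: "award requirement",
             6: "per round number", 9: "global time (hours)",
             10: "per round time (minutes)", 11: "global time (hours)"}

def decode_unlock(code):
    """NAME_UNLOCK_xyz: x = category, y = unlock path, z = order."""
    m = re.fullmatch(r"([1-5])([12])([1-9])", str(code).strip())
    if not m:
        raise ValueError(f"not an xyz unlock number: {code!r}")
    x, y, z = (int(g) for g in m.groups())
    return {"category": UNLOCK_CATEGORY[x], "path": y, "order": z}

def decode_award(code):
    """AWARD_NAME_xyy_z: x = type, yy = id, z = badge level (badges only)."""
    m = re.fullmatch(r"([1-4])(\d{2})(?:_([1-3]))?", code.strip())
    if not m:
        raise ValueError(f"not an xyy[_z] award code: {code!r}")
    x, yy, z = m.groups()
    return {"type": AWARD_TYPE[int(x)], "id": int(yy),
            "level": BADGE_LEVEL[int(z)] if z else None}

def parse_requirement(text):
    """Assumed layout: type,criteria,variable(optional),requirement."""
    parts = [p.strip() for p in text.split(",")]
    if len(parts) != 4:
        raise ValueError(f"expected 4 comma-separated fields: {text!r}")
    dtype, criteria, variable, required = parts
    return {"data_type": DATA_TYPE.get(int(dtype), "unknown"),
            "criteria": criteria,
            # ';' joins variables whose values are added together
            "variables": [v for v in variable.split(";") if v],
            "required": int(required)}

def parse_set_data(line):
    """Split one awards.setData line into award code and requirements."""
    tokens = shlex.split(line)  # honours the double-quoted fields
    if len(tokens) < 3 or tokens[0] != "awards.setData":
        raise ValueError(f"not an awards.setData line: {line!r}")
    return {"award": decode_award(tokens[1]),
            "requirements": [parse_requirement(t) for t in tokens[2:]]}

# The sample line quoted in the post above.
SAMPLE = 'awards.setData 106_3 "6,7, ,18" "1,7,wkls-5;wkls-11,300"'
```

Calling `parse_set_data(SAMPLE)` yields the expert-level badge 06 with one per-round requirement of 18 and one global requirement of 300 over `wkls-5` plus `wkls-11`.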

 

#75 03 Nov 2006 8:29 am

Tubar
Senior Member
From: Slovakia
Registered: Oct 2006
Posts: 26
Website

Re: bf2142 stat query protocol

Dok :

...

Many thx.

Offline

 



© 2003 - 2018 NullFX
Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License