I get rejected with 0x51 packets. It gives me 0x101 in the s->c return. I am running essentially the DataHash function from prolix... and I don't believe that's the problem. I think maybe my cd key decoder is screwed up. I am using it directly from prolix, with a few compatibility adjustments. There was one line in the getcdvariables function (also from prolix, essentially) which required strcasecmp() which I don't have, so I just changed it to strcmp(). That's bothering me... because I think it may be the problem. Also, I need to make sure I'm getting the proper server token - that is bothering me as well. I'm trying to get it from the 2nd DWORD (bytes 8-11) of 0x50. Is that proper?
thanks for help.
Everything static appears to be included in the packet, but I KEEP getting the same 0x101
I NEED HELP!!!!!
thanks
post a packet log of the 0x51 you sent (minus cd key hash of course :))
Quote from: Camel on June 17, 2003, 06:31 PM
post a packet log of the 0x51 you sent (minus cd key hash of course :))
Would it be feasible to even attempt to brute force the hash?
Quote from: kamakazie on June 17, 2003, 07:23 PM
Would it be feasible to even attempt to brute force the hash?
Well, assuming one had all of the correct codes and ONLY the five seeds were off, that would be 160 bits to mess with. That's about 1.46E48 different combinations. I'm not even going to attempt to calculate the odds if the operations aren't correct.
Quote from: kamakazie on June 17, 2003, 07:23 PM
Would it be feasible to even attempt to brute force the hash?
Well, 0x51 includes the product id and value 1, so you would only need to brute force value 2. I've done it before; it doesn't take that long. In fact that's how eurijk started with his cdkey decoder.
Quote from: c0ol on June 18, 2003, 12:43 AM
Well, 0x51 includes the product id and value 1, so you would only need to brute force value 2. I've done it before; it doesn't take that long. In fact that's how eurijk started with his cdkey decoder.
What about the server salt?
Quote from: kamakazie on June 18, 2003, 01:34 AM
What about the server salt?
why would one brute the salt? or should i ask, HOW would one brute the salt?
Public Function HashPass(ByVal password As String, Key As Long, seed As Long, prependkey As Boolean) As String
    Dim hashout As String * 20
    ' Pass 1: hash the password on its own (CalcHashBuf returns the 20-byte digest)
    hashout = CalcHashBuf(password)
    ' Pass 2: hash the client seed, the server key and the first digest together;
    ' MKL() packs a Long as four little-endian bytes
    HashPass = MKL(seed) & MKL(Key)
    ' Prefix the digest with seed+key, or with the seed alone when the key is not sent
    HashPass = IIf(prependkey, HashPass, MKL(seed)) & CalcHashBuf(HashPass & hashout)
End Function

obviously that is vb, but it's the concept that counts
btw, the reason prependkey is there is because sometimes the key isn't sent with the hash (realm login)
Quote from: Camel on June 18, 2003, 12:46 PM
why would one brute the salt? or should i ask, HOW would one brute the salt?
Public Function HashPass(ByVal password As String, Key As Long, seed As Long, prependkey As Boolean) As String
    Dim hashout As String * 20
    hashout = CalcHashBuf(password)
    HashPass = MKL(seed) & MKL(Key)
    HashPass = IIf(prependkey, HashPass, MKL(seed)) & CalcHashBuf(HashPass & hashout)
End Function
obviously that is vb, but it's the concept that counts
btw, the reason prependkey is there is because sometimes the key isn't sent with the hash (realm login)
What does hashing passwords have anything to do with hashing a cdkey?
My point was, since there is a salt this makes the attempt to brute force the hash (looking for value2 and the server salt - which we don't know since he's only telling us the contents of SID_AUTH_CHECK he sent) much more difficult. The structure for hashing a cdkey is as follows:
** Indicates which values we know.
(DWORD) Client Salt **
(DWORD) Server Salt
(DWORD) ProgramId (decoded from CDKey) **
(DWORD) Value 1 (decoded from CDKey) **
(DWORD) 0 **
(DWORD) Value 2 (decoded from CDKey)
Is there something wrong I'm not seeing?
Quote from: kamakazie on June 18, 2003, 04:47 PM
What does hashing passwords have anything to do with hashing a cdkey?
It's basically the same idea and I didn't want to post the answer, but since you already did...
' Key data block for SID_AUTH_CHECK (0x51): four DWORDs in the clear, then the
' 20-byte digest. seed is the client token, ServerHash the server token from
' SID_AUTH_INFO (already a 4-byte string here, so no MKL); Val2 only ever
' appears inside the digest.
HashThisCDKey = _
    MKL(Len(CDKey)) & _
    MKL(ProductID) & _
    MKL(Val1) & _
    MKL(0) & _
    CalcHashBuf( _
        MKL(seed) & _
        ServerHash & _
        MKL(ProductID) & _
        MKL(Val1) & _
        MKL(0) & _
        MKL(Val2))
Camel, you're lost and frankly it seems like you don't know what you're talking about.
c0ol, how long does it take him to brute value2 + the server salt? I'm just wondering if this is worth anyone's time to do.
Isn't all this moot anyway? Retrieving the actual key from the decoded values is probably impractical, and using the values directly is just ew. Seems like a lot less effort just to go to the store and write a cdkey down from the back of the manual - especially since they so kindly break the seal so people can't steal the disc.
Quote from: kamakazie on June 18, 2003, 06:58 PM
Camel, you're lost and frankly it seems like you don't know what you're talking about.
c0ol, how long does it take him to brute value2 + the server salt? I'm just wondering if this is worth anyone's time to do.
I didn't see c0ol's post until after I posted, so I misunderstood the question.
Quote from: Arta[vL] on June 19, 2003, 05:42 PM
Isn't all this moot anyway? Retrieving the actual key from the decoded values is probably impractical, and using the values directly is just ew. Seems like a lot less effort just to go to the store and write a cdkey down from the back of the manual - especially since they so kindly break the seal so people can't steal the disc.
Retrieving the actual key from the decoded values is very easy, comparable to decoding the key in the first place. Not a big brute force task or anything like that. What game is this about? What's the size of val2?
Hey guys,
I've been out for a little while; that's why I haven't said anything (been in Alaska =o).
Anyway, I believe i have everything correct EXCEPT for the hash, and thus i believe that I am doing something incorrect with the hash.
I know I am hashing the right theoretical values (in the proper order, and all), but what I do not know is
1) The server token. I think I have this right, but can someone pinpoint exactly where it is? I believe i posted my original thoughts about it in the first post.
2) If it's not the server token, and I have all the other values correct, what could it be?
Oh, didn't realise that. Assumed decoding was comparable to hashing.
This is Starcraft, both values are DWORDs.
Quote from: Adron on June 21, 2003, 09:49 AM
Retrieving the actual key from the decoded values is very easy, comparable to decoding the key in the first place. Not a big brute force task or anything like that. What game is this about? What's the size of val2?
Really? Seems like re-encoding a cdkey would be fairly difficult...
Quote from: kamakazie on June 18, 2003, 06:58 PM
how long does it take him to brute value2 + the server salt? I'm just wondering if this is worth anyone's time to do.
(System: Athlon XP 2000+, 512mb RAM)
Did a test with my own Diablo 2 cd key from an old packet log. Since they included the server token, brute forcing just value 2 didn't take *that* long. My program took 16.2 seconds to try 0x01000000 values, so it would take around 1 hour and 17 minutes to try all the possible values. Wouldn't even want to guess if it didn't include the server token.
Well, it's not even that hard. If this is Starcraft, the unknown is just three decimal digits. Say 10 bits. The server seed is 32 bits. Total 42 bits, or 4.4e12 operations. Running at 1 GHz thus a bit over 1 hour worst case time for each cpu cycle/loop your optimized brute forcing algorithm needs.
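Editor's added example, not code from any poster in this thread: it puts the key-data layout kamakazie and Camel describe, the value-2 brute force c0ol, kamakazie and Adron discuss, and the original poster's question about where the server token sits in 0x50 into one runnable Python script. The digest is the community-documented Blizzard "broken SHA-1" (the XSHA1 routine that BNCSutil calls calcHashBuf and the VB above calls CalcHashBuf); its round logic here is written from memory and is an assumption, so check it against a real packet log before trusting it. The 0x50 layout (header, logon type, server token, UDP value, filetime, filename, value string) is as documented on BNetDocs; all tokens, key values and the sample 0x50 packet are constructed, not captured.

```python
# Added example (not from any poster in this thread): the 0x51 key-data layout
# kamakazie and Camel describe, the value-2 brute force c0ol/kamakazie/Adron
# discuss, and where the server token sits in 0x50.  The hash routine is the
# community-documented Blizzard "broken SHA-1" (XSHA1, BNCSutil's calcHashBuf);
# its round logic here is written from memory and is an ASSUMPTION to check
# against a real packet log before trusting it.
import struct

MASK = 0xFFFFFFFF


def rol(x, n):
    """32-bit rotate left; the shift count is taken mod 32 like x86 ROL."""
    n &= 31
    return ((x << n) | (x >> (32 - n))) & MASK


def xsha1(data: bytes) -> bytes:
    """Blizzard 'broken SHA-1': words are little-endian, the last block is only
    zero-filled (no 0x80 / length padding), and the message schedule computes
    ROL(1, w & 0x1F) instead of ROL(w, 1).  Returns 20 bytes, little-endian."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    for pos in range(0, len(data), 64):
        chunk = data[pos:pos + 64].ljust(64, b"\0")
        w = list(struct.unpack("<16I", chunk)) + [0] * 64
        for i in range(16, 80):
            w[i] = rol(1, w[i - 16] ^ w[i - 8] ^ w[i - 14] ^ w[i - 3])
        a, b, c, d, e = h
        for i in range(80):
            if i < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif i < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif i < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            a, b, c, d, e = (rol(a, 5) + f + e + k + w[i]) & MASK, a, rol(b, 30), c, d
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e))]
    return struct.pack("<5I", *h)


def cdkey_hash(client_token, server_token, product, val1, val2):
    """Digest input in the order the thread lists: client salt, server salt,
    product id, value 1, 0, value 2, each a little-endian DWORD."""
    return xsha1(struct.pack("<6I", client_token, server_token, product, val1, 0, val2))


def key_data(client_token, server_token, key_len, product, val1, val2):
    """Per-key block in SID_AUTH_CHECK: key length, product id, value 1 and 0
    in the clear, then the 20-byte digest.  Value 2 never appears in the clear."""
    return struct.pack("<4I", key_len, product, val1, 0) + cdkey_hash(
        client_token, server_token, product, val1, val2)


def parse_key_data(blob):
    """Split a logged key-data block into (key_len, product, val1, digest)."""
    key_len, product, val1, _zero = struct.unpack_from("<4I", blob)
    return key_len, product, val1, blob[16:36]


def brute_force_val2(client_token, server_token, product, val1, digest, limit=1 << 32):
    """Recover value 2 from a logged 0x51: everything else in the digest input
    is known (client token from the log, server token from 0x50, product and
    value 1 in the clear).  `limit` bounds the search; Adron's point is that a
    Starcraft value 2 is only three decimal digits, so limit=1000 covers it."""
    for cand in range(limit):
        if cdkey_hash(client_token, server_token, product, val1, cand) == digest:
            return cand
    return None


def server_token_from_auth_info(pkt):
    """SID_AUTH_INFO (0x50) S->C starts FF 50 <len:2> <logon type:4> <server
    token:4> ..., so the token is the DWORD at bytes 8-11 counting the header
    (layout as documented on BNetDocs)."""
    if len(pkt) < 12 or pkt[0] != 0xFF or pkt[1] != 0x50:
        raise ValueError("not a SID_AUTH_INFO packet")
    if struct.unpack_from("<H", pkt, 2)[0] != len(pkt):
        raise ValueError("packet length field does not match buffer")
    return struct.unpack_from("<I", pkt, 8)[0]


def sample_auth_info(server_token):
    """A constructed 0x50 (not a real capture): logon type 2, the given token,
    UDP value 0, an 8-byte filetime, then the MPQ filename and value string."""
    body = (struct.pack("<III", 2, server_token, 0) + b"\0" * 8
            + b"ver-IX86-1.mpq\0" + b"A=1 B=2 C=3 4 A=A^S B=B-C C=C+A A=A^B\0")
    return b"\xFF\x50" + struct.pack("<H", 4 + len(body)) + body


if __name__ == "__main__":
    # Constructed values: a 13-character key decoding to product 1, value 1 1234, value 2 567.
    ct, st = 0x11111111, server_token_from_auth_info(sample_auth_info(0xDEADBEEF))
    blob = key_data(ct, st, 13, 1, 1234, 567)
    key_len, product, val1, digest = parse_key_data(blob)
    print("recovered value 2:", brute_force_val2(ct, st, product, val1, digest, limit=1000))
```

Two things the script makes concrete. First, the only secret in the 0x51 key data is value 2: key length, product id and value 1 travel in the clear, the client token is in the same log, and the server token is in the 0x50 that precedes it, so nobody needs to brute force the salt, which is what the exchange between kamakazie and Camel circles around. Second, the search cost is set entirely by the width of value 2, which is why the Starcraft case collapses to about a thousand digest computations. For the original poster's problem, the `server_token_from_auth_info` check is the one to run over the logged 0x50 before touching the hash: a wrong offset there produces exactly the symptom described, a well-formed 0x51 that still comes back 0x101.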