0x51 rejection - 0x101 - need help.

Started by HydraPride, June 17, 2003, 04:57 AM


HydraPride

I get rejected with 0x51 packets. It gives me 0x101 in the s->c return. I am running essentially the DataHash function from prolix... and I don't believe that's the problem. I think maybe my cd key decoder is screwed up. I am using it directly from prolix, with a few compatibility adjustments. There was one line in the getcdvariables function (also from prolix, essentially) which required strcasecmp() which I don't have, so I just changed it to strcmp(). That's bothering me... because I think it may be the problem. Also, I need to make sure I'm getting the proper server token - that is bothering me as well. I'm trying to get it from the 2nd DWORD (bytes 8-11) of 0x50. Is that proper?

thanks for help.

HydraPride

Everything static appears to be included in the packet, but I KEEP getting the same 0x101.
I NEED HELP!!!!!
thanks

Camel

post a packet log of the 0x51 you sent (minus cd key hash of course :))

dxoigmn

Quote from: Camel on June 17, 2003, 06:31 PM
post a packet log of the 0x51 you sent (minus cd key hash of course :))

Would it be feasible to even attempt to brute force the hash?

Camel

Quote from: kamakazie on June 17, 2003, 07:23 PM
Would it be feasible to even attempt to brute force the hash?

well assuming one had all of the correct codes and ONLY the five seeds were off...that would be 160 bits to mess with. that's about 1.46E48 different combinations. i'm not even going to attempt to calculate the odds if the operations aren't correct.

c0ol

Quote from: kamakazie on June 17, 2003, 07:23 PM
Would it be feasible to even attempt to brute force the hash?

well 0x51 includes the product id and value 1, so you would only need to brute force value 2; I've done it before, it doesn't take that long; in fact that's how eurijk started with his cdkey decoder.

dxoigmn

Quote from: c0ol on June 18, 2003, 12:43 AM
well 0x51 includes the product id and value 1, so you would only need to brute force value 2; I've done it before, it doesn't take that long; in fact that's how eurijk started with his cdkey decoder.

What about the server salt?

Camel

Quote from: kamakazie on June 18, 2003, 01:34 AM
What about the server salt?

why would one brute the salt? or should I ask, HOW would one brute the salt?
Public Function HashPass(ByVal password As String, Key As Long, seed As Long, prependkey As Boolean) As String
    ' MKL() turns a Long into its 4-byte little-endian DWORD string; CalcHashBuf() is the Battle.net hash.
    Dim hashout As String * 20
    hashout = CalcHashBuf(password)                  ' 20-byte hash of the password alone
    HashPass = MKL(seed) & MKL(Key)                  ' client token (seed) followed by server token (Key)
    ' The inner hash always covers seed, Key and the password hash (the right-hand side is
    ' evaluated before the assignment); prependkey only decides whether Key is also sent in clear.
    HashPass = IIf(prependkey, HashPass, MKL(seed)) & CalcHashBuf(HashPass & hashout)
End Function


obviously that is vb, but it's the concept that counts
btw, the reason prependkey is there is because sometimes the key isn't sent with the hash (realm login)

dxoigmn

Quote from: Camel on June 18, 2003, 12:46 PM
why would one brute the salt? or should I ask, HOW would one brute the salt?
Public Function HashPass(ByVal password As String, Key As Long, seed As Long, prependkey As Boolean) As String
    ' MKL() turns a Long into its 4-byte little-endian DWORD string; CalcHashBuf() is the Battle.net hash.
    Dim hashout As String * 20
    hashout = CalcHashBuf(password)                  ' 20-byte hash of the password alone
    HashPass = MKL(seed) & MKL(Key)                  ' client token (seed) followed by server token (Key)
    ' The inner hash always covers seed, Key and the password hash (the right-hand side is
    ' evaluated before the assignment); prependkey only decides whether Key is also sent in clear.
    HashPass = IIf(prependkey, HashPass, MKL(seed)) & CalcHashBuf(HashPass & hashout)
End Function


obviously that is vb, but it's the concept that counts
btw, the reason prependkey is there is because sometimes the key isn't sent with the hash (realm login)

What does hashing passwords have to do with hashing a cdkey?

My point was, since there is a salt this makes the attempt to brute force the hash (looking for value2 and the server salt - which we don't know since he's only telling us the contents of SID_AUTH_CHECK he sent) much more difficult.  The structure for hashing a cdkey is as follows:

** Indicates which values we know.

(DWORD) Client Salt **
(DWORD) Server Salt
(DWORD) ProgramId (decoded from CDKey) **
(DWORD) Value 1 (decoded from CDKey) **
(DWORD) 0 **
(DWORD) Value 2 (decoded from CDKey)

Is there something wrong I'm not seeing?

Camel

Quote from: kamakazie on June 18, 2003, 04:47 PM
What does hashing passwords have to do with hashing a cdkey?
it's basically the same idea and I didn't want to post the answer, but since you already did...

    ' Plaintext part of the key block: key length, product id, value 1, 0.
    ' Then the 20-byte hash over: client token (seed), server token (ServerHash),
    ' product id, value 1, 0, value 2. MKL() packs a Long as a little-endian DWORD.
    HashThisCDKey = _
        MKL(Len(CDKey)) & _
        MKL(ProductID) & _
        MKL(Val1) & _
        MKL(0) & _
        CalcHashBuf( _
            MKL(seed) & _
            ServerHash & _
            MKL(ProductID) & _
            MKL(Val1) & _
            MKL(0) & _
            MKL(Val2))
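The two posts above give the same layout from different angles: six DWORDs go into the hash, and four of them (length, product id, value 1, 0) are also sent in clear in front of the 20-byte digest. The block below is an added example, not code from this thread or from any Battle.net bot; it assembles that pre-image and key block in Python and shows the server-side check that makes value 2 and the server token the only secrets. Battle.net's own hash routine (the thread's CalcHashBuf) is not on this page, so a standard SHA-1 is used as a labelled stand-in, and the token and key values are constructed for the demo.

```python
import hashlib
import hmac
import struct


def dword(value: int) -> bytes:
    """Little-endian 32-bit DWORD, the equivalent of the thread's MKL()."""
    return struct.pack("<I", value & 0xFFFFFFFF)


def placeholder_hash(buf: bytes) -> bytes:
    # Assumption: stand-in for CalcHashBuf. The real client uses Battle.net's own
    # SHA-1 variant, which this page does not show; plain SHA-1 keeps the layout
    # demonstrable while producing a 20-byte digest of the same size.
    return hashlib.sha1(buf).digest()


def key_hash_preimage(client_token: int, server_token: int, product_id: int,
                      val1: int, val2: int) -> bytes:
    """The 24-byte buffer that gets hashed, in the order given in the thread:
    client salt, server salt, product id, value 1, 0, value 2."""
    return (dword(client_token) + dword(server_token) + dword(product_id)
            + dword(val1) + dword(0) + dword(val2))


def key_block(key_len: int, client_token: int, server_token: int, product_id: int,
              val1: int, val2: int, hashfn=placeholder_hash) -> bytes:
    """One per-key block as the client sends it: four plaintext DWORDs, then the hash."""
    digest = hashfn(key_hash_preimage(client_token, server_token, product_id, val1, val2))
    return dword(key_len) + dword(product_id) + dword(val1) + dword(0) + digest


def split_key_block(block: bytes) -> dict:
    """Parse a key block back into fields: exactly what a passive observer sees in clear."""
    key_len, product_id, val1, zero = struct.unpack("<4I", block[:16])
    return {"key_len": key_len, "product_id": product_id, "val1": val1,
            "zero": zero, "hash": block[16:36]}


def verify_key_block(block: bytes, client_token: int, server_token: int,
                     expected_val2: int, hashfn=placeholder_hash) -> bool:
    """Server-side check: recompute the digest from the plaintext fields plus the
    server's own token and its stored value 2, and compare in constant time."""
    fields = split_key_block(block)
    expected = hashfn(key_hash_preimage(client_token, server_token,
                                        fields["product_id"], fields["val1"],
                                        expected_val2))
    return hmac.compare_digest(expected, fields["hash"])


if __name__ == "__main__":
    # Constructed demo values; they are not a real key or real session tokens.
    CLIENT_TOKEN, SERVER_TOKEN = 0x11223344, 0x55667788
    PRODUCT_ID, VAL1, VAL2, KEY_LEN = 0x01, 0x1234, 0x9ABC, 13
    blk = key_block(KEY_LEN, CLIENT_TOKEN, SERVER_TOKEN, PRODUCT_ID, VAL1, VAL2)
    print("key block (%d bytes): %s" % (len(blk), blk.hex()))
    print("in clear:", {k: v for k, v in split_key_block(blk).items() if k != "hash"})
    print("server accepts:", verify_key_block(blk, CLIENT_TOKEN, SERVER_TOKEN, VAL2))
```

The verify function is the reason the earlier brute-force estimates differ: anyone who sees the packet already has product id and value 1, so only value 2 and the server token are unknown to them, while the server itself knows both and needs no search at all.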

dxoigmn

Camel, you're lost and frankly it seems like you don't know what you're talking about.

c0ol, how long does it take him to brute value2 + the server salt?  I'm just wondering if this is worth anyone's time to do.

Arta

Isn't all this moot anyway? Retrieving the actual key from the decoded values is probably impractical, and using the values directly is just ew. Seems like a lot less effort just to go to the store and write a cdkey down from the back of the manual - especially since they so kindly break the seal so people can't steal the disc.

Camel

Quote from: kamakazie on June 18, 2003, 06:58 PM
Camel, you're lost and frankly it seems like you don't know what you're talking about.

c0ol, how long does it take him to brute value2 + the server salt?  I'm just wondering if this is worth anyone's time to do.

I didn't see c0ol's post until after I posted, so I misunderstood the question

Adron

Quote from: Arta[vL] on June 19, 2003, 05:42 PM
Isn't all this moot anyway? Retrieving the actual key from the decoded values is probably impractical, and using the values directly is just ew. Seems like a lot less effort just to go to the store and write a cdkey down from the back of the manual - especially since they so kindly break the seal so people can't steal the disc.

Retrieving the actual key from the decoded values is very easy, comparable to decoding the key in the first place. Not a big brute force task or anything like that. What game is this about? What's the size of val2?

HydraPride

Hey guys,
I've been out for a little while, that's why I haven't said anything (been in Alaska =o).
Anyway, I believe I have everything correct EXCEPT for the hash, and thus I believe that I am doing something incorrect with the hash.
I know I am hashing the right theoretical values (in the proper order, and all), but what I do not know is

1) The server token. I think I have this right, but can someone pinpoint exactly where it is? I believe I posted my original thoughts about it in the first post.
2) If it's not the server token, and I have all the other values correct, what could it be?