0x51 rejection - 0x101 - need help.

HydraPride · June 17, 2003, 04:57 AM

I get rejected with 0x51 packets. It gives me 0x101 in the s->c return. I am running essentially the DataHash function from prolix... and I don't believe that's the problem. I think maybe my cd key decoder is screwed up. I am using it directly from prolix, with a few compatibility adjustments. There was one line in the getcdvariables function (also from prolix, essentially) which required strcasecmp() which I don't have, so I just changed it to strcmp(). That's bothering me... because I think it may be the problem. Also, I need to make sure I'm getting the proper server token - that is bothering me as well. I'm trying to get it from the 2nd DWORD (bytes 8-11) of 0x50. Is that proper?

thanks for help.

HydraPride · June 17, 2003, 12:00 PM

Everything static appears to be included int he packet, but i KEEP getting same 0x101
I NEED HELP!!!!!
thanks

Camel · June 17, 2003, 06:31 PM

post a packet log of the 0x51 you sent (minus cd key hash of course

)

dxoigmn · June 17, 2003, 07:23 PM

Quote from: Camel on June 17, 2003, 06:31 PM
post a packet log of the 0x51 you sent (minus cd key hash of course )

Would it be feasible to even attempt to brute force the hash?

Camel · June 17, 2003, 07:31 PM

Quote from: kamakazie on June 17, 2003, 07:23 PM
Would it be feasible to even attempt to brute force the hash?

well assuming one had all of the correct codes and ONLY the five seeds were off...that would be 160 bits to mess with. that's about 1.46E48 different combinations. i'm not even going to attempt to calculate the odds if the operations aren't correct.

c0ol · June 18, 2003, 12:43 AM

Quote from: kamakazie on June 17, 2003, 07:23 PM
Would it be feasible to even attempt to brute force the hash?

well 0x51 includes the product id and value 1, so you would only need to brute force value 2, ive done it before, it doesnt take that long; infact thats how eurijk started with his cdkey decoder.

dxoigmn · June 18, 2003, 01:34 AM

Quote from: c0ol on June 18, 2003, 12:43 AM
well 0x51 includes the product id and value 1, so you would only need to brute force value 2, ive done it before, it doesnt take that long; infact thats how eurijk started with his cdkey decoder.

What about the server salt?

Camel · June 18, 2003, 12:46 PM

Quote from: kamakazie on June 18, 2003, 01:34 AM
What about the server salt?

why would one brute the salt? or should i ask, HOW would one brute the salt?

Code Select

Public Function HashPass(ByVal password As String, Key As Long, seed As Long, prependkey As Boolean) As String
    Dim hashout As String * 20
    hashout = CalcHashBuf(password)
    HashPass = MKL(seed) & MKL(Key)
    HashPass = IIf(prependkey, HashPass, MKL(seed)) & CalcHashBuf(HashPass & hashout)
End Function

obviously that is vb, but it's the concept that counts
btw, the reason prependkey is there is because sometimes the key isn't sent with the hash (realm login)

dxoigmn · June 18, 2003, 04:47 PM

Quote from: Camel on June 18, 2003, 12:46 PM
why would one brute the salt? or should i ask, HOW would one brute the salt?
Code Select Expand
Public Function HashPass(ByVal password As String, Key As Long, seed As Long, prependkey As Boolean) As String Dim hashout As String * 20 hashout = CalcHashBuf(password) HashPass = MKL(seed) & MKL(Key) HashPass = IIf(prependkey, HashPass, MKL(seed)) & CalcHashBuf(HashPass & hashout) End Function

obviously that is vb, but it's the concept that counts
btw, the reason prependkey is there is because sometimes the key isn't sent with the hash (realm login)

What does hashing passwords have anything to do with hashing a cdkey?

My point was, since there is a salt this makes the attempt to brute force the hash (looking for value2 and the server salt - which we don't know since he's only telling us the contents of SID_AUTH_CHECK he sent) much more difficult. The structure for hashing a cdkey is as follows:

Code Select


** Indicates which values we know.

(DWORD) Client Salt **
(DWORD) Server Salt
(DWORD) ProgramId (decoded from CDKey) **
(DWORD) Value 1 (decoded from CDKey) **
(DWORD) 0 **
(DWORD) Value 2 (decoded from CDKey)

Is there something wrong I'm not seeing?

Camel · June 18, 2003, 06:11 PM

Quote from: kamakazie on June 18, 2003, 04:47 PM
What does hashing passwords have anything to do with hashing a cdkey?

it's basicly the same idea and i didn't want to post the answer, but since you already did...

Code Select

    HashThisCDKey = _
        MKL(Len(CDKey)) & _
        MKL(ProductID) & _
        MKL(Val1) & _
        MKL(0) & _
        CalcHashBuf( _
            MKL(seed) & _
            ServerHash & _
            MKL(ProductID) & _
            MKL(Val1) & _
            MKL(0) & _
            MKL(Val2))

dxoigmn · June 18, 2003, 06:58 PM

Camel, you're lost and frankly it seems like you don't know what you're talking about.

c0ol, how long does it take him to brute value2 + the server salt? I'm just wondering if this is worth anyone's time to do.

Arta · June 19, 2003, 05:42 PM

Isn't all this moot anyway? Retrieving the actual key from the decoded values is probably impractical, and using the values directly is just ew. Seems like a lot less effort just to go to the store and write a cdkey down from the back of the manual - especially since they so kindly break the seal so people can't steal the disc.

Camel · June 19, 2003, 06:27 PM

Quote from: kamakazie on June 18, 2003, 06:58 PM
Camel, you're lost and frankly it seems like you don't know what you're talking about.

c0ol, how long does it take him to brute value2 + the server salt? I'm just wondering if this is worth anyone's time to do.

i didnt see c0ol's post until after i posted, so i misunderstood the question

Adron · June 21, 2003, 09:49 AM

Quote from: Arta[vL] on June 19, 2003, 05:42 PM
Isn't all this moot anyway? Retrieving the actual key from the decoded values is probably impractical, and using the values directly is just ew. Seems like a lot less effort just to go to the store and write a cdkey down from the back of the manual - especially since they so kindly break the seal so people can't steal the disc.

Retrieving the actual key from the decoded values is very easy, comparable to decoding the key in the first place. Not a big brute force task or anything like that. What game is this about? What's the size of val2?

HydraPride · June 21, 2003, 11:33 AM

Hey guys,
I've been out for a little while that's why I havent said anything (been in Alaska =o).
Anyway, I believe i have everything correct EXCEPT for the hash, and thus i believe that I am doing something incorrect with the hash.
I know I am hashing the right theoritical values (in the proper order, and all), but what I do not know is

1) The server token. I think I have this right, but can someone pinpoint exactly where it is? I believe i posted my original thoughts about it in the first post.
2) If its not the server token, and I have all the other values correct, what could it be?

Valhalla Legends Archive

0x51 rejection - 0x101 - need help.

HydraPride

HydraPride

Camel

dxoigmn

Camel

c0ol

dxoigmn

Camel

dxoigmn

Camel

dxoigmn

Arta

Camel

Adron

HydraPride