[C -> S] 0x51

Started by Trunning, May 07, 2010, 10:24 PM


Trunning

That's 10 in total, not 9 :(

Trunning

Here's a question, from the page 0x51.

It says [5] Hashed Key Data, an array of five, then below it says that should contain:
The data that should be hashed for 'Hashed Key Data' is:

   1. Client Token
   2. Server Token
   3. Key Product (from decoded CD key)
   4. Key Public (from decoded CD key)
   5. (DWORD) 0
   6. Key Private (from decoded CD key)


That's 6 not 5, so which is right?

l)ragon

Quote from: Trunning on May 08, 2010, 10:53 AM
Here's a question, from the page 0x51.

It says [5] Hashed Key Data, an array of five, then below it says that should contain:
The data that should be hashed for 'Hashed Key Data' is:

   1. Client Token
   2. Server Token
   3. Key Product (from decoded CD key)
   4. Key Public (from decoded CD key)
   5. (DWORD) 0
   6. Key Private (from decoded CD key)


That's 6 not 5, so which is right?
No, that is what you are hashing.
The hash returned is 5 DWORDs.
*^~·.,¸¸,.·´¯`·.,¸¸,.-·~^*ˆ¨¯¯¨ˆ*^~·.,l)ragon,.-·~^*ˆ¨¯¯¨ˆ*^~·.,¸¸,.·´¯`·.,¸¸,.-·~^*

Trunning

Ok so this should work.

packet.KeyLength = pkt.Data[0];
packet.ProductVal = pkt.Data[1];
packet.PublicVal = pkt.Data[2];
packet.Unknown = pkt.Data[3];
packet.KeyData[0] = pkt.Data[4];
packet.KeyData[1] = pkt.Data[5];
packet.KeyData[2] = pkt.Data[6];
packet.KeyData[3] = pkt.Data[7];
packet.KeyData[4] = pkt.Data[8];

l)ragon

Quote from: Trunning on May 08, 2010, 11:01 AM
Ok so this should work.

packet.KeyLength = pkt.Data[0];
packet.ProductVal = pkt.Data[1];
packet.PublicVal = pkt.Data[2];
packet.Unknown = pkt.Data[3];
packet.KeyData[0] = pkt.Data[4];
packet.KeyData[1] = pkt.Data[5];
packet.KeyData[2] = pkt.Data[6];
packet.KeyData[3] = pkt.Data[7];
packet.KeyData[4] = pkt.Data[8];

If your pkt Data doesn't include the packet header + result from BNLS, yes.
*^~·.,¸¸,.·´¯`·.,¸¸,.-·~^*ˆ¨¯¯¨ˆ*^~·.,l)ragon,.-·~^*ˆ¨¯¯¨ˆ*^~·.,¸¸,.·´¯`·.,¸¸,.-·~^*
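As an added illustration (my own example, not code from this thread, from BNLS or from the bnetdocs page): a bounds-checked reader for the nine-DWORD block Trunning indexes above, key length, product value, public value, the unknown DWORD, then the five hashed-key DWORDs, read little-endian out of a byte buffer. The struct and function names are mine, the sample bytes are constructed placeholders, and the field order follows the `pkt.Data[0..8]` indices in the post rather than any protocol document. The point worth taking from it is that the block is 36 bytes, so the length check runs before any DWORD is read.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define CDKEY_BLOCK_BYTES 36           /* 9 DWORDs: 4 header words + 5 hash words */
#define KEY_HASH_WORDS    5            /* "the hash returned is 5 DWORDs" */

/* Field order follows the DWORD indices used in the thread (names are mine). */
struct cdkey_data {
    uint32_t key_length;               /* pkt.Data[0] */
    uint32_t product_val;              /* pkt.Data[1] */
    uint32_t public_val;               /* pkt.Data[2] */
    uint32_t unknown;                  /* pkt.Data[3] */
    uint32_t key_data[KEY_HASH_WORDS]; /* pkt.Data[4..8] */
};

/* Little-endian DWORD read that does not depend on host byte order or alignment. */
static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parses the block starting at buf. Returns 0 on success, -1 if the buffer is
 * shorter than the 36 bytes the layout needs; nothing is read past len. */
int parse_cdkey_block(const uint8_t *buf, size_t len, struct cdkey_data *out)
{
    if (buf == NULL || out == NULL || len < CDKEY_BLOCK_BYTES)
        return -1;
    out->key_length  = rd32le(buf + 0);
    out->product_val = rd32le(buf + 4);
    out->public_val  = rd32le(buf + 8);
    out->unknown     = rd32le(buf + 12);
    for (int i = 0; i < KEY_HASH_WORDS; i++)
        out->key_data[i] = rd32le(buf + 16 + 4 * i);
    return 0;
}

/* Constructed sample block; every value is a placeholder, not real key data. */
static const uint8_t SAMPLE_BLOCK[CDKEY_BLOCK_BYTES] = {
    0x0D, 0x00, 0x00, 0x00,   /* key length 13 */
    0x02, 0x00, 0x00, 0x00,   /* product value 2 */
    0x78, 0x56, 0x34, 0x12,   /* public value 0x12345678 */
    0x00, 0x00, 0x00, 0x00,   /* unknown 0 */
    0x01, 0x00, 0x00, 0x00,   /* hash word 0 */
    0x02, 0x00, 0x00, 0x00,   /* hash word 1 */
    0x03, 0x00, 0x00, 0x00,   /* hash word 2 */
    0x04, 0x00, 0x00, 0x00,   /* hash word 3 */
    0x05, 0x00, 0x00, 0x00    /* hash word 4 */
};

/* Parses SAMPLE_BLOCK and returns DWORD number idx (0..8) of the result, in
 * the same order as the pkt.Data indices; returns 0 for any other idx. */
uint32_t demo_word(int idx)
{
    struct cdkey_data d;
    if (parse_cdkey_block(SAMPLE_BLOCK, sizeof SAMPLE_BLOCK, &d) != 0)
        return 0;
    switch (idx) {
    case 0: return d.key_length;
    case 1: return d.product_val;
    case 2: return d.public_val;
    case 3: return d.unknown;
    default:
        if (idx >= 4 && idx < 4 + KEY_HASH_WORDS)
            return d.key_data[idx - 4];
        return 0;
    }
}

/* Feeds a block one byte too short: the parser must refuse it rather than
 * read past the end of the buffer. */
int demo_truncated_status(void)
{
    struct cdkey_data d;
    return parse_cdkey_block(SAMPLE_BLOCK, sizeof SAMPLE_BLOCK - 1, &d);
}

int main(void)
{
    struct cdkey_data d;
    if (parse_cdkey_block(SAMPLE_BLOCK, sizeof SAMPLE_BLOCK, &d) != 0) {
        puts("short block");
        return 1;
    }
    printf("key length %u, product 0x%08x, public 0x%08x\n",
           (unsigned)d.key_length, (unsigned)d.product_val, (unsigned)d.public_val);
    for (int i = 0; i < KEY_HASH_WORDS; i++)
        printf("hash[%d] = 0x%08x\n", i, (unsigned)d.key_data[i]);
    printf("truncated block -> %d\n", demo_truncated_status());
    return 0;
}
```

Whether the hash words are kept as five DWORDs or as one 20-byte array is a matter of taste; what matters is that the reader never trusts the caller to have supplied all 36 bytes.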

Trunning

Fuck yeah, passed the challenge, thanks Dragon.

Trunning

Is BNLS 0x08 the right packet to hash my password for 0x3A?

l)ragon

Look into using BNLS_HASHDATA for that.
*^~·.,¸¸,.·´¯`·.,¸¸,.-·~^*ˆ¨¯¯¨ˆ*^~·.,l)ragon,.-·~^*ˆ¨¯¯¨ˆ*^~·.,¸¸,.·´¯`·.,¸¸,.-·~^*

Trunning

That's the packet I provided lol, so I guess it's right then?

l)ragon

Quote from: Trunning on May 08, 2010, 11:25 AM
That's the packet I provided lol, so I guess its right then?
yeah
*^~·.,¸¸,.·´¯`·.,¸¸,.-·~^*ˆ¨¯¯¨ˆ*^~·.,l)ragon,.-·~^*ˆ¨¯¯¨ˆ*^~·.,¸¸,.·´¯`·.,¸¸,.-·~^*

Trunning

Whenever I send packet 0x3A, I don't get a response.

CMSG_SID_LGOONRESPONSE re;
re.ClientToken = g_Cookie;
re.ServerToken = g_ServerToken;
re.PasswordHash[0] = pack.Data[0];
re.PasswordHash[1] = pack.Data[1];
re.PasswordHash[2] = pack.Data[2];
re.PasswordHash[3] = pack.Data[3];
re.PasswordHash[4] = pack.Data[4];
re.Username = (char*)malloc(13);
strcpy_s(re.Username, 13, "clientlessya");

buffer = (char*)malloc(sizeof(re) + 13);
memcpy(buffer, &re, sizeof(re));
strcpy_s(buffer + sizeof(re), 13, "clientlessya");

bncs_send(sockBNCS, 0x3A, buffer, sizeof(re) + 13);

Hdx

Look at your packet log; it should be obvious.
Also, just as a note, it's usually standard practice to treat hash data as a byte[] not a dword array. Basically it'd let you condense 5 lines into 1:
memcpy(&re.PasswordHash[0], &pack.Data[0], 20); or the like.

Proud host of the JBLS server www.JBLS.org.
JBLS.org Status:
JBLS/BNLS Server Status

Trunning

Well, my packet log looks fine; all I can see is the header being sent, then the rest.

CMSG_SID_LGOONRESPONSE re;
re.ClientToken = g_Cookie;
re.ServerToken = g_ServerToken;
re.PasswordHash[0] = pack.Data[0];
re.PasswordHash[1] = pack.Data[1];
re.PasswordHash[2] = pack.Data[2];
re.PasswordHash[3] = pack.Data[3];
re.PasswordHash[4] = pack.Data[4];
re.Username = (char*)malloc(13);
strcpy_s(re.Username, 13, "clientlessya");

buffer = (char*)malloc(sizeof(re) + 13);
memcpy(buffer, &re, sizeof(re));
strcpy(buffer + sizeof(re), "clientlessya");

bncs_send(sockBNCS, 0x3A, buffer, sizeof(re) + 13);

Hdx

Look at the 'rest' you are sending, and compare it to the packet structure.
You'll notice you're sending an extra 4 bytes before the username.

Proud host of the JBLS server www.JBLS.org.
JBLS.org Status:
JBLS/BNLS Server Status

Trunning

So...

strcpy(buffer + sizeof(re) - 4, "clientlessya");

This worked after I took off 4 bytes from the malloc().
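The extra 4 bytes Hdx points at are the `char* Username` member of the struct: `memcpy(buffer, &re, sizeof(re))` copies the pointer's value onto the wire, not the name, and subtracting 4 afterwards only works as long as the struct layout and pointer size never change. As an added example (mine, not code from this thread or from any Battle.net library), here is the same 0x3A body written field by field into the send buffer: client token, server token, the 20-byte hash treated as one byte array as Hdx suggests, then the NUL-terminated username. The field order is taken from the struct in the post; the username cap `MAX_USERNAME`, the token values and the hash bytes are constructed placeholders, not protocol limits or real values.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PW_HASH_BYTES 20   /* five DWORDs, handled as one byte array */
#define MAX_USERNAME  15   /* assumption: cap chosen for this example, not a documented limit */

/* Little-endian DWORD write, independent of host byte order. */
static void wr32le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Bounded string length: never scans more than limit bytes. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0') n++;
    return n;
}

/* Serialises the 0x3A body into out, one field at a time:
 *   DWORD client token, DWORD server token, BYTE[20] hash, STRING username.
 * No struct is memcpy'd, so neither a pointer nor compiler padding can reach
 * the wire. Returns the number of bytes written, or 0 if the username is
 * empty or longer than MAX_USERNAME, or if out cannot hold the whole body. */
size_t build_logon_body(uint8_t *out, size_t cap,
                        uint32_t client_token, uint32_t server_token,
                        const uint8_t hash[PW_HASH_BYTES], const char *username)
{
    if (out == NULL || hash == NULL || username == NULL) return 0;
    size_t ulen = bounded_len(username, MAX_USERNAME + 1);
    if (ulen == 0 || ulen > MAX_USERNAME) return 0;
    size_t need = 4 + 4 + PW_HASH_BYTES + ulen + 1;
    if (cap < need) return 0;
    wr32le(out, client_token);
    wr32le(out + 4, server_token);
    memcpy(out + 8, hash, PW_HASH_BYTES);
    memcpy(out + 8 + PW_HASH_BYTES, username, ulen);
    out[8 + PW_HASH_BYTES + ulen] = '\0';
    return need;
}

/* Constructed inputs: the tokens and hash bytes are placeholders, not real values. */
static const uint32_t DEMO_CLIENT_TOKEN = 0xAABBCCDDu;
static const uint32_t DEMO_SERVER_TOKEN = 0x01020304u;
static const uint8_t  DEMO_HASH[PW_HASH_BYTES] = {
    0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19 };
static const char    *DEMO_USER = "clientlessya";

/* Builds the demo body and returns its length: 4 + 4 + 20 + 12 + 1 = 41. */
size_t demo_body_len(void)
{
    uint8_t buf[64];
    return build_logon_body(buf, sizeof buf, DEMO_CLIENT_TOKEN,
                            DEMO_SERVER_TOKEN, DEMO_HASH, DEMO_USER);
}

/* Builds the demo body and returns byte i of it (0 when i is out of range). */
uint8_t demo_body_byte(size_t i)
{
    uint8_t buf[64];
    size_t n = build_logon_body(buf, sizeof buf, DEMO_CLIENT_TOKEN,
                                DEMO_SERVER_TOKEN, DEMO_HASH, DEMO_USER);
    return i < n ? buf[i] : 0;
}

/* Same body into a buffer one byte too small: the builder must refuse it. */
size_t demo_too_small(void)
{
    uint8_t buf[40];
    return build_logon_body(buf, sizeof buf, DEMO_CLIENT_TOKEN,
                            DEMO_SERVER_TOKEN, DEMO_HASH, DEMO_USER);
}

int main(void)
{
    uint8_t buf[64];
    size_t n = build_logon_body(buf, sizeof buf, DEMO_CLIENT_TOKEN,
                                DEMO_SERVER_TOKEN, DEMO_HASH, DEMO_USER);
    printf("body is %u bytes:", (unsigned)n);
    for (size_t i = 0; i < n; i++) printf(" %02x", buf[i]);
    printf("\nbuffer of 40 bytes -> %u\n", (unsigned)demo_too_small());
    return 0;
}
```

The returned length is what goes into the `bncs_send` size argument, so the header's length field always matches what was actually written; the `sizeof(re) + 13` arithmetic in the post is exactly what produced the stray pointer bytes.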