[C -> S] 0x51

[Trunning]

That's 10 in total, not 9

[Trunning]

Here's a question, from the page 0x51.

It says [5] Hashed Key Data, an array of five, then below it says that should contain:

Code Select Expand

The data that should be hashed for 'Hashed Key Data' is:

   1. Client Token
   2. Server Token
   3. Key Product (from decoded CD key)
   4. Key Public (from decoded CD key)
   5. (DWORD) 0
   6. Key Private (from decoded CD key)

That's 6 not 5, so which is right?

[l)ragon]

Here's a question, from the page 0x51.

It says [5] Hashed Key Data, an array of five, then below it says that should contain:

Code Select Expand

The data that should be hashed for 'Hashed Key Data' is:

   1. Client Token
   2. Server Token
   3. Key Product (from decoded CD key)
   4. Key Public (from decoded CD key)
   5. (DWORD) 0
   6. Key Private (from decoded CD key)

That's 6 not 5, so which is right?

No, that is what you are hashing.
the hash returned is 5 DWORDS.

[Trunning]

Ok so this should work.

Code Select Expand

packet.KeyLength = pkt.Data[0];
packet.ProductVal = pkt.Data[1];
packet.PublicVal = pkt.Data[2];
packet.Unknown = pkt.Data[3];
packet.KeyData[0] = pkt.Data[4];
packet.KeyData[1] = pkt.Data[5];
packet.KeyData[2] = pkt.Data[6];
packet.KeyData[3] = pkt.Data[7];
packet.KeyData[4] = pkt.Data[8];

[l)ragon]

Ok so this should work.

Code Select Expand

packet.KeyLength = pkt.Data[0];
packet.ProductVal = pkt.Data[1];
packet.PublicVal = pkt.Data[2];
packet.Unknown = pkt.Data[3];
packet.KeyData[0] = pkt.Data[4];
packet.KeyData[1] = pkt.Data[5];
packet.KeyData[2] = pkt.Data[6];
packet.KeyData[3] = pkt.Data[7];
packet.KeyData[4] = pkt.Data[8];

If your pkt Data dosent include the packet header+result from bnls yes.

[Trunning]

Fuck yeah, passed the challenge, thanks Dragon.

[Trunning]

Is BNLS 0x08 the right packet to hash my password for 0x3A?

[l)ragon]

look into using BNLS_HASHDATA for that.

[Trunning]

That's the packet I provided lol, so I guess its right then?

[l)ragon]

That's the packet I provided lol, so I guess its right then?

yeah

[Trunning]

Whenever I send packet 0x3A, I don't get a response.

Code Select Expand

CMSG_SID_LGOONRESPONSE re;
re.ClientToken = g_Cookie;
re.ServerToken = g_ServerToken;
re.PasswordHash[0] = pack.Data[0];
re.PasswordHash[1] = pack.Data[1];
re.PasswordHash[2] = pack.Data[2];
re.PasswordHash[3] = pack.Data[3];
re.PasswordHash[4] = pack.Data[4];
re.Username = (char*)malloc(13);
strcpy_s(re.Username, 13, "clientlessya");

buffer = (char*)malloc(sizeof(re) + 13);
memcpy(buffer, &re, sizeof(re));
strcpy_s(buffer + sizeof(re), 13, "clientlessya");

bncs_send(sockBNCS, 0x3A, buffer, sizeof(re) + 13);

[Hdx]

Look at your packet log it should be oblivious.
Also, just as a note, it's usually standard practice to treat hash data as a byte[] not a dword array. Basically it'd let you condense 5 lines into 1:

Code Select Expand

memcpy(&re.PasswordHash[0], &pack.Data[0], 20); or the like.

[Trunning]

Well my packet log looks fine, all I can see is the header being sent, then the rest.

Code Select Expand

CMSG_SID_LGOONRESPONSE re;
re.ClientToken = g_Cookie;
re.ServerToken = g_ServerToken;
re.PasswordHash[0] = pack.Data[0];
re.PasswordHash[1] = pack.Data[1];
re.PasswordHash[2] = pack.Data[2];
re.PasswordHash[3] = pack.Data[3];
re.PasswordHash[4] = pack.Data[4];
re.Username = (char*)malloc(13);
strcpy_s(re.Username, 13, "clientlessya");

buffer = (char*)malloc(sizeof(re) + 13);
memcpy(buffer, &re, sizeof(re));
strcpy(buffer + sizeof(re), "clientlessya");

bncs_send(sockBNCS, 0x3A, buffer, sizeof(re) + 13);

[Hdx]

Look at the 'rest' you are sending, and compare it to the packet structure.
You'll notice you're sending an extra 4 bytes before the username.

[Trunning]

So...

Code Select Expand

strcpy(buffer + sizeof(re) - 4, "clientlessya");

This worked after I took off 4 bytes from the malloc().