Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
It is currently 19 Jul 2012 12:59

All times are UTC [ DST ]





Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 9 posts ] 
Author Message
 Post subject: Trackmania Nations ESWC
PostPosted: 10 Apr 2011 18:41 

Joined: 10 Apr 2011 18:20
Posts: 5
Hi,
i'm a newbie in reverse engineering and i wanted to learn something about it so i tried to exploit the old version of trackmania, based on your exploits (http://aluigi.org/adv/tm4never-adv.txt). I started comparing the two servers and finally (i hope) i found the right key for generating crc (it was a lot of work for me oO):
Image

I've tried to create a valid tcp-packet with that and after comparing with the original packets i noticed that the crc-check failed. I was using your code with my key. Like this:

Code:
u32 trackmania_crc(u8 *key, u8 *data, int datalen) {
    static u8 fixed_key[]   = "..."; //u can fill it out on your own :P
    u32     hash[4];

    if(!key) key = fixed_key;
    if(datalen < 0) datalen = strlen(data);
    md5_hmac(key, 16, data, datalen, (u8 *)hash);
    return(hash[0] + hash[1] + hash[2] + hash[3]);
}


Now my question: whats wrong with my idea? How do you get this code of generating crc (did the algorithm get changed in forever?)?! How u know how a tmn-package is getting splitted (1. size, 2. crc, 3. data...)?

The old TMN ESWC server can be accessed here: http://www.tm-forum.com/viewtopic.php?t=1350

Greets


Top
 Profile  
 
 
 Post subject: Re: Trackmania Nations ESWC
PostPosted: 11 Apr 2011 08:45 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
the idea is correct: change the key and you are ready to send packets to the old server.

at a first look it seems just the same:
4a95d1: get the key
419310: hmac (easy to see due to 0x36 and 0x5c)
4a9614: sum of the 4 32bit values

so I did a quick test and indeed seems just that the protocol is a bit different, which is enough normal.


Top
 Profile  
 
 Post subject: Re: Trackmania Nations ESWC
PostPosted: 11 Apr 2011 19:05 

Joined: 10 Apr 2011 18:20
Posts: 5
aluigi wrote:
so I did a quick test and indeed seems just that the protocol is a bit different, which is enough normal.


I was trying to solve this difference the whole day but i dont get it. Can you help me a little with this?
Following this algorithm of hashing in ollydbg ist nearly impossible for me as beginner. Maybe u can make a little video-tutorial how u solved it in forever, so i can see your workflow and learn much more than simple "trial and error" the whole day^^


Top
 Profile  
 
 Post subject: Re: Trackmania Nations ESWC
PostPosted: 12 Apr 2011 21:24 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
no sorry I can't help with it


Top
 Profile  
 
 Post subject: Re: Trackmania Nations ESWC
PostPosted: 12 Apr 2011 21:42 

Joined: 10 Apr 2011 18:20
Posts: 5
I finally got it.
(sum of the 4 32bit values = 3 parts of the hash + one part of the fixed_key - ive wasted a lot of time in comparing the md5 stuff :D)

You can close this now and many thanks for your great draft of forever.


Top
 Profile  
 
 Post subject: Re: Trackmania Nations ESWC
PostPosted: 12 Apr 2011 21:49 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
interesting, can you post the final code of the function?


Top
 Profile  
 
 Post subject: Re: Trackmania Nations ESWC
PostPosted: 12 Apr 2011 23:48 

Joined: 10 Apr 2011 18:20
Posts: 5
Dont know how to convert '\x08\xC4\x81\x30' to 813810696 - can you explain it?!

Code:
u32 trackmania_crc(u8 *key, u8 *data, int datalen) {
    //static u8 fixed_key[]   = "\xB8\x9D\xD7\x80\x72\x6B\x21\xBA\x98\x95\x43\x15\xFA\x1C\xEC\xE1"; // forever key
    static u8 fixed_key[] = "\x08\xC4\x81\x30\x3A\x12\x26\xAB\xAF\x1D\x6A\xE4\xFB\x65\xFB\xC9"; // nations key
    u32     hash[4];
   
    if(!key) key = fixed_key;
    if(datalen < 0) datalen = strlen(data);
    md5_hmac(key, 16, data, datalen, (u8 *)hash);
   
    //return(hash[0] + hash[1] + hash[2] + hash[3]); // forever crc
    return(hash[0] + hash[1] + hash[2] + 813810696); // nations crc; 813810696 == \x08\xC4\x81\x30 (first part of fixed key)
}


Top
 Profile  
 
 Post subject: Re: Trackmania Nations ESWC
PostPosted: 14 Apr 2011 09:16 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
replace 813810696 with *(u32 *)fixed_key

very interesting this modification, would be interesting why the developers choosed this modification and changed it with the next versions


Top
 Profile  
 
 Post subject: Re: Trackmania Nations ESWC
PostPosted: 14 Apr 2011 18:58 

Joined: 10 Apr 2011 18:20
Posts: 5
I dont know - at the end we can disassemble it all :P


Top
 Profile  
 
Display posts from previous:  Sort by  
Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 9 posts ] 

All times are UTC [ DST ]


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
cron