#1 25 Oct 2006 2:19 pm
bf2142 stat query protocol
EDIT: I'll try to keep this post up to date w/ what's discussed in the following pages.
WARNING:
USING INFORMATION IN THIS THREAD TO PULL YOUR STATS MAY RESULT IN YOU BEING BLOCKED FROM THE STATS SERVERS! USE THIS INFORMATION AT YOUR OWN RISK, WE ARE NOT RESPONSIBLE FOR YOUR ACTIONS! If your IP does get blocked from the stats servers, your game stats will still update but you will never be able to view your stats or choose unlocks as long as you have that IP.
For those not wanting to dig through these threads to figure things out, here's a quick how-to:
If you do decide to dig through the posts, please give points to those who did all the hard work getting this done for you.
--MH
~~~~
[ORIGINAL POST BELOW]
I've been looking at the stats functionality of Battlefield 2142; unfortunately, unlike BF2, 2142 uses some sort of single-sign-on-like functionality. Here's a list of my objectives to understand how and what they're doing.
To do list:
Resolved:
so that the original base64 index string:
Code:
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=
looks like:
Code:
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789[]_
(where the last character is not actually part of the encoding string but is the padding character)
bytes 1 - 4 = unix time stamp (in seconds)
bytes 5 - 8 = magic number 00000064
bytes 9 - 12 = player id
bytes 13 - 16 = ####00[01|00] the 2 ## bytes are the CRC16-CCITT checksum (using 00 00 as the initial value instead of FF FF) of the first 14 bytes.
The above array is encrypted using Rijndael (AES) encryption (more on this later),
then base64-encoded (using the replacement characters shown above).
There is a challenge/response (over TCP) that occurs prior to sending the HTTP request, and this data is gathered there, I assume. The payload is encoded (I'm assuming it's the same way auth is encoded).
Last edited by MadHatter (22 Nov 2006 6:11 pm)
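The 16-byte layout and the modified base64 alphabet above, turned into a small parser/validator. This is an added example, not MadHatter's code and not anything taken from the game; it assumes big-endian field order, that the CRC covers bytes 1-14 with the two CRC positions held at zero while it is computed, and a 300-second freshness window (none of which the post states). The AES step is left out entirely because the key and mode are not given here, so the encode/decode helpers wrap the plaintext block directly. The point for a defender is visible in `check_plaintext`: a CRC catches corruption, but it is not a MAC, so passing every structural check says nothing about who produced the token.

```python
import base64
import struct
import time

# Alphabet substitution from the post: '+', '/' and the '=' pad become '[', ']' and '_'.
STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
GS_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789[]_"
_TO_GS = str.maketrans(STD_ALPHABET, GS_ALPHABET)
_FROM_GS = str.maketrans(GS_ALPHABET, STD_ALPHABET)

MAGIC = 0x00000064        # bytes 5-8 per the post
MAX_SKEW_SECONDS = 300    # freshness window: an assumption, not from the post


def crc16_ccitt(data: bytes, init: int = 0x0000) -> int:
    """CRC-16/CCITT: polynomial 0x1021, MSB first, no reflection, no final XOR.
    The post says the initial value is 0x0000 rather than 0xFFFF (the XMODEM variant)."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ 0x1021) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def gs_b64encode(raw: bytes) -> str:
    """Standard base64, then swap '+/=' for '[]_' as seen in the captured auth values."""
    return base64.b64encode(raw).decode("ascii").translate(_TO_GS)


def gs_b64decode(text: str) -> bytes:
    """Inverse of gs_b64encode: map '[]_' back to '+/=' and decode normally."""
    return base64.b64decode(text.translate(_FROM_GS))


def build_plaintext(timestamp: int, player_id: int, flag: int = 1) -> bytes:
    """16-byte pre-encryption layout: ts(4) | magic(4) | pid(4) | crc(2) | 00 | flag.
    Assumption: the CRC is taken over bytes 1-14 with the CRC slots zeroed."""
    head = struct.pack(">III", timestamp, MAGIC, player_id)
    crc = crc16_ccitt(head + b"\x00\x00")
    return head + struct.pack(">H", crc) + b"\x00" + bytes([flag & 0xFF])


def parse_plaintext(block: bytes) -> dict:
    """Split a 16-byte block into its fields (big-endian order assumed)."""
    if len(block) != 16:
        raise ValueError("expected a 16-byte block, got %d bytes" % len(block))
    timestamp, magic, player_id, crc, zero, flag = struct.unpack(">IIIHBB", block)
    return {"timestamp": timestamp, "magic": magic, "player_id": player_id,
            "crc": crc, "zero": zero, "flag": flag}


def check_plaintext(block: bytes, now: int) -> list:
    """Return a list of structural problems; an empty list means the block is
    internally consistent. The CRC only detects corruption, so this is not
    an authenticity check."""
    fields = parse_plaintext(block)
    problems = []
    if fields["magic"] != MAGIC:
        problems.append("bad magic 0x%08x" % fields["magic"])
    expected = crc16_ccitt(block[:12] + b"\x00\x00")
    if fields["crc"] != expected:
        problems.append("crc mismatch: got 0x%04x, expected 0x%04x" % (fields["crc"], expected))
    if fields["zero"] != 0:
        problems.append("byte 15 is 0x%02x, expected 0x00" % fields["zero"])
    if fields["flag"] not in (0, 1):
        problems.append("flag byte is 0x%02x, expected 0x00 or 0x01" % fields["flag"])
    if abs(now - fields["timestamp"]) > MAX_SKEW_SECONDS:
        problems.append("timestamp outside %d-second window" % MAX_SKEW_SECONDS)
    return problems


if __name__ == "__main__":
    # Constructed values: the asof timestamp and pid from the capture in this thread.
    blk = build_plaintext(1161822271, 81246737)
    token = gs_b64encode(blk)              # 24 chars ending in "__", like the captured auth= values
    print(token, parse_plaintext(gs_b64decode(token)))
    print("problems:", check_plaintext(blk, 1161822271 + 5))
    damaged = bytearray(blk)
    damaged[9] ^= 0x01                     # flip a bit in the player id
    print("problems after tamper:", check_plaintext(bytes(damaged), 1161822271 + 5))
    print("stale:", check_plaintext(blk, int(time.time())))
```

Run it with no arguments; the third line of output shows the CRC mismatch once a byte of the player id is flipped, and the last line shows the freshness check rejecting a 2006 timestamp today.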
#2 25 Oct 2006 9:50 pm
Re: bf2142 stat query protocol
I have a suspicion that the auth parameter is different based on what you're querying. I can confirm that by taking the results of a packet capture while the game is running and switching the auth value between queries (like getunlocks and getplayerinfo): the auth value that was generated by the game for that query returns valid results, and the switched value returns my player name and nothing else (see the above edited post).
I'm going to post the entire packet dump of the game here (so I can work on it at home or at work)
Requests are separated by a tilde line "~~~~".
Code:
GET /getbackendinfo.aspx?auth=iXZI3e9NRrcK6mkHY2YkNg__ HTTP/1.1 Host: stella.prod.gamespy.com User-Agent: GameSpyHTTP/1.0 Connection: close HTTP/1.1 200 OK Date: Thu, 26 Oct 2006 00:24:32 GMT Server: Microsoft-IIS/6.0 cluster-server: bf2142web1 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 7819 O H asof tid serverip cb D 1161822271 0 71.252.218.197 client H config D swiffHost.setLatestGameVersion 1.0.9.1 rankSettings.setRank 0 0 rankSettings.setRank 1 40 rankSettings.setRank 2 80 rankSettings.setRank 3 120 rankSettings.setRank 4 200 rankSettings.setRank 5 330 rankSettings.setRank 6 520 rankSettings.setRank 7 750 rankSettings.setRank 8 1050 rankSettings.setRank 9 1400 rankSettings.setRank 10 1800 rankSettings.setRank 11 2250 rankSettings.setRank 12 2850 rankSettings.setRank 13 3550 rankSettings.setRank 14 4400 rankSettings.setRank 15 5300 rankSettings.setRank 16 6250 rankSettings.setRank 17 7250 rankSettings.setRank 18 8250 rankSettings.setRank 19 9300 rankSettings.setRank 20 10400 rankSettings.setRank 21 11550 rankSettings.setRank 22 12700 rankSettings.setRank 23 14000 rankSettings.setRank 24 15300 rankSettings.setRank 25 16700 rankSettings.setRank 26 18300 rankSettings.setRank 27 20100 rankSettings.setRank 28 22100 rankSettings.setRank 29 24200 rankSettings.setRank 30 26400 rankSettings.setRank 31 28800 rankSettings.setRank 32 31500 rankSettings.setRank 33 34200 rankSettings.setRank 34 37100 rankSettings.setRank 35 40200 rankSettings.setRank 36 43300 rankSettings.setRank 37 46900 rankSettings.setRank 38 50500 rankSettings.setRank 39 54100 rankSettings.setRank 40 57700 rankSettings.setRank 41 0 rankSettings.setRank 42 0 rankSettings.setRank 43 0 rankSettings.save awards.setData 100_1 "6,1, ,12" awards.setData 100_2 "6,1, ,20" "9,23,ktt-3,54000" awards.setData 100_3 "6,1, ,30" "9,23,ktt-3,180000" awards.setData 101_1 "6,2, ,12" awards.setData 101_2 "6,2, ,20" "9,20,ktt-0,54000" 
awards.setData 101_3 "6,2, ,30" "9,20,ktt-0,180000" awards.setData 102_1 "6,3, ,12" awards.setData 102_2 "6,3, ,20" "9,21,ktt-1,54000" awards.setData 102_3 "6,3, ,30" "9,21,ktt-1,180000" awards.setData 103_1 "6,4, ,12" awards.setData 103_2 "6,4, ,20" "9,22,ktt-2,54000" awards.setData 103_3 "6,4, ,30" "9,22,ktt-2,180000" awards.setData 104_1 "6,50, ,10" awards.setData 104_2 "6,50, ,20" "1,113,slpts,300" awards.setData 104_3 "6,50, ,30" "1,113,slpts,600" awards.setData 105_1 "6,5, ,7" awards.setData 105_2 "6,5, ,10" "1,5,wkls-12,50" awards.setData 105_3 "6,5, ,17" "1,5,wkls-12,150" awards.setData 106_1 "6,7, ,5" awards.setData 106_2 "6,7, ,7" "1,7,wkls-5;wkls-11,50" awards.setData 106_3 "6,7, ,18" "1,7,wkls-5;wkls-11,300" awards.setData 107_1 "6,8, ,10" awards.setData 107_2 "6,8, ,15" "1,8,klse,50" awards.setData 107_3 "6,8, ,20" "1,8,klse,300" awards.setData 108_1 "10,18, ,180" awards.setData 108_2 "6,9, ,15" "9,148,vtp-12;vtp-3;wtp-30,72000" awards.setData 108_3 "6,9, ,30" "9,148,vtp-12;vtp-3;wtp-30,180000" awards.setData 109_1 "6,40, ,30" awards.setData 109_2 "10,150, ,1200" "1,40,csgpm-0,1000" awards.setData 109_3 "10,150, ,1500" "1,40,csgpm-0,4000" awards.setData 110_1 "6,39, ,30" awards.setData 110_2 "10,149, ,1200" "1,39,csgpm-1,1000" awards.setData 110_3 "10,149, ,1500" "1,39,csgpm-1,4000" awards.setData 111_1 "6,42, ,8" awards.setData 111_2 "6,42, ,10" "9,128,etpk-1,36000" awards.setData 111_3 "6,42, ,15" "9,128,etpk-1,216000" "1,42,rps,200" awards.setData 112_1 "6,43, ,8" awards.setData 112_2 "6,43, ,10" "9,129,etpk-5;etpk-0;etpk-2,36000" awards.setData 112_3 "6,43, ,15" "9,129,etpk-5;etpk-0;etpk-2,216000" "1,43,hls,400" awards.setData 113_1 "6,45, ,8" awards.setData 113_2 "6,45, ,10" "9,130,etpk-6,36000" awards.setData 113_3 "6,45, ,15" "9,130,etpk-6,180000" "1,45,resp,400" awards.setData 114_1 "10,141, ,900" awards.setData 114_2 "6,11, ,15" "9,114,atp,90000" awards.setData 114_3 "6,11, ,35" "9,114,atp,180000" awards.setData 115_1 "10,142, ,900" 
awards.setData 115_2 "6,12, ,15" "9,25,vtp-10;vtp-4,90000" awards.setData 115_3 "6,12, ,35" "9,25,vtp-10;vtp-4,180000" awards.setData 116_1 "10,151, ,600" awards.setData 116_2 "6,116, ,5" "9,115,vtp-1;vtp-4;vtp-6,90000" awards.setData 116_3 "6,116, ,12" "9,115,vtp-1;vtp-4;vtp-6,144000" awards.setData 117_1 "6,46, ,8" awards.setData 117_2 "6,46, ,15" "9,27,tgpm-1,108000" awards.setData 117_3 "6,46, ,30" "9,27,tgpm-1,216000" awards.setData 118_1 "6,47, ,8" awards.setData 118_2 "6,47, ,15" "9,27,tgpm-1,108000" awards.setData 118_3 "6,47, ,30" "9,27,tgpm-1,216000" awards.setData 119_1 "6,48, ,2" awards.setData 119_2 "6,49, ,1" "1,48,tcd,10" awards.setData 119_3 "6,48, ,3" "6,49, ,1" "1,48,tcd,40" awards.setData 200 "6,127, ," awards.setData 201 "6,126, ," awards.setData 202 "6,125, ," awards.setData 203 "6,41, ,30" "9,19,tac,180000" "9,28,tasl,180000" "9,29,tasm,180000" awards.setData 204 "6,59, ,1" "5,62,100_1,1" "5,63,101_1,1" "5,64,102_1,1" "5,65,103_1,1" "5,66,105_1,1" "5,67,106_1,1" "5,68,107_1,1" awards.setData 205 "6,59, ,1" "5,69,100_2,1" "5,70,101_2,1" "5,71,102_2,1" "5,72,103_2,1" "5,73,105_2,1" "5,74,106_2,1" "5,75,107_2,1" awards.setData 206 "6,59, ,1" "5,76,100_3,1" "5,77,101_3,1" "5,78,102_3,1" "5,79,103_3,1" "5,80,105_3,1" "5,81,106_3,1" "5,82,107_3,1" awards.setData 207 "11,30,tt,540000" "3,51,cpt,1000" "3,52,dcpt,400" "3,41,twsc,5000" awards.setData 208 "10,145, ,180" "11,31,attp-0,540000" "1,54,awin-0,300" awards.setData 209 "10,146, ,180" "11,32,attp-1,540000" "1,55,awin-1,300" awards.setData 210 "6,60, ,1" "11,26,tgpm-0,288000" "1,13,kgpm-0,8000" "1,15,bksgpm-0,25" awards.setData 211 "6,61, ,1" "11,27,tgpm-1,288000" "1,14,kgpm-1,8000" "1,16,bksgpm-1,25" awards.setData 212 "6,12, ,30" "9,25,vtp-10;vtp-4,360000" "1,12,vkls-10;vkls-4,8000" awards.setData 213 "6,11, ,25" "9,24,vtp-0;vtp-1;vtp-2,360000" "1,11,vkls-0;vkls-1;vkls-2,8000" awards.setData 214 "6,17, ,27" "6,83, ,0" "9,30,tt,648000" awards.setData 215 "11,30,tt,360000" "3,43,hls,400" 
"3,42,rps,400" "3,45,resp,400" awards.setData 216 "6,85, ,0.25" awards.setData 217 "6,86, ,10" "9,33,vtp-4,90000" awards.setData 218 "6,14, ,10" "11,27,tgpm-1,540000" "1,133,mbr-1-0;mbr-1-1;mbr-1-2;mbr-1-3;mbr-1-5,70" awards.setData 219 "6,17, ,20" "1,51,cpt,100" "1,42,rps,200" awards.setData 300 "10,18, ,300" "6,9, ,15" awards.setData 301 "10,142, ,600" "6,12, ,20" awards.setData 302 "6,120, ,10" awards.setData 303 "10,143, ,1200" "9,28,tasl,144000" awards.setData 304 "10,38, ,1200" "6,34, ,40" "9,19,tac,288000" awards.setData 305 "6,41, ,15" "9,29,tasm,36000" "9,28,tasl,36000" "9,19,tac,36000" awards.setData 306 "10,144, ,1080" "6,41, ,40" "9,29,tasm,72000" awards.setData 307 "6,41, ,55" "9,29,tasm,90000" "9,28,tasl,180000" awards.setData 308 "6,34, ,45" "9,19,tac,216000" "5,87,wlr,2" awards.setData 309 "10,141, ,1200" "6,11, ,20" awards.setData 310 "6,110, ,10" "9,121,vtp-0;vtp-1;vtp-2;vtp-6,36000" awards.setData 311 "9,99,mtt-0-0;mtt-1-0,0" "9,101,mtt-0-2;mtt-1-2,0" "9,103,mtt-0-4,0" "9,104,mtt-0-5;mtt-1-5,0" "9,108,mtt-0-9,0" "9,32,attp-1,432000" awards.setData 312 "9,100,mtt-0-1;mtt-1-1,0" "9,102,mtt-0-3;mtt-1-3,0" "9,105,mtt-0-6,0" "9,106,mtt-0-7,0" "9,107,mtt-0-8,0" "9,31,attp-0,432000" awards.setData 313 "6,17, ,20" "1,88,bksgpm-0;bksgpm-1,10" awards.setData 314 "6,17, ,10" "6,83, ," "11,30,tt,180000" awards.setData 315 "6,17, ,10" "11,30,tt,432000" "1,88,bksgpm-0;bksgpm-1,10" awards.setData 316 "3,10,vkls-7,200" awards.setData 317 "6,86, ,15" "9,33,vtp-4,90000" awards.setData 318 "6,138, ,15" "9,137,vtp-12,36000" awards.setData 319 "6,39, ,10" "11,36,ctgpm-1,90000" awards.setData 400 "6,89, ,5" awards.setData 401 "6,89, ,10" awards.setData 402 "6,48, ,4" awards.setData 403 "6,109, ,4" awards.setData 404 "6,86, ,10" awards.setData 406 "6,47, ,7" awards.setData 407 "6,139, ,5" awards.setData 408 "6,110, ,5" awards.setData 409 "6,93, ,8" awards.setData 410 "6,8, ,8" awards.setData 411 "6,44, ,8" awards.setData 412 "6,124, ," awards.setData 413 "6,7, ,4" 
awards.setData 414 "6,9, ,10" awards.setData 415 "6,6, ,10" $ 7473 $ ~~~~ GET /getplayerinfo.aspx?auth=hsAYJAG[dgkSiQfkKhF[fA__&mode=base&pToken=2fn3pt3nMR[A8SPyUKQhVZnQJ2]kSugbJMWAM9EW[dauTp3XY7vpedOQnTY]U6m[O5mlaEJpAoqt]LbEY6zQow__ HTTP/1.1 Host: stella.prod.gamespy.com User-Agent: GameSpyHTTP/1.0 Connection: close HTTP/1.1 200 OK Date: Thu, 26 Oct 2006 00:24:34 GMT Server: Microsoft-IIS/6.0 cluster-server: bf2142web4 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 239 O H asof cb D 1161797074 client H pid nick tid gsco crpt rnk rnkcg ent-1 ent-2 ent-3 unavl D 81246737 MadHatter2142 0 691 1097 8 0 0 0 1 0 H award level when first D 302 0 1161663780 0 D 102_1 0 1161493620 0 D 108_1 0 1161220740 0 $ 180 $ ~~~~ GET /getunlocksinfo.aspx?&auth=WMPGObVgmQFOUigYZyNnRw__ HTTP/1.1 Host: stella.prod.gamespy.com User-Agent: GameSpyHTTP/1.0 Connection: close HTTP/1.1 200 OK Date: Thu, 26 Oct 2006 00:24:36 GMT Server: Microsoft-IIS/6.0 cluster-server: bf2142web1 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 109 O H pid nick asof D 81246737 MadHatter2142 1161822276 H Avcred D 0 H UnlockID D 523 D 111 D 221 D 123 $ 79 $ ~~~~ GET /getawardsinfo.aspx?pid=81246737&auth=WMPGObVgmQFOUigYZyNnRw__ HTTP/1.1 Host: stella.prod.gamespy.com User-Agent: GameSpyHTTP/1.0 Connection: close HTTP/1.1 200 OK Date: Thu, 26 Oct 2006 00:24:36 GMT Server: Microsoft-IIS/6.0 cluster-server: bf2142web1 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 184 O H pid nick asof D 81246737 MadHatter2142 1161822276 H award level when first D 102_1 0 1161468479 0 D 108_1 0 1161195590 0 D 302 0 1161638632 0 D 400 4 1161640639 1161467677 $ 142 $ ~~~~ GET /getplayerprogress.aspx?mode=point&scale=game&auth=8e26HVmZGRthTzwBLMcrFw__ HTTP/1.1 Host: stella.prod.gamespy.com 
User-Agent: GameSpyHTTP/1.0 Connection: close HTTP/1.1 200 OK Date: Thu, 26 Oct 2006 00:24:44 GMT Server: Microsoft-IIS/6.0 cluster-server: bf2142web2 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 258 O H pid asof D 81246737 1161822284 H date points globalscore experiencepoints awaybonus D 1161129600 70 66 4 0 D 1161216000 407 245 162 0 D 1161302400 673 415 258 0 D 1161388800 858 515 343 0 D 1161561600 1055 649 378 28 D 1161648000 1097 691 378 28 $ 201 $ ~~~~ GET /getplayerprogress.aspx?mode=score&scale=game&auth=OwLTkf3YNNKSyoHbDP3KZQ__ HTTP/1.1 Host: stella.prod.gamespy.com User-Agent: GameSpyHTTP/1.0 Connection: close HTTP/1.1 200 OK Date: Thu, 26 Oct 2006 00:24:47 GMT Server: Microsoft-IIS/6.0 cluster-server: bf2142web4 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 157 O H pid asof D 81246737 1161822287 H date score D 1161129600 66 D 1161216000 245 D 1161302400 415 D 1161388800 515 D 1161561600 649 D 1161648000 691 $ 121 $ ~~~~ GET /getplayerprogress.aspx?mode=ttp&scale=game&auth=Un0OVwDuqpANkLtdDtHw2A__ HTTP/1.1 Host: stella.prod.gamespy.com User-Agent: GameSpyHTTP/1.0 Connection: close HTTP/1.1 200 OK Date: Thu, 26 Oct 2006 00:24:48 GMT Server: Microsoft-IIS/6.0 cluster-server: bf2142web3 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 164 O H pid asof D 81246737 1161822288 H date ttp D 1161129600 4199 D 1161216000 5154 D 1161302400 6515 D 1161388800 9883 D 1161561600 18338 D 1161648000 20434 $ 128 $ ~~~~ GET /getplayerprogress.aspx?mode=kills&scale=game&auth=Un0OVwDuqpANkLtdDtHw2A__ HTTP/1.1 Host: stella.prod.gamespy.com User-Agent: GameSpyHTTP/1.0 Connection: close HTTP/1.1 200 OK Date: Thu, 26 Oct 2006 00:24:48 GMT Server: Microsoft-IIS/6.0 cluster-server: bf2142web1 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 
Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 196 O H pid asof D 81246737 1161822288 H date kpm dpm D 1161129600 0.22 0.62 D 1161216000 0.22 0.58 D 1161302400 0.25 0.60 D 1161388800 0.40 0.60 D 1161561600 0.41 0.53 D 1161648000 0.44 0.53 $ 153 $ ~~~~ GET /getplayerprogress.aspx?mode=spm&scale=game&auth=3CR[CIClsFA6bIEPqghpKQ__ HTTP/1.1 Host: stella.prod.gamespy.com User-Agent: GameSpyHTTP/1.0 Connection: close HTTP/1.1 200 OK Date: Thu, 26 Oct 2006 00:24:49 GMT Server: Microsoft-IIS/6.0 cluster-server: bf2142web2 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 162 O H pid asof D 81246737 1161822289 H date spm D 1161129600 0.96 D 1161216000 2.88 D 1161302400 3.84 D 1161388800 3.14 D 1161561600 2.13 D 1161648000 2.03 $ 126 $ ~~~~ GET /getplayerprogress.aspx?mode=role&scale=game&auth=3CR[CIClsFA6bIEPqghpKQ__ HTTP/1.1 Host: stella.prod.gamespy.com User-Agent: GameSpyHTTP/1.0 Connection: close HTTP/1.1 200 OK Date: Thu, 26 Oct 2006 00:24:49 GMT Server: Microsoft-IIS/6.0 cluster-server: bf2142web2 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 290 O H pid asof D 81246737 1161822289 H date cotime sltime smtime lwtime ttp D 1161129600 0 3175 856 167 4199 D 1161216000 0 4130 856 167 5154 D 1161302400 0 4303 2044 167 6515 D 1161388800 0 6417 3143 320 9883 D 1161561600 99 11198 6632 403 18338 D 1161648000 99 11773 7957 695 20434 $ 226 $ ~~~~ GET /getplayerprogress.aspx?mode=flag&scale=game&auth=Wq[wb1fQGAnWp]KoQ4etxA__ HTTP/1.1 Host: stella.prod.gamespy.com User-Agent: GameSpyHTTP/1.0 Connection: close HTTP/1.1 200 OK Date: Thu, 26 Oct 2006 00:24:50 GMT Server: Microsoft-IIS/6.0 cluster-server: bf2142web3 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 199 O H pid asof D 81246737 1161822290 H date captures 
assist defend D 1161129600 18 18 0 D 1161216000 19 18 0 D 1161302400 21 27 1 D 1161388800 21 27 2 D 1161561600 45 42 3 D 1161648000 55 47 6 $ 149 $ ~~~~ GET /getplayerprogress.aspx?mode=waccu&scale=game&auth=Wq[wb1fQGAnWp]KoQ4etxA__ HTTP/1.1 Host: stella.prod.gamespy.com User-Agent: GameSpyHTTP/1.0 Connection: close HTTP/1.1 200 OK Date: Thu, 26 Oct 2006 00:24:50 GMT Server: Microsoft-IIS/6.0 cluster-server: bf2142web3 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 152 O H pid asof D 81246737 1161822290 H date waccu D 1161129600 17 D 1161216000 16 D 1161302400 19 D 1161388800 19 D 1161561600 17 D 1161648000 16 $ 116 $ ~~~~ GET /getplayerprogress.aspx?mode=wl&scale=game&auth=p5UWGglGAsln9Sb36S9oZQ__ HTTP/1.1 Host: stella.prod.gamespy.com User-Agent: GameSpyHTTP/1.0 Connection: close HTTP/1.1 200 OK Date: Thu, 26 Oct 2006 00:24:51 GMT Server: Microsoft-IIS/6.0 cluster-server: bf2142web4 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 167 O H pid asof D 81246737 1161822291 H date wins losses D 1161129600 0 3 D 1161216000 1 3 D 1161302400 1 4 D 1161388800 5 6 D 1161561600 9 10 D 1161648000 10 13 $ 124 $ ~~~~ GET /getplayerprogress.aspx?mode=twsc&scale=game&auth=p5UWGglGAsln9Sb36S9oZQ__ HTTP/1.1 Host: stella.prod.gamespy.com User-Agent: GameSpyHTTP/1.0 Connection: close HTTP/1.1 200 OK Date: Thu, 26 Oct 2006 00:24:51 GMT Server: Microsoft-IIS/6.0 cluster-server: bf2142web1 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 153 O H pid asof D 81246737 1161822291 H date twsc D 1161129600 51 D 1161216000 54 D 1161302400 71 D 1161388800 75 D 1161561600 148 D 1161648000 167 $ 117 $ ~~~~ GET /getplayerprogress.aspx?mode=sup&scale=game&auth=RM0orxS6feg[L[qXDREYug__ HTTP/1.1 Host: stella.prod.gamespy.com User-Agent: GameSpyHTTP/1.0 Connection: 
close HTTP/1.1 200 OK Date: Thu, 26 Oct 2006 00:24:52 GMT Server: Microsoft-IIS/6.0 cluster-server: bf2142web1 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 193 O H pid asof D 81246737 1161822292 H date hls rps rvs resp D 1161129600 0 0 0 6 D 1161216000 0 0 0 6 D 1161302400 0 0 1 6 D 1161388800 3 0 3 6 D 1161561600 6 0 9 6 D 1161648000 6 0 9 6 $ 136 $ ~~~~ GET /getplayerinfo.aspx?auth=CsJwQ9RPk46kmWxa9CTeYA__&mode=ovr HTTP/1.1 Host: stella.prod.gamespy.com User-Agent: GameSpyHTTP/1.0 Connection: close HTTP/1.1 200 OK Date: Thu, 26 Oct 2006 00:24:53 GMT Server: Microsoft-IIS/6.0 cluster-server: bf2142web1 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 215 O H asof cb D 1161797093 client H pid nick tid gsco tt crpt fgm fm fe fv fk fw win los acdt lgdt brs etp-3 pdt pdtc D 81246737 MadHatter2142 0 691 20524 1097 1 2 5 6 1 1 10 13 1161167627 1161725891 33 0 6 6 $ 158 $ ~~~~ GET /getplayerinfo.aspx?auth=xU2qDk[zXk]BWGehdT4y4w__&mode=ply HTTP/1.1 Host: stella.prod.gamespy.com User-Agent: GameSpyHTTP/1.0 Connection: close HTTP/1.1 200 OK Date: Thu, 26 Oct 2006 00:24:55 GMT Server: Microsoft-IIS/6.0 cluster-server: bf2142web1 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 307 O H asof cb D 1161797095 client H pid nick tid klls klla dths suic klstrk dstrk spm kdr kpm dpm akpr adpr tots toth ovaccu ktt-0 ktt-1 ktt-2 ktt-3 kkls-0 kkls-1 kkls-2 kkls-3 D 81246737 MadHatter2142 0 148 24 181 1 7 7 2.032 0.818 0.435 0.532 3.364 4.114 5085 774 0.152 202 16289 1660 854 2 138 7 1 $ 238 $ ~~~~ GET /getleaderboard.aspx?auth=yY6RhSt3AI[gBtRkc67Ulw__&pos=1&after=17&type=overallscore HTTP/1.1 Host: stella.prod.gamespy.com User-Agent: GameSpyHTTP/1.0 Connection: close HTTP/1.1 200 OK Date: Thu, 26 Oct 2006 00:25:07 GMT Server: Microsoft-IIS/6.0 
cluster-server: bf2142web3 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 943 O H size asof D 251354 1161796167 H rank pos pid nick globalscore playerrank countrycode Vet D 56947 56947 81246737 MadHatter2142 691 8 US 1 H rank pos pid nick globalscore playerrank countrycode Vet dt D 1 1 81263270 imotbh 11148 26 AU 1 0 D 2 2 65896813 S_Jackson 11085 29 GB 1 0 D 3 3 81212991 szam0ca 11062 32 HU 1 0 D 4 4 80865647 SimonMoon 11025 31 CH 1 0 D 5 5 81278799 Skunk_2142 11021 27 CA 0 0 D 6 6 81209964 KAIN 11019 28 DE 0 0 D 7 7 81242951 WoKeN 10587 30 US 1 0 D 8 8 81260470 coathanger 10435 31 US 1 0 D 9 9 81346180 DualNuke 10247 22 DE 1 0 D 10 10 81239550 RA4EVAH 10055 29 NL 0 0 D 11 11 81158290 Strategizah 9697 28 US 1 0 D 12 12 81346902 xXx[GER] 9629 26 DE 0 0 D 13 13 81243016 serguinho 9401 26 AT 1 0 D 14 14 81146847 Vibesfr 9386 27 FR 1 0 D 15 15 81286874 Pallares 9317 25 ES 1 0 D 16 16 81181481 LtSmash2032 9092 28 US 1 0 D 17 17 81285161 HITMAN- 9018 24 US 1 0 D 18 18 81165525 GodfishB16 8942 27 US 1 0 $ 720 $ ~~~~ GET /getleaderboard.aspx?auth=XxfEcvG2RYQ0J5V6mLnTng__&pos=1&after=17&type=overallscore&dogTagFilter=1 HTTP/1.1 Host: stella.prod.gamespy.com User-Agent: GameSpyHTTP/1.0 Connection: close HTTP/1.1 200 OK Date: Thu, 26 Oct 2006 00:25:09 GMT Server: Microsoft-IIS/6.0 cluster-server: bf2142web2 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 505 O H size asof D 251354 1161796167 H rank pos pid nick globalscore playerrank countrycode Vet D 56947 56947 81246737 MadHatter2142 691 8 US 1 H rank pos pid nick globalscore playerrank countrycode Vet dt D 31470 1 81624909 Spiv 1084 9 CA 0 1 D 36738 2 81306093 Wolverine-B- 979 9 US 1 1 D 36774 3 64334057 ak1knight 978 9 US 1 1 D 45284 4 81452916 H3LL-R4ZER 841 8 US 1 1 D 56947 5 81246737 MadHatter2142 691 8 US 1 0 D 90921 6 81312600 BearAxe 409 6 US 1 1 D 115552 7 
81865105 Nefar2 282 5 US 0 1 $ 392 $ ~~~~ GET /getleaderboard.aspx?auth=rtXtz6QGp[ufCxJWMrYS5w__&pos=1&after=17&type=overallscore HTTP/1.1 Host: stella.prod.gamespy.com User-Agent: GameSpyHTTP/1.0 Connection: close HTTP/1.1 200 OK Date: Thu, 26 Oct 2006 00:25:10 GMT Server: Microsoft-IIS/6.0 cluster-server: bf2142web4 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 943 O H size asof D 251354 1161796167 H rank pos pid nick globalscore playerrank countrycode Vet D 56947 56947 81246737 MadHatter2142 691 8 US 1 H rank pos pid nick globalscore playerrank countrycode Vet dt D 1 1 81263270 imotbh 11148 26 AU 1 0 D 2 2 65896813 S_Jackson 11085 29 GB 1 0 D 3 3 81212991 szam0ca 11062 32 HU 1 0 D 4 4 80865647 SimonMoon 11025 31 CH 1 0 D 5 5 81278799 Skunk_2142 11021 27 CA 0 0 D 6 6 81209964 KAIN 11019 28 DE 0 0 D 7 7 81242951 WoKeN 10587 30 US 1 0 D 8 8 81260470 coathanger 10435 31 US 1 0 D 9 9 81346180 DualNuke 10247 22 DE 1 0 D 10 10 81239550 RA4EVAH 10055 29 NL 0 0 D 11 11 81158290 Strategizah 9697 28 US 1 0 D 12 12 81346902 xXx[GER] 9629 26 DE 0 0 D 13 13 81243016 serguinho 9401 26 AT 1 0 D 14 14 81146847 Vibesfr 9386 27 FR 1 0 D 15 15 81286874 Pallares 9317 25 ES 1 0 D 16 16 81181481 LtSmash2032 9092 28 US 1 0 D 17 17 81285161 HITMAN- 9018 24 US 1 0 D 18 18 81165525 GodfishB16 8942 27 US 1 0 $ 720 $ ~~~~ GET /getleaderboard.aspx?auth=IA65[l5DqWS]khmcwMcfKQ__&pos=1&after=17&type=overallscore&ccFilter=US HTTP/1.1 Host: stella.prod.gamespy.com User-Agent: GameSpyHTTP/1.0 Connection: close HTTP/1.1 200 OK Date: Thu, 26 Oct 2006 00:25:11 GMT Server: Microsoft-IIS/6.0 cluster-server: bf2142web2 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 961 O H size asof D 98318 1161796167 H rank pos pid nick globalscore playerrank countrycode Vet D 56947 56947 81246737 MadHatter2142 691 8 US 1 H rank pos pid nick globalscore 
playerrank countrycode Vet dt D 7 1 81242951 WoKeN 10587 30 US 1 0 D 8 2 81260470 coathanger 10435 31 US 1 0 D 11 3 81158290 Strategizah 9697 28 US 1 0 D 16 4 81181481 LtSmash2032 9092 28 US 1 0 D 17 5 81285161 HITMAN- 9018 24 US 1 0 D 18 6 81165525 GodfishB16 8942 27 US 1 0 D 21 7 81230621 snakeyes 8748 23 US 0 0 D 27 8 80899180 DominoNation 8270 25 US 1 0 D 40 9 81271191 FullMetalPanik 7580 24 US 1 0 D 42 10 81242348 Badel 7502 25 US 1 0 D 43 11 81351733 Snofru78 7496 24 US 1 0 D 49 12 81273878 Strafe1 7245 23 US 1 0 D 53 13 81269430 HarveyCamper 7122 22 US 1 0 D 63 14 81246378 Edge. 6911 23 US 0 0 D 67 15 81264340 teknochild 6887 25 US 1 0 D 69 16 81143272 Madtactics 6810 22 US 1 0 D 72 17 81243907 TehMyke 6775 23 US 1 0 D 75 18 81295837 IILiLItalyIIJR 6697 22 US 0 0 $ 738 $ ~~~~ GET /getleaderboard.aspx?auth=6swGutaWIeRWF]MUK8rRzw__&pos=1&after=17&type=overallscore HTTP/1.1 Host: stella.prod.gamespy.com User-Agent: GameSpyHTTP/1.0 Connection: close HTTP/1.1 200 OK Date: Thu, 26 Oct 2006 00:25:12 GMT Server: Microsoft-IIS/6.0 cluster-server: bf2142web4 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 943 O H size asof D 251354 1161796167 H rank pos pid nick globalscore playerrank countrycode Vet D 56947 56947 81246737 MadHatter2142 691 8 US 1 H rank pos pid nick globalscore playerrank countrycode Vet dt D 1 1 81263270 imotbh 11148 26 AU 1 0 D 2 2 65896813 S_Jackson 11085 29 GB 1 0 D 3 3 81212991 szam0ca 11062 32 HU 1 0 D 4 4 80865647 SimonMoon 11025 31 CH 1 0 D 5 5 81278799 Skunk_2142 11021 27 CA 0 0 D 6 6 81209964 KAIN 11019 28 DE 0 0 D 7 7 81242951 WoKeN 10587 30 US 1 0 D 8 8 81260470 coathanger 10435 31 US 1 0 D 9 9 81346180 DualNuke 10247 22 DE 1 0 D 10 10 81239550 RA4EVAH 10055 29 NL 0 0 D 11 11 81158290 Strategizah 9697 28 US 1 0 D 12 12 81346902 xXx[GER] 9629 26 DE 0 0 D 13 13 81243016 serguinho 9401 26 AT 1 0 D 14 14 81146847 Vibesfr 9386 27 FR 1 0 D 15 15 81286874 Pallares 
9317 25 ES 1 0 D 16 16 81181481 LtSmash2032 9092 28 US 1 0 D 17 17 81285161 HITMAN- 9018 24 US 1 0 D 18 18 81165525 GodfishB16 8942 27 US 1 0 $ 720 $ ~~~~ GET /getleaderboard.aspx?auth=Ok2ca63[qDe142so3B0ZzQ__&pos=1&after=17&type=overallscore&buddiesFilter=81168298,81242994,81306093,81465904 HTTP/1.1 Host: stella.prod.gamespy.com User-Agent: GameSpyHTTP/1.0 Connection: close HTTP/1.1 200 OK Date: Thu, 26 Oct 2006 00:25:13 GMT Server: Microsoft-IIS/6.0 cluster-server: bf2142web1 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 426 O H size asof D 5 1161796167 H rank pos pid nick globalscore playerrank countrycode Vet D 56947 56947 81246737 MadHatter2142 691 8 US 1 H rank pos pid nick globalscore playerrank countrycode Vet dt D 36738 1 81306093 Wolverine-B- 979 9 US 1 1 D 56947 2 81246737 MadHatter2142 691 8 US 1 0 D 71347 3 81242994 DirtyKurt 551 7 US 1 0 D 119866 4 81465904 Tank_ 263 5 US 1 0 D 137153 5 81168298 TheShermanTank 198 5 US 1 0 $ 333 $ ~~~~ GET /getleaderboard.aspx?auth=NHFg9sIAp5Z[euaT6CA7KA__&pos=1&after=17&type=overallscore HTTP/1.1 Host: stella.prod.gamespy.com User-Agent: GameSpyHTTP/1.0 Connection: close HTTP/1.1 200 OK Date: Thu, 26 Oct 2006 00:25:14 GMT Server: Microsoft-IIS/6.0 cluster-server: bf2142web1 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 943 O H size asof D 251354 1161796167 H rank pos pid nick globalscore playerrank countrycode Vet D 56947 56947 81246737 MadHatter2142 691 8 US 1 H rank pos pid nick globalscore playerrank countrycode Vet dt D 1 1 81263270 imotbh 11148 26 AU 1 0 D 2 2 65896813 S_Jackson 11085 29 GB 1 0 D 3 3 81212991 szam0ca 11062 32 HU 1 0 D 4 4 80865647 SimonMoon 11025 31 CH 1 0 D 5 5 81278799 Skunk_2142 11021 27 CA 0 0 D 6 6 81209964 KAIN 11019 28 DE 0 0 D 7 7 81242951 WoKeN 10587 30 US 1 0 D 8 8 81260470 coathanger 10435 31 US 1 0 D 9 9 81346180 DualNuke 
10247 22 DE 1 0 D 10 10 81239550 RA4EVAH 10055 29 NL 0 0 D 11 11 81158290 Strategizah 9697 28 US 1 0 D 12 12 81346902 xXx[GER] 9629 26 DE 0 0 D 13 13 81243016 serguinho 9401 26 AT 1 0 D 14 14 81146847 Vibesfr 9386 27 FR 1 0 D 15 15 81286874 Pallares 9317 25 ES 1 0 D 16 16 81181481 LtSmash2032 9092 28 US 1 0 D 17 17 81285161 HITMAN- 9018 24 US 1 0 D 18 18 81165525 GodfishB16 8942 27 US 1 0 $ 720 $ ~~~~ GET /getleaderboard.aspx?auth=UCdBNgv2uDFFMTrq0HLQxA__&pos=1&after=17&type=overallscore&buddiesFilter=81168298,81242994,81306093,81465904 HTTP/1.1 Host: stella.prod.gamespy.com User-Agent: GameSpyHTTP/1.0 Connection: close HTTP/1.1 200 OK Date: Thu, 26 Oct 2006 00:25:15 GMT Server: Microsoft-IIS/6.0 cluster-server: bf2142web3 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 426 O H size asof D 5 1161796167 H rank pos pid nick globalscore playerrank countrycode Vet D 56947 56947 81246737 MadHatter2142 691 8 US 1 H rank pos pid nick globalscore playerrank countrycode Vet dt D 36738 1 81306093 Wolverine-B- 979 9 US 1 1 D 56947 2 81246737 MadHatter2142 691 8 US 1 0 D 71347 3 81242994 DirtyKurt 551 7 US 1 0 D 119866 4 81465904 Tank_ 263 5 US 1 0 D 137153 5 81168298 TheShermanTank 198 5 US 1 0 $ 333 $ ~~~~ GET /getleaderboard.aspx?auth=OambPiPNcGuCzsSlnZRF6w__&pos=1&after=17&type=overallscore&buddiesFilter=81168298,81242994,81306093,81465904&dogTagFilter=1 HTTP/1.1 Host: stella.prod.gamespy.com User-Agent: GameSpyHTTP/1.0 Connection: close HTTP/1.1 200 OK Date: Thu, 26 Oct 2006 00:25:16 GMT Server: Microsoft-IIS/6.0 cluster-server: bf2142web2 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 297 O H size asof D 5 1161796167 H rank pos pid nick globalscore playerrank countrycode Vet D 56947 56947 81246737 MadHatter2142 691 8 US 1 H rank pos pid nick globalscore playerrank countrycode Vet dt D 36738 1 81306093 
Wolverine-B- 979 9 US 1 1 D 56947 2 81246737 MadHatter2142 691 8 US 1 0 $ 234 $ ~~~~ GET /getleaderboard.aspx?auth=apr3cK9vZGLV[SjCz[7ikg__&pos=1&after=17&type=overallscore&ccFilter=US&buddiesFilter=81168298,81242994,81306093,81465904&dogTagFilter=1 HTTP/1.1 Host: stella.prod.gamespy.com User-Agent: GameSpyHTTP/1.0 Connection: close HTTP/1.1 200 OK Date: Thu, 26 Oct 2006 00:25:17 GMT Server: Microsoft-IIS/6.0 cluster-server: bf2142web2 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 297 O H size asof D 5 1161796167 H rank pos pid nick globalscore playerrank countrycode Vet D 56947 56947 81246737 MadHatter2142 691 8 US 1 H rank pos pid nick globalscore playerrank countrycode Vet dt D 36738 1 81306093 Wolverine-B- 979 9 US 1 1 D 56947 2 81246737 MadHatter2142 691 8 US 1 0 $ 234 $
Here's a second one for another account (no actual stats, because it's a new player; I'll update this one w/ real stats later):
Code:
GET /getbackendinfo.aspx?auth=Tz[wyu88es8eq3P22aB9wQ__ HTTP/1.1 Host: stella.prod.gamespy.com User-Agent: GameSpyHTTP/1.0 Connection: close HTTP/1.1 200 OK Date: Thu, 26 Oct 2006 05:11:25 GMT Server: Microsoft-IIS/6.0 cluster-server: bf2142web3 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 7819 O H asof tid serverip cb D 1161839485 0 71.252.218.197 client H config D swiffHost.setLatestGameVersion 1.0.9.1 rankSettings.setRank 0 0 rankSettings.setRank 1 40 rankSettings.setRank 2 80 rankSettings.setRank 3 120 rankSettings.setRank 4 200 rankSettings.setRank 5 330 rankSettings.setRank 6 520 rankSettings.setRank 7 750 rankSettings.setRank 8 1050 rankSettings.setRank 9 1400 rankSettings.setRank 10 1800 rankSettings.setRank 11 2250 rankSettings.setRank 12 2850 rankSettings.setRank 13 3550 rankSettings.setRank 14 4400 rankSettings.setRank 15 5300 rankSettings.setRank 16 6250 rankSettings.setRank 17 7250 rankSettings.setRank 18 8250 rankSettings.setRank 19 9300 rankSettings.setRank 20 10400 rankSettings.setRank 21 11550 rankSettings.setRank 22 12700 rankSettings.setRank 23 14000 rankSettings.setRank 24 15300 rankSettings.setRank 25 16700 rankSettings.setRank 26 18300 rankSettings.setRank 27 20100 rankSettings.setRank 28 22100 rankSettings.setRank 29 24200 rankSettings.setRank 30 26400 rankSettings.setRank 31 28800 rankSettings.setRank 32 31500 rankSettings.setRank 33 34200 rankSettings.setRank 34 37100 rankSettings.setRank 35 40200 rankSettings.setRank 36 43300 rankSettings.setRank 37 46900 rankSettings.setRank 38 50500 rankSettings.setRank 39 54100 rankSettings.setRank 40 57700 rankSettings.setRank 41 0 rankSettings.setRank 42 0 rankSettings.setRank 43 0 rankSettings.save awards.setData 100_1 "6,1, ,12" awards.setData 100_2 "6,1, ,20" "9,23,ktt-3,54000" awards.setData 100_3 "6,1, ,30" "9,23,ktt-3,180000" awards.setData 101_1 "6,2, ,12" awards.setData 101_2 "6,2, ,20" "9,20,ktt-0,54000" 
awards.setData 101_3 "6,2, ,30" "9,20,ktt-0,180000" awards.setData 102_1 "6,3, ,12" awards.setData 102_2 "6,3, ,20" "9,21,ktt-1,54000" awards.setData 102_3 "6,3, ,30" "9,21,ktt-1,180000" awards.setData 103_1 "6,4, ,12" awards.setData 103_2 "6,4, ,20" "9,22,ktt-2,54000" awards.setData 103_3 "6,4, ,30" "9,22,ktt-2,180000" awards.setData 104_1 "6,50, ,10" awards.setData 104_2 "6,50, ,20" "1,113,slpts,300" awards.setData 104_3 "6,50, ,30" "1,113,slpts,600" awards.setData 105_1 "6,5, ,7" awards.setData 105_2 "6,5, ,10" "1,5,wkls-12,50" awards.setData 105_3 "6,5, ,17" "1,5,wkls-12,150" awards.setData 106_1 "6,7, ,5" awards.setData 106_2 "6,7, ,7" "1,7,wkls-5;wkls-11,50" awards.setData 106_3 "6,7, ,18" "1,7,wkls-5;wkls-11,300" awards.setData 107_1 "6,8, ,10" awards.setData 107_2 "6,8, ,15" "1,8,klse,50" awards.setData 107_3 "6,8, ,20" "1,8,klse,300" awards.setData 108_1 "10,18, ,180" awards.setData 108_2 "6,9, ,15" "9,148,vtp-12;vtp-3;wtp-30,72000" awards.setData 108_3 "6,9, ,30" "9,148,vtp-12;vtp-3;wtp-30,180000" awards.setData 109_1 "6,40, ,30" awards.setData 109_2 "10,150, ,1200" "1,40,csgpm-0,1000" awards.setData 109_3 "10,150, ,1500" "1,40,csgpm-0,4000" awards.setData 110_1 "6,39, ,30" awards.setData 110_2 "10,149, ,1200" "1,39,csgpm-1,1000" awards.setData 110_3 "10,149, ,1500" "1,39,csgpm-1,4000" awards.setData 111_1 "6,42, ,8" awards.setData 111_2 "6,42, ,10" "9,128,etpk-1,36000" awards.setData 111_3 "6,42, ,15" "9,128,etpk-1,216000" "1,42,rps,200" awards.setData 112_1 "6,43, ,8" awards.setData 112_2 "6,43, ,10" "9,129,etpk-5;etpk-0;etpk-2,36000" awards.setData 112_3 "6,43, ,15" "9,129,etpk-5;etpk-0;etpk-2,216000" "1,43,hls,400" awards.setData 113_1 "6,45, ,8" awards.setData 113_2 "6,45, ,10" "9,130,etpk-6,36000" awards.setData 113_3 "6,45, ,15" "9,130,etpk-6,180000" "1,45,resp,400" awards.setData 114_1 "10,141, ,900" awards.setData 114_2 "6,11, ,15" "9,114,atp,90000" awards.setData 114_3 "6,11, ,35" "9,114,atp,180000" awards.setData 115_1 "10,142, ,900" 
awards.setData 115_2 "6,12, ,15" "9,25,vtp-10;vtp-4,90000" awards.setData 115_3 "6,12, ,35" "9,25,vtp-10;vtp-4,180000" awards.setData 116_1 "10,151, ,600" awards.setData 116_2 "6,116, ,5" "9,115,vtp-1;vtp-4;vtp-6,90000" awards.setData 116_3 "6,116, ,12" "9,115,vtp-1;vtp-4;vtp-6,144000" awards.setData 117_1 "6,46, ,8" awards.setData 117_2 "6,46, ,15" "9,27,tgpm-1,108000" awards.setData 117_3 "6,46, ,30" "9,27,tgpm-1,216000" awards.setData 118_1 "6,47, ,8" awards.setData 118_2 "6,47, ,15" "9,27,tgpm-1,108000" awards.setData 118_3 "6,47, ,30" "9,27,tgpm-1,216000" awards.setData 119_1 "6,48, ,2" awards.setData 119_2 "6,49, ,1" "1,48,tcd,10" awards.setData 119_3 "6,48, ,3" "6,49, ,1" "1,48,tcd,40" awards.setData 200 "6,127, ," awards.setData 201 "6,126, ," awards.setData 202 "6,125, ," awards.setData 203 "6,41, ,30" "9,19,tac,180000" "9,28,tasl,180000" "9,29,tasm,180000" awards.setData 204 "6,59, ,1" "5,62,100_1,1" "5,63,101_1,1" "5,64,102_1,1" "5,65,103_1,1" "5,66,105_1,1" "5,67,106_1,1" "5,68,107_1,1" awards.setData 205 "6,59, ,1" "5,69,100_2,1" "5,70,101_2,1" "5,71,102_2,1" "5,72,103_2,1" "5,73,105_2,1" "5,74,106_2,1" "5,75,107_2,1" awards.setData 206 "6,59, ,1" "5,76,100_3,1" "5,77,101_3,1" "5,78,102_3,1" "5,79,103_3,1" "5,80,105_3,1" "5,81,106_3,1" "5,82,107_3,1" awards.setData 207 "11,30,tt,540000" "3,51,cpt,1000" "3,52,dcpt,400" "3,41,twsc,5000" awards.setData 208 "10,145, ,180" "11,31,attp-0,540000" "1,54,awin-0,300" awards.setData 209 "10,146, ,180" "11,32,attp-1,540000" "1,55,awin-1,300" awards.setData 210 "6,60, ,1" "11,26,tgpm-0,288000" "1,13,kgpm-0,8000" "1,15,bksgpm-0,25" awards.setData 211 "6,61, ,1" "11,27,tgpm-1,288000" "1,14,kgpm-1,8000" "1,16,bksgpm-1,25" awards.setData 212 "6,12, ,30" "9,25,vtp-10;vtp-4,360000" "1,12,vkls-10;vkls-4,8000" awards.setData 213 "6,11, ,25" "9,24,vtp-0;vtp-1;vtp-2,360000" "1,11,vkls-0;vkls-1;vkls-2,8000" awards.setData 214 "6,17, ,27" "6,83, ,0" "9,30,tt,648000" awards.setData 215 "11,30,tt,360000" "3,43,hls,400" 
"3,42,rps,400" "3,45,resp,400" awards.setData 216 "6,85, ,0.25" awards.setData 217 "6,86, ,10" "9,33,vtp-4,90000" awards.setData 218 "6,14, ,10" "11,27,tgpm-1,540000" "1,133,mbr-1-0;mbr-1-1;mbr-1-2;mbr-1-3;mbr-1-5,70" awards.setData 219 "6,17, ,20" "1,51,cpt,100" "1,42,rps,200" awards.setData 300 "10,18, ,300" "6,9, ,15" awards.setData 301 "10,142, ,600" "6,12, ,20" awards.setData 302 "6,120, ,10" awards.setData 303 "10,143, ,1200" "9,28,tasl,144000" awards.setData 304 "10,38, ,1200" "6,34, ,40" "9,19,tac,288000" awards.setData 305 "6,41, ,15" "9,29,tasm,36000" "9,28,tasl,36000" "9,19,tac,36000" awards.setData 306 "10,144, ,1080" "6,41, ,40" "9,29,tasm,72000" awards.setData 307 "6,41, ,55" "9,29,tasm,90000" "9,28,tasl,180000" awards.setData 308 "6,34, ,45" "9,19,tac,216000" "5,87,wlr,2" awards.setData 309 "10,141, ,1200" "6,11, ,20" awards.setData 310 "6,110, ,10" "9,121,vtp-0;vtp-1;vtp-2;vtp-6,36000" awards.setData 311 "9,99,mtt-0-0;mtt-1-0,0" "9,101,mtt-0-2;mtt-1-2,0" "9,103,mtt-0-4,0" "9,104,mtt-0-5;mtt-1-5,0" "9,108,mtt-0-9,0" "9,32,attp-1,432000" awards.setData 312 "9,100,mtt-0-1;mtt-1-1,0" "9,102,mtt-0-3;mtt-1-3,0" "9,105,mtt-0-6,0" "9,106,mtt-0-7,0" "9,107,mtt-0-8,0" "9,31,attp-0,432000" awards.setData 313 "6,17, ,20" "1,88,bksgpm-0;bksgpm-1,10" awards.setData 314 "6,17, ,10" "6,83, ," "11,30,tt,180000" awards.setData 315 "6,17, ,10" "11,30,tt,432000" "1,88,bksgpm-0;bksgpm-1,10" awards.setData 316 "3,10,vkls-7,200" awards.setData 317 "6,86, ,15" "9,33,vtp-4,90000" awards.setData 318 "6,138, ,15" "9,137,vtp-12,36000" awards.setData 319 "6,39, ,10" "11,36,ctgpm-1,90000" awards.setData 400 "6,89, ,5" awards.setData 401 "6,89, ,10" awards.setData 402 "6,48, ,4" awards.setData 403 "6,109, ,4" awards.setData 404 "6,86, ,10" awards.setData 406 "6,47, ,7" awards.setData 407 "6,139, ,5" awards.setData 408 "6,110, ,5" awards.setData 409 "6,93, ,8" awards.setData 410 "6,8, ,8" awards.setData 411 "6,44, ,8" awards.setData 412 "6,124, ," awards.setData 413 "6,7, ,4" 
awards.setData 414 "6,9, ,10"
awards.setData 415 "6,6, ,10"
$ 7473 $
~~~~
GET /getplayerinfo.aspx?auth=HoEwn2lJbn0bvp6bDh]wjQ__&mode=base&pToken=Hux8422ifB5Gp9IL2OeKFKOvCfEl[O4BI3XwFw8dMGYVZYfIX8G0fqK6lRNRD6H4[PyvQu4v8Gnj16kEV2[MIg__ HTTP/1.1
Host: stella.prod.gamespy.com
User-Agent: GameSpyHTTP/1.0
Connection: close

HTTP/1.1 200 OK
Date: Thu, 26 Oct 2006 05:11:54 GMT
Server: Microsoft-IIS/6.0
cluster-server: bf2142web2
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 134

O
H asof cb
D 1161814314 client
H pid nick tid gsco crpt rnk rnkcg ent-1 ent-2 ent-3 unavl
D 82188143 Qw4z0 0 0 40 1 0 0 0 2 1
$ 96 $
~~~~
GET /getunlocksinfo.aspx?&auth=2d3SIIXPHH40QC6w9DrR6w__ HTTP/1.1
Host: stella.prod.gamespy.com
User-Agent: GameSpyHTTP/1.0
Connection: close

HTTP/1.1 200 OK
Date: Thu, 26 Oct 2006 05:11:56 GMT
Server: Microsoft-IIS/6.0
cluster-server: bf2142web4
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 77

O
H pid nick asof
D 82188143 Qw4z0 1161839516
H Avcred
D 1
H UnlockID
$ 55 $
~~~~
GET /getawardsinfo.aspx?pid=82188143&auth=2d3SIIXPHH40QC6w9DrR6w__ HTTP/1.1
Host: stella.prod.gamespy.com
User-Agent: GameSpyHTTP/1.0
Connection: close

HTTP/1.1 200 OK
Date: Thu, 26 Oct 2006 05:11:56 GMT
Server: Microsoft-IIS/6.0
cluster-server: bf2142web1
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 78

O
H pid nick asof
D 82188143 Qw4z0 1161839516
H award level when first
$ 57 $
~~~~
GET /getplayerprogress.aspx?mode=point&scale=game&auth=q6D3E5nkRF1]OnmOU8W7Yg__ HTTP/1.1
Host: stella.prod.gamespy.com
User-Agent: GameSpyHTTP/1.0
Connection: close

HTTP/1.1 200 OK
Date: Thu, 26 Oct 2006 05:12:10 GMT
Server: Microsoft-IIS/6.0
cluster-server: bf2142web3
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 13

E 104
$ 4 $
~~~~
GET /getleaderboard.aspx?auth=K5N9nf4JQdQ8L3cb[BVnpg__&pos=1&after=17&type=overallscore HTTP/1.1
Host: stella.prod.gamespy.com
User-Agent: GameSpyHTTP/1.0
Connection: close

HTTP/1.1 200 OK
Date: Thu, 26 Oct 2006 05:12:27 GMT
Server: Microsoft-IIS/6.0
cluster-server: bf2142web3
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 904

O
H size asof
D 254462 1161814087
H rank pos pid nick globalscore playerrank countrycode Vet
D
H rank pos pid nick globalscore playerrank countrycode Vet dt
D 1 1 65896813 S_Jackson 11785 29 GB 1 0
D 2 2 81278799 Skunk_2142 11487 27 CA 0 0
D 3 3 80865647 SimonMoon 11323 32 CH 1 0
D 4 4 81209964 KAIN 11159 28 DE 0 0
D 5 5 81263270 imotbh 11148 26 AU 1 0
D 6 6 81212991 szam0ca 11062 32 HU 1 0
D 7 7 81242951 WoKeN 11058 31 US 1 0
D 8 8 81260470 coathanger 10989 31 US 1 0
D 9 9 81346180 DualNuke 10524 22 DE 1 0
D 10 10 81239550 RA4EVAH 10055 29 NL 0 0
D 11 11 81158290 Strategizah 9813 28 US 1 0
D 12 12 81243016 serguinho 9753 26 AT 1 0
D 13 13 81346902 xXx[GER] 9629 26 DE 0 0
D 14 14 81146847 Vibesfr 9605 27 FR 1 0
D 15 15 81285161 HITMAN- 9543 25 US 1 0
D 16 16 81286874 Pallares 9359 25 ES 1 0
D 17 17 81165525 GodfishB16 9317 27 US 1 0
D 18 18 81181481 LtSmash2032 9092 28 US 1 0
$ 682 $
Offline
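The bodies in these captures have lost their whitespace, but their shape is still visible: a status line (O, or E followed by a code), H rows naming fields, D rows carrying values, and a trailer `$ n $`. The following is an added example, not code from the post: a parser for that layout that also checks the trailer. It assumes fields are tab-separated and every record ends in a newline, and that n is the number of non-whitespace characters of the body before the trailer; both assumptions are inferred here from the captures, where the Content-Length values (134, 77, 78) come out exactly under that layout and the trailer numbers (96, 55, 57) match that count. The two sample bodies are the getplayerinfo and getplayerprogress responses above, re-expanded by hand; whether `O` sits on its own line or shares the first line with `H` cannot be told from the capture, so the parser accepts both.

```python
"""Parse BF2142 stats-server responses: 'O'/'E' status, H/D rows, '$ n $' trailer."""

# Constructed samples: the getplayerinfo and getplayerprogress bodies from the capture,
# with tabs between fields and a newline after each record put back.
PLAYERINFO = (
    "O\n"
    "H\tasof\tcb\n"
    "D\t1161814314\tclient\n"
    "H\tpid\tnick\ttid\tgsco\tcrpt\trnk\trnkcg\tent-1\tent-2\tent-3\tunavl\n"
    "D\t82188143\tQw4z0\t0\t0\t40\t1\t0\t0\t0\t2\t1\n"
    "$\t96\t$\n"
)
# The captured Content-Length of 13 implies one more whitespace byte than this layout;
# where it sat is not recoverable, and the trailer count does not depend on it.
PROGRESS_ERROR = "E\t104\n$\t4\t$\n"


def split_trailer(body: str):
    """Split off the final '$\\t<n>\\t$' line; return (payload, declared_count)."""
    lines = body.rstrip("\n").split("\n")
    last = lines[-1].split("\t")
    if len(last) != 3 or last[0] != "$" or last[2] != "$" or not last[1].isdigit():
        raise ValueError("missing or malformed '$ n $' trailer")
    return "\n".join(lines[:-1]) + "\n", int(last[1])


def nonspace_count(payload: str) -> int:
    """The number the server writes into the trailer (assumed): non-whitespace characters."""
    return sum(1 for ch in payload if not ch.isspace())


def trailer_ok(body: str) -> bool:
    payload, declared = split_trailer(body)
    return nonspace_count(payload) == declared


def parse_response(body: str) -> dict:
    """Return {'status': 'O'|'E', 'code': int|None, 'tables': [[{field: value}, ...], ...]}."""
    if not trailer_ok(body):
        raise ValueError("trailer count mismatch: response truncated or altered")
    payload, _ = split_trailer(body)
    rows = [line.split("\t") for line in payload.rstrip("\n").split("\n")]
    status, tables, header = None, [], None
    for row in rows:
        kind, fields = row[0], row[1:]
        if kind == "E":                       # error: 'E\t<code>', nothing else follows
            return {"status": "E", "code": int(fields[0]), "tables": []}
        if kind == "O":                       # ok; 'O' may share its line with the first 'H'
            status = "O"
            if not fields:
                continue
            kind, fields = fields[0], fields[1:]
        if kind == "H":                       # header row starts a new table
            header = fields
            tables.append([])
        elif kind == "D":                     # data row: pair values with the current header
            if header is None:
                raise ValueError("D row before any H row")
            tables[-1].append(dict(zip(header, fields)))
        else:
            raise ValueError(f"unknown row marker {kind!r}")
    if status != "O":
        raise ValueError("no status row")
    return {"status": "O", "code": None, "tables": tables}


if __name__ == "__main__":
    info = parse_response(PLAYERINFO)
    player = info["tables"][1][0]
    print(player["pid"], player["nick"], "rank", player["rnk"])
    print(parse_response(PROGRESS_ERROR))
```

Two things worth keeping in mind when using this against live data. The trailer is only a length check: anyone who can alter the response can recompute it, so it catches truncation, not tampering, and since the whole exchange is plain HTTP nothing in it authenticates the server to the client. And a D row with fewer values than its header (the empty `D` in the leaderboard response above) simply yields a partial record rather than an error, which is what the leaderboard case needs.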
#3 26 Oct 2006 12:54 pm
Re: bf2142 stat query protocol
Hi guys, I have found some things with OllyDbg on the Windows server, but I need some help.
So here is my result (Windows server, patch 1.01):
Here is the call to the function which creates the 16-byte array for Base64 encoding and writes it to address 014DAA04
Code:
006E82A0 E83BF9FFFF CALL 006E7BE0
and here is the Base64 encoding (it reads 16 bytes from address 014DAA04 and encodes them to 24 bytes of Base64).
Of course, for the encoding two empty bytes are used at the end, so 16 bytes from address 014DAA04 + 2 empty bytes (=0) = 18 bytes => 24 bytes
(every 3 bytes are coded to 4 bytes of the ASCII table, which is stored in memory at 007ED210)
Code:
005AE44E E8FDA10500 CALL 00608650
So, CALL 00608650 we don't need, that is standard Base64 encoding, but what we need to know is that CALL 006E7BE0.
In this function, at first it reads data from 01BFA21C (16 bytes), example:
Code:
01BFA21C 74 FD 40 45 64 00 00 00 F8 45 12 04 01 00 FC E4
Where the first 4 bytes are the TIMESTAMP from 1.1.1970 in seconds (4540FD74 in decimal is 1161887092 seconds)
The next 4 bytes 00000064 are the same every time - I don't know what that is
The next 4 bytes 041245F8 are the player's PID in hex - 041245F8 in decimal is for example 68306424, the player's PID
And the last 4 bytes xxxx0001 are, I think, only a random number.
All these DWORDs are used in this function for the coding
1/ Store bytes into CPU registers
Code:
EBX = 74FD4045 (00..03)
ESI = 64000000 (04..07)
ECX = F8451204 (08..11)
EDX = 0100FCE4 (12..15)
2/ XOR this data with:
Code:
EBX xor 4CBB56AA = X1
ESI xor 780000C3 = X2
ECX xor 65FFEF44 = X3
EDX xor 23122C2C = X4
3/ Write the result into memory:
Code:
0012F354 = X1
0012F35C = X2
0012F350 = X3
0012F358 = X4
0012F34C = 0000000A (ESI)
ESI = 0000000A
0012F368 = 00000009 (ESI - 1)
4/ Coding??? into address 014DAA04
Code:
006E7CC7 83C7 30          ADD EDI,30
006E7CCA 83C6 FF          ADD ESI,-1
006E7CCD 8975 08          MOV DWORD PTR SS:[EBP+8],ESI
006E7CD0 8B55 F0          MOV EDX,DWORD PTR SS:[EBP-10]
006E7CD3 C1EA 10          SHR EDX,10
006E7CD6 0FB675 F3        MOVZX ESI,BYTE PTR SS:[EBP-D]
006E7CDA 0FB6D2           MOVZX EDX,DL
006E7CDD 0FB6C4           MOVZX EAX,AH
006E7CE0 8B0485 A82F8000  MOV EAX,DWORD PTR DS:[EAX*4+802FA8]
006E7CE7 330495 A82B8000  XOR EAX,DWORD PTR DS:[EDX*4+802BA8]
006E7CEE 0FB655 FF        MOVZX EDX,BYTE PTR SS:[EBP-1]
006E7CF2 330495 A8278000  XOR EAX,DWORD PTR DS:[EDX*4+8027A8]
006E7CF9 8BD3             MOV EDX,EBX
006E7CFB 81E2 FF000000    AND EDX,0FF
006E7D01 330495 A8338000  XOR EAX,DWORD PTR DS:[EDX*4+8033A8]
006E7D08 8B55 F8          MOV EDX,DWORD PTR SS:[EBP-8]
006E7D0B C1EA 10          SHR EDX,10
006E7D0E 0FB6D2           MOVZX EDX,DL
006E7D11 8B1495 A82B8000  MOV EDX,DWORD PTR DS:[EDX*4+802BA8]
006E7D18 3314B5 A8278000  XOR EDX,DWORD PTR DS:[ESI*4+8027A8]
006E7D1F 0FB6F7           MOVZX ESI,BH
006E7D22 3314B5 A82F8000  XOR EDX,DWORD PTR DS:[ESI*4+802FA8]
006E7D29 8B75 FC          MOV ESI,DWORD PTR SS:[EBP-4]
006E7D2C 0FB65D FD        MOVZX EBX,BYTE PTR SS:[EBP-3]
006E7D30 81E6 FF000000    AND ESI,0FF
006E7D36 3314B5 A8338000  XOR EDX,DWORD PTR DS:[ESI*4+8033A8]
006E7D3D 0FB675 FB        MOVZX ESI,BYTE PTR SS:[EBP-5]
006E7D41 8B34B5 A8278000  MOV ESI,DWORD PTR DS:[ESI*4+8027A8]
006E7D48 33349D A82F8000  XOR ESI,DWORD PTR DS:[EBX*4+802FA8]
006E7D4F 0FB65D F6        MOVZX EBX,BYTE PTR SS:[EBP-A]
006E7D53 33349D A82B8000  XOR ESI,DWORD PTR DS:[EBX*4+802BA8]
006E7D5A 3347 FC          XOR EAX,DWORD PTR DS:[EDI-4]
006E7D5D 3317             XOR EDX,DWORD PTR DS:[EDI]
006E7D5F 8BD9             MOV EBX,ECX
006E7D61 81E3 FF000000    AND EBX,0FF
006E7D67 33349D A8338000  XOR ESI,DWORD PTR DS:[EBX*4+8033A8]
006E7D6E 0FB65D FE        MOVZX EBX,BYTE PTR SS:[EBP-2]
006E7D72 3377 04          XOR ESI,DWORD PTR DS:[EDI+4]
006E7D75 0FB6CD           MOVZX ECX,CH
006E7D78 8B0C8D A82F8000  MOV ECX,DWORD PTR DS:[ECX*4+802FA8]
006E7D7F 330C9D A82B8000  XOR ECX,DWORD PTR DS:[EBX*4+802BA8]
006E7D86 0FB65D F7        MOVZX EBX,BYTE PTR SS:[EBP-9]
006E7D8A 330C9D A8278000  XOR ECX,DWORD PTR DS:[EBX*4+8027A8]
006E7D91 8B5D F8          MOV EBX,DWORD PTR SS:[EBP-8]
006E7D94 81E3 FF000000    AND EBX,0FF
006E7D9A 330C9D A8338000  XOR ECX,DWORD PTR DS:[EBX*4+8033A8]
006E7DA1 8945 FC          MOV DWORD PTR SS:[EBP-4],EAX
006E7DA4 334F F8          XOR ECX,DWORD PTR DS:[EDI-8]
006E7DA7 8BC6             MOV EAX,ESI
006E7DA9 8BD9             MOV EBX,ECX
006E7DAB 8BCA             MOV ECX,EDX
006E7DAD 83C7 20          ADD EDI,20
006E7DB0 836D 08 01       SUB DWORD PTR SS:[EBP+8],1
006E7DB4 895D F4          MOV DWORD PTR SS:[EBP-C],EBX
006E7DB7 894D F0          MOV DWORD PTR SS:[EBP-10],ECX
006E7DBA 8945 F8          MOV DWORD PTR SS:[EBP-8],EAX
006E7DBD ^0F85 0DFFFFFF   JNZ BF2142_w.006E7CD0
006E7DC3 8B75 EC          MOV ESI,DWORD PTR SS:[EBP-14]
006E7DC6 8B7D E8          MOV EDI,DWORD PTR SS:[EBP-18]
006E7DC9 8B55 F4          MOV EDX,DWORD PTR SS:[EBP-C]
006E7DCC C1EA 18          SHR EDX,18
006E7DCF C1E6 05          SHL ESI,5
006E7DD2 8B5C3E 08        MOV EBX,DWORD PTR DS:[ESI+EDI+8]
006E7DD6 8BC3             MOV EAX,EBX
006E7DD8 8D743E 08        LEA ESI,DWORD PTR DS:[ESI+EDI+8]
006E7DDC C1F8 18          SAR EAX,18
006E7DDF 3282 A8258000    XOR AL,BYTE PTR DS:[EDX+8025A8]
006E7DE5 0FB67D FF        MOVZX EDI,BYTE PTR SS:[EBP-1]
006E7DE9 8845 0B          MOV BYTE PTR SS:[EBP+B],AL
006E7DEC 8B45 0C          MOV EAX,DWORD PTR SS:[EBP+C]        ** EAX = 014DAA04
006E7DEF 0FB655 0B        MOVZX EDX,BYTE PTR SS:[EBP+B]
006E7DF3 895D 08          MOV DWORD PTR SS:[EBP+8],EBX
006E7DF6 8810             MOV BYTE PTR DS:[EAX],DL
006E7DF8 8B55 FC          MOV EDX,DWORD PTR SS:[EBP-4]
006E7DFB C1FB 10          SAR EBX,10
006E7DFE C1EA 10          SHR EDX,10
006E7E01 0FB6D2           MOVZX EDX,DL
006E7E04 329A A8258000    XOR BL,BYTE PTR DS:[EDX+8025A8]
006E7E0A 0FB6D5           MOVZX EDX,CH
006E7E0D 8858 01          MOV BYTE PTR DS:[EAX+1],BL
006E7E10 8B5D 08          MOV EBX,DWORD PTR SS:[EBP+8]
006E7E13 894D 08          MOV DWORD PTR SS:[EBP+8],ECX
006E7E16 8BCB             MOV ECX,EBX
006E7E18 C1F9 08          SAR ECX,8
006E7E1B 328A A8258000    XOR CL,BYTE PTR DS:[EDX+8025A8]
006E7E21 8B55 F8          MOV EDX,DWORD PTR SS:[EBP-8]
006E7E24 8848 02          MOV BYTE PTR DS:[EAX+2],CL
006E7E27 81E2 FF000000    AND EDX,0FF
006E7E2D 0FB692 A8258000  MOVZX EDX,BYTE PTR DS:[EDX+8025A8]
006E7E34 32D3             XOR DL,BL
006E7E36 8850 03          MOV BYTE PTR DS:[EAX+3],DL
006E7E39 8B56 04          MOV EDX,DWORD PTR DS:[ESI+4]
006E7E3C 8BDA             MOV EBX,EDX
006E7E3E C1FB 18          SAR EBX,18
006E7E41 329F A8258000    XOR BL,BYTE PTR DS:[EDI+8025A8]
006E7E47 0FB67D F2        MOVZX EDI,BYTE PTR SS:[EBP-E]
006E7E4B 8858 04          MOV BYTE PTR DS:[EAX+4],BL
006E7E4E 8BDA             MOV EBX,EDX
006E7E50 C1FB 10          SAR EBX,10
006E7E53 329F A8258000    XOR BL,BYTE PTR DS:[EDI+8025A8]
006E7E59 0FB67D F9        MOVZX EDI,BYTE PTR SS:[EBP-7]
006E7E5D 8858 05          MOV BYTE PTR DS:[EAX+5],BL
006E7E60 8BDA             MOV EBX,EDX
006E7E62 C1FB 08          SAR EBX,8
006E7E65 329F A8258000    XOR BL,BYTE PTR DS:[EDI+8025A8]
006E7E6B 8B7D F4          MOV EDI,DWORD PTR SS:[EBP-C]
006E7E6E 8858 06          MOV BYTE PTR DS:[EAX+6],BL
006E7E71 81E7 FF000000    AND EDI,0FF
006E7E77 0FB69F A8258000  MOVZX EBX,BYTE PTR DS:[EDI+8025A8]
006E7E7E 0FB67D F3        MOVZX EDI,BYTE PTR SS:[EBP-D]
006E7E82 32DA             XOR BL,DL
006E7E84 8858 07          MOV BYTE PTR DS:[EAX+7],BL
006E7E87 8B56 08          MOV EDX,DWORD PTR DS:[ESI+8]
006E7E8A 8BDA             MOV EBX,EDX
006E7E8C C1FB 18          SAR EBX,18
006E7E8F 329F A8258000    XOR BL,BYTE PTR DS:[EDI+8025A8]
006E7E95 0FB67D FA        MOVZX EDI,BYTE PTR SS:[EBP-6]
006E7E99 8858 08          MOV BYTE PTR DS:[EAX+8],BL
006E7E9C 8BDA             MOV EBX,EDX
006E7E9E C1FB 10          SAR EBX,10
006E7EA1 329F A8258000    XOR BL,BYTE PTR DS:[EDI+8025A8]
006E7EA7 0FB67D F5        MOVZX EDI,BYTE PTR SS:[EBP-B]
006E7EAB 8858 09          MOV BYTE PTR DS:[EAX+9],BL
006E7EAE 8BDA             MOV EBX,EDX
006E7EB0 C1FB 08          SAR EBX,8
006E7EB3 329F A8258000    XOR BL,BYTE PTR DS:[EDI+8025A8]
006E7EB9 8B7D FC          MOV EDI,DWORD PTR SS:[EBP-4]
006E7EBC 8858 0A          MOV BYTE PTR DS:[EAX+A],BL
006E7EBF 81E7 FF000000    AND EDI,0FF
006E7EC5 0FB69F A8258000  MOVZX EBX,BYTE PTR DS:[EDI+8025A8]
006E7ECC 32DA             XOR BL,DL
006E7ECE 8858 0B          MOV BYTE PTR DS:[EAX+B],BL
006E7ED1 8B56 0C          MOV EDX,DWORD PTR DS:[ESI+C]
006E7ED4 0FB675 FB        MOVZX ESI,BYTE PTR SS:[EBP-5]
006E7ED8 8BDA             MOV EBX,EDX
006E7EDA C1FB 18          SAR EBX,18
006E7EDD 329E A8258000    XOR BL,BYTE PTR DS:[ESI+8025A8]
006E7EE3 0FB675 F6        MOVZX ESI,BYTE PTR SS:[EBP-A]
006E7EE7 8858 0C          MOV BYTE PTR DS:[EAX+C],BL
006E7EEA 8BDA             MOV EBX,EDX
006E7EEC 8B4D 08          MOV ECX,DWORD PTR SS:[EBP+8]
006E7EEF C1FB 10          SAR EBX,10
006E7EF2 329E A8258000    XOR BL,BYTE PTR DS:[ESI+8025A8]
006E7EF8 0FB675 FD        MOVZX ESI,BYTE PTR SS:[EBP-3]
006E7EFC 8858 0D          MOV BYTE PTR DS:[EAX+D],BL
006E7EFF 8BDA             MOV EBX,EDX
006E7F01 C1FB 08          SAR EBX,8
006E7F04 329E A8258000    XOR BL,BYTE PTR DS:[ESI+8025A8]
006E7F0A 81E1 FF000000    AND ECX,0FF
006E7F10 8858 0E          MOV BYTE PTR DS:[EAX+E],BL
006E7F13 8A89 A8258000    MOV CL,BYTE PTR DS:[ECX+8025A8]
006E7F19 5E               POP ESI
006E7F1A 32CA             XOR CL,DL
006E7F1C 5B               POP EBX
006E7F1D 8848 0F          MOV BYTE PTR DS:[EAX+F],CL
006E7F20 33C0             XOR EAX,EAX
006E7F22 5F               POP EDI
006E7F23 8BE5             MOV ESP,EBP
006E7F25 5D               POP EBP
006E7F26 C2 0800          RETN 8
After this coding, at address 014DAA04 there is the coded information which is used for the Base64 encoding
Offline
#4 26 Oct 2006 1:48 pm
- Butcher
- Moderator
- From: Norway
- Registered: Jul 2006
- Posts: 308
Re: bf2142 stat query protocol
I'm gonna be completely honest, after reading it I am certain it is a way to get a processor to make phone calls illegally... Better see what MadHatter says, he can probably make it all sound very logical.
Offline
#5 26 Oct 2006 1:51 pm
Re: bf2142 stat query protocol
LOL Butcher. Over on BF2 Tech we've been trying to figure out the way we can talk to the bf2142 stat servers. Each request has a "cryptic" auth parameter, and Tubar just showed what's going on.
wow! nice work Tubar!
I have a couple of questions:
Offline
#6 26 Oct 2006 3:00 pm
Re: bf2142 stat query protocol
I'll take a look at part 4. I'm not that fluent in assembly, but I have written some basic compilers in it. I'll have to brush up; it looks like a slightly different assembly syntax than I'm used to.
Not to be picky or anything, but do you have the complete function call in assembly? Basically I'm looking for something that says:
PUSH EBP
...... lots of code here
006E7F25 5D POP EBP
006E7F26 C2 0800 RETN 8
It'll help get the whole scope of the function instead of jumping in the middle.
Edit: well, in theory it would be nice to get the section of code right before the call to the function (006E7BE0); this will tell us what the parameters are for the function as well.
Another edit: even with the other code, I'd have to do a lot more research; they are using many registers that I have never used before (AH/AL/DL etc. they hold data from certain operations that are performed, like overflow and carry).
Last edited by Craigins (27 Oct 2006 12:50 pm)
Offline
#7 26 Oct 2006 7:24 pm
Re: bf2142 stat query protocol
I don't believe those are CPU registers (most likely stack); they're more like debug symbols. He used OllyDbg, which you can get from here: http://www.ollydbg.de/ It actually looks pretty nice, so you may want to give it a try.
I'm looking through it on my machine.
Offline
#8 26 Oct 2006 7:49 pm
Re: bf2142 stat query protocol
They are CPU registers. I debugged in Microsoft Visual Studio 2005.
http://webster.cs.ucr.edu/AoA/Windows/H … rlda3.html
The 80x86 (Intel family) CPUs provide several general purpose registers for application use. These include eight 32-bit registers that have the following names:
EAX, EBX, ECX, EDX, ESI, EDI, EBP, and ESP
The "E" prefix on each name stands for extended. This prefix differentiates the 32-bit registers from the eight 16-bit registers that have the following names:
AX, BX, CX, DX, SI, DI, BP, and SP
Finally, the 80x86 CPUs provide eight 8-bit registers that have the following names:
AL, AH, BL, BH, CL, CH, DL, and DH

The compiler is doing some hefty register manipulation. I'm thinking if we get the full function we might, MIGHT, be able to compile the function and just use it to generate the codes. That way we don't have to figure out what it does.
Offline
#9 26 Oct 2006 11:59 pm
Re: bf2142 stat query protocol
MadHatter :
I have a couple of questions:
I've noticed that I cannot use the same auth value between different queries. Is the 00000064 value (bytes 5-8) used for every query? If not, is the last set of numbers (seemingly random) based on which query this is being generated for, or does it seem purely random? I'm positive each query has its own identifier... Where are the XOR numbers from (step 2)? Are they "magic numbers" hard coded, or are they produced by some other segment of code? Do you have any idea of what step 4 is doing? It seems like some sort of manipulation of the bytes, but I never learned assembler.

Code:
EBX = 74FD4045 (00..03)
ESI = 64000000 (04..07)
ECX = F96AE204 (08..11)
EDX = 0100FCE4 (12..15)
and xor
Code:
EDI = 01BF9E28 - pointer to the memory holding the "magic numbers"
EBX xor [EDI+08] => 74FD4045 xor 4CBB56AA = 384616EF = X1
ESI xor [EDI+0C] => 64000000 xor 780000C3 = 1C0000C3 = X2
ECX xor [EDI+10] => F96AE204 xor 65FFEF44 = 9C950D40 = X3
EDX xor [EDI+14] => 0100FCE4 xor 23122C2C = 2212D0C8 = X4
Offline
#10 27 Oct 2006 12:07 am
Re: bf2142 stat query protocol
Craigins :
It'll help get the whole scope of the function instead of jumping in the middle.

The whole function is here:
Code:
006E82A0 E8 3BF9FFFF CALL BF2142_w.006E7BE0
Just watch address 006E7BE0, this is where the coding starts:
Code:
006E7BE0 55               PUSH EBP
006E7BE1 8BEC             MOV EBP,ESP
006E7BE3 83EC 18          SUB ESP,18
006E7BE6 57               PUSH EDI
006E7BE7 8BF9             MOV EDI,ECX
006E7BE9 807F 04 00       CMP BYTE PTR DS:[EDI+4],0
006E7BED 897D E8          MOV DWORD PTR SS:[EBP-18],EDI
006E7BF0 75 0C            JNZ SHORT BF2142_w.006E7BFE
006E7BF2 B8 01000000      MOV EAX,1
006E7BF7 5F               POP EDI
006E7BF8 8BE5             MOV ESP,EBP
006E7BFA 5D               POP EBP
006E7BFB C2 0800          RETN 8
006E7BFE 8B45 08          MOV EAX,DWORD PTR SS:[EBP+8]        <= EAX is set to 01BFA21C here?
006E7C01 0FB648 01        MOVZX ECX,BYTE PTR DS:[EAX+1]
006E7C05 83C0 01          ADD EAX,1
006E7C08 33D2             XOR EDX,EDX
006E7C0A 8A70 01          MOV DH,BYTE PTR DS:[EAX+1]
006E7C0D 83C0 01          ADD EAX,1
006E7C10 53               PUSH EBX
006E7C11 0FB658 FE        MOVZX EBX,BYTE PTR DS:[EAX-2]
006E7C15 83C0 01          ADD EAX,1
006E7C18 C1E1 10          SHL ECX,10
006E7C1B 83C0 01          ADD EAX,1
006E7C1E 56               PUSH ESI
006E7C1F 0FB630           MOVZX ESI,BYTE PTR DS:[EAX]
006E7C22 C1E3 18          SHL EBX,18
006E7C25 0BD9             OR EBX,ECX
006E7C27 0FB648 FF        MOVZX ECX,BYTE PTR DS:[EAX-1]
006E7C2B 0BDA             OR EBX,EDX
006E7C2D 0FB650 01        MOVZX EDX,BYTE PTR DS:[EAX+1]
006E7C31 83C0 01          ADD EAX,1
006E7C34 0BD9             OR EBX,ECX
006E7C36 83C0 01          ADD EAX,1
006E7C39 C1E2 10          SHL EDX,10
006E7C3C 33C9             XOR ECX,ECX
006E7C3E 8A28             MOV CH,BYTE PTR DS:[EAX]
006E7C40 C1E6 18          SHL ESI,18
006E7C43 0BF2             OR ESI,EDX
006E7C45 0FB650 01        MOVZX EDX,BYTE PTR DS:[EAX+1]
006E7C49 83C0 01          ADD EAX,1
006E7C4C 0BF1             OR ESI,ECX
006E7C4E 0FB648 01        MOVZX ECX,BYTE PTR DS:[EAX+1]
006E7C52 0BF2             OR ESI,EDX
006E7C54 3377 0C          XOR ESI,DWORD PTR DS:[EDI+C]
006E7C57 83C0 01          ADD EAX,1
006E7C5A 0FB650 01        MOVZX EDX,BYTE PTR DS:[EAX+1]
006E7C5E 83C0 01          ADD EAX,1
006E7C61 C1E2 10          SHL EDX,10
006E7C64 C1E1 18          SHL ECX,18
006E7C67 0BCA             OR ECX,EDX
006E7C69 33D2             XOR EDX,EDX
006E7C6B 8A70 01          MOV DH,BYTE PTR DS:[EAX+1]
006E7C6E 83C0 01          ADD EAX,1
006E7C71 83C0 01          ADD EAX,1
006E7C74 83C0 01          ADD EAX,1
006E7C77 8975 FC          MOV DWORD PTR SS:[EBP-4],ESI
006E7C7A 0FB630           MOVZX ESI,BYTE PTR DS:[EAX]
006E7C7D 0BCA             OR ECX,EDX
006E7C7F 0FB650 FF        MOVZX EDX,BYTE PTR DS:[EAX-1]
006E7C83 0BCA             OR ECX,EDX
006E7C85 0FB650 01        MOVZX EDX,BYTE PTR DS:[EAX+1]
006E7C89 83C0 01          ADD EAX,1
006E7C8C 335F 08          XOR EBX,DWORD PTR DS:[EDI+8]
006E7C8F 334F 10          XOR ECX,DWORD PTR DS:[EDI+10]
006E7C92 C1E2 10          SHL EDX,10                          (EDX = 00000000)
006E7C95 C1E6 18          SHL ESI,18                          (ESI = 01000000)
006E7C98 0BF2             OR ESI,EDX
006E7C9A 33D2             XOR EDX,EDX
006E7C9C 8A70 01          MOV DH,BYTE PTR DS:[EAX+1]
006E7C9F 83C0 01          ADD EAX,1
006E7CA2 895D F4          MOV DWORD PTR SS:[EBP-C],EBX
006E7CA5 894D F0          MOV DWORD PTR SS:[EBP-10],ECX
006E7CA8 8A50 01          MOV DL,BYTE PTR DS:[EAX+1]
006E7CAB 0BD6             OR EDX,ESI
006E7CAD 3357 14          XOR EDX,DWORD PTR DS:[EDI+14]
006E7CB0 8BB7 D0030000    MOV ESI,DWORD PTR DS:[EDI+3D0]
006E7CB6 83FE 01          CMP ESI,1
006E7CB9 8BC2             MOV EAX,EDX
006E7CBB 8945 F8          MOV DWORD PTR SS:[EBP-8],EAX
006E7CBE 8975 EC          MOV DWORD PTR SS:[EBP-14],ESI
006E7CC1 0F8E 02010000    JLE BF2142_w.006E7DC9
006E7CC7 83C7 30          ADD EDI,30
006E7CCA 83C6 FF          ADD ESI,-1
006E7CCD 8975 08          MOV DWORD PTR SS:[EBP+8],ESI
006E7CD0 8B55 F0          MOV EDX,DWORD PTR SS:[EBP-10]
006E7CD3 C1EA 10          SHR EDX,10
006E7CD6 0FB675 F3        MOVZX ESI,BYTE PTR SS:[EBP-D]
006E7CDA 0FB6D2           MOVZX EDX,DL
006E7CDD 0FB6C4           MOVZX EAX,AH
006E7CE0 8B0485 A82F8000  MOV EAX,DWORD PTR DS:[EAX*4+802FA8]
006E7CE7 330495 A82B8000  XOR EAX,DWORD PTR DS:[EDX*4+802BA8]
006E7CEE 0FB655 FF        MOVZX EDX,BYTE PTR SS:[EBP-1]
006E7CF2 330495 A8278000  XOR EAX,DWORD PTR DS:[EDX*4+8027A8]
006E7CF9 8BD3             MOV EDX,EBX
006E7CFB 81E2 FF000000    AND EDX,0FF
006E7D01 330495 A8338000  XOR EAX,DWORD PTR DS:[EDX*4+8033A8]
006E7D08 8B55 F8          MOV EDX,DWORD PTR SS:[EBP-8]
006E7D0B C1EA 10          SHR EDX,10
006E7D0E 0FB6D2           MOVZX EDX,DL
006E7D11 8B1495 A82B8000  MOV EDX,DWORD PTR DS:[EDX*4+802BA8]
006E7D18 3314B5 A8278000  XOR EDX,DWORD PTR DS:[ESI*4+8027A8]
006E7D1F 0FB6F7           MOVZX ESI,BH
006E7D22 3314B5 A82F8000  XOR EDX,DWORD PTR DS:[ESI*4+802FA8]
006E7D29 8B75 FC          MOV ESI,DWORD PTR SS:[EBP-4]
006E7D2C 0FB65D FD        MOVZX EBX,BYTE PTR SS:[EBP-3]
006E7D30 81E6 FF000000    AND ESI,0FF
006E7D36 3314B5 A8338000  XOR EDX,DWORD PTR DS:[ESI*4+8033A8]
006E7D3D 0FB675 FB        MOVZX ESI,BYTE PTR SS:[EBP-5]
006E7D41 8B34B5 A8278000  MOV ESI,DWORD PTR DS:[ESI*4+8027A8]
006E7D48 33349D A82F8000  XOR ESI,DWORD PTR DS:[EBX*4+802FA8]
006E7D4F 0FB65D F6        MOVZX EBX,BYTE PTR SS:[EBP-A]
006E7D53 33349D A82B8000  XOR ESI,DWORD PTR DS:[EBX*4+802BA8]
006E7D5A 3347 FC          XOR EAX,DWORD PTR DS:[EDI-4]
006E7D5D 3317             XOR EDX,DWORD PTR DS:[EDI]
006E7D5F 8BD9             MOV EBX,ECX
006E7D61 81E3 FF000000    AND EBX,0FF
006E7D67 33349D A8338000  XOR ESI,DWORD PTR DS:[EBX*4+8033A8]
006E7D6E 0FB65D FE        MOVZX EBX,BYTE PTR SS:[EBP-2]
006E7D72 3377 04          XOR ESI,DWORD PTR DS:[EDI+4]
006E7D75 0FB6CD           MOVZX ECX,CH
006E7D78 8B0C8D A82F8000  MOV ECX,DWORD PTR DS:[ECX*4+802FA8]
006E7D7F 330C9D A82B8000  XOR ECX,DWORD PTR DS:[EBX*4+802BA8]
006E7D86 0FB65D F7        MOVZX EBX,BYTE PTR SS:[EBP-9]
006E7D8A 330C9D A8278000  XOR ECX,DWORD PTR DS:[EBX*4+8027A8]
006E7D91 8B5D F8          MOV EBX,DWORD PTR SS:[EBP-8]
006E7D94 81E3 FF000000    AND EBX,0FF
006E7D9A 330C9D A8338000  XOR ECX,DWORD PTR DS:[EBX*4+8033A8]
006E7DA1 8945 FC          MOV DWORD PTR SS:[EBP-4],EAX
006E7DA4 334F F8          XOR ECX,DWORD PTR DS:[EDI-8]
006E7DA7 8BC6             MOV EAX,ESI
006E7DA9 8BD9             MOV EBX,ECX
006E7DAB 8BCA             MOV ECX,EDX
006E7DAD 83C7 20          ADD EDI,20
006E7DB0 836D 08 01       SUB DWORD PTR SS:[EBP+8],1
006E7DB4 895D F4          MOV DWORD PTR SS:[EBP-C],EBX
006E7DB7 894D F0          MOV DWORD PTR SS:[EBP-10],ECX
006E7DBA 8945 F8          MOV DWORD PTR SS:[EBP-8],EAX
006E7DBD ^0F85 0DFFFFFF   JNZ BF2142_w.006E7CD0
006E7DC3 8B75 EC          MOV ESI,DWORD PTR SS:[EBP-14]
006E7DC6 8B7D E8          MOV EDI,DWORD PTR SS:[EBP-18]
006E7DC9 8B55 F4          MOV EDX,DWORD PTR SS:[EBP-C]
006E7DCC C1EA 18          SHR EDX,18
006E7DCF C1E6 05          SHL ESI,5
006E7DD2 8B5C3E 08        MOV EBX,DWORD PTR DS:[ESI+EDI+8]
006E7DD6 8BC3             MOV EAX,EBX
006E7DD8 8D743E 08        LEA ESI,DWORD PTR DS:[ESI+EDI+8]
006E7DDC C1F8 18          SAR EAX,18
006E7DDF 3282 A8258000    XOR AL,BYTE PTR DS:[EDX+8025A8]
006E7DE5 0FB67D FF        MOVZX EDI,BYTE PTR SS:[EBP-1]
006E7DE9 8845 0B          MOV BYTE PTR SS:[EBP+B],AL
006E7DEC 8B45 0C          MOV EAX,DWORD PTR SS:[EBP+C]
006E7DEF 0FB655 0B        MOVZX EDX,BYTE PTR SS:[EBP+B]
006E7DF3 895D 08          MOV DWORD PTR SS:[EBP+8],EBX
006E7DF6 8810             MOV BYTE PTR DS:[EAX],DL
006E7DF8 8B55 FC          MOV EDX,DWORD PTR SS:[EBP-4]
006E7DFB C1FB 10          SAR EBX,10
006E7DFE C1EA 10          SHR EDX,10
006E7E01 0FB6D2           MOVZX EDX,DL
006E7E04 329A A8258000    XOR BL,BYTE PTR DS:[EDX+8025A8]
006E7E0A 0FB6D5           MOVZX EDX,CH
006E7E0D 8858 01          MOV BYTE PTR DS:[EAX+1],BL
006E7E10 8B5D 08          MOV EBX,DWORD PTR SS:[EBP+8]
006E7E13 894D 08          MOV DWORD PTR SS:[EBP+8],ECX
006E7E16 8BCB             MOV ECX,EBX
006E7E18 C1F9 08          SAR ECX,8
006E7E1B 328A A8258000    XOR CL,BYTE PTR DS:[EDX+8025A8]
006E7E21 8B55 F8          MOV EDX,DWORD PTR SS:[EBP-8]
006E7E24 8848 02          MOV BYTE PTR DS:[EAX+2],CL
006E7E27 81E2 FF000000    AND EDX,0FF
006E7E2D 0FB692 A8258000  MOVZX EDX,BYTE PTR DS:[EDX+8025A8]
006E7E34 32D3             XOR DL,BL
006E7E36 8850 03          MOV BYTE PTR DS:[EAX+3],DL
006E7E39 8B56 04          MOV EDX,DWORD PTR DS:[ESI+4]
006E7E3C 8BDA             MOV EBX,EDX
006E7E3E C1FB 18          SAR EBX,18
006E7E41 329F A8258000    XOR BL,BYTE PTR DS:[EDI+8025A8]
006E7E47 0FB67D F2        MOVZX EDI,BYTE PTR SS:[EBP-E]
006E7E4B 8858 04          MOV BYTE PTR DS:[EAX+4],BL
006E7E4E 8BDA             MOV EBX,EDX
006E7E50 C1FB 10          SAR EBX,10
006E7E53 329F A8258000    XOR BL,BYTE PTR DS:[EDI+8025A8]
006E7E59 0FB67D F9        MOVZX EDI,BYTE PTR SS:[EBP-7]
006E7E5D 8858 05          MOV BYTE PTR DS:[EAX+5],BL
006E7E60 8BDA             MOV EBX,EDX
006E7E62 C1FB 08          SAR EBX,8
006E7E65 329F A8258000    XOR BL,BYTE PTR DS:[EDI+8025A8]
006E7E6B 8B7D F4          MOV EDI,DWORD PTR SS:[EBP-C]
006E7E6E 8858 06          MOV BYTE PTR DS:[EAX+6],BL
006E7E71 81E7 FF000000    AND EDI,0FF
006E7E77 0FB69F A8258000  MOVZX EBX,BYTE PTR DS:[EDI+8025A8]
006E7E7E 0FB67D F3        MOVZX EDI,BYTE PTR SS:[EBP-D]
006E7E82 32DA             XOR BL,DL
006E7E84 8858 07          MOV BYTE PTR DS:[EAX+7],BL
006E7E87 8B56 08          MOV EDX,DWORD PTR DS:[ESI+8]
006E7E8A 8BDA             MOV EBX,EDX
006E7E8C C1FB 18          SAR EBX,18
006E7E8F 329F A8258000    XOR BL,BYTE PTR DS:[EDI+8025A8]
006E7E95 0FB67D FA        MOVZX EDI,BYTE PTR SS:[EBP-6]
006E7E99 8858 08          MOV BYTE PTR DS:[EAX+8],BL
006E7E9C 8BDA             MOV EBX,EDX
006E7E9E C1FB 10          SAR EBX,10
006E7EA1 329F A8258000    XOR BL,BYTE PTR DS:[EDI+8025A8]
006E7EA7 0FB67D F5        MOVZX EDI,BYTE PTR SS:[EBP-B]
006E7EAB 8858 09          MOV BYTE PTR DS:[EAX+9],BL
006E7EAE 8BDA             MOV EBX,EDX
006E7EB0 C1FB 08          SAR EBX,8
006E7EB3 329F A8258000    XOR BL,BYTE PTR DS:[EDI+8025A8]
006E7EB9 8B7D FC          MOV EDI,DWORD PTR SS:[EBP-4]
006E7EBC 8858 0A          MOV BYTE PTR DS:[EAX+A],BL
006E7EBF 81E7 FF000000    AND EDI,0FF
006E7EC5 0FB69F A8258000  MOVZX EBX,BYTE PTR DS:[EDI+8025A8]
006E7ECC 32DA             XOR BL,DL
006E7ECE 8858 0B          MOV BYTE PTR DS:[EAX+B],BL
006E7ED1 8B56 0C          MOV EDX,DWORD PTR DS:[ESI+C]
006E7ED4 0FB675 FB        MOVZX ESI,BYTE PTR SS:[EBP-5]
006E7ED8 8BDA             MOV EBX,EDX
006E7EDA C1FB 18          SAR EBX,18
006E7EDD 329E A8258000    XOR BL,BYTE PTR DS:[ESI+8025A8]
006E7EE3 0FB675 F6        MOVZX ESI,BYTE PTR SS:[EBP-A]
006E7EE7 8858 0C          MOV BYTE PTR DS:[EAX+C],BL
006E7EEA 8BDA             MOV EBX,EDX
006E7EEC 8B4D 08          MOV ECX,DWORD PTR SS:[EBP+8]
006E7EEF C1FB 10          SAR EBX,10
006E7EF2 329E A8258000    XOR BL,BYTE PTR DS:[ESI+8025A8]
006E7EF8 0FB675 FD        MOVZX ESI,BYTE PTR SS:[EBP-3]
006E7EFC 8858 0D          MOV BYTE PTR DS:[EAX+D],BL
006E7EFF 8BDA             MOV EBX,EDX
006E7F01 C1FB 08          SAR EBX,8
006E7F04 329E A8258000    XOR BL,BYTE PTR DS:[ESI+8025A8]
006E7F0A 81E1 FF000000    AND ECX,0FF
006E7F10 8858 0E          MOV BYTE PTR DS:[EAX+E],BL
006E7F13 8A89 A8258000    MOV CL,BYTE PTR DS:[ECX+8025A8]
006E7F19 5E               POP ESI
006E7F1A 32CA             XOR CL,DL
006E7F1C 5B               POP EBX
006E7F1D 8848 0F          MOV BYTE PTR DS:[EAX+F],CL
006E7F20 33C0             XOR EAX,EAX
006E7F22 5F               POP EDI
006E7F23 8BE5             MOV ESP,EBP
006E7F25 5D               POP EBP
006E7F26 C2 0800          RETN 8
From 006E7BE0 to 006E7CD0 it only reads the TIMESTAMP, PID, ... into registers.
After that, from 006E7CD0, is the coding. This coding uses a loop with this parameter:
0012F34C = 0000000A (ESI) - so 10x
Here is that check:
Code:
006E7DBD 0F85 0DFFFFFF JNZ BF2142_w.006E7CD0
After that is the final write of the coded bytes to address 014DAA04.
#11 27 Oct 2006 12:10 am
Re: bf2142 stat query protocol
And some tips for using OllyDbg:
Just start the Windows server, then start the BF2142 client. After that start OllyDbg, attach the game server to it, and click Run in the Debug menu. In the memory dump go to address 006E82A0 and set a hardware breakpoint on execution on the E8 byte at this address.
Now try to join your local Windows server with the client, at IP 127.0.0.1 (of course with an online account, not offline).
After joining you drop into the debugger; the server is now stopped by your breakpoint. Now press F7 to step into this function and watch what is going on.
#12 27 Oct 2006 12:26 am
Re: bf2142 stat query protocol
And here are some test results from what I tried:
Sample 1:
Code:
Input data (Timestamp: 45419B10, 00000064, PID: 04E26AF9, 548F0001)
01BFA21C  10 9B 41 45 64 00 00 00 F9 6A E2 04 01 00 8F 54
Coded data:
014DAA04  9B 80 EB 44 08 1C C3 A8 72 C7 72 D1 AA F5 6E 94
Converted data into Base64 from 014DAA04:
07B39C64  6D 34 44 72 52 41 67 63 77 36 68 79 78 33 4C 52  m4DrRAgcw6hyx3LR
07B39C74  71 76 56 75 6C 41 5F 5F                          qvVulA__
Sample 2 (here I changed just the timestamp by +1 second, 10 => 11):
Code:
Input data (Timestamp: 45419B10, 00000064, PID: 04E26AF9, 548F0001)
01BFA21C  11 9B 41 45 64 00 00 00 F9 6A E2 04 01 00 8F 54
Coded data:
014DAA04  D4 01 4D 01 34 AA 4D 01 D4 01 4D 01 70 40 D3 07
Converted data into Base64 from 014DAA04:
07B39C64  69 6A 61 6B 31 32 6B 76 5D 72 57 38 37 30 6F 71  ijak12kv]rW870oq
07B39C74  35 38 73 6D 39 41 5F 5F                          58sm9A__
You can see the auth codes
Sample1: m4DrRAgcw6hyx3LRqvVulA__
Sample2: ijak12kv]rW870oq58sm9A__
are very different, and only the timestamp changed by 1 second!
Last edited by Tubar (27 Oct 2006 6:34 am)
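As an added example (not code from this thread or from the game), here is the outer layer of the token described in the first post, applied to Tubar's Sample 1 above: the 16-byte plaintext layout (little-endian dwords, as the dump shows), the CRC16-CCITT with a zero initial value over the first 14 bytes, and the base64 step with the `[` `]` `_` replacements, in both directions. The encryption step in between is left out because no key appears in the thread. Two things are my assumptions rather than statements from the thread: that the two CRC bytes are bytes 15-16, stored little-endian after the `01 00` (my reading of the dump `01 00 8F 54` against the first post's `####00[01|00]` notation), and that the CRC variant is polynomial 0x1021, MSB-first, no reflection (CRC-16/XMODEM when the initial value is 0). Because of that, the code recomputes the CRC and reports whether it reproduces the 0x548F in the sample instead of asserting it.

```python
import base64
import struct

# Constructed from Tubar's Sample 1 dump above (plaintext at 01BFA21C, coded data at 014DAA04).
SAMPLE1_PLAIN = bytes.fromhex("10 9B 41 45 64 00 00 00 F9 6A E2 04 01 00 8F 54")
SAMPLE1_CODED = bytes.fromhex("9B 80 EB 44 08 1C C3 A8 72 C7 72 D1 AA F5 6E 94")

MAGIC = 0x64                                  # bytes 5-8 of the plaintext, per the first post
_TO_GAME = str.maketrans("+/=", "[]_")        # game alphabet: '+' -> '[', '/' -> ']', pad '=' -> '_'
_TO_STD = str.maketrans("[]_", "+/=")


def b64_game_encode(data: bytes) -> str:
    """Standard base64, then swap the last two alphabet characters and the padding."""
    return base64.b64encode(data).decode("ascii").translate(_TO_GAME)


def b64_game_decode(token: str) -> bytes:
    """Inverse of b64_game_encode; raises binascii.Error on characters outside the alphabet."""
    return base64.b64decode(token.translate(_TO_STD), validate=True)


def crc16_ccitt(data: bytes, init: int = 0x0000) -> int:
    """CRC-16, polynomial 0x1021, MSB first, no reflection or final XOR.
    Assumption: this is what the first post calls 'crc16 ccitt using 00 00 as the initial value'."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def build_plaintext(timestamp: int, player_id: int, flag: int = 0x01) -> bytes:
    """The 16 bytes handed to the cipher: three little-endian dwords, then 01 00, then the CRC.
    Assumption: the CRC of the first 14 bytes goes in bytes 15-16, little-endian."""
    head = struct.pack("<III", timestamp, MAGIC, player_id) + bytes([flag, 0x00])
    return head + struct.pack("<H", crc16_ccitt(head))


def parse_plaintext(block: bytes) -> dict:
    """Split a 16-byte plaintext block into its fields and recompute the CRC over bytes 1-14."""
    ts, magic, pid, flag, zero, crc = struct.unpack("<IIIBBH", block)
    return {"timestamp": ts, "magic": magic, "player_id": pid, "flag": flag, "zero": zero,
            "crc": crc, "crc_ok": crc == crc16_ccitt(block[:14])}


if __name__ == "__main__":
    print(b64_game_encode(SAMPLE1_CODED))            # compare with Tubar's m4DrRAgcw6hyx3LRqvVulA__
    print(parse_plaintext(SAMPLE1_PLAIN))            # crc_ok tells you whether the CRC assumptions hold
    print(build_plaintext(0x45419B10, 0x04E26AF9).hex(" "))
```

Running it prints the Sample 1 base64 string from the coded bytes; the `crc_ok` field is the quick check of whether the CRC variant and byte placement assumed here match what the game writes in bytes 15-16.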
#13 27 Oct 2006 7:41 am
Re: bf2142 stat query protocol
Can someone confirm what I'm thinking:
The addressing like:
BYTE PTR DS:[EAX+1]
is base indexed addressing, where the register DS contains an address, and we are reading a byte from the offset of the value stored in EAX+1. I've never seen that syntax and it is really hard to google (at least for me) for assembly language references.
From memory I believe I have only used base indexed as DS(%eax,1).
But anyway, do you happen to know the parameters passed to the function? There should be a bunch of push statements before it, and then an add to the esp after it returns to pop the parameters off the stack.
Any time you see EBP+# it is accessing a parameter to the function call. EBP-# is referencing local variables of the function (18 bytes worth of local space from the subl esp, 18 call).
It's slowly coming back to me, I should have better luck figuring it out tonight after work.
Found a good site to reference registers:
http://www.xs4all.nl/~smit/asm01001.htm
DS and SS are going to be tricky to decode; they point to the current data segment and stack segment loaded into memory, meaning 2 forms of global variables to account for.
Last edited by Craigins (27 Oct 2006 7:53 am)
#14 27 Oct 2006 8:23 am
Re: bf2142 stat query protocol
Yeah, I'm no help there. I started trying to work it out last night, but stopped for the exact same thing. I get the overall concept that it's an xor shift hash, but which bits they're shifting gets kind of confusing because of the addr+offset info.
#15 27 Oct 2006 1:45 pm
Re: bf2142 stat query protocol
MadHatter :
shhh if you won't tell I won't! Anyway, I don't get the strike-through button on my reply form, and I tried coding a closing strike-through on my first post but the BBCode parser must have thrown it out.
That's embarrassing. The strike bbcode was a recent addition.
The bug gnome must have visited just after I added it.
#17 27 Oct 2006 6:03 pm
Re: bf2142 stat query protocol
I must say, this encryption algorithm is <insert colorful metaphor here>
I've gone over the first 30 or so lines, and the post saying it's simple on the wiki board must be from an encryption guy who knows a ton of encryption algorithms.
Here is a sample of what I have so far
Code:
006E7BFE 8B45 08     MOV EAX,DWORD PTR SS:[EBP+8]   ; EAX = first parameter (pointer to the input bytes)
006E7C01 0FB648 01   MOVZX ECX,BYTE PTR DS:[EAX+1]  ; ECX = byte 1, zero-extended
006E7C05 83C0 01     ADD EAX,1                      ; advance the pointer
006E7C08 33D2        XOR EDX,EDX                    ; EDX = 0
006E7C0A 8A70 01     MOV DH,BYTE PTR DS:[EAX+1]     ; DH = byte 2, so EDX = byte2 << 8
006E7C0D 83C0 01     ADD EAX,1                      ; advance the pointer
006E7C10 53          PUSH EBX                       ; save EBX
006E7C11 0FB658 FE   MOVZX EBX,BYTE PTR DS:[EAX-2]  ; EBX = byte 0
006E7C15 83C0 01     ADD EAX,1                      ; advance the pointer
006E7C18 C1E1 10     SHL ECX,10                     ; shift left 16 bits: ECX = byte1 << 16
006E7C1B 83C0 01     ADD EAX,1                      ; advance the pointer
006E7C1E 56          PUSH ESI                       ; save ESI
006E7C1F 0FB630      MOVZX ESI,BYTE PTR DS:[EAX]    ; ESI = byte 4 (start of the next dword)
006E7C22 C1E3 18     SHL EBX,18                     ; shift left 24 bits: EBX = byte0 << 24
006E7C25 0BD9        OR EBX,ECX                     ; EBX = byte0<<24 | byte1<<16
006E7C27 0FB648 FF   MOVZX ECX,BYTE PTR DS:[EAX-1]  ; ECX = byte 3
006E7C2B 0BDA        OR EBX,EDX                     ; EBX |= byte2<<8 (bytes 0..3 assembled big-endian)
At least that is what I believe it's doing. I'm not sure if we will be able to decode it; hopefully we can just encode to match.
#18 28 Oct 2006 1:24 am
Re: bf2142 stat query protocol
The bits we're really interested in are from 006E7CD0 - 006E7DBD (006E7CD0 is the entry point to the function according to the other code).
According to the loop:
Code:
#-- start of loop --#
006E7CD0 8B55 F0         MOV EDX,DWORD PTR SS:[EBP-10]
006E7CD3 C1EA 10         SHR EDX,10
006E7CD6 0FB675 F3       MOVZX ESI,BYTE PTR SS:[EBP-D]
006E7CDA 0FB6D2          MOVZX EDX,DL
006E7CDD 0FB6C4          MOVZX EAX,AH
006E7CE0 8B0485 A82F8000 MOV EAX,DWORD PTR DS:[EAX*4+802FA8]   ; four 256-entry dword tables, 0x400 bytes apart:
006E7CE7 330495 A82B8000 XOR EAX,DWORD PTR DS:[EDX*4+802BA8]   ; 8027A8, 802BA8, 802FA8, 8033A8
006E7CEE 0FB655 FF       MOVZX EDX,BYTE PTR SS:[EBP-1]
006E7CF2 330495 A8278000 XOR EAX,DWORD PTR DS:[EDX*4+8027A8]
006E7CF9 8BD3            MOV EDX,EBX
006E7CFB 81E2 FF000000   AND EDX,0FF
006E7D01 330495 A8338000 XOR EAX,DWORD PTR DS:[EDX*4+8033A8]
006E7D08 8B55 F8         MOV EDX,DWORD PTR SS:[EBP-8]
006E7D0B C1EA 10         SHR EDX,10
006E7D0E 0FB6D2          MOVZX EDX,DL
006E7D11 8B1495 A82B8000 MOV EDX,DWORD PTR DS:[EDX*4+802BA8]
006E7D18 3314B5 A8278000 XOR EDX,DWORD PTR DS:[ESI*4+8027A8]
006E7D1F 0FB6F7          MOVZX ESI,BH
006E7D22 3314B5 A82F8000 XOR EDX,DWORD PTR DS:[ESI*4+802FA8]
006E7D29 8B75 FC         MOV ESI,DWORD PTR SS:[EBP-4]
006E7D2C 0FB65D FD       MOVZX EBX,BYTE PTR SS:[EBP-3]
006E7D30 81E6 FF000000   AND ESI,0FF
006E7D36 3314B5 A8338000 XOR EDX,DWORD PTR DS:[ESI*4+8033A8]
006E7D3D 0FB675 FB       MOVZX ESI,BYTE PTR SS:[EBP-5]
006E7D41 8B34B5 A8278000 MOV ESI,DWORD PTR DS:[ESI*4+8027A8]
006E7D48 33349D A82F8000 XOR ESI,DWORD PTR DS:[EBX*4+802FA8]
006E7D4F 0FB65D F6       MOVZX EBX,BYTE PTR SS:[EBP-A]
006E7D53 33349D A82B8000 XOR ESI,DWORD PTR DS:[EBX*4+802BA8]
006E7D5A 3347 FC         XOR EAX,DWORD PTR DS:[EDI-4]          ; four dwords at EDI-8 .. EDI+4 are XORed in per iteration
006E7D5D 3317            XOR EDX,DWORD PTR DS:[EDI]
006E7D5F 8BD9            MOV EBX,ECX
006E7D61 81E3 FF000000   AND EBX,0FF
006E7D67 33349D A8338000 XOR ESI,DWORD PTR DS:[EBX*4+8033A8]
006E7D6E 0FB65D FE       MOVZX EBX,BYTE PTR SS:[EBP-2]
006E7D72 3377 04         XOR ESI,DWORD PTR DS:[EDI+4]
006E7D75 0FB6CD          MOVZX ECX,CH
006E7D78 8B0C8D A82F8000 MOV ECX,DWORD PTR DS:[ECX*4+802FA8]
006E7D7F 330C9D A82B8000 XOR ECX,DWORD PTR DS:[EBX*4+802BA8]
006E7D86 0FB65D F7       MOVZX EBX,BYTE PTR SS:[EBP-9]
006E7D8A 330C9D A8278000 XOR ECX,DWORD PTR DS:[EBX*4+8027A8]
006E7D91 8B5D F8         MOV EBX,DWORD PTR SS:[EBP-8]
006E7D94 81E3 FF000000   AND EBX,0FF
006E7D9A 330C9D A8338000 XOR ECX,DWORD PTR DS:[EBX*4+8033A8]
006E7DA1 8945 FC         MOV DWORD PTR SS:[EBP-4],EAX
006E7DA4 334F F8         XOR ECX,DWORD PTR DS:[EDI-8]
006E7DA7 8BC6            MOV EAX,ESI
006E7DA9 8BD9            MOV EBX,ECX
006E7DAB 8BCA            MOV ECX,EDX
006E7DAD 83C7 20         ADD EDI,20                             ; EDI advances 0x20 = 32 bytes per iteration
006E7DB0 836D 08 01      SUB DWORD PTR SS:[EBP+8],1             ; loop counter (0000000A, see post #10)
006E7DB4 895D F4         MOV DWORD PTR SS:[EBP-C],EBX
006E7DB7 894D F0         MOV DWORD PTR SS:[EBP-10],ECX
006E7DBA 8945 F8         MOV DWORD PTR SS:[EBP-8],EAX
006E7DBD ^0F85 0DFFFFFF  JNZ BF2142_w.006E7CD0
#-- end of loop --#
It seems he's xor'ing the array w/ itself. From what my untrained eyes can gather, it's iterating over the byte array 4 bytes at a time (assuming ADD EDI,20 means add by 32, which, if the code's using 4 32-bit ints, means they're going from time to magic number to pid to random# during the iteration).
#19 28 Oct 2006 6:15 am
Re: bf2142 stat query protocol
The function actually starts at:
006E7BE1 8BEC MOV EBP,ESP
then
006E7BE3 83EC 18 SUB ESP,18
allocates local variable space to the function
In order to start you have to save the previous EBP so that you can restore it when you return to the calling function.
By the time we get to that loop we are only looking at local variables (EBP-# == local variables). That means we have to go through the first part of the code to see what they put in the local variables before they got to the loop.
EBP+# == parameter to the function
EBP-# == local variable.
DS:
SS:
The : is for extended memory, so it's the address of the first part * 16 + the address of the second part to get the full address of the pointer.
#20 28 Oct 2006 1:22 pm
Re: bf2142 stat query protocol
Hi,
Craigins :
I must say, this encryption algorithm is <insert colorful metaphor here>
I've gone over the first 30 or so lines, and the post saying it's simple on the wiki board must be from an encryption guy who knows a ton of encryption algorithms.
Here is a sample of what I have so far
Code:
006E7BFE 8B45 08     MOV EAX,DWORD PTR SS:[EBP+8]   ;put parameter into EAX
006E7C01 0FB648 01   MOVZX ECX,BYTE PTR DS:[EAX+1]  ;put 2nd byte into ecx
006E7C05 83C0 01     ADD EAX,1                      ;add 1 to eax
006E7C08 33D2        XOR EDX,EDX                    ;set edx = 0
006E7C0A 8A70 01     MOV DH,BYTE PTR DS:[EAX+1]     ;put 3rd byte int dh
006E7C0D 83C0 01     ADD EAX,1                      ;add 1 to eax
006E7C10 53          PUSH EBX                       ;save ebx
006E7C11 0FB658 FE   MOVZX EBX,BYTE PTR DS:[EAX-2]  ;put parameter into ebx
006E7C15 83C0 01     ADD EAX,1                      ;add 1 to eax
006E7C18 C1E1 10     SHL ECX,10                     ;divide ecx by 1024
006E7C1B 83C0 01     ADD EAX,1                      ;add 1 eax
006E7C1E 56          PUSH ESI                       ;save esi
006E7C1F 0FB630      MOVZX ESI,BYTE PTR DS:[EAX]    ;put parameter into esi
006E7C22 C1E3 18     SHL EBX,18                     ;divide ebx by 262144
006E7C25 0BD9        OR EBX,ECX                     ;or ebx ecx
006E7C27 0FB648 FF   MOVZX ECX,BYTE PTR DS:[EAX-1]  ;put 4th byte into ecx
006E7C2B 0BDA        OR EBX,EDX                     ;or ebx edx
At least that is what I believe it's doing. I'm not sure if we will be able to decode it; hopefully we can just encode to match.
Some info on the assembler:
ADD EAX,1 - just advances the memory read pointer, EAX = EAX+1. In this code EAX is used as a pointer for reading bytes from memory (the coding key?)
SHL ECX,10 ;divide ecx by 1024
and
OR EBX,ECX ;or ebx ecx
There is only this trick here:
There is some data in ECX; SHIFT LEFT shifts the whole register. For example, when you have in this register
ECX=22127809, SHL 10 makes 78090000 - a shift of 4 positions to the left (2212 is dropped, and the new right side is 0000).
And then OR with ECX: I think there is only something like 0000xxxx in ECX, so you get
7809xxxx.
With this algorithm 4 different bytes of data from memory are stored in one register.
Example: ECX=AABBCCDD; of course more assembler commands are used for that.
I have no time now to analyze the rest of the code, but I will try tomorrow, or on Monday.
Last edited by Tubar (28 Oct 2006 1:22 pm)
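Added example, not code from this thread or from BF2142: a compact AES-128 block encryption in Python, deliberately written in the table-driven ("fast Rijndael") form so the three pieces of disassembly in this thread can be read against it. It shows the big-endian word assembled from single bytes (the MOVZX / SHL 18 / SHL 10 / OR sequence in post #17 and Tubar's explanation in post #20), nine full rounds where each output dword is the XOR of four 256-entry dword tables, 0x400 bytes apart, plus a round-key dword (the loop in post #18), and a final round that uses the byte S-box directly and XORs a key byte into every output byte (post #10). The first post states the token is encrypted with Rijndael (AES). The key and the game's exact round-key layout in memory (the loop in post #18 advances EDI by 0x20 per round) are not in the thread, so the code uses the standard FIPS-197 key schedule and is checked against the FIPS-197 test vectors rather than against a token; anything about the game binary in the comments is a correspondence of shape, not a claim about its key.

```python
"""Table-driven AES-128 encryption, laid out like the rijndael-alg-fst style code
seen in the thread's disassembly. Added example; assumptions are noted in comments."""


def xtime(a: int) -> int:
    """Multiply by x in GF(2^8) modulo the AES polynomial 0x11B."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a


def gf_mul(a: int, b: int) -> int:
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r


def build_sbox() -> list:
    """S-box = affine transform of the multiplicative inverse (FIPS-197 5.1.1)."""
    sbox = [0] * 256
    for x in range(256):
        inv = next(y for y in range(1, 256) if gf_mul(x, y) == 1) if x else 0
        s = inv
        for _ in range(4):                       # s = b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4)
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox[x] = s ^ 0x63
    return sbox


SBOX = build_sbox()


def build_te_tables():
    """Te0..Te3: 256 dwords each, so consecutive tables sit 0x400 bytes apart, which is the
    spacing of 8027A8 / 802BA8 / 802FA8 / 8033A8 in post #18. Te0[x] = (2s, s, s, 3s), s = SBOX[x]."""
    def rotr(w: int, n: int) -> int:
        return ((w >> n) | (w << (32 - n))) & 0xFFFFFFFF
    te0 = []
    for s in SBOX:
        s2 = xtime(s)
        te0.append((s2 << 24) | (s << 16) | (s << 8) | (s2 ^ s))
    return te0, [rotr(w, 8) for w in te0], [rotr(w, 16) for w in te0], [rotr(w, 24) for w in te0]


TE0, TE1, TE2, TE3 = build_te_tables()


def getu32(buf: bytes, off: int) -> int:
    """Big-endian load of four bytes: the MOVZX / SHL 18 / SHL 10 / OR sequence of post #17."""
    return (buf[off] << 24) | (buf[off + 1] << 16) | (buf[off + 2] << 8) | buf[off + 3]


def sub_word(w: int) -> int:
    return (SBOX[w >> 24] << 24) | (SBOX[(w >> 16) & 0xFF] << 16) | (SBOX[(w >> 8) & 0xFF] << 8) | SBOX[w & 0xFF]


def expand_key(key: bytes) -> list:
    """FIPS-197 key schedule for a 16-byte key: 44 dwords, i.e. 11 round keys of 4 dwords.
    Assumption: the game's schedule is stored differently (EDI += 0x20 per round in post #18)."""
    w = [getu32(key, i) for i in range(0, 16, 4)]
    rcon = 0x01
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t = sub_word(((t << 8) | (t >> 24)) & 0xFFFFFFFF) ^ (rcon << 24)
            rcon = xtime(rcon)
        w.append(w[i - 4] ^ t)
    return w


def encrypt_block(key: bytes, block: bytes) -> bytes:
    rk = expand_key(key)
    s = [getu32(block, 4 * i) ^ rk[i] for i in range(4)]          # initial AddRoundKey
    for r in range(1, 10):                                         # nine full rounds
        k = rk[4 * r:4 * r + 4]
        # One output dword = Te0[b0] ^ Te1[b1] ^ Te2[b2] ^ Te3[b3] ^ round-key dword, with the
        # four bytes taken from four different state dwords (ShiftRows): the XOR chain of post #18.
        s = [TE0[s[i] >> 24] ^ TE1[(s[(i + 1) % 4] >> 16) & 0xFF]
             ^ TE2[(s[(i + 2) % 4] >> 8) & 0xFF] ^ TE3[s[(i + 3) % 4] & 0xFF] ^ k[i]
             for i in range(4)]
    # Final round has no MixColumns, so the byte S-box is used directly and each output byte is
    # SBOX[state byte] ^ key byte: the XOR BL,BYTE PTR [..+8025A8] pattern of post #10.
    k = rk[40:44]
    out = bytearray(16)
    for i in range(4):
        out[4 * i] = SBOX[s[i] >> 24] ^ (k[i] >> 24)
        out[4 * i + 1] = SBOX[(s[(i + 1) % 4] >> 16) & 0xFF] ^ ((k[i] >> 16) & 0xFF)
        out[4 * i + 2] = SBOX[(s[(i + 2) % 4] >> 8) & 0xFF] ^ ((k[i] >> 8) & 0xFF)
        out[4 * i + 3] = SBOX[s[(i + 3) % 4] & 0xFF] ^ (k[i] & 0xFF)
    return bytes(out)


if __name__ == "__main__":
    # FIPS-197 Appendix C.1 vector; not a game token, since the game key is unknown here.
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    print(encrypt_block(key, pt).hex())
```

The point of the layout is the mapping to the disassembly: the four `TE` tables are what the `DWORD PTR DS:[reg*4+8027A8..8033A8]` loads index, the per-byte `SBOX` lookups in the final loop are what `BYTE PTR DS:[reg+8025A8]` does, and the sixteen `MOV BYTE PTR DS:[EAX+n]` stores in post #10 correspond to the sixteen `out[...]` assignments.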
#21 28 Oct 2006 1:25 pm
Re: bf2142 stat query protocol
And some info on that:
PTR SS:[EBP+8]
SS - Stack Segment - read from stack memory (variables, parameters), at position EBP+8
PTR DS:[EAX+1]
DS - Data Segment - read from data memory (bytes), at position EAX+1
For example:
MOV EAX,DWORD PTR SS:[EBP+8]
Just stores in the EAX register (variable) the pointer to where in the data segment the data I want to read is stored
and
MOVZX ECX,BYTE PTR DS:[EAX+1] - reads 2 bytes from data address EAX+1 and stores them in register ECX; the other two are written with zeros
MOV DH,BYTE PTR DS:[EAX+1] - reads one byte from data address EAX+1 into DH (of the EDX register); all other 3 bytes are filled with zeros
Last edited by Tubar (28 Oct 2006 1:28 pm)
#24 30 Oct 2006 9:35 am
Re: bf2142 stat query protocol
I had a co-worker suggest it might be as simple as using a DES encryption algorithm.
http://www.aci.net/Kalliste/des.htm
anyone care to check it out?
#25 30 Oct 2006 9:41 am
Re: bf2142 stat query protocol
bytes 13 - 16 R#R#0001 where R# is a random number (byte value between 0 - 255) xor'd with 2C2C1223
R# is not a random number. I checked it now: when I put in something here, for example 01,01, and encode the string, I get the message:
DecryptionFailure: Authentication token decryption failure
I think these two bytes are something like a CRC checksum of PID and TIMESTAMP, and it's of course used for the coding too.