Sanity Free Coding

MadHatter · 25 Oct 2006 2:19 pm

EDIT: I'll try to keep this post up to date w/ whats discussed in the following pages.

WARNING:
USING INFORMATION IN THIS THREAD TO PULL YOUR STATS MAY RESULT IN YOU BEING BLOCKED FROM THE STATS SERVERS! USE THIS INFORMATION AT YOUR OWN RISK, WE ARE NOT RESPONSIBLE FOR YOUR ACTIONS! If your IP does get blocked from the stats servers, your game stats will still update but you will never be able to view your stats or choose unlocks as long as you have that IP.

For those not wanting to dig through these threads to figure things out, here's a quick how-to:

Generating the auth token

download Tubar's Encryption Library here or here.

Follow the sample written by BobbyCZ here. I have a quick auth token generator at: http://sanity-free.org/bf2142auth/ the source code for that (taken from BobbyCZ's example) can be viewed here

All auth tokens are made using the PID EXCEPT the token for getbackendinfo and playersearch (both of these can use a player id of '00000000')

I finally put up the somewhat thorough list of stat queries & needed parameters over on bf2tech which was derived from a list compiled by AmbassadorKosh here

getplayerinfo takes a pToken parameter which we've yet to document, but other than this, you should be able to pull all the other stats.

If you do decide to dig through the posts, please give points to those who did all the hard work getting this done for you.

--MH

~~~~
[ORIGINAL POST BELOW]

I've been looking at the stats functionality of battlefield 2142, unfortunately unlike bf2 2142 uses some sort of single sign on like functionality. here's a list of my objectives to understand how and what they're doing.

To do list:

find format of auth and token

find what auth is made of

determine if the auth token has anything to do w/ the encryption of the Token value

determine what method of encryption is used for the Token encoding (and what key or possible IV is used)

what fields are passed into the Token field (should be pretty easy from seeing what fields are returned from the query

Resolved:

base 64 encoded w/ 3 character substitutions

'base64 char' => 'EA's substitution'

'=' => '_'

'/' => ']'

'+' => '['

so that the original base64 index string:

Code:

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=

looks like:

Code:

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789[]_

(where the last character is not actually part of the encoding string but is the padding character)

its a 16 byte token comprised of:

bytes 1 - 4 = unix time stamp (in seconds)
bytes 5 - 8 = magic number 00000064
bytes 9 - 12 = player id
bytes 13 - 16 = ####00[01|00] the 2 ## bytes are the crc16 ccitt checksum (using 00 00 as the intial value instead of FF FF) of the first 14 bytes.

the above array is encrypted using Rijndael (AES) encryption (more on this later).

then base 64 encoded (using replacement characters shown above).

The token parameter is "a payload of the users email/nickname/countrycode/and a few other fiddly bits".

More on this later.

There is a challenge / response (over TCP) that occurs prior to sending the HTTP request, and this data is gathered there I assume. The payload is encoded (I'm assuming its the same way auth is encoded)

... (assuming Rijndael but haven't tested this yet)

From speaking with an inside source, the token parameter (as mentioned in point #3) does not sound like it contains query parameters at all (or at least like bf2 does)

Last edited by MadHatter (22 Nov 2006 6:11 pm)

MadHatter · 25 Oct 2006 9:50 pm

I have a suspicion that the auth parameter is different based on what you're querying. I can confirm that by taking the results of a packet capture when the game is running, and switching the auth value between queries (like getunlocks and getplayerinfo) where the auth value which was generated by the game for that query returns valid results, and the switched value returns my player name and nothing else (see the above edited post).

I'm going to post the entire packet dump of the game here (so I can work on it at home or at work)

requests are seperated by a tilda line "~~~~"

Code:

GET /getbackendinfo.aspx?auth=iXZI3e9NRrcK6mkHY2YkNg__ HTTP/1.1
Host: stella.prod.gamespy.com
User-Agent: GameSpyHTTP/1.0
Connection: close

HTTP/1.1 200 OK
Date: Thu, 26 Oct 2006 00:24:32 GMT
Server: Microsoft-IIS/6.0
cluster-server: bf2142web1
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 7819

O
H    asof    tid    serverip    cb
D    1161822271    0    71.252.218.197    client
H    config
D    swiffHost.setLatestGameVersion 1.0.9.1
rankSettings.setRank 0 0
rankSettings.setRank 1 40
rankSettings.setRank 2 80
rankSettings.setRank 3 120
rankSettings.setRank 4 200
rankSettings.setRank 5 330
rankSettings.setRank 6 520
rankSettings.setRank 7 750
rankSettings.setRank 8 1050
rankSettings.setRank 9 1400
rankSettings.setRank 10 1800
rankSettings.setRank 11 2250
rankSettings.setRank 12 2850
rankSettings.setRank 13 3550
rankSettings.setRank 14 4400
rankSettings.setRank 15 5300
rankSettings.setRank 16 6250
rankSettings.setRank 17 7250
rankSettings.setRank 18 8250
rankSettings.setRank 19 9300
rankSettings.setRank 20 10400
rankSettings.setRank 21 11550
rankSettings.setRank 22 12700
rankSettings.setRank 23 14000
rankSettings.setRank 24 15300
rankSettings.setRank 25 16700
rankSettings.setRank 26 18300
rankSettings.setRank 27 20100
rankSettings.setRank 28 22100
rankSettings.setRank 29 24200
rankSettings.setRank 30 26400
rankSettings.setRank 31 28800
rankSettings.setRank 32 31500
rankSettings.setRank 33 34200
rankSettings.setRank 34 37100
rankSettings.setRank 35 40200
rankSettings.setRank 36 43300
rankSettings.setRank 37 46900
rankSettings.setRank 38 50500
rankSettings.setRank 39 54100
rankSettings.setRank 40 57700
rankSettings.setRank 41 0
rankSettings.setRank 42 0
rankSettings.setRank 43 0
rankSettings.save
awards.setData 100_1 "6,1, ,12"
awards.setData 100_2 "6,1, ,20" "9,23,ktt-3,54000"
awards.setData 100_3 "6,1, ,30" "9,23,ktt-3,180000"
awards.setData 101_1 "6,2, ,12"
awards.setData 101_2 "6,2, ,20" "9,20,ktt-0,54000"
awards.setData 101_3 "6,2, ,30" "9,20,ktt-0,180000"
awards.setData 102_1 "6,3, ,12"
awards.setData 102_2 "6,3, ,20" "9,21,ktt-1,54000"
awards.setData 102_3 "6,3, ,30" "9,21,ktt-1,180000"
awards.setData 103_1 "6,4, ,12"
awards.setData 103_2 "6,4, ,20" "9,22,ktt-2,54000"
awards.setData 103_3 "6,4, ,30" "9,22,ktt-2,180000"
awards.setData 104_1 "6,50, ,10"
awards.setData 104_2 "6,50, ,20" "1,113,slpts,300"
awards.setData 104_3 "6,50, ,30" "1,113,slpts,600"
awards.setData 105_1 "6,5, ,7"
awards.setData 105_2 "6,5, ,10" "1,5,wkls-12,50"
awards.setData 105_3 "6,5, ,17" "1,5,wkls-12,150"
awards.setData 106_1 "6,7, ,5"
awards.setData 106_2 "6,7, ,7" "1,7,wkls-5;wkls-11,50"
awards.setData 106_3 "6,7, ,18" "1,7,wkls-5;wkls-11,300"
awards.setData 107_1 "6,8, ,10"
awards.setData 107_2 "6,8, ,15" "1,8,klse,50"
awards.setData 107_3 "6,8, ,20" "1,8,klse,300"
awards.setData 108_1 "10,18, ,180"
awards.setData 108_2 "6,9, ,15" "9,148,vtp-12;vtp-3;wtp-30,72000"
awards.setData 108_3 "6,9, ,30" "9,148,vtp-12;vtp-3;wtp-30,180000"
awards.setData 109_1 "6,40, ,30"
awards.setData 109_2 "10,150, ,1200" "1,40,csgpm-0,1000"
awards.setData 109_3 "10,150, ,1500" "1,40,csgpm-0,4000"
awards.setData 110_1 "6,39, ,30"
awards.setData 110_2 "10,149, ,1200" "1,39,csgpm-1,1000"
awards.setData 110_3 "10,149, ,1500" "1,39,csgpm-1,4000"
awards.setData 111_1 "6,42, ,8"
awards.setData 111_2 "6,42, ,10" "9,128,etpk-1,36000"
awards.setData 111_3 "6,42, ,15" "9,128,etpk-1,216000" "1,42,rps,200"
awards.setData 112_1 "6,43, ,8"
awards.setData 112_2 "6,43, ,10" "9,129,etpk-5;etpk-0;etpk-2,36000"
awards.setData 112_3 "6,43, ,15" "9,129,etpk-5;etpk-0;etpk-2,216000" "1,43,hls,400"
awards.setData 113_1 "6,45, ,8"
awards.setData 113_2 "6,45, ,10" "9,130,etpk-6,36000"
awards.setData 113_3 "6,45, ,15" "9,130,etpk-6,180000" "1,45,resp,400"
awards.setData 114_1 "10,141, ,900"
awards.setData 114_2 "6,11, ,15" "9,114,atp,90000"
awards.setData 114_3 "6,11, ,35" "9,114,atp,180000"
awards.setData 115_1 "10,142, ,900"
awards.setData 115_2 "6,12, ,15" "9,25,vtp-10;vtp-4,90000"
awards.setData 115_3 "6,12, ,35" "9,25,vtp-10;vtp-4,180000"
awards.setData 116_1 "10,151, ,600"
awards.setData 116_2 "6,116, ,5" "9,115,vtp-1;vtp-4;vtp-6,90000"
awards.setData 116_3 "6,116, ,12" "9,115,vtp-1;vtp-4;vtp-6,144000"
awards.setData 117_1 "6,46, ,8"
awards.setData 117_2 "6,46, ,15" "9,27,tgpm-1,108000"
awards.setData 117_3 "6,46, ,30" "9,27,tgpm-1,216000"
awards.setData 118_1 "6,47, ,8"
awards.setData 118_2 "6,47, ,15" "9,27,tgpm-1,108000"
awards.setData 118_3 "6,47, ,30" "9,27,tgpm-1,216000"
awards.setData 119_1 "6,48, ,2"
awards.setData 119_2 "6,49, ,1" "1,48,tcd,10"
awards.setData 119_3 "6,48, ,3" "6,49, ,1" "1,48,tcd,40"
awards.setData 200 "6,127, ,"
awards.setData 201 "6,126, ,"
awards.setData 202 "6,125, ,"
awards.setData 203 "6,41, ,30" "9,19,tac,180000" "9,28,tasl,180000" "9,29,tasm,180000"
awards.setData 204 "6,59, ,1" "5,62,100_1,1" "5,63,101_1,1" "5,64,102_1,1" "5,65,103_1,1" "5,66,105_1,1" "5,67,106_1,1" "5,68,107_1,1"
awards.setData 205 "6,59, ,1" "5,69,100_2,1" "5,70,101_2,1" "5,71,102_2,1" "5,72,103_2,1" "5,73,105_2,1" "5,74,106_2,1" "5,75,107_2,1"
awards.setData 206 "6,59, ,1" "5,76,100_3,1" "5,77,101_3,1" "5,78,102_3,1" "5,79,103_3,1" "5,80,105_3,1" "5,81,106_3,1" "5,82,107_3,1"
awards.setData 207 "11,30,tt,540000" "3,51,cpt,1000" "3,52,dcpt,400" "3,41,twsc,5000"
awards.setData 208 "10,145, ,180" "11,31,attp-0,540000" "1,54,awin-0,300"
awards.setData 209 "10,146, ,180" "11,32,attp-1,540000" "1,55,awin-1,300"
awards.setData 210 "6,60, ,1" "11,26,tgpm-0,288000" "1,13,kgpm-0,8000" "1,15,bksgpm-0,25"
awards.setData 211 "6,61, ,1" "11,27,tgpm-1,288000" "1,14,kgpm-1,8000" "1,16,bksgpm-1,25"
awards.setData 212 "6,12, ,30" "9,25,vtp-10;vtp-4,360000" "1,12,vkls-10;vkls-4,8000"
awards.setData 213 "6,11, ,25" "9,24,vtp-0;vtp-1;vtp-2,360000" "1,11,vkls-0;vkls-1;vkls-2,8000"
awards.setData 214 "6,17, ,27" "6,83, ,0" "9,30,tt,648000"
awards.setData 215 "11,30,tt,360000" "3,43,hls,400" "3,42,rps,400" "3,45,resp,400"
awards.setData 216 "6,85, ,0.25"
awards.setData 217 "6,86, ,10" "9,33,vtp-4,90000"
awards.setData 218 "6,14, ,10" "11,27,tgpm-1,540000" "1,133,mbr-1-0;mbr-1-1;mbr-1-2;mbr-1-3;mbr-1-5,70"
awards.setData 219 "6,17, ,20" "1,51,cpt,100" "1,42,rps,200"
awards.setData 300 "10,18, ,300" "6,9, ,15"
awards.setData 301 "10,142, ,600" "6,12, ,20"
awards.setData 302 "6,120, ,10"
awards.setData 303 "10,143, ,1200" "9,28,tasl,144000"
awards.setData 304 "10,38, ,1200" "6,34, ,40" "9,19,tac,288000"
awards.setData 305 "6,41, ,15" "9,29,tasm,36000" "9,28,tasl,36000" "9,19,tac,36000"
awards.setData 306 "10,144, ,1080" "6,41, ,40" "9,29,tasm,72000"
awards.setData 307 "6,41, ,55" "9,29,tasm,90000" "9,28,tasl,180000"
awards.setData 308 "6,34, ,45" "9,19,tac,216000" "5,87,wlr,2"
awards.setData 309 "10,141, ,1200" "6,11, ,20"
awards.setData 310 "6,110, ,10" "9,121,vtp-0;vtp-1;vtp-2;vtp-6,36000"
awards.setData 311 "9,99,mtt-0-0;mtt-1-0,0" "9,101,mtt-0-2;mtt-1-2,0" "9,103,mtt-0-4,0" "9,104,mtt-0-5;mtt-1-5,0" "9,108,mtt-0-9,0" "9,32,attp-1,432000"
awards.setData 312 "9,100,mtt-0-1;mtt-1-1,0" "9,102,mtt-0-3;mtt-1-3,0" "9,105,mtt-0-6,0" "9,106,mtt-0-7,0" "9,107,mtt-0-8,0" "9,31,attp-0,432000"
awards.setData 313 "6,17, ,20" "1,88,bksgpm-0;bksgpm-1,10"
awards.setData 314 "6,17, ,10" "6,83, ," "11,30,tt,180000"
awards.setData 315 "6,17, ,10" "11,30,tt,432000" "1,88,bksgpm-0;bksgpm-1,10"
awards.setData 316 "3,10,vkls-7,200"
awards.setData 317 "6,86, ,15" "9,33,vtp-4,90000"
awards.setData 318 "6,138, ,15" "9,137,vtp-12,36000"
awards.setData 319 "6,39, ,10" "11,36,ctgpm-1,90000"
awards.setData 400 "6,89, ,5"
awards.setData 401 "6,89, ,10"
awards.setData 402 "6,48, ,4"
awards.setData 403 "6,109, ,4"
awards.setData 404 "6,86, ,10"
awards.setData 406 "6,47, ,7"
awards.setData 407 "6,139, ,5"
awards.setData 408 "6,110, ,5"
awards.setData 409 "6,93, ,8"
awards.setData 410 "6,8, ,8"
awards.setData 411 "6,44, ,8"
awards.setData 412 "6,124, ,"
awards.setData 413 "6,7, ,4"
awards.setData 414 "6,9, ,10"
awards.setData 415 "6,6, ,10"

$    7473    $


~~~~

GET /getplayerinfo.aspx?auth=hsAYJAG[dgkSiQfkKhF[fA__&mode=base&pToken=2fn3pt3nMR[A8SPyUKQhVZnQJ2]kSugbJMWAM9EW[dauTp3XY7vpedOQnTY]U6m[O5mlaEJpAoqt]LbEY6zQow__ HTTP/1.1
Host: stella.prod.gamespy.com
User-Agent: GameSpyHTTP/1.0
Connection: close

HTTP/1.1 200 OK
Date: Thu, 26 Oct 2006 00:24:34 GMT
Server: Microsoft-IIS/6.0
cluster-server: bf2142web4
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 239

O
H    asof    cb
D    1161797074    client
H    pid    nick    tid    gsco    crpt    rnk    rnkcg    ent-1    ent-2    ent-3    unavl
D    81246737    MadHatter2142    0    691    1097    8    0    0    0    1    0
H    award    level    when    first
D    302    0    1161663780    0
D    102_1    0    1161493620    0
D    108_1    0    1161220740    0
$    180    $



~~~~

GET /getunlocksinfo.aspx?&auth=WMPGObVgmQFOUigYZyNnRw__ HTTP/1.1
Host: stella.prod.gamespy.com
User-Agent: GameSpyHTTP/1.0
Connection: close

HTTP/1.1 200 OK
Date: Thu, 26 Oct 2006 00:24:36 GMT
Server: Microsoft-IIS/6.0
cluster-server: bf2142web1
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 109

O
H    pid    nick    asof
D    81246737    MadHatter2142    1161822276
H    Avcred
D    0
H    UnlockID
D    523
D    111
D    221
D    123
$    79    $



~~~~

GET /getawardsinfo.aspx?pid=81246737&auth=WMPGObVgmQFOUigYZyNnRw__ HTTP/1.1
Host: stella.prod.gamespy.com
User-Agent: GameSpyHTTP/1.0
Connection: close

HTTP/1.1 200 OK
Date: Thu, 26 Oct 2006 00:24:36 GMT
Server: Microsoft-IIS/6.0
cluster-server: bf2142web1
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 184

O
H    pid    nick    asof
D    81246737    MadHatter2142    1161822276
H    award    level    when    first
D    102_1    0    1161468479    0
D    108_1    0    1161195590    0
D    302    0    1161638632    0
D    400    4    1161640639    1161467677
$    142    $



~~~~

GET /getplayerprogress.aspx?mode=point&scale=game&auth=8e26HVmZGRthTzwBLMcrFw__ HTTP/1.1
Host: stella.prod.gamespy.com
User-Agent: GameSpyHTTP/1.0
Connection: close

HTTP/1.1 200 OK
Date: Thu, 26 Oct 2006 00:24:44 GMT
Server: Microsoft-IIS/6.0
cluster-server: bf2142web2
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 258

O
H    pid    asof
D    81246737    1161822284
H    date    points    globalscore    experiencepoints    awaybonus
D    1161129600    70    66    4    0
D    1161216000    407    245    162    0
D    1161302400    673    415    258    0
D    1161388800    858    515    343    0
D    1161561600    1055    649    378    28
D    1161648000    1097    691    378    28
$    201    $



~~~~

GET /getplayerprogress.aspx?mode=score&scale=game&auth=OwLTkf3YNNKSyoHbDP3KZQ__ HTTP/1.1
Host: stella.prod.gamespy.com
User-Agent: GameSpyHTTP/1.0
Connection: close

HTTP/1.1 200 OK
Date: Thu, 26 Oct 2006 00:24:47 GMT
Server: Microsoft-IIS/6.0
cluster-server: bf2142web4
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 157

O
H    pid    asof
D    81246737    1161822287
H    date    score
D    1161129600    66
D    1161216000    245
D    1161302400    415
D    1161388800    515
D    1161561600    649
D    1161648000    691
$    121    $



~~~~

GET /getplayerprogress.aspx?mode=ttp&scale=game&auth=Un0OVwDuqpANkLtdDtHw2A__ HTTP/1.1
Host: stella.prod.gamespy.com
User-Agent: GameSpyHTTP/1.0
Connection: close

HTTP/1.1 200 OK
Date: Thu, 26 Oct 2006 00:24:48 GMT
Server: Microsoft-IIS/6.0
cluster-server: bf2142web3
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 164

O
H    pid    asof
D    81246737    1161822288
H    date    ttp
D    1161129600    4199
D    1161216000    5154
D    1161302400    6515
D    1161388800    9883
D    1161561600    18338
D    1161648000    20434
$    128    $



~~~~

GET /getplayerprogress.aspx?mode=kills&scale=game&auth=Un0OVwDuqpANkLtdDtHw2A__ HTTP/1.1
Host: stella.prod.gamespy.com
User-Agent: GameSpyHTTP/1.0
Connection: close

HTTP/1.1 200 OK
Date: Thu, 26 Oct 2006 00:24:48 GMT
Server: Microsoft-IIS/6.0
cluster-server: bf2142web1
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 196

O
H    pid    asof
D    81246737    1161822288
H    date    kpm    dpm
D    1161129600    0.22    0.62
D    1161216000    0.22    0.58
D    1161302400    0.25    0.60
D    1161388800    0.40    0.60
D    1161561600    0.41    0.53
D    1161648000    0.44    0.53
$    153    $



~~~~

GET /getplayerprogress.aspx?mode=spm&scale=game&auth=3CR[CIClsFA6bIEPqghpKQ__ HTTP/1.1
Host: stella.prod.gamespy.com
User-Agent: GameSpyHTTP/1.0
Connection: close

HTTP/1.1 200 OK
Date: Thu, 26 Oct 2006 00:24:49 GMT
Server: Microsoft-IIS/6.0
cluster-server: bf2142web2
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 162

O
H    pid    asof
D    81246737    1161822289
H    date    spm
D    1161129600    0.96
D    1161216000    2.88
D    1161302400    3.84
D    1161388800    3.14
D    1161561600    2.13
D    1161648000    2.03
$    126    $



~~~~

GET /getplayerprogress.aspx?mode=role&scale=game&auth=3CR[CIClsFA6bIEPqghpKQ__ HTTP/1.1
Host: stella.prod.gamespy.com
User-Agent: GameSpyHTTP/1.0
Connection: close

HTTP/1.1 200 OK
Date: Thu, 26 Oct 2006 00:24:49 GMT
Server: Microsoft-IIS/6.0
cluster-server: bf2142web2
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 290

O
H    pid    asof
D    81246737    1161822289
H    date    cotime    sltime    smtime    lwtime    ttp
D    1161129600    0    3175    856    167    4199
D    1161216000    0    4130    856    167    5154
D    1161302400    0    4303    2044    167    6515
D    1161388800    0    6417    3143    320    9883
D    1161561600    99    11198    6632    403    18338
D    1161648000    99    11773    7957    695    20434
$    226    $



~~~~

GET /getplayerprogress.aspx?mode=flag&scale=game&auth=Wq[wb1fQGAnWp]KoQ4etxA__ HTTP/1.1
Host: stella.prod.gamespy.com
User-Agent: GameSpyHTTP/1.0
Connection: close

HTTP/1.1 200 OK
Date: Thu, 26 Oct 2006 00:24:50 GMT
Server: Microsoft-IIS/6.0
cluster-server: bf2142web3
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 199

O
H    pid    asof
D    81246737    1161822290
H    date    captures    assist    defend
D    1161129600    18    18    0
D    1161216000    19    18    0
D    1161302400    21    27    1
D    1161388800    21    27    2
D    1161561600    45    42    3
D    1161648000    55    47    6
$    149    $



~~~~

GET /getplayerprogress.aspx?mode=waccu&scale=game&auth=Wq[wb1fQGAnWp]KoQ4etxA__ HTTP/1.1
Host: stella.prod.gamespy.com
User-Agent: GameSpyHTTP/1.0
Connection: close

HTTP/1.1 200 OK
Date: Thu, 26 Oct 2006 00:24:50 GMT
Server: Microsoft-IIS/6.0
cluster-server: bf2142web3
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 152

O
H    pid    asof
D    81246737    1161822290
H    date    waccu
D    1161129600    17
D    1161216000    16
D    1161302400    19
D    1161388800    19
D    1161561600    17
D    1161648000    16
$    116    $



~~~~

GET /getplayerprogress.aspx?mode=wl&scale=game&auth=p5UWGglGAsln9Sb36S9oZQ__ HTTP/1.1
Host: stella.prod.gamespy.com
User-Agent: GameSpyHTTP/1.0
Connection: close

HTTP/1.1 200 OK
Date: Thu, 26 Oct 2006 00:24:51 GMT
Server: Microsoft-IIS/6.0
cluster-server: bf2142web4
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 167

O
H    pid    asof
D    81246737    1161822291
H    date    wins    losses
D    1161129600    0    3
D    1161216000    1    3
D    1161302400    1    4
D    1161388800    5    6
D    1161561600    9    10
D    1161648000    10    13
$    124    $



~~~~

GET /getplayerprogress.aspx?mode=twsc&scale=game&auth=p5UWGglGAsln9Sb36S9oZQ__ HTTP/1.1
Host: stella.prod.gamespy.com
User-Agent: GameSpyHTTP/1.0
Connection: close

HTTP/1.1 200 OK
Date: Thu, 26 Oct 2006 00:24:51 GMT
Server: Microsoft-IIS/6.0
cluster-server: bf2142web1
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 153

O
H    pid    asof
D    81246737    1161822291
H    date    twsc
D    1161129600    51
D    1161216000    54
D    1161302400    71
D    1161388800    75
D    1161561600    148
D    1161648000    167
$    117    $



~~~~

GET /getplayerprogress.aspx?mode=sup&scale=game&auth=RM0orxS6feg[L[qXDREYug__ HTTP/1.1
Host: stella.prod.gamespy.com
User-Agent: GameSpyHTTP/1.0
Connection: close

HTTP/1.1 200 OK
Date: Thu, 26 Oct 2006 00:24:52 GMT
Server: Microsoft-IIS/6.0
cluster-server: bf2142web1
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 193

O
H    pid    asof
D    81246737    1161822292
H    date    hls    rps    rvs    resp
D    1161129600    0    0    0    6
D    1161216000    0    0    0    6
D    1161302400    0    0    1    6
D    1161388800    3    0    3    6
D    1161561600    6    0    9    6
D    1161648000    6    0    9    6
$    136    $



~~~~

GET /getplayerinfo.aspx?auth=CsJwQ9RPk46kmWxa9CTeYA__&mode=ovr HTTP/1.1
Host: stella.prod.gamespy.com
User-Agent: GameSpyHTTP/1.0
Connection: close

HTTP/1.1 200 OK
Date: Thu, 26 Oct 2006 00:24:53 GMT
Server: Microsoft-IIS/6.0
cluster-server: bf2142web1
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 215

O
H    asof    cb
D    1161797093    client
H    pid    nick    tid    gsco    tt    crpt    fgm    fm    fe    fv    fk    fw    win    los    acdt    lgdt    brs    etp-3    pdt    pdtc
D    81246737    MadHatter2142    0    691    20524    1097    1    2    5    6    1    1    10    13    1161167627    1161725891    33    0    6    6
$    158    $



~~~~

GET /getplayerinfo.aspx?auth=xU2qDk[zXk]BWGehdT4y4w__&mode=ply HTTP/1.1
Host: stella.prod.gamespy.com
User-Agent: GameSpyHTTP/1.0
Connection: close

HTTP/1.1 200 OK
Date: Thu, 26 Oct 2006 00:24:55 GMT
Server: Microsoft-IIS/6.0
cluster-server: bf2142web1
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 307

O
H    asof    cb
D    1161797095    client
H    pid    nick    tid    klls    klla    dths    suic    klstrk    dstrk    spm    kdr    kpm    dpm    akpr    adpr    tots    toth    ovaccu    ktt-0    ktt-1    ktt-2    ktt-3    kkls-0    kkls-1    kkls-2    kkls-3
D    81246737    MadHatter2142    0    148    24    181    1    7    7    2.032    0.818    0.435    0.532    3.364    4.114    5085    774    0.152    202    16289    1660    854    2    138    7    1
$    238    $



~~~~

GET /getleaderboard.aspx?auth=yY6RhSt3AI[gBtRkc67Ulw__&pos=1&after=17&type=overallscore HTTP/1.1
Host: stella.prod.gamespy.com
User-Agent: GameSpyHTTP/1.0
Connection: close

HTTP/1.1 200 OK
Date: Thu, 26 Oct 2006 00:25:07 GMT
Server: Microsoft-IIS/6.0
cluster-server: bf2142web3
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 943

O
H    size    asof
D    251354    1161796167
H    rank    pos    pid    nick    globalscore    playerrank    countrycode    Vet
D    56947    56947    81246737    MadHatter2142    691    8    US    1
H    rank    pos    pid    nick    globalscore    playerrank    countrycode    Vet    dt
D    1    1    81263270    imotbh    11148    26    AU    1    0
D    2    2    65896813    S_Jackson    11085    29    GB    1    0
D    3    3    81212991    szam0ca    11062    32    HU    1    0
D    4    4    80865647    SimonMoon    11025    31    CH    1    0
D    5    5    81278799    Skunk_2142    11021    27    CA    0    0
D    6    6    81209964    KAIN    11019    28    DE    0    0
D    7    7    81242951    WoKeN    10587    30    US    1    0
D    8    8    81260470    coathanger    10435    31    US    1    0
D    9    9    81346180    DualNuke    10247    22    DE    1    0
D    10    10    81239550    RA4EVAH    10055    29    NL    0    0
D    11    11    81158290    Strategizah    9697    28    US    1    0
D    12    12    81346902    xXx[GER]    9629    26    DE    0    0
D    13    13    81243016    serguinho    9401    26    AT    1    0
D    14    14    81146847    Vibesfr    9386    27    FR    1    0
D    15    15    81286874    Pallares    9317    25    ES    1    0
D    16    16    81181481    LtSmash2032    9092    28    US    1    0
D    17    17    81285161    HITMAN-    9018    24    US    1    0
D    18    18    81165525    GodfishB16    8942    27    US    1    0
$    720    $



~~~~

GET /getleaderboard.aspx?auth=XxfEcvG2RYQ0J5V6mLnTng__&pos=1&after=17&type=overallscore&dogTagFilter=1 HTTP/1.1
Host: stella.prod.gamespy.com
User-Agent: GameSpyHTTP/1.0
Connection: close

HTTP/1.1 200 OK
Date: Thu, 26 Oct 2006 00:25:09 GMT
Server: Microsoft-IIS/6.0
cluster-server: bf2142web2
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 505

O
H    size    asof
D    251354    1161796167
H    rank    pos    pid    nick    globalscore    playerrank    countrycode    Vet
D    56947    56947    81246737    MadHatter2142    691    8    US    1
H    rank    pos    pid    nick    globalscore    playerrank    countrycode    Vet    dt
D    31470    1    81624909    Spiv    1084    9    CA    0    1
D    36738    2    81306093    Wolverine-B-    979    9    US    1    1
D    36774    3    64334057    ak1knight    978    9    US    1    1
D    45284    4    81452916    H3LL-R4ZER    841    8    US    1    1
D    56947    5    81246737    MadHatter2142    691    8    US    1    0
D    90921    6    81312600    BearAxe    409    6    US    1    1
D    115552    7    81865105    Nefar2    282    5    US    0    1
$    392    $



~~~~

GET /getleaderboard.aspx?auth=rtXtz6QGp[ufCxJWMrYS5w__&pos=1&after=17&type=overallscore HTTP/1.1
Host: stella.prod.gamespy.com
User-Agent: GameSpyHTTP/1.0
Connection: close

HTTP/1.1 200 OK
Date: Thu, 26 Oct 2006 00:25:10 GMT
Server: Microsoft-IIS/6.0
cluster-server: bf2142web4
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 943

O
H    size    asof
D    251354    1161796167
H    rank    pos    pid    nick    globalscore    playerrank    countrycode    Vet
D    56947    56947    81246737    MadHatter2142    691    8    US    1
H    rank    pos    pid    nick    globalscore    playerrank    countrycode    Vet    dt
D    1    1    81263270    imotbh    11148    26    AU    1    0
D    2    2    65896813    S_Jackson    11085    29    GB    1    0
D    3    3    81212991    szam0ca    11062    32    HU    1    0
D    4    4    80865647    SimonMoon    11025    31    CH    1    0
D    5    5    81278799    Skunk_2142    11021    27    CA    0    0
D    6    6    81209964    KAIN    11019    28    DE    0    0
D    7    7    81242951    WoKeN    10587    30    US    1    0
D    8    8    81260470    coathanger    10435    31    US    1    0
D    9    9    81346180    DualNuke    10247    22    DE    1    0
D    10    10    81239550    RA4EVAH    10055    29    NL    0    0
D    11    11    81158290    Strategizah    9697    28    US    1    0
D    12    12    81346902    xXx[GER]    9629    26    DE    0    0
D    13    13    81243016    serguinho    9401    26    AT    1    0
D    14    14    81146847    Vibesfr    9386    27    FR    1    0
D    15    15    81286874    Pallares    9317    25    ES    1    0
D    16    16    81181481    LtSmash2032    9092    28    US    1    0
D    17    17    81285161    HITMAN-    9018    24    US    1    0
D    18    18    81165525    GodfishB16    8942    27    US    1    0
$    720    $



~~~~

GET /getleaderboard.aspx?auth=IA65[l5DqWS]khmcwMcfKQ__&pos=1&after=17&type=overallscore&ccFilter=US HTTP/1.1
Host: stella.prod.gamespy.com
User-Agent: GameSpyHTTP/1.0
Connection: close

HTTP/1.1 200 OK
Date: Thu, 26 Oct 2006 00:25:11 GMT
Server: Microsoft-IIS/6.0
cluster-server: bf2142web2
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 961

O
H    size    asof
D    98318    1161796167
H    rank    pos    pid    nick    globalscore    playerrank    countrycode    Vet
D    56947    56947    81246737    MadHatter2142    691    8    US    1
H    rank    pos    pid    nick    globalscore    playerrank    countrycode    Vet    dt
D    7    1    81242951    WoKeN    10587    30    US    1    0
D    8    2    81260470    coathanger    10435    31    US    1    0
D    11    3    81158290    Strategizah    9697    28    US    1    0
D    16    4    81181481    LtSmash2032    9092    28    US    1    0
D    17    5    81285161    HITMAN-    9018    24    US    1    0
D    18    6    81165525    GodfishB16    8942    27    US    1    0
D    21    7    81230621    snakeyes    8748    23    US    0    0
D    27    8    80899180    DominoNation    8270    25    US    1    0
D    40    9    81271191    FullMetalPanik    7580    24    US    1    0
D    42    10    81242348    Badel    7502    25    US    1    0
D    43    11    81351733    Snofru78    7496    24    US    1    0
D    49    12    81273878    Strafe1    7245    23    US    1    0
D    53    13    81269430    HarveyCamper    7122    22    US    1    0
D    63    14    81246378    Edge.    6911    23    US    0    0
D    67    15    81264340    teknochild    6887    25    US    1    0
D    69    16    81143272    Madtactics    6810    22    US    1    0
D    72    17    81243907    TehMyke    6775    23    US    1    0
D    75    18    81295837    IILiLItalyIIJR    6697    22    US    0    0
$    738    $



~~~~

GET /getleaderboard.aspx?auth=6swGutaWIeRWF]MUK8rRzw__&pos=1&after=17&type=overallscore HTTP/1.1
Host: stella.prod.gamespy.com
User-Agent: GameSpyHTTP/1.0
Connection: close

HTTP/1.1 200 OK
Date: Thu, 26 Oct 2006 00:25:12 GMT
Server: Microsoft-IIS/6.0
cluster-server: bf2142web4
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 943

O
H    size    asof
D    251354    1161796167
H    rank    pos    pid    nick    globalscore    playerrank    countrycode    Vet
D    56947    56947    81246737    MadHatter2142    691    8    US    1
H    rank    pos    pid    nick    globalscore    playerrank    countrycode    Vet    dt
D    1    1    81263270    imotbh    11148    26    AU    1    0
D    2    2    65896813    S_Jackson    11085    29    GB    1    0
D    3    3    81212991    szam0ca    11062    32    HU    1    0
D    4    4    80865647    SimonMoon    11025    31    CH    1    0
D    5    5    81278799    Skunk_2142    11021    27    CA    0    0
D    6    6    81209964    KAIN    11019    28    DE    0    0
D    7    7    81242951    WoKeN    10587    30    US    1    0
D    8    8    81260470    coathanger    10435    31    US    1    0
D    9    9    81346180    DualNuke    10247    22    DE    1    0
D    10    10    81239550    RA4EVAH    10055    29    NL    0    0
D    11    11    81158290    Strategizah    9697    28    US    1    0
D    12    12    81346902    xXx[GER]    9629    26    DE    0    0
D    13    13    81243016    serguinho    9401    26    AT    1    0
D    14    14    81146847    Vibesfr    9386    27    FR    1    0
D    15    15    81286874    Pallares    9317    25    ES    1    0
D    16    16    81181481    LtSmash2032    9092    28    US    1    0
D    17    17    81285161    HITMAN-    9018    24    US    1    0
D    18    18    81165525    GodfishB16    8942    27    US    1    0
$    720    $



~~~~

GET /getleaderboard.aspx?auth=Ok2ca63[qDe142so3B0ZzQ__&pos=1&after=17&type=overallscore&buddiesFilter=81168298,81242994,81306093,81465904 HTTP/1.1
Host: stella.prod.gamespy.com
User-Agent: GameSpyHTTP/1.0
Connection: close

HTTP/1.1 200 OK
Date: Thu, 26 Oct 2006 00:25:13 GMT
Server: Microsoft-IIS/6.0
cluster-server: bf2142web1
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 426

O
H    size    asof
D    5    1161796167
H    rank    pos    pid    nick    globalscore    playerrank    countrycode    Vet
D    56947    56947    81246737    MadHatter2142    691    8    US    1
H    rank    pos    pid    nick    globalscore    playerrank    countrycode    Vet    dt
D    36738    1    81306093    Wolverine-B-    979    9    US    1    1
D    56947    2    81246737    MadHatter2142    691    8    US    1    0
D    71347    3    81242994    DirtyKurt    551    7    US    1    0
D    119866    4    81465904    Tank_    263    5    US    1    0
D    137153    5    81168298    TheShermanTank    198    5    US    1    0
$    333    $



~~~~

GET /getleaderboard.aspx?auth=NHFg9sIAp5Z[euaT6CA7KA__&pos=1&after=17&type=overallscore HTTP/1.1
Host: stella.prod.gamespy.com
User-Agent: GameSpyHTTP/1.0
Connection: close

HTTP/1.1 200 OK
Date: Thu, 26 Oct 2006 00:25:14 GMT
Server: Microsoft-IIS/6.0
cluster-server: bf2142web1
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 943

O
H    size    asof
D    251354    1161796167
H    rank    pos    pid    nick    globalscore    playerrank    countrycode    Vet
D    56947    56947    81246737    MadHatter2142    691    8    US    1
H    rank    pos    pid    nick    globalscore    playerrank    countrycode    Vet    dt
D    1    1    81263270    imotbh    11148    26    AU    1    0
D    2    2    65896813    S_Jackson    11085    29    GB    1    0
D    3    3    81212991    szam0ca    11062    32    HU    1    0
D    4    4    80865647    SimonMoon    11025    31    CH    1    0
D    5    5    81278799    Skunk_2142    11021    27    CA    0    0
D    6    6    81209964    KAIN    11019    28    DE    0    0
D    7    7    81242951    WoKeN    10587    30    US    1    0
D    8    8    81260470    coathanger    10435    31    US    1    0
D    9    9    81346180    DualNuke    10247    22    DE    1    0
D    10    10    81239550    RA4EVAH    10055    29    NL    0    0
D    11    11    81158290    Strategizah    9697    28    US    1    0
D    12    12    81346902    xXx[GER]    9629    26    DE    0    0
D    13    13    81243016    serguinho    9401    26    AT    1    0
D    14    14    81146847    Vibesfr    9386    27    FR    1    0
D    15    15    81286874    Pallares    9317    25    ES    1    0
D    16    16    81181481    LtSmash2032    9092    28    US    1    0
D    17    17    81285161    HITMAN-    9018    24    US    1    0
D    18    18    81165525    GodfishB16    8942    27    US    1    0
$    720    $



~~~~

GET /getleaderboard.aspx?auth=UCdBNgv2uDFFMTrq0HLQxA__&pos=1&after=17&type=overallscore&buddiesFilter=81168298,81242994,81306093,81465904 HTTP/1.1
Host: stella.prod.gamespy.com
User-Agent: GameSpyHTTP/1.0
Connection: close

HTTP/1.1 200 OK
Date: Thu, 26 Oct 2006 00:25:15 GMT
Server: Microsoft-IIS/6.0
cluster-server: bf2142web3
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 426

O
H    size    asof
D    5    1161796167
H    rank    pos    pid    nick    globalscore    playerrank    countrycode    Vet
D    56947    56947    81246737    MadHatter2142    691    8    US    1
H    rank    pos    pid    nick    globalscore    playerrank    countrycode    Vet    dt
D    36738    1    81306093    Wolverine-B-    979    9    US    1    1
D    56947    2    81246737    MadHatter2142    691    8    US    1    0
D    71347    3    81242994    DirtyKurt    551    7    US    1    0
D    119866    4    81465904    Tank_    263    5    US    1    0
D    137153    5    81168298    TheShermanTank    198    5    US    1    0
$    333    $



~~~~

GET /getleaderboard.aspx?auth=OambPiPNcGuCzsSlnZRF6w__&pos=1&after=17&type=overallscore&buddiesFilter=81168298,81242994,81306093,81465904&dogTagFilter=1 HTTP/1.1
Host: stella.prod.gamespy.com
User-Agent: GameSpyHTTP/1.0
Connection: close

HTTP/1.1 200 OK
Date: Thu, 26 Oct 2006 00:25:16 GMT
Server: Microsoft-IIS/6.0
cluster-server: bf2142web2
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 297

O
H    size    asof
D    5    1161796167
H    rank    pos    pid    nick    globalscore    playerrank    countrycode    Vet
D    56947    56947    81246737    MadHatter2142    691    8    US    1
H    rank    pos    pid    nick    globalscore    playerrank    countrycode    Vet    dt
D    36738    1    81306093    Wolverine-B-    979    9    US    1    1
D    56947    2    81246737    MadHatter2142    691    8    US    1    0
$    234    $



~~~~

GET /getleaderboard.aspx?auth=apr3cK9vZGLV[SjCz[7ikg__&pos=1&after=17&type=overallscore&ccFilter=US&buddiesFilter=81168298,81242994,81306093,81465904&dogTagFilter=1 HTTP/1.1
Host: stella.prod.gamespy.com
User-Agent: GameSpyHTTP/1.0
Connection: close

HTTP/1.1 200 OK
Date: Thu, 26 Oct 2006 00:25:17 GMT
Server: Microsoft-IIS/6.0
cluster-server: bf2142web2
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 297

O
H    size    asof
D    5    1161796167
H    rank    pos    pid    nick    globalscore    playerrank    countrycode    Vet
D    56947    56947    81246737    MadHatter2142    691    8    US    1
H    rank    pos    pid    nick    globalscore    playerrank    countrycode    Vet    dt
D    36738    1    81306093    Wolverine-B-    979    9    US    1    1
D    56947    2    81246737    MadHatter2142    691    8    US    1    0
$    234    $

here's a second one for another account (no actual stats, because its a new player. I'll update this one w/ real stats later):

Code:

GET /getbackendinfo.aspx?auth=Tz[wyu88es8eq3P22aB9wQ__ HTTP/1.1
Host: stella.prod.gamespy.com
User-Agent: GameSpyHTTP/1.0
Connection: close

HTTP/1.1 200 OK
Date: Thu, 26 Oct 2006 05:11:25 GMT
Server: Microsoft-IIS/6.0
cluster-server: bf2142web3
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 7819

O
H    asof    tid    serverip    cb
D    1161839485    0    71.252.218.197    client
H    config
D    swiffHost.setLatestGameVersion 1.0.9.1
rankSettings.setRank 0 0
rankSettings.setRank 1 40
rankSettings.setRank 2 80
rankSettings.setRank 3 120
rankSettings.setRank 4 200
rankSettings.setRank 5 330
rankSettings.setRank 6 520
rankSettings.setRank 7 750
rankSettings.setRank 8 1050
rankSettings.setRank 9 1400
rankSettings.setRank 10 1800
rankSettings.setRank 11 2250
rankSettings.setRank 12 2850
rankSettings.setRank 13 3550
rankSettings.setRank 14 4400
rankSettings.setRank 15 5300
rankSettings.setRank 16 6250
rankSettings.setRank 17 7250
rankSettings.setRank 18 8250
rankSettings.setRank 19 9300
rankSettings.setRank 20 10400
rankSettings.setRank 21 11550
rankSettings.setRank 22 12700
rankSettings.setRank 23 14000
rankSettings.setRank 24 15300
rankSettings.setRank 25 16700
rankSettings.setRank 26 18300
rankSettings.setRank 27 20100
rankSettings.setRank 28 22100
rankSettings.setRank 29 24200
rankSettings.setRank 30 26400
rankSettings.setRank 31 28800
rankSettings.setRank 32 31500
rankSettings.setRank 33 34200
rankSettings.setRank 34 37100
rankSettings.setRank 35 40200
rankSettings.setRank 36 43300
rankSettings.setRank 37 46900
rankSettings.setRank 38 50500
rankSettings.setRank 39 54100
rankSettings.setRank 40 57700
rankSettings.setRank 41 0
rankSettings.setRank 42 0
rankSettings.setRank 43 0
rankSettings.save
awards.setData 100_1 "6,1, ,12"
awards.setData 100_2 "6,1, ,20" "9,23,ktt-3,54000"
awards.setData 100_3 "6,1, ,30" "9,23,ktt-3,180000"
awards.setData 101_1 "6,2, ,12"
awards.setData 101_2 "6,2, ,20" "9,20,ktt-0,54000"
awards.setData 101_3 "6,2, ,30" "9,20,ktt-0,180000"
awards.setData 102_1 "6,3, ,12"
awards.setData 102_2 "6,3, ,20" "9,21,ktt-1,54000"
awards.setData 102_3 "6,3, ,30" "9,21,ktt-1,180000"
awards.setData 103_1 "6,4, ,12"
awards.setData 103_2 "6,4, ,20" "9,22,ktt-2,54000"
awards.setData 103_3 "6,4, ,30" "9,22,ktt-2,180000"
awards.setData 104_1 "6,50, ,10"
awards.setData 104_2 "6,50, ,20" "1,113,slpts,300"
awards.setData 104_3 "6,50, ,30" "1,113,slpts,600"
awards.setData 105_1 "6,5, ,7"
awards.setData 105_2 "6,5, ,10" "1,5,wkls-12,50"
awards.setData 105_3 "6,5, ,17" "1,5,wkls-12,150"
awards.setData 106_1 "6,7, ,5"
awards.setData 106_2 "6,7, ,7" "1,7,wkls-5;wkls-11,50"
awards.setData 106_3 "6,7, ,18" "1,7,wkls-5;wkls-11,300"
awards.setData 107_1 "6,8, ,10"
awards.setData 107_2 "6,8, ,15" "1,8,klse,50"
awards.setData 107_3 "6,8, ,20" "1,8,klse,300"
awards.setData 108_1 "10,18, ,180"
awards.setData 108_2 "6,9, ,15" "9,148,vtp-12;vtp-3;wtp-30,72000"
awards.setData 108_3 "6,9, ,30" "9,148,vtp-12;vtp-3;wtp-30,180000"
awards.setData 109_1 "6,40, ,30"
awards.setData 109_2 "10,150, ,1200" "1,40,csgpm-0,1000"
awards.setData 109_3 "10,150, ,1500" "1,40,csgpm-0,4000"
awards.setData 110_1 "6,39, ,30"
awards.setData 110_2 "10,149, ,1200" "1,39,csgpm-1,1000"
awards.setData 110_3 "10,149, ,1500" "1,39,csgpm-1,4000"
awards.setData 111_1 "6,42, ,8"
awards.setData 111_2 "6,42, ,10" "9,128,etpk-1,36000"
awards.setData 111_3 "6,42, ,15" "9,128,etpk-1,216000" "1,42,rps,200"
awards.setData 112_1 "6,43, ,8"
awards.setData 112_2 "6,43, ,10" "9,129,etpk-5;etpk-0;etpk-2,36000"
awards.setData 112_3 "6,43, ,15" "9,129,etpk-5;etpk-0;etpk-2,216000" "1,43,hls,400"
awards.setData 113_1 "6,45, ,8"
awards.setData 113_2 "6,45, ,10" "9,130,etpk-6,36000"
awards.setData 113_3 "6,45, ,15" "9,130,etpk-6,180000" "1,45,resp,400"
awards.setData 114_1 "10,141, ,900"
awards.setData 114_2 "6,11, ,15" "9,114,atp,90000"
awards.setData 114_3 "6,11, ,35" "9,114,atp,180000"
awards.setData 115_1 "10,142, ,900"
awards.setData 115_2 "6,12, ,15" "9,25,vtp-10;vtp-4,90000"
awards.setData 115_3 "6,12, ,35" "9,25,vtp-10;vtp-4,180000"
awards.setData 116_1 "10,151, ,600"
awards.setData 116_2 "6,116, ,5" "9,115,vtp-1;vtp-4;vtp-6,90000"
awards.setData 116_3 "6,116, ,12" "9,115,vtp-1;vtp-4;vtp-6,144000"
awards.setData 117_1 "6,46, ,8"
awards.setData 117_2 "6,46, ,15" "9,27,tgpm-1,108000"
awards.setData 117_3 "6,46, ,30" "9,27,tgpm-1,216000"
awards.setData 118_1 "6,47, ,8"
awards.setData 118_2 "6,47, ,15" "9,27,tgpm-1,108000"
awards.setData 118_3 "6,47, ,30" "9,27,tgpm-1,216000"
awards.setData 119_1 "6,48, ,2"
awards.setData 119_2 "6,49, ,1" "1,48,tcd,10"
awards.setData 119_3 "6,48, ,3" "6,49, ,1" "1,48,tcd,40"
awards.setData 200 "6,127, ,"
awards.setData 201 "6,126, ,"
awards.setData 202 "6,125, ,"
awards.setData 203 "6,41, ,30" "9,19,tac,180000" "9,28,tasl,180000" "9,29,tasm,180000"
awards.setData 204 "6,59, ,1" "5,62,100_1,1" "5,63,101_1,1" "5,64,102_1,1" "5,65,103_1,1" "5,66,105_1,1" "5,67,106_1,1" "5,68,107_1,1"
awards.setData 205 "6,59, ,1" "5,69,100_2,1" "5,70,101_2,1" "5,71,102_2,1" "5,72,103_2,1" "5,73,105_2,1" "5,74,106_2,1" "5,75,107_2,1"
awards.setData 206 "6,59, ,1" "5,76,100_3,1" "5,77,101_3,1" "5,78,102_3,1" "5,79,103_3,1" "5,80,105_3,1" "5,81,106_3,1" "5,82,107_3,1"
awards.setData 207 "11,30,tt,540000" "3,51,cpt,1000" "3,52,dcpt,400" "3,41,twsc,5000"
awards.setData 208 "10,145, ,180" "11,31,attp-0,540000" "1,54,awin-0,300"
awards.setData 209 "10,146, ,180" "11,32,attp-1,540000" "1,55,awin-1,300"
awards.setData 210 "6,60, ,1" "11,26,tgpm-0,288000" "1,13,kgpm-0,8000" "1,15,bksgpm-0,25"
awards.setData 211 "6,61, ,1" "11,27,tgpm-1,288000" "1,14,kgpm-1,8000" "1,16,bksgpm-1,25"
awards.setData 212 "6,12, ,30" "9,25,vtp-10;vtp-4,360000" "1,12,vkls-10;vkls-4,8000"
awards.setData 213 "6,11, ,25" "9,24,vtp-0;vtp-1;vtp-2,360000" "1,11,vkls-0;vkls-1;vkls-2,8000"
awards.setData 214 "6,17, ,27" "6,83, ,0" "9,30,tt,648000"
awards.setData 215 "11,30,tt,360000" "3,43,hls,400" "3,42,rps,400" "3,45,resp,400"
awards.setData 216 "6,85, ,0.25"
awards.setData 217 "6,86, ,10" "9,33,vtp-4,90000"
awards.setData 218 "6,14, ,10" "11,27,tgpm-1,540000" "1,133,mbr-1-0;mbr-1-1;mbr-1-2;mbr-1-3;mbr-1-5,70"
awards.setData 219 "6,17, ,20" "1,51,cpt,100" "1,42,rps,200"
awards.setData 300 "10,18, ,300" "6,9, ,15"
awards.setData 301 "10,142, ,600" "6,12, ,20"
awards.setData 302 "6,120, ,10"
awards.setData 303 "10,143, ,1200" "9,28,tasl,144000"
awards.setData 304 "10,38, ,1200" "6,34, ,40" "9,19,tac,288000"
awards.setData 305 "6,41, ,15" "9,29,tasm,36000" "9,28,tasl,36000" "9,19,tac,36000"
awards.setData 306 "10,144, ,1080" "6,41, ,40" "9,29,tasm,72000"
awards.setData 307 "6,41, ,55" "9,29,tasm,90000" "9,28,tasl,180000"
awards.setData 308 "6,34, ,45" "9,19,tac,216000" "5,87,wlr,2"
awards.setData 309 "10,141, ,1200" "6,11, ,20"
awards.setData 310 "6,110, ,10" "9,121,vtp-0;vtp-1;vtp-2;vtp-6,36000"
awards.setData 311 "9,99,mtt-0-0;mtt-1-0,0" "9,101,mtt-0-2;mtt-1-2,0" "9,103,mtt-0-4,0" "9,104,mtt-0-5;mtt-1-5,0" "9,108,mtt-0-9,0" "9,32,attp-1,432000"
awards.setData 312 "9,100,mtt-0-1;mtt-1-1,0" "9,102,mtt-0-3;mtt-1-3,0" "9,105,mtt-0-6,0" "9,106,mtt-0-7,0" "9,107,mtt-0-8,0" "9,31,attp-0,432000"
awards.setData 313 "6,17, ,20" "1,88,bksgpm-0;bksgpm-1,10"
awards.setData 314 "6,17, ,10" "6,83, ," "11,30,tt,180000"
awards.setData 315 "6,17, ,10" "11,30,tt,432000" "1,88,bksgpm-0;bksgpm-1,10"
awards.setData 316 "3,10,vkls-7,200"
awards.setData 317 "6,86, ,15" "9,33,vtp-4,90000"
awards.setData 318 "6,138, ,15" "9,137,vtp-12,36000"
awards.setData 319 "6,39, ,10" "11,36,ctgpm-1,90000"
awards.setData 400 "6,89, ,5"
awards.setData 401 "6,89, ,10"
awards.setData 402 "6,48, ,4"
awards.setData 403 "6,109, ,4"
awards.setData 404 "6,86, ,10"
awards.setData 406 "6,47, ,7"
awards.setData 407 "6,139, ,5"
awards.setData 408 "6,110, ,5"
awards.setData 409 "6,93, ,8"
awards.setData 410 "6,8, ,8"
awards.setData 411 "6,44, ,8"
awards.setData 412 "6,124, ,"
awards.setData 413 "6,7, ,4"
awards.setData 414 "6,9, ,10"
awards.setData 415 "6,6, ,10"

$    7473    $


~~~~

GET /getplayerinfo.aspx?auth=HoEwn2lJbn0bvp6bDh]wjQ__&mode=base&pToken=Hux8422ifB5Gp9IL2OeKFKOvCfEl[O4BI3XwFw8dMGYVZYfIX8G0fqK6lRNRD6H4[PyvQu4v8Gnj16kEV2[MIg__ HTTP/1.1
Host: stella.prod.gamespy.com
User-Agent: GameSpyHTTP/1.0
Connection: close

HTTP/1.1 200 OK
Date: Thu, 26 Oct 2006 05:11:54 GMT
Server: Microsoft-IIS/6.0
cluster-server: bf2142web2
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 134

O
H    asof    cb
D    1161814314    client
H    pid    nick    tid    gsco    crpt    rnk    rnkcg    ent-1    ent-2    ent-3    unavl
D    82188143    Qw4z0    0    0    40    1    0    0    0    2    1
$    96    $


~~~~

GET /getunlocksinfo.aspx?&auth=2d3SIIXPHH40QC6w9DrR6w__ HTTP/1.1
Host: stella.prod.gamespy.com
User-Agent: GameSpyHTTP/1.0
Connection: close

HTTP/1.1 200 OK
Date: Thu, 26 Oct 2006 05:11:56 GMT
Server: Microsoft-IIS/6.0
cluster-server: bf2142web4
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 77

O
H    pid    nick    asof
D    82188143    Qw4z0    1161839516
H    Avcred
D    1
H    UnlockID
$    55    $


~~~~

GET /getawardsinfo.aspx?pid=82188143&auth=2d3SIIXPHH40QC6w9DrR6w__ HTTP/1.1
Host: stella.prod.gamespy.com
User-Agent: GameSpyHTTP/1.0
Connection: close

HTTP/1.1 200 OK
Date: Thu, 26 Oct 2006 05:11:56 GMT
Server: Microsoft-IIS/6.0
cluster-server: bf2142web1
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 78

O
H    pid    nick    asof
D    82188143    Qw4z0    1161839516
H    award    level    when    first
$    57    $


~~~~

GET /getplayerprogress.aspx?mode=point&scale=game&auth=q6D3E5nkRF1]OnmOU8W7Yg__ HTTP/1.1
Host: stella.prod.gamespy.com
User-Agent: GameSpyHTTP/1.0
Connection: close

HTTP/1.1 200 OK
Date: Thu, 26 Oct 2006 05:12:10 GMT
Server: Microsoft-IIS/6.0
cluster-server: bf2142web3
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 13

E    104    
$    4    $


~~~~

GET /getleaderboard.aspx?auth=K5N9nf4JQdQ8L3cb[BVnpg__&pos=1&after=17&type=overallscore HTTP/1.1
Host: stella.prod.gamespy.com
User-Agent: GameSpyHTTP/1.0
Connection: close

HTTP/1.1 200 OK
Date: Thu, 26 Oct 2006 05:12:27 GMT
Server: Microsoft-IIS/6.0
cluster-server: bf2142web3
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 904

O
H    size    asof
D    254462    1161814087
H    rank    pos    pid    nick    globalscore    playerrank    countrycode    Vet
D                            
H    rank    pos    pid    nick    globalscore    playerrank    countrycode    Vet    dt
D    1    1    65896813    S_Jackson    11785    29    GB    1    0
D    2    2    81278799    Skunk_2142    11487    27    CA    0    0
D    3    3    80865647    SimonMoon    11323    32    CH    1    0
D    4    4    81209964    KAIN    11159    28    DE    0    0
D    5    5    81263270    imotbh    11148    26    AU    1    0
D    6    6    81212991    szam0ca    11062    32    HU    1    0
D    7    7    81242951    WoKeN    11058    31    US    1    0
D    8    8    81260470    coathanger    10989    31    US    1    0
D    9    9    81346180    DualNuke    10524    22    DE    1    0
D    10    10    81239550    RA4EVAH    10055    29    NL    0    0
D    11    11    81158290    Strategizah    9813    28    US    1    0
D    12    12    81243016    serguinho    9753    26    AT    1    0
D    13    13    81346902    xXx[GER]    9629    26    DE    0    0
D    14    14    81146847    Vibesfr    9605    27    FR    1    0
D    15    15    81285161    HITMAN-    9543    25    US    1    0
D    16    16    81286874    Pallares    9359    25    ES    1    0
D    17    17    81165525    GodfishB16    9317    27    US    1    0
D    18    18    81181481    LtSmash2032    9092    28    US    1    0
$    682    $

Tubar · 26 Oct 2006 12:54 pm

Hi guys, I have find some things with ollydebuger by windows server, but i need some help.

So is my result: (windows server - patch 1.01)

Here is call function which create 16 bytes array for Base64 encoding and write it on address 014DAA04

Code:

006E82A0  E83BF9FFFF  CALL 006E7BE0

and here is Base64 encoding (read from bytes from address 014DAA04 (16 bytes) and encode it to 24bytes Base64 encoding.
Of course for encoding at end are used two empty bytes, so 16bytes from address 014DAA04 + 2 empty bytes (=0) 18bytes => 24bytes
(every 3bytes are coded to 4bytes asci table, which is storen on memory in 007ED210)

Code:

005AE44E  E8FDA10500  CALL 00608650

So, CALL 00608650 - than we dont need, that is standart Base64 encoding, but what we need know is that CALL 006E7BE0.

In this function ist at first tail read data from 01BFA21C (16bytes), example:

Code:

01BFA21C  74 FD 40 45 64 00 00 00 F8 45 12 04 01 00 FC E4

Where first 4 bytes is TIMESTAMP from 1.1.1970 in seconds (4540FD74 in decimal is 1161887092 seconds)
Next 4 bytes 00000064 is every time used that same - I dont know what is that
Next 4 bytes 041245F8 is players PID in hexa - 041245F8 in decimal is for example 68306424 PID player
And last 4 bytes xxxx0001 is I think only random number.

All these DWORD are used in this function for coding

1/ Store bytes into CPU registry

Code:

EBX = 74FD4045 (00..03)
ESI = 64000000 (04..07)
ECX = F8451204 (08..11)
EDX = 0100FCE4 (12..15)

2/ XOR this data with:

Code:

EBX xor 4CBB56AA = X1
ESI xor 780000C3 = X2
ECX xor 65FFEF44 = X3
EDX xor 23122C2C = X4

3/ Write result into memory:

Code:

0012F354 = X1
0012F35C = X2
0012F350 = X3
0012F358 = X4
0012F34C = 0000000A (ESI)  ESI = 0000000A
0012F368 = 00000009 (ESI - 1)

4/ Code??? Into address 014DAA04

Code:

006E7CC7   83C7 30          ADD EDI,30
006E7CCA   83C6 FF          ADD ESI,-1
006E7CCD   8975 08          MOV DWORD PTR SS:[EBP+8],ESI
006E7CD0   8B55 F0          MOV EDX,DWORD PTR SS:[EBP-10]
006E7CD3   C1EA 10          SHR EDX,10
006E7CD6   0FB675 F3        MOVZX ESI,BYTE PTR SS:[EBP-D]
006E7CDA   0FB6D2           MOVZX EDX,DL
006E7CDD   0FB6C4           MOVZX EAX,AH
006E7CE0   8B0485 A82F8000  MOV EAX,DWORD PTR DS:[EAX*4+802FA8]
006E7CE7   330495 A82B8000  XOR EAX,DWORD PTR DS:[EDX*4+802BA8]
006E7CEE   0FB655 FF        MOVZX EDX,BYTE PTR SS:[EBP-1]
006E7CF2   330495 A8278000  XOR EAX,DWORD PTR DS:[EDX*4+8027A8]
006E7CF9   8BD3             MOV EDX,EBX
006E7CFB   81E2 FF000000    AND EDX,0FF
006E7D01   330495 A8338000  XOR EAX,DWORD PTR DS:[EDX*4+8033A8]
006E7D08   8B55 F8          MOV EDX,DWORD PTR SS:[EBP-8]
006E7D0B   C1EA 10          SHR EDX,10
006E7D0E   0FB6D2           MOVZX EDX,DL
006E7D11   8B1495 A82B8000  MOV EDX,DWORD PTR DS:[EDX*4+802BA8]
006E7D18   3314B5 A8278000  XOR EDX,DWORD PTR DS:[ESI*4+8027A8]
006E7D1F   0FB6F7           MOVZX ESI,BH
006E7D22   3314B5 A82F8000  XOR EDX,DWORD PTR DS:[ESI*4+802FA8]
006E7D29   8B75 FC          MOV ESI,DWORD PTR SS:[EBP-4]
006E7D2C   0FB65D FD        MOVZX EBX,BYTE PTR SS:[EBP-3]
006E7D30   81E6 FF000000    AND ESI,0FF
006E7D36   3314B5 A8338000  XOR EDX,DWORD PTR DS:[ESI*4+8033A8]
006E7D3D   0FB675 FB        MOVZX ESI,BYTE PTR SS:[EBP-5]
006E7D41   8B34B5 A8278000  MOV ESI,DWORD PTR DS:[ESI*4+8027A8]
006E7D48   33349D A82F8000  XOR ESI,DWORD PTR DS:[EBX*4+802FA8]
006E7D4F   0FB65D F6        MOVZX EBX,BYTE PTR SS:[EBP-A]
006E7D53   33349D A82B8000  XOR ESI,DWORD PTR DS:[EBX*4+802BA8]
006E7D5A   3347 FC          XOR EAX,DWORD PTR DS:[EDI-4]
006E7D5D   3317             XOR EDX,DWORD PTR DS:[EDI]
006E7D5F   8BD9             MOV EBX,ECX
006E7D61   81E3 FF000000    AND EBX,0FF
006E7D67   33349D A8338000  XOR ESI,DWORD PTR DS:[EBX*4+8033A8]
006E7D6E   0FB65D FE        MOVZX EBX,BYTE PTR SS:[EBP-2]
006E7D72   3377 04          XOR ESI,DWORD PTR DS:[EDI+4]
006E7D75   0FB6CD           MOVZX ECX,CH
006E7D78   8B0C8D A82F8000  MOV ECX,DWORD PTR DS:[ECX*4+802FA8]
006E7D7F   330C9D A82B8000  XOR ECX,DWORD PTR DS:[EBX*4+802BA8]
006E7D86   0FB65D F7        MOVZX EBX,BYTE PTR SS:[EBP-9]
006E7D8A   330C9D A8278000  XOR ECX,DWORD PTR DS:[EBX*4+8027A8]
006E7D91   8B5D F8          MOV EBX,DWORD PTR SS:[EBP-8]
006E7D94   81E3 FF000000    AND EBX,0FF
006E7D9A   330C9D A8338000  XOR ECX,DWORD PTR DS:[EBX*4+8033A8]
006E7DA1   8945 FC          MOV DWORD PTR SS:[EBP-4],EAX
006E7DA4   334F F8          XOR ECX,DWORD PTR DS:[EDI-8]
006E7DA7   8BC6             MOV EAX,ESI
006E7DA9   8BD9             MOV EBX,ECX
006E7DAB   8BCA             MOV ECX,EDX
006E7DAD   83C7 20          ADD EDI,20
006E7DB0   836D 08 01       SUB DWORD PTR SS:[EBP+8],1
006E7DB4   895D F4          MOV DWORD PTR SS:[EBP-C],EBX
006E7DB7   894D F0          MOV DWORD PTR SS:[EBP-10],ECX
006E7DBA   8945 F8          MOV DWORD PTR SS:[EBP-8],EAX
006E7DBD  ^0F85 0DFFFFFF    JNZ BF2142_w.006E7CD0
006E7DC3   8B75 EC          MOV ESI,DWORD PTR SS:[EBP-14]
006E7DC6   8B7D E8          MOV EDI,DWORD PTR SS:[EBP-18]
006E7DC9   8B55 F4          MOV EDX,DWORD PTR SS:[EBP-C]
006E7DCC   C1EA 18          SHR EDX,18
006E7DCF   C1E6 05          SHL ESI,5
006E7DD2   8B5C3E 08        MOV EBX,DWORD PTR DS:[ESI+EDI+8]
006E7DD6   8BC3             MOV EAX,EBX
006E7DD8   8D743E 08        LEA ESI,DWORD PTR DS:[ESI+EDI+8]
006E7DDC   C1F8 18          SAR EAX,18
006E7DDF   3282 A8258000    XOR AL,BYTE PTR DS:[EDX+8025A8]
006E7DE5   0FB67D FF        MOVZX EDI,BYTE PTR SS:[EBP-1]
006E7DE9   8845 0B          MOV BYTE PTR SS:[EBP+B],AL
006E7DEC   8B45 0C          MOV EAX,DWORD PTR SS:[EBP+C]
** EAX = 014DAA04
006E7DEF   0FB655 0B        MOVZX EDX,BYTE PTR SS:[EBP+B]
006E7DF3   895D 08          MOV DWORD PTR SS:[EBP+8],EBX
006E7DF6   8810             MOV BYTE PTR DS:[EAX],DL
006E7DF8   8B55 FC          MOV EDX,DWORD PTR SS:[EBP-4]
006E7DFB   C1FB 10          SAR EBX,10
006E7DFE   C1EA 10          SHR EDX,10
006E7E01   0FB6D2           MOVZX EDX,DL
006E7E04   329A A8258000    XOR BL,BYTE PTR DS:[EDX+8025A8]
006E7E0A   0FB6D5           MOVZX EDX,CH
006E7E0D   8858 01          MOV BYTE PTR DS:[EAX+1],BL
006E7E10   8B5D 08          MOV EBX,DWORD PTR SS:[EBP+8]
006E7E13   894D 08          MOV DWORD PTR SS:[EBP+8],ECX
006E7E16   8BCB             MOV ECX,EBX
006E7E18   C1F9 08          SAR ECX,8
006E7E1B   328A A8258000    XOR CL,BYTE PTR DS:[EDX+8025A8]
006E7E21   8B55 F8          MOV EDX,DWORD PTR SS:[EBP-8]
006E7E24   8848 02          MOV BYTE PTR DS:[EAX+2],CL
006E7E27   81E2 FF000000    AND EDX,0FF
006E7E2D   0FB692 A8258000  MOVZX EDX,BYTE PTR DS:[EDX+8025A8]
006E7E34   32D3             XOR DL,BL
006E7E36   8850 03          MOV BYTE PTR DS:[EAX+3],DL
006E7E39   8B56 04          MOV EDX,DWORD PTR DS:[ESI+4]
006E7E3C   8BDA             MOV EBX,EDX
006E7E3E   C1FB 18          SAR EBX,18
006E7E41   329F A8258000    XOR BL,BYTE PTR DS:[EDI+8025A8]
006E7E47   0FB67D F2        MOVZX EDI,BYTE PTR SS:[EBP-E]
006E7E4B   8858 04          MOV BYTE PTR DS:[EAX+4],BL
006E7E4E   8BDA             MOV EBX,EDX
006E7E50   C1FB 10          SAR EBX,10
006E7E53   329F A8258000    XOR BL,BYTE PTR DS:[EDI+8025A8]
006E7E59   0FB67D F9        MOVZX EDI,BYTE PTR SS:[EBP-7]
006E7E5D   8858 05          MOV BYTE PTR DS:[EAX+5],BL
006E7E60   8BDA             MOV EBX,EDX
006E7E62   C1FB 08          SAR EBX,8
006E7E65   329F A8258000    XOR BL,BYTE PTR DS:[EDI+8025A8]
006E7E6B   8B7D F4          MOV EDI,DWORD PTR SS:[EBP-C]
006E7E6E   8858 06          MOV BYTE PTR DS:[EAX+6],BL
006E7E71   81E7 FF000000    AND EDI,0FF
006E7E77   0FB69F A8258000  MOVZX EBX,BYTE PTR DS:[EDI+8025A8]
006E7E7E   0FB67D F3        MOVZX EDI,BYTE PTR SS:[EBP-D]
006E7E82   32DA             XOR BL,DL
006E7E84   8858 07          MOV BYTE PTR DS:[EAX+7],BL
006E7E87   8B56 08          MOV EDX,DWORD PTR DS:[ESI+8]
006E7E8A   8BDA             MOV EBX,EDX
006E7E8C   C1FB 18          SAR EBX,18
006E7E8F   329F A8258000    XOR BL,BYTE PTR DS:[EDI+8025A8]
006E7E95   0FB67D FA        MOVZX EDI,BYTE PTR SS:[EBP-6]
006E7E99   8858 08          MOV BYTE PTR DS:[EAX+8],BL
006E7E9C   8BDA             MOV EBX,EDX
006E7E9E   C1FB 10          SAR EBX,10
006E7EA1   329F A8258000    XOR BL,BYTE PTR DS:[EDI+8025A8]
006E7EA7   0FB67D F5        MOVZX EDI,BYTE PTR SS:[EBP-B]
006E7EAB   8858 09          MOV BYTE PTR DS:[EAX+9],BL
006E7EAE   8BDA             MOV EBX,EDX
006E7EB0   C1FB 08          SAR EBX,8
006E7EB3   329F A8258000    XOR BL,BYTE PTR DS:[EDI+8025A8]
006E7EB9   8B7D FC          MOV EDI,DWORD PTR SS:[EBP-4]
006E7EBC   8858 0A          MOV BYTE PTR DS:[EAX+A],BL
006E7EBF   81E7 FF000000    AND EDI,0FF
006E7EC5   0FB69F A8258000  MOVZX EBX,BYTE PTR DS:[EDI+8025A8]
006E7ECC   32DA             XOR BL,DL
006E7ECE   8858 0B          MOV BYTE PTR DS:[EAX+B],BL
006E7ED1   8B56 0C          MOV EDX,DWORD PTR DS:[ESI+C]
006E7ED4   0FB675 FB        MOVZX ESI,BYTE PTR SS:[EBP-5]
006E7ED8   8BDA             MOV EBX,EDX
006E7EDA   C1FB 18          SAR EBX,18
006E7EDD   329E A8258000    XOR BL,BYTE PTR DS:[ESI+8025A8]
006E7EE3   0FB675 F6        MOVZX ESI,BYTE PTR SS:[EBP-A]
006E7EE7   8858 0C          MOV BYTE PTR DS:[EAX+C],BL
006E7EEA   8BDA             MOV EBX,EDX
006E7EEC   8B4D 08          MOV ECX,DWORD PTR SS:[EBP+8]
006E7EEF   C1FB 10          SAR EBX,10
006E7EF2   329E A8258000    XOR BL,BYTE PTR DS:[ESI+8025A8]
006E7EF8   0FB675 FD        MOVZX ESI,BYTE PTR SS:[EBP-3]
006E7EFC   8858 0D          MOV BYTE PTR DS:[EAX+D],BL
006E7EFF   8BDA             MOV EBX,EDX
006E7F01   C1FB 08          SAR EBX,8
006E7F04   329E A8258000    XOR BL,BYTE PTR DS:[ESI+8025A8]
006E7F0A   81E1 FF000000    AND ECX,0FF
006E7F10   8858 0E          MOV BYTE PTR DS:[EAX+E],BL
006E7F13   8A89 A8258000    MOV CL,BYTE PTR DS:[ECX+8025A8]
006E7F19   5E               POP ESI
006E7F1A   32CA             XOR CL,DL
006E7F1C   5B               POP EBX
006E7F1D   8848 0F          MOV BYTE PTR DS:[EAX+F],CL
006E7F20   33C0             XOR EAX,EAX
006E7F22   5F               POP EDI
006E7F23   8BE5             MOV ESP,EBP
006E7F25   5D               POP EBP
006E7F26   C2 0800          RETN 8

After this coding exist on address 014DAA04 coded information which is used for Base64 encoding

Butcher · 26 Oct 2006 1:48 pm

I'm gonna be completely honest, after reading it I am certain it is a way to get a processor to make phone calls illegally... Better see what Madhatter says, he can probably make it all sound very logical, .

MadHatter · 26 Oct 2006 1:51 pm

LOL butcher. over on BF2 Tech we've been trying to figure out the way we can talk to the bf2142 stat servers. each request has a "cryptic" auth parameter that Tubar just showed whats going on.

wow! nice work Tubar!

I have a couple of questions:

I've noticed that I cannot use the same auth value between different queries. is the 00000064 value (bytes 5-8) is this used for every query? if not, is the last set of numbers (seemingly random) based on which query is this is being generated for or does it seem purely random. I'm positive each query has its own identifier...

where are the xor numbers from (step 2)? are they "magic numbers" hard coded or are they produced by some other segment of code?

do you have any idea of what step 4 is doing? it seems like some sort of manipulation of the bytes, but I never learned assembler.

Craigins · 26 Oct 2006 3:00 pm

I'll take a look at part 4. I'm not that fluent in assembly but I have written some basic compilers in it. I'll have to brush up, it looks like a slightly different assembly syntax than i'm used to.

Not to be picky or anything but do you have the complete function call in assembly? Basically i'm looking for something that says:

PUSH EBP

...... lots of code here

006E7F25 5D POP EBP
006E7F26 C2 0800 RETN 8

It'll help get the whole scope of the function instead of jumping in the middle.

Edit, well in theory it would be nice to get the section of code right before the call to function(006E7BE0) this will tell us what the parameters are for the function as well.

Another edit: even with the other code, I'd have to do a lot more research, they are using many registers that I have never used before(AH/AL/DL etc. they hold data from certain operations that are performed, like overflow and carry)

Last edited by Craigins (27 Oct 2006 12:50 pm)

MadHatter · 26 Oct 2006 7:24 pm

I dont believe those are cpu registers (most likely stack). they're more like debug symbols. he used ollydbg which you can get from here: http://www.ollydbg.de/ it actually looks pretty nice, so you may want to give it a try.

I'm looking through it on my machine.

Craigins · 26 Oct 2006 7:49 pm

they are cpu registers. I debugged in Microsoft Visual Studios 2005.

http://webster.cs.ucr.edu/AoA/Windows/H … rlda3.html

The 80x86 (Intel family) CPUs provide several general purpose registers for application use. These include eight 32-bit registers that have the following names:

EAX, EBX, ECX, EDX, ESI, EDI, EBP, and ESP

The "E" prefix on each name stands for extended. This prefix differentiates the 32-bit registers from the eight 16-bit registers that have the following names:

AX, BX, CX, DX, SI, DI, BP, and SP

Finally, the 80x86 CPUs provide eight 8-bit registers that have the following names:

AL, AH, BL, BH, CL, CH, DL, and DH

http://webster.cs.ucr.edu/AoA/Windows/HTML/images/HelloWorld5.gif

The compiler is doing some hefty register manipulation. I'm thinking if we get the full function we might, MIGHT be able to compile the function and just use it to generate the codes. That way we don't have to figure out what it does.

Tubar · 26 Oct 2006 11:59 pm

MadHatter :
I have a couple of questions:
I've noticed that I cannot use the same auth value between different queries. is the 00000064 value (bytes 5-8) is this used for every query? if not, is the last set of numbers (seemingly random) based on which query is this is being generated for or does it seem purely random. I'm positive each query has its own identifier...

where are the xor numbers from (step 2)? are they "magic numbers" hard coded or are they produced by some other segment of code?

do you have any idea of what step 4 is doing? it seems like some sort of manipulation of the bytes, but I never learned assembler.

No, you can use same auth, but only 15-30 minuts. I think, authentication work so. For creating is used server actual TIMESTAMP. But of course by server can't by atom actual time. For that is on gamespy time tolerance. I have try request with authkey more time, and every time i got data. That was in interwal nearly 30 minuts! After that I got message that authetication is OLD. I think, in gamespy is check how old is this auth, when is < 30 minuts, is ok, when > 30 minuts, than dont get data. Data 00000064 - yes, is used for every query. and next 0100xxxx is too used for every query, so bytes 01 00 yes, next two are "random" ?

xor

are every time same "magic numbers", i think that is "coding key"

Code:

EBX = 74FD4045 (00..03)
ESI = 64000000 (04..07)
ECX = F96AE204 (08..11)
EDX = 0100FCE4 (12..15)

and xor

Code:

EDI = 01BF9E28 - pointer to memory to "magic numbers"
EBX xor [EDI+08] => 74FD4045 xor 4CBB56AA = 384616EF =  X1
ESI xor [EDI+0C] => 64000000 xor 780000C3 = 1C0000C3 =  X2
ECX xor [EDI+10] => F96AE204 xor 65FFEF44 = 9C950D40 =  X3
EDX xor [EDI+14] => 0100FCE4 xor 23122C2C = 2212D0C8 =  X4

I analyze this code now, but when someone is good in assembler too, can me help too.

Tubar · 27 Oct 2006 12:07 am

Craigins :
It'll help get the whole scope of the function instead of jumping in the middle.

Whole function is here:

Code:

006E82A0   E8 3BF9FFFF      CALL BF2142_w.006E7BE0

Just watch address 006E7BE0 here start this coding:

Code:

006E7BE0   55               PUSH EBP
006E7BE1   8BEC             MOV EBP,ESP
006E7BE3   83EC 18          SUB ESP,18
006E7BE6   57               PUSH EDI
006E7BE7   8BF9             MOV EDI,ECX
006E7BE9   807F 04 00       CMP BYTE PTR DS:[EDI+4],0
006E7BED   897D E8          MOV DWORD PTR SS:[EBP-18],EDI
006E7BF0   75 0C            JNZ SHORT BF2142_w.006E7BFE
006E7BF2   B8 01000000      MOV EAX,1
006E7BF7   5F               POP EDI
006E7BF8   8BE5             MOV ESP,EBP
006E7BFA   5D               POP EBP
006E7BFB   C2 0800          RETN 8
006E7BFE   8B45 08          MOV EAX,DWORD PTR SS:[EBP+8]   <= Tu sa nastavuje EAX na 01BFA21C ?
006E7C01   0FB648 01        MOVZX ECX,BYTE PTR DS:[EAX+1]
006E7C05   83C0 01          ADD EAX,1
006E7C08   33D2             XOR EDX,EDX
006E7C0A   8A70 01          MOV DH,BYTE PTR DS:[EAX+1]
006E7C0D   83C0 01          ADD EAX,1
006E7C10   53               PUSH EBX
006E7C11   0FB658 FE        MOVZX EBX,BYTE PTR DS:[EAX-2]
006E7C15   83C0 01          ADD EAX,1
006E7C18   C1E1 10          SHL ECX,10
006E7C1B   83C0 01          ADD EAX,1
006E7C1E   56               PUSH ESI
006E7C1F   0FB630           MOVZX ESI,BYTE PTR DS:[EAX]
006E7C22   C1E3 18          SHL EBX,18
006E7C25   0BD9             OR EBX,ECX
006E7C27   0FB648 FF        MOVZX ECX,BYTE PTR DS:[EAX-1]
006E7C2B   0BDA             OR EBX,EDX
006E7C2D   0FB650 01        MOVZX EDX,BYTE PTR DS:[EAX+1]
006E7C31   83C0 01          ADD EAX,1
006E7C34   0BD9             OR EBX,ECX
006E7C36   83C0 01          ADD EAX,1
006E7C39   C1E2 10          SHL EDX,10
006E7C3C   33C9             XOR ECX,ECX
006E7C3E   8A28             MOV CH,BYTE PTR DS:[EAX]
006E7C40   C1E6 18          SHL ESI,18
006E7C43   0BF2             OR ESI,EDX
006E7C45   0FB650 01        MOVZX EDX,BYTE PTR DS:[EAX+1]
006E7C49   83C0 01          ADD EAX,1
006E7C4C   0BF1             OR ESI,ECX
006E7C4E   0FB648 01        MOVZX ECX,BYTE PTR DS:[EAX+1]
006E7C52   0BF2             OR ESI,EDX
006E7C54   3377 0C          XOR ESI,DWORD PTR DS:[EDI+C]
006E7C57   83C0 01          ADD EAX,1
006E7C5A   0FB650 01        MOVZX EDX,BYTE PTR DS:[EAX+1]
006E7C5E   83C0 01          ADD EAX,1
006E7C61   C1E2 10          SHL EDX,10
006E7C64   C1E1 18          SHL ECX,18
006E7C67   0BCA             OR ECX,EDX
006E7C69   33D2             XOR EDX,EDX
006E7C6B   8A70 01          MOV DH,BYTE PTR DS:[EAX+1]
006E7C6E   83C0 01          ADD EAX,1
006E7C71   83C0 01          ADD EAX,1
006E7C74   83C0 01          ADD EAX,1
006E7C77   8975 FC          MOV DWORD PTR SS:[EBP-4],ESI
006E7C7A   0FB630           MOVZX ESI,BYTE PTR DS:[EAX]
006E7C7D   0BCA             OR ECX,EDX
006E7C7F   0FB650 FF        MOVZX EDX,BYTE PTR DS:[EAX-1]
006E7C83   0BCA             OR ECX,EDX
006E7C85   0FB650 01        MOVZX EDX,BYTE PTR DS:[EAX+1]
006E7C89   83C0 01          ADD EAX,1
006E7C8C   335F 08          XOR EBX,DWORD PTR DS:[EDI+8]
006E7C8F   334F 10          XOR ECX,DWORD PTR DS:[EDI+10]
006E7C92   C1E2 10          SHL EDX,10  (EDX = 00000000)
006E7C95   C1E6 18          SHL ESI,18  (ESI = 01000000)
006E7C98   0BF2             OR ESI,EDX
006E7C9A   33D2             XOR EDX,EDX
006E7C9C   8A70 01          MOV DH,BYTE PTR DS:[EAX+1]
006E7C9F   83C0 01          ADD EAX,1
006E7CA2   895D F4          MOV DWORD PTR SS:[EBP-C],EBX
006E7CA5   894D F0          MOV DWORD PTR SS:[EBP-10],ECX
006E7CA8   8A50 01          MOV DL,BYTE PTR DS:[EAX+1]
006E7CAB   0BD6             OR EDX,ESI
006E7CAD   3357 14          XOR EDX,DWORD PTR DS:[EDI+14]
006E7CB0   8BB7 D0030000    MOV ESI,DWORD PTR DS:[EDI+3D0]
006E7CB6   83FE 01          CMP ESI,1
006E7CB9   8BC2             MOV EAX,EDX
006E7CBB   8945 F8          MOV DWORD PTR SS:[EBP-8],EAX
006E7CBE   8975 EC          MOV DWORD PTR SS:[EBP-14],ESI
006E7CC1   0F8E 02010000    JLE BF2142_w.006E7DC9
006E7CC7   83C7 30          ADD EDI,30
006E7CCA   83C6 FF          ADD ESI,-1
006E7CCD   8975 08          MOV DWORD PTR SS:[EBP+8],ESI
006E7CD0   8B55 F0          MOV EDX,DWORD PTR SS:[EBP-10]
006E7CD3   C1EA 10          SHR EDX,10
006E7CD6   0FB675 F3        MOVZX ESI,BYTE PTR SS:[EBP-D]
006E7CDA   0FB6D2           MOVZX EDX,DL
006E7CDD   0FB6C4           MOVZX EAX,AH
006E7CE0   8B0485 A82F8000  MOV EAX,DWORD PTR DS:[EAX*4+802FA8]
006E7CE7   330495 A82B8000  XOR EAX,DWORD PTR DS:[EDX*4+802BA8]
006E7CEE   0FB655 FF        MOVZX EDX,BYTE PTR SS:[EBP-1]
006E7CF2   330495 A8278000  XOR EAX,DWORD PTR DS:[EDX*4+8027A8]
006E7CF9   8BD3             MOV EDX,EBX
006E7CFB   81E2 FF000000    AND EDX,0FF
006E7D01   330495 A8338000  XOR EAX,DWORD PTR DS:[EDX*4+8033A8]
006E7D08   8B55 F8          MOV EDX,DWORD PTR SS:[EBP-8]
006E7D0B   C1EA 10          SHR EDX,10
006E7D0E   0FB6D2           MOVZX EDX,DL
006E7D11   8B1495 A82B8000  MOV EDX,DWORD PTR DS:[EDX*4+802BA8]
006E7D18   3314B5 A8278000  XOR EDX,DWORD PTR DS:[ESI*4+8027A8]
006E7D1F   0FB6F7           MOVZX ESI,BH
006E7D22   3314B5 A82F8000  XOR EDX,DWORD PTR DS:[ESI*4+802FA8]
006E7D29   8B75 FC          MOV ESI,DWORD PTR SS:[EBP-4]
006E7D2C   0FB65D FD        MOVZX EBX,BYTE PTR SS:[EBP-3]
006E7D30   81E6 FF000000    AND ESI,0FF
006E7D36   3314B5 A8338000  XOR EDX,DWORD PTR DS:[ESI*4+8033A8]
006E7D3D   0FB675 FB        MOVZX ESI,BYTE PTR SS:[EBP-5]
006E7D41   8B34B5 A8278000  MOV ESI,DWORD PTR DS:[ESI*4+8027A8]
006E7D48   33349D A82F8000  XOR ESI,DWORD PTR DS:[EBX*4+802FA8]
006E7D4F   0FB65D F6        MOVZX EBX,BYTE PTR SS:[EBP-A]
006E7D53   33349D A82B8000  XOR ESI,DWORD PTR DS:[EBX*4+802BA8]
006E7D5A   3347 FC          XOR EAX,DWORD PTR DS:[EDI-4]
006E7D5D   3317             XOR EDX,DWORD PTR DS:[EDI]
006E7D5F   8BD9             MOV EBX,ECX
006E7D61   81E3 FF000000    AND EBX,0FF
006E7D67   33349D A8338000  XOR ESI,DWORD PTR DS:[EBX*4+8033A8]
006E7D6E   0FB65D FE        MOVZX EBX,BYTE PTR SS:[EBP-2]
006E7D72   3377 04          XOR ESI,DWORD PTR DS:[EDI+4]
006E7D75   0FB6CD           MOVZX ECX,CH
006E7D78   8B0C8D A82F8000  MOV ECX,DWORD PTR DS:[ECX*4+802FA8]
006E7D7F   330C9D A82B8000  XOR ECX,DWORD PTR DS:[EBX*4+802BA8]
006E7D86   0FB65D F7        MOVZX EBX,BYTE PTR SS:[EBP-9]
006E7D8A   330C9D A8278000  XOR ECX,DWORD PTR DS:[EBX*4+8027A8]
006E7D91   8B5D F8          MOV EBX,DWORD PTR SS:[EBP-8]
006E7D94   81E3 FF000000    AND EBX,0FF
006E7D9A   330C9D A8338000  XOR ECX,DWORD PTR DS:[EBX*4+8033A8]
006E7DA1   8945 FC          MOV DWORD PTR SS:[EBP-4],EAX
006E7DA4   334F F8          XOR ECX,DWORD PTR DS:[EDI-8]
006E7DA7   8BC6             MOV EAX,ESI
006E7DA9   8BD9             MOV EBX,ECX
006E7DAB   8BCA             MOV ECX,EDX
006E7DAD   83C7 20          ADD EDI,20
006E7DB0   836D 08 01       SUB DWORD PTR SS:[EBP+8],1
006E7DB4   895D F4          MOV DWORD PTR SS:[EBP-C],EBX
006E7DB7   894D F0          MOV DWORD PTR SS:[EBP-10],ECX
006E7DBA   8945 F8          MOV DWORD PTR SS:[EBP-8],EAX
006E7DBD  ^0F85 0DFFFFFF    JNZ BF2142_w.006E7CD0
006E7DC3   8B75 EC          MOV ESI,DWORD PTR SS:[EBP-14]
006E7DC6   8B7D E8          MOV EDI,DWORD PTR SS:[EBP-18]
006E7DC9   8B55 F4          MOV EDX,DWORD PTR SS:[EBP-C]
006E7DCC   C1EA 18          SHR EDX,18
006E7DCF   C1E6 05          SHL ESI,5
006E7DD2   8B5C3E 08        MOV EBX,DWORD PTR DS:[ESI+EDI+8]
006E7DD6   8BC3             MOV EAX,EBX
006E7DD8   8D743E 08        LEA ESI,DWORD PTR DS:[ESI+EDI+8]
006E7DDC   C1F8 18          SAR EAX,18
006E7DDF   3282 A8258000    XOR AL,BYTE PTR DS:[EDX+8025A8]
006E7DE5   0FB67D FF        MOVZX EDI,BYTE PTR SS:[EBP-1]
006E7DE9   8845 0B          MOV BYTE PTR SS:[EBP+B],AL
006E7DEC   8B45 0C          MOV EAX,DWORD PTR SS:[EBP+C]
006E7DEF   0FB655 0B        MOVZX EDX,BYTE PTR SS:[EBP+B]
006E7DF3   895D 08          MOV DWORD PTR SS:[EBP+8],EBX
006E7DF6   8810             MOV BYTE PTR DS:[EAX],DL
006E7DF8   8B55 FC          MOV EDX,DWORD PTR SS:[EBP-4]
006E7DFB   C1FB 10          SAR EBX,10
006E7DFE   C1EA 10          SHR EDX,10
006E7E01   0FB6D2           MOVZX EDX,DL
006E7E04   329A A8258000    XOR BL,BYTE PTR DS:[EDX+8025A8]
006E7E0A   0FB6D5           MOVZX EDX,CH
006E7E0D   8858 01          MOV BYTE PTR DS:[EAX+1],BL
006E7E10   8B5D 08          MOV EBX,DWORD PTR SS:[EBP+8]
006E7E13   894D 08          MOV DWORD PTR SS:[EBP+8],ECX
006E7E16   8BCB             MOV ECX,EBX
006E7E18   C1F9 08          SAR ECX,8
006E7E1B   328A A8258000    XOR CL,BYTE PTR DS:[EDX+8025A8]
006E7E21   8B55 F8          MOV EDX,DWORD PTR SS:[EBP-8]
006E7E24   8848 02          MOV BYTE PTR DS:[EAX+2],CL
006E7E27   81E2 FF000000    AND EDX,0FF
006E7E2D   0FB692 A8258000  MOVZX EDX,BYTE PTR DS:[EDX+8025A8]
006E7E34   32D3             XOR DL,BL
006E7E36   8850 03          MOV BYTE PTR DS:[EAX+3],DL
006E7E39   8B56 04          MOV EDX,DWORD PTR DS:[ESI+4]
006E7E3C   8BDA             MOV EBX,EDX
006E7E3E   C1FB 18          SAR EBX,18
006E7E41   329F A8258000    XOR BL,BYTE PTR DS:[EDI+8025A8]
006E7E47   0FB67D F2        MOVZX EDI,BYTE PTR SS:[EBP-E]
006E7E4B   8858 04          MOV BYTE PTR DS:[EAX+4],BL
006E7E4E   8BDA             MOV EBX,EDX
006E7E50   C1FB 10          SAR EBX,10
006E7E53   329F A8258000    XOR BL,BYTE PTR DS:[EDI+8025A8]
006E7E59   0FB67D F9        MOVZX EDI,BYTE PTR SS:[EBP-7]
006E7E5D   8858 05          MOV BYTE PTR DS:[EAX+5],BL
006E7E60   8BDA             MOV EBX,EDX
006E7E62   C1FB 08          SAR EBX,8
006E7E65   329F A8258000    XOR BL,BYTE PTR DS:[EDI+8025A8]
006E7E6B   8B7D F4          MOV EDI,DWORD PTR SS:[EBP-C]
006E7E6E   8858 06          MOV BYTE PTR DS:[EAX+6],BL
006E7E71   81E7 FF000000    AND EDI,0FF
006E7E77   0FB69F A8258000  MOVZX EBX,BYTE PTR DS:[EDI+8025A8]
006E7E7E   0FB67D F3        MOVZX EDI,BYTE PTR SS:[EBP-D]
006E7E82   32DA             XOR BL,DL
006E7E84   8858 07          MOV BYTE PTR DS:[EAX+7],BL
006E7E87   8B56 08          MOV EDX,DWORD PTR DS:[ESI+8]
006E7E8A   8BDA             MOV EBX,EDX
006E7E8C   C1FB 18          SAR EBX,18
006E7E8F   329F A8258000    XOR BL,BYTE PTR DS:[EDI+8025A8]
006E7E95   0FB67D FA        MOVZX EDI,BYTE PTR SS:[EBP-6]
006E7E99   8858 08          MOV BYTE PTR DS:[EAX+8],BL
006E7E9C   8BDA             MOV EBX,EDX
006E7E9E   C1FB 10          SAR EBX,10
006E7EA1   329F A8258000    XOR BL,BYTE PTR DS:[EDI+8025A8]
006E7EA7   0FB67D F5        MOVZX EDI,BYTE PTR SS:[EBP-B]
006E7EAB   8858 09          MOV BYTE PTR DS:[EAX+9],BL
006E7EAE   8BDA             MOV EBX,EDX
006E7EB0   C1FB 08          SAR EBX,8
006E7EB3   329F A8258000    XOR BL,BYTE PTR DS:[EDI+8025A8]
006E7EB9   8B7D FC          MOV EDI,DWORD PTR SS:[EBP-4]
006E7EBC   8858 0A          MOV BYTE PTR DS:[EAX+A],BL
006E7EBF   81E7 FF000000    AND EDI,0FF
006E7EC5   0FB69F A8258000  MOVZX EBX,BYTE PTR DS:[EDI+8025A8]
006E7ECC   32DA             XOR BL,DL
006E7ECE   8858 0B          MOV BYTE PTR DS:[EAX+B],BL
006E7ED1   8B56 0C          MOV EDX,DWORD PTR DS:[ESI+C]
006E7ED4   0FB675 FB        MOVZX ESI,BYTE PTR SS:[EBP-5]
006E7ED8   8BDA             MOV EBX,EDX
006E7EDA   C1FB 18          SAR EBX,18
006E7EDD   329E A8258000    XOR BL,BYTE PTR DS:[ESI+8025A8]
006E7EE3   0FB675 F6        MOVZX ESI,BYTE PTR SS:[EBP-A]
006E7EE7   8858 0C          MOV BYTE PTR DS:[EAX+C],BL
006E7EEA   8BDA             MOV EBX,EDX
006E7EEC   8B4D 08          MOV ECX,DWORD PTR SS:[EBP+8]
006E7EEF   C1FB 10          SAR EBX,10
006E7EF2   329E A8258000    XOR BL,BYTE PTR DS:[ESI+8025A8]
006E7EF8   0FB675 FD        MOVZX ESI,BYTE PTR SS:[EBP-3]
006E7EFC   8858 0D          MOV BYTE PTR DS:[EAX+D],BL
006E7EFF   8BDA             MOV EBX,EDX
006E7F01   C1FB 08          SAR EBX,8
006E7F04   329E A8258000    XOR BL,BYTE PTR DS:[ESI+8025A8]
006E7F0A   81E1 FF000000    AND ECX,0FF
006E7F10   8858 0E          MOV BYTE PTR DS:[EAX+E],BL
006E7F13   8A89 A8258000    MOV CL,BYTE PTR DS:[ECX+8025A8]
006E7F19   5E               POP ESI
006E7F1A   32CA             XOR CL,DL
006E7F1C   5B               POP EBX
006E7F1D   8848 0F          MOV BYTE PTR DS:[EAX+F],CL
006E7F20   33C0             XOR EAX,EAX
006E7F22   5F               POP EDI
006E7F23   8BE5             MOV ESP,EBP
006E7F25   5D               POP EBP
006E7F26   C2 0800          RETN 8

From 006E7BE0 to 006E7CD0 just only read TIMESTAMP, PID, ... into registry
After that from 006E7CD0 is coding. This coding use loop for this parameter:
0012F34C = 0000000A (ESI) - so 10x
Here is that check:

Code:

006E7DBD  0F85 0DFFFFFF    JNZ BF2142_w.006E7CD0

After that is final write coded bytes into address 014DAA04.

Tubar · 27 Oct 2006 12:10 am

And some tips to use ollydebuger:

Just start win server, start client BF2142. After that start ollydebuger, attach game server to ollydebug, click on Run in Debug. In memory dump address 006E82A0, add at byte E8 at this address hardware breakpoint for execution.

Now try join with client to your local win server - join to IP 127.0.0.1 (of course with online account, not offline)

After join you go into debug, now is server stoped by your breakpoint. Now F7 - go into this function, and watch what is going

Tubar · 27 Oct 2006 12:26 am

And here some test result what I try:

Sample 1:

Code:

Input data (Timestamp: 45419B10, 00000064, PID: 04E26AF9, 548F0001)
01BFA21C  10 9B 41 45 64 00 00 00 F9 6A E2 04 01 00 8F 54  ›AEd...ůjâ.ŹT
Coded data:
014DAA04  9B 80 EB 44 08 1C C3 A8 72 C7 72 D1 AA F5 6E 94  ›€ëDĂ¨rÇrŃŞőn”
Converted data into Base64 from 014DAA04:
07B39C64  6D 34 44 72 52 41 67 63 77 36 68 79 78 33 4C 52  m4DrRAgcw6hyx3LR
07B39C74  71 76 56 75 6C 41 5F 5F                          qvVulA__

Sample 2 (here I change just Timestamp +1 second 10=>11:

Code:

Input data (Timestamp: 45419B10, 00000064, PID: 04E26AF9, 548F0001)
01BFA21C  11 9B 41 45 64 00 00 00 F9 6A E2 04 01 00 8F 54  ›AEd...ůjâ.ŹT
Coded data:
014DAA04  D4 01 4D 01 34 AA 4D 01 D4 01 4D 01 70 40 D3 07  ÔM4ŞMÔMp@Ó
Converted data into Base64 from 014DAA04:
07B39C64  69 6A 61 6B 31 32 6B 76 5D 72 57 38 37 30 6F 71  ijak12kv]rW870oq
07B39C74  35 38 73 6D 39 41 5F 5F                          58sm9A__

You can see, auth code
Sample1: m4DrRAgcw6hyx3LRqvVulA__
Sample2: ijak12kv]rW870oq58sm9A__
Are very diferent, and that was just only 1 second time stamp changed!

Last edited by Tubar (27 Oct 2006 6:34 am)

Craigins · 27 Oct 2006 7:41 am

Can someone confirm what I'm thinking:

The addressing like:

BYTE PTR DS:[EAX+1]

is base indexed addressing, where the register DS contains an address, and we are reading a byte from the offset of the value stored in EAX+1. I've never seen that syntax and it is really hard to google(at least for me) for assembly language references.

From memory i believe i have only used base indexed as DS(%eax,1) .

But anyways, do you happen to know the parameters passed to the function? should be a bunch of push statements before, and then a add to the esp after it returns to pop the parameters off the stack.

Anytime you see EBP+# is accessing a parameter to the function call. EBP- is referencing local variables to the function(18 bytes worth of local space from the subl esp, 18 call).

It's slowly coming back to me, I should have better luck figuring it out tonight after work.

Found a good site to reference registers:
http://www.xs4all.nl/~smit/asm01001.htm

DS and SS are going to be tricky to decode, they point to the current data segment and stack segment loaded into memory. meaning 2 forms of global variables to account for.

Last edited by Craigins (27 Oct 2006 7:53 am)

MadHatter · 27 Oct 2006 8:23 am

yea I'm no help there. I started trying to work it out last night, but stopped for the exact same thing. I get the overall concept that its an xor shift hash but which bits they're shifting gets kind of confusing because of the addr+offset info.

Craigins · 27 Oct 2006 1:45 pm

MadHatter :
thats embarrassing. the strike bbcode was a recent addition.

the bug gnome must have visited just after I added it

shhh if you won't tell i wont! anyways i don't get the strike through button on my reply form and i tried coding a closing strike through on my first post but the BBCode parser must have thrown it out.

MadHatter · 27 Oct 2006 2:25 pm

heh, yea the parser strips out html. I had just added the list and the strike out bbcode the other day... hadn't put it on the help or reply buttons yet but there ya go

Craigins · 27 Oct 2006 6:03 pm

I must say, this encryption algorithm is <insert colorful metaphore here>

I've gone over the first 30 or so lines and the post saying its simple on the wiki board must be an encryption guy who knows a ton of encryption algorithms.
Here is a sample of what i have so far

Code:

006E7BFE    8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]    ;put     parameter    into EAX
006E7C01    0FB648 01    MOVZX ECX,BYTE PTR DS:[EAX+1]    ;put     2nd byte    into ecx
006E7C05    83C0 01        ADD EAX,1            ;add     1     to eax
006E7C08    33D2        XOR EDX,EDX            ;set     edx =    0
006E7C0A    8A70 01        MOV DH,BYTE PTR DS:[EAX+1]    ;put     3rd byte    int dh
006E7C0D    83C0 01        ADD EAX,1            ;add     1    to eax
006E7C10    53        PUSH EBX            ;save    ebx    
006E7C11    0FB658 FE    MOVZX EBX,BYTE PTR DS:[EAX-2]    ;put     parameter    into ebx
006E7C15    83C0 01        ADD EAX,1            ;add     1    to eax
006E7C18    C1E1 10        SHL ECX,10            ;divide    ecx    by 1024
006E7C1B    83C0 01        ADD EAX,1            ;add     1    eax
006E7C1E    56        PUSH ESI            ;save    esi    
006E7C1F    0FB630        MOVZX ESI,BYTE PTR DS:[EAX]    ;put     parameter    into esi
006E7C22    C1E3 18        SHL EBX,18            ;divide    ebx    by 262144
006E7C25    0BD9        OR EBX,ECX            ;or    ebx    ecx
006E7C27    0FB648 FF    MOVZX ECX,BYTE PTR DS:[EAX-1]    ;put     4th byte    into ecx
006E7C2B    0BDA        OR EBX,EDX            ;or    ebx    edx

At least that is what i believe its doing. I'm not sure if we will be able to decode it, hopefully we can just encode to match.

MadHatter · 28 Oct 2006 1:24 am

the bits we're really interested in are from 006E7CD0 - 006E7DBD (006E7CD0 is the entry point to the function according to the other code).

according to the loop:

Code:

#-- start of loop --#
006E7CD0   8B55 F0          MOV EDX,DWORD PTR SS:[EBP-10]
006E7CD3   C1EA 10          SHR EDX,10
006E7CD6   0FB675 F3        MOVZX ESI,BYTE PTR SS:[EBP-D]
006E7CDA   0FB6D2           MOVZX EDX,DL
006E7CDD   0FB6C4           MOVZX EAX,AH
006E7CE0   8B0485 A82F8000  MOV EAX,DWORD PTR DS:[EAX*4+802FA8]
006E7CE7   330495 A82B8000  XOR EAX,DWORD PTR DS:[EDX*4+802BA8]
006E7CEE   0FB655 FF        MOVZX EDX,BYTE PTR SS:[EBP-1]
006E7CF2   330495 A8278000  XOR EAX,DWORD PTR DS:[EDX*4+8027A8]
006E7CF9   8BD3             MOV EDX,EBX
006E7CFB   81E2 FF000000    AND EDX,0FF
006E7D01   330495 A8338000  XOR EAX,DWORD PTR DS:[EDX*4+8033A8]
006E7D08   8B55 F8          MOV EDX,DWORD PTR SS:[EBP-8]
006E7D0B   C1EA 10          SHR EDX,10
006E7D0E   0FB6D2           MOVZX EDX,DL
006E7D11   8B1495 A82B8000  MOV EDX,DWORD PTR DS:[EDX*4+802BA8]
006E7D18   3314B5 A8278000  XOR EDX,DWORD PTR DS:[ESI*4+8027A8]
006E7D1F   0FB6F7           MOVZX ESI,BH
006E7D22   3314B5 A82F8000  XOR EDX,DWORD PTR DS:[ESI*4+802FA8]
006E7D29   8B75 FC          MOV ESI,DWORD PTR SS:[EBP-4]
006E7D2C   0FB65D FD        MOVZX EBX,BYTE PTR SS:[EBP-3]
006E7D30   81E6 FF000000    AND ESI,0FF
006E7D36   3314B5 A8338000  XOR EDX,DWORD PTR DS:[ESI*4+8033A8]
006E7D3D   0FB675 FB        MOVZX ESI,BYTE PTR SS:[EBP-5]
006E7D41   8B34B5 A8278000  MOV ESI,DWORD PTR DS:[ESI*4+8027A8]
006E7D48   33349D A82F8000  XOR ESI,DWORD PTR DS:[EBX*4+802FA8]
006E7D4F   0FB65D F6        MOVZX EBX,BYTE PTR SS:[EBP-A]
006E7D53   33349D A82B8000  XOR ESI,DWORD PTR DS:[EBX*4+802BA8]
006E7D5A   3347 FC          XOR EAX,DWORD PTR DS:[EDI-4]
006E7D5D   3317             XOR EDX,DWORD PTR DS:[EDI]
006E7D5F   8BD9             MOV EBX,ECX
006E7D61   81E3 FF000000    AND EBX,0FF
006E7D67   33349D A8338000  XOR ESI,DWORD PTR DS:[EBX*4+8033A8]
006E7D6E   0FB65D FE        MOVZX EBX,BYTE PTR SS:[EBP-2]
006E7D72   3377 04          XOR ESI,DWORD PTR DS:[EDI+4]
006E7D75   0FB6CD           MOVZX ECX,CH
006E7D78   8B0C8D A82F8000  MOV ECX,DWORD PTR DS:[ECX*4+802FA8]
006E7D7F   330C9D A82B8000  XOR ECX,DWORD PTR DS:[EBX*4+802BA8]
006E7D86   0FB65D F7        MOVZX EBX,BYTE PTR SS:[EBP-9]
006E7D8A   330C9D A8278000  XOR ECX,DWORD PTR DS:[EBX*4+8027A8]
006E7D91   8B5D F8          MOV EBX,DWORD PTR SS:[EBP-8]
006E7D94   81E3 FF000000    AND EBX,0FF
006E7D9A   330C9D A8338000  XOR ECX,DWORD PTR DS:[EBX*4+8033A8]
006E7DA1   8945 FC          MOV DWORD PTR SS:[EBP-4],EAX
006E7DA4   334F F8          XOR ECX,DWORD PTR DS:[EDI-8]
006E7DA7   8BC6             MOV EAX,ESI
006E7DA9   8BD9             MOV EBX,ECX
006E7DAB   8BCA             MOV ECX,EDX
006E7DAD   83C7 20          ADD EDI,20
006E7DB0   836D 08 01       SUB DWORD PTR SS:[EBP+8],1
006E7DB4   895D F4          MOV DWORD PTR SS:[EBP-C],EBX
006E7DB7   894D F0          MOV DWORD PTR SS:[EBP-10],ECX
006E7DBA   8945 F8          MOV DWORD PTR SS:[EBP-8],EAX
006E7DBD  ^0F85 0DFFFFFF    JNZ BF2142_w.006E7CD0
#-- end of loop --#

it seems he's xor'ing the array w/ itself. from what my untrained eyes can gather, its iterating over the byte array 4 bytes at a time (assuming ADD EDI,20 means add by 32, which if the code's using 4 32 bit ints means they're going from: time to magic number to pid to random# during the iteration).

Craigins · 28 Oct 2006 6:15 am

The function actually starts at:

006E7BE1 8BEC MOV EBP,ESP

then

006E7BE3 83EC 18 SUB ESP,18

allocates local variable space to the function

In order to start you have to save the previous EBP so that you can restore it when you retrun to the calling function.

By the time we get to that loop we are only looking at local variables(EBP-# == local variables). That means we have to go through the first part of the code to see what they put in the local variables before they got to the loop.

EBP+# == parameter to the function
EBP-# == local variable.

DS:

== global variable
SS:

== somewhere on the stack.

The : is for extended memory so its the the address of the first part * 16 + address of second part to get the full address of the pointer.

Tubar · 28 Oct 2006 1:22 pm

Craigins :

I must say, this encryption algorithm is <insert colorful metaphore here>

I've gone over the first 30 or so lines and the post saying its simple on the wiki board must be an encryption guy who knows a ton of encryption algorithms.
Here is a sample of what i have so far

Code:

006E7BFE    8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]    ;put     parameter    into EAX
006E7C01    0FB648 01    MOVZX ECX,BYTE PTR DS:[EAX+1]    ;put     2nd byte    into ecx
006E7C05    83C0 01        ADD EAX,1            ;add     1     to eax
006E7C08    33D2        XOR EDX,EDX            ;set     edx =    0
006E7C0A    8A70 01        MOV DH,BYTE PTR DS:[EAX+1]    ;put     3rd byte    int dh
006E7C0D    83C0 01        ADD EAX,1            ;add     1    to eax
006E7C10    53        PUSH EBX            ;save    ebx    
006E7C11    0FB658 FE    MOVZX EBX,BYTE PTR DS:[EAX-2]    ;put     parameter    into ebx
006E7C15    83C0 01        ADD EAX,1            ;add     1    to eax
006E7C18    C1E1 10        SHL ECX,10            ;divide    ecx    by 1024
006E7C1B    83C0 01        ADD EAX,1            ;add     1    eax
006E7C1E    56        PUSH ESI            ;save    esi    
006E7C1F    0FB630        MOVZX ESI,BYTE PTR DS:[EAX]    ;put     parameter    into esi
006E7C22    C1E3 18        SHL EBX,18            ;divide    ebx    by 262144
006E7C25    0BD9        OR EBX,ECX            ;or    ebx    ecx
006E7C27    0FB648 FF    MOVZX ECX,BYTE PTR DS:[EAX-1]    ;put     4th byte    into ecx
006E7C2B    0BDA        OR EBX,EDX            ;or    ebx    edx

At least that is what i believe its doing. I'm not sure if we will be able to decode it, hopefully we can just encode to match.

Hi,

Some info to assembler

ADD EAX,1 - just make pointer of memory read EAX = EAX+1. In this code is EAX used as pointer for read bytes from memory (coding key?)

SHL ECX,10 ;divide ecx by 1024
and
OR EBX,ECX ;or ebx ecx

Here is only this trick:
In ECX exist some data, SHIFT LEFT whole register, for example when you have in this register
ECX=22127809, SHL 10 make 78090000 - 4 bytes position left move (2212 is deleted, and new right site have 0000)
And OR with ECX, i think, in ECX is only some in 0000xxxx, than you got that
7809xxxx.
With this algoritmus is stored in one register 4 diferent bytes data from some memory
Sample: ECX=AABBCCDD, of course used for that more assembler commands.

I have now no time to analyze rest of code, but I try it tomorow, or on Monday.

Last edited by Tubar (28 Oct 2006 1:22 pm)

Tubar · 28 Oct 2006 1:25 pm

And some info to that:
PTR SS:[EBP+8]
SS - Stack Segment - Read from stack memory (variables, parameters), at position EBP+8

PTR DS:[EAX+1]
DS - Data Segment 0 Read from data memory (bytes), at position EAX+1

For example:

MOV EAX,DWORD PTR SS:[EBP+8]
Just only store to EAX register (variable) pointer where in data segment are storet what I want read

and

MOVZX ECX,BYTE PTR DS:[EAX+1] - read from data address EAX+1 2byte and store in register ECX, other two write zeros
MOV DH,BYTE PTR DS:[EAX+1] - read from data address EAX+1 one byte into DH (EDXregister), all other 3 bytes fill with zeros

Last edited by Tubar (28 Oct 2006 1:28 pm)

Craigins · 28 Oct 2006 2:05 pm

You're right, SHL is multiply by 2^# not divide.(or left shift, means the same thing when you truncate at 32 bits).

MadHatter · 30 Oct 2006 8:54 am

I've been highly tempted to just email the guy who wrote it and ask him what algorithm he used, but IMO that takes the fun out of it.

Craigins · 30 Oct 2006 9:35 am

I had a co worker suggest it might be as simple as using a DES encyption algorithm.

http://www.aci.net/Kalliste/des.htm

anyone care to check it out?

Tubar · 30 Oct 2006 9:41 am

bytes 13 - 16 R#R#0001 where R# is a random number (byte value between 0 - 255) xor'd with 2C2C1223

R# is not random number, i check now, when i write here some for example 01,01 and code string, i have get message:
DecryptionFailure: Authentication token decryption failure

I think, this two bytes are some as CRC check sum of PID and TIMESTAMP, and it's of course used for coding too.

Sanity Free Coding

#1 25 Oct 2006 2:19 pm

bf2142 stat query protocol

Code:

Code:

#2 25 Oct 2006 9:50 pm

Re: bf2142 stat query protocol

Code:

Code:

#3 26 Oct 2006 12:54 pm

Re: bf2142 stat query protocol

Code:

Code:

Code:

Code:

Code:

Code:

Code:

#4 26 Oct 2006 1:48 pm

Re: bf2142 stat query protocol

#5 26 Oct 2006 1:51 pm

Re: bf2142 stat query protocol

#6 26 Oct 2006 3:00 pm

Re: bf2142 stat query protocol

#7 26 Oct 2006 7:24 pm

Re: bf2142 stat query protocol

#8 26 Oct 2006 7:49 pm

Re: bf2142 stat query protocol

#9 26 Oct 2006 11:59 pm

Re: bf2142 stat query protocol

MadHatter :

Code:

Code:

#10 27 Oct 2006 12:07 am

Re: bf2142 stat query protocol

Craigins :

Code:

Code:

Code:

#11 27 Oct 2006 12:10 am

Re: bf2142 stat query protocol

#12 27 Oct 2006 12:26 am

Re: bf2142 stat query protocol

Code:

Code:

#13 27 Oct 2006 7:41 am

Re: bf2142 stat query protocol

#14 27 Oct 2006 8:23 am

Re: bf2142 stat query protocol

#15 27 Oct 2006 1:45 pm

Re: bf2142 stat query protocol

MadHatter :

#16 27 Oct 2006 2:25 pm

Re: bf2142 stat query protocol

#17 27 Oct 2006 6:03 pm

Re: bf2142 stat query protocol

Code:

#18 28 Oct 2006 1:24 am

Re: bf2142 stat query protocol

Code:

#19 28 Oct 2006 6:15 am

Re: bf2142 stat query protocol

#20 28 Oct 2006 1:22 pm

Re: bf2142 stat query protocol

Craigins :

Code:

#21 28 Oct 2006 1:25 pm

Re: bf2142 stat query protocol

#22 28 Oct 2006 2:05 pm

Re: bf2142 stat query protocol

#23 30 Oct 2006 8:54 am

Re: bf2142 stat query protocol

#24 30 Oct 2006 9:35 am

Re: bf2142 stat query protocol

#25 30 Oct 2006 9:41 am

Re: bf2142 stat query protocol