Time Stamps Cracked..

Discussion on Time Stamps Cracked.. within the 12Sky2 forum part of the MMORPGs category.

#1 tri407tiny

So I've decided to look into the time stamp function and found a few things. Time-stamps are actually two 4-byte ints that never go over the limitations of a 3-byte int. The 4th and 8th bytes are thus always zero, so the game replaces the 8th byte with part of the packet id; following that, the 9th byte happens to be the packet id.

The time stamp, or as I like to refer to it, the "key", is made this way, though I see no use. The key is based on this "magic number", though I can't seem to find out how that's made; I'll figure it out later.
Code:
extern int __cdecl MagicNumberGenerator(int last magic number)
{
New magic number = last magic number
Imul New Magic Number, New Magic Number, 000343fd
New Magic Number += 00269ec3
Last magic number = new magic number
int Temp_Magic number = new magic number
Temp_Magic number >>= 16
Temp_Magic number += 00007fff
return Temp_Magic number 
}
Once you have the magic number you divide 10000 by the magic number and store the remainder, then you get another magic number, divide 10000 by it and store the remainder, then you multiply the remainders together and some two other things, take the final product and copy it into key slot 1 or the first time stamp int. Do this all over again for the second key (time stamp).


Note: Yes, I know that that is not "usable" code, though keep in mind I did all of this in 7 hours. It may not be perfect, though I will try my hardest when I get ahold of my computer, and once I find how the magic number is originally generated I will post here.

Note: Hey, what is the true use of this function if we are taking the remainder?? We cannot reverse the multiplication of two remainders, thus the server could never really use this, unless I'm wrong.

#2 Mega Byte (07/02/2011, 18:59)
server would do most of it in reverse

MagicNumber-0x00007FFF
MagicNumber <<= 16

etc. I'm not too sure how to follow the rest of it, as your names for things are confusing :P

#3 tri407tiny (07/02/2011, 19:41)
:P Yea, I'll fix that up in a bit, but we don't send the magic number, only use it.

#4 Mega Byte (07/02/2011, 20:31)
This may be a long shot and I have not fully looked at it, but what if these magic bytes and **** just get reversed down to packet count for send or recv packets :P The server's continuously sending a number to the client as well... so I dunno.
It just seems like a lot of stuff that doesn't need to be there to obfuscate something.

#5 Wazapoo (07/03/2011, 13:42)
Nice work, I found an error in your code though.
Code:
Temp_Magic number += 00007fff
should be
Code:
Temp_Magic number &= 00007fff
The server doesn't check the magic numbers at all though, it only checks the 8th byte, so I didn't do anything with this when I worked with packets when I reversed the magic number generation myself.
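
The generator from post #1 with both finalizers (the `+=` as first posted and the `&=` correction above), as an added example that is not part of the original posts. The multiplier 0x343FD, increment 0x269EC3, `>> 16` and 15-bit mask are the same linear congruential step used by the Microsoft C runtime's rand(), so each value is fully determined by the previous 32-bit state. The struct and function names are hypothetical, and the seed 1 is a constructed sample.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names; the thread gives only pseudocode. */
typedef struct { uint32_t last; } magic_state;

/* One generator step: last = last * 0x343FD + 0x269EC3 (mod 2^32).
 * uint32_t keeps the wrap-around well defined in C. */
static uint32_t magic_step(magic_state *s)
{
    s->last = s->last * 0x000343FDu + 0x00269EC3u;
    return s->last;
}

/* Finalizer as corrected in post #5 (&=): result is always 0..0x7FFF. */
uint32_t magic_next_masked(magic_state *s)
{
    return (magic_step(s) >> 16) & 0x00007FFFu;
}

/* Finalizer as first posted (+=): result can exceed 0x7FFF. */
uint32_t magic_next_added(magic_state *s)
{
    return (magic_step(s) >> 16) + 0x00007FFFu;
}

/* Index of the first of n outputs above 0x7FFF, or -1 if none is. */
int first_over_15_bits(uint32_t seed, int n, uint32_t (*next)(magic_state *))
{
    magic_state s = { seed };
    for (int i = 0; i < n; i++)
        if (next(&s) > 0x00007FFFu)
            return i;
    return -1;
}

int main(void)
{
    magic_state a = { 1 }, b = { 1 };   /* constructed sample seed */
    for (int i = 0; i < 5; i++)
        printf("%d: masked=%u added=%u\n", i,
               (unsigned)magic_next_masked(&a), (unsigned)magic_next_added(&b));
    return 0;
}
```

With seed 1 the masked outputs begin 41, 18467, 6334, the familiar start of that runtime's rand() sequence, so these header values are an unkeyed pseudo-random stream rather than something a receiver could verify.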

#6 Mega Byte (07/03/2011, 17:43)
Fair enough :P and good spotting on the error

#7 iktov2 (07/03/2011, 18:41)
Wtf is a magic number?

#8 Wazapoo (07/03/2011, 19:24)
We are just calling the 8 first bytes in every packet magic numbers because they aren't related to time (not sure though), so time stamp isn't a good name for them.

#9 Mega Byte (07/04/2011, 12:24)
Agrees with Wazapoo :P
And I knew they weren't required for time stuff, as I bp'ed send ages back and changed them to garbage and the packet still worked..

#10 tri407tiny (07/05/2011, 20:37)
Thanks for the correction, adding now. Yea, though I cannot see using this in the server, probably will add my own code cave to make a better "Magic Number"