Time Stamps Cracked..

07/02/2011 17:26 tri407tiny#1
So I've decided to look into the time stamp function and found a few things. Time-stamps are actually two 4-byte ints that never go over the limitations of a 3-byte int. The 4th and 8th bytes thus are always zero, so the game replaces the 8th byte with part of the packet id, then following that, the 9th byte happens to be the packet id.

The time stamp, or as I like to refer to it, the "key", is made this way, though I see no use. The key is based on this "magic number", though I can't seem to find out how that's made; I'll figure it out later.
Code:
extern int __cdecl MagicNumberGenerator(int last magic number)
{
New magic number = last magic number
Imul New Magic Number, New Magic Number, 000343fd
New Magic Number += 00269ec3
Last magic number = new magic number
int Temp_Magic number = new magic number
Temp_Magic number >>= 16
Temp_Magic number += 00007fff
return Temp_Magic number 
}
Once you have the magic number you divide 10000 by the magic number and store the remainder, then you get another magic number, divide 10000 by it and store the remainder, then you multiply the remainders together and some two other things, take the final product and copy it into key slot 1 or the first time stamp int, then do this all over again for the second key (time stamp).


Note: Yes, I know that that is not "usable" code, though keep in mind I did all of this in 7 hours. It may not be perfect, though I will try my hardest when I get ahold of my computer, as once I find how the magic number is originally generated I will post here.

Note: Hey, what is the true use of this function if we are taking the remainder?? We cannot reverse the multiplication of two remainders, thus the server could never really use this, unless I'm wrong.
07/02/2011 18:59 Mega Byte#2
server would do most of it in reverse

MagicNumber-0x00007FFF
MagicNumber <<= 16

etc. I'm not too sure how to follow the rest of it as your names for things are confusing :P
07/02/2011 19:41 tri407tiny#3
:P Yeah, I'll fix that up in a bit, but we don't send the magic number, only use it.
07/02/2011 20:31 Mega Byte#4
This may be a long shot and I have not fully looked at it, but what if these magic bytes and shit just get reversed down to packet count for send or recv packets :P The server's continuously sending a number to the client as well... so I dunno :D
It just seems like a lot of stuff that doesn't need to be there to obfuscate something.
07/03/2011 13:42 Wazapoo#5
Nice work, I found an error in your code though.
Code:
Temp_Magic number += 00007fff
should be
Code:
Temp_Magic number &= 00007fff
The server doesn't check the magic numbers at all though, it only checks the 8th byte, so I didn't do anything with this when I worked with packets when I reversed the magic number generation myself.
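Added example, not code from the thread's authors: a C version of the generator from post #1, with the `&=` correction from post #5 beside the original `+=` transcription. The multiplier and increment are the ones the Microsoft C runtime's rand() uses, so with the mask this is an ordinary linear congruential generator returning 15-bit values; the function names are hypothetical and the seed of 1 is a constructed sample, since the thread never recovers the real one.

```c
#include <stdint.h>
#include <stdio.h>

/* Constants exactly as posted in the thread. */
#define LCG_MUL 0x000343FDu
#define LCG_ADD 0x00269EC3u

/* Advance the 32-bit state in place (the "last magic number" of post #1).
   Unsigned arithmetic makes the wrap-around modulo 2^32 well defined. */
static uint32_t lcg_step(uint32_t *state)
{
    *state = *state * LCG_MUL + LCG_ADD;
    return *state;
}

/* Post #5's corrected routine: keep bits 16..30 of the new state. */
uint32_t magic_masked(uint32_t *state)
{
    return (lcg_step(state) >> 16) & 0x7FFFu;
}

/* Post #1's original transcription, kept for comparison only. */
uint32_t magic_added(uint32_t *state)
{
    return (lcg_step(state) >> 16) + 0x7FFFu;
}

/* Largest masked output over n draws from a given seed. */
uint32_t max_masked(uint32_t seed, unsigned n)
{
    uint32_t hi = 0;
    while (n--) {
        uint32_t v = magic_masked(&seed);
        if (v > hi) hi = v;
    }
    return hi;
}

int main(void)
{
    uint32_t a = 1, b = 1; /* constructed seed, not the game's */
    for (int i = 0; i < 3; i++)
        printf("masked=%5u  added=%5u\n",
               (unsigned)magic_masked(&a), (unsigned)magic_added(&b));
    printf("max masked over 100000 draws: %u\n", (unsigned)max_masked(1, 100000));
    return 0;
}
```

With the `+=` form the first value from seed 1 already exceeds 0x7FFF, which is the quickest way to tell the two transcriptions apart when comparing against a disassembly.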
07/03/2011 17:43 Mega Byte#6
Fair enough :P and good spotting on the error :D
07/03/2011 18:41 iktov2#7
Wtf is a magic number?
07/03/2011 19:24 Wazapoo#8
We are just calling the first 8 bytes in every packet magic numbers because they aren't related to time (not sure though), so time stamp isn't a good name for them.
07/04/2011 12:24 Mega Byte#9
Agrees with Wazapoo :P
And I knew they weren't required for time stuff as I bp'ed send ages back and changed them to garbage and the packet still worked..
07/05/2011 20:37 tri407tiny#10
Thanks for the correction, adding now. Yeah, though I cannot see using this in the server, I'll probably add my own code cave to make a better "Magic Number".