Reverse engineering

Discussion on Reverse engineering within the Need for Speed World forum part of the Other Online Games category.

Old 11/14/2016, 23:22   #31
 
elite*gold: 0
Join Date: Mar 2016
Posts: 174
Received Thanks: 265
Quote:
Originally Posted by joshdoe View Post
Yo, is Need for Speed World open again yet? OMG, if it does I'm gonna advertise like no man's business!
Not yet. Hopefully within the next year, though.


Also, for anyone who's wondering: This is not a project to create a central server. That's illegal, AFAIK. This is a project to figure out how to restore freeroam gameplay, so people can play with their friends on their own servers.

Quote:
Originally Posted by michaelmikhalev View Post
I am not super good but I can do it too if ya want.
PM me.
leorblx is offline  
Old 11/16/2016, 23:27   #32
 
elite*gold: 0
Join Date: Mar 2016
Posts: 174
Received Thanks: 265
Focusing on packet validation right now. I'm going to try and figure out the actual data of packets a bit later.


Okay, I need a little help here. Does anyone (@berkay2578, @ ???) know for sure what type of encryption the game uses for packets? Is it AES-256 or something else?

I've managed to find all of the different functions for validation (at least I think I have); some of them are insane, to say the least.


I also got IDA's debugger to work without freezing the game, so I can use breakpoints and stuff.


In case anyone wants to know some of the functions to find in IDA:


sub_767B80 = where it begins
sub_5AAA40 = first new function that's called from sub_767B80, if a condition is true (won't go into detail)
sub_767960 = I'm not quite sure
sub_7676B0 = Also not sure about this one
sub_5B20E0 = simple helper function, returns the input value plus 12, as a DWORD pointer
sub_59AEB0 = I don't even want to talk about it. It's just insane.
sub_767650 = Seems to return the 2nd parameter? Not sure off the top of my head if it does anything with it
sub_5AC320 = Yet another helper, returns input + 4 as a DWORD pointer
sub_59B120 = Not sure.
sub_59AA30 = References OpenSSL a few times. Not quite sure what it does yet, though
sub_59AB90 = Haven't investigated yet.


If anyone wants to help, look for those functions, and try to figure out what they actually do. There are a lot of them, so be prepared to spend a while on this if you decide to help.


This is progress, though.
leorblx is offline  
Thanks
1 User
Old 11/17/2016, 03:19   #33
 
elite*gold: 0
Join Date: Jun 2015
Posts: 331
Received Thanks: 605
Quote:
Originally Posted by leorblx View Post
Focusing on packet validation right now. I'm going to try and figure out the actual data of packets a bit later.


Okay, I need a little help here. Does anyone (@berkay2578, @ ???) know for sure what type of encryption the game uses for packets? Is it AES-256 or something else?
It's a modded OpenSSL version.

soapbox.exe (the cracked nfsw.exe) has a jump to avoid the encrypt/decrypt OpenSSL functions for UDP packets.
Nilzao is offline  
Thanks
4 Users
Old 11/17/2016, 11:36   #34
 
elite*gold: 0
Join Date: Jul 2015
Posts: 352
Received Thanks: 132
@ You can find the cracked nfsw.exe here.
fabx24 is offline  
Old 11/17/2016, 15:56   #35
 
elite*gold: 15
Join Date: Aug 2012
Posts: 3,041
Received Thanks: 6,381
Quote:
Originally Posted by leorblx View Post
The first called method isn't int (void *Dst, int, int, int, void *Src, int) as you think; 7691D0 is where the chain action begins: 7691D0 to 767CD0. 767CD0 doesn't have to call 767B80, it has one other call. You won't be able to get around this without disassembling everything needed; you need to figure out which conditions continue to what, and see if the called body is a continue-execution, a fail-safe, or a fail-fast.

There is also a ___security_cookie; FYI, it's not the web cookie. Look into gs_cookie.c or .

Another thing: look into how stack variables are passed. When a function is called in 8086 assembly, function values are passed in reverse order. Needless to say, some values might just not be passed; however, if that is the case, look in IDA for the default values and use them for the missing ones instead. IDA will try—and I emphasize this, it will only try—to help you with the stack; e.g.:
Code:
767D0F                 mov     eax, [ebp+var_48]
767D12                 mov     edx, [ebp+arg_8]
767D15                 push    eax             ; int
767D16                 lea     ecx, [ebp+Src]
767D19                 push    ecx             ; Src
767D1A                 sub     edx, esi
767D1C                 push    edx             ; int
767D1D                 push    esi             ; int
767D1E                 push    ebx             ; int
767D1F                 push    esi             ; Dst
767D20                 lea     ecx, [edi+8]
767D23                 call    767B80

//function start -->

.text:00767B80 ; int __stdcall sub_767B80(void *Dst, int, int, int, void *Src, int)
.text:00767B80 ; don't be fooled into thinking that these 'int' declarations were intended, these are compiled and optimized fields, which is why everything is a dword and why the code directly uses registers like eax. 
.text:00767B80 ; asm loads the stack like so:
// https://en.wikibooks.org/wiki/X86_Disassembly/Functions_and_Stack_Frames
// dword ptr -4 means push [local_variable_1], -8 means push [local_variable_2] etc. these are members defined within the function, that means the parameters do not directly modify them
// dword ptr +8 means push [parameter_1], in this case Dst. +C(12) is push [parameter_2] etc. 
// i don't think i have to say this but dwords are 4 bytes and qwords are 8 bytes; and since this is compiled code, you will eventually see a "cdq" function, preceded by two "mov"s.
// this site will help you greatly if you don't know what's happening: https://en.wikibooks.org/wiki/X86_Disassembly
.text:00767B80 var_8           = dword ptr -8
.text:00767B80 var_4           = dword ptr -4
.text:00767B80 Dst             = dword ptr  8
.text:00767B80 arg_4           = dword ptr  0Ch
.text:00767B80 arg_8           = dword ptr  10h
.text:00767B80 arg_C           = dword ptr  14h
.text:00767B80 Src             = dword ptr  18h
.text:00767B80 arg_14          = dword ptr  1Ch
59AEB0 is an OpenSSL gateway, it seems like; __cdecl just doesn't fit, though, so I'm not sure. Take a look at: . If you don't know the difference between stdcall and cdecl, then take a look at:

Anyway, this is a highly optimized, highly mangled and hand-crafted function chain. I got bored halfway in because it's just too redundant for me; even with no latency this function will manage to break the sync somehow. (Or I just suck, I dunno.) Cheers & good luck.
berkay2578 is offline  
Thanks
1 User
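The push sequence and the frame declaration quoted in the post above can be paired mechanically. The script below is an added example (mine, not code from the thread or from the game): it assumes the right-to-left push rule the post describes, so the last push before the call is the first parameter at [ebp+8], and it works on constructed copies of the two listings quoted above.

```python
"""Pair the pushes before `call 767B80` with the callee's IDA frame declarations.
Added example: assumes the rule the post describes (arguments pushed right-to-left,
so the last push before the call is [ebp+8], the first parameter). Both listings
are constructed copies of the ones quoted above."""
import re

CALLER = """
767D15   push    eax             ; int
767D16   lea     ecx, [ebp+Src]
767D19   push    ecx             ; Src
767D1C   push    edx             ; int
767D1D   push    esi             ; int
767D1E   push    ebx             ; int
767D1F   push    esi             ; Dst
767D23   call    767B80
"""

CALLEE = """
.text:00767B80 var_8           = dword ptr -8
.text:00767B80 var_4           = dword ptr -4
.text:00767B80 Dst             = dword ptr  8
.text:00767B80 arg_4           = dword ptr  0Ch
.text:00767B80 arg_8           = dword ptr  10h
.text:00767B80 arg_C           = dword ptr  14h
.text:00767B80 Src             = dword ptr  18h
.text:00767B80 arg_14          = dword ptr  1Ch
"""

FRAME_RE = re.compile(r"^\.text:[0-9A-F]+\s+(\w+)\s+=\s+dword ptr\s+(-?[0-9A-F]+h?)\s*$")
PUSH_RE = re.compile(r"^[0-9A-F]+\s+push\s+(\w+)")

def ida_int(tok):
    """IDA writes hex with a trailing 'h' (0Ch, 1Ch); bare numbers are decimal."""
    return int(tok[:-1], 16) if tok.endswith("h") else int(tok, 10)

def parse_frame(listing):
    """Locals keyed by negative ebp offset; params sorted so +8 (first parameter) is first."""
    locals_, params = {}, []
    for m in filter(None, map(FRAME_RE.match, listing.strip().splitlines())):
        name, off = m.group(1), ida_int(m.group(2))
        if off < 0:
            locals_[off] = name
        else:
            params.append((off, name))
    return locals_, sorted(params)

def map_arguments(caller, callee):
    """Reverse the push list: the last push is parameter 1 (Dst), the first push is the last one."""
    _, params = parse_frame(callee)
    pushed = [m.group(1) for m in filter(None, map(PUSH_RE.match, caller.strip().splitlines()))]
    assert len(pushed) == len(params), "push count does not match parameter count"
    return [(name, off, reg) for (off, name), reg in zip(params, reversed(pushed))]

def stdcall_ret_size(callee):
    """Bytes a __stdcall callee pops with `ret N`: one dword per parameter (here 18h = 24)."""
    return 4 * len(parse_frame(callee)[1])
```

Running `map_arguments(CALLER, CALLEE)` reproduces IDA's own comments in the caller: esi is pushed last and becomes Dst, ecx becomes Src, and eax (pushed first) becomes arg_14.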
Old 11/19/2016, 18:06   #36
 
elite*gold: 0
Join Date: Mar 2016
Posts: 174
Received Thanks: 265
@ Thank you for that useful information. I hope to get this freeroam thing working within the next year. Will that happen? Who knows...
leorblx is offline  
Thanks
1 User
Old 11/19/2016, 18:36   #37
 
elite*gold: 0
Join Date: Jul 2015
Posts: 352
Received Thanks: 132
Nothing is impossible. They said NFSW offline was impossible, but it's out and it's even better than before. If offline was not impossible, online is possible too. Keep up the great work, man; if you are there now, this means it's not impossible.
fabx24 is offline  
Old 11/20/2016, 03:07   #38
 
elite*gold: 0
Join Date: Mar 2016
Posts: 174
Received Thanks: 265
Thank you guys for all the support

I'm thinking about streaming "tinkering sessions" where I just mess around with stuff to see if I can make something happen. Would anyone be interested?


One last thing: If anyone can explain any of the following things about the current freeroam implementation, please tell me!
- Why can only one player see the other player?
- Why does the current freeroam implementation only work with two players?


I think I can probably sort out the lag issue. I think the current server just sends packets too quickly for the client to handle.


I'm excited for anything that may happen in the future. If I get this to work, I will be extremely happy. Who knows... maybe it'll happen sooner than I think.
leorblx is offline  
Thanks
2 Users
Old 11/20/2016, 06:08   #39
 
elite*gold: 0
Join Date: Jan 2011
Posts: 193
Received Thanks: 75
Quote:
Originally Posted by fabx24 View Post
Nothing is impossible. They said NFSW offline was impossible, but it's out and it's even better than before. If offline was not impossible, online is possible too. Keep up the great work, man; if you are there now, this means it's not impossible.
Well, legally it's impossible... (ToS)

But then you have people who go against it to benefit the community.
Or just plain old data hoarding. XD
N/A is offline  
Old 11/20/2016, 13:00   #40
 
elite*gold: 15
Join Date: Aug 2012
Posts: 3,041
Received Thanks: 6,381
Quote:
Originally Posted by leorblx View Post
I'm thinking about streaming "tinkering sessions" where I just mess around with stuff to see if I can make something happen. Would anyone be interested?
Please don't. Not that nobody would watch it, but you will pretty much get an instant C&D from EA.

Quote:
Originally Posted by leorblx View Post
Why can only one player see the other player?
Sync issue in the UDP relay. Openfire needs a custom-written plugin to generate P2P pings; the UDP relay needs to read the P2P pings and send the packets accordingly.

Quote:
Originally Posted by leorblx View Post
Why does the current freeroam implementation only work with two players?
Because Nilzao had just enough time and support only for the 2 player lobbies. NFS:W changes a lot of stuff in the packets when it's 2+ players. We have a recorded team-escape relay with 4 players, contact Nilzao if you want to help with that.

Quote:
Originally Posted by leorblx View Post
I think I can probably sort out the lag issue. I think the current server just sends packets too quickly for the client to handle.
Need proper ping calculations and latency management; you basically need to revamp everything if you wanna do that. A funny issue, however, is that when I was on a 3 Mbps network @ could connect to me with literally no latency. It's the reason I just gave up on the UDP cracking; that function inside the game is just cancer. Here are the recorded sessions:
berkay2578 is offline  
Thanks
1 User
Old 11/20/2016, 14:09   #41
 
elite*gold: 0
Join Date: Mar 2016
Posts: 174
Received Thanks: 265
Quote:
Originally Posted by berkay2578 View Post
Please don't. Not that nobody would watch it, but you will pretty much get an instant C&D from EA.

Sync issue in the UDP relay. Openfire needs a custom-written plugin to generate P2P pings; the UDP relay needs to read the P2P pings and send the packets accordingly.

Because Nilzao had just enough time and support only for the 2 player lobbies. NFS:W changes a lot of stuff in the packets when it's 2+ players. We have a recorded team-escape relay with 4 players, contact Nilzao if you want to help with that.

Need proper ping calculations and latency management; you basically need to revamp everything if you wanna do that. A funny issue, however, is that when I was on a 3 Mbps network @ could connect to me with literally no latency. It's the reason I just gave up on the UDP cracking; that function inside the game is just cancer. Here are the recorded sessions:
Alright. I wouldn't mind taking a look at team-escape with 4 players, I'll contact Nilzao later.


Also, I agree with you 100%, that function is cancer. I couldn't even look at it for five minutes before giving up, last time.
leorblx is offline  
Old 11/20/2016, 16:03   #42
 
elite*gold: 0
Join Date: Jun 2015
Posts: 136
Received Thanks: 52
Read here:
It is very interesting. The server is still crude, but it also wasn't possible to play the first build of offline, and now everyone can, and even some online is nevertheless available. Not everything happens at once; Moscow wasn't built all at once either. If the fucking bourgeois hadn't destroyed everything, it would all still be there, so it is necessary to work on decoding the online files, and that requires time and programming knowledge. And by the way, there is a check on the dedicated server, so go ahead and test with companions.
Only the value after "a" needs to be changed, depending on the number of players.
Code:
start /d "C:\Program Files (x86)\NFS World\Game\Data" nfsw.exe RU a 2
exit
hlyab is offline  
Old 11/20/2016, 17:03   #43
 
elite*gold: 0
Join Date: Jun 2015
Posts: 331
Received Thanks: 605
Quote:
Originally Posted by leorblx View Post
Thank you guys for all the support
And thank you for trying to evolve the study.
Quote:
Originally Posted by leorblx View Post
- Why can only one player see the other player?
It's not fully implemented; it's an example for other hackers to make it happen in the future.
Quote:
Originally Posted by leorblx View Post
- Why does the current freeroam implementation only work with two players?
Again, not fully implemented.
Quote:
Originally Posted by leorblx View Post
I think I can probably sort out the lag issue. I think the current server just sends packets too quickly for the client to handle.
It's not the real problem, freeroam and race servers are not fully implemented.
Quote:
Originally Posted by leorblx View Post
I'm excited for anything that may happen in the future. If I get this to work, I will be extremely happy. Who knows... maybe it'll happen sooner than I think.
Well... I can't work on servers now. Perhaps some day.

Good luck.
Nilzao is offline  
Old 11/20/2016, 20:17   #44
 
elite*gold: 0
Join Date: Mar 2016
Posts: 174
Received Thanks: 265
@ lol, I translated that page into English and they seem to be talking about this...
@
Thank you for wishing me luck. It means a lot to have support from the people that created this whole offline server thing.


Also, Berkay mentioned that you had a recorded 4-player team escape relay. Would you mind giving me that so I can investigate how the packets differ from 2-player team escape packets? It might help with this.
leorblx is offline  
Thanks
1 User
Old 11/21/2016, 00:28   #45
 
elite*gold: 0
Join Date: Jun 2015
Posts: 331
Received Thanks: 605
Quote:
Originally Posted by leorblx View Post
@
Also, Berkay mentioned that you had a recorded 4-player team escape relay. Would you mind giving me that so I can investigate how the packets differ from 2-player team escape packets? It might help with this.
Well, I can send you somehow... But it's useless at this point.

First we need to:
- make the UDP CRC calculation/checksum. It can be the official one, or we can inject ours by hooking the process.
- implement the full NFSW UDP handshake on the server, so 2 players can start a race without sync problems.

And one big problem with my team escape recording...
I have only one player recorded with 3 other racers; I don't know what the other racers are receiving, so it's just like the 2 players race...
Nilzao is offline  

Tags
freeroam, need for speed world, reverse engineering, udp

