Reverse engineering
Discussion on Reverse engineering within the Need for Speed World forum part of the Other Online Games category.
11/14/2016, 23:22 (#31)
elite*gold: 0
Join Date: Mar 2016
Posts: 174
Received Thanks: 265
Quote:
Originally Posted by joshdoe
    Yo, is Need for Speed World open again yet? OMG, if it does, I'm gonna advertise like no man's business!
Not yet. Hopefully within the next year, though.
Also, for anyone who's wondering: This is not a project to create a central server. That's illegal, AFAIK. This is a project to figure out how to restore freeroam gameplay, so people can play with their friends on their own servers.
Quote:
Originally Posted by michaelmikhalev
    I am not super good but I can do it too if ya want.
PM me
11/16/2016, 23:27 (#32)
elite*gold: 0
Join Date: Mar 2016
Posts: 174
Received Thanks: 265
Focusing on packet validation right now. I'm going to try and figure out the actual data of packets a bit later.
Okay, I need a little help here. Does anyone (@berkay2578, @  ???) know for sure what type of encryption the game uses for packets? Is it AES-256 or something else?
I've managed to find all of the different functions for validation (at least I think I have), some of them are insane to say the least.
I also got IDA's debugger to work without freezing the game, so I can use breakpoints and stuff.
In case anyone wants to know some of the functions to find in IDA:
sub_767B80 = where it begins
sub_5AAA40 = first new function that's called from sub_767B80, if a condition is true (won't go into detail)
sub_767960 = I'm not quite sure
sub_7676B0 = Also not sure about this one
sub_5B20E0 = simple helper function, returns the input value plus 12, as a DWORD pointer
sub_59AEB0 = I don't even want to talk about it. It's just insane.
sub_767650 = Seems to return the 2nd parameter? Not sure off the top of my head if it does anything with it
sub_5AC320 = Yet another helper, returns input + 4 as a DWORD pointer
sub_59B120 = Not sure.
sub_59AA30 = References OpenSSL a few times. Not quite sure what it does yet, though
sub_59AB90 = Haven't investigated yet.
If anyone wants to help, look for those functions, and try to figure out what they actually do. There are a lot of them, so be prepared to spend a while on this if you decide to help.
This is progress, though.
11/17/2016, 03:19 (#33)
elite*gold: 0
Join Date: Jun 2015
Posts: 331
Received Thanks: 608
Quote:
Originally Posted by leorblx
    Focusing on packet validation right now. I'm going to try and figure out the actual data of packets a bit later.
    Okay, I need a little help here. Does anyone (@berkay2578, @  ???) know for sure what type of encryption the game uses for packets? Is it AES-256 or something else?
It's a modded OpenSSL version.
soapbox.exe (the cracked nfsw.exe) has a jump to avoid the crypt/decrypt OpenSSL functions in UDP packets.
11/17/2016, 11:36 (#34)
elite*gold: 0
Join Date: Jul 2015
Posts: 352
Received Thanks: 132
@  you can find the cracked nfsw.exe here
11/17/2016, 15:56 (#35)
elite*gold: 15
Join Date: Aug 2012
Posts: 3,041
Received Thanks: 6,397
Quote:
Originally Posted by leorblx
    sub_767B80 = where it begins
    sub_5AAA40 = first new function that's called from sub_767B80, if a condition is true (won't go into detail)
    sub_767960 = I'm not quite sure
    sub_7676B0 = Also not sure about this one
    sub_5B20E0 = simple helper function, returns the input value plus 12, as a DWORD pointer
    sub_59AEB0 = I don't even want to talk about it. It's just insane.
    sub_767650 = Seems to return the 2nd parameter? Not sure off the top of my head if it does anything with it
    sub_5AC320 = Yet another helper, returns input + 4 as a DWORD pointer
    sub_59B120 = Not sure.
    sub_59AA30 = References OpenSSL a few times. Not quite sure what it does yet, though
    sub_59AB90 = Haven't investigated yet.
The first called method isn't int (void *Dst, int, int, int, void *Src, int) as you think; 7691D0 is where the chain action begins: 7691D0 to 767CD0. 767CD0 doesn't have to call 767B80, it has one other call. You won't be able to get around this without disassembling everything needed; you need to figure out which conditions continue to what, and see if the called body is a continue-execution, a fail-safe, or a fail-fast.
There is also a ___security_cookie; FYI, it's not the web cookie. Look into gs_cookie.c or  .
Another thing: look into how stack variables are passed. When a function is called in 8086 assembly, function values are passed in reverse order. Needless to say, some values might just not be passed; however, if that is the case, look into IDA for the default values and use them for the missing ones instead. IDA will try—and I emphasize this, it will only try—to help you with the stack; e.g.:
Code:
767D0F mov eax, [ebp+var_48]
767D12 mov edx, [ebp+arg_8]
767D15 push eax ; int
767D16 lea ecx, [ebp+Src]
767D19 push ecx ; Src
767D1A sub edx, esi
767D1C push edx ; int
767D1D push esi ; int
767D1E push ebx ; int
767D1F push esi ; Dst
767D20 lea ecx, [edi+8]
767D23 call 767B80
//function start -->
.text:00767B80 ; int __stdcall sub_767B80(void *Dst, int, int, int, void *Src, int)
.text:00767B80 ; don't be fooled into thinking that these 'int' declarations were intended, these are compiled and optimized fields, which is why everything is a dword and why the code directly uses registers like eax.
.text:00767B80 ; asm loads the stack like so:
// https://en.wikibooks.org/wiki/X86_Disassembly/Functions_and_Stack_Frames
// dword ptr -4 means push [local_variable_1], -8 means push [local_variable_2] etc. these are members defined within the function, that means the parameters do not directly modify them
// dword ptr +8 means push [parameter_1], in this case Dst. +C(12) is push [parameter_2] etc.
// i don't think i have to say this but dwords are 4 bytes and qwords are 8 bytes; and since this is compiled code, you will eventually see a "cdq" function, preceded by two "mov"s.
// this site will help you greatly if you don't know what's happening: https://en.wikibooks.org/wiki/X86_Disassembly
.text:00767B80 var_8 = dword ptr -8
.text:00767B80 var_4 = dword ptr -4
.text:00767B80 Dst = dword ptr 8
.text:00767B80 arg_4 = dword ptr 0Ch
.text:00767B80 arg_8 = dword ptr 10h
.text:00767B80 arg_C = dword ptr 14h
.text:00767B80 Src = dword ptr 18h
.text:00767B80 arg_14 = dword ptr 1Ch
59AEB0 is an OpenSSL gateway, it seems; __cdecl just doesn't fit, though, so I'm not sure. Take a look at:  . If you don't know the difference between stdcall and cdecl then take a look at:
Anyway, this is a highly optimized, highly mangled and hand-crafted function chain. I got bored halfway in because it's just too redundant for me; even with no latency this function will manage to break the sync somehow (or I just suck, I dunno). Cheers & good luck.
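The stack-frame rules berkay2578 lays out in the post above (arguments are pushed right to left, `[ebp+8]` is parameter 1, `dword ptr -4` is a local) can be checked mechanically instead of by eye. The Python below is an added example, not code from this thread or from any NFS World project: it parses the IDA frame declarations and the call-site pushes exactly as quoted in that post, maps each push to the parameter slot it lands in, uses IDA's own `; Src` / `; Dst` push comments as a consistency check, and computes the argument-byte count that tells stdcall (`ret N` inside the callee) apart from cdecl (`add esp, N` after the call), which is the check behind the "__cdecl just doesn't fit" remark. The regular expressions, function names and the embedded listings are my assumptions about the listing format; the addresses and names come from the post.

```python
import re
from typing import Dict, List, Tuple

# Constructed input: the IDA stack-frame declarations for sub_767B80 as quoted
# in the post above (addresses and names copied from that listing).
FRAME_LISTING = """\
.text:00767B80 var_8 = dword ptr -8
.text:00767B80 var_4 = dword ptr -4
.text:00767B80 Dst = dword ptr 8
.text:00767B80 arg_4 = dword ptr 0Ch
.text:00767B80 arg_8 = dword ptr 10h
.text:00767B80 arg_C = dword ptr 14h
.text:00767B80 Src = dword ptr 18h
.text:00767B80 arg_14 = dword ptr 1Ch
"""

# Constructed input: the call site at 767D0F as quoted in the post, in execution order.
CALL_SITE = """\
767D0F mov eax, [ebp+var_48]
767D12 mov edx, [ebp+arg_8]
767D15 push eax ; int
767D16 lea ecx, [ebp+Src]
767D19 push ecx ; Src
767D1A sub edx, esi
767D1C push edx ; int
767D1D push esi ; int
767D1E push ebx ; int
767D1F push esi ; Dst
767D20 lea ecx, [edi+8]
767D23 call 767B80
"""

# Assumed line shapes: "<addr> <name> = dword ptr <offset>" and "<addr> push <operand> ; <comment>".
FRAME_RE = re.compile(r"^\S+\s+(\w+)\s*=\s*dword ptr\s+(-?[0-9A-Fa-f]+)(h?)$")
PUSH_RE = re.compile(r"^[0-9A-Fa-f]+\s+push\s+(\w+)")
CALL_RE = re.compile(r"^[0-9A-Fa-f]+\s+call\b")

SLOT_SIZE = 4           # every parameter here is a dword
FIRST_PARAM_OFFSET = 8  # [ebp+0] saved ebp, [ebp+4] return address, [ebp+8] parameter 1


def parse_ida_number(digits: str, is_hex: bool) -> int:
    """IDA writes hex with a trailing 'h' (0Ch = 12); plain digits are decimal."""
    negative = digits.startswith("-")
    value = int(digits.lstrip("-"), 16 if is_hex else 10)
    return -value if negative else value


def parse_frame(listing: str) -> Tuple[List[Tuple[str, int]], List[Tuple[str, int]]]:
    """Split the frame into (locals, params), each a list of (name, ebp offset) sorted by offset.

    Negative offsets live below the saved ebp and are locals; +8 and above are parameters.
    """
    locals_, params = [], []
    for line in listing.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        name, digits, h = m.groups()
        offset = parse_ida_number(digits, h == "h")
        if offset < 0:
            locals_.append((name, offset))
        elif offset >= FIRST_PARAM_OFFSET:
            params.append((name, offset))
    locals_.sort(key=lambda item: item[1])
    params.sort(key=lambda item: item[1])
    return locals_, params


def argument_bytes(listing: str) -> int:
    """Bytes of arguments on the stack: a stdcall callee pops them with `ret N`,
    a cdecl caller removes them with `add esp, N` after the call."""
    _, params = parse_frame(listing)
    return len(params) * SLOT_SIZE


def parse_pushes(call_site: str) -> List[Tuple[str, str]]:
    """Return (operand, IDA comment) for each push before the first call, in execution order."""
    pushes = []
    for raw in call_site.splitlines():
        line = raw.strip()
        if CALL_RE.match(line):
            break
        m = PUSH_RE.match(line)
        if m:
            comment = line.split(";", 1)[1].strip() if ";" in line else ""
            pushes.append((m.group(1), comment))
    return pushes


def match_call_to_frame(listing: str, call_site: str) -> Dict[str, str]:
    """Map each parameter name to the operand pushed for it at the call site.

    Arguments are pushed right to left, so the LAST push before the call is
    parameter 1 ([ebp+8]); walking the pushes backwards walks the frame upwards.
    IDA's comments on the pushes (`; Src`, `; Dst`) are checked against the slot they land in.
    """
    _, params = parse_frame(listing)
    pushes = parse_pushes(call_site)
    if len(pushes) < len(params):
        raise ValueError(f"call site pushes {len(pushes)} values, frame has {len(params)} parameters")
    argument_pushes = pushes[-len(params):]
    mapping = {}
    for (name, _offset), (operand, comment) in zip(params, reversed(argument_pushes)):
        if comment and comment != "int" and comment != name:
            raise ValueError(f"push commented '{comment}' landed on parameter {name}")
        mapping[name] = operand
    return mapping


if __name__ == "__main__":
    for name, operand in match_call_to_frame(FRAME_LISTING, CALL_SITE).items():
        print(f"{name:7} <- {operand}")
    print("argument bytes:", hex(argument_bytes(FRAME_LISTING)))
```

On the quoted listing this yields Dst <- esi, arg_4 <- ebx, arg_8 <- esi, arg_C <- edx, Src <- ecx, arg_14 <- eax and 24 (18h) bytes of arguments, so a `ret 18h` at the end of sub_767B80 is what you would expect to see if IDA's `__stdcall` label is right, while an `add esp, 18h` after the call would point to cdecl instead. Note also the `lea ecx, [edi+8]` right before the call with no matching push: a value handed over in ecx rather than on the stack is the MSVC pattern for a `this` pointer (thiscall) or a fastcall register argument, which is worth checking before settling on either of the two stack-only conventions.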
11/19/2016, 18:06 (#36)
elite*gold: 0
Join Date: Mar 2016
Posts: 174
Received Thanks: 265
@  Thank you for that useful information. I hope to get this freeroam thing working within the next year. Will that happen? Who knows...
11/19/2016, 18:36 (#37)
elite*gold: 0
Join Date: Jul 2015
Posts: 352
Received Thanks: 132
Nothing is impossible. They saw NFSW offline was impossible, but it's out and it's better than at first. If offline was not impossible, online is possible too. Keep up the great work, man; if you are there now, that means it's not impossible.
11/20/2016, 03:07 (#38)
elite*gold: 0
Join Date: Mar 2016
Posts: 174
Received Thanks: 265
Thank you guys for all the support.
I'm thinking about streaming "tinkering sessions" where I just mess around with stuff to see if I can make something happen. Would anyone be interested?
One last thing: if anyone can explain any of the following things about the current freeroam implementation, please tell me!
- Why can only one player see the other player?
- Why does the current freeroam implementation only work with two players?
I think I can probably sort out the lag issue. I think the current server just sends packets too quickly for the client to handle.
I'm excited for anything that may happen in the future. If I get this to work, I will be extremely happy. Who knows... maybe it'll happen sooner than I think.
11/20/2016, 06:08 (#39)
elite*gold: 0
Join Date: Jan 2011
Posts: 193
Received Thanks: 75
Quote:
Originally Posted by fabx24
    Nothing is impossible. They saw NFSW offline was impossible, but it's out and it's better than at first. If offline was not impossible, online is possible too. Keep up the great work, man; if you are there now, that means it's not impossible.
Well, legally it's impossible (ToS).
But then you have people who go against that to benefit the community.
Or just plain old data hoarding. XD
11/20/2016, 13:00 (#40)
elite*gold: 15
Join Date: Aug 2012
Posts: 3,041
Received Thanks: 6,397
Quote:
Originally Posted by leorblx
    I'm thinking about streaming "tinkering sessions" where I just mess around with stuff to see if I can make something happen. Would anyone be interested?
Please don't. Not that nobody would watch it, but you will pretty much get an instant C&D from EA.
Quote:
Originally Posted by leorblx
    Why can only one player see the other player?
Sync issue in the UDP relay. Openfire needs a custom-written plugin to generate P2P pings; the UDP relay needs to read the P2P pings and send the packets accordingly.
Quote:
Originally Posted by leorblx
    Why does the current freeroam implementation only work with two players?
Because Nilzao had just enough time and support only for the 2-player lobbies. NFS:W changes a lot of stuff in the packets when it's 2+ players. We have a recorded team-escape relay with 4 players; contact Nilzao if you want to help with that.
Quote:
Originally Posted by leorblx
    I think I can probably sort out the lag issue. I think the current server just sends packets too quickly for the client to handle.
Need proper ping calculations and latency management; you basically need to revamp everything if you wanna do that. A funny issue, however, is that when I was on a 3 Mbps network @  could connect to me with literally no latency. It's the reason I just gave up on the UDP cracking; that function inside the game is just cancer. Here are the recorded sessions:
11/20/2016, 14:09 (#41)
elite*gold: 0
Join Date: Mar 2016
Posts: 174
Received Thanks: 265
Quote:
Originally Posted by berkay2578
    Please don't. Not that nobody would watch it, but you will pretty much get an instant C&D from EA.
    Sync issue in the UDP relay. Openfire needs a custom-written plugin to generate P2P pings; the UDP relay needs to read the P2P pings and send the packets accordingly.
    Because Nilzao had just enough time and support only for the 2-player lobbies. NFS:W changes a lot of stuff in the packets when it's 2+ players. We have a recorded team-escape relay with 4 players; contact Nilzao if you want to help with that.
    Need proper ping calculations and latency management; you basically need to revamp everything if you wanna do that. A funny issue, however, is that when I was on a 3 Mbps network @  could connect to me with literally no latency. It's the reason I just gave up on the UDP cracking; that function inside the game is just cancer. Here are the recorded sessions:
Alright. I wouldn't mind taking a look at team-escape with 4 players, I'll contact Nilzao later.
Also, I agree with you 100%, that function is cancer. I couldn't even look at it for five minutes before giving up, last time.
11/20/2016, 16:03 (#42)
elite*gold: 0
Join Date: Jun 2015
Posts: 136
Received Thanks: 52
Read here:
It is very interesting. The server is still crude, but it also wasn't possible to play the first build of offline, and now it is, and even some online is available nevertheless; it all takes time, Moscow wasn't built all at once either. If the fucking bourgeois hadn't destroyed everything, it would all exist, and so it is necessary to work on decoding the online files, and that needs time and programming knowledge. And by the way, there is a check on the dedicated server, so feel free to test it with companions.
Code:
@echo off
echo .
echo Starting Need For Speed World...
TIMEOUT 3
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: :: INSTRUCTIONS ::
:: ::HOW TO EDIT "USER" FILE::
:: :::::::::::::::::::::::::::
::
:: ::IMPORTANT WARNING::
:: THE FOLLOWING FILE CONTAINS THE CRITICAL DATA ENABLING YOU TO
:: CONNECT TO THE SERVER HOST, EDIT ONLY THE LAST LINE OF THE CODE BEFORE
:: THE "EXIT" CODE OR YOU WILL BREAK THE SCRIPT !
::
::
:: ::HOW TO EDIT SERVER LOGIN::
:: Replace the "127.0.0.1" part by the IP address of the host you wish to join!
:: (Note: You can use the supplied "Local IP" & "External IP" buttons when hosting)
::
::
:: ::HOW TO EDIT USER LOGIN::
:: Replace the "a 1" part by another number to join the server as another USER!
:: (example: "a 1" = USER 1, "a 2" = USER 2, "a 3" = USER 3 & etc..)
::
:: :::::::::::::::::::::::::::::::::
::::::::::::::::::::::::::THE CODE TO EDIT IS DOWN HERE::::::::::::::::::::::::::::::::::::::::::::::::::::::::
start /d "C:\Program Files (x86)\NFS World\Game\Data" nfsw.exe RU  a 2
exit
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Only the value after "a" needs to be changed, depending on the number of players:
Code:
start /d "C:\Program Files (x86)\NFS World\Game\Data" nfsw.exe RU  a 2
exit
11/20/2016, 17:03 (#43)
elite*gold: 0
Join Date: Jun 2015
Posts: 331
Received Thanks: 608
Quote:
Originally Posted by leorblx
    Thank you guys for all the support.
And thank you for trying to evolve the study.
Quote:
Originally Posted by leorblx
    - Why can only one player see the other player?
It's not fully implemented; it's an example so other hackers can make it happen in the future.
Quote:
Originally Posted by leorblx
    - Why does the current freeroam implementation only work with two players?
Again, not fully implemented.
Quote:
Originally Posted by leorblx
    I think I can probably sort out the lag issue. I think the current server just sends packets too quickly for the client to handle.
It's not the real problem; the freeroam and race servers are not fully implemented.
Quote:
Originally Posted by leorblx
    I'm excited for anything that may happen in the future. If I get this to work, I will be extremely happy. Who knows... maybe it'll happen sooner than I think.
Well... I can't work on servers now. Perhaps some day.
Good luck.
11/20/2016, 20:17 (#44)
elite*gold: 0
Join Date: Mar 2016
Posts: 174
Received Thanks: 265
@  lol, I translated that page into English and they seem to be talking about this... @
Thank you for wishing me luck. It means a lot to have support from the people that created this whole offline server thing.
Also, Berkay mentioned that you had a recorded 4-player team escape relay. Would you mind giving me that so I can investigate how the packets differ from 2-player team escape packets? It might help with this.
11/21/2016, 00:28 (#45)
elite*gold: 0
Join Date: Jun 2015
Posts: 331
Received Thanks: 608
Quote:
Originally Posted by leorblx
    @
    Also, Berkay mentioned that you had a recorded 4-player team escape relay. Would you mind giving me that so I can investigate how the packets differ from 2-player team escape packets? It might help with this.
Well, I can send it to you somehow... But it's useless at this point.
First we need to:
- make the UDP CRC calc/checksum. Can be the official one, or inject ours by hooking the process.
- implement the full NFSW UDP handshake on the server, to make 2 players start a race without sync problems.
And one big problem with my team escape recording...
I have only one player recorded with 3 other racers; I don't know what the other racers are receiving, so it's just like the 2-player race...
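The first item in the list above, a UDP CRC/checksum, is the packet-validation step a relay or server has to get right before it can do anything with a datagram. The Python below is an added example, not code from this thread or from any NFS World server project, and its packet layout (u16 sequence, u16 payload length, payload, u32 CRC-32 trailer, all little-endian) is hypothetical: the game's real framing and checksum are not known from this thread, and the `MAX_PAYLOAD`, `build_packet`, `parse_packet`, `validate` and `relay_filter` names are mine. It implements CRC-32 bit by bit (checkable against `zlib.crc32`), frames a datagram, and validates incoming datagrams the way a relay would, rejecting truncated packets, flipped bytes and forged length fields before the length field is ever trusted.

```python
import struct
import zlib
from typing import List, Tuple

CRC_POLY = 0xEDB88320          # reflected IEEE CRC-32 polynomial (the one zlib and Ethernet use)
HEADER = struct.Struct("<HH")  # hypothetical layout: u16 sequence number, u16 payload length
TRAILER = struct.Struct("<I")  # u32 CRC-32 computed over header + payload
MAX_PAYLOAD = 1400             # hypothetical cap so a datagram stays under a typical MTU


def crc32(data: bytes) -> int:
    """Bit-serial reflected CRC-32 (init and final XOR 0xFFFFFFFF); equals zlib.crc32."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (CRC_POLY if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF


def matches_zlib(data: bytes) -> bool:
    """Self-check of the hand-rolled CRC against the library implementation."""
    return crc32(data) == zlib.crc32(data)


def build_packet(seq: int, payload: bytes) -> bytes:
    """Frame a payload: header, payload, then the CRC over everything before it."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too large")
    body = HEADER.pack(seq & 0xFFFF, len(payload)) + payload
    return body + TRAILER.pack(crc32(body))


def parse_packet(datagram: bytes) -> Tuple[int, bytes]:
    """Return (seq, payload) or raise ValueError with the rejection reason.

    Every size check runs BEFORE the length field is trusted, so a forged
    length can neither read past the datagram nor move the CRC out of reach.
    """
    if len(datagram) < HEADER.size + TRAILER.size:
        raise ValueError("truncated")
    seq, length = HEADER.unpack_from(datagram, 0)
    if length > MAX_PAYLOAD:
        raise ValueError("length field exceeds MAX_PAYLOAD")
    if len(datagram) != HEADER.size + length + TRAILER.size:
        raise ValueError("length field does not match datagram size")
    body = datagram[:HEADER.size + length]
    (stored,) = TRAILER.unpack_from(datagram, len(body))
    if stored != crc32(body):
        raise ValueError("crc mismatch")
    return seq, datagram[HEADER.size:HEADER.size + length]


def validate(datagram: bytes) -> str:
    """'ok' or the rejection reason, which is what a relay would log per dropped datagram."""
    try:
        parse_packet(datagram)
        return "ok"
    except ValueError as exc:
        return str(exc)


def relay_filter(datagrams: List[bytes]) -> Tuple[List[Tuple[int, bytes]], List[str]]:
    """Split a received batch into decoded (seq, payload) pairs and rejection reasons."""
    accepted, rejected = [], []
    for datagram in datagrams:
        try:
            accepted.append(parse_packet(datagram))
        except ValueError as exc:
            rejected.append(str(exc))
    return accepted, rejected


# Constructed sample batch: one good datagram, one with a flipped payload bit,
# one cut short, and one whose length field was inflated past the cap.
GOOD = build_packet(7, b"pos:12,34")
_flipped = bytearray(GOOD)
_flipped[5] ^= 0x01
FLIPPED = bytes(_flipped)
TRUNCATED = GOOD[:3]
INFLATED = HEADER.pack(7, 0xFFFF) + GOOD[HEADER.size:]

if __name__ == "__main__":
    accepted, rejected = relay_filter([GOOD, FLIPPED, TRUNCATED, INFLATED])
    print("accepted:", accepted)
    print("rejected:", rejected)
```

Two points worth keeping in mind when using this as a model: the order of the checks matters (size of the datagram first, then the claimed length, then the CRC, and only then the payload slice), and a CRC only detects corruption, not tampering. Anyone who can rewrite a packet can recompute its CRC, which is why the game wraps its UDP traffic in the modified OpenSSL encryption mentioned earlier in the thread; a server-side validator should treat the checksum as a first filter and rely on the cryptographic layer for authenticity.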