Trackmania Nations ESWC

pingpong · **Joined:** 10 Apr 2011 18:20 **Posts:** 5

Hi,
i'm a newbie in reverse engineering and i wanted to learn something about it so i tried to exploit the old version of trackmania, based on your exploits (http://aluigi.org/adv/tm4never-adv.txt). I started comparing the two servers and finally (i hope) i found the right key for generating crc (it was a lot of work for me oO):

I've tried to create a valid tcp-packet with that and after comparing with the original packets i noticed that the crc-check failed. I was using your code with my key. Like this:

Code:

u32 trackmania_crc(u8 *key, u8 *data, int datalen) {
    static u8 fixed_key[]   = "..."; //u can fill it out on your own :P
    u32     hash[4];

    if(!key) key = fixed_key;
    if(datalen < 0) datalen = strlen(data);
    md5_hmac(key, 16, data, datalen, (u8 *)hash);
    return(hash[0] + hash[1] + hash[2] + hash[3]);
}

Now my question: whats wrong with my idea? How do you get this code of generating crc (did the algorithm get changed in forever?)?! How u know how a tmn-package is getting splitted (1. size, 2. crc, 3. data...)?

The old TMN ESWC server can be accessed here: http://www.tm-forum.com/viewtopic.php?t=1350

Greets

aluigi · **Posted:** 11 Apr 2011 08:45

the idea is correct: change the key and you are ready to send packets to the old server.

at a first look it seems just the same:
4a95d1: get the key
419310: hmac (easy to see due to 0x36 and 0x5c)
4a9614: sum of the 4 32bit values

so I did a quick test and indeed seems just that the protocol is a bit different, which is enough normal.

pingpong · **Joined:** 10 Apr 2011 18:20 **Posts:** 5

aluigi wrote:

so I did a quick test and indeed seems just that the protocol is a bit different, which is enough normal.

I was trying to solve this difference the whole day but i dont get it. Can you help me a little with this?
Following this algorithm of hashing in ollydbg ist nearly impossible for me as beginner. Maybe u can make a little video-tutorial how u solved it in forever, so i can see your workflow and learn much more than simple "trial and error" the whole day^^

aluigi · **Posted:** 12 Apr 2011 21:24

no sorry I can't help with it

pingpong · **Joined:** 10 Apr 2011 18:20 **Posts:** 5

I finally got it.
(sum of the 4 32bit values = 3 parts of the hash + one part of the fixed_key - ive wasted a lot of time in comparing the md5 stuff :D)

You can close this now and many thanks for your great draft of forever.

aluigi · **Posted:** 12 Apr 2011 21:49

interesting, can you post the final code of the function?

pingpong · **Joined:** 10 Apr 2011 18:20 **Posts:** 5

Dont know how to convert '\x08\xC4\x81\x30' to 813810696 - can you explain it?!

Code:

u32 trackmania_crc(u8 *key, u8 *data, int datalen) {
    //static u8 fixed_key[]   = "\xB8\x9D\xD7\x80\x72\x6B\x21\xBA\x98\x95\x43\x15\xFA\x1C\xEC\xE1"; // forever key
    static u8 fixed_key[] = "\x08\xC4\x81\x30\x3A\x12\x26\xAB\xAF\x1D\x6A\xE4\xFB\x65\xFB\xC9"; // nations key
    u32     hash[4];
    
    if(!key) key = fixed_key;
    if(datalen < 0) datalen = strlen(data);
    md5_hmac(key, 16, data, datalen, (u8 *)hash);
    
    //return(hash[0] + hash[1] + hash[2] + hash[3]); // forever crc
    return(hash[0] + hash[1] + hash[2] + 813810696); // nations crc; 813810696 == \x08\xC4\x81\x30 (first part of fixed key)
}

aluigi · **Posted:** 14 Apr 2011 09:16

replace 813810696 with *(u32 *)fixed_key

very interesting this modification, would be interesting why the developers choosed this modification and changed it with the next versions

pingpong · **Joined:** 10 Apr 2011 18:20 **Posts:** 5

I dont know - at the end we can disassemble it all :P

Luigi Auriemma

Trackmania Nations ESWC