Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
 Post subject: demonware help/questions
PostPosted: 30 Mar 2009 23:10 

Joined: 16 Aug 2007 06:25
Posts: 367
After purchasing the full version of Call of Duty 5: World at War, I have become more curious as to how clients connect to a server. I have been playing around with your dwbdcrypto tool but can't seem to successfully decrypt a bdticket string. I am running a dedicated server on 1 computer, and my client on another. I have access to the cd-key used to install the server (I actually just installed the client, and in it I chose 'start a server, dedicated, etc'... and it closes the client and starts a dedicated server). I couldn't find where to download the dedicated server anyway, but this works fine. I also have all the sniffed packets from a connect session. Here are 2 different connects (editing out my username and guid of course):

Sniff 1:

Client -> Server: ....getchallenge 0 "abcdef1234567890abcdef1234567890"
Client <- Server: ....challengeResponse 101721693 v/4Sg7+M820=
Client -> Server: ....connect "\cg_predictItems\1\cl_punkbuster\1\cl_voice\1\cl_wwwDownload\1\rate\25000\snaps\20\name\UserNameHere\protocol\96\challenge\101721693\qport\30297\bdTicket\cgRYRXKnG4EcJX7HcgopPr2SDuP4eDfi+F1NkrqNE04U8usMCzeaf6jpZqjZHpUfPY9sNhmQ14drT2B7Ub6fROo94QnTojzUfkQ2TyRHF6Vs83lPoPdkpiewrW9sS9W0rQaceCVmo6VtV2W0L4T/RNS4Qw20txXAAcXHIBtUthvDOsWB\bdTicketTime\379"
Client <- Server: ....connectResponse

Sniff 2:

1. Client -> Server: ....getchallenge 0 "abcdef1234567890abcdef1234567890"
2. Client <- Server: ....challengeResponse 368735854 v/4Sg7+M820=
3. Client -> Server: ....connect "\cg_predictItems\1\cl_punkbuster\1\cl_voice\1\cl_wwwDownload\1\rate\25000\snaps\20\name\UserNameHere\protocol\96\challenge\368735854\qport\30297\bdTicket\xHr2OTCAU0Vd953l12Hz+N2eMbAgR4gtvQq2yIsGNJp3GQ9whk/uTEfFXco6aP4/m1hl1EzYRjYiUhgDnt8izvy1bvNbw8BwGWVIXyPsDTJg8L/G5m9MSulzi+P0AaKWTdEk6GZD06MVBl0GcQbWnLDUqdbw4mpH+fOnv3S6v/BhkyNq\bdTicketTime\359"
4. Client <- Server: ....connectResponse

I know the tool is only experimental since we can't see how some of the data is obtained (probably from the master server as you said)... but I figured you might know of some checks or ideas that I could try to get it working since I have full access to both the client and server.

I have tried your tool a few times like so (using Sniff 1 as an example):
a) dwbdcrypto.exe 11112222333344445555 cgRYRXKnG4EcJX7HcgopPr2SDuP4eDfi+F1NkrqNE04U8usMCzeaf6jpZqjZHpUfPY9sNhmQ14drT2B7Ub6fROo94QnTojzUfkQ2TyRHF6Vs83lPoPdkpiewrW9sS9W0rQaceCVmo6VtV2W0L4T/RNS4Qw20txXAAcXHIBtUthvDOsWB

b) dwbdcrypto.exe 1111-2222-3333-4444-5555 cgRYRXKnG4EcJX7HcgopPr2SDuP4eDfi+F1NkrqNE04U8usMCzeaf6jpZqjZHpUfPY9sNhmQ14drT2B7Ub6fROo94QnTojzUfkQ2TyRHF6Vs83lPoPdkpiewrW9sS9W0rQaceCVmo6VtV2W0L4T/RNS4Qw20txXAAcXHIBtUthvDOsWB

c) dwbdcrypto.exe 62cc05cc40324f7205cd59407f550bf32e13c37c2c9d19bb cgRYRXKnG4EcJX7HcgopPr2SDuP4eDfi+F1NkrqNE04U8usMCzeaf6jpZqjZHpUfPY9sNhmQ14drT2B7Ub6fROo94QnTojzUfkQ2TyRHF6Vs83lPoPdkpiewrW9sS9W0rQaceCVmo6VtV2W0L4T/RNS4Qw20txXAAcXHIBtUthvDOsWB

d) dwbdcrypto.exe 0ede3d95caae022c0101756993e093bf956e4f29ad4a9599 cgRYRXKnG4EcJX7HcgopPr2SDuP4eDfi+F1NkrqNE04U8usMCzeaf6jpZqjZHpUfPY9sNhmQ14drT2B7Ub6fROo94QnTojzUfkQ2TyRHF6Vs83lPoPdkpiewrW9sS9W0rQaceCVmo6VtV2W0L4T/RNS4Qw20txXAAcXHIBtUthvDOsWB

a+c and b+d are pretty much the same, except one uses the tiger192 hash of that key and the other doesn't. I have tried with and without dashes, but no luck decrypting the bdticket string. In patch 1.1 there was a note that says "License key is no longer required to run a Dedicated Server". This may have changed the way things run. The only thing I can think of is the server cd-key I am providing is incorrect in some way (even though I am copying it right from the registry, and trying it in different ways) or I am using the tool incorrectly.

Lastly, I notice that the client makes a lot of connections to demonware servers such as cod5-pc.lsg.mmp3.demonware.net. There are 2 or 3 different servers I've noticed that it talks to, but always on port 3074, which is labeled in Wireshark as "xbox". However, the data being sent/received is encrypted and I don't know what type of encryption is being used. When starting a dedicated server, the server made a connection to cod5-pc.lsg.mmp3.demonware.net on that port and sent some data. When the client first starts up, it also makes a few connections to different demonware servers on this port, but the data is also encrypted. And when retrieving the server list, a connection is made yet again to a demonware server on port 3074, and the server replies with a big chunk of data (I am assuming this is all the servers + that hidden data you mentioned in the tool notes).

Anyways, I am just trying to get some life into this subject even though I think you are bored by it :P. So any additional info would be awesome. Or if anyone else has the game and wants to look into it, that would also be very cool!


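The getchallenge/connect exchange quoted in the post above, as an added example that is not part of the original post and not code from dwbdcrypto: it parses the two sniffs' challengeResponse and connect lines (the Quake3-style backslash-delimited infostring), checks that each connect echoes the challenge the server handed out, and base64-decodes the bdTicket so its raw length and contents can be compared across the two sessions. The challenge and connect strings are copied verbatim from the sniffs; only the 4-byte connectionless prefix rendered as "...." is left off.

```python
"""Parse the getchallenge/connect exchange from the two sniffs in the post.

Added example, not code from the original post or from dwbdcrypto. The
challengeResponse and connect lines are copied verbatim from the sniffs;
only the 4-byte connectionless prefix rendered as "...." is omitted.
"""
import base64

SNIFF1_CHALLENGE = "challengeResponse 101721693 v/4Sg7+M820="
SNIFF1_CONNECT = r'connect "\cg_predictItems\1\cl_punkbuster\1\cl_voice\1\cl_wwwDownload\1\rate\25000\snaps\20\name\UserNameHere\protocol\96\challenge\101721693\qport\30297\bdTicket\cgRYRXKnG4EcJX7HcgopPr2SDuP4eDfi+F1NkrqNE04U8usMCzeaf6jpZqjZHpUfPY9sNhmQ14drT2B7Ub6fROo94QnTojzUfkQ2TyRHF6Vs83lPoPdkpiewrW9sS9W0rQaceCVmo6VtV2W0L4T/RNS4Qw20txXAAcXHIBtUthvDOsWB\bdTicketTime\379"'
SNIFF2_CHALLENGE = "challengeResponse 368735854 v/4Sg7+M820="
SNIFF2_CONNECT = r'connect "\cg_predictItems\1\cl_punkbuster\1\cl_voice\1\cl_wwwDownload\1\rate\25000\snaps\20\name\UserNameHere\protocol\96\challenge\368735854\qport\30297\bdTicket\xHr2OTCAU0Vd953l12Hz+N2eMbAgR4gtvQq2yIsGNJp3GQ9whk/uTEfFXco6aP4/m1hl1EzYRjYiUhgDnt8izvy1bvNbw8BwGWVIXyPsDTJg8L/G5m9MSulzi+P0AaKWTdEk6GZD06MVBl0GcQbWnLDUqdbw4mpH+fOnv3S6v/BhkyNq\bdTicketTime\359"'


def parse_infostring(info):
    """Quake3-style infostring (backslash-delimited key/value pairs) -> dict.

    The bdTicket is base64, so it never contains a backslash; a plain split
    on the delimiter is therefore safe for this protocol.
    """
    tokens = info.strip("\\").split("\\")
    if len(tokens) % 2:
        raise ValueError("unbalanced infostring")
    return dict(zip(tokens[0::2], tokens[1::2]))


def parse_connect(line):
    """'connect "<infostring>"' -> dict of the quoted infostring's fields."""
    cmd, _, rest = line.partition(" ")
    if cmd != "connect":
        raise ValueError("not a connect command: %r" % cmd)
    return parse_infostring(rest.strip().strip('"'))


def parse_challenge_response(line):
    """Returns (challenge number, decoded trailing base64 blob)."""
    parts = line.split()
    if len(parts) != 3 or parts[0] != "challengeResponse":
        raise ValueError("not a challengeResponse: %r" % line)
    return int(parts[1]), base64.b64decode(parts[2], validate=True)


def analyze(challenge_line, connect_line):
    """Cross-check one session: challenge echoed back, ticket decoded."""
    challenge, blob = parse_challenge_response(challenge_line)
    fields = parse_connect(connect_line)
    ticket = base64.b64decode(fields["bdTicket"], validate=True)
    return {
        "challenge_echoed": int(fields["challenge"]) == challenge,
        "challenge_blob": blob,
        "protocol": int(fields["protocol"]),
        "qport": int(fields["qport"]),
        "ticket_time": int(fields["bdTicketTime"]),
        "ticket": ticket,
    }


if __name__ == "__main__":
    sessions = {"sniff 1": (SNIFF1_CHALLENGE, SNIFF1_CONNECT),
                "sniff 2": (SNIFF2_CHALLENGE, SNIFF2_CONNECT)}
    for name, (chal, conn) in sessions.items():
        r = analyze(chal, conn)
        print(name, "challenge echoed:", r["challenge_echoed"],
              "ticket bytes:", len(r["ticket"]),
              "bdTicketTime:", r["ticket_time"],
              "ticket head:", r["ticket"][:8].hex())
```

Run against the two sniffs, this confirms the connect line echoes the server's challenge each time, that both tickets decode to 132 raw bytes with entirely different contents, and that the 8-byte blob after the challenge number (v/4Sg7+M820=) is identical in both sessions even though the challenge differs. 132 is not a multiple of 8 or 16, so if any part of the ticket is block-cipher output, some bytes of it sit outside the padded region; that is worth checking before feeding the whole blob to a decryption attempt.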
 Post subject: Re: demonware help/questions
PostPosted: 12 Apr 2009 23:16 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
although my research about the Demonware authentication/master server is not complete (and I highly doubt I will continue due to the lack of interest) I guess I can link here a tool I wrote to "start" to analyze this data:

http://aluigi.org/papers/dwcryptonet.zip

it's totally useless for the people but it's a good start for understanding a bit about the protocol and the types of encryptions to expect to find.

quick usage: dump the content of ALL the connections made to port 3074 of the demonware master server in one raw file and then launch the tool specifying it and your own "secretsauce".
if you don't know the secretsauce just use your nickname and the bracketless cdkey (it will calculate it, it's just the XORing of these two parameters).
if the game doesn't use a secretsauce (like Enemy Territory Quake Wars demo) just put a zero or ""

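The first step of the usage above, dumping every port-3074 stream into one raw file, as an added example (not the dwcryptonet tool's own code): a dependency-free reader for classic libpcap files that keeps the TCP payload of every segment to or from port 3074, in capture order and in both directions, and writes them back to back. Filtering on the port rather than on a host address means the two or three different demonware servers the first post mentions all land in the same file. The capture it runs on is constructed inline with RFC 5737 documentation addresses and made-up payloads so the script runs offline; on a real capture, pass the file name as the first argument.

```python
"""Concatenate all TCP payloads exchanged with port 3074 from a pcap file.

Added example, not part of the original thread or of dwcryptonet. The
sample capture is constructed inline (documentation IP addresses, invented
payloads) purely so the script can run without a real trace.
"""
import struct
import sys

PCAP_MAGIC = 0xA1B2C3D4          # little-endian classic pcap (not pcapng)
LINKTYPE_ETHERNET = 1
DEMONWARE_PORT = 3074            # labelled "xbox" by Wireshark


def build_tcp_packet(src_ip, dst_ip, sport, dport, payload):
    """Ethernet + IPv4 + TCP frame. Checksums stay zero; the reader
    below does not verify them."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a classic libpcap file: global header + records."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535,
                      LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap_frames(data):
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_payloads_for_port(pcap_bytes, port=DEMONWARE_PORT):
    """Yield (src_ip, dst_ip, payload) for every non-empty TCP segment
    whose source or destination port is `port`."""
    for frame in iter_pcap_frames(pcap_bytes):
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
            continue                      # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 6:            # IP protocol 6 == TCP
            continue
        ip_total = struct.unpack_from("!H", frame, 14 + 2)[0]
        tcp_off = 14 + ihl
        if len(frame) < tcp_off + 20:
            continue
        sport, dport = struct.unpack_from("!HH", frame, tcp_off)
        if port not in (sport, dport):
            continue
        data_off = (frame[tcp_off + 12] >> 4) * 4
        payload = frame[tcp_off + data_off:14 + ip_total]  # drops Ethernet padding
        if payload:
            yield (".".join(map(str, frame[26:30])),
                   ".".join(map(str, frame[30:34])), payload)


def dump_raw(pcap_bytes, port=DEMONWARE_PORT):
    """All matching payloads in capture order, back to back."""
    return b"".join(p for _, _, p in tcp_payloads_for_port(pcap_bytes, port))


# Constructed sample capture: one client/demonware exchange (with a bare ACK
# carrying no data in between) plus unrelated HTTP traffic that must be ignored.
CLIENT, DW_SERVER, WEB = "192.0.2.10", "198.51.100.20", "203.0.113.5"
SAMPLE_PCAP = build_pcap([
    build_tcp_packet(CLIENT, DW_SERVER, 40001, DEMONWARE_PORT, b"CLIENT-HELLO"),
    build_tcp_packet(DW_SERVER, CLIENT, DEMONWARE_PORT, 40001, b""),
    build_tcp_packet(DW_SERVER, CLIENT, DEMONWARE_PORT, 40001, b"SERVER-BLOB"),
    build_tcp_packet(CLIENT, WEB, 40002, 80, b"GET / HTTP/1.0\r\n\r\n"),
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for src, dst, payload in tcp_payloads_for_port(data):
        print("%s -> %s: %d bytes" % (src, dst, len(payload)))
    with open("dw3074.raw", "wb") as f:
        f.write(dump_raw(data))
```

Two caveats for a real trace: Wireshark's default save format is pcapng, which this reader rejects, so export as classic pcap first; and the dump is a plain concatenation of segments as captured, so retransmitted or out-of-order segments would duplicate or shuffle bytes. Compare the result with Wireshark's Follow TCP Stream on a messy capture before handing it to the tool.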