Luigi Auriemma

Hey everyone,

Can anyone help me in generating the correct Punkbuster CD-Key hash for Battlefield 2? I have looked at the code for key2pb (http://aluigi.altervista.org/papers/key2pb.zip), and if I am correct all that needs to be changed depending on the game is the seed. Well I have no idea how to find the seed that BF2 uses, but I was reading the code and there was a note that said you could load the pbcl.dll file and it would try all available hashes in it as seeds. Well I have the pbcl.dll file that was in the BF2 folder but I don't know how to scan it with the program... I don't think there was an option to do so. I can send this to anyone who needs it, but it was too big to be uploaded

Anyways I have a legit CD key, and I know the hash it SHOULD end up being when the calculations are all done (found via the in-game console after connecting to a server). I just don't know what seed to use to generate this hash. I have uploaded the pbcl.dll file for Battlefield 2 if anyone wants to take a look at it. Maybe you guys can find the correct seed for me that BF2 uses.

What would be nice is if Luigi or someone could make a "seed finder" brute force application. It would work like so:

1) Enter the CD Key exactly as you want it
2) Enter the hash that it SHOULD end up being when done
3) Start a brute force of seeds and try ALL possible hashes until a match is made.
4) If a match is made, inform the user of the seed used. If the no matches are made, then inform the user to try modifying the cd key (use lowercase, use dashes, etc.)

And you could set a limit for the size of the hash to be used. Like 8 could be default, since the sample code uses seeds that are 0x and then 8 characters (0x00b684a3)

I would love to see something like this =) I might actually want to get the seeds for a few other games that use Punkbuster too, so this would be cool.

Thanks for reading, hope someone can help, maybe even Luigi :-P

take a look to the new version of key2pb I have released.
I have made a quick scan of the seeds available in all the games supported by PB and I think those are all.
Sure it's still generic but if users want to add more info or seeds they can here.
Let me know what you think about this new version

Hey luigi,

The program works great, and I like the idea of how you do upper and lower case for the hashes 8) Unfortunately I did not see the expected md5 hash I wanted from the cdkey I used :(. I tied it with and without dashes too, and checked all the results that were given for all games too instead of just BF2.

I went ahead and PM'd you my Battlefield 2 cd key and the hash the game reports in my console (using the command PB_MyGUID), so hopefully you can use that information to help find the seed :P Thanks a bunch for the help so far!

p.s. - if the brute force were to be made, there would be about 4.3 billion seeds to try if the seeds were all lowercase, hex digits, and 8 characters long after the 0x

no luck with the brute forcing solution (scanned all 0xffffffff)... I think the only solution is reversing the stuff

Damn, alright. Thanks for checking 8) Let me know if you guys find any other info on this

Hey,

Sorry to bring an old topic back to life, but I have been thinking about this a little and still think there's hope in finding the seed.

Do you think that BF2 might use seeds shorter or longer than 8? For example, maybe it could use something shorter like 0x123abc or 0x123ab or even longer?

I don't think they would alter the way it's done just for BF2, so maybe if we try more seeds we could get a match. Just a thought :D

edit: ah nevermind, I guess 0x00123abc is the same as 0x123abc, so it would be the same. I still wish I could figure out how BF2 generates the GUIDs :(.

It's also possible that the guid is calculated on the hash of the cdkey or something similar.
Anyway I can't check it because I don't have the game

Hi, i am wondering whats 0x3b9ac617, 0x3b9ac616 etc and how are these used in bf2?

they are seeds for initialize the md5 algorithm

i am sorry but i do not understand what you mean by seed, is seed like a password you need to get the correct hash of ur cd-key?

In short the seed is a number which is applied to the initialization of the MD5 algorithm so the result differs from the classical MD5.
It can be considered something like a salt.
Anyway I don't know exactly what BF2 does so my key2pb code probably doesn't calculate the correct guid for this game (while Quake 3/RTCW and some other games are ok)

oh ok, and how do you go about finding it?

use a debugger and place a breakpoint at the beginning of the MD5 initialization function (you can find that function with my signsrch tool) where you will say the seed, the input data and its length.
But naturally you must have a bit of experience with debugging and assembly otherwise is useless (although it's a simple thing to do).

Sorry to bump an old topic, but I figured it's better than starting a new one. I have been looking more into this, trying to find out any information I can to help me figure out how this is done.

I decided to install my own local server and use modmanager (an admin plugin) to better monitor clients and their information. I connected to my own server, and right away the modmanager program (BF2CC) reported that my clients cd-key hash was: 60b1fed928c356127af668bfb8c2c30a

This is the pure md5 hash of my full cd key, in all caps, without dashes. However, this is not the punkbuster hash. The punkbuster guid is assigned later on after already connecting. Soon after a client connects, the server console reports that it has computed the guid, and a packet scan shows that the server sends the guid to the client.

So this could mean that you are correct in saying the game might generate the final punkbuster hash based off the pure md5 hash of the cd-key.

Considering that, can would be able to run another brute force for me on all the seeds in 0xffffffff? The cd-key this time would be: 60b1fed928c356127af668bfb8c2c30a

and the final punkbuster hash would be: 85e39828f8347f9fe7030614b735858d

So if you can get a match based off that data, the mystery is solved. If you can't get a match, then you can also try it in all caps, or try only the first X characters of the md5 (like call of duty 4 appears to do by only using the first 16).

Also, after opening pbsv.dll in ollydbg and doing a search for strings, you can find the exact string where the server's console reports "guid computed". Here is a screenshot of that:



Here is what the server console shows shortly after a client connects:



Hopefully some of that information might help you see something I don't Luigi. Thanks for the help!

Another boring different Punkbuster cl_guid... Enemy Territory:

- get the key from etkey, which looks like 0000001002123456789012345678
- get the last 18 chars of the key, like 123456789012345678
- calculate the PB md5 of 123456789012345678 using the seed 0x00b684a3
- calculate the PB md5 of the resulted hash (32d9745fc64f1f67b13b33590548cad9) using seed 0x00051a56
- the result is cl_guid (c5b16ff05ea6838c8ffa997a302ffc1a in my example)