Debug Guest 88.203.44.x
Posted: Sat Dec 16, 2006 7:47 pm Post subject: Re: NFS Carbon over LAN possible? (Client/Server)
Well, if this can help, I think you should not sniff the data over the network, but the message before it is encrypted. Just put a breakpoint on 'send' and trace a bit before the call, so that it will not be encrypted, and you can recognize the encryption because the algorithm is always the same.
schultzy Guest 220.245.178.x
Posted: Sun Dec 17, 2006 5:13 am Post subject: Re: NFS Carbon over LAN possible? (Client/Server)
Well, I haven't had much experience in coding at all, but I really would like to play NFSC over LAN, so I will try to help out, though probably not much :)
Couldn't we all just brute force it, and then one of us has to get the key?
Also, couldn't you just edit the executable file or DLL files to get the key or something?
Probably wasn't much, but I tried.
covo2k
Joined: 19 Nov 2006 Posts: 9
Posted: Sun Dec 17, 2006 4:36 pm Post subject: Re: NFS Carbon over LAN possible? (Client/Server)
Hey all. Sorry that I didn't write a post for such a long time, but I had to do many other things.
So my SSL server is ready.
I also faked the certificate which comes from EA. It looks like this:
The root certificate looks like this:
Code:
CommonName = OTG3 Certificate Authority
CountryName = US
StateOrProvinceName = California
LocalityName = Redwood City
OrganizationName = Electronic Arts, Inc.
OrganizationalUnitName = Online Technology Group
E-Mail = dirtysock-contact@ea.com
The certificate which is derived from the root certificate looks like this:
Code:
CommonName = fesl.ea.com
CountryName = US
StateOrProvinceName = California
OrganizationName = Electronic Arts, Inc.
OrganizationalUnitName = Online Technology Group
E-Mail = fesl@ea.com
I faked these certificates with the command-line tools from OpenSSL (http://www.openssl.org/) and used them in my SSL server.
I thought that now, when the certificate is exactly the same as the one which comes from EA, it will connect, but sadly it didn't.
And why? Because the public key is incorrect. Now there are several algorithms and functions to simulate and hack the public key, because the public key is always transmitted and you can see it. But the problem is you must have the private key, and this is kept secure from all of us.
The private key and public key depend on each other. But the algorithm to decrypt the public key you'll never have :/
So this is a very big problem.
When you want to do this with brute force, as I said, it will take a very long time, and even when you have the key you need the algorithm to decrypt it.
Since EA used an SSL certificate system with a public/private key mechanism and hybrid en/decryption methods, it will be very difficult.
When you want to know more about this mechanism, here you have a link:
http://tldp.org/HOWTO/SSL-Certificates-HOWTO/x64.html
So maybe someone has another idea.
Another thing which is unknowable: normally with an SSL connection you have two certificates, one on the server machine and one on the client machine. But in Carbon there is no certificate. I searched all directories, but there is no certificate... So they only have a private key which is completely in the source code of Carbon...
Why are there private servers for WoW? Yeah, because Blizzard didn't use such a hard SSL mechanism, so it was easier to simulate a server :/
But I still go on with my work on the server. Maybe I'll get it soon. But when someone has other ideas, PLEASE write them down or write me on ICQ or email.
edasx Site Admin
Joined: 16 Nov 2005 Posts: 65
Posted: Mon Dec 18, 2006 3:32 am Post subject: Re: NFS Carbon over LAN possible? (Client/Server)
First of all, thanks for your continuous effort.
covo2k wrote:
  ...Because the public key is incorrect. Now there are several algorithms and functions to simulate and hack the public key, because the public key is always transmitted and you can see it. But the problem is you must have the private key, and this is kept secure from all of us.
  The private key and public key depend on each other. But the algorithm to decrypt the public key you'll never have :/
  So this is a very big problem.
Well, can't we just generate our own pair of keys and somehow hack them into the game "exe" or into the other game files...?
covo2k wrote:
  When you want to do this with brute force, as I said, it will take a very long time, and even when you have the key you need the algorithm to decrypt it.
Yep, this is definitely not a way, unless they would use some weak keys.
According to this page (http://www.keylength.com/), in case they are using standard 128-bit symmetrical SSL, we are out for the "foreseeable future" - see also http://en.wikipedia.org/wiki/Key_size
I really think EA was too lazy to change the mechanism in any way. They probably downloaded some free framework and did it with that. I don't really think they would make it from scratch... that's like reinventing the wheel.
covo2k wrote:
  So they only have a private key which is completely in the source code of Carbon ...
You mean the source of their servers.
covo2k wrote:
  But I still go on with my work on the server. Maybe I'll get it soon. But when someone has other ideas, PLEASE write them down or write me on ICQ or email.
Thanx! Phew - 4:30 am - will look more deeply into it later =)
Schultzy Guest 220.245.178.x
Posted: Mon Dec 18, 2006 6:13 am Post subject: Re: NFS Carbon over LAN possible? (Client/Server)
Can't we lobby or petition EA or something for LAN support in Carbon? Because I got it last Tuesday and, disappointed about no LAN games, I found myself here. And I have finished career mode and I would like to kick my brother's ass.
PS: if you need a guinea pig for anything for this, then email me at schultzy92@gmail.com and I'll try it.
edasx Site Admin
Joined: 16 Nov 2005 Posts: 65
Posted: Mon Dec 18, 2006 12:19 pm Post subject: Re: NFS Carbon over LAN possible? (Client/Server)
Schultzy wrote:
  Can't we lobby or petition EA or something for LAN support in Carbon? Because I got it last Tuesday and, disappointed about no LAN games, I found myself here. And I have finished career mode and I would like to kick my brother's ass.
  PS: if you need a guinea pig for anything for this, then email me at schultzy92@gmail.com and I'll try it.
Hehe, great idea. But IMHO this would probably take longer than actually cracking the keys =)))))))))))))) - this is part of EA's marketing... sell crippled stuff, so next time you buy again (LAN will be in, but something you are used to won't =)
Debug Guest 88.203.44.x
Posted: Mon Dec 18, 2006 3:32 pm Post subject: Re: NFS Carbon over LAN possible? (Client/Server)
Quote:
  covo2k wrote:
    So they only have a private key which is completely in the source code of Carbon ...
  You mean the source of their servers.
Since it is the private key, it cannot be transmitted; therefore it's embedded in the game files itself. So it is not on their servers but on your computer. The public key is the one on the server.
Guest 87.119.161.x
Posted: Thu Dec 21, 2006 10:36 pm Post subject: Re: NFS Carbon over LAN possible? (Client/Server)
Private/public key encryption, I see, is the main obstacle.
Well, the whole thing is based on trust. EA has one master private key in their back pocket, so that their servers have it and can hence validate whether the clients which connect are valid. Now, to overcome this obstacle one would need to generate a new private key (a random one, as brute force on the EA one is almost impossible) and change all the parts of Carbon which send out stuff verifiable with the EA key.
What I would assume EA did is assume the role of CA in the PKI mechanism. A CA is a central authority whose private key is very highly protected. When a client generates a private and public key, the CA signs this public key to say that it has validated the owner of the key pair. I guess somewhere down the throat of Carbon there is a public key which has the signature of the EA private key in it. That means that this also has to be regenerated and signed using the newly generated private key.
Basically one has to take all of the authentication components, recreate them and then reinsert them. Once that is done, there is no way the software is capable of checking that it isn't connecting to the correct server, as its own trust base has been compromised.
Hope it helps...
edasx Site Admin
Joined: 16 Nov 2005 Posts: 65
Posted: Fri Dec 22, 2006 4:48 pm Post subject: Re: NFS Carbon over LAN possible? (Client/Server)
What we could do, if we could not find the keys in the files of the game, is edit the memory of the running process and replace the keys there... as I guess they will be uncompressed/unencrypted there and easily accessible to replace with our generated fake EA public key.
What do you think about this approach?
covo2k, can you paste in how the public key looks?
Do I understand it correctly that now we have 3 keys out of four:
client public/private
server public
missing is server private...
Are the client keys somehow connected to the server keys? Or is all we have to do replacing that one single server public key...
Is the server public key transferred by the EA server to the client, or is it hardcoded in the game?
Thanks for clarifying this stuff =)
covo2k
Joined: 19 Nov 2006 Posts: 9
Posted: Sat Dec 23, 2006 6:59 pm Post subject: Re: NFS Carbon over LAN possible? (Client/Server)
Hey all.
So first I want to answer your questions, edasx.
Your idea could work. But as I said, the private key is hardcoded in the game itself. So I think even when we can dump the memory of the processes and change the keys there, Carbon wouldn't connect, because the key is hardcoded in the game.
But I can try this variant, too.
A public key looks like this:
Code:
- subjectPublicKeyInfo
  - algorithm (rsaEncryption)
    Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption)
  - Padding: 0
  - subjectPublicKey:
    3046024100F4240DFB9AA02DB3464DE30B8CE283030814E5...
So now I try to explain the client/server certificate system.
1. First of all you have a root certificate; it's called: Certificate Authority
   - The one from EA is called: OTG3 Certificate Authority
2. From this certificate it'll build a new server certificate
   - The one from EA is called: fesl.ea.com
These two certificates lie on the servers from EA in California.
Now, and this is the problem, you have a private key, and this private key is probably hardcoded in Carbon.
Now I'll make a scheme in which you can see the functionality of the server/client certificate system.
1. First of all you select in Carbon custom match or quick match, so it wants to connect to the internet
2. Carbon now sends a ping to 159.153.235.75 (the IP address of the EA Nations server in California) to see if it is still alive
3. The server sends back a ping that it is alive
4. Carbon sends an SSL packet which is called: Client Hello
   + in this stands the version of SSL (3.0)
   + Handshake Protocol
   + Cipher Suites (TLS_RSA_WITH_RC4_128_SHA (0x0005))
   + Compression Methods
5. The server now sends back the whole certificate, which is called: Server Hello, Certificate, Server Hello Done
   + in this certificate stand all required informations, also the public key
   + all other things I wrote a post above already
6. Now an extra packet is sent, called: Client Key Exchange
   + But you can't decrypt it
   + it looks like this
Code:
- SSLv3 Record Layer: Handshake Protocol: Client Key Exchange
  Content Type: Handshake (22)
  Version: SSL 3.0 (0x0300)
  Length: 68
  - Handshake Protocol: Client Key Exchange
    Handshake Type: Client Key Exchange (16)
    Length: 64
7. Carbon sends a request to change the cipher spec protocol; it's called: Change Cipher Spec, Encrypted Handshake Message
8. Server changes cipher spec
9. A last encrypted Handshake Message comes from the server, and now application data will be sent
This is the complete functionality of the client/server certificate mechanism.
By the way, this method is the most secure today :/
Another idea is: when we have the complete certificate which comes from EA and I can redirect it to my SSL server, probably it'll work. But is there any possibility to "download" a certificate, especially from the EA server?
And is there no check which signs that this certificate is really sent from EA in California?
Well, so far at the moment.
mfg coVo2k
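The handshake described in steps 4 to 9 above is easy to check against a real capture once you decode the record layer by hand. The following is an added example (not covo2k's code and not from the game or its server): a small SSLv3/TLS record and handshake header parser that names the content type, protocol version and handshake message, lists the cipher suites offered in a ClientHello and flags the RC4 suites, and, for an RSA ClientKeyExchange, reports the server's RSA modulus size from the ciphertext length. The sample bytes are constructed here: the SSL 3.0 version, the single suite 0x0005 and the Client Key Exchange sizes (record length 68, handshake length 64) match the capture quoted in the post; the client random and the 64 encrypted bytes are filler, not captured data.

```python
import struct

CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   12: "ServerKeyExchange", 14: "ServerHelloDone",
                   16: "ClientKeyExchange", 20: "Finished"}
CIPHER_SUITES = {0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
                 0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA"}
# Suites a defender would flag today: RC4 is broken (and SSL 3.0 itself is deprecated).
WEAK_SUITES = {0x0004, 0x0005}


def parse_client_hello(payload):
    """Decode the fixed-layout part of a ClientHello body (same layout in SSL 3.0 and TLS)."""
    client_version = struct.unpack(">H", payload[:2])[0]
    pos = 2 + 32                                   # skip the 32-byte client random
    sid_len = payload[pos]
    pos += 1 + sid_len                             # skip session id
    cs_len = struct.unpack(">H", payload[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack(">H", payload[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = payload[pos]
    return {
        "client_version": VERSIONS.get(client_version, hex(client_version)),
        "cipher_suites": [CIPHER_SUITES.get(s, hex(s)) for s in suites],
        "weak_suites": [CIPHER_SUITES.get(s, hex(s)) for s in suites if s in WEAK_SUITES],
        "compression_methods": comp_len,
    }


def parse_handshakes(body, record_version):
    """Split a Handshake record body into its messages: 1-byte type, 3-byte length, payload."""
    msgs = []
    pos = 0
    while pos + 4 <= len(body):
        htype = body[pos]
        hlen = int.from_bytes(body[pos + 1:pos + 4], "big")
        payload = body[pos + 4:pos + 4 + hlen]
        if len(payload) != hlen:
            raise ValueError("truncated handshake message")
        msg = {"type": HANDSHAKE_TYPES.get(htype, "unknown(%d)" % htype), "length": hlen}
        if htype == 1:
            msg.update(parse_client_hello(payload))
        elif htype == 16:
            # RSA key exchange: the payload is the premaster secret encrypted with the
            # server's public key, so its size equals the RSA modulus size.
            # SSL 3.0 sends it raw; TLS 1.0 and later prefix a 2-byte length.
            enc_len = hlen if record_version == 0x0300 else hlen - 2
            msg["rsa_modulus_bits"] = enc_len * 8
        msgs.append(msg)
        pos += 4 + hlen
    return msgs


def parse_records(data):
    """Walk a byte string of back-to-back records: 1-byte type, 2-byte version, 2-byte length."""
    records = []
    while data:
        if len(data) < 5:
            raise ValueError("short record header")
        ctype, version, length = struct.unpack(">BHH", data[:5])
        body, data = data[5:5 + length], data[5 + length:]
        if len(body) != length:
            raise ValueError("truncated record")
        rec = {"content_type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
               "version": VERSIONS.get(version, hex(version)), "length": length}
        if ctype == 22:
            rec["handshakes"] = parse_handshakes(body, version)
        records.append(rec)
    return records


def build_sample():
    """Constructed ClientHello + ClientKeyExchange records sized like the capture in the thread."""
    hello_body = (b"\x03\x00" + b"\x11" * 32 + b"\x00"   # SSL 3.0, filler random, empty session id
                  + b"\x00\x02" + b"\x00\x05"            # one cipher suite: 0x0005
                  + b"\x01\x00")                         # one compression method: null
    client_hello = (b"\x16\x03\x00" + struct.pack(">H", len(hello_body) + 4)
                    + b"\x01" + len(hello_body).to_bytes(3, "big") + hello_body)
    # Record length 68 and handshake length 64 exactly as in the quoted dump; 64 filler bytes.
    client_key_exchange = b"\x16\x03\x00\x00\x44" + b"\x10\x00\x00\x40" + b"\x22" * 64
    return client_hello + client_key_exchange


if __name__ == "__main__":
    for rec in parse_records(build_sample()):
        print(rec)
```

A 64-byte encrypted premaster in an SSL 3.0 ClientKeyExchange means the server certificate carried a 512-bit RSA key, which agrees with the DER snippet pasted above (a 70-byte SEQUENCE whose first INTEGER is 65 bytes: a leading zero plus a 64-byte, i.e. 512-bit, modulus). Keys that short, together with RC4 and SSL 3.0, are all things a scan of your own services should report.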
Guest 82.161.97.x
Posted: Sat Dec 23, 2006 10:01 pm Post subject: Re: NFS Carbon over LAN possible? (Client/Server)
I've disassembled nfsc.exe and found this code:
Code:
.text:00876BDB inc crypto_ref_count
.text:00876BE1 push esi
.text:00876BE2 push 0A0h
.text:00876BE7 call malloc_1
.text:00876BEC mov esi, eax
.text:00876BEE test esi, esi
.text:00876BF0 pop ecx
.text:00876BF1 jz short loc_876C42
.text:00876BF3 and dword ptr [esi+9Ch], 0
.text:00876BFA push esi ; key
.text:00876BFB push 90h ; inlen
.text:00876C00 push offset ea_rsakey ; in
.text:00876C05 call rsa_import
.text:00876C0A add esp, 0Ch
.text:00876C0D test eax, eax
.text:00876C0F jz short loc_876C1A
.text:00876C11 push esi
.text:00876C12 call free_1
.text:00876C17 pop ecx
.text:00876C18 xor esi, esi
nfsc uses libtomcrypt (www.libtomcrypt.org).
This is the data imported by rsa_import (see rsa_import.c from libtomcrypt):
Code:
.data:00A7BA98 ea_rsakey db 98h, 3 dup(0), 1, 80h, 3 dup(0), 0D6h, 37h, 0AEh, 0E5h
.data:00A7BA98 db 0CCh, 10h, 0A5h, 8Fh, 0F0h, 2Ch, 33h, 0A9h, 0B3h, 0B6h ; type
.data:00A7BA98 db 13h, 17h, 9Eh, 0D0h, 0F2h, 77h, 58h, 0E2h, 0F6h, 2Fh
.data:00A7BA98 db 43h, 72h, 35h, 0C4h, 0ECh, 0Ch, 3Bh, 0D3h, 2Bh, 2Dh
.data:00A7BA98 db 0D3h, 0Ch, 0A9h, 0EAh, 0E8h, 0A7h, 1Bh, 1Ah, 63h, 2Bh
.data:00A7BA98 db 0BCh, 0DEh, 0A8h, 0D6h, 0FAh, 8Eh, 7, 82h, 0B5h, 0Dh
.data:00A7BA98 db 11h, 7Dh, 61h, 96h, 0D2h, 0BFh, 5Eh, 0FEh, 3Eh, 6Fh
.data:00A7BA98 db 94h, 0D9h, 50h, 0B3h, 0F5h, 0A0h, 77h, 6Dh, 0C1h, 64h
.data:00A7BA98 db 51h, 0E7h, 2, 40h, 0BCh, 55h, 9Fh, 0F6h, 2Ch, 69h, 93h
.data:00A7BA98 db 4Fh, 7Dh, 4Fh, 37h, 91h, 48h, 8Bh, 0E1h, 30h, 0C1h
.data:00A7BA98 db 0D3h, 0C4h, 5Dh, 6, 93h, 0CCh, 7Fh, 2Eh, 34h, 43h, 0D8h
.data:00A7BA98 db 0BDh, 3Bh, 9, 60h, 0E4h, 14h, 21h, 70h, 0B2h, 0D7h
.data:00A7BA98 db 8, 34h, 0Ah, 7Eh, 0EDh, 0B9h, 69h, 5Bh, 27h, 0EAh, 4Ah
.data:00A7BA98 db 71h, 3, 3 dup(0), 1, 0, 1
.data:00A7BB28 db 1 ;
.data:00A7BB29 db 0 ;
.data:00A7BB2A db 0 ;
.data:00A7BB2B db 0 ;
Guest 82.161.97.x
Posted: Sat Dec 23, 2006 10:03 pm Post subject: Re: NFS Carbon over LAN possible? (Client/Server)
To be exact, libtomcrypt version 0.97b!!!
Guest 60.241.155.x
Posted: Sun Dec 24, 2006 7:48 am Post subject: Re: NFS Carbon over LAN possible? (Client/Server)
What about a process of elimination with different DLL files and the nfsc executable, like trying or cracking different things?
Like I mentioned before, I ain't a big coder yet, I'm only 14.
Guest 82.161.97.x
Posted: Sun Dec 24, 2006 11:57 am Post subject: Re: NFS Carbon over LAN possible? (Client/Server)
What I posted before might be the public RSA key for the ad-server client.
I found another public RSA key at .rdata:009E8100.
Both RSA keys start with 0x98, 0x00, 0x00, 0x00, 0x01, 0x00000080 (big endian, mod len), 128 bytes mod, 0x00000003 (exp len), 0x01 0x00 0x01 (exp=65537).
(Is this ASN.1 encoding???)
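Inventorying the public keys baked into a binary, so you know which trust anchors it carries and how strong they are, is a routine audit task, and the key layout described in the two posts above is simple enough to decode directly. The following is an added example, not code from the thread, from libtomcrypt or from the game: it parses a blob in the layout the poster describes (4-byte header 98 00 00 00, a type byte, then each big number as a 4-byte length field followed by its big-endian magnitude), reports modulus size and exponent, records the findings an auditor would note, and scans an arbitrary byte image for further blobs of the same shape. The modulus bytes are transcribed from the ea_rsakey dump quoted earlier in the thread. Two things are my assumptions, labelled in the code: the length fields are read little-endian, because that is how `80h, 3 dup(0)` in the dump decodes to 128 (read big-endian the same bytes would be 0x80000000), and type byte 0x01 is taken to mean a public key. Whether this matches libtomcrypt 0.97b's actual `rsa_import` format is not something this example verifies.

```python
import struct

# Modulus transcribed from the ea_rsakey dump quoted in this thread: the 128 bytes
# between the 80h,00,00,00 length field and the 03,00,00,00 field.
EA_MODULUS_HEX = (
    "d637aee5"
    "cc10a58ff02c33a9b3b6"
    "13179ed0f27758e2f62f"
    "437235c4ec0c3bd32b2d"
    "d30ca9eae8a71b1a632b"
    "bcdea8d6fa8e0782b50d"
    "117d6196d2bf5efe3e6f"
    "94d950b3f5a0776dc164"
    "51e70240bc559ff62c6993"
    "4f7d4f3791488be130c1"
    "d3c45d0693cc7f2e3443d8"
    "bd3b0960e4142170b2d7"
    "08340a7eedb9695b27ea4a"
    "71"
)
LTC_HEADER = b"\x98\x00\x00\x00"   # first four bytes of both keys reported in the thread
PK_PUBLIC = 0x01                    # ASSUMPTION: the fifth byte marks a public key


def build_ea_blob():
    """Reassemble the quoted blob: header, type, len(N) + N, len(e) + e (lengths little-endian)."""
    mod = bytes.fromhex(EA_MODULUS_HEX)
    assert len(mod) == 128
    return (LTC_HEADER + bytes([PK_PUBLIC])
            + struct.pack("<I", len(mod)) + mod
            + struct.pack("<I", 3) + b"\x01\x00\x01")


def read_bignum(blob, pos):
    """ASSUMED encoding: 4-byte little-endian byte count, then the big-endian magnitude."""
    if pos + 4 > len(blob):
        raise ValueError("truncated length field")
    n = struct.unpack_from("<I", blob, pos)[0]
    pos += 4
    if n == 0 or n > 1024 or pos + n > len(blob):   # reject junk that merely looks like a header
        raise ValueError("implausible bignum length %d" % n)
    return int.from_bytes(blob[pos:pos + n], "big"), pos + n


def parse_public_key(blob, offset=0):
    """Parse one public-key blob at offset; returns modulus, exponent and where the blob ends."""
    if blob[offset:offset + 4] != LTC_HEADER:
        raise ValueError("no libtomcrypt-style header at offset %d" % offset)
    key_type = blob[offset + 4]
    if key_type != PK_PUBLIC:
        raise ValueError("not a public-key blob (type %d)" % key_type)
    n, pos = read_bignum(blob, offset + 5)
    e, pos = read_bignum(blob, pos)
    return {"offset": offset, "modulus": n, "modulus_bits": n.bit_length(),
            "exponent": e, "end": pos}


def check_key(key):
    """Findings an auditor would record for an embedded RSA public key."""
    findings = []
    if key["modulus"] % 2 == 0:
        findings.append("modulus is even: not a valid RSA modulus")
    if key["exponent"] % 2 == 0 or key["exponent"] < 3:
        findings.append("public exponent must be an odd integer >= 3")
    if key["modulus_bits"] < 2048:
        findings.append("%d-bit modulus is below the 2048-bit minimum recommended today"
                        % key["modulus_bits"])
    return findings


def find_public_keys(data):
    """Scan a byte image for every blob that parses as a public key of this layout."""
    keys = []
    start = 0
    while True:
        idx = data.find(LTC_HEADER + bytes([PK_PUBLIC]), start)
        if idx < 0:
            return keys
        try:
            keys.append(parse_public_key(data, idx))
        except ValueError:
            pass                                    # header-like bytes with no key behind them
        start = idx + 1


if __name__ == "__main__":
    image = b"\x00" * 16 + build_ea_blob() + b"\xff" * 16   # constructed stand-in for a file image
    for key in find_public_keys(image):
        print("offset 0x%x: %d-bit modulus, e=%d, findings=%s"
              % (key["offset"], key["modulus_bits"], key["exponent"], check_key(key)))
```

On the quoted blob this yields a 1024-bit modulus with e = 65537, consistent with the poster's reading of the fields. To the closing question: the layout is not ASN.1; DER would begin with a SEQUENCE tag (0x30) and encode each integer with its own tag and length, as in the `3046024100...` snippet earlier in the thread.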
Huhn Guest 84.178.215.x
Posted: Wed Dec 27, 2006 3:42 am Post subject: Re: NFS Carbon over LAN possible? (Client/Server)
Hi there.
I was reading all this stuff here.
Now, I hope I can explain what I am thinking, because my English is not very good, and I am from Germany.
So, here we go.
It seems to me like the only way to separate each private key is that some file of the game adds the whole, or a part of, the CD key to a fixed key, and then the whole thing gets encrypted. Maybe just at the point of the installation, when you put in your CD key.
So, I think the easiest way at this time would be to find that file which contains this client-side basic key. And to do so, I think "we" will need to test things like:
cracking the CD key to values between 0000-0000-0000-0000-0000 (I think then the base key will be 0 too, if it gets multiplied) and 1000-0000-0000-0000...
like:
0000-0000-0000-0001
0000-0000-0000-0010
0000-0000-0000-0100
and this, until you get the key.
So, you will ask yourself how to put your CD key to values like that.
Some days ago I've seen a tool which can do this while being in game, but I just can't find it again!
...
OR we try to read out what files are opened at the point when you try to connect to the EA server, and then try to decrypt this file. Whatever, I have no idea how to decrypt such a file.. :/
Another way to find out how this works is to know a member or an insider of any cracking group, those guys who are also writing keygens and all this stuff. I'm sure there will be some guys who can get through this encryption.
Well.. I seriously don't know a single one. Crap.
Another, but very dangerous, hard and really bad sucking way would be to hack the EA server and get a copy of every f***king file that runs on this machine. But how to hack a server of a company that creates games which use savegame files with an MD5 hash?
I think this whole story is getting more and more difficult..
Why oh why did EA do this to us?
Sucks.