CoD 2 Encryption

[stevomitric]

Hello again...
i'm having problems with decrypting cod2 data. Actually its not a problem. I simply don't know the encryption key.

Okey here is what i've done so far (Language: Python):

I got 2 Computers connected together on LAN.

On the first one i've written the server script ( how the original cod server would responde )
Code:

Code:

import socket #importing module

IP = "192.168.1.119" #my Local IP
PORT = 28960 #Port of server

sock = socket.socket(socket.AF_INET, # Internet
					socket.SOCK_DGRAM) # UDP
					
sock.bind((IP, PORT)) #Creating the server ( opening the IP and PORT)

while True:
	data, addr = sock.recvfrom(7000) #listening for data to come
	print "received message:", data, addr #printing what i got
	if 'connec' in data: # if i get connect request from a client send him following:
		sock.sendto('\xff\xff\xff\xffconnectResponse', addr)
	if 'chal' in data: # if i get challange request from client send him following:
		sock.sendto('\xff\xff\xff\xffchallengeResponse 1253163161', addr)

And on the 2. computer i just started CoD2 and connected to 192.168.1.119:28960 (server created)

i get the following:

Code:

Code:

ÿÿÿÿgetchallenge 0 "2d0ac480dfee724400cbf515d4003c45"
ÿÿÿÿconnect "\cl_anonymous\0\cl_punkbuster\1\cl_voice\1\cl_wwwDownload\1\rate\5000\snaps\20\name\stEvo\protocol\118\challenge\1253163161\qport\2096"

   0         2õŒ
ž¢Ûø‘$…âTZ©R‰gñ�
îuíu¨¿ï¸	AóùÇ�ïíõaAúÕuÀ
^)úZ^‡úûþýýUÿ©ùWkÅ£¯åu¾’¢�â£|¨i�„⦄úyà�¢#
¼»
   0         2õŒ
ž¢Ûø‘$…âTZ©R‰gñ�
îuíu¨¿ï¸	AóùÇ�ïíõaAúÕuÀ
^)úZ^‡úûþýýUÿ©ùWkÅ£¯åu¾’¢�â£|¨i�„⦄úyà�¢#
¼»
   0         DõŒ
ž¢Ûø‘$…âTZ©R‰gñ�
îuíu¨¿ï¸	AóùÇ�ïíõaAúÕuÀ
^)úZ^‡úûþýýUÿ©ùWkÅ£¯åu¾’¢�â£|¨i�„⦄úyà�¢#
¼»Ë$ná˜o¡2
   0         DõŒ
ž¢Ûø‘$…âTZ©R‰gñ�
îuíu¨¿ï¸	AóùÇ�ïíõaAúÕuÀ
^)úZ^‡úûþýýUÿ©ùWkÅ£¯åu¾’¢�â£|¨i�„⦄úyà�¢#
¼»Ë$ná˜o¡2
   0         DõŒ
ž¢Ûø‘$…âTZ©R‰gñ�
îuíu¨¿ï¸	AóùÇ�ïíõaAúÕuÀ
^)úZ^‡úûþýýUÿ©ùWkÅ£¯åu¾’¢�â£|¨i�„⦄úyà�¢#
¼»Ë$ná˜o¡2
ÿÿÿÿgetstatus

first 2 lines i do get, but what is this rest stuff that is constantly sending ?
how do i see what are the requests that 2. computer is asking for ?
how do i decrypt this ?

~ thanks for taking your time to reads this.

[kung foo man]

It's probably some Huffman encoded client initialisation.

http://fabiensanglard.net/quake3/network.php

Might help: http://aluigi.altervista.org/papers/q3huff.h

You should become familiar with the Quake 3 network model (e.g. implement a simple Q3 client in python) and then you can try connecting to CoD2 and see where it differs (e.g. some different encryption).

Doing C structs in Python is gonna be aids though, so probably it would be easier to do it in C, because all the source code is available. But for faster testing you could still write a Python plugin for this.

[Tally]

It's probably some Huffman encoded client initialisation.

http://fabiensanglard.net/quake3/network.php

Might help: http://aluigi.altervista.org/papers/q3huff.h

You should become familiar with the Quake 3 network model (e.g. implement a simple Q3 client in python) and then you can try connecting to CoD2 and see where it differs (e.g. some different encryption).

Doing C structs in Python is gonna be aids though, so probably it would be easier to do it in C, because all the source code is available. But for faster testing you could still write a Python plugin for this.

Huffman is a compression algorithm - not an encryption algorithm. According to the link you provided to the network model, Quake 3 uses a Pre Shared Key encryption, which is in turn a symmetric key cryptographic algorithm. I have no idea what that key is, but it certainly isn't Huffman.

[kung foo man]

Yup, hence I said "encoding" in context of "Huffman encoded client initialisation". It is using a pre-defined table for best compression (optimized for the common data the game will send):

http://www.elho.net/games/q3/q3dspecs.htm#_Toc49066736

PHP Code:

//
// pre-defined frequency counts for all bytes [0..255]
//
static int huffCounts[256] = {
       0x3D1CB, 0x0A0E9, 0x01894, 0x01BC2, 0x00E92, 0x00EA6, 0x017DE, 0x05AF3,
       0x08225, 0x01B26, 0x01E9E, 0x025F2, 0x02429, 0x0436B, 0x00F6D, 0x006F2,
       0x02060, 0x00644, 0x00636, 0x0067F, 0x0044C, 0x004BD, 0x004D6, 0x0046E,
       0x006D5, 0x00423, 0x004DE, 0x0047D, 0x004F9, 0x01186, 0x00AF5, 0x00D90,
       0x0553B, 0x00487, 0x00686, 0x0042A, 0x00413, 0x003F4, 0x0041D, 0x0042E,
       0x006BE, 0x00378, 0x0049C, 0x00352, 0x003C0, 0x0030C, 0x006D8, 0x00CE0,
       0x02986, 0x011A2, 0x016F9, 0x00A7D, 0x0122A, 0x00EFD, 0x0082D, 0x0074B,
       0x00A18, 0x0079D, 0x007B4, 0x003AC, 0x0046E, 0x006FC, 0x00686, 0x004B6,
       0x01657, 0x017F0, 0x01C36, 0x019FE, 0x00E7E, 0x00ED3, 0x005D4, 0x005F4,
       0x008A7, 0x00474, 0x0054B, 0x003CB, 0x00884, 0x004E0, 0x00530, 0x004AB,
       0x006EA, 0x00436, 0x004F0, 0x004F2, 0x00490, 0x003C5, 0x00483, 0x004A2,
       0x00543, 0x004CC, 0x005F9, 0x00640, 0x00A39, 0x00800, 0x009F2, 0x00CCB,
       0x0096A, 0x00E01, 0x009C8, 0x00AF0, 0x00A73, 0x01802, 0x00E4F, 0x00B18,
       0x037AD, 0x00C5C, 0x008AD, 0x00697, 0x00C88, 0x00AB3, 0x00DB8, 0x012BC,
       0x00FFB, 0x00DBB, 0x014A8, 0x00FB0, 0x01F01, 0x0178F, 0x014F0, 0x00F54,
       0x0131C, 0x00E9F, 0x011D6, 0x012C7, 0x016DC, 0x01900, 0x01851, 0x02063,
       0x05ACB, 0x01E9E, 0x01BA1, 0x022E7, 0x0153D, 0x01183, 0x00E39, 0x01488,
       0x014C0, 0x014D0, 0x014FA, 0x00DA4, 0x0099A, 0x0069E, 0x0071D, 0x00849,
       0x0077C, 0x0047D, 0x005EC, 0x00557, 0x004D4, 0x00405, 0x004EA, 0x00450,
       0x004DD, 0x003EE, 0x0047D, 0x00401, 0x004D9, 0x003B8, 0x00507, 0x003E5,
       0x006B1, 0x003F1, 0x004A3, 0x0036F, 0x0044B, 0x003A1, 0x00436, 0x003B7,
       0x00678, 0x003A2, 0x00481, 0x00406, 0x004EE, 0x00426, 0x004BE, 0x00424,
       0x00655, 0x003A2, 0x00452, 0x00390, 0x0040A, 0x0037C, 0x00486, 0x003DE,
       0x00497, 0x00352, 0x00461, 0x00387, 0x0043F, 0x00398, 0x00478, 0x00420,
       0x00D86, 0x008C0, 0x0112D, 0x02F68, 0x01E4E, 0x00541, 0x0051B, 0x00CCE,
       0x0079E, 0x00376, 0x003FF, 0x00458, 0x00435, 0x00412, 0x00425, 0x0042F,
       0x005CC, 0x003E9, 0x00448, 0x00393, 0x0041C, 0x003E3, 0x0042E, 0x0036C,
       0x00457, 0x00353, 0x00423, 0x00325, 0x00458, 0x0039B, 0x0044F, 0x00331,
       0x0076B, 0x00750, 0x003D0, 0x00349, 0x00467, 0x003BC, 0x00487, 0x003B6,
       0x01E6F, 0x003BA, 0x00509, 0x003A5, 0x00467, 0x00C87, 0x003FC, 0x0039F,
       0x0054B, 0x00300, 0x00410, 0x002E9, 0x003B8, 0x00325, 0x00431, 0x002E4,
       0x003F5, 0x00325, 0x003F0, 0x0031C, 0x003E4, 0x00421, 0x02CC1, 0x034C0
}; 


I actually never saw any encryption code in Q3 source, so maybe he is really referring to this table as "encryption key"... then the terminology of the article is wrong of course.

Edit:

Quite nice article: http://trac.bookofhook.com/bookofhoo...ake3Networking

Compression, Encryption, and Packets

He has done some half-hearted work on encryption, but basically app/stream-level encryption is pointless because of the sophistication of hackers. In the future he'll probably rely on higher level inspection (a la Punkbusters for Counter-Strike) instead of cute bit-twiddling.