There's been a TON of discussion about how Darky's key checker queries for key validity / in use. I think I've found some more valuable information that could be used to create more key checkers.
Recently, a security site (seclists) did a report on how GameSpy's key checking is vulnerable. In this report, they detail exactly how to query GameSpy for validity.
Full Disclosure: Gamespy cd-key validation system: "Cd-key in use" DoS versus many games
They also have just a specific explanation of how the SDK validWhen the server receives the string from the client it contacts the
master server (usually master.gamespy.com to port 29910) to see if the
client uses a valid CD-KEY.
The contact happens with an UDP packet containing the following data:
- \auth\
- \pid\
- the PID, it is an unique number for each game. For example it is 302
for Gore and 659 for Need for Speed Hot Pursuit 2
- \ch\
- SERVER_TOKEN
- \resp\
- the string sent by the client
- \ip\
- IP address of the client in decimal format, for example 127.0.0.1 is
16777343 (0x100007F)
- \skey\
- the ID, it is a number used to track the master server reply for a
specific authorization request
With these values the server is able to do the same operations made by
the client in the previous 2 sections and then will say if the cd-key
of the client is valid or not reporting also an error (Invalid cd-key,
cd-key in use, Invalid authentication, Your CD Key is disabled and
others).
And an example:
The following is the UDP packet that the server will send (XORing it
with the string "gamespy") to the master server to know if the CD-KEY
1111-2222-3333-4444 is valid, it is based on the values of the previous
example (3) and the pid is that of Gore:
\auth\\pid\302\ch\aBcDeFg\resp\9a1d71b925b56b097f6 803c61ba2e21712345678567289f3392a21a37da23b139449a 2ff\ip\16777343\skey\1
Perhaps this will be useful?
---------- Post added at 12:57 AM ---------- Previous post was at 12:54 AM ----------
So, the method is this:
Send UDP packet to 69.10.30.248
Contents: XOR of the string they describe above
I think the next steps are to try and reverse-XOR the request and have a look at the PID.
---------- Post added at 01:03 AM ---------- Previous post was at 12:57 AM ----------
Gamespy PID list, done:
PID Game ------------------------------------------------------------------ - Pastebin.com
Arma 2: 3045
---------- Post added at 01:40 AM ---------- Previous post was at 01:03 AM ----------
I can confirm that this works. I've written c# code to check the status of a CD key (banned, valid, in use, clean).
---------- Post added at 02:02 AM ---------- Previous post was at 01:40 AM ----------
Screw analyzing the hex, I'm now literally getting responses like \unok\\cd\keyhere\skey\42\errmsg\Invalid authentication