
I have a 15-year-old internet game, and when it is open you can put in your username and password to connect to the server of the game. On the website of the game you can always see which users are connected.

I want to have a button on my app or website to give users the possibility to connect to the server without starting the game first.

With the help of Wireshark I know the HTTP request:

POST http://registry.mygame.com/userverification_web.php HTTP/1.0
Accept: */*
Accept-Language: sv
Content-type: application/x-www-form-urlencoded
Accept-encoding: gzip, deflate
User-Agent: mygame
Host: registry.mygame.com
Proxy-Connection: close
Pragma: No-Cache

data=0AQ7aA0iQQQQQQZSKOds1ZX280kW2lCznNUD9wjIInF2pX114v8E0bdRZtVMzkkdCiQeSTysCJYUjVGMYTzdMlOe0x2uhE30<MmnhP5ZZYQQ

The following link would do exactly what I want:

http://registry.mygame.com/userverification_web.php?data=0AQ7aA0iQQQQQQZSKOds1ZX280kW2lCznNUD9wjIInF2pX114v8E0bdRZtVMzkkdCiQeSTysCJYUjVGMYTzdMlOe0x2uhE30

But I need to know how to build the link or request dynamically with just the username and password.

I have found out that the data parameter always changes, even when the username and password stay the same.

Here are 10 examples for un=user and pw=pass:

0AQ7aA0iQQQQQQZSKOds1ZX280kW2lCznNUD9wjIInF2pX114v8E0bdRZtVMzkkdCiQeSTysCJYUjVGMYTzdMlOe0x2uhE30<MmnhP5ZZYQQ

eA0QQAiAQQQQQQZSdt3B>u7K9HLkiqtNF5yfaJdi2wO>BeyE4kh>lGJY58wWDspycSu>HXckytHjk2CmNuiWgd0vH2>yJkkf3kApwCtikQQQ

eaV<eVilQQQQQQZSdV7m148ZQPHlPqol4H>CMbMAx>wi7LPv0z29zQh2QPpSuot0ivEPYtJmvkjJG9iMc3mNo3xz24<rx9v01PptOa<ILYQQ

SSo00l<iQQQQQQZSzwpUPC7moyJnbnBwhBwvFWSmdbIYDcTmD9aA2Nt46Ahz>SAdUpR2fsp5EuXyTZXSxKQUZ3DKHAJ1xU>Az9kEtBi7fjQQ

oCoCa<e>QQQQQQZSb7rDbY6m2WqZiq0>VdIUPQ37XlnPL1Hx27EKalQL2eh9qHEXjKZm4UCNdCMrXtcw>LVnw0jquYSXI53fMwsXnWJOgQQQ

V77l0Qa1QQQQQQZSM0GEa2KWpXmIlxnkmdThdy7XpTsbKiqKsRNGqzzUVS<Xkk1yk9xvIUHXogcZTalOtCS6N0MrIsrtDlPdy5fkD355xYQQ

VQQle7ZVQQQQQQZSW09bHYjoICZ>ma1G1AYQk34P5aozsb6Q7WAcu5wr2pwa6gWACx0x8hC6rmysq6S2AkYehy<w4JOsW<cJP8gruWROxYQQ

Zi7oeZeQQQQQQQZSan<g9HK74Ap4pAatxM6GPxIv3MYc4byvtBo6D5W7X7iCtVh377NabGBOPlAPrdUh5<dgKaxFKxBbr3Du4NwicGvvXTQQ

eQAiS7o>QQQQQQZSwqZCtiR1>G>FE0hdkye>ywjpe2D6Q>6dxZWrj5Szx0F4KikHdA3hGS8BZuakyD4Ya8OX7poOe1fDaqMmKqcoZiAZsjQQ

QlCZeZSSQQQQQQZSXOKdnNFTDy2Y9Ip5qHBiKJKuZjOReSn3xrC8AX1td41dWnDMM1RJSi6eK9NpHqWFq6PfTU7dgNM6Cj9iOWNg>BE<<TQQ

Here are 5 examples for un=username and pw=password:

a>ViQe>lQQQQQQZ1LgSTcziSVG4vzpOrs7aK90X8NVtDYvCjzZiDd<KsldGgCVRGABKEHf5YMYKb4jL6CMmbGZdxbZS<FTdmrhewdQkGP0ng9xFXBnt>

eiSlSi0SQQQQQQZ1AAoSDC2d8DERRoAaDmEup>ApqrSmBfVGNoZ8IZLBkkFk5VBt0dI5S<985fgvu<sY0uD1VcFno5bYIBWm<1wPOe2je>f9yq2AWH2E

ZoCSS<1CQQQQQQZ1xGPeYGqe7Vmz1puFNGMQdHmU7IRI9sNjOcSha0uW>XKrGfp5c2PcfquV>7x>WTWpRBVBa4A4eiB7GXchw53>UV9Ss6p2QE5paL4a

QiZVoi>AQQQQQQZ1BGDGltDMqisnMzMYnUjysh5iXoNo<5<7AU5rkoVgUPrCVqigjkAK6wbLpo4hVNsO<ORk96LYYZhswqz1vRwSFfsC7DP3JTdyjqBw

aQa1eli1QQQQQQZ15EclRMTZooyBgFp1VHiX8NsoKZjdH6jEVWZ63mCbC2Rd8o2fcscp1WiFhtK9HZvjJHYdpX2xu2adYMgQseHa83a3ycnOo7WiikaB

Here are 10 examples for un=username12345678 and pw=password12345678 (the maximum length for both):

Ql>ZaClQQQQQQQe12js2OuA7Xxt04qIIF<tVTqxYmfkBYv7Yl3UAykQiGeMB4Yl9XQUnisQ<DmDlIKK9JDbsjet2K>LbqJrH3jvb3lmt24fxLs5S6oZQRqh13P28xwAGXUvENIBLlQQQ

0aAZo07iQQQQQQe1C>asdqcRlEBTsMfp9<1ntl90myrvvHTlVRZt9HpbHUDp5mBHBjYUjcKORGL38N0GmEtaxH7CxglgH78m72Qd7b3NuwMMJwIlm3zV>FiAIOvT4vHDLRP4W<<MQYQQ

eZAAaQloQQQQQQe19HAT284ZfwNL6piwZ1Vjn>6QL0Rx81Xw1X>barJLavfjmU3PMO1Z<VwheSTmiCbyZ2IQjSt0n6hxKoawYsC2BUCiJUVDPBbD40yN0hknqBiDV2DmcBuIHAU1RQQQ

S>A>ei>>QQQQQQe1WQT2gv511HIyf79uihupoGcDC0rWgV332Q9lTc>Icu5fXrIT5MKBAKgIEJjLRaT1i7JsSUsF<H>tf<pL7d5pX1WLxLV0R7D<aXps1IxCQ<NSE40idMN>IwqaMjQQ

o1V<07<0QQQQQQe18Ie6goKPVT9AUWInpsmCeEnErAOwLxSJOe3FKhkbXwzR3zMTVTMk7sXGBPZsyb7YfgSq19XgwmMFW8HN>8PSsOSPFYA5YqUiPNYGygt5rtg09JWEkb<VGyI>XYQQ

aSAl0<Q0QQQQQQe1I>DpHYNFIkn58DiGpd9C7SQDk<I3u>q24PTG05XUZm3JM>GKbX2qBw9dEjFU17HSiM3WGkqqn6MnF3ondonZ85eubUPp5qof3DKX35RvIABudO6oFM5uA4pYUQQQ

eSola>a0QQQQQQe1kVT<jAANyYlT0G8i6nNg>bRAyERU0BMjZqn9MlPQUcNfN0GKQzHrsikxPSZUWJfMD7okYAu85UVK0CjEc9FU4Fo2bxt07hYu<jqX6Gpf4R5jpRO6ukU6ziDIOQQQ

ZZ<<QCV7QQQQQQe1lYukgPlKXDS9Se1KvoNd3JK9RRZ05pVPobowZupMwXEdGeSH6rEYLORfAbJujIHnjsItw4geLH5Hm7bgpyFmx0MTbqKKF87Rr5IdezDRkcXRYpAF9ZEIBG4cpTQQ

oiQlZZZaQQQQQQe12EmQbyfnlYxJ8<36>cNo4>C1Lp2qJB2gSiCieytdXBZaBId0MA3WbANmh<VLZqIqy0AOhf1QZnEuk7cYAh0Rrs45unuB12BBz4inJgpZ4grtTsV<1CS91eKi3YQQ

QCo<a<eQQQQQQQe11hkx90MGMJtvzUx2JiyOQUyHwPnN03QxZ7FULKnOkPAvb>38psB1RWc8uadYSWkbNraTw5XUxcD0RpT3f7vbu4nfPfoIt7no>XyHpaRwjUvdv<LmvhdT2xbFpTQQ

Anyone know what's going on here? Do I have to care about "gzip" and "deflate", or is this not of interest for solving the "code"? What I think I know is that obviously the username and password are encoded and the server has to know how to decode them. Due to the fact that the "code" for the same credentials never seems to be the same, I think there must be a key in the "code", too.

Any idea what the developers have used for an algorithm? Maybe the key is what comes before the "QQQQQQ".

I have opened the game.exe file with an editor. The game seems to be compiled with Visual Studio 6.0 and is written in C++. Most things are not readable, but the HTTP request definition is. But that is the same as what I could see with Wireshark. And I can't see what the parameter is the result of. All I can read is "data=%s".


1 Answer


Anyone know what's going on here?

The login data is likely being hashed/encrypted. The only way to decipher it is to look at the original source code for the website, or else reverse engineer the algorithm from the game's compiled machine code.

Do I have to care about "gzip" and "deflate" or is this not from interest to solve the "code"?

No, you do not have to care about that. All that is doing is telling the server that the HTTP response is allowed to be compressed using the gzip or deflate algorithm. That is not relevant to the issue at hand.

What I think I know is that obviously the username and password are encoded and the server has to know how to decode them. Due to the fact that the "code" for the same credentials never seems to be the same, I think there must be a key in the "code", too.

Most likely, yes. On the other hand, the "key" may also be hashed/encrypted with a private secret that only the game and server know.

Any idea what the developers have used for an algorithm?

There is no way to know just by looking at the encoded data.

Maybe the key is what comes before the "QQQQQQ".

Possibly. That is likely a delimiter to separate the key and the payload. But that still does not tell you what the key actually is or how to use it.

I have opened the game.exe file with an editor. The game seems to be compiled with Visual Studio 6.0 and is written in C++. Most things are not readable

You have to use a disassembler, like IDA.

but the HTTP request definition is. But that is the same as what I could see with Wireshark. And I can't see what the parameter is the result of. All I can read is "data=%s".

Using IDA or another debugger/disassembler tool chain, you can find out what memory pointer is being passed to the %s parameter, and work backwards to find out how that memory is being allocated and formatted. But now you are getting into low-level hacking.

Thank you very much for your answers! I got IDA to work and can see the assembler code and also the pseudo code for the function which seems to be responsible for the HTTP request. But I am not able to "work backwards" and can't see what happens with the credentials. – revle87 Jun 12 '14 at 12:10
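Before reaching for a disassembler, it is worth checking what the captured samples alone do and do not show. The script below is an added example, not code from the question, the answer or the game; it takes a subset of the `data=` values posted in the question (copied verbatim, grouped by the credentials the asker says produced them) and reports their structure. The split into an 8-character prefix, the "QQQQQQ" run the asker noticed, a 2-character tag and a payload is my reading of the samples and is an assumption, as is the choice to locate the marker at a fixed offset rather than by searching for it (three of the posted samples have a prefix ending in Q, so a naive search for the first "QQQQQQ" would mis-split them).

```python
"""Structural check of the data= samples posted in the question.

Assumed layout (my reading of the samples, not documented anywhere):
  [8-char prefix][QQQQQQ][2-char tag][payload]
"""
import string

# Samples copied verbatim from the question, keyed by the credentials
# the asker reports having used for each group.
SAMPLES = {
    "user/pass": [
        "0AQ7aA0iQQQQQQZSKOds1ZX280kW2lCznNUD9wjIInF2pX114v8E0bdRZtVMzkkdCiQeSTysCJYUjVGMYTzdMlOe0x2uhE30<MmnhP5ZZYQQ",
        "eA0QQAiAQQQQQQZSdt3B>u7K9HLkiqtNF5yfaJdi2wO>BeyE4kh>lGJY58wWDspycSu>HXckytHjk2CmNuiWgd0vH2>yJkkf3kApwCtikQQQ",
        "Zi7oeZeQQQQQQQZSan<g9HK74Ap4pAatxM6GPxIv3MYc4byvtBo6D5W7X7iCtVh377NabGBOPlAPrdUh5<dgKaxFKxBbr3Du4NwicGvvXTQQ",
    ],
    "username/password": [
        "a>ViQe>lQQQQQQZ1LgSTcziSVG4vzpOrs7aK90X8NVtDYvCjzZiDd<KsldGgCVRGABKEHf5YMYKb4jL6CMmbGZdxbZS<FTdmrhewdQkGP0ng9xFXBnt>",
        "eiSlSi0SQQQQQQZ1AAoSDC2d8DERRoAaDmEup>ApqrSmBfVGNoZ8IZLBkkFk5VBt0dI5S<985fgvu<sY0uD1VcFno5bYIBWm<1wPOe2je>f9yq2AWH2E",
    ],
    "username12345678/password12345678": [
        "Ql>ZaClQQQQQQQe12js2OuA7Xxt04qIIF<tVTqxYmfkBYv7Yl3UAykQiGeMB4Yl9XQUnisQ<DmDlIKK9JDbsjet2K>LbqJrH3jvb3lmt24fxLs5S6oZQRqh13P28xwAGXUvENIBLlQQQ",
        "QCo<a<eQQQQQQQe11hkx90MGMJtvzUx2JiyOQUyHwPnN03QxZ7FULKnOkPAvb>38psB1RWc8uadYSWkbNraTw5XUxcD0RpT3f7vbu4nfPfoIt7no>XyHpaRwjUvdv<LmvhdT2xbFpTQQ",
    ],
}

PREFIX_LEN = 8          # assumed: the variable part before the marker
MARKER = "QQQQQQ"       # the run the asker pointed out
TAG_LEN = 2             # assumed: two characters that are constant per credential pair

# 64 symbols: A-Z, a-z, 0-9 plus '<' and '>' (observed; a base64-like alphabet)
OBSERVED_ALPHABET = set(string.ascii_letters + string.digits + "<>")


def split_sample(token):
    """Split one token into (prefix, tag, payload).

    The marker is checked at a fixed offset on purpose: prefixes such as
    'Zi7oeZeQ' end in Q, so searching for the first 'QQQQQQ' would return
    offset 7 and shift every following field by one character.
    """
    marker_end = PREFIX_LEN + len(MARKER)
    if token[PREFIX_LEN:marker_end] != MARKER:
        raise ValueError(f"marker not at offset {PREFIX_LEN}: {token[:marker_end]!r}")
    rest = token[marker_end:]
    return token[:PREFIX_LEN], rest[:TAG_LEN], rest[TAG_LEN:]


def analyse(samples):
    """Per credential group: are prefixes unique, which tags occur, payload sizes."""
    report = {}
    for label, tokens in samples.items():
        parts = [split_sample(t) for t in tokens]
        report[label] = {
            "prefix_all_distinct": len({p for p, _, _ in parts}) == len(tokens),
            "tags": {t for _, t, _ in parts},
            "payload_lengths": {len(pl) for _, _, pl in parts},
            "total_lengths": {len(t) for t in tokens},
        }
    return report


def alphabet_is_base64_like(samples):
    """True if every character across all samples is in the 64-symbol set above."""
    seen = set("".join(t for group in samples.values() for t in group))
    return seen <= OBSERVED_ALPHABET


if __name__ == "__main__":
    for label, info in analyse(SAMPLES).items():
        print(label)
        for key, value in info.items():
            print(f"  {key}: {value}")
    print("alphabet within A-Za-z0-9<>:", alphabet_is_base64_like(SAMPLES))
```

Run as-is, the report shows only what the samples themselves show: every prefix is different even for identical credentials, the two characters after the marker are constant within a credential group (ZS, Z1, e1) and differ between groups, and the payload length grows with the credential length (92, 100 and 124 characters for the three groups). Whether the prefix is a nonce or a salt, and whether the payload is encrypted or merely obfuscated, cannot be decided from the captured values; that is the point the answer makes about needing the source or the binary. From a defender's side, the same observations are what make a scheme like this worth replacing: the request travels over plain HTTP, and anything whose length tracks the credential length is leaking information about the password before any analysis of the algorithm.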