Messages - Freundschaft

#16
Starcraft II Beta / Re: Emulate Battle.net
March 13, 2010, 08:47:15 AM
btw, AccountSalt & PasswordSalt are clear to me, they're some value unique to the account & password, but what are the ServerChallenge & SecondaryChallenge?
If I try to compute B with some dummy values for N and g, I only get a 32-byte-long B, but where are the missing 256 bytes for both challenges coming from?
#17
Starcraft II Beta / Re: Emulate Battle.net
March 12, 2010, 01:57:32 PM
Quote: Freundschaft, making any progress?

Sorry, I'm having exams right now, will have more time after next Wednesday ;)
#18
Starcraft II Beta / Re: Emulate Battle.net
March 11, 2010, 07:54:33 PM
I tried messing around a bit with IDA.

It seems like we need to have a look at the RequestPassword function, which provides a blob response for a blob request sent with the proof request.

In code this looks like:

.text:3896C9A0 sub_3896C9A0    proc near               ; DATA XREF: .rdata:3896D080o
.text:3896C9A0                 push    offset aRequestpasswor ; "RequestPassword"
.text:3896C9A5                 mov     ecx, offset unk_3896E428
.text:3896C9AA                 call    sub_38962A10
.text:3896C9AF                 push    offset nullsub_3
.text:3896C9B4                 call    sub_3896C190
.text:3896C9B9                 pop     ecx
.text:3896C9BA                 retn
.text:3896C9BA sub_3896C9A0    endp

Still have to figure out what this does.
#19
Starcraft II Beta / Re: Emulate Battle.net
March 11, 2010, 05:18:52 AM
btw, I don't know if we need it, but here's the sc2.exe that starts without the launcher
(version 14259)
http://www.multiupload.com/5JJ9IZHRV8
Just copy it to StarCraft II Beta\Versions\Base14259 and run.


EDIT:
I'm reading http://www.woodmann.com/crackz/Tutorials/IdaTut.zip now, don't know if this will give me some benefit on the matter.
#20
Starcraft II Beta / Re: Emulate Battle.net
March 10, 2010, 06:45:22 PM
Quote: Does one of you have experience with memory hacking?

Absolutely not, sorry; if I had more time I'd surely try to learn it, but unfortunately exam time strikes in a week, so no chance for this. :(
#21
Starcraft II Beta / Re: Emulate Battle.net
March 10, 2010, 02:06:07 PM
Okay, so as far as I can see, we need the N and g values?
I'm not sure whether I completely understand this. With default SRP-6, the values of N and g are sent to the client. If this were the case, the client would not be able to distinguish our server from the original one, because we could directly sniff N and g off the network.
But with SC2, the N and g values are not sent directly, but instead are stored in the auth file. That's why we have to determine the correct N and g values from this auth file?
And regarding this, additional packet traces with passwords probably won't help us either, because as far as I see it, there is no possibility to calculate N and g based on the network trace, even if the password is known.
Am I correct?
#22
Starcraft II Beta / Re: Emulate Battle.net
March 10, 2010, 08:19:20 AM
The http://github.com/kow/Starcraft-2-Battle.Net-Wrapper
contains a C++ library which accesses password.dll and exposes some functions for key retrieval; if this works, this would basically be it.
http://github.com/kow/Starcraft-2-Battle.Net-Wrapper/blob/master/AuthInterface/AuthInterface/Main.cpp
I'll check out whether they work later on.

Plus there is the wiki page http://darkblizz.org/wiki/doku.php?id=password.dll; I don't really understand what it means, though.
#23
Starcraft II Beta / Re: Emulate Battle.net
March 09, 2010, 08:54:03 PM
Ah cool, thanks :D
As the logon mechanism is pretty similar, I think we should at least be able to get a successful login to work somehow; I'll have a look at some old WoW dev stuff that I might find.
I think if we can handle that salt / hashes thingy, we should get past the problem.

Regarding http://sc2c.pastebin.com/E30JdTCE, I do understand that the first module is the auth file; what is the second one?
btw, is that the output of the auth client that has been written? Is there an output of the thing with a successful logon somewhere?

EDIT:
Think this might help?
http://forum.gamedeception.net/threads/14426-wow-SRP6-challenge-lookup?14426-=Array

further reading
http://www.mmowned.com/forums/wow-memory-editing/231740-understanding-wow-communication-protocol.html
http://trevp.net/tls_srp/draft-ietf-tls-srp-10.html#intro
http://arcemu.info/trac/arcemu/browser/trunk/src/arcemu-shared/Auth/WowCrypt.cpp?rev=2078

Anyone had luck disassembling password.dll, which is basically the auth file?
#24
Starcraft II Beta / Re: Emulate Battle.net
March 09, 2010, 08:10:50 AM
Link for the MS packet tracer:
http://www.microsoft.com/downloads/details.aspx?FamilyID=983b941d-06cb-4658-b7f6-3088333d062f&displaylang=en

Anyone here who managed to perform a correct logon?
I am having problems with the AUTH_COMPLETE blob response to the PROOF_REQUEST of the client.
It has to be hashed with the challenge sent by the client somehow, but I wasn't able to get it from the WoW source. Anyone got good documentation on the topic?

btw, if you want to mess around with some packets, I've uploaded my server source:
http://www.multiupload.com/DGCYEATMAM
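The SRP-6a arithmetic that the questions in #16, #21 and #24 circle around (what N and g are needed for, why B comes out exactly as long as N, and how the proof sent after the challenge is tied to A, B and the session key), written out as an added example with both sides in one file. This is not code from the thread or from any of the projects linked above, and it says nothing about what Battle.net actually sends: it is plain SRP-6a as described in RFC 2945 / RFC 5054 with SHA-1 and the RFC 5054 1024-bit group. The username, password and salt handling are my own constructed sample input, and the group constant is assumed to be transcribed correctly (check it against the RFC before relying on it).

```python
# Added example: generic SRP-6a (RFC 2945 / RFC 5054), client and server side.
# Not the Battle.net protocol; group, hash and proof layout are the RFCs' ones.
import hashlib
import secrets

# 1024-bit group from RFC 5054 Appendix A (assumption: transcribed correctly).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
N_LEN = (N.bit_length() + 7) // 8   # every value mod N goes on the wire padded to this


def sha1(*parts: bytes) -> bytes:
    return hashlib.sha1(b"".join(parts)).digest()


def pad(x: int) -> bytes:
    """Big-endian encoding of x, left-padded to the byte length of N (RFC 5054 PAD())."""
    return x.to_bytes(N_LEN, "big")


def to_int(b: bytes) -> int:
    return int.from_bytes(b, "big")


K_MULT = to_int(sha1(pad(N), pad(g)))   # k = H(N | PAD(g)), the SRP-6a multiplier


def private_key_x(salt: bytes, username: str, password: str) -> int:
    """x = H(s | H(I ':' P)); only the client ever computes this."""
    return to_int(sha1(salt, sha1(f"{username}:{password}".encode())))


def enroll(username: str, password: str, salt: bytes = None):
    """Registration: the server stores (salt, v = g^x mod N) and never sees P."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, pow(g, private_key_x(salt, username, password), N)


def client_hello(a: int = None):
    """Client -> server: A = g^a mod N, the client's ephemeral public value."""
    a = a if a is not None else 1 + secrets.randbelow(N - 2)
    return a, pow(g, a, N)


def server_hello(v: int, b: int = None):
    """Server -> client: B = k*v + g^b mod N. Needs N, g and the stored v."""
    b = b if b is not None else 1 + secrets.randbelow(N - 2)
    return b, (K_MULT * v + pow(g, b, N)) % N


def client_proof(username: str, salt: bytes, A: int, B: int, K: bytes) -> bytes:
    """M1 = H( H(N) xor H(g) | H(I) | s | A | B | K ) per RFC 2945."""
    hn, hg = sha1(pad(N)), sha1(pad(g))
    return sha1(bytes(x ^ y for x, y in zip(hn, hg)), sha1(username.encode()),
                salt, pad(A), pad(B), K)


def client_finish(username, password, salt, a, A, B):
    """Client derives K and sends M1; aborts on a degenerate B (RFC 5054 2.5.3)."""
    if B % N == 0:
        raise ValueError("B mod N == 0: server value rejected")
    u = to_int(sha1(pad(A), pad(B)))
    x = private_key_x(salt, username, password)
    S = pow((B - K_MULT * pow(g, x, N)) % N, a + u * x, N)
    K = sha1(pad(S))
    return K, client_proof(username, salt, A, B, K)


def server_finish(username, salt, v, b, A, B, M1):
    """Server checks M1 against its own K; on success returns (K, M2 = H(A | M1 | K))."""
    if A % N == 0:
        raise ValueError("A mod N == 0: client value rejected")
    u = to_int(sha1(pad(A), pad(B)))
    S = pow((A * pow(v, u, N)) % N, b, N)
    K = sha1(pad(S))
    if not secrets.compare_digest(client_proof(username, salt, A, B, K), M1):
        return None, None           # wrong password, or N/g/v differ between the sides
    return K, sha1(pad(A), M1, K)


def run_exchange(username: str, password: str, attempt: str) -> dict:
    """Full round trip; 'attempt' is what the client types at login time."""
    salt, v = enroll(username, password)
    a, A = client_hello()
    b, B = server_hello(v)
    K_c, M1 = client_finish(username, attempt, salt, a, A, B)
    K_s, M2 = server_finish(username, salt, v, b, A, B, M1)
    return {"A_len": len(pad(A)), "B_len": len(pad(B)),
            "ok": K_s is not None and secrets.compare_digest(K_s, K_c),
            "M2": M2}


if __name__ == "__main__":
    print(run_exchange("alice", "correct horse", "correct horse"))
    print(run_exchange("alice", "correct horse", "wrong guess")["ok"])
```

Two things worth noticing when running it. B is reduced mod N and padded to N_LEN, so its length is dictated purely by the modulus: a 256-bit dummy N gives a 32-byte B, and a 256-byte B can only come from a 2048-bit modulus. And server_hello cannot be computed by a party that does not share the client's N and g, so a server using different group parameters fails at the M1 check even with the right verifier; an observer of the wire sees only s, A, B, M1 and M2, none of which is the password. M1 is the client's proof bound to A, B and K, and M2 is the server's reply bound to A and M1, which is the shape of the challenge/proof step #24 asks about in generic SRP, not necessarily the Battle.net one.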
#25
Starcraft II Beta / Re: Emulate Battle.net
March 08, 2010, 07:42:49 PM
I use the Microsoft network analyzer, which performs traces on a process/application basis, so basically I get all of the traffic caused by the StarCraft application.
#26
Starcraft II Beta / Re: Emulate Battle.net
March 08, 2010, 09:06:46 AM
I did some traces, joined a custom game and played a game with 4 players.
The only IP I was able to trace during the game was the IP of a server located somewhere at Telia (presumably a Battle.net server).
What could also be possible, though, is that one player is hosting the game and that all players connect to the hosting player, but I'd have to figure this out.
#27
Starcraft II Beta / Re: Emulate Battle.net
March 08, 2010, 07:27:58 AM
You should also mask your IP, as Blizzard might be able to trace your account just by correlating your IP with the login time.

btw, as far as I figured, the games are not P2P at all, but are completely hosted on Blizzard servers (even custom games).
#28
Starcraft II Beta / Re: Emulate Battle.net
March 06, 2010, 08:29:12 PM
I think the login details are only sent as a hash or something similar, so the original credentials, like the password, won't be extractable from a network trace.

btw, use Microsoft Network Monitor (http://www.microsoft.com/downloads/details.aspx?FamilyID=983b941d-06cb-4658-b7f6-3088333d062f&displaylang=en) for the tracing, as it is capable of filtering network traces on a per-process basis, so you can basically just retrieve the network traffic generated by SCII.exe.