Emulate Battle.net

Started by MADCATX, February 22, 2010, 06:18:36 AM


stormbreaker

I confirmed that these Ng values aren't in the packet itself. Also confirmed that the first and the second salt are unique for every account and the moduleData for the second module is constant. The other things are different each time.


There is a thing in the moduleData blob that isn't documented. The blob length field says it's 321 bytes long. But the first byte is always null (0x00). After it we can read the two 32-byte salts and the two 128-byte things (I still don't know which these are, but they differ every time, so one must be the server proof). When we do the math, 2 * 32 + 2 * 128 = 320, exactly the blob size minus the null byte at the beginning.
If we don't account for the null byte we get out of sync and get the wrong values.


I made a little packet comparer for debugging inside my emu code. Logger.LogDebug(message, packet1 as Byte(), packet2 as Byte())
You can run tests to compare my packets and those from the user that posted dumps.


Just write in the console window:
"runtest 1" - dissect packet I captured
"runtest 2" - dissect packet dump from other user


"runtest diff 1" - dissect and compare two packets from different users
"runtest diff 2" - same as above but with a different second packet


"runtest diff 22" - compare the two packets from two dumps with the same account


Almost forgot... http://www.multiupload.com/56OS9AJ6IQ
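As an added illustration of the moduleData layout stormbreaker describes above (example code written for this thread, not taken from the emulator or any poster): one leading null byte, then two 32-byte salts, then two 128-byte values, 321 bytes in total. The field names for the two 128-byte values and their order are assumptions; the sample blob is constructed, not a real capture.

```python
"""Parse the 321-byte moduleData blob described in the thread.

Layout (from the thread): 1 null byte + 32 + 32 + 128 + 128 = 321 bytes.
The names and order of the two 128-byte fields are assumptions.
"""
MODULE_DATA_LEN = 321
# (name, size) in wire order; "value1"/"value2" are assumed names.
LAYOUT = (("salt1", 32), ("salt2", 32), ("value1", 128), ("value2", 128))


def parse_module_data(blob: bytes, skip_leading_null: bool = True) -> dict:
    """Split the blob into fields; raise ValueError if the layout does not line up."""
    if len(blob) != MODULE_DATA_LEN:
        raise ValueError(f"expected {MODULE_DATA_LEN} bytes, got {len(blob)}")
    pos = 0
    if skip_leading_null:
        if blob[0] != 0x00:
            raise ValueError("leading byte is not null; layout assumption violated")
        pos = 1
    fields = {}
    for name, size in LAYOUT:
        fields[name] = blob[pos:pos + size]
        pos += size
    # Without the null-byte skip every field is shifted by one and one byte is left over.
    if pos != len(blob):
        raise ValueError(f"{len(blob) - pos} trailing byte(s) unaccounted for (out of sync)")
    return fields


def build_module_data(salt1: bytes, salt2: bytes, value1: bytes, value2: bytes) -> bytes:
    """Build a blob in the documented layout (used here only to construct a fixture)."""
    parts = (salt1, salt2, value1, value2)
    for (name, size), part in zip(LAYOUT, parts):
        if len(part) != size:
            raise ValueError(f"{name} must be {size} bytes, got {len(part)}")
    return b"\x00" + b"".join(parts)


# Constructed sample (not a real capture): a distinct fill byte per field.
SAMPLE = build_module_data(b"A" * 32, b"B" * 32, b"C" * 128, b"D" * 128)


def demo_misalignment() -> tuple[bool, str]:
    """Show the pitfall: parsing without skipping the null byte fails the alignment check."""
    try:
        parse_module_data(SAMPLE, skip_leading_null=False)
    except ValueError as err:
        return True, str(err)
    return False, ""


if __name__ == "__main__":
    print({k: v[:4] for k, v in parse_module_data(SAMPLE).items()})
    print(demo_misalignment())
```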

Freundschaft

I tried messing around a bit with IDA.

It seems like we need to have a look at the RequestPassword function, which provides a blob response for a blob request sent with the proof request.

In code this looks like:

sub_3896C9A0    proc near               ; DATA XREF: .rdata:3896D080o
.text:3896C9A0                 push    offset aRequestpasswor ; "RequestPassword"
.text:3896C9A5                 mov     ecx, offset unk_3896E428
.text:3896C9AA                 call    sub_38962A10
.text:3896C9AF                 push    offset nullsub_3
.text:3896C9B4                 call    sub_3896C190
.text:3896C9B9                 pop     ecx
.text:3896C9BA                 retn
.text:3896C9BA sub_3896C9A0    endp

Still have to figure out what this does.
I take two steps forward, two steps back. We come together 'cuz opposites attract.

Draugur

Quote from: Freundschaft on March 11, 2010, 07:54:33 PM
I tried messing around a bit with IDA.

It seems like we need to have a look at the RequestPassword function, which provides a blob response for a blob request sent with the proof request.

In code this looks like:

sub_3896C9A0    proc near               ; DATA XREF: .rdata:3896D080o
.text:3896C9A0                 push    offset aRequestpasswor ; "RequestPassword"
.text:3896C9A5                 mov     ecx, offset unk_3896E428
.text:3896C9AA                 call    sub_38962A10
.text:3896C9AF                 push    offset nullsub_3
.text:3896C9B4                 call    sub_3896C190
.text:3896C9B9                 pop     ecx
.text:3896C9BA                 retn
.text:3896C9BA sub_3896C9A0    endp

Still have to figure out what this does.

+1 ;)

stormbreaker

Maybe you can modify the function to send the raw password or just a SHA1 hash, for example. This way we can send the client a different, modified password.dll and make things much easier.


I will write a module in my server to handle delivering the auth file so you can test modifying it. :)

Gamewiz

Just a random thought... After looking at this site: http://www.code-gen.net/sc2beta/ it looks like they are getting really close. Do you think it would help to try and share some info with each other? Maybe you can help them speed up their progress. I dunno, just throwing it out there. Keep up the good work guys.

Draugur

Quote from: Gamewiz on March 12, 2010, 11:41:53 AM
Just a random thought... After looking at this site: http://www.code-gen.net/sc2beta/ it looks like they are getting really close. Do you think it would help to try and share some info with each other? Maybe you can help them speed up their progress. I dunno, just throwing it out there. Keep up the good work guys.

lol.... I just see a kid trying to get a BETA KEY.

Gamewiz

Quote from: Draugur on March 12, 2010, 12:02:44 PM
Quote from: Gamewiz on March 12, 2010, 11:41:53 AM
Just a random thought... After looking at this site: http://www.code-gen.net/sc2beta/ it looks like they are getting really close. Do you think it would help to try and share some info with each other? Maybe you can help them speed up their progress. I dunno, just throwing it out there. Keep up the good work guys.

lol.... I just see a kid trying to get a BETA KEY.


It's possible, but you could say the same about DarkBlizz, or Teknogod's Team Lazytown. They are asking for keys as well. Are they just kids wanting a key?

newbiz

This guy shows nothing, absolutely nothing.


I mean, I *could* understand that he does not want to release something, but he doesn't even give any technical information.


This really _is_ a fake.

stormbreaker

Hey. Please don't argue in this topic. As for:

Quote from: Gamewiz on March 12, 2010, 11:41:53 AM
Just a random thought... After looking at this site: http://www.code-gen.net/sc2beta/ it looks like they are getting really close. Do you think it would help to try and share some info with each other? Maybe you can help them speed up their progress. I dunno, just throwing it out there. Keep up the good work guys.
In order to do so, both sides must be willing to share. As you can see we have everything public here... even if it's not much progress and they probably had this figured out weeks ago.


Freundschaft, making any progress?

Gamewiz

Quote from: newbiz on March 12, 2010, 12:11:04 PM
This guy shows nothing, absolutely nothing.


I mean, I *could* understand that he does not want to release something, but he doesn't even give any technical information.


This really _is_ a fake.
Believe what you will.

Quote from: stormbreaker on March 12, 2010, 12:11:49 PM

Hey. Please don't argue in this topic. As for:

Quote from: Gamewiz on March 12, 2010, 11:41:53 AM
Just a random thought... After looking at this site: http://www.code-gen.net/sc2beta/ it looks like they are getting really close. Do you think it would help to try and share some info with each other? Maybe you can help them speed up their progress. I dunno, just throwing it out there. Keep up the good work guys.
In order to do so, both sides must be willing to share. As you can see we have everything public here... even if it's not much progress and they probably had this figured out weeks ago.


Freundschaft, making any progress?


Sorry, never intended to get off topic. Maybe try emailing them (they have a link for email) to see if you could join forces? I'll leave you to your work now. :)

Freundschaft

Quote
Freundschaft, making any progress?

Sorry, I'm having exams right now, will have more time after next Wednesday ;)
I take two steps forward, two steps back. We come together 'cuz opposites attract.

stormbreaker

Quote from: Freundschaft on March 12, 2010, 01:57:32 PM
Quote
Freundschaft, making any progress?

Sorry, I'm having exams right now, will have more time after next Wednesday ;)


Absolutely no problem :)

iZOTOPE

If SC2 has the same auth method as WoW... then here goes the WoW SRP6 auth.

stormbreaker

Quote from: iZOTOPE on March 12, 2010, 03:59:41 PM
If SC2 has the same auth method as WoW... then here goes the WoW SRP6 auth.


It doesn't. And that's the problem. :)

Freundschaft

Btw, AccountSalt & PasswordSalt are clear to me, they're some value unique to the account & password, but what are the ServerChallenge & SecondaryChallenge?
If I try to compute B with some dummy values for N and g, I only get a 32-byte-long B, but where are the missing 256 bytes for both challenges coming from?
I take two steps forward, two steps back. We come together 'cuz opposites attract.