DarkBlizz

Game On => STARCRAFT II: WINGS OF LIBERTY => General Discussion => Topic started by: Espionage724 on July 15, 2010, 10:53:06 AM

Title: Blizzard is allowing the full client to be downloaded before release!
Post by: Espionage724 on July 15, 2010, 10:53:06 AM
enUS
http://beta-us.battle.net/en/info/digital-purchase

eu
http://beta-eu.battle.net/en/info/digital-purchase


Also here is a preview of the new SC2 profile site

enUS
http://beta-us.battle.net/sc2/en/ (http://beta-us.battle.net/sc2/en/)

eu
http://beta-eu.battle.net/sc2/en/ (http://beta-us.battle.net/sc2/en/)
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Switcha on July 15, 2010, 04:52:45 PM
Looks sweet, really like the design.

hopefully somebody will find a way around their check routines
before the 27th.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: CraniX on July 15, 2010, 08:55:03 PM
Quote from: espionage724 on July 15, 2010, 10:53:06 AM
enUS
http://beta-us.battle.net/en/info/digital-purchase (http://beta-us.battle.net/en/info/digital-purchase)

eu
http://beta-eu.battle.net/en/info/digital-purchase (http://beta-eu.battle.net/en/info/digital-purchase)


Also here is a preview of the new SC2 profile site

enUS
http://beta-us.battle.net/sc2/en/ (http://beta-us.battle.net/sc2/en/)

eu
http://beta-eu.battle.net/sc2/en/ (http://beta-us.battle.net/sc2/en/)


Quote
On 07/27/2010 10:00 AM PDT, when sales of digital copies begin in North America and Latin America, start the installer program.

Not now on 07/27/2010  :bangshead: :bangshead: :bangshead: :bangshead: :bangshead: :bangshead: :bangshead: :bangshead: :bangshead: :bangshead: :bangshead: :bangshead: :bangshead: :bangshead:

Kids read before posting :P
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: ooni on July 15, 2010, 09:47:40 PM
Quote from: CraniX on July 15, 2010, 08:55:03 PM

Not now on 07/27/2010  :bangshead: :bangshead: :bangshead: :bangshead: :bangshead: :bangshead: :bangshead: :bangshead: :bangshead: :bangshead: :bangshead: :bangshead: :bangshead: :bangshead:

Kids read before posting :P

(http://j.imagehost.org/0181/retailcrkV7.jpg)

Obviously there is no way around July 27th thingo. NO WAY~
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Vernam7 on July 16, 2010, 02:21:26 AM
 :D :D


that's my picture lol


I cracked the installation last night.... and as I said I will NOT release ANY retail crack, at least not before 27-7.
Don't PM me asking for crks plz.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: tomsons26 on July 16, 2010, 05:33:27 AM
Super easy to crack the time, and no, not by changing Windows time but another way
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Switcha on July 16, 2010, 05:53:12 AM
Quote from: Vernam7 on July 16, 2010, 02:21:26 AM
:D :D


that's my picture lol


I cracked the installation last night.... and as I said I will NOT release ANY retail crack, at least not before 27-7.
Don't PM me asking for crks plz.

then what's the point in posting it here ?
Found that Blue is using this one : http://eu.battle.net/static/mediakey/sc2-authenticationcode-enGB.txt (http://eu.battle.net/static/mediakey/sc2-authenticationcode-enGB.txt)
just a date so far but.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Vernam7 on July 16, 2010, 06:08:54 AM
@Switcha the point, my friend, is to inform you that it is doable. Like it or not, I will not release any crack for the retail before release.


@tomsons26 I don't know what you did and if you did it, but it wasn't that super easy imho. It took me 1+ hour to figure out the VeriSign security
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: SIL3NT-DE4TH on July 16, 2010, 07:18:49 AM
If you did it already, I'm sure a scene group is working on it.

I'm going to give it a whirl at cracking it now. I'll let u know on my successfulness.
Did u have any other problems when u went to play it?
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Vernam7 on July 16, 2010, 07:34:51 AM
Quote from: SIL3NT-DE4TH on July 16, 2010, 07:18:49 AM
If you did it already, I'm sure a scene group is working on it.

I'm going to give it a whirl at cracking it now. I'll let u know on my successfulness.
Did u have any other problems when u went to play it?


I don't think the following are considered to be problems...


1) If I don't have a valid CD registered in my b.net account I can't log in to an online profile
2) so I can only play as guest with the sc2.exe cracked to avoid "validation" problems.


The method to crack the validation is working great and I use it already in my launcher for beta patches. The "bytes" that need to be cracked seem to be universal and it works well; still, one slight mistake and the game has no sounds, no controls, or even crashes.


To give you a hint, look at what is unpacking in your TEMP files during the installation... a second installer!


Anyway, I think we can continue this in PM. My current way works only for EnGB and needs to replace around 25MB, so I can't actually say I have made a crack for the installer, just playing around.


If you have a lighter way when you succeed, you can PM me and I can make a patcher.
I will make a patcher for the installer after 27-7 myself as well if no other groups do.
But I think there will be no need after 27-7 for the installer patch, because it will simply install,
and the other part that needs cracking, I already have that pattern figured out and it works great....


So we will see if a group or other will release anything sooner.
But let's not talk details in here ;-)


GL!



Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: SIL3NT-DE4TH on July 16, 2010, 07:49:50 AM
Thanks for the info.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Kernel64 on July 16, 2010, 08:41:08 AM
Vernam, I swear not to spoil anything.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: RedArchon on July 16, 2010, 08:44:50 AM
Vernam7: Well, I don't want a "cr4ck", but can you make a screenshot of the installed files? I wanted first to take the video files from that 7GB MPQE file (and watch it! :D), but MPQE has other "coding or is just too much compressed" and can't be opened by MPQ programs.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: SIL3NT-DE4TH on July 16, 2010, 08:48:39 AM
Quote from: Kernel64 on July 16, 2010, 08:41:08 AM
Vernam, I swear not to spoil anything.

As would I. "Nods and stares at his 2nd monitor! As his own attempt to crack it continues." As would I.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Kernel64 on July 16, 2010, 08:59:27 AM
nvm.

Vernam, if you see it fit, so be it. I wish I had your skills though.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: SIL3NT-DE4TH on July 16, 2010, 09:55:34 AM
All I know is this is fun. Me and my friend are working on it together; he knows a lot more than me and taught me a lot. Not giving up till I get it or a scene release is out.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Vernam7 on July 16, 2010, 11:42:01 AM
decryption can be bypassed.


I will have to stop on that. Maybe it was wrong of me to inform people I managed to install it; I was just so excited, I didn't know I would cause so much panic. I thought others would have figured it out already!


this is the 2only time I use my skills to crack something like a game, usually I do the opposite in rl programming job.

And as SilentDeath said, I did this because it was so fun and interesting!
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Switcha on July 16, 2010, 01:09:46 PM
This is the type of game that i will buy anyways. Hopefully i will
have the patience to wait until the 27th.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: SIL3NT-DE4TH on July 16, 2010, 03:22:58 PM
Quote from: Switcha on July 16, 2010, 01:09:46 PM
This is the type of game that i will buy anyways. Hopefully i will
have the patience to wait until the 27th.

Yes. I love Starcraft. I have the collectors ed Paid in full already at my local gamestop!
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Kernel64 on July 16, 2010, 08:52:55 PM
Quote from: Vernam7 on July 16, 2010, 11:42:01 AM


I will have to stop on that. Maybe it was wrong of me to inform people I managed to install it; I was just so excited, I didn't know I would cause so much panic. I thought others would have figured it out already!


this is the 2only time I use my skills to crack something like a game, usually I do the opposite in rl programming job.

And as SilentDeath said, I did this because it was so fun and interesting!

No. You were right to have protected yourself. I would have done the same. And to say it can be done would stir some waters into overflowing. ;)

I say, you did what you have to, and have done what you think is best. I can't wait till the 27th, and see for myself the awesome which is your crack and bypass-es. :)

Cheers!

/whisper, or maybe you could slip this thing through some torrent or something?
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: darkrei9n on July 16, 2010, 10:18:17 PM
I personally have managed to bypass the date check but the installer won't open the MPQE file.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: tomsons26 on July 17, 2010, 12:39:39 AM
I thought changing win date is too easy so if you change BIOS date it should work
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: bm-test on July 17, 2010, 12:41:12 AM
Yeah, I've edited the second installer in temp, but it keeps showing error 108 on opening installer ui 2.mpqe. Also I edited etc/hosts to redirect eu.battle.net and something like dist.blizzard.edgesuite.com to localhost. Next, I've run apache and supplied the installer with sc2-authenticationcode-enGB.txt with different date than MSG:07/27/2010 but no luck. Any hints?

Edit: Vernam or others: what should sc2-authenticationcode-enGB.txt contain?
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: darkrei9n on July 17, 2010, 01:15:49 AM
After looking through temps there is actually a second installer. Try to get the second installer to keep running, THAT is why error 108 keeps happening. The installer we see does nothing but act as GUI, the second installer does the networking and installing.

@bm-test, What IP are you using?
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Amberdilis on July 17, 2010, 02:01:37 AM
So... this includes the single player?! :O
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Switcha on July 17, 2010, 02:23:24 AM
This is the full game yes. most likely there will be a patch which needs downloading
when you start up the game but yes, its the final release.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: bm-test on July 17, 2010, 03:36:41 AM
@darkreign
in my C:\windows\system32\drivers\etc\hosts file:

127.0.0.1 80.239.186.40
127.0.0.1 dist.blizzard.com.edgesuite.net
127.0.0.1 eu.battle.net

and I run apache and created folders static -> mediakey -> sc2-authenticationcode-enGB.txt

I don't know what should be in that file, definitely something other than MSG:07/27/2010
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Switcha on July 17, 2010, 04:02:26 AM
what about MSG:07/17/2010 ?
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: bm-test on July 17, 2010, 04:05:36 AM
Entering anything with MSG:OK, MSG:01/07/2010 etc. only changes what will pop up when you click on install. So I suppose there must be some key code for install/auth/decrypt? And I think it will not start with MSG:
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Gurluas on July 17, 2010, 05:46:17 AM
We should work more on this, would be interesting to see what it can lead to...
Besides, a small preview of the game can't hurt anyone (:
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Cybertox on July 17, 2010, 05:50:32 AM
Hope a crack will come out soon for both Windows and Mac.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Blackcode on July 17, 2010, 07:28:33 AM
Guys, it is much more complicated than u think to bypass that.

First of all, "Vernam7 (http://darkblizz.org/Forum2/profile/?u=1797)", you're a troll and u know that. You didn't bypass anything and you are still a script kiddie, not a real programmer. All u did is small changes inside the unencrypted MPQ file (not a real install); anyway, nice try.

The "bm-test" method to bypass the server check is correct, only that u have to add the key to the file in this format: 22222-222222-22222-22222-222222-22222 (it only supports alphanumerics without 1, i, o, 0, so as not to create confusion)

The problem lies with the two "mpqe" files, which stands for Mo'PaQ Encrypted file. It is a new type of format and the key to decrypt that is the actual game key. I'm still playing at disassembling "Installer.exe"; the solution (if there is one) lies there.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Vernam7 on July 17, 2010, 08:01:04 AM
Quote from: Blackcode on July 17, 2010, 07:28:33 AM
Guys, it is much more complicated than u think to bypass that.

First of all, "Vernam7 (http://darkblizz.org/Forum2/profile/?u=1797)", you're a troll and u know that. You didn't bypass anything and you are still a script kiddie, not a real programmer. All u did is small changes inside the unencrypted MPQ file (not a real install); anyway, nice try.

The "bm-test" method to bypass the server check is correct, only that u have to add the key to the file in this format: 22222-222222-22222-22222-222222-22222 (it only supports alphanumerics without 1, i, o, 0, so as not to create confusion)

The problem lies with the two "mpqe" files, which stands for Mo'PaQ Encrypted file. It is a new type of format and the key to decrypt that is the actual game key. I'm still playing at disassembling "Installer.exe"; the solution (if there is one) lies there.


I replied to people like you in nibbits, no need to say more,  :whistle:
and if you think I am a script kid, let me just inform you: when I was scripting, indeed you were NOT even a sperm yet! Not to mention not even born.  :anono:



gl with your life. :whistle:
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: darkrei9n on July 17, 2010, 08:15:58 AM
If it helps, don't bother looking at the first installer. There's a second installer that gets loaded that does the actual installing and everything. However after taking the second installer into a hex editor I can see 4 possible states for the installer to enter. Start and close, start and wait, start and attach, and something else.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Blackcode on July 17, 2010, 08:17:26 AM
Quote from: Vernam7 on July 17, 2010, 08:01:04 AM
Quote from: Blackcode on July 17, 2010, 07:28:33 AM
Guys, it is much more complicated than u think to bypass that.

First of all, "Vernam7 (http://darkblizz.org/Forum2/profile/?u=1797)", you're a troll and u know that. You didn't bypass anything and you are still a script kiddie, not a real programmer. All u did is small changes inside the unencrypted MPQ file (not a real install); anyway, nice try.

The "bm-test" method to bypass the server check is correct, only that u have to add the key to the file in this format: 22222-222222-22222-22222-222222-22222 (it only supports alphanumerics without 1, i, o, 0, so as not to create confusion)

The problem lies with the two "mpqe" files, which stands for Mo'PaQ Encrypted file. It is a new type of format and the key to decrypt that is the actual game key. I'm still playing at disassembling "Installer.exe"; the solution (if there is one) lies there.


I replied to people like you in nibbits, no need to say more,  :whistle:
and if you think I am a script kid, let me just inform you: when I was scripting, indeed you were NOT even a sperm yet! Not to mention not even born.  :anono:



gl with your life. :whistle:

No Comment....
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: bm-test on July 17, 2010, 08:20:24 AM
Vernam7, don't listen to the ones that offend you! I'm still trying to do it by myself. Can you give an example of an auth key? Or tell me which tools you used to 'backdoor' the installer and cause it to accept any key?

Greets.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Vernam7 on July 17, 2010, 08:21:27 AM
@Darkrei9n
@Silent-Death


Guys, we can PM, and if you (no one else) need any help when stuck after installation, let me know; I may be able to help you with the validation errors.


good job and gl. :thumbsup:


@bm-test
The format of the authen key was given at nibbits in my latest (and final) comments on that subject.
Gl to you too and tnx.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Cybertox on July 17, 2010, 09:23:30 AM
If Vernam really cracked the game he posted the crack. But he is not going to give his crack to other guys, that means that there is no crack. Maybe the picture was even done with PhotoShop. Or leaked from a guy who really cracked the game.

Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: bm-test on July 17, 2010, 09:27:44 AM
Well, I believe him. His hints of a second installer and VeriSign validation have gotten me as far as validating the auth key. I just can't get the installer to accept any key. I'm no coder (except for php/html and some Borland Pascal in high school)
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: darkrei9n on July 17, 2010, 09:36:43 AM
I can't get to the installer part, I can't get to the authorization part. Must. Keep. Trying.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: darka on July 17, 2010, 09:39:51 AM
@vernam7

Could be good, you release new Blizzard A.I core to start conversion.
I'm ok with you, take care with Blizzard policies.

Thx
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: bm-test on July 17, 2010, 09:52:09 AM
What I've figured out:
- Using Wireshark I've figured that the Installer is trying to get the file /static/mediakey/sc2-authenticationcode-enGB.txt from eu.battle.net or dist.blizzard.com.edgesuite.net. In it you have something like MSG:27/07/2010
- I edited the windows/system32/drivers/etc/hosts file to reflect:
127.0.0.1 dist.blizzard.com.edgesuite.net
127.0.0.1 eu.battle.net
- I run Apache and created, in its server root, the corresponding directories static -> mediakey
- I created the text file sc2-authenticationcode-enGB.txt and put in it: KEY:A9CAEFD3A5DD49B5C3DBEB7DBC2565A
- The key syntax is like 22222-222222-22222-22222-222222-22222 etc.
- I've found the second installer in Documents and settings/user/Local settings/Temp/ Blizzard Installer Temporary Data - xxxxxxx
- Messing with the installer xml files got me to the install screen, but it keeps popping up the 108 error.
The same error occurs when you don't edit any file and just put random code in the TXT file I've mentioned above.
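
Seen from the defender's side, the hosts-file redirection described in this thread leaves a simple artifact on the machine. The audit below is an added example, not code from any poster or from Blizzard; the watched host names and the `127.0.0.1 80.239.186.40` line are taken from the thread, while the rest of the sample hosts content, the finding labels and the function names are constructed for illustration.

```python
import ipaddress

# Host names the thread says the installer contacts for its auth file.
WATCHED = (
    "eu.battle.net",
    "us.battle.net",
    "tw.battle.net",
    "dist.blizzard.com.edgesuite.net",
)

# Constructed sample: entries as posted in the thread plus benign/edge lines.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1 80.239.186.40
127.0.0.1 dist.blizzard.com.edgesuite.net
127.0.0.1 eu.battle.net   # local web server
#127.0.0.1 us.battle.net
192.168.1.20  TW.Battle.Net.
"""


def _as_ip(token):
    """Return an ip_address object if token is an IP literal, else None."""
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def parse_hosts(text):
    """Yield (lineno, address, names) for every active hosts entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) >= 2:
            # Host names are case-insensitive; a trailing dot is the same name.
            yield lineno, fields[0], [n.lower().rstrip(".") for n in fields[1:]]


def audit_hosts(text, watched=WATCHED):
    """Return (lineno, finding, name) tuples for suspicious entries."""
    findings = []
    for lineno, addr, names in parse_hosts(text):
        ip = _as_ip(addr)
        for name in names:
            if _as_ip(name) is not None:
                # A hosts file maps names to addresses. An IP in the name
                # column redirects nothing, but it shows someone tried to.
                findings.append((lineno, "ip-used-as-name", name))
            elif any(name == w or name.endswith("." + w) for w in watched):
                local = ip is not None and (ip.is_loopback or ip.is_unspecified)
                kind = "redirected-to-local" if local else "overridden"
                findings.append((lineno, kind, name))
    return findings


if __name__ == "__main__":
    for lineno, kind, name in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {kind}: {name}")
```

Any finding means a response fetched from those names over plain HTTP can come from a machine the user controls, so the client has to authenticate the content itself rather than trust where it came from.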
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: darkrei9n on July 17, 2010, 09:57:53 AM
If you have the north american version add 127.0.0.1 us.battle.net to your hosts file.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Milenium on July 17, 2010, 11:01:49 AM
Quote from: bm-test on July 17, 2010, 09:52:09 AM
What I've figured out:
- Using Wireshark I've figured that the Installer is trying to get the file /static/mediakey/sc2-authenticationcode-enGB.txt from eu.battle.net or dist.blizzard.com.edgesuite.net. In it you have something like MSG:27/07/2010
- I edited the windows/system32/drivers/etc/hosts file to reflect:
127.0.0.1 dist.blizzard.com.edgesuite.net
127.0.0.1 eu.battle.net
- I run Apache and created, in its server root, the corresponding directories static -> mediakey
- I created the text file sc2-authenticationcode-enGB.txt and put in it: KEY:A9CAEFD3A5DD49B5C3DBEB7DBC2565A
- The key syntax is like 22222-222222-22222-22222-222222-22222 etc.
- I've found the second installer in Documents and settings/user/Local settings/Temp/ Blizzard Installer Temporary Data - xxxxxxx
- Messing with the installer xml files got me to the install screen, but it keeps popping up the 108 error.
The same error occurs when you don't edit any file and just put random code in the TXT file I've mentioned above.



yo bro maybe this helps



Modify hosts
127.0.0.1    tw.battle.net
to point to your local machine.
Create
static\mediakey\sc2-authenticationcode-zhTW.txt on your local HTTP server
with the content KKKKK-KKKKKK-KKKKK-KKKKK-KKKKKK-KKKKK

0044CE0F  |.  83BC24   880000>cmp     dword ptr [esp+88], 3

0044D041  |.  E8   BAC0FFFF   call    00449100
0044D046  |.  84C0          test    al, al
0044D048  |.  0F84   24020000 je      0044D272

0044CDDD  |.  E8   AE30FEFF   call    0042FE90  ; enters the key

0044B2E1     /7F 25         jg      short   0044B308

nop
nop

0044B2C6   .  837C24 2C 10  cmp     dword ptr   [esp+2C], 10
Finally, here are a few breakpoints as a bonus. Have fun, everyone; no patch will be released.

Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Milenium on July 17, 2010, 11:03:54 AM
I am sorry, that didn't come out right; here is a screenshot
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: darkrei9n on July 17, 2010, 12:08:44 PM
Perhaps this is the check against the key to test if its real?

esp+0ECh+var_64

Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: tomsons26 on July 17, 2010, 12:16:58 PM
 :ticked:
Problem this is in an xml
ReplacementInstallerURL            http://us.version.blizzard.com/installer/%s/%d.%s.%s.txt (http://us.version.blizzard.com/installer/%s/%d.%s.%s.txt)

AND
NewInstaller1                                 Downloading
NewInstaller2                                 New Installer...
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: HolyPants on July 17, 2010, 12:19:46 PM
Quote from: Cybertox on July 17, 2010, 09:23:30 AM
If Vernam really cracked the game he posted the crack. But he is not going to give his crack to other guys, that means that there is no crack. Maybe the picture was even done with PhotoShop. Or leaked from a guy who really cracked the game.

Quote from: darkrei9n on July 17, 2010, 09:36:43 AM
I can't get to the installer part, I can't get to the authorization part. Must. Keep. Trying.

1.  Open Installer UI 1.MPQ with your favorite MPQ editor.

2.  Locate NotReleased.xml, found within InstallCD\Global\Unpack

3.  Replace the text with
<?xml version="1.0" encoding="utf-8"?>

  <overlay page="InstallerInfo.xml" />

</page>


4.  Save and close it all.

5.  There you go, you're where everyone has proven to have made it.  By the way, installers and pretty much everything else in the Installer UI 1.MPQ appear in your temp folders, just like every other freaking Blizzard installer.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: HolyPants on July 17, 2010, 12:21:56 PM
Quote from: tomsons26 on July 17, 2010, 12:16:58 PM
:ticked:
Problem this is in an xml
ReplacementInstallerURL            http://us.version.blizzard.com/installer/%s/%d.%s.%s.txt (http://us.version.blizzard.com/installer/%s/%d.%s.%s.txt)

AND
NewInstaller1                                 Downloading
NewInstaller2                                 New Installer...

You can access this as well, if you replace the text in NotReleased.xml with
<?xml version="1.0" encoding="utf-8"?>

    <overlay page="InstallerReplaced.xml" />

</page>


There is no new installer download right now.

A lot of this stuff was already in the original beta installer by the way.

Have any of you considered the possibility that the installer simply doesn't know how to read the .MPQE files, and that there will be a small update for the installer on release day that allows it to be read?  The most feasible thing is probably to figure out how to open the .MPQEs themselves, which would allow you to simply install because you would have the installer file list and accessible data files.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: darkrei9n on July 17, 2010, 12:22:51 PM
%s I think refers to enUS or enGB and %d I believe refers to sc2-authenticationcode
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: bm-test on July 17, 2010, 12:28:36 PM
Well, I suppose that you need to hack the Installer to allow any key. I'll try to mess with the exe tomorrow using a decompiler/debugger. Wish me luck :)
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: tomsons26 on July 17, 2010, 12:31:52 PM
Quote from: darkrei9n on July 17, 2010, 12:22:51 PM
%s I think refers to enUS or enGB and %d I believe refers to sc2-authenticationcode
:anono: http://us.version. refers to localization and there should be a version number too
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Doomer3001 on July 17, 2010, 12:59:13 PM
Can't someone change the code, so that it doesn't wait for 07-27, but an earlier date?

Just trying to help...
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: HolyPants on July 17, 2010, 01:05:49 PM
Quote from: tomsons26 on July 17, 2010, 12:16:58 PM
:ticked:
Problem this is in an xml
ReplacementInstallerURL            http://us.version.blizzard.com/installer/%s/%d.%s.%s.txt (http://us.version.blizzard.com/installer/%s/%d.%s.%s.txt)

AND
NewInstaller1                                 Downloading
NewInstaller2                                 New Installer...

Here's Cataclysm's

http://us.installers.blizzard.com/installer/%s/%d.%s.txt (http://us.installers.blizzard.com/installer/%s/%d.%s.txt)
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: KapoueCalis on July 17, 2010, 01:17:16 PM
Quote from: Doomer3001 on July 17, 2010, 12:59:13 PM
Can't someone change the code, so that it doesn't wait for 07-27, but an earlier date?

Just trying to help...

The code isn't waiting for a date, it's waiting for an authentication code that will be at http://eu.battle.net/static/mediakey/sc2-authenticationcode-enGB.txt (http://eu.battle.net/static/mediakey/sc2-authenticationcode-enGB.txt)
If it doesn't get the authentication code, it displays the MSG found at the address.

The Code is used to decrypt the files we downloaded.  So unless we find how to unencrypt them, we will be waiting until they release the authentication code.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Milenium on July 17, 2010, 01:23:47 PM
yea , i don't think that somebody could decrypt the files without the keys from blizzard , at least not until game launches
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Doomer3001 on July 17, 2010, 01:31:06 PM
Well, I already preordered it, but I just want to play it as soon as possible :)
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: 2g4u on July 17, 2010, 01:33:46 PM
Quote from: Milenium on July 17, 2010, 01:23:47 PM
yea , i don't think that somebody could decrypt the files without the keys from blizzard , at least not until game launches

You don't seem to get it. The Auth key will be required just to allow the game install and therefore will be public. The game key (that you will receive within your game's box) has nothing to do with it.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Blackcode on July 17, 2010, 01:35:47 PM
Quote from: Doomer3001 on July 17, 2010, 01:31:06 PM
Well, I already preordered it, but I just want to play it as soon as possible :)

Most of us will buy this game... but nothing is better than a homemade SC2 cracked version :D
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Milenium on July 17, 2010, 01:46:50 PM
Quote from: 2g4u on July 17, 2010, 01:33:46 PM
Quote from: Milenium on July 17, 2010, 01:23:47 PM
yea , i don't think that somebody could decrypt the files without the keys from blizzard , at least not until game launches

You don't seem to get it. The Auth key will be required just to allow the game install and therefore will be public. The game key (that you will receive within your game's box) has nothing to do with it.

I know the difference between the auth key that will install the game and the CD key that will activate the game. I meant that to decrypt the mpq files you need the auth key that will be delivered by Blizzard on the 27th, and the installer will make use of it automatically or it will be put in manually by the user
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: tomsons26 on July 17, 2010, 02:05:46 PM
Don't know if this helps: it's using the crypt32.dll Windows component
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: darkrei9n on July 17, 2010, 02:24:33 PM
After using IDA Pro to look through the second installer I've noticed completely random strings of 64 bits, might have something to do with the key or encryption.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: 2g4u on July 17, 2010, 02:27:42 PM
Btw all of those are fakes, aren't they ?

(http://i32.tinypic.com/25tkz5u.jpg)
(http://i32.tinypic.com/xkoqra.jpg)

And this video: Starcraft 2 digital download cracked? (http://www.youtube.com/watch?v=UP2txX3P1U8#ws) are all fake :(
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: tomsons26 on July 17, 2010, 02:33:49 PM
the 2nd pic isn't
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: tomsons26 on July 17, 2010, 02:49:18 PM
The main thing is to make an app that can decrypt MPQE files or wait until 27  (10 days :( )
i have an idea about the in game crk if there's such needed
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Milenium on July 17, 2010, 02:50:27 PM
the video is fake , that is the beta installer and 7 gb of archived software doesn't install in 2 minutes

the pics are from the ui 1 mpq
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Switcha on July 17, 2010, 03:47:37 PM
Check out 00:18, lol. 7 GB doesn't install that fast, it's the beta installer.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: darkrei9n on July 17, 2010, 03:54:37 PM
I can also confirm it's the beta installer. The beta installer is teal where the retail installer is blue.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: darkrei9n on July 17, 2010, 05:51:40 PM
.rdata:006569E0 ; char aCryptacquireco[]
.rdata:006569E0 aCryptacquireco db 'CryptAcquireContextA',0 ; DATA XREF: sub_547590+7o
.rdata:006569F5                 align 4
.rdata:006569F8 ; char aCryptcreatehas[]
.rdata:006569F8 aCryptcreatehas db 'CryptCreateHash',0  ; DATA XREF: sub_547590:loc_5475A9o
.rdata:00656A08 ; char aCryptdestroyha[]
.rdata:00656A08 aCryptdestroyha db 'CryptDestroyHash',0 ; DATA XREF: sub_547590+28o
.rdata:00656A19                 align 4
.rdata:00656A1C ; char aCryptdestroyke[]
.rdata:00656A1C aCryptdestroyke db 'CryptDestroyKey',0  ; DATA XREF: sub_547590+37o
.rdata:00656A2C ; char aCrypthashdata[]
.rdata:00656A2C aCrypthashdata  db 'CryptHashData',0    ; DATA XREF: sub_547590+46o
.rdata:00656A3A                 align 4
.rdata:00656A3C ; char aCryptimportkey[]
.rdata:00656A3C aCryptimportkey db 'CryptImportKey',0   ; DATA XREF: sub_547590+55o
.rdata:00656A4B                 align 4
.rdata:00656A4C ; char aCryptreleaseco[]
.rdata:00656A4C aCryptreleaseco db 'CryptReleaseContext',0 ; DATA XREF: sub_547590+64o
.rdata:00656A60 ; char aCryptsignhasha[]
.rdata:00656A60 aCryptsignhasha db 'CryptSignHashA',0   ; DATA XREF: sub_547590+73o
.rdata:00656A6F                 align 10h
.rdata:00656A70 ; char aCryptverifysig[]


Looks to me like the key to decrypt is clientside.
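Added example, not part of any post in this thread: a small Python parser for IDA string-listing lines in the format shown in the post above, which groups the CryptoAPI names by the kind of operation they perform and by the function that references them. The category table and function names are this example's own; the sample lines are copied from the listing above.

```python
import re
from collections import defaultdict

# Sample input: complete string/xref pairs copied from the listing above,
# one line per string (the "; char ...[]" and "align" lines are omitted).
LISTING = r"""
.rdata:006569E0 aCryptacquireco db 'CryptAcquireContextA',0 ; DATA XREF: sub_547590+7o
.rdata:006569F8 aCryptcreatehas db 'CryptCreateHash',0  ; DATA XREF: sub_547590:loc_5475A9o
.rdata:00656A08 aCryptdestroyha db 'CryptDestroyHash',0 ; DATA XREF: sub_547590+28o
.rdata:00656A1C aCryptdestroyke db 'CryptDestroyKey',0  ; DATA XREF: sub_547590+37o
.rdata:00656A2C aCrypthashdata  db 'CryptHashData',0    ; DATA XREF: sub_547590+46o
.rdata:00656A3C aCryptimportkey db 'CryptImportKey',0   ; DATA XREF: sub_547590+55o
.rdata:00656A4C aCryptreleaseco db 'CryptReleaseContext',0 ; DATA XREF: sub_547590+64o
.rdata:00656A60 aCryptsignhasha db 'CryptSignHashA',0   ; DATA XREF: sub_547590+73o
"""

# Category table written for this example (not taken from the thread).
# Keys are Windows CryptoAPI base names without the A/W suffix.
CATEGORIES = {
    "CryptAcquireContext": "context",
    "CryptReleaseContext": "context",
    "CryptCreateHash": "hash",
    "CryptHashData": "hash",
    "CryptGetHashParam": "hash",
    "CryptDestroyHash": "hash",
    "CryptImportKey": "key handling",
    "CryptExportKey": "key handling",
    "CryptGenKey": "key handling",
    "CryptDeriveKey": "key handling",
    "CryptDestroyKey": "key handling",
    "CryptSignHash": "signature",
    "CryptVerifySignature": "signature",
    "CryptEncrypt": "cipher",
    "CryptDecrypt": "cipher",
}

# segment:address  label  db 'string',0 ; DATA XREF: function[+offset|:label]
LINE_RE = re.compile(
    r"^\.(?P<seg>\w+):(?P<addr>[0-9A-Fa-f]{8})\s+(?P<label>\w+)\s+db\s+"
    r"'(?P<name>[^']+)',0\s*;\s*DATA XREF:\s*(?P<func>\w+)",
    re.MULTILINE,
)


def parse_listing(text):
    """Return one record per string line that carries a data cross-reference."""
    return [
        {
            "addr": int(m["addr"], 16),
            "label": m["label"],
            "name": m["name"],
            "xref_func": m["func"],
        }
        for m in LINE_RE.finditer(text)
    ]


def classify(name):
    """Map an API name to its category, tolerating the ANSI/Unicode suffix."""
    if name in CATEGORIES:
        return CATEGORIES[name]
    if name[-1:] in ("A", "W") and name[:-1] in CATEGORIES:
        return CATEGORIES[name[:-1]]
    return "unknown"


def summarize(entries):
    """Group API names by category, sorted for stable output."""
    by_cat = defaultdict(list)
    for entry in entries:
        by_cat[classify(entry["name"])].append(entry["name"])
    return {cat: sorted(names) for cat, names in by_cat.items()}


def referencing_functions(entries):
    """Distinct functions that reference the parsed strings."""
    return sorted({entry["xref_func"] for entry in entries})


if __name__ == "__main__":
    parsed = parse_listing(LISTING)
    for category, names in sorted(summarize(parsed).items()):
        print(f"{category:13s} {', '.join(names)}")
    print("referenced from:", ", ".join(referencing_functions(parsed)))
```

For the lines in the post, every name is referenced from `sub_547590`, and the names fall under context, hash, key handling and signature; none of the listed names is in the cipher category.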
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: HolyPants on July 17, 2010, 06:46:59 PM
Quote from: 2g4u on July 17, 2010, 02:27:42 PM
Btw all of those are fakes, aren't they?

(http://i32.tinypic.com/25tkz5u.jpg)
(http://i32.tinypic.com/xkoqra.jpg)

And this video: Starcraft 2 digital download cracked? (http://www.youtube.com/watch?v=UP2txX3P1U8#ws) are all fake :(

If by fake you mean simply edited .xml files and possibly other simple changes to the installer that don't actually get anywhere, yes.

And the video isn't even the same installer.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: darkrei9n on July 17, 2010, 07:44:24 PM
I give up on this.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: knightwolf20024 on July 17, 2010, 08:06:21 PM
Another reason why I can't see this being hacked until the 27th: apparently it needs to download another installer to open the MPQE files. This is only an XML edit.

(http://img822.imageshack.us/img822/2111/capturemqb.th.png) (http://img822.imageshack.us/i/capturemqb.png/)
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Glorm on July 17, 2010, 08:59:25 PM
Ahh, been trying for almost 3 full days now to get this to work, Just had to try after I saw it was possible. Been stuck on the temp installer. Just can't figure out what I should be looking for in there.

But well, maybe that's my limit, never done anything like this before, was interesting to see how far I would get.
Going to watch this topic and see if I can get any further. I think my main problem is I don't know how to operate the hex editor, it is not that simple to learn and I'm not sure if this is possible without it.

Bit random message but just had to leave a mark, hoping for some assistance if there is any chance that I would make it. :S

Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: HolyPants on July 17, 2010, 09:17:14 PM
Quote from: Glorm on July 17, 2010, 08:59:25 PM
Ahh, been trying for almost 3 full days now to get this to work, Just had to try after I saw it was possible. Been stuck on the temp installer. Just can't figure out what I should be looking for in there.

But well, maybe that's my limit, never done anything like this before, was interesting to see how far I would get.
Going to watch this topic and see if I can get any further. I think my main problem is I don't know how to operate the hex editor, it is not that simple to learn and I'm not sure if this is possible without it.

Bit random message but just had to leave a mark, hoping for some assistance if there is any chance that I would make it. :S

Well first of all people are trying to get around the authentication when that is not really the issue.  The installer can't even open the .MPQE files.  The focus should be on figuring out how to open those, which would allow people to make a regular .MPQ file with the same data and successfully install, and you would at least be able to see the unavailable assets and other data.

Nobody has actually installed the client, and nobody has even tried to Photoshop something up "proving" that they had.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: bm-test on July 18, 2010, 01:07:47 AM
Auth key is needed only for install, anyone figured out how to make the installer accept any code? I'm afraid it needs hex editing, I've been trying with decompiler/debugger with no luck (I'm not a programmer)
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Doomer3001 on July 18, 2010, 01:26:53 AM
I found a forum about mpqe files and a way of opening them;
http://www.mmowned.com/forums/world-of-warcraft/emulator-servers/84020-dbc-files-mpqe-vista.html
I think this is worth checking out

EDIT; Sorry, it's about the MPQEditor...
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Blackcode on July 18, 2010, 01:40:46 AM
Quote from: Doomer3001 on July 18, 2010, 01:26:53 AM
I found a forum about mpqe files and a way of opening them;
http://www.mmowned.com/forums/world-of-warcraft/emulator-servers/84020-dbc-files-mpqe-vista.html
I think this is worth checking out

EDIT; Sorry, it's about the MPQEditor...

Dude the mpqE there is the MPQEditor file... not the mpqe file.... sc2 is the first game from blizz using this type of file.... I assume E is from encrypted
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Doomer3001 on July 18, 2010, 01:44:29 AM
Maybe I found that out myself, and that's why I edited it... ;)
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Blackcode on July 18, 2010, 02:11:03 AM
very interesting reading
http://translate.google.com/translate?hl=en&sl=zh-CN&u=http://3dmgame.chnren.com/bbs/showtopic.aspx%3Ftopicid%3D1364288%26page%3Dend&ei=MqJCTOX0M4WF4Qa437yjDg&sa=X&oi=translate&ct=result&resnum=7&ved=0CD4Q7gEwBg&prev=/search%3Fq%3Dmpqe%26hl%3Den%26sa%3DX%26tbo%3D1%26tbs%3Dqdr:d

one of the latest posts.....
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: tomsons26 on July 18, 2010, 03:41:17 AM
Quote from: HolyPants on July 17, 2010, 09:17:14 PM


Well first of all people are trying to get around the authentication when that is not really the issue.  The installer can't even open the .MPQE files.  The focus should be on figuring out how to open those, which would allow people to make a regular .MPQ file with the same data and successfully install, and you would at least be able to see the unavailable assets and other data.


That's what I'm trying to say, and to bypass the auth: run installer, click install, go to temp folder, make a copy of InstallerInfo.xml, delete NotReleased.xml and rename the InstallerInfo.xml to NotReleased.xml.
So if MPQE are decrypted then clicking install will install the game and won't show errors because the UI 2.MPQE and Installer Tome 1.MPQE are readable now.

And about the new installer: it downloads a new UI 1.MPQ. Why am I saying this? Because the Installer UI 1.MPQ contains the ReadMe.htm, but it says "This will be the StarCraft 2 ReadMe".
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Blackcode on July 18, 2010, 04:36:20 AM
GUYS stop searching where u do not have... take a fucking debugger and start there... the whole key is starting at 0044CD52

this is the part of code where we are interested in....

0044CD52  |. 68 8A046000    PUSH Installe.0060048A                   ;  SE handler installation
0044CD57  |. 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0044CD5D  |. 50             PUSH EAX
0044CD5E  |. 64:8925 000000>MOV DWORD PTR FS:[0],ESP
0044CD65  |. 81EC D0000000  SUB ESP,0D0
0044CD6B  |. 53             PUSH EBX
0044CD6C  |. 55             PUSH EBP
0044CD6D  |. 56             PUSH ESI
0044CD6E  |. 57             PUSH EDI
0044CD6F  |. 68 98496100    PUSH Installe.00614998                   ; /Arg2 = 00614998 ASCII "{Win32_InstallerData}"
0044CD74  |. 8D8424 C800000>LEA EAX,DWORD PTR SS:[ESP+C8]            ; |
0044CD7B  |. 8BF1           MOV ESI,ECX                              ; |
0044CD7D  |. 50             PUSH EAX                                 ; |Arg1
0044CD7E  |. B9 98216B00    MOV ECX,Installe.006B2198                ; |
0044CD83  |. E8 58B30000    CALL Installe.004580E0                   ; \Installe.004580E0
0044CD88  |. 8B8424 C800000>MOV EAX,DWORD PTR SS:[ESP+C8]
0044CD8F  |. 33DB           XOR EBX,EBX
0044CD91  |. BD 10000000    MOV EBP,10
0044CD96  |. 39AC24 DC00000>CMP DWORD PTR SS:[ESP+DC],EBP
0044CD9D  |. 899C24 E800000>MOV DWORD PTR SS:[ESP+E8],EBX
0044CDA4  |. 73 07          JNB SHORT Installe.0044CDAD
0044CDA6  |. 8D8424 C800000>LEA EAX,DWORD PTR SS:[ESP+C8]
0044CDAD  |> 68 90496100    PUSH Installe.00614990                   ;  ASCII "MPQE"
0044CDB2  |. 50             PUSH EAX
0044CDB3  |. E8 B8D60F00    CALL Installe.0054A470
0044CDB8  |. 83C4 04        ADD ESP,4
0044CDBB  |. 50             PUSH EAX
0044CDBC  |. E8 4FD20F00    CALL Installe.0054A010
0044CDC1  |. 83C4 08        ADD ESP,8
0044CDC4  |. 85C0           TEST EAX,EAX
0044CDC6  |. 75 27          JNZ SHORT Installe.0044CDEF
0044CDC8  |. 391D 34266B00  CMP DWORD PTR DS:[6B2634],EBX
0044CDCE  |. 75 1F          JNZ SHORT Installe.0044CDEF
0044CDD0  |. 68 20B24400    PUSH Installe.0044B220
0044CDD5  |. 68 802E4700    PUSH Installe.00472E80
0044CDDA  |. 53             PUSH EBX
0044CDDB  |. 6A 20          PUSH 20
0044CDDD  |. E8 AE30FEFF    CALL Installe.0042FE90
0044CDE2  |. 83C4 10        ADD ESP,10
0044CDE5  |. BF 0F000000    MOV EDI,0F
0044CDEA  |. E9 48020000    JMP Installe.0044D037
0044CDEF  |> 6A 01          PUSH 1
0044CDF1  |. 68 F4516100    PUSH Installe.006151F4                   ;  ASCII "hasValidDecryptionKey"
0044CDF6  |. B9 70206B00    MOV ECX,Installe.006B2070
0044CDFB  |. E8 20CFFFFF    CALL Installe.00449D20
0044CE00  |. 8D8C24 8800000>LEA ECX,DWORD PTR SS:[ESP+88]
0044CE07  |. 51             PUSH ECX
0044CE08  |. 8BCE           MOV ECX,ESI
0044CE0A  |. E8 31DCFFFF    CALL Installe.0044AA40
0044CE0F  |. 83BC24 8800000>CMP DWORD PTR SS:[ESP+88],3
0044CE17  |. C68424 E800000>MOV BYTE PTR SS:[ESP+E8],1
0044CE1F  |. 0F8C ED010000  JL Installe.0044D012
0044CE25  |. 6A 02          PUSH 2                                   ; /Arg1 = 00000002
0044CE27  |. 8D4C24 14      LEA ECX,DWORD PTR SS:[ESP+14]            ; |
0044CE2B  |. E8 707CFEFF    CALL Installe.00434AA0                   ; \Installe.00434AA0
0044CE30  |. 68 EC536100    PUSH Installe.006153EC                   ;  ASCII "<EULA>"
0044CE35  |. 68 D4536100    PUSH Installe.006153D4                   ;  ASCII "{CouldntCreateFolder%s}"
0044CE3A  |. 8D7424 74      LEA ESI,DWORD PTR SS:[ESP+74]
0044CE3E  |. C68424 F000000>MOV BYTE PTR SS:[ESP+F0],2
0044CE46  |. E8 F54CFFFF    CALL Installe.00441B40
0044CE4B  |. 50             PUSH EAX
0044CE4C  |. 8D5424 3C      LEA EDX,DWORD PTR SS:[ESP+3C]
0044CE50  |. 52             PUSH EDX
0044CE51  |. C68424 F800000>MOV BYTE PTR SS:[ESP+F8],3
0044CE59  |. E8 7265FEFF    CALL Installe.004333D0
0044CE5E  |. 83C4 10        ADD ESP,10
0044CE61  |. 8BF0           MOV ESI,EAX
0044CE63  |. 8B4424 14      MOV EAX,DWORD PTR SS:[ESP+14]
0044CE67  |. 3BC3           CMP EAX,EBX
0044CE69  |. C68424 E800000>MOV BYTE PTR SS:[ESP+E8],4
0044CE71  |. 74 0B          JE SHORT Installe.0044CE7E
0044CE73  |. 8B4C24 18      MOV ECX,DWORD PTR SS:[ESP+18]
0044CE77  |. 2BC8           SUB ECX,EAX
0044CE79  |. C1F9 05        SAR ECX,5
0044CE7C  |. 75 09          JNZ SHORT Installe.0044CE87
0044CE7E  |> E8 88A60B00    CALL Installe.0050750B
0044CE83  |. 8B4424 14      MOV EAX,DWORD PTR SS:[ESP+14]
0044CE87  |> 8B16           MOV EDX,DWORD PTR DS:[ESI]
0044CE89  |. 6A FF          PUSH -1
0044CE8B  |. 53             PUSH EBX
0044CE8C  |. 83C6 04        ADD ESI,4
0044CE8F  |. 56             PUSH ESI
0044CE90  |. 8D48 04        LEA ECX,DWORD PTR DS:[EAX+4]
0044CE93  |. 8910           MOV DWORD PTR DS:[EAX],EDX
0044CE95  |. E8 C646FBFF    CALL Installe.00401560
0044CE9A  |. 396C24 4C      CMP DWORD PTR SS:[ESP+4C],EBP
0044CE9E  |. 72 0D          JB SHORT Installe.0044CEAD
0044CEA0  |. 8B4424 38      MOV EAX,DWORD PTR SS:[ESP+38]
0044CEA4  |. 50             PUSH EAX
0044CEA5  |. E8 36A7FEFF    CALL Installe.004375E0
0044CEAA  |. 83C4 04        ADD ESP,4
0044CEAD  |> 39AC24 8400000>CMP DWORD PTR SS:[ESP+84],EBP
0044CEB4  |. C74424 4C 0F00>MOV DWORD PTR SS:[ESP+4C],0F
0044CEBC  |. 895C24 48      MOV DWORD PTR SS:[ESP+48],EBX
0044CEC0  |. 885C24 38      MOV BYTE PTR SS:[ESP+38],BL
0044CEC4  |. C68424 E800000>MOV BYTE PTR SS:[ESP+E8],2
0044CECC  |. 72 0D          JB SHORT Installe.0044CEDB
0044CECE  |. 8B4C24 70      MOV ECX,DWORD PTR SS:[ESP+70]
0044CED2  |. 51             PUSH ECX
0044CED3  |. E8 08A7FEFF    CALL Installe.004375E0
0044CED8  |. 83C4 04        ADD ESP,4
0044CEDB  |> 8B4C24 14      MOV ECX,DWORD PTR SS:[ESP+14]
0044CEDF  |. 3BCB           CMP ECX,EBX
0044CEE1  |. 74 0E          JE SHORT Installe.0044CEF1
0044CEE3  |. 8B4424 18      MOV EAX,DWORD PTR SS:[ESP+18]
0044CEE7  |. 2BC1           SUB EAX,ECX
0044CEE9  |. C1F8 05        SAR EAX,5
0044CEEC  |. 83F8 01        CMP EAX,1
0044CEEF  |. 77 09          JA SHORT Installe.0044CEFA
0044CEF1  |> E8 15A60B00    CALL Installe.0050750B
0044CEF6  |. 8B4C24 14      MOV ECX,DWORD PTR SS:[ESP+14]
0044CEFA  |> 8B9424 8800000>MOV EDX,DWORD PTR SS:[ESP+88]
0044CF01  |. 8D41 20        LEA EAX,DWORD PTR DS:[ECX+20]
0044CF04  |. 6A FF          PUSH -1
0044CF06  |. 53             PUSH EBX
0044CF07  |. 8D8C24 9400000>LEA ECX,DWORD PTR SS:[ESP+94]
0044CF0E  |. 51             PUSH ECX
0044CF0F  |. 8D48 04        LEA ECX,DWORD PTR DS:[EAX+4]
0044CF12  |. 8910           MOV DWORD PTR DS:[EAX],EDX
0044CF14  |. E8 4746FBFF    CALL Installe.00401560
0044CF19  |. 6A 28          PUSH 28
0044CF1B  |. 53             PUSH EBX
0044CF1C  |. 8D5424 38      LEA EDX,DWORD PTR SS:[ESP+38]
0044CF20  |. 68 BC536100    PUSH Installe.006153BC                   ;  ASCII "Audio\InstallFailed.wav"
0044CF25  |. 52             PUSH EDX
0044CF26  |. E8 A5270100    CALL Installe.0045F6D0
0044CF2B  |. 83C4 10        ADD ESP,10
0044CF2E  |. 396C24 4C      CMP DWORD PTR SS:[ESP+4C],EBP
0044CF32  |. 72 0D          JB SHORT Installe.0044CF41
0044CF34  |. 8B4424 38      MOV EAX,DWORD PTR SS:[ESP+38]
0044CF38  |. 50             PUSH EAX
0044CF39  |. E8 A2A6FEFF    CALL Installe.004375E0
0044CF3E  |. 83C4 04        ADD ESP,4
0044CF41  |> 68 18446100    PUSH Installe.00614418                   ;  ASCII "{OK}"
0044CF46  |. 8D7424 70      LEA ESI,DWORD PTR SS:[ESP+70]
0044CF4A  |. E8 F14BFFFF    CALL Installe.00441B40
0044CF4F  |. 8BF8           MOV EDI,EAX
0044CF51  |. 68 54466100    PUSH Installe.00614654                   ;  ASCII "{UnableToLoadData}"
0044CF56  |. 8D7424 58      LEA ESI,DWORD PTR SS:[ESP+58]
0044CF5A  |. C68424 F000000>MOV BYTE PTR SS:[ESP+F0],5
0044CF62  |. E8 D94BFFFF    CALL Installe.00441B40
0044CF67  |. 83C4 08        ADD ESP,8
0044CF6A  |. 396F 18        CMP DWORD PTR DS:[EDI+18],EBP
0044CF6D  |. C68424 E800000>MOV BYTE PTR SS:[ESP+E8],6
0044CF75  |. 72 05          JB SHORT Installe.0044CF7C
0044CF77  |. 8B7F 04        MOV EDI,DWORD PTR DS:[EDI+4]
0044CF7A  |. EB 03          JMP SHORT Installe.0044CF7F
0044CF7C  |> 83C7 04        ADD EDI,4
0044CF7F  |> 3968 18        CMP DWORD PTR DS:[EAX+18],EBP
0044CF82  |. 72 05          JB SHORT Installe.0044CF89
0044CF84  |. 8B40 04        MOV EAX,DWORD PTR DS:[EAX+4]
0044CF87  |. EB 03          JMP SHORT Installe.0044CF8C
0044CF89  |> 83C0 04        ADD EAX,4
0044CF8C  |> 53             PUSH EBX
0044CF8D  |. 6A 01          PUSH 1
0044CF8F  |. 53             PUSH EBX
0044CF90  |. 57             PUSH EDI
0044CF91  |. 50             PUSH EAX
0044CF92  |. 8D4C24 24      LEA ECX,DWORD PTR SS:[ESP+24]
0044CF96  |. 51             PUSH ECX
0044CF97  |. E8 C4FB0100    CALL Installe.0046CB60
0044CF9C  |. 83C4 18        ADD ESP,18
0044CF9F  |. 396C24 68      CMP DWORD PTR SS:[ESP+68],EBP
0044CFA3  |. 72 0D          JB SHORT Installe.0044CFB2
0044CFA5  |. 8B5424 54      MOV EDX,DWORD PTR SS:[ESP+54]
0044CFA9  |. 52             PUSH EDX
0044CFAA  |. E8 31A6FEFF    CALL Installe.004375E0
0044CFAF  |. 83C4 04        ADD ESP,4
0044CFB2  |> 39AC24 8400000>CMP DWORD PTR SS:[ESP+84],EBP
0044CFB9  |. BF 0F000000    MOV EDI,0F
0044CFBE  |. 897C24 68      MOV DWORD PTR SS:[ESP+68],EDI
0044CFC2  |. 895C24 64      MOV DWORD PTR SS:[ESP+64],EBX
0044CFC6  |. 885C24 54      MOV BYTE PTR SS:[ESP+54],BL
0044CFCA  |. C68424 E800000>MOV BYTE PTR SS:[ESP+E8],2
0044CFD2  |. 72 0D          JB SHORT Installe.0044CFE1
0044CFD4  |. 8B4424 70      MOV EAX,DWORD PTR SS:[ESP+70]
0044CFD8  |. 50             PUSH EAX
0044CFD9  |. E8 02A6FEFF    CALL Installe.004375E0
0044CFDE  |. 83C4 04        ADD ESP,4
0044CFE1  |> E8 FA2BFEFF    CALL Installe.0042FBE0
0044CFE6  |. 8B4424 14      MOV EAX,DWORD PTR SS:[ESP+14]
0044CFEA  |. 3BC3           CMP EAX,EBX
0044CFEC  |. 74 29          JE SHORT Installe.0044D017
0044CFEE  |. 8B4C24 2C      MOV ECX,DWORD PTR SS:[ESP+2C]
0044CFF2  |. 51             PUSH ECX
0044CFF3  |. 8B4C24 1C      MOV ECX,DWORD PTR SS:[ESP+1C]
0044CFF7  |. 8D5424 14      LEA EDX,DWORD PTR SS:[ESP+14]
0044CFFB  |. 52             PUSH EDX
0044CFFC  |. 51             PUSH ECX
0044CFFD  |. 50             PUSH EAX
0044CFFE  |. E8 8D62FEFF    CALL Installe.00433290
0044D003  |. 8B5424 24      MOV EDX,DWORD PTR SS:[ESP+24]
0044D007  |. 52             PUSH EDX
0044D008  |. E8 D3A5FEFF    CALL Installe.004375E0
0044D00D  |. 83C4 14        ADD ESP,14
0044D010  |. EB 05          JMP SHORT Installe.0044D017
0044D012  |> BF 0F000000    MOV EDI,0F
0044D017  |> 39AC24 A400000>CMP DWORD PTR SS:[ESP+A4],EBP
0044D01E  |. 889C24 E800000>MOV BYTE PTR SS:[ESP+E8],BL
0044D025  |. 72 10          JB SHORT Installe.0044D037
0044D027  |. 8B8424 9000000>MOV EAX,DWORD PTR SS:[ESP+90]
0044D02E  |. 50             PUSH EAX
0044D02F  |. E8 ACA5FEFF    CALL Installe.004375E0
0044D034  |. 83C4 04        ADD ESP,4
0044D037  |> 68 F4516100    PUSH Installe.006151F4                   ; /Arg1 = 006151F4 ASCII "hasValidDecryptionKey"
0044D03C  |. B9 70206B00    MOV ECX,Installe.006B2070                ; |
0044D041  |. E8 BAC0FFFF    CALL Installe.00449100                   ; \Installe.00449100
0044D046  |. 84C0           TEST AL,AL
0044D048  |. 0F84 24020000  JE Installe.0044D272
0044D04E  |. E8 3DE80000    CALL Installe.0045B890
0044D053  |. E8 A8E80000    CALL Installe.0045B900
0044D058  |. 53             PUSH EBX
0044D059  |. 68 80A74400    PUSH Installe.0044A780
0044D05E  |. E8 4D2CFEFF    CALL Installe.0042FCB0
0044D063  |. 897C24 54      MOV DWORD PTR SS:[ESP+54],EDI
0044D067  |. 895C24 50      MOV DWORD PTR SS:[ESP+50],EBX
0044D06B  |. 885C24 40      MOV BYTE PTR SS:[ESP+40],BL
0044D06F  |. 895C24 38      MOV DWORD PTR SS:[ESP+38],EBX
0044D073  |. 6A 01          PUSH 1
0044D075  |. 8D4C24 3C      LEA ECX,DWORD PTR SS:[ESP+3C]
0044D079  |. 51             PUSH ECX
0044D07A  |. 8D5424 60      LEA EDX,DWORD PTR SS:[ESP+60]
0044D07E  |. 68 B0536100    PUSH Installe.006153B0                   ;  ASCII "EULA.html"
0044D083  |. 52             PUSH EDX
0044D084  |. C68424 0001000>MOV BYTE PTR SS:[ESP+100],7
0044D08C  |. E8 9FD20000    CALL Installe.0045A330
0044D091  |. 83C4 18        ADD ESP,18
0044D094  |. 3968 18        CMP DWORD PTR DS:[EAX+18],EBP
0044D097  |. C68424 E800000>MOV BYTE PTR SS:[ESP+E8],8
0044D09F  |. 72 05          JB SHORT Installe.0044D0A6
0044D0A1  |. 8B50 04        MOV EDX,DWORD PTR DS:[EAX+4]
0044D0A4  |. EB 03          JMP SHORT Installe.0044D0A9
0044D0A6  |> 8D50 04        LEA EDX,DWORD PTR DS:[EAX+4]
0044D0A9  |> 8BC2           MOV EAX,EDX
0044D0AB  |. 897C24 28      MOV DWORD PTR SS:[ESP+28],EDI
0044D0AF  |. 895C24 24      MOV DWORD PTR SS:[ESP+24],EBX
0044D0B3  |. 885C24 14      MOV BYTE PTR SS:[ESP+14],BL
0044D0B7  |. 8D70 01        LEA ESI,DWORD PTR DS:[EAX+1]
0044D0BA  |. 8D9B 00000000  LEA EBX,DWORD PTR DS:[EBX]
0044D0C0  |> 8A08           /MOV CL,BYTE PTR DS:[EAX]
0044D0C2  |. 83C0 01        |ADD EAX,1
0044D0C5  |. 3ACB           |CMP CL,BL
0044D0C7  |.^75 F7          \JNZ SHORT Installe.0044D0C0
0044D0C9  |. 2BC6           SUB EAX,ESI
0044D0CB  |. 50             PUSH EAX
0044D0CC  |. 52             PUSH EDX
0044D0CD  |. 8D4C24 18      LEA ECX,DWORD PTR SS:[ESP+18]
0044D0D1  |. E8 6A45FBFF    CALL Installe.00401640
0044D0D6  |. 396C24 68      CMP DWORD PTR SS:[ESP+68],EBP
0044D0DA  |. C68424 E800000>MOV BYTE PTR SS:[ESP+E8],0A
0044D0E2  |. 72 0D          JB SHORT Installe.0044D0F1
0044D0E4  |. 8B4424 54      MOV EAX,DWORD PTR SS:[ESP+54]
0044D0E8  |. 50             PUSH EAX
0044D0E9  |. E8 F2A4FEFF    CALL Installe.004375E0
0044D0EE  |. 83C4 04        ADD ESP,4
0044D0F1  |> 68 A4536100    PUSH Installe.006153A4                   ;  ASCII "{Disagree}"
0044D0F6  |. 8DB424 8C00000>LEA ESI,DWORD PTR SS:[ESP+8C]
0044D0FD  |. 897C24 6C      MOV DWORD PTR SS:[ESP+6C],EDI
0044D101  |. 895C24 68      MOV DWORD PTR SS:[ESP+68],EBX
0044D105  |. 885C24 58      MOV BYTE PTR SS:[ESP+58],BL
0044D109  |. E8 324AFFFF    CALL Installe.00441B40
0044D10E  |. 8BF8           MOV EDI,EAX
0044D110  |. 68 9C536100    PUSH Installe.0061539C                   ;  ASCII "{Agree}"
0044D115  |. 8D7424 74      LEA ESI,DWORD PTR SS:[ESP+74]
0044D119  |. C68424 F000000>MOV BYTE PTR SS:[ESP+F0],0B
0044D121  |. E8 1A4AFFFF    CALL Installe.00441B40
0044D126  |. 8BE8           MOV EBP,EAX
0044D128  |. 68 80536100    PUSH Installe.00615380                   ;  ASCII "{EndUserLicenseAgreement}"
0044D12D  |. 8DB424 B400000>LEA ESI,DWORD PTR SS:[ESP+B4]
0044D134  |. C68424 F400000>MOV BYTE PTR SS:[ESP+F4],0C
0044D13C  |. E8 FF49FFFF    CALL Installe.00441B40
0044D141  |. 83C4 0C        ADD ESP,0C
0044D144  |. BE 10000000    MOV ESI,10
0044D149  |. 3977 18        CMP DWORD PTR DS:[EDI+18],ESI
0044D14C  |. C68424 E800000>MOV BYTE PTR SS:[ESP+E8],0D
0044D154  |. 72 05          JB SHORT Installe.0044D15B
0044D156  |. 8B7F 04        MOV EDI,DWORD PTR DS:[EDI+4]
0044D159  |. EB 03          JMP SHORT Installe.0044D15E
0044D15B  |> 83C7 04        ADD EDI,4
0044D15E  |> 3975 18        CMP DWORD PTR SS:[EBP+18],ESI
0044D161  |. 72 05          JB SHORT Installe.0044D168
0044D163  |. 8B6D 04        MOV EBP,DWORD PTR SS:[EBP+4]
0044D166  |. EB 03          JMP SHORT Installe.0044D16B
0044D168  |> 83C5 04        ADD EBP,4
0044D16B  |> 3970 18        CMP DWORD PTR DS:[EAX+18],ESI
0044D16E  |. 72 05          JB SHORT Installe.0044D175
0044D170  |. 8B40 04        MOV EAX,DWORD PTR DS:[EAX+4]
0044D173  |. EB 03          JMP SHORT Installe.0044D178
0044D175  |> 83C0 04        ADD EAX,4
0044D178  |> 397424 28      CMP DWORD PTR SS:[ESP+28],ESI
0044D17C  |. 8B4C24 14      MOV ECX,DWORD PTR SS:[ESP+14]
0044D180  |. 73 04          JNB SHORT Installe.0044D186
0044D182  |. 8D4C24 14      LEA ECX,DWORD PTR SS:[ESP+14]
0044D186  |> 53             PUSH EBX
0044D187  |. 68 D0C74400    PUSH Installe.0044C7D0
0044D18C  |. 57             PUSH EDI
0044D18D  |. 55             PUSH EBP
0044D18E  |. 50             PUSH EAX
0044D18F  |. 51             PUSH ECX
0044D190  |. E8 6B2AFEFF    CALL Installe.0042FC00
0044D195  |. 83C4 18        ADD ESP,18
0044D198  |. 39B424 C000000>CMP DWORD PTR SS:[ESP+C0],ESI
0044D19F  |. 72 10          JB SHORT Installe.0044D1B1
0044D1A1  |. 8B8C24 AC00000>MOV ECX,DWORD PTR SS:[ESP+AC]
0044D1A8  |. 51             PUSH ECX
0044D1A9  |. E8 32A4FEFF    CALL Installe.004375E0
0044D1AE  |. 83C4 04        ADD ESP,4
0044D1B1  |> 39B424 8400000>CMP DWORD PTR SS:[ESP+84],ESI
0044D1B8  |. BF 0F000000    MOV EDI,0F
0044D1BD  |. 89BC24 C000000>MOV DWORD PTR SS:[ESP+C0],EDI
0044D1C4  |. 899C24 BC00000>MOV DWORD PTR SS:[ESP+BC],EBX
0044D1CB  |. 889C24 AC00000>MOV BYTE PTR SS:[ESP+AC],BL
0044D1D2  |. 72 0D          JB SHORT Installe.0044D1E1
0044D1D4  |. 8B5424 70      MOV EDX,DWORD PTR SS:[ESP+70]
0044D1D8  |. 52             PUSH EDX
0044D1D9  |. E8 02A4FEFF    CALL Installe.004375E0
0044D1DE  |. 83C4 04        ADD ESP,4
0044D1E1  |> 39B424 A000000>CMP DWORD PTR SS:[ESP+A0],ESI
0044D1E8  |. 89BC24 8400000>MOV DWORD PTR SS:[ESP+84],EDI
0044D1EF  |. 899C24 8000000>MOV DWORD PTR SS:[ESP+80],EBX
0044D1F6  |. 885C24 70      MOV BYTE PTR SS:[ESP+70],BL
0044D1FA  |. 72 10          JB SHORT Installe.0044D20C
0044D1FC  |. 8B8424 8C00000>MOV EAX,DWORD PTR SS:[ESP+8C]
0044D203  |. 50             PUSH EAX
0044D204  |. E8 D7A3FEFF    CALL Installe.004375E0
0044D209  |. 83C4 04        ADD ESP,4
0044D20C  |> 397424 28      CMP DWORD PTR SS:[ESP+28],ESI
0044D210  |. 72 0D          JB SHORT Installe.0044D21F
0044D212  |. 8B4C24 14      MOV ECX,DWORD PTR SS:[ESP+14]
0044D216  |. 51             PUSH ECX
0044D217  |. E8 C4A3FEFF    CALL Installe.004375E0
0044D21C  |. 83C4 04        ADD ESP,4
0044D21F  |> 397424 4C      CMP DWORD PTR SS:[ESP+4C],ESI
0044D223  |. 897C24 28      MOV DWORD PTR SS:[ESP+28],EDI
0044D227  |. 895C24 24      MOV DWORD PTR SS:[ESP+24],EBX
0044D22B  |. 885C24 14      MOV BYTE PTR SS:[ESP+14],BL
0044D22F  |. 72 0D          JB SHORT Installe.0044D23E
0044D231  |. 8B5424 38      MOV EDX,DWORD PTR SS:[ESP+38]
0044D235  |. 52             PUSH EDX
0044D236  |. E8 A5A3FEFF    CALL Installe.004375E0
0044D23B  |. 83C4 04        ADD ESP,4
0044D23E  |> 8BEE           MOV EBP,ESI
0044D240  |> 39AC24 DC00000>CMP DWORD PTR SS:[ESP+DC],EBP
0044D247  |. 5F             POP EDI
0044D248  |. 5E             POP ESI
0044D249  |. 5D             POP EBP
0044D24A  |. 5B             POP EBX
0044D24B  |. 72 10          JB SHORT Installe.0044D25D
0044D24D  |. 8B8424 B800000>MOV EAX,DWORD PTR SS:[ESP+B8]
0044D254  |. 50             PUSH EAX
0044D255  |. E8 86A3FEFF    CALL Installe.004375E0
0044D25A  |. 83C4 04        ADD ESP,4
0044D25D  |> 8B8C24 D000000>MOV ECX,DWORD PTR SS:[ESP+D0]
0044D264  |. 64:890D 000000>MOV DWORD PTR FS:[0],ECX
0044D26B  |. 81C4 DC000000  ADD ESP,0DC
0044D271  |. C3             RETN
0044D272  |> B9 D0166B00    MOV ECX,Installe.006B16D0
0044D277  |. E8 34AAFEFF    CALL Installe.00437CB0
0044D27C  |. 53             PUSH EBX
0044D27D  |. E8 FEF0FFFF    CALL Installe.0044C380
0044D282  |. 83C4 04        ADD ESP,4
0044D285  \.^EB B9          JMP SHORT Installe.0044D240
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Lejeune on July 18, 2010, 07:41:26 AM
http://translate.google.com/translate?hl=en&sl=zh-CN&u=http://3dmgame.chnren.com/bbs/showtopic.aspx%3Ftopicid%3D1364288%26page%3Dend&ei=MqJCTOX0M4WF4Qa437yjDg&sa=X&oi=translate&ct=result&resnum=7&ved=0CD4Q7gEwBg&prev=/search%3Fq%3Dmpqe%26hl%3Den%26sa%3DX%26tbo%3D1%26tbs%3Dqdr:d


Seems like they are making huge progress from the looks of it?!
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: darkrei9n on July 18, 2010, 07:56:19 AM
Guys. If any of you are using say IDA pro or whatever, if you see jz 006569F8 or that location referenced in any code that is what we are looking for. That goes to CryptCreateHash which I think is what we need.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: tomsons26 on July 18, 2010, 07:59:50 AM
is this useful?
00218D7A: extract repack
0021C517: key H5f
 
  SSZ00614990_MPQE
  SSZ006151C4_DecryptionKey
  SSZ006151B4__DecryptionKey_
 
  Crypto info
  BASE64 table :: 0021A2B8 :: 0061A2B8
      Referenced at 006112A3
  BASE64 table :: 0021F3E8 :: 0061F3E8
      Referenced at 004C87F1
      Referenced at 004C8802
      Referenced at 004C8825
      Referenced at 004C8840
  BZIP2 [long] :: 00288260 :: 00688260
      Referenced at 005311E1
      Referenced at 0053124E
      Referenced at 005312BB
      Referenced at 00531321
      Referenced at 00531379
      Referenced at 00533B95
      Referenced at 00533DA6
      Referenced at 005361FA
      Referenced at 005362BE
      Referenced at 0053635D
      Referenced at 005363F6
      Referenced at 00536486
  CRC32 :: 0024E110 :: 0064E110
      Referenced at 005C7216
      Referenced at 005C7260
      Referenced at 005C72A0
      Referenced at 005C72DD
      Referenced at 005C7314
      Referenced at 005C734B
      Referenced at 005C737C
      Referenced at 005C73BB
      Referenced at 005C73F2
      Referenced at 005C743F
      Referenced at 005C7471
  CRC32b :: 00251BA8 :: 00651BA8
      Referenced at 005DA044
      Referenced at 005DA071
  CRC32b :: 00287E60 :: 00687E60
      Referenced at 00531162
      Referenced at 00531441
      Referenced at 005314BC
      Referenced at 005316F7
      Referenced at 00536135
      Referenced at 00536502
      Referenced at 00536882
      Referenced at 00536958
  CryptCreateHash [Name] :: 002569F8 :: 006569F8
      Referenced at 005475AA
  CryptHashData [Name] :: 00256A2C :: 00656A2C
      Referenced at 005475D7
  DCL Implode [word] :: 00251848 :: 00651848
      Referenced at 005C7E06
  MD5 :: 00148BC9 :: 00548BC9
      The reference is above.
  SHA1 [Compress] :: 000A6ED3 :: 004A6ED3
      The reference is above.
  SHA1 [Compress] :: 00155BE4 :: 00555BE4
      The reference is above.
  ZLIB deflate [word] :: 002509E8 :: 006509E8
      Referenced at 005C675B
 

 
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: tomsons26 on July 18, 2010, 08:46:44 AM
weird http://download.cnet.com/Deccan-Encryptor-Decryptor/3000-2092_4-10411521.html?tag=mncol
says incorrect password so that means it can read the cryption of Installer UI 2.MPQE
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Blackcode on July 18, 2010, 09:46:30 AM
Quote from: tomsons26 on July 18, 2010, 08:46:44 AM
weird http://download.cnet.com/Deccan-Encryptor-Decryptor/3000-2092_4-10411521.html?tag=mncol
says incorrect password so that means it can read the cryption of Installer UI 2.MPQE

Dude read some fucking asm manuals, get some basic knowledge before talking without knowing... usually I am a patient guy but I see too many ppl trying to help without having the basic knowledge....

The encryption used by MPQE files is supposed to be Salsa20. Bruteforcing that will lead nowhere seeing the length of the key, so we are trying to exploit that somehow else.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: darkrei9n on July 18, 2010, 11:28:39 AM
Vernam7 should drop us another hint.

Like what tools he used.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Cybertox on July 18, 2010, 11:30:18 AM
Guys just calm down, I'm sure you will be able to crack it.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: darkrei9n on July 18, 2010, 11:32:40 AM
Cyber we're relatively calm compared to other places. We're not screaming at Vernam7 like some sites to release the crack or claiming he never did it.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Vernam7 on July 18, 2010, 11:48:40 AM
Quote from: darkrei9n on July 18, 2010, 11:32:40 AM
Cyber we're relatively calm compared to other places. We're not screaming at Vernam7 like some sites to release the crack or claiming he never did it.


tnx dark

i didn't use any special tool that you don't already know
simple known tools like
W32DSM (way old i know but does the job)
HHD Hex Editor (it's simple and with fast comparing methods i like it)
NO IIS installation needed (because i had a private server to emulate and test a few things)

and i didn't do anything at runtime! not cracking or altering anything at runtime in memory! i just watched very carefully, extracted the second installer from the 1st one as i already told you, hex edited this one at the right addresses (no details as i said) and not replacing or doing rename stuff inside any MPQ file!

you can get the 2nd installer
replace it over the 1st one
just extract what file you need to edit or fake-skip from the mpq and place it where your base installer.exe is, it will read those and NOT the MPQ ones!
so you can do clone files that match the originals but have inside whatever you want them to have to pass a few steps!

no need to go back and forward to temp folders and crap like that "copy pasting and self-appointed crackers" here and there are saying!

imho the main focus should be to fake the installer that it is ok to go on with the decryption of the files
(look at the header of the MPQE files!) calculate the size in HEX, don't just copy paste information people say in other china forums without understanding what you read guys!

every region installer decrypts slightly differently!

hope those are gonna save you some more time...

GL!

vernam7 out.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Vernam7 on July 18, 2010, 11:58:48 AM
damn it my last reply was not posted....fucking forum cookies.....

anyway in short i was saying this is the 1st step then you have to crack the .exe of the game to avoid Validation Errors as i do in my last launcher version for the beta.

being in guest mode isn't that cool, i can't save any of my progress in campaign nor achievements and when some safeguards that i missed try to seek WAN authentication here and there i lag!

sure the 1st retail patch will have lots of improvements and will complete the retail in many ways, and probably new safeguards :(

anyway gl.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Cybertox on July 18, 2010, 12:03:43 PM
Guys you are lucky you have the installer i have only 5% of it XD
I have a fast internet (DL 1MB/s) but nobody seeds, they just downloaded the game and that's it, no seed. Fuck them!
My average speed is 20 KB/s and I'm downloading 16 from 187 Peers WTF?

Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Vernam7 on July 18, 2010, 12:10:06 PM
Quote from: Cybertox on July 18, 2010, 12:03:43 PM
Guys you are lucky you have the installer i have only 5% of it XD
I have a fast internet (DL 1MB/s) but nobody seeds, they just downloaded the game and that's it, no seed. Fuck them!
My average speed is 20 KB/s and I'm downloading 16 from 187 Peers WTF?


do you use the official blizzard downloader for the installer or some old torrent?
get the Blizzard downloader and from options uncheck Peer2Peer, it will speed you way up!
:thumbsup:
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: darkrei9n on July 18, 2010, 01:06:45 PM
Okay, I think I got this guys. At 004CDEF there is a boolean true or false that checks if the authentication key is authentic. If it's true it moves onto the EULA and all that stuff. However if FALSE it moves onto location 0044D012 which means that the file never gets decrypted. Which means we need to get validdecryptionkey to come out to true. After looking at this there are two checks, the date check along with the valid key check, if the key is invalid it SKIPS decryption.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Blackcode on July 18, 2010, 02:34:31 PM
Quote from: darkrei9n on July 18, 2010, 01:06:45 PM
Okay, I think I got this guys. At 004CDEF there is a boolean true or false that checks if the authentication key is authentic. If it's true it moves onto the EULA and all that stuff. However if FALSE it moves onto location 0044D012 which means that the file never gets decrypted. Which means we need to get validdecryptionkey to come out to true. After looking at this there are two checks, the date check along with the valid key check, if the key is invalid it SKIPS decryption.


recheck


004CDEF
0044D012
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Cybertox on July 18, 2010, 02:43:19 PM
Quote from: Vernam7 on July 18, 2010, 12:10:06 PM
Quote from: Cybertox on July 18, 2010, 12:03:43 PM
Guys you are lucky you have the installer i have only 5% of it XD
I have a fast internet (DL 1MB/s) but nobody seeds, they just downloaded the game and that's it, no seed. Fuck them!
My average speed is 20 KB/s and I'm downloading 16 from 187 Peers WTF?


do you use the official blizzard downloader for the installer or some old torrent?
get the Blizzard downloader and from options uncheck Peer2Peer, it will speed you way up!
:thumbsup:
Thank you so much, i connected it first to ethernet because first i had wifi and after downloaded the downloader and then unchecked the peer to peer option and now it shows about 75 minutes, the average speed is 1.25 MBs. Thank you!

Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: darkrei9n on July 18, 2010, 03:14:15 PM
I'm beginning to think that memory editing might be easier for this.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Vernam7 on July 18, 2010, 03:20:20 PM
Quote from: darkrei9n on July 18, 2010, 03:14:15 PM
I'm beginning to think that memory editing might be easier for this.


to do it once and in a specific moment maybe, if this is permanent it is more efficient imho.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: darkrei9n on July 18, 2010, 03:22:33 PM
So vernam7, are those addresses I posted where we should be looking?
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Vernam7 on July 18, 2010, 03:25:57 PM
Quote from: darkrei9n on July 18, 2010, 03:22:33 PM
So vernam7, are those addresses I posted where we should be looking?


yes this is one of the spots! ;-)
from there you can find the other references ;-)

also instead of blocking the addresses the installer tries to reach and redirecting them in the hosts file, with time and being careful you can permanently hack them in the installer2 and make them look elsewhere! i think it even accepts addresses like file:\\c:\askdaksdj\asdad.txt not sure about that, but i pointed as i told you to my server ;-) that had the fake files it was looking for. but this is also not so important if you simply tell it to go on with the decryption after you enter anything in the text box!

just try not to write more bytes than is needed! try to overwrite the existing ones when you come to hex editing the installer. i believe size matters! and that's sure for the mpqes as well! modified sizes could cause problems!

i will log off now we have a thunderstorm here and my UPS isn't working properly LOL



Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: darkrei9n on July 18, 2010, 03:32:00 PM
Is it the second address mentioning valid decrypt key at 004D037?

Gah, I don't know how to do hex editing.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Jebediah on July 18, 2010, 03:51:36 PM
Quote from: Vernam7 on July 18, 2010, 03:25:57 PM
i will log off now we have a thunderstorm here and my UPS isn't working properly LOL

..oh god, they sent the templars.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Jibs on July 18, 2010, 04:17:56 PM
Quote
imho the main focus should be to fake the installer that it is ok to go on with the decryption of the files
(look at the header of the MPQE files!) calculate the size in HEX, don't just copy paste information people say in other china forums without understanding what you read guys!

You mean 0x88649be5? 2nd installer dword value from the header... no idea what to do with it tho :P
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Doix on July 18, 2010, 04:53:31 PM
Guys you are getting trolled. This guy has no reverse engineering skills and you are giving him way too much credit just because he wrote that launcher. That launcher involved no reverse engineering at all. At first it was just a GUI for lazylauncher (if any of you remember back that far). After patch 9 was released blizzard let you launch maps by passing the path of the map as an argument to the exe, so the lazylauncher was no longer needed. No reverse engineering involved here.

Somewhere along the timeline I reversed the exe a bit to let me set the speed of SC2 to make AI testing easier (I helped write the Starcrack AI). I then helped Vernam7 incorporate this into his launcher. We had a few conversations, it was bloody obvious that this guy knew nothing about how stuff worked in the lower level.

Let's come back to the present. In phase 2 blizzard decided that you can't launch maps via the commandline anymore without authenticating first. Sheppard cracked this. Afterwards Vernam7 incorporated this into his launcher. I'm willing to bet that all he did was rip off Sheppard's work here. Again involving no reverse engineering on his part.

All his launcher does is modify a few files inside the map MPQ file. He didn't even reverse engineer the mapdetials stuff, that was all Blackcode- and some other people I can't remember right now (basttmp maybe?). These edits are pretty simple compared to some of the stuff people are working on at sc2mapster.com.

Vernam7 is an average VB.net coder, nothing less, nothing more. He has previously demonstrated no knowledge of reverse engineering, he couldn't even reverse engineer the speed setting in sc2 which was pretty basic. And now he claims to have hacked the installer and have a working game. When the Asian community can't do it, and they have people with actual technical knowledge trying to get this to work. Look at StarManager (i hope that's what it's called), it has one of the most complete replay structures which was obviously obtained by reversing the exe and not just trial and error.

The only proof he has shown is a screenshot of the installer which any noob can get by simply messing with a few xml files. No in-game screen shots. No screen shots of the installed directory. No screen shots of unpacked MPQ files or the contents of these MPQ files. NOTHING.
Now let's look at some of the stuff he has said in this thread:
"decryption can be bypassed"
Are you guys reading this? That's one of the most ridiculous statements I've heard in my life. According to some Chinese posts, blizzard used salsa20 : http://en.wikipedia.org/wiki/Salsa20 (http://en.wikipedia.org/wiki/Salsa20) . Read up on it. When you encrypt something the contents of the file are changed. If you bypass the decryption part and don't decrypt the files, you are left with garbage... come on.

"W32DSMHHD Hex Editor (its simple and with fast compairing methods i like it)"

W32DSM and a hex editor? Come on... Who the hell uses W32DSM, it's pretty much all Olly or IDA nowadays. Maybe syser if you need ring-0 debugging since softice support has died. Some of the stuff he says sounds like he is editing random bytes with a hex editor.

From an msn conversation we had:

"the most importand the installer crack is done while the installer is NOT running, so i actually wrote 0 line of code, i did it all manually with good hex editors and lots of reverse on other files ;)  "

So he did this without debugging the installer at all, just disassembling it and editing random shit with a hex editor. Get real.


Don't get me wrong, he has done a great job at giving all the people who just want to play a 1-click solution to play and invested a lot of time to make sure it was easy to use and shit. But that's all he has done. Like I said earlier, he is an average VB.Net programmer. But right now he is being a total asshat by telling you guys a bunch of bullshit and pretending as if he has the game.

tl;dr Vernam7 didn't crack it. he is a vb.net programmer not a reverse engineering god.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Vernam7 on July 18, 2010, 05:28:30 PM
............next page.............
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: darkrei9n on July 18, 2010, 05:32:03 PM
Vernam7, is the second address we're looking for the second reference to hasvaliddecryptionkey?
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: RedArchon on July 18, 2010, 05:38:11 PM
Quote from: Doix on July 18, 2010, 04:53:31 PM
Guys you are getting trolled. This guy has no reverse engineering skills and you are giving him way too much credit just because he wrote that launcher. That launcher involved no reverse engineering at all. At first it was just a GUI for lazylauncher (if any of you remember back that far). After patch 9 was released blizzard let you launch maps by passing the path of the map as an argument to the exe, so the lazylauncher was no longer needed. No reverse engineering involved here.
....
So you say that he doesn't have any installing tool, or even an installed game?

Vernam7: when you play this game, why you post some screenshots? example screenshot of files from SC2 and some in-game that are not on internet?
screenshots aren't bad to show.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Vernam7 on July 18, 2010, 05:42:05 PM
@Doix this is your opinion about me 6 months ago!

i never said i was doing this all the time and surely i had a lack of lots of stuff, but thank god i am a fast learner, and if you can recall you were the one who didn't help when challenges were raised at the team, i wasn't the one that disappeared!

i stayed until the end, even tried to speak to some guys but everyone had abandoned everything!

only freebot stayed at my side for support, i never blamed others for lack of knowledge!

i never came to a forum to "attack" you for that, on the other hand i tried to learn as much stuff as others knew and improve them!

i never stated i am a god, people respect me because i supported them and i was there when they needed me!

offering solutions without risking my head that much, when you and others like you were just playing the game because you got lucky to be in the BETA, but when the servers were down the tool that you now blame was the one you also used to play!

now about RE: reverse engineering my "friend" isn't something a software engineer can't develop!
you should know that!
and why is a .net programmer somehow "lower" than a reverse engineer for you?
what's the unteachable and the unlearnable about doing backwards what you do every day forwards?
WHAT? a few assembly commands and learning to read memory bytes?
if your brain spins it's nothing but another language!

and you don't really know me that well and making theories from 5 msn chats 6 months ago is at least not mature!

why? is it so hard to accept some can learn to do things sometimes you can't? who's pretending to be god now? me or you with this so ALL power Reverse Engineer style you are trying to prove?

also you are in conflict with your own statement, on one part, i am not good enough to do reverse engineering, on the other part i am good enough to rip off shephard (who is he anyway? i really don't know) and steal his ideas-method and implement it in my launcher!?

decide what i am at last and keep it for yourself plz!

i am really disappointed, you never were an easy going dude but i liked you, couldn't imagine you turning against your fellow teammates so easily and for what? pride? satisfaction? did i say something to you? you think will give you a prize? will remember your really confusing post after a few weeks and give you money? what? people like you are looking for virtual friends and recognition maybe because in RL you are no one!? i don't know i don't care.

as long as you can't crack it completely differently in places other than those i tip, unless you come to my place, search my system and find no retail game, then and only THEN you could call someone a liar!
until you can prove something completely different than what i said, just zip it plz and keep the venom for yourselves all of you! have your doubts no problem but don't judge my knowledge and my experience nor my character! you simply can't!

how can you judge me? or my achievement? WHO do you think You are anyway? do we work together? do you know me in RL? have we seen each other? what? we talked 6 months ago, i told you i don't do reverse on a professional level, i was needing your help, after a week you were gone, and now after 6 months you come here and say, ("hey he's an average programmer i know that from when we spoke at msn he couldn't do that cracking thing because i can't do it ! ")

anyway thank you for your assistance way back then, it helped me a lot like it or not.
and i feel really sad about your reaction.   :-[

not gonna say anything more

thank you for your time.

p.s english is not my native language and many things i said that you take literally can confuse you, ok, that doesn't mean what i was trying to say is wrong! i just didn't type it well, like the no need to edit in memory and the "bypassing" encryption are wrong words to use maybe but i DON'T Care.
the way you try to make them look is really sad....

p.s 2 and just for the record why did every little tip i gave to some guys help them to move forward in the cracking process and find new interesting things and now they are in the right direction! how could i know all that stuff in such a short time by luck???
since you like facts explain that fact you and others like yourself!
i should then go and play the lotto or something, i have 100% chances of winning if i am SO damn lucky!

Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: darkrei9n on July 18, 2010, 06:33:38 PM
Please people, stop the damn arguing, we have bigger things to worry about than whether the crack vernam has is real.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Glorm on July 18, 2010, 07:11:10 PM
Can't see that it matters if Vernam7 did it or not, while he is not misleading people (which i doubt he is doing).
Better to focus on the task at hand, getting sc2 sp to work before 27th. It's more of an achievement for yourself than anything else. After that it's up to you to share it or not.
Don't want this post to go into useless argument.

Anyways I decided to keep trying, using this post for info. Not gotten any further as of yet. Tried a Debugger tool but did not know how to use it.

So now I'm just reading a lot about hex editors. If you know of any good articles about how to use one that you could recommend I would love to hear about them. Fun to learn it even though I doubt I'll manage to crack this.

But I have a feeling few of the posters here are getting pretty close to installing the game, will keep watching this post to see how it goes (really curious if the key - True/False will lead to something).
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: darkrei9n on July 18, 2010, 07:21:40 PM
Okay, I'm gonna try to change the address from the jump location to the other direction, the default I believe skips a bunch of stuff, while the other one goes to Eula and stuff. I broke my xampp though.

I'm facing my kryptonite here. I am not good with hex editing an executable. Last time I just tried it messed it up bad.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: darkrei9n on July 18, 2010, 07:52:10 PM
Okay, think I have a breakthrough again. I think Blizzard put in a trick path into something that will purposely fail.

In proof one we see along the red path it goes STRAIGHT into loading the MPQE file, without any decryption or anything. However when we move along the green path we end up at some more stuff however they lead to proof 2, the second hasvaliddecryptionkey. This one along its red path ends up doing some stuff BEFORE loading the MPQE and getting EULA.html, which I think is decryption. I also think that's why there are two websites, one has an invalid authentication key to skip the part that fails, and the other has a valid one that is valid.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: 7H3LaughingMan on July 18, 2010, 07:53:12 PM
The problem, Vernam7, is the fact that you have yet to provide a lick of true evidence that you have bypassed the Digital Download security. You have shown us two pictures which we are able to reproduce in a matter of seconds saying that is all the proof that we need. I also kind of find it funny how people who do this normally or even on a professional level are stumped on how to hack their way past the securities and you expect us to believe that you managed to get past it so easily and in a matter of a day?

I have ripped the installer to shreds and ran it up and down wall to rip the secrets it contains, which for the matter of fact it has not a single secret on how to decrypt the .MPQE files. It does contain the code to decrypt it but it doesn't have the key stored inside of it, it uses the key it gets from the internet to decrypt those files. Brute forcing such a key would take over one thousand years with modern technology.

Also, as a side note releasing your crack after the game is released proves nothing since by that time there will be no point to it and it would take a matter of a minute to make a crack at the point since we would have the key needed.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: darkrei9n on July 18, 2010, 08:25:35 PM
Anyone else looking at the spot I was looking at? Because after the first validdecrypt key it is DOOMED to fail. Completely. No way around. Along that path is a call to play install failed and no way around it.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Jibs on July 18, 2010, 08:38:49 PM
Quote from: darkrei9n on July 18, 2010, 08:25:35 PM
Anyone else looking at the spot I was looking at? Because after the first validdecrypt key it is DOOMED to fail. Completely. No way around. Along that path is a call to play install failed and no way around it.

I would but when i open installer.exe in ida i get only 303 lines in functions window...
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: darkrei9n on July 18, 2010, 08:44:56 PM
Jibs, I'm opening the installer in temp, it's basically the same thing but does the actual work.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: darkrei9n on July 18, 2010, 09:03:29 PM
Okay, this is what I'm gonna try, I'm gonna open the thing in IDA pro, change the jump address on where it goes to validate the key to where I think it decrypts.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Jibs on July 18, 2010, 09:15:23 PM
Points out to .rdata:006151F4 aHasvaliddecryp db 'hasValidDecryptionKey',0 ; DATA XREF: .text:0044B2E5o

can't do anything with that tho. Was thinking about changing 0 to 1 but it won't let me =/
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: darkrei9n on July 19, 2010, 01:09:37 AM
I just need a bit more info until I get this cracked. I just need to know what kind of changes I'm making, am I changing where the jumps jump to or changing the type of jumps.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: tomsons26 on July 19, 2010, 01:56:50 AM
Lol i found the tag Salsa20 on the 1st day i downloaded s2 but didn't know what it is lol
Info
http://cr.yp.to/snuffle.html (http://cr.yp.to/snuffle.html)
http://home.netsurf.de/wolfgang.ehrhardt/crypt_en.html (http://home.netsurf.de/wolfgang.ehrhardt/crypt_en.html)
http://www.statemaster.com/encyclopedia/Salsa20 (http://www.statemaster.com/encyclopedia/Salsa20)
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: steve30x on July 19, 2010, 02:27:48 AM
The problem here is the greedy people are crying foul of Vernam's claim of cracking the installer. :tease: You greedy people need to get over it and wait for the 27th and buy the game. Otherwise wait for the crack to be released and stop being such a childish greedy baby.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: HolyPants on July 19, 2010, 03:27:31 AM
Quote from: steve30x on July 19, 2010, 02:27:48 AM
The problem here is the greedy people are crying foul of Vernam's claim of cracking the installer. :tease: You greedy people need to get over it and wait for the 27th and buy the game. Otherwise wait for the crack to be released and stop being such a childish greedy baby.

I did too.

I gave the same amount of evidence.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: TWNuke on July 19, 2010, 03:39:57 AM
Just a thought!! As I am new to this.

The installation throws out the date error for the 27th July only if you are connected to the internet.

So assuming this, it does not check your system date but the date elsewhere such as the blizzard server.

Maybe we need to look at this if it has not been looked at yet.  :)

Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: tomsons26 on July 19, 2010, 03:51:30 AM
Read the previous posts, and the E in MPQE stands for encrypted and Blizz is giving the key to decrypt them only on the 27th
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Cybertox on July 19, 2010, 04:13:22 AM
Guys what are you going to do after you successfully install the game? Use the lazylauncher or try to hack the serial number?
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: darkrei9n on July 19, 2010, 09:36:11 AM
Update. After some careful hex editing we have now bypassed the first error achieved, FAILURE TO OPEN <EULA>, it now opens the eula window properly and goes on to install WITHOUT any XML editing. We need to get it to decrypt however still.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: darkrei9n on July 19, 2010, 11:28:54 AM
I found a second reference to MPQE, think I found where it does decryption.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Kernel64 on July 19, 2010, 11:29:44 AM
Nice.

Do you think the WoW MPQE can be examined for the process of decryption? If I remember correctly there was this thing about MPQE and WoW.

Maybe there is a way to directly manipulate the MPQE file without going through the install process.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: White on July 19, 2010, 12:45:02 PM
Unfortunately I am pretty much in the dark when it comes to this kind of stuff. My only suggestion is that maybe by comparing the instructions in the beta installer to the retail one some clues may be revealed. Obviously some things have to be the same in both so then it will be easier to concentrate only on the differences. Sorry if this sounds silly.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: obliviron on July 19, 2010, 01:11:05 PM

Ok, to the people who are trying to crack Blizzard's SC2 - read the following.


MPQ - MoPaQ file archive format in which the files are compressed to decrease space and enhance ease of use.
MPQE - MoPaQ files first used by Blizzard. These files are encrypted.

After playing around with PeID and several plugins I found MPQE files to be encrypted in two ways. One - is a simple crc & header corruption which is easily reversible.

The other, however is a Salsa20 or ChaCha encryption, BOTH of which are as hard to decrypt as Themida 2.x. This encryption requires a 256-bit key which Blizzard DID NOT RELEASE. It is possible to try to crack the key if you have enough knowledge on the subject, but cracking the key could take months or more.

The Sc2 installer WILL DEPROTECT the files WHEN it has the key. So basically, even if you do modify the program so that it will accept any authorization key, the decryption will still require the 256-bit key that BLIZZARD HAS.

Vernam claims he cracked the program in a maximum of 3 days. He also said that he used an emulator server to help him with the cracking.

Why the hell would you need an emulation server if everything except the encryption-key can be accessed locally?

Finally, Blizzard wouldn't release a game before the actual release date with such weak protection that it can be cracked in less than a week!

Also, Vernam, I have 8 years of experience in C mask and pseudo code, not to mention a doctorate in computer science. I am currently taking classes in electric engineering, so denying my argument by calling me a script kiddie (Which is what you say to all logical arguments) will just make you an idiot.
IN SHORT - SC2 CANNOT BE CRACKED BEFORE THE RELEASE DATE!
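The design point argued in the post above, as an added example that is not code from the thread or from the installer: a toy installer whose release check is forced open still produces garbage when the content is encrypted under a key it never received, while a purely flag-gated design gives the content away. The archive contents, key, nonce and function names are constructed for illustration; only the Salsa20 algorithm and the `MPQ\x1a` archive signature are real.

```python
"""Toy model: a forced 'valid key' check does not unlock an encrypted pre-load."""
import hashlib
import struct

MAGIC = b"MPQ\x1a"   # MPQ archive signature, used to recognise real plaintext
NONCE = bytes(8)     # constructed 64-bit nonce for the demo
RELEASE_KEY = hashlib.sha256(b"constructed release-day key").digest()  # server-side only
PAYLOAD = MAGIC + b"constructed archive contents " * 8


def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF


def _qr(x, a, b, c, d):
    """Salsa20 quarter-round applied in place to four words of the state."""
    x[b] ^= _rotl((x[a] + x[d]) & 0xFFFFFFFF, 7)
    x[c] ^= _rotl((x[b] + x[a]) & 0xFFFFFFFF, 9)
    x[d] ^= _rotl((x[c] + x[b]) & 0xFFFFFFFF, 13)
    x[a] ^= _rotl((x[d] + x[c]) & 0xFFFFFFFF, 18)


def salsa20_block(key, nonce, counter):
    """One 64-byte Salsa20/20 keystream block for a 256-bit key."""
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    c = struct.unpack("<4I", b"expand 32-byte k")
    state = [c[0], k[0], k[1], k[2], k[3], c[1], n[0], n[1],
             counter & 0xFFFFFFFF, (counter >> 32) & 0xFFFFFFFF,
             c[2], k[4], k[5], k[6], k[7], c[3]]
    x = list(state)
    for _ in range(10):  # 10 double rounds = 20 rounds
        _qr(x, 0, 4, 8, 12); _qr(x, 5, 9, 13, 1)      # column round
        _qr(x, 10, 14, 2, 6); _qr(x, 15, 3, 7, 11)
        _qr(x, 0, 1, 2, 3); _qr(x, 5, 6, 7, 4)        # row round
        _qr(x, 10, 11, 8, 9); _qr(x, 15, 12, 13, 14)
    return struct.pack("<16I", *[(a + b) & 0xFFFFFFFF for a, b in zip(x, state)])


def salsa20_xor(key, nonce, data):
    """Encrypt or decrypt: XOR data with the keystream, 64 bytes per block."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = salsa20_block(key, nonce, off // 64)
        out.extend(b ^ s for b, s in zip(data[off:off + 64], ks))
    return bytes(out)


def is_archive(data):
    """True only if the bytes look like a real (decrypted) archive."""
    return data is not None and data.startswith(MAGIC)


def install_flag_gated(plain_archive, released, check_forced=False):
    """Weak design: content ships in the clear, a boolean is the only guard."""
    return plain_archive if (released or check_forced) else None


def install_key_gated(sealed_archive, server_key, check_forced=False):
    """Design described in the thread: content ships encrypted, key arrives at release."""
    has_valid_key = server_key is not None
    if not (has_valid_key or check_forced):
        return None                                   # "not released yet"
    key = server_key if has_valid_key else bytes(32)  # forcing the check supplies no key
    return salsa20_xor(key, NONCE, sealed_archive)


SEALED = salsa20_xor(RELEASE_KEY, NONCE, PAYLOAD)     # what ships before release day

if __name__ == "__main__":
    cases = {
        "flag-gated, check forced": install_flag_gated(PAYLOAD, False, check_forced=True),
        "key-gated, check forced": install_key_gated(SEALED, None, check_forced=True),
        "key-gated, key delivered": install_key_gated(SEALED, RELEASE_KEY),
    }
    for name, result in cases.items():
        print(f"{name:26s} -> usable archive: {is_archive(result)}")
```
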
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Cybertox on July 19, 2010, 01:17:21 PM
Quote from: obliviron on July 19, 2010, 01:11:05 PM

Ok, to the people who are trying to crack Blizzard's SC2 - read the following.


MPQ - MoPaQ file archive format in which the files are compressed to decrease space and enhance ease of use.
MPQE - MoPaQ files first used by Blizzard. These files are encrypted.

After playing around with PeID and several plugins I found MPQE files to be encrypted in two ways. One - is a simple crc & header corruption which is easily reversible.

The other, however is a Salsa20 or ChaCha encryption, BOTH of which are as hard to decrypt as Themida 2.x. This encryption requires a 256-bit key which Blizzard DID NOT RELEASE. It is possible to try to crack the key if you have enough knowledge on the subject, but cracking the key could take months or more.

The Sc2 installer WILL DEPROTECT the files WHEN it has the key. So basically, even if you do modify the program so that it will accept any authorization key, the decryption will still require the 256-bit key that BLIZZARD HAS.

Vernam claims he cracked the program in a maximum of 3 days. He also said that he used an emulator server to help him with the cracking.

Why the hell would you need an emulation server if everything except the encryption-key can be accessed locally?

Finally, Blizzard wouldn't release a game before the actual release date with such weak protection that it can be cracked in less than a week!

Also, Vernam, I have 8 years of experience in C mask and pseudo code, not to mention a doctorate in computer science. I am currently taking classes in electric engineering, so denying my argument by calling me a script kiddie (which is what you say to all logical arguments) will just make you an idiot.
IN SHORT - SC2 CANNOT BE CRACKED BEFORE THE RELEASE DATE!
Everything can be cracked!
This is the first time I see a guy that has 8 years' experience and cannot hack a game calling its protection weak xD
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: 7H3LaughingMan on July 19, 2010, 01:49:09 PM
Quote from: Cybertox on July 19, 2010, 01:17:21 PM
Quote from: obliviron on July 19, 2010, 01:11:05 PM

Ok, to the people who are trying to crack Blizzard's SC2 - read the following.


MPQ - MoPaQ file archive format in which the files are compressed to decrease space and enhance ease of use.
MPQE - MoPaQ files first used by Blizzard. These files are encrypted.

After playing around with PeID and several plugins I found MPQE files to be encrypted in two ways. One - is a simple crc & header corruption which is easily reversible.

The other, however is a Salsa20 or ChaCha encryption, BOTH of which are as hard to decrypt as Themida 2.x. This encryption requires a 256-bit key which Blizzard DID NOT RELEASE. It is possible to try to crack the key if you have enough knowledge on the subject, but cracking the key could take months or more.

The Sc2 installer WILL DEPROTECT the files WHEN it has the key. So basically, even if you do modify the program so that it will accept any authorization key, the decryption will still require the 256-bit key that BLIZZARD HAS.

Vernam claims he cracked the program in a maximum of 3 days. He also said that he used an emulator server to help him with the cracking.

Why the hell would you need an emulation server if everything except the encryption-key can be accessed locally?

Finally, Blizzard wouldn't release a game before the actual release date with such weak protection that it can be cracked in less than a week!

Also, Vernam, I have 8 years of experience in C mask and pseudo code, not to mention a doctorate in computer science. I am currently taking classes in electric engineering, so denying my argument by calling me a script kiddie (which is what you say to all logical arguments) will just make you an idiot.
IN SHORT - SC2 CANNOT BE CRACKED BEFORE THE RELEASE DATE!
Everything can be cracked!
This is the first time I see a guy that has 8 years' experience and cannot hack a game calling its protection weak xD
He never said that the protection was weak, he said Blizzard would never release a game before release with weak protection. He is indeed saying the opposite and that the protection is great.

Yes, everything can be cracked if you had time. But trying to brute force a key in less than a week is purely impossible.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: darkrei9n on July 19, 2010, 02:04:22 PM
This is where the authentication key is checked, if anyone can do anything with this.



; int __stdcall sub_4447E0(HINSTANCE hInstance, HWND hWndParent, int, char, int, int)
sub_4447E0 proc near

hInstance= dword ptr  4
hWndParent= dword ptr  8
arg_8= dword ptr  0Ch
arg_C= byte ptr  10h
arg_10= dword ptr  14h
arg_14= dword ptr  18h

mov     eax, [esp+arg_8]
mov     edx, [esp+arg_10]
push    ebx
mov     [ecx], eax
mov     al, [esp+4+arg_C]
xor     ebx, ebx
push    ebx             ; dwInitParam
mov     [ecx+26h], al
mov     eax, [esp+8+hWndParent]
push    offset sub_4440A0 ; lpDialogFunc
mov     [ecx+4], edx
mov     edx, [esp+0Ch+arg_14]
push    eax             ; hWndParent
mov     [ecx+24h], bl
mov     [ecx+25h], bl
mov     [ecx+28h], edx
mov     ecx, [esp+10h+hInstance]
push    87h             ; lpTemplateName
push    ecx             ; hInstance
call    ds:DialogBoxParamW
cmp     eax, 1
mov     al, 1
jz      short loc_444828
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Cybertox on July 19, 2010, 02:18:11 PM
I want to play this game so badly. It is horrible thinking that Vernam is now playing the game and won't share his crack.
I'm sorry that I didn't understand about the protection; next time I will read carefully.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: 7H3LaughingMan on July 19, 2010, 02:29:43 PM
Quote from: darkrei9n on July 19, 2010, 02:04:22 PM
This is where the authentication key is checked, if anyone can do anything with this.



; int __stdcall sub_4447E0(HINSTANCE hInstance, HWND hWndParent, int, char, int, int)
sub_4447E0 proc near

hInstance= dword ptr  4
hWndParent= dword ptr  8
arg_8= dword ptr  0Ch
arg_C= byte ptr  10h
arg_10= dword ptr  14h
arg_14= dword ptr  18h

mov     eax, [esp+arg_8]
mov     edx, [esp+arg_10]
push    ebx
mov     [ecx], eax
mov     al, [esp+4+arg_C]
xor     ebx, ebx
push    ebx             ; dwInitParam
mov     [ecx+26h], al
mov     eax, [esp+8+hWndParent]
push    offset sub_4440A0 ; lpDialogFunc
mov     [ecx+4], edx
mov     edx, [esp+0Ch+arg_14]
push    eax             ; hWndParent
mov     [ecx+24h], bl
mov     [ecx+25h], bl
mov     [ecx+28h], edx
mov     ecx, [esp+10h+hInstance]
push    87h             ; lpTemplateName
push    ecx             ; hInstance
call    ds:DialogBoxParamW
cmp     eax, 1
mov     al, 1
jz      short loc_444828


There is nothing to do here; if the authentication code is in a valid format, then it moves on and tries to decrypt the files using it. There is only 1 valid code that will decrypt the files, and it is only stored on the Blizzard servers.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: darkrei9n on July 19, 2010, 02:31:57 PM
Quote from: 7H3LaughingMan on July 19, 2010, 02:29:43 PM
Quote from: darkrei9n on July 19, 2010, 02:04:22 PM
This is where the authentication key is checked, if anyone can do anything with this.



; int __stdcall sub_4447E0(HINSTANCE hInstance, HWND hWndParent, int, char, int, int)
sub_4447E0 proc near

hInstance= dword ptr  4
hWndParent= dword ptr  8
arg_8= dword ptr  0Ch
arg_C= byte ptr  10h
arg_10= dword ptr  14h
arg_14= dword ptr  18h

mov     eax, [esp+arg_8]
mov     edx, [esp+arg_10]
push    ebx
mov     [ecx], eax
mov     al, [esp+4+arg_C]
xor     ebx, ebx
push    ebx             ; dwInitParam
mov     [ecx+26h], al
mov     eax, [esp+8+hWndParent]
push    offset sub_4440A0 ; lpDialogFunc
mov     [ecx+4], edx
mov     edx, [esp+0Ch+arg_14]
push    eax             ; hWndParent
mov     [ecx+24h], bl
mov     [ecx+25h], bl
mov     [ecx+28h], edx
mov     ecx, [esp+10h+hInstance]
push    87h             ; lpTemplateName
push    ecx             ; hInstance
call    ds:DialogBoxParamW
cmp     eax, 1
mov     al, 1
jz      short loc_444828


There is nothing to do here; if the authentication code is in a valid format, then it moves on and tries to decrypt the files using it. There is only 1 valid code that will decrypt the files, and it is only stored on the Blizzard servers.

When you provide me proof is when I will listen to people like you. All you have to back you up are your claims.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: TehHawk on July 19, 2010, 02:47:10 PM
Quote from: Cybertox on July 19, 2010, 02:18:11 PM
I want to play this game so badly. It is horrible thinking that Vernam is now playing the game and won't share his crack.
I'm sorry that I didn't understand about the protection; next time I will read carefully.

Don't worry, he ain't playing it. Why do you think he won't release anything up to the release date? Easy: he lacks the authentication key which Blizzard sends to your computer once you try to install the game. (The authentication key is needed for the install; you can't bypass the protection without it.)

The MPQE decryption is vital if you want to install the game, without it those files are nothing but incoherent data which has no direct relation to the real game data.

Now since we don't have the key, we must deduce it. Think of it like when you try to open a locker and you don't have the correct combination, you just go trying all possible combinations.

The same happens in this case, just that we have 2^256 combinations. The big problem is that a computer may at best try 1000000 combinations per second (I may be exaggerating here, it may be way, way less; I haven't read Salsa20's algorithm yet); in other words, in our best case we will be able to deduce 1 million combinations per second. Yet we have 2^256 combinations, which means it takes 2^256/1000000 seconds to try all combinations, and that would be approx. 2^236 seconds, which would be 2^224 hours pretty much. As you see, that's a lot of time; we may actually die before the computer could deduce the goddamn key.

If you don't believe me and still think that everything is so easily cracked, look for a .rar unlocking tool; you'll notice that all it will do is try all the possible passwords until it finds one.
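Added example (not part of any post in this thread, and not Blizzard's code): why removing a key check does not help when the data itself is encrypted under a 256-bit key, and how long exhausting that key space takes at the rate quoted above. Assumptions: ChaCha20 as specified in RFC 8439 stands in for the "Salsa20 or ChaCha" the posts mention; the container layout, the function names `protect`, `unlock` and `brute_force_years`, and the key, nonce and payload are all constructed for illustration.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF
# Column rounds followed by diagonal rounds (RFC 8439, section 2.3).
QUARTER_ROUNDS = ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                  (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14))

def _rotl(value, bits):
    return ((value << bits) & MASK) | (value >> (32 - bits))

def _quarter_round(s, a, b, c, d):
    for rot_d, rot_b in ((16, 12), (8, 7)):
        s[a] = (s[a] + s[b]) & MASK
        s[d] = _rotl(s[d] ^ s[a], rot_d)
        s[c] = (s[c] + s[d]) & MASK
        s[b] = _rotl(s[b] ^ s[c], rot_b)

def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block from a 32-byte key and a 12-byte nonce."""
    init = list(struct.unpack(
        "<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    work = init[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        for indices in QUARTER_ROUNDS:
            _quarter_round(work, *indices)
    return struct.pack("<16I", *((w + i) & MASK for w, i in zip(work, init)))

def chacha20_xor(key, nonce, data, counter=1):
    """Encrypt or decrypt by XORing data with the keystream."""
    out = bytearray()
    for offset in range(0, len(data), 64):
        stream = chacha20_block(key, counter + offset // 64, nonce)
        out += bytes(x ^ k for x, k in zip(data[offset:offset + 64], stream))
    return bytes(out)

def protect(key, nonce, payload):
    """Hypothetical container: SHA-256 of the plaintext, then the ciphertext."""
    return hashlib.sha256(payload).digest() + chacha20_xor(key, nonce, payload)

def unlock(key, nonce, blob, enforce_check=True):
    """Decrypt; enforce_check=False models a client whose key check is gone."""
    digest, body = blob[:32], blob[32:]
    plain = chacha20_xor(key, nonce, body)
    if enforce_check and hashlib.sha256(plain).digest() != digest:
        return None
    return plain

def brute_force_years(key_bits, guesses_per_second):
    """Years needed to try every key of key_bits bits at the given rate."""
    return 2 ** key_bits / guesses_per_second / (365.25 * 24 * 3600)

# Constructed sample values, not taken from any real installer.
PUBLISHER_KEY = bytes(range(32))
NONCE = bytes(12)
PAYLOAD = b"constructed game data " * 8
BLOB = protect(PUBLISHER_KEY, NONCE, PAYLOAD)
```

With the check disabled and a made-up key, `unlock` still returns bytes, but they are unrelated to `PAYLOAD`; `brute_force_years(256, 10**6)` is on the order of 10^63 years.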
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: obliviron on July 19, 2010, 03:16:44 PM
Quote from: TehHawk on July 19, 2010, 02:47:10 PM
Quote from: Cybertox on July 19, 2010, 02:18:11 PM
I want to play this game so badly. It is horrible thinking that Vernam is now playing the game and won't share his crack.
I'm sorry that I didn't understand about the protection; next time I will read carefully.

Don't worry, he ain't playing it. Why do you think he won't release anything up to the release date? Easy: he lacks the authentication key which Blizzard sends to your computer once you try to install the game. (The authentication key is needed for the install; you can't bypass the protection without it.)

The MPQE decryption is vital if you want to install the game, without it those files are nothing but incoherent data which has no direct relation to the real game data.

Now since we don't have the key, we must deduce it. Think of it like when you try to open a locker and you don't have the correct combination, you just go trying all possible combinations.

The same happens in this case, just that we have 2^256 combinations. The big problem is that a computer may at best try 1000000 combinations per second (I may be exaggerating here, it may be way, way less; I haven't read Salsa20's algorithm yet); in other words, in our best case we will be able to deduce 1 million combinations per second. Yet we have 2^256 combinations, which means it takes 2^256/1000000 seconds to try all combinations, and that would be approx. 2^236 seconds, which would be 2^224 hours pretty much. As you see, that's a lot of time; we may actually die before the computer could deduce the goddamn key.

If you don't believe me and still think that everything is so easily cracked, look for a .rar unlocking tool; you'll notice that all it will do is try all the possible passwords until it finds one.


Exactly - and Blizzard will release the above key when the game launches. They probably released it 2 weeks earlier just to fuck with the people who think they can crack it.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Cybertox on July 19, 2010, 03:34:58 PM
So you are not going to be able to crack it before the 27th.
That really sucks!
Why is there just no other way!!!
Well, sadly I'm going to wait till the 27th.
Hope it will not be hard to crack the game after Blizzard lets you install the game.
I think the serial number will be checked via battle.net and if you are offline you will not be able to play.


Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Blackcode on July 19, 2010, 03:36:24 PM
GUYS I had enough, Vernam or not Vernam... script kiddies or not.... we do not have any solution... if the encryption algorithm is salsa20 it can't be broken. The only solution I have in my head is to launch a shared attack against this key.
A lot of computers to run a plain text attack against this key, but we do not have the technical knowledge to achieve it.
Anyway, it is the only method I can think of to break this.

Nice of ya Doix for explaining who Vernam really is... I think he has alter ego problems. He thinks he is some kind of programming God, which he obviously is not. HE is just a SCAMMER and that's all.

Good luck everyone i think i'll quit here.
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Cybertox on July 19, 2010, 04:00:09 PM
It's impossible to crack the installer before the 27th.
Everybody who was trying to crack it is giving up.
What could be worse: Vernam is a Blizzard employee and he motivated us to crack this shit?
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: uRstupid on July 19, 2010, 04:15:49 PM
and others had ENOUGH with YOU all smart Asses! :ticked: :ticked: :ticked:

trying to lower the only one still helping us play the game and stay active while you, the geniuses, are too busy to help and provide support!

Doix is a moron thinking he can judge people from an msn half a year ago, and Blackcode is also very arrogant and rushes to results when he forgets that Vernam, even he admitted, came a little late in this Beta crack "game" to help out. He found faults in your exploits, Blackcode, and he even went further by providing more info on the location system and decals etc. by updating your posts, but always with character and respect to others; he never attacked or called anyone names for making mistakes. He is always gentle, and just because he got so much attention and support globally, and not you, over the last months (not now), you are trying now (based on his word that cracking the installer is possible) to put down his entire character, knowledge and past months' work!
If what he does is so damn easy to you, why the hell was he asked to join the sc team and help them out to spread the sc ai with his launcher? Why the hell didn't you do it better than him yourselves? You know why?! BECAUSE YOU CAN'T! (From laziness or lack of knowledge, doesn't matter, you can't.)

SO for God's name Please ZIP IT!

Because he was in the center of the galaxy and not you?! He made a project, as he said, for himself and then learned more about the beta and improved it, and now all of a sudden YOU few morons know him and are calling him a scam and a low programmer? ???

You are all so full of shit trying to prove he is everywhere wrong and mistaken (when whatever tips he found and provided were true!), BUT on the other hand, if you see a screenshot you are ALL willing to believe it is possible and he is again a good programmer? ??? ??

Isn't this something a hardcore super wow programmer like (as you claim) yourself will so easily accept with a simple screenshot? Suddenly encryption can be cracked and workarounds are possible?

And it's not only about Vernam! Forget the poor guy. There are a few other individuals like darkReign that are trying to see what's going on and you are shitting in their faces as well!

You don't believe someone? Cool, say it nice!
"like I have serious doubt this is possible because this and that"
not like
"I know him through msn and irc, he is low level, I am better and I need your approval."


Do you know the Asian sites are laughing at us for fighting among each other? Do you?

Smart or not, being rude and rushing to assumptions characterizes you as WEAK and real-life failures!

goodbye "gentlemen" and be careful on the way out the Exit door,could be proven small for your Egos!
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Blackcode on July 19, 2010, 04:37:17 PM
Quote from: uRstupid on July 19, 2010, 04:15:49 PM
and others had ENOUGH with YOU all smart Asses! :ticked: :ticked: :ticked:

..........................................

goodbye "gentlemen" and be careful on the way out the Exit door,could be proven small for your Egos!

just look at this vernam motherfucker ... he creates new 0 posts users to support himself omfg... same long shitty no points letters.... dude get a fucking life.. ur useless as ur programing skills are....

Summary - uRstupid
    Date Registered:   Today at 03:42:42 PM  Last Active:   Today at 04:16:56 PM
Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: uRstupid on July 19, 2010, 04:45:44 PM
Quote from: Blackcode on July 19, 2010, 04:37:17 PM
Quote from: uRstupid on July 19, 2010, 04:15:49 PM
and others had ENOUGH with YOU all smart Asses! :ticked: :ticked: :ticked:

..........................................

goodbye "gentlemen" and be careful on the way out the Exit door,could be proven small for your Egos!

just look at this vernam motherfucker ... he creates new 0 posts users to support himself omfg... same long shitty no points letters.... dude get a fucking life.. ur useless as ur programing skills are....

Summary - uRstupid
    Date Registered:   Today at 03:42:42 PM  Last Active:   Today at 04:16:56 PM




Hey monkey, some of your supporters here also have 1 post as well! :P
It doesn't mean we are doing what you ARE! Making new users just for trolling like you!
If it's posts that count, then your 121 and Doix's 5 compared to V's 300+ here and 1500+ nibbits means you are the useless one! lmao

based on your theory always! LOL

I came from another site to say my own thoughts whether you like it or not!
And I am done with that; I am not gonna start a chat with you or your "friends". You are not my type!


Title: Re: Blizzard is allowing the full client to be downloaded before release!
Post by: Myst on July 19, 2010, 05:03:40 PM
Locked. 
For organizational purposes and less chances of a long messy/flamey thread, please post all SC2 research discussion in the proper places.
-  http://darkblizz.org/Forum2/starcraft-ii-beta/ (http://darkblizz.org/Forum2/starcraft-ii-beta/)  -


thx-a-bunch

~Myst