Messages - brew

#1
The Playhouse / Re: Proxier v1.0
January 30, 2011, 11:42:26 PM
Quote from: Heinermann on September 21, 2010, 09:57:02 PM
Can we only use a single IP address?

Hmm.. I can't seem to get it to work for Starcraft and battle.snp.

EDIT: it was the loader that failed to work
Also note that it won't work unless ordinals are specified, not names.
Also, even when I do get the hooks working, Battle.net still connects directly.

Basically, it's impossible for this program to work.

I still can't get it to fail for me by using the names. I have no clue.  ┐('~`;)┌
The loader is fine. That code is bulletproof.
I fixed the big problem in the proxier dll, thank you so much for pointing that out. I finally got around to fixing it now that Myst reminded me about this thing :). I updated the links.
As always, this program is released under no warranty, it hasn't been tested at all, I'll be happy to fix any bugs, blah blah blah blah.
#2
Suggestions / Re: mandate.cpp
January 30, 2011, 07:52:08 PM
........what?
You must be confused. This is not how open source works, if that's what you're trying to get at with this thread. You don't just post a source file with absolutely nothing else and then expect people to code away for you, and then when they don't, post a "well, c'mon people, i'm waiting... code away..." That's what's wrong here, and it blows my mind that you can't see this yourself.
#4
General Discussion / Re: Blizzard suing Hackers
October 17, 2010, 09:29:38 PM
More than likely the case will just be thrown out before anything actually happens and life will go on.
#5
Starcraft / The Lost Packets
August 06, 2010, 07:52:23 PM
I know of 5 completely undocumented (that is, not widely known and not on BnetDocs) packets that I'd like to share with everyone. It wasn't until recently that I had aggregated enough information about their structure, function, and usage. While it is true that none of these have been seen, nevertheless they provide some historical background of Battle.net, may be interesting to a few people, and undoubtedly deserve documented status.
I found these a while ago while researching Warden, but didn't really think much of them. Hdx recently made a thread about them on Valhalla Legends, and I believe iago posted about them at one point, too. Neither is anywhere near a complete description, nor of documentation quality, however.
Without further ado:

---------------------------------------------------------------------

0x17 - SID_READMEMORY

Structure:

(S -> C)
    (DWORD) Request ID
    (DWORD) Address
    (DWORD) Length

(C -> S)
    (DWORD) Request ID
    (VOID) Memory


Purpose:
Rudimentary hack detection system. Was never used, probably due to a terrible implementation with little security. Yes, it is possible for a PvPGN server to read _EVERYTHING_ that is in the process' memory, including sensitive information such as your CDKey.

Found at:
battle!1901D470h (as of 1.16.1)

---------------------------------------------------------------------

0x20 SID_ANNOUNCEMENT

Structure:

(S -> C)
    (STRING) Text


Purpose:
Very simply prints out text with the string at 1903B9FBh (the default string, used anyway if the username field is NULL in the chat event struct -- currently a single 0x7F char) as the username. Used to send announcements and arbitrary messages to the user, but this was soon superseded by SID_CHAT subcommands such as EID_INFO, EID_ERROR, and EID_BROADCAST. Printed out with the same color and style as an EID_BROADCAST.

Found at:
battle!1901DDA0h (as of 1.16.1)

---------------------------------------------------------------------

0x23 SID_WRITECOOKIE

Structure:

(S -> C)
    (DWORD) unknown/unparsed -- Flags, Request ID?
    (DWORD) unknown/unparsed -- Timestamp?
    (STRING) Registry key name
    (STRING) Registry key value



0x24 SID_READCOOKIE

(S -> C)
    (DWORD) Echoed back, Request ID?
    (DWORD) Echoed back, Timestamp?
    (STRING) Registry key name

(C -> S)
    (DWORD) First DWORD from S -> C
    (DWORD) Second DWORD from S -> C
    (STRING) Registry key name
    (STRING) Registry key value


Purposes:
Much like a website cookie, this simply stores some arbitrary string in a 'cookie jar' to save preferences et al., which can be retrieved later by the server. Not used because it was quickly discovered that storing preferences server-side, associated with the account, produces fewer problems and is faster. It is somewhat curious that these packet IDs are close to SID_PROFILE/SID_WRITEPROFILE (0x26 & 0x27).

Found at: battle!190216FBh and battle!1901D660h, respectively.

---------------------------------------------------------------------

0x43 SID_WARCRAFTSOMETHING

(S -> C)
    (DWORD) Unknown (0)


Purpose:
Unknown. I am unable to disassemble Warcraft 3's game.dll without a lot of trouble, and therefore I have limited knowledge of it. It has been seen once, after SID_LOGONPROOF (0x54) in the NLS logon sequence.

Found at: game.dll

---------------------------------------------------------------------


It would be nice if somebody updated BnetDocs with this information.
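As an added example (not code from the post, BnetDocs, or battle.snp), here is how a client could parse the SID_READMEMORY and SID_READCOOKIE layouts above and answer them, in C. It assumes the usual BNCS framing of 0xFF, packet id, little-endian WORD total length (header included), which the structures above leave implicit; the memory window, the cookie jar and the sample requests are constructed for the demo. The read-memory handler adds the check the post says the real client lacked: it only answers inside a fixed window, with the offset arithmetic arranged so that a large address or length cannot wrap around the check.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Standard BNCS framing (assumed, not spelled out in the post):
 * FF, packet id, little-endian WORD total length, header included. */
#define BNCS_HDR        4
#define SID_READMEMORY  0x17
#define SID_READCOOKIE  0x24

static void put_u16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put_u32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static uint32_t get_u32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Wrap a payload; returns bytes written, 0 if it does not fit. */
size_t bncs_frame(uint8_t *out, size_t cap, uint8_t id, const uint8_t *payload, size_t len) {
    size_t total = len + BNCS_HDR;
    if (total > cap || total > 0xFFFF) return 0;
    out[0] = 0xFF; out[1] = id; put_u16(out + 2, (uint16_t)total);
    if (len) memcpy(out + BNCS_HDR, payload, len);
    return total;
}

/* Check a frame against the bytes actually available; returns payload length or -1. */
int bncs_parse(const uint8_t *buf, size_t avail, uint8_t *id, const uint8_t **payload) {
    if (avail < BNCS_HDR || buf[0] != 0xFF) return -1;
    size_t total = buf[2] | (size_t)buf[3] << 8;
    if (total < BNCS_HDR || total > avail) return -1;
    *id = buf[1]; *payload = buf + BNCS_HDR;
    return (int)(total - BNCS_HDR);
}

/* Server side: SID_READMEMORY (Request ID, Address, Length). */
size_t build_readmemory(uint8_t *out, size_t cap, uint32_t req, uint32_t addr, uint32_t len) {
    uint8_t p[12];
    put_u32(p, req); put_u32(p + 4, addr); put_u32(p + 8, len);
    return bncs_frame(out, cap, SID_READMEMORY, p, sizeof p);
}

/* Client side. mem[0..mem_len) stands in for the process image mapped at
 * mem_base (constructed sample). The post says the real client serves any
 * address; this one only answers inside that window and rejects short,
 * zero-length or oversized requests. Returns reply length, 0 if refused. */
size_t handle_readmemory(const uint8_t *pkt, size_t avail, const uint8_t *mem,
                         uint32_t mem_base, uint32_t mem_len, uint8_t *out, size_t cap) {
    uint8_t id; const uint8_t *pl;
    if (bncs_parse(pkt, avail, &id, &pl) != 12 || id != SID_READMEMORY) return 0;
    uint32_t req = get_u32(pl), addr = get_u32(pl + 4), len = get_u32(pl + 8);
    if (len == 0 || len > 0xFFFFu - BNCS_HDR - 4) return 0;
    /* overflow-safe: compute the offset first, then compare len against what is left */
    if (addr < mem_base || addr - mem_base > mem_len || len > mem_len - (addr - mem_base)) return 0;
    size_t total = BNCS_HDR + 4 + len;
    if (total > cap) return 0;
    out[0] = 0xFF; out[1] = SID_READMEMORY; put_u16(out + 2, (uint16_t)total);
    put_u32(out + 4, req);
    memcpy(out + 8, mem + (addr - mem_base), len);
    return total;
}

struct cookie { const char *name, *value; };

/* Client side: SID_READCOOKIE echoes the two DWORDs and the name, then the
 * value from the jar ("" when unknown). The name must be NUL-terminated inside
 * the payload, or the packet is dropped. Returns reply length, 0 if refused. */
size_t handle_readcookie(const uint8_t *pkt, size_t avail, const struct cookie *jar,
                         size_t njar, uint8_t *out, size_t cap) {
    uint8_t id; const uint8_t *pl;
    int n = bncs_parse(pkt, avail, &id, &pl);
    if (n < 9 || id != SID_READCOOKIE) return 0;
    const uint8_t *name = pl + 8;
    const uint8_t *nul = memchr(name, 0, (size_t)n - 8);
    if (!nul) return 0;
    const char *value = "";
    for (size_t i = 0; i < njar; i++)
        if (strcmp(jar[i].name, (const char *)name) == 0) value = jar[i].value;
    size_t nl = (size_t)(nul - name) + 1, vl = strlen(value) + 1;
    size_t total = BNCS_HDR + 8 + nl + vl;
    if (total > cap || total > 0xFFFF) return 0;
    out[0] = 0xFF; out[1] = SID_READCOOKIE; put_u16(out + 2, (uint16_t)total);
    memcpy(out + 4, pl, 8); memcpy(out + 12, name, nl); memcpy(out + 12 + nl, value, vl);
    return total;
}

int main(void) {
    uint8_t mem[32], req[32], rep[64];
    for (int i = 0; i < 32; i++) mem[i] = (uint8_t)i;          /* constructed "process memory" */
    size_t rl = build_readmemory(req, sizeof req, 7, 0x19000010u, 8);
    printf("in-window read: %zu-byte reply\n",
           handle_readmemory(req, rl, mem, 0x19000000u, sizeof mem, rep, sizeof rep));
    rl = build_readmemory(req, sizeof req, 8, 0x19000018u, 16);
    printf("past the window: %zu (refused)\n",
           handle_readmemory(req, rl, mem, 0x19000000u, sizeof mem, rep, sizeof rep));
    return 0;
}
```

The window check is the whole difference between "the server can read the CD key out of the process" and a bounded diagnostic: a client that trusts Address and Length as sent will copy whatever the server asks for.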
#6
Starcraft / The truth behind SID_PING
August 06, 2010, 02:52:06 AM
SID_PING, better known as "the 0x25 packet", does more than just a ping.

Pings are sent in 20-second intervals, provided the initial ping packet was responded to correctly (not spoofed to be -1 or 0) AND SID_NULL packets are sent on a regular interval.
If the regular interval of null packets is broken, battle.net detects it as a connection that's "almost lost", and sends a ping packet once every 5 seconds until they have been responded to and the interval of null packets is reestablished.
In order to get an accurate ping, both the client and server temporarily disable the Nagle algorithm since a packet could be held up as long as 5 seconds with a rather idle connection (do note that the constant value of 1 is in fact TCP_NODELAY with level == IPPROTO_TCP, whereas 1 is SO_DEBUG with the level SOL_SOCKET):

.text:1901D4F0 Send0x25        proc near               ; CODE XREF: ServerThreadProc+2F8p
.text:1901D4F0
.text:1901D4F0 optval          = byte ptr -4
.text:1901D4F0
.text:1901D4F0                 push    ebp
.text:1901D4F1                 mov     ebp, esp
.text:1901D4F3                 push    ecx
.text:1901D4F4                 test    edi, edi
.text:1901D4F6                 jz      short loc_1901D53B
.text:1901D4F8                 mov     ecx, sck
.text:1901D4FE                 push    esi
.text:1901D4FF                 mov     esi, ds:setsockopt
.text:1901D505                 push    4               ; optlen
.text:1901D507                 lea     eax, [ebp+optval]
.text:1901D50A                 push    eax             ; optval
.text:1901D50B                 push    1               ; optname == TCP_NODELAY
.text:1901D50D                 push    6               ; level == IPPROTO_TCP
.text:1901D50F                 push    ecx             ; s
.text:1901D510                 mov     dword ptr [ebp+optval], 1
.text:1901D517                 call    esi ; setsockopt
.text:1901D519                 push    edi
.text:1901D51A                 push    25h
.text:1901D51C                 call    SendPacket
.text:1901D521                 mov     eax, sck
.text:1901D526                 push    4               ; optlen
.text:1901D528                 lea     edx, [ebp+optval]
.text:1901D52B                 push    edx             ; optval
.text:1901D52C                 push    1               ; optname
.text:1901D52E                 push    6               ; level
.text:1901D530                 push    eax             ; s
.text:1901D531                 mov     dword ptr [ebp+optval], 0
.text:1901D538                 call    esi ; setsockopt
.text:1901D53A                 pop     esi
.text:1901D53B
.text:1901D53B loc_1901D53B:                           ; CODE XREF: Send0x25+6j
.text:1901D53B                 mov     esp, ebp
.text:1901D53D                 pop     ebp
.text:1901D53E                 retn
.text:1901D53E Send0x25        endp


This creates the 'other' purpose I was talking about before, to synchronize the buffer used by recv in ServerThreadProc:


          case 0x21:
            Send0x25(packetid_minus_4, pktdata, pktlen - 4);
            pkg_align_variance = *(_DWORD *)lpTmp;
            ws_buf = ws_buf_base;
            break;

Code like this suggests that battle.snp knows the server's send buffer is flushed after an 0x25 send. SID_PING is not the only packet to have this buffer reset, though. Others are 0x28 SID_LOGONCHALLENGE, and 0x68 SID_FRIENDSREMOVE.
This means that you are guaranteed to never have a packet clumped after an 0x25, 0x28, or 0x68. Cool stuff.

Muchos kudos to Hdx, he pointed out the massive screwup I made earlier of thinking that 1 was SO_DEBUG here. Things make a lot more sense now.
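The setsockopt bracketing in Send0x25, written out as an added C example rather than battle.snp's own code. On POSIX the constants match the disassembly (IPPROTO_TCP is 6 and TCP_NODELAY is 1, and SO_DEBUG is also 1 at SOL_SOCKET, which is the mix-up the post mentions). Unlike Send0x25, which writes 0 back unconditionally, this version reads the previous setting and restores it, so a caller that already had Nagle off does not get it silently re-enabled. The loopback socket pair and the SID_PING frame are constructed for the demo.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <sys/socket.h>

/* Send one buffer with Nagle disabled for just that send, then put the
 * socket's TCP_NODELAY back the way it was. Returns bytes sent or -1. */
ssize_t send_nodelay(int s, const void *buf, size_t len) {
    int prev = 0, on = 1;
    socklen_t optlen = sizeof prev;
    if (getsockopt(s, IPPROTO_TCP, TCP_NODELAY, &prev, &optlen) < 0)
        return -1;
    /* level 6 / optname 1 in the disassembly: IPPROTO_TCP / TCP_NODELAY,
     * not SOL_SOCKET / SO_DEBUG (which happens to be 1 as well) */
    if (setsockopt(s, IPPROTO_TCP, TCP_NODELAY, &on, sizeof on) < 0)
        return -1;
    ssize_t n = send(s, buf, len, 0);
    int saved = errno;
    setsockopt(s, IPPROTO_TCP, TCP_NODELAY, &prev, sizeof prev);
    errno = saved;
    return n;
}

/* Current TCP_NODELAY state of a socket as 0/1, -1 on error. */
int nodelay_state(int s) {
    int v = 0;
    socklen_t l = sizeof v;
    return getsockopt(s, IPPROTO_TCP, TCP_NODELAY, &v, &l) < 0 ? -1 : (v != 0);
}

/* Connected loopback TCP pair so the function can be exercised offline;
 * fds[0] plays the client, fds[1] the server. Returns 0 or -1. */
int make_tcp_pair(int fds[2]) {
    int lsn = socket(AF_INET, SOCK_STREAM, 0);
    if (lsn < 0) return -1;
    struct sockaddr_in a = {0};
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);      /* port 0: let the kernel pick */
    socklen_t al = sizeof a;
    if (bind(lsn, (struct sockaddr *)&a, sizeof a) < 0 || listen(lsn, 1) < 0 ||
        getsockname(lsn, (struct sockaddr *)&a, &al) < 0) { close(lsn); return -1; }
    int c = socket(AF_INET, SOCK_STREAM, 0);
    if (c < 0 || connect(c, (struct sockaddr *)&a, sizeof a) < 0) {
        close(lsn); if (c >= 0) close(c); return -1;
    }
    int sv = accept(lsn, NULL, NULL);
    close(lsn);
    if (sv < 0) { close(c); return -1; }
    fds[0] = c; fds[1] = sv;
    return 0;
}

/* Round trip: send a frame with Nagle off, read it on the peer, and confirm
 * the option was restored. Returns bytes received, -1 on any failure. */
ssize_t roundtrip_demo(void) {
    int fds[2];
    if (make_tcp_pair(fds) < 0) return -1;
    /* constructed sample: SID_PING echo, FF 25 len=8 plus the 4-byte cookie */
    const unsigned char frame[] = {0xFF, 0x25, 0x08, 0x00, 0x78, 0x56, 0x34, 0x12};
    unsigned char rx[sizeof frame] = {0};
    ssize_t sent = send_nodelay(fds[0], frame, sizeof frame);
    ssize_t got = sent == (ssize_t)sizeof frame ? recv(fds[1], rx, sizeof rx, MSG_WAITALL) : -1;
    int restored = nodelay_state(fds[0]) == 0;      /* pair starts with Nagle on */
    close(fds[0]); close(fds[1]);
    if (got != (ssize_t)sizeof frame || memcmp(rx, frame, sizeof frame) != 0 || !restored)
        return -1;
    return got;
}

int main(void) {
    ssize_t n = roundtrip_demo();
    printf("roundtrip: %zd bytes, TCP_NODELAY restored\n", n);
    return n < 0;
}
```

Restoring the previous value rather than forcing 0 matters for the reason the post gives: the reset is there to get one packet out unbuffered, not to change the socket's steady-state behaviour.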
#7
Starcraft / The *real* way to determine latency tiers
August 06, 2010, 02:00:10 AM
A lot of people wonder how exactly the 'lag bars' in Starcraft are determined - there are arguments of the precise range, in particular (i.e., is it 300-400, or is it 300-399, is it 299-399, etc). As a result, people would typically code a function to get the lag bar icon like this:

#include <stdint.h>
/* Icon ids are not defined in the post; assumed here so the snippet compiles. */
enum { ICON_LAG_PLUG, ICON_LAG_NEG1, ICON_LAG_0, ICON_LAG_1G, ICON_LAG_2G, ICON_LAG_3Y, ICON_LAG_4Y, ICON_LAG_5R, ICON_LAG_6R };
/* The usual guess: fixed thresholds at multiples of 100. */
int GetPingIcon(uint32_t ping, uint32_t flags) {
    if (flags & 0x10)
        return ICON_LAG_PLUG;
    else if (ping == 0xFFFFFFFF)
        return ICON_LAG_NEG1;
    else if (ping == 0)
        return ICON_LAG_0;
    else if (ping <= 200)
        return ICON_LAG_1G;
    else if (ping <= 300)
        return ICON_LAG_2G;
    else if (ping <= 400)
        return ICON_LAG_3Y;
    else if (ping <= 500)
        return ICON_LAG_4Y;
    else if (ping <= 600)
        return ICON_LAG_5R;
    else
        return ICON_LAG_6R;
}


At the behest of Myst, I dug this up from Starcraft's battle.snp:


...
    v4 = GetDlgItem(dword_19045640, 1003);
    lpResult = sub_1902E200(v3, v5, *(_DWORD *)v2);
    if ( lpResult == -1 ) {
      v6 = *(_DWORD *)v2;
      if ( sub_1902E0B0(v3, *(_DWORD *)v2) )
        *(_DWORD *)(v2 + 8) |= 0x20u;
      ping = *(_DWORD *)(v2 + 12);
      if ( ping >= 10 ) {
        pingstep = ping / 100;
        if ( ping / 100 < 6 ) {
          if ( !pingstep )
            pingstep = 1;
        } else {
          pingstep = 6;
        }
      } else {
        pingstep = 0;
      }
      sprintf(&lParam, "%s\t%d %d\t%s", v6, *(_DWORD *)(v2 + 8), pingstep, *(_DWORD *)(v2 + 4));
      SendMessageA(v4, ((*(_DWORD *)(v2 + 8) & 0xF) != 0) + 384, 0, (LPARAM)&lParam);
...

(1.16.1, battle!19030420)

So as you can see, Starcraft doesn't assign any icon to latencies that are below 10, and for anything else, takes the quotient of the ping value after integer division by 100.

Knowing this, a better and more correct way to code the same GetPingIcon function above would be like so (this is, of course, assuming that the ping icons are consecutive in nature):

#include <stdint.h>
/* Icon ids are not defined in the post; assumed consecutive, as the post requires. */
enum { ICON_LAG_PLUG, ICON_LAG_NEG1, ICON_LAG_0, ICON_LAG_1G, ICON_LAG_2G, ICON_LAG_3Y, ICON_LAG_4Y, ICON_LAG_5R, ICON_LAG_6R };
int GetPingIcon(uint32_t ping, uint32_t flags) {
    if (flags & 0x10)
        return ICON_LAG_PLUG;
    if (ping < 10)
        return ICON_LAG_0;
    uint32_t step = ping / 100;   /* the decompiled code clamps this to 1..6: 10-199 -> 1, 600+ -> 6 */
    if (step == 0) step = 1;
    if (step > 6) step = 6;
    return ICON_LAG_0 + step;     /* ICON_LAG_1G..ICON_LAG_6R follow ICON_LAG_0 */
}


That is all.
#8
Support / Re: MSWINSCK.OCX is missing
July 23, 2010, 11:47:01 AM
Quote from: zdzichi on July 23, 2010, 06:46:35 AM
when i start bot i see information : Component 'MSWINSCK.OCX' or one of its dependencies not correctly registered: a file is missing or invalid. What can i do?
Perhaps you could register the component MSWINSCK.OCX or one of its dependencies. That would be a start.
#9
1). 2000
2). Ophelia
3). Diablo
4). Zerg terran protoss
5). Zealot
6). Operating CWAL
7). Ghost
8). T for Teen
9). Vivendi Corporation
10). Brood
#10
Fun Forum / Re: StarCraft II Beta Key Break Up
April 12, 2010, 12:20:06 PM
she's hot
#11
Starcraft II Beta / Re: Emulate Battle.net
March 16, 2010, 08:39:29 AM
not that hard, the same type of verification has been done before. i don't see how this is the stumbling point of anyone, since it's not obfuscated at all.
also, what you send for the 0x02 password module response is the key you both use to decrypt/encrypt packets, FYI.
#12
Site News / Re: MightySeed
February 05, 2010, 11:56:36 PM
Way to totally miss why I was singling out Windows...
You asked me to justify my reasoning that Windows is not robust - there we go.

Whereas you answered my question with another question, I gave you a bunch of really solid answers. I don't think this should be called an "anti-Windows campaign", but rather "proper rhetoric". You proved unable to articulate your reasoning, therefore you lose.
Good day sir.
#13
Site News / Re: MightySeed
February 05, 2010, 11:04:29 PM
Quote from: Fapiko on February 05, 2010, 08:51:34 PM
You make Windows 7 sound like it's not robust.  Can you justify this?  I leave my Windows 7 desktop running for 30+ days at a time, usually with 20 or more applications open.  Seems pretty robust to me.
Well.... here we go again, I guess.

'30+ days at a time with 20 or more applications open' (which really isn't too amazing in today's de facto standard protected mode computing environment) has hardly anything to do with robustness. I think you believe the definition of 'robust' is almost exactly that of 'stability'; this is not so:
Quote from: http://en.wikipedia.org/wiki/Robust
Robustness is the quality of being able to withstand stresses, pressures, or changes in procedure or circumstance. A system, organism or design may be said to be "robust" if it is capable of coping well with variations (sometimes unpredictable variations) in its operating environment with minimal damage, alteration or loss of functionality.
With that in mind, I'll list some reasons off the top of my head. Also, do remember I'm listing things specific to Windows Server (not 7).

Portability
Windows:
x86/x64, ia64

Everything else:
All popular modern architectures (x86, ia64, mips, arm, sparc, alpha, pc98...)

------------------------------------------------------------------------------------

File systems

Windows Server 2008 R2:
FAT12/16/32
exFAT
NTFS

Pretty much every other operating system out there that isn't in the Windows family:
FAT12/16/32
NTFS
ext2/3/4
UFS
HFS+
ReiserFS
btrfs
XFS
JFS
ZFS

------------------------------------------------------------------------------------

Updates and patches

New for Windows Server 2008:
Improved hot patching, a feature that allows non-kernel patches to occur without the need for a reboot.

Technology the rest of the world had for a while:
Typically don't need to reboot for changes to take effect unless the kernel had been patched/recompiled

------------------------------------------------------------------------------------

Backups

Windows Server 2008:
NT Backup is replaced by Windows Server Backup, and no longer supports backing up to tape drives
-- Wait, what? Are tape drives really that old? I could've sworn I saw an ad for them in last month's issue of PC World... um...

Unix-like OSes:
dump/restore
tar
cpio
pax

------------------------------------------------------------------------------------

Dynamic Hardware Partitioning
Windows:
New for 2008

Others:
I can't say with any level of certainty that everything else supports this, but I know Solaris does, and I have seen FreeBSD gulp up the addition of another ram module with no problem on a Dell PowerEdge.


------------------------------------------------------------------------------------

Misc.

Andrew Mason, a program manager on the Windows Server team, noted that a primary motivation for producing a Server Core variant of Windows Server 2008 was to reduce the attack surface of the operating system, and that about 70% of the security vulnerabilities in Microsoft Windows from the prior five years would not have affected Server Core.

Oh wait...
#14
Site News / Re: MightySeed
February 05, 2010, 06:43:22 PM
Quote from: Fapiko on February 04, 2010, 11:20:19 PM
Actually, it's loosely based on Windows 7 with much more than a "cupple of server management tools" different from a desktop operating system.
Both you and your website specified Windows Server 2008. This is indeed based on Vista, in the sense that it shares the same exact kernel and other core binaries. Windows Server 2008 R2, however, uses Windows 7 as its base.
By what you say, you make Windows Server editions seem oh-so-much-more robust than their desktop counterparts - can you justify this?
#15
Rogue of Diablo / Re: Report Bugs
February 03, 2010, 02:40:37 PM
Quote from: Myst on December 12, 2009, 12:52:28 PM
Also, if you want the right appearance of the bot, put the font files which are located in the bots folder into your Font folder: C:\WINDOWS\Fonts
AddFontResource()