About bnet 2 login return LOGIN_BAD_SERVER_PROOF

chivalry · July 16, 2011, 09:03:40 AM

i dump then login packets when paly wow game logon to battle.net server.

then set hosts file battle.net to 127.0.0.1 ,and run my emulator server.

start wow.exe with my battle.net account email and login.

my emulator server response the same packets with battle.net server.

but the wow client show LOGIN_BAD_SERVER_PROOF .

i suspect the packet has some verify.

when wow client login to battle.net server , it send

Code Select

Frist packet client to server for login 

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00000000   40 00 0A ED EA 07 0A ED  2D 7E 4D 08 69 1E 00 2B   @  黻  ?~M i  +
00000010   B7 AB 01 2B B4 B7 00 00  1B D5 00 2B B7 AB 63 30   帆 +捶   ?+帆c0
00000020   B9 B2 01 00 1B D5 00 2B  B7 AB 7B 34 21 A7 00 00   共   ?+帆{4!? 
00000030   1B D5 00 2B B7 AB 65 B7  21 A7 00 00 1B D5 54 37    ?+帆e??  誘7
00000040   B7 B6 00 2B B4 B7 00 00  04 E8 43 37 32 BA 00 2B   范 +捶   鐲72?+
00000050   B4 B7 00 00 30 8C 06 00  31 32 33 40 31 32 33 2E   捶  0? 123@123.
00000060   63 6F 6D                                           com

Quote
0x40=0 1 0 0 0 0 0 0
0x00=0 0 0 0 0 0 0 0
0x0A=0 0 0 0 1 0 1 0
0xED=1 1 1 0 1 1 0 1
0xEA=1 1 1 0 1 0 1 0
0x07=0 0 0 0 0 1 1 1
0x0A=0 0 0 0 1 0 1 0
0xED=1 1 1 0 1 1 0 1
0x2D=0 0 1 0 1 1 0 1
0x7E=0 1 1 1 1 1 1 0
0x4D=0 1 0 0 1 1 0 1
0x08=0 0 0 0 1 0 0 0
0x69=0 1 1 0 1 0 0 1
0x1E=0 0 0 1 1 1 1 0
0x00=0 0 0 0 0 0 0 0
0x2B=0 0 1 0 1 0 1 1
0xB7=1 0 1 1 0 1 1 1
0xAB=1 0 1 0 1 0 1 1
0x01=0 0 0 0 0 0 0 1
0x2B=0 0 1 0 1 0 1 1
0xB4=1 0 1 1 0 1 0 0
0xB7=1 0 1 1 0 1 1 1
0x00=0 0 0 0 0 0 0 0
0x00=0 0 0 0 0 0 0 0
0x1B=0 0 0 1 1 0 1 1
0xD5=1 1 0 1 0 1 0 1
0x00=0 0 0 0 0 0 0 0
......here omitted thousands of words......
0x06=0 0 0 0 0 1 1 0
0x00=0 0 0 0 0 0 0 0

-------------------------------------packet header------------------------------------------------
packetId = 0 0 0 0 0 0 = 0
bhaschannelid = 1 = 1 = TRUE
channelId = 0 0 0 0 = 0
-------------------------------------packet context------------------------------------------------
Program= 0 0 0 0 0 0 0 0 | 0 1 0 1 0 1 1 1 | 0 1 1 0 1 1 1 1 | 0 1 0 1 0 1 1 1 = 00 57 6F 57 = WoW
Platform= 0 0 0 0 0 0 0 0 | 0 1 0 1 0 1 1 1 | 0 1 1 0 1 0 0 1 | 0 1 1 0 1 1 1 0 = 00 57 69 6E = Win
Locale= 0 1 1 1 1 0 1 0 | 0 1 1 0 1 0 0 0 | 0 1 0 0 0 0 1 1 | 0 1 0 0 1 1 1 0 = 7A 68 43 4E = zhCN
Componentnum = 0 0 0 1 1 0 = 6
Component1.Program = 0 0 0 0 0 0 0 0 | 0 1 0 1 0 1 1 1 | 0 1 1 0 1 1 1 1 | 0 1 0 1 0 1 1 1 = 00 57 6F 57 = WoW
Component1.Platform = 0 0 0 0 0 0 0 0 | 0 1 0 1 0 1 1 1 | 0 1 1 0 1 0 0 1 | 0 1 1 0 1 1 1 0 = 00 57 69 6E = Win
Component1.Build = 0 0 0 0 0 0 0 0 | 0 0 0 0 0 0 0 0 | 0 0 1 1 0 1 1 1 | 1 0 1 0 1 0 1 0 = 00 00 37 AA = 14250
.................................here omitted thousands of words.........................................
bhasaccount = 1 = 1 = TRUE
accountlen = 0 0 0 0 0 1 0 0 0 = 8 //real accountlen need add 3 to this , it's 11
//align by byte for read account
account = 31 32 33 40 31 32 33 2E 63 6F 6D = 123@123.com

then the battle.net server or my emulator server response packet

Code Select


Frist packet server to client for login

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00000000   42 10 61 75 74 68 00 00  43 4E 8F 52 90 6A 2C 85   B auth  CN R j,?
00000010   B4 16 A5 95 70 22 51 57  0F 96 D3 52 2F 39 23 76   ?p"QW 栍R/9#v
00000020   03 11 5F 2F 1A B2 49 62  04 3C 50 01 00 93 A4 B1     _/ 睮b <P  摛?
00000030   F4 DA 37 11 F8 AC 6A DB  0B 7D 44 E4 F6 8E C8 95   糈7 j?}D漩幦?
00000040   03 3E 4E F6 75 9E 25 07  21 96 6A F6 B4 50 9E 14    >N鰑? !杍龃P?
00000050   5D 12 74 65 A9 BA 72 2C  8A 60 A9 97 13 AF EC 77   ] te┖r,奰 w
00000060   1B 62 38 B4 E5 81 AB 4E  A2 E2 03 76 92 17 4A F0    b8村 玁⑩ v?J?
00000070   E1 DA 40 FF 26 01 90 AB  F7 D1 78 24 89 89 E8 76   嶷@&  褁$墘鑦
00000080   31 82 12 8D CA 28 6D FE  46 80 8C 3D 46 99 A0 7D   1? ?m﨔€?F櫊}
00000090   3A 3C D6 04 D7 3A 2C 03  8A 37 39 72 B0 FD ED 2C   :<??, ?9r褒?
000000A0   DF 3C 0E 71 69 96 26 85  37 AA E7 9F 42 B4 B2 7C   ? qi??烞床|
000000B0   AD D9 DC 60 60 56 32 E1  AE D2 CD DD 00 DA 4C 70   躟`V2岙彝?贚p
000000C0   33 49 91 CC F0 C8 75 06  88 A8 71 EB EF 12 18 C0   3I懱鹑u 埁q腼  ?
000000D0   14 E7 F1 AB F2 B9 48 53  38 4D 8A 7C C1 7D C1 AD    珩笻S8M妡羮镰
000000E0   5E 32 43 67 26 B9 6D C7  BF 89 3F 79 77 09 9C 2B   ^2Cg&筸强?yw ?
000000F0   AA F0 13 0D DB 09 70 E8  DA 84 D0 64 7E 9B BF 27     ?p柃勑d~浛'
00000100   E0 BF 15 90 77 95 7B 77  79 3B 0F D3 A6 EB 9E 28   嗫  w晎wy; 应霝(
00000110   9C 8D 00 1D CA 59 C8 D6  A8 DD E6 76 D1 33 61 C3   ?  蔣戎ㄝ鎣?a?
00000120   92 9D 47 7C CF 28 A4 BE  BC 7F 03 FD 82 CB D0 79   ?G|?ぞ? 齻诵y
00000130   C8 72 02 27 45 01 76 68  D2 2B 36 BF 6F 89 69 25   萺 'E vh?6縪塱%
00000140   B0 53 1B A5 5D 1C F2 1A  73 4A 58 54 78 37 9E E5   癝  ?sJXTx7炲
00000150   06 74 C5 8D 8B 8A F4 EB  D3 9C B4 FF E5 0D B0 3E    t?媻綦訙???
00000160   14 7D 3B 53 00 D4 05 55  2A 85 19 6F 89 61 75 74    };S ?U*?o塧ut
00000170   68 00 00 43 4E 36 B2 7C  D9 11 B3 3C 61 73 0A 8B   h  CN6瞸??as ?
00000180   82 C8 B2 49 5F D1 6E 80  24 FC 3B 2D DE 08 86 1C   側睮_裯€$?-??
00000190   77 A8 52 94 1C 80 00 D4  56 AD F4 59 A4 11 D8 72   w≧?€ 訴Y?豶
000001A0   6B 69 95 E2 20 13 9E 7D  9A F4 58 C6 F6 66 A7 F9   ki曗  瀩汈X砌f
000001B0   DF 0D AF 9F B1 1C CA 4D  3A 7A 3D 45 D6 5E C2 1E   ?療?蔒:z=E謂?
000001C0   65 B0 60 D7 4C 8A 02 F7  00 FF 2D 1F EA B3 F8 43   e癭譒??- 瓿鳦
000001D0   8B 54 E8 D8 D3 A5 32 FF  CC 5F 3B 6F 32 06 89 A0   婽柝鹰2蘝;o2 墵
000001E0   73 21 3E D9 D9 D3 86 EE  4D CC 72 3C F7 FF DF 02   s!>儋訂頜蘲<??
000001F0   F4 E0 E8 34 EE 69 66 0B  82 91 85 C1 38 DE 39 F8   羿?頸f 倯吜8??
00000200   F8 46 8F A9 01 5B 09 7C  E1 A4 22 DE D7 95 35 91   鳩 ?[ |幛"拮??
00000210   5E 56 1B 50 9F 9F 2D 04  D5 B6 3C C9 17 3B E3 87   ^V P煙- 斩<?;銍
00000220   C1 33 97 C8 DE 2D 37 49  76 C4 48 40 8A 61 97 5F   ?椚?7Iv腍@奱梍
00000230   C1 FC 52 DD A5 99 A9 F6  10 64 69 BB B9 CB 35 DD   咙R荪櫓?di还??
00000240   94 00 2E 8F 3A E6 3B 42  24 40 A2 9C 5A D0 05 D1   ?. :?B$@Z??
00000250   4A 86 B8 15 09 3C EF 98  F7 5F 06 46 40 C0 6F 0D   J喐  <飿鱛 F@纎 
00000260   A7 78 FA 8A 33 00 C6 83  FF 6E 83 F2 29 0C 31 F0   鷬3 苾n凃) 1?
00000270   1D E4 93 20 06 65 C2 5A  FE 16 E0 A2 A4 27 80 4A    鋼  e耑?啖?€J
00000280   4C D6 FA 5B 56 4E 80 12  99 4B 70 68 1B 1C A1 36   L助[VN€ 橩ph  ?
00000290   7C A8 8D AE E4 E7 87 C4  23 FE 22 E7 11 03 13 EE   |?鐕???  ?
000002A0   42 1D 6D FD 08 36 0D EB  AD BE 5A D9 AC 31 94 12   B m?6 氕綵佻1?
000002B0   CB 63 2C 94 14 B3 D3 32  CD 84 10 7F A3 90 2F F1   薱,?秤2蛣  ?/?
000002C0   81 B1 94 9B 66 65 80 E2  7D 4D BF 6D 89 72 54 6F    睌沠e€鈣M縨塺To
000002D0   2A 6B 8C 4A 04 23 47 F1  A4 E3 3C 52 E8 DA 32 C2   *k孞 #G瘠?R柃2?
000002E0   C4 BE 56 3A 97 AD 1F 87  66 AE F2 93 5C ED 56 8B   木V:棴 噁揬鞻?
000002F0   DB 65 87 38 73 73 00 A4  8E 81 BA 4C EA 14 F2 1D   踖?ss  篖??
00000300   EF 73 2B A6 98 02 E5 0B  5C D7 2E 3A D0 9B 12 40   飐+ ?\?:袥 @
00000310   05 53 30 10 76 AF 4C 66  17 A8 B3 01 0C 6A 63 75    S0 v疞f ǔ  jcu
00000320   99 9C C3 10 DC E0 7F FB  42 ED 9C A3 38 74 22 7D   櫆?茑 鸅頊?t"}
00000330   BA D0 91 69 44 E5 12 65  C0 BF AC 50 79 5A B5 9A   盒慽D?e揽琍yZ禋
00000340   2D 01 34 9A 32 1A 0D 7E  44 9A E6 CB 7A E2 A3 78   - 4?  ~D氭藌猓x
00000350   03 6E EA FB A4 12 36 5B  B6 B8 02 25 3F CE 0F 1D    n犒?6[陡 %?? 
00000360   6D 9B 04 A5 94 08 58 19  87 0F A1 48 FB AF EE ED   m? X ?铐
00000370   4B 03 83 46 C4 10 F1 14  B1 62 11 C0 11 25 C6 0E   K 僃??眀 ?%?
00000380   E5 71 44 0F E8 7F 62 BC  38 E6 47 6B D3 3E 5E 5A   錻D ?b?鍳k?^Z
00000390   D6 E2 2B D9 65 2A 59                               肘+賓*Y

Quote
0x42=0 1 0 0 0 0 1 0
0x10=0 0 0 1 0 0 0 0
-------------------------------------packet header------------------------------------------------
packetId = 0 0 0 0 1 0 = 2
bhaschannelid = 1 = 1 = TRUE
channelId = 0 0 0 0 = 0
mouldcount = 0 1 0 = 2
//align by byte
------------------------------------mould 1 context-----------------------------------------------
FileType= 61 75 74 68 = auth
Locale= 00 00 43 4E = CN
MouldID = 8F 52 90 6A 2C 85 B4 16 A5 95 70 22 51 57 0F 96 D3 52 2F 39 23 76 03 11 5F 2F 1A B2 49 62 04 3C
0x50=0 1 0 1 0 0 0 0
0x01=0 0 0 0 0 0 0 0
MouldDataLen= 0 1 0 1 0 0 0 0 0 0 = <int>0x140 = 320
//align by byte
0x00 unk
AccountSalt = 93 A4 B1 F4 DA 37 11 F8 AC 6A DB 0B 7D 44 E4 F6 8E C8 95 03 3E 4E F6 75 9E 25 07 21 96 6A F6 B4
PasswordSalt = 50 9E 14 5D 12 74 65 A9 BA 72 2C 8A 60 A9 97 13 AF EC 77 1B 62 38 B4 E5 81 AB 4E A2 E2 03 76 92
ServerChallenge=17 4A F0 E1 DA 40 FF 26 01 90 AB F7 D1 78 24 89 89 E8 76 31 82 12 8D CA 28 6D FE 46 80 8C 3D 46
99 A0 7D 3A 3C D6 04 D7 3A 2C 03 8A 37 39 72 B0 FD ED 2C DF 3C 0E 71 69 96 26 85 37 AA E7 9F 42
B4 B2 7C AD D9 DC 60 60 56 32 E1 AE D2 CD DD 00 DA 4C 70 33 49 91 CC F0 C8 75 06 88 A8 71 EB EF
12 18 C0 14 E7 F1 AB F2 B9 48 53 38 4D 8A 7C C1 7D C1 AD 5E 32 43 67 26 B9 6D C7 BF 89 3F 79 77
09 9C 2B AA F0 13 0D DB 09 70 E8 DA 84 D0 64 7E 9B BF 27 E0 BF 15 90 77 95 7B 77 79 3B 0F D3 A6
EB 9E 28 9C 8D 00 1D CA 59 C8 D6 A8 DD E6 76 D1 33 61 C3 92 9D 47 7C CF 28 A4 BE BC 7F 03 FD 82
CB D0 79 C8 72 02 27 45 01 76 68 D2 2B 36 BF 6F 89 69 25 B0 53 1B A5 5D 1C F2 1A 73 4A 58 54 78
37 9E E5 06 74 C5 8D 8B 8A F4 EB D3 9C B4 FF E5 0D B0 3E 14 7D 3B 53 00 D4 05 55 2A 85 19 6F 89
------------------------------------mould 2 context-----------------------------------------------
FileType= 61 75 74 68 = auth
Locale= 00 00 43 4E = CN
MouldID = 36 B2 7C D9 11 B3 3C 61 73 0A 8B 82 C8 B2 49 5F D1 6E 80 24 FC 3B 2D DE 08 86 1C 77 A8 52 94 1C
0x80=1 0 0 0 0 0 0 0
0x00=0 0 0 0 0 0 0 0
MouldDataLen= 1 0 0 0 0 0 0 0 0 0 = <int>0x200 = 512
//align by byte
MouldData = D4 56 AD F4 59 A4 11 D8 72 6B 69 95 E2 20 13 9E 7D 9A F4 58 C6 F6 66 A7 F9 DF 0D AF 9F B1 1C CA
4D 3A 7A 3D 45 D6 5E C2 1E 65 B0 60 D7 4C 8A 02 F7 00 FF 2D 1F EA B3 F8 43 8B 54 E8 D8 D3 A5 32
FF CC 5F 3B 6F 32 06 89 A0 73 21 3E D9 D9 D3 86 EE 4D CC 72 3C F7 FF DF 02 F4 E0 E8 34 EE 69 66
0B 82 91 85 C1 38 DE 39 F8 F8 46 8F A9 01 5B 09 7C E1 A4 22 DE D7 95 35 91 5E 56 1B 50 9F 9F 2D
04 D5 B6 3C C9 17 3B E3 87 C1 33 97 C8 DE 2D 37 49 76 C4 48 40 8A 61 97 5F C1 FC 52 DD A5 99 A9
F6 10 64 69 BB B9 CB 35 DD 94 00 2E 8F 3A E6 3B 42 24 40 A2 9C 5A D0 05 D1 4A 86 B8 15 09 3C EF
98 F7 5F 06 46 40 C0 6F 0D A7 78 FA 8A 33 00 C6 83 FF 6E 83 F2 29 0C 31 F0 1D E4 93 20 06 65 C2
5A FE 16 E0 A2 A4 27 80 4A 4C D6 FA 5B 56 4E 80 12 99 4B 70 68 1B 1C A1 36 7C A8 8D AE E4 E7 87
C4 23 FE 22 E7 11 03 13 EE 42 1D 6D FD 08 36 0D EB AD BE 5A D9 AC 31 94 12 CB 63 2C 94 14 B3 D3
32 CD 84 10 7F A3 90 2F F1 81 B1 94 9B 66 65 80 E2 7D 4D BF 6D 89 72 54 6F 2A 6B 8C 4A 04 23 47
F1 A4 E3 3C 52 E8 DA 32 C2 C4 BE 56 3A 97 AD 1F 87 66 AE F2 93 5C ED 56 8B DB 65 87 38 73 73 00
A4 8E 81 BA 4C EA 14 F2 1D EF 73 2B A6 98 02 E5 0B 5C D7 2E 3A D0 9B 12 40 05 53 30 10 76 AF 4C
66 17 A8 B3 01 0C 6A 63 75 99 9C C3 10 DC E0 7F FB 42 ED 9C A3 38 74 22 7D BA D0 91 69 44 E5 12
65 C0 BF AC 50 79 5A B5 9A 2D 01 34 9A 32 1A 0D 7E 44 9A E6 CB 7A E2 A3 78 03 6E EA FB A4 12 36
5B B6 B8 02 25 3F CE 0F 1D 6D 9B 04 A5 94 08 58 19 87 0F A1 48 FB AF EE ED 4B 03 83 46 C4 10 F1
14 B1 62 11 C0 11 25 C6 0E E5 71 44 0F E8 7F 62 BC 38 E6 47 6B D3 3E 5E 5A D6 E2 2B D9 65 2A 59

when the wow client to any server , it always send the same packet except account name.

when the battle.net server response data always 919 bytes.

and use the same account to reconnect ,the battle.net server response data only 256 bytes not same.

it's ServerChallenge data.

in other words , the ServerChallenge data has some verify for client.

Continuous research for it .

..............................................here omitted thousands of secound for study................................................

the china battle server is : 122.198.64.130 cn.logon.battlenet.com.cn

i set my computer ip address to 122.198.64.130 , and set hosts file for cn.logon.battlenet.com.cn to 127.0.0.1

that means when wow client connect to cn.logon.battlenet.com.cn , it's realy connect to 127.0.0.1 (my localhost)

then my ip address is 122.198.64.130 , it's actually connect to 122.198.64.130 (my localhost)

for these setting, i run my emulator server . and start wow.exe to connect .

my emulator server response the same packets with battle.net server.

client show LOGIN_UNKNOWN_ACCOUNT

than, it's ok .

----------------------------------------------Gorgeous split line----------------------------------------------

it's means the ServerChallenge data has contained the server ip address .

when the client received the ServerChallenge data ,

it verify current connected server ip address is or isn't the ServerChallenge data ip address.

at the last, if anyone research the bnet 2 protocol , i hope Communicate this protocol

DarkBlizz

About bnet 2 login return LOGIN_BAD_SERVER_PROOF

chivalry