Starcraft II Crack

Started by JoeTheRogue, July 19, 2010, 05:52:34 PM


JoeTheRogue

Since the last forum crashed and burned from arguing, I figured let's start a new thread about developing a crack, and please let's just use this thread only for cracking purposes.

TehHawk

I think the last thread concluded that it's impossible without the 256-bit key.

End of story.
Lesson: Blizzard owned us....... for the time being...

JoeTheRogue

Quote from: TehHawk on July 19, 2010, 06:14:18 PM
I think the last thread concluded that it's impossible without the 256-bit key.

End of story.
Lesson: Blizzard owned us....... for the time being...

You are probably right. :'( It just sucks having the full version of the game but not being able to do anything with it. Maybe we can continue working on a crack, and once the key comes out on the 27th we can finish the crack.
In the meantime I'm going to brush up on my skills with some Brood War and continue working on a crack.

Kernel64

Okay, hold up. Has anyone looked at the beta SWF yet to see if it has something of a key that can be used for authenticating?

The auth key is the decrypt key right? Or is it something else entirely?

darkrei9n

Everything that I've seen points to them being one and the same.

Kernel64

Hmm... There must be something in the beta files that is encrypted and gets decrypted the same way.

7H3LaughingMan

Quote from: Kernel64 on July 19, 2010, 08:31:02 PM
Hmm... There must be something in the beta files that is encrypted and gets decrypted the same way.

Nothing in the beta is encrypted with the same thing; that is the problem, there is not a single encrypted file in the beta. However, with the digital download the important stuff is encrypted with the key that is going to be available on the Blizzard servers on the 27th. Once the 27th rolls around there will be no need for a crack, since you could install freely and without a Battle.net account.

obliviron

It's amazing how many people just copied what I said about the key.

Anyway, since you guys are so into making a crack, I'll post what I have found.

Salsa20 R(389) encryption for both mpqe files.
They corrupted the file header and run a CRC32 check on file edit.

Memory dumps of the installer are NOT protected but still use a header corruption technique (I wasn't able to circumvent a header corruption on a memory dump, so this is all I've got).

Modifying the authorization code isn't too difficult with the right tools, however, it still requires the 256 bit key for the tome decryption.

Useful tools:

OllyDbg
Phant0m
PEiD with CRC32 plugin
IDA Pro

IGNORE PEOPLE THAT SAY YOU NEED AN EMULATED SERVER - EVERYTHING EXCEPT THE 256-BIT KEY CAN BE FOUND LOCALLY.

Edit: You might wanna get KernelDetective for dumping the SC2 installer.

darkrei9n

The 256-bit key, I believe, is retrieved somehow by the authentication code for sure then. The authentication code and the decryption code are one and the same. As proof I present that there is no storage space for the authentication code; however, when you change a jump address from jz to jnz it opens a screen where you manually enter the authentication code, and this then goes directly down to a section of code containing hasValidDecryptionKey.

This means that the authentication key is also checked. Then there are 3 characters that are restricted. So that narrows down the decryption key further.

obliviron

Quote from: darkrei9n on July 19, 2010, 08:57:09 PM
The 256-bit key, I believe, is retrieved somehow by the authentication code for sure then. The authentication code and the decryption code are one and the same. As proof I present that there is no storage space for the authentication code; however, when you change a jump address from jz to jnz it opens a screen where you manually enter the authentication code, and this then goes directly down to a section of code containing hasValidDecryptionKey.

This means that the authentication key is also checked. Then there are 3 characters that are restricted. So that narrows down the decryption key further.

Yeah, it's the auth code. Now all you gotta do is guess a 10-20 digit alphanumeric number.

darkrei9n

Quote from: obliviron on July 19, 2010, 09:21:54 PM
Quote from: darkrei9n on July 19, 2010, 08:57:09 PM
The 256-bit key, I believe, is retrieved somehow by the authentication code for sure then. The authentication code and the decryption code are one and the same. As proof I present that there is no storage space for the authentication code; however, when you change a jump address from jz to jnz it opens a screen where you manually enter the authentication code, and this then goes directly down to a section of code containing hasValidDecryptionKey.

This means that the authentication key is also checked. Then there are 3 characters that are restricted. So that narrows down the decryption key further.

Yeah, it's the auth code. Now all you gotta do is guess a 10-20 digit alphanumeric number.

30 digits. It's a 30-digit number. Also, the code is validated. So we can make a keygen based off what is found acceptable and try all of those.

gzxaaa

To darkrei9n, obliviron and other cracking pros:
The Chinese cracking group made some progress on this and I'm going to translate what they currently have:

1. They also found that the authentication key and the decryption key are the same, and got to the screen for manually entering the authentication code. So everything still boils down to getting the Salsa20 decryption key.

2. What they found is that the mpqe file headers are NOT corrupted, and you can get plaintext from them. With the plaintext known, one can XOR it with the ciphertext to get the hash table. With a second round of sorting on the hash table you can get the decryption key. They compared the mpqe file with the beta (non-encrypted) ones. For example, the first row in the beta mpq is 01 00 03 00, and in the retail mpqe it's 01 00 05 00. If you XOR 03 with 05 and use the result to XOR the other mpqe, you get the same result. This shows the key is valid. So we actually know the plaintext. However, the second row of the mpqe file is messed up, so there are 8 bits out of 64 bits of plaintext missing.

3. Now the project is: attack Salsa20 cryptography with complete knowledge of the ciphertext and about 90% of the plaintext. Is there any algorithm optimized for computing that?

We hope the pros here can help us and share their knowledge and skills. I don't know much about the terminology in cryptography, so the translation may be a little hard to understand. But you pros should be able to get it!
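
The XOR step described in point 2 above, worked through as an added example (this is not code from the thread or from any cracking group, and the archive headers, key and nonce in it are constructed for the demo). It implements Salsa20/20 from Bernstein's specification, which is assumed to be the cipher in use, and shows the cryptographic point the question in point 3 runs into: XOR-ing known plaintext with ciphertext recovers keystream bytes at those positions, and only those; the gap in the plaintext stays a gap, the recovered bytes are useful only because a second archive was encrypted under the same key and nonce (the classic keystream-reuse mistake), and under a fresh nonce they decrypt nothing. Nothing here moves you closer to the 256-bit key itself; that is exactly the property a stream cipher is designed to have.

```python
import struct

MASK = 0xFFFFFFFF


def _rotl(v, n):
    return ((v << n) & MASK) | (v >> (32 - n))


def quarterround(y0, y1, y2, y3):
    """Salsa20 quarter-round exactly as in Bernstein's specification."""
    z1 = y1 ^ _rotl((y0 + y3) & MASK, 7)
    z2 = y2 ^ _rotl((z1 + y0) & MASK, 9)
    z3 = y3 ^ _rotl((z2 + z1) & MASK, 13)
    z0 = y0 ^ _rotl((z3 + z2) & MASK, 18)
    return z0, z1, z2, z3


ROW_GROUPS = ((0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14))
COL_GROUPS = ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11))


def _round(words, groups):
    """Apply quarterround to each index group (a rowround or a columnround)."""
    words = list(words)
    for a, b, c, d in groups:
        words[a], words[b], words[c], words[d] = quarterround(words[a], words[b], words[c], words[d])
    return words


def salsa20_block(key, nonce, counter):
    """64-byte keystream block for a 32-byte key, 8-byte nonce and 64-bit block counter."""
    assert len(key) == 32 and len(nonce) == 8
    sigma = b"expand 32-byte k"
    state = (sigma[0:4] + key[:16] + sigma[4:8] + nonce + struct.pack("<Q", counter)
             + sigma[8:12] + key[16:] + sigma[12:16])
    x = list(struct.unpack("<16I", state))
    z = x
    for _ in range(10):                      # 10 double-rounds = Salsa20/20
        z = _round(_round(z, COL_GROUPS), ROW_GROUPS)
    return struct.pack("<16I", *[(a + b) & MASK for a, b in zip(z, x)])


def keystream(key, nonce, length):
    out = b""
    block = 0
    while len(out) < length:
        out += salsa20_block(key, nonce, block)
        block += 1
    return out[:length]


def encrypt(key, nonce, data):
    """Stream-cipher encryption is XOR with the keystream; decryption is the same call."""
    return bytes(p ^ k for p, k in zip(data, keystream(key, nonce, len(data))))


def recover_keystream(ciphertext, known_plaintext):
    """known_plaintext holds one int per byte, or None where the byte is unknown.
    Returns keystream bytes at the known positions and None elsewhere.
    The key is never involved: XOR only undoes XOR."""
    return [c ^ p if p is not None else None for c, p in zip(ciphertext, known_plaintext)]


def apply_recovered(ciphertext, recovered):
    """Decrypt another ciphertext with a recovered keystream prefix. Only meaningful
    if it was produced under the SAME key and nonce, i.e. the keystream was reused."""
    return [c ^ k if k is not None else None for c, k in zip(ciphertext, recovered)]


# Constructed demo inputs: not a real key and not real archive contents.
DEMO_KEY = bytes(range(32))
DEMO_NONCE = b"\x00" * 8
HEADER = b"MPQ\x1a\x20\x00\x00\x00\x01\x00\x03\x00"      # 12-byte MPQ-like header, constructed
FILE_A = HEADER + b"archive A payload, constructed for this example"
FILE_B = HEADER + b"archive B has completely different contents here"


def demo():
    ct_a = encrypt(DEMO_KEY, DEMO_NONCE, FILE_A)
    ct_b = encrypt(DEMO_KEY, DEMO_NONCE, FILE_B)      # same key AND nonce: keystream reuse
    # The analyst knows A's header except byte 10 (standing in for the "messed up" row).
    known = [b if i != 10 else None for i, b in enumerate(HEADER)]
    ks = recover_keystream(ct_a[:12], known)
    header_b = apply_recovered(ct_b[:12], ks)         # B's header falls out, gap included
    # Same key, fresh nonce: the recovered bytes no longer line up with anything.
    ct_c = encrypt(DEMO_KEY, b"\x01" * 8, FILE_B)
    header_c = apply_recovered(ct_c[:12], ks)
    return ks, header_b, header_c


if __name__ == "__main__":
    ks, header_b, header_c = demo()
    print("recovered keystream prefix:        ", ks)
    print("file B header, nonce reused:       ", header_b)
    print("file B header, fresh nonce:        ", header_c)
```

The defender's reading: the only thing the XOR buys an analyst is the keystream prefix, and it buys that only because the same key and nonce were used twice. Salsa20 keyed with a distinct nonce per archive (or, better, a distinct key) leaves known plaintext worthless, and no amount of plaintext lets anyone run the block function backwards to the 256-bit key.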

darkrei9n

gzxaaa: The installer validates the authentication key, which means there's something in the installer that checks the authentication key. If you find this you can narrow down the possible authentication keys, which makes brute-forcing it easier as you remove a bunch of invalid keys.

2g4u

Quote from: darkrei9n on July 19, 2010, 08:57:09 PM
...however when you change a jump address from jz to jnz it opens a screen where you manually enter the authentication code...
Quote from: gzxaaa on July 20, 2010, 01:20:22 AM
...
1. They also found that the authentication key and the decryption key are the same, and got to the screen for manually entering the authentication code. So everything still boils down to getting the Salsa20 decryption key.
...

To get to that screen (where you manually enter the auth key) you just need to restrict the SC2 installer from accessing the net (or simply unplug your network cable/turn off your modem). Then when you try to install the game you will get an error explaining that you need the auth key from the internet. On that error screen, click on the yellow triangle (with the exclamation mark on it) in the bottom right corner and it opens the following screen:

No need to modify the exe in any way to get to that screen...

P.S.
Sorry for the lame Paint editing, I just didn't want everyone to see the p0rn that I was downloading :)
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former!" Albert Einstein

steve30x

The other thread also crashed and burned because some members have no concept of respect and manners. I can see the same happening here.