Emulate Battle.net

Started by MADCATX, February 22, 2010, 06:18:36 AM


waxypants

Quote from: Freundschaft on March 11, 2010, 07:54:33 PM
I tried messing around a bit with IDA.

It seems like we need to have a look at the RequestPassword function, which provides a blob response for a blob request sent with the proof request.

In code this looks like:

sub_3896C9A0    proc near               ; DATA XREF: .rdata:3896D080o
.text:3896C9A0                 push    offset aRequestpasswor ; "RequestPassword"
.text:3896C9A5                 mov     ecx, offset unk_3896E428
.text:3896C9AA                 call    sub_38962A10
.text:3896C9AF                 push    offset nullsub_3
.text:3896C9B4                 call    sub_3896C190
.text:3896C9B9                 pop     ecx
.text:3896C9BA                 retn
.text:3896C9BA sub_3896C9A0    endp

Still have to figure out what this does.

Where did this code come from?

Freundschaft

disassembly of the auth file
I take two steps forward, two steps back. We come together 'cuz opposites attract.

waxypants

Quote from: Freundschaft on March 14, 2010, 10:20:13 AM
disassembly of the auth file


Sorry for being dumb, but which file exactly?  Reading through the thread I'm getting a little confused about which files you guys are talking about and where they are coming from.

Freundschaft

#153
It's a file downloaded by the client during the authentication process.

Check:

http://darkblizz.org/wiki/doku.php?id=bnet2_protcol

ModuleId is the SHA1 hash of the contents of the file and also the name of the file, downloaded over HTTP from (realm).depot.battle.net:1119/(B1)/(B2)/(B3)/(B4)/(SHA1).ext i.e. 8f52906a2c85b416a595702251570f96d3522f39237603115f2f1ab24962043c.auth on realm USB (U.S. Beta) is http://usb.depot.battle.net:1119/8f/52/90/6a/8f52906a2c85b416a595702251570f96d3522f39237603115f2f1ab24962043c.auth . All realms appear to use the same auth file during the beta so far, but it is downloaded in this fashion presumably to make it easier for Blizzard to change the file, and thus the SRP6a auth seeds (N and g - http://srp.stanford.edu/design.html). This file is originally named "Password.dll" and contains cryptographic calls used for login. A second file is also downloaded and used during the login procedure.

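The download path and naming scheme described in the quoted wiki text, as an added example that is not part of this thread or of any Battle.net code: it builds the depot URL from a ModuleId, parses such a URL back (for instance one seen in a proxy log) and checks a downloaded blob against the id in its own name. The wiki calls the id a SHA1, but the example id it gives is 64 hex digits, which is the length of a SHA-256 digest, so this code picks the hash by id length and defaults to sha256 for new ids (an assumption). Since the file is fetched over plain HTTP, that hash check is the only integrity guarantee the client has on the code it is about to load.

```python
import hashlib
import hmac
import re

# URL shape taken from the wiki text above; realm, id and ext are filled in.
DEPOT_URL = "http://{realm}.depot.battle.net:1119/{b1}/{b2}/{b3}/{b4}/{mod_id}.{ext}"
DEPOT_RE = re.compile(
    r"^http://(?P<realm>[a-z0-9-]+)\.depot\.battle\.net:1119/"
    r"(?P<dirs>[0-9a-f]{2}/[0-9a-f]{2}/[0-9a-f]{2}/[0-9a-f]{2})/"
    r"(?P<mod_id>[0-9a-f]{40}|[0-9a-f]{64})\.(?P<ext>[A-Za-z0-9]+)$"
)


def _algorithm_for(mod_id: str) -> str:
    # 40 hex digits is a SHA-1 digest, 64 is SHA-256 (the wiki's example id is 64).
    if len(mod_id) == 40:
        return "sha1"
    if len(mod_id) == 64:
        return "sha256"
    raise ValueError("ModuleId must be 40 or 64 hex digits")


def module_id(contents: bytes, algorithm: str = "sha256") -> str:
    """Content-addressed name of a module: the hex digest of its bytes (sha256 assumed)."""
    return hashlib.new(algorithm, contents).hexdigest()


def depot_url(realm: str, mod_id: str, ext: str) -> str:
    """Build the depot URL; the first four bytes of the id become the directory path."""
    mod_id = mod_id.lower()
    _algorithm_for(mod_id)  # validates the length
    if not re.fullmatch(r"[0-9a-f]+", mod_id):
        raise ValueError("ModuleId must be hex")
    b1, b2, b3, b4 = (mod_id[i:i + 2] for i in range(0, 8, 2))
    return DEPOT_URL.format(realm=realm, b1=b1, b2=b2, b3=b3, b4=b4, mod_id=mod_id, ext=ext)


def parse_depot_url(url: str) -> tuple[str, str, str]:
    """Pull (realm, ModuleId, ext) out of a depot URL and reject URLs whose
    directory path does not match the id prefix."""
    m = DEPOT_RE.match(url)
    if m is None:
        raise ValueError("not a depot module URL")
    mod_id = m["mod_id"]
    if m["dirs"].replace("/", "") != mod_id[:8]:
        raise ValueError("directory path does not match ModuleId prefix")
    return m["realm"], mod_id, m["ext"]


def verify_module(mod_id: str, contents: bytes) -> bool:
    """True iff the downloaded bytes hash to the id they were served under."""
    mod_id = mod_id.lower()
    digest = hashlib.new(_algorithm_for(mod_id), contents).hexdigest()
    return hmac.compare_digest(digest, mod_id)
```

A client that loads a downloaded module without running verify_module on it is trusting an unauthenticated HTTP response; the hash-in-the-name scheme only helps if the check is actually performed before the module is executed.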

stormbreaker

Quote from: waxypants on March 14, 2010, 04:33:28 PM
Quote from: Freundschaft on March 14, 2010, 10:20:13 AM
disassembly of the auth file

Sorry for being dumb, but which file exactly?  Reading through the thread I'm getting a little confused about which files you guys are talking about and where they are coming from.

Read the comment in http://darkblizz.org/wiki/doku.php?id=bnet2_protcol

LOL that was cool :D

waxypants

Ahhh thanks, I see now.  That code is really hard to follow  ???

Draugur

#156
oTc SC2 research is now public: http://s2dev.onlythechosen.com/forum/index.php
You are welcome to hang out with us, and I hope this helps to speed up the progress on this project.

Freundschaft

hey good job  :thumbsup:
you guys got any further than we have?

Draugur

Quote from: Freundschaft on March 15, 2010, 08:45:38 PM
hey good job  :thumbsup:
you guys got any further than we have?

Yes. Rob already emulated SC2 login authorization. With the information we provide you can successfully connect to battle.net 2.0 using Starcraft II protocol. Rob explains everything.

This is actually a big step, people can now focus on researching the rest of the packets, this should speed up the process for developing a server emulator.

Fedoranimus

Quote from: Draugur on March 16, 2010, 12:09:41 AM
Quote from: Freundschaft on March 15, 2010, 08:45:38 PM
hey good job  :thumbsup:
you guys got any further than we have?

Yes. Rob already emulated SC2 login authorization. With the information we provide you can successfully connect to battle.net 2.0 using Starcraft II protocol. Rob explains everything.

This is actually a big step, people can now focus on researching the rest of the packets, this should speed up the process for developing a server emulator.

Yes, Rob has done some fantastic documentation and a great deal of work very quickly. It's fantastic that he's releasing all the information as well.

usmc23

That's a lot of good info you guys have found; if you guys want to continue this you can join the starcack IRC, irc.rizon.com #sc2c, and make sure to PM me.  But right now I'm wondering if you guys got past the Battlenet::Client::Authentication::ProofRequest, because for us I can't figure out how to get past the "bad server" error.

Draugur

Quote from: usmc23 on March 16, 2010, 02:33:34 AM
That's a lot of good info you guys have found; if you guys want to continue this you can join the starcack IRC, irc.rizon.com #sc2c, and make sure to PM me.  But right now I'm wondering if you guys got past the Battlenet::Client::Authentication::ProofRequest, because for us I can't figure out how to get past the "bad server" error.

Hey,
there's enough information on the forums to pass it.

You are welcome to join the forums; there Rob will assist you in any way he can.

Freundschaft

Do I understand this correctly that Rob has only provided emulation for the client side of bnet2?
Meaning that he's managed to develop an application that successfully authenticates with the official bnet2 server if you have correct credentials?

Correct me if I'm wrong,
but I think this step will unfortunately not help us develop a server emu, because we can't look into what RequestPassword does in detail for the key generation.
We just provide a plain text password here and get the response, which is then sent in return to the server; we don't get any information about how the server should behave here.

stormbreaker

#163
Quote from: usmc23 on March 16, 2010, 02:33:34 AM
That's a lot of good info you guys have found; if you guys want to continue this you can join the starcack IRC, irc.rizon.com #sc2c, and make sure to PM me.  But right now I'm wondering if you guys got past the Battlenet::Client::Authentication::ProofRequest, because for us I can't figure out how to get past the "bad server" error.

I think the best way to do this is by modifying the auth file (password.dll) to bypass the SRP6 encryption or at least make it simpler. Maybe someone on your team can do it?

I think we should move this discussion here and work together. I'm sure we'll come up with something. I'm almost certain the password.dll makes the verification if the things in the blob are correct.

brew

Not that hard; the same type of verification has been done before. I don't see how this is the stumbling point of anyone, since it's not obfuscated at all.
Also, what you send for the 0x02 password module response is the key you both use to decrypt/encrypt packets, FYI.
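The SRP-6a exchange that brew's last line and Freundschaft's question about server behaviour both turn on, as an added example that is not part of this thread, of password.dll or of any Battle.net code. It follows the formulas from the Stanford design page linked above (http://srp.stanford.edu/design.html) with three assumptions of its own: a toy 127-bit modulus in place of a real safe prime, sha256 as the hash, and a simplified proof M1 = H(A, B, K) / M2 = H(A, M1, K). It shows what the server side needs, namely only the stored salt and verifier v = g^x and never the password, and that both sides derive the same session key K (the key brew refers to) only when the client knows the enrolled password; a wrong password fails the client's proof, and a server that does not hold the matching verifier fails the server's proof.

```python
import hashlib
import hmac
import secrets

# Toy group, constructed for this example only: 2**127 - 1 is prime, but a
# real SRP deployment uses a large safe prime (for instance an RFC 5054 group).
N = (1 << 127) - 1
g = 7
INT_LEN = (N.bit_length() + 7) // 8  # fixed-width encoding of group elements


def i2b(n: int) -> bytes:
    return n.to_bytes(INT_LEN, "big")


def hash_int(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = hash_int(i2b(N), i2b(g))  # SRP-6a multiplier k = H(N, g)


def make_verifier(salt: bytes, password: bytes) -> int:
    """Enrolment: x = H(s, p), v = g^x.  The server stores (s, v), never p."""
    x = hash_int(salt, password)
    return pow(g, x, N)


def client_start() -> tuple[int, int]:
    """Client picks secret a and sends A = g^a."""
    a = secrets.randbelow(N - 1) + 1
    return a, pow(g, a, N)


def server_start(v: int) -> tuple[int, int]:
    """Server picks secret b and sends B = k*v + g^b."""
    b = secrets.randbelow(N - 1) + 1
    return b, (k * v + pow(g, b, N)) % N


def client_key(salt: bytes, password: bytes, a: int, A: int, B: int) -> bytes:
    """Client: S = (B - k*g^x)^(a + u*x), K = H(S)."""
    if B % N == 0:
        raise ValueError("server sent a degenerate B")
    u = hash_int(i2b(A), i2b(B))
    if u == 0:
        raise ValueError("u must be non-zero")
    x = hash_int(salt, password)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return hashlib.sha256(i2b(S)).digest()


def server_key(v: int, b: int, A: int, B: int) -> bytes:
    """Server: S = (A * v^u)^b, K = H(S).  Only v is needed, not the password."""
    if A % N == 0:
        raise ValueError("client sent a degenerate A")
    u = hash_int(i2b(A), i2b(B))
    S = pow(A * pow(v, u, N), b, N)
    return hashlib.sha256(i2b(S)).digest()


def client_proof(A: int, B: int, K: bytes) -> bytes:
    # Simplified M1 = H(A, B, K); the Stanford design page folds more values in.
    return hashlib.sha256(i2b(A) + i2b(B) + K).digest()


def server_proof(A: int, M1: bytes, K: bytes) -> bytes:
    # M2 = H(A, M1, K): proves the server derived the same K as the client.
    return hashlib.sha256(i2b(A) + M1 + K).digest()


def handshake(enrolled_password: bytes, login_password: bytes) -> tuple[bool, bool]:
    """Run both sides; return (server accepted client, client accepted server)."""
    salt = secrets.token_bytes(16)
    v = make_verifier(salt, enrolled_password)  # all the server ever stores
    a, A = client_start()
    b, B = server_start(v)
    K_client = client_key(salt, login_password, a, A, B)
    K_server = server_key(v, b, A, B)
    M1 = client_proof(A, B, K_client)
    server_ok = hmac.compare_digest(M1, client_proof(A, B, K_server))
    # A server that rejects M1 sends no valid M2; model that as an all-zero proof.
    M2 = server_proof(A, M1, K_server) if server_ok else b"\0" * 32
    client_ok = hmac.compare_digest(M2, server_proof(A, M1, K_client))
    return server_ok, client_ok
```

The asymmetry is the point for anyone writing the server side: the server never sees the password or x, only v, and the checks on A and B being non-zero mod N are part of the protocol, not optional hardening, because a zero value lets either side force a known S.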