Emulate Battle.net

Started by MADCATX, February 22, 2010, 06:18:36 AM


stormbreaker

Quote from: brew on March 16, 2010, 08:39:29 AM
not that hard, the same type of verification has been done before. i don't see how this is the stumbling point of anyone, since it's not obfuscated at all.
also, what you send for the 0x02 password module response is the key you both use to decrypt/encrypt packets, FYI.


Which one and how did you get this information? Is it confirmed?
Perhaps you know why we all get "bad server" error when sending the rights (we think) data.

usmc23

In the general interest of "sharing info", here is where I'm at.  The ProofRequest packet sends TWO auth modules, one is password.dll, the other is thumbprint.dll.  ThumbPrint.dll receives a 16-byte IP address of the server; if it doesn't match the hardcoded vals in ThumbPrint.dll it fails (aka WoW).  Now the catch-22 is we can't modify that dll because the b.net.dll does an integrity check; if it fails you get the same "bad server" error message.

My thought was doing an EAT patch on LoadLibrary and intercepting the LoadLibrary calls to the auth modules; the hook works just fine, but there isn't a direct call to those DLLs.

stormbreaker

Quote from: usmc23 on March 16, 2010, 01:54:13 PM
In the general interest of "sharing info", here is where I'm at.  The ProofRequest packet sends TWO auth modules, one is password.dll, the other is thumbprint.dll.  ThumbPrint.dll receives a 16-byte IP address of the server; if it doesn't match the hardcoded vals in ThumbPrint.dll it fails (aka WoW).  Now the catch-22 is we can't modify that dll because the b.net.dll does an integrity check; if it fails you get the same "bad server" error message.

My thought was doing an EAT patch on LoadLibrary and intercepting the LoadLibrary calls to the auth modules; the hook works just fine, but there isn't a direct call to those DLLs.


I found out that, too. I managed to work around the second module easily.
It seems that the client uses it, but it doesn't REQUIRE it.

So by sending only the first auth module:

EDIT: I'm going to mess around with the next packets tomorrow.

usmc23

That's some good stuff, you should come into IRC : ), but right now I'm having trouble writing two bytes before the "auth" module struct.  Right now I have to force the two bytes to be "42 10"; I thought it was just supposed to be int:3 numModules?

usmc23

We got past the ProofRequest packet and we sent both auth DLLs : ).


Draugur

Quote from: usmc23 on March 16, 2010, 07:58:16 PM
We got past the ProofRequest packet and we sent both auth DLLs : ).



congratulations :)

Fedoranimus

Quote from: usmc23 on March 16, 2010, 07:58:16 PM
We got past the ProofRequest packet and we sent both auth DLLs : ).



Awesome, great job.

stormbreaker

Quote from: usmc23 on March 16, 2010, 07:58:16 PM
We got past the ProofRequest packet and we sent both auth DLLs : ).




GJ. But what is the point in sending both packets if it doesn't need it?
Anyway, did you modify the dll or hack through it?

stormbreaker

Quote from: usmc23 on March 16, 2010, 04:39:17 PM
That's some good stuff, you should come into IRC : ), but right now I'm having trouble writing two bytes before the "auth" module struct.  Right now I have to force the two bytes to be "42 10"; I thought it was just supposed to be int:3 numModules?


Are you putting there the header bytes?
Quote
int:6 PacketID;    // The packet id of this packet.
bool:1 HasChannel; // Boolean value specifying whether or not the channel id is included in the header.
int:4 ChannelID;   // The channel id of this packet.

I can't join the IRC because my ISP is redirecting all the IRC traffic to their server... And I never was a mIRC fan.


Oops, sorry for double posting....
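As an added illustration (not code from this thread, from the Starcrack effort, or from any Blizzard component), here is a small Python encoder/decoder for a header laid out like the one quoted above: int:6 PacketID, bool:1 HasChannel, and int:4 ChannelID present only when HasChannel is set. MSB-first bit order and zero-padding up to a byte boundary are assumptions of this example; the thread does not state either. The decoder rejects a buffer that ends in the middle of a field instead of reading past it, which is the check a robust protocol parser needs whenever the total header length depends on a flag inside the header.

```python
# Added example: bit-packed header codec for the layout quoted in the thread.
# ASSUMPTIONS (not established by the thread): fields are written MSB-first
# into a bit stream, and the stream is zero-padded to a whole byte.

PACKET_ID_BITS = 6
HAS_CHANNEL_BITS = 1
CHANNEL_ID_BITS = 4


class BitReader:
    """Reads fixed-width integers MSB-first and refuses to run off the buffer."""

    def __init__(self, data: bytes):
        self.data = data
        self.pos = 0  # current bit offset

    def read(self, nbits: int) -> int:
        value = 0
        for _ in range(nbits):
            byte_index, bit_index = divmod(self.pos, 8)
            if byte_index >= len(self.data):
                raise ValueError("header truncated at bit %d" % self.pos)
            bit = (self.data[byte_index] >> (7 - bit_index)) & 1
            value = (value << 1) | bit
            self.pos += 1
        return value


class BitWriter:
    """Accumulates fixed-width integers MSB-first; pads the last byte with zeros."""

    def __init__(self):
        self.bits = []

    def write(self, value: int, nbits: int) -> None:
        if not 0 <= value < (1 << nbits):
            raise ValueError("%d does not fit in %d bits" % (value, nbits))
        for i in range(nbits - 1, -1, -1):
            self.bits.append((value >> i) & 1)

    def to_bytes(self) -> bytes:
        padded = self.bits + [0] * (-len(self.bits) % 8)
        out = bytearray()
        for i in range(0, len(padded), 8):
            byte = 0
            for bit in padded[i:i + 8]:
                byte = (byte << 1) | bit
            out.append(byte)
        return bytes(out)


def encode_header(packet_id: int, channel_id=None) -> bytes:
    """Build the header; ChannelID is emitted only when a channel is given."""
    w = BitWriter()
    w.write(packet_id, PACKET_ID_BITS)
    w.write(1 if channel_id is not None else 0, HAS_CHANNEL_BITS)
    if channel_id is not None:
        w.write(channel_id, CHANNEL_ID_BITS)
    return w.to_bytes()


def decode_header(data: bytes) -> dict:
    """Parse the header; raises ValueError if the buffer ends mid-field."""
    r = BitReader(data)
    packet_id = r.read(PACKET_ID_BITS)
    has_channel = bool(r.read(HAS_CHANNEL_BITS))
    channel_id = r.read(CHANNEL_ID_BITS) if has_channel else None
    return {
        "packet_id": packet_id,
        "has_channel": has_channel,
        "channel_id": channel_id,
        "header_bits": r.pos,  # 7 without a channel, 11 with one
    }


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    for raw in (encode_header(5), encode_header(5, channel_id=3)):
        print(raw.hex(), decode_header(raw))
```

Because the channel field is optional, the header is 7 bits in one case and 11 in the other, so any code that assumes a fixed two-byte prefix will disagree with the encoder by a few bits; the `header_bits` value in the decoded result makes that length explicit so the caller knows where the payload starts.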

2g4u

It might be a little old, but if it helps you it's all good: http://0x1337.org/index.html?page=sciidbg
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former!" Albert Einstein

usmc23

Quote from: 2g4u on March 17, 2010, 03:47:38 PM
It might be a little old, but if it helps you it's all good: http://0x1337.org/index.html?page=sciidbg

Does that work on the b.net screen?

We just got it so when you type the password in the client it sends out the next packet (thanks Tom). You can't just not send the thumbprint.dll; you have to make it return one when it tests against the hash in the dll vs your server's IP.

usmc23

This was a combined effort of the entire Starcrack team, but here is what we have as of now:


Draugur

Quote from: usmc23 on March 17, 2010, 08:09:29 PM
This was a combined effort of the entire Starcrack team, but here is what we have as of now:



Have you done some research on the packet encryption after login?

masky007

Human language please :)

Actually, how far is this? How much longer.. CAN'T WAIT :))))

usmc23

Are the password and session keys transmitted in the 2nd packet from the c -> s and vice versa?