
Messages - usmc23

#1
Right now the SVN, when you click create game after the c -> gs 0x00, the server sends a response and the client crashes.  It's actually giving an assert called "Internal Battle.net Error".  Using OllyDbg I put a bp on connect and then a bp on the first recv; here is what I got.


1) 5662B26C  -E9 D0EAF0FF      JMP Battle_n.56539D41 <-- Battle.Net Receive

     a) 56539D41  -E9 2C150F00      JMP Battle_n.5662B272 <-- In bounds address unknown
             Jumps back and avoids a (5662B271   55 PUSH EBP)

2) 5662B272   381D EC156156    CMP BYTE PTR DS:[566115EC],BL
3) 5662B278   68 2EB36256      PUSH Battle_n.5662B32E
4) 5662B27D   51               PUSH ECX
5) 5662B27E   52               PUSH EDX
6) 5662B27F   E9 0AAC1100      JMP Battle_n.56745E8E

   a) 56745E8E   8B4C24 08        MOV ECX,DWORD PTR SS:[ESP+8]             ; Battle_n.5662B32E
   b) 56745E92   E9 00000000      JMP Battle_n.56745E97
   c) 56745E97   BA 2D9F5356      MOV EDX,Battle_n.56539F2D
   d) 56745E9C   0F44CA           CMOVE ECX,EDX                            ; Battle_n.56539F2D
   e) 56745E9F   894C24 08        MOV DWORD PTR SS:[ESP+8],ECX             ; Battle_n.56539F2D
   f) 56745EA3   5A               POP EDX                                  ; Battle_n.56539F2D
   g) 56745EA4   E9 02000000      JMP Battle_n.56745EAB
   h) 56745EAB   59               POP ECX                                  ; 190B4840
   i) 56745EAC   C3               RETN

   ECX Register Shows ASCII "scmv"
        Unknowns
   u)    56539F2D  -E9 24120F00      JMP Battle_n.5662B156
   u1)   5662B158   24 FC            AND AL,0FC
   u2)   5662B15A   E9 80AC1100      JMP Battle_n.56745DDF

7) 56745DDF   8D6424 FC        LEA ESP,DWORD PTR SS:[ESP-4]
8) 56745DE3   C605 ED156156 01 MOV BYTE PTR DS:[566115ED],1
9) 56745DEA   68 3B9F5356      PUSH Battle_n.56539F3B
10) 56745DEF  -FF25 80154856    JMP DWORD PTR DS:[<&KERNEL32.GetModuleHa>; kernel32.GetModuleHandleW
   
   After this it jumps here.
   a) 56539F3B  ^EB 80            JMP SHORT Battle_n.56539EBD
   b) 56539EBD  -E9 41130F00      JMP Battle_n.5662B203

11) 5662B203   3BC3             CMP EAX,EBX
12) 5662B205  -0F84 4FEDF0FF    JE Battle_n.56539F5A     <-- Possible modification here.
13) 5662B20B   E9 77000000      JMP Battle_n.5662B287
14) 5662B28C   8D6424 FC        LEA ESP,DWORD PTR SS:[ESP-4] <-- ASSERT AND CRASH!!!
#2
For the password, it's "starcrack".
Progress Video 4: Quick Match works better, the Join Game list populates, the map list partially populates; the next step is to get to the lobby screen.
emu_progress_4.wmv
#3
We got the quick game to partly work. Progress 3 Video: emu_progress_3.wmv
#4
You do not need to run it inside of a VM.  You need to have the loopback adapter installed; when that's done, turn off NetBIOS on that adapter and set the IP to be the b.net IP address.

I'm aware of the hosts file change, but when we hack past the IP check SC2 crashes.
#5
Emulator Progress Video 2 (the emulator doesn't have to be run in a VM if you use a loopback adapter; MOTD shows, avatar kind of shows, a lot of fixes to the decryption code, buttons show on the multiplayer screen):
starcrack_progress_2.wmv
#6
Emulator Progress Video: starcrack_emu_progress.wmv
#7
Fixed the XXX, got to the MOTD screen, got to the b.net screen :).

#8
This isn't in SVN yet, but thanks to undox on our team we got to the avatar character screen.

#9
Fixed : ).

Also, I unpacked the b.net.dll. It's not cleaned up by any means, but it at least got me a full string dump of the DLL.

http://sc2c.pastebin.com/T8CGMQHs
#10
Revision 9.

SRP6 implementation for S -> C 0x02; S -> C 0x00 is still broken (the packet the server sends back after you type in your password and click login). This blob contains M2 and the second server challenge, which we don't know how to calculate yet.
#11
Quote from: masky007 on March 20, 2010, 01:01:12 PM
HOPEFULLY those who can WILL help you guys!
I just don't know something... when this is over and the project is a success and up and running, what can we give you in return!?

A promise that you will stop nagging : ).

What we need is to figure out what we are supposed to send for packet 5 and even packet 12.  Technically, because we are past the password.dll and the password is sent in plain text with our loader, I don't think we have to encrypt/decrypt packets with the emu.
#12
Starcrack SVN(EMU and Launcher):
http://starcrack.googlecode.com/svn/trunk/ starcrack-read-only
Make sure you read ReadMe_How_To_Setup.txt
#14
Starcraft II Beta / Re: Emulate Battle.net
March 19, 2010, 07:18:30 PM
We're going to open source our EMU sometime today or tomorrow. We made some progress by putting our EMU in a VM (thanks d0ccrazy); we got to packet 0x05.

#15
Starcraft II Beta / Re: Emulate Battle.net
March 18, 2010, 01:11:02 AM
Are the password and session keys transmitted in the 2nd packet from the c -> s, and vice versa?