• Welcome to Valhalla Legends Archive.
 
Topics - Sveet

#1
Battle.net Bot Development / bnlstest
July 12, 2009, 07:16 PM
I wrote this a little while back to do some tests on BNLS. It doesn't do any connections to bnet; it just connects to the BNLS server and sends a 7D packet. It's really basic, but I thought it might be something good for a beginner to read.

http://www.mikeownage.com/downloads/sourcecodes/bnlstest.zip
#2
OK, I just changed my packet processing loop, separating each segment into its own function so it would be more manageable. I haven't finished checking it 100%, but here is my problem:

I connect fine, get into the channel, disconnect. I reconnect without changing any settings, but this time I either get stopped at invalid CD key or wrong password. When I get invalid CD key I get IP banned (is that normal?)

edit:: went through the functions and it is all good...


edit2:: fixed! The problem was actually MyndFyre's CDKey class: once you use the GetHash function, I guess it is stored in the object and is returned each time instead of being recalculated. I solved it by reloading the object each connection.

My question stands: is it normal to be IP banned once you get the invalid CD key reply?
#3
Battle.net Bot Development / Random help
June 12, 2009, 01:40 AM
Connecting through WC3 TFT, I get all the way through the process with successful results, but when I send ENTERCHAT I get disconnected.


SEND 192.168.1.115:4876 -> 63.241.83.11:6112  24
0000  FF 54 18 00 9B 29 22 74  43 B3 23 B0 2C 1F A8 A5    ÿT..›)"tC³#°,.¨¥
0010  86 32 09 30 92 29 D5 38                             †2.0')Õ8

RECV 192.168.1.115:4876 <- 63.241.83.11:6112  39
0000  FF 33 27 00 06 00 00 80  00 00 00 00 00 2A 63 8E    ÿ3'....€.....*cŽ
0010  EF C9 C9 01 49 58 38 36  41 72 63 68 69 6D 6F 6E    ïÉÉ.IX86Archimon
0020  64 65 2E 6D 70 71 00                                de.mpq.

RECV 192.168.1.115:4876 <- 63.241.83.11:6112  28
0000  FF 54 1C 00 00 00 00 00  40 BC 39 E3 35 26 1C C6    ÿT......@¼9ã5&.Æ
0010  AA 63 11 AA 56 94 FA DB  0E F7 00 34                ªc.ªV"úÛ.÷.4

SEND 192.168.1.115:4876 -> 63.241.83.11:6112  8
0000  FF 45 08 00 E7 17 00 00                             ÿE..ç...

SEND 192.168.1.115:4876 -> 63.241.83.11:6112  6
0000  FF 0A 06 00 00 00                                   ÿ.....


Wow, I see it now. In 0x45 the port is supposed to be a WORD, not a DWORD. I set it as a short; not sure why it is adding it as 4 bytes...
#4
Do you need to reply to this? What does it do/what is it for?

edit:: did some research, it can be ignored. And I found it's used by the server to request the client to download certain files... sorry, someone delete this.
#5
I was sniffing some packets and caught this one:

0000   ff 44 09 00 07 01 00 00 00

BNetDocs doesn't list a 0x07; does anyone know what it means? My client sent it directly after sending 0x0A.

Bnet replied:
0000   ff 44 1d 00 07 01 00 00 00 01 00 34 0b c1 2b ea
0010   c9 01 fd de 00 00 00 00 00 00 02 19 00



On a very side note: I am tracking packets to madserver.net. I have no idea what that is nor any way to stop it. Ideas?
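Two of the posts above come down to the same framing question: the 0x45 packet in the "Random help" dump that went out as 8 bytes instead of 6, and the 0x44 packet in this post whose first body byte is a subcommand. The Python below is an added example, not code from the posts, from MBNCSUtil or from BNetDocs. It splits a receive buffer on the FF / id / length header, refuses to continue on a bad magic byte or a length shorter than the header, compares fixed-size bodies against the width the layout calls for (the 0x45 WORD and the 20-byte 0x54 proof are the only sizes taken from these posts; the table is otherwise an assumption), and pulls the subcommand byte out of a 0x44 body. The input bytes are copied from the dumps above and are the only test data.

```python
import struct
from dataclasses import dataclass

# BNCS framing: 0xFF, a one-byte packet id, then a little-endian WORD holding
# the total packet length including this four-byte header.
HEADER = struct.Struct("<BBH")
HEADER_LEN = HEADER.size  # 4

# Client-to-server bodies with a fixed size, taken from the posts above:
# 0x45 carries the game port as one WORD, 0x54 carries a 20-byte proof.
# (Assumed table for this example; extend it from the protocol docs.)
EXPECTED_BODY_LEN = {0x45: 2, 0x54: 20}


@dataclass
class Packet:
    pid: int
    body: bytes


def parse_stream(buf: bytes):
    """Split a receive buffer into complete packets.

    Returns (packets, leftover). `leftover` holds a trailing partial packet
    that needs more bytes. A wrong magic byte or a length smaller than the
    header raises ValueError, so the caller drops the connection instead of
    guessing where the next packet starts.
    """
    packets, off = [], 0
    while len(buf) - off >= HEADER_LEN:
        magic, pid, length = HEADER.unpack_from(buf, off)
        if magic != 0xFF:
            raise ValueError(f"bad magic 0x{magic:02x} at offset {off}")
        if length < HEADER_LEN:
            raise ValueError(f"declared length {length} is shorter than the header")
        if len(buf) - off < length:
            break  # incomplete packet: wait for more data
        packets.append(Packet(pid, bytes(buf[off + HEADER_LEN:off + length])))
        off += length
    return packets, bytes(buf[off:])


def check_body_len(pkt: Packet):
    """None if the body has the size the layout calls for, else a message."""
    want = EXPECTED_BODY_LEN.get(pkt.pid)
    if want is None or len(pkt.body) == want:
        return None
    return f"0x{pkt.pid:02x}: body is {len(pkt.body)} bytes, layout says {want}"


def read_port(pkt: Packet) -> int:
    """Read the WORD port from a 0x45 body, whatever the sender padded it to."""
    if pkt.pid != 0x45 or len(pkt.body) < 2:
        raise ValueError("not a 0x45 packet with at least a WORD")
    return struct.unpack_from("<H", pkt.body)[0]


def subcommand_0x44(pkt: Packet):
    """0x44 bodies start with a one-byte subcommand; return (sub, rest)."""
    if pkt.pid != 0x44 or not pkt.body:
        raise ValueError("not a 0x44 packet with a body")
    return pkt.body[0], pkt.body[1:]


def audit(buf: bytes):
    """One report line per packet, flagging bodies whose size is off."""
    packets, rest = parse_stream(buf)
    report = []
    for p in packets:
        line = f"0x{p.pid:02x} len={HEADER_LEN + len(p.body)}"
        problem = check_body_len(p)
        if problem:
            line += f"  !! {problem}"
        report.append(line)
    if rest:
        report.append(f"{len(rest)} trailing byte(s) of an incomplete packet")
    return report


# Bytes copied from the dumps in the posts above (constructed test input).
SEND_NETGAMEPORT = bytes.fromhex("FF 45 08 00 E7 17 00 00")  # port sent as 4 bytes
SEND_ENTERCHAT = bytes.fromhex("FF 0A 06 00 00 00")
SEND_44 = bytes.fromhex("ff 44 09 00 07 01 00 00 00")
RECV_44 = bytes.fromhex(
    "ff 44 1d 00 07 01 00 00 00 01 00 34 0b c1 2b ea"
    "c9 01 fd de 00 00 00 00 00 00 02 19 00"
)

if __name__ == "__main__":
    for line in audit(SEND_NETGAMEPORT + SEND_ENTERCHAT + SEND_44 + RECV_44[:10]):
        print(line)
    pkts, _ = parse_stream(SEND_NETGAMEPORT)
    print("port field read as WORD:", read_port(pkts[0]))
```

Run against the dumps, the 0x45 packet is the only line flagged: the declared length is consistent with what was sent, so only a per-packet width check catches a short that was widened to four bytes. The same length check on the receiving side is what keeps a malformed length field from walking a parser past the end of its buffer.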
#6
A little off topic, but what's good about Python?
#7
My problem is that I see no problem and yet there is one somewhere.
My function is this:

private void C_SID_AUTH_ACCOUNTLOGONPROOF()
        {
            /*
             * C->SID_AUTH_ACCOUNTLOGONPROOF
             * 0x54
             *
             * (BYTE[20]) CLIENT PASSWORD PROOF
             */

            Packet p = new Packet(0x54);
            byte[] loginProof = new byte[20];
            nls.LoginProof(loginProof, 0, 20, serverSalt, serverKeyB);
            p.add(loginProof);
            Enqueue(p);
            Output("BNET", "SID_AUTH_ACCOUNTLOGONPROOF SENT");
        }


Very simple, but every time I log into Battle.net I have the problem that I get invalid password, even though I know it's right and that everything is extracted correctly. I logged into Battle.net the regular way and sniffed a set of real serverSalt and serverKeyB to test.


0000   ff 53 48 00 00 00 00 00 73 90 aa 92 c9 25 00 18  .SH.....s....%..
0010   b7 50 39 20 1f 0b 05 14 c5 db 5c 28 fc 08 ab fd  .P9 ......\(....
0020   73 1e fb f7 0f 3f 84 04 5b 16 ee c4 73 19 aa ea  s....?..[...s...
0030   02 15 46 3a d9 b5 6f 28 95 02 4a 49 ae 91 72 bb  ..F:..o(..JI..r.
0040   bc 56 96 bf 13 9e 0e 6b                          .V.....k


Added them into the function manually,

            serverSalt = new byte[] { 0x73, 0x90, 0xaa, 0x92, 0xc9, 0x25, 0x00, 0x18, 0xb7, 0x50, 0x39, 0x20, 0x1f, 0x0b, 0x05, 0x14, 0xc5, 0xdb, 0x5c, 0x28, 0xfc, 0x08, 0xab, 0xfd, 0x73, 0x1e, 0xfb, 0xf7, 0x0f, 0x3f, 0x84, 0x04 };
            serverKeyB = new byte[] { 0x5b, 0x16, 0xee, 0xc4, 0x73, 0x19, 0xaa, 0xea, 0x02, 0x15, 0x46, 0x3a, 0xd9, 0xb5, 0x6f, 0x28, 0x95, 0x02, 0x4a, 0x49, 0xae, 0x91, 0x72, 0xbb, 0xbc, 0x56, 0x96, 0xbf, 0x13, 0x9e, 0x0e, 0x6b };


and then debugged to see the result.

My client sent this:

0000   ff 54 18 00 9c ac 23 1f 7e 20 4c fa 9b e5 6a 23  .T....#.~ L...j#
0010   90 2c b0 56 fd 66 54 b1                          .,.V.fT.


and my bot builds this (just the logon proof):

[0x00000000] 0x11 byte
[0x00000001] 0x1e byte
[0x00000002] 0x12 byte
[0x00000003] 0xd8 byte
[0x00000004] 0x90 byte
[0x00000005] 0x23 byte
[0x00000006] 0xba byte
[0x00000007] 0xee byte
[0x00000008] 0xbe byte
[0x00000009] 0xe9 byte
[0x0000000a] 0x12 byte
[0x0000000b] 0xcf byte
[0x0000000c] 0x3f byte
[0x0000000d] 0x21 byte
[0x0000000e] 0x9c byte
[0x0000000f] 0xa7 byte
[0x00000010] 0x83 byte
[0x00000011] 0xbd byte
[0x00000012] 0x6d byte
[0x00000013] 0x2a byte

#8
I've been working on a bot using MBNCSUtil, but when I send my 0x53 I get IP banned.


        private void C_SID_AUTH_ACCOUNTLOGON()
        {
            /*
             * C-> SID_AUTH_ACCOUNTLOGON
             * 0x53
             *
             * (BYTE[32]) CLIENT KEY ('A')
             * (STRING) USERNAME
             */

            Packet p = new Packet(0x53);
            byte[] loginAccount = new byte[32 + userName.Length + 1];
            nls.LoginAccount(loginAccount, 0, loginAccount.Length);
            p.add(loginAccount);
            Enqueue(p);
        }



Enqueue is just my method to add the packet to my outbound queue. Did I use the function wrong? The documentation is very lacking. If you can't help me with the MBNCSUtil part, if you want to tell me how to do this without it, that would be appreciated too.



edit:: well, I figured out it wasn't this at all; it was that I messed up my handling of S->SID_AUTH_CHECK, and had the call to this function outside the switch instead of next to the passed result. My problem now is that my CDKey public values aren't matching what I've sniffed and I'm getting "Invalid CDKey" results.


        private void C_SID_AUTH_CHECK()
        {
            /*
             * C->SID_AUTH_CHECK
             * 0x51
             *
             * (DWORD) Client Token
             * (DWORD) EXE Version
             * (DWORD) EXE Hash
             * (DWORD) Number of CDKeys in Packet
             * (BOOL) Spawn CDKey
             *
             * For Each CDKey:
             * (DWORD) Key Length
             * (DWORD) CDKey product
             * (DWORD) CDKey public value (Value1)
             * (DWORD) Unknown (0)
             * (DWORD) [5] Hashed Key Data
             *
             * (STRING) Exe Information
             * (STRING) CDKey Owner Name
             */

            Packet p = new Packet(0x51);
            clientToken = (uint)new Random().Next();

            p.add(clientToken);

            int version = CheckRevision.GetExeInfo((WAR3PATH + "war3.exe"), out exeInfoString);
            p.add(version);

            string[] files = new string[] { WAR3PATH + "War3.exe", WAR3PATH + "storm.dll", WAR3PATH + "Game.dll" };
            int mpqNum = Util.MpqNumber(mpqFileName);
            int checkSum = CheckRevision.DoCheckRevision(valueString, files, mpqNum);
            p.add(checkSum);

            p.add((int)2); // number of CD keys

            p.add((uint)0);

            // key 1
            p.add(CD1.Key.Length);
            p.add(CD1.Product);
            p.add(CD1.Value1);
            p.add((uint)0);
            p.add(CD1.GetHash(clientToken, serverToken));

            // key 2
            p.add(CD2.Key.Length);
            p.add(CD2.Product);
            p.add(CD2.Value1);
            p.add((uint)0);
            p.add(CD2.GetHash(clientToken, serverToken));

            p.add(exeInfoString);
            p.add("Sveet");

            Enqueue(p);
        }



edit2 :: well, looking at my server and client tokens, I noticed that my server token comes in as aabbccdd but is saved by BitConverter as ddccbbaa. Should it be that way or should I find a different method of converting my bytes to ints?

edit3 :: I'm getting invalid CD key with either endianness of the bytes...
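On the edit2 question about byte order: DWORDs on the Battle.net wire are little-endian, so the bytes aa bb cc dd are the integer 0xddccbbaa, and BitConverter on an x86 machine is reading them correctly; writing that integer back in the same byte order reproduces the dump. The Python below is an added example, not the bot's Packet class or MBNCSUtil, showing that round trip together with a packet builder whose integer fields have explicit widths, which is also what the port-as-DWORD problem in the 0x45 packet earlier on this page needed. SID_NETGAMEPORT and SID_AUTH_ACCOUNTLOGONPROOF are the BNetDocs names for 0x45 and 0x54; the token bytes are a constructed sample, not a real capture.

```python
import struct


def read_dword(buf: bytes, off: int = 0) -> int:
    """DWORDs travel little-endian: wire bytes aa bb cc dd are the integer 0xddccbbaa."""
    return struct.unpack_from("<I", buf, off)[0]


def write_dword(value: int) -> bytes:
    """Inverse of read_dword; the bytes come out in the order they arrived."""
    return struct.pack("<I", value)


class PacketBuilder:
    """Assembles a BNCS packet with explicit field widths.

    Added example, not the bot's Packet class or MBNCSUtil. Every integer
    field names its width, so a port cannot be widened to a DWORD by an
    overload chosen at compile time, and the header length is computed
    from the body rather than filled in by hand.
    """

    def __init__(self, pid: int):
        if not 0 <= pid <= 0xFF:
            raise ValueError("packet id must fit in one byte")
        self.pid = pid
        self.body = bytearray()

    def add_word(self, value: int):
        if not 0 <= value <= 0xFFFF:
            raise ValueError(f"{value} does not fit in a WORD")
        self.body += struct.pack("<H", value)
        return self

    def add_dword(self, value: int):
        if not 0 <= value <= 0xFFFFFFFF:
            raise ValueError(f"{value} does not fit in a DWORD")
        self.body += struct.pack("<I", value)
        return self

    def add_bytes(self, data: bytes):
        self.body += data
        return self

    def add_string(self, text: str):
        self.body += text.encode("ascii") + b"\x00"  # NUL-terminated, as on the wire
        return self

    def build(self) -> bytes:
        length = 4 + len(self.body)
        if length > 0xFFFF:
            raise ValueError("packet too long for the WORD length field")
        return struct.pack("<BBH", 0xFF, self.pid, length) + bytes(self.body)


# Constructed sample: a server token as it would appear in a hex dump.
SERVER_TOKEN_WIRE = bytes.fromhex("aa bb cc dd")


def token_roundtrip(wire: bytes):
    """Return (integer value, bytes written back) for a DWORD from the wire."""
    value = read_dword(wire)
    return value, write_dword(value)


def build_netgameport(port: int) -> bytes:
    """SID_NETGAMEPORT (0x45) with the port as a WORD, per the post above."""
    return PacketBuilder(0x45).add_word(port).build()


def build_logonproof(proof: bytes) -> bytes:
    """SID_AUTH_ACCOUNTLOGONPROOF (0x54): exactly 20 proof bytes, nothing else."""
    if len(proof) != 20:
        raise ValueError("client proof must be 20 bytes")
    return PacketBuilder(0x54).add_bytes(proof).build()


if __name__ == "__main__":
    value, back = token_roundtrip(SERVER_TOKEN_WIRE)
    print(f"wire {SERVER_TOKEN_WIRE.hex()} -> 0x{value:08x} -> wire {back.hex()}")
    print("0x45:", build_netgameport(6119).hex(" "))
    print("0x54 header:", build_logonproof(bytes(20))[:4].hex(" "))
```

The round trip is the check to run whenever a token or key looks "reversed" in the debugger: if writing the integer back reproduces the dump, the byte order is already right and no swap should be added. The builder's 0x45 output is the six-byte packet the post concluded it should have been sending.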