[Resolved] 0x3E Help (Again!)..

Started by Jaquio, March 08, 2006, 02:19 AM


Jaquio

Alright, as I said in another post, I went through and re-did all my packets since I had a new class that would make it easier. Because I was using stuff like.. "Mid(Data, blah, blah)" (the blahs were numbers, not actual blahs :P). Anyways, Hdx had given me a class with removedword and such. So I re-did my packets using them; however, after doing so my 0x3E quit working for some reason.. Could someone tell me exactly what is wrong with this..


1  70.106.238.227:1352  63.161.183.205:9367  17  Send 
0000  11 00 0E 4A 61 71 20 42 6F 74 20 76 31 2E 30 30    ...Jaq Bot v1.00
0010  00                                                 .

2  63.161.183.205:9367  70.106.238.227:1352  7  Recv 
0000  07 00 0E 73 32 EF C2                               ...s2..

3  70.106.238.227:1352  63.161.183.205:9367  7  Send 
0000  07 00 0F 37 17 56 D7                               ...7.V.

4  63.161.183.205:9367  70.106.238.227:1352  7  Recv 
0000  07 00 0F 01 00 00 00                               .......

5  70.106.238.227:1352  63.161.183.205:9367  7  Send 
0000  07 00 10 04 00 00 00                               .......

6  63.161.183.205:9367  70.106.238.227:1352  11  Recv 
0000  0B 00 10 04 00 00 00 0B 00 00 00                   ...........

7  70.106.238.227:1353  63.241.83.109:6112  59  Send 
0000  01 FF 50 3A 00 00 00 00 00 36 38 58 49 56 44 32    ..P:.....68XIVD2
0010  44 0B 00 00 00 00 00 00 00 00 00 00 00 80 04 00    D...............
0020  00 33 10 00 00 33 10 00 00 55 53 41 00 55 6E 69    .3...3...USA.Uni
0030  74 65 64 20 53 74 61 74 65 73 00                   ted States.

8  63.241.83.109:6112  70.106.238.227:1353  8  Recv 
0000  FF 25 08 00 3F 45 2F CC                            .%..?E/.

9  63.241.83.109:6112  70.106.238.227:1353  99  Recv 
0000  FF 50 63 00 00 00 00 00 F1 21 0F 2A 2B 80 0E 00    .Pc......!.*+...
0010  00 AC 41 43 25 0B C5 01 49 58 38 36 76 65 72 35    ..AC%...IX86ver5
0020  2E 6D 70 71 00 41 3D 32 36 34 34 33 38 36 37 36    .mpq.A=264438676
0030  20 42 3D 38 39 35 34 37 37 39 35 39 20 43 3D 32     B=895477959 C=2
0040  37 36 33 34 36 36 36 36 20 34 20 41 3D 41 5E 53    76346666 4 A=A^S
0050  20 42 3D 42 2B 43 20 43 3D 43 5E 41 20 41 3D 41     B=B+C C=C^A A=A
0060  5E 42 00                                           ^B.

10  70.106.238.227:1352  63.161.183.205:9367  73  Send 
0000  49 00 09 04 00 00 00 05 00 00 00 41 3D 32 36 34    I..........A=264
0010  34 33 38 36 37 36 20 42 3D 38 39 35 34 37 37 39    438676 B=8954779
0020  35 39 20 43 3D 32 37 36 33 34 36 36 36 36 20 34    59 C=276346666 4
0030  20 41 3D 41 5E 53 20 42 3D 42 2B 43 20 43 3D 43     A=A^S B=B+C C=C
0040  5E 41 20 41 3D 41 5E 42 00                         ^A A=A^B.

11  63.161.183.205:9367  70.106.238.227:1352  50  Recv 
0000  32 00 09 01 00 00 00 00 0B 00 01 83 62 5A 7F 47    2...........bZ.G
0010  61 6D 65 2E 65 78 65 20 30 38 2F 31 37 2F 30 35    ame.exe 08/17/05
0020  20 30 31 3A 31 31 3A 34 33 20 32 31 32 35 38 32     01:11:43 212582
0030  34 00                                              4.

14  70.106.238.227:1353  63.241.83.109:6112  110  Send 
0000  FF 25 08 00 00 00 00 00 FF 51 66 00 30 D1 E4 3D    .%.......Qf.0..=
0010  00 0B 00 01 83 62 5A 7F 01 00 00 00 00 00 00 00    .....bZ.........
0020  10 00 00 00 06 00 00 00 08 7B C1 00 00 00 00 00    .........{......
0030  89 1E 5A 9A 50 3A 20 AD 94 8F 91 E7 4C F6 2D C9    ..Z.P: .....L.-.
0040  7A DC EA B5 47 61 6D 65 2E 65 78 65 20 30 38 2F    z...Game.exe 08/
0050  31 37 2F 30 35 20 30 31 3A 31 31 3A 34 33 20 32    17/05 01:11:43 2
0060  31 32 35 38 32 34 00 4A 61 71 75 69 6F 00          125824.Jaquio.

15  63.241.83.109:6112  70.106.238.227:1353  9  Recv 
0000  FF 51 09 00 00 00 00 00 00                         .Q.......

16  70.106.238.227:1352  63.161.183.205:9367  28  Send 
0000  1C 00 0B 09 00 00 00 02 00 00 00 XX XX XX XX XX    ...........XXXXX
0010  XX XX XX XX 30 D1 E4 3D F1 21 0F 2A                XXXX0..=.!.*

17  63.161.183.205:9367  70.106.238.227:1352  23  Recv 
0000  17 00 0B D7 1B 2F 36 58 8B DC 81 DC 6A 9D E4 70    ...../6X....j..p
0010  E1 71 D3 67 4D 41 79                               .q.gMAy

18  70.106.238.227:1353  63.241.83.109:6112  51  Send 
0000  FF 14 08 00 74 65 6E 62 FF 2D 04 00 FF 3A 27 00    ....tenb.-...:'.
0010  30 D1 E4 3D F1 21 0F 2A D7 1B 2F 36 58 8B DC 81    0..=.!.*../6X...
0020  DC 6A 9D E4 70 E1 71 D3 67 4D 41 79 4A 61 71 75    .j..p.q.gMAyJaqu
0030  69 6F 00                                           io.

19  63.241.83.109:6112  70.106.238.227:1353  22  Recv 
0000  FF 2D 16 00 00 08 16 BF E9 50 C3 01 69 63 6F 6E    .-.......P..icon
0010  73 2E 62 6E 69 00                                  s.bni.

20  63.241.83.109:6112  70.106.238.227:1353  8  Recv 
0000  FF 3A 08 00 00 00 00 00                            .:......

21  70.106.238.227:1353  63.241.83.109:6112  4  Send 
0000  FF 40 04 00                                        .@..

22  63.241.83.109:6112  70.106.238.227:1353  51  Recv 
0000  FF 40 33 00 00 00 00 00 01 00 00 00 01 00 00 00    .@3.............
0010  55 53 57 65 73 74 00 52 65 61 6C 6D 20 66 6F 72    USWest.Realm for
0020  20 74 68 65 20 55 53 20 57 65 73 74 20 43 6F 61     the US West Coa
0030  73 74 00                                           st.

23  70.106.238.227:1352  63.161.183.205:9367  27  Send 
0000  1B 00 0B 08 00 00 00 02 00 00 00 70 61 73 73 77    ...........passw
0010  6F 72 64 30 D1 E4 3D F1 21 0F 2A                   ord0..=.!.*

24  63.161.183.205:9367  70.106.238.227:1352  23  Recv 
0000  17 00 0B 30 17 F9 02 8E 0F 2F 3A 98 E4 5C A9 30    ...0...../:..\.0
0010  D7 53 C3 31 44 31 5D                               .S.1D1]

25  70.106.238.227:1353  63.241.83.109:6112  31  Send 
0000  FF 3E 1F 00 30 17 F9 02 8E 0F 2F 3A 98 E4 5C A9    .>..0...../:..\.
0010  30 D7 53 C3 31 44 31 5D 55 53 57 65 73 74 00       0.S.1D1]USWest.

26  63.241.83.109:6112  70.106.238.227:1353  12  Recv 
0000  FF 3E 0C 00 30 17 F9 02 01 00 00 80                .>..0.......


That is a packet log of an attempt to log onto a realm.. If you need the code I will post it, but perhaps someone could tell me what is wrong with that..

Ringo

Quote from: Jaquio on March 08, 2006, 02:19 AM

25  70.106.238.227:1353  63.241.83.109:6112  31  Send 
0000  FF 3E 1F 00 30 17 F9 02 8E 0F 2F 3A 98 E4 5C A9    .>..0...../:..\.
0010  30 D7 53 C3 31 44 31 5D 55 53 57 65 73 74 00       0.S.1D1]USWest.

26  63.241.83.109:6112  70.106.238.227:1353  12  Recv 
0000  FF 3E 0C 00 30 17 F9 02 01 00 00 80                .>..0.......


At a quick glance, isn't the realm password hash meant to be 5 DWORDs?


[EDIT]
Quote from: Jaquio on March 08, 2006, 02:19 AM

12  70.106.238.227:1352  63.161.183.205:9367  24  Send 
0000  18 00 01 F1 21 0F 2A XX XX XX XX XX XX XX XX XX    ....!.*XXXXXXXXX
0010  XX XX XX XX XX XX XX 00                            XXXXXXX.

13  63.161.183.205:9367  70.106.238.227:1352  47  Recv 
0000  2F 00 01 01 00 00 00 ......................

Aside: wouldn't it be best to also blank out the decoded CD key in the recv packet?
Or not include them at all unless needed?

Jaquio

Heh, didn't know you could reverse the decoded CD key.. O_o.. Anyways, I removed that from my packet log. OK, here is the code for sending the password hash.


        Case &H40   ' SID_QUERYREALMS2 reply: the realm list
        'Debug.Print "Recv'd:0x40"
            With DB
                .SetData Data
                .StripHeader
                .rDWORD                     ' unknown (0 in the log above)
                .rDWORD                     ' realm count (1 in the log above)
                .rDWORD                     ' first realm: unknown (1 in the log above)
                strBNetRealm = .rNTString   ' first realm: title ("USWest")
               
                HType = 3                   ' next BNLS reply is the realm password hash
                With PB
                    .InsertDWORD &H8        ' size of the data to hash ("password" = 8 bytes)
                    .InsertDWORD &H2        ' flags: double hash with client/server token
                    .InsertNonNTString "password"
                    .InsertDWORD ClientToken
                    .InsertDWORD ServerToken
                    .SendBNLSPacket &HB     ' BNLS_HASHDATA
                End With
            End With



Here is how I handle the data.


            ElseIf HType = 3 Then           ' BNLS_HASHDATA reply: 5 DWORDs of hash
                With DB
                    .SetData Data
                    .StripBNLSHeader
                End With
               
                ' As posted: the 20 hash bytes go straight after the BNCS header,
                ' with no DWORD in front of them, followed by the realm title.
                With PB
                    .InsertNonNTString DB.rVOID(5 * 4)
                    .InsertNTString strBNetRealm
                    .SendPacket &H3E        ' SID_LOGONREALMEX
                End With
            End If


Now.. what exactly is wrong with the code? Also, is there anything else I should post?

Ringo

Quote from: Jaquio on March 08, 2006, 03:31 AM
Heh, didn't know you could reverse the decoded CDKey.. O_o
Clicky :)
Quote from: Jaquio on March 08, 2006, 03:31 AM
Here is how I handle the data.

            ElseIf HType = 3 Then
                With DB
                    .SetData Data
                    .StripBNLSHeader
                End With
               
                With PB
                    .InsertNonNTString DB.rVOID(5 * 4)
                    .InsertNTString strBNetRealm
                    .SendPacket &H3E
                End With
            End If

Now.. what exactly is wrong with the code? Also, is there anything else I should post?
Yeah, like I said, there are meant to be 5 DWORDs of hashed data, but in your 0x3E packet log you only have 5 in total (where's the client token?!?)

                With PB
                    .InsertDWORD ClientToken
                    .InsertNonNTString DB.rVOID(5 * 4)
                    .InsertNTString strBNetRealm
                    .SendPacket &H3E
                End With

It's worth checking the bnet docs when you're unsure of something like this.

Hope this helps
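
Worked example, added by the editor (it is not code from this thread or from Jaquio's bot, and it is Python rather than VB6 so it runs on its own): a 0x3E request built the way Ringo lays it out, cookie DWORD in front, then the five hash DWORDs, then the realm title, plus a decoder that splits a captured 0x3E into those fields, assuming bnet reads them in that order, and reports how many bytes are missing. The two sample packets are the 31-byte 0x3E from the first log and the 35-byte one from Jaquio's later log in this thread; the function names, the diagnose helper and the cookie value used for the rebuilt packet (the client token from the first log) are the editor's choices, not anything the thread specifies.

```python
"""SID_LOGONREALMEX (0x3E) request builder and layout check (added example)."""
import struct

SID_LOGONREALMEX = 0x3E
HASH_LEN = 5 * 4  # the double-hashed realm password is five DWORDs

# Constructed from the captures in this thread: the first 0x3E attempt (no cookie)
# and the later 35-byte one (cookie present, realm "USEast").
CAPTURED_31_BYTES = bytes.fromhex(
    "FF 3E 1F 00 30 17 F9 02 8E 0F 2F 3A 98 E4 5C A9 "
    "30 D7 53 C3 31 44 31 5D 55 53 57 65 73 74 00")
CAPTURED_35_BYTES = bytes.fromhex(
    "FF 3E 23 00 05 55 4A 43 A4 5D 0C 88 FD B4 71 B4 "
    "38 1B 8C F6 38 26 37 25 D1 51 10 00 55 53 45 61 "
    "73 74 00")


def bncs_packet(pid, payload):
    """Frame a BNCS packet: 0xFF, packet id, little-endian WORD length (header included)."""
    return struct.pack("<BBH", 0xFF, pid, 4 + len(payload)) + payload


def build_logonrealmex(cookie, pw_hash, realm):
    """C>S 0x3E: (DWORD) cookie, (DWORD[5]) hashed realm password, (STRING) realm title."""
    if len(pw_hash) != HASH_LEN:
        raise ValueError("realm password hash must be 5 DWORDs (20 bytes)")
    payload = struct.pack("<I", cookie) + pw_hash + realm.encode("ascii") + b"\0"
    return bncs_packet(SID_LOGONREALMEX, payload)


def decode_logonrealmex(packet):
    """Split a captured 0x3E request into its fields, assuming the correct layout."""
    if len(packet) < 4 or packet[0] != 0xFF or packet[1] != SID_LOGONREALMEX:
        raise ValueError("not a 0x3E BNCS packet")
    (declared,) = struct.unpack_from("<H", packet, 2)
    if declared != len(packet):
        raise ValueError(f"header says {declared} bytes, captured {len(packet)}")
    body = packet[4:]
    if len(body) < 4 + HASH_LEN + 1:
        raise ValueError("body too short for cookie + 5-DWORD hash + NUL")
    (cookie,) = struct.unpack_from("<I", body, 0)
    title, sep, trailing = body[4 + HASH_LEN:].partition(b"\0")
    if not sep:
        raise ValueError("realm title is not NUL-terminated")
    return {"cookie": cookie, "hash": body[4:4 + HASH_LEN],
            "title": title.decode("ascii", "replace"), "trailing": trailing}


def diagnose_logonrealmex(packet, realm):
    """Compare a captured 0x3E with the length a well-formed one for `realm` must have."""
    expected = 4 + 4 + HASH_LEN + len(realm) + 1
    fields = decode_logonrealmex(packet)
    if fields["title"] == realm and len(packet) == expected:
        return "ok"
    missing = expected - len(packet)
    return (f"title decodes as {fields['title']!r} instead of {realm!r}; packet is "
            f"{len(packet)} bytes, a correct one is {expected}: {missing} byte(s) "
            "missing in front of the hash (one DWORD is 4 bytes)")


if __name__ == "__main__":
    print(diagnose_logonrealmex(CAPTURED_31_BYTES, "USWest"))
    print(diagnose_logonrealmex(CAPTURED_35_BYTES, "USEast"))
    # Rebuild the first attempt with the client token from that log in front of the hash.
    rebuilt = build_logonrealmex(0x3DE4D130, CAPTURED_31_BYTES[4:24], "USWest")
    print(rebuilt.hex(" "), diagnose_logonrealmex(rebuilt, "USWest"))
```

On the 31-byte capture the title decodes as "st": with no cookie in front, the first four hash bytes get read as the cookie and the last four as the start of the realm title, so the realm name was never seen (Ringo's "at the right offset"). The check is on layout only; a well-formed packet carrying the wrong hash still gets 0x80000002 back.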

Jaquio

Quote from: Ringo on March 08, 2006, 04:25 AM
Quote from: Jaquio on March 08, 2006, 03:31 AM
Heh, didn't know you could reverse the decoded CDKey.. O_o
Clicky :)
Hehe, that is pretty cool. But what would be the exact point of it? Lol, why would you need to decode a CD key?

Quote from: Ringo on March 08, 2006, 04:25 AM
Quote from: Jaquio on March 08, 2006, 03:31 AM
Here is how I handle the data.

            ElseIf HType = 3 Then
                With DB
                    .SetData Data
                    .StripBNLSHeader
                End With
               
                With PB
                    .InsertNonNTString DB.rVOID(5 * 4)
                    .InsertNTString strBNetRealm
                    .SendPacket &H3E
                End With
            End If

Now.. what exactly is wrong with the code? Also, is there anything else I should post?
Yeah, like I said, there are meant to be 5 DWORDs of hashed data, but in your 0x3E packet log you only have 5 in total (where's the client token?!?)

Erm, you have to add the client token into it? I mean, SID_LOGONREALMEX (0x3E) says nothing about it. Just cookie, hashed realm password and realm title. I had just noticed the cookie DWORD; I thought it was optional.

Quote from: Ringo on March 08, 2006, 04:25 AM

                With PB
                    .InsertDWORD ClientToken
                    .InsertNonNTString DB.rVOID(5 * 4)
                    .InsertNTString strBNetRealm
                    .SendPacket &H3E
                End With

It's worth checking the bnet docs when you're unsure of something like this.

Hope this helps

I tried what you had suggested and now instead of getting 0x80000001 (Realm is unavailable) I get 0x80000002 (Realm logon failed). I take it it is from inserting the ClientToken where the cookie was supposed to go? Or is it something else?

Ringo

Quote from: Jaquio on March 08, 2006, 04:38 AM
Hehe, that is pretty cool. But what would be the exact point of it? Lol, why would you need to decode a cdkey?
If you meant encode: so you can generate D2/W2 CD keys from the product, public and private values.

Quote from: Jaquio on March 08, 2006, 04:38 AM
I tried what you had suggested and now instead of getting 0x80000001(Realm is unavailable) I get 0x80000002(Realm logon failed). I take it, it is from inserting the ClientToken where the cookie was supposed to go? Or is it something else?
Hm?
Well, if it's no longer saying realm unavailable, the realm can now see your chosen realm name, as it's now at the right offset.
The only thing left to be causing it now is the hash and tokens used.
If you're using your client token as the "cookie" when you request that BNLS hash the realm password, then you have to put it as the "cookie" in the 0x3E bnet packet; otherwise bnet will compute a hash different to yours, resulting in the realm failed response.

Jaquio

Quote from: Ringo on March 08, 2006, 04:55 AM
Quote from: Jaquio on March 08, 2006, 04:38 AM
Hehe, that is pretty cool. But what would be the exact point of it? Lol, why would you need to decode a cdkey?
If you meant encode: so you can generate D2/W2 CD keys from the product, public and private values.
No, I did mean decode, because you said I shouldn't put the decoded CD key in the log. So what you made decodes and encodes, right?

Edit: Oh, never mind, I understand now: someone could take the decoded CD key, then re-encode it and have it, right?

Quote from: Ringo on March 08, 2006, 04:55 AM
Quote from: Jaquio on March 08, 2006, 04:38 AM
I tried what you had suggested and now instead of getting 0x80000001(Realm is unavailable) I get 0x80000002(Realm logon failed). I take it, it is from inserting the ClientToken where the cookie was supposed to go? Or is it something else?
Hm?
Well, if it's no longer saying realm unavailable, the realm can now see your chosen realm name, as it's now at the right offset.
The only thing left to be causing it now is the hash and tokens used.
If you're using your client token as the "cookie" when you request that BNLS hash the realm password, then you have to put it as the "cookie" in the 0x3E bnet packet; otherwise bnet will compute a hash different to yours, resulting in the realm failed response.

See, that is the thing: I am not sending a cookie at all when I hash the data. For BNLS_HASHDATA (0x0B) the cookie is only used for a cookie hash, therefore I don't need to send the cookie if I am double hashing the realm password. I have never used my client token as a cookie for anything in my code, so I wouldn't need to use it as a cookie to respond with. So I am not sure what the heck I am doing wrong, when I had it working once before...


21  70.106.238.227:3928  63.240.202.127:6112  4  Send 
0000  FF 40 04 00                                        .@..

22  63.240.202.127:6112  70.106.238.227:3928  51  Recv 
0000  FF 40 33 00 00 00 00 00 01 00 00 00 01 00 00 00    .@3.............
0010  55 53 45 61 73 74 00 52 65 61 6C 6D 20 66 6F 72    USEast.Realm for
0020  20 74 68 65 20 55 53 20 45 61 73 74 20 43 6F 61     the US East Coa
0030  73 74 00                                           st.

23  70.106.238.227:3927  63.161.183.205:9367  27  Send 
0000  1B 00 0B 08 00 00 00 02 00 00 00 05 55 4A 43 B9    ............UJC.
0010  E9 A6 09 70 61 73 73 77 6F 72 64                   ...password

24  63.161.183.205:9367  70.106.238.227:3927  23  Recv 
0000  17 00 0B A4 5D 0C 88 FD B4 71 B4 38 1B 8C F6 38    ....]....q.8...8
0010  26 37 25 D1 51 10 00                               &7%.Q..

25  70.106.238.227:3928  63.240.202.127:6112  35  Send 
0000  FF 3E 23 00 05 55 4A 43 A4 5D 0C 88 FD B4 71 B4    .>#..UJC.]....q.
0010  38 1B 8C F6 38 26 37 25 D1 51 10 00 55 53 45 61    8...8&7%.Q..USEa
0020  73 74 00                                           st.

26  63.240.202.127:6112  70.106.238.227:3928  12  Recv 
0000  FF 3E 0C 00 05 55 4A 43 02 00 00 80                .>...UJC....


A new packet log using the client token as the cookie for sending to SID_LOGONREALMEX(0x3E)...

Ringo

Quote from: Jaquio on March 08, 2006, 05:03 AM
Edit: Oh nevermind I understand now, someone could take the decoded cdkey then re-encode it then have it, right?
yep.

Quote from: Jaquio on March 08, 2006, 05:03 AM

23  70.106.238.227:3927  63.161.183.205:9367  27  Send 
0000  1B 00 0B 08 00 00 00 02 00 00 00 05 55 4A 43 B9    ............UJC.
0010  E9 A6 09 70 61 73 73 77 6F 72 64                   ...password

Because........ HINT
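
Worked example, added by the editor (not from the thread or the bot; Python): BNLS_HASHDATA (0x0B) with the 0x02 flag, where the client and server token DWORDs go after the data, and a parser that reads the request field by field, assuming BNLS consumes it in that order: the size DWORD decides how many bytes count as data, and the two token DWORDs are whatever comes next. The tokens-first request is the one quoted just above; the data-first one and the 0x3E header are from Jaquio's later, working log further down the thread. Function names and the tokens_consistent helper are the editor's.

```python
"""BNLS_HASHDATA (0x0B) field order for the double hash (added example)."""
import struct

BNLS_HASHDATA = 0x0B
FLAG_DOUBLE_HASH = 0x02  # flag used in the thread: hash with client and server token

# Constructed from this thread's logs: the request quoted above (tokens before the
# data) and the later working one (data before the tokens), both 27 bytes.
TOKENS_FIRST = bytes.fromhex(
    "1B 00 0B 08 00 00 00 02 00 00 00 05 55 4A 43 B9 "
    "E9 A6 09 70 61 73 73 77 6F 72 64")
DATA_FIRST = bytes.fromhex(
    "1B 00 0B 08 00 00 00 02 00 00 00 70 61 73 73 77 "
    "6F 72 64 7E E5 67 43 C4 39 0F E5")
# Header and first DWORD of the 0x3E request that finally succeeded in the later log.
WORKING_LOGONREALMEX_HEAD = bytes.fromhex("FF 3E 23 00 7E E5 67 43")


def bnls_packet(pid, payload):
    """Frame a BNLS packet: little-endian WORD total length, then the BYTE packet id."""
    return struct.pack("<HB", 3 + len(payload), pid) + payload


def build_hashdata_double(data, client_token, server_token):
    """BNLS_HASHDATA, flag 0x02: (DWORD) size, (DWORD) flags, (VOID) data,
    then (DWORD) client token and (DWORD) server token *after* the data."""
    payload = struct.pack("<II", len(data), FLAG_DOUBLE_HASH) + data
    payload += struct.pack("<II", client_token, server_token)
    return bnls_packet(BNLS_HASHDATA, payload)


def parse_hashdata(packet):
    """Read a BNLS_HASHDATA request in field order. The size DWORD says how many
    bytes are data; with flag 0x02 the next two DWORDs are the tokens. Put the
    tokens in front of the data and they get hashed as data, while the first
    eight bytes of the password are taken as the tokens."""
    length, pid = struct.unpack_from("<HB", packet, 0)
    if pid != BNLS_HASHDATA or length != len(packet):
        raise ValueError("not a well-framed BNLS_HASHDATA packet")
    size, flags = struct.unpack_from("<II", packet, 3)
    pos = 11
    fields = {"size": size, "flags": flags, "data": packet[pos:pos + size]}
    pos += size
    if flags & FLAG_DOUBLE_HASH:
        fields["client_token"], fields["server_token"] = struct.unpack_from("<II", packet, pos)
        pos += 8
    fields["trailing"] = packet[pos:]
    return fields


def logonrealmex_first_dword(packet):
    """The DWORD in front of the hash in a C>S 0x3E request (echoed back as the cookie)."""
    return struct.unpack_from("<I", packet, 4)[0]


def tokens_consistent(hashdata_packet, logonrealmex_packet):
    """In the working log the client token handed to BNLS equals the DWORD sent in
    front of the hash in 0x3E; this checks a pair of captures for that."""
    return parse_hashdata(hashdata_packet)["client_token"] == logonrealmex_first_dword(logonrealmex_packet)


if __name__ == "__main__":
    for name, pkt in (("tokens first", TOKENS_FIRST), ("data first", DATA_FIRST)):
        f = parse_hashdata(pkt)
        print(name, f["data"], hex(f["client_token"]), hex(f["server_token"]))
    print(build_hashdata_double(b"password", 0x4367E57E, 0xE50F39C4) == DATA_FIRST)
```

On the tokens-first capture the parser comes back with data 05 55 4A 43 B9 E9 A6 09 and client token 0x73736170 ("pass"), server token 0x64726F77 ("word"): the two tokens got hashed as the password with "pass" and "word" as the keys, and that is the hash bnet answered with 0x80000002. Rebuilding the request with the data first reproduces the later working capture byte for byte.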

Jaquio

Quote from: Ringo on March 08, 2006, 05:12 AM
Quote from: Jaquio on March 08, 2006, 05:03 AM
Edit: Oh nevermind I understand now, someone could take the decoded cdkey then re-encode it then have it, right?
yep.
That is pretty cool, you're really smart..  :o

Quote from: Ringo on March 08, 2006, 05:12 AM
Quote from: Jaquio on March 08, 2006, 05:03 AM

23  70.106.238.227:3927  63.161.183.205:9367  27  Send 
0000  1B 00 0B 08 00 00 00 02 00 00 00 05 55 4A 43 B9    ............UJC.
0010  E9 A6 09 70 61 73 73 77 6F 72 64                   ...password

Because........ HINT

Were you pointing out this fact... "the client key and server key DWORDs must be specified in the request after the data."... If so, that is what fixed it.. lmao. I was not thinking about the order of data.. Not sure why.. Thanks Ringo, I love yous!..  :P Have fun.

EDIT:

Err, nvm.. It seems that I recv'd back 0x3E with the information, but I think the IP address may be wrong, because it is doing nothing at all after recving 0x3E; it is supposed to connect to the realm IP and then send MCP_STARTUP (0x01)..



23  70.106.238.227:4159  63.161.183.205:9367  27  Send 
0000  1B 00 0B 08 00 00 00 02 00 00 00 70 61 73 73 77    ...........passw
0010  6F 72 64 7E E5 67 43 C4 39 0F E5                   ord~.gC.9..

24  63.161.183.205:9367  70.106.238.227:4159  23  Recv 
0000  17 00 0B 5E 69 E6 E8 B9 39 DF 9E 39 22 67 73 C9    ...^i...9..9"gs.
0010  07 A7 AA 09 18 B7 78                               ......x

25  70.106.238.227:4160  63.240.202.126:6112  35  Send 
0000  FF 3E 23 00 7E E5 67 43 5E 69 E6 E8 B9 39 DF 9E    .>#.~.gC^i...9..
0010  39 22 67 73 C9 07 A7 AA 09 18 B7 78 55 53 45 61    9"gs.......xUSEa
0020  73 74 00                                           st.

26  63.240.202.126:6112  70.106.238.227:4160  85  Recv 
0000  FF 3E 55 00 7E E5 67 43 3B FF 65 D8 3F F0 CA 7E    .>U.~.gC;.e.?..~
0010  60 3F 0E 00 3F F0 CA 94 17 E0 00 00 00 00 00 00    `?..?...........
0020  08 7B C1 06 C0 8B D9 D3 56 44 32 44 36 38 58 49    .{......VD2D68XI
0030  3F F0 CA 7E 33 10 00 00 AC 27 0B BE 88 80 D7 54    ?..~3....'.....T
0040  4B 6A DC 2C 6E CE BD 5D 84 1C CF 09 4A 61 71 75    Kj.,n..]....Jaqu
0050  69 6F 00 02 F9                                     io...



There is a new Packet Log. I think everything is correct..

EDIT(Again):

I just found out I recv this from my WinSock.


Error 10060
Description:The attempt to connect timed out


So.. bad IP Address I take it?

Jaquio

Erm, bump? Not sure if they're allowed. But I have edited my post and the views haven't moved since I have.


Anyways, can anyone help?

teK

What are you sending after you receive 0x3E?

Jaquio

Quote from: teK on March 08, 2006, 08:22 PM
What are you sending after you receive 0x3E?

I am not sending anything; I get the realm's IP address and try to connect with Winsock. I recv this error from Winsock when trying to connect to the decoded IP address.


Error 10060
Description:The attempt to connect timed out


It won't connect to the realm for some reason. I think I am getting the data wrong or not making the server address right. Here is my MakeServ function.


' Turns the 4 raw bytes of the IP DWORD, passed as a String, into dotted-quad form:
' each byte becomes one number, in the order the bytes arrived on the wire.
Public Function MakeServ(Data As String) As String
    Dim strIP(1 To 4) As String
    strIP(1) = Asc(Mid(Data, 1, 1))
    strIP(2) = Asc(Mid(Data, 2, 1))
    strIP(3) = Asc(Mid(Data, 3, 1))
    strIP(4) = Asc(Mid(Data, 4, 1))
    MakeServ = Join(strIP, ".")
End Function


And here is what I send to the function.


        Case &H3E   ' SID_LOGONREALMEX reply
        Dim lngCookie As Long, lngStatus As Long, lngPort As Long
        'Debug.Print "Recv'd:0x3E"
                         
            With DB
                .SetData Data
                .StripHeader
                lngCookie = .rDWORD
                lngStatus = .rDWORD
               
                ' 0x80000001 and 0x80000002 are the two failure statuses
                If lngStatus = &H80000001 Or lngStatus = &H80000002 Then
                Select Case lngStatus
                    Case &H80000001
                        AddChat vbLtGreen2, D2Red, "Realm is unavailable!"
                    Case &H80000002
                        AddChat vbLtGreen2, D2Red, "Realm logon failed!"
                End Select
                    frmMain.wsBnls.Close
                    frmMain.wsBnet.Close
                    Exit Sub
                End If
               
                strMCPP1 = .rVOID(2 * 4)      ' MCP chunk 1 (2 DWORDs)
                ServIp = .rDWORD              ' realm IP, read here as a DWORD
                lngPort = .rDWORD             ' realm port (6112 is hard-coded below instead)
                strMCPP2 = .rVOID(12 * 4)     ' MCP chunk 2 (12 DWORDs)
                strBNCSUN = .rNTString        ' Battle.net unique name
                ' cookie + status + both chunks: the 16 DWORDs sent in MCP_STARTUP
                strMCPChunks = MakeDWORD(lngCookie) & MakeDWORD(lngStatus) & strMCPP1 & strMCPP2
               
                frmMain.wsRealm.Close
                frmMain.wsRealm.Connect MakeServ(ServIp), 6112
            End With


Also, the above packetlog is what I recv back. Am I doing something wrong?


Edit:

Never mind, I always end up fixing my own mistakes somehow... I forgot to turn the string ServIP into a DWORD and then send it through the function. All works fine now.. Sorry for all the trouble..
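
Worked example, added by the editor (not the thread's code; Python): parsing the S>C 0x3E reply the way the Case &H3E handler above does, assembling the 16 DWORDs for MCP_STARTUP, and converting the realm IP from the DWORD's four raw bytes, next to what MakeServ produces when it is handed the DWORD's decimal string instead, which is the mistake the edit describes. The 85-byte reply is packet 26 of the log above and the 12-byte one is the "Realm logon failed" reply from the earlier log. Reading the port as a big-endian WORD (17 E0 gives 6112) is the editor's interpretation; the bot hard-codes 6112. The two bytes after the unique name are returned untouched because the thread does not say what they are.

```python
"""S>C SID_LOGONREALMEX (0x3E) reply parser and realm IP conversion (added example)."""
import struct

SID_LOGONREALMEX = 0x3E
REALM_UNAVAILABLE = 0x80000001
REALM_LOGON_FAILED = 0x80000002

# Constructed from this thread's logs: the 85-byte success reply from the last log
# and the 12-byte "Realm logon failed" reply from the earlier one.
REPLY_OK = bytes.fromhex(
    "FF 3E 55 00 7E E5 67 43 3B FF 65 D8 3F F0 CA 7E "
    "60 3F 0E 00 3F F0 CA 94 17 E0 00 00 00 00 00 00 "
    "08 7B C1 06 C0 8B D9 D3 56 44 32 44 36 38 58 49 "
    "3F F0 CA 7E 33 10 00 00 AC 27 0B BE 88 80 D7 54 "
    "4B 6A DC 2C 6E CE BD 5D 84 1C CF 09 4A 61 71 75 "
    "69 6F 00 02 F9")
REPLY_FAILED = bytes.fromhex("FF 3E 0C 00 05 55 4A 43 02 00 00 80")


def ip_from_raw(raw4):
    """Dotted quad from the 4 bytes of the IP DWORD in wire order (what MakeServ expects)."""
    return ".".join(str(b) for b in raw4)


def ip_from_decimal_string(text):
    """What MakeServ does when given the DWORD's decimal string instead of its bytes:
    it takes the character codes of the first four characters."""
    return ".".join(str(ord(c)) for c in text[:4])


def dword_as_vb_long_string(raw4):
    """The IP DWORD read as a VB6 Long (signed 32-bit, little-endian) and stringified."""
    return str(struct.unpack("<i", raw4)[0])


def parse_logonrealmex_reply(packet):
    """(DWORD) cookie, (DWORD) status, then on success (DWORD[2]) MCP chunk 1,
    (DWORD) IP, (DWORD) port, (DWORD[12]) MCP chunk 2, (STRING) unique name.
    Cookie, status and both chunks (16 DWORDs) are what MCP_STARTUP carries."""
    if len(packet) < 12 or packet[0] != 0xFF or packet[1] != SID_LOGONREALMEX:
        raise ValueError("not a 0x3E BNCS packet")
    (declared,) = struct.unpack_from("<H", packet, 2)
    if declared != len(packet):
        raise ValueError(f"header says {declared} bytes, captured {len(packet)}")
    cookie, status = struct.unpack_from("<II", packet, 4)
    if status in (REALM_UNAVAILABLE, REALM_LOGON_FAILED):
        return {"ok": False, "cookie": cookie, "status": status}
    if len(packet) < 77:
        raise ValueError("success reply too short for the MCP fields")
    chunk1, ip_raw, port_raw, chunk2 = packet[12:20], packet[20:24], packet[24:28], packet[28:76]
    name, sep, trailing = packet[76:].partition(b"\0")
    if not sep:
        raise ValueError("unique name is not NUL-terminated")
    return {
        "ok": True, "cookie": cookie, "status": status,
        "ip": ip_from_raw(ip_raw),
        # Interpretation: first two bytes as a big-endian WORD; 17 E0 gives 6112.
        "port": struct.unpack(">H", port_raw[:2])[0],
        "mcp_startup": packet[4:12] + chunk1 + chunk2,
        "unique_name": name.decode("ascii"),
        "trailing": trailing,
    }


if __name__ == "__main__":
    reply = parse_logonrealmex_reply(REPLY_OK)
    print(reply["ip"], reply["port"], reply["unique_name"], len(reply["mcp_startup"]))
    raw = REPLY_OK[20:24]
    print("from raw bytes:     ", ip_from_raw(raw))
    print("from decimal string:", ip_from_decimal_string(dword_as_vb_long_string(raw)))
    print(hex(parse_logonrealmex_reply(REPLY_FAILED)["status"]))
```

Run it and the IP comes out as 63.240.202.148 from the raw bytes, while the decimal-string route gives 45.49.55.57 (the codes of "-", "1", "7", "9"), which is an address nobody is listening on, hence the Winsock 10060 timeout above.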

UserLoser

Quote

                If lngStatus = &H80000001 Or lngStatus = &H80000002 Then
                Select Case lngStatus
                    Case &H80000001
                        AddChat vbLtGreen2, D2Red, "Realm is unavailable!"
                    Case &H80000002
                        AddChat vbLtGreen2, D2Red, "Realm logon failed!"


Wtf

Hdx

He's asking why you have an if statement.
Take that out and use a full select case.
~-~(HDX)~-~

Proud host of the JBLS server www.JBLS.org.