New Auth System on battle.net?

Logitech · November 13, 2006, 01:49 AM

Can I just check, you send 0x1A after you receive 0x50, right?

UserLoser · November 13, 2006, 01:53 AM

Quote from: Logitech on November 13, 2006, 01:49 AM
Can I just check, you send 0x1A after you receive 0x50, right?

You can send it whenever you like

Sending it after that is the ideal time to send it...so yes.

Jaquio · November 13, 2006, 03:10 AM

Quote from: l2k-Shadow on November 12, 2006, 11:58 PM
BNLS_VERSIONCHECKEX2 requires
(STRING) Version check archive filename.

Code Select Expand
Battle.net->Client 0x50 ff 50 3e 00 00 00 00 00 20 48 ...K...P>..... H 0040 8c 78 f2 dd 28 00 00 90 82 c4 72 fc c6 01 6c 6f .x..(.....r...lo 0050 63 6b 64 6f 77 6e 2d 49 58 38 36 2d 30 34 2e 6d ckdown-IX86-04.m 0060 70 71 00 2f 20 52 8b b5 28 2f 7b 5b 21 4f 35 da pq./ R..(/{[!O5. 0070 e0 0a 1f 00 .... Client->BNLS 0x1A 3d 00 1a 02 00 00 00 00 00 00 ......=......... 0040 00 00 00 00 00 00 90 82 c4 72 fc c6 01 6c 6f 63 .........r...loc 0050 6b 64 6f 77 6e 2d 49 58 38 36 2d 30 34 2e 6d 70 kdown-IX86-04.mp 0060 71 00 2f 20 52 8b b5 28 2f 7b 5b 21 4f 35 da e0 q./ R..(/{[!O5.. 0070 0a 1f 00 ...

Ohh, ok I didn't see that thought you still had to send the xx values(lockdown-IX86-xx.mpq). But it still didn't work, here is a full log(BNLS_CDKey removed).

Code Select


[BNLS] Connecting...
[BNLS] BNLS Server bnls.valhallalegends.com Connected on port 9367!
[BNLS] Sent:
07 00 10 02 00 00 00                             .......
Length: 7


[BNLS] Getting verbyte...
[BNLS] Received: 
0b 00 10 02 00 00 00 cf 00 00 00                 ...........
Length: 11


[BNLS] Using verbyte:0xcf
[BNET] Connecting...
[BNET] BNET Server useast.battle.net Connected on port 6112!
[BNET] Sent:
ff 50 3a 00 00 00 00 00 36 38 58 49 50 58 45 53  .P:.....68XIPXES
cf 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 55 53 41 00 55 6e 69 74  ........USA.Unit
65 64 20 53 74 61 74 65 73 00                    ed States.
Length: 58


[BNET] Requesting authorization..
[BNET] Received: 
ff 25 08 00 ea 4a 03 10                          .%...J..
Length: 8


[BNET] Received: 
ff 50 3e 00 00 00 00 00 0f 26 63 c4 32 02 43 00  .P>......&c.2.C.
00 09 ef c0 72 fc c6 01 6c 6f 63 6b 64 6f 77 6e  ....r...lockdown
2d 49 58 38 36 2d 30 33 2e 6d 70 71 00 29 e8 27  -IX86-03.mpq.).'
3f b5 0a 9c 15 dd 94 76 70 25 f6 ce ea 00        ?......vp%....
Length: 62


[BNET] Sent:
ff 25 08 00 ea 4a 03 10                          .%...J..
Length: 8


[BNLS] Sent:
3f 00 1a 02 00 00 00 00 00 00 00 06 b9 b5 50 00  ?.............P.
09 ef c0 72 fc c6 01 6c 6f 63 6b 64 6f 77 6e 2d  ...r...lockdown-
49 58 38 36 2d 30 33 2e 6d 70 71 00 00 29 e8 27  IX86-03.mpq..).'
3f b5 0a 9c 15 dd 94 76 70 25 f6 ce ea 00 00     ?......vp%.....
Length: 63


[BNLS] Performing CheckRevision...
[BNLS] Received: 
28 00 1a 01 00 00 00 01 00 0e 01 ab 05 b4 13 81  (...............
ac 39 92 2d 9c 68 a6 c4 66 e1 04 df a3 93 76 00  .9.-.h..f.....v.
06 b9 b5 50 cf 00 00 00                          ...P....
Length: 40


[BNET] Sent:
ff 51 59 00 06 b9 b5 50 01 00 0e 01 ab 05 b4 13  .QY....P........
01 00 00 00 00 00 00 00 0d 00 00 00 01 00 00 00  ................
81 92 10 00 00 00 00 00 3e ff 69 24 86 ed 26 bc  ........>.i$..&.
f7 3c 2e c2 e3 1f 46 5d d0 e2 43 d6 81 ac 39 92  .<....F]..C...9.
2d 9c 68 a6 c4 66 e1 04 df a3 93 76 00 50 48 50  -.h..f.....v.PHP
42 6f 74 20 76 31 2e 30 00                       Bot v1.0.
Length: 89


[BNET] Attempting to answer challenge..
[BNET] Received: 
ff 51 09 00 01 01 00 00 00                       .Q.......
Length: 9


[BNET] Invalid version.

Any idea what could be wrong?

Ringo · November 13, 2006, 03:18 AM

Quote from: Jaquio on November 13, 2006, 03:10 AM
[BNLS] Sent:
3f 00 1a 02 00 00 00 00 00 00 00 06 b9 b5 50 00    ?.............P.
09 ef c0 72 fc c6 01 6c 6f 63 6b 64 6f 77 6e 2d    ...r...lockdown-
49 58 38 36 2d 30 33 2e 6d 70 71 00 00 29 e8 27    IX86-03.mpq..).'
3f b5 0a 9c 15 dd 94 76 70 25 f6 ce ea 00 00    ?......vp%.....

The problems right there I think, your nullstrings are double null'ed

[EDIT]: Shouldnt BNLS rejected an over sized request like that?

UserLoser · November 13, 2006, 03:33 AM

Quote from: Ringo on November 13, 2006, 03:18 AM
Quote from: Jaquio on November 13, 2006, 03:10 AM
[BNLS] Sent:
3f 00 1a 02 00 00 00 00 00 00 00 06 b9 b5 50 00    ?.............P.
09 ef c0 72 fc c6 01 6c 6f 63 6b 64 6f 77 6e 2d    ...r...lockdown-
49 58 38 36 2d 30 33 2e 6d 70 71 00 00 29 e8 27    IX86-03.mpq..).'
3f b5 0a 9c 15 dd 94 76 70 25 f6 ce ea 00 00    ?......vp%.....
The problems right there I think, your nullstrings are double null'ed

[EDIT]: Shouldnt BNLS rejected an over sized request like that?

I suppose if they designed the server to be strict like say, Battle.net, then sure, but I think their intention is to be user friendly and not worry about extra moot

Jaquio · November 13, 2006, 03:37 AM

Quote from: Ringo on November 13, 2006, 03:18 AM
Quote from: Jaquio on November 13, 2006, 03:10 AM
[BNLS] Sent:
3f 00 1a 02 00 00 00 00 00 00 00 06 b9 b5 50 00    ?.............P.
09 ef c0 72 fc c6 01 6c 6f 63 6b 64 6f 77 6e 2d    ...r...lockdown-
49 58 38 36 2d 30 33 2e 6d 70 71 00 00 29 e8 27    IX86-03.mpq..).'
3f b5 0a 9c 15 dd 94 76 70 25 f6 ce ea 00 00    ?......vp%.....
The problems right there I think, your nullstrings are double null'ed

[EDIT]: Shouldnt BNLS rejected an over sized request like that?

Only the ones at the end? If so, I just fixed that and now it is returning 0x203(Wrong product) any idea why on that one? Also is the ValueString always 16 bytes?

I kept refreshing the page and got cd-key hashing failed... Why different returns? Must be doing something wrong?

Ringo · November 13, 2006, 06:16 AM

Quote from: Jaquio on November 13, 2006, 03:37 AM
Quote from: Ringo on November 13, 2006, 03:18 AM
Quote from: Jaquio on November 13, 2006, 03:10 AM
[BNLS] Sent:
3f 00 1a 02 00 00 00 00 00 00 00 06 b9 b5 50 00    ?.............P.
09 ef c0 72 fc c6 01 6c 6f 63 6b 64 6f 77 6e 2d    ...r...lockdown-
49 58 38 36 2d 30 33 2e 6d 70 71 00 00 29 e8 27    IX86-03.mpq..).'
3f b5 0a 9c 15 dd 94 76 70 25 f6 ce ea 00 00    ?......vp%.....
The problems right there I think, your nullstrings are double null'ed

[EDIT]: Shouldnt BNLS rejected an over sized request like that?

Only the ones at the end? If so, I just fixed that and now it is returning 0x203(Wrong product) any idea why on that one? Also is the ValueString always 16 bytes?

I kept refreshing the page and got cd-key hashing failed... Why different returns? Must be doing something wrong?

Well, on BNLS, it says:

Code Select


(DWORD) Product ID.*
(DWORD) Flags.**
(DWORD) Cookie.
(ULONGLONG) Timestamp for version check archive.
(STRING) Version check archive filename.
(STRING) Checksum formula.

And when we compare it with your packet log:

Code Select


3f 00 1a 02 00 00 00 00 00 00 00 06 b9 b5 50 00  ?.............P.
09 ef c0 72 fc c6 01 6c 6f 63 6b 64 6f 77 6e 2d  ...r...lockdown-
49 58 38 36 2d 30 33 2e 6d 70 71 00 00 29 e8 27  IX86-03.mpq..).'
3f b5 0a 9c 15 dd 94 76 70 25 f6 ce ea 00 00     ?......vp%.....

You can see that BNLS wasnt reading/useing your supplyed version check string:

Code Select


(DWORD) 02 00 00 00       ....
(DWORD) 00 00 00 00       ....
(DWORD) 06 b9 b5 50       ...P
(ULONGLONG) 09 ef c0 72 fc c6 01      ....r...
(STRING) 6c 6f 63 6b 64 6f 77 6e 2d 49 58 38 36 2d 30 33 2e 6d 70 71 00   lockdown-IX86-03.mpq.
(STRING) 00    .

~~~ extra/over flow ~~~
(STRING) 29 e8 27 3f b5 0a 9c 15 dd 94 76 70 25 f6 ce ea 00    ).'?......vp%....
(STRING) 00      .

So just useing 1 null byte to terminate the string, rather than 2, will make it fall into place.

Aside from that, if your now getting 0x203 back in 0x51, then your passing the version check for bnet to be going onto the cdkey check

Now your next task would be, to try a differnt cdkey, check the cdkey is being decoded/handled/hashed correctly.

Quote from: UserLoser on November 13, 2006, 03:33 AM
I suppose if they designed the server to be strict like say, Battle.net, then sure, but I think their intention is to be user friendly and not worry about extra moot

I guess

, I was a little supprised BNLS sent him a result back, when the check version string was blank.
Or maybe it did, and he's parseing the responce as success all the time

Jaquio · November 13, 2006, 07:28 AM

Have tried W2BN,STAR and SEXP... None work all say wrong product. So I guess I have another problem to work out...

Code Select


[BNLS] Connecting...
[BNLS] BNLS Server bnls.valhallalegends.com Connected on port 9367!
[BNLS] Sent:
07 00 10 03 00 00 00                             .......
Length: 7

[BNLS] Getting verbyte...
[BNLS] Received: 
0b 00 10 03 00 00 00 4f 00 00 00                 .......O...
Length: 11

[BNLS] Using verbyte:0x4f
[BNET] Connecting...
[BNET] BNET Server useast.battle.net Connected on port 6112!
[BNET] Sent:
ff 50 3a 00 00 00 00 00 36 38 58 49 4e 42 32 57  .P:.....68XINB2W
4f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  O...............
00 00 00 00 00 00 00 00 55 53 41 00 55 6e 69 74  ........USA.Unit
65 64 20 53 74 61 74 65 73 00                    ed States.
Length: 58

[BNET] Requesting authorization..
[BNET] Received: 
ff 25 08 00 79 5c 6f 6a                          .%..y\oj
Length: 8

[BNET] Received: 
ff 50 3e 00 00 00 00 00 15 d7 48 ca ec 21 43 00  .P>.......H..!C.
00 ea e4 c6 72 fc c6 01 6c 6f 63 6b 64 6f 77 6e  ....r...lockdown
2d 49 58 38 36 2d 30 35 2e 6d 70 71 00 59 03 90  -IX86-05.mpq.Y..
e4 fb 2e e7 66 02 47 44 59 64 3e d3 86 00        ....f.GDYd>...
Length: 62

[BNET] Sent:
ff 25 08 00 79 5c 6f 6a                          .%..y\oj
Length: 8

[BNLS] Sent:
3d 00 1a 03 00 00 00 00 00 00 00 83 a0 a4 51 00  =.............Q.
ea e4 c6 72 fc c6 01 6c 6f 63 6b 64 6f 77 6e 2d  ...r...lockdown-
49 58 38 36 2d 30 35 2e 6d 70 71 00 59 03 90 e4  IX86-05.mpq.Y...
fb 2e e7 66 02 47 44 59 64 3e d3 86 00           ...f.GDYd>...
Length: 61

[BNLS] Performing CheckRevision...
[BNLS] Received: 
28 00 1a 01 00 00 00 00 02 00 02 b6 fa ff 22 27  (............."'
3d 31 01 e2 b3 14 2c 37 08 de 16 05 5e 62 f6 00  =1....,7....^b..
83 a0 a4 51 4f 00 00 00                          ...QO...
Length: 40

[BNET] Sent:
ff 51 59 00 83 a0 a4 51 00 02 00 02 b6 fa ff 22  .QY....Q......."
01 00 00 00 00 00 00 00 11 00 00 00 04 00 00 00  ................
f6 2c 2b 00 00 00 00 00 a7 bd 4b 86 d5 8c a5 27  .,+.......K....'
2c a6 e6 11 c9 64 96 29 2d 8a b0 0e 27 3d 31 01  ,....d.)-...'=1.
e2 b3 14 2c 37 08 de 16 05 5e 62 f6 00 50 48 50  ...,7....^b..PHP
42 6f 74 20 76 31 2e 30 00                       Bot v1.0.
Length: 89

[BNET] Attempting to answer challenge..
[BNET] Received: 
ff 51 09 00 03 02 00 00 00                       .Q.......
Length: 9
[BNET] Wrong product.

Ringo · November 13, 2006, 07:56 AM

Quote from: Jaquio on November 13, 2006, 07:28 AM
Have tried W2BN,STAR and SEXP... None work all say wrong product. So I guess I have another problem to work out...
Code Select Expand
[BNET] Sent: ff 51 59 00 83 a0 a4 51 00 02 00 02 b6 fa ff 22 .QY....Q......." 01 00 00 00 00 00 00 00 11 00 00 00 04 00 00 00 ................ ......

Think how the server reads the message, from start to finish:

Code Select


Stores Client token: 83 a0 a4 51 
Checks EXE version vs Product+Version byte: 00 02 00 02 
Checks Version Checksum:   b6 fa ff 22 
Stores/Checks number of cdkeys: 01 00 00 00
Stores Spawn flag: 00 00 00 00
Then for each cdkey:
Checks cdkey lengh: 11 00 00 00 
Failed. No current products have a cdkey with 17 characters

Jaquio · November 13, 2006, 08:49 AM

Heh, don't know why I am having trouble with this.. I got my VB bot working just fine, it's my PHPBot giving me problems.. I never used the keylength dword in 0x51 ever... But I added it in there and got a return of 0x101 again. Better then 0x203 I guess.. I am about to give up, because I cannot figure it out.

Code Select


[BNLS] Connecting...
[BNLS] BNLS Server bnls.valhallalegends.com Connected on port 9367!
[BNLS] Sent:
07 00 10 02 00 00 00                             .......
Length: 7

[BNLS] Getting verbyte...
[BNLS] Received: 
0b 00 10 02 00 00 00 cf 00 00 00                 ...........
Length: 11

[BNLS] Using verbyte:0xcf
[BNET] Connecting...
[BNET] BNET Server useast.battle.net Connected on port 6112!
[BNET] Sent:
ff 50 3a 00 00 00 00 00 36 38 58 49 50 58 45 53  .P:.....68XIPXES
cf 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 55 53 41 00 55 6e 69 74  ........USA.Unit
65 64 20 53 74 61 74 65 73 00                    ed States.
Length: 58

[BNET] Requesting authorization..
[BNET] Received: 
ff 25 08 00 d9 88 00 cb                          .%......
Length: 8

[BNET] Received: 
ff 50 3e 00 00 00 00 00 7b 66 27 0b 5c a7 49 00  .P>.....{f'.\.I.
00 6e bc de 72 fc c6 01 6c 6f 63 6b 64 6f 77 6e  .n..r...lockdown
2d 49 58 38 36 2d 31 35 2e 6d 70 71 00 9c 41 82  -IX86-15.mpq..A.
d1 77 8d fd 20 4a f1 97 d5 5c 1c 4e 29 00        .w.. J...\.N).
Length: 62

[BNET] Sent:
ff 25 08 00 d9 88 00 cb                          .%......
Length: 8

[BNET] Received authorization challenge.
[BNLS] Sent:
3d 00 1a 02 00 00 00 00 00 00 00 5c 08 e5 51 00  =..........\..Q.
6e bc de 72 fc c6 01 6c 6f 63 6b 64 6f 77 6e 2d  n..r...lockdown-
49 58 38 36 2d 31 35 2e 6d 70 71 00 9c 41 82 d1  IX86-15.mpq..A..
77 8d fd 20 4a f1 97 d5 5c 1c 4e 29 00           w.. J...\.N).
Length: 61

[BNLS] Performing CheckRevision...
[BNLS] Received: 
28 00 1a 01 00 00 00 01 00 0e 01 dc 46 63 b8 30  (...........Fc.0
d7 7d db b6 68 60 2a 8a 19 ea d8 d3 f9 3e 91 00  .}..h`*......>..
5c 08 e5 51 cf 00 00 00                          \..Q....
Length: 40

[BNET] Sent:
ff 51 61 00 5c 08 e5 51 01 00 0e 01 dc 46 63 b8  .Qa.\..Q.....Fc.
01 00 00 00 00 00 00 00 0d 00 00 00 00 00 00 00  ................
0e 00 00 00 01 00 00 00 81 92 10 00 00 00 00 00  ................
55 ee 61 73 a6 2b b9 aa db bf 57 92 72 4a c9 41  U.as.+....W.rJ.A
89 d8 ba 94 30 d7 7d db b6 68 60 2a 8a 19 ea d8  ....0.}..h`*....
d3 f9 3e 91 00 50 48 50 42 6f 74 20 76 31 2e 30  ..>..PHPBot v1.0
00                                               .
Length: 97

[BNET] Attempting to answer challenge..
[BNET] Received: 
ff 51 09 00 01 01 00 00 00                       .Q.......
Length: 9

[BNET] Invalid version.

Ringo · November 13, 2006, 09:01 AM

Quote from: Jaquio on November 13, 2006, 08:49 AM
Heh, don't know why I am having trouble with this.. I got my VB bot working just fine, it's my PHPBot giving me problems.. I never used the keylength dword in 0x51 ever... But I added it in there and got a return of 0x101 again. Better then 0x203 I guess.. I am about to give up, because I cannot figure it out.
Code Select Expand
[BNET] Sent: ff 51 61 00 5c 08 e5 51 01 00 0e 01 dc 46 63 b8 .Qa.\..Q.....Fc. 01 00 00 00 00 00 00 00 0d 00 00 00 00 00 00 00 ................ 0e 00 00 00 01 00 00 00 81 92 10 00 00 00 00 00 ................ 55 ee 61 73 a6 2b b9 aa db bf 57 92 72 4a c9 41 U.as.+....W.rJ.A 89 d8 ba 94 30 d7 7d db b6 68 60 2a 8a 19 ea d8 ....0.}..h`*.... d3 f9 3e 91 00 50 48 50 42 6f 74 20 76 31 2e 30 ..>..PHPBot v1.0 00 .

Whats that bit extra?

Code Select


ff 51 61 00 5c 08 e5 51 01 00 0e 01 dc 46 63 b8  .Qa.\..Q.....Fc.
01 00 00 00 00 00 00 00 0d 00 00 00 ?? ?? ?? ??  ................
?? ?? ?? ?? 01 00 00 00 81 92 10 00 00 00 00 00  ................
55 ee 61 73 a6 2b b9 aa db bf 57 92 72 4a c9 41  U.as.+....W.rJ.A
89 d8 ba 94 30 d7 7d db b6 68 60 2a 8a 19 ea d8  ....0.}..h`*....
d3 f9 3e 91 00 50 48 50 42 6f 74 20 76 31 2e 30  ..>..PHPBot v1.0
00                                               .

Code Select

Jaquio · November 13, 2006, 09:14 AM

Heh, it was that 'unknown(0)' tid-bit. Not sure why it was there, I removed it but still 0x101..

Code Select


     BNLS_CDKey($CDKey, $ServerKey);
     BNLS_VersionCheckEx2($Product, 0, $IX86FileTime, $IX86Filename, $CheckRevStr);
     insert_int32($ClientKey);
     insert_int32($VerHash);
     insert_int32($CheckSum);
     insert_int32(1); //Number of CD-Keys(1 for non-expansion games, 2 for expansion games)
     insert_int32(0); //Using Spawn(0 - no, 1 - yes)
     insert_int32(strlen($CDKey)); //CD-Key Length
     insert_void($KeyHash); //CD-Key Hash
     insert_string($EXEInfo); //EXE Info
     insert_string("PHPBot v1.0"); //CD-Key Owner
     BNCS_Send(0x51);

My 0x51, lol pretty shitty I know... But oh well. Just want it to work! Lol

Skywing · November 14, 2006, 10:21 AM

Assuming you are getting your CD-key data from BNLS, the blob that BNLS sends back to you should include the length of the CD-key, and you should not be sending that to Battle.net in addition to another field including the CD-key length.

The BNLS protocol specification includes details on where the blobs sent back by BNLS should be used when communicating with Battle.net. It should be your first choice when troubleshooting problems like this.

ThePro · November 15, 2006, 01:29 PM

I have the same Problem, I always get an invalid version error.
What do I have to send to bnet Server on 0x51 now?

BnetDocs say:
(DWORD)       Client Token (Generates BNLS in BNLS_CDKEY)
(DWORD)       EXE Version (Generates BNLS in BNLS_VERSIONCHECKEX2)
(DWORD)       EXE Hash (Generates BNLS in BNLS_VERSIONCHECKEX2)
(DWORD)       Number of keys in this packet (1)
(BOOLEAN)    Using Spawn (0)
(DWORD)       Key Length (13)
(DWORD)       CD key's product value (1 = Starcraft)
(DWORD)       CD key's public value (How can I calculate this? I copy and pasted it of my packet sniffer)
(DWORD)       Unknown (0)
(DWORD[5])    Hashed Key Data (Generates BNLS but BNLS Spec says DWORD[9] instead DWORD[5]!!?? I noticed, that blizzard removed the exe String)

(STRING)     Exe Information (seems to be removed)
(STRING)     CD Key owner name (ThePro)

1.) Do I just have to copy the result of BNLS_CDKEY (DWORD HashedKeyData[9]) into SID_AUTH_CHECK and send it to bnet?
2.) Where do I have to use the VersionCheckStatstring returned by BNLS_VERSIONCHECKEX2?

Skywing · November 15, 2006, 02:48 PM

The four cleartext and five digest ulong values are all included in the blob returned from BNLS, which contains all the CD-key related data you need to send to Battle.net. You should not duplicate any of this information in your SID_AUTHCHECK request; simply include the CD-key blob "as-is" with your SID_AUTHCHECK request. The only CD-key related data that you must supply are the count of CD-key blobs and the spawn/retail flag.

"Exe Information" and "VersionCheckStatstring" are synonomous in this particular context. "Exe Information" is the string value returned by BNLS_VERSIONCHECKEX2.