I though of an idea, when making a bot it would be a good idea to check the username/password to see if there characters would even make a valid login (inclusive of iLLyz).
I know what can be permitted by Usernames, though I don't know what characters/orders are allowed for passwords. And with a bit of testing I wouldn't be able to find out what characters/orders old (from time of iLLyz) passwords used.
Anyone know much about them?
First off, "iLLyz"? And passwords can have any character you want in it. They're sent in a 256bit hash so it doesn't matter what you have your password as
Well for example you can no longer make accounts with $ in it.
So say the bot logged on and account didn't exist, I would then run it through a check which would determine that account cannot be created because of that character and it would just Disconnect with an error message.
By "iLLyz" I was just using slang to refer to accounts that contained illegal characters and haven't been permitted to be created for quite a few years now.
Anyway you answered my question, I should know better considering my last two passwords contained § and †. :-\
What the hell did he just say?
He wants to be able to determine if an account exists and if it doesn't, he wants to check the account name for banned characters before attempting to create it however the local implimentation of this would be pointless since both SID_LOGONRESPONSE2 and SID_CREATEACCOUNT2 have error responses which do exactly that.
I know they have login responces for it. I just through it would speed up some of the authentication upon logging in, if all the basic checks have been done to that details being sent.
For example say someone connects with local hashing, first check if they have hashes before even bothering to go any further. Kind of alone those lines.
At that moment I was thinking that passwords have limitations on certain characters (not there max length, 12). This way it could be checked before connecting.
Quote from: FrOzeN on January 05, 2006, 02:10 AM
At that moment I was thinking that passwords have limitations on certain characters (not there max length, 12). This way it could be checked before connecting.
On a side note, the lenth of a password is a client side thing. There is nothing in the protocol that has the length of the password transfered over network.
Note that the game clients impose a limit on the number of bytes that a password can consist of - something along the lines of 12 or 14 if I recall correctly. Game clients also use a locale-specific lowercase transform (as I recall, the exact function used was CharLowerBuffA, which has a behavior dependent on which locale you have configured locally). Passwords that do not meet these criteria will be unusable through the game clients.
The chat gateway also imposes some of these restrictions on passwords; for instance, the chat gateway will lowercase all passwords. This implies that if you have an exotic locale that does not match the chat server's locale, your password may not be usable via the chat gateway. The chat gateway may also have an arbitrary limit on the length of a password, though I don't recall for certain.
There are different restrictions and transforms applied to passwords used with the SRP-based system.
congratz skywing you went almost 2 months without posting!
What happens if you implement this into your bot and the user decides that they want to log in and create an account on a private Battle.net server. Such as a PvPgn server? Often times these servers support "illegal" characters that the regular servers do not. Checking the account before they actually connect would really be a useless feature. The user should know what they can and can't use in an account.
An idea that could possibly save time when connecting could be:
Decode cdkey's immediately after the user inputs it into a textbox, or if your bot only uses a file for such information, decode when the program loads
Quote from: Yegg on January 05, 2006, 02:20 PM
What happens if you implement this into your bot and the user decides that they want to log in and create an account on a private Battle.net server. Such as a PvPgn server? Often times these servers support "illegal" characters that the regular servers do not. Checking the account before they actually connect would really be a useless feature. The user should know what they can and can't use in an account.
An idea that could possibly save time when connecting could be:
Decode cdkey's immediately after the user inputs it into a textbox, or if your bot only uses a file for such information, decode when the program loads
Except in the case of the chat gateway, all of the logic for dealing with the password in textural form is only in the client and not on the server, so that shouldn't matter for binary interface clients.
I would expect that the time spent doing key decoding is insignificant compared to many of the other operations you would do during a binary client logon. If you are looking for ways to optimize you should really do some real profiling of your program first.
QuoteDecode cdkey's immediately after the user inputs it into a textbox, or if your bot only uses a file for such information, decode when the program loads
In most cases it's common practice to do as much as you can before you actually need to (providing that it's logical to do so) so that the only delay experienced is during the initial execution and/or connection, however the speed difference is often not very noticeable. The most significant bottlenecks are going to be the version check and your latency with the server.
Quote from: UserLoser on January 05, 2006, 12:11 AM
First off, "iLLyz"? And passwords can have any character you want in it. They're sent in a 256bit hash so it doesn't matter what you have your password as
Uh... they're sent in a 160-bit hash (SHA-1). The hash that's sent in SRP is hardly even related to the password, but the M1 value is 160-bit, as is the password hash sent with old-style logins.
If you really wanted to find out what characters are acceptable or not, just have your client fully parse the return data from the account login packet. If there are illegal characters, it will return which one(s) are invalid... However, I don't think this works for the password string..
Quote from: MyndFyre on January 05, 2006, 03:38 PM
Quote from: UserLoser on January 05, 2006, 12:11 AM
First off, "iLLyz"? And passwords can have any character you want in it. They're sent in a 256bit hash so it doesn't matter what you have your password as
Uh... they're sent in a 160-bit hash (SHA-1). The hash that's sent in SRP is hardly even related to the password, but the M1 value is 160-bit, as is the password hash sent with old-style logins.
Duh...160. Was thinking it was a 32 byte hash, oops.
Username: AnX)Ghost(15@Lordaeron
Password: *MyndFyre removed to stop breaking tables*
Length of Password: 1016
Maybe there isn't even a limit? Strange huh. :-\
[EDIT] I assumed it was 12 characters because of the TextBox (?) limit when typing in a password using StarCraft/BroodWar (The actual game, not a bot).
Sorry for table breakage, oh well.
Quote from: FrOzeN on January 06, 2006, 12:50 AM
Username: AnX)Ghost(15@Lordaeron
Password: *MyndFyre removed to stop breaking tables*
Length of Password: 1016
Maybe there isn't even a limit? Strange huh. :-\
I thought this was already covered: there's no limit because it's sent as a 32 byte hash.
Eh, I didn't realise that.
Could this be a way to flood Battle.net. By sending immensely oversized passwords rapidly? :P
Quote from: UserLoser on January 06, 2006, 12:52 AM
Quote from: FrOzeN on January 06, 2006, 12:50 AM
Username: AnX)Ghost(15@Lordaeron
Password: *removed because of table breaking*
Length of Password: 1016
Maybe there isn't even a limit? Strange huh. :-\
I thought this was already covered: there's no limit because it's sent as a 32 byte hash.
*20-byte. SHA-1 is 160 bit whether it's SHA-1 or X-SHA-1. Interleaved SHA found in SRP generates a 320-bit hash (40-byte).
What is it the rest of you don't understand about this? The plaintext password is never sent to Battle.net.
Quote from: FrOzeN on January 06, 2006, 12:53 AM
Eh, I didn't realise that.
Could this be a way to flood Battle.net. By sending immensely oversized passwords rapidly? :P
Your passwords is ran through a one-way hash function. This hash function returns a 20 byte output. The 20 byte output is recieved by server. Size of the password doesn't matter. You can have a blank password if you really wanted to
Quote from: UserLoser on January 06, 2006, 01:32 AM
You can have a blank password if you really wanted to
Since the hash output of SHA-1ing no data is always the same, I wonder if Bnet would notice.
Quote from: UserLoser on January 06, 2006, 01:32 AM
Size of the password doesn't matter.
Can you elaborate as to why the length of a password in the Warcraft III game client is limited to 12 characters?
Quote from: Newby on January 06, 2006, 06:28 PM
Quote from: UserLoser on January 06, 2006, 01:32 AM
Size of the password doesn't matter.
Can you elaborate as to why the length of a password in the Warcraft III game client is limited to 12 characters?
To help keep people from forgetting an incredibly long password?
Quote from: Lord[nK] on January 06, 2006, 06:49 PM
Quote from: Newby on January 06, 2006, 06:28 PM
Quote from: UserLoser on January 06, 2006, 01:32 AM
Size of the password doesn't matter.
Can you elaborate as to why the length of a password in the Warcraft III game client is limited to 12 characters?
To help keep people from forgetting an incredibly long password?
That's why there is password recovery.
Quote from: Newby on January 06, 2006, 09:49 PM
Quote from: Lord[nK] on January 06, 2006, 06:49 PM
Quote from: Newby on January 06, 2006, 06:28 PM
Quote from: UserLoser on January 06, 2006, 01:32 AM
Size of the password doesn't matter.
Can you elaborate as to why the length of a password in the Warcraft III game client is limited to 12 characters?
To help keep people from forgetting an incredibly long password?
That's why there is password recovery.
Eh, and then someone "forgets" their password a lot and this (http://www.x86labs.org:81/forum/index.php/topic,4476.msg49421/boardseen.html#new) happens.
Quote from: Joe on January 06, 2006, 10:37 PM
Eh, and then someone "forgets" their password a lot and this (http://www.x86labs.org:81/forum/index.php/topic,4476.msg49421/boardseen.html#new) happens.
There's a massive difference between a DDoS (if you're saying there are lots of "someone"'s who manage to forget their password) and someone simply asking for the password recovery e-mail to be sent to their machine. One copy is enough, really.
How do you know that he didn't post on his blog, asking a lot of "someones" to intentionally "forget" their password at a specific time, and request an account recovery email?
Quote from: Joe on January 07, 2006, 03:39 PM
How do you know that he didn't post on his blog, asking a lot of "someones" to intentionally "forget" their password at a specific time, and request an account recovery email?
There are
much easier ways to DDoS a server.