Valhalla Legends Archive

Programming => Battle.net Bot Development => Topic started by: Goran on April 14, 2007, 05:10 PM

Title: Help password hashing with BnetAuth
Post by: Goran on April 14, 2007, 05:10 PM
I've done it to log in and stuff but when I do something similar it doesn't work. Look below for the code:

Public Sub ChangePassword()

Dim ClientToken As Long
Dim pwHash3 As String
Dim Password As Integer
ClientToken = GetTickCount()
Password = BotVar.NewPassword
pwHash3 = String(7 * 4, vbNullChar)
a pwHash3, BotVar.ServerTokenMCP, Password
With pBuffer
.InsertDWORD ClientToken
.InsertDWORD BotVar.ServerTokenMCP
.InsertDWORD BotVar.PasswordHash
.InsertDWORD pwHash3
.InsertNTString BotVar.UserNameLAP
.SendPacketLAP &H31
End With
End Sub

What am I doing wrong?

I'm NUB no flaming please :'(
Title: Re: Help password hashing with BnetAuth
Post by: Barabajagal on April 14, 2007, 05:15 PM
Make sure it's converted to lowercase... and what's with the 7*4?

Also, what's with the ServerTokenMCP? MCP is for realm servers, not for bnet servers. Change Password goes like this:
Client Token DWORD
Server Token DWORD
Double Hash (Password, Client Token, and Server Token) STRING
Hash (Password)  STRING
Username NTSTRING

I'm pretty sure the hashes are STRINGs, not DWORDs.
Title: Re: Help password hashing with BnetAuth
Post by: Goran on April 14, 2007, 05:39 PM
My problem is that I can't hash the passwords correctly. Like...

Public Declare Function a Lib "bnetauth.dll" Alias "A" (ByVal outbuf As String, ByVal ServerKey As Long, ByVal Password As String) As Long
Public Declare Function A2 Lib "bnetauth.dll" (ByVal outbuf As String, ByVal Key As Long) As Long
Public Declare Function C Lib "bnetauth.dll" (ByVal outbuf As String, ByVal serverhash As Long, ByVal prodid As Long, ByVal val1 As Long, ByVal val2 As Long, ByVal Seed As Long) As Long
Public Declare Function X Lib "bnetauth.dll" (ByVal outbuf As String, ByVal Password As String) As Long
Public Declare Function z Lib "bnetauth.dll" Alias "Z" (ByVal FileExe As String, ByVal FileStormDll As String, ByVal FileBnetDll As String, ByVal HashText As String, ByRef Version As Long, ByRef CheckSum As Long, ByVal EXEInfo As String, ByVal MPQName As String) As Long

Those are the declares for BnetAuth.. I don't really know which one to use for Double Hashing and can I not use the hash from when I logged in with the account?
Title: Re: Help password hashing with BnetAuth
Post by: Barabajagal on April 14, 2007, 05:54 PM
The double-hash is the same as the logon. The single hash is the new password.
Title: Re: Help password hashing with BnetAuth
Post by: l2k-Shadow on April 14, 2007, 06:25 PM
Hashes are DWORD arrays.

Single Hash = Hash(Password)
Double Hash = Hash(ClientToken & ServerToken & Hash(Password))
Title: Re: Help password hashing with BnetAuth
Post by: Barabajagal on April 14, 2007, 06:45 PM
I'm just wondering... What the HELL is the point of hashing the password, if all you need to log in or change the password is the hash? I mean... say you have a packetlogger trojan on a computer. A user logs in and changes their password. You get the new password hash through the logger. You get a bot's source (or more likely write a bot) and make it hash the password with the clienttoken and servertoken. Bam, you log in without knowing their password. Or am I missing something somewhere?
Title: Re: Help password hashing with BnetAuth
Post by: Hdx on April 14, 2007, 07:02 PM
You are correct.
Except for the fact that people USUALLY don't change their passwords. So they only send the single hashed password when they create the account, and if the account is just created, what's the point of nabbing it?
~Hdx
PS: FreeGeek is fun!
Title: Re: Help password hashing with BnetAuth
Post by: Goran on April 14, 2007, 07:11 PM
Ok so here is the new code..

Public Sub ChangePassword()

Dim ClientToken As Long
Dim NewHash As String
ClientToken = GetTickCount()
Password = LCase(BotVar.NewPassword)
X NewHash, Password
With pBuffer
.InsertDWORD ClientToken
.InsertDWORD BotVar.ServerTokenMCP
.InsertDWORD BotVar.PasswordHash
.InsertDWORD NewHash
.InsertNTString BotVar.UserNameLAP
.SendPacketLAP &H31
End With
End Sub

It has the client token; X is the function in BnetAuth for a single-pass hash, NewHash being the hash and Password being the pass. I set the password to lowercase like you said I should. Made both hashes DWORDs. Is all this correct?

(BotVar.ServerTokenMCP IS the ServerToken.. long story.. & BotVar.PasswordHash is the old Pass hash from login which I stored in there.)


EDIT: Error! ByRef argument type mismatch. It's highlighting NewHash and I assume maybe it's not declared correctly.
Title: Re: Help password hashing with BnetAuth
Post by: l2k-Shadow on April 14, 2007, 07:18 PM
you're passing a string to a function which accepts a 32-bit signed integer.
Title: Re: Help password hashing with BnetAuth
Post by: Goran on April 14, 2007, 07:43 PM
So Dim NewHash as String should be an Integer instead?
Title: Re: Help password hashing with BnetAuth
Post by: Barabajagal on April 14, 2007, 07:48 PM
Long.
Title: Re: Help password hashing with BnetAuth
Post by: l2k-Shadow on April 14, 2007, 07:51 PM
Quote from: Goran on April 14, 2007, 07:43 PM
So Dim NewHash as String should be an Integer instead?

you're clueless about what you're attempting to achieve.

Quote
(DWORD)       Client Token
(DWORD)       Server Token
(DWORD[5])    Old password hash
(DWORD[5])    New password hash
(STRING)     Account name
Title: Re: Help password hashing with BnetAuth
Post by: Hell-Lord on April 14, 2007, 08:03 PM
Quote
(InsertDWORD) = ClientToken
(InsertDWORD) = ServerToken
(InsertString) = doubleHashPassword (Old Password)
(InsertString) = hashPassword (New Password)
(InsertNTString) = Username

That would work too, right?
Title: Re: Help password hashing with BnetAuth
Post by: Barabajagal on April 14, 2007, 08:03 PM
It really is easier to deal with them as a non-null terminated string in VB...
Title: Re: Help password hashing with BnetAuth
Post by: Goran on April 14, 2007, 08:22 PM
We all start somewhere, Shadow. :)
Title: Re: Help password hashing with BnetAuth
Post by: Hell-Lord on April 14, 2007, 08:25 PM
Yep, that's true. Anyway, have you got anywhere after some of the suggestions?
Title: Re: Help password hashing with BnetAuth
Post by: l2k-Shadow on April 14, 2007, 08:28 PM
yeah but don't confuse what the data type string is in the first place.. it is a character array terminated by a null character.
Title: Re: Help password hashing with BnetAuth
Post by: Goran on April 14, 2007, 08:34 PM
Dim ClientToken As Long
Dim Password As String
Dim NewHash As Long
ClientToken = GetTickCount()
Password = LCase(BotVar.NewPassword)
X NewHash, Password
With pBuffer
.InsertDWORD ClientToken
.InsertDWORD BotVar.ServerTokenMCP
.InsertDWORD BotVar.PasswordHash
.InsertDWORD NewHash
.InsertNTString BotVar.UserNameLAP
.SendPacketLAP &H31
End With

Getting type mismatch at BotVar.PasswordHash
When I put my mouse over it I see the hash info, strange characters blah blah.. sooo.. I guess I don't really know what type mismatch means. If someone would kindly explain as I am a novice :)
Title: Re: Help password hashing with BnetAuth
Post by: l2k-Shadow on April 14, 2007, 08:49 PM
Type mismatch means that you are trying to assign a value to a variable which is unfit to be assigned to that variable, or that you are trying to pass a variable to a function which accepts a different variable type.

Ex:

Option Explicit

Sub Form_Load()
Dim a As String
    a = "SHIT"
    Call ExampleFunction(a)
End Sub

Sub ExampleFunction(ByVal a As Integer)
    MsgBox a
End Sub

You will get a type mismatch error on the function call line.
Title: Re: Help password hashing with BnetAuth
Post by: Spilled on April 14, 2007, 08:52 PM
Quote from: Goran on April 14, 2007, 08:34 PM
Dim ClientToken As Long
Dim Password As String
Dim NewHash As Long
ClientToken = GetTickCount()
Password = LCase(BotVar.NewPassword)
X NewHash, Password
With pBuffer
.InsertDWORD ClientToken
.InsertDWORD BotVar.ServerTokenMCP
.InsertDWORD BotVar.PasswordHash
.InsertDWORD NewHash
.InsertNTString BotVar.UserNameLAP
.SendPacketLAP &H31
End With

Getting type mismatch at BotVar.PasswordHash
When I put my mouse over it I see the hash info, strange characters blah blah.. sooo.. I guess I don't really know what type mismatch means. If someone would kindly explain as I am a novice :)

(DWORD)       Client Token
(DWORD)       Server Token
(DWORD[5])    Old password hash
(DWORD[5])    New password hash
(STRING)     Account name

Hrmm, well let's see. DWORD[5], first off do you know what this means? Second off, you're passing a string to a sub that's expecting a long. Same with the new password hash. A lot of people handle this as a non-null-terminated string because it's easier than 5 DWORDs, so put InsertNonNTString OldHash and InsertNonNTString NewHash

And see what it gets you ;)

"BotVar.ServerTokenMCP" lmao?
Title: Re: Help password hashing with BnetAuth
Post by: Goran on April 14, 2007, 09:19 PM
No more Type Mismatch, but now I'm getting ByRef Argument Type Mismatch and it's highlighting NewHash.

Public Sub ChangePassword()
Dim ClientToken As Long
Dim NewPassword As Long
Dim NewHash As Long
ClientToken = GetTickCount()
NewPassword = LCase(BotVar.NewPassword)
X NewHash, NewPassword
With pBuffer
.InsertDWORD ClientToken
.InsertDWORD BotVar.ServerTokenMCP
.InsertNonNTString BotVar.PasswordHash
.InsertNonNTString NewHash <--- Highlighted :\
.InsertNTString BotVar.UserNameLAP
.SendPacketLAP &H31
End With
End Sub

Oh and the ServerTokenMCP is a long story and I don't feel like telling it...
Title: Re: Help password hashing with BnetAuth
Post by: Yegg on April 14, 2007, 09:28 PM
I've thought about this before, but I have no desire to create such a thing. With relative ease, someone could create a simple program that grabs the client and server token and the hash of a password and easily obtain the password correct? Of course, they would have to write a reverse of the hashing function, but that shouldn't really be too difficult. This idea is very practical, is it?
Title: Re: Help password hashing with BnetAuth
Post by: l2k-Shadow on April 14, 2007, 09:46 PM
Quote from: Yegg on April 14, 2007, 09:28 PM
I've thought about this before, but I have no desire to create such a thing. With relative ease, someone could create a simple program that grabs the client and server token and the hash of a password and easily obtain the password correct? Of course, they would have to write a reverse of the hashing function, but that shouldn't really be too difficult. This idea is very practical, is it?

no, it's a hash, not an encryption.
Title: Re: Help password hashing with BnetAuth
Post by: brew on April 14, 2007, 09:46 PM
Quote from: l2k-Shadow on April 14, 2007, 07:51 PM

you're clueless about what you're attempting to achieve.

Quote
(DWORD)       Client Token
(DWORD)       Server Token
(DWORD[5])    Old password hash
(DWORD[5])    New password hash
(STRING)     Account name

    "If CreateHash <> "" Then
        InsertNonNTString CreateHash
        InsertNTString Username
        SendPacket &H3D"
- l2uthless ops
Title: Re: Help password hashing with BnetAuth
Post by: Barabajagal on April 14, 2007, 09:51 PM
Yegg: the point of a hash is that it's not supposed to be reversible. That's the entire point of them. If a hash can be reversed, it should no longer be used.

Goran: the hashes are DWORD[5]'s, which means they are an array of 5 dwords (20 bytes of pure data). "String", "Non-Null Terminated String", etc... just means pure data. It's a bit misleading. A better name for the type would be Null, I guess. Your function looks like it expects a string. So what do you do? Set the hashes to Strings equal to 20 bytes of empty data (strHash = String$(20,0))
Title: Re: Help password hashing with BnetAuth
Post by: Hell-Lord on April 14, 2007, 09:54 PM
Dim NewHash As String
Title: Re: Help password hashing with BnetAuth
Post by: brew on April 14, 2007, 10:02 PM
Quote from: Yegg on April 14, 2007, 09:28 PM
I've thought about this before, but I have no desire to create such a thing. With relative ease, someone could create a simple program that grabs the client and server token and the hash of a password and easily obtain the password correct? Of course, they would have to write a reverse of the hashing function, but that shouldn't really be too difficult. This idea is very practical, is it?
Uh... Reality is right. It's not meant to be reversed. Please, TRY to find the original value of ANY md5 hash without using a rainbow table. Also another hole in your theory: how would the person "decoding" the hash know the client token and server token? Now please tell me, HOW the hell is decoding a double broken sha-1 hash practical at all?
Title: Re: Help password hashing with BnetAuth
Post by: Goran on April 14, 2007, 10:19 PM
Public Sub ChangePassword()
Dim ClientToken As Long
Dim NewPassword As String
Dim NewHash As String
NewHash = String$(20, 0)
ClientToken = GetTickCount()
NewPassword = LCase(BotVar.NewPassword)
X NewHash, NewPassword
With pBuffer
.InsertDWORD ClientToken
.InsertDWORD BotVar.ServerTokenMCP
.InsertNonNTString BotVar.PasswordHash
.InsertNonNTString NewHash
.InsertNTString BotVar.UserNameLAP
.SendPacketLAP &H31
End With
End Sub

Ok so this is what I got, it seems to be loading and connecting without errors but I'm getting IP banned so I assume I'm building the packet incorrectly.  Any ideas?
Title: Re: Help password hashing with BnetAuth
Post by: brew on April 14, 2007, 10:29 PM
Make sure your client/server tokens AREN'T 0, and make sure your hashes are both 20 characters long. Other than that, I have no idea how you can possibly get IP banned.
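The packet layout from l2k-Shadow's quote, Barabajagal's note that each DWORD[5] is 20 bytes of raw data, and brew's sanity checks (non-zero tokens, 20-byte hashes), as an added example that is not code from this thread or from BnetAuth. It substitutes standard SHA-1 for Battle.net's modified SHA-1 (the "broken SHA-1" brew mentions), so the output is not wire-compatible, but the field sizes and the double-hash construction are the thread's; the hypothetical server_verify shows why the server only ever needs the stored single hash.

```python
import hashlib
import hmac
import struct

# Stand-in for Battle.net's modified SHA-1 (the "broken SHA-1" in the thread).
# Standard SHA-1 is used so the example runs anywhere; the output is NOT
# wire-compatible with a real server, but the 20-byte (DWORD[5]) size and the
# way the double hash is built from it are the same.
def single_hash(password: str) -> bytes:
    # Hash(Password): the password is lowercased first, as the thread says
    return hashlib.sha1(password.lower().encode("ascii")).digest()

def double_hash(client_token: int, server_token: int, pw_hash: bytes) -> bytes:
    # Hash(ClientToken & ServerToken & Hash(Password)), tokens as LE DWORDs
    tokens = struct.pack("<II", client_token, server_token)
    return hashlib.sha1(tokens + pw_hash).digest()

def build_change_password(client_token, server_token, old_pw, new_pw, account):
    """SID_CHANGEPASSWORD (0x31): FF 31 <WORD len> then the fields quoted above."""
    body = struct.pack("<II", client_token, server_token)
    body += double_hash(client_token, server_token, single_hash(old_pw))  # DWORD[5]
    body += single_hash(new_pw)                                            # DWORD[5]
    body += account.encode("ascii") + b"\x00"                              # NTString
    return struct.pack("<BBH", 0xFF, 0x31, 4 + len(body)) + body

def parse_change_password(packet: bytes) -> dict:
    """Split a 0x31 packet into its fields, applying brew's sanity checks."""
    if len(packet) < 4 or packet[0] != 0xFF or packet[1] != 0x31:
        raise ValueError("not a SID_CHANGEPASSWORD packet")
    (length,) = struct.unpack_from("<H", packet, 2)
    if length != len(packet) or length < 4 + 8 + 20 + 20 + 1:
        raise ValueError("length field does not match the packet")
    client_token, server_token = struct.unpack_from("<II", packet, 4)
    if client_token == 0 or server_token == 0:
        raise ValueError("client/server token must not be 0")
    name_end = packet.index(b"\x00", 52)  # NT string starts after both hashes
    return {
        "client_token": client_token,
        "server_token": server_token,
        "old_double_hash": packet[12:32],
        "new_hash": packet[32:52],
        "account": packet[52:name_end].decode("ascii"),
    }

def server_verify(packet: bytes, stored_hash: bytes, session_server_token: int):
    """Hypothetical server side: it needs only the stored single hash (never the
    plaintext) plus the token it issued for this session.
    Returns the new single hash to store, or None if the old hash is wrong."""
    f = parse_change_password(packet)
    if f["server_token"] != session_server_token:
        return None
    expected = double_hash(f["client_token"], session_server_token, stored_hash)
    if not hmac.compare_digest(expected, f["old_double_hash"]):
        return None
    return f["new_hash"]
```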
Title: Re: Help password hashing with BnetAuth
Post by: Explicit on April 14, 2007, 10:50 PM
Quote from: Goran on April 14, 2007, 10:19 PM
Public Sub ChangePassword()
Dim ClientToken As Long
Dim NewPassword As String
Dim NewHash As String
NewHash = String$(20, 0)
ClientToken = GetTickCount()
NewPassword = LCase(BotVar.NewPassword)
X NewHash, NewPassword
With pBuffer
.InsertDWORD ClientToken
.InsertDWORD BotVar.ServerTokenMCP
.InsertNonNTString BotVar.PasswordHash
.InsertNonNTString NewHash
.InsertNTString BotVar.UserNameLAP
.SendPacketLAP &H31
End With
End Sub

Ok so this is what I got, it seems to be loading and connecting without errors but I'm getting IP banned so I assume I'm building the packet incorrectly.  Any ideas?

This is where everyone says "packet log."
Title: Re: Help password hashing with BnetAuth
Post by: Yegg on April 14, 2007, 11:10 PM
Quote from: brew on April 14, 2007, 10:02 PM
Quote from: Yegg on April 14, 2007, 09:28 PM
I've thought about this before, but I have no desire to create such a thing. With relative ease, someone could create a simple program that grabs the client and server token and the hash of a password and easily obtain the password correct? Of course, they would have to write a reverse of the hashing function, but that shouldn't really be too difficult. This idea is very practical, is it?
Uh... Reality is right. It's not meant to be reversed. Please, TRY to find the original value of ANY md5 hash without using a rainbow table. Also another hole in your theory: how would the person "decoding" the hash know the client token and server token? Now please tell me, HOW the hell is decoding a double broken sha-1 hash practical at all?

IIRC, the client and server token are located in another packet.
Title: Re: Help password hashing with BnetAuth
Post by: l2k-Shadow on April 14, 2007, 11:18 PM
Quote from: brew on April 14, 2007, 09:46 PM
Quote from: l2k-Shadow on April 14, 2007, 07:51 PM

you're clueless about what you're attempting to achieve.

Quote
(DWORD)       Client Token
(DWORD)       Server Token
(DWORD[5])    Old password hash
(DWORD[5])    New password hash
(STRING)     Account name

    "If CreateHash <> "" Then
        InsertNonNTString CreateHash
        InsertNTString Username
        SendPacket &H3D"
- l2uthless ops

Those were my bad coding habits two and a half years ago when I was learning to program; however, it did do the job, while Goran's function obviously is not doing the job.

@Yegg: When double hashing you hash the hash of the password hence the term "double hash", which is why you still can't obtain plain text even if you know client and server tokens.
Title: Re: Help password hashing with BnetAuth
Post by: Yegg on April 14, 2007, 11:31 PM
Quote from: l2k-Shadow on April 14, 2007, 11:18 PM
Quote from: brew on April 14, 2007, 09:46 PM
Quote from: l2k-Shadow on April 14, 2007, 07:51 PM

you're clueless about what you're attempting to achieve.

Quote
(DWORD)       Client Token
(DWORD)       Server Token
(DWORD[5])    Old password hash
(DWORD[5])    New password hash
(STRING)     Account name

    "If CreateHash <> "" Then
        InsertNonNTString CreateHash
        InsertNTString Username
        SendPacket &H3D"
- l2uthless ops

Those were my bad coding habits two and a half years ago when I was learning to program; however, it did do the job, while Goran's function obviously is not doing the job.

@Yegg: When double hashing you hash the hash of the password hence the term "double hash", which is why you still can't obtain plain text even if you know client and server tokens.

Ya, makes sense. Thanks.
Title: Re: Help password hashing with BnetAuth
Post by: Goran on April 15, 2007, 12:16 AM
(1:12:56 AM) 0000:  FF 25 08 00 9E 3F 02 34                           ÿ%.ž?4........
(1:12:56 AM) 0000:  FF 50 66 00 00 00 00 00 87 1C 40 F0 94 E2 15 00   ÿPf.....‡@ð"â.
0010:  00 4D 89 7E 99 CB C6 01 76 65 72 2D 49 58 38 36   .M‰~™ËÆver-IX86
0020:  2D 37 2E 6D 70 71 00 43 3D 32 34 32 34 39 38 35   -7.mpq.C=2424985
0030:  32 36 20 41 3D 32 38 32 32 35 35 30 38 30 31 20   26 A=2822550801
0040:  42 3D 31 36 30 39 39 39 36 38 32 20 34 20 41 3D   B=160999682 4 A=
0050:  41 2D 53 20 42 3D 42 5E 43 20 43 3D 43 2D 41 20   A-S B=B^C C=C-A
0060:  41 3D 41 5E 42 00                                 A=A^B...........
(1:12:56 AM) 0000:  FF 51 09 00 00 00 00 00 00                        ÿQ..............
(1:12:56 AM) 0000:  FF 4C 16 00 49 58 38 36 4D 69 6E 64 53 69 67 68   ÿL.IX86MindSigh
0010:  74 2E 6D 70 71 00                                 t.mpq...........
(1:12:56 AM) 0000:  FF 3A 08 00 00 00 00 00                           ÿ:.............


Looks like it's getting caught on Login...
I know I'm supposed to send it before EnterChat, which I'm doing. I'm doing it when &H0 is received for 3A. Doing both...

BNCSPacketsLAP.ChangePass
BNCSPacketsLAP.EnterChat

Right after each other.. should I be putting change pass somewhere else?
Title: Re: Help password hashing with BnetAuth
Post by: Barabajagal on April 15, 2007, 03:11 AM
You shouldn't send enter chat until you've received the ChangePass response.
Title: Re: Help password hashing with BnetAuth
Post by: brew on April 15, 2007, 10:56 AM
oooh.... nice job goran. (sarcastic)
You CAN'T send these packets after the 0x3a (if 0x00 response):
0x31
0x3D
You CAN send these packets before the 0x3a
0x31
0x3D
If you pass the 0x3a, you can only send the packets 0x0A, 0x0C
Also, just a note: Any value higher than 0x02 in the 0x0C for join flags will result in a default of 0x01 (firstjoin)
If you fail the 0x3a for any reason, you could send these:
0x31
0x3A
0x3D
Title: Re: Help password hashing with BnetAuth
Post by: raylu on April 22, 2007, 12:47 AM
You can also send 0x0B, but that's almost not worth mentioning.

I'm hoping BNCSPacketsLAP is something you wrote yourself?
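The send-order rules from brew's and Barabajagal's replies (plus raylu's 0x0B) as a small client-side guard, an added example that is not code from this thread or from any bot mentioned in it; the packet IDs are the ones named above and the class and function names are my own.

```python
# Packet IDs named in the thread
SID_ENTERCHAT, SID_GETCHANNELLIST, SID_JOINCHANNEL = 0x0A, 0x0B, 0x0C
SID_CHANGEPASSWORD, SID_LOGONRESPONSE2, SID_CREATEACCOUNT2 = 0x31, 0x3A, 0x3D

# Allowed before a successful 0x3A (or after a failed one), and after it
PRE_LOGON = {SID_CHANGEPASSWORD, SID_LOGONRESPONSE2, SID_CREATEACCOUNT2}
POST_LOGON = {SID_ENTERCHAT, SID_GETCHANNELLIST, SID_JOINCHANNEL}

class ProtocolError(Exception):
    pass

class LogonSequence:
    """Tracks whether a packet may be sent in the current logon state."""

    def __init__(self):
        self.logged_on = False   # set once 0x3A is answered with 0x00
        self.pending = set()     # packets sent and not yet answered

    def may_send(self, pid: int) -> bool:
        if self.logged_on:
            # After a successful 0x3A only chat packets remain valid, and
            # EnterChat must wait for any outstanding ChangePassword reply.
            return pid in POST_LOGON and SID_CHANGEPASSWORD not in self.pending
        return pid in PRE_LOGON

    def send(self, pid: int) -> None:
        if not self.may_send(pid):
            raise ProtocolError("0x%02X not allowed in this state" % pid)
        self.pending.add(pid)

    def on_response(self, pid: int, result: int) -> None:
        self.pending.discard(pid)
        if pid == SID_LOGONRESPONSE2:
            self.logged_on = (result == 0x00)

def effective_join_flags(flags: int) -> int:
    # brew's note: 0x0C join flags above 0x02 fall back to 0x01 (first join)
    return flags if flags <= 0x02 else 0x01
```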