Valhalla Legends Archive

Programming => Battle.net Bot Development => Topic started by: Rob on July 30, 2007, 12:44 AM

Title: lockdown source
Post by: Rob on July 30, 2007, 12:44 AM
Based on the code that iago released.

This should work on any x86 system.  Tested on windows/linux/freebsd.

http://www.onlythechosen.com/lockdown-src.zip
Title: Re: lockdown source
Post by: Barabajagal on July 30, 2007, 01:16 AM
/me watches as bots magically attain lockdown hashing and new DLLs are made.

I like your "tweedle" and "twitter" functions ;)
Title: Re: lockdown source
Post by: Hell-Lord on July 30, 2007, 01:23 AM
Nice work Rob :)
Title: Re: lockdown source
Post by: iago on July 30, 2007, 06:45 PM
Quote from: -RealityRipple- on July 30, 2007, 01:16 AM
I like your "tweedle" and "twitter" functions ;)
When I named those, I didn't know what they were doing :P
Title: Re: lockdown source
Post by: Barabajagal on July 30, 2007, 08:08 PM
you remind me of my friend Warren. His error handlers were always named ZipadeeDooDahZipdadeeDayMyOhMyWhatAWonderfulDay or Hell, which was always fun to read... On Error GoTo Hell. And instead of commenting out code, he'd put it in an if statement that read "If 2 + 2 = 5 Then".
Title: Re: lockdown source
Post by: brew on July 30, 2007, 09:15 PM
Quote from: -RealityRipple- on July 30, 2007, 01:16 AM
/me watches as bots magically attain lockdown hashing and new DLLs are made.
At least 3 different lockdown checkrevision sources have been released in the last 3 months....
Title: Re: lockdown source
Post by: UserLoser on July 30, 2007, 09:19 PM
Quote from: -RealityRipple- on July 30, 2007, 01:16 AM
/me watches as bots magically attain lockdown hashing and new DLLs are made.

I like your "tweedle" and "twitter" functions ;)

Pretty sure that's the reason people like to release things openly--it's only a problem when people do not give credit when necessary
Title: Re: lockdown source
Post by: iago on July 30, 2007, 09:25 PM
Quote from: -RealityRipple- on July 30, 2007, 08:08 PM
you remind me of my friend Warren. His error handlers were always named ZipadeeDooDahZipdadeeDayMyOhMyWhatAWonderfulDay or Hell, which was always fun to read... On Error GoTo Hell. And instead of commenting out code, he'd put it in an if statement that read "If 2 + 2 = 5 Then".
The names aren't that far off, because when I first started looking at them, it was clear that they were just pushing bits around and doing some other bitwise math. So "Twiddle" was born, since it was twiddling some bits. Then I looked at a second, similar function and giving it a similar name was logical, so out came "Tweedle". It basically made sense. :P
Title: Re: lockdown source
Post by: Yegg on July 30, 2007, 11:28 PM
Quote from: brew on July 30, 2007, 09:15 PM
Quote from: -RealityRipple- on July 30, 2007, 01:16 AM
/me watches as bots magically attain lockdown hashing and new DLLs are made.
At least 3 different lockdown checkrevision sources have been released in the last 3 months....

If you look at what rob posted up there, and what iago released, you will notice that it will be much easier for people to implement what rob did.

PS. Don't be stupid and say, "but rob's is based off of iago's", because I know this.
Title: Re: lockdown source
Post by: brew on July 31, 2007, 07:20 AM
Quote from: Yegg on July 30, 2007, 11:28 PM
Quote from: brew on July 30, 2007, 09:15 PM
Quote from: -RealityRipple- on July 30, 2007, 01:16 AM
/me watches as bots magically attain lockdown hashing and new DLLs are made.
At least 3 different lockdown checkrevision sources have been released in the last 3 months....

If you look at what rob posted up there, and what iago released, you will notice that it will be much easier for people to implement what rob did.

PS. Don't be stupid and say, "but rob's is based off of iago's", because I know this.
warz's version is by far the easiest to work with.
Title: Re: lockdown source
Post by: iago on July 31, 2007, 09:58 AM
Quote from: brew on July 31, 2007, 07:20 AM
Quote from: Yegg on July 30, 2007, 11:28 PM
Quote from: brew on July 30, 2007, 09:15 PM
Quote from: -RealityRipple- on July 30, 2007, 01:16 AM
/me watches as bots magically attain lockdown hashing and new DLLs are made.
At least 3 different lockdown checkrevision sources have been released in the last 3 months....

If you look at what rob posted up there, and what iago released, you will notice that it will be much easier for people to implement what rob did.

PS. Don't be stupid and say, "but rob's is based off of iago's", because I know this.
warz's version is by far the easiest to work with.
It's also incomplete, Windows-only, and requires proprietary code to be run.

Mine, on the other hand, is complete, Windows-only, and is self-sustaining.

Rob's is complete, cross-platform, and self-sustaining.

So it depends how you define "easiest" :P

This is rather what I intended, though. I wanted to release working code and let other people worry about making it good. :)
Title: Re: lockdown source
Post by: warz on July 31, 2007, 12:56 PM
Why are you calling it incomplete? It worked completely, when I had posted it. Can't say that now, because I haven't looked at it since.
Title: Re: lockdown source
Post by: Hdx on July 31, 2007, 01:51 PM
He's calling it incomplete because you are still using Blizzard's dll. Instead of reimplementing everything yourself.
Note: Don't start the argument again >.< it's annoying.
Hehe this source would have helped a lot when making my java port. But I learned way more about PE files than I ever wanted to so I'm happy :P
~Hdx
Title: Re: lockdown source
Post by: warz on July 31, 2007, 04:45 PM
I'm assuming he's talking about something else when he mentions incomplete because he also adds "and requires proprietary code to be run. " Also, we're not arguing about anything, but if we were, adding your two cents and then calling it annoying is no way to go about telling somebody to quit arguing. I enjoyed learning about windows PE header sections while doing this.
Title: Re: lockdown source
Post by: Hdx on July 31, 2007, 04:56 PM
I'm sorry, I just figured if I had the answer to a question I should say it. From all my communications with iago, that is what he is referring to. And I added the comment about arguments because the last few times that there were discussions about the use of proprietary code in your implementation it turned into 10 page arguments.
Sorry for posting my thoughts.
~Hdx
Title: Re: lockdown source
Post by: warz on July 31, 2007, 05:55 PM
I don't recall ever arguing about that... because, well, it does use third party code - I wouldn't have ever denied that. I was asking iago, also. Although you may have given me what you think is the probable answer, it still cannot be the answer I'm looking for, considering the answer I'm looking for will not be coming from you. If it were coming from you, it would not have been the answer that I was looking for, therefore making it not the answer to my question at all. In the event that I thought iago would not give a reply, I would have refrained from asking the question altogether, so that I may avoid receiving an answer that isn't really the answer. Sometimes, you have to be straightforward so that you get the answer that you're looking for. (which cannot be given by anyone other than the one)
Title: Re: lockdown source
Post by: brew on July 31, 2007, 06:44 PM
Man, warz, stop being so lame.
Title: Re: lockdown source
Post by: iago on July 31, 2007, 11:14 PM
It's incomplete because there's code missing.

It relies on proprietary code because it's incomplete.

It's not quite the same :P

(I'm not trying to complain or anything, I'm not exactly putting my version on a pedestal. I was just explaining what the differences are.)
Title: Re: lockdown source
Post by: warz on July 31, 2007, 11:20 PM
incomplete in a sense, i guess. complete in another sense.

Quote from: brew on July 31, 2007, 06:44 PM
Man, warz, stop being so lame.

how's the vampire life style treating ya?
Title: Re: lockdown source
Post by: brew on August 01, 2007, 09:42 AM
Quote from: betawarz on July 31, 2007, 11:20 PM
Quote from: brew on July 31, 2007, 06:44 PM
Man, warz, stop being so lame.
how's the vampire life style treating ya?
Dunno what you're talking about, I told you that was a joke about 100 times, how many more until you understand?
Heh. Your lockdown checkrevision code doesn't exactly work either, I keep getting invalid version:
Quote
Checksum == -1885853027
exeVersion == 17760257
exeInfo == $/hÚÉf°ÃÚ=á@³#
[10:41:35 AM] [BNET] Sending 0x51...
[10:41:35 AM] [BNET] Received 0x51!
[10:41:35 AM] [BNET] Invalid product version.
[10:41:35 AM] [BNET] Disconnected.
Title: Re: lockdown source
Post by: Yegg on August 01, 2007, 11:40 AM
Quote from: brew on August 01, 2007, 09:42 AM
Quote from: betawarz on July 31, 2007, 11:20 PM
Quote from: brew on July 31, 2007, 06:44 PM
Man, warz, stop being so lame.
how's the vampire life style treating ya?
Dunno what you're talking about, I told you that was a joke about 100 times, how many more until you understand?
Heh. Your lockdown checkrevision code doesn't exactly work either, I keep getting invalid version:
Quote
Checksum == -1885853027
exeVersion == 17760257
exeInfo == $/hÚÉf°ÃÚ=á@³#
[10:41:35 AM] [BNET] Sending 0x51...
[10:41:35 AM] [BNET] Received 0x51!
[10:41:35 AM] [BNET] Invalid product version.
[10:41:35 AM] [BNET] Disconnected.

Quote from: brew on July 31, 2007, 07:20 AM
warz's version is by far the easiest to work with.
Title: Re: lockdown source
Post by: warz on August 01, 2007, 11:52 AM
yeah. don't take anything brew says to heart. i don't think i have taken him seriously once, ever. also, any problems he mentions, or complains about, with anything he does, i generally assume it's an error he is making before i assume it's a problem with what he's using. my assumptions have been correct just about every time, also.
Title: Re: lockdown source
Post by: Yegg on August 01, 2007, 02:24 PM
Quote from: betawarz on August 01, 2007, 11:52 AM
yeah. don't take anything brew says to heart. i don't think i have taken him seriously once, ever. also, any problems he mentions, or complains about, with anything he does, i generally assume it's an error he is making before i assume it's a problem with what he's using. my assumptions have been correct just about every time, also.

I know. I wasn't implying that your implementation was bad or less than anyone else's. Thought I'd remind brew that yours was the "easiest to work with" according to him. I know it's not working due to his own mistake(s), I just find it funny that he makes that claim and about a day later he's experiencing problems.
Title: Re: lockdown source
Post by: brew on August 01, 2007, 09:22 PM
Grrr. Does it matter if i open the dx buffer with fopen() instead of fopen_s()? i heard i can't use it because it's in VC++ 7 and up only.
Title: Re: lockdown source
Post by: iago on August 01, 2007, 09:36 PM
I don't think there's anything wrong with using fopen() as long as you're careful to check the return value to ensure the file actually opened.
Title: Re: lockdown source
Post by: l2k-Shadow on August 01, 2007, 09:40 PM
Quote from: brew on August 01, 2007, 09:22 PM
Grrr. Does it matter if i open the dx buffer with fopen() instead of fopen_s()? i heard i can't use it because it's in VC++ 7 and up only.

no. i just dled and compiled the code and it works just fine. you must be doing something incorrectly.
Title: Re: lockdown source
Post by: brew on August 01, 2007, 10:37 PM
Quote from: l2k-Shadow on August 01, 2007, 09:40 PM
Quote from: brew on August 01, 2007, 09:22 PM
Grrr. Does it matter if i open the dx buffer with fopen() instead of fopen_s()? i heard i can't use it because it's in VC++ 7 and up only.

no. i just dled and compiled the code and it works just fine. you must be doing something incorrectly.
With VC++ 6? That's what I have, it doesn't recognize fopen_s.
anyways..

void Parse0x50(char *data) {
    char sdfg1[4], asdf[512], mpqName[32], ChecksumFormula[64], tmpCDKey[64], buf[256];
    char *files[5];
    int i = 0;
    memcpy(sdfg1, data + 8, 4);
    strcpy(mpqName, data + 24);
    strcpy(ChecksumFormula, data + 25 + strlen(mpqName));
    ClientToken = GetTickCount() + 7000;
    ServerToken = GetDWORD(sdfg1);
    strcpy(tmpCDKey, bot.cdkey);
    if (!DecodeCDKey(tmpCDKey))
        AddChat(vbRed, "[BNET] Invalid CDKey!");
    HashCDKey(KeyHash, ServerToken, ProductValue, PublicValue, PrivateValue, ClientToken);
    GetCurrentDirectory(sizeof(buf), buf);
    strcat(buf, "\\Hashes\\STAR\\");
    while (i < 5) {
        files[i] = (char *)malloc(256);
        strcpy(files[i], buf);
        i++;
    }
    mpqName[strlen(mpqName) - 4] = 0;
    strcat(mpqName, ".dll");
    memset(buf, 0, sizeof(buf));
    GetCurrentDirectory(sizeof(buf), buf);
    strcat(buf, "\\Hashes\\DLLs\\");
    strcat(buf, mpqName);
    strcat(files[0], "starcraft.exe");
    strcat(files[1], "storm.dll");
    strcat(files[2], "battle.snp");
    strcpy(files[3], buf);
    strcat(files[4], "sexp.bin");
    int crresult = CheckRevisionLD(files[0], files[1], files[2], ChecksumFormula, exeVersion, Checksum, exeInfo, files[3], files[4]);
    if (crresult) {
        memset(buf, 0, sizeof(buf));
        sprintf(buf, "Failed Lockdown CheckRevision! [error %d]", crresult);
        AddChat(vbRed, buf);
    }
    sprintf(asdf, "\nClientToken == %u\nServerToken == %u\nmpqName == %s\nChecksumFormula == %s\nCDKey == %s\nProductValue == %d\nPublicValue == %d\n"
            "PrivateValue == %d\nKeyHash == %s\nChecksum == %d\nexeVersion == %d\nexeInfo == %s",
            ClientToken, ServerToken, mpqName, ChecksumFormula, bot.cdkey, ProductValue,
            PublicValue, PrivateValue, KeyHash, Checksum, exeVersion, exeInfo);
    AddChat(vbCyan, asdf);
    Send0x51();
}


amirite?

[Edit: broke up code statement to avoid breaking the table.]
Title: Re: lockdown source
Post by: Kp on August 02, 2007, 12:28 AM
brew: you are leaking memory.  You are also using unchecked buffer operations, in some cases with the buffer input derived from a clearly untrustworthy source.  You should fix both of those before you continue debugging the actual problem.
Title: Re: lockdown source
Post by: brew on August 02, 2007, 08:57 AM
Okay so i added the following to the end of it

i ^= i;
while (i < 5) {
    free(files[i]);
    i++;
}

That should fix the memory leak, now what?? :(
and what do you mean by unchecked buffer operations, just not setting the array to 0 before using it?
I figured that'd be fine, as you can see I use strcat and strcpy and so on (which tacks on the null char for you). So what's wrong with that? And what is the actual problem anyways?
Title: Re: lockdown source
Post by: Yegg on August 02, 2007, 10:42 AM
What is the purpose of i ^= i? Why not just i = 0?
Title: Re: lockdown source
Post by: brew on August 02, 2007, 01:13 PM
Quote from: Yegg on August 02, 2007, 10:42 AM
What is the purpose of i ^= i? Why not just i = 0?
Because it's more efficient than MOV (takes 7 less cpu cycles) and it doesn't have to store a constant value of 0.
Title: Re: lockdown source
Post by: Yegg on August 02, 2007, 01:42 PM
That depends on the compiler you're using. I created some binary files from a simple C source I just wrote:

int main () {
    int i;

    i ^= i;
}


produces

00000000  8D4C2404          lea ecx,[esp+0x4]
00000004  83E4F0            and esp,byte -0x10
00000007  FF71FC            push dword [ecx-0x4]
0000000A  55                push ebp
0000000B  89E5              mov ebp,esp
0000000D  51                push ecx
0000000E  83EC10            sub esp,byte +0x10
00000011  C745F800000000    mov dword [ebp-0x8],0x0
00000018  83C410            add esp,byte +0x10
0000001B  59                pop ecx
0000001C  5D                pop ebp
0000001D  8D61FC            lea esp,[ecx-0x4]
00000020  C3                ret


and

int main () {
    int i;

    i = 0;
}


produces

00000000  8D4C2404          lea ecx,[esp+0x4]
00000004  83E4F0            and esp,byte -0x10
00000007  FF71FC            push dword [ecx-0x4]
0000000A  55                push ebp
0000000B  89E5              mov ebp,esp
0000000D  51                push ecx
0000000E  83EC10            sub esp,byte +0x10
00000011  C745F800000000    mov dword [ebp-0x8],0x0
00000018  83C410            add esp,byte +0x10
0000001B  59                pop ecx
0000001C  5D                pop ebp
0000001D  8D61FC            lea esp,[ecx-0x4]
00000020  C3                ret


You'll notice the two are identical. Perhaps there is some optimization argument gcc should be given?
Title: Re: lockdown source
Post by: brew on August 02, 2007, 01:48 PM
Wow, that's pretty gay. Some optimization that is. From now on i'm going to turn off optimizations for Visual C++. Is this a good idea?
Title: Re: lockdown source
Post by: Yegg on August 02, 2007, 01:52 PM
I don't know much about Visual C++. It sounds like a good idea to keep the optimizations on unless you're a pretty advanced guru with the language and software.
Title: Re: lockdown source
Post by: iago on August 02, 2007, 02:45 PM
Optimizing C code like that is almost always stupid. If you're going to do that, you might as well start expanding your loops out.

Seriously, let the compiler/optimizer do what it's good for.
Title: Re: lockdown source
Post by: Antarctica on August 02, 2007, 03:14 PM
Anything that will work for vb6?
Title: Re: lockdown source
Post by: UserLoser on August 02, 2007, 05:53 PM
Quote from: iago on August 02, 2007, 02:45 PM
Optimizing C code like that is almost always stupid. If you're going to do that, you might as well start expanding your loops out.

Seriously, let the compiler/optimizer do what it's good for.
Title: Re: lockdown source
Post by: Newby on August 02, 2007, 06:18 PM
Quote from: brew on August 02, 2007, 01:48 PM
Wow, that's pretty gay. Some optimization that is. From now on i'm going to turn off optimizations for Visual C++. Is this a good idea?

You motherfucker, I thought I had posted today because I use this avatar in other places. You confused me you bastard.
Title: Re: lockdown source
Post by: brew on August 02, 2007, 07:07 PM
Quote from: Newby on August 02, 2007, 06:18 PM
Quote from: brew on August 02, 2007, 01:48 PM
Wow, that's pretty gay. Some optimization that is. From now on i'm going to turn off optimizations for Visual C++. Is this a good idea?
You motherfucker, I thought I had posted today because I use this avatar in other places. You confused me you bastard.
....huh...?

Quote
Seriously, let the compiler/optimizer do what it's good for.
I say it's not doing its job well enough.
Title: Re: lockdown source
Post by: l2k-Shadow on August 02, 2007, 07:16 PM
How come you're using while (i < 5)? I thought you said != is way more efficient.

I know you feel all leet coding in C and everything but let it go man, little things like these make no difference, let the compiler do its work.
Title: Re: lockdown source
Post by: Yegg on August 02, 2007, 08:29 PM
Quote from: l2k-Shadow on August 02, 2007, 07:16 PM
How come you're using while (i < 5)? I thought you said != is way more efficient.

I know you feel all leet coding in C and everything but let it go man, little things like these make no difference, let the compiler do its work.

Don't always just "let the compiler do the work".  It's educational to learn how certain parts of the compiler are actually done. brew, don't expect that those kinds of small details will improve your applications at all, because typically they won't, but it's still fun to learn little things like that. Look more into it.
Title: Re: lockdown source
Post by: raylu on August 02, 2007, 08:47 PM
Quote from: l2k-Shadow on August 02, 2007, 07:16 PM
How come you're using while (i < 5)? I thought you said != is way more efficient.

I know you feel all leet coding in C and everything but let it go man, little things like these make no difference, let the compiler do its work.
Of course! There is no middleground between pure ASM and...well, every time I think I've seen the worst solution possible, I learn something new...but you get the point.
Title: Re: lockdown source
Post by: brew on August 02, 2007, 09:36 PM
Quote from: raylu on August 02, 2007, 08:47 PM
Quote from: l2k-Shadow on August 02, 2007, 07:16 PM
How come you're using while (i < 5)? I thought you said != is way more efficient.

I know you feel all leet coding in C and everything but let it go man, little things like these make no difference, let the compiler do its work.
Of course! There is no middleground between pure ASM and...well, every time I think I've seen the worst solution possible, I learn something new...but you get the point.
eh... MASM
I don't feel very leet coding in C...
But now when I go back to finish a project in VB i'm totally disgusted at how dumbed down it is.
Title: Re: lockdown source
Post by: Kp on August 02, 2007, 10:44 PM
That assembly looks grossly unoptimized.  I could have done that in two instructions:
xor eax, eax
ret


brew: considering how concerned you are about manual optimization, I find it a little surprising you have not even considered security.  Read up about buffer overflows, look at how many patches Microsoft has to issue because their programmers do not understand buffer overflows, then look at your code again.  If you still think it is OK, then I will pick it apart and explain what is wrong.
Title: Re: lockdown source
Post by: iago on August 02, 2007, 11:40 PM
Quote from: Yegg on August 02, 2007, 08:29 PM
Don't always just "let the compiler do the work".  It's educational to learn how certain parts of the compiler are actually done. brew, don't expect that those kinds of small details will improve your applications at all, because typically they won't, but it's still fun to learn little things like that. Look more into it.
The problem is, if you make your code less readable but execute a fraction of no time faster, you lose. You're typically better off keeping your code readable rather than efficient.

That being said, efficient algorithms are important. If you bubblesort/insertionsort 100000000 items or quicksort/shellsort 100000000 items, it matters very little whether each instruction is fast or slow, the quicksort will always be faster. Algorithm choice is important in many cases.
Title: Re: lockdown source
Post by: brew on August 03, 2007, 10:33 AM
Quote from: Kp on August 02, 2007, 10:44 PM
brew: considering how concerned you are about manual optimization, I find it a little surprising you have not even considered security.  Read up about buffer overflows, look at how many patches Microsoft has to issue because their programmers do not understand buffer overflows, then look at your code again.  If you still think it is OK, then I will pick it apart and explain what is wrong.

To be completely honest, I don't see anything wrong with that code. Maybe it is insecure, but honestly who cares. Not like everybody's going to be using it anyways. Anyways, I can't really think of a problem with that code. Please clue me in :9
Title: Re: lockdown source
Post by: Kp on August 04, 2007, 12:48 AM
Quote from: brew on August 03, 2007, 10:33 AM
To be completely honest, I don't see anything wrong with that code. Maybe it is insecure, but honestly who cares. Not like everybody's going to be using it anyways. Anyways, I can't really think of a problem with that code. Please clue me in :9

You should care, as should anyone who runs it or uses it as an example.

Never assume that external input can be trusted to be correct.  Always validate it, even if you think it will come from a source that would not have an interest in breaking your program.  Expect that eventually, you will make a mistake.  Design your code to minimize the opportunity to make dangerous mistakes.  For instance, even though an input is coming from a function which already validated it, you should still use a checked copy.  Then, if you someday add a path where the input can come in without being validated, the checked copy will still catch an attack.
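As an added illustration of Kp's "checked copy" advice (and of the unchecked strcpy calls he flagged in brew's Parse0x50 earlier in the thread), here is a bounds-checked parser for the same 0x50 fields; this is example code written for this archive, not brew's, Rob's or iago's. The field layout (server token dword at +8, MPQ name at +24, checksum formula right after it) is taken from the posted function, and the sample packet is constructed, not captured.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MPQ_NAME_MAX 32   /* same capacities as the posted mpqName[32] ... */
#define FORMULA_MAX  64   /* ... and ChecksumFormula[64] */

struct auth_info {
    uint32_t server_token;
    char mpq_name[MPQ_NAME_MAX];
    char formula[FORMULA_MAX];
};

/* Copy the NUL-terminated string at data[off] into dst (capacity cap).
 * Returns bytes consumed including the NUL, or 0 if the string is not
 * terminated inside the packet or would not fit: reject, never truncate. */
static size_t copy_cstring(const unsigned char *data, size_t len, size_t off,
                           char *dst, size_t cap)
{
    if (off >= len) return 0;
    const unsigned char *start = data + off;
    const unsigned char *nul = memchr(start, 0, len - off);
    if (nul == NULL) return 0;               /* no terminator before end of packet */
    size_t n = (size_t)(nul - start);
    if (n + 1 > cap) return 0;               /* would overflow dst */
    memcpy(dst, start, n + 1);
    return n + 1;
}

/* Parse the fields the posted Parse0x50 reads: dword at +8, then two strings
 * from +24. Every read is bounded by len; returns 0 on success, <0 on
 * malformed input so the caller can drop the packet instead of guessing. */
int parse_auth_info(const unsigned char *data, size_t len, struct auth_info *out)
{
    if (data == NULL || out == NULL || len < 24) return -1;
    memset(out, 0, sizeof *out);
    out->server_token = (uint32_t)data[8] | ((uint32_t)data[9] << 8) |
                        ((uint32_t)data[10] << 16) | ((uint32_t)data[11] << 24);
    size_t used = copy_cstring(data, len, 24, out->mpq_name, sizeof out->mpq_name);
    if (used == 0) return -2;
    if (copy_cstring(data, len, 24 + used, out->formula, sizeof out->formula) == 0)
        return -3;
    return 0;
}

/* Constructed sample: 24 header bytes (only the token at +8 matters here),
 * "example.mpq", then a made-up formula string. Not captured traffic. */
static const unsigned char SAMPLE[] = {
    0,0,0,0, 0,0,0,0, 0x12,0x34,0x56,0x78, 0,0,0,0, 0,0,0,0, 0,0,0,0,
    'e','x','a','m','p','l','e','.','m','p','q',0, 'A','=','1',' ','B','=','2',0 };

/* Well-formed packet: returns 1 when all three fields come back intact. */
int demo_good(void)
{
    struct auth_info ai;
    if (parse_auth_info(SAMPLE, sizeof SAMPLE, &ai) != 0) return 0;
    return ai.server_token == 0x78563412u && strcmp(ai.mpq_name, "example.mpq") == 0
           && strcmp(ai.formula, "A=1 B=2") == 0;
}

/* Same bytes with the formula's terminating NUL cut off: strcpy would read
 * past the packet; the checked copy returns -3 instead. */
int demo_unterminated(void)
{
    struct auth_info ai;
    return parse_auth_info(SAMPLE, sizeof SAMPLE - 1, &ai);
}

/* A 40-byte name that cannot fit in mpq_name: strcpy would overrun the
 * stack buffer; the checked copy returns -2 and writes nothing. */
int demo_oversized(void)
{
    unsigned char pkt[24 + 40 + 2] = {0};
    memset(pkt + 24, 'x', 40);           /* name, then NUL, then empty formula */
    struct auth_info ai;
    return parse_auth_info(pkt, sizeof pkt, &ai);
}
```

The three demo functions correspond to the cases a server (or anyone spoofing one) could hand the client: a sane packet, a string with no terminator, and a string larger than the destination buffer.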
Title: Re: lockdown source
Post by: brew on August 04, 2007, 10:58 AM
How would I access the "NX" or "XD" features of a CPU? That way, if i did have a buffer overrun, it wouldn't do anything harmful except overwrite a variable (maybe)? And what about DEP?
Quote
Your code is not const-correct.  The variable 'data' is never written to, but is not marked as const.
What is the benefit of marking a variable as a const, anyways?

Also wouldn't a buffer overflow just (usually) result in an unhandled memory access violation exception?
Title: Re: lockdown source
Post by: Yegg on August 04, 2007, 11:50 AM
If you mark a variable as const, the compiler won't let you modify it, thus keeping you from modifying variables that you didn't intend on modifying.
Title: Re: lockdown source
Post by: Newby on August 04, 2007, 12:49 PM
Quote from: brew on August 04, 2007, 10:58 AM
Also wouldn't a buffer overflow just (usually) result in an unhandled memory access violation exception?

No... if the payload is constructed properly it could do so much more.
Title: Re: lockdown source
Post by: warz on August 04, 2007, 01:36 PM
Depending what it overflows into, anyways.
Title: Re: lockdown source
Post by: iago on August 04, 2007, 03:06 PM
Quote from: brew on August 04, 2007, 10:58 AM
How would I access the "NX" or "XD" features of a CPU? That way, if i did have a buffer overrun, it wouldn't do anything harmful except overwrite a variable (maybe)? And what about DEP?
Quote
Your code is not const-correct.  The variable 'data' is never written to, but is not marked as const.
What is the benefit of marking a variable as a const, anyways?

Also wouldn't a buffer overflow just (usually) result in an unhandled memory access violation exception?

You should read the classic paper "Smashing the Stack for Fun and Profit" by Aleph1 (aka, Elias Levy, who works at Symantec :) ). It'll explain in gory details why that isn't necessarily true.
Title: Re: lockdown source
Post by: Yegg on August 04, 2007, 03:12 PM
You can get that paper by DJ_Ripper via IRC in #ebooks on irc.tehnet.org/6667.
Title: Re: lockdown source
Post by: Kp on August 04, 2007, 03:37 PM
Quote from: brew on August 04, 2007, 10:58 AM
How would I access the "NX" or "XD" features of a CPU? That way, if i did have a buffer overrun, it wouldn't do anything harmful except overwrite a variable (maybe)? And what about DEP?

Your operating system is responsible for enabling the feature and configuring the hardware appropriately.  If I recall correctly, NX support is present in Windows XP SP2 and Windows Vista.  It is probably supported in some version of Windows Server 2003, but I do not know which Service Pack introduced it.  Even when DEP is on, Windows implements it in a way that is not that hard to bypass, which was necessary for compatibility with stupidly written copy prevention schemes.  Finally, even supposing that DEP cannot be bypassed, an attacker can still transfer control to any other point in your program.  Depending on the program, this could do any of a variety of bad things.

Think of DEP like the safety features on a car: good to have, will probably reduce the damage you sustain if you ever need it, but you are still better off just not needing it in the first place.