Naturally, I had to correct them:
http://www.skullsecurity.org/blog/2012/battle-net-authentication-misconceptions (http://www.skullsecurity.org/blog/2012/battle-net-authentication-misconceptions)
It's been awhile, was fun to dig up my old code and remember how stuff worked. :)