• Welcome to Valhalla Legends Archive.
 
Messages - Tejjoj

#1
Quote from: Kp on November 02, 2007, 11:46 PM
So either sockscap is buggy, or the D2GS protocol is not friendly to how you are performing the capture.  What is the purpose of this redirection?  What packets do you not receive when you employ a SOCKS redirection?

My packet log through SOCKS:
Quote
0x1 size: 8 (8) of 9
0x0 size: 1 (9) of 9
0x59 size: 26 (26) of 507
0xaa size: 12 (38) of 507
0x76 size: 6 (44) of 507
0x94 size: 57 (101) of 507
0x27 size: 40 (141) of 507
0x23 size: 13 (154) of 507
0x23 size: 13 (167) of 507
0x5e size: 38 (205) of 507
0x28 size: 103 (308) of 507
0x29 size: 97 (405) of 507
0xb size: 6 (411) of 507
0x5f size: 5 (416) of 507
0x1d size: 3 (419) of 507
0x1d size: 3 (422) of 507
0x1d size: 3 (425) of 507
0x1d size: 3 (428) of 507
0x1f size: 6 (434) of 507
0x1f size: 6 (440) of 507
0x1f size: 6 (446) of 507
0x1d size: 3 (449) of 507
0x1e size: 4 (453) of 507
0x9c size: 23 (476) of 507
0x9c size: 31 (507) of 507
0x9c size: 42 (42) of 494
0x9c size: 41 (83) of 494
0x9c size: 43 (126) of 494
0x9c size: 39 (165) of 494
0x9c size: 20 (185) of 494
0x9d size: 51 (236) of 494
0x9d size: 25 (261) of 494
0x9d size: 45 (306) of 494
0x9d size: 38 (344) of 494
0x9d size: 38 (382) of 494
0x9d size: 51 (433) of 494
0x9d size: 61 (494) of 494
0x67 size: 16 (16) of 16
0x67 size: 16 (16) of 32
0x67 size: 16 (32) of 32
0x6d size: 10 (10) of 10
0x67 size: 16 (16) of 16
0x6d size: 10 (10) of 10
0x67 size: 16 (16) of 25
0x96 size: 9 (25) of 25
0x6d size: 10 (10) of 10
0x67 size: 16 (16) of 16
0x6d size: 10 (10) of 10
0x6d size: 10 (10) of 10
0x7f size: 10 (10) of 10
0x67 size: 16 (16) of 16

And this here w/o SOCKS5:

Quote
0x1 size: 8 (8) of 9
0x0 size: 1 (9) of 9
0x59 size: 26 (26) of 507
0xaa size: 12 (38) of 507
0x76 size: 6 (44) of 507
0x94 size: 57 (101) of 507
0x27 size: 40 (141) of 507
0x23 size: 13 (154) of 507
0x23 size: 13 (167) of 507
0x5e size: 38 (205) of 507
0x28 size: 103 (308) of 507
0x29 size: 97 (405) of 507
0xb size: 6 (411) of 507
0x5f size: 5 (416) of 507
0x1d size: 3 (419) of 507
0x1d size: 3 (422) of 507
0x1d size: 3 (425) of 507
0x1d size: 3 (428) of 507
0x1f size: 6 (434) of 507
0x1f size: 6 (440) of 507
0x1f size: 6 (446) of 507
0x1d size: 3 (449) of 507
0x1e size: 4 (453) of 507
0x9c size: 23 (476) of 507
0x9c size: 31 (507) of 507
0x9c size: 42 (42) of 494
0x9c size: 41 (83) of 494
0x9c size: 43 (126) of 494
0x9c size: 39 (165) of 494
0x9c size: 20 (185) of 494
0x9d size: 51 (236) of 494
0x9d size: 25 (261) of 494
0x9d size: 45 (306) of 494
0x9d size: 38 (344) of 494
0x9d size: 38 (382) of 494
0x9d size: 51 (433) of 494
0x9d size: 61 (494) of 494
0x9d size: 46 (46) of 492
0x9d size: 45 (91) of 492
0x9d size: 25 (116) of 492
0x9c size: 25 (141) of 492
0x9c size: 25 (166) of 492
0x9c size: 31 (197) of 492
0x9c size: 31 (228) of 492
0x9c size: 31 (259) of 492
0x9c size: 31 (290) of 492
0x9c size: 30 (320) of 492
0x9c size: 30 (350) of 492
0x9c size: 45 (395) of 492
0x9c size: 38 (433) of 492
0x9c size: 30 (463) of 492
0x9c size: 29 (492) of 492
0x9c size: 31 (31) of 510
0x9c size: 30 (61) of 510
0x9c size: 29 (90) of 510
0x9c size: 31 (121) of 510
0x9c size: 30 (151) of 510
0x9c size: 22 (173) of 510
0x9c size: 31 (204) of 510
0x9c size: 29 (233) of 510
0x9c size: 29 (262) of 510
0x9c size: 31 (293) of 510
0x9d size: 58 (351) of 510
0x9d size: 43 (394) of 510
0x7b size: 8 (402) of 510
0x7b size: 8 (410) of 510
0x7b size: 8 (418) of 510
0x7b size: 8 (426) of 510
0x23 size: 13 (439) of 510
0x23 size: 13 (452) of 510
0x1d size: 3 (455) of 510
0x1d size: 3 (458) of 510
0x1d size: 3 (461) of 510
0x1d size: 3 (464) of 510
0x1f size: 6 (470) of 510
0x1f size: 6 (476) of 510
0x1f size: 6 (482) of 510
0x1d size: 3 (485) of 510
0x1e size: 4 (489) of 510
0x95 size: 13 (502) of 510
0x1c size: 5 (507) of 510
0x1d size: 3 (510) of 510
0x1d size: 3 (3) of 511
0x1d size: 3 (6) of 511
0x1d size: 3 (9) of 511
0x3 size: 12 (21) of 511
0x53 size: 10 (31) of 511
0x7 size: 6 (37) of 511
0x7 size: 6 (43) of 511
0x7 size: 6 (49) of 511
0x7 size: 6 (55) of 511
0x7 size: 6 (61) of 511
0x7 size: 6 (67) of 511
0x7 size: 6 (73) of 511
0x15 size: 11 (84) of 511
0x7e size: 5 (89) of 511
0xac size: 25 (114) of 511
0xaa size: 12 (126) of 511
0xa0 size: 10 (136) of 511
0x9e size: 7 (143) of 511
0x9e size: 7 (150) of 511
0x9e size: 7 (157) of 511
0xa0 size: 10 (167) of 511
0xa0 size: 10 (177) of 511
0x9f size: 8 (185) of 511
0xa0 size: 10 (195) of 511
0xa0 size: 10 (205) of 511
0x9e size: 7 (212) of 511
0x9e size: 7 (219) of 511
0x9e size: 7 (226) of 511
0x9e size: 7 (233) of 511
0x9e size: 7 (240) of 511
0x9e size: 7 (247) of 511
0x6d size: 10 (257) of 511
0xae size: 40 (297) of 511
0xac size: 14 (311) of 511
0xaa size: 10 (321) of 511
0x6d size: 10 (331) of 511
0xac size: 14 (345) of 511
0xaa size: 10 (355) of 511
0x6d size: 10 (365) of 511
0xac size: 14 (379) of 511
0xaa size: 10 (389) of 511
0x6d size: 10 (399) of 511
0x51 size: 14 (413) of 511
0x51 size: 14 (427) of 511
0x51 size: 14 (441) of 511
0xac size: 14 (455) of 511
0xaa size: 12 (467) of 511
0x6d size: 10 (477) of 511
0xac size: 14 (491) of 511
0xaa size: 10 (501) of 511
0x6d size: 10 (511) of 511
0x12 size: 26 (26) of 20
0x15 size: 11 (11) of 11
0x67 size: 16 (16) of 16
0x67 size: 16 (16) of 32
0x67 size: 16 (32) of 32
0x67 size: 16 (16) of 16
0x7 size: 6 (6) of 18
0x7 size: 6 (12) of 18
0x7 size: 6 (18) of 18
0xac size: 14 (14) of 293
0xaa size: 12 (26) of 293
0x6d size: 10 (36) of 293
0x51 size: 14 (50) of 293
0x51 size: 14 (64) of 293
0x51 size: 14 (78) of 293
0x51 size: 14 (92) of 293
0x51 size: 14 (106) of 293
0x51 size: 14 (120) of 293
0x51 size: 14 (134) of 293
0xac size: 14 (148) of 293
0xaa size: 12 (160) of 293
0x6d size: 10 (170) of 293
0xac size: 17 (187) of 293
0xaa size: 12 (199) of 293
0x6d size: 10 (209) of 293
0x51 size: 14 (223) of 293
0x51 size: 14 (237) of 293
0x51 size: 14 (251) of 293
0x51 size: 14 (265) of 293
0x51 size: 14 (279) of 293
0x51 size: 14 (293) of 293
0x6d size: 10 (10) of 19
0x96 size: 9 (19) of 19
0x51 size: 14 (14) of 40
0x60 size: 7 (21) of 40
0xe size: 12 (33) of 40
0x60 size: 7 (40) of 40
0x67 size: 16 (16) of 32
0x67 size: 16 (32) of 32
0x67 size: 16 (16) of 16
0x6d size: 10 (10) of 10
0x7 size: 6 (6) of 204
0x15 size: 11 (17) of 204
0xa7 size: 7 (24) of 204
0x7 size: 6 (30) of 204
0x7 size: 6 (36) of 204
0x7 size: 6 (42) of 204
0x7 size: 6 (48) of 204
0x7 size: 6 (54) of 204
0xa size: 6 (60) of 204
0xa size: 6 (66) of 204
0xa size: 6 (72) of 204
0xa size: 6 (78) of 204
0xa size: 6 (84) of 204
0xa size: 6 (90) of 204
0x8 size: 6 (96) of 204
0xa size: 6 (102) of 204
0xa size: 6 (108) of 204
0x8 size: 6 (114) of 204
0xa size: 6 (120) of 204
0xa size: 6 (126) of 204
0xa size: 6 (132) of 204
0xa size: 6 (138) of 204
0x8 size: 6 (144) of 204
0xa size: 6 (150) of 204
0xa size: 6 (156) of 204
0xa size: 6 (162) of 204
0x8 size: 6 (168) of 204
0xa size: 6 (174) of 204
0xa size: 6 (180) of 204
0xa size: 6 (186) of 204
0xa size: 6 (192) of 204
0xa size: 6 (198) of 204
0x8 size: 6 (204) of 204
0x51 size: 14 (14) of 69
0x51 size: 14 (28) of 69
0x67 size: 16 (44) of 69
0x15 size: 11 (55) of 69
0x51 size: 14 (69) of 69
0x67 size: 16 (16) of 16
0x6d size: 10 (10) of 10
0x6d size: 10 (10) of 10
0x6d size: 10 (10) of 10
0x96 size: 9 (9) of 9
#2
Quote from: squiggly on November 02, 2007, 06:32 PM
The server that acts as your proxy might be dropping packets, or you've implemented the protocol incorrectly
Well, when I run it through SocksCap it also causes trouble.
#3
Battle.net Bot Development / Problems with Packets
November 02, 2007, 04:54 PM
Hello!

I have problems with the D2GS! When I connect through SOCKS5 I don't get all packets. If I do it through my own connection it works fine. Does anyone know why?
#4
I have problems splitting the packets


BOOL Success = TRUE;
while(Success) {
   if(*(BYTE*)&Buffer[0] != 0xAF || *(BYTE*)&Buffer[0] == 0x02) {
      // Compressed game packet: GamePacketSize() yields the compressed
      // payload size and the length of the size header in front of it
      BYTE outdata[3000] = {0};
      unsigned int Size, Offset, outsize;
      GamePacketSize((BYTE*)Buffer, &Size, &Offset);

      // Bail out before decoding if the header is invalid or the packet
      // claims more bytes than this read delivered (e.g. "size: 26 (26) of 20")
      if(Size == (unsigned int)-1 || Size + Offset > dwSize) {
         Success = FALSE;
         break;
      }

      GamePacketDecode((BYTE*)(Buffer + Offset), Size, (BYTE*)outdata, sizeof(outdata), &outsize);
      // printf("[D2GS] Packet Size: %d Decompressed: %d\n",dwSize,outsize);
      Packet_IncomeGS(outdata, outsize);

      // Advance by the compressed bytes actually consumed (header + payload);
      // the decompressed size says nothing about the position in the stream
      dwSize -= Size + Offset;
      Buffer = (CHAR*)Buffer + Offset + Size;
      if(dwSize == 0) {
         Success = FALSE;   // buffer fully consumed, do not read past it
      }
      Sleep(100);
   }
   else {
      // 0xAF compression-info packet: handed on uncompressed as a whole
      unsigned int newdwSize, DecompressedSize;
      GamePacketSize((BYTE*)Buffer, &newdwSize, &DecompressedSize);
      // printf("[D2GS] 0xAF Packet Size: %d\n",DecompressedSize);
      Packet_IncomeGS((BYTE*)Buffer, dwSize);
      Buffer = (CHAR*)Buffer + dwSize;
      dwSize = 0;
      Success = FALSE;
      Sleep(100);
   }
}



It doesn't split them up correctly :/
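The loop in #4 and the SOCKS log in #1 share one missing piece: a game packet can end in one recv() and continue in the next (the log line "0x12 size: 26 (26) of 20" in #1 is a packet that claims more bytes than that read contained), so whatever is left over has to be carried into the next read instead of being parsed or dropped. The C program below is an added example and not the poster's code; it does not use the poster's GamePacketSize/GamePacketDecode helpers (which are not on this page) and instead demonstrates the carry-over with the 4-byte BNCS header visible in the dumps further down (0xFF, packet id, 16-bit little-endian length that includes the header). The sample stream, the 0x2000 length cap and the names reasm_t/reasm_feed/on_frame are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Framing assumed here: the BNCS header seen in the dumps on this page,
   0xFF, packet id, 16-bit little-endian length that counts the header too. */
#define FRAME_HDR 4
#define MAX_FRAME 0x2000        /* sanity cap, an assumption of this example */

typedef struct {
    uint8_t buf[2 * MAX_FRAME]; /* carry-over: bytes received but not yet a whole frame */
    size_t  len;
    int     frames;             /* complete frames delivered so far */
    int     bad;                /* malformed headers seen */
    uint8_t last_id;
} reasm_t;

typedef void (*frame_cb)(reasm_t *r, const uint8_t *frame, size_t len);

static void reasm_init(reasm_t *r) { memset(r, 0, sizeof *r); }

/* Called once per complete frame; a real client would dispatch on frame[1]. */
static void on_frame(reasm_t *r, const uint8_t *frame, size_t len) {
    (void)len;
    r->frames++;
    r->last_id = frame[1];
}

/* Feed one recv() chunk. Returns how many complete frames this chunk completed,
   or -1 when the stream is desynchronised (bad magic, impossible length, or
   more carry-over than we are willing to buffer). */
static int reasm_feed(reasm_t *r, const uint8_t *data, size_t n, frame_cb cb) {
    if (n > sizeof r->buf - r->len) { r->bad++; r->len = 0; return -1; }
    memcpy(r->buf + r->len, data, n);
    r->len += n;

    int delivered = 0;
    size_t pos = 0;
    for (;;) {
        if (r->len - pos < FRAME_HDR) break;           /* header itself is incomplete */
        const uint8_t *h = r->buf + pos;
        size_t flen = (size_t)h[2] | ((size_t)h[3] << 8);
        if (h[0] != 0xFF || flen < FRAME_HDR || flen > MAX_FRAME) {
            r->bad++; r->len = 0;                       /* drop everything; caller resets the socket */
            return -1;
        }
        if (r->len - pos < flen) break;                /* frame continues in the next recv() */
        cb(r, h, flen);
        delivered++;
        pos += flen;
    }
    memmove(r->buf, r->buf + pos, r->len - pos);       /* keep the partial tail */
    r->len -= pos;
    return delivered;
}

/* Constructed sample stream (values made up for this demo): three frames of
   8 + 10 + 8 bytes, which a proxy may hand back re-segmented at any point. */
static const uint8_t sample_stream[] = {
    0xFF, 0x25, 0x08, 0x00, 0x11, 0x22, 0x33, 0x44,
    0xFF, 0x51, 0x0A, 0x00, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0x01,
    0xFF, 0x25, 0x08, 0x00, 0x55, 0x66, 0x77, 0x88,
};

/* Deliver the sample in reads of `chunk` bytes and return the number of frames
   reassembled, -2 if bytes were left dangling, or -1 on a framing error. */
static int demo_chunked(size_t chunk) {
    reasm_t r;
    reasm_init(&r);
    for (size_t off = 0; off < sizeof sample_stream; ) {
        size_t n = sizeof sample_stream - off;
        if (n > chunk) n = chunk;
        if (reasm_feed(&r, sample_stream + off, n, on_frame) < 0) return -1;
        off += n;
    }
    return r.len ? -2 : r.frames;
}

/* A chunk that does not start with 0xFF must be rejected, not parsed as data. */
static int demo_bad_magic(void) {
    static const uint8_t junk[] = { 0x00, 0x51, 0x08, 0x00, 1, 2, 3, 4 };
    reasm_t r;
    reasm_init(&r);
    return reasm_feed(&r, junk, sizeof junk, on_frame);
}

int main(void) {
    size_t chunks[] = { 1, 5, 8, 26, 100 };
    for (size_t i = 0; i < sizeof chunks / sizeof chunks[0]; i++)
        printf("read size %3zu -> %d frames\n", chunks[i], demo_chunked(chunks[i]));
    printf("bad magic -> %d\n", demo_bad_magic());
    return 0;
}
```

Whatever the read size, the same three frames come out and nothing is left dangling; a direct connection and a SOCKS proxy only differ in where the read boundaries fall, which is exactly what a per-read parser like the one in #4 is sensitive to.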
#5
Quote from: Andy on September 14, 2007, 11:06 AM
3E C>S
I assume you're talking about the password hashing? It's not your character's password, it's the realm's password, which is always "password"

OH! Thanks! :)
#6
I've got a question. How is the hashing done in there? It is not the usual hash, though. Can anyone hook me up with information? Thanks!
#7
Quote from: Don Cullen on September 13, 2007, 01:45 PM
Quote from: Tejjoj on September 13, 2007, 01:38 PM
I just noticed... I am grabbing the ServerToken from the wrong position. It must be BNET.ServerToken = *(DWORD*)&data[8]; gosh...

Glad to hear you solved it. :)

Thanks for all your help. This is a great community; it works fine now :]
#8
I just noticed... I am grabbing the ServerToken from the wrong position. It must be BNET.ServerToken = *(DWORD*)&data[8]; gosh...
#9
Quote from: l2k-Shadow on September 12, 2007, 08:38 PM
you're getting a response of 0x200 which is "Invalid CD Key". should be self-explanatory.

My BNLS response is correct. You can see how I send the packet. If I knew where the problem was, I wouldn't ask :|
#10


The source code of the function I use to encrypt the CD key via BNLS:

Quote
#define PACKET_GENERATE() BYTE PACKET_BUF[8000]; INT PACKET_POS; PACKET_POS=0; memset(PACKET_BUF,0,sizeof(PACKET_BUF));
#define PACKET_ADDDWORD(x) *(DWORD*)&PACKET_BUF[PACKET_POS] = (DWORD)x; PACKET_POS+=sizeof(DWORD);
#define PACKET_ADDWORD(x) *(WORD*)&PACKET_BUF[PACKET_POS] = (WORD)x; PACKET_POS+=sizeof(WORD);
#define PACKET_ADDCHAR(x) *(CHAR*)&PACKET_BUF[PACKET_POS] = (CHAR)x; PACKET_POS+=sizeof(CHAR);
#define PACKET_ADDBYTE(x) *(BYTE*)&PACKET_BUF[PACKET_POS] = (BYTE)x; PACKET_POS+=sizeof(BYTE);
#define PACKET_ADDINT(x) *(INT*)&PACKET_BUF[PACKET_POS] = (INT)x; PACKET_POS+=sizeof(INT);
#define PACKET_ADDSTRING(x) strcpy((CHAR*)PACKET_BUF+PACKET_POS,x); PACKET_POS+=strlen(x);
#define PACKET_ADDNULLSTRING(x) strcpy((CHAR*)PACKET_BUF+PACKET_POS,x); PACKET_POS+=strlen(x) + 1;
#define PACKET_SEND(x) SendPacket(PACKET_BUF,x,PACKET_POS);
#define PACKET_CPY(x,y) memcpy(PACKET_BUF+PACKET_POS,x,y); PACKET_POS += y;



VOID BNLS_HashKey(CHAR* CDKey, BYTE KeyHash[9*4])
{
   BYTE CDKEY_HASH[100] = {0};
   DWORD pSize = 0;
   *(DWORD*)&CDKEY_HASH[0] = BNET.ServerToken;
   pSize += sizeof(DWORD);
   strcpy((char*)CDKEY_HASH+pSize,CDKey);
   pSize += strlen(CDKey) + 1;
   SendBNLSPacket(CDKEY_HASH,BNLS_CDKEY,pSize);
   printf("[BNLS] CDKey Hash sent!\n");

   pSize = 0;
   CHAR CDKEY_RESPONSE[100];

   DWORD dwSize = recv(BNLS.sock,CDKEY_RESPONSE,100,0);
   printf("[BNLS] CDKey Response! Packet Size: %d\n",dwSize);
   pSize = sizeof(BYTE) + sizeof(WORD); // Cutting away the Header
   printf("[BNLS] CDKey Hash Bool %d\n",CDKEY_RESPONSE[pSize]);
   pSize += sizeof(BOOL);
   printf("[BNLS] CDKey Client Session Key 0x%x\n",*(DWORD*)&CDKEY_RESPONSE[pSize]);
   BNET.ClientToken = *(DWORD*)&CDKEY_RESPONSE[pSize];
   pSize += sizeof(DWORD);
   memcpy(KeyHash,CDKEY_RESPONSE+pSize,sizeof(DWORD)*9);
}

VOID PrintKeyHash(BYTE* HashKey)
{
   DWORD Pos = 0;
   printf("[Info] Key Length: 0x%X\n",*(DWORD*)&HashKey[Pos]);
   Pos += sizeof(DWORD);
   printf("[Info] CD key's product value: 0x%X\n",*(DWORD*)&HashKey[Pos]);
   Pos += sizeof(DWORD);
   printf("[Info] CD key's public value: 0x%X\n",*(DWORD*)&HashKey[Pos]);
   Pos += sizeof(DWORD);
   printf("[Info] Unknown: 0x%X\n",*(DWORD*)&HashKey[Pos]);
   Pos += sizeof(DWORD);
   printf("[Info] Hash key Data(1): 0x%X\n",*(DWORD*)&HashKey[Pos]);
   Pos += sizeof(DWORD);
   printf("[Info] Hash key Data(2): 0x%X\n",*(DWORD*)&HashKey[Pos]);
   Pos += sizeof(DWORD);
   printf("[Info] Hash key Data(3): 0x%X\n",*(DWORD*)&HashKey[Pos]);
   Pos += sizeof(DWORD);
   printf("[Info] Hash key Data(4): 0x%X\n",*(DWORD*)&HashKey[Pos]);
   Pos += sizeof(DWORD);
   printf("[Info] Hash key Data(5): 0x%X\n",*(DWORD*)&HashKey[Pos]);
}

VOID BNLS_HashKeyEX(CHAR* CKey,DWORD SessionKey,BYTE* KeyHashBuffer)
{
   #define CDKEY_SAME_SESSION_KEY          (0x01)
   #define CDKEY_GIVEN_SESSION_KEY         (0x02)
   #define CDKEY_MULTI_SERVER_SESSION_KEYS (0x04)
   #define CDKEY_OLD_STYLE_RESPONSES       (0x08)

   BYTE CDKEY_HASH[100] = {0};
   DWORD pSize = 0;
   *(DWORD*)&CDKEY_HASH[pSize] = 0xDEADC0DE;            // Cookie
   pSize+= sizeof(DWORD);
   *(BYTE*)&CDKEY_HASH[pSize] = 1;                     // Amount of CDKeys
   pSize+= sizeof(BYTE);
   *(DWORD*)&CDKEY_HASH[pSize] = CDKEY_GIVEN_SESSION_KEY;   // Flag
   pSize+= sizeof(DWORD);
   *(DWORD*)&CDKEY_HASH[pSize] = BNET.ServerToken;         // Server Session Key
   pSize+= sizeof(DWORD);
   *(DWORD*)&CDKEY_HASH[pSize] = SessionKey;            // Client Session Key
   pSize+= sizeof(DWORD);
   strcpy((CHAR*)CDKEY_HASH+pSize,CKey);               // CD-Key
   pSize+= strlen(CKey) + 1;

   SendBNLSPacket(CDKEY_HASH,BNLS_CDKEY_EX,pSize);

   BYTE CDKEY_RESPONSE[1024] = {0};
   DWORD dwSize = recv(BNLS.sock,(CHAR*)CDKEY_RESPONSE,sizeof(CDKEY_RESPONSE),0);

   pSize = 3; // Cutting away the Header

   printf("[BNLS] BNLS_CDKEY_EX Response! Cookie: 0x%x\n",*(DWORD*)&CDKEY_RESPONSE[pSize]);
   pSize += sizeof(DWORD);
   printf("[BNLS] Requested CDKeys %d\n",*(BYTE*)&CDKEY_RESPONSE[pSize]);
   pSize += sizeof(BYTE);
   printf("[BNLS] Encrypted CDKeys %d\n",*(BYTE*)&CDKEY_RESPONSE[pSize]);
   pSize += sizeof(BYTE);
   printf("[BNLS] Bit Mask 0x%x\n",*(DWORD*)&CDKEY_RESPONSE[pSize]);
   pSize += sizeof(DWORD);
   printf("[BNLS] Client Session Key 0x%x\n",*(DWORD*)&CDKEY_RESPONSE[pSize]);
   BNET.ClientToken = *(DWORD*)&CDKEY_RESPONSE[pSize];
   pSize += sizeof(DWORD);
   memcpy(KeyHashBuffer,CDKEY_RESPONSE+pSize, 9 * sizeof(DWORD));
   pSize += sizeof(DWORD) * 9;
}

VOID BNLS_CheckRevision(VOID)
{
   DWORD pSize = 0;
   BYTE VERSIONCHECK[1024] = {0};
   BYTE VERSIONCHECK_RESPONSE[1024] = {0};

   *(DWORD*)&VERSIONCHECK[pSize] = PRODUCT_LORDOFDESTRUCTION;
   pSize += sizeof(DWORD);
   *(DWORD*)&VERSIONCHECK[pSize] = BNET.MPQNo;
   pSize += sizeof(DWORD);
   strcpy((CHAR*)VERSIONCHECK+pSize,BNET.ValueForma);
   pSize += strlen(BNET.ValueForma) + 1;

   SendBNLSPacket(VERSIONCHECK,BNLS_VERSIONCHECK,pSize);
   printf("[BNLS] VERSIONCHECK sent!\n");

   DWORD dwSize = recv(BNLS.sock,(CHAR*)VERSIONCHECK_RESPONSE,1024,0);
   printf("[BNLS] VERSIONCHECK response!\n");

   pSize = 3; // Remove the BNLS Header

   printf("[BNLS] VERSIONCHECK_RESPONSE %s(%d)\n", VERSIONCHECK_RESPONSE[pSize] ? "was sucessfull" : "failed", VERSIONCHECK_RESPONSE[pSize]);
   pSize+=sizeof(BOOL);

   BNET.EXEVersion = *(DWORD*)&VERSIONCHECK_RESPONSE[pSize];
   pSize+=sizeof(DWORD);
   BNET.EXEChecksum = *(DWORD*)&VERSIONCHECK_RESPONSE[pSize];
   pSize += sizeof(DWORD);
   strcpy(BNET.ExeInformations,(CHAR*)VERSIONCHECK_RESPONSE+pSize);
}


VOID SID_AUTH_INFO_HANDLER(BYTE* data,DWORD dwSize)
{
   printf("[BNET] AUTH_INFO response\n");

   CHAR ExeInfo[1024] = {0};
   CHAR Mpqname[1024] = {0};

   strcpy(Mpqname,(CHAR*)data + (sizeof(DWORD)*3) + sizeof(FILETIME) + 4);

   BNET.ServerToken = *(DWORD*)&data[7];   // Extracting the Server Token


   BNET.MPQNo = extractMPQNumber((CHAR*)data + (sizeof(DWORD)*3) + sizeof(FILETIME) + 4);
   strcpy(BNET.ValueForma,(CHAR*)data + ( (sizeof(DWORD)*3) + sizeof(FILETIME) + strlen((CHAR*)data + (sizeof(DWORD)*3) + sizeof(FILETIME) + 4) + 5));

   BNLS_HashKey(CDKEY_CLASSIC,BNET.KeyClassic);
   BNLS_HashKeyEX(CDKEY_LOD,BNET.ClientToken,BNET.KeyLoD);

   printf("ServerToken: 0x%x\nClientToken: 0x%x\nMPQNumber: %d (%s)\nValueForma: %s\n",BNET.ServerToken,BNET.ClientToken,BNET.MPQNo,(CHAR*)data + (sizeof(DWORD)*3) + sizeof(FILETIME) + 4,BNET.ValueForma);

   BNLS_CheckRevision();

   printf("EXEChecksum: 0x%x\nEXEVersion: 0x%x\nEXEInformations: %s\n",BNET.EXEChecksum,BNET.EXEVersion,BNET.ExeInformations);


   printf("Classic Key Infos: \n");
   PrintKeyHash(BNET.KeyClassic);
   printf("LoD Key Infos: \n");
   PrintKeyHash(BNET.KeyLoD);

   PACKET_GENERATE()               
   PACKET_ADDDWORD(BNET.ClientToken)         //   (DWORD) Client Token
   PACKET_ADDDWORD(BNET.EXEVersion)         //   (DWORD) EXE Version
   PACKET_ADDDWORD(BNET.EXEChecksum)         //   (DWORD) EXE Hash
   PACKET_ADDDWORD(2)                     //   (DWORD) Number of keys in this packet
   PACKET_ADDDWORD(0)                     //   (BOOLEAN) Using Spawn (32-bit)

   PACKET_CPY(BNET.KeyClassic,sizeof(DWORD)*9)   // Key Classic
   PACKET_CPY(BNET.KeyLoD,sizeof(DWORD)*9)      // Key LoD

   PACKET_ADDNULLSTRING(BNET.ExeInformations)   // (STRING) Exe Information
   PACKET_ADDNULLSTRING("Heiligeswasser")      // (STRING) CD Key owner name
   PACKET_SEND(SID_AUTH_CHECK)
}

The packet log:

Quote
00A308F8  FF 51 92 00 10 A1 4F 4B  ÿQ'.¡OK
00A30900  00 0B 00 01 61 C8 A0 6A  . .aÈ j
00A30908  02 00 00 00 00 00 00 00  .......
00A30910  10 00 00 00 06 00 00 00  ......
00A30918  4F B9 D6 00 00 00 00 00  O¹Ö.....
00A30920  52 BA A4 A8 F1 DA 19 5F  Rº¤¨ñÚ_
00A30928  1A C0 9D 59 9C DE A5 36  À?YœÞ¥6
00A30930  2F DC 70 B8 10 00 00 00  /Üp¸...
00A30938  0A 00 00 00 F6 25 3E 00  ....ö%>.
00A30940  00 00 00 00 8A 7A CF 33  ....ŠzÏ3
00A30948  6F AD 03 AB 6F 5B 92 8C  o­«o['Œ
00A30950  53 FE DE 7C 5B C4 B5 49  SþÞ|[ĵI
00A30958  67 61 6D 65 2E 65 78 65  game.exe
00A30960  20 30 34 2F 30 39 2F 30   04/09/0
00A30968  37 20 32 32 3A 31 35 3A  7 22:15:
00A30970  33 34 20 32 31 32 39 39  34 21299
00A30978  32 30 00 48 65 69 6C 69  20.Heili
00A30980  67 65 73 77 61 73 73 65  geswasse
00A30988  72 00                    r.

I keep getting IP banned after I send the packet. I really don't know what is wrong there! I hope you guys can help me fix this problem. I made a new thread with all the new information because it seems no one looks into the old thread. Thanks guys.
#11
Okay! Here is my PacketLog:


001FDBA8  FF 51 92 00 1D 75 E5 4A  ÿQ'.uåJ
001FDBB0  00 0B 00 01 5D 3F 5E E2  . .]?^â
001FDBB8  02 00 00 00 00 00 00 00  .......
001FDBC0  10 00 00 00 06 00 00 00  ......
001FDBC8  9B 40 23 00 00 00 00 00  ›@#.....
001FDBD0  13 9E B8 2B 40 6B 4C B9  ž¸+@kL¹
001FDBD8  AF 26 43 E2 2B 6A B2 9B  ¯&Câ+j²›
001FDBE0  EE A8 8B 97 10 00 00 00  —...
001FDBE8  0A 00 00 00 A1 F4 10 00  ....¡ô.
001FDBF0  00 00 00 00 F5 2A 3C C7  ....õ*<Ç
001FDBF8  C1 6F EB B0 A3 4F 02 D4  Áoë°£OÔ
001FDC00  BB 28 55 F1 BB A2 4C 09  »(Uñ»¢L.
001FDC08  67 61 6D 65 2E 65 78 65  game.exe
001FDC10  20 30 34 2F 30 39 2F 30   04/09/0
001FDC18  37 20 32 32 3A 31 35 3A  7 22:15:
001FDC20  33 34 20 32 31 32 39 39  34 21299
001FDC28  32 30 00 68 65 69 6C 69  20.heili
001FDC30  67 65 73 77 61 73 73 65  geswasse
001FDC38  72 00                    r.


The one from StealthBot:


001FB150  FF 51 92 00 05 99 2D 07  ÿQ'.™-
001FB158  00 0B 00 01 24 D5 DB F2  . .$ÕÛò
001FB160  02 00 00 00 00 00 00 00  .......
001FB168  10 00 00 00 06 00 00 00  ......
001FB170  9B 40 23 00 00 00 00 00  ›@#.....
001FB178  84 1C C0 AD 6C 76 3C 12  ,,À­lv<
001FB180  71 D2 EE 19 47 00 84 A0  qÒîG.,,
001FB188  A8 FD 65 1E 10 00 00 00  ¨ýe...
001FB190  0A 00 00 00 A1 F4 10 00  ....¡ô.
001FB198  00 00 00 00 EE 31 0B 07  ....î1 
001FB1A0  9C 62 F7 E1 AD 52 76 E7  œb÷á­Rvç
001FB1A8  FE 1B 93 DF 75 82 86 C1  þ"ßu,†Á
001FB1B0  67 61 6D 65 2E 65 78 65  game.exe
001FB1B8  20 30 34 2F 30 39 2F 30   04/09/0
001FB1C0  37 20 32 32 3A 31 35 3A  7 22:15:
001FB1C8  33 34 20 32 31 32 39 39  34 21299
001FB1D0  32 30 00 68 65 69 6C 69  20.heili
001FB1D8  67 65 73 77 61 73 73 65  geswasse
001FB1E0  72 00                    r.


And here are my BNLS_CDKEY_EX and BNLS_CDKEY functions:


VOID BNLS_HashKey(CHAR* CDKey, BYTE KeyHash[9*4])
{
   BYTE CDKEY_HASH[100] = {0};
   DWORD pSize = 0;
   *(DWORD*)&CDKEY_HASH[0] = BNET.ServerToken;
   pSize += sizeof(DWORD);
   strcpy((char*)CDKEY_HASH+pSize,CDKey);
   pSize += strlen(CDKey) + 1;
   SendBNLSPacket(CDKEY_HASH,BNLS_CDKEY,pSize);
   printf("[BNLS] CDKey Hash sent!\n");

   pSize = 0;
   CHAR CDKEY_RESPONSE[100];

   DWORD dwSize = recv(BNLS.sock,CDKEY_RESPONSE,100,0);
   printf("[BNLS] CDKey Response! Packet Size: %d\n",dwSize);
   pSize = 0x03; // Cutting away the Header
   printf("[BNLS] CDKey Hash Bool %d\n",CDKEY_RESPONSE[pSize]);
   pSize += sizeof(BOOL);
   printf("[BNLS] CDKey Client Session Key 0x%x\n",*(DWORD*)&CDKEY_RESPONSE[pSize]);
   BNET.ClientToken = *(DWORD*)&CDKEY_RESPONSE[pSize];
   pSize += sizeof(DWORD);

   for(UINT i = 0; i < 9*4; i++)
   {
      *(BYTE*)&KeyHash[i] = CDKEY_RESPONSE[pSize+i];
   }
}

VOID BNLS_HashKeyEX(CHAR* CKey,DWORD SessionKey,BYTE* KeyHashBuffer)
{
   #define CDKEY_SAME_SESSION_KEY          (0x01)
   #define CDKEY_GIVEN_SESSION_KEY         (0x02)
   #define CDKEY_MULTI_SERVER_SESSION_KEYS (0x04)
   #define CDKEY_OLD_STYLE_RESPONSES       (0x08)

   BYTE CDKEY_HASH[100] = {0};
   DWORD pSize = 0;
   *(DWORD*)&CDKEY_HASH[pSize] = 0xDEADC0DE;            // Cookie
   pSize+= sizeof(DWORD);
   *(BYTE*)&CDKEY_HASH[pSize] = 1;                      // Amount of CDKeys
   pSize+= sizeof(BYTE);
   *(DWORD*)&CDKEY_HASH[pSize] = CDKEY_GIVEN_SESSION_KEY; // Flag
   pSize+= sizeof(DWORD);
   *(DWORD*)&CDKEY_HASH[pSize] = BNET.ServerToken;       // Server Session Key
   pSize+= sizeof(DWORD);
   *(DWORD*)&CDKEY_HASH[pSize] = SessionKey;             // Client Session Key
   pSize+= sizeof(DWORD);
   strcpy((CHAR*)CDKEY_HASH+pSize,CKey);                 // CD-Key
   pSize+= strlen(CKey) + 1;

   SendBNLSPacket(CDKEY_HASH,BNLS_CDKEY_EX,pSize);

   BYTE CDKEY_RESPONSE[1024] = {0};
   DWORD dwSize = recv(BNLS.sock,(CHAR*)CDKEY_RESPONSE,sizeof(CDKEY_RESPONSE),0);

   pSize = 3; // Cutting away the Header

   printf("[BNLS] BNLS_CDKEY_EX Response! Cookie: 0x%x\n",*(DWORD*)&CDKEY_RESPONSE[pSize]);
   pSize += sizeof(DWORD);
   printf("[BNLS] Requested CDKeys %d\n",*(BYTE*)&CDKEY_RESPONSE[pSize]);
   pSize += sizeof(BYTE);
   printf("[BNLS] Encrypted CDKeys %d\n",*(BYTE*)&CDKEY_RESPONSE[pSize]);
   pSize += sizeof(BYTE);
   printf("[BNLS] Bit Mask 0x%x\n",*(DWORD*)&CDKEY_RESPONSE[pSize]);
   pSize += sizeof(DWORD);
   printf("[BNLS] Client Session Key 0x%x\n",*(DWORD*)&CDKEY_RESPONSE[pSize]);
   BNET.ClientToken = *(DWORD*)&CDKEY_RESPONSE[pSize];
   pSize += sizeof(DWORD);
   memcpy(KeyHashBuffer,CDKEY_RESPONSE+pSize, 9 * sizeof(DWORD));
   pSize += sizeof(DWORD) * 9;
}



And this is the way I call them:


VOID SID_AUTH_INFO_HANDLER(BYTE* data,DWORD dwSize)
{
   printf("[BNET] AUTH_INFO response\n");

   CHAR ExeInfo[1024] = {0};
   CHAR Mpqname[1024] = {0};

   strcpy(Mpqname,(CHAR*)data + (sizeof(DWORD)*3) + sizeof(FILETIME) + 4);

   BNET.ServerToken = *(DWORD*)&data[7]; // Extracting the Server Token

   BNET.MPQNo = extractMPQNumber((CHAR*)data + (sizeof(DWORD)*3) + sizeof(FILETIME) + 4);
   strcpy(BNET.ValueForma,
      (CHAR*)data + ( (sizeof(DWORD)*3) + sizeof(FILETIME)
      + strlen((CHAR*)data + (sizeof(DWORD)*3) + sizeof(FILETIME) + 4) + 5));

   BNLS_HashKey(CDKEY_CLASSIC,BNET.KeyClassic);
   BNLS_HashKeyEX(CDKEY_EXPANSION,BNET.ClientToken,BNET.KeyLoD);

   printf("ServerToken: 0x%x\nClientToken: 0x%x\nMPQNumber: %d (%s)\nValueForma: %s\n",
      BNET.ServerToken,BNET.ClientToken,BNET.MPQNo,
      (CHAR*)data + (sizeof(DWORD)*3) + sizeof(FILETIME) + 4,BNET.ValueForma);

   BNLS_CheckRevision();

   printf("EXEChecksum: 0x%x\nEXEVersion: 0x%x\nEXEInformations: %s\n",
      BNET.EXEChecksum,BNET.EXEVersion,BNET.ExeInformations);

   PACKET_GENERATE();
   PACKET_ADDDWORD(BNET.ClientToken)
   PACKET_ADDDWORD(BNET.EXEVersion)
   PACKET_ADDDWORD(BNET.EXEChecksum)
   PACKET_ADDDWORD(0x02)
   PACKET_ADDDWORD(0x00)
   memcpy(PACKET_BUF+PACKET_POS,BNET.KeyClassic,sizeof(DWORD)*9);
   PACKET_POS+=sizeof(DWORD)*9;
   memcpy(PACKET_BUF+PACKET_POS,BNET.KeyLoD,sizeof(DWORD)*9);
   PACKET_POS+=sizeof(DWORD)*9;

   PACKET_ADDNULLSTRING(BNET.ExeInformations)
   PACKET_ADDNULLSTRING("heiligeswasser");

   PACKET_SEND(SID_AUTH_CHECK);
}



I really don't know what is wrong.

Quote
[BNLS] Connecting...
[BNLS] Connected!
[BNET] Connecting... to europe.battle.net:6112
[BNLS] BNLS Keep-Alive Thread started!
[BNET] Connected!
[BNLS] Requesting VersionByte ..
[BNLS] VersionByte Response (11)! Version Byte is 0xb
[BNET] SID_AUTH_INFO sent!
Total PacketSize: 112
Packet Size: 8
[BNET] Ping Packet (8)
Packet Size: 8
[BNET] AUTH_INFO response
[BNLS] CDKey Hash sent!
[BNLS] CDKey Response! Packet Size: 47
[BNLS] CDKey Hash Bool 1
[BNLS] CDKey Client Session Key 0x4eea2bd4
[BNLS] BNLS_CDKEY_EX Response! Cookie: 0xdeadc0de
[BNLS] Requested CDKeys 1
[BNLS] Encrypted CDKeys 1
[BNLS] Bit Mask 0x1
[BNLS] Client Session Key 0x4eea2bd4
ServerToken: 0xe9f86800
ClientToken: 0x4eea2bd4
MPQNumber: 0 (ver-IX86-0.mpq)
ValueForma: B=3950895140 C=1114806514 A=3221168465 4 A=A^S B=B-C C=C+A A=A+B
[BNLS] VERSIONCHECK sent!
[BNLS] VERSIONCHECK response!
[BNLS] VERSIONCHECK_RESPONSE was sucessfull(1)
EXEChecksum: 0x6a58340c
EXEVersion: 0x1000b00
EXEInformations: game.exe 04/09/07 22:15:34 2129920
Total PacketSize: 9
Packet Size: 9
Type: 0x20000
[BNET] Connection Closed!

My program output.


[Kp edit: broke long lines.]
#12
Quote from: Don Cullen on September 10, 2007, 06:45 AM
Ah, right, forgot Diablo's exe is called Game.exe. Interesting choice of a filename on Blizzard's part.

Edit: Tejjoj, can you paste your BNLS_CDKEY function here?

Also, you only gave us the packet log of what BNLS sends you, we also need the packet log of what you're sending to Battle.net. So please paste the packet log of what you're sending Battle.net right after processing what BNLS sent you.

The packet log is the one from the client to Battle.net; it's the 0x51 packet. The hash function is included in my post:


VOID BNLS_HashKey(CHAR* CDKey, BYTE KeyHash[9*4])
{
   BYTE CDKEY_HASH[100] = {0};
   DWORD pSize = 0;
   *(DWORD*)&CDKEY_HASH[0] = BNET.ServerToken;
   pSize += sizeof(DWORD);
   strcpy((char*)CDKEY_HASH+pSize,CDKey);
   pSize += strlen(CDKey) + 1;
   SendBNLSPacket(CDKEY_HASH,BNLS_CDKEY,pSize);
   printf("[BNLS] CDKey Hash sent!\n");

   pSize = 0;
   CHAR CDKEY_RESPONSE[100];

   DWORD dwSize = recv(BNLS.sock,CDKEY_RESPONSE,100,0);
   printf("[BNLS] CDKey Response! Packet Size: %d\n",dwSize);
   pSize = 0x03; // Cutting away the Header
   printf("[BNLS] CDKey Hash Bool %d\n",CDKEY_RESPONSE[pSize]);
   pSize += sizeof(BOOL);
   printf("[BNLS] CDKey Client Session Key 0x%x\n",*(DWORD*)&CDKEY_RESPONSE[pSize]);
   pSize += sizeof(DWORD);

   for(UINT i = 0; i < 9*4; i++)
   {
      *(BYTE*)&KeyHash[i] = CDKEY_RESPONSE[pSize+i];
   }
}


#13
Alright, I sorted the packet like Andy did. I really don't know why it gives me an IP ban.


Client: 9C D6 4B 00
ExeVer: 00 0B 00 01
Checksum: 0E A7 80 B6
Keys: 02 00 00 00
Spawn: 00 00 00 00
Key 1 -
KeyLen: 10 00 00 00
KeyPrd: 06 00 00 00
KeyPub: 4F B9 D6 00
Unknwn: 00 00 00 00
Hash: 9B FF 37 2D
D5 55 AF AB
1B 4C B4 FA
F0 1C AF 96
CD 1B EE 54
Key 2 -
KeyLen: 10 00 00 00
KeyPrd: 0A 00 00 00
KeyPub: F6 25 3E 00
Unknwn: 00 00 00 00
Hash: 52 9D 9A 51
6E DB 94 C8
47 5F 17 6E
50 0B 4E FA
06 17 4E 81
ExeInfo: 47 61 6D 65 2E 65 78 65 20 30 34 2F 30 39 2F 30 37 20 32 32 3A 31 35 3A 33 34 20 32 31 32 39 39 32 30
(Game.exe 04/09/07 22:15:34 2129920)
Owner: 53 6B 61 6C 62 6F 74
(Skalbot)
#14
Thanks! I will go after that :)

EDIT:

I now insert the checksum I get from the BNLS server. But I still get 0x200 back, including an IP ban.
The new packet log:

00A30908  FF 51 8B 00 9C D6 4B 00  ÿQ‹.œÖK.
00A30910  00 0B 00 01 0E A7 80 B6  . .§€¶
00A30918  02 00 00 00 00 00 00 00  .......
00A30920  10 00 00 00 06 00 00 00  ......
00A30928  4F B9 D6 00 00 00 00 00  O¹Ö.....
00A30930  9B FF 37 2D D5 55 AF AB  ›ÿ7-ÕU¯«
00A30938  1B 4C B4 FA F0 1C AF 96  L´úð¯–
00A30940  CD 1B EE 54 10 00 00 00  ÍîT...
00A30948  0A 00 00 00 F6 25 3E 00  ....ö%>.
00A30950  00 00 00 00 52 9D 9A 51  ....R?šQ
00A30958  6E DB 94 C8 47 5F 17 6E  nÛ"ÈG_n
00A30960  50 0B 4E FA 06 17 4E 81  P NúN?
00A30968  47 61 6D 65 2E 65 78 65  Game.exe
00A30970  20 30 34 2F 30 39 2F 30   04/09/0
00A30978  37 20 32 32 3A 31 35 3A  7 22:15:
00A30980  33 34 20 32 31 32 39 39  34 21299
00A30988  32 30 00 53 6B 61 6C 62  20.Skalb
00A30990  6F 74 00                 ot.

#15

00A308E8  FF 51 8B 00 00 00 00 00  ÿQ‹.....
00A308F0  00 0B 00 01 00 00 00 00  . .....
00A308F8  02 00 00 00 00 00 00 00  .......
00A30900  10 00 00 00 06 00 00 00  ......
00A30908  4F B9 D6 00 00 00 00 00  O¹Ö.....
00A30910  EF FA 31 A7 E5 53 62 CF  ïú1§åSbÏ
00A30918  D7 82 CC C2 FC 49 0B C2  ×,ÌÂüI Â
00A30920  CA 95 C8 34 10 00 00 00  Ê•È4...
00A30928  0A 00 00 00 F6 25 3E 00  ....ö%>.
00A30930  00 00 00 00 41 7B 36 0A  ....A{6.
00A30938  AC D6 60 7B CD 34 33 E0  ¬Ö`{Í43à
00A30940  FE 88 56 23 A1 85 99 47  þˆV#¡...™G
00A30948  47 61 6D 65 2E 65 78 65  Game.exe
00A30950  20 30 34 2F 30 39 2F 30   04/09/0
00A30958  37 20 32 32 3A 31 35 3A  7 22:15:
00A30960  33 34 20 32 31 32 39 39  34 21299
00A30968  32 30 00 53 6B 61 6C 62  20.Skalb
00A30970  6F 74 00                 ot.



I fished it out with OllyDbg.
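The hand-sorted breakdown in #13 and the 0x51 dumps in #10, #11, #14 and #15 all follow one layout: client token, EXE version, checksum, key count, spawn flag, then one 9-DWORD block per key (length, product, public value, unknown, five hash DWORDs, using the labels from #13), then the EXE info string and the owner string. The C parser below is an added example and not the poster's code, StealthBot's, or any official implementation; it decodes that layout from the bytes of the dump in #14 exactly as posted. Unlike the PACKET_* macros and the *(DWORD*)&data[n] casts in the posts above, every read is checked against the end of the buffer, the declared header length has to match the bytes actually held, a key count larger than the array is rejected, and a string whose terminator lies outside the buffer is an error rather than a read past the end. The names parse_auth_check, rd_t, auth_check_t and MAX_KEYS are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_KEYS 2   /* classic + expansion key; an assumption of this example */

/* One CD-key block, labelled as in post #13: length, product, public value,
   unknown, then five DWORDs of hash. */
typedef struct { uint32_t len, product, pub, unknown, hash[5]; } cdkey_t;

typedef struct {
    uint32_t client_token, exe_version, exe_checksum, key_count, spawn;
    cdkey_t  keys[MAX_KEYS];
    const char *exe_info, *owner;     /* point into the caller's buffer */
} auth_check_t;

/* Bounds-checked little-endian reader: once a read would run past the end,
   err is set and every later read returns 0 instead of touching memory. */
typedef struct { const uint8_t *p; size_t len, pos; int err; } rd_t;

static uint32_t rd_u32(rd_t *r) {
    if (r->err || r->len - r->pos < 4) { r->err = 1; return 0; }
    const uint8_t *b = r->p + r->pos;
    r->pos += 4;
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) | ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* NUL-terminated string; the terminator must lie inside the buffer. */
static const char *rd_str(rd_t *r) {
    if (r->err) return NULL;
    const uint8_t *nul = memchr(r->p + r->pos, 0, r->len - r->pos);
    if (!nul) { r->err = 1; return NULL; }
    const char *s = (const char *)(r->p + r->pos);
    r->pos = (size_t)(nul - r->p) + 1;
    return s;
}

/* Parse a complete 0x51 frame, header included. Returns 0 on success and -1 on
   any framing or bounds error; *out must not be trusted after -1. */
static int parse_auth_check(const uint8_t *buf, size_t len, auth_check_t *out) {
    if (len < 4 || buf[0] != 0xFF || buf[1] != 0x51) return -1;
    size_t flen = (size_t)buf[2] | ((size_t)buf[3] << 8);
    if (flen != len) return -1;                 /* declared length must match what we hold */
    rd_t r = { buf, len, 4, 0 };
    memset(out, 0, sizeof *out);
    out->client_token = rd_u32(&r);
    out->exe_version  = rd_u32(&r);
    out->exe_checksum = rd_u32(&r);
    out->key_count    = rd_u32(&r);
    out->spawn        = rd_u32(&r);
    if (r.err || out->key_count > MAX_KEYS) return -1;   /* never index past keys[] */
    for (uint32_t k = 0; k < out->key_count; k++) {
        cdkey_t *key = &out->keys[k];
        key->len = rd_u32(&r);  key->product = rd_u32(&r);
        key->pub = rd_u32(&r);  key->unknown = rd_u32(&r);
        for (int i = 0; i < 5; i++) key->hash[i] = rd_u32(&r);
    }
    out->exe_info = rd_str(&r);
    out->owner    = rd_str(&r);
    if (r.err || r.pos != len) return -1;       /* trailing bytes are an error too */
    return 0;
}

/* The 0x51 frame exactly as dumped in post #14 (139 bytes, 0x8B). */
static const uint8_t sample_0x51[] = {
    0xFF,0x51,0x8B,0x00,0x9C,0xD6,0x4B,0x00, 0x00,0x0B,0x00,0x01,0x0E,0xA7,0x80,0xB6,
    0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x10,0x00,0x00,0x00,0x06,0x00,0x00,0x00,
    0x4F,0xB9,0xD6,0x00,0x00,0x00,0x00,0x00, 0x9B,0xFF,0x37,0x2D,0xD5,0x55,0xAF,0xAB,
    0x1B,0x4C,0xB4,0xFA,0xF0,0x1C,0xAF,0x96, 0xCD,0x1B,0xEE,0x54,0x10,0x00,0x00,0x00,
    0x0A,0x00,0x00,0x00,0xF6,0x25,0x3E,0x00, 0x00,0x00,0x00,0x00,0x52,0x9D,0x9A,0x51,
    0x6E,0xDB,0x94,0xC8,0x47,0x5F,0x17,0x6E, 0x50,0x0B,0x4E,0xFA,0x06,0x17,0x4E,0x81,
    0x47,0x61,0x6D,0x65,0x2E,0x65,0x78,0x65, 0x20,0x30,0x34,0x2F,0x30,0x39,0x2F,0x30,
    0x37,0x20,0x32,0x32,0x3A,0x31,0x35,0x3A, 0x33,0x34,0x20,0x32,0x31,0x32,0x39,0x39,
    0x32,0x30,0x00,0x53,0x6B,0x61,0x6C,0x62, 0x6F,0x74,0x00,
};

static int demo_parse_sample(auth_check_t *out) {
    return parse_auth_check(sample_0x51, sizeof sample_0x51, out);
}

/* Keep only the first `cut` bytes and patch the header length to match, so that
   only the reader's own bounds checks stand between the parser and the end. */
static int demo_truncated(size_t cut) {
    uint8_t tmp[sizeof sample_0x51];
    auth_check_t a;
    if (cut < 4 || cut > sizeof tmp) return -1;
    memcpy(tmp, sample_0x51, cut);
    tmp[2] = (uint8_t)cut;
    tmp[3] = (uint8_t)(cut >> 8);
    return parse_auth_check(tmp, cut, &a);
}

int main(void) {
    auth_check_t a;
    if (demo_parse_sample(&a) != 0) { puts("parse failed"); return 1; }
    printf("client token 0x%08x, exe version 0x%08x, checksum 0x%08x, %u keys\n",
           a.client_token, a.exe_version, a.exe_checksum, a.key_count);
    for (uint32_t k = 0; k < a.key_count; k++)
        printf("key %u: product 0x%02x public 0x%08x\n", k + 1, a.keys[k].product, a.keys[k].pub);
    printf("exe info \"%s\", owner \"%s\"\n", a.exe_info, a.owner);
    printf("cut at 60 -> %d, cut at 130 -> %d\n", demo_truncated(60), demo_truncated(130));
    return 0;
}
```

The two demo_truncated calls cover the failure modes the posted code never checks for: a frame cut inside a key's DWORDs (60 bytes ends exactly after the first key) and one cut just before the EXE info terminator (byte 130 is the NUL), which a strcpy on the raw buffer would read straight past.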