
Lockdown Checkrevisions

Started by Ante, February 04, 2007, 04:57 PM


Barabajagal

ok, now you're confusing me... Are you talking about the new lockdown values and old lockdown values, or the lockdown system and the ver system?

Hell-Lord

I think he's talking about the new lockdown values.

Joe[x86]

Is it just me or do not all of you understand that the MPQs are sent to the client by random, and Blizzard is able to change anything about it at any time? :-\
Quote from: brew on April 25, 2007, 07:33 PM
that made me feel like a total idiot. this entire thing was useless.

Barabajagal

There are patterns to it, though. For instance, clients that don't use the SID_AUTH_* system have very easily visible patterns. Each server uses the same MPQ and request for about half an hour. Originally, there were about 2000 used values for SID_AUTH_* connections, but that number has risen to an unknown size. Since there are around 15^256+16^256+17^256 possible requests per MPQ per client, the list could be very large indeed. But they DO have some method to their madness. It's not random (yet).

Smarter

This all amazes me... the amount of time we put into figuring this all out, is just crazy. But I have a question, probably stupid, but I'm curious, you said BNLS always returns a value for what you send it (duh), but by sending it a value, and checking its response, with enough before and after values, couldn't you calculate the method used to generate the values? Thus finding out BNLS's method? Also, I believe we need to start a big DOC site, like BNETDocs, and call it CRevDocs ;) And put all confirmed and unconfirmed information in a clean easy to read setup, so our minds may all converse together.
Since '99

BrutalNet.Net

Barabajagal

I've tried looking for a pattern. I don't see one.

Joe[x86]

lol, if you want to know the method BNLS uses, just ask Skywing. He's not going to take kindly to you bruteforcing his server to find out how it works.

Barabajagal

I'm not bruteforcing his server. I just made a program that requests any values you give it. Ended up with a rather large list of values that don't really exist... 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01... etc...

Ringo

#23
Quote from: Ante on February 04, 2007, 04:57 PM
several weeks ago i found that there are only about 2000 different checksum formulas sent by the server. for some reason, they decided not to make it fully random.

about a week after i found that out, they increased it to about 50k-100k different checksum formulas sent by the server. it is still limited.

If they coulda done this in the first place, could someone who's got a good idea of the lockdown mpqs explain why they originally only stayed with 2000 checksum formulas?

and wouldn't it be more efficient if they made it took advantage of all values possible? (10^20-50s)

what do you think is limiting blizzard's checksum formulas?
Well, the lists were 1000 per client but they upped SC/BW lists to the same size as W3ROC and W3TFT (20k per client)

WAR3 -> 20000
W3XP -> 20000
D2DV -> 1000
D2XP -> 1000
STAR -> 20000
SEXP -> 20000
JSTR -> 1000
SSHR -> 1000
W2BN -> 1000
DSHR -> 1000
DRTL -> 1000

In order to make it random, Blizzard would have to do a lot of modifications to battle.net.
At the end of the day, it's in place for checking a client's version, little if anything else :)
Hope that helps.

warz

It'd be quicker to just implement your own version of checkrevision. It'd also work 100% of the time.

brew

#25
Quote from: Smarter on February 06, 2007, 12:53 AM
This all amazes me... the amount of time we put into figuring this all out, is just crazy. But I have a question, probably stupid, but I'm curious, you said BNLS always returns a value for what you send it (duh), but by sending it a value, and checking its response, with enough before and after values, couldn't you calculate the method used to generate the values? Thus finding out BNLS's method? Also, I believe we need to start a big DOC site, like BNETDocs, and call it CRevDocs ;) And put all confirmed and unconfirmed information in a clean easy to read setup, so our minds may all converse together.
Don't people understand why you shouldn't brute force? Also, since the checksum is actually a message digest it's very doubtful you will find a pattern. See here for example, how one message can vary a great deal by even a single byte being changed.
@Ripple, Sorry for confusing you. I was talking about the new checkrevision formulas. And haha, Joe you gotta understand having the blizzard servers calculating thousands of checkrevision hashes per minute (they would have to create the checksum formula and compare the checksum on the fly) would be processor intensive. And while handling all other BNCS packets, at the same time.
<3 Zorm
Quote[01:08:05 AM] <@Zorm> haha, me get pussy? don't kid yourself quik
Scio te esse, sed quid sumne? :P

Ante

#26
Quote from: Ringo on February 06, 2007, 09:55 AM
Quote from: Ante on February 04, 2007, 04:57 PM
several weeks ago i found that there are only about 2000 different checksum formulas sent by the server. for some reason, they decided not to make it fully random.

about a week after i found that out, they increased it to about 50k-100k different checksum formulas sent by the server. it is still limited.

If they coulda done this in the first place, could someone who's got a good idea of the lockdown mpqs explain why they originally only stayed with 2000 checksum formulas?

and wouldn't it be more efficient if they made it took advantage of all values possible? (10^20-50s)

what do you think is limiting blizzard's checksum formulas?
Well, the lists were 1000 per client but they upped SC/BW lists to the same size as W3ROC and W3TFT (20k per client)

WAR3 -> 20000
W3XP -> 20000
D2DV -> 1000
D2XP -> 1000
STAR -> 20000
SEXP -> 20000
JSTR -> 1000
SSHR -> 1000
W2BN -> 1000
DSHR -> 1000
DRTL -> 1000

In order to make it random, Blizzard would have to do a lot of modifications to battle.net.
At the end of the day, it's in place for checking a client's version, little if anything else :)
Hope that helps.
why do you think bnet didn't make it totally randomly generated when they implemented the lockdown checkrevision? why do you think they limited the values to 1000 or 20000?


Quote from: warz on February 05, 2007, 01:28 PM
hdx is right. the algorithm used by checkrevision skips through the main game files as loaded into the address space, adding segments of data to the SHA1 information. this is a hefty process to do every time a user logs into battlenet. i think ive already told you this - caching this information is nothing new. battlenet has been doing this for a while. you're not onto something, you're just running in circles. but, from a client perspective, it's fine to run through the selective memory hashing routines once every connection, since it's only being performed once.
what does this have to do with caching information?
Efficiency is the Key to Productivity, and
Productivity is the Key to Success.

brew

Quote
why do you think bnet didn't make it totally randomly generated when they implemented the lockdown checkrevision? why do you think they limited the values to 1000 or 20000?
Because, like warz said. It's processor intensive and basically a waste of time :/ It's easier to make a hash table, which has everything in the world to do with caching information, and compare the expected checksum to the client's result.

warz

Quote from: Ante on February 07, 2007, 03:50 PM
why do you think bnet didn't make it totally randomly generated when they implemented the lockdown checkrevision? why do you think they limited the values to 1000 or 20000?


what does this have to do with caching information?

come on man, put two and two together.
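
The trade-off warz and brew describe above (hash selected segments of the game file once, cache the expected result, then only look it up at login), sketched as an added example that is not part of the original thread and is not Blizzard's or BNLS's code. The file contents, seed derivation, segment count and all function names are assumptions made for illustration; the real Lockdown algorithm is not reproduced.

```python
import hashlib
import hmac
import random

# Constructed stand-in for a game binary (not real game data).
GAME_FILE = bytes((i * 31 + 7) % 256 for i in range(4096))
SEGMENTS, SEG_LEN = 16, 64  # assumed values, chosen for the demo


def segment_offsets(seed: bytes, size: int) -> list:
    """Offsets of the segments a given challenge seed selects."""
    rng = random.Random(seed)  # deterministic per seed
    return [rng.randrange(size - SEG_LEN) for _ in range(SEGMENTS)]


def selective_digest(image: bytes, seed: bytes) -> bytes:
    """SHA-1 over the seed plus the selected segments of the image."""
    h = hashlib.sha1(seed)
    for off in segment_offsets(seed, len(image)):
        h.update(image[off:off + SEG_LEN])
    return h.digest()


def build_table(image: bytes, count: int) -> dict:
    """Run once per client version: challenge seed -> expected digest."""
    seeds = (hashlib.sha1(b"challenge-%d" % i).digest()[:16] for i in range(count))
    return {s: selective_digest(image, s) for s in seeds}


def verify(table: dict, seed: bytes, response: bytes) -> bool:
    """Per login: one lookup and a constant-time compare, no hashing."""
    expected = table.get(seed)
    return expected is not None and hmac.compare_digest(expected, response)


def bit_difference(a: bytes, b: bytes) -> int:
    """Number of differing bits between two digests."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


if __name__ == "__main__":
    table = build_table(GAME_FILE, 1000)  # list size quoted in the thread
    seed = next(iter(table))
    patched = bytearray(GAME_FILE)
    patched[segment_offsets(seed, len(patched))[0]] ^= 0x01  # one-bit change
    good = selective_digest(GAME_FILE, seed)
    bad = selective_digest(bytes(patched), seed)
    print(verify(table, seed, good), verify(table, seed, bad), bit_difference(good, bad))
```

The one-bit change is placed inside a segment the seed selects; a change outside every selected segment leaves that challenge's digest unchanged, which is why the server draws from many challenges rather than one.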