SID_AUTH_INFO Signature

Started by PunK, May 25, 2009, 03:24 PM


PunK

I'm looking for some information on the 0x50 128-bit signature that battle.net includes at the end of the packet. I've done countless hours of trying to find documentation on this, but have found close to none. I talked this over with brew and we came to the conclusion that the signature is generated by the server's IP address in conjunction with powmod.

I'm relatively new to encryption so right now I'm stuck at a brick wall. I'm trying to write a gateway (in C or VB6, haven't decided yet) for Warcraft III. Unfortunately, in order to do this, I have to update the signature battle.net sends to the client; otherwise, the Warcraft III client will pop an error informing me that the server I am trying to connect to doesn't appear to be a battle.net server.

So, ultimately, I need a way to generate the 128-bit signature.

Hdx

The Server signature uses RSA? [It's been a while] Anyways, it uses a 128-bit private key that only the server knows to generate the signature. It's practically impossible to generate your own signature. IIRC things like PVPGN use a modified version of WC3's files to remove the sig check.

Proud host of the JBLS server www.JBLS.org.

brew

As I stated over AIM, it's just impossible. Stop trying unless you have a cluster of 4000 supercomputers. Finding the socket descriptor is a much better way to go about everything.
Question to people who might know: battle.snp seems to have anything related to wc3 logon, but it's not at all included in the Warcraft 3 client's binaries. game.dll is responsible for battle.net logon, yes? That's the conclusion I came to. But look at that file, it's honkin'. Takes me 2 hours to disassemble and analyze in IDA. What's worse is that from what I was able to tell in 5 minutes of analysis, the socket descriptor is stored in some large-ish dynamically allocated struct, and it's just so huge the filesize itself is extremely discouraging. Crap.

l2k-Shadow

Wouldn't a much easier way be to memory tweak the war3 binary into jumping over this check?

Hdx

Yes, that would be an easier way. Which is how pvpgn does it.
What someone needs to do is find out exactly where this check is. Then it's a simple return true;


brew

Hey chris, I found something for you...

6F6A0C50h

enjoy :-D!


islanti

Quote
Public Function checkServerSignature(sig As String, ip As String) As Boolean
    Dim I As Integer, Ret As Boolean
    Dim K() As Byte: Let K = Array(0, 1, 1, 0)
    Dim N() As Byte: Let N = Array(&HD5, &HA3, &HD6, &HAB, &HF, &HD, &HC5, &HF, &HC3, &HFA, &H6E, &H78, &H9D, &HB, &HE3, &H32, &HB0, &HFA, &H20, &HE8, &H42, &H19, &HB4, &HA1, &H3A, &H3B, &HCD, &HE, &H8F, &HB5, &H56, &HB5, &HDC, &HE5, &HC1, &HFC, &H2D, &HBA, &H56, &H35, &H29, &HF, &H48, &HB, &H15, &H5A, &H39, &HFC, &H88, &H7, &H43, &H9E, &HCB, &HF3, &HB8, &H73, &HC9, &HE1, &H77, &HD5, &HA1, &H6, &HA6, &H20, &HD0, &H82, &HC5, &H2D, &H4D, &HD3, &H25, &HF4, &HFD, &H26, &HFC, &HE4, &HC2, &H0, &HDD, &H98, &H2A, &HF4, &H3D, &H5E, &H8, &H8A, &HD3, &H20, &H41, &H84, &H32, &H69, &H8E, &H8A, &H34, &H76, &HEA, &H16, &H8E, &H66, &H40, &HD9, &H32, &HB0, &H2D, &HF5, &HBD, &HE7, &H57, &H51, &H78, &H96, &HC2, &HED, &H40, &H41, &HCC, &H54, &H9D, &HFD, &HB6, &H8D, &HC2, &HBA, &H7F, &H69, &H8D, &HCF)
   
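    'Do the calculation: Result = sig ^ K mod N, all values little-endian.
    'This step is written in Java in the post; VB6 has no built-in
    'big-integer type, so an equivalent modPow routine has to be supplied:
    '  byte[] result = new BigIntegerEx(BigIntegerEx.LITTLE_ENDIAN, sig).modPow(key, mod).toByteArray();
    Dim Result() As Byte 'to be filled by that routine
   
    'Expected plaintext: the 4 address bytes followed by &HBB padding
    Dim CorrectResult As String: CorrectResult = String(UBound(Result) + 1, Chr(&HBB))
    CorrectResult = ip & Mid(CorrectResult, 5)
       
    Ret = True
    For I = 0 To UBound(Result)
        If Result(I) <> Asc(Mid(CorrectResult, I + 1, 1)) Then
            Ret = False
        End If
    Next I
    checkServerSignature = Ret 'return the result to the caller
End Function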
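
Added example (not part of the thread and not code from any poster or from Battle.net): the check in the quoted function above, written out in Python so the public-key step and the comparison can be run. It assumes a public exponent of 65537 and that the four address bytes are in network order; the demo key is constructed here from known Mersenne primes so the example runs offline, and is not the modulus quoted in the thread.

```python
import ipaddress
from math import lcm

SIG_LEN = 128   # bytes in the signature and in the modulus (little-endian)
PAD = 0xBB      # filler byte the quoted code expects after the address
E = 65537       # assumption: standard RSA public exponent

def expected_block(ip: str) -> bytes:
    """4 address bytes (network order assumed) followed by 0xBB padding."""
    return ipaddress.IPv4Address(ip).packed + bytes([PAD]) * (SIG_LEN - 4)

def check_server_signature(sig: bytes, ip: str, n: int, e: int = E) -> bool:
    """Public-key operation sig^e mod n, then compare with the expected block."""
    if len(sig) != SIG_LEN:
        return False
    s = int.from_bytes(sig, "little")
    if s >= n:                      # not a valid residue; reject before pow()
        return False
    recovered = pow(s, e, n).to_bytes(SIG_LEN, "little")
    return recovered == expected_block(ip)

# --- constructed demo key, NOT the key from the thread -----------------------
# Product of known Mersenne primes 2^k - 1: trivially factorable, demo only.
DEMO_PRIMES = [2**k - 1 for k in (607, 127, 107, 89, 61, 31, 2)]
DEMO_N = 1
for p in DEMO_PRIMES:
    DEMO_N *= p
# Private exponent: inverse of E modulo lcm(p - 1) over all prime factors.
DEMO_D = pow(E, -1, lcm(*(p - 1 for p in DEMO_PRIMES)))

def demo_sign(ip: str) -> bytes:
    """What the holder of the private exponent does: expected_block^d mod n."""
    m = int.from_bytes(expected_block(ip), "little")
    return pow(m, DEMO_D, DEMO_N).to_bytes(SIG_LEN, "little")

if __name__ == "__main__":
    sig = demo_sign("192.0.2.10")                       # constructed address
    print(check_server_signature(sig, "192.0.2.10", DEMO_N))
    print(check_server_signature(sig, "192.0.2.99", DEMO_N))
```

Because the address is part of the signed block, a signature issued for one address fails the check when presented from another, which is why only the holder of the private exponent can produce a signature the client accepts.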