NLS Stuff

Started by UserLoser., February 02, 2004, 07:13 PM


UserLoser.

Not doing any real research... but just how similar is the hashing for the NLS to the OLS?

In D2 v1.10's Bnclient.dll, in the sub for 0x51 & 0x53:

I renamed all the functions in the order I see them (NLSHashXX):

Edit: Look for the "*****"


.text:6FF086C0 loc_6FF086C0:                           ; CODE XREF: sub_6FF01C70+25j
.text:6FF086C0                 sub     esp, 320h
.text:6FF086C6                 mov     dword_6FF1DA50, 0
.text:6FF086D0                 push    esi
.text:6FF086D1                 push    edi
.text:6FF086D2                 mov     esi, ecx
.text:6FF086D4                 push    100h
.text:6FF086D9                 push    esi
.text:6FF086DA                 push    offset unk_6FF1D950
.text:6FF086DF                 mov     edi, edx
.text:6FF086E1                 call    Storm_501
.text:6FF086E6                 push    0BCh
.text:6FF086EB                 push    offset unk_6FF1DA58
.text:6FF086F0                 call    Storm_494
.text:6FF086F5                 lea     eax, [esp+8]
.text:6FF086F9                 push    100h
.text:6FF086FE                 push    esi
.text:6FF086FF                 push    eax
.text:6FF08700                 call    Storm_501
.text:6FF08705                 lea     ecx, [esp+8]
.text:6FF08709                 push    ecx
.text:6FF0870A                 call    Storm_510
.text:6FF0870F                 lea     edx, [esp+108h]
.text:6FF08716                 push    100h
.text:6FF0871B                 push    edi
.text:6FF0871C                 push    edx
.text:6FF0871D                 call    Storm_501
.text:6FF08722                 lea     eax, [esp+108h]
.text:6FF08729                 push    eax
.text:6FF0872A                 call    Storm_510
.text:6FF0872F                 lea     ecx, [esp+108h]
.text:6FF08736                 lea     edx, [esp+8]
.text:6FF0873A                 push    ecx
.text:6FF0873B                 push    edx
.text:6FF0873C                 push    offset unk_6FF1DA58
.text:6FF08741                 mov     ecx, offset unk_6FF1D948
.text:6FF08746                 call    NLSHash         ; Seen in 0x55 also *****
.text:6FF0874B                 lea     eax, [esp+208h]
.text:6FF08752                 push    20h
.text:6FF08754                 push    offset unk_6FF1DAB8
.text:6FF08759                 push    eax
.text:6FF0875A                 call    Storm_491
.text:6FF0875F                 lea     ecx, [esp+228h]
.text:6FF08766                 push    100h
.text:6FF0876B                 push    esi
.text:6FF0876C                 push    ecx
.text:6FF0876D                 call    Storm_501
.text:6FF08772                 add     eax, 21h
.text:6FF08775                 lea     edx, [esp+208h]
.text:6FF0877C                 push    eax
.text:6FF0877D                 mov     cl, 53h         ; SID_AUTH_ACCOUNTLOGON
.text:6FF0877F                 call    SendPacket





.text:6FF13D70 NLSHash         proc near               ; CODE XREF: .text:6FF08746p
.text:6FF13D70                                         ; Send0x55+BEp
.text:6FF13D70
.text:6FF13D70 arg_0           = dword ptr  4
.text:6FF13D70 arg_4           = dword ptr  8
.text:6FF13D70
.text:6FF13D70                 mov     eax, [esp+arg_4]
.text:6FF13D74                 push    ebx
.text:6FF13D75                 push    ebp
.text:6FF13D76                 push    esi
.text:6FF13D77                 mov     esi, [esp+0Ch+arg_0]
.text:6FF13D7B                 push    edi
.text:6FF13D7C                 push    7FFFFFFFh
.text:6FF13D81                 push    eax
.text:6FF13D82                 push    esi
.text:6FF13D83                 mov     ebx, ecx
.text:6FF13D85                 call    Storm_501
.text:6FF13D8A                 mov     ecx, [esp+1Ch]
.text:6FF13D8E                 push    7FFFFFFFh
.text:6FF13D93                 lea     edx, [esi+20h]
.text:6FF13D96                 push    ecx
.text:6FF13D97                 push    edx
.text:6FF13D98                 call    Storm_501
.text:6FF13D9D                 lea     edi, [esi+40h]
.text:6FF13DA0                 push    20h
.text:6FF13DA2                 push    edi
.text:6FF13DA3                 mov     ecx, ebx
.text:6FF13DA5                 call    NLSHash2 *****
.text:6FF13DAA                 mov     edx, 20h
.text:6FF13DAF                 mov     ecx, edi
.text:6FF13DB1                 call    NLSHash9
.text:6FF13DB6                 xor     ecx, ecx
.text:6FF13DB8                 mov     ebp, eax
.text:6FF13DBA                 call    sub_6FF158C0
.text:6FF13DBF                 mov     ebx, [ebx]
.text:6FF13DC1                 mov     edi, eax
.text:6FF13DC3                 mov     ecx, edi
.text:6FF13DC5                 mov     eax, [ebx+8]
.text:6FF13DC8                 mov     edx, [ebx+4]
.text:6FF13DCB                 push    eax
.text:6FF13DCC                 push    ebp
.text:6FF13DCD                 call    NLSHash10
.text:6FF13DD2                 mov     ecx, ebp
.text:6FF13DD4                 call    NLSHash6
.text:6FF13DD9                 push    20h
.text:6FF13DDB                 lea     edx, [esi+60h]
.text:6FF13DDE                 mov     ecx, edi
.text:6FF13DE0                 call    NLSHash5
.text:6FF13DE5                 mov     ecx, edi
.text:6FF13DE7                 call    NLSHash6
.text:6FF13DEC                 pop     edi
.text:6FF13DED                 pop     esi
.text:6FF13DEE                 pop     ebp
.text:6FF13DEF                 pop     ebx
.text:6FF13DF0                 retn    0Ch
.text:6FF13DF0 NLSHash         endp ; sp = -18h


In NLSHash2, which is the one that looks very, very familiar...

About halfway down in NLSHash2:


.text:6FF13748                 call    SetHashTable


Hmm, where have we all seen these?


.text:6FF13F70 SetHashTable    proc near               ; CODE XREF: .text:6FF136B0p
.text:6FF13F70                                         ; NLSHash2+48p ...
.text:6FF13F70                 xor     eax, eax
.text:6FF13F72                 mov     dword ptr [ecx], 67452301h
.text:6FF13F78                 mov     dword ptr [ecx+4], 0EFCDAB89h
.text:6FF13F7F                 mov     dword ptr [ecx+8], 98BADCFEh
.text:6FF13F86                 mov     dword ptr [ecx+0Ch], 10325476h
.text:6FF13F8D                 mov     dword ptr [ecx+10h], 0C3D2E1F0h
.text:6FF13F94                 mov     [ecx+18h], eax
.text:6FF13F97                 mov     [ecx+14h], eax
.text:6FF13F9A                 retn
.text:6FF13F9A SetHashTable    endp



These are seen in the hashing function located at: .text:6FF14060...

NLSHash11 - Largest function where those 5 values are found, can be found here (way too long to post) and what looks like a few new ones: Here...

0x52 = an XXSHA-1? :P (Shown in link)
0x53 = an XXSHA-1? :P (Shown in link)
0x54 = Hell if I know
0x55 = an XXSHA-1? :P (Shown in link)
0x56 = Hell if I know
0x57 = No hashing? (Empty packet)
0x58 = XSHA-1? (current hash function)
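Fingerprinting a hash by the constants its init routine stores, as SetHashTable does above: an added example (not from the post or from Bnclient.dll) that parses IDA-style store lines and matches the constants against known initial values; it also tells MD5 (first four words) from SHA-1 (fifth word) and SHA-256, and reports which context offsets hold state and which were zeroed. The sample listing is the SetHashTable body copied from the post; the regexes assume IDA's `mov dword ptr [reg+off], immh` spelling.

```python
import re
# Initial-state words of common hash functions (first word first).
# MD5 and SHA-1 share the first four words; SHA-1 adds a fifth.
KNOWN_IVS = {
    "MD5":     [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476],
    "SHA-1":   [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0],
    "SHA-256": [0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
                0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19],
}

# IDA-style immediate dword store, e.g. "mov dword ptr [ecx+0Ch], 10325476h"
IMM_STORE = re.compile(r"mov\s+dword ptr \[(\w+)(?:\+([0-9A-Fa-f]+)h?)?\],\s*([0-9A-Fa-f]+)h", re.I)
# Register store, e.g. "mov [ecx+18h], eax"; counted as a zeroed field only
# if that register was cleared earlier by "xor reg, reg".
REG_STORE = re.compile(r"mov\s+\[(\w+)\+([0-9A-Fa-f]+)h?\],\s*(\w+)", re.I)
ZERO_REG = re.compile(r"xor\s+(\w+),\s*\1")

def parse_init(listing):
    """Return ([(offset, constant), ...], [zeroed offsets]) from a context-init routine."""
    consts, zeroed, zero_regs = [], [], set()
    for line in listing.splitlines():
        if m := ZERO_REG.search(line):
            zero_regs.add(m.group(1))
        elif m := IMM_STORE.search(line):
            consts.append((int(m.group(2) or "0", 16), int(m.group(3), 16)))
        elif (m := REG_STORE.search(line)) and m.group(3) in zero_regs:
            zeroed.append(int(m.group(2), 16))
    return sorted(consts), sorted(zeroed)

def identify_hash(listing):
    """Match the stored constants against known IVs, preferring the longest match."""
    consts, zeroed = parse_init(listing)
    words = [v for _, v in consts]
    family = None
    for name, iv in KNOWN_IVS.items():
        if words[:len(iv)] == iv and (family is None or len(iv) > len(KNOWN_IVS[family])):
            family = name
    return {"family": family, "state_offsets": [o for o, _ in consts], "zeroed": zeroed}

# Copied from the SetHashTable listing in the post above.
SET_HASH_TABLE = """
.text:6FF13F70                 xor     eax, eax
.text:6FF13F72                 mov     dword ptr [ecx], 67452301h
.text:6FF13F78                 mov     dword ptr [ecx+4], 0EFCDAB89h
.text:6FF13F7F                 mov     dword ptr [ecx+8], 98BADCFEh
.text:6FF13F86                 mov     dword ptr [ecx+0Ch], 10325476h
.text:6FF13F8D                 mov     dword ptr [ecx+10h], 0C3D2E1F0h
.text:6FF13F94                 mov     [ecx+18h], eax
.text:6FF13F97                 mov     [ecx+14h], eax
"""
```

Running identify_hash(SET_HASH_TABLE) reports the SHA-1 family with the five state words at offsets 0 to 0x10 and two zeroed dwords at 0x14 and 0x18, which is the usual layout of a SHA-1 context (state followed by length counters).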

Yoni


UserLoser.

#2
Quote from: dRAgoN on February 03, 2004, 12:16 AM
Neat and very large 8\
btw shouldn't this be on the ASM board?

Edit: Link was down.

No, I don't think this should be in the ASM board because this is one of the few topics that has never been covered, has to do with bots & development, doesn't have to do with CSB, or topics that have been covered many times...

Link was down last night because I was testing a new ISAPI DLL on my webserver.. If I wanted to unload the DLL I'd have to shut it down/restart it..

l)ragon

#3
Quote from: UserLoser. on February 04, 2004, 10:55 AM
Quote from: dRAgoN on February 03, 2004, 08:09 PM
Quote from: UserLoser. on February 03, 2004, 10:34 AM

No, I don't think this should be in the ASM board because this is one of the few topics that has never been covered, has to do with bots & development, doesn't have to do with CSB, or topics that have been covered many times...

Link was down last night because I was testing a new ISAPI DLL on my webserver.. If I wanted to unload the DLL I'd have to shut it down/restart it..

True, but you stated that you weren't doing any real research on it.

And you're not contributing anything here, or in any other threads here, so just take your mouth elsewhere.

Edit: If you care that much, me and a friend are looking into it
Really lol, and if that's regarding the d2-ingame packet thread sure, perhaps if a spot wasn't restricted on bnetdocs maybe I would actually contribute to it, but some of us don't have access to that, therefore won't contribute to it, also if you don't like someone pointing out little things then, before posting crap that will annoy that someone maybe you should read what that someone has posted and figure out why they posted it.
Anyways I think I'm done typing more to this, seeing as it turned into a random bitching comment.
*^~·.,¸¸,.·´¯`·.,¸¸,.-·~^*ˆ¨¯¯¨ˆ*^~·.,l)ragon,.-·~^*ˆ¨¯¯¨ˆ*^~·.,¸¸,.·´¯`·.,¸¸,.-·~^*

UserLoser.

#4
Quote from: dRAgoN on February 03, 2004, 08:09 PM
Quote from: UserLoser. on February 03, 2004, 10:34 AM

No, I don't think this should be in the ASM board because this is one of the few topics that has never been covered, has to do with bots & development, doesn't have to do with CSB, or topics that have been covered many times...

Link was down last night because I was testing a new ISAPI DLL on my webserver.. If I wanted to unload the DLL I'd have to shut it down/restart it..

True, but you stated that you weren't doing any real research on it.

And you're not contributing anything here, or in any other threads here, so just take your mouth elsewhere.

Edit: If you care that much, me and a friend are looking into it

Arthas

THAT is the kind of code that makes me think long drops with solid bottoms are an option to escape hashing.

Yikes. *Wishes he knew ASM*