Valhalla Legends Archive

3RAW / PX3W / MD3W Packet Logs

Started by Ringo, May 30, 2005, 08:28 AM


Ringo

Hm, would anyone care to explain how to load this BnFTPv2?
I'm finding myself having to read through the file for clues :(
I can see commands like: bnftp -g SEXP -p IX86 useast.battle.net SEXP_IX86_1xx_111b.mpq
but how do I load it from the command line? (Sorry if this is a stupid question.)

Thanks again

Arta

Go to Start->Run, type cmd, press Enter. Use the cd command to change the directory to wherever you have put bnftp.exe, for example: cd c:\bnftp\. Type bnftp -h for help using the program. You'll probably want to do something like bnftp -2 -g WAR3 -p IX86 <Warcraft III cd key> useast.battle.net icons_WAR3.bni.

Ringo

Thanks, I was able to download a txt file, but it is impossible for me to packet log it...

I can't really carry on with my bot until I have this packet, unless I remove the whole 3RAW and PX3W clients altogether.
The things I'm going to add inline will leave no room for me to come back and do this at a later date, and I can't keep kidding myself that someone on this forum is going to send me a packet log of it.
This packet must be like trying to get hold of rocking horse shit or something (non-existent), or not many people around here can use a packet logger or something..

But thank you to Arta, Soul and Lord, as between the three of you, you have said more than everything I need to know to do this. But I'm still short of the most basic thing needed to do it (the packet log).

I guess I could have added this yesterday if I had the log, but I'm probably going to have to get rid of the whole client tomorrow. Oh well.


[edit]
I was just looking through some FTP version 1 packet logs when I noticed I got the log from StarCraft Shareware ages ago. Then it struck me: even though the WarCraft III demo is a few years old, it should still use the same FTP protocol and should still need to download the ToS. (So I reinstalled the demo.)


Send 
14 00 00 02 36 38 58 49 4D 44 33 57 00 00 00 00    ....68XIMD3W....
00 00 00 00                                        ....

Send 
00 00 00 00 00 69 13 B8 F3 59 C2 01 AE 63 3E 00    .....i...Y...c>.
00 00 00 00 4B 09 00 00 FB 98 1C 02 00 00 00 00    ....K...........
70 A0 C1 02 A5 15 C6 A7 FA 9D F5 14 4C D6 74 B0    p...........L.t.
3A 8F 61 4C 74 65 72 6D 73 6F 66 73 65 72 76 69    :.aLtermsofservi
63 65 2D 65 6E 55 53 2E 74 78 74 00                ce-enUS.txt.


Although the demo doesn't need a CD key, I should be able to pull something out of this based on what has been said already in this topic.
This should give me something to do tomorrow. Thanks again.

Ringo

Hm, this is strange, because this morning I wrote the packets for FTP version 2 and downloaded a file on the first try.
But that wasn't what I found strange:


[08:39:22] Sent
02                                                 .
[08:39:22] Sent 
14 00 00 02 36 38 58 49 4D 44 33 57 00 00 00 00    ....68XIMD3W....
00 00 00 00                                        ....
[08:39:22] Sent
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00 00 00 00 74 65 72 6D 73 6F 66 73 65 72 76 69    ....termsofservi
63 65 2D 65 6E 55 53 2E 74 78 74 00                ce-enUS.txt.
[08:39:22] Uncollected
66 FD F8 45                                        f..E
[08:39:23] Uncollected
30 00 00 00 F1 48 00 00 00 00 00 00 00 00 00 00    0....H..........
00 69 13 B8 F3 59 C2 01 74 65 72 6D 73 6F 66 73    .i...Y..termsofs
65 72 76 69 63 65 2D 65 6E 55 53 2E 74 78 74 00    ervice-enUS.txt.
42 61 74 74 6C 65 2E 6E 65 74 20 54 65 72 6D 73    Battle.net Terms
20 6F 66 20 55 73 65 20 41 67 72 65 65 6D 65 6E     of Use Agreemen
...until it ended.


I tried changing the client DWORD to that of 3RAW and the server closed the connection.
The W3 shareware seems to generate a 20-bit hash though, and it varies every logon (a lot), as do a few other values.

The shareware client looks like it can basically log the whole way onto the west Battle.net server in this null-to-server-side fashion (but stops where a client would normally send logon proof).
I'm yet to write a W3 shareware logon though, but I might add it into my bot anyway (after all, it's a semi Battle.net client and it supports the game protocol).
I think it would also be worth doing just to see if Blizzard have put a block on chat registration (0x0A); knowing Blizzard, probably not..

I will carry on adding the hashing to the packet and try to download the file on 3RAW or PX3W, but I think this W3 shareware might be worth taking a look into.
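The two captures above (the 20-byte BnFTP v2 handshake that follows the 0x02 protocol byte, the 52-byte file request ending in the filename, and the server's 4-byte token followed by a 48-byte file header) can be packed and unpacked with a few struct layouts. This is an added example, not code from the thread or from bnftp.exe. The sample bytes are copied from the logs in the previous post and this one. The field names after the local file time in the request (client token, key length, key product and public values, CD key hash) follow the BnFTP v2 layout as I remember it from BnetDocs and are an assumption; only the offsets that can be read straight off the captures (header length, platform and product IDs, file time, file size, filename) come from the page.

```python
"""BnFTP v2 framing, rebuilt from the captures in the posts above (added example)."""
import struct
from datetime import datetime, timedelta, timezone

# Layouts. Names after the file time in REQUEST_FMT are an assumption (BnetDocs from memory).
HANDSHAKE_FMT = "<HH4s4sII"   # header length, protocol version, platform, product, banner id, banner ext
REQUEST_FMT = "<IQIIIII20s"   # resume position, local file time, client token, key length,
                              # key product value, key public value, unknown (0), CD key hash
RESPONSE_FMT = "<IIIIQ"       # header length, file size, banner id, banner ext, server file time

# Sample input copied from the demo-client logs above (constructed here, not live traffic).
HANDSHAKE = bytes.fromhex("14000002" "36385849" "4d443357" "00000000" "00000000")
DEMO_REQUEST = bytes(52) + b"termsofservice-enUS.txt\x00"
KEYED_REQUEST = bytes.fromhex(
    "00000000" "006913b8f359c201" "ae633e00" "00000000" "4b090000" "fb981c02" "00000000"
    "70a0c102a515c6a7fa9df5144cd674b03a8f614c") + b"termsofservice-enUS.txt\x00"
SERVER_TOKEN = bytes.fromhex("66fdf845")
RESPONSE = (bytes.fromhex("30000000" "f1480000" "00000000" "00000000" "006913b8f359c201")
            + b"termsofservice-enUS.txt\x00" + b"Battle.net Terms of Use Agreemen")


def fourcc(raw: bytes) -> str:
    """IDs are little-endian DWORDs, so b'MD3W' on the wire reads W3DM."""
    return raw[::-1].decode("ascii")


def fourcc_bytes(text: str) -> bytes:
    return text.encode("ascii")[::-1]


def cstring(buf: bytes, off: int):
    """Read a NUL-terminated ASCII string; returns (text, offset past the NUL)."""
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("ascii"), end + 1


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def build_handshake(platform="IX86", product="W3DM", banner_id=0, banner_ext=0) -> bytes:
    """First client message; the client writes the single byte 0x02 before it."""
    return struct.pack(HANDSHAKE_FMT, struct.calcsize(HANDSHAKE_FMT), 0x0200,
                       fourcc_bytes(platform), fourcc_bytes(product), banner_id, banner_ext)


def parse_handshake(buf: bytes) -> dict:
    hlen, ver, plat, prod, bid, bext = struct.unpack_from(HANDSHAKE_FMT, buf)
    return {"header_len": hlen, "protocol_version": ver, "platform": fourcc(plat),
            "product": fourcc(prod), "banner_id": bid, "banner_ext": bext}


def build_file_request(filename, resume=0, filetime=0, client_token=0, key_len=0,
                       key_product=0, key_public=0, key_hash=bytes(20)) -> bytes:
    """Second client message, sent after the server's 4-byte token. All-zero fields
    reproduce the demo client's request; a CD-keyed client fills the key fields."""
    return (struct.pack(REQUEST_FMT, resume, filetime, client_token, key_len,
                        key_product, key_public, 0, key_hash)
            + filename.encode("ascii") + b"\x00")


def parse_file_request(buf: bytes) -> dict:
    fields = struct.unpack_from(REQUEST_FMT, buf)
    name, _ = cstring(buf, struct.calcsize(REQUEST_FMT))
    keys = ["resume", "filetime", "client_token", "key_len", "key_product",
            "key_public", "unknown", "key_hash"]
    return dict(zip(keys, fields), filename=name)


def parse_response_header(buf: bytes) -> dict:
    """Server reply after the token: a header whose length field says where the file body starts."""
    hlen, size, bid, bext, ft = struct.unpack_from(RESPONSE_FMT, buf)
    name, end = cstring(buf, struct.calcsize(RESPONSE_FMT))
    if end != hlen:
        raise ValueError(f"header length {hlen} does not match parsed header ({end} bytes)")
    return {"header_len": hlen, "file_size": size, "banner_id": bid, "banner_ext": bext,
            "filetime": ft, "modified": filetime_to_datetime(ft), "filename": name,
            "data": buf[hlen:]}


if __name__ == "__main__":
    print(parse_handshake(HANDSHAKE))
    print({k: v for k, v in parse_file_request(KEYED_REQUEST).items() if k != "key_hash"})
    hdr = parse_response_header(RESPONSE)
    print(hdr["filename"], hdr["file_size"], hdr["modified"].isoformat())
```

Reading the server header this way is what makes a downloader robust: the file body starts at header_len, not at a fixed offset, and the file_size field is what tells you when to stop reading the socket.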

Ringo

I had a quick mess around with the W3 shareware and I was right in thinking nothing is checked.
The things I did find to be needed were a correct version byte, and a 3-character country code in 0x50.
Other than that, its protocol mainly just checks the length.
I also found that the server it connects to is not a normal, average Battle.net server, but its own server (right in the middle of the west range).

63.241.83.7
63.241.83.8
63.241.83.9
63.241.83.11
63.241.83.12
63.241.83.13
63.241.83.103 <---
63.241.83.107
63.241.83.108
63.241.83.109
63.241.83.110
63.241.83.111
63.241.83.112

Those were the servers I could connect to on an average client (west servers), but the server this demo uses will only accept a W3 demo client.
I'm guessing this server is only built to support the basic elements of the logon, FTP downloading and gaming, so I don't think sending 0x0A would be such a great idea; it got me IP banned from the server for 4 hours, but I was still able to log on to the west servers.

As for the logon, it can be done without performing CheckRevision on the game's hash files.
(I kind of figured this out after BNCSutil.dll failed to perform CheckRevision on the demo hash, but was fine on all others.)
This was how I logged on:

1  192.168.0.4:3337  63.241.83.103:6112  1  Send 
0000  01                                                 .

2  192.168.0.4:3337  63.241.83.103:6112  53  Send 
0000  FF 50 35 00 00 00 00 00 36 38 58 49 4D 44 33 57    .P5.....68XIMD3W
0010  01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0020  00 00 00 00 00 00 00 00 4F 4D 47 00 48 6F 6D 65    ........OMG.Home
0030  6C 65 73 73 00                                     less.

3  63.241.83.103:6112  192.168.0.4:3337  8  Recv 
0000  FF 25 08 00 31 FE F8 5E                            .%..1..^

4  192.168.0.4:3337  63.241.83.103:6112  8  Send 
0000  FF 25 08 00 31 FE F8 5E                            .%..1..^

5  63.241.83.103:6112  192.168.0.4:3337  230  Recv 
0000  FF 50 E6 00 02 00 00 00 8B 6A 0C DC E2 4D 06 00    .P.......j...M..
0010  00 3C 5B A5 63 E8 C0 01 49 58 38 36 76 65 72 33    .<[.c...IX86ver3
0020  2E 6D 70 71 00 41 3D 32 32 31 31 39 39 35 37 35    .mpq.A=221199575
0030  38 20 42 3D 33 32 32 36 31 35 35 34 39 37 20 43    8 B=3226155497 C
0040  3D 31 31 38 36 39 35 38 31 34 39 20 34 20 41 3D    =1186958149 4 A=
0050  41 2B 53 20 42 3D 42 5E 43 20 43 3D 43 2D 41 20    A+S B=B^C C=C-A
0060  41 3D 41 5E 42 00 BE 8B 94 4A E9 BA 61 81 77 A8    A=A^B....J..a.w.
0070  31 10 B3 4E C7 33 E2 F8 B3 45 12 63 61 D7 A7 B0    1..N.3...E.ca...
0080  C8 C8 70 D8 5F A7 6A 96 CB 04 D5 0B 4D E4 34 EC    ..p._.j.....M.4.
0090  E9 EE 97 91 53 E6 44 8C 98 17 B4 31 E3 76 F8 CE    ....S.D....1.v..
00A0  99 C6 8B B1 DE FE DC 34 39 76 90 DD 64 B6 D1 E2    .......49v..d...
00B0  97 58 91 36 C7 19 96 2B 46 D4 C5 B3 6A 8A 66 EC    .X.6...+F...j.f.
00C0  20 2F B4 75 AA C1 09 10 C0 DD 3D F8 3D F0 1F BC     /.u......=.=...
00D0  F1 DC 10 AE A1 AB E5 12 E1 43 A2 98 84 80 5B 8B    .........C....[.
00E0  D5 55 4A 68 50 C6                                  .UJhP.

6  192.168.0.4:3337  63.241.83.103:6112  26  Send 
0000  FF 51 1A 00 00 00 00 00 00 00 00 00 00 00 00 00    .Q..............
0010  00 00 00 00 00 00 00 00 00 00                      ..........

7  63.241.83.103:6112  192.168.0.4:3337  9  Recv 
0000  FF 51 09 00 00 00 00 00 00                         .Q.......

8  192.168.0.4:3337  63.241.83.103:6112  48  Send 
0000  FF 53 30 00 00 00 00 00 00 00 00 00 00 00 00 00    .S0.............
0010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0020  00 00 00 00 53 69 72 4E 75 6C 6C 41 6C 6F 74 00    ....SirNullAlot.

9  63.241.83.103:6112  192.168.0.4:3337  28  Recv 
0000  FF 54 1C 00 00 00 00 00 00 00 00 00 00 00 00 00    .T..............
0010  00 00 00 00 00 00 00 00 00 00 00 00                ............


I don't see much more to figure out from the client, other than that you can Mickey Mouse the logon.
If, for example, the server was to introduce a version 2.0 for the demo, I'm assuming it would do this check on the version byte, or once the patch was uploaded, they'd start checking the client's 0x51 info?

I can't help thinking this relates to this topic in some way, even though it uses a different server.
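The logon above is a plain BNCS exchange: every message is 0xFF, a message ID byte, a little-endian 16-bit total length, then the payload. What follows is an added example, not code from the thread or from any bot, that frames the server side of the captured stream, decodes the client's and server's 0x50 messages, and interprets the CheckRevision formula string the server sent ("A=2211995758 B=3226155497 C=1186958149 4 A=A+S B=B^C C=C-A A=A^B") over 32-bit words. The bytes are copied from the log above; the message names (SID_PING 0x25, SID_AUTH_INFO 0x50, SID_AUTH_CHECK 0x51, SID_AUTH_ACCOUNTLOGON 0x53, SID_AUTH_ACCOUNTLOGONPROOF 0x54) are the usual BNCS names, not taken from the page. The formula interpreter is only the per-word operation loop; the MPQ-seed XOR and the padding of the game's hash files that a full CheckRevision performs are left out, which is why it is fed constructed words rather than game files.

```python
"""BNCS framing, SID_AUTH_INFO decoding and the CheckRevision formula loop,
rebuilt from the W3 demo logon log above (added example)."""
import struct

MASK = 0xFFFFFFFF
# Standard BNCS message IDs (names are not from the page).
SID_PING, SID_AUTH_INFO, SID_AUTH_CHECK = 0x25, 0x50, 0x51
SID_AUTH_ACCOUNTLOGON, SID_AUTH_ACCOUNTLOGONPROOF = 0x53, 0x54

# Client 0x50 from the log: protocol 0, IX86, W3DM, version byte 1, then "OMG" / "Homeless".
CLIENT_AUTH_INFO = (bytes.fromhex("ff503500" "00000000" "36385849" "4d443357" "01000000")
                    + bytes(20) + b"OMG\x00Homeless\x00")

# Everything the server sent in the log, concatenated as it arrives on the socket.
SERVER_STREAM = bytes.fromhex(
    "ff25080031fef85e"                  # SID_PING (client echoes it back)
    "ff50e600020000008b6a0cdce24d0600"  # SID_AUTH_INFO response, 230 bytes
    "003c5ba563e8c0014958383676657233"
    "2e6d707100413d323231313939353735"
    "3820423d333232363135353439372043"
    "3d31313836393538313439203420413d"
    "412b5320423d425e4320433d432d4120"
    "413d415e4200be8b944ae9ba618177a8"
    "3110b34ec733e2f8b345126361d7a7b0"
    "c8c870d85fa76a96cb04d50b4de434ec"
    "e9ee979153e6448c9817b431e376f8ce"
    "99c68bb1defedc34397690dd64b6d1e2"
    "97589136c719962b46d4c5b36a8a66ec"
    "202fb475aac10910c0dd3df83df01fbc"
    "f1dc10aea1abe512e143a29884805b8b"
    "d5554a6850c6"
    "ff5109000000000000"                # SID_AUTH_CHECK response: result 0, empty string
    "ff541c00" + "00" * 24)             # SID_AUTH_ACCOUNTLOGONPROOF: status 0, 20 zero bytes


def cstring(buf, off):
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("ascii"), end + 1


def iter_messages(stream):
    """Split a byte stream into (message id, payload) pairs, checking the 0xFF marker and length."""
    off = 0
    while off < len(stream):
        if stream[off] != 0xFF:
            raise ValueError(f"bad header byte 0x{stream[off]:02x} at offset {off}")
        mid, length = stream[off + 1], struct.unpack_from("<H", stream, off + 2)[0]
        if length < 4 or off + length > len(stream):
            raise ValueError(f"truncated message 0x{mid:02x} at offset {off}")
        yield mid, stream[off + 4:off + length]
        off += length


def frame(mid, payload):
    return struct.pack("<BBH", 0xFF, mid, 4 + len(payload)) + payload


def build_auth_info(product="W3DM", version_byte=1, country_abbr="OMG",
                    country="Homeless", platform="IX86"):
    """Client SID_AUTH_INFO with language, IP, timezone, locale and language ID left zero."""
    body = struct.pack("<I4s4sIIIIII", 0, platform.encode()[::-1], product.encode()[::-1],
                       version_byte, 0, 0, 0, 0, 0)
    return frame(SID_AUTH_INFO, body + country_abbr.encode() + b"\x00" + country.encode() + b"\x00")


def parse_auth_info_request(payload):
    _, plat, prod, ver, *_rest = struct.unpack_from("<I4s4sIIIIII", payload)
    abbr, off = cstring(payload, 36)
    country, _ = cstring(payload, off)
    return {"platform": plat[::-1].decode(), "product": prod[::-1].decode(),
            "version_byte": ver, "country_abbr": abbr, "country": country}


def parse_auth_info_response(payload):
    """Logon type, server token, UDP value, MPQ file time, MPQ name, formula, server signature."""
    logon_type, server_token, udp_value, mpq_filetime = struct.unpack_from("<IIIQ", payload)
    mpq_name, off = cstring(payload, 20)
    formula, off = cstring(payload, off)
    return {"logon_type": logon_type, "server_token": server_token, "udp_value": udp_value,
            "mpq_filetime": mpq_filetime, "mpq_name": mpq_name, "formula": formula,
            "signature": payload[off:]}


OPERATORS = {"+": lambda x, y: (x + y) & MASK, "-": lambda x, y: (x - y) & MASK,
             "*": lambda x, y: (x * y) & MASK, "^": lambda x, y: x ^ y,
             "|": lambda x, y: x | y, "&": lambda x, y: x & y}


def parse_formula(text):
    """'A=.. B=.. C=.. 4 A=A+S ...' -> (seed dict, [(dst, lhs, op, rhs), ...])."""
    seeds, ops, declared = {}, [], None
    for tok in text.split():
        if tok.isdigit():
            declared = int(tok)          # operation count the server claims
            continue
        dst, expr = tok.split("=")
        if expr.isdigit():
            seeds[dst] = int(expr) & MASK
        else:
            ops.append((dst, expr[0], expr[1], expr[2]))
    if declared is not None and declared != len(ops):
        raise ValueError(f"formula declares {declared} operations, found {len(ops)}")
    return seeds, ops


def run_formula(text, words):
    """Run the operation list once per 32-bit word (S); returns the final (A, B, C)."""
    seeds, ops = parse_formula(text)
    regs = {"A": 0, "B": 0, "C": 0, "S": 0, **seeds}
    for w in words:
        regs["S"] = w & MASK
        for dst, x, op, y in ops:
            regs[dst] = OPERATORS[op](regs[x], regs[y])
    return regs["A"], regs["B"], regs["C"]


if __name__ == "__main__":
    for mid, payload in iter_messages(SERVER_STREAM):
        print(f"0x{mid:02x} {len(payload)} bytes")
    print(parse_auth_info_response(list(iter_messages(SERVER_STREAM))[1][1])["formula"])
```

The length check in iter_messages matters more than it looks: a real client reads from a socket, so a message can arrive split or with trailing bytes of the next one, and trusting the 16-bit length without comparing it against the buffer is how parsers end up reading another message's bytes as this one's strings.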

Arta

BnFTP Version 2 has now been published. I've only just put it up, so it'll probably need some tweaking. Let me know what you think.

Ringo

Quote from: Arta[vL] on June 02, 2005, 04:49 PM
BnFTP Version 2 has now been published. I've only just put it up, so it'll probably need some tweaking. Let me know what you think.
Thanks, you probably guessed my luck with FTPv2 wasn't going too great; seems I got drawn into this demo :)
I had a quick look at it and it looks very well documented and complete, thank you.
(DWORD)      Server Token
That has hit the nail right on the head, I get it now, thank you.

UserLoser

Quote from: Ringo on May 31, 2005, 07:30 AM
Well, it would seem UserLoser won't/doesn't want to talk about this subject, or at least not with me.

Am I asking too much? I don't want source code, intense documentation or a piggyback ride all the way through the connection.
I just want a few simple answers and a few packet logs so I can get on with it..

This is one main good reason why I do not use BnetDocs unless I really have to, because BnetDocs never documents the packet you're trying to reverse.
And in this case it would seem it's because an editor is withholding the information (why doesn't that surprise me).

I never needed BnetDocs when I stepped through 80+ D2GS packet types/lengths and all the internal values by myself, and I don't expect I will need it to do this.
(Please do not take this as a dig at BnetDocs.. BnetDocs is all good.)

One thing I didn't need for this topic was UserLoser trying to prove a point in it.
It's just an FTP game server.... it's not like I'm asking about online banking encryption...

Thanks to Lord for telling me there is hashing involved and to Soul for telling me it's to do with the CD key hash. I now know what it entails, but those are two very valuable points that UserLoser failed to point out in his first post (assuming he was trying to prove something rather than being helpful).
But his first post really didn't contribute to the discussion at hand at all...

I really don't have the money to buy the client just so I can do this, and "this" is no big deal.. like I said, it's just a gaming FTP server, and Blizzard's hashing is somewhat basic as hashing goes.

I'm assuming that UserLoser wasn't purely dependent on other people's knowledge when he wrote the connection, and that he in fact does remember some of it but is not willing to talk about it.

I'm hoping someone can bring some more much-needed information about this to the table. A packet log of the requests would be a great start, or anything about the hashing.

I expect UL will be quick to reply to this, as he will feel his point must be proven valid in some way...
I hope you can explain why you can't remember anything (when you were meant to have reversed it in the past),
or why you're not willing to talk about it.

Again, thanks to the people who have contributed to this topic and anyone who can do so in the not so distant future.

Thanks again

I just read this now; I never read this post before. So I want to reply just so you don't think I was ignoring you. I in fact do remember how the system worked, and I figured it out independently and wrote a standalone FTPv2 client and implemented it in my bot. As for the format, I didn't have it at the time of my first posts in this thread because I lost all my previous source code and basically everything on my computer (it's now on BnetDocs anyway, thanks to someone else).