• Welcome to Valhalla Legends Archive.
 

Password Proof (for 0x54)

Started by Strilanc, January 01, 2008, 11:14 PM

Previous topic - Next topic

Strilanc

Using MBNCSUtil I've managed to get all the way to the last logon step in WC3. I need to compute the password proof.

After searching for awhile I managed to find a cached page with an explanation: http://64.233.167.104/search?q=cache:0iTY9kDpd0EJ:www.jbls.org/bnetdocs/content4323.html%3FSection%3Dd%26id%3D18+NLS/SRP+Protocol&hl=en&ct=clnk&cd=1

I implemented this in VB.net:

    Public Function getPasswordProof() As Byte()
        Dim bb As Byte()
        'Compute values
        'strings not null terminated, is that correct?
        bb = packBytes(packString(username.ToUpper()), packString(":"), packString(password.ToUpper()))
        bb = SHA1(bb)
        bb = packBytes(salt, bb)
        bb = SHA1(bb)
        Dim x As BigNum = New BigNum(bb)
        Dim v As BigNum = G.powerMod(x, N)
        bb = SHA1(remoteKey.bytes)
        bb = chopBytes(bb, 4)(0)
        Dim u As BigNum = New BigNum(bb)
        Dim S As BigNum = ((N + remoteKey - v) Mod N).powerMod(privateKey + u * x, N)

        'Separate S into odd and even bytes
        Dim bb1(0 To 15) As Byte, bb2(0 To 15) As Byte
        For i As Integer = 0 To 15
            bb1(i) = S.byteVal(2 * i)
            bb2(i) = S.byteVal(2 * i + 1)
        Next i

        'Hash the odds and the evens
        bb1 = SHA1(bb1)
        bb2 = SHA1(bb2)
        Dim K(0 To 19) As Byte

        'Put evens to evens and odds to odds
        For i As Integer = 0 To 9
            'I assumed 'combine the buffers' meant this, but it could mean a ton of other things
            K(2 * i) = bb1(2 * i)
            K(2 * i + 1) = bb2(2 * i + 1)
        Next i

        'Xor the hashes of G and N together
        bb1 = SHA1(G.bytes)
        bb2 = SHA1(N.bytes)
        For i As Integer = 0 To bb1.Length - 1
            bb1(i) = bb1(i) Xor bb2(i)
        Next i

        'Get the full hash
        bb = SHA1(packString(username.ToUpper()))
        bb = packBytes(bb1, bb, salt, publicKey.bytes, remoteKey.bytes, k)
        bb = SHA1(bb)

        Return bb
    End Function


But I get an "incorrect password" flag when I try to log on.

Is the algorithm on that page correct?
Have I implemented it correctly? (assume the BigNum class works)
Can someone provide the values I should be getting for some given password/key combo?
Don't pay attention to this signature, it's contradictory.

iago

I haven't looked at your implementation, but this will tell you how to implement it in a high level way:
http://www.javaop.com/~ron/documents/SRP.html

This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Strilanc

#2
What a great link.

Thanks a lot!

Update: I was computing K incorrectly, and my BigNum class was doing powerMod incorrectly. It works now.
Don't pay attention to this signature, it's contradictory.