Transparent proxy over Warcraft3! Man In Middle attack foiled ?

Started by leax, June 06, 2010, 06:38 AM


leax

hey guys
I tried to relay War3 packets over a proxy run on localhost, through
1. mapping uswest.battle.net to 127.0.0.1, where the proxy server would connect to the real Battle.net IP and relay the packets in the middle
or
2. changing the registry so the gateway Lordaeron points to localhost, and relaying the packets in the middle

Now the proxy logged the 0x1 then the 0x50 ID_AUTH_INFO packet being sent, but as soon as it relayed the received 0x50 from the server, the War3 client DC'd itself.

So I tried the packet dump with and without the proxy; the results are
1. the 0x50 send is identical whether the War3 client is connected to Bnet or connected to the proxy
2. the 0x50 receive contains the same 128-byte Server Signature

Does anyone know how the hell the War3 client figures out that it is getting proxied?

thanks

Warcraft3 Custom Game Host Bot Development
http://www.codelain.com

RealityRipple

The Server Signature at the end of SID_AUTH_INFO for WAR3 and W3XP is based on the server's IP. See this post for example code of checking a signature.

leax

thanks

but the sample code seems incomplete
1. what is the sig string and the array K? The variables key and mod seem to be undeclared
2. N I assume to be the private hash key, but didn't Hdx say it's 128-bit, not 128-byte?
3. no clue what &HBB is used for

Do you know the steps in general for how the signature is generated? I think I'm better off learning the concepts rather than figuring out partial code.

thanks


Quote:
Public Function checkServerSignature(sig As String, ip As String) As Boolean
    Dim I As Long, Ret As Boolean
    'Array() returns a Variant array, so K and N are declared As Variant rather than As Byte
    Dim K As Variant: K = Array(0, 1, 1, 0)   'the exponent ("key" in the original modPow line)
    Dim N As Variant: N = Array(&HD5, &HA3, &HD6, &HAB, &HF, &HD, &HC5, &HF, &HC3, &HFA, &H6E, &H78, &H9D, &HB, &HE3, &H32, &HB0, &HFA, &H20, &HE8, &H42, &H19, &HB4, &HA1, &H3A, &H3B, &HCD, &HE, &H8F, &HB5, &H56, &HB5, &HDC, &HE5, &HC1, &HFC, &H2D, &HBA, &H56, &H35, &H29, &HF, &H48, &HB, &H15, &H5A, &H39, &HFC, &H88, &H7, &H43, &H9E, &HCB, &HF3, &HB8, &H73, &HC9, &HE1, &H77, &HD5, &HA1, &H6, &HA6, &H20, &HD0, &H82, &HC5, &H2D, &H4D, &HD3, &H25, &HF4, &HFD, &H26, &HFC, &HE4, &HC2, &H0, &HDD, &H98, &H2A, &HF4, &H3D, &H5E, &H8, &H8A, &HD3, &H20, &H41, &H84, &H32, &H69, &H8E, &H8A, &H34, &H76, &HEA, &H16, &H8E, &H66, &H40, &HD9, &H32, &HB0, &H2D, &HF5, &HBD, &HE7, &H57, &H51, &H78, &H96, &HC2, &HED, &H40, &H41, &HCC, &H54, &H9D, &HFD, &HB6, &H8D, &HC2, &HBA, &H7F, &H69, &H8D, &HCF)   'the modulus ("mod" in the original modPow line)
    Dim Result As String, CorrectResult As String

    'Do the calculation: Result = sig ^ K mod N on little-endian byte strings.
    'VB6 has no big-integer type; ModPow is an assumed helper standing in for the
    'Java call "new BigIntegerEx(BigIntegerEx.LITTLE_ENDIAN, sig).modPow(key, mod)" that was pasted here.
    Result = ModPow(sig, K, N)

    'The expected plaintext is the 4-byte IP followed by &HBB padding up to the signature length
    CorrectResult = String(Len(Result), Chr(&HBB))
    CorrectResult = ip & Mid(CorrectResult, 5)

    'VB6 strings are 1-based and cannot be indexed like arrays, so compare with Mid()
    Ret = True
    For I = 1 To Len(Result)
        If Mid(Result, I, 1) <> Mid(CorrectResult, I, 1) Then
            Ret = False
        End If
    Next I
    checkServerSignature = Ret
End Function



RealityRipple

Eh... I can't get a simple signature check working, so I can't invert the function... K = key, N = mod, for your reference, and that K appears to be wrong as well. Try using ValidateServerSignature from NLS.cs in MBNCSUtil.

Hdx

http://en.wikipedia.org/wiki/RSA
As I said in my old post, it's been a while, and again, it's been a while.
But it's 128-byte (1024-bit), not 128-bit.
N is the modulus, which is agreed upon beforehand, and so is K. (In the image below, K is d)

Quote:
Decryption:

Alice can recover m from c by using her private key exponent d by the following computation:

Given m, she can recover the original message M by reversing the padding scheme.
(In practice, there are more efficient methods of calculating c^d using the precomputed values above.)
The 0xBB's are used to pad the message up to a 128-byte boundary. So basically, after decryption the signature looks like this:
11223344BBBBBBBBBBBB......etc, where 11223344 is the server's IP.
So the reason you are failing is because the game is seeing:
3FF1530CBBBBBBBB.... when it's expecting:
7F000001BBBBBBBB....

Anyways, if you're thinking of generating a fake signature, STOP NOW: it uses a 1024-bit private key, which you will NEVER be able to figure out.
So your best bet is to remove the check itself from the client. This is actually rather simple: just look for the modulus (N) in the game's files (I think it's in Game.dll), track it around to where it's used, and then make that function 'return true;'. You'll have to do your own checkrevision, but that's really simple these days.




Proud host of the JBLS server www.JBLS.org.
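The check that RealityRipple and Hdx describe, modelled in Python as an added example (this is not code from the thread, from MBNCSUtil or from Blizzard): the client raises the 128-byte signature to the public exponent modulo N and expects the four octets of the IP address it connected to, followed by 0xBB padding. Battle.net's private key is not available, so the block generates a throwaway 1024-bit key of its own; the exponent 65537, the little-endian byte order taken from the pasted modPow line, and the reading of Hdx's 3FF1530C as the octets 63.241.83.12 in order are assumptions for the demo (the real N is the constant in leax's post). It signs for that address and then shows the very same signature failing when the client believes it connected to 127.0.0.1, which is exactly what a localhost relay changes.

```python
import random

SIG_LEN = 128      # signature length in bytes: 1024-bit RSA, as Hdx says
PAD_BYTE = 0xBB    # padding byte described in the thread
_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin test; demo quality only, not a vetted crypto library."""
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits, rng):
    # The top three bits are forced on so p*q always fills 128 bytes with a top
    # byte above 0xBB, which keeps every padded plaintext smaller than the modulus.
    while True:
        cand = rng.getrandbits(bits) | (7 << (bits - 3)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def _modinv(a, m):
    # Extended Euclid: returns a^-1 mod m (gcd(a, m) == 1 is guaranteed by the caller)
    r0, r1, s0, s1 = m, a % m, 0, 1
    while r1:
        k = r0 // r1
        r0, r1, s0, s1 = r1, r0 - k * r1, s1, s0 - k * s1
    return s0 % m


def make_demo_keypair(seed=2010):
    """Throwaway 1024-bit key (n, e, d), constructed for this demo. The real
    Battle.net key belongs to Blizzard; the seed only makes the demo reproducible."""
    rng = random.Random(seed)
    e = 65537                         # assumed public exponent for the demo
    while True:
        p, q = _gen_prime(512, rng), _gen_prime(512, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:        # e is prime, so this is gcd(e, phi) == 1
            break
    return p * q, e, _modinv(e, phi)


def ip_to_bytes(ip):
    octets = [int(x) for x in ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address: %r" % ip)
    return bytes(octets)


def expected_plaintext(ip):
    """What a valid signature must decrypt to: the 4 IP octets, then 0xBB padding."""
    return ip_to_bytes(ip) + bytes([PAD_BYTE]) * (SIG_LEN - 4)


def sign_for_ip(ip, n, d):
    """Server side (demo key only): RSA-sign the padded IP, little-endian bytes."""
    m = int.from_bytes(expected_plaintext(ip), "little")
    assert m < n, "padded plaintext must be smaller than the modulus"
    return pow(m, d, n).to_bytes(SIG_LEN, "little")


def check_server_signature(sig, ip, n, e):
    """Client side: sig^e mod n must equal the padded IP the client itself
    connected to. A relay on 127.0.0.1 changes `ip`, not `sig`, so this fails."""
    if len(sig) != SIG_LEN:
        return False
    plain = pow(int.from_bytes(sig, "little"), e, n).to_bytes(SIG_LEN, "little")
    return plain == expected_plaintext(ip)


if __name__ == "__main__":
    n, e, d = make_demo_keypair()
    real_ip = "63.241.83.12"          # 3F F1 53 0C, the bytes in Hdx's example
    sig = sign_for_ip(real_ip, n, d)
    print("direct connection:", check_server_signature(sig, real_ip, n, e))
    print("through localhost:", check_server_signature(sig, "127.0.0.1", n, e))
```

The point the thread makes falls out of the last two lines: the proxy forwards the server's bytes untouched, so the signature is still valid for the server's real address, but the client verifies it against the address it dialled, and 7F000001 is not 3FF1530C. Only something holding the private exponent could produce a signature that decrypts to the localhost address, which is why relaying the packet cannot work.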