Valhalla Legends Archive

Hello everybody,

I have a simple question.
When you log in bnet, u use the "FF29" packet structure.
In this structure, the client send :

- u32 Client Session Token ( i use the time: (u32)time(NULL) )
- u32 Server Session Token   (u received this in the "FF50" packet)
- u32 PasswordHash[5]  (calculate with Client token, Server Token and the password)
- String account name

So ok, no probleme for this sequence. The server recalculate the hashing of the password with the data u send to it. ( Client Token and Server Token)

Now, when u create an account, u use "FF3D" packet structure but
in this packet structure, u never send the Client Token and Server Token. So with which data the hashing password is calculated ?
U have the Server Token and the bnetd server too but what's about the Client Token ? When U hash the password,  u use Client Token = 0 ?

Thanks and sorry for my poor english

OriOn

Arf,
U use the same Client Token and Server Token sent in the "FF51" packet for the hashing of the CdKey ?

Quote from: OriOn on May 12, 2003, 06:43 AMU use the same Client Token and Server Token sent in the "FF51" packet for the hashing of the CdKey ?

No. The account create hash is done with only the password.

Yes thanx kane, i have not enough thought about this question but it's very logical
the hash is stored on the server so without challenge data :p

could someone show me how to use PacketBuffer and wsock to create a new account on bnet?
On my bot I tried using packet id 0x04 and
SID_AUTH_ACCOUNTCREATE (0x52)
but it didnt work.  Could someone show me some code please.
Thank you.

Quote from: vampgirl on May 13, 2003, 10:59 AMOn my bot I tried using packet id 0x04 and
SID_AUTH_ACCOUNTCREATE (0x52)
but it didnt work.

I'm not familiar with packet 0x04, nor 0x52. But, I do know that it's most likely only Skywing (and his BNLS server) which knows how to successfully create packet 0x52.

SID_AUTH_ACCOUNTCREATE is part of the new logon system, and as far as I know, can only be used by WarCraft 3 (would be cool if I'm wrong, though).

so how can i create a bnet account without BNLS

Quote from: vampgirl on May 13, 2003, 01:08 PMso how can i create a bnet account without BNLS

On WarCraft 3, you cannot, except for using the actual WarCraft 3 client.

Otherwise, you should use SID_CREATEACCOUNT2 (0x3D)
http://www.valhallalegends.com/arta/bnetdocs/content.php?id=3D&Sender=C

i have read that but im not smart enough to understand
could you give me some sample code please
thank you so much

Quote from: vampgirl on May 13, 2003, 02:14 PMi have read that but im not smart enough to understand

Keep trying, don't give up. You keep the knowledge you learn the longest when you learn it yourself instead of having someone else hand-feed you the knowledge.

ok i tried but i cant get it ...
could you give me a little hint please?

i send chr(1)
then i send DWORD[0] = null
DWORD[1] = NULL
DWORD[2] = NULL
DWORD[3] = NULL
DWORD[4] = NULL
DWORD[5] = Password hash
then insert.ntstring (Username)

this will give a SID_AUTH_ACCOUNTCREATE (0x52) returned?
and how should i parse that ?

please give me a little hint ...

vampgirl:

Did you write PacketBuffer?
If not, do you know how it works and/or what it does?
Are you sure? Try examining the PacketBuffer code and/or writing your own PacketBuffer class. It will give you a better understanding of buffers.

Also, you haven't said once what language you're writing in.

im using vb6 .. i am using packetbuffer class
i am writing a module to send the login sequence
i am using bnet + star hash
i got the version and everything completed

this is what i have so far after packet logging.
create account:
c->s ff 3d 22 00 something(password hash?) + username
s->c ff 3d 0b 00 00 00 00 00 00 e5 ff
login account:
c->s ff 29 2a 00 something(password hash?) + username
s->c ff 29 08 00 01 00 00 00

now I got the login working with a premade account
but I cant get the create account to work.

It seems the way the password is sent in the create account is different from the way it is send in the regular login.  or is it just a time factor?

So basically what Im looking for is some help to get this to work and I would greatly appreciate any hints.  
BTW:  I am IPBanned from the BnetDocs .. I dont know why.

Quote from: vampgirl on May 14, 2003, 09:26 PM
It seems the way the password is sent in the create account is different from the way it is send in the regular login.

correct. when you create account, you run the password through broken sha-1 once, and send the 160bit result to battle.net
when you log in, you take the 160bit hashed result, and hash it again with some salt. then, iirc, the 160 byte result is prepended by the salt


so, in 0x3D, the password is single hashed:
Public Sub SendCreateAccount(UserName As String, Password As String)
   SendPacket &H3D, CalcHashBuf(Password) & UserName & Chr(0)
End Sub

while in 0x29, the password is double hashed:
Public Function HashPass(ByVal password As String, Key As Long, seed As Long) As String
   Dim hashout As String * 20
   hashout = CalcHashBuf(password)
   HashPass = MKL(seed) & MKL(Key)
   HashPass = HashPass & CalcHashBuf(HashPass & hashout)
End Function

bnet's only record of a user's password, as discussed in some previous thread, is, under normal circumstances, the single-hashed version of the password. when bnet recieves 0x29, it takes its single hashed copy of the password, and hashes it with the 64 bits of salt sent, and compares it to the 160 bit double broken sha-1 hash.

condensed pseudocode:
create_account_buffer = brokensha1(password)
login_buffer = seed & key & brokensha1(seed & key & brokensha1(password))


also note that under some conditions you only send the seed and the hashed pass, but the server key is still used in hashing!! unless you are adding d2 realm support, however, you probably wont ever need to worry about this
realm_login_buffer = (dword)1 & brokensha1((dword)1 & key & brokensha1("password"))
you don't really need to calculate the hash of "password" because it's always going to be the same (ECC80D1D76E758C0B9DA8C25FF106AFF8E242916), but you need to calculate the hash of the seed and key prepended to that, because key will change from connection to connection

Thank you for that last reply.  That was very helpful to me.  I understand how to hash the password and how to send the packets now.  I created my own packetbuffer class and my own secure hash module.  I tested it on my pvpgn and it did create the account, however it did not login.

I took a snapshot of Fyrebot's login sequence to create an account and login and it works as follows:
3a,3d,2d,3d,3a,0a

This is the snapshot of my sc game client making an account
c->s 51
s->c 51
c->s 2d
s->c 2d
33 (not important just the profile)
c->s 3d
s->c 3d
c->s 29
s->c 29
c->s ack <-- maybe im missing this in my bot packet login sequence
c->s 0a
s->c 0a

I send in my sequence:  2d,36,3d,29 <- after 29 I send FIN packet.  It is closing the connection because the account was not made to login, however after 5 mins the account shows up on the server.
What am I not getting here?