
Client Token and account creation

Started by OriOn, May 12, 2003, 06:38 AM


OriOn

Hello everybody,

I have a simple question.
When you log in to bnet, u use the "FF29" packet structure.
In this structure, the client sends:

- u32 Client Session Token (I use the time: (u32)time(NULL))
- u32 Server Session Token (u received this in the "FF50" packet)
- u32 PasswordHash[5] (calculated with Client Token, Server Token and the password)
- String account name

So ok, no problem for this sequence. The server recalculates the hashing of the password with the data u send to it (Client Token and Server Token).

Now, when u create an account, u use the "FF3D" packet structure, but
in this packet structure u never send the Client Token and Server Token. So with which data is the password hash calculated?
U have the Server Token and the bnetd server too, but what about the Client Token? When u hash the password, u use Client Token = 0?

Thanks and sorry for my poor English :)

OriOn


OriOn

Arf,
U use the same Client Token and Server Token sent in the "FF51" packet for the hashing of the CdKey ?

tA-Kane

Quote from: OriOn on May 12, 2003, 06:43 AM
U use the same Client Token and Server Token sent in the "FF51" packet for the hashing of the CdKey ?
No. The account create hash is done with only the password.
Macintosh programmer and enthusiast.
Battle.net Bot Programming: http://www.bash.org/?240059
I can write programs. Can you right them?

http://www.clan-mac.com
http://www.eve-online.com

OriOn

Yes, thanks Kane, I have not thought enough about this question, but it's very logical :)
The hash is stored on the server, so without challenge data :p

vampgirl

Could someone show me how to use PacketBuffer and wsock to create a new account on bnet?
On my bot I tried using packet id 0x04 and
SID_AUTH_ACCOUNTCREATE (0x52)
but it didn't work. Could someone show me some code, please?
Thank you.

tA-Kane

Quote from: vampgirl on May 13, 2003, 10:59 AM
On my bot I tried using packet id 0x04 and
SID_AUTH_ACCOUNTCREATE (0x52)
but it didn't work.
I'm not familiar with packet 0x04, nor 0x52. But, I do know that it's most likely only Skywing (and his BNLS server) which knows how to successfully create packet 0x52.

SID_AUTH_ACCOUNTCREATE is part of the new logon system, and as far as I know, can only be used by WarCraft 3 (would be cool if I'm wrong, though).

vampgirl

So how can I create a bnet account without BNLS?

tA-Kane

Quote from: vampgirl on May 13, 2003, 01:08 PM
so how can i create a bnet account without BNLS
On WarCraft 3, you cannot, except for using the actual WarCraft 3 client.

Otherwise, you should use SID_CREATEACCOUNT2 (0x3D)
http://www.valhallalegends.com/arta/bnetdocs/content.php?id=3D&Sender=C

vampgirl

I have read that, but I'm not smart enough to understand.
Could you give me some sample code, please?
Thank you so much :)

tA-Kane

Quote from: vampgirl on May 13, 2003, 02:14 PM
i have read that but im not smart enough to understand
Keep trying, don't give up. You keep the knowledge you learn the longest when you learn it yourself instead of having someone else hand-feed you the knowledge.

vampgirl

OK, I tried but I can't get it ...
Could you give me a little hint, please?

i send chr(1)
then i send DWORD[0] = null
DWORD[1] = NULL
DWORD[2] = NULL
DWORD[3] = NULL
DWORD[4] = NULL
DWORD[5] = Password hash
then insert.ntstring (Username)

Will this give a SID_AUTH_ACCOUNTCREATE (0x52) in return?
And how should I parse that?

Please give me a little hint ...

Yoni

vampgirl:

Did you write PacketBuffer?
If not, do you know how it works and/or what it does?
Are you sure? Try examining the PacketBuffer code and/or writing your own PacketBuffer class. It will give you a better understanding of buffers.

Also, you haven't said once what language you're writing in.

vampgirl

I'm using VB6 .. I am using the PacketBuffer class.
I am writing a module to send the login sequence.
I am using bnet + star hash.
I got the version and everything completed.

this is what i have so far after packet logging.
create account:
c->s ff 3d 22 00 something(password hash?) + username
s->c ff 3d 0b 00 00 00 00 00 00 e5 ff
login account:
c->s ff 29 2a 00 something(password hash?) + username
s->c ff 29 08 00 01 00 00 00

Now I got the login working with a premade account,
but I can't get the create account to work.

It seems the way the password is sent in the create account is different from the way it is sent in the regular login. Or is it just a time factor?

So basically what I'm looking for is some help to get this to work, and I would greatly appreciate any hints.
BTW: I am IP-banned from the BnetDocs .. I don't know why.

Camel

Quote from: vampgirl on May 14, 2003, 09:26 PM
It seems the way the password is sent in the create account is different from the way it is sent in the regular login.

correct. when you create account, you run the password through broken sha-1 once, and send the 160bit result to battle.net
when you log in, you take the 160bit hashed result, and hash it again with some salt. then, iirc, the 160 byte result is prepended by the salt


so, in 0x3D, the password is single hashed:
Public Sub SendCreateAccount(UserName As String, Password As String)
   SendPacket &H3D, CalcHashBuf(Password) & UserName & Chr(0)
End Sub


while in 0x29, the password is double hashed:
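' CalcHashBuf (broken SHA-1, 20-byte result) and MKL (Long -> 4-byte string)
' are helper routines from the bot's own code, not VB6 built-ins.
Public Function HashPass(ByVal password As String, Key As Long, seed As Long) As String
   Dim hashout As String * 20
   ' First pass: hash of the password alone (same value sent in 0x3D)
   hashout = CalcHashBuf(password)
   ' Salt: seed followed by key, 4 bytes each
   HashPass = MKL(seed) & MKL(Key)
   ' Second pass: hash of salt + first hash, appended after the salt
   HashPass = HashPass & CalcHashBuf(HashPass & hashout)
End Function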


bnet's only record of a user's password, as discussed in some previous thread, is, under normal circumstances, the single-hashed version of the password. when bnet receives 0x29, it takes its single hashed copy of the password, and hashes it with the 64 bits of salt sent, and compares it to the 160 bit double broken sha-1 hash.

condensed pseudocode:
create_account_buffer = brokensha1(password)
login_buffer = seed & key & brokensha1(seed & key & brokensha1(password))


also note that under some conditions you only send the seed and the hashed pass, but the server key is still used in hashing!! unless you are adding d2 realm support, however, you probably won't ever need to worry about this
realm_login_buffer = (dword)1 & brokensha1((dword)1 & key & brokensha1("password"))
you don't really need to calculate the hash of "password" because it's always going to be the same (ECC80D1D76E758C0B9DA8C25FF106AFF8E242916), but you need to calculate the hash of the seed and key prepended to that, because key will change from connection to connection
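
The single-hash and double-hash buffers described in the post above, as an added example that is not part of the original thread: it builds the 0x3D and 0x29 packets with the header layout visible in the packet logs and checks a login on the server side. Standard SHA-1 stands in for Battle.net's broken SHA-1, and the function names, the sample account and the server-token check are assumptions of this example.

```python
import hashlib
import hmac
import struct

def stand_in_hash(data: bytes) -> bytes:
    # ASSUMPTION: standard SHA-1 replaces Battle.net's "broken SHA-1" here,
    # so these digests will not match what a real server computes.
    return hashlib.sha1(data).digest()

def frame(packet_id: int, payload: bytes) -> bytes:
    # Header as in the thread's packet logs: FF, id, u16 LE total length.
    return struct.pack("<BBH", 0xFF, packet_id, 4 + len(payload)) + payload

def create_account_packet(username: str, password: str) -> bytes:
    # 0x3D: single hash of the password, then the NUL-terminated name.
    # No tokens are involved, so this value is what the server stores.
    return frame(0x3D, stand_in_hash(password.encode()) + username.encode() + b"\x00")

def login_proof(client_token: int, server_token: int, stored_hash: bytes) -> bytes:
    # Second hash: both tokens as little-endian u32, then the single hash.
    return stand_in_hash(struct.pack("<II", client_token, server_token) + stored_hash)

def login_packet(username: str, password: str, client_token: int, server_token: int) -> bytes:
    # 0x29: client token, server token, 20-byte double hash, name.
    proof = login_proof(client_token, server_token, stand_in_hash(password.encode()))
    tokens = struct.pack("<II", client_token, server_token)
    return frame(0x29, tokens + proof + username.encode() + b"\x00")

def server_verify(packet: bytes, stored_hash: bytes, issued_server_token: int) -> bool:
    # The server never needs the password: it rehashes its stored single
    # hash with the tokens and compares with the client's proof.
    if len(packet) < 4 + 8 + 20 + 1:
        return False
    magic, packet_id, length = struct.unpack_from("<BBH", packet)
    if (magic, packet_id, length) != (0xFF, 0x29, len(packet)):
        return False
    client_token, server_token = struct.unpack_from("<II", packet, 4)
    # ASSUMPTION of this example: only the token issued on this connection
    # is accepted, so a proof captured on another connection is rejected.
    if server_token != issued_server_token:
        return False
    expected = login_proof(client_token, issued_server_token, stored_hash)
    return hmac.compare_digest(packet[12:32], expected)

if __name__ == "__main__":
    stored = create_account_packet("testuser1", "hunter2")[4:24]  # constructed
    pkt = login_packet("testuser1", "hunter2", 0x3EBF5A10, 0x1234ABCD)
    print(len(pkt), server_verify(pkt, stored, 0x1234ABCD))
```

With a nine-character account name the two packets come out at 0x22 and 0x2a bytes, the same lengths as in the logged `ff 3d 22 00` and `ff 29 2a 00` headers.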

vampgirl

Thank you for that last reply.  That was very helpful to me.  I understand how to hash the password and how to send the packets now.  I created my own packetbuffer class and my own secure hash module.  I tested it on my pvpgn and it did create the account, however it did not login.

I took a snapshot of Fyrebot's login sequence to create an account and login and it works as follows:
3a,3d,2d,3d,3a,0a

This is the snapshot of my sc game client making an account
c->s 51
s->c 51
c->s 2d
s->c 2d
33 (not important just the profile)
c->s 3d
s->c 3d
c->s 29
s->c 29
c->s ack <-- maybe I'm missing this in my bot packet login sequence
c->s 0a
s->c 0a

I send in my sequence:  2d,36,3d,29 <- after 29 I send FIN packet.  It is closing the connection because the account was not made to login, however after 5 mins the account shows up on the server.
What am I not getting here?