
BNLS "authorizer"

Started by tA-Kane, January 10, 2005, 08:52 AM

tA-Kane

Some bots (in particular, the one I'm using ... *cough*Spht*cough*) seem to not like it when BNLS returns 0x01 for the status to BNLS_AUTHORIZEPROOF reply (meaning that the bot's ID or password was invalid). Whether it's intentional (disable old versions or whatever) or not (didn't allow for nonzero statuscodes, accidental BNLS password change, etc), this can be annoying. If the bot you're using allows you to change the BNLS server to 127.0.0.1, then you could try this. It simply passes data between the bot and the real BNLS server, except that when the BNLS_AUTHORIZEPROOF reply is sent from the server, the status code always gets changed to 0x00 (bot is authorized), which makes the bot think it's allowed to move on.

BNLS seems to be down at the moment, so I'm not able to test it myself (eww...), so hopefully someone else will be able to, because I'm about to fall asleep.

By the way, this is my first Win32 app.

http://linkware.clan-mac.com/kanebot/misc/bnls_authorizer.zip
Macintosh programmer and enthusiast.
Battle.net Bot Programming: http://www.bash.org/?240059
I can write programs. Can you right them?

http://www.clan-mac.com
http://www.eve-online.com

Mephisto

Or everyone can stop using the outdated BNLS authorization packets (unless there's still some reason to use them...) and just dump all of their authorization processing and just move along the protocol.  Besides, what caused SphtBotv3 to all of a sudden become unauthorized?

MyndFyre

Quote from: Mephisto on January 10, 2005, 08:56 AM
Or everyone can stop using the outdated BNLS authorization packets (unless there's still some reason to use them...) and just dump all of their authorization processing and just move along the protocol.  Besides, what caused SphtBotv3 to all of a sudden become unauthorized?

The reason for using them, as Kane pointed out, is to disable old versions.  Change the password to disable old versions, eh? :)

Thanks, Kane.  I've been having trouble with it lately myself; that helps!
Quote: Every generation of humans believed it had all the answers it needed, except for a few mysteries they assumed would be solved at any moment. And they all believed their ancestors were simplistic and deluded. What are the odds that you are the first generation of humans who will understand reality?

After 3 years, it's on the horizon.  The new JinxBot, and BN#, the managed Battle.net Client library.

Quote from: chyea on January 16, 2009, 05:05 PM
You've just located global warming.

Mephisto

That would be really easy to fix, and I think UL did it already.

dxoigmn

Quote from: Mephisto on January 10, 2005, 12:59 PM
That would be really easy to fix, and I think UL did it already.

It probably wouldn't be "really easy to fix" if you don't have access to the source code nor a plugin system (which even then might not be enough).  The proxy-like application Kane created is a good solution to the problem.

UserLoser.

Just hack SphtBotv3 like I did.  Go to offset 0xa3801 in your favorite hex editor and change it from a 0x74 to 0xeb

Mephisto

Thanks for finding the offset.  :)

Arta


MyndFyre

Quote from: UserLoser on January 10, 2005, 01:59 PM
Just hack SphtBotv3 like I did.  Go to offset 0xa3801 in your favorite hex editor and change it from a 0x74 to 0xeb

There are a couple drawbacks to that:

1.) As a solution it only works for SphtBotv3.
2.) It doesn't address the actual cause of the problem, which is that Skywing has been eaten by WoW and Yoni by the Israeli government.

iago

Somebody should point out that this is one of the problems with relying on a third party server (vL's) for authentication.  Not only is it a means of control (If you want a bot on Battle.net you HAVE to come through US), it's also a failure point if the technology isn't maintained.

If Blizzard updates one of their clients now, I wonder how long it'll take to update BNLS :)
This'll make an interesting test for broken AV:
Quote: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Kp

Bypassing a failed authorize isn't necessarily wise, as historically it's been used to disable versions which had flaws discovered.  For example, Spht found a logic bug that let anyone use setuser to grant privileges, so he changed his authorization password to force people to upgrade to a fixed version.  That said, I don't know whether this incident is a case of passwords changed intentionally, accidentally, or simple lossage by the server.  Also, be grateful I convinced UserLoser to use eb instead of 75 for the logic change. ;)
[19:20:23] (BotNet) <[vL]Kp> Any idiot can make a bot with CSB, and many do!
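
Kp's point about the authorize check, modelled as an added example (not code from this thread, from any bot, or from BNLS): a status code that the client is merely expected to honor stops only unmodified clients, while a decision kept in server-side session state holds no matter what the client does with the reply. The framing (16-bit little-endian length, 8-bit message id), the 32-bit status field, the `Session` class and the `LATER_REQUEST` id are assumptions made for the illustration.

```python
import struct

BNLS_AUTHORIZEPROOF = 0x0F          # message id given in the thread
STATUS_OK, STATUS_DENIED = 0, 1     # status values given in the thread
LATER_REQUEST = 0x7E                # hypothetical id for any post-auth request

def frame(msg_id, payload=b""):
    # Assumed framing: 16-bit LE total length, 8-bit message id, payload.
    return struct.pack("<HB", 3 + len(payload), msg_id) + payload

def parse(buf):
    if len(buf) < 3:
        raise ValueError("short frame")
    length, msg_id = struct.unpack_from("<HB", buf)
    if length < 3 or length > len(buf):
        raise ValueError("bad length field")
    return msg_id, buf[3:length]

class Session:
    """Hypothetical server-side state for one connection."""
    def __init__(self, enforce):
        self.enforce = enforce
        self.authorized = False

    def authorize_proof(self, proof_ok):
        # Record the decision on the server, then report it to the client.
        self.authorized = proof_ok
        status = STATUS_OK if proof_ok else STATUS_DENIED
        return frame(BNLS_AUTHORIZEPROOF, struct.pack("<I", status))

    def handle(self, request):
        msg_id, _ = parse(request)
        if self.enforce and not self.authorized:
            return None                      # refuse: decision stays on the server
        return frame(msg_id, b"served")

def disabled_version_served(enforce, client_honors_status):
    """Does a client whose proof fails still get service?"""
    s = Session(enforce)
    _, payload = parse(s.authorize_proof(proof_ok=False))
    (status,) = struct.unpack("<I", payload)
    if client_honors_status and status != STATUS_OK:
        return False                         # client stops on its own
    return s.handle(frame(LATER_REQUEST)) is not None
```

With `enforce=False` the outcome depends entirely on the client's own behaviour; with `enforce=True` a retired version is refused either way.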

MyndFyre

Quote from: Kp on January 10, 2005, 02:44 PM
Bypassing a failed authorize isn't necessarily wise, as historically it's been used to disable versions which had flaws discovered.  For example, Spht found a logic bug that let anyone use setuser to grant privileges, so he changed his authorization password to force people to upgrade to a fixed version.  That said, I don't know whether this incident is a case of passwords changed intentionally, accidentally, or simple lossage by the server.  Also, be grateful I convinced UserLoser to use eb instead of 75 for the logic change. ;)

Yeah I was going to point out an issue with using 75 for the logic change, but he didn't.  ;)  jnz -- what happens when the code gets fixed and goes back to zero?  Another breakage!

tA-Kane

Quote from: Kp on January 10, 2005, 02:44 PM
Bypassing a failed authorize isn't necessarily wise, as historically it's been used to disable versions which had flaws discovered.
I'd hope that anyone using this tool would know the risks involved, I certainly do.

I wrote it because SphtBotv3 stopped working, I looked on his website, didn't see any updated news, so I still downloaded it again thinking maybe he simply forgot to add news about it... and it still wasn't able to connect. So, I delved further into the problem, and it turned out that SphtBotv3 would simply stop handling BNLS packets (not disconnect or anything) after it received 0x01 in msg 0x0F. So I wrote a small workaround for it.

Of course I realize that it could be a risk if it indeed is a security "lockdown" of old versions, but I also feel that I'm willing to take that risk and subject myself to the consequences if the risk turns into a nightmare.

I'd hope that anyone else using this tool would know the risks involved.


Edit: On a side note, I had tried using JBLS to remedy the problem, and it had seemed to work. Then I tried to logon my WarCraft III account with it, and it always got stuck at the logon sequence (Specifically, I think it was the LogonProof msg that it didn't seem to like), so I figured that this would be the best alternative.

UserLoser.

I originally was going to use jmp instead by writing an HDL to use whenever this issue came about.  Turned out I figured it was just easier to modify the executable itself because the HDL was failing to hook SphtBot for whatever reason && don't know jmp off top of head (do now, though)

R.a.B.B.i.T

Quote from: tA-Kane on January 10, 2005, 03:05 PM
Edit: On a side note, I had tried using JBLS to remedy the problem, and it had seemed to work. Then I tried to logon my WarCraft III account with it, and it always got stuck at the logon sequence (Specifically, I think it was the LogonProof msg that it didn't seem to like), so I figured that this would be the best alternative.
JBLS is only the basic logon pieces of the BNLS protocol, and doesn't handle all of the packets.  This is one of the reasons some bots don't work (such as SphtBot): they require other packets before they logon.