0x53/0x53 BNCSutil

Started by Hdx, March 09, 2005, 02:07 AM


Hdx

Well, I decided to dink around with BNCSutil.

I have been switching my bot from BnetAuth to BNCSutil one protocol at a time. The place I am stuck at is 0x54.
Here is how I send 0x53, and it gets accepted by BNCS:
Public Sub Send0x53(Index As Integer)
    Dim Pointer As Long, Buff As String
    ' Create a new NLS (SRP) session for this account
    Pointer = nls_init(Config(Index).Username, Config(Index).Password)
    If Pointer = 0 Then
        AddChat Index, vbRed, "[BNET] Failed to initialize NLS functions in 0x53 C->S. Bot Disconnecting."
        Bots(Index).mnuDisconnect_Click
        Exit Sub
    End If
    ' nls_get_A writes the 32-byte client public value A into the buffer
    Buff = String(32, vbNull)
    Call nls_get_A(Pointer, Buff)

    PBuffer.InsertNonNTString Buff
    PBuffer.InsertNTString Config(Index).Username
    PBuffer.SendPacket Index, &H53

    ' Release the session as soon as the packet is sent
    nls_free Pointer
End Sub


I receive 0x53 back, with a status of 0x00 (accepted):
Case &H53
    Select Case .removeDWORD
        Case &H0 ' status 0x00: account found, logon continues
            ' Arguments are evaluated left to right: first the 32-byte salt, then the 32-byte server key (B)
            Call Send0x54(Index, .removeVOID(32), .removeVOID(32))
    End Select

Note: I have all the other cases in there also.

The .Remove functions are from the stupid little packet remover class I made.
The two .RemoveVOID() calls remove both the Salt and the Server Key (respectively), having removed the header and the status beforehand.

I use this Sub to send my 0x54 packet:
Public Sub Send0x54(Index As Integer, S As String, B As String)
    Dim Pointe As Long, Buf As String
    ' A fresh NLS session is created here, separate from the one used in 0x53
    Pointe = nls_init(Config(Index).Username, Config(Index).Password)
    If Pointe = 0 Then
        AddChat Index, vbRed, "[BNET] Failed to initialize NLS functions in 0x54 C->S. Bot Disconnecting."
        Bots(Index).mnuDisconnect_Click
        Exit Sub
    End If

    ' nls_get_M1 writes the 20-byte client proof M1 from the server key B and the salt
    Buf = String(20, vbNull)
    Call nls_get_M1(Pointe, Buf, B, S)

    PBuffer.InsertNonNTString Buf
    PBuffer.SendPacket Index, &H54

    nls_free Pointe
End Sub


As you can see, it passes the Salt and Server Key to the sub as strings, and then just passes those strings to the BNCSutil API call.

Here is a packet log of the two packets. (It has a few others in it, but you can tell which is which):
9  192.168.0.11:3268  63.241.83.13:6112  54  Send 
0000  FF 2D 04 00 FF 53 32 00 A7 7B DE 9A 9B 61 29 91    .-...S2..{...a).
0010  F5 0A 5B D1 D6 62 AF B1 F4 38 7C DB 9D 3E D6 AD    ..[..b...8|..>..
0020  80 5F 2B FC 13 4B 60 16 48 64 78 45 76 69 6C 46    ._+..K`.HdxEvilF
0030  69 72 65 32 37 00                                  ire27.

10  63.241.83.13:6112  192.168.0.11:3268  27  Recv 
0000  FF 2D 1B 00 00 64 37 BB 78 DD C4 01 69 63 6F 6E    .-...d7.x...icon
0010  73 2D 57 41 52 33 2E 62 6E 69 00                   s-WAR3.bni.

11  63.241.83.13:6112  192.168.0.11:3268  72  Recv 
0000  FF 53 48 00 00 00 00 00 7B 13 41 1B FA 58 CA 29    .SH.....{.A..X.)
0010  B2 7D 15 74 A6 F7 6B 9D 3E E9 41 B1 56 D9 7F 9F    .}.t..k.>.A.V...
0020  36 9A 2A A6 E1 79 86 37 D1 F4 46 73 8D 6A A2 40    6.*..y.7..Fs.j.@
0030  08 A7 80 11 C3 44 78 5E 80 63 D6 D2 B2 BB 19 93    .....Dx^.c......
0040  90 08 54 4D 8B 30 B5 50                            ..TM.0.P

12  192.168.0.11:3268  63.241.83.13:6112  24  Send 
0000  FF 54 18 00 A4 45 93 23 D0 69 80 2E 05 6A BD 55    .T...E.#.i...j.U
0010  02 0F E7 24 1E CC 64 C2                            ...$..d.

13  63.241.83.13:6112  192.168.0.11:3268  28  Recv 
0000  FF 54 1C 00 02 00 00 00 00 00 00 00 00 00 00 00    .T..............
0010  00 00 00 00 00 00 00 00 00 00 00 00                ............


Do any of you have any suggestions as to what I might be doing wrong?

Oh, and while doing this, I found the new WC3 patch actually did change the VerHash, yet Bnet still allows for inaccurate VerHashes. So does that actually do anything, or is it there just as an extra bit of information? (I'm still looking for a way to get the VerHash in VB myself, not using a hashing library.)

So can anyone enlighten me as to my errors? (Besides the fact that VB = lame; I get that a lot, so please don't do it.)
~-~(HDX)~-~

Proud host of the JBLS server www.JBLS.org.
JBLS.org Status:
JBLS/BNLS Server Status

iago

If you're looking for information on how BNCSUtil works for War3 login packets, have a look at:
http://www.javaop.com/~iago/SRP.html

Or at the appropriate sections of BNetDocs.
This'll make an interesting test for broken AV:
Quote: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


NetNX

Make sure you get the upgraded version :)

<3 BNCSUtil

If it's not on the site yet, msg me on AIM when I get home and I'll send ya it ~_^

Hdx

Well, I'm using 0.2.3, which is the latest. So I dunno. Anyone got suggestions?

NetNX

I've been talking to Eric about an example but he seems less than enthusiastic to provide one :-/ I'll beg him again today ~_^

Hdx

The example that he posted showed me what I was doing wrong. I misunderstood the nls_init() function. I was creating a new pointer for each packet. Simply initializing the pointer on 0x53 C->S and then clearing it on 0x54 C->S fixed it :)

Now I have successfully made my bot use ALL login types using local hashing (including spawns, sharewares, and non-CD-keyed products).
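As an added example (not BNCSutil's or Hdx's code), here is an SRP exchange in the shape the NLS calls wrap, showing the failure Hdx hit: the public value A sent in 0x53 and the proof M1 sent in 0x54 are both derived from one secret ephemeral, so a second nls_init before 0x54 yields a proof the server rejects. It assumes the RFC 5054 1024-bit group, SHA-1 and a simplified M1 rather than Battle.net's own N, g and hash layout, so its bytes will not match a real server.

```python
import hashlib
import secrets

# Assumption: RFC 5054 1024-bit SRP group, not Battle.net's NLS constants.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2

def H(*parts: bytes) -> bytes:
    return hashlib.sha1(b"".join(parts)).digest()

def nb(x: int) -> bytes:                      # fixed-width big-endian encoding
    return x.to_bytes((N.bit_length() + 7) // 8, "big")

def bi(b: bytes) -> int:
    return int.from_bytes(b, "big")

k = bi(H(nb(N), nb(g)))                       # SRP-6a multiplier

def private_x(user: str, pw: str, salt: bytes) -> int:
    return bi(H(salt, H(f"{user}:{pw}".encode())))

class NlsSession:
    """The per-logon state that lives behind BNCSutil's nls_t pointer."""
    def __init__(self, user: str, pw: str):
        self.user, self.pw = user, pw
        self.a = secrets.randbelow(N - 2) + 1   # secret ephemeral, chosen once
        self.A = pow(g, self.a, N)              # public value sent in 0x53

    def get_M1(self, salt: bytes, B: int) -> bytes:   # role of nls_get_M1
        u = bi(H(nb(self.A), nb(B)))
        x = private_x(self.user, self.pw, salt)
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        return H(nb(self.A), nb(B), H(nb(S)))   # simplified proof: H(A, B, K)

def server_challenge(A: int, v: int):
    """Server side of 0x53/0x54: returns B and the M1 it will accept."""
    b = secrets.randbelow(N - 2) + 1
    B = (k * v + pow(g, b, N)) % N
    u = bi(H(nb(A), nb(B)))
    S = pow(A * pow(v, u, N) % N, b, N)
    return B, H(nb(A), nb(B), H(nb(S)))

def logon(reinit_before_0x54: bool) -> bool:
    user, pw, salt = "hdx", "hunter2", bytes(range(32))   # constructed credentials
    v = pow(g, private_x(user, pw, salt), N)              # verifier stored at account creation
    session = NlsSession(user, pw)                        # nls_init before 0x53
    B, expected = server_challenge(session.A, v)          # server's 0x53 reply: salt and B
    if reinit_before_0x54:
        session = NlsSession(user, pw)                    # the bug: new a, so A no longer matches
    return session.get_M1(salt, B) == expected            # server's verdict on 0x54
```

The 0x54 reply in Hdx's log (status 0x02) is exactly what `logon(True)` models: the server computed its expected proof from the A it saw in 0x53, while the client's M1 came from a different ephemeral.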

NetNX

Hdx, this is Zac ("Grim Reaper Ice"). If you have successfully hashed all clients including spawns, can I see what you have for hashing on your 0x36? (I've been trying to get that for a while without the use of another hashing library :-/) Oh well ~_^ <3 Hdx

iago

BNCSutil is opensource, just find the sourcecode for it.


shadypalm88

Quote from: NetNX on March 11, 2005, 09:35 AM
Hdx, this is Zac ("Grim Reaper Ice"). If you have successfully hashed all clients including spawns, can I see what you have for hashing on your 0x36? (I've been trying to get that for a while without the use of another hashing library :-/) Oh well ~_^ <3 Hdx
I've already told NetNX/Zac this, but for the benefit of others, BNCSutil's kd_calculateHash and CDKeyDecoder::calculateHash functions only generate hashes for SID_AUTH_CHECK (0x51, for people who like the numbers), not for SID_CDKEY2 (0x36). The information put into the hash is different between the two (I think SID_AUTH_CHECK just uses an extra zero DWORD).

Anyway, I came up with a suggestion for VB users who really want to use SID_CDKEY2 (I don't really think C users should have any trouble). Have a look at the BnetDocs for SID_CDKEY2, where you'll find the list of things, in order, that are used to figure the CD-key hash. Make a new packet buffer and add the things to it. Then just run the buffer through calcHashBuf, something like this:

Dim Hash As String * 20 ' note the * 20 allocates 20 bytes for Hash (SHA-1 size output)
' ... insert the stuff into the packet buffer, in the order BnetDocs lists for SID_CDKEY2 ...
Call calcHashBuf(Buffer.GetData(), Buffer.GetLength(), Hash) ' Hash now holds the CD-key hash

Where Buffer.GetData() gets the contents of the packet buffer and Buffer.GetLength() gets the length of the contents (obviously Len(Buffer.GetData()) would also work).