An Old Idea (Open Battle.net)

[shout]

The idea is nice, kinda like communsim on paper. But it is most likely not possible in real life. For one thing, you are giving out illegally obtained keys. For another, abuse is never totally prevented by something like that. I just think there is no possible way to do that.

[CrAz3D]

If people donate them, would it still be illegally obtained?

Maybe he could get cash donations & go buy the games over & over

[Lenny]

I guess I'm somewhat confused -- is this a BNCS emulator, or a gateway to allow people to illegally connect to Battle.net?

Even if it served as nothing more than a key repository, it'd be a collection of valid CDkeys which could be used to install illegal copies of the game(s) for which keys are hosted.

Someone would have to manually implement it into the client somehow.  My system uses the strengths of hashing to prevent key theft.  The user sends the proper seed values for the hashing and the server sends back the hash of a key, not the key itself.  The hash cannot be reversed.   

[Topaz]

Which would involve the only possible hashing algorithm available that can do that: SHA-1. That would ALSO involve 2^69 operations, so...its a bit complicated.

[Lenny]

Well, I'll just point out that this is a splendid recipie for eliciting a DMCA takedown.

Assuming that it were offered for public use, such a system would be patently illegal. It would even be illegal here, and we have reasonable legislation!

Well, I haven't fully considered the ethics of my system.  But it doesn't enable clients to connect to battle.net, it allows chat emulators to.  I'm not enabling users to use pirated software. 

[iago]

Just a comment, it's actually easy to reverse the SHA1 on cdkeys.  The reason is, cdkeys have a very limited value (numerical integers).  You wouldn't be so much reversing the hash as brute forcing it.  Either way, it's easy to obtain keys from hashes.

[Soul Taker]

Just a comment, it's actually easy to reverse the SHA1 on cdkeys.  The reason is, cdkeys have a very limited value (numerical integers).  You wouldn't be so much reversing the hash as brute forcing it.  Either way, it's easy to obtain keys from hashes.

I believe K showed some proof-of-concept on this a long time ago.

[Kp]

Well, I haven't fully considered the ethics of my system.  But it doesn't enable clients to connect to battle.net, it allows chat emulators to.  I'm not enabling users to use pirated software.

You aren't providing it to unmodified clients, but it'd be relatively easy to put an emulator on battle.net via your system, watch it log in, and capture the key that it used.  Then install the game with that key.  Voila, (potentially) pirated install with a working cdkey.

Just a comment, it's actually easy to reverse the SHA1 on cdkeys.  The reason is, cdkeys have a very limited value (numerical integers).  You wouldn't be so much reversing the hash as brute forcing it.  Either way, it's easy to obtain keys from hashes.

To expand on this: Starcraft keys are composed of three parts: the number 1 (a product ID), the key's magic number (which is sent in the clear), and the key's secret number (which is obfuscated by the hash).  There is a relation between the magic and secret numbers, which afaik no one has ever published (if it's even known outside of Blizzard).  The server validates the key by computing what the secret should be based on your magic, then checks to see if it gets the same hash as you did.  If it did, you and it agreed on the secret.

Why is this a problem for a scheme like Lenny's?  All secret numbers are in the range [0, 1000], so it only takes ~1000 trials to learn the secret that was used to generate a given hash.  The time required for that on a modern processor is trivial, so as iago said, you can easily brute force the secret.

[K]

Just a comment, it's actually easy to reverse the SHA1 on cdkeys. The reason is, cdkeys have a very limited value (numerical integers). You wouldn't be so much reversing the hash as brute forcing it. Either way, it's easy to obtain keys from hashes.

I believe K showed some proof-of-concept on this a long time ago.

Maybe not the same thing.  What I showed was that given the client token, server token, hash and public key value it takes very little time to brute force the private value.  Once you have those values it's really just a matter of encoding a cd key from them, which I never bothered to do.

[Lenny]

Was an interesting idea though...

That's all I can say 

[FrOzeN]

Maybe you could setup a website where each user who wants to use the system has to register. Then went they use this system to login to battlenet they have to provide BnetUsername/Password WebsiteUsername/Password.

That way if the key that they login with becomes muted/banned by them you can suspend there account until they provide you with a working cd-key in-replace of the one they muted/banned.

Also you could limit each Registered user to login a maximum of 1 account online at a time, but you would have to make it difficult for people to register and make it check there IP Authenticity and maybe make them provide a key?

Just giving some ideas to help with this

[QwertyMonster]

Or you could make it so, if they get a banned / muted cdkey, they can then email the cdkey and the problem with it and you will send a working one back.

And this couldnt be a scam for cdkeys, because the person would test the cdkey they gave them to see if it is actually banned or muted.

I still think my idea is better. But Fr0z3n's is just at the same standard. Binding our 2 ideas together and other peoples for adding touches, would make it actually pretty good tbh. But hey, this is my idea. 

[Kp]

Maybe you could setup a website where each user who wants to use the system has to register. Then went they use this system to login to battlenet they have to provide BnetUsername/Password WebsiteUsername/Password.

That way if the key that they login with becomes muted/banned by them you can suspend there account until they provide you with a working cd-key in-replace of the one they muted/banned.

Also you could limit each Registered user to login a maximum of 1 account online at a time, but you would have to make it difficult for people to register and make it check there IP Authenticity and maybe make them provide a key?

This really wouldn't scale well at all.  You'd need to check that the key they provided was not banned at the time it was provided, or else they'd have free service in the interim.  You can suspend their account with this service, but how do you avoid that they change their BNCS password regularly and randomly?  If they did, you'd have no way of suspending that, so they'd be out the sign-up key and no more.

[Archangel]

Well, actually if they are "donating" a key, why not just make the user use the key he donated?.

[vuther.de]

Hm, this might sound stupid to ya'll, but you could let each person have 1 account, and on their one account, they could put however CDKeys they wanted, and they would be the only ones that would use them, that way they wouldn't have to put in a CDKey to connect to Battle.net. That way if a CDKey is banned, it would be their bust not yours. You could also have a remove/add cdkey function so that the account could add/remove cdkeys. You would also have to have it as any client, so you would add the cdkey something like: CDKey/Product (ie: BMK6MPDBVZC2RCCERVV4JRBTKJ/3RAW)
This is what I would do If I wanted to create something like this.