lockdown-IX86-XX.mpq update?

Zakath · November 01, 2006, 11:01 PM

Yes. Quite clever, actually.

Joe[x86] · November 02, 2006, 12:06 AM

No, they did use a patch. They've done it before too. They refer to it as patching on the server-side, as opposed to what is a normal "patch" to us, a clientside patch. For those who don't know (none of you?), CheckRevision is done completely independant of the game itself, except for downloading and calling it, but from a DLL downloaded over Battle.net File Transfer Protocol.

I'm not sure where my old post went, but I feel this is still constructive to ask: UserLoser, does your bot work following this patch, still?

EDIT -
If someone can get me a few packet logs of S>C 0x50, and if available, the corresponding A, B, C values for the valuestrings after decoding, that'd be nice.

Michael · November 02, 2006, 12:14 AM

You guys think war3 is next?

MyndFyre · November 02, 2006, 12:21 AM

Quote from: Joex86] link=topic=15929.msg160467#msg160467 date=1162447573]
No, they did use a patch. They've done it before too. They refer to it as patching on the server-side, as opposed to what is a normal "patch" to us, a clientside patch. For those who don't know (none of you?), CheckRevision is done completely independant of the game itself, except for downloading and calling it, but from a DLL downloaded over Battle.net File Transfer Protocol.

I'm not sure where my old post went, but I feel this is still constructive to ask: UserLoser, does your bot work following this patch, still?

EDIT -
If someone can get me a few packet logs of S>C 0x50, and if available, the corresponding A, B, C values for the valuestrings after decoding, that'd be nice.

There is no more a, b, or c value and no more valuestring. The string that used to be a value string is now a seed for a memory hash (basically).

Eric · November 02, 2006, 12:26 AM

Quote from: Joex86] link=topic=15929.msg160467#msg160467 date=1162447573]
No, they did use a patch. They've done it before too. They refer to it as patching on the server-side, as opposed to what is a normal "patch" to us, a clientside patch. For those who don't know (none of you?), CheckRevision is done completely independant of the game itself, except for downloading and calling it, but from a DLL downloaded over Battle.net File Transfer Protocol.

I'm not sure where my old post went, but I feel this is still constructive to ask: UserLoser, does your bot work following this patch, still?

EDIT -
If someone can get me a few packet logs of S>C 0x50, and if available, the corresponding A, B, C values for the valuestrings after decoding, that'd be nice.

You can't refer to an update as purely server-side if it requires updates be made on the client-side as well.

RealityRipple · November 02, 2006, 12:37 AM

So, basically the change is that it requests a value in memory and expects correct information from that memory location... Effectively destroying the ability to use hacking tools that edit memory and getting rid of bots... both seem to be temporary setbacks, since you can enable hack tools after logging in... and bots will eventually spoof this somehow (i hope)....

Also, I'm sure they'll eventually change all these over like they did for the old-new ver-ix86-# naming.

Also #2, it doesn't update on the client side. It just downloads different files than it did before. Since the files are never stored for longer than it takes to run them, they're not part of the program, thus, not updated. I guess it's actually a matter of opinion, and NOT IMPORTANT.

warz · November 02, 2006, 12:39 AM

It's an update, christ. The reason it does not require any physical changes to the game files is because they just incorporated it into the existing logon method. The a, b and c values, as well as the value string, are all gone like MyndFyre said. They took out the value string, and replaced it with this so called seed value. CheckRevision is still exported, and still called in the same manner that it used to be.

Eric · November 02, 2006, 12:43 AM

Quote from: RealityRipple on November 02, 2006, 12:37 AM
Also, it doesn't update on the client side. It just downloads different files than it did before. Since the files are never stored for longer than it takes to run them, they're not part of the program, thus, not updated. I guess it's actually a matter of opinion, and NOT IMPORTANT.

The client only downloads the checkrevision files if one does not currently exist in BNCache.dat or if the one that does exist is outdated.

RealityRipple · November 02, 2006, 12:45 AM

So we just need to spoof that CheckRevision correctly. Then if/when they change it again, we'll just wait around some more, have the same discussions on it again, and eventually spoof it correctly, too. Isn't there a more accurate way to spoof these things?

And like i said, IT'S NOT IMPORTANT IF IT'S AN UPDATE OR NOT.

RealityRipple · November 02, 2006, 01:21 AM

Some more things of note:
It would seem that No-CD cracks will no longer work, as they edit certain values in Storm.dll. These values are now checked as part of the CheckRevision, so they fail. The only way to play without a CD is with a mounted ISO.
Hacks can no longer be turned on until after you log in to Battle.net. Same reason as above.
It doesn't make sense that they'd only check on login, but it will hinder some people... SC supposedly has warden inside it now, and the new CheckRevision gets rid of the ability to disable warden through editing a value (similar to the no-cd). It follows that they most likely will update d2 and war3 soon.

It's interesting to log in and see how empty channels are...

FrOzeN · November 02, 2006, 01:55 AM

If I can throw my 2-cents in, when one of you do create a solution please don't open-source it. I'm not suggesting just keep it to yourself, but possibly hand it to trusted few or something (Hdx, Ringo, w/e). This has solved a lot of the flooding issues with battle.net and it would be nice to see that these bots do not come back.

@DeTails: ws2_32.dll is the library for Winsock 2. I'm not sure about the erroring.

Zakath · November 02, 2006, 02:10 AM

Quote from: FrOzeN on November 02, 2006, 01:55 AM
If I can throw my 2-cents in, when one of you do create a solution please don't open-source it. I'm not suggesting just keep it to yourself, but possibly hand it to trusted few or something (Hdx, Ringo, w/e). This has solved a lot of the flooding issues with battle.net and it would be nice to see that these bots do not come back.

@DeTails: ws2_32.dll is the library for Winsock 2. I'm not sure about the erroring.

Yeesh, have I been absent from the bot 'market' so long that those are the examples of "trusted few?" Eeek.

Anyways, I think most if not all of the people I expect might be able to figure this out in a timely fashion share that sentiment. Although most of them probably don't care by this point. Or it was trivial enought that they've already solved it.

FrOzeN · November 02, 2006, 02:30 AM

Quote from: Zakath on November 02, 2006, 02:10 AM
Quote from: FrOzeN on November 02, 2006, 01:55 AM
..., but possibly hand it to trusted few or something (Hdx, Ringo, w/e). ...

Yeesh, have I been absent from the bot 'market' so long that those are the examples of "trusted few?" Eeek.

Anyways, I think most if not all of the people I expect might be able to figure this out in a timely fashion share that sentiment. Although most of them probably don't care by this point. Or it was trivial enought that they've already solved it.

I specifically picked two people who I'd considered would be trusted with it, and are probably* just short of the knowledge to be able to solve this themselves.

I just think it would be best, as a community we are able to share knowledge around as well as preventing the abuse of it. I'm avoiding listing all the names who'd I'd consider as I wouldn't consider myself as someone here in the position of making that decision, as many of you would probably agree with. I'm also trying to keep it concise without making it look as if I'm thinking too far ahead as we don't currently* have that knowledge, just trying to assure when it is attained that it doesn't popup everywhere suddenly and then lead to abuse.

warz · November 02, 2006, 03:33 PM

This thread went from being interesting, and productive, to being horribly off-topic and wasteful.

To get this back on the right track, anyone have some sample seed values to be passed to CheckRevision?

topaz · November 02, 2006, 05:11 PM

Quote from: warz on November 02, 2006, 03:33 PM
To get this back on the right track, anyone have some sample seed values to be passed to CheckRevision?

I answered your question before you asked it

"\xff\xbe'\xb2\x8ft\x8e-\x9c\xb0\xd2^\xd6\x9f@\xc3"

Edit:

and here's some more, and the MPQ it corresponds to:

\x90_&}^\x1a\xd2\xcc\x1d6\xa9\xa7~o3] lockdown-IX86-02.mpq
\xd5\xf3\xf8G\xac)&\x04\xdd@\x98OS\xd1e\x1a lockdown-IX86-08.mpq
\xba}\xce\x01\x83\xb5\xe1\xec\x04u\xd3g\xcd\xb0S\xf6 lockdown-IX86-02.mpq
\xa9\x8c\xf7\xf7\xdbYu\xafdb\x8f\xdbt\xb7+ lockdown-IX86-04.mpq
\xf5\xaa\x9eTpv\xbe0\xd3\xeca\xbe\xb75\x9a\xca lockdown-IX86-12.mpq
\xef\xfc\xbc\xe1\xa1#\xbef)s|x`B\xd7\xcf lockdown-IX86-04.mpq
\x0f\xd6\xbd\xfb\x93\x0c\t\xf9r\x82\x10g\xaa\xca\xbfl lockdown-IX86-02.mpq
\xdc\x85\x06\x13a\xb9\xdf\xce\\v\x82\xf0}\x05\xbe\xc4 lockdown-IX86-18.mpq