Clearing some things up...?

GoaL · February 01, 2007, 01:49 AM

Well, I try to keep my self updated with the current ideas and solutions to Blizzards constant battle against us rogue programmers, that continue to play tit for tat with them. However the recent solutions confuse me, to my knowledge there is only 3 solutions:

BNLS (Obvious)
A Connection Caching Databae (Which to my knowledge was fooled, but the way I understood it, they only added a few thousand more values, is that true or is this been completely patched out)
"warz"'s fix (Calling the data right out of the files themselves with some API calls, but I was told this was a theroy not a reality..)

I'm just looking for some clarification on what all is going on. I've been learning C#, and am awaiting MyndFyre's additon of BNLS to MBNCSUtil, however if there is a non-bnls solution, I would like to incorporate it into my projects. Thanks for anything you can tell me.

MysT_DooM · February 01, 2007, 09:32 AM

the database still works fine.

also i dont think warz fully reversed lockdown. you can check his website, i still think it has his research on it.

Smarter · February 02, 2007, 02:19 PM

Ok, my name is fixed now (Goal Here), which database is the most complete? Also, I only see usage sources out in VB... Porting isn't my special, lol.

l2k-Shadow · February 02, 2007, 07:57 PM

all you have to do is see how the file is arranged.. then you can write your own buffer for processing queries.

Ante · February 03, 2007, 12:33 PM

Quote from: GoaL on February 01, 2007, 01:49 AM

A Connection Caching Databae (Which to my knowledge was fooled, but the way I understood it, they only added a few thousand more values, is that true or is this been completely patched out)

it's been completely patched out. a friend of mine tested (on the 19th or something of january) all of the 1998 values that were logged by me (on the 6th to 9th of january) and converted to better form by hdx (on around the 14th).
of several thousand connection attempts, none were in the database of 1998 checkrevisions. this was done without the use of bnls.
this shows that bnet either switched the values to anotehr 2000, or made it fully random

MysT_DooM · February 03, 2007, 12:51 PM

no it hasnt been completely patched out.
Clicky

Ante · February 03, 2007, 02:29 PM

hm...if it works, does anyone have at least 50% of the checkrevisons?

unless connections are done en masse, logging them would be way too slow...

MysT_DooM · February 03, 2007, 02:31 PM

Quote from: Ante on February 03, 2007, 02:29 PM
hm...if it works, does anyone have at least 50% of the checkrevisons?

yes people do

Ante · February 03, 2007, 02:36 PM

if someone has it, could they post a link?

MysT_DooM · February 03, 2007, 02:49 PM

Quote from: Ante on February 03, 2007, 02:36 PM
if someone has it, could they post a link?

No, they shud keep it to themselves

Hell-Lord · February 03, 2007, 05:29 PM

http://rcb.realityripple.com/CREV/list.php

this should help

brew · February 03, 2007, 06:51 PM

hey guys, i'm back ;]
and no, topaz im not deleting my account again sorry

Okay, we know even if we do "collect" all the possible checksums we need, blizzard is just one click away from screwing it up on us again. This is a very, bad temporary solution seeing how they added a much larger amount of possible checksum "formulas". This was obviously directed torwards bots, because it was patched literally 2 days after all these checkrevision database .dlls or .ocxes started popping up. It seems the only (semi) permanent solution for the lockdown mpqs is to acually solve it. I just came up with this idea, a little while ago. Probably someone more experienced in reverse engineering can get the specifics.... But, the checkrevision is a function. And some value must be passed to it, such as a hash of the memory. This memory hash MUST be the exact same for every call of the checkrevision function (must be confirmed because of blizzard's new required work mpqs) since the bits of memory taken in account for are the same for every patch, and this value is passed to the mpq specific function which is then hashed with the checksum formula and then creates a viable value for the checksum, which blizzard's server calculates then compares your reported checksum with it's value. If it is the same, you pass. Different, you phail. So what I'm basically trying to say, is that someone with much experience with reverse engineering should be able to pull a value out, namely the one being passed to checkrevision then use the mpq's formula to calculate it then send to bnet. Correct me if I'm wrong with any of this.

Also please note, this ever growing collection of the checkrevision data is what Ante previously referred to as "brute forcing" the checkrevision, and had received bad publicity from vL-types in the past. I have no clue why you people are supporting it in lieu of a permanent and certainly more intelligable solution.

Barabajagal · February 03, 2007, 06:59 PM

Two problems:
1) the checksum hash is derived from memory values of (publicly) unknown size. if you do reverse the function and find out what memory it reads and hashes, that memory will have to be stored, and changed whenever a new update for a client comes out (similar to hash files of old).
2) once we reverse it, blizzard's just gonna release lockdown 2.0, or something worse. If they ever enforce perfect emulation in all forms, most all the bots are gonna be screwed, since most people don't even call SID_CHECKAD.

brew · February 03, 2007, 07:09 PM

1). I ment to also state this, but forgot. Yes, I know it would need to be re-fixed every patch, but that's what we had to do with what we called hash files in the past also, except this is "different" in some ways. In time, we will be able to find an easier way to retrieve this value. And yes, it may be varible length but don't forget some debuggers have advanced options to find values such as that. For now, I'm assuming it is 32 bits.
2). If Blizzard does enforce complete emulation, it wouldn't matter. All bots would have to evolve, along with the rest of Battle.net itself. And please, don't forget they hound these forums like dogs and you certainly don't want to give blizzard any new ideas, do you :]

My point is, we can't use BNLS for everything. Skywing should indeed release his way of formulating the checksum. There is no harm in it. And as for "massload" bots, they have been getting around fine using BNLS so far. Releasing the solution won't effect much but make bot development as a whole much easier.

Barabajagal · February 03, 2007, 07:15 PM

You can get the values yourself by running the game and spoofing the server. I've done so many times. It's how I get values for my online cache database for games that BNLS doesn't support. I don't know how Skywing does BNLS, but he could be doing the same thing using VMWare or something of the sort, or spoofing the games some other way without having the actual function.
Also, I highly doubt blizzard hasn't thought of almost any new ideas we have regarding their system. They just wait for us to catch up to them so they can push our faces in the mud and run ahead again.

NP topaz.

Clearing some things up...?

GoaL

Barabajagal

Barabajagal