Lockdown Checkrevisions

Ante · February 04, 2007, 04:57 PM

several weeks ago i found that there are only about 2000 different checksum formulas sent by the server. for some reason, they decided not to make it fully random.

about a week after i found that out, they increased it to about 50k-100k different checksum formulas sent by the server. it is still limited.

If they coulda done this in the first place, could someone whos got a good idea of the lockdown mpqs explain why they originally only stayed with 2000 checksum formulas?

and wouldn't it be more efficient if they made it took advantage of all values possible? (10^20-50s)

what do you think is limiting blizzard's checksum formulas?

Barabajagal · February 04, 2007, 05:01 PM

My guess is that it has something to do with making sure the values are correct, which might mean they use a database list of values that they check against.

brew · February 04, 2007, 07:57 PM

Wouldn't it be most efficient (as in acual work done by the processor) to randomly generate a checksum formula and have the server hash the expected result on-the-spot then compare it with the client? Unless, ofcourse Blizzard is just cycling through a list of checksum formulas which was randomized after being initally created. (which would explain why Ante never got a repeated checksum formula until now)

Barabajagal · February 04, 2007, 08:05 PM

That's what I thought they did at first, but how does the server hash the results? That's sort of the key, isn't it? If they have a big database, they can get the results from the game. If they have a different function that gets the same results somehow, then there's another way to crack this thing.

l2k-Shadow · February 05, 2007, 12:08 AM

Quote from: [RealityRipple] on February 04, 2007, 08:05 PM
That's what I thought they did at first, but how does the server hash the results? That's sort of the key, isn't it? If they have a big database, they can get the results from the game. If they have a different function that gets the same results somehow, then there's another way to crack this thing.

It's already been done. BNLS has been functional right after the release of new hash values by Battle.net, therefore BNLS does not use a large database, but rather has a function to calculate the correct results, or forces lockdown dlls to return the correct results.

Barabajagal · February 05, 2007, 12:15 AM

I know, bnls will return any request you give it, I've written a program that does that. the question is, is there another way to get values?

topaz · February 05, 2007, 01:27 AM

If you generate a new one all the time, it all ends up being very processor intensive. Better to just have a massive hashtable to look up every time you want a result

Hdx · February 05, 2007, 02:10 AM

you have to find the happy midpoint.
If you have 1 user connecting every second, then doing it on the fly is fine.
But if the function takes 500MS, and you have 100 people connecting every second.. it would be logical to have 2-4 'seeds' or w/e you wana call it. And have them be newly generated every 500ms or so.
It all depends on how much of a load you have both for the function and useage wise.
~Hdx

warz · February 05, 2007, 01:28 PM

hdx is right. the algorithm used by checkrevision skips through the main game files as loaded into the address space, adding segments of data to the SHA1 information. this is a hefty process to do every time a user logs into battlenet. i think ive already told you this - caching this information is nothing new. battlenet has been doing this for a while. you're not onto something, you're just running in circles. but, from a client perspective, it's fine to run through the selective memory hashing routines once every connection, since it's only being performed once.

Barabajagal · February 05, 2007, 01:32 PM

Final answer: There's no special function to get the values without memory hashes, otherwise the values would be randomly generated and the server wouldn't have a problem checking if the result was correct. It's probably a big cache database. Nothing accomplished!

warz · February 05, 2007, 02:49 PM

Quote from: [RealityRipple] on February 05, 2007, 01:32 PM
Final answer: There's no special function to get the values without memory hashes, otherwise the values would be randomly generated and the server wouldn't have a problem checking if the result was correct. It's probably a big cache database. Nothing accomplished!

No, you're completely wrong. There is a function that creates the digest values and returns them. That function is called checkrevision. And, on the server's side, I'm sure there's even a function that grabs their cached values, too!

Barabajagal · February 05, 2007, 02:52 PM

i said there is no function to get it without the memory hashes. checkrevision uses memory values from the client's memory, hashes them, runs them through a function, and returns the result string and checksum

brew · February 05, 2007, 03:14 PM

So, where are we? There's still one huge question: is there any signifcance at all to the new so-called checksum "formulas?" Or are they just originally randomly generated seed values put into a hash value with the expected checksum?

Barabajagal · February 05, 2007, 03:26 PM

Quote from: BreW on February 05, 2007, 03:14 PM
So, where are we? There's still one huge question: is there any signifcance at all to the new so-called checksum "formulas?" Or are they just originally randomly generated seed values put into a hash value with the expected checksum?

the new values are just like the old values...

brew · February 05, 2007, 05:25 PM

They are...? How would the checkrevision function parse the values within the checksum formula? I've never really looked into them... Or, better yet. Are the values within the checksum formula used at all for anything besides as a seed to be hashed with the other values of the CR?

Lockdown Checkrevisions

Barabajagal

Barabajagal

Barabajagal

warz

Barabajagal

warz

Barabajagal

Barabajagal