• Welcome to Valhalla Legends Archive.
 

Newest MBNCSUtil bits

Started by MyndFyre, October 09, 2007, 02:46 AM

Previous topic - Next topic

MyndFyre

This is not an official release.

I'm not quite sure that anyone wants these yet, but here's the latest info on MBNCSUtil.....

I've finally gotten around to working on Lockdown.  I'm about 70% complete porting the C code from rob into C#.  Presently, this *only* works with unsafe code, because there is a LOT of pointer math going on, and I'm way too lazy to move over to streams when I can just do the pointer math. :)

There's still a lot to be learned for anyone who might be interested - primarily in working with unmanaged memory, using unmanaged pointers to access structure data, and the like. 

It's now hosted on subversion, at https://svn2.hosted-projects.com/robpaveza/mbncsutil.  You can check out the code anonymously with the username mbncsutil_anonymous, no password.  There is also a Trac wiki online with access to post tickets, view the project roadmap and browse source; it's located at https://www2.hosted-projects.com/trac/robpaveza/mbncsutil.  There is also a subversion browser integrated into Trac, if you've never used it.
(You can log in with the same username).

New items in the latest bits include the /Util folder, an entirely-internal namespace dealing with the involved processing and unmanaged memory use.  Additionally, COM support has been removed officially from version 2.0 of MBNCSUtil - it was primarily meant as a learning experience for me, and I learned what I wanted to learn.  Finally, if anyone had used a prior beta of MBNCSUtil v2.0, the BnFTP namespace has been renamed to Net, so you now create MBNCSUtil.Net.BnFtpVersion1Request.

MPQ support is currently missing from the bits online, but will be there by the weekend.

If you would like to contribute to this project, please contact me with your experience and what you think would be relevant.

By the way: you may notice that 'rob' checked in these files.  That's me, not the other rob on the forum. :)
QuoteEvery generation of humans believed it had all the answers it needed, except for a few mysteries they assumed would be solved at any moment. And they all believed their ancestors were simplistic and deluded. What are the odds that you are the first generation of humans who will understand reality?

After 3 years, it's on the horizon.  The new JinxBot, and BN#, the managed Battle.net Client library.

Quote from: chyea on January 16, 2009, 05:05 PM
You've just located global warming.

Smarter

I of course am probably the most interested, and would love to help... but we both know I have nothing to offer lol ... I must say that Trac/SVN is quite nice!
Since '99

BrutalNet.Net

UserLoser

#2
Quote from: MyndFyre[vL] on October 09, 2007, 02:46 AM
If you would like to contribute to this project, please contact me with your experience and what you think would be relevant.

Perhaps I can contribute my patcher code...  I've had the code reversed now for probably almost two years just sitting there doing nothing.  Supports patching versioncheck files.  If someone implements a system to download the latest MPQ, they could run my patcher and automatically patch game files so they don't have to go out of their way to get them.  As far as the version code, that still has to be bruteforced (but most clients it increments by 1 if at all)

Works for everything except the latest Warcraft III patches--I never finished the final function on that.

Only thing is, this code will not be allowed to be public/open source for numerous reasons

Camel

The version byte increments at every major version update, not at minor version updates.

A safe way to predict version bytes is to take the original version byte and add the major version number.

UserLoser

Or better yet I can release a standalone DLL, which'll be super-encrypted & scrambled.

devcode

Quote from: UserLoser on October 09, 2007, 05:32 PM
Or better yet I can release a standalone DLL, which'll be super-encrypted & scrambled.
The noobs won't be bothered with reversing your DLL and the pros who can unpack/decrypt your DLL would find it easier to go through the 1st hand work themselves, so imo, it's pointless.

MyndFyre

#6
Anyone wanting to take a fun crack at fixing this, the lockdown implementation is completed, but not working.  (For those of you wishing to point out the irony in that statement, I mean that it doesn't crash, but it also doesn't result in the correct value).

The good news is that I seem to clean up all my pointers and the like. 

I'm testing againt rob's code (posted here).  Here's what he gets:

Lockdown file: c:\GameFiles\STAR\lockdown-IX86-08.dll
Checksum: 7afbfff8
Version: 10f0100
Digest: ead0367b2ce7f080b0cbe2f573d3c713

Here's what I get:
Checksum: a5d6cf16
Version: 010f0100 (correct)
Digest: d0 b7 d9 d7 15 6a 73 69  48 3f 3e 33 53 8d 85 87

I corrected a TON of errors in Sha1Transform() but that was just on the first pass of Sha1Update().  I haven't gotten to look at too much else; I've been working on this WAY too late.

Stuff can be checked out at the SVN repo listed above - be sure to check out both /trunk and /branches.  If you correct it, please compile a .patch and let's see what you have!

Trac Ticket with all details: https://www2.hosted-projects.com/trac/robpaveza/mbncsutil/ticket/6
QuoteEvery generation of humans believed it had all the answers it needed, except for a few mysteries they assumed would be solved at any moment. And they all believed their ancestors were simplistic and deluded. What are the odds that you are the first generation of humans who will understand reality?

After 3 years, it's on the horizon.  The new JinxBot, and BN#, the managed Battle.net Client library.

Quote from: chyea on January 16, 2009, 05:05 PM
You've just located global warming.

MyndFyre

#7
I've now gotten mine and rob's code to return the same values for the above values.  Now I'm getting vercheck 0x0101 INVALID_VERSION from SID_AUTH_CHECK.  Here's a packet capture with my cd key info removed:

D:\MBNCSUtil\mbncsutil\branches\ConnectionTest\bin\x86\Debug>connectiontest
0000   ff 50 3a 00 00 00 00 00  36 38 58 49 52 41 54 53    ÿP:.....68XIRATS
0010   d1 00 00 00 09 04 00 00  ac 14 01 86 00 00 00 00    Ñ.......¬.......
0020   00 00 00 00 53 55 6e 65  55 53 41 00 55 6e 69 74    ....SUneUSA.Unit
0030   65 64 20 53 74 61 74 65  73 00                      ed States.

Received ping challenge b85ceaa8
Received:
0000   00 00 00 00 ea a2 8a 01  9b b0 1a 00 00 ac d0 d2    ....ê¢...°...¬DO
0010   72 fc c6 01 6c 6f 63 6b  64 6f 77 6e 2d 49 58 38    rüÆ.lockdown-IX8
0020   36 2d 31 30 2e 6d 70 71  00 16 6e 70 d5 4d 59 e9    6-10.mpq..npOMYé
0030   83 0b 40 56 aa 82 bd 39  b3 00                      ..@Vª..9..

Enter CD key:
*************
Sending:
0000   ff 51 68 00 57 a4 78 58  00 01 0f 01 f1 76 93 1e    ÿQh.W☼xX....ñv..
0010   01 00 00 00 00 00 00 00  0d 00 00 00 01 00 00 00    ................
0020   ** ** ** ** 00 00 00 00  ** ** ** ** ** ** ** **    ****....********
0030   ** ** ** ** ** ** ** **  ** ** ** ** 73 74 61 72    ************star
0040   63 72 61 66 74 2e 65 78  65 20 37 2f 31 39 2f 30    craft.exe 7/19/0
0050   37 20 30 32 3a 33 30 3a  30 36 20 31 32 32 30 36    7 02:30:06 12206
0060   30 38 00 42 6c 61 68 00                              08.Blah.

Received: 00000101 (InvalidVersion)


Trac ticket: https://www2.hosted-projects.com/trac/robpaveza/mbncsutil/ticket/7
QuoteEvery generation of humans believed it had all the answers it needed, except for a few mysteries they assumed would be solved at any moment. And they all believed their ancestors were simplistic and deluded. What are the odds that you are the first generation of humans who will understand reality?

After 3 years, it's on the horizon.  The new JinxBot, and BN#, the managed Battle.net Client library.

Quote from: chyea on January 16, 2009, 05:05 PM
You've just located global warming.

Barabajagal

Uhm... ya, the exe info you're sending... "starcraft.exe 7/19/07 02:30:06 1220608"... shouldn't that be the CheckRevision result instead?

K

Wouldn't it have been more practical to remove your plain text CD key along with the hashed, decoded value? :P

brew

#10
how true :P
Thanks for the cdkey, mynd? And you aren't sending the proper exe info string.
The function should be something like this:

...
SHA1Update(&context, (const unsigned char *)"\x01\x00\x00\x00", 4);
SHA1Update(&context, (const unsigned char *)"\x00\x00\x00\x00", 4);
unsigned char dblhash_result[20];
double_hash(&context, dblhash_result);
memmove(&out_checksum, dblhash_result, 4);
unsigned int ret = 17;
if(!finish((unsigned char*)out_digest, &ret, dblhash_result + 4, 16))
return 10;
...

int finish(unsigned char *arg_output, unsigned int *arg_output_length, unsigned char *arg_heap, int arg_10h) {
unsigned char *var_output_byte = arg_output;
int var_return_value = 0, var_iterations1 = 0;
for(var_return_value = 1; 1; var_iterations1++) {
int var_heap_index = arg_10h;
if(!var_heap_index)
break;
do {
if(*(arg_heap + var_heap_index - 1) != 0)
break;
arg_10h = var_heap_index;
} while(var_heap_index--);
if(!var_heap_index)
break;
unsigned long eax = 0;
unsigned long var_unknown_0C = 0;
for(var_unknown_0C = 0; 1; eax = var_unknown_0C) {
var_heap_index--;
unsigned long cx = *(arg_heap + var_heap_index) & 0xFFFF;
eax = (eax << 8) + (cx & 0xFFFF);
unsigned long var_modified_heap_byte = eax;
finish_sub(&var_modified_heap_byte, &var_unknown_0C);
*(arg_heap + var_heap_index) = var_modified_heap_byte;
if(var_heap_index <= 0)
break;
}
if(var_iterations1 < *arg_output_length) {
            *var_output_byte = var_unknown_0C + 1;
} else {
var_return_value = 0;
}
var_output_byte++;
}
arg_output_length = (unsigned int*)(var_output_byte - arg_output);
return var_return_value;
}

unsigned long finish_sub(unsigned long *arg_one, unsigned long *arg_two) {
unsigned long edi = *arg_one;
unsigned long esi = *arg_two;
unsigned long eax = (edi & 0xffff);
unsigned long ecx = (eax & 0xff00) >> 8;
unsigned long edx = (eax & 0xff);
ecx += edx;
SET_MASKED_BITS(edx, 0xff, (ecx & 0xff));
ecx = ecx >> 8;
ecx += edx;
bool cf = false;
if((ecx & 0xff) == 0xff)
cf = true;
SET_MASKED_BITS(ecx, 0xff, ((ecx + 1) & 0xff));
if(!cf)
SET_MASKED_BITS(ecx, 0xff, ((ecx - 1) & 0xff));
eax -= ecx;
bool zf = false;
unsigned char ah = (unsigned char)(eax & 0xff00) >> 8;
if(ah == 0xff) {
SET_MASKED_BITS(eax, 0xff00, 0x0100);
} else {
SET_MASKED_BITS(eax, 0xff00, 0x0000);
}    
SET_MASKED_BITS(eax, 0xff, ~((eax) & 0xff) + 1);
*arg_one = (eax & 0xffff);
*arg_two = (ecx & 0xffff);
return *arg_one;
}


@Reality: Be careful with your terminology. The CheckRevision's actual result should be the boolean of the function's success. :/ This is the exe's info. (not really anymore, but a hash that takes the place of it)
<3 Zorm
Quote[01:08:05 AM] <@Zorm> haha, me get pussy? don't kid yourself quik
Scio te esse, sed quid sumne? :P

MyndFyre

Quote from: Andy on October 11, 2007, 04:20 PM
Uhm... ya, the exe info you're sending... "starcraft.exe 7/19/07 02:30:06 1220608"... shouldn't that be the CheckRevision result instead?

Thanks.  Yeah, no official clients installed.  I wondered what the point of the digest was since it didn't seem to get included in the result based on the packet documentation.
QuoteEvery generation of humans believed it had all the answers it needed, except for a few mysteries they assumed would be solved at any moment. And they all believed their ancestors were simplistic and deluded. What are the odds that you are the first generation of humans who will understand reality?

After 3 years, it's on the horizon.  The new JinxBot, and BN#, the managed Battle.net Client library.

Quote from: chyea on January 16, 2009, 05:05 PM
You've just located global warming.

Barabajagal

No, the result is what I call the exe value. The return is the function's success.

MyndFyre

MBNCSUtil v2.0.3.15 Beta 1 is now available at release.  Here are the release notes:


  • Lockdown CheckRevision is now supported for Starcraft and Warcraft II: Battle.net Edition. This is a pre-release version of MBNCSUtil 2.0 that previews the MPQ, BnFTP, and Lockdown Checkrevision functionality of MBNCSUtil 2.0. Tests indicate that Lockdown currently incorrectly calculates the revision check 7.4% of its uses.
  • IMPORTANT - MBNCSUtil 2.0 does not support the .NET Framework 1.x; clients that wish to use MBNCSUtil 2.0 should target the .NET Framework 2.0.
  • MBNCSUtil is now hosted in a Subversion repository. Point your favorite SVN client at https://www2.hosted-projects.com/robpaveza/mbncsutil/trunk/ to download the latest bits. (Note that the SVN repository is updated much more frequently than the stable build list; for stable builds, be sure to download the software from the official site. Along with Subversion, there is now a Trac wiki and bug tracker. Visit it at https://www2.hosted-projects.com/trac/robpaveza/mbncsutil. Both Subversion and Trac require authentication; use the username mbncsutil_anonymous with no password.
  • MBNCSUtil 2.0 includes the ability to open MPQ archives! See the MBNCSUtil.Data namespace for implementation details. If you retrieve the solution from Subversion, you will find a project called mmpq in the trunk; this project demonstrates opening an MPQ and retrieving its listfile.
  • MBNCSUtil 2.0 includes an integrated ability to download files from Battle.net via the proprietary BnFTP protocol. See the MBNCSUtil.BnFtp namespace for implementation details. If you retrieve the solution from Subversion, you will find a project called mbnftp in the trunk; this project demonstrates downloading files from the BnFTP service.
QuoteEvery generation of humans believed it had all the answers it needed, except for a few mysteries they assumed would be solved at any moment. And they all believed their ancestors were simplistic and deluded. What are the odds that you are the first generation of humans who will understand reality?

After 3 years, it's on the horizon.  The new JinxBot, and BN#, the managed Battle.net Client library.

Quote from: chyea on January 16, 2009, 05:05 PM
You've just located global warming.

Barabajagal

Just wondering about the correctness... The Request and Result values are 15 to 17 characters. You're allowing for this variation, correct?