Dealing with 0x51 on Linux without using BNLS

Started by ThePro, July 02, 2009, 08:51 AM


ThePro

Hey there!

Recently I've written a battle.net bot in python which runs on my linux server 24/7.
At the moment I'm using BNLS to deal with the logon sequence. But since I want to be independent of the availability of the BNLS servers, I want to do this stuff by hand as a second option.

I wrote my first battle.net bot in 2003(?) using C++ on a Windows machine. I remember that there was a library called BNCSUtil.dll which did some hashing stuff for me.

Since my new bot is running on a Linux machine I am not able to use this .dll anymore, so it seems I have to write a Python hashing module, which I would publish when it's done, of course.


Now my questions:

1. (DWORD) EXE Hash
What does battle.net exactly want here? I remember that you originally had to put the CRC32 hash of the Starcraft.exe file in here, but since some patch it is some value of the memory, right!?

2. (DWORD) CD-key's public value
What is that? What does this "decoded cd-key" stuff mean? How to decode?

3. (DWORD) [5] Hashed Key Data

BnetDocs say:
Quote
The data that should be hashed for 'Hashed Key Data' is:

   1. Client Token
   2. Server Token
   3. Key Product (from decoded CD key)
   4. Key Public (from decoded CD key)
   5. (DWORD) 0
   6. Key Private (from decoded CD key)

1. clear
2. clear
3. decoded CD key? (Keyproduct = 0x01 for Starcraft?)
4./6. public,private? sounds like an asymmetric encryption


I know that the hashing is done by "broken sha-1".
I also know that the password is hashed twice but I don't know the right order.

it is like:

hashed_pw = bsha1(password)
double_hash = bsha1( ? + hashed_pw)
4. last but not least, how to deal with the MPQ-Version and the Formula?



xpeh

Hello.

Can you share your bot lib, or whole bot?

You can watch any open source bot lib in language that you understand to get clear what you need to do. For example, BNCSUtil you mentioned.

AFAIK local crc32 calculation (aka local hashing) is useless - it doesn't work on battle.net, and on pvpgn you can make it much easier by placing values directly from versioncheck.conf. I almost never used bots on bnet, but I think BNLS is your only option. Ask others to be sure.

As for starcraft,
HashPassword = bsha1(lowercase(pass))
DoubleHashPassword = bsha1(clienttoken . servertoken . HashPassword(pass))

Hashing cdkeys with an external server is highly questionable.
1. It can be easily made local. There were no changes in algorithm since ancient times.
2. Who knows what happens to CDKeys you send?

ThePro

Quote from: xpeh on July 02, 2009, 09:19 AM
Hello.

Can you share your bot lib, or whole bot?
It's not stable right now, so I still have to fix some things, but I will release the source when it's done. ;)


Quote
You can watch any open source bot lib in language that you understand to get clear what you need to do. For example, BNCSUtil you mentioned.
LOL! I didn't know that BNCSutil is open source these days. When I looked for it a few years ago it wasn't. I found a C++ implementation which I will now convert to Python.
When it's done I will release the module here. ;)


Quote
Hashing cdkeys with an external server is highly questionable.
1. It can be easily made local. There were no changes in algorithm since ancient times.
2. Who knows what happens to CDKeys you send?


Yeah, that's another reason. I heard that some guy from a JBLS server has stolen CD-Keys by logging the traffic.

xpeh

Can you upload your work to svn, even if it's beta?

Or just give me a link :)

xpeh

Btw, don't ask me how to auth on Bnet (0x51). Ask others. But I'm sure that local hashing is outdated.

Hdx

xeph, you're a moron, 'Local Hashing' can't be 'outdated'. Quit trying to get code from other people, and please stop posting.
ThePro:
BNCSutil is open source as is MBNCSutil and JBLS
If you want to work on it, look at those three sources plus SkullSecurity (Lockdown Check Revision); it has a few other Bnet related pages.
Anyways, to answer your questions.
Quote from: ThePro on July 02, 2009, 08:51 AM
1. (DWORD) EXE Hash
What does battle.net exactly want here? I remember that you originally had to put the CRC32 hash of the Starcraft.exe file in here, but since some patch it is some value of the memory, right!?
For lockdown it's the 1st dword of the final SHA1 digest. For older checkrevisions it's the final checksum.
Quote from: ThePro on July 02, 2009, 08:51 AM
2. (DWORD) CD-key's public value
What is that? What does this "decoded cd-key" stuff mean? How to decode?
Depends on the style of CDKey you are trying to decode. Look at a few of the sources linked above for their decoding functions. They are rather simple.
Quote from: ThePro on July 02, 2009, 08:51 AM
3. (DWORD) [5] Hashed Key Data

BnetDocs say:
Quote
The data that should be hashed for 'Hashed Key Data' is:

   1. Client Token
   2. Server Token
   3. Key Product (from decoded CD key)
   4. Key Public (from decoded CD key)
   5. (DWORD) 0
   6. Key Private (from decoded CD key)

1. clear
2. clear
3. decoded CD key? (Keyproduct = 0x01 for Starcraft?)
4./6. public,private? sounds like an asymmetric encryption
All 3 of those values are decoded from the cdkey themselves. Do a little research into cdkey decoding and it'll become clear.

Quote from: ThePro on July 02, 2009, 08:51 AM
I know that the hashing is done by "broken sha-1".
I also know that the password is hashed twice but I don't know the right order.

it is like:

hashed_pw = bsha1(password)
double_hash = bsha1( ? + hashed_pw)
XSHA1(ClientToken, ServerToken, XSHA1(Password))

Quote from: ThePro on July 02, 2009, 08:51 AM
4. last but not least, how to deal with the MPQ-Version and the Formula?
That again falls under check revision; simply take a look at the functions from the sources I've linked you to/mentioned. CheckRevision as a concept is pretty simple to get:
The client receives a file name and a seed string [more accurate to call it seed values than formula because of lockdown]. It then downloads the file and calls an exported function inside of it called CheckRevision(), passing it the seed values. That function returns 3 values: 2 32-bit ints and 1 null-terminated string.

In your case you would pass them to your implementation of the functions as needed.

If you have questions on a particular aspect rather than 10 different ones :P, I'd be more than happy to answer.

Proud host of the JBLS server www.JBLS.org.
JBLS.org Status:
JBLS/BNLS Server Status
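The two hashes xpeh and Hdx spell out above (the double password hash and the "Hashed Key Data" over the six bnetdocs fields), worked through as an added Python example; this is my code, not BNCSUtil's and not anything posted in this thread. The XSHA1 internals it relies on (little-endian words, no length padding, a message schedule that rotates the constant 1 by the XOR rather than the XOR by 1) are my recollection of the open-source implementations and are an assumption here; the tokens and key values are constructed, and the key's private value is taken as raw bytes because its width depends on the key format.

```python
import struct

MASK = 0xFFFFFFFF

def _rol(x, n):
    # 32-bit rotate left; the shift count is taken mod 32 as x86 ROL does.
    n &= 31
    return ((x << n) | (x >> (32 - n))) & MASK

def xsha1(data: bytes) -> bytes:
    """Battle.net 'broken SHA-1' (assumed layout): 20-byte digest as 5 little-endian dwords."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    # No SHA-1 length padding: a short final block is simply zero-filled.
    for off in range(0, len(data), 64):
        block = data[off:off + 64].ljust(64, b"\0")
        w = list(struct.unpack("<16I", block)) + [0] * 64
        for i in range(16, 80):
            # The "broken" step: rotate the constant 1 by the XOR, not the XOR by 1.
            w[i] = _rol(1, w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16])
        a, b, c, d, e = h
        for i in range(80):  # the round functions and constants are standard SHA-1
            if i < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif i < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif i < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            a, b, c, d, e = (_rol(a, 5) + f + e + w[i] + k) & MASK, a, _rol(b, 30), c, d
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e))]
    return struct.pack("<5I", *h)

def double_hash_password(client_token, server_token, password, lowercase=True):
    """XSHA1(ClientToken . ServerToken . XSHA1(password)), as xpeh and Hdx describe."""
    # The real game clients lowercase the password first; a bot may choose not to.
    if lowercase:
        password = password.lower()
    inner = xsha1(password.encode("ascii"))
    return xsha1(struct.pack("<II", client_token, server_token) + inner)

def hashed_key_data(client_token, server_token, product, public, private: bytes):
    """XSHA1 over the six bnetdocs fields: tokens, product, public, (DWORD) 0, private."""
    buf = struct.pack("<IIIII", client_token, server_token, product, public, 0) + private
    return xsha1(buf)

if __name__ == "__main__":
    # Constructed sample values, not real tokens or key material.
    print(double_hash_password(0x11223344, 0x55667788, "Hunter2").hex())
    print(hashed_key_data(0x11223344, 0x55667788, 0x01, 0x00ABCDEF, b"\xde\xad\xbe\xef").hex())
```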

xpeh

Quote from: Hdx on July 02, 2009, 07:15 PM
xeph, you're a moron, 'Local Hashing' can't be 'outdated'.
I said so explicitly - I'm not a specialist, since I don't use Bnet.

Quote from: Hdx on July 02, 2009, 07:15 PM
Quit trying to get code from other people, and please stop posting.
Quit telling me what I have to do, unless you want to eat cocks for the rest of your life, stupid piece of shit.

Quote from: Hdx on July 02, 2009, 07:15 PM
XSHA1(ClientToken, ServerToken, XSHA1(Password))
Don't you forget lowercase(), cockrider fag?

And write my nick properly next time, if such a fag like you with asshole diameter like metro tunnel can even copypaste.

Hdx

LCase is NOT needed. The clients do it, yes, but not doing so allows you to have case sensitive passwords, which is always a good thing. Having to copy/paste someone's name is just fucking sad. And calling me a fag, how original, your parents must be proud. If you have something actually intelligent and helpful to post then go for it. Aside from that, fuck right off.


xpeh

Quote from: Hdx on July 03, 2009, 01:36 AM
LCase is NOT needed. The clients do it yes, But not doing so allows you to have case sensitive passwords, which is always a good thing.
How nice, you'll be unable to log on with your game client..

Quote from: Hdx on July 03, 2009, 01:36 AM
Having to copy/paste someone name is just fucking sad. And calling me a fag, how original, your parents must be proud. If you have something actually intelligent and helpful to post then go for it, Aside from that, fuck right off.
So learn to write it properly without copy-paste.


Quote from: Hdx on July 03, 2009, 01:36 AM
And calling me a fag, how original, your parents must be proud.
I'm really sure you are one. Do you actually go to kindergarten or already to school?

Quote from: Hdx on July 03, 2009, 01:36 AM
If you have something actually intelligent and helpful to post then go for it, Aside from that, fuck right off.
If I need someone to give me a blowjob, then you are welcome to open your mouth. Otherwise, please shut the fuck up, unless you need to get your shoulder toilet bowl to be filled, guess with what. If you still haven't understood, I don't care about your stupid word diarrhea that you smear all over this thread.

ThePro

Quote from: Hdx
xeph, you're a moron, 'Local Hashing' can't be 'outdated'. Quit trying to get code from other people, and please stop posting.
I think he wanted to say that local hashing isn't usual these days, because everyone uses BNLS/JBLS.

Quote from: xpeh
How nice, you'll be unable to log on with your game client..
This doesn't have to be a disadvantage. If you never plan to use a specific account with a Blizzard client then it is a very good idea to choose a case sensitive password, because only people who use 3rd party clients would be able to get your account by guessing your password, which increases the security a lot.

Quote from: Hdx
If you have questions on a particular aspect rather than 10 different ones :P I'd be more than happy to answer.
Good to know, I will keep that in mind. :)
These are my first questions:

1. Aren't you the guy who made this JBLS server?
2. If yes, will you add Warden support to JBLS?
3. What happened to JBLS.org? It seems to be down!?

Hdx

Quote from: ThePro on July 03, 2009, 06:46 PM
I think he wanted to say that local hashing isn't usual these days, because everyone uses BNLS/JBLS.
That's irrelevant, 'Local Hashing' can't be outdated.
Quote from: ThePro on July 03, 2009, 06:46 PM
This doesn't have to be a disadvantage. If you never plan to use a specific account with a Blizzard client then it is a very good idea to choose a case sensitive password, because only people who use 3rd party clients would be able to get your account by guessing your password, which increases the security a lot.
I personally have my main account use a case sensitive password, and then have my gaming accounts, which do not have access to any bots, use the normal lcased() passwords.
Quote from: ThePro on July 03, 2009, 06:46 PM
Good to know, I will keep that in mind. :)
These are my first questions:

1. Aren't you the guy who made this JBLS server?
2. If yes, will you add Warden support to JBLS?
3. What happened to JBLS.org? It seems to be down!?
1) Yes, along with TheFool, Ron, etc.
2) No, I will not, at least not anytime soon. It's written in Java, which cannot run raw machine code, which is currently the only way to handle Warden.
3) The website is gone, never actually put anything on it so meh. But the server itself is running fine, just use it as a JBLS server.


Sixen

Quote from: Hdx on July 03, 2009, 06:57 PM
3) The website is gone, never actually put anything on it so meh. But the server itself is running fine, just use it as a JBLS server.

Throw up an index.html and put a little info on there imo.

"Server Status:"
"Current Server Time:"
"Number of connections:"
"Uptime:"
<Link to JBLS Tech Forums on sb.net>
Blizzard Tech Support/Op W@R - FallenArms
The Chat Gem Lives!
http://www.diablofans.com
http://www.sixen.org

Hdx

Quote from: Sixen on July 03, 2009, 11:27 PM
Throw up an index.html and put a little info on there imo.

"Server Status:"
"Current Server Time:"
"Number of connections:"
"Uptime:"
<Link to JBLS Tech Forums on sb.net>
It's hosted on Ron's box, which the web page *should* show www.x86Labs.org. So putting up a temp site won't work, and there's no simple way to redirect things based on port :/ *wishes DNS resolution could be determined by port :(*


xpeh

Quote from: ThePro on July 03, 2009, 06:46 PM
Quote from: xpeh
How nice, you'll be unable to log on with your game client..
This doesn't have to be a disadvantage. If you never plan to use a specific account with a Blizzard client then it is a very good idea to choose a case sensitive password, because only people who use 3rd party clients would be able to get your account by guessing your password, which increases the security a lot.
ORLY? Select a 6+ character letter-digit non-dictionary password, and it's highly questionable that it can be bruteforced. You don't need to break compatibility for this. Releasing this in a public library is incompetent, since most users don't know about this issue, and those who are bruteforcing others' passwords can know about it.
If you are emulating battle.net clients, emulate them properly.

So is there a library that gives up-to-date working local hashing for battle.net?

Hdx

It's the actual text box itself that limits the characters to lower case IIRC. But anyways, I *thought* this type of crap was common knowledge for people who actually knew anything about writing bots.

I am all for emulating things properly [I'm pretty sure you aren't doing the same EXACT things the games do, as that's a bitch], but this is a developer's choice. If you're actually gunna have a 'hash password' function in whatever you're making, you might want to have both lcase and non. BUT if you do it as you *should* and simply have an XSHA1 class and let the bot programmer deal with utilizing it themselves, then this is a moot issue.
