BNet logon procedure problems (BNLS_VERSIONCHECKEX2 fail)

Started by Fatalshrooms, January 24, 2010, 06:22 PM


Fatalshrooms

I'm learning about packets and I thought a good place to start was to create a BNET bot. I'm using C++.

So far I've established a connection with the server, and made some packet transactions:

    C > S [0x50] SID_AUTH_INFO
    S > C [0x25] SID_PING
    S > C [0x50] SID_AUTH_INFO
    C > S [0x25] SID_PING (Optional)


    C > S [0x51] SID_AUTH_CHECK

I'm at a point that seems to be an obvious problem for noobs like me ;D. C > S [0x51] SID_AUTH_CHECK. Here's the contents of the packet for reference:

(DWORD) Client Token
(DWORD) EXE Version
(DWORD) EXE Hash
(DWORD) Number of CD-keys in this packet
(BOOLEAN) Spawn CD-key

For Each Key:

    (DWORD) Key Length
    (DWORD) CD-key's product value
    (DWORD) CD-key's public value
    (DWORD) Unknown (0)
    (DWORD) [5] Hashed Key Data


(STRING) Exe Information
(STRING) CD-Key owner name *

I have spent a day reading and I know what I need to do, I just don't know how to do it. So I can either get this information by
1) passing some of the S>C 0x50 packet's data into a checkrevision() function. I'm guessing it's located in storm.dll or something. That seems to be the harder way.
2) passing some of the S>C 0x50 packet's data to a C>S BNLS_VERSIONCHECKEX2 transmission. This seems to be the easy way.

While trying method two I seem to always trip something with the server and get my IP temporarily banned.

Here's some of my packet data:

C>S 0x50
                        ff 50  3a 00 00 00 00 00 36 38         .P :.....68
0040  58 49 50 58 33 57 18 00  00 00 53 55 6e 65 00 00   XIPX3W.. ..SUne..
0050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 55 53   ........ ......US
0060  41 00 55 6e 69 74 65 64  20 53 74 61 74 65 73 00   A.United  States.

S>C 0x50
                        ff 50  e8 00 02 00 00 00 7a 99         .P ......z.
0040  53 53 8b a3 25 00 00 31  ef 00 70 5f c7 01 76 65   SS..%..1 ..p_..ve
0050  72 2d 49 58 38 36 2d 35  2e 6d 70 71 00 41 3d 32   r-IX86-5 .mpq.A=2
0060  32 33 37 35 36 36 38 36  31 20 42 3d 33 35 38 30   23756686 1 B=3580
0070  35 34 38 31 35 39 20 43  3d 33 39 35 39 35 37 38   548159 C =3959578
0080  39 35 31 20 34 20 41 3d  41 2b 53 20 42 3d 42 5e   951 4 A= A+S B=B^
0090  43 20 43 3d 43 2b 41 20  41 3d 41 2d 42 00 43 02   C C=C+A  A=A-B.C.
00a0  ed ce 9b 37 2d 12 22 9a  86 25 6f 7b 05 c9 7e 4a   ...7-.". .%o{..~J
00b0  7d c6 76 23 90 03 97 95  7b c8 10 c6 78 e2 ec af   }.v#.... {...x...
00c0  fb 3a 87 b3 29 f0 d5 d7  de df 33 17 c3 7c 5d 76   .:..)... ..3..|]v
00d0  0d cb 31 65 35 e5 94 75  c5 9a ea 37 b2 a6 87 cc   ..1e5..u ...7....
00e0  70 0a 77 af 53 07 3f b7  42 19 07 f8 23 4c d1 fd   p.w.S.?. B...#L..
00f0  5f a6 17 76 3a bf 63 5b  cb 00 73 f6 2e c2 f4 eb   _..v:.c[ ..s.....
0100  ea b5 7d cb e1 ab 90 f4  44 ed a7 01 f1 10 0d c3   ..}..... D.......
0110  5d 77 fa 9a 0c 5b a3 36  73 d5 b5 e1 f9 25         ]w...[.6 s....% 

C>S 0x1A (BNLS_VERSIONCHECKEX2)
                        67 00  1a 08 00 00 00 00 00 00         g. ........
0040  00 00 00 00 00 00 31 ef  00 70 5f c7 01 76 65 72   ......1. .p_..ver
0050  2d 49 58 38 36 2d 35 2e  6d 70 71 00 00 3d 32 32   -IX86-5. mpq..=22
0060  33 37 35 36 36 38 36 31  20 42 3d 33 35 38 30 35   37566861  B=35805
0070  34 38 31 35 39 20 43 3d  33 39 35 39 35 37 38 39   48159 C= 39595789
0080  35 31 20 34 20 41 3d 41  2b 53 20 42 3d 42 5e 43   51 4 A=A +S B=B^C
0090  20 43 3d 43 2b 41 20 41  3d 41 2d 42 00 00         C=C+A A =A-B.. 

Response: D/C with a temporary IP ban


I think I have the first byte totally wrong. I would be OK receiving the hashed data through checkrevision, I just don't know where to start... any help would be appreciated!!!


SIDE NOTE: I'm new to the forum so I don't know how to do the equivalent of <code>some code</code>, tell me and I will edit this post! ;) (EDITED TO FIX/align packets, ty Dale ;))
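As an added illustration (not code from the original post), here is a C++ serialiser for the SID_AUTH_CHECK (0x51) body exactly as listed above, wrapped in the BNCS header visible in the dumps (0xFF, packet id, 16-bit little-endian total length). The five hashed key DWORDs are passed in already computed, since the key-hashing step itself is not described on this page; the BOOLEAN field is assumed to be a 4-byte value like the other fields.

```cpp
#include <array>
#include <cstdint>
#include <string>
#include <vector>

// One "For Each Key" record from the 0x51 layout quoted in the post.
struct CdKey {
    uint32_t length;               // (DWORD) Key Length
    uint32_t product;              // (DWORD) CD-key's product value
    uint32_t publicValue;          // (DWORD) CD-key's public value
    std::array<uint32_t, 5> hash;  // (DWORD)[5] Hashed Key Data, computed elsewhere
};

// BNCS DWORDs are little-endian, as the dumps above show (e.g. "3a 00" length).
static void putDword(std::vector<uint8_t>& b, uint32_t v) {
    for (int i = 0; i < 4; ++i) b.push_back(static_cast<uint8_t>(v >> (8 * i)));
}

// BNCS STRINGs are NUL-terminated, matching the "... 00" endings in the dumps.
static void putString(std::vector<uint8_t>& b, const std::string& s) {
    b.insert(b.end(), s.begin(), s.end());
    b.push_back(0);
}

// Builds the complete C>S 0x51 packet: header first, length patched in at the end.
std::vector<uint8_t> buildAuthCheck(uint32_t clientToken, uint32_t exeVersion,
                                    uint32_t exeHash, bool spawn,
                                    const std::vector<CdKey>& keys,
                                    const std::string& exeInfo,
                                    const std::string& owner) {
    std::vector<uint8_t> p = {0xFF, 0x51, 0x00, 0x00};  // length filled in below
    putDword(p, clientToken);
    putDword(p, exeVersion);
    putDword(p, exeHash);
    putDword(p, static_cast<uint32_t>(keys.size()));
    putDword(p, spawn ? 1u : 0u);  // (BOOLEAN) Spawn CD-key; assumed 4 bytes wide
    for (const CdKey& k : keys) {
        putDword(p, k.length);
        putDword(p, k.product);
        putDword(p, k.publicValue);
        putDword(p, 0);            // (DWORD) Unknown (0)
        for (uint32_t h : k.hash) putDword(p, h);
    }
    putString(p, exeInfo);         // (STRING) Exe Information
    putString(p, owner);           // (STRING) CD-Key owner name
    p[2] = static_cast<uint8_t>(p.size() & 0xFF);
    p[3] = static_cast<uint8_t>(p.size() >> 8);
    return p;
}
```

Note that this keeps the raw key on the local side: only the already-hashed DWORDs go into the packet, which is the split brew describes later in the thread.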

Dale

replace the "<" and ">" with "[" and "]"
no quotes...

brew

* brew facepalm
no, bnls is a different server designed to help you retrieve the values you need for crafting the 0x51 packet you need to send.
<3 Zorm
Quote
[01:08:05 AM] <@Zorm> haha, me get pussy? don't kid yourself quik
Scio te esse, sed quid sumne? :P

Fatalshrooms

OMG... so I need a different IP/port? rofl I'm dumb, and would I be correct to assume that that server is made by a 3rd party?

Fatalshrooms

Hmm, I think I will try to do some local hashing, sending my CD-Key to a 3rd party is pretty iffy rofl...

Sixen

Quote from: Fatalshrooms on January 24, 2010, 09:55 PM
    OMG... so I need a different IP/port? rofl I'm dumb, and would I be correct to assume that that server is made by a 3rd party?
Quote from: Fatalshrooms on January 24, 2010, 10:25 PM
    Hmm, I think I will try to do some local hashing, sending my CD-Key to a 3rd party is pretty iffy rofl...

That's correct. Hashing would solve that problem, if you know how to do it.
Blizzard Tech Support/Op W@R - FallenArms
The Chat Gem Lives!
http://www.diablofans.com
http://www.sixen.org

brew

Quote from: Fatalshrooms on January 24, 2010, 10:25 PM
Hmm, I think I will try to do some local hashing, sending my CD-Key to a 3rd party is pretty iffy rofl...
You could mix and match the sources of your information for that packet. I would assume you would want to locally decode and hash your CDKey, while you retrieve the CheckRevision results from a BNLS server (yes, it is 3rd party).

According to http://www.d3scene.com/forum/stealthbot-support/6828-bnls-servers.html (the first result on google) some current BNLS servers are:
Quote
pyro.no-ip.biz
jbls.org
hdx.jbls.org
haste.jbls.org
funnel.jbls.org
berz.jbls.org
logon.berzerkerjbls.com
sexydev.jbls.org
bas.jbls.org
bnls.valhallalegends.com

rabbit

Grif: Yeah, and the people in the red states are mad because the people in the blue states are mean to them and want them to pay money for roads and schools instead of cool things like NASCAR and shotguns.  Also, there's something about ketchup in there.