
[C -> S] 0x51

Started by Trunning, May 07, 2010, 10:24 PM


Trunning

From the Data Array from 0x01 BNLS_CDKEY, what am I supposed to use for 0x51?

DWORD - ClientToken - Tracking Value
DWORD - Exe Version - Got this from 0x1A
DWORD - Exe Hash - Got this from 0x1a
DWORD - Key Count - Simple
DWORD - Spawn - Only 1 ( True ) for STAR or W2BN

Per Key // using 1 key
DWORD - Key Length - 16, Ex: AAAABBBBCCCCDDDD
DWORD - Key Product - D2DV Maybe?
DWORD - Key Public Value - The actual key?
DWORD - Unknown - Always zero

DWORD - Hashed Key Data -
   1. Client Token - Tracking Value
   2. Server Token - Got this from 0x50
   3. Key Product (from decoded CD key) - Don't know
   4. Key Public (from decoded CD key) - Don't know
   5. (DWORD) 0 - Always zero
   6. Key Private (from decoded CD key) - Don't Know

String - Exe Info - Got this from 0x1A
String - Owner - Well this isn't obvious at all ;)

l)ragon

   NumberOfCDKeys = GetNumberOfKeys(typ)
     
   CDKeyOneBuf = HashC.DoCDKeyOne(CDK1, sKey, cKey) 'CDKEY ONE
   
   Select Case NumberOfCDKeys
       Case 0
           'LTRD, RHSD, RHSS can also use this function, (proven fact pre-lockdown).
       Case 1
           CDKeyHashDat = CDKeyOneBuf
       Case 2
           CDKeyTwoBuf = HashC.DoCDKeyTwo(CDK2, sKey, cKey) 'CDKEY TWO
           CDKeyHashDat = CDKeyOneBuf & CDKeyTwoBuf
       Case Else
           'There are no products that have more than 2
           'cdkeys as of yet. But since the packet
           'could take more than 2, possibly they're
           'setting up for some expansion to an expansion
           'games?
   End Select
   
   
   With pb
       .InsertDWORD cKey
       .InsertDWORD version
       .InsertDWORD Checksum
       .InsertDWORD NumberOfCDKeys
       .InsertDWORD Spawn
       .InsertNonNTString CDKeyHashDat
       .InsertNTString exeinfo
       .InsertNTString CDKeyUsername
       .SendBuffer sck, Bnet, &H51
   End With
   
   Set pb = Nothing


Leave it to you to figure out what CDKeyHashDat actually is.
*^~·.,¸¸,.·´¯`·.,¸¸,.-·~^*ˆ¨¯¯¨ˆ*^~·.,l)ragon,.-·~^*ˆ¨¯¯¨ˆ*^~·.,¸¸,.·´¯`·.,¸¸,.-·~^*

Hdx

For Each Key:
  (DWORD) Key Length
  (DWORD) CD-key's product value
  (DWORD) CD-key's public value
  (DWORD) Unknown (0)
  (DWORD) [5] Hashed Key Data

1+1+1+1+5=?

Proud host of the JBLS server www.JBLS.org.

Trunning

Quote from: Hdx on May 07, 2010, 11:54 PM
For Each Key:
  (DWORD) Key Length
  (DWORD) CD-key's product value
  (DWORD) CD-key's public value
  (DWORD) Unknown (0)
  (DWORD) [5] Hashed Key Data

1+1+1+1+5=?

9, the array I'm getting from 0x01 ;)

Trunning

Damn I'm good, IP-banned from all four servers. Ah well, this will be a painfully long trial-and-error process.

lord2800

Quote from: Trunning on May 08, 2010, 01:20 AM
Damn I'm good, IP-banned from all four servers. Ah well, this will be a painfully long trial-and-error process.

PvPGN helps a lot when testing. Especially setting up a local instance.

Trunning

I can change my Ip, otherwise I probably would ;)

I'm getting result 512 back from 0x51, ah well I got some work to do.

l)ragon

Quote from: lord2800 on May 08, 2010, 01:23 AM
Quote from: Trunning on May 08, 2010, 01:20 AM
Damn I'm good, IP-banned from all four servers. Ah well, this will be a painfully long trial-and-error process.

PvPGN helps a lot when testing. Especially setting up a local instance.
PvPGN is for failures; the only way for you to get real results is by using and abusing the real system.

l)ragon

Quote from: Trunning on May 08, 2010, 01:26 AM
I can change my Ip, otherwise I probably would ;)

I'm getting result 512 back from 0x51, ah well I got some work to do.
0x200 = Invalid CDKey

Trunning

Edit: Wasn't putting in the client token and server token into the HashedKeyData array, trying that now.

Can't see why, I sent 0x01 to BNLS, got the Data array, and assigned it like so.

packet.KeyLength = pkt.Data[0];
packet.CDKeyProduct = pkt.Data[1];
packet.CDKeyPublic = pkt.Data[2];
packet.Unknown = pkt.Data[3]; // 0 either way
packet.HashedKeyData[0] = pkt.Data[4];
packet.HashedKeyData[1] = pkt.Data[5];
packet.HashedKeyData[2] = pkt.Data[6];
packet.HashedKeyData[3] = pkt.Data[7];
packet.HashedKeyData[4] = pkt.Data[8];

Trunning

Edit: Still getting invalid CDKey...

I'm about to try this, but I still haven't used the pkt.Data[7] or [8] elements, so I doubt this will work. I'm basing my code on this.

CMSG_SID_AUTH_CHECK packet;
packet.ClientToken = g_Cookie;
packet.ExeVersion = g_ExeVersion;
packet.ExeHash = g_ExeHash;
packet.KeyCount = 1;
packet.Spawn = 0;
packet.KeyLength = pkt.Data[0];
packet.CDKeyProduct = pkt.Data[1];
packet.CDKeyPublic = pkt.Data[2];
packet.Unknown = pkt.Data[3]; // 0 either way
packet.HashedKeyData[0] = g_Cookie;
packet.HashedKeyData[1] = g_ServerToken;
packet.HashedKeyData[2] = pkt.Data[4];
packet.HashedKeyData[3] = pkt.Data[5];
packet.HashedKeyData[4] = 0;
packet.HashedKeyData[5] = pkt.Data[6];
packet.ExeInfo = g_ExeInfo;
packet.Owner = (char*)malloc(4);
strcpy_s(packet.Owner, 4, "abc");

struct CMSG_SID_AUTH_CHECK {
    DWORD ClientToken;
    DWORD ExeVersion;
    DWORD ExeHash;
    DWORD KeyCount;
    DWORD Spawn;
    // --------------------
    DWORD KeyLength;
    DWORD CDKeyProduct;
    DWORD CDKeyPublic;
    DWORD Unknown;
    DWORD HashedKeyData[6];
    // --------------------
    char* ExeInfo;
    char* Owner;
};

lord2800

Quote from: l)ragon on May 08, 2010, 02:13 AM
PvPGN is for failures; the only way for you to get real results is by using and abusing the real system.

Of course you don't use PvPGN and say your code works, but it sure does make getting the BNCS sequence down easier. It saved me hours of waiting every time I screwed something innocuous up that took me 30 seconds to fix (and had to wait 5 minutes to test again).

Trunning

This is my current code, for constructing the packet. It's commented, if anything is wrong tell me, which it is because it's not working.

CMSG_SID_AUTH_CHECK packet;
packet.ClientToken = pkt.ClientToken; // Tracking Value
packet.ExeVersion = g_ExeVersion; // Version from BNLS 0x1A
packet.ExeHash = g_ExeHash; // Checksum from BNLS 0x1A
packet.KeyCount = 1; // Only using 1 key, Diablo 2
packet.Spawn = 0; // Only true for STAR and W2BN

packet.KeyLength = pkt.Data[0]; // Unsure if these are right
packet.ProductVal = pkt.Data[1];
packet.PublicVal = pkt.Data[2];
packet.Unknown = pkt.Data[3];
packet.KeyData[0] = pkt.ClientToken; // Same tracking value from above
packet.KeyData[1] = g_ServerToken; // ServerToken from S -> C BNCS 0x50
packet.KeyData[2] = pkt.Data[4];
packet.KeyData[3] = pkt.Data[5];
packet.KeyData[4] = 0; // 0
packet.KeyData[5] = pkt.Data[6];

packet.ExeInfo = g_ExeInfo; // Pointer to the stat string from BNLS 0x1A
packet.Owner = (char*)malloc(4);
strcpy_s(packet.Owner, 4, "abc");


CMSG_SID_AUTH_CHECK Structure
struct CMSG_SID_AUTH_CHECK {
    DWORD ClientToken;
    DWORD ExeVersion;
    DWORD ExeHash;
    DWORD KeyCount;
    DWORD Spawn;

    // --------------------

    DWORD KeyLength;
    DWORD ProductVal;
    DWORD PublicVal;
    DWORD Unknown;
    DWORD KeyData[6];

    // --------------------

    char* ExeInfo;
    char* Owner;
};

l)ragon

Quote from: lord2800 on May 08, 2010, 05:11 AM
Quote from: l)ragon on May 08, 2010, 02:13 AM
PvPGN is for failures; the only way for you to get real results is by using and abusing the real system.

Of course you don't use PvPGN and say your code works, but it sure does make getting the BNCS sequence down easier. It saved me hours of waiting every time I screwed something innocuous up that took me 30 seconds to fix (and had to wait 5 minutes to test again).
You must be retarded now, unless PvPGN has access to Blizzard's CDKey database; how bright do you think what you're saying is when his current problem is with CDKeys?

l)ragon

packet.KeyLength = pkt.Data[0]; // Unsure if these are right
packet.ProductVal = pkt.Data[1];
packet.PublicVal = pkt.Data[2];
packet.Unknown = pkt.Data[3];
packet.KeyData[0] = pkt.ClientToken; // Same tracking value from above
packet.KeyData[1] = g_ServerToken; // ServerToken from S -> C BNCS 0x50
packet.KeyData[2] = pkt.Data[4];
packet.KeyData[3] = pkt.Data[5];
packet.KeyData[4] = 0; // 0
packet.KeyData[5] = pkt.Data[6];

is where your problem is, the entire data should be 9 DWORDS in length within this section.
I thought BNLS gave you this entire section?
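Trunning's code above copies the BNLS array into six KeyData slots and re-inserts the client and server tokens, which is why the per-key section is no longer the 9 DWORDs that Hdx's 1+1+1+1+5 count and l)ragon's reply describe. As an added example that is not the thread's code or any poster's, the C below builds the C -> S 0x51 message by copying all nine DWORDs of each BNLS_CDKEY (0x01) block verbatim, frames it, and decodes the S -> C reply so that the 512 (0x200, invalid CD key) seen above is recognisable. Assumptions not on the page: the standard BNCS header (0xFF, message id, WORD length counting the header), the result codes other than 0x200, and every sample value (key DWORDs, tokens, exe info), which are constructed and not a real decoded key.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not code from the thread. The per-key block BNLS returns is
 * copied as-is; the six hash inputs listed in the original post are what BNLS
 * already hashed into the five "hashed key data" DWORDs, not fields to send. */

#define SID_AUTH_CHECK   0x51
#define KEY_BLOCK_DWORDS 9   /* length, product, public, unknown, hashed key data[5] */

typedef struct {
    uint32_t client_token, exe_version, exe_hash, spawn;
    size_t key_count;
    const uint32_t (*keys)[KEY_BLOCK_DWORDS]; /* one 9-DWORD block per key, copied verbatim */
    const char *exe_info;
    const char *owner;
} auth_check_msg;

static size_t put_dword(uint8_t *p, uint32_t v) {   /* little-endian DWORD */
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
    return 4;
}

static uint32_t get_dword(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Serialise the full message (assumed BNCS header included) into out.
 * Returns the total length, or 0 if out is too small or the message would
 * not fit the WORD length field. */
size_t build_sid_auth_check(const auth_check_msg *m, uint8_t *out, size_t cap) {
    size_t need = 4 + 5 * 4 + m->key_count * KEY_BLOCK_DWORDS * 4
                + strlen(m->exe_info) + 1 + strlen(m->owner) + 1;
    if (need > cap || need > 0xFFFF) return 0;
    size_t n = 0;
    out[n++] = 0xFF;
    out[n++] = SID_AUTH_CHECK;
    out[n++] = (uint8_t)need; out[n++] = (uint8_t)(need >> 8);
    n += put_dword(out + n, m->client_token);
    n += put_dword(out + n, m->exe_version);
    n += put_dword(out + n, m->exe_hash);
    n += put_dword(out + n, (uint32_t)m->key_count);
    n += put_dword(out + n, m->spawn);
    for (size_t k = 0; k < m->key_count; k++)           /* 36 bytes per key */
        for (int i = 0; i < KEY_BLOCK_DWORDS; i++)
            n += put_dword(out + n, m->keys[k][i]);
    memcpy(out + n, m->exe_info, strlen(m->exe_info) + 1); n += strlen(m->exe_info) + 1;
    memcpy(out + n, m->owner, strlen(m->owner) + 1);       n += strlen(m->owner) + 1;
    return n;
}

/* S -> C SID_AUTH_CHECK: DWORD result, STRING additional info. Returns the
 * result code, or UINT32_MAX when the framing does not match the buffer. */
uint32_t parse_sid_auth_check_reply(const uint8_t *pkt, size_t len) {
    if (len < 8 || pkt[0] != 0xFF || pkt[1] != SID_AUTH_CHECK) return UINT32_MAX;
    size_t declared = (size_t)pkt[2] | ((size_t)pkt[3] << 8);
    if (declared != len) return UINT32_MAX;
    return get_dword(pkt + 4);
}

/* Result codes as publicly documented for BNCS; only 0x200 appears on the page. */
const char *auth_check_result_name(uint32_t r) {
    switch (r) {
    case 0x000: return "passed";
    case 0x100: return "old game version";
    case 0x101: return "invalid version";
    case 0x200: return "invalid CD key";     /* the 512 seen in the thread */
    case 0x201: return "CD key in use";
    case 0x202: return "banned key";
    case 0x203: return "wrong product";
    default:    return "unknown";
    }
}

/* Constructed sample data: not a real decoded key, token or exe info. */
static const uint32_t SAMPLE_KEY[1][KEY_BLOCK_DWORDS] = {
    { 16, 0x06, 0x01234567, 0, 0xAAAAAAAA, 0xBBBBBBBB, 0xCCCCCCCC, 0xDDDDDDDD, 0xEEEEEEEE }
};
static const uint8_t SAMPLE_REPLY[] = { 0xFF, 0x51, 0x09, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00 };

size_t demo_build(uint8_t *out, size_t cap) {
    auth_check_msg m = { 0x11223344, 0x01000D00, 0xDEADBEEF, 0, 1, SAMPLE_KEY,
                         "Game.exe 03/18/10 20:00:00 1234", "abc" };
    return build_sid_auth_check(&m, out, cap);
}

int main(void) {
    uint8_t buf[256];
    size_t n = demo_build(buf, sizeof buf);
    printf("0x51 length: %zu bytes (key block at offset 24, 36 bytes long)\n", n);
    uint32_t r = parse_sid_auth_check_reply(SAMPLE_REPLY, sizeof SAMPLE_REPLY);
    printf("reply result 0x%03X = %s\n", r, auth_check_result_name(r));
    return 0;
}
```

The length check up front is what stops a too-long owner or exe info string from running past the buffer; a fixed `char*` plus `strcpy_s` into a 4-byte allocation, as in the thread's code, works only as long as the owner string stays three characters.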
