[C -> S] 0x51

Started by Trunning, May 07, 2010, 10:24 PM


Trunning

And I'm getting 0x02 back, so my password is wrong apparently.

Hdx

Quote from: Trunning on May 08, 2010, 02:45 PM
So...

strcpy(buffer + sizeof(re) - 4, "clientlessya");

This worked after I took off 4 bytes from the malloc().
Yes, now WHY did that work?
Quote
And I'm getting 0x02 back, so my password is wrong apparently.
Apparently, either someone has that account, or you're using the wrong password. Remember the real games lcase the password before hashing.
Also, remember you need to use the same client token as you did with your cdkeys.

Proud host of the JBLS server www.JBLS.org.
JBLS.org Status:
JBLS/BNLS Server Status

Trunning

I'm using the same Client Token, and the password is lower case.

Hdx

Post a full packet log, minus the TCP headers please!


Trunning

I don't know if you wanted everything everything or just this packet.

0000   2f c0 50 2d 4a 8e a9 3e 21 54 57 aa 61 e4 be 7b  /.P-J..>!TW.a..{
0010   99 38 12 cc e6 66 f8 64 59 f9 85 bd 63 6c 69 65  .8...f.dY...clie
0020   6e 74 6c 65 73 73 79 61 00                       ntlessya.


The BNCS_HEADER is being sent before this.

0000   ff 3a 08 00 02 00 00 00                          .:......

rabbit

You have to learn how to dump a complete packet.  Don't separate the header (you didn't even do it right).  A header is BYTE BYTE WORD, and you're separating BYTE BYTE WORD DWORD as the header (that 2 is part of the packet's data).  And "full packet log" means a log of the entire connection.
Grif: Yeah, and the people in the red states are mad because the people in the blue states are mean to them and want them to pay money for roads and schools instead of cool things like NASCAR and shotguns.  Also, there's something about ketchup in there.

Trunning

I'm using the exact same function to send the last packet, but it's being split for god knows why.

Hdx

Profile a FULL DATA Packet Log. (That's everything from the packet we actually care about, not the TCP headers)
Everything you send, everything you receive.
ALL Packets.


Trunning

Probably left some CDKey related stuff there.

0000   01                                               .

0000   00 04 ed 6f a5 60 00 26 18 7f 24 a2 08 00 45 00  ...o.`.&..$...E.
0010   00 62 c4 08 40 00 80 06 e1 1f c0 a8 01 65 3f f1  [email protected]?.
0020   53 6f 10 bb 17 e0 09 0a 7b 7a 29 99 0d f0 50 18  So......{z)...P.
0030   ff ff 5b 55 00 00 ff 50 3a 00 00 00 00 00 36 38  ..[U...P:.....68
0040   58 49 56 44 32 44 0d 00 00 00 09 04 00 00 c0 a8  XIVD2D..........
0050   01 64 a8 fd ff ff 09 04 00 00 09 04 00 00 55 53  .d............US
0060   41 00 55 6e 69 74 65 64 20 53 74 61 74 65 73 00  A.United States.


0000   ff 25 08 00 e4 b8 00 50                          .%.....P

0000   ff 25 08 00                                      .%..

0000   ff 50 68 00 00 00 00 00 ed 51 b0 3f 51 13 78 00  .Ph......Q.?Q.x.
0010   00 8b 51 03 70 5f c7 01 76 65 72 2d 49 58 38 36  ..Q.p_..ver-IX86
0020   2d 30 2e 6d 70 71 00 43 3d 34 31 31 38 38 36 39  -0.mpq.C=4118869
0030   33 32 35 20 42 3d 33 34 30 39 37 33 35 30 36 38  325 B=3409735068
0040   20 41 3d 33 30 35 37 30 30 38 30 32 36 20 34 20   A=3057008026 4
0050   41 3d 41 2d 53 20 42 3d 42 5e 43 20 43 3d 43 2b  A=A-S B=B^C C=C+
0060   41 20 41 3d 41 2d 42 00                          A A=A-B.

0000   e4 b8 00 50                                      ...P

0000   67 00 1a 04 00 00 00 00 00 00 00 21 f6 e6 4b 00  g..........!..K.
0010   8b 51 03 70 5f c7 01 76 65 72 2d 49 58 38 36 2d  .Q.p_..ver-IX86-
0020   30 2e 6d 70 71 00 43 3d 34 31 31 38 38 36 39 33  0.mpq.C=41188693
0030   32 35 20 42 3d 33 34 30 39 37 33 35 30 36 38 20  25 B=3409735068
0040   41 3d 33 30 35 37 30 30 38 30 32 36 20 34 20 41  A=3057008026 4 A
0050   3d 41 2d 53 20 42 3d 42 5e 43 20 43 3d 43 2b 41  =A-S B=B^C C=C+A
0060   20 41 3d 41 2d 42 00                              A=A-B.

0000   38 00 1a 01 00 00 00 00 0d 00 01 4a 04 6c 1f 67  8..........J.l.g
0010   61 6d 65 2e 65 78 65 20 30 32 2f 30 38 2f 31 30  ame.exe 02/08/10
0020   20 32 33 3a 31 31 3a 30 30 20 35 37 33 34 34 00   23:11:00 57344.
0030   21 f6 e6 4b 0d 00 00 00                          !..K....

Won't include the CDKey being sent, and the hash received, but they're both here.

0000   ff 51 61 00                                      .Qa.

Packet containing CDKey hash.

0000   ff 51 09 00 00 00 00 00 00                       .Q.......

0000   13 00 0b 04 00 00 00 01 00 00 00 cc cc cc cc 6c  ...............l
0010   6f 6c 00                                         ol.

I believe cc's here because there is no additional information for the result, since it's success.

0000   17 00 0b 21 54 57 aa 61 e4 be 7b 99 38 12 cc e6  ...!TW.a..{.8...
0010   66 f8 64 59 f9 85 bd                             f.dY...

0000   ff 3a 2d 00                                      .:-.

Don't know why the BNCS_HEADER is separated

0000   94 6d d5 68 ed 51 b0 3f 21 54 57 aa 61 e4 be 7b  .m.h.Q.?!TW.a..{
0010   99 38 12 cc e6 66 f8 64 59 f9 85 bd 63 6c 69 65  .8...f.dY...clie
0020   6e 74 6c 65 73 73 79 61 00                       ntlessya.

0000   ff 3a 08 00 02 00 00 00                          .:......
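
The log above shows the 0x3A header (ff 3a 2d 00) and its 41-byte body as two separate dumps, and rabbit's point is that a BNCS header is BYTE 0xFF, BYTE id, WORD length, with the length counting the header. The following is an added example, my code and not anything posted in the thread: a small stream reader that buffers bytes until a whole packet is present (so two send() calls for header and body make no difference on the receiving side), applied to the bytes copied from the log: the BNLS 0x0B reply, the split 0x3A, and the 0x3A reply. It also pulls the client token, server token, hash and account name out of 0x3A. Two things worth checking by eye in the log and confirmed by the code: the 20-byte hash inside 0x3A is exactly the hash BNLS returned in 0x0B, and the server token (ed 51 b0 3f) is the second DWORD of the 0x50 reply. The BNLS header layout (WORD length, BYTE id) and the 0x3A body layout (client token, server token, 20-byte hash, NUL-terminated name) are taken from the dumps themselves; the buffer sizes and function names are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the thread. Reassembles BNCS and BNLS packets
 * from a byte stream and decodes the 0x0B reply and the 0x3A exchange in the
 * log above. Header formats (little-endian lengths that include the header):
 *   BNCS: BYTE 0xFF, BYTE id, WORD length     BNLS: WORD length, BYTE id
 * TCP is a stream, so a header and body written by two send() calls may be
 * read separately; the reader buffers until `length` bytes are present. */

enum proto { PROTO_BNCS, PROTO_BNLS };
typedef struct { enum proto proto; uint8_t buf[1024]; size_t len; } stream_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }

/* Appends one recv()'s worth of bytes; returns 0 if the buffer would overflow. */
int stream_feed(stream_t *s, const uint8_t *d, size_t n) {
    if (s->len + n > sizeof s->buf) return 0;
    memcpy(s->buf + s->len, d, n);
    s->len += n;
    return 1;
}

/* Pops one complete packet into out: returns its length, 0 if more bytes are
 * needed, -1 if the header is malformed. */
int stream_next(stream_t *s, uint8_t *out, size_t cap, uint8_t *id) {
    size_t hdr = s->proto == PROTO_BNCS ? 4 : 3, total;
    if (s->len < hdr) return 0;
    if (s->proto == PROTO_BNCS) {
        if (s->buf[0] != 0xFF) return -1;
        *id = s->buf[1];
        total = rd16(s->buf + 2);
    } else {
        total = rd16(s->buf);
        *id = s->buf[2];
    }
    if (total < hdr || total > cap) return -1;
    if (s->len < total) return 0;
    memcpy(out, s->buf, total);
    memmove(s->buf, s->buf + total, s->len - total);
    s->len -= total;
    return (int)total;
}

/* C->S 0x3A body: client token, server token, 20-byte hash, NUL-terminated name. */
typedef struct { uint32_t client_token, server_token; uint8_t hash[20]; char user[32]; } logon2_t;

int parse_logonresponse2(const uint8_t *pkt, size_t n, logon2_t *o) {
    const uint8_t *b = pkt + 4;
    if (n < 4 + 28 + 1 || !memchr(b + 28, 0, n - 4 - 28)) return 0;
    o->client_token = rd32(b);
    o->server_token = rd32(b + 4);
    memcpy(o->hash, b + 8, 20);
    strncpy(o->user, (const char *)b + 28, sizeof o->user - 1);
    o->user[sizeof o->user - 1] = '\0';
    return 1;
}

/* Bytes copied from the log above. */
static const uint8_t k_bnls_0b_reply[] = {
    0x17,0x00,0x0b, 0x21,0x54,0x57,0xaa,0x61,0xe4,0xbe,0x7b,0x99,0x38,0x12,0xcc,0xe6,
    0x66,0xf8,0x64,0x59,0xf9,0x85,0xbd };
static const uint8_t k_3a_hdr[]  = { 0xff,0x3a,0x2d,0x00 };   /* first send() */
static const uint8_t k_3a_body[] = {                            /* second send() */
    0x94,0x6d,0xd5,0x68, 0xed,0x51,0xb0,0x3f, 0x21,0x54,0x57,0xaa,0x61,0xe4,0xbe,0x7b,
    0x99,0x38,0x12,0xcc,0xe6,0x66,0xf8,0x64,0x59,0xf9,0x85,0xbd, 'c','l','i','e',
    'n','t','l','e','s','s','y','a',0x00 };
static const uint8_t k_3a_reply[] = { 0xff,0x3a,0x08,0x00, 0x02,0x00,0x00,0x00 };

typedef struct { int after_header_only, logon_len, hash_matches_bnls;
                 uint8_t logon_id; logon2_t logon; uint32_t result; } demo_t;

/* Walks the captures through the reassembler; returns 1 if every step parsed. */
int demo_walk_log(demo_t *d) {
    stream_t bnls = { PROTO_BNLS, {0}, 0 }, bncs = { PROTO_BNCS, {0}, 0 };
    uint8_t pkt[256], id, bnls_hash[20];
    memset(d, 0, sizeof *d);
    stream_feed(&bnls, k_bnls_0b_reply, sizeof k_bnls_0b_reply);
    if (stream_next(&bnls, pkt, sizeof pkt, &id) != 23 || id != 0x0B) return 0;
    memcpy(bnls_hash, pkt + 3, 20);                 /* hash BNLS handed back */

    stream_feed(&bncs, k_3a_hdr, sizeof k_3a_hdr);
    d->after_header_only = stream_next(&bncs, pkt, sizeof pkt, &id); /* 0: wait for body */
    stream_feed(&bncs, k_3a_body, sizeof k_3a_body);
    d->logon_len = stream_next(&bncs, pkt, sizeof pkt, &id);
    d->logon_id = id;
    if (d->logon_len <= 0 || !parse_logonresponse2(pkt, (size_t)d->logon_len, &d->logon)) return 0;
    d->hash_matches_bnls = memcmp(d->logon.hash, bnls_hash, 20) == 0;

    stream_feed(&bncs, k_3a_reply, sizeof k_3a_reply);
    if (stream_next(&bncs, pkt, sizeof pkt, &id) != 8 || id != 0x3A) return 0;
    d->result = rd32(pkt + 4);                      /* the thread reads 0x02 as a bad password */
    return 1;
}

int main(void) {
    demo_t d;
    if (!demo_walk_log(&d)) { puts("parse failed"); return 1; }
    printf("0x3A from %s: client token %08x, server token %08x, hash from BNLS: %s, result %u\n",
           d.logon.user, d.logon.client_token, d.logon.server_token,
           d.hash_matches_bnls ? "yes" : "no", d.result);
    return 0;
}
```

The first stream_next() call after only the header has been fed returns 0 rather than a packet, which is the whole point: a reader keyed on the length field never cares how the sender chunked its writes. A reader that instead assumes one recv() equals one packet will break the moment the header and body land in separate reads.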

Hdx

#39

Quote
0000   13 00 0b 04 00 00 00 01 00 00 00 cc cc cc cc 6c  ...............l
0010   6f 6c 00                                         ol.

I believe cc's here because there is no additional information for the result, since it's success.
(DWORD) Size of Data
(DWORD) Flags
(VOID) Data to be hashed.

Optional*:
(DWORD) Client Key (Double Hash Only)
(DWORD) Server Key (Double Hash Only)
(DWORD) Cookie (Cookie Hash Only)
You're not sending BNLS_HASHDATA properly. No shit it doesn't work.
You seriously, SERIOUSLY need to learn how to read your own packet logs.
Most of the issues you have been having would be obvious if you simply read your logs.


Trunning

#40
I really can't see what I'm doing wrong there, unless I'm using the wrong flag. Or you mean the cc's? Ok well simple fix there.

CMSG_BNLS_HASHDATA packet;
packet.Size = 4; // Size of the data to be hashed?
packet.Flags = 0x01;

char *buffer = (char*)malloc(sizeof(packet) + 4);
memcpy(buffer, &packet, sizeof(packet));
strcpy_s(buffer + sizeof(packet), 4, "lol");

Trunning

#41
Cc's gone, I guess I could make the DWORD Flags a byte, but I can't see how that'll fix this.

0000   0f 00 0b 04 00 00 00 01 00 00 00 6c 6f 6c 00     ...........lol.

Hdx

Post your definition of CMSG_BNLS_HASHDATA.
If you aren't completely thick you'll eventually realize where that data is coming from. You've had this issue before.
Also, the headers are being sent separately because of how I wrote the bncs_send sub (see the 2 send() calls!)

Also, you need to double hash the password, not single.

Anyways, with your last post, thats a valid 0x0B packet! Good for you!

You still need to double hash em.


Trunning

#43
And I've seen the 2 sends in the bncs_send(), but why aren't all packets separated then?

Oh and I'm adding the ClientKey and ServerKey now, since I know I have to use double hash.

And ClientKey is a tracking value? And ServerKey = Server Token?
struct CMSG_BNLS_HASHDATA {
    DWORD Size;
    DWORD Flags;
    void *Data;
};
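
The struct above has a `void *Data` member, so `sizeof(packet)` counts the pointer and `memcpy(buffer, &packet, sizeof(packet))` copies the pointer's own bytes onto the wire right after Flags; that is where the four stray bytes after `01 00 00 00` came from, and why subtracting 4 from the malloc() earlier "worked". The following is an added example, my code and not Trunning's or Hdx's, that does what Hdx suggests: it serializes BNLS_HASHDATA (0x0B) field by field into a flat byte buffer, using the layout Hdx posted (WORD length, BYTE id, DWORD size, DWORD flags, data, then the optional client and server keys for the double hash). The thread does not state which flag bit means single, double or cookie hash, so `flags` is a caller-supplied parameter (assumption: take the value from the BNLS spec); the function names and buffer sizes are mine. With flags 0x01 and the data "lol" plus its NUL, as in the log, it reproduces the 15-byte packet from post #41 byte for byte.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the thread. Builds BNLS_HASHDATA (0x0B) in a
 * flat byte buffer, field by field, instead of memcpy()ing a C struct.
 * Wire layout (little-endian; length counts the header):
 *   WORD  length, BYTE id (0x0B)
 *   DWORD size of data, DWORD flags, data[size]
 *   optional DWORD client key, DWORD server key   (double hash only)
 * The flag bit values for single/double/cookie hash are not given in the
 * thread, so `flags` is passed in by the caller (assumption: look them up in
 * the BNLS spec). */

#define BNLS_HASHDATA 0x0B

static size_t put_u16(uint8_t *b, uint16_t v) { b[0] = (uint8_t)v; b[1] = (uint8_t)(v >> 8); return 2; }
static size_t put_u32(uint8_t *b, uint32_t v) {
    for (int i = 0; i < 4; i++) b[i] = (uint8_t)(v >> (8 * i));
    return 4;
}

/* Writes the packet into out; returns bytes written, or 0 if it does not fit.
 * Keys are appended only when use_keys is non-zero (double hash). */
size_t build_bnls_hashdata(uint8_t *out, size_t cap, uint32_t flags,
                           const void *data, uint32_t len, int use_keys,
                           uint32_t client_key, uint32_t server_key)
{
    size_t need = 3 + 4 + 4 + (size_t)len + (use_keys ? 8 : 0);
    if (need > cap || need > 0xFFFF) return 0;
    size_t p = 0;
    p += put_u16(out + p, (uint16_t)need);
    out[p++] = BNLS_HASHDATA;
    p += put_u32(out + p, len);
    p += put_u32(out + p, flags);
    memcpy(out + p, data, len);
    p += len;
    if (use_keys) {
        p += put_u32(out + p, client_key);
        p += put_u32(out + p, server_key);
    }
    return p;
}

/* What memcpy(&packet, sizeof packet) puts on the wire when the struct holds a
 * `void *Data` member: the pointer's own bytes follow Flags (4 on a 32-bit
 * build, 8 on 64-bit). The fields that belong on the wire total 8 bytes. */
size_t struct_with_pointer_size(void) {
    struct { uint32_t Size, Flags; void *Data; } packet;
    return sizeof packet;
}

int main(void) {
    uint8_t out[64];
    /* Single hash of "lol" with its NUL, as in the log: reproduces
     * 0f 00 0b 04 00 00 00 01 00 00 00 6c 6f 6c 00 */
    size_t n = build_bnls_hashdata(out, sizeof out, 0x01, "lol", 4, 0, 0, 0);
    for (size_t i = 0; i < n; i++) printf("%02x ", out[i]);
    printf("\nstruct-with-pointer size: %zu bytes, wire size of its fields: 8\n",
           struct_with_pointer_size());
    return 0;
}
```

For the double hash, call the same function with use_keys set and the client token used for the CD key plus the server token from 0x50; the two keys land right after the data, and the length in the header grows by 8 without any struct arithmetic.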

Hdx

#44
Because Nagle is clumping things together.
Honestly, you just need to use a data buffer like the rest of us.
You haven't even gotten to the complicated packets with arrays of structs inside them.

The Client Token is a random 32-bit int generated when the connection is established by the client and used for the entire connection.
The Server Token is sent to you in 0x50.
Like I said before you need to use the same client token as you did when hashing the cdkey.

