• Welcome to Valhalla Legends Archive.
 

BnetAuth.dll and YobGul's Hashing Security

Started by Mephisto, May 26, 2004, 07:31 PM

Previous topic - Next topic

Mephisto

After looking through the YobGul's hashing functions I've noticed a series of security risks primarily involving buffer overflows which some of you should be concerned about who use these hashing functions (included in BnetAuth.dll).

Examine the following hashing function in YobGul's hashing algorithm:

bool _stdcall DecodeCDKey(LPCTSTR lpszCDKey, DWORD * lpdwProductId, DWORD * lpdwValue1, DWORD * lpdwValue2) {
  char key[1024], value[1024];
  int i, length, keylength;
  bool bValid;

  length = strlen(lpszCDKey);
  keylength = 0;
  for (i = 0; i < length; i++) {
     if (isalnum(lpszCDKey[i])) {
        key[keylength] = lpszCDKey[i];
        keylength++;
     }
  }
  if (keylength == 13)
     bValid = DecodeStarcraftKey(key);
  else if (keylength == 16)
     bValid = DecodeD2Key(key);
  else
     return false;
  strncpy(value, key, 2);
  value[2] = '\0';
  sscanf(value, "%X", lpdwProductId);
  if (keylength == 16) {
     strncpy(value, &key[2], 6);
     value[6] = '\0';
     sscanf(value, "%X", lpdwValue1);
     strcpy(value, &key[8]);
     value[8] = '\0';
     sscanf(value, "%X", lpdwValue2);
  }
  else if (keylength == 13) {
     strncpy(value, &key[2], 7);
     value[7] = '\0';
     sscanf(value, "%ld", lpdwValue1);
     strncpy(value, &key[9], 3);
     value[3] = '\0';
     sscanf(value, "%ld", lpdwValue2);
  }    
  return bValid;
}

Now, examine more closely the following part of his DecodeCDKey() function:

  length = strlen(lpszCDKey);
  keylength = 0;
  for (i = 0; i < length; i++) {
     if (isalnum(lpszCDKey[i])) {
        key[keylength] = lpszCDKey[i];
        keylength++;
     }
  }


This code takes the size of the CDKey and copies it into an unchecked buffer.  This can cause a buffer overflow at runtime when handling the CDKey and possibly crash your program, corrupt memory, etc. and even provide a method of launching arbitrary code.

It seems however, that most bot developers have handled these necessary checks elsewhere in their code, but for those who don't you may want to heed this as a security risk in your Battle.net hashing utilization software/bots.

I would also check through his hashing functions for other buffers like those and add bound-checking.

iago

Yeah, I noticed that awhile back.  I talked to Skywing, but of course bnls doesn't use Yobgul's code (we're too good for that) so we aren't affected.  But if anybody else is running a bnls ripoff remote hashing server, you might want to watch out for that.
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Maddox

His CheckRevision also has an error. It should be GetFileTime(hFile, NULL, NULL, &ft); where GetFileTime() is called.
asdf.

iago

I think his CheckRevision also assumes there will be 3 operations in the Checksum, and if more are sent I think it will overflow.
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Maddox

#4
Yes, anymore than 4 variables (including S) will cause it to overflow.
asdf.

DarkMinion

People use yobguls checkrevision?  I've always found it better to call the blizzard code (and faster).

Maddox

#6
Then you're dealing with 8 files and import table patching. Though I guess you could just use one file and write the checksum to the process memory every time.
asdf.

iago

Blizzard's also leaks memory (I'm told) and it will only work in Windows computers.
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Yoni

#8
key[keylength] = '\0'; // Skywing Was Here - Fixed potential crash problem

There's no date on this so it's very old.
Thanks. We're safe.

Quote from: iago on May 26, 2004, 07:34 PM
Yeah, I noticed that awhile back.  I talked to Skywing, but of course bnls doesn't use Yobgul's code (we're too good for that) so we aren't affected.  But if anybody else is running a bnls ripoff remote hashing server, you might want to watch out for that.

We use Yobgul's code (very slightly modified) for SC and D2 CD-key decoding. It's nice and fast enough (there's not really that much to do...). We use our own bits of magic in War3 CD-key decoding and in CheckRevision.


Blaze

What would we do without BNLS, Skywing, or Yoni? (Most likely use hashes but thats not the point..)
Quote
Mitosis: Haha, Im great arent I!
hismajesty[yL]: No

Lenny

#11
Would you spend the time to decode it?  How many times must this be said? BNLS IS A SERVICE, No one is under any obligation to offer you this service, and most importantly no one is obligated to give you the hash methods

If you really wanted to, you would spend the effort to do it yourself.
The Bovine Revolution
Something unimportant

Live Battle.net:

WARNING: The preceding message may have contained content unsuitable for young children.

tA-Kane

Quote from: iago on May 28, 2004, 02:45 AMit will only work in Windows computers.
Then would you mind telling me what is contained within PMACverX.mpq and XMACverX.mpq, and how does those platform's clients do the version checking?
Macintosh programmer and enthusiast.
Battle.net Bot Programming: http://www.bash.org/?240059
I can write programs. Can you right them?

http://www.clan-mac.com
http://www.eve-online.com

iago

I reversed/wrote the cdkey decoding myself in Java, and it works on the three major platforms.
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Maddox

Quote from: iago on May 30, 2004, 12:58 AM
I reversed/wrote the cdkey decoding myself in Java, and it works on the three major platforms.

He's asking about CheckRevision, not CD-Key decoding.
asdf.