Author | Message | Time |
---|---|---|
HdxBmx27 | Well, I decided to dink around with BNCSutil. I have been switching my bot from BnetAuth to BNCSutil one protocol at a time. The place I am stuck at is 0x54. Here is how I send 0x53, and it gets accepted by BNCS:
[code]
Public Sub Send0x53(Index As Integer)
    Dim Pointer As Long, Buff As String
    Pointer = nls_init(Config(Index).Username, Config(Index).Password)
    If Pointer = 0 Then
        AddChat Index, vbRed, "[BNET] Failed to initalize NLS functions in 0x53 C->S. Bot Disconnecting."
        Bots(Index).mnuDisconnect_Click
        Exit Sub
    End If
    ' 32-byte output buffer for nls_get_A
    Buff = String(32, vbNull)
    Call nls_get_A(Pointer, Buff)
    PBuffer.InsertNonNTString Buff
    PBuffer.InsertNTString Config(Index).Username
    PBuffer.SendPacket Index, &H53
    nls_free Pointer
End Sub
[/code]
I receive 0x53 back, with a status of 0x00 (accepted):
[code]
Case &H53
    Select Case .removeDWORD
        Case &H0
            Call Send0x54(Index, .removeVOID(32), .removeVOID(32))
    End Select
' note: I have all the other cases in there also.
[/code]
The .Remove functions are from the stupid little packet remover class I made. The 2 .RemoveVOID() calls remove both the Salt and the Server Key (respectively), having removed the Header and the Status beforehand. I use this Sub to send my 0x54 packet:
[code]
Public Sub Send0x54(Index As Integer, S As String, B As String)
    Dim Pointe As Long, Buf As String
    Pointe = nls_init(Config(Index).Username, Config(Index).Password)
    If Pointe = 0 Then
        AddChat Index, vbRed, "[BNET] Failed to initalize NLS functions in 0x54 C->S. Bot Disconnecting."
        Bots(Index).mnuDisconnect_Click
        Exit Sub
    End If
    ' 20-byte output buffer for nls_get_M1
    Buf = String(20, vbNull)
    Call nls_get_M1(Pointe, Buf, B, S)
    PBuffer.InsertNonNTString Buf
    PBuffer.SendPacket Index, &H54
    nls_free Pointe
End Sub
[/code]
As you can see it passes the Salt and Server Key to the sub as strings, and then just passes those strings to the BNCSutil API call. Here is a packet log of the two packets. (It has a few others in it, but you can tell which is which):
[code]
9 192.168.0.11:3268 63.241.83.13:6112 54 Send
0000 FF 2D 04 00 FF 53 32 00 A7 7B DE 9A 9B 61 29 91 .-...S2..{...a).
0010 F5 0A 5B D1 D6 62 AF B1 F4 38 7C DB 9D 3E D6 AD ..[..b...8|..>..
0020 80 5F 2B FC 13 4B 60 16 48 64 78 45 76 69 6C 46 ._+..K`.HdxEvilF
0030 69 72 65 32 37 00 ire27.

10 63.241.83.13:6112 192.168.0.11:3268 27 Recv
0000 FF 2D 1B 00 00 64 37 BB 78 DD C4 01 69 63 6F 6E .-...d7.x...icon
0010 73 2D 57 41 52 33 2E 62 6E 69 00 s-WAR3.bni.

11 63.241.83.13:6112 192.168.0.11:3268 72 Recv
0000 FF 53 48 00 00 00 00 00 7B 13 41 1B FA 58 CA 29 .SH.....{.A..X.)
0010 B2 7D 15 74 A6 F7 6B 9D 3E E9 41 B1 56 D9 7F 9F .}.t..k.>.A.V...
0020 36 9A 2A A6 E1 79 86 37 D1 F4 46 73 8D 6A A2 40 6.*..y.7..Fs.j.@
0030 08 A7 80 11 C3 44 78 5E 80 63 D6 D2 B2 BB 19 93 .....Dx^.c......
0040 90 08 54 4D 8B 30 B5 50 ..TM.0.P

12 192.168.0.11:3268 63.241.83.13:6112 24 Send
0000 FF 54 18 00 A4 45 93 23 D0 69 80 2E 05 6A BD 55 .T...E.#.i...j.U
0010 02 0F E7 24 1E CC 64 C2 ...$..d.

13 63.241.83.13:6112 192.168.0.11:3268 28 Recv
0000 FF 54 1C 00 02 00 00 00 00 00 00 00 00 00 00 00 .T..............
0010 00 00 00 00 00 00 00 00 00 00 00 00 ............
[/code]
Do any of you have any suggestions as to what I might be doing wrong? Oh, and while doing this, I found the new Wc3 patch actually did change the VerHash, yet Bnet still allows for inaccurate VerHashes. So does that actually do anything or is it there just as an extra bit of information? (I'm still looking for a way to get the VerHash in VB myself, not using a hashing library.) So can anyone enlighten me as to my errors? (Besides the fact that VB = lame, I get that a lot, so please don't do it.) ~-~(HDX)~-~ | March 9, 2005, 8:07 AM |
iago | If you're looking for information on how BNCSUtil works for War3 login packets, have a look at: http://www.javaop.com/~iago/SRP.html Or at the appropriate sections of BNetDocs. | March 9, 2005, 11:59 AM |
NetNX | Make sure you get the upgraded version :) <3 BNCSUtil. If it's not on the site yet, msg me on AIM when I get home and I'll send ya it ~_^ | March 9, 2005, 3:31 PM |
HdxBmx27 | Well, I'm using 0.2.3, which is the latest. So iono. Anyone got suggestions? ~-~(HDX)~-~ | March 10, 2005, 5:29 AM |
NetNX | I've been talking to Eric about an example but he seems less than enthusiastic to provide one :-/ I'll beg him again today ~_^ | March 10, 2005, 3:20 PM |
HdxBmx27 | The example that he posted showed me what I was doing wrong. I misunderstood the nls_init() function. I was creating a new pointer for each packet. Simply initializing the pointer on 0x53 C->S and then clearing it on 0x54 C->S fixed it :) Now I have successfully made my bot use ALL login types using local hashing. (Including spawns, and sharewares, and non-cdkeyed products) ~-~(HDX)~-~ | March 11, 2005, 6:36 AM |
NetNX | Hdx, this is Zac ("Grim Reaper Ice"). If you have successfully hashed all clients including spawns, can I see what you have for hashing on your 0x36? (I've been trying to get that for a while without the use of another hashing library :-/) Oh well ~_^ <3 Hdx | March 11, 2005, 3:35 PM |
iago | BNCSutil is opensource, just find the sourcecode for it. | March 11, 2005, 4:11 PM |
shadypalm88 | [quote author=NetNX link=topic=10866.msg103326#msg103326 date=1110555350] Hdx, This is Zac ("Grim Reaper Ice") if you have successfully hashed all clients including spawns can i see what you have for hashing on your 0x36 (ive been trying to get that for a while without the use of another Hashing Library :-/) oh well ~_^ <3 Hdx [/quote]
I've already told NetNX/Zac this, but for the benefit of others, BNCSutil's kd_calculateHash and CDKeyDecoder::calculateHash functions only generate hashes for SID_AUTH_CHECK (0x51, for people who like the numbers), not for SID_CDKEY2 (0x36). The information put into the hash is different between the two (I think SID_AUTH_CHECK just uses an extra zero DWORD). Anyway, I came up with a suggestion for VB users who really want to use SID_CDKEY2 (I don't really think C users should have any trouble). Have a look at the BnetDocs for SID_CDKEY2, where you'll find the list of things, in order, that are used to figure the CD-key hash. Make a new packet buffer and add the things to it. Then just run the buffer through calcHashBuf, something like this:
[code]
Dim Hash As String * 20 ' note the * 20 allocates 20 bytes for Hash
' ... insert the stuff into the packet buffer ...
Call calcHashBuf(Buffer.GetData(), Buffer.GetLength(), Hash)
[/code]
Where Buffer.GetData() gets the contents of the packet buffer and Buffer.GetLength() gets the length of the contents (obviously Len(Buffer.GetData()) would also work). | March 11, 2005, 5:01 PM |
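
Why the fix HdxBmx27 describes (one nls_init handle kept from 0x53 C->S through 0x54 C->S) matters, shown as an added example that is not part of the thread and is not BNCSutil's code: a toy SRP-style exchange in which `ClientCtx` stands in for the handle returned by nls_init. The group parameters, hash layout, class names and credentials are assumptions made for illustration and do not match Battle.net's real NLS values.

```python
import hashlib
import secrets

# Toy parameters (assumed for illustration; not Battle.net's real group).
N = 2**127 - 1      # Mersenne prime used as the modulus
G = 3               # base
K_MULT = 3          # SRP-6 style multiplier

def H(*parts) -> int:
    """SHA-1 over the parts; ints are encoded as 16 big-endian bytes."""
    h = hashlib.sha1()
    for p in parts:
        h.update(p if isinstance(p, bytes) else p.to_bytes(16, "big"))
    return int.from_bytes(h.digest(), "big")

class ClientCtx:
    """Stands in for the nls_init handle: it owns the ephemeral secret a."""
    def __init__(self, user: str, password: str):
        self.user, self.password = user.encode(), password.encode()
        self.a = secrets.randbelow(N - 2) + 1   # fresh on every init
        self.A = pow(G, self.a, N)              # public key sent with the logon request

    def proof(self, salt: bytes, B: int) -> int:
        x = H(salt, self.user, self.password)
        u = H(self.A, B)
        S = pow((B - K_MULT * pow(G, x, N)) % N, self.a + u * x, N)
        return H(self.A, B, S)                  # M1 sent with the logon proof

class Server:
    def __init__(self, user: str, password: str):
        self.salt = secrets.token_bytes(32)
        self.v = pow(G, H(self.salt, user.encode(), password.encode()), N)

    def challenge(self, A: int):
        self.A, self.b = A, secrets.randbelow(N - 2) + 1
        self.B = (K_MULT * self.v + pow(G, self.b, N)) % N
        return self.salt, self.B

    def verify(self, M1: int) -> bool:
        u = H(self.A, self.B)
        S = pow(self.A * pow(self.v, u, N) % N, self.b, N)
        return M1 == H(self.A, self.B, S)

def login(reuse_context: bool) -> bool:
    """Constructed credentials; returns whether the server accepts the proof."""
    server = Server("user", "pass")
    ctx = ClientCtx("user", "pass")
    salt, B = server.challenge(ctx.A)
    if not reuse_context:
        ctx = ClientCtx("user", "pass")         # second init: new a, new A
    return server.verify(ctx.proof(salt, B))
```

With the context reused the proof verifies; with a second init the password is still correct, but the proof is built from a secret the server never saw the public half of, so it is rejected.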