Valhalla Legends Forums Archive | Battle.net Bot Development | 3RAW / PX3W / MD3W Packet Logs

Author | Message | Time
Ringo
Hi

I'm currently adding 3RAW and PX3W into my bot, but I'm having some problems.
Thanks to packet logging Stealthbot and reading a bit of the BNCSutil example bot I was able to make a logon in a few hours, but since I don't own a copy of 3RAW or PX3W it's very hard for me to know what I'm meant to be sending, how I'm meant to be sending it and when I'm meant to be sending it.
My main problem at the moment is when I pass 0x51 and request icons (0x2D) and filetime (0x33). My bot doesn't have icons_WAR3.bni (from 0x2D), and when I try to connect to the FTP server to download it, the FTP server closes the connection on me (like the file doesn't exist, or I'm on a bad client type), but the 0x2D response is telling me the file time, so it must currently be uploaded on the FTP server.
I don't have ANY logs of a legit 3RAW client logon so I can't see what I'm doing wrong (I can download other files, like version MPQs, banners, etc.)
I had a small problem like this when trying to download bnserver-D2DV.ini on PX2D (it's purely for a VD2D request?)
On top of that I have no idea what files the client requests to check the file time on (in 0x33).

I was wondering if someone who has a copy of the game and has done a lot of packet logging on it could send me as many logs as possible? That would be extremely helpful if you can!

I mainly need:

A full logon of 3RAW and PX3W (of the game, not a bot) - (mainly of file time)
If possible! a log which caught icons_WAR3.bni being downloaded from the FTP server (so I can see what I'm not/over sending)

The game list being requested and received (multiple types if there are multiple types...)
(Also the same for the ladder board if possible) or is that on Blizzard's site?

3RAW and PX3W joining some games (ladder and non-ladder, I hear one is UDP and the other is TCP?) a few of these if possible and maybe some in-game packets? (like idling for a while, some chatting, etc.)
(if you could tag each packet in the log like "this is when I joined, this is when I was visible in the game room" etc.) that would be great!

Some clan packets (of all types if possible) and maybe a short explanation of how the structure of the "clan" works? like news, members, channel, requests etc.

Some general logs of war3 in chat (like joining empty channels, creating channels or anything that is different to other clients) would be helpful too!

Sorry if it seems I'm asking a lot, but if you can send me a small fraction of any of those things, or any explanation that I would need to know to help me with what I'm currently doing / stuck on, then it would be helpful!

I'm pretty sure a few logons of the clients would be all I needed though (a log of someone else's bot downloading icons_WAR3.bni would be just as helpful - anything that sends what the client sends)

Thanks in advance.



Edit:
Got this error on sending this post:
[error]
mail() [function.mail]: SMTP server response: 501 5.1.8 < "Valhalla Legends Forum" <nunya@bizness.nyet>>... Domain of sender address nunya@bizness.nyet does not exist

Lucky I didn't have to retype all that (it posted) :P
May 30, 2005, 1:28 PM
UserLoser.
You need to use the newer file transfer protocol to download icons-war3.bni along with other Warcraft 3 specific files.  I don't know of any other bots besides mine in the past which was able to download those files, so looks like you're out of luck there for the meantime.  I really think you should have read the pinned post here or at least gone here.
May 30, 2005, 2:42 PM
Ringo
[quote author=UserLoser link=topic=11725.msg114168#msg114168 date=1117464150]
You need to use the newer file transfer protocol to download icons-war3.bni along with other Warcraft 3 specific files.  I don't know of any other bots besides mine in the past which was able to download those files, so looks like you're out of luck there for the meantime.  I really think you should have read the pinned post here or at least gone here.
[/quote]

Thanks, what version code would that be, and/or what else is different in the packets / sequences for downloading a file?
Can you post a packet log of your bot connecting to it and sending the file request and / or WAR3 itself doing this request? I'd log it myself but I don't have the game..

I'm not sure what pinned post you mean... and I'd rather not go to bnetdocs.. I do those kinds of things from packet logs and I expect you do too.
Also I'm not sure bnetdocs documents this 'newer FTP' protocol.

I just need some packet logs, thanks.
May 30, 2005, 4:28 PM
Ringo
Ah, I've spoken to LoRd[nK] today, and he has sent me some 3RAW and PX3W packet logs which have helped a great deal! thanks!

He also said that for the newer FTP server, it uses hashing, which sheds A LOT of light onto the subject...

I haven't seen the hashing in question, but I'm taking a wild guess that it is server signature related, or is it a hashing of the older file to be updated (client side)?
Maybe UserLoser could explain a little more about this and post a log of this packet in question, I'd like to know a little about it if possible, thanks.
May 30, 2005, 8:36 PM
Soul Taker
It uses your cd-key hash IIRC.
May 30, 2005, 8:42 PM
Ringo
[quote author=Soul Taker link=topic=11725.msg114217#msg114217 date=1117485779]
It uses your cd-key hash IIRC.
[/quote]

Really? Thanks!

In what manner is it used? Is it rehashed in some sense?
May 30, 2005, 8:46 PM
Soul Taker
UL had the whole thing documented on his site before his computer exploded or whatever.  I can't find any of my notes on it at the moment though, so I guess you'd have to ask him.
May 30, 2005, 8:55 PM
Ringo
Thanks, I'm starting to get a bigger picture of this now.
I will await UL's reply, thanks again!
May 30, 2005, 8:57 PM
UserLoser.
Sorry, don't have any notes/formats for it anymore.  Bot was lost too with its source.
May 30, 2005, 10:42 PM
Ringo
[quote author=UserLoser link=topic=11725.msg114238#msg114238 date=1117492926]
Sorry, don't have any notes/formats for it anymore.  Bot was lost too with its source.
[/quote]
Sorry to hear that, it sucks when that happens :(

Can you recall any memories of the way the CD key was hashed? (was it any different to how it is performed in 0x50 or 0x36) Also, is the CD key decoded before it's hashed, and are any other values used in the hashing? And can you remember how long the hashed data was?

I'm guessing the header of the request packet to be sent isn't much different to the 1st FTP server, because by changing the version WORD to 00 02 I can get a 4 byte reply before it closes the connection.

If you could recall anything I would be most grateful, thanks again.
May 30, 2005, 11:14 PM
Ringo
Well, it would seem UserLoser won't/doesn't want to talk about this subject, or at least not with me.

Am I asking too much? I don't want source code, intense documentation or a piggyback ride all the way through the connection.
I just want a few simple answers and a few packet logs so I can get on with it..

This is one main good reason why I do not use bnetdocs unless I really have to, because bnetdocs never documents the packet you're trying to reverse.
And in this case it would seem it's because an editor is withholding the information (why doesn't that surprise me)

I never needed bnetdocs when I stepped through 80+ D2GS packet types / lengths and all the internal values by myself, and I don't expect I will need it to do this.
(Please do not take this as a dig at bnetdocs.. bnetdocs is all good)

One thing I didn't need for this topic was UserLoser trying to prove a point in it.
It's just an FTP game server.... it's not like I'm asking about online banking encryption ...

Thanks to Lord for telling me there is hashing involved and to Soul for telling me it's to do with the CD key hash; I now know what it entails, but they are two very valuable points that UserLoser failed to point out in his 1st post. (Assuming he was trying to prove something rather than being helpful)
But his 1st post really didn't contribute to the discussion in hand at all...

I really don't have the money to buy the client just so I can do this, and "this" is no big deal.. like I said it's just a gaming FTP server, and Blizzard's hashing is somewhat basic as hashing goes.

I'm assuming that UserLoser wasn't purely dependent on other people's knowledge when he wrote the connection, and that he in fact does remember some of it but is not willing to talk about it.

I'm hoping someone can bring some more much needed information about this to the table; a packet log of the requests would be a great start, or anything about the hashing.

I expect UL will be quick to reply to this, as he will feel his point must be proven valid in some way...
I hope you can explain why you can't remember anything (when you were meant to have reversed it in the past)
Or why you're not willing to talk about it.

Again thanks to the people who have contributed to this topic and anyone who can do so in the not so distant future.

Thanks again
May 31, 2005, 12:30 PM
Arta
[quote author=Ringo link=topic=11725.msg114275#msg114275 date=1117542651]
This is one main good reason why I do not use bnetdocs unless I really have to, because bnetdocs never documents the packet you're trying to reverse.
And in this case it would seem it's because an editor is withholding the information (why doesn't that surprise me)
[/quote]

What messages are you trying to find? I don't think editors are in the business of withholding information.

Bnetdocs should provide you with enough information to write a WAR3/W3XP logon. If it does not, feel free to tell me what you feel is missing, so I can improve the site.
May 31, 2005, 1:13 PM
Ringo
Hello, and thanks for the quick response.

The main thing I'm stuck with at the moment is a limited supply of information on the War3 FTP protocol (version 2 I'm guessing).
I'd like to download these files so I can later perform checking on them in the logon:

icons_WAR3.bni
termsofservice-enUS.txt
newaccount-enUS.txt
chathelp-war3-enUS.txt 

But the information I have on this protocol is limited to what has been said in this topic already, and I'm yet to see a raw packet log of the packet in question :(
I mainly need info on the manner of hashing and a packet log of the packet (for format reasons) but I can see how this would be handy to document.

On another bnetdocs note, the packet logs Lord sent me contain 2 sent logon packets that are not listed on bnetdocs (after file checking it sends 0x55 and 0x56).
0x55 looks like an account hash of some sort, 0x56 looks like pure hashed data, but I'm not sure what they are doing/requesting/checking in the logon.
I was wondering if they were important to later functions on the client?

Thanks
May 31, 2005, 1:41 PM
Arta
Hmm. Downloading those files isn't a required part of the logon, but you're right, BnFTP v2 should be documented. I'll write it up when I have a moment. 0x55/56 are the password change messages and they will be added to the site shortly - see this thread. That thread also contains a link to iago's NLS documentation which covers these messages.

If you're interested in reversing bnFTP v2 yourself, but do not own the game, you may wish to use my BnFTP utility to obtain a packet capture. The protocol is much the same, but with an added step for CD key validation, which is performed exactly as it is in the logon.
May 31, 2005, 3:21 PM
Ringo
[quote author=Arta[vL] link=topic=11725.msg114284#msg114284 date=1117552896]
Hmm. Downloading those files isn't a required part of the logon, but you're right, BnFTP v2 should be documented. I'll write it up when I have a moment. 0x55/56 are the password change messages and they will be added to the site shortly - see this thread. That thread also contains a link to iago's NLS documentation which covers these messages.

If you're interested in reversing bnFTP v2 yourself, but do not own the game, you may wish to use my BnFTP utility to obtain a packet capture. The protocol is much the same, but with an added step for CD key validation, which is performed exactly as it is in the logon.
[/quote]

Thank you very much!

What you have provided is extremely resourceful for this, thanks a million!
May 31, 2005, 3:23 PM
Ringo
Hm, would anyone care to explain how to load this bnFTPv2?
I'm finding myself having to read the file for clues :(
I can see commands like: bnftp -g SEXP -p IX86 useast.battle.net SEXP_IX86_1xx_111b.mpq
but how do I load it on the command line? (sorry if this is a stupid question)

Thanks again
May 31, 2005, 5:03 PM
Arta
Go to Start->Run, type cmd, press enter. Use the cd command to change the directory to wherever you have put bnftp.exe, for example: cd c:\bnftp\. Type bnftp -h for help using the program. You'll probably want to do something like bnftp -2 -g WAR3 -p IX86 <Warcraft III cd key> useast.battle.net icons_WAR3.bni.
May 31, 2005, 7:43 PM
Ringo
Thanks, I was able to download a txt file, but it is impossible for me to packet log it...

I can't really carry on with my bot until I have this packet - unless I remove the whole 3RAW and PX3W clients altogether.
The things in line I'm going to add will leave no room for me to come back and do this at a later date, and I can't keep kidding myself that someone on this forum is going to send me a packet log of it.
This packet must be like trying to get hold of rocking horse shit or something (non-existent), or not many people around here can use a packet logger or something..

But thank you to Arta, Soul and Lord, as between you three you have said more than everything I need to know to do this, but I'm still short of the most basic aspect needed to do it (the packet log).

I guess I could have added this yesterday if I had the log, but I'm probably going to have to get rid of the whole client tomorrow, oh well.


[edit]
I was just looking through some FTP version 1 packet logs when I noticed I got the log from StarCraft Shareware ages ago, then it struck me: even though the War3 demo is a few years old it should still use the same FTP protocol and should still need to download the TOS. (so I reinstalled the demo)

[code]
Send 
14 00 00 02 36 38 58 49 4D 44 33 57 00 00 00 00    ....68XIMD3W....
00 00 00 00                                        ....

Send 
00 00 00 00 00 69 13 B8 F3 59 C2 01 AE 63 3E 00    .....i...Y...c>.
00 00 00 00 4B 09 00 00 FB 98 1C 02 00 00 00 00    ....K...........
70 A0 C1 02 A5 15 C6 A7 FA 9D F5 14 4C D6 74 B0    p...........L.t.
3A 8F 61 4C 74 65 72 6D 73 6F 66 73 65 72 76 69    :.aLtermsofservi
63 65 2D 65 6E 55 53 2E 74 78 74 00                ce-enUS.txt.
[/code]

Although the demo doesn't need a CD key, I should be able to pull something out of this based on what has been said already in this topic.
This should give me something to do tomorrow, thanks again.
May 31, 2005, 11:34 PM
Ringo
Hm, this is strange, because this morning I wrote the packets for FTP version 2 and downloaded a file 1st try.
But that wasn't what I found strange:

[code]
[08:39:22] Sent
02                                                 .
[08:39:22] Sent 
14 00 00 02 36 38 58 49 4D 44 33 57 00 00 00 00    ....68XIMD3W....
00 00 00 00                                        ....
[08:39:22] Sent
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00 00 00 00 74 65 72 6D 73 6F 66 73 65 72 76 69    ....termsofservi
63 65 2D 65 6E 55 53 2E 74 78 74 00                ce-enUS.txt.
[08:39:22] Uncollected
66 FD F8 45                                        f..E
[08:39:23] Uncollected
30 00 00 00 F1 48 00 00 00 00 00 00 00 00 00 00    0....H..........
00 69 13 B8 F3 59 C2 01 74 65 72 6D 73 6F 66 73    .i...Y..termsofs
65 72 76 69 63 65 2D 65 6E 55 53 2E 74 78 74 00    ervice-enUS.txt.
42 61 74 74 6C 65 2E 6E 65 74 20 54 65 72 6D 73    Battle.net Terms
20 6F 66 20 55 73 65 20 41 67 72 65 65 6D 65 6E     of Use Agreemen
untill it ended.
[/code]

I tried changing the client DWORD to that of 3RAW and the server closed the connection.
The W3 shareware seems to generate a 20 bit hash though, and it varies every logon (a lot), as do a few other values.

The shareware client looks like it can basically log the whole way onto the west Battle.net server in this null-to-serverside fashion (but stops when a client would normally send logon proof).
I'm yet to write a W3 shareware logon though, but I might add it into my bot anyway (after all it's a semi Battle.net client and it supports the game protocol).
I think it would also be worth doing, just to see if Blizzard have put a block on chat registration (0x0A); knowing Blizzard, probably not..

I will carry on adding the hashing to the packet and try to download the file on 3RAW or PX3W, but I think this W3 shareware might be worth taking a look into.
June 1, 2005, 2:28 PM
Ringo
I had a quick mess around with the W3 shareware and I was right in thinking nothing is checked.
The things I did find to be needed were a correct version byte, and a 3 character country code in 0x50.
Other than that, its protocol mainly just checks the length.
I also found that the server it connects to is not a normal average Battle.net server, but its own server (right in the middle of the west range):
[code]
63.241.83.7
63.241.83.8
63.241.83.9
63.241.83.11
63.241.83.12
63.241.83.13
63.241.83.103 <---
63.241.83.107
63.241.83.108
63.241.83.109
63.241.83.110
63.241.83.111
63.241.83.112
[/code]
Those were the servers I could connect to on an average client (west servers), but the server this demo uses will only accept a W3 demo client.
I'm guessing this server is only built to support the basic elements of the logon, FTP downloading and gaming, so I don't think sending 0x0A would be such a great idea; it got me IP banned from the server for 4 hours, but I was still able to log on to the west servers.

As for the logon, it can be done without performing checkrevision on the game's hash files.
(I kind of figured this out after BNCSutil.dll failed to perform checkrevision on the demo hash, but was fine on all others)
This was how I logged on:
[code]
1  192.168.0.4:3337  63.241.83.103:6112  1  Send 
0000  01                                                 .

2  192.168.0.4:3337  63.241.83.103:6112  53  Send 
0000  FF 50 35 00 00 00 00 00 36 38 58 49 4D 44 33 57    .P5.....68XIMD3W
0010  01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0020  00 00 00 00 00 00 00 00 4F 4D 47 00 48 6F 6D 65    ........OMG.Home
0030  6C 65 73 73 00                                     less.

3  63.241.83.103:6112  192.168.0.4:3337  8  Recv 
0000  FF 25 08 00 31 FE F8 5E                            .%..1..^

4  192.168.0.4:3337  63.241.83.103:6112  8  Send 
0000  FF 25 08 00 31 FE F8 5E                            .%..1..^

5  63.241.83.103:6112  192.168.0.4:3337  230  Recv 
0000  FF 50 E6 00 02 00 00 00 8B 6A 0C DC E2 4D 06 00    .P.......j...M..
0010  00 3C 5B A5 63 E8 C0 01 49 58 38 36 76 65 72 33    .<[.c...IX86ver3
0020  2E 6D 70 71 00 41 3D 32 32 31 31 39 39 35 37 35    .mpq.A=221199575
0030  38 20 42 3D 33 32 32 36 31 35 35 34 39 37 20 43    8 B=3226155497 C
0040  3D 31 31 38 36 39 35 38 31 34 39 20 34 20 41 3D    =1186958149 4 A=
0050  41 2B 53 20 42 3D 42 5E 43 20 43 3D 43 2D 41 20    A+S B=B^C C=C-A
0060  41 3D 41 5E 42 00 BE 8B 94 4A E9 BA 61 81 77 A8    A=A^B....J..a.w.
0070  31 10 B3 4E C7 33 E2 F8 B3 45 12 63 61 D7 A7 B0    1..N.3...E.ca...
0080  C8 C8 70 D8 5F A7 6A 96 CB 04 D5 0B 4D E4 34 EC    ..p._.j.....M.4.
0090  E9 EE 97 91 53 E6 44 8C 98 17 B4 31 E3 76 F8 CE    ....S.D....1.v..
00A0  99 C6 8B B1 DE FE DC 34 39 76 90 DD 64 B6 D1 E2    .......49v..d...
00B0  97 58 91 36 C7 19 96 2B 46 D4 C5 B3 6A 8A 66 EC    .X.6...+F...j.f.
00C0  20 2F B4 75 AA C1 09 10 C0 DD 3D F8 3D F0 1F BC     /.u......=.=...
00D0  F1 DC 10 AE A1 AB E5 12 E1 43 A2 98 84 80 5B 8B    .........C....[.
00E0  D5 55 4A 68 50 C6                                  .UJhP.

6  192.168.0.4:3337  63.241.83.103:6112  26  Send 
0000  FF 51 1A 00 00 00 00 00 00 00 00 00 00 00 00 00    .Q..............
0010  00 00 00 00 00 00 00 00 00 00                      ..........

7  63.241.83.103:6112  192.168.0.4:3337  9  Recv 
0000  FF 51 09 00 00 00 00 00 00                         .Q.......

8  192.168.0.4:3337  63.241.83.103:6112  48  Send 
0000  FF 53 30 00 00 00 00 00 00 00 00 00 00 00 00 00    .S0.............
0010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0020  00 00 00 00 53 69 72 4E 75 6C 6C 41 6C 6F 74 00    ....SirNullAlot.

9  63.241.83.103:6112  192.168.0.4:3337  28  Recv 
0000  FF 54 1C 00 00 00 00 00 00 00 00 00 00 00 00 00    .T..............
0010  00 00 00 00 00 00 00 00 00 00 00 00                ............
[/code]

I don't see much more to figure out from the client, other than that you can Mickey Mouse the logon.
If for example the server was to introduce a version 2.0 for the demo, I'm assuming it would do this check on the version byte, or once the patch was uploaded, they'd start checking the client's 0x51 info?

I can't help thinking this relates to this topic in some way, even though it uses a different server.
June 2, 2005, 8:20 PM
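To see concretely what the demo server offers in that 0x50 reply, and what the all-zero 0x51 that follows it simply ignores, here is an added example (not code from the thread or from any bot named in it) that reassembles message 5 from the log above, validates the BNCS frame header before trusting its declared length, and decodes the server token, version-check MPQ, checkrevision formula and signature length. It assumes the standard BNCS 0x50 field layout; the hex is copied from the post with the ASCII column dropped.

```python
import struct
# Message 5 of the posted log (SID_AUTH_INFO, 230 bytes), ASCII column dropped.
AUTH_INFO_DUMP = """
0000  FF 50 E6 00 02 00 00 00 8B 6A 0C DC E2 4D 06 00
0010  00 3C 5B A5 63 E8 C0 01 49 58 38 36 76 65 72 33
0020  2E 6D 70 71 00 41 3D 32 32 31 31 39 39 35 37 35
0030  38 20 42 3D 33 32 32 36 31 35 35 34 39 37 20 43
0040  3D 31 31 38 36 39 35 38 31 34 39 20 34 20 41 3D
0050  41 2B 53 20 42 3D 42 5E 43 20 43 3D 43 2D 41 20
0060  41 3D 41 5E 42 00 BE 8B 94 4A E9 BA 61 81 77 A8
0070  31 10 B3 4E C7 33 E2 F8 B3 45 12 63 61 D7 A7 B0
0080  C8 C8 70 D8 5F A7 6A 96 CB 04 D5 0B 4D E4 34 EC
0090  E9 EE 97 91 53 E6 44 8C 98 17 B4 31 E3 76 F8 CE
00A0  99 C6 8B B1 DE FE DC 34 39 76 90 DD 64 B6 D1 E2
00B0  97 58 91 36 C7 19 96 2B 46 D4 C5 B3 6A 8A 66 EC
00C0  20 2F B4 75 AA C1 09 10 C0 DD 3D F8 3D F0 1F BC
00D0  F1 DC 10 AE A1 AB E5 12 E1 43 A2 98 84 80 5B 8B
00E0  D5 55 4A 68 50 C6
"""

def dump_to_bytes(dump: str) -> bytes:
    """Reassemble 'OFFSET  XX XX ...' hex-dump lines into raw bytes."""
    raw = bytearray()
    for line in dump.strip().splitlines():
        raw.extend(int(tok, 16) for tok in line.split()[1:])
    return bytes(raw)

def split_frame(buf: bytes):
    """Validate the BNCS header (0xFF, id, LE WORD length) and return (id, payload).
    The declared length is checked against what actually arrived before use."""
    if len(buf) < 4 or buf[0] != 0xFF:
        raise ValueError("not a BNCS frame")
    msg_id, length = buf[1], struct.unpack_from("<H", buf, 2)[0]
    if length < 4 or length > len(buf):
        raise ValueError(f"declared length {length} does not fit {len(buf)} bytes")
    return msg_id, buf[4:length]

def frame_ok(buf: bytes) -> bool:
    try:
        split_frame(buf)
        return True
    except ValueError:
        return False

def read_cstring(buf: bytes, pos: int):
    """Read a NUL-terminated ASCII string; ValueError if the NUL is missing."""
    end = buf.index(b"\0", pos)
    return buf[pos:end].decode("ascii"), end + 1

def parse_auth_info(buf: bytes) -> dict:
    """Decode the 0x50 fields the client is expected to act on."""
    msg_id, p = split_frame(buf)
    if msg_id != 0x50:
        raise ValueError(f"expected SID_AUTH_INFO, got 0x{msg_id:02X}")
    logon_type, server_token, udp_value, filetime = struct.unpack_from("<IIIQ", p, 0)
    mpq, pos = read_cstring(p, 20)
    formula, pos = read_cstring(p, pos)
    return {"logon_type": logon_type, "server_token": server_token,
            "udp_value": udp_value, "mpq_filetime": filetime, "mpq": mpq,
            "formula": formula, "signature_len": len(p) - pos}  # 128 for WAR3

def parse_formula(formula: str):
    """Split 'A=.. B=.. C=.. 4 A=A+S ...' into (seeds, op count, ops)."""
    seeds, ops, count = {}, [], 0
    for tok in formula.split():
        name, eq, value = tok.partition("=")
        if not eq:
            count = int(tok)
        elif value.isdigit():
            seeds[name] = int(value)
        else:
            ops.append(tok)
    if count != len(ops):
        raise ValueError("operation count does not match formula")
    return seeds, count, ops
```

Run against the capture, `parse_auth_info` yields server token 0xDC0C6A8B and MPQ IX86ver3.mpq with a 128-byte signature, none of which the demo client reflects back in its 0x51.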
Arta
BnFTP Version 2 has now been published. I've only just put it up, so it'll probably need some tweaking. Let me know what you think.
June 2, 2005, 9:49 PM
Ringo
[quote author=Arta[vL] link=topic=11725.msg114620#msg114620 date=1117748952]
BnFTP Version 2 has now been published. I've only just put it up, so it'll probably need some tweaking. Let me know what you think.
[/quote]
Thanks, you probably guessed my luck with FTPv2 wasn't going too great, seems I got drawn into this demo :)
I had a quick look at it and it looks very well documented and complete, thank you.
(DWORD) Server Token
That has hit the nail right on the head, I get it now, thank you.
June 2, 2005, 10:04 PM
UserLoser
[quote author=Ringo link=topic=11725.msg114275#msg114275 date=1117542651]
Well, it would seem UserLoser won't/doesn't want to talk about this subject, or at least not with me.

Am I asking too much? I don't want source code, intense documentation or a piggyback ride all the way through the connection.
I just want a few simple answers and a few packet logs so I can get on with it..

This is one main good reason why I do not use bnetdocs unless I really have to, because bnetdocs never documents the packet you're trying to reverse.
And in this case it would seem it's because an editor is withholding the information (why doesn't that surprise me)

I never needed bnetdocs when I stepped through 80+ D2GS packet types / lengths and all the internal values by myself, and I don't expect I will need it to do this.
(Please do not take this as a dig at bnetdocs.. bnetdocs is all good)

One thing I didn't need for this topic was UserLoser trying to prove a point in it.
It's just an FTP game server.... it's not like I'm asking about online banking encryption ...

Thanks to Lord for telling me there is hashing involved and to Soul for telling me it's to do with the CD key hash; I now know what it entails, but they are two very valuable points that UserLoser failed to point out in his 1st post. (Assuming he was trying to prove something rather than being helpful)
But his 1st post really didn't contribute to the discussion in hand at all...

I really don't have the money to buy the client just so I can do this, and "this" is no big deal.. like I said it's just a gaming FTP server, and Blizzard's hashing is somewhat basic as hashing goes.

I'm assuming that UserLoser wasn't purely dependent on other people's knowledge when he wrote the connection, and that he in fact does remember some of it but is not willing to talk about it.

I'm hoping someone can bring some more much needed information about this to the table; a packet log of the requests would be a great start, or anything about the hashing.

I expect UL will be quick to reply to this, as he will feel his point must be proven valid in some way...
I hope you can explain why you can't remember anything (when you were meant to have reversed it in the past)
Or why you're not willing to talk about it.

Again thanks to the people who have contributed to this topic and anyone who can do so in the not so distant future.

Thanks again
[/quote]

I just read this now, never read this post before.  So I want to reply just so you don't think I was ignoring you.  I in fact do remember how the system worked and I figured it out independently and wrote a standalone Ftpv2 client and implemented it into my bot.  Just as far as the format, I didn't have it at the time of my first posts in this thread because I lost all my previous source code and basically everything on my computer (it's now on BnetDocs anyway thanks to someone else).
July 7, 2006, 6:52 AM