Valhalla Legends Forums Archive | Battle.net Bot Development | [Solved][VB] C-> S 0x51 Packet

LockesRabb
SID_AUTH_CHECK Info:

[quote](DWORD) Client Token
(DWORD) EXE Version
(DWORD) EXE Hash
(DWORD) Number of keys in this packet
(BOOLEAN) Using Spawn (32-bit)

For Each Key:
(DWORD) Key Length
(DWORD) CD key's product value
(DWORD) CD key's public value
(DWORD) Unknown (0)
(DWORD[5]) Hashed Key Data

(STRING) Exe Information
(STRING) CD Key owner name[/quote]

After studying the BNETDocs, I tried to code a 0x51 packet, and got stuck in the process. The Client Token was easy enough, only had to use GetTickCount() API for that one.

EXE Version: Does that follow a specific format? And how can this be obtained dynamically without hard-coding it?

How is a EXE Hash formatted, and how does one go about hashing an EXE? I'm assuming here that it's the Starcraft.exe that needs to be hashed...

(DWORD) Number of keys in this packet

Number of keys? As in number of cdkeys, or how many numbers inside the cdkey, or what?

For Spawn, can I just do:

.INSERTDWORD &H0  'Zero, boolean for false

Or does it have to be done another way?
September 12, 2005, 1:25 AM
l2k-Shadow
Use BNCSUtil Hashing Library to get those values... a vb example source on how to use it is also on the site.

[quote](DWORD)      Number of keys in this packet

Number of keys? As in number of cdkeys, or how many numbers inside the cdkey, or what?[/quote]

Yeah, number of cdkeys. 0x00000001 for STAR, SEXP, W2BN, D2DV, WAR3 and 0x00000002 for D2XP and W3XP.

[quote]
For Spawn, can I just do:

.INSERTDWORD &H0  'Zero, boolean for false

Or does it have to be done another way?[/quote]

that works :)
September 12, 2005, 1:34 AM
LockesRabb
So, because I'll be only using one cdkey (it being Starcraft), I should just put down:

[code].InsertDWORD &H1 'only one cdkey, if two cdkeys, &H2[/code]

Right?
September 12, 2005, 1:58 AM
l2k-Shadow
Right.
September 12, 2005, 1:58 AM
LockesRabb
Since this is a very sensitive packet to battle.net (high risk of ipban), is there a server I can test the bot on so I won't have to worry about ipban?

[Edit: added to avoid double post]

Oh and-- how do I know I've gotten IPBanned? Does Battle.net send a packet informing me of ipban before disconnecting?
September 12, 2005, 2:02 AM
l2k-Shadow
No, it just disconnects you and when you attempt to connect again you'll receive winsock error 10053.
September 12, 2005, 2:16 AM
LockesRabb
[code] ' Check server signature.
    If (UseNLS) Then
        ServerSignature = P.GetFixedString(128)
        If (Not nls_check_socket_signature(frmMain.WS.SocketHandle, ServerSignature)) Then
            Disconnect
            MsgBox "Server signature check failed.", vbExclamation, "Example Bot"
        End If
    End If[/code]

This section errored out-- says Sub/Function not defined. nls_check_socket_signature() was the one highlighted. I decided to do some checking around, and found out there was not only no sub/function for it which means it's in bncsutil.dll, but the declaration for it also was missing.

Do you by any perchance have the declaration for that particular sub?
September 12, 2005, 2:50 AM
l2k-Shadow
This DL has all of the current declarations.

BTW what packet buffer are you using?

EDIT: You know, you don't have to use that declare anyway...
September 12, 2005, 3:40 AM
LockesRabb
I'm using Dark Minion's Packet Buffer class.

[quote]What's the “mpqNumber” argument in checkRevision? 
This is the number in the filename received in 0x50 (SID_AUTH_INFO) that looks like “IX86ver#.mpq”.  You can get this number by using the extractMPQNumber function. [/quote]

Why does the mpq number matter?
September 12, 2005, 3:42 AM
shout
[quote author=Kyro link=topic=12781.msg127820#msg127820 date=1126496576]
Why does the mpq number matter?
[/quote]

The MPQ number is which IX86Ver?.dll to emulate.
September 12, 2005, 3:45 AM
l2k-Shadow
[quote author=Shout link=topic=12781.msg127821#msg127821 date=1126496713]
[quote author=Kyro link=topic=12781.msg127820#msg127820 date=1126496576]
Why does the mpq number matter?
[/quote]

The MPQ number is which IX86Ver?.dll to emulate.
[/quote]

In more understandable words, Battle.net assigns you a .dll file with which to use CheckRevision(). There are 8 dlls and each has its own unique checksum key. BNCSUtil, however, has all of these 8 checksum keys inside itself, so by the MPQ number, you're telling it which one to use.
September 12, 2005, 3:53 AM
LockesRabb
Alright, got it. I'm curious about something:

[code]    ' Check server signature.
    If (UseNLS) Then
        ServerSignature = P.GetFixedString(128)
        If (Not nls_check_socket_signature(frmMain.WS.SocketHandle, ServerSignature)) Then
            Disconnect
            MsgBox "Server signature check failed.", vbExclamation, "Example Bot"
        End If
    End If[/code]

Why check the server signature?
September 12, 2005, 4:05 AM
l2k-Shadow
I think it's to make sure that the server is authentic bnet server, there is no use for it really.
September 12, 2005, 4:44 AM
LockesRabb
[code]'SID_AUTH_CHECK
Public Sub P0x51(ServerToken As Long, Ix86verfilename As String, ChecksumFormula As String)
    AddC vbMagenta, "Assembling 0x51 SID_AUTH_CHECK Packet..."
    Dim ClientToken As Long
    Dim EXEVersion As Long
    Dim EXEHash As Long
    Dim KeyLen As Long
    Dim CDKeyProductValue As Long
    Dim CDKeyPublicValue As Long
    Dim HashedKeyData As Long
    Dim EXEInformation As String
    Dim CDKeyOwnerName As String
    Dim EXEPath As String, DLLPath As String, ThirdPath As String
    ' Outputs filled in by the BNCSUtil calls below (declared so the sub
    ' also compiles under Option Explicit).
    Dim EXEInfo As String, Checksum As Long, mpqNumber As Long
     
    EXEPath = ProgHashPath & ProgFileName
    DLLPath = ProgHashPath & DLLFileName
    ThirdPath = ProgHashPath & ThirdFileName
     
    ClientToken = GetTickCount()
    EXEVersion = getExeInfo(EXEPath, EXEInfo)
    mpqNumber = extractMPQNumber(Ix86verfilename)
         
    ' Perform revision check operations.
    If (checkRevision(ChecksumFormula, EXEPath, DLLPath, ThirdPath, mpqNumber, Checksum) = False) Then
        DMBot.BNET.Close
        Call DMBot.BNET_Close
        AddC vbRed, "CheckRevision failed."
        Exit Sub
    End If
     
    AddC vbMagenta, "Done."
    'Now data for the packet has been gathered,
    'begin assembling the packet
End Sub[/code]

How does that look so far? Any errors?
September 12, 2005, 4:46 AM
l2k-Shadow
Looks good so far :)
September 12, 2005, 4:58 AM
LockesRabb
Excellent, I'll begin coding the packet assembly. Thanks!
September 12, 2005, 5:10 AM
JoeTheOdd
Testing Server
September 12, 2005, 6:20 AM
LockesRabb
TestBNCS Server Checks:

Server: joe.x86labs.org
Owner: Joe[x86]
Status: Nonoperational
Notes: Joe[x86] *did* warn it's not a 24/7 server, so he has an excuse.

Server: TheHague.Shacknet.nu
Owner: Trance
Status: Nonoperational

Server: 68.39.37.231/usnorth.no-ip.org
Owner: Remain
Status: Nonoperational

Server: Pyroserver.no-ip.org
Owner: BNCSFan (Guest)
Status: Nonoperational

:(
September 12, 2005, 6:47 AM
JoeTheOdd
Try hdx.no-ip.org
September 12, 2005, 8:15 AM
LockesRabb
@Joe- hdx.no-ip.org didn't respond to my bot either. Asia, USWest, USEast, Europe all responded to my bot. So I assume hdx.no-ip.org is also nonoperational.

@Everyone-- warning- this is a long post. Done coding the C->S 0x51 Packet Sub and the 0x51 handler. Please, if alright with you, look at the sub and tell me if it looks good, and if there's any flaws. If you see any way I can improve on it, I'm always open to suggestions!

[code]'SID_AUTH_CHECK
Public Sub P0x51(ServerToken As Long, Ix86verfilename As String, ChecksumFormula As String)
    AddC vbMagenta, "Assembling 0x51 SID_AUTH_CHECK Packet..."
    Dim ClientToken As Long
    Dim EXEVersion As Long
    Dim EXEHash As Long
    Dim NumberOfKeys As Long
    Dim KeyLen As Long
    Dim CDKeyProductValue As Long
    Dim CDKeyPublicValue As Long
    Dim HashedKeyData As Long
    Dim EXEInformation As String
    Dim CDKeyOwnerName As String
    Dim EXEPath As String, DLLPath As String, ThirdPath As String
    ' Outputs filled in by the BNCSUtil calls below (declared so the sub
    ' also compiles under Option Explicit).
    Dim EXEInfo As String, Checksum As Long, mpqNumber As Long
    Dim decoder As Long, HashLength As Long, KeyHash As String
   
    EXEPath = ProgHashPath & ProgFileName
    DLLPath = ProgHashPath & "storm.dll"
    ThirdPath = ProgHashPath & "battle.snp"
   
    ClientToken = GetTickCount()
    EXEVersion = getExeInfo(EXEPath, EXEInfo)
    mpqNumber = extractMPQNumber(Ix86verfilename)
       
    ' Perform revision check operations.
    If (checkRevision(ChecksumFormula, EXEPath, DLLPath, ThirdPath, mpqNumber, Checksum) = False) Then
        DMBot.BNET.Close
        Call DMBot.BNET_Close
        AddC vbRed, "CheckRevision failed."
        Exit Sub
    End If
   
    'Decode the main CD-key.
    decoder = kd_create(bnetcdkey, Len(bnetcdkey))
    If (decoder = -1) Then
        DMBot.BNET.Close
        Call DMBot.BNET_Close
        AddC vbRed, "Failed to decode your CD-key."
        Exit Sub
    End If
   
    ' Calculate key hash (uses both tokens, so it is unique to this session).
    HashLength = kd_calculateHash(decoder, ClientToken, ServerToken)
    If (HashLength = 0) Then
        DMBot.BNET.Close
        Call DMBot.BNET_Close
        AddC vbRed, "Failed to hash your CD-key."
        Exit Sub
    End If
   
    ' Retrieve key hash.
    KeyHash = String$(HashLength, vbNullChar) ' Initialize buffer.
    Call kd_getHash(decoder, KeyHash)
   
    AddC vbMagenta, "Done gathering data, finalizing assembly..."
   
    'Now data for the packet has been gathered,
    'begin assembling the packet

    With PacketBuf
        .InsertDWORD ClientToken    'Client Token
        .InsertDWORD EXEVersion     'EXE Version
        .InsertDWORD Checksum       'EXE Hash
        .InsertDWORD &H1            'only one cdkey, if two cdkeys, &H2
        .InsertDWORD &H0            'Spawn = False
        .InsertDWORD Len(bnetcdkey)         'CDKey Length
        .InsertDWORD kd_product(decoder)    'CD key's product value
        .InsertDWORD kd_val1(decoder)       'CD key's public value
        .InsertDWORD 0                      'Unknown, just put zero
        .InsertNonNTString KeyHash          'Hashed Key Data (DWORD[5], no terminator)
        .InsertString EXEInfo               'EXE Info
        .InsertString "Don Cullen"          'CDKey owner.
        .SendPacket DMBot.BNET, &H51        'Send 0x51 packet
    End With
   
    ' Release the key decoder.
    Call kd_free(decoder)
   
    AddC vbMagenta, "0x51 SID_AUTH_CHECK packet sent."
   
End Sub[/code]

Also, if you have time, check out my 0x50 and 0x51 response handler and give me your thoughts- I worked all day on those two packets, and would appreciate input on them:

[code]        Case &H50
            AddC vbYellow, "BNET: Gimme your cdkey. And who are you?"
           
            Dim LogonType As Long
            Dim ServerToken As Long
            Dim UDPValue As Long
            Dim MPQFileTime As String
            Dim Ix86verfilename As String
            Dim ValueString As String
           
            LogonType = PktDeBuf.rDWORD
            ServerToken = PktDeBuf.rDWORD
            UDPValue = PktDeBuf.rDWORD
            MPQFileTime = PktDeBuf.rFILETIME(True)
            Ix86verfilename = PktDeBuf.rNTString
            ValueString = PktDeBuf.rNTString
            AddC vbWhite, ValueString
            If LogonType = &H0 Then
                AddC vbWhite, "LogonType = STAR/SEXP/D2DV/D2XP"
            ElseIf LogonType = &H1 Then
                AddC vbWhite, "LogonType = War3Beta"
            ElseIf LogonType = &H2 Then
                AddC vbWhite, "Logon Type = War3"
            Else
                AddC vbRed, "Unrecognized logon type var: " & LogonType
            End If
            'Now send 0x51
            'Call P0X51(ServerToken, Ix86verfilename, ValueString)
           
            AddC vbYellow, "DMBot: There ya go. Happy?"
            BNETDiscReq = True
            DMBot.BNET.Close
            DumpPacket (PacketData)
            AddC vbWhite, "Forced Disconnect to avoid ipban since we haven't done 0x51 yet."
            Call DMBot.BNET_Close
            Exit Sub
        Case &H51
            AddC vbYellow, "BNET: Well..." 'They got authentication info
            Dim BNETResponse As Long
            Dim strTMP As String
            BNETResponse = PktDeBuf.rDWORD
            Select Case BNETResponse
                Case &H0
                    'OK.
                    AddC vbYellow, "BNET: Fine, I'll accept that..."
                Case &H100
                    DMBot.BNET.Close
                    AddC vbRed, "BNET: Nope. Jeez, your game version is old! Update it, dude! Bye..."
                    Call DMBot.BNET_Close
                    DumpPacket (PacketData)
                    Exit Sub
                Case &H101
                    DMBot.BNET.Close
                    AddC vbRed, "BNET: Nope. Invalid game version. Bye."
                    Call DMBot.BNET_Close
                    DumpPacket (PacketData)
                    Exit Sub
                Case &H102
                    DMBot.BNET.Close
                    AddC vbRed, "BNET: Nope. Your game needs to be downgraded. Bye."
                    Call DMBot.BNET_Close
                    DumpPacket (PacketData)
                    Exit Sub
                Case &H200
                    DMBot.BNET.Close
                    AddC vbWhite, "BNET: Nope. Invalid CDKey. Bye."
                    Call DMBot.BNET_Close
                    DumpPacket (PacketData)
                    Exit Sub
                Case &H201
                    strTMP = PktDeBuf.rNTString
                    DMBot.BNET.Close
                    If LenB(strTMP) > 0 Then
                        AddC vbWhite, "BNET: Dude, " & strTMP & "'s using your CDKey! Sorry... Bye."
                    Else
                        AddC vbWhite, "BNET: Dude, someone's using your CDKey! Sorry... Bye."
                    End If
                    DumpPacket (PacketData)
                    Call DMBot.BNET_Close
                    Exit Sub
                Case &H202
                    DMBot.BNET.Close
                    AddC vbWhite, "BNET: Dude- that CDKey's banned and ain't welcome to BNET! Bye!"
                    Call DMBot.BNET_Close
                    DumpPacket (PacketData)
                    Exit Sub
                Case &H203
                    DMBot.BNET.Close
                    AddC vbWhite, "BNET: LOL dude- that CDKey's for a different game! Heh, bye!"
                    Call DMBot.BNET_Close
                    DumpPacket (PacketData)
                    Exit Sub
                Case &H210
                    DMBot.BNET.Close
                    AddC vbWhite, "BNET: Invalid Expansion CDKey! Sorry, ain't letting you in! Bye!"
                    Call DMBot.BNET_Close
                    DumpPacket (PacketData)
                    Exit Sub
                Case &H211
                    strTMP = PktDeBuf.rNTString
                    DMBot.BNET.Close
                    If LenB(strTMP) > 0 Then
                        AddC vbWhite, "BNET: Dude, " & strTMP & "'s using your Expansion CDKey! Sorry... Bye."
                    Else
                        AddC vbWhite, "BNET: Dude, someone's using your Expansion CDKey! Sorry... Bye."
                    End If
                    DumpPacket (PacketData)
                    Call DMBot.BNET_Close
                    Exit Sub
                Case &H212
                    DMBot.BNET.Close
                    AddC vbWhite, "BNET: Dude- that Expansion CDKey's banned and ain't welcome to BNET! Bye!"
                    Call DMBot.BNET_Close
                    DumpPacket (PacketData)
                    Exit Sub
                Case &H213
                    DMBot.BNET.Close
                    AddC vbWhite, "BNET: LOL dude- that Expansion CDKey's for a different game! Heh, bye!"
                    Call DMBot.BNET_Close
                    DumpPacket (PacketData)
                    Exit Sub
                Case CLng("&H" & VerByte)
                    DMBot.BNET.Close
                    AddC vbWhite, "BNET: Nope. Invalid VerByte, never heard of it. Bye."
                    Call DMBot.BNET_Close
                    DumpPacket (PacketData)
                    Exit Sub
                Case Else
                    DMBot.BNET.Close
                    AddC vbWhite, "BNET: SID_AUTH_CHECK failed for an unknown reason."
                    AddC vbWhite, "BNET: Maybe it's because I don't like you? LOL! Bye..."
                    DumpPacket (PacketData)
                    Call DMBot.BNET_Close
                    Exit Sub
            End Select[/code]

Everything look good?

I plan on testing the bot on Asia.Battle.net tomorrow, and if it works, I plan on getting to work on sending and handling the 0x3A packet, and if that goes smoothly, I'll move onto the 0x14 and 0x0A packets. I'll check your posts in response to this first thing after class BEFORE I test bot- I want you guys, if you guys don't mind, to confirm the code looks safe enough to not get me ipbanned before I test it. If you guys are willing to look it over, it'd be much appreciated-- if not, thanks for your time anyway! Thanks to everyone who has helped me to learn so much as to get this far!!! ;D
September 12, 2005, 8:29 AM
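An added example, not code from the thread or from BNCSUtil: the 0x51 body quoted from BNETDocs at the top of the thread packed in Python, plus a parser for the result DWORD that the 0x51 handler above switches on. The BNCS header format is assumed from protocol knowledge, the token/version/hash/key values are constructed placeholders, and BNCSUtil's checkRevision and kd_* steps are not reproduced.

```python
import struct

# SID_AUTH_CHECK (0x51) body, packed little-endian so each DWORD lands where
# the layout quoted from BNETDocs at the top of the thread puts it.
def build_sid_auth_check(client_token, exe_version, exe_hash, keys,
                         exe_info, owner, spawn=False):
    # Each key dict carries what the VB code gets from bncsutil: length,
    # product, public, and a 20-byte hash (DWORD[5]).
    body = struct.pack("<IIIII", client_token, exe_version, exe_hash,
                       len(keys), 1 if spawn else 0)
    for key in keys:
        if len(key["hash"]) != 20:
            raise ValueError("hashed key data must be exactly DWORD[5]")
        body += struct.pack("<IIII", key["length"], key["product"],
                            key["public"], 0)      # last DWORD is always 0
        body += key["hash"]
    body += exe_info.encode("ascii") + b"\x00"      # null-terminated STRING
    body += owner.encode("ascii") + b"\x00"
    return body

def bncs_frame(packet_id, body):
    # 4-byte BNCS header (0xFF, id, WORD total length) that SendPacket adds.
    # Assumed from protocol knowledge; the thread itself never shows it.
    return struct.pack("<BBH", 0xFF, packet_id, 4 + len(body)) + body

# Result codes the 0x51 handler in the thread distinguishes; 0x210-0x213 are
# the expansion-key variants of 0x200-0x203.
AUTH_CHECK_RESULTS = {
    0x000: "ok",
    0x100: "old game version",
    0x101: "invalid game version",
    0x102: "game version must be downgraded",
    0x200: "invalid CD key",
    0x201: "CD key in use",
    0x202: "banned CD key",
    0x203: "CD key is for a different game",
}

def parse_sid_auth_check_response(body):
    # Returns (result text, trailing string, is_expansion_key); the trailing
    # string is the user name sent with 0x201/0x211, empty otherwise.
    if len(body) < 4:
        raise ValueError("0x51 response shorter than the result DWORD")
    (result,) = struct.unpack_from("<I", body, 0)
    extra = body[4:].split(b"\x00", 1)[0].decode("ascii", "replace")
    expansion = 0x210 <= result <= 0x213
    text = AUTH_CHECK_RESULTS.get(result - 0x10 if expansion else result,
                                  "unknown result 0x%X" % result)
    return text, extra, expansion

# Constructed sample values (placeholder token, version, hash and key data,
# not from any real client or CD key) so the builder runs offline.
SAMPLE_EXE_INFO = "starcraft.exe 09/12/05 00:00:00 1234567"
SAMPLE_OWNER = "bot owner"
SAMPLE_KEY = {"length": 13, "product": 0x01, "public": 0x00ABCDEF,
              "hash": bytes(range(20))}
SAMPLE_BODY = build_sid_auth_check(0x0BADF00D, 0x01000A05, 0xCAFEBABE,
                                   [SAMPLE_KEY], SAMPLE_EXE_INFO, SAMPLE_OWNER)
```

Comparing the offsets of SAMPLE_BODY against the DWORD-by-DWORD layout is a quick way to confirm a packet buffer is inserting fields in the right order before sending anything to a live server.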
shout
Note on style, you should not use 'P0x51' as a function name, it will make it harder to read and maintain.

[quote author=Kyro link=topic=12781.msg127848#msg127848 date=1126513741]
[code]
AddC vbYellow, "DMBot: There ya go. Happy?"
[/code]
[/quote]

DMBot!?
September 12, 2005, 12:23 PM
LockesRabb
DM = Demented Minds, DM is abbrev of that. For proof, www.dementedminds.org , and here's the source for a script coded for DM: http://www.doncullen.net/bnetphp.txt . My DM aka is Kyro[DM]. I realize this is confusing, since there's also a DMBot by Dark Minion, so I'm renaming bot to something else, like DementedBot or something. Not sure of name. I left it to DMBot for now, until I get the basic functionalities completed.

[Edit: fixed links]

As for P0x51, it's easy for me to read, so that isn't really a problem. When I see P0x51, I automatically think Packet 0x51. And besides, I originally wanted:

[code]Private Sub 0x51(vars, here)
'yadda yadda
End Sub[/code]

But VB doesn't allow sub/function names to start with numbers. Other than style, do you see any bugs/errors/flaws?

I'm going to hit the shower and head out--- gotta catch bus in half hour for college class. Will check back here after class. Thanks for the input so far.
September 12, 2005, 1:10 PM
HdxBmx27
My server is up, I just took it down cuz after 12 weeks.. without a SINGLE login. It looked kind of pointless. But it's back up now for your testing purposes. Have fun. Only thing is, BNLS doesn't work for the latest SC patch, Neither does my JBLS server report the correct ver for testBNCS ... but it does for normal BNCS.. I'll look into it tonight
~-~(HDX)~-~
September 12, 2005, 2:12 PM
LockesRabb
My bot doesn't use BNLS, so it's no problem. Thanks! That'll let me test my bot without worrying about getting ipbanned for a screw up in coding process... Heh.

I just tested my bot on Asia.battle.net, and Europe.battle.net, apparently it works fine without any problems. But if you don't mind, I'd love some input on my code, I'm always looking for ways to improve it...

I plan on using your server for testing my bot, you can feel free to shut it off after a few weeks if you want- by then, I should have the basic stuff done, and can relax and not worry about an ipban. Thanks!

[Edited to avoid double posting]

This might interest you, I just told my bot to connect to hdx.no-ip.org, it connected fine, but my vb program crashed when it tried to send the 0x51 packet. Now get this, I just checked my code to see why- apparently it's setting the socket to hdx.no-ip.org, when it should stay BNET (the name of my winsock is BNET), and the packet ID that it's being told to send is 81. I'm like, WTH, there shouldn't be a packet 0x81, so I checked my code-- I don't have any 0x81 packet code in there?!? So why is it trying to send that one? I also checked all lines that sent packets- they all correctly state for SendPacket to use the BNET winsock, and also all correctly state the right packet... This is very unusual...

What I don't get is, why does it work for asia.battle.net, and europe.battle.net (haven't tested on uswest nor useast- wanted to hold off on that until I'm danged sure my code is safe), but crashes when it tries to connect to hdx.no-ip.org?
September 12, 2005, 2:17 PM