Valhalla Legends Forums Archive | Battle.net Bot Development | Client Token and account creation

OriOn
Hello everybody,

I have a simple question.
When you log in to bnet, you use the "FF29" packet structure.
In this structure, the client sends:

- u32 Client Session Token (I use the time: (u32)time(NULL))
- u32 Server Session Token (you received this in the "FF50" packet)
- u32 PasswordHash[5] (calculated with the Client Token, Server Token and the password)
- String account name

So OK, no problem with this sequence. The server recalculates the hash of the password with the data you send to it (Client Token and Server Token).

Now, when you create an account, you use the "FF3D" packet structure, but
in this packet structure you never send the Client Token and Server Token. So with which data is the password hash calculated?
You have the Server Token, and the bnetd server does too, but what about the Client Token? When you hash the password, do you use Client Token = 0?

Thanks and sorry for my poor English :)

OriOn

May 12, 2003, 11:38 AM
OriOn
Arf,
U use the same Client Token and Server Token sent in the "FF51" packet for the hashing of the CdKey ?
May 12, 2003, 11:43 AM
tA-Kane
[quote author=OriOn link=board=17;threadid=1308;start=0#msg9755 date=1052739810]U use the same Client Token and Server Token sent in the "FF51" packet for the hashing of the CdKey ?[/quote]No. The account create hash is done with only the password.
May 12, 2003, 7:28 PM
OriOn
Yes, thanks Kane, I have not thought enough about this question, but it's very logical :)
The hash is stored on the server, so without challenge data :p
May 12, 2003, 10:34 PM
vampgirl
could someone show me how to use PacketBuffer and wsock to create a new account on bnet?
On my bot I tried using packet id 0x04 and
SID_AUTH_ACCOUNTCREATE (0x52)
but it didnt work. Could someone show me some code please.
Thank you.
May 13, 2003, 3:59 PM
tA-Kane
[quote author=vampgirl link=board=17;threadid=1308;start=0#msg9861 date=1052841555]On my bot I tried using packet id 0x04 and
SID_AUTH_ACCOUNTCREATE (0x52)
but it didnt work.[/quote]I'm not familiar with packet 0x04, nor 0x52. But, I do know that it's most likely only Skywing (and his BNLS server) which knows how to successfully create packet 0x52.

SID_AUTH_ACCOUNTCREATE is part of the new logon system, and as far as I know, can only be used by WarCraft 3 (would be cool if I'm wrong, though).
May 13, 2003, 5:24 PM
vampgirl
so how can i create a bnet account without BNLS
May 13, 2003, 6:08 PM
tA-Kane
[quote author=vampgirl link=board=17;threadid=1308;start=0#msg9874 date=1052849328]so how can i create a bnet account without BNLS[/quote]On WarCraft 3, you cannot, except for using the actual WarCraft 3 client.

Otherwise, you should use SID_CREATEACCOUNT2 (0x3D)
http://www.valhallalegends.com/arta/bnetdocs/content.php?id=3D&Sender=C
May 13, 2003, 6:59 PM
vampgirl
i have read that but im not smart enough to understand
could you give me some sample code please
thank you so much :)
May 13, 2003, 7:14 PM
tA-Kane
[quote author=vampgirl link=board=17;threadid=1308;start=0#msg9880 date=1052853248]i have read that but im not smart enough to understand[/quote]Keep trying, don't give up. You keep the knowledge you learn the longest when you learn it yourself instead of having someone else hand-feed you the knowledge.
May 13, 2003, 7:43 PM
vampgirl
ok i tried but i cant get it ...
could you give me a little hint please?

i send chr(1)
then i send DWORD[0] = null
DWORD[1] = NULL
DWORD[2] = NULL
DWORD[3] = NULL
DWORD[4] = NULL
DWORD[5] = Password hash
then insert.ntstring (Username)

this will give a SID_AUTH_ACCOUNTCREATE (0x52) returned?
and how should i parse that ?

please give me a little hint ...
May 14, 2003, 11:57 PM
Yoni
vampgirl:

Did you write PacketBuffer?
If not, do you know how it works and/or what it does?
Are you sure? Try examining the PacketBuffer code and/or writing your own PacketBuffer class. It will give you a better understanding of buffers.

Also, you haven't said once what language you're writing in.
May 15, 2003, 12:05 AM
vampgirl
im using vb6 .. i am using packetbuffer class
i am writing a module to send the login sequence
i am using bnet + star hash
i got the version and everything completed

this is what i have so far after packet logging.
create account:
c->s ff 3d 22 00 something(password hash?) + username
s->c ff 3d 0b 00 00 00 00 00 00 e5 ff
login account:
c->s ff 29 2a 00 something(password hash?) + username
s->c ff 29 08 00 01 00 00 00

now I got the login working with a premade account
but I cant get the create account to work.

It seems the way the password is sent in the create account is different from the way it is send in the regular login. or is it just a time factor?

So basically what Im looking for is some help to get this to work and I would greatly appreciate any hints.
BTW: I am IPBanned from the BnetDocs .. I dont know why.
May 15, 2003, 2:26 AM
Camel
[quote author=vampgirl link=board=17;threadid=1308;start=0#msg9995 date=1052965578]
It seems the way the password is sent in the create account is different from the way it is send in the regular login.
[/quote]

correct. when you create account, you run the password through broken sha-1 once, and send the 160bit result to battle.net
when you log in, you take the 160bit hashed result, and hash it again with some salt. then, iirc, the 160 byte result is prepended by the salt


so, in 0x3D, the password is single hashed:
[code]Public Sub SendCreateAccount(UserName As String, Password As String)
    ' 0x3D body: 20-byte single hash of the password, then the null-terminated user name
    SendPacket &H3D, CalcHashBuf(Password) & UserName & Chr(0)
End Sub[/code]

while in 0x29, the password is double hashed:
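[code]Public Function HashPass(ByVal password As String, Key As Long, seed As Long) As String
    Dim hashout As String * 20
    ' First pass: single hash of the password
    hashout = CalcHashBuf(password)
    ' The two DWORDs of salt: seed first, then key
    HashPass = MKL(seed) & MKL(Key)
    ' Second pass over salt + single hash, appended after the salt
    HashPass = HashPass & CalcHashBuf(HashPass & hashout)
End Function[/code]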

bnet's only record of a user's password, as discussed in some previous thread, is, under normal circumstances, the single-hashed version of the password. when bnet receives 0x29, it takes its single hashed copy of the password, and hashes it with the 64 bits of salt sent, and compares it to the 160 bit double broken sha-1 hash.

condensed pseudocode:
[code]create_account_buffer = brokensha1(password)
login_buffer = seed & key & brokensha1(seed & key & brokensha1(password))
[/code]

also note that under some conditions you only send the seed and the hashed pass, but the server key is still used in hashing!! unless you are adding d2 realm support, however, you probably won't ever need to worry about this
[code]realm_login_buffer = (dword)1 & brokensha1((dword)1 & key & brokensha1("password"))[/code]
you don't really need to calculate the hash of "password" because it's always going to be the same (ECC80D1D76E758C0B9DA8C25FF106AFF8E242916), but you need to calculate the hash of the seed and key prepended to that, because key will change from connection to connection
May 15, 2003, 3:59 AM
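
The create/login scheme described in the post above, with both the client and the verifying side, as an added example that is not part of the original thread. Standard SHA-1 stands in for Battle.net's "broken SHA-1" (so digests differ from the real service), and `frame`, `ToyServer`, the little-endian token packing, the server-side token check and the sample credentials are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

def h(data: bytes) -> bytes:
    # Stand-in: standard SHA-1. Battle.net's "broken SHA-1" yields different
    # digests; only the structure of the scheme is demonstrated here.
    return hashlib.sha1(data).digest()

def frame(packet_id: int, body: bytes) -> bytes:
    # Header as seen in the packet logs in this thread: FF, id, u16 total length.
    return struct.pack("<BBH", 0xFF, packet_id, len(body) + 4) + body

def create_account(username: str, password: str) -> bytes:
    # 0x3D: single hash of the password, then the NUL-terminated name.
    return frame(0x3D, h(password.encode()) + username.encode() + b"\x00")

def login(username: str, password: str, client_token: int, server_token: int) -> bytes:
    # 0x29: both tokens, then hash(tokens + single hash), then the name.
    tokens = struct.pack("<II", client_token, server_token)
    proof = h(tokens + h(password.encode()))
    return frame(0x29, tokens + proof + username.encode() + b"\x00")

class ToyServer:
    """Hypothetical verifier; keeps only the single hash per account."""

    def __init__(self):
        self.accounts = {}

    def on_create(self, packet: bytes) -> bool:
        body = packet[4:]
        name = body[20:].split(b"\x00", 1)[0]
        if len(body) < 21 or name in self.accounts:
            return False
        self.accounts[name] = body[:20]
        return True

    def on_login(self, packet: bytes, issued_server_token: int) -> bool:
        body = packet[4:]
        if len(body) < 29:
            return False
        _, server_token = struct.unpack_from("<II", body)
        stored = self.accounts.get(body[28:].split(b"\x00", 1)[0])
        # Assumption: the server insists on the token it issued for this
        # connection, so a proof captured on another connection fails.
        if stored is None or server_token != issued_server_token:
            return False
        expected = h(body[:8] + stored)  # plaintext is never needed here
        return hmac.compare_digest(body[8:28], expected)
```

Because the verifier recomputes the proof from the stored single hash alone, that stored value is all a login requires, so an account store built this way needs the same protection as plaintext passwords.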
vampgirl
Thank you for that last reply. That was very helpful to me. I understand how to hash the password and how to send the packets now. I created my own packetbuffer class and my own secure hash module. I tested it on my pvpgn and it did create the account, however it did not login.

I took a snapshot of Fyrebot's login sequence to create an account and login and it works as follows:
3a,3d,2d,3d,3a,0a

This is the snapshot of my sc game client making an account
c->s 51
s->c 51
c->s 2d
s->c 2d
33 (not important just the profile)
c->s 3d
s->c 3d
c->s 29
s->c 29
c->s ack <-- maybe im missing this in my bot packet login sequence
c->s 0a
s->c 0a

I send in my sequence: 2d,36,3d,29 <- after 29 I send FIN packet. It is closing the connection because the account was not made to login, however after 5 mins the account shows up on the server.
What am I not getting here?
May 15, 2003, 1:03 PM
OcTaViuS
[quote author=tA-Kane link=board=17;threadid=1308;start=0#msg9881 date=1052854982]
Keep trying, don't give up. You keep the knowledge you learn the longest when you learn it yourself instead of having someone else hand-feed you the knowledge.
[/quote]

not true, there's a lot of people (including myself) who learn better through your so-called 'hand-feed' method
May 15, 2003, 9:15 PM
vampgirl
[quote author=vampgirl link=board=17;threadid=1308;start=0#msg10031 date=1053003806]
Thank you for that last reply. That was very helpful to me. I understand how to hash the password and how to send the packets now. I created my own packetbuffer class and my own secure hash module. I tested it on my pvpgn and it did create the account, however it did not login.

I took a snapshot of Fyrebot's login sequence to create an account and login and it works as follows:
3a,3d,2d,3d,3a,0a

This is the snapshot of my sc game client making an account
c->s 51
s->c 51
c->s 2d
s->c 2d
33 (not important just the profile)
c->s 3d
s->c 3d
c->s 29
s->c 29
c->s ack <-- maybe im missing this in my bot packet login sequence
c->s 0a
s->c 0a

I send in my sequence: 2d,36,3d,29 <- after 29 I send FIN packet. It is closing the connection because the account was not made to login, however after 5 mins the account shows up on the server.
What am I not getting here?

[/quote]

BTW, since I'm IP-banned from bnetdocs (I don't know why), can someone please tell me the meaning of each returned byte from the server for 0x3D?
Thank you.
May 16, 2003, 3:05 PM
Kp
[quote author=vampgirl link=board=17;threadid=1308;start=0#msg10031 date=1053003806]
I took a snapshot of Fyrebot's login sequence to create an account and login and it works as follows:
3a,3d,2d,3d,3a,0a

This is the snapshot of my sc game client making an account
c->s 51
s->c 51
c->s 2d
s->c 2d
33 (not important just the profile)
c->s 3d
s->c 3d
c->s 29
s->c 29
c->s ack <-- maybe im missing this in my bot packet login sequence
c->s 0a
s->c 0a

I send in my sequence: 2d,36,3d,29 <- after 29 I send FIN packet. It is closing the connection because the account was not made to login, however after 5 mins the account shows up on the server.
What am I not getting here?
[/quote]
FYI, 33 is not profile request. :) 26 is profile query.

What prompted your closure of the connection? Unless the server is incompatible with bncs, it should not kick you for a failed creation.
May 16, 2003, 4:38 PM
vampgirl
no no .. all the data is from useast.battle.net
oh i didnt know 26 was the profile request ..
but i think 33 is the initial profile that you get before you login
or something from bnet. i didnt make that up .. its what the game
client sends. and the server didnt send the session close .. my client
closed it. the reason it closes it is because it did not login. but i can easily fix that. the point is why cant i login after i create the account which i know i have created cuz i see the file when i tested it on my pvpgn server. (although it doesnt create it right away... like 2-3 mins later) but when i use a game client or another bot that creates accounts like fyrebot .. it creates the account right away on my pvpgn. so basically what im asking is, what is wrong with my packet sequence? And why is the account made 2-3 mins later. Here is my event sequence:
send 36 to verify key
catch 36 (key is good)
send 3d create account
catch 3d (its created)
send 29 to login
catch 29 (login failed)

May 16, 2003, 4:58 PM
Kp
[quote author=vampgirl link=board=17;threadid=1308;start=15#msg10077 date=1053104310]
no no .. all the data is from useast.battle.net
oh i didnt know 26 was the profile request ..
but i think 33 is the initial profile that you get before you login
or something from bnet. i didnt make that up .. its what the game
client sends. and the server didnt send the session close .. my client
closed it. the reason it closes it is because it did not login. but i can easily fix that. the point is why cant i login after i create the account which i know i have created cuz i see the file when i tested it on my pvpgn server. (although it doesnt create it right away... like 2-3 mins later) but when i use a game client or another bot that creates accounts like fyrebot .. it creates the account right away on my pvpgn. so basically what im asking is, what is wrong with my packet sequence? And why is the account made 2-3 mins later. Here is my event sequence:
send 36 to verify key
catch 36 (key is good)
send 3d create account
catch 3d (its created)
send 29 to login
catch 29 (login failed)[/quote]33 is indeed sent by the game client, but it has nothing to do with profiles.

As to your account creation, my guess is that either: a) you're misinterpreting the response the server gives, so you think the create worked when it didn't or b) you're not properly sending your password. Without the code of what you do to create each of those packets, there's not much more I can do.
May 16, 2003, 5:19 PM
Arta
RE banning from BnetDocs: Don't use proxies. Don't use a shitty ISP (Read: AOL). Don't use a crappy browser like MSN or AOL.

Failing that, it's temporary anyway, so just go back later.
May 16, 2003, 6:25 PM
vampgirl
THANK YOU! :)
I got it to work! ... apparently all my packet sequences were wrong lol.
May 16, 2003, 7:38 PM