Author | Message | Time |
---|---|---|
FrOzeN | I thought of an idea, when making a bot it would be a good idea to check the username/password to see if their characters would even make a valid login (inclusive of iLLyz). I know what can be permitted by Usernames, though I don't know what characters/orders are allowed for passwords. And with a bit of testing I wouldn't be able to find out what characters/orders old (from time of iLLyz) passwords used. Anyone know much about them? | January 5, 2006, 5:46 AM |
UserLoser | First off, "iLLyz"? And passwords can have any character you want in it. They're sent in a 256bit hash so it doesn't matter what you have your password as | January 5, 2006, 6:11 AM |
FrOzeN | Well for example you can no longer make accounts with $ in it. So say the bot logged on and account didn't exist, I would then run it through a check which would determine that account cannot be created because of that character and it would just Disconnect with an error message. By "iLLyz" I was just using slang to refer to accounts that contained illegal characters and haven't been permitted to be created for quite a few years now. Anyway you answered my question, I should know better considering my last two passwords contained § and †. :-\ | January 5, 2006, 6:30 AM |
Denial | What the hell did he just say? | January 5, 2006, 7:06 AM |
LoRd | He wants to be able to determine if an account exists and if it doesn't, he wants to check the account name for banned characters before attempting to create it, however the local implementation of this would be pointless since both SID_LOGONRESPONSE2 and SID_CREATEACCOUNT2 have error responses which do exactly that. | January 5, 2006, 7:17 AM |
FrOzeN | I know they have login responses for it. I just thought it would speed up some of the authentication upon logging in, if all the basic checks have been done to the details being sent. For example say someone connects with local hashing, first check if they have hashes before even bothering to go any further. Kind of along those lines. At that moment I was thinking that passwords have limitations on certain characters (not their max length, 12). This way it could be checked before connecting. | January 5, 2006, 8:10 AM |
shout | [quote author=FrOzeN link=topic=13791.msg140597#msg140597 date=1136448601] At that moment I was thinking that passwords have limitations on certain characters (not their max length, 12). This way it could be checked before connecting. [/quote] On a side note, the length of a password is a client side thing. There is nothing in the protocol that has the length of the password transferred over the network. | January 5, 2006, 1:16 PM |
Skywing | Note that the game clients impose a limit on the number of bytes that a password can consist of - something along the lines of 12 or 14 if I recall correctly. Game clients also use a locale-specific lowercase transform (as I recall, the exact function used was CharLowerBuffA, which has a behavior dependent on which locale you have configured locally). Passwords that do not meet these criteria will be unusable through the game clients. The chat gateway also imposes some of these restrictions on passwords; for instance, the chat gateway will lowercase all passwords. This implies that if you have an exotic locale that does not match the chat server's locale, your password may not be usable via the chat gateway. The chat gateway may also have an arbitrary limit on the length of a password, though I don't recall for certain. There are different restrictions and transforms applied to passwords used with the SRP-based system. | January 5, 2006, 5:29 PM |
laurion | congratz skywing you went almost 2 months without posting! | January 5, 2006, 6:00 PM |
Yegg | What happens if you implement this into your bot and the user decides that they want to log in and create an account on a private Battle.net server. Such as a PvPgn server? Often times these servers support "illegal" characters that the regular servers do not. Checking the account before they actually connect would really be a useless feature. The user should know what they can and can't use in an account. An idea that could possibly save time when connecting could be: Decode cdkey's immediately after the user inputs it into a textbox, or if your bot only uses a file for such information, decode when the program loads | January 5, 2006, 8:20 PM |
Skywing | [quote author=Yegg link=topic=13791.msg140651#msg140651 date=1136492422] What happens if you implement this into your bot and the user decides that they want to log in and create an account on a private Battle.net server. Such as a PvPgn server? Often times these servers support "illegal" characters that the regular servers do not. Checking the account before they actually connect would really be a useless feature. The user should know what they can and can't use in an account. An idea that could possibly save time when connecting could be: Decode cdkey's immediately after the user inputs it into a textbox, or if your bot only uses a file for such information, decode when the program loads [/quote] Except in the case of the chat gateway, all of the logic for dealing with the password in textual form is only in the client and not on the server, so that shouldn't matter for binary interface clients. I would expect that the time spent doing key decoding is insignificant compared to many of the other operations you would do during a binary client logon. If you are looking for ways to optimize you should really do some real profiling of your program first. | January 5, 2006, 8:24 PM |
LoRd | [quote]Decode cdkey's immediately after the user inputs it into a textbox, or if your bot only uses a file for such information, decode when the program loads[/quote] In most cases it's common practice to do as much as you can before you actually need to (providing that it's logical to do so) so that the only delay experienced is during the initial execution and/or connection, however the speed difference is often not very noticeable. The most significant bottlenecks are going to be the version check and your latency with the server. | January 5, 2006, 8:50 PM |
Myndfyr | [quote author=UserLoser link=topic=13791.msg140584#msg140584 date=1136441473] First off, "iLLyz"? And passwords can have any character you want in it. They're sent in a 256bit hash so it doesn't matter what you have your password as [/quote] Uh... they're sent in a 160-bit hash (SHA-1). The hash that's sent in SRP is hardly even related to the password, but the M1 value is 160-bit, as is the password hash sent with old-style logins. | January 5, 2006, 9:38 PM |
MesiaH | If you really wanted to find out what characters are acceptable or not, just have your client fully parse the return data from the account login packet. If there are illegal characters, it will return which one(s) are invalid... However, I don't think this works for the password string.. | January 6, 2006, 12:02 AM |
UserLoser | [quote author=MyndFyre link=topic=13791.msg140674#msg140674 date=1136497085] [quote author=UserLoser link=topic=13791.msg140584#msg140584 date=1136441473] First off, "iLLyz"? And passwords can have any character you want in it. They're sent in a 256bit hash so it doesn't matter what you have your password as [/quote] Uh... they're sent in a 160-bit hash (SHA-1). The hash that's sent in SRP is hardly even related to the password, but the M1 value is 160-bit, as is the password hash sent with old-style logins. [/quote] Duh...160. Was thinking it was a 32 byte hash, oops. | January 6, 2006, 6:07 AM |
FrOzeN | Username: AnX)Ghost(15@Lordaeron Password: *MyndFyre removed to stop breaking tables* Length of Password: 1016 Maybe there isn't even a limit? Strange huh. :-\ [EDIT] I assumed it was 12 characters because of the TextBox (?) limit when typing in a password using StarCraft/BroodWar (The actual game, not a bot). Sorry for table breakage, oh well. | January 6, 2006, 6:50 AM |
UserLoser | [quote author=FrOzeN link=topic=13791.msg140767#msg140767 date=1136530240] Username: AnX)Ghost(15@Lordaeron Password: *MyndFyre removed to stop breaking tables* Length of Password: 1016 Maybe there isn't even a limit? Strange huh. :-\ [/quote] I thought this was already covered: there's no limit because it's sent as a 32 byte hash. | January 6, 2006, 6:52 AM |
FrOzeN | Eh, I didn't realise that. Could this be a way to flood Battle.net. By sending immensely oversized passwords rapidly? :P | January 6, 2006, 6:53 AM |
Myndfyr | [quote author=UserLoser link=topic=13791.msg140769#msg140769 date=1136530322] [quote author=FrOzeN link=topic=13791.msg140767#msg140767 date=1136530240] Username: AnX)Ghost(15@Lordaeron Password: *removed because of table breaking* Length of Password: 1016 Maybe there isn't even a limit? Strange huh. :-\ [/quote] I thought this was already covered: there's no limit because it's sent as a 32 byte hash. [/quote] *20-byte. SHA-1 is 160 bit whether it's SHA-1 or X-SHA-1. Interleaved SHA found in SRP generates a 320-bit hash (40-byte). What is it the rest of you don't understand about this? The plaintext password is never sent to Battle.net. | January 6, 2006, 7:06 AM |
UserLoser | [quote author=FrOzeN link=topic=13791.msg140770#msg140770 date=1136530439] Eh, I didn't realise that. Could this be a way to flood Battle.net. By sending immensely oversized passwords rapidly? :P [/quote] Your password is run through a one-way hash function. This hash function returns a 20 byte output. The 20 byte output is received by the server. Size of the password doesn't matter. You can have a blank password if you really wanted to | January 6, 2006, 7:32 AM |
Myndfyr | [quote author=UserLoser link=topic=13791.msg140780#msg140780 date=1136532728] You can have a blank password if you really wanted to [/quote] Since the hash output of SHA-1ing no data is always the same, I wonder if Bnet would notice. | January 6, 2006, 10:04 AM |
Newby | [quote author=UserLoser link=topic=13791.msg140780#msg140780 date=1136532728] Size of the password doesn't matter. [/quote] Can you elaborate as to why the length of a password in the Warcraft III game client is limited to 12 characters? | January 7, 2006, 12:28 AM |
LoRd | [quote author=Newby link=topic=13791.msg140868#msg140868 date=1136593705] [quote author=UserLoser link=topic=13791.msg140780#msg140780 date=1136532728] Size of the password doesn't matter. [/quote] Can you elaborate as to why the length of a password in the Warcraft III game client is limited to 12 characters? [/quote] To help keep people from forgetting an incredibly long password? | January 7, 2006, 12:49 AM |
Newby | [quote author=Lord[nK] link=topic=13791.msg140870#msg140870 date=1136594987] [quote author=Newby link=topic=13791.msg140868#msg140868 date=1136593705] [quote author=UserLoser link=topic=13791.msg140780#msg140780 date=1136532728] Size of the password doesn't matter. [/quote] Can you elaborate as to why the length of a password in the Warcraft III game client is limited to 12 characters? [/quote] To help keep people from forgetting an incredibly long password? [/quote] That's why there is password recovery. | January 7, 2006, 3:49 AM |
JoeTheOdd | [quote author=Newby link=topic=13791.msg140892#msg140892 date=1136605767] [quote author=Lord[nK] link=topic=13791.msg140870#msg140870 date=1136594987] [quote author=Newby link=topic=13791.msg140868#msg140868 date=1136593705] [quote author=UserLoser link=topic=13791.msg140780#msg140780 date=1136532728] Size of the password doesn't matter. [/quote] Can you elaborate as to why the length of a password in the Warcraft III game client is limited to 12 characters? [/quote] To help keep people from forgetting an incredibly long password? [/quote] That's why there is password recovery. [/quote] Eh, and then someone "forgets" their password a lot and this happens. | January 7, 2006, 4:37 AM |
Newby | [quote author=Joe link=topic=13791.msg140904#msg140904 date=1136608621] Eh, and then someone "forgets" their password a lot and this happens. [/quote] There's a massive difference between a DDoS (if you're saying there are lots of "someone"'s who manage to forget their password) and someone simply asking for the password recovery e-mail to be sent to their machine. One copy is enough, really. | January 7, 2006, 8:39 PM |
JoeTheOdd | How do you know that he didn't post on his blog, asking a lot of "someones" to intentionally "forget" their password at a specific time, and request an account recovery email? | January 7, 2006, 9:39 PM |
Newby | [quote author=Joe link=topic=13791.msg140975#msg140975 date=1136669943] How do you know that he didn't post on his blog, asking a lot of "someones" to intentionally "forget" their password at a specific time, and request an account recovery email? [/quote] There are much easier ways to DDoS a server. | January 8, 2006, 6:01 AM |
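
The client-side behaviour discussed in this thread (a locale-dependent lowercase transform followed by a fixed-size hash) can be shown with a short sketch. This is an added example, not code from any poster: standard SHA-1 from `hashlib` stands in for Battle.net's X-SHA-1 variant, a per-byte code page lookup stands in for `CharLowerBuffA`, and the function names `ansi_lowercase` and `password_digest` are hypothetical.

```python
import hashlib


def ansi_lowercase(raw: bytes, codepage: str) -> bytes:
    """Lowercase each byte as the given ANSI code page interprets it.

    Assumption: this approximates a locale-dependent transform; it is not
    the Windows implementation.
    """
    out = bytearray()
    for b in raw:
        try:
            low = bytes([b]).decode(codepage).lower().encode(codepage)
        except (UnicodeDecodeError, UnicodeEncodeError):
            low = b""  # byte unassigned, or its lowercase has no slot here
        # Keep the original byte unless lowercasing gave exactly one byte.
        out.append(low[0] if len(low) == 1 else b)
    return bytes(out)


def password_digest(raw: bytes, codepage: str = "cp1252") -> bytes:
    """Normalise client-side, then hash; only these 20 bytes describe the password."""
    return hashlib.sha1(ansi_lowercase(raw, codepage)).digest()


def demo() -> dict:
    # Constructed sample inputs, not real credentials.
    long_pw = b"A" * 1016          # same length as the test posted in the thread
    exotic = b"pa\xd7s"            # 0xD7 is a symbol in cp1252, a letter in cp1251
    return {
        "long_len": len(password_digest(long_pw)),
        "empty_hex": password_digest(b"").hex(),
        "case_folds": password_digest(b"PassWord") == password_digest(b"password"),
        "western": ansi_lowercase(exotic, "cp1252"),
        "cyrillic": ansi_lowercase(exotic, "cp1251"),
        "locale_mismatch": password_digest(exotic, "cp1252")
        != password_digest(exotic, "cp1251"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A bot that hashes the raw bytes without applying the same transform as the game client, or applies it under a different code page, produces a different digest for the same typed password, which is why such passwords become unusable across clients.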