Author | Message | Time |
---|---|---|
ThePro | Hello there! About a year ago I wrote my own bot which was able to enter Battle.net. Since my reversing skills aren't very good, I used BNCS-Util to generate the hashes for 0x51. Since Blizzard released a new patch, I'm not able to connect to bnet anymore. I've corrected the version byte and put the new Starcraft.exe, battle.snp and storm.dll in the bot folder, but I still get an error right after 0x51 (SID_AUTH_CHECK). When I used a packet sniffer I found out that Blizzard changed the names of the MPQ files. Instead of "IX86ver7.mpq" they are now called something like "lockdown-IX86-16.mpq". The BNLS server doesn't seem to be updated, so I can't use it. BNCS-Util isn't updated yet either. :( Is there a way to calculate the right hashes anyway? | November 12, 2006, 9:26 PM |
l2k-Shadow | The BNLS server is updated, however you must use the BNLS_CHECKVERSIONEX2 packet. However, if you would like to not use BNLS, you can login using PMAC. PMAC dlls have not been patched yet. | November 12, 2006, 9:29 PM |
ThePro | You mean I have to fool Battle.net into thinking I'm using a Mac? | November 12, 2006, 9:37 PM |
LordNevar | He's a smart one this guy. | November 12, 2006, 10:06 PM |
ThePro | The idea with the PMAC is smart, but I need the executable and the other files for Mac, don't I? | November 12, 2006, 10:20 PM |
Kp | Yes. Since it sounds like you have no objection to using BNLS, the simplest course would be for you to switch to using the new BNLS_VERSIONCHECKEX2 message that Shadow linked above. It allows you to pass the new style version check, and is more extensible in the event of future changes to CheckRevision. | November 12, 2006, 10:39 PM |
ThePro | Hm yes, it seems it is the best way. I have no code to connect to BNLS yet, that's why I wanted to use BNCS-Util. It will be no problem to add this to my bot, but it's a bit more work now. :( I hope the BNLS server will never shut down, else I'd be fucked. | November 12, 2006, 10:43 PM |
Kp | You and many, many others. :) | November 12, 2006, 11:28 PM |
Jaquio | I get invalid version whenever I try using BNLS to connect. Any idea why? You still send the same things, but use BNLS_VERSIONCHECKEX2 instead? | November 13, 2006, 1:59 AM |
JoeTheOdd | [quote author=l2k-Shadow link=topic=16022.msg161148#msg161148 date=1163366998] The BNLS server is updated, however you must use the BNLS_CHECKVERSIONEX2 packet. However, if you would like to not use BNLS, you can login using PMAC. PMAC dlls have not been patched yet. [/quote] Of course the DLL's haven't changed! Dynamic link libraries don't exist in the Mac world. :P | November 13, 2006, 2:23 AM |
l2k-Shadow | [quote author=Joe[x86] link=topic=16022.msg161158#msg161158 date=1163384611] [quote author=l2k-Shadow link=topic=16022.msg161148#msg161148 date=1163366998] The BNLS server is updated, however you must use the BNLS_CHECKVERSIONEX2 packet. However, if you would like to not use BNLS, you can login using PMAC. PMAC dlls have not been patched yet. [/quote] Of course the DLL's haven't changed! Dynamic link libraries don't exist in the Mac world. :P [/quote] smartass shush | November 13, 2006, 2:24 AM |
Skywing | [quote author=Jaquio link=topic=16022.msg161157#msg161157 date=1163383164] I get invalid version whenever I try using BNLS to connect. Any idea why? You still send the same things, but use BNLS_VERSIONCHECKEX2 instead? [/quote] You should use the new message as it moves the onus of figuring out the vercheck module differences onto BNLS instead of clients. Note that in the current implementation, there are now two digits of significant identifying information in the vercheck module filenames, instead of just one as used previously. If you are using the old, deprecated messages and only checking one digit, this will often result in bad version check data. | November 13, 2006, 2:35 AM |
Myndfyr | [quote author=Joe[x86] link=topic=16022.msg161158#msg161158 date=1163384611] [quote author=l2k-Shadow link=topic=16022.msg161148#msg161148 date=1163366998] The BNLS server is updated, however you must use the BNLS_CHECKVERSIONEX2 packet. However, if you would like to not use BNLS, you can login using PMAC. PMAC dlls have not been patched yet. [/quote] Of course the DLL's haven't changed! Dynamic link libraries don't exist in the Mac world. :P [/quote] Depends which Mac world you're talking about. If OS X, which is *nix-based, then you're wrong - .so, shared object files, serve the same purpose as dynamically-linked libraries. | November 13, 2006, 4:57 AM |
Jaquio | [quote author=Skywing link=topic=16022.msg161161#msg161161 date=1163385355] [quote author=Jaquio link=topic=16022.msg161157#msg161157 date=1163383164] I get invalid version whenever I try using BNLS to connect. Any idea why? You still send the same things, but use BNLS_VERSIONCHECKEX2 instead? [/quote] You should use the new message as it moves the onus of figuring out the vercheck module differences onto BNLS instead of clients. Note that in the current implementation, there are now two digits of significant identifying information in the vercheck module filenames, instead of just one as used previously. If you are using the old, deprecated messages and only checking one digit, this will often result in bad version check data. [/quote] I have fixed the problem and made it use both digits instead... I don't know why it keeps saying invalid version.. Here it is from BNLS_VersionCheckEx2 to 0x51.. [code] [BNLS] Sent:2d 00 1a 02 00 00 00 00 00 00 00 e6 5e f5 4f 00 -...........^.O. 14 5a dc 72 fc c6 01 31 34 00 00 a3 bd 3a 98 95 .Z.r...14....:.. b6 e0 c0 53 aa 6f c7 57 3c 6f c2 00 00 ...S.o.W [BNLS] Performing CheckRevision... [BNLS] Received: 28 00 1a 01 00 00 00 01 00 0e 01 73 64 80 e3 5e (..........sd..^ 52 af 0b 3c 24 ae 11 9f a9 27 ff 3d 63 be bf 00 R..<$....'.=c... e6 5e f5 4f cf 00 00 00 .^.O.... Length: 40 [BNET] Sent:ff 51 59 00 e6 5e f5 4f 01 00 0e 01 73 64 80 e3 .QY..^.O....sd.. 01 00 00 00 00 00 00 00 0d 00 00 00 01 00 00 00 ................ 81 92 10 00 00 00 00 00 bc 91 56 83 c8 50 56 85 ..........V..PV. b9 a2 11 11 34 2e ef 7f 27 9b 3a 13 5e 52 af 0b ....4..'.:.^R.. 3c 24 ae 11 9f a9 27 ff 3d 63 be bf 00 50 48 50 <$....'.=c...PHP 42 6f 74 20 76 31 2e 30 00 Bot v1.0. Length: 89 [BNET] Attempting to answer challenge.. [BNET] Received: ff 51 09 00 01 01 00 00 00 .Q....... Length: 9 [BNET] Invalid version. [/code] | November 13, 2006, 5:43 AM |
l2k-Shadow | BNLS_VERSIONCHECKEX2 requires (STRING) Version check archive filename. [code] Battle.net->Client 0x50 ff 50 3e 00 00 00 00 00 20 48 ...K...P>..... H 0040 8c 78 f2 dd 28 00 00 90 82 c4 72 fc c6 01 6c 6f .x..(.....r...lo 0050 63 6b 64 6f 77 6e 2d 49 58 38 36 2d 30 34 2e 6d ckdown-IX86-04.m 0060 70 71 00 2f 20 52 8b b5 28 2f 7b 5b 21 4f 35 da pq./ R..(/{[!O5. 0070 e0 0a 1f 00 .... Client->BNLS 0x1A 3d 00 1a 02 00 00 00 00 00 00 ......=......... 0040 00 00 00 00 00 00 90 82 c4 72 fc c6 01 6c 6f 63 .........r...loc 0050 6b 64 6f 77 6e 2d 49 58 38 36 2d 30 34 2e 6d 70 kdown-IX86-04.mp 0060 71 00 2f 20 52 8b b5 28 2f 7b 5b 21 4f 35 da e0 q./ R..(/{[!O5.. 0070 0a 1f 00 ... [/code] | November 13, 2006, 5:58 AM |
Logitech | Can I just check, you send 0x1A after you receive 0x50, right? | November 13, 2006, 7:49 AM |
UserLoser | [quote author=Logitech link=topic=16022.msg161167#msg161167 date=1163404156] Can I just check, you send 0x1A after you receive 0x50, right? [/quote] You can send it whenever you like ;) Sending it after that is the ideal time to send it...so yes. | November 13, 2006, 7:53 AM |
Jaquio | [quote author=l2k-Shadow link=topic=16022.msg161166#msg161166 date=1163397516] BNLS_VERSIONCHECKEX2 requires (STRING) Version check archive filename. [code] Battle.net->Client 0x50 ff 50 3e 00 00 00 00 00 20 48 ...K...P>..... H 0040 8c 78 f2 dd 28 00 00 90 82 c4 72 fc c6 01 6c 6f .x..(.....r...lo 0050 63 6b 64 6f 77 6e 2d 49 58 38 36 2d 30 34 2e 6d ckdown-IX86-04.m 0060 70 71 00 2f 20 52 8b b5 28 2f 7b 5b 21 4f 35 da pq./ R..(/{[!O5. 0070 e0 0a 1f 00 .... Client->BNLS 0x1A 3d 00 1a 02 00 00 00 00 00 00 ......=......... 0040 00 00 00 00 00 00 90 82 c4 72 fc c6 01 6c 6f 63 .........r...loc 0050 6b 64 6f 77 6e 2d 49 58 38 36 2d 30 34 2e 6d 70 kdown-IX86-04.mp 0060 71 00 2f 20 52 8b b5 28 2f 7b 5b 21 4f 35 da e0 q./ R..(/{[!O5.. 0070 0a 1f 00 ... [/code] [/quote] Ohh, ok, I didn't see that; I thought you still had to send the xx values (lockdown-IX86-xx.mpq). But it still didn't work, here is a full log (BNLS_CDKey removed). [code] [BNLS] Connecting... [BNLS] BNLS Server bnls.valhallalegends.com Connected on port 9367! [BNLS] Sent: 07 00 10 02 00 00 00 ....... Length: 7 [BNLS] Getting verbyte... [BNLS] Received: 0b 00 10 02 00 00 00 cf 00 00 00 ........... Length: 11 [BNLS] Using verbyte:0xcf [BNET] Connecting... [BNET] BNET Server useast.battle.net Connected on port 6112! [BNET] Sent: ff 50 3a 00 00 00 00 00 36 38 58 49 50 58 45 53 .P:.....68XIPXES cf 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 55 53 41 00 55 6e 69 74 ........USA.Unit 65 64 20 53 74 61 74 65 73 00 ed States. Length: 58 [BNET] Requesting authorization.. [BNET] Received: ff 25 08 00 ea 4a 03 10 .%...J.. Length: 8 [BNET] Received: ff 50 3e 00 00 00 00 00 0f 26 63 c4 32 02 43 00 .P>......&c.2.C. 00 09 ef c0 72 fc c6 01 6c 6f 63 6b 64 6f 77 6e ....r...lockdown 2d 49 58 38 36 2d 30 33 2e 6d 70 71 00 29 e8 27 -IX86-03.mpq.).' 3f b5 0a 9c 15 dd 94 76 70 25 f6 ce ea 00 ?......vp%.... Length: 62 [BNET] Sent: ff 25 08 00 ea 4a 03 10 .%...J.. Length: 8 [BNLS] Sent: 3f 00 1a 02 00 00 00 00 00 00 00 06 b9 b5 50 00 ?.............P. 09 ef c0 72 fc c6 01 6c 6f 63 6b 64 6f 77 6e 2d ...r...lockdown- 49 58 38 36 2d 30 33 2e 6d 70 71 00 00 29 e8 27 IX86-03.mpq..).' 3f b5 0a 9c 15 dd 94 76 70 25 f6 ce ea 00 00 ?......vp%..... Length: 63 [BNLS] Performing CheckRevision... [BNLS] Received: 28 00 1a 01 00 00 00 01 00 0e 01 ab 05 b4 13 81 (............... ac 39 92 2d 9c 68 a6 c4 66 e1 04 df a3 93 76 00 .9.-.h..f.....v. 06 b9 b5 50 cf 00 00 00 ...P.... Length: 40 [BNET] Sent: ff 51 59 00 06 b9 b5 50 01 00 0e 01 ab 05 b4 13 .QY....P........ 01 00 00 00 00 00 00 00 0d 00 00 00 01 00 00 00 ................ 81 92 10 00 00 00 00 00 3e ff 69 24 86 ed 26 bc ........>.i$..&. f7 3c 2e c2 e3 1f 46 5d d0 e2 43 d6 81 ac 39 92 .<....F]..C...9. 2d 9c 68 a6 c4 66 e1 04 df a3 93 76 00 50 48 50 -.h..f.....v.PHP 42 6f 74 20 76 31 2e 30 00 Bot v1.0. Length: 89 [BNET] Attempting to answer challenge.. [BNET] Received: ff 51 09 00 01 01 00 00 00 .Q....... Length: 9 [BNET] Invalid version. [/code] Any idea what could be wrong? | November 13, 2006, 9:10 AM |
Ringo | [quote author=Jaquio link=topic=16022.msg161169#msg161169 date=1163409054] [BNLS] Sent: 3f 00 1a 02 00 00 00 00 00 00 00 06 b9 b5 50 00 ?.............P. 09 ef c0 72 fc c6 01 6c 6f 63 6b 64 6f 77 6e 2d ...r...lockdown- 49 58 38 36 2d 30 33 2e 6d 70 71 00 00 29 e8 27 IX86-03.mpq..).' 3f b5 0a 9c 15 dd 94 76 70 25 f6 ce ea 00 00 ?......vp%..... [/quote] The problem's right there I think, your null strings are double null'ed :) [EDIT]: Shouldn't BNLS reject an oversized request like that? ::) | November 13, 2006, 9:18 AM |
UserLoser | [quote author=Ringo link=topic=16022.msg161170#msg161170 date=1163409536] [quote author=Jaquio link=topic=16022.msg161169#msg161169 date=1163409054] [BNLS] Sent: 3f 00 1a 02 00 00 00 00 00 00 00 06 b9 b5 50 00 ?.............P. 09 ef c0 72 fc c6 01 6c 6f 63 6b 64 6f 77 6e 2d ...r...lockdown- 49 58 38 36 2d 30 33 2e 6d 70 71 00 00 29 e8 27 IX86-03.mpq..).' 3f b5 0a 9c 15 dd 94 76 70 25 f6 ce ea 00 00 ?......vp%..... [/quote] The problem's right there I think, your null strings are double null'ed :) [EDIT]: Shouldn't BNLS reject an oversized request like that? ::) [/quote] I suppose if they designed the server to be strict like, say, Battle.net, then sure, but I think their intention is to be user friendly and not worry about extra moot :) | November 13, 2006, 9:33 AM |
Jaquio | [quote author=Ringo link=topic=16022.msg161170#msg161170 date=1163409536] [quote author=Jaquio link=topic=16022.msg161169#msg161169 date=1163409054] [BNLS] Sent: 3f 00 1a 02 00 00 00 00 00 00 00 06 b9 b5 50 00 ?.............P. 09 ef c0 72 fc c6 01 6c 6f 63 6b 64 6f 77 6e 2d ...r...lockdown- 49 58 38 36 2d 30 33 2e 6d 70 71 00 00 29 e8 27 IX86-03.mpq..).' 3f b5 0a 9c 15 dd 94 76 70 25 f6 ce ea 00 00 ?......vp%..... [/quote] The problem's right there I think, your null strings are double null'ed :) [EDIT]: Shouldn't BNLS reject an oversized request like that? ::) [/quote] Only the ones at the end? If so, I just fixed that and now it is returning 0x203 (Wrong product); any idea why on that one? Also, is the ValueString always 16 bytes? I kept refreshing the page and got "cd-key hashing failed"... Why different returns? Must be doing something wrong? | November 13, 2006, 9:37 AM |
Ringo | [quote author=Jaquio link=topic=16022.msg161172#msg161172 date=1163410631] [quote author=Ringo link=topic=16022.msg161170#msg161170 date=1163409536] [quote author=Jaquio link=topic=16022.msg161169#msg161169 date=1163409054] [BNLS] Sent: 3f 00 1a 02 00 00 00 00 00 00 00 06 b9 b5 50 00 ?.............P. 09 ef c0 72 fc c6 01 6c 6f 63 6b 64 6f 77 6e 2d ...r...lockdown- 49 58 38 36 2d 30 33 2e 6d 70 71 00 00 29 e8 27 IX86-03.mpq..).' 3f b5 0a 9c 15 dd 94 76 70 25 f6 ce ea 00 00 ?......vp%..... [/quote] The problem's right there I think, your null strings are double null'ed :) [EDIT]: Shouldn't BNLS reject an oversized request like that? ::) [/quote] Only the ones at the end? If so, I just fixed that and now it is returning 0x203 (Wrong product); any idea why on that one? Also, is the ValueString always 16 bytes? I kept refreshing the page and got "cd-key hashing failed"... Why different returns? Must be doing something wrong? [/quote] Well, on BNLS, it says: [code] (DWORD) Product ID.* (DWORD) Flags.** (DWORD) Cookie. (ULONGLONG) Timestamp for version check archive. (STRING) Version check archive filename. (STRING) Checksum formula. [/code] And when we compare it with your packet log: [code] 3f 00 1a 02 00 00 00 00 00 00 00 06 b9 b5 50 00 ?.............P. 09 ef c0 72 fc c6 01 6c 6f 63 6b 64 6f 77 6e 2d ...r...lockdown- 49 58 38 36 2d 30 33 2e 6d 70 71 00 00 29 e8 27 IX86-03.mpq..).' 3f b5 0a 9c 15 dd 94 76 70 25 f6 ce ea 00 00 ?......vp%..... [/code] You can see that BNLS wasn't reading/using your supplied version check string: [code] (DWORD) 02 00 00 00 .... (DWORD) 00 00 00 00 .... (DWORD) 06 b9 b5 50 ...P (ULONGLONG) 09 ef c0 72 fc c6 01 ....r... (STRING) 6c 6f 63 6b 64 6f 77 6e 2d 49 58 38 36 2d 30 33 2e 6d 70 71 00 lockdown-IX86-03.mpq. (STRING) 00 . ~~~ extra/over flow ~~~ (STRING) 29 e8 27 3f b5 0a 9c 15 dd 94 76 70 25 f6 ce ea 00 ).'?......vp%.... (STRING) 00 . [/code] So just using 1 null byte to terminate the string, rather than 2, will make it fall into place. Aside from that, if you're now getting 0x203 back in 0x51, then you're passing the version check for bnet to be going on to the cdkey check :) Now your next task would be to try a different cdkey, and check the cdkey is being decoded/handled/hashed correctly. [quote author=UserLoser link=topic=16022.msg161171#msg161171 date=1163410417] I suppose if they designed the server to be strict like, say, Battle.net, then sure, but I think their intention is to be user friendly and not worry about extra moot :) [/quote] I guess :P, I was a little surprised BNLS sent him a result back when the check version string was blank. Or maybe it did, and he's parsing the response as success all the time :) | November 13, 2006, 12:16 PM |
Jaquio | Have tried W2BN, STAR and SEXP... None work, all say wrong product. So I guess I have another problem to work out... [code] [BNLS] Connecting... [BNLS] BNLS Server bnls.valhallalegends.com Connected on port 9367! [BNLS] Sent: 07 00 10 03 00 00 00 ....... Length: 7 [BNLS] Getting verbyte... [BNLS] Received: 0b 00 10 03 00 00 00 4f 00 00 00 .......O... Length: 11 [BNLS] Using verbyte:0x4f [BNET] Connecting... [BNET] BNET Server useast.battle.net Connected on port 6112! [BNET] Sent: ff 50 3a 00 00 00 00 00 36 38 58 49 4e 42 32 57 .P:.....68XINB2W 4f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 O............... 00 00 00 00 00 00 00 00 55 53 41 00 55 6e 69 74 ........USA.Unit 65 64 20 53 74 61 74 65 73 00 ed States. Length: 58 [BNET] Requesting authorization.. [BNET] Received: ff 25 08 00 79 5c 6f 6a .%..y\oj Length: 8 [BNET] Received: ff 50 3e 00 00 00 00 00 15 d7 48 ca ec 21 43 00 .P>.......H..!C. 00 ea e4 c6 72 fc c6 01 6c 6f 63 6b 64 6f 77 6e ....r...lockdown 2d 49 58 38 36 2d 30 35 2e 6d 70 71 00 59 03 90 -IX86-05.mpq.Y.. e4 fb 2e e7 66 02 47 44 59 64 3e d3 86 00 ....f.GDYd>... Length: 62 [BNET] Sent: ff 25 08 00 79 5c 6f 6a .%..y\oj Length: 8 [BNLS] Sent: 3d 00 1a 03 00 00 00 00 00 00 00 83 a0 a4 51 00 =.............Q. ea e4 c6 72 fc c6 01 6c 6f 63 6b 64 6f 77 6e 2d ...r...lockdown- 49 58 38 36 2d 30 35 2e 6d 70 71 00 59 03 90 e4 IX86-05.mpq.Y... fb 2e e7 66 02 47 44 59 64 3e d3 86 00 ...f.GDYd>... Length: 61 [BNLS] Performing CheckRevision... [BNLS] Received: 28 00 1a 01 00 00 00 00 02 00 02 b6 fa ff 22 27 (............."' 3d 31 01 e2 b3 14 2c 37 08 de 16 05 5e 62 f6 00 =1....,7....^b.. 83 a0 a4 51 4f 00 00 00 ...QO... Length: 40 [BNET] Sent: ff 51 59 00 83 a0 a4 51 00 02 00 02 b6 fa ff 22 .QY....Q......." 01 00 00 00 00 00 00 00 11 00 00 00 04 00 00 00 ................ f6 2c 2b 00 00 00 00 00 a7 bd 4b 86 d5 8c a5 27 .,+.......K....' 2c a6 e6 11 c9 64 96 29 2d 8a b0 0e 27 3d 31 01 ,....d.)-...'=1. e2 b3 14 2c 37 08 de 16 05 5e 62 f6 00 50 48 50 ...,7....^b..PHP 42 6f 74 20 76 31 2e 30 00 Bot v1.0. Length: 89 [BNET] Attempting to answer challenge.. [BNET] Received: ff 51 09 00 03 02 00 00 00 .Q....... Length: 9 [BNET] Wrong product. [/code] | November 13, 2006, 1:28 PM |
Ringo | [quote author=Jaquio link=topic=16022.msg161177#msg161177 date=1163424524] Have tried W2BN,STAR and SEXP... None work all say wrong product. So I guess I have another problem to work out... [code] [BNET] Sent: ff 51 59 00 83 a0 a4 51 00 02 00 02 b6 fa ff 22 .QY....Q......." 01 00 00 00 00 00 00 00 11 00 00 00 04 00 00 00 ................ ...... [/code] [/quote] Think how the server reads the message, from start to finish: [code] Stores Client token: 83 a0 a4 51 Checks EXE version vs Product+Version byte: 00 02 00 02 Checks Version Checksum: b6 fa ff 22 Stores/Checks number of cdkeys: 01 00 00 00 Stores Spawn flag: 00 00 00 00 Then for each cdkey: Checks cdkey lengh: 11 00 00 00 Failed. No current products have a cdkey with 17 characters [/code] | November 13, 2006, 1:56 PM |
Jaquio | Heh, don't know why I am having trouble with this.. I got my VB bot working just fine, it's my PHPBot giving me problems.. I never used the keylength DWORD in 0x51 ever... But I added it in there and got a return of 0x101 again. Better than 0x203 I guess.. I am about to give up, because I cannot figure it out. [code] [BNLS] Connecting... [BNLS] BNLS Server bnls.valhallalegends.com Connected on port 9367! [BNLS] Sent: 07 00 10 02 00 00 00 ....... Length: 7 [BNLS] Getting verbyte... [BNLS] Received: 0b 00 10 02 00 00 00 cf 00 00 00 ........... Length: 11 [BNLS] Using verbyte:0xcf [BNET] Connecting... [BNET] BNET Server useast.battle.net Connected on port 6112! [BNET] Sent: ff 50 3a 00 00 00 00 00 36 38 58 49 50 58 45 53 .P:.....68XIPXES cf 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 55 53 41 00 55 6e 69 74 ........USA.Unit 65 64 20 53 74 61 74 65 73 00 ed States. Length: 58 [BNET] Requesting authorization.. [BNET] Received: ff 25 08 00 d9 88 00 cb .%...... Length: 8 [BNET] Received: ff 50 3e 00 00 00 00 00 7b 66 27 0b 5c a7 49 00 .P>.....{f'.\.I. 00 6e bc de 72 fc c6 01 6c 6f 63 6b 64 6f 77 6e .n..r...lockdown 2d 49 58 38 36 2d 31 35 2e 6d 70 71 00 9c 41 82 -IX86-15.mpq..A. d1 77 8d fd 20 4a f1 97 d5 5c 1c 4e 29 00 .w.. J...\.N). Length: 62 [BNET] Sent: ff 25 08 00 d9 88 00 cb .%...... Length: 8 [BNET] Received authorization challenge. [BNLS] Sent: 3d 00 1a 02 00 00 00 00 00 00 00 5c 08 e5 51 00 =..........\..Q. 6e bc de 72 fc c6 01 6c 6f 63 6b 64 6f 77 6e 2d n..r...lockdown- 49 58 38 36 2d 31 35 2e 6d 70 71 00 9c 41 82 d1 IX86-15.mpq..A.. 77 8d fd 20 4a f1 97 d5 5c 1c 4e 29 00 w.. J...\.N). Length: 61 [BNLS] Performing CheckRevision... [BNLS] Received: 28 00 1a 01 00 00 00 01 00 0e 01 dc 46 63 b8 30 (...........Fc.0 d7 7d db b6 68 60 2a 8a 19 ea d8 d3 f9 3e 91 00 .}..h`*......>.. 5c 08 e5 51 cf 00 00 00 \..Q.... Length: 40 [BNET] Sent: ff 51 61 00 5c 08 e5 51 01 00 0e 01 dc 46 63 b8 .Qa.\..Q.....Fc. 01 00 00 00 00 00 00 00 0d 00 00 00 00 00 00 00 ................ 0e 00 00 00 01 00 00 00 81 92 10 00 00 00 00 00 ................ 55 ee 61 73 a6 2b b9 aa db bf 57 92 72 4a c9 41 U.as.+....W.rJ.A 89 d8 ba 94 30 d7 7d db b6 68 60 2a 8a 19 ea d8 ....0.}..h`*.... d3 f9 3e 91 00 50 48 50 42 6f 74 20 76 31 2e 30 ..>..PHPBot v1.0 00 . Length: 97 [BNET] Attempting to answer challenge.. [BNET] Received: ff 51 09 00 01 01 00 00 00 .Q....... Length: 9 [BNET] Invalid version. [/code] | November 13, 2006, 2:49 PM |
Ringo | [quote author=Jaquio link=topic=16022.msg161179#msg161179 date=1163429380] Heh, don't know why I am having trouble with this.. I got my VB bot working just fine, it's my PHPBot giving me problems.. I never used the keylength dword in 0x51 ever... But I added it in there and got a return of 0x101 again. Better then 0x203 I guess.. I am about to give up, because I cannot figure it out. [code] [BNET] Sent: ff 51 61 00 5c 08 e5 51 01 00 0e 01 dc 46 63 b8 .Qa.\..Q.....Fc. 01 00 00 00 00 00 00 00 0d 00 00 00 00 00 00 00 ................ 0e 00 00 00 01 00 00 00 81 92 10 00 00 00 00 00 ................ 55 ee 61 73 a6 2b b9 aa db bf 57 92 72 4a c9 41 U.as.+....W.rJ.A 89 d8 ba 94 30 d7 7d db b6 68 60 2a 8a 19 ea d8 ....0.}..h`*.... d3 f9 3e 91 00 50 48 50 42 6f 74 20 76 31 2e 30 ..>..PHPBot v1.0 00 .[/code] [/quote] Whats that bit extra? :P [code] ff 51 61 00 5c 08 e5 51 01 00 0e 01 dc 46 63 b8 .Qa.\..Q.....Fc. 01 00 00 00 00 00 00 00 0d 00 00 00 ?? ?? ?? ?? ................ ?? ?? ?? ?? 01 00 00 00 81 92 10 00 00 00 00 00 ................ 55 ee 61 73 a6 2b b9 aa db bf 57 92 72 4a c9 41 U.as.+....W.rJ.A 89 d8 ba 94 30 d7 7d db b6 68 60 2a 8a 19 ea d8 ....0.}..h`*.... d3 f9 3e 91 00 50 48 50 42 6f 74 20 76 31 2e 30 ..>..PHPBot v1.0 00 .[/code][code][/code] | November 13, 2006, 3:01 PM |
Jaquio | Heh, it was that 'unknown(0)' tid-bit. Not sure why it was there, I removed it but still 0x101.. [code] BNLS_CDKey($CDKey, $ServerKey); BNLS_VersionCheckEx2($Product, 0, $IX86FileTime, $IX86Filename, $CheckRevStr); insert_int32($ClientKey); insert_int32($VerHash); insert_int32($CheckSum); insert_int32(1); //Number of CD-Keys(1 for non-expansion games, 2 for expansion games) insert_int32(0); //Using Spawn(0 - no, 1 - yes) insert_int32(strlen($CDKey)); //CD-Key Length insert_void($KeyHash); //CD-Key Hash insert_string($EXEInfo); //EXE Info insert_string("PHPBot v1.0"); //CD-Key Owner BNCS_Send(0x51); [/code] My 0x51, lol pretty shitty I know... But oh well. Just want it to work! Lol | November 13, 2006, 3:14 PM |
Skywing | Assuming you are getting your CD-key data from BNLS, the blob that BNLS sends back to you should include the length of the CD-key, and you should not be sending that to Battle.net in addition to another field including the CD-key length. The BNLS protocol specification includes details on where the blobs sent back by BNLS should be used when communicating with Battle.net. It should be your first choice when troubleshooting problems like this. | November 14, 2006, 4:21 PM |
ThePro | I have the same problem, I always get an invalid version error. What do I have to send to the bnet server in 0x51 now? BnetDocs says: (DWORD) Client Token (generated by BNLS in BNLS_CDKEY) (DWORD) EXE Version (generated by BNLS in BNLS_VERSIONCHECKEX2) (DWORD) EXE Hash (generated by BNLS in BNLS_VERSIONCHECKEX2) (DWORD) Number of keys in this packet (1) (BOOLEAN) Using Spawn (0) (DWORD) Key Length (13) (DWORD) CD key's product value (1 = Starcraft) (DWORD) CD key's public value (How can I calculate this? I copied and pasted it from my packet sniffer) (DWORD) Unknown (0) (DWORD[5]) Hashed Key Data (generated by BNLS, but the BNLS spec says DWORD[9] instead of DWORD[5]!!?? I noticed that Blizzard removed the exe string) (STRING) Exe Information (seems to be removed) (STRING) CD Key owner name (ThePro) 1.) Do I just have to copy the result of BNLS_CDKEY (DWORD HashedKeyData[9]) into SID_AUTH_CHECK and send it to bnet? 2.) Where do I have to use the VersionCheckStatstring returned by BNLS_VERSIONCHECKEX2? | November 15, 2006, 7:29 PM |
Skywing | The four cleartext and five digest ulong values are all included in the blob returned from BNLS, which contains all the CD-key related data you need to send to Battle.net. You should not duplicate any of this information in your SID_AUTHCHECK request; simply include the CD-key blob "as-is" with your SID_AUTHCHECK request. The only CD-key related data that you must supply are the count of CD-key blobs and the spawn/retail flag. "Exe Information" and "VersionCheckStatstring" are synonymous in this particular context. "Exe Information" is the string value returned by BNLS_VERSIONCHECKEX2. | November 15, 2006, 8:48 PM |
ThePro | Hm, it doesn't work for me. What does the first item of the array right before the ProductID mean? The whole packet is too large, this is what I send: [code] 0000 FF 51 5B 00 00 00 00 0F 01 00 0E 01 FE B3 05 13 .Q[............. 0010 01 00 00 00 00 00 00 00 0D 00 00 00 EB E0 47 0D ..............G. <--- right after the 0D isn't the ProductID 0x1 :( 0020 00 00 00 01 00 00 00 xx xx xx 00 00 00 00 00 AF ................ 0030 8A 86 28 4D CB F7 87 1C F2 98 5E DC AD 31 85 3A ..(M......^..1.: 0040 FC 97 ED F3 81 64 96 28 05 EB F1 FD 06 B3 C2 B0 .....d.(........ 0050 00 53 74 65 70 68 61 6E 42 54 00 .StephanBT. [/code] If I set a pointer to Dword[1] everything fits, but I get a 0x203 error then. :( These are the class variables I use: [code] DWORD ClientToken; <-- BNLS_CDKEY DWORD EXEVersion; (ok) DWORD EXEHash; (i think its ok) DWORD NumOfKeys; (1) DWORD UsingSpawn; (0) DWORD KeyLength; (0x0D) ULONG KeyData[9]; <-- The result of BNLS_CDKEY char StatString[17]; <--- The result of BNLS_VERCHECKEX2 char OwnerName[16]; <--- "StephanBT" [/code] | November 15, 2006, 11:13 PM |
Spilled[DW] | [quote author=ThePro link=topic=16022.msg161255#msg161255 date=1163632411] Hm, it doesn't work for me. What does the first item of the array right before the ProductID mean? The whole packet is too large, this is what I send: [code] 0000 FF 51 5B 00 00 00 00 0F 01 00 0E 01 FE B3 05 13 .Q[............. 0010 01 00 00 00 00 00 00 00 0D 00 00 00 EB E0 47 0D ..............G. <--- right after the 0D isn't the ProductID 0x1 :( 0020 00 00 00 01 00 00 00 xx xx xx 00 00 00 00 00 AF ................ 0030 8A 86 28 4D CB F7 87 1C F2 98 5E DC AD 31 85 3A ..(M......^..1.: 0040 FC 97 ED F3 81 64 96 28 05 EB F1 FD 06 B3 C2 B0 .....d.(........ 0050 00 53 74 65 70 68 61 6E 42 54 00 .StephanBT. [/code] If I set a pointer to Dword[1] everything fits, but I get a 0x203 error then. :( These are the class variables I use: [code] DWORD ClientToken; <-- BNLS_CDKEY DWORD EXEVersion; (ok) DWORD EXEHash; (i think its ok) DWORD NumOfKeys; (1) DWORD UsingSpawn; (0) DWORD KeyLength; (0x0D) ULONG KeyData[9]; <-- The result of BNLS_CDKEY char StatString[17]; <--- The result of BNLS_VERCHECKEX2 char OwnerName[16]; <--- "StephanBT" [/code] [/quote] DWORD EXEHash? no? | November 15, 2006, 11:21 PM |
ThePro | I used DWORD ExeHash in the old auth system. For compatibility reasons I didn't change its name. Instead of the ExeHash I store the checksum value returned by BNLS_VERSIONCHECKEX2 in there. | November 16, 2006, 7:02 AM |
UserLoser | Don't think server allows client to have 0 as client token in any message. | November 16, 2006, 7:06 AM |
ThePro | If you take a closer look, you will notice that the Client Token is 0x0000000F and not 0x00000000. Anyway, I get a CD key error. If the Client Token wasn't correct I'd be banned by bnet, I guess. What does this EB E0 47 0D right after the CD key length (0x0D) mean? It's the first item of the DWORD[9] KeyData array. | November 16, 2006, 12:56 PM |
l2k-Shadow | [quote author=ThePro link=topic=16022.msg161255#msg161255 date=1163632411] Hm, it doesn't work for me. What does the first item of the array right before the ProductID mean? The whole packet is too large, this is what I send: [code] 0000 FF 51 5B 00 00 00 00 0F 01 00 0E 01 FE B3 05 13 .Q[............. 0010 01 00 00 00 00 00 00 00 0D 00 00 00 EB E0 47 0D ..............G. <--- right after the 0D isn't the ProductID 0x1 :( 0020 00 00 00 01 00 00 00 xx xx xx 00 00 00 00 00 AF ................ 0030 8A 86 28 4D CB F7 87 1C F2 98 5E DC AD 31 85 3A ..(M......^..1.: 0040 FC 97 ED F3 81 64 96 28 05 EB F1 FD 06 B3 C2 B0 .....d.(........ 0050 00 53 74 65 70 68 61 6E 42 54 00 .StephanBT. [/code] If I set a pointer to Dword[1] everything fits, but I get a 0x203 error then. :( These are the class variables I use: [code] DWORD ClientToken; <-- BNLS_CDKEY DWORD EXEVersion; (ok) DWORD EXEHash; (i think its ok) DWORD NumOfKeys; (1) DWORD UsingSpawn; (0) DWORD KeyLength; (0x0D) ULONG KeyData[9]; <-- The result of BNLS_CDKEY char StatString[17]; <--- The result of BNLS_VERCHECKEX2 char OwnerName[16]; <--- "StephanBT" [/code] [/quote] That packet is definitely incorrect. After 0x0D your product ID should be 0x01 (in most cases) or 0x02 for Starcraft. You are inserting 7 extra bytes in there; the problem probably is that you are not parsing the BNLS packet correctly. Also your exe information string is .. 13 bytes long. It should be 16 for IX86 login. | November 16, 2006, 2:30 PM |
ThePro | You were right. :) I declared the Success variable as bool (which reserves one byte in C++) but the REAL type is DWORD, so everything got shifted. Please note that in the spec at valhallalegends! That could be weird for others. Now everything works fine again, thanks for the help. :) | November 16, 2006, 8:05 PM |
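As an added example that is not part of this thread (not Jaquio's, ThePro's or the BNLS project's code), the script below assembles the two messages the posts above argue over the way the thread settles on: BNLS_VERSIONCHECKEX2 (BNLS 0x1A) with exactly one NUL per string, its reply parsed with a DWORD success field (the bool-vs-DWORD shift ThePro found), and SID_AUTH_CHECK (BNCS 0x51) with the BNLS_CDKEY blob included as-is rather than re-supplying the key length. It then walks a 0x51 packet from start to finish the way Ringo describes the server reading it, so that a shifted layout shows up as a zero product ID, a non-zero "unknown" DWORD, or an EXE-information string that is not 16 bytes. The field layouts come from Ringo's listing of the 0x1A request, the captured 0x1A reply and Skywing's description of the CD-key blob; the sample bytes are Jaquio's captures reproduced from the thread. The function names and the sanity rules in walk_sid_auth_check() are this example's own assumptions, not anything BNLS or Battle.net publishes.

```python
# Added example; not code from this thread, from BNLS or from BNCS-Util.
# Builds and parses BNLS_VERSIONCHECKEX2 (BNLS 0x1A) and SID_AUTH_CHECK
# (BNCS 0x51) using the field layouts Ringo, Skywing and ThePro list above.
# Sample bytes are captures Jaquio posted; function names and the sanity
# rules in walk_sid_auth_check() are this example's own choices.
import struct

# Jaquio's corrected BNLS 0x1A request (product 3, cookie 0x51A4A083), the
# 0x1A reply BNLS sent him earlier, and the 0x51 his bot built from that reply.
CAPTURED_BNLS_REQUEST = bytes.fromhex(
    "3d001a 03000000 00000000 83a0a451 00eae4c672fcc601"
    "6c6f636b646f776e2d495838362d30352e6d707100"
    "590390e4fb2ee76602474459643ed386 00")
CAPTURED_BNLS_REPLY = bytes.fromhex(
    "28001a 01000000 01000e01 736480e3"
    "5e52af0b3c24ae119fa927ff3d63bebf00 e65ef54f cf000000")
CAPTURED_SID_AUTH_CHECK = bytes.fromhex(
    "ff515900 e65ef54f 01000e01 736480e3 01000000 00000000"
    "0d000000 01000000 81921000 00000000"
    "bc915683c8505685b9a21111342eef7f279b3a13"
    "5e52af0b3c24ae119fa927ff3d63bebf00 50485042 6f742076 312e3000")


def cstring(data):
    """A BNCS/BNLS string is its bytes plus exactly ONE NUL. A second NUL is
    read as an empty next string and shifts every field after it."""
    if isinstance(data, str):
        data = data.encode("ascii")
    return data + b"\x00"


def read_cstring(buf, pos):
    """Return (bytes, position after the NUL). Kept as bytes because the
    lockdown EXE-information string is binary, not printable text."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end], end + 1


def build_bnls_versioncheckex2(product_id, flags, cookie, filetime, archive, formula):
    """BNLS header: WORD length, BYTE id. Body: product, flags, cookie,
    ULONGLONG archive timestamp, archive filename, checksum formula."""
    body = struct.pack("<IIIQ", product_id, flags, cookie, filetime)
    body += cstring(archive) + cstring(formula)
    return struct.pack("<HB", 3 + len(body), 0x1A) + body


def parse_bnls_versioncheckex2_reply(pkt):
    """Reply: DWORD success (a full DWORD, not a one-byte bool), DWORD EXE
    version, DWORD checksum, STRING EXE information, DWORD cookie, DWORD
    version byte."""
    length, pid = struct.unpack_from("<HB", pkt, 0)
    if pid != 0x1A or length != len(pkt):
        raise ValueError("not a well-formed BNLS 0x1A reply")
    success = struct.unpack_from("<I", pkt, 3)[0]
    if success != 1:
        return {"success": success}
    version, checksum = struct.unpack_from("<II", pkt, 7)
    exe_info, pos = read_cstring(pkt, 15)
    cookie, verbyte = struct.unpack_from("<II", pkt, pos)
    return {"success": 1, "version": version, "checksum": checksum,
            "exe_info": exe_info, "cookie": cookie, "verbyte": verbyte}


def build_sid_auth_check(client_token, exe_version, checksum, key_blobs,
                         spawn, exe_info, owner):
    """BNCS header: 0xFF, id, WORD length. Each CD-key blob from BNLS_CDKEY
    (key length, product, public value, unknown, five-DWORD digest: 36 bytes)
    goes in as-is; nothing from it is sent again as a separate field."""
    body = struct.pack("<IIIII", client_token, exe_version, checksum,
                       len(key_blobs), 1 if spawn else 0)
    for blob in key_blobs:
        if len(blob) != 36:
            raise ValueError("CD-key blob must be the 9 DWORDs BNLS returned")
        body += blob
    body += cstring(exe_info) + cstring(owner)
    return struct.pack("<BBH", 0xFF, 0x51, 4 + len(body)) + body


def walk_sid_auth_check(pkt):
    """Read 0x51 from start to finish the way the server does and list the
    symptoms a shifted layout produces (this example's own sanity rules)."""
    ff, pid, length = struct.unpack_from("<BBH", pkt, 0)
    if ff != 0xFF or pid != 0x51 or length != len(pkt):
        raise ValueError("not a well-formed SID_AUTH_CHECK")
    client_token, exe_version, checksum, nkeys, spawn = struct.unpack_from("<5I", pkt, 4)
    pos, keys, issues = 24, [], []
    for _ in range(nkeys):
        key_len, product, public, unknown = struct.unpack_from("<4I", pkt, pos)
        keys.append({"key_len": key_len, "product": product, "public": public,
                     "unknown": unknown, "digest": pkt[pos + 16:pos + 36]})
        if product == 0 or unknown != 0:
            issues.append("key blob misaligned: product=%d unknown=%d" % (product, unknown))
        pos += 36
    exe_info, pos = read_cstring(pkt, pos)
    owner, pos = read_cstring(pkt, pos)
    if len(exe_info) != 16:
        issues.append("EXE information is %d bytes; IX86 lockdown returns 16" % len(exe_info))
    if pos != len(pkt):
        issues.append("%d trailing bytes the server never reads" % (len(pkt) - pos))
    return {"client_token": client_token, "exe_version": exe_version,
            "checksum": checksum, "spawn": spawn, "keys": keys,
            "exe_info": exe_info, "owner": owner, "issues": issues}


if __name__ == "__main__":
    reply = parse_bnls_versioncheckex2_reply(CAPTURED_BNLS_REPLY)
    print("0x1A reply: version=%08x checksum=%08x verbyte=%02x"
          % (reply["version"], reply["checksum"], reply["verbyte"]))
    print("0x51 issues:", walk_sid_auth_check(CAPTURED_SID_AUTH_CHECK)["issues"])
```

Running the script rebuilds Jaquio's 61-byte 0x1A request and 89-byte 0x51 byte-for-byte from the parsed reply, which is the check worth keeping in a bot: if your builder cannot reproduce a capture that Battle.net accepted, the layout is wrong before any hash is. Inserting eight bytes after the key-length DWORD, as the 97-byte packet in the thread does, makes walk_sid_auth_check() report a zero product ID and a 24-byte EXE-information string, the same symptoms Ringo spotted by hand.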