Valhalla Legends Forums Archive | Battle.net Bot Development | 0x51 rejection - 0x101 - need help.

HydraPride
I get rejected with 0x51 packets. It gives me 0x101 in the s->c return. I am running essentially the DataHash function from prolix... and I don't believe that's the problem. I think maybe my cd key decoder is screwed up. I am using it directly from prolix, with a few compatibility adjustments. There was one line in the getcdvariables function (also from prolix, essentially) which required strcasecmp() which I don't have, so I just changed it to strcmp(). That's bothering me... because I think it may be the problem. Also, I need to make sure I'm getting the proper server token - that is bothering me as well. I'm trying to get it from the 2nd DWORD (bytes 8-11) of 0x50. Is that proper?

thanks for help.
June 17, 2003, 9:57 AM
HydraPride
Everything static appears to be included in the packet, but I KEEP getting the same 0x101
I NEED HELP!!!!!
thanks
June 17, 2003, 5:00 PM
Camel
post a packet log of the 0x51 you sent (minus cd key hash of course :))
June 17, 2003, 11:31 PM
kamakazie
[quote author=Camel link=board=17;threadid=1648;start=0#msg12538 date=1055892674]
post a packet log of the 0x51 you sent (minus cd key hash of course :))
[/quote]

Would it be feasible to even attempt to brute force the hash?
June 18, 2003, 12:23 AM
Camel
[quote author=kamakazie link=board=17;threadid=1648;start=0#msg12543 date=1055895794]
Would it be feasible to even attempt to brute force the hash?
[/quote]

Well, assuming one had all of the correct codes and ONLY the five seeds were off... that would be 160 bits to mess with. That's about 1.46E48 different combinations. I'm not even going to attempt to calculate the odds if the operations aren't correct.
June 18, 2003, 12:31 AM
c0ol
[quote author=kamakazie link=board=17;threadid=1648;start=0#msg12543 date=1055895794]
Would it be feasible to even attempt to brute force the hash?
[/quote]

Well, 0x51 includes the product id and value 1, so you would only need to brute force value 2. I've done it before; it doesn't take that long. In fact that's how eurijk started with his cdkey decoder.
June 18, 2003, 5:43 AM
kamakazie
[quote author=c0ol link=board=17;threadid=1648;start=0#msg12572 date=1055915015]
Well, 0x51 includes the product id and value 1, so you would only need to brute force value 2. I've done it before; it doesn't take that long. In fact that's how eurijk started with his cdkey decoder.
[/quote]

What about the server salt?
June 18, 2003, 6:34 AM
Camel
[quote author=kamakazie link=board=17;threadid=1648;start=0#msg12573 date=1055918059]
What about the server salt?
[/quote]

Why would one brute the salt? Or should I ask, HOW would one brute the salt?
[code]Public Function HashPass(ByVal password As String, Key As Long, seed As Long, prependkey As Boolean) As String
Dim hashout As String * 20
' 20-byte hash of the plain password
hashout = CalcHashBuf(password)
' seed (client token) followed by Key (server token)
HashPass = MKL(seed) & MKL(Key)
' clear part (seed, or seed & key) followed by the hash of (clear part & password hash)
HashPass = IIf(prependkey, HashPass, MKL(seed)) & CalcHashBuf(HashPass & hashout)
End Function[/code]

Obviously that is VB, but it's the concept that counts.
BTW, the reason prependkey is there is because sometimes the key isn't sent with the hash (realm login).
June 18, 2003, 5:46 PM
kamakazie
[quote author=Camel link=board=17;threadid=1648;start=0#msg12595 date=1055958362]
Why would one brute the salt? Or should I ask, HOW would one brute the salt?
[code]Public Function HashPass(ByVal password As String, Key As Long, seed As Long, prependkey As Boolean) As String
Dim hashout As String * 20
hashout = CalcHashBuf(password)
HashPass = MKL(seed) & MKL(Key)
HashPass = IIf(prependkey, HashPass, MKL(seed)) & CalcHashBuf(HashPass & hashout)
End Function[/code]

Obviously that is VB, but it's the concept that counts.
BTW, the reason prependkey is there is because sometimes the key isn't sent with the hash (realm login).
[/quote]

What does hashing passwords have anything to do with hashing a cdkey?

My point was, since there is a salt this makes the attempt to brute force the hash (looking for value2 and the server salt - which we don't know since he's only telling us the contents of SID_AUTH_CHECK he sent) much more difficult. The structure for hashing a cdkey is as follows:
[code]
** Indicates which values we know.

(DWORD) Client Salt **
(DWORD) Server Salt
(DWORD) ProgramId (decoded from CDKey) **
(DWORD) Value 1 (decoded from CDKey) **
(DWORD) 0 **
(DWORD) Value 2 (decoded from CDKey)
[/code]

Is there something wrong I'm not seeing?
June 18, 2003, 9:47 PM
Camel
[quote author=kamakazie link=board=17;threadid=1648;start=0#msg12616 date=1055972830]
What does hashing passwords have anything to do with hashing a cdkey?[/quote]
It's basically the same idea and I didn't want to post the answer, but since you already did...

[code]' Key data sent in 0x51: key length, product id, val1, 0, then the 20-byte hash
' Hash input: client token (seed), server token, product id, val1, 0, val2
HashThisCDKey = _
MKL(Len(CDKey)) & _
MKL(ProductID) & _
MKL(Val1) & _
MKL(0) & _
CalcHashBuf( _
MKL(seed) & _
ServerHash & _
MKL(ProductID) & _
MKL(Val1) & _
MKL(0) & _
MKL(Val2))[/code]
June 18, 2003, 11:11 PM
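Added example (Python, not code from the thread or from any of the posters' bots): it reads the server token out of a constructed S->C 0x50 and assembles the 0x51 key-data block in exactly the order kamakazie's layout and Camel's VB give above. The 0x50 field order (logon type, then server token) is assumed from the public BNETDocs description, and standard SHA-1 is only a labelled stand-in for CalcHashBuf, since Battle.net's own 20-byte hash is not SHA-1.

```python
import hashlib
import struct


def parse_bncs_packet(raw: bytes):
    """Split a BNCS packet into (packet id, body).
    Header: 0xFF, one-byte id, little-endian u16 total length (header included)."""
    if len(raw) < 4 or raw[0] != 0xFF:
        raise ValueError("not a BNCS packet")
    pid = raw[1]
    length = struct.unpack_from("<H", raw, 2)[0]
    if length != len(raw):
        raise ValueError("length field does not match packet size")
    return pid, raw[4:]


def server_token_from_auth_info(raw: bytes) -> int:
    """S->C 0x50 starts (DWORD) logon type, (DWORD) server token (layout assumed from
    public BNETDocs descriptions). The token is body bytes 4..7, i.e. packet bytes
    8..11 once the 4-byte header is counted."""
    pid, body = parse_bncs_packet(raw)
    if pid != 0x50:
        raise ValueError("expected SID_AUTH_INFO (0x50)")
    return struct.unpack_from("<I", body, 4)[0]


def make_sample_auth_info(server_token: int) -> bytes:
    """Constructed sample S->C 0x50 (not a real capture): logon type, server token,
    UDP value, 8-byte filetime, then two NUL-terminated strings."""
    body = struct.pack("<III", 0, server_token, 0x12345678)
    body += struct.pack("<Q", 0) + b"ver-IX86-1.mpq\0" + b"A=1 B=2 C=3 4 A^S\0"
    return b"\xff\x50" + struct.pack("<H", 4 + len(body)) + body


def stand_in_hash(data: bytes) -> bytes:
    """Stand-in for CalcHashBuf. Battle.net uses its own 20-byte hash, not standard
    SHA-1, so this output will NOT authenticate; only the buffer layout is the point."""
    return hashlib.sha1(data).digest()


def build_cdkey_data(key_len, product, val1, val2, client_token, server_token,
                     hash_fn=stand_in_hash) -> bytes:
    """Key data block for C->S 0x51 in the order the thread gives:
    clear part  = key length, product id, val1, 0
    hashed part = hash(client token, server token, product id, val1, 0, val2)"""
    clear = struct.pack("<IIII", key_len, product, val1, 0)
    hashed = struct.pack("<IIIIII", client_token, server_token, product, val1, 0, val2)
    return clear + hash_fn(hashed)


if __name__ == "__main__":
    tok = server_token_from_auth_info(make_sample_auth_info(0x11223344))
    print(hex(tok), build_cdkey_data(13, 1, 0x1234, 0x567, 0xAABBCCDD, tok).hex())
```

Swap `hash_fn` for a real CalcHashBuf implementation to get a block the server would accept; with the stand-in you can still diff the clear part and the hash input against a packet log.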
kamakazie
Camel, you're lost and frankly it seems like you don't know what you're talking about.

c0ol, how long does it take him to brute value2 + the server salt? I'm just wondering if this is worth anyone's time to do.
June 18, 2003, 11:58 PM
Arta
Isn't all this moot anyway? Retrieving the actual key from the decoded values is probably impractical, and using the values directly is just ew. Seems like a lot less effort just to go to the store and write a cdkey down from the back of the manual - especially since they so kindly break the seal so people can't steal the disc.
June 19, 2003, 10:42 PM
Camel
[quote author=kamakazie link=board=17;threadid=1648;start=0#msg12624 date=1055980729]
Camel, you're lost and frankly it seems like you don't know what you're talking about.

c0ol, how long does it take him to brute value2 + the server salt? I'm just wondering if this is worth anyone's time to do.
[/quote]

I didn't see c0ol's post until after I posted, so I misunderstood the question.
June 19, 2003, 11:27 PM
Adron
[quote author=Arta[vL] link=board=17;threadid=1648;start=0#msg12657 date=1056062567]
Isn't all this moot anyway? Retrieving the actual key from the decoded values is probably impractical, and using the values directly is just ew. Seems like a lot less effort just to go to the store and write a cdkey down from the back of the manual - especially since they so kindly break the seal so people can't steal the disc.
[/quote]

Retrieving the actual key from the decoded values is very easy, comparable to decoding the key in the first place. Not a big brute force task or anything like that. What game is this about? What's the size of val2?
June 21, 2003, 2:49 PM
HydraPride
Hey guys,
I've been out for a little while, that's why I haven't said anything (been in Alaska =o).
Anyway, I believe I have everything correct EXCEPT for the hash, and thus I believe that I am doing something incorrect with the hash.
I know I am hashing the right theoretical values (in the proper order, and all), but what I do not know is

1) The server token. I think I have this right, but can someone pinpoint exactly where it is? I believe I posted my original thoughts about it in the first post.
2) If it's not the server token, and I have all the other values correct, what could it be?
June 21, 2003, 4:33 PM
Arta
Oh, didn't realise that. Assumed decoding was comparable to hashing.

This is Starcraft, both values are DWORDs.
June 21, 2003, 6:56 PM
K
[quote author=Adron link=board=17;threadid=1648;start=0#msg12718 date=1056206966]
Retrieving the actual key from the decoded values is very easy, comparable to decoding the key in the first place. Not a big brute force task or anything like that. What game is this about? What's the size of val2?
[/quote]

Really? Seems like re-encoding a cdkey would be fairly difficult...
June 22, 2003, 1:19 AM
K
[quote author=kamakazie link=board=17;threadid=1648;start=0#msg12624 date=1055980729]
how long does it take him to brute value2 + the server salt? I'm just wondering if this is worth anyone's time to do.
[/quote]

(System: Athlon XP 2000+, 512mb RAM)
Did a test with my own Diablo 2 cd key from an old packet log. Since they included the server token, brute forcing just value 2 didn't take *that* long. My program took 16.2 seconds to try 0x01000000 values, so it would take around 1 hour and 17 minutes to try all the possible values. Wouldn't even want to guess if it didn't include the server token.
June 22, 2003, 5:05 AM
Adron
Well, it's not even that hard. If this is Starcraft, the unknown is just three decimal digits. Say 10 bits. The server seed is 32 bits. Total 42 bits, or 4.4e12 operations. Running at 1 GHz, that's a bit over 1 hour worst case time for each cpu cycle/loop your optimized brute forcing algorithm needs.
June 22, 2003, 1:40 PM