Author | Message | Time |
---|---|---|
Goran | I've done it to log in and stuff but when I do something similar it doesn't work. Look below for the code: Public Sub ChangePassword() Dim ClientToken As Long Dim pwHash3 As String Dim Password As Integer ClientToken = GetTickCount() Password = BotVar.NewPassword pwHash3 = String(7 * 4, vbNullChar) a pwHash3, BotVar.ServerTokenMCP, Password With pBuffer .InsertDWORD ClientToken .InsertDWORD BotVar.ServerTokenMCP .InsertDWORD BotVar.PasswordHash .InsertDWORD pwHash3 .InsertNTString BotVar.UserNameLAP .SendPacketLAP &H31 End With End Sub What am I doing wrong? I'm NUB, no flaming please :'( | April 14, 2007, 10:10 PM |
Barabajagal | Make sure it's converted to lowercase... and what's with the 7*4? Also, what's with the ServerTokenMCP? MCP is for realm servers, not for bnet servers. Change Password goes like this: Client Token DWORD Server Token DWORD Double Hash (Password, Client Token, and Server Token) STRING Hash (Password) STRING Username NTSTRING I'm pretty sure the hashes are STRINGs, not DWORDs. | April 14, 2007, 10:15 PM |
Goran | My problem is that I can't hash the passwords correctly. Like... Public Declare Function a Lib "bnetauth.dll" Alias "A" (ByVal outbuf As String, ByVal ServerKey As Long, ByVal Password As String) As Long Public Declare Function A2 Lib "bnetauth.dll" (ByVal outbuf As String, ByVal Key As Long) As Long Public Declare Function C Lib "bnetauth.dll" (ByVal outbuf As String, ByVal serverhash As Long, ByVal prodid As Long, ByVal val1 As Long, ByVal val2 As Long, ByVal Seed As Long) As Long Public Declare Function X Lib "bnetauth.dll" (ByVal outbuf As String, ByVal Password As String) As Long Public Declare Function z Lib "bnetauth.dll" Alias "Z" (ByVal FileExe As String, ByVal FileStormDll As String, ByVal FileBnetDll As String, ByVal HashText As String, ByRef Version As Long, ByRef CheckSum As Long, ByVal EXEInfo As String, ByVal MPQName As String) As Long Those are the declares for BnetAuth.. I don't really know which one to use for Double Hashing and can I not use the hash from when I logged in with the account? | April 14, 2007, 10:39 PM |
Barabajagal | The double-hash is the same as the logon. The single hash is the new password. | April 14, 2007, 10:54 PM |
l2k-Shadow | Hashes are DWORD arrays. Single Hash = Hash(Password) Double Hash = Hash(ClientToken & ServerToken & Hash(Password)) | April 14, 2007, 11:25 PM |
Barabajagal | I'm just wondering... What the HELL is the point of hashing the password, if all you need to log in or change the password is the hash? I mean... say you have a packetlogger trojan on a computer. A user logs in and changes their password. You get the new password hash through the logger. You get a bot's source (or more likely write a bot) and make it hash the password with the clienttoken and servertoken. Bam, you log in without knowing their password. Or am I missing something somewhere? | April 14, 2007, 11:45 PM |
HdxBmx27 | You are correct. Except for the fact that people USUALLY don't change their passwords. So they only send the single hashed password when they create the account, and if the account is just created, what's the point of nabbing it? ~Hdx PS: FreeGeek is fun! | April 15, 2007, 12:02 AM |
Goran | Ok so here is the new code.. Public Sub ChangePassword() Dim ClientToken As Long Dim NewHash As String ClientToken = GetTickCount() Password = LCase(BotVar.NewPassword) X NewHash, Password With pBuffer .InsertDWORD ClientToken .InsertDWORD BotVar.ServerTokenMCP .InsertDWORD BotVar.PasswordHash .InsertDWORD NewHash .InsertNTString BotVar.UserNameLAP .SendPacketLAP &H31 End With End Sub Has client token, X is the function on BnetAuth for a single pass hash, NewHash being the hash and Password being the pass. I set the password lowercase like you said I should. Made both hashes DWORDs. Is all this correct? (BotVar.ServerTokenMCP IS the ServerToken.. long story.. & BotVar.PasswordHash is the old pass hash from login which I stored in there.) EDIT: Error! ByRef argument type mismatch. It's highlighting NewHash and I assume maybe it's not declared correctly. | April 15, 2007, 12:11 AM |
l2k-Shadow | you're passing a string to a function which accepts a 32-bit signed integer. | April 15, 2007, 12:18 AM |
Goran | So Dim NewHash as String should be an Integer instead? | April 15, 2007, 12:43 AM |
Barabajagal | Long. | April 15, 2007, 12:48 AM |
l2k-Shadow | [quote author=Goran link=topic=16618.msg167973#msg167973 date=1176597811] So Dim NewHash as String should be an Integer instead? [/quote] you're clueless about what you're attempting to achieve. [quote] (DWORD) Client Token (DWORD) Server Token (DWORD[5]) Old password hash (DWORD[5]) New password hash (STRING) Account name [/quote] | April 15, 2007, 12:51 AM |
Hell-Lord | [quote](InsertDWORD) = ClientToken (InsertDWORD) = ServerToken (InsertString) = doubleHashPassword (Old Password) (InsertString) = hashPassword (New Password) (InsertNTString) = Username[/quote] That would work too, right? | April 15, 2007, 1:03 AM |
Barabajagal | It really is easier to deal with them as a non-null terminated string in VB... | April 15, 2007, 1:03 AM |
Goran | We all start somewhere, Shadow. :) | April 15, 2007, 1:22 AM |
Hell-Lord | Yep, that's true. Anyway, have you got anywhere after some of the suggestions? | April 15, 2007, 1:25 AM |
l2k-Shadow | yeah but don't confuse what the data type string is in the first place.. it is a character array terminated by a null character. | April 15, 2007, 1:28 AM |
Goran | Dim ClientToken As Long Dim Password As String Dim NewHash As Long ClientToken = GetTickCount() Password = LCase(BotVar.NewPassword) X NewHash, Password With pBuffer .InsertDWORD ClientToken .InsertDWORD BotVar.ServerTokenMCP .InsertDWORD BotVar.PasswordHash .InsertDWORD NewHash .InsertNTString BotVar.UserNameLAP .SendPacketLAP &H31 End With Getting type mismatch at BotVar.PasswordHash. When I put my mouse over it I see the hash info, strange characters blah blah.. sooo.. I guess I don't really know what type mismatch means. If someone would kindly explain, as I am a novice :) | April 15, 2007, 1:34 AM |
l2k-Shadow | Type mismatch means that you are trying to assign a value to a variable which is unfit to be assigned to that variable or that you are trying to pass a variable to a function which accepts different variable type. Ex: [code] Option Explicit Sub Form_Load() Dim a As String a = "SHIT" Call ExampleFunction(a) End Sub Sub ExampleFunction(ByVal a As Integer) MsgBox a End Sub [/code] You will get a type mismatch error on the function call line. | April 15, 2007, 1:49 AM |
Spilled[DW] | [quote author=Goran link=topic=16618.msg167981#msg167981 date=1176600857] Dim ClientToken As Long Dim Password As String Dim NewHash As Long ClientToken = GetTickCount() Password = LCase(BotVar.NewPassword) X NewHash, Password With pBuffer .InsertDWORD ClientToken .InsertDWORD BotVar.ServerTokenMCP .InsertDWORD BotVar.PasswordHash .InsertDWORD NewHash .InsertNTString BotVar.UserNameLAP .SendPacketLAP &H31 End With Getting type mismatch at BotVar.PasswordHash. When I put my mouse over it I see the hash info, strange characters blah blah.. sooo.. I guess I don't really know what type mismatch means. If someone would kindly explain, as I am a novice :) [/quote] (DWORD) Client Token (DWORD) Server Token (DWORD[5]) Old password hash (DWORD[5]) New password hash (STRING) Account name Hrmm, well let's see. DWORD[5], first off, do you know what this means? Second off, you're passing a string to a sub that's expecting a long. Same with the new password hash. A lot of people handle this as a Non Null Terminated string because it's easier than 5 DWORDs, so put InsertNonNTString OldHash and InsertNonNTString NewHash and see what it gets you ;) "BotVar.ServerTokenMCP" lmao? | April 15, 2007, 1:52 AM |
Goran | No more Type Mismatch, but now I'm getting ByRef Argument Type Mismatch and it's highlighting NewHash. Public Sub ChangePassword() Dim ClientToken As Long Dim NewPassword As Long Dim NewHash As Long ClientToken = GetTickCount() NewPassword = LCase(BotVar.NewPassword) X NewHash, NewPassword With pBuffer .InsertDWORD ClientToken .InsertDWORD BotVar.ServerTokenMCP .InsertNonNTString BotVar.PasswordHash .InsertNonNTString NewHash <--- Highlighted :\ .InsertNTString BotVar.UserNameLAP .SendPacketLAP &H31 End With End Sub Oh, and the ServerTokenMCP is a long story and I don't feel like telling it... | April 15, 2007, 2:19 AM |
Yegg | I've thought about this before, but I have no desire to create such a thing. With relative ease, someone could create a simple program that grabs the client and server token and the hash of a password and easily obtain the password correct? Of course, they would have to write a reverse of the hashing function, but that shouldn't really be too difficult. This idea is very practical, is it? | April 15, 2007, 2:28 AM |
l2k-Shadow | [quote author=Yegg link=topic=16618.msg167985#msg167985 date=1176604117] I've thought about this before, but I have no desire to create such a thing. With relative ease, someone could create a simple program that grabs the client and server token and the hash of a password and easily obtain the password correct? Of course, they would have to write a reverse of the hashing function, but that shouldn't really be too difficult. This idea is very practical, is it? [/quote] no, it's a hash, not an encryption. | April 15, 2007, 2:46 AM |
BreW | [quote author=l2k-Shadow link=topic=16618.msg167975#msg167975 date=1176598272] you're clueless about what you're attempting to achieve. [quote] (DWORD) Client Token (DWORD) Server Token (DWORD[5]) Old password hash (DWORD[5]) New password hash (STRING) Account name [/quote] [/quote] "If CreateHash <> "" Then InsertNonNTString CreateHash InsertNTString Username SendPacket &H3D" - l2uthless ops | April 15, 2007, 2:46 AM |
Barabajagal | Yegg: the point of a hash is that it's not supposed to be reversible. That's the entire point of them. If a hash can be reversed, it should no longer be used. Goran: the hashes are DWORD[5]'s, which means they are an array of 5 dwords (20 bytes of pure data). "String", "Non-Null Terminated String", etc... just means pure data. It's a bit misleading. A better name for the type would be Null, I guess. Your function looks like it expects a string. So what do you do? Set the hashes to Strings equal to 20 bytes of empty data (strHash = String$(20,0)) | April 15, 2007, 2:51 AM |
Hell-Lord | [code]Dim NewHash As String[/code] | April 15, 2007, 2:54 AM |
BreW | [quote author=Yegg link=topic=16618.msg167985#msg167985 date=1176604117] I've thought about this before, but I have no desire to create such a thing. With relative ease, someone could create a simple program that grabs the client and server token and the hash of a password and easily obtain the password correct? Of course, they would have to write a reverse of the hashing function, but that shouldn't really be too difficult. This idea is very practical, is it? [/quote] Uh... Reality is right. It's not meant to be reversed. Please, TRY to find the original value of ANY md5 hash without using a rainbow table. Also, another hole in your theory: how would the person "decoding" the hash know the client token and server token? Now please tell me, HOW the hell is decoding a double broken sha-1 hash practical at all? | April 15, 2007, 3:02 AM |
Goran | Public Sub ChangePassword() Dim ClientToken As Long Dim NewPassword As String Dim NewHash As String NewHash = String$(20, 0) ClientToken = GetTickCount() NewPassword = LCase(BotVar.NewPassword) X NewHash, NewPassword With pBuffer .InsertDWORD ClientToken .InsertDWORD BotVar.ServerTokenMCP .InsertNonNTString BotVar.PasswordHash .InsertNonNTString NewHash .InsertNTString BotVar.UserNameLAP .SendPacketLAP &H31 End With End Sub Ok so this is what I got, it seems to be loading and connecting without errors but I'm getting IP banned so I assume I'm building the packet incorrectly. Any ideas? | April 15, 2007, 3:19 AM |
BreW | Make sure your client/server tokens AREN'T 0, and make sure the lengths of your hashes are both 20 characters. Other than that, I have no idea how you can possibly get IP banned. | April 15, 2007, 3:29 AM |
Explicit[nK] | [quote author=Goran link=topic=16618.msg167991#msg167991 date=1176607161] Public Sub ChangePassword() Dim ClientToken As Long Dim NewPassword As String Dim NewHash As String NewHash = String$(20, 0) ClientToken = GetTickCount() NewPassword = LCase(BotVar.NewPassword) X NewHash, NewPassword With pBuffer .InsertDWORD ClientToken .InsertDWORD BotVar.ServerTokenMCP .InsertNonNTString BotVar.PasswordHash .InsertNonNTString NewHash .InsertNTString BotVar.UserNameLAP .SendPacketLAP &H31 End With End Sub Ok so this is what I got, it seems to be loading and connecting without errors but I'm getting IP banned so I assume I'm building the packet incorrectly. Any ideas? [/quote] This is where everyone says "packet log." | April 15, 2007, 3:50 AM |
Yegg | [quote author=brew link=topic=16618.msg167990#msg167990 date=1176606173] [quote author=Yegg link=topic=16618.msg167985#msg167985 date=1176604117] I've thought about this before, but I have no desire to create such a thing. With relative ease, someone could create a simple program that grabs the client and server token and the hash of a password and easily obtain the password correct? Of course, they would have to write a reverse of the hashing function, but that shouldn't really be too difficult. This idea is very practical, is it? [/quote] Uh... Reality is right. It's not meant to be reversed. Please, TRY to find the original value of ANY md5 hash without using a rainbow table. Also, another hole in your theory: how would the person "decoding" the hash know the client token and server token? Now please tell me, HOW the hell is decoding a double broken sha-1 hash practical at all? [/quote] IIRC, the client and server token are located in another packet. | April 15, 2007, 4:10 AM |
l2k-Shadow | [quote author=brew link=topic=16618.msg167987#msg167987 date=1176605188] [quote author=l2k-Shadow link=topic=16618.msg167975#msg167975 date=1176598272] you're clueless about what you're attempting to achieve. [quote] (DWORD) Client Token (DWORD) Server Token (DWORD[5]) Old password hash (DWORD[5]) New password hash (STRING) Account name [/quote] [/quote] "If CreateHash <> "" Then InsertNonNTString CreateHash InsertNTString Username SendPacket &H3D" - l2uthless ops [/quote] Those were my bad coding habits two and a half years ago when I was learning to program; however, it did do the job, while Goran's function obviously is not doing the job. @Yegg: When double hashing you hash the hash of the password, hence the term "double hash", which is why you still can't obtain plain text even if you know client and server tokens. | April 15, 2007, 4:18 AM |
Yegg | [quote author=l2k-Shadow link=topic=16618.msg167996#msg167996 date=1176610703] [quote author=brew link=topic=16618.msg167987#msg167987 date=1176605188] [quote author=l2k-Shadow link=topic=16618.msg167975#msg167975 date=1176598272] you're clueless about what you're attempting to achieve. [quote] (DWORD) Client Token (DWORD) Server Token (DWORD[5]) Old password hash (DWORD[5]) New password hash (STRING) Account name [/quote] [/quote] "If CreateHash <> "" Then InsertNonNTString CreateHash InsertNTString Username SendPacket &H3D" - l2uthless ops [/quote] Those were my bad coding habits two and a half years ago when I was learning to program; however, it did do the job, while Goran's function obviously is not doing the job. @Yegg: When double hashing you hash the hash of the password, hence the term "double hash", which is why you still can't obtain plain text even if you know client and server tokens. [/quote] Ya, makes sense. Thanks. | April 15, 2007, 4:31 AM |
Goran | (1:12:56 AM) 0000: FF 25 08 00 9E 3F 02 34 ÿ%.ž?4........ (1:12:56 AM) 0000: FF 50 66 00 00 00 00 00 87 1C 40 F0 94 E2 15 00 ÿPf.....‡@ð”â. 0010: 00 4D 89 7E 99 CB C6 01 76 65 72 2D 49 58 38 36 .M‰~™ËÆver-IX86 0020: 2D 37 2E 6D 70 71 00 43 3D 32 34 32 34 39 38 35 -7.mpq.C=2424985 0030: 32 36 20 41 3D 32 38 32 32 35 35 30 38 30 31 20 26 A=2822550801 0040: 42 3D 31 36 30 39 39 39 36 38 32 20 34 20 41 3D B=160999682 4 A= 0050: 41 2D 53 20 42 3D 42 5E 43 20 43 3D 43 2D 41 20 A-S B=B^C C=C-A 0060: 41 3D 41 5E 42 00 A=A^B........... (1:12:56 AM) 0000: FF 51 09 00 00 00 00 00 00 ÿQ.............. (1:12:56 AM) 0000: FF 4C 16 00 49 58 38 36 4D 69 6E 64 53 69 67 68 ÿL.IX86MindSigh 0010: 74 2E 6D 70 71 00 t.mpq........... (1:12:56 AM) 0000: FF 3A 08 00 00 00 00 00 ÿ:............. Looks like it's getting caught on login... I know I'm supposed to send it before EnterChat, which I'm doing. I'm doing it on &H0 is received for 3A. Doing both... BNCSPacketsLAP.ChangePass BNCSPacketsLAP.EnterChat right after each other.. should I be putting change pass somewhere else? | April 15, 2007, 5:16 AM |
Barabajagal | You shouldn't send enter chat until you've received the ChangePass response. | April 15, 2007, 8:11 AM |
BreW | oooh.... nice job goran. (sarcastic) You CAN'T send these packets after the 0x3a (if 0x00 response): 0x31 0x3D You CAN send these packets before the 0x3a: 0x31 0x3D If you pass the 0x3a, you can only send the packets 0x0A, 0x0C Also, just a note: any value higher than 0x02 in the 0x0C for join flags will result in a default of 0x01 (firstjoin). If you fail the 0x3a for any reason, you could send these: 0x31 0x3A 0x3D | April 15, 2007, 3:56 PM |
raylu | You can also send 0x0B, but that's almost not worth mentioning. I'm hoping BNCSPacketsLAP is something you wrote yourself? | April 22, 2007, 5:47 AM |
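The 0x31 layout and the single/double hashing scheme pieced together across this thread, as an added example in Python that is not code from any poster or from bnetauth.dll. It assumes standard SHA-1 as a stand-in for Battle.net's modified SHA-1 (so it runs offline), little-endian DWORDs for the tokens inside the double-hash input, and the FF/id/16-bit-length framing visible in Goran's packet log; the server-side check shows why the server only ever needs the stored single hash, never the plaintext.

```python
import hashlib
import struct


def bncs_hash(data):
    # Stand-in for the modified ("broken") SHA-1 behind bnetauth.dll's X/A
    # calls; standard SHA-1 is an assumption so the example runs offline.
    return hashlib.sha1(data).digest()


def single_hash(password):
    # Hash(Password): lowercase the password first, as the thread advises.
    return bncs_hash(password.lower().encode("ascii"))


def double_hash(client_token, server_token, pw_hash):
    # Hash(ClientToken & ServerToken & Hash(Password)); the tokens are packed
    # as little-endian DWORDs (assumed, matching the packet's DWORD fields).
    return bncs_hash(struct.pack("<II", client_token, server_token) + pw_hash)


def build_change_password(client_token, server_token, old_pw_hash, new_pw_hash, account):
    # 0x31 layout from the thread: (DWORD) client token, (DWORD) server token,
    # (DWORD[5]) old password double hash, (DWORD[5]) new password hash,
    # (NT string) account name. The two checks are the ones brew listed.
    if client_token == 0 or server_token == 0:
        raise ValueError("client and server tokens must not be 0")
    if len(old_pw_hash) != 20 or len(new_pw_hash) != 20:
        raise ValueError("hashes must be exactly 20 bytes (DWORD[5])")
    body = struct.pack("<II", client_token, server_token)
    body += double_hash(client_token, server_token, old_pw_hash)
    body += new_pw_hash
    body += account.encode("ascii") + b"\x00"
    # BNCS framing as seen in the packet log: FF, packet id, 16-bit LE length.
    return struct.pack("<BBH", 0xFF, 0x31, 4 + len(body)) + body


def parse_change_password(packet):
    # Inverse of build_change_password; validates the framing before slicing.
    marker, pid, length = struct.unpack("<BBH", packet[:4])
    if marker != 0xFF or pid != 0x31 or length != len(packet):
        raise ValueError("not a well-formed 0x31 packet")
    client_token, server_token = struct.unpack("<II", packet[4:12])
    return {
        "client_token": client_token,
        "server_token": server_token,
        "old_double_hash": packet[12:32],
        "new_hash": packet[32:52],
        "account": packet[52:-1].decode("ascii"),
    }


def server_accepts(packet, stored_pw_hash):
    # Server side: recompute the double hash from the stored single hash and
    # the tokens in the packet; on a match, return the new single hash to store.
    f = parse_change_password(packet)
    expected = double_hash(f["client_token"], f["server_token"], stored_pw_hash)
    if expected != f["old_double_hash"]:
        return False, None
    return True, f["new_hash"]
```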