Author | Message | Time |
---|---|---|
Strilanc | I'm looking for source code to verify that a wc3 cd key will be accepted by the installer, in order to catch typos when people enter a key into my hosting bot. Anyone have a link? | October 21, 2009, 3:26 PM |
rabbit | Make one yourself? It's hard to make a typo in a string that is 26 characters long and has no single proper spelling. | October 21, 2009, 3:40 PM |
Camel | http://code.google.com/p/bnubot/source/browse/trunk/BNUBot/src/org/jbls/Hashing/War3Decode.java | October 21, 2009, 4:39 PM |
Strilanc | [quote author=rabbit link=topic=18097.msg183568#msg183568 date=1256139637] Make one yourself? It's hard to make a typo in a string that is 26 characters long and has no single proper spelling. [/quote] Making one myself would require disassembling the installer, and finding the code which verifies the key. That's a lot of work which may have already been done, which is why I'm posting the request. [quote author=Camel link=topic=18097.msg183570#msg183570 date=1256143147] http://code.google.com/p/bnubot/source/browse/trunk/BNUBot/src/org/jbls/Hashing/War3Decode.java [/quote] That is code for extracting the public/private/product values from a cd key. It is needed for bnet login, and is probably involved in verifying the key, but doesn't actually perform verification. | October 21, 2009, 6:26 PM |
Camel | [quote author=Strilanc link=topic=18097.msg183573#msg183573 date=1256149596] That is code for extracting the public/private/product values from a cd key. It is needed for bnet login, and is probably involved in verifying the key, but doesn't actually perform verification. [/quote] If you say so. | October 21, 2009, 6:42 PM |
Strilanc | [quote author=Camel link=topic=18097.msg183574#msg183574 date=1256150560] [quote author=Strilanc link=topic=18097.msg183573#msg183573 date=1256149596] That is code for extracting the public/private/product values from a cd key. It is needed for bnet login, and is probably involved in verifying the key, but doesn't actually perform verification. [/quote] If you say so. [/quote] Would you care to point out the line where they verify the checksum? | October 21, 2009, 6:44 PM |
Camel | If it decodes, it's a valid key. If the product ID matches the product, the installer accepts it. You're only going to know if the public/private IDs match by trying to log in to battle.net. | October 21, 2009, 6:46 PM |
Strilanc | [quote author=Camel link=topic=18097.msg183576#msg183576 date=1256150805] Look at the product id. [/quote] I see, so you're saying the product id *is* the checksum. I hadn't considered that part. I figured part of the private key was a checksum. Thanks. | October 21, 2009, 6:48 PM |
Camel | There's no checksum. The CD key is just 3 DWORDs encoded in to a form a human can type. | October 21, 2009, 6:51 PM |
Jailout2000 | [quote author=Camel link=topic=18097.msg183578#msg183578 date=1256151102] The CD key is just 3 DWORDs encoded in to a form a human can type. [/quote]Thank you for this bit of information. You just made things a lot easier for me (I'm confused on how CD-Key hashing works). I now have new insight on how to input CD-Key's. | October 22, 2009, 12:34 AM |
rabbit | [quote author=Strilanc link=topic=18097.msg183573#msg183573 date=1256149596] [quote author=rabbit link=topic=18097.msg183568#msg183568 date=1256139637] Make one yourself? It's hard to make a typo in a string that is 26 characters long and has no single proper spelling. [/quote] Making one myself would require disassembling the installer, and finding the code which verifies the key. That's a lot of work which may have already been done, which is why I'm posting the request. [quote author=Camel link=topic=18097.msg183570#msg183570 date=1256143147] http://code.google.com/p/bnubot/source/browse/trunk/BNUBot/src/org/jbls/Hashing/War3Decode.java [/quote] That is code for extracting the public/private/product values from a cd key. It is needed for bnet login, and is probably involved in verifying the key, but doesn't actually perform verification. [/quote]You've got a lot to learn. | October 22, 2009, 12:49 PM |
Strilanc | [quote author=rabbit link=topic=18097.msg183584#msg183584 date=1256215782]You've got a lot to learn. [/quote] Could you be more specific? | October 22, 2009, 6:19 PM |
rabbit | [quote author=Strilanc link=topic=18097.msg183588#msg183588 date=1256235590] [quote author=rabbit link=topic=18097.msg183584#msg183584 date=1256215782]You've got a lot to learn. [/quote] Could you be more specific? [/quote]Not really. There's a lot of it. But basically, you don't need to disassemble anything these days. There is code out there for checking CD-Keys in Python, Java, C, C++, C#, VB.Net, JavaScript, and PHP (at least). You're also trying to tell Camel how the private, public, and product values work. He's got significantly more experience with this stuff than you do. | October 23, 2009, 1:43 PM |
Imperceptus | Correct me if im wrong, but weren't the keys that work generated and stored, amongst those a % of them flagged to be accepted on bnet? | October 23, 2009, 4:45 PM |
MysT_DooM | Theres a formula that battle.net uses to check to see if the private value given equates to the Prod/Public formula. If the private value isn't the right answer then you get hit with an invalid key. (Different from wrong product) Nothing is stored. The server will see whether or not your private values equate correctly to the prod/public values given. | October 23, 2009, 5:38 PM |
Strilanc | [quote author=rabbit link=topic=18097.msg183594#msg183594 date=1256305436]Not really. There's a lot of it. But basically, you don't need to disassemble anything these days. There is code out there for checking CD-Keys in Python, Java, C, C++, C#, VB.Net, JavaScript, and PHP (at least). You're also trying to tell Camel how the private, public, and product values work. He's got significantly more experience with this stuff than you do. [/quote] Right, which is why I made a post asking for a link instead of starting a disassembler. I was telling Camel how I believed the values work, so that the answer I got back would explain what I was missing. It worked. [quote author=Imperceptus link=topic=18097.msg183596#msg183596 date=1256316307] Correct me if im wrong, but weren't the keys that work generated and stored, amongst those a % of them flagged to be accepted on bnet? [/quote] Apparently the installer accepts any cd key with the correct product key. Bnet requires a correct product key as well as a correct public/private key pair. When you connect the public key is used to identify your cd key while the private key is used to authenticate it. I believe the private is not related to the public key mathematically, it is just generated randomly. Blizzard stores all the information on cd keys it has generated, so when you connect to bnet they can lookup your private key given the public key. | October 23, 2009, 6:29 PM |
Imperceptus | myst, Then how do you equate that there are cdkey generators that generate valid codes to install the game but not to bet onto battle.net? Strilanc is getting at what im trying to say. | October 23, 2009, 6:32 PM |
Strilanc | [quote author=Imperceptus link=topic=18097.msg183600#msg183600 date=1256322748] myst, Then how do you equate that there are cdkey generators that generate valid codes to install the game but not to bet onto battle.net? [/quote] Because the battle.net check is significantly stronger. Also, if the private key is randomly generated, then there is no practical way to verify a generated key will work other than connecting to bnet and trying it. Generating an installer cd key only requires starting with a correct product id, arbitrary public/private keys, and running the encoding process backwards. | October 23, 2009, 6:36 PM |
Camel | [quote author=Strilanc link=topic=18097.msg183599#msg183599 date=1256322547] I believe the private is not related to the public key mathematically, it is just generated randomly. Blizzard stores all the information on cd keys it has generated, so when you connect to bnet they can lookup your private key given the public key. [/quote] That's extremely unlikely, considering there's a huge amount of evidence that the relationship is algorithmic. I don't recall all the details exactly, but there has been a great deal of work put in to studying the relationship, and someone was able to come up with code that generated a battle.net-acceptable SC key about 5% of the time. If it was truly random, they either used a really shitty random number generator, or all the moons were just perfectly aligned. Really, the only way to know would be to ask someone who implemented it, but you'd have to be pretty crazy to believe that they're random. | October 23, 2009, 8:46 PM |
Camel | [quote author=Strilanc link=topic=18097.msg183601#msg183601 date=1256322976] Because the battle.net check is significantly stronger. [/quote] This is sort of misleading; the installer just checks that the key is decodable, and is for the product - like buying a car on ebay based on the picture looking like a car instead of a motorcycle, but without starting it up to see if it runs. When you send the 3 DWORDs to Battle.net, it checks that the private key matches the other two values according to whatever algorithm they used to generate the CD keys in the first place. Sort of going off on a tangent here, but the private value from the cd key is never sent in plain text; it's hashed (BS1) with 32 bits of salt from the client, and 32 more from the server, to protect the key from being sniffed off the wire. It's a pretty weak security measure, since it only takes a few hours in the worst case to brute the private key (it's only a 32-bit value) with a poor implementation of BS1 and a slow computer. | October 23, 2009, 8:58 PM |
MysT_DooM | What Camel said. There is somewhat of a mathematically algorithm of some sorts that derives the private value from the prod/pub. People have wasted many hours of their lifetime looking into this. Check out the Starcraft Key topic; should be one of the most viewed topics when you click on Statistics. So due to the mathematically correlation for certain digits in the private value, a hash table of all product public & their given private value I don't think is likely. But who knows. | October 23, 2009, 9:24 PM |
Strilanc | [quote author=Camel link=topic=18097.msg183603#msg183603 date=1256330797] [quote author=Strilanc link=topic=18097.msg183599#msg183599 date=1256322547] I believe the private is not related to the public key mathematically, it is just generated randomly. Blizzard stores all the information on cd keys it has generated, so when you connect to bnet they can lookup your private key given the public key. [/quote] That's extremely unlikely, considering there's a huge amount of evidence that the relationship is algorithmic. I don't recall all the details exactly, but there has been a great deal of work put in to studying the relationship, and someone was able to come up with code that generated a battle.net-acceptable SC key about 5% of the time. If it was truly random, they either used a really shitty random number generator, or all the moons were just perfectly aligned. Really, the only way to know would be to ask someone who implemented it, but you'd have to be pretty crazy to believe that they're random. [/quote] I was speaking specifically about the warcraft 3 cd keys. I've never done anything with starcraft keys. They may have switched strategies, but I can't speak about it with any confidence. Obviously I agree if you can generate a valid wc3 key a twentieth of the time then the private key isn't random, since if it was random your success rate would be more like one out of a trillion trillions. [quote author=Camel link=topic=18097.msg183604#msg183604 date=1256331503] [quote author=Strilanc link=topic=18097.msg183601#msg183601 date=1256322976] Because the battle.net check is significantly stronger. [/quote] This is sort of misleading; the installer just checks that the key is decodable, and is for the product - like buying a car on ebay based on the picture looking like a car instead of a motorcycle, but without starting it up to see if it runs. When you send the 3 DWORDs to Battle.net, it checks that the private key matches the other two values according to whatever algorithm they used to generate the CD keys in the first place. Sort of going off on a tangent here, but the private value from the cd key is never sent in plain text; it's hashed (BS1) with 32 bits of salt from the client, and 32 more from the server, to protect the key from being sniffed off the wire. It's a pretty weak security measure, since it only takes a few hours in the worst case to brute the private key (it's only a 32-bit value) with a poor implementation of BS1 and a slow computer. [/quote] Right. I'm aware of all that. Actually, I once wrote something so you could "lend" your keys to someone. Because the login process doesn't reveal the private key, you can just answer the login challenges for them. The key is "returned" once they log off. | October 23, 2009, 10:30 PM |