Valhalla Legends Forums Archive | Battle.net Bot Development | NLS Stuff

UserLoser.
Not doing any real research, but just how similar is the hashing for the NLS to the OLS?

In D2 v1.10's Bnclient.dll, in the sub for 0x51 & 0x53:

I renamed all the functions in the order I see them (NLSHashXX):

Edit: Look for the "*****"

[code]
.text:6FF086C0 loc_6FF086C0: ; CODE XREF: sub_6FF01C70+25j
.text:6FF086C0 sub esp, 320h
.text:6FF086C6 mov dword_6FF1DA50, 0
.text:6FF086D0 push esi
.text:6FF086D1 push edi
.text:6FF086D2 mov esi, ecx
.text:6FF086D4 push 100h
.text:6FF086D9 push esi
.text:6FF086DA push offset unk_6FF1D950
.text:6FF086DF mov edi, edx
.text:6FF086E1 call Storm_501
.text:6FF086E6 push 0BCh
.text:6FF086EB push offset unk_6FF1DA58
.text:6FF086F0 call Storm_494
.text:6FF086F5 lea eax, [esp+8]
.text:6FF086F9 push 100h
.text:6FF086FE push esi
.text:6FF086FF push eax
.text:6FF08700 call Storm_501
.text:6FF08705 lea ecx, [esp+8]
.text:6FF08709 push ecx
.text:6FF0870A call Storm_510
.text:6FF0870F lea edx, [esp+108h]
.text:6FF08716 push 100h
.text:6FF0871B push edi
.text:6FF0871C push edx
.text:6FF0871D call Storm_501
.text:6FF08722 lea eax, [esp+108h]
.text:6FF08729 push eax
.text:6FF0872A call Storm_510
.text:6FF0872F lea ecx, [esp+108h]
.text:6FF08736 lea edx, [esp+8]
.text:6FF0873A push ecx
.text:6FF0873B push edx
.text:6FF0873C push offset unk_6FF1DA58
.text:6FF08741 mov ecx, offset unk_6FF1D948
.text:6FF08746 call NLSHash ; Seen in 0x55 also *****
.text:6FF0874B lea eax, [esp+208h]
.text:6FF08752 push 20h
.text:6FF08754 push offset unk_6FF1DAB8
.text:6FF08759 push eax
.text:6FF0875A call Storm_491
.text:6FF0875F lea ecx, [esp+228h]
.text:6FF08766 push 100h
.text:6FF0876B push esi
.text:6FF0876C push ecx
.text:6FF0876D call Storm_501
.text:6FF08772 add eax, 21h
.text:6FF08775 lea edx, [esp+208h]
.text:6FF0877C push eax
.text:6FF0877D mov cl, 53h ; SID_AUTH_ACCOUNTLOGON
.text:6FF0877F call SendPacket

[/code]


[code]
.text:6FF13D70 NLSHash proc near ; CODE XREF: .text:6FF08746p
.text:6FF13D70 ; Send0x55+BEp
.text:6FF13D70
.text:6FF13D70 arg_0 = dword ptr 4
.text:6FF13D70 arg_4 = dword ptr 8
.text:6FF13D70
.text:6FF13D70 mov eax, [esp+arg_4]
.text:6FF13D74 push ebx
.text:6FF13D75 push ebp
.text:6FF13D76 push esi
.text:6FF13D77 mov esi, [esp+0Ch+arg_0]
.text:6FF13D7B push edi
.text:6FF13D7C push 7FFFFFFFh
.text:6FF13D81 push eax
.text:6FF13D82 push esi
.text:6FF13D83 mov ebx, ecx
.text:6FF13D85 call Storm_501
.text:6FF13D8A mov ecx, [esp+1Ch]
.text:6FF13D8E push 7FFFFFFFh
.text:6FF13D93 lea edx, [esi+20h]
.text:6FF13D96 push ecx
.text:6FF13D97 push edx
.text:6FF13D98 call Storm_501
.text:6FF13D9D lea edi, [esi+40h]
.text:6FF13DA0 push 20h
.text:6FF13DA2 push edi
.text:6FF13DA3 mov ecx, ebx
.text:6FF13DA5 call NLSHash2 *****
.text:6FF13DAA mov edx, 20h
.text:6FF13DAF mov ecx, edi
.text:6FF13DB1 call NLSHash9
.text:6FF13DB6 xor ecx, ecx
.text:6FF13DB8 mov ebp, eax
.text:6FF13DBA call sub_6FF158C0
.text:6FF13DBF mov ebx, [ebx]
.text:6FF13DC1 mov edi, eax
.text:6FF13DC3 mov ecx, edi
.text:6FF13DC5 mov eax, [ebx+8]
.text:6FF13DC8 mov edx, [ebx+4]
.text:6FF13DCB push eax
.text:6FF13DCC push ebp
.text:6FF13DCD call NLSHash10
.text:6FF13DD2 mov ecx, ebp
.text:6FF13DD4 call NLSHash6
.text:6FF13DD9 push 20h
.text:6FF13DDB lea edx, [esi+60h]
.text:6FF13DDE mov ecx, edi
.text:6FF13DE0 call NLSHash5
.text:6FF13DE5 mov ecx, edi
.text:6FF13DE7 call NLSHash6
.text:6FF13DEC pop edi
.text:6FF13DED pop esi
.text:6FF13DEE pop ebp
.text:6FF13DEF pop ebx
.text:6FF13DF0 retn 0Ch
.text:6FF13DF0 NLSHash endp ; sp = -18h
[/code]

In NLSHash2, which is the one that looks very, very familiar...

About halfway down in NLSHash2:

[code]
.text:6FF13748 call SetHashTable
[/code]

Hmm, where have we all seen these?

[code]
.text:6FF13F70 SetHashTable proc near ; CODE XREF: .text:6FF136B0p
.text:6FF13F70 ; NLSHash2+48p ...
.text:6FF13F70 xor eax, eax
.text:6FF13F72 mov dword ptr [ecx], 67452301h
.text:6FF13F78 mov dword ptr [ecx+4], 0EFCDAB89h
.text:6FF13F7F mov dword ptr [ecx+8], 98BADCFEh
.text:6FF13F86 mov dword ptr [ecx+0Ch], 10325476h
.text:6FF13F8D mov dword ptr [ecx+10h], 0C3D2E1F0h
.text:6FF13F94 mov [ecx+18h], eax
.text:6FF13F97 mov [ecx+14h], eax
.text:6FF13F9A retn
.text:6FF13F9A SetHashTable endp
[/code]


These are seen in the hashing function located at: .text:6FF14060...

NLSHash11 - the largest function, where those 5 values are found, can be found here (way too long to post), along with what looks like a few new ones: Here...

0x52 = an XXSHA-1? :P (Shown in link)
0x53 = an XXSHA-1? :P (Shown in link)
0x54 = Hell if I know
0x55 = an XXSHA-1? :P (Shown in link)
0x56 = Hell if I know
0x57 = No hashing? (Empty packet)
0x58 = XSHA-1? (current hash function)
February 3, 2004, 1:13 AM
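Added example (editor's code, not from the original post and not Bnclient.dll's own routine): a plain SHA-1 written from the five words SetHashTable stores, checked against Python's hashlib. When a disassembled routine initialises a 20-byte state to 67452301/EFCDAB89/98BADCFE/10325476/C3D2E1F0 it is a SHA-1 context; the two extra zeroed words at [ecx+14h] and [ecx+18h] are assumed here to be the 64-bit message-length counter. Whether the compression function at 6FF14060 is stock SHA-1 or a Blizzard variant can only be settled by hashing the same input through both and comparing digests, which is what matches_reference does for this implementation against hashlib. The names sha1, _compress and matches_reference are the editor's own.

```python
import hashlib
import struct

# Initial state exactly as SetHashTable (.text:6FF13F70) writes it.
# These are the FIPS 180-1 SHA-1 initialisation values H0..H4.
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)

MASK32 = 0xFFFFFFFF


def _rol(x: int, n: int) -> int:
    """32-bit rotate left."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def _compress(state, block: bytes):
    """One standard SHA-1 compression of a 64-byte block into the 5-word state.

    The round constants 5A827999/6ED9EBA1/8F1BBCDC/CA62C1D6 are the ones to
    look for in the large routine (NLSHash11) rather than in SetHashTable.
    """
    w = list(struct.unpack(">16I", block))          # big-endian message words
    for t in range(16, 80):
        # Stock schedule: rotate the XOR by 1.  A modified SHA-1 usually
        # differs right here, so this is the first line to diff against
        # the disassembly.
        w.append(_rol(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = state
    for t in range(80):
        if t < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif t < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif t < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        tmp = (_rol(a, 5) + f + e + k + w[t]) & MASK32
        a, b, c, d, e = tmp, a, _rol(b, 30), c, d
    return tuple((s + v) & MASK32 for s, v in zip(state, (a, b, c, d, e)))


def sha1(data: bytes) -> bytes:
    """Standard SHA-1 over arbitrary-length input: pad, then compress per block."""
    bit_len = len(data) * 8
    padded = data + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack(">Q", bit_len)            # 64-bit length, big-endian
    state = SHA1_IV
    for off in range(0, len(padded), 64):
        state = _compress(state, padded[off:off + 64])
    return struct.pack(">5I", *state)


def matches_reference(samples) -> bool:
    """True if this SHA-1 agrees with hashlib on every sample.

    Run the same inputs through the suspect routine; a mismatch on any of
    them means the target is not stock SHA-1, whatever its IV looks like.
    """
    return all(sha1(s) == hashlib.sha1(s).digest() for s in samples)


if __name__ == "__main__":
    # Constructed sample inputs covering padding edge cases and a 2-block message.
    probes = [b"", b"abc", b"a" * 55, b"a" * 56, b"a" * 64, bytes(range(256))]
    print(sha1(b"abc").hex())                       # FIPS test vector
    print("matches hashlib:", matches_reference(probes))
```

The FIPS vector for "abc" is a9993e364706816aba3e25717850c26c9cd0d89d; any implementation that starts from these five constants but produces something else on that input has been altered somewhere in the schedule, the rounds, or the padding and byte order.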
Yoni
Uhh. Enjoy >:D
February 3, 2004, 4:13 PM
UserLoser.
[quote author=dRAgoN link=board=17;threadid=5057;start=0#msg42436 date=1075788977]
Neat and very large 8\
btw, shouldn't this be on the ASM board?

Edit: Link was down.
[/quote]

No, I don't think this should be on the ASM board, because this is one of the few topics that has never been covered; it has to do with bots and development, and doesn't have to do with CSB or topics that have been covered many times...

Link was down last night because I was testing a new ISAPI DLL on my webserver. If I wanted to unload the DLL, I'd have to shut it down/restart it.
February 3, 2004, 4:34 PM
dRAgoN
[quote author=UserLoser. link=board=17;threadid=5057;start=0#msg42550 date=1075913743]
[quote author=dRAgoN link=board=17;threadid=5057;start=0#msg42506 date=1075860562]
[quote author=UserLoser. link=board=17;threadid=5057;start=0#msg42451 date=1075826076]

No, I don't think this should be on the ASM board, because this is one of the few topics that has never been covered; it has to do with bots and development, and doesn't have to do with CSB or topics that have been covered many times...

Link was down last night because I was testing a new ISAPI DLL on my webserver. If I wanted to unload the DLL, I'd have to shut it down/restart it.
[/quote]

True, but you stated that you weren't doing any real research on it.
[/quote]

And you're not contributing anything here, or in any other threads here, so just take your mouth elsewhere.

Edit: If you care that much, a friend and I are looking into it.
[/quote]
Really lol, and if that's regarding the D2 in-game packet thread, sure; perhaps if a spot wasn't restricted on BnetDocs maybe I would actually contribute to it, but some of us don't have access to that, therefore won't contribute to it. Also, if you don't like someone pointing out little things, then before posting crap that will annoy that someone, maybe you should read what that someone has posted and figure out why they posted it.
Anyway, I think I'm done typing more to this, seeing as it turned into a random bitching comment.
February 4, 2004, 2:09 AM
UserLoser.
[quote author=dRAgoN link=board=17;threadid=5057;start=0#msg42506 date=1075860562]
[quote author=UserLoser. link=board=17;threadid=5057;start=0#msg42451 date=1075826076]

No, I don't think this should be on the ASM board, because this is one of the few topics that has never been covered; it has to do with bots and development, and doesn't have to do with CSB or topics that have been covered many times...

Link was down last night because I was testing a new ISAPI DLL on my webserver. If I wanted to unload the DLL, I'd have to shut it down/restart it.
[/quote]

True, but you stated that you weren't doing any real research on it.
[/quote]

And you're not contributing anything here, or in any other threads here, so just take your mouth elsewhere.

Edit: If you care that much, a friend and I are looking into it.
February 4, 2004, 4:55 PM
Arthas
THAT is the kind of code that makes me think long drops with solid bottoms are an option to escape hashing.

Yikes. *Wishes he knew ASM*
February 6, 2004, 6:04 AM