Warcraft III CD Key Voodoo

[pxc]

This isn't exactly/directly about Battle.net bots so much as Battle.net related tools (hopefully it's a kosher topic). Does anyone here have experience enough to say where within the mysterious war3.mpq and war3x.mpq files the CD key is located? I believe that they are encrypted in some file within those aforementioned, but I haven't found any likely files (I've poked around with an MPQ editor).

The reason I'm asking all this is basically because I can't find/don't trust Warcraft III CD key changers online and they're useful for things like avoiding reinstalls after a LAN party (I install a copy of Warcraft III on a friend's computer at a party for LAN usage, they buy their own copy and want to use it online) and also to satisfy my curiosity surrounding the subject. Any insight would be much appreciated.

--Patrick C.

[Camel]

IIRC, the filename is binary.

It's also possible, however, that the tool I was writing was just broken in a way that made me think that.

[pxc]

By binary, do you mean some god awful huge string of numbers (probably actually in hex) for the filename? I also read that it's encrypted where its stored, but that'll be a separate issue once I find the file.

[iago]

It's definitely encrypted, and to my knowledge nobody has bothered figuring out how it's decrypted, although that'd make for a fun project.

The easier way to pull the key is to grab it in the game's memory after it's been decrypted.

[pxc]

Well, I'm not interested in decrypting it. If I discover (or guess!) what encryption algorithm it uses, I can just replace the old encrypted string with my encrypted string (for the new CD key, whatever). The way the CD key grabber that floats around on the net grabs the key in a similar way to what you described, iago. It does even less work and grabs it off the network when it's submitted to Battle.net, IIRC.

In fact, this might be useful for giving bogus CD keys to an already-working install. At a LAN party or a friend's computer, I can give them an install with my alternate CD key, and then change it to some stupid made up one like "THIS-ISAFA-KECDK-EYBLAH" or whatever and they're left with a system that'll work on the LAN, which is fine for the party, but there's no risk of them using it online and blocking me from getting onto Battle.net when they take it home.

Does anyone with more skillz than me wanna dive into this and start hunting around for candidate containers/files for the CD key? I can think of a few ways of doing this.

1.) Get a delta (binary diff) of two MPQ files that are the same patch version. Theoretically, the only thing that should be different is the part containing the CD key. Save this diff as an MPQ file "cdkey.mpq" and then extract it using an MPQ editor and giving the listfiles of one of the full MPQs as the listfile.

2.) Similar to above: Take a known working MPQ and back it up before changing the CD key using one of the CD key changers floating around on the internet, and compare changes as in above.

It may be easier to extract them before comparison instead of getting fancy with xdeltas and all that.

[Camel]

It's definitely encrypted, and to my knowledge nobody has bothered figuring out how it's decrypted, although that'd make for a fun project.

The easier way to pull the key is to grab it in the game's memory after it's been decrypted.

The counter-evidence to that is that I have a key changer on my other computer. You can get a good one with mm.bot (a series of autoit scripts for d2 botting).

Pxc, again I'm calling on very old memories, so I may be completely incorrect. So, if memory does serve me correctly though, the file names in an MPQ file are stored in a hashed form, and you can't get at the files without knowing at least the filename hash. The filename I was using was simply a collision of the hash, as there was no known filename at the time. It's very possible, however, that I was mistaken, or that the filename has been discovered. Either way, it's probably safe to assume the filename wont change, and you can theoretically get at the file with only the hash, though I'm not sure if storm provides a way to get at files without knowing the original filename.

If you do discover the filename, you'll still have to take the added step of de-encrypting the file down to the 3 DWORDs that identify the key - product, public, and private; IIRC the actual textual representation is not stored.

In any event, what I know for sure is that it can be done, as evidenced by a tool I actually use.

[Joe]

It may be worth noting that any piece of software written by ShadowFrench, including but not limited to his CD Key changers, is clean in my book. But the secure thing is to not take my word for it. So, this is definitely a kosher topic and the kind I like to see.

A cheaters way of doing this would be to grab his key changer and disassemble it. I'm pretty sure that it'll be easier to read his disasm than anything from the game, since the game does so much more than just display it -- you'd be all over the map trying to figure out what's going on.

[iago]

It's definitely encrypted, and to my knowledge nobody has bothered figuring out how it's decrypted, although that'd make for a fun project.

The easier way to pull the key is to grab it in the game's memory after it's been decrypted.

The counter-evidence to that is that I have a key changer on my other computer. You can get a good one with mm.bot (a series of autoit scripts for d2 botting).

Pxc, again I'm calling on very old memories, so I may be completely incorrect. So, if memory does serve me correctly though, the file names in an MPQ file are stored in a hashed form, and you can't get at the files without knowing at least the filename hash. The filename I was using was simply a collision of the hash, as there was no known filename at the time. It's very possible, however, that I was mistaken, or that the filename has been discovered. Either way, it's probably safe to assume the filename wont change, and you can theoretically get at the file with only the hash, though I'm not sure if storm provides a way to get at files without knowing the original filename.

If you do discover the filename, you'll still have to take the added step of de-encrypting the file down to the 3 DWORDs that identify the key - product, public, and private; IIRC the actual textual representation is not stored.

In any event, what I know for sure is that it can be done, as evidenced by a tool I actually use.

I don't think the key is stored as an ordinary file within the .mpq, I think it's encrypted and appended. I guess a binary diff would solve that pretty quick.

[Camel]

I don't think the key is stored as an ordinary file within the .mpq, I think it's encrypted and appended. I guess a binary diff would solve that pretty quick.

That's definitely not consistent with what I remember, but again I do not remember this topic well

[Camel]

Bump!

Check out the cdkey mpq generator that is floating around for D2. I won't provide link since it's way illegal, but it shouldn't be hard to find.

Use it to generate a key mpq - basically, it's an MPQ file with only a cdkey set in it, and no other files. Extract the MPQ, and you'll be able to investigate the encryption on it.

Alternatively, disassemble the generator


[edit] It's worth noting that I'm assuming that the encryption is the same in W3 and D2, but I don't have any reason to think otherwise. Does anyone know for sure?

[Joe]

I'm going to guess Alpha16 and Alpha26 (I think WC3 is Alpha26) keys aren't encrypted the same way.

Alternatively, take Joe's advice and disassemble the WC3 key changer.

[Camel]

I'm going to guess Alpha16 and Alpha26 (I think WC3 is Alpha26) keys aren't encrypted the same way.

Well, when you consider that the key hashing procedure is identical, that seems like a pretty poor basis for a guess