Author Topic: Battle.net Server Signature  (Read 29464 times)

0 Members and 4 Guests are viewing this topic.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Battle.net Server Signature
« on: March 19, 2005, 03:42:52 pm »
Last night and this morning I spent a little time and figured out how Battle.net's server signatures work.  It's a simple RSA decryption, r = sk % n, where n is a 128-byte constant, k is a 4-byte constant, and s is the 128-byte signature.  See this document for more details:

http://www.javaop.com/~iago/ServerSig.html


Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: Battle.net Server Signature
« Reply #1 on: March 19, 2005, 05:04:31 pm »
Har. Good work.

Was that documented anywhere else?
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Battle.net Server Signature
« Reply #2 on: March 19, 2005, 06:29:13 pm »
Not that I know of.  I knew going in that it was the IP, encrypted, which made it a little easier.  But Skywing told me that directly, a long time ago. 

Offline yiourkas

  • Newbie
  • *
  • Posts: 3
  • I'm new here!
    • View Profile
Re: Battle.net Server Signature
« Reply #3 on: June 20, 2005, 07:44:13 pm »
Is there any way to create a signature for localhost ip (127.0.0.1)???

What i want to do is interfere between Warcraft and battle.net.
I use a modified JavaOp version for THE REAL client (this connects to battle.net) and some extra classes as a server (listens to 127.0.0.1:6112)

Then i let all packets pass through this filter except the SID_AUTH_INFO, which is replaced by a packet with a cdkey different than the one used in war3 mpq files.

That way i am able to change cdkeys on the fly.

The only problem is that the signature my program sents to warcraft is baaad.

Offline yiourkas

  • Newbie
  • *
  • Posts: 3
  • I'm new here!
    • View Profile
Re: Battle.net Server Signature
« Reply #4 on: June 22, 2005, 04:34:51 am »
Reply to myself :P

After tingling with warcraft3 files a little I found that the modulo parameter n is located in the file game.dll offset 0x00722B70

I changed it to all BB's except the last 4 bytes : 0x01000080 (which is {the hex representation of 127.0.0.1 in reverse order} + 1)

After the n is the key k (offset 0x00722BF0). Replaced it with dec 1 (hex: 0x00000001)

So now the sig we have to send to warcraft 3 is all BB's except the last 4 bytes : 0x0100007F

Offline MyndFyre

  • Boticulator Extraordinaire
  • x86
  • Hero Member
  • *****
  • Posts: 4540
  • The wait is over.
    • View Profile
    • JinxBot :: the evolution in boticulation
Re: Battle.net Server Signature
« Reply #5 on: June 22, 2005, 01:59:32 pm »
Doesn't that mean that now you can't get onto the real Battle.net?
I have a programming folder, and I have nothing of value there

Running with Code has a new home!

Our species really annoys me.

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: Battle.net Server Signature
« Reply #6 on: June 22, 2005, 11:17:37 pm »
Doesn't that mean that now you can't get onto the real Battle.net?

Oh well. ::)
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Battle.net Server Signature
« Reply #7 on: June 23, 2005, 11:07:27 pm »
The point of the server signature is to prevent fake servers, such as yours.  It would be computationally infeasable to get Blizzard's private key and thus to make your own signature without patching the client.

Maddox says that he found the private key, but I don't believe him.

Offline Joe

  • B&
  • Moderator
  • Hero Member
  • *****
  • Posts: 10319
  • In Soviet Russia, text read you!
    • View Profile
    • Github
Re: Battle.net Server Signature
« Reply #8 on: June 27, 2005, 12:04:16 pm »
How can you decrypt something you can't encrypt? Perhaps Blizzard's key will be in the WarCraft III client.
I'd personally do as Joe suggests

You might be right about that, Joe.


Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Battle.net Server Signature
« Reply #9 on: June 27, 2005, 05:08:39 pm »
How can you decrypt something you can't encrypt? Perhaps Blizzard's key will be in the WarCraft III client.

By using public key cryptography:

A public key can be derived from a private key, but a private key can NOT be derived from the public key.
If a message is encrypted with a private key a, it can only be decrypted with the matching public key A.  That provides proof that a message was sent from the source with the private key.
If a message is encrypted with a public key B, it can only be decrypted with the matching private key b.  That provides confidentiallity since only the person with the matching private key can ever see your message.

When logging into Battle.net as War3, it uses ephemeral (temporary) public/private keys that are based on the password to verify the other's identity.

For more information, and lots of links, see:
http://en.wikipedia.org/wiki/Public-key_cryptography

Offline Joe

  • B&
  • Moderator
  • Hero Member
  • *****
  • Posts: 10319
  • In Soviet Russia, text read you!
    • View Profile
    • Github
Re: Battle.net Server Signature
« Reply #10 on: June 27, 2005, 05:44:51 pm »
AHH
I'd personally do as Joe suggests

You might be right about that, Joe.


Offline yiourkas

  • Newbie
  • *
  • Posts: 3
  • I'm new here!
    • View Profile
Re: Battle.net Server Signature
« Reply #11 on: July 01, 2005, 02:44:15 am »
Actually i never wanted to find the private key battle.net uses (as this operation will take about 100 years). I just want to make warcraft believe that my localhost server is NOT fake server. Hex editing of game.dll didn't actually work (perhaps private key is in another file too).

So i suppose patching the client (so as to skip verifying server) will be a solution...
But WHERE is such a patch?!??!?!? ??? ???

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Battle.net Server Signature
« Reply #12 on: July 01, 2005, 04:49:39 pm »
(as this operation will take about 100 years)
No, for this reason: If it took one computer 100 years, it would take 100 computers 1 year, or 36,500 computers 1 day.  It would actually take something on the order of 10^100 (that's a 1 with 100 zeroes after it, 10000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000) years.  At least. 

Quote
So i suppose patching the client (so as to skip verifying server) will be a solution...
But WHERE is such a patch?!??!?!? ??? ???
Dunno.  I could probably go back and find it, but that sounds like work.. :)

Offline Krazed

  • x86
  • Hero Member
  • *****
  • Posts: 1822
    • View Profile
Re: Battle.net Server Signature
« Reply #13 on: July 02, 2005, 08:35:38 pm »
(as this operation will take about 100 years)
No, for this reason: If it took one computer 100 years, it would take 100 computers 1 year, or 36,500 computers 1 day.  It would actually take something on the order of 10^100 (that's a 1 with 100 zeroes after it, 10000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000) years.  At least. 

*cough* Botnets *cough*
It is good to be good, but it is better to be lucky.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Battle.net Server Signature
« Reply #14 on: July 02, 2005, 09:13:57 pm »
(as this operation will take about 100 years)
No, for this reason: If it took one computer 100 years, it would take 100 computers 1 year, or 36,500 computers 1 day.  It would actually take something on the order of 10^100 (that's a 1 with 100 zeroes after it, 10000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000) years.  At least. 

*cough* Botnets *cough*

No, because you're fighting an expontential problem with multiplication.  Say you had a botnet of 100 billion computers (100,000,000,000).  That would still take 10000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 / 100000000000, or 100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 years.  Which really doesn't make a difference.

If you ever take an algorithm analysis course, you'll learn that you can't fight exponential problems with multiplication.