BNET Authentication and wow login

  1. #1
    daCoder's Avatar Sergeant

    BNET Authentication and wow login

    Hello,

    I am looking into the WoW login process right now. I tried to learn this from open source private server implementations like TrinityCore, but they differ a lot in this login procedure. Actually, I am interested in all traffic before Netclient::ProcessMessage() with the relevant opcodes gets called.
    Is there some existing work that already does this battle.net authentication or login? My aim is to log in to the realm without the WoW client.

    I would appreciate any pointers to relevant functions in the client or to related work that would help me learn.


    The BNET part

    Code:
    The client connects to port 1119 and sends a username (email)
    The server responds with an auth packet looking like
    
    size: 0x6d (constant value, which contains the strings "auth", "EU")
    size: 0x100 (random value)
    size: 0x22a (constant value, which contains the strings "auth", "EU")
    
    The client responds with the password auth.
    Server responds with some auth data if credentials are valid.
    
    Client: some data 
    Server: Numeric account name.
    Client: 2+29*27 bytes
    Server: huge data (>1000Bytes)
    Client: 2+2*23 bytes
    Server: huge data (>1000Bytes)
    Client: 16 bytes
    Server: 104 bytes

    The realm part

    Code:
    // Init part
    Server: "WORLD OF WARCRAFT CONNECTION - SERVER TO CLIENT"  // Not done by privservers
    Client: "WORLD OF WARCRAFT CONNECTION - CLIENT TO SERVER"  // Not done by privservers
    Server: 42 Bytes // Not done by privservers
    Client: AuthLogonChallenge (much longer than the priv server version)
    Server: AuthLogonChallenge_Response
    ....

    -daCoder
    My YouTube Videos: https://www.youtube.com/user/daCoderVids
    OpenHack: https://www.ownedcore.com/forums/world-of-warcraft/world-of-warcraft-bots-programs/384086-open-souce-project-wow-1-12-1-a.html

  2. #2
    doityourself's Avatar ★ Elder ★

  3. #3
    stoneharry's Avatar Moderator Harry

    A ton of resources for Battle.net2 protocol here: Index of /files/Battle.net 2/

  4. #4
    Mackdaddy2887's Avatar Knight-Lieutenant
    Hmm, good luck on your endeavor, I'm really curious to see your results. What outcomes or goals are you trying to accomplish in this task? If you succeed, what do you aim to accomplish? Definitely would be curious to see what applications this could be used for.

  5. #5
    daCoder's Avatar Sergeant
    Thank you very much for the links, king48488 and stoneharry. They helped me get an understanding of the packets.
    I implemented the protocol described in the wiki to have a look at the packages. It could parse the first two request/responses.
    The "S->C Battlenet::Client::Authentication::Complete" seems to have changed. It does not really complete, so the last parsing is not really working.
    I will keep working on it if I get some free time. For now, I am sharing my current implementation for all who want to play with it.

    Code:
    # BNET Protocol Parser by daCoder (2014)
    import binascii
    
    #Insert your hexstream from wireshark here
    login1 = ""
    login2 = ""
    login3 = ""
    login4 = ""
    
    
    def byte_to_binary(n):
        return ''.join(str((n & (1 << i)) and 1) for i in (range(8)))
    
    def hex_to_binary(h):
        return ''.join(byte_to_binary(ord(b)) for b in binascii.unhexlify(h))
    
    def get_right_order(bin, pointer, size):
    	lastbytes = (pointer + size) % 8
    	if pointer+size-lastbytes <= pointer:
    		b = bin[pointer:pointer+size]
    	else:
    		b = bin[pointer+size-lastbytes:pointer+size]
    		size = size - lastbytes
    		while (pointer+size-8 >= pointer):
    			b = b + bin[pointer+size-8:pointer+size]
    			size = size - 8
    		b = b + bin[pointer:pointer+size]
    
    	return b[::-1]
    
    def bin_to_hex(bin, pointer, size):
    	return hex(int(get_right_order(bin,pointer,size),2))
    
    def bin_to_char(bin,pointer, size):
    	b = int(get_right_order(bin,pointer,size),2)
    	return binascii.unhexlify('%x' % b)
    
    def bin_to_dec(bin, pointer, size):
    	b = get_right_order(bin,pointer,size)
    	return int(b,2)
    
    	
    def Authentication_InformationRequest(login1_bin):
    	# First packet to battlenet on port 1119
    	print "------------------------------"
    	# Header Information for the packets
    	packetid = bin_to_hex(login1_bin, 0, 6)
    	haschannel = bin_to_dec(login1_bin, 6, 1)
    	p = 7
    
    	if (haschannel > 0):
    		channelid = bin_to_dec(login1_bin,p,4)
    		p = p + 4
    		print "Channel:", channelid
    	
    	# The main part begins here
    	program = bin_to_char(login1_bin,p,32)
    	p = p + 32
    	platform = bin_to_char(login1_bin,p,32)
    	p = p + 32
    	locale = bin_to_char(login1_bin,p,32)
    	p = p + 32
    	componentCount = bin_to_dec(login1_bin,p,6)
    	p = p + 6
    
    	print "PacketID:", packetid
    	print program, platform, locale
    	print componentCount, "Components:"
    
    	for c in range(componentCount):
    		program = bin_to_char(login1_bin,p,32)
    		p = p + 32
    		platform = bin_to_char(login1_bin,p,32)
    		p = p + 32
    		build = bin_to_hex(login1_bin,p,32)
    		p = p + 32
    		print "\t", c, program, platform, build
    
    	hasAccountName = bin_to_dec(login1_bin,p,1)
    	p = p + 1
    	if (hasAccountName):
    		len = bin_to_dec(login1_bin,p,9) + 3
    		len = len * 8 # get size as bits
    		p = p + 9
    		p = p + 5 #empty bits?
    		accountname = bin_to_char(login1_bin,p,len)
    		p = p + len
    		print "Account:", accountname
    
    def Authentication_ProofRequest(login1_bin):
    	print "------------------------------"
    	# Header Information for the packets
    	packetid = bin_to_hex(login1_bin, 0, 6)
    	haschannel = bin_to_dec(login1_bin, 6, 1)
    	p = 7
    
    	if (haschannel > 0):
    		channelid = bin_to_dec(login1_bin,p,4)
    		p = p + 4
    		print "Channel:", channelid
    		print "PacketID:", packetid
    
    	moduleCount = bin_to_dec(login1_bin,p,3)
    	p = p + 3
    	print moduleCount, "Modules"
    	
    	print "\tn\tauth\tlocale\tmoduleid\tblobsize"
    	for c in range(moduleCount):
    		p = p + (8 - p % 8) # align bits 
    		auth = bin_to_char(login1_bin,p,32)
    		p = p + 32
    		locale = bin_to_char(login1_bin,p,32)
    		p = p + 32
    		moduleid = bin_to_hex(login1_bin,p,32*8)
    		p = p + 32*8
    		blobsize = bin_to_dec(login1_bin,p,10) * 8
    		p = p + 10
    		moduleData = bin_to_hex(login1_bin,p, blobsize)
    		p = p + blobsize
    		print "\t", c, auth, locale, moduleid,blobsize
    		print "\tdata:", moduleData
    	
    def Authentication_ProofResponse(login1_bin):
    	print "------------------------------"
    	# Header Information for the packets
    	packetid = bin_to_hex(login1_bin, 0, 6)
    	haschannel = bin_to_dec(login1_bin, 6, 1)
    	p = 7
    
    	if (haschannel > 0):
    		channelid = bin_to_dec(login1_bin,p,4)
    		p = p + 4
    		print "Channel:", channelid
    		print "PacketID:", packetid
    
    	moduleCount = bin_to_dec(login1_bin,p,3)
    	p = p + 3
    	print moduleCount, "Modules"
    	
    	for c in range(moduleCount):
    		blobsize = bin_to_dec(login1_bin,p,10) * 8
    		p = p + 10
    		moduleData = bin_to_hex(login1_bin,p, blobsize)
    		p = p + blobsize
    		print "\t", c, "- size:", blobsize
    		print "\tdata:", moduleData
    	
    def Authentication_Complete(login1_bin):
    	print "------------------------------"
    	# Header Information for the packets
    	packetid = bin_to_hex(login1_bin, 0, 6)
    	haschannel = bin_to_dec(login1_bin, 6, 1)
    	p = 7
    
    	if (haschannel > 0):
    		channelid = bin_to_dec(login1_bin,p,4)
    		p = p + 4
    		print "Channel:", channelid
    		print "PacketID:", packetid
    		
    	success = bin_to_dec(login1_bin,p,1)
    	p = p + 1
    	if (success):
    		print "Success"
    		moduleCount = bin_to_dec(login1_bin,p,3)
    		p = p + 3
    		print moduleCount, "Modules"
    		
    		print "\tn\tauth\tlocale\tmoduleid\tblobsize"
    		for c in range(moduleCount):
    			p = p + (8 - p % 8) # align bits 
    			auth = bin_to_char(login1_bin,p,32)
    			p = p + 32
    			locale = bin_to_char(login1_bin,p,32)
    			p = p + 32
    			moduleid = bin_to_hex(login1_bin,p,32*8)
    			p = p + 32*8
    			blobsize = bin_to_dec(login1_bin,p,10) * 8
    			p = p + 10
    			moduleData = bin_to_hex(login1_bin,p, blobsize)
    			p = p + blobsize
    			print "\t", c, auth, locale, moduleid,blobsize
    			print "\tdata:", moduleData
    		
    		pingTimeout = bin_to_dec(login1_bin,p,32)
    		p = p + 32
    		print "ping timeout:", pingTimeout
    		
    		hasOptsegment = bin_to_dec(login1_bin,p,1)
    		p = p + 1
    		
    		if (hasOptsegment):
    			params_bool = bin_to_dec(login1_bin,p,1)
    			p = p + 1
    			if (params_bool):
    				threshold = bin_to_hex(login1_bin,p,32)
    				p = p + 32
    				rate = bin_to_hex(login1_bin,p,32)
    				p = p + 32
    				print "threshold:", threshold, "rate:", rate
    			
    		name_len = bin_to_dec(login1_bin,p,7)
    		p = p + 7
    		accountname = bin_to_char(login1_bin,p,name_len)
    		p = p + name_len
    		unk64 = bin_to_hex(login1_bin,p,64)
    		p = p + 64
    		unk32 = bin_to_hex(login1_bin,p,32)
    		p = p + 32
    		print accountname, unk64, unk32
    		
    		
    		
    	else:
    		print "No Success"
    		hasOptModule = bin_to_dec(login1_bin,p,1)
    		p = p + 1
    		if (hasOptModule):
    			print "\tauth\tlocale\tmoduleid"
    			p = p + (8 - p % 8) # align bits 
    			auth = bin_to_char(login1_bin,p,32)
    			p = p + 32
    			locale = bin_to_char(login1_bin,p,32)
    			p = p + 32
    			moduleid = bin_to_hex(login1_bin,p,32*8)
    			p = p + 32*8
    			print "\t", auth, locale, moduleid
    			
    		failType = bin_to_dec(login1_bin,p,2)
    		p = p + 2
    		if failType == 1:
    			errorCode = bin_to_dec(login1_bin,p,16)
    			p = p + 16
    			timestamp_maybe = bin_to_dec(login1_bin,p,32)
    			p = p + 32
    			print "errorCode:", errorCode, timestamp_maybe
    		else:
    			print "failType:", failType
    		
    	
    		
    # First Request	parsing
    Authentication_InformationRequest(hex_to_binary(login1))
    
    # First Response parsing
    Authentication_ProofRequest(hex_to_binary(login2))
    
    # Second Request parsing
    Authentication_ProofResponse(hex_to_binary(login3))
    
    # Second Response parsing
    Authentication_Complete(hex_to_binary(login4))
    My YouTube Videos: https://www.youtube.com/user/daCoderVids
    OpenHack: https://www.ownedcore.com/forums/world-of-warcraft/world-of-warcraft-bots-programs/384086-open-souce-project-wow-1-12-1-a.html
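
An added example, not part of daCoder's post or of any project mentioned in this thread: a Python 3 bit reader that follows the bit order of get_right_order() and the field widths of Authentication_ProofRequest in the script above (which is Python 2), and refuses any read, including a 10-bit blob length, that points past the end of the captured buffer. The names BitReader and parse_proof_request are assumptions of this example, and the bytes in SAMPLE (including packet id 2) are constructed, not captured traffic.

```python
class BitReader:
    """Bit reader with the bit order of get_right_order() in the post:
    bits are taken LSB-first inside each byte, chunks are joined big-endian."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0          # pos is counted in bits

    def read(self, nbits: int) -> int:
        # Reject any read past the end of the buffer before touching it.
        if self.pos + nbits > len(self.data) * 8:
            raise ValueError(f"truncated: {nbits} bits wanted at bit {self.pos}")
        value = 0
        while nbits:
            off = self.pos & 7                 # bit offset inside the current byte
            take = min(8 - off, nbits)         # bits available in this byte
            nbits -= take
            chunk = (self.data[self.pos >> 3] >> off) & ((1 << take) - 1)
            value |= chunk << nbits            # earlier chunks are more significant
            self.pos += take
        return value

    def align(self):                           # no-op when already on a byte boundary
        self.pos = (self.pos + 7) & ~7

    def fourcc(self) -> str:
        return self.read(32).to_bytes(4, "big").strip(b"\0").decode("ascii", "replace")

    def raw(self, nbytes: int) -> bytes:
        return self.read(nbytes * 8).to_bytes(nbytes, "big")


def parse_proof_request(data: bytes) -> dict:
    """Field widths follow Authentication_ProofRequest in the post."""
    r = BitReader(data)
    pkt = {"id": r.read(6), "channel": None, "modules": []}
    if r.read(1):                              # hasChannel
        pkt["channel"] = r.read(4)
    for _ in range(r.read(3)):                 # moduleCount
        r.align()
        mod = {"type": r.fourcc(), "locale": r.fourcc(), "module_id": r.raw(32).hex()}
        mod["blob"] = r.raw(r.read(10))        # 10-bit length in bytes, checked by read()
        pkt["modules"].append(mod)
    return pkt


# Constructed sample (not captured traffic): id=2, hasChannel=1, channel=0,
# one module "auth"/"EU" with a dummy 32-byte module id and the 3-byte blob
# 01 02 03. The blob starts 2 bits into a byte, so its bytes look shifted.
SAMPLE = (bytes([0x42, 0x08]) + b"auth" + b"\0\0EU" + bytes(range(32))
          + bytes([0x00, 0x03, 0x40, 0x80, 0x03]))

if __name__ == "__main__":
    print(parse_proof_request(SAMPLE))
```

Because every field goes through read(), a capture that is cut short or carries an oversized length raises ValueError instead of being decoded from whatever bits happen to be available.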

  6. #6
    doityourself's Avatar ★ Elder ★
    Your implementation from the docs is the WotLK state, I guess. The current protocol has changes in proofrequest, response and complete, and for the WoW part after that, in all packets of them.

    /edit

    Oh ok, I see you just didn't implement the module data parts.
    Last edited by doityourself; 04-29-2014 at 11:34 AM.

  7. #7
    daCoder's Avatar Sergeant
    Originally Posted by king48488 View Post
    Your implementation from the docs is the WotLK state, I guess. The current protocol has changes in proofrequest, response and complete, and for the WoW part after that, in all packets of them.
    Actually, I could parse everything fine with this code except for auth_complete. So auth_complete seems to have changed, but all the other stuff works fine for the current build. But you are right, the docs were done for WotLK, but it seems like they didn't change the protocol much. I could also find the same module id in an old posting, so maybe it is just a minor change. After further research I found that other projects/persons like tom_rus reversed the auth dll for doing the next steps.

  8. #8
    doityourself's Avatar ★ Elder ★
    Originally Posted by daCoder View Post
    Actually, I could parse everything fine with this code except for auth_complete. So auth_complete seems to have changed, but all the other stuff works fine for the current build. But you are right, the docs were done for WotLK, but it seems like they didn't change the protocol much. I could also find the same module id in an old posting, so maybe it is just a minor change. After further research I found that other projects/persons like tom_rus reversed the auth dll for doing the next steps.
    Yeah, you can parse the modules without problems, but the data blob inside the modules is split into different parts too, like clientChallenge etc.

    btw: I have a whole AuthServer implementation in C# but idk if I should make it public atm :P

    /Edit

    Just made it open source: https://github.com/Arctium/Arctium-WoW
    Last edited by doityourself; 04-29-2014 at 10:57 PM.

  9. #9
    daCoder's Avatar Sergeant
    Originally Posted by king48488 View Post
    Yeah, you can parse the modules without problems, but the data blob inside the modules is split into different parts too, like clientChallenge etc.

    btw: I have a whole AuthServer implementation in C# but idk if I should make it public atm :P

    /Edit

    Just made it open source: https://github.com/Arctium/Arctium-WoW
    Awesome! Thank you very much!

  10. #10
    Natrist's Avatar Member
    Could you guys please document the whole process a little bit? I personally don't know C# and couldn't understand everything you were doing on Arctium.

  11. #11
    doityourself's Avatar ★ Elder ★
    Originally Posted by Natrist View Post
    Could you guys please document the whole process a little bit? I personally don't know C# and couldn't understand everything you were doing on Arctium.
    You know any language like C++? Then you should understand all the stuff. I used really no complex code.

  12. #12
    Natrist's Avatar Member
    Originally Posted by king48488 View Post
    You know any language like C++? Then you should understand all the stuff. I used really no complex code.
    Because I like wasting time reading crap code written in a language I dislike to begin with, through multiple commits of a project I know nothing about, where hard-coded values have no apparent descriptions. I'd rather do it on my own. Thanks for being a douche about it though.

  13. #13
    TOM_RUS's Avatar Legendary
    Originally Posted by Natrist View Post
    I'd rather do it on my own.
    Then do it? Why did you post here calling other ppl douche without doing anything yourself?

  14. #14
    Natrist's Avatar Member
    I already started working on this and didn't get too far yet and wanted someone to document the actual process instead of belittling me and telling me to read their code, since they have it working.
    Now I have a high respect for you and you have greatly helped me start off but really king48488 didn't have to reply to me in the way he did and I do not regret getting back to him the way I did.

  15. #15
    Jadd's Avatar 🐸 Premium Seller
    Originally Posted by Natrist View Post
    I already started working on this and didn't get too far yet and wanted someone to document the actual process instead of belittling me and telling me to read their code, since they have it working.
    Now I have a high respect for you and you have greatly helped me start off but really king48488 didn't have to reply to me in the way he did and I do not regret getting back to him the way I did.
    If you can't understand how the protocol is handled by his code, that's your own problem. It's far from being crap code. I'm sure he would've helped with any particular part you didn't understand.

    How anyone (you) gets offended by being told to read C# code, I will never know.
