Requesting some overwatch information for a small emulator menu

  #1
    BadBoy17 (Private)

    Requesting some overwatch information for a small emulator

    Hello everyone,
    I'm coding a small emulator (let's see how far I can go) for Overwatch to test whether my computer can run the game or not before buying it.
    Does anyone have the IP of Overwatch's server (the one the client connects to after start/login; previously 24.105.10.145:3724)?
    Also, if it isn't much trouble, can anyone with beta access use Wireshark and dump the packets from/to the IP above (NOT *.actual.battle.net/*.battle.net) from client start until you successfully log in? The username/password will be encrypted with SSL, if you're worried about that.
    If anyone knows the encryption of Overwatch, feel free to help.
    Code:
    I just got it "working" like an hour ago or something, so not much is reversed yet :o
    
    1. HELLO PRO CLIENT <-> HELLO PRO SERVER
    2. Some packet <-> Some response (encryption keys, I suppose)
    3. Some packet <-> Some response (JAM? O.o)
    4. Here the server sends a packet and I think the client decrypts it, because on the client I recv invalid bytes which are not what I sent
    Thanks
    Last edited by BadBoy17; 03-20-2016 at 04:00 AM.

  #2
    BadBoy17 (Private)
    I'm stuck with the crypto exchange bullshit. Any help implementing it?
    Last edited by BadBoy17; 03-18-2016 at 11:35 PM.

  #3
    BadBoy17 (Private)
    I don't think I'm asking for much. Is the forum dead or something? Or does no one want to help? :/
    I'm not a complete newbie.. I already reversed the packet structures. I just don't know what to send because I'm not in the beta.
    I've guessed my way so far, but I can't guess an encryption. I tried looking in the client and I think it uses AES 128-bit, but I'm not really sure.
    ANY HELP IS APPRECIATED EVEN IF YOU DON'T SUPPLY CODE, JUST POINT ME IN THE RIGHT DIRECTION

    Oh, and don't mind that IP request, I found 12 servers for Overwatch LOL (although some searching online says it's realmd). It just disconnects me for having an incorrect connectionId in the 2nd packet.
    Last edited by BadBoy17; 03-20-2016 at 04:00 AM.

  #4
    BadBoy17 (Private)
    If anyone knows of/has heard of/has coded anything similar for other Blizzard games, DO GIVE!
    Originally Posted by WiseMan
    pro = prometheus = Overwatch's codename
    Handshake#1: Client sends 'HELLO PRO CLIENT' (hey, I'm pro client)
    Handshake#2: Server sends 'HELLO PRO SERVER' (hey, I'm pro server)
    1. Client generates a SHA-256 hash of something (still not sure what it is).
    2. Client sends that hash to the server. 2x 16 bytes
    3. Server responds with 2 hashes and a byte (official set it to 7)
    4. Client uses a static byte array and hashes it with the 2nd hash from the server and the first generated hash, then rehashes the result with v64 (unknown for now, 64 bytes. IDA doesn't see it being set anywhere; maybe on purpose, to have random bytes from the stack?)
    Code:
      static byte array used:
      *(_QWORD *)(a1 + 104) = 0x3636363636363636i64;
      *(_QWORD *)(a1 + 112) = 0x3636363636363636i64;
      *(_QWORD *)(a1 + 120) = 0x3636363636363636i64;
      *(_QWORD *)(a1 + 128) = 0x3636363636363636i64;
      *(_QWORD *)(a1 + 136) = 0x3636363636363636i64;
      *(_QWORD *)(a1 + 144) = 0x3636363636363636i64;
      *(_QWORD *)(a1 + 152) = 0x3636363636363636i64;
      *(_QWORD *)(a1 + 160) = 0x3636363636363636i64;
      *(_QWORD *)(a1 + 168) = 0x5C5C5C5C5C5C5C5Ci64;
      *(_QWORD *)(a1 + 176) = 0x5C5C5C5C5C5C5C5Ci64;
      *(_QWORD *)(a1 + 184) = 0x5C5C5C5C5C5C5C5Ci64;
      *(_QWORD *)(a1 + 192) = 0x5C5C5C5C5C5C5C5Ci64;
      *(_QWORD *)(a1 + 200) = 0x5C5C5C5C5C5C5C5Ci64;
      *(_QWORD *)(a1 + 208) = 0x5C5C5C5C5C5C5C5Ci64;
      *(_QWORD *)(a1 + 216) = 0x5C5C5C5C5C5C5C5Ci64;
      *(_QWORD *)(a1 + 224) = 0x5C5C5C5C5C5C5C5Ci64;
    5. Client sends that hash to the server.
    6. Server responds with a 32-byte hash.
    7. Client does something with that packet (didn't look at it yet; it doesn't send any packets though).
    8. Server now sends the huge packet that never gets handled by the client because it bugs somewhere, and the content changes O_O
    packet: (don't trust the sizes; it's just how the client reads it)
    Code:
    decimal -> 16 bytes
    ulong -> 8 bytes
    uint -> 4 bytes
    ---------------------------
    // setup needed to run the fragment on its own (using System.IO;)
    var w = new BinaryWriter(new MemoryStream());
    // 2 x (8 x 16-byte decimal) = 256 bytes of zeros
    for (var i = 0; i != 2; ++i)
    {
      w.Write(decimal.Zero);
      w.Write(decimal.Zero);
      w.Write(decimal.Zero);
      w.Write(decimal.Zero);
      w.Write(decimal.Zero);
      w.Write(decimal.Zero);
      w.Write(decimal.Zero);
      w.Write(decimal.Zero);
    }
    // 4 x 8-byte ulong = 32 bytes of zeros
    w.Write(ulong.MinValue);
    w.Write(ulong.MinValue);
    w.Write(ulong.MinValue);
    w.Write(ulong.MinValue);
    // one 4-byte uint
    w.Write(uint.MinValue);
    Edit: it's probably MD5 because the hash is 32 bytes in length.
    Last edited by BadBoy17; 03-23-2016 at 02:48 AM.
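Added example, not code from the thread: the 64-byte runs of 0x36 and 0x5C in the decompiled snippet above are the ipad and opad constants of HMAC (RFC 2104) for a hash with a 64-byte block such as SHA-256, so that step is a keyed MAC rather than a plain hash, and the memcmp mentioned later in the thread is the tag check. The block rebuilds HMAC-SHA256 from the primitive so those constants are visible, cross-checks it against the standard library, and shows the constant-time compare a verifier should use instead of memcmp; the key and message are constructed placeholders, not anything from the game.

```python
import hashlib
import hmac

BLOCK_SIZE = 64                       # SHA-256 block size; HMAC pads the key to one block
IPAD = bytes([0x36]) * BLOCK_SIZE     # the 0x3636... qwords in the decompiled snippet
OPAD = bytes([0x5C]) * BLOCK_SIZE     # the 0x5C5C... qwords in the decompiled snippet


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 built by hand: H((K ^ opad) || H((K ^ ipad) || message))."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()      # over-long keys are hashed first
    key = key.ljust(BLOCK_SIZE, b"\x00")        # then zero-padded to one block
    inner = hashlib.sha256(bytes(k ^ p for k, p in zip(key, IPAD)) + message).digest()
    return hashlib.sha256(bytes(k ^ p for k, p in zip(key, OPAD)) + inner).digest()


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check the hand-built construction against hmac.new from the stdlib."""
    return hmac_sha256(key, message) == hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, received: bytes) -> bool:
    """Verifier side: constant-time compare instead of memcmp, so a mismatch does not
    leak through timing how many leading bytes of the received tag were correct."""
    return hmac.compare_digest(hmac_sha256(key, message), received)


if __name__ == "__main__":
    # constructed sample values; the thread does not say what the real key or data are
    key, msg = b"constructed-sample-key", b"constructed-sample-challenge"
    tag = hmac_sha256(key, msg)
    print(tag.hex(), matches_stdlib(key, msg), verify_tag(key, msg, tag))
```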

  #5
    BadBoy17 (Private)
    Well this is embarrassing... I read memcmp as memcpy.
    As you can see, it compares with the hash received from the server. No wonder it never worked for me... I'm sending the wrong hash (probably patches like what realmd is doing xDD)

    This thread is slowly becoming a dump of my progress...
    P.S.: I'm reversing the pre-beta client. I love the dark UI of the game. If only I could port it to the latest client...
    Last edited by BadBoy17; 03-24-2016 at 09:01 AM.

  #6
    supsnyo (Member)
    I have no clue what you're talking about, but if you can make me play the game, keep doing what you do.

  #7
    Manew (Member)
    Did you make any progress? Sometimes I have access to a friend's account, I have Wireshark and I wish to help you.

  #8
    vvvat (Contributor)
    You found a guy with access, but have you made any progress with doing the emulator?

  #9
    BadBoy17 (Private)
    Originally Posted by Manew View Post
    Did you make any progress? Sometimes I have access to a friend's account, I have Wireshark and I wish to help you.
    Originally Posted by vvvat View Post
    You found a guy with access, but have you made any progress with doing the emulator?
    I paused the emulator development until the open beta (easier to live-reverse the game than looking at a dump).

  #10
    vvvat (Contributor)
    Originally Posted by BadBoy17 View Post
    I paused the emulator development until the open beta (easier to live-reverse the game than looking at a dump).
    Good news, mate. Keep working; I think the emulator will be in demand.

  #11
    Sychotix (Moderator)
    Be careful. Blizzard does serve C&D letters for stuff like this. Best of luck though!

  #12
    vvvat (Contributor)
    Open Beta is live. Don't forget about it.
    Any progress?

  #13
    BadBoy17 (Private)
    Originally Posted by vvvat View Post
    Open Beta is live. Don't forget about it.
    Any progress?
    They added a small anti-debugger and it's causing my PC to BSOD every 3 mins of debugging, so no :c
    And they appear to be reading this forum because they patched my SSL bypass and now it compares the IP as well (I think?) and obviously I can't bypass that because of no debugger.
    Aside from the emulator, I found a way to log/force-send their game packets (and I have some exploits in mind from what's been said on /r/Overwatch).

  #14
    Sychotix (Moderator)
    Originally Posted by BadBoy17 View Post
    They added a small anti-debugger and it's causing my PC to BSOD every 3 mins of debugging, so no :c
    And they appear to be reading this forum because they patched my SSL bypass and now it compares the IP as well (I think?) and obviously I can't bypass that because of no debugger.
    Aside from the emulator, I found a way to log/force-send their game packets (and I have some exploits in mind from what's been said on /r/Overwatch).
    Open up the binary and look for the anti-debugging code before launching it? I believe it isn't that difficult unless it is some custom code within Warden.
