3.3.5 - Streamed Modules

  1. #1
    Tanaris4's Avatar Contributor Authenticator enabled

    3.3.5 - Streamed Modules

    So I've still been trying to figure out what's actually going on during the login process (and am severely crippled since I can't use GDB), but I came across another streamed module during login. It's actually loaded with dlopen and it appears to be some sort of authorization module - there's a lot of crypt functions within.

    Anyone have any idea what this is? (new in 3.3.5?)
    https://tanaris4.com

  2. #2
    andy012345's Avatar Active Member
    Sounds like Battle.net; they stream a bunch of modules (although I only use Windows). The filename is a SHA-256 of the actual mod name, and the mod is packed, although once unpacked you can get the name pretty easily from strings.

    There's a bunch of them streamed on demand for WoW login: Password.dll, SelectGameAccount.dll (I think; I only had multiple accounts on US and I don't play US anymore).

  3. #3
    raistlinthewiz's Avatar Member
    The modules came with the new bnet2 auth system, which is also included in the SC2 beta.

    When a client first initiates a connection and sends its initial auth info, the server sends back module information (PROOFREQUEST). These modules are used by the client in the auth process. When the client gets the module information packet, it first checks whether it has the module downloaded; if not, it'll download it from http://eu.depot.battle.net:1119/ with the filename {sha256encodedmodulename}.auth. (Latest password.dll: http://eu.depot.battle.net:1119/8f52...24962043c.auth) Then the game uses the module's inner functions to create a secure connection between the server and itself (the Password.dll module, for example, implements SRP6). Your game will also cache these modules on your computer to prevent re-downloading (i.e. C:\Users\user\AppData\Local\Blizzard Entertainment\Battle.net\Cache\8f\52\8f52906a2c85b416a595702251570f96d3522f39237603115f2f1ab24962043c).

    I remember older resources (2-3 months ago) still mentioning that the modules are UPX packed; what I believe is that they're no longer packed.

    For one of my projects I need to utilize these modules' functionality but still can't manage it. I'd be happy if someone has managed it and can direct me on it.

  4. #4
    TOM_RUS's Avatar Legendary
    There's a dirty, limited C# Password.dll implementation:
    Paste2: Next Generation Pastebin - Viewing Paste 908904.
    BigInt class used in this example: http://paste2.org/p/908907.
    IDA Database of 8f52906a2c85b416a595702251570f96d3522f39237603115f2f1ab24962043c: http://filebeam.com/1d77156b09440936af215e114bf1c933
    It only supports standard password authentication without authenticators of any kind.
    Resulting session key can be used to decrypt battle.net traffic.

    Example usage:
    Code:
    Password password = new Password();
    password.HandleData(moduleBlob); // data blob from ProofRequest packet
    password.AccountPassword = accountPassword; // your password (a string, not the Password object)
    password.AccountName = account; // your email=account
    password.RequestPassword(); // builds the proof response for the server
    password.HandleData(blob); // data blob from AuthComplete packet
    byte[] sessionKey = password.SessionKey; // session key (64 bytes)
    Last edited by TOM_RUS; 07-09-2010 at 05:52 AM.

  5. #5
    raistlinthewiz's Avatar Member
    TOM_RUS, thanks for your response. First of all, are the current password.dll's still UPX packed? I tried to unpack them with no success.

    Secondly, I'm on the client side and the server sends me ProofRequest; do I still need this line?
    Code:
    password.HandleData(blob); // data blob from AuthComplete packet
    As I guess, I can only read AuthComplete blobs after I send my ProofRequest response.

  6. #6
    TOM_RUS's Avatar Legendary
    Ofc. First you handle the ProofRequest and then the AuthComplete packet...
    Some more code: http://paste2.org/p/908946. Please note that this isn't my code, I only wrote Password.dll implementation.

  7. #7
    raistlinthewiz's Avatar Member
    Thanks, it worked. Now I need to figure out the rest.

  8. #8
    raistlinthewiz's Avatar Member
    Does anybody have an idea about which channel IM conversation traffic flows through? The app channel, or maybe the game channel itself?

  9. #9
    raistlinthewiz's Avatar Member
    TOM_RUS, do you have any idea about what should be next after a successful AuthComplete? In some sample code I see a ListSubscribeRequest (0x0) for wow-channel 0x2. I do receive some packets from the server after the AuthComplete but still haven't figured them out.

  10. #10
    daCoder's Avatar Sergeant
    First of all: Sorry for bumping this old thread again.

    I am currently playing with the BNET login; basically I try to understand the login procedure by reimplementing it.
    My Thread: http://www.ownedcore.com/forums/worl...wow-login.html (BNET Authentication and wow login)

    I recognized this thread, which is using the same moduleid as the actual retail version.
    Code:
    //Authentication_ProofRequest
    Channel: 0
    PacketID: 0x2
    2 Modules
    	n	auth	locale	moduleid	blobsize
    	0 auth EU 0x8f52906a2c85b416a595702251570f96d3522f39237603115f2f1ab24962043cL 2568
    	1 auth EU 0x36b27cd911b33c61730a8b82c8b2495fd16e8024fc3b2dde08861c77a852941cL 4096

    Unfortunately, all links in this thread are dead. Pastebin, filebeam, ...
    It would be great if you, TOM_RUS, or somebody else could reupload the password.dll implementation and the IDA file (I guess it has interesting labels).
    I would really appreciate it.

    daCoder
    My Youtube Videos: https://www.youtube.com/user/daCoderVids
    OpenHack: https://www.ownedcore.com/forums/world-of-warcraft/world-of-warcraft-bots-programs/384086-open-souce-project-wow-1-12-1-a.html
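
Added example, not code from any poster in this thread: it ties the module rows dumped in post #10 to the depot filename and cache layout described in post #3, so you can tell which streamed modules named in a ProofRequest are already on disk. The function names and the `is_cached` callback are hypothetical; the depot host, `.auth` extension and cache root are the ones quoted in post #3.

```python
import re
from pathlib import PureWindowsPath

# Depot host and cache root as quoted in post #3 (assumed still representative).
DEPOT = "http://eu.depot.battle.net:1119/"
CACHE_ROOT = PureWindowsPath(
    r"C:\Users\user\AppData\Local\Blizzard Entertainment\Battle.net\Cache")

# One row of the post #10 dump: n, type, locale, module id, blob size.
ROW = re.compile(r"^\s*(\d+)\s+(\w+)\s+(\w+)\s+0x([0-9a-fA-F]+)L?\s+(\d+)\s*$")

# Rows copied from the dump in post #10.
SAMPLE = """\
0 auth EU 0x8f52906a2c85b416a595702251570f96d3522f39237603115f2f1ab24962043cL 2568
1 auth EU 0x36b27cd911b33c61730a8b82c8b2495fd16e8024fc3b2dde08861c77a852941cL 4096
"""

def normalize_id(hex_digits):
    """Return a module id as 64 lowercase hex characters (32 bytes)."""
    h = hex_digits.lower()
    if len(h) > 64:
        raise ValueError("module id is longer than a SHA-256 digest")
    return h.zfill(64)  # printing the id as an integer drops leading zeros

def parse_modules(dump):
    """Parse dump rows into dicts; lines that are not module rows are skipped."""
    mods = []
    for line in dump.splitlines():
        m = ROW.match(line)
        if m:
            n, kind, locale, mid, size = m.groups()
            mods.append({"n": int(n), "kind": kind, "locale": locale,
                         "id": normalize_id(mid), "blobsize": int(size)})
    return mods

def depot_url(mod):
    return DEPOT + mod["id"] + ".auth"

def cache_path(mod):
    # Cache\<first byte>\<second byte>\<full id>, as in the path from post #3.
    return CACHE_ROOT / mod["id"][:2] / mod["id"][2:4] / mod["id"]

def missing_modules(mods, is_cached):
    """Modules the client would have to fetch; the caller supplies is_cached(path)."""
    return [m for m in mods if not is_cached(cache_path(m))]

if __name__ == "__main__":
    for m in parse_modules(SAMPLE):
        print(m["n"], depot_url(m), cache_path(m), sep="\n  ")
```

The zero-padding matters because the dump prints each id as an integer (note the trailing `L`), so an id whose first byte is below 0x10 would otherwise map to the wrong cache directory.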
