0x4B SID_EXTRAWORK #72
Comments
This can be tested with the latest commit (1065063).

```lua
--api.client_requiredwork(account.name, "IX86ExtraWork.mpq")
--DEBUG(string.format("Received EXTRAWORK packet with GameType: %d and Length: %d (%s)", gametype, length, data))
```

or another line if the file was cached in
The client won't load the dll because it requires the mpq file to be signed.
I can't find original
A bypass will require client modifications and creating the signature will require a certain private RSA key.
Yes, I think it is possible to disable signature check (or add own) using game loader or a launcher.
An addition that may be interesting. I found this chunk in Starcraft.
It may mean that the gametype enumeration sequence is wrong on bnetdocs. It should be:
You can create weak signature now by using the private key. I've committed this:
@tesseract2048 could you please give a simple example how to sign MPQ using StormLib?
Judging by the commit, you call SFileAllocateWeakSignature(HANDLE hMpq), reopen archive and then SFileSignArchiveWeak(HANDLE hMpq)
Thank you @tesseract2048 for informing us, I was about to put together some resources to crack the private key (which would probably take months).
Actually you can get it done within a week in a small cluster (~300 cores) with CADO-NFS.
I don't have that many resources available to use, so it would have been months for me
@tesseract2048 can maps from Starcraft or Warcraft 3 be signed the same way? And I want to clarify your information. What is the key that you provide here, can it be used to sign MPQ, or do we still need a cluster to find a working key?
@HarpyWar About signing maps, it depends. I'm almost sure that you can sign StarCraft maps with this but I think WarCraft 3 uses the Blizzard Strong Digital Signature RSA private/public key pair for more security. I'm going to guess that WarCraft 3 will accept the Blizzard Weak Digital Signature for the ExtraWork module (or else Blizzard would have to make a second copy of the mpq file and sign it every time they want to turn on ExtraWork). If that is true, just send a dll to disable signature verification checks.
@HarpyWar I do think @xboi209's approach is a good one, suppose you can send signed extra work / version check modules to disable map signing verification inside the client.
BTW I think it's a good idea to integrate this feature with PvPGN, for example PvPGN can automatically sign these modules and send them to the client, with only the raw DLLs provided manually.
@tesseract2048 That'd be a great feature to have, we just need to make sure that the signing and mpq manipulation is cross compatible between operating systems
Great! Can someone write the console program with two usages depending on file extension:
I've checked that StarCraft and WarCraft 3 maps are signed using Blizzard Strong Digital Signature key. We won't be able to sign custom maps.
@tesseract2048 Is it normal for the (listfile) to be deleted when signing a mpq file?
TODO:
@xboi209 I think (listfile) should be deleted by all means, for client does not require it.
https:/HarpyWar/pvpgn/blob/master/src/bnetd/handle_bnet.cpp#L5393
@xboi209 It works fine with Warcraft 3 - data from the DLL is correctly returned to the server! I just compiled your ExtraWork DLL template and signed it with MPQSigner, then replaced the resulting MPQ file in my server files directory.
That's strange, I recompiled the code and I got the same error which didn't happen before.
Any news how to suppress that error?
No, I don't know the cause of the error but I tried removing all the unnecessary code in the function and the client still crashes, so knowing the return value of LoadLibrary should help.
Is that relevant to differences between versions of battle.net client library?
@tesseract2048 the same error occurred in Starcraft and Diablo 2 with the official DLL from Battle.net that I found on the internet (link in the first message of the topic). But I can't find the original MPQ - only the DLL, so it was signed with your library using MPQSigner.
Code above worked for me, to be more specific:
So
Here is a wild idea: can this packet be pushed in the connecting to server stage and make W3 patch itself instead of using w3lh loader?
That might actually be possible. Client will start the logon sequence using SID_AUTHINFO and instead of immediately replying back to that packet, we could try sending ExtraWork to disable server signature verification before replying.
If someone has time, try to push AlertBox before the logon sequence and see what happens.
For what purpose?
I guess to see if the game accepts packets out of the blue like this.
I have added
I don't think that's an acceptable place to put it (for clean code). I would suggest placing it in
Check your bncache.dat file to see if your client downloaded IX86ExtraWork.mpq.
This is just for testing purpose so position is far from final. I'll check it out.
Ok, I tried to put it where you recommended but EXTRAWORK is never sent from the client. Then I tried to put it on channel join just for a sanity check and it worked:
It seems that client does not react to REQUIREWORK in early stage but more testing is probably needed.
After the server → client SID_REQUIREDWORK packet is sent, the client should download the mpq file and then call the ExtraWork function from the dll inside the mpq, sending the output of the function back in the client → server SID_EXTRAWORK packet.

I found two different versions of IX86ExtraWork.dll from official Battle.net and added one of them into IX86ExtraWork.mpq using MpqEditor. This file is correctly received by a game client (I tried Diablo 2, Warcraft 3 and Starcraft), but then nothing happened (no response from the client). I even created my own dll that shows a messagebox, but it doesn't work either. You can try it yourself: ExtraWorkTest.zip

Code for ExtraWork.exe was taken from here: