- Battle.net 2 Packet Research:
- Data stream is a bit-based protocol. Reading and writing functions as in the following example:
- For data: 0x40 0x01
- As binary: 01000000 00000001
- If you were to read the first 11 bits, it would be done like so:
- 01000000 #####001 - resulting in 0x201.
- If you were to read 6 bits, 1 bit, and then 4 bits, it would be:
- ##000000 ########
- #1###### ########
- 0####### #####001
- Resulting in 0, 1, and 1.
- As you can see, bits are read left to right across bytes, but the bits that are read begin counting from the right end of the byte.
- Some fields align to the byte border before being read or written, skipping the remaining bits in a byte (if any). These are mostly strings and byte arrays.
- Types:
- Packets contain multiple types, which alter the way the above system works in the following way: a single type spans an entire section of bits, ignoring byte organization until after the type is complete.
- Example:
- Read 32 bit DWORD from 0x40 0x00 0x00 0x0A 0x66 0x02, starting after the 11 bit header:
- As binary: 01000000 00000000 00000000 00001010 01100110 00000010
- Correctly: ######## RRRRR### RRRRRRRR RRRRRRRR RRRRRRRR #####RRR - all R bits are read and squished together to form 00000000 00000000 01010011 00110010, aka the string "..S2" [.=null byte].
- Incorrect: ######## 11111### 22222111 33333222 44444333 #####444 - You might think to read an array of bytes byte by byte, but this is incorrect and gives you a completely wrong set: 00000000 00000010 00001110 01100010.
- So remember, these types are extremely important to be read in full, and not as multiples of bytes.
- Type List:
- (BOOLEAN): a single bit, 1 = true, 0 = false
- (DWORD): 32 bit value containing 4 characters. Also called a FourCC value in some docs. Values less than 4 characters are preceded by null characters as in the case of the Starcraft 2 product ID: 0x00005332 [..S2 (see above)]
- (INT:#): a custom length integer. As BNet2 is a bit-based protocol, there are no longer only BYTEs, WORDs, DWORDs, and QWORDs. The lengths can literally be anything from a bit onward.
- (STRING): These are preceded by a length value of some sort in the packet structure, and are often aligned to the byte border.
- (NTSTRING): Unconfirmed at the moment, but strings with a null terminator can be seen in packets, though more research is needed to see if reading will actually rely on the null terminator. These are also often aligned to the byte border.
- (BYTE[#]): A byte array of varying length (described in packet structure). Sometimes aligned to the byte border.
- |: Means that the item is aligned to the byte border.
- Note: Some values have a [minus] or [plus], which means that the actual value is the given value minus or plus the listed offset. Usually, you will subtract a value that says minus on outgoing packets, and add a value that says minus on incoming packets (think about it, it makes sense).
- Packet Documentation:
- Packet headers are 7 or 11 bits:
- 6 bit Packet ID
- 1 bit Channel Boolean
- > 4 bit Channel ID (Optional)
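A reader for the bit stream described above, written here as an added example (not code from the original paste or from Blizzard); it assumes the 4-bit Channel ID follows only when the Channel Boolean is set, and it checks its bounds before every read, which a parser for packets taken off the wire should always do.

```python
# Added example, not from the original paste: a reader for the bit stream above.
# Reads take bits from the low end of the current byte; when a read crosses a byte
# boundary the earlier chunk becomes the high bits (0x40 0x01 read as 11 bits = 0x201).
class BitReader:
    def __init__(self, data: bytes):
        self.data = data
        self.pos = 0  # absolute bit position: pos // 8 = byte, pos % 8 = bits consumed

    def read_bits(self, n: int) -> int:
        """Read an (INT:n) field, refusing to run past the buffer (untrusted input)."""
        if n < 0 or self.pos + n > len(self.data) * 8:
            raise ValueError("read past end of packet")
        value = 0
        while n > 0:
            offset = self.pos & 7                      # bits already used in this byte
            take = min(n, 8 - offset)                  # rest of this byte, or what is left
            chunk = (self.data[self.pos >> 3] >> offset) & ((1 << take) - 1)
            value = (value << take) | chunk            # earlier chunk = higher bits
            self.pos += take
            n -= take
        return value

    def read_bool(self) -> bool:
        return self.read_bits(1) == 1

    def read_dword(self) -> bytes:
        """(DWORD) FourCC, returned as 4 bytes so 0x00005332 reads as '..S2'."""
        return self.read_bits(32).to_bytes(4, "big")

    def align(self) -> None:
        """The '|' marker: skip the rest of the current byte before strings / byte arrays."""
        self.pos = (self.pos + 7) & ~7

def parse_header(r: BitReader) -> tuple:
    """6-bit packet ID, 1-bit channel flag, 4-bit channel ID (assumed present only if the flag is set)."""
    packet_id = r.read_bits(6)
    channel = r.read_bits(4) if r.read_bool() else None
    return packet_id, channel

def parse_info_request_product(data: bytes) -> tuple:
    """Header plus the first (DWORD) Product field of CLIENT_AUTH_INFOREQUEST."""
    r = BitReader(data)
    packet_id, channel = parse_header(r)
    return packet_id, channel, r.read_dword()

# Constructed sample: the six bytes used in the DWORD example above.
SAMPLE = bytes([0x40, 0x00, 0x00, 0x0A, 0x66, 0x02])
```

Running parse_info_request_product(SAMPLE) yields packet 0 on channel 0 with Product b"\x00\x00S2", i.e. the 11-bit header followed by the Starcraft 2 product ID.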
- Known packets:
- C > S CLIENT_AUTH_INFOREQUEST [Packet 0, Channel 0]
- (DWORD) Product
- (DWORD) Platform
- (DWORD) Locale
- (INT:6) Components
- For 1 to Components
- (DWORD) Product
- (DWORD) Platform
- (INT:32) Build
- Next
- (BOOLEAN) HasAccountName
- If HasAccountName
- (INT:9) EMail Address Length [minus 3]
- |(STRING) EMail Address (lowercase)
- End If
- S > C CLIENT_AUTH_COMPLETE [Packet 0, Channel 0]
- (BOOLEAN) Failure
- If Failure
- (BOOLEAN) HasOptModule
- If HasOptModule
- |(DWORD) Type
- (DWORD) Locale
- (INT:32) ModuleID
- End If
- (INT:2) Fail Type
- If Fail Type = 1
- (INT:16) ErrorCode
- (INT:32) Unknown [minus 2147483648]
- Else
- UNKNOWN - More Research Needed
- End IF
- Else
- (INT:3) Modules
- For 1 to Modules
- |(DWORD) Type
- (DWORD) Locale
- (INT:32) ModuleID
- (INT:10) BlobSize
- |(BYTE[BlobSize]): Blob
- Next
- (INT:32) PingTimeout [minus 2147483648]
- (BOOLEAN) OptionalSegment
- If OptionalSegment
- (BOOLEAN) Parameters
- If Parameters
- (INT:32) Threshold
- (INT:32) Rate
- End If
- End If
- (INT:8) First Name Length
- |(STRING) First Name
- (INT:8) Last Name Length
- |(STRING) Last Name
- (INT:32) A number...
- (BYTE[10]) Unknown, first byte and last byte are 1, all between are 0.
- (INT:8) String Length
- (STRING) The same number as a string with a # at the end.
- (BYTE[12]) Unknown, again with the 0s...
- End If
- C > S CLIENT_AUTH_PROOFRESPONSE [Packet 2, Channel 0]
- (INT:3) Modules
- For 1 to Modules
- (INT:10) BlobSize
- |(BYTE[BlobSize]): Blob
- Next
- S > C CLIENT_AUTH_PROOFREQUEST [Packet 2, Channel 0]
- (INT:3) Modules
- For 1 to Modules
- |(DWORD) Type
- (DWORD) Locale
- (INT:32) ModuleID
- (INT:10) BlobSize
- |(BYTE[BlobSize]): Blob
- Next
- S > UNKNOWN [Packet 5, Channel 1]
- (INT:5) Unknown (0)
- After this comes the encrypted packets.
- Module Research:
- Modules are downloaded through HTTP using the ModuleID provided by Battle.net packets. The address is http://REALM.depot.battle.net:1119/hexdata.type where REALM is the realm you're on, like us or eu, hexdata is a lowercase hexadecimal display of the ModuleID, and type is the type value (thus far, always "auth").
- These auth modules are standard C++ DLLs with a CreateModule function.
- Before running CreateModule, the following buffer data must be set:
- 0x7A7D7B79: 128-byte SALT value (randomly generated).
- 0x59F8A2FC: E-mail address (lower case).