Uninformed: Informative Information for the Uninformed

Vol 2» 2005.Sept


Battle.net server emulation

Blizzard "declared war" on the programmers of servers that implement the Battle.net protocol some time ago when they took the developers of bnetd to court. As of Warcraft III, they have also taken active technical measures to make life difficult for developers of third-party Battle.net-compatible servers. Two of these measures are of particular note:

During the Warcraft III Expansion beta test, Blizzard implemented an encryption scheme for the Battle.net protocol (this was only used during the beta test and not on production Battle.net). It consisted of using the RC4 stream cipher to encrypt messages sent to and received from the server. The tricky part was that Blizzard had hardcoded constants that were fed through the cipher (advancing its state) but never actually sent on the wire, and these constants were different for each message. This made implementing a server difficult, as one had to recover each magic constant in order to keep the cipher state in sync with the client. Unfortunately, Blizzard neglected to consider the possibility of someone releasing a hacked version of the client that zeroed the RC4 initialization parameters, such that the entire encrypted stream became plaintext.
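The following is an added example that is not code from the article, from Blizzard, or from bnetd. It models the state-synchronisation problem described above: both peers push a per-message secret constant through RC4 and discard the output before encrypting the real payload, so an emulator that does not know the constant for a given message id desynchronises from the client. The constants, the session key, the message ids and the packet layout (one plaintext id byte followed by the encrypted body) are all constructed for illustration, and the hacked client that zeroed the cipher is not modelled.

```python
# Added example; not code from Uninformed, Blizzard, Warcraft III or bnetd.
# Models a scheme in which each message id has a hidden constant that both
# peers mix into the RC4 state but never transmit.  Constants, key and
# packet layout below are constructed for illustration.


class RC4:
    """Textbook RC4: key-scheduling in __init__, keystream generation in crypt()."""

    def __init__(self, key: bytes):
        s = list(range(256))
        j = 0
        for i in range(256):
            j = (j + s[i] + key[i % len(key)]) & 0xFF
            s[i], s[j] = s[j], s[i]
        self.s, self.i, self.j = s, 0, 0

    def crypt(self, data: bytes) -> bytes:
        # XOR with keystream; the same call encrypts and decrypts.
        s, i, j = self.s, self.i, self.j
        out = bytearray()
        for b in data:
            i = (i + 1) & 0xFF
            j = (j + s[i]) & 0xFF
            s[i], s[j] = s[j], s[i]
            out.append(b ^ s[(s[i] + s[j]) & 0xFF])
        self.i, self.j = i, j
        return bytes(out)


# Hypothetical per-message constants hardcoded in client and server binaries.
# They never appear on the wire; their only effect is to advance the state.
MAGIC = {
    0x01: bytes.fromhex("1337c0de"),
    0x02: bytes.fromhex("deadbeef42"),
}
SESSION_KEY = b"constructed-session-key"  # assumed to be agreed elsewhere
BODIES = [b"first message from the client", b"second message"]


def seal(cipher: RC4, msg_id: int, body: bytes) -> bytes:
    """Sender: absorb the hidden constant, then encrypt the body."""
    cipher.crypt(MAGIC[msg_id])  # output discarded, never sent
    return bytes([msg_id]) + cipher.crypt(body)


def unseal(cipher: RC4, packet: bytes, known_magic: dict) -> bytes:
    """Receiver: absorb whatever constant it knows for this id, then decrypt.
    A receiver missing the constant advances its state differently and
    recovers garbage for this and every later message."""
    msg_id = packet[0]
    cipher.crypt(known_magic.get(msg_id, b""))
    return cipher.crypt(packet[1:])


def run_exchange(known_magic: dict) -> list:
    """Genuine client sends BODIES as ids 0x01 and 0x02; the receiver decrypts
    with the constants it knows.  Returns the recovered bodies."""
    client = RC4(SESSION_KEY)
    receiver = RC4(SESSION_KEY)
    packets = [seal(client, 0x01, BODIES[0]), seal(client, 0x02, BODIES[1])]
    return [unseal(receiver, p, known_magic) for p in packets]


if __name__ == "__main__":
    print("genuine server    :", run_exchange(MAGIC))
    print("emulator, no magic:", run_exchange({}))
    print("emulator, one only:", run_exchange({0x01: MAGIC[0x01]}))
```

Running it shows that an emulator which has recovered only the constant for message 0x01 decodes the first message correctly and then loses sync on the second, which is why every constant had to be found before a server could be completed.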

After several patches, Blizzard implemented a scheme by which a Warcraft III client could verify that it was indeed connecting to a genuine Blizzard Battle.net server. This scheme worked by having the Battle.net server sign its IP address and send the resulting signature to the client, which would refuse to log on if the server's IP address did not match the signed data. However, in the original implementation, the game client only checked the first four bytes of the signed data (the IP address) and did not validate the remaining 124 bytes of the 128-byte block, which are normally zero. This makes it easy to brute-force a signature that verifies as any desired IP address without the private key: since only 32 bits of the recovered block are ever compared, roughly 2^32 candidate signatures suffice to find one whose recovered block begins with the target address.
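The following is an added example that is not code from the article, from Blizzard, or from bnetd. It implements the flawed check beside the correct one and the brute force it permits: a client that compares only the first four bytes of the block recovered from the signature accepts any value s for which s^e mod n begins with the wanted address, and such an s can be found from the public key alone by trying candidates. The key (built from two Mersenne primes), the little-endian encoding of the signed block, and its length (which follows the toy modulus instead of being 128 bytes) are assumptions made so that the demonstration runs offline in seconds; the real four-byte check costs an expected 2^32 trials, so the demonstration and test search a two-byte prefix.

```python
# Added example; not code from Uninformed, Blizzard, Warcraft III or bnetd.
# Textbook RSA is used in place of whatever padding the real scheme had;
# key material, byte order and block length are assumptions.
import ipaddress

# Constructed toy key from Mersenne primes 2^89-1 and 2^107-1 (~196-bit modulus).
P = (1 << 89) - 1
Q = (1 << 107) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))       # modular inverse, Python 3.8+
BLOCK_LEN = (N.bit_length() + 7) // 8    # 25 bytes here, 128 in the real scheme


def signed_block(ip: str) -> bytes:
    """Block the genuine server signs: the IPv4 address, then zero padding."""
    return ipaddress.IPv4Address(ip).packed + b"\x00" * (BLOCK_LEN - 4)


def sign(ip: str) -> int:
    """Genuine server: RSA signature over the zero-padded block."""
    m = int.from_bytes(signed_block(ip), "little")
    return pow(m, D, N)


def recover(sig: int) -> bytes:
    """Client side: undo the signature with the public key."""
    return pow(sig, E, N).to_bytes(BLOCK_LEN, "little")


def verify_lax(sig: int, expected_ip: str, checked: int = 4) -> bool:
    """The original client's flaw: only the first `checked` bytes are compared."""
    return recover(sig)[:checked] == signed_block(expected_ip)[:checked]


def verify_strict(sig: int, expected_ip: str) -> bool:
    """What the client should do: compare the whole padded block."""
    return recover(sig) == signed_block(expected_ip)


def forge(target_ip: str, checked: int = 4, max_trials: int = 1 << 24):
    """Brute force with no private key: try candidate values of s until
    s^e mod n starts with the target bytes.  Expected cost is 256**checked
    trials, i.e. 2^32 for the client's real four-byte check."""
    want = signed_block(target_ip)[:checked]
    for s in range(2, 2 + max_trials):
        if pow(s, E, N).to_bytes(BLOCK_LEN, "little")[:checked] == want:
            return s
    return None


if __name__ == "__main__":
    ip = "10.0.0.1"
    real = sign(ip)
    print("genuine: lax", verify_lax(real, ip), "strict", verify_strict(real, ip))
    # Two checked bytes (2^16 expected trials) so this finishes quickly;
    # the real flaw is checked=4, an expected 2^32 trials.
    fake = forge(ip, checked=2)
    print("forged : lax", verify_lax(fake, ip, checked=2), "strict", verify_strict(fake, ip))
```

The strict check fails the forgery because the 124 (here 21) padding bytes of the recovered block are effectively random; checking the whole block is what makes a 2^32 search useless against the scheme.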