TrinityCore
darki73

6.x password hash generation


So I guess it is pretty obvious what I am going to ask =)

Problem is, previously we could just sha1 username and password separated by colon and here is the sha_pass_hash.

The problem I am facing right now is that according to https://github.com/TrinityCore/TrinityCore/blob/86b98686a95e23247ecb774fb23ecd5b8d94b97b/src/server/game/Accounts/BattlenetAccountMgr.cpp#L177 Trinity now uses SHA256, so the hashes do not match anymore. The thing is, password length in database is 40 symbols (exactly as many as in sha1 hash), but sha256 hash length is 64 characters long. I am confused...

I've tried to recreate the whole "Cryptography" thing in PHP but, guess what, failed.

Can somebody explain to me how the password is generated nowadays?

Thank you for your attention. 


There seem to be 2 password hashes generated.
One for the username and pass in auth.account and one for the username and pass in auth.battlenet_accounts.

The latter contains what you look for.

I didn't actually look into the code so no idea if the account table password is used etc.


How did you try generating them? Can you share code?
How did you test your generations?
Did you try generating both of them or only one of them, which one?

It looks to me like both of them are done the same way (with different hashes), except in the bnet one the username is hashed and then hashed with the password.
Also the bnet one will be reversed, which means that instead of being 12345 it is 54321 (the bytes converted to hex will be in reverse order)

All parts (username, password, email) will be converted to uppercase before hashing. (see Utf8ToUpperOnlyLatin function)

 

How it looks to me:
normal hash - make everything uppercase, use sha1 to hash username:password. it should be noted that username is probably the 1#1 string.
bnet hash - make everything uppercase, use sha256 to hash email then use sha256 to hash hashedemail:password and that hash is reversed. Now email is used as the "username".

The C++ code enforces some restrictions like length, characters the emails etc. can contain and so on.

https://github.com/TrinityCore/TrinityCore/blob/86b98686a95e23247ecb774fb23ecd5b8d94b97b/src/server/game/Accounts/AccountMgr.cpp#L387
https://github.com/TrinityCore/TrinityCore/blob/86b98686a95e23247ecb774fb23ecd5b8d94b97b/src/server/game/Accounts/BattlenetAccountMgr.cpp#L177


I am checking against hashes which are made by the worldserver application.

I've managed to get the hash for battlenet_accounts with the following function

strtoupper(bin2hex(strrev(hex2bin(strtoupper(hash("sha256",strtoupper(hash("sha256", strtoupper($username)).":".strtoupper($password))))))));

Now I have some thoughts about the account table... Will share if I succeed

 


Well... I pretended that I am really stupid (well, it seems that actually I am) and tried to simply use the username column from the account database... It worked, hash for the account database is the 

$username = '1#1';
echo sha1(strtoupper($username . ':' . $password));

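The two schemes worked out in the posts above, side by side, as an added example that is not part of the original posts or of TrinityCore's code. It is a Python port of the PHP expressions in the thread; the function names and sample credentials are made up here, and ASCII-only input is assumed.

```python
import hashlib
import hmac


def _upper(text: str) -> bytes:
    # bytes.upper() changes ASCII letters only, like PHP 8's strtoupper();
    # ASCII-only input is an assumption of this example.
    return text.encode("utf-8").upper()


def reverse_hex(hex_digest: str) -> str:
    """Reverse the byte order of a hex string: '0A1B2C' -> '2C1B0A'."""
    return bytes.fromhex(hex_digest)[::-1].hex().upper()


def account_hash(username: str, password: str) -> str:
    """auth.account: SHA-1 over UPPER(username:password), 40 hex chars.
    PHP's sha1() prints lowercase hex; only the letter case differs."""
    data = _upper(username) + b":" + _upper(password)
    return hashlib.sha1(data).hexdigest().upper()


def bnet_hash(email: str, password: str) -> str:
    """auth.battlenet_accounts: SHA-256 over UPPER(hex(SHA-256(UPPER(email))))
    + ':' + UPPER(password), digest bytes reversed, 64 hex chars."""
    inner = hashlib.sha256(_upper(email)).hexdigest().upper().encode("ascii")
    outer = hashlib.sha256(inner + b":" + _upper(password)).hexdigest()
    return reverse_hex(outer)


def matches(stored_hex: str, computed_hex: str) -> bool:
    """Case-insensitive, constant-time comparison of two hex digests."""
    stored = stored_hex.strip().upper().encode("ascii")
    return hmac.compare_digest(stored, computed_hex.upper().encode("ascii"))


if __name__ == "__main__":
    # Constructed sample credentials, not taken from any real database.
    acct = account_hash("1#1", "Secret123")
    bnet = bnet_hash("player@example.com", "Secret123")
    print(len(acct), acct)  # 40 hex characters (SHA-1)
    print(len(bnet), bnet)  # 64 hex characters (SHA-256, bytes reversed)
```

The 40-character column holds the SHA-1 account hash and the 64-character value belongs to battlenet_accounts, which is the length mismatch raised in the first post.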
On 05/01/2017 at 11:36 AM, darki73 said:

I am checking against hashes which are made by the worldserver application.

I've managed to get the hash for battlenet_accounts with the following function

strtoupper(bin2hex(strrev(hex2bin(strtoupper(hash("sha256",strtoupper(hash("sha256", strtoupper($username)).":".strtoupper($password))))))));

Now I have some thoughts about the account table... Will share if I succeed

 

On 05/01/2017 at 11:43 AM, darki73 said:

Well... I pretended that I am really stupid (well, it seems that actually I am) and tried to simply use the username column from the account database... It worked, hash for the account database is the 

$username = '1#1';
echo sha1(strtoupper($username . ':' . $password));

Thanks, now I can create a web app to create accounts. I'll share it later!

 
