TrinityCore

6.x password hash generation


darki73

So I guess it is pretty obvious what I am going to ask =)

The problem is, previously we could just sha1 the username and password separated by a colon, and that was the sha_pass_hash.

The problem I am facing right now is that, according to https://github.com/TrinityCore/TrinityCore/blob/86b98686a95e23247ecb774fb23ecd5b8d94b97b/src/server/game/Accounts/BattlenetAccountMgr.cpp#L177, Trinity now uses SHA256, so the hashes do not match anymore. The thing is, the password length in the database is 40 symbols (exactly as many as in a sha1 hash), but a sha256 hash is 64 characters long. I am confused...

I've tried to recreate the whole "Cryptography" thing in PHP but, guess what, failed.

Can somebody explain to me how the password is generated nowadays?

Thank you for your attention. 


There seem to be 2 password hashes generated.
One for the username and pass in auth.account and one for the username and pass in auth.battlenet_accounts.

The latter contains what you look for.

I didn't actually look into the code, so no idea if the account table password is used etc.


How did you try generating them? Can you share code?
How did you test your generations?
Did you try generating both of them or only one of them, which one?

It looks to me like both of them are done the same way (with different hashes), except in the bnet one the username is hashed and then hashed with the password.
Also the bnet one will be reversed, which means that instead of being 12345 it is 54321 (the bytes converted to hex will be in reverse order)

All parts (username, password, email) will be converted to uppercase before hashing. (see Utf8ToUpperOnlyLatin function)

 

How it looks to me:
normal hash - make everything uppercase, use sha1 to hash username:password. It should be noted that username is probably the 1#1 string.
bnet hash - make everything uppercase, use sha256 to hash email, then use sha256 to hash hashedemail:password, and that hash is reversed. Now email is used as the "username".

The C++ code enforces some restrictions like length, the characters the emails etc. can contain, and so on.

https://github.com/TrinityCore/TrinityCore/blob/86b98686a95e23247ecb774fb23ecd5b8d94b97b/src/server/game/Accounts/AccountMgr.cpp#L387
https://github.com/TrinityCore/TrinityCore/blob/86b98686a95e23247ecb774fb23ecd5b8d94b97b/src/server/game/Accounts/BattlenetAccountMgr.cpp#L177


I am checking against hashes which are made by the worldserver application.

I've managed to get the hash for battlenet_accounts with the following function

strtoupper(bin2hex(strrev(hex2bin(strtoupper(hash("sha256",strtoupper(hash("sha256", strtoupper($username)).":".strtoupper($password))))))));

Now I have some thoughts about the account table... Will share if I succeed

 


Well... I pretended that I am really stupid (well, it seems that actually I am) and tried to simply use the username column from the account database... It worked, the hash for the account database is the

$username = '1#1';
echo sha1(strtoupper($username . ':' . $password));

  • 10 months later...
On 05/01/2017 at 11:36 AM, darki73 said:

I am checking against hashes which are made by the worldserver application.

I've managed to get the hash for battlenet_accounts with the following function

strtoupper(bin2hex(strrev(hex2bin(strtoupper(hash("sha256",strtoupper(hash("sha256", strtoupper($username)).":".strtoupper($password))))))));

Now I have some thoughts about the account table... Will share if I succeed

 

On 05/01/2017 at 11:43 AM, darki73 said:

Well... I pretended that I am really stupid (well, it seems that actually I am) and tried to simply use the username column from the account database... It worked, the hash for the account database is the

$username = '1#1';
echo sha1(strtoupper($username . ':' . $password));

Thanks, now I can create a web app to create accounts. I'll share it later!

 


  • 3 years later...

Hey guys. I'm trying to create a web application in Python with Flask for this core, but I can't figure out exactly how creating the hash in the battlenet_accounts table works. If someone could help, that would be nice. I'm following this piece of code to make it:

strtoupper(bin2hex(strrev(hex2bin(strtoupper(hash("sha256",strtoupper(hash("sha256", strtoupper($username)).":".strtoupper($password))))))));

my python code:

import hashlib

username = "admin"
password = "admin"
# To uppercase
username = username.upper()
password = password.upper()
# username to hash
username = hashlib.sha256(username.encode('utf-8'))
username = username.hexdigest()
# combine username(hash) with password and convert to uppercase
username_password = str((username + ":" + password).upper())
# hash username and password and convert to uppercase
username_password = hashlib.sha256(username_password.encode('utf-8'))
username_password = str(username_password.hexdigest()).upper()
# convert hex to bin
username_password = "{0:08b}".format(int(username_password, 16))
# rev string
username_password = str(username_password[::-1])
# convert bin to hex
username_password = '%08X' % int(username_password, 2)
# string to uppercase
username_password = str(username_password.upper())
print(username_password)

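A Python port of the two PHP expressions quoted in this thread, added here as an example (it is not code from the thread's posters or from TrinityCore). It assumes ASCII-only credentials; the function names and sample values are made up for illustration. `reverse_bits_as_posted` mirrors the bit-string reversal from the Python post above, to show how it differs from the byte-wise `strrev` in the PHP version.

```python
import hashlib


def _upper_ascii(value: str) -> str:
    # Assumption: ASCII-only credentials. The thread says the server uppercases
    # with Utf8ToUpperOnlyLatin; str.upper() may differ for other characters.
    if not value.isascii():
        raise ValueError("non-ASCII input: uppercase rules may not match the server")
    return value.upper()


def account_hash(username: str, password: str) -> str:
    """auth.account form from the thread: sha1(UPPER(username:password)), 40 hex chars."""
    data = _upper_ascii(f"{username}:{password}")
    # PHP's sha1() returns lowercase hex; hexdigest() does the same.
    return hashlib.sha1(data.encode("utf-8")).hexdigest()


def reverse_bytes_hex(hex_string: str) -> str:
    """Equivalent of PHP bin2hex(strrev(hex2bin($h))): reverse whole bytes."""
    return bytes.fromhex(hex_string)[::-1].hex().upper()


def reverse_bits_as_posted(hex_string: str) -> str:
    """The bit-string reversal from the Python post, kept for comparison only."""
    bits = "{0:08b}".format(int(hex_string, 16))  # drops leading zero bits
    return "%08X" % int(bits[::-1], 2)


def bnet_hash(email: str, password: str) -> str:
    """auth.battlenet_accounts form: byte-reversed sha256(UPPERHEX(sha256(EMAIL)):PASSWORD)."""
    email_hex = hashlib.sha256(_upper_ascii(email).encode("utf-8")).hexdigest().upper()
    inner = f"{email_hex}:{_upper_ascii(password)}"
    return reverse_bytes_hex(hashlib.sha256(inner.encode("utf-8")).hexdigest())


if __name__ == "__main__":
    # Constructed sample credentials, not real account data.
    print(account_hash("1#1", "admin"))
    print(bnet_hash("admin@example.com", "admin"))
    # Byte reversal vs. bit reversal on a constructed two-byte value:
    print(reverse_bytes_hex("0102"), reverse_bits_as_posted("0102"))
```

Both results depend only on the credentials, with no salt, so identical credentials always produce identical stored values.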
