BNETDocs
CheckRevision

CheckRevision is a module sent by the server during the logon process. The purpose of CheckRevision is to ensure that only official, unmodified Battle.net clients are connecting to Battle.net servers.

Procedure

In all versions of CheckRevision, the following procedure is used to obtain CheckRevision and run it to return some values to the server:

  1. The client sends the server its platform ID, product ID, and version byte via C>S 0x06 SID_STARTVERSIONING or C>S 0x50 SID_AUTH_INFO.

  2. The server will then determine which CheckRevision to serve the client and then send the appropriate filename and filetime of the CheckRevision MPQ and a formula for the CheckRevision function via S>C 0x06 SID_STARTVERSIONING or S>C 0x50 SID_AUTH_INFO.

  3. The client checks bncache for CheckRevision. If CheckRevision is not found in bncache, the client initiates a BNFTPv1 connection to download CheckRevision.

  4. The client verifies that the CheckRevision MPQ contains a valid Blizzard Weak Digital Signature. If one is not found, the client immediately closes the connection to the server. It appears that this does not apply for XMAC/PMAC clients.

  5. The client extracts the CheckRevision DLL, whose base filename is the same as the CheckRevision MPQ's base filename (e.g. CheckRevision.mpq contains CheckRevision.dll). Depending on the client and client's version, the client verifies the CheckRevision DLL's signature. If one is not found, the client immediately closes the connection to the server.

  6. The client calls CheckRevision(). If the function returns 0, the client immediately closes the connection to the server.

  7. Information returned from CheckRevision() is sent to the server via C>S 0x07 SID_REPORTVERSION or C>S 0x51 SID_AUTH_CHECK.

CheckRevision() function declaration in C++

extern "C" __declspec(dllexport) std::int32_t __stdcall CheckRevision(const char* filename1, const char* filename2, const char* filename3, const char* formula, std::uint32_t* version, std::uint32_t* checksum, char* exeinfo);

Filenames

Product Files
WarCraft II: Battle.net Edition Warcraft II BNE.exe, storm.dll, battle.snp
StarCraft, StarCraft: Brood War Starcraft.exe, storm.dll, battle.snp
Diablo II, Diablo II: Lord of Destruction Game.exe, Bnclient.dll, D2Client.snp
WarCraft III: Reign of Chaos, WarCraft III: The Frozen Throne War3.exe, storm.dll, Game.dll

* - In the latest versions of these games, these files are packed into the game executables and the other two arguments should be passed as NULL.

Version 1

CheckRevision Filename Format

Initially, the filename format of CheckRevision v1 was $ver#.mpq, where $ is to be replaced with IX86, PMAC, or XMAC and # is to be replaced with a number between 0 and 7. In late 2006, Blizzard modified the format to ver-$-#.mpq. As of today, the only valid # for PMAC and XMAC is 0.

Implementation

The client passes in the formula given by the server and three filenames to CheckRevision(). Via the version, checksum, and exeinfo pointer variables CheckRevision() will return the client's file version, checksum, and a string via pointers in its function parameters, which are then passed to the server. The version is a combination of dwProductVersionMS and dwProductVersionLS from VS_FIXEDFILEINFO. The exeinfo is a space delimited string containing the client's filename, last modified date (mm/dd/yy), last modified time (hh:mm:ss), and client's filesize in bytes.

In May 2016, Blizzard signed the CheckRevision DLLs. Starting from StarCraft 1.17.0 and Diablo II 1.14d, the client will verify the signature of the CheckRevision DLL.

Version 2

CheckRevision Filename Format

CheckRevision v2's filename format is lockdown-IX86-##.mpq for IX86, psistorm-XMAC-##.mpq for XMAC, and psistorm-PMAC-##.mpq for PMAC, where ## is to be replaced with a number between 00 and 19.

Implementation

Battle.net serves IX86 CheckRevision v2 to Diablo I, WarCraft: Battle.net Edition, StarCraft, StarCraft: Brood War, and StarCraft Shareware clients and XMAC and PMAC to Diablo II and Diablo II: Lord of Destruction.

See An Objective Analysis of the Lockdown Protection System for Battle.net.

Version 3

CheckRevision Filename Format

CheckRevision v3's filename format is simply CheckRevision.mpq.

Implementation

Battle.net only serves CheckRevision v3 to Diablo II and Diablo II: Lord of Destruction.

The algorithm behind v3 is much simpler and does not actually require any of the game files, just the full file version of Game.exe (ex: 1.14.3.71). The value for EXE Version is now always 0, and the checksum and EXE info have changed.

The value string sent in S>C 0x50 SID_AUTH_INFO is encoded as Base64. The first 4 bytes of the decoded value are hashed along with the file version of Game.exe and the result is encoded as Base64 and returned to the server in the checksum and EXE info fields in C>S 0x51 SID_AUTH_CHECK.

result = base64(sha1(value, ":" + version + ":", 0x01))

Value is 4 bytes, version is a string, and 0x01 is a byte. The first 4 bytes of the resulting encoded string are sent as the checksum and the rest is sent as the EXE info (with a null terminator). This effectively removes the checksum field and sends the entire hash as the EXE info string.

If calling the CheckRevision() function from the v3 DLL, the calling app's version needs to match the version of Game.exe and have any valid signature.

History

  • March 7, 2019 GOG releases DRTL client, CheckRevision v3 for DRTL seen in use.
  • February 2, 2019 CheckRevision v3 created for DRTL
  • January 4, 2019 Battle.net server reset, CheckRevision v3 seen in use.
  • January 3, 2019 CheckRevision v3 created for D2DV and D2XP
  • May 27, 2016 CheckRevision v1 DLL files signed
  • April 21, 2016 CheckRevision v2 updated for XMAC
  • March 5, 2007 CheckRevision is updated
  • Late 2006 CheckRevision v2 released
  • Late 2006 Checkrevision v1 files are renamed from IX86ver#.mpq to ver-IX86-#.mpq (Where # is replaced with numbers 0 - 7)
| Edited: xboi209
Comments
Davnit

Added information on the new algorithm for v3.