Blizzard Weak Digital Signature

From Liquipedia StarCraft Brood War Wiki

The Blizzard Weak Digital Signature uses RSA to verify the authenticity of files, which helps prevent hackers from executing arbitrary code on a client's computer. Signatures are verified using Microsoft CryptoAPI, which contains an implementation of the RSASSA-PKCS1-v1_5 signature scheme. The signature uses the MD5 hashing algorithm and a 512-bit RSA key. The public key and exponent are stored as resources in Storm.[1] In 2014, the Blizzard Weak Digital Signature private key was factored in a week using CADO-NFS and ~300 cores.[2]

Storage

Signatures are stored in MPQ archives under the name (signature), are uncompressed, and are in little-endian order. The archive is hashed from the beginning to the end of the archive and the signature file is added to the archive before signing. The space occupied by the signature file is considered to be all binary 0's during signing and verification.[1]

Usage in Blizzard Games

The Blizzard Weak Digital Signature is known to be used in classic games for authenticating DLL files sent from servers such as CheckRevision and ExtraWork. Manual patches supplied by Blizzard contain an embedded MPQ archive which is signed with the Blizzard Weak Digital Signature to prevent distribution of unauthorized modifications. It is not known if all Battle.net(v1) compatible games verify digital signatures.

File Structure

00h: int32 Unknown: Must be 0.
04h: int32 Unknown: Must be 0.
08h: int512 Signature: The digital signature.[1]

Verification Using OpenSSL in C++

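   #include <algorithm>
   #include <cstdint>
   #include <cstring>
   #include <openssl/md5.h>
   #include <openssl/objects.h>
   #include <openssl/rsa.h>
   constexpr std::size_t MPQ_WEAK_SIGNATURE_SIZE = 64; // 512-bit RSA signature

   int mpq_verify_weak_signature (RSA* public_key, const unsigned char* signature, const unsigned char* digest)
   {
       // Skip the two zero int32 fields, then reverse: stored little-endian, OpenSSL expects big-endian.
       std::uint8_t reversed_signature[MPQ_WEAK_SIGNATURE_SIZE];
       std::memcpy(reversed_signature, signature + 8, MPQ_WEAK_SIGNATURE_SIZE);
       std::reverse(reversed_signature, reversed_signature + MPQ_WEAK_SIGNATURE_SIZE);
       return RSA_verify(NID_md5, digest, MD5_DIGEST_LENGTH, reversed_signature, MPQ_WEAK_SIGNATURE_SIZE, public_key); // 1 = valid
   }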
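The full check described in Storage and File Structure (zero the signature slot, MD5 the archive, undo the little-endian order, compare the PKCS#1 v1.5 encoding), as an added Python example that is not code from this wiki or from StormLib. All function names are hypothetical, and the key is a constructed demo key (not Blizzard's) used only to build a sample input.

```python
import hashlib

SIG_FILE_SIZE = 72                      # 8-byte zero header + 64-byte signature
MD5_DIGESTINFO = bytes.fromhex("3020300c06082a864886f70d020505000410")

# Constructed demo key, NOT Blizzard's: product of two well-known primes.
P, Q, E = 2**255 - 19, 2**256 - 2**32 - 977, 65537
N = P * Q                               # 511 bits, so signatures fit in 64 bytes
D = pow(E, -1, (P - 1) * (Q - 1))       # only used to build the sample below

def weak_digest(archive: bytes, sig_offset: int) -> bytes:
    """MD5 of the whole archive with the (signature) file treated as zeros."""
    zeroed = bytearray(archive)
    zeroed[sig_offset:sig_offset + SIG_FILE_SIZE] = bytes(SIG_FILE_SIZE)
    return hashlib.md5(zeroed).digest()

def encode_pkcs1_md5(digest: bytes, k: int = 64) -> bytes:
    """EMSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 DigestInfo || digest."""
    t = MD5_DIGESTINFO + digest
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_weak_signature(archive: bytes, sig_offset: int, n: int, e: int) -> bool:
    sig_file = archive[sig_offset:sig_offset + SIG_FILE_SIZE]
    if len(sig_file) != SIG_FILE_SIZE or sig_file[:8] != bytes(8):
        return False                    # both header fields must be 0
    s = int.from_bytes(sig_file[8:], "little")   # stored little-endian
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(64, "big")
    # Compare against a freshly built encoding instead of parsing the padding.
    return em == encode_pkcs1_md5(weak_digest(archive, sig_offset))

def build_sample_archive():
    """Constructed stand-in for an MPQ: payload with a 72-byte signature slot."""
    body = b"MPQ\x1a" + b"constructed sample payload " * 4
    offset = len(body)
    archive = bytearray(body + bytes(SIG_FILE_SIZE) + b"trailing data")
    em = int.from_bytes(encode_pkcs1_md5(weak_digest(bytes(archive), offset)), "big")
    archive[offset + 8:offset + SIG_FILE_SIZE] = pow(em, D, N).to_bytes(64, "little")
    return bytes(archive), offset
```

Rebuilding the expected encoding and comparing it byte for byte avoids the lenient padding parsers that have made PKCS#1 v1.5 verifiers forgeable in the past.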

Public Key

-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJJidwS/uILMBSO5DLGsBFknIXWWjQJe
2kfdfEk3G/j66w4KkhZ1V61Rt4zLaMVCYpDun7FLwRjkMDSepO1q2DcCAwEAAQ==
-----END PUBLIC KEY-----

Private Key

Signing

StormLib provides an API to sign files to add a Blizzard Weak Digital Signature.[3] MPQ Editor and MPQSigner use StormLib to sign files.

References