I think the last thread concluded that it's impossible without the 256 bits key.

end of the story.
Lesson: blizzard owned us....... for the time being...

Okay, hold up. Has someone looked at the beta SWF yet and see if it has something of a key that can be used for Authenticating?

The auth key is the decrypt key right? Or is it something else entirely?

Hmm.. There must be something in the beta files that are encrypted which gets decrypted the same way.

It's amazing how many people just copied what i said about the key.

Anyways, since you guys are so into makin a crack, i'll post what i have found.

Salsa20 R(389) encryption for both mpqe files.
They corrupted the file header and run a crc32 check on file edit.

Memory dumps of the installer are NOT protected but still use a header corruption technique (I wasn't able to circumvent a hc on a memory dump, so this is all i got).

Modifying the authorization code isn't too difficult with the right tools, however, it still requires the 256 bit key for the tome decryption.

Useful tools:

Ollydbg
Phant0m
Peid with crc32 plugin
IDA PRO

IGNORE PEOPLE THAT SAY YOU NEED AN EMULATED SERVER - EVERYTHING EXCEPT THE 256-BIT KEY CAN BE FOUND LOCALLY.


Edit: You might wanna get Kerneldetective for dumping the sc2 installer.

The 256 bit key I believe is retrieved somehow by the Authentication code for sure than. The Authentication Code and the Decryption code are the one and the same. As proof I present that there is no storage space for authentication code, however when you change a jump address from jz to jnz it opens a screen where you manually enter the authentication code, this than goes directly down to a section of code containing hasValidDecryptionKey.

This means that the authentication key is also checked. Then there are 3 characters that are restricted. So that narrows down the decryption key further.

Yeah, it's the auth code. Now all you gotta do is guess a 10 - 20 digit & alphanumerical number.

To darkrei9n, obliviron and other cracking pros:
The chinese cracking group made some progress on this and I'm going to translate what they currently get:
 
1. They also find authentication key and decription key is the same and get to the screen for manaully entering the authentication code. So everything still boils down to getting the salsa20 decription key.
 
2. What they found is that the mpqe file heads are NOT corrupted, and you can get plain text from them. With the plain text known, one can do a XOR with cipher text to get the Hash table.  With a second round of sorting on Hash table you can get decription key. They compare the mpqe file with the beta non-encrypted) ones. For example, the first row in beta mpq is 01 00 03 00. And in retail mpqe it's 01 00 05 00. If you do a XOR of 03 and 05 and use the result to XOR the other mpqe and you get the same result. This shows the key is valid. So we actually know the plain text. However, the second row of mpqe file is messed up so there's 8 bits out of 64 bits plain text missing.
 
3. Now the project is: Attack sala20 cryptography with complete knowledge of ciphertext and about 90% plain text.  Is there any algorithm optimized for computing that?
 
We hope the pros here can help us and share the knowledge and skills. I don't know much about the terminology in cryptography so the translation may be a little hard to understand. But you pros should be able to get it!

...however when you change a   jump address from jz to jnz it opens a screen where you manually enter   the authentication code...

...
1. They also find authentication key and decription key is the same and get to the screen for manaully entering the authentication code. So everything still boils down to getting the salsa20 decription key.
...

To get to that screen(where you manually enter the auth key) you just need to restrict the SC2 installer from accessing the net(or simply unplug your network cable/turn off your modem). Then when you try to install the game you will get an error explaining that you need the authkey from internet. On that error screen when you click on the yellow triangle(with the exclamation mark on it)  in the bottom right corner and it opens the following screen:





No need to modify the exe in any way to get to that screen...

P.S.
Sry for the lame Paint editing just didn't wanted everyone to see the p0rn that I was downloading