Valhalla Legends Archive

Programming => Battle.net Bot Development => Topic started by: brew on August 29, 2007, 07:01 PM

Title: Warden anti-hack is back..
Post by: brew on August 29, 2007, 07:01 PM
The warden! He's back again, with a vengeance! We've really gotta find a way to respond to this packet. Honestly. So let's start from what we DO know.
So far, the packet's payload (37 bytes) is RC4 encrypted with the key made up of 4 DWORDs from various values in the 0x51. Errrr.... This is all we know (pretty much) right now. Isn't anyone interested in finding a way to kill the warden once and for all? Even though the initial topic about it died a while ago?
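Added illustration, not code from this thread or from any Blizzard software: a toy model of the session-bound RC4 keying described above, showing why a shared relay host (the idea l2k-Shadow rules out further down the thread) can only serve the one login whose key it holds. The derivation in `derive_key`, the 37-byte challenge and the token values are constructed assumptions; the thread does not document the real derivation.

```python
import hashlib
from typing import NamedTuple


class Session(NamedTuple):
    """Per-login values a client holds after the 0x51 (SID_AUTH_CHECK) exchange."""
    cdkey_hash: bytes    # constructed stand-in for the client's CD-key hash
    client_token: int    # per-login token chosen by the client
    server_token: int    # per-login token chosen by the server


def derive_key(s: Session) -> bytes:
    """ASSUMED stand-in derivation: hash the CD-key hash together with both tokens.

    The thread says the real key is four DWORDs taken from 0x51 values; this toy
    keeps that idea (key material = CD-key hash + tokens) without claiming to
    reproduce the actual Warden derivation.
    """
    material = (s.cdkey_hash
                + s.client_token.to_bytes(4, "little")
                + s.server_token.to_bytes(4, "little"))
    return hashlib.sha1(material).digest()[:16]


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key scheduling, then PRGA yielding `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call both encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


# Constructed 37-byte "challenge" (the payload size mentioned above); contents are arbitrary.
CHALLENGE = bytes(range(0x10, 0x10 + 37))


def relay_decrypts_correctly(origin: Session, relay: Session) -> bool:
    """Server encrypts for `origin`; a relay host logged in as `relay` tries to read it.

    Returns True only when the relay recovers the exact challenge, i.e. only when
    it holds the same per-login key as the intended recipient.
    """
    on_the_wire = rc4_crypt(derive_key(origin), CHALLENGE)
    return rc4_crypt(derive_key(relay), on_the_wire) == CHALLENGE


def demo() -> dict:
    """Three cases from the thread: same login, same CD key but a new login, other CD key."""
    bot = Session(b"\x11" * 20, client_token=0x0BADF00D, server_token=0x5EED1234)
    same_cdkey_new_login = bot._replace(client_token=0x0BADF00E, server_token=0x5EED1235)
    other_cdkey = bot._replace(cdkey_hash=b"\x22" * 20)
    return {
        "same_login": relay_decrypts_correctly(bot, bot),
        "same_cdkey_new_login": relay_decrypts_correctly(bot, same_cdkey_new_login),
        "different_cdkey": relay_decrypts_correctly(bot, other_cdkey),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:22s} -> relay {'works' if ok else 'fails'}")
```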
Title: Re: Warden anti-hack is back..
Post by: Dale on August 29, 2007, 08:51 PM
http://www.rootkit.com/vault/hoglund/Governor.zip

If anyone hasn't used this or heard of it, it monitors Warden's activity.


EDIT: That's only for WoW.
Title: Re: Warden anti-hack is back..
Post by: GSX on August 29, 2007, 08:56 PM
Uhm, I don't believe that Warden is active on USWest.

I have been logged on for several hours without any problem, but when I connect on East, I get fried.

Nevermind, it's because I haven't reconnected in over 5 days. O_o
Title: Re: Warden anti-hack is back..
Post by: Dale on August 29, 2007, 09:09 PM
Well, I recently got hooked into finding out what warden was all about. From what I've read...

Warden checks:
- Process names.
- Window titles.
- Scans a small portion of code segment.

Warden then takes the scanned strings, hashes them and compares them to the list of hashes known to correspond to programs that induce cheating.

According to something I read up on, Warden does not send information, it only sends a flag.


Quote from: GSX on August 29, 2007, 08:56 PM
Uhm, I don't believe that Warden is active on USWest.

I have been logged on for several hours without any problem, but when I connect on East, I get fried.

Nevermind, it's because I haven't reconnected in over 5 days. O_o


Uh, that must have changed, because I got this.


[9:56:28 PM] Last logon: Thu Aug 30  1:58 AM
[9:56:28 PM] Joined channel Op Council (flags 0x00000000)
[9:56:28 PM] Account created: June 18, 2006 at 08:04:45 PM
[9:56:28 PM] Last logon: August 30, 2007 at 01:58:53 AM
[9:56:28 PM] Last log off: July 7, 2007 at 05:21:06 AM
[9:56:28 PM] Time Logged: 10 days, 9 hours, 30 minutes, 25 seconds.
[10:08:08 PM] You are currently IPBanned on this realm/server.
[10:08:08 PM] BNET ERROR: Connection is aborted due to timeout or other failure [ 10053 ]
[10:08:08 PM] Disconnected from Battle.net.
Title: Re: Warden anti-hack is back..
Post by: iCe on August 29, 2007, 09:14 PM
you get ipbanned now if you dont reply to warden?
Title: Re: Warden anti-hack is back..
Post by: Newby on August 29, 2007, 09:21 PM
10053 = IPBan? As far as I know, the description is there for a reason... and the description is right...
Title: Re: Warden anti-hack is back..
Post by: vuther.de on August 29, 2007, 09:22 PM
He's using daemonchat, and when you get the message 10053 I just do an AddChat saying you were IP'd since that's the message you receive when you get IP'd.
Title: Re: Warden anti-hack is back..
Post by: Dale on August 29, 2007, 09:27 PM
Quote from: inner.de on August 29, 2007, 09:22 PM
He's using daemonchat, and when you get the message 10053 I just do an AddChat saying you were IP'd since that's the message you receive when you get IP'd.

yup

EDIT:
I don't know if this helps at all, but I'm trying.. I received this about 1 minute before being disconnected by warden

0000  00 18 f8 29 19 e9 00 18  f8 3f 4a b4 08 00 45 00   ...).... .?J...E.
0010  00 28 0a 2a 00 00 ff 06  5c 9f 3f f1 53 09 c0 a8   .(.*.... \.?.S...
0020  01 64 17 e0 0e de f1 33  94 94 00 00 00 00 50 04   .d.....3 ......P.
0030  00 00 ae 53 00 00                                  ...S..           
Title: Re: Warden anti-hack is back..
Post by: brew on August 30, 2007, 11:39 AM
Quote from: dlStevens on August 29, 2007, 09:09 PM
According to something I read up on Warden does not send information, it only sends a flag.

Is that so..? Then that flag must be included in the single byte response that the StarCraft client sends to Battle.net. . . All we really have to do is find the appropriate flag to send back, together with the "other" pseudo-random value within that byte. So far we've just tried to find the encryption key for the encrypted packet contents sent TO us; even if we do decrypt it, how useful will this be? While reverse engineering StarCraft, did anyone even attempt to see the decrypted value and/or what it does with that information upon receiving? To be completely honest, I think that the data might be static. Blizzard has been coming up with a lot of good ideas lately, that really have turned out to be completely bad ideas anyways (i.e., dx video buffer for lockdown hashing). So, maybe someone can just work out whatever process is used to get the value of that one single byte (remember, only 256 possibilities) from that decrypted packet's content? Perhaps we can find a way to completely bypass having to decrypt this. Of course, one may argue the contents of this packet are dynamic, which is more likely. You'd never know unless you do it. But who knows, maybe the flag value is OR'd with the first hi byte of an uptime value? Or something equally lame?
Title: Re: Warden anti-hack is back..
Post by: MrRaza on August 30, 2007, 12:49 PM
WHO KNOWS!
Title: Re: Warden anti-hack is back..
Post by: warz on August 30, 2007, 01:17 PM
Why so much guessing? Somebody with so much time to devote to bnet, such as brew, should spend a little bit of that time checking this stuff out in a debugger.
Title: Re: Warden anti-hack is back..
Post by: rabbit on August 30, 2007, 01:23 PM
Or get a girlfriend...
Title: Re: Warden anti-hack is back..
Post by: Dale on August 30, 2007, 03:06 PM
Quote from: rabbit on August 30, 2007, 01:23 PM
Or get a girlfriend...

Was that necessary?..
Title: Re: Warden anti-hack is back..
Post by: vuther.de on August 30, 2007, 03:19 PM
If brew posts in something, rabbit usually posts back in it with a smart remark.
Title: Re: Warden anti-hack is back..
Post by: Dale on August 30, 2007, 03:23 PM
Quote from: inner.de on August 30, 2007, 03:19 PM
If brew posts in something, rabbit usually posts back in it with a smart remark.

Oh, Still a large amount of immature people still here, huh?
Title: Re: Warden anti-hack is back..
Post by: Dale on August 30, 2007, 03:33 PM
Anyway, Back on topic:

MyndFyre emulated WoW's protocol as I recall. I realize the warden isn't the exact same (to my knowledge), but isn't there a reasonable amount that's identical?

EDIT:
Has anyone come across the hashed values that warden uses? If so, can you post them?
Title: Re: Warden anti-hack is back..
Post by: iago on August 30, 2007, 04:05 PM
I don't believe that Mynd ever emulated WoW's Warden implementation.
Title: Re: Warden anti-hack is back..
Post by: MyndFyre on August 30, 2007, 05:10 PM
Nope.  The protocol was OK, but I never created an implementation.  Would have been too much work.
Title: Re: Warden anti-hack is back..
Post by: Dale on August 30, 2007, 08:08 PM
Ah, okay thanks for the clear up.
Title: Re: Warden anti-hack is back..
Post by: Dale on August 30, 2007, 08:20 PM
I don't packet log Battle.Net often, but is it right to be logged on in an empty channel and send the client every ~10 packets just idling?

Quote
0000  00 18 f8 3f 4a b4 00 18  f8 29 19 e9 08 00 45 00   ...?J... .)....E.
0010  00 3c 17 90 40 00 80 06  8e 25 c0 a8 01 64 3f f1   .<..@... .%...d?.
0020  53 09 04 78 17 e0 33 ae  3d 98 9f a0 ab b1 50 18   S..x..3. =.....P.
0030  41 41 a2 6c 00 00 ff 15  14 00 36 38 58 49 52 41   AA.l.... ..68XIRA
0040  54 53 db 0a 00 00 a3 95  d7 46                     TS...... .F     
Title: Re: Warden anti-hack is back..
Post by: brew on August 30, 2007, 08:46 PM
Quote from: dlStevens on August 30, 2007, 08:20 PM
I don't packet log Battle.Net often, but is it right to be logged on in an empty channel and send the client every ~10 packets just idling?

Quote
0000  00 18 f8 3f 4a b4 00 18  f8 29 19 e9 08 00 45 00   ...?J... .)....E.
0010  00 3c 17 90 40 00 80 06  8e 25 c0 a8 01 64 3f f1   .<..@... .%...d?.
0020  53 09 04 78 17 e0 33 ae  3d 98 9f a0 ab b1 50 18   S..x..3. =.....P.
0030  41 41 a2 6c 00 00 ff 15  14 00 36 38 58 49 52 41   AA.l.... ..68XIRA
0040  54 53 db 0a 00 00 a3 95  d7 46                     TS...... .F     
Yes
Title: Re: Warden anti-hack is back..
Post by: Barabajagal on August 30, 2007, 08:53 PM
Packet 0x15... SID_CHECKAD. Sent every 15 seconds by the client. Not always responded to by the server. For bots, it's usually not used, as SID_NULL keeps the connection alive just the same, although some clients (Such as RCB) send SID_CHECKAD instead, so as to emulate the game better.
Title: Re: Warden anti-hack is back..
Post by: Dale on August 31, 2007, 04:36 PM
Ah, okay, I'll keep packet logging and asking questions.. ;D
Title: Re: Warden anti-hack is back..
Post by: Barabajagal on August 31, 2007, 05:30 PM
Aww... my stupid joke is gone :(
Title: Re: Warden anti-hack is back..
Post by: Newby on September 01, 2007, 12:54 AM
Quote from: betawarz on August 30, 2007, 01:17 PM
Somebody with so much time to devote to bnet, such as brew, should spend a little bit of that time checking this stuff out in a debugger.

That requires intelligence and knowledge. Something brew lacks in both aspects. ;)
Title: Re: Warden anti-hack is back..
Post by: brew on September 01, 2007, 09:00 AM
Quote from: Newby on September 01, 2007, 12:54 AM
Quote from: betawarz on August 30, 2007, 01:17 PM
Somebody with so much time to devote to bnet, such as brew, should spend a little bit of that time checking this stuff out in a debugger.
That requires intelligence and knowledge. Something brew lacks in both aspects. ;)
You're sure about that?

Honestly. If you have nothing nice to post, don't post it at all. That comment really didn't help us.
Title: Re: Warden anti-hack is back..
Post by: Dale on September 01, 2007, 11:22 AM
Have you figured out anything new, brew?
Title: Re: Warden anti-hack is back..
Post by: Newby on September 02, 2007, 12:00 AM
Quote from: brew on September 01, 2007, 09:00 AM
You're sure about that?

Honestly. If you have nothing nice to post, don't post it at all. That comment really didn't help us.

Yes. You hung out in #beta long enough that I can say that confidently.
Title: Re: Warden anti-hack is back..
Post by: moh.vze.com on September 02, 2007, 01:48 AM
Quote from: dlStevens on August 30, 2007, 03:06 PM
Quote from: rabbit on August 30, 2007, 01:23 PM
Or get a girlfriend...

Was that necessary?..

:o :o :o :o
Title: Re: Warden anti-hack is back..
Post by: moh.vze.com on September 02, 2007, 01:51 AM
This Warden crap is a conspiracy.
I think B.net hired some [vL] people to put an end to bots and such. As a result, the [vL] guy suggested bnet use this so-called "Warden" to put an end to all of us.

;D
Title: Re: Warden anti-hack is back..
Post by: rabbit on September 02, 2007, 01:53 AM
Either that or you're retarded.
Title: Re: Warden anti-hack is back..
Post by: brew on September 02, 2007, 10:31 AM
Quote from: Newby on September 02, 2007, 12:00 AM
Quote from: brew on September 01, 2007, 09:00 AM
You're sure about that?

Honestly. If you have nothing nice to post, don't post it at all. That comment really didn't help us.

Yes. You hung out in #beta long enough that I can say that confidently.
You don't know me.
Title: Re: Warden anti-hack is back..
Post by: Joe[x86] on September 02, 2007, 01:47 PM
Quote from: brew on September 02, 2007, 10:31 AM
Quote from: Newby on September 02, 2007, 12:00 AM
Quote from: brew on September 01, 2007, 09:00 AM
You're sure about that?

Honestly. If you have nothing nice to post, don't post it at all. That comment really didn't help us.

Yes. You hung out in #beta long enough that I can say that confidently.

You don't know me.

Then go program something that makes you look older than 3. You've yet to do that.
Title: Re: Warden anti-hack is back..
Post by: Dale on September 02, 2007, 02:15 PM
In all honesty, I think everyone in this thread who's bashed or harassed brew is quite immature, and you really need to grow up.
Title: Re: Warden anti-hack is back..
Post by: rabbit on September 02, 2007, 02:30 PM
So's your face.
Title: Re: Warden anti-hack is back..
Post by: Dale on September 02, 2007, 02:39 PM
That was indeed, hilarious.
Title: Re: Warden anti-hack is back..
Post by: Camel on September 02, 2007, 04:45 PM
Quote from: moh.vze.com on September 02, 2007, 01:51 AM
This Warden crap is a conspiracy.
I think B.net hired some [vL] people to put an end to bots and such. As a result, the [vL] guy suggested bnet use this so-called "Warden" to put an end to all of us.

;D

That wouldn't do much good. The overall effect of binary bots is good, not evil. Blizzard even used to allow chat bots to moderate channels, before people started abusing it. As long as there's a cd key they can ban, I don't see why they would make any conscious effort to universally block BNCS bots. They don't even block the deprecated OLS for games that no longer use it, so long as your cd key checks out.
Title: Re: Warden anti-hack is back..
Post by: Barabajagal on September 02, 2007, 04:50 PM
Except that their stance on bots of any type is that the only one allowed is the Support Bot.... Plus it breaks their EULA to connect with a third-party client.
Title: Re: Warden anti-hack is back..
Post by: Camel on September 02, 2007, 04:58 PM
It's also not legal to reverse the OSCAR protocol for connecting to AIM/ICQ. How many lawsuits have been brought against Trillian, Gaim, or any of the hundreds of other free and proprietary software packages for connecting using the OSCAR protocol?

The purpose of the license is to give the company some legal footing in the event that they need to bring an end to inappropriate behaviour of the end-user. It has to be loosely worded so that the company can't be backed in to a corner. It would be absurd of Blizzard, from a legal standpoint, to say that it is kosher to go masquerading as one of their games. That doesn't mean they're actively opposed to the idea.
Title: Re: Warden anti-hack is back..
Post by: Barabajagal on September 02, 2007, 05:14 PM
As far as flood bots, they damn well should be actively opposed -.- . However, they're still opposed (if only passive) to third-party clients, as was made clear by discontinuing the CHAT telnet protocol.
Title: Re: Warden anti-hack is back..
Post by: Camel on September 02, 2007, 11:08 PM
They disabled CHAT because they couldn't control it. They can control cd keys.
Title: Re: Warden anti-hack is back..
Post by: brew on September 03, 2007, 12:26 AM
Quote from: Joe[x86] on September 02, 2007, 01:47 PM
Quote from: brew on September 02, 2007, 10:31 AM
Quote from: Newby on September 02, 2007, 12:00 AM
Quote from: brew on September 01, 2007, 09:00 AM
You're sure about that?

Honestly. If you have nothing nice to post, don't post it at all. That comment really didn't help us.

Yes. You hung out in #beta long enough that I can say that confidently.

You don't know me.

Then go program something that makes you look older than 3. You've yet to do that.
What exactly have I made that makes me look like I'm 3? What have YOU made, besides some half-assed OS?
Title: Re: Warden anti-hack is back..
Post by: Barabajagal on September 03, 2007, 12:38 AM
They controlled chat. It was allowed in like... Public Chat channels... and that's it.
Title: Re: Warden anti-hack is back..
Post by: Denial on September 03, 2007, 05:14 AM
Well, I mean it's still simple to flood using public channels, by whispers and such. Also, the amount of StarCraft CD keys available to the public is probably one of the reasons they put warden online, because of the amount of bots which were online for StarCraft. There are other ways, such as using the StarCraft Japan exploit, of joining some channels that normally wouldn't be allowed otherwise.

But the simple fact remains that as long as people have time, floodbots will try to exist. You are better off coming up with a better way to totally remove floodbots from your bots so people using them don't even notice them.
Title: Re: Warden anti-hack is back..
Post by: Newby on September 03, 2007, 07:07 AM
Quote from: brew on September 03, 2007, 12:26 AM
What have YOU made, besides some half-assed OS?

Half-assed? That would imply it might be worth running.
Title: Re: Warden anti-hack is back..
Post by: Don Cullen on September 03, 2007, 07:37 AM
Joe, you made an OS? From scratch? With a boot record and everything? If you did that, even if it was only half-assed, chalk me up as impressed! Did you contribute to the Linux OS core? They could use serious programmers like you.
Title: Re: Warden anti-hack is back..
Post by: brew on September 03, 2007, 08:13 AM
Quote from: Don Cullen on September 03, 2007, 07:37 AM
Joe, you made an OS? From scratch? With a boot record and everything? If you did that, even if it was only half-assed, chalk me up as impressed! Did you contribute to the Linux OS core? They could use serious programmers like you.
He made the bootloader himself, along with a few other things, I forget. But it ended up being a complete failure. TBH I think he got most of the code from Minix.
Title: Re: Warden anti-hack is back..
Post by: iCe on September 03, 2007, 08:24 AM
This topic went WAY off topic
Title: Re: Warden anti-hack is back..
Post by: Dale on September 03, 2007, 10:45 AM
Every vL thread goes off topic real fast...
Title: Re: Warden anti-hack is back..
Post by: Newby on September 03, 2007, 11:47 AM
Quote from: brew on September 03, 2007, 08:13 AM
TBH I think he got most of the code from Minix.

LOL. I'm not joe's biggest fan, but even I'll say that's totally far-fetched. But ok, whatever floats your boat.
Title: Re: Warden anti-hack is back..
Post by: Tazo on September 03, 2007, 12:23 PM
Quote from: Denial on September 03, 2007, 05:14 AM
There are other ways, such as using the StarCraft Japan exploit, of joining some channels that normally wouldn't be allowed otherwise.

elaborate, please?
Title: Re: Warden anti-hack is back..
Post by: Barabajagal on September 03, 2007, 01:33 PM
Quote from: Tazo on September 03, 2007, 12:23 PM
Quote from: Denial on September 03, 2007, 05:14 AM
There are other ways, such as using the StarCraft Japan exploit, of joining some channels that normally wouldn't be allowed otherwise.

elaborate, please?

No, please don't. No giving out bnet exploits publicly! -.-
Title: Re: Warden anti-hack is back..
Post by: Don Cullen on September 03, 2007, 02:09 PM
Agreed. Giving them out would result in Blizzard patching it.
Title: Re: Warden anti-hack is back..
Post by: brew on September 03, 2007, 03:07 PM
Quote from: Don Cullen on September 03, 2007, 02:09 PM
Agreed. Giving them out would result in Blizzard patching it.
What's the point of keeping it a secret if nobody knows about it... unless that is, you do too.

EDIT**
wait a minute... whoa ...
Quote
[4:08:23 PM]  -- Joined Channel: StarCraftJ -- Flags: 0x1021 --
Am I hallucinating?!
I've never seen flag 0x1000 used. What does this mean.....
Title: Re: Warden anti-hack is back..
Post by: Barabajagal on September 03, 2007, 03:14 PM
Public Const CHANNEL_PUBLIC                   As Long = &H1
Public Const CHANNEL_MODERATED                As Long = &H2
Public Const CHANNEL_RESTRICTED               As Long = &H4
Public Const CHANNEL_SILENT                   As Long = &H8
Public Const CHANNEL_SYSTEM                   As Long = &H10
Public Const CHANNEL_PRODUCTSPECIFIC          As Long = &H20
Public Const CHANNEL_GLOBAL                   As Long = &H1000


Don't you know anything? :P
Title: Re: Warden anti-hack is back..
Post by: UserLoser on September 03, 2007, 03:25 PM
Quote from: Tazo on September 03, 2007, 12:23 PM
Quote from: Denial on September 03, 2007, 05:14 AM
There are other ways, such as using the StarCraft Japan exploit, of joining some channels that normally wouldn't be allowed otherwise.

elaborate, please?

Think he's talking about warez and something Chat I forget the name...the channel listing on JSTR lists those along with The Void.
Title: Re: Warden anti-hack is back..
Post by: UserLoser on September 03, 2007, 03:26 PM
Quote from: Andy on September 03, 2007, 03:14 PM
Public Const CHANNEL_PUBLIC                   As Long = &H1
Public Const CHANNEL_MODERATED                As Long = &H2
Public Const CHANNEL_RESTRICTED               As Long = &H4
Public Const CHANNEL_SILENT                   As Long = &H8
Public Const CHANNEL_SYSTEM                   As Long = &H10
Public Const CHANNEL_PRODUCTSPECIFIC          As Long = &H20
Public Const CHANNEL_GLOBAL                   As Long = &H1000


Don't you know anything? :P

You forgot redirecting (0x400)
Title: Re: Warden anti-hack is back..
Post by: Barabajagal on September 03, 2007, 04:04 PM
I never found a redirecting channel, so I don't see any reason to add it. As for joining channels like Warez, just use a force join.
Title: Re: Warden anti-hack is back..
Post by: iCe on September 03, 2007, 04:12 PM
Can't force join Backstage.
Title: Re: Warden anti-hack is back..
Post by: UserLoser on September 03, 2007, 04:32 PM
Quote from: Andy on September 03, 2007, 04:04 PM
I never found a redirecting channel, so I don't see any reason to add it. As for joining channels like Warez, just use a force join.

Channels like Starcraft USA-1
Title: Re: Warden anti-hack is back..
Post by: Barabajagal on September 03, 2007, 05:31 PM
Nobody can join Backstage unless they're @Blizzard accounts and are on the blizzard rep/admin database list.
And ya, there's ways of getting JSTR into channels it's not supposed to be in, but if you get caught doing it, you'll ruin it for everyone -.-
Plus, the only reason to use JSTR is cause its icon is better than any other icons :D (http://realityripple.com/Uploads/icons/Games/JSTR.bmp)
Title: Re: Warden anti-hack is back..
Post by: brew on September 03, 2007, 08:14 PM
Hey guys, so I heard some guy on bnet called leaky has a private "warden fix" StealthBot script which magically allows people to stay connected and respond to warden. W O W, right? I haven't seen it myself, but I bet it's just some cheesy loopback connection that has StarCraft do the warden processing. The average StealthBot user will most likely jump for joy. And you have to have StarCraft and all of its dependencies running (of course) while connected to Battle.net, which isn't really a problem for the average StealthBot user, but that's to be expected. Since we can't really "fix" warden yet I say we make a stand-alone .exe to "patch" other bots too. All it would require additionally is to hook a few sockets, the bot's window caption, so on. I don't know about you, but I say we split this up into two parts (the warden request processor and the actual packet sender) and since RealityRipple has such an interest in doing stuff like that maybe he should make some quick warden response server, bnet is saved, blah blah.  ^^
Title: Re: Warden anti-hack is back..
Post by: Barabajagal on September 03, 2007, 08:33 PM
NTY. Done fighting against Blizzard.
Title: Re: Warden anti-hack is back..
Post by: Explicit on September 03, 2007, 11:08 PM
Quote from: Andy on September 03, 2007, 08:33 PM
NTY. Done fighting against Blizzard.

Wise decision.
Title: Re: Warden anti-hack is back..
Post by: Barabajagal on September 03, 2007, 11:13 PM
Quote from: Explicit[nK] on September 03, 2007, 11:08 PM
Quote from: Andy on September 03, 2007, 08:33 PM
NTY. Done fighting against Blizzard.

Wise decision.

It's easier to let other people fight and wait for it to be incorporated into JBLS or a DLL or something :)
Title: Re: Warden anti-hack is back..
Post by: Dale on September 04, 2007, 06:59 AM
But it's still fun to fight against Blizzard.
Title: Re: Warden anti-hack is back..
Post by: Don Cullen on September 04, 2007, 10:07 AM
Basically, how the Stealth solution works is as you have stated, it has Starcraft running in the background, and when Warden on the Battle.net server sends Warden packets to Stealth, the bot redirects it to StarCraft client, which in turn generates the appropriate response.

Now, before you ask, yes, this can be done with ANY bot. All it would require is some simple hooking, although it'd still require StarCraft to be running in the background for as long as you wanted to maintain the connection. While it's a workaround, it's not a solution, nor a viable workaround as it's totally dependent on StarCraft.

For two, in regards to a Warden response server based on the above method, I've already tried the route of having StarCraft process the data. I was trying to write a Warden server. I basically wrote a proxy for bots and StarCraft, so bots could send warden packets to my server running StarCraft, and it'd generate the appropriate response and send it back to the bot, which in turn would send it to Battle.net. But unfortunately, after nearly finishing the proxy, I found out that this solution was not doable. Instead of explaining it myself, I'll paste a conversation I had with the l2uthless bot creator, l2k-Shadow. While I unfortunately gave him a headache from my attempts to understand how it basically worked, perhaps I can save him and others from future headaches by pasting it here so people can follow the conversation along and figure it out as well. Keep in mind I only had 3 hours of sleep the night before, so I'm somewhat slow in the conversation. :P Many thanks to l2k-Shadow for his patience.

Quote
Session Start (Kyro:l2k-Shadow): Sun Sep 02 11:21:56 2007
[11:21] Kyro: hey
[11:21] Kyro: got time?
[11:22] l2k-Shadow: depends what the time is for
[11:22] Kyro: tech support :P
[11:22] Kyro: im coding a warden proxy
[11:22] l2k-Shadow: that's a little vague
[11:22] l2k-Shadow: alright
[11:22] Kyro: basically, the way i have it set up is
[11:23] Kyro: two pcs, gateway on one, starcraft on the other
[11:23] Kyro: when i start gateway, it listens for starcraft
[11:23] Kyro: i have starcraft connect to my laptop (the gateway)
[11:23] Kyro: ah hell i'll just paste and save you the trouble
[11:23] Kyro:
[11:20:47 AM] SYSTEM> Initializing relay...
[11:20:47 AM] SYSTEM> Initalized. Waiting for StarCraft...
[11:20:52 AM] SYSTEM> StarCraft connected!
[11:20:52 AM] SYSTEM> Connecting to battle.net...
[11:20:52 AM] STARCRAFT> Received GameByte.
[11:20:52 AM] STARCRAFT> Received Packet: 0x50 (SID_AUTH_INFO)
[11:20:52 AM] SYSTEM> Connected to Battle.net!
[11:20:52 AM] BATTLE.NET> 0x01 Emulation Byte sent.
[11:20:52 AM] BATTLE.NET> 0x50 (SID_AUTH_INFO) Sent to Battle.net.
[11:20:52 AM] BATTLE.NET> Received Packet: 0x25 (SID_PING)
[11:20:52 AM] SYSTEM> Packet: 0x25 (SID_PING) sent to STARCRAFT.
[11:20:52 AM] BATTLE.NET> Received Packet: 0x50 (SID_AUTH_INFO)
[11:20:52 AM] SYSTEM> Packet: 0x50 (SID_AUTH_INFO) sent to STARCRAFT.
[11:20:52 AM] STARCRAFT> Received Packet: 0x25 (SID_PING)
[11:20:52 AM] SYSTEM> Packet: 0x25 (SID_PING) sent to BATTLE.NET.
[11:22:31 AM] BATTLE.NET> Received Packet: 0x0 (SID_NULL)
[11:22:31 AM] SYSTEM> Packet: 0x0 (SID_NULL) sent to STARCRAFT.
[11:24] l2k-Shadow: and
[11:24] Kyro: well basically
[11:25] Kyro: the goal here is to get starcraft completely loaded, (aka in channel) via proxy (my laptop is acting as proxy). Once starcraft is completely connected, my proxy would disconnect from battle.net, but maintain the connection with starcraft
[11:25] Kyro: would keep connection alive via pings/nulls
[11:26] Kyro: then any bot could connect to my laptop, send it a warden packet that was sent to them by battle.net, which my laptop in turn would relay it to starcraft, starcraft would construct the appropriate response thinking it's from battle.net, and send it to my proxy, which in turn would send it to the bot requesting the warden response
[11:27] Kyro: make sense?
[11:27] l2k-Shadow: good idea
[11:27] l2k-Shadow: but
[11:27] l2k-Shadow: that won't work
[11:27] l2k-Shadow: sorry
[11:27] l2k-Shadow: (which is why no one else has done it)
[11:27] Kyro: why wont it work
[11:27] l2k-Shadow: because of the nature of warden
[11:27] l2k-Shadow: warden is encrypted using a key-based encryption
[11:27] l2k-Shadow: this key is generated from the key hash
[11:27] l2k-Shadow: so the encryption is different for every bot
[11:27] l2k-Shadow: so
[11:27] l2k-Shadow: gl
[11:28] l2k-Shadow: so u can do this
[11:28] Kyro: ahh damn.
[11:28] l2k-Shadow: but only with 1 bot at a time
[11:28] Kyro: key, as in, cdkey based
[11:28] Kyro: right?
[11:28] l2k-Shadow: no
[11:28] l2k-Shadow: key-based as in the encryption
[11:28] l2k-Shadow: uses a key
[11:28] l2k-Shadow: this key comes from your CD-Key hash
[11:28] Kyro: damn.
[11:28] l2k-Shadow: and therefore
[11:28] l2k-Shadow: it is different
[11:28] l2k-Shadow: every time u login
[11:29] Kyro: because my starcraft cdkey isn't the same as the botuser's cdkey, the warden proxy would fail.
[11:29] Kyro: damn.
[11:29] l2k-Shadow: not even that
[11:29] l2k-Shadow: even if they used the same cdkey it would fail because the cdkey hash is different per login
[11:29] l2k-Shadow: due to different client and server tokens
[11:29] Kyro: double damn.
[11:29] Kyro: there goes my idea.
[11:30] Kyro: thanks for your time
[11:30] l2k-Shadow: i tried doing your idea
[11:30] l2k-Shadow: like day after warden came out
[11:30] l2k-Shadow: when i was researching it
[11:30] l2k-Shadow: then i found this out
[11:30] l2k-Shadow: so
[11:30] l2k-Shadow: yeah
[11:31] l2k-Shadow: one thing you COULD do
[11:31] l2k-Shadow: is mess with starcraft's memory
[11:31] l2k-Shadow: and change the cdkey hash
[11:31] l2k-Shadow: with the warden request
[11:31] l2k-Shadow: i tried doing that but failed
[11:31] l2k-Shadow: somehow
[11:31] l2k-Shadow: but the general idea remains the same.
[11:33] Kyro: i dont suppose reversing the logon sequence via assembly and porting it over is doable?
[11:33] l2k-Shadow: what does that have to do with anything?
[11:33] Kyro: im not tryin to reverse the entirety of warden, just the 0x5E packet
[11:34] l2k-Shadow: well.. the main problem is that you're trying to do something you don't know much about
[11:34] l2k-Shadow: -.-
[11:34] Kyro: yeah, time for me to take ASM classes.
[11:34] l2k-Shadow: it's not just a packet.
[11:34] l2k-Shadow: regardless if u know asm or not
[11:35] Kyro: from what little i know, 0x5E seems to tell starcraft to run a check on memory searching for hacks/etc, contains known current signatures to check for, then starcraft compiles a response and sends the response, then bnet sends what i think is a confirmation
[11:35] Kyro: that about right?
[11:36] l2k-Shadow: about
[11:36] l2k-Shadow: not quite right though
[11:36] l2k-Shadow: when sc first logs in and receives the first warden request
[11:36] l2k-Shadow: warden is a program
[11:36] l2k-Shadow: inside
[11:36] l2k-Shadow: sc
[11:36] l2k-Shadow: it sends version of warden back
[11:36] l2k-Shadow: if its up to date or not
[11:36] l2k-Shadow: if it isnt sc sends you updated warden module
[11:37] l2k-Shadow: then 0x5e sends warden what to look for
[11:37] l2k-Shadow: and warden compiles a response
[11:37] l2k-Shadow: and sends it back
[11:37] l2k-Shadow: the problem with making a server
[11:37] l2k-Shadow: for this
[11:37] l2k-Shadow: is few things
[11:37] l2k-Shadow: warden can be updated at any time
[11:37] l2k-Shadow: and warden sends a check every 5 seconds
[11:37] l2k-Shadow: that means
[11:37] l2k-Shadow: people who use your server
[11:37] l2k-Shadow: would have to remain constantly connected
[11:38] l2k-Shadow: to it
[11:38] l2k-Shadow: #1
[11:38] Kyro: that'd butcher my bandwidth.
[11:38] l2k-Shadow: #2 it would get abused
[11:38] l2k-Shadow: by people trying to load bots
[11:38] l2k-Shadow: which would butcher your bandwidth and your server.
[11:38] Kyro: in other words, not worth considering
[11:38] l2k-Shadow: precisely.
[11:39] l2k-Shadow: unlike BNLS, warden isn't something that you could do server-side
[...]
[11:41] Kyro: ah well.
[11:41] Kyro: is the 0x5E also in effect for other game clients, or just SC?
[11:41] l2k-Shadow: sc only
[11:41] l2k-Shadow: it is not implemented
[11:42] l2k-Shadow: in any other games
[11:42] Kyro: probably plan on it.
[11:42] l2k-Shadow: i dont think so
[...]
[11:43] l2k-Shadow: and there is a good reason it wont be in another clients
[11:43] Kyro: so wouldnt solve the problem, unless the 0x5E packet was made a requirement prior to finishing logon
[11:43] l2k-Shadow: it won't be in w2
[11:43] l2k-Shadow: because w2 is no longer updated
[11:43] l2k-Shadow: by blizzard
[11:44] l2k-Shadow: it won't be in d2
[11:44] l2k-Shadow: because d2 has warden in game
[11:44] l2k-Shadow: it won't be in w3.. same reason
[11:44] l2k-Shadow: so there u go.
[11:44] Kyro: sc has warden in game, so why are they using it outgame?
[11:44] l2k-Shadow: no it doesn't.
[11:44] Kyro: i could have sworn it did.
[11:44] l2k-Shadow: no.
[11:44] l2k-Shadow: because
[11:44] l2k-Shadow: since sc games
[11:44] l2k-Shadow: are
[11:44] l2k-Shadow: p2p
[11:44] Kyro: the rest arent?
[11:44] l2k-Shadow: warden has to be controlled
[11:45] l2k-Shadow: by the battle.net server
[11:45] l2k-Shadow: for sc
[11:45] l2k-Shadow: since d2 games and w3 games
[11:45] l2k-Shadow: are
[11:45] l2k-Shadow: client->server->client
[11:45] l2k-Shadow: warden for those games can be controlled by the game server.
[11:45] Kyro: i see.
[11:46] Kyro: wouldn't it make sense for blizz to make the game p2s2p?
[11:46] Kyro: then warden'd be ingame
[11:46] l2k-Shadow: it would but that would require them to recode a major portion of starcraft
[11:46] Kyro: unless their code for the game didn't permit for ease of implementation
[11:46] l2k-Shadow: which they won't do.
[11:46] Kyro: yea.
[11:46] Kyro: but from what you say
[11:47] Kyro: wouldn't that mean all a hacker had to do was join a game, then load their hacks. they'd be relatively safe from warden, and prior to finishing the game, the hacks could then be unloaded.
[11:47] Kyro: all theyd have to do would be avoid having hacks running when not in game
[11:48] l2k-Shadow: no..
[11:48] l2k-Shadow: they remain connected to the battle.net server throughout the game.
[11:48] Kyro: but you just said warden doesnt run ingame.
[11:48] Kyro: im referring to sc.
[11:48] l2k-Shadow: warden for sc runs all the time
[11:48] l2k-Shadow: regardless of ingame or out of game
[11:49] Kyro: then why do they have need for the 0x5E packet, when the other games have no need for it?
[...]
[11:52] l2k-Shadow: l2k-Shadow: warden has to be controlled
l2k-Shadow: by the battle.net server
l2k-Shadow: for sc
l2k-Shadow: since d2 games and w3 games
l2k-Shadow: are
l2k-Shadow: client->server->client
l2k-Shadow: warden for those games can be controlled by the game server.
[11:53] Kyro: [11:52] l2k-Shadow: warden has to be controlled by the battle.net server
[11:53] Kyro: but isnt sc p2p? meaning no interaction with the server?
[11:54] l2k-Shadow: *SIGH*
[11:54] l2k-Shadow: when you enter a starcraft game
[11:54] l2k-Shadow: you don't disconnect from battle.net
[11:54] l2k-Shadow: you exchange UDP data with the other players in the game
[11:54] l2k-Shadow: warden is still controlled by battle.net
[11:54] l2k-Shadow: sending u 0x5E packets.
[11:54] l2k-Shadow: the same way
[11:54] l2k-Shadow: if u talk in game
[11:54] l2k-Shadow: when you talk in game
[11:54] l2k-Shadow: you just send that data to other players via UDP
[11:55] l2k-Shadow: but lets say u want to whisper
[11:55] l2k-Shadow: when you whisper you send that data via Battle.net server.
[11:57] l2k-Shadow: however the warden is now controlled
[11:57] l2k-Shadow: by the server you play the game on
[11:58] l2k-Shadow: not the main battle.net server
[11:58] l2k-Shadow: which is why warden for sc is still active while you are in lobby
[11:58] l2k-Shadow: but d2 warden is not
[11:58] l2k-Shadow: because d2 warden is only active while on a game server
[11:59] Kyro: ah, so that's why the bots can get on via emulating other clients, no warden outgame
[11:59] l2k-Shadow: Right
[11:59] Kyro: battle.net servers are both lobby/game servers, while for the other games, lobby/game servers are separate
[11:59] Kyro: right?
[12:00] l2k-Shadow: no
[12:00] l2k-Shadow: battle.net server is lobby only
[12:00] l2k-Shadow: for all gaems
[12:00] l2k-Shadow: games
[12:01] Kyro: let me rephrase, starcraft only makes one connection: bnet, hence why warden is always in effect, while for the other games, two connections are made, one for the lobby for bnet, and another one for the game servers
[12:01] Kyro: about right?
[12:01] l2k-Shadow: correct
[12:01] l2k-Shadow: congratulations
[12:01] l2k-Shadow: -_-
[12:02] Kyro: yeah, thanks. it feels great to not be so dumb now.
[12:02] l2k-Shadow: lol
[...]
[12:03] Kyro: based on it, it sounds like the 0x5E packet being in effect outgame wasn't intentional, it was just a permanent side effect, due to it being on same server as battle.net
[12:03] Kyro: sucks.
[12:03] l2k-Shadow: right
[12:07] Kyro: does the fact that warden isn't centralized, is keybased, encrypted, etc, etc mean you're fresh out of ideas?
[12:08] l2k-Shadow: it can be done
[12:08] l2k-Shadow: but no solution is permanent
[12:08] l2k-Shadow: because warden can always be updated
[12:08] l2k-Shadow: server-side
[12:08] l2k-Shadow: so even if u wrote a workaround
[12:08] l2k-Shadow: for the current warden
[12:08] Kyro: so it'd be a tit for tat, in other words not worth it
[12:08] l2k-Shadow: right
[12:08] l2k-Shadow: of course there are people
[12:08] l2k-Shadow: who have done it
[12:08] l2k-Shadow: im sure
[12:08] l2k-Shadow: probably skywing/adron
[12:08] l2k-Shadow: etc
[12:09] l2k-Shadow: but i mean
[12:09] l2k-Shadow: lol
[12:09] Kyro: alright, thanks for ur time
[12:09] Kyro: sorry to have given you a headache.
[12:09] l2k-Shadow: i've had worse.
[...]
Session Close (l2k-Shadow): Sun Sep 02 12:27:49 2007
Title: Re: Warden anti-hack is back..
Post by: Camel on September 04, 2007, 10:53 AM
Quote from: Andy on September 03, 2007, 12:38 AM
They controlled chat. It was allowed in like... Public Chat channels... and that's it.

And they disabled it entirely when people figured out how to whisper flood.
Title: Re: Warden anti-hack is back..
Post by: Barabajagal on September 04, 2007, 01:04 PM
Quote from: Camel on September 04, 2007, 10:53 AM
Quote from: Andy on September 03, 2007, 12:38 AM
They controlled chat. It was allowed in like... Public Chat channels... and that's it.

And they disabled it entirely when people figured out how to whisper flood.

And yet you can still whisper flood on any other non-keyed client. And it's easy to just do /dnd anyway!
Title: Re: Warden anti-hack is back..
Post by: brew on September 04, 2007, 02:20 PM
Quote from: Don Cullen on September 04, 2007, 10:07 AM
[11:27] l2k-Shadow: because of the nature of warden
[11:27] l2k-Shadow: warden is encrypted using a key-based encryption
[11:27] l2k-Shadow: this key is generated from the key hash
[11:27] l2k-Shadow: so the encryption is different for every bot
where you could store all the necessary values, then patch the memory addresses of the warden encryption key values (we already have the offsets from the previous warden topic) very easy if you ask me.
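What the quoted chat lines mean by "key-based" and "different for every bot" is easiest to see with a stream cipher session, so here is an added illustration (not code from this thread, and not Warden's own code). It assumes RC4 as the cipher, derives a 16-byte session key from SHA-1 over a constructed "key hash" value (the real derivation is not given on this page, so `session_key()` is a stand-in), and uses made-up packet contents. The point it shows: because i, j and S advance with every byte, a responder that has the key but did not process the stream from its first packet recovers nothing useful, which is why such a thing has to live with the connection rather than on a shared server.

```python
"""Keyed stream-cipher session, modelled on the quoted chat lines.

Added example for this thread, not Warden's own code and not brew's. It assumes
RC4 as the cipher and derives a 16-byte session key from SHA-1 of a constructed
'key hash' value; the real derivation is not given on this page, so
session_key() is a stand-in.
"""
import hashlib


def rc4_ksa(key: bytes) -> list:
    """RC4 key scheduling: permute 0..255 under the key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


class RC4Stream:
    """One direction of a session. i, j and S advance with every byte, so the
    keystream used for packet N depends on every byte encrypted before it."""

    def __init__(self, key: bytes):
        self.s = rc4_ksa(key)
        self.i = 0
        self.j = 0

    def crypt(self, data: bytes) -> bytes:
        """RC4 PRGA: XOR data with the next len(data) keystream bytes."""
        out = bytearray()
        for b in data:
            self.i = (self.i + 1) & 0xFF
            self.j = (self.j + self.s[self.i]) & 0xFF
            self.s[self.i], self.s[self.j] = self.s[self.j], self.s[self.i]
            out.append(b ^ self.s[(self.s[self.i] + self.s[self.j]) & 0xFF])
        return bytes(out)


def session_key(key_hash: bytes) -> bytes:
    """Hypothetical per-client derivation (an assumption for this example):
    the first 16 bytes of SHA-1(key_hash)."""
    return hashlib.sha1(key_hash).digest()[:16]


def encrypt_session(key_hash: bytes, packets: list) -> list:
    """Encrypt a sequence of packets with one continuous stream, as the client does."""
    tx = RC4Stream(session_key(key_hash))
    return [tx.crypt(p) for p in packets]


def decrypt_from(key_hash: bytes, ciphertexts: list, start: int) -> list:
    """Decrypt ciphertexts[start:] with a fresh stream: what a responder that
    knows the key hash but missed (or never saw) the earlier packets gets."""
    rx = RC4Stream(session_key(key_hash))
    return [rx.crypt(c) for c in ciphertexts[start:]]


# Constructed sample: two clients with different key hashes, same plaintexts.
KEY_HASH_A = bytes.fromhex("0123456789abcdef0123456789abcdef01234567")
KEY_HASH_B = bytes.fromhex("89abcdef0123456789abcdef0123456789abcdef")
PACKETS = [b"check-request-1" + bytes(22), b"check-request-2" + bytes(22)]
```

`decrypt_from(KEY_HASH_A, ciphertexts, 0)` returns the original packets; `decrypt_from(KEY_HASH_A, ciphertexts, 1)` returns garbage for the second packet even though the key is right, because the stream state that the first packet advanced is missing. Patching key values in memory, as proposed above, therefore only helps if the same process also sees every packet in order.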
Title: Re: Warden anti-hack is back..
Post by: Camel on September 04, 2007, 03:26 PM
Quote from: brew on September 04, 2007, 02:20 PM
Quote from: Don Cullen on September 04, 2007, 10:07 AM
[11:27] l2k-Shadow: because of the nature of warden
[11:27] l2k-Shadow: warden is encrypted using a key-based encryption
[11:27] l2k-Shadow: this key is generated from the key hash
[11:27] l2k-Shadow: so the encryption is different for every bot
where you could store all the necessary values, then patch the memory addresses of the warden encryption key values (we already have the offsets from the previous warden topic) very easy if you ask me.
Don't bother. Blizzard will just update warden to break your algorithm. If you're going to shim, then shim; multiple people have had success with that. You can't half-ass warden, so save yourself some lost effort and stop trying.
Title: Re: Warden anti-hack is back..
Post by: brew on September 04, 2007, 04:16 PM
Quote from: Camel on September 04, 2007, 03:26 PM
Quote from: brew on September 04, 2007, 02:20 PM
Quote from: Don Cullen on September 04, 2007, 10:07 AM
[11:27] l2k-Shadow: because of the nature of warden
[11:27] l2k-Shadow: warden is encrypted using a key-based encryption
[11:27] l2k-Shadow: this key is generated from the key hash
[11:27] l2k-Shadow: so the encryption is different for every bot
where you could store all the necessary values, then patch the memory addresses of the warden encryption key values (we already have the offsets from the previous warden topic) very easy if you ask me.
Don't bother. Blizzard will just update warden to break your algorithm. If you're going to shim, then shim; multiple people have had success with that. You can't half-ass warden, so save yourself some lost effort and stop trying.

Who said it was an algorithm, and so far people have been half-assing warden with great success. Besides, it's not like blizzard is working against bot makers. They are, however, working against hack makers.
Title: Re: Warden anti-hack is back..
Post by: rabbit on September 04, 2007, 04:27 PM
You haven't read Blizzard's TOS or EULA, have you?
Title: Re: Warden anti-hack is back..
Post by: brew on September 04, 2007, 04:50 PM
Quote from: rabbit on September 04, 2007, 04:27 PM
You haven't read Blizzard's TOS or EULA, have you?
I have. Why didn't they make something to prevent Diablo 2 bots connecting? Or Warcraft 2? Hell, even their beloved Warcraft 3? Why didn't they encrypt all of their packets? *Hint* They're not trying to "kill the botz"
Title: Re: Warden anti-hack is back..
Post by: Michael on September 04, 2007, 05:17 PM
I'd have to agree that bots are not of great concern to Blizzard at the moment; maybe in the old days they were, and in the future they might be, but going by their current stance I am led to the conclusion that they do not have any problems with normal bots. (By normal bots I do not include loaders or flooders.)
Title: Re: Warden anti-hack is back..
Post by: Barabajagal on September 04, 2007, 05:25 PM
Today I was in the Blizzard Tech Support channel (reporting a bot that was advertising a game and being annoying in general), and the user before me apparently asked the rep for help with a bot. The rep said they did not support third party clients, and that the user should contact the bot developer for help. Sounds to me like they're apathetic about chat bots :)
Title: Re: Warden anti-hack is back..
Post by: Kp on September 04, 2007, 10:17 PM
Look at it from their perspective.  Blizzard uses paid employees to police battle.net.  Since battle.net does not generate subscription revenue, there is no incentive to expend effort fighting issues which do not substantially bother the gaming users.  Bots can be annoying, but are generally easy to avoid.  However, cheaters are more difficult to avoid (how do you as a mere gamer tell when someone's cheating?) and tend to cause more annoyance.  Thus, given limited resources, Blizzard focuses on stopping cheating.  As we have seen, they are not averse to causing bot developers/users grief when it is a cheap or free side effect of fighting cheating, but it is not cost effective to spend employee time on a pursuit which will only hinder bots.

As for the remark about encryption: what good would that do?  Do you really think bots would have gotten this far if people were restricted to inspecting wire traffic to understand the protocol?  Once a user commits to reverse engineering the client to get the protocol details, an encrypted protocol just means some extra functions to take apart.  Also, encryption is not free.  Encrypting all the wire traffic going in and out of battle.net would require non-trivial resources for any good encryption algorithm.  I doubt Blizzard would even consider spending the CPU cycles to encrypt a couple hundred thousand connections (battle.net's user count during its heyday) when, as above, it is only a temporary hindrance to third party developers and does not earn any additional money.
Title: Re: Warden anti-hack is back..
Post by: rabbit on September 04, 2007, 11:19 PM
Quote from: brew on September 04, 2007, 04:50 PM
Quote from: rabbit on September 04, 2007, 04:27 PM
You haven't read Blizzard's TOS or EULA, have you?
I have. Why didn't they make something to prevent Diablo 2 bots connecting? Or Warcraft 2? Hell, even their beloved Warcraft 3? Why didn't they encrypt all of their packets? *Hint* They're not trying to "kill the botz"
Their TOS/EULA specifically prohibits emulation of their protocols.  That's pretty anti-bot to me.
Title: Re: Warden anti-hack is back..
Post by: Barabajagal on September 04, 2007, 11:33 PM
Quote from: rabbit on September 04, 2007, 11:19 PM
Quote from: brew on September 04, 2007, 04:50 PM
Quote from: rabbit on September 04, 2007, 04:27 PM
You haven't read Blizzard's TOS or EULA, have you?
I have. Why didn't they make something to prevent Diablo 2 bots connecting? Or Warcraft 2? Hell, even their beloved Warcraft 3? Why didn't they encrypt all of their packets? *Hint* They're not trying to "kill the botz"
Their TOS/EULA specifically prohibits emulation of their protocols.  That's pretty anti-bot to me.
As was previously mentioned, it's apparently only really there as leverage in case an incident arises.
Title: Re: Warden anti-hack is back..
Post by: Camel on September 05, 2007, 08:40 AM
Quote from: brew on September 04, 2007, 04:16 PM
Who said it was an algorithm
Anyone who has ever taken any kind of computer science course. Ever.
Title: Re: Warden anti-hack is back..
Post by: Falcon[anti-yL] on September 05, 2007, 10:42 AM
Quote from: Camel on September 05, 2007, 08:40 AM
Quote from: brew on September 04, 2007, 04:16 PM
Who said it was an algorithm
Anyone who has ever taken any kind of computer science course. Ever.
Haha Camel +1 :P
Title: Re: Warden anti-hack is back..
Post by: rabbit on September 05, 2007, 11:23 AM
I told that kid it was an algorithm weeks ago and everyone yelled at me "NO IT R TEH PORGAMZ" and now Camel says the same thing and he gets +1 and praise.  WTF?
Title: Re: Warden anti-hack is back..
Post by: Camel on September 05, 2007, 12:36 PM
Quote: An explicit step-by-step procedure for producing a solution to a given problem. Specifically, a mathematical equation typically executed using a computer program (or set of programs) that is designed to systematically solve a certain kind of problem.
Title: Re: Warden anti-hack is back..
Post by: UserLoser on September 05, 2007, 01:37 PM
Quote from: Andy on September 03, 2007, 05:31 PM
Nobody can join Backstage unless they're @Blizzard accounts and are on the blizzard rep/admin database list.
And ya, there's ways of getting JSTR into channels it's not supposed to be in, but if you get caught doing it, you'll ruin it for everyone -.-
Plus, the only reason to use JSTR is cause its icon is better than any other icons :D (http://realityripple.com/Uploads/icons/Games/JSTR.bmp)

Isn't an admin database, just names tagged with specific flags are allowed access.  IIRC, years back you were able to see System\Flags for a user--I could be wrong about this though.  Obviously we would all have 0 for that value, while Blizzard reps would have 0x8 for example and admins have 0x1--or whatever the values are
Title: Re: Warden anti-hack is back..
Post by: Barabajagal on September 05, 2007, 02:13 PM
That sounds like a database to me <.<
Title: Re: Warden anti-hack is back..
Post by: brew on September 05, 2007, 02:52 PM
Quote from: Camel on September 05, 2007, 12:36 PM
Quote: An explicit step-by-step procedure for producing a solution to a given problem. Specifically, a mathematical equation typically executed using a computer program (or set of programs) that is designed to systematically solve a certain kind of problem.
You're pushing that definition. Notice how I use everything except actual math for that algorithm. Just patch a few addresses, and send data through a winsock.
Title: Re: Warden anti-hack is back..
Post by: Barabajagal on September 05, 2007, 03:09 PM
Quote from: brew on September 05, 2007, 02:52 PM
Quote from: Camel on September 05, 2007, 12:36 PM
Quote: An explicit step-by-step procedure for producing a solution to a given problem. Specifically, a mathematical equation typically executed using a computer program (or set of programs) that is designed to systematically solve a certain kind of problem.
You're pushing that definition. Notice how I use everything except actual math for that algorithm. Just patch a few addresses, and send data through a winsock.
Uhm... no, he's not pushing it. That's what an algorithm is.
Title: Re: Warden anti-hack is back..
Post by: UserLoser on September 05, 2007, 07:30 PM
Quote from: Andy on September 05, 2007, 02:13 PM
That sounds like a database to me <.<

yeah, a database.  not an admin database
Title: Re: Warden anti-hack is back..
Post by: Barabajagal on September 05, 2007, 07:49 PM
SELECT * FROM `Users` WHERE (`Flags` & FLAG_ADMIN) <> 0;

Sorry for using obscure terminology. By Admin Database, I mean a listing of data containing information about administrators.
Title: Re: Warden anti-hack is back..
Post by: Camel on September 06, 2007, 12:39 PM
Quote from: brew on September 05, 2007, 02:52 PM
Quote from: Camel on September 05, 2007, 12:36 PM
Quote: An explicit step-by-step procedure for producing a solution to a given problem. Specifically, a mathematical equation typically executed using a computer program (or set of programs) that is designed to systematically solve a certain kind of problem.
You're pushing that definition. Notice how I use everything except actual math for that algorithm. Just patch a few addresses, and send data through a winsock.
Actually, I was quoting the result of a Google search for "define:algorithm"
Title: Re: Warden anti-hack is back..
Post by: Don Cullen on September 06, 2007, 02:24 PM
Google, define:program
Results obtained from: Georgetown University
Quote: A set of coded instructions that a computer executes or interprets to perform an automated task. 2. An interrelated group of projects that are either being run concurrently or sequentially and that share a system goal. Individual projects may have different goals, however the combined set of projects will have a program goal.

Google, define:algorithm
Results obtained from: Wetstone, a division of Allen Corporation
Quote: A set of ordered steps for solving a problem, such as a mathematical formula or the instructions in a program. The terms algorithm and logic are synonymous. Both refer to a sequence of steps to solve a problem. However, an algorithm implies an expression that solves a complex problem rather than the overall input-process-output logic of typical business programs.

In other words, they're the one and the same.
Title: Re: Warden anti-hack is back..
Post by: Barabajagal on September 06, 2007, 04:13 PM
The algorithm is more like the logic behind the program.
Title: Re: Warden anti-hack is back..
Post by: Camel on September 06, 2007, 04:44 PM
Not quite;

Algorithm : program :: class : object.

That is to say, a program is an instance of an algorithm, just as an object is an instance of a class.
Title: Re: Warden anti-hack is back..
Post by: rabbit on September 06, 2007, 06:25 PM
Almost.

A class is also a type of object, but an algorithm isn't necessarily a program.
Title: Re: Warden anti-hack is back..
Post by: devcode on September 08, 2007, 12:51 PM
Emulate what Starcraft does for the 0x5E packet. KABEWM. EZ.
Title: Re: Warden anti-hack is back..
Post by: Barabajagal on September 08, 2007, 01:11 PM
Quote from: devcode on September 08, 2007, 12:51 PM
Emulate what Starcraft does for the 0x5E packet. KABEWM. EZ.
I assume that means you've already got it done?
Title: Re: Warden anti-hack is back..
Post by: devcode on September 08, 2007, 01:35 PM
For an experienced reverse-engineer/developer, it shouldn't be hard at all. I personally haven't done it since I'm more focused on the ingame-hacks side of things (ie. maphack, selection hacks, etc..) but maybe sometime in the future, I may take it on as a project. I briefly reversed it when Warden released for SC but didn't focus my time and effort on it.
Title: Re: Warden anti-hack is back..
Post by: Hdx on September 08, 2007, 02:18 PM
Its not hard at all to do what SC does with warden. It's hard to modify warden to return the proper values.
Basically what SC does is takes the data, shoves it into a big block of free memory in its memory space. And does a call 0x12345678 where 0x12345678 is the start address of where it loads it into memory.
It's not hard to do at all, in fact, i've done it, I even make a wrapper exe that you can shove modules in to be called.
So 'Emulate what Starcraft does for the 0x5E packet. ' has already been done.
~Hdx
Title: Re: Warden anti-hack is back..
Post by: devcode on September 08, 2007, 03:39 PM
Obviously you didn't understand what I said. We consider the black-box to be for eg. in 0x12345678, and we feed the input (the 0x5E packet) and the output from this black-box is the reply we send back to Battle.net. Obviously, to be cool, the warden code will be loaded on your bot client instead of using an interface which communicates with the Starcraft client. Now which part did you not get from this.
Title: Re: Warden anti-hack is back..
Post by: Hdx on September 08, 2007, 03:44 PM
Pretty much all of it... What the hell are you talking about?
How exactly do you propose to set up this black box to trick warden into thinking it's still inside a valid SC space?
~Hdx
Title: Re: Warden anti-hack is back..
Post by: devcode on September 08, 2007, 03:47 PM
That's the part that requires you to reverse the processing of the 0x5E packet.
Title: Re: Warden anti-hack is back..
Post by: Don Cullen on September 08, 2007, 03:54 PM
Quote from: devcode on September 08, 2007, 01:35 PM
For an experienced reverse-engineer/developer, it shouldn't be hard at all. I personally haven't done it since I'm more focused on the ingame-hacks side of things (ie. maphack, selection hacks, etc..) but maybe sometime in the future, I may take it on as a project. I briefly reversed it when Warden released for SC but didn't focus my time and effort on it.

You claim to have briefly reversed it-- and claim to have the ability to reverse 0x5E-- would you care to elaborate more on the details of it? Anyone can claim to have done it, but not everybody can actually prove it. Especially when you view this page:

http://forum.valhallalegends.com/index.php?action=profile;u=4665;sa=showPosts

Hard to take someone seriously when pretty much all there seems to be are insults and vaporized efforts. ;)
Title: Re: Warden anti-hack is back..
Post by: devcode on September 08, 2007, 04:07 PM
Yes, that was a few months back, don't remember all the details off the top of my head. I'll take a look at it when I get time today/tomorrow.
Title: Re: Warden anti-hack is back..
Post by: Barabajagal on September 08, 2007, 04:11 PM
Quote from: devcode on September 08, 2007, 03:47 PM
That's the part that requires you to reverse the processing of the 0x5E packet.
So, in essence, you've contributed absolutely nothing and gotten everyone mad at you. GOOD JOB, FUCKUP :)
Title: Re: Warden anti-hack is back..
Post by: devcode on September 08, 2007, 05:12 PM
But I clearly said in the post

"For an experienced reverse-engineer/developer..." and I mentioned I hadn't got in-depth with this. I just said it was possible for someone who is experienced, nothing else. So, in essence, you fale.

Title: Re: Warden anti-hack is back..
Post by: Barabajagal on September 08, 2007, 05:36 PM
Fail.

No duh someone who's experienced at reverse engineering can reverse engineer. You're saying nothing of any value or use, or even anything that isn't completely obvious!
Title: Re: Warden anti-hack is back..
Post by: devcode on September 08, 2007, 05:52 PM
Being experienced at reverse-engineering does not necessarily mean it's practically possible to achieve a solution. Doing some analysis myself, I came to the conclusion that it was possible to achieve an optimal solution, and this conclusion is not trivial unless you go through some initial reversing. I think you should spend time getting a better website up as well as upgrading that knowledge of yours (i was like LOLWUTAN00B when i saw you used VB) instead of writing replies to my statements.

Quote from: Andy on September 08, 2007, 05:36 PM
Fail.

No duh someone who's experienced at reverse engineering can reverse engineer. You're saying nothing of any value or use, or even anything that isn't completely obvious!
Title: Re: Warden anti-hack is back..
Post by: Barabajagal on September 08, 2007, 06:03 PM
"Getting" a better website? How many websites do you know that are 100% valid in all areas? How many do you know that were written entirely by one person in notepad and are 100% valid in all areas? Then you attack me via IM claiming I know nothing because my language of choice happens to be one you don't like. HOW FUCKING RETARDED CAN YOU GET?
Title: Re: Warden anti-hack is back..
Post by: devcode on September 08, 2007, 06:05 PM
Really, kids should think before they talk.

RealityRipple ‎(7:00 PM):
i wouldn't use c for any programs
powerbasic > c
booyakasha ‎(7:01 PM):
lol
lol
see, thats what makes you dumb
RealityRipple ‎(7:01 PM):
what, because a superior language isn't well known, it's no good?

<Andy> OMG GUYZ POWERBASIC IZ LIKE TEH BEST THING EVURRR AND OMG WHY DIDNT THEY USEZ IT TO MAKE LINUX WTF? STUPID LINUZ. IM GUNNA GO MAKE AN OS FROM POWERBASIC FUX THIZ SHIT.

Inshort, EPIC FALE.
Title: Re: Warden anti-hack is back..
Post by: Barabajagal on September 08, 2007, 06:08 PM
Do you even know what PowerBASIC is?
Title: Re: Warden anti-hack is back..
Post by: warz on September 08, 2007, 07:15 PM
Quote from: Andy on September 08, 2007, 06:03 PMHow many websites do you know that are 100% valid in all areas? How many do you know that were written entirely by one person in notepad and are 100% valid in all areas?

It's not tough to write a simple website that passes as valid html. I would consider your site fairly simple, compared to other sites that achieve valid html, also. You're not the only person that uses a simple text editor for writing html, either. A majority of web developers use basic text editors for html, php, javascript, python, whatever.
Title: Re: Warden anti-hack is back..
Post by: Barabajagal on September 08, 2007, 07:28 PM
My site uses php, allows you to select from 6 CSS color schemes, and has a handful of other things (try clicking the arrow on the left of the footer bar to see what I mean). It makes use of getting (and formatting) file sizes for applications, is safe against the php include() exploit, and has many dynamic aspects you don't notice from looking at it.
Title: Re: Warden anti-hack is back..
Post by: Don Cullen on September 08, 2007, 07:34 PM
Quote from: devcode on September 08, 2007, 05:12 PM
But I clearly said in the post "For an experienced reverse-engineer/developer..." and I mentioned I hadn't got in-depth with this. I just said it was possible for someone who is experienced, nothing else. So, in essence, you fale.

Quote from: devcode on September 08, 2007, 12:51 PM
Emulate what Starcraft does for the 0x5E packet. KABEWM. ----->EZ.<----


Contradictory.

Also, it's fail, not fale. :P
Title: Re: Warden anti-hack is back..
Post by: devcode on September 08, 2007, 08:00 PM
Can you tell me which two points are contradicting? You highlighted "EZ", what's the other one?

Quote from: Don Cullen on September 08, 2007, 07:34 PM
Quote from: devcode on September 08, 2007, 05:12 PM
But I clearly said in the post "For an experienced reverse-engineer/developer..." and I mentioned I hadn't got in-depth with this. I just said it was possible for someone who is experienced, nothing else. So, in essence, you fale.

Quote from: devcode on September 08, 2007, 12:51 PM
Emulate what Starcraft does for the 0x5E packet. KABEWM. ----->EZ.<----


Contradictory.

Also, it's fail, not fale. :P
Title: Re: Warden anti-hack is back..
Post by: brew on September 08, 2007, 08:40 PM
I smell squeak
Title: Re: Warden anti-hack is back..
Post by: Newby on September 08, 2007, 09:47 PM
God you're all fucking retarded.
Title: Re: Warden anti-hack is back..
Post by: Camel on September 10, 2007, 09:45 AM
Quote from: rabbit on September 06, 2007, 06:25 PM
Almost.

A class is also a type of object, but an algorithm isn't necessarily a program.

You misread my statement. I didn't say an algorithm is always a program; I said a program is an instance of an algorithm.

If you're a Java programmer, you may be confusing objects that are instances of the <Class> class. The definition of an object is an instance of a class, so your statement is simply incorrect.

References:
http://dictionary.reference.com/browse/object
Quote: object (object-oriented)
In object-oriented programming, an instance of the data structure and behaviour defined by the object's class. Each object has its own values for the instance variables of its class and can respond to the methods defined by its class.
For example, an object of the "Point" class might have instance variables "x" and "y" and might respond to the "plot" method by drawing a dot on the screen at those coordinates.
(2004-01-26)
Title: Re: Warden anti-hack is back..
Post by: Joe[x86] on September 10, 2007, 10:17 AM
Quote from: Dale on August 29, 2007, 09:27 PM
I don't know if this helps at all, but I'm trying.. I received this about 1 minute before being disconnected by warden


0000  00 18 f8 29 19 e9 00 18  f8 3f 4a b4 08 00 45 00   ...).... .?J...E.
0010  00 28 0a 2a 00 00 ff 06  5c 9f 3f f1 53 09 c0 a8   .(.*.... \.?.S...
0020  01 64 17 e0 0e de f1 33  94 94 00 00 00 00 50 04   .d.....3 ......P.
0030  00 00 ae 53 00 00                                  ...S..           


Does this happen over and over? That's an interestingly malformed SID_STARTVERSIONING. (http://ersan.us/src/bnetdocs/content17fc.html?Section=m&Code=23)
Title: Re: Warden anti-hack is back..
Post by: iago on September 10, 2007, 11:35 AM
Quote from: Joe[x86] on September 10, 2007, 10:17 AM
Quote from: Dale on August 29, 2007, 09:27 PM
I don't know if this helps at all, but I'm trying.. I received this about 1 minute before being disconnected by warden


0000  00 18 f8 29 19 e9 00 18  f8 3f 4a b4 08 00 45 00   ...).... .?J...E.
0010  00 28 0a 2a 00 00 ff 06  5c 9f 3f f1 53 09 c0 a8   .(.*.... \.?.S...
0020  01 64 17 e0 0e de f1 33  94 94 00 00 00 00 50 04   .d.....3 ......P.
0030  00 00 ae 53 00 00                                  ...S..           


Does this happen over and over? That's an interestingly malformed SID_STARTVERSIONING. (http://ersan.us/src/bnetdocs/content17fc.html?Section=m&Code=23)

I could be wrong, but that just looks like a TCP header to me, no actual packet data.
Title: Re: Warden anti-hack is back..
Post by: Joe[x86] on September 10, 2007, 11:55 AM
Nevermind, you're right. I started reading at 0x16 instead of 0x36. That's what I get for trying to understand things in the morning.
Title: Re: Warden anti-hack is back..
Post by: Dale on September 10, 2007, 02:25 PM
silly joe ;D
Title: Re: Warden anti-hack is back..
Post by: iago on September 10, 2007, 05:54 PM
Quote from: Joe[x86] on September 10, 2007, 11:55 AM
Nevermind, you're right. I started reading at 0x16 instead of 0x36. That's what I get for trying to understand things in the morning.
Hint: look for 0xFF, and if the three bytes after it don't look sane, it's probably not Battle.net.

Although I'm pretty used to looking at the middle of the third line in a dump, I hope I never have to get used to IPv6 :)
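Joe's and iago's exchange makes a good exercise, so here is an added example (not code from the thread or from any bot) that walks the Ethernet, IPv4 and TCP headers of Dale's captured frame and then applies iago's hint as a concrete check. The frame bytes are copied from the dump quoted above; the BNCS sample at the end is constructed for this example. Reading from offset 0x16 lands on the IP TTL byte (0xff) followed by the protocol byte (0x06), which is where the SID_STARTVERSIONING misread came from; the "length" that follows is implausible, which is exactly what the hint tells you to look for.

```python
"""Walk the Ethernet/IPv4/TCP headers of the frame dumped earlier in the thread
and apply the 0xFF-then-sane-header test for a Battle.net (BNCS) message.

Added example, not the thread's or any bot's code. FRAME_DUMP is copied from
Dale's capture above; BNCS_SAMPLE is constructed for this example.
"""
import struct

FRAME_DUMP = r"""
0000  00 18 f8 29 19 e9 00 18  f8 3f 4a b4 08 00 45 00   ...).... .?J...E.
0010  00 28 0a 2a 00 00 ff 06  5c 9f 3f f1 53 09 c0 a8   .(.*.... \.?.S...
0020  01 64 17 e0 0e de f1 33  94 94 00 00 00 00 50 04   .d.....3 ......P.
0030  00 00 ae 53 00 00                                  ...S..
"""

TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def parse_hexdump(dump: str) -> bytes:
    """Rebuild raw bytes from an offset/hex/ASCII dump, stopping at the ASCII column."""
    out = bytearray()
    for line in dump.strip().splitlines():
        for tok in line.split()[1:]:          # [0] is the offset column
            if len(tok) != 2 or not all(c in "0123456789abcdefABCDEF" for c in tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def parse_frame(frame: bytes) -> dict:
    """Return addresses, ports, TCP flags and the TCP payload of an IPv4/TCP frame."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = 14                                   # Ethernet header is 14 bytes
    ihl = (frame[ip] & 0x0F) * 4              # IP header length in bytes
    total_len = struct.unpack_from("!H", frame, ip + 2)[0]
    if frame[ip + 9] != 6:
        raise ValueError("not TCP")
    tcp = ip + ihl
    sport, dport, seq, ack, off_flags = struct.unpack_from("!HHIIH", frame, tcp)
    payload_start = tcp + (off_flags >> 12) * 4   # data offset, in 32-bit words
    return {
        "src": ".".join(map(str, frame[ip + 12:ip + 16])),
        "dst": ".".join(map(str, frame[ip + 16:ip + 20])),
        "sport": sport,
        "dport": dport,
        "flags": [name for bit, name in TCP_FLAG_NAMES if off_flags & bit],
        "payload_offset": payload_start,
        "payload": frame[payload_start:ip + total_len],
    }


def looks_like_bncs(data: bytes) -> bool:
    """iago's rule made precise: a BNCS message is 0xFF, a message id, then a
    little-endian 16-bit length that counts the 4-byte header and cannot
    exceed the bytes actually present."""
    if len(data) < 4 or data[0] != 0xFF:
        return False
    length = int.from_bytes(data[2:4], "little")
    return 4 <= length <= len(data)


# Constructed: a minimal SID_PING (0x25) message, 8 bytes including the header.
BNCS_SAMPLE = bytes.fromhex("ff250800deadbeef")
```

For Dale's frame `parse_frame` reports source port 6112, flags `["RST"]`, and a payload that starts at 0x36 and is empty: the server reset the connection and sent no Battle.net message at all, which matches iago's reading. `looks_like_bncs(frame[0x16:])` is false because the 16-bit length after `ff 06` (0x9f5c) is far larger than the bytes remaining.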
Title: Re: Warden anti-hack is back..
Post by: Joe[x86] on September 10, 2007, 07:55 PM
Quote from: iago on September 10, 2007, 05:54 PM
Quote from: Joe[x86] on September 10, 2007, 11:55 AM
Never mind, you're right. I started reading at 0x16 instead of 0x36. That's what I get for trying to understand things in the morning.

Hint: look for 0xFF, and if the three bytes after it don't look sane, it's probably not Battle.net.

Although I'm pretty used to looking at the middle of the third line in a dump, I hope I never have to get used to IPv6 :)

Like I said, I always just start at offset 0x36.
Title: Re: Warden anti-hack is back..
Post by: devcode on September 10, 2007, 08:07 PM
90% reversed on the 0x5E reply hash. ;)
Title: Re: Warden anti-hack is back..
Post by: Dale on September 10, 2007, 08:15 PM
How can you put a percentage of how much you're done when you don't completely know what's left?
Title: Re: Warden anti-hack is back..
Post by: devcode on September 10, 2007, 08:30 PM
Because I'm that good :)
Title: Re: Warden anti-hack is back..
Post by: Joe[x86] on September 10, 2007, 09:41 PM
Quote from: Dale on September 10, 2007, 08:15 PM
How can you put a percentage of how much you're done when you don't completely know what's left?

Technically, as far as "reversed" goes, it's a percentage of the code.

Now, at least for me, 90% of the code reversed means that 5% of the project is done. You've still gotta bring the loose ends together and make it work. :P
Title: Re: Warden anti-hack is back..
Post by: Don Cullen on September 10, 2007, 09:47 PM
Quote from: devcode on September 10, 2007, 08:30 PM
Because I'm that good :)

I'm happy to see you have that high of an opinion of yourself. Do you plan on sharing what you've found with the community, or do you plan on withholding it?
Title: Re: Warden anti-hack is back..
Post by: devcode on September 10, 2007, 09:55 PM
I promote open sourcing of details and snippets of code.
Title: Re: Warden anti-hack is back..
Post by: Don Cullen on September 10, 2007, 09:57 PM
Quote from: devcode on September 10, 2007, 09:55 PM
I promote open sourcing of details and snippets of code.

I'm impressed. Let's hope you're serious about reversing the 0x5E then.
Title: Re: Warden anti-hack is back..
Post by: devcode on September 10, 2007, 11:27 PM
The last part in the whole procedure is the encryption of the packet. I recreated the code for this encryption, but I didn't know what it was until I remembered someone saying RC4, and it seems to match; I didn't check thoroughly. I'm not familiar with RC4, so I'll have to do some reading ;(
So close yet so far ;o
Title: Re: Warden anti-hack is back..
Post by: Barabajagal on September 10, 2007, 11:49 PM
Wtf is with bnet using so many different encryption methods? -.-
Title: Re: Warden anti-hack is back..
Post by: Don Cullen on September 11, 2007, 12:58 AM
http://en.wikipedia.org/wiki/RC4

Quote
In cryptography, RC4 (also known as ARC4 or ARCFOUR) is the most widely-used software stream cipher and is used in popular protocols such as Secure Sockets Layer (SSL) (to protect Internet traffic) and WEP (to secure wireless networks). While remarkable in its simplicity, RC4 falls short of the high standards of security set by cryptographers, and some ways of using RC4 can lead to very insecure cryptosystems (an example being WEP). It is not recommended for use in new systems. However, some systems based on RC4 are secure enough for practical use.

When you read the first sentence, it makes sense they chose this particular type to protect Warden. Simple enough to implement, but good enough to make it a pain in the neck to figure out.
Title: Re: Warden anti-hack is back..
Post by: Barabajagal on September 11, 2007, 02:09 AM
Didn't something else use RC4?
Title: Re: Warden anti-hack is back..
Post by: Joe[x86] on September 11, 2007, 09:32 AM
Yeah. World of WarCraft.. and... Warden.
Title: Re: Warden anti-hack is back..
Post by: Barabajagal on September 11, 2007, 01:39 PM
No... I just looked up RC4 a few days ago for some reason....
Title: Re: Warden anti-hack is back..
Post by: Joe[x86] on September 11, 2007, 01:56 PM
No.. yeah, WoW's protocol is encrypted by RC4, and Warden is also in WoW.
Title: Re: Warden anti-hack is back..
Post by: Barabajagal on September 11, 2007, 02:01 PM
I wasn't looking up WoW or warden though -.-
Title: Re: Warden anti-hack is back..
Post by: brew on September 11, 2007, 02:17 PM
Diablo II Warden requests...
And what do you mean, "why does Blizzard use so many different kinds of encryption"?
The only encryption I've seen Blizzard use so far is RC4.
Title: Re: Warden anti-hack is back..
Post by: iCe on September 11, 2007, 02:42 PM
Quote from: brew on September 11, 2007, 02:17 PM
Diablo II Warden requests...
And what do you mean, "why does Blizzard use so many different kinds of encryption"?
The only encryption I've seen Blizzard use so far is RC4.

Forgot about the login packets?
Title: Re: Warden anti-hack is back..
Post by: iago on September 11, 2007, 03:03 PM
Quote from: iCe on September 11, 2007, 02:42 PM
Quote from: brew on September 11, 2007, 02:17 PM
Diablo II Warden requests...
And what do you mean, "why does Blizzard use so many different kinds of encryption"?
The only encryption I've seen Blizzard use so far is RC4.

Forgot about the login packets?

Login packets aren't encrypted. On traditional clients, your password is "hashed" (not encrypted), and on newer clients a verifier related to your password is generated, in a way that's similar to encryption.
Title: Re: Warden anti-hack is back..
Post by: Barabajagal on September 11, 2007, 03:17 PM
A hash is a one way encryption.
Title: Re: Warden anti-hack is back..
Post by: iago on September 11, 2007, 03:55 PM
If you can't recover the original, it's not encryption, it's hashing. Encryption, by definition, is two-way.
Title: Re: Warden anti-hack is back..
Post by: Barabajagal on September 11, 2007, 04:02 PM
The definition of a hash I've always heard is a "one-way encryption (http://en.wikipedia.org/wiki/One-way_encryption)", as a hash's full name is a "cryptographic hash function".
Title: Re: Warden anti-hack is back..
Post by: devcode on September 11, 2007, 04:36 PM
The tedious part is to find out how the key is obtained in order to generate the S[box] array in ARC4. I think Ringo was attempting this previously, I wonder how that went.
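An added example (not code from the thread, and not Blizzard's implementation) to go with Don Cullen's RC4 quote and devcode's point about the key, the S[box] array and the keystream: a plain Python RC4 with the key-scheduling step that builds the S-box kept separate from the PRGA that produces the keystream, checked against the standard published RC4 test vectors ("Key"/"Plaintext", "Wiki"/"pedia", "Secret"/"Attack at dawn"). It also shows the stream-cipher pitfall the Wikipedia excerpt alludes to: if the cipher is re-keyed from scratch for each message under the same key, the XOR of two ciphertexts is the XOR of the two plaintexts, with no key recovery needed. The keys and messages here are the published test vectors and constructed samples; nothing in this block is a Warden key or Warden's key derivation.

```python
def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: derive the 256-entry S-box from the key bytes.
    This is the step that needs the real key; everything after it only needs S."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


class RC4:
    """Stateful RC4: the keystream position (i, j and the evolving S-box)
    carries over between crypt() calls, as a long-lived session needs."""

    def __init__(self, key: bytes):
        self.S = rc4_ksa(key)
        self.i = 0
        self.j = 0

    def keystream_byte(self) -> int:
        """One PRGA step: permute S and emit the next keystream byte."""
        self.i = (self.i + 1) & 0xFF
        self.j = (self.j + self.S[self.i]) & 0xFF
        self.S[self.i], self.S[self.j] = self.S[self.j], self.S[self.i]
        return self.S[(self.S[self.i] + self.S[self.j]) & 0xFF]

    def crypt(self, data: bytes) -> bytes:
        """Encryption and decryption are the same XOR with the keystream."""
        return bytes(b ^ self.keystream_byte() for b in data)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """One-shot helper: fresh cipher state for every call."""
    return RC4(key).crypt(data)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(key: bytes, p1: bytes, p2: bytes) -> bytes:
    """Two messages each encrypted from a freshly keyed RC4 under the same key
    share a keystream, so c1 XOR c2 == p1 XOR p2. Returns c1 XOR c2 so the
    caller can compare it with p1 XOR p2 (constructed sample inputs)."""
    return xor_bytes(rc4_crypt(key, p1), rc4_crypt(key, p2))


if __name__ == "__main__":
    # Published RC4 test vectors (key, plaintext -> ciphertext hex).
    print(rc4_crypt(b"Key", b"Plaintext").hex())            # bbf316e8d940af0ad3
    print(rc4_crypt(b"Wiki", b"pedia").hex())               # 1021bf0420
    print(rc4_crypt(b"Secret", b"Attack at dawn").hex())    # 45a01f645fc35b383552544b9bf5

    # Splitting a message across two calls on one session gives the same bytes
    # as encrypting it in one go: the state must persist, not restart.
    session = RC4(b"Key")
    print((session.crypt(b"Plain") + session.crypt(b"text")).hex())

    # Constructed sample: what restarting the keystream leaks.
    p1, p2 = b"ATTACK AT DAWN", b"RETREAT AT SIX"
    print(keystream_reuse_leak(b"Secret", p1, p2) == xor_bytes(p1, p2))   # True
```

The practical consequence for anyone trying to reproduce a client's traffic is that recovering the key only matters for the KSA; once the S-box and the (i, j) position are known at some point in the stream, every later byte follows from the PRGA alone, and any keystream restart under an unchanged key hands an observer plaintext relationships for free.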
Title: Re: Warden anti-hack is back..
Post by: Don Cullen on September 11, 2007, 04:58 PM
Quote from: devcode on September 11, 2007, 04:36 PM
The tedious part is to find out how the key is obtained in order to generate the S[box] array in ARC4. I think Ringo was attempting this previously, I wonder how that went.

I don't know if this would be of assistance, but RC4 has already been reversed.

http://www.di.unito.it/~rabser/ssleay/rrc4.html

On brute forcing RC4 keys:
http://ieeexplore.ieee.org/Xplore/login.jsp?url=/iel5/9316/29617/01344747.pdf?arnumber=1344747

On discovering the key if it's a weak key:
http://www.cs.berkeley.edu/~daw/my-posts/my-rc4-weak-keys

Good luck, dude.
Title: Re: Warden anti-hack is back..
Post by: devcode on September 11, 2007, 08:33 PM
Not really what I meant but thanks, I think I have found where it's generating the key stream.

Quote from: Don Cullen on September 11, 2007, 04:58 PM
Quote from: devcode on September 11, 2007, 04:36 PM
The tedious part is to find out how the key is obtained in order to generate the S[box] array in ARC4. I think Ringo was attempting this previously, I wonder how that went.

I don't know if this would be of assistance, but RC4 has already been reversed.

http://www.di.unito.it/~rabser/ssleay/rrc4.html

On brute forcing RC4 keys:
http://ieeexplore.ieee.org/Xplore/login.jsp?url=/iel5/9316/29617/01344747.pdf?arnumber=1344747

On discovering the key if it's a weak key:
http://www.cs.berkeley.edu/~daw/my-posts/my-rc4-weak-keys

Good luck, dude.