I've posted information about how to decrypt, verify, prepare, and save modules for Warden. I'm sure others have done this already, but whatever, it was for my own education. You'll find complete info there about how to generate the keys and decrypt Warden packets, as well as how to read and respond to 0x00 and 0x01. Nothing there about how to respond to 0x02, though. I'm putting the project on hold for an indefinite amount of time, and wanted to share what I've done so far.
http://www.skullsecurity.org/wiki/index.php/Starcraft_Warden
I encourage people to help expand it, if possible, since I have no plans to for awhile. If you intend to edit the wiki (which is fine, if you can contribute useful information), I'd appreciate it if you asked me first (send me a PM here, I'll get back to you).
If you want more info/implementation, get in touch with me. I've written a module downloader/saver.
d'oh! way to tell them, iago. now that the decryption/encryption is public, people are just going to make databases of warden requests/responses, you know the deal... the end is nigh.
STFU, brew.
iago, I was looking over this earlier... before you deleted it the first time, or whatever.... and I'm confused about generating encryption keys...
QuoteGenerating the keys used for encrypting Warden packets is a somewhat convoluted algorithm, but it is fairly simple to implement. Here are the basic steps:
1. Create a source of shared random data based on a seed
2. Generate the outgoing key from the first 0x10 bytes, using the generation code in Crypto_and_Hashing#Xor_Encryption
3. Generate the incoming key from the next 0x10 bytes using that code
That part... where are these bytes coming from?
Nice 1 iago, very nice, looks like you worked hard on it.
Interested in seeing where this goes :)
Soon everyone will have a bypass to warden :D
Quote from: brew on February 28, 2008, 05:14 PM
the end is nigh.
You mean the start is nigh? :P
I look faward to beating it again :) Tolk me 30min to beat SC warden, should take me even less time to beat it again :)
afaik, me and rob@east had a working warden, soon everyone will have it :D
I have around about 5000+ of the 1st messages already, but my method was alittle more simple that iago's.
Aside, i dont think blizzard really care, they havent exacly done much with it since it got activated on SC/BW tbh
Quote from: Andy on February 28, 2008, 05:46 PM
STFU, brew.
/signed. brew, STFU. It's for educational purposes. There's no .ocx files or code that people can go and steal from the page, and I doubt anyone that still actively develops for Battle.net (in the old sense that people ripped bots and TCPConnect.cls and CleanSlateBot.ocx) can use it.
hm, now that it's all over, ringo, why don't you tell us how you did it all from vb6? that's an insane feat tbh ;P
BTW, I was looking over iago's code and i noticed he was refering to a "WardenUnknownPointer1". At first I thought it was just a pointer to some struct, but i think it's the base address for a "class" because it also contains some function pointers. The battle.net developers used OO and all that other crap i hate ;/
and [global_0 + 18h] i was refering to for the longest time as "WardenStruct->oldLen". What is it really?
And then there's the function list. IIRC the real function list for warden is included within the module itself a bit below the actual code...
Quote from: Andy on February 28, 2008, 05:46 PM
STFU, brew.
iago, I was looking over this earlier... before you deleted it the first time, or whatever.... and I'm confused about generating encryption keys... QuoteGenerating the keys used for encrypting Warden packets is a somewhat convoluted algorithm, but it is fairly simple to implement. Here are the basic steps:
1. Create a source of shared random data based on a seed
2. Generate the outgoing key from the first 0x10 bytes, using the generation code in Crypto_and_Hashing#Xor_Encryption
3. Generate the incoming key from the next 0x10 bytes using that code
That part... where are these bytes coming from?
the cdkey hash
Quote from: Andy on February 28, 2008, 05:46 PM
iago, I was looking over this earlier... before you deleted it the first time, or whatever....
yeah, I realized it might be a bad idea to link it to my work's ip address, so I re-posted from home, hoping nobody would see it. :)
I'm not home right now, so I'll post answers to whatever I can later.
Ah, okay... Maybe I'll make an OCX... JK JK!
And Myst... CDKey hashes are only 0x14 bytes long... how could I get two sets of 0x10 bytes from it?
Quote from: Andy on February 28, 2008, 07:07 PM
Ah, okay... Maybe I'll make an OCX... JK JK!
And Myst... CDKey hashes are only 0x14 bytes long... how could I get two sets of 0x10 bytes from it?
Should read http://www.skullsecurity.org/wiki/index.php/Warden_Packets and http://www.skullsecurity.org/wiki/index.php/Crypto_and_Hashing#Xor_Encryption
Quote from: Andy on February 28, 2008, 07:07 PM
Ah, okay... Maybe I'll make an OCX... JK JK!
And Myst... CDKey hashes are only 0x14 bytes long... how could I get two sets of 0x10 bytes from it?
As Myst alluded to in his last post, maybe, you use something that I called "random source" or "random data" or something. It's some code that generates a random stream of data.
My server seems to have fallen over, right now. I'm leaving here shortly (although cycling through a snow storm, so no telling if I'll survive :-o), and will see what's going on when I get home.
Also keep in mind, this is NOT the end of the road. I only provided a starting point.
<edit> nevermind about the server, I was being stupid. :)
Okay, let me rephrase my question... what's the seed?
Nevermind. I don't care enough about SC.
Quote from: Andy on February 28, 2008, 08:15 PM
Okay, let me rephrase my question... what's the seed?
Nevermind. I don't care enough about SC.
did rocky throw in the towel after gotten beaten by apollo?
kudos man. gj
Quote from: Andy on February 28, 2008, 08:15 PM
Okay, let me rephrase my question... what's the seed?
Nevermind. I don't care enough about SC.
Well, for anybody else who's wondering, the whole section about generating the keys is right here:
http://www.skullsecurity.org/wiki/index.php/Warden_Packets#Generating_encryption_keys
Read that carefully, and let me know if there's anything confusing in there.
I'm guessing other game clients' implements are similar or identical to that.
I know what's throwing me off (not really, but I'd rather have a viable reason to complain about it)... typos.
QuoteOn Starcraft, the first 4 bytes of the CDKey hash are used. That's the actual CDKey has that's sent over the wire as part of SID_AUTH_CHECK.
Hash? ;)
And unimportant, but, spot what's not a byte:
Quote00 a2 d4 d6 4c 46 8e 56 4f 42 c6 s4 68 e4 5d 6a 46 5f 46 b4 5c 24 d5 46 e4 56 a6 4d 75 2d 21 f8 79 05 0b 00 00
As for Myst, I'm afraid I have no clue what you're talking about... Have fun whoever's gonna reverse 0x02, and good job iago (as if you need more congrats).
Very interesting, great job on this iago, doesn't seem as complicated as everyone once thought!
Just two problems I am encountering while trying to compile this in Java, 1 you haven't included the util.Buffer source code; and 2 WardenSHA1 is missing...
Quote from: Chriso.de on February 29, 2008, 03:12 AM
Very interesting, great job on this iago, doesn't seem as complicated as everyone once thought!
Just two problems I am encountering while trying to compile this in Java, 1 you haven't included the util.Buffer source code; and 2 WardenSHA1 is missing...
The Java version of SHA1 is already there:
http://www.skullsecurity.org/wiki/index.php/SHA1_in_Java
For some reason I didn't think you needed util.Buffer (do you?), but in any case, here it is:
http://www.skullsecurity.org/wiki/index.php/Util.Buffer
Quote from: Andy on February 28, 2008, 10:55 PM
I know what's throwing me off (not really, but I'd rather have a viable reason to complain about it)... typos.
QuoteOn Starcraft, the first 4 bytes of the CDKey hash are used. That's the actual CDKey has that's sent over the wire as part of SID_AUTH_CHECK.
Hash? ;)
And unimportant, but, spot what's not a byte:Quote00 a2 d4 d6 4c 46 8e 56 4f 42 c6 s4 68 e4 5d 6a 46 5f 46 b4 5c 24 d5 46 e4 56 a6 4d 75 2d 21 f8 79 05 0b 00 00
As for Myst, I'm afraid I have no clue what you're talking about... Have fun whoever's gonna reverse 0x02, and good job iago (as if you need more congrats).
Why are you looking for things to complain about? Mr I dont care about SC but i care about typo's.
What species of retard are you? ;)
You should be extremely greatfull iago shared this infomation with the botdev community, not complaining about anything you find mistyped!
Anyone would think your getting annoyed because you cant just implement this into a vb6 OCX in 5mins.
Aside, if anyone is trying to implement this in vb6, these links may be helpfull:
VB6 RSA encryption:
http://www.cryptosys.net/pki/rsa_encrypt_ex.html
VB6 MD5 hashing:
http://www.vbforums.com/showthread.php?s=&threadid=232284
And i think warden uses the same SHA1 function used for BNCS cdkey/password hashing(?)
I have only flicked through it, but i remember iago saying somthing about the only differnce is the data in, is more big-endian-like.
iago, Is there any other difernces to bnets broken SHA1 function other than that?
I persionaly let Starcraft do almost all the hard word for me, then built a DB that i have been useing for ages now with constant success, so i dont have much experiance with the inner workings of warden. :(
Quote from: Ringo on February 29, 2008, 12:09 PM
Aside, if anyone is trying to implement this in vb6, these links may be helpfull:
VB6 RSA encryption:
http://www.cryptosys.net/pki/rsa_encrypt_ex.html
VB6 MD5 hashing:
http://www.vbforums.com/showthread.php?s=&threadid=232284
Strictly speaking, you don't NEED the MD5 or RSA, they're just for verification. They do, however, tell you that you're on the right track, which is always nice.
Quote from: Ringo on February 29, 2008, 12:09 PM
And i think warden uses the same SHA1 function used for BNCS cdkey/password hashing(?)
I have only flicked through it, but i remember iago saying somthing about the only differnce is the data in, is more big-endian-like.
iago, Is there any other difernces to bnets broken SHA1 function other than that?
I couldn't say, I haven't compared it to the broken SHA1 function.
I CAN tell you, however, that it's almost identical to the SHA1 implementation used in Lockdown, except with Endianness reversed in some key places. That, I can verify.
The implementation used in Lockdown, I'm told, is almost identical to standard SHA1, except with some extra padding in SHA1-final. That, I haven't verified.
ah :)
I decided to have ago at implementing this, just for a better understanding of it.
But im really struggleing with this modifyed SHA1 function (plus im not native to C) :(
Im trying to do this padding, but im a little unsure what and how much needs to get padded.
Im guessing its somthing to do with the chunks of data that get hashed in 0x40 chunks -- is it the end chunk that gets padded to 0x40 bytes?
Im not so worryed about inverting the byte order just yet, but its hard as i have no test hash to compare with (only the ones you have provided with inverted byte order as well as padding)
Is there any chance you could explain what and where gets padded?
thanks in advance
Quote from: Ringo on March 01, 2008, 09:53 AM
ah :)
I decided to have ago at implementing this, just for a better understanding of it.
But im really struggleing with this modifyed SHA1 function (plus im not native to C) :(
Im trying to do this padding, but im a little unsure what and how much needs to get padded.
Im guessing its somthing to do with the chunks of data that get hashed in 0x40 chunks -- is it the end chunk that gets padded to 0x40 bytes?
Im not so worryed about inverting the byte order just yet, but its hard as i have no test hash to compare with (only the ones you have provided with inverted byte order as well as padding)
Is there any chance you could explain what and where gets padded?
thanks in advance
Search for old information on lockdown, posted by, iirc, warz or rob.
As far as I know, the padding is done in SHA1_final(), and is the "80 00 00 00 00,....." string. But don't quote me on that.
IIRC, that is in C or C++ as well, so its the same problem -- the vb6 port of broken SHA1 i have studyed in the past has them bound into one.
Where it transforms the data in blocks of 0x40 im guessing is where the padding comes into play.
Is it transformed before the end block, or before each block?
THe final function im sturggling to understand where it comes into play
Quote from: brew on February 29, 2008, 10:31 PM
aye, a mod finally split the shit from this thread.
say, iago, did you find your warden_sha1_update at 19010dd0? Am I nuts, or is it the only sha1-updateish-function with a right 0x1D bitshift ....?
I'm guessing that post got trashed because of the first line. Whatever the case, I got rid of the crap and fixed it, who says having mod in the trash is silly?
Anyway, that function that you indicate, I have marked as standard SHA1. It's used by the generate_x() (190116B0) function in NLS, and NLS uses standard SHA1. The Warden one is within the module, In the default module, the function at +0x1112 calls the warden_sha1_init(), warden_sha1_update(), and warden_sha1_final() functions.
Quote from: iago on March 01, 2008, 10:00 AM
Anyway, that function that you indicate, I have marked as standard SHA1. It's used by the generate_x() (190116B0) function in NLS, and NLS uses standard SHA1. The Warden one is within the module, In the default module, the function at +0x1112 calls the warden_sha1_init(), warden_sha1_update(), and warden_sha1_final() functions.
ah :) i had it marked as standard at first too. dunno why but i never bothered to check where it's refrenced. Not to mention that it's about 0x20kb below where the rest of warden is. Went right over my head.
meh.
If somone wants to explain to me how this padding takes effect, that would be great.
I dont want to just be directed to some open source code, since that doesnt answer my question.
I could just compile iagos C source into a dll, or spend a whole day porting it to VB, but indoing that, I would learn nothing.
All the other broken SHA1 i seem to come across in this forum have 2 functions, CalcHashBuf() and DataHash() making it very hard to pick apart what iagos code is doing.
But as im seeing it, the update brakes the data into blocks of 64 bytes (from end to start), padds it will null bytes and then hash's it into 5 dwords against the last chunk/seeds.
But when I look at iago's hash function:
void warden_sha1_hash(int buffer[5], unsigned char *data, int length)
{
SHA1_CTX ctx;
//Inits the 1st 5 dwords in the ctx structure with the seeds
warden_sha1_init(&ctx);
//hashs the in-data in blocks of 64 bytes a time
warden_sha1_update(&ctx, data, length);
//then does some final stuff?
warden_sha1_final(&ctx, buffer);
}
Its double updateing/hashing, 2nd hash being the MysteryBuffer?
//unless im reading this wrong, wouldnt this be a negative number?
//Doesnt seem so important since blocks that are not 64 bytes are padded?
len = ((-9 - (ctx->bitlen[0] >> 3)) & 0x3F) + 1;
//hashs the "MysteryBuffer" into the existing 5 dword hash
warden_sha1_update(ctx, MysteryBuffer, len);
//hashs the 8 bytes from the start of the structure into the existing 5 dword hash? (byte order switched)
warden_sha1_update(ctx, (char *)vars, 8);
So, orginal broken SHA1 didnt need/have a final function?
I have already tryed this a few ways, and thought for awhile that the lengh of the MysteryBuffer hashed was important, but its padded with nulls anyway, and mostly consists of null bytes (x80, x00, x00 etc), so that doesnt seem so important.
Im still alittle unsure what this bitlen is all about (I have not yet traced it all the way around the code tho) but it seems to be hashed as well, so im guessing its important.
Im guessing that the bitlen is unique to warden/lockdown SHA1, as I dont see its relation in the main broken SHA1.
Would somone mind explaing to me whats going on here?
Im not botherd if i can get working or not (thats not important) i just want to understand what and why is differnt to the orgianl broken SHA1.
Sorry if i come across all newbie, thats because i am :)
And sorry for my lack of grammer skills -- no bodys perfect :)
Altho i expect i have gotten this right a few times, but i dont have a raw hash to compare with, so i dont think i would know -- i dont want to do the byte switching untill i know i have understod this bit, other wise 2 problems could create a bottomless pit.
Its really not a language specific problem, its more of an explanation problem, altho im sure im missing somthing blatently oveous, but eh, i have about 10 other things on the go as well :P
Thanks in advance to anyone who can explain this!
I think maybe the best thing would be a description of the differences between each version of SHA-1 used, compared to Standard SHA, referencing no particular implementation...
Standard vs Broken: Switch RoL arguments, buffer input to 0x40 bytes with null bytes... uh.. what else?
Standard vs Lockdown: I dunno.
Standard vs Warden: Lockdown + I dunno even more.
It'd prolly be good to have such a list in the bot development references subforum...? Perhaps with the C code for each or something?
hmm, having another poke at this today, starting to become abit more clear, but my vision is still a little blured. :P
After having a 2nd think about it, my main problem is the update function. (asuming the transform/hashing algorithm remains constant)
For example, the orginal broken SHA1 function does as follows:
Lets say we are hashing the string 0x00 to 0x64 (x00, x01, x02, x03 etc)
We initialize the hash buffer with the seeds: (lets call this H for now)
0123456789ABCDEFFEDCBA9876543210F0E1D2C3
Then we make sure are buffer-to-be-hash is divisible by 64, in this case, the 0x65 byte data would be padded with about 27 null bytes (x01, x02.... x63, x64, x00, x00, x00 etc) resulting in 128 byte of data to be hashed:
Before:
000102030405060708090A0B0C0D0E0F
101112131415161718191A1B1C1D1E1F
202122232425262728292A2B2C2D2E2F
303132333435363738393A3B3C3D3E3F
404142434445464748494A4B4C4D4E4F
505152535455565758595A5B5C5D5E5F
6061626364
After:
000102030405060708090A0B0C0D0E0F
101112131415161718191A1B1C1D1E1F
202122232425262728292A2B2C2D2E2F
303132333435363738393A3B3C3D3E3F
404142434445464748494A4B4C4D4E4F
505152535455565758595A5B5C5D5E5F
60616263640000000000000000000000
00000000000000000000000000000000
Then we hash/transform a block of the raw 128 byte buffer (orginaly 0x65 bytes) with are Hash buffer (H) by appending a block of raw data to H.
Each block of raw data is appended to H and then hashed/transformed in 64 byte chunks at a time:
Quote
0123456789ABCDEFFEDCBA9876543210
F0E1D2C3000102030405060708090A0B
0C0D0E0F101112131415161718191A1B
1C1D1E1F202122232425262728292A2B
2C2D2E2F303132333435363738393A3B
3C3D3E3F
Now, after hashing/transforming this H+chunk buffer into H, the H buffer becomes:
CC2B23B6A048E79466583D880065D36B53AD3A94
We then take the 2nd chunk of the orginal raw buffer and repeat:
Quote
CC2B23B6A048E79466583D880065D36B
53AD3A94404142434445464748494A4B
4C4D4E4F505152535455565758595A5B
5C5D5E5F606162636400000000000000
00000000000000000000000000000000
00000000
H then becomes:
2298255598EFA4E655ABAF9C21806AFC85FEB4B7
And in this case, we have no more chunks of raw data to process, so we return H, and that is the resulting broken SHA1 hash.
That is the standard out line of the orginal broken SHA1 used for cdkey and password hashing for BNCS logons.
How ever, in this lockdown/warden version of broken SHA1, the update process seems a bit more complicated.
Lets forget about byte order switching for the moment.
Its doesnt look like the data is broken up into chunks the same way as above or appended to H in the same manner (unless im missing somthing), for one, there is a 64bit int (known as bitlen in iagos code) that is computed apon each update cycle.
It looks as if the pre-calculation on this 64bit int dictates the next arrangement of the H+raw data block.
And after the updating process of the raw data, the MysteryBuffer (see below) is updated into H as well, which the lengh is dictated by that 64bit int, then the 64bit int is also updated into H, then the resulting H is returned as the resulting SHA1 hash.
80000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00
This is the 64bit int part im talking about:
/* The next two lines multiply len by 8. */
c = len >> 29;
b = len << 3;
a = (bitlen[0] / 8) & 0x3F;
/* Check for overflow. */
if(bitlen[0] + b < bitlen[0] || bitlen[0] + b < b)
bitlen[1]++;
bitlen[0] = bitlen[0] + b;
bitlen[1] = bitlen[1] + c;
len = len + a;
data = data - a;
I would guess below that, is where the padding of non-divisible by 64 blocks takes place, but im struggleing to understand what the code is fully doing as it lacks any comments. :(
Asuming the transform/hashing algorithm is the same, could somone please explain how this update process is working in the warden/lockdown version of SHA1?
Im struggleing to understand the way its broken up into 64 byte blocks/being padded.
If anyone could explain in a similar fashion as i explained the standard broken SHA1 above, that would be great.
thanks in advance.
Well one thing that I found weird (although it could be a mistake on my part) is that i can now decode the 0x00 request of is your module here, and the response packet fine, then I can decode the 1st 0x02 warden request and it's response, but the 2nd 0x02 warden request comes out funky after being decoded. Is this supposed to happen?
Personally, I've never looked past the first packet, so I couldn't say. It's possible that it saves the state of the encryption key before the 0x02 packet, and uses the encryption routine in the same state for every request (it does have functionality for saving/loading the encryption key).
iirc, each request (once warden gets going) seeds the next, thats why it has a request order -- skipping a message would brake it.
Anyone wanna explain to me the update routine of that SHA1? :)
Im happy to help expand on this topic, if somone doesnt mind helping me with this simple little understanding issue im having with warden/lockdown version of SHA1 update cycle's.
I also have a few theorys to put to the test as well.
ah ok. i'll try messing around with the seeds later. thx.
Quote from: Ringo on March 03, 2008, 12:44 PM
Anyone wanna explain to me the update routine of that SHA1? :)
As far as I know, it's identical to the update() routine of standard SHA1.
Quote from: Ringo on March 03, 2008, 12:44 PM
Anyone wanna explain to me the update routine of that SHA1? :)
When I originally looked at lockdown, I used standard sha1 code and roughly modified the sha1_final routine.
http://www.onlythechosen.com/sha1_ld.zip if you want to take a look
Quote from: iago on March 03, 2008, 04:18 PM
As far as I know, it's identical to the update() routine of standard SHA1.
Quote from: Rob on March 03, 2008, 07:01 PM
When I originally looked at lockdown, I used standard sha1 code and roughly modified the sha1_final routine.
http://www.onlythechosen.com/sha1_ld.zip if you want to take a look
Thanks both of you for verifying that, im still confused about this 64bit int (and maybe the new padding)
I had another crack at it today, but with no luck.
I will create a new topic and post some code, sadly i still cant get it right. Im sort of beating around the bush a little.
Thanks
Hmm, 0x02 is all figgerd out :(
I can now build and send responces with out issue all day long, but there is still a few things im unsure of (like a checksum and less importantly, a module unique 16bit integer)
SC currently only checks for 3(?) hacks, so its pretty easy.
Im going to PM iago before i post any more info :)
Grats. but does your method work for all modules, or just the current one? :P
all so far :)
from what i have seen so far, the module wont effect the responce (unless the checksum is unique to code in the module)
So far, it seems a few values in the request are differnt on a set module, none of which are important, but the checks remain the same.
Now waiting for another module update so i can compare the checksums.
Okay, so is this all correct for the 4 types of SHA used?
QuoteStandard SHA (Used for Warcraft 3 CDKeys):
Completely Standard SHA-1.
Broken SHA (Used for Passwords, STAR/D2/W2BN CDKeys):
Endians are not reversed (In "Transform" or "Final")
Buffered to 0x40 bytes, all null.
First RoL is reversed
Lockdown SHA (Used for Lockdown Checkrevision):
Endians are not reveresed (As in Broken SHA)
Buffer is the same as Standard SHA except length*8 and 4 null bytes are in reversed order
Warden SHA (Used for decrypting SID_WARDEN (0x5E) packet):
Exactly the same as SHA except the final 5 DWORDS are individually reversed
Well im going to bed -- wardens being a bitch and wont update the modules.
Then i noticed i had a log from a module before this one, and the checksum was the same for that request, so is safe to guess that the same checksum code exists in (or out side) the module and is possibly a checksum of the send data, how ever, could do with some infomation on that.
I have pm'ed iago with the current protocol spec, so its his call if he wants me to post it or not (dont wanna jump the gun)
Quote from: l2k-Shadow on March 06, 2008, 12:48 AM
Grats. but does your method work for all modules, or just the current one? :P
I had another quick think about this, and assuming the requests are process'ed in the warden module, they could implement a whole new/differnt warden protcol in a single module change.
All the current modules just check 3 address's and return sniplets of asm back to the server to be checked (probly map hacks and such that rewrite asm) so its just a case of getting them from starcraft.exe file data.
I did some tests setting the checksum to 0, and the server loves it long time -- altho its probly bannable, but theres only currently about 6 differnt possible checksums, so they could be hard coded.
Persionaly (i now notice) i have been sending my memory blobs back as null, and havent been banned for it yet, been doing that for months lol.
IM going to take a guess that the packet ID's (0x00, 0x01, 0x02) are infact protocol ID's.
0x00 being a version/module check, 0x01 being a FTP-type protocol, and 0x02(+?) being a w/e u wanna call it protocol (hack check or w/e), since 0x02 has a possible packet ID of 0x00 (just after 0x02), but havent seen any other packet id's for 0x02 if thats the case.
Quote from: Andy on March 06, 2008, 02:05 AM
Okay, so is this all correct for the 4 types of SHA used?
QuoteStandard SHA (Used for Warcraft 3 CDKeys):
Completely Standard SHA-1.
Broken SHA (Used for Passwords, STAR/D2/W2BN CDKeys):
Endians are not reversed (In "Transform" or "Final")
Buffered to 0x40 bytes, all null.
First RoL is reversed
Lockdown SHA (Used for Lockdown Checkrevision):
Endians are not reveresed (As in Broken SHA)
Buffer is the same as Standard SHA except length*8 and 4 null bytes are in reversed order
Warden SHA (Used for decrypting SID_WARDEN (0x5E) packet):
Exactly the same as SHA except the final 5 DWORDS are individually reversed
Sounds about right (assuming w3 uses standard SHA1 -- thats news to me, but never done much with w3)
Apart from lockdown, which does not reverse the 64bit integer (lengh * 8 high/low word)
I meant it does the length after the 0's instead of the 0's first...
Quote from: Andy on March 06, 2008, 03:10 AM
I meant it does the length after the 0's instead of the 0's first...
iirc, they all do (apart from broken SHA1), its part of standard SHA1 padding:
0x80, variable lengh null padding, 64bit int resulting in a padded buffer divisible by 64.
80 00 ........ 00 64bit int = pads orginal data to be divisible by 64
Your own code says otherwise...
If bRE Then
S = S & A & String(4, 0) & StrReverse(MakeDWORD((Len(S) * 8)))
Else
S = S & A & MakeDWORD((Len(S) * 8)) & String(4, 0)
End If
Quote from: Andy on March 06, 2008, 03:24 AM
Your own code says otherwise...
If bRE Then
S = S & A & String(4, 0) & StrReverse(MakeDWORD((Len(S) * 8)))
Else
S = S & A & MakeDWORD((Len(S) * 8)) & String(4, 0)
End If
Yeah, that is the 8 byte (64bit int), i just managed it in 1 dword, rather than calculating it on a low/high word, since you would need over 200mb droped into SHA1 for the other word to come into play.
Heres some request/responce spec:
Requests are:
(BYTE) Packet ID
(BYTE) Event/Packet ID#2
For each check to preform (while pos < len):
(WORD) Module unique 16bit integer (calling this Command for now)
this seems to change with a new module
(DWORD) Process Adderss to read
(BYTE) Lengh to read
end
(BYTE) hmm not sure of this, changes with the module i think
So, for example:
02 00 30 00 F7 2F 4A 00 08 30 00 B0 7F 49 00 0E 30 00 3D C3 49 00 07 D9
02 Packet ID
00 Event/useage/packet ID#2
30 00 Command (module unique)
F7 2F 4A 00 Address
08 Lengh
30 00 Command (module unique)
B0 7F 49 00 Address
0E Lengh
30 00 Command (module unique)
3D C3 49 00 Address
07 Lengh
D9 Command#2? (module unique)
And for building/sending back the responce:
(BYTE) 0x02 - Packet ID
(WORD) Lengh of message (discluding this header of 7 bytes -- ID/Len/Checksum)
(DWORD) Checksum of the send buffer
For each memory request:
(BYTE) 0x00 Not sure what this is, seems constant
(VOID) Chunk of memory from requested address/lengh
end
Heres some out puts of my bot handling a few requests in a single connection:
[06:56:11] 0x02 Request: 1
Command: 0x004E, Address: 0x00497FB0, Lengh: 14
Command: 0x004E, Address: 0x004A2FF7, Lengh: 8
Command: 0x004E, Address: 0x0049C33D, Lengh: 7
02 20 00 00 00 00 00 00 84 5E 0C 74 05 E8 F6 54
F9 FF 8B 76 04 85 00 A3 68 CC 59 00 E8 DF 23 00
83 00 00 00 8B 55 08
[06:56:26] 0x02 Request: 2
Command: 0x004E, Address: 0x0049C33D, Lengh: 7
Command: 0x004E, Address: 0x004A2FF7, Lengh: 8
Command: 0x004E, Address: 0x00497FB0, Lengh: 14
02 20 00 00 00 00 00 00 83 00 00 00 8B 55 08 00
A3 68 CC 59 00 E8 DF 23 00 84 5E 0C 74 05 E8 F6
54 F9 FF 8B 76 04 85
[06:56:42] 0x02 Request: 3
Command: 0x004E, Address: 0x0049C33D, Lengh: 7
Command: 0x004E, Address: 0x00497FB0, Lengh: 14
Command: 0x004E, Address: 0x004A2FF7, Lengh: 8
02 20 00 00 00 00 00 00 83 00 00 00 8B 55 08 00
84 5E 0C 74 05 E8 F6 54 F9 FF 8B 76 04 85 00 A3
68 CC 59 00 E8 DF 23
[06:56:57] 0x02 Request: 4
Command: 0x004E, Address: 0x0049C33D, Lengh: 7
Command: 0x004E, Address: 0x00497FB0, Lengh: 14
Command: 0x004E, Address: 0x004A2FF7, Lengh: 8
02 20 00 00 00 00 00 00 83 00 00 00 8B 55 08 00
84 5E 0C 74 05 E8 F6 54 F9 FF 8B 76 04 85 00 A3
68 CC 59 00 E8 DF 23
[06:57:12] 0x02 Request: 5
Command: 0x004E, Address: 0x004A2FF7, Lengh: 8
Command: 0x004E, Address: 0x00497FB0, Lengh: 14
Command: 0x004E, Address: 0x0049C33D, Lengh: 7
02 20 00 00 00 00 00 00 A3 68 CC 59 00 E8 DF 23
00 84 5E 0C 74 05 E8 F6 54 F9 FF 8B 76 04 85 00
83 00 00 00 8B 55 08
The current 3 blobs of memory sent back to the server's warden are:
83 00 00 00 8B 55 08
A3 68 CC 59 00 E8 DF 23
84 5E 0C 74 05 E8 F6 54 F9 FF 8B 76 04 85
Im currently setting the checksum (or w/e it is) to 0 and bnet doesnt seem to mind, but there is only currently 3 memory checks, so only about 6 possible checksums.
im also just grabbing those memory blocks from starcraft.exe:
R = R & Mid(wFile, lngAddr - &H400000 + 1, lngLen)
wFile being a string holding the file data from starcraft.exe for now. (only seems to be requesting code/asm sniplets)
If im correct then this format for 0x02 can change at any time, as im assuming the downloaded warden module parses/builds it.
[EDIT] After the header of S<>C 0x02's, the buffer can be anything, depending on the warden module at hand.
The end byte of S>C 0x02, seems to be present on all wardens (SC/BW/D2 at least)
Does anyone fancy reverseing that checksum algorithm used in C>S 0x02? :P
Good work on that! I'm glad to see that somebody picked up where I left off.
If somebody's interested, I'd appreciate it if what Ringo posted could be translated to English (err, I mean formalized ;) ) and added to my wiki. I don't really have time to do it.
<edit> Also, from what I understand, Battle.net isn't currently banning people who send back invalid checksums in Starcraft. However, they occasionally do ban sweeps in other games, so I wouldn't be surprised if they queue it up and look for people who have been caught more than once.
hmm reading this thread has made my nearly five year old project reopen... ;)
great job to ringo and iago (sorry if i'm missing anyone here)... 8) you guys really have taken over the pioneering of battle.net now it seems for the most part.
for now
;)
Quote from: Ringo on March 06, 2008, 09:49 AM
Quote from: Andy on March 06, 2008, 03:24 AM
Your own code says otherwise...
If bRE Then
S = S & A & String(4, 0) & StrReverse(MakeDWORD((Len(S) * 8)))
Else
S = S & A & MakeDWORD((Len(S) * 8)) & String(4, 0)
End If
Yeah, that is the 8 byte (64bit int), i just managed it in 1 dword, rather than calculating it on a low/high word, since you would need over 200mb droped into SHA1 for the other word to come into play.
But what I said was that it was reversed for Lockdown....
Hope your account doesn't get banned later on for sending null checksums...
Quote from: Andy on March 06, 2008, 01:09 PM
Hope your account doesn't get banned later on for sending null checksums...
His key might, if they ever bother doing a round of Starcraft bans, but Starcraft keys are cheap and plentiful. :)
Okay... I think I got my Encryption Key code converted to VB, but I don't know if it's right, nor how to use it :(
Private Declare Function WardenSHA Lib "RSHA.dll" (sVal As String) As String
Private Type BARR
Ary() As Byte
End Type
Dim Position As Long
Dim RandomData() As Byte
Dim RandomSource1() As Byte
Dim RandomSource2() As Byte
Private Sub Update()
RandomData = StrToByteArray(WardenSHA(ByteArrayToStr(RandomSource1) & ByteArrayToStr(RandomData) & ByteArrayToStr(RandomSource2))).Ary
End Sub
Public Sub Initialize(Seed As String)
Dim Length1 As Long
Dim Length2 As Long
Dim Seed1() As Byte
Dim Seed2() As Byte
Dim I As Long
Length1 = RShift(Len(Seed), 1)
Length2 = Len(Seed) - Length1
ReDim Seed1(Length1)
ReDim Seed2(Length2)
For I = 0 To Length1 - 1
Seed1(I) = Asc(Mid$(Seed, I + 1, 1))
Next I
For I = 0 To Length2 - 1
Seed2(I) = Asc(Mid$(Seed, I + Length1 + 1, 1))
Next I
ReDim RandomData(&H14) As Byte
RandomSource1 = StrToByteArray(WardenSHA(ByteArrayToStr(Seed1))).Ary
RandomSource2 = StrToByteArray(WardenSHA(ByteArrayToStr(Seed2))).Ary
Update
Position = 0
End Sub
Private Function GetByte()
GetByte = RandomData(Position)
Position = Position + 1
If Position > &H14 Then
Position = 0
Update
End If
End Function
Public Function GetBytes(ByVal Bytes As Long) As String
Dim I As Integer
Dim Buffer() As Byte
ReDim Buffer(Bytes) As Byte
For I = 0 To Bytes
Buffer(I) = GetByte
Next I
GetBytes = ByteArrayToStr(Buffer)
End Function
Private Function StrToByteArray(ByVal sStr As String) As BARR
Dim I As Integer
ReDim StrToByteArray.Ary(Len(sStr) - 1) As Byte
For I = 1 To Len(sStr)
StrToByteArray.Ary(I - 1) = Asc(Mid$(sStr, I, 1))
Next I
End Function
Private Function ByteArrayToStr(ByRef bByt() As Byte) As String
Dim sStr As String
Dim I As Integer
For I = 1 To UBound(bByt) + 1
sStr = sStr & Chr$(bByt(I - 1))
Next I
ByteArrayToStr = sStr
End Function
(Yes, I know it was a dirty hack to pass a byte array as a function return, but it was the only way to make my code look elegant and not use more variables...)
Anyway, is it correct, and how do I use it? I'm still confused as to the seed... It's just the first 4 bytes of the CDKey Hash? And then what? By which I mean, how are the two keys generated? XOR encryption of what value, using what value as a key? Or was the CDKey Hash the XOR key and the seed something else?
I'm feeling pretty lost...
/me facepalm.jpgs
Andy: The seed is the first dword of the cdkey hash.
I don't get what's so hard to understand...
http://www.skullsecurity.org/wiki/index.php/Key_Generation_in_C
int main(int argc, char **argv)
{
unsigned long seed = FirstDwordOfKeyHash;
t_random_data source;
char buffer[0x100];
random_data_initialize(&source, &seed, 4);
random_data_get_bytes(&source, buffer, 0x100);
print_buffer(buffer, 0x100);
}
EDIT**
I just wanted to comment, the blizzard programmers are so newb :)
Note how 0x400000 doesn't necessarily have to be the base of starcraft.exe.
The more professional thing to do would be to supply the RVA of the contents to get... the raw data. raw, plain, pure, binary code ment to be executed. They hash everything else, so why not that? If they did, this would be so much more interesting. Perhaps with their own SHA1 - Hippie edition too. What they do just doesn't make sense sometimes. I guess they just felt like getting lazy, especially after putting oh-so-much hard work into the encryption. Ringo and i were able to find what it was by comparing the responses with the associated address' contents. nothing more at all.
That's part of what I asked... all you had to say was "yes". Now how about the other part... what comes next?
I explained it pretty clearly in this section:
http://www.skullsecurity.org/wiki/index.php/Warden_Packets#Generating_encryption_keys
The key for outgoing packets is the first two bytes of the CDKey hash, run through the generate_key() function.
The key for incoming packets is the next two bytes of the CDKey hash, run through the generate_key() function.
rtfm. (http://www.skullsecurity.org/wiki/index.php/Key_Generation_in_C)
you would be lost if iago never released his code, you know that?
and what happened to "I don't care about warden.", 'cause you obviously do.
I've got nothing better to do... I'm waiting for my replacement video card to arrive....
And I am pretty lost... I'm not a reverse engineer, nor do I enjoy working with proprietary systems. The only reason I ever started working on Battle.net bots was so I could have something useful to chat on. I have no real interest in the system; that's not why I'm here.
And as clearly as it may be explained, I'm afraid I still don't understand. Especially when one part says use 0x10 bytes and another says 0x100...
Edit: Ah... I guess my "Warden SHA" function which switches the endians of the DWords was useless... So my final, and working, code for generating the encryption key is:
Private Declare Function StandardSHA Lib "RSHA.dll" (sVal As String) As String
Private Type BARR
Ary() As Byte
End Type
Dim Position As Long
Dim RandomData() As Byte
Dim RandomSource1() As Byte
Dim RandomSource2() As Byte
Public Sub Initialize(Seed As String)
Dim Length1 As Long
Dim Length2 As Long
Dim Seed1() As Byte
Dim Seed2() As Byte
Dim I As Long
Length1 = RShift(Len(Seed), 1)
Length2 = Len(Seed) - Length1
ReDim Seed1(Length1 - 1)
ReDim Seed2(Length2 - 1)
For I = 0 To Length1 - 1
Seed1(I) = Asc(Mid$(Seed, I + 1, 1))
Next I
For I = 0 To Length2 - 1
Seed2(I) = Asc(Mid$(Seed, I + Length1 + 1, 1))
Next I
ReDim RandomData(&H13) As Byte
RandomSource1 = StrToByteArray(StandardSHA(ByteArrayToStr(Seed1))).Ary
RandomSource2 = StrToByteArray(StandardSHA(ByteArrayToStr(Seed2))).Ary
Update
Position = 0
End Sub
Private Sub Update()
RandomData = StrToByteArray(StandardSHA(ByteArrayToStr(RandomSource1) & ByteArrayToStr(RandomData) & ByteArrayToStr(RandomSource2))).Ary
End Sub
Private Function GetByte()
GetByte = RandomData(Position)
Position = Position + 1
If Position >= &H13 Then
Position = 0
Update
End If
End Function
Public Function GetBytes(ByVal Bytes As Long) As String
Dim I As Integer
Dim Buffer() As Byte
ReDim Buffer(Bytes) As Byte
For I = 0 To Bytes
Buffer(I) = GetByte
Next I
GetBytes = ByteArrayToStr(Buffer)
End Function
Private Function StrToByteArray(ByVal sStr As String) As BARR
Dim I As Integer
ReDim StrToByteArray.Ary(Len(sStr) - 1) As Byte
For I = 1 To Len(sStr)
StrToByteArray.Ary(I - 1) = Asc(Mid$(sStr, I, 1))
Next I
End Function
Private Function ByteArrayToStr(ByRef bByt() As Byte) As String
Dim sStr As String
Dim I As Integer
For I = 1 To UBound(bByt) + 1
sStr = sStr & Chr$(bByt(I - 1))
Next I
ByteArrayToStr = sStr
End Function
And it seems to work just dandy...
Now on to creating the outgoing and incoming keys...
Eh... problems with RC4 stuff... I'll deal with it later... Sorry for sounding dense and stupid, I think my head cold's getting to my ability to read -.- .
if anybody wants the .idb file I've been working on, let me know privately and I'll send it to you. I have a lot of notes on it, and I have the default module and a downloaded module loaded into it.
I'm not comfortable with posting it publicly, but I also don't mind sharing it with anybody who wants it.
Just a quick note:
You said the 2nd field was the length right?
[06:56:26] 0x02 Request: 2
Command: 0x004E, Address: 0x0049C33D, Lengh: 7
Command: 0x004E, Address: 0x004A2FF7, Lengh: 8
Command: 0x004E, Address: 0x00497FB0, Lengh: 14
02 20 00 00 00 00 00 00 83 00 00 00 8B 55 08 00
A3 68 CC 59 00 E8 DF 23 00 84 5E 0C 74 05 E8 F6
54 F9 FF 8B 76 04 85
14+8+7 = 29 0x1d, not 32 0x20
Anyways
Command: 0x00f5, Address: 0x0049c33d, Length: 7
Command: 0x00f5, Address: 0x004a2ff7, Length: 8
Command: 0x00f5, Address: 0x00497fb0, Length: 14
02 1d 00 00 00 00 00 83 00 00 00 8b 55 08 a3 68 ............U..h
cc 59 00 e8 df 23 84 5e 0c 74 05 e8 f6 54 f9 ff .Y...#.^.t...T..
8b 76 04 85 .v..
Length: 36
Command: 0x00f5, Address: 0x00497fb0, Length: 14
Command: 0x00f5, Address: 0x004a2ff7, Length: 8
Command: 0x00f5, Address: 0x0049c33d, Length: 7
02 1d 00 00 00 00 00 84 5e 0c 74 05 e8 f6 54 f9 ........^.t...T.
ff 8b 76 04 85 a3 68 cc 59 00 e8 df 23 83 00 00 ..v...h.Y...#...
00 8b 55 08 ..U.
Length: 36My bot
Problem is.. It must be wrong [I guess diffrent module]
As I am still getting disconnec5ted after 2 mins.
Anyone know a easy way to load the uncompressed modules into IDA?
Quote from: Hdx on March 07, 2008, 01:31 AM
Just a quick note:
You said the 2nd field was the length right?
[06:56:26] 0x02 Request: 2
Command: 0x004E, Address: 0x0049C33D, Lengh: 7
Command: 0x004E, Address: 0x004A2FF7, Lengh: 8
Command: 0x004E, Address: 0x00497FB0, Lengh: 14
02 20 00 00 00 00 00 00 83 00 00 00 8B 55 08 00
A3 68 CC 59 00 E8 DF 23 00 84 5E 0C 74 05 E8 F6
54 F9 FF 8B 76 04 85
14+8+7 = 29 0x1d, not 32 0x20
Anyways
Command: 0x00f5, Address: 0x0049c33d, Length: 7
Command: 0x00f5, Address: 0x004a2ff7, Length: 8
Command: 0x00f5, Address: 0x00497fb0, Length: 14
02 1d 00 00 00 00 00 83 00 00 00 8b 55 08 a3 68 ............U..h
cc 59 00 e8 df 23 84 5e 0c 74 05 e8 f6 54 f9 ff .Y...#.^.t...T..
8b 76 04 85 .v..
Length: 36
Command: 0x00f5, Address: 0x00497fb0, Length: 14
Command: 0x00f5, Address: 0x004a2ff7, Length: 8
Command: 0x00f5, Address: 0x0049c33d, Length: 7
02 1d 00 00 00 00 00 84 5e 0c 74 05 e8 f6 54 f9 ........^.t...T.
ff 8b 76 04 85 a3 68 cc 59 00 e8 df 23 83 00 00 ..v...h.Y...#...
00 8b 55 08 ..U.
Length: 36My bot
Problem is.. It must be wrong [I guess diffrent module]
As I am still getting disconnec5ted after 2 mins.
Anyone know a easy way to load the uncompressed modules into IDA?
uh, yeah, you might have cought it in the middle of a post edit (i just updated the spec a little) :P
the (WORD) Lengh, is the lengh of the payload (discluding the 7 byte header ID/Len/Checksum)
The only thing i can see wrong (at a glance) is your not putting a null byte before each memory blob. (see below)
Quote
And for building/sending back the responce:
(BYTE) 0x02 - Packet ID
(WORD) Lengh of message (discluding this header of 7 bytes -- ID/Len/Checksum)
(DWORD) Checksum of the send buffer
For each memory request:
(BYTE) 0x00 Not sure what this is, seems constant
(VOID) Chunk of memory from requested address/lengh
end
[EDIT] After the header of S<>C 0x02's, the buffer can be anything, depending on the warden module at hand.
The end byte of S>C 0x02, seems to be present on all wardens (SC/BW/D2 at least)
Ah also somthing i noticed today, if you put the checksum as 0, you will drop after 2min, but requests will continue up untill you get disconnected.
Give me a min and i will post some hard coded checksums.
Afaik, the checksum (in C>S 0x02) is a constant thing for warden
Ah ya, I forgot the null byte.
Thats fixed and the lenght is now 0x20 :P
Still getting disconnected as you noticed, but hey, *poors over a log of SC* there are only 9 checksums [I would assume as its the same 3 sets of data in diff orders, [3*3]]
So I can just brute that. But ya, I'm still interested in finding a way to actually look at the mod in IDA.
0x00497FB0, 0x0049C33D, 0x004A2FF7 = 0x193E73E8
0x0049C33D, 0x00497FB0, 0x004A2FF7 = 0xD6557DEF
0x00497FB0, 0x004A2FF7, 0x0049C33D = 0x2183172A
0x0049C33D, 0x004A2FF7, 0x00497FB0 = 0xCA841860
0x004A2FF7, 0x0049C33D, 0x00497FB0 = 0x9F2AD2C3
0x004A2FF7, 0x00497FB0, 0x0049C33D = 0xC04CF757
Coolness, now just to figure out how that is derived.
I noticed something weird while packetlogging my official SC client...
The first warden message that I am receiving from BNCS looks like that:
ff 5e 29 00 d3 2b 67 a5 58 29 21 61 13 44 9d 48 [...]
That looks fine.
However, unless I am missing something here, my client sent an additionnal byte (FB) in the 0x00 message:
ff 5e 05 00 fb
I even tried sending that same byte but I kept getting disconnected by Battle.net
What could the problem be and why would it send that extra 0xFB byte ???
EDIT: Nevermind, someone (Ringo) helped me ;)
I am so stupid. Haha.
Quote from: Paladin on March 07, 2008, 06:45 AM
I noticed something weird while packetlogging my official SC client...
The first warden message that I am receiving from BNCS looks like that:
ff 5e 29 00 d3 2b 67 a5 58 29 21 61 13 44 9d 48 [...]
That looks fine.
However, unless I am missing something here, my client sent an additionnal byte (FB) in the 0x00 message:
ff 5e 05 00 fb
I even tried sending that same byte but I kept getting disconnected by Battle.net
What could the problem be and why would it send that extra 0xFB byte ???
EDIT: Nevermind, someone (Ringo) helped me ;)
I am so stupid. Haha.
I know you've figured it out, but just in case somebody doesn't know -- that "fb" is the encrypted response to the 0x00 packet (either 01 or 00 encrypted, depending on whether or not he'd connected before).
Hrm... turns out the examples HDX gave me were wrong... Anyway, here's my (currently working) code and implementation for VB6:
clsWarden.cls:
Option Explicit
Private Declare Function StandardSHA Lib "RSHA.dll" (sVal As String) As String
Private Position As Long
Private RandomData() As Byte
Private RandomSource1() As Byte
Private RandomSource2() As Byte
Public Sub Initialize(Seed As String)
Dim Length1 As Long
Dim Length2 As Long
Dim Seed1() As Byte
Dim Seed2() As Byte
Dim I As Long
Length1 = RShift(Len(Seed), 1)
Length2 = Len(Seed) - Length1
ReDim Seed1(Length1 - 1)
ReDim Seed2(Length2 - 1)
For I = 0 To Length1 - 1
Seed1(I) = Asc(Mid$(Seed, I + 1, 1))
Next I
For I = 0 To Length2 - 1
Seed2(I) = Asc(Mid$(Seed, I + Length1 + 1, 1))
Next I
ReDim RandomData(&H13) As Byte
StrToByteArray StandardSHA(ByteArrayToStr(Seed1)), RandomSource1
StrToByteArray StandardSHA(ByteArrayToStr(Seed2)), RandomSource2
Update
Position = 0
End Sub
Private Sub Update()
StrToByteArray StandardSHA(ByteArrayToStr(RandomSource1) & ByteArrayToStr(RandomData) & ByteArrayToStr(RandomSource2)), RandomData
End Sub
Private Function GetByte() As Byte
GetByte = RandomData(Position)
Position = Position + 1
If Position >= &H14 Then
Position = 0
Update
End If
End Function
Public Function GetBytes(ByVal bytes As Long) As String
Dim I As Integer
Dim Buffer() As Byte
ReDim Buffer(bytes) As Byte
For I = 0 To bytes
Buffer(I) = GetByte
Next I
GetBytes = ByteArrayToStr(Buffer)
End Function
Private Sub StrToByteArray(ByVal sStr As String, ByRef Ary() As Byte)
Dim I As Integer
ReDim Ary(Len(sStr) - 1) As Byte
For I = 1 To Len(sStr)
Ary(I - 1) = Asc(Mid$(sStr, I, 1))
Next I
End Sub
Private Function ByteArrayToStr(ByRef bByt() As Byte) As String
Dim sStr As String
Dim I As Integer
For I = 1 To UBound(bByt) + 1
sStr = sStr & Chr$(bByt(I - 1))
Next I
ByteArrayToStr = sStr
End Function
Public Function SimpleCrypt(ByVal sBase As String) As String
Dim bKey() As Byte
Dim bBase() As Byte
Dim lVal As Long
Dim I As Long
Dim lPos As Long
Dim temp As Byte
StrToByteArray sBase, bBase
ReDim bKey(&H101) As Byte
For I = 0 To &HFF
bKey(I) = I
Next I
For I = 1 To &H40
lVal = lVal + bKey(I * 4 - 4) + bBase(lPos Mod (UBound(bBase) + 1))
lPos = lPos + 1
temp = bKey(I * 4 - 4)
bKey(I * 4 - 4) = bKey(lVal And &HFF)
bKey(lVal And &HFF) = temp
lVal = lVal + bKey(I * 4 - 3) + bBase(lPos Mod (UBound(bBase) + 1))
lPos = lPos + 1
temp = bKey(I * 4 - 3)
bKey(I * 4 - 3) = bKey(lVal And &HFF)
bKey(lVal And &HFF) = temp
lVal = lVal + bKey(I * 4 - 2) + bBase(lPos Mod (UBound(bBase) + 1))
lPos = lPos + 1
temp = bKey(I * 4 - 2)
bKey(I * 4 - 2) = bKey(lVal And &HFF)
bKey(lVal And &HFF) = temp
lVal = lVal + bKey(I * 4 - 1) + bBase(lPos Mod (UBound(bBase) + 1))
lPos = lPos + 1
temp = bKey(I * 4 - 1)
bKey(I * 4 - 1) = bKey(lVal And &HFF)
bKey(lVal And &HFF) = temp
Next I
SimpleCrypt = ByteArrayToStr(bKey)
End Function
Public Function DoCrypt(ByVal sData As String, ByRef sKey As String) As String
Dim bKey() As Byte
Dim Data() As Byte
Dim I As Long
Dim temp As Byte
Dim Y As Long
Dim Z As Long
StrToByteArray sKey, bKey
Y = bKey(&H100)
Z = bKey(&H101)
StrToByteArray sData, Data
For I = 0 To UBound(Data)
Y = (Y + 1) And &HFF
Z = (Z + bKey(Y)) And &HFF
temp = bKey(Y)
bKey(Y) = bKey(Z)
bKey(Z) = temp
Data(I) = Data(I) Xor bKey((CInt(bKey(Y)) + CInt(bKey(Z))) And &HFF)
Next I
bKey(&H100) = Y
bKey(&H101) = Z
sKey = ByteArrayToStr(bKey)
DoCrypt = ByteArrayToStr(Data)
End Function
Top of Whatever handles BNCS packets:
Private wKeyOut As String
Private wKeyIn As String
Private cWarden As New clsWarden
In SID_AUTH_CHECK:
BNCSPacket.InsertString KeyHash
cWarden.Initialize Left$(KeyHash, 4)
wKeyOut = cWarden.SimpleCrypt(cWarden.GetBytes(&HF))
wKeyIn = cWarden.SimpleCrypt(cWarden.GetBytes(&HF))
For handling 5E:
Private Sub SID_Recv_Warden()
Dim sData As String
Dim wPack As New clsPacket
Static pMD5 As String
Static pKey As String
Static pLen As Long
Static pData As String
Dim dLen As Long
Dim tData As String
Dim cMD5 As New clsMD5
Dim tMD5 As String
Dim nFile As Integer
Dim EventNo As Byte
Dim I As Long
Dim Loops As Long
Dim Vals() As String
Dim cmd As Integer
Dim addr() As Long
Dim readlen As Byte
Dim LastByte As Byte
Dim ToSend As String
Dim Checksum As Long
Const Req1 As Long = &H497FB0
Const Req2 As Long = &H49C33D
Const Req3 As Long = &H4A2FF7
sData = BNCSPacket.GetNull
wPack.SetData cWarden.DoCrypt(sData, wKeyIn)
Select Case wPack.GetByte
Case &H0
pMD5 = wPack.GetString(16)
pKey = wPack.GetString(16)
pLen = wPack.GetDWORD
BNCSPacket.ClearOutbound
'If LenB(Dir$(SettingsFolder & "\Tmp\Warden\" & StH(pMD5) & ".bas")) = 0 Then
' pData = vbNullString
' BNCSPacket.InsertByte &H0
' ToSend = cWarden.DoCrypt(BNCSPacket.GetOutbound, wKeyOut)
' BNCSPacket.ClearOutbound
' BNCSPacket.InsertString ToSend
' AddQueue BNCSPacket.SendBNCSPacket(SID_WARDEN)
'Else
BNCSPacket.InsertByte &H1
ToSend = cWarden.DoCrypt(BNCSPacket.GetOutbound, wKeyOut)
BNCSPacket.ClearOutbound
BNCSPacket.InsertString ToSend
AddQueue BNCSPacket.SendBNCSPacket(SID_WARDEN)
'End If
'Case &H1
' dLen = wPack.GetWORD
' tData = wPack.GetString(dLen)
' pData = pData & tData
' If Len(pData) >= pLen Then
' tMD5 = cMD5.DigestStrToHexStr(pData)
' BNCSPacket.ClearOutbound
' If StH(pMD5) = tMD5 Then
' nFile = FreeFile
' Open SettingsFolder & "\Tmp\Warden\" & StH(pMD5) & ".mod" For Binary Access Write As #nFile
' Put #nFile, , cWarden.DoCrypt(pData, cWarden.SimpleCrypt(pKey))
' Close #nFile
' BNCSPacket.InsertByte &H1
' ToSend = cWarden.DoCrypt(BNCSPacket.GetOutbound, wKeyOut)
' BNCSPacket.ClearOutbound
' BNCSPacket.InsertString ToSend
' AddQueue BNCSPacket.SendBNCSPacket(SID_WARDEN)
' Else
' pData = vbNullString
' BNCSPacket.InsertByte &H0
' ToSend = cWarden.DoCrypt(BNCSPacket.GetOutbound, wKeyOut)
' BNCSPacket.ClearOutbound
' BNCSPacket.InsertString ToSend
' AddQueue BNCSPacket.SendBNCSPacket(SID_WARDEN)
' End If
' End If
Case &H2
EventNo = wPack.GetByte
Loops = (Len(sData) - 3) / 7
ReDim Vals(Loops - 1) As String
ReDim addr(Loops - 1) As Long
nFile = FreeFile
Open Config.HashPath & "\StarCraft.exe" For Binary Access Read As #nFile
For I = 0 To Loops - 1
cmd = wPack.GetWORD
addr(I) = wPack.GetDWORD
readlen = wPack.GetByte
Vals(I) = String$(readlen, 0)
Get #nFile, addr(I) - &H400000 + 1, Vals(I)
Next I
Close #nFile
LastByte = wPack.GetByte
If addr(0) = Req1 And addr(1) = Req2 And addr(2) = Req3 Then
Checksum = &H193E73E8
ElseIf addr(0) = Req2 And addr(1) = Req1 And addr(2) = Req3 Then
Checksum = &HD6557DEF
ElseIf addr(0) = Req1 And addr(1) = Req3 And addr(2) = Req2 Then
Checksum = &H2183172A
ElseIf addr(0) = Req2 And addr(1) = Req3 And addr(2) = Req1 Then
Checksum = &HCA841860
ElseIf addr(0) = Req3 And addr(1) = Req2 And addr(2) = Req1 Then
Checksum = &H9F2AD2C3
ElseIf addr(0) = Req3 And addr(1) = Req1 And addr(2) = Req2 Then
Checksum = &HC04CF757
Else
RaiseEvent BNetError("Unknown Warden Request: " & Hex$(addr(1)) & " " & Hex$(addr(2)) & " " & Hex$(addr(3)))
End If
For I = 0 To Loops - 1
BNCSPacket.InsertByte &H0
BNCSPacket.InsertString Vals(I)
Next I
ToSend = BNCSPacket.GetOutbound
ToSend = Chr$(&H2) & BNCSPacket.CreateWORD(Len(ToSend)) & BNCSPacket.CreateDWORD(Checksum) & ToSend
ToSend = cWarden.DoCrypt(ToSend, wKeyOut)
BNCSPacket.ClearOutbound
BNCSPacket.InsertString ToSend
AddQueue BNCSPacket.SendBNCSPacket(SID_WARDEN)
Case Else
RaiseEvent BNetError("Unknown Warden Packet: " & StH(wPack.GetData))
End Select
End Sub
Note that I've currently got the actual downloading, 0x01 and such commented out, since it's pretty much useless at this point... Once it's publicly released how the checksums are generated, like as not full downloading, decrypting, expanding and everything of the file will be needed. Until then, this works.
BTW, big thanks to both Blake (HDX) and Ringo, and of course iago. I'm sure some of my users will be happy about it...
Quote from: Andy on March 07, 2008, 04:47 PM
and Ringo
NO!
uh, oh, ouch, that gives VB6 a bad name! :P
Mines not exacly great, but its way more cleaner :P
Try somthing like this:
Public Type RANDOMDATA
Pos As Long
Data As String * 20
Sorc1 As String * 20
Sorc2 As String * 20
End Type
Private bR(255) As Byte
Public Sub RC4Key(ByRef S As String, ByRef B() As Byte)
Dim i As Long, A As Long, C As Byte
B(256) = 0
B(257) = 0
A = Len(S)
For i = 0 To 255
bR(i) = Asc(Mid(S, (i Mod A) + 1, 1))
B(i) = i
Next i
A = 0
For i = 0 To 255
A = (A + B(i) + bR(i)) Mod 256
C = B(i)
B(i) = B(A)
B(A) = C
Next i
End Sub
Public Sub RC4Crypt(ByRef S As String, ByRef bK() As Byte)
Dim A As Long, B As Long, C As Byte, i As Long
A = bK(256)
B = bK(257)
For i = 1 To Len(S)
A = (A + 1) Mod 256
B = (B + bK(A)) Mod 256
C = bK(A)
bK(A) = bK(B)
bK(B) = C
Mid(S, i, 1) = Chr(Asc(Mid(S, i, 1)) Xor bK((CInt(bK(A)) + bK(B)) Mod 256))
Next i
bK(256) = A
bK(257) = B
End Sub
Public Sub Data_Init(ByRef R As RANDOMDATA, ByVal lngSeed As Long)
Dim S As String * 4
Call CopyMemory(ByVal S, lngSeed, 4)
R.Sorc1 = BSHA1(Left(S, 2), True, True)
R.Sorc2 = BSHA1(Right(S, 2), True, True)
R.Data = String(20, 0)
R.Data = BSHA1(R.Sorc1 & R.Data & R.Sorc2, True, True)
R.Pos = 1
End Sub
Public Function Data_Get_Bytes(ByRef R As RANDOMDATA, ByVal lngBytes As Long) As String
Dim i As Long, S As String
S = String(lngBytes, 0)
For i = 1 To lngBytes
Mid(S, i, 1) = Mid(R.Data, R.Pos, 1)
R.Pos = R.Pos + 1
If R.Pos > 20 Then
R.Pos = 1
R.Data = BSHA1(R.Sorc1 & R.Data & R.Sorc2, True, True)
End If
Next i
Data_Get_Bytes = S
End Function
For all who have asked, here's how to load a binary in IDA. Start by opening Battle.snp in the standard way, then:
File->Load File->Additional Binary File
Pick the .bin file
Set:
Loading segment: 0x0
Loading offset: The base address you want
File offset in bytes: 0x0
Number of bytes: 0x0
Create segments: yes
Code segment: yes
View->Open Subviews->Segments
Right-click on the new segment (seg000), edit segment
Set:
"Segment name" to something useful
Select "32-bit segment"
Options->general
Tab: Analysis
Reanalyze program
Any code that's left, you can fiddle with using Create Function (p) or Convert to Code (c).
I also uploaded my .idb file, and decided I don't care about keeping it private:
http://www.javaop.com/~ron/tmp/battle_warden.zip
0x02000000: A downloaded module (cc19c0a67a90318e157e6a5325a9bd2e.bin)
0x02e30000: Default module
I also identified sha1 functions in there, because they're so easy to find, and I commented/named the function imports.
Quote from: Ringo on March 08, 2008, 09:12 AM
Quote from: Andy on March 07, 2008, 04:47 PM
and Ringo
NO!
uh, oh, ouch, that gives VB6 a bad name! :P
Mines not exacly great, but its way more cleaner :P
It's an almost line by line port of the example code iago posted... Of course it's not clean.
However, I just added speed timings to Initialize, GetBytes, SimpleCrypt, and DoCrypt, and they all ran instantly... as in... 0 ms. So I'm happy.
Quote from: Andy on March 08, 2008, 02:29 PM
Quote from: Ringo on March 08, 2008, 09:12 AM
Quote from: Andy on March 07, 2008, 04:47 PM
and Ringo
NO!
uh, oh, ouch, that gives VB6 a bad name! :P
Mines not exacly great, but its way more cleaner :P
It's an almost line by line port of the example code iago posted... Of course it's not clean.
However, I just added speed timings to Initialize, GetBytes, SimpleCrypt, and DoCrypt, and they all ran instantly... as in... 0 ms. So I'm happy.
I actually tried your code to see if it worked and it gave me a "Can't find DLL entry point StandardSHA in RSHA.dll". :o
By the way, I got your RSHA.dll by downloading your bot.
For any who care, here's my Java implementation: http://www.javaop.com/~ron/tmp/warden.tgz
I'm not including all the utility classes, but you can find them on my wiki if you actually want to run it instead of use it for a reference.
Hasn't been released in that ver prolly... Here (http://realityripple.com/Uploads/RSHA.zip)'s a current ver of my RSHA.dll with vb declares of all the API calls for ya.
Quote from: iago on March 08, 2008, 10:41 AM
For all who have asked, here's how to load a binary in IDA. Start by opening Battle.snp in the standard way, then:
File->Load File->Additional Binary File
Pick the .bin file
Set:
Loading segment: 0x0
Loading offset: The base address you want
File offset in bytes: 0x0
Number of bytes: 0x0
Create segments: yes
Code segment: yes
View->Open Subviews->Segments
Right-click on the new segment (seg000), edit segment
Set:
"Segment name" to something useful
Select "32-bit segment"
Options->general
Tab: Analysis
Reanalyze program
Any code that's left, you can fiddle with using Create Function (p) or Convert to Code (c).
I also uploaded my .idb file, and decided I don't care about keeping it private:
http://www.javaop.com/~ron/tmp/battle_warden.zip
0x02000000: A downloaded module (cc19c0a67a90318e157e6a5325a9bd2e.bin)
0x02e30000: Default module
I also identified sha1 functions in there, because they're so easy to find, and I commented/named the function imports.
Neat, thanks!, you have motivated me into learning ASM :)
Great work!
Quote from: Andy on March 08, 2008, 02:29 PM
It's an almost line by line port of the example code iago posted... Of course it's not clean.
However, I just added speed timings to Initialize, GetBytes, SimpleCrypt, and DoCrypt, and they all ran instantly... as in... 0 ms. So I'm happy.
I was refering to things like StrToByteArray() and ByteArrayToStr().
You shouldnt need to switch between data types all the time, and if you do, try useing somthing like rtlMoveMemory() api.
The current warden modules will handle packets 0x00, 0x01, 0x02, 0x03, 0x04.
For 0x02, there appear to be multiple 'commands' that the server could request. These also differ per module.
The solutions for 0x02 in this thread should be considered temporary at best. Blizzard could activate any of these other packets/commands at any given time.
Unless I was mistaken while reading Maiev.mod [SC's warden loader] only packets 0-2 are supported. It simply ignores other opcodes.
I know that 0-4 are enabled on D2's version of warden. But meh.
As well, anyone who thinks that this solution for 0x02 is permanent doesn't understand how Warden works...
We're just doing it as far as we can sofar.
As for the current modules.. Still can't find where it calcs the checksum, but it jsut seems to be a 'test' module. Applying some simple memory patches, trying to tighten security around it a little, nothing major.
So who have passed the challenge so far?
I know the solution of 0x02 is temprorary right now since you need to do things related with the modules.
Quote from: Hdx on March 10, 2008, 08:58 PM
Unless I was mistaken while reading Maiev.mod [SC's warden loader] only packets 0-2 are supported. It simply ignores other opcodes.
You are correct. Maiev.mod only has handling for 0x00, 0x01, and 0x02. Once the new module is prepared, Maive is unloaded and the new module is loaded in its place. The new module takes over for Maive to handle packets, crypto, etc.
Ah duaa :P brain fart.
*points at the init struct* pretty !
Anyways, ya, when it comes to warden, due to its nature, everything is temporary.
BUT, its the whole does Blizzard give enough shit to change it?
Has anyone checked if the addresses change if you join a game as opposed to the 3 that are checked while in chat?
Quote from: Rob on March 10, 2008, 09:12 PM
Quote from: Hdx on March 10, 2008, 08:58 PM
Unless I was mistaken while reading Maiev.mod [SC's warden loader] only packets 0-2 are supported. It simply ignores other opcodes.
You are correct. Maiev.mod only has handling for 0x00, 0x01, and 0x02. Once the new module is prepared, Maive is unloaded and the new module is loaded in its place. The new module takes over for Maive to handle packets, crypto, etc.
That's exactly what I said on my wiki. :)
hmm, im trying to read the ASM for the defalt module's 0x02 handler, but i dunno if im reading this correctly.
From what i can see at the moment, it checks the 1st byte into the packet (after 0x02), if that lengh if over 0x00 it does the following:
grabs the byte, reads that lengh into the packet, then creates a SHA1 hash and a MD5 hash of that string and sends it back.
If the lengh is 0x00, it sends back a SHA1 and MD5 hash of "" (nothing)
If the lengh byte contains a lengh that exeeds the lengh of the following data, it does nothing/sends back no responce?
Basicly, the following?
Request:
(BYTE) 0x02 - packet ID
(BYTE) Lengh of data to read
(VOID) data
Responce:
(BYTE) 0x02 - Packet ID
(VOID[20]) SHA1 hash of string
(VOID[16]) MD5 hash of string
unless im missing somthing, isnt that pretty pointless?
Unless, like in d2, the string is a file name of an MPQ file to hash, but im not seeing anything that would do this.. odd.
Can anyone verify this?
Any info on how the checksums are generated yet?
hmm, anyone else willing to contribute to this?
I dont really feel like working on any of this stuff anymore, not untill I see some input from others, its gone kind of dead.
I would have thought many people would have jumped at continueing where iago left off, there is still much to do!
Lets see some team spirit :)
Quote from: Andy on March 18, 2008, 03:11 AM
Any info on how the checksums are generated yet?
With a mathmatical algorithm found with in the warden module you download!
I have made a start on reverseing it, but I have no plans on continueing.
Why dont you start working on this stuff, rather than waiting for info to use to get your bot working.
Who knows, you might even learn somthing!
Afaik, After all, that is what iago started this for, right?
Big thx iago!
Aside, can anyone verify this, for the defalt module?
Request:
(BYTE) 0x02 - packet ID
(BYTE) Lengh of data to read
(VOID) data
Responce:
(BYTE) 0x02 - Packet ID
(VOID[20]) SHA1 hash of data
(VOID[16]) MD5 hash of data
Cause, as I've stated many times before, I have no interest in reversing the work of others, only in creating my own.
And for packet 0x02... I thought it worked like:
(BYTE) Event #
Loop until one byte is left:
(WORD) Command
(DWORD) Address
(BYTE) Length to Read
(BYTE) Unknown
(BYTE) Event #
(DWORD) Checksum
Loop for each item requested:
(BYTE) 0
(VOID) Raw memory data
Or are we talking about different things?
Quote from: Andy on March 19, 2008, 01:48 AM
Cause, as I've stated many times before, I have no interest in reversing the work of others, only in creating my own.
Then why do you want to use the work of others? :p aside, your missing the point.
Quote
And for packet 0x02... I thought it worked like:
(BYTE) Event #
Loop until one byte is left:
(WORD) Command
(DWORD) Address
(BYTE) Length to Read
(BYTE) Unknown
(BYTE) Event #
(DWORD) Checksum
Loop for each item requested:
(BYTE) 0
(VOID) Raw memory data
Or are we talking about different things?
Yeah, im talking about the defalt module, maive.mod or w/e its called -- the one built into the client
My bot gets on bnet on starcraft but then when it responds to the warden it gets disconnected. Here is packet log of this.
1 192.168.0.100:3539 63.240.202.126:6112 59 Send
0000 01 FF 50 3A 00 00 00 00 00 36 38 58 49 50 58 45 ..P:.....68XIPXE
0010 53 D1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 S...............
0020 00 00 00 00 00 00 00 00 00 55 53 41 00 55 6E 69 .........USA.Uni
0030 74 65 64 20 53 74 61 74 65 73 00 ted States.
2 63.240.202.126:6112 192.168.0.100:3539 70 Recv
0000 FF 25 08 00 4A 61 A4 EE FF 50 3E 00 00 00 00 00 .%..Ja...P>.....
0010 6D 2F AE 03 E0 4C 13 00 00 BA F7 D9 72 FC C6 01 m/...L......r...
0020 6C 6F 63 6B 64 6F 77 6E 2D 49 58 38 36 2D 31 33 lockdown-IX86-13
0030 2E 6D 70 71 00 B5 EE 5D A9 2A E6 33 2A C4 77 3B .mpq...].*.3*.w;
0040 4C DA 53 76 F6 00 L.Sv..
3 192.168.0.100:3539 63.240.202.126:6112 8 Send
0000 FF 25 08 00 00 00 00 00 .%......
4 192.168.0.100:3539 63.240.202.126:6112 86 Send
0000 FF 51 56 00 D2 02 96 49 01 02 0F 01 D6 1E B2 89 .QV....I........
0010 01 00 00 00 00 00 00 00 0D 00 00 00 02 00 00 00 ................
0020 E1 30 1F 00 00 00 00 00 43 8F D7 37 D8 B0 80 23 .0......C..7...#
0030 95 AF D8 17 7A 79 11 17 72 D9 1D F0 E5 3B 9A FB ....zy..r....;..
0040 6E 70 92 12 96 32 95 F0 21 28 B8 92 00 4B 7A 55 np...2..!(...KzU
0050 4C 5A 70 49 56 00 LZpIV.
5 63.240.202.126:6112 192.168.0.100:3539 9 Recv
0000 FF 51 09 00 00 00 00 00 00 .Q.......
6 192.168.0.100:3539 63.240.202.126:6112 53 Send
0000 FF 14 08 00 74 65 6E 62 FF 3A 2D 00 59 49 6E 01 ....tenb.:-.YIn.
0010 6D 2F AE 03 A8 61 3A BE 7D 75 AD E8 DA 2D BA A9 m/...a:.}u...-..
0020 F4 28 4C 26 CC 9F 64 28 69 68 61 74 65 77 61 72 .(L&..d(ihatewar
0030 64 65 6E 33 00 den3.
7 63.240.202.126:6112 192.168.0.100:3539 12 Recv
0000 FF 59 04 00 FF 3A 08 00 00 00 00 00 .Y...:......
8 192.168.0.100:3539 63.240.202.126:6112 6 Send
0000 FF 0A 06 00 00 00 ......
9 63.240.202.126:6112 192.168.0.100:3539 41 Recv
0000 FF 5E 29 00 44 0D 06 0F 85 C0 E4 F3 D6 14 C1 EB .^).D...........
0010 B7 F9 82 25 74 D8 7A 2F 07 25 4A 21 4B 65 02 07 ...%t.z/.%J!Ke..
0020 EC B6 52 D0 8C CE 27 02 57 ..R...'.W
10 192.168.0.100:3539 63.240.202.126:6112 47 Send
0000 FF 5E 2F 00 01 CF 7C 29 30 78 F4 12 97 54 F5 A4 .^/...|)0x...T..
0010 36 4B 3D 39 47 EA 4E 6C DE 0D 3B 8C 0B F1 0F B1 6K=9G.Nl..;.....
0020 49 09 74 6D 88 48 CA C7 33 CB 7F B9 22 0F 00 I.tm.H..3..."..
BOOM DISCONNECT
After sending my response to warden (5E) I get disconnected I used code that ANDY posted.
Anyone see what I did wrong? I'm really tired atm, so its possible i made some big mistakes -
Don't program when your really tired because you waste time ;D
-CODE-
With clsP
.SetBuffer dAta
.Skip 1
.Skip 2
PackID = .GetByte
End With
Select Case PackID
Case &H0
pMD5 = clsP.GetString '(16)
pKey = clsP.GetString '(16)
pLen = clsP.GetDWORD
with clsp
.InsertBYTE &H1
ToSend = DoCryptWarden(dAta, wKeyOut)
.InsertString ToSend
.sendPacket frmMain.sckBot, &H5E, iNdex
end with
Thats it, nothing else
Public Function DoCryptWarden(ByVal sData As String, ByRef sKey As String) As String
Dim bKey() As Byte
Dim dAta() As Byte
Dim i As Long
Dim temp As Byte
Dim Y As Long
Dim Z As Long
StrToByteArrayWarden sKey, bKey
Y = bKey(&H100)
Z = bKey(&H101)
StrToByteArrayWarden sData, dAta
For i = 0 To UBound(dAta)
Y = (Y + 1) And &HFF
Z = (Z + bKey(Y)) And &HFF
temp = bKey(Y)
bKey(Y) = bKey(Z)
bKey(Z) = temp
dAta(i) = dAta(i) Xor bKey((CInt(bKey(Y)) + CInt(bKey(Z))) And &HFF)
Next i
bKey(&H100) = Y
bKey(&H101) = Z
sKey = ByteArrayToStrWarden(bKey)
DoCryptWarden = ByteArrayToStrWarden(dAta)
End Function
instead of class module i moved it to a regular module
Option Explicit
Private Declare Function StandardSHA Lib "RSHA.dll" (sVal As String) As String
Private Position As Long
Private RandomData() As Byte
Private RandomSource1() As Byte
Private RandomSource2() As Byte
Also, is position,RandomData, RandomSource1, RandomSource2 something that needs to be saved for later use?
dim stringforwarden as string * 20
InitializeWarden Left$(stringforwarden , 4)
string for warden doesn't contain anything but 20 null values when passed onto InitializeWarden
wKeyOut = SimpleCryptWarden(GetBytesWarden(&HF))
wKeyIn = SimpleCryptWarden(GetBytesWarden(&HF))
Public Function GetBytesWarden(ByVal Bytes As Long) As String
Dim i As Integer
Dim Buffer() As Byte
ReDim Buffer(Bytes) As Byte
For i = 0 To Bytes
Buffer(i) = GetByteWarden
Next i
GetBytesWarden = ByteArrayToStrWarden(Buffer)
End Function
Public Function ByteArrayToStrWarden(ByRef bByt() As Byte) As String
Dim sStr As String
Dim i As Integer
For i = 1 To UBound(bByt) + 1
sStr = sStr & Chr$(bByt(i - 1))
Next i
ByteArrayToStrWarden = sStr
End Function
Help pls, I havn't gotten enough sleep last night and the sun is going to rise soon.
Hyyyy replaced, why wont my vee bee six code work? I ripped it straight from AssBot and it doesnt even connekct lol!!1 W T F!! I dee kay what i might be doing RONG, bekauze i was teird whan i waz implomenting the BOT in my PORGRAM (lol u shuld never kode when u r tierd):
-CODE-
Private Sub cboChat_KeyPress(KeyAscii As Integer)
Dim i&
Dim s$
Dim r&
If Len(cboChat.Text) > 255 Then KeyAscii = 0
If (KeyAscii = vbKeyReturn) And (cboChat.Text <> "") And (wskBNet.State = 7) Then
wskBNet.SendData cboChat.Text & vbCrLf
If g_Telnet Then
tmrDelay.Enabled = True
Do While tmrDelay.Enabled
DoEvents
Loop
End If
If Left(cboChat.Text, 1) <> "/" Then AddChat vbCyan, "<" & g_ConnectedUsername & "> ", vbWhite, cboChat.Text
s = cboChat.Text
For i = (cboChat.ListCount - 1) To 1 Step -1
cboChat.List(i) = cboChat.List(i - 1)
Next i
cboChat.List(0) = s
cboChat.Text = ""
ElseIf (KeyAscii = vbKeyReturn) And (cboChat.Text <> "") And (wskBNet.State <> 7) Then
r = MsgBox("You are currently not connected. You need to be connected to send messages." & _
vbNewLine & "Would you like to connect now?", vbYesNo + vbQuestion, App.Title & " Error")
If r = vbYes Then mnuConnect_Click
End If
End Sub
leik i saids it doent evn konect so pls help me pls pls pls
im pretty sure that is the conect coed so tell me wut is rong with that
her is my Packet Log.
03 04 49 20 4C 4F 56 45 20 52 45 53 45 52 56 45 44 0D 0A 21 21 31 0D 0A
thankx in advanced
On a serious note, do you understand what you're supposed to be passing as the first parameter of initalizewarden? The entire point of the encryption is to use the first dword of the cdkey hash as the base encryption seed. I've lost count of how many times that was said in this thread.
Quote from: brew on March 30, 2008, 08:11 AM
Hyyyy replaced, why wont my vee bee six code work? I ripped it straight from AssBot and it doesnt even connekct lol!!1 W T F!! I dee kay what i might be doing RONG, bekauze i was teird whan i waz implomenting the BOT in my PORGRAM (lol u shuld never kode when u r tierd):
-CODE-
Private Sub cboChat_KeyPress(KeyAscii As Integer)
Dim i&
Dim s$
Dim r&
If Len(cboChat.Text) > 255 Then KeyAscii = 0
If (KeyAscii = vbKeyReturn) And (cboChat.Text <> "") And (wskBNet.State = 7) Then
wskBNet.SendData cboChat.Text & vbCrLf
If g_Telnet Then
tmrDelay.Enabled = True
Do While tmrDelay.Enabled
DoEvents
Loop
End If
If Left(cboChat.Text, 1) <> "/" Then AddChat vbCyan, "<" & g_ConnectedUsername & "> ", vbWhite, cboChat.Text
s = cboChat.Text
For i = (cboChat.ListCount - 1) To 1 Step -1
cboChat.List(i) = cboChat.List(i - 1)
Next i
cboChat.List(0) = s
cboChat.Text = ""
ElseIf (KeyAscii = vbKeyReturn) And (cboChat.Text <> "") And (wskBNet.State <> 7) Then
r = MsgBox("You are currently not connected. You need to be connected to send messages." & _
vbNewLine & "Would you like to connect now?", vbYesNo + vbQuestion, App.Title & " Error")
If r = vbYes Then mnuConnect_Click
End If
End Sub
leik i saids it doent evn konect so pls help me pls pls pls
im pretty sure that is the conect coed so tell me wut is rong with that
her is my Packet Log.
03 04 49 20 4C 4F 56 45 20 52 45 53 45 52 56 45 44 0D 0A 21 21 31 0D 0A
thankx in advanced
On a serious note, do you understand what you're supposed to be passing as the first parameter of initalizewarden? The entire point of the encryption is to use the first dword of the cdkey hash as the base encryption seed. I've lost count of how many times that was said in this thread.
By reading your retarded post I think I just left this thread more of an idiot as when I opened it.
WTF is wrong with you people!
first someone tell me what value exactly do i put in InitializeWarden??
then is this code correct?
With clsP
.InsertBYTE &H1
ToSend = DoCryptWarden(Data, wKeyOut)
.InsertString ToSend
.sendPacket frmMain.sckBot, &H5E
End With
what does Data supposed to consist of? The entire packet?
Make a clsWarden file, with the following (trimmed and updated) code:
Option Explicit
Private Declare Function StandardSHA Lib "RSHA.dll" (sVal As String) As String
Private Position As Long
Private RandomData() As Byte
Private RandomSource1() As Byte
Private RandomSource2() As Byte
Private Function RShift(ByVal pnValue As Double, ByVal pnShift As Long) As Long
Dim Shft As String
Shft = Str$(pnValue / (2 ^ pnShift))
If InStr(Shft, ".") > 0 Then
RShift = CLng(Left$(Shft, InStr(Shft, ".") - 1))
Else
RShift = CLng(Shft)
End If
End Function
Public Sub Initialize(Seed As String)
Dim Length1 As Long
Dim Length2 As Long
Dim Seed1() As Byte
Dim Seed2() As Byte
Dim I As Long
Length1 = RShift(Len(Seed), 1)
Length2 = Len(Seed) - Length1
ReDim Seed1(Length1 - 1)
ReDim Seed2(Length2 - 1)
StrToByteArray Mid$(Seed, 1, Length1), Seed1
StrToByteArray Mid$(Seed, Length1 + 1, Length2), Seed2
ReDim RandomData(&H13) As Byte
StrToByteArray StandardSHA(ByteArrayToStr(Seed1)), RandomSource1
StrToByteArray StandardSHA(ByteArrayToStr(Seed2)), RandomSource2
Update
Position = 0
End Sub
Private Sub Update()
StrToByteArray StandardSHA(ByteArrayToStr(RandomSource1) & ByteArrayToStr(RandomData) & ByteArrayToStr(RandomSource2)), RandomData
End Sub
Private Function GetByte() As Byte
GetByte = RandomData(Position)
Position = Position + 1
If Position >= &H14 Then
Position = 0
Update
End If
End Function
Public Function GetBytes(ByVal bytes As Long) As String
Dim I As Integer
Dim Buffer() As Byte
ReDim Buffer(bytes) As Byte
For I = 0 To bytes
Buffer(I) = GetByte
Next I
GetBytes = ByteArrayToStr(Buffer)
End Function
Public Sub StrToByteArray(ByVal sStr As String, ByRef Ary() As Byte)
Dim I As Integer
ReDim Ary(Len(sStr) - 1) As Byte
RtlMoveMemory Ary(0), ByVal sStr, Len(sStr)
End Sub
Public Function ByteArrayToStr(ByRef bByt() As Byte, Optional ByVal lLoc As Long = 0) As String
Dim sStr As String
Dim I As Integer
sStr = String$(UBound(bByt) + 1, 0)
RtlMoveMemory ByVal sStr, bByt(lLoc), UBound(bByt) + 1
ByteArrayToStr = sStr
End Function
Public Sub SimpleCrypt(ByRef bBase() As Byte, ByRef bKey() As Byte)
Dim lVal As Long
Dim I As Long
Dim lPos As Long
Dim temp As Byte
ReDim bKey(&H101) As Byte
For I = 0 To &HFF
bKey(I) = I
Next I
For I = 1 To &H40
lVal = lVal + bKey(I * 4 - 4) + bBase(lPos Mod (UBound(bBase) + 1))
lPos = lPos + 1
temp = bKey(I * 4 - 4)
bKey(I * 4 - 4) = bKey(lVal And &HFF)
bKey(lVal And &HFF) = temp
lVal = lVal + bKey(I * 4 - 3) + bBase(lPos Mod (UBound(bBase) + 1))
lPos = lPos + 1
temp = bKey(I * 4 - 3)
bKey(I * 4 - 3) = bKey(lVal And &HFF)
bKey(lVal And &HFF) = temp
lVal = lVal + bKey(I * 4 - 2) + bBase(lPos Mod (UBound(bBase) + 1))
lPos = lPos + 1
temp = bKey(I * 4 - 2)
bKey(I * 4 - 2) = bKey(lVal And &HFF)
bKey(lVal And &HFF) = temp
lVal = lVal + bKey(I * 4 - 1) + bBase(lPos Mod (UBound(bBase) + 1))
lPos = lPos + 1
temp = bKey(I * 4 - 1)
bKey(I * 4 - 1) = bKey(lVal And &HFF)
bKey(lVal And &HFF) = temp
Next I
End Sub
Public Sub DoCrypt(ByRef bData() As Byte, ByRef bKey() As Byte, ByRef bRet() As Byte)
Dim I As Long
Dim temp As Byte
Dim Y As Long
Dim Z As Long
ReDim bRet(UBound(bData))
RtlMoveMemory bRet(0), bData(0), UBound(bData) + 1
Y = bKey(&H100)
Z = bKey(&H101)
For I = 0 To UBound(bData)
Y = (Y + 1) And &HFF
Z = (Z + bKey(Y)) And &HFF
temp = bKey(Y)
bKey(Y) = bKey(Z)
bKey(Z) = temp
bRet(I) = bRet(I) Xor bKey((CInt(bKey(Y)) + CInt(bKey(Z))) And &HFF)
Next I
bKey(&H100) = Y
bKey(&H101) = Z
End Sub
In your BNCS connection code, add the following private declarations:
Private cWarden As New clsWarden
Private wKeyOut() As Byte
Private wKeyIn() As Byte
In SID_AUTH_CHECK, somewhere after hashing your CDKey, add:
cWarden.Initialize Left$(KeyHash, 4)
cWarden.StrToByteArray cWarden.GetBytes(&HF), bRet()
cWarden.SimpleCrypt bRet(), wKeyOut()
cWarden.StrToByteArray cWarden.GetBytes(&HF), bRet()
cWarden.SimpleCrypt bRet(), wKeyIn()
To handle SID_Warden (5E):
Private Sub SID_Recv_Warden()
Dim bData() As Byte
Dim bRet() As Byte
Dim sData As String
Dim lPos As Long
Dim nFile As Integer
Dim EventNo As Byte
Dim I As Long
Dim Loops As Long
Dim Vals() As String
Dim addr() As Long
Dim readlen As Byte
Dim ToSend As String
Dim Checksum As Long
Const Req1 As Long = &H497FB0
Const Req2 As Long = &H49C33D
Const Req3 As Long = &H4A2FF7
sData = Packet.GetNull
cWarden.StrToByteArray sData, bData()
cWarden.DoCrypt bData(), wKeyIn(), bRet()
Select Case bRet(0)
Case &H0
Packet.ClearOutbound
ReDim bData(0)
bData(0) = &H1
cWarden.DoCrypt bData(), wKeyOut(), bRet()
Packet.InsertString cWarden.ByteArrayToStr(bRet())
AddQueue Packet.SendBNCSPacket(SID_WARDEN)
Case &H2
If LenB(Dir$(CFm_HashPath & "\StarCraft.exe")) > 0 Then
EventNo = bRet(1)
Loops = (Len(sData) - 3) / 7
ReDim Vals(Loops - 1) As String
ReDim addr(Loops - 1) As Long
nFile = FreeFile
Open CFm_HashPath & "\StarCraft.exe" For Binary Access Read As #nFile
lPos = 2
For I = 0 To Loops - 1
lPos = lPos + 2
RtlMoveMemory addr(I), bRet(lPos), 4
lPos = lPos + 4
readlen = bRet(lPos)
lPos = lPos + 1
Vals(I) = String$(readlen, 0)
Get #nFile, addr(I) - &H400000 + 1, Vals(I)
Next I
Close #nFile
If addr(0) = Req1 And addr(1) = Req2 And addr(2) = Req3 Then
Checksum = &H193E73E8
ElseIf addr(0) = Req2 And addr(1) = Req1 And addr(2) = Req3 Then
Checksum = &HD6557DEF
ElseIf addr(0) = Req1 And addr(1) = Req3 And addr(2) = Req2 Then
Checksum = &H2183172A
ElseIf addr(0) = Req2 And addr(1) = Req3 And addr(2) = Req1 Then
Checksum = &HCA841860
ElseIf addr(0) = Req3 And addr(1) = Req2 And addr(2) = Req1 Then
Checksum = &H9F2AD2C3
ElseIf addr(0) = Req3 And addr(1) = Req1 And addr(2) = Req2 Then
Checksum = &HC04CF757
Else
RaiseEvent BNetError("Unknown Warden Request! You will be disconnected in two minutes.")
Exit Sub
End If
Packet.ClearOutbound
For I = 0 To Loops - 1
Packet.InsertByte &H0
Packet.InsertString Vals(I)
Next I
ToSend = Packet.GetOutbound
ToSend = Chr$(&H2) & Packet.CreateWORD(Len(ToSend)) & Packet.CreateDWORD(Checksum) & ToSend
cWarden.StrToByteArray ToSend, bData()
Packet.ClearOutbound
cWarden.DoCrypt bData(), wKeyOut(), bRet()
Packet.InsertString cWarden.ByteArrayToStr(bRet())
AddQueue Packet.SendBNCSPacket(SID_WARDEN)
Else
RaiseEvent BNetError("Can't respond to Warden without StarCraft.exe!")
End If
Case Else
RaiseEvent BNetError("Unknown Warden Packet: " & StH(sData))
End Select
End Sub
That may make things a bit easier to understand.
Quote from: Dale on March 30, 2008, 01:15 PM
By reading your retarded post I think I just left this thread more of an idiot as when I opened it.
Holy shit, if you think that post was retarded, then why not say the same about replaced's?
And I don't ever remember asking for your opinion.
Your satire = fail.
Quote from: brew on March 30, 2008, 02:32 PM
Quote from: Dale on March 30, 2008, 01:15 PM
By reading your retarded post I think I just left this thread more of an idiot as when I opened it.
Holy shit, if you think that post was retarded, then why not say the same about replaced's?
And I don't ever remember asking for your opinion.
I believe posting on a public forum has nothing to do with accepting one's opinions.
Still does not work, found the problem but not the solution.
I get the msgbox "hello", but not hi1 or hi2
I don't have an "on error resume next" code in the sub
Dim clsP As New clsPacket
With clsP
.SetBuffer datA
.Skip 1
.Skip 2
PackID = .GetByte
End With
bRet(0) = PackID
datA = clsP.GetNTString
msgbox("hello")
cWarden.StrToByteArray datA, bData()
MsgBox ("hi1")
cWarden.DoCrypt bData(), wKeyIn(), bRet()
MsgBox ("hi2")
"datA = clsP.GetNTString" what code should this be?? I replaced "sData = Packet.GetNull" with that.
getnull same as get null terminated string?
whats packet.getnull do?
I just added this code ontop
Dim stringx As String
stringx = StrToHex(bData())
Open App.Path & "/debug.txt" For Append As #1
Print #1, stringx
stringx = StrToHex(wKeyIn())
Print #1, stringx
stringx = StrToHex(bRet())
Print #1, stringx
Close #1
this is what comes in my txt file
3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 4D 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 52 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 00
thats it, 1 null value, then a bunch of 3F's, then another null value
Just post which values come from where, just like bnet docs b/c i've been playing around this for hours i'll even give war3 keys if some1 helps me ><!!
in my text file is now
FF 5E 29 00 06 FA C1 FC FB 0A DA 38 8A 2C A1 47 83 C3 31 11 E7 35 11 18 CF A8 9A 77 CD 38 42 98 34 C1 F4 DF 41 18 32 F3 B0
3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 4D 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 52 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 3F 00
now i get "Unknown Warden Packet: ÿ^)"
Use the code exactly as I gave it.
Quote from: Andy on March 30, 2008, 04:07 PM
Use the code exactly as I gave it.
I'm unable to because I use a different packet buffer and I don't use BNCSutil
I got it to go all the way thru but it still doesn't send out the packet
what does Packet.GetNull do?
Packet.ClearOutbound same as clearing the packet that would be set out?
If packet.getnull gets the last packet (5e) would it be this?
0000
FF 5E 29 00 44 0D 06 0F 85 C0 E4 F3 D6 14 C1 EB .^).D...........
0010 B7 F9 82 25 74 D8 7A 2F 07 25 4A 21 4B 65 02 07 ...%t.z/.%J!Ke..
0020 EC B6 52 D0 8C CE 27 02 57 ..R...'.W
or this
0000 44 0D 06 0F 85 C0 E4 F3 D6 14 C1 EB .^).D...........
0010 B7 F9 82 25 74 D8 7A 2F 07 25 4A 21 4B 65 02 07 ...%t.z/.%J!Ke..
0020 EC B6 52 D0 8C CE 27 02 57 ..R...'.W
without the first 4 chars?
OK, now I just copy and pasted ur code with a few modifications otherwise it will not compile
Here's my result
Unknown Warden Packet: FF 5E 29 00 F0 B2 9F 53 1D 0A 9E 1C 4E 0C 8F 22 4A 61 B3 A1 21 64 2E 05 8B 86 EC 89 75 86 DE F2 6A 3B F6 99 D1 C4 7C 8F 53
bRet(0):202
Here's my new code, more complete
Public Function ParsePacket(ByVal datA As String)
If Len(datA) = 0 Or Asc(Left(datA, 1)) <> 255 Then Exit Function
data2 = datA
With clsI
.SetBuffer datA
.Skip 1
PacketId = .GetByte
.Skip 2
End With
Select Case PacketId
Case &H5E
SID_Recv_Warden datA
...
end function
Public Sub SID_Recv_Warden(datA As String)
Dim clsP As New clsPacket
sData = datA
cWarden.StrToByteArray sData, bData()
cWarden.DoCrypt bData(), wKeyIn(), bRet()
Select Case bRet(0)
Case &H0
clsP.Clear
ReDim bData(0)
bData(0) = &H1
cWarden.DoCrypt bData(), wKeyOut(), bRet()
With clsP
.InsertString cWarden.ByteArrayToStr(bRet())
.sendPacket frmMain.sckBot, &HE
End With
Case Else
AddChat vbRed, "Unknown Warden Packet: " & StrToHex(datA)
AddChat vbRed, "bRet(0):" & bRet(0)
End Select
Right now bret(0) equaled 202, not zero.
Know why?
I also tried sData = Mid$(datA, 5) and it still did not work - bret(0) equaled 233
GetNull gets all the data from the current read position on. In your example it would be the second one, without the 4 byte header. You should at least read the documentation iago posted before trying to adapt my code.
Quote from: Andy on March 30, 2008, 05:42 PM
GetNull gets all the data from the current read position on. In your example it would be the second one, without the 4 byte header. You should at least read the documentation iago posted before trying to adapt my code.
Where's the documentation??
The 4 byte header one still gives me THE WRONG bRet(0)!
Maybe I got the code to initialize wrong
here's my code
Public Function Send0x51(datA As String)
AccountHash = String(20, vbNullChar)
cWarden.Initialize Left$(AccountHash, 4)
cWarden.StrToByteArray cWarden.GetBytes(&HF), bRet()
cWarden.SimpleCrypt bRet(), wKeyOut()
cWarden.StrToByteArray cWarden.GetBytes(&HF), bRet()
cWarden.SimpleCrypt bRet(), wKeyIn()
In making the packet...
.InsertDWORD &H0
.InsertDWORD Len(CDKey)
.InsertDWORD lngProdID
.InsertDWORD lngValue1
.InsertDWORD &H0
.InsertNonNTString AccountHash
Am I suppose to use the AccountHash??
sData = Mid$(datA, 5)
cWarden.StrToByteArray sData, bData()
'problem below
cWarden.DoCrypt bData(), wKeyIn(), bRet()
MsgBox ("HI3")Right now it won't pass cWarden.DoCrypt bData(), wKeyIn(), bRet()
msgbox("HI3") doesn't come up, ill now place msgboxes in docrypt and see where it stops
PROBLEM FOUND!
Public Sub DoCrypt(ByRef bData() As Byte, ByRef bKey() As Byte, ByRef bRet() As Byte)
Dim i As Long
Dim temp As Byte
Dim Y As Long
Dim Z As Long
ReDim bRet(UBound(bData))
RtlMoveMemory bRet(0), bData(0), UBound(bData) + 1
MsgBox ("yes0")
'msg box DOES COME UP
Y = bKey(&H100)
MsgBox ("yes1")
'msg box does NOT COME UP
Z = bKey(&H101)
For i = 0 To UBound(bData)
Y = (Y + 1) And &HFF
Z = (Z + bKey(Y)) And &HFF
temp = bKey(Y)
bKey(Y) = bKey(Z)
bKey(Z) = temp
bRet(i) = bRet(i) Xor bKey((CInt(bKey(Y)) + CInt(bKey(Z))) And &HFF)
Next i
'bad
bKey(&H100) = Y
bKey(&H101) = Z
End Subat the code " Y = bKey(&H100)"
the msgbox after that does not come up
1 line of bad code
Public Sub DoCrypt(ByRef bData() As Byte, ByRef bKey() As Byte, ByRef bRet() As Byte)
Dim Y As Long
Y = bKey(&H100)http://img509.imageshack.us/img509/5600/codeisbadhp3.jpg
(http://img509.imageshack.us/img509/5600/codeisbadhp3.th.jpg) (http://img509.imageshack.us/my.php?image=codeisbadhp3.jpg)
Do you have Break on All Errors enabled in Options>General>Error Trapping? And the documentation's on the first post of this topic.
editted, success!!
the entire problem was due to
Private cWarden As New clsWarden
not being placed on the same module where my send 0x51 packet is
but now I get this...
10 63.240.202.126:6112 192.168.0.100:5753 41 Recv
0000 FF 5E 29 00 2C C4 81 EA 60 3B B1 C6 12 F2 E0 A8 .^).,...`;......
0010 C7 FB CA 10 55 9C E4 93 B0 61 8A BA 8C 6B A3 FA ....U....a...k..
0020 EA 12 9E AE 44 F9 E0 17 8E ....D....
11 192.168.0.100:5753 63.240.202.126:6112 5 Send
0000 FF 5E 05 00 51 .^..Q
12 63.240.202.126:6112 192.168.0.100:5753 28 Recv
0000 FF 5E 1C 00 E8 2D 91 03 78 6F 1C A2 AD DD C6 97 .^...-..xo......
0010 CB 6C 74 6C 5A BA 15 DC B8 12 66 2E .ltlZ.....f.
Now my bot won't respond to the second warden packet, why?
What happens when you get to the 2nd opcode? Are you decoding it correctly?
Are you sure that your crypto states are being saved over multiple packets?
Quote from: Hdx on March 30, 2008, 11:02 PM
What happens when you get to the 2nd opcode? Are you decoding it correctly?
Are you sure that your crypto states are being saved over multiple packets?
I guess i'm going to have to painfully put msgboxes all over the place to find out where it stops :'(
I think my crypto states are being saved over multiple packet, I got them publicly declared. I'll see where it stops and check the values of the variables that I got.
Quote from: replaced on March 30, 2008, 11:02 PM
Quote from: Hdx on March 30, 2008, 11:02 PM
What happens when you get to the 2nd opcode? Are you decoding it correctly?
Are you sure that your crypto states are being saved over multiple packets?
I guess i'm going to have to painfully put msgboxes all over the place to find out where it stops :'(
debug.print?
I get EXACTLY 4 msg boxes of "001"
I get EXACTLY 3 msg boxes of "002"
It does the loop 3 times but at the 4th loop it stops the code "RtlMoveMemory addr(i), bRet(lPos), 4"
EDITTED - FIXED
NOW I GOT ANOTHER PROBLEM :'(
13 63.240.202.126:6112 192.168.0.100:6178 41 Recv
0000 FF 5E 29 00 6B 75 E8 53 D6 F0 A1 5E FF F6 3B BE .^).ku.S...^..;.
0010 58 D7 F3 A5 A3 05 B8 6F D2 30 0B 1A C0 87 1C B4 X......o.0......
0020 78 AD 2B C3 D2 BA 16 2E D3 x.+......
14 192.168.0.100:6178 63.240.202.126:6112 5 Send
0000 FF 5E 05 00 A5 .^...
15 63.240.202.126:6112 192.168.0.100:6178 28 Recv
0000 FF 5E 1C 00 DA 64 C7 09 D4 9E 6B B1 E8 35 AE F4 .^...d....k..5..
0010 3B 3D 64 44 79 35 79 F6 E2 8B 8F FE ;=dDy5y.....
16 192.168.0.100:6178 63.240.202.126:6112 82 Send
0000 FF 5E 52 00 00 84 5E 0C 74 05 E8 F6 54 F9 FF 8B .^R...^.t...T...
0010 76 04 85 00 00 83 00 00 00 8B 55 08 00 00 A3 68 v.........U....h
0020 CC 59 00 E8 DF 23 00 07 82 72 F7 B8 F7 17 A9 FE .Y...#...r......
0030 90 70 07 99 D5 39 5B 5F 06 1B 25 D4 6D 4D F9 6A .p...9[_..%.mM.j
0040 DD A0 5A 44 FB F7 8A AF C9 27 87 C7 41 24 E1 DB ..ZD.....'..A$..
0050 4B 00 K.
DISCONNECT AFTER RESPONDING TO THE SECOND WARDEN REQUEST
HUmm, with new information come to light about your identity, I have conclude that you are not worth helping and that with all the information that is available, you do not have a reason to be confused.
WOOHOO
FINALLY IT WORKS LOL
NOW THIS NIGHTMARE IS OVER ;D ;D ;D
Quote from: replaced on March 31, 2008, 12:41 AM
WOOHOO
FINALLY IT WORKS LOL
NOW THIS NIGHTMARE IS OVER ;D ;D ;D
mm i wouldn't call it a nightmare since all you did was copy and paste, you should be thanking Andy.
New problem,
it does respond to warden but something now happens that never happened before-
My bot freezes! It NEVER has before and now does every time!
Find out where, and if it's in a loop, maybe throw in a DoEvents?
Quote from: Hdx on March 30, 2008, 11:49 PM
HUmm, with new information come to light about your identity, I have conclude that you are not worth helping and that with all the information that is available, you do not have a reason to be confused.
If I didnt know better, I would say replaced is aka NeSucks trying to get his load/flood bot working again ::)
Quote from: Archangel. on March 31, 2008, 01:23 AM
you should be thanking Andy.
lol :)
Quote from: Andy on March 31, 2008, 01:53 AM
Find out where, and if it's in a loop, maybe throw in a DoEvents?
I can think of better ways of fixing a loop that never exits :)
replaced: As said above, try reading the documentation iago posted, to gain a better understanding of the process rather than just copying the code andy posted.
And if you can't find what I posted in this thread (hint: the first post), try http://www.skullsecurity.org/wiki/index.php/Starcraft_Warden
ahhh!!
I would suggest to make a new topic for supporting replaced?
this topic is just making longer and losing its original track.
Its not nice to start reading this topic then ending with this kind of questions :(.
Quote from: Ringo on March 31, 2008, 08:01 AM
If I didnt know better, I would say replaced is aka NeSucks trying to get his load/flood bot working again ::)
lol :)
I can think of better ways of fixing a loop that never exits :)
replaced: As said above, try reading the documentation iago posted, to gain a better understanding of the process rather than just copying the code andy posted.
haha to late newb, I already got warden working and its going to be implemented in my bot.
LISTEN UP PPL, ringo has cracked the sc key algorithm and i got keys from him ;D
thx ringo now i got 9k working sc
ringo liked to scan the product 2 keys
I need warden in genocide so other ppl can load to, I just use war3 and d2 keys right now
Have fun with that, but I don't think mass loading on VB6 with all that work (reading from files, decrypting a lot, etc...) is the smartest idea...
Quote from: Andy on March 31, 2008, 01:40 PM
Have fun with that, but I don't think mass loading on VB6 with all that work (reading from files, decrypting a lot, etc...) is the smartest idea...
I think the bigger problem is that, as soon as somebody abuses bots again, Blizzard is going to update their Warden modules and everybody will be back to square one again.
That, or they'll actually ban users that don't return the proper checksum.
Either way, painful for bot makers. :)
I thought after all this time nes, you wouldn't have to resort to something like this to get what you wanted done :\
Quote from: replaced on March 31, 2008, 12:12 PM
haha to late newb, I already got warden working and its going to be implemented in my bot.
LISTEN UP PPL, ringo has cracked the sc key algorithm and i got keys from him ;D
thx ringo now i got 9k working sc
ringo liked to scan the product 2 keys
I need warden in genocide so other ppl can load to, I just use war3 and d2 keys right now
Thought it was you, lol :) you stick out like a saw thum.
If your talking about those cdkeys I posted (and then deleted) from the starcraft cdkey topic on this forum, everyone has them :-\
We all know how you really got most of your cdkeys, with ur back door'ed load bot.
Aside, no one cares.
Quote from: Andy on March 31, 2008, 01:40 PM
Have fun with that, but I don't think mass loading on VB6 with all that work (reading from files, decrypting a lot, etc...) is the smartest idea...
I dont think posting full vb6 code for it was a good idea, but thats just me. It just allows ppl to avoid the reall learning required :)
But your code looked very messy/slow, so your probly right :D
Theres little wrong with VB6, tbh. I got SHA1 to run 17% faster in vb6 than blizzards SHA1 runs in d2.
Quote from: iago on March 31, 2008, 01:45 PM
I think the bigger problem is that, as soon as somebody abuses bots again, Blizzard is going to update their Warden modules and everybody will be back to square one again.
That, or they'll actually ban users that don't return the proper checksum.
Either way, painful for bot makers. :)
Hopefully, im bored :D
I dont think many people have implemented this yet anyway, at least, not many public release's (afaik)
But if/when that time comes, im sure nes (Replaced) will get off on thinking he caused it. Im supprised they havent updated already.
I agree with Ringo.
Quote
I dont think posting full vb6 code for it was a good idea
I hope bnet will update warden module.
Ya... maybe I'll just let full descriptions be the most that's given from now on.
LoL, I figured out that the code posted wasn't the problem -- my code was :'(
It's been a long time since I've looked at Warden (maybe a year?) but other than the info that iago has given out, the rest of Warden can't be discussed as Warden itself. Some of it may have changed since then but it should be pretty close. The Warden engine is just an infrastructure that loads up the initial mini-programs into memory and executes queries specific to the modules loaded up. In order to talk about the Warden modules, you have to indicate which module it is since all the parsing is done inside the module and not in the Warden engine itself.
Initially Warden didn't contain checksums in the 02 replies but I think it's standard in all the Warden modules now. I believe all the Warden modules for all the games used to be the same but all compiled differently and have different hashes (WoW Warden modules used to contain the detection methods for D2 and even contained the D2Client.dll string). Generally there are hundreds/thousands of modules for a given version of the Warden modules and each one is compiled differently and the 02 protocol for each is different. The 02 format I've seen has always been 02 <cmd1> <cmd2> ... <cmdn>, though they can change it at any time. It took a long time, but they eventually switched it up so cmd1 ... cmdn weren't always in the same order, and they eventually split it up so each packet won't always have all n commands (it'll be n1, n2, n3, etc commands per packet out of m total queries). The number of queries I saw for SC was around 2-4. In D2, there are probably around 10-20. For WoW, there were probably over 20-30 when I last checked.
How the to encrypt/decrypt messages, perform hashes, calculate checksums, etc is irrelevant, as it is all described in the Warden module and can change at any time. I've never seen them change the encryption/decryption routines but they've modified the other stuff in the past. The other protocol commands (00, 01, etc) can be changed as well so you can't assume those will remain the same after loading the initial module. That's the beauty of it and why it's tough for most people to figure out a safe, general solution to it, and it's also why it's a big security concern since it's running code that you generally won't be able to check (nor will file scanners detect any malicious code since the format isn't coded into the virus scanners). From what I saw, they've implemented enough in the Warden engine that it'd be hard for a man in the middle attacker to inject their own malicious Warden module into your client.
In WoW, the session keys from both the server and the client are used to initialize the initial RC4 tables.
The SHA1 used for initializing the tables is standard.
Alright, so I attempted to convert this all to C# (from iago's notes, mostly, which are in Java), and now it compiles and doesn't error, but it incorrectly decrypts it.
My first thought is that I converted the WardenRandom class wrong...
/// <summary>This structure is used to create the decryption base for the simple encryption class.</summary>
internal class WardenRandom
{
private int Position;
private byte[] Data1;
private byte[] Data2;
private byte[] Data3;
public WardenRandom(byte[] seed)
{
Data1 = new byte[0x14];
Data2 = new byte[0x14];
Data3 = new byte[0x14];
int length1 = (int) seed.Length >> 1; //2
int length2 = seed.Length - length1; //2
byte[] seed1 = new byte[length1];
byte[] seed2 = new byte[length2];
for (int i = 0; i < length1; i++)
seed1[i] = seed[i];
for (int i = 0; i < length2; i++)
seed2[i] = seed[i + length1];
Data2 = new ByteFromIntArray(true).getByteArray(WardenSHA1.hash(seed1));
Data3 = new ByteFromIntArray(true).getByteArray(WardenSHA1.hash(seed2));
update();
Position = 0;
}
private void update()
{
WardenSHA1 wsha1 = new WardenSHA1();
wsha1.update(Data2);
wsha1.update(Data1);
wsha1.update(Data3);
Data1 = new ByteFromIntArray(true).getByteArray(wsha1.digest());
}
public byte[] GetBytes(int a_iCount)
{
byte[] m_bBytes = new byte[a_iCount];
for (int i = 0; i < a_iCount; i++)
m_bBytes[i] = GetByte();
return m_bBytes;
}
private byte GetByte()
{
int m_iPos = Position;
byte m_bVal = Data1[m_iPos];
m_iPos++;
if (m_iPos >= 0x14)
{
m_iPos = 0;
update();
}
Position = m_iPos;
return m_bVal;
}
}
/// <summary>This class hashes Warden style.</summary>
internal class WardenSHA1
{
private int[] bitlen = new int[2];
private int[] state = new int[0x15];
public static int[] hash(byte[] data)
{
return WardenSHA1.hash(byteArrayToCharArray(data));
}
public static int[] hash(char[] data)
{
WardenSHA1 ctx = new WardenSHA1();
ctx.update(data);
return ctx.digest();
}
public static int[] hash(String data)
{
return WardenSHA1.hash(data.ToCharArray());
}
public WardenSHA1()
{
bitlen[0] = 0;
bitlen[1] = 0;
unchecked
{
state[0] = (int) 0x67452301;
state[1] = (int) 0xEFCDAB89;
state[2] = (int) 0x98BADCFE;
state[3] = (int) 0x10325476;
state[4] = (int) 0xC3D2E1F0;
}
}
private static int reverseEndian(int i)
{
unchecked
{
i = ((int) (i << 24) & (int) 0xFF000000) |
((int) (i << 8) & (int) 0x00FF0000) |
((int) (i >> 8) & (int) 0x0000FF00) |
((int) (i >> 24) & (int) 0x000000FF);
}
return i;
}
public int[] digest()
{
byte[] vars;
int len;
char[] MysteryBuffer;
int[] temp_vars = new int[2];
temp_vars[0] = WardenSHA1.reverseEndian(bitlen[1]);
temp_vars[1] = WardenSHA1.reverseEndian(bitlen[0]);
len = ((-9 - (bitlen[0] >> 3)) & 0x3F) + 1;
vars = (new ByteFromIntArray(true)).getByteArray(temp_vars);
MysteryBuffer = new char[len];
MysteryBuffer[0] = (char) 0x80;
for (int x = 1; x < len; x++)
MysteryBuffer[x] = (char) 0;
update(MysteryBuffer);
update(byteArrayToCharArray(vars));
int[] hash = new int[5];
for (int x = 0; x < 5; x++)
hash[x] = WardenSHA1.reverseEndian(state[x]);
return hash;
}
public void update(byte[] data)
{
this.update(WardenSHA1.byteArrayToCharArray(data));
}
public void update(char[] data)
{
int a = 0, b = 0, c = 0, x = 0, len = data.Length;
c = len >> 29;
b = len << 3;
a = (bitlen[0] / 8) & 0x3F;
if (bitlen[0] + b < bitlen[0] || bitlen[0] + b < b)
bitlen[1]++;
bitlen[0] += b;
bitlen[1] += c;
len += a;
x = -a;
ByteFromIntArray bfia = new ByteFromIntArray(true);
if (len >= 0x40)
{
if (a > 0)
{
while (a < 0x40)
{
bfia.insertByte(state, a + 0x14, (byte) data[a + x]);
a++;
}
transform(state);
len -= 0x40;
x += 0x40;
a = 0;
}
if (len >= 0x40)
{
b = len;
for (int i = 0; i < b / 0x40; i++)
{
for (int y = 0; y < 0x40; y++)
bfia.insertByte(state, y + 0x14, (byte) data[x + y]);
transform(state);
len -= 0x40;
x += 0x40;
}
}
}
while (a < len)
{
bfia.insertByte(state, 20 + a, (byte) data[a + x]);
a++;
}
return;
}
private static void transform(int[] hashBuffer)
{
int[] buf = new int[0x50];
int dw, a, b, c, d, e, p, i;
for (i = 5; i < hashBuffer.Length; i++)
hashBuffer[i] = WardenSHA1.reverseEndian(hashBuffer[i]);
for (i = 0; i < 0x10; i++)
buf[i] = hashBuffer[i + 5];
for (i = 0; i < 0x40; i++)
{
dw = buf[i + 13] ^ buf[i + 8] ^ buf[i + 0] ^ buf[i + 2];
buf[i + 16] = (dw >> 0x1f) | (dw << 1);
}
a = hashBuffer[0];
b = hashBuffer[1];
c = hashBuffer[2];
d = hashBuffer[3];
e = hashBuffer[4];
p = 0;
i = 0x14;
do
{
dw = ((a << 5) | (a >> 0x1b)) + ((~b & d) | (c & b)) + e + buf[p++] + 0x5a827999;
e = d;
d = c;
c = (b >> 2) | (b << 0x1e);
b = a;
a = dw;
}
while (--i > 0);
i = 0x14;
do
{
dw = (d ^ c ^ b) + e + ((a << 5) | (a >> 0x1b)) + buf[p++] + 0x6ED9EBA1;
e = d;
d = c;
c = (b >> 2) | (b << 0x1e);
b = a;
a = dw;
}
while (--i > 0);
i = 0x14;
do
{
dw = ((c & b) | (d & c) | (d & b)) + e + ((a << 5) | (a >> 0x1b)) + buf[p++] - 0x70E44324;
e = d;
d = c;
c = (b >> 2) | (b << 0x1e);
b = a;
a = dw;
}
while (--i > 0);
i = 0x14;
do
{
dw = ((a << 5) | (a >> 0x1b)) + e + (d ^ c ^ b) + buf[p++] - 0x359D3E2A;
e = d;
d = c;
c = (b >> 2) | (b << 0x1e);
b = a;
a = dw;
}
while (--i > 0);
hashBuffer[0] += a;
hashBuffer[1] += b;
hashBuffer[2] += c;
hashBuffer[3] += d;
hashBuffer[4] += e;
}
public void pad(int amount)
{
char[] emptybuffer = new char[0x1000];
for (int x = 0; x < 0x1000; x++)
emptybuffer[x] = '\0';
while (amount > 0x1000)
{
update(emptybuffer);
amount -= 0x1000;
}
emptybuffer = new char[amount];
for (int x = 0; x < amount; x++)
emptybuffer[x] = '\0';
update(emptybuffer);
}
public bool hash_file(String filename)
{
try
{
update(byteArrayToCharArray(File.ReadAllBytes(filename)));
}
catch (Exception e)
{
//System.out.println("lockdown_SHA1.hash_file(" + filename + ") Failed: " + e.toString());
return false;
}
return true;
}
private static char[] byteArrayToCharArray(byte[] a)
{
char[] buff = new char[a.Length];
for (int x = 0; x < a.Length; x++)
buff[x] = (char) (a[x] & 0x000000FF);
return buff;
}
}
/// <summary></summary>
internal class ByteFromIntArray
{
/*
* iago
* ByteFromIntArray.java
* Created on May 21, 2004, 11:39 AM
* This is a class to take care of treating an array of ints like a an array of bytes.
* Note that this always works in Little Endian
*/
private bool littleEndian;
public static ByteFromIntArray LITTLEENDIAN = new ByteFromIntArray(true);
public static ByteFromIntArray BIGENDIAN = new ByteFromIntArray(false);
public ByteFromIntArray(bool littleEndian)
{
this.littleEndian = littleEndian;
}
public byte getByte(int[] array, int location)
{
if ((location / 4) >= array.Length)
throw new ArgumentOutOfRangeException("location = " + location + ", number of bytes = " + (array.Length * 4));
int theInt = location / 4; // rounded
int theByte = location % 4; // remainder
// reverse the byte to simulate little endian
if (littleEndian)
theByte = 3 - theByte;
// I was worried about sign-extension here, but then I realized that they are being
// put into a byte anyway so it wouldn't matter.
if (theByte == 0)
return (byte) ((array[theInt] & 0x000000FF) >> 0);
else if (theByte == 1)
return (byte) ((array[theInt] & 0x0000FF00) >> 8);
else if (theByte == 2)
return (byte) ((array[theInt] & 0x00FF0000) >> 16);
else if (theByte == 3)
return (byte) ((array[theInt] & 0xFF000000) >> 24);
return 0;
}
/** This function is used to insert the byte into a specified spot in
* an int array. This is used to simulate pointers used in C++.
* Note that this works in little endian only.
* @param intBuffer The buffer to insert the int into.
* @param b The byte we're inserting.
* @param location The location (which byte) we're inserting it into.
* @return The new array - this is returned for convenience only.
*/
public int[] insertByte(int[] intBuffer, int location, byte b)
{
// Get the location in the array and in the int
int theInt = location / 4;
int theByte = location % 4;
// If we're using little endian reverse the hex position
if (littleEndian == false)
theByte = 3 - theByte;
int replaceInt = intBuffer[theInt];
// Creating a new variable here because b is a byte and I need an int
int newByte = b << (8 * theByte);
unchecked
{
switch (theByte)
{
case 0: replaceInt &= (int) 0xFFFFFF00; break;
case 1: replaceInt &= (int) 0xFFFF00FF; break;
case 2: replaceInt &= (int) 0xFF00FFFF; break;
case 3: replaceInt &= (int) 0x00FFFFFF; break;
}
}
replaceInt = replaceInt | newByte;
intBuffer[theInt] = replaceInt;
return intBuffer;
}
public byte[] getByteArray(int[] array)
{
byte[] newArray = new byte[array.Length * 4];
int pos = 0;
for (int i = 0; i < array.Length; i++)
{
if (littleEndian)
{
newArray[pos++] = (byte) ((array[i] >> 0) & 0xFF);
newArray[pos++] = (byte) ((array[i] >> 8) & 0xFF);
newArray[pos++] = (byte) ((array[i] >> 16) & 0xFF);
newArray[pos++] = (byte) ((array[i] >> 24) & 0xFF);
}
else
{
newArray[pos++] = (byte) ((array[i] >> 24) & 0xFF);
newArray[pos++] = (byte) ((array[i] >> 16) & 0xFF);
newArray[pos++] = (byte) ((array[i] >> 8) & 0xFF);
newArray[pos++] = (byte) ((array[i] >> 0) & 0xFF);
}
}
return newArray;
}
public byte[] getByteArray(int integer)
{
int[] temp = new int[1];
temp[0] = integer;
return getByteArray(temp);
}
}
How my implementation works is it creates a new WardenModule(byte[4] { keyhash[0], keyhash[1], keyhash[2], keyhash[3] });
constructor:
public WardenModule(byte[] seed)
{
g_wrRandom = new WardenRandom(seed);
decryptor = new SimpleCrypto(g_wrRandom.GetBytes(0x10));
encryptor = new SimpleCrypto(g_wrRandom.GetBytes(0x10));
}
It then takes the byte[] recieved in 0x5e, and decrypts it, but that doesn't work. :/
[6:45:39 PM] [WARDEN] Received SID_WARDEN!
0000 ff 5e 29 00 d3 a3 92 d4 72 66 98 c1 7b 42 3e ce ÿ^).Ó£.Ôrf.Á{B>Î
0010 9a 08 33 44 f7 3a 53 a3 dd a7 35 2c d4 9f 8f b1 ..3D÷:S£Ý§5,Ô..±
0020 2b 38 b8 5a 19 1a 59 dc 95 +8¸Z..YÜ.
[6:45:40 PM] [WARDEN] Decrypted:
0000 ca 04 ff f2 bd 20 44 66 9c 64 fa 58 50 8f bc a5 Ê.ÿò. Df.dúXP..¥
0010 93 a9 26 1e 8d 81 c7 5c 1a 76 d9 89 0e cc c3 bd .©&...Ç\.vÙ..ÌÃ.
0020 01 72 0a 1d 38 .r..8
[6:45:40 PM] [WARDEN] Unknown Warden request.
(it doesn't recognize the first byte as 0x00 (or 1 or 2), because it isn't.)
think your "encryptor" and "decryptor" are backwards. You're supposed to generate the outgoing key first ("encryptor") then the incoming key ("decryptor")
unless you were using "encryptor" to decrypt your incoming challenge
/// <summary>The SimpleCrypto used to decrypt (key in) packets.</summary>
private SimpleCrypto decryptor;
/// <summary>The SimpleCrypto used to encrypt (key out) packets.</summary>
private SimpleCrypto encryptor; public WardenModule(byte[] seed)
{
g_wrRandom = new WardenRandom(seed);
encryptor = new SimpleCrypto(g_wrRandom.GetBytes(0x10));
decryptor = new SimpleCrypto(g_wrRandom.GetBytes(0x10));
}Nope, you're right; I had them backwards. It still doesn't decrypt it right. :(
Data1 = new byte[0x14];
not sure how c# works or what not, but you declare it but are all 20 bytes 0? or are they randomness
you declare it, allocate 20 bytes, then update it through your hash buffer. get what i mean? you could be hashing randomness :p
I've had this thought that it might give an exception since I didn't give it any value, so then I looked at it while stepping through it. It starts as:
byte[0x14]
0: 0x00
1: 0x00
2: 0x00
etc.
Numeric types are not nullable, so will start off as 0. That isn't the problem.
just making sure, cuz if when it was allocated and it was randomness (unset data) then it would cause the initial update() to give bad data.
Do an example: put in something like &H12345678 for the seed, and post what you get as keys in hex?
I think it should be...
Out:
074CD6FA5379E9330A4956690DB013665C40B6327181B454F929A3E521114B96C8C1FE377DC983D351A5C7858B481972603BB3D28A64EEA0240962BB4F702B9F9D91A7BF5FBE6EC5DE6F55F80B98743E47753F99E10323AE461265DBFC8D6C524ECC877F44F2AFB14DA2A182227B317EECE604C3BC10DC45288E882E92DAD984F5D5AD15D10FCB1A8CAB73F18F80EBA8B906001B2090FD5E9A97FF9B16E0EF34C427E767E39563359C361EBD504A43A93A6AC0012C3D387686F002EA6D5A2DCD411DD4CFE261681FB57CDF1C781426F442E818D0D708EDE45D94AA17DD2FB2A6F6CE935905BA0CF7F3FB25899E6BB83C5BCA77B757587AC22AA4AC0ED830C6390000
In:
AAE6222D60F4197ECB4B73C318576E71928964D484C55AB624A63127CD4D6FE5AF7D787FB40C62295FCC9FC24396E2F0DAD21E8B47B19C9B1D650AF6873BA9382C9A5206FDBE8FBF8E5876E900AB1BB74239D6DB8C3D7C2BE0A02AE11A41B5852E3379FC90DEFA66C04CA8E3A128D1EE0BC9750FEAE7B054BD11940546F363ED5D4F9EE472BB034E562FFBCE1C5CFECFDD981274A2D33299C713F2D51F51B308ACD7366DA3F1AD3E8A6A3459259349042167D8D961690E20FF91F7103F1630C83CB2C48D44BAEBF983DCF5706C68093514407A0717EC861537A7014881024A236BE850A545C6CA97AE95263AD07755B89D7BA4EF800DDF53BC82B95EC188F85B0000
I think at one point I determined it was the WardenSHA1 class by running the SHA1 Test Strings (http://www.skullsecurity.org/wiki/index.php/Crypto_and_Hashing#SHA1_Test_Strings) through it...
Just try it, would you?
Neither byte[] { 0x12, 0x34, 0x56, 0x78 } or byte[] { 0x78, 0x56, 0x34, 0x12 } (I ca't tell if 0x12345678 means the first or second) came up with either of those results (backwards or forwards), and it would be a pain in the ass to try and copy and paste a byte[] with all its values from during debug... (they do end in 0x00 0x00, which is a sign that something is done right)
try standard sha1?
Well, since it is lockdown SHA with the twist, I just took MBNCSUtil's lockdownsha1, modified it by adding a reverse(int) function, and reversing it where needed.
It works, but that ungainly class uses so many MBNCSutil classes, it drove me up a wall. :/
Now WardenSHA1 returns the currect values from his test values. Now lets try generating in/out again. Nope, different.
Wanna help me spot any mess-ups?
public WardenModule(byte[] seed)
{
g_wrRandom = new WardenRandom(seed);
encryptor = new SimpleCrypto(g_wrRandom.GetBytes(0x10));
decryptor = new SimpleCrypto(g_wrRandom.GetBytes(0x10));
}
/// <summary>This structure is used to create the decryption base for the simple encryption class.</summary>
internal class WardenRandom
{
private int Position;
private byte[] Data1;
private byte[] Data2;
private byte[] Data3;
public WardenRandom(byte[] seed)
{
Data1 = new byte[0x14];
Data2 = new byte[0x14];
Data3 = new byte[0x14];
int length1 = (int) seed.Length >> 1; //2
int length2 = seed.Length - length1; //2
byte[] seed1 = new byte[length1];
byte[] seed2 = new byte[length2];
for (int i = 0; i < length1; i++)
seed1[i] = seed[i];
for (int i = 0; i < length2; i++)
seed2[i] = seed[i + length1];
WardenSha1.Context ctx1 = WardenSha1.Init();
WardenSha1.Update(ctx1, seed1, seed1.Length);
WardenSha1.Final(ctx1, out Data2);
WardenSha1.Context ctx2 = WardenSha1.Init();
WardenSha1.Update(ctx2, seed2, seed2.Length);
WardenSha1.Final(ctx2, out Data3);
update();
Position = 0;
}
private void update()
{
WardenSha1.Context ctx = WardenSha1.Init();
WardenSha1.Update(ctx, Data2, Data2.Length);
WardenSha1.Update(ctx, Data1, Data1.Length);
WardenSha1.Update(ctx, Data3, Data3.Length);
WardenSha1.Final(ctx, out Data1);
}
public byte[] GetBytes(int a_iCount)
{
byte[] m_bBytes = new byte[a_iCount];
for (int i = 0; i < a_iCount; i++)
m_bBytes[i] = GetByte();
return m_bBytes;
}
private byte GetByte()
{
int m_iPos = Position;
byte m_bVal = Data1[m_iPos];
m_iPos++;
if (m_iPos >= 0x14)
{
m_iPos = 0;
update();
}
Position = m_iPos;
return m_bVal;
}
}
Alright I solved it.
If anyone cares:
me:
anyways
you have any idea why my warden implementation isn't working ?
RealityRppl: nope
me: tsomehow im amazed that i got WardenSha1 to work
RealityRppl: uh
you realize
"warden sha"
is actually standard SHA
right?
there is no "warden" sha
me: is it? then why does he say in his notes that its lockdown sha1 but changed
RealityRppl: dunno
cause he's weird
Sent at 8:23 PM on Sunday
me: well standard sha doesn't return the correct result
RealityRppl: uh
huh
me: i mean using the System.Security.Cryptography one doesn't return the test values iago shows
RealityRppl: mm
well i dunno
it's standard SHA though
me: wait
ooh
crap
RealityRppl: ?
me: its backwards
he shows it in int groups
it returned the opposite endian
maybe...
@.@
it worked
lolers
eea339da 0d4b6b5e efbf5532 90186095 0907d8af [ from iago's notes ]
doesn't specify that its byte[] { 0xda, 0x39, 0xa3, 0xee (etc) } so i thouught when i got byte[] 0xee, 0xa3, 0x39, 0xda (etc) } it was correct
Yes, I know I seem dumber than brew, but yeah, I got it to work! Now I've just got to get it to read from starcraft.exe correctly.../me disposes of WardenSha1 {}
Quote from: brew on May 03, 2008, 02:54 PM
try standard sha1?
Quote from: Ribose on May 04, 2008, 07:41 PM
Alright I solved it.
Yes, I know I seem dumber than brew, but yeah, I got it to work! Now I've just got to get it to read from starcraft.exe correctly.../me disposes of WardenSha1 {}
You seem dumber than brew? Sorry, I'm too dumb to figure it out for myself. Tell me exactly what you mean by that.
Quote from: brew on May 04, 2008, 08:14 PM
Quote from: brew on May 03, 2008, 02:54 PM
try standard sha1?
Quote from: Ribose on May 04, 2008, 07:41 PM
Alright I solved it.
Yes, I know I seem dumber than brew, but yeah, I got it to work! Now I've just got to get it to read from starcraft.exe correctly.../me disposes of WardenSha1 {}
You seem dumber than brew? Sorry, I'm too dumb to figure it out for myself. Tell me exactly what you mean by that.
It was a joke. If you don't get it or don't like it, sorry for wasting your time.
Quote from: Ribose on May 04, 2008, 09:13 PM
Quote from: brew on May 04, 2008, 08:14 PM
Quote from: brew on May 03, 2008, 02:54 PM
try standard sha1?
Quote from: Ribose on May 04, 2008, 07:41 PM
Alright I solved it.
Yes, I know I seem dumber than brew, but yeah, I got it to work! Now I've just got to get it to read from starcraft.exe correctly.../me disposes of WardenSha1 {}
You seem dumber than brew? Sorry, I'm too dumb to figure it out for myself. Tell me exactly what you mean by that.
It was a joke. If you don't get it or don't like it, sorry for wasting your time.
okay, okay. i get it. Didn't know it was ment to be a joke.
..might i add it is one of questionable humor.
Quote from: brew on May 04, 2008, 09:29 PM
Quote from: Ribose on May 04, 2008, 09:13 PM
Quote from: brew on May 04, 2008, 08:14 PM
Quote from: brew on May 03, 2008, 02:54 PM
try standard sha1?
Quote from: Ribose on May 04, 2008, 07:41 PM
Alright I solved it.
Yes, I know I seem dumber than brew, but yeah, I got it to work! Now I've just got to get it to read from starcraft.exe correctly.../me disposes of WardenSha1 {}
You seem dumber than brew? Sorry, I'm too dumb to figure it out for myself. Tell me exactly what you mean by that.
It was a joke. If you don't get it or don't like it, sorry for wasting your time.
okay, okay. i get it. Didn't know it was ment to be a joke.
..might i add it is one of questionable humor.
He's probably insinuating that you're stupid.
foolish mortals
Does anyone know if the checksum is generated within the warden module?
why does it matter where it's generated
For if/when the values change? :/
If the values change, the whole module will change, so the location will probably be irrelevant.
Maybe it's a crc32 checksum?
Quote from: Lecht on May 15, 2008, 02:55 PM
Maybe it's a crc32 checksum?
its not, the only crc32 i saw in the module is called as described in iago's docs.
any updates on this?
I think because nothing has changed server-side, no one's gonna bother doing anything new until it's necessary.
Quote from: Andy on July 17, 2008, 01:52 AM
I think because nothing has changed server-side, no one's gonna bother doing anything new until it's necessary.
so do you guys have bots yet that are able to handle warden and not get booted off or no?
Uh, ya... I posted the code in this topic.
question is there a bot that handles it on windows vista? ;[
I've lost my source, bot, keys and everything on my old computer when it gave up on life.
Quote from: MyStiCaL on July 17, 2008, 08:19 PM
question is there a bot that handles it on windows vista? ;[
I've lost my source, bot, keys and everything on my old computer when it gave up on life.
handles what on vista?...
Quote from: Dale on July 17, 2008, 08:21 PM
Quote from: MyStiCaL on July 17, 2008, 08:19 PM
question is there a bot that handles it on windows vista? ;[
I've lost my source, bot, keys and everything on my old computer when it gave up on life.
handles what on vista?...
warden or should i say is there an updated bot that handles warden for windows vista? duhh
Quote from: MyStiCaL on July 17, 2008, 08:23 PM
Quote from: Dale on July 17, 2008, 08:21 PM
Quote from: MyStiCaL on July 17, 2008, 08:19 PM
question is there a bot that handles it on windows vista? ;[
I've lost my source, bot, keys and everything on my old computer when it gave up on life.
handles what on vista?...
warden or should i say is there an updated bot that handles warden for windows vista? duhh
the implement for warden will work on any OS if the application will run on that OS...
and yes, their are some bots that work, JavaOp2 As I recall correctly works fine, as of many others.
Quote from: Dale on July 17, 2008, 08:45 PM
Quote from: MyStiCaL on July 17, 2008, 08:23 PM
Quote from: Dale on July 17, 2008, 08:21 PM
Quote from: MyStiCaL on July 17, 2008, 08:19 PM
question is there a bot that handles it on windows vista? ;[
I've lost my source, bot, keys and everything on my old computer when it gave up on life.
handles what on vista?...
warden or should i say is there an updated bot that handles warden for windows vista? duhh
the implement for warden will work on any OS if the application will run on that OS...
and yes, their are some bots that work, JavaOp2 As I recall correctly works fine, as of many others.
that would have already been figured, I'm just asking a simple question if anyone knows a publicly released bot that works on the vista operating system, that supports warden.. and maybe a possible link.
</3 spht & </3 BNLS.
Quote from: MyStiCaL on July 17, 2008, 08:50 PM
Quote from: Dale on July 17, 2008, 08:45 PM
Quote from: MyStiCaL on July 17, 2008, 08:23 PM
Quote from: Dale on July 17, 2008, 08:21 PM
Quote from: MyStiCaL on July 17, 2008, 08:19 PM
question is there a bot that handles it on windows vista? ;[
I've lost my source, bot, keys and everything on my old computer when it gave up on life.
handles what on vista?...
warden or should i say is there an updated bot that handles warden for windows vista? duhh
the implement for warden will work on any OS if the application will run on that OS...
and yes, their are some bots that work, JavaOp2 As I recall correctly works fine, as of many others.
that would have already been figured, I'm just asking a simple question if anyone knows a publicly released bot that works on the vista operating system, that supports warden.. and maybe a possible link.
</3 spht & </3 BNLS.
http://www.javaop.com/download.html
http://rcb.realityripple.com
Vista support's not some amazingly hard thing... And there's an easy way to make any program run as administrator with manifest files:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<v3:trustInfo xmlns:v3="urn:schemas-microsoft-com:asm.v3">
<v3:security>
<v3:requestedPrivileges>
<v3:requestedExecutionLevel level="highestAvailable" />
</v3:requestedPrivileges>
</v3:security>
</v3:trustInfo>
</assembly>
Just save that as EXEName.exe.manifest and put it in the same place as the exe (making EXEName the EXE's name, durr), and the program will run as an administrator and should work just fine in Vista.
hi iago, i am trying to implement your stuff in linux.
is this the function you are using?
function RotateLeft32( Value : longword; Bits : longword ) : longword;
asm
mov cl, dl
rol eax, cl
end;
it would be nice if you post util.h and asm.h and their .c files too
Quote from: Andy on July 17, 2008, 09:04 PM
Vista support's not some amazingly hard thing... And there's an easy way to make any program run as administrator with manifest files:
Ugh.... I cannot believe you want to encourage people doing stupid stuff such as running any program as an administrator. Just blatantly violate LP.
There are tons of programs I use that have to run admin though because they won't work right otherwise. One of which being the blizzard game Warcraft III. Then there are others that it makes some sense to run as admin, like Wireshark.
Quote from: FrostWraith on July 22, 2008, 11:32 AM
There are tons of programs I use that have to run admin though because they won't work right otherwise. One of which being the blizzard game Warcraft III. Then there are others that it makes some sense to run as admin, like Wireshark.
Wireshark allows you to install WinPcap so that you don't need to be an administrator to capture packets:
(http://www.robpaveza.net/wshark-npf.png)
Warcraft III runs fine in the virtualized file system mode except when patching, which is almost acceptable.
WoW used to require admin to patch, but someone at Blizzard listened to me (http://geekswithblogs.net/robp/archive/2008/01/23/dear-blizzard-please-fix-warcrafts-patcher.aspx) and now they download the patch to a place that doesn't require administrative permissions.
There is no reason for most applications to require administrative privileges to run normally. But every time you run a process as an administrator, you're trusting that the application isn't going to run into a buffer overflow, or an improperly-dereferenced pointer, or any number of other security vulnerabilities that will compromise the security of your computer.
Unux users have been running with this benefit for a long time; I don't understand why Windows users are so resistant to the change. I just bought a new laptop and was talking to a Microsoft MVP in app-dev about it and he saw a UAC dialog box pop up and asked me if I'd like to turn it off. I couldn't believe it.
If your justification is that you need to patch your program, consider using Adobe's model. Adobe applications are able to check whether they need updates without elevating, and if they determine that they need to, they start a separate process and prompt for elevation.
Quote from: aton on July 22, 2008, 10:37 AM
hi iago, i am trying to implement your stuff in linux.
is this the function you are using?
function RotateLeft32( Value : longword; Bits : longword ) : longword;
asm
mov cl, dl
rol eax, cl
end;
it would be nice if you post util.h and asm.h and their .c files too
The RotateLeft32 function is actually from a Windows library. But yeah, that function looks right (although I don't know where you get cl and eax from -- that the standard calling convention?).
You may be better off to start from my Java version, since I cleaned it up when I ported it. But eh?
Quote from: MyndFyre[vL] on July 22, 2008, 02:48 PM
Quote from: FrostWraith on July 22, 2008, 11:32 AM
There are tons of programs I use that have to run admin though because they won't work right otherwise. One of which being the blizzard game Warcraft III. Then there are others that it makes some sense to run as admin, like Wireshark.
Wireshark allows you to install WinPcap so that you don't need to be an administrator to capture packets:
<img>
Well, that's one case that admin access ought to be required. Letting any old user on the system sniff packets is just a problem waiting to happen. There are some places where admin privs should be required. Sniffing packets is one, playing a game is not.
Well for Warcraft III, it always says "Error writing to disk", even when not patching. I get this when I try to connect. Running as admin fixes this.
This could have to do with the installer I used. I downloaded it from the blizzard.com/account thing.
With wireshark I did install winpcap with it but it just doesn't pick up on any available devices to listen on without running as admin.
Also, I only have v1.0.0, not 1.0.2, so that might have been changed.
Besides that, I do agree with you on the fact that programs should not have to be run as admin to function properly.
Its the standard for blizzard games to download to the game folder [icon files, TOS files, Anything form bnftp]
A Simple fix for that would to move everything to temp/user folders.
I agree with MyndFyre. Having a 2nd application designed specifically for updating is the best solution so far.
Basically you have two situations that I like to build every program around.
1) Standard computer, Use temp/user folders, use the registry, etc...
2) Portable. Use the local folder only, no Registry/other folders.
Andy, on the other hand, has gone off the charts, Everything admin, use the system folder, etc....
/me notes that he said all this, and had his posts trashed.
I'm giving a viable solution to fix applications that have not yet been ported to Vista. What the hell are you bashing on me for?
I posted on the last page that my bot was completely compatible with Vista. It only needs to run as administrator for updating itself (and the files it uses, some of which are stored in the system32 folder, for user convenience) and for hash files (already moved to app data for the next version). I'm not trying to argue with standard compliance.
edit: posted to the other (smaller) thread
Okay, for those of you looking for a quick fix for warden and don't want to add a lot of stuff to your code, I've made things even easier.
http://realityripple.com/Uploads/Warden.zip
The Warden.dll is basically my code packaged in to two easy-to-call routines. Here's how you use it:
1) Add Warden.dll to your References.
2) Dim cWarden as New clsWarden at the top of whatever module/class/etc you're using for BNCS handling.
3) In 0x51 handling, add:
cWarden.StartWarden KeyHash, App.Path & "\Hashes\STAR\Starcraft.exe"
Replace KeyHash with at least the first 4 characters of your CDKey hash (you can send the whole thing if you want), and the path to Starcraft.exe to wherever your bot stores hash files.
4) in 0x5E handling, add the following:
Dim sData as String
sData = cWarden.HandleWarden(inData)
If LenB(sData) > 0 Then
With Packet
.InsertNonNTString sData
.SendBNCS SID_WARDEN
End With
End If
That's it.
Quote from: Andy on August 04, 2008, 12:21 AM
Okay, for those of you looking for a quick fix for warden and don't want to add a lot of stuff to your code, I've made things even easier.
http://realityripple.com/Uploads/Warden.zip
The Warden.dll is basically my code packaged in to two easy-to-call routines. Here's how you use it:
1) Add Warden.dll to your References.
2) Dim cWarden as New clsWarden at the top of whatever module/class/etc you're using for BNCS handling.
3) In 0x51 handling, add:
cWarden.StartWarden KeyHash, App.Path & "\Hashes\STAR\Starcraft.exe"
Replace KeyHash with at least the first 4 characters of your CDKey hash (you can send the whole thing if you want), and the path to Starcraft.exe to wherever your bot stores hash files.
4) in 0x5E handling, add the following:
Dim sData as String
sData = cWarden.HandleWarden(inData)
If LenB(sData) > 0 Then
With Packet
.InsertNonNTString sData
.SendBNCS SID_WARDEN
End With
End If
That's it.
Thank you.
RealityRipple; it errors out saying:
'Run time error '53':
File not found: RSHA.dll'
I attempted registering the RSHA dll via regsvr32, referencing the RSHA dll via VB, both failed.
I'm guessing I'm the one to blame here; so what am I doing wrong? Thanks in advance for your time.
Quote from: Don Cullen on August 04, 2008, 11:57 PM
RealityRipple; it errors out saying:
'Run time error '53':
File not found: RSHA.dll'
I attempted registering the RSHA dll via regsvr32, referencing the RSHA dll via VB, both failed.
I'm guessing I'm the one to blame here; so what am I doing wrong? Thanks in advance for your time.
If you're running it out of the IDE, move the RSHA.dll into your folder which contains VB6.exe
Thanks, that solved the problem. Got another error, probably my fault again:
Case &H5E 'SID_WARDEN (0x5E)
Dim sData As String
sData = cWarden.HandleWarden(inData)
If LenB(sData) > 0 Then
With PacketBuf
.InsertVOID sData
.Send BNETSock, &H5E
End With
End If
That results in a runtime error '9': subscript out of range. The line "sData = cWarden.HandleWarden(inData)" is highlighted when I click on debug.
This is when I set up the keyhash for warden:
Dim sKeyHash As String
sKeyHash = lHashedKeyData(0) & lHashedKeyData(1) & lHashedKeyData(2) & lHashedKeyData(3) & lHashedKeyData(4)
cWarden.StartWarden sKeyHash, "c:\progra~1\starcraft\Starcraft.exe"
Once again, thanks in advance for your time.
InData is set to what? If each lHashKeyData is a string containing 4 characters (I assume?), why not just pass it (0)?
InData isn't set to anything It's set to PacketData now:
Private Sub ParseBNETPacket(ByVal PacketData As String)
Dim PacketID As Byte
Dim lResults As Long
Dim sReason As String
Dim i As Integer 'Used with loops
PacketDeBuf.SetData (PacketData)
PacketID = PacketDeBuf.StripHeaderI'm assuming the function requires the packet in its' entireity; or is pre-processing required (stripping out header, etc)?
I highlighted where I'm getting the KeyHash from:
Quote Case &HC '0x0C, BNLS_CDKEY_EX
Dim iTotalCDKeys As Byte
Dim iTotalSuccesses As Byte
With PacketDeBuf
lCookie = .rDWORD
If lCookie <> lClientCookie Then
'Not our cookie.
Exit Sub
End If
iTotalCDKeys = .rByte
iTotalSuccesses = .rByte
Dim lBitMask As Long
lBitMask = .rDWORD 'don't use for now
lClientToken = .rDWORD
lKeyLength = .rDWORD
lCDKeyProdValue = .rDWORD
lCDKeyPubValue = .rDWORD
lUnknown = .rDWORD
lHashedKeyData(0) = .rDWORD
lHashedKeyData(1) = .rDWORD
lHashedKeyData(2) = .rDWORD
lHashedKeyData(3) = .rDWORD
lHashedKeyData(4) = .rDWORD
End With
Dim sKeyHash As String
sKeyHash = lHashedKeyData(0) & lHashedKeyData(1) & lHashedKeyData(2) & lHashedKeyData(3) & lHashedKeyData(4)
cWarden.StartWarden sKeyHash, "c:\progra~1\starcraft\Starcraft.exe"
With PacketBuf
.InsertDWORD lClientToken
.InsertDWORD lEXEVersion
.InsertDWORD lChecksum
.InsertDWORD &H1 '1 cdkey for now (number of cdkeys)
.InsertDWORD &H0 'Not using spawn
'for each cdkey loop goes here
.InsertDWORD lKeyLength
.InsertDWORD lCDKeyProdValue
.InsertDWORD lCDKeyPubValue
.InsertDWORD &H0
For i = 0 To 4
.InsertDWORD lHashedKeyData(i)
Next
.InsertSTRING sVerChkStat
.InsertSTRING "ABot"
.Send BNETSock, &H51
End With
Edit: changed code tags to quote tags so highlighting would show up...
Edit: Changed the sKeyHash line, now it says:
sKeyHash = Chr(lHashedKeyData(0)) & Chr(lHashedKeyData(1)) & Chr(lHashedKeyData(2)) & Chr(lHashedKeyData(3)) & Chr(lHashedKeyData(4))Because I realized I was trying to set long variables to a string variable. Added Chr to each one to make it a string. Still errors out though:
"Runtime error '5': Invalid procedure call or argument"
And the sKeyHash line is highlighted when I hit debug. Ideas?
K. Do you get that you're only supposed to pass the first four bytes of the key's hash? I'm not exactly sure how many times that's been repeated throughout this topic, and on iago's wiki, but I guestimate somewhere around a total of 20-25.
sKeyHash = Chr(lHashedKeyData(0)) & Chr(lHashedKeyData(1)) & Chr(lHashedKeyData(2)) & Chr(lHashedKeyData(3)) & Chr(lHashedKeyData(4))
Really, what's that supposed to do ..? Concatinate raw memory? No. Just no. You'd have to CopyMemory that to a string in order to get your desired result. I'm sure your packet buffer/packet debuffer has that functionality already.
As for your runtime error problem, i think that's because you're passing a negative number to chr(). so just do what i said and i think you'll be fine.
Chr doesn't work like that... And yes, strip the FF 5E XX XX header before passing it. You can send the whole key hash if you want, the code automatically trims it to the first 4 bytes.
Thanks. Got it working.
Quote from: Andy on August 05, 2008, 03:20 PM
You can send the whole key hash if you want, the code automatically trims it to the first 4 bytes.
That's a poor idea. What happens when the seed's length changes?
Then the whole DLL will be useless anyway. I literally copy and pasted, added a nice ActiveX wrapper around it, and compiled it. Didn't even test it before I sent it to the guy I made it for. Since I already had it compiled and uploaded, I gave a link to it here, too.
Idk why you keep releaseing all these DLL's ripple, they are very un-educational.
I'm also unsure why you read directly from the exe file, it seems very wastefull.
You hardcode the checksum values, so why not hardcode everything.
Here is a very simple vb6 example of how to handle everything apart from downloading modules. I think everything is explained well enough.
I don't want any credits in pps bots for this, you may use this code as-is or modify it how ever you like.
For parseing the 0x5E packets:
First of all, each bot/connections you have will need its own set of RC4 Keys, example:
Private wKeyIn(257) As Byte
Private wKeyOut(257) As Byte
The code below will need access to these two key variables, so you may need to modify the below code to fit around the way you have structured you're bot.
HandleBNCS0x5E() is the sub you pass the whole 0x5E packet to.
SendBNCS0x5E() is the sub where the data to be sent is passed, so this is where you build you're packet as normal.
When you build you're 0x51 packet and have access to the 1st cdkey's broken SHA1 hash, you must do the following:
Call modWarden.WardenInit(GetDWORD(strCDKeyHash), wKeyIn(), wKeyOut())
If you are useing 0x06, 0x07 logon, then do the following:
Call modWarden.WardenInit(0, wKeyIn(), wKeyOut())
Now this is the code where you will be handleing the warden requests, building the responces and passing them to the send0x5E sub.
Depending how you're bot is layed out, you will need to make some small modications to HandleBNCS0x5E(), HandleWardenCheck() and SendBNCS0x5E()
These modications are very simple, they just need access to the current bots wKeyIn() and wKeyOut()
Private Sub HandleBNCS0x5E(ByRef strData As String)
Dim S As String
S = Mid(strData, 5)
Call modWarden.RC4Crypt(S, wKeyIn())
If Asc(S) = 0 Then
S = Chr(1)
Call modWarden.RC4Crypt(S, wKeyOut())
Call SendBNCS0x5e(S)
ElseIf Asc(S) = 2 Then
Call HandleWardenCheck(S)
Else
'##### This packet ID is not handled, so just ignore it and wait to drop. #####
End If
End Sub
Private Sub HandleWardenCheck(ByVal S As String)
Dim R As String
Dim C As String
Dim lngPos As Long
Dim lngLen As Long
Dim lngAddr As Long
Dim lngCmd As Long
R = Chr(2) & MakeWORD(0) & MakeDWORD(0)
lngPos = 3 'skip packet ID
While lngPos < Len(S)
lngCmd = GetWORD(Mid(S, lngPos, 2)): lngPos = lngPos + 2
lngAddr = GetDWORD(Mid(S, lngPos, 4)): lngPos = lngPos + 4
lngLen = Asc(Mid(S, lngPos, 1)): lngPos = lngPos + 1
R = R & Chr(0)
C = C & Right("00000000" & Hex(lngAddr), 8) & Right("00" & Hex(lngLen), 2) & " "
R = R & GetWardenMem(lngAddr)
Wend
C = GetWardenChecksum(C)
If Len(C) < 4 Then
'#### This request has checks we don't currently support
'#### Lets Ignore and wait to drop, it's fun ####
Exit Sub
End If
Mid(R, 4, 4) = C
Mid(R, 2, 2) = MakeWORD(Len(R) - 7)
Call modWarden.RC4Crypt(R, wKeyOut())
Call SendBNCS0x5E(R)
End Sub
Private Function GetWardenChecksum(ByVal S As String) As String
Select Case S
Case "00497FB00E 0049C33D07 004A2FF708 ": GetWardenChecksum = MakeDWORD(&H193E73E8)
Case "0049C33D07 00497FB00E 004A2FF708 ": GetWardenChecksum = MakeDWORD(&HD6557DEF)
Case "00497FB00E 004A2FF708 0049C33D07 ": GetWardenChecksum = MakeDWORD(&H2183172A)
Case "0049C33D07 004A2FF708 00497FB00E ": GetWardenChecksum = MakeDWORD(&HCA841860)
Case "004A2FF708 0049C33D07 00497FB00E ": GetWardenChecksum = MakeDWORD(&H9F2AD2C3)
Case "004A2FF708 00497FB00E 0049C33D07 ": GetWardenChecksum = MakeDWORD(&HC04CF757)
End Select
End Function
Private Function GetWardenMem(ByVal lngAddr As Long) As String
Select Case lngAddr
Case &H49C33D: GetWardenMem = HexToStr("83 00 00 00 8B 55 08")
Case &H4A2FF7: GetWardenMem = HexToStr("A3 68 CC 59 00 E8 DF 23")
Case &H497FB0: GetWardenMem = HexToStr("84 5E 0C 74 05 E8 F6 54 F9 FF 8B 76 04 85")
End Select
End Function
Public Sub SendBNCS0x5E(ByVal Data As String)
'#### This is where you build the 0x5E packet, Data contains the payload ####
End Sub
You must create a module called modWarden.
Now paste the below code into it:
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (ByRef Destination As Any, _
ByRef Source As Any, ByVal NumBytes As Long)
Public Type RANDOMDATA
Pos As Long
Data As String * 20
Sorc1 As String * 20
Sorc2 As String * 20
End Type
Private bR(255) As Byte
Public Sub WardenInit(ByRef lngSeed As Long, ByRef bKeyIn() As Byte, _
ByRef bKeyOut() As Byte)
Dim wData As RANDOMDATA
Dim wHashOut As String * 16
Dim wHashIn As String * 16
Call Data_Init(wData, lngSeed)
wHashOut = modWarden.Data_Get_Bytes(wData, 16)
wHashIn = modWarden.Data_Get_Bytes(wData, 16)
Call modWarden.RC4Key(wHashIn, bKeyIn)
Call modWarden.RC4Key(wHashOut, bKeyOut)
End Sub
Public Sub RC4Key(ByRef S As String, ByRef B() As Byte)
Dim i As Long, A As Long, C As Byte
B(256) = 0
B(257) = 0
A = Len(S)
For i = 0 To 255
bR(i) = Asc(Mid(S, (i Mod A) + 1, 1))
B(i) = i
Next i
A = 0
For i = 0 To 255
A = (A + B(i) + bR(i)) Mod 256
C = B(i)
B(i) = B(A)
B(A) = C
Next i
End Sub
Public Sub RC4Crypt(ByRef S As String, ByRef bK() As Byte)
Dim A As Long, B As Long, C As Byte, i As Long
A = bK(256)
B = bK(257)
For i = 1 To Len(S)
A = (A + 1) Mod 256
B = (B + bK(A)) Mod 256
C = bK(A)
bK(A) = bK(B)
bK(B) = C
Mid(S, i, 1) = Chr(Asc(Mid(S, i, 1)) Xor bK((CInt(bK(A)) + bK(B)) Mod 256))
Next i
bK(256) = A
bK(257) = B
End Sub
Public Sub Data_Init(ByRef R As RANDOMDATA, ByVal lngSeed As Long)
Dim S As String * 4
Call CopyMemory(ByVal S, lngSeed, 4)
R.Sorc1 = BSHA1(Left(S, 2), True, True)
R.Sorc2 = BSHA1(Right(S, 2), True, True)
R.Data = String(20, 0)
R.Data = BSHA1(R.Sorc1 & R.Data & R.Sorc2, True, True)
R.Pos = 1
End Sub
Public Function Data_Get_Bytes(ByRef R As RANDOMDATA, ByVal lngBytes As Long) As String
Dim i As Long, S As String
S = String(lngBytes, 0)
For i = 1 To lngBytes
Mid(S, i, 1) = Mid(R.Data, R.Pos, 1)
R.Pos = R.Pos + 1
If R.Pos > 20 Then
R.Pos = 1
R.Data = BSHA1(R.Sorc1 & R.Data & R.Sorc2, True, True)
End If
Next i
Data_Get_Bytes = S
End Function
Public Function BSHA1(ByVal S As String, _
Optional ByVal bRE As Boolean = False, _
Optional ByVal bStandard As Boolean = False) As String
Dim B(21) As Long 'hash buffer
Dim i As Long
'//Init the seeds
B(0) = &H67452301
B(1) = &HEFCDAB89
B(2) = &H98BADCFE
B(3) = &H10325476
B(4) = &HC3D2E1F0
'//Update the string buffer (to be hashed)
Call SHA1Update(bRE, bStandard, B(), S)
'//Reverse endian if needed
If bRE Then
For i = 0 To 4
Call rEndian(B(i), B(i))
Next i
End If
'//Return the broken SHA1 hash
BSHA1 = String(20, 0)
Call CopyMemory(ByVal BSHA1, B(0), 20)
End Function
Private Sub SHA1Update(ByVal bRE As Boolean, _
ByVal bS As Boolean, _
ByRef B() As Long, _
ByVal S As String)
Dim i As Long
Dim A As String
If bS Then
'//Standard SHA1 padding
A = Chr(128) & String((128 - (Len(S) Mod 64) - 9) Mod 64, 0)
If bRE Then
S = S & A & String(4, 0) & StrReverse(MakeDWORD((Len(S) * 8)))
Else
S = S & A & MakeDWORD((Len(S) * 8)) & String(4, 0)
End If
Else
If ((Len(S) Mod 64) <> 0) Then
'//buffer the string so its divisible by 64 (0x40)
S = S & String(64 - (Len(S) Mod 64), 0)
End If
End If
For i = 1 To Len(S) Step 64
'//copy chunk of the string into the long array to be hashed
Call CopyMemory(B(5), ByVal Mid$(S, i, 64), 64)
'//transform
Call SHA1Transform(bRE, bS, B)
Next i
End Sub
Private Sub SHA1Transform(ByVal bRE As Boolean, ByVal bS As Boolean, ByRef P() As Long)
Dim hB(80) As Long
Dim A As Long
Dim B As Long
Dim C As Long
Dim D As Long
Dim E As Long
Dim G As Long
Dim i As Long
If bRE Then 'reverse endian
For i = 0 To 15: Call rEndian(P(i + 5), hB(i)): Next i
Else
For i = 0 To 15: hB(i) = P(i + 5): Next i
End If
If bS Then 'standard SHA1
For i = 16 To 79
hB(i) = LSC((hB(i - 16) Xor hB(i - 8) Xor hB(i - 14) Xor hB(i - 3)), 1)
Next i
Else
For i = 16 To 79
hB(i) = LSC(1, (hB(i - 16) Xor hB(i - 8) Xor hB(i - 14) Xor hB(i - 3)) And 31)
Next i
End If
A = P(0)
B = P(1)
C = P(2)
D = P(3)
E = P(4)
For i = 0 To 19
G = Add(Add(Add(Add(hB(i), E), LSC(A, 5)), ((B And C) Or ((Not B) And D))), &H5A827999)
E = D: D = C: C = LSC(B, 30): B = A: A = G
Next i
For i = 20 To 39
G = Add(Add(Add(Add(hB(i), E), LSC(A, 5)), (D Xor C Xor B)), &H6ED9EBA1)
E = D: D = C: C = LSC(B, 30): B = A: A = G
Next i
For i = 40 To 59
G = Add(Add(Add(Add(hB(i), E), LSC(A, 5)), (C And B) Or (D And C) Or (D And B)), &H8F1BBCDC)
E = D: D = C: C = LSC(B, 30): B = A: A = G
Next i
For i = 60 To 79
G = Add(Add(Add(Add(hB(i), E), LSC(A, 5)), (D Xor C Xor B)), &HCA62C1D6)
E = D: D = C: C = LSC(B, 30): B = A: A = G
Next i
P(0) = Add(P(0), A)
P(1) = Add(P(1), B)
P(2) = Add(P(2), C)
P(3) = Add(P(3), D)
P(4) = Add(P(4), E)
End Sub
'~~~~~~ Extra functions ~~~~~~~
Private Sub rEndian(ByVal V As Long, ByRef N As Long)
'//dirty byte order switching
Dim S As String * 4
Call CopyMemory(ByVal S, V, 4)
S = StrReverse(S)
Call CopyMemory(N, ByVal S, 4)
End Sub
Private Function LSC(ByVal N As Long, ByVal S As Long) As Long
'left shift circle
LSC = (LS(N, S) Or RS(N, (32 - S)))
End Function
Private Function RS(ByVal N As Long, ByVal S As Long) As Long
'right shift bits
If (S < 0) Or (S > 31) Then
RS = 0
ElseIf (S = 0) Then
RS = N
Else
If ((N And &H80000000) = &H80000000) Then
N = (N And &H7FFFFFFF)
If (S = 31) Then 'stop over flow when shifting 31bits
N = N / 2147483648#
Else
N = N \ (2 ^ S)
End If
RS = N Or (2 ^ (31 - S))
Else
RS = Int(CDbl(N) / CDbl(2 ^ S))
End If
End If
End Function
Private Function LS(ByVal N As Long, ByVal S As Long) As Long
'left shift bits
If (S < 0) Or (S > 31) Then
LS = 0
ElseIf S = 0 Then
LS = N
Else
N = N And (2 ^ (32 - S) - 1)
LS = WDbl(CDbl(N) * CDbl(WDbl(2 ^ S)))
End If
End Function
Private Function WDbl(ByVal N As Double) As Long
'wrap a double back to a long
If N > &H7FFFFFFF Then
N = N - 4294967296#
ElseIf N < &H80000000 Then
N = N + 4294967296#
End If
WDbl = N
End Function
Private Function Add(ByVal N1 As Long, ByVal N2 As Long, Optional ByVal D As Double) As Long
'add 2 longs to a double, then wrap round
D = N1
D = D + N2
Add = WDbl(D)
End Function
Public Function MakeDWORD(ByVal num As Long) As String
MakeDWORD = String(4, &H0)
Call CopyMemory(ByVal MakeDWORD, num, 4)
End Function
Public Function HexToStr(ByVal Data As String) As String
HexToStr = String(Len(Data) / 3, 0)
Dim iPos As Long
For i = 1 To Len(Data) Step 3
iPos = iPos + 1
Mid(HexToStr, iPos, 1) = Chr("&H" & Mid(Data, i, 2))
Next i
End Function
If you would like to use the BSHA1() sub in modWarden for you're local hashing in the bnet logon, here is a few examples of how to do so:
lngProduct is the product value of the cdkey.
lngPublic is the public value of the cdkey.
lngPrivate is the private value of the cdkey.
S is the 20 byte hash you put into the packet.
Password is you're battle.net password.
For 0x36:
Dim S As String * 20
Mid(S, 1, 4) = MakeDWORD(ClientToken)
Mid(S, 5, 4) = MakeDWORD(ServerToken)
Mid(S, 9, 4) = MakeDWORD(lngProduct)
Mid(S, 13, 4) = MakeDWORD(lngPublic)
Mid(S, 17, 4) = MakeDWORD(lngPrivate)
S = modWarden.BSHA1(S, False, False)
For 0x51:
Dim S2 As String * 24
Dim S As String * 20
Mid(S2, 1, 4) = MakeDWORD(ClientToken)
Mid(S2, 5, 4) = MakeDWORD(ServerToken)
Mid(S2, 9, 4) = MakeDWORD(lngKeyProduct)
Mid(S2, 13, 4) = MakeDWORD(lngKeyPublic)
Mid(S2, 17, 4) = MakeDWORD(0)
Mid(S2, 21, 4) = MakeDWORD(lngKeyPrivate)
S = modWarden.BSHA1(S2, False, False)
'#### WardenInit() with GetDWORD(S) ####
For 0x29/0x3A/0x3E:
Dim S2 As String * 28
Dim S As String * 20
S2 = MakeDWORD(ClientToken) & _
MakeDWORD(ServerToken) & _
modWarden.BSHA1(LCase(Password), False, False)
S = modWarden.BSHA1(S2, False, False)
For 0x3D:
Dim S As String * 20
S = modWarden.BSHA1(LCase(Password), False, False)
Is it really that hard to understand? Most people have no interest in the inner workings of Battle.net. They want to work on their bot, not the protocol. If they want to learn, there's documentation. None of the bnet stuff I release is new; it's all been documented and explained on here or bnetdocs.
Quote from: Andy on August 07, 2008, 04:48 AM
Is it really that hard to understand? Most people have no interest in the inner workings of Battle.net. They want to work on their bot, not the protocol. If they want to learn, there's documentation. None of the bnet stuff I release is new; it's all been documented and explained on here or bnetdocs.
Well it seems like they have no interest in any part of their bot that doesn't say "<namehere>BoT 1.0 mAdE bY <namehere>" (read: 99.9% of battle.net rips their bots. this is the reason why there is zero innovation.)
And 100% of your statistics are made up on the spot.
Honestly, I don't care. I wrote this DLL for someone who was trying to make the connection system an array in a somewhat complicated manner. I suggested he put the whole thing into a UserControl in order to make it easier to handle multiple connections. He was handling warden with one instance, so it was disconnecting him if he had multiple connections open. I made it into a nice ActiveX DLL so he could easily declare and handle it as an array, and I figured people would like to use it. If people want to use it, they can. If they don't, they can keep their useless opinions to themselves and skip over these posts.
Can a moderator move all the posts after Don's (Except Ringo's, though there's plenty of examples in this topic of the same thing already)?
Cmon guys, let's not spoil a good thread. Both of you have contributed a great amount of work to this, for this I'm sure many appreciate your efforts. Let's not jump down each others throats over something so trivial.
Wow... I really hope you're not being sarcastic, because that was really nice of you...
futhermore on reading from the exe and not hardcoding em in as ringo has done, makes ur client , for bnls purposes, not truly hashless, which makes it more confusing for the end user (most of em) and ur prog, for sc purposes, would be dependant on those hash files. not important though, but to some it may be. But i always did wonder why u made it like the way u did and have everybody dependant on the exe. negative points for ringo enlighting you!
I don't like BNLS or JBLS much, really. I think local hashing is the best way to do things, and since my bot downloads hash files off my site, it's easy for the end user, too.
Personally I think what Andy did was fantastic, and he's brought up good points on here, instead of bitching him out about shit, why don't you shut the fuck up. You don't have to use his god damn library if you don't want to, no one is forcing you to. Personally, I could handle warden myself if I went back on this thread and read more about it however I'd probably use his library instead of researching the shit myself, to save time and error.
Quote from: Andy on August 07, 2008, 04:46 PM
Wow... I really hope you're not being sarcastic, because that was really nice of you...
I guess you caught me in a good mood, I'll be more inflammatory later :P.
Seriously though, yeah, I based a lot of the Warden code in my C# client off of the method you used to handle the module.
Why do these things always end in a flame fest?
I'm just pointing out, the only option for people using VB6 is to port iago's code or to use ripples code with dll dependency's.
Thought I would slap up some example code to give people another option, keeping it fairly clean and simple, not starting arguments...
Please forgive me for trying to keep on-topic :-\
My code is a port of iago's code. The dependencies are just calls to common functions like StandardSHA (and uncompress if you want to extract the modules themselves), which can easily be replaced.
Quote from: Andy on August 12, 2008, 07:43 PM
My code is a port of iago's code. The dependencies are just calls to common functions like StandardSHA (and uncompress if you want to extract the modules themselves), which can easily be replaced.
If you're responding to me, I said "the code you use to handle the module" which is limited to 0x02 handling.
If I don't quote, it tends to mean I'm responding to the post above me.
I've updated the dll to make it a bit easier:
# Starcraft.exe is no longer used, so StartWarden requires only the KeyHash (first 4 bytes minimum).
# RSHA.dll is no longer used. Added SHA1 hashing into the DLL itself.
# If you pass HandleWarden the full packet, starting with FF 5E, it will trim off the first 4 bytes.
# The dll has been UPX'd, so it's now 12.5 KB.
Download: http://realityripple.com/files/?file=RW
Use:
1) Add Warden.dll to your References.
2) Dim cWarden as New clsWarden at the top of whatever module/class/etc you're using for BNCS handling.
3) In 0x51 handling, add:
cWarden.StartWarden KeyHash
Replace KeyHash with at least the first 4 characters of your CDKey hash (you can send the whole thing if you want).
4) in 0x5E handling, add something like the following:
Dim sData As String
Dim sRet As String
wsBNet.GetData sData
If Left$(sData, 2) = Chr$(&HFF) & Chr$(&H5E) Then
sRet = cWarden.HandleWarden(sData)
If LenB(sRet) > 0 Then
wsBNet.SendData Chr$(&HFF) & Chr$(&H5E) & MakeWord(Len(sRet)+4) & sRet
End If
End If
Tested and working.
Warden for SC came back today with a new packet: 0x05.
Here's some examples:05 8B 42 F8 D4 A9 4A 36 24 BE 99 6C 09 7E 83 88 58
05 41 C8 03 88 C2 54 38 95 06 02 43 65 21 7B 5D 98
05 43 DE 7E AE 14 8C 48 72 71 76 2F 8A 6E 1C AA EA
05 5A 12 F1 4C 97 3B DD C5 C6 F5 EF 91 C9 64 AC 45
Here's a new module (seems to be the same on all gateways [not verified]): http://realityripple.com/Uploads/56F25CA5BD550B384CC4FA457B438012.mod
Any idea what it's requesting?
My guess is an MD5 of something. The responses are 16 bytes + the 1 byte command identifier.
So the requests and the responses are the same size... that sounds more like it's another encryption, not a hash.
Quote from: Andy on November 04, 2008, 02:40 PM
So the requests and the responses are the same size... that sounds more like it's another encryption, not a hash.
Oh, my bad. I thought those were the responses for some reason. ACK!!!! I hope it's just a xor cipher.
Are those the only three requests? Did you log any responses? The responses, at this point, are 20x as important as what you're
getting. Also, it'd be a lot nicer if you decrypted the module ....
If I decrypted the module, I couldn't MD5 it to make sure it was the right one... And I'm too lazy to write and implement a decrypter for it anyway.
No, those are not the only requests, as I said, they appeared to be random.
No, I didn't grab any responses.
I'm working on NLS for VB6 right now, I just thought I'd post this so other people could work on it if they wanted. I've already got my hands full of endians and N.add(B).subtract(v).mod(N).
Here's the decrypted module:
http://darkblizz.org/brew/module.mod
I seriously feel that I just wasted 30 minutes of my life.
My inital analysis so far is....
• There's some kind of SHA1 init at 00001D46h
• 00000116h seems to be some major part of the module, it's littered with calls to a lot of different small odd comparison functions
• 000047E6h looks interesting
• I have to define all the code chunks myself. Thanks, IDA.
and about the requests...
there's really, only one thing I can think of that's 16 bytes long and encrypted: 3 addresses with a 1 byte length specifier, and an end byte like the one present in command 2 packets. So far I haven't seen a response either.
you guys are cool.....
[5:35:01 PM] Unknown Warden Packet: D78CC9BB96E81CF77C955AC23ED9870E1D
[5:35:11 PM] Unknown Warden Packet: 402F6FF68DB1F319B4429D4A0E2F7A456A
[5:35:31 PM] Unknown Warden Packet: 3E2FD92A4BD9AF010A8CA54B87A13077A3
[5:35:51 PM] Unknown Warden Packet: FE1FF86E7873800A48F7844165EE7E869A
[5:36:01 PM] Unknown Warden Packet: 1F2FBED782D1701637B2F7BA95CE00E7E7
[5:38:37 PM] Unknown Warden Packet: E18D50E2F0E263C1B85905144F619A0ADC
[5:38:52 PM] Unknown Warden Packet: 00D187A22036226151F6FC53985A036FE6
[5:39:02 PM] Unknown Warden Packet: 1B063809449A2AAA6EDBD3D51FA11259B3
[5:39:12 PM] Unknown Warden Packet: 296329D40D865C1190F04EC6BAD7712468
[5:39:42 PM] Unknown Warden Packet: E2FDB8D8A2370E047C37380D699725734A
is what i currently got from using andy's old warden module, i think these bytes/data are randomized and have to be decoded in an algorithm or something then sent back correctly. Correct me if i'm wrong but thats my theory.
edit: what do i use to open the .mod files? which program?
Visual Basic 6.0.
Cool :)
At a glance, it looks like the request payloads have a 2nd layer of encryption:
[23:35:49] Request: 37
00 56 F2 5C A5 BD 55 0B 38 4C C4 FA 45 7B 43 80 .V.\..U.8L..E{C.
12 96 4A C6 F2 B2 E5 E7 92 91 F8 2E A7 AC 4C 81 ..J...........L.
00 E0 46 00 00 ..F..
[23:35:49] Responce: 1
01 .
[23:35:49] Request: 17
05 CB 2E 3B 80 FE 27 EA 26 9F EA 3C F8 5B B0 51 ...;..'.&..<.[.Q
32 2
[23:35:49] Responce: 21
04 01 F9 61 92 44 AE 9A A2 93 10 87 45 B0 D6 4D ...a.D......E..M
CD FA 9B 5D 4D ...]M
[23:35:54] Request: 160
99 D2 0D 61 34 DF 82 A4 8B 44 55 16 C8 86 85 5C ...a4....DU....\
89 39 A6 B0 A1 25 9A FF 96 34 FA 26 6E 71 F7 7D .9...%...4.&nq.}
E0 BF A3 CD A7 B8 01 D8 2A EE 3A 46 82 57 90 86 ........*.:F.W..
8E 06 0C 7A 65 E8 46 8B 0B D0 9F 81 9E 96 91 4E ...ze.F........N
C3 78 90 54 C1 92 0B CA 12 96 DB 10 B0 30 9F 14 .x.T.........0..
43 29 0D 12 CA E5 41 01 62 3D 28 A5 97 EE 0F 29 C)....A.b=(....)
90 72 6E 21 6B DF 9F 91 DB 19 15 2F C7 43 86 66 .rn!k....../.C.f
50 73 F0 73 EE 94 C0 72 74 CF 18 96 7A A7 BD 9C Ps.s...rt...z...
3F 76 B9 B0 E6 CE 15 35 45 3F 51 99 15 98 0F 9F ?v.....5E?Q.....
CA C8 99 2C E8 9C B9 E8 5A 96 F1 51 49 CE 9D 46 ...,....Z..QI..F
[23:35:55] Responce: 29
17 81 B5 62 A1 99 BC F0 A7 7E 69 E1 5C 6A FF 5C ...b.....~i.\j.\
C7 0C C5 EE A2 76 30 6A 28 05 3F 40 FF .....v0j(.?@.
[23:36:09] Request: 160
9B 7B 4F 84 C8 E6 06 19 05 FD DB E9 B7 BB 52 51 .{O...........RQ
7C C5 81 70 2A 87 BC 23 F0 BE 24 D6 6A 22 16 45 |..p*..#..$.j".E
BD 17 79 DB C1 ED 88 80 99 CC 6F 99 94 24 7D D6 ..y.......o..$}.
7E 1B 92 E4 B3 09 BD 01 A1 1C 13 91 E0 8C 50 4B ~.............PK
71 27 F1 C7 D6 03 5A 45 F3 52 BD 55 91 0E FF BD q'....ZE.R.U....
4A 30 2C 59 2C 0C BC 61 EC FD FD 11 70 A7 1B C7 J0,Y,..a....p...
49 85 6F 8B EF BD 8B BE 15 A2 1E 2A 40 72 A6 41 I.o........*@r.A
8B CC 12 1C 9C 3E 70 62 0F 64 BB 52 2D 9F 2A E6 .....>pb.d.R-.*.
B1 ED 3B 6F A6 07 60 63 59 F0 92 E1 00 77 BC 08 ..;o..`cY....w..
97 90 3F 9A A3 2F AF 1E 72 99 EF 4D AB E6 87 06 ..?../..r..M....
[23:36:10] Responce: 22
73 48 F1 2D E4 0F 85 84 9E 3B BF B1 E6 CC 8A 05 sH.-.....;......
48 E7 3C 77 21 D9 H.<w!.
<3 blizzard for giving us somthing new and interesting to do.
Quote from: vector on November 04, 2008, 05:42 PM
Visual Basic 6.0.
Open a Warden module in VB6? lol!
Quote from: Pyro on November 04, 2008, 06:05 PM
Quote from: vector on November 04, 2008, 05:42 PM
Visual Basic 6.0.
Open a Warden module in VB6? lol!
ya thats what i was thinking, i was like "are you on crack?" lol i Module extensions for vb6 are .bas but good try there vector.
Lovely. Well, good luck iago and Ringo. I'm sure one of you will figure it out.
Quote from: Andy on November 04, 2008, 06:13 PM
Lovely. Well, good luck iago and Ringo. I'm sure one of you will figure it out.
You mean you KNOW one of them will figure it out, they are intelligent mother fuckers, don't fuck with them ;)
I know iago is... we were talking a few days ago, and we came to the conclusion none of the bots for the last few years would be in existence without him. He did lockdown, warden, NLS, and most of the open example code for everything.
Quote from: Andy on November 04, 2008, 07:16 PM
I know iago is... we were talking a few days ago, and we came to the conclusion none of the bots for the last few years would be in existence without him. He did lockdown, warden, NLS, and most of the open example code for everything.
Thx iago! and can someone tell me how to open these .mod files i'm interested in warden myself for the new 05 packet :/
Quote from: Racial on November 04, 2008, 06:42 PM
Quote from: Andy on November 04, 2008, 06:13 PM
Lovely. Well, good luck iago and Ringo. I'm sure one of you will figure it out.
You mean you KNOW one of them will figure it out, they are intelligent mother fuckers, don't fuck with them ;)
I'm not intelligent... infact, If you didn't spell intelligent for me, I wouldnt of been able to. ;p
Anyway, nothing new to see here, blizzard are still a bunch of morons. Old news, sry to say.
All ive done so far, is stared at the modules in IDA for the past few hours, and now my eyes hurt ><
Anyway, this is what is going on:
After the default module manages the downloading/executeing of the variable module (im assuming after that, the default module pass's data to the variable module), the server-side warden issues it a new encryption key (the 16 bytes in 0x05)
The client then generates its own encryption key and sends it back (4 byte checksum, 16 byte encryption key in 0x04 etc)
The server side warden and client side warden, then have a convo about the price of fish, the weather, the economic slow down and whos useing hax on starcraft.
These 2nd set of encryption keys are also tied into the 1st set/some logon variables.
The key the client sends back to the server, is checked and verifyed server side. If its wrong, you get disconnect, as you probly already know.
The key the server sends you, is probly used to crypt messages, as well as seed a new encryption key to send back to the server, and crypt the other side of traffic.
Ofc, I havent tested this, and I dont know for sure if the new keys seed a set of RC4 keys, but im 99% sure this is whats going on.
I might verify this tomorow, if I get some free time.
Funny thing is, they have left the same flaw in the protocol that allowed me to get around it last time. *sigh*
Quote from: Ringo on November 05, 2008, 12:14 AM
Quote from: Racial on November 04, 2008, 06:42 PM
Quote from: Andy on November 04, 2008, 06:13 PM
Lovely. Well, good luck iago and Ringo. I'm sure one of you will figure it out.
You mean you KNOW one of them will figure it out, they are intelligent mother fuckers, don't fuck with them ;)
I'm not intelligent... infact, If you didn't spell intelligent for me, I wouldnt of been able to. ;p
Anyway, nothing new to see here, blizzard are still a bunch of morons. Old news, sry to say.
All ive done so far, is stared at the modules in IDA for the past few hours, and now my eyes hurt ><
Anyway, this is what is going on:
After the default module manages the downloading/executeing of the variable module (im assuming after that, the default module pass's data to the variable module), the server-side warden issues it a new encryption key (the 16 bytes in 0x05)
The client then generates its own encryption key and sends it back (4 byte checksum, 16 byte encryption key in 0x04 etc)
The server side warden and client side warden, then have a convo about the price of fish, the weather, the economic slow down and whos useing hax on starcraft.
These 2nd set of encryption keys are also tied into the 1st set/some logon variables.
The key the client sends back to the server, is checked and verifyed server side. If its wrong, you get disconnect, as you probly already know.
The key the server sends you, is probly used to crypt messages, as well as seed a new encryption key to send back to the server, and crypt the other side of traffic.
Ofc, I havent tested this, and I dont know for sure if the new keys seed a set of RC4 keys, but im 99% sure this is whats going on.
I might verify this tomorow, if I get some free time.
Funny thing is, they have left the same flaw in the protocol that allowed me to get around it last time. *sigh*
*cries* poor poor blizzard, they think they outsmart the smarter ones ;)
[edit] can someone please give me a hint in the direction to opening mod files?
Quote from: Racial on November 05, 2008, 04:04 PMcan someone please give me a hint in the direction to opening mod files?
IDA Pro Disassembler.
http://www.hex-rays.com/idapro/idadown.htm
I think.
I had another quick look at it today, It looks like the orginal rc4 keys + the warden module (or its crypt key or alike) are responcible for producing the 2nd set of keys.
Heres a .c file for anyone whos interested -- it might be helpfull:
SCWarden.c (http://d2bot.cjb.net/SCWarden.c.txt)
Theres some errors in it, since braking down the module by hand in IDA, really sucks :(
From what ive seen so far, theres about 4 differnt requests. But I havent yet seen them decrypted, so I can only make a guess at this point.
Quote from: Don Cullen on November 05, 2008, 05:41 PM
Quote from: Racial on November 05, 2008, 04:04 PMcan someone please give me a hint in the direction to opening mod files?
IDA Pro Disassembler.
http://www.hex-rays.com/idapro/idadown.htm
I think.
thanks i got it, but it is confusing of where the hell to start off and do i use the hex mode? i've looked for FF 5E if thats the header even indicated in the module.
Battle.snp callback functions are stored in the TLS, the index of which is stored in 9008h. My strategy as of right now is to find what function(s) reference the address of the 0x5E send function and go from there, although I've been pretty busy lately.
Quote from: Racial on November 05, 2008, 07:07 PM
Quote from: Don Cullen on November 05, 2008, 05:41 PM
Quote from: Racial on November 05, 2008, 04:04 PMcan someone please give me a hint in the direction to opening mod files?
IDA Pro Disassembler.
http://www.hex-rays.com/idapro/idadown.htm
I think.
thanks i got it, but it is confusing of where the hell to start off and do i use the hex mode? i've looked for FF 5E if thats the header even indicated in the module.
You might want to get a book on reverse engineering (or look at the tutorial on my wiki) before you attempt this. You're in way over your head.
Quote from: iago on November 08, 2008, 05:36 PM
Quote from: Racial on November 05, 2008, 07:07 PM
Quote from: Don Cullen on November 05, 2008, 05:41 PM
Quote from: Racial on November 05, 2008, 04:04 PMcan someone please give me a hint in the direction to opening mod files?
IDA Pro Disassembler.
http://www.hex-rays.com/idapro/idadown.htm
I think.
thanks i got it, but it is confusing of where the hell to start off and do i use the hex mode? i've looked for FF 5E if thats the header even indicated in the module.
You might want to get a book on reverse engineering (or look at the tutorial on my wiki) before you attempt this. You're in way over your head.
kk thanks, just wanted to see what everything was about, seems pretty retarded searching through bytes and bytes of assembly :/
Well, if it's the only way to beat Warden, someone's gotta do it. ;)
Quote from: Pyro on November 09, 2008, 04:12 PM
Well, if it's the only way to beat Warden, someone's gotta do it. ;)
There will be a solution soon enough.
Who's working on it?
Quote from: Andy on November 09, 2008, 05:20 PM
Who's working on it?
If that's directed toward what I said then it doesn't matter. Someone somewhere is probably working on it. Someone may already have a solution but hasn't released anything (ie. code, hints, etc.). Someone or more than one person always starts attempting to solve things like this almost right away.
Quote from: Yegg on November 09, 2008, 06:14 PM
Quote from: Andy on November 09, 2008, 05:20 PM
Who's working on it?
If that's directed toward what I said then it doesn't matter. Someone somewhere is probably working on it. Someone may already have a solution but hasn't released anything (ie. code, hints, etc.). Someone or more than one person always starts attempting to solve things like this almost right away.
probley rob & iago is most lilkley.
the only thing now is to wait and see if they'll be kind enuff to release it to the public, in some ways thats good for some of us that don't abuse this for load bots, then its bad when it gets into the hands of the wrong people that cause these patchs to consume more time and waste more peoples lives. :P
Should I not release an easy to use DLL this time?
Quote from: Andy on November 09, 2008, 11:24 PM
Should I not release an easy to use DLL this time?
uhm, well its your option, but i'd only say release it to those you know wont do bad with it?
I just dropped the whole thing in my project because i didn't want a external DLL.
Quote from: MyStiCaL on November 09, 2008, 10:52 PM
probley rob & iago is most lilkley.
Sure ain't, at least, not at the moment.
Someday when I get bored, though, if nobody else has done it I'll do it.
Quote from: iago on November 09, 2008, 11:50 PM
Quote from: MyStiCaL on November 09, 2008, 10:52 PM
probley rob & iago is most lilkley.
Sure ain't, at least, not at the moment.
Someday when I get bored, though, if nobody else has done it I'll do it.
I think Rob already cracked warden, or atleast a bypass to it. Thats what i've heard.
I think something like this should be left in the same way as most of the game protocols are. The information on how to do it is available, but you actually have to make an effort to implement it, not just do something as simple as using a DLL.
So I should make my DLL require the Hash Files like it used to? XD
Quote from: Andy on November 10, 2008, 07:01 PM
So I should make my DLL require the Hash Files like it used to? XD
what do you mean by that?
I was joking... but my DLL used to require Starcraft.exe to get the values requested in 0x02 from, instead of having the correct responses hardcoded.
Quote from: MyStiCaL on November 10, 2008, 07:24 PM
Quote from: Andy on November 10, 2008, 07:01 PM
So I should make my DLL require the Hash Files like it used to? XD
what do you mean by that?
Don't you recall the first revision Andy wrote of his DLL needed a few extra DLL's to run?
I think one was like RSA.dll? It contained a few hashing functions, (I hardly remember so correct me if I'm wrong)
Edit: Meh. Andy replied ^^
RSHA... and it has all the standard BNET hashing stuff (Passwords, CDKeys, and various SHA hashes)
Yeah, Rob is using the same method to respond to the requests as Ringo right now. It's not by any means solved, though.
Quote from: brew on November 10, 2008, 09:10 PM
Yeah, Rob is using the same method to respond to the requests as Ringo right now. It's not by any means solved, though.
My method differs from Ringo's as it does not require the game to be loaded. I patch required memory addresses within battle.snp and call the functions directly to handle warden in the same method that the game would. This method has worked since first developing it, even when modules have changed.
So you're letting Maiev handle everything for you... not quite a redistributable solution... (http://realityripple.com/Uploads/Pictures/Pingu.gif)
Quote from: Andy on November 10, 2008, 09:34 PM
So you're letting Maiev handle everything for you... not quite a redistributable solution... (http://realityripple.com/Uploads/Pictures/Pingu.gif)
Redistribution was never my intention.
Ya, I know. That's why it's always my stuff that ends up getting used.
Quote from: Andy on November 10, 2008, 10:13 PM
Ya, I know. That's why it's always my stuff that ends up getting used.
Battle.net is a better place without a public warden implementation. You should really rethink the implications of your release before doing it again.
Quote from: Dale on November 10, 2008, 07:55 PM
Quote from: MyStiCaL on November 10, 2008, 07:24 PM
Quote from: Andy on November 10, 2008, 07:01 PM
So I should make my DLL require the Hash Files like it used to? XD
what do you mean by that?
Don't you recall the first revision Andy wrote of his DLL needed a few extra DLL's to run?
I think one was like RSA.dll? It contained a few hashing functions, (I hardly remember so correct me if I'm wrong)
Edit: Meh. Andy replied ^^
Nah I didn't use the DLL then, anywho, the public implementation is bad to battle.net when it gets into the wrong hands like trick & his warbots or nes_sucks,
but for the few of us that like to login just starcraft on our bots, well.. Yeah kinda sucks, now my progress of work playing with Ringos new fun modules for game join/creation is at a uttor hault. :[
Ok... I won't update my Warden DLL... It apparently caused too much trouble.
well that sucks :P
Quote from: brew on November 10, 2008, 09:10 PM
Yeah, Rob is using the same method to respond to the requests as Ringo right now. It's not by any means solved, though.
I'm not sure where you got that from.
The method Rob came up with was nothing like the method I came up with.
Quote from: Rob on November 10, 2008, 09:19 PM
My method differs from Ringo's as it does not require the game to be loaded.
The orginal method I conjured up, didn't require the game be loaded, altho I orginaly needed to watch the traffic between the game and the server inorder to take the next step.
That said, ive only ran 8 bots, for 20mins uptime in a little test I did awhile back with the current warden, but haven't continued with it.
Altho the responces I send back are pretty much 100% safe, I don't really want to go into detail on what I do, because blizzard could patch/detect it in a nano-second, if they knew what to look for :p
Anyway, back to what I orginaly posted some days ago:
I probed somthing today and found out somthing else.
It seems the "second layer of encryption" infact replaces the first.
This is what I know for sure so far (keep in mind, I really haven't spent much time at all on this todate)
1) the value the server sends to the client in 0x05, is based on the orginal RC4 encryption.
- By that, I mean it could be based on another logon variable, the orginal seed of the rc4(1st dword of the cdkey hash) or somthing alike.
- it's also based on the current module as well.
2) the value the client sends back to the server in 0x04 seems to be dependent on the value in 0x05, or what went into generating the value seen in 0x05.
3) I still can't say for sure what those 2 value's really are or how to generate them.
- i'm wundering atm, if the server value is an MD5 of *somthing* and the client value is a SHA1 of *somthing* alike.
- they could just be 16 bytes both ways, but i'm not sure if the client value is a checksum+16 bytes, or just 20bytes.
4) After the 0x05/0x04 have pass'ed, the orginal rc4 encryption is pretty much useless.
- i'm guessing the orginal RC4 keys need to be updated *somehow* with the new value's in 0x05/0x04 or a new set of keys created -- that is, if the values in 0x05/0x04 seed an rc4 encryption and not somthing else.
I think it's safe to say, the client and server value, are pretty important.
I would really like to see/get my hands on the default module (raw) that the client's are currently running, that is, if it changed in the latest patch.
iago, how did you orginaly go about extracting it? :p
Tell me if I get this. I'm trying to make sense of this.
Warden now requires you to store another log on variable along with first 4 bytes of the cdkey hash. On top of that, the new value joints to with the old RC4 encryption to create the 0x04 value?
Quote from: PunK on November 12, 2008, 10:51 PM
Warden now requires you to store another log on variable along with first 4 bytes of the cdkey hash.
Maybe, but very unlikely -- I still can't rule out, 100% that another logon value comes into play, but I would make the assumption it doesn't. I figger, it's best not to put all the eggs into 1 basket just yet.
Quote from: PunK on November 12, 2008, 10:51 PM
On top of that, the new value joints to with the old RC4 encryption to create the 0x04 value?
yeah, somthing along those lines. I really haven't probed this much at all, so I guess you could say i'm open minded for now.
let's say for example, you're seed (first dword of key hash) is always the same.
The value sent from the server in 0x05, will always be the same, and the value sent back from the client, will also be the same to.
Now, when the module changes, these value's will change.
The reassion these value's are not always the same for a given module, is because the seed changes each seassion.
So, it's safe to say, the value in 0x05 at least, is tied to the module and the seed, the SHA1 data stream, or the RC4 keys generated from them.
I can't say for sure if the responce value in 0x04, is tied into the value in 0x05, or if the client generates it's own value in the same manner the sevrer generate's it's 0x05 value, with out probeing deeper.
It take's a fair amount of time and hastle to test thses kind of things, so you need to be fairly motivated to do it.
I will post some logs in awhile from now, If i get around to it, showing what I mean.
[edit]:
Both seassions have the same seed:
Seassion1:
[07:46:51] WARDEN: Recv
00000000 00 A9 4A 90 B0 BC AD FD 19 DB 79 ED 51 69 69 FC ..J.......y.Qii.
00000010 17 12 63 A2 D4 83 09 9B 28 A7 3F C9 1A 9B 3B 4C ..c.....(.?...;L
00000020 E0 51 48 00 00 .QH..
[07:46:51] WARDEN: Sent
00000000 01 .
[07:46:51] WARDEN: Recv
00000000 05 1D 58 E3 7E 07 13 84 41 53 02 22 AA 6D CD EE ..X.~...AS.".m..
00000010 C2 .
[07:46:51] WARDEN: Sent
00000000 04 3A A9 B5 C3 C0 7D 96 7B 71 04 C5 57 CE FC BA .:....}.{q..W...
00000010 C1 AE A1 0C 54 ....T
[07:46:56] WARDEN: Recv
00000000 1E D1 8C 9B 20 3D F4 B1 40 43 76 91 17 AC F4 2E .... =..@Cv.....
00000010 4D BD 1C D3 47 25 15 FF 9F B6 77 D6 A1 4A 92 52 M...G%....w..J.R
00000020 38 0E F3 D1 BD 1B 35 E6 16 21 39 93 18 5F 95 48 8.....5..!9.._.H
00000030 13 6E 85 CE 74 11 9A DB 7D 15 F9 DE EF C9 92 FD .n..t...}.......
00000040 44 7C 52 8C 0A BE B3 CC 07 59 47 B8 8A 0C 53 29 D|R......YG...S)
00000050 8E C3 AB AB F5 84 89 11 EB 1C D5 60 D1 0A C5 2B ...........`...+
00000060 3F F5 0F 7B 2C 91 A6 FE 4A 77 7E 81 FC 31 3B CF ?..{,...Jw~..1;.
00000070 D2 7A B9 77 C2 1F EE CA 58 E0 AC 71 EE 17 F9 C0 .z.w....X..q....
00000080 45 B9 1B 4B 7E 49 F6 8F A4 E1 31 89 D7 21 11 F0 E..K~I....1..!..
00000090 6A 78 DF 96 14 BF 52 85 C8 jx....R..
[07:46:56] WARDEN: Sent
00000000 D6 B1 26 26 7D 3D 9A 5E C6 32 8B 51 ..&&}=.^.2.Q
Seassion2:
[08:39:31] WARDEN: Recv
00000000 00 A9 4A 90 B0 BC AD FD 19 DB 79 ED 51 69 69 FC ..J.......y.Qii.
00000010 17 12 63 A2 D4 83 09 9B 28 A7 3F C9 1A 9B 3B 4C ..c.....(.?...;L
00000020 E0 51 48 00 00 .QH..
[08:39:31] WARDEN: Sent
00000000 01 .
[08:39:31] WARDEN: Recv
00000000 05 1D 58 E3 7E 07 13 84 41 53 02 22 AA 6D CD EE ..X.~...AS.".m..
00000010 C2 .
[08:39:31] WARDEN: Sent
00000000 04 3A A9 B5 C3 C0 7D 96 7B 71 04 C5 57 CE FC BA .:....}.{q..W...
00000010 C1 AE A1 0C 54 ....T
[08:39:36] WARDEN: Recv
00000000 1E D1 8C 9B 20 3D F4 B1 40 43 76 91 17 AC F4 2E .... =..@Cv.....
00000010 4D BD 1C D3 47 25 15 FF 9F B6 77 D6 A1 4A 92 52 M...G%....w..J.R
00000020 38 0E F3 D1 BD 1B 35 E6 16 21 39 93 18 5F 95 48 8.....5..!9.._.H
00000030 13 6E 85 CE 74 11 9A DB 7D 15 F9 DE EF C9 92 FD .n..t...}.......
00000040 44 7C 52 8C 0A BE B3 CC 07 59 47 B8 8A 0C 53 29 D|R......YG...S)
00000050 8E C3 AB AB F5 84 89 11 EB 1C D5 60 D1 0A C5 2B ...........`...+
00000060 3F F5 0F 7B 2C 91 A6 FE 4A 77 7E 81 FC 31 3B CF ?..{,...Jw~..1;.
00000070 D2 7A B9 77 C2 1F EE CA 58 E0 AC 71 EE 17 F9 C0 .z.w....X..q....
00000080 45 B9 1B 4B 7E 49 F6 8F A4 E1 31 89 D7 21 11 F0 E..K~I....1..!..
00000090 6A 78 DF 96 14 BF 52 85 C8 jx....R..
[08:39:36] WARDEN: Sent
00000000 D6 B1 26 26 7D 3D 9A 5E C6 32 8B 51 ..&&}=.^.2.Q
I will post another log later, when the module finaly changes, and you should see that the values in 0x04/0x05 change.
The values would also change, if the seed changed, but in the above 2 examples, they were 2 differnt connections with the same seed (1st dword of cdkey hash).
I also checked somthing else why gathering these logs.
When I changed a byte in the 0x05 value, the client responded with a totaly differnt 0x04 value.
So it's safe to say, the value in 0x05 is invloved in generating the value in 0x04. But i'm sure, that's just the tip if the iceburg.
You should have probly noticed by now, that the request is pretty much static, and there is also only a handfull of requests and responces, like before. Hence why I said blizzard are as dumb as ever.
This is probly all just to verify the client really does have the given module, and changes the encryption key's to throw us all off the cent.
I can't see why, once we figger out how to generate the responce to 0x05 plus the new encryption keys, why we can't just hardcode the requests vs responces, like before.
Basicly, If Checksum(Request) = X then send Y -- should be as simple as that, thank's to blizzards wunderfull imagination.
Figgering out how to generate the responce to 0x05, should be pretty easy -- you could set up an array of buffers containing all the value's you know go into it, then brute force every combination possible untill you get a matching value to that seen in 0x04.
I'm pretty sure that the new encryption key's are generated after this process tho, so they would be abit harder to figger out that way.
Quote from: Ringo on November 13, 2008, 01:31 AM
I can't see why, once we figger out how to generate the responce to 0x05 plus the new encryption keys, why we can't just hardcode the requests vs responces, like before.
Basicly, If Checksum(Request) = X then send Y -- should be as simple as that, thank's to blizzards wunderfull imagination.
Figgering out how to generate the responce to 0x05, should be pretty easy -- you could set up an array of buffers containing all the value's you know go into it, then brute force every combination possible untill you get a matching value to that seen in 0x04.
It's only true in theory but not in practice. 0x05 is a challenge and 0x04 is the response to verify that the challenge was computed correctly. It also changes other things, one of them being the pad. The computation of 0x05 is different in each module so you're not going to have much luck brute forcing a 128 bit challenge (nor would you want to) when the modules change every few hours. So module 1 might compute 0x05 as X^2+5 while module 2 computes it as sqrt(X+3)/2 (it's much more involved and complicated than that but you get the idea). 0x04 is SHA1(f(0x05)). One other improvement to this version over earlier ones is it attempts to foil replaying of responses. Other than those, the protocol remains the same as before. Things like these are the reason why I've said not to worry about how to compute checksums, what hasher to use, what protocol to use, what encryption scheme to use, etc., because it is all dependent upon the module they give. A generic warden responder won't work in the long run; the specific warden module's code has to run or be analyzed at some point to get the correct response (which for now can mostly be replayed).
Can we... run the modules in a virtual environment or something? I've never understood why that wouldn't be possible for dealing with things like checkrevision and warden. Just emulate enough of the game's memory to pass as a running client?
Hmm thanks for the clarification Ringo.
I haven't quite done much with encryption and I might as well start learning now since i'll probably be doing it later. And also to help contribute a little bit seeing how a lot of people rely on certain others to fix there problems.
So once your online, the values will never change until a new session is made (reconnecting)? If that's the case... then what was the point of changing warden to a static value vs. the old varying value? Was this another sad attempt to try to "prevent" bots and complicate things?
Quote from: PunK on November 13, 2008, 01:33 PMWas this another sad attempt to try to "prevent" bots and complicate things?
It wasn't an attempt to prevent bots from connecting to Battle.net nor was it an attempt to complicate bot development. The whole point of Warden is to prevent/complicate hacking/cheating. If a bot developer finds a way to defeat Warden just so a bot can use Starcraft to connect to Battle.net, the end result is hackers can use this information to enable their hacks to work in games and not be caught by Warden not just in Starcraft, but in all other games that make use of Warden. Unlike other games, Starcraft has Warden running both in game and chat lobby. In other games, they have two separate servers; chat server, and game servers. But for Starcraft, they have a single server for both chat and game. So because of that, for other games, they run Warden on the game servers, but for Starcraft, since the server handles both chat/game, Warden runs for both.
Just wanted to point that out so people don't mistakenly assume Warden was intended to complicate botmaking.
Quote from: Andy on November 13, 2008, 05:13 AM
Can we... run the modules in a virtual environment or something?
Yes
Quote
I've never understood why that wouldn't be possible for dealing with things like checkrevision and warden. Just emulate enough of the game's memory to pass as a running client?
Problem: The addresses in the 0x02 packet, for example. They're absolute!
Answer: Perhaps if we relocated our application's image base to something other than 0x400000 so Starcraft can load at what it wants to?
Problem: What about the apis it calls? Like GetCurrentProcess, CreateToolhelp32Snapshot, Module32First, Module32Next etc?
Answer: Hook them!!
Problem: Okay, so we've somehow managed to emulate the starcraft environment to the point that the warden module would produce correct responses. How are we going to capture them now? Somehow programatically (pattern recognition?) find the subroutine that crypts the response and set a detour?
Answer: Warden might now check the integrity of itself.
Problem: NOOOOOO
So even if you somehow find a way around that last problem and possibly others, how practical would it be?
Quote from: Don Cullen on November 13, 2008, 02:22 PM
Quote from: PunK on November 13, 2008, 01:33 PMWas this another sad attempt to try to "prevent" bots and complicate things?
It wasn't an attempt to prevent bots from connecting to Battle.net nor was it an attempt to complicate bot development. The whole point of Warden is to prevent/complicate hacking/cheating. If a bot developer finds a way to defeat Warden just so a bot can use Starcraft to connect to Battle.net, the end result is hackers can use this information to enable their hacks to work in games and not be caught by Warden not just in Starcraft, but in all other games that make use of Warden. Unlike other games, Starcraft has Warden running both in game and chat lobby. In other games, they have two separate servers; chat server, and game servers. But for Starcraft, they have a single server for both chat and game. So because of that, for other games, they run Warden on the game servers, but for Starcraft, since the server handles both chat/game, Warden runs for both.
Just wanted to point that out so people don't mistakenly assume Warden was intended to complicate botmaking.
You might say that, but if it was soley for hacks, then it'd be used like warden on d2 & w3 and not be active untill in game, but no! this is active from the second you login. thus meaning its a prevention for BOTH.
Quote from: MyStiCaL on November 13, 2008, 03:50 PM
You might say that, but if it was soley for hacks, then it'd be used like warden on d2 & w3 and not be active untill in game, but no! this is active from the second you login. thus meaning its a prevention for BOTH.
Read what I said earlier:
Quote from: Don Cullen on November 13, 2008, 02:22 PM
Unlike other games, Starcraft has Warden running both in game and chat lobby. In other games, they have two separate servers; chat server, and game servers. But for Starcraft, they have a single server for both chat and game. So because of that, for other games, they run Warden on the game servers, but for Starcraft, since the server handles both chat/game, Warden runs for both.
The server is using old software; it runs warden on both not because they wanted it to cover both chat and game, but because they had no choice since both game and chat were both a SINGLE server. I don't know how to explain it any more simpler than that. Warden is intended to combat game hackers/cheaters, not bots. If it was intended to combat bots, then they would have applied Warden to the chat servers of all other games, not just the game servers.
Quote from: MyStiCaL on November 13, 2008, 03:50 PMYou might say that, but if it was soley for hacks, then it'd be used like warden on d2 & w3 and not be active untill in game, but no! this is active from the second you login. thus meaning its a prevention for BOTH.
As many others have stated, I believe it was simply a anti-hack mechanism {as it has been used many times before} and the anti-bot aspect is simply an added bonus for them.
The main diffrence between SC in-game setup and D2/WC2 in-game setup is that D2 and WC3 game servers are controlled by Blizzard. Whereas SC is a ad-hoc style which is governed solely by the person who hosted the game.
If they decided to expand warden's 0x5E packet for D2 and WC3, then this, I would call, is a direct attack against bot users. Untill that day I still say Warden's effect on non-game bots is simply a side effect.
Anyways I've been poking it a little, as I don't know near enough about reversing to understand much. But I did get Battle.snp to load/parse it. It bitched at me for not having SC up, but hey.. its something.
Hmm, yeah I assumed it was an added bonus and to also prevent hacking.
Is iago's reverse engineering tutorial on his wikipedia?
Quote from: PunK on November 13, 2008, 09:04 PM
Is iago's reverse engineering tutorial on his wikipedia?
Yes.
http://www.skullsecurity.org/wiki/index.php/Assembly
Quote from: vector on November 04, 2008, 05:42 PM
Visual Basic 6.0.
I seriously wasn't thinking when I posted that.
I was thinking Visual Basic modules...
Quote from: Hdx on November 13, 2008, 04:29 PM
Quote from: MyStiCaL on November 13, 2008, 03:50 PMYou might say that, but if it was soley for hacks, then it'd be used like warden on d2 & w3 and not be active untill in game, but no! this is active from the second you login. thus meaning its a prevention for BOTH.
As many others have stated, I believe it was simply a anti-hack mechanism {as it has been used many times before} and the anti-bot aspect is simply an added bonus for them.
basicly what i ment, i just believe they figured why not kill 2 birds with 1 stone.
Well, bnet might see bots (more so, the abuseive ones) as hacks and what not anyway.
Anyway, if what herzog said is true, and each module has a differnt method/function of calculating the responce to 0x05 (makes sence), then that would also mean, the way (or should I say, the seed) the new encryption keys are generated would also be differnt for a given module.
It would be one of the better ways of module verification.
Never the less, the requests after the 0x04/0x05, are still pretty flawed, like the orginal version of warden starcraft saw.
The only thing that's stopping us from taking advantage of that, is the way the new encryption keys are generated.
I guess you could load the module up into memory and execute it, but that sounds a little bit like blind faith :P
If you need to create an image of starcraft (or most of it) in memory, you might as well run a legit version of the client -- at least that way, it's going to be pretty safe.
I guess one other way of doing it, would be to load the module, parse it, seek out the needed function's and execute them to generate the responce to 0x05, and the new encryption keys, then take over from there -- but that still seems like an awfull lot of work.
Quote from: brew on November 13, 2008, 02:33 PM
Problem: Okay, so we've somehow managed to emulate the starcraft environment to the point that the warden module would produce correct responses. How are we going to capture them now? Somehow programatically (pattern recognition?) find the subroutine that crypts the response and set a detour?
Answer: Warden might now check the integrity of itself.
The response is returned and sent by Battle.snp. If you call the Warden functions, it'll return the data to you.
Quote from: iago on November 14, 2008, 10:04 AM
Quote from: brew on November 13, 2008, 02:33 PM
Problem: Okay, so we've somehow managed to emulate the starcraft environment to the point that the warden module would produce correct responses. How are we going to capture them now? Somehow programatically (pattern recognition?) find the subroutine that crypts the response and set a detour?
Answer: Warden might now check the integrity of itself.
The response is returned and sent by Battle.snp. If you call the Warden functions, it'll return the data to you.
I was referring to what would have to be done if you wanted warden to deal with just the base decrypted payload. All battle.snp does is send the finished product.
has anybody come to any new conclusions?
Quote from: PunK on November 16, 2008, 06:55 PM
has anybody come to any new conclusions?
Yes. Warden's very nature has us cornered. Picture it like this:
There's a giant dick heading for your mouth.
You say, "Oh man i'm gonna have to suck this thing!" and brace for impact,
however at the last minute it changes trajectory and stabs you in the eye.
You now have this giant penis inside of your eyesocket, impailing your skull.
It pulls out, and rams back in, over and over and over.
You end up dying a slow, painful death.
There's nothing we can do, really, besides loading the module to respond to the 0x05 challenge for us and hope it doesn't detect anything that'd screw the output.
It's a little silly to argue whether or not these games use some sort of anti-hack mechanism to stop emulation of the client, also. None of us know for a fact, because if any of us worked at Blizzard we probably wouldn't be sitting here discussing this in the "how to emulate warden" thread.
I'm not at all familiar with how Warden works, but from what Herzog has told us, it sounds like the process sort of goes like this:
1. recv warden 'module' data during logon procedure
2. pointer to warden 'module' data is probably given to some method that makes use of this data
.. is this something that has been researched, and documented? (code snippets, psuedocode, whatever)
3. warden module is used to generate some data that is then forwarded to bnet
is this the general process? if so, is this repeated throughout the duration spent online?
Quote from: chyea on November 16, 2008, 11:40 PM
1. recv warden 'module' data during logon procedure
Yea, well, more like right after.
Quote
2. pointer to warden 'module' data is probably given to some method that makes use of this data
.. is this something that has been researched, and documented? (code snippets, psuedocode, whatever)
huh? :p a pointer to the warden module is the first member of a warden class
Quote
3. warden module is used to generate some data that is then forwarded to bnet
Yes
Quote
is this the general process? if so, is this repeated throughout the duration spent online?
The same module requested after logon is used throughout the connection.
What does the module require to function properly? What's stopping a client emulator from downloading the module and using it?
Data in memory... The module reads application memory where it expects starcraft to be loaded. See the last page or the page before for brew's explanation of why it's not feasible to emulate starcraft in memory.
Quote from: brew on November 16, 2008, 10:16 PM
There's a giant dick heading for your mouth.
You say, "Oh man i'm gonna have to suck this thing!" and brace for impact,
however at the last minute it changes trajectory and stabs you in the eye.
You now have this giant penis inside of your eyesocket, impailing your skull.
It pulls out, and rams back in, over and over and over.
You end up dying a slow, painful death.
I don't think we needed to hear about your personal life. :P
Quote from: Andy on November 18, 2008, 03:30 PM
Data in memory... The module reads application memory where it expects starcraft to be loaded. See the last page or the page before for brew's explanation of why it's not feasible to emulate starcraft in memory.
What data, specifically? Is it known how this data is derived? Can this data be produced without needing the client to be loaded? Is this data just to make sure that the client hasn't been modified? If so, is it always static, like lockdown did?
Well? Is this where the extent of the public knowledge ends?
Yes, pretty much, If we knew exactly what the module was doing we would have no problem emulating it.
But, the problem is, the modules can change, that's the nature of warden. So the only 100% way to make it happy is to have the entire memory space of sc mapped out with the correct data.
Couldn't we do it with a BIN file like lockdown?
Quote from: Andy on November 19, 2008, 01:12 PMCouldn't we do it with a BIN file like lockdown?
Why yes we could, the files we would need are: Starcraft.exe Storm.dll and Battle.snp Map those out, trick warden into not checking where its being called from, and then away you go.
Well... we already have all those files for hashing... I still think you should be able to load data into a "virtual" memory system somehow. Just copy all the data and allocate enough space for where the data would normally be loaded in memory, and woosh?
Quote from: Hdx on November 19, 2008, 12:17 PM
So the only 100% way to make it happy is to have the entire memory space of sc mapped out with the correct data.
Well, yea, but that's only because nobody seems to have gone through and analyzed what these warden modules actually do. It sounds as if it'd be wise to write up something to perhaps detect certain algorithms in these modules, and eventually add functionality for evaluating these 'on the fly' algorithms with the appropriate data substituted in. In every scenario the data that these algorithms are dependent on should be static. If they were portions of data that could change it wouldn't really be an appropriate thing to base a challenge on - unless of course it's some crazy thing that I just don't understand. :P
I recall seeing one of these warden modules, and I don't think they were too large. I remember them being fairly small. So I'm guessing it's just a single equation, or two, like Herzog mentioned.
In regards to basically writing an asm to whatever code converter... well... that'd take some research.
It'd be nice to know wtf 9000h is. It's a global variable within the module with some psuedo-random (hell, even xor'd with esp) value that seems to be a centric part of the module. This is where it's generated, in 56f25ca5bd550b384cc4fa457b438012 at least (i've nicknamed it magic):
int __stdcall makevalues_2F01() {
FILETIME ft;
LARGE_INTEGER largeint;
unsigned int result
ft.dwLowDateTime = 0;
ft.dwHighDateTime = 0;
if ((magic != BB40E64E) && (magic & 0xFFFF0000)) {
result = ~magic;
v9004 = ~magic;
} else {
GetSystemTimeAsFileTime(&ft);
uint syshash = GetTickCount() ^ (GetCurrentThreadId() ^ (GetCurrentProcessId() ^ ft.dwLowDateTime ^ ft.dwHighDateTime));
QueryPerformanceCounter(&largeint);
result = largeint.LowPart ^ largeint.HighPart;
uint tmp = largeint.LowPart ^ largeint.HighPart ^ syshash;
if (tmp == 0xBB40E64E) {
tmp = 0xBB40E64F;
} else {
if (!(tmp & 0xFFFF0000)) {
result = tmp << 16;
tmp |= tmp << 16;
}
}
magic = tmp;
v9004 = ~tmp;
}
return result;
}
It's boggling to me. The authors of this module have the audacity to expect this, xored with GetTickCount() ffs, to be some exact value?
@chyea:
the modules can actually be quite large. the one i'm working on right now is 32 kb.
Quote from: brew on November 19, 2008, 02:33 PM
It'd be nice to know wtf 9000h is. It's a global variable within the module with some psuedo-random (hell, even xor'd with esp) value that seems to be a centric part of the module. This is where it's generated, in 56f25ca5bd550b384cc4fa457b438012 at least (i've nicknamed it magic):
int __stdcall makevalues_2F01() {
FILETIME ft;
LARGE_INTEGER largeint;
unsigned int result
ft.dwLowDateTime = 0;
ft.dwHighDateTime = 0;
if ((magic != BB40E64E) && (magic & 0xFFFF0000)) {
result = ~magic;
v9004 = ~magic;
} else {
GetSystemTimeAsFileTime(&ft);
uint syshash = GetTickCount() ^ (GetCurrentThreadId() ^ (GetCurrentProcessId() ^ ft.dwLowDateTime ^ ft.dwHighDateTime));
QueryPerformanceCounter(&largeint);
result = largeint.LowPart ^ largeint.HighPart;
uint tmp = largeint.LowPart ^ largeint.HighPart ^ syshash;
if (tmp == 0xBB40E64E) {
tmp = 0xBB40E64F;
} else {
if (!(tmp & 0xFFFF0000)) {
result = tmp << 16;
tmp |= tmp << 16;
}
}
magic = tmp;
v9004 = ~tmp;
}
return result;
}
It's boggling to me. The authors of this module have the audacity to expect this, xored with GetTickCount() ffs, to be some exact value?
Looks to me like it's not very magic, heh. Looks like it's checking to see if that value is what it expects, and if it's not it reset it to something more appropriate - in this case, a time stamp, or something.
Haha :D I just figured out exactly what it is. Apparently, it's a 'security cookie' thrown in as a defense against buffer overruns.
**EDIT
Oh by the way, for anyone else checking out what the modules do,
here's a listing of battle.snp's 'warden exports'
.rdata:1903DB64 WardenSNPExportTable dd offset WardenSNPSend0x5E ;19031410
.rdata:1903DB64 ; DATA XREF: .data:off_19043408
.rdata:1903DB68 dd offset WardenSNPModuleStart ;19031E80
.rdata:1903DB6C dd offset SaveModuleToBNCache ;19031500
.rdata:1903DB70 dd offset WardenSNPAllocCrap ;190313B0
.rdata:1903DB74 dd offset WardenSNPFreeWrapper ;19031390
.rdata:1903DB78 dd offset WardenSNPDupClass ;19031340
.rdata:1903DB7C dd offset WardenSNPMemcpyNFree ;190312D0
I guess this thread stopped when warden was last deactivated in chat.
Now each time you log on, you get another random packet ID, instead of just 0x05.
I guess you guys should get back to work on it? What does the outcome look like based on what I've just told you?
What are you talking about? It's still using 5. There's no other packets until you respond.
yep, everything looks as it was before, besides a one or two server side changes, but that wouldn't have a noticable effect:
Warden Data Recv: 37
00000000 00 AC 94 67 4C BF 69 6E D1 35 91 71 EA 13 4D EC ...gL.in.5.q..M.
00000010 3E 86 96 74 2E 63 90 0E 84 12 95 D4 C9 FA 62 4E >..t.c........bN
00000020 8C 71 4D 00 00 .qM..
Warden Data Sent: 1
00000000 01 .
Warden Data Recv: 17
00000000 05 13 8B A2 E8 1E 09 68 A1 9D 34 7F 96 53 C4 7C .......h..4..S.|
00000010 94 .
Warden Data Sent: 21
00000000 04 9C 8C EB F5 A1 48 03 EA 59 48 2A 5E 09 D5 7A ......H..YH*^..z
00000010 4B 5E F8 03 25 K^..%
Warden Data Recv: 160
00000000 02 00 74 05 63 1F EA C5 0C 6D BB 41 52 42 BD 93 ..t.c....m.ARB..
00000010 7B E3 67 81 F8 C9 A3 00 56 DF D4 4C 30 00 00 16 {.g.....V..L0...
00000020 50 00 4B E2 41 00 0A 74 DB 09 5F 59 64 BD B1 F1 P.K.A..t.._Yd...
00000030 8D 32 70 C1 77 C3 1D 95 6E 06 0C 10 C5 CE 82 37 .2p.w...n......7
00000040 0C 49 00 00 20 74 DD EC C2 7E FD 23 E9 48 8A B5 .I.. t...~.#.H..
00000050 E0 B4 AF CC 8C 19 D5 F2 69 A6 A2 F2 D4 FB F8 D7 ........i.......
00000060 06 00 30 74 1F B0 BC 11 01 F3 B5 31 AE 6F B3 EF ..0t.......1.o..
00000070 53 A3 0D 0B 24 37 3A 0D B4 AF B3 73 70 E9 01 00 S...$7:....sp...
00000080 17 74 74 45 DC 80 C2 4A 47 9A F7 7C 71 2F B1 F7 .ttE...JG..|q/..
00000090 CB 79 AF C7 FA DD 1A 7B EF 36 C8 D7 06 00 30 69 .y.....{.6....0i
Warden Data Sent: 23
00000000 02 10 00 05 C4 79 86 00 00 00 10 09 6B 03 08 70 .....y......k..p
00000010 19 E1 30 00 00 00 00 ..0....
Warden Data Recv: 160
00000000 02 00 50 00 4B E2 41 00 0A 74 7C 89 27 AA 4E 73 ..P.K.A..t|.'.Ns
00000010 BA DB 7A D8 2F 1B CB C8 6A 61 E2 E5 69 6E 00 E9 ..z./...ja..in..
00000020 57 A3 10 91 00 00 28 74 3D 94 28 CC DD E4 DA AE W.....(t=.(.....
00000030 F1 19 2E E6 99 5C 8D 49 9E 8B 76 2E E0 F8 28 D8 .....\.I..v...(.
00000040 02 E1 00 00 2A 74 AC 90 0E E1 03 1F F7 10 1C F1 ....*t..........
00000050 85 07 C7 CF 7A 5B ED 1A 33 77 BD 06 22 60 F4 D7 ....z[..3w.."`..
00000060 06 00 30 74 C2 03 36 F5 A9 46 FA 75 A6 71 1B D0 ..0t..6..F.u.q..
00000070 8D 32 A8 85 32 EC 27 06 B2 05 E0 BE 9C FE 01 00 .2..2.'.........
00000080 25 74 0C 6D 8F 6C CE 44 3F 8F 9A 70 7C 77 44 26 %t.m.l.D?..p|wD&
00000090 FD BE CB 3D 54 9A D4 CF DB 1A F8 D4 06 00 30 69 ...=T.........0i
Warden Data Sent: 23
00000000 02 10 00 DD 01 73 AE 00 00 10 09 6B 03 08 70 19 .....s.....k..p.
00000010 E1 30 00 00 00 00 00 .0.....
Warden Data Recv: 153
00000000 02 00 74 B4 2D 3C 68 F5 EE 4E 2D 49 53 20 F4 85 ..t.-<h..N-IS ..
00000010 AF A6 11 80 85 1D 9B 75 C2 A9 8D 48 22 06 00 0E .......u...H"...
00000020 74 45 03 D5 ED 27 96 C2 A2 37 2B 94 F6 9F 5F DF tE...'...7+..._.
00000030 03 EE EF 40 4E 65 B2 DE FA 98 20 00 00 11 74 EE ...@Ne.... ...t.
00000040 F4 D4 11 77 5B AE 9C 81 81 74 32 FD FF 35 F0 80 ...w[....t2..5..
00000050 4E F7 E6 8A EA 60 DB C8 D7 06 00 30 74 53 AD 1C N....`.....0tS..
00000060 57 43 EF E2 92 39 26 D1 B8 72 C4 10 0E 48 29 D5 WC...9&..r...H).
00000070 CC 5B 84 8A 9F B9 32 00 00 24 74 92 A7 E0 2B 44 .[....2..$t...+D
00000080 5E 33 96 9B 4E A4 20 C0 97 09 8C E0 AD A1 84 53 ^3..N. ........S
00000090 47 A3 02 02 E1 00 00 2A 69 G......*i
Warden Data Sent: 12
00000000 02 05 00 F4 BD 4B 3E 00 00 00 00 00 .....K>.....
Quote from: Andy on December 02, 2008, 03:37 PM
What are you talking about? It's still using 5. There's no other packets until you respond.
According to the beta of StealthBot, which had warden support implemented before it was broken, everytime a SC/BW client logs on, it will say "Unknown Warden ID: 0x**" etc. The ID will change each time you log in.
I'm not sure if this has to do with a different module, or not.
Don't trust StealthBot to accurately display anything.
So warden is still requesting 0x05, and nothing else, other than the previous IDs?
Odd.
You're probably misinterpreting what it's telling you.
Quote from: vector on December 02, 2008, 07:28 PM
So warden is still requesting 0x05, and nothing else, other than the previous IDs?
Odd.
Warden still has the same encryption and decryption that it had before (of course, the bot doesn't have any handling for 0x5):
[WARDEN] Recieved Decrypted:
0000 05 1c 7b 7f 7d c5 8c c3 ae e5 b9 b9 25 37 9d 9d ..{.}Å.îå..%7..
0010 59 Y
[WARDEN] Request ID 0x5
A first chance exception of type 'System.NotSupportedException' occurred...As Andy says, if you think what StealthBot outputs is correct, you might want to rethink that thought.
Quote from: Ribose on December 02, 2008, 08:16 PM
Quote from: vector on December 02, 2008, 07:28 PM
So warden is still requesting 0x05, and nothing else, other than the previous IDs?
Odd.
Warden still has the same encryption and decryption that it had before (of course, the bot doesn't have any handling for 0x5):
[WARDEN] Recieved Decrypted:
0000 05 1c 7b 7f 7d c5 8c c3 ae e5 b9 b9 25 37 9d 9d ..{.}Å.îå..%7..
0010 59 Y
[WARDEN] Request ID 0x5
A first chance exception of type 'System.NotSupportedException' occurred...
As Andy says, if you think what StealthBot outputs is correct, you might want to rethink thinking.
Seince there are no public docs on the new warden modules, SB will be outdated, live with it. Use another product and you'll be good.
.....
Btw, what are you using? The beta or my lame proxy? {prolly my proxy which again will not be updated untill there are public docs}
The reason you're getting random IDs is because my proxy isnt decrypting the warden module correctly after 0x05 as they are using a diffrent system.
The beta. It used to be a constant 0x05, but now the IDs are different each time.
It's really weird.
Quote from: Hdx on December 02, 2008, 09:24 PM
The reason you're getting random IDs is because my proxy isnt decrypting the warden module correctly after 0x05 as they are using a diffrent system.
Okay, now that we have that settled... Has anyone found anything new with warden other then what has already been said?
hmm, idk if this helps anyone:
IDAWarden.zip (http://d2bot.cjb.net/IDAWarden.zip)
Ive spent the best part of this morning poking around with 56F25CA5BD550B384CC4FA457B438012.mod.
It contains a few files:
56F25CA5BD550B384CC4FA457B438012.mod -> Unprepared, incase I haven't prepared it right.
56F25CA5BD550B384CC4FA457B438012.bin -> Prepared module. (Must load at offset 0x231E80)
56F25CA5BD550B384CC4FA457B438012.c -> Hexray output of Prepared module.
56F25CA5BD550B384CC4FA457B438012.idb -> IDA 5.2 db file of said module.
Maive.mod -> Unprepared default module, extracted from D2Client.dll from current patch. 0xD1838 is the Maive.mod data, 0x12B2 is the lengh, 0xD2B00 is the 16byte encryption key, to decrypt it, before you decompress it.
Note: 56F25CA5BD550B384CC4FA457B438012 is a starcraft warden module, not d2 -- I just extracted Maive from d2client.dll, since I knew its location.
So far, in 56F25CA5BD550B384CC4FA457B438012 ive identifyed the following functions:
0x233470 -> ReadBYTE
0x2339B0 -> HandlePacket
0x233D80 -> RAN_GET_BYTES
0x233E90 -> MD5_TRANSFORM_2
0x234830 -> RAN_UPDATE
0x234E90 -> INIT_RAN_DATA
0x235020 -> ReadVOID
0x235060 -> Initialize
0x2350C5 -> MD5_TRANSFORM
0x235BB8 -> RC4_CRYPT
0x235E20 -> SHA1_UPDATE
0x235FC0 -> Read0x14
0x2362FD -> RC4_KEY
0x2367C0 -> SHA1_INIT
0x2391B0 -> Read0x14_2
0x239200 -> HANDLE_0x05
0x2394B9 -> RC4_CRYPT_2
0x239580 -> SHA1_STRING
0x239620 -> SHA1_FINAL
0x2398B0 -> SHA1_TRANSFORM
0x23A2C0 -> INIT_HANDLER_TABLE
I'm pretty sure, "INIT_HANDLER_TABLE", loads the function table for the packet handlers, for example, sub_2374C0 looks like it parse's 0x02.
The "HANDLE_0x05" i'm pretty sure, is what handles 0x05, or at least, generates 0x04 and the new encryption keys. It basicly parse's 0x10 bytes (0x05 data), does some stuff with it, then does an MD5, SHA1, encrypts the result with standard RC4, makes a callback to have the packet sent, then generates the 2 new RC4 keys.
As for the "RC4_CRYPT_2" function, im really not sure why theres a 2nd version of RC4 in there -- unless im misreading it.
In some/most places, things like readWORD, and readDWORD, are wrote into the actual function where you would expect them to be called along with checking for enough bytes.
I'm not sure of most of the above functions tho, I just labled them by what I thought they were doing.
going by the ones I have labled, it's pretty easy to figger out what functions are doing, based on the calls to above functions they make.
I figger, by posting this, if ppl work on this module, we will all be talking the same language ;)
That is, if *anyone* is working on this.
I persionaly totaly suck at reading asm, but hey, I am trying.
Comon guys, blizzard has set the playground, lets play! its fun ;o
I'm pretty much finished up with this now.
A guy called easyban gave me abit of help, calling the module functions, so he saved me a fair bit of time -- big thanks to him.
I'm currently able to maintain a stable logon by just useing the warden module to handle 0x05, generate 0x04 and return the new RC4 keys.
All the 0x02 requests i'm currently handleing my self, but I havent yet finished reverseing the 0x02 handler, so ive sort of fixed it to say "no" to everything, so it's more than possible my test acc may get closed :)
For loading the module and calling it's function's, pretty much everything you need is already on iagos wiki (thx iago) in the "module" and "my notes" pages.
Basicly, the init function accepts a list of callback function address, so the warden module can talk to you about stuff, like the weather.
the Init function returns a pointer to memory. The 1st dword of that block of memory is a pointer, pointing to wardens export functions.
0x00 = generate rc4 from seed (optional -- you can request a get rc4 keys by returning 1 to this callback)
0x04 = Unload module.
0x08 = Handle Packet
Also, here's that checksum function no one got around to reverseing last time around:
Private Function WardenChecksum(ByRef strBuffer As String) As Long
Dim lngData(4) As Long
Call BSHA1(strBuffer, VarPtr(lngData(0)), 20, SHA1_WARDEN)
WardenChecksum = &H0& Xor lngData(0) _
Xor lngData(1) Xor lngData(2) _
Xor lngData(3) Xor lngData(4)
End Function
Basicly just:
(BYTE) 0x02
(WORD) Lengh of buffer
(DWORD) Check sum of buffer
(VOID) Buffer
As for parseing 0x02 and building the responces, I will post that another time maybe, it's getting late (3PM -- i haven't slept yet -.-) and I still have some work to do on it, before i'm happy it's 99.9% safe.
Here's a little output:
[15:40:00] Warden Data Recv: 37
00000000 00 52 E8 D4 7F CE 76 63 99 72 1B 93 E7 A9 D1 9E .R....vc.r......
00000010 64 01 C7 9D 51 1B 82 2E 73 B6 09 B8 2F 34 C1 03 d...Q...s.../4..
00000020 32 A1 4A 00 00 2.J..
PrepareModule()
Allocated 49152 (0xC000) bytes for new module
Copying code sections to module.
Adjusting references to global variables...
Updating API library references..
Lib: KERNEL32.dll
Function: MulDiv
Function: SystemTimeToFileTime
Function: Sleep
Function: TlsFree
Function: TlsGetValue
Function: TlsSetValue
Function: RaiseException
Function: TlsAlloc
Function: GetProcAddress
Function: GetModuleHandleA
Function: GetVersionExA
Function: GetSystemInfo
Function: GetTickCount
Function: VirtualQuery
Function: QueryDosDeviceA
Function: CloseHandle
Function: GetCurrentProcess
Function: FreeLibrary
Function: DuplicateHandle
Function: LoadLibraryA
Function: GetProcessHeap
Function: HeapFree
Function: TerminateProcess
Function: UnhandledExceptionFilter
Function: SetUnhandledExceptionFilter
Function: QueryPerformanceCounter
Function: GetCurrentThreadId
Function: GetCurrentProcessId
Function: GetSystemTimeAsFileTime
Function: RtlUnwind
Lib: USER32.dll
Function: CharUpperBuffA
Successfully mapped Warden Module to 0x3C80048
InitializeWarden()
Initialize Function is mapped at 0x3C81950
Calling Initialize function and passing my callback function table
Warden.AllocateMem() 2020, 0x3C8C050
Warden.AllocateMem() 52, 0x3C73E68
Warden.AllocateMem() 44, 0x3C73EA8
Warden.GetRC4Data() 0x3C8C070/0x208
[15:40:00] Sending
01
[15:40:01] Warden Data Recv: 17
00000000 05 73 31 6F B2 86 CB 35 99 84 BD DB 1D 4E AF 84 .s1o...5.....N..
00000010 0F .
[15:40:01] Writeing RC4 Keys!
[15:40:01] Mod_Parse()
[15:40:01] Warden.SendPacket() pkt=0x13E9F0, size=21
00000000 26 7D 21 A2 8A 4F 58 D5 9D 9B C1 E3 A3 3E B9 6A &}!..OX......>.j
00000010 C4 D4 73 1D 13 ..s..
[15:40:01] Reading New RC4 Keys!
[15:40:01] OUT KEY:
00000000 AC 66 AA 4E B0 D9 F7 43 7C 26 5F 8B AB 93 20 57 .f.N...C|&_... W
00000010 13 33 47 11 6F 48 73 79 05 84 F4 0E C1 17 24 9D .3G.oHsy......$.
00000020 B9 87 95 8F 56 65 B2 64 C3 4A 39 76 BF 5B FA C2 ....Ve.d.J9v.[..
00000030 51 6A 4F CC 21 58 7F 15 1E 06 E0 3C 0B 80 5C B8 QjO.!X.....<..\.
00000040 77 41 F2 F8 07 92 34 96 3E 01 9C 42 68 99 5D D4 wA....4.>..Bh.].
00000050 D0 61 02 04 2A FB 0D 89 08 A0 9B 28 86 CB A3 D5 .a..*......(....
00000060 A6 ED 9F 1D F1 70 F5 90 82 74 4D E4 40 5A 3A A8 .....p...tM.@Z:.
00000070 EA 62 69 75 52 0A 59 1B 7B BE DC 8A 4B DB E3 0C .biuR.Y.{...K...
00000080 9A 83 B4 F3 6D B7 1F 19 DF 8C 8D 38 7A E8 44 A7 ....m......8z.D.
00000090 CD 78 63 00 EC DE 97 3D C0 A4 3F 71 23 D3 B5 A5 .xc....=..?q#...
000000A0 E6 9E 94 E1 C8 C7 5E 1A AF 36 C5 E2 18 22 D1 29 ......^..6...".)
000000B0 12 A2 54 DA EF E7 1C F6 E5 FE 55 85 7D 10 D6 B6 ..T.......U.}...
000000C0 35 2D 31 14 45 C6 6E B1 A9 EE 81 50 7E BA CE 3B 5-1.E.n....P~..;
000000D0 72 C4 A1 E9 FC 4C 2C 16 DD 98 FD BB 46 60 91 AE r....L,.....F`..
000000E0 FF D8 27 C9 BD 30 D2 25 AD CF 88 CA 03 09 D7 2B ..'..0.%.......+
000000F0 6C 8E 37 2F 67 BC F9 2E F0 EB 6B 49 0F B3 32 53 l.7/g.....kI..2S
00000100 00 00 ..
[15:40:01] IN KEY:
00000000 B4 07 26 5B 0F 6C 05 50 8F 3B F7 AD 4F 63 FF 48 ..&[.l.P.;..Oc.H
00000010 52 EB C1 6B 7F B2 40 49 F3 A3 38 5E 10 B7 04 EE [email protected]^....
00000020 C2 4A B0 89 A5 31 93 4B 65 16 A4 22 FB 60 0C 8D .J...1.Ke..".`..
00000030 AB 11 F5 3C A0 37 81 C9 83 32 79 BA 9F 77 34 43 ...<.7...2y..w4C
00000040 62 02 E1 4C 67 39 36 12 88 E8 61 45 90 0B 66 71 b..Lg96...aE..fq
00000050 75 B1 30 B5 A6 09 FD BF 7E 8B 24 C6 C8 E4 D4 5D u.0.....~.$....]
00000060 96 06 42 1A 9C 4E AA 15 56 A9 E2 2B CC 8A 19 3F ..B..N..V..+...?
00000070 03 9A F9 98 55 70 92 B6 44 1C 41 D9 1E 4D E0 72 ....Up..D.A..M.r
00000080 54 69 F6 D3 64 D5 94 CD 99 91 EA 8C B9 D7 7C 3A Ti..d.........|:
00000090 78 E6 CE 47 2D FA 6D 7B 00 C0 D2 DA 7A A7 CF 2F x..G-.m{....z../
000000A0 AC CB 51 C7 DC 28 5A 46 B3 1F 14 C5 3D DE 2A BE ..Q..(ZF....=.*.
000000B0 95 80 D0 18 BD A2 D1 2C AE 0D 73 D6 76 9D 6E 1D .......,..s.v.n.
000000C0 01 D8 84 74 8E 29 E5 21 23 DF 5F 2E EF ED 3E 9E ...t.).!#._...>.
000000D0 86 E7 FE 59 BB 0A 57 C4 E3 33 DD B8 85 F8 F2 6F ...Y..W..3.....o
000000E0 35 A8 58 97 1B 7D 82 FC 17 87 53 EC 13 20 0E 08 5.X..}....S.. ..
000000F0 25 DB C3 5C F4 9B CA E9 F1 BC F0 AF A1 68 6A 27 %..\.........hj'
00000100 00 00 ..
[15:40:06] Warden Data Recv: 181
00000000 02 00 C1 6F C1 29 5A 10 16 C0 B3 4D 5E BA 0F 2F ...o.)Z....M^../
00000010 00 C5 96 1E 3B AD 09 FE 81 55 F3 60 D0 02 00 0C ....;....U.`....
00000020 E5 00 30 02 45 00 06 C1 FF A8 CF 43 A5 D6 25 7D ..0.E......C..%}
00000030 DE 89 0D 49 CF 42 7C D2 F9 5D 9E CA 98 55 78 67 ...I.B|..]...Uxg
00000040 C4 A8 07 00 30 C1 9B 25 91 6D 5E F7 F3 65 1E B0 ....0..%.m^..e..
00000050 08 8D 98 17 8D 0A D0 85 EF 8A 7A C0 41 5B 4C FD ..........z.A[L.
00000060 01 00 0E E5 00 4B E2 41 00 0A E5 00 3F E2 41 00 .....K.A....?.A.
00000070 09 E5 00 47 32 4A 00 08 C1 0E 24 8E A1 54 96 BB ...G2J....$..T..
00000080 C6 20 A1 3B D4 0C FF 79 0B DD 7C 6F A1 AD 05 BE . .;...y..|o....
00000090 32 08 59 00 00 19 C1 65 5A E3 A0 B0 5E C7 3C 27 2.Y....eZ...^.<'
000000A0 D0 2E E6 09 DB 7F C5 61 15 1A A3 BD B3 D2 D3 F4 .......a........
000000B0 D7 06 00 30 AC ...0.
[15:40:06] Parsed A Total Of: 9 Requests
[15:40:06] SENDING:
00000000 02 09 00 69 D8 96 F6 00 01 00 00 01 01 01 00 00 ...i............
[15:40:21] Warden Data Recv: 153
00000000 02 00 C1 09 12 A5 94 E3 6E 65 01 1D 81 26 40 A9 ........ne...&@.
00000010 DD A5 49 28 2E 08 3A 2F 4B 8F F0 60 D0 02 00 0C ..I(..:/K..`....
00000020 C1 BA 14 86 0E A5 6B AD 04 D9 C3 A5 3A 83 66 F8 ......k.....:.f.
00000030 F1 17 9E 0F A6 4E BA 7E 84 90 21 01 00 32 C1 F5 .....N.~..!..2..
00000040 1A 89 98 91 B2 4F 04 68 4B 76 2A 6A A7 CD D0 FB .....O.hKv*j....
00000050 CE 2C 00 8F 78 57 51 69 32 00 00 24 C1 71 98 45 .,..xWQi2..$.q.E
00000060 36 C5 4E F6 94 21 FB 16 B6 67 70 F2 DE C3 5C 6B 6.N..!...gp...\k
00000070 14 28 C6 FC 1C 98 20 00 00 11 C1 52 B1 AB 3C B6 .(.... ....R..<.
00000080 73 E8 C0 BD B8 DE 68 15 0A A7 6E B7 A8 41 67 E0 s.....h...n..Ag.
00000090 A2 10 E2 78 C3 00 00 1A AC ...x.....
[15:40:21] Parsed A Total Of: 5 Requests
[15:40:21] SENDING:
00000000 02 05 00 F4 BD 4B 3E 00 00 00 00 00 .....K>.....
So... you're using the warden modules to do the dirty work, just not the actual memory checks? I guess that's pretty close to what I had hoped for.
Quote from: Andy on December 06, 2008, 01:37 PM
So... you're using the warden modules to do the dirty work, just not the actual memory checks? I guess that's pretty close to what I had hoped for.
That's typically the first step in the process. :P
0x02:
do until pos => lengh
(BYTE) String Lengh
If String Lengh
(VOID) String
else
exit do
loop
do until pos => lengh
(BYTE) (ID ^ data[lengh])
if ID = MEM_CHECK
(BYTE) String Index (If 0x00, base 0, else, base of library in this string)
(DWORD) offset
(BYTE) read Lengh
If address_cant_be_read
insert(BYTE) 0x01
else
insert(BYTE) 0x00
insert(VOID) memory
elseif ID = PAGE_CHECK_A
(DWORD) Unknown/seed
(DWORD[5]) SHA1
(DWORD) Address
(BYTE) Lengh
If youre_legit
insert(BYTE) 0x00
else
insert(BYTE) result
else
blizzards wepon of mass distruction -- abort
loop
That's pretty much what starcraft is doing right now, altho it can do alot more.
The string list, altho not currently used in starcraft, doesnt always contain module names. It can also contain MPQ files to SHA1.
You wont see MPQ files in the requests unless you get packet 0x03, right after 0x05, telling you to load a library (normaly storm.dll) and giving you offsets to functions (to read mpqs)
For ID PAGE_CHECK_A, you can safely skip that request, and just insert byte 0x00 -- it's basicly just checking memory pages and compareing SHA1's -- The legit/unhacked client always sends back 0x00 for them requests.
99.9% safe, enjoy!
edit:
Note* the ID's MEM_CHECK and PAGE_CHECK_A are variable for each module.
(TYPE) is for reading
insert(TYPE) is for sending
once you have finished building you're responce buffer, the format is as followes:
(BYTE) 0x02 packet ID
(WORD) Lengh of buffer
(DWORD) Checksum of buffer
(VOID) Buffer
Okay, since the other topic got locked, I guess I'll ask here. Why does your code in your SCGP bot not use the ID at all? You're checking for MEM_CHECK with (Asc(Mid(S, P + 1, 1)) = 0) And (Asc(Mid(S, P + 6, 1)) < &H40), and PAGE_CHECK_A with (Asc(Mid$(S, P + 29, 1)) < &H80) And (Asc(Mid$(S, P + 28, 1)) = 0) And (Asc(Mid$(S, P + 27, 1)) < &H40), which seems to not work quite right for some packets, unless I'm doing something wrong.
For example:
02 00
39
D6 63 0F F6
8E 6B 4A 26 AA 55 E0 64 2D 6E 04 5D D6 65 32 F7 12 5A 99 D6
40 A1 00 00
10
39
AB 6E 00 5A
F5 F7 6C FA E5 1F D1 4A 36 EE 7C 03 43 11 94 00 CA 7E 53 DE
69 32 00 00
24
39
61 E2 48 55
94 C3 BA 59 8A AE 9E C3 2B FF 1C 12 87 22 3E AB 8F B8 B1 52
EC D7 06 00
30
39
1A A9 B6 B7
0B C7 9D 5D A4 BC C5 AA C6 C8 BE 9F F7 89 0B 0F B6 C7 95 8B
F8 D4 06 00
30
39
00 D0 81 E3
67 0D 8A DB 4F E1 EA 49 88 C5 07 3A 34 C7 59 2D 7F 15 BD 0B
B8 21 00 00
11
6A
The last request is a PAGE_CHECK_A request, yet it fills the requirements of the second byte being 00 and the seventh being under 0x40, thus attempting to run a MEM_CHECK on invalid data.
02 00
A7
91 4E CE AE
7B F0 DD 55 4D 51 77 C9 70 02 B4 D2 6D 3B CE 4B E7 28 54 3A
20 50 00 00
10
AB
00
2A F4 46 00
09
A7
6A 6B 5D B6
14 41 DC 98 3F D4 5F 68 15 18 B9 07 2C D3 BF AD 37 B7 23 FF
9C FE 01 00
25
A7
EF 63 5B 77
D6 36 B0 C9 3C 11 00 34 E9 08 96 D3 AB 3D 4A AB 87 14 2C 26
20 EE 01 00
25
A7
00 6C 1A 5B
23 10 E8 22 28 B5 F8 AF A6 2C 4A 8D EA 4C D4 1E F4 1C 75 DB
5A 22 00 00
20
A7
57 9B 66 E0
52 FF 5F D9 22 A6 06 A8 F1 02 B5 6E D7 BD 4C 9D B5 9F DD 1C
B4 7C 00 00
17
28
Likewise, the second-to-last request of this packet fits your pattern matching system, resulting in an attempt to handle a PAGE_CHECK_A request as an MEM_CHECK request.
Also, is there any way to grab MEM_CHECK and PAGE_CHECK_A from the module itself?
the offsets were changed? so scgp is somewhat outdated..
ringo was kinda enough to send a few of us a pm with the new ones though =)
The offsets have nothing to do with this problem. The data I've posted doesn't even touch MEM_CHECK. And, as it's been mentioned multiple times, both in that topic and this one, the memory check data can easily be found in Starcraft.exe, or by simply running Starcraft as usual and reading the physical memory locations just like Warden would.
Although, I would like to know how to create the SHA1 value to compare to the given SHA1 in PAGE_CHECK_A, just for the sake of knowing.
Okay really dumb question for your code, Andy. I'm getting a mismatch error in the 4th line of code (from your clsWarden module)
Public Sub StrToByteArray(ByVal sStr As String, ByRef Ary() As Byte)
Dim I As Integer
ReDim Ary(Len(sStr) - 1) As Byte
fnctCopyMemory Ary(0), sStr, Len(sStr)
End Sub
fnctCopyMemory? That's an API call, not a standard function...
In any case, the code in the earlier pages of this thread is no longer the right way to handle Warden.
Try using StrConv() instead.
Quote from: brew on February 13, 2009, 10:34 PM
Try using StrConv() instead.
ya, andy use this code.
Public Sub StrToByteArray(ByVal sStr As String, ByRef Ary() As Byte):Ary() = StrConv(sStr,vbFromUnicode):End Sub
Public Function ByteArrayToStr(ByRef Ary() As Byte) as String:ByteArrayToStr = StrConv(Ary(),vbUnicode):End Function
:)
I'll stick with APIs, thanks.
Quote from: Andy on February 13, 2009, 04:52 PM
fnctCopyMemory? That's an API call, not a standard function...
In any case, the code in the earlier pages of this thread is no longer the right way to handle Warden.
Alright. Do you think I can please see your code for how it is handled now?
Theres some simple VB6 example code for handleing the current warden found here, if its of any use:
http://forum.valhallalegends.com/index.php?topic=17703.0
Ya, most people wouldn't like my current code...