Messages - Fr3DBr

#1
Wow, very nice HDX, coding this right now :) so we can see the stability.
#2
The following is one of the analyses I'm performing on the 0x02 packet.


[WARDEN REQUEST S->C] [OPCODE : 0x02] [LENGTH : 000156 BYTES]
OFFSET  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | 0123456789ABCDEF
--------------------------------------------------------------------------
000000  0C 44 32 43 6C 69 65 6E 74 2E 64 6C 6C 09 44 32   .D2Client.dll.D2 
000010  57 69 6E 2E 64 6C 6C 0A 75 73 65 72 33 32 2E 64   Win.dll.user32.d 
000020  6C 6C 0C 50 65 65 6B 4D 65 73 73 61 67 65 41 00   ll.PeekMessageA. 
000030  BC 39 0D 10 EB 12 7A A7 CD 99 55 A0 A3 57 25 57   .9....z...U..W%W 
000040  9D 2F E9 DB A5 A4 12 3B 82 E4 E8 00 00 0D 38 01   ./.....;......8. 
000050  60 BB 07 00 04 38 02 8F D9 00 00 08 BC 0F E6 C0   `....8.......... 
000060  57 6F 6F DF 01 ED EB 70 9D 63 2D 02 02 F1 DB 05   Woo....p.c-..... 
000070  23 9A 0B 00 FA F8 D7 06 00 30 D3 D2 7B E0 63 92   #........0..{.c. 
000080  E0 C6 03 27 51 43 AF 0F C5 6D 6D B4 2A 3D 18 7F   ...'QC...mm.*=.. 
000090  6B 97 C7 03 04 02 33 0C 00 1E 29                  k.....3...) 
--------------------------------------------------------------------------

C:\Users\Fr3DBr\Desktop\D2 Bot\Debug>TestSec.exe

- Parsing String Array :

   - [01] D2Client.dll
   - [02] D2Win.dll
   - [03] user32.dll
   - [04] PeekMessageA

- Parsing Command Instructions

   - Page Check :      ADDR[ 0x0D0000E8 ]
   - Hex : BC390D10EB127AA7CD9955A0A35725579D2FE9DBA5A4123B82E4E800000D
   - Memory Check :    FILE[ D2Client.dll ] ADDR[ 0x0007BB60 ]
   - Hex : 380160BB070004
   - Memory Check :    FILE[ D2Win.dll ] ADDR[ 0x0000D98F ]
   - Hex : 38028FD9000008
   - Page Check :      ADDR[ 0x300006D7 ]
   - Hex : BC0FE6C0576F6FDF01EDEB709D632D0202F1DB05239A0B00FAF8D7060030
   - Unknown Check
   - Hex : D3D2
   - Windows API Check : FILE[ user32.dll ] SYMBOL[ PeekMessageA ]
   - Hex : 7BE06392E0C603275143AF0FC56D6DB42A3D187F6B97C7030402330C001E

C:\Users\Fr3DBr\Desktop\D2 Bot\Debug>


The question is, does anyone know what the bytes D3 D2 are?
I didn't find any 'matching' condition and I don't know what to answer in that case.
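As an added example (not the poster's TestSec.exe, whose source is not on the page), here is a Python walk over the request bytes from the dump above. The opcode-to-check table and the body lengths are taken from the labels and byte counts in the posted output; the field split used for the page check is an assumption to verify, not something the page confirms. The parser stops at the first opcode it does not know and reports the offset, which lands exactly on the D3 D2 pair at 0x7A, so unknown bytes are surfaced instead of being swallowed into the next check:

```python
import struct
from dataclasses import dataclass, field

# Constructed from the hex dump above: the 0x02 check request with the leading
# opcode byte already stripped (155 bytes, as the dump shows).
WARDEN_0x02 = bytes.fromhex(
    "0C4432436C69656E742E646C6C094432"
    "57696E2E646C6C0A7573657233322E64"
    "6C6C0C5065656B4D6573736167654100"
    "BC390D10EB127AA7CD9955A0A3572557"
    "9D2FE9DBA5A4123B82E4E800000D3801"
    "60BB07000438028FD9000008BC0FE6C0"
    "576F6FDF01EDEB709D632D0202F1DB05"
    "239A0B00FAF8D7060030D3D27BE06392"
    "E0C603275143AF0FC56D6DB42A3D187F"
    "6B97C7030402330C001E29"
)

# Opcode byte -> (name, body length). Warden picks these opcode values per module;
# the ones here are what the post's own output labels (0x38 memory, 0xBC page,
# 0x7B Windows API check) and the body lengths follow the byte counts it dumps.
# Any other opcode is reported as unknown instead of being guessed at.
CHECK_TYPES = {
    0x38: ("MEM_CHECK", 6),
    0xBC: ("PAGE_CHECK", 29),
    0x7B: ("API_CHECK", 29),
}


@dataclass
class Check:
    offset: int
    name: str
    body: bytes
    fields: dict = field(default_factory=dict)


def parse_strings(buf: bytes, pos: int = 0):
    """Length-prefixed strings, ended by a zero length byte. Returns (names, next_pos)."""
    names = []
    while True:
        n = buf[pos]
        pos += 1
        if n == 0:
            return names, pos
        names.append(buf[pos:pos + n].decode("ascii"))
        pos += n


def decode_fields(name: str, body: bytes, names) -> dict:
    if name == "MEM_CHECK":
        # 1-based index into the string list (0 is assumed to mean the game exe),
        # little-endian DWORD address, number of bytes to read
        idx, addr, length = struct.unpack("<BIB", body)
        return {"file": names[idx - 1] if idx else "<exe>", "addr": addr, "len": length}
    if name == "PAGE_CHECK":
        # Assumed split: seed(4) sha1(20) address(4) length(1). The post's tool
        # reports the address differently, so treat this as a hypothesis to verify.
        seed, sha1, addr, length = struct.unpack("<I20sIB", body)
        return {"seed": seed, "sha1": sha1.hex(), "addr": addr, "len": length}
    return {}


def parse_check_request(buf: bytes):
    """Strings, then checks; stop at the first unknown opcode and say where."""
    names, pos = parse_strings(buf)
    checks = []
    while pos < len(buf):
        op = buf[pos]
        if op not in CHECK_TYPES:
            break                                  # leave the rest for manual inspection
        name, size = CHECK_TYPES[op]
        body = buf[pos + 1:pos + 1 + size]
        if len(body) != size:
            raise ValueError(f"truncated {name} at offset 0x{pos:02X}")
        checks.append(Check(pos, name, body, decode_fields(name, body, names)))
        pos += 1 + size
    return names, checks, pos, buf[pos:]


if __name__ == "__main__":
    names, checks, stop, rest = parse_check_request(WARDEN_0x02)
    print("strings:", names)
    for c in checks:
        print(f"0x{c.offset:02X} {c.name:<10} {c.fields}")
    print(f"stopped at 0x{stop:02X}, unparsed: {rest.hex().upper()}")
```

Run as a script it lists the four strings, the two memory checks (D2Client.dll+0x7BB60, 4 bytes; D2Win.dll+0xD98F, 8 bytes) and then halts at 0x7A with `D3D27BE0...1E29` still unparsed, which is the span to study next.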
#3
Seems I got it to work lol, thanks HDX.


[Log 25/01/2010 20:46:07]-> ---------------------------------------------------------------------------
[Log 25/01/2010 20:46:07]-> WARDEN MODULE CHECK
[Log 25/01/2010 20:46:07]-> MODULE NAME (MD5) : 76FF4DAFB4D153BD32B47C25A32D4CAB
[Log 25/01/2010 20:46:07]-> MODULE KEY  (RC4) : 777FC6A24FFF7089CBE0631BE8BF9A0D
[Log 25/01/2010 20:46:07]-> MODULE SIZE       : 17623 Bytes
[Log 25/01/2010 20:46:07]-> ---------------------------------------------------------------------------
[Log 25/01/2010 20:46:07]-> PREPARING MODULE...
[Log 25/01/2010 20:46:07]-> MODULE STATUS : READY
[Log 25/01/2010 20:46:07]-> INITIALIZING MODULE...
[Log 25/01/2010 20:46:08]-> MODULE RUNNING...
[Log 25/01/2010 20:46:08]-> STORING NEW RC4 (WARDEN MODULE) KEYS...
[Log 25/01/2010 20:46:09]-> STORING NEW RC4 (WARDEN MODULE) KEYS...
[Log 25/01/2010 20:46:09]-> UNLOADING WARDEN...
[Log 25/01/2010 20:46:09]-> ---------------------------------------------------------------------------
[D2GS S->C] [OPCODE : 0x03] [LENGTH : 000036 BYTES]
OFFSET  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | 0123456789ABCDEF
--------------------------------------------------------------------------
000000  1D 00 B6 2A 39 E6 01 00 01 09 53 74 6F 72 6D 2E   ...*9.....Storm. 
000010  64 6C 6C 00 22 01 00 B0 02 01 00 40 3C 01 00 D0   dll."......@<... 
000020  17 01 00                                          ... 
--------------------------------------------------------------------------
[D2GS S->C] [OPCODE : 0x02] [LENGTH : 000154 BYTES]
OFFSET  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | 0123456789ABCDEF
--------------------------------------------------------------------------
000000  1C 64 61 74 61 5C 67 6C 6F 62 61 6C 5C 65 78 63   .data\global\exc 
000010  65 6C 5C 73 6B 69 6C 6C 73 2E 74 78 74 00 FE 01   el\skills.txt... 
000020  27 41 40 E7 BC 5A B0 96 F8 11 9D 54 47 A1 61 39   '[email protected] 
000030  D2 72 98 D5 E2 A6 36 BB DE 7C 37 01 00 0C 27 A8   .r....6..|7...'. 
000040  62 BE 65 64 26 36 D7 8E 56 BC 54 0F CB 59 0D 07   b.ed&6..V.T..Y.. 
000050  31 98 09 72 AB 51 7F FC FC 01 00 1F 27 66 E2 42   1..r.Q......'f.B 
000060  46 C2 0F 51 E3 02 25 21 57 0E A3 98 0F CB 9C 6E   F..Q..%!W......n 
000070  2A 45 D8 78 BC D2 86 00 00 0F 27 73 A5 7A 8B 2B   *E.x......'s.z.+ 
000080  83 ED 68 4E 45 2F 5A 93 BC 07 80 77 E0 4B 72 A1   ..hNE/Z....w.Kr. 
000090  92 CF A7 69 32 00 00 24 16                        ...i2..$. 
--------------------------------------------------------------------------
[Log 25/01/2010 20:46:52]-> [D2GS] - Connection Interrupted. (0xB0)
#4
Follow me on Twitter lol :P

http://twitter.com/Fr3DBr
#5
I'm using the following code logic, just in case:


// Allocating new key buffers (0x102 bytes each)
Byte[] bInKey  = new Byte[0x102];
Byte[] bOutKey = new Byte[0x102];

// Extracting the 0x05 RC4 key seed (removing the 0x05 opcode from the array)
Byte[] pKeySeed = new Byte[bWardenPkt.Length - 1];
Array.Copy(bWardenPkt, 1, pKeySeed, 0, bWardenPkt.Length - 1);

// Generating RC4 keys
CD2Security.GenRC4Keys(pKeySeed, pKeySeed.Length);      // Telling Warden to generate the new RC4 key pair

// Reading keys from the Warden module
CD2Security.GetRC4Keys(bInKey, bOutKey);                // Getting the new Warden module RC4 key pair

// Sending the packet to the Warden packet handler
Byte[] bOPCrypt   = new Byte[1024];                     // Warden output packet
CD2Security.CryptWithKey(bWardenPkt, bInKey);           // Crypting 0x05 w/ new 'in-key'
CD2Security.WardenPacketHandler(bWardenPkt, bWardenPkt.Length, bOPCrypt);
Int32 nOutSize    = BitConverter.ToInt32(bOPCrypt, 0);  // First DWORD of the output buffer is the reply size
Byte[] bOutPacket = new Byte[nOutSize];
Array.Copy(bOPCrypt, 4, bOutPacket, 0, nOutSize);       // Extracting the 0x04 reply that follows the size
CD2Security.CryptWithKey(bOutPacket, bOutKey);          // Crypting 0x04 w/ new 'out-key'

// Sending 0x05->(0x04) reply
pkt.Opcode = 0x66;                                      // Warden response
pkt.Write(bOutPacket, bOutPacket.Length);
Send(pkt, 1);                                           // Sending Warden reply

// Setting new keys
CD2Security.SetRC4Key(0, bInKey);                       // Switching current 'in-key' to the new 'in-key'
CD2Security.SetRC4Key(1, bOutKey);                      // Switching current 'out-key' to the new 'out-key'

// Unloading Warden
GlobalVars.d.WriteLog("UNLOADING WARDEN...");
CD2Security.Unload();                                   // Unloading Warden module

// Finishing log
GlobalVars.d.WriteLog("---------------------------------------------------------------------------");
#6
Hey,

I'm trying to figure out what the seed for the new RC4 keys could be...

1) Tried using the gamehash (this is the seed for the first key pair)
2) Tried using the 0x05 packet data

Both didn't work to decode/encode the new packets, any hints? :)

Thanks.
#7
OK, this was an issue with the global variables that didn't get properly replaced in the module, so as we can see we had a 'kaboom' there :P
#8
Hello, I'm trying to initialize my module using the example on Skull's website.

Although I noticed that it's usually crashing inside the module when we call init at:


CPU Disasm
Address   Hex dump          Command                                  Comments
005053DD    56              PUSH ESI <--- ESI Had the address to the Function Callback Struct PTR
005053DE    BE 0CA00000     MOV ESI,0A00C
005053E3    EB 08           JMP SHORT 005053ED
005053E5    6A 00           PUSH 0
005053E7    FF15 04900000   CALL DWORD PTR DS:[9004]
005053ED    33C0            XOR EAX,EAX
005053EF    40              INC EAX
005053F0    8BD6            MOV EDX,ESI
005053F2    33C9            XOR ECX,ECX
005053F4    F0:0FB10A       LOCK CMPXCHG DWORD PTR DS:[EDX],ECX <------ crash here
005053F8    85C0            TEST EAX,EAX
005053FA  ^ 74 E9           JE SHORT 005053E5
005053FC    5E              POP ESI
005053FD    C3              RETN

EDX points to the following: 0000A00C, and ECX is 00000000.

So I'm wondering, what exactly is the module trying to do here? It seems to replace the reference to the function callback array and change it to A00C, but wtf lol? :D
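What the instructions above do, read as plain x86: EAX is set to 1 and ECX to 0, then LOCK CMPXCHG compares [EDX] with EAX. If the word holds 1 it is replaced by 0 and EAX stays 1, so TEST/JE fall through to RETN; otherwise EAX receives the word's current value (0), JE jumps back to PUSH 0 / CALL [9004] and the exchange is retried. That is a spin lock whose lock word lives at module offset 0xA00C and whose retry path calls the import slot at 0x9004 with argument 0, consistent with the Sleep import listed later in this thread. Both operands are still module-relative in the dump (MOV ESI,0A00C), so with EDX = 0xA00C the exchange touches an unmapped address and faults; once the loader adds the load base to them (the "adjusting references to global variables" step) the word is a real, initialised global. The Python below is an added model of that, not the module's or the poster's code; the load base 0x00500000 and the two-entry relocation list are assumptions:

```python
import struct

# Constructed image: the instruction bytes from the disassembly above, laid out from
# the PUSH ESI at offset 0. Two operands still carry module-relative values:
# 0x0000A00C (MOV ESI) and 0x00009004 (CALL DWORD PTR [..]).
CODE = bytes.fromhex(
    "56"             # PUSH ESI
    "BE0CA00000"     # MOV ESI, 0xA00C          lock word (global), unrelocated
    "EB08"           # JMP SHORT +8
    "6A00"           # PUSH 0
    "FF1504900000"   # CALL DWORD PTR [0x9004]  import slot, unrelocated
    "33C0"           # XOR EAX,EAX
    "40"             # INC EAX                  EAX = 1, the value meaning 'free'
    "8BD6"           # MOV EDX,ESI
    "33C9"           # XOR ECX,ECX              ECX = 0, the value meaning 'held'
    "F00FB10A"       # LOCK CMPXCHG [EDX],ECX
    "85C0"           # TEST EAX,EAX
    "74E9"           # JE SHORT back to PUSH 0
    "5E"             # POP ESI
    "C3"             # RETN
)
MOV_OPERAND, CALL_OPERAND = 2, 12        # offsets of the imm32 / disp32 inside CODE
RELOCS = [MOV_OPERAND, CALL_OPERAND]     # assumed relocation list for this snippet


def relocate(image: bytes, base: int, relocs) -> bytes:
    """'Adjusting references to global variables': add the load base to each operand."""
    buf = bytearray(image)
    for off in relocs:
        (val,) = struct.unpack_from("<I", buf, off)
        struct.pack_into("<I", buf, off, (val + base) & 0xFFFFFFFF)
    return bytes(buf)


def operands(image: bytes):
    """Read back (lock word address, import slot address) from the image."""
    return (struct.unpack_from("<I", image, MOV_OPERAND)[0],
            struct.unpack_from("<I", image, CALL_OPERAND)[0])


class Memory:
    """Flat memory with one mapped range; anything outside it faults, as the
    unrelocated 0xA00C does in a real process."""
    def __init__(self, base: int, size: int):
        self.base, self.cells = base, bytearray(size)

    def _idx(self, addr: int) -> int:
        if not self.base <= addr <= self.base + len(self.cells) - 4:
            raise MemoryError(f"access violation reading 0x{addr:08X}")
        return addr - self.base

    def read32(self, addr: int) -> int:
        return struct.unpack_from("<I", self.cells, self._idx(addr))[0]

    def write32(self, addr: int, val: int) -> None:
        struct.pack_into("<I", self.cells, self._idx(addr), val)


def lock_cmpxchg(mem: Memory, addr: int, eax: int, src: int):
    """x86 CMPXCHG: if [addr] == EAX then [addr] = src (ZF=1), else EAX = [addr] (ZF=0)."""
    cur = mem.read32(addr)
    if cur == eax:
        mem.write32(addr, src)
        return eax, True
    return cur, False


def acquire_spinlock(mem: Memory, lock_addr: int, max_spins: int = 1000) -> int:
    """The loop above: expect 1 (free), store 0 (held). A failed exchange leaves the
    observed 0 in EAX; TEST/JE go back to PUSH 0 / CALL [9004] and try again."""
    spins = 0
    while True:
        eax, _zf = lock_cmpxchg(mem, lock_addr, 1, 0)
        if eax != 0:                  # TEST EAX,EAX non-zero: we swapped 1 -> 0, lock is ours
            return spins
        spins += 1                    # Sleep(0) would go here
        if spins >= max_spins:
            raise TimeoutError("lock word never became 1; is the global initialised?")


def demo(base: int = 0x00500000) -> dict:
    """Assumed load base (the 0x005053xx addresses hint at it; the real one is not on the page)."""
    mem = Memory(base, 0x10000)
    raw_lock, _raw_iat = operands(CODE)
    try:
        acquire_spinlock(mem, raw_lock)           # unrelocated: 0xA00C is not mapped
        unrelocated_ok = True
    except MemoryError:
        unrelocated_ok = False
    fixed = relocate(CODE, base, RELOCS)
    lock_addr, iat_slot = operands(fixed)
    mem.write32(lock_addr, 1)                     # the module's initial lock value: free
    spins = acquire_spinlock(mem, lock_addr)
    return {"unrelocated_ok": unrelocated_ok, "lock_addr": lock_addr,
            "iat_slot": iat_slot, "spins": spins, "lock_after": mem.read32(lock_addr)}


if __name__ == "__main__":
    print(demo())
```

One caveat the model makes visible: if the global is mapped but still zero (copied but never initialised to 1), the same loop does not crash; it sits in the Sleep(0) retry forever, which is the other symptom to check for when the init call simply hangs.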
#9
Yeah, managed to finally prepare the module ;)


Copying code sections to module.
Adjusting references to global variables...
Updating API library references...
Lib: KERNEL32.dll
        Function: GetStdHandle
        Function: Sleep
        Function: GetModuleHandleA
        Function: TlsAlloc
        Function: TlsFree
        Function: TlsGetValue
        Function: TlsSetValue
        Function: RaiseException
        Function: GetProcAddress
        Function: GetSystemInfo
        Function: GetVersionExA
        Function: VirtualQuery
        Function: QueryDosDeviceA
        Function: GetTickCount
        Function: DuplicateHandle
        Function: CloseHandle
        Function: FreeLibrary
        Function: GetCurrentProcess
        Function: LoadLibraryA
        Function: GetProcessHeap
        Function: HeapFree
        Function: TerminateProcess
        Function: UnhandledExceptionFilter
        Function: SetUnhandledExceptionFilter
        Function: QueryPerformanceCounter
        Function: GetCurrentThreadId
        Function: GetCurrentProcessId
        Function: GetSystemTimeAsFileTime
        Function: RtlUnwind
Lib: USER32.dll
        Function: CharUpperBuffA
        Function: GetDC


Now it's time to initialize it lol...
#10
Hello,

I'm trying to write my module prepare routine, but it seems it's been failing to work.

So I wanted to share 2 module files I collected, in order to know if they are good to go or not.

Look at the links:

1) http://rapidshare.com/files/340061399/09731C71CF17FCEF90AF15A866DEAA16.BIN.html
2) http://rapidshare.com/files/340061551/BDE96BDBB1DD9BFFCBDD47A94C60AAB4.BIN.html

Thanks.
#11
Ah, I found I must use ZLIB to decompress it; now I have it decompressed, but I still haven't managed to fix the file...
#12
Hello,

I'm working on my Warden module and I'm up to the point where I downloaded the module from the 0x01 stream packets
and then dumped it to a file, MD5HASH.MOD.

Like this:


[Log 21/01/2010 21:58:04]-> ---------------------------------------------------------------------------
[Log 21/01/2010 21:58:04]-> WARDEN MODULE CHECK
[Log 21/01/2010 21:58:04]-> MODULE NAME (MD5) : 1078705980E0FFDB3B677F673D46E329
[Log 21/01/2010 21:58:04]-> MODULE KEY  (RC4) : 01A801187E809E6F6834B445E1B4ED64
[Log 21/01/2010 21:58:04]-> MODULE SIZE       : 18818 Bytes
[Log 21/01/2010 21:58:04]-> ---------------------------------------------------------------------------
[Log 21/01/2010 21:58:04]-> DOWNLOADING MODULE...
[Log 21/01/2010 21:58:05]-> DOWNLOAD COMPLETE...
[Log 21/01/2010 21:58:05]-> MODULE MD5 : OK
[Log 21/01/2010 21:58:05]-> DECRYPTING MODULE...
[Log 21/01/2010 21:58:05]-> DECRYPTION : OK
[Log 21/01/2010 21:58:05]-> SAVING MODULE : 1078705980E0FFDB3B677F673D46E329.MOD TO DISK...
[Log 21/01/2010 21:58:05]-> MODULE SAVING : OK
[Log 21/01/2010 21:58:05]-> ---------------------------------------------------------------------------


The question is, after we decrypt that MOD file with the RC4 key we got in the 0x00 packet, what should we do next? I got a little confused by the documentation :(
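An added Python example, not the poster's CD2Security wrapper or anything from the Warden module itself, covering the two pieces of key handling this thread touches: the download shown in this post (name, RC4 key and size from the 0x00 packet, 0x01 chunks, then MD5 check, RC4 decrypt and the ZLIB step noted in the post before it) and the per-direction RC4 states swapped on the 0x05/0x04 exchange in the posted C# logic further up. Assumptions: the 0x102-byte key buffers are read as an RC4 S-box plus the i and j indices; the MD5 is taken over the bytes as downloaded (consistent with "MODULE MD5 : OK" being logged before "DECRYPTING MODULE"); the decrypted module is treated as a bare zlib stream; and derive_pair is a placeholder seed-to-keys function, not Warden's. The sample module and seeds are constructed inline.

```python
import hashlib
import zlib


class RC4State:
    """RC4 with its whole state in one 0x102-byte buffer: S[0..255], then i, then j.
    That size matches the post's in/out key buffers (reading them as S-box plus the
    two indices is an interpretation, not something the post states). The indices
    are written back after every call, so each packet continues the previous keystream."""
    SIZE = 0x102

    def __init__(self, key: bytes):
        S = list(range(256))
        j = 0
        for i in range(256):                              # key scheduling
            j = (j + S[i] + key[i % len(key)]) & 0xFF
            S[i], S[j] = S[j], S[i]
        self.buf = bytearray(S) + bytearray(2)            # i = j = 0

    @classmethod
    def from_buffer(cls, buf: bytes) -> "RC4State":
        """Resume a saved state (what SetRC4Key/GetRC4Keys in the post move around)."""
        obj = cls.__new__(cls)
        obj.buf = bytearray(buf)
        if len(obj.buf) != cls.SIZE:
            raise ValueError("RC4 state must be 0x102 bytes")
        return obj

    def crypt(self, data: bytes) -> bytes:
        S = self.buf
        i, j = S[256], S[257]
        out = bytearray()
        for b in data:
            i = (i + 1) & 0xFF
            j = (j + S[i]) & 0xFF
            S[i], S[j] = S[j], S[i]
            out.append(b ^ S[(S[i] + S[j]) & 0xFF])
        S[256], S[257] = i, j                             # keystream position survives
        return bytes(out)


# --- Module download: 0x00 header (MD5 name, RC4 key, size), 0x01 chunks, unpack ---

def build_sample_module(plain: bytes, key: bytes, chunk: int = 7):
    """Constructed stand-in for a downloaded module: zlib-compress, RC4-encrypt,
    name it after the MD5 of the encrypted bytes, cut it into 0x01-style chunks."""
    blob = RC4State(key).crypt(zlib.compress(plain))
    header = {"md5": hashlib.md5(blob).hexdigest().upper(), "key": key, "size": len(blob)}
    return header, [blob[i:i + chunk] for i in range(0, len(blob), chunk)]


def unpack_module(header: dict, chunks) -> bytes:
    """Reassemble, verify size and MD5 against the announced name, decrypt, inflate."""
    blob = b"".join(chunks)
    if len(blob) != header["size"]:
        raise ValueError(f"size mismatch: got {len(blob)}, announced {header['size']}")
    if hashlib.md5(blob).hexdigest().upper() != header["md5"]:
        raise ValueError("MD5 mismatch: corrupt or incomplete download")
    return zlib.decompress(RC4State(header["key"]).crypt(blob))


# --- Session keys: one RC4 state per direction, switched on the 0x05 / 0x04 exchange ---

def derive_pair(seed: bytes):
    """Placeholder derivation (constructed, NOT Warden's): two 16-byte keys from SHA-1."""
    h = hashlib.sha1(seed).digest()
    return h[:16], hashlib.sha1(h + b"out").digest()[:16]


def rekey_exchange(server_switches: bool) -> dict:
    """Client rx/tx and server rx/tx are the same two states with the roles swapped.
    The client installs the new pair before sending its reply, as the posted C# does
    (reply crypted with the new out-key, then SetRC4Key). server_switches=False leaves
    the server on the old states: the desync the thread chases."""
    c2s, s2c = derive_pair(b"initial-seed")                          # constructed first pair
    cli_rx, cli_tx = RC4State(s2c), RC4State(c2s)
    srv_rx, srv_tx = RC4State(c2s), RC4State(s2c)
    assert cli_rx.crypt(srv_tx.crypt(b"\x02hello")) == b"\x02hello"   # advance both streams
    request = cli_rx.crypt(srv_tx.crypt(b"\x05new-seed"))              # 0x05 under the old keys
    new_c2s, new_s2c = derive_pair(request[1:])
    cli_rx, cli_tx = RC4State(new_s2c), RC4State(new_c2s)
    if server_switches:
        srv_rx, srv_tx = RC4State(new_c2s), RC4State(new_s2c)
    reply = srv_rx.crypt(cli_tx.crypt(b"\x04rekey-ok"))
    after = cli_rx.crypt(srv_tx.crypt(b"\x02after"))
    return {"reply": reply, "after": after}
```

rekey_exchange(True) round-trips both the 0x04 reply and the next 0x02; with False the server's copies decrypt to garbage, the same symptom as "didn't work to decode/encode the new packets". Where the switch happens relative to the reply follows the posted code; if a module expects the reply under the old stream instead, move the switch after it on both ends, never on one.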
#13
General Programming / Re: TGA Icon Extrapolation
September 26, 2006, 05:29 PM
(DWORD)     Size of BNI header
(WORD)      BNI Version
(WORD)      Alignment Padding (Unused)
(DWORD)     Number of Icons
(DWORD)     Data Offset

For each icon:
   (DWORD)     Flags
   (DWORD)     X Size
   (DWORD)     Y Size
   (DWORD[32]) Products for this icon*

Image in Targa format

Let's discuss it...

First you parse 16 bytes that are the (BNI HEADER), no problem...

Then, since you have 20 icons, you will have to parse 12 bytes + (8 bytes if the Flags are 0, or 4 bytes if != 0). Sure...

Then after all that... you have the TGA image, which you (SHOULD) separate from all the data you parsed before...
No problem with that; I already have the good working Targa file in which I can see the 20 icons in a vertical line... (now) how can I have EACH of these icons in one independent file? That's what I'm talking about.... because when looping the first data, which tells you which string belongs to which ICON, you don't get anything related to the Targa format... got me now?

Thanks.
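An added example (not the poster's code) that does the split asked about here, in Python: parse the BNI header and icon records above, decode the single Targa strip, and cut it into one TGA per icon by walking the strip from the top and taking "Y Size" rows for each icon in header order. Two assumptions, since the footnote the asterisk points to is not on the page: the product list is present only when Flags is 0 and ends at a zero DWORD, and the icons are stacked in header order from the top (check against a known icons file). The decoder handles both uncompressed (type 2) and RLE (type 10) true-colour TGAs and honours the origin bit, because a bottom-left image stores its rows bottom-up and slicing it without flipping would hand out the wrong icons. The sample file is constructed inline.

```python
import struct

TGA_HDR = "<BBBHHBHHHHBB"   # 18-byte Targa header


def build_sample_bni() -> bytes:
    """Constructed BNI (not a real icons.bni): two icons in one 4x5 strip, icon 0 a 4x3
    red block, icon 1 a 4x2 blue block. The strip is a type-10 (RLE) 24-bit TGA with
    bottom-left origin, so the row-order flip below is exercised."""
    icons = b""
    for flags, w, h, products in ((0, 4, 3, [b"STAR"]), (0, 4, 2, [b"D2DV", b"D2XP"])):
        icons += struct.pack("<III", flags, w, h)
        if flags == 0:
            icons += b"".join(products) + b"\0\0\0\0"
    header = struct.pack("<IHHII", 16, 1, 0, 2, 16 + len(icons))
    tga = struct.pack(TGA_HDR, 0, 0, 10, 0, 0, 0, 0, 0, 4, 5, 24, 0)
    red, blue = b"\x00\x00\xff", b"\xff\x00\x00"            # TGA stores BGR
    for colour in (blue, blue, red, red, red):               # bottom-up: blue rows first
        tga += b"\x83" + colour                              # one RLE packet = 4 identical pixels
    return header + icons + tga


def parse_bni(data: bytes):
    """Header and per-icon records; returns (icons, tga_bytes)."""
    hdr_size, _version, _pad, count, data_off = struct.unpack_from("<IHHII", data, 0)
    pos, icons = hdr_size, []
    for _ in range(count):
        flags, w, h = struct.unpack_from("<III", data, pos)
        pos += 12
        products = []
        if flags == 0:            # assumed: product list only when Flags == 0, ended by a zero DWORD
            while True:
                tag = data[pos:pos + 4]
                pos += 4
                if tag == b"\0\0\0\0":
                    break
                products.append(tag)
        icons.append((flags, w, h, products))
    return icons, data[data_off:]


def decode_tga(tga: bytes):
    """Uncompressed (2) or RLE (10) true-colour TGA -> (w, h, rows top-down, bytes per pixel)."""
    idlen, cmap, itype, _f, _l, _e, _xo, _yo, w, h, bpp, desc = struct.unpack_from(TGA_HDR, tga, 0)
    if cmap or itype not in (2, 10) or bpp not in (24, 32):
        raise ValueError("unsupported TGA variant")
    bpp //= 8
    pos, need, pixels = 18 + idlen, w * h, []
    if itype == 2:
        pixels = [tga[pos + i * bpp:pos + (i + 1) * bpp] for i in range(need)]
    else:
        while len(pixels) < need:
            hdr = tga[pos]
            pos += 1
            n = (hdr & 0x7F) + 1
            if hdr & 0x80:                                   # run packet: one pixel, n times
                pixels += [tga[pos:pos + bpp]] * n
                pos += bpp
            else:                                            # raw packet: n literal pixels
                pixels += [tga[pos + i * bpp:pos + (i + 1) * bpp] for i in range(n)]
                pos += n * bpp
    rows = [pixels[r * w:(r + 1) * w] for r in range(h)]
    if not desc & 0x20:                                      # bit 5 clear: stored bottom-up
        rows.reverse()
    return w, h, rows, bpp


def write_tga(w: int, h: int, rows, bpp: int) -> bytes:
    """Type-2 TGA with top-left origin, so rows are written in the order given."""
    desc = 0x20 | (8 if bpp == 4 else 0)
    head = struct.pack(TGA_HDR, 0, 0, 2, 0, 0, 0, 0, 0, w, h, bpp * 8, desc)
    return head + b"".join(b"".join(r) for r in rows)


def split_icons(bni: bytes):
    """One TGA per icon: icon i takes the next 'Y Size' rows of the strip from the top,
    in header order (assumed), and the first 'X Size' columns of those rows."""
    icons, tga = parse_bni(bni)
    w, h, rows, bpp = decode_tga(tga)
    total = sum(y for _, _, y, _ in icons)
    if total != h:
        raise ValueError(f"icon heights sum to {total}, strip is {h} rows")
    out, top = [], 0
    for flags, x, y, products in icons:
        if x > w:
            raise ValueError("icon wider than the strip")
        out.append((flags, x, y, products, write_tga(x, y, [r[:x] for r in rows[top:top + y]], bpp)))
        top += y
    return out
```

Each tuple in the result carries the icon's Flags, X Size, Y Size, product tags and a stand-alone TGA file body; write the last element to `icon_<n>.tga` to get the one-file-per-icon output the poster is after. The height check is the first thing to run on a real file: if the Y sizes do not add up to the strip height, the record parsing (in particular the product-list rule) is wrong and the slices will be misaligned.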
#14
General Programming / Re: TGA Icon Extrapolation
September 26, 2006, 04:51 PM
Man, actually I know the document; I just don't know how to separate the TGA data I got in my TGA file... I have all the icons merged together in one vertical line.... I want to have one file for each icon....
#15
General Programming / Re: TGA Icon Extrapolation
September 26, 2006, 04:39 PM
Let's not forget the scope of this thread... the question still remains: what should be done to properly extrapolate the images?