• Welcome to Valhalla Legends Archive.
 
Messages - UnknowN-TerroR

#1
SOLVED!

wrong:
FuncList dwTable;
memset(&dwTable, 0, sizeof(FuncList));
dwTable.fpSendPacket = cSendPacket;
dwTable.fpCheckModule = cCheckModule;
dwTable.fpLoadModule = cLoadModule;
dwTable.fpAllocateMemory = cAllocateMemory;
dwTable.fpReleaseMemory = cReleaseMemory;
dwTable.fpSetRC4Data = cSetRC4Data;
dwTable.fpGetRC4Data = cGetRC4Data;

/* passes the address of the table itself */
fpInitializeModule((DWORD*)&dwTable);


RIGHT:
FuncList dwTable;
memset(&dwTable, 0, sizeof(FuncList));
dwTable.fpSendPacket = cSendPacket;
dwTable.fpCheckModule = cCheckModule;
dwTable.fpLoadModule = cLoadModule;
dwTable.fpAllocateMemory = cAllocateMemory;
dwTable.fpReleaseMemory = cReleaseMemory;
dwTable.fpSetRC4Data = cSetRC4Data;
dwTable.fpGetRC4Data = cGetRC4Data;
/* the module wants a pointer to the table POINTER, so store &dwTable in a variable and pass its address */
uint32 tableptr = (uint32)&dwTable;

fpInitializeModule((DWORD*)&tableptr);


well...3 days wasted. Thanks to all for your support.
I'm going to update this page
http://www.skullsecurity.org/wiki/index.php/Warden_Modules
so no one else will have this problem.

Simple C warden module handler:
http://filebeam.com/f1489d8beca6c075933e558e150bf0fa

Edit: it works very well under Windows, but it still crashes in Wine...
Edit2: problems under Wine SOLVED! If you want to execute some code you must use VirtualAlloc() with a specific flag.
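To make the difference between the two calls concrete, here is an added C example (not from the post or from the module): the callee is a constructed stand-in for the module's init function that, as the working snippet implies, expects a pointer to the table pointer, and the callback signatures are assumed. It shows that passing &dwTable makes the callee read fpSendPacket as the table address, while passing &tableptr lets it find the table.

```c
#include <stdint.h>
#include <string.h>

/* Function table handed to the module, modelled on the FuncList in the post.
 * Member names come from the post; the callback signatures are assumed. */
typedef void (*fnGeneric)(void);
typedef struct FuncList {
    fnGeneric fpSendPacket;
    fnGeneric fpCheckModule;
    fnGeneric fpLoadModule;
    fnGeneric fpAllocateMemory;
    fnGeneric fpReleaseMemory;
    fnGeneric fpSetRC4Data;
    fnGeneric fpGetRC4Data;
} FuncList;

/* Constructed stand-in callbacks; they only need distinct addresses. */
static void cSendPacket(void) {}
static void cCheckModule(void) {}

/* Stand-in for the module's InitializeModule (assumption, modelled on the
 * working call above): the argument points at a POINTER to the table, so the
 * callee reads one pointer-sized word from *arg to locate the table. */
static uintptr_t module_resolve_table(const void *arg) {
    uintptr_t v;
    memcpy(&v, arg, sizeof v);        /* same as *(FuncList **)arg, without aliasing issues */
    return v;
}

static void fill_table(FuncList *t) {
    memset(t, 0, sizeof *t);          /* zero first, as the thread recommends */
    t->fpSendPacket  = cSendPacket;
    t->fpCheckModule = cCheckModule;
}

/* The "wrong" call passes &dwTable. The callee's single read then yields the
 * first member, fpSendPacket, so callback code is treated as the table.
 * Returns 1 when the callee ends up at cSendPacket instead of the table. */
int wrong_call_resolves_to_callback(void) {
    FuncList dwTable;
    fill_table(&dwTable);
    uintptr_t seen = module_resolve_table(&dwTable);
    return seen != (uintptr_t)&dwTable && seen == (uintptr_t)cSendPacket;
}

/* The "RIGHT" call adds one level of indirection, as in the fixed snippet
 * (a pointer-sized variable here, like the post's uint32 on Win32).
 * Returns 1 when the callee sees the real table. */
int right_call_resolves_to_table(void) {
    FuncList dwTable;
    fill_table(&dwTable);
    const FuncList *tableptr = &dwTable;
    return module_resolve_table(&tableptr) == (uintptr_t)&dwTable;
}
```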
#2
Quote from: brew on June 06, 2009, 06:21 PM
I think that's because you didn't move the class pointer into ecx before calling, since it's a thiscall.
I've switched to assembly:
_asm {
mov ecx, dword ptr dwTable
call A
}


It still crashes, but with another wrong address.

Same here:
_asm {
mov ecx, dword ptr dwTable
call dword ptr A
}


Edit: code fully converted from C++ to C. Nothing changes.
#3
Nothing.

I've installed Visual Basic 6 Enterprise Edition, learned some Basic, compiled and tested ringo's warden handler with a module: it worked PERFECTLY, and I didn't know any Basic function/struct.

With the C code, written in a language I have been writing in for years, nothing came of it.
I've compared every single line of the C interpreter to the Basic one, adding debug outputs, comparing the prepared modules, changing definitions for hours, but the error remains the same.

Functions are the same, code is the same, input is the same. I checked them (too) many times.

This is my C project with a module attached; you only need to compile and run it (Visual Studio 9):
http://filebeam.com/b9d795e7a3518ea6729f33b7e317ec48

If someone could solve this strange problem, I would be very grateful.
#4
Quote from: Hdx on June 04, 2009, 02:45 PM
Stupid problem that got me for a while. Are you 100% sure that your memory space is being zeroed out before you prop the module into it?
I'll see if I can find some debugging code I can get you to prep a module for comparison to another. I just don't know where I put it :/
Yes, I realized it while comparing ringo's code to iago's code.
I've already added a ZeroMemory() after malloc().

Edit: I've tried to run the module attached to the SCGP bot and it gives me the same error... it means something is wrong in my code preparation; I'll check it later. Thanks for all your support.
#5
Quote from: brew on June 04, 2009, 11:52 AM
That's a real odd address, you sure you're calling that function in the valid range?
I did only this:
DWORD ECX, EDX, EBP;

EBP = getInteger(pModule, 0x18);
EDX = 1 - EBP;

if(EDX > getInteger(pModule, 0x14))
return FALSE;

ECX = getInteger(pModule, 0x10); // offsetWardenSetup
ECX = getInteger(pModule, ECX + (EDX * 4)) + (DWORD)pModule;

fnInitializeModule fpInitializeModule = (fnInitializeModule)ECX;

and called the function with a valid function pointer array.
Can anyone run the module I posted before? I'm almost sure it's an error in my decryption.
#6
I can't execute the module code without crashing (with a C program).

This is the module I tried to run (the file isn't a real .txt file but the decoded and decompressed code sent by battle.net; rename it as you like):
http://filebeam.com/c0d8f7eb04ad97715466becad4b286d0

The module crashes in the main function, calling a wrong address:
0xC0000005: Access violation at address 0xe9000021
I've used exactly iago's preparation and init code, shown here:
http://www.skullsecurity.org/wiki/index.php/Warden_Modules

Can anyone try to load it and tell me whether it runs or not with a tested system, like ringo's script? I want to find out if the bug is in the preparation or in the code itself (maybe I haven't downloaded it the right way). Thank you.
#7
Quote from: Ringo on June 01, 2009, 11:35 AM
If you have already loaded and mapped the module to memory with python, there shouldn't really be a problem.
Assuming you can get the address of a variable and call a function pointer (even if that requires using user32.dll's CallWindowProcA)
I've never used python in my life, so I've really no idea about problems you would run into.

If running on non-Windows OSes requires you not to use winapis, such as LoadLibrary and GetProcAddress (to write API function addresses to the warden module)
you should be able to just null them API addresses.
If some APIs are required by the module, you could always just supply the address of a dummy std function within your program, and just return values that will keep the module from failing.
iirc, warden modules only use a few APIs when initialized and I don't think they use any for the rc4/handle packet function (as long as you only allow it to handle 0x05)

Specifically, what do you see as a problem at the moment?
Python, like many modern languages, is not a compiled language but an interpreted language. Strings in Python, PHP, Perl or Ruby aren't real strings, but structures handled internally by the interpreter (NOT by the script) that can't be hacked or executed for security reasons (for instance you can't make a program crash, you can only get errors).
So, if I want to load and execute precompiled code, like in this case, I must do it with a lower-level language.

Why am I using python? Because it's very simple, intuitive, it has NATIVELY every library I need (socket, SHA1, zlib, gtk (I'll need it to build the interface), etc.) and has the best string handling system I've ever seen.

You're right, warden modules are pure assembly/binary with a few calls, which can be found with a simple hexadecimal editor, but I prefer using an engine like wine instead of mapping these functions manually, because they're Windows-native.

Thanks for the help; in a couple of weeks I'll get my first results.
#8
Quote from: Hdx on June 01, 2009, 04:23 AM
UnknowN-TerroR, short answer is that currently the actual format or function of 0x05 is not publicly [or as far as I know privately] documented. So, unless python has a way of running machine code you are out of luck.
I plan to make the module loader in C and, if there is no way to run that code under a non-Windows system, to use wine.
I was able to implement every step (RC4, broken SHA, zlib inflate) in python, so this is the only problem.
#9
Hi,
I'm developing a multi-OS battle.net client written in python that I'm going to release under the GPL.

I'm analyzing the behaviour of the new anticheat system under Warcraft III. I've managed to decrypt and encrypt the first packets, but I can't understand what I should do when I receive the SID_WARDEN packet with the 0x05 code, which changes the keys, breaking the decryption.

I've looked here:
http://www.skullsecurity.org/wiki/index.php/Warden_Modules
but nothing is written about this kind of packet.

The bnet docs only say:
   0x05 - Initialization
       (DWORD)[5] Unknown


I've looked also here:
http://forum.valhallalegends.com/index.php?topic=17903.msg182385#msg182385
but I can't understand very well what the program calls.

I read that the client must first initialize the warden module sent in the 0x00 packet, then use it to generate a new key, but I'm not very sure...

What should I do?
Thanks for your great work in analyzing the blizzard protocol.