Valhalla Legends Archive

Rudimentary Warden information

Started by iago, February 28, 2008, 05:07 PM


bulletproof tiger

Quote from: Andy on December 06, 2008, 01:37 PM
So... you're using the warden modules to do the dirty work, just not the actual memory checks? I guess that's pretty close to what I had hoped for.

That's typically the first step in the process. :P

Ringo

#286
0x02:

do until pos >= length
    (BYTE) String Length
    If String Length
        (VOID) String
    else
        exit do
loop
do until pos >= length
    (BYTE) (ID ^ data[length])
    if ID = MEM_CHECK
        (BYTE) String Index (If 0x00, base 0, else, base of library in this string)
        (DWORD) offset
        (BYTE) read Length
        If address_cant_be_read
            insert(BYTE) 0x01
        else
            insert(BYTE) 0x00
            insert(VOID) memory
    elseif ID = PAGE_CHECK_A
        (DWORD) Unknown/seed
        (DWORD[5]) SHA1
        (DWORD) Address
        (BYTE)  Length
        If youre_legit
            insert(BYTE) 0x00
        else
            insert(BYTE) result
    else
        Blizzard's weapon of mass destruction -- abort
loop


That's pretty much what Starcraft is doing right now, although it can do a lot more.
The string list, although not currently used in Starcraft, doesn't always contain module names. It can also contain MPQ files to SHA1.
You won't see MPQ files in the requests unless you get packet 0x03, right after 0x05, telling you to load a library (normally storm.dll) and giving you offsets to functions (to read MPQs).
For ID PAGE_CHECK_A, you can safely skip that request and just insert byte 0x00 -- it's basically just checking memory pages and comparing SHA1s -- the legit/unhacked client always sends back 0x00 for those requests.
99.9% safe, enjoy!

edit:
Note* the IDs MEM_CHECK and PAGE_CHECK_A are variable for each module.


(TYPE) is for reading
insert(TYPE) is for sending
Once you have finished building your response buffer, the format is as follows:
(BYTE) 0x02 packet ID
(WORD) Length of buffer
(DWORD) Checksum of buffer
(VOID) Buffer

Barabajagal

#287
Okay, since the other topic got locked, I guess I'll ask here. Why does your code in your SCGP bot not use the ID at all? You're checking for MEM_CHECK with (Asc(Mid(S, P + 1, 1)) = 0) And (Asc(Mid(S, P + 6, 1)) < &H40), and PAGE_CHECK_A with (Asc(Mid$(S, P + 29, 1)) < &H80) And (Asc(Mid$(S, P + 28, 1)) = 0) And (Asc(Mid$(S, P + 27, 1)) < &H40), which seems to not work quite right for some packets, unless I'm doing something wrong.

For example:
02 00
39
  D6 63 0F F6
  8E 6B 4A 26 AA 55 E0 64 2D 6E 04 5D D6 65 32 F7 12 5A 99 D6
  40 A1 00 00
  10
39
  AB 6E 00 5A
  F5 F7 6C FA E5 1F D1 4A 36 EE 7C 03 43 11 94 00 CA 7E 53 DE
  69 32 00 00
  24
39
  61 E2 48 55
  94 C3 BA 59 8A AE 9E C3 2B FF 1C 12 87 22 3E AB 8F B8 B1 52
  EC D7 06 00
  30
39
  1A A9 B6 B7
  0B C7 9D 5D A4 BC C5 AA C6 C8 BE 9F F7 89 0B 0F B6 C7 95 8B
  F8 D4 06 00
  30
39
  00 D0 81 E3
  67 0D 8A DB 4F E1 EA 49 88 C5 07 3A 34 C7 59 2D 7F 15 BD 0B
  B8 21 00 00
  11
6A


The last request is a PAGE_CHECK_A request, yet it fills the requirements of the second byte being 00 and the seventh being under 0x40, thus attempting to run a MEM_CHECK on invalid data.

02 00
A7
  91 4E CE AE
  7B F0 DD 55 4D 51 77 C9 70 02 B4 D2 6D 3B CE 4B E7 28 54 3A
  20 50 00 00
  10
AB
  00
  2A F4 46 00
  09
A7
  6A 6B 5D B6
  14 41 DC 98 3F D4 5F 68 15 18 B9 07 2C D3 BF AD 37 B7 23 FF
  9C FE 01 00
  25
A7
  EF 63 5B 77
  D6 36 B0 C9 3C 11 00 34 E9 08 96 D3 AB 3D 4A AB 87 14 2C 26
  20 EE 01 00
  25
A7
  00 6C 1A 5B
  23 10 E8 22 28 B5 F8 AF A6 2C 4A 8D EA 4C D4 1E F4 1C 75 DB
  5A 22 00 00
  20
A7
  57 9B 66 E0
  52 FF 5F D9 22 A6 06 A8 F1 02 B5 6E D7 BD 4C 9D B5 9F DD 1C
  B4 7C 00 00
  17
28


Likewise, the second-to-last request of this packet fits your pattern matching system, resulting in an attempt to handle a PAGE_CHECK_A request as a MEM_CHECK request.

Also, is there any way to grab MEM_CHECK and PAGE_CHECK_A from the module itself?
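As an added example (my own code, not anything from this thread or from SCGP): a Python walk over the two captures Barabajagal posted above, parsed the way Ringo's #286 lays the 0x02 format out, with the reply buffer built by his insert() rules and wrapped in the (BYTE) 0x02 / (WORD) length / (DWORD) checksum header. Assumptions beyond what the posts say: the per-module check IDs are taken to be the first check byte of each dump XORed with the packet's last byte (0x53 for the first dump; 0x83 and 0x8F for the second), Ringo's `ID ^ data[lengh]` is read as "the last byte of the packet is the XOR key", the memory reader is a constructed stub, and the DWORD checksum, which the thread never specifies, is implemented as an XOR-fold of the SHA-1 words, my understanding rather than anything stated here. heuristic_is_mem_check() reproduces the SCGP byte-pattern test only to show the misfire described above; the parser itself goes by the IDs.

```python
import hashlib
import struct

# Both captures are the ones quoted in Barabajagal's post above.
DUMP1 = bytes.fromhex("""
02 00
39 D6 63 0F F6 8E 6B 4A 26 AA 55 E0 64 2D 6E 04 5D D6 65 32 F7 12 5A 99 D6 40 A1 00 00 10
39 AB 6E 00 5A F5 F7 6C FA E5 1F D1 4A 36 EE 7C 03 43 11 94 00 CA 7E 53 DE 69 32 00 00 24
39 61 E2 48 55 94 C3 BA 59 8A AE 9E C3 2B FF 1C 12 87 22 3E AB 8F B8 B1 52 EC D7 06 00 30
39 1A A9 B6 B7 0B C7 9D 5D A4 BC C5 AA C6 C8 BE 9F F7 89 0B 0F B6 C7 95 8B F8 D4 06 00 30
39 00 D0 81 E3 67 0D 8A DB 4F E1 EA 49 88 C5 07 3A 34 C7 59 2D 7F 15 BD 0B B8 21 00 00 11
6A""")
DUMP2 = bytes.fromhex("""
02 00
A7 91 4E CE AE 7B F0 DD 55 4D 51 77 C9 70 02 B4 D2 6D 3B CE 4B E7 28 54 3A 20 50 00 00 10
AB 00 2A F4 46 00 09
A7 6A 6B 5D B6 14 41 DC 98 3F D4 5F 68 15 18 B9 07 2C D3 BF AD 37 B7 23 FF 9C FE 01 00 25
A7 EF 63 5B 77 D6 36 B0 C9 3C 11 00 34 E9 08 96 D3 AB 3D 4A AB 87 14 2C 26 20 EE 01 00 25
A7 00 6C 1A 5B 23 10 E8 22 28 B5 F8 AF A6 2C 4A 8D EA 4C D4 1E F4 1C 75 DB 5A 22 00 00 20
A7 57 9B 66 E0 52 FF 5F D9 22 A6 06 A8 F1 02 B5 6E D7 BD 4C 9D B5 9F DD 1C B4 7C 00 00 17
28""")
# Check IDs are per-module (Ringo's edit).  ASSUMED here by XORing the first
# check byte of each dump with the packet's last byte (0x39^0x6A, 0xA7^0x28,
# 0xAB^0x28); a real client learns them from the loaded Warden module.
DUMP1_IDS = {0x53: "PAGE_CHECK_A"}
DUMP2_IDS = {0x83: "MEM_CHECK", 0x8F: "PAGE_CHECK_A"}

def parse_request(pkt, ids):
    """String list, then checks.  The check ID byte is XORed with the packet's
    last byte (Ringo's "ID ^ data[length]"), so that byte is the key and the
    check loop stops one short of it.  Returns (strings, checks)."""
    if not pkt or pkt[0] != 0x02:
        raise ValueError("not a Warden 0x02 request")
    pos, strings = 1, []
    while pos < len(pkt):               # a 0x00 length byte ends the list
        n, pos = pkt[pos], pos + 1
        if n == 0:
            break
        strings.append(pkt[pos:pos + n].decode("ascii"))
        pos += n
    key, checks = pkt[-1], []
    while pos < len(pkt) - 1:
        at, kind, pos = pos, ids.get(pkt[pos] ^ key), pos + 1
        if kind == "MEM_CHECK":
            idx, off, ln = struct.unpack_from("<BIB", pkt, pos)
            pos += 6
            checks.append({"kind": kind, "at": at, "index": idx, "offset": off, "length": ln})
        elif kind == "PAGE_CHECK_A":
            seed, = struct.unpack_from("<I", pkt, pos)
            addr, ln = struct.unpack_from("<IB", pkt, pos + 24)
            checks.append({"kind": kind, "at": at, "seed": seed,
                           "sha1": bytes(pkt[pos + 4:pos + 24]), "address": addr, "length": ln})
            pos += 29
        else:                           # any other ID: abort, do not guess
            raise ValueError("unknown check ID at offset %d" % at)
    return strings, checks

def heuristic_is_mem_check(pkt, at):
    """The SCGP byte-pattern test quoted above, moved from VB's 1-based Mid()
    to 0-based indexing.  Kept only to show where it misfires."""
    return pkt[at + 1] == 0 and pkt[at + 6] < 0x40

def build_reply_body(checks, read_memory):
    """MEM_CHECK -> 0x01 if unreadable, else 0x00 + bytes; PAGE_CHECK_A -> 0x00
    (what a legit client answers).  read_memory(index, offset, length) -> bytes or None."""
    body = bytearray()
    for c in checks:
        if c["kind"] != "MEM_CHECK":
            body.append(0x00)
            continue
        data = read_memory(c["index"], c["offset"], c["length"])
        body.append(0x01 if data is None else 0x00)
        body += data or b""
    return bytes(body)

def checksum(buf):
    """ASSUMPTION: the thread never says how the DWORD checksum is computed.
    This XOR-folds the five words of SHA-1(buf), which is my understanding of
    the client's method; replace it if yours differs."""
    result = 0
    for w in struct.unpack("<5I", hashlib.sha1(buf).digest()):
        result ^= w
    return result

def wrap_reply(body):
    """(BYTE) 0x02, (WORD) length of buffer, (DWORD) checksum, (VOID) buffer."""
    return struct.pack("<BHI", 0x02, len(body), checksum(body)) + body

# Constructed stand-in for reading client memory: index 0 is base 0 (the
# executable); only the 9 bytes dump 2 asks for are mapped.
FAKE_MEMORY = {(0, 0x0046F42A): bytes.fromhex("558bec83ec0c535657")}

def fake_read_memory(index, offset, length):
    data = FAKE_MEMORY.get((index, offset))
    return None if data is None or len(data) < length else data[:length]
```

Running parse_request() over the first dump gives five PAGE_CHECK_A entries, and heuristic_is_mem_check() still says "MEM_CHECK" for the last of them (second byte 0x00, seventh byte 0x0D); over the second dump it likewise fires on the A7 request before the trailing key, exactly the two misfires Barabajagal points out. The string-list loop is there because Ringo's layout has it, even though he notes Starcraft does not currently populate it.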

Mystical

The offsets were changed? So SCGP is somewhat outdated...

Ringo was kind enough to send a few of us a PM with the new ones though =)

Barabajagal

#289
The offsets have nothing to do with this problem. The data I've posted doesn't even touch MEM_CHECK. And, as it's been mentioned multiple times, both in that topic and this one, the memory check data can easily be found in Starcraft.exe, or by simply running Starcraft as usual and reading the physical memory locations just like Warden would.

Although, I would like to know how to create the SHA1 value to compare to the given SHA1 in PAGE_CHECK_A, just for the sake of knowing.

Antarctica

Okay, really dumb question for your code, Andy. I'm getting a mismatch error in the 4th line of code (from your clsWarden module)


' fnctCopyMemory is an API alias, so it has to be declared before it can be called
Private Declare Sub fnctCopyMemory Lib "kernel32" Alias "RtlMoveMemory" _
    (Destination As Any, Source As Any, ByVal Length As Long)

Public Sub StrToByteArray(ByVal sStr As String, ByRef Ary() As Byte)
  If Len(sStr) = 0 Then Exit Sub      ' ReDim Ary(-1) would raise an error
  ReDim Ary(Len(sStr) - 1) As Byte
  ' ByVal hands the API the ANSI character buffer; without it the BSTR pointer itself is copied
  fnctCopyMemory Ary(0), ByVal sStr, Len(sStr)
End Sub

Barabajagal

fnctCopyMemory? That's an API call, not a standard function...

In any case, the code in the earlier pages of this thread is no longer the right way to handle Warden.

brew


zeroirc

Quote from: brew on February 13, 2009, 10:34 PM
Try using StrConv() instead.

Ya, Andy, use this code.

Public Sub StrToByteArray(ByVal sStr As String, ByRef Ary() As Byte)
    ' vbFromUnicode gives back the ANSI bytes of the string
    Ary() = StrConv(sStr, vbFromUnicode)
End Sub

Public Function ByteArrayToStr(ByRef Ary() As Byte) As String
    ' vbUnicode widens the bytes back into a VB string
    ByteArrayToStr = StrConv(Ary(), vbUnicode)
End Function
:)


Antarctica

Quote from: Andy on February 13, 2009, 04:52 PM
fnctCopyMemory? That's an API call, not a standard function...

In any case, the code in the earlier pages of this thread is no longer the right way to handle Warden.

Alright.  Do you think I can please see your code for how it is handled now?

Ringo

There's some simple VB6 example code for handling the current Warden found here, if it's of any use:
http://forum.valhallalegends.com/index.php?topic=17703.0

Barabajagal

Ya, most people wouldn't like my current code...
