lockdown-IX86-XX.mpq update?

Ringo · October 31, 2006, 04:51 PM

Hmm, a friend just noiticed Bnet has updated on west again.
lockdown-IX86-00.mpq to lockdown-IX86-19.mpq
Mpq's/Dll's Here: lockdown-IX86.zip
Also, the checkrevision string in 0x50 is no longer plain text.

Lol @ lockdown :p

l2k-Shadow · October 31, 2006, 04:57 PM

S->C 0x50

Code Select


0030                     ff 50 3e 00 00 00 00 00 c2 24  .......P>......$
0040   99 d3 f5 82 32 00 00 14 5a dc 72 fc c6 01 6c 6f  ....2...Z.r...lo
0050   63 6b 64 6f 77 6e 2d 49 58 38 36 2d 31 34 2e 6d  ckdown-IX86-14.m
0060   70 71 00 59 70 2e b1 94 89 af 9d f3 6f 09 d4 87  pq.Yp.......o...
0070   d5 4a f7 00                                      .J..

C->S 0x51

Code Select


0030                     ff 51 58 00 02 ae 6e 45 01 00  ...Z...QX...nE..
0040   0e 01 8b 64 2b 3c 01 00 00 00 00 00 00 00 0d 00  ...d+<..........
0050   00 00 01 00 00 00 XX XX XX XX 00 00 00 00 1f fe  ................
0060   50 f0 f2 8a 58 ee d5 b2 68 83 f5 f7 06 d2 45 36  P...X...h.....E6
0070   de 98 b3 65 9c 55 43 2a 5f 9d 9c 3a 09 39 8b e1  ...e.UC*_..:.9..
0080   7d 8f 00 6c 32 6b 2d 53 68 61 64 6f 77 00        }..l2k-Shadow.

Packet Log! man they are really trying now. I also tried calling CheckRevision() from the actual library with BNLib.dll, but it looks like they patched that as well!

Also from testing they have put code into the dlls to check for injected libraries.

Hero · October 31, 2006, 05:25 PM

Ah, here we go again!

Hdx · October 31, 2006, 05:43 PM

On a note, this is only being reported to SC/SC:BW.
All other clients are getting the regular returns.
~-~(HDX)~-~

l2k-Shadow · October 31, 2006, 05:44 PM

yes, the file searches for sc-specific injected libraries.

topaz · October 31, 2006, 06:06 PM

RULED

Hopefully this'll stop the lamer flood/loading thats been going on forever

Warrior · October 31, 2006, 06:26 PM

It looks like the newbs who cant code for themselves are screwed, anyone who truly knows what they're doing should be back up in a few days.

Hdx · October 31, 2006, 06:33 PM

Eah looks like it.
But guys don't worry just do your best and try and figure it out.
Also the fact that all other clients seem to be unaffected, this is not the end of bots. So don't freak out like last time

I've got the things up in IDA right now and am poking through it.
Also some other people i know (who are A LOT better then me) are poking around to.
So NEVER FEAR! For eventually it will be figured out.
Also if my theroy is correct... It isn't that big of a change.
~-~(HDX)~-~

topaz · October 31, 2006, 08:07 PM

"\xff\xbe'\xb2\x8ft\x8e-\x9c\xb0\xd2^\xd6\x9f@\xc3"

Interesting value string there...

warz · October 31, 2006, 08:30 PM

Finally, something new to do! ;-)

MysT_DooM · October 31, 2006, 09:03 PM

they shud have make the mpq file names all funny charecters also

and then randomize them

l)ragon · October 31, 2006, 09:07 PM

pplug114.bwl <--- = what?
did this come with the latest bw patch?

Code Select

S->C Dumps
0000:  FF 50 3E 00 00 00 00 00 51 1D C1 71 B1 B9 43 00   ÿP>.....QÁq±¹C.
0010:  00 55 2A BC 72 FC C6 01 6C 6F 63 6B 64 6F 77 6E   .U*¼rüÆlockdown
0020:  2D 49 58 38 36 2D 30 31 2E 6D 70 71 00 49 9F 62   -IX86-01.mpq.IŸb
0030:  4E 60 80 2B C9 06 31 CB 5C 6C 78 CA 4D 00         N`€+É1Ë\lxÊM...

0000:  FF 50 3E 00 00 00 00 00 C2 EC F9 F9 C5 B9 43 00   ÿP>.....ÂìùùÅ¹C.
0010:  00 7C E3 E5 72 FC C6 01 6C 6F 63 6B 64 6F 77 6E   .|ãårüÆlockdown
0020:  2D 49 58 38 36 2D 31 38 2E 6D 70 71 00 7A 58 78   -IX86-18.mpq.zXx
0030:  5D D0 D3 B2 53 2E 6D F1 A0 67 C1 C4 5B 00         ]ÐÓ²S.mñ gÁÄ[...

0000:  FF 50 3E 00 00 00 00 00 E9 CE 8A F2 D1 B9 43 00   ÿP>.....éÎŠòÑ¹C.
0010:  00 52 6E D0 72 FC C6 01 6C 6F 63 6B 64 6F 77 6E   .RnÐrüÆlockdown
0020:  2D 49 58 38 36 2D 30 39 2E 6D 70 71 00 CF 87 F2   -IX86-09.mpq.Ï‡ò
0030:  49 5C A0 33 15 80 7F B7 5E D9 18 B8 28 00         I\ 3€·^Ù¸(...

Apparently they like that one single byte heh, 0x01 right befor the mpq name, I'm guessing its their way of telling which revision to use perhaps.
Are the values compressed or encrypted maybe?

Edit: added dumps.

topaz · October 31, 2006, 09:12 PM

looks like penguin plug

Edit:

yes, it is. penguin plug for starcraft v1.14, and the extension is a BWLoader file

is l)ragon using hax?

BAD

l)ragon · October 31, 2006, 09:26 PM

Quote from: topaz on October 31, 2006, 09:12 PM
looks like penguin plug

Edit:

yes, it is. penguin plug for starcraft v1.14, and the extension is a BWLoader file

is l)ragon using hax?

BAD

No I was checking out these new dll's that file is refrenced in them.

Ringo · October 31, 2006, 09:29 PM

eh, im such a cheater

Starcraft.exe = my BNLS atm ;o

Code Select


[03:27:05] Connecting To Server..
[03:27:05] Connected To Server!
[03:27:05] Sending Client Check...
[03:27:05] Client Check Passed!
[03:27:05] Hooked Starcraft.exe...
[03:27:05] Waiting for Proxy connection to do revision...
[03:27:10] [PROXY] Accepted Connection! 0
[03:27:10] [PROXY] Client is game
[03:27:10] [PROXY] Accepted Connection! 1
[03:27:10] [PROXY] Client is ftp
[03:27:10] [PROXY] FTP Client is downloading lockdown-IX86-15.mpq (6.342kb)
[03:27:10] [PROXY] Got Revision Values Returned!
[03:27:10] Sending Revision Check...
[03:27:10] Revision Check Passed!

Eww hewlp!

lockdown-IX86-XX.mpq update?

warz