Welcome to Valhalla Legends Archive.
 

Unrecognized BNCS packet SID_005E received

Started by Spht, June 05, 2007, 02:19 PM


Spht

Yeah, so I'm not going to post the contents of the message, but it was 37 bytes of unrecognizable data.

l2k-Shadow

What client, and when during the connection?
Quote from: replaced on November 04, 2006, 11:54 AM
I dunno wat it means, someone tell me whats ix86 and pmac?
Can someone send me a working bot source (with bnls support) to my email?  Then help me copy and paste it to my bot? ;D
I was meant to live here,
To have boiled pork and horseradish, and drink beer with it.
Over there, they say, you'd be living like a pig in clover,
I don't want to fall on my arse in front of anybody.

I'm not from the USA, I'm not from the USA, I really am not from the USA... and hopefully they won't be angry at me for it.

Spht

Currently only on Starcraft and Brood War, and consistently 4 seconds after logging on / entering the "chat environment".

Also worth noting (probably related) that Battle.net is now dropping the connection about 2 minutes after logon.

warz

Quote from: Spht on June 05, 2007, 02:39 PM
Also worth noting (probably related) that Battle.net is now dropping the connection about 2 minutes after logon.

Doesn't appear to be dropping my connection - you on a bot, or the client? I'm using the client. Perhaps the client handles this properly, and already knows the purpose of this?

l2k-Shadow

You're right... it appears like this:

S->C 0x5E 41 bytes (random number, I guess)
C->S 0x5E 1 byte (I got 0x8D)

S->C Mass of data (thousands of bytes); some packets have the 0x5E header, some don't - sending a file perhaps? - although it doesn't use the FTP connection
C->S 0x51 1 byte (I got 0x78)

(few seconds later)
S->C 0x5E 28 bytes
C->S 0x5E 43 bytes


Spht

Quote from: betawarz on June 05, 2007, 02:49 PM
Quote from: Spht on June 05, 2007, 02:39 PM
Also worth noting (probably related) that Battle.net is now dropping the connection about 2 minutes after logon.

Doesn't appear to be dropping my connection - you on a bot, or the client? I'm using the client. Perhaps the client handles this properly, and already knows the purpose of this?

Well, I just assume that; I doubt Blizzard would do something that breaks their own client...

vuther.de

Quote
[3:55:03 PM] FF 5E 29 00 1D 59 BC 8E FC B0 0F B9 DF 2B A3 80   ÿ^)..Y¼Žü°.¹ß+£€
EC EC 94 69 1E 8C C3 6F E0 2C 55 09 41 35 D0 1F   ìì"i.ŒÃoà,U.A5Ð.
60 5B 6E 9A 47 CE 9E 60 CF                        `[nšGΞ`Ï.......

Ringo

Quote from: l2k-Shadow on June 05, 2007, 02:52 PM
You're right... it appears like this:

S->C 0x5E 41 bytes (random number, I guess)
C->S 0x5E 1 byte (I got 0x8D)

S->C Mass of data (thousands of bytes); some packets have the 0x5E header, some don't - sending a file perhaps? - although it doesn't use the FTP connection
C->S 0x51 1 byte (I got 0x78)

(few seconds later)
S->C 0x5E 28 bytes
C->S 0x5E 43 bytes


Sounds like warden! woohoo :P

warz

Quote from: l2k-Shadow on June 05, 2007, 02:52 PM
You're right... it appears like this:

S->C 0x5E 41 bytes (random number, I guess)
C->S 0x5E 1 byte (I got 0x8D)

S->C Mass of data (thousands of bytes); some packets have the 0x5E header, some don't - sending a file perhaps? - although it doesn't use the FTP connection
C->S 0x51 1 byte (I got 0x78)

(few seconds later)
S->C 0x5E 28 bytes
C->S 0x5E 43 bytes

Careful, there. Are you sure you're not just receiving a file still? I have received 5Eh numerous times in a simple recv/reply fashion. No additional data.

l2k-Shadow

Quote from: betawarz on June 05, 2007, 03:06 PM
Quote from: l2k-Shadow on June 05, 2007, 02:52 PM
You're right... it appears like this:

S->C 0x5E 41 bytes (random number, I guess)
C->S 0x5E 1 byte (I got 0x8D)

S->C Mass of data (thousands of bytes); some packets have the 0x5E header, some don't - sending a file perhaps? - although it doesn't use the FTP connection
C->S 0x51 1 byte (I got 0x78)

(few seconds later)
S->C 0x5E 28 bytes
C->S 0x5E 43 bytes

Careful, there. Are you sure you're not just receiving a file still? I have received 5Eh numerous times in a simple recv/reply fashion. No additional data.

I think so, because all the packets have FF 5E FB 01 in front, and the client doesn't ask for any file before starting to receive the ones without the header.

Ringo

Quote from: betawarz on June 05, 2007, 03:06 PM
Quote from: l2k-Shadow on June 05, 2007, 02:52 PM
You're right... it appears like this:

S->C 0x5E 41 bytes (random number, I guess)
C->S 0x5E 1 byte (I got 0x8D)

S->C Mass of data (thousands of bytes); some packets have the 0x5E header, some don't - sending a file perhaps? - although it doesn't use the FTP connection
C->S 0x51 1 byte (I got 0x78)

(few seconds later)
S->C 0x5E 28 bytes
C->S 0x5E 43 bytes

Careful, there. Are you sure you're not just receiving a file still? I have received 5Eh numerous times in a simple recv/reply fashion. No additional data.
You would only get the large amount of data on the first logon with the client; after that, it's up to date.
I'm 99.9999% sure this is warden :P
After the warden version check, the client is requested a new check every 15 seconds.
It looks (from a few dumps) like it works in almost/exactly the same way as the D2 warden client.

l2k-Shadow

Check out bncache.dat:
Quote
67d66f46a09ac454b61d980c0820ba0d.mod

Great file name - an MD5 hash of something? The data, I guess?

Ringo

Quote from: l2k-Shadow on June 05, 2007, 03:27 PM
Check out bncache.dat:
Quote
67d66f46a09ac454b61d980c0820ba0d.mod

Great file name - an MD5 hash of something? The data, I guess?
Hmm, if the D2 warden client is anything to go by, the packet payloads are encrypted both ways (I think D2 uses RC4 encryption), and one of the tokens (server/client/UDP, most likely, for SC/BW) is used as the encryption key.
The 67d66f46a09ac454b61d980c0820ba0d.mod should be a module of asm code that the client uses to produce the result from the request. Blizzard can, and normally does, update that anti-hack code at any time on D2.
I'm no expert on the warden client, though, but if the D2 warden client is anything to go by, the bnet warden client will be the same, if not a slightly modified version of the one WoW, W3 and D2 use.
Now that we know the BNCS warden packet, I'm interested to know what other clients have warden installed and enabled, but switched off :P

warz

According to Saren, from bwhacks.com:

Quote
This is a very lite version of warden that actually reports (believe it or not) the VM memory size of Starcraft along with some other data (version number, operating system, etc., tied to your CD key + account) whenever you log into Battle.net. It's been known for a while.

It has really nothing to do with preventing hacks at all. They added a separate 'protection' for that.

Chriso

Someone just reported this packet to me also...

[1:36:29 PM] Unhandled packet: 0x5E
[1:36:29 PM] FF 5E 29 00 39 C2 59 F4 13 53 67 F3 D2 E6 18 B2 ÿ^).9ÂYô.SgóÒæ.²
[1:36:29 PM] 98 51 2B E3 F2 06 4E 75 31 C2 A9 8E 00 32 53 45 ˜Q+ãò.Nu1©Ž.2SE
[1:36:29 PM] D9 5C 56 6D 18 46 C3 0F 74 Ù\Vm.FÃ.t.......


[1:45:42 PM] Unhandled packet: 0x5E
[1:45:42 PM] FF 5E 29 00 05 44 A9 B9 E5 66 E7 6D 45 97 D6 AA ÿ^)..D©¹åfçmE—Öª
[1:45:42 PM] B9 EE 07 56 E6 0F 99 A1 C4 ED ED 32 5C 66 B7 F5 ¹î.Væ.™¡Äíí2\f·õ
[1:45:42 PM] 8B F2 3F 2E D6 86 AF A7 09 ‹ò?.Ö†¯§........


That is more than 15 seconds; this bot is not responding, though...
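Added example (editor's code, not from any poster, any bot, or Blizzard's client): a parser for the BNCS framing that every dump in this thread uses, fed with the hex dumps vuther.de and Chriso posted above. It shows three things the thread only states in passing: that `FF 5E 29 00` is a 0x29 = 41-byte packet whose payload is the 37 bytes Spht counted; that Chriso's two packets are 553 seconds apart, which is how Ringo's "every 15 seconds" claim can be checked against any dump; and, in `split_delivery_demo()`, how a 507-byte packet (`FF 5E FB 01`) delivered over several recv() calls appears in a per-buffer dump as one chunk with a header followed by chunks without one, something to rule out before reading header-less chunks as a separate transfer. Assumptions: the dump strings are copied from the posts above and only the "[time] hex-bytes ascii-column" layout is relied on; `SID_005E` is just a local name for packet ID 0x5E; the 503-byte payload in the split demo is constructed filler.

```python
"""BNCS framing parser for the 0x5E dumps quoted in this thread (editor's example)."""
import re
import struct
from datetime import datetime

SID_005E = 0x5E  # the packet ID this thread is about (local name, not an official one)

# vuther.de's dump, copied from the thread: only the first line carries a timestamp.
VUTHER_DUMP = r"""
[3:55:03 PM] FF 5E 29 00 1D 59 BC 8E FC B0 0F B9 DF 2B A3 80   ÿ^)..Y¼Žü°.¹ß+£€
EC EC 94 69 1E 8C C3 6F E0 2C 55 09 41 35 D0 1F   ìì"i.ŒÃoà,U.A5Ð.
60 5B 6E 9A 47 CE 9E 60 CF                        `[nšGΞ`Ï.......
"""

# Chriso's dump, copied from the thread: two 0x5E packets nine minutes apart.
CHRISO_LOG = r"""
[1:36:29 PM] Unhandled packet: 0x5E
[1:36:29 PM] FF 5E 29 00 39 C2 59 F4 13 53 67 F3 D2 E6 18 B2 ÿ^).9ÂYô.SgóÒæ.²
[1:36:29 PM] 98 51 2B E3 F2 06 4E 75 31 C2 A9 8E 00 32 53 45 ˜Q+ãò.Nu1©Ž.2SE
[1:36:29 PM] D9 5C 56 6D 18 46 C3 0F 74 Ù\Vm.FÃ.t.......
[1:45:42 PM] Unhandled packet: 0x5E
[1:45:42 PM] FF 5E 29 00 05 44 A9 B9 E5 66 E7 6D 45 97 D6 AA ÿ^)..D©¹åfçmE—Öª
[1:45:42 PM] B9 EE 07 56 E6 0F 99 A1 C4 ED ED 32 5C 66 B7 F5 ¹î.Væ.™¡Äíí2\f·õ
[1:45:42 PM] 8B F2 3F 2E D6 86 AF A7 09 ‹ò?.Ö†¯§........
"""

LINE_RE = re.compile(r"^\[(\d{1,2}:\d{2}:\d{2} [AP]M)\]\s*(.*)$")
HEX_RE = re.compile(r"^[0-9A-Fa-f]{2}$")
BYTES_PER_LINE = 16


def parse_dump_lines(text):
    """Yield (timestamp, bytes) for each dump line.

    Hex tokens are taken from the left until the first token that is not exactly
    two hex digits, capped at 16 per line (the bots' dump width). That matters:
    the ASCII column of vuther.de's second line contains the text "A5", which a
    re.findall() over the whole line would turn into a data byte. Lines without
    a timestamp inherit the previous one.
    """
    ts = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%I:%M:%S %p")
            line = m.group(2)
        data = bytearray()
        for tok in line.split():
            if len(data) == BYTES_PER_LINE or not HEX_RE.match(tok):
                break
            data.append(int(tok, 16))
        if data:
            yield ts, bytes(data)


class BncsStream:
    """Reassembles a TCP byte stream into BNCS packets.

    Header: FF, packet ID, u16 little-endian total length including the header.
    "FF 5E 29 00" is therefore a 0x29 = 41-byte packet with a 37-byte payload,
    and "FF 5E FB 01" a 507-byte one.
    """
    HDR = struct.Struct("<BBH")

    def __init__(self):
        self.buf = bytearray()
        self.packets = []  # (timestamp, packet_id, payload)

    def feed(self, ts, chunk):
        """Append one recv() worth of bytes; return how many packets completed."""
        self.buf += chunk
        completed = 0
        while len(self.buf) >= self.HDR.size:
            magic, pid, length = self.HDR.unpack_from(self.buf)
            if magic != 0xFF or length < self.HDR.size:
                raise ValueError("stream desynchronised at %s" % bytes(self.buf[:4]).hex())
            if len(self.buf) < length:
                break  # the rest of this packet is still in flight
            self.packets.append((ts, pid, bytes(self.buf[self.HDR.size:length])))
            del self.buf[:length]
            completed += 1
        return completed


def packets_from_dump(text):
    """Frame every packet in a dump; fail loudly on a truncated tail."""
    stream = BncsStream()
    for ts, data in parse_dump_lines(text):
        stream.feed(ts, data)
    if stream.buf:
        raise ValueError("%d trailing bytes without a complete packet" % len(stream.buf))
    return stream.packets


def intervals(packets, pid=SID_005E):
    """Seconds between consecutive arrivals of one packet ID."""
    times = [ts for ts, p, _ in packets if p == pid and ts is not None]
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def split_delivery_demo(chunk_size=200):
    """A 507-byte 0x5E packet (constructed filler payload) delivered over three recv() calls.

    Only the first chunk starts with FF 5E FB 01; the later chunks carry no header,
    which is how per-recv() buffers look in a dump. Returns packets completed per chunk.
    """
    payload = bytes(i & 0xFF for i in range(503))
    wire = BncsStream.HDR.pack(0xFF, SID_005E, BncsStream.HDR.size + len(payload)) + payload
    assert wire[:4] == bytes.fromhex("FF5EFB01")
    stream = BncsStream()
    return [stream.feed(None, wire[i:i + chunk_size]) for i in range(0, len(wire), chunk_size)]


if __name__ == "__main__":
    for name, dump in (("vuther.de", VUTHER_DUMP), ("Chriso", CHRISO_LOG)):
        pk = packets_from_dump(dump)
        for ts, pid, payload in pk:
            print("%-9s %s 0x%02X payload=%d bytes: %s..." % (
                name, ts.time() if ts else "-", pid, len(payload), payload[:8].hex()))
        print("  gaps between 0x5E packets (s):", intervals(pk))
    print("packets completed per recv() chunk:", split_delivery_demo())
```

Run it as a script to print the framed packets and gaps; feed your own bot's dump text to `packets_from_dump()` to check whether the 0x5E cadence you see matches the 15-second figure claimed above, and note that `packets_from_dump()` raises if the dump ends mid-packet, so a truncated capture is reported rather than silently mis-framed.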