Welcome to Valhalla Legends Archive.
 

Unrecognized BNCS packet SID_005E received

Started by Spht, June 05, 2007, 02:19 PM


Ringo

Quote from: betawarz on June 05, 2007, 04:17 PM
According to Saren, from bwhacks.com:

Quote
This is a very lite-version of warden that actually reports (believe it or not) the vm memory size of Starcraft along with some other data (version number, operating system, etc. tied to your cd key + account) whenever you log into battle.net. It's been known for a while.

It has really nothing to do with preventing hacks at all. They added a separate 'protection' for that.
Nice, that sounds pretty mild, any idea if that is what the current module is doing?
I get the feeling blizzard would change that if needed :(

Also does anyone know the process memory offset for 1.15 sc/bw's storm.dll and battle.snp?

l2k-Shadow

Quote from: Ringo on June 05, 2007, 05:03 PM
Quote from: betawarz on June 05, 2007, 04:17 PM
According to Saren, from bwhacks.com:

Quote
This is a very lite-version of warden that actually reports (believe it or not) the vm memory size of Starcraft along with some other data (version number, operating system, etc. tied to your cd key + account) whenever you log into battle.net. It's been known for a while.

It has really nothing to do with preventing hacks at all. They added a separate 'protection' for that.
Nice, that sounds pretty mild, any idea if that is what the current module is doing?
I get the feeling blizzard would change that if needed :(

Also does anyone know the process memory offset for 1.15 sc/bw's storm.dll and battle.snp?

0x15000000 storm
0x19000000 battle

i think
Quote from: replaced on November 04, 2006, 11:54 AM
I dunno what it means, someone tell me what's ix86 and pmac?
Can someone send me a working bot source (with bnls support) to my email? Then help me copy and paste it to my bot? ;D
I was meant to live here,
To have boiled pork and horseradish, and drink beer with it.
There, they say, you'd be as happy as a pig in clover,
I don't want to fall on my ass in front of anyone.

I'm not from the USA, I'm not from the USA, I'm really not from the USA... and hopefully they won't be mad at me for that.

Denial

Interesting. Seems they are already modifying it. So iago, what say you?
An act does not make a person guilty unless the mind is also guilty.

iago

I say it was lucky timing. I'm told that they use Warden for all the other clients, it was just a matter of time before they used it for Starcraft.
This'll make an interesting test for broken AV:
Quote
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Denial

I think we should stick with 1 thread to post, iago you choose :).

Chriso

Quote from: iago on June 06, 2007, 12:00 AM
I say it was lucky timing. I'm told that they use Warden for all the other clients, it was just a matter of time before they used it for Starcraft.
I heard warden disconnects you if you don't reply to it... Is this true?

Denial

It disconnects you after about roughly 2 minutes when you don't respond to it. I haven't done much research, so if you respond to it every 110 seconds wouldn't you be fine?

Ringo

Quote from: l2k-Shadow on June 05, 2007, 07:10 PM
0x15000000 storm
0x19000000 battle

i think

Thanks, I'm gonna need them a bit later :P


Quote from: Denial on June 06, 2007, 12:04 AM
Lockdown 2 = Warden :) But this isn't the end of it, wait until later this week.
Quote from: Denial on June 05, 2007, 11:48 PM
Interesting. Seems they are already modifying it. So iago, what say you?
Quote from: Denial on June 06, 2007, 12:05 AM
I think we should stick with 1 thread to post iago you choose :).
Lockdown = lockdown, warden = warden, they are not the same thing, and have little, if anything, to do with each other :)
And I may be wrong, but I haven't noticed any changes to the lockdown dlls, and the warden client that is built into sc/bw has been present, but inactive since 1.13 I think :P
They just switched it on as a last resort.

Quote from: Denial on June 06, 2007, 05:34 AM
It disconnects you after about roughly 2 minutes when you don't respond to it. I haven't done much research, so if you respond to it every 110 seconds wouldn't you be fine?
Yes :P this will sort of be the principle that my BNWS (battle net warden server) will work on, when it's finished later today.
I already have a working D2WS, so a BNWS should be just as easy, although I'm still having a few problems with warden over bnet :)
When finished it should be able to support up to 80+ clients :)

Denial

Ringo, the Lockdown 2 is a joke which was started a few days before this came out; it started when iago posted his code for lockdown. We weren't being serious about those two actually being related. Also, the exact time when you get disconnected from Brood War is between 2 minutes and 2 minutes and 12 seconds.

Chriso

According to StarCrap's post on bwhacks you only have to reply to this packet with 1 byte, I haven't been able to get a packet log (of what byte is being returned) as yet since I don't have a StarCraft cd-key. According to him it updates your bncache.dat with some asm which is responsible for creating the appropriate hash to respond to the server with.

Spht

Quote from: Denial on June 06, 2007, 07:32 AM
Ringo, the Lockdown 2 is a joke which was started a few days before this came out; it started when iago posted his code for lockdown. We weren't being serious about those two actually being related. Also, the exact time when you get disconnected from Brood War is between 2 minutes and 2 minutes and 12 seconds.

It'll give you 2 minutes to respond after you log on, then after that you're dropped (how quickly depends on how your client handles connection)

Ringo

Quote from: Denial on June 06, 2007, 07:32 AM
Ringo, the Lockdown 2 is a joke which was started a few days before this came out; it started when iago posted his code for lockdown. We weren't being serious about those two actually being related.
Oh :)

I have run out of time again, and still haven't found the encryption key :(
I have done a fair bit of testing so far, and I'm pretty sure the encryption key is computed from a few logon values and not like D2, where the game hash is used as the encryption key. I have a hunch it is the server and client token used to make the key.
Also I don't know if this is 0x3A vs 0x29 related or 0x06, 0x07, 0x36 vs 0x50, 0x51 (I didn't get time to check), but when you logon starcraft/broodwar with 0x06, 0x07, 0x36, 0x29, the warden version check is pretty much static across all the battle.net realms/addresses, meaning the encryption key is static. That makes me think the encryption key is unique to one or two packet handlers server side. (0x51 or 0x29/0x3A)
However, every hour or so, it seems to change, leaving me puzzled :-\

Has anyone looked into the encryption key yet?

Rob

While investigating, I ran across 2 other packets in battle.snp that I have never encountered.  They seem to be undocumented on bnetdocs as well.

0x17 and 0x24

I didn't examine them close enough to find their purpose.
Rob@USEast

warz

You'll find plenty of interesting things while reversing blizzard games, heh.

Ringo

I'm just wondering if and how anyone is coming along with this?

I came back to it yesterday/today and I have a good idea what needs to be done.
Does anyone know the offset to the 0x50 handler/0x51 builder in battle.snp? Or better still, know how I would go about setting Starcraft's clienttoken to zero when it's building 0x51, rather than the tickcount of the cpu?
I think this is all I need to do to get warden to chase its tail, can anyone help here?
