Warden anti-hack is back..

Dale · September 10, 2007, 02:25 PM

silly joe

iago · September 10, 2007, 05:54 PM

Quote from: Joex86] link=topic=16998.msg172552#msg172552 date=1189443334]
Nevermind, you're right. I started reading at 0x16 instead of 0x36. That's what I get for trying to understand things in the morning.

Hint: look for 0xFF, and if the three bytes after it don't look sane, it's probably not Battle.net.

Although I'm pretty used to looking at the middle of the third line in a dump, I hope I never have to get used to IPv6

Joe[x86] · September 10, 2007, 07:55 PM

Quote from: iago on September 10, 2007, 05:54 PM
Quote from: Joex86] link=topic=16998.msg172552#msg172552 date=1189443334]
Nevermind, you're right. I started reading at 0x16 instead of 0x36. That's what I get for trying to understand things in the morning.

Hint: look for 0xFF, and if the three bytes after it don't look sane, it's probably not Battle.net.

Although I'm pretty used to looking at the middle of the third line in a dump, I hope I never have to get used to IPv6

Like I said, I always just start at offset 0x36.

devcode · September 10, 2007, 08:07 PM

90% reversed on the 0x5E reply hash.

Dale · September 10, 2007, 08:15 PM

How can you put a percentage of how much you're done when you don't completely know what's left?

devcode · September 10, 2007, 08:30 PM

Because I'm that good

Joe[x86] · September 10, 2007, 09:41 PM

Quote from: Dale on September 10, 2007, 08:15 PM
How can you put a percentage of how much you're done when you don't completely know what's left?

Technically, as far as "reversed" goes, it's a percentage of the code.

Now, at least for me, 90% of the code reversed means that 5% percent of the project is done. You've still gotta bring the loose ends together and make it work.

Don Cullen · September 10, 2007, 09:47 PM

Quote from: devcode on September 10, 2007, 08:30 PM
Because I'm that good

I'm happy to see you have that high of an opinion of yourself. Do you plan on sharing what you've found with the community, or do you plan on withholding it?

devcode · September 10, 2007, 09:55 PM

I promote open sourcing of details and snippets of code.

Don Cullen · September 10, 2007, 09:57 PM

Quote from: devcode on September 10, 2007, 09:55 PM
I promote open sourcing of details and snippets of code.

I'm impressed. Let's hope you're serious about reversing the 0x5E then.

devcode · September 10, 2007, 11:27 PM

The last part in the whole procedure is the encryption of the packet and I recreated the code for this encryption but I didn't know what this was until I remembered someone saying RC4 and it seems to match, didn't check thoroughly. I'm not familiar with RC4 so I'll have to do some reading ;(
So close yet so far ;o

Barabajagal · September 10, 2007, 11:49 PM

Wtf is with bnet using so many different encryption methods? -.-

Don Cullen · September 11, 2007, 12:58 AM

http://en.wikipedia.org/wiki/RC4

QuoteIn cryptography, RC4 (also known as ARC4 or ARCFOUR) is the most widely-used software stream cipher and is used in popular protocols such as Secure Sockets Layer (SSL) (to protect Internet traffic) and WEP (to secure wireless networks). While remarkable in its simplicity, RC4 falls short of the high standards of security set by cryptographers, and some ways of using RC4 can lead to very insecure cryptosystems (an example being WEP). It is not recommended for use in new systems. However, some systems based on RC4 are secure enough for practical use.

When you read the first sentence, it makes sense they chose this particular type to protect Warden. Simple enough to implement, but good enough to make it a pain in the neck to figure out.

Barabajagal · September 11, 2007, 02:09 AM

Didn't something else use RC4?

Joe[x86] · September 11, 2007, 09:32 AM

Yeah. World of WarCraft.. and... Warden.

Warden anti-hack is back..

Barabajagal

Barabajagal