• Welcome to Valhalla Legends Archive.
 

Maiev.mod

Started by brew, February 08, 2008, 10:36 PM


brew

Starts at 190333C9 in battle.snp, after some weak-as-hell static string encryption. Discuss.

My guess: The last name of the blizzard employee who implemented it?
<3 Zorm
Quote[01:08:05 AM] <@Zorm> haha, me get pussy? don't kid yourself quik
Scio te esse, sed quid sumne? :P

FrostWraith

Isn't Maiev a warcraft III character?

MyndFyre

Quote from: FrostWraith on February 08, 2008, 10:57 PM
Isn't Maiev a warcraft III character?
Yes.  Big surprise that Blizzard named something after a character that they created.  PsiStorm.dll was a Starcraft activity.  Woo.  Who cares?
QuoteEvery generation of humans believed it had all the answers it needed, except for a few mysteries they assumed would be solved at any moment. And they all believed their ancestors were simplistic and deluded. What are the odds that you are the first generation of humans who will understand reality?

After 3 years, it's on the horizon.  The new JinxBot, and BN#, the managed Battle.net Client library.

Quote from: chyea on January 16, 2009, 05:05 PM
You've just located global warming.

UserLoser

thought this was figured out years and years back that maiev.mod is the always running warden module?

brew

Quote from: UserLoser on February 09, 2008, 04:22 AM
thought this was figured out years and years back that maiev.mod is the always running warden module?
eh? the always running one? is this warcraft 3 specific? 'cause if it is, i'm wasting a shitload of time ;P

@FrostWraith: according to WoWWiki it's Maiev Shadowsong, a priestess of Elune during the War of the Ancients.
One of 'her' aliases is the "Hand of Justice"... oooo

EDIT**
I was reading that wiki article a bit more and here's what i found:
Quote
The "death" originates from the mission, The Search for Illidan, in which the mission objective is to slay the guardians of the cage, the Watchers, carrying Illidan to the Sentinels base. There were four guardians including Maiev;

Lord Illidan has been captured by the cunning Warden in a cage of magical enchantments. Slay the guardians of the cage and take it from the Night Elves before they reach the safety of their base.

UserLoser


iago

I believe that Maiev.mod is initially loaded, before a new one is downloaded/run. The code/decryption key are stored as constants, and it's decrypted before receiving any "warden" packets.
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


brew

Constant decryption key? Might it be "WBc+8F%R" by any chance?

iago

It's 16 bytes, but yeah, it starts with that.


brew

Hmm, does anyone have a copy of the mac storm.dll handy?

iago

You can extract the Mac version from Install.exe if you're stuck. But it's version 1.04, so it isn't especially useful. It's the only version I've ever used, though.

And incidentally, I was making breakfast when I realized that I was wrong -- that WBc+.. string isn't the key, that's the encrypted module. The key used is referenced right above it.


brew

Heh, i realized that it couldn't have been the key. What the 3rd parameter's offset is pointing to, is exactly 16 bytes. It's 57 42 63 C9 38 46 25 52 00 71 E4 47 00 40 DD 84. Just curious, why 16 bytes? Is starcraft's the same len? Please don't tell me it's md5...

MyndFyre

Quote from: brew on February 10, 2008, 01:13 PM
Heh, i realized that it couldn't have been the key. What the 3rd parameter's offset is pointing to, is exactly 16 bytes. It's 57 42 63 C9 38 46 25 52 00 71 E4 47 00 40 DD 84. Just curious, why 16 bytes? Is starcraft's the same len? Please don't tell me it's md5...

MD5 isn't an encryption algorithm, it's a hashing algorithm.

iago

Quote from: brew on February 10, 2008, 01:13 PM
Heh, i realized that it couldn't have been the key. What the 3rd parameter's offset is pointing to, is exactly 16 bytes. It's 57 42 63 C9 38 46 25 52 00 71 E4 47 00 40 DD 84. Just curious, why 16 bytes? Is starcraft's the same len? Please don't tell me it's md5...
The third parameter is the decryption key.

.text:19033697                 push    offset default_warden_key ; KeyString
.text:1903369C                 push    12B3h           ; EncryptedSize
.text:190336A1                 push    offset default_warden_module ; "WBc+8F%RqSG@¦ärBµs}\x11\"-<+\x02±ç¦y+\x168µ3+ûxŪ"...
.text:190336A6                 call    sub_190333C0

And yes, there is some MD5 involved, but not here.

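An added example, not part of the original posts: it reads the push/call sequence from the listing above and recovers the argument order, assuming a stack convention that pushes right to left (cdecl/stdcall), and renders the 16 bytes quoted in the thread as ASCII so they can be compared with the string IDA shows. The function names are made up for this illustration, and the IDA string comment is shortened to its ASCII-clean prefix.

```python
import re

# The four listing lines from the post above (string comment shortened).
LISTING = """\
.text:19033697                 push    offset default_warden_key ; KeyString
.text:1903369C                 push    12B3h           ; EncryptedSize
.text:190336A1                 push    offset default_warden_module ; "WBc+8F%R"...
.text:190336A6                 call    sub_190333C0
"""

# The 16 bytes quoted from the debugger earlier in the thread.
QUOTED_BYTES = "57 42 63 C9 38 46 25 52 00 71 E4 47 00 40 DD 84"

LINE_RE = re.compile(r"^\.\w+:([0-9A-F]+)\s+(push|call)\s+([^;]+?)\s*(?:;.*)?$")


def parse_operand(text):
    """Turn an IDA operand into ('sym', name) or ('imm', value)."""
    if text.startswith("offset "):
        return ("sym", text.split(None, 1)[1])
    if re.fullmatch(r"[0-9][0-9A-Fa-f]*h", text):
        return ("imm", int(text[:-1], 16))  # IDA-style hex literal, e.g. 12B3h
    return ("imm", int(text, 0))


def call_arguments(listing):
    """Return (callee, [arg1, arg2, ...]) for one push/call sequence.

    Assumption: arguments are pushed right to left (cdecl/stdcall),
    so the LAST push before the call is argument 1.
    """
    pushes, callee = [], None
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _, op, operand = m.groups()
        if op == "push":
            pushes.append(parse_operand(operand))
        else:
            callee = operand
            break
    return callee, pushes[::-1]


def printable(hex_bytes):
    """Render a hex dump as ASCII, '.' for anything non-printable."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in bytes.fromhex(hex_bytes))
```

Under that assumption `call_arguments(LISTING)` puts `default_warden_module` first, the size `0x12B3` second and `default_warden_key` third, and `printable(QUOTED_BYTES)` gives `WBc.8F%R.q.G.@..`.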

brew

Quote from: MyndFyre[vL] on February 10, 2008, 01:58 PM
Quote from: brew on February 10, 2008, 01:13 PM
Heh, i realized that it couldn't have been the key. What the 3rd parameter's offset is pointing to, is exactly 16 bytes. It's 57 42 63 C9 38 46 25 52 00 71 E4 47 00 40 DD 84. Just curious, why 16 bytes? Is starcraft's the same len? Please don't tell me it's md5...

MD5 isn't an encryption algorithm, it's a hashing algorithm.
was talking about the key generation.

@iago: thanks! You're good :P

Also, how often do the modules update? I was able to convert it from the hex view in ollydbg to binary data, then disassemble with ndisasm, but then when i go back to check it again (3 days later), my addresses aren't valid! :(