
Rudimentary Warden information

Started by iago, February 28, 2008, 05:07 PM


iago

I've posted information about how to decrypt, verify, prepare, and save modules for Warden. I'm sure others have done this already, but whatever, it was for my own education. You'll find complete info there about how to generate the keys and decrypt Warden packets, as well as how to read and respond to 0x00 and 0x01. Nothing there about how to respond to 0x02, though. I'm putting the project on hold for an indefinite amount of time, and wanted to share what I've done so far.

http://www.skullsecurity.org/wiki/index.php/Starcraft_Warden

I encourage people to help expand it, if possible, since I have no plans to for awhile. If you intend to edit the wiki (which is fine, if you can contribute useful information), I'd appreciate it if you asked me first (send me a PM here, I'll get back to you).

If you want more info/implementation, get in touch with me. I've written a module downloader/saver.
This'll make an interesting test for broken AV:
Quote: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


brew

D'oh! Way to tell them, iago. Now that the decryption/encryption is public, people are just going to make databases of Warden requests/responses, you know the deal... the end is nigh.
<3 Zorm
Quote: [01:08:05 AM] <@Zorm> haha, me get pussy? don't kid yourself quik
I know you are, but what am I? :P

Barabajagal

STFU, brew.

iago, I was looking over this earlier... before you deleted it the first time, or whatever.... and I'm confused about generating encryption keys...
Quote: Generating the keys used for encrypting Warden packets is a somewhat convoluted algorithm, but it is fairly simple to implement. Here are the basic steps:

   1. Create a source of shared random data based on a seed
   2. Generate the outgoing key from the first 0x10 bytes, using the generation code in Crypto_and_Hashing#Xor_Encryption
   3. Generate the incoming key from the next 0x10 bytes using that code
That part... where are these bytes coming from?

Ringo

Nice one iago, very nice, looks like you worked hard on it.
Interested in seeing where this goes :)
Soon everyone will have a bypass to Warden :D

Quote from: brew on February 28, 2008, 05:14 PM
the end is nigh.
You mean the start is nigh? :P
I look forward to beating it again :) Took me 30 min to beat SC Warden, should take me even less time to beat it again :)
AFAIK, me and rob@east had a working Warden, soon everyone will have it :D
I have around about 5000+ of the 1st messages already, but my method was a little simpler than iago's.
Aside, I don't think Blizzard really care, they haven't exactly done much with it since it got activated on SC/BW tbh

Newby

Quote from: Andy on February 28, 2008, 05:46 PM
STFU, brew.

/signed. brew, STFU. It's for educational purposes. There's no .ocx files or code that people can go and steal from the page, and I doubt anyone that still actively develops for Battle.net (in the old sense that people ripped bots and TCPConnect.cls and CleanSlateBot.ocx) can use it.
- Newby

Quote: [17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

Quote: <TehUser> Man, I can't get Xorg to work properly.  This sucks.
<torque> you should probably kill yourself
<TehUser> I think I will.  Thanks, torque.

brew

hm, now that it's all over, ringo, why don't you tell us how you did it all from vb6? that's an insane feat tbh ;P

BTW, I was looking over iago's code and I noticed he was referring to a "WardenUnknownPointer1". At first I thought it was just a pointer to some struct, but I think it's the base address for a "class" because it also contains some function pointers. The battle.net developers used OO and all that other crap I hate ;/
And [global_0 + 18h] I was referring to for the longest time as "WardenStruct->oldLen". What is it really?
And then there's the function list. IIRC the real function list for warden is included within the module itself a bit below the actual code...

MysT_DooM

Quote from: Andy on February 28, 2008, 05:46 PM
STFU, brew.

iago, I was looking over this earlier... before you deleted it the first time, or whatever.... and I'm confused about generating encryption keys...
Quote: Generating the keys used for encrypting Warden packets is a somewhat convoluted algorithm, but it is fairly simple to implement. Here are the basic steps:

   1. Create a source of shared random data based on a seed
   2. Generate the outgoing key from the first 0x10 bytes, using the generation code in Crypto_and_Hashing#Xor_Encryption
   3. Generate the incoming key from the next 0x10 bytes using that code
That part... where are these bytes coming from?

the cdkey hash


vb6, something about that combination of numbers and letters is sexy

iago

Quote from: Andy on February 28, 2008, 05:46 PM
iago, I was looking over this earlier... before you deleted it the first time, or whatever....
yeah, I realized it might be a bad idea to link it to my work's ip address, so I re-posted from home, hoping nobody would see it. :)

I'm not home right now, so I'll post answers to whatever I can later.


Barabajagal

Ah, okay... Maybe I'll make an OCX... JK JK!

And Myst... CDKey hashes are only 0x14 bytes long... how could I get two sets of 0x10 bytes from it?

MysT_DooM

Quote from: Andy on February 28, 2008, 07:07 PM
Ah, okay... Maybe I'll make an OCX... JK JK!

And Myst... CDKey hashes are only 0x14 bytes long... how could I get two sets of 0x10 bytes from it?

Should read http://www.skullsecurity.org/wiki/index.php/Warden_Packets and http://www.skullsecurity.org/wiki/index.php/Crypto_and_Hashing#Xor_Encryption



iago

Quote from: Andy on February 28, 2008, 07:07 PM
Ah, okay... Maybe I'll make an OCX... JK JK!

And Myst... CDKey hashes are only 0x14 bytes long... how could I get two sets of 0x10 bytes from it?
As Myst alluded to in his last post, maybe, you use something that I called "random source" or "random data" or something. It's some code that generates a random stream of data.

My server seems to have fallen over, right now. I'm leaving here shortly (although cycling through a snow storm, so no telling if I'll survive :-o), and will see what's going on when I get home.

Also keep in mind, this is NOT the end of the road. I only provided a starting point.

<edit> nevermind about the server, I was being stupid. :)


Barabajagal

Okay, let me rephrase my question... what's the seed?

Nevermind. I don't care enough about SC.

MysT_DooM

Quote from: Andy on February 28, 2008, 08:15 PM
Okay, let me rephrase my question... what's the seed?

Nevermind. I don't care enough about SC.

Did Rocky throw in the towel after getting beaten by Apollo?



l2k-Shadow

Quote from: replaced on November 04, 2006, 11:54 AM
I dunno wat it means, someone tell me whats ix86 and pmac?
Can someone send me a working bot source (with bnls support) to my email?  Then help me copy and paste it to my bot? ;D
I was meant to live here,
to have boiled pork and horseradish with a beer.
Over there, they say, you'd be living like a pig in clover,
but I don't want to sit on my arse in front of anyone.

I'm not from the USA, I'm not from the USA, I'm really not from the USA... and hopefully they won't be angry with me for that.

iago

Quote from: Andy on February 28, 2008, 08:15 PM
Okay, let me rephrase my question... what's the seed?

Nevermind. I don't care enough about SC.
Well, for anybody else who's wondering, the whole section about generating the keys is right here:
http://www.skullsecurity.org/wiki/index.php/Warden_Packets#Generating_encryption_keys

Read that carefully, and let me know if there's anything confusing in there.

I'm guessing other game clients' implementations are similar or identical to that.

