
Rudimentary Warden information

Started by iago, February 28, 2008, 05:07 PM


MysT_DooM

furthermore on reading from the exe and not hardcoding em in as ringo has done, makes ur client, for bnls purposes, not truly hashless, which makes it more confusing for the end user (most of em) and ur prog, for sc purposes, would be dependent on those hash files. not important though, but to some it may be. But i always did wonder why u made it like the way u did and have everybody dependent on the exe. negative points for ringo enlightening you!


vb6, something about that combination of numbers and letters is sexy

Barabajagal

I don't like BNLS or JBLS much, really. I think local hashing is the best way to do things, and since my bot downloads hash files off my site, it's easy for the end user, too.

Dale

#182
Personally I think what Andy did was fantastic, and he's brought up good points on here, instead of bitching him out about shit, why don't you shut the fuck up. You don't have to use his god damn library if you don't want to, no one is forcing you to. Personally, I could handle warden myself if I went back on this thread and read more about it however I'd probably use his library instead of researching the shit myself, to save time and error.

Warrior

Quote from: Andy on August 07, 2008, 04:46 PM
Wow... I really hope you're not being sarcastic, because that was really nice of you...

I guess you caught me in a good mood, I'll be more inflammatory later :P.
Seriously though, yeah, I based a lot of the Warden code in my C# client off of the method you used to handle the module.
Quote from: effect on March 09, 2006, 11:52 PM
Islam is a steaming pile of fucking dog shit. Everything about it is flawed, anybody who believes in it is a terrorist, if you disagree with me, then im sorry your wrong.

Quote from: Rule on May 07, 2006, 01:30 PM
Why don't you stop being American and start acting like a decent human?

Ringo

Why do these things always end in a flame fest?
I'm just pointing out, the only option for people using VB6 is to port iago's code or to use ripple's code with dll dependencies.
Thought I would slap up some example code to give people another option, keeping it fairly clean and simple, not starting arguments...
Please forgive me for trying to keep on-topic :-\

Barabajagal

#185
My code is a port of iago's code. The dependencies are just calls to common functions like StandardSHA (and uncompress if you want to extract the modules themselves), which can easily be replaced.

Warrior

Quote from: Andy on August 12, 2008, 07:43 PM
My code is a port of iago's code. The dependencies are just calls to common functions like StandardSHA (and uncompress if you want to extract the modules themselves), which can easily be replaced.


If you're responding to me, I said "the code you use to handle the module" which is limited to 0x02 handling.

Barabajagal

#187
If I don't quote, it tends to mean I'm responding to the post above me.




I've updated the dll to make it a bit easier:
# Starcraft.exe is no longer used, so StartWarden requires only the KeyHash (first 4 bytes minimum).
# RSHA.dll is no longer used. Added SHA1 hashing into the DLL itself.
# If you pass HandleWarden the full packet, starting with FF 5E, it will trim off the first 4 bytes.
# The dll has been UPX'd, so it's now 12.5 KB.

Download: http://realityripple.com/files/?file=RW

Use:
1) Add Warden.dll to your References.
2) Dim cWarden as New clsWarden at the top of whatever module/class/etc you're using for BNCS handling.
3) In 0x51 handling, add:
cWarden.StartWarden KeyHash
Replace KeyHash with at least the first 4 characters of your CDKey hash (you can send the whole thing if you want).
4) in 0x5E handling, add something like the following:

Dim sData As String
Dim sRet  As String
  wsBNet.GetData sData
  If Left$(sData, 2) = Chr$(&HFF) & Chr$(&H5E) Then
    sRet = cWarden.HandleWarden(sData)
    If LenB(sRet) > 0 Then
      wsBNet.SendData Chr$(&HFF) & Chr$(&H5E) & MakeWord(Len(sRet)+4) & sRet
    End If
  End If


Tested and working.
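
An added example (not part of the post above, and not code from any poster in this thread): the FF 5E framing that the VB6 snippet builds and trims, written as a stream reassembler that copes with a socket read containing a partial packet or several packets. The little-endian length word and the names `build_packet` and `PacketStream` are assumptions; the sample payload is one of the 17-byte 0x05 requests quoted later in the thread, framed here only for illustration.

```python
import struct

BNCS_MAGIC = 0xFF   # first byte of the packet header (FF 5E in the post)
SID_WARDEN = 0x5E   # packet ID carrying Warden data in this thread
HEADER_LEN = 4      # magic + id + 2-byte length: the "+4" in the VB6 snippet

# One of the 0x05 requests quoted later in the thread (1 command byte + 16 bytes).
SAMPLE_PAYLOAD = bytes.fromhex("05 8B 42 F8 D4 A9 4A 36 24 BE 99 6C 09 7E 83 88 58")


def build_packet(packet_id: int, payload: bytes) -> bytes:
    """Frame a payload as FF, id, total length (header included), payload."""
    total = HEADER_LEN + len(payload)
    if total > 0xFFFF:
        raise ValueError("payload too large for a 16-bit length field")
    # Assumption: the length word is little-endian.
    return struct.pack("<BBH", BNCS_MAGIC, packet_id, total) + payload


class PacketStream:
    """Reassembles framed packets from a TCP byte stream."""

    def __init__(self):
        self._buf = bytearray()

    def feed(self, data: bytes):
        """Add received bytes; return every complete (id, payload) pair."""
        self._buf += data
        packets = []
        while len(self._buf) >= HEADER_LEN:
            magic, pid, total = struct.unpack_from("<BBH", self._buf)
            if magic != BNCS_MAGIC or total < HEADER_LEN:
                # A bad header means the stream is out of sync; do not guess.
                raise ValueError("bad packet header")
            if len(self._buf) < total:
                break  # partial packet: wait for the next read
            packets.append((pid, bytes(self._buf[HEADER_LEN:total])))
            del self._buf[:total]
        return packets


if __name__ == "__main__":
    wire = build_packet(SID_WARDEN, SAMPLE_PAYLOAD)
    stream = PacketStream()
    print(stream.feed(wire[:10]))         # partial read: nothing complete yet
    print(stream.feed(wire[10:] + wire))  # remainder plus a second packet
```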

Barabajagal

#188
Warden for SC came back today with a new packet: 0x05.

Here's some examples:

05 8B 42 F8 D4 A9 4A 36 24 BE 99 6C 09 7E 83 88 58

05 41 C8 03 88 C2 54 38 95 06 02 43 65 21 7B 5D 98

05 43 DE 7E AE 14 8C 48 72 71 76 2F 8A 6E 1C AA EA

05 5A 12 F1 4C 97 3B DD C5 C6 F5 EF 91 C9 64 AC 45

Here's a new module (seems to be the same on all gateways [not verified]): http://realityripple.com/Uploads/56F25CA5BD550B384CC4FA457B438012.mod

Any idea what it's requesting?

brew

My guess is an MD5 of something. The responses are 16 bytes + the 1 byte command identifier.
<3 Zorm
Quote[01:08:05 AM] <@Zorm> haha, me get pussy? don't kid yourself quik
Scio te esse, sed quid sumne? :P

Barabajagal

So the requests and the responses are the same size... that sounds more like it's another encryption, not a hash.

brew

#191
Quote from: Andy on November 04, 2008, 02:40 PM
So the requests and the responses are the same size... that sounds more like it's another encryption, not a hash.

Oh, my bad. I thought those were the responses for some reason. ACK!!!! I hope it's just a xor cipher.
Are those the only three requests? Did you log any responses? The responses, at this point, are 20x as important as what you're getting. Also, it'd be a lot nicer if you decrypted the module ....

Barabajagal

#192
If I decrypted the module, I couldn't MD5 it to make sure it was the right one... And I'm too lazy to write and implement a decrypter for it anyway.

No, those are not the only requests, as I said, they appeared to be random.

No, I didn't grab any responses.

I'm working on NLS for VB6 right now, I just thought I'd post this so other people could work on it if they wanted. I've already got my hands full of endians and N.add(B).subtract(v).mod(N).

brew

#193
Here's the decrypted module:

http://darkblizz.org/brew/module.mod

I seriously feel that I just wasted 30 minutes of my life.

My initial analysis so far is....

• There's some kind of SHA1 init at 00001D46h
• 00000116h seems to be some major part of the module, it's littered with calls to a lot of different small odd comparison functions
• 000047E6h looks interesting
• I have to define all the code chunks myself. Thanks, IDA.

and about the requests...
there's really, only one thing I can think of that's 16 bytes long and encrypted: 3 addresses with a 1 byte length specifier, and an end byte like the one present in command 2 packets. So far I haven't seen a response either.

Racial

you guys are cool.....
[5:35:01 PM] Unknown Warden Packet: D78CC9BB96E81CF77C955AC23ED9870E1D
[5:35:11 PM] Unknown Warden Packet: 402F6FF68DB1F319B4429D4A0E2F7A456A
[5:35:31 PM] Unknown Warden Packet: 3E2FD92A4BD9AF010A8CA54B87A13077A3
[5:35:51 PM] Unknown Warden Packet: FE1FF86E7873800A48F7844165EE7E869A
[5:36:01 PM] Unknown Warden Packet: 1F2FBED782D1701637B2F7BA95CE00E7E7
[5:38:37 PM] Unknown Warden Packet: E18D50E2F0E263C1B85905144F619A0ADC
[5:38:52 PM] Unknown Warden Packet: 00D187A22036226151F6FC53985A036FE6
[5:39:02 PM] Unknown Warden Packet: 1B063809449A2AAA6EDBD3D51FA11259B3
[5:39:12 PM] Unknown Warden Packet: 296329D40D865C1190F04EC6BAD7712468
[5:39:42 PM] Unknown Warden Packet: E2FDB8D8A2370E047C37380D699725734A
is what i currently got from using andy's old warden module, i think these bytes/data are randomized and have to be decoded in an algorithm or something then sent back correctly. Correct me if i'm wrong but that's my theory.

edit: what do i use to open the .mod files? which program?
