Rudimentary Warden information

Started by iago, February 28, 2008, 05:07 PM


vector

I guess this thread stopped when warden was last deactivated in chat.

Now each time you log on, you get another random packet ID, instead of just 0x05.

I guess you guys should get back to work on it? What does the outcome look like based on what I've just told you?

Barabajagal

What are you talking about? It's still using 5. There's no other packets until you respond.

Ringo

yep, everything looks as it was before, besides one or two server side changes, but that wouldn't have a noticeable effect:

Warden Data Recv: 37
00000000    00 AC 94 67 4C BF 69 6E D1 35 91 71 EA 13 4D EC       ...gL.in.5.q..M.
00000010    3E 86 96 74 2E 63 90 0E 84 12 95 D4 C9 FA 62 4E       >..t.c........bN
00000020    8C 71 4D 00 00                                        .qM..

Warden Data Sent: 1
00000000    01                                                    .

Warden Data Recv: 17
00000000    05 13 8B A2 E8 1E 09 68 A1 9D 34 7F 96 53 C4 7C       .......h..4..S.|
00000010    94                                                    .

Warden Data Sent: 21
00000000    04 9C 8C EB F5 A1 48 03 EA 59 48 2A 5E 09 D5 7A       ......H..YH*^..z
00000010    4B 5E F8 03 25                                        K^..%

Warden Data Recv: 160
00000000    02 00 74 05 63 1F EA C5 0C 6D BB 41 52 42 BD 93       ..t.c....m.ARB..
00000010    7B E3 67 81 F8 C9 A3 00 56 DF D4 4C 30 00 00 16       {.g.....V..L0...
00000020    50 00 4B E2 41 00 0A 74 DB 09 5F 59 64 BD B1 F1       P.K.A..t.._Yd...
00000030    8D 32 70 C1 77 C3 1D 95 6E 06 0C 10 C5 CE 82 37       .2p.w...n......7
00000040    0C 49 00 00 20 74 DD EC C2 7E FD 23 E9 48 8A B5       .I.. t...~.#.H..
00000050    E0 B4 AF CC 8C 19 D5 F2 69 A6 A2 F2 D4 FB F8 D7       ........i.......
00000060    06 00 30 74 1F B0 BC 11 01 F3 B5 31 AE 6F B3 EF       ..0t.......1.o..
00000070    53 A3 0D 0B 24 37 3A 0D B4 AF B3 73 70 E9 01 00       S...$7:....sp...
00000080    17 74 74 45 DC 80 C2 4A 47 9A F7 7C 71 2F B1 F7       .ttE...JG..|q/..
00000090    CB 79 AF C7 FA DD 1A 7B EF 36 C8 D7 06 00 30 69       .y.....{.6....0i

Warden Data Sent: 23
00000000    02 10 00 05 C4 79 86 00 00 00 10 09 6B 03 08 70       .....y......k..p
00000010    19 E1 30 00 00 00 00                                  ..0....

Warden Data Recv: 160
00000000    02 00 50 00 4B E2 41 00 0A 74 7C 89 27 AA 4E 73       ..P.K.A..t|.'.Ns
00000010    BA DB 7A D8 2F 1B CB C8 6A 61 E2 E5 69 6E 00 E9       ..z./...ja..in..
00000020    57 A3 10 91 00 00 28 74 3D 94 28 CC DD E4 DA AE       W.....(t=.(.....
00000030    F1 19 2E E6 99 5C 8D 49 9E 8B 76 2E E0 F8 28 D8       .....\.I..v...(.
00000040    02 E1 00 00 2A 74 AC 90 0E E1 03 1F F7 10 1C F1       ....*t..........
00000050    85 07 C7 CF 7A 5B ED 1A 33 77 BD 06 22 60 F4 D7       ....z[..3w.."`..
00000060    06 00 30 74 C2 03 36 F5 A9 46 FA 75 A6 71 1B D0       ..0t..6..F.u.q..
00000070    8D 32 A8 85 32 EC 27 06 B2 05 E0 BE 9C FE 01 00       .2..2.'.........
00000080    25 74 0C 6D 8F 6C CE 44 3F 8F 9A 70 7C 77 44 26       %t.m.l.D?..p|wD&
00000090    FD BE CB 3D 54 9A D4 CF DB 1A F8 D4 06 00 30 69       ...=T.........0i

Warden Data Sent: 23
00000000    02 10 00 DD 01 73 AE 00 00 10 09 6B 03 08 70 19       .....s.....k..p.
00000010    E1 30 00 00 00 00 00                                  .0.....

Warden Data Recv: 153
00000000    02 00 74 B4 2D 3C 68 F5 EE 4E 2D 49 53 20 F4 85       ..t.-<h..N-IS ..
00000010    AF A6 11 80 85 1D 9B 75 C2 A9 8D 48 22 06 00 0E       .......u...H"...
00000020    74 45 03 D5 ED 27 96 C2 A2 37 2B 94 F6 9F 5F DF       tE...'...7+..._.
00000030    03 EE EF 40 4E 65 B2 DE FA 98 20 00 00 11 74 EE       ...@Ne.... ...t.
00000040    F4 D4 11 77 5B AE 9C 81 81 74 32 FD FF 35 F0 80       ...w[....t2..5..
00000050    4E F7 E6 8A EA 60 DB C8 D7 06 00 30 74 53 AD 1C       N....`.....0tS..
00000060    57 43 EF E2 92 39 26 D1 B8 72 C4 10 0E 48 29 D5       WC...9&..r...H).
00000070    CC 5B 84 8A 9F B9 32 00 00 24 74 92 A7 E0 2B 44       .[....2..$t...+D
00000080    5E 33 96 9B 4E A4 20 C0 97 09 8C E0 AD A1 84 53       ^3..N. ........S
00000090    47 A3 02 02 E1 00 00 2A 69                            G......*i

Warden Data Sent: 12
00000000    02 05 00 F4 BD 4B 3E 00 00 00 00 00                   .....K>.....

vector

Quote from: Andy on December 02, 2008, 03:37 PM
What are you talking about? It's still using 5. There's no other packets until you respond.
According to the beta of StealthBot, which had warden support implemented before it was broken, every time a SC/BW client logs on, it will say "Unknown Warden ID: 0x**" etc. The ID will change each time you log in.

I'm not sure if this has to do with a different module, or not.

Barabajagal

Don't trust StealthBot to accurately display anything.

vector

So warden is still requesting 0x05, and nothing else, other than the previous IDs?

Odd.

Pyro

You're probably misinterpreting what it's telling you.

Ribose

#277
Quote from: vector on December 02, 2008, 07:28 PM
So warden is still requesting 0x05, and nothing else, other than the previous IDs?

Odd.
Warden still has the same encryption and decryption that it had before (of course, the bot doesn't have any handling for 0x5):
[WARDEN] Recieved Decrypted:
0000   05 1c 7b 7f 7d c5 8c c3  ae e5 b9 b9 25 37 9d 9d    ..{.}Å.îå..%7..
0010   59                                                  Y

[WARDEN] Request ID 0x5
A first chance exception of type 'System.NotSupportedException' occurred...

As Andy says, if you think what StealthBot outputs is correct, you might want to rethink that thought.
~Ribose

Hdx

Quote from: Ribose on December 02, 2008, 08:16 PM
Quote from: vector on December 02, 2008, 07:28 PM
So warden is still requesting 0x05, and nothing else, other than the previous IDs?

Odd.
Warden still has the same encryption and decryption that it had before (of course, the bot doesn't have any handling for 0x5):
[WARDEN] Recieved Decrypted:
0000   05 1c 7b 7f 7d c5 8c c3  ae e5 b9 b9 25 37 9d 9d    ..{.}Å.îå..%7..
0010   59                                                  Y

[WARDEN] Request ID 0x5
A first chance exception of type 'System.NotSupportedException' occurred...

As Andy says, if you think what StealthBot outputs is correct, you might want to rethink thinking.
Since there are no public docs on the new warden modules, SB will be outdated, live with it. Use another product and you'll be good.
.....
Btw, what are you using? The beta or my lame proxy? {prolly my proxy, which again will not be updated until there are public docs}
The reason you're getting random IDs is because my proxy isn't decrypting the warden module correctly after 0x05 as they are using a different system.

Proud host of the JBLS server www.JBLS.org.
JBLS.org Status:
JBLS/BNLS Server Status

vector

The beta. It used to be a constant 0x05, but now the IDs are different each time.

It's really weird.

Hdx

Quote from: Hdx on December 02, 2008, 09:24 PM
The reason you're getting random IDs is because my proxy isn't decrypting the warden module correctly after 0x05 as they are using a different system.


PunK

Okay, now that we have that settled... Has anyone found anything new with warden other than what has already been said?

Ringo

#282
hmm, idk if this helps anyone:
IDAWarden.zip
I've spent the best part of this morning poking around with 56F25CA5BD550B384CC4FA457B438012.mod.
It contains a few files:
56F25CA5BD550B384CC4FA457B438012.mod -> Unprepared, in case I haven't prepared it right.
56F25CA5BD550B384CC4FA457B438012.bin -> Prepared module. (Must load at offset 0x231E80)
56F25CA5BD550B384CC4FA457B438012.c -> Hex-Rays output of the prepared module.
56F25CA5BD550B384CC4FA457B438012.idb -> IDA 5.2 db file of said module.
Maive.mod -> Unprepared default module, extracted from D2Client.dll from the current patch. 0xD1838 is the Maive.mod data, 0x12B2 is the length, 0xD2B00 is the 16-byte encryption key, to decrypt it before you decompress it.
Note: 56F25CA5BD550B384CC4FA457B438012 is a StarCraft warden module, not D2 -- I just extracted Maive from D2Client.dll, since I knew its location.

So far, in 56F25CA5BD550B384CC4FA457B438012 I've identified the following functions:
0x233470 -> ReadBYTE
0x2339B0 -> HandlePacket
0x233D80 -> RAN_GET_BYTES
0x233E90 -> MD5_TRANSFORM_2
0x234830 -> RAN_UPDATE
0x234E90 -> INIT_RAN_DATA
0x235020 -> ReadVOID
0x235060 -> Initialize
0x2350C5 -> MD5_TRANSFORM
0x235BB8 -> RC4_CRYPT
0x235E20 -> SHA1_UPDATE
0x235FC0 -> Read0x14
0x2362FD -> RC4_KEY
0x2367C0 -> SHA1_INIT
0x2391B0 -> Read0x14_2
0x239200 -> HANDLE_0x05
0x2394B9 -> RC4_CRYPT_2
0x239580 -> SHA1_STRING
0x239620 -> SHA1_FINAL
0x2398B0 -> SHA1_TRANSFORM
0x23A2C0 -> INIT_HANDLER_TABLE

I'm pretty sure "INIT_HANDLER_TABLE" loads the function table for the packet handlers; for example, sub_2374C0 looks like it parses 0x02.

The "HANDLE_0x05" I'm pretty sure is what handles 0x05, or at least generates 0x04 and the new encryption keys. It basically parses 0x10 bytes (the 0x05 data), does some stuff with it, then does an MD5, SHA1, encrypts the result with standard RC4, makes a callback to have the packet sent, then generates the 2 new RC4 keys.

As for the "RC4_CRYPT_2" function, I'm really not sure why there's a 2nd version of RC4 in there -- unless I'm misreading it.

In some/most places, things like readWORD and readDWORD are written into the actual function where you would expect them to be called, along with checking for enough bytes.
I'm not sure of most of the above functions though, I just labelled them by what I thought they were doing.
Going by the ones I have labelled, it's pretty easy to figure out what functions are doing, based on the calls to the above functions they make.
I figure, by posting this, if people work on this module, we will all be talking the same language ;)
That is, if *anyone* is working on this.
I personally totally suck at reading asm, but hey, I am trying.
Come on guys, Blizzard has set the playground, let's play! It's fun ;o

Ringo

#283
I'm pretty much finished up with this now.
A guy called easyban gave me a bit of help calling the module functions, so he saved me a fair bit of time -- big thanks to him.
I'm currently able to maintain a stable logon by just using the warden module to handle 0x05, generate 0x04 and return the new RC4 keys.
All the 0x02 requests I'm currently handling myself, but I haven't yet finished reversing the 0x02 handler, so I've sort of fixed it to say "no" to everything, so it's more than possible my test acc may get closed :)
For loading the module and calling its functions, pretty much everything you need is already on iago's wiki (thx iago) in the "module" and "my notes" pages.
Basically, the init function accepts a list of callback function addresses, so the warden module can talk to you about stuff, like the weather.
The Init function returns a pointer to memory. The 1st dword of that block of memory is a pointer, pointing to warden's export functions:
0x00 = generate rc4 from seed (optional -- you can request the rc4 keys by returning 1 to this callback)
0x04 = Unload module.
0x08 = Handle Packet

Also, here's that checksum function no one got around to reversing last time around:

Private Function WardenChecksum(ByRef strBuffer As String) As Long
    ' Five Longs = 20 bytes, exactly one SHA-1 digest
    Dim lngData(4)      As Long
    ' Hash the buffer straight into the Long array (BSHA1 in its SHA1_WARDEN mode)
    Call BSHA1(strBuffer, VarPtr(lngData(0)), 20, SHA1_WARDEN)
    ' Fold the five DWORDs of the digest into a single DWORD with XOR
    WardenChecksum = &H0& Xor lngData(0) _
           Xor lngData(1) Xor lngData(2) _
           Xor lngData(3) Xor lngData(4)
End Function

Basically just:
(BYTE) 0x02
(WORD) Length of buffer
(DWORD) Checksum of buffer
(VOID) Buffer

As for parsing 0x02 and building the responses, I will post that another time maybe; it's getting late (3PM -- I haven't slept yet -.-) and I still have some work to do on it before I'm happy it's 99.9% safe.

Here's a little output:

[15:40:00] Warden Data Recv: 37
00000000    00 52 E8 D4 7F CE 76 63 99 72 1B 93 E7 A9 D1 9E       .R....vc.r......
00000010    64 01 C7 9D 51 1B 82 2E 73 B6 09 B8 2F 34 C1 03       d...Q...s.../4..
00000020    32 A1 4A 00 00                                        2.J..

PrepareModule()
   Allocated 49152 (0xC000) bytes for new module
   Copying code sections to module.
   Adjusting references to global variables...
   Updating API library references..
   Lib: KERNEL32.dll
       Function: MulDiv
       Function: SystemTimeToFileTime
       Function: Sleep
       Function: TlsFree
       Function: TlsGetValue
       Function: TlsSetValue
       Function: RaiseException
       Function: TlsAlloc
       Function: GetProcAddress
       Function: GetModuleHandleA
       Function: GetVersionExA
       Function: GetSystemInfo
       Function: GetTickCount
       Function: VirtualQuery
       Function: QueryDosDeviceA
       Function: CloseHandle
       Function: GetCurrentProcess
       Function: FreeLibrary
       Function: DuplicateHandle
       Function: LoadLibraryA
       Function: GetProcessHeap
       Function: HeapFree
       Function: TerminateProcess
       Function: UnhandledExceptionFilter
       Function: SetUnhandledExceptionFilter
       Function: QueryPerformanceCounter
       Function: GetCurrentThreadId
       Function: GetCurrentProcessId
       Function: GetSystemTimeAsFileTime
       Function: RtlUnwind
   Lib: USER32.dll
       Function: CharUpperBuffA
   Successfully mapped Warden Module to 0x3C80048
InitializeWarden()
   Initialize Function is mapped at 0x3C81950
   Calling Initialize function and passing my callback function table
Warden.AllocateMem() 2020, 0x3C8C050
Warden.AllocateMem() 52, 0x3C73E68
Warden.AllocateMem() 44, 0x3C73EA8
Warden.GetRC4Data() 0x3C8C070/0x208

[15:40:00] Sending
01

[15:40:01] Warden Data Recv: 17
00000000    05 73 31 6F B2 86 CB 35 99 84 BD DB 1D 4E AF 84       .s1o...5.....N..
00000010    0F                                                    .

[15:40:01] Writeing RC4 Keys!
[15:40:01] Mod_Parse()
[15:40:01] Warden.SendPacket() pkt=0x13E9F0, size=21
00000000    26 7D 21 A2 8A 4F 58 D5 9D 9B C1 E3 A3 3E B9 6A       &}!..OX......>.j
00000010    C4 D4 73 1D 13                                        ..s..

[15:40:01] Reading New RC4 Keys!
[15:40:01] OUT KEY:
00000000    AC 66 AA 4E B0 D9 F7 43 7C 26 5F 8B AB 93 20 57       .f.N...C|&_... W
00000010    13 33 47 11 6F 48 73 79 05 84 F4 0E C1 17 24 9D       .3G.oHsy......$.
00000020    B9 87 95 8F 56 65 B2 64 C3 4A 39 76 BF 5B FA C2       ....Ve.d.J9v.[..
00000030    51 6A 4F CC 21 58 7F 15 1E 06 E0 3C 0B 80 5C B8       QjO.!X.....<..\.
00000040    77 41 F2 F8 07 92 34 96 3E 01 9C 42 68 99 5D D4       wA....4.>..Bh.].
00000050    D0 61 02 04 2A FB 0D 89 08 A0 9B 28 86 CB A3 D5       .a..*......(....
00000060    A6 ED 9F 1D F1 70 F5 90 82 74 4D E4 40 5A 3A A8       .....p...tM.@Z:.
00000070    EA 62 69 75 52 0A 59 1B 7B BE DC 8A 4B DB E3 0C       .biuR.Y.{...K...
00000080    9A 83 B4 F3 6D B7 1F 19 DF 8C 8D 38 7A E8 44 A7       ....m......8z.D.
00000090    CD 78 63 00 EC DE 97 3D C0 A4 3F 71 23 D3 B5 A5       .xc....=..?q#...
000000A0    E6 9E 94 E1 C8 C7 5E 1A AF 36 C5 E2 18 22 D1 29       ......^..6...".)
000000B0    12 A2 54 DA EF E7 1C F6 E5 FE 55 85 7D 10 D6 B6       ..T.......U.}...
000000C0    35 2D 31 14 45 C6 6E B1 A9 EE 81 50 7E BA CE 3B       5-1.E.n....P~..;
000000D0    72 C4 A1 E9 FC 4C 2C 16 DD 98 FD BB 46 60 91 AE       r....L,.....F`..
000000E0    FF D8 27 C9 BD 30 D2 25 AD CF 88 CA 03 09 D7 2B       ..'..0.%.......+
000000F0    6C 8E 37 2F 67 BC F9 2E F0 EB 6B 49 0F B3 32 53       l.7/g.....kI..2S
00000100    00 00                                                 ..

[15:40:01] IN KEY:
00000000    B4 07 26 5B 0F 6C 05 50 8F 3B F7 AD 4F 63 FF 48       ..&[.l.P.;..Oc.H
00000010    52 EB C1 6B 7F B2 40 49 F3 A3 38 5E 10 B7 04 EE       [email protected]^....
00000020    C2 4A B0 89 A5 31 93 4B 65 16 A4 22 FB 60 0C 8D       .J...1.Ke..".`..
00000030    AB 11 F5 3C A0 37 81 C9 83 32 79 BA 9F 77 34 43       ...<.7...2y..w4C
00000040    62 02 E1 4C 67 39 36 12 88 E8 61 45 90 0B 66 71       b..Lg96...aE..fq
00000050    75 B1 30 B5 A6 09 FD BF 7E 8B 24 C6 C8 E4 D4 5D       u.0.....~.$....]
00000060    96 06 42 1A 9C 4E AA 15 56 A9 E2 2B CC 8A 19 3F       ..B..N..V..+...?
00000070    03 9A F9 98 55 70 92 B6 44 1C 41 D9 1E 4D E0 72       ....Up..D.A..M.r
00000080    54 69 F6 D3 64 D5 94 CD 99 91 EA 8C B9 D7 7C 3A       Ti..d.........|:
00000090    78 E6 CE 47 2D FA 6D 7B 00 C0 D2 DA 7A A7 CF 2F       x..G-.m{....z../
000000A0    AC CB 51 C7 DC 28 5A 46 B3 1F 14 C5 3D DE 2A BE       ..Q..(ZF....=.*.
000000B0    95 80 D0 18 BD A2 D1 2C AE 0D 73 D6 76 9D 6E 1D       .......,..s.v.n.
000000C0    01 D8 84 74 8E 29 E5 21 23 DF 5F 2E EF ED 3E 9E       ...t.).!#._...>.
000000D0    86 E7 FE 59 BB 0A 57 C4 E3 33 DD B8 85 F8 F2 6F       ...Y..W..3.....o
000000E0    35 A8 58 97 1B 7D 82 FC 17 87 53 EC 13 20 0E 08       5.X..}....S.. ..
000000F0    25 DB C3 5C F4 9B CA E9 F1 BC F0 AF A1 68 6A 27       %..\.........hj'
00000100    00 00                                                 ..


[15:40:06] Warden Data Recv: 181
00000000    02 00 C1 6F C1 29 5A 10 16 C0 B3 4D 5E BA 0F 2F       ...o.)Z....M^../
00000010    00 C5 96 1E 3B AD 09 FE 81 55 F3 60 D0 02 00 0C       ....;....U.`....
00000020    E5 00 30 02 45 00 06 C1 FF A8 CF 43 A5 D6 25 7D       ..0.E......C..%}
00000030    DE 89 0D 49 CF 42 7C D2 F9 5D 9E CA 98 55 78 67       ...I.B|..]...Uxg
00000040    C4 A8 07 00 30 C1 9B 25 91 6D 5E F7 F3 65 1E B0       ....0..%.m^..e..
00000050    08 8D 98 17 8D 0A D0 85 EF 8A 7A C0 41 5B 4C FD       ..........z.A[L.
00000060    01 00 0E E5 00 4B E2 41 00 0A E5 00 3F E2 41 00       .....K.A....?.A.
00000070    09 E5 00 47 32 4A 00 08 C1 0E 24 8E A1 54 96 BB       ...G2J....$..T..
00000080    C6 20 A1 3B D4 0C FF 79 0B DD 7C 6F A1 AD 05 BE       . .;...y..|o....
00000090    32 08 59 00 00 19 C1 65 5A E3 A0 B0 5E C7 3C 27       2.Y....eZ...^.<'
000000A0    D0 2E E6 09 DB 7F C5 61 15 1A A3 BD B3 D2 D3 F4       .......a........
000000B0    D7 06 00 30 AC                                        ...0.

[15:40:06] Parsed A Total Of: 9 Requests
[15:40:06] SENDING:
00000000    02 09 00 69 D8 96 F6 00 01 00 00 01 01 01 00 00       ...i............

[15:40:21] Warden Data Recv: 153
00000000    02 00 C1 09 12 A5 94 E3 6E 65 01 1D 81 26 40 A9       ........ne...&@.
00000010    DD A5 49 28 2E 08 3A 2F 4B 8F F0 60 D0 02 00 0C       ..I(..:/K..`....
00000020    C1 BA 14 86 0E A5 6B AD 04 D9 C3 A5 3A 83 66 F8       ......k.....:.f.
00000030    F1 17 9E 0F A6 4E BA 7E 84 90 21 01 00 32 C1 F5       .....N.~..!..2..
00000040    1A 89 98 91 B2 4F 04 68 4B 76 2A 6A A7 CD D0 FB       .....O.hKv*j....
00000050    CE 2C 00 8F 78 57 51 69 32 00 00 24 C1 71 98 45       .,..xWQi2..$.q.E
00000060    36 C5 4E F6 94 21 FB 16 B6 67 70 F2 DE C3 5C 6B       6.N..!...gp...\k
00000070    14 28 C6 FC 1C 98 20 00 00 11 C1 52 B1 AB 3C B6       .(.... ....R..<.
00000080    73 E8 C0 BD B8 DE 68 15 0A A7 6E B7 A8 41 67 E0       s.....h...n..Ag.
00000090    A2 10 E2 78 C3 00 00 1A AC                            ...x.....

[15:40:21] Parsed A Total Of: 5 Requests
[15:40:21] SENDING:
00000000    02 05 00 F4 BD 4B 3E 00 00 00 00 00                   .....K>.....
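
The checksum function and the 0x02 framing Ringo describes in #283 (BYTE 0x02, WORD length, DWORD checksum, buffer), written out as an added Python example. This is not code from the thread or from any bot; it assumes that SHA1_WARDEN in the BSHA1 call is plain SHA-1 (the five-Long XOR fold only makes sense over a 20-byte digest) and that the Long array is read little-endian, as on the x86 the VB code runs on. The two sample packets are the client replies visible in Ringo's output above; the parser returns whether their checksum field matches the SHA-1 fold, so running it is a direct check of that assumption.

```python
import hashlib
import struct

# Assumption: SHA1_WARDEN in Ringo's BSHA1() call is standard SHA-1. His VB code
# views the 20-byte digest as lngData(0..4) and XORs the five Longs together.
def warden_checksum(buf: bytes) -> int:
    """Return the 32-bit Warden checksum: the SHA-1 digest XOR-folded to one DWORD."""
    digest = hashlib.sha1(buf).digest()
    words = struct.unpack("<5I", digest)   # same view as a VB Long array on x86
    result = 0
    for w in words:
        result ^= w
    return result


def build_0x02(payload: bytes) -> bytes:
    """Frame a client 0x02 packet: BYTE id, WORD length, DWORD checksum, payload."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload does not fit the WORD length field")
    header = struct.pack("<BHI", 0x02, len(payload), warden_checksum(payload))
    return header + payload


def parse_0x02(pkt: bytes):
    """Split a 0x02 packet into (payload, checksum_ok); reject short or truncated input."""
    if len(pkt) < 7 or pkt[0] != 0x02:
        raise ValueError("not a 0x02 packet")
    length, checksum = struct.unpack_from("<HI", pkt, 1)
    payload = pkt[7:7 + length]
    if len(payload) != length:
        raise ValueError("truncated: header promises %d bytes, got %d" % (length, len(payload)))
    return payload, checksum == warden_checksum(payload)


# The two client replies from Ringo's output above (9 results, then 5 results).
CAPTURED_9 = bytes.fromhex("02090069D896F6000100000101010000")
CAPTURED_5 = bytes.fromhex("020500F4BD4B3E0000000000")

if __name__ == "__main__":
    for pkt in (CAPTURED_9, CAPTURED_5):
        payload, ok = parse_0x02(pkt)
        print("%d results: %s  checksum matches SHA-1 fold: %s" % (len(payload), payload.hex(), ok))
    # Rebuild the 5-result reply from its payload and compare with the capture.
    print("rebuilt:", build_0x02(bytes(5)).hex())
```

If the rebuilt packet differs from the capture only in the checksum DWORD, the SHA-1 assumption is wrong and the BSHA1 SHA1_WARDEN mode is something other than standard SHA-1; the framing itself does not depend on that assumption. Note that because the fold is byte-wise XOR of the five 4-byte chunks, the same bytes come out whether the digest is read as little- or big-endian DWORDs, as long as the result is written in the same order it was read.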


Barabajagal

So... you're using the warden modules to do the dirty work, just not the actual memory checks? I guess that's pretty close to what I had hoped for.
