Rudimentary Warden information

Started by iago, February 28, 2008, 05:07 PM


UserLoser

#45
Hmm, reading this thread has made me reopen my nearly five-year-old project... ;)

Great job to Ringo and iago (sorry if I'm missing anyone here)... 8) You guys really have taken over the pioneering of Battle.net now, it seems, for the most part.
for now

;)

Barabajagal

Quote from: Ringo on March 06, 2008, 09:49 AM
Quote from: Andy on March 06, 2008, 03:24 AM
Your own code says otherwise...
        If bRE Then
            S = S & A & String(4, 0) & StrReverse(MakeDWORD((Len(S) * 8)))
        Else
            S = S & A & MakeDWORD((Len(S) * 8)) & String(4, 0)
        End If

Yeah, that is the 8-byte (64-bit) int; I just managed it in one DWORD rather than calculating it as a low/high word, since you would need over 200mb dropped into SHA1 for the other word to come into play.
But what I said was that it was reversed for Lockdown....

Hope your account doesn't get banned later on for sending null checksums...

iago

Quote from: Andy on March 06, 2008, 01:09 PM
Hope your account doesn't get banned later on for sending null checksums...
His key might, if they ever bother doing a round of Starcraft bans, but Starcraft keys are cheap and plentiful. :)
This'll make an interesting test for broken AV:
Quote: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Barabajagal

#48
Okay... I think I got my Encryption Key code converted to VB, but I don't know if it's right, nor how to use it :(

Private Declare Function WardenSHA Lib "RSHA.dll" (sVal As String) As String
Private Type BARR
    Ary()           As Byte
End Type
Dim Position        As Long
Dim RandomData()    As Byte
Dim RandomSource1() As Byte
Dim RandomSource2() As Byte
Private Sub Update()
    RandomData = StrToByteArray(WardenSHA(ByteArrayToStr(RandomSource1) & ByteArrayToStr(RandomData) & ByteArrayToStr(RandomSource2))).Ary
End Sub
Public Sub Initialize(Seed As String)
Dim Length1 As Long
Dim Length2 As Long
Dim Seed1() As Byte
Dim Seed2() As Byte
Dim I       As Long
    Length1 = RShift(Len(Seed), 1)
    Length2 = Len(Seed) - Length1
    ReDim Seed1(Length1)
    ReDim Seed2(Length2)
    For I = 0 To Length1 - 1
        Seed1(I) = Asc(Mid$(Seed, I + 1, 1))
    Next I
    For I = 0 To Length2 - 1
        Seed2(I) = Asc(Mid$(Seed, I + Length1 + 1, 1))
    Next I
    ReDim RandomData(&H14) As Byte
    RandomSource1 = StrToByteArray(WardenSHA(ByteArrayToStr(Seed1))).Ary
    RandomSource2 = StrToByteArray(WardenSHA(ByteArrayToStr(Seed2))).Ary
    Update
    Position = 0
End Sub
Private Function GetByte()
    GetByte = RandomData(Position)
    Position = Position + 1
    If Position > &H14 Then
        Position = 0
        Update
    End If
End Function
Public Function GetBytes(ByVal Bytes As Long) As String
Dim I           As Integer
Dim Buffer()    As Byte
    ReDim Buffer(Bytes) As Byte
    For I = 0 To Bytes
        Buffer(I) = GetByte
    Next I
    GetBytes = ByteArrayToStr(Buffer)
End Function
Private Function StrToByteArray(ByVal sStr As String) As BARR
Dim I As Integer
    ReDim StrToByteArray.Ary(Len(sStr) - 1) As Byte
    For I = 1 To Len(sStr)
        StrToByteArray.Ary(I - 1) = Asc(Mid$(sStr, I, 1))
    Next I
End Function
Private Function ByteArrayToStr(ByRef bByt() As Byte) As String
Dim sStr As String
Dim I    As Integer
    For I = 1 To UBound(bByt) + 1
        sStr = sStr & Chr$(bByt(I - 1))
    Next I
    ByteArrayToStr = sStr
End Function

(Yes, I know it was a dirty hack to pass a byte array as a function return, but it was the only way to make my code look elegant and not use more variables...)

Anyway, is it correct, and how do I use it? I'm still confused as to the seed... It's just the first 4 bytes of the CDKey Hash? And then what? By which I mean, how are the two keys generated? XOR encryption of what value, using what value as a key?  Or was the CDKey Hash the XOR key and the seed something else?

I'm feeling pretty lost...

brew

#49
* brew facepalm.jpgs

Andy: The seed is the first dword of the cdkey hash.
I don't get what's so hard to understand...

http://www.skullsecurity.org/wiki/index.php/Key_Generation_in_C


/* Excerpt of the example on the linked page: t_random_data,
   random_data_initialize, random_data_get_bytes and print_buffer are
   defined there, and FirstDwordOfKeyHash stands in for the seed value. */
int main(int argc, char **argv)
{
    unsigned long seed = FirstDwordOfKeyHash;
    t_random_data source;
    char buffer[0x100];

    random_data_initialize(&source, &seed, 4);   /* seed = the 4 bytes of the first DWORD */
    random_data_get_bytes(&source, buffer, 0x100);
    print_buffer(buffer, 0x100);

    return 0;
}


EDIT**
I just wanted to comment that the Blizzard programmers are so newb :)
Note how 0x400000 doesn't necessarily have to be the base of starcraft.exe.
The more professional thing to do would be to supply the RVA of the contents to get... the raw data. Raw, plain, pure binary code meant to be executed. They hash everything else, so why not that? If they did, this would be so much more interesting. Perhaps with their own SHA1 - Hippie edition too. What they do just doesn't make sense sometimes. I guess they just felt like getting lazy, especially after putting oh-so-much hard work into the encryption. Ringo and I were able to find what it was by comparing the responses with the associated addresses' contents. Nothing more at all.
<3 Zorm
Quote: [01:08:05 AM] <@Zorm> haha, me get pussy? don't kid yourself quik
Scio te esse, sed quid sumne? :P

Barabajagal

That's part of what I asked... all you had to say was "yes". Now how about the other part... what comes next?

iago

I explained it pretty clearly in this section:
http://www.skullsecurity.org/wiki/index.php/Warden_Packets#Generating_encryption_keys

The key for outgoing packets is the first two bytes of the CDKey hash, run through the generate_key() function.

The key for incoming packets is the next two bytes of the CDKey hash, run through the generate_key() function.

brew

rtfm.

You would be lost if iago had never released his code, you know that?
And what happened to "I don't care about Warden."? 'Cause you obviously do.

Barabajagal

#53
I've got nothing better to do... I'm waiting for my replacement video card to arrive....
And I am pretty lost... I'm not a reverse engineer, nor do I enjoy working with proprietary systems. The only reason I ever started working on Battle.net bots was so I could have something useful to chat on. I have no real interest in the system; that's not why I'm here.

And as clearly as it may be explained, I'm afraid I still don't understand. Especially when one part says use 0x10 bytes and another says 0x100...

Edit: Ah... I guess my "Warden SHA" function, which switches the endianness of the DWORDs, was useless... So my final, and working, code for generating the encryption key is:
Private Declare Function StandardSHA Lib "RSHA.dll" (sVal As String) As String
Private Type BARR
    Ary()           As Byte
End Type
Dim Position        As Long
Dim RandomData()    As Byte     ' &H14 bytes: the current SHA-1 output
Dim RandomSource1() As Byte     ' SHA-1 of the first half of the seed
Dim RandomSource2() As Byte     ' SHA-1 of the second half of the seed
Public Sub Initialize(Seed As String)
Dim Length1 As Long
Dim Length2 As Long
Dim Seed1() As Byte
Dim Seed2() As Byte
Dim I       As Long
    Length1 = Len(Seed) \ 2             ' same as shifting the length right by 1
    Length2 = Len(Seed) - Length1
    ReDim Seed1(Length1 - 1)
    ReDim Seed2(Length2 - 1)
    For I = 0 To Length1 - 1
        Seed1(I) = Asc(Mid$(Seed, I + 1, 1))
    Next I
    For I = 0 To Length2 - 1
        Seed2(I) = Asc(Mid$(Seed, I + Length1 + 1, 1))
    Next I
    ReDim RandomData(&H13) As Byte      ' &H14 zero bytes go into the first Update
    RandomSource1 = StrToByteArray(StandardSHA(ByteArrayToStr(Seed1))).Ary
    RandomSource2 = StrToByteArray(StandardSHA(ByteArrayToStr(Seed2))).Ary
    Update
    Position = 0
End Sub
Private Sub Update()
    ' RandomData = SHA1(RandomSource1 & RandomData & RandomSource2)
    RandomData = StrToByteArray(StandardSHA(ByteArrayToStr(RandomSource1) & ByteArrayToStr(RandomData) & ByteArrayToStr(RandomSource2))).Ary
End Sub
Private Function GetByte() As Byte
    GetByte = RandomData(Position)
    Position = Position + 1
    If Position >= &H14 Then            ' refresh only after all &H14 digest bytes are used
        Position = 0
        Update
    End If
End Function
Public Function GetBytes(ByVal Bytes As Long) As String
Dim I           As Long
Dim Buffer()    As Byte
    ReDim Buffer(Bytes - 1) As Byte     ' exactly Bytes elements, indices 0 To Bytes - 1
    For I = 0 To Bytes - 1
        Buffer(I) = GetByte
    Next I
    GetBytes = ByteArrayToStr(Buffer)
End Function
Private Function StrToByteArray(ByVal sStr As String) As BARR
Dim I As Long
    ReDim StrToByteArray.Ary(Len(sStr) - 1) As Byte
    For I = 1 To Len(sStr)
        StrToByteArray.Ary(I - 1) = Asc(Mid$(sStr, I, 1))
    Next I
End Function
Private Function ByteArrayToStr(ByRef bByt() As Byte) As String
Dim sStr As String
Dim I    As Long
    ' Bytes round-trip through an ANSI string here; the DLL takes a String.
    For I = 1 To UBound(bByt) + 1
        sStr = sStr & Chr$(bByt(I - 1))
    Next I
    ByteArrayToStr = sStr
End Function

And it seems to work just dandy...

Now on to creating the outgoing and incoming keys...

Eh... problems with RC4 stuff... I'll deal with it later... Sorry for sounding dense and stupid, I think my head cold's getting to my ability to read -.- .
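
An added example, not code from this thread or from iago's page: a Python port of the SHA-1 generator that Barabajagal ports to VB above, plus the key split iago gives (the first 0x10 bytes of generator output key the outgoing stream, the next 0x10 the incoming one) and a plain RC4 so the "RC4 stuff" can be exercised end to end. The seed is the first four bytes of the CD-key hash in memory order, as in brew's C snippet; the hash value used is a constructed stand-in, and standard RC4 with no key-stream discard is an assumption about how the keys are consumed.

```python
import hashlib


class RandomData:
    """The SHA-1 driven generator from the thread: state is refreshed as
    SHA1(source1 || data || source2) and handed out one byte at a time."""

    DIGEST_LEN = 0x14  # a SHA-1 digest is 20 bytes; every one of them is used

    def __init__(self, seed: bytes) -> None:
        half = len(seed) >> 1            # Length1 = Len(Seed) >> 1, Length2 = the rest
        self.source1 = hashlib.sha1(seed[:half]).digest()
        self.source2 = hashlib.sha1(seed[half:]).digest()
        self.data = bytes(self.DIGEST_LEN)  # zero-filled before the first refresh
        self.position = 0
        self._update()

    def _update(self) -> None:
        self.data = hashlib.sha1(self.source1 + self.data + self.source2).digest()

    def get_byte(self) -> int:
        value = self.data[self.position]
        self.position += 1
        if self.position >= self.DIGEST_LEN:   # refresh only once byte 0x13 is consumed
            self.position = 0
            self._update()
        return value

    def get_bytes(self, count: int) -> bytes:
        return bytes(self.get_byte() for _ in range(count))


class RC4:
    """Plain RC4 (key schedule + PRGA), no key-stream discard (assumption)."""

    def __init__(self, key: bytes) -> None:
        s = list(range(256))
        j = 0
        for i in range(256):
            j = (j + s[i] + key[i % len(key)]) & 0xFF
            s[i], s[j] = s[j], s[i]
        self.s, self.i, self.j = s, 0, 0

    def crypt(self, data: bytes) -> bytes:
        """Encrypts or decrypts (RC4 is symmetric); stream position persists across calls."""
        s, out = self.s, bytearray()
        for byte in data:
            self.i = (self.i + 1) & 0xFF
            self.j = (self.j + s[self.i]) & 0xFF
            s[self.i], s[self.j] = s[self.j], s[self.i]
            out.append(byte ^ s[(s[self.i] + s[self.j]) & 0xFF])
        return bytes(out)


def derive_warden_keys(cdkey_hash: bytes):
    """Seed the generator with the first DWORD (4 bytes, memory order) of the
    CD-key hash and take 0x20 bytes: the first 0x10 key the client's outgoing
    (C>S) stream, the next 0x10 the incoming (S>C) stream."""
    if len(cdkey_hash) < 4:
        raise ValueError("need at least the first DWORD of the CD-key hash")
    rng = RandomData(cdkey_hash[:4])
    outgoing = rng.get_bytes(0x10)
    incoming = rng.get_bytes(0x10)
    return outgoing, incoming


def round_trip(cdkey_hash: bytes, packet: bytes) -> bool:
    """Client encrypts with its outgoing key; the server, having derived the
    same pair from the same hash, decrypts C>S traffic with that same key."""
    out_key, _in_key = derive_warden_keys(cdkey_hash)
    client, server = RC4(out_key), RC4(out_key)
    return server.crypt(client.crypt(packet)) == packet


if __name__ == "__main__":
    # Constructed stand-in for a CD-key hash (not a real one): 20 ascending bytes.
    FAKE_HASH = bytes(range(0x10, 0x24))
    c2s, s2c = derive_warden_keys(FAKE_HASH)
    print("outgoing key:", c2s.hex())
    print("incoming key:", s2c.hex())
    print("round trip ok:", round_trip(FAKE_HASH, bytes.fromhex("02 1d 00 00 00 00 00")))
```

The one detail worth checking against any port is the refresh point: the generator must hand out all 0x14 bytes of a digest before rehashing, otherwise the 0x20 key bytes drift after the 19th byte and the incoming key is wrong even though the outgoing one looks plausible.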

iago

if anybody wants the .idb file I've been working on, let me know privately and I'll send it to you. I have a lot of notes on it, and I have the default module and a downloaded module loaded into it.

I'm not comfortable with posting it publicly, but I also don't mind sharing it with anybody who wants it.

Hdx

#55
Just a quick note:
You said the 2nd field was the length right?
[06:56:26] 0x02 Request: 2
    Command: 0x004E, Address: 0x0049C33D, Length: 7
    Command: 0x004E, Address: 0x004A2FF7, Length: 8
    Command: 0x004E, Address: 0x00497FB0, Length: 14
02 20 00 00 00 00 00 00 83 00 00 00 8B 55 08 00
A3 68 CC 59 00 E8 DF 23 00 84 5E 0C 74 05 E8 F6
54 F9 FF 8B 76 04 85

14+8+7 = 29 (0x1d), not 32 (0x20)

Anyways
Command: 0x00f5, Address: 0x0049c33d, Length: 7
Command: 0x00f5, Address: 0x004a2ff7, Length: 8
Command: 0x00f5, Address: 0x00497fb0, Length: 14
02 1d 00 00 00 00 00 83 00 00 00 8b 55 08 a3 68         ............U..h
cc 59 00 e8 df 23 84 5e 0c 74 05 e8 f6 54 f9 ff         .Y...#.^.t...T..
8b 76 04 85                                             .v..
Length: 36

Command: 0x00f5, Address: 0x00497fb0, Length: 14
Command: 0x00f5, Address: 0x004a2ff7, Length: 8
Command: 0x00f5, Address: 0x0049c33d, Length: 7
02 1d 00 00 00 00 00 84 5e 0c 74 05 e8 f6 54 f9         ........^.t...T.
ff 8b 76 04 85 a3 68 cc 59 00 e8 df 23 83 00 00         ..v...h.Y...#...
00 8b 55 08                                             ..U.
Length: 36
My bot
Problem is... it must be wrong [I guess a different module],
as I am still getting disconnected after 2 mins.

Anyone know an easy way to load the uncompressed modules into IDA?

Proud host of the JBLS server www.JBLS.org.

Ringo

#56
Quote from: Hdx on March 07, 2008, 01:31 AM
Just a quick note:
You said the 2nd field was the length right?
[06:56:26] 0x02 Request: 2
    Command: 0x004E, Address: 0x0049C33D, Length: 7
    Command: 0x004E, Address: 0x004A2FF7, Length: 8
    Command: 0x004E, Address: 0x00497FB0, Length: 14
02 20 00 00 00 00 00 00 83 00 00 00 8B 55 08 00
A3 68 CC 59 00 E8 DF 23 00 84 5E 0C 74 05 E8 F6
54 F9 FF 8B 76 04 85

14+8+7 = 29 (0x1d), not 32 (0x20)

Anyways
Command: 0x00f5, Address: 0x0049c33d, Length: 7
Command: 0x00f5, Address: 0x004a2ff7, Length: 8
Command: 0x00f5, Address: 0x00497fb0, Length: 14
02 1d 00 00 00 00 00 83 00 00 00 8b 55 08 a3 68         ............U..h
cc 59 00 e8 df 23 84 5e 0c 74 05 e8 f6 54 f9 ff         .Y...#.^.t...T..
8b 76 04 85                                             .v..
Length: 36

Command: 0x00f5, Address: 0x00497fb0, Length: 14
Command: 0x00f5, Address: 0x004a2ff7, Length: 8
Command: 0x00f5, Address: 0x0049c33d, Length: 7
02 1d 00 00 00 00 00 84 5e 0c 74 05 e8 f6 54 f9         ........^.t...T.
ff 8b 76 04 85 a3 68 cc 59 00 e8 df 23 83 00 00         ..v...h.Y...#...
00 8b 55 08                                             ..U.
Length: 36
My bot
Problem is... it must be wrong [I guess a different module],
as I am still getting disconnected after 2 mins.

Anyone know an easy way to load the uncompressed modules into IDA?
Uh, yeah, you might have caught it in the middle of a post edit (I just updated the spec a little) :P
The (WORD) Length is the length of the payload (excluding the 7-byte header ID/Len/Checksum).
The only thing I can see wrong (at a glance) is you're not putting a null byte before each memory blob. (See below.)
Quote:
And for building/sending back the response:

(BYTE)  0x02 - Packet ID
(WORD)  Length of message (excluding this header of 7 bytes -- ID/Len/Checksum)
(DWORD) Checksum of the send buffer

For each memory request:
    (BYTE)  0x00  Not sure what this is, seems constant
    (VOID)  Chunk of memory from requested address/length
end


[EDIT] After the header of S<>C 0x02s, the buffer can be anything, depending on the Warden module at hand.
      The end byte of S>C 0x02 seems to be present on all Wardens (SC/BW/D2 at least).

Ah, also something I noticed today: if you put the checksum as 0, you will drop after 2 min, but requests will continue up until you get disconnected.
Give me a min and I will post some hard-coded checksums.
Afaik, the checksum (in C>S 0x02) is a constant thing for Warden.

Hdx

Ah ya, I forgot the null byte.
That's fixed and the length is now 0x20 :P
Still getting disconnected as you noticed, but hey, *pores over a log of SC* there are only 9 checksums [I would assume as it's the same 3 sets of data in different orders, [3*3]].
So I can just brute that. But ya, I'm still interested in finding a way to actually look at the mod in IDA.


Ringo


Address order                        Checksum
0x00497FB0, 0x0049C33D, 0x004A2FF7  = 0x193E73E8
0x0049C33D, 0x00497FB0, 0x004A2FF7  = 0xD6557DEF
0x00497FB0, 0x004A2FF7, 0x0049C33D  = 0x2183172A
0x0049C33D, 0x004A2FF7, 0x00497FB0  = 0xCA841860
0x004A2FF7, 0x0049C33D, 0x00497FB0  = 0x9F2AD2C3
0x004A2FF7, 0x00497FB0, 0x0049C33D  = 0xC04CF757
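
An added example, not Hdx's bot code or anything Ringo posted, that puts Ringo's C>S 0x02 layout and his checksum table together in Python: it rebuilds the response from the three memory chunks in Hdx's client capture, parses one back, and flags the missing-null-byte mistake that produced the 0x1d length. Assumptions: the table rows are keyed by the order the addresses were requested in, the checksum's derivation is unknown here (the values are used as posted, for that module only), and the WORD/DWORD header fields are little-endian like the dumps.

```python
import struct

HEADER_LEN = 7  # (BYTE) 0x02, (WORD) payload length, (DWORD) checksum

# Memory chunks as they appear in Hdx's client capture (address -> bytes read).
CHUNKS = {
    0x0049C33D: bytes.fromhex("83 00 00 00 8B 55 08"),
    0x004A2FF7: bytes.fromhex("A3 68 CC 59 00 E8 DF 23"),
    0x00497FB0: bytes.fromhex("84 5E 0C 74 05 E8 F6 54 F9 FF 8B 76 04 85"),
}

# Checksums Ringo posted for this module, keyed by address order (assumed to be
# the request order; the thread does not say how they are computed).
RINGO_CHECKSUMS = {
    (0x00497FB0, 0x0049C33D, 0x004A2FF7): 0x193E73E8,
    (0x0049C33D, 0x00497FB0, 0x004A2FF7): 0xD6557DEF,
    (0x00497FB0, 0x004A2FF7, 0x0049C33D): 0x2183172A,
    (0x0049C33D, 0x004A2FF7, 0x00497FB0): 0xCA841860,
    (0x004A2FF7, 0x0049C33D, 0x00497FB0): 0x9F2AD2C3,
    (0x004A2FF7, 0x00497FB0, 0x0049C33D): 0xC04CF757,
}

# Hdx's first bot attempt from the thread: no null byte before each blob, so 0x1d bytes.
HDX_BOT_PACKET = bytes.fromhex(
    "02 1d 00 00 00 00 00 83 00 00 00 8b 55 08 a3 68 "
    "cc 59 00 e8 df 23 84 5e 0c 74 05 e8 f6 54 f9 ff "
    "8b 76 04 85"
)


def build_response(chunks, checksum: int) -> bytes:
    """C>S 0x02: 7-byte header, then 0x00 + chunk for every request, in request order."""
    payload = b"".join(b"\x00" + chunk for chunk in chunks)
    if len(payload) > 0xFFFF:
        raise ValueError("payload does not fit the WORD length field")
    return struct.pack("<BHI", 0x02, len(payload), checksum & 0xFFFFFFFF) + payload


def response_for(order) -> bytes:
    """Build the response for a given address order using Ringo's posted checksum."""
    return build_response([CHUNKS[addr] for addr in order], RINGO_CHECKSUMS[order])


def parse_response(packet: bytes, lengths):
    """Split a C>S 0x02 into (checksum, chunks) given the requested lengths.
    Raises ValueError on the mistakes discussed in the thread."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than the 7-byte header")
    pid, length, checksum = struct.unpack_from("<BHI", packet)
    if pid != 0x02:
        raise ValueError(f"packet id {pid:#04x} is not 0x02")
    if length != len(packet) - HEADER_LEN:
        raise ValueError(f"length field {length:#x} != actual payload {len(packet) - HEADER_LEN:#x}")
    expected = sum(1 + n for n in lengths)  # one null byte in front of each blob
    if length != expected:
        raise ValueError(f"payload is {length:#x} bytes, expected {expected:#x}: "
                         "null byte before each blob missing?")
    chunks, pos = [], HEADER_LEN
    for n in lengths:
        if packet[pos] != 0x00:
            raise ValueError(f"expected 0x00 before blob at offset {pos}")
        chunks.append(packet[pos + 1:pos + 1 + n])
        pos += 1 + n
    return checksum, chunks


def is_well_formed(packet: bytes, lengths) -> bool:
    try:
        parse_response(packet, lengths)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    order = (0x0049C33D, 0x004A2FF7, 0x00497FB0)   # the order in Hdx's capture
    print(response_for(order).hex(" "))
    print("Hdx's 0x1d packet well formed:", is_well_formed(HDX_BOT_PACKET, [7, 8, 14]))
```

Run stand-alone it prints the 39-byte response for Hdx's capture order with checksum 0xCA841860 in the header, and reports the 0x1d packet as malformed because its length does not account for the three null bytes.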


Hdx

Coolness, now just to figure out how that is derived.

