Rudimentary Warden information

MysT_DooM · August 07, 2008, 06:00 PM

futhermore on reading from the exe and not hardcoding em in as ringo has done, makes ur client , for bnls purposes, not truly hashless, which makes it more confusing for the end user (most of em) and ur prog, for sc purposes, would be dependant on those hash files. not important though, but to some it may be. But i always did wonder why u made it like the way u did and have everybody dependant on the exe. negative points for ringo enlighting you!

Barabajagal · August 07, 2008, 06:36 PM

I don't like BNLS or JBLS much, really. I think local hashing is the best way to do things, and since my bot downloads hash files off my site, it's easy for the end user, too.

Dale · August 07, 2008, 06:56 PM

Personally I think what Andy did was fantastic, and he's brought up good points on here, instead of bitching him out about shit, why don't you shut the fuck up. You don't have to use his god damn library if you don't want to, no one is forcing you to. Personally, I could handle warden myself if I went back on this thread and read more about it however I'd probably use his library instead of researching the shit myself, to save time and error.

Warrior · August 07, 2008, 07:41 PM

Quote from: Andy on August 07, 2008, 04:46 PM
Wow... I really hope you're not being sarcastic, because that was really nice of you...

I guess you caught me in a good mood, I'll be more inflammatory later

.
Seriously though, yeah, I based a lot of the Warden code in my C# client off of the method you used to handle the module.

Ringo · August 07, 2008, 09:06 PM

Why do these things always end in a flame fest?
I'm just pointing out, the only option for people using VB6 is to port iago's code or to use ripples code with dll dependency's.
Thought I would slap up some example code to give people another option, keeping it fairly clean and simple, not starting arguments...
Please forgive me for trying to keep on-topic $:-\$

Barabajagal · August 12, 2008, 07:43 PM

My code is a port of iago's code. The dependencies are just calls to common functions like StandardSHA (and uncompress if you want to extract the modules themselves), which can easily be replaced.

Warrior · August 12, 2008, 09:07 PM

Quote from: Andy on August 12, 2008, 07:43 PM
My code is a port of iago's code. The dependencies are just calls to common functions like StandardSHA (and uncompress if you want to extract the modules themselves), which can easily be replaced.

If you're responding to me, I said "the code you use to handle the module" which is limited to 0x02 handling.

Barabajagal · August 12, 2008, 09:19 PM

If I don't quote, it tends to mean I'm responding to the post above me.

I've updated the dll to make it a bit easier:
# Starcraft.exe is no longer used, so StartWarden requires only the KeyHash (first 4 bytes minimum).
# RSHA.dll is no longer used. Added SHA1 hashing into the DLL itself.
# If you pass HandleWarden the full packet, starting with FF 5E, it will trim off the first 4 bytes.
# The dll has been UPX'd, so it's now 12.5 KB.

Download: http://realityripple.com/files/?file=RW

Use:
1) Add Warden.dll to your References.
2) Dim cWarden as New clsWarden at the top of whatever module/class/etc you're using for BNCS handling.
3) In 0x51 handling, add:

Code Select

cWarden.StartWarden KeyHash
Replace KeyHash with at least the first 4 characters of your CDKey hash (you can send the whole thing if you want).
4) in 0x5E handling, add something like the following:

Code Select


Dim sData As String
Dim sRet  As String
  wsBNet.GetData sData
  If Left$(sData, 2) = Chr$(&HFF) & Chr$(&H5E) Then
    sRet = cWarden.HandleWarden(sData)
    If LenB(sRet) > 0 Then
      wsBNet.SendData Chr$(&HFF) & Chr$(&H5E) & MakeWord(Len(sRet)+4) & sRet
    End If
  End If

Tested and working.

Barabajagal · November 04, 2008, 02:04 PM

Warden for SC came back today with a new packet: 0x05.

Here's some examples:

Code Select

05 8B 42 F8 D4 A9 4A 36 24 BE 99 6C 09 7E 83 88 58

05 41 C8 03 88 C2 54 38 95 06 02 43 65 21 7B 5D 98

05 43 DE 7E AE 14 8C 48 72 71 76 2F 8A 6E 1C AA EA

05 5A 12 F1 4C 97 3B DD C5 C6 F5 EF 91 C9 64 AC 45

Here's a new module (seems to be the same on all gateways [not verified]): http://realityripple.com/Uploads/56F25CA5BD550B384CC4FA457B438012.mod

Any idea what it's requesting?

brew · November 04, 2008, 02:31 PM

My guess is an MD5 of something. The responses are 16 bytes + the 1 byte command identifier.

Barabajagal · November 04, 2008, 02:40 PM

So the requests and the responses are the same size... that sounds more like it's another encryption, not a hash.

brew · November 04, 2008, 02:57 PM

Quote from: Andy on November 04, 2008, 02:40 PM
So the requests and the responses are the same size... that sounds more like it's another encryption, not a hash.

Oh, my bad. I thought those were the responses for some reason. ACK!!!! I hope it's just a xor cipher.
Are those the only three requests? Did you log any responses? The responses, at this point, are 20x as important as what you're getting. Also, it'd be a lot nicer if you decrypted the module ....

Barabajagal · November 04, 2008, 03:05 PM

If I decrypted the module, I couldn't MD5 it to make sure it was the right one... And I'm too lazy to write and implement a decrypter for it anyway.

No, those are not the only requests, as I said, they appeared to be random.

No, I didn't grab any responses.

I'm working on NLS for VB6 right now, I just thought I'd post this so other people could work on it if they wanted. I've already got my hands full of endians and N.add(B).subtract(v).mod(N).

brew · November 04, 2008, 03:51 PM

Here's the decrypted module:

http://darkblizz.org/brew/module.mod

I seriously feel that I just wasted 30 minutes of my life.

My inital analysis so far is....

• There's some kind of SHA1 init at 00001D46h
• 00000116h seems to be some major part of the module, it's littered with calls to a lot of different small odd comparison functions
• 000047E6h looks interesting
• I have to define all the code chunks myself. Thanks, IDA.

and about the requests...
there's really, only one thing I can think of that's 16 bytes long and encrypted: 3 addresses with a 1 byte length specifier, and an end byte like the one present in command 2 packets. So far I haven't seen a response either.

Racial · November 04, 2008, 04:47 PM

you guys are cool.....
[5:35:01 PM] Unknown Warden Packet: D78CC9BB96E81CF77C955AC23ED9870E1D
[5:35:11 PM] Unknown Warden Packet: 402F6FF68DB1F319B4429D4A0E2F7A456A
[5:35:31 PM] Unknown Warden Packet: 3E2FD92A4BD9AF010A8CA54B87A13077A3
[5:35:51 PM] Unknown Warden Packet: FE1FF86E7873800A48F7844165EE7E869A
[5:36:01 PM] Unknown Warden Packet: 1F2FBED782D1701637B2F7BA95CE00E7E7
[5:38:37 PM] Unknown Warden Packet: E18D50E2F0E263C1B85905144F619A0ADC
[5:38:52 PM] Unknown Warden Packet: 00D187A22036226151F6FC53985A036FE6
[5:39:02 PM] Unknown Warden Packet: 1B063809449A2AAA6EDBD3D51FA11259B3
[5:39:12 PM] Unknown Warden Packet: 296329D40D865C1190F04EC6BAD7712468
[5:39:42 PM] Unknown Warden Packet: E2FDB8D8A2370E047C37380D699725734A
is what i currently got from using andy's old warden module, i think these bytes/data are randomized and have to be decoded in an algorithm or something then sent back correctly. Correct me if i'm wrong but thats my theory.

edit: what do i use to open the .mod files? which program?

Rudimentary Warden information

Barabajagal

Barabajagal

Barabajagal

Barabajagal

Barabajagal

Barabajagal