Rudimentary Warden information

Started by iago, February 28, 2008, 05:07 PM

vector


Ringo

#196
Cool :)
At a glance, it looks like the request payloads have a 2nd layer of encryption:

[23:35:49] Request: 37
00 56 F2 5C A5 BD 55 0B 38 4C C4 FA 45 7B 43 80       .V.\..U.8L..E{C.
12 96 4A C6 F2 B2 E5 E7 92 91 F8 2E A7 AC 4C 81       ..J...........L.
00 E0 46 00 00                                        ..F..

[23:35:49] Responce: 1
01                                                    .

[23:35:49] Request: 17
05 CB 2E 3B 80 FE 27 EA 26 9F EA 3C F8 5B B0 51       ...;..'.&..<.[.Q
32                                                    2

[23:35:49] Responce: 21
04 01 F9 61 92 44 AE 9A A2 93 10 87 45 B0 D6 4D       ...a.D......E..M
CD FA 9B 5D 4D                                        ...]M

[23:35:54] Request: 160
[23:35:55] Responce: 29
17 81 B5 62 A1 99 BC F0 A7 7E 69 E1 5C 6A FF 5C       ...b.....~i.\j.\
C7 0C C5 EE A2 76 30 6A 28 05 3F 40 FF                .....v0j(.?@.

[23:36:09] Request: 160
[23:36:10] Responce: 22
73 48 F1 2D E4 0F 85 84 9E 3B BF B1 E6 CC 8A 05       sH.-.....;......
48 E7 3C 77 21 D9                                     H.<w!.


<3 blizzard for giving us something new and interesting to do.

Pyro


Racial

Quote from: Pyro on November 04, 2008, 06:05 PM
Quote from: vector on November 04, 2008, 05:42 PM
Visual Basic 6.0.
Open a Warden module in VB6? lol!
Ya, that's what I was thinking, I was like "are you on crack?" lol. Module extensions for VB6 are .bas, but good try there vector.

Barabajagal

Lovely. Well, good luck iago and Ringo. I'm sure one of you will figure it out.

Racial

Quote from: Andy on November 04, 2008, 06:13 PM
Lovely. Well, good luck iago and Ringo. I'm sure one of you will figure it out.
You mean you KNOW one of them will figure it out, they are intelligent mother fuckers, don't fuck with them ;)

Barabajagal

I know iago is... we were talking a few days ago, and we came to the conclusion none of the bots for the last few years would be in existence without him. He did lockdown, warden, NLS, and most of the open example code for everything.

Racial

Quote from: Andy on November 04, 2008, 07:16 PM
I know iago is... we were talking a few days ago, and we came to the conclusion none of the bots for the last few years would be in existence without him. He did lockdown, warden, NLS, and most of the open example code for everything.
Thx iago! And can someone tell me how to open these .mod files? I'm interested in warden myself for the new 05 packet :/

Ringo

Quote from: Racial on November 04, 2008, 06:42 PM
Quote from: Andy on November 04, 2008, 06:13 PM
Lovely. Well, good luck iago and Ringo. I'm sure one of you will figure it out.
You mean you KNOW one of them will figure it out, they are intelligent mother fuckers, don't fuck with them ;)
I'm not intelligent... in fact, if you didn't spell intelligent for me, I wouldn't have been able to. ;p

Anyway, nothing new to see here, blizzard are still a bunch of morons. Old news, sry to say.
All I've done so far is stared at the modules in IDA for the past few hours, and now my eyes hurt ><
Anyway, this is what is going on:
After the default module manages the downloading/executing of the variable module (I'm assuming after that, the default module passes data to the variable module), the server-side warden issues it a new encryption key (the 16 bytes in 0x05).
The client then generates its own encryption key and sends it back (4 byte checksum, 16 byte encryption key in 0x04 etc).
The server side warden and client side warden then have a convo about the price of fish, the weather, the economic slow down and who's using hax on starcraft.
This 2nd set of encryption keys is also tied into the 1st set/some logon variables.
The key the client sends back to the server is checked and verified server side. If it's wrong, you get disconnected, as you probably already know.
The key the server sends you is probably used to crypt messages, as well as seed a new encryption key to send back to the server, and crypt the other side of traffic.

Ofc, I haven't tested this, and I don't know for sure if the new keys seed a set of RC4 keys, but I'm 99% sure this is what's going on.
I might verify this tomorrow, if I get some free time.

Funny thing is, they have left the same flaw in the protocol that allowed me to get around it last time. *sigh*
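As an added example (not code from the thread, and not any Warden implementation), a small Python parser for the capture format Ringo posted, applying the 0x05 / 0x04 layout he describes: it reads only the hex column of each dump line, checks every packet's declared length against the bytes actually present, and splits the key-exchange payloads into their fields. The first two sample packets are the short pair from the capture above; the third is constructed to show a truncated capture being flagged, and the field layout is taken from Ringo's description, not verified against the module.

```python
import re

# Constructed sample in the capture format posted above. The first two packets
# are the short 0x05 / 0x04 pair from that capture; the third is made up, with a
# declared length that does not match its bytes (a truncated capture line).
SAMPLE_LOG = """\
[23:35:49] Request: 17
05 CB 2E 3B 80 FE 27 EA 26 9F EA 3C F8 5B B0 51       ...;..'.&..<.[.Q
32                                                    2

[23:35:49] Responce: 21
04 01 F9 61 92 44 AE 9A A2 93 10 87 45 B0 D6 4D       ...a.D......E..M
CD FA 9B 5D 4D                                        ...]M

[23:36:00] Responce: 6
01 02 03                                              ...
"""
# "Responce" is spelled the way the capture tool writes it.
HEADER_RE = re.compile(r"^\[(\d\d:\d\d:\d\d)\] (Request|Responce): (\d+)\s*$")
HEX_COLUMN_WIDTH = 47  # 16 bytes * 3 chars - 1; the ASCII column starts later

def parse_capture(text):
    """Split a capture log into packets. Only the hex column of each dump line is
    read, so ASCII-column characters that are hex digits are never taken as data."""
    packets, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"time": m.group(1), "dir": m.group(2),
                       "declared": int(m.group(3)), "data": bytearray()}
            packets.append(current)
        elif current is not None and line.strip():
            tokens = line[:HEX_COLUMN_WIDTH].split()
            current["data"].extend(int(tok, 16) for tok in tokens)
    for pkt in packets:
        pkt["data"] = bytes(pkt["data"])
        pkt["length_ok"] = len(pkt["data"]) == pkt["declared"]  # flags truncation
        pkt["opcode"] = pkt["data"][0] if pkt["data"] else None
        pkt["payload"] = pkt["data"][1:]
    return packets

def split_key_exchange(pkt):
    """Layout described in the thread: 0x05 (server -> client) carries a 16-byte
    key; 0x04 (client -> server) a 4-byte checksum then a 16-byte key."""
    op, payload = pkt["opcode"], pkt["payload"]
    if op == 0x05 and len(payload) == 16:
        return {"key": payload}
    if op == 0x04 and len(payload) == 4 + 16:
        return {"checksum": payload[:4], "key": payload[4:]}
    return None  # opcode not described in the thread, or wrong size
```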

Racial

#204
Quote from: Ringo on November 05, 2008, 12:14 AM
Quote from: Racial on November 04, 2008, 06:42 PM
Quote from: Andy on November 04, 2008, 06:13 PM
Lovely. Well, good luck iago and Ringo. I'm sure one of you will figure it out.
You mean you KNOW one of them will figure it out, they are intelligent mother fuckers, don't fuck with them ;)
I'm not intelligent... in fact, if you didn't spell intelligent for me, I wouldn't have been able to. ;p

Anyway, nothing new to see here, blizzard are still a bunch of morons. Old news, sry to say.
All I've done so far is stared at the modules in IDA for the past few hours, and now my eyes hurt ><
Anyway, this is what is going on:
After the default module manages the downloading/executing of the variable module (I'm assuming after that, the default module passes data to the variable module), the server-side warden issues it a new encryption key (the 16 bytes in 0x05).
The client then generates its own encryption key and sends it back (4 byte checksum, 16 byte encryption key in 0x04 etc).
The server side warden and client side warden then have a convo about the price of fish, the weather, the economic slow down and who's using hax on starcraft.
This 2nd set of encryption keys is also tied into the 1st set/some logon variables.
The key the client sends back to the server is checked and verified server side. If it's wrong, you get disconnected, as you probably already know.
The key the server sends you is probably used to crypt messages, as well as seed a new encryption key to send back to the server, and crypt the other side of traffic.

Ofc, I haven't tested this, and I don't know for sure if the new keys seed a set of RC4 keys, but I'm 99% sure this is what's going on.
I might verify this tomorrow, if I get some free time.

Funny thing is, they have left the same flaw in the protocol that allowed me to get around it last time. *sigh*
*cries* poor poor blizzard, they think they outsmart the smarter ones ;)

[edit] Can someone please give me a hint in the direction of opening mod files?

Don Cullen

Quote from: Racial on November 05, 2008, 04:04 PM
Can someone please give me a hint in the direction of opening mod files?

IDA Pro Disassembler.

http://www.hex-rays.com/idapro/idadown.htm

I think.
Regards,
Don
-------

Don't wonder why people suddenly are hostile when you treat them the way they shouldn't be- it's called 'Mutual Respect'.

Ringo

I had another quick look at it today. It looks like the original RC4 keys + the warden module (or its crypt key or alike) are responsible for producing the 2nd set of keys.
Here's a .c file for anyone who's interested -- it might be helpful:
SCWarden.c
There's some errors in it, since breaking down the module by hand in IDA really sucks :(
From what I've seen so far, there's about 4 different requests. But I haven't yet seen them decrypted, so I can only make a guess at this point.

Racial

Quote from: Don Cullen on November 05, 2008, 05:41 PM
Quote from: Racial on November 05, 2008, 04:04 PM
Can someone please give me a hint in the direction of opening mod files?

IDA Pro Disassembler.

http://www.hex-rays.com/idapro/idadown.htm

I think.
Thanks, I got it, but it is confusing where the hell to start off, and do I use the hex mode? I've looked for FF 5E, if that's the header even indicated in the module.

brew

#208
Battle.snp callback functions are stored in the TLS, the index of which is stored in 9008h. My strategy as of right now is to find what function(s) reference the address of the 0x5E send function and go from there, although I've been pretty busy lately.
<3 Zorm
Quote: [01:08:05 AM] <@Zorm> haha, me get pussy? don't kid yourself quik
I know you are, but what am I? :P

iago

Quote from: Racial on November 05, 2008, 07:07 PM
Quote from: Don Cullen on November 05, 2008, 05:41 PM
Quote from: Racial on November 05, 2008, 04:04 PM
Can someone please give me a hint in the direction of opening mod files?

IDA Pro Disassembler.

http://www.hex-rays.com/idapro/idadown.htm

I think.
Thanks, I got it, but it is confusing where the hell to start off, and do I use the hex mode? I've looked for FF 5E, if that's the header even indicated in the module.

You might want to get a book on reverse engineering (or look at the tutorial on my wiki) before you attempt this. You're in way over your head.
This'll make an interesting test for broken AV:
Quote: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

