Rudimentary Warden information

[bulletproof tiger]

So... you're using the warden modules to do the dirty work, just not the actual memory checks? I guess that's pretty close to what I had hoped for.

That's typically the first step in the process.

[Ringo]

0x02:

do until pos => lengh
    (BYTE) String Lengh
    If String Lengh
        (VOID) String
    else
        exit do
loop
do until pos => lengh
    (BYTE) (ID ^ data[lengh]) 
    if ID = MEM_CHECK
        (BYTE) String Index (If 0x00, base 0, else, base of library in this string)
        (DWORD) offset
        (BYTE) read Lengh
        If address_cant_be_read
            insert(BYTE) 0x01
        else
            insert(BYTE) 0x00
            insert(VOID) memory
    elseif ID = PAGE_CHECK_A
        (DWORD) Unknown/seed
        (DWORD[5]) SHA1
        (DWORD) Address
        (BYTE)  Lengh
        If youre_legit
            insert(BYTE) 0x00
        else
            insert(BYTE) result
    else
        blizzards wepon of mass distruction -- abort
loop

That's pretty much what starcraft is doing right now, altho it can do alot more.
The string list, altho not currently used in starcraft, doesnt always contain module names. It can also contain MPQ files to SHA1.
You wont see MPQ files in the requests unless you get packet 0x03, right after 0x05, telling you to load a library (normaly storm.dll) and giving you offsets to functions (to read mpqs)
For ID PAGE_CHECK_A, you can safely skip that request, and just insert byte 0x00 -- it's basicly just checking memory pages and compareing SHA1's -- The legit/unhacked client always sends back 0x00 for them requests.
99.9% safe, enjoy!

edit:
Note* the ID's MEM_CHECK and PAGE_CHECK_A are variable for each module.


(TYPE) is for reading
insert(TYPE) is for sending
once you have finished building you're responce buffer, the format is as followes:
(BYTE) 0x02 packet ID
(WORD) Lengh of buffer
(DWORD) Checksum of buffer
(VOID) Buffer

[Barabajagal]

Okay, since the other topic got locked, I guess I'll ask here. Why does your code in your SCGP bot not use the ID at all? You're checking for MEM_CHECK with (Asc(Mid(S, P + 1, 1)) = 0) And (Asc(Mid(S, P + 6, 1)) < &H40), and PAGE_CHECK_A with (Asc(Mid$(S, P + 29, 1)) < &H80) And (Asc(Mid$(S, P + 28, 1)) = 0) And (Asc(Mid$(S, P + 27, 1)) < &H40), which seems to not work quite right for some packets, unless I'm doing something wrong.

For example:

Code Select Expand

02 00
39
  D6 63 0F F6
  8E 6B 4A 26 AA 55 E0 64 2D 6E 04 5D D6 65 32 F7 12 5A 99 D6
  40 A1 00 00
  10
39
  AB 6E 00 5A
  F5 F7 6C FA E5 1F D1 4A 36 EE 7C 03 43 11 94 00 CA 7E 53 DE
  69 32 00 00
  24
39
  61 E2 48 55
  94 C3 BA 59 8A AE 9E C3 2B FF 1C 12 87 22 3E AB 8F B8 B1 52
  EC D7 06 00
  30
39
  1A A9 B6 B7
  0B C7 9D 5D A4 BC C5 AA C6 C8 BE 9F F7 89 0B 0F B6 C7 95 8B
  F8 D4 06 00
  30
39
  00 D0 81 E3
  67 0D 8A DB 4F E1 EA 49 88 C5 07 3A 34 C7 59 2D 7F 15 BD 0B
  B8 21 00 00
  11
6A

The last request is a PAGE_CHECK_A request, yet it fills the requirements of the second byte being 00 and the seventh being under 0x40, thus attempting to run a MEM_CHECK on invalid data.

Code Select Expand

02 00
A7
  91 4E CE AE
  7B F0 DD 55 4D 51 77 C9 70 02 B4 D2 6D 3B CE 4B E7 28 54 3A
  20 50 00 00
  10
AB
  00
  2A F4 46 00
  09
A7
  6A 6B 5D B6
  14 41 DC 98 3F D4 5F 68 15 18 B9 07 2C D3 BF AD 37 B7 23 FF
  9C FE 01 00
  25
A7
  EF 63 5B 77
  D6 36 B0 C9 3C 11 00 34 E9 08 96 D3 AB 3D 4A AB 87 14 2C 26
  20 EE 01 00
  25
A7
  00 6C 1A 5B
  23 10 E8 22 28 B5 F8 AF A6 2C 4A 8D EA 4C D4 1E F4 1C 75 DB
  5A 22 00 00
  20
A7
  57 9B 66 E0
  52 FF 5F D9 22 A6 06 A8 F1 02 B5 6E D7 BD 4C 9D B5 9F DD 1C
  B4 7C 00 00
  17
28

Likewise, the second-to-last request of this packet fits your pattern matching system, resulting in an attempt to handle a PAGE_CHECK_A request as an MEM_CHECK request.

Also, is there any way to grab MEM_CHECK and PAGE_CHECK_A from the module itself?

[Mystical]

the offsets were changed? so scgp is somewhat outdated..

ringo was kinda enough to send a few of us a pm with the new ones though =)

[Barabajagal]

The offsets have nothing to do with this problem. The data I've posted doesn't even touch MEM_CHECK. And, as it's been mentioned multiple times, both in that topic and this one, the memory check data can easily be found in Starcraft.exe, or by simply running Starcraft as usual and reading the physical memory locations just like Warden would.

Although, I would like to know how to create the SHA1 value to compare to the given SHA1 in PAGE_CHECK_A, just for the sake of knowing.

[Antarctica]

Okay really dumb question for your code, Andy.  I'm getting a mismatch error in the 4th line of code (from your clsWarden module)

Code Select Expand


Public Sub StrToByteArray(ByVal sStr As String, ByRef Ary() As Byte)
Dim I As Integer
  ReDim Ary(Len(sStr) - 1) As Byte
  fnctCopyMemory Ary(0), sStr, Len(sStr)
End Sub


[Barabajagal]

fnctCopyMemory? That's an API call, not a standard function...

In any case, the code in the earlier pages of this thread is no longer the right way to handle Warden.

[brew]

Try using StrConv() instead.

[zeroirc]

Try using StrConv() instead.

ya, andy use this code.

Public Sub StrToByteArray(ByVal sStr As String, ByRef Ary() As Byte):Ary() = StrConv(sStr,vbFromUnicode):End Sub

Public Function ByteArrayToStr(ByRef Ary() As Byte) as String:ByteArrayToStr = StrConv(Ary(),vbUnicode):End Function

[Barabajagal]

I'll stick with APIs, thanks.

[Antarctica]

fnctCopyMemory? That's an API call, not a standard function...

In any case, the code in the earlier pages of this thread is no longer the right way to handle Warden.

Alright.  Do you think I can please see your code for how it is handled now?

[Ringo]

Theres some simple VB6 example code for handleing the current warden found here, if its of any use:
http://forum.valhallalegends.com/index.php?topic=17703.0

[Barabajagal]

Ya, most people wouldn't like my current code...