SCGP Client (VB6 Open Source)

Started by Ringo, November 03, 2008, 08:20 AM


Ribose

I was able to "rip" it and convert it to C# (with tons of help from him and Hdx, and looking at iago's wiki) and it's working mostly. If I could get it, you should be able to. :D :P
~Ribose

Mystical

Quote from: Ribose on January 10, 2009, 08:57 AM
I was able to "rip" it and convert it to C# (with tons of help from him and Hdx, and looking at iago's wiki) and it's working mostly. If I could get it, you should be able to. :D :P

Well, I'm not getting actual help from them, just RIPPING his warden source, ha ha. I've pulled all the needed functions and converted what I needed to convert. I however believe I'm generating the seed wrong. The way things are going, I'll probably end up just understanding his FULL source.

Ringo

#32
You can, in theory, copy/paste the modWARDEN.bas and clsASM.cls into a chat bot, declare the needed API's and a few other functions (like HexToStr(), StrToHex(), malloc() and free()) and use it right away.
It is not copy/paste friendly for multi profile chat bots, load bots, or alike tho.

If anyone wants to just copy/paste the .bas and .cls to their bot, I will explain below (after all, that is what I had in mind when writing this)


1st, create a folder in your bot's directory called "warden"; this is where the modules will be downloaded and saved to.


2nd, declare any API the module/class uses, and add the extra functions that you currently don't have, IE: hextostr, strtohex, malloc, free, etc. (they should all be in the modAPI.bas, iirc)


3rd, any call in the modWARDEN.bas to "modBNET.SB5E()", change to your send0x5E() sub.


4th, when you send BNCS 0x51, make a call to the modWARDEN.WardenInit(FirstDwordOfCdkeyHash)
If you're sending 0x36, pass zero, rather than the first dword of the cdkey hash.
This call will also unload any existing module, ready for a fresh logon.


5th, when you recv an incoming 0x5E message, pass the whole packet to the modWARDEN.WardenOnData(PacketData)


6th, when you unload your program, you should make a call to the modWARDEN.WardenCleanUp()


That's pretty much it, iirc.

Smarter

Ringo, I hate to criticize, but when will you learn a new language? You're amazing, truly, but VB6 makes me want to lose my lunch, or whatever meal it is I may have recently ingested.
Since '99

BrutalNet.Net

Mystical

Quote from: Ringo on January 11, 2009, 07:36 AM
You can, in theory, copy/paste the modWARDEN.bas and clsASM.cls into a chat bot, declare the needed API's and a few other functions (like HexToStr(), StrToHex(), malloc() and free()) and use it right away.
It is not copy/paste friendly for multi profile chat bots, load bots, or alike tho.

If anyone wants to just copy/paste the .bas and .cls to their bot, I will explain below (after all, that is what I had in mind when writing this)


1st, create a folder in your bot's directory called "warden"; this is where the modules will be downloaded and saved to.


2nd, declare any API the module/class uses, and add the extra functions that you currently don't have, IE: hextostr, strtohex, malloc, free, etc. (they should all be in the modAPI.bas, iirc)


3rd, any call in the modWARDEN.bas to "modBNET.SB5E()", change to your send0x5E() sub.


4th, when you send BNCS 0x51, make a call to the modWARDEN.WardenInit(FirstDwordOfCdkeyHash)
If you're sending 0x36, pass zero, rather than the first dword of the cdkey hash.
This call will also unload any existing module, ready for a fresh logon.


5th, when you recv an incoming 0x5E message, pass the whole packet to the modWARDEN.WardenOnData(PacketData)


6th, when you unload your program, you should make a call to the modWARDEN.WardenCleanUp()


That's pretty much it, iirc.

Hmm, that's exactly what I have already done, and sadly, I must have errored somewhere or generated the wrong seed, because it doesn't even attempt to create its own warden modules lol. As far as the multiprofile goes, after I have it working, I can probably just attempt to add it to a library and it should be easier to work from there.

helpmeringo

#35
Here's the problem that I've run into.

The ENTIRE packet starting from "FF" is S.


Public Function WardenOnData(S As String)
    Dim lngData         As Long
    Dim lngLengh        As Long
    Dim lngID           As Long
    lngLengh = (Len(S) - 4)
    If (lngLengh < 1) Then Exit Function
    lngData = malloc(lngLengh)
    Call RC4CryptStr(S, m_KeyIn(), 5)
    lngID = Asc(Mid$(S, 5, 1))
    If (lngID < 6) Then
        Call CopyMemory(ByVal lngData, ByVal Mid$(S, 5, lngLengh), lngLengh)
        Call CallWindowProcA(m_Parse(lngID), lngData, lngID, lngLengh, 0)
    End If
    Call free(lngData)
End Function


The problem that I run into is that lngID is never 5 or under.  RC4CryptStr is broken. 

Packet data before I run it into rc4cryptstr
FF 5E 29 00 D9 9A F8 69 D9 3D DC 1F EF 28 83 4D 07 9D D7 90 2C 3D C6 D2 0F 77 80 46 73 36 32 D1 CB 10 CC 38 32 B9 15 63 AD


The packet data after it's run through rc4cryptstr
FF 5E 29 00 C5 6A F4 E2 AB E9 B4 56 0F FC 2F AD CA 40 7D 4D 69 BD 74 26 6C B7 78 51 C8 63 2A 8F E8 39 4A 98 1C C4 D5 45 52

As you can see, the 5th hex string "C5" isn't below 6. I'm clueless why this is happening! I got warden init, everything else correct. I can't even pass the FIRST warden packet. Again, I'm completely clueless; I've been trying for hours! It makes no sense why the rc4cryptstr works for SCGP and not another bot??

Here's my RC4CryptStr function


Private Sub RC4CryptStr(ByRef S As String, ByRef bK() As Byte, ByVal Pos As Long)
    Dim A           As Long
    Dim B           As Long
    Dim C           As Byte
    Dim i           As Long
    A = bK(256)
    B = bK(257)
    Call WritetoFile("warden.txt", StrToHex(S))
    For i = Pos To Len(S)
        A = (A + 1) Mod 256
        B = (B + bK(A)) Mod 256
        C = bK(A)
        bK(A) = bK(B)
        bK(B) = C
        Mid(S, i, 1) = Chr$(Asc(Mid$(S, i, 1)) Xor bK((CInt(bK(A)) + bK(B)) Mod 256))
    Next i
    Call WritetoFile("warden.txt", StrToHex(S))
    bK(256) = A
    bK(257) = B
End Sub

Ringo

I would guess you're not passing the correct seed to wardeninit(), when you build 0x51.
It should be the 1st 4 bytes of the 1st cdkey's broken SHA1 hash.
If you're logging on via 0x06/0x07/0x36 etc, you will need to seed wardeninit() with 0x00000000.
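
Added example (not code from the thread or from SCGP): a Python port of the RC4 loop posted above, with the same state layout, showing why a key built from the wrong seed, or key state left over from an earlier logon, makes the first decrypted byte fail the `< 6` opcode check. Assumptions: the standard RC4 key schedule, the public RC4 test-vector keys "Key" and "Wiki", and constructed payloads; how Warden derives its keys from the seed is not shown.

```python
# Added example. Same state layout as RC4CryptStr in the thread: a 256-byte
# S-box followed by the two running indices in slots 256 and 257.
# ASSUMPTIONS: standard RC4 key schedule; keys are the public RC4 test-vector
# keys "Key" and "Wiki"; payloads are constructed, not captured Warden data.

def rc4_init(key: bytes) -> bytearray:
    """Standard RC4 key schedule; both running indices start at 0."""
    st = bytearray(range(256)) + bytearray(2)
    j = 0
    for i in range(256):
        j = (j + st[i] + key[i % len(key)]) & 0xFF
        st[i], st[j] = st[j], st[i]
    return st

def rc4_crypt(st: bytearray, data: bytes, pos: int = 0) -> bytes:
    """XOR data[pos:] with the keystream; indices persist across calls."""
    out = bytearray(data)
    a, b = st[256], st[257]
    for n in range(pos, len(out)):
        a = (a + 1) & 0xFF
        b = (b + st[a]) & 0xFF
        st[a], st[b] = st[b], st[a]
        out[n] ^= st[(st[a] + st[b]) & 0xFF]
    st[256], st[257] = a, b
    return bytes(out)

def bncs_5e(payload: bytes) -> bytes:
    """4-byte header as in the dumps above: FF 5E, then total length (LE)."""
    return b"\xFF\x5E" + (len(payload) + 4).to_bytes(2, "little") + payload

def demo() -> dict:
    server = rc4_init(b"Key")
    # Constructed payloads with opcodes 0x00 and 0x02, encrypted from byte 5 on.
    wire = [rc4_crypt(server, bncs_5e(p), 4) for p in (b"\x00\x01\x02", b"\x02\x10")]
    client = rc4_init(b"Key")
    in_order = [rc4_crypt(client, w, 4)[4] for w in wire]        # right key
    wrong_key = rc4_crypt(rc4_init(b"Wiki"), wire[0], 4)[4]      # wrong seed/key
    # New logon, but the client kept the old key state instead of re-initialising
    # (also what happens when several connections share one key array).
    stale = rc4_crypt(client, wire[0], 4)[4]
    return {"in_order": in_order, "wrong_key": wrong_key, "stale_state": stale}

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value, "(valid opcodes are below 6)")
```

Because the two indices are carried between calls, every connection needs its own key array, initialised again at each logon.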

helpmeringo

#37
Quote from: Ringo on January 11, 2009, 02:21 PM
I would guess you're not passing the correct seed to wardeninit(), when you build 0x51.
It should be the 1st 4 bytes of the 1st cdkey's broken SHA1 hash.
If you're logging on via 0x06/0x07/0x36 etc, you will need to seed wardeninit() with 0x00000000.


I think I did something wrong at the warden init, gonna check

Ok here's part of my 0x51 send packet code

   
Dim lngSeed     As Long

Call CopyMemory(lngSeed, ByVal AccountHash, 4)

Call ModWarden.WardenInit(lngSeed)

'fast forward to see what accounthash is

pk.InsertDWORD Len(CDKeyg)
pk.InsertDWORD productvalue
pk.InsertDWORD publicvalue
pk.InsertDWORD Checksum

pk.InsertNonNTString AccountHash



Am I doing it right?

accounthash works for 0x51


I FIXED IT!  Make sure INIT warden works!

After like 2 minutes my prog freezes?  Any ideas why?

Mystical

Yuck, now here comes a load bot ^ nes

Ringo

Quote from: MyStiCaL on January 11, 2009, 04:35 PM
Yuck, now here comes a load bot ^ nes
heh yeah, thought it might be with a name like that :P
gonna take him a long time to figure out how to get it working for multiple connects at once :P
Fun times.

Mystical

Quote from: Ringo on January 11, 2009, 05:10 PM
Quote from: MyStiCaL on January 11, 2009, 04:35 PM
Yuck, now here comes a load bot ^ nes
heh yeah, thought it might be with a name like that :P
gonna take him a long time to figure out how to get it working for multiple connects at once :P
Fun times.

Well, for me that's actually the easy part. I guess my problem is still the seed, to see if anything is initializing right.

Ribose

Quote from: Ringo on January 11, 2009, 05:10 PM
Quote from: MyStiCaL on January 11, 2009, 04:35 PM
Yuck, now here comes a load bot ^ nes
heh yeah, thought it might be with a name like that :P
gonna take him a long time to figure out how to get it working for multiple connects at once :P
Fun times.
Converting it to C# almost unavoidably made it easy to use the class multiple times (there are not "modules" like there are in VB6, instead use a class), besides the part that I already had all of the RC4 and init with seed done from the first Warden work-around. :)

I really can't understand what the point of having Warden support for a load bot serves anyway. You're connected for less than two minutes...
~Ribose

Paladin

#42
Hey Ringo  :)!

I have tried to integrate your source code into my own bot however I do not get the results I would want to get.

I successfully get the:
Downloading Warden Module:
615178218368F15E84FF2921091A3D78.bin

message but...the module doesn't seem to get downloaded as it is not saved in my \Warden\ folder and my bot disconnects ~2 minutes after connecting.

What could possibly cause this? Bad seed?

Nice work by the way!
Would appreciate help  :)


EDIT: Nevermind, got everything working fine now..:D

Ringo

Quote from: Paladin on January 12, 2009, 03:42 PM
EDIT: Nevermind, got everything working fine now..:D

What was the problem and how did you fix it, in case others have the same problem?
I'm guessing, you didn't include zlib.dll to the bot directory?

Paladin

Well, I got it to work by using your SCGP program to download Warden modules (which isn't the best solution but it worked for me :P I was tired and didn't really bother..)

Anyways, now I read my debug messages and I get this:

HW0x02() Error:


W:é—uq\¢–/¥ëÛh1þ$' :ÚâÖÎïýv&µaËÕ6yêP4rÌ
{
PrepareModule()
   Allocated 49152 (0xC000) bytes for new module
   Copying code sections to module.
   Adjusting references to global variables...
   Updating API library references..
   Lib: KERNEL32.dll
       Function: Sleep
       Function: TlsFree
       Function: TlsGetValue
       Function: TlsSetValue
       Function: RaiseException
       Function: TlsAlloc
       Function: GetProcAddress
       Function: GetModuleHandleA
       Function: GetVersionExA
       Function: GetSystemInfo
       Function: GetTickCount
       Function: VirtualQuery
       Function: QueryDosDeviceA
       Function: CloseHandle
       Function: GetCurrentProcess
       Function: FreeLibrary
       Function: DuplicateHandle
       Function: LoadLibraryA
       Function: GetProcessHeap
       Function: HeapFree
       Function: TerminateProcess
       Function: UnhandledExceptionFilter
       Function: SetUnhandledExceptionFilter
       Function: QueryPerformanceCounter
       Function: GetCurrentThreadId
       Function: GetCurrentProcessId
       Function: GetSystemTimeAsFileTime
       Function: RtlUnwind
   Lib: USER32.dll
       Function: CharUpperBuffA
   Successfully mapped Warden Module to 0x383FFDC
InitModule()
   Initialize Function is mapped at 0x384646C


As you can see, there's an error at HW0x02() and I know the error occurs at that line:
If (Not m_ModState = 2) Then GoTo HW0x02Err

So what could it possibly be?
