Warden for warcraft III

Started by PunK, April 14, 2009, 04:19 PM


PunK

Well it appears Warcraft III requires the same warden response as Starcraft directly after login.

Mystical

The exact same response? Thanks for the packet log.

PunK

If you want to see it, don't be lazy - packet log it yourself.

Here it is anyways.

0000:  FF 5E 29 00 F7 5A 70 D4 2F 33 9F 1E 67 8F 08 FD   ÿ^).÷ZpÔ/3Ÿg?ý
0010:  A6 5F EA 94 CE AE A0 4A E2 44 2E CE FD DC 3A A9   ¦_ê"ή JâD.ÎýÜ:©
0020:  52 16 FD B9 BF A9 5F D1 85                        Rý¹¿©_Ñ..........

Hdx

[2:53:26 PM] [Server] Listening for connections on port 6112
[2:57:19 PM] [Server] New connection from 127.0.0.1:53184
[2:57:19 PM] [Server] Received Socks connection: 63.240.202.138:6112
[2:57:19 PM] [Client] Connected
[2:57:22 PM] Received Warden 0x00
[2:57:22 PM] Name:     d192b987e0fdf83be621b5dfc98b179d
[2:57:22 PM] Key Seed: c5f41a2b952dd4533eaa1d50f0c11a11
[2:57:22 PM] Length:   17464
[2:57:22 PM] Download 100%
[2:57:22 PM] Module Decrypted
[2:57:22 PM] Module decompressed
[2:57:22 PM] Module Header:
[2:57:22 PM] Maped Size:    0x0000B000
[2:57:22 PM] Unknown 1:     0x00005B0C
[2:57:22 PM] Ref Table:     0x0000A000
[2:57:22 PM] Ref Count:     0x00000141
[2:57:22 PM] Init Addr:     0x00008768
[2:57:22 PM] Unknown 2:     0x00000001
[2:57:22 PM] Unknown 3:     0x00000001
[2:57:22 PM] Lib Table:     0x000083FC
[2:57:22 PM] Lib Count:     0x00000002
[2:57:22 PM] Unknown 4:     0x00000003
[2:57:22 PM] [DEBUG] Warden Base: 0x0235004C
[2:57:22 PM] [DEBUG] Copying code blocks to module
[2:57:22 PM] [DEBUG] Adjusting 321 references to global variables...
[2:57:22 PM] [DEBUG] Updating API library referances...
[2:57:22 PM] [DEBUG] Lib: KERNEL32.dll
[2:57:22 PM] [DEBUG] IsValidCodePage @ 0x77bb000d
[2:57:22 PM] [DEBUG] GetStdHandle @ 0x77bbb94d
[2:57:22 PM] [DEBUG] Sleep @ 0x77bc4e86
[2:57:22 PM] [DEBUG] TlsSetValue @ 0x77bc3d24
[2:57:22 PM] [DEBUG] RaiseException @ 0x77ba7088
[2:57:22 PM] [DEBUG] GetProcAddress @ 0x77bc4b71
[2:57:22 PM] [DEBUG] GetModuleHandleA @ 0x77bc4b89
[2:57:22 PM] [DEBUG] TlsAlloc @ 0x77bb5a72
[2:57:22 PM] [DEBUG] TlsFree @ 0x77bbfd41
[2:57:22 PM] [DEBUG] TlsGetValue @ 0x77bc54ee
[2:57:22 PM] [DEBUG] GetSystemInfo @ 0x77bb5a8f
[2:57:22 PM] [DEBUG] GetVersionExA @ 0x77bb5adb
[2:57:22 PM] [DEBUG] VirtualQuery @ 0x77bbb97d
[2:57:22 PM] [DEBUG] QueryDosDeviceA @ 0x77be85ea
[2:57:22 PM] [DEBUG] GetTickCount @ 0x77bc4e96
[2:57:22 PM] [DEBUG] DuplicateHandle @ 0x77bc3457
[2:57:22 PM] [DEBUG] CloseHandle @ 0x77bc5137
[2:57:22 PM] [DEBUG] FreeLibrary @ 0x77bc32f3
[2:57:22 PM] [DEBUG] GetCurrentProcess @ 0x77bc3532
[2:57:22 PM] [DEBUG] LoadLibraryA @ 0x77bb5a27
[2:57:22 PM] [DEBUG] GetProcessHeap @ 0x77bc372d
[2:57:22 PM] [DEBUG] HeapFree @ 0x77bc55cd
[2:57:22 PM] [DEBUG] TerminateProcess @ 0x77baaa2f
[2:57:22 PM] [DEBUG] UnhandledExceptionFilter @ 0x77beebb9
[2:57:22 PM] [DEBUG] SetUnhandledExceptionFilter @ 0x77bbb99d
[2:57:22 PM] [DEBUG] QueryPerformanceCounter @ 0x77bb59c7
[2:57:22 PM] [DEBUG] GetCurrentThreadId @ 0x77bc3520
[2:57:22 PM] [DEBUG] GetCurrentProcessId @ 0x77bc4bb0
[2:57:22 PM] [DEBUG] GetSystemTimeAsFileTime @ 0x77bb96b0
[2:57:22 PM] [DEBUG] RtlUnwind @ 0x77ba71f3
[2:57:22 PM] [DEBUG] Lib: USER32.dll
[2:57:22 PM] [DEBUG] DrawTextA @ 0x763aa8f7
[2:57:22 PM] [DEBUG] CharUpperBuffA @ 0x76397c23
[2:57:22 PM] [DEBUG] ScrollWindowEx @ 0x763b5c22
[2:57:22 PM] [DEBUG] IsCharUpperA @ 0x763e3928
[2:57:22 PM] Module prepared/loaded
[2:57:22 PM] Callbacks:    0x005E95B4
[2:57:22 PM] Send Packet:  0x00415B40
[2:57:22 PM] Check Module: 0x004160B0
[2:57:22 PM] ModuleLoad:   0x00416430
[2:57:22 PM] AllocateMem:  0x004168E0
[2:57:23 PM] FreeMemory:   0x00416BA0
[2:57:23 PM] SetRC4Data:   0x00416DE0
[2:57:23 PM] GetRC4Data:   0x00417150
[2:57:23 PM] AllocateMem(2024) = 0x0065E00C
[2:57:23 PM] AllocateMem(60) = 0x005F924C
[2:57:23 PM] AllocateMem(44) = 0x00634BBC
[2:57:23 PM] [DEBUG] Init_Data:
[2:57:23 PM] [DEBUG]   Exports:         0x023581B4
[2:57:23 PM] [DEBUG]     RC4 Init:      0x023535EC
[2:57:23 PM] [DEBUG]     Handle Packet: 0x0235371C
[2:57:23 PM] [DEBUG]     Unload:        0x02356B3C
[2:57:23 PM] [DEBUG]   Unknown1:        0x00000000 0x00000000 0x00000000 0x00000000 0x023581C4
[2:57:23 PM] [DEBUG]   CallBacks:       0x005E95B4
[2:57:23 PM] [DEBUG]     Send Packet:   0x00415B40
[2:57:23 PM] [DEBUG]     Check Mod:     0x004160B0
[2:57:23 PM] [DEBUG]     Mod Load:      0x00416430
[2:57:23 PM] [DEBUG]     MemAlloc:      0x004168E0
[2:57:23 PM] [DEBUG]     MemFree:       0x00416BA0
[2:57:23 PM] [DEBUG]     Set RC4:       0x00416DE0
[2:57:23 PM] [DEBUG]     get RC4:       0x00417150
[2:57:23 PM] [DEBUG]   Unknown2:        0x00000000
[2:57:23 PM] [DEBUG] Init 0x0013f354 0x00417150
[2:57:23 PM] GetRC4Data(0x0065E02C, 0x00000208)
[2:57:23 PM] Init() = 0x0065E00C
[2:57:23 PM] Received Warden 0x05
[2:57:23 PM] SendPacket() pkt=0x0013F0E4, size=21
[2:57:23 PM] Sending Packet Data:
0000:  04 9F 54 9D B9 F8 A5 96 FC D9 AA 92 AA 44 D9 BB   ŸT?¹ø¥–üÙª'ªDÙ»
0010:  D8 C1 0E 7D 77                                    ØÁ}w...........
[2:57:23 PM] Handled 17/17
[2:57:23 PM] Handled packet successfully
[2:57:27 PM] Received Warden 0x02
[2:57:27 PM] Key: 0x78
[2:57:27 PM] Library: game.dll
[2:57:27 PM] Library: Çüßs
[2:57:27 PM] Library: Ç
6
[2:57:27 PM] Library: Ç:[(
[2:57:27 PM] Library: Çã:
[2:57:27 PM] Library: ÚËÆ°Nïn'\&I º?m,ÂàOç\,<4
[2:57:27 PM] Library: Çgl5
[2:57:27 PM] Library: ÇÊ'?
[2:57:27 PM] Opcode: 0xBB Page:  48 @ 0x0007A8C4 Seed: 0xBF8C393D Hash: d332d199425adc6e0af2dff632d860f203794c7b
[2:57:27 PM] Opcode: 0xBB Page:  25 @ 0x00005908 Seed: 0xCA846AD3 Hash: a6678e78b9ce718ea5436d905eec88d3c0abaa23
[2:57:27 PM] Opcode: 0xBF Read:  12 @ 0x003C5C22 Data: 00 00 00 00 00 00 00 00 00 00 00 00
[2:57:27 PM] Opcode: 0xBF Read:   6 @ 0x0039A39B Data: 00 00 00 00 00 00
[2:57:27 PM] 0x02 Response:
0000:  02 16 00 E1 29 B5 A0 00 00 00 00 00 00 00 00 00   .á)µ .........
0010:  00 00 00 00 00 00 00 00 00 00 00 00 00            ................
[2:57:27 PM] Response:
0000:  75 73 53 7C 5B 37 2E BA 6C FA 71 45 63 06 96 F0   usS|[7.ºlúqEc–ð
0010:  20 95 C2 C8 5E 4A B5 2B D9 8B 8A 8C 28             •ÂÈ^Jµ+Ù‹ŠŒ(...
[2:57:27 PM] [Client] Connection closed
[2:57:27 PM] [Server] Connection closed
[2:57:27 PM] [Server] Listening for connections on port 6112

Same modules, same method of handling; if I wasn't lazy and had used a few shortcuts, my bypass would still work. But alas I was, and I deleted half the source, so meh.

Though this is curious: why in God's name would they enable it for WC3? Oh wait, maybe hacks had taken advantage of it!

Proud host of the JBLS server www.JBLS.org.
JBLS.org Status:
JBLS/BNLS Server Status

PunK

Yeah, the only thing different is the requests for the memory blobs.

l2k-Shadow

Here's something interesting: a decompression of the 0x02 warden request yields:

game.dll 8p&¨ø{éFK eŽ>Ñ Í͸Âå& p  |¢[( 8¶ LÂOïmÃü Y?î» V#M¹ì¦–'  (8œrM"0¾&î³*J>C‹Ènšµ°‰gÈ× 08í ¶³Ì9ˆ:Ž›"Sºc'Ï©á  *8$v˜zïŸå¨Ö–Úœ\R§.›$5])øÔ 0?
So it seems that the war3 request gives you the name of the file to check the memory for. No problem... the kicker, though, is that game.dll has the base address of 0x6F000000 and no viable addresses to check are found in that packet. Ideas...?
Quote from: replaced on November 04, 2006, 11:54 AM
I dunno wat it means, someone tell me whats ix86 and pmac?
Can someone send me a working bot source (with bnls support) to my email?  Then help me copy and paste it to my bot? ;D
I was destined to live here,
To eat boiled pork and horseradish and drink beer with it.
Over there, they say, you'd live like a pig in clover,
But I don't want to sit on my backside in front of anybody.

I'm not from the USA, I'm not from the USA, I'm really not from the USA... and hopefully they won't hold it against me.

brew

Quote from: l2k-Shadow on April 14, 2009, 08:39 PM
So it seems that the war3 request gives you the name of the file to check the memory for. No problem... the kicker, though, is that game.dll has the base address of 0x6F000000 and no viable addresses to check are found in that packet. Ideas...?
* brew lols
You aren't seriously letting the module parse the 0x02, are you?
Well, even if you are, you can still hook VirtualQuery and return whatever blobs you'd like.
<3 Zorm
Quote[01:08:05 AM] <@Zorm> haha, me get pussy? don't kid yourself quik
I know you are, but what am I? :P

l2k-Shadow

No, I'm not. I assumed that since SC gives you the exact address to look at, it would do the same here. Guess not?

brew

It does. Just because they give you an absolute address doesn't mean you need to read exactly from there, though. You know the exact address to read from, as well as where the image's base is.
By the way, your previous post screws up the tables. Do break it up please.

Ringo

Quote from: l2k-Shadow on April 14, 2009, 08:39 PM
Here's something interesting: a decompression of the 0x02 warden request yields:

game.dll 8p&¨ø{éFK eŽ>Ñ Í͸Âå& p  |¢[( 8¶ LÂOïmÃü Y?î» V#M¹ì¦–'  (8œrM"0¾&î³*J>C‹Ènšµ°‰gÈ× 08í ¶³Ì9ˆ:Ž›"Sºc'Ï©á  *8$v˜zïŸå¨Ö–Úœ\R§.›$5])øÔ 0?
So it seems that the war3 request gives you the name of the file to check the memory for. No problem... the kicker, though, is that game.dll has the base address of 0x6F000000 and no viable addresses to check are found in that packet. Ideas...?


Yeah, this is the standard for all (sc/w3/d2) wardens atm.
Pretty sure I explained a bit about this in iago's warden thread.
In d2, I've seen 4 request types active -- 1 memory check, 2 page checks and a local file check.
For those 4 types of common checks, only the memory checks and local file checks use the string table.

The memory checks have a string index to a library;

        (BYTE) String Index (If 0x00, base 0, else, base of library in this string)
        (DWORD) offset
        (BYTE) read Length
        If address_cant_be_read
            insert(BYTE) 0x01
        else
            insert(BYTE) 0x00
            insert(VOID) memory


The local file checks have a string index to an mpq file to be hashed;

        (BYTE) String Index (points to an MPQ file)
        If file_cant_be_read
            insert(BYTE) 0x01
        else
            insert(BYTE) 0x00
            insert(BYTE[20]) Warden SHA1 of file



On another note, the modWARDEN.bas I added to the SCGP bot should work fine for Warcraft3 as well.
The 0x02 handler just needs some mild modifying.

Yegg

Quote from: Ringo on April 14, 2009, 11:04 PM
On another note, the modWARDEN.bas I added to the SCGP bot, should work fine for Warcraft3 as well.
The 0x02 handler just needs some mild modifying.

I'm assuming that warden being activated on Warcraft III isn't a big change then? Just some minor tweaks to the existing code you already have?

Hdx

From the looks of it, it uses the same exact modules as SC. Only difference, it actually tells you to load a dll. [game.dll]

Yarly, Hey Haxorz out there, these are the offsets you wanna look at!
[3RAW_game.dll]
0A_003C135C=3dff0000007605c1f81f
07_00285B33=b90d0000008be8
07_00361DD3=e878f41c0085c0
0A_0073DEB7=0fb70c4a81c900f00000
06_0039A458=7427396c2444
04_0028345C=c3cccccc
0A_00362211=85c00f84300400008b03
08_00743576=c1e00803e88b84ae
06_0039A39B=8b9798010000
06_0036040A=eb08c7442418
05_00285BA2=7529538bcf
06_0073DEC9=8a906c68aa6f
07_0073DFFC=e8df3dffff85c0
09_0000F453=8b41148b4910ba0200
07_00283444=8bc8ba01000000
04_003A1DE3=7504a802
07_003A1DE9=8b442424660918
05_00356E7E=6685c07604
06_00285B8C=742a8b442420
06_003F92CA=750a837b1400
06_00361DFC=01000000d3e8
06_00431556=85c00f84c000
08_00356F1C=3b86180200008944
08_00285B3A=e881fa22008b4010
07_003A1DCE=e85dd6c6ff8bd0
07_00361DF9=33c9b801000000
08_00356C67=85db8a8ee8070000
0A_0039A3B1=555056e8377b000023d8
0D_0039A465=668587f4010000741d8b8f9801
0C_003C5C22=740b81887c02000000020000
04_003A1E9B=23ca7532
06_00431569=85c00f84ad00
06_0000F490=74088b0083c4
06_003A1E64=8b0c41668b04
08_003C1354=f6d08ac88b44241c
07_003A1E8E=8b5424200fb732

Format:
Length_Offset=Data

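Ringo's record layout and Hdx's Length_Offset=Data list describe the same memory-check data from two sides: the request names an offset and a read length, and the list stores the bytes found at such offsets. The Python below is an added example for this thread, not code from any poster or from the SCGP/JBLS bots. It parses three entries copied from Hdx's list (the 12-byte read at 0x003C5C22 and the 6-byte read at 0x0039A39B are the same locations that appear as "Opcode: 0xBF Read: ... @" lines in Hdx's log), decodes a constructed request record in the layout Ringo gives, resolves it against a library base, and encodes the two response record kinds Ringo describes. The string-index table (index 1 = game.dll at 0x6F000000, the base l2k-Shadow quotes), the constructed request and all function names are assumptions, not anything the Warden module defines.

```python
import struct
from dataclasses import dataclass

# Three entries copied from Hdx's list above, in his Length_Offset=Data format:
# hex length, '_', hex offset relative to game.dll, '=', hex bytes at that offset.
SAMPLE_TABLE = """\
[3RAW_game.dll]
0C_003C5C22=740b81887c02000000020000
06_0039A39B=8b9798010000
04_0028345C=c3cccccc
"""

# Assumed string-index table: index 1 -> game.dll at the base l2k-Shadow quotes.
GAME_DLL_BASE = 0x6F000000
LIBRARY_TABLE = {1: ("game.dll", GAME_DLL_BASE)}


@dataclass(frozen=True)
class MemCheck:
    offset: int   # offset relative to the library base
    length: int   # number of bytes the check reads
    data: bytes   # bytes recorded at that offset


def parse_table(text):
    """Parse Length_Offset=Data lines into {offset: MemCheck}.
    Section headers such as [3RAW_game.dll] are skipped; a line whose
    length field disagrees with its data length raises ValueError."""
    checks = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):
            continue
        lhs, hexdata = line.split("=", 1)
        length_hex, offset_hex = lhs.split("_", 1)
        length, offset = int(length_hex, 16), int(offset_hex, 16)
        data = bytes.fromhex(hexdata)
        if len(data) != length:
            raise ValueError(f"{line}: length field {length} but {len(data)} data bytes")
        checks[offset] = MemCheck(offset, length, data)
    return checks


def decode_mem_request(buf, pos=0):
    """Decode one memory-check request in Ringo's layout:
    (BYTE) string index, (DWORD) offset, (BYTE) read length.
    The DWORD is taken as little-endian (assumption). Returns
    (string_index, offset, length, next_pos)."""
    string_index = buf[pos]
    (offset,) = struct.unpack_from("<I", buf, pos + 1)
    length = buf[pos + 5]
    return string_index, offset, length, pos + 6


def absolute_address(string_index, offset):
    """String index 0 means base 0; otherwise add the indexed library's base."""
    if string_index == 0:
        return offset
    _name, base = LIBRARY_TABLE[string_index]
    return base + offset


def encode_mem_response(data):
    """Memory-check response record: 0x01 if the address cannot be read,
    else 0x00 followed by the bytes read."""
    return b"\x01" if data is None else b"\x00" + bytes(data)


def encode_file_response(sha1_digest):
    """Local-file-check response record: 0x01 if the file cannot be read,
    else 0x00 followed by the 20-byte hash."""
    if sha1_digest is None:
        return b"\x01"
    if len(sha1_digest) != 20:
        raise ValueError("expected a 20-byte SHA-1 digest")
    return b"\x00" + bytes(sha1_digest)


def request_in_table(req, table):
    """Cross-check: does a request's (offset, length) match a table entry?"""
    _idx, offset, length, _next = decode_mem_request(req)
    entry = table.get(offset)
    return entry is not None and entry.length == length


# Constructed request record: string index 1 (game.dll), offset 0x003C5C22,
# 12 bytes, i.e. the location of the "Read: 12 @ 0x003C5C22" line in Hdx's log.
SAMPLE_REQUEST = bytes([0x01]) + struct.pack("<I", 0x003C5C22) + bytes([0x0C])

if __name__ == "__main__":
    table = parse_table(SAMPLE_TABLE)
    idx, off, ln, _ = decode_mem_request(SAMPLE_REQUEST)
    print(f"index={idx} offset=0x{off:08X} len={ln} abs=0x{absolute_address(idx, off):08X}")
    print("request matches a table entry:", request_in_table(SAMPLE_REQUEST, table))
```

The length check in parse_table is the useful part when working with a hand-copied list like Hdx's: a mistyped hex digit shows up immediately as a length mismatch instead of as a silently wrong record later.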

neckbeard

Registered just to post a suggestion in this thread, don't know if it's completely useless.
The Mac version of the Warcraft III client (in fact, all Mac versions of all Blizzard games) does not contain Warden, as it doesn't work with the infrastructure of OS X.
Would it be possible to have a bot spoof itself as a Mac client, tricking battle.net into not warden-checking?
We were discussing this over on the GHost++ forums, and someone linked here.

Yegg

Quote from: neckbeard on April 15, 2009, 02:32 AM
Registered just to post a suggestion in this thread, don't know if it's completely useless.
The Mac version of the Warcraft III client (in fact, all mac versions of all blizzard games) does not contain Warden, as it doesn't work with the infastructure of OS X.
Would it be possible to have a bot spoof itself as a Mac client, tricking battle.net into not warden-checking?
We were discussing this over on the GHost++ forums, and someone linked here.

I was wondering why there were like 15 guests viewing this topic. Has anyone tried this out yet? It shouldn't be hard. I haven't kept up with Bnet protocol lately so I don't have anything to work with. That would be an interesting test though.

Hdx

Pyro tested this out earlier tonight. And yes, there is no warden on mac clients.
But meh. Dunno if it's viable; they could just do something else.
