Warden 0x5E Rundown

Started by incubus, April 23, 2009, 02:16 PM

incubus

I've been reading over a few sources for a while, and am trying to do a detailed breakdown of how warden works.  I find the explanation of most guides limiting only by their sheer structure, so I'm going to try to do my own complete guide which should hopefully be very helpful to everyone.

First question I have out of the box is, all 0x5E SID_WARDEN packets are encrypted by an RC4 encryption scheme which has a key generated by the first 4 bytes of the CD-Key hash (this is for W3XP); is this right?  Where does the random shared data come into play?  I was looking at this link http://www.skullsecurity.org/wiki/index.php/Warden_Packets and found the explanations alright, but severely lacking traits of a good technical document.

Hdx

What don't you get?
The RC4 seeds are generated using the 'random' functions.

' KeySeed is the 4-byte seed; S1 and S2 hash its two halves
S1 = SHA1(Left(KeySeed, 2))
S2 = SHA1(Right(KeySeed, 2))
' Str(20, 0) is 20 zero bytes; D1 is the first 20-byte block of 'random' data
D1 = SHA1(S1, Str(20, 0), S2)
OutSeed = left(D1, 16)
' InSeed takes the remaining 4 bytes of D1 plus 12 bytes of the next block
InSeed = Mid(D1, 17) & left(SHA1(S1, D1, S2), 12)
OutKey = RC4Init(OutSeed)
InKey = RC4Init(InSeed)

Then you Init the rc4s using those seeds.
The problem I have with understanding it is that the 'random' really isn't 'random', but I can't think of a better name for it.

Proud host of the JBLS server www.JBLS.org.

incubus

Well my question is what is actually encrypted?  The packet has 0x5E, then a 0, then data.  Is it the data after the 0 that you decrypt?  With the zero?  And how are the 0x00 packets and such structured that you receive from the server?  It's literally a packet starting with 0x00 as the first byte of data?

Hdx

Quote from: incubus on April 23, 2009, 08:34 PM
Well my question is what is actually encrypted?  The packet has 0x5E, then a 0, then data.  Is it the data after the 0 that you decrypt?  With the zero?  And how are the 0x00 packets and such structured that you receive from the server?  It's literally a packet starting with 0x00 as the first byte of data?
Oh, no, the entire payload of the 0x5E packet minus the BNCS header is RC4 encrypted.
Example packet:

FF 5E 06 00 C0 DE
C0 DE would be RC4 encrypted. After that, the first byte would be the opcode.

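The seed derivation Hdx gives in the earlier reply and the header layout in this one, as an added Python example (not code from the thread, from JBLS or from Warden itself); the 4-byte seed, the packet bytes and the function names are constructed for illustration, and the in/out naming follows the post.

```python
import hashlib


class RC4:
    """Streaming RC4: keystream position persists across calls, because each Warden
    direction keeps one cipher state running across all of its 0x5E packets."""

    def __init__(self, key: bytes):
        s, j = list(range(256)), 0
        for i in range(256):                      # key-scheduling algorithm
            j = (j + s[i] + key[i % len(key)]) & 0xFF
            s[i], s[j] = s[j], s[i]
        self.s, self.i, self.j = s, 0, 0

    def crypt(self, data: bytes) -> bytes:        # encrypt and decrypt are the same op
        out = bytearray()
        for b in data:
            self.i = (self.i + 1) & 0xFF
            self.j = (self.j + self.s[self.i]) & 0xFF
            self.s[self.i], self.s[self.j] = self.s[self.j], self.s[self.i]
            out.append(b ^ self.s[(self.s[self.i] + self.s[self.j]) & 0xFF])
        return bytes(out)


def sha1(*parts: bytes) -> bytes:
    return hashlib.sha1(b"".join(parts)).digest()


def warden_seeds(key_seed: bytes):
    """Hdx's derivation: S1/S2 hash the two halves of the 4-byte seed, D1 = SHA1(S1, 20 zero
    bytes, S2); OutSeed is D1[:16], InSeed is D1[16:] plus 12 bytes of SHA1(S1, D1, S2)."""
    if len(key_seed) != 4:
        raise ValueError("KeySeed is the first 4 bytes of the CD-key hash")
    s1, s2 = sha1(key_seed[:2]), sha1(key_seed[2:])
    d1 = sha1(s1, bytes(20), s2)
    return d1[:16], d1[16:] + sha1(s1, d1, s2)[:12]


def warden_payload(packet: bytes) -> bytes:
    """Strip the 4-byte BNCS header (FF 5E + little-endian length); the rest is RC4 data."""
    if len(packet) < 4 or packet[:2] != b"\xff\x5e":
        raise ValueError("not a SID_WARDEN (0x5E) packet")
    if int.from_bytes(packet[2:4], "little") != len(packet):
        raise ValueError("BNCS length field does not match packet size")
    return packet[4:]


if __name__ == "__main__":
    out_seed, in_seed = warden_seeds(b"\x01\x02\x03\x04")  # constructed sample seed
    server_out, client_in = RC4(in_seed), RC4(in_seed)      # both ends derive the same stream
    wire = b"\xff\x5e\x06\x00" + server_out.crypt(b"\x00\x00")  # opcode 0x00 plus one byte
    print(client_in.crypt(warden_payload(wire)).hex())      # first decrypted byte is the opcode
```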