• Welcome to Valhalla Legends Archive.
 

WARDEN WANT'S YOU'RE FIRST BORN

Started by Ringo, August 11, 2009, 08:15 PM

Previous topic - Next topic

Ringo

Just a heads up, now warden is active once more;
I'm sure some of you have noticed, but for those of you that haven't:
Since wardens been enabled again, the responce to a "Page check" had changed, somtime between *then* and now -- it's no longer just null byte, it's 0xE9.
This is the 1st time i've noticed blizzard do somthing sneaky like this.
Basicly, this mean's (it always ment this, but you should be extra aware of it), when the warden module changes, you wont know for sure the responce you send back for a pagecheck, is valid. (it's been 0xE9 for the last 2 warden modules) You could be reporting you're self as cheating and never know it untill you're account was closed.
So unless you're reading this value from the downloaded warden module (to detect a value change, etc), next time this number changes, you may become a fallen warden victim.  :P

note: if you're useing a public warden handler/code thats floating around, you may want to double check, that it sends the result it reads from the ini file, for pagechecks. Because SCGP/modWarden.bas all have 0x00 hardcoded.

Heres a list of offsets/responce values etc (treat page check B as page check A's, and you should be *ok*)
3RAW/PX3W:

[MEMORY]
game.dll&H356F3E_5=66 85 C0 76 04
game.dll&H283504_7=8B C8 BA 01 00 00 00
game.dll&H361E93_7=E8 A8 DC 1D 00 85 C0
game.dll&H43F996_6=85 C0 0F 84 C0 00
game.dll&H3604CA_6=EB 08 C7 44 24 18
game.dll&H3A1FE4_6=8B 0C 41 66 8B 04
game.dll&H39A45B_6=8B 97 98 01 00 00
game.dll&H3A200E_7=8B 54 24 20 0F B7 32
game.dll&H3A1F63_4=75 04 A8 02
game.dll&H3A1F4E_7=E8 8D D5 C6 FF 8B D0
game.dll&H43F9A9_6=85 C0 0F 84 AD 00
game.dll&H285BFA_8=E8 B1 E2 23 00 8B 40 10
game.dll&H361EB9_7=33 C9 B8 01 00 00 00
game.dll&H74D059_6=8A 90 6C 7E AB 6F
game.dll&H39A474_8=E8 F7 7B 00 00 23 D8 89
game.dll&H285C62_5=75 29 53 8B CF
game.dll&H3CC2F2_12=74 0B 81 88 7C 02 00 00 00 02 00 00
game.dll&H3A1F69_7=8B 44 24 24 66 09 18
game.dll&H3C6E14_8=F6 D0 8A C8 8B 44 24 1C
game.dll&H752706_8=C1 E0 08 03 E8 8B 84 AE
game.dll&H285C4C_6=74 2A 8B 44 24 20
game.dll&H356FDC_8=3B 86 18 02 00 00 89 44
game.dll&HF503_9=8B 41 14 8B 49 10 BA 02 00
game.dll&H74D047_10=0F B7 0C 4A 81 C9 00 F0 00 00
game.dll&H285BF3_7=B9 0D 00 00 00 8B E8
game.dll&H361EBC_6=01 00 00 00 D3 E8
game.dll&H3A201B_4=23 CA 75 32
game.dll&H39A471_10=55 50 56 E8 F7 7B 00 00 23 D8
game.dll&H74D18C_7=E8 DF 3D FF FF 85 C0
game.dll&H39A518_6=74 27 39 6C 24 44
game.dll&H40770A_6=75 0A 83 7B 14 00
game.dll&H356D27_8=85 DB 8A 8E E8 07 00 00
game.dll&H3C6E1C_10=3D FF 00 00 00 76 05 C1 F8 1F
game.dll&H28351C_4=C3 CC CC CC
game.dll&HF540_6=74 08 8B 00 83 C4
game.dll&H3622D1_10=85 C0 0F 84 30 04 00 00 8B 03
game.dll&H39A525_13=66 85 87 F4 01 00 00 74 1D 8B 8F 98 01

[PAGEA]
&HD0000E8=E9
&HE000622=E9
&H300006D4=E9
&H19000059=E9
&H300006D7=E9
&H23000048=E9
&H2A0000F1=E9
&H24000032=E9
&HE0001FD=E9
&H20000049=E9
&H300007A8=E9
&H1700007C=E9
&H1F000234=E9
&H100000A1=E9
&H10000050=E9
&HD000160=E9
&H10000070=E9
&H1A0000C3=E9
&H24000030=E9
&H3700008E=E9
&H3000069C=E9
&H1F000219=E9
&H2A0000E1=E9
&H28000091=E9

[PAGEB]
&HC000000=E9
&HA000000=E9


SEXP/RATS:

[MEMORY]
&H41E237_4=74 38 A0 51
&H41E23E_16=0F BF 0D 54 EF 6C 00 0F BF 15 58 EF 6C 00 0C 01
&H41E24F_9=0F BF 35 56 EF 6C 00 A2 51
&H41E25B_10=0F BF 05 52 EF 6C 00 8D 74 06
&H4433E5_6=74 18 8B 46 0C E8
&H450236_12=8B 04 85 FC F4 68 00 83 F8 64 74 72
&H450240_6=74 72 85 C0 74 6E
&H4512E8_5=74 07 8A 43 46
&H4565E9_5=56 8B C3 E8 9F
&H4565EE_5=FE FF FF 85 C0
&H45816A_5=80 3D 3D 72 59
&H45816F_4=00 01 75 45
&H458E4A_5=80 F9 01 66 89
&H458E4F_6=15 C4 C1 68 00 5E
&H46F428_9=84 C8 0F 84 05 01 00 00 8B
&H46F42A_9=0F 84 05 01 00 00 8B 8E DC
&H47FF61_11=8A 46 07 8A A8 A0 73 59 00 03 FA
&H485BD0_9=55 8B EC 51 A1 A0 4A 65 00
&H486033_6=C3 CC CC CC CC CC
&H48A452_11=E9 E9 71 FD FF E9 54 71 FD FF C3
&H48E502_2=74 73
&H4A3357_8=A3 80 CC 59 00 E8 3F 24
&H4A3ECD_12=68 B0 DD 6C 00 FF 15 7C E3 4F 00 C3
&H4BD60F_8=E8 CC 32 FC FF E8 47 F9
&H4CE6B7_6=C3 CC CC CC CC CC
&H4D302D_16=68 B0 DD 6C 00 FF 15 7C E3 4F 00 A1 F8 68 59 00

[PAGEA]
&H10000050=E9
&H10000070=E9
&H100000A1=E9
&H1700007C=E9
&H170001E9=E9
&H19000059=E9
&H1A0000C3=E9
&H1F000219=E9
&H1F000234=E9
&H20000022=E9
&H20000049=E9
&H23000048=E9
&H24000032=E9
&H250001EE=E9
&H250001FE=E9
&H28000091=E9
&H2A0000E1=E9
&H2A0000F1=E9
&H3000069C=E9
&H300006D4=E9
&H300006D7=E9
&H300007A8=E9
&H32000121=E9
&H33000030=E9
&H3700008E=E9
&H40000081=E9
&HD0000E8=E9
&HD000160=E9
&HE0001FD=E9
&HE000622=E9

[PAGEB]
&HA000000=E9
&HC000000=E9

Hdx

#1
Is there any possibility of getting this information progmatically from the modules?
Also, can you list me all the modules you have for the diff versions? I just want the names and I'm pretty sure you have a full list :P (I never reconnect enough to get every module)
I'd like to make my dll check the module name and determine if ti should use 0x00/0xE9, so it support all '3 versions' of warden as we've seen them.

Also, any suggestions on how to progmatically differ between A/B?

<3 much Ringo

Proud host of the JBLS server www.JBLS.org.
JBLS.org Status:
JBLS/BNLS Server Status

Mystical


Ringo

#3
Just to let people know, the responce to page check's is still 0xE9.
I've tryed to check the client each morning, to make sure it's still spitting out 0xE9, and so far, from what i've seen, its stayed at 0xE9. (but for how long, is anyones guess)
I've also been hearing reports, if you're sending the old responce value (0x00), it will cause problems with other client's/bots, ie; causeing BW to drop every 2mins.
So id assume sending anything other than 0xE9 for a pagecheck, make's bnet angry.
(I remember hearing, if you were hacking on client, warden would send back bad responces, causeing strange things would happen, like getting melee loss's after games, when you won, etc)


Idk what use this is, but heres a small packet dump of client's warden traffic/responces etc;


[15:09:52] Request: 37
00 BF 33 69 74 C2 B3 3B 4A EE 8F E9 CF 15 4C B1       ..3it..;J.....L.
BE B7 C0 8F 76 3A FF 6A D9 A5 DD D1 93 AF 1A AE       ....v:.j........
85 A0 48 00 00                                        ..H..


[15:09:52] Responce: 1
01                                                    .


[15:09:52] Request: 17
05 61 F5 E3 D0 37 9F 1F 9D B5 2D AA 42 48 76 E4       .a...7....-.BHv.
9B                                                    .


[15:09:52] Responce: 21
04 2C D8 B1 53 DB 45 33 6C 91 5F E2 CB 56 6B FF       .,..S.E3l._..Vk.
E7 A2 45 17 4E                                        ..E.N


[15:09:56] Request: 174

- Starcraft.exe = 0x485BD0, len = 9 =  55 8B EC 51 A1 A0 4A 65 00
- Starcraft.exe = 0x486033, len = 6 =  C3 CC CC CC CC CC
- 6D EA 12 8E 81 83 CA 01 A4 B9 31 79 B6 A5 F8 E0 4B FD 51 38 58 C0 71 1D 8A B2 F1 00 00 2A
- 6D 24 95 42 B5 CE 38 BD A2 F3 C7 7C 97 11 43 7B 46 12 A6 C6 1C 02 10 E8 D5 F8 D4 06 00 30
- Starcraft.exe = 0x458E4A, len = 5 =  80 F9 01 66 89
- 6D 90 8F CC 15 6E A2 5A AF 39 31 B3 D4 13 A1 8C 2B 8B FC 2B F1 FE C4 FE 62 B9 32 00 00 24
- 6D 0D 74 69 32 3E 3E E0 DF 1D 68 28 14 49 57 34 C2 30 CA B7 09 9A 8B 91 AA 69 32 00 00 24
- 6D 1B 0E 56 DC 99 28 8A 0C 6E 19 3A C1 0E AA C4 CB F6 06 27 09 1F EB 60 D4 EC D7 06 00 30

02 00 69 00 D0 5B 48 00 09 69 00 33 60 48 00 06       ..i..[H..i.3`H..
6D EA 12 8E 81 83 CA 01 A4 B9 31 79 B6 A5 F8 E0       m.........1y....
4B FD 51 38 58 C0 71 1D 8A B2 F1 00 00 2A 6D 24       K.Q8X.q......*m$
95 42 B5 CE 38 BD A2 F3 C7 7C 97 11 43 7B 46 12       .B..8....|..C{F.
A6 C6 1C 02 10 E8 D5 F8 D4 06 00 30 69 00 4A 8E       ...........0i.J.
45 00 05 6D 90 8F CC 15 6E A2 5A AF 39 31 B3 D4       E..m....n.Z.91..
13 A1 8C 2B 8B FC 2B F1 FE C4 FE 62 B9 32 00 00       ...+..+....b.2..
24 6D 0D 74 69 32 3E 3E E0 DF 1D 68 28 14 49 57       $m.ti2>>...h(.IW
34 C2 30 CA B7 09 9A 8B 91 AA 69 32 00 00 24 6D       4.0.......i2..$m
1B 0E 56 DC 99 28 8A 0C 6E 19 3A C1 0E AA C4 CB       ..V..(..n.:.....
F6 06 27 09 1F EB 60 D4 EC D7 06 00 30 28             ..'...`.....0(


[15:10:01] Responce: 35
02 1C 00 47 40 3F 35 00 55 8B EC 51 A1 A0 4A 65       ...G@?5.U..Q..Je
00 00 C3 CC CC CC CC CC E9 E9 00 80 F9 01 66 89       ..............f.
E9 E9 E9                                              ...


[15:10:17] Request: 158

- Starcraft.exe = 0x4D302D, len = 16 = 68 B0 DD 6C 00 FF 15 7C E3 4F 00 A1 F8 68 59 00
- Starcraft.exe = 0x46F42A, len = 9 =  0F 84 05 01 00 00 8B 8E DC
- 6D DC 17 01 37 71 E8 97 C0 2C E7 99 3C 42 DF 33 6B 22 6C 14 22 80 37 2B 2E 08 59 00 00 19
- Starcraft.exe = 0x450236, len = 12 = 8B 04 85 FC F4 68 00 83 F8 64 74 72
- 6D 62 20 95 A5 CE 22 7C 0C 4B 68 F3 1E 16 3C 60 07 73 28 D5 1A 8C 5D F5 24 E4 E8 00 00 0D
- Starcraft.exe = 0x4CE6B7, len = 6 =  C3 CC CC CC CC CC
- 6D 22 E1 03 EF AC 49 20 E7 CE B5 42 1B 86 86 B3 C8 31 19 30 C8 7E 58 80 C0 F8 D4 06 00 30
- AE 78 AF 2C EF BB 29 0D 51 D5 33 2A A1 47 E9 39 1F 0D F4 A3 08 F0 C2 21 34 C6 00 00 00 0A
- Starcraft.exe = 0x4A3ECD, len = 12 = 68 B0 DD 6C 00 FF 15 7C E3 4F 00 C3

02 00 69 00 2D 30 4D 00 10 69 00 2A F4 46 00 09       ..i.-0M..i.*.F..
6D DC 17 01 37 71 E8 97 C0 2C E7 99 3C 42 DF 33       m...7q...,..<B.3
6B 22 6C 14 22 80 37 2B 2E 08 59 00 00 19 69 00       k"l.".7+..Y...i.
36 02 45 00 0C 6D 62 20 95 A5 CE 22 7C 0C 4B 68       6.E..mb ..."|.Kh
F3 1E 16 3C 60 07 73 28 D5 1A 8C 5D F5 24 E4 E8       ...<`.s(...].$..
00 00 0D 69 00 B7 E6 4C 00 06 6D 22 E1 03 EF AC       ...i...L..m"....
49 20 E7 CE B5 42 1B 86 86 B3 C8 31 19 30 C8 7E       I ...B.....1.0.~
58 80 C0 F8 D4 06 00 30 AE 78 AF 2C EF BB 29 0D       X......0.x.,..).
51 D5 33 2A A1 47 E9 39 1F 0D F4 A3 08 F0 C2 21       Q.3*.G.9.......!
34 C6 00 00 00 0A 69 00 CD 3E 4A 00 0C 28             4.....i..>J..(


[15:10:20] Responce: 71
02 40 00 10 FE 75 29 00 68 B0 DD 6C 00 FF 15 7C       [email protected]).h..l...|
E3 4F 00 A1 F8 68 59 00 00 0F 84 05 01 00 00 8B       .O...hY.........
8E DC E9 00 8B 04 85 FC F4 68 00 83 F8 64 74 72       .........h...dtr
E9 00 C3 CC CC CC CC CC E9 E9 00 68 B0 DD 6C 00       ...........h..l.
FF 15 7C E3 4F 00 C3                                  ..|.O..




Quote from: Hdx on August 11, 2009, 08:55 PM
Is there any possibility of getting this information progmatically from the modules?

Also, can you list me all the modules you have for the diff versions? I just want the names and I'm pretty sure you have a full list :P (I never reconnect enough to get every module)
I'd like to make my dll check the module name and determine if ti should use 0x00/0xE9, so it support all '3 versions' of warden as we've seen them.

Also, any suggestions on how to progmatically differ between A/B?

<3 much Ringo
Probably, but I expect it may proove fairly tricky to get working in a fail safe manner, that works with all modules.
My modules are all mixed up now, i've got both kinds. (over 600 in total)

If you mean differ between a pageA and pageB check, then probly somthing like this

if looks like pagecheck
   if op code <> pre-determined pageA op code
       B = opcode
   end if
end if

Or somthing like that -- just compare the op codes, or the end dword (page B will always have an unsigned offset < 0x100 iirc.
Fair few ways to go about it, persionaly id go on op codes.

Mystical

Strangely enough, my bot stays connected just fine, never any disconnects, but my client and many others that i play with have there clients drop them, with that being said, alot of us dont even use hacks. anyone know if bnets just sending bad warden request that the client isn't updated to handle?

Ringo

#5
Well, i've persionaly had no problem with this, but then again, I haven't played broodwar in awhile and when I do, it's normaly on a differnt realm to where I idle a few bots, which idle on w2/d2. :p

I figgured id look into this just now to find some kind of out-line to it.
It takes 2 - 6mins to do a test, so i've only done a few -- pretty simple to do.
I connected a bot up on PXES, and made it send bad warden responces (0x00 page check responces)
I then connected the actuall broodwar client up to the same server cluster (could be another bot, cant see why it would matter)
After 2 - 5mins, broodwar (the legit bot) drops, but the bot (bad responder) remains connected.
Seemed more common on useast, altho I only did a handfull of tests.
BW didnt drop on europe/west, after 6mins, so i'm not sure if it will happen there to.

Basicly (on east), with a good/bad responder on the same server cluster, the bad responder will cause the good responder to drop every 2 - 5mins.
With 2 good responders on the same server cluster, it tolk around 20-30mins for BW to drop. (my internet is kinda crappy, so not sure if that drop was related, or badluck/random)
Captureing a packet log of BW's traffic, right up untill it drops, showed BW was responding to warden just fine.

id take a guess that bnet is broadcasting every x time and binding/linking client's (from same IP etc) inorder to ban everything tied to an offender.
Somone needs to do a bunch more tests to narrow the effects/causes down a little more, I got lazzy, since testing is rather time consuming :p
The interval between drops, was kind of all over the place (2-5mins) which made me think a server was broadcasting to others inorder to link client's.

Im not sure if;
spoofing 0ms ping or chatting/anti idleing on one/both clients will effect anything (time out related)
Drops on realms other than east.
Drops if both clients are on a differnt server cluster -- if so and above, still Drops if both clients are on differnt realms.

If somones got some time to burn, it might be worth looking into abit more.

@Mystical
Did you update ur warden handler to send 0xE9 for pagechecks, rather than 0x00?
Somthing like;

------ from;
   If Len(GetINI("PAGEA", "&H" & Hex(A), m_WardenIniPath, vbNullString)) = 0 Then Exit Function
   P = P + 30
   Get0x02Data = vbNullChar
------ to;
   R = GetINI("PAGEA", "&H" & Hex(A), m_WardenIniPath, vbNullString)
   If Len(R) = 0 Then R = GetINI("PAGEB", "&H" & Hex(A), WardenIniPath, vbNullString)
   If Len(R) = 0 Then Exit Function
   P = P + 30
   Get0x02Data = HexToStr(R)

eX.Pro

Quote from: Ringo on August 16, 2009, 06:57 PM
@Mystical
Did you update ur warden handler to send 0xE9 for pagechecks, rather than 0x00?
Somthing like;

------ from;
    If Len(GetINI("PAGEA", "&H" & Hex(A), m_WardenIniPath, vbNullString)) = 0 Then Exit Function
    P = P + 30
    Get0x02Data = vbNullChar
------ to;
    R = GetINI("PAGEA", "&H" & Hex(A), m_WardenIniPath, vbNullString)
    If Len(R) = 0 Then R = GetINI("PAGEB", "&H" & Hex(A), WardenIniPath, vbNullString)
    If Len(R) = 0 Then Exit Function
    P = P + 30
    Get0x02Data = HexToStr(R)


    If Len(R) = 0 Then R = GetINI("PAGEB", "&H" & Hex(A), m_WardenIniPath, vbNullString)

Thanks ringo for your warden module.

Mystical

with this line, my bot's have worked correctly since u released the new configs, but my actual GAME Client has failed since the warden was re-activated on the useast server.
it's not my bots problem its the actual client and many other people i play with have the same problem.
Quote
If Len(GetINI("PAGEA", CStr("&H" & Hex(A)), m_WardenIniPath, vbNullString)) = 0 And Len(GetINI("PAGEB", CStr("&H" & Hex(A)), m_WardenIniPath, vbNullString)) = 0 Then Exit Function
[/qoute]

Mystical

Word from blizzard is, that they are aware of the problem and they are looking into it, so my guess would be to expect a new patch soon.

eX.Pro

#9
Warden Updated.  >:(

::Working::
--WAR3--

[MEMORY]
game.dll&HF540_6=74 08 8B 00 83 C4
game.dll&H43F969_6=85 C0 0F 84 AD 00
game.dll&H285BFA_8=E8 51 E3 23 00 8B 40 10
game.dll&H3C6E14_8=F6 D0 8A C8 8B 44 24 1C
game.dll&H43F956_6=85 C0 0F 84 C0 00
game.dll&H39A474_8=E8 F7 7B 00 00 23 D8 89
game.dll&H356D27_8=85 DB 8A 8E E8 07 00 00
game.dll&H285C62_5=75 29 53 8B CF
game.dll&H3CC2F2_12=74 0B 81 88 7C 02 00 00 00 02 00 00
game.dll&H7527A6_8=C1 E0 08 03 E8 8B 84 AE
game.dll&H28351C_4=C3 CC CC CC
game.dll&H39A471_10=55 50 56 E8 F7 7B 00 00 23 D8
game.dll&HF503_9=8B 41 14 8B 49 10 BA 02 00
game.dll&H3A1F69_7=8B 44 24 24 66 09 18
game.dll&H3A200E_7=8B 54 24 20 0F B7 32
game.dll&H3A201B_4=23 CA 75 32
game.dll&H3604CA_6=EB 08 C7 44 24 18
game.dll&H285C4C_6=74 2A 8B 44 24 20
game.dll&H361E93_7=E8 48 DD 1D 00 85 C0
game.dll&H361EB9_7=33 C9 B8 01 00 00 00
game.dll&H39A45B_6=8B 97 98 01 00 00
game.dll&H356F3E_5=66 85 C0 76 04
game.dll&H74D0F9_6=8A 90 6C 7E AB 6F
game.dll&H39A518_6=74 27 39 6C 24 44
game.dll&H39A525_13=66 85 87 F4 01 00 00 74 1D 8B 8F 98 01
game.dll&H74D22C_7=E8 DF 3D FF FF 85 C0
game.dll&H361EBC_6=01 00 00 00 D3 E8
game.dll&H3C6E1C_10=3D FF 00 00 00 76 05 C1 F8 1F
game.dll&H74D0E7_10=0F B7 0C 4A 81 C9 00 F0 00 00
game.dll&H283504_7=8B C8 BA 01 00 00 00
game.dll&H3A1F63_4=75 04 A8 02
game.dll&H3A1F4E_7=E8 8D D5 C6 FF 8B D0
game.dll&H3622D1_10=85 C0 0F 84 30 04 00 00 8B 03
game.dll&H356FDC_8=3B 86 18 02 00 00 89 44
game.dll&H4076CA_6=75 0A 83 7B 14 00
game.dll&H285BF3_7=B9 0D 00 00 00 8B E8
game.dll&H3A1FE4_6=8B 0C 41 66 8B 04

[PAGEA]
&HD0000E8=E9
&HE000622=E9
&H300006D4=E9
&H19000059=E9
&H300006D7=E9
&H23000048=E9
&H2A0000F1=E9
&H24000032=E9
&HE0001FD=E9
&H20000049=E9
&H300007A8=E9
&H1700007C=E9
&H1F000234=E9
&H100000A1=E9
&H10000050=E9
&HD000160=E9
&H10000070=E9
&H1A0000C3=E9
&H24000030=E9
&H3700008E=E9
&H3000069C=E9
&H1F000219=E9
&H2A0000E1=E9
&H28000091=E9

[PAGEB]
&HC000000=E9
&HA000000=E9


Enjoy.

Ringo

STAR/SEXP - WAR3/W3XP
Still sending 0xE9 for page checks, SC/BW now checking a storm.dll address, i'm not sure if game.dll changed at all this patch, so I just assumed it did (altho, I think 1 new game.dll offset was added)

Sixen

Any other information you can offer on why the client would be sending a bad Warden response, Ringo? I've got people saying they don't use any chat bots, no hacks, no nothing, and Warden is disconnecting them from the actual client as well.
Blizzard Tech Support/Op W@R - FallenArms
The Chat Gem Lives!
http://www.diablofans.com
http://www.sixen.org

Maged

#12
Quote from: Sixen on September 07, 2009, 01:08 AM
I've got people saying they don't use any chat bots, no hacks, no nothing, and Warden is disconnecting them from the actual client as well.
They aren't just saying this, I've verified it with my own computer with a single active (completely legit) Battle.net connection.