[Warden] - Discussing Analysis

Started by Fr3DBr, January 26, 2010, 09:07 PM


Fr3DBr

The following is one of the analyses I'm performing on the 0x02 packet.


[WARDEN REQUEST S->C] [OPCODE : 0x02] [LENGTH : 000156 BYTES]
OFFSET  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F | 0123456789ABCDEF
--------------------------------------------------------------------------
000000  0C 44 32 43 6C 69 65 6E 74 2E 64 6C 6C 09 44 32   .D2Client.dll.D2 
000010  57 69 6E 2E 64 6C 6C 0A 75 73 65 72 33 32 2E 64   Win.dll.user32.d 
000020  6C 6C 0C 50 65 65 6B 4D 65 73 73 61 67 65 41 00   ll.PeekMessageA. 
000030  BC 39 0D 10 EB 12 7A A7 CD 99 55 A0 A3 57 25 57   .9....z...U..W%W 
000040  9D 2F E9 DB A5 A4 12 3B 82 E4 E8 00 00 0D 38 01   ./.....;......8. 
000050  60 BB 07 00 04 38 02 8F D9 00 00 08 BC 0F E6 C0   `....8.......... 
000060  57 6F 6F DF 01 ED EB 70 9D 63 2D 02 02 F1 DB 05   Woo....p.c-..... 
000070  23 9A 0B 00 FA F8 D7 06 00 30 D3 D2 7B E0 63 92   #........0..{.c. 
000080  E0 C6 03 27 51 43 AF 0F C5 6D 6D B4 2A 3D 18 7F   ...'QC...mm.*=.. 
000090  6B 97 C7 03 04 02 33 0C 00 1E 29                  k.....3...) 
--------------------------------------------------------------------------

C:\Users\Fr3DBr\Desktop\D2 Bot\Debug>TestSec.exe

- Parsing String Array :

   - [01] D2Client.dll
   - [02] D2Win.dll
   - [03] user32.dll
   - [04] PeekMessageA

- Parsing Command Instructions

   - Page Check :      ADDR[ 0x0D0000E8 ]
   - Hex : BC390D10EB127AA7CD9955A0A35725579D2FE9DBA5A4123B82E4E800000D
   - Memory Check :    FILE[ D2Client.dll ] ADDR[ 0x0007BB60 ]
   - Hex : 380160BB070004
   - Memory Check :    FILE[ D2Win.dll ] ADDR[ 0x0000D98F ]
   - Hex : 38028FD9000008
   - Page Check :      ADDR[ 0x300006D7 ]
   - Hex : BC0FE6C0576F6FDF01EDEB709D632D0202F1DB05239A0B00FAF8D7060030
   - Unknown Check
   - Hex : D3D2
   - Windows API Check : FILE[ user32.dll ] SYMBOL[ PeekMessageA ]
   - Hex : 7BE06392E0C603275143AF0FC56D6DB42A3D187F6B97C7030402330C001E

C:\Users\Fr3DBr\Desktop\D2 Bot\Debug>


The question is, does anyone know what the bytes D3D2 are?
I didn't find any 'matching' condition and I don't know what to answer in that case.

Hdx

#1
MEM_CHECK:
  S->C:
    (UInt8)  Library Index
    (UInt32) Address
    (UInt8)  Length
  C->S:
    (UInt8)  Result: 0: Success, 1: Failure
    If Result == Success Then
      (UInt8[Length]) Memory Data
PAGE_CHECK_A/B:
  S->C:
    (UInt32)    Seed
    (UInt8[20]) SHA1
    (UInt32)    Address
    (UInt8)     Length
  C->S:
    (UInt8) Result:
      Module specific, 0x00, or 0xE9 for failure
MPQ_FILE_CHECK:
  S->C:
    (UInt8) File Name Index
  C->S:
    (UInt8) Result: 0: Success 1: Failed
    If Result == Success Then
      (UInt8[20]) SHA1 Hash of file
LUA_STRING_CHECK:
  S->C:
    (UInt8) String Index
  C->S:
    (UInt8) Result? Only ever seen 0x00
    (UInt8) Length
    (UInt8[Length]) Data
DRIVER_CHECK:
  S->C:
    (UInt32)    Seed
    (UInt8[20]) SHA1
    (UInt8)     Name Index
  C->S:
    (UInt8) Result:
      Module specific, 0x00, or 0xE9 for failure
TIMING_CHECK:
  S->C:
    [Blank]
  C->S:
    (UInt32) GetTickCount
FUNCTION_CHECK:
  S->C:
    (UInt32)    Seed
    (UInt8[20]) SHA1
    (UInt8)     Library Index
    (UInt8)     Function Index
    (UInt32)    Address
    (UInt8)     Length
  C->S:
    (UInt8) Result:
      Module specific, 0x00, or 0xE9 for failure
MODULE_CHECK:
  S->C:
    (UInt32)    Seed
    (UInt8[20]) SHA1
  C->S:
    (UInt8) Result:
      Module specific, 0x00, or 0xE9 for failure

Anyways those 2 bytes are part of the function check

Proud host of the JBLS server www.JBLS.org.
JBLS.org Status:
JBLS/BNLS Server Status
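
Hdx's field layouts applied to the request dumped in the first post, as an added example (not code from either poster). Assumptions: the opcode bytes 0x38, 0xBC and 0xD3 are read off this one capture (TestSec's labels plus Hdx's answer about D3D2), integers are little-endian as the Memory Check addresses in the TestSec output imply, and the names `parse_strings` and `parse_request` are hypothetical.

```python
import struct

# Bytes following the 0x02 opcode, transcribed from the hex dump in the first post.
PACKET = bytes.fromhex(
    "0C4432436C69656E742E646C6C09443257696E2E646C6C0A7573657233322E64"
    "6C6C0C5065656B4D6573736167654100BC390D10EB127AA7CD9955A0A3572557"
    "9D2FE9DBA5A4123B82E4E800000D380160BB07000438028FD9000008BC0FE6C0"
    "576F6FDF01EDEB709D632D0202F1DB05239A0B00FAF8D7060030D3D27BE06392"
    "E0C603275143AF0FC56D6DB42A3D187F6B97C7030402330C001E29"
)

# Layouts from Hdx's reply. Opcode values are an assumption taken from this
# capture only; they are not a general opcode table.
LAYOUTS = {
    0x38: ("MEM_CHECK", "<BIB", ("lib", "addr", "len")),
    0xBC: ("PAGE_CHECK", "<I20sIB", ("seed", "sha1", "addr", "len")),
    0xD3: ("FUNCTION_CHECK", "<I20sBBIB", ("seed", "sha1", "lib", "func", "addr", "len")),
}

def parse_strings(buf):
    """Length-prefixed strings ended by a zero length byte -> (strings, next offset)."""
    strings, pos = [], 0
    while pos < len(buf) and buf[pos] != 0:
        n = buf[pos]
        if pos + 1 + n > len(buf):
            raise ValueError("string runs past end of packet")
        strings.append(buf[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return strings, pos + 1

def parse_request(buf):
    """Decode the string table, then each check; return leftover bytes undecoded."""
    strings, pos = parse_strings(buf)
    checks = []
    while pos < len(buf) and buf[pos] in LAYOUTS:
        name, fmt, fields = LAYOUTS[buf[pos]]
        size = struct.calcsize(fmt)
        if pos + 1 + size > len(buf):
            raise ValueError(f"truncated {name} at offset {pos:#x}")
        rec = dict(zip(fields, struct.unpack_from(fmt, buf, pos + 1)))
        for key in ("lib", "func"):  # 1-based indices into the string table
            if key in rec:
                if not 1 <= rec[key] <= len(strings):
                    raise ValueError(f"{name}: string index {rec[key]} out of range")
                rec[key] = strings[rec[key] - 1]
        checks.append((name, rec))
        pos += 1 + size
    return strings, checks, buf[pos:]
```

With these layouts the D3 record takes the bytes from D3D2 through 0x1E and resolves to user32.dll / PeekMessageA, and the first 0xBC record reads as address 0x0000E8E4 with length 0x0D. The five checks consume everything except a final 0x29 byte, which is returned undecoded.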

Fr3DBr

Wow, very nice Hdx, coding this right now :) so we can see the stability