Valhalla Legends Forums Archive | Battle.net Bot Development | Warden anti-hack is back..

Author | Message | Time
BreW
The warden! He's back again, with a vengeance! We've really gotta find a way to respond to this packet. Honestly. So let's start from what we DO know.
So far, the packet's payload (37 bytes) is RC4 encrypted with the key made up of 4 DWORDs from various values in the 0x51. Errrr.... This is all we know (pretty much) right now. Isn't anyone interested in finding a way to kill the warden once and for all? Even though the initial topic about it died a while ago?
August 30, 2007, 12:01 AM
dlStevens
http://www.rootkit.com/vault/hoglund/Governor.zip

If anyone hasn't used this or heard of this, it monitors Warden's activity.


EDIT: That's only for WoW.
August 30, 2007, 1:51 AM
GSX
Uhm, I don't believe that Warden is active on USWest.

I have been logged on for several hours without any problem, but when I connect on East, I get fried.

Nevermind, it's because I haven't reconnected in over 5 days. O_o
August 30, 2007, 1:56 AM
dlStevens
Well, I recently got hooked into finding out what warden was all about. From what I've read...

Warden checks:
- Process names.
- Window titles.
- Scans a small portion of code segment.

Warden then takes the scanned strings and hashes them comparing them to the list of hashes known to correspond to programs that induce cheating.

According to something I read up on, Warden does not send information, it only sends a flag.


[quote author=GSX link=topic=16998.msg172169#msg172169 date=1188439004]
Uhm, I don't believe that Warden is active on USWest.

I have been logged on for several hours without any problem, but when I connect on East, I get fried.

Nevermind, it's because I haven't reconnected in over 5 days. O_o
[/quote]


Uh, that must have changed, because I got this.

[code]
[9:56:28 PM] Last logon: Thu Aug 30  1:58 AM
[9:56:28 PM] Joined channel Op Council (flags 0x00000000)
[9:56:28 PM] Account created: June 18, 2006 at 08:04:45 PM
[9:56:28 PM] Last logon: August 30, 2007 at 01:58:53 AM
[9:56:28 PM] Last log off: July 7, 2007 at 05:21:06 AM
[9:56:28 PM] Time Logged: 10 days, 9 hours, 30 minutes, 25 seconds.
[10:08:08 PM] You are currently IPBanned on this realm/server.
[10:08:08 PM] BNET ERROR: Connection is aborted due to timeout or other failure [ 10053 ]
[10:08:08 PM] Disconnected from Battle.net.
[/code]
August 30, 2007, 2:09 AM
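The check model dlStevens describes above (process names, window titles and a slice of the code segment, each hashed and compared against a list of known-bad hashes, with only a flag going back to the server) as an added example. This is not code from the thread, from any bot mentioned in it, or from Warden itself; the hash algorithm (SHA-1), the chunk size, the blocklist entries and the sample inputs are all constructed for illustration.

```python
import hashlib
from typing import Iterable


def digest(data: bytes) -> bytes:
    """Hash used for matching. SHA-1 is an assumption; the thread only says 'hashes'."""
    return hashlib.sha1(data).digest()


def norm(s: str) -> bytes:
    """Case-fold and trim so 'MapHack.EXE ' and 'maphack.exe' compare equal."""
    return s.strip().lower().encode("utf-8")


CODE_CHUNK = 8  # constructed window size for the code-segment scan

# Constructed blocklist. The client only holds digests: it can tell whether something
# it sees is on the list, but cannot read the names or byte patterns back out of it.
KNOWN_BAD = {
    digest(norm("maphack.exe")),                   # a process name
    digest(norm("StarCraft Hack v1.0")),           # a window title
    digest(b"\x90\x90\xe8\x00\x00\x00\x00\x5b"),   # an 8-byte code pattern (constructed)
}


def scan(process_names: Iterable[str], window_titles: Iterable[str], code_segment: bytes) -> bool:
    """Return only a verdict: True if any process name, window title, or CODE_CHUNK-byte
    window of the scanned code matches a known-bad digest. Nothing scanned leaves here."""
    for name in process_names:
        if digest(norm(name)) in KNOWN_BAD:
            return True
    for title in window_titles:
        if digest(norm(title)) in KNOWN_BAD:
            return True
    # Slide one byte at a time over the code bytes, hashing each CODE_CHUNK-byte window.
    for i in range(len(code_segment) - CODE_CHUNK + 1):
        if digest(code_segment[i:i + CODE_CHUNK]) in KNOWN_BAD:
            return True
    return False


def response_byte(flag: bool) -> bytes:
    """The thread's 'only sends a flag': one byte carrying the verdict and nothing else."""
    return b"\x01" if flag else b"\x00"


# Constructed sample input: a clean machine, then the same machine with a hook patched in.
CLEAN_PROCS = ["starcraft.exe", "explorer.exe", "stealthbot.exe"]
CLEAN_TITLES = ["Brood War", "Op Council - StealthBot"]
CLEAN_CODE = bytes.fromhex("558bec83ec08") * 6
HOOKED_CODE = CLEAN_CODE[:13] + b"\x90\x90\xe8\x00\x00\x00\x00\x5b" + CLEAN_CODE[21:]

if __name__ == "__main__":
    print(response_byte(scan(CLEAN_PROCS, CLEAN_TITLES, CLEAN_CODE)))
    print(response_byte(scan(CLEAN_PROCS + ["MapHack.EXE"], CLEAN_TITLES, CLEAN_CODE)))
    print(response_byte(scan(CLEAN_PROCS, CLEAN_TITLES, HOOKED_CODE)))
```

The point of keeping only digests on the client is that a bot author who dumps the list learns which of his own strings are flagged but not what else is on it; the single response byte likewise tells an observer nothing about what was scanned.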
iCe
you get ipbanned now if you dont reply to warden?
August 30, 2007, 2:14 AM
Newby
10053 = IPBan? As far as I know, the description is there for a reason... and the description is right...
August 30, 2007, 2:21 AM
inner.
He's using daemonchat, and when you get the message 10053 I just do an AddChat saying you were IP'd, since that's the message you receive when you get IP'd.
August 30, 2007, 2:22 AM
dlStevens
[quote author=inner.de link=topic=16998.msg172173#msg172173 date=1188440556]
He's using daemonchat, and when you get the message 10053 I just do a AddChat saying you were IP'd since that's the message you receive when you get IP'd.
[/quote]

yup

EDIT:
I don't know if this helps at all, but I'm trying... I received this about 1 minute before being disconnected by Warden.
[code]
0000  00 18 f8 29 19 e9 00 18  f8 3f 4a b4 08 00 45 00  ...).... .?J...E.
0010  00 28 0a 2a 00 00 ff 06  5c 9f 3f f1 53 09 c0 a8  .(.*.... \.?.S...
0020  01 64 17 e0 0e de f1 33  94 94 00 00 00 00 50 04  .d.....3 ......P.
0030  00 00 ae 53 00 00                                  ...S..         
[/code]
August 30, 2007, 2:27 AM
BreW
[quote author=dlStevens link=topic=16998.msg172170#msg172170 date=1188439789]
According to something I read up on Warden does not send information, it only sends a flag.
[/quote]

Is that so..? Then that flag must be included in the single byte response that the starcraft client sends to battle.net. . . All we really have to do is find the appropriate flag to send back, together with the "other" pseudo-random value within that byte. So far we've just tried to find the encryption key for the encrypted packet contents sent TO us, but even if we do decrypt it, how useful will this be? While reverse engineering starcraft, did anyone even attempt to see the decrypted value and/or what it does with that information upon receiving? To be completely honest, I think that the data might be static. Blizzard has been coming up with a lot of good ideas lately, that really have turned out to be completely bad ideas anyways (i.e., dx video buffer for lockdown hashing). So, maybe someone can just work out whatever process is used to get the value of that one single byte (remember, only 256 possibilities) from that decrypted packet's content? Perhaps we can find a way to completely bypass having to decrypt this. Of course, one may argue the contents of this packet are dynamic, which is more likely. You'd never know unless you do it. But who knows, maybe the flag value is OR'd with the first hi byte of an uptime value? Or something equally lame?
August 30, 2007, 4:39 PM
MrRaza
WHO KNOWS!
August 30, 2007, 5:49 PM
warz
Why so much guessing? Somebody with so much time to devote to bnet, such as brew, should spend a little bit of that time checking this stuff out in a debugger.
August 30, 2007, 6:17 PM
rabbit
Or get a girlfriend...
August 30, 2007, 6:23 PM
dlStevens
[quote author=rabbit link=topic=16998.msg172183#msg172183 date=1188498203]
Or get a girlfriend...
[/quote]

Was that necessary?..
August 30, 2007, 8:06 PM
inner.
If brew posts in something, rabbit usually posts back in it with a smart remark.
August 30, 2007, 8:19 PM
dlStevens
[quote author=inner.de link=topic=16998.msg172186#msg172186 date=1188505140]
If brew posts in something, rabbit usually posts back in it with a smart remark.
[/quote]

Oh, Still a large amount of immature people still here, huh?
August 30, 2007, 8:23 PM
dlStevens
Anyway, Back on topic:

MyndFyre emulated WoW's protocol as I recall. I realize the warden isn't the exact same (to my knowledge), but isn't there a reasonable amount of similarity?

EDIT:
Has anyone come across the hashed values that warden uses? If so, can you post them?
August 30, 2007, 8:33 PM
iago
I don't believe that Mynd ever emulated WoW's Warden implementation.
August 30, 2007, 9:05 PM
Myndfyr
Nope.  The protocol was OK, but I never created an implementation.  Would have been too much work.
August 30, 2007, 10:10 PM
dlStevens
Ah, okay thanks for the clear up.
August 31, 2007, 1:08 AM
dlStevens
I don't packet lag Battle.Net often, but is it right to be logged on into an empty channel and send the client every ~10 packets just idling?

[quote]
0000  00 18 f8 3f 4a b4 00 18  f8 29 19 e9 08 00 45 00  ...?J... .)....E.
0010  00 3c 17 90 40 00 80 06  8e 25 c0 a8 01 64 3f f1  .<..@... .%...d?.
0020  53 09 04 78 17 e0 33 ae  3d 98 9f a0 ab b1 50 18  S..x..3. =.....P.
0030  41 41 a2 6c 00 00 ff 15  14 00 36 38 58 49 52 41  AA.l.... ..68XIRA
0040  54 53 db 0a 00 00 a3 95  d7 46                    TS...... .F     
[/quote]
August 31, 2007, 1:20 AM
BreW
[quote author=dlStevens link=topic=16998.msg172195#msg172195 date=1188523243]
I don't packet lag Battle.Net often, but is it right to be logged on into an empty channel and send the client every ~10 packets just idling?

[quote]
0000  00 18 f8 3f 4a b4 00 18  f8 29 19 e9 08 00 45 00   ...?J... .)....E.
0010  00 3c 17 90 40 00 80 06  8e 25 c0 a8 01 64 3f f1   .<..@... .%...d?.
0020  53 09 04 78 17 e0 33 ae  3d 98 9f a0 ab b1 50 18   S..x..3. =.....P.
0030  41 41 a2 6c 00 00 ff 15  14 00 36 38 58 49 52 41   AA.l.... ..68XIRA
0040  54 53 db 0a 00 00 a3 95  d7 46                     TS...... .F     
[/quote]
[/quote]
Yes
August 31, 2007, 1:46 AM
Barabajagal
Packet 0x15... SID_CHECKAD. Sent every 15 seconds by the client. Not always responded to by the server. For bots, it's usually not used, as SID_NULL keeps the connection alive just the same, although some clients (Such as RCB) send SID_CHECKAD instead, so as to emulate the game better.
August 31, 2007, 1:53 AM
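The two captures dlStevens posted above, decoded by an added example (not code from the thread or from any bot it mentions). It rebuilds the raw bytes from the dump text, walks Ethernet, IPv4 and TCP, and then parses the BNCS header (0xFF, message id, little-endian 16-bit total length). Run on the first capture it shows the frame received before the disconnect carries no BNCS message at all: it is a bare TCP RST from 63.241.83.9:6112. On the second it recovers the 0x15 SID_CHECKAD message Barabajagal identified. The frame layouts and the BNCS header are standard; the four-DWORD body layout of SID_CHECKAD (platform, product, last banner id, current time) is an assumption taken from the public protocol notes bot developers use, not something stated on this page, and the hex-pair-then-gutter heuristic in the dump parser is the example's own.

```python
import re
import struct
from dataclasses import dataclass
from typing import Optional

# The two captures from the thread, copied verbatim (offset column, hex, ASCII gutter).
RST_DUMP = r"""
0000  00 18 f8 29 19 e9 00 18  f8 3f 4a b4 08 00 45 00  ...).... .?J...E.
0010  00 28 0a 2a 00 00 ff 06  5c 9f 3f f1 53 09 c0 a8  .(.*.... \.?.S...
0020  01 64 17 e0 0e de f1 33  94 94 00 00 00 00 50 04  .d.....3 ......P.
0030  00 00 ae 53 00 00                                  ...S..
"""
CHECKAD_DUMP = r"""
0000  00 18 f8 3f 4a b4 00 18  f8 29 19 e9 08 00 45 00  ...?J... .)....E.
0010  00 3c 17 90 40 00 80 06  8e 25 c0 a8 01 64 3f f1  .<..@... .%...d?.
0020  53 09 04 78 17 e0 33 ae  3d 98 9f a0 ab b1 50 18  S..x..3. =.....P.
0030  41 41 a2 6c 00 00 ff 15  14 00 36 38 58 49 52 41  AA.l.... ..68XIRA
0040  54 53 db 0a 00 00 a3 95  d7 46                    TS...... .F
"""

HEX_PAIR = re.compile(r"^[0-9a-fA-F]{2}$")
TCP_RST, TCP_PSH, TCP_ACK = 0x04, 0x08, 0x10


def parse_hexdump(text: str) -> bytes:
    """Rebuild raw bytes from dump lines: offset, up to 16 hex pairs, then an ASCII gutter.
    Heuristic: the hex pairs end at the first token that is not exactly two hex digits."""
    out = bytearray()
    for line in text.strip().splitlines():
        tokens = line.split()
        for tok in tokens[1:17]:
            if not HEX_PAIR.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


@dataclass
class Frame:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    tcp_flags: int
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Ethernet II -> IPv4 -> TCP; returns addressing, TCP flags and the TCP payload."""
    if len(raw) < 34 or struct.unpack("!H", raw[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 Ethernet frame")
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return Frame(".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])),
                 src_port, dst_port, tcp[13], tcp[data_off:])


@dataclass
class BncsMessage:
    msg_id: int
    length: int
    body: bytes


def parse_bncs(payload: bytes) -> Optional[BncsMessage]:
    """BNCS framing: 0xFF, message id, little-endian 16-bit total length (header included).
    Returns None when the segment carries no data at all (e.g. a bare RST)."""
    if len(payload) == 0:
        return None
    if len(payload) < 4 or payload[0] != 0xFF:
        raise ValueError("payload is not a BNCS message")
    msg_id, length = payload[1], struct.unpack("<H", payload[2:4])[0]
    if length < 4 or length > len(payload):
        raise ValueError("truncated BNCS message")
    return BncsMessage(msg_id, length, payload[4:length])


def decode_checkad(body: bytes) -> dict:
    """SID_CHECKAD (0x15) client body. Layout is an assumption from the public BNCS notes:
    platform, product, last banner id, current time (four DWORDs). Platform and product
    are 4-char tags stored reversed, which is why the gutter reads '68XI' and 'RATS'."""
    platform, product, banner_id, now = struct.unpack("<4s4sII", body[:16])
    return {"platform": platform[::-1].decode("ascii"),
            "product": product[::-1].decode("ascii"),
            "banner_id": banner_id, "time": now}


def describe(dump: str) -> str:
    """One-line summary of a captured frame, the way you would eyeball it in a log."""
    f = parse_frame(parse_hexdump(dump))
    flags = "".join(n for n, bit in (("R", TCP_RST), ("P", TCP_PSH), ("A", TCP_ACK))
                    if f.tcp_flags & bit)
    head = f"{f.src_ip}:{f.src_port} -> {f.dst_ip}:{f.dst_port} [{flags}]"
    msg = parse_bncs(f.payload)
    if msg is None:
        return f"{head} no payload"
    extra = f" {decode_checkad(msg.body)}" if msg.msg_id == 0x15 else ""
    return f"{head} BNCS 0x{msg.msg_id:02X} len={msg.length}{extra}"


if __name__ == "__main__":
    print(describe(RST_DUMP))
    print(describe(CHECKAD_DUMP))
```

The practical lesson for anyone trying to "capture the Warden packet" the way dlStevens did: filter on TCP payloads that begin with 0xFF and a message id, not on the last frame before the socket died, because that last frame is the server tearing the connection down rather than anything Warden sent.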
dlStevens
Ah, okay, Ill keep packet logging and asking questions.. ;D
August 31, 2007, 9:36 PM
Barabajagal
Aww... my stupid joke is gone :(
August 31, 2007, 10:30 PM
Newby
[quote author=betawarz link=topic=16998.msg172182#msg172182 date=1188497862]
Somebody with so much time to devote to bnet, such as brew, should spend a little bit of that time checking this stuff out in a debugger.
[/quote]

That requires intelligence and knowledge. Something brew lacks in both aspects. ;)
September 1, 2007, 5:54 AM
BreW
[quote author=Newby link=topic=16998.msg172218#msg172218 date=1188626082]
[quote author=betawarz link=topic=16998.msg172182#msg172182 date=1188497862]
Somebody with so much time to devote to bnet, such as brew, should spend a little bit of that time checking this stuff out in a debugger.
[/quote]
That requires intelligence and knowledge. Something brew lacks in both aspects. ;)
[/quote]
You're sure about that?

Honestly. If you have nothing nice to post, don't post it at all. That comment really didn't help us.
September 1, 2007, 2:00 PM
dlStevens
Have you figured anything else new brew?
September 1, 2007, 4:22 PM
Newby
[quote author=brew link=topic=16998.msg172221#msg172221 date=1188655219]
You're sure about that?

Honestly. If you have nothing nice to post, don't post it at all. That comment really didn't help us.
[/quote]

Yes. You hung out in #beta long enough that I can say that confidently.
September 2, 2007, 5:00 AM
moh.vze.com
[quote author=dlStevens link=topic=16998.msg172185#msg172185 date=1188504383]
[quote author=rabbit link=topic=16998.msg172183#msg172183 date=1188498203]
Or get a girlfriend...
[/quote]

Was that necessary?..
[/quote]

:o :o :o :o
September 2, 2007, 6:48 AM
moh.vze.com
This Warden crap is a conspiracy.
I think B.net hired some [vL] people to put an end to bots and such. As a result, the [vL] guy suggested bnet use this so-called "Warden" to put an end to all of us.

;D
September 2, 2007, 6:51 AM
rabbit
Either that or you're retarded.
September 2, 2007, 6:53 AM
BreW
[quote author=Newby link=topic=16998.msg172230#msg172230 date=1188709204]
[quote author=brew link=topic=16998.msg172221#msg172221 date=1188655219]
You're sure about that?

Honestly. If you have nothing nice to post, don't post it at all. That comment really didn't help us.
[/quote]

Yes. You hung out in #beta long enough that I can say that confidently.
[/quote]
You don't know me.
September 2, 2007, 3:31 PM
JoeTheOdd
[quote author=brew link=topic=16998.msg172234#msg172234 date=1188747113]
[quote author=Newby link=topic=16998.msg172230#msg172230 date=1188709204]
[quote author=brew link=topic=16998.msg172221#msg172221 date=1188655219]
You're sure about that?

Honestly. If you have nothing nice to post, don't post it at all. That comment really didn't help us.
[/quote]

Yes. You hung out in #beta long enough that I can say that confidently.
[/quote]

You don't know me.
[/quote]

Then go program something that makes you look older than 3. You've yet to do that.
September 2, 2007, 6:47 PM
dlStevens
In all honesty, I think everyone in this thread whos bashed or harassed brew is quite immature, and you really need to grow up.
September 2, 2007, 7:15 PM
rabbit
So's your face.
September 2, 2007, 7:30 PM
dlStevens
That was indeed, hilarious.
September 2, 2007, 7:39 PM
Camel
[quote author=moh.vze.com link=topic=16998.msg172232#msg172232 date=1188715872]
This Warden crap is a conspiracy.
I think B.net hired some [vL] people to put an end to bots and such. As a result, the [vL] guy suggested bnet to use this so call "Warden" to put an end to all of us.

;D
[/quote]

That wouldn't do much good. The overall effect of binary bots is good, not evil. Blizzard even used to allow chat bots to moderate channels, before people started abusing it. As long as there's a cd key they can ban, I don't see why they would make any conscious effort to universally block BNCS bots. They don't even block the deprecated OLS for games that no longer use it, so long as your cd key checks out.
September 2, 2007, 9:45 PM
Barabajagal
Except that their stance on bots of any type is that the only one allowed is the Support Bot.... Plus it breaks their EULA to connect with a third-party client.
September 2, 2007, 9:50 PM
Camel
It's also not legal to reverse the OSCAR protocol for connecting to AIM/ICQ. How many lawsuits have been brought against Trillian, Gaim, or any of the hundreds of other free and proprietary software packages for connecting using the OSCAR protocol?

The purpose of the license is to give the company some legal footing in the event that they need to bring an end to inappropriate behaviour of the end-user. It has to be loosely worded so that the company can't be backed into a corner. It would be absurd of Blizzard, from a legal standpoint, to say that it is kosher to go masquerading as one of their games. That doesn't mean they're actively opposed to the idea.
September 2, 2007, 9:58 PM
Barabajagal
As far as flood bots, they damn well should be actively opposed -.- . However, they're still opposed (if only passive) to third-party clients, as was made clear by discontinuing the CHAT telnet protocol.
September 2, 2007, 10:14 PM
Camel
They disabled CHAT because they couldn't control it. They can control cd keys.
September 3, 2007, 4:08 AM
BreW
[quote author=Joe[x86] link=topic=16998.msg172237#msg172237 date=1188758823]
[quote author=brew link=topic=16998.msg172234#msg172234 date=1188747113]
[quote author=Newby link=topic=16998.msg172230#msg172230 date=1188709204]
[quote author=brew link=topic=16998.msg172221#msg172221 date=1188655219]
You're sure about that?

Honestly. If you have nothing nice to post, don't post it at all. That comment really didn't help us.
[/quote]

Yes. You hung out in #beta long enough that I can say that confidently.
[/quote]

You don't know me.
[/quote]

Then go program something that makes you look older than 3. You've yet to do that.
[/quote]
What exactly have I made that makes me look like I'm 3? What have YOU made, besides some half-assed OS?
September 3, 2007, 5:26 AM
Barabajagal
They controlled chat. It was allowed in like... Public Chat channels... and that's it.
September 3, 2007, 5:38 AM
Denial
Well, I mean, it's still simple to flood using public channels, by whispers and such. Also the amount of starcraft cdkeys to the public is probably one of the reasons they put warden online, because of the amount of bots which were online for starcraft. There are other ways, such as using the starcraft japan exploit in joining some channels that normally wouldn't be allowed otherwise.

But the simple fact remains: as long as people have time, floodbots will try to exist. You are better off coming up with a better way to totally remove floodbots from your bots so people using them don't even notice them.
September 3, 2007, 10:14 AM
Newby
[quote author=brew link=topic=16998.msg172251#msg172251 date=1188797182]
What have YOU made, besides some half-assed OS?
[/quote]

Half-assed? That would imply it might be worth running.
September 3, 2007, 12:07 PM
LockesRabb
Joe, you made an OS? From scratch? With a boot record and everything? If you did that, even if it was only half-assed, chalk me up as impressed! Did you contribute to the Linux OS core? They could use serious programmers like you.
September 3, 2007, 12:37 PM
BreW
[quote author=Don Cullen link=topic=16998.msg172256#msg172256 date=1188823060]
Joe, you made an OS? From scratch? With a boot record and everything? If you did that, even if it was only half-assed, chalk me up as impressed! Did you contribute to the Linux OS core? They could use serious programmers like you.
[/quote]
He made the bootloader himself, along with a few other things, I forget. But it ended up being a complete failure. TBH I think he got most of the code from Minix.
September 3, 2007, 1:13 PM
iCe
This topic went WAY off topic
September 3, 2007, 1:24 PM
dlStevens
Every vL thread goes off topic real fast...
September 3, 2007, 3:45 PM
Newby
[quote author=brew link=topic=16998.msg172257#msg172257 date=1188825205]
TBH I think he got most of the code from Minix.
[/quote]

LOL. I'm not joe's biggest fan, but even I'll say that's totally far-fetched. But ok, whatever floats your boat.
September 3, 2007, 4:47 PM
laurion
[quote author=Denial link=topic=16998.msg172253#msg172253 date=1188814476]
There are other ways such as using starcraft japan exploit in joining some channels that normally wouldn't be allowed otherwise.
[/quote]

elaborate, please?
September 3, 2007, 5:23 PM
Barabajagal
[quote author=Tazo link=topic=16998.msg172263#msg172263 date=1188840225]
[quote author=Denial link=topic=16998.msg172253#msg172253 date=1188814476]
There are other ways such as using starcraft japan exploit in joining some channels that normally wouldn't be allowed otherwise.
[/quote]

elaborate, please?
[/quote]

No, please don't. No giving out bnet exploits publicly! -.-
September 3, 2007, 6:33 PM
LockesRabb
Agreed. Giving them out would result in Blizzard patching it.
September 3, 2007, 7:09 PM
BreW
[quote author=Don Cullen link=topic=16998.msg172269#msg172269 date=1188846580]
Agreed. Giving them out would result in Blizzard patching it.
[/quote]
What's the point of keeping it a secret if nobody knows about it... unless that is, you do too.

EDIT**
wait a minute... whoa ...
[quote]
[4:08:23 PM]  -- Joined Channel: StarCraftJ -- Flags: 0x1021 --
[/quote]
am i hallucinating?!
I've never seen flag 0x1000 used. What does this mean.....
September 3, 2007, 8:07 PM
Barabajagal
[code]Public Const CHANNEL_PUBLIC                  As Long = &H1
Public Const CHANNEL_MODERATED                As Long = &H2
Public Const CHANNEL_RESTRICTED              As Long = &H4
Public Const CHANNEL_SILENT                  As Long = &H8
Public Const CHANNEL_SYSTEM                  As Long = &H10
Public Const CHANNEL_PRODUCTSPECIFIC          As Long = &H20
Public Const CHANNEL_GLOBAL                  As Long = &H1000[/code]

Don't you know anything? :P
September 3, 2007, 8:14 PM
UserLoser
[quote author=Tazo link=topic=16998.msg172263#msg172263 date=1188840225]
[quote author=Denial link=topic=16998.msg172253#msg172253 date=1188814476]
There are other ways such as using starcraft japan exploit in joining some channels that normally wouldn't be allowed otherwise.
[/quote]

elaborate, please?
[/quote]

Think he's talking about warez and something Chat I forget the name...the channel listing on JSTR lists those along with The Void.
September 3, 2007, 8:25 PM
UserLoser
[quote author=Andy link=topic=16998.msg172273#msg172273 date=1188850495]
[code]Public Const CHANNEL_PUBLIC                   As Long = &H1
Public Const CHANNEL_MODERATED                As Long = &H2
Public Const CHANNEL_RESTRICTED               As Long = &H4
Public Const CHANNEL_SILENT                   As Long = &H8
Public Const CHANNEL_SYSTEM                   As Long = &H10
Public Const CHANNEL_PRODUCTSPECIFIC          As Long = &H20
Public Const CHANNEL_GLOBAL                   As Long = &H1000[/code]

Don't you know anything? :P
[/quote]

You forgot redirecting (0x400)
September 3, 2007, 8:26 PM
Barabajagal
I never found a redirecting channel, so I don't see any reason to add it. As for joining channels like Warez, just use a force join.
September 3, 2007, 9:04 PM
iCe
Can't force join Backstage.
September 3, 2007, 9:12 PM
UserLoser
[quote author=Andy link=topic=16998.msg172279#msg172279 date=1188853471]
I never found a redirecting channel, so I don't see any reason to add it. As for joining channels like Warez, just use a force join.
[/quote]

Channels like Starcraft USA-1
September 3, 2007, 9:32 PM
Barabajagal
Nobody can join Backstage unless they're @Blizzard accounts and are on the blizzard rep/admin database list.
And ya, there's ways of getting JSTR into channels it's not supposed to be in, but if you get caught doing it, you'll ruin it for everyone -.-
Plus, the only reason to use JSTR is cause its icon is better than any other icons :D [img]http://realityripple.com/Uploads/icons/Games/JSTR.bmp[/img]
September 3, 2007, 10:31 PM
BreW
Hey guys, so I heard some guy on bnet called leaky has a private "warden fix" stealthbot script which magically allows people to stay connected and respond to warden. W O W, right? I haven't seen it myself, but I bet it's just some cheesy loopback connection that has starcraft do the warden processing. The average stealthbot user will most likely jump for joy. And you have to have starcraft and all of its dependencies running (of course) while connected to battle.net, which isn't really a problem for the average stealthbot user, but that's to be expected. Since we can't really "fix" warden yet, I say we make a stand alone .exe to "patch" other bots too. All it would require additionally is to hook a few sockets, the bot's window caption, and so on. I don't know about you, but I say we split this up into two parts (the warden request processor and the actual packet sender), and since RealityRipple has such an interest in doing stuff like that maybe he should make some quick warden response server, bnet is saved, blah blah.  ^^
September 4, 2007, 1:14 AM
Barabajagal
NTY. Done fighting against Blizzard.
September 4, 2007, 1:33 AM
Explicit[nK]
[quote author=Andy link=topic=16998.msg172292#msg172292 date=1188869597]
NTY. Done fighting against Blizzard.
[/quote]

Wise decision.
September 4, 2007, 4:08 AM
Barabajagal
[quote author=Explicit[nK] link=topic=16998.msg172296#msg172296 date=1188878930]
[quote author=Andy link=topic=16998.msg172292#msg172292 date=1188869597]
NTY. Done fighting against Blizzard.
[/quote]

Wise decision.
[/quote]

It's easier to let other people fight and wait for it to be incorporated into JBLS or a DLL or something :)
September 4, 2007, 4:13 AM
dlStevens
But it's still fun to fight against Blizzard.
September 4, 2007, 11:59 AM
LockesRabb
Basically, how the Stealth solution works is as you have stated, it has Starcraft running in the background, and when Warden on the Battle.net server sends Warden packets to Stealth, the bot redirects it to StarCraft client, which in turn generates the appropriate response.

Now, before you ask, yes, this can be done with ANY bot. All it would require is some simple hooking, although it'd still require StarCraft to be running in the background for as long as you wanted to maintain the connection. While it's a workaround, it's not a solution, nor a viable workaround as it's totally dependent on StarCraft.

For two, in regards to a Warden response server based on the above method, I've already tried the route of having StarCraft process the data. I was trying to write a Warden server. I basically wrote a proxy for bots and StarCraft, so bots could send warden packets to my server running StarCraft, and it'd generate the appropriate response and send it back to the bot, which in turn would send it to Battle.net. But unfortunately, after nearly finishing the proxy, I found out that this solution was not doable. Instead of explaining it myself, I'll paste a conversation I had with the l2uthless bot creator, l2k-Shadow. While I unfortunately gave him a headache from my attempts to understand how it basically worked, perhaps I can save him and others from future headaches by pasting it here so people can follow the conversation along and figure it out as well. Keep in mind I only had 3 hours of sleep the night before, so I'm somewhat slow in the conversation. :P Many thanks to l2k-Shadow for his patience.

[quote]Session Start (Kyro:l2k-Shadow): Sun Sep 02 11:21:56 2007
[11:21] Kyro: hey
[11:21] Kyro: got time?
[11:22] l2k-Shadow: depends what the time is for
[11:22] Kyro: tech support :P
[11:22] Kyro: im coding a warden proxy
[11:22] l2k-Shadow: that's a little vague
[11:22] l2k-Shadow: alright
[11:22] Kyro: basically, the way i have it set up is
[11:23] Kyro: two pcs, gateway on one, starcraft on the other
[11:23] Kyro: when i start gateway, it listens for starcraft
[11:23] Kyro: i have starcraft connect to my laptop (the gateway)
[11:23] Kyro: ah hell i'll just paste and save you the trouble
[11:23] Kyro:
[11:20:47 AM] SYSTEM> Initializing relay...
[11:20:47 AM] SYSTEM> Initialized. Waiting for StarCraft...
[11:20:52 AM] SYSTEM> StarCraft connected!
[11:20:52 AM] SYSTEM> Connecting to battle.net...
[11:20:52 AM] STARCRAFT> Received GameByte.
[11:20:52 AM] STARCRAFT> Received Packet: 0x50 (SID_AUTH_INFO)
[11:20:52 AM] SYSTEM> Connected to Battle.net!
[11:20:52 AM] BATTLE.NET> 0x01 Emulation Byte sent.
[11:20:52 AM] BATTLE.NET> 0x50 (SID_AUTH_INFO) Sent to Battle.net.
[11:20:52 AM] BATTLE.NET> Received Packet: 0x25 (SID_PING)
[11:20:52 AM] SYSTEM> Packet: 0x25 (SID_PING) sent to STARCRAFT.
[11:20:52 AM] BATTLE.NET> Received Packet: 0x50 (SID_AUTH_INFO)
[11:20:52 AM] SYSTEM> Packet: 0x50 (SID_AUTH_INFO) sent to STARCRAFT.
[11:20:52 AM] STARCRAFT> Received Packet: 0x25 (SID_PING)
[11:20:52 AM] SYSTEM> Packet: 0x25 (SID_PING) sent to BATTLE.NET.
[11:22:31 AM] BATTLE.NET> Received Packet: 0x0 (SID_NULL)
[11:22:31 AM] SYSTEM> Packet: 0x0 (SID_NULL) sent to STARCRAFT.
[11:24] l2k-Shadow: and
[11:24] Kyro: well basically
[11:25] Kyro: the goal here is to get starcraft completely loaded, (aka in channel) via proxy (my laptop is acting as proxy). Once starcraft is completely connected, my proxy would disconnect from battle.net, but maintain the connection with starcraft
[11:25] Kyro: would keep connection alive via pings/nulls
[11:26] Kyro: then any bot could connect to my laptop, send it a warden packet that was sent to them by battle.net, which my laptop in turn would relay it to starcraft, starcraft would construct the appropriate response thinking it's from battle.net, and send it to my proxy, which in turn would send it to the bot requesting the warden response
[11:27] Kyro: make sense?
[11:27] l2k-Shadow: good idea
[11:27] l2k-Shadow: but
[11:27] l2k-Shadow: that won't work
[11:27] l2k-Shadow: sorry
[11:27] l2k-Shadow: (which is why no one else has done it)
[11:27] Kyro: why wont it work
[11:27] l2k-Shadow: because of the nature of warden
[11:27] l2k-Shadow: warden is encrypted using a key-based encryption
[11:27] l2k-Shadow: this key is generated from the key hash
[11:27] l2k-Shadow: so the encryption is different for every bot
[11:27] l2k-Shadow: so
[11:27] l2k-Shadow: gl
[11:28] l2k-Shadow: so u can do this
[11:28] Kyro: ahh damn.
[11:28] l2k-Shadow: but only with 1 bot at a time
[11:28] Kyro: key, as in, cdkey based
[11:28] Kyro: right?
[11:28] l2k-Shadow: no
[11:28] l2k-Shadow: key-based as in the encryption
[11:28] l2k-Shadow: uses a key
[11:28] l2k-Shadow: this key comes from your CD-Key hash
[11:28] Kyro: damn.
[11:28] l2k-Shadow: and therefore
[11:28] l2k-Shadow: it is different
[11:28] l2k-Shadow: every time u login
[11:29] Kyro: because my starcraft cdkey isn't the same as the botuser's cdkey, the warden proxy would fail.
[11:29] Kyro: damn.
[11:29] l2k-Shadow: not even that
[11:29] l2k-Shadow: even if they used the same cdkey it would fail because the cdkey hash is different per login
[11:29] l2k-Shadow: due to different client and server tokens
[11:29] Kyro: double damn.
[11:29] Kyro: there goes my idea.
[11:30] Kyro: thanks for your time
[11:30] l2k-Shadow: i tried doing your idea
[11:30] l2k-Shadow: like day after warden came out
[11:30] l2k-Shadow: when i was researching it
[11:30] l2k-Shadow: then i found this out
[11:30] l2k-Shadow: so
[11:30] l2k-Shadow: yeah
[11:31] l2k-Shadow: one thing you COULD do
[11:31] l2k-Shadow: is mess with starcraft's memory
[11:31] l2k-Shadow: and change the cdkey hash
[11:31] l2k-Shadow: with the warden request
[11:31] l2k-Shadow: i tried doing that but failed
[11:31] l2k-Shadow: somehow
[11:31] l2k-Shadow: but the general idea remains the same.
[11:33] Kyro: i dont suppose reversing the logon sequence via assembly and porting it over is doable?
[11:33] l2k-Shadow: what does that have to do with anything?
[11:33] Kyro: im not tryin to reverse the entirety of warden, just the 0x5E packet
[11:34] l2k-Shadow: well.. the main problem is that you're trying to do something you don't know much about
[11:34] l2k-Shadow: -.-
[11:34] Kyro: yeah, time for me to take ASM classes.
[11:34] l2k-Shadow: it's not just a packet.
[11:34] l2k-Shadow: regardless if u know asm or not
[11:35] Kyro: from what little i know, 0x5E seems to tell starcraft to run a check on memory searching for hacks/etc, contains known current signatures to check for, then starcraft compiles a response and sends the response, then bnet sends what i think is a confirmation
[11:35] Kyro: that about right?
[11:36] l2k-Shadow: about
[11:36] l2k-Shadow: not quite right though
[11:36] l2k-Shadow: when sc first logs in and receives the first warden request
[11:36] l2k-Shadow: warden is a program
[11:36] l2k-Shadow: inside
[11:36] l2k-Shadow: sc
[11:36] l2k-Shadow: it sends version of warden back
[11:36] l2k-Shadow: if its up to date or not
[11:36] l2k-Shadow: if it isnt sc sends you updated warden module
[11:37] l2k-Shadow: then 0x5e sends warden what to look for
[11:37] l2k-Shadow: and warden compiles a response
[11:37] l2k-Shadow: and sends it back
[11:37] l2k-Shadow: the problem with making a server
[11:37] l2k-Shadow: for this
[11:37] l2k-Shadow: is few things
[11:37] l2k-Shadow: warden can be updated at any time
[11:37] l2k-Shadow: and warden sends a check every 5 seconds
[11:37] l2k-Shadow: that means
[11:37] l2k-Shadow: people who use your server
[11:37] l2k-Shadow: would have to remain constantly connected
[11:38] l2k-Shadow: to it
[11:38] l2k-Shadow: #1
[11:38] Kyro: that'd butcher my bandwidth.
[11:38] l2k-Shadow: #2 it would get abused
[11:38] l2k-Shadow: by people trying to load bots
[11:38] l2k-Shadow: which would butcher your bandwidth and your server.
[11:38] Kyro: in other words, not worth considering
[11:38] l2k-Shadow: precisely.
[11:39] l2k-Shadow: unlike BNLS, warden isn't something that you could do server-side
[...]
[11:41] Kyro: ah well.
[11:41] Kyro: is the 0x5E also in effect for other game clients, or just SC?
[11:41] l2k-Shadow: sc only
[11:41] l2k-Shadow: it is not implemented
[11:42] l2k-Shadow: in any other games
[11:42] Kyro: probably plan on it.
[11:42] l2k-Shadow: i dont think so
[...]
[11:43] l2k-Shadow: and there is a good reason it wont be in another clients
[11:43] Kyro: so wouldnt solve the problem, unless the 0x5E packet was made a requirement prior to finishing logon
[11:43] l2k-Shadow: it won't be in w2
[11:43] l2k-Shadow: because w2 is no longer updated
[11:43] l2k-Shadow: by blizzard
[11:44] l2k-Shadow: it won't be in d2
[11:44] l2k-Shadow: because d2 has warden in game
[11:44] l2k-Shadow: it won't be in w3.. same reason
[11:44] l2k-Shadow: so there u go.
[11:44] Kyro: sc has warden in game, so why are they using it outgame?
[11:44] l2k-Shadow: no it doesn't.
[11:44] Kyro: i could have sworn it did.
[11:44] l2k-Shadow: no.
[11:44] l2k-Shadow: because
[11:44] l2k-Shadow: since sc games
[11:44] l2k-Shadow: are
[11:44] l2k-Shadow: p2p
[11:44] Kyro: the rest arent?
[11:44] l2k-Shadow: warden has to be controlled
[11:45] l2k-Shadow: by the battle.net server
[11:45] l2k-Shadow: for sc
[11:45] l2k-Shadow: since d2 games and w3 games
[11:45] l2k-Shadow: are
[11:45] l2k-Shadow: client->server->client
[11:45] l2k-Shadow: warden for those games can be controlled by the game server.
[11:45] Kyro: i see.
[11:46] Kyro: wouldn't it make sense for blizz to make the game p2s2p?
[11:46] Kyro: then warden'd be ingame
[11:46] l2k-Shadow: it would but that would require them to recode a major portion of starcraft
[11:46] Kyro: unless their code for the game didn't permit for ease of implementation
[11:46] l2k-Shadow: which they won't do.
[11:46] Kyro: yea.
[11:46] Kyro: but from what you say
[11:47] Kyro: wouldn't that mean all a hacker had to do was join a game, then load their hacks. they'd be relatively safe from warden, and prior to finishing the game, the hacks could then be unloaded.
[11:47] Kyro: all theyd have to do would be avoid having hacks running when not in game
[11:48] l2k-Shadow: no..
[11:48] l2k-Shadow: they remain connected to the battle.net server throughout the game.
[11:48] Kyro: but you just said warden doesnt run ingame.
[11:48] Kyro: im referring to sc.
[11:48] l2k-Shadow: warden for sc runs all the time
[11:48] l2k-Shadow: regardless of ingame or out of game
[11:49] Kyro: then why do they have need for the 0x5E packet, when the other games have no need for it?
[...]
[11:52] l2k-Shadow: l2k-Shadow: warden has to be controlled
l2k-Shadow: by the battle.net server
l2k-Shadow: for sc
l2k-Shadow: since d2 games and w3 games
l2k-Shadow: are
l2k-Shadow: client->server->client
l2k-Shadow: warden for those games can be controlled by the game server.
[11:53] Kyro: [11:52] l2k-Shadow: warden has to be controlled by the battle.net server
[11:53] Kyro: but isnt sc p2p? meaning no interaction with the server?
[11:54] l2k-Shadow: *SIGH*
[11:54] l2k-Shadow: when you enter a starcraft game
[11:54] l2k-Shadow: you don't disconnect from battle.net
[11:54] l2k-Shadow: you exchange UDP data with the other players in the game
[11:54] l2k-Shadow: warden is still controlled by battle.net
[11:54] l2k-Shadow: sending u 0x5E packets.
[11:54] l2k-Shadow: the same way
[11:54] l2k-Shadow: if u talk in game
[11:54] l2k-Shadow: when you talk in game
[11:54] l2k-Shadow: you just send that data to other players via UDP
[11:55] l2k-Shadow: but lets say u want to whisper
[11:55] l2k-Shadow: when you whisper you send that data via Battle.net server.
[11:57] l2k-Shadow: however the warden is now controlled
[11:57] l2k-Shadow: by the server you play the game on
[11:58] l2k-Shadow: not the main battle.net server
[11:58] l2k-Shadow: which is why warden for sc is still active while you are in lobby
[11:58] l2k-Shadow: but d2 warden is not
[11:58] l2k-Shadow: because d2 warden is only active while on a game server
[11:59] Kyro: ah, so that's why the bots can get on via emulating other clients, no warden outgame
[11:59] l2k-Shadow: Right
[11:59] Kyro: battle.net servers are both lobby/game servers, while for the other games, lobby/game servers are separate
[11:59] Kyro: right?
[12:00] l2k-Shadow: no
[12:00] l2k-Shadow: battle.net server is lobby only
[12:00] l2k-Shadow: for all gaems
[12:00] l2k-Shadow: games
[12:01] Kyro: let me rephrase, starcraft only makes one connection: bnet, hence why warden is always in effect, while for the other games, two connections are made, one for the lobby for bnet, and another one for the game servers
[12:01] Kyro: about right?
[12:01] l2k-Shadow: correct
[12:01] l2k-Shadow: congratulations
[12:01] l2k-Shadow: -_-
[12:02] Kyro: yeah, thanks. it feels great to not be so dumb now.
[12:02] l2k-Shadow: lol
[...]
[12:03] Kyro: based on it, it sounds like the 0x5E packet being in effect outgame wasn't intentional, it was just a permanent side effect, due to it being on same server as battle.net
[12:03] Kyro: sucks.
[12:03] l2k-Shadow: right
[12:07] Kyro: does the fact that warden isn't centralized, is keybased, encrypted, etc, etc mean you're fresh out of ideas?
[12:08] l2k-Shadow: it can be done
[12:08] l2k-Shadow: but no solution is permanent
[12:08] l2k-Shadow: because warden can always be updated
[12:08] l2k-Shadow: server-side
[12:08] l2k-Shadow: so even if u wrote a workaround
[12:08] l2k-Shadow: for the current warden
[12:08] Kyro: so it'd be a tit for tat, in other words not worth it
[12:08] l2k-Shadow: right
[12:08] l2k-Shadow: of course there are people
[12:08] l2k-Shadow: who have done it
[12:08] l2k-Shadow: im sure
[12:08] l2k-Shadow: probably skywing/adron
[12:08] l2k-Shadow: etc
[12:09] l2k-Shadow: but i mean
[12:09] l2k-Shadow: lol
[12:09] Kyro: alright, thanks for ur time
[12:09] Kyro: sorry to have given you a headache.
[12:09] l2k-Shadow: i've had worse.
[...]
Session Close (l2k-Shadow): Sun Sep 02 12:27:49 2007[/quote]
September 4, 2007, 3:07 PM
Camel
[quote author=Andy link=topic=16998.msg172252#msg172252 date=1188797928]
They controlled chat. It was allowed in like... Public Chat channels... and that's it.
[/quote]

And they disabled it entirely when people figured out how to whisper flood.
September 4, 2007, 3:53 PM
Barabajagal
[quote author=Camel link=topic=16998.msg172308#msg172308 date=1188921202]
[quote author=Andy link=topic=16998.msg172252#msg172252 date=1188797928]
They controlled chat. It was allowed in like... Public Chat channels... and that's it.
[/quote]

And they disabled it entirely when people figured out how to whisper flood.
[/quote]

And yet you can still whisper flood on any other non-keyed client. And it's easy to just do /dnd anyway!
September 4, 2007, 6:04 PM
BreW
[quote author=Don Cullen link=topic=16998.msg172305#msg172305 date=1188918440]
[11:27] l2k-Shadow: because of the nature of warden
[11:27] l2k-Shadow: warden is encrypted using a key-based encryption
[11:27] l2k-Shadow: this key is generated from the key hash
[11:27] l2k-Shadow: so the encryption is different for every bot
[/quote]
where you could store all the necessary values, then patch the memory addresses of the warden encryption key values (we already have the offsets from the previous warden topic). Very easy if you ask me.
September 4, 2007, 7:20 PM
Camel
[quote author=brew link=topic=16998.msg172319#msg172319 date=1188933644]
[quote author=Don Cullen link=topic=16998.msg172305#msg172305 date=1188918440]
[11:27] l2k-Shadow: because of the nature of warden
[11:27] l2k-Shadow: warden is encrypted using a key-based encryption
[11:27] l2k-Shadow: this key is generated from the key hash
[11:27] l2k-Shadow: so the encryption is different for every bot
[/quote]
where you could store all the necessary values, then patch the memory addresses of the warden encryption key values (we already have the offsets from the previous warden topic). Very easy if you ask me.
[/quote]
Don't bother. Blizzard will just update warden to break your algorithm. If you're going to shim, then shim; multiple people have had success with that. You can't half-ass warden, so save yourself some lost effort and stop trying.
September 4, 2007, 8:26 PM
BreW
[quote author=Camel link=topic=16998.msg172323#msg172323 date=1188937560]
[quote author=brew link=topic=16998.msg172319#msg172319 date=1188933644]
[quote author=Don Cullen link=topic=16998.msg172305#msg172305 date=1188918440]
[11:27] l2k-Shadow: because of the nature of warden
[11:27] l2k-Shadow: warden is encrypted using a key-based encryption
[11:27] l2k-Shadow: this key is generated from the key hash
[11:27] l2k-Shadow: so the encryption is different for every bot
[/quote]
where you could store all the necessary values, then patch the memory addresses of the warden encryption key values (we already have the offsets from the previous warden topic). Very easy if you ask me.
[/quote]
Don't bother. Blizzard will just update warden to break your algorithm. If you're going to shim, then shim; multiple people have had success with that. You can't half-ass warden, so save yourself some lost effort and stop trying.
[/quote]

Who said it was an algorithm, and so far people have been half-assing warden with great success. Besides, it's not like blizzard is working against bot makers. They are, however, working against hack makers.
September 4, 2007, 9:16 PM
rabbit
You haven't read Blizzard's TOS or EULA, have you?
September 4, 2007, 9:27 PM
BreW
[quote author=rabbit link=topic=16998.msg172329#msg172329 date=1188941225]
You haven't read Blizzard's TOS or EULA, have you?
[/quote]
I have. Why didn't they make something to prevent Diablo 2 bots connecting? Or Warcraft 2? Hell, even their beloved Warcraft 3? Why didn't they encrypt all of their packets? *Hint* They're not trying to "kill the botz".
September 4, 2007, 9:50 PM
-MichaeL-
I'd have to agree that bots are not of great concern to Blizzard at the moment. Maybe in the old days they were, and in the future they might be, but going by their current stance I am led to the conclusion that they do not have any problem with normal bots (by normal bots I do not mean loaders or flooders).
September 4, 2007, 10:17 PM
Barabajagal
Today I was in the Blizzard Tech Support channel (reporting a bot that was advertising a game and being annoying in general), and the user before me apparently asked the rep for help with a bot. The rep said they did not support third party clients, and that the user should contact the bot developer for help. Sounds to me like they're apathetic about chat bots :)
September 4, 2007, 10:25 PM
Kp
Look at it from their perspective.  Blizzard uses paid employees to police battle.net.  Since battle.net does not generate subscription revenue, there is no incentive to expend effort fighting issues which do not substantially bother the gaming users.  Bots can be annoying, but are generally easy to avoid.  However, cheaters are more difficult to avoid (how do you as a mere gamer tell when someone's cheating?) and tend to cause more annoyance.  Thus, given limited resources, Blizzard focuses on stopping cheating.  As we have seen, they are not averse to causing bot developers/users grief when it is a cheap or free side effect of fighting cheating, but it is not cost effective to spend employee time on a pursuit which will only hinder bots.

As for the remark about encryption: what good would that do?  Do you really think bots would have gotten this far if people were restricted to inspecting wire traffic to understand the protocol?  Once a user commits to reverse engineering the client to get the protocol details, an encrypted protocol just means some extra functions to take apart.  Also, encryption is not free.  Encrypting all the wire traffic going in and out of battle.net would require non-trivial resources for any good encryption algorithm.  I doubt Blizzard would even consider spending the CPU cycles to encrypt a couple hundred thousand connections (battle.net's user count during its heyday) when, as above, it is only a temporary hindrance to third party developers and does not earn any additional money.
September 5, 2007, 3:17 AM
rabbit
[quote author=brew link=topic=16998.msg172330#msg172330 date=1188942617]
[quote author=rabbit link=topic=16998.msg172329#msg172329 date=1188941225]
You haven't read Blizzard's TOS or EULA, have you?
[/quote]
I have. Why didn't they make something to prevent Diablo 2 bots connecting? Or Warcraft 2? Hell, even their beloved Warcraft 3? Why didn't they encrypt all of their packets? *Hint* They're not trying to "kill the botz".
[/quote]Their TOS/EULA specifically prohibits emulation of their protocols.  That's pretty anti-bot to me.
September 5, 2007, 4:19 AM
Barabajagal
[quote author=rabbit link=topic=16998.msg172343#msg172343 date=1188965947]
[quote author=brew link=topic=16998.msg172330#msg172330 date=1188942617]
[quote author=rabbit link=topic=16998.msg172329#msg172329 date=1188941225]
You haven't read Blizzard's TOS or EULA, have you?
[/quote]
I have. Why didn't they make something to prevent Diablo 2 bots connecting? Or Warcraft 2? Hell, even their beloved Warcraft 3? Why didn't they encrypt all of their packets? *Hint* They're not trying to "kill the botz".
[/quote]Their TOS/EULA specifically prohibits emulation of their protocols.  That's pretty anti-bot to me.
[/quote]
As was previously mentioned, it's apparently only really there as leverage in case an incident arises.
September 5, 2007, 4:33 AM
Camel
[quote author=brew link=topic=16998.msg172328#msg172328 date=1188940564]
Who said it was an algorithm
[/quote]
Anyone who has ever taken any kind of computer science course. Ever.
September 5, 2007, 1:40 PM
LW-Falcon
[quote author=Camel link=topic=16998.msg172348#msg172348 date=1188999644]
[quote author=brew link=topic=16998.msg172328#msg172328 date=1188940564]
Who said it was an algorithm
[/quote]
Anyone who has ever taken any kind of computer science course. Ever.
[/quote]
Haha Camel +1 :P
September 5, 2007, 3:42 PM
rabbit
I told that kid it was an algorithm weeks ago and everyone yelled at me "NO IT R TEH PORGAMZ" and now Camel says the same thing and he gets +1 and praise.  WTF?
September 5, 2007, 4:23 PM
Camel
[quote]An explicit step-by-step procedure for producing a solution to a given problem. Specifically, a mathematical equation typically executed using a computer program (or set of programs) that is designed to systematically solve a certain kind of problem.[/quote]
September 5, 2007, 5:36 PM
UserLoser
[quote author=Andy link=topic=16998.msg172284#msg172284 date=1188858709]
Nobody can join Backstage unless they're @Blizzard accounts and are on the blizzard rep/admin database list.
And ya, there's ways of getting JSTR into channels it's not supposed to be in, but if you get caught doing it, you'll ruin it for everyone -.-
Plus, the only reason to use JSTR is cause its icon is better than any other icons :D [img]http://realityripple.com/Uploads/icons/Games/JSTR.bmp[/img]
[/quote]

Isn't an admin database; just names tagged with specific flags are allowed access. IIRC, years back you were able to see System\Flags for a user, but I could be wrong about this. Obviously we would all have 0 for that value, while Blizzard reps would have 0x8 for example and admins would have 0x1, or whatever the values are.
September 5, 2007, 6:37 PM
Barabajagal
That sounds like a database to me <.<
September 5, 2007, 7:13 PM
BreW
[quote author=Camel link=topic=16998.msg172354#msg172354 date=1189013783]
[quote]An explicit step-by-step procedure for producing a solution to a given problem. Specifically, a mathematical equation typically executed using a computer program (or set of programs) that is designed to systematically solve a certain kind of problem.[/quote]
[/quote]
You're pushing that definition. Notice how I use everything except actual math for that algorithm. Just patch a few addresses, and send data through a winsock.
September 5, 2007, 7:52 PM
Barabajagal
[quote author=brew link=topic=16998.msg172361#msg172361 date=1189021953]
[quote author=Camel link=topic=16998.msg172354#msg172354 date=1189013783]
[quote]An explicit step-by-step procedure for producing a solution to a given problem. Specifically, a mathematical equation typically executed using a computer program (or set of programs) that is designed to systematically solve a certain kind of problem.[/quote]
[/quote]
You're pushing that definition. Notice how I use everything except actual math for that algorithm. Just patch a few addresses, and send data through a winsock.
[/quote]
Uhm... no, he's not pushing it. That's what an algorithm is.
September 5, 2007, 8:09 PM
UserLoser
[quote author=Andy link=topic=16998.msg172358#msg172358 date=1189019625]
That sounds like a database to me <.<
[/quote]

yeah, a database.  not an admin database
September 6, 2007, 12:30 AM
Barabajagal
SELECT * FROM `Users` WHERE (`Flags` & FLAG_ADMIN) <> 0

Sorry for using obscure terminology. By Admin Database, I mean a listing of data containing information about administrators.
September 6, 2007, 12:49 AM
Camel
[quote author=brew link=topic=16998.msg172361#msg172361 date=1189021953]
[quote author=Camel link=topic=16998.msg172354#msg172354 date=1189013783]
[quote]An explicit step-by-step procedure for producing a solution to a given problem. Specifically, a mathematical equation typically executed using a computer program (or set of programs) that is designed to systematically solve a certain kind of problem.[/quote]
[/quote]
You're pushing that definition. Notice how I use everything except actual math for that algorithm. Just patch a few addresses, and send data through a winsock.
[/quote]
Actually, I was quoting the result of a Google search for "define:algorithm"
September 6, 2007, 5:39 PM
LockesRabb
Google, define:program
Results obtained from: Georgetown University
[quote]A set of coded instructions that a computer executes or interprets to perform an automated task. 2. An interrelated group of projects that are either being run concurrently or sequentially and that share a system goal. Individual projects may have different goals, however the combined set of projects will have a program goal.[/quote]

Google, define:algorithm
Results obtained from: Wetstone, a division of Allen Corporation
[quote]A set of ordered steps for solving a problem, such as a mathematical formula or the instructions in a program. The terms algorithm and logic are synonymous. Both refer to a sequence of steps to solve a problem. However, an algorithm implies an expression that solves a complex problem rather than the overall input-process-output logic of typical business programs.[/quote]

In other words, they're the one and the same.
September 6, 2007, 7:24 PM
Barabajagal
The algorithm is more like the logic behind the program.
September 6, 2007, 9:13 PM
Camel
Not quite;

Algorithm : program :: class : object.

That is to say, a program is an instance of an algorithm, just as an object is an instance of a class.
September 6, 2007, 9:44 PM
rabbit
Almost.

A class is also a type of object, but an algorithm isn't necessarily a program.
September 6, 2007, 11:25 PM
devcode
Emulate what Starcraft does for the 0x5E packet. KABEWM. EZ.
September 8, 2007, 5:51 PM
Barabajagal
[quote author=devcode link=topic=16998.msg172460#msg172460 date=1189273893]
Emulate what Starcraft does for the 0x5E packet. KABEWM. EZ.
[/quote]
I assume that means you've already got it done?
September 8, 2007, 6:11 PM
devcode
For an experienced reverse-engineer/developer, it shouldn't be hard at all. I personally haven't done it since I'm more focused on the in-game hacks side of things (i.e. maphack, selection hacks, etc.), but maybe sometime in the future I may take it on as a project. I briefly reversed it when Warden was released for SC but didn't focus my time and effort on it.
September 8, 2007, 6:35 PM
HdxBmx27
Its not hard at all to do what SC does with warden. It's hard to modify warden to return the proper values.
Basically what SC does is takes the data, shoves it into a big block of free memory in its memory space. And does a call 0x12345678 where 0x12345678 is the start address of where it loads it into memory.
It's not hard to do at all, in fact, i've done it, I even make a wrapper exe that you can shove modules in to be called.
So 'Emulate what Starcraft does for the 0x5E packet. ' has already been done.
~Hdx
September 8, 2007, 7:18 PM
devcode
Obviously you didn't understand what I said. We consider the black-box to be for eg. in 0x12345678, and we feed the input (the 0x5E packet) and the output from this black-box is the reply we send back to Battle.net. Obviously, to be cool, the warden code will be loaded on your bot client instead of using an interface which communicates with the Starcraft client. Now which part did you not get from this.
September 8, 2007, 8:39 PM
HdxBmx27
Pretty much all of it... What the hell are you talking about?
How exactly do you propose to set up this black box to trick warden into thinking it's still inside a valid SC space?
~Hdx
September 8, 2007, 8:44 PM
devcode
That's the part that requires you to reverse the processing of the 0x5E packet.
September 8, 2007, 8:47 PM
LockesRabb
[quote author=devcode link=topic=16998.msg172463#msg172463 date=1189276504]
For an experienced reverse-engineer/developer, it shouldn't be hard at all. I personally haven't done it since I'm more focused on the in-game hacks side of things (i.e. maphack, selection hacks, etc.), but maybe sometime in the future I may take it on as a project. I briefly reversed it when Warden was released for SC but didn't focus my time and effort on it.
[/quote]

You claim to have briefly reversed it-- and claim to have the ability to reverse 0x5E-- would you care to elaborate more on the details of it? Anyone can claim to have done it, but not everybody can actually prove it. Especially when you view this page:

https://davnit.net/bnet/vL/index.php?action=profile;u=4665;sa=showPosts

Hard to take someone seriously when all there seems to be pretty much are insults and vaporized efforts. ;)
September 8, 2007, 8:54 PM
devcode
Yes, that was a few months back, don't remember all the details off the top of my head. I'll take a look at it when I get time today/tomorrow.
September 8, 2007, 9:07 PM
Barabajagal
[quote author=devcode link=topic=16998.msg172469#msg172469 date=1189284476]
That's the part that requires you to reverse the processing of the 0x5E packet.
[/quote]
So, in essence, you've contributed absolutely nothing and gotten everyone mad at you. GOOD JOB, FUCKUP :)
September 8, 2007, 9:11 PM
devcode
But I clearly said in the post

"For an experienced reverse-engineer/developer..." and I mentioned I hadn't got in-depth with this. I just said it was possible for someone who is experienced, nothing else. So, in essence, you fale.

September 8, 2007, 10:12 PM
Barabajagal
Fail.

No duh someone who's experienced at reverse engineering can reverse engineer. You're saying nothing of any value or use, or even anything that isn't completely obvious!
September 8, 2007, 10:36 PM
devcode
Being experienced at reverse-engineering does not necessarily mean it's practically possible to achieve a solution. Doing some analysis myself, I came to the conclusion that it was possible to achieve an optimal solution, and this conclusion is not trivial unless you go through some initial reversing. I think you should spend time getting a better website up, as well as upgrading that knowledge of yours (I was like LOLWUTAN00B when I saw you used VB), instead of writing replies to my statements.

[quote author=Andy link=topic=16998.msg172475#msg172475 date=1189290970]
Fail.

No duh someone who's experienced at reverse engineering can reverse engineer. You're saying nothing of any value or use, or even anything that isn't completely obvious!
[/quote]
September 8, 2007, 10:52 PM
Barabajagal
"Getting" a better website? How many websites do you know that are 100% valid in all areas? How many do you know that were written entirely by one person in notepad and are 100% valid in all areas? Then you attack me via IM claiming I know nothing because my language of choice happens to be one you don't like. HOW FUCKING RETARDED CAN YOU GET?
September 8, 2007, 11:03 PM
devcode
Really, kids should think before they talk.

RealityRipple ‎(7:00 PM):
i wouldn't use c for any programs
powerbasic > c
booyakasha ‎(7:01 PM):
lol
lol
see, thats what makes you dumb
RealityRipple ‎(7:01 PM):
what, because a superior language isn't well known, it's no good?

<Andy> OMG GUYZ POWERBASIC IZ LIKE TEH BEST THING EVURRR AND OMG WHY DIDNT THEY USEZ IT TO MAKE LINUX WTF? STUPID LINUZ. IM GUNNA GO MAKE AN OS FROM POWERBASIC FUX THIZ SHIT.

Inshort, EPIC FALE.
September 8, 2007, 11:05 PM
Barabajagal
Do you even know what PowerBASIC is?
September 8, 2007, 11:08 PM
warz
[quote author=Andy link=topic=16998.msg172479#msg172479 date=1189292602]How many websites do you know that are 100% valid in all areas? How many do you know that were written entirely by one person in notepad and are 100% valid in all areas?[/quote]

It's not tough to write a simple website that passes as valid html. I would consider your site fairly simple, compared to other sites that achieve valid html, also. You're not the only person that uses a simple text editor for writing html, either. A majority of web developers use basic text editors for html, php, javascript, python, whatever.
September 9, 2007, 12:15 AM
Barabajagal
My site uses php, allows you to select from 6 CSS color schemes, and has a handful of other things (try clicking the arrow on the left of the footer bar to see what I mean). It makes use of getting (and formatting) file sizes for applications, is safe against the php include() exploit, and has many dynamic aspects you don't notice from looking at it.
September 9, 2007, 12:28 AM
LockesRabb
[quote author=devcode link=topic=16998.msg172474#msg172474 date=1189289573]
But I clearly said in the post "For an experienced reverse-engineer/developer..." and I mentioned I hadn't got in-depth with this. I just said it was possible for someone who is experienced, nothing else. So, in essence, you fale.[/quote]

[quote author=devcode link=topic=16998.msg172460#msg172460 date=1189273893]
Emulate what Starcraft does for the 0x5E packet. KABEWM. ----->EZ.<----
[/quote]


Contradictory.

Also, it's fail, not fale. :P
September 9, 2007, 12:34 AM
devcode
Can you tell me which two points are contradicting? You highlighted "EZ", what's the other one?

[quote author=Don Cullen link=topic=16998.msg172488#msg172488 date=1189298082]
[quote author=devcode link=topic=16998.msg172474#msg172474 date=1189289573]
But I clearly said in the post "For an experienced reverse-engineer/developer..." and I mentioned I hadn't got in-depth with this. I just said it was possible for someone who is experienced, nothing else. So, in essence, you fale.[/quote]

[quote author=devcode link=topic=16998.msg172460#msg172460 date=1189273893]
Emulate what Starcraft does for the 0x5E packet. KABEWM. ----->EZ.<----
[/quote]


Contradictory.

Also, it's fail, not fale. :P
[/quote]
September 9, 2007, 1:00 AM
BreW
I smell squeak
September 9, 2007, 1:40 AM
Newby
God you're all fucking retarded.
September 9, 2007, 2:47 AM
Camel
[quote author=rabbit link=topic=16998.msg172419#msg172419 date=1189121110]
Almost.

A class is also a type of object, but an algorithm isn't necessarily a program.
[/quote]

You misread my statement. I didn't say an algorithm is always a program; I said a program is an instance of an algorithm.

If you're a Java programmer, you may be confusing objects that are instances of the <Class> class. The definition of an object is an instance of a class, so your statement is simply incorrect.

References:
http://dictionary.reference.com/browse/object
[quote]object object-oriented
In object-oriented programming, an instance of the data structure and behaviour defined by the object's class. Each object has its own values for the instance variables of its class and can respond to the methods defined by its class.
For example, an object of the "Point" class might have instance variables "x" and "y" and might respond to the "plot" method by drawing a dot on the screen at those coordinates.
(2004-01-26)[/quote]
September 10, 2007, 2:45 PM
JoeTheOdd
[quote author=Dale link=topic=16998.msg172174#msg172174 date=1188440823]
I don't know if this helps at all, but I'm trying.. I received this about 1 minute before being disconnected by warden

[code]
0000  00 18 f8 29 19 e9 00 18  f8 3f 4a b4 08 00 45 00  ...).... .?J...E.
0010  00 28 0a 2a 00 00 ff 06  5c 9f 3f f1 53 09 c0 a8  .(.*.... \.?.S...
0020  01 64 17 e0 0e de f1 33  94 94 00 00 00 00 50 04  .d.....3 ......P.
0030  00 00 ae 53 00 00                                  ...S..         
[/code]
[/quote]

Does this happen over and over? That's an interestingly malformed SID_STARTVERSIONING.
September 10, 2007, 3:17 PM
iago
[quote author=Joe[x86] link=topic=16998.msg172550#msg172550 date=1189437466]
[quote author=Dale link=topic=16998.msg172174#msg172174 date=1188440823]
I don't know if this helps at all, but I'm trying.. I received this about 1 minute before being disconnected by warden

[code]
0000  00 18 f8 29 19 e9 00 18  f8 3f 4a b4 08 00 45 00  ...).... .?J...E.
0010  00 28 0a 2a 00 00 ff 06  5c 9f 3f f1 53 09 c0 a8  .(.*.... \.?.S...
0020  01 64 17 e0 0e de f1 33  94 94 00 00 00 00 50 04  .d.....3 ......P.
0030  00 00 ae 53 00 00                                  ...S..         
[/code]
[/quote]

Does this happen over and over? That's an interestingly malformed SID_STARTVERSIONING.
[/quote]

I could be wrong, but that just looks like a TCP header to me, no actual packet data.
September 10, 2007, 4:35 PM
JoeTheOdd
Nevermind, you're right. I started reading at 0x16 instead of 0x36. That's what I get for trying to understand things in the morning.
September 10, 2007, 4:55 PM
dlStevens
silly joe ;D
September 10, 2007, 7:25 PM
iago
[quote author=Joe[x86] link=topic=16998.msg172552#msg172552 date=1189443334]
Nevermind, you're right. I started reading at 0x16 instead of 0x36. That's what I get for trying to understand things in the morning.
[/quote]
Hint: look for 0xFF, and if the three bytes after it don't look sane, it's probably not Battle.net.

Although I'm pretty used to looking at the middle of the third line in a dump, I hope I never have to get used to IPv6 :)
September 10, 2007, 10:54 PM
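To make iago's two points concrete (the dump above is nothing but headers, and a real Battle.net message announces itself with 0xFF and a sane length), here is an added example that is not from the thread or from any bot's code. It walks the Ethernet, IPv4 and TCP headers of Dale's frame, reading each header length from the packet rather than assuming offset 0x36, and reports where the payload would start. The BNCS framing it checks for (0xFF, one message-id byte, little-endian 16-bit length that includes the four header bytes) is the standard layout the thread alludes to; the sample 0x5E message at the end is a constructed stand-in with a zeroed body, not captured data.

```python
import struct

# Constructed from the hex dump quoted above: the 54-byte frame Dale captured
# shortly before Warden dropped him (Ethernet + IPv4 + TCP, nothing after).
FRAME = bytes.fromhex(
    "00 18 f8 29 19 e9 00 18 f8 3f 4a b4 08 00 45 00 "
    "00 28 0a 2a 00 00 ff 06 5c 9f 3f f1 53 09 c0 a8 "
    "01 64 17 e0 0e de f1 33 94 94 00 00 00 00 50 04 "
    "00 00 ae 53 00 00"
)

TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def parse_frame(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> TCP and report where the application payload begins.

    Header lengths come from the packet itself (IHL, TCP data offset), so the
    result stays right when options push the payload past the usual 0x36.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")

    ip = frame[14:]
    if len(ip) < 20 or (ip[0] >> 4) != 4:
        raise ValueError("not an IPv4 header")
    ihl = (ip[0] & 0x0F) * 4
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    if ihl < 20 or total_len < ihl or len(ip) < total_len:
        raise ValueError("inconsistent IPv4 lengths")
    if proto != 6:
        raise ValueError("not TCP")

    # Slice to total_len: short Ethernet frames carry padding after the IP datagram.
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
    data_off = (tcp[12] >> 4) * 4
    if data_off < 20 or data_off > len(tcp):
        raise ValueError("bad TCP data offset")
    flags = [name for bit, name in TCP_FLAG_NAMES if tcp[13] & bit]

    payload_offset = 14 + ihl + data_off
    return {
        "src": ".".join(str(b) for b in ip[12:16]),
        "dst": ".".join(str(b) for b in ip[16:20]),
        "src_port": sport,
        "dst_port": dport,
        "seq": seq,
        "ack": ack,
        "flags": flags,
        "payload_offset": payload_offset,
        "payload": frame[payload_offset:14 + total_len],
    }


def looks_like_bncs(payload: bytes) -> bool:
    """iago's sanity check made precise: a BNCS message is 0xFF, a one-byte
    message id, then a little-endian 16-bit length that counts the four
    header bytes, so the length must be at least 4 and must fit the data."""
    if len(payload) < 4 or payload[0] != 0xFF:
        return False
    length = struct.unpack("<H", payload[2:4])[0]
    return 4 <= length <= len(payload)


# Constructed stand-in for a 0x5E message: 4-byte header + 37 opaque bytes (0x29 total).
SAMPLE_BNCS = bytes.fromhex("ff 5e 29 00") + bytes(37)

if __name__ == "__main__":
    info = parse_frame(FRAME)
    print(f"{info['src']}:{info['src_port']} -> {info['dst']}:{info['dst_port']} "
          f"flags={info['flags']} payload at 0x{info['payload_offset']:02x}, "
          f"{len(info['payload'])} payload byte(s)")
    print("captured frame carries BNCS:", looks_like_bncs(info["payload"]))
    print("constructed 0x5E sample is BNCS:", looks_like_bncs(SAMPLE_BNCS))
```

Run against the dump, the parser lands at 0x36 with zero payload bytes and reports a bare RST from port 6112, which is the server tearing the connection down rather than a message to decode. Reading from 0x16 (the start of the IP header) is how a TTL of 0xFF gets mistaken for a BNCS marker.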
JoeTheOdd
[quote author=iago link=topic=16998.msg172579#msg172579 date=1189464887]
[quote author=Joe[x86] link=topic=16998.msg172552#msg172552 date=1189443334]
Nevermind, you're right. I started reading at 0x16 instead of 0x36. That's what I get for trying to understand things in the morning.
[/quote]

Hint: look for 0xFF, and if the three bytes after it don't look sane, it's probably not Battle.net.

Although I'm pretty used to looking at the middle of the third line in a dump, I hope I never have to get used to IPv6 :)
[/quote]

Like I said, I always just start at offset 0x36.
September 11, 2007, 12:55 AM
devcode
90% reversed on the 0x5E reply hash. ;)
September 11, 2007, 1:07 AM
dlStevens
How can you put a percentage of how much you're done when you don't completely know what's left?
September 11, 2007, 1:15 AM
devcode
Because I'm that good :)
September 11, 2007, 1:30 AM
JoeTheOdd
[quote author=Dale link=topic=16998.msg172594#msg172594 date=1189473304]
How can you put a percentage of how much you're done when you don't completely know what's left?
[/quote]

Technically, as far as "reversed" goes, it's a percentage of the code.

Now, at least for me, 90% of the code reversed means that 5% percent of the project is done. You've still gotta bring the loose ends together and make it work. :P
September 11, 2007, 2:41 AM
LockesRabb
[quote author=devcode link=topic=16998.msg172595#msg172595 date=1189474241]
Because I'm that good :)
[/quote]

I'm happy to see you have that high of an opinion of yourself. Do you plan on sharing what you've found with the community, or do you plan on withholding it?
September 11, 2007, 2:47 AM
devcode
I promote open sourcing of details and snippets of code.
September 11, 2007, 2:55 AM
LockesRabb
[quote author=devcode link=topic=16998.msg172598#msg172598 date=1189479328]
I promote open sourcing of details and snippets of code.
[/quote]

I'm impressed. Let's hope you're serious about reversing the 0x5E then.
September 11, 2007, 2:57 AM
devcode
The last part in the whole procedure is the encryption of the packet. I recreated the code for this encryption but I didn't know what it was until I remembered someone saying RC4, and it seems to match; I didn't check thoroughly. I'm not familiar with RC4 so I'll have to do some reading ;(
So close yet so far ;o
September 11, 2007, 4:27 AM
Barabajagal
Wtf is with bnet using so many different encryption methods? -.-
September 11, 2007, 4:49 AM
LockesRabb
http://en.wikipedia.org/wiki/RC4

[quote]In cryptography, RC4 (also known as ARC4 or ARCFOUR) is the most widely-used software stream cipher and is used in popular protocols such as Secure Sockets Layer (SSL) (to protect Internet traffic) and WEP (to secure wireless networks). While remarkable in its simplicity, RC4 falls short of the high standards of security set by cryptographers, and some ways of using RC4 can lead to very insecure cryptosystems (an example being WEP). It is not recommended for use in new systems. However, some systems based on RC4 are secure enough for practical use.[/quote]

When you read the first sentence, it makes sense they chose this particular type to protect Warden. Simple enough to implement, but good enough to make it a pain in the neck to figure out.
September 11, 2007, 5:58 AM
Barabajagal
Didn't something else use RC4?
September 11, 2007, 7:09 AM
JoeTheOdd
Yeah. World of WarCraft.. and... Warden.
September 11, 2007, 2:32 PM
Barabajagal
No... I just looked up RC4 a few days ago for some reason....
September 11, 2007, 6:39 PM
JoeTheOdd
No.. yeah, WoW's protocol is encrypted by RC4, and Warden is also in WoW.
September 11, 2007, 6:56 PM
Barabajagal
I wasn't looking up WoW or warden though -.-
September 11, 2007, 7:01 PM
BreW
Diablo II Warden requests...
And what do you mean, "why does Blizzard use so many different kinds of encryption"?
The only encryption I've seen Blizzard use so far is RC4.
September 11, 2007, 7:17 PM
iCe
[quote author=brew link=topic=16998.msg172627#msg172627 date=1189538271]
Diablo II Warden requests...
And what do you mean, "why does Blizzard use so many different kinds of encryption"?
The only encryption I've seen Blizzard use so far is RC4.
[/quote]

Forgot about the login packets?
September 11, 2007, 7:42 PM
iago
[quote author=iCe link=topic=16998.msg172630#msg172630 date=1189539751]
[quote author=brew link=topic=16998.msg172627#msg172627 date=1189538271]
Diablo II Warden requests...
And what do you mean, "why does Blizzard use so many different kinds of encryption"?
The only encryption I've seen Blizzard use so far is RC4.
[/quote]

Forgot about the login packets?
[/quote]

Login packets aren't encrypted. On traditional clients, your password is "hashed" (not encrypted), and on newer clients a verifier related to your password is generated, in a way that's similar to encryption.
September 11, 2007, 8:03 PM
Barabajagal
A hash is a one-way encryption.
September 11, 2007, 8:17 PM
iago
If you can't recover the original, it's not encryption, it's hashing. Encryption, by definition, is two-way.
September 11, 2007, 8:55 PM
Barabajagal
The definition of a hash I've always heard is a "one-way encryption", as a hash's full name is a "cryptographic hash function".
September 11, 2007, 9:02 PM
devcode
The tedious part is to find out how the key is obtained in order to generate the S[box] array in ARC4. I think Ringo was attempting this previously; I wonder how that went.
September 11, 2007, 9:36 PM
LockesRabb
[quote author=devcode link=topic=16998.msg172648#msg172648 date=1189546605]
The tedious part is to find out how the key is obtained in order to generate the S[box] array in ARC4. I think Ringo was attempting this previously; I wonder how that went.
[/quote]

I don't know if this would be of assistance, but RC4 has already been reversed.

http://www.di.unito.it/~rabser/ssleay/rrc4.html

On brute forcing RC4 keys:
http://ieeexplore.ieee.org/Xplore/login.jsp?url=/iel5/9316/29617/01344747.pdf?arnumber=1344747

On discovering the key if it's a weak key:
http://www.cs.berkeley.edu/~daw/my-posts/my-rc4-weak-keys

Good luck, dude.
September 11, 2007, 9:58 PM
devcode
Not really what I meant, but thanks. I think I have found where it's generating the key stream.

[quote author=Don Cullen link=topic=16998.msg172653#msg172653 date=1189547887]
[quote author=devcode link=topic=16998.msg172648#msg172648 date=1189546605]
The tedious part is to find out how the key is obtained in order to generate the S[box] array in ARC4. I think Ringo was attempting this previously; I wonder how that went.
[/quote]

I don't know if this would be of assistance, but RC4 has already been reversed.

http://www.di.unito.it/~rabser/ssleay/rrc4.html

On brute forcing RC4 keys:
http://ieeexplore.ieee.org/Xplore/login.jsp?url=/iel5/9316/29617/01344747.pdf?arnumber=1344747

On discovering the key if it's a weak key:
http://www.cs.berkeley.edu/~daw/my-posts/my-rc4-weak-keys

Good luck, dude.
[/quote]
September 12, 2007, 1:33 AM