Valhalla Legends Forums Archive | Battle.net Bot Development | Uncovering 0x5E - Warden

devcode
vL still has noobs in it... reason it's so stained, Invert still sucking dick for your spare change, I bin hustlin that's why I get paid, you bin writing code from the start but you just gettin played. First piece of code sold for a hundred back in the day, and that was a shitty old CS hack that I had just made. Moved into malware cause shit was gettin boring fast, who ever thought you could sell code for thousands in cash. More money mo problems the FBI getting serious, seeing more than 200 thousand zombie hosts on a server almost got you delirious but times have changed, I ain't on the same shit, but people still bring me money so I stay spliff HOLLR


off to the trash can here we gooooooooo, it's a cold world, let's hope it snows
September 25, 2007, 4:47 AM
Barabajagal
And the recent takedown of 5E...? You think they're just going to change the 16 bytes? Did you do any reversing of the previous one?
September 25, 2007, 5:17 AM
devcode
Generated in battle.snp. I'll post my results later.
September 25, 2007, 5:21 AM
LockesRabb
Thank you for standing by your word, devcode. And thank you for contributing your work. It most certainly is appreciated.
September 25, 2007, 7:28 AM
laurion
[quote author=Andy link=topic=17050.msg173211#msg173211 date=1190706953]
He's not posted anything new.... This is all known information so far.
[/quote]
This is new information to me and I'm sure I speak for others, too.

Thanks for sharing your findings, devcode.
September 25, 2007, 11:20 AM
devcode
Updated to include stage 1 key generation :)
September 26, 2007, 2:15 AM
Myndfyr
I split off the shit.  Stay on topic or we'll stop talking about it altogether.
October 15, 2007, 1:51 AM
MyStiCaL
So, just curious if anyone's got anything done on Warden since I guess it's bypassed now, because I'm looking at a StarCraft: Brood War load on Battle.net. =|
November 2, 2007, 8:09 AM
-MichaeL-
Was the load during a time when Warden was disabled?
November 7, 2007, 1:05 AM
BreW
The rate of connection was high enough so that it would offset the loss of connections from warden. People dedicated to loading have been using this principle ever since warden was activated.
November 7, 2007, 1:31 AM
DDA-TriCk-E
Yeah if you turn on join/leaves you will realise that bots are leaving and others are entering.
November 7, 2007, 1:39 AM
MyStiCaL
No... they idled for much more than 2 mins.

As well, devcode's idled 5 bots in my channel on StarCraft.
November 7, 2007, 2:53 AM
Ringo
[quote author=devcode link=topic=17050.msg173205#msg173205 date=1190695646]
off to the trash can here we gooooooooo, it's a cold world, let's hope it snows
[/quote]
Is this uncovering 0x51, 0x5E or something else altogether?

[quote author=Andy link=topic=17050.msg173206#msg173206 date=1190697425]
You think they're just going to change the 16 bytes?
[/quote]
*they*? :)
Those 16 bytes will change when one changes CD key. (2 tokens + decoded CD-key block)
The 1st dword of the CD-key hash then relates to 0x5E encryption. I thought this was common knowledge.
November 9, 2007, 4:29 PM
Barabajagal
I meant that they'll do more than change how those bytes are gathered if they need to. And "They" are Blizzard.
November 9, 2007, 7:36 PM
UserLoser
Here we go again [img]http://forums.clubrsx.com/images/smilies/spin.gif[/img]
November 10, 2007, 9:46 AM
LockesRabb
Could we please focus on the development aspect rather than debate on whether it's worth doing? :)
November 10, 2007, 1:37 PM
BreW
[quote author=Andy link=topic=17050.msg174732#msg174732 date=1194636973]
I meant that they'll do more than change how those bytes are gathered if they need to. And "They" are Blizzard.
[/quote]
No. That would require a patch, and they're aiming for a no-StarCraft-patch antihack system. Looks like they've got it. It'd take more effort than you'd think: we could easily find the encryption key values again. They can only patch oh-so-many times.
Speaking of which, did anyone find the address where battle.snp actually parses the warden packet? I can only find where it sends it. (19019C15)
November 10, 2007, 2:44 PM
Ringo
[quote author=Andy link=topic=17050.msg174732#msg174732 date=1194636973]
I meant that they'll do more than change how those bytes are gathered if they need to. And "They" are Blizzard.
[/quote]

huh? so what?
I think you missed the point: the 16 bytes in question were the decoded CD key.
If you're saying that by pointing out that the 1st dword of the CD-key hash relates to the Warden traffic, Blizzard will change the way the client generates the key, then I don't think anyone cares. It's not rocket science to work out again; it's a very simple 1st step. ;)
You must embrace change, the future brings much of it.
November 10, 2007, 7:29 PM
Barabajagal
CDKey? Warden's response is dependent on the CDKey now, too?
November 10, 2007, 9:48 PM
BreW
[quote author=Andy link=topic=17050.msg174755#msg174755 date=1194731328]
CDKey? Warden's response is dependent on the CDKey now, too?
[/quote]
Now? It's always been based on the cdkey. And the client/server tokens.

EDIT*** Well, Warden's response isn't dependent on the CD key; I meant the key used to encrypt/decrypt it.

EDIT

I was looking into Warden a bit more, and the send function is called by 03820078. Well, it's not called by that, but called a few bytes before that. That's just the ESI at the time of calling. I'm not exactly sure what module this thread is from, and nor is my debugger. It seems like this might be Warden being executed? Am I on the right track, at least? And I'm still not able to find where it's being parsed on receive :/... But I'm pretty sure it's not battle.snp anymore.
November 10, 2007, 10:08 PM
warz
[quote author=brew link=topic=17050.msg174756#msg174756 date=1194732512]Am I on the right track, at least?[/quote]

Getting there. Keep at it.
November 11, 2007, 12:43 AM
rob
[quote author=brew link=topic=17050.msg174756#msg174756 date=1194732512]
I was looking into Warden a bit more, and the send function is called by 03820078. Well, it's not called by that, but called a few bytes before that. That's just the ESI at the time of calling. I'm not exactly sure what module this thread is from, and nor is my debugger. It seems like this might be Warden being executed? Am I on the right track, at least? And I'm still not able to find where it's being parsed on receive :/... But I'm pretty sure it's not battle.snp anymore.
[/quote]


19019D90 is the Warden handler function. It's called from the function @ 190200D0, which is responsible for receiving the data and dispatching each packet.

In your case, 03820078 would be in the address space of the loaded Warden module.
November 13, 2007, 6:04 AM
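The receive-and-dispatch structure Rob describes above (one function pulls data off the socket and hands each packet to its handler by message id), written out as an added example in Python. This is not code from the thread, from battle.snp or from any bot; it only handles BNCS framing (0xFF, one-byte id, little-endian u16 total length, payload), treats the 0x5E body as an opaque blob because the thread does not give the decryption, and all class, function and constant names are my own. The sample buffer at the bottom is constructed, not captured traffic.

```python
import struct
from dataclasses import dataclass

SID_NULL = 0x00      # keepalive, carries no payload
SID_WARDEN = 0x5E    # the message id this thread is about


@dataclass
class BncsPacket:
    msg_id: int
    payload: bytes


class BncsFramingError(ValueError):
    """Raised when the stream is not valid BNCS framing (desync or hostile peer)."""


def build_packet(msg_id: int, payload: bytes) -> bytes:
    """Encode one BNCS message: 0xFF, id, u16-LE length of header+payload, payload."""
    return struct.pack("<BBH", 0xFF, msg_id, 4 + len(payload)) + payload


def split_packets(buf: bytes):
    """Split a receive buffer into complete packets and return (packets, leftover).

    A TCP read may hold several messages or only part of one, so anything after
    the last complete packet is handed back to be prepended to the next read.
    Length is validated before it is used as an offset so a bad length can never
    slice outside the buffer or loop forever.
    """
    packets = []
    pos = 0
    while len(buf) - pos >= 4:
        hdr, msg_id, length = struct.unpack_from("<BBH", buf, pos)
        if hdr != 0xFF:
            raise BncsFramingError(f"bad header byte 0x{hdr:02X} at offset {pos}")
        if length < 4:
            raise BncsFramingError(f"length {length} smaller than the 4-byte header")
        if len(buf) - pos < length:
            break  # incomplete packet; wait for more data
        packets.append(BncsPacket(msg_id, bytes(buf[pos + 4:pos + length])))
        pos += length
    return packets, bytes(buf[pos:])


class Dispatcher:
    """Routes each complete packet to a handler keyed by message id."""

    def __init__(self):
        self.warden_blobs = []   # raw 0x5E bodies, still encrypted
        self.unhandled = []      # ids seen with no registered handler
        self.handlers = {
            SID_NULL: lambda pkt: None,
            SID_WARDEN: self.on_warden,
        }

    def on_warden(self, pkt: BncsPacket):
        # The body is opaque to this layer (the Warden module encrypts it);
        # store it for the decryption stage instead of interpreting fields.
        self.warden_blobs.append(pkt.payload)

    def on_unknown(self, pkt: BncsPacket):
        self.unhandled.append(pkt.msg_id)

    def feed(self, buf: bytes) -> bytes:
        """Parse what is complete, dispatch it, return the unparsed tail."""
        packets, rest = split_packets(buf)
        for pkt in packets:
            self.handlers.get(pkt.msg_id, self.on_unknown)(pkt)
        return rest


def demo():
    """Constructed stream: a keepalive, a Warden packet, an unknown id and a fragment."""
    d = Dispatcher()
    blob1 = b"\x01\x02\x03\x04"
    blob2 = b"\xAA" * 8
    full_second = build_packet(SID_WARDEN, blob2)
    read1 = (build_packet(SID_NULL, b"")
             + build_packet(SID_WARDEN, blob1)
             + build_packet(0x0F, b"\x00" * 3)
             + full_second[:6])          # second Warden packet cut mid-body
    rest = d.feed(read1)
    rest = d.feed(rest + full_second[6:])  # the rest arrives on the next read
    return d, rest


if __name__ == "__main__":
    d, rest = demo()
    print(len(d.warden_blobs), "Warden blobs;", d.unhandled, "unhandled;", len(rest), "bytes pending")
```

The two checks in `split_packets` are the ones that matter when you are reading someone else's framing code: the header byte catches a desync, and the length floor keeps a `length` of 0 from advancing `pos` by nothing and spinning the loop.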
BreW
[quote author=Rob link=topic=17050.msg174808#msg174808 date=1194933882]
19019D90 is the Warden handler function. It's called from the function @ 190200D0, which is responsible for receiving the data and dispatching each packet.
[/quote]

Ah, so that's the packet parse function? I've looked at that before, but I concluded that it isn't the packet handler (packets like 0x01 and 0x03 were apparently parsed there, both of which I have never heard of; also I found it odd that nothing was passed as a parameter in the function called by the 0x0F handler). Thanks, Rob.
November 14, 2007, 12:46 AM
moh.vze.com
Can't we just hire a real "Eningeer" and have them solve this or something?
November 14, 2007, 3:14 AM
BreW
[quote author=moh.vze.com link=topic=17050.msg174820#msg174820 date=1195010082]
Can't we just hire a real "Eningeer" and have them solve this or something?
[/quote]
Most of the people here are on par with, if not above a real "engineer" as you call it. Sure, I guess you can, but when you said "we", you meant "you". :)
November 14, 2007, 3:45 AM
LW-Falcon
[quote author=brew link=topic=17050.msg174822#msg174822 date=1195011909]
[quote author=moh.vze.com link=topic=17050.msg174820#msg174820 date=1195010082]
Can't we just hire a real "Eningeer" and have them solve this or something?
[/quote]
Most of the people here are on par with, if not above a real "engineer" as you call it. Sure, I guess you can, but when you said "we", you meant "you". :)
[/quote]
Uhhh no.
November 14, 2007, 4:56 AM
UserLoser
Not trying to break anything here, but once you guys eventually (if ever) figure out how to encrypt/decrypt the message, how are you going to handle the hundreds of different challenges? i.e. memory checks, loaded libraries checks, etc.
November 14, 2007, 5:33 AM
MyStiCaL
[quote author=UserLoser link=topic=17050.msg174826#msg174826 date=1195018390]
Not trying to break anything here, but once you guys eventually (if ever) figure out how to encrypt/decrypt the message, how are you going to handle the hundreds of different challenges? i.e. memory checks, loaded libraries checks, etc.
[/quote]

Are you saying it's impossible? That's sad, the last 2 patches have only affected bots, and barely any hacks at all.
November 14, 2007, 7:07 AM
BreW
[quote author=Falcon[anti-yL] link=topic=17050.msg174825#msg174825 date=1195016208]
[quote author=brew link=topic=17050.msg174822#msg174822 date=1195011909]
[quote author=moh.vze.com link=topic=17050.msg174820#msg174820 date=1195010082]
Can't we just hire a real "Eningeer" and have them solve this or something?
[/quote]
Most of the people here are on par with, if not above a real "engineer" as you call it. Sure, I guess you can, but when you said "we", you meant "you". :)
[/quote]
Uhhh no.
[/quote]
Oh please. Perhaps, you're talking about your own ability. (or lack thereof)

[quote]
Are you saying it's impossible? That's sad, the last 2 patches have only affected bots, and barely any hacks at all.
[/quote]
No, it's not impossible. He's saying it'll take a while to figure out. Lockdown took about a year and a half, right? But we solved it. So why wouldn't we be able to solve warden as well?
November 14, 2007, 3:46 PM
warz
[quote author=brew link=topic=17050.msg174832#msg174832 date=1195055211]Lockdown took about a year and a half, right? But we solved it.[/quote]

No, lockdown didn't take a year and a half to solve. It came out towards the end of 2006, and we had fixes in a month, or two. I made our code public not long after that.

[quote author=brew link=topic=17050.msg174822#msg174822 date=1195011909]
[quote author=moh.vze.com link=topic=17050.msg174820#msg174820 date=1195010082]
Can't we just hire a real "Eningeer" and have them solve this or something?
[/quote]
Sure, I guess you can, but when you said "we", you meant "you". :)
[/quote]


[quote author=brew link=topic=17050.msg174832#msg174832 date=1195055211]But we solved it. So why wouldn't we...[/quote]

While you're being a technical asshole, I'll take a moment to point out that you had nothing to do with the progression of either of the two lockdown projects that were eventually released, at all.
November 14, 2007, 5:22 PM
BreW
[quote author=betawarz link=topic=17050.msg174835#msg174835 date=1195060938]
While you're being a technical asshole, I'll take a moment to point out that you had nothing to do with the progression of either of the two lockdown projects that were eventually released, at all.
[/quote]
I meant the forum's members as a whole. I didn't really think of saying "warz, rob and iago" when I was making that statement.
November 14, 2007, 5:26 PM
St0rm.iD
brew you are so fucking stupid. please stop posting. people like you stop me from making constructive posts on this forum; policing is so much easier.
November 14, 2007, 6:24 PM
BreW
[quote author=Banana fanna fo fanna link=topic=17050.msg174837#msg174837 date=1195064691]
brew you are so fucking stupid. please stop posting. people like you stop me from making constructive posts on this forum; policing is so much easier.
[/quote]
What the fuck did I do that makes me so stupid? That moh.vze.com guy was asking a question, and I answered him.
November 14, 2007, 7:05 PM
St0rm.iD
[quote author=brew link=topic=17050.msg174822#msg174822 date=1195011909]
[quote author=moh.vze.com link=topic=17050.msg174820#msg174820 date=1195010082]
Can't we just hire a real "Eningeer" and have them solve this or something?
[/quote]
Most of the people here are on par with, if not above a real "engineer" as you call it. Sure, I guess you can, but when you said "we", you meant "you". :)
[/quote]
November 14, 2007, 7:58 PM
BreW
I really, really, really don't get what's wrong with that statement.
November 14, 2007, 8:01 PM
LW-Falcon
[quote author=brew link=topic=17050.msg174842#msg174842 date=1195070512]
I really, really, really don't get what's wrong with that statement.
[/quote]
Then there's no hope for you, just kill yourself.
November 14, 2007, 9:29 PM
BreW
[quote author=Falcon[anti-yL] link=topic=17050.msg174845#msg174845 date=1195075746]
[quote author=brew link=topic=17050.msg174842#msg174842 date=1195070512]
I really, really, really don't get what's wrong with that statement.
[/quote]
Then there's no hope for you, just kill yourself.
[/quote]

Really? Perhaps you or banana could explain what was wrong with that statement?
November 14, 2007, 9:35 PM
MyStiCaL
That you're going off topic, and soon about 6 of our posts will move into the trash can. Woooo, trash here I come!
November 14, 2007, 11:05 PM
UserLoser
[quote author=MyStiCaL link=topic=17050.msg174828#msg174828 date=1195024030]
[quote author=UserLoser link=topic=17050.msg174826#msg174826 date=1195018390]
Not trying to break anything here, but once you guys eventually (if ever) figure out how to encrypt/decrypt the message, how are you going to handle the hundreds of different challenges? i.e. memory checks, loaded libraries checks, etc.
[/quote]

Are you saying it's impossible? That's sad, the last 2 patches have only affected bots, and barely any hacks at all.
[/quote]

Not impossible, there's already a member here (who doesn't frequently post) that has accomplished and been around the Warden for probably almost two years now.  I'm not revealing his name so he doesn't get pounded with messages (as I said before), but nobody wants to believe me.
November 15, 2007, 1:40 AM
Yegg
[quote author=UserLoser link=topic=17050.msg174849#msg174849 date=1195090841]
[quote author=MyStiCaL link=topic=17050.msg174828#msg174828 date=1195024030]
[quote author=UserLoser link=topic=17050.msg174826#msg174826 date=1195018390]
Not trying to break anything here, but once you guys eventually (if ever) figure out how to encrypt/decrypt the message, how are you going to handle the hundreds of different challenges? i.e. memory checks, loaded libraries checks, etc.
[/quote]

Are you saying it's impossible? That's sad, the last 2 patches have only affected bots, and barely any hacks at all.
[/quote]

Not impossible, there's already a member here (who doesn't frequently post) that has accomplished and been around the Warden for probably almost two years now.  I'm not revealing his name so he doesn't get pounded with messages (as I said before), but nobody wants to believe me.
[/quote]

There's more than one person I can think of who could definitely have gotten around it around two years ago. None of which actively post anymore, but have in the past.
November 15, 2007, 3:17 AM
dlStevens
I bet I know one :)


Also, I just found this funny, from another thread, from brew.
[quote]
Quote from: brew on February 27, 2007, 09:00 PM
vL forums as a whole.

No, not as a whole. I'm sure out of 499 members on here, at least 1/3 would not care about abusing Battle.net.
[/quote]
November 15, 2007, 1:07 PM