Author | Message | Time |
---|---|---|
BreW | Starts at 190333C9 in battle.snp, after some weak-as-hell static string encryption. Discuss. My guess: the last name of the Blizzard employee who implemented it? | February 9, 2008, 4:36 AM |
FrostWraith | Isn't Maiev a Warcraft III character? | February 9, 2008, 4:57 AM |
Myndfyr | [quote author=FrostWraith link=topic=17309.msg176209#msg176209 date=1202533077] Isn't Maiev a Warcraft III character? [/quote] Yes. Big surprise that Blizzard named something after a character that they created. PsiStorm.dll was a Starcraft activity. Woo. Who cares? | February 9, 2008, 6:58 AM |
UserLoser | I thought this was figured out years and years back, that maiev.mod is the always-running Warden module? | February 9, 2008, 10:22 AM |
BreW | [quote author=UserLoser link=topic=17309.msg176216#msg176216 date=1202552522] I thought this was figured out years and years back, that maiev.mod is the always-running Warden module? [/quote] Eh? The always-running one? Is this Warcraft 3 specific? 'Cause if it is, I'm wasting a shitload of time ;P @FrostWraith: according to WoWWiki it's Maiev Shadowsong, a priestess of Elune during the War of the Ancients. One of 'her' aliases is the "Hand of Justice"... oooo EDIT** I was reading that wiki article a bit more and here's what I found: [quote] The "death" originates from the mission, The Search for Illidan, in which the mission objective is to slay the guardians of the cage, the Watchers, carrying Illidan to the Sentinels' base. There were four guardians, including Maiev; Lord Illidan has been captured by the cunning Warden in a cage of magical enchantments. Slay the guardians of the cage and take it from the Night Elves before they reach the safety of their base. [/quote] | February 9, 2008, 2:06 PM |
UserLoser | Yes, War3 specific. | February 9, 2008, 4:46 PM |
iago | I believe that Maiev.mod is initially loaded, before a new one is downloaded/run. The code/decryption key are stored as constants, and it's decrypted before receiving any "warden" packets. | February 10, 2008, 7:55 AM |
BreW | Constant decryption key? Might it be "WBc+8F%R" by any chance? | February 10, 2008, 12:52 PM |
iago | It's 16 bytes, but yeah, it starts with that. | February 10, 2008, 5:31 PM |
BreW | Hmm, does anyone have a copy of the Mac storm.dll handy? | February 10, 2008, 5:44 PM |
iago | You can extract the Mac version from Install.exe if you're stuck. But it's version 1.04, so it isn't especially useful. It's the only version I've ever used, though. And incidentally, I was making breakfast when I realized that I was wrong -- that WBc+.. string isn't the key, that's the encrypted module. The key used is referenced right above it. | February 10, 2008, 6:52 PM |
BreW | Heh, I realized that it couldn't have been the key. What the 3rd parameter's offset is pointing to is exactly 16 bytes. It's 57 42 63 C9 38 46 25 52 00 71 E4 47 00 40 DD 84. Just curious, why 16 bytes? Is Starcraft's the same length? Please don't tell me it's MD5... | February 10, 2008, 7:13 PM |
Myndfyr | [quote author=brew link=topic=17309.msg176267#msg176267 date=1202670823] Heh, I realized that it couldn't have been the key. What the 3rd parameter's offset is pointing to is exactly 16 bytes. It's 57 42 63 C9 38 46 25 52 00 71 E4 47 00 40 DD 84. Just curious, why 16 bytes? Is Starcraft's the same length? Please don't tell me it's MD5... [/quote] MD5 isn't an encryption algorithm, it's a hashing algorithm. | February 10, 2008, 7:58 PM |
iago | [quote author=brew link=topic=17309.msg176267#msg176267 date=1202670823] Heh, I realized that it couldn't have been the key. What the 3rd parameter's offset is pointing to is exactly 16 bytes. It's 57 42 63 C9 38 46 25 52 00 71 E4 47 00 40 DD 84. Just curious, why 16 bytes? Is Starcraft's the same length? Please don't tell me it's MD5... [/quote] The third parameter is the decryption key. `.text:19033697 push offset default_warden_key ; KeyString` `.text:1903369C push 12B3h ; EncryptedSize` `.text:190336A1 push offset default_warden_module ; "WBc+8F%RqSG@¦ärBµs}\x11\"-<+\x02±ç¦y+\x168µ3+ûxŪ"...` `.text:190336A6 call sub_190333C0` And yes, there is some MD5 involved, but not here. | February 10, 2008, 7:59 PM |
BreW | [quote author=MyndFyre[vL] link=topic=17309.msg176268#msg176268 date=1202673531] [quote author=brew link=topic=17309.msg176267#msg176267 date=1202670823] Heh, I realized that it couldn't have been the key. What the 3rd parameter's offset is pointing to is exactly 16 bytes. It's 57 42 63 C9 38 46 25 52 00 71 E4 47 00 40 DD 84. Just curious, why 16 bytes? Is Starcraft's the same length? Please don't tell me it's MD5... [/quote] MD5 isn't an encryption algorithm, it's a hashing algorithm. [/quote] I was talking about the key generation. @iago: thanks! You're good :P Also, how often do the modules update? I was able to convert it from the hex view in OllyDbg to binary data, then disassemble with ndisasm, but then when I go back to check it again (3 days later), my addresses aren't valid! :( | February 10, 2008, 8:35 PM |
Ringo | [quote author=brew link=topic=17309.msg176270#msg176270 date=1202675754] Also, how often do the modules update? [/quote] About every hour or so. However, it doesn't update once you're connected; you would only notice it on a new connection. It might/can update in the middle of an idle connection, but I have never seen it do so. I have found module updates to be the biggest pain in the ass :( Aside, good work brew, sounds like you're getting somewhere! :) | February 11, 2008, 6:03 AM |
BreW | At 19032FED, esi == the address of the encryption key, amirite? And edi would sensibly be the size of it ;) Exactly as I first suspected, it's 24 bytes. The other param is just the address of the wardendata arg to parse0x5e (modifies by ref to make some kind of numerical number). I'll look into it more tomorrow. | February 12, 2008, 3:51 AM |
Myndfyr | [quote author=brew link=topic=17309.msg176327#msg176327 date=1202788293] At 19032FED, esi == the address of the encryption key, amirite? And edi would sensibly be the size of it ;) Exactly as I first suspected, it's 24 bytes. The other param is just the address of the wardendata arg to parse0x5e (modifies by ref to make some kind of numerical number). I'll look into it more tomorrow. [/quote] What encryption algorithm uses a 192-bit key? | February 12, 2008, 4:35 AM |
iago | [quote author=brew link=topic=17309.msg176327#msg176327 date=1202788293] At 19032FED, esi == the address of the encryption key, amirite? And edi would sensibly be the size of it ;) Exactly as I first suspected, it's 24 bytes. The other param is just the address of the wardendata arg to parse0x5e (modifies by ref to make some kind of numerical number). I'll look into it more tomorrow. [/quote] Nope and nope. Try again next time! | February 12, 2008, 4:47 AM |
BreW | [quote author=MyndFyre[vL] link=topic=17309.msg176328#msg176328 date=1202790923] What encryption algorithm uses a 192-bit key? [/quote] IIRC RC4 can use any sized key. | February 12, 2008, 4:34 PM |
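Added example, not code from this thread or from Blizzard's Warden: a plain RC4 implementation whose key schedule accepts any key of 1 to 256 bytes, so both a 16-byte key (the length iago's disassembly passes as `KeyString`) and the 24-byte length brew proposes are legal RC4 keys; 24-byte keys are also the size used by AES-192 and three-key Triple DES. The thread does not establish which cipher `sub_190333C0` actually implements, so the `decrypt_embedded_module` function below only mirrors the shape of that call (module pointer, `EncryptedSize`, key), and the key bytes and "module" contents are constructed for the demo, not taken from battle.snp. The three known-answer vectors are the standard public RC4 test vectors, so the implementation can be checked before it is pointed at real data.

```python
"""RC4 with variable-length keys, plus the embedded-blob decrypt pattern from the thread.

Added illustration; the key, module bytes and function names are constructed here.
"""
from __future__ import annotations


def key_is_valid_rc4_length(key: bytes) -> bool:
    """RC4's key schedule accepts any key from 1 to 256 bytes (8 to 2048 bits)."""
    return 1 <= len(key) <= 256


def rc4_ksa(key: bytes) -> list[int]:
    """Key-scheduling algorithm: expand the key into a 256-byte permutation S."""
    if not key_is_valid_rc4_length(key):
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):
        # The key is simply cycled, which is why its length is unconstrained.
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_keystream(s: list[int], n: int) -> bytes:
    """Pseudo-random generation algorithm: emit n keystream bytes from S (S is mutated)."""
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher: the same function encrypts and decrypts."""
    keystream = rc4_keystream(rc4_ksa(key), len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


def decrypt_embedded_module(module: bytes, encrypted_size: int, key: bytes) -> bytes:
    """Shape of the (module, EncryptedSize, KeyString) call in the disassembly above.

    Only the first `encrypted_size` bytes are ciphertext; the cipher itself is an
    assumption (RC4), since the thread does not identify sub_190333C0's algorithm.
    """
    if encrypted_size > len(module):
        raise ValueError("EncryptedSize exceeds the embedded blob")
    return rc4_crypt(key, module[:encrypted_size])


# Constructed demo data standing in for default_warden_key / default_warden_module.
DEMO_KEY_16 = bytes(range(0x10))                      # a 16-byte key, like KeyString's size
DEMO_KEY_24 = bytes(range(0x18))                      # a 24-byte (192-bit) key, as brew proposed
DEMO_MODULE_PLAINTEXT = b"constructed warden module body: not real code"
DEMO_ENCRYPTED_MODULE = rc4_crypt(DEMO_KEY_16, DEMO_MODULE_PLAINTEXT)
DEMO_ENCRYPTED_SIZE = len(DEMO_ENCRYPTED_MODULE)


if __name__ == "__main__":
    # Known-answer checks (public RC4 test vectors) before trusting the cipher.
    print(rc4_crypt(b"Key", b"Plaintext").hex())              # bbf316e8d940af0ad3
    print(rc4_crypt(b"Secret", b"Attack at dawn").hex())      # 45a01f645fc35b383552544b9bf5
    # Both a 16-byte and a 24-byte key schedule without complaint.
    for k in (DEMO_KEY_16, DEMO_KEY_24):
        assert rc4_crypt(k, rc4_crypt(k, DEMO_MODULE_PLAINTEXT)) == DEMO_MODULE_PLAINTEXT
    print(decrypt_embedded_module(DEMO_ENCRYPTED_MODULE, DEMO_ENCRYPTED_SIZE, DEMO_KEY_16))
```

Note that a bare stream cipher with a constant key, which is what a fixed `KeyString` in the binary amounts to, offers no confidentiality against anyone who can read the binary; its only effect is to keep the module's strings and code out of a naive `strings` pass, which is consistent with the "weak-as-hell static string encryption" remark that opened the thread.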