Valhalla Legends Forums Archive | Battle.net Bot Development | Other clients' wardens?

iago
As you all know, I did a bunch of work and sorted out how Starcraft handles Warden.

However, I'd like to update my wiki a bit, and talk about how other clients handle Warden. I'm totally out of touch with "the scene" these days, so I was hoping somebody could tell me:
- Which games do/don't use Warden?
- Do they all use the same encryption (RC4, I'm told)?
- Where do they get the key from? (Starcraft, for example, generates it from the first 4 digits of the CDKey -- are other clients similar? The function seemed generic and could handle any size inputs)
- What's the structure of Warden's 0x02 packet (request and response)? I realize somebody posted it in the other thread, but I figure that it's been cleaned up since then, and I'd like to get the newest possible info

Thanks! And keep in mind that anything you tell me will become public information. But really, why not share details without implementation? I've done a lot of work on Battle.net stuff that I've given away, and I hope others appreciate it enough to contribute as well.
April 3, 2008, 9:24 PM
Ringo
IIRC, D2/W3/WoW have it over the game servers.
I have never got into WoW or W3, so not sure what value seeds the encryption (probably some connection data).
D2 is seeded with the game hash (see here, listed as D2GS Hash), which gets copied over from D2 realm S>C 0x04 (join game response).
You're welcome to use the stuff I PMed you about D2 0x02 if you like, if any of it's any use.
Stuff like the Warden SHA1 of the MPQ files (from patch_d2.mpq mostly).
April 3, 2008, 10:08 PM
iago
All right, so the hash is a 4-byte value sent, per that link. Is it used the same way as the first 4 bytes of Starcraft's CDKey hash (first two bytes are used to generate one key, and next two for the other), or is that done differently?
April 3, 2008, 10:29 PM
Ringo
Yeah, exactly the same as SC/BW, just a different value seeds the random data, which seeds the RC4 keys.
The game hash's source comes from:
http://ersan.us/src/bnetdocs/content0722.html?Section=m&Code=364
Then it gets sent to the game server in the logon via 0x68.
April 3, 2008, 10:42 PM
Insolence
[quote author=Ringo link=topic=17424.msg177440#msg177440 date=1207260531]Stuff like the warden SHA1 of the MPQ files (from patch_d2.mpq mostly)[/quote]I'm confused--what does that have to do with anything?  Could you be a bit more detailed?
April 5, 2008, 10:40 PM
Ringo
[quote author=Insolence link=topic=17424.msg177463#msg177463 date=1207435203]
[quote author=Ringo link=topic=17424.msg177440#msg177440 date=1207260531]Stuff like the warden SHA1 of the MPQ files (from patch_d2.mpq mostly)[/quote]I'm confused--what does that have to do with anything?  Could you be a bit more detailed?
[/quote]

Some of the Warden requests in D2 require you to extract files from the MPQs and return a SHA1 hash of them.

For example, some of the files currently checked are:
[code]
data\global\excel\charstats.txt
data\global\excel\charstats.bin
data\global\AnimData.D2
[/code]
And for example, charstats.bin would hash to:
[code]
34 69 78 63 07 9E 9C 62 46 4A 20 DB 06 C4 12 7C AF 9B 60 07
[/code]
IIRC, these files are extracted from patch_d2.mpq.
April 6, 2008, 10:08 AM
UserLoser
what relevance do those have to hacks?  are those files that someone in theory could modify to have better stats or something?
April 7, 2008, 4:18 AM
laurion
[quote author=UserLoser link=topic=17424.msg177473#msg177473 date=1207541883]
what relevance do those have to hacks?  are those files that someone in theory could modify to have better stats or something?
[/quote]
Yep, you can change your cast rate/attack speed and change the way things are displayed client-side, giving you an advantage.
April 7, 2008, 4:50 PM
UserLoser
[quote author=Tazo link=topic=17424.msg177475#msg177475 date=1207587011]
[quote author=UserLoser link=topic=17424.msg177473#msg177473 date=1207541883]
what relevance do those have to hacks?  are those files that someone in theory could modify to have better stats or something?
[/quote]
Yep, you can change your cast rate/attack speed and change the way things are displayed client-side, giving you an advantage.
[/quote]

how does that give you an advantage if it's just client side?
April 7, 2008, 6:37 PM
warz
maybe like... removing certain spell animations that clutter the screen and cause possible client-side lag?
April 7, 2008, 6:41 PM
Barabajagal
Sorta like the old d1 "Fast attack" hack?
April 7, 2008, 9:15 PM
Quarantine
[quote author=Andy link=topic=17424.msg177480#msg177480 date=1207602945]
Sorta like the old d1 "Fast attack" hack?
[/quote]

yea sorta. I think they had "fast" in common.
April 7, 2008, 11:02 PM
laurion
[quote author=UserLoser link=topic=17424.msg177476#msg177476 date=1207593457]
[quote author=Tazo link=topic=17424.msg177475#msg177475 date=1207587011]
[quote author=UserLoser link=topic=17424.msg177473#msg177473 date=1207541883]
what relevance do those have to hacks?  are those files that someone in theory could modify to have better stats or something?
[/quote]
Yep, you can change your cast rate/attack speed and change the way things are displayed client-side, giving you an advantage.
[/quote]

how does that give you an advantage if it's just client side?
[/quote]
The cast rate/attack speed is not a client-side change  ;) D2 left it up to the client to determine FCR/attack speed, less load on the server I guess.

The animation changes can benefit you greatly in PvP, I'd imagine. I've never messed with it myself but from the looks of it, PvP is much easier when people are little black blocks and their attacks are simple animations that don't cloud the screen  ;D
April 8, 2008, 2:34 AM
JoeTheOdd
If I wanted to force an animation to not show up, I'd probably hook DirectX, not change files.
April 12, 2008, 11:18 AM
iago
[quote author=Joe[x86] link=topic=17424.msg177586#msg177586 date=1207999115]
If I wanted to force an animation to not show up, I'd probably hook DirectX, not change files.
[/quote]
Changing the files takes absolutely no skill, though, it's just a matter of finding the proper one with an MPQ-editor and changing it. Way easier, faster, and basically brainless.

Hooking DirectX barely makes sense. You'd have to use some kind of AI algorithm to detect when a certain animation was happening and find a way to change it.
April 12, 2008, 2:34 PM
Quarantine
[quote author=Joe[x86] link=topic=17424.msg177586#msg177586 date=1207999115]
If I wanted to force an animation to not show up, I'd probably hook DirectX, not change files.
[/quote]

You know... besides the little fact that the actual model format is usually what dictates animation, and the parsing of that format is what applies the transformations and fills the specified on-card buffers.

You may be able to get away with hooking some sort of internal scene graph that they have and be able to notify yourself of internal entity states (this is assuming they've abstracted it enough for you to be able to make sense of it).

Or you could change a file
April 12, 2008, 9:16 PM
Ringo
Blocking packets works nice too.
April 13, 2008, 2:33 PM
Insolence
Using just the GameHash as the seed for the random data doesn't seem to work--the RC4 key produced by that doesn't show up in D2's memory.
April 14, 2008, 10:12 PM
Insolence
I still haven't figured out what else seeds the data, I don't think it's just the GameHash.

Any help is appreciated.
April 19, 2008, 2:34 AM
UserLoser
[quote author=Insolence link=topic=17424.msg177784#msg177784 date=1208572457]
I still haven't figured out what else seeds the data, I don't think it's just the GameHash.

Any help is appreciated.
[/quote]

Just throwing out a random thought: maybe the server's IP address is included somehow. Seems it would make more "random" results throughout the servers so people couldn't easily make a database of it (since there are multiple D2GS).
April 19, 2008, 5:28 AM
Ringo
Nah, it's just the game hash (if the IP comes into play, it's down to the way the realm generates the game hash value).
Not sure what Insolence is doing wrong though.
Here's some dumps for you to go over and test with:
Red = Recv encrypted, Yellow = Recv raw (plain text)
Gold = Sent encrypted, Blue = Sent raw (plain text)
[tt]
[07:37:24] [color=#FFFFFF][D2RS] Warden Seed/Game Hash: 0x2C07DF39[/color]
[07:37:24] [color=#FFFFFF][D2RS] Warden Out Hash: 6F12361A3F53F79A3CADDCD78A4ABC45[/color]
[07:37:24] [color=#FFFFFF][D2RS] Warden In Hash: 45C9CED38EB8CBAD37322B6E4C3421D1[/color]
[07:37:24] [color=#FFFFFF][D2RS] Warden Out RC4 Key Created![/color]
[07:37:24] [color=#FFFFFF][D2RS] Warden In RC4 Key Created![/color]
[07:37:26] [color=#FFFFFF][D2GS] Joining A [/color][color=#FFFFFF]Normal [/color][color=#FFFFFF]SoftCore [/color][color=#FFFF00]Expantion [/color][color=#FFFF00]Ladder [/color][color=#FFFFFF]Game.[/color]
[07:37:26] [color=#FF0000]Warden In (RAW)
B7 F8 2D 19 1E F2 6B 67 B7 B1 26 C8 64 26 94 71      ..-...kg..&.d&.q
01 34 88 B0 82 81 D4 E7 A6 96 43 CC D2 D9 68 53      .4........C...hS
09 B7 46 DE 47                                      ..F.G
[/color]
[07:37:26] [color=#FFFF00]Warden In (Recv)
00 6F 5D B7 06 AA 82 71 2D 7E 27 E5 A7 14 94 E7      .o]....q-~'.....
59 27 D5 44 A7 C7 28 98 BD 40 2F 18 E5 0D A8 1A      Y'.D..(..@/.....
1C BF 43 00 00                                      ..C..
[/color]



[07:37:27] [color=#FFC080]Warden Out (RAW)
BF                                                  .
[/color]
[07:37:27] [color=#0000FF]Warden Out (sent)
01                                                  .
[/color]

---------------------------------------------------------------------------------------

[07:37:27] [color=#FF0000]Warden In (RAW)
29 F0 4B 2E 0B 8E C6 C8 E1 FD 7B 0F 14 8A 83 AF      ).K.......{.....
F8 43 E4 E0 40 B0 FD 48 00 4A 7A 5A 40 06 0D 6E      .C..@..H.JzZ@..n
38 39 8B C8 05 CE 67 CB C9 18 3A E5 FA              89....g...:..
[/color]
[07:37:27] [color=#FFFF00]Warden In (Recv)
03 1D 00 2A 81 6C 41 01 00 01 09 53 74 6F 72 6D      ...*.lA....Storm
2E 64 6C 6C 70 42 01 00 A0 17 01 00 B0 50 01 00      .dllpB.......P..
50 23 01 00 03 02 00 F8 04 DD F6 03 00              P#...........
[/color]



[07:37:27] [color=#FF0000]Warden In (RAW)
5B 42 66 21 48 B2 2D 5B B5 6C 5B 1B 6E E4 0B B1      [Bf!H.-[.l[.n...
BB EB 13 54 9F A4 51 FC F2 E1 DA 4D 43 4D EA 5A      ...T..Q....MCM.Z
75 ED 12 7A 50 A8 3E 59 36 92 EE 64 68 99 DB C0      u..zP.>Y6..dh...
6D EE A9 5F E6 DA 3C 38 A6 B5 79 CC 25 24 C1 48      m.._..<8..y.%$.H
98 E3 D1 64 C6 9F 45 C4 A4 42 9C 06 A9 DB 27 B1      ...d..E..B....'.
D6 B5 D7 9B FF F8 31 13 79 73 78 78 0D 40 FA 12      ......1.ysxx.@..
E1 EA C6 F4 D2 CB 8F F9 76 0B D9 6D 73 FC 40 B2      ........v..ms.@.
DE 98 4B 41 5E 4B 88 52 0E 82 7E 84 5C 96 A8 86      ..KA^K.R..~.\...
AB 71 05 53 E1 FE 99 7E C3 57 BF A5 32 C0 57 45      .q.S...~.W..2.WE
6C 7D A3 5C CE 75 2A 40 71 B1 C7 4B 17 02 7C        l}.\.u*@q..K..|
[/color]
[07:37:27] [color=#FFFF00]Warden In (Recv)
02 0C 44 32 43 6C 69 65 6E 74 2E 64 6C 6C 00 D8      ..D2Client.dll..
E7 56 6E A5 41 7D 26 FE 05 0F 9D 5A 58 05 53 78      .Vn.A}&....ZX.Sx
EB 04 EA 03 81 A3 E2 D3 2A FF 20 E2 E8 1A AE D7      ........*. .....
B5 53 61 BE 9C 87 90 6F 92 7E DC 74 7A B0 88 F0      .Sa....o.~.tz...
43 8A 81 02 58 A4 00 00 3C FB 01 ED FF 04 00 04      C...X...<.......
F1 3E A8 22 1B E8 7C FC B7 76 59 E2 01 1D 4D D5      .>."..|..vY...M.
D7 6B BB 8D 8A D7 BF 78 5A D8 B0 D5 F8 B1 33 63      .k.....xZ.....3c
AD FB DB FB 97 9C D7 E2 66 1D B9 BB DC 2C E8 F6      ........f....,..
5F BF DF FF 12 F1 F1 E3 73 29 24 64 79 1E 4A 92      _.......s)$dy.J.
04 4E 5C 7F 64 FE 25 06 E1 22 AC 9B B4 82 00        .N\.d.%..".....
[/color]



[07:37:29] [color=#FFC080]Warden Out (RAW)
BD 2D DB 4A 2A 15 03 C2 4F BE 4E 75 73 8F C0 B9      .-.J*...O.Nus...
9D                                                  .
[/color]
[07:37:29] [color=#0000FF]Warden Out (sent)
02 0A 00 3A E8 76 21 00 00 00 75 F2 68 2C 00 00      ...:.v!...u.h,..
00                                                  .
[/color]

---------------------------------------------------------------------------------------

[07:37:35] [color=#FF0000]Warden In (RAW)
2E AD 58 D7 EC 4B 13 BB EB 1B 89 9A BE 3F 83 0C      ..X..K.......?..
24 76 5A 94 6D 3C AC                                $vZ.m<.
[/color]
[07:37:35] [color=#FFFF00]Warden In (Recv)
02 0C 44 32 43 6C 69 65 6E 74 2E 64 6C 6C 00 FB      ..D2Client.dll..
01 30 B8 11 00 06 00                                .0.....
[/color]



[07:37:35] [color=#FFC080]Warden Out (RAW)
97 06 E9 D9 2C 74 F8 D2 68 BF D7 25 EB 86            ....,t..h..%..
[/color]
[07:37:35] [color=#0000FF]Warden Out (sent)
02 07 00 8A B5 94 44 00 00 B4 37 02 01 00            ......D...7...
[/color]
[/tt]
April 19, 2008, 6:44 AM
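The seeding Ringo describes (a 4-byte value, the D2 game hash or the SC CDKey-hash prefix, expanded into random data that in turn seeds two RC4 keys) and the Seed/Out Hash/In Hash lines at the top of the dump above, worked through as an added example that is not code from this thread or from any poster's bot. It assumes the SHA1-based generator publicly documented for Warden as I recall it, a little-endian seed, and the outgoing key being drawn before the incoming one; whether the keys it derives from 0x2C07DF39 match the dump's Out/In Hash lines is left for the reader to check.

```python
import hashlib

# Added example, not from the thread: Warden's documented SHA1 generator as recalled (assumption).

class WardenRandom:
    """Expands a seed of any length into bytes; SHA1 of each half of the seed
    frames a 20-byte state that is re-hashed whenever it is used up."""
    def __init__(self, seed: bytes) -> None:
        half = len(seed) // 2
        self.src1 = hashlib.sha1(seed[:half]).digest()
        self.src2 = hashlib.sha1(seed[half:]).digest()
        self.data = bytes(20)                    # state starts zeroed
        self._refill()

    def _refill(self) -> None:
        self.data = hashlib.sha1(self.src1 + self.data + self.src2).digest()
        self.pos = 0

    def get_bytes(self, n: int) -> bytes:
        out = bytearray()
        for _ in range(n):
            if self.pos >= len(self.data):
                self._refill()
            out.append(self.data[self.pos])
            self.pos += 1
        return bytes(out)

class RC4:
    """RC4 whose state carries across calls: one object per direction, and
    each packet continues the keystream where the previous one stopped."""
    def __init__(self, key: bytes) -> None:
        s, j = list(range(256)), 0
        for i in range(256):                     # key scheduling
            j = (j + s[i] + key[i % len(key)]) & 0xFF
            s[i], s[j] = s[j], s[i]
        self.s, self.i, self.j = s, 0, 0

    def crypt(self, data: bytes) -> bytes:       # same call encrypts and decrypts
        s, out = self.s, bytearray()
        for b in data:
            self.i = (self.i + 1) & 0xFF
            self.j = (self.j + s[self.i]) & 0xFF
            s[self.i], s[self.j] = s[self.j], s[self.i]
            out.append(b ^ s[(s[self.i] + s[self.j]) & 0xFF])
        return bytes(out)

def derive_keys(seed: int):
    """4-byte seed (D2 game hash / SC CDKey-hash prefix) -> (out key, in key)."""
    rnd = WardenRandom(seed.to_bytes(4, "little"))  # little-endian is an assumption
    return rnd.get_bytes(16), rnd.get_bytes(16)
```

Keep one RC4 object per direction for the whole session: decrypting each packet with a freshly keyed RC4 only works for the first one, because the keystream position advances with every byte sent or received.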
