Valhalla Legends Forums Archive | Battle.net Bot Development | Warden for warcraft III

Author | Message | Time
PunK
Well it appears Warcraft III requires the same warden response as Starcraft directly after login.
April 14, 2009, 9:19 PM
MyStiCaL
The exact same response? Thanks for the packetlog.
April 14, 2009, 9:24 PM
PunK
If you want to see it, don't be lazy - packet log it yourself.

Here it is anyways.
[code]
0000:  FF 5E 29 00 F7 5A 70 D4 2F 33 9F 1E 67 8F 08 FD  ÿ^).÷ZpÔ/3Ÿg?ý
0010:  A6 5F EA 94 CE AE A0 4A E2 44 2E CE FD DC 3A A9  ¦_ê”ή JâD.ÎýÜ:©
0020:  52 16 FD B9 BF A9 5F D1 85                        Rý¹¿©_Ñ….......
[/code]
April 14, 2009, 9:29 PM
HdxBmx27
[code][2:53:26 PM] [Server] Listening for connections on port 6112
[2:57:19 PM] [Server] New connection from 127.0.0.1:53184
[2:57:19 PM] [Server] Received Socks connection: 63.240.202.138:6112
[2:57:19 PM] [Client] Connected
[2:57:22 PM] Received Warden 0x00
[2:57:22 PM] Name:     d192b987e0fdf83be621b5dfc98b179d
[2:57:22 PM] Key Seed: c5f41a2b952dd4533eaa1d50f0c11a11
[2:57:22 PM] Length:   17464
[2:57:22 PM] Download 100%
[2:57:22 PM] Module Decrypted
[2:57:22 PM] Module decompressed
[2:57:22 PM] Module Header:
[2:57:22 PM] Maped Size:    0x0000B000
[2:57:22 PM] Unknown 1:     0x00005B0C
[2:57:22 PM] Ref Table:     0x0000A000
[2:57:22 PM] Ref Count:     0x00000141
[2:57:22 PM] Init Addr:     0x00008768
[2:57:22 PM] Unknown 2:     0x00000001
[2:57:22 PM] Unknown 3:     0x00000001
[2:57:22 PM] Lib Table:     0x000083FC
[2:57:22 PM] Lib Count:     0x00000002
[2:57:22 PM] Unknown 4:     0x00000003
[2:57:22 PM] [DEBUG] Warden Base: 0x0235004C
[2:57:22 PM] [DEBUG] Copying code blocks to module
[2:57:22 PM] [DEBUG] Adjusting 321 references to global variables...
[2:57:22 PM] [DEBUG] Updating API library referances...
[2:57:22 PM] [DEBUG] Lib: KERNEL32.dll
[2:57:22 PM] [DEBUG] IsValidCodePage @ 0x77bb000d
[2:57:22 PM] [DEBUG] GetStdHandle @ 0x77bbb94d
[2:57:22 PM] [DEBUG] Sleep @ 0x77bc4e86
[2:57:22 PM] [DEBUG] TlsSetValue @ 0x77bc3d24
[2:57:22 PM] [DEBUG] RaiseException @ 0x77ba7088
[2:57:22 PM] [DEBUG] GetProcAddress @ 0x77bc4b71
[2:57:22 PM] [DEBUG] GetModuleHandleA @ 0x77bc4b89
[2:57:22 PM] [DEBUG] TlsAlloc @ 0x77bb5a72
[2:57:22 PM] [DEBUG] TlsFree @ 0x77bbfd41
[2:57:22 PM] [DEBUG] TlsGetValue @ 0x77bc54ee
[2:57:22 PM] [DEBUG] GetSystemInfo @ 0x77bb5a8f
[2:57:22 PM] [DEBUG] GetVersionExA @ 0x77bb5adb
[2:57:22 PM] [DEBUG] VirtualQuery @ 0x77bbb97d
[2:57:22 PM] [DEBUG] QueryDosDeviceA @ 0x77be85ea
[2:57:22 PM] [DEBUG] GetTickCount @ 0x77bc4e96
[2:57:22 PM] [DEBUG] DuplicateHandle @ 0x77bc3457
[2:57:22 PM] [DEBUG] CloseHandle @ 0x77bc5137
[2:57:22 PM] [DEBUG] FreeLibrary @ 0x77bc32f3
[2:57:22 PM] [DEBUG] GetCurrentProcess @ 0x77bc3532
[2:57:22 PM] [DEBUG] LoadLibraryA @ 0x77bb5a27
[2:57:22 PM] [DEBUG] GetProcessHeap @ 0x77bc372d
[2:57:22 PM] [DEBUG] HeapFree @ 0x77bc55cd
[2:57:22 PM] [DEBUG] TerminateProcess @ 0x77baaa2f
[2:57:22 PM] [DEBUG] UnhandledExceptionFilter @ 0x77beebb9
[2:57:22 PM] [DEBUG] SetUnhandledExceptionFilter @ 0x77bbb99d
[2:57:22 PM] [DEBUG] QueryPerformanceCounter @ 0x77bb59c7
[2:57:22 PM] [DEBUG] GetCurrentThreadId @ 0x77bc3520
[2:57:22 PM] [DEBUG] GetCurrentProcessId @ 0x77bc4bb0
[2:57:22 PM] [DEBUG] GetSystemTimeAsFileTime @ 0x77bb96b0
[2:57:22 PM] [DEBUG] RtlUnwind @ 0x77ba71f3
[2:57:22 PM] [DEBUG] Lib: USER32.dll
[2:57:22 PM] [DEBUG] DrawTextA @ 0x763aa8f7
[2:57:22 PM] [DEBUG] CharUpperBuffA @ 0x76397c23
[2:57:22 PM] [DEBUG] ScrollWindowEx @ 0x763b5c22
[2:57:22 PM] [DEBUG] IsCharUpperA @ 0x763e3928
[2:57:22 PM] Module prepared/loaded
[2:57:22 PM] Callbacks:    0x005E95B4
[2:57:22 PM] Send Packet:  0x00415B40
[2:57:22 PM] Check Module: 0x004160B0
[2:57:22 PM] ModuleLoad:   0x00416430
[2:57:22 PM] AllocateMem:  0x004168E0
[2:57:23 PM] FreeMemory:   0x00416BA0
[2:57:23 PM] SetRC4Data:   0x00416DE0
[2:57:23 PM] GetRC4Data:   0x00417150
[2:57:23 PM] AllocateMem(2024) = 0x0065E00C
[2:57:23 PM] AllocateMem(60) = 0x005F924C
[2:57:23 PM] AllocateMem(44) = 0x00634BBC
[2:57:23 PM] [DEBUG] Init_Data:
[2:57:23 PM] [DEBUG]   Exports:         0x023581B4
[2:57:23 PM] [DEBUG]     RC4 Init:      0x023535EC
[2:57:23 PM] [DEBUG]     Handle Packet: 0x0235371C
[2:57:23 PM] [DEBUG]     Unload:        0x02356B3C
[2:57:23 PM] [DEBUG]   Unknown1:        0x00000000 0x00000000 0x00000000 0x00000000 0x023581C4
[2:57:23 PM] [DEBUG]   CallBacks:       0x005E95B4
[2:57:23 PM] [DEBUG]     Send Packet:   0x00415B40
[2:57:23 PM] [DEBUG]     Check Mod:     0x004160B0
[2:57:23 PM] [DEBUG]     Mod Load:      0x00416430
[2:57:23 PM] [DEBUG]     MemAlloc:      0x004168E0
[2:57:23 PM] [DEBUG]     MemFree:       0x00416BA0
[2:57:23 PM] [DEBUG]     Set RC4:       0x00416DE0
[2:57:23 PM] [DEBUG]     get RC4:       0x00417150
[2:57:23 PM] [DEBUG]   Unknown2:        0x00000000
[2:57:23 PM] [DEBUG] Init 0x0013f354 0x00417150
[2:57:23 PM] GetRC4Data(0x0065E02C, 0x00000208)
[2:57:23 PM] Init() = 0x0065E00C
[2:57:23 PM] Received Warden 0x05
[2:57:23 PM] SendPacket() pkt=0x0013F0E4, size=21
[2:57:23 PM] Sending Packet Data:
0000:  04 9F 54 9D B9 F8 A5 96 FC D9 AA 92 AA 44 D9 BB   ŸT?¹ø¥–üÙª’ªDÙ»
0010:  D8 C1 0E 7D 77                                    ØÁ}w...........
[2:57:23 PM] Handled 17/17
[2:57:23 PM] Handled packet successfully
[2:57:27 PM] Received Warden 0x02
[2:57:27 PM] Key: 0x78
[2:57:27 PM] Library: game.dll
[2:57:27 PM] Library: Çüßs
[2:57:27 PM] Library: Ç
6
[2:57:27 PM] Library: Ç:[(
[2:57:27 PM] Library: Çã:
[2:57:27 PM] Library: ÚËÆ°Nïn‘\&I º?m,ÂàOç\‚<4
[2:57:27 PM] Library: Çgl5
[2:57:27 PM] Library: ÇÊ’?
[2:57:27 PM] Opcode: 0xBB Page:  48 @ 0x0007A8C4 Seed: 0xBF8C393D Hash: d332d199425adc6e0af2dff632d860f203794c7b
[2:57:27 PM] Opcode: 0xBB Page:  25 @ 0x00005908 Seed: 0xCA846AD3 Hash: a6678e78b9ce718ea5436d905eec88d3c0abaa23
[2:57:27 PM] Opcode: 0xBF Read:  12 @ 0x003C5C22 Data: 00 00 00 00 00 00 00 00 00 00 00 00
[2:57:27 PM] Opcode: 0xBF Read:   6 @ 0x0039A39B Data: 00 00 00 00 00 00
[2:57:27 PM] 0x02 Response:
0000:  02 16 00 E1 29 B5 A0 00 00 00 00 00 00 00 00 00   .á)µ .........
0010:  00 00 00 00 00 00 00 00 00 00 00 00 00            ................
[2:57:27 PM] Response:
0000:  75 73 53 7C 5B 37 2E BA 6C FA 71 45 63 06 96 F0   usS|[7.ºlúqEc–ð
0010:  20 95 C2 C8 5E 4A B5 2B D9 8B 8A 8C 28             •ÂÈ^Jµ+Ù‹ŠŒ(...
[2:57:27 PM] [Client] Connection closed
[2:57:27 PM] [Server] Connection closed
[2:57:27 PM] [Server] Listening for connections on port 6112
[/code]
Same modules, same method of handling, if I wasn't lazy and used a few shortcuts my bypass would still work. But alas I was, and I deleted 1/2 the source, so meh.

Though this is curious, why in god's name would they enable it for WC3? Oh wait, maybe hacks had taken advantage of it!
April 14, 2009, 10:02 PM
PunK
yeah, only thing different is the requests for the memory blobs.
April 14, 2009, 10:14 PM
l2k-Shadow
here's something interesting: a decompression of the 0x02 warden request yields:
[code]
02 08 67 61 6D 65 2E 64 6C 6C 00 38 70 26 A8 F8 7B 14 12 E9 46 4B 0B 65 8E 3E D1 7F A0 CD CD B8 C2 E5 26 14 20 70 00 00 10 7C 01 A2 5B 28 00 05 38 B6 0C 20 4C C2 4F EF 6D C3 FC 00 59 3F 1B EE BB 20 56 23 4D B9 EC A6 96 10 91 00 00 28 38 9C 72 4D 07 94 30 01 BE 16 26 EE B3 2A 4A 3E 43 8B C8 6E 9A B5 B0 89 67 C8 D7 06 00 30 38 ED 06 1E 0F 0B B6 B3 CC 39 18 88 3A 07 8E 9B 94 12 53 BA 7F 63 92 CF A9 02 E1 00 00 2A 38 24 76 98 7A EF 9F 1F E5 A8 D6 96 DA 9C 5C 52 A7 2E 9B 24 16 35 17 5D 29 F8 D4 06 00 30 8D

game.dll 8p&¨ø{éFK eŽ>Ñ Í͸Âå& p  |¢[( 8¶ LÂOïmÃü Y?î» V#M¹ì¦–‘  (8œrM”0¾&î³*J>C‹Ènšµ°‰gÈ× 08í ¶³Ì9ˆ:Ž›”Sºc’Ï©á  *8$v˜zïŸå¨Ö–Úœ\R§.›$5])øÔ 0?

[/code]

so it seems that the war3 request gives you the name of the file to check the memory for. no problem... the kicker is though that game.dll has the base address of 0x6F000000 and no viable addresses to check are found in that packet. ideas...?
April 15, 2009, 1:39 AM
BreW
[quote author=l2k-Shadow link=topic=17903.msg182332#msg182332 date=1239759559]
so it seems that the war3 request gives you the name of the file to check the memory for. no problem... the kicker is though that game.dll has the base address of 0x6F000000 and no viable addresses to check are found in that packet. ideas...?
[/quote][me=brew]lols[/me]
you aren't seriously letting the module parse the 0x02, are you?
well even if you are, you still can hook VirtualQuery then return whatever blobs you'd like.
April 15, 2009, 1:40 AM
l2k-Shadow
no, i'm not. i assumed that since the sc gives you the exact address to look at, it would do the same here. guess not?
April 15, 2009, 1:48 AM
BreW
It does. Just because they give you an absolute address doesn't mean you need to read exactly from there, though. You know the exact address to read from, as well as where the image's base is.
By the way, your previous post screws up the tables. Do break it up please.
April 15, 2009, 3:20 AM
Ringo
[quote author=l2k-Shadow link=topic=17903.msg182332#msg182332 date=1239759559]
here's something interesting: a decompression of the 0x02 warden request yields:
[code]
game.dll 8p&¨ø{éFK eŽ>Ñ Í͸Âå& p  |¢[( 8¶ LÂOïmÃü Y?î» V#M¹ì¦–‘  (8œrM”0¾&î³*J>C‹Ènšµ°‰gÈ× 08í ¶³Ì9ˆ:Ž›”Sºc’Ï©á  *8$v˜zïŸå¨Ö–Úœ\R§.›$5])øÔ 0?

[/code]

so it seems that the war3 request gives you the name of the file to check the memory for. no problem... the kicker is though that game.dll has the base address of 0x6F000000 and no viable addresses to check are found in that packet. ideas...?

[/quote]

Yeah, this is the standard for all (sc/w3/d2) wardens atm.
Pretty sure I explained a bit about this in iago's warden thread.
In d2, I've seen 4 request types active -- 1 memory check, 2 page checks and a local file check
For those 4 types of common checks, only the memory checks and local file checks use the string table.

The memory checks have a string index to a library;
[code]
        (BYTE) String Index (If 0x00, base 0, else, base of library in this string)       
        (DWORD) offset       
        (BYTE) read Length
        If address_cant_be_read           
            insert(BYTE) 0x01       
        else           
            insert(BYTE) 0x00           
            insert(VOID) memory
[/code]

The local file checks have a string index to an mpq file to be hashed;
[code]
        (BYTE) String Index (points to an MPQ file)   
        If file_cant_be_read           
            insert(BYTE) 0x01       
        else           
            insert(BYTE) 0x00           
            insert(BYTE[20]) Warden SHA1 of file
[/code]


On another note, the modWARDEN.bas I added to the SCGP bot, should work fine for Warcraft3 as well.
The 0x02 handler just needs some mild modifying.
April 15, 2009, 4:04 AM
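Added example (not part of any post in this thread, and not code from any bot or module mentioned here): a Python decoder for the decompressed 0x02 request l2k-Shadow posted, using the string table and memory-check layout Ringo describes above. The page-check field order (seed, 20-byte hash, address, length), little-endian integers, the opcode values 0x38/0x7C being specific to this one capture, and the last byte being a trailer are assumptions inferred from the dump and from the fields shown in HdxBmx27's log.

```python
import struct
from dataclasses import dataclass

# Decompressed 0x02 request as posted by l2k-Shadow on this page.
DUMP = bytes.fromhex("""
02 08 67 61 6D 65 2E 64 6C 6C 00
38 70 26 A8 F8 7B 14 12 E9 46 4B 0B 65 8E 3E D1 7F A0 CD CD B8 C2 E5 26 14 20 70 00 00 10
7C 01 A2 5B 28 00 05
38 B6 0C 20 4C C2 4F EF 6D C3 FC 00 59 3F 1B EE BB 20 56 23 4D B9 EC A6 96 10 91 00 00 28
38 9C 72 4D 07 94 30 01 BE 16 26 EE B3 2A 4A 3E 43 8B C8 6E 9A B5 B0 89 67 C8 D7 06 00 30
38 ED 06 1E 0F 0B B6 B3 CC 39 18 88 3A 07 8E 9B 94 12 53 BA 7F 63 92 CF A9 02 E1 00 00 2A
38 24 76 98 7A EF 9F 1F E5 A8 D6 96 DA 9C 5C 52 A7 2E 9B 24 16 35 17 5D 29 F8 D4 06 00 30
8D
""")

@dataclass
class PageCheck:          # field order is an assumption inferred from the dump
    seed: int
    digest: bytes         # 20 bytes
    address: int
    length: int

@dataclass
class MemCheck:           # layout from Ringo's post: string index, DWORD offset, length
    library: str          # "" for string index 0 (base 0)
    offset: int
    length: int

def parse_request(buf, page_op=0x38, mem_op=0x7C):
    """Return (string_table, checks, trailer). Opcode values are per-capture assumptions."""
    if len(buf) < 3 or buf[0] != 0x02:
        raise ValueError("not a 0x02 request")
    body, trailer = buf[:-1], buf[-1]   # assumption: final byte is not a check
    try:
        pos, strings = 1, [""]          # index 0 is reserved for "base 0"
        while body[pos] != 0:           # length-prefixed strings, zero length ends the table
            n = body[pos]
            if pos + 1 + n > len(body):
                raise ValueError("string runs past end of request")
            strings.append(body[pos + 1:pos + 1 + n].decode("latin-1"))
            pos += 1 + n
        pos += 1
        checks = []
        while pos < len(body):
            op = body[pos]
            pos += 1
            if op == page_op:
                seed, digest, addr, length = struct.unpack_from("<I20sIB", body, pos)
                checks.append(PageCheck(seed, digest, addr, length))
                pos += 29
            elif op == mem_op:
                idx, offset, length = struct.unpack_from("<BIB", body, pos)
                if idx >= len(strings):
                    raise ValueError(f"string index {idx} not in table")
                checks.append(MemCheck(strings[idx], offset, length))
                pos += 6
            else:
                raise ValueError(f"unknown opcode 0x{op:02X} at offset {pos - 1}")
    except (struct.error, IndexError):
        raise ValueError("truncated request") from None
    return strings, checks, trailer

def resolve(check, bases):
    """Address a MemCheck refers to: base of the named library (0 for index 0) + offset."""
    base = 0 if check.library == "" else bases[check.library.lower()]
    return base + check.offset

if __name__ == "__main__":
    strings, checks, trailer = parse_request(DUMP)
    print("string table:", strings[1:], "trailer: 0x%02X" % trailer)
    for c in checks:
        if isinstance(c, MemCheck):
            # 0x6F000000 is the game.dll base quoted in l2k-Shadow's post
            va = resolve(c, {"game.dll": 0x6F000000})
            print(f"mem  {c.library}+0x{c.offset:06X} len {c.length} -> 0x{va:08X}")
        else:
            print(f"page 0x{c.address:08X} len {c.length} seed 0x{c.seed:08X}")
```

The single memory check in this capture decodes to game.dll+0x285BA2 with length 5, which matches the `05_00285BA2` entry HdxBmx27 lists later in the thread.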
Yegg
[quote author=Ringo link=topic=17903.msg182339#msg182339 date=1239768293]
On another note, the modWARDEN.bas I added to the SCGP bot, should work fine for Warcraft3 as well.
The 0x02 handler just needs some mild modifying.
[/quote]

I'm assuming that warden being activated on Warcraft III isn't a big change then? Just some minor tweaks to the existing code you already have?
April 15, 2009, 4:34 AM
HdxBmx27
From the looks of it, it uses the same exact modules as SC. Only difference, it actually tells you to load a dll. [game.dll]

Yarly, Hey Haxorz out there, these are the offsets you wanna look at!
[code][3RAW_game.dll]
0A_003C135C=3dff0000007605c1f81f
07_00285B33=b90d0000008be8
07_00361DD3=e878f41c0085c0
0A_0073DEB7=0fb70c4a81c900f00000
06_0039A458=7427396c2444
04_0028345C=c3cccccc
0A_00362211=85c00f84300400008b03
08_00743576=c1e00803e88b84ae
06_0039A39B=8b9798010000
06_0036040A=eb08c7442418
05_00285BA2=7529538bcf
06_0073DEC9=8a906c68aa6f
07_0073DFFC=e8df3dffff85c0
09_0000F453=8b41148b4910ba0200
07_00283444=8bc8ba01000000
04_003A1DE3=7504a802
07_003A1DE9=8b442424660918
05_00356E7E=6685c07604
06_00285B8C=742a8b442420
06_003F92CA=750a837b1400
06_00361DFC=01000000d3e8
06_00431556=85c00f84c000
08_00356F1C=3b86180200008944
08_00285B3A=e881fa22008b4010
07_003A1DCE=e85dd6c6ff8bd0
07_00361DF9=33c9b801000000
08_00356C67=85db8a8ee8070000
0A_0039A3B1=555056e8377b000023d8
0D_0039A465=668587f4010000741d8b8f9801
0C_003C5C22=740b81887c02000000020000
04_003A1E9B=23ca7532
06_00431569=85c00f84ad00
06_0000F490=74088b0083c4
06_003A1E64=8b0c41668b04
08_003C1354=f6d08ac88b44241c
07_003A1E8E=8b5424200fb732[/code]
Format:
Length_Offset=Data
April 15, 2009, 4:48 AM
neckbeard
Registered just to post a suggestion in this thread, don't know if it's completely useless.
The Mac version of the Warcraft III client (in fact, all mac versions of all blizzard games) does not contain Warden, as it doesn't work with the infrastructure of OS X.
Would it be possible to have a bot spoof itself as a Mac client, tricking battle.net into not warden-checking?
We were discussing this over on the GHost++ forums, and someone linked here.
April 15, 2009, 7:32 AM
Yegg
[quote author=neckbeard link=topic=17903.msg182343#msg182343 date=1239780747]
Registered just to post a suggestion in this thread, don't know if it's completely useless.
The Mac version of the Warcraft III client (in fact, all mac versions of all blizzard games) does not contain Warden, as it doesn't work with the infrastructure of OS X.
Would it be possible to have a bot spoof itself as a Mac client, tricking battle.net into not warden-checking?
We were discussing this over on the GHost++ forums, and someone linked here.
[/quote]

I was wondering why there were like 15 guests viewing this topic. Has anyone tried this out yet? It shouldn't be hard. I haven't kept up with Bnet protocol lately so I don't have anything to work with. That would be an interesting test though.
April 15, 2009, 7:35 AM
HdxBmx27
Pyro tested this out earlier tonight. And yes, there is no warden on mac clients.
But meh. Dunno if it'd be viable, they could just do something else.
April 15, 2009, 8:30 AM
Yegg
[quote author=Hdx link=topic=17903.msg182345#msg182345 date=1239784256]
Pyro tested this out earlier tonight. And yes, there is no warden on mac clients.
But meh. Dunno if it'd be viable, they could just do something else.
[/quote]

I'm sure someone will take advantage of this soon enough.
April 15, 2009, 8:39 AM
Ozzapoo
Yes...Are there mac hashes anywhere though?
April 15, 2009, 10:21 AM
Yegg
[quote author=Ozzapoo link=topic=17903.msg182347#msg182347 date=1239790915]
Yes...Are there mac hashes anywhere though?
[/quote]

You don't have to purchase the game separately for Mac. The hashes are the same.
April 15, 2009, 10:44 AM
Ringo
[quote author=Yegg link=topic=17903.msg182341#msg182341 date=1239770094]
I'm assuming that warden being activated on Warcraft III isn't a big change then? Just some minor tweaks to the existing code you already have?
[/quote]
Yeah, where it checks the 1st string in the string table is 0x00 in length, needs to be some code to build an array of strings.
Then that array just needs to be passed down to the get result function thingy :p
Later on, when I get time, I will post an updated module for who ever needs it.
April 15, 2009, 2:24 PM
PabloWz
[quote author=Ringo link=topic=17903.msg182351#msg182351 date=1239805445]
Later on, when I get time, I will post an updated module for who ever needs it.
[/quote]thousands of people are waiting for this module. I would do your laundry and dishwashing to get you time and get my clan-bot back online :p
April 15, 2009, 4:21 PM
RiffRiot
[quote author=PabloWz link=topic=17903.msg182353#msg182353 date=1239812461]
[quote author=Ringo link=topic=17903.msg182351#msg182351 date=1239805445]
Later on, when I get time, I will post an updated module for who ever needs it.
[/quote]thousands of people are waiting for this module. I would do your laundry and dishwashing to get you time and get my clan-bot back online :p
[/quote]

Your clan-bot?  lol  I highly doubt it's even anywhere that many people and if you need it done so badly why don't you learn something like the rest of us who work hard at it, not that I've contributed anything major yet but I plan on it.  Sorry for the rant but that sh*t just annoys me 10-fold.
April 15, 2009, 5:48 PM
PabloWz
[quote author=RiffRiot link=topic=17903.msg182356#msg182356 date=1239817682]clan-bot?  lol  I highly doubt it's even anywhere that many people and if you need it done so badly why don't you learn something like the rest of us who work hard at it, not that I've contributed anything major yet but I plan on it.  Sorry for the rant but that sh*t just annoys me 10-fold.
[/quote]Hi Ryan, thank you for your polite and constructive opinion. Sorry about annoying you, with only weeks of C++ studies I shouldn't have done this. And yes, I was referring to all communities not "my clan"..
April 15, 2009, 6:21 PM
WheatThins
I love how battle.net constantly updates their shit to try to stop bots from connecting; they should just give up because people will always find a way to go around this.
April 15, 2009, 6:44 PM
BreW
[quote author=neckbeard link=topic=17903.msg182343#msg182343 date=1239780747]
The Mac version of the Warcraft III client (in fact, all mac versions of all blizzard games) does not contain Warden
[/quote]

No, there's a full fledged Warden handler in mac starcraft, probably just not active.
April 15, 2009, 7:18 PM
RiffRiot
[quote author=brew link=topic=17903.msg182359#msg182359 date=1239823080]
[quote author=neckbeard link=topic=17903.msg182343#msg182343 date=1239780747]
The Mac version of the Warcraft III client (in fact, all mac versions of all blizzard games) does not contain Warden
[/quote]

No, there's a full fledged Warden handler in mac starcraft, probably just not active.
[/quote]

With that, I may add (this may be a redundant theory or fact, please correct me) that Mac doesn't use Warden (rather, can't use) because of it not allowing administrative rights for Warden to run.  This is something that a colleague/friend of mine has said to me and thought it might apply to this thread.

So, Brew, it would make sense that the Mac version of Blizzard games do have Warden, they are just not enabled or active due to the lack of administrative rights.
April 15, 2009, 8:13 PM
neckbeard
[quote author=nindoja]
[quote author=neckbeard]
[quote author=nindoja]
ALL,  warden does work on Mac OS X, just not in the same way as the windows version.  I've sent a windows and mac packet dump to Varlock, and both clients respond to the warden packet (starts with "ff 5e"), so it's not as simple as just sending mac hashes or authenticating as a mac client.

The good news is that it appears to be the same warden system as they use in starcraft, and quite a few people have broken the SC warden.  I'm watching the progress online in a few different places and will keep posting here as I get more information.
[/quote]

Sorry but can you prove this? To my knowledge this is incorrect. The response to the warden packet is most likely identifying itself as a Mac client, perhaps?
[/quote]

I know it's not just identifying itself as a Mac because the response it sends changes with every challenge.  It may not be the same warden system as in windows, but it does change its response each time.  Later, if I get some time I'll post a few packets from my capture in "The Void"
[/quote]

From the thread on GHost++ forums.
<http://forum.codelain.com/index.php?topic=4756.0>, by the way.
April 15, 2009, 8:28 PM
Yegg
When you say lack of "administrative rights" what do you mean?
April 15, 2009, 8:31 PM
RiffRiot
[quote author=Yegg link=topic=17903.msg182364#msg182364 date=1239827491]
When you say lack of "administrative rights" what do you mean?
[/quote]

After discussing it with my friend from work, applications need administrator rights for certain programs to access other programs' memory.

[Wikipedia]
[quote]World of Warcraft can be played on both Macintosh and Windows systems, but only the Windows version has Warden. The Macintosh doesn't have Warden due to the way Apple designed their Mac OS X operating system with other applications accessing another application's memory (it requires administrative rights).[/quote]

Please note this is WoW not SC/BW, Diablo, etc.  It may be different but the Mac OS X administrator rights issue may still apply.

[source]
http://en.wikipedia.org/wiki/Warden_(software)
April 15, 2009, 9:07 PM
nindoja
Checking in here from codelain.com, I've posted the packets I mentioned in the quote.  http://pastebin.com/f79314ae8 is the packets taken over a short time period that show the mac client getting the warden challenge and responding properly.

I know wikipedia says that warden doesn't work on macs (for WoW anyways), but I believe blizzard may have either found a workaround or is using a modified method to generate warden responses.
April 15, 2009, 9:30 PM
Myndfyr
[quote author=RiffRiot link=topic=17903.msg182366#msg182366 date=1239829644]
[quote author=Yegg link=topic=17903.msg182364#msg182364 date=1239827491]
When you say lack of "administrative rights" what do you mean?
[/quote]

After discussing it with my friend from work, applications need administrator rights for certain programs to access other programs' memory.[/quote]
Warden runs in-process and doesn't access other programs' memory.  It is able to read other windows' titles, though, because Windows provides APIs to do so.
April 15, 2009, 9:34 PM
BreW
That's a terribly written wikipedia article.
April 15, 2009, 9:54 PM
Yegg
[quote author=brew link=topic=17903.msg182369#msg182369 date=1239832459]
That's a terribly written wikipedia article.
[/quote]

Looks fine to me without putting a microscope to it. Luckily, Wikipedia gives us the freedom to modify it so people like you can enlighten us all.
April 15, 2009, 10:10 PM
Denial
Looks like guests are coming from everywhere. But as we have learned in past time. When the mac thing gets to public, like, if I recall, for starcraft we made a temp fix, battle.net patched it and people had to start over. Even if it was possible to spoof being a mac.

I personally don't care about war3, I never use it, but it would be very smart to look ahead not just for a temp quick fix.

I also agree with the people working on this. They are gaining nothing from fixing all the bots to work again so chill out and wait and when they are done thank them.
April 15, 2009, 11:39 PM
neckbeard
[quote author=MyndFyre[vL] link=topic=17903.msg182368#msg182368 date=1239831256]
[quote author=RiffRiot link=topic=17903.msg182366#msg182366 date=1239829644]
[quote author=Yegg link=topic=17903.msg182364#msg182364 date=1239827491]
When you say lack of "administrative rights" what do you mean?
[/quote]

After discussing it with my friend from work, applications need administrator rights for certain programs to access other programs' memory.[/quote]
Warden runs in-process and doesn't access other programs' memory.  It is able to read other windows' titles, though, because Windows provides APIs to do so.
[/quote]

Effectively meaning spoofing as a Mac client won't do shit, as we are being stopped by battle.net hashchecking to make sure Warden is included, NOT by the memory scans looking for 3rd party apps. Gotta do it the hard(er) way.
April 15, 2009, 11:39 PM
neckbeard
Warden officially broken.
http://bnetweb.org/news-on-bnetweb/warden-now-on-war3/30/
http://bnetweb.org/moderation-bots/l2uthless-ops-v2-12/
http://forum.codelain.com/index.php?topic=4803.0
April 16, 2009, 1:44 PM
Ringo
I did these yesterday night, for anyone who's interested, but didn't get time to post this. :(

I've updated the SCGP bot, here, and there's some basic information on how to use it here.


I've also put all the *stuff* into one VB6 module (modWARDEN.zip), so it should be pretty easy to add to a VB6 bot.

You need:
- modWARDEN.bas added to your VB6 project.
- xxxx_warden.ini file accessible
- zlib.dll accessible
- A folder named "Warden" in the program's directory

The module has 3 functions, WardenInit(), WardenOnData() and WardenCleanUp()
WardenInit:
- When building your 0x51 packet, you call the WardenInit(Seed, Handle, Warden.ini)
- The Seed is the 1st dword of the 1st cdkey hash, in C>S 0x51.
- The Handle is the socket handle of the TCP socket you are connected to bnet with.
- The Warden.ini is the file path to the ini file. (found in the zip)

WardenOnData:
- When you get a S>C 0x5E, pass the full packet (including the bnet header) to WardenOnData()

WardenCleanUp:
- When your program unloads, call WardenCleanUp() to free up any memory it may be using.

If you don't want it to send outgoing warden packets to bnet for you, then just modify the OnSendPacket() at the bottom of the .bas file.

It's not much and it's a bit of a mess, but I hope it helps someone.

edit;
I don't have warcraft3 installed atm, so I don't know 100% that the offsets blizzard are using do not overlap non-static data, since I just pulled these blobs of data from the dll file on the fly.
[code]
[MEMORY]
game.dll&H3A1DCE_7=E8 5D D6 C6 FF 8B D0
game.dll&H285B3A_8=E8 81 FA 22 00 8B 40 10
game.dll&H743576_8=C1 E0 08 03 E8 8B 84 AE
game.dll&H361DD3_7=E8 78 F4 1C 00 85 C0
game.dll&HF453_9=8B 41 14 8B 49 10 BA 02 00
game.dll&H3C1354_8=F6 D0 8A C8 8B 44 24 1C
game.dll&H3F92CA_6=75 0A 83 7B 14 00
game.dll&H3A1E8E_7=8B 54 24 20 0F B7 32
game.dll&H285B33_7=B9 0D 00 00 00 8B E8
game.dll&H283444_7=8B C8 BA 01 00 00 00
game.dll&H39A39B_6=8B 97 98 01 00 00
game.dll&H39A458_6=74 27 39 6C 24 44
game.dll&HF490_6=74 08 8B 00 83 C4
game.dll&H73DFFC_7=E8 DF 3D FF FF 85 C0
game.dll&H361DF9_7=33 C9 B8 01 00 00 00
game.dll&H431569_6=85 C0 0F 84 AD 00
game.dll&H356F1C_8=3B 86 18 02 00 00 89 44
game.dll&H3A1DE3_4=75 04 A8 02
game.dll&H36040A_6=EB 08 C7 44 24 18
game.dll&H285BA2_5=75 29 53 8B CF
game.dll&H3A1DE9_7=8B 44 24 24 66 09 18
game.dll&H39A3B1_10=55 50 56 E8 37 7B 00 00 23 D8
game.dll&H356C67_8=85 DB 8A 8E E8 07 00 00
game.dll&H361DFC_6=01 00 00 00 D3 E8
game.dll&H39A465_13=66 85 87 F4 01 00 00 74 1D 8B 8F 98 01
game.dll&H285B8C_6=74 2A 8B 44 24 20
game.dll&H28345C_4=C3 CC CC CC
game.dll&H3A1E64_6=8B 0C 41 66 8B 04
game.dll&H356E7E_5=66 85 C0 76 04
game.dll&H73DEC9_6=8A 90 6C 68 AA 6F
game.dll&H3C135C_10=3D FF 00 00 00 76 05 C1 F8 1F
game.dll&H362211_10=85 C0 0F 84 30 04 00 00 8B 03
game.dll&H431556_6=85 C0 0F 84 C0 00
game.dll&H3A1E9B_4=23 CA 75 32
game.dll&H3C5C22_12=74 0B 81 88 7C 02 00 00 00 02 00 00
game.dll&H73DEB7_10=0F B7 0C 4A 81 C9 00 F0 00 00
[/code]
I'm 99% sure they should all be fine, but if anyone has warcraft3 installed and feels like doing something -- could you verify those offsets/data?
April 16, 2009, 1:56 PM
nindoja
Thanks ringo and everyone else involved for all the hard work!
April 16, 2009, 2:03 PM
Rebel
got another link? that link isn't working for me or my friend.
April 19, 2009, 12:54 AM
Jailout2000
I have another link for everyone, since his seems to be broken.
http://www.BnetBeta.com/files/Battle.net/modWARDEN.zip

Edit: His link seems to be working again, oh well.
April 20, 2009, 5:14 AM
AngelicKing
I may have missed this somewhere in this thread, although I have read it from first to last post, but could someone explain to me how I take the key hash that bncsutil returns and make it into a long/dword that Ringo's class will accept?

-King-
May 6, 2009, 1:34 AM
l2k-Shadow
[code]
Dim Seed As Long
Call CopyMemory(Seed, ByVal KeyHash, 4)
[/code]
May 6, 2009, 3:32 AM