so it seems that the war3 request gives you the name of the file to check the memory for. no problem... the kicker is though that game.dll has the base address of 0x6F000000 and no viable addresses to check are found in that packet. ideas...?
[quote author=l2k-Shadow link=topic=17903.msg182332#msg182332 date=1239759559] so it seems that the war3 request gives you the name of the file to check the memory for. no problem... the kicker is though that game.dll has the base address of 0x6F000000 and no viable addresses to check are found in that packet. ideas...? [/quote][me=brew]lols[/me] you aren't seriously letting the module parse the 0x02, are you? well even if you are, you still can hook VirtualQuery then return whatever blobs you'd like.
It does. Just because they give you an absolute address doesn't mean you need to read exactly from there, though. You know the exact address to read from, as well as where the image's base is. By the way, your previous post screws up the tables. Do break it up please.
so it seems that the war3 request gives you the name of the file to check the memory for. no problem... the kicker is though that game.dll has the base address of 0x6F000000 and no viable addresses to check are found in that packet. ideas...?
[/quote]
Yeah, this is the standard for all (sc/w3/d2) wardens atm. Pretty sure I explained abit about this in iago's warden thread. In d2, ive seen 4 request types active -- 1 memory check, 2 page checks and a local file check For those 4 types of common checks, only the memory checks and local file checks use the string table.
The memory checks have a string index to a library; [code] (BYTE) String Index (If 0x00, base 0, else, base of library in this string) (DWORD) offset (BYTE) read Lengh If address_cant_be_read insert(BYTE) 0x01 else insert(BYTE) 0x00 insert(VOID) memory [/code]
The local file checks have a string index to an mpq file to be hashed; [code] (BYTE) String Index (points to an MPQ file) If file_cant_be_read insert(BYTE) 0x01 else insert(BYTE) 0x00 insert(BYTE[20]) Warden SHA1 of file [/code]
On another note, the modWARDEN.bas I added to the SCGP bot, should work fine for Warcraft3 as well. The 0x02 handler just needs some mild modifying.
[quote author=Ringo link=topic=17903.msg182339#msg182339 date=1239768293] On another note, the modWARDEN.bas I added to the SCGP bot, should work fine for Warcraft3 as well. The 0x02 handler just needs some mild modifying. [/quote]
I'm assuming that warden being activated on Warcraft III isn't a big change then? Just some minor tweaks to the existing code you already have?
Registered just to post a suggestion in this thread, don't know if it's completely useless. The Mac version of the Warcraft III client (in fact, all mac versions of all blizzard games) does not contain Warden, as it doesn't work with the infastructure of OS X. Would it be possible to have a bot spoof itself as a Mac client, tricking battle.net into not warden-checking? We were discussing this over on the GHost++ forums, and someone linked here.
[quote author=neckbeard link=topic=17903.msg182343#msg182343 date=1239780747] Registered just to post a suggestion in this thread, don't know if it's completely useless. The Mac version of the Warcraft III client (in fact, all mac versions of all blizzard games) does not contain Warden, as it doesn't work with the infastructure of OS X. Would it be possible to have a bot spoof itself as a Mac client, tricking battle.net into not warden-checking? We were discussing this over on the GHost++ forums, and someone linked here. [/quote]
I was wondering why there were like 15 guests viewing this topic. Has anyone tried this out yet? It shouldn't be hard. I haven't kept up with Bnet protocol lately so I don't have anything to work with. That would be an interesting test though.
[quote author=Hdx link=topic=17903.msg182345#msg182345 date=1239784256] Pyro tested this out earlier tonight. And yes, there is no warden on mac clients. But meh. Dunna if its be viable they could jsut do something else. [/quote]
I'm sure someone will take advantage of this soon enough.
[quote author=Yegg link=topic=17903.msg182341#msg182341 date=1239770094] I'm assuming that warden being activated on Warcraft III isn't a big change then? Just some minor tweaks to the existing code you already have? [/quote] Yeah, where it checks the 1st string in the string table is 0x00 in lengh, needs to be some code to build an array of strings. Then that array just needs to be pass'ed down to the get result function thingy :p Later on, when I get time, I will post an updated module for who ever needs it.
[quote author=Ringo link=topic=17903.msg182351#msg182351 date=1239805445] Later on, when I get time, I will post an updated module for who ever needs it. [/quote]thousands of people are waiting for this module. I would do your laundry and dishwashing to get you time and get my clan-bot back online :p
[quote author=PabloWz link=topic=17903.msg182353#msg182353 date=1239812461] [quote author=Ringo link=topic=17903.msg182351#msg182351 date=1239805445] Later on, when I get time, I will post an updated module for who ever needs it. [/quote]thousands of people are waiting for this module. I would do your laundry and dishwashing to get you time and get my clan-bot back online :p [/quote]
Your clan-bot? lol I highly doubt it's even anywhere that many people and if you need it done so badly why don't you learn something like the rest of us who work hard at it, not that i've contributed anything major yet but I plan on it. Sorry for the rant but that sh*t just annoys me 10-fold.
[quote author=RiffRiot link=topic=17903.msg182356#msg182356 date=1239817682]clan-bot? lol I highly doubt it's even anywhere that many people and if you need it done so badly why don't you learn something like the rest of us who work hard at it, not that i've contributed anything major yet but I plan on it. Sorry for the rant but that sh*t just annoys me 10-fold. [/quote]Hi Ryan, thank you for your polite and constructive opinion. Sorry about annoying you, with only weeks of c++ studies I shouldn't have done this. And yes, I was refering to all communities not "my clan"..
i love how battle.net constantly updates their shit to try to stop bots from connecting they should just give up because people will always find a way to go around this
[quote author=neckbeard link=topic=17903.msg182343#msg182343 date=1239780747] The Mac version of the Warcraft III client (in fact, all mac versions of all blizzard games) does not contain Warden [/quote]
No, there's a full fledged Warden handler in mac starcraft, probably just not active.
[quote author=brew link=topic=17903.msg182359#msg182359 date=1239823080] [quote author=neckbeard link=topic=17903.msg182343#msg182343 date=1239780747] The Mac version of the Warcraft III client (in fact, all mac versions of all blizzard games) does not contain Warden [/quote]
No, there's a full fledged Warden handler in mac starcraft, probably just not active. [/quote]
With that, I may add (this may be a redundant theory or fact, please correct me) that Mac doesn't use Warden (rather, can't use) because of it not allowing administrative rights for Warden to run. This is something that a colleague/friend of mine has said to me and thought it might apply to this thread.
So, Brew, it would make sense that the Mac version of Blizzard games do have Warden, they are just not enabled or active due to the lack of administrative rights.
[quote author=nindoja] [quote author=neckbeard] [quote author=nindoja] ALL, warden does work on Mac OS X, just not in the same way as the windows version. I've sent a windows and mac packet dump to Varlock, and both clients respond to the warden packet (starts with "ff 5e"), so it's not as simple as just sending mac hashes or authenticating as a mac client.
The good news is that it appears to be the same warden system as they use in starcraft, and quite a few people have broken the SC warden. I'm watching the progress online in a few different places and will keep posting here as I get more information. [/quote]
Sorry but can you prove this? To my knowledge this is incorrect. The response to the warden packet is most likely identifying itself as a Mac client, perhaps? [/quote]
I know it's not just identifying itself as a Mac because the response it sends changes with every challenge. It may not be the same warden system as in windows, but it does change it's response each time. Later, if I get some time I'll post a few packets from my capture in "The Void" [/quote]
From the thread on GHost++ forums. <http://forum.codelain.com/index.php?topic=4756.0>, by the way.
[quote author=Yegg link=topic=17903.msg182364#msg182364 date=1239827491] When you say lack of "administrative rights" what do you mean? [/quote]
After discussing it with my friend from work, applications need administrator rights for certain programs to access other programs memory.
[Wikipedia] [quote]World of Warcraft can be played on both Macintosh and Windows systems, but only the Windows version has Warden. The Macintosh doesn't have Warden due to the way Apple designed their Mac OS X operating system with other applications accessing another application's memory (it requires administrative rights).[/quote]
Please note this is WoW not SC/BW, Diablo, etc. It may be different but the Mac OS X administrator rights issue may still apply.
Checking in here from codelain.com, I've posted the packets I mentioned in the quote. http://pastebin.com/f79314ae8 is the packets taken over a short time period that show the mac client getting the warden challenge and responding properly.
I know wikipedia says that warden doesn't work on macs (for WoW anyways), but I believe blizzard may have either found a workaround or is using a modified method to generate warden responses.
[quote author=RiffRiot link=topic=17903.msg182366#msg182366 date=1239829644] [quote author=Yegg link=topic=17903.msg182364#msg182364 date=1239827491] When you say lack of "administrative rights" what do you mean? [/quote]
After discussing it with my friend from work, applications need administrator rights for certain programs to access other programs memory.[/quote] Warden runs in-process and doesn't access other programs' memory. It is able to read other windows' titles, though, because Windows provides APIs to do so.
Looks like guests are coming from everywhere. But as we have learned in past time. When the mac thing gets to public like if i recall for starcraft we made a temp fix for battle.net patched it and people had to start over. Even if it was possible to spoof being a mac.
I personally don't care about war3 i never use it but it would be very smart to look ahead not just for a temp quick fix.
I also agree with the people working on this. They are gaining nothing from fixing all the bots to work again so chill out and wait and when they are done thank them.
[quote author=MyndFyre[vL] link=topic=17903.msg182368#msg182368 date=1239831256] [quote author=RiffRiot link=topic=17903.msg182366#msg182366 date=1239829644] [quote author=Yegg link=topic=17903.msg182364#msg182364 date=1239827491] When you say lack of "administrative rights" what do you mean? [/quote]
After discussing it with my friend from work, applications need administrator rights for certain programs to access other programs memory.[/quote] Warden runs in-process and doesn't access other programs' memory. It is able to read other windows' titles, though, because Windows provides APIs to do so. [/quote]
Effectively meaning spoofing as a Mac client won't do shit, as we are being stopped by battle.net hashchecking to make sure Warden is included, NOT by the memory scans looking for 3rd party apps. Gotta do it the hard(er) way.
I did these yesterday night, for anyone who's interested, but didn't get time to post this. :(
I've updated the SCGP bot, here and theres some basic infomation on how to use it here.
I've also put all the *stuff* into one VB6 module (modWARDEN.zip), so it should be pretty easy to add to a VB6 bot.
You need: - modWARDEN.bas added to you're vb6 project. - xxxx_warden.ini file accessable - zlib.dll accessable - A folder named "Warden" in the program's directory
The module has 3 functions, WardenInit(), WardenOnData() and WardenCleanUp() WardenInit: - When building you're 0x51 packet, you call the WardenInit(Seed, Handle, Warden.ini) - The Seed is the 1st dword of the 1st cdkey hash, in C>S 0x51. - The Handle is the socket handle of the TCP socket you are connected to bnet with. - The Warden.ini is the file path to the ini file. (found in the zip)
WardenOnData: - When you get a S>C 0x5E, pass the full packet (including the bnet header) to WardenOnData()
WardenCleanUp: - When you're program unloads, call WardenCleanUp() to free up any memory it maybe useing.
If you don't want it to send out going warden packets to bnet for you, then just modify the OnSendPacket() at the bottom of the .bas file.
It's not much and it's abit of a mess, but I hope it helps somone.
edit; I don't have warcraft3 installed atm, so I don't know 100% that the offsets blizzard are useing, does not over lap non-static data, since I just pulled these blobs of data from the dll file, on the fly. [code] [MEMORY] game.dll&H3A1DCE_7=E8 5D D6 C6 FF 8B D0 game.dll&H285B3A_8=E8 81 FA 22 00 8B 40 10 game.dll&H743576_8=C1 E0 08 03 E8 8B 84 AE game.dll&H361DD3_7=E8 78 F4 1C 00 85 C0 game.dll&HF453_9=8B 41 14 8B 49 10 BA 02 00 game.dll&H3C1354_8=F6 D0 8A C8 8B 44 24 1C game.dll&H3F92CA_6=75 0A 83 7B 14 00 game.dll&H3A1E8E_7=8B 54 24 20 0F B7 32 game.dll&H285B33_7=B9 0D 00 00 00 8B E8 game.dll&H283444_7=8B C8 BA 01 00 00 00 game.dll&H39A39B_6=8B 97 98 01 00 00 game.dll&H39A458_6=74 27 39 6C 24 44 game.dll&HF490_6=74 08 8B 00 83 C4 game.dll&H73DFFC_7=E8 DF 3D FF FF 85 C0 game.dll&H361DF9_7=33 C9 B8 01 00 00 00 game.dll&H431569_6=85 C0 0F 84 AD 00 game.dll&H356F1C_8=3B 86 18 02 00 00 89 44 game.dll&H3A1DE3_4=75 04 A8 02 game.dll&H36040A_6=EB 08 C7 44 24 18 game.dll&H285BA2_5=75 29 53 8B CF game.dll&H3A1DE9_7=8B 44 24 24 66 09 18 game.dll&H39A3B1_10=55 50 56 E8 37 7B 00 00 23 D8 game.dll&H356C67_8=85 DB 8A 8E E8 07 00 00 game.dll&H361DFC_6=01 00 00 00 D3 E8 game.dll&H39A465_13=66 85 87 F4 01 00 00 74 1D 8B 8F 98 01 game.dll&H285B8C_6=74 2A 8B 44 24 20 game.dll&H28345C_4=C3 CC CC CC game.dll&H3A1E64_6=8B 0C 41 66 8B 04 game.dll&H356E7E_5=66 85 C0 76 04 game.dll&H73DEC9_6=8A 90 6C 68 AA 6F game.dll&H3C135C_10=3D FF 00 00 00 76 05 C1 F8 1F game.dll&H362211_10=85 C0 0F 84 30 04 00 00 8B 03 game.dll&H431556_6=85 C0 0F 84 C0 00 game.dll&H3A1E9B_4=23 CA 75 32 game.dll&H3C5C22_12=74 0B 81 88 7C 02 00 00 00 02 00 00 game.dll&H73DEB7_10=0F B7 0C 4A 81 C9 00 F0 00 00 [/code] I'm 99% sure they should all be fine, but if anyone has warcraft3 installed and feels like doing somthing -- could you verify those offsets/data?
I may have missed this somewhere in this thread, although I have read it from first to last post, but could someone explain to me how I take the key hash that bncsutil returns and make it into a long/dword that Ringo's class will accept?