Valhalla Legends Forums Archive | Battle.net Bot Development | Warden 0x5E Rundown

incubus
I've been reading over a few sources for a while, and am trying to do a detailed breakdown of how warden works.  I find the explanation of most guides limiting only by their sheer structure, so I'm going to try to do my own complete guide which should hopefully be very helpful to everyone.

First question I have out the box is, all 0x5E SID_WARDEN packets are encrypted by an RC4 encryption scheme which has a key generated by the first 4 bytes of the CD-Key Hash(This is for W3XP);  is this right?  Where does the random shared data come into play?  I was looking at this link http://www.skullsecurity.org/wiki/index.php/Warden_Packets and found the explanations alright, but severely lacking traits of a good technical document.
April 23, 2009, 7:16 PM
HdxBmx27
What don't you get?
The RC4 seeds are generated using the 'random' functions.

S1 = SHA1(Left(KeySeed, 2))
S2 = SHA1(Right(KeySeed, 2))
D1 = SHA1(S1, Str(20, 0), S2)
OutSeed = left(D1, 16)
InSeed = Mid(D1, 17) & left(SHA1(S1, D1, S2), 12)
OutKey = RC4Init(OutSeed)
InKey = RC4Init(InSeed)

Then you init the RC4s using those seeds.
The problem I have with understanding it is that the 'Random' really isn't 'Random'. But I can't think of a better name for it.
April 23, 2009, 10:55 PM
incubus
Well my question is what is actually encrypted?  The packet has 0x5E, then a 0, then data.  Is it the data after the 0 that you decrypt?  With the zero?  And how are the 0x00 packets and such structured that you receive from the server.  It's literally a packet starting with 0x00 as the first byte of data?
April 24, 2009, 1:34 AM
HdxBmx27
[quote author=incubus link=topic=17918.msg182491#msg182491 date=1240536858]
Well my question is what is actually encrypted?  The packet has 0x5E, then a 0, then data.  Is it the data after the 0 that you decrypt?  With the zero?  And how are the 0x00 packets and such structured that you receive from the server.  It's literally a packet starting with 0x00 as the first byte of data?
[/quote]
Oh, no, the entire payload of the 0x5E packet minus the BNCS header is RC4 encrypted.
Example packet:

FF 5E 06 00 C0 DE
C0 DE would be RC4 crypted. After that the 1st byte would be the opcode.
April 24, 2009, 1:44 AM
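Putting HdxBmx27's seed-derivation pseudocode and the packet-layout answer together, here is an added worked example in Python (not code from the thread or from any bot): it derives OutSeed/InSeed from a 4-byte key seed, initialises streaming RC4 from them, and builds/parses a SID_WARDEN (0x5E) packet where everything after the 4-byte BNCS header is RC4-crypted and the first decrypted byte is the Warden opcode. It assumes, as the names suggest but the thread does not state, that InKey decrypts server-to-client packets; the sample seed bytes are constructed.

```python
import hashlib
from typing import Tuple


class RC4:
    """Streaming RC4: keeps its state so successive packets continue one keystream."""

    def __init__(self, key: bytes):
        # Key-scheduling algorithm (the RC4Init step in the thread).
        self.s = bytearray(range(256))
        j = 0
        for i in range(256):
            j = (j + self.s[i] + key[i % len(key)]) & 0xFF
            self.s[i], self.s[j] = self.s[j], self.s[i]
        self.i = self.j = 0

    def crypt(self, data: bytes) -> bytes:
        # Pseudo-random generation: encrypt and decrypt are the same XOR.
        out = bytearray()
        for b in data:
            self.i = (self.i + 1) & 0xFF
            self.j = (self.j + self.s[self.i]) & 0xFF
            self.s[self.i], self.s[self.j] = self.s[self.j], self.s[self.i]
            out.append(b ^ self.s[(self.s[self.i] + self.s[self.j]) & 0xFF])
        return bytes(out)


def warden_seeds(key_seed: bytes) -> Tuple[bytes, bytes]:
    """Derive (OutSeed, InSeed) from the 4-byte key seed, following the thread's pseudocode."""
    half = len(key_seed) // 2
    s1 = hashlib.sha1(key_seed[:half]).digest()      # SHA1(Left(KeySeed, 2))
    s2 = hashlib.sha1(key_seed[half:]).digest()      # SHA1(Right(KeySeed, 2))
    d1 = hashlib.sha1(s1 + bytes(20) + s2).digest()  # Str(20, 0) = 20 zero bytes
    d2 = hashlib.sha1(s1 + d1 + s2).digest()         # next 'random' block, chained on D1
    return d1[:16], d1[16:] + d2[:12]


def build_warden_packet(opcode: int, payload: bytes, rc4: RC4) -> bytes:
    """Wrap opcode+payload in a BNCS 0x5E header and RC4-crypt everything after it."""
    body = rc4.crypt(bytes([opcode]) + payload)
    length = 4 + len(body)                           # BNCS length field includes the header
    return b"\xff\x5e" + length.to_bytes(2, "little") + body


def parse_warden_packet(packet: bytes, rc4: RC4) -> Tuple[int, bytes]:
    """Reverse of build_warden_packet: check the header, decrypt, split off the opcode."""
    if packet[:2] != b"\xff\x5e" or int.from_bytes(packet[2:4], "little") != len(packet):
        raise ValueError("not a well-formed SID_WARDEN packet")
    body = rc4.crypt(packet[4:])
    return body[0], body[1:]
```

Because both ends keep RC4 state across packets, the receiver must decrypt every 0x5E packet in order with the same RC4 object, or the keystream desynchronises.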