Warden

Have you figured out a way to calculate the new keys after the 0x05 packet instead of loading the module and letting it do the dirty job?

I do know that every module has a different MD5 function, but still, there has to be a pattern between them all. I've tried reversing the MD5 function of a module, but haven't gotten it to calculate either the new keys or the return hash correctly.

Afaik the module first hashes the "seed" with its own md5 function, and then creates a new hash from that one with the same md5 function. Then it sha1-hashes the first one, and that one is supposed to be the return hash. It then takes the two md5 hashes generated in the beginning into RC4_Init and generates the new keys. Is this correct? :P

Sounds correct. It looks something like this:

byte seed[16]; // taken from 0x05 packet
byte[] rc4_seed_client = ModuleSpecificHash(&seed); // this value is then stored at module+4
byte[] rc4_seed_server = ModuleSpecificHash(&seed); // hashes the already-hashed seed, so we have a double-processed seed here
clientRC4Crypt_Init(rc4_seed_client);
serverRC4Crypt_Init(rc4_seed_server);
byte[] seedHash = SHA1(rc4_seed_client); // used in 0x04 packet

Hex-Rays pseudocode:

signed int __thiscall Handle_05_packet(Module *this, int data, int serverRC4ctx)
{
 Module *module; // ebx@1
 signed int result; // eax@2
 unsigned int v5; // eax@3
 int v6; // edx@5
 int localData; // esi@1
 int  s; // [sp+CCh] [bp+0h]@1
 unsigned int v9; // [sp+C8h] [bp-4h]@1
 int v10; // [sp+28h] [bp-A4h]@1
 Seed *clientSeed; // [sp+18h] [bp-B4h]@1
 Seed *serverSeed; // [sp+8h] [bp-C4h]@3
 int v13; // [sp+Ch] [bp-C0h]@3
 int v14; // [sp+10h] [bp-BCh]@3
 int v15; // [sp+14h] [bp-B8h]@3
 char v16; // [sp+3Ch] [bp-90h]@5
 char clientSeedHash; // [sp+9Ch] [bp-30h]@5
 int v18; // [sp+34h] [bp-98h]@5
 int a3; // [sp+B0h] [bp-1Ch]@5
 int *buffer; // [sp+2Ch] [bp-A0h]@5
 signed int size; // [sp+30h] [bp-9Ch]@5
 char opcode; // [sp+38h] [bp-94h]@5

 v9 = (unsigned int)& s ^ dword_409040;
 localData = data;
 v10 = serverRC4ctx;
 module = this;
 ReadInt32Blocks(data, (int)&clientSeed, 4);                   // 4*4=16 bytes
 if ( *(_DWORD *)(localData + 8) <= *(_DWORD *)(localData + 4) )
 {
   UnknownHashingFunc((Seed *)&clientSeed);
   serverSeed = clientSeed;
   v13 = clientSeed->b;
   v14 = clientSeed->c;
   v15 = clientSeed->d;
   UnknownHashingFunc((Seed *)&serverSeed);
   v5 = 0;
   do
     v5 += 4;
   while ( v5 < 16 );
   module->seed[0] = (int)clientSeed;                          // store client seed at module+4
   module->seed[1] = clientSeed->b;
   module->seed[2] = clientSeed->c;
   module->seed[3] = clientSeed->d;
   Sha1Init((int)&v16);
   Sha1Update((int)&v16, (int)&clientSeed, 16);
   Sha1Final((int)&v16, (int)&clientSeedHash);
   v18 = 0;
   buffer = &a3;
   size = 21;
   opcode = 4;
   InitPacket((int)&buffer, (int)&opcode);
   PutBytes((int)&buffer, (int)&clientSeedHash);
   if ( v18 <= (unsigned int)size )
     SendPacket((int)module, v6, (int)&a3);
   RC4Init((int)module->out_key, (int)&clientSeed, 16);        // module+32
   RC4Init(v10, (int)&serverSeed, 16);
   result = 1;
 }
 else
 {
   result = 3;
 }
 return result;
}


Sounds correct. It looks something like this:

byte seed[16]; // taken from 0x05 packet
byte[] rc4_seed_client = ModuleSpecificHash(&seed); // this value is then stored at module+4
byte[] rc4_seed_server = ModuleSpecificHash(&seed); // hashes the already-hashed seed, so we have a double-processed seed here
clientRC4Crypt_Init(rc4_seed_client);
serverRC4Crypt_Init(rc4_seed_server);
byte[] seedHash = SHA1(rc4_seed_client); // used in 0x04 packet

Thank you, it was as I thought. Just have to work on the module specific hash then :)


I checked, and that module-specific hashing function is completely different between 2 modules. So the best way is to load the module and grab the keys...
Last time I checked the functions were actually the same, just compiled/coded in different manners with SLIGHTLY different functionality. And last I checked there were 32 different versions of it.

But yes, the best way to deal with Warden is to load the module up and only handle 0x02 yourself. Honestly, get your hands on a copy of mediv.mod (the original module) and load it up. Let it handle all the loading, unloading, etc. of new modules, and you're golden! That's how I do it for Battle.net and I haven't had any issues in the last 4 functionality changes.

The only problem is determining exactly what to do with the 0x02 packet. Currently there are 5 versions: Mediv, which just returns a SHA1/MD5 of the data sent in 0x02 (hence why I call it the test module :P)

One that only supports memory grabs, which is just an array of (DWORD Address, BYTE Length) places to check.

One that added support for file MD5s, so it was now (BYTE) ID [1 for MD5, 0 for Address]

If it was MD5, it was a CString file name.

Then there's the version just previous to this one, with all the functionality of the current 0x02, but which didn't support 0x04/0x05.

And then there's what we have today, with the ability to make new RC4 keys.

I am collecting modules so that I can 1) track what's being used and when, and 2) hopefully derive an algorithm that will determine what version and what check IDs there are. So if you would be a dear and add the function into your packet logger to dump the modules/keys, that would be awesome!

The .mod file is the fully compressed, encrypted module.

The .key file is the 16 byte RC4 seed you get in 0x01.

They are named with the MD5 of the module.


I am collecting modules so that I can 1) track what's being used and when, and 2) hopefully derive an algorithm that will determine what version and what check IDs there are. So if you would be a dear and add the function into your packet logger to dump the modules/keys, that would be awesome!

The .mod file is the fully compressed, encrypted module.

The .key file is the 16 byte RC4 seed you get in 0x01.

They are named with the MD5 of the module.

I have that done, and I've collected 56 modules so far.



I don't seem to be able to generate the same hash and keys as the client :/

I'm currently calling the PacketHandler function with the opcode (0x05) + the seed (0x10 bytes), and that seems to be the correct way to do it, since if I try any other structure I won't get any packet in return.

The thing is that the hash keeps changing, while it really shouldn't. I'm using the same seed at all times, and the client always responds with the same hash. So I'm really confused. Do I have to do something else?

From other Warden sources out there I've noticed some call GenerateRC4Keys, but I don't really see how that would help since the hash never should change. I don't really see the point of it at all since it's going to get new keys with the 0x05 packet response anyway :/

What am I missing?


That's how I do it:

s_wardenLoader.LoadWarden(s_currentModule.Data); // load

s_wardenLoader.GenerateRC4Keys(WardenCrypt.s_sessionKey); // init with session key, may be not required

then the module calls its GetRC4Data callback:

       private unsafe int GetRC4Data(void* buffer, int* length)
       {
           var pBuffer = new IntPtr(buffer);
           Logger.Add("        GetRC4Data(0x{0:X8}, 0x{1:X8})", pBuffer.ToInt32(), *length);

           for (var i = 0; i < *length; ++i) // clear all keys
               ((byte*)buffer)[i] = 0;

           return 1; // this is important!!!
       }

s_wardenLoader.PacketHandler(packet.m_data, out handled); // handle 0x05 packet

WardenCrypt.ServerRC4Data = s_wardenLoader.ReadRC4Data; // get server keys in 0x05 packet handler

WardenCrypt.ClientRC4Data = s_wardenLoader.ReadRC4Data; // get client keys in 0x04 packet handler

ppWFuncList is the shit returned by the Warden Init function

       public byte[] ReadRC4Data
       {
           get
           {
               var data = new byte[0x204];
               unsafe
               {
                   Marshal.Copy(new IntPtr((int)ppWFuncList + 32), data, 0, data.Length);
               }
               return data;
           }
       }


WardenCrypt.ServerRC4Data = s_wardenLoader.ReadRC4Data; // get server keys in 0x05 packet handler

WardenCrypt.ClientRC4Data = s_wardenLoader.ReadRC4Data; // get client keys in 0x04 packet handler

So the module handles the 0x04 packet as well? Doesn't seem to work for me though :/

These are my results:

[02:13:30] [127.0.0.1:2307] CMSG_WARDEN_DATA [MAIEV_RESPONSE_HASH]
[02:13:30] [127.0.0.1:2307] DEBUG: Packet Dump - Length=21
|  04 68 B3 66 7C 9C F3 0E D1 F3 00 59 73 2D DB 49 |  ♦h?f|??♫?? Ys-?I |
|  05 74 55 24 A3                                  |  ♣tU$?            |

[02:13:30] Hash1: 0x68B3667C9CF30ED1F30059732DDB4905745524A3
[02:13:30] [WARDEN] m_ModMem = 0x1D1884  k = 0x5004764  k_len = 40!
Warden.GetRC4Data() Buffer=1906852, Size=520
[02:13:30] [127.0.0.1:2307] DEBUG: Packet Dump - Length=17
|  05 4E 00 23 34 3D 83 3B 45 DE 29 7E 9F 42 8C FD |  ♣N #4=?;E?)~?B?? |
|  54                                              |  T                |

Warden.SendPacket() ptrPacket=113506188, size=21
[02:13:30] [127.0.0.1:2307] DEBUG: Packet Dump - Length=21
|  04 B2 DE A0 95 A9 C8 BB F6 45 68 8B 51 D6 CF 75 |  ♦????????Eh?Q??u |
|  BE F5 E3 A0 BA                                  |  ?????            |

[02:13:30] Hash2: 0xB2DEA095A9C8BBF645688B51D6CF75BEF5E3A0BA

As you can see, Hash2 (server-calculated) differs from Hash1 (client-calculated).

And therefore the keys are also invalid. But I've finally got the hash to be static.

This is how I do it:

GenerateRC4Keys(ModuleFuncTable, K, K.length);

PacketHandler(ModuleFuncTable, PacketData, PacketData.length, BytesRead);

And for the GetRC4Data callback, it's now the same as you posted. Thanks to that, the hash never changes, as it should.

And there's no need to go into SendPacket since it's just copying bytes.

And btw, I no longer encrypt the data that is sent into the packet handler or decrypt the return packet, since it looks like you didn't do that.

Do I need to do something more to the hash I just returned? And what is this 0x04 packet handler you're talking about? Is it the return packet from 0x05?

Edit: No success with the keys from the public byte[] ReadRC4Data function.


So the module handles the 0x04 packet as well? Doesn't seem to work for me though :/

No. The 0x04 packet is handled by my sniffer.

There's full source code that deals with warden: http://paste2.org/p/502204

I forgot the Arc4 class:

using System;
using System.Collections.Generic;

namespace Wlp
{
   public class Arc4
   {
       private readonly byte[] state;
       private byte x, y;

       // Serialized context: 256-byte S-box followed by x at 0x100 and y at 0x101 (0x102 bytes total).
       public byte[] RC4Data
       {
           get
           {
               var data = new byte[0x102];
               state.CopyTo(data, 0);
               data[0x100] = x; // was data[100]/data[101], which overwrote S-box bytes and never matched the setter
               data[0x101] = y;
               return data;
           }
           set
           {
               Array.Copy(value, state, 0x100);
               x = value[0x100];
               y = value[0x101];
           }
       }

       public Arc4(byte[] key)
       {
           state = new byte[256];
           x = y = 0;
           KeySetup(key);
       }

       public int Process(byte[] buffer, int start, int count)
       {
           return InternalTransformBlock(buffer, start, count, buffer, start);
       }

       public int Process(List<byte> buffer, int start, int count)
       {
           return InternalTransformBlock(buffer, start, count, buffer, start);
       }

       private void KeySetup(byte[] key)
       {
           byte index1 = 0;
           byte index2 = 0;

           for (var counter = 0; counter < 256; counter++)
           {
               state[counter] = (byte)counter;
           }
           x = 0;
           y = 0;
           for (var counter = 0; counter < 256; counter++)
           {
               index2 = (byte)(key[index1] + state[counter] + index2);
               // swap byte
               var tmp = state[counter];
               state[counter] = state[index2];
               state[index2] = tmp;
               index1 = (byte)((index1 + 1) % key.Length);
           }
       }

       private int InternalTransformBlock(byte[] inputBuffer, int inputOffset, int inputCount, byte[] outputBuffer, int outputOffset)
       {
           for (var counter = 0; counter < inputCount; counter++)
           {
               x = (byte)(x + 1);
               y = (byte)(state[x] + y);
               // swap byte
               var tmp = state[x];
               state[x] = state[y];
               state[y] = tmp;

               var xorIndex = (byte)(state[x] + state[y]);
               outputBuffer[outputOffset + counter] = (byte)(inputBuffer[inputOffset + counter] ^ state[xorIndex]);
           }
           return inputCount;
       }

       private int InternalTransformBlock(List<byte> inputBuffer, int inputOffset, int inputCount, List<byte> outputBuffer, int outputOffset)
       {
           for (var counter = 0; counter < inputCount; counter++)
           {
               x = (byte)(x + 1);
               y = (byte)(state[x] + y);
               // swap byte
               var tmp = state[x];
               state[x] = state[y];
               state[y] = tmp;

               var xorIndex = (byte)(state[x] + state[y]);
               outputBuffer[outputOffset + counter] = (byte)(inputBuffer[inputOffset + counter] ^ state[xorIndex]);
           }
           return inputCount;
       }
   }
}


Thank you :o I'll have a look.

Edit: Omg, thanks for all your help. But I had it all correct except for one part. The pointer to the data passed into the packet handler was messed up. I'm using VB.net, so pointers and stuff are really tricky :P


The XOR byte is the first byte of the seed used for initializing client RC4 encryption.

This seed is stored at module+4. SHA1 of this seed is sent in the 0x04 packet.

       // This seed is used by the warden module for RC4 initialization (client - one pass, server - 2 passes)
       public byte[] ReadRC4Seed
       {
           get
           {
               var seed = new byte[16];
               unsafe
               {
                   Marshal.Copy(new IntPtr((int)ppWFuncList + 4), seed, 0, seed.Length);
               }
               return seed;
           }
       }

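The 0x05 re-keying described in this thread (module hash once for the client seed, twice for the server seed, SHA1 of the client seed in the 0x04 reply, first client-seed byte as the XOR byte), written out as an added example that is not code from the thread or from Warden itself. The module-specific hash is unknown, so MD5 stands in as a labelled placeholder; the RC4 state export/import uses the 0x102-byte layout of the Arc4 class posted above, and the sample packet is constructed from a 0x05 seed quoted in this thread.

```python
import hashlib
from typing import Callable, Dict, Optional


class RC4:
    """RC4 whose context can be dumped/restored as 0x102 bytes:
    the 256-byte S-box, then i at offset 0x100 and j at 0x101
    (the layout the thread's Arc4.RC4Data property uses)."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.S = list(range(256))
        self.i = self.j = 0
        if key:
            self._key_setup(key)

    def _key_setup(self, key: bytes) -> None:
        # Standard RC4 key-scheduling algorithm (KSA).
        j = 0
        for i in range(256):
            j = (j + self.S[i] + key[i % len(key)]) & 0xFF
            self.S[i], self.S[j] = self.S[j], self.S[i]

    def process(self, data: bytes) -> bytes:
        # PRGA: encrypting and decrypting are the same XOR with the keystream.
        out = bytearray()
        for b in data:
            self.i = (self.i + 1) & 0xFF
            self.j = (self.j + self.S[self.i]) & 0xFF
            self.S[self.i], self.S[self.j] = self.S[self.j], self.S[self.i]
            out.append(b ^ self.S[(self.S[self.i] + self.S[self.j]) & 0xFF])
        return bytes(out)

    def export_state(self) -> bytes:
        return bytes(self.S) + bytes([self.i, self.j])

    @classmethod
    def from_state(cls, blob: bytes) -> "RC4":
        # Resume a stream from a dumped context, the way the sniffer
        # continues with the contexts it reads out of module memory.
        if len(blob) != 0x102:
            raise ValueError("RC4 context must be 0x102 bytes")
        ctx = cls()
        ctx.S = list(blob[:0x100])
        ctx.i, ctx.j = blob[0x100], blob[0x101]
        return ctx


def resume_matches(key: bytes, head: bytes, tail: bytes) -> bool:
    """True if a context dumped mid-stream produces the same keystream when restored."""
    live = RC4(key)
    live.process(head)
    resumed = RC4.from_state(live.export_state())
    return live.process(tail) == resumed.process(tail)


def placeholder_module_hash(block: bytes) -> bytes:
    # ASSUMPTION: stand-in for the module-specific 16-byte hash, which differs
    # per module and is not known here. MD5 is used only so the flow runs offline.
    return hashlib.md5(block).digest()


def handle_0x05(packet: bytes,
                module_hash: Callable[[bytes], bytes] = placeholder_module_hash) -> Dict[str, object]:
    """Re-key as the decompiled Handle_05_packet does:
    client seed = hash(seed), server seed = hash(client seed)."""
    if len(packet) != 17 or packet[0] != 0x05:
        raise ValueError("expected opcode 0x05 followed by a 16-byte seed")
    seed = packet[1:]
    client_seed = module_hash(seed)          # one pass; this is what sits at module+4
    server_seed = module_hash(client_seed)   # two passes ("double processed")
    response = bytes([0x04]) + hashlib.sha1(client_seed).digest()  # 21-byte 0x04 reply
    return {
        "client_seed": client_seed,
        "server_seed": server_seed,
        "response": response,
        "xor_byte": client_seed[0],      # first byte of the client seed
        "client_rc4": RC4(client_seed),  # C->S context from now on
        "server_rc4": RC4(server_seed),  # S->C context from now on
    }


# Constructed sample: opcode 0x05 plus the seed AEF3...7718 quoted in this thread.
SAMPLE_0x05 = bytes.fromhex("05AEF3F42B2B831F265E16ABB5D9F87718")
```

Because the real module hash is replaced by a placeholder, the seeds and the 0x04 hash produced here will not match a live client; what does carry over is the packet shape, the one-pass/two-pass asymmetry, and the context dump layout.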

The XOR byte is the first byte of the seed used for initializing client RC4 encryption.

This seed is stored at module+4. SHA1 of this seed is sent in the 0x04 packet.

       // This seed is used by the warden module for RC4 initialization (client - one pass, server - 2 passes)
       public byte[] ReadRC4Seed
       {
           get
           {
               var seed = new byte[16];
               unsafe
               {
                   Marshal.Copy(new IntPtr((int)ppWFuncList + 4), seed, 0, seed.Length);
               }
               return seed;
           }
       }

Somehow that is not correct for me. I get this:

[09:00:29] ServerSeed: 4E 00 23 34 3D 83 3B 45 DE 29 7E 9F 42 8C FD 54
[09:00:29] ClientSeed:  22 6A 39 A4 D8 43 78 DF 82 BF 86 1C A6 21 15 22
[09:00:29] Real xorByte: FB
[09:00:29] XorByte: 22

[09:05:02] ServerSeed: C4 27 68 DE CE 8F 76 02 CE D8 3D 5D 58 00 13 13
[09:05:02] ClientSeed:  2E BC 64 C7 0C 52 BA 99 7C 94 38 C1 50 B2 03 31
[09:05:02] Real xorByte: 7F
[09:05:02] XorByte: 2E

These are based on two of your logs. And I know the client seed is correct, because I tried hashing it with SHA1 and I got the hash sent with 0x04.

Edit: What do you mean by this: (client - one pass, server - 2 passes)?

Edit 2: Ignore the second attempt; I realized I used the wrong module for it. But the first one should be 0xFB, yet I got 0x22 for the first byte in the client seed.


00:30:07,811 INFO  - S->C 0x00: Warden module loading request!
00:30:07,826 INFO  - Module MD5: B97DB15A24740055BBCA8EDDD6B23CF2
00:30:07,826 INFO  - Module decryption key: 682F1CE077552EE9D021B8A7A72CCDA1
00:30:07,826 INFO  - Module length: 18442

Packet S->C, SMSG_WARDEN_DATA (0x02E6), len 0x0025
0000: 00 B9 7D B1 5A 24 74 00 55 BB CA 8E DD D6 B2 3C | ..}.Z$t.U......<
0010: F2 68 2F 1C E0 77 55 2E E9 D0 21 B8 A7 A7 2C CD | .h/..wU...!...,.
0020: A1 0A 48 00 00 -- -- -- -- -- -- -- -- -- -- -- | ..H.............

00:30:08,014 INFO  - C->S 0x01: Warden module loaded!
00:30:08,014 INFO  - [WARDEN] Loading module B97DB15A24740055BBCA8EDDD6B23CF2...
00:30:08,014 INFO  - [WARDEN] Update...
00:30:08,014 INFO  - [WARDEN] Update: Adjusting references to global variables...
00:30:08,014 INFO  - [WARDEN] Update: Updating API library references...
00:30:08,014 INFO  -     Library: KERNEL32.dll
00:30:08,045 INFO  - [WARDEN] Initialize...
00:30:08,045 INFO  - [WARDEN] Initialize function: 0x040C17A7
00:30:08,061 INFO  - [WARDEN] Init()
00:30:08,061 INFO  -         GetCurrentProcessId() = 0x00000EE0
00:30:08,061 INFO  -         GetProcAddress(0x7C800000, AddVectoredExceptionHandler) = 0x7C936C2A
00:30:08,061 INFO  -         GetProcAddress(0x7C800000, RemoveVectoredExceptionHandler) = 0x7C936C96
00:30:08,061 INFO  -         AllocateMemory(0x001CB5E0, 0x000007F0)
00:30:08,061 INFO  -         AllocateMemory(0x001CCA38, 0x0000003C)
00:30:08,061 INFO  -         AllocateMemory(0x001C3F20, 0x0000002C)
00:30:08,061 INFO  -         LoadLibrary(kernel32.dll) = 0x7C800000
00:30:08,061 INFO  -         GetProcAddress(0x7C800000, CreateToolhelp32Snapshot) = 0x7C865C7F
00:30:08,061 INFO  -         GetProcAddress(0x7C800000, Module32First) = 0x7C8653A0
00:30:08,061 INFO  -         GetProcAddress(0x7C800000, Module32Next) = 0x7C865525
00:30:08,061 INFO  -         GetProcAddress(0x7C800000, wine_get_unix_file_name) = 0x00000000
00:30:08,061 INFO  -         AllocateMemory(0x001CD3F8, 0x0000005C)
00:30:08,061 INFO  - [WARDEN] Initialized...
00:30:08,061 INFO  -         GetRC4Data(0x001CB600, 0x00000208)

Packet C->S, CMSG_WARDEN_DATA (0x02E7), len 0x0001
0000: 01 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- | ................

00:30:08,076 INFO  - S->C 0x05: Warden hash request!
00:30:08,076 INFO  - Seed: AEF3F42B2B831F265E16ABB5D9F87718
00:30:08,076 INFO  - Passing S->C 0x05 packet to warden module...
00:30:08,076 INFO  -         SendPacket(0x03D5EFD8, 0x00000015)
00:30:08,076 INFO  - S->C 0x05: handled packet 17 bytes.
00:30:08,076 INFO  - Client RC4 Seed 0x8D1BDA8E0D82E600DD3CDA0F48CFB3D7

Packet S->C, SMSG_WARDEN_DATA (0x02E6), len 0x0011
0000: 05 AE F3 F4 2B 2B 83 1F 26 5E 16 AB B5 D9 F8 77 | ....++..&^.....w
0010: 18 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- | ................

00:30:08,186 INFO  - Mpq checks init!

Packet S->C, SMSG_WARDEN_DATA (0x02E6), len 0x0039
0000: 03 14 00 0D D4 CA C8 01 00 02 00 90 59 33 00 D0 | ............Y3..
0010: 25 33 00 A0 31 33 00 B0 35 33 00 03 08 00 E9 AD | %3..13..53......
0020: 99 92 04 00 00 E0 01 3D 00 01 03 08 00 8A 88 B5 | .......=........
0030: 4D 01 01 00 20 04 42 00 01 -- -- -- -- -- -- -- | M... .B.........

00:30:08,248 INFO  - C->S 0x04: Warden response!
00:30:08,248 INFO  - Hash: 38FDC97E90926A44A4A3F7BC44495A8E8818DC52

Packet C->S, CMSG_WARDEN_DATA (0x02E7), len 0x0015
0000: 04 38 FD C9 7E 90 92 6A 44 A4 A3 F7 BC 44 49 5A | .8..~..jD....DIZ
0010: 8E 88 18 DC 52 -- -- -- -- -- -- -- -- -- -- -- | ....R...........

Packet S->C, SMSG_WARDEN_DATA (0x02E6), len 0x00B0
0000: 02 2A 77 6F 72 6C 64 5C 6D 61 70 73 5C 73 74 72 | .*world\\maps\\str
0010: 61 74 68 6F 6C 6D 65 5C 73 74 72 61 74 68 6F 6C | atholme\\strathol
0020: 6D 65 5F 33 38 5F 32 35 2E 61 64 74 00 1A 15 01 | me_38_25.adt....
0030: BE 00 87 B6 47 00 08 72 63 53 49 BA E9 AA 5B A5 | ....G..rcSI...[.
0040: 36 FC 7E 8C 66 8B 5B F6 63 16 74 A4 A0 18 FC BA | 6.~.f.[.c.t.....
0050: 69 32 00 00 24 BF 05 1B 95 43 28 C9 D9 4D 44 F6 | i2..$....C(..MD.
0060: 90 E4 6B 3C 6F 02 84 30 75 EA B7 E4 9D 76 92 4E | ..k<o..0u....v.N
0070: 03 00 17 72 E5 CF 81 C4 09 52 79 A7 19 72 80 D6 | ...r.....Ry..r..
0080: A6 BE AD E2 65 CA 8A 35 75 9D 57 39 8C A0 00 00 | ....e..5u.W9....
0090: 18 72 40 1F DF F1 3E B7 4C FB D4 20 96 BE D6 84 | .r@...>.L.. ....
00A0: F3 5A 81 53 D9 7D 50 4E A7 A4 0C A1 00 00 18 8D | .Z.S.}PN........

Packet C->S, CMSG_WARDEN_DATA (0x02E7), len 0x002E
0000: 02 27 00 6F 76 DC 39 01 44 7A 70 15 00 B2 FB C9 | .'.ov.9.Dzp.....
0010: D5 59 86 67 F9 0C 86 2F 87 CB 9B 6A B0 4E CB AD | .Y.g.../...j.N..
0020: 3E 00 68 D0 81 0D 01 C6 02 00 E9 E9 E9 E9 -- -- | >.h.............

Packet S->C, SMSG_WARDEN_DATA (0x02E6), len 0x00AD
0000: 02 08 41 66 64 65 33 32 75 75 00 1A BE 00 00 84 | ..Afde32uu......
0010: 6D 00 0B 72 8B B4 13 ED 5F 47 4D 1F 7C E9 63 37 | m..r...._GM.|.c7
0020: 42 59 79 8D 67 54 0C 48 CB 85 1F 31 10 9C 06 00 | BYy.gT.H...1....
0030: 30 BF F6 BD 52 1B 0A 22 2F 69 EA 00 AA ED 69 4E | 0...R.."/i....iN
0040: 65 F6 C0 FA D6 2B 6E 8F 20 A5 70 A1 18 00 1E BE | e....+n. .p.....
0050: 00 0A A9 4C 00 05 BC 46 0D CC A2 1A 8F 1C F5 62 | ...L...F.......b
0060: A5 0F C0 74 21 92 EC 50 57 63 4A B5 52 A7 2D 01 | ...t!..PWcJ.R.-.
0070: 72 A6 4B 53 91 E0 AA 96 47 BF 59 2B E2 80 73 07 | r.KS....G.Y+..s.
0080: AA 7D 8F 13 29 E4 42 94 F5 F8 D4 06 00 30 BF CC | .}..).B......0..
0090: EF 3F 0B 7B BD B2 A0 EC DD 60 61 AF C6 B1 F2 85 | .?.{.....`a.....
00A0: B4 FF DB 32 BA 2B B8 A0 5F 16 00 1F 8D -- -- -- | ...2.+.._.......

Packet C->S, CMSG_WARDEN_DATA (0x02E7), len 0x0023
0000: 02 1C 00 10 55 4B 1C 01 8C C8 70 15 00 01 BE 80 | ....UK....p.....
0010: 00 00 00 E8 E5 B6 FF FF E9 E9 00 77 34 FF 24 85 | ...........w4.$.
0020: E9 E9 E9 -- -- -- -- -- -- -- -- -- -- -- -- -- | ................

As you can see

00:30:08,076 INFO  - Client RC4 Seed 0x8D1BDA8E0D82E600DD3CDA0F48CFB3D7

First byte is 0x8D

and

Packet S->C, SMSG_WARDEN_DATA (0x02E6), len 0x00B0
0000: 02 2A 77 6F 72 6C 64 5C 6D 61 70 73 5C 73 74 72 | .*world\\maps\\str
0010: 61 74 68 6F 6C 6D 65 5C 73 74 72 61 74 68 6F 6C | atholme\\strathol
0020: 6D 65 5F 33 38 5F 32 35 2E 61 64 74 00 1A 15 01 | me_38_25.adt....
0030: BE 00 87 B6 47 00 08 72 63 53 49 BA E9 AA 5B A5 | ....G..rcSI...[.
0040: 36 FC 7E 8C 66 8B 5B F6 63 16 74 A4 A0 18 FC BA | 6.~.f.[.c.t.....
0050: 69 32 00 00 24 BF 05 1B 95 43 28 C9 D9 4D 44 F6 | i2..$....C(..MD.
0060: 90 E4 6B 3C 6F 02 84 30 75 EA B7 E4 9D 76 92 4E | ..k<o..0u....v.N
0070: 03 00 17 72 E5 CF 81 C4 09 52 79 A7 19 72 80 D6 | ...r.....Ry..r..
0080: A6 BE AD E2 65 CA 8A 35 75 9D 57 39 8C A0 00 00 | ....e..5u.W9....
0090: 18 72 40 1F DF F1 3E B7 4C FB D4 20 96 BE D6 84 | .r@...>.L.. ....
00A0: F3 5A 81 53 D9 7D 50 4E A7 A4 0C A1 00 00 18 8D | .Z.S.}PN........

Packet S->C, SMSG_WARDEN_DATA (0x02E6), len 0x00AD
0000: 02 08 41 66 64 65 33 32 75 75 00 1A BE 00 00 84 | ..Afde32uu......
0010: 6D 00 0B 72 8B B4 13 ED 5F 47 4D 1F 7C E9 63 37 | m..r...._GM.|.c7
0020: 42 59 79 8D 67 54 0C 48 CB 85 1F 31 10 9C 06 00 | BYy.gT.H...1....
0030: 30 BF F6 BD 52 1B 0A 22 2F 69 EA 00 AA ED 69 4E | 0...R.."/i....iN
0040: 65 F6 C0 FA D6 2B 6E 8F 20 A5 70 A1 18 00 1E BE | e....+n. .p.....
0050: 00 0A A9 4C 00 05 BC 46 0D CC A2 1A 8F 1C F5 62 | ...L...F.......b
0060: A5 0F C0 74 21 92 EC 50 57 63 4A B5 52 A7 2D 01 | ...t!..PWcJ.R.-.
0070: 72 A6 4B 53 91 E0 AA 96 47 BF 59 2B E2 80 73 07 | r.KS....G.Y+..s.
0080: AA 7D 8F 13 29 E4 42 94 F5 F8 D4 06 00 30 BF CC | .}..).B......0..
0090: EF 3F 0B 7B BD B2 A0 EC DD 60 61 AF C6 B1 F2 85 | .?.{.....`a.....
00A0: B4 FF DB 32 BA 2B B8 A0 5F 16 00 1F 8D -- -- -- | ...2.+.._.......

The last byte of both SMSG packets is 0x8D. I don't see any problems here...
