TOM_RUS

Everything posted by TOM_RUS

  1. There was some misleading error output. It was fixed and should now show the correct source of the problem.
  2. Honor diminishing returns were removed in some old client patch. Patch 2.4.0: PvP
     - Diminishing returns on honor for kills is being eliminated.
     - Honor will now be instantly calculated, and available for player use.
     - Players that have the resurrection sickness debuff will be worth no honor.
  3. Anyone tried to add flag 0x8000 to such items? Maybe it will work... All such items have the 0x8 item flag.
  4. There's also a message like "Time is over!" (exact message unknown, because I'm playing on Russian realms) at the end of the battleground in this case.
  5. 00:30:07,811 INFO - S->C 0x00: Warden module loading request!
     00:30:07,826 INFO - Module MD5: B97DB15A24740055BBCA8EDDD6B23CF2
     00:30:07,826 INFO - Module decryption key: 682F1CE077552EE9D021B8A7A72CCDA1
     00:30:07,826 INFO - Module length: 18442
     Packet S->C, SMSG_WARDEN_DATA (0x02E6), len 0x0025
     0000: 00 B9 7D B1 5A 24 74 00 55 BB CA 8E DD D6 B2 3C | ..}.Z$t.U......<
     0010: F2 68 2F 1C E0 77 55 2E E9 D0 21 B8 A7 A7 2C CD | .h/..wU...!...,.
     0020: A1 0A 48 00 00 -- -- -- -- -- -- -- -- -- -- -- | ..H.............
     00:30:08,014 INFO - C->S 0x01: Warden module loaded!
     00:30:08,014 INFO - [WARDEN] Loading module B97DB15A24740055BBCA8EDDD6B23CF2...
     00:30:08,014 INFO - [WARDEN] Update...
     00:30:08,014 INFO - [WARDEN] Update: Adjusting references to global variables...
     00:30:08,014 INFO - [WARDEN] Update: Updating API library references...
     00:30:08,014 INFO - Library: KERNEL32.dll
     00:30:08,029 INFO - Function: LCMapStringA @ 0x7C838E18
     00:30:08,029 INFO - Function: Sleep @ MY 0x0036284A
     00:30:08,029 INFO - Function: TlsFree @ 0x7C813777
     00:30:08,029 INFO - Function: TlsGetValue @ 0x7C8097E0
     00:30:08,029 INFO - Function: TlsSetValue @ 0x7C809C65
     00:30:08,029 INFO - Function: RaiseException @ 0x7C812AA9
     00:30:08,029 INFO - Function: TlsAlloc @ 0x7C812E3F
     00:30:08,029 INFO - Function: GetProcAddress @ MY 0x00362A0A
     00:30:08,029 INFO - Function: GetModuleHandleA @ 0x7C80B741
     00:30:08,029 INFO - Function: GetTickCount @ 0x7C80934A
     00:30:08,029 INFO - Function: GetVersionExA @ 0x7C812B7E
     00:30:08,029 INFO - Function: GetSystemInfo @ 0x7C812DF6
     00:30:08,029 INFO - Function: QueryDosDeviceA @ 0x7C85D344
     00:30:08,029 INFO - Function: VirtualQuery @ MY 0x00362B22
     00:30:08,029 INFO - Function: CloseHandle @ 0x7C809BE7
     00:30:08,029 INFO - Function: GetCurrentProcess @ MY 0x00362D1A
     00:30:08,029 INFO - Function: FreeLibrary @ MY 0x00362E2A
     00:30:08,029 INFO - Function: DuplicateHandle @ 0x7C80DE9E
     00:30:08,029 INFO - Function: LoadLibraryA @ MY 0x00362E5A
     00:30:08,029 INFO - Function: GetProcessHeap @ 0x7C80AC61
     00:30:08,029 INFO - Function: HeapFree @ 0x7C90FF2D
     00:30:08,029 INFO - Function: TerminateProcess @ 0x7C801E1A
     00:30:08,029 INFO - Function: UnhandledExceptionFilter @ 0x7C863FCA
     00:30:08,029 INFO - Function: SetUnhandledExceptionFilter @ 0x7C84495D
     00:30:08,029 INFO - Function: QueryPerformanceCounter @ 0x7C80A4C7
     00:30:08,029 INFO - Function: GetCurrentThreadId @ 0x7C8097D0
     00:30:08,029 INFO - Function: GetCurrentProcessId @ MY 0x00362EBA
     00:30:08,029 INFO - Function: GetSystemTimeAsFileTime @ 0x7C8017E9
     00:30:08,029 INFO - Function: RtlUnwind @ 0x7C92ABC5
     00:30:08,029 INFO - Library: USER32.dll
     00:30:08,029 INFO - Function: IsCharUpperA @ 0x7E38707E
     00:30:08,029 INFO - Function: CharUpperBuffA @ 0x7E36AE3F
     00:30:08,029 INFO - Function: BeginPaint @ 0x7E378FE9
     00:30:08,045 INFO - [WARDEN] Initialize...
     00:30:08,045 INFO - [WARDEN] Initialize function: 0x040C17A7
     00:30:08,061 INFO - [WARDEN] Init()
     00:30:08,061 INFO - GetCurrentProcessId() = 0x00000EE0
     00:30:08,061 INFO - GetProcAddress(0x7C800000, AddVectoredExceptionHandler) = 0x7C936C2A
     00:30:08,061 INFO - GetProcAddress(0x7C800000, RemoveVectoredExceptionHandler) = 0x7C936C96
     00:30:08,061 INFO - AllocateMemory(0x001CB5E0, 0x000007F0)
     00:30:08,061 INFO - AllocateMemory(0x001CCA38, 0x0000003C)
     00:30:08,061 INFO - AllocateMemory(0x001C3F20, 0x0000002C)
     00:30:08,061 INFO - LoadLibrary(kernel32.dll) = 0x7C800000
     00:30:08,061 INFO - GetProcAddress(0x7C800000, CreateToolhelp32Snapshot) = 0x7C865C7F
     00:30:08,061 INFO - GetProcAddress(0x7C800000, Module32First) = 0x7C8653A0
     00:30:08,061 INFO - GetProcAddress(0x7C800000, Module32Next) = 0x7C865525
     00:30:08,061 INFO - GetProcAddress(0x7C800000, wine_get_unix_file_name) = 0x00000000
     00:30:08,061 INFO - AllocateMemory(0x001CD3F8, 0x0000005C)
     00:30:08,061 INFO - [WARDEN] Initialized...
     00:30:08,061 INFO - GetRC4Data(0x001CB600, 0x00000208)
     Packet C->S, CMSG_WARDEN_DATA (0x02E7), len 0x0001
     0000: 01 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- | ................
     00:30:08,076 INFO - S->C 0x05: Warden hash request!
     00:30:08,076 INFO - Seed: AEF3F42B2B831F265E16ABB5D9F87718
     00:30:08,076 INFO - Passing S->C 0x05 packet to warden module...
     00:30:08,076 INFO - SendPacket(0x03D5EFD8, 0x00000015)
     00:30:08,076 INFO - S->C 0x05: handled packet 17 bytes.
     00:30:08,076 INFO - Client RC4 Seed 0x8D1BDA8E0D82E600DD3CDA0F48CFB3D7
     Packet S->C, SMSG_WARDEN_DATA (0x02E6), len 0x0011
     0000: 05 AE F3 F4 2B 2B 83 1F 26 5E 16 AB B5 D9 F8 77 | ....++..&^.....w
     0010: 18 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- | ................
     00:30:08,186 INFO - Mpq checks init!
     Packet S->C, SMSG_WARDEN_DATA (0x02E6), len 0x0039
     0000: 03 14 00 0D D4 CA C8 01 00 02 00 90 59 33 00 D0 | ............Y3..
     0010: 25 33 00 A0 31 33 00 B0 35 33 00 03 08 00 E9 AD | %3..13..53......
     0020: 99 92 04 00 00 E0 01 3D 00 01 03 08 00 8A 88 B5 | .......=........
     0030: 4D 01 01 00 20 04 42 00 01 -- -- -- -- -- -- -- | M... .B.........
     00:30:08,248 INFO - C->S 0x04: Warden response!
     00:30:08,248 INFO - Hash: 38FDC97E90926A44A4A3F7BC44495A8E8818DC52
     Packet C->S, CMSG_WARDEN_DATA (0x02E7), len 0x0015
     0000: 04 38 FD C9 7E 90 92 6A 44 A4 A3 F7 BC 44 49 5A | .8..~..jD....DIZ
     0010: 8E 88 18 DC 52 -- -- -- -- -- -- -- -- -- -- -- | ....R...........
     Packet S->C, SMSG_WARDEN_DATA (0x02E6), len 0x00B0
     0000: 02 2A 77 6F 72 6C 64 5C 6D 61 70 73 5C 73 74 72 | .*world\maps\str
     0010: 61 74 68 6F 6C 6D 65 5C 73 74 72 61 74 68 6F 6C | atholme\strathol
     0020: 6D 65 5F 33 38 5F 32 35 2E 61 64 74 00 1A 15 01 | me_38_25.adt....
     0030: BE 00 87 B6 47 00 08 72 63 53 49 BA E9 AA 5B A5 | ....G..rcSI...[.
     0040: 36 FC 7E 8C 66 8B 5B F6 63 16 74 A4 A0 18 FC BA | 6.~.f.[.c.t.....
     0050: 69 32 00 00 24 BF 05 1B 95 43 28 C9 D9 4D 44 F6 | i2..$....C(..MD.
     0060: 90 E4 6B 3C 6F 02 84 30 75 EA B7 E4 9D 76 92 4E | ..k<o..0u....v.N
     0070: 03 00 17 72 E5 CF 81 C4 09 52 79 A7 19 72 80 D6 | ...r.....Ry..r..
     0080: A6 BE AD E2 65 CA 8A 35 75 9D 57 39 8C A0 00 00 | ....e..5u.W9....
     0090: 18 72 40 1F DF F1 3E B7 4C FB D4 20 96 BE D6 84 | .r@...>.L.. ....
     00A0: F3 5A 81 53 D9 7D 50 4E A7 A4 0C A1 00 00 18 8D | .Z.S.}PN........
     Packet C->S, CMSG_WARDEN_DATA (0x02E7), len 0x002E
     0000: 02 27 00 6F 76 DC 39 01 44 7A 70 15 00 B2 FB C9 | .'.ov.9.Dzp.....
     0010: D5 59 86 67 F9 0C 86 2F 87 CB 9B 6A B0 4E CB AD | .Y.g.../...j.N..
     0020: 3E 00 68 D0 81 0D 01 C6 02 00 E9 E9 E9 E9 -- -- | >.h.............
     Packet S->C, SMSG_WARDEN_DATA (0x02E6), len 0x00AD
     0000: 02 08 41 66 64 65 33 32 75 75 00 1A BE 00 00 84 | ..Afde32uu......
     0010: 6D 00 0B 72 8B B4 13 ED 5F 47 4D 1F 7C E9 63 37 | m..r...._GM.|.c7
     0020: 42 59 79 8D 67 54 0C 48 CB 85 1F 31 10 9C 06 00 | BYy.gT.H...1....
     0030: 30 BF F6 BD 52 1B 0A 22 2F 69 EA 00 AA ED 69 4E | 0...R.."/i....iN
     0040: 65 F6 C0 FA D6 2B 6E 8F 20 A5 70 A1 18 00 1E BE | e....+n. .p.....
     0050: 00 0A A9 4C 00 05 BC 46 0D CC A2 1A 8F 1C F5 62 | ...L...F.......b
     0060: A5 0F C0 74 21 92 EC 50 57 63 4A B5 52 A7 2D 01 | ...t!..PWcJ.R.-.
     0070: 72 A6 4B 53 91 E0 AA 96 47 BF 59 2B E2 80 73 07 | r.KS....G.Y+..s.
     0080: AA 7D 8F 13 29 E4 42 94 F5 F8 D4 06 00 30 BF CC | .}..).B......0..
     0090: EF 3F 0B 7B BD B2 A0 EC DD 60 61 AF C6 B1 F2 85 | .?.{.....`a.....
     00A0: B4 FF DB 32 BA 2B B8 A0 5F 16 00 1F 8D -- -- -- | ...2.+.._.......
     Packet C->S, CMSG_WARDEN_DATA (0x02E7), len 0x0023
     0000: 02 1C 00 10 55 4B 1C 01 8C C8 70 15 00 01 BE 80 | ....UK....p.....
     0010: 00 00 00 E8 E5 B6 FF FF E9 E9 00 77 34 FF 24 85 | ...........w4.$.
     0020: E9 E9 E9 -- -- -- -- -- -- -- -- -- -- -- -- -- | ................

     As you can see
     00:30:08,076 INFO - Client RC4 Seed 0x8D1BDA8E0D82E600DD3CDA0F48CFB3D7
     First byte is 0x8D and
     Packet S->C, SMSG_WARDEN_DATA (0x02E6), len 0x00B0
     0000: 02 2A 77 6F 72 6C 64 5C 6D 61 70 73 5C 73 74 72 | .*world\maps\str
     0010: 61 74 68 6F 6C 6D 65 5C 73 74 72 61 74 68 6F 6C | atholme\strathol
     0020: 6D 65 5F 33 38 5F 32 35 2E 61 64 74 00 1A 15 01 | me_38_25.adt....
     0030: BE 00 87 B6 47 00 08 72 63 53 49 BA E9 AA 5B A5 | ....G..rcSI...[.
     0040: 36 FC 7E 8C 66 8B 5B F6 63 16 74 A4 A0 18 FC BA | 6.~.f.[.c.t.....
     0050: 69 32 00 00 24 BF 05 1B 95 43 28 C9 D9 4D 44 F6 | i2..$....C(..MD.
     0060: 90 E4 6B 3C 6F 02 84 30 75 EA B7 E4 9D 76 92 4E | ..k<o..0u....v.N
     0070: 03 00 17 72 E5 CF 81 C4 09 52 79 A7 19 72 80 D6 | ...r.....Ry..r..
     0080: A6 BE AD E2 65 CA 8A 35 75 9D 57 39 8C A0 00 00 | ....e..5u.W9....
     0090: 18 72 40 1F DF F1 3E B7 4C FB D4 20 96 BE D6 84 | .r@...>.L.. ....
     00A0: F3 5A 81 53 D9 7D 50 4E A7 A4 0C A1 00 00 18 8D | .Z.S.}PN........
     Packet S->C, SMSG_WARDEN_DATA (0x02E6), len 0x00AD
     0000: 02 08 41 66 64 65 33 32 75 75 00 1A BE 00 00 84 | ..Afde32uu......
     0010: 6D 00 0B 72 8B B4 13 ED 5F 47 4D 1F 7C E9 63 37 | m..r...._GM.|.c7
     0020: 42 59 79 8D 67 54 0C 48 CB 85 1F 31 10 9C 06 00 | BYy.gT.H...1....
     0030: 30 BF F6 BD 52 1B 0A 22 2F 69 EA 00 AA ED 69 4E | 0...R.."/i....iN
     0040: 65 F6 C0 FA D6 2B 6E 8F 20 A5 70 A1 18 00 1E BE | e....+n. .p.....
     0050: 00 0A A9 4C 00 05 BC 46 0D CC A2 1A 8F 1C F5 62 | ...L...F.......b
     0060: A5 0F C0 74 21 92 EC 50 57 63 4A B5 52 A7 2D 01 | ...t!..PWcJ.R.-.
     0070: 72 A6 4B 53 91 E0 AA 96 47 BF 59 2B E2 80 73 07 | r.KS....G.Y+..s.
     0080: AA 7D 8F 13 29 E4 42 94 F5 F8 D4 06 00 30 BF CC | .}..).B......0..
     0090: EF 3F 0B 7B BD B2 A0 EC DD 60 61 AF C6 B1 F2 85 | .?.{.....`a.....
     00A0: B4 FF DB 32 BA 2B B8 A0 5F 16 00 1F 8D -- -- -- | ...2.+.._.......
     last byte of both SMSG packets is 0x8D. I don't see any problems here...
  6. Xor byte is the first byte of the seed used for initializing client RC4 encryption. This seed is stored at module+4. SHA1 of this seed is sent in the 0x04 packet.

     // This seed is used by the warden module for RC4 initialization (client - one pass, server - 2 passes)
     public byte[] ReadRC4Seed
     {
         get
         {
             var seed = new byte[16];
             unsafe
             {
                 // read 16 bytes at module+4 straight out of the loaded module
                 Marshal.Copy(new IntPtr((int)ppWFuncList + 4), seed, 0, seed.Length);
             }
             return seed;
         }
     }
  7. No. 0x04 packet is handled by my sniffer. There's full source code that deals with warden: http://paste2.org/p/502204
     I forgot Arc4 class:

     using System;
     using System.Collections.Generic;

     namespace Wlp
     {
         public class Arc4
         {
             private readonly byte[] state;
             private byte x, y;

             // Cipher state in the layout read from / written back to the module:
             // 0x100 bytes of S-box, then x, then y (0x102 bytes total).
             public byte[] RC4Data
             {
                 get
                 {
                     var data = new byte[0x102];
                     state.CopyTo(data, 0);
                     data[0x100] = x; // was data[100] / data[101]: decimal indices that did not match the setter below
                     data[0x101] = y;
                     return data;
                 }
                 set
                 {
                     Array.Copy(value, state, 0x100);
                     x = value[0x100];
                     y = value[0x101];
                 }
             }

             public Arc4(byte[] key)
             {
                 state = new byte[256];
                 x = y = 0;
                 KeySetup(key);
             }

             // In-place transform; RC4 is symmetric, so the same call encrypts and decrypts.
             public int Process(byte[] buffer, int start, int count)
             {
                 return InternalTransformBlock(buffer, start, count, buffer, start);
             }

             public int Process(List<byte> buffer, int start, int count)
             {
                 return InternalTransformBlock(buffer, start, count, buffer, start);
             }

             // Key-scheduling algorithm (KSA)
             private void KeySetup(byte[] key)
             {
                 byte index1 = 0;
                 byte index2 = 0;
                 for (var counter = 0; counter < 256; counter++)
                 {
                     state[counter] = (byte)counter;
                 }
                 x = 0;
                 y = 0;
                 for (var counter = 0; counter < 256; counter++)
                 {
                     index2 = (byte)(key[index1] + state[counter] + index2);
                     // swap byte
                     var tmp = state[counter];
                     state[counter] = state[index2];
                     state[index2] = tmp;
                     index1 = (byte)((index1 + 1) % key.Length);
                 }
             }

             // Keystream generation (PRGA) XORed over the input
             private int InternalTransformBlock(byte[] inputBuffer, int inputOffset, int inputCount, byte[] outputBuffer, int outputOffset)
             {
                 for (var counter = 0; counter < inputCount; counter++)
                 {
                     x = (byte)(x + 1);
                     y = (byte)(state[x] + y);
                     // swap byte
                     var tmp = state[x];
                     state[x] = state[y];
                     state[y] = tmp;
                     var xorIndex = (byte)(state[x] + state[y]);
                     outputBuffer[outputOffset + counter] = (byte)(inputBuffer[inputOffset + counter] ^ state[xorIndex]);
                 }
                 return inputCount;
             }

             private int InternalTransformBlock(List<byte> inputBuffer, int inputOffset, int inputCount, List<byte> outputBuffer, int outputOffset)
             {
                 for (var counter = 0; counter < inputCount; counter++)
                 {
                     x = (byte)(x + 1);
                     y = (byte)(state[x] + y);
                     // swap byte
                     var tmp = state[x];
                     state[x] = state[y];
                     state[y] = tmp;
                     var xorIndex = (byte)(state[x] + state[y]);
                     outputBuffer[outputOffset + counter] = (byte)(inputBuffer[inputOffset + counter] ^ state[xorIndex]);
                 }
                 return inputCount;
             }
         }
     }
  8. That's how I'm doing that:

     s_wardenLoader.LoadWarden(s_currentModule.Data); // load
     s_wardenLoader.GenerateRC4Keys(WardenCrypt.s_sessionKey); // init with session key, may be not required

     then the module calls its GetRC4Data function callback:

     private unsafe int GetRC4Data(void* buffer, int* length)
     {
         var pBuffer = new IntPtr(buffer);
         Logger.Add(" GetRC4Data(0x{0:X8}, 0x{1:X8})", pBuffer.ToInt32(), *length);
         for (var i = 0; i < *length; ++i) // clear all keys
             ((byte*)buffer)[i] = 0;
         return 1; // this is important!!!
     }

     s_wardenLoader.PacketHandler(packet.m_data, out handled); // handle 0x05 packet
     WardenCrypt.ServerRC4Data = s_wardenLoader.ReadRC4Data; // get server keys in 0x05 packet handler
     WardenCrypt.ClientRC4Data = s_wardenLoader.ReadRC4Data; // get client keys in 0x04 packet handler

     ppWFuncList is the shit returned by the Warden Init function

     public byte[] ReadRC4Data
     {
         get
         {
             var data = new byte[0x204];
             unsafe
             {
                 // 0x204 bytes at module+32: two 0x102-byte RC4 states
                 Marshal.Copy(new IntPtr((int)ppWFuncList + 32), data, 0, data.Length);
             }
             return data;
         }
     }
  9. I have that done. And I collected 56 modules so far.
  10. I checked, and that module specific hashing function is completely different between 2 modules. So best way is to load module and grab the keys...
  11. Sounds correct. It looks something like that:

      byte seed[16]; // taken from 0x05 packet
      byte[] rc4_seed_client = ModuleSpecificHash(&seed); // this value is then stored at module+4
      byte[] rc4_seed_server = ModuleSpecificHash(&seed); // so we have double processed seed here
      clientRC4Crypt_Init(rc4_seed_client);
      serverRC4Crypt_Init(rc4_seed_server);
      byte[] seedHash = SHA1(rc4_seed_client); // used in 0x04 packet

      Hex-Rays pseudocode:

      signed int __thiscall Handle_05_packet(Module *this, int data, int serverRC4ctx)
      {
        Module *module; // ebx@1
        signed int result; // eax@2
        unsigned int v5; // eax@3
        int v6; // edx@5
        int localData; // esi@1
        int s; // [sp+CCh] [bp+0h]@1
        unsigned int v9; // [sp+C8h] [bp-4h]@1
        int v10; // [sp+28h] [bp-A4h]@1
        Seed *clientSeed; // [sp+18h] [bp-B4h]@1
        Seed *serverSeed; // [sp+8h] [bp-C4h]@3
        int v13; // [sp+Ch] [bp-C0h]@3
        int v14; // [sp+10h] [bp-BCh]@3
        int v15; // [sp+14h] [bp-B8h]@3
        char v16; // [sp+3Ch] [bp-90h]@5
        char clientSeedHash; // [sp+9Ch] [bp-30h]@5
        int v18; // [sp+34h] [bp-98h]@5
        int a3; // [sp+B0h] [bp-1Ch]@5
        int *buffer; // [sp+2Ch] [bp-A0h]@5
        signed int size; // [sp+30h] [bp-9Ch]@5
        char opcode; // [sp+38h] [bp-94h]@5

        v9 = (unsigned int)&s ^ dword_409040;
        localData = data;
        v10 = serverRC4ctx;
        module = this;
        ReadInt32Blocks(data, (int)&clientSeed, 4); // 4*4=16 bytes
        if ( *(_DWORD *)(localData + 8) <= *(_DWORD *)(localData + 4) )
        {
          UnknownHashingFunc((Seed *)&clientSeed);
          serverSeed = clientSeed;
          v13 = clientSeed->b;
          v14 = clientSeed->c;
          v15 = clientSeed->d;
          UnknownHashingFunc((Seed *)&serverSeed);
          v5 = 0;
          do
            v5 += 4;
          while ( v5 < 16 );
          module->seed[0] = (int)clientSeed; // store client seed at module+4
          module->seed[1] = clientSeed->b;
          module->seed[2] = clientSeed->c;
          module->seed[3] = clientSeed->d;
          Sha1Init((int)&v16);
          Sha1Update((int)&v16, (int)&clientSeed, 16);
          Sha1Final((int)&v16, (int)&clientSeedHash);
          v18 = 0;
          buffer = &a3;
          size = 21;
          opcode = 4;
          InitPacket((int)&buffer, (int)&opcode);
          PutBytes((int)&buffer, (int)&clientSeedHash);
          if ( v18 <= (unsigned int)size )
            SendPacket((int)module, v6, (int)&a3);
          RC4Init((int)module->out_key, (int)&clientSeed, 16); // module+32
          RC4Init(v10, (int)&serverSeed, 16);
          result = 1;
        }
        else
        {
          result = 3;
        }
        return result;
      }
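An added example (editor's Python, not TOM_RUS's sniffer code) that puts posts 5, 7, 8 and 11 together: an RC4 with the 0x102-byte state snapshot the sniffer copies out of the module, the 0x05 key schedule (one pass of the module-specific hash for the client key, two for the server key, SHA-1 of the client key as the 0x04 reply, client key byte 0 as the XOR byte), and the trailing-byte check from post 5. The module-specific hash is unknown and differs per module, so stand_in_module_hash is a labelled placeholder, and warden_session_keys / trailer_matches_xor_byte are names assumed here; the seed value is the one from the log above.

```python
import hashlib
from typing import Callable


class RC4:
    """RC4 whose state snapshot uses the 0x102-byte layout the sniffer reads from
    the module (posts 7/8): 256 S-box bytes, then x, then y."""

    def __init__(self, key: bytes) -> None:
        s, j = list(range(256)), 0
        for i in range(256):  # key scheduling, as in Arc4.KeySetup()
            j = (j + s[i] + key[i % len(key)]) & 0xFF
            s[i], s[j] = s[j], s[i]
        self.s, self.x, self.y = s, 0, 0

    def process(self, data: bytes) -> bytes:  # one routine encrypts and decrypts
        out = bytearray()
        for b in data:
            self.x = (self.x + 1) & 0xFF
            self.y = (self.y + self.s[self.x]) & 0xFF
            self.s[self.x], self.s[self.y] = self.s[self.y], self.s[self.x]
            out.append(b ^ self.s[(self.s[self.x] + self.s[self.y]) & 0xFF])
        return bytes(out)

    def export_state(self) -> bytes:
        return bytes(self.s) + bytes([self.x, self.y])

    @classmethod
    def from_state(cls, blob: bytes) -> "RC4":
        """Resume a stream from a snapshot copied out of the module (post 8)."""
        if len(blob) != 0x102:
            raise ValueError("RC4 state must be 0x102 bytes")
        c = cls.__new__(cls)
        c.s, c.x, c.y = list(blob[:0x100]), blob[0x100], blob[0x101]
        return c


def stand_in_module_hash(seed: bytes) -> bytes:
    """PLACEHOLDER for the module-specific 16-byte hash (unknown and different
    per module, see post 10). MD5 is used only so the schedule below can run."""
    return hashlib.md5(seed).digest()


def warden_session_keys(seed: bytes, module_hash: Callable[[bytes], bytes]) -> dict:
    """Key schedule from the 0x05 handler in post 11: one hash pass gives the
    client key (stored at module+4), a second pass gives the server key; SHA-1 of
    the client key is the 0x04 reply and client_key[0] is the XOR byte."""
    client_key = module_hash(seed)
    server_key = module_hash(client_key)
    return {
        "client": RC4(client_key),  # C->S traffic
        "server": RC4(server_key),  # S->C traffic
        "reply_0x04": bytes([0x04]) + hashlib.sha1(client_key).digest(),
        "xor_byte": client_key[0],
    }


def trailer_matches_xor_byte(decrypted_packet: bytes, xor_byte: int) -> bool:
    """Sanity check from post 5: a decrypted 0x02 check request ends in the XOR byte."""
    return (len(decrypted_packet) > 1 and decrypted_packet[0] == 0x02
            and decrypted_packet[-1] == xor_byte)
```

Both sides derive the same two RC4 streams from the seed, so a snapshot taken from the module at any point lets a sniffer keep decrypting from there without re-running the key schedule.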
  12. http://www.skullsecurity.org/wiki/index.php/Warden_Packets
  13. Warden packets are encrypted. Packet logs posted in this topic were decrypted. You need encrypt packets before sending...
  14. 0: mostly "flag" quests (63 quests in 3.3.0)
      -1: a lot of quests (1289 quests in 3.3.0)
  15. As I said there are no more hardcoded values, I added interactive debugging. In some modules it's a switch, and in some it's not. Initializes file reading functions (open/getsize/read/close). Maybe something more... http://paste2.org/p/473332
  16. I just added interactive debugging to warden parser, so you don't have to recompile it anymore. I just realized that xor byte changes each session. Let's see what I can do... Ralek did some reversing using IDA. Can't separate warden packets from rest of packets right now (because I'm lazy).
  17. No, it's not open source. To parse checks I manually find them first, add them to the parser and then parse the log. P.S. Two more parsed sniffs: http://paste2.org/p/474078, http://paste2.org/p/474089 The parser is here: http://code.google.com/p/mywowtools/source/browse/trunk/WoWPacketViewer/WoWPacketViewer/Parsers/WardenParser.cs?spec=svn137&r=137#, nothing interesting really.
  18. It's not fully in C#. I wrote a C++ DLL that deals with warden modules and then I just get pointers to the RC4 keys and read them (pinvoke)... Edit: I have ported my C++ code to C# completely. Small research on warden packets: http://paste2.org/p/471651 And the whole session with this module: http://paste2.org/p/471660 And some parsed output: http://paste2.org/p/472958
  19. There's special opcode doing that probably. SMSG_MIRRORIMAGE_DATA or something.