TOM_RUS

Posts posted by TOM_RUS

  1. 00:30:07,811 INFO  - S->C 0x00: Warden module loading request!
    00:30:07,826 INFO  - Module MD5: B97DB15A24740055BBCA8EDDD6B23CF2
    00:30:07,826 INFO  - Module decryption key: 682F1CE077552EE9D021B8A7A72CCDA1
    00:30:07,826 INFO  - Module length: 18442
    
    Packet S->C, SMSG_WARDEN_DATA (0x02E6), len 0x0025
    0000: 00 B9 7D B1 5A 24 74 00 55 BB CA 8E DD D6 B2 3C | ..}.Z$t.U......<
    0010: F2 68 2F 1C E0 77 55 2E E9 D0 21 B8 A7 A7 2C CD | .h/..wU...!...,.
    0020: A1 0A 48 00 00 -- -- -- -- -- -- -- -- -- -- -- | ..H.............
    
    00:30:08,014 INFO  - C->S 0x01: Warden module loaded!
    00:30:08,014 INFO  - [WARDEN] Loading module B97DB15A24740055BBCA8EDDD6B23CF2...
    00:30:08,014 INFO  - [WARDEN] Update...
    00:30:08,014 INFO  - [WARDEN] Update: Adjusting references to global variables...
    00:30:08,014 INFO  - [WARDEN] Update: Updating API library references...
    00:30:08,014 INFO  -     Library: KERNEL32.dll
    00:30:08,029 INFO  -         Function: LCMapStringA @ 0x7C838E18
    00:30:08,029 INFO  -         Function: Sleep @ MY 0x0036284A
    00:30:08,029 INFO  -         Function: TlsFree @ 0x7C813777
    00:30:08,029 INFO  -         Function: TlsGetValue @ 0x7C8097E0
    00:30:08,029 INFO  -         Function: TlsSetValue @ 0x7C809C65
    00:30:08,029 INFO  -         Function: RaiseException @ 0x7C812AA9
    00:30:08,029 INFO  -         Function: TlsAlloc @ 0x7C812E3F
    00:30:08,029 INFO  -         Function: GetProcAddress @ MY 0x00362A0A
    00:30:08,029 INFO  -         Function: GetModuleHandleA @ 0x7C80B741
    00:30:08,029 INFO  -         Function: GetTickCount @ 0x7C80934A
    00:30:08,029 INFO  -         Function: GetVersionExA @ 0x7C812B7E
    00:30:08,029 INFO  -         Function: GetSystemInfo @ 0x7C812DF6
    00:30:08,029 INFO  -         Function: QueryDosDeviceA @ 0x7C85D344
    00:30:08,029 INFO  -         Function: VirtualQuery @ MY 0x00362B22
    00:30:08,029 INFO  -         Function: CloseHandle @ 0x7C809BE7
    00:30:08,029 INFO  -         Function: GetCurrentProcess @ MY 0x00362D1A
    00:30:08,029 INFO  -         Function: FreeLibrary @ MY 0x00362E2A
    00:30:08,029 INFO  -         Function: DuplicateHandle @ 0x7C80DE9E
    00:30:08,029 INFO  -         Function: LoadLibraryA @ MY 0x00362E5A
    00:30:08,029 INFO  -         Function: GetProcessHeap @ 0x7C80AC61
    00:30:08,029 INFO  -         Function: HeapFree @ 0x7C90FF2D
    00:30:08,029 INFO  -         Function: TerminateProcess @ 0x7C801E1A
    00:30:08,029 INFO  -         Function: UnhandledExceptionFilter @ 0x7C863FCA
    00:30:08,029 INFO  -         Function: SetUnhandledExceptionFilter @ 0x7C84495D
    00:30:08,029 INFO  -         Function: QueryPerformanceCounter @ 0x7C80A4C7
    00:30:08,029 INFO  -         Function: GetCurrentThreadId @ 0x7C8097D0
    00:30:08,029 INFO  -         Function: GetCurrentProcessId @ MY 0x00362EBA
    00:30:08,029 INFO  -         Function: GetSystemTimeAsFileTime @ 0x7C8017E9
    00:30:08,029 INFO  -         Function: RtlUnwind @ 0x7C92ABC5
    00:30:08,029 INFO  -     Library: USER32.dll
    00:30:08,029 INFO  -         Function: IsCharUpperA @ 0x7E38707E
    00:30:08,029 INFO  -         Function: CharUpperBuffA @ 0x7E36AE3F
    00:30:08,029 INFO  -         Function: BeginPaint @ 0x7E378FE9
    00:30:08,045 INFO  - [WARDEN] Initialize...
    00:30:08,045 INFO  - [WARDEN] Initialize function: 0x040C17A7
    00:30:08,061 INFO  - [WARDEN] Init()
    00:30:08,061 INFO  -         GetCurrentProcessId() = 0x00000EE0
    00:30:08,061 INFO  -         GetProcAddress(0x7C800000, AddVectoredExceptionHandler) = 0x7C936C2A
    00:30:08,061 INFO  -         GetProcAddress(0x7C800000, RemoveVectoredExceptionHandler) = 0x7C936C96
    00:30:08,061 INFO  -         AllocateMemory(0x001CB5E0, 0x000007F0)
    00:30:08,061 INFO  -         AllocateMemory(0x001CCA38, 0x0000003C)
    00:30:08,061 INFO  -         AllocateMemory(0x001C3F20, 0x0000002C)
    00:30:08,061 INFO  -         LoadLibrary(kernel32.dll) = 0x7C800000
    00:30:08,061 INFO  -         GetProcAddress(0x7C800000, CreateToolhelp32Snapshot) = 0x7C865C7F
    00:30:08,061 INFO  -         GetProcAddress(0x7C800000, Module32First) = 0x7C8653A0
    00:30:08,061 INFO  -         GetProcAddress(0x7C800000, Module32Next) = 0x7C865525
    00:30:08,061 INFO  -         GetProcAddress(0x7C800000, wine_get_unix_file_name) = 0x00000000
    00:30:08,061 INFO  -         AllocateMemory(0x001CD3F8, 0x0000005C)
    00:30:08,061 INFO  - [WARDEN] Initialized...
    00:30:08,061 INFO  -         GetRC4Data(0x001CB600, 0x00000208)
    
    Packet C->S, CMSG_WARDEN_DATA (0x02E7), len 0x0001
    0000: 01 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- | ................
    
    00:30:08,076 INFO  - S->C 0x05: Warden hash request!
    00:30:08,076 INFO  - Seed: AEF3F42B2B831F265E16ABB5D9F87718
    00:30:08,076 INFO  - Passing S->C 0x05 packet to warden module...
    00:30:08,076 INFO  -         SendPacket(0x03D5EFD8, 0x00000015)
    00:30:08,076 INFO  - S->C 0x05: handled packet 17 bytes.
    00:30:08,076 INFO  - Client RC4 Seed 0x8D1BDA8E0D82E600DD3CDA0F48CFB3D7
    
    Packet S->C, SMSG_WARDEN_DATA (0x02E6), len 0x0011
    0000: 05 AE F3 F4 2B 2B 83 1F 26 5E 16 AB B5 D9 F8 77 | ....++..&^.....w
    0010: 18 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- | ................
    
    00:30:08,186 INFO  - Mpq checks init!
    
    Packet S->C, SMSG_WARDEN_DATA (0x02E6), len 0x0039
    0000: 03 14 00 0D D4 CA C8 01 00 02 00 90 59 33 00 D0 | ............Y3..
    0010: 25 33 00 A0 31 33 00 B0 35 33 00 03 08 00 E9 AD | %3..13..53......
    0020: 99 92 04 00 00 E0 01 3D 00 01 03 08 00 8A 88 B5 | .......=........
    0030: 4D 01 01 00 20 04 42 00 01 -- -- -- -- -- -- -- | M... .B.........
    
    00:30:08,248 INFO  - C->S 0x04: Warden response!
    00:30:08,248 INFO  - Hash: 38FDC97E90926A44A4A3F7BC44495A8E8818DC52
    
    Packet C->S, CMSG_WARDEN_DATA (0x02E7), len 0x0015
    0000: 04 38 FD C9 7E 90 92 6A 44 A4 A3 F7 BC 44 49 5A | .8..~..jD....DIZ
    0010: 8E 88 18 DC 52 -- -- -- -- -- -- -- -- -- -- -- | ....R...........
    
    Packet S->C, SMSG_WARDEN_DATA (0x02E6), len 0x00B0
    0000: 02 2A 77 6F 72 6C 64 5C 6D 61 70 73 5C 73 74 72 | .*world\\maps\\str
    0010: 61 74 68 6F 6C 6D 65 5C 73 74 72 61 74 68 6F 6C | atholme\\strathol
    0020: 6D 65 5F 33 38 5F 32 35 2E 61 64 74 00 1A 15 01 | me_38_25.adt....
    0030: BE 00 87 B6 47 00 08 72 63 53 49 BA E9 AA 5B A5 | ....G..rcSI...[.
    0040: 36 FC 7E 8C 66 8B 5B F6 63 16 74 A4 A0 18 FC BA | 6.~.f.[.c.t.....
    0050: 69 32 00 00 24 BF 05 1B 95 43 28 C9 D9 4D 44 F6 | i2..$....C(..MD.
    0060: 90 E4 6B 3C 6F 02 84 30 75 EA B7 E4 9D 76 92 4E | ..k<o..0u....v.N
    0070: 03 00 17 72 E5 CF 81 C4 09 52 79 A7 19 72 80 D6 | ...r.....Ry..r..
    0080: A6 BE AD E2 65 CA 8A 35 75 9D 57 39 8C A0 00 00 | ....e..5u.W9....
    0090: 18 72 40 1F DF F1 3E B7 4C FB D4 20 96 BE D6 84 | .r@...>.L.. ....
    00A0: F3 5A 81 53 D9 7D 50 4E A7 A4 0C A1 00 00 18 8D | .Z.S.}PN........
    
    Packet C->S, CMSG_WARDEN_DATA (0x02E7), len 0x002E
    0000: 02 27 00 6F 76 DC 39 01 44 7A 70 15 00 B2 FB C9 | .'.ov.9.Dzp.....
    0010: D5 59 86 67 F9 0C 86 2F 87 CB 9B 6A B0 4E CB AD | .Y.g.../...j.N..
    0020: 3E 00 68 D0 81 0D 01 C6 02 00 E9 E9 E9 E9 -- -- | >.h.............
    
    Packet S->C, SMSG_WARDEN_DATA (0x02E6), len 0x00AD
    0000: 02 08 41 66 64 65 33 32 75 75 00 1A BE 00 00 84 | ..Afde32uu......
    0010: 6D 00 0B 72 8B B4 13 ED 5F 47 4D 1F 7C E9 63 37 | m..r...._GM.|.c7
    0020: 42 59 79 8D 67 54 0C 48 CB 85 1F 31 10 9C 06 00 | BYy.gT.H...1....
    0030: 30 BF F6 BD 52 1B 0A 22 2F 69 EA 00 AA ED 69 4E | 0...R.."/i....iN
    0040: 65 F6 C0 FA D6 2B 6E 8F 20 A5 70 A1 18 00 1E BE | e....+n. .p.....
    0050: 00 0A A9 4C 00 05 BC 46 0D CC A2 1A 8F 1C F5 62 | ...L...F.......b
    0060: A5 0F C0 74 21 92 EC 50 57 63 4A B5 52 A7 2D 01 | ...t!..PWcJ.R.-.
    0070: 72 A6 4B 53 91 E0 AA 96 47 BF 59 2B E2 80 73 07 | r.KS....G.Y+..s.
    0080: AA 7D 8F 13 29 E4 42 94 F5 F8 D4 06 00 30 BF CC | .}..).B......0..
    0090: EF 3F 0B 7B BD B2 A0 EC DD 60 61 AF C6 B1 F2 85 | .?.{.....`a.....
    00A0: B4 FF DB 32 BA 2B B8 A0 5F 16 00 1F 8D -- -- -- | ...2.+.._.......
    
    Packet C->S, CMSG_WARDEN_DATA (0x02E7), len 0x0023
    0000: 02 1C 00 10 55 4B 1C 01 8C C8 70 15 00 01 BE 80 | ....UK....p.....
    0010: 00 00 00 E8 E5 B6 FF FF E9 E9 00 77 34 FF 24 85 | ...........w4.$.
    0020: E9 E9 E9 -- -- -- -- -- -- -- -- -- -- -- -- -- | ................
    
    

    As you can see

    00:30:08,076 INFO  - Client RC4 Seed 0x8D1BDA8E0D82E600DD3CDA0F48CFB3D7
    

    First byte is 0x8D

    and

    Packet S->C, SMSG_WARDEN_DATA (0x02E6), len 0x00B0
    0000: 02 2A 77 6F 72 6C 64 5C 6D 61 70 73 5C 73 74 72 | .*world\\maps\\str
    0010: 61 74 68 6F 6C 6D 65 5C 73 74 72 61 74 68 6F 6C | atholme\\strathol
    0020: 6D 65 5F 33 38 5F 32 35 2E 61 64 74 00 1A 15 01 | me_38_25.adt....
    0030: BE 00 87 B6 47 00 08 72 63 53 49 BA E9 AA 5B A5 | ....G..rcSI...[.
    0040: 36 FC 7E 8C 66 8B 5B F6 63 16 74 A4 A0 18 FC BA | 6.~.f.[.c.t.....
    0050: 69 32 00 00 24 BF 05 1B 95 43 28 C9 D9 4D 44 F6 | i2..$....C(..MD.
    0060: 90 E4 6B 3C 6F 02 84 30 75 EA B7 E4 9D 76 92 4E | ..k<o..0u....v.N
    0070: 03 00 17 72 E5 CF 81 C4 09 52 79 A7 19 72 80 D6 | ...r.....Ry..r..
    0080: A6 BE AD E2 65 CA 8A 35 75 9D 57 39 8C A0 00 00 | ....e..5u.W9....
    0090: 18 72 40 1F DF F1 3E B7 4C FB D4 20 96 BE D6 84 | .r@...>.L.. ....
    00A0: F3 5A 81 53 D9 7D 50 4E A7 A4 0C A1 00 00 18 8D | .Z.S.}PN........
    
    Packet S->C, SMSG_WARDEN_DATA (0x02E6), len 0x00AD
    0000: 02 08 41 66 64 65 33 32 75 75 00 1A BE 00 00 84 | ..Afde32uu......
    0010: 6D 00 0B 72 8B B4 13 ED 5F 47 4D 1F 7C E9 63 37 | m..r...._GM.|.c7
    0020: 42 59 79 8D 67 54 0C 48 CB 85 1F 31 10 9C 06 00 | BYy.gT.H...1....
    0030: 30 BF F6 BD 52 1B 0A 22 2F 69 EA 00 AA ED 69 4E | 0...R.."/i....iN
    0040: 65 F6 C0 FA D6 2B 6E 8F 20 A5 70 A1 18 00 1E BE | e....+n. .p.....
    0050: 00 0A A9 4C 00 05 BC 46 0D CC A2 1A 8F 1C F5 62 | ...L...F.......b
    0060: A5 0F C0 74 21 92 EC 50 57 63 4A B5 52 A7 2D 01 | ...t!..PWcJ.R.-.
    0070: 72 A6 4B 53 91 E0 AA 96 47 BF 59 2B E2 80 73 07 | r.KS....G.Y+..s.
    0080: AA 7D 8F 13 29 E4 42 94 F5 F8 D4 06 00 30 BF CC | .}..).B......0..
    0090: EF 3F 0B 7B BD B2 A0 EC DD 60 61 AF C6 B1 F2 85 | .?.{.....`a.....
    00A0: B4 FF DB 32 BA 2B B8 A0 5F 16 00 1F 8D -- -- -- | ...2.+.._.......
    

    last byte of both SMSG packets is 0x8D. I don't see any problems here...

  2. The XOR byte is the first byte of the seed used for initializing the client RC4 encryption.

    This seed is stored at module+4. The SHA1 of this seed is sent in the 0x04 packet.

           // This seed is used by the warden module for RC4 initialization (client - one pass, server - 2 passes)
           public byte[] ReadRC4Seed
           {
               get
               {
                   var seed = new byte[16];
                   unsafe
                   {
                       Marshal.Copy(new IntPtr((int)ppWFuncList + 4), seed, 0, seed.Length);
                   }
                   return seed;
               }
           }
    

  3. Thank you :o I'll have a look.

    Edit: Omg, thanks for all your help. But I had it all correct except for one part. The pointer to the data passed into the packet handler was messed up. I'm using VB.net so pointers and stuff are really tricky :P

    Nice that you got it fixed :)

  4. So the module handles the 0x04 packet as well? Doesn't seem to work for me though :/

    No. The 0x04 packet is handled by my sniffer.

    There's the full source code that deals with warden: http://paste2.org/p/502204

    I forgot Arc4 class:

    using System;
    using System.Collections.Generic;
    
    namespace Wlp
    {
       public class Arc4
       {
           private readonly byte[] state;
           private byte x, y;
    
           public byte[] RC4Data
           {
               get
               {
                   // 0x102 bytes: the 256-byte state, then x at 0x100 and y at 0x101 (same layout the setter reads)
                   var data = new byte[0x102];
                   state.CopyTo(data, 0);
                   data[0x100] = x;
                   data[0x101] = y;
                   return data;
               }
               set
               {
                   Array.Copy(value, state, 0x100);
                   x = value[0x100];
                   y = value[0x101];
               }
           }
    
           public Arc4(byte[] key)
           {
               state = new byte[256];
               x = y = 0;
               KeySetup(key);
           }
    
           public int Process(byte[] buffer, int start, int count)
           {
               return InternalTransformBlock(buffer, start, count, buffer, start);
           }
    
           public int Process(List<byte> buffer, int start, int count)
           {
               return InternalTransformBlock(buffer, start, count, buffer, start);
           }
    
           private void KeySetup(byte[] key)
           {
               byte index1 = 0;
               byte index2 = 0;
    
               for (var counter = 0; counter < 256; counter++)
               {
                   state[counter] = (byte)counter;
               }
               x = 0;
               y = 0;
               for (var counter = 0; counter < 256; counter++)
               {
                   index2 = (byte)(key[index1] + state[counter] + index2);
                   // swap byte
                   var tmp = state[counter];
                   state[counter] = state[index2];
                   state[index2] = tmp;
                   index1 = (byte)((index1 + 1) % key.Length);
               }
           }
    
           private int InternalTransformBlock(byte[] inputBuffer, int inputOffset, int inputCount, byte[] outputBuffer, int outputOffset)
           {
               for (var counter = 0; counter < inputCount; counter++)
               {
                   x = (byte)(x + 1);
                   y = (byte)(state[x] + y);
                   // swap byte
                   var tmp = state[x];
                   state[x] = state[y];
                   state[y] = tmp;
    
                   var xorIndex = (byte)(state[x] + state[y]);
                   outputBuffer[outputOffset + counter] = (byte)(inputBuffer[inputOffset + counter] ^ state[xorIndex]);
               }
               return inputCount;
           }
    
           private int InternalTransformBlock(List<byte> inputBuffer, int inputOffset, int inputCount, List<byte> outputBuffer, int outputOffset)
           {
               for (var counter = 0; counter < inputCount; counter++)
               {
                   x = (byte)(x + 1);
                   y = (byte)(state[x] + y);
                   // swap byte
                   var tmp = state[x];
                   state[x] = state[y];
                   state[y] = tmp;
    
                   var xorIndex = (byte)(state[x] + state[y]);
                   outputBuffer[outputOffset + counter] = (byte)(inputBuffer[inputOffset + counter] ^ state[xorIndex]);
               }
               return inputCount;
           }
       }
    }
    
    

  5. That's how I'm doing that:

    s_wardenLoader.LoadWarden(s_currentModule.Data); // load

    s_wardenLoader.GenerateRC4Keys(WardenCrypt.s_sessionKey); // init with session key, may be not required

    then the module calls its GetRC4Data function callback:

           private unsafe int GetRC4Data(void* buffer, int* length)
           {
               var pBuffer = new IntPtr(buffer);
               Logger.Add("        GetRC4Data(0x{0:X8}, 0x{1:X8})", pBuffer.ToInt32(), *length);
    
               for (var i = 0; i < *length; ++i) // clear all keys
                   ((byte*)buffer)[i] = 0;
    
               return 1; // this is important!!!
           }
    

    s_wardenLoader.PacketHandler(packet.m_data, out handled); // handle 0x05 packet

    WardenCrypt.ServerRC4Data = s_wardenLoader.ReadRC4Data; // get server keys in 0x05 packet handler

    WardenCrypt.ClientRC4Data = s_wardenLoader.ReadRC4Data; // get client keys in 0x04 packet handler

    ppWFuncList is shit returned by Warden Init function

           public byte[] ReadRC4Data
           {
               get
               {
                   var data = new byte[0x204];
                   unsafe
                   {
                       Marshal.Copy(new IntPtr((int)ppWFuncList + 32), data, 0, data.Length);
                   }
                   return data;
               }
           }
    

  6. I am collecting modules so that I can 1) track what's being used and when, 2) hopefully derive an algorithm that will determine what version, and what check IDs there are. So if you would be a dear and add the function into your packet logger to dump the modules/keys that would be awesome!

    The .mod file is the fully compressed, encrypted module

    The .key file is the 16 byte RC4 seed you get in 0x01.

    They are named with the MD5 of the module.

    I have that done. And I collected 56 modules so far.


  7. Have you figured out a way to calculate the new keys after the 0x05 packet instead of loading the module and let it do the dirty job?

    I do know that every module has a different MD5 function, but still, there has to be a pattern between them all. I've tried reversing the MD5 function of a module, but haven't gotten it to calculate either the new keys or the return hash correctly.

    Afaik the module first hashes the "seed" with its own md5 function, and then creates a new hash from that one with the same md5 function. Then it sha1 hashes the first one and that one is supposed to be the return hash. And it then takes the two md5 hashes generated in the beginning into RC4_Init and generates the new keys. Is this correct? :P

    Sounds correct. It looks something like that:

    byte seed[16];                                      // taken from 0x05 packet
    byte[] rc4_seed_client = ModuleSpecificHash(&seed); // hashes the seed in place; this value is then stored at module+4
    byte[] rc4_seed_server = ModuleSpecificHash(&seed); // second pass over the already hashed seed, so we have a double processed seed here
    clientRC4Crypt_Init(rc4_seed_client);
    serverRC4Crypt_Init(rc4_seed_server);
    byte[] seedHash = SHA1(rc4_seed_client);            // used in 0x04 packet
    

    Hex-Rays pseudocode:

    signed int __thiscall Handle_05_packet(Module *this, int data, int serverRC4ctx)
    {
     Module *module; // ebx@1
     signed int result; // eax@2
     unsigned int v5; // eax@3
     int v6; // edx@5
     int localData; // esi@1
     int  s; // [sp+CCh] [bp+0h]@1
     unsigned int v9; // [sp+C8h] [bp-4h]@1
     int v10; // [sp+28h] [bp-A4h]@1
     Seed *clientSeed; // [sp+18h] [bp-B4h]@1
     Seed *serverSeed; // [sp+8h] [bp-C4h]@3
     int v13; // [sp+Ch] [bp-C0h]@3
     int v14; // [sp+10h] [bp-BCh]@3
     int v15; // [sp+14h] [bp-B8h]@3
     char v16; // [sp+3Ch] [bp-90h]@5
     char clientSeedHash; // [sp+9Ch] [bp-30h]@5
     int v18; // [sp+34h] [bp-98h]@5
     int a3; // [sp+B0h] [bp-1Ch]@5
     int *buffer; // [sp+2Ch] [bp-A0h]@5
     signed int size; // [sp+30h] [bp-9Ch]@5
     char opcode; // [sp+38h] [bp-94h]@5
    
     v9 = (unsigned int)& s ^ dword_409040;
     localData = data;
     v10 = serverRC4ctx;
     module = this;
     ReadInt32Blocks(data, (int)&clientSeed, 4);                   // 4*4=16 bytes
     if ( *(_DWORD *)(localData + 8) <= *(_DWORD *)(localData + 4) )
     {
       UnknownHashingFunc((Seed *)&clientSeed);
       serverSeed = clientSeed;
       v13 = clientSeed->b;
       v14 = clientSeed->c;
       v15 = clientSeed->d;
       UnknownHashingFunc((Seed *)&serverSeed);
       v5 = 0;
       do
         v5 += 4;
       while ( v5 < 16 );
       module->seed[0] = (int)clientSeed;                          // store client seed at module+4
       module->seed[1] = clientSeed->b;
       module->seed[2] = clientSeed->c;
       module->seed[3] = clientSeed->d;
       Sha1Init((int)&v16);
       Sha1Update((int)&v16, (int)&clientSeed, 16);
       Sha1Final((int)&v16, (int)&clientSeedHash);
       v18 = 0;
       buffer = &a3;
       size = 21;
       opcode = 4;
       InitPacket((int)&buffer, (int)&opcode);
       PutBytes((int)&buffer, (int)&clientSeedHash);
       if ( v18 <= (unsigned int)size )
         SendPacket((int)module, v6, (int)&a3);
       RC4Init((int)module->out_key, (int)&clientSeed, 16);        // module+32
       RC4Init(v10, (int)&serverSeed, 16);
       result = 1;
     }
     else
     {
       result = 3;
     }
     return result;
    }
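The key setup from posts 2 and 7 together with the 0x02 request layout from post 1, as an added Python example (not TOM_RUS's sniffer and not the module's code). It assumes the per-module hash is unavailable (a clearly labelled md5 stand-in is used in its place) and that the 0x02 request ends with a 0x00 marker xored with the xor byte, consistent with the 0x8D trailers observed above; the seed, 0x04 hash and packet bytes are copied from the sniff in post 1.

```python
"""Added example, not TOM_RUS's sniffer: the 0x05 -> 0x04 key setup and the
0x02 request layout described in this thread. The per-module hash is unknown
here, so it is a parameter; standin_hash (md5) only makes the code runnable."""
import hashlib
from typing import Callable, List, Tuple


class RC4:
    """Plain RC4 with the same S-box/x/y state layout as the Arc4 class above."""
    def __init__(self, key: bytes) -> None:
        s, j = list(range(256)), 0
        for i in range(256):
            j = (j + s[i] + key[i % len(key)]) & 0xFF
            s[i], s[j] = s[j], s[i]
        self.s, self.x, self.y = s, 0, 0

    def process(self, data: bytes) -> bytes:
        out = bytearray()
        for b in data:
            self.x = (self.x + 1) & 0xFF
            self.y = (self.y + self.s[self.x]) & 0xFF
            self.s[self.x], self.s[self.y] = self.s[self.y], self.s[self.x]
            out.append(b ^ self.s[(self.s[self.x] + self.s[self.y]) & 0xFF])
        return bytes(out)

    def state_blob(self) -> bytes:
        # 0x102 bytes: 256-byte S-box, then x at index 0x100 and y at 0x101
        return bytes(self.s) + bytes([self.x, self.y])


def standin_hash(data: bytes) -> bytes:
    """Placeholder for the module's own 16-byte hash; NOT the real function."""
    return hashlib.md5(data).digest()


def derive_warden_keys(seed: bytes, module_hash: Callable[[bytes], bytes]) -> dict:
    """Mirror Handle_05_packet: hash the seed once for the client key (kept at
    module+4) and again for the server key; SHA1 of the client key is the 0x04
    reply, and its first byte is the xor byte applied to check IDs."""
    client_seed = module_hash(seed)
    server_seed = module_hash(client_seed)
    return {"client_seed": client_seed, "server_seed": server_seed,
            "reply_hash": hashlib.sha1(client_seed).digest(),
            "xor_byte": client_seed[0],
            "client_rc4": RC4(client_seed), "server_rc4": RC4(server_seed)}


def parse_check_request(packet: bytes, xor_byte: int) -> Tuple[List[str], bytes]:
    """Split a decrypted 0x02 request into its string table and the xored
    check bytes after it (check IDs differ per module, so they stay raw).
    Assumption: the request ends in 0x00 ^ xor_byte, which is why both 0x02
    packets in the log above end in 0x8D."""
    if not packet or packet[0] != 0x02:
        raise ValueError("not a Warden 0x02 request")
    strings, pos = [], 1
    while packet[pos] != 0:
        n = packet[pos]
        strings.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    pos += 1  # skip the 0x00 closing the string table
    if packet[-1] != xor_byte:
        raise ValueError("trailer 0x%02X is not xor byte 0x%02X" % (packet[-1], xor_byte))
    return strings, packet[pos:-1]


# Copied from the sniff in post 1: client RC4 seed, 0x04 hash, first 0x02 packet.
CLIENT_SEED = bytes.fromhex("8D1BDA8E0D82E600DD3CDA0F48CFB3D7")
REPLY_HASH = bytes.fromhex("38FDC97E90926A44A4A3F7BC44495A8E8818DC52")
CHECK_REQUEST = bytes.fromhex(
    "022A776F726C645C6D6170735C737472" "6174686F6C6D655C7374726174686F6C"
    "6D655F33385F32352E616474001A1501" "BE0087B647000872635349BAE9AA5BA5"
    "36FC7E8C668B5BF6631674A4A018FCBA" "6932000024BF051B954328C9D94D44F6"
    "90E46B3C6F02843075EAB7E49D76924E" "03001772E5CF81C4095279A7197280D6"
    "A6BEADE265CA8A35759D57398CA00000" "1872401FDFF13EB74CFBD42096BED684"
    "F35A8153D97D504EA7A40CA10000188D")


def reply_hash_matches_log() -> bool:
    # Tests the thread's claim that the 0x04 hash is SHA1 of the seed at module+4.
    return hashlib.sha1(CLIENT_SEED).digest() == REPLY_HASH
```

Calling reply_hash_matches_log() checks the thread's SHA1 claim against the logged values; the parser deliberately stops at the raw check bytes, since the check IDs have to be found per module as described later in the thread.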
    
    

  8. Fairly easy, just change your hard coded values :P

    As I said there's no more hardcoded values, I added interactive debugging.

    I'm fairly sure it'd be simple, haven't looked at a module in IDA for a while but if they use a switch() then it's just a jump table.

    In some modules it's a switch, and in some it's not.

    Anyways, I'd also like to figure out exactly what opcode 0x03 does.

    Initializes file reading functions (open/getsize/read/close). May be something more... http://paste2.org/p/473332

  9. Oh, you're manually parsing check IDs. Ouch. But it looks sexy.

    I just added interactive debugging to warden parser, so you don't have to recompile it anymore.

    Just a suggestion, I'd say do ID checks vs the post xored value. Just in case they ever bother to change it during a single connection. So that you can parse multiple connections using the same module, because they choose seemingly random xor byte during each connection.

    I just realized that xor byte changes each session. Let's see what I can do...

    But this is cool, how exactly are you determining what each check does? Just guessing, watching the module run, or do you have the modules loaded up in IDA?

    Ralek did some reversing using IDA.

    Any way I could get you to upload the binary packet logs? At least the Warden packets. I'd like to do some work with the modules you are working with. (yes i *could* parse your text logs but... :*( )

    Can't separate warden packets from rest of packets right now (because I'm lazy).

  10. ok so I guess the:

     
    ((MangosSendPacket)ctx->sendpacket)(ctx->session, pdata, size);
    

    should be replaced by

               WorldPacket data(SMSG_WARDEN_DATA, size);
               data.append(pdata, size);
               ctx->session->SendPacket(&data);
    

    Maybe this way? :P

  11. Is your Packet Logger Open source?

    I'd like to see it, see what you've done.

    I am really interested in seeing how you split up the requests and extract the proper check IDs.

    No, it's not open source.

    To parse checks I manually find them first, add them to the parser and then parse the log.

    P.S. Two more parsed sniffs http://paste2.org/p/474078, http://paste2.org/p/474089

    Parser is here http://code.google.com/p/mywowtools/source/browse/trunk/WoWPacketViewer/WoWPacketViewer/Parsers/WardenParser.cs?spec=svn137&r=137#, nothing interesting really.

  12. Very nice, it's been confirmed, as I always suspected. The initial field in 0x02 is not libraries, it's just strings.

    So you got a C# version of module prepping/loading/running done?

    That's rather interesting, I haven't dealt much with C#, but others that I know that have are always bitching about how difficult it is to run unmanaged code from it.

    I'd be interested in seeing how you've done it.

    Also, Do you know ASM? I still want to have someone figure out the other opcodes, (and preferably a more reliable way to determine them u.u)

    It's not fully in C#. I wrote a C++ DLL that deals with warden modules and then I just get pointers to the RC4 keys and read them (pinvoke)...

    Edit: I have ported my C++ code to C# completely.

    Small research on warden packets: http://paste2.org/p/471651

    And whole session with this module: http://paste2.org/p/471660

    And some parsed output: http://paste2.org/p/472958

  13. Anyone know what to send to get correct naming of the mirror images? i.e. the name of the player and not "mirror image".

    I don't think this works on trinity. From videos floating around it looks like an aura.

    There's special opcode doing that probably. SMSG_MIRRORIMAGE_DATA or something.
