unix (Members)

Posts: 8
  1. Hehe, okay. I think my other module was broken or something. I switched to a new one and it worked. Thanks yet again for your help.
  2. Somehow that is not correct for me. I get this:

         [09:00:29] ServerSeed: 4E 00 23 34 3D 83 3B 45 DE 29 7E 9F 42 8C FD 54
         [09:00:29] ClientSeed: 22 6A 39 A4 D8 43 78 DF 82 BF 86 1C A6 21 15 22
         [09:00:29] Real xorByte: FB
         [09:00:29] XorByte: 22
         [09:05:02] ServerSeed: C4 27 68 DE CE 8F 76 02 CE D8 3D 5D 58 00 13 13
         [09:05:02] ClientSeed: 2E BC 64 C7 0C 52 BA 99 7C 94 38 C1 50 B2 03 31
         [09:05:02] Real xorByte: 7F
         [09:05:02] XorByte: 2E

     These are based on two of your logs. And I know the client seed is correct, because I tried hashing it with SHA1 and I got the hash sent with 0x04.

     Edit: What do you mean by this: (client - one pass, server - 2 passes)?

     Edit 2: Ignore the second attempt. I realized I used the wrong module for it. But the first one should be 0xFB, yet I got 0x22 for the first byte in the client seed.
  3. Yeah, actually there seems to be one thing left. Do you know how the xor byte in the 0x02 packet is calculated? Because it seems like it's linked to the seed somehow.
  4. Thank you, I'll have a look.

     Edit: Omg, thanks for all your help. But I had it all correct except for one part: the pointer to the data passed into the packet handler was messed up. I'm using VB.NET, so pointers and stuff are really tricky.
  5. So the module handles the 0x04 packet as well? It doesn't seem to work for me though. These are my results:

         [02:13:30] [127.0.0.1:2307] CMSG_WARDEN_DATA [MAIEV_RESPONSE_HASH]
         [02:13:30] [127.0.0.1:2307] DEBUG: Packet Dump - Length=21
         | 04 68 B3 66 7C 9C F3 0E D1 F3 00 59 73 2D DB 49 | ♦h?f|??♫?? Ys-?I |
         | 05 74 55 24 A3 | ♣tU$? |
         [02:13:30] Hash1: 0x68B3667C9CF30ED1F30059732DDB4905745524A3
         [02:13:30] [WARDEN] m_ModMem = 0x1D1884 k = 0x5004764 k_len = 40!
         Warden.GetRC4Data() Buffer=1906852, Size=520
         [02:13:30] [127.0.0.1:2307] DEBUG: Packet Dump - Length=17
         | 05 4E 00 23 34 3D 83 3B 45 DE 29 7E 9F 42 8C FD | ♣N #4=?;E?)~?B?? |
         | 54 | T |
         Warden.SendPacket() ptrPacket=113506188, size=21
         [02:13:30] [127.0.0.1:2307] DEBUG: Packet Dump - Length=21
         | 04 B2 DE A0 95 A9 C8 BB F6 45 68 8B 51 D6 CF 75 | ♦????????Eh?Q??u |
         | BE F5 E3 A0 BA | ????? |
         [02:13:30] Hash2: 0xB2DEA095A9C8BBF645688B51D6CF75BEF5E3A0BA

     As you can see, Hash2 (server calculated) differs from Hash1 (client calculated), and therefore the keys are also invalid. But I've finally got the hash to be static. This is how I do it:

         GenerateRC4Keys(ModuleFuncTable, K, K.length);
         PacketHandler(ModuleFuncTable, PacketData, PacketData.length, BytesRead);

     And for the GetRC4Data callback, it's now the same as you posted. Thanks to that, the hash never changes, as it should. And there's no need to go into SendPacket, since it's just copying bytes. And btw, I no longer encrypt the data that is sent into the packet handler or decrypt the return packet, since it looks like you didn't do that. Do I need to do something more to the hash I just returned? And what is this 0x04 packet handler you're talking about? Is it the return packet from 0x05?

     Edit: No success with the keys from the public byte[] ReadRC4Data function.
  6. I don't seem to be able to generate the same hash and keys as the client. I'm currently calling the PacketHandler function with the opcode (0x05) + the seed (0x10 bytes), and that seems to be the correct way to do it, since if I try any other structure I won't get any packet in return. The thing is that the hash keeps changing, while it really shouldn't. I'm using the same seed at all times, and the client always responds with the same hash. So I'm really confused. Do I have to do something else? From other Warden sources out there I've noticed some call GenerateRC4Keys, but I don't really see how that would help, since the hash should never change. I don't really see the point of it at all, since it's going to get new keys with the 0x05 packet response anyway. What am I missing?
  7. Thank you, it was as I thought. Just have to work on the module-specific hash then.
  8. Have you figured out a way to calculate the new keys after the 0x05 packet, instead of loading the module and letting it do the dirty job? I do know that every module has a different MD5 function, but still, there has to be a pattern between them all. I've tried reversing the MD5 function of a module, but haven't gotten it to calculate either the new keys or the return hash correctly. Afaik the module first hashes the "seed" with its own MD5 function, and then creates a new hash from that one with the same MD5 function. Then it SHA1-hashes the first one, and that one is supposed to be the return hash. And it then takes the two MD5 hashes generated in the beginning into RC4_Init and generates the new keys. Is this correct?
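The following is an added example and not code from this thread, from the poster, or from any Warden module or server project. It does three things the posts above reason about: it frames the 0x05 seed packet (opcode + 16-byte seed, as post 6 describes) and parses the 0x04 reply (opcode + 20-byte hash, as the dumps in post 5 show), it implements stateful RC4 so you can see what RC4_Init and a continuing keystream look like, and it sketches the derivation that post 8 proposes as a hypothesis (hash the seed, hash that again, SHA1 the first hash for the reply, key RC4 from the two hashes). Standard MD5 stands in for the module's own hash function, so the derived values will not match a real module; `module_hash` is the hook where a reversed module hash would plug in. Which of the two derived keys belongs to which direction is not stated in the thread, so they are returned neutrally as `key_a`/`key_b`. The embedded seed and reply bytes are copied from the packet dumps in post 5; the RC4 test values in the usage check are the standard published RC4 test vectors.

```python
"""Added example (not the thread's code): Warden-style seed/hash framing, stateful
RC4, and the key derivation that post 8 proposes as a hypothesis (unverified)."""
import hashlib
from typing import Callable, Dict

# Bytes copied from the packet dumps in post 5 (constructed test input for this example).
SEED_PACKET_FROM_POST = bytes.fromhex("05 4E 00 23 34 3D 83 3B 45 DE 29 7E 9F 42 8C FD 54")
HASH_PACKET_FROM_POST = bytes.fromhex(
    "04 68 B3 66 7C 9C F3 0E D1 F3 00 59 73 2D DB 49 05 74 55 24 A3")

SEED_OPCODE, HASH_OPCODE = 0x05, 0x04
SEED_LEN, SHA1_LEN = 16, 20


class RC4:
    """Stateful RC4: i, j and S persist between calls, so consecutive packets
    continue one keystream instead of restarting it from the key."""

    def __init__(self, key: bytes) -> None:
        if not key:
            raise ValueError("empty RC4 key")
        S = list(range(256))
        j = 0
        for i in range(256):                       # key scheduling (what RC4_Init does)
            j = (j + S[i] + key[i % len(key)]) & 0xFF
            S[i], S[j] = S[j], S[i]
        self.S, self.i, self.j = S, 0, 0

    def crypt(self, data: bytes) -> bytes:
        """Encrypt or decrypt (same operation); advances the keystream."""
        S, i, j = self.S, self.i, self.j
        out = bytearray()
        for b in data:                             # PRGA: one keystream byte per input byte
            i = (i + 1) & 0xFF
            j = (j + S[i]) & 0xFF
            S[i], S[j] = S[j], S[i]
            out.append(b ^ S[(S[i] + S[j]) & 0xFF])
        self.i, self.j = i, j
        return bytes(out)


def build_seed_packet(seed: bytes) -> bytes:
    """0x05 + 16-byte seed, the structure post 6 says the packet handler accepts."""
    if len(seed) != SEED_LEN:
        raise ValueError(f"seed must be {SEED_LEN} bytes, got {len(seed)}")
    return bytes([SEED_OPCODE]) + seed


def parse_hash_response(packet: bytes) -> bytes:
    """0x04 + 20-byte hash (Length=21 in the post 5 dumps); returns the hash."""
    if len(packet) != 1 + SHA1_LEN or packet[0] != HASH_OPCODE:
        raise ValueError(f"expected 0x04 + {SHA1_LEN}-byte hash, got {packet.hex()}")
    return packet[1:]


def md5_digest(data: bytes) -> bytes:
    """Stand-in for the module-specific hash (assumption: a real module's differs)."""
    return hashlib.md5(data).digest()


def derive_module_state(seed: bytes,
                        module_hash: Callable[[bytes], bytes] = md5_digest) -> Dict[str, object]:
    """Post 8's hypothesised flow: h1 = H(seed), h2 = H(h1), reply = SHA1(h1),
    RC4 keyed from h1 and h2.  Direction assignment (key_a/key_b) is an assumption."""
    h1 = module_hash(seed)
    h2 = module_hash(h1)
    return {"key_a": h1, "key_b": h2,
            "return_hash": hashlib.sha1(h1).digest(),
            "rc4_a": RC4(h1), "rc4_b": RC4(h2)}


def return_hash_is_stable(seed: bytes, rounds: int = 3) -> bool:
    """What post 6 expects of any correct reimplementation: same seed, same hash, every time."""
    return len({derive_module_state(seed)["return_hash"] for _ in range(rounds)}) == 1


if __name__ == "__main__":
    seed = SEED_PACKET_FROM_POST[1:]
    state = derive_module_state(seed)
    print("0x05 packet     :", build_seed_packet(seed).hex())
    print("hash in post 5  :", parse_hash_response(HASH_PACKET_FROM_POST).hex())
    print("hypothesised    :", state["return_hash"].hex(), "(differs: stand-in MD5)")
    print("stable per seed :", return_hash_is_stable(seed))
    ct = state["rc4_a"].crypt(b"\x02constructed check request")
    print("rc4 round trip  :", RC4(state["key_a"]).crypt(ct))
```

Usage note: `RC4(b"Key").crypt(b"Plaintext").hex()` yields `bbf316e8d940af0ad3`, the published RC4 test vector, which is the first thing to check when a reimplemented key schedule disagrees with a module's output. Because the object keeps its stream position, decrypting a second packet with a freshly constructed `RC4(key)` produces garbage; that is the behaviour to keep in mind when comparing a packet handler that is called repeatedly with one that is re-keyed on every call.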