Reverse Engineering: Game hacking discussion and open source development.
#1
Apocalypse Creator/PC Guy
Gold Member, Blessed
Join Date: Jul 2004
Location: 127.0.0.1
Posts: 2,180
Code:
    190250CE |. 0FB7D8          MOVZX EBX,AX                        ; Length?
    190250D1 |. 8B45 08         MOV EAX,DWORD PTR SS:[EBP+8]
    190250D4 |. 50              PUSH EAX                            ; /Buffer?
    190250D5 |. 6A 5E           PUSH 5E                             ; |Arg1 = 0000005E
    190250D7 |. E8 14D00000     CALL battle.190320F0                ; \SendPacket

The function that it calls is the sendPacket function that SC seems to globally use for various other packets. This is where it does the sending.

Code:
    19032173 |. 6A 00           PUSH 0                              ; /Flags = 0
    19032175 |. 57              PUSH EDI                            ; |DataSize
    19032176 |. 56              PUSH ESI                            ; |Data
    19032177 |. 50              PUSH EAX                            ; |Socket => EE0
    19032178 |. FF15 78A30319   CALL DWORD PTR DS:[<&WSOCK32.#19>]  ; \send

Just a list of packets I picked up (it appears that they are always different):

Code:
    FF 5E 2B 00 5C 2B 03 3F 83 4D CF 12 67 BD 93 F7 EE 6C 73 6E 19 4B 67 20 B9 BE 4B 88 1B B8 60 4B BF 12 69 D0 F4 72 D7 75 B0 A5 08
    FF 5E 2B 00 15 81 2E 6F A7 1B AF 64 68 F9 73 E3 96 2C 78 A3 22 F2 4D F7 8B B2 1A 49 7C 8D 04 23 BB B9 11 AE 1D 5D CF 20 74 63 2F
    FF 5E 2B 00 4E C1 E7 C0 58 9D 56 E0 83 9F F3 2A 43 AF A3 93 F1 A2 B4 E9 F2 D1 7F 97 D7 9D FA E6 FE 4C BC 27 CC 4A 0F 1C F2 EB 6A

It seems that the eax parameter of the "phone-home" function contains some kind of buffer. I think it's for the checksum (has to be). The ebx register seems to hold the length of the data contained in the buffer.

#EDIT2: I think I found the function that does the actual checksumming.

Code:
    190253EF |. 51              PUSH ECX                            ; Push buffer
    190253F0 |. C745 08 000000> MOV DWORD PTR SS:[EBP+8],0
    190253F7 |. 8B40 0C         MOV EAX,DWORD PTR DS:[EAX+C]        ; a buffer?
    190253FA |. 8B10            MOV EDX,DWORD PTR DS:[EAX]          ; ptr to function that grabs checksum - 8h
    190253FC |. 57              PUSH EDI                            ; Length?
    190253FD |. 56              PUSH ESI                            ; Another buffer
    190253FE |. 8BC8            MOV ECX,EAX                         ; same as eax now
    19025400 |. FF52 08         CALL DWORD PTR DS:[EDX+8]           ; Checksum fxn

Code:
    edi == 24
    ecx: 10 bytes same
    94 00 AC 03 00 00 00 00 B0 3C 07 02 48 3D 07 02 64 BB 62 AE 77 BB 84 80
    94 00 AC 03 00 00 00 00 B0 3C 05 02 48 3D 05 02 00 00 00 00 00 00 00 00
    Len: 24

http://www.blizzthreat.com/forum/index.php?topic=41.0
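As an added example (not the poster's code), the framing that the three captured packets suggest can be checked mechanically: the assumption here is a 4-byte header of 0xFF marker, one-byte packet id (0x5E, matching the PUSH 5E before SendPacket) and a little-endian 16-bit total length that includes the header, which is consistent with 0x002B = 43 bytes per capture. The parser refuses malformed or truncated framing instead of resynchronising, which is the behaviour a capture-analysis or detection tool wants.

```python
import struct

# Constructed from the three packets listed in the post above, laid end to end as
# they would arrive on the socket (built inline here, not read from a capture file).
CAPTURE = bytes.fromhex(
    "FF 5E 2B 00 5C 2B 03 3F 83 4D CF 12 67 BD 93 F7 EE 6C 73 6E 19 4B 67 20"
    " B9 BE 4B 88 1B B8 60 4B BF 12 69 D0 F4 72 D7 75 B0 A5 08"
    " FF 5E 2B 00 15 81 2E 6F A7 1B AF 64 68 F9 73 E3 96 2C 78 A3 22 F2 4D F7"
    " 8B B2 1A 49 7C 8D 04 23 BB B9 11 AE 1D 5D CF 20 74 63 2F"
    " FF 5E 2B 00 4E C1 E7 C0 58 9D 56 E0 83 9F F3 2A 43 AF A3 93 F1 A2 B4 E9"
    " F2 D1 7F 97 D7 9D FA E6 FE 4C BC 27 CC 4A 0F 1C F2 EB 6A"
)

# Assumed header layout: 0xFF marker, packet id, little-endian 16-bit total length.
HEADER = struct.Struct("<BBH")


def split_packets(stream: bytes):
    """Split a stream into (packet_id, payload) pairs, raising on bad framing.

    The length field is taken to count the 4-byte header too, which is what the
    captures show: 0x002B = 43 bytes per packet, 39 of them payload.
    """
    packets = []
    offset = 0
    while offset < len(stream):
        if len(stream) - offset < HEADER.size:
            raise ValueError(f"truncated header at offset {offset}")
        marker, pkt_id, length = HEADER.unpack_from(stream, offset)
        if marker != 0xFF:
            raise ValueError(f"bad marker {marker:#04x} at offset {offset}")
        if length < HEADER.size:
            raise ValueError(f"length {length} cannot hold the header at offset {offset}")
        if offset + length > len(stream):
            raise ValueError(f"packet at offset {offset} claims {length} bytes, "
                             f"only {len(stream) - offset} remain")
        packets.append((pkt_id, stream[offset + HEADER.size:offset + length]))
        offset += length
    return packets


def is_well_framed(stream: bytes) -> bool:
    """True when the whole stream parses into complete, correctly framed packets."""
    try:
        split_packets(stream)
        return True
    except ValueError:
        return False


def summarize(stream: bytes):
    """Packet ids, payload lengths, and whether every payload differs (the
    'always different' observation from the post)."""
    packets = split_packets(stream)
    return {
        "ids": sorted({pid for pid, _ in packets}),
        "payload_lengths": [len(p) for _, p in packets],
        "all_payloads_distinct": len({p for _, p in packets}) == len(packets),
    }
```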
#6
Apocalypse Creator/PC Guy
Gold Member, Blessed
Join Date: Jul 2004
Location: 127.0.0.1
Posts: 2,180
It seems that SC runs the checksumming function outside of the main module (Starcraft.exe). It looked like a separate thread to me.
I'm talking about this little function:

Code:
    19025400 |. FF52 08         CALL DWORD PTR DS:[EDX+8]           ; Checksum fxn

I don't have WC3 or WoW, so I don't know.
#7

Advocate
Join Date: Jun 2006
Posts: 166
Typical Warden implementations use a dynamically created algorithm, or use some data provided by the server, as part of their checksumming routine. You may be interested in checking out the bncache file, and looking at the new mod file being used. Maybe you can relate the data in bncache and the weird function call somehow.
#8

Deviant
Join Date: Jul 2006
Posts: 72
Although I haven't really any ideas as to what goes on behind closed doors here, is there a reason why AgentGOD isn't on hacking staff?
I mean he's put out a TON of ****. I think I recall him being on it before, but what happened?
#12

Apocalypse Creator/PC Guy
Gold Member, Blessed
Join Date: Jul 2004
Location: 127.0.0.1
Posts: 2,180
From more research yesterday, I concluded that there is indeed an external module at work for Warden.
I've also located something else within Warden's dedicated DLL:

[image]

p00onu tested the "EnumProcessModule" to see if it was ever used, and the test came up negative. I think that it might be in a future Warden version. A module scan can be activated by Blizzard at any given moment, if they decide to send a packet to request it. It also looks like they were trying to implement an anti-debugger (from "IsDebuggerPresent").
#14

Apocalypse Creator/PC Guy
Gold Member, Blessed
Join Date: Jul 2004
Location: 127.0.0.1
Posts: 2,180
After looking deeper into it, it is indeed a separate thread. Probably all the functions were loaded into a buffer, and a new thread was created to access it.