Looking for warden modules from 1.12.1 menu

User Tag List

Results 1 to 13 of 13
  1. #1
    namreeb's Avatar Legendary

    Reputation
    633
    Join Date
    Sep 2008
    Posts
    1,017
    Thanks G/R
    7/206
    Trade Feedback
    0 (0%)
    Mentioned
    4 Post(s)
    Tagged
    0 Thread(s)

    Looking for warden modules from 1.12.1

    I'm looking for locally cached warden modules from 1.12.1. Anyone know where I might get these?

    These ads disappear when you log in.

  2. #2
    Jadd's Avatar 🐸 Premium Seller
    Reputation
    1501
    Join Date
    May 2008
    Posts
    2,430
    Thanks G/R
    80/323
    Trade Feedback
    1 (100%)
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    PM TOM_RUS. I'm not sure if he deals with warden at all though.

  3. #3
    namreeb's Avatar Legendary

    Reputation
    633
    Join Date
    Sep 2008
    Posts
    1,017
    Thanks G/R
    7/206
    Trade Feedback
    0 (0%)
    Mentioned
    4 Post(s)
    Tagged
    0 Thread(s)
    I've already asked him. He doesn't have them, although he pointed out that they might be the same as more recent versions.

  4. #4
    BoogieManTM's Avatar Active Member
    Reputation
    52
    Join Date
    May 2008
    Posts
    193
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    They're not exactly the same. They were slightly more primitive back then. They employed basically the same techniques for detection (with a few methods being added over the years), but now they have better crypto systems. An encryption key scrambler post-initialization, for example. I may have some old research docs that explained them better and possibly even some modules - catch me on MSN.

  5. #5
    ~Unknown~'s Avatar Contributor
    Reputation
    193
    Join Date
    Jan 2009
    Posts
    211
    Thanks G/R
    0/5
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by BoogieManTM View Post
    They're not exactly the same. They were slightly more primitive back then. They employed basically the same techniques for detection (with a few methods being added over the years), but now they have better crypto systems. An encryption key scrambler post-initialization, for example. I may have some old research docs that explained them better and possibly even some modules - catch me on MSN.
    a wild BoogieMan appears!

  6. #6
    Ramono's Avatar Member
    Reputation
    9
    Join Date
    Jun 2008
    Posts
    41
    Thanks G/R
    1/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I havent done anything with 1.21.1 but i'm sending the sniffed 3.3.5a module to my 2.4.3 clients and it works propperly, have you tested this for 1.21.1?
    Last edited by Ramono; 05-01-2012 at 09:05 AM.

  7. #7
    BoogieManTM's Avatar Active Member
    Reputation
    52
    Join Date
    May 2008
    Posts
    193
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by Ramono View Post
    I havent done anything with 1.21.1 but i'm sending the sniffed 3.3.5a module to my 2.4.3 clients and it works propperly, have you tested this for 1.21.1?
    That is definitely an option if he has any 1.12.1 packet dumps. otherwise what's to sniff?

  8. #8
    namreeb's Avatar Legendary

    Reputation
    633
    Join Date
    Sep 2008
    Posts
    1,017
    Thanks G/R
    7/206
    Trade Feedback
    0 (0%)
    Mentioned
    4 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by BoogieManTM View Post
    That is definitely an option if he has any 1.12.1 packet dumps. otherwise what's to sniff?
    I'm confused, why would I need a packet dump from 1.12.1? I think he's suggesting using a module from a later version of WoW and sending it to the 1.12.1 clients. This would require a packet dump of the source client when it was sent.

    Originally Posted by Ramono View Post
    I havent done anything with 1.21.1 but i'm sending the sniffed 3.3.5a module to my 2.4.3 clients and it works propperly, have you tested this for 1.21.1?
    I am in the process of testing that. Did you have to change anything on the server side for the client to accept the module? There is so much encryption and decryption going on that I am getting really confused. It *seems* like the only encryption going on here (edit: I mean in terms of sending the module) is with the keys the client and server both generate on their own from the K value of the initial auth handshake. Is that correct?
    Last edited by namreeb; 05-01-2012 at 04:19 PM.

  9. #9
    BoogieManTM's Avatar Active Member
    Reputation
    52
    Join Date
    May 2008
    Posts
    193
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by namreeb View Post
    I'm confused, why would I need a packet dump from 1.12.1? I think he's suggesting using a module from a later version of WoW and sending it to the 1.12.1 clients. This would require a packet dump of the source client when it was sent.



    I am in the process of testing that. Did you have to change anything on the server side for the client to accept the module? There is so much encryption and decryption going on that I am getting really confused. It *seems* like the only encryption going on here (edit: I mean in terms of sending the module) is with the keys the client and server both generate on their own from the K value of the initial auth handshake. Is that correct?


    Ah, right. I don't think it's going to work that far back though. 2.x is when Warden was upgraded.

    But what I was implying was that if you have a full 1.12.1 retail packet dump and you know the K value of that dump then you can reconstruct the warden module that was sent over the wire (if one was sent over the wire)

  10. #10
    namreeb's Avatar Legendary

    Reputation
    633
    Join Date
    Sep 2008
    Posts
    1,017
    Thanks G/R
    7/206
    Trade Feedback
    0 (0%)
    Mentioned
    4 Post(s)
    Tagged
    0 Thread(s)
    My main problem at the moment is that, according to TOM_RUS's warden code, there should be five server->client "warden opcodes" available. The 1.12.1 client as I see it seems to only be aware of three. Opcode 0 to query the presence of a module, Opcode 1 to send a module, and Opcode 2 to execute a module. I assume their intended functions based on the names TOM_RUS has assigned them in his code:

    Code:
        WARDEN_SMSG_MODULE_USE                      = 0,
        WARDEN_SMSG_MODULE_CACHE                    = 1,
        WARDEN_SMSG_CHEAT_CHECKS_REQUEST            = 2,
    I have verified that the function of the opcode 0 and opcode 1 are consistent with the function implied by their names. However, when I look at the handler for opcode 2 (aka "WARDEN_SMSG_CHEAT_CHECKS_REQUEST"), it does not look like it is executing the module to me. This is what I have for that handler:

    Code:
    signed int __thiscall WardenPacket__Handle_WARDEN_SMSG_CHEAT_CHECKS_REQUEST(Warden *this, WardenPacket *packet)
    {
      WardenPacket *packet2; // [email protected]
      Warden *warden; // [email protected]
      signed int v5; // [sp-4h] [bp-150h]@4
      char str; // [sp+8h] [bp-144h]@3
      unsigned __int8 buff[40]; // [sp+108h] [bp-44h]@5
      int hash[7]; // [sp+130h] [bp-1Ch]@5
      int v9[5]; // [sp+190h] [bp+44h]@5
      char v10; // [sp+1A4h] [bp+58h]@5
      WardenPacket replyPacket; // [sp+1B4h] [bp+68h]@5
    
      packet2 = packet;
      warden = this;
      if ( WardenPacket__PeekByte(packet, &packet) && packet2->Length - packet2->BufferPosition >= packet )
      {                                             // at this point, packet now holds an int32 value of the length of an incoming string
        WardenPacket__ReadString(packet2, &str, 0xFFu);
        if ( packet2->BufferPosition <= packet2->Length )
        {
          replyPacket.BufferPosition = 0;
          replyPacket.Data = buff;
          replyPacket.Length = 37;
          HMACSHA1__Init(hash);
          HMACSHA1__HashString(hash, &str);
          HMACSHA1__Output(hash, v9);
          MD5__Init(&hash[2]);
          MD5__HashString(&hash[2], &str);
          MD5__Output(&hash[2], &v10);
          BYTE3(packet->Data) = 2;
          WardenPacket__Write8(&replyPacket, (&packet->Data + 3));
          WardenPacket__WriteBytes(v9, &replyPacket, 20u);
          WardenPacket__WriteBytes(&v10, &replyPacket, 16u);
          WardenPacket__SendResponse(warden, buff, replyPacket.BufferPosition);
          return Continue;
        }
        v5 = PacketReadOverflow;
      }
      else
      {
        v5 = PacketTooShort;
      }
      return v5;
    This doesn't seem to execute any module, but rather to simply report back the HMACSHA1 and MD5 hashes of the data which is sent. That seems rather pointless to me, so I assume I am making a mistake somewhere -- but I don't see where. Also, if this function indeed does not execute the loaded module, how does that happen? Is perhaps the Warden VMT altered after a module is loaded, and I have missed that?

  11. #11
    TOM_RUS's Avatar Legendary
    Reputation
    914
    Join Date
    May 2008
    Posts
    699
    Thanks G/R
    0/52
    Trade Feedback
    0 (0%)
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    That looks very similar to what warden on MAC does.
    Last edited by TOM_RUS; 05-01-2012 at 06:11 PM.

  12. #12
    namreeb's Avatar Legendary

    Reputation
    633
    Join Date
    Sep 2008
    Posts
    1,017
    Thanks G/R
    7/206
    Trade Feedback
    0 (0%)
    Mentioned
    4 Post(s)
    Tagged
    0 Thread(s)
    Update: The 79C0768D657977D697E10BAD956CCED1 module does appear to be working on 1.12.1.

    Update 2: The reason the table of warden server->client opcodes had functions only in the 0, 1 and 2 positions is that at the point of that dump, it was only the Maiev module which was loaded. I repeated the dump after the actual warden module was loaded and found the additional handlers I expected to see. This also explains its similarity to the warden client on a Mac. According to Boogieman, it uses only the Maiev module.
    Last edited by namreeb; 05-01-2012 at 06:50 PM.

  13. #13
    MaiN's Avatar Elite User
    Reputation
    335
    Join Date
    Sep 2006
    Posts
    1,047
    Thanks G/R
    0/10
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by namreeb View Post
    I'm confused, why would I need a packet dump from 1.12.1? I think he's suggesting using a module from a later version of WoW and sending it to the 1.12.1 clients. This would require a packet dump of the source client when it was sent.



    I am in the process of testing that. Did you have to change anything on the server side for the client to accept the module? There is so much encryption and decryption going on that I am getting really confused. It *seems* like the only encryption going on here (edit: I mean in terms of sending the module) is with the keys the client and server both generate on their own from the K value of the initial auth handshake. Is that correct?
    I seem to remember that, if you're lazy, you don't have to employ all of the encryption. Just the RC4 with the key you get at auth is required if you don't send packet 5. This also skips the key scrambling method (even if this is only in the newer Warden).
    [16:15:41] Cypher: caus the CPU is a dick
    [16:16:07] kynox: CPU is mad
    [16:16:15] Cypher: CPU is all like
    [16:16:16] Cypher: whatever, i do what i want

Similar Threads

  1. [Buying] Looking for Legend Boost from Rank 3 5*
    By Maik Thon in forum Hearthstone Buy Sell Trade
    Replies: 1
    Last Post: 08-27-2014, 10:24 AM
  2. Looking for one server from "old time"
    By Loonbg in forum World of Warcraft Emulator Servers
    Replies: 4
    Last Post: 05-23-2014, 01:45 AM
  3. [Trading] Looking for gold transfer from Stormscale EU
    By vianko in forum World of Warcraft Buy Sell Trade
    Replies: 0
    Last Post: 12-14-2013, 02:57 AM
  4. [Buying] WTB SPECTRAL TIGER!!! LOOKING FOR CHEAP OFFERS! FROM OLD DUPES ETC.. Add My Skype...
    By jackdamsell in forum World of Warcraft Buy Sell Trade
    Replies: 0
    Last Post: 12-12-2012, 02:38 PM
  5. Bookrags - Looking for a page from it
    By Rectal Exambot in forum Community Chat
    Replies: 0
    Last Post: 04-04-2009, 03:33 AM
All times are GMT -5. The time now is 07:43 AM. Powered by vBulletin® Version 4.2.3
Copyright © 2023 vBulletin Solutions, Inc. All rights reserved. User Alert System provided by Advanced User Tagging (Pro) - vBulletin Mods & Addons Copyright © 2023 DragonByte Technologies Ltd.
Digital Point modules: Sphinx-based search