Miscellaneous useful 'nippits

From SkullSecurity
Jump to: navigation, search

I'm not sure what's going to end up here, but I'll know it when I see it. Be prepared!

Overview

This is a quick and dirty overview of the whole process:

  • User connects to Battle.net
  • Built-in Warden module ("Maiev") is loaded from memory
  • Module is initialized (keys are generated, etc.)
  • User logs in
  • Battle.net sends 0x00 ("Do you have this module?")
    • User responds with 0x00 0r 0x01
      • If 0x01 is sent, skip to receiving 0x02
    • Battle.net sends the new module, in a series of 0x01 packets
    • "Maiev" decrypts, verifies, and prepares the new module
    • Once module has been verified and prepared, client sends back 0x01
  • After each Warden packet, Battle.snp checks if a new module is prepared
    • Once complete, the module is swapped out
  • Battle.net sends 0x02
    • New module responds to 0x02 (somehow.. haven't done this yet)

WinDBG Packet Dumper

This little pair of WinDGB commands will set a breakpoint within the built-in module to decrypt and display Warden's initial packets:

e SetThreadContext 0xc2 0x08 0x00
ba e1 19018461 "bd *; ba e1 eax+0x248b \".echo Sent SID_WARDEN Data:; d poi(esp+4) poi(esp+4)+poi(esp+8)-1; g\"; ba e1 eax+0x2730 \".echo Received SID_WARDEN Data:; d eax eax+esi-1; g\"; g"