Transport Layer:Transmission Control Protocol (TCP)
Application Layer:Battle.net v1 TCP Messages (SID)
Message Id:0x5E
Message Name:SID_WARDEN
Direction:Server to Client
Used By:Starcraft Original, Starcraft Broodwar
Warcraft III Reign of Chaos, Warcraft III The Frozen Throne
Message Format:
(does not include protocol header)
(VOID) Encrypted Data

    (UINT8) ID

        0x00 - Warden Module Info
        (UINT32)[4] MD5 Hash of the current Module
        (UINT32)[4] Decryption key for Module
        (UINT32)    Length of Module

        0x01 - Warden Module Data
        (UINT16) Length of data (without 3-byte header)
        (VOID) Data

        0x02 - Data Checker
        (UINT8) String Length (Usually 0)
        (VOID) String Data
        (UINT8) Check ID

                (UINT8) String Index (Usually 0)
                (UINT32) Address
                (UINT8) Length to Read

                (UINT32) Unknown (Seed?)
                (UINT32)[5] SHA1
                (UINT32) Address
                (UINT8) Length to Read

        (UINT8) IDXor

        0x03 - Library Loader
        (UINT16) Length of data (without 7-byte header)
        (UINT32) Checksum of data (without 7-byte header)
        (UINT8) Unknown (0x01)
        (UINT8) Unknown (Usually 0x00)
        (UINT8) Unknown (Usually 0x01)
        (STRING) Library Name
        (UINT32) Funct1
        (UINT32) Funct2
        (UINT32) Funct3
        (UINT32) Funct4

        0x05 - Initialization
        (UINT32)[5] Unknown


This packet is received after successfully logging onto Battle.net and usually after receiving the first initial chat events. If the client does not respond to this packet, the client gets dropped two minutes later (give or take about 10 seconds).

The packet is encrypted via standard RC4 hashing, using one key for outbound data and another for inbound. Its purpose is to download and execute Warden modules. Full information on how to handle this packet may be found at the Rudimentary Warden information topic.

Documentation provided by iago and Ringo.

| Edited: Anonymous



0x00 - Warden Module
(QWORD) Name of current module (MD5 Hash)
a quadword??
Wow, i never knew md5 hashes could be 8 bytes.

should be:
(DWORD[4]) Name of current module
(DWORD[4]) Decryption seed


Alendar, thanks for tip. Brew, thanks for pointing out error. Confirmed by RealityRipple. Fixed. Thanks for heads up.