S>C 0x5E SID_WARDEN
0x5E
SID_WARDEN
(does not include protocol header)
(VOID) Encrypted Data
(UINT8) ID
0x00 - Warden Module Info
(UINT32)[4] MD5 Hash of the current Module
(UINT32)[4] Decryption key for Module
(UINT32) Length of Module
0x01 - Warden Module Data
(UINT16) Length of data (without 3-byte header)
(VOID) Data
0x02 - Data Checker
(UINT8) String Length (Usually 0)
(VOID) String Data
(UINT8) Check ID
MEM_CHECK
(UINT8) String Index (Usually 0)
(UINT32) Address
(UINT8) Length to Read
PAGE_CHECK_A
(UINT32) Unknown (Seed?)
(UINT32)[5] SHA1
(UINT32) Address
(UINT8) Length to Read
(UINT8) IDXor
0x03 - Library Loader
(UINT16) Length of data (without 7-byte header)
(UINT32) Checksum of data (without 7-byte header)
(UINT8) Unknown (0x01)
(UINT8) Unknown (Usually 0x00)
(UINT8) Unknown (Usually 0x01)
(STRING) Library Name
(UINT32) Funct1
(UINT32) Funct2
(UINT32) Funct3
(UINT32) Funct4
0x05 - Initialization
(UINT32)[5] UnknownRemarks
This packet is received after successfully logging onto Battle.net and usually after receiving the first initial chat events. If the client does not respond to this packet, the client gets dropped two minutes later (give or take about 10 seconds).
The packet is encrypted via standard RC4 hashing, using one key for outbound data and another for inbound. Its purpose is to download and execute Warden modules. Full information on how to handle this packet may be found at the Rudimentary Warden information topic.
Documentation provided by iago and Ringo.
Comments
AlendarWarden Bypass finally made: http://forum.valhallalegends.com/index.php?topic=17356
brew0x00 - Warden Module
(QWORD) Name of current module (MD5 Hash)
a quadword??
Wow, i never knew md5 hashes could be 8 bytes.
should be:
(DWORD[4]) Name of current module
(DWORD[4]) Decryption seed
KyroAlendar, thanks for tip. Brew, thanks for pointing out error. Confirmed by RealityRipple. Fixed. Thanks for heads up.