Author Topic: S > Clean C > dirty C  (Read 6322 times)


vector
S > Clean C > dirty C
« on: September 01, 2007, 02:38:18 am »
Now, I heard it was possible to bypass warden by connecting to warden on a clean client, then forwarding the data to the dirty client, in this case StealthBot, or what bot have you. How is this done?

iago
Re: S > Clean C > dirty C
« Reply #1 on: September 01, 2007, 10:02:58 am »
I believe you're talking about using a "shim". My very first bot worked like that, but I'm not sure how useful that would be...

rabbit
Re: S > Clean C > dirty C
« Reply #2 on: September 01, 2007, 12:12:12 pm »
Wasn't nbbot a shim?

zorm
Re: S > Clean C > dirty C
« Reply #3 on: September 01, 2007, 12:57:48 pm »
Rabbit: Nope.
"Frustra fit per plura quod potest fieri per pauciora"
- William of Ockham

Hdx
Re: S > Clean C > dirty C
« Reply #4 on: September 04, 2007, 06:48:09 pm »
Set up a server with a BNCS and a SOCKS5 end.
SC -> localhost (need a gateway editor)
SB -> proxy -> localhost -> bnet!
When the proxy server gets 0x5E, send it to SC over the BNCS connection.
When SC sends the reply, send it on the proxy.
Simple.
~Hdx
http://img140.exs.cx/img140/6720/hdxnew6lb.gif
09/08/05 - Clan SBs @ USEast
 [19:59:04.000] <DeadHelp> We don't like customers.
 [19:59:05.922] <DeadHelp> They're assholes
 [19:59:08.094] <DeadHelp> And they're never right.

Camel
Re: S > Clean C > dirty C
« Reply #5 on: September 05, 2007, 09:47:01 am »
Quote from: Hdx on September 04, 2007, 06:48:09 pm
    Set up a server with a BNCS and a SOCKS5 end.
    SC -> localhost (need a gateway editor)
    SB -> proxy -> localhost -> bnet!
    When the proxy server gets 0x5E, send it to SC over the BNCS connection.
    When SC sends the reply, send it on the proxy.
    Simple.
    ~Hdx

I don't believe it is that simple. From what I understand, the key to decrypt Warden is based on the client/server tokens (specifically, the CD key hash), and therefore you really need to hijack SC's connection using the proxy rather than redirect just the Warden packets to it.

Of course, I've done no research into this; I'm just going off what I've read about it.

<Camel> i said what what
<Blaze> in the butt
<Camel> you want to do it in my butt?
<Blaze> in my butt
<Camel> let's do it in the butt
<Blaze> Okay!

Joe
Re: S > Clean C > dirty C
« Reply #6 on: September 06, 2007, 03:12:44 pm »
If you integrate Hdx's piece of software into the bot itself, it becomes easy to bypass that. The client token is ridiculously easy: you can simply use whatever one the client specifies when it connects to the proxy, and send that as your bot. As for the server token, when the bot receives SID_AUTH_INFO, respond to the client with the server token from the true Battle.net.

Allow me to be the first to say this is a kludge and should not be a permanent solution. But kludges are good for holding things over, so this could be a good idea. :)
I'd personally do as Joe suggests

You might be right about that, Joe.


Hdx
Re: S > Clean C > dirty C
« Reply #7 on: September 06, 2007, 04:08:01 pm »
Just to let everyone know, a proof-of-concept connection was implemented a while ago, and it DOES work. It's not quite as simple as I said (you have to trick SC into thinking you have the same server/client tokens as your bot; not hard, as they are public variables).
But, as Joe stated, this should not be the solution; it's merely one way to do it (a bad way).
~Hdx

Camel
Re: S > Clean C > dirty C
« Reply #8 on: September 06, 2007, 06:02:00 pm »
Quote from: Joe on September 06, 2007, 03:12:44 pm
    Allow me to be the first to say this is a kludge and should not be a permanent solution. But kludges are good for holding things over, so this could be a good idea. :)

It's a crutch, and I don't support it at all. When CSB came out, a whole host of people gave up on trying to come up with a good solution to the problem it solved. We're supposed to learn from history, right?

Of course, I can't make you do anything, but I hope you can at least see it the way I do.


vector
Re: S > Clean C > dirty C
« Reply #9 on: September 11, 2007, 06:42:58 pm »
Quote from: Hdx on September 04, 2007, 06:48:09 pm
    Set up a server with a BNCS and a SOCKS5 end.
    SC -> localhost (need a gateway editor)
    SB -> proxy -> localhost -> bnet!
    When the proxy server gets 0x5E, send it to SC over the BNCS connection.
    When SC sends the reply, send it on the proxy.
    Simple.
    ~Hdx

Quote from: Camel on September 05, 2007, 09:47:01 am
    I don't believe it is that simple. From what I understand, the key to decrypt Warden is based on the client/server tokens (specifically, the CD key hash), and therefore you really need to hijack SC's connection using the proxy rather than redirect just the Warden packets to it.

    Of course, I've done no research into this; I'm just going off what I've read about it.

Well, from what I know about warden, it just needs a reply from the client, and since you are forwarding e5 to the dirty client (stealthbot), there should be no problem with this. I may be wrong though.

Camel
Re: S > Clean C > dirty C
« Reply #10 on: September 13, 2007, 03:40:47 pm »
You can take that approach, but you have to understand that it's not just as simple as forwarding the packets to some random SC client. You have to let your SC client pick the client key, you have to tell the SC client the server key, and you have to use the same CD key that the SC client is registered to. Of course, this is assuming that what I've read about it is correct; I cannot verify that information.

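Added example (editor's code, not from this thread or from StealthBot, NBBot or any other bot named here): a Python model of the routing Hdx, Joe and Camel describe above. The shim terminates three connections, the real server ("bnet"), the clean StarCraft client ("sc", pointed at localhost by a gateway edit) and the bot ("bot", arriving over the SOCKS5 end), and does three things: it relays 0x5E (SID_WARDEN) between bnet and SC only, it copies the real SID_AUTH_INFO (0x50) to SC so SC sees the true server token, and it refuses to forward the bot's SID_AUTH_CHECK (0x51) unless the bot has adopted the client token SC chose. Assumptions: the BNCS frame layout (0xFF, id, u16 LE length including header) and the field offsets used here (server token at offset 4 of 0x50, client token at offset 0 of 0x51) are taken from the public BNCS protocol documentation, not from this page; the transports are replaced by in-memory queues; Warden payloads are treated as opaque; all packet contents are constructed sample values. Camel's CD-key requirement is not enforceable from the shim, since only a hash of the key crosses the wire, so it is left as a comment.

```python
"""Routing model of the clean-client / dirty-client Warden shim (editor's example)."""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SID_AUTH_INFO = 0x50   # S->C: (DWORD) logon type, (DWORD) server token, (DWORD) UDP value, ...
SID_AUTH_CHECK = 0x51  # C->S: (DWORD) client token, (DWORD) exe version, (DWORD) exe hash, ...
SID_WARDEN = 0x5E      # S<->C: opaque (encrypted) Warden payload


def build_packet(pid: int, payload: bytes) -> bytes:
    """BNCS frame: 0xFF, packet id, total length as u16 LE (header included), payload."""
    return struct.pack("<BBH", 0xFF, pid, 4 + len(payload)) + payload


def parse_packets(buf: bytes) -> Tuple[List[Tuple[int, bytes]], bytes]:
    """Split a byte stream into complete frames; return (frames, unconsumed tail)."""
    frames: List[Tuple[int, bytes]] = []
    while len(buf) >= 4:
        magic, pid, length = struct.unpack_from("<BBH", buf)
        if magic != 0xFF or length < 4:
            raise ValueError("not a BNCS frame")
        if len(buf) < length:
            break  # partial frame: wait for more bytes
        frames.append((pid, bytes(buf[4:length])))
        buf = buf[length:]
    return frames, bytes(buf)


@dataclass
class Shim:
    """Endpoints: 'bot' (dirty client, SOCKS5 end), 'sc' (clean client on localhost), 'bnet' (real server)."""
    server_token: Optional[int] = None
    client_token: Optional[int] = None
    outbox: Dict[str, List[bytes]] = field(default_factory=lambda: {"bot": [], "sc": [], "bnet": []})

    def _send(self, dest: str, pid: int, payload: bytes) -> None:
        self.outbox[dest].append(build_packet(pid, payload))

    def from_bnet(self, pid: int, payload: bytes) -> None:
        """Downstream: Warden goes to the clean client only; SID_AUTH_INFO goes to both
        (SC must see the real server token); everything else goes to the bot."""
        if pid == SID_WARDEN:
            self._send("sc", pid, payload)
            return
        if pid == SID_AUTH_INFO:
            self.server_token = struct.unpack_from("<I", payload, 4)[0]
            self._send("sc", pid, payload)
        self._send("bot", pid, payload)

    def from_sc(self, pid: int, payload: bytes) -> None:
        """Upstream from the clean client: only Warden replies reach bnet. SC's own
        SID_AUTH_CHECK is consumed for the client token it picked and then dropped;
        the bot's 0x51 (built with that token, and with the same CD key SC is
        registered to, which the shim cannot verify) is the one bnet sees."""
        if pid == SID_WARDEN:
            self._send("bnet", pid, payload)
        elif pid == SID_AUTH_CHECK:
            self.client_token = struct.unpack_from("<I", payload, 0)[0]
        # anything else from SC is dropped: the bot owns the session

    def from_bot(self, pid: int, payload: bytes) -> bool:
        """Upstream from the bot. Returns False (nothing sent) when a 0x51 arrives
        before SC has chosen a token, or carries a different token than SC chose:
        the CD-key hash and the Warden key would then disagree with SC's."""
        if pid == SID_AUTH_CHECK:
            if self.client_token is None:
                return False
            if struct.unpack_from("<I", payload, 0)[0] != self.client_token:
                return False
        self._send("bnet", pid, payload)
        return True


def run_demo() -> Tuple[Shim, Tuple[bool, bool, bool]]:
    """Constructed exchange with sample values (not a capture)."""
    shim = Shim()
    # bnet -> SID_AUTH_INFO: logon type, server token 0x11223344, UDP value, MPQ filetime, two strings
    auth_info = struct.pack("<IIIQ", 0, 0x11223344, 0, 0) + b"ver-IX86-1.mpq\0" + b"<formula>\0"
    shim.from_bnet(SID_AUTH_INFO, auth_info)
    # bot answers before SC has picked a token: must be refused
    early = shim.from_bot(SID_AUTH_CHECK, struct.pack("<I", 0xDEADBEEF) + b"<bot fields>")
    # SC's 0x51 fixes the client token at 0xAABBCCDD (captured, not forwarded)
    shim.from_sc(SID_AUTH_CHECK, struct.pack("<I", 0xAABBCCDD) + b"<sc fields>")
    # bot with its own token: refused; bot with SC's token: forwarded
    wrong = shim.from_bot(SID_AUTH_CHECK, struct.pack("<I", 0xDEADBEEF) + b"<bot fields>")
    ok = shim.from_bot(SID_AUTH_CHECK, struct.pack("<I", shim.client_token) + b"<bot fields>")
    # Warden challenge reaches SC only; SC's reply goes back up to bnet
    shim.from_bnet(SID_WARDEN, b"\x01\x02\x03")
    shim.from_sc(SID_WARDEN, b"\x04\x05")
    return shim, (early, wrong, ok)


if __name__ == "__main__":
    demo, flags = run_demo()
    for name, queue in demo.outbox.items():
        print(name, [hex(parse_packets(p)[0][0][0]) for p in queue])
    print("auth_check results (early, wrong token, matching token):", flags)
```

The token check is the point of the example: routing 0x5E alone, as in the first sketch, is not enough, because whichever side answers Warden must have gone through the same token and CD-key exchange as the session bnet is tracking. Integrating the shim into the bot (Joe's suggestion) is what lets the bot read `client_token` before it builds its own 0x51.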