EEye's Iris and its Application to D2 Hacking

Ultimate Empire

BattleForums Addict
Joined
May 18, 2003
Messages
701
Reaction score
0
@ ACE or CM - Please add this to one of the sticky compilations of information, as it is worth further researching

-----------------------------------
eEye's Iris Packet Analyzer and its Applications to D2 Hacking

###INTRO

One of the main reasons that hacking in Diablo II has been reduced to forms of maphack and bots is the new anti-hacking mechanism produced by Blizzard to scan for modules attached to Diablo II.exe or its inherent modules. This is known as the Warden (thank you Dark_Mage), which can be verified here:

Code:
Text strings referenced in D2Client:.text, item 627
 Address=6FB0261E
 Disassembly=PUSH D2Client.6FB86160
 Text string=ASCII "..\Source\D2Client\WARDEN\WardenClient.cpp"
Therefore modules such as d2hackit are easily detectable, and the list Warden uses to scan for hacks is easily updated to cover new versions that it doesn't currently reference. Thus the problem...


###eEye Security - www.eeye.com

eEye is an internet security company that produces a set of tools that ANY hacker would drool over, even though a true hacker would construct their own tools because of the inferior tools produced by commercialization.

eEye's tools are far from inferior.

The problem lies in the fact that these products are commercial and do cost a hefty penny. This of course will never stop the latest P2P engine from having them for free though. (Contact me if you'd like 'certain files'.)

If you have time, get all the eEye tools and experiment with them...however this article will only focus on the Iris product.


###eEye's Iris - http://www.eeye.com/html/products/Iris/

I'm sure most of you have used a simple packet sniffer/scanner before. Imagine having the ability to not only sniff packets, but send them as well via an external program. This is what eEye's forensic tool, Iris, was built for.

Iris has the ability to capture and resend modified packets (or new ones) through any protocol over any size network (i.e. the internet) without attaching itself as a module to the original application that sent the packets.


###Iris' Applications to D2 Hacking

By now, you've already assumed that Iris could be used to beat Blizzard's Warden module, since it doesn't link to Diablo II.exe.

Sort of like, an external d2hackit...maybe (I said maybe) with module capabilities...but I'll discuss my ideas next time :)


### Further Research

Further research is of course required as to the advantages and drawbacks of this software. One that I know of is that if any of the newer (2002-now) versions of Iris are able to contact eEye's website (assuming an illegitimate copy is being used), it will disable Iris on that computer (almost permanently).

### Next Time
I will be doing research starting Feb 8/06 as to how this can be integrated properly. I will report my findings as I get them in this thread...as well I'll create a new thread when I'm on to something big :)

### Comments

Leave your comments and feedback here. If you're a former member of BFHS or someone that I know has considerable knowledge, let me know if you're interested in getting eEye's Iris. :) legit of course :rofl2
 

Ultimate Empire
As of February 8, 2006:
----------------------------------------------------
Iris and D2:
Current Advantages:
- No programming knowledge necessary
- Defeats Blizzard's Warden module (theoretical)
- Possible to create applications using the Iris module for VB and C++???

Current Disadvantages:
- If caught using a non-legit copy of Iris, it's a pain to reinstall
- Returning a packet with the appropriate TCP Seq+1/Ack+1 numbers through an external program may prove challenging, unless we can script Iris somehow, or maybe there is an Iris plugin/ocx control that we can use. If not, possibly recreating a version of d2hackit for external use and building our own packet sender may prove worthwhile

This post will likely be updated several times.
 

_Ace

BattleForums Senior Member
Joined
May 17, 2003
Messages
1,474
Reaction score
0
Location
Under my bed (Spain)
Website
Visit site
Cool stuff, check your PM inbox. We will be doing some sticky remodelling soon so I'll wait till that to add this.
 

Ultimate Empire
Update: Feb 8, 2006

Disadvantages:
- Returning a packet with the appropriate TCP Seq+1/Ack+1 numbers through an external program may prove challenging, unless we can script Iris somehow, or maybe there is an Iris plugin/ocx control that we can use. If not, possibly recreating a version of d2hackit for external use and building our own packet sender may prove worthwhile
 

_Ace
Well, maybe if we can make the send algorithm like this...

Code:
SendPacket(packet) {
    Wait for a packet to be sent and store its ACK and SEQ numbers
    ACK++
    SEQ++
    Craft the packet to be sent with the new ACK and SEQ numbers
    Raw-send it
}

Edit: More in-depth algorithm/pseudocode

Code:
#include <stdint.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
static HANDLE D2Thread;                  /* from OpenThread(THREAD_SUSPEND_RESUME, ...) on the game's net thread */
#define Interrupt() SuspendThread(D2Thread)
#define Resume()    ResumeThread(D2Thread)
#else
#define Interrupt() ((void)0)            /* no game thread to pause outside Windows */
#define Resume()    ((void)0)
#endif
enum { IPH_LEN = 20, TCPH_LEN = 20 };

/* Connection state copied from the last packet seen in either direction. */
static uint32_t ACK, SEQ;
static uint16_t ServerPort, LocalPort; static uint8_t ServerIP[4], LocalIP[4];
/* Whatever raw-send path turns out to be usable (Iris, a raw socket, ...); the integrator plugs it in. */
static int (*RawSend)(const uint8_t *frame, size_t len);
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get32(const uint8_t *p) { return ((uint32_t)get16(p) << 16) | get16(p + 2); }

/* RFC 1071 one's-complement checksum; 'sum' lets the caller feed a pseudo-header in first. */
static uint16_t Checksum(const uint8_t *data, size_t len, uint32_t sum) {
    for (size_t i = 0; i + 1 < len; i += 2) sum += get16(data + i);
    if (len & 1) sum += (uint16_t)(data[len - 1] << 8);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

void BuildIPHeader(const uint8_t *DestIP, const uint8_t *SourceIP, size_t DataSize, uint8_t *Header) {
    memset(Header, 0, IPH_LEN);
    Header[0] = 0x45;                                      /* IPv4, 20-byte header */
    put16(Header + 2, (uint16_t)(IPH_LEN + TCPH_LEN + DataSize));
    put16(Header + 6, 0x4000);                             /* don't fragment */
    Header[8] = 64; Header[9] = 6;                         /* TTL, protocol = TCP */
    memcpy(Header + 12, SourceIP, 4); memcpy(Header + 16, DestIP, 4);
    put16(Header + 10, Checksum(Header, IPH_LEN, 0));
}

void BuildTCPHeader(uint16_t DestPort, uint16_t SourcePort, uint32_t Ack, uint32_t Seq, uint8_t *Header) {
    memset(Header, 0, TCPH_LEN);
    put16(Header + 0, SourcePort); put16(Header + 2, DestPort);
    put32(Header + 4, Seq); put32(Header + 8, Ack);
    Header[12] = (TCPH_LEN / 4) << 4;                      /* data offset, no options */
    Header[13] = 0x18;                                     /* PSH|ACK */
    put16(Header + 14, 0xffff);                            /* window; checksum is filled in by Craft() */
}

/* Join(): IP header + TCP header + data into Crafted, then the TCP checksum over pseudo-header + segment. */
size_t Craft(const uint8_t *PacketData, size_t PacketSize, uint32_t Ack, uint32_t Seq, uint8_t *Crafted) {
    uint8_t *TCPH = Crafted + IPH_LEN, pseudo[12]; uint32_t sum = 0;
    BuildIPHeader(ServerIP, LocalIP, PacketSize, Crafted);
    BuildTCPHeader(ServerPort, LocalPort, Ack, Seq, TCPH);
    memcpy(TCPH + TCPH_LEN, PacketData, PacketSize);
    memcpy(pseudo, LocalIP, 4); memcpy(pseudo + 4, ServerIP, 4);
    pseudo[8] = 0; pseudo[9] = 6; put16(pseudo + 10, (uint16_t)(TCPH_LEN + PacketSize));
    for (int i = 0; i < 12; i += 2) sum += get16(pseudo + i);
    put16(TCPH + 16, Checksum(TCPH, TCPH_LEN + PacketSize, sum));
    return IPH_LEN + TCPH_LEN + PacketSize;
}

int SendPacket(const uint8_t *Packet, size_t PacketSize) {
    uint8_t RawPacket[IPH_LEN + TCPH_LEN + 1460];
    if (!RawSend || PacketSize > 1460) return -1;
    Interrupt();                                           /* keep the game from moving ACK/SEQ under us */
    size_t len = Craft(Packet, PacketSize, ACK, SEQ, RawPacket);
    int rc = RawSend(RawPacket, len);
    Resume();
    return rc;
}

/* Sequence space a captured IPv4/TCP packet consumes: its payload, plus one each for SYN and FIN. */
static uint32_t SeqSpace(const uint8_t *Pkt, const uint8_t *Tcp) {
    uint32_t payload = get16(Pkt + 2) - (Pkt[0] & 0x0f) * 4 - (Tcp[12] >> 4) * 4;
    return payload + ((Tcp[13] & 0x02) ? 1 : 0) + ((Tcp[13] & 0x01) ? 1 : 0);
}

void OnPacketReceived(const uint8_t *ReceivedPacket) {     /* server -> us; raw IP packet from the sniffer */
    const uint8_t *tcp = ReceivedPacket + (ReceivedPacket[0] & 0x0f) * 4;
    ACK = get32(tcp + 4) + SeqSpace(ReceivedPacket, tcp);  /* acknowledge everything the server just sent */
    SEQ = get32(tcp + 8);                                  /* the server's ack is where our next byte goes */
    memcpy(ServerIP, ReceivedPacket + 12, 4); memcpy(LocalIP, ReceivedPacket + 16, 4);
    ServerPort = get16(tcp); LocalPort = get16(tcp + 2);
}

void OnPacketSent(const uint8_t *SentPacket) {             /* us -> server */
    const uint8_t *tcp = SentPacket + (SentPacket[0] & 0x0f) * 4;
    SEQ = get32(tcp + 4) + SeqSpace(SentPacket, tcp);      /* next byte after what the game just sent */
    ACK = get32(tcp + 8);
    memcpy(ServerIP, SentPacket + 16, 4); memcpy(LocalIP, SentPacket + 12, 4);
    ServerPort = get16(tcp + 2); LocalPort = get16(tcp);
}
Ahhh boredom...
 

Ultimate Empire
If you run Iris for a few seconds with a port 4000 filter (no minimum packet size) while playing D2, you'll notice some similarities in how ack and seq are passed back and forth (and slightly increased almost each time). Sort of like: the server's sequence number is the ack number we see, and our sequence number is what the server sees as ack.

Just google TCP and how seq/ack works. :)
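The seq/ack bookkeeping that the "Current Disadvantages" post and this last post are both circling, as an added example written for this page (it is not from the thread, from Iris, or from d2hackit): it parses captured IPv4/TCP packets, follows both directions of one connection and returns the (seq, ack) pair an injected client-side segment must carry so the server treats it as the next in-order data. The addresses, initial sequence numbers and payloads are constructed for the demo; port 4000 is the only value taken from the thread. A sequence number advances by the number of payload bytes a segment carries, with SYN and FIN each counting as one byte and a pure ACK consuming nothing, which is why the "slightly increased almost each time" pattern in a capture is not a fixed +1.

```python
"""Seq/ack tracking for one TCP connection, and the numbers an injected segment must carry.

Constructed example: the addresses, initial sequence numbers and payloads are made up.
"""
import struct

FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10
MASK = 0xFFFFFFFF


def build_ipv4_tcp(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Minimal IPv4+TCP packet for the demo (checksums left zero; nothing verifies them here)."""
    def ip(a):
        return bytes(int(x) for x in a.split("."))
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq & MASK, ack & MASK,
                      (5 << 12) | flags, 65535, 0, 0) + payload
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                       ip(src), ip(dst)) + tcp


def parse_ipv4_tcp(pkt):
    """Pull the fields a seq/ack tracker needs out of a raw IPv4+TCP packet (no link-layer header)."""
    ver_ihl, _, total_len = struct.unpack_from("!BBH", pkt, 0)
    if ver_ihl >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, seq, ack, off_flags = struct.unpack_from("!HHIIH", pkt, ihl)
    data_off = (off_flags >> 12) * 4
    return {
        "src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF, "payload": pkt[ihl + data_off:total_len],
    }


def seq_space(h):
    """Sequence numbers a segment consumes: one per payload byte, plus one each for SYN and FIN."""
    return len(h["payload"]) + bool(h["flags"] & SYN) + bool(h["flags"] & FIN)


def seq_ge(a, b):
    """a >= b in 32-bit wrapping sequence space."""
    return ((a - b) & MASK) < 0x80000000


class TcpTracker:
    """Follows one client<->server connection from sniffed packets."""

    def __init__(self, server_ip, server_port):
        self.server = (server_ip, server_port)
        self.client_next_seq = None   # first byte the client has not yet sent
        self.server_next_seq = None   # first byte the server has not yet sent, i.e. what we must ack

    def observe(self, pkt):
        h = parse_ipv4_tcp(pkt)
        if (h["dst"], h["dport"]) == self.server:           # client -> server
            self.client_next_seq = (h["seq"] + seq_space(h)) & MASK
        elif (h["src"], h["sport"]) == self.server:         # server -> client
            self.server_next_seq = (h["seq"] + seq_space(h)) & MASK
            # If the server acknowledges more than we saw the client send, we missed a packet;
            # the server's ack field is then the better estimate of the client's next seq.
            if self.client_next_seq is None or seq_ge(h["ack"], self.client_next_seq):
                self.client_next_seq = h["ack"]
        else:
            raise ValueError("packet is not on the tracked connection")
        return h

    def next_injected(self):
        """(seq, ack) for a client->server segment the server will accept as the next in-order data."""
        if self.client_next_seq is None or self.server_next_seq is None:
            raise RuntimeError("have not seen both directions of the connection yet")
        return self.client_next_seq, self.server_next_seq


def demo():
    """Handshake, a pure ACK, 5 bytes from the client, 12 bytes back: returns (seq, ack) to inject with."""
    cip, cport, sip, sport = "10.0.0.5", 51234, "203.0.113.10", 4000   # constructed; 4000 is the thread's filter port
    cisn, sisn = 1000, 5000                                            # made-up initial sequence numbers
    t = TcpTracker(sip, sport)
    t.observe(build_ipv4_tcp(cip, sip, cport, sport, cisn, 0, SYN))
    t.observe(build_ipv4_tcp(sip, cip, sport, cport, sisn, cisn + 1, SYN | ACK))
    t.observe(build_ipv4_tcp(cip, sip, cport, sport, cisn + 1, sisn + 1, ACK))           # consumes nothing
    t.observe(build_ipv4_tcp(cip, sip, cport, sport, cisn + 1, sisn + 1, PSH | ACK, b"\x01\x02\x03\x04\x05"))
    t.observe(build_ipv4_tcp(sip, cip, sport, cport, sisn + 1, cisn + 6, PSH | ACK, bytes(12)))
    return t.next_injected()


if __name__ == "__main__":
    print(demo())   # (1006, 5013): seq moved by SYN + 5 data bytes, ack by the server's SYN + 12 bytes
```

Feeding real captures to `TcpTracker.observe` only needs the IP packet without the Ethernet header; the server's ack field is used as a sanity check on the client side so that a missed outbound packet does not leave the tracker behind.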
 
