World of WarCraft Protocol Reversal, General Information

[Joe[x86]]

Note: I've gotten permission from Arta to post this here. Please do not trash it.


First off, I'm only a human. I can't do this all on my own. I need some more hands on deck here, anyone up for it? Having WoW helps, but if you don't own it, I'm sure theres something you can do along the line.

-------------------------------------

Now, down to business. First thing we should discuss would be the packet header. Its simple, two bytes.
(BYTE) ID
(BYTE) SubID
For WOW_AUTH_INFO (my names are so origional!) this is 0x0002.

-------------------------------------

Logon Sequence:

Code Select Expand

World of WarCraft Logon Sequence:

C: Connect to us.logon.worldofwarcraft.com:3769
C: Send 0x0002 (WOW_AUTH_INFO)
S: Send 0x0000 (WOW_0000)

Notes:
Packet names with numbers in them, such as WOW_0000, haven't been investigated enough to know their meaning, so I can't name them.
This isn't complete yet, and you won't be logged into the game following this.W

-------------------------------------


Well, I don't see much to discuss other that packet formats, really. We should start with WOW_AUTH_INFO, the first packet to be sent.

Code Select Expand

Header:
(BYTE)  ID                    (0x00)
(BYTE)  SubID                 (0x02)

Body:
(BYTE)  Unknown, Constant     (0x28)                        [Note: Client always sends 28]
(DWORD) Game ID               ("WoW" + 0x00)
(DWORD) Version Hash          (0x00010601)                  [Historic: 0x00010600 in 1.6.0]
(BYTE)  Version Byte?         (0xC0)                        [Historic: 0x94 in 1.6.0]
(BYTE)  Unknown               (0x11)
(DWORD) Platform ID           ("68x" + 0x00)                [Research: PPC?]
(DWORD) Operating System      ("niW" + 0x00)                [Research: PMAC? XMAC?]
(DWORD) Language              ("SUne")
(BYTE)  Unknown               (0x98)                        [Note: Safe to set to 98. Client doesn't always send 98]
(BYTE)  Unknown               (0xFE)                        [Note: Safe to set to FE. Client doesn't always send FE]
(BYTE)  Unknown               (0xFF)                        [Note: Safe to set to FF. Client doesn't always send FF]
(BYTE)  Unknown               (0xFF)                        [Note: Safe to set to FF. Client doesn't always send FF]
(BYTE)  Unknown               (0xAC)                        [Note: Safe to set to AC. Client doesn't always send AC]
(BYTE)  Unknown, Constant     (0x9D)                        [Note: Client always sends 9D]
(BYTE)  Unknown, Constant     (0x7C)                        [Note: Client always sends 7C]
(BYTE)  Unknown, Constant     (0xFE)                        [Note: Client always sends FE]
(BYTE)  Unknown               (0x0A)                        [Note: Safe to set to 0A. Client doesn't always send 0A]
(STR)   Account Name          ("INSANEJOEY")                [Research: Why isn't this terminated?]

As you can see, theres a whole ton I don't know about this packet. I do have enough to send it correctly, however.

Code Select Expand

    With WoWBuff
        .InsertByte &H28
        .InsertDWORD GetDWORD(modConstants.DWORDGameID)
        .InsertDWORD GetDWORD(modConstants.DWORDVersion)
        .InsertByte &HC0
        .InsertByte &H11
        .InsertDWORD GetDWORD(modConstants.DWORDPlatform)
        .InsertDWORD GetDWORD(modConstants.DWORDOperSys)
        .InsertDWORD GetDWORD(modConstants.DWORDLocale)
        .InsertByte &H98
        .InsertByte &HFE
        .InsertByte &HFF
        .InsertByte &HFF
        .InsertByte &HAC
        .InsertByte &H9D
        .InsertByte &H7C
        .InsertByte &HFE
        .InsertByte &HA
        .InsertNonNTString modConfig.AccountName
       
        .Push &H0, &H2
        .Flush frmMain.wsWoW
    End With

-------------------------------------

More to come.

[Joe[x86]]

TODO:

WOW_AUTH_INFO (C>S 0x0002)
Research PowerPC processor DWORD.
Research MacOS X OS DWORD.
Research MacOS 9 OS DWORD, asuming thats still supported.


WOW_CHAT (C>S Unknown)
Research destination DWORD value for yelling. Asumed to be 0x000004, but I haven't tested this.
Research destination DWORD value for guild officer chat. I lead a guild on Thunderlord where I can test this.
Research why the message ID and subID keep changing. That is really annoying.

[UserLoser.]

WoW is endian fucked, so it's "backwards" compared to what you'd see in Battle.net

(DWORD) Version Hash          (0x00010601)                  [Historic: 0x00010600 in 1.6.0]
(BYTE)  Version Byte?         (0xC0)                        [Historic: 0x94 in 1.6.0]
(BYTE)  Unknown               (0x11)

Not quite, from what I have in my client it's just the three bytes specifiying the version. I.E.:
(Byte) 1
(Byte) 6
(Byte) 1
The next four bytes after that is the executable build number.  Notice that the 0xC011 happens to be 4544 which should match your build number shown at the logon screen.

(BYTE)  Unknown               (0x0A)                        [Note: Safe to set to 0A. Client doesn't always send 0A]
(STR)   Account Name          ("INSANEJOEY")                [Research: Why isn't this terminated?]

That byte is the length of your username, how else would the server know when to stop copying it?

0000:  00 00 00 A4 D1 6A 32 A8 B8 35 0D 7E 2E DD 81 2A   ...¤Ñj2¨¸5.~.Ý?*
0010:  07 95 CE 50 C6 6A 15 50 3E EF 91 77 5A 88 A8 03   •ÎPÆjP>ï'wZˆ¨
0020:  C4 3F AE 01 07 20 89 4B 64 5E 89 E1 53 5B BD AD   Ä?®
 ‰Kd^‰áS[½­
0030:  5B 8B 29 06 50 53 08 01 B1 8E BF BF 5E 8F AB 3C   [‹)PS
±Ž¿¿^?«<
0040:  82 87 2A 3E 9B B7 C6 5A C3 A6 6A 0F DF A1 79 AB   ,‡*>›·ÆZæjß¡y«
0050:  D8 86 DC AD F6 9E E0 20 2F 65 8D 8C 16 AD 25 C5   Ø†Ü­öžà /e?Œ­%Å
0060:  41 EE E5 BE C7 1C A1 03 9D 3C 27 60 36 1A 5F 02   Aîå¾Ç¡?<'`6_
0070:  6F E4 1C 65 D6 4F                                 oäeÖO..........

Extract the following in order: packet id, error code, skip next byte, server key (B, 32bytes), generator length, generator (G), modulo length, modulo (N), salt for your account (s, 32 bytes), checksum key (16 bytes, used in version check, we'll discuss that later)

[Warrior]

Why would they include a string withought nullterminating it then specify a length?

Anyhow, nice job guys.

[dxoigmn]

Why would they include a string withought nullterminating it then specify a length?

Anyhow, nice job guys.

It's usually easier to read the length of the string first, allocate memory for it, then actually read the string.

[Joe[x86]]

* Vote Joe! runs up to UserLoser and hug-tackles him.

EDIT -
The bot picked the perfect time to blow up (VB completely dies when I try to run it), so can you tell me if I did this right?
Never mind, I disarmed the explosive.

[Joe[x86]]

[7:24:25 PM] World of WarCraft Research Chatbot by Joe[x86] loaded!
[7:24:25 PM] Registration passed.
[7:24:27 PM] [WWRL] Connecting to us.logon.worldofwarcraft.com:3724..
[7:24:27 PM] [WWRL] Connected!
[7:24:27 PM] [SEND] 0x0002 (WOW_AUTH_INFO)...
[7:24:27 PM] [RECV] 0x0000 (WOW_AUTH_CHALLENGE)
[7:24:27 PM] B: 0x00000000
[7:24:27 PM] G: 5736481527823200912463412246178819491513660317295005690107323775009437258391897391394106808308017742919194437160303542625583989095660615236121711634207346582432470141
[7:24:27 PM] N: 2273379765382990992853841427106363648285682357372731
[7:24:27 PM] S: 0x00370000
[7:24:27 PM] CK: 0x00000

Which brings us to our next point. What do I do instead of scream when the server sends out packets in more than once piece?

[Warrior]

Hmm:
Check if the packet sent is the length specified, if not store whatever was sent in a temporary buffer
and the next time you recieve data append however many bytes recieved until you reach the next
header to your temporary buffer then pass that to your handler.

[Hdx]

Packet S>C 0x10CA (WOW_REALMLIST)

Header {
  (BYTE)  ID      (0x10)
  (BYTE)  Sub ID  (0xCA)
}

(BYTE)    Unknown (0x0D)
(DWORD)   Unknown (0x00)
(DWORD)   Unknown (0x55000000)
(WORD)    Unknown (0x0000)

For Each server {
  (NTSTR) Server Name ('Eldre'Thalas')       ('Shadow Council')     ('Draenor')
....

I have a theroy that it's more like this:

Packet S>C 0x10CA (WOW_REALMLIST)

Header {
  (BYTE)  ID      (0x10)
  (BYTE)  Sub ID  (0xCA)
}

(BYTE)    Unknown (0x0D)
(DWORD)   Unknown (0x00)
(DWORD)   Number_Of_Servers (0x00000001)

For Each server {
  (WORD) Unknown (0x00)
  (NTSTR) Server Name ('Eldre'Thalas')       ('Shadow Council')     ('Draenor')

Also
55 00 00 00 = 0x00000055(85) not 0x55000000(1,426,063,360) dosent it ?

Code Select Expand

0000:  10 2F 00 00 00 00 00 01 00 00 00 00 00 55 6C 74   ./...........Ult
0010:  72 61 20 57 6F 57 00 37 30 2E 38 36 2E 34 37 2E   ra WoW.70.86.47.
0020:  31 34 36 3A 38 30 38 35 00 00 00 00 3F 00 01 00   146:8085....?...
0030:  02 00                                             ..
yes im using a emulated server, but dont yell at me, I cant afford the time cards.
~-~(HDX)~-~

[Blaze]

Could the Unknown be a telling if its pvp?

[UserLoser.]

Which brings us to our next point. What do I do instead of scream when the server sends out packets in more than once piece?

I do not recall that at all in the logon protocol, so maybe you're doing something wrong...and those variables the server sent you look horribly wrong.

[Joe[x86]]

Blaze, yes. On the list, it tells if its PvE (Normal), RP, or PvP.

UserLoser, 200 million bucks says its on my side.

Code Select Expand

                Case &H0
                    Call AddChat(frmMain.rtbChat, True, vbGreen, "[RECV] 0x0000 (WOW_AUTH_CHALLENGE)")
                    With WoWDebuff
                        .Buffer = S
                       
                        .RemoveVoid 2           'Remove PacketID and ErrorCode
                        .RemoveVoid 1           'Remove byte
                       
                        Dim Temp As Variant
                        Dim B As Long, G() As String, N() As String, Salt As Long, CK As Integer
                       
                   
                        Let B = .RemoveDWORD
                        Call AddChat(frmMain.rtbChat, True, vbYellow, "B: 0x" & Right("00000000" & Hex(ServerKey), 8))
                       
                        Let Temp = .RemoveVoid(Asc(.RemoveVoid(1)))
                        ReDim G(1 To Len(Temp))
                        For i = 1 To Len(Temp)
                            G(i) = Mid(Temp, i, 1)
                        Next i
                        Call AddChat(frmMain.rtbChat, True, vbYellow, "G: " & ToHex(Join(G, "")))
                       
                        Let Temp = .RemoveVoid(Asc(.RemoveVoid(1)))
                        ReDim N(1 To Len(Temp))
                        For i = 1 To Len(Temp)
                            N(i) = Mid(Temp, i, 1)
                        Next i
                        Call AddChat(frmMain.rtbChat, True, vbYellow, "N: " & ToHex(Join(N, "")))
                       
                        Salt = .RemoveDWORD
                        Call AddChat(frmMain.rtbChat, True, vbYellow, "S: 0x" & Right("00000000" & Hex(Salt), 8))
                       
                        ChecksumKey = .RemoveWORD
                        Call AddChat(frmMain.rtbChat, True, vbYellow, "CK: 0x" & Right("0000" & Hex(ChecksumKey), 8))
                       
                        '00 00 00 A4 D1 6A 32 A8 B8 35 0D 7E 2E DD 81 2A
                        '07 95 CE 50 C6 6A 15 50 3E EF 91 77 5A 88 A8 03
                        'C4 3F AE 01 07 20 89 4B 64 5E 89 E1 53 5B BD AD
                        '5B 8B 29 06 50 53 08 01 B1 8E BF BF 5E 8F AB 3C
                        '82 87 2A 3E 9B B7 C6 5A C3 A6 6A 0F DF A1 79 AB
                        'D8 86 DC AD F6 9E E0 20 2F 65 8D 8C 16 AD 25 C5
                        '41 EE E5 BE C7 1C A1 03 9D 3C 27 60 36 1A 5F 02
                        '6F E4 1C 65 D6 4F
                    End With

[UserLoser.]

Checksum key is also 16 bytes not bits

[Hdx]

Meh, Just thought I'd Finish this one up:

Message ID: 0x00
Message SubID: 0x02
Message Name: WOW_AUTH_INFO
Format:
   (BYTE) ID
   (BYTE) SubID
   (WORD) Data Lengeth
   (DWORD) Product ID
   (Byte) EXE Major ver
   (Byte) EXE Minor ver
   (Byte) EXE Revision number
   (WORD) EXE Build number
   (DWORD) Platform ID
   (DWORD) OS abbreaveation
   (DWORD) LanguageID
   (DWORD) TimeZone offset
   (DWORD) Local IP
   (BYTE) Username Lengeth
   (VOID) Username

Remarks:
   The Data lengeth field is of all the data following it, not including the ID, SubID, or It's own field.
   And easy way to determin this is simply Lengeht of the username + 30

This is an example of how I used it:/ why you want this iono

Code Select Expand


Public Sub Build_WOW_AUTH_INFO(sExePath As String, sUsername As String)
    With pOut
        .iBYTE 0 'ID
        .iBYTE 2 'SubID
        .iWORD Len(sUsername) + 30 'Data lengeth - header
        .iDWORD &H576F57 'ProdID ("WoW")
        Dim sVerParts() As String
        sVerParts = Split(Replace(GetVersionInfo(sExePath), Space(1), vbNullString), ",", 4)
        '^~~~Get the ver info, GetVersionInfo() returns a string such as this: 1, 6, 0, 4500
        'Extracted form the EXE under the \StringFileInfo\000004B0\FileVersion property.
        .iBYTE Val(sVerParts(0)) 'Major ver
        .iBYTE Val(sVerParts(1)) 'Minor ver
        .iBYTE Val(sVerParts(2)) 'Revis ver
        .iWORD Val(sVerParts(3)) 'Build ver
        .iDWORD &H783836 'PlatformID ("86x")
        .iDWORD &H57696E 'OS ("niW")
        .iDWORD &H656E5553 'Language ("SUne")
        .iDWORD -480 'Time sone offset in minuets (-8 UTC)
        .iDWORD &HA00A8C0 'Local IP address ("192.168.0.10")
        .iBYTE Len(sUsername) 'Lengeth of Username
        .iVoid sUsername 'Username
    End With
End Sub
UL do me a favor, GET ON AIM!! i wana talk to you.
Currently know ID's and Lengeths asociated with them:
0x00 = 118
0x01 = 26
I have NEVER seen either of those packets with a diffrent lengeth.
~-~(HDX)~-~

[LivedKrad]

Stickied. Eventually this thread may go into the depths of the void, I want it to be seen.