World of WarCraft Protocol Reversal, General Information

Hdx · August 13, 2005, 04:26 PM

Quote[2:24:49 PM] [RECV] 0x0000 (WOW_AUTH_CHALLENGE)
[2:24:49 PM] SK: 0x3ED8B5DFBC56BED82E7F412AFFFBA329FA57D491744910E6B1BADCBD79CB0E2C
[2:24:49 PM] GLen: 1
[2:24:49 PM] G: 0x07
[2:24:49 PM] NLen: 32
[2:24:49 PM] N: 0xB79B3E2A87823CAB8F5EBFBF8EB10108535006298B5BADBD5B53E1895E644B89
[2:24:49 PM] S: 0x0000000000000000000000000000000000000000000000000000000000000000
[2:24:49 PM] ck: 0xAAA1146648D060F57286875C1FB3AED9
[2:24:49 PM] Packet Len: 118 Data:
[2:24:49 PM] 0000: 00 00 00 2C 0E CB 79 BD DC BA B1 E6 10 49 74 91 ...,Ëy½Üº±æIt'
[2:24:49 PM] 0010: D4 57 FA 29 A3 FB FF 2A 41 7F 2E D8 BE 56 BC DF ÔWú)£ûÿ*A.Ø¾V¼ß
[2:24:49 PM] 0020: B5 D8 3E 01 07 20 89 4B 64 5E 89 E1 53 5B BD AD µØ> ‰Kd^‰áS[½
[2:24:49 PM] 0030: 5B 8B 29 06 50 53 08 01 B1 8E BF BF 5E 8F AB 3C [‹)PS±Ž¿¿^?«<
[2:24:49 PM] 0040: 82 87 2A 3E 9B B7 00 00 00 00 00 00 00 00 00 00 ,‡*>›·..........
[2:24:49 PM] 0050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[2:24:49 PM] 0060: 00 00 00 00 00 00 D9 AE B3 1F 5C 87 86 72 F5 60 ......Ù®³\‡†rõ`
[2:24:49 PM] 0070: D0 48 66 14 A1 AA ÐHf¡ª..........

Look about right?
Now,

Quote192.168.0.10:2982 -> 70.68.47.146:3724 SENT Data Len: 74
0000: 01 AE 37 B7 EC B4 DF 74 78 43 7D A9 C3 E2 53 AD .®7·ì´ßtxC}©ÃâS
0010: 5A 78 99 7C 34 02 76 15 0D 89 27 E9 55 46 EB C6 Zx™|4.v..‰'éUFëÆ
0020: A0 86 FB AB 2A E8 79 FA 10 7D 9D 99 6A 72 52 22 †û«*èyú.}?™jrR"
0030: F7 11 C2 DD A5 A4 BA E4 D5 A5 84 23 58 87 43 F7 ÷.ÂÝ¥¤ºäÕ¥,,#X‡C÷
0040: C5 3F 99 5F BE B6 DA 51 52 00 Å?™_¾¶ÚQR.

this is the packet used for sending the hashed password data. Now i've been looking at WoW.exe in IDa for hrs.. Cant find it anywhere. Any tips UL?
~-~(HDX)~-~

Joe[x86] · August 13, 2005, 09:20 PM

Quote[8:29:19 PM] [RECV] 0x0000 (WOW_AUTH_CHALLENGE)
[8:29:19 PM] B: 3052598809479962165910969052173007229413931598887534138377729764
[8:29:19 PM] G: 07
[8:29:19 PM] N: 3775009437258391897391394106808308017742919194437160303542625583
[8:29:19 PM] S: 9890956606152361217116342073465824324701414022733797653829909928
[8:29:19 PM] CK: 44540083548842031422722779152198

Better, UserLoser?

Also, if anyone needs a job to do, I'm updating the TODO list in the second post (first page).

UserLoser. · August 13, 2005, 11:30 PM

Hdx: Looks good except your account doesn't exist (salt is 0)

Quote from: Vote Joe! on August 13, 2005, 09:20 PM
Quote[8:29:19 PM] [RECV] 0x0000 (WOW_AUTH_CHALLENGE)
[8:29:19 PM] B: 3052598809479962165910969052173007229413931598887534138377729764
[8:29:19 PM] G: 07
[8:29:19 PM] N: 3775009437258391897391394106808308017742919194437160303542625583
[8:29:19 PM] S: 9890956606152361217116342073465824324701414022733797653829909928
[8:29:19 PM] CK: 44540083548842031422722779152198
Better, UserLoser?

Also, if anyone needs a job to do, I'm updating the TODO list in the second post (first page).

Yes, better.

Joe[x86] · August 14, 2005, 01:02 AM

I asume Hdx's problem is that he is using a fake server.

EDIT -
UL, I asume you know the format of WOW_AUTH_PROOF (the one Hdx posted), right?

Hdx · August 14, 2005, 02:34 AM

Quote from: Vote Joe! on August 14, 2005, 01:02 AM
I asume Hdx's problem is that he is using a fake server.

Bingo was his name-o!
UL, that is my problem, But it's not going to change in the near future, so w/e.
So anything I post S->C wise should not be taken as definitive, BUT please note that it DOES work with the client, So it still helps int he research. Anything that I post I HOPE is double/tripple checked froma real server.
Just cuz i'm on a emu server dosent mean The packets arnt the same. All'be-it that some of the information is omitted(nulled) but I can still help.
~-~(HDX)~-~

UserLoser. · August 14, 2005, 02:24 PM

Quote from: Vote Joe! on August 14, 2005, 01:02 AM
I asume Hdx's problem is that he is using a fake server.

EDIT -
UL, I asume you know the format of WOW_AUTH_PROOF (the one Hdx posted), right?

Yes, I have them all somewhere here..I'll get back to you later....And where do you get this name WOW_AUTH_PROOF from? IIRC, that is *not* what is lingering around in WoW.exe...

Warrior · August 14, 2005, 02:44 PM

He's too lazy to dissaseble so he makes up the names

Hdx · August 14, 2005, 06:22 PM

QuoteClientLink:
0x01 CMD_AUTH_LOGON_PROOF
0x02 CMD_AUTH_RECONNECT_CHALLENGE
0x03 CMD_AUTH_RECONNECT_PROOF
0x10 CMD_REALM_LIST
0x30 CMD_XFER_INITIATE
0x31 CMD_XFER_DATA
ServerLink:
0x02 CMD_GRUNT_AUTH_VERIFY
0x10 CMD_GRUNT_CONN_PING
0x11 CMD_GRUNT_CONN_PONG
0x20 CMD_GRUNT_HELLO
0x21 CMD_GRUNT_PROVESESSION
0x24 CMD_GRUNT_KICK

ClientLink I beleave is ~~C->S and ServerLink is S->C~~ the logen server, and ServerLink is In-game 0.o??
~-~(HDX)~-~

Joe[x86] · August 14, 2005, 10:24 PM

Warrior is totally right. I figured that the packet names weren't in the disassembly, so I decided to make them up.

UserLoser. · August 14, 2005, 10:52 PM

Quote from: Vote Joe! on August 14, 2005, 10:24 PM
Warrior is totally right. I figured that the packet names weren't in the disassembly, so I decided to make them up.

That will only cause confusion...

Joe[x86] · August 15, 2005, 12:58 AM

Didn't know they were in the client. I suppose I'll use the real ones, now that I know.

MyndFyre · August 15, 2005, 11:05 AM

Quote from: Vote Joe! on August 15, 2005, 12:58 AM
Didn't know they were in the client. I suppose I'll use the real ones, now that I know.

Just an FYI, while it might cause less confusion, it's something that you could potentially be hit with in terms of copyright violation.

I was talking to one of the leaders at WDDG, a group I've been working with (they're developing Ludmilla, a general MMO server app; the first server they're developing for it is WoW), and he said that they've been going over every precaution to be sure they can't lose if Blizzard was to file a lawsuit (if you look, even on their website and forums, WoW is written out "W@W," even in user posts).

UserLoser. · August 15, 2005, 11:36 AM

Quote from: MyndFyre on August 15, 2005, 11:05 AM
Quote from: Vote Joe! on August 15, 2005, 12:58 AM
Didn't know they were in the client. I suppose I'll use the real ones, now that I know.

Just an FYI, while it might cause less confusion, it's something that you could potentially be hit with in terms of copyright violation.

I was talking to one of the leaders at WDDG, a group I've been working with (they're developing Ludmilla, a general MMO server app; the first server they're developing for it is WoW), and he said that they've been going over every precaution to be sure they can't lose if Blizzard was to file a lawsuit (if you look, even on their website and forums, WoW is written out "W@W," even in user posts).

We've been using names of Battle.net & Blizzard things for years now... Do you really think that Blizzard will go after a single individual (or a few) for writing a client to their service (which costs money to use!)?!

Joe[x86] · August 15, 2005, 12:38 PM

No, but if the situation gets out of hand, say, someone makes a flood bot, the researchers who lead to that floodbot being developed can be, in some twisted reality called the internet, be held responsible.

Joe[x86] · August 15, 2005, 01:52 PM

For no aparent reason, I'm collecting backversions of the WoW.exe files. So far I have...
WoW 1.4.2.exe
WoW 1.5.0.exe
WoW 1.5.1.exe
WoW 1.6.0.exe
WoW 1.6.1.exe

Anyone have any others? I think thats all of them except WoW 1.4.1.exe on back.

World of WarCraft Protocol Reversal, General Information

UserLoser.

UserLoser.

UserLoser.

UserLoser.