
World of WarCraft Protocol Reversal, General Information

Started by Joe[x86], August 12, 2005, 03:47 AM


Joe[x86]

Note: I've gotten permission from Arta to post this here. Please do not trash it.


First off, I'm only a human. I can't do this all on my own. I need some more hands on deck here, anyone up for it? Having WoW helps, but if you don't own it, I'm sure theres something you can do along the line.

-------------------------------------

Now, down to business. The first thing we should discuss would be the packet header. It's simple, two bytes.
(BYTE) ID
(BYTE) SubID
For WOW_AUTH_INFO (my names are so original!) this is 0x0002.

-------------------------------------

World of WarCraft Logon Sequence:

C: Connect to us.logon.worldofwarcraft.com:3769
C: Send 0x0002 (WOW_AUTH_INFO)
S: Send 0x0000 (WOW_0000)

Notes:
Packet names with numbers in them, such as WOW_0000, haven't been investigated enough to know their meaning, so I can't name them.
This isn't complete yet, and you won't be logged into the game following this.


-------------------------------------


Well, I don't see much to discuss other than packet formats, really. We should start with WOW_AUTH_INFO, the first packet to be sent.
Header:
(BYTE)  ID                    (0x00)
(BYTE)  SubID                 (0x02)

Body:
(BYTE)  Unknown, Constant     (0x28)                        [Note: Client always sends 28]
(DWORD) Game ID               ("WoW" + 0x00)
(DWORD) Version Hash          (0x00010601)                  [Historic: 0x00010600 in 1.6.0]
(BYTE)  Version Byte?         (0xC0)                        [Historic: 0x94 in 1.6.0]
(BYTE)  Unknown               (0x11)
(DWORD) Platform ID           ("68x" + 0x00)                [Research: PPC?]
(DWORD) Operating System      ("niW" + 0x00)                [Research: PMAC? XMAC?]
(DWORD) Language              ("SUne")
(BYTE)  Unknown               (0x98)                        [Note: Safe to set to 98. Client doesn't always send 98]
(BYTE)  Unknown               (0xFE)                        [Note: Safe to set to FE. Client doesn't always send FE]
(BYTE)  Unknown               (0xFF)                        [Note: Safe to set to FF. Client doesn't always send FF]
(BYTE)  Unknown               (0xFF)                        [Note: Safe to set to FF. Client doesn't always send FF]
(BYTE)  Unknown               (0xAC)                        [Note: Safe to set to AC. Client doesn't always send AC]
(BYTE)  Unknown, Constant     (0x9D)                        [Note: Client always sends 9D]
(BYTE)  Unknown, Constant     (0x7C)                        [Note: Client always sends 7C]
(BYTE)  Unknown, Constant     (0xFE)                        [Note: Client always sends FE]
(BYTE)  Unknown               (0x0A)                        [Note: Safe to set to 0A. Client doesn't always send 0A]
(STR)   Account Name          ("INSANEJOEY")                [Research: Why isn't this terminated?]


As you can see, there's a whole ton I don't know about this packet. I do have enough to send it correctly, however.

    With WoWBuff
        .InsertByte &H28
        .InsertDWORD GetDWORD(modConstants.DWORDGameID)
        .InsertDWORD GetDWORD(modConstants.DWORDVersion)
        .InsertByte &HC0
        .InsertByte &H11
        .InsertDWORD GetDWORD(modConstants.DWORDPlatform)
        .InsertDWORD GetDWORD(modConstants.DWORDOperSys)
        .InsertDWORD GetDWORD(modConstants.DWORDLocale)
        .InsertByte &H98
        .InsertByte &HFE
        .InsertByte &HFF
        .InsertByte &HFF
        .InsertByte &HAC
        .InsertByte &H9D
        .InsertByte &H7C
        .InsertByte &HFE
        .InsertByte &HA
        .InsertNonNTString modConfig.AccountName
       
        .Push &H0, &H2
        .Flush frmMain.wsWoW
    End With


-------------------------------------

More to come.
Quote from: brew on April 25, 2007, 07:33 PM
that made me feel like a total idiot. this entire thing was useless.

Joe[x86]

TODO:

WOW_AUTH_INFO (C>S 0x0002)
Research PowerPC processor DWORD.
Research MacOS X OS DWORD.
Research MacOS 9 OS DWORD, assuming that's still supported.


WOW_CHAT (C>S Unknown)
Research destination DWORD value for yelling. Assumed to be 0x000004, but I haven't tested this.
Research destination DWORD value for guild officer chat. I lead a guild on Thunderlord where I can test this.
Research why the message ID and subID keep changing. That is really annoying.

UserLoser.

WoW is endian fucked, so it's "backwards" compared to what you'd see in Battle.net

Quote
(DWORD) Version Hash          (0x00010601)                  [Historic: 0x00010600 in 1.6.0]
(BYTE)  Version Byte?         (0xC0)                        [Historic: 0x94 in 1.6.0]
(BYTE)  Unknown               (0x11)
Not quite, from what I have in my client it's just the three bytes specifying the version. I.E.:
(Byte) 1
(Byte) 6
(Byte) 1
The next four bytes after that is the executable build number.  Notice that the 0xC011 happens to be 4544 which should match your build number shown at the logon screen.

Quote
(BYTE)  Unknown               (0x0A)                        [Note: Safe to set to 0A. Client doesn't always send 0A]
(STR)   Account Name          ("INSANEJOEY")                [Research: Why isn't this terminated?]
That byte is the length of your username, how else would the server know when to stop copying it?

Quote
0000:  00 00 00 A4 D1 6A 32 A8 B8 35 0D 7E 2E DD 81 2A   ...¤Ñj2¨¸5.~.Ý?*
0010:  07 95 CE 50 C6 6A 15 50 3E EF 91 77 5A 88 A8 03   •ÎPÆjP>ï'wZˆ¨
0020:  C4 3F AE 01 07 20 89 4B 64 5E 89 E1 53 5B BD AD   Ä?® ‰Kd^‰áS[½­
0030:  5B 8B 29 06 50 53 08 01 B1 8E BF BF 5E 8F AB 3C   [‹)PS±Ž¿¿^?«<
0040:  82 87 2A 3E 9B B7 C6 5A C3 A6 6A 0F DF A1 79 AB   ,‡*>›·ÆZæjß¡y«
0050:  D8 86 DC AD F6 9E E0 20 2F 65 8D 8C 16 AD 25 C5   Ø†Ü­öžà /e?Œ­%Å
0060:  41 EE E5 BE C7 1C A1 03 9D 3C 27 60 36 1A 5F 02   Aîå¾Ç¡?<'`6_
0070:  6F E4 1C 65 D6 4F                                 oäeÖO..........
Extract the following in order: packet id, error code, skip next byte, server key (B, 32bytes), generator length, generator (G), modulo length, modulo (N), salt for your account (s, 32 bytes), checksum key (16 bytes, used in version check, we'll discuss that later)
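The field order from that post, applied to the dump quoted above, as an added Python example (not code from the thread): it slices the 118-byte challenge and refuses truncated or over-long input. The byte order of the big numbers is not settled in the thread, so the fields come back as raw bytes.

```python
# Added example: parse WOW_AUTH_CHALLENGE (S>C 0x00) in the field order given above.
# CHALLENGE is the 118-byte dump from the post, transcribed by hand.
CHALLENGE = bytes.fromhex(
    "000000A4D16A32A8B8350D7E2EDD812A0795CE50C66A15503EEF91775A88A803"
    "C43FAE010720894B645E89E1535BBDAD5B8B290650530801B18EBFBF5E8FAB3C"
    "82872A3E9BB7C65AC3A66A0FDFA179ABD886DCADF69EE0202F658D8C16AD25C5"
    "41EEE5BEC71CA1039D3C2760361A5F026FE41C65D64F"
)


class Cursor:
    """Sequential reader that raises instead of silently returning short slices."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError(f"need {n} bytes at offset {self.pos}, "
                             f"only {len(self.data) - self.pos} left")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def byte(self) -> int:
        return self.take(1)[0]


def parse_auth_challenge(data: bytes) -> dict:
    """Split the challenge into id, error code, B, g, N, salt and checksum key.
    g and N are each prefixed with a one-byte length; the other blobs are fixed-size."""
    c = Cursor(data)
    packet_id, error_code = c.byte(), c.byte()
    c.take(1)                      # the post says to skip this byte
    fields = {"id": packet_id, "error": error_code, "B": c.take(32)}
    fields["g"] = c.take(c.byte())
    fields["N"] = c.take(c.byte())
    fields["s"] = c.take(32)
    fields["ck"] = c.take(16)
    if c.pos != len(data):
        raise ValueError(f"{len(data) - c.pos} trailing bytes after the challenge")
    return fields
```

On the dump above this yields g = 0x07, a 32-byte N and a 32-byte salt, which is the 118-byte total that Hdx reports for packet 0x00 further down.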

Warrior

Why would they include a string without null-terminating it, then specify a length?

Anyhow, nice job guys.
Quote from: effect on March 09, 2006, 11:52 PM
Islam is a steaming pile of fucking dog shit. Everything about it is flawed, anybody who believes in it is a terrorist, if you disagree with me, then im sorry your wrong.

Quote from: Rule on May 07, 2006, 01:30 PM
Why don't you stop being American and start acting like a decent human?

dxoigmn

Quote from: Warrior on August 12, 2005, 08:22 AM
Why would they include a string without null-terminating it, then specify a length?

Anyhow, nice job guys.

It's usually easier to read the length of the string first, allocate memory for it, then actually read the string.

Joe[x86]

* Vote Joe! runs up to UserLoser and hug-tackles him.

EDIT -
The bot picked the perfect time to blow up (VB completely dies when I try to run it), so can you tell me if I did this right?
Never mind, I disarmed the explosive.

Joe[x86]

Quote
[7:24:25 PM] World of WarCraft Research Chatbot by Joe[x86] loaded!
[7:24:25 PM] Registration passed.
[7:24:27 PM] [WWRL] Connecting to us.logon.worldofwarcraft.com:3724..
[7:24:27 PM] [WWRL] Connected!
[7:24:27 PM] [SEND] 0x0002 (WOW_AUTH_INFO)...
[7:24:27 PM] [RECV] 0x0000 (WOW_AUTH_CHALLENGE)
[7:24:27 PM] B: 0x00000000
[7:24:27 PM] G: 5736481527823200912463412246178819491513660317295005690107323775009437258391897391394106808308017742919194437160303542625583989095660615236121711634207346582432470141
[7:24:27 PM] N: 2273379765382990992853841427106363648285682357372731
[7:24:27 PM] S: 0x00370000
[7:24:27 PM] CK: 0x00000

Which brings us to our next point. What do I do instead of scream when the server sends out packets in more than one piece?

Warrior

Hmm:
Check if the packet sent is the length specified; if not, store whatever was sent in a temporary buffer, and the next time you receive data, append however many bytes were received until you reach the next header to your temporary buffer, then pass that to your handler.
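Warrior's temporary-buffer approach as an added Python example (not code from the thread). The server-side packets in this thread carry no length field, so the length is looked up by packet ID; the table holds the two S>C lengths Hdx lists further down (0x00 = 118, 0x01 = 26), the buffer cap is an assumed limit, and the stream in demo() is constructed test data.

```python
# Added example: reassemble length-known-by-ID packets from a TCP stream that
# may deliver them in arbitrary pieces.  Lengths are the S>C values quoted in
# the thread; any other leading ID means the stream can no longer be framed.
PACKET_LENGTHS = {0x00: 118, 0x01: 26}


class Reassembler:
    def __init__(self, lengths=PACKET_LENGTHS, max_buffer=4096):
        self.lengths = lengths
        self.max_buffer = max_buffer   # assumed cap so a peer cannot grow the buffer forever
        self.buf = bytearray()

    def feed(self, chunk: bytes) -> list:
        """Append received bytes and return every complete packet now available."""
        self.buf += chunk
        if len(self.buf) > self.max_buffer:
            raise ValueError("receive buffer overflow")
        packets = []
        while self.buf:
            pid = self.buf[0]
            if pid not in self.lengths:
                raise ValueError(f"unknown packet id 0x{pid:02X}; cannot frame the stream")
            need = self.lengths[pid]
            if len(self.buf) < need:
                break                  # keep the partial packet until more data arrives
            packets.append(bytes(self.buf[:need]))
            del self.buf[:need]
        return packets


def demo():
    """Two constructed packets (ids 0x00 and 0x01) delivered in three uneven chunks."""
    stream = bytes([0x00]) + bytes(range(1, 118)) + bytes([0x01]) + b"\xAA" * 25
    r = Reassembler()
    got = []
    for start, end in ((0, 40), (40, 130), (130, len(stream))):
        got += r.feed(stream[start:end])
    return got
```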

Hdx

Quote
Packet S>C 0x10CA (WOW_REALMLIST)

Header {
  (BYTE)  ID      (0x10)
  (BYTE)  Sub ID  (0xCA)
}

(BYTE)    Unknown (0x0D)
(DWORD)   Unknown (0x00)
(DWORD)   Unknown (0x55000000)
(WORD)    Unknown (0x0000)

For Each server {
  (NTSTR) Server Name ('Eldre'Thalas')       ('Shadow Council')     ('Draenor')
....
I have a theory that it's more like this:
Quote
Packet S>C 0x10CA (WOW_REALMLIST)

Header {
  (BYTE)  ID      (0x10)
  (BYTE)  Sub ID  (0xCA)
}

(BYTE)    Unknown (0x0D)
(DWORD)   Unknown (0x00)
(DWORD)   Number_Of_Servers (0x00000001)

For Each server {
  (WORD) Unknown (0x00)
  (NTSTR) Server Name ('Eldre'Thalas')       ('Shadow Council')     ('Draenor')
Also
55 00 00 00 = 0x00000055 (85), not 0x55000000 (1,426,063,360), doesn't it?

0000:  10 2F 00 00 00 00 00 01 00 00 00 00 00 55 6C 74   ./...........Ult
0010:  72 61 20 57 6F 57 00 37 30 2E 38 36 2E 34 37 2E   ra WoW.70.86.47.
0020:  31 34 36 3A 38 30 38 35 00 00 00 00 3F 00 01 00   146:8085....?...
0030:  02 00                                             ..

Yes, I'm using an emulated server, but don't yell at me, I can't afford the time cards.
~-~(HDX)~-~

Proud host of the JBLS server www.JBLS.org.
JBLS.org Status:
JBLS/BNLS Server Status

Blaze

Quote
Mitosis: Haha, I'm great, aren't I!
hismajesty[yL]: No

UserLoser.

Quote from: Vote Joe! on August 12, 2005, 08:25 PM
Which brings us to our next point. What do I do instead of scream when the server sends out packets in more than one piece?

I do not recall that at all in the logon protocol, so maybe you're doing something wrong...and those variables the server sent you look horribly wrong.

Joe[x86]

Blaze, yes. On the list, it tells if it's PvE (Normal), RP, or PvP.

UserLoser, 200 million bucks says it's on my side.

                Case &H0
                    Call AddChat(frmMain.rtbChat, True, vbGreen, "[RECV] 0x0000 (WOW_AUTH_CHALLENGE)")
                    With WoWDebuff
                        .Buffer = S
                       
                        .RemoveVoid 2           'Remove PacketID and ErrorCode
                        .RemoveVoid 1           'Remove the unused byte that follows
                       
                        Dim B As String, G As String, N As String, Salt As String, CK As String
                       
                        'B, the salt and the checksum key are fixed-size blobs (32, 32 and 16 bytes);
                        'G and N are each prefixed with a one-byte length.
                        Let B = .RemoveVoid(32)
                        Call AddChat(frmMain.rtbChat, True, vbYellow, "B: 0x" & ToHex(B))
                       
                        Let G = .RemoveVoid(Asc(.RemoveVoid(1)))
                        Call AddChat(frmMain.rtbChat, True, vbYellow, "G: 0x" & ToHex(G))
                       
                        Let N = .RemoveVoid(Asc(.RemoveVoid(1)))
                        Call AddChat(frmMain.rtbChat, True, vbYellow, "N: 0x" & ToHex(N))
                       
                        Salt = .RemoveVoid(32)
                        Call AddChat(frmMain.rtbChat, True, vbYellow, "S: 0x" & ToHex(Salt))
                       
                        CK = .RemoveVoid(16)
                        Call AddChat(frmMain.rtbChat, True, vbYellow, "CK: 0x" & ToHex(CK))
                       
                        '00 00 00 A4 D1 6A 32 A8 B8 35 0D 7E 2E DD 81 2A
                        '07 95 CE 50 C6 6A 15 50 3E EF 91 77 5A 88 A8 03
                        'C4 3F AE 01 07 20 89 4B 64 5E 89 E1 53 5B BD AD
                        '5B 8B 29 06 50 53 08 01 B1 8E BF BF 5E 8F AB 3C
                        '82 87 2A 3E 9B B7 C6 5A C3 A6 6A 0F DF A1 79 AB
                        'D8 86 DC AD F6 9E E0 20 2F 65 8D 8C 16 AD 25 C5
                        '41 EE E5 BE C7 1C A1 03 9D 3C 27 60 36 1A 5F 02
                        '6F E4 1C 65 D6 4F
                    End With

UserLoser.


Hdx

Meh, Just thought I'd Finish this one up:
Quote
Message ID: 0x00
Message SubID: 0x02
Message Name: WOW_AUTH_INFO
Format:
   (BYTE) ID
   (BYTE) SubID
   (WORD) Data Length
   (DWORD) Product ID
   (Byte) EXE Major ver
   (Byte) EXE Minor ver
   (Byte) EXE Revision number
   (WORD) EXE Build number
   (DWORD) Platform ID
   (DWORD) OS abbreviation
   (DWORD) LanguageID
   (DWORD) TimeZone offset
   (DWORD) Local IP
   (BYTE) Username Length
   (VOID) Username

Remarks:
   The Data Length field covers all the data following it, not including the ID, SubID, or its own field.
   An easy way to determine this is simply length of the username + 30.
This is an example of how I used it / why you want this iono :P

Public Sub Build_WOW_AUTH_INFO(sExePath As String, sUsername As String)
    With pOut
        .iBYTE 0 'ID
        .iBYTE 2 'SubID
        .iWORD Len(sUsername) + 30 'Data length, excluding the header and this field
        .iDWORD &H576F57 'ProdID ("WoW")
        Dim sVerParts() As String
        sVerParts = Split(Replace(GetVersionInfo(sExePath), Space(1), vbNullString), ",", 4)
        '^~~~Get the version info. GetVersionInfo() returns a string such as: 1, 6, 0, 4500
        'Extracted from the EXE under the \StringFileInfo\000004B0\FileVersion property.
        .iBYTE Val(sVerParts(0)) 'Major ver
        .iBYTE Val(sVerParts(1)) 'Minor ver
        .iBYTE Val(sVerParts(2)) 'Revision
        .iWORD Val(sVerParts(3)) 'Build
        .iDWORD &H783836 'PlatformID (appears as "68x" on the wire)
        .iDWORD &H57696E 'OS ("niW")
        .iDWORD &H656E5553 'Language ("SUne")
        .iDWORD -480 'Time zone offset in minutes (UTC-8)
        .iDWORD &HA00A8C0 'Local IP address ("192.168.0.10")
        .iBYTE Len(sUsername) 'Length of Username
        .iVoid sUsername 'Username
    End With
End Sub

UL do me a favor, GET ON AIM!! I wanna talk to you.
Currently known IDs and lengths associated with them:
0x00 = 118
0x01 = 26
I have NEVER seen either of those packets with a different length.
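Hdx's layout as an added Python example (not code from the thread). The four-character fields are packed as little-endian DWORDs, which is why they show up reversed ("niW", "SUne") in the dumps; the version 1.6.1, build 4544, time zone and local IP defaults are sample values taken from the posts above, and fourcc() and data_length_ok() are helpers introduced here.

```python
import socket
import struct

# Added example: build WOW_AUTH_INFO (C>S 0x0002) in the layout Hdx gives above.


def fourcc(tag: str) -> int:
    """'x86' -> 0x783836, so that '<I' packing emits it backwards on the wire ('68x\\0')."""
    return int.from_bytes(tag.encode("ascii"), "big")


def build_auth_info(username: str, version=(1, 6, 1), build=4544,
                    platform="x86", os_tag="Win", lang="enUS",
                    tz_minutes=-480, local_ip="192.168.0.10") -> bytes:
    name = username.encode("ascii")
    if not 0 < len(name) < 256:
        raise ValueError("username must fit in a one-byte length field")
    body = struct.pack(
        "<I3BH3Ii4sB",
        fourcc("WoW"),                # product id
        *version,                     # major, minor, revision (one byte each)
        build,                        # build number (WORD)
        fourcc(platform),             # platform id
        fourcc(os_tag),               # OS abbreviation
        fourcc(lang),                 # language id
        tz_minutes,                   # time zone offset in minutes (signed)
        socket.inet_aton(local_ip),   # local IP, 4 raw bytes
        len(name),                    # username length
    ) + name
    # Data length counts everything after its own field: 30 fixed bytes + username.
    return struct.pack("<BBH", 0x00, 0x02, len(body)) + body


def data_length_ok(packet: bytes) -> bool:
    """Check the WORD at offset 2 against the actual payload size."""
    return len(packet) >= 4 and struct.unpack_from("<H", packet, 2)[0] == len(packet) - 4
```

For the account name in the first post, INSANEJOEY, the length field comes out as 0x0028, the byte that post lists as an unknown constant.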

LivedKrad

Stickied. Eventually this thread may go into the depths of the void, I want it to be seen.