[WoW] 1.12.1.5875 Info Dump Thread


Page 34 of 41
Results 496 to 510 of 614
  1. #496
    namreeb
    Originally Posted by newfag
    would anyone be so kind as to provide me with any pointers (pun intended) to the 1.12.1 sessionkey?
    Look at this for session and auth related info: GitHub - namreeb/wowned: Authentication bypass for outdated WoW emulation authentication servers

    Specifically: wowned/misc.hpp at master * namreeb/wowned * GitHub

  3. #497
    danwins
    Originally Posted by newfag
    would anyone be so kind as to provide me with any pointers (pun intended) to the 1.12.1 sessionkey?
    are you talking about this?


    offsets:

    Code:
    00C28114  g_clientConnection
    structs:

    Code:
    struct NetClient
    {
      NetClientVMT *vmt;
      LoginData m_loginData;
      int m_netState;
      int (__fastcall *m_handlers[828])(void *, NETMESSAGE, unsigned int, CDataStore *);
      void *m_handlerParams[828];
      int m_netEventQueue;
      WowConnection *m_serverConnection;
      int m_refCount;
      int m_deleteMe;
      int m_pingSent;
      int m_pingSequence;
      int m_latency[16];
      int m_latencyStart;
      int m_latencyEnd;
      int m_bytesSent;
      int m_bytesReceived;
      int m_connectedTimestamp;
    };
    Code:
    struct LoginData
    {
      char m_account[64];
      int m_loginServerId;
      char m_sessionKey[40];
    };

  5. #498
    newfag
    excellent, thank you!

    Originally Posted by danwins
    are you talking about this?


    offsets:

    Code:
    00C28114  g_clientConnection
    structs:

    Code:
    struct NetClient
    {
      NetClientVMT *vmt;
      LoginData m_loginData;
      int m_netState;
      int (__fastcall *m_handlers[828])(void *, NETMESSAGE, unsigned int, CDataStore *);
      void *m_handlerParams[828];
      int m_netEventQueue;
      WowConnection *m_serverConnection;
      int m_refCount;
      int m_deleteMe;
      int m_pingSent;
      int m_pingSequence;
      int m_latency[16];
      int m_latencyStart;
      int m_latencyEnd;
      int m_bytesSent;
      int m_bytesReceived;
      int m_connectedTimestamp;
    };
    Code:
    struct LoginData
    {
      char m_account[64];
      int m_loginServerId;
      char m_sessionKey[40];
    };
    thanks very much!

  6. #499
    newfag
    So I just spent the better part of the last three days learning assembly/disassembly and tons of other stuff.

    This post is paying it forward to the next guy who, like me two weeks ago, is looking into fiddling with WoW/vanilla on Linux/BSD by means of Wine and shared object preloading.

    The following is a minimal, yet complete and self-contained example of chat dump functionality written in C.

    It works by linking (preloading) Wine with a custom 'recvmsg' function, which calls the libc 'recvmsg' function and then decrypts and interprets the packet.
    Like this: wow.exe -> wine -> chatdump.so -> libc -> kernel

    compile:
    Code:
    gcc -m32 -Wall -g -shared -fPIC -D_GNU_SOURCE chatdump.c -o chatdump.so
    run:
    Code:
    LD_PRELOAD="$PWD/chatdump.so" wine $WOWPATH/WoW.exe 2> /dev/null
    output:
    Code:
    [world] [00079045]:  Tank LFG, ubrs, or dm w 
    [world] [000e31e7]:  LFG BFD 
    [world] [0008ee3c]:  LF tank ulda
    [world] [000e31e7]:  LF3M BFD tank healer and dps
    [world] [000e31e7]:  LFM BFD need tank
    [Trade - City] [00065101]:  no enchanters?
    source: [chatdump.c]
    Code:
    #include <dlfcn.h>
    #include <inttypes.h>
    #include <stdint.h>
    #include <stdio.h>
    #include <string.h>
    #include <sys/socket.h>
    
    #define SMSG_MESSAGECHAT 0x096
    #define CHAT_MSG_CHANNEL 0x0e
    
    /* The client's server connection object; only the fields we read are named,
     * the rest is padding so that the offsets line up. */
    typedef struct {
    	uint8_t pad_120[0x120];
    	uint8_t cryptavailable; // 0x120: non-zero once header encryption is active
    	uint8_t pad_124[0x3];
    	uint8_t sessionkey_i;	// 0x124: receive cipher key index
    	uint8_t sessionkey_j;	// 0x125: receive cipher previous ciphertext byte
    	uint8_t opcodelen;  // 0x126: number of header bytes to decrypt
    	uint8_t sessionkey_size;  // 0x127: session key length
    	uint8_t *sessionkey_base; // 0x128: pointer to the session key
    } serverconnection_t;
    
    typedef struct {
    	uint8_t pad_1a58[0x1a58];
    	serverconnection_t *serverconnection; // 0x1a58
    } netclient_t;
    
    /* Padded so that wow->netclient, with wow == NULL, reads g_clientConnection at 0x00c28114. */
    typedef struct {
    	uint8_t pad_c28114[0xc28114];
    	netclient_t *netclient; // 0x00c28114
    } wow_t;
    
    wow_t *wow = (wow_t *)0x00000000;
    
    /* Decrypt length bytes in place from the client's current receive cipher state.
     * The state is only read, never written back: the client decrypts the same bytes itself. */
    void decrypt(uint8_t *data, int length)
    {
    	uint8_t i = wow->netclient->serverconnection->sessionkey_i;
    	uint8_t j = wow->netclient->serverconnection->sessionkey_j;
    	uint8_t size = wow->netclient->serverconnection->sessionkey_size;
    	uint8_t *key = wow->netclient->serverconnection->sessionkey_base;
    
    	while (length--) {
    		uint8_t v = (uint8_t)((*data - j) ^ key[i++]);
    		j = *data;
    		*data++ = v;
    		i %= size;
    	}
    }
    
    /* Replaces libc's recvmsg for the whole wine process (LD_PRELOAD). */
    ssize_t recvmsg(int sockfd, struct msghdr *msg, int flags)
    {
    	/* Resolve the real recvmsg once, not on every call. */
    	static ssize_t (*_recvmsg)(int, struct msghdr *, int) = NULL;
    	if (_recvmsg == NULL)
    		_recvmsg = (ssize_t (*)(int, struct msghdr *, int))dlsym(RTLD_NEXT, "recvmsg");
    	ssize_t retval = (*_recvmsg)(sockfd, msg, flags);
    
    	/* Skip short reads, low (non-game) descriptors and anything before encryption is active. */
    	if (retval <= 2 || sockfd < 50 || wow->netclient == NULL ||
    	    wow->netclient->serverconnection == NULL ||
    	    wow->netclient->serverconnection->cryptavailable == 0)
    		return retval;
    
    	static uint32_t bytesread = 0; /* offset within a message split over reads; always 0 here */
    	uint8_t *base = ((uint8_t *)msg->msg_iov->iov_base) - bytesread;
    	uint8_t opcodelen = wow->netclient->serverconnection->opcodelen;
    
    	/* Decrypt a copy of the opcode so the client's own buffer stays untouched. */
    	uint16_t opcode = *((uint16_t *)base);
    	if (bytesread == 0) {
    		decrypt((uint8_t *)&opcode, opcodelen);
    	}
    
    	switch (opcode) {
    	case SMSG_MESSAGECHAT:
    		/* type(1) language(4) channel\0 u32 sender_guid(8) u32 text_len text\0 */
    		if (*((uint8_t *)(base + 2)) == CHAT_MSG_CHANNEL) {
    			const char *channel = (char *)(base + 7);
    			uint8_t *rest = base + 7 + strlen(channel) + 1;
    			printf("[%s] [%08" PRIx64 "]:  %s\n", channel,
    			       *(uint64_t *)(rest + 0x4), (char *)(rest + 0x10));
    		}
    	}
    
    	bytesread = 0;
    	return retval;
    }
    Last edited by newfag; 07-12-2017 at 10:41 PM.

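The hook above walks the SMSG_MESSAGECHAT body with strlen() and fixed offsets, trusting whatever arrived on the socket; as an added example (not from the post), here is a bounds-checked parser for the same CHAT_MSG_CHANNEL layout, run on a constructed body. The chat_msg struct, the helper names and the rule that the declared text length may not exceed the bytes actually received are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHAT_MSG_CHANNEL 0x0e

typedef struct { char channel[64]; uint64_t sender; char text[256]; } chat_msg;
static chat_msg g_msg;   /* result slot used by main() below */
/* Copy a NUL-terminated field without reading past `left` input or `cap` output bytes;
 * returns bytes consumed including the NUL, or 0 if no terminator fits. */
static size_t take_str(const uint8_t *p, size_t left, char *dst, size_t cap)
{
	size_t n = 0;
	while (n < left && p[n] != 0)
		n++;
	if (n == left || n >= cap)
		return 0;
	memcpy(dst, p, n + 1);
	return n + 1;
}
/* Body after the 2-byte opcode, laid out as in the post: type(1) language(4) channel\0
 * u32 sender_guid(8) u32 text_len text\0. Every read is length-checked. 0 = ok, -1 = malformed. */
int parse_channel_chat(const uint8_t *body, size_t len, chat_msg *out)
{
	size_t pos = 5, n;
	uint32_t text_len;
	if (len < pos || body[0] != CHAT_MSG_CHANNEL)
		return -1;
	if ((n = take_str(body + pos, len - pos, out->channel, sizeof out->channel)) == 0)
		return -1;
	pos += n + 4;                          /* skip the u32 that follows the channel name */
	if (len < pos + 8 + 4)
		return -1;
	memcpy(&out->sender, body + pos, 8); pos += 8;   /* little-endian GUID (x86 host) */
	memcpy(&text_len, body + pos, 4); pos += 4;
	if (text_len > len - pos)              /* declared length is untrusted: bound it by what arrived */
		return -1;
	return take_str(body + pos, text_len, out->text, sizeof out->text) ? 0 : -1;
}
/* Constructed sample body (not a capture): channel "world", sender GUID 0x79045, text "LFG BFD". */
static const uint8_t SAMPLE_BODY[] = {
	CHAT_MSG_CHANNEL, 0, 0, 0, 0,          /* type, language */
	'w', 'o', 'r', 'l', 'd', 0,            /* channel name */
	0, 0, 0, 0,                            /* u32 after the name */
	0x45, 0x90, 0x07, 0, 0, 0, 0, 0,       /* sender GUID, little-endian */
	8, 0, 0, 0,                            /* declared text length incl. NUL */
	'L', 'F', 'G', ' ', 'B', 'F', 'D', 0 };

int main(void)
{
	if (parse_channel_chat(SAMPLE_BODY, sizeof SAMPLE_BODY, &g_msg) == 0)
		printf("[%s] [%08llx]:  %s\n", g_msg.channel, (unsigned long long)g_msg.sender, g_msg.text);
	return 0;
}
```

Truncating the same body anywhere (inside the channel name, before the GUID, or so that the declared text length overruns it) makes the parser return -1 instead of reading past the buffer.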
  8. #500
    newfag
    Anybody got an offset to the function which resolves a GUID's name?

  9. #501
    karliky
    Got working Spectate mode on WoW 1.12 - it wasn't available until 2.x -


    This is the URL of the project, in case anyone is interested: Bugcraft Studio
    Last edited by karliky; 07-16-2017 at 11:34 AM.

  11. #502
    alwaysLate..
    Anyone wanna help me with dostring? Currently it crashes, but I have seen it done this way in several other bots.

    I am calling it in a codecave when the thread is paused.

    Globals.Magic.Asm.AddLine("mov edx, 0");
    Globals.Magic.Asm.AddLine("mov ecx, " + codecave);
    Globals.Magic.Asm.AddLine("call " + 0x00704CD0);
    Globals.Magic.Asm.AddLine("retn");

    When done like this it occasionally crashes, always unable to read mem at 006F876A.

    Also, sometimes there are weird errors like other Lua functions bugging out; I'm thinking some parameter is wrong.

  12. #503
    tutrakan
    Because you have to do these calls from the main thread (a.k.a. EndScene).
    As a safety check, the best thing you can do is to verify every time before these calls that the local player is not zero:
    Code:
    var pGuid = Globals.Magic.ReadUInt64(Globals.Magic.ReadUInt(0x00B41414) + 0xC0);
    var low = (uint)(pGuid & 0xFFFFFFFF);
    var high = (uint)((pGuid >> 32) & 0xFFFFFFFF);
    var localPlayerPtr = 0;         // address of a dword you allocated in the target to receive the result

    "push 0",                       //source code line used for debugging
    "push " + high,                 //local player's GUID ...
    "push " + low,                  //... passed as 2 x 32 bit
    "mov ecx, 0x10",                //typemask, 0x10 = player
    "call 0x00468460",              //ClntObjMgrObjectPtr(TypeMask typeMask, const char *fileName, __int64 guid, const int line)
    "mov [" + localPlayerPtr + "], eax",   //store the returned object pointer (zero = no local player)
    "retn",
    Last edited by tutrakan; 08-05-2017 at 06:17 PM.

  13. #504
    alwaysLate..
    To check if the player exists I just read a byte at 0xB4B424; if it's nonzero he's in-game.

    But how do I do EndScene? What thread is that?

    I'm using BlackMagic; would it be

    magic.mainmodule.baseaddr ?

    I think I'm already doing that, because I do: magic.SuspendThread and the game freezes..
    Last edited by alwaysLate..; 08-05-2017 at 03:29 PM.

  14. #505
    tutrakan
    Originally Posted by alwaysLate..
    to check if player exists i just read a byte at 0xB4B424 if its nonzero hes ingame ...
    That's wrong.
    And please, open a new thread for such basic questions, or even better: use the search options or Google before asking here.

    P.S. Practically, what we all do is hook the WoW client while it graphically renders its stuff. At that moment we are called from the game's painting callback and we suppose that all objects are set up. That callback occurs about every 10 ms. Please, somebody correct me if I say nonsense.
    Last edited by tutrakan; 08-06-2017 at 12:54 AM.

  16. #506
    schiebung
    Hey, can someone provide me the ChatBufferStart and NextMessage offset/address?

  17. #507
    RivaLfr
    Hello,
    chatBufferStart = 0xB50580
    NextMessage = 0x800
    chatBufferPos = 0xB6E5D4
    Rival/Droidz

  18. #508
    thebad.cb
    correct sendpacket?

    Vanilla


    Delphi code
    Code:
      g_clientConnection        = $00C28114;
      g_clientConnection_Offset = $40;
      ClientConnection__SendPacket = $005379A0;
    
    Procedure Sendpacket(buffer: Array of Byte);
    begin
      asm
            MOV EDX, buffer
            PUSH EDX
            MOV ECX, g_clientConnection
            MOV EAX, ClientConnection__SendPacket
            CALL EAX
      end;
    end;

    what is the base address?
    Last edited by thebad.cb; 09-17-2017 at 12:07 PM.

  19. #509
    culino2
    Originally Posted by thebad.cb
    correct sendpacket?

    Vanilla


    Delphi code
    Code:
      g_clientConnection        = $00C28114;
      g_clientConnection_Offset = $40;
      ClientConnection__SendPacket = $005379A0;
    
    Procedure Sendpacket(buffer: Array of Byte);
    begin
      asm
            MOV EDX, buffer
            PUSH EDX
            MOV ECX, g_clientConnection
            MOV EAX, ClientConnection__SendPacket
            CALL EAX
      end;
    end;

    what is the base address?
    Correct SendPacket but invalid usage.
    Code:
    type
      PDataStore = ^TDataStore;
      TDataStore = packed record
        vTable  : Pointer;
        Buffer  : PByteArray; // or Pointer to avoid SysUtils unit
        Base    : Integer;
        Alloc   : Integer;
        Size    : Integer;
        Read    : Integer;
      end;
    
    const
      ClientServices__Connection: function: Pointer = Pointer($005AB490);
      NetClient__Send: procedure(__eax, __edx, __this: Pointer; DataStore: PDataStore) = Pointer($005379A0);
    
    procedure SendPacket(const Data; Length: Integer);
    var
      DS: TDataStore;
    begin
      DS.vTable := nil;
      DS.Buffer := @Data;
      DS.Size := Length;
      DS.Alloc := $1000;
      DS.Read := 0;
      DS.Base := 0;
    
      NetClient__Send(nil, nil, ClientServices__Connection(), @DS);
    end;
    Base is always the same pre-Cata.

  21. #510
    thebad.cb

    I'm trying to make a hook on sendpacket


    005379A0 55 PUSH EBP
    005379A1 8BEC MOV EBP,ESP
    005379A3 56 PUSH ESI
    005379A4 8BF1 MOV ESI,ECX
    005379A6 837E 70 06 CMP DWORD PTR DS:[ESI+70],6
    005379AA 57 PUSH EDI
    005379AB 75 78 JNZ SHORT errorRep.00537A25
    005379AD 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
    005379B0 8B78 10 MOV EDI,DWORD PTR DS:[EAX+10]
    005379B3 2B78 14 SUB EDI,DWORD PTR DS:[EAX+14]
    005379B6 74 6D JE SHORT errorRep.00537A25
    005379B8 8B8E 581A0000 MOV ECX,DWORD PTR DS:[ESI+1A58]
    005379BE 6A 00 PUSH 0
    005379C0 50 PUSH EAX
    005379C1 E8 6ADC0700 CALL errorRep.005B5630
    005379C6 013D 5CD4C000 ADD DWORD PTR DS:[C0D45C],EDI
    005379CC 8B96 B41A0000 MOV EDX,DWORD PTR DS:[ESI+1AB4]
    005379D2 8B86 581A0000 MOV EAX,DWORD PTR DS:[ESI+1A58]
    005379D8 03D7 ADD EDX,EDI
    005379DA 8996 B41A0000 MOV DWORD PTR DS:[ESI+1AB4],EDX
    005379E0 8A88 20010000 MOV CL,BYTE PTR DS:[EAX+120]
    005379E6 84C9 TEST CL,CL
    005379E8 75 3B JNZ SHORT errorRep.00537A25 <<<<<
    005379EA 8BCE MOV ECX,ESI
    005379EC E8 5F000000 CALL errorRep.00537A50
    005379F1 8B8E 581A0000 MOV ECX,DWORD PTR DS:[ESI+1A58]
    005379F7 8981 28010000 MOV DWORD PTR DS:[ECX+128],EAX
    005379FD C681 27010000 28 MOV BYTE PTR DS:[ECX+127],28
    00537A04 8B86 581A0000 MOV EAX,DWORD PTR DS:[ESI+1A58]
    00537A0A C680 23010000 04 MOV BYTE PTR DS:[EAX+123],4
    00537A11 C680 26010000 02 MOV BYTE PTR DS:[EAX+126],2
    00537A18 8B8E 581A0000 MOV ECX,DWORD PTR DS:[ESI+1A58]
    00537A1E 6A 01 PUSH 1
    00537A20 E8 9BF90700 CALL errorRep.005B73C0
    00537A25 5F POP EDI
    00537A26 5E POP ESI
    00537A27 5D POP EBP
    00537A28 C2 0400 RETN 4


    procedure SetJMP(Func: Pointer; Addr: DWORD);
    var
      Ret: DWORD;
    begin
      VirtualProtect(Ptr(Addr), 10, PAGE_EXECUTE_READWRITE, Ret);
      asm
        mov eax, Func
        mov ecx, Addr
        sub eax, ecx
        sub eax, 05h                      // rel32 = target - (Addr + 5)
        mov dword ptr ds:[ecx], 0E9h      // JMP rel32 opcode; its zero bytes are overwritten below
        mov dword ptr ds:[ecx+1], eax     // displacement in bytes 1..4
      end;
      VirtualProtect(Ptr(Addr), 10, Ret, Ret);
    end;
    Last edited by thebad.cb; 09-17-2017 at 07:56 PM.
