Originally Posted by
newfag
would anyone be so kind as to provide me with any pointers (pun intended) to the 1.12.1 sessionkey?
Look at this for session and auth related info: GitHub - namreeb/wowned: Authentication bypass for outdated WoW emulation authentication servers
Specifically: wowned/misc.hpp at master · namreeb/wowned · GitHub
Originally Posted by
newfag
would anyone be so kind as to provide me with any pointers (pun intended) to the 1.12.1 sessionkey?
are you talking about this?
offsets:
Code:
00C28114 g_clientConnection
structs:
Code:
// Reverse-engineered layout of the client's NetClient object (the object that
// the global g_clientConnection at 0x00C28114 points to). Offsets assume
// 32-bit pointers and no compiler padding, which holds because every field is
// 4-byte aligned:
//   vmt                   0x0000
//   m_loginData           0x0004  (0x6C bytes: 64 + 4 + 40, see LoginData)
//   m_netState            0x0070  the SendPacket disassembly later in the
//                                 thread tests [this+0x70] == 6 before sending
//   m_handlers            0x0074  828 entries * 4 = 0xCF0 bytes
//   m_handlerParams       0x0D64  828 entries * 4 = 0xCF0 bytes
//   m_netEventQueue       0x1A54
//   m_serverConnection    0x1A58  [this+0x1A58] in the same disassembly; the
//                                 object the C chat-dump example models as
//                                 serverconnection_t
//   m_refCount            0x1A5C
//   m_deleteMe            0x1A60
//   m_pingSent            0x1A64
//   m_pingSequence        0x1A68
//   m_latency             0x1A6C  16 ints
//   m_latencyStart        0x1AAC
//   m_latencyEnd          0x1AB0
//   m_bytesSent           0x1AB4  [this+0x1AB4] += bytes in the same disassembly
//   m_bytesReceived       0x1AB8
//   m_connectedTimestamp  0x1ABC
// NetClientVMT, LoginData, NETMESSAGE and CDataStore are client types; only
// LoginData is defined on this page. __fastcall is the handler calling
// convention as posted (MSVC: first two integer arguments in ECX/EDX).
struct NetClient
{
NetClientVMT *vmt;
LoginData m_loginData;
int m_netState;
int (__fastcall *m_handlers[828])(void *, NETMESSAGE, unsigned int, CDataStore *);
void *m_handlerParams[828];
int m_netEventQueue;
WowConnection *m_serverConnection;
int m_refCount;
int m_deleteMe;
int m_pingSent;
int m_pingSequence;
int m_latency[16];
int m_latencyStart;
int m_latencyEnd;
int m_bytesSent;
int m_bytesReceived;
int m_connectedTimestamp;
};
Code:
// Login state embedded in NetClient at +0x04 (0x6C bytes):
//   m_account        +0x00  64-byte account name
//   m_loginServerId  +0x40
//   m_sessionKey     +0x44  40 bytes - the same 0x28 the client later stores as
//                           the key size in the SendPacket disassembly further
//                           down the thread. This is the value the original
//                           question asks for; inside NetClient it sits at +0x48.
struct LoginData
{
char m_account[64];
int m_loginServerId;
char m_sessionKey[40];
};
Originally Posted by
namreeb
excellent, thank you!
Originally Posted by
danwins
are you talking about this?
offsets:
Code:
00C28114 g_clientConnection
structs:
Code:
// (Quoted from the earlier reply.) With 32-bit pointers and no padding,
// m_netState is at +0x70 and m_serverConnection at +0x1A58, which matches the
// [ESI+70] and [ESI+1A58] accesses in the SendPacket disassembly later in the
// thread; m_bytesSent lands at +0x1AB4, also updated there.
struct NetClient
{
NetClientVMT *vmt;
LoginData m_loginData;
int m_netState;
int (__fastcall *m_handlers[828])(void *, NETMESSAGE, unsigned int, CDataStore *);
void *m_handlerParams[828];
int m_netEventQueue;
WowConnection *m_serverConnection;
int m_refCount;
int m_deleteMe;
int m_pingSent;
int m_pingSequence;
int m_latency[16];
int m_latencyStart;
int m_latencyEnd;
int m_bytesSent;
int m_bytesReceived;
int m_connectedTimestamp;
};
Code:
// (Quoted from the earlier reply.) The 40-byte session key is at +0x44 of this
// record, i.e. NetClient+0x48 given that m_loginData starts at +0x04.
struct LoginData
{
char m_account[64];
int m_loginServerId;
char m_sessionKey[40];
};
thanks very much!
so i just spent the better part of the last three days learning assembly/disassembly and tons of other stuff.
this post is paying it forward to the next guy - who like me two weeks ago - is looking into fidgeting with wow/vanilla on linux / bsd through means of wine and shared object preloading.
the following is a minimal, yet complete and self-contained example of chat dump functionality written in C.
it works by preloading (linking) wine with a custom 'recvmsg' function, which calls the libc 'recvmsg' function and then decrypts and interprets the packet.
like this: wow.exe -> wine -> chatdump.so -> libc -> kernel
compile:
Code:
# 32-bit build (-m32) to match the 32-bit WoW.exe that wine runs; -D_GNU_SOURCE
# is what exposes RTLD_NEXT (used by the recvmsg hook's dlsym) in glibc's dlfcn.h.
gcc -m32 -Wall -g -shared -fPIC -D_GNU_SOURCE chatdump.c -o chatdump.so
run:
Code:
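# LD_PRELOAD is inherited by every process wine starts, so the hook ends up in
# the client. The executable path is quoted so a WOWPATH containing spaces still
# works; stderr (wine's own chatter) is discarded, the chat lines go to stdout.
LD_PRELOAD="$PWD/chatdump.so" wine "$WOWPATH/WoW.exe" 2> /dev/null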
output:
Code:
[world] [00079045]: Tank LFG, ubrs, or dm w
[world] [000e31e7]: LFG BFD
[world] [0008ee3c]: LF tank ulda
[world] [000e31e7]: LF3M BFD tank healer and dps
[world] [000e31e7]: LFM BFD need tank
[Trade - City] [00065101]: no enchanters?
source: [chatdump.c]
Code:
#include <dlfcn.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#define SMSG_MESSAGECHAT 0x096 // server->client chat opcode; the only one recvmsg() below acts on
#define CHAT_MSG_CHANNEL 0x0e  // chat type byte (first payload byte) for channel messages
// Partial layout of the object NetClient+0x1A58 points to, limited to the
// fields the hook needs. The // offsets are relative to the object start and
// follow from the uint8_t pad arrays (no alignment padding is introduced: the
// pointer at 0x128 is naturally aligned). The SendPacket disassembly later in
// the thread writes exactly these slots: [+0x127] = 0x28, [+0x126] = 2,
// [+0x128] = key pointer, and tests [+0x120].
typedef struct {
uint8_t pad_120[0x120];
uint8_t cryptavailable; // 0x120  recvmsg() ignores packets while this is 0
uint8_t pad_124[0x3];
uint8_t sessionkey_i; // 0x124  index of the next key byte (cursor into the key)
uint8_t sessionkey_j; // 0x125  previous obfuscated byte (see decrypt())
uint8_t opcodelen; // 0x126  number of leading header bytes that are obfuscated
uint8_t sessionkey_size; // 0x127  key length in bytes (0x28 = 40 per the disassembly)
uint8_t *sessionkey_base; // 0x128  pointer to the session key bytes
} serverconnection_t;
// The NetClient object; only the server-connection pointer is modelled. The
// offset agrees with m_serverConnection in the NetClient struct posted earlier.
typedef struct {
uint8_t pad_1a58[0x1a58];
serverconnection_t *serverconnection; // 0x1a58
} netclient_t;
// "Struct" spanning the client image from address 0 so that, with a base
// pointer of 0, wow->netclient is a read of the global g_clientConnection at
// 0x00C28114 (the offset posted earlier in the thread).
typedef struct {
uint8_t pad_c28114[0xc28114];
netclient_t *netclient; // 0x00c28114
} wow_t;
// Base pointer 0: every member access through it is an absolute address in the
// client's process, which is where this .so lives (LD_PRELOAD). Formally that is
// a null-pointer dereference in C; the posted build uses no -O level, so the
// compiler is unlikely to exploit it, but keep that in mind when changing flags.
wow_t *wow = (wow_t *)0x00000000;
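// Reverse the header obfuscation on `length` bytes of `data`, in place.
//
// Per byte: out = (in - j) ^ key[i], then j = in (the previous *obfuscated*
// byte) and i advances cyclically through the key. i, j, the key pointer and
// the key length are read from the live connection object via the
// absolute-address `wow` chain, but the cursor is kept local and NOT written
// back: the client parses the same header itself after recvmsg() returns, so
// advancing its copy here would desynchronise it (inferred from where the
// hook sits - confirm).
//
// data:   bytes to transform; recvmsg() passes a local copy of the opcode only
// length: byte count; <= 0 is a no-op
//
// Returns nothing. If there is no connection object yet, or it has no usable
// key (NULL pointer or zero length), the data is left untouched instead of
// dereferencing NULL or dividing by zero in `i %= size`.
void decrypt(uint8_t *data, int length)
{
    if (data == NULL || length <= 0)
        return;
    if (wow->netclient == NULL || wow->netclient->serverconnection == NULL)
        return;
    const serverconnection_t *conn = wow->netclient->serverconnection;
    uint8_t i = conn->sessionkey_i;
    uint8_t j = conn->sessionkey_j;
    const uint8_t size = conn->sessionkey_size;
    const uint8_t *key = conn->sessionkey_base;
    if (key == NULL || size == 0)
        return;
    while (length-- > 0) {
        const uint8_t in = *data;
        *data++ = (uint8_t)((in - j) ^ key[i++]);
        j = in;
        i %= size; // keep the cursor inside the key
    }
}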
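// LD_PRELOAD interposer for recvmsg(3). The real libc recvmsg is called first;
// afterwards, once the connection object reports header encryption as active,
// the bytes just received are inspected and channel chat lines are printed as
// "[channel] [sender guid]: text".
//
// Every byte inspected here came off the wire and is under the server's
// control, so each offset is validated against the number of bytes actually
// received (bounded to the first iovec) before it is read. A chat message that
// is not entirely contained in this one recvmsg() result is skipped instead of
// read past the buffer. The posted `bytesread` reassembly counter was never
// advanced, so dropping it changes nothing.
//
// sockfd, msg, flags: forwarded unchanged to the real recvmsg.
// Returns the real recvmsg's result unchanged; if the real function cannot be
// resolved, returns -1 with errno = ENOSYS. The receive buffer is never
// modified: the opcode is decrypted in a local copy.
ssize_t recvmsg(int sockfd, struct msghdr *msg, int flags)
{
    // Resolve the next recvmsg in link order once instead of on every call.
    static ssize_t (*real_recvmsg)(int, struct msghdr *, int) = NULL;
    if (real_recvmsg == NULL) {
        real_recvmsg = (ssize_t (*)(int, struct msghdr *, int))dlsym(RTLD_NEXT, "recvmsg");
        if (real_recvmsg == NULL) {
            errno = ENOSYS;
            return -1;
        }
    }
    ssize_t retval = real_recvmsg(sockfd, msg, flags);

    // Gate kept from the posted version: skip results of at most 2 bytes and
    // low descriptors (a heuristic for "not the game socket" - confirm), and do
    // nothing until the connection object exists and reports crypt as active.
    if (retval <= 2 || sockfd < 50 || wow->netclient == NULL ||
        wow->netclient->serverconnection == NULL ||
        wow->netclient->serverconnection->cryptavailable == 0)
        return retval;
    if (msg == NULL || msg->msg_iov == NULL || msg->msg_iovlen == 0 ||
        msg->msg_iov[0].iov_base == NULL)
        return retval;

    // Only the first iovec is examined, as in the posted version.
    const uint8_t *base = (const uint8_t *)msg->msg_iov[0].iov_base;
    size_t avail = (size_t)retval;
    if (avail > msg->msg_iov[0].iov_len)
        avail = msg->msg_iov[0].iov_len;

    // The opcode occupies the first bytes and only `opcodelen` of them are
    // obfuscated. Decrypt a copy so the client still sees the raw header, and
    // refuse an opcodelen larger than the copy (the posted code would have
    // written past its 2-byte local).
    uint8_t opcodelen = wow->netclient->serverconnection->opcodelen;
    uint16_t opcode;
    if (opcodelen > sizeof(opcode) || avail < sizeof(opcode))
        return retval;
    memcpy(&opcode, base, sizeof(opcode));
    decrypt((uint8_t *)&opcode, opcodelen);
    if (opcode != SMSG_MESSAGECHAT)
        return retval;

    // Layout consumed below, offsets from the start of the opcode:
    //   [2]    chat type byte
    //   [7]    NUL-terminated channel name
    // and, relative to the byte after that NUL:
    //   +0x00  4 bytes skipped
    //   +0x04  8-byte sender GUID (read as a host-order uint64, as posted)
    //   +0x0C  4 bytes skipped
    //   +0x10  NUL-terminated message text
    if (avail < 8 || base[2] != CHAT_MSG_CHANNEL)
        return retval;
    const char *channel = (const char *)base + 7;
    const uint8_t *name_end = memchr(channel, '\0', avail - 7);
    if (name_end == NULL)
        return retval;
    size_t after = (size_t)(name_end - base) + 1;
    if (avail < after + 0x10 + 1)
        return retval;
    uint64_t guid;
    memcpy(&guid, base + after + 0x4, sizeof(guid)); // memcpy: the field is unaligned
    const char *text = (const char *)base + after + 0x10;
    if (memchr(text, '\0', avail - (after + 0x10)) == NULL)
        return retval;
    printf("[%s] [%08llx]: %s\n", channel, (unsigned long long)guid, text);
    return retval;
}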
Last edited by newfag; 07-12-2017 at 10:41 PM.
anybody got an offset to the function which resolves a guid's name?
Got working Spectate mode on WoW 1.12 - it wasn't available until 2.x -
This is the url of the project in case anyone is interested Bugcraft Studio
Last edited by karliky; 07-16-2017 at 11:34 AM.
anyone wanna help me with dostring? currently it crashes, but i have seen it done this way in several other bots.
i am calling it in a codecave when the thread is paused
// Stub assembled into the code cave: calls the client's Lua DoString at
// 0x00704CD0 with EDX = 0 and ECX = the `codecave` address (presumably where
// the script string was written - not shown). Register usage is as posted;
// DoString's signature is not given on this page.
// Note that `"call " + 0x00704CD0` renders the int in DECIMAL ("call 7359696"),
// which the assembler has to accept. The reply below attributes the crash to
// running this from a suspended foreign thread rather than the client's own
// main/render thread.
Globals.Magic.Asm.AddLine("mov edx, 0");
Globals.Magic.Asm.AddLine("mov ecx, " + codecave);
Globals.Magic.Asm.AddLine("call " + 0x00704CD0);
Globals.Magic.Asm.AddLine("retn");
when done like this it occasionally crashes, always with "unable to read mem at 006F876A".
also sometimes there are weird errors like other lua functions bugging out; i'm thinking some parameter is wrong.
Because you have to do these calls from the main thread (a.k.a. end scene).
As a safety check, the best thing you can do is to verify, every time before these calls, that the local player pointer is not zero:
Code:
// Pre-call safety check suggested in this reply: look the local player up by
// GUID in the client's object manager and only issue Lua calls when the lookup
// yields a non-zero pointer. The first four lines run in the bot process; the
// quoted strings are assembly for the injected stub (their trailing commas are
// as posted - items of a string array not shown here).
var pGuid = Globals.Magic.ReadUInt64(Globals.Magic.ReadUInt(0x00B41414) + 0xC0); // local player GUID: [[0x00B41414] + 0xC0]
var low = (uint)(pGuid & 0xFFFFFFFF);          // 64-bit GUID split into two dwords ...
var high = (uint)((pGuid >> 32) & 0xFFFFFFFF); // ... because it is passed on the 32-bit stack
var localPlayerPtr = 0;                        // NOTE(review): used as an address by the last mov below; 0 as posted
"push, 0" //source code line used for debugging (the `line` argument). NOTE(review): the comma makes this invalid assembly; `push 0` is presumably meant
"push " + high, //local player's GUID ...
"push " + low, //... passed as 2 x 32 bit (high pushed first, so the low dword ends up at the lower address)
"mov ecx, 0x10", //typemask, 0x10 = player
"call 0x00468460", //ClntObjMgrObjectPtr(TypeMask typeMask, const char *fileName, __int64 guid, const int line). NOTE(review): fileName is not set up by these lines; confirm what the callee expects in EDX
"mov eax, [" + localPlayerPtr + "]", // NOTE(review): loads from address localPlayerPtr (0 here) and overwrites the pointer the call returned in EAX; a store of EAX into a bot-allocated slot (`mov [slot], eax`) looks intended - confirm
"retn",
Last edited by tutrakan; 08-05-2017 at 06:17 PM.
to check if the player exists i just read a byte at 0xB4B424; if it's nonzero he's ingame
but how do i do endscene? what thread is that?
i'm using blackmagic, would it be
magic.mainmodule.baseaddr ?
i think i'm already doing that because i do magic.SuspendThread and the game freezes..
Last edited by alwaysLate..; 08-05-2017 at 03:29 PM.
Originally Posted by
alwaysLate..
to check if player exists i just read a byte at 0xB4B424 if its nonzero hes ingame ...
That's wrong.
And please, open a new thread for such basic questions, or even better: use the search options or google before asking here
P.S. Practically, what we all do is to hook the wow client while it graphically renders its stuff. At that moment we are called from the game's painting callback and we assume that all objects are set up. That callback occurs about every 10 ms. Please, somebody correct me if i'm talking nonsense.
Last edited by tutrakan; 08-06-2017 at 12:54 AM.
Hey can someone provide me the ChatBufferStart and NextMessage offset/address?
Hello,
chatBufferStart = 0xB50580
NextMessage = 0x800
chatBufferPos = 0xB6E5D4
correct sendpacket?
Vanilla
Delphi code
Code:
// Client addresses as posted (vanilla client; Delphi hex literals).
g_clientConnection = $00C28114;            // address of the GLOBAL that holds the NetClient pointer - not the object itself
g_clientConnection_Offset = $40;           // not used by the procedure below
ClientConnection__SendPacket = $005379A0;  // NetClient::Send: `this` in ECX, one stack argument (a data-store record), RETN 4
// As posted. The reply below calls this "correct SendPacket but invalid usage":
//  - `MOV ECX, g_clientConnection` loads the constant $00C28114, i.e. the
//    address of the global, whereas the callee treats ECX as the NetClient
//    object (it reads [ECX+$70] and [ECX+$1A58]; see the disassembly later in
//    the thread). The pointer STORED at $00C28114 is what has to be in ECX.
//  - The single stack argument must point to a data-store record (the callee
//    reads Size at +$10 and Read at +$14), not at the raw bytes of `buffer`.
Procedure Sendpacket(buffer: Array of Byte);
begin
asm
MOV EDX, buffer                 // open array parameter: presumably the pointer to its first element
PUSH EDX                        // becomes the callee's [EBP+8]
MOV ECX, g_clientConnection     // see note above: constant, not the dereferenced pointer
MOV EAX, ClientConnection__SendPacket
CALL EAX
end;
end;
what is the base address?
Last edited by thebad.cb; 09-17-2017 at 12:07 PM.
Originally Posted by
thebad.cb
correct sendpacket?
Vanilla
Delphi code
Code:
// (Quoted from the question above.) $00C28114 is the address of the global
// holding the NetClient pointer; $005379A0 is NetClient::Send (RETN 4).
g_clientConnection = $00C28114;
g_clientConnection_Offset = $40;   // unused
ClientConnection__SendPacket = $005379A0;
// (Quoted from the question above.) Two problems the answer addresses: ECX
// receives the constant $00C28114 instead of the NetClient pointer stored
// there, and the pushed argument is a raw byte pointer rather than the
// data-store record the callee reads Size (+$10) and Read (+$14) from.
Procedure Sendpacket(buffer: Array of Byte);
begin
asm
MOV EDX, buffer
PUSH EDX
MOV ECX, g_clientConnection
MOV EAX, ClientConnection__SendPacket
CALL EAX
end;
end;
what is the base address?
Correct SendPacket but invalid usage.
Code:
type
PDataStore = ^TDataStore;
// Mirror of the client's CDataStore as far as NetClient::Send needs it.
// Packed, 32-bit: vTable +$00, Buffer +$04, Base +$08, Alloc +$0C, Size +$10,
// Read +$14 (24 bytes). The visible part of the callee reads only Size and
// Read and sends Size - Read bytes; the routine at $005B5630 that receives
// the record is not shown on this page.
TDataStore = packed record
vTable : Pointer; // +$00  left nil by SendPacket; the shown callee code never touches it
Buffer : PByteArray; // or Pointer to avoid SysUtils unit   (+$04, points at the caller's bytes)
Base : Integer; // +$08
Alloc : Integer; // +$0C
Size : Integer; // +$10  byte count the callee uses
Read : Integer; // +$14  subtracted from Size by the callee
end;
const
// Presumably returns the NetClient pointer (the value stored at $00C28114);
// its result is what SendPacket passes as `this`.
ClientServices__Connection: function: Pointer = Pointer($005AB490);
// Same address as ClientConnection__SendPacket in the question. Declared with
// Delphi's default `register` convention so that the two dummy parameters take
// EAX and EDX and `__this` lands in ECX; the fourth parameter goes on the stack
// and is popped by the callee's RETN 4, which is exactly the __thiscall shape
// seen in the disassembly later in the thread.
NetClient__Send: procedure(__eax, __edx, __this: Pointer; DataStore: PDataStore) = Pointer($005379A0);
// Sends Length bytes starting at Data through the client's own NetClient::Send.
// A data-store record is built on the stack around the caller's buffer:
// vTable, Base and Read are zero, Size is Length and Alloc is the fixed $1000
// the posted code uses (the visible part of the callee only reads Size and
// Read). The connection object is fetched on every call.
procedure SendPacket(const Data; Length: Integer);
var
  Store: TDataStore;
begin
  FillChar(Store, SizeOf(Store), 0); // vTable := nil; Base := 0; Read := 0
  with Store do
  begin
    Buffer := @Data;
    Alloc := $1000;
    Size := Length;
  end;
  NetClient__Send(nil, nil, ClientServices__Connection(), @Store);
end;
Base is always the same pre-Cata.
I'm trying to make a hook on sendpacket
005379A0 55 PUSH EBP                                   ; NetClient::Send(this = ECX, datastore = [EBP+8]); RETN 4 at the end
005379A1 8BEC MOV EBP,ESP
005379A3 56 PUSH ESI
005379A4 8BF1 MOV ESI,ECX                              ; ESI = this (the object g_clientConnection points to)
005379A6 837E 70 06 CMP DWORD PTR DS:[ESI+70],6        ; m_netState (+0x70 per the NetClient struct above) must be 6 ...
005379AA 57 PUSH EDI
005379AB 75 78 JNZ SHORT errorRep.00537A25             ; ... otherwise nothing is sent
005379AD 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]          ; EAX = the data-store argument
005379B0 8B78 10 MOV EDI,DWORD PTR DS:[EAX+10]         ; EDI = Size (+0x10)
005379B3 2B78 14 SUB EDI,DWORD PTR DS:[EAX+14]         ; EDI -= Read (+0x14): bytes to send
005379B6 74 6D JE SHORT errorRep.00537A25              ; empty store -> return
005379B8 8B8E 581A0000 MOV ECX,DWORD PTR DS:[ESI+1A58] ; ECX = m_serverConnection (+0x1A58) as `this` for the next call
005379BE 6A 00 PUSH 0
005379C0 50 PUSH EAX
005379C1 E8 6ADC0700 CALL errorRep.005B5630            ; serverConnection->(005B5630)(datastore, 0); body not shown
005379C6 013D 5CD4C000 ADD DWORD PTR DS:[C0D45C],EDI   ; some global at 0xC0D45C += bytes sent (purpose not shown)
005379CC 8B96 B41A0000 MOV EDX,DWORD PTR DS:[ESI+1AB4] ; m_bytesSent (+0x1AB4) ...
005379D2 8B86 581A0000 MOV EAX,DWORD PTR DS:[ESI+1A58] ; EAX = m_serverConnection
005379D8 03D7 ADD EDX,EDI
005379DA 8996 B41A0000 MOV DWORD PTR DS:[ESI+1AB4],EDX ; ... += bytes sent
005379E0 8A88 20010000 MOV CL,BYTE PTR DS:[EAX+120]    ; serverConnection->cryptavailable (+0x120 in the C example above)
005379E6 84C9 TEST CL,CL
005379E8 75 3B JNZ SHORT errorRep.00537A25 <<<<<       ; already set up -> return (the poster's marker)
005379EA 8BCE MOV ECX,ESI
005379EC E8 5F000000 CALL errorRep.00537A50            ; this->(00537A50)(); its result is stored as the key pointer below
005379F1 8B8E 581A0000 MOV ECX,DWORD PTR DS:[ESI+1A58]
005379F7 8981 28010000 MOV DWORD PTR DS:[ECX+128],EAX  ; sessionkey_base (+0x128)
005379FD C681 27010000 28 MOV BYTE PTR DS:[ECX+127],28 ; sessionkey_size = 0x28 = 40, the size of LoginData::m_sessionKey
00537A04 8B86 581A0000 MOV EAX,DWORD PTR DS:[ESI+1A58]
00537A0A C680 23010000 04 MOV BYTE PTR DS:[EAX+123],4  ; +0x123 = 4 (not named in any struct on this page)
00537A11 C680 26010000 02 MOV BYTE PTR DS:[EAX+126],2  ; opcodelen = 2
00537A18 8B8E 581A0000 MOV ECX,DWORD PTR DS:[ESI+1A58]
00537A1E 6A 01 PUSH 1
00537A20 E8 9BF90700 CALL errorRep.005B73C0            ; serverConnection->(005B73C0)(1); not shown - presumably switches header encryption on
00537A25 5F POP EDI
00537A26 5E POP ESI
00537A27 5D POP EBP
00537A28 C2 0400 RETN 4                                ; __thiscall: the callee pops its single stack argument
// Patches a 5-byte relative JMP (E9 rel32) at Addr so that execution arriving
// at Addr continues in Func - the classic inline detour used for the SendPacket
// hook above. Code-page integrity checks that hash the client's text section
// will see exactly these five modified bytes.
//
// Func: the routine that receives control
// Addr: address of the first instruction being overwritten
//
// Points a reviewer would raise (left as posted):
//  - both VirtualProtect results are ignored; if the first call fails the
//    stores below fault on read-only code
//  - `mov dword ptr ds:[ecx], 0E9h` stores FOUR bytes (E9 00 00 00); the next
//    dword store to [ecx+1] then overwrites three of them, so the result is
//    right but a byte store is what is meant
//  - 10 bytes are unprotected although only 5 are written
//  - the instruction cache is not flushed after modifying executable bytes
procedure SetJMP(Func:Pointer; Addr: DWORD);
Var
RET: DWORD; // receives the previous page protection
begin
VirtualProtect(ptr(Addr), 10, PAGE_EXECUTE_READWRITE, Ret);
asm
mov eax, Func // target address
mov ecx, Addr // patch site
sub eax, ecx
sub eax, 05h // rel32 = Func - (Addr + 5): relative to the end of the 5-byte JMP
mov dword ptr ds:[ecx], 0E9h // JMP rel32 opcode (a dword store; see the note above)
mov dword ptr ds:[ecx+1], eax // the displacement
end;
VirtualProtect(ptr(Addr), 10, Ret, Ret); // restore the old protection; Ret doubles as the output parameter
end;
Last edited by thebad.cb; 09-17-2017 at 07:56 PM.