Need a program to find data from WoW.

  1. #31
    apollo0510 (Active Member)
    Ok. At least hypnodok doesn't mind.

    This is about finding the key that the WoW server uses to encrypt the message headers. My algorithm is able to calculate the key without knowledge of the login process.

    The message headers look like this:
    Code:
    #include <windows.h>   // WORD, DWORD
    
    #pragma pack(push, 1)  // the code below relies on sizeof(CLIENTHEADER) == 6
    struct CLIENTHEADER
    {
    	WORD  oplen;       // big-endian on the wire, counts opcode + payload
    	DWORD opcode;
    };
    
    struct SERVERHEADER
    {
    	WORD  oplen;
    	WORD  opcode;
    };
    #pragma pack(pop)
    The weakness of this definition is that the client header contains a lot of zeros and known bits for small messages. For example, the oplen is known if we have a non-fragmented message. Tests have shown that this is true for all messages with a length smaller than 256 bytes. Under special conditions, it is also possible to assume the opcode. Such a special condition can be created by right-clicking into the WoW window and turning the character heavily with the mouse for some seconds. You will find the one command for updating the player position repeated multiple times.

    Due to the poor encryption scheme that WoW uses, a single zero byte in the encrypted area stops the influence of former bytes in the stream. And because the client header contains multiple zeros, it is easy to see a repeating pattern after that in scenarios as described above. A manual analysis showed a pattern length of 40 bytes.

    Of course the original leaked client code gave a hint about the encryption method, but the following class for retrieving the key is originally mine.


    Code:
    #include <windows.h>   // BYTE, BOOL, TRUE/FALSE
    #include <stdio.h>
    #include <string.h>
    
    #define KEY_LENGTH 40  // key period found by manual analysis
    
    class CRYPT
    {
    public:
    
    	CRYPT();
    	void Reset();
    	BOOL HasKey() { return m_key_valid; }
    	// pSollData: expected plaintext per byte, pSollMask: 1 where that
    	// expectation can be trusted; the bytes are also decoded in place
    	BOOL FindKey(BYTE* pData,int len,BYTE* pSollData,BYTE* pSollMask);
    	void Decrypt(BYTE* pData,int len);
    
    protected:
    	BOOL m_key_valid;
    	BYTE m_key     [KEY_LENGTH];
    	BYTE m_key_mask[KEY_LENGTH];   // 1 = key byte at this index is known
    
    	BYTE m_last_recv;              // previous cipher byte (the feedback)
    	int  m_key_index;              // current position in the 40-byte key
    	int  m_missing_keys;           // key bytes still unknown
    };
    
    CRYPT::CRYPT()
    {
    	Reset();
    }
    
    void CRYPT::Reset()
    {
    	memset(m_key     ,0,KEY_LENGTH);
    	memset(m_key_mask,0,KEY_LENGTH);
    	m_key_valid =FALSE;
    	m_last_recv =0;
    	m_key_index =0;
    	m_missing_keys=KEY_LENGTH;
    }
    
    BOOL CRYPT::FindKey(BYTE* pData,int len,BYTE* pSollData,BYTE* pSollMask)
    {
    	for (int t = 0; t < len; t++)
    	{
    		m_key_index %= KEY_LENGTH;
    		// remove the feedback: temp == plaintext ^ key[m_key_index]
    		BYTE temp = (BYTE)(pData[t] - m_last_recv);
    		if(pSollMask[t])
    		{
    			if(m_key_mask[m_key_index])
    			{
    				// key byte already known: check it against the expectation
    				temp^=m_key[m_key_index];
    				if(temp!=pSollData[t])
    				{
    					Reset();
    					printf("Key not consistent in position %d. Starting new key\n",t);
    				}
    			}
    			else
    			{
    				// one known plaintext byte gives one key byte
    				m_key     [m_key_index]=pSollData[t]^temp; 
    				m_key_mask[m_key_index]=1;
    				m_missing_keys--;
    				if(!m_missing_keys)
    				{
    					m_key_valid=TRUE;
    					printf("Key found !\n");
    				}
    			}
    		}
    		m_key_index++;
    		m_last_recv = pData[t];
    		pData[t]    = temp;
    	}
    	return m_key_valid;
    }
    
    void CRYPT::Decrypt(BYTE* pData,int len)
    {
    	for (int t = 0; t < len; t++)
    	{
    		m_key_index %= KEY_LENGTH;
    		// plaintext = (cipher byte - previous cipher byte) ^ key byte
    		BYTE temp = (BYTE)((pData[t] - m_last_recv)^m_key[m_key_index++]);
    		m_last_recv = pData[t];
    		pData[t]    = temp;
    	}
    }
    Then you hook the outgoing traffic from your WoW client and use the crypt class like this (the following is a code fragment from my WoW proxy):

    Code:
    void GAME_CONNECT::OnClientData (int size)
    {
    	CLIENTHEADER header; 
    
    	if(!m_crypt.HasKey())
    	{
    		// key still unknown: feed every unfragmented header to FindKey()
    		memcpy(&header,m_buffer,sizeof(CLIENTHEADER));
    		if(size>(int)sizeof(CLIENTHEADER) && (size<256) )
    		{
    			// expected plaintext: low byte of oplen is size-2 and the three
    			// high opcode bytes are 0; byte 0 and the low opcode byte are
    			// not trusted (mask 0), so their values here do not matter
    			BYTE soll_data[6]={ 0x00,0x20,0xee,0x00,0x00,0x00 };
    			BYTE soll_mask[6]={    0,   1,   0,   1,   1,   1 };
    			soll_data[1]=(BYTE)(size-2);
    			m_crypt.FindKey((BYTE*)&header,6,soll_data,soll_mask);
    		}
    		send(m_server_sock,m_buffer,size,0);
    	}
    	else
    	{
    		int decoded=0;
    		do
    		{
    			memcpy(&header,&m_buffer[decoded],sizeof(CLIENTHEADER));
    			decoded+=sizeof(CLIENTHEADER);
    			m_crypt.Decrypt((BYTE*)&header,sizeof(CLIENTHEADER));
    			// oplen is big-endian on the wire and includes the 4 opcode bytes
    			header.oplen=ntohs(header.oplen)-4;
    			// bytes of this command's payload that have not arrived yet,
    			// measured from the start of this command (not from the buffer start)
    			int missing=(decoded+header.oplen)-size;
    			while(m_connected && (missing>0))
    			{   // read in the missing data to have the complete command block
    				int r=recv(m_client_sock,&m_buffer[size],missing,0);
    				if(r>0)
    				{
    					missing-=r;
    					size+=r;
    				}
    				else m_connected=FALSE;
    			}
    			OnClientCommand(header,&m_buffer[decoded]);
    
    			decoded+=header.oplen;
    		}while(m_connected && (decoded<size));
    
    		send(m_server_sock,m_buffer,size,0);
    		// printf("CLIENT->SERVER %d bytes\n",size);
    		// hexdump("Out",m_buffer,size);
    	}
    }
    WoW uses the same key for incoming and outgoing traffic, so once you have found the key in the outgoing traffic, you can use the same key for the incoming traffic.


    Greetings

    Apollo

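As an added illustration (my own Python, not apollo0510's code), the block below models the scheme his Decrypt() inverts, ports FindKey(), and runs it over a constructed stream of client headers. It shows concretely why a byte-feedback XOR with a 40-byte key, applied to headers that are mostly known plaintext, gives up the entire key after a handful of messages.

```python
import random
import struct

KEY_LENGTH = 40  # key period the post measured by hand

def encrypt(plain, key):
    # Forward direction of the scheme the post's Decrypt() inverts:
    # c[i] = (p[i] ^ key[i mod 40]) + c[i-1]  (mod 256), with c[-1] = 0.
    out, last = bytearray(), 0
    for i, p in enumerate(plain):
        last = ((p ^ key[i % KEY_LENGTH]) + last) & 0xFF
        out.append(last)
    return bytes(out)

class KeyRecovery:
    # Port of the post's FindKey(): every byte whose plaintext p[i] is known
    # leaks key[i mod 40] = (c[i] - c[i-1]) ^ p[i]; mask marks the known bytes.
    def __init__(self):
        self.reset()

    def reset(self):
        self.key, self.known = bytearray(KEY_LENGTH), [False] * KEY_LENGTH
        self.last = self.index = 0

    def feed(self, data, expected, mask):
        for c, p, m in zip(data, expected, mask):
            i = self.index % KEY_LENGTH
            temp = (c - self.last) & 0xFF             # strip feedback: p ^ key
            if m and self.known[i] and temp ^ self.key[i] != p:
                self.reset()                          # guess was wrong: start over
            elif m and not self.known[i]:
                self.key[i], self.known[i] = temp ^ p, True
            self.index += 1
            self.last = c
        return all(self.known)

def recover_from_headers(seed=1, max_msgs=60):
    # Constructed stream: only 6-byte headers are encrypted, so the key index
    # advances 6 per message and the trusted positions sweep all 40 slots.
    rng = random.Random(seed)
    key = bytes(rng.randrange(256) for _ in range(KEY_LENGTH))
    sizes = [rng.randrange(6, 256) for _ in range(max_msgs)]   # unfragmented
    opcodes = [rng.randrange(256) for _ in range(max_msgs)]    # top 3 bytes zero
    headers = b"".join(struct.pack(">H", s - 2) + struct.pack("<I", o)
                       for s, o in zip(sizes, opcodes))        # CLIENTHEADER
    stream, rec = encrypt(headers, key), KeyRecovery()
    for n, size in enumerate(sizes, start=1):
        expected, mask = bytes([0, size - 2, 0, 0, 0, 0]), bytes([0, 1, 0, 1, 1, 1])
        if rec.feed(stream[6 * n - 6:6 * n], expected, mask):
            return key, bytes(rec.key), n             # all 40 key bytes known
    return key, bytes(rec.key), None
```

With the post's soll_mask the even key slots are only reached through header byte 4, so the full key is complete after exactly 20 headers regardless of the message contents.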
  2. #32
    hypnodok (Member)
    Very interesting, thanks for sharing.

  3. #33
    kynox (Account not activated by Email)
    Just FYI, they store the key in the CNetClient class.

  4. #34
    wat-u-doin (Banned)
    I've read through all this. I understand nothing, but I'm trying my best to look up guides on how to do this.

  5. #35
    undrgrnd59 (Active Member)
    Originally Posted by wat-u-doin:
    I'm 15, I've got school stuff to do, I don't have much time.
    I started programming when I was 16 (might even have been 15). Don't let your age get in the way of anything. I'm 18 now, and it took a while but now I'm making leaps in programming that I never thought I'd be able to make while teaching myself. There are a lot of resources if you look hard enough for them, I suggest learning a different language because I don't think the examples are going to be in VB.

    Btw, @ 15 the school work is a joke, who are you kidding?
    (If you end up learning C# this helped me out the most: 2008 June « Shynd’s WoW Modification Journal)
    U59

  6. #36
    wat-u-doin (Banned)
    Actually, I haven't been on for a week because I've been catching up on all my math homework. I don't have much time and I'm lucky I have time for the computer.

  7. #37
    typedef (Banned)
    Originally Posted by Cypher:

    AAAAAAAHHH!

    AVERT YOUR EYES! It may take on another form!
    Role-Play that way ->

  8. #38
    wat-u-doin (Banned)
    I've given up on this **** it, I'm not spending my weekend trying to figure out this pointless BS that I won't understand until I learn how to script better or a guide gets posted that's like step by step. I've tried and failed.

    I'll spend my time figuring out different features to throw onto my program.

  9. #39
    argh44z (Member)
    Originally Posted by wat-u-doin:
    I've given up on this **** it, I'm not spending my weekend trying to figure out this pointless BS that I won't understand until I learn how to script better or a guide gets posted that's like step by step. I've tried and failed.

    I'll spend my time figuring out different features to throw onto my program.
    Good luck with your pre-Algebra I homework.

  10. #40
    wat-u-doin (Banned)
    Advanced geometry, thank you.

  11. #41
    Cypher (Kynox's Sister's Pimp)
    Originally Posted by wat-u-doin:
    Advanced geometry, thank you.

    Geometry: Serious business.

    Here's your homework:

    How many sides does a square have?

    Let me know if it's too hard, I have some easier questions.

  12. #42
    lanman92 (Active Member)
    LOL, advanced geometry? Go read a book, retard. Honors or bust!

  13. #43
    wat-u-doin (Banned)
    Cypher, I'm sorry, that question is way too hard for me; you should go a bit easier.

  14. #44
    apollo0510 (Active Member)
    Originally Posted by kynox:
    Just FYI, they store the key in the CNetClient class.
    Damn, that's too easy. But good to know!
    I never did a memory search for it....

    Thanks.

    Apollo

  15. #45
    galpha (Member)
    Decryption done here (correct me if I'm wrong):

    Code:
    0042097C    .  8B46 1C           MOV EAX,DWORD PTR DS:[ESI+1C]
    0042097F    .  8A1408            MOV DL,BYTE PTR DS:[EAX+ECX]
    00420982    .  0FB6BE 1C010000   MOVZX EDI,BYTE PTR DS:[ESI+11C]
    00420989    .  03C1              ADD EAX,ECX
    0042098B    .  8ADA              MOV BL,DL
    0042098D    .  2A9E 1D010000     SUB BL,BYTE PTR DS:[ESI+11D]
    00420993    .  83C1 01           ADD ECX,1
    00420996    .  329C37 1F010000   XOR BL,BYTE PTR DS:[EDI+ESI+11F]
    0042099D    .  BF 14000000       MOV EDI,14
    004209A2    .  8818              MOV BYTE PTR DS:[EAX],BL
    004209A4    .  8A86 1C010000     MOV AL,BYTE PTR DS:[ESI+11C]
    004209AA    .  04 01             ADD AL,1
    004209AC    .  0FB6C0            MOVZX EAX,AL
    004209AF    .  8896 1D010000     MOV BYTE PTR DS:[ESI+11D],DL
    004209B5    .  99                CDQ
    004209B6    .  F7FF              IDIV EDI
    004209B8    .  3B4D EC           CMP ECX,DWORD PTR SS:[EBP-14]
    004209BB    .  8B7D FC           MOV EDI,DWORD PTR SS:[EBP-4]
    004209BE    .  8896 1C010000     MOV BYTE PTR DS:[ESI+11C],DL
    004209C4    .^ 7C AD             JL SHORT WoW.00420973
