packet monitoring

  1. #16
    Cypher (Kynox's Sister's Pimp), Join Date Apr 2006
    Originally Posted by BoogieManTM
    yo yo, same shit diff day. I see you're having fun with the newbs 'round here, lol! some pretty entertaining reads.


    I wouldn't be surprised if it was in CNetClient, it would be a fitting place for it.. but as I do all the key generation myself, I never had to fiddle around with how the client deals with it much. Either way, grabbing it from memory, or just brute forcing the damn thing (a few proxies have implemented this method before), it's fairly straightforward to get around the header encryption.
    It's awesome fun.

    The last proxy I saw dealt with resolving the key by making the user type a sentence into /say, I assume you're talking about something like that?


    Originally Posted by kynox
    Tis stored in CNetClient indeed. But if this guy can't even detour a function, I hardly see this helping him.

    PS: HAI BOOGIE

    But detourz are harrrrdddddd.


    Originally Posted by Xeta
    Just wanted to add a bit more info.

    BoogieMan, you can replace the C# PacketGenerator class with 1 line:
    byte[] mKey = new System.Security.Cryptography.HMACSHA1(EncryptionSeed).ComputeHash(SessionKey);

    The key generation is just HMAC-SHA1 seeded with those 16 static bytes.

    Also, packets can have either 2 or 3 bytes in the header for the size field, depending on how big the packet is. If the packet is over 32767 bytes, 3 bytes are used, and the first byte is OR'd with 0x80 as a marker.

    // size is the packet length, packetHeader is the byte[] being built;
    // the field is big-endian and the high bit of the first byte flags a 3-byte field
    if (size > 32767)
    {
        packetHeader[0] = (byte)(((size >> 16) & 0xFF) | 0x80);
        packetHeader[1] = (byte)((size >> 8) & 0xFF);
        packetHeader[2] = (byte)(size & 0xFF);
    }
    else
    {
        packetHeader[0] = (byte)((size >> 8) & 0xFF);
        packetHeader[1] = (byte)(size & 0xFF);
    }

    This goes for both server-sent and client-sent packets.

    Now for some offsets.
    At (ClientConnection + 0x27E4) is a pointer to the class that handles the actual communication with the server. I just called this WoWConnection, but it could be the CNetClient.

    // 32-bit layout; offsets in the comments follow from the field sizes
    struct WoWConnection
    {
        int field_0;                                  // 0x00
        SOCKET Socket;                                // 0x04
        int field_8;                                  // 0x08
        int field_C;                                  // 0x0C
        int field_10;                                 // 0x10
        ClientConnection* ClientConnectionPtr;        // 0x14
        int field_18;                                 // 0x18
        char *InputBuffer;                            // 0x1C
        int InputBufferPosition;                      // 0x20
        int InputBufferSize;                          // 0x24
        int field_28[27];                             // 0x28 - 0x94
        struct _RTL_CRITICAL_SECTION CS_field_94;     // 0x94 - 0xAC
        int field_AC;                                 // 0xAC
        int ProcessingThreadId;                       // 0xB0
        ClientConnection* SavedClientConnectionContext; // 0xB4
        int field_B8[9];                              // 0xB8 - 0xDC
        WDSNode PacketQueue;                          // 0xDC - 0xE8 (12-byte list node)
        struct _RTL_CRITICAL_SECTION CS_field_E8;     // 0xE8 - 0x100
        int field_100[6];                             // 0x100 - 0x118
        char IsEncryptionInitialized;                 // 0x118
        char EncKeyIndex;                             // 0x119
        char EncKeyPrevious;                          // 0x11A
        char ClientOpcodeLen;                         // 0x11B, always 4
        char DecKeyIndex;                             // 0x11C
        char DecKeyPrevious;                          // 0x11D
        char ServerOpcodeLen;                         // 0x11E, always 2
        char EncryptionKey[20];                       // 0x11F - 0x133, this is what's used to encrypt packets
    };

    Now if you need the full 40-byte session key for some reason, it's at ClientConnection+0x288.
    The client still keeps this because it's used to seed warden modules and hashed in one of the bot packets, but that's another matter.

    And if you want to see the CDataStore class for the packets, go to https://starfish.westmont.edu/viewcv...tarblabIT/src/ and check out datastore.cpp/h. It looks to be the exact same as what the client uses, based on some of the function names in the asserts of the PTR clients.

    -Ralek

    Still waiting on my new account to activate, been a few days now. Had to grab this old one from way back.

    Y halo thar! Very nice work, welcome.

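The two mechanics Xeta's quoted post describes, the HMAC-SHA1 key derivation and the 2/3-byte size field, as an added Python example (not code from the thread or from any of the posters' bots). The seed and session key below are constructed placeholders, not the client's real values; the assumption that the size field counts the bytes after it (opcode plus payload) is mine and is not stated in the thread; and the per-byte header cipher that consumes EncryptionKey, EncKeyIndex and EncKeyPrevious is deliberately not shown, since the thread does not spell it out.

```python
import hashlib
import hmac

# Constructed placeholder inputs. These are NOT the client's real 16-byte seed
# or a real 40-byte session key; they only give the functions something to run on.
ENCRYPTION_SEED = bytes(range(16))
SESSION_KEY = bytes(range(40))


def derive_header_key(seed: bytes, session_key: bytes) -> bytes:
    """HMAC-SHA1 keyed with the 16-byte static seed over the 40-byte session key.

    Same operation as the C# one-liner new HMACSHA1(EncryptionSeed).ComputeHash(SessionKey):
    the seed is the HMAC key, the session key is the message. The 20-byte digest
    is what the WoWConnection struct calls EncryptionKey[20].
    """
    if len(seed) != 16:
        raise ValueError("seed must be 16 bytes")
    if len(session_key) != 40:
        raise ValueError("session key must be 40 bytes")
    return hmac.new(seed, session_key, hashlib.sha1).digest()


def encode_size(size: int) -> bytes:
    """Big-endian size field: 2 bytes up to 32767, else 3 bytes with 0x80 set in the first."""
    if not 0 <= size <= 0x7FFFFF:
        raise ValueError("size does not fit in 23 bits")
    if size > 32767:
        return bytes([((size >> 16) & 0xFF) | 0x80, (size >> 8) & 0xFF, size & 0xFF])
    return bytes([(size >> 8) & 0xFF, size & 0xFF])


def decode_size(header: bytes) -> tuple[int, int]:
    """Return (size, number of header bytes consumed), honouring the 0x80 marker.

    A sniffer that always reads two size bytes mis-frames everything after the
    first large packet, so the marker must be checked before the width is known.
    """
    if len(header) < 2:
        raise ValueError("need at least 2 bytes")
    if header[0] & 0x80:
        if len(header) < 3:
            raise ValueError("3-byte size field truncated")
        return ((header[0] & 0x7F) << 16) | (header[1] << 8) | header[2], 3
    return (header[0] << 8) | header[1], 2


def split_frames(stream: bytes) -> list[bytes]:
    """Split a byte stream of back-to-back frames into their bodies.

    Assumption (not stated in the thread): the size field counts the bytes that
    follow it (opcode plus payload), not the size field itself. Sizes are taken
    as already decrypted; the header cipher is not applied here.
    """
    frames = []
    pos = 0
    while pos < len(stream):
        size, hlen = decode_size(stream[pos:pos + 3])
        body = stream[pos + hlen:pos + hlen + size]
        if len(body) != size:
            raise ValueError(f"truncated frame at offset {pos}")
        frames.append(body)
        pos += hlen + size
    return frames


if __name__ == "__main__":
    key = derive_header_key(ENCRYPTION_SEED, SESSION_KEY)
    print("header key:", key.hex())
    # Constructed stream: a 3-byte body, then a body just over the 2-byte limit.
    stream = encode_size(3) + b"abc" + encode_size(32768) + bytes(32768)
    print([len(f) for f in split_frames(stream)])
```

The second frame in the constructed stream is exactly the boundary case from the post: 32768 bytes forces the 3-byte field, and `decode_size` only sees it because it checks the marker bit before deciding how many bytes to read.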
  2. #17
    BoogieManTM (Active Member), Join Date May 2008
    Originally Posted by Cypher
    It's awesome fun.

    The last proxy I saw dealt with resolving the key by making the user type a sentence into /say, I assume you're talking about something like that?

    That is one of them, yes. and that is the one that currently works, iirc. It's called something like sniffzit or something along those lines. It identifies by chat packets, which are also fairly easy to identify without reading the header. The one I was specifically talking about would passively sniff the ping packets (both client and server sent) while at the logon screen and brute the key that way.

    Originally Posted by Xeta
    Just wanted to add a bit more info.

    BoogieMan, you can replace the C# PacketGenerator class with 1 line:
    byte[] mKey = new System.Security.Cryptography.HMACSHA1(EncryptionSeed).ComputeHash(SessionKey);
    Thanks, but I no longer maintain my C# bot. Just my code for that was still relevant, so I posted it.

    Originally Posted by Kynox
    Tis stored in CNetClient indeed. But if this guy can't even detour a function, I hardly see this helping him.

    PS: HAI BOOGIE
    Lol, I wasn't trying to help him necessarily, but it could be useful to someone else.

    P.S. OMFG HAI2U

  3. #18
    Cypher (Kynox's Sister's Pimp), Join Date Apr 2006
    Originally Posted by BoogieManTM
    That is one of them, yes. And that is the one that currently works, iirc. It's called something like sniffzit or something along those lines. It identifies by chat packets, which are also fairly easy to identify without reading the header. The one I was specifically talking about would passively sniff the ping packets (both client and server sent) while at the logon screen and brute the key that way.

    Thanks, but I no longer maintain my C# bot. Just my code for that was still relevant, so I posted it.

    Lol, I wasn't trying to help him necessarily, but it could be useful to someone else.

    P.S. OMFG HAI2U
    Yes, I think that's the one I was remembering.

    PS. OMFGEPIX!
