(help) WPE PRO *identifying packets*

[jacob4313]

QUESTION: I am currently reviewing my packet collection over about 8 events for each area ive tested. Currently ive collected data for entering instances, hearthing and using teleports in dal and shatt.

Ive looked over the results rather hard over the past 3 hours and have came up with a few results but am left with even more questions. I already new that the 10 byte *send* packet dealt with the instance trigger and the 7th and 8th blocks where the actual instance trigger. Im pretty sure that the 14 byte packet within the multiple teleports ive taken is the packet i was looking for that deals with where you shall be sent.

Now my big question is, what packet details your hearth stone. I have a series of 14 byte and 10 byte strings in the several hearth logs ive saved. About 5 of them have a 10 byte string and 4 of them dont. Leaving me to believe that the same 10 byte string that comes with hitting a instance trigger either doesnt always apply or this perticular 10 byte string doesnt have anything to do with a trigger of any sort. Ive reviewed the 14 byte strings and havent found many similarities like i had with the teleports that lead me to believe the 14 byte string represented where you shall go on that portal.

Also on a side note, Ive edited the 7 and 8 block's in the 10 byte string as well as the 14 byte string. Same results applied that mode of teleporting becomes unusable. The instance portal just doesnt let me pass through, though in wpe it shows the packet being sent. As well as the actual teleport in dal just not letting me use it. Is this a sign that when i eventually find the byte that control's the hearth that once i edit it it will no longer let me use it?

either way once i find it i will try anyway so i would appreciate answers.

[apollo0510]

Hi Jacob,

you are talking about "packets".

Are you referring to command packets or are you dumping TCP/IP packets ?

Have you already decoded the raw command structure with its encrypted header and are you now looking for the meaning of some special command tokens ?

If you are starting from scratch, I suggest you have a look at the latest mangos sourcecode. That is a WoW server. So you get a clue, how the commands form TCP/IP packets.

Greetings

Apollo

[kakamunsug]

Although your idea is awesome, despite a very popular idea, I doubt that it will be that easy to trigger your teleporting destination.
I am very sure Blizzard has from long ago taken in consideration what options and what landscapes/instances you are able to teleport from in a case of teleportation, which means unless you can go past that check - you can't choose any destination by changing the packet you're sending.

I'm also interested in if you even decrypted the packets, and if you did - you need to re-encrypt them before you put them in queue for sending away.
Anyhow, encrypted packets should make little to no sense and the server shouldn't like getting them at the wrong moment (I haven't tried anything with packets within WoW hacking - but ..) I can tell you that the past games I've used packets in, they had lots and lots of checks and you couldn't do much of what you wanted to do. There was flaws in it, of course, and you could dupe stuff if you were handy enough. But all in all fixed once they got the hint of it.

ps.
If this is just for building up a list of packet structure for World of Warcraft to use within private servers, I can see where you're coming at. And you should (if it is) do what the above poster said, look into the latest emu source.


EDIT:
Ahh, you're trying to use the hearthstone to teleport somewhere else than the inns. I'm very confident that will not work.
Good luck anyhow!

[Nesox]

SourceForge.net Repository - [mangos] View of /trunk/src/game/Opcodes.h

[omfgman]

That SVN repo is really outdated.
For newest opcodes use their 3.1 git branch.
lates Opcodes.h

[apollo0510]

Hi Jacob,

I just looked up the potential attacks against the new RC4 streamcypher they use to crypt the command header.

It does'nt look too good. If you find a method to retrieve the key during the login process, your chances might rise.

Nevertheless,it would be neccessary to analyse, how they initialize the RC4 scrambling table, if they combine a public key and a nonce and so on.

Without breaking into the WoW process and simply stealing the RC4 scrambling status the whole thing looks much too complicated to me.

The only successful attacks on RC4 encoded streams need 50000+ samples of known input before they can start optimized brute force. People writing papers about this stuff carry at least one 'doctor' in their name.

In other words: Forget it.

Greetings
Apollo

[Boopy]

@apollo:

It is possible to lookup the sessionkey in the games' memory. With that you are able to initialize the RC4 cipher and start decrypting packets. I've just finished implementing this a few minutes ago.

So:
When you lookup the sessionkey and start logging the packets from the login on, you are able to reconstruct the datastream between client & server. Looking at the sourcecode of mangos will help interpreting it

[korknob]

Is there any relevant info on this floating around anywhere? Found some 2.4.3 info and it didn't seem very applicable - bp on recv, bp on pRecv, then bp on the copy of pRecv it makes but that was about as far as I got.

[jacob4313]

*The only successful attacks on RC4 encoded streams need 50000+ samples of known input before they can start optimized brute force. People writing papers about this stuff carry at least one 'doctor' in their name.*

lol way to take a shit on my parade. but thanks for the info none the less. i didnt even think my thread would get posted, figured a mod would delete it before that.

most of what your saying is above my head and what your going on about is far more complex then the steps i had taken previously. that being said, you can continue inputting info and talking amongst each other. I will read what you post and look into what you say but i doubt i will understand it for some time to come.

[Jadd]

Glad I could be the one to get your hopes up...

[YT]<object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/Q_HhlV3r_Ec&hl=en&fs=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/Q_HhlV3r_Ec&hl=en&fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344"></embed></object>[/YT]

[apollo0510]

Hey Jacob,

you started digging, so I strongly encourage you to gon on. RC4 encryption is extremely easy to understand and to use (guess why the wow guys liked it).

Please look it up, there are many sources on the internet. I would recommend this topic even for programming beginners, because the implementation is so dammn easy.

The only difficult part is, to hack the RC4 encryption.

And what I stated out was, that your only chance to break into the stream is to hack wow itself and steal the key (and or the complete RC4 status).

So, you get in touch with Boopy, and he might tell you, were to find the key.
You learn what RC4 is, and program some sample code until you understand it.
Then you go to the given sources of mangos and try to decode the command blocks .

It is all possible if you want it. All the information is here.

Do something.

Greetings
Apollo

[kynox]

Hey Jacob,

you started digging, so I strongly encourage you to gon on. RC4 encryption is extremely easy to understand and to use (guess why the wow guys liked it).

Please look it up, there are many sources on the internet. I would recommend this topic even for programming beginners, because the implementation is so dammn easy.

The only difficult part is, to hack the RC4 encryption.

And what I stated out was, that your only chance to break into the stream is to hack wow itself and steal the key (and or the complete RC4 status).

So, you get in touch with Boopy, and he might tell you, were to find the key.
You learn what RC4 is, and program some sample code until you understand it.
Then you go to the given sources of mangos and try to decode the command blocks .

It is all possible if you want it. All the information is here.

Do something.

Greetings
Apollo

[0x1132F74] + 0x508 = K (The K refers to the Key used in the SRP6 authentication).

I haven't seen how its used in the RC4, Warden uses only the first 16 bytes of it. You'll have to look into the mangos source and have a look.

[amadmonk]

Hmmm.

One of the reasons I got out of reversing back in the day was because finding the new offsets every release became a huge PITA. I'd wager that the packet structure doesn't change NEARLY as often as the in-mem structures, and if most of your input is keystrokes and you don't need any fancy DX UI or clever teleport/speed/wall climb hacks, etc., I think a packet reader proxy might just be the best route for me.

I wasn't aware how easy the RC4 decryption is, given the key.

[snoke]

I would take a look at https://sharesource.org/hg/sniffitzt/ , it shows you how to get the key( is gotten from reading the key directly from the wow process ) and sniff the packets for 3.1 , its a good starting point and the packets are decrypted correctly.

altough it doesnt correctly parse the compressed packets and some other , but that isnt important you have the decrypted data right infront of you , just look at the mangos 3.1 branch and you'll figure it out.

as a tip alot of the the data about players and gameobjects comes in compressed update data packets , which are zip compressed and ofcourse to makes it abit harder since there is no size value found for the next command ,the commands just comes right after eachother , which means that parsing and incrementing the index from the last "command" in the packet is crucial. and this changes sometimes , atleast there has been changes from 3.09 to 3.1 ( not much tough ), but again the mangos guys is usually way infront so its sortof just look at the mangos 3.1 tree imo.