[wow][mac] Help finding username/password in memory

  1. #1
    Tanaris4

    [wow][mac] Help finding username/password in memory

    I haven't been able to find much in here, except a posting of an occasional offset (which generally isn't static).

    Anyone have any ideas on how I should go about this? I've obviously searched + found them in memory, but can never find a static pointer to ANYWHERE near where it is actually stored.

    I was able to find that where the "Account Password" string is stored, subtract 0x34 then you find the pointer to the real password, but that's about it. so:
    Ptr to Password = [[ptr to "Account Password" string]-0x34]

    But obviously "Account Password" isn't stored in a static.

    Thanks!

  2. #2
    EmiloZ
    You can go into the Key memory, the Mac app.
    Which OS X version?

  3. #3
    Tanaris4
    Key memory? I'm using Snow Leopard, but I don't really see how that is relevant.

    I'd rather not send keys to simulate logging in, just wanted to write it to memory.

  4. #4
    Tanaris4
    Anyone have any ideas here?

  5. #5
    namreeb
    What's wrong with the approach you mentioned?

  6. #6
    Tanaris4
    Because it's not static... i.e. every time I fire up WoW I can't just write to a memory location.

  7. #7
    namreeb
    But you can search in memory for that string FindPattern() style?

  8. #8
    Apoc
    Lua.Execute("DefaultServerLogin(\"{0}\",\"{1}\")", username, password);

    Enjoy.

  9. #9
    Cypher
    Obligatory:

    Macs suck.

  10. #10
    Tanaris4
    @Apoc - lol, you realize I don't do injection - I only do passive (kidding :P) memory read/writes

    And yeah, I can search ALL of memory for the account password portion, but not for the login :/

    @Cypher, expected :/

  11. #11
    UnknOwned
    Originally Posted by Cypher:
    Obligatory:

    Macs suck.

  12. #12
    Cypher
    Originally Posted by UnknOwned:
    EPIC WIN!

    Zomg a new Charmander gif, awesome. Saved.

  13. #13
    BoogieManTM
    Originally Posted by Tanaris4:
    @Apoc - lol, you realize I don't do injection - I only do passive (kidding :P) memory read/writes

    And yeah, I can search ALL of memory for the account password portion, but not for the login :/

    @Cypher, expected :/

    Maybe you should inject? :P Mac's Warden isn't looking for ya, so it's pretty damn safe to do so.

  14. #14
    Apoc
    Originally Posted by Tanaris4:
    @Apoc - lol, you realize I don't do injection - I only do passive (kidding :P) memory read/writes

    And yeah, I can search ALL of memory for the account password portion, but not for the login :/

    @Cypher, expected :/

    Erm, I'm well aware.

    That func handles logging in. Is it that hard to reverse the func and figure the rest out?

    Code:
    .text:0047B5C0     ; =============== S U B R O U T I N E =======================================
    .text:0047B5C0
    .text:0047B5C0     ; Attributes: bp-based frame
    .text:0047B5C0
    .text:0047B5C0     ; void __cdecl CGlueMgr__DefaultServerLogin(char *accountName, char *password)
    .text:0047B5C0     CGlueMgr__DefaultServerLogin proc near  ; CODE XREF: lua_DefaultServerLogin+41p
    .text:0047B5C0
    .text:0047B5C0     accountName     = dword ptr  8
    .text:0047B5C0     password        = dword ptr  0Ch
    .text:0047B5C0
    .text:0047B5C0 000                 push    ebp
    .text:0047B5C1 004                 mov     ebp, esp
    .text:0047B5C3 004                 cmp     byte_10D8B4C, 0 ; Compare Two Operands
    .text:0047B5CA 004                 jz      loc_47B6D0      ; Jump if Zero (ZF=1)
    .text:0047B5CA
    .text:0047B5D0 004                 cmp     dword_10D86E0, 0 ; Compare Two Operands
    .text:0047B5D7 004                 jz      loc_47B6D0      ; Jump if Zero (ZF=1)
    .text:0047B5D7
    .text:0047B5DD 004                 cmp     dword_10D86E8, 0 ; Compare Two Operands
    .text:0047B5E4 004                 jz      loc_47B6D0      ; Jump if Zero (ZF=1)
    .text:0047B5E4
    .text:0047B5EA 004                 cmp     eventId, 0      ; Compare Two Operands
    .text:0047B5F1 004                 jnz     loc_47B6D0      ; Jump if Not Zero (ZF=0)
    .text:0047B5F1
    .text:0047B5F7 004                 mov     eax, [ebp+accountName]
    .text:0047B5FA 004                 test    eax, eax        ; Logical Compare
    .text:0047B5FC 004                 jz      loc_47B6F8      ; Jump if Zero (ZF=1)
    .text:0047B5FC
    .text:0047B602 004                 cmp     byte ptr [eax], 0 ; Compare Two Operands
    .text:0047B605 004                 jz      loc_47B6F8      ; Jump if Zero (ZF=1)
    .text:0047B605
    .text:0047B60B 004                 push    esi
    .text:0047B60C 008                 mov     esi, [ebp+password]
    .text:0047B60F 008                 test    esi, esi        ; Logical Compare
    .text:0047B611 008                 jz      loc_47B6D2      ; Jump if Zero (ZF=1)
    .text:0047B611
    .text:0047B617 008                 cmp     byte ptr [esi], 0 ; Compare Two Operands
    .text:0047B61A 008                 jz      loc_47B6D2      ; Jump if Zero (ZF=1)
    .text:0047B61A
    .text:0047B620 008                 or      ecx, 0FFFFFFFFh ; Logical Inclusive OR
    .text:0047B623 008                 mov     dword_103CC40, ecx
    .text:0047B629 008                 mov     dword_103CC44, ecx
    .text:0047B62F 008                 mov     dword_103CC48, ecx
    .text:0047B635 008                 mov     dword_103CC4C, ecx
    .text:0047B63B 008                 mov     byte_10D8704, 0
    .text:0047B642 008                 mov     dword_10D86D0, 0
    .text:0047B64C 008                 mov     eventId, 1
    .text:0047B656 008                 mov     cl, [eax]
    .text:0047B658 008                 test    cl, cl          ; Logical Compare
    .text:0047B65A 008                 mov     edx, offset g_pszAccount
    .text:0047B65F 008                 jz      short loc_47B687 ; Jump if Zero (ZF=1)
    .text:0047B65F
    .text:0047B661
    .text:0047B661     loc_47B661:                             ; CODE XREF: CGlueMgr__DefaultServerLogin+C5j
    .text:0047B661 008                 cmp     edx, offset unk_10D86CF ; Compare Two Operands
    .text:0047B667 008                 jnb     short loc_47B687 ; Jump if Not Below (CF=0)
    .text:0047B667
    .text:0047B669 008                 cmp     cl, 7Ch         ; Compare Two Operands
    .text:0047B66C 008                 jnz     short loc_47B676 ; Jump if Not Zero (ZF=0)
    .text:0047B66C
    .text:0047B66E 008                 cmp     [eax+1], cl     ; Compare Two Operands
    .text:0047B671 008                 jnz     short loc_47B676 ; Jump if Not Zero (ZF=0)
    .text:0047B671
    .text:0047B673 008                 add     eax, 1          ; Add
    .text:0047B673
    .text:0047B676
    .text:0047B676     loc_47B676:                             ; CODE XREF: CGlueMgr__DefaultServerLogin+ACj
    .text:0047B676                                             ; CGlueMgr__DefaultServerLogin+B1j
    .text:0047B676 008                 movzx   ecx, byte ptr [eax] ; Move with Zero-Extend
    .text:0047B679 008                 add     eax, 1          ; Add
    .text:0047B67C 008                 mov     [edx], cl
    .text:0047B67E 008                 mov     cl, [eax]
    .text:0047B680 008                 add     edx, 1          ; Add
    .text:0047B683 008                 test    cl, cl          ; Logical Compare
    .text:0047B685 008                 jnz     short loc_47B661 ; Jump if Not Zero (ZF=0)
    .text:0047B685
    .text:0047B687
    .text:0047B687     loc_47B687:                             ; CODE XREF: CGlueMgr__DefaultServerLogin+9Fj
    .text:0047B687                                             ; CGlueMgr__DefaultServerLogin+A7j
    .text:0047B687 008                 push    offset g_pszAccount ; char *
    .text:0047B68C 00C                 mov     byte ptr [edx], 0
    .text:0047B68F 00C                 call    strToUpper      ; Call Procedure
    .text:0047B68F
    .text:0047B694 008                 push    offset aCancel  ; "CANCEL"
    .text:0047B699 00C                 push    offset aS_16    ; "%s"
    .text:0047B69E 010                 push    3               ; eventId
    .text:0047B6A0 014                 call    FrameScript_SignalEvent ; Call Procedure
    .text:0047B6A0
    .text:0047B6A5 014                 push    esi
    .text:0047B6A6 018                 push    offset g_pszAccount
    .text:0047B6AB 01C                 call    sub_62D7A0      ; Call Procedure
    .text:0047B6AB
    .text:0047B6B0 01C                 mov     eax, esi
    .text:0047B6B2 01C                 add     esp, 14h        ; Add
    .text:0047B6B5 008                 lea     edx, [eax+1]    ; Load Effective Address
    .text:0047B6B5
    .text:0047B6B8
    .text:0047B6B8     loc_47B6B8:                             ; CODE XREF: CGlueMgr__DefaultServerLogin+FFj
    .text:0047B6B8 008                 mov     cl, [eax]
    .text:0047B6BA 008                 add     eax, 1          ; Add
    .text:0047B6BD 008                 test    cl, cl          ; Logical Compare
    .text:0047B6BF 008                 jnz     short loc_47B6B8 ; Jump if Not Zero (ZF=0)
    .text:0047B6BF
    .text:0047B6C1 008                 sub     eax, edx        ; Integer Subtraction
    .text:0047B6C3 008                 push    eax             ; Size
    .text:0047B6C4 00C                 push    0               ; Val
    .text:0047B6C6 010                 push    esi             ; Dst
    .text:0047B6C7 014                 call    _memset         ; Call Procedure
    .text:0047B6C7
    .text:0047B6CC 014                 add     esp, 0Ch        ; Add
    .text:0047B6CF 008                 pop     esi
    .text:0047B6CF
    .text:0047B6D0
    .text:0047B6D0     loc_47B6D0:                             ; CODE XREF: CGlueMgr__DefaultServerLogin+Aj
    .text:0047B6D0                                             ; CGlueMgr__DefaultServerLogin+17j ...
    .text:0047B6D0 004                 pop     ebp
    .text:0047B6D1 000                 retn                    ; Return Near from Procedure
    .text:0047B6D1
    .text:0047B6D2     ; ---------------------------------------------------------------------------
    .text:0047B6D2
    .text:0047B6D2     loc_47B6D2:                             ; CODE XREF: CGlueMgr__DefaultServerLogin+51j
    .text:0047B6D2                                             ; CGlueMgr__DefaultServerLogin+5Aj
    .text:0047B6D2 008                 push    0               ; a3
    .text:0047B6D4 00C                 push    0FFFFFFFFh      ; a2
    .text:0047B6D6 010                 push    offset aLogin_enter_pa ; "LOGIN_ENTER_PASSWORD"
    .text:0047B6DB 014                 call    FrameScript_GetText ; Call Procedure
    .text:0047B6DB
    .text:0047B6E0 014                 push    eax
    .text:0047B6E1 018                 push    offset aOkay    ; "OKAY"
    .text:0047B6E6 01C                 push    offset aSS      ; "%s%s"
    .text:0047B6EB 020                 push    3               ; eventId
    .text:0047B6ED 024                 call    FrameScript_SignalEvent ; Call Procedure
    .text:0047B6ED
    .text:0047B6F2 024                 add     esp, 1Ch        ; Add
    .text:0047B6F5 008                 pop     esi
    .text:0047B6F6 004                 pop     ebp
    .text:0047B6F7 000                 retn                    ; Return Near from Procedure
    .text:0047B6F7
    .text:0047B6F8     ; ---------------------------------------------------------------------------
    .text:0047B6F8
    .text:0047B6F8     loc_47B6F8:                             ; CODE XREF: CGlueMgr__DefaultServerLogin+3Cj
    .text:0047B6F8                                             ; CGlueMgr__DefaultServerLogin+45j
    .text:0047B6F8 004                 push    0               ; a3
    .text:0047B6FA 008                 push    0FFFFFFFFh      ; a2
    .text:0047B6FC 00C                 push    offset aLogin_enter_na ; "LOGIN_ENTER_NAME"
    .text:0047B701 010                 call    FrameScript_GetText ; Call Procedure
    .text:0047B701
    .text:0047B706 010                 push    eax
    .text:0047B707 014                 push    offset aOkay    ; "OKAY"
    .text:0047B70C 018                 push    offset aSS      ; "%s%s"
    .text:0047B711 01C                 push    3               ; eventId
    .text:0047B713 020                 call    FrameScript_SignalEvent ; Call Procedure
    .text:0047B713
    .text:0047B718 020                 add     esp, 1Ch        ; Add
    .text:0047B71B 004                 pop     ebp
    .text:0047B71C 000                 retn                    ; Return Near from Procedure
    .text:0047B71C
    .text:0047B71C     CGlueMgr__DefaultServerLogin endp
    .text:0047B71C
    .text:0047B71C     ; ---------------------------------------------------------------------------
    That's the only non 'sanity' check in the DefaultServerLogon (and non ToString call). It'll be fairly similar afaict.

    Edit: I'm not sure that WoW stores the password for the account except for the few seconds it takes to log in. (As is apparent from their code, which never has the password set to any .data.)

    If you're just looking for the fields, then just type some random text and figure it out!
    Last edited by Apoc; 10-27-2009 at 10:18 PM.
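
The login routine in the listing above, reconstructed in C as an added example (not Blizzard's code and not posted in this thread): the account name is copied into a global buffer with a doubled '|' collapsed and uppercased, handed to the login routine, and the caller's password buffer is then zeroed, which is why the password cannot be found in memory afterwards. The buffer size, the enum, submit_login(), secure_wipe() and last_account_name() are assumptions of this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Assumed buffer size; the listing bounds the copy at unk_10D86CF, one byte
 * before the end of the g_pszAccount buffer. */
#define ACCOUNT_BUF_SIZE 32

static char g_pszAccount[ACCOUNT_BUF_SIZE];  /* stands in for g_pszAccount */

/* Outcomes standing in for the FrameScript_SignalEvent(3, ...) dialogs. */
enum login_result { LOGIN_SUBMITTED = 0, LOGIN_ENTER_NAME = 1, LOGIN_ENTER_PASSWORD = 2 };

/* Stand-in for sub_62D7A0, which receives the account name and the password. */
static int submit_login(const char *account, const char *password) {
    return account[0] != '\0' && password[0] != '\0';
}

/* The listing scrubs with plain memset(); a compiler may delete that store as
 * dead when the buffer is never read again, so write through a volatile pointer. */
static void secure_wipe(char *p, size_t n) {
    volatile char *vp = (volatile char *)p;
    while (n--) *vp++ = 0;
}

/* Mirrors the loop at loc_47B661: copy into the global buffer, collapse a
 * doubled '|' into one, stop at the buffer bound, NUL-terminate, uppercase. */
static void copy_account_name(const char *src) {
    char *dst = g_pszAccount;
    char *end = g_pszAccount + ACCOUNT_BUF_SIZE - 1;         /* unk_10D86CF */
    while (*src != '\0' && dst < end) {
        if (src[0] == '|' && src[1] == '|') src++;          /* "||" -> "|" */
        *dst++ = *src++;
    }
    *dst = '\0';
    for (char *p = g_pszAccount; *p; p++)                   /* strToUpper */
        *p = (char)toupper((unsigned char)*p);
}

/* Reconstruction of CGlueMgr__DefaultServerLogin minus the four global state
 * checks at its top. The password argument is wiped in place on success. */
enum login_result default_server_login(const char *account, char *password) {
    if (account == NULL || account[0] == '\0') return LOGIN_ENTER_NAME;       /* loc_47B6F8 */
    if (password == NULL || password[0] == '\0') return LOGIN_ENTER_PASSWORD; /* loc_47B6D2 */
    copy_account_name(account);
    (void)submit_login(g_pszAccount, password);
    secure_wipe(password, strlen(password));   /* memset(password, 0, strlen(password)) */
    return LOGIN_SUBMITTED;
}

/* Exposes the normalized name so the behaviour can be checked. */
const char *last_account_name(void) { return g_pszAccount; }
```

The one deliberate departure from the listing is the wipe: a plain memset of a buffer the function never reads again may be dropped by the optimizer, so the example writes through a volatile pointer instead.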

  15. #15
    Tanaris4
    @Apoc ty sir, exactly what I was looking for!
