Strange, K should be here ...

[Nishizono]

Hello, That's one week I work on WOW auth protocole, and now i've a little prob.

I've see you can found the SessionKey with IDA just follow a subroutine using "COP_REALM" & etc...

When I check it with IDA, I found 0x0C93424 (with 3.3.2) Client, but when I look memory with OllyDBG, I see memory (0x0C93424+508h = 0xC9392C) contains a large NULL byte field instead of 40 K bytes...

Any ideas ?

[kynox]

That's because the auth is now handled by Battle.net.

[Nishizono]

ah ok, that's why the client run different, and auth packets are differents when it connects to mangos or bliz serv.

But in fact I'm wrong, the 0x0C93424 address refers to a pointer to the stack, and K is juste at [ptr_stack_addr+508h], I've found it on a mangos conn...

[XTZGZoReX]

0x009D3260, is this what you're looking for? It's used in 0x0041C770 which seems to calculate the client seed sent in 0x1ED (CMSG_AUTH_SESSION). See 0x0041CA20.

Edit: Err, nevermind. Irrelevant. Try 0x00C93424 + 0x508. 0x00C93424 is g_ClientServicesCurrent. Thanks to TOM_RUS for that one.

[Nishizono]

0x009D3260 is a stack adress, so randomized on vista, you don't get the same adress at each prog execution.

So, see on the 0x00c93424 : you get (4 1st bytes) : 78 FA E9 09 (in example) -> (little endian) 0x09E9FA78 address to your g_ClientServicesCurrent pointer, add +508h (0X09E9FF80) and I found my key.