Proxy to manipulate?

Page 2 of 6, results 16 to 30 of 76
  1. #16 SinnerG (Member)
    RealmProxy: Client connected
    Received (from wow client) 41 byte(s)
    AUTH_LOGON_CHALLENGE - SINNERG trying to login
    Received (from realm server) 119 byte(s)
    Sending data to Session...
    Received (from wow client) 75 byte(s)
    AUTH_LOGON_PROOF - Got payload
    Received (from realm server) 32 byte(s)
    Sending data to Session...
    Received (from wow client) 5 byte(s)
    REALM_LIST - Got payload
    WorldProxy: Client connected
    Received (from realm server) 28 byte(s)
    Sending data to Session...
    Received (from wow client) 275 byte(s)
    Received opcode:493(size: 273)
    Received CMSG_AUTH_SESSION
    Received (from realm server) 251 byte(s)
    Sending data to Session...
    Received (from wow client) 6 byte(s)
    Received malformed package
    Received (from wow client) 16 byte(s)
    Received malformed package
    After CMSG_AUTH_SESSION things are encrypted (therefore the malformed packages), and that's where I'm at now.

    FYI: Covering the basics first, then I'll clean up the proxy code since 1) the 'real' realm IP is hardcoded + no decent logging :P
  2. #17 SinnerG (Member)
    w00t - I can now, on the fly, decrypt client > server packages (not modify them yet, though).

    Some console output:

    UNHANDLED OPCODE RECEIVED: CMSG_MEETINGSTONE_INFO
    Received (from realm server) 106 byte(s)
    Sending data to Session...
    Received (from wow client) 40 byte(s)
    Got header!
    UNHANDLED OPCODE RECEIVED: CMSG_LFD_PLAYER_LOCK_INFO_REQUEST
    Received (from wow client) 120 byte(s)
    Got header!
    UNHANDLED OPCODE RECEIVED: MSG_GUILD_BANK_MONEY_WITHDRAWN
    Received (from realm server) 106 byte(s)
    Sending data to Session...
    Received (from wow client) 56 byte(s)
    Got header!
    UNHANDLED OPCODE RECEIVED: CMSG_CALENDAR_GET_NUM_PENDING
    Received (from realm server) 8 byte(s)
    Sending data to Session...
    Received (from wow client) 56 byte(s)
    Got header!
    UNHANDLED OPCODE RECEIVED: CMSG_VOICE_SESSION_ENABLE

  3. #18 SinnerG (Member)
    Atm I cannot inject new packages yet, but since the 'body' is not encrypted, we're able to modify it as long as the size does not change.

    As a POC I made a PROXY-SIDE fall damage prevention (tested on some emu server)! No way they (Warden) can detect this client side! :P
    I store the last MOVE_HEARTBEAT Z location and reuse it the moment we 'land'.

    Other POC uses that come to mind are a never-ending 'slow fall' (prevent the buff from going away on the client) etc. etc. :P

    Jumped off a large cliff: no dmg (edit: it is either no or low damage, since the heartbeat is not super frequent).

    Now about Warden: Warden could simply check the target realm IP and, if it is [non-blizz/localhost], use its banhammer, as it can detect a proxy this way.

    Is there a way, on Windows (7?), to redirect the traffic of only a certain app (WoW in this case) to an IP of our choice?

    Does anyone know how to change the realmlist.wtf WHILE using a username with an @ in it? Currently it seems that it goes to a hardcoded server IF the username contains an @ (like an email) -> if it does not contain an @, it does use the realmlist.wtf!

    edit: did they change something in the client? :/ (I had to apply a patch on connecting to the 'real' server and the build number didn't change??)

    edit 2: Looks like I'm being had by the WoW client... Anyone got any references on the new battlenet gateway?
    Last edited by SinnerG; 03-06-2010 at 02:42 AM.

  4. #19 TOM_RUS (Legendary)
    Originally Posted by SinnerG:
    Anyone got any references on the new battlenet gateway?
    New battle.net has protection against man in the middle attacks (checking server IPv6 RSA signature on client side).

  5. #20 SinnerG (Member)
    Not stating that I'm interested in 'countering' that but wouldn't it still be possible to sit in between? As in => Client connects to your proxy (actually a basic wow server) and spawns a 'custom coded' client to connect to the real wow server

    Just thinking here :P

    edit: Anyway, guess I'll have to postpone my work until someone figures out the new protocol, even if it was to just be able to decrypt packages again!
    Last edited by SinnerG; 03-06-2010 at 03:07 AM.

  6. #21 BoogieManTM (Active Member)
    Originally Posted by amadmonk:
    It's actually very easy to detect this, since both the packet stream and (more importantly) the Warden info are encrypted. Specifically with Warden, the keys rotate, which makes a true clientless bot nigh impossible (not completely impossible, just really, really hard).

    AFAIK only one or two people have ever made this work, and it's still fairly fragile. boogeyman etc. feel free to correct me if you've actually cracked this nut for good.

    Edit: just realized you weren't specifically talking about a clientless bot, but still the problems are similar.
    Man-in-the-middle and clientless pose pretty much the same issues. The only real difference is that with man-in-the-middle you can just let the stuff you do not know how to deal with pass through. Clientless isn't so fortunate, obviously.

    It's definitely not impossible; as you said, I've done it before (with loads of help, mind you). I just don't see man-in-the-middle as a viable solution to the 'botting problem'.

    I don't see any further risk in detection, though.

    Your best bet for a man in the middle is not to have two independent sessions (client <-> proxy, proxy <-> server), as that has many complicated sync issues you need to keep in check. You also need to emulate the authentication (good luck!), Warden handshakes/key exchanges/etc. The simpler solution is to passively proxy up to a point, and directly reference the WoW client for the information you need (like the primary protocol encryption key/state). That way you can maintain the two states (client <-> proxy, proxy <-> server) without the problem of maintaining two entirely different encryption states, instead of one state split into 2 to enable modification.

    But I stick by my story and would advise against messing with packets. It really does look appealing (trust me, I know), but in the end it's just a big headache.

    Good luck either way!

  7. #22 xdk (Member)
    Originally Posted by SinnerG:
    Atm I cannot inject new packages yet, but since the 'body' is not encrypted, we're able to modify it as long as the size does not change.

    As a POC I made a PROXY-SIDE fall damage prevention (tested on some emu server)! No way they (Warden) can detect this client side! :P
    I store the last MOVE_HEARTBEAT Z location and reuse it the moment we 'land'.

    Other POC uses that come to mind are a never-ending 'slow fall' (prevent the buff from going away on the client) etc. etc. :P

    Jumped off a large cliff: no dmg (edit: it is either no or low damage, since the heartbeat is not super frequent).

    Now about Warden: Warden could simply check the target realm IP and, if it is [non-blizz/localhost], use its banhammer, as it can detect a proxy this way.

    Is there a way, on Windows (7?), to redirect the traffic of only a certain app (WoW in this case) to an IP of our choice?

    Does anyone know how to change the realmlist.wtf WHILE using a username with an @ in it? Currently it seems that it goes to a hardcoded server IF the username contains an @ (like an email) -> if it does not contain an @, it does use the realmlist.wtf!

    edit: did they change something in the client? :/ (I had to apply a patch on connecting to the 'real' server and the build number didn't change??)

    edit 2: Looks like I'm being had by the WoW client... Anyone got any references on the new battlenet gateway?
    I'm actually working on a proxy like yours.
    I ran into the same problem with @ and the client ignoring the realmlist, so I'm trying another way. I put a fake username in the client, without @, and use the proxy to replace it. Here is the code (C#):
    Code:
        using System;
        using System.IO;

        /* If you send an email address as username in WoW, it will ignore realmlist and connect to BNet servers.
         * But, if you type anything else it will connect to realmlist, so just type anything and it will be
         * replaced with the correct username here.
         */
        static private void HandleLogonChallenge(SOpCode OpCode, ref Byte[] ByteBuffer)
        {
            BinaryReader PacketReader = new BinaryReader(new MemoryStream(ByteBuffer), System.Text.Encoding.UTF8);
            Console.WriteLine("[CLIENT] OpCode: [{0}] {1} handled.", OpCode.ID, OpCode.Text);
            SByte TmpOpCode = PacketReader.ReadSByte();
            SByte Error = PacketReader.ReadSByte();
            UInt16 Size = PacketReader.ReadUInt16();      // number of bytes that follow the 4-byte (cmd, error, size) prefix
            Char[] GameName = PacketReader.ReadChars(4);
            SByte Version1 = PacketReader.ReadSByte();
            SByte Version2 = PacketReader.ReadSByte();
            SByte Version3 = PacketReader.ReadSByte();
            UInt16 Build = PacketReader.ReadUInt16();
            Char[] Platform = PacketReader.ReadChars(4);
            Char[] OS = PacketReader.ReadChars(4);
            Char[] Country = PacketReader.ReadChars(4);
            UInt32 TimeZone = PacketReader.ReadUInt32();
            UInt32 IP = PacketReader.ReadUInt32();
            SByte UsernameLength = PacketReader.ReadSByte();
            Char[] Username = PacketReader.ReadChars(UsernameLength); // the client's fake name, discarded below
            PacketReader.Close();

            MemoryStream OutputStream = new MemoryStream();
            BinaryWriter PacketWriter = new BinaryWriter(OutputStream, System.Text.Encoding.UTF8);
            PacketWriter.Write((SByte)TmpOpCode);
            PacketWriter.Write((SByte)Error);
            PacketWriter.Write((UInt16)0); // Placeholder; the real size is patched in once the packet is built.
            PacketWriter.Write((Char[])GameName);
            PacketWriter.Write((SByte)Version1);
            PacketWriter.Write((SByte)Version2);
            PacketWriter.Write((SByte)Version3);
            PacketWriter.Write((UInt16)Build);
            PacketWriter.Write((Char[])Platform);
            PacketWriter.Write((Char[])OS);
            PacketWriter.Write((Char[])Country);
            PacketWriter.Write((UInt32)TimeZone);
            PacketWriter.Write((UInt32)IP);
            PacketWriter.Write((SByte)(CProgram.Username.Length));
            PacketWriter.Write((Char[])CProgram.Username.ToUpperInvariant().ToCharArray());
            // The size field counts only the bytes after the 4-byte prefix, not the whole packet.
            // Writing OutputStream.Length here claims 4 bytes more than were sent, so the realm
            // server keeps waiting for the rest and never answers.
            PacketWriter.Seek(2 * sizeof(SByte), SeekOrigin.Begin);
            PacketWriter.Write((UInt16)(OutputStream.Length - 4)); // Write size
            ByteBuffer = OutputStream.ToArray();
            PacketWriter.Close();
        }
    But, it doesn't work. The server doesn't reply to my new packet, even on an emu server. I don't know what happens at the server side, so I'm actually setting up a server with debug information to see what doesn't go right.

    Last tip, if you are looking for an ARC4 in C#, I found one in WoWLib ( RE it ).

    PS: I'm french, please excuse my English.
    Last edited by xdk; 03-06-2010 at 12:01 PM.

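As an added example (not code from this thread), the same AUTH_LOGON_CHALLENGE layout that xdk's handler walks through, parsed and validated in Python the way a realm server checks it before answering. The 41-byte sample packet, its version, build and tag values are constructed for the demo; the field order is the one in the handler above.

```python
import struct

# AUTH_LOGON_CHALLENGE as the WoW client sends it to the realm (logon) server.
# Field order follows the C# handler quoted in this thread: little-endian
# integers, and the 4-byte tags are reversed, NUL-padded ASCII ("niW\0" = Win).
_HDR = struct.Struct("<BBH4sBBBH4s4s4sIIB")   # 34 bytes, then I_len name bytes
CMD_AUTH_LOGON_CHALLENGE = 0x00
PREFIX_LEN = 4                                # cmd, error, size


def _tag(raw: bytes) -> str:
    """Undo the reversed, NUL-padded 4-byte tag encoding."""
    return raw.rstrip(b"\0")[::-1].decode("ascii", "replace")


def parse_logon_challenge(buf: bytes):
    """Validate a challenge the way a realm server does; return its fields,
    or None when the server would discard it (and never reply)."""
    if len(buf) < _HDR.size:
        return None
    (cmd, error, size, game, v1, v2, v3, build, plat, os_, ctry,
     tz_bias, ip, name_len) = _HDR.unpack_from(buf)
    if cmd != CMD_AUTH_LOGON_CHALLENGE:
        return None
    # 'size' counts the bytes AFTER the 4-byte prefix.  A rewriting proxy that
    # stores the whole packet length here claims 4 bytes more than it sent,
    # so the server keeps waiting for the rest and never answers.
    if size != len(buf) - PREFIX_LEN:
        return None
    if name_len != len(buf) - _HDR.size:       # name must fill the remainder
        return None
    return {
        "error": error, "game": _tag(game), "version": (v1, v2, v3),
        "build": build, "platform": _tag(plat), "os": _tag(os_),
        "locale": _tag(ctry), "timezone_bias": tz_bias, "ip": ip,
        "username": buf[_HDR.size:].decode("ascii", "replace"),
    }


def build_logon_challenge(username: str, version, build: int,
                          client_ip: int = 0) -> bytes:
    """Assemble a well-formed challenge (size field set correctly).  The tags
    are constructed sample values (x86 / Win / enUS), not from a capture."""
    name = username.upper().encode("ascii")
    size = _HDR.size - PREFIX_LEN + len(name)
    return _HDR.pack(CMD_AUTH_LOGON_CHALLENGE, 0, size, b"WoW\0", *version,
                     build, b"68x\0", b"niW\0", b"SUne", 0, client_ip,
                     len(name)) + name


if __name__ == "__main__":
    pkt = build_logon_challenge("SinnerG", (3, 3, 3), 12340)  # 41 bytes, like the log
    print(len(pkt), parse_logon_challenge(pkt)["username"])
    bad = pkt[:2] + len(pkt).to_bytes(2, "little") + pkt[4:]  # size := whole length
    print(parse_logon_challenge(bad))                          # None
```
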
  8. #23 SinnerG (Member)
    Hehe, I was using the same trick ^^ (replaced the @with an _) :P

  9. #24 BoogieManTM (Active Member)
    Any username with the @ sign goes through the battle.net authentication, which is entirely new, and you're not going to be proxying that anytime soon without some serious IDA time :P

    If this is only for you, you're better off setting the IP of your realm server as a loopback device on your local machine/network, and using the proxy to listen for incoming connections and forward them on like a tunnel would do. It's tricky, but it can be done. This way you don't have to touch auth at all, or the key exchanges or anything else. You just passively proxy the realm, reading the encryption key from the client's memory when you need it (once you start to proxy the connection to the realm).

  10. #25 Lance989 (Member)
    Just wanna say, after reading through, I think you guys are on to something epic. Keep up the hard work.

  11. #26 xdk (Member)
    Originally Posted by BoogieManTM:
    Any username with the @ sign goes through the battle.net authentication, which is entirely new, and you're not going to be proxying that anytime soon without some serious IDA time :P

    If this is only for you, you're better off setting the IP of your realm server as a loopback device on your local machine/network, and using the proxy to listen for incoming connections and forward them on like a tunnel would do. It's tricky, but it can be done. This way you don't have to touch auth at all, or the key exchanges or anything else. You just passively proxy the realm, reading the encryption key from the client's memory when you need it (once you start to proxy the connection to the realm).
    Great idea, +rep.
    I started looking for a way to do this. I found a few ideas (W7x64):
    - using a software router on Windows.
    - using the hosts file: realm -> localhost, and then send the data got from the proxy to another computer which would send it to the realms
    - using *pcap?
    Does anyone know a software way to forward WoW's process connection to my proxy (using a library or something like it)? So I would be able to use it easily on different computers.
    Last edited by xdk; 03-07-2010 at 06:27 AM.

  12. #27 !@^^@! (Active Member)
    FreeCap can force a specific process to use a proxy; a program that does the same but better/easier is ProxyCap (a proxifier for Windows/Mac OS X), but it's not free.

  13. #28 TOM_RUS (Legendary)
    You don't need any software to redirect WoW connections to another host. Use realmlist.wtf instead.

  14. #29 xdk (Member)
    Originally Posted by TOM_RUS:
    You don't need any software to redirect WoW connections to another host. Use realmlist.wtf instead.
    It's not possible, as someone said before. If you put an @ in your login, WoW bypasses realmlist.wtf and connects to BNet servers, with a different system than the old one.

  15. #30 TOM_RUS (Legendary)
    Originally Posted by xdk:
    It's not possible, as someone said before. If you put an @ in your login, WoW bypasses realmlist.wtf and connects to BNet servers, with a different system than the old one.
    Wrong. There's a variable for specifying the battle.net server as well... But anyway, the connection will fail at the thumbprint check since you don't have Blizzard's private RSA keys to form a correct thumbprint packet.
    Last edited by TOM_RUS; 03-07-2010 at 09:56 AM.
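An added illustration (not Blizzard's protocol and not code from this thread) of the check TOM_RUS describes: the operator signs the server's own address with a private key, and the client verifies that thumbprint under a pinned public key against the address it actually connected to, so a relay at another address cannot pass the check without the private key. The SHA-256-over-address-string encoding, the small textbook-RSA modulus and the 2001:db8:: addresses are assumptions made for the demo.

```python
import hashlib

# Textbook (unpadded) RSA over a small constructed modulus; only the shape of
# the check matters here.  A real client pins a full-size public key (e, n) in
# the binary, and the matching private exponent never leaves the operator.
_P, _Q = 1000003, 999983               # constructed primes, NOT real key material
_N = _P * _Q
PUBLIC_EXP = 65537
_PRIVATE_EXP = pow(PUBLIC_EXP, -1, (_P - 1) * (_Q - 1))   # Python 3.8+


def _address_digest(addr: str) -> int:
    """Hash the canonical endpoint string into the RSA group (assumed encoding)."""
    h = hashlib.sha256(addr.encode("ascii")).digest()
    return int.from_bytes(h, "big") % _N


def sign_address(addr: str, d: int = _PRIVATE_EXP, n: int = _N) -> int:
    """Operator side: the thumbprint is a signature over the server's own address."""
    return pow(_address_digest(addr), d, n)


def verify_thumbprint(peer_addr: str, thumbprint: int,
                      e: int = PUBLIC_EXP, n: int = _N) -> bool:
    """Client side: the thumbprint must verify under the PINNED key and must
    name the address the socket is actually connected to, not one the peer
    merely advertises."""
    return pow(thumbprint, e, n) == _address_digest(peer_addr)


def client_connect_check(peer_addr: str, thumbprint: int) -> str:
    """What a pinned-key client decides right after the TCP connect."""
    if verify_thumbprint(peer_addr, thumbprint):
        return "accept"
    return "abort: thumbprint does not verify for " + peer_addr


if __name__ == "__main__":
    real_server = "2001:db8::1"                    # documentation-prefix address
    thumb = sign_address(real_server)
    print(client_connect_check(real_server, thumb))   # accept
    # A relay at another address replaying the genuine thumbprint: the signed
    # address no longer matches the peer address, so the client aborts.
    print(client_connect_check("2001:db8::beef", thumb))
    # A relay signing its own address with a guessed private exponent fails too.
    print(client_connect_check("2001:db8::beef", sign_address("2001:db8::beef", d=12345)))
```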
