Proxy to manipulate?

Page 3 of 6 (results 31 to 45 of 76)
  1. #31
    abdula123 (Sergeant)
    Originally Posted by !@^^@!:
    FreeCap Homepage - Home can force a specific process to use a proxy, a program that does the same but better/easier is ProxyCap - A stable and reliable proxifier for Windows/Mac OS X but it's not free
    +1

    Set up any "socksifier" (ProxyCap, SocksCap, FreeCap, Proxifier; there are a lot of them) to forward wow.exe connections via your proxy.

    Of course, you must implement SOCKS4 on it (it's simple).

    Also, you must separate connections to the auth server (just forward, don't touch it) and to the world server (do the bad things on it).

    After CMSG_AUTH_SESSION you just freeze the connection for some time, read the session key from the wow.exe process, create ARC4 instances, and then start doing decryption/re-encryption of packet headers through your proxy.

    OR

    If you're really a guru in Windows sockets and have a LOT of free time, you can write your own Layered Service Provider that will filter wow.exe connections and do the same things on them.

    Maybe this trick will stop working in 3.3.3, but right now it works OK.
    Last edited by abdula123; 03-07-2010 at 10:35 AM.

  2. #32
    SinnerG (Member)
    Well, isn't the issue that the protocol (encryption) changed? Or does this only count for the 'realm list' part?

  3. #33
    BoogieManTM (Active Member)
    Originally Posted by SinnerG:
    Well, isn't the issue that the protocol (encryption) changed? Or does this only count for the 'realm list' part?
    Only authentication has changed extensively in the past few months, which is why I recommend you bypass it completely and DO NOT even attempt to proxy it. There is no need.

  4. #34
    SinnerG (Member)
    So, if I remove my realm code and just let my proxy sit in between the client <> 'world server', things should still work without any change? (Except that I actually need to get it to connect to my proxy.)

  5. #35
    !@^^@! (Active Member)
    I'll admit that I lack knowledge about this subject, but wouldn't you need either to time when you start proxying WoW's network packages or to filter the data?

  6. #36
    xdk (Member)
    Originally Posted by BoogieManTM:
    Only authentication has changed extensively in the past few months, which is why I recommend you bypass it completely and DO NOT even attempt to proxy it. There is no need.
    So, how can I forward only the realm server's connection and not the auth server's connection? ProxyCap/Proxifier etc. don't have this feature.
    Can I hook WinSock functions (using EasyHook) to force it to connect to my local realm proxy?

  7. #37
    BoogieManTM (Active Member)
    Originally Posted by xdk:
    So, how can I forward only the realm server's connection and not the auth server's connection? ProxyCap/Proxifier etc. don't have this feature.
    Can I hook WinSock functions (using EasyHook) to force it to connect to my local realm proxy?
    Sure, that's another way I never thought of. You can hook Winsock's Connect() function, looking for a connect that is headed towards a realm server (what you guys call the world server), change the endpoint and voila! You're now proxying without any system-level modifications. Gotta let the proxy know somehow where it is supposed to be connecting to in the other direction... perhaps inject your own handshake packet?

    i.e., hook Connect()
    Wait for a call that looks like it's going to a realm server
    Intercept the call to the realm server
    Redirect it to the proxy
    Inject a 'hello' packet to your proxy to instruct it on which realm it needs to connect to for you (I would also include encryption keys in this packet, which would allow for a totally remote proxy without much headache)

    And then you're done! You're successfully proxying the realm connection only, which is the only thing the majority of people would be remotely interested in.

  8. #38
    SinnerG (Member)
    ^^

    Used to do this:

    - A VMware'd Windows 7 (running as bridged, aka its own dynamic IP)
    - A simple proxy instance (seen in the screeny)

    This is a connection to a REAL WoW server (not emulated). FYI, it does not 'look' at the packages! (Just a POC for a proxy :P)

    SimpleProxy is something I quickly made to do this thing ^^ (just an app that takes <local ip> <local port> <remote ip> <remote port> :P)
    Last edited by SinnerG; 03-09-2010 at 02:45 PM.

  9. #39
    SinnerG (Member)
    I'm in need of a favor.

    Could anyone explain to me the LARGE header for WoW server > client packages?

    I've looked both in PseuWoW (WoW client) and MaNGOS code, and all the code there is either not working or the bitwise operations are not C# compatible (I assume it's the 2nd).

    Wasted hours on this already. I do have it working for 'regular' headers :/

    edit: For example, take the following 5 decrypted bytes:

    headerBytes Count = 5 System.Collections.Generic.List<byte>
    [0] 195 byte
    [1] 35 byte
    [2] 63 byte
    [3] 216 byte
    [4] 226 byte
    All the code I tried either gave an incredibly high 'size' OR an invalid one :/

    Edit 2: could it be that the 'session key' changes when entering a realm?

    Edit 3: until further edits, don't reply to this => I think I found it... (GAAH, hours wasted on this...) I added a 'peek' function to decrypt 1 byte without ruining the decryption state, but I still ruin it later on...

    Edit 4: Yup... It is working now (no 'big' packet yet though, to see if that is working :/)

    Some output:
    UNHANDLED OPCODE RECEIVED: SMSG_TIME_SYNC_REQ
    UNHANDLED OPCODE RECEIVED: CMSG_TIME_SYNC_RESP
    Server > Client
    UNHANDLED OPCODE RECEIVED: SMSG_MONSTER_MOVE
    Server > Client
    UNHANDLED OPCODE RECEIVED: SMSG_MONSTER_MOVE
    UNHANDLED OPCODE RECEIVED: CMSG_PING
    Server > Client
    UNHANDLED OPCODE RECEIVED: SMSG_PONG
    Server > Client
    UNHANDLED OPCODE RECEIVED: SMSG_MONSTER_MOVE
    Server > Client
    UNHANDLED OPCODE RECEIVED: SMSG_MONSTER_MOVE
    Server > Client
    UNHANDLED OPCODE RECEIVED: SMSG_MONSTER_MOVE
    Server > Client
    UNHANDLED OPCODE RECEIVED: SMSG_MONSTER_MOVE
    Server > Client
    UNHANDLED OPCODE RECEIVED: SMSG_MONSTER_MOVE
    Server > Client
    UNHANDLED OPCODE RECEIVED: SMSG_MONSTER_MOVE
    Last edited by SinnerG; 03-09-2010 at 08:24 PM.
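The 'peek' trap in Edit 3 above is a general property of stream ciphers, not a WoW quirk: decrypting a byte advances the keystream, so a peek that decrypts in place leaves the receiver one keystream byte ahead of the sender and every later header comes out as garbage. The following is an added example (mine, not SinnerG's code and not from any game or emulator project) in Python. It uses textbook RC4 because that is the cipher the thread is working with, and puts a peek that runs on a deep copy of the cipher state beside the buggy in-place peek. Everything else is constructed for the demo: the key (`KEY`), the packets (`SAMPLE`), and a stand-in header layout where only headers are enciphered, bodies are plaintext, and the top bit of the first header byte says whether the header is 5 bytes or 4; it is not a claim about the game's real format.

```python
"""Peeking at a stream cipher's output without desynchronising it.

Added example, not code from this thread or from any game project. Textbook
RC4 is used because that is the cipher under discussion; the key, the header
layout and the sample packets are constructed for the demo.
"""
import copy

KEY = b"constructed-demo-key"  # constructed; not a real session key


class RC4:
    """Textbook RC4 (KSA + PRGA), with a counter of keystream bytes generated."""

    def __init__(self, key: bytes):
        s = list(range(256))
        j = 0
        for i in range(256):
            j = (j + s[i] + key[i % len(key)]) & 0xFF
            s[i], s[j] = s[j], s[i]
        self.s, self.i, self.j = s, 0, 0
        self.consumed = 0

    def keystream(self, n: int) -> bytes:
        out = bytearray()
        for _ in range(n):
            self.i = (self.i + 1) & 0xFF
            self.j = (self.j + self.s[self.i]) & 0xFF
            self.s[self.i], self.s[self.j] = self.s[self.j], self.s[self.i]
            out.append(self.s[(self.s[self.i] + self.s[self.j]) & 0xFF])
        self.consumed += n
        return bytes(out)

    def crypt(self, data: bytes) -> bytes:
        """XOR with keystream; the same call encrypts and decrypts."""
        return bytes(a ^ b for a, b in zip(data, self.keystream(len(data))))

    def peek(self, data: bytes) -> bytes:
        """Correct peek: decrypt on a deep copy, so this cipher's state is untouched."""
        return copy.deepcopy(self).crypt(data)

    def naive_peek(self, data: bytes) -> bytes:
        """Buggy peek: decrypts in place, so the keystream advances and the real
        decryption that follows is XORed with the wrong keystream bytes."""
        return self.crypt(data)


def make_header(size: int, opcode: int) -> bytes:
    """Constructed layout: big-endian size, little-endian opcode; a size above
    0x7FFF gets a 5-byte header whose first byte has the top bit set."""
    if size > 0x7FFF:
        return bytes([0x80 | ((size >> 16) & 0x7F), (size >> 8) & 0xFF, size & 0xFF,
                      opcode & 0xFF, (opcode >> 8) & 0xFF])
    return bytes([(size >> 8) & 0xFF, size & 0xFF, opcode & 0xFF, (opcode >> 8) & 0xFF])


def parse_header(hdr: bytes) -> tuple:
    """Inverse of make_header; the caller already knows how many bytes it read."""
    if len(hdr) == 5:
        return ((hdr[0] & 0x7F) << 16) | (hdr[1] << 8) | hdr[2], hdr[3] | (hdr[4] << 8)
    return (hdr[0] << 8) | hdr[1], hdr[2] | (hdr[3] << 8)


def build_stream(packets: list) -> bytes:
    """Sender side: one cipher instance enciphers every header in order."""
    enc = RC4(KEY)
    return b"".join(enc.crypt(make_header(len(body), op)) + body for op, body in packets)


def read_packets(stream: bytes, use_snapshot: bool) -> tuple:
    """Receiver side: returns (packets, keystream bytes consumed). The header
    length is only known after looking at its first byte, which is the peek."""
    dec = RC4(KEY)
    pos, out = 0, []
    while pos < len(stream):
        peek = dec.peek if use_snapshot else dec.naive_peek
        hlen = 5 if peek(stream[pos:pos + 1])[0] & 0x80 else 4
        hdr = dec.crypt(stream[pos:pos + hlen])
        pos += hlen
        if len(hdr) < hlen:
            out.append(("desync", None))  # ran off the end of the stream
            break
        size, opcode = parse_header(hdr)
        if size > len(stream) - pos:
            out.append(("desync", size))  # a corrupted header yields an impossible size
            break
        out.append((opcode, stream[pos:pos + size]))
        pos += size
    return out, dec.consumed


SAMPLE = [(0x1234, b"small body"), (0x0010, b"x" * 0x8000)]  # constructed packets


if __name__ == "__main__":
    stream = build_stream(SAMPLE)
    for snap in (True, False):
        packets, used = read_packets(stream, use_snapshot=snap)
        print("snapshot" if snap else "in-place", [p[0] for p in packets], "keystream used:", used)
```

With the snapshot peek the receiver consumes exactly the 9 header bytes the sender enciphered; with the in-place peek it consumes extra keystream on every header, and the first header after the peek already decrypts to nonsense, which is the "incredibly high size" symptom.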

  10. #40
    SinnerG (Member)
    Here is a POC of packet injection.

    I said Hello, and I coded in an auto-reply (it injects the 'world' reply after the client's CMSG_MESSAGECHAT message).

    Added server > client injection.

    http://yfrog.us/4rwow2010031009002261z (video)

    I know the text ain't clear, so:

    I move around a bit (can't fly), then I type 'Superman!' and forge a message that I send to the WoW client; it then thinks I'm allowed to fly and tada: fly 'hack' without any 'wow process' injection :P

    FYI: Tested on a private server since the WoW official servers are down atm (that's why I didn't bother 'cleaning' up my 'info' :P)
    Last edited by SinnerG; 03-10-2010 at 03:13 AM.

  11. #41
    SinnerG (Member)
    Err, could anyone be so kind as to convert (*(((uint16*)&(x))+3)) to C#-compatible code? :s

    (where x is a ulong)

  12. #42
    Cypher (Kynox's Sister's Pimp)
    Originally Posted by SinnerG:
    Err, could anyone be so kind as to convert (*(((uint16*)&(x))+3)) to C#-compatible code? :s

    (where x is a ulong)
    It's not a difficult or complex expression; it just looks that way because of the way it's written.

    Break it down into its 'parts' and convert it; it's really not hard.
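Taking Cypher's advice literally: the expression is four C operators applied in turn (`&x` takes the address, the cast reinterprets it as `uint16` slots, `+3` moves three slots, i.e. six bytes, and `*` reads the slot), and the answer depends on the host's byte order because the cast punned the integer through memory. The following is an added example (mine, not from the thread) in Python that performs each step on the raw bytes and checks it against the pure shift-and-mask form, which is what the C# version would use. It goes beyond the poster's case by taking the element width as a parameter; `element_at`, `element_by_shift` and `SAMPLE` are my names and the sample value is constructed.

```python
"""Taking (*(((uint16*)&(x))+3)) apart one C operator at a time.

Added example, not code from the thread. The poster's expression is the
width-2, index-3 case of element_at(); the sample value is constructed.
"""
import struct

MASK64 = 0xFFFFFFFFFFFFFFFF
FORMATS = {1: "B", 2: "H", 4: "I", 8: "Q"}  # struct codes for the element width in bytes


def element_at(x: int, width: int, index: int, byte_order: str = "<") -> int:
    """Mirror the C step by step:
      &(x)        -> the 8 bytes of x as laid out in memory
      (uint16*)   -> reinterpret them as slots of `width` bytes
      + index     -> pointer arithmetic scales by the slot size
      *           -> read that slot
    byte_order '<' is little-endian (x86), '>' big-endian; the C result
    depends on it, the shift form below does not."""
    raw = struct.pack(byte_order + "Q", x & MASK64)
    offset = index * width
    if offset + width > len(raw):
        raise IndexError("reads past the end of x (undefined behaviour in C)")
    return struct.unpack(byte_order + FORMATS[width], raw[offset:offset + width])[0]


def element_by_shift(x: int, width: int, index: int) -> int:
    """Same value as element_at on a little-endian host, with no pointer
    punning: slot `index` is bits [index*width*8, (index+1)*width*8).
    For the thread's case this is the C# expression (ushort)(x >> 48)."""
    bits = width * 8
    return (x >> (index * bits)) & ((1 << bits) - 1)


def thread_expression(x: int) -> int:
    """(*(((uint16*)&(x))+3)) for a ulong x, as the poster asked."""
    return element_at(x, 2, 3)


SAMPLE = 0x1122334455667788  # constructed

if __name__ == "__main__":
    print(hex(thread_expression(SAMPLE)))        # 0x1122 on a little-endian host
    print(hex(element_at(SAMPLE, 2, 3, ">")))    # 0x7788 if the host were big-endian
    print(hex(element_by_shift(SAMPLE, 2, 3)))   # 0x1122, independent of byte order
```

On x86 the C expression and `(ushort)(x >> 48)` agree; the shift form is the one to carry into C#, since it does not depend on how the ulong happens to sit in memory.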

  13. #43
    SinnerG (Member)
    Well, I think I got it...

    Almost got a working 'object manager' that purely works on proxied data (OK, you still need the session key ;p).

    It works for most 'objects', except 'units' trigger an exception atm (looking into it...).

    edit: meh, keep fixing 'race' conditions... Luckily I had some data to compare, so I knew it had a 'bit' too much data at a certain point.

    edit 2: It is mostly working now though. Now, if I reverse the process, I should be able to set the 'fly' bit once again :P

    Some debug output (positions were fixed just then, that's why not all entries have a position :P)

    Player: Position: 1 0 0 7,006492E-45
    Player: Position: 0 0 0 0
    Player: Errrz Position: 0 0 0 0
    Player: Position: 0 0 0 0
    Player: Position: 0 0 0 0
    Unit: TODO Position: -629,7752 -4154,154 38,56937 0,4596916
    Unit: TODO Position: -628,3361 -4284,025 42,10564 0,6844615
    Player: Panzo Position: -658,518 -4251,67 38,718 3,660948
    Player: Position: 0 0 0 0
    Server > Client
    Server > Client
    UNHANDLED OPCODE RECEIVED: SMSG_MONSTER_MOVE
    Server > Client
    UNHANDLED OPCODE RECEIVED: SMSG_MONSTER_MOVE
    Server > Client
    UNHANDLED OPCODE RECEIVED: SMSG_MONSTER_MOVE
    FYI: I'm not planning to do something with what I do here. I'm just doing this for the coding XP (not planning to use it on my real account either; trials ftw!)
    Last edited by SinnerG; 03-12-2010 at 11:44 PM.

  14. #44
    SinnerG (Member)
    Hmm, it works, the object manager, except when I get a 'local' player update.

    Anyone who has more info on the SMSG_UPDATE_OBJECT packet?

    I must be reading something too much or too little (I can read the 'speed' values correctly though).

    Either the movement reading is wrong, or the values reading (but I don't think the values reading differs from the regular player one, so I think it's the movement reading).

    'Praying' that an update with only 1 package occurs containing a player update... Then I can debug (no luck so far).

    edit: Hmm, didn't look at this yet => http://www.mmowned.com/forums/wow-me...crypt-lib.html <= Did all the code myself, but let me take a look there... Maybe I missed something :/

    edit: goody! Thanks amadmonk for your code! I found out that I did have all the correct checks EXCEPT that my 'NOT LIVING' else was closed too late :P
    Last edited by SinnerG; 03-13-2010 at 04:21 PM.

  15. #45
    abdula123 (Sergeant)
    Originally Posted by kynox:
    They're generated again using a polymorphic function which computes new in/out keys. The function changes with each module (which are distributed daily, multiple times), so you need to read the context from Warden itself.

    I load a fresh Warden module into memory and initialize it, as described in the skillsecurity wiki
    (in Python with ctypes it's not so hard; you just need to understand what happens under the hood).

    Then I feed it the current RC4 state (box1, i1, j1, box2, i2, j2, err: 520 bytes total) via the GetRC4Data callback.

    After that I give it the encrypted SEED packet, captured from the stream, and get the encrypted SEED response via the SendPacket callback, exactly the same as the live Warden sent to the server.

    After that I read the new RC4 state, with i1=0 and i2=0 (i.e. not yet used for encryption), from Warden's memory (from the address where the old state was written to).

    But when I try to decrypt the next Warden packet with this new RC4 state, I get a nonsense result.

    Also, when I give this packet to the module, it doesn't do any work: PacketHandler returns 0 and no callbacks fire.

    What did I miss?

    Code:
    Loading module AF203602B6E8414A835A10B4E3DC8EEC.raw
    Allocated mem for module: 0x010b0000
    Copying code sections to module.
    Adjusting references to global variables...
    Updating API library references...
    Lib: KERNEL32.dll, offset: 0x00007000
       Function: GetConsoleMode, 	 0x7c81ac50
       Function: GetStdHandle, 	 0x7c812fd9
       Function: Sleep, 	 0x7c802446
    HOOKED
       Function: GetModuleHandleA, 	 0x00f70fa4
       Function: TlsAlloc, 	 0x7c812e3f
       Function: TlsFree, 	 0x7c813777
       Function: TlsGetValue, 	 0x7c8097e0
       Function: TlsSetValue, 	 0x7c809c65
       Function: RaiseException, 	 0x7c812aa9
    HOOKED
       Function: GetProcAddress, 	 0x00f70fdc
       Function: GetSystemInfo, 	 0x7c812df6
       Function: GetVersionExA, 	 0x7c812b7e
       Function: VirtualQuery, 	 0x7c80ba71
       Function: QueryDosDeviceA, 	 0x7c85d344
       Function: GetTickCount, 	 0x7c80934a
       Function: DuplicateHandle, 	 0x7c80de9e
       Function: CloseHandle, 	 0x7c809be7
       Function: FreeLibrary, 	 0x7c80ac7e
       Function: GetCurrentProcess, 	 0x7c80de95
    HOOKED
       Function: LoadLibraryA, 	 0x00f70fc0
       Function: GetProcessHeap, 	 0x7c80ac61
       Function: HeapFree, 	 0x7c90ff2d
       Function: TerminateProcess, 	 0x7c801e1a
       Function: UnhandledExceptionFilter, 	 0x7c863fca
       Function: SetUnhandledExceptionFilter, 	 0x7c84495d
       Function: QueryPerformanceCounter, 	 0x7c80a4c7
       Function: GetCurrentThreadId, 	 0x7c8097d0
       Function: GetCurrentProcessId, 	 0x7c8099c0
       Function: GetSystemTimeAsFileTime, 	 0x7c8017e9
       Function: RtlUnwind, 	 0x7c92abc5
    Lib: USER32.dll, offset: 0x0000707c
       Function: CharUpperBuffA, 	 0x7e36ae3f
       Function: CreateWindowExA, 	 0x7e37e4a9
       Function: ScrollWindowEx, 	 0x7e380187
       Initialize Function is mapped at 0x010b263d
     <-- GetModuleHandleA('kernel32.dll') = 0x7c800000
     <-- GetProcAddress(0x7c800000, 'AddVectoredExceptionHandler') = 0x7c936c2a
     <-- GetProcAddress(0x7c800000, 'RemoveVectoredExceptionHandler') = 0x7c936c96
     <-- AllocateMemory(2032)
     <-- AllocateMemory(60)
     <-- AllocateMemory(44)
     <-- LoadLibraryA('kernel32.dll') = 0x7c800000
    HOOKED
     <-- GetProcAddress(0x7c800000, 'CreateToolhelp32Snapshot') = 0x00f70f88
     <-- GetProcAddress(0x7c800000, 'Module32First') = 0x7c8653a0
     <-- GetProcAddress(0x7c800000, 'Module32Next') = 0x7c865525
     <-- GetModuleHandleA('kernel32.dll') = 0x7c800000
     <-- GetProcAddress(0x7c800000, 'wine_get_unix_file_name') = 0x00000000
     <-- AllocateMemory(92)
    Module Initialized, return 0x00cd2b60
    GenerateRC4Keys = 0x17512352
    Unload = 0x17523824
    PacketHandler = 0x17512560
    Tick = 0x17504864
     -> GenerateRC4Keys
     <-- GetRC4Data <warden.LP_c_ubyte object at 0x019089E0> 520
     -> PacketHandler
     <-- SendPacket(0x01908af8, 21)
    (1, 17)
    encrypted responce
    0000: 52 58 2e be 97 dd fe dc ad a7 87 bc 1b ca ef 56  |  RX............V
    0010: 7b fe 5c ce b6                                   |  {.\..
    
    decrypted responce
    0000: 04 0e 94 81 61 d0 b6 8b fb aa d5 60 eb a0 f1 8a  |  ....a......`....
    0010: 73 d6 5c ad ad                                   |  s.\..
    
    AFTER SEED -> HASH
    
    serv pkt encrypted
    0000: ac 03 4d 10 f6 d2 b7 b9 dc 96 5f 9f 75 ff f4 dc  |  ..M......._.u...
    0010: 82 25 74 8c c0 c7 da 41 eb 7d 90 c0 3a 2a c0 74  |  .%t....A.}..:*.t
    0020: 10 f4 d6 2f 6c 46 cb 71 5e ce 0b 22 bf b4 8b 56  |  .../lF.q^.."...V
    0030: 35 1e 52 af 15 3f 4e 14 b7                       |  5R.?N.
    
    serv pkt decrypted
    0000: 69 b6 97 1c 52 8d 97 9a 70 c4 7f 5d f3 6e 6e df  |  i..R...p.].nn.
    0010: a5 ff 96 72 bd f9 94 89 5c cc 18 e1 7d e8 dc d4  |  ...r....\..}...
    0020: 42 eb c4 80 87 77 8b 86 c0 ea ff e0 82 dc 8b b5  |  B....w..........
    0030: 40 42 6b ed b7 4b 4f 4e 80                       |  @Bk..KON.
    
     -> PacketHandler
    (0, 0)
    
     <-- ReleaseMemory(0x00ca61d0)
     <-- ReleaseMemory(0x00c207a8)
     <-- ReleaseMemory(0x00aba020)
     <-- SetRC4Data <warden.LP_c_ubyte object at 0x00CFCBC0> 520
     <-- ReleaseMemory(0x00cd2b60)
