[Workaround] On packet redirection menu

  1. #1 Cromon

    [Workaround] On packet redirection

    Hello everyone!

    As you may have noticed, Blizzard now uses that interesting opcode SMSG_REDIRECT_CLIENT, which opens a second connection in the client to a specified IP and port. Most packets will then be sent using the new connection. If this connection is not opened, packets will be queued and sent when the connection gets opened.

    Now that's where the problems begin. Unfortunately some dev had the very bad idea to encrypt the content of SMSG_REDIRECT_CLIENT using the RSA algorithm. We have a hardcoded modulus and private key, but we do not know the server's "public" key, and as a main feature of RSA this is at the moment safe. We would have to factorize the modulus to calculate phi(modulus), and then we could calculate the public key from the private key.

    There are basically two workarounds:
    Nr. 1: Patch WoW.exe and change the hardcoded modulus to a large number whose factors p and q we know. From there we can easily calculate the public key.

    Nr. 2:
    Code:
            // Requires a process-memory helper class ("Memory") and the address of the
            // client's NetClient global ("gNetClient"); neither is included in this post.
            using System;

            class Program
            {
                static void Main(string[] args)
                {
                    Memory mem = new Memory("WoW");
                    uint netClient = gNetClient + mem.Base;
                    uint basePtr = mem.Read<uint>(netClient);
                    uint ofs1 = basePtr + 0x464C; // bool QueuePacketsForConnection1;
                    uint ofs2 = basePtr + 0x464D; // bool QueuePacketsForConnection2;
                    uint ofs3 = basePtr + 0x461C; // ServerConnection* pConnection1;
                    uint ofs4 = basePtr + 0x4620; // ServerConnection* pConnection2;
                    byte val1 = mem.Read<byte>(ofs1); // queue flag of the initial connection
                    uint ptr1 = mem.Read<uint>(ofs3); // pointer to the initial connection
                    mem.Write(ofs4, ptr1); // pConnection2 = pConnection1;
                    mem.Write(ofs2, val1); // QueuePacketsForConnection2 = QueuePacketsForConnection1;
                    Console.ReadKey();
                }
            }
    The code is pretty self-explaining, I'd say. It just tells the client that the redirected connection is initialized and sets its pointer to the initial connection. By running this at the character list and then entering the world, the server again receives every packet. There are of course also issues with that. When falling back to the login screen (disconnected from the server) you have to restart WoW or reverse the changes made, else delete is used on the same connection twice, which results in an access violation. The same happens if you close WoW. Connections are freed twice, which gives you an access violation, but that doesn't hurt.

    Greetings
    Cromon
    Last edited by Cromon; 11-07-2010 at 05:02 AM.

  2. #2 Hiperzone
    Gonna try a new method soon, but your workaround #1 is my second suggestion, as the second one is too troublesome for servers that wanna have redirection support as intended by Blizzard.

    I'm not sure how to patch N and the priv key in WoW (I don't even know the locations in IDA atm), maybe you can try ;P
    There should be RSA key generators somewhere.

  3. #3 abdula123
    Originally Posted by Hiperzone
    Gonna try a new method soon, but your workaround #1 is my second suggestion, as the second one is too troublesome for servers that wanna have redirection support as intended by Blizzard.

    I'm not sure how to patch N and the priv key in WoW (I don't even know the locations in IDA atm), maybe you can try ;P
    There should be RSA key generators somewhere.
    You can use openssl to generate an RSA key:
    openssl genrsa -out privkey.pem 2048
    openssl rsa -in privkey.pem -text

    The public exponent E used in openssl is the same as the one used in WoW (0x10001),
    so you only need the modulus N, to replace the one in WoW.exe with yours, and the private exponent D, to encrypt data on your server side.

    But before encryption you need to do (in reverse order, of course) all the crap that blizzies do with the data (shuffling, checksumming and all the rest).


    IMHO, the simplest way to do redirection is patching the SMSG_REDIRECT_CLIENT handler to:
    1. remove the decryption sub call (so you don't need to encrypt the packet or deal with the RSA key in WoW.exe)
    2. remove the shuffling sub call (so you save a bunch of time implementing it in reverse order on the server side)
    3. disable the xor checking (so you save a bunch of time implementing it in reverse order on the server side)
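The RSA point raised in post #1 (the other exponent can only be derived from the modulus once its factors p and q are known) and the key-replacement advice in post #3 (keep E = 0x10001, substitute your own N, use D on the other side) rest on the same arithmetic. The following is an added illustration, not code from the thread or from any client; the primes are small constructed values chosen so that trial division can check them, and the message is a stand-in for the real payload block.

```python
"""Deriving the counterpart exponent from the factors of an RSA modulus (constructed example)."""
from math import gcd


def is_prime(n):
    """Trial division; sufficient for the small constructed primes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def derive_other_exponent(p, q, known_exp):
    """Given the factors of n = p*q and the exponent baked into one side,
    return the exponent the other side must use: known_exp^-1 mod phi(n).
    phi(n) = (p-1)(q-1) is only computable when p and q are known, which is
    why the modulus alone (as in the stock client) does not reveal it."""
    if p == q or not (is_prime(p) and is_prime(q)):
        raise ValueError("p and q must be distinct primes")
    phi = (p - 1) * (q - 1)
    if gcd(known_exp, phi) != 1:
        raise ValueError("exponent is not invertible modulo phi(n)")
    return pow(known_exp, -1, phi)


def rsa_apply(m, exp, n):
    """Textbook RSA: m^exp mod n (no padding, as in this illustration)."""
    return pow(m, exp, n)


def demo():
    # Constructed primes, not taken from any real key material.
    p, q = 999983, 1000003
    n = p * q
    client_exp = 0x10001                      # exponent the client keeps, per post #3
    server_exp = derive_other_exponent(p, q, client_exp)
    m = 0x1234ABCD                            # stand-in for the redirect payload block
    c = rsa_apply(m, server_exp, n)           # "encrypt" on the server side
    return rsa_apply(c, client_exp, n) == m, server_exp, (p - 1) * (q - 1)
```

Without p and q the same derivation has no shortcut: `derive_other_exponent` cannot be called on n alone, which is exactly what makes substituting a modulus with known factors the workable route in post #1.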
