[Question] WoW RC4 Scramble

  1. #1 adapa
    [Question] WoW RC4 Scramble

    Hello, I am back again but this time with a question. I am under the impression that the RC4 encryption code is used with the K value, and then the HMACSHA1 value(runs it once with K value and again with the HMACSHA1 value using the same code). Or is it the other way around?

    So does the game use the same scramble code and just change the keys used for the RC4 chart?

    Thanks for any replies.

  2. #2 BoogieManTM
    Last time I looked, which was admittedly a while ago - they used K (40-byte result of SRP6), seeded an HMAC-SHA1() with the values below into two separate hashes and initialized two ARC4 contexts (one for sending, one for receiving - each way having its own seed). They would then force 1024 bytes through the context to roll the key by 1024.

    Here's the code I used - credit to wcell I believe

    Code:
            using System.Security.Cryptography;

            // ARC4 below is the project's own RC4 class (it is not part of the .NET
            // framework). Process(buffer, offset, count) XORs the buffer in place with
            // keystream, so the same call both encrypts and decrypts.
            public sealed class PacketCrypt
            {
                /// <summary>
                /// This is the key the client uses to encrypt its packets
                /// This is also the key the server uses to decrypt the packets
                /// </summary>
                private static readonly byte[] ServerDecryptionKey =
                    {
                        0xF4, 0x66, 0x31, 0x59, 0xFC, 0x83, 0x6E, 0x31,
                        0x31, 0x02, 0x51, 0xD5, 0x44, 0x31, 0x67, 0x98
                    };

                /// <summary>
                /// This is the key the client uses to decrypt server packets
                /// This is also the key the server uses to encrypt the packets
                /// </summary>
                private static readonly byte[] ServerEncryptionKey =
                    {
                        0x22, 0xBE, 0xE5, 0xCF, 0xBB, 0x07, 0x64, 0xD9,
                        0x00, 0x45, 0x1B, 0xD0, 0x24, 0xB8, 0xD5, 0x45
                    };

                // This is valid as HMAC-SHA1 transforms can be reused.
                // Note: HMACSHA1 instances are not thread-safe, so if several
                // PacketCrypt objects are built concurrently these statics need a lock.
                private static readonly HMACSHA1 s_decryptClientDataHMAC = new HMACSHA1(ServerDecryptionKey);
                private static readonly HMACSHA1 s_encryptServerDataHMAC = new HMACSHA1(ServerEncryptionKey);

                /// <summary>
                /// Decrypts data from Server
                /// </summary>
                private readonly ARC4 InData;
                /// <summary>
                /// Encrypts data for server
                /// </summary>
                private readonly ARC4 OutData;

                public PacketCrypt(byte[] sessionKey)
                {
                    // The session key K is only the HMAC message; the fixed 16-byte
                    // arrays above are the HMAC keys. Each direction gets its own 20-byte RC4 key.
                    byte[] encryptHash = s_encryptServerDataHMAC.ComputeHash(sessionKey);
                    byte[] decryptHash = s_decryptClientDataHMAC.ComputeHash(sessionKey);

                    // Used by the client to decrypt packets sent by the server
                    InData = new ARC4(encryptHash); // CLIENT-SIDE
                    // Used by the server to decrypt packets sent by the client
                    var decryptClientData = new ARC4(decryptHash); // SERVER-SIDE
                    // Used by the server to encrypt packets sent to the client
                    var encryptServerData = new ARC4(encryptHash); // SERVER-SIDE
                    // Used by the client to encrypt packets sent to the server
                    OutData = new ARC4(decryptHash); // CLIENT-SIDE

                    // Use the 2 encryption objects to generate a common starting point
                    // (both ends discard the first 1024 keystream bytes)
                    var syncBuffer = new byte[1024];
                    encryptServerData.Process(syncBuffer, 0, syncBuffer.Length);
                    InData.Process(syncBuffer, 0, syncBuffer.Length);

                    // Use the 2 decryption objects to generate a common starting point
                    syncBuffer = new byte[1024];
                    OutData.Process(syncBuffer, 0, syncBuffer.Length);
                    decryptClientData.Process(syncBuffer, 0, syncBuffer.Length);
                }
            }

  3. #3 adapa
    Thanks for that reply. I see in your code that you are in fact using the seed keys and HMACSHA1ing them both and using those keys to scramble two separate charts. I understand this much. But does this mean that the game uses the K value BEFORE the HMACSHA1 keys?

    For example:

    Let's say K value was 0x98357234972379856298357 and HMACSHA1 was 0xde7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9

    Now, WOW has this RC4 scramble code to start off:

    Code:
    #include <iostream>

    int main()
    {
    	// 0x100 S-box bytes plus the two index bytes zeroed below
    	// (0x101 was one short: the second loop writes chart[0x101])
    	unsigned char chart[0x102];
    	//This is making the 00-FF chart...
    	std::cout << "STARTING CHART MADE:\n";
    	for(int i=0 ; i < 0x100 ; i++)
    		chart[i] = i;

    	// clear the two trailing RC4 index bytes
    	for(int i=0x100;i<0x102;i++)
    		chart[i] = 0x0;
    	return 0;
    }
    Now that the chart is made... the WOW scramble code is:
    Code:
    .text:00ADC370 Scramble_Code:                          ; CODE XREF: SARC4PrepareKey+3Bj
    .text:00ADC370                                         ; SARC4PrepareKey+78j
    .text:00ADC370                 mov     eax, [ebp+arg_0]
    .text:00ADC373                 movzx   edi, dl
    .text:00ADC376                 movzx   edx, byte ptr [edi+eax]
    .text:00ADC37A                 add     dl, [ecx+esi]
    .text:00ADC37D                 inc     ecx
    .text:00ADC37E                 add     bl, dl
    .text:00ADC380                 movzx   edx, byte ptr [ecx+esi-1]
    .text:00ADC385                 movzx   eax, bl
    .text:00ADC388                 add     eax, esi
    .text:00ADC38A                 mov     byte ptr [ebp+arg_8+3], dl
    .text:00ADC38D                 movzx   edx, byte ptr [eax]
    .text:00ADC390                 mov     [ecx+esi-1], dl
    .text:00ADC394                 movzx   edx, byte ptr [ebp+arg_8+3]
    .text:00ADC398                 mov     [eax], dl
    .text:00ADC39A                 xor     edx, edx
    .text:00ADC39C                 lea     eax, [edi+1]
    .text:00ADC39F                 div     [ebp+arg_4]
    .text:00ADC3A2                 cmp     ecx, 100h
    .text:00ADC3A8                 jb      short Scramble_Code
    .text:00ADC3AA                 pop     edi
    .text:00ADC3AB                 pop     esi
    .text:00ADC3AC                 pop     ebx
    .text:00ADC3AD                 pop     ebp
    .text:00ADC3AE                 retn    0Ch
    I am under the impression that the game runs the K VALUE through this code FIRST. BUT then runs the HMACSHA1 (0xde7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9) code through it again. So the game scrambles twice. On two different charts. Both charts get the K value scramble. And then each chart gets its own HMACSHA1 scramble run through.

    Is this how it's done?

  4. #4 BoogieManTM
    Last I saw, K was not used/touched at all besides for the creation of the 2 HMACSHA1 hashes - if it's any different now, I wouldn't know of it.

    Originally Posted by adapa

    I am under the impression that the game runs the K VALUE through this code FIRST. BUT then runs the HMACSHA1 (0xde7c9b85b8b78aa6bc8a7a36f70a90701c9db4d9) code through it again. So the game scrambles twice. On two different charts. Both charts get the K value scramble. And then each chart gets its own HMACSHA1 scramble run through.

    Is this how it's done?

  5. #5 MaiN
    Originally Posted by BoogieManTM
    Last I saw, K was not used/touched at all besides for the creation of the 2 HMACSHA1 hashes - if it's any different now, I wouldn't know of it.
    Well, it is touched again... For Warden.

  6. #6 adapa
    Originally Posted by BoogieManTM
    Last I saw, K was not used/touched at all besides for the creation of the 2 HMACSHA1 hashes - if it's any different now, I wouldn't know of it.
    I see... So to make both HMACSHA1 hashes the message is the two seeds, and the session key value?

    EDIT:

    I am deeply confused now. Are you just taking these values:

    Code:
    unsigned char HMAC1[] =   { 0x22, 0xBE, 0xE5, 0xCF, 0xBB, 0x07, 0x64, 0xD9, 0x00, 0x45, 0x1B, 0xD0, 0x24, 0xB8, 0xD5, 0x45 };
    unsigned char HMAC2[] =   { 0xF4, 0x66, 0x31, 0x59, 0xFC, 0x83, 0x6E, 0x31, 0x31, 0x02, 0x51, 0xD5, 0x44, 0x31, 0x67, 0x98 };
    And running them through HMACSHA1? Or is there another piece to the puzzle, like the session key value which is found at:

    Newest Patch:
    Code:
    D8056C + 508 = D80A74 for new session key
    I have the scramble assembly code all coded in C++ and everything, I just need the value to plug in there. Which is where I am stuck. I don't know how to make HMACSHA1s because it doesn't make sense to me to HMACSHA1 the hard coded seeds.

    Unless you are incorporating the session key value which is found at the location specified above. So the session key value + HMAC to make two HMACSHA1s to produce the Key to run through the ARC4 scrambler?

    Any help would be nice

    EDIT 2:

    It just seems so confusing because there is a lot of conflicting information out there. Such as this: *BOLD = conflicting*
    (http://www.ownedcore.com/forums/worl...-protocol.html)
    Originally Posted by Boopy
    1) You could use this address
    [0x1132F74] + 0x508 = K
    kynox posted here.

    This gets you K, which is the key for the RC4 encryption that WoW uses since 3.1. If you have a look at the mangos 3.1 source afterwards, you should be able to decrypt the packets in no time.

    2) SRP6 itself seems impossible to reverse in realtime. Even with known parameters like the account-password. That is due to use of modular exponentiation in SRP6.
    See here.
    The above quote is saying to just take the session key value found at said address (in my post) and run it through the ARC4 scramble code. But above, BoogieManTM is suggesting that the two seed HMAC keys are paired with the session key to produce two separate HMACSHA1s that are run through the ARC4 scramble code on two different charts.

    So, which one is it?
    Last edited by adapa; 09-20-2011 at 09:36 AM.
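
As an added example (not code from the thread, nor from BoogieManTM's bot or WCell), here is the derivation the C# in post #2 performs, written in Python so the answer to the "which one is it?" question above is visible end to end: K is only the HMAC message, the two fixed 16-byte constants are the HMAC keys, and each direction gets its own RC4 context that both ends advance by 1024 bytes before real traffic. The session key used in the test is a constructed placeholder, and `ARC4` here is a plain textbook RC4, not the client's SARC4 code.

```python
import hmac
import hashlib
# The two fixed 16-byte HMAC keys quoted in the thread (posts #2 and #6).
SERVER_DECRYPTION_KEY = bytes([0xF4, 0x66, 0x31, 0x59, 0xFC, 0x83, 0x6E, 0x31,
                               0x31, 0x02, 0x51, 0xD5, 0x44, 0x31, 0x67, 0x98])
SERVER_ENCRYPTION_KEY = bytes([0x22, 0xBE, 0xE5, 0xCF, 0xBB, 0x07, 0x64, 0xD9,
                               0x00, 0x45, 0x1B, 0xD0, 0x24, 0xB8, 0xD5, 0x45])
DROP = 1024  # keystream bytes every context discards before real traffic

class ARC4:
    """Plain RC4: key scheduling (the 'scramble' loop in post #3) plus PRGA."""
    def __init__(self, key):
        s, j = list(range(256)), 0
        for i in range(256):
            # key index wraps at len(key): the 'div [ebp+arg_4]' in the listing
            j = (j + s[i] + key[i % len(key)]) & 0xFF
            s[i], s[j] = s[j], s[i]
        self.s, self.i, self.j = s, 0, 0

    def process(self, data):
        """XOR data with keystream; the same call encrypts and decrypts."""
        out = bytearray(len(data))
        for n, b in enumerate(data):
            self.i = (self.i + 1) & 0xFF
            self.j = (self.j + self.s[self.i]) & 0xFF
            self.s[self.i], self.s[self.j] = self.s[self.j], self.s[self.i]
            out[n] = b ^ self.s[(self.s[self.i] + self.s[self.j]) & 0xFF]
        return bytes(out)

def derive_keys(session_key):
    """K (the 40-byte SRP6 result) is only the HMAC message, never an RC4 key."""
    server_to_client = hmac.new(SERVER_ENCRYPTION_KEY, session_key, hashlib.sha1).digest()
    client_to_server = hmac.new(SERVER_DECRYPTION_KEY, session_key, hashlib.sha1).digest()
    return server_to_client, client_to_server

def make_session(session_key):
    """One RC4 context per direction on each side, each advanced by DROP bytes."""
    s2c, c2s = derive_keys(session_key)
    ctx = {"client_in": ARC4(s2c), "server_out": ARC4(s2c),
           "client_out": ARC4(c2s), "server_in": ARC4(c2s)}
    for c in ctx.values():
        c.process(bytes(DROP))  # the 1024-byte syncBuffer pass from post #2
    return ctx

def roundtrip(session_key, payload):
    """Server encrypts one packet; the client's paired context decrypts it."""
    ctx = make_session(session_key)
    wire = ctx["server_out"].process(payload)
    return wire, ctx["client_in"].process(wire)
```

A peer that skips the 1024-byte advance reads garbage, because its keystream is offset from the sender's; that desync is what the syncBuffer pass exists to prevent.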

  7. #7 BoogieManTM
    Originally Posted by MaiN
    Well, it is touched again... For Warden.
    Yes, of course. But that was a little out of scope, and a lot more complicated - not so easy to statically describe.

    For the record - the code I pasted above is taken directly from my clientless bot project. It _was_ used during 3.x versions of the game on the official servers (not server emulators, which often cut many corners) all the way up to 3.3 I believe.
    Last edited by BoogieManTM; 09-20-2011 at 07:05 PM.
