[Question] How to find K Value

[adapa]

Hello. I was wondering how you find the K Value for the RC4 encryption in Wow's source. The problem I am having is I cant even breakpoint while in Olly, or IDA without throwing an assertion due to the Battle.net.dll. Also, while in game, breakpoints don't work.

Is there something I am missing? Is there some Godly hack that can bypass these restrictions so I can step through the wow source in olly, or IDA(or a similar type of program) so I can find where WOW stores its K value? I really don't feel like stepping through the battle.net.dll and seeing if I can bypass the restrictions for checking if a debugger is present on logon... (if I even could lol)

Goal: Encrypt/Decrypt the packets by finding the K Value.

I hope there is a way(there has to be...) Or is it:

Blizzard:1
Me: 0

Any help would be appreciative.

[sitnspinlock]

heh, just use a VEH ;p

otherwise you are looking at detouring the zwqueryinformationprocess syscall, and bypassing their unhandled exception filter from the random int1's and int3's.

[adapa]

heh, just use a VEH ;p

otherwise you are looking at detouring the zwqueryinformationprocess syscall, and bypassing their unhandled exception filter from the random int1's and int3's.

I really wish I knew what VEH was. I googled "VEH" and "VEH DEBUGGER". Is there a full name for VEH(as this is the acronym I assume). Thanks...

[sitnspinlock]

vectored exception handler

[adapa]

Thanks a lot. It seems that coding is endless with these kind of things, why can't this just be easy. -_-;; Pardon my noobness. But how does one go about using a VEH to look through WOW's source in OLLY, or IDA?

[sitnspinlock]

well if you wanted to browse the disassembly you could just use IDA and disassemble the PE. I thought you wanted a way to watch wow during the logon sequence without having to bypass the debug protection.

but it would obviously be next to impossible by just looking at the disasm so you have a few choices.

a. bypass the debug protection and just debug it ;p

b. write your own veh debugger.

c. use IDA stealth (a plugin that attempts to hide the debugger though various drivers and system call hooks)

d. download the DDK and roll your own

[adapa]

I'm sorry if my question in the OP was confusing. But all I really want to do, is break at the (ws2_32)"SEND" call in WOW, and look back and see how the packets are encrypted. From the encryption function I could find the location of the K value, and just read the memory from there and copy/past the encryption code in assembly and dump it into a program.

[sitnspinlock]

well then in that case just use IDA to browse the import address table and look for Send(). WoW I believe uses 2 sockets, not entirely sure what for as I don't really care to look (maybe someone else here can share )

Last I checked WoW calls it directly through the IAT so it should be easy

[adapa]

well then in that case just use IDA to browse the import address table and look for Send(). WoW I believe uses 2 sockets, not entirely sure what for as I don't really care to look (maybe someone else here can share )

Last I checked WoW calls it directly through the IAT so it should be easy

Thank you for all your information and time!! Although, it wont be easy because I can not breakpoint the game at those locations without making battle.net.dll throw an assertion because of the anti-debugging checks. What I can do however is blindly trace back without live debugging and see if I can figure out from loops and whatnot if I am at the right piece of assembly code that makes the rc4 chart. However, I don't believe this would be "easy" per-say... It be real nice if there was a way to-do live debugging. That way I can just breakpoint and look at the stack and see some calls that took place.