Hello! I have been REing WoW for a while now and I still can't find the encryption code in the binary. I know that WoW calls WS2_32 send from around 4-5 different locations, and I have been working backwards from those locations, but I still cannot for the life of me find any type of loop within the code that would resemble a scramble of bytes.
I am going backwards from 0x013B6DA7, and I still can't find any type of loop that would resemble RC4 encryption. I have cracked many RC4-encrypted game programs before, so I know what I have to look for, but I just can't find it. I think this is mostly because I cannot set breakpoints or hardware breakpoints on World of Warcraft.
My goal is to find the code that takes an unmodified packet and starts encrypting it. Help would be appreciated.
(VERSION: 4.2.0.14480)
Code:
013B6DA7  . 8B17            MOV EDX,DWORD PTR DS:[EDI]
013B6DA9  . 83C4 04         ADD ESP,4                            ; Below leads to SEND
013B6DAC  . 50              PUSH EAX                             ; |Arg3
013B6DAD  . 8D8D ECBDFFFF   LEA ECX,DWORD PTR SS:[EBP+FFFFBDEC]  ; |
013B6DB3  . 51              PUSH ECX                             ; |Arg2
013B6DB4  . 52              PUSH EDX                             ; |Arg1
013B6DB5  . E8 067D0200     CALL Wow.013DEAC0                    ; \Wow.013DEAC0
013B6DBA  . 83C4 10         ADD ESP,10
013B6DBD  . 85C0            TEST EAX,EAX
013B6DBF  . 0F85 E8000000   JNZ Wow.013B6EAD                     ; Jump To Z
013B6DC5  . 8B0F            MOV ECX,DWORD PTR DS:[EDI]           ; Below leads to RECV
013B6DC7  . 68 FF1F0000     PUSH 1FFF                            ; /Arg3 = 00001FFF
013B6DCC  . 8D85 ECDDFFFF   LEA EAX,DWORD PTR SS:[EBP-2214]      ; |
013B6DD2  . 50              PUSH EAX                             ; |Arg2
013B6DD3  . 51              PUSH ECX                             ; |Arg1
013B6DD4  . E8 E77D0200     CALL Wow.013DEBC0                    ; \Wow.013DEBC0
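For reference (an added example, not code from the poster or from the game): a plain C RC4 implementation with comments marking the parts that give the algorithm its recognizable shape, the 256-entry byte table, the two 256-iteration key-schedule loops and the per-byte swap-and-XOR, checked against the published "Key"/"Plaintext" test vector.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* RC4 state: a 256-byte permutation plus two byte-sized indices. */
typedef struct { uint8_t S[256]; uint8_t i, j; } rc4_ctx;

/* Key-scheduling algorithm (KSA): identity fill, then a 256-step loop that
 * swaps S[k] with S[j], with j advanced modulo 256 by the key bytes. */
void rc4_init(rc4_ctx *c, const uint8_t *key, size_t keylen)
{
    for (int k = 0; k < 256; k++) c->S[k] = (uint8_t)k;
    uint8_t j = 0;
    for (int k = 0; k < 256; k++) {
        j = (uint8_t)(j + c->S[k] + key[k % keylen]);
        uint8_t t = c->S[k]; c->S[k] = c->S[j]; c->S[j] = t;
    }
    c->i = c->j = 0;
}

/* PRGA: one swap and one XOR per byte; i and j persist across calls, so a
 * stream continues where the previous packet left off. */
void rc4_crypt(rc4_ctx *c, const uint8_t *in, uint8_t *out, size_t len)
{
    for (size_t n = 0; n < len; n++) {
        c->i = (uint8_t)(c->i + 1);
        c->j = (uint8_t)(c->j + c->S[c->i]);
        uint8_t t = c->S[c->i]; c->S[c->i] = c->S[c->j]; c->S[c->j] = t;
        out[n] = in[n] ^ c->S[(uint8_t)(c->S[c->i] + c->S[c->j])];
    }
}

/* Self-check against the well-known RC4 test vector:
 * key "Key", plaintext "Plaintext" -> BBF316E8D940AF0AD3. Returns 1 on match. */
int rc4_selftest(void)
{
    static const uint8_t expect[9] = {0xBB,0xF3,0x16,0xE8,0xD9,0x40,0xAF,0x0A,0xD3};
    const char *key = "Key", *pt = "Plaintext";
    uint8_t out[9];
    rc4_ctx c;
    rc4_init(&c, (const uint8_t *)key, strlen(key));
    rc4_crypt(&c, (const uint8_t *)pt, out, sizeof out);
    return memcmp(out, expect, sizeof expect) == 0;
}

int main(void)
{
    int ok = rc4_selftest();
    printf("RC4 self-test: %s\n", ok ? "ok" : "FAIL");
    return ok ? 0 : 1;
}
```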