[Question] What packets are not encrypted/decrypted? menu

User Tag List

Results 1 to 11 of 11
  1. #1
    adapa's Avatar Sergeant
    Reputation
    1
    Join Date
    Jul 2011
    Posts
    41
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    [Question] What packets are not encrypted/decrypted?

    What packets in WOW are not encrypted, and decrypted? I have been seeing a ton of packets that are not encrypted... Is there an easy way to tell? Also, it seems the connection goes like this:

    LOGIN -> Port 1119 (this never closes)
    CHAR SERVER -> Port 3724
    Then CHAR SERVER closes when you login with your char, you connect to another server port 3724.


    Another question is: Do you use the same encryption tables? Do they get copied over for each new connection described above? Would seem pretty strange if all servers needed to update each-other on your encryption table... but who knows this is blizzard. O.ol

    The headers below are not encrypted/decrypted... anymore would be appreciated. Or maybe just a method on how to tell if a packet should be touched!

    Code:
    SENT HEADERS NOT ENCRYPTED:
    
    40 00 0a ed ea 07
    
    42 48 21 02 XX XX
    
    45 01 XX XX XX XX
    
    00 30 57 4f 52 4c
    
    01 6c 19 10 00 00
    
    RECV HEADERS NOT DECRYPTED:
    
    42 10
    
    40 10
    
    00 30  
    
    57 4f 
    
    00 27
      
    81 11
    
    00 27
    
    81 11
    
    00 28
    I also came across a sent packet that is only 5 bytes long, but is still random each log I do... But I was under the impression that only 6> byte headers(sent) are encrypted, and 6< bytes were not encrypted. For receive I only notice that 2 bytes are either always encrypted, or not.

    These ads disappear when you log in.

  2. #2
    hcnuld's Avatar Private
    Reputation
    2
    Join Date
    Apr 2011
    Posts
    4
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Port 1119 is used for Battle.net connection. All packets for login challenge sequence are *not* encrypted. This is same for realm connection(port 3724).
    1. Battle.net connection after packet 0x45, 0x01 (This packet may means realm list subscribe) are all encrypted.
    2. Client connects to realm server and create new encryption key pair(using battle.net key and some seeds) for every new connection.
    3. For realm connection, only packet's header is encrypted, not data.
    4. On every new realm connection, server sent 0x00, 0x30, 0x57, ...(0x30 size and WORLD OF WARCRAFT CONNECTION - SERVER TO CLIENT). Client sends 0x00, 0x30, 0x57, ... (0x30 size and WORLD OF WARCRAFT CONNECTION - CLIENT TO SERVER) for reply.

  3. #3
    adapa's Avatar Sergeant
    Reputation
    1
    Join Date
    Jul 2011
    Posts
    41
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Oh, I see. So are you saying for every new connection, I have to read the session key from memory again and use the same HMAC's to make 2 more HMACSHA1's and make encryption/decryption tables again? Or, can I just use the old HMACSHA1's and make the new tables for each new connection?


    Originally Posted by hcnuld View Post
    Port 1119 is used for Battle.net connection. All packets for login challenge sequence are *not* encrypted. This is same for realm connection(port 3724).
    1. Battle.net connection after packet 0x45, 0x01 (This packet may means realm list subscribe) are all encrypted.
    2. Client connects to realm server and create new encryption key pair(using battle.net key and some seeds) for every new connection.
    3. For realm connection, only packet's header is encrypted, not data.
    4. On every new realm connection, server sent 0x00, 0x30, 0x57, ...(0x30 size and WORLD OF WARCRAFT CONNECTION - SERVER TO CLIENT). Client sends 0x00, 0x30, 0x57, ... (0x30 size and WORLD OF WARCRAFT CONNECTION - CLIENT TO SERVER) for reply.

  4. #4
    adapa's Avatar Sergeant
    Reputation
    1
    Join Date
    Jul 2011
    Posts
    41
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I have a question about the theory on wow protocol. When you make a connection on a new server after making your encryption charts and what not. Do you just use those for each new connection OR do you copy over your current charts you have already used OR do you read from memory again to get a new session key. I don't think the later is the way you do it... but I have no idea on how WOW is set up.

    A simple yes, no, maybe so question is all I am asking for. Not looking for code.

  5. #5
    hcnuld's Avatar Private
    Reputation
    2
    Join Date
    Apr 2011
    Posts
    4
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by adapa View Post
    I have a question about the theory on wow protocol. When you make a connection on a new server after making your encryption charts and what not. Do you just use those for each new connection OR do you copy over your current charts you have already used OR do you read from memory again to get a new session key. I don't think the later is the way you do it... but I have no idea on how WOW is set up.

    A simple yes, no, maybe so question is all I am asking for. Not looking for code.
    Yes, you should read new session key from memory to calculate encryption/decryption key. But after cataclysm, wow uses 2 simultaneous connections using different HMACSHA1 seed value. This seed value is transferred from server. So to get second connection's key, you have to sniff new connection's authentication packet to get seed value.

  6. #6
    adapa's Avatar Sergeant
    Reputation
    1
    Join Date
    Jul 2011
    Posts
    41
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by hcnuld View Post
    Yes, you should read new session key from memory to calculate encryption/decryption key. But after cataclysm, wow uses 2 simultaneous connections using different HMACSHA1 seed value. This seed value is transferred from server. So to get second connection's key, you have to sniff new connection's authentication packet to get seed value.
    Okay, I am confused. Let me list what I am able todo so far:

    Grab Session Key After Login Challange - Check
    Use The Two Hard Codded HMAC Seeds To Calc Two HMACSHA1S - Check
    Use One HMACSHA1 For ARC4 Incoming Chart, The Other HMACSHA1 For Ourgoing - Check
    Coded Encryption/Decryption For Packets - Check

    So, you are saying, I still need to grab the NEW SESSION KEY(from memory) and the NEW HMAC SEEDS from certain packets for each new connection made to a realm?... and preform the following:

    For Each New Connection To A Realm(port 3724):

    1) Read Another Session Key From Memory (is it in the same place as the original?)
    2) Read Two HMAC Seeds from packets (Will this packet be encrypted, and too what extent?)
    3) Use The New Keys to produce two HMACSHA1's
    4) Use one HMACSHA1 for Incoming ARC4 Chart, the other for Outgoing.
    5) Repeat for each new Connection.
    Last edited by adapa; 09-27-2011 at 03:08 AM.

  7. #7
    hcnuld's Avatar Private
    Reputation
    2
    Join Date
    Apr 2011
    Posts
    4
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    For second connection to realm, wow uses old session key and hmac seed from packet. New hmac seeds can be read from new connection's auth packet, not encrypted.

  8. #8
    adapa's Avatar Sergeant
    Reputation
    1
    Join Date
    Jul 2011
    Posts
    41
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by hcnuld View Post
    For second connection to realm, wow uses old session key and hmac seed from packet. New hmac seeds can be read from new connection's auth packet, not encrypted.
    Ahh thanks so much for clearing that up. Which packet is the Auth Packet that I should be reading the new HMAC seed for the new connection?

  9. #9
    hcnuld's Avatar Private
    Reputation
    2
    Join Date
    Apr 2011
    Posts
    4
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by adapa View Post
    Ahh thanks so much for clearing that up. Which packet is the Auth Packet that I should be reading the new HMAC seed for the new connection?
    SMSG_AUTH_CHALLENGE. Opcode and structure varies from version.

  10. #10
    adapa's Avatar Sergeant
    Reputation
    1
    Join Date
    Jul 2011
    Posts
    41
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally Posted by hcnuld View Post
    SMSG_AUTH_CHALLENGE. Opcode and structure varies from version.
    I see, can I get an example of what the packet looks like? :-)

    It would help a lot.

  11. #11
    adapa's Avatar Sergeant
    Reputation
    1
    Join Date
    Jul 2011
    Posts
    41
    Thanks G/R
    0/0
    Trade Feedback
    0 (0%)
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Interestingly... I have not seen any packets that are either received nor sent that resembles this packet:


    Code:
    075CEF4C  00 00 00 B3 06 0A 37 D5 0C A6 42 F5 C5 21 C2 C9  ...³.7Õ.¦BõÅ!ÂÉ
    075CEF5C  A4 F7 6B 8F DB F9 93 C1 35 40 73 BF A9 6B C2 59  ¤÷kÛù“Á[email protected]¿©kÂY
    075CEF6C  49 D0 4B 01 07 20 B7 9B 3E 2A 87 82 3C AB 8F 5E  I**K ·›>*‡‚<«^
    075CEF7C  BF BF 8E B1 01 08 53 50 06 29 8B 5B AD BD 5B 53  ¿¿Ž±SP)‹[*½[S
    075CEF8C  E1 89 5E 64 4B 89 73 1A BA 56 A1 8D 78 09 15 E9  á‰^dK‰sºV¡x.é
    075CEF9C  7E 6F 07 62 04 CB E4 A7 D9 79 3E 14 43 E5 E1 5A  ~obËä§Ùy>CåáZ
    075CEFAC  6C 80 DD 95 A4 D5 F9 2C A0 BC A6 E2 82 95 E5 94  l€Ý•¤Õù,*¼¦â‚•å”
    075CEFBC  D5 8C 4D 25 36 CD 00                             ÕŒM%6Í.
    
    
    00 							opcode		_1byte
    00 							cmd		_1byte
    00 							error-code	_1byte
    B3 06 0A 37 D5 0C A6 42 F5 C5 21 C2 C9 A4 F7 6B   	B 		_32bytes
    8F DB F9 93 C1 35 40 73 BF A9 6B C2 59 49 D0 4B
    01							len of g	_1byte
    07							g		_1byte
    20							len of N	_1byte
    B7 9B 3E 2A 87 82 3C AB 8F 5E BF BF 8E B1 01 08		N		_32bytes
    53 50 06 29 8B 5B AD BD 5B 53 E1 89 5E 64 4B 89
    73 1A BA 56 A1 8D 78 09 15 E9 7E 6F 07 62 04 CB  	Salt		_32bytes
    E4 A7 D9 79 3E 14 43 E5 E1 5A 6C 80 DD 95 A4 D5
    F9 2C A0 BC A6 E2 82 95 E5 94 D5 8C 4D 25 36 CD		unknown3 (CRC?)	_16bytes
    00 on socket left						_________________________
    									_118 bytes
    //

    Code:
    2011-07-30 21:51:26 SERVER:
    SOCKET: 28
    LENGTH: 37
    OPCODE: SMSG_AUTH_CHALLENGE (0x8C10)
    DATA:
    47 5A E3 2A 05 16 57 F8 87 94 50 88 C1 8F C4 81 
    01 A4 DB CF 33 EB D2 5B A0 F4 DA 3A 65 D2 FB 8B 
    E8 8C 95 EC A9 
    
    2011-07-30 21:51:26 CLIENT:
    SOCKET: 28
    LENGTH: 4
    OPCODE: CMSG_LOG_DISCONNECT (0x0920)
    DATA:
    03 00 00 00
    And this is the packet that I must receive when making any new connections besides the first connection to the server....

    So the new question is... When I do connect to a new server I get:

    Code:
     ...
    WOW [2] Recv:
    3d d6 f4 4d 15 ae 12 0e 66 54 8b 3b e3 54 21 56 5d 05 ad cf 12 54 	=..M....fT.;.T!V]....T
    af 99 1f 9d 66 91 82 ad f0 36 4d b6 a8 5d cf 3c 1a 83 7c a8 bf aa 	....f....6M..].<..|...
    f0 9e 13 eb 0a 25 23 16 72 27 a6 23 d6 b8 e1 5e 98 94 51 fe c1 43 	.....%#.r'.#...^..Q..C
    dc c1 ba 45 ae 0d 70 55 6c c9 ad 13 41 f4 a3 19 5f 81 d3 b1 19 58 	...E..pUl...A..._....X
    e3 37 ca 40 1e f5 78 41 5a 66 bc 27 c7 f3 78 e5 ba 65 1f fb 61 be 	[email protected]'..x..e..a.
    de e7 6c f8 8f 9b 4c d2 94 e4 cd e3 9e ff 1c 9b 9b 59 93 e7 ae 47 	..l...L..........Y...G
    bd 63 43 bd 64 49 99 53 c5 cf 73 b4 64 7a e3 db 75 2f dd 12 e1 aa 	.cC.dI.S..s.dz..u/....
    8f 0f 10 0e 53 ee 07 d9 0a e9 58 66 d7 fc b1 10 44 26 00 8b 13 d3 	....S.....Xf....D&....
    4c 01 b3 fb 3b f8 f1 9c f8 6f f1 74 b4 03 b4 f9 fc a6 92 25 53 0a 	L...;....o.t.......%S.
    64 7b 4d 4e 5c 4c dc 6d ce f9 e5 ab 32 33 42 a4 a8 0f a2 d6 90 b3 	d{MN\L.m....23B.......
    ef 77 35 9d c9 73 ce 39 da 13 c4 87 58 e7 2e 8c cc 9e 43 e3 14 39 	.w5..s.9....X.....C..9
    ff 0b 1d fd 72 10 4a f1 13 ac 42 4d 4a cd ea 00 0e 00 00 00 00 9d 	....r.J...BMJ.........
    e6 ae 89 44 37 80 19                                              	...D7..               
    
    *******************************************************************
    *Connection [3] made on port: 3724. Socket = [10456] 
    *******************************************************************
    
    WOW [2] Sent:
    4c e6 76 04 2b b5                                                 	L.v.+.                
    
    WOW [2] Sent:
    64 e5 ac a7 0d e7                                                 	d.....                
    
    WOW [2] Sent:
    14 10 2d 5b d0 ef ff ff ff ff                                     	..-[......            
    
    WOW RECEIVE CHECKING HEADER FOR PACKET: 0x00, 0x30
    
    WOW [3] Recv:
    00 30                                                             	.0                    
    
    WOW RECEIVE CHECKING HEADER FOR PACKET: 0x57, 0x4f
    
    WOW [3] Recv:
    57 4f 52 4c 44 20 4f 46 20 57 41 52 43 52 41 46 54 20 43 4f 4e 4e 	WORLD OF WARCRAFT CONN
    45 43 54 49 4f 4e 20 2d 20 53 45 52 56 45 52 20 54 4f 20 43 4c 49 	ECTION - SERVER TO CLI
    45 4e 54 00                                                       	ENT.                  
    
    WOW SEND CHECKING HEADER FOR PACKET: 00 30 57 4f 52 4c
    
    WOW [3] Sent:
    00 30 57 4f 52 4c 44 20 4f 46 20 57 41 52 43 52 41 46 54 20 43 4f 	.0WORLD OF WARCRAFT CO
    4e 4e 45 43 54 49 4f 4e 20 2d 20 43 4c 49 45 4e 54 20 54 4f 20 53 	NNECTION - CLIENT TO S
    45 52 56 45 52 00                                                 	ERVER.                
    
    WOW [2] Recv:
    3b 26                                                             	;&                    
    
    WOW [2] Recv:
    c2 a4 80 25 83 4e 01 15 00 00 00 04 2e 79 4e 00 00 00 00 00 00 00 	...%.N.......yN.......
    00                                                                	.                     
    
    WOW RECEIVE CHECKING HEADER FOR PACKET: 0x00, 0x27
    
    WOW [3] Recv:
    00 27                                                             	.'                    
    
    WOW RECEIVE CHECKING HEADER FOR PACKET: 0x81, 0x11
    
    WOW [3] Recv:
    81 11 1c 59 d9 d5 aa 60 b9 3d cf 7d d9 51 22 2f 3a 7c 2b c5 59 bd 	...Y...`.=.}.Q"/:|+.Y.
    90 a6 d3 a5 58 ef a0 12 3f 5f 2b d3 01 cb c7 42 7a                	....X...?_+....Bz     
    
    WOW [3] Sent:
    f2 7a ff bc a0 e3 d5 3d 48 09 52 bc a4 50 a4 4b f3 3f 56 02 00 00 	.z.....=H.R..P.K.?V...
    00 00 00 00 00 55 6b 9d e6 ae 89 44 37 80 19 ac db 41 24 1d       	.....Uk....D7....A$.  
    
    WOW [2] Recv:
    a8 8d                                                             	..                    
    
    WOW [2] Recv:
    c3 2b 80 01 00 00 00 00 00 00 00 00 da 00 50 XX XX XX XX XX XX XX    .+............XXXXXXXXX
    00 03 00 00 00 00 be 7e a1 9b c5 9f e9 5c 44 c9 1d 8a 43 34 01 00 	.......~.....\D...C4..
    00 00 01 00 00 00 05 00 01 02 09 17 00 00 00 00 00 a0 10 99 61 11 	....................a.
    00 00 01 00 07 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 	......................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 	......................
    00 00 00 00 14 65 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 	.....e1...............
    07 99 08 00 00 00 00 00 00 08 bd 0c 00 00 00 00 00 00 00 00 00 00 	......................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 	......................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 	......................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 11 d8 01 00 00 00 00 	......................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 	......................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 	......................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 80 00 10    	.....................
    
    ... etc ... etc ...
    Channel 3 is a new connection. Obviously channel 1 would be port 1119 with the login of WOW. channel 2 would be the first connection made to port 3724, and as you can see channel 3 is on port 3724. So, where in this log would I "steal" the new HMAC seeds to make the new ARC4 encryption/decryption charts?

    *sits down facing the corner and sucks thumb*

    EDIT:

    I am guessing that the packet I have to steal the HMAC SEEDS from is this packet(from the log above):

    Code:
    WOW RECEIVE CHECKING HEADER FOR PACKET: 0x81, 0x11
    
    WOW [3] Recv:
    81 11 1c 59 d9 d5 aa 60 b9 3d cf 7d d9 51 22 2f 3a 7c 2b c5 59 bd 	...Y...`.=.}.Q"/:|+.Y.
    90 a6 d3 a5 58 ef a0 12 3f 5f 2b d3 01 cb c7 42 7a                	....X...?_+....Bz
    I know the header is 0x81 0x11, and these never change, but the data does, which makes me think this is the packet I need.

    The thing is, I have no idea what todo with this data, and it doesn't look like it holds two more HMAC SEEDS for the encryption table. Unless I have to split it apart and do it like that.... Very confused. Anywho, any information would be highly appreciated. It doesnt seem like most people know truly how the protocol works, and I really wanna figure this out. :-)
    Last edited by adapa; 09-28-2011 at 11:33 AM.

Similar Threads

  1. Replies: 1
    Last Post: 09-22-2011, 12:18 AM
  2. [Question] What Bosses are solo'able with a Hack like No-Addiction ?
    By luckysurfcs in forum WoW Bots Questions & Requests
    Replies: 1
    Last Post: 05-15-2011, 06:18 PM
  3. [question] What are descriptors?
    By yeahlol in forum WoW Bots Questions & Requests
    Replies: 0
    Last Post: 11-25-2010, 02:30 AM
  4. [Question] What models are used by spirit beasts?
    By Ripper26 in forum WoW ME Questions and Requests
    Replies: 2
    Last Post: 04-07-2010, 04:39 PM
  5. What folders in .MPQ's are protected and what are not?
    By rkriekle in forum WoW ME Questions and Requests
    Replies: 2
    Last Post: 01-08-2008, 03:43 PM
All times are GMT -5. The time now is 10:32 AM. Powered by vBulletin® Version 4.2.3
Copyright © 2020 vBulletin Solutions, Inc. All rights reserved. User Alert System provided by Advanced User Tagging (Pro) - vBulletin Mods & Addons Copyright © 2020 DragonByte Technologies Ltd.
Digital Point modules: Sphinx-based search