-
Member
Successful WPE operation & search for profit
I have revived the old methods of packet editing with WPE Pro.
Since the tool and methods are very old, I am aware that most of the currently active private servers are protected against altered packets.
Somehow I found a way to bypass some of the checks. I am messing around on Kronos Vanilla (1.12) in late 2019.
My first attempts to bug bags with items stacks:
I basically took out items from stacks in a bag, which I managed to freeze with WPE.
Mail dupe bug - WoW's golden secret
I traded those stacks to another char and attempted to log out. After logging back in, those frozen stacks should reappear => dupe.
This method got several of my accounts auto-banned, as the server calculated the items in the background.
I checked on them on the twinstar.cz webpage and found "banned for: item dupe".
I was aware that the old method won't work today. But it helped me to get a basic understanding of the communication between my WoW client and the server.
I decided to try something out myself, and found a packet filter I can apply. I am able to make items disappear without any confirmation.
This sounds terrible at first, but it means that there are checks the server doesn't make.
Can we exploit it for profit instead of loss?
Preparations:
open WoW.exe, log in
open WPE Pro (admin) & Permedit (grant privileges to WPE)
(I downloaded following: DepositFiles)
attach WPE to WoW.exe
-
open Extreme Injector v3
Extreme Injector v3.7 (2018 Updated)
target WoW.exe
load Whiff.dll, don't inject yet
GitHub - Zedron/Whiff: Whiff is an injection sniffer for WoW (World of Warcraft) written in C++
-
open the character's inventory, bag 1
place a stack of items into the second slot
//preparations end
Action Log:
Now let's see what is happening there:
inject Whiff.dll
start logging in WPE
ingame: Shift+Click the item stack mentioned above
enter any number of items (I take 3) and put them into the slot right below the origin
stop logging
Ctrl+Q in your Whiff window to stop sniffing
Reading the log:
I used WoWParser to make the wowsniff.pkg readable.
GitHub - TrinityCore/WowPacketParser: World of Warcraft Packet Parser
I opened the parsed wowsniff and searched for "ClientToServer" packets, and quickly found my item split.
https://pastebin.com/PxuHwTPf
//
ClientToServer: CMSG_SPLIT_ITEM (0x010E) Length: 5 ConnIdx: 0 Time: 10/05/2019 17:03:39.188 Number: 40
Bag: -1
Slot: 24
Destination Bag: 255
Destination Slot: 28
Count: 3
//
Then I looked at my WPE packets and found this packet quickly as well:
split_water.jpg
WPE log:
90 68 AE A8 B1 DE FF 18 FF 1C 03
What we can point out:
FF: start bag
18: start slot
FF: destination bag
1C: destination slot
03: count
Another WPE log of the same action breaks the pattern of the first number chain:
85 A9 63 94 4A 1C --- FF 18 FF 1C 03
After this find I messed around with the numbers I was able to determine.
We CAN:
alter the item count. The specified number will then be traded until the stack doesn't contain enough.
alter the item origin slot. We will then split another item, if there is one which is splittable. Otherwise the game returns "There is no such item".
alter the destination slot. If the slot doesn't exist, the item will just disappear without confirmation by the user.
Now this is something I find strange. It shows that Warden doesn't seem to care about item losses. Can we use this "void" somehow?
I have also tried to get a detailed deobfuscated packet from my WoW.exe using x64dbg and OverwatchDumpFix.
https://x64dbg.com/#start
But tbh, I could not figure out how to execute the OverwatchDumpFix in x64dbg.
https://github.com/changeofpace/Overwatch-Dump-Fix
I cannot get past this step:
1. Attach x64dbg to Overwatch.exe then execute the OverwatchDumpFix command.
Attaching - yes. But how do I load the file and the command inside x64dbg?
My hope is to be able to read the entire WPE packet after getting a deobfuscated WoW pkg.
-
-
Member
Hmmm.
I will now try to use my "void" mentioned above to extract the item back.
First, repeat the "void":
90 68 AE A8 B1 DE --- FF 18 FF 1C 03
FF: start bag
18: start slot
FF: destination bag
1C: destination slot --> alter this to 27, which my character doesn't have
03: count
Apply filter, proceed to action ingame.
Have only 1 bag.
Split 3 items in the second slot of the first bag into the slot below.
The items will disappear.
Now apply another WPE filter:
First, repeat the "void":
90 68 AE A8 B1 DE --- FF 18 FF 1C 03
FF: start bag
18: start slot --> alter this to 27, which my character STILL doesn't have
FF: destination bag
1C: destination slot
01: count --> pay attention to the count you have on your item in the first bag. I started with 5 refr. spring water and can only extract 1 now x)
RESULT:
I got my item back from the "void".
This literally means that I can use storage space I DO NOT HAVE
At least till I get those bags? I guess slot 27 is a possible bag slot.
Conclusion:
The server doesn't check if player_has_item_slot
Continuing to explore this behavior. Gotta sniff the pkg.
-
Member
Sorry, I only now fully understand the exploit I found.
I would like to rename the thread into "WPE: use inventory space your character doesn't have".
The items stay after a re-log as well, so they are safely stored somewhere.
My first goal was to find a gold dupe, yahaha.
But what I found is the usage of inventory slots while not having the necessary bags. Which is also kind of neat... Might work on the bank as well.
Last edited by retrolandor; 10-05-2019 at 10:18 PM.
-
Member
Update 1:
I don't seem to be able to get my item out entirely.
Altering "CMSG_SPLIT_ITEM" seems to work differently from "CMSG_SWAP_ITEM".
Altering the SWAP origin slot will turn your activator item grey, but won't get your voided item out.
Update 2:
Muhahaha. I got my item back out of my void by altering the packet in a trade:
itemz-back.jpg
I modified the package with "Origin Slot" in a trade to my old **Destination Slot** where I saved my items.
Update 3:
I now entirely figured out what is going on. The hidden slot is our personal bank slot.
My packet modification allows us to use the bank while we are on our adventures.
I am also using a new tool for faster packet editing. Falling in love with it.
GitHub - tripleslash/wowscout: Real time packet analysis and modification tool for World of Warcraft 1.12.1, 2.4.3, 3.3.5 and 4.3.4.
Last edited by retrolandor; 10-06-2019 at 01:56 AM.
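Added example, not code from the thread, from Kronos, or from any of the linked tools: a decoder for the CMSG_SPLIT_ITEM payload behind the WPE hex lines above (the six leading bytes are the 1.12 client header, a 2-byte size plus 4-byte opcode, encrypted after login, which is why they differ between captures while the five payload bytes `FF 18 FF 1C 03` stay constant), a table of the classic 1.12 player slot layout as used by MaNGOS-derived cores, and the destination-slot check the first post observes the server is not making. Reading the thread's "27" as hex, 0x27 = 39 is the first bank item slot in that layout, which is exactly what Update 3 concludes. The policy encoded in `validate_split` (bank regions only reachable while a banker is in range, a container must exist and be large enough) is this example's own assumption about what a hardened server should enforce, not a description of what Kronos does.

```python
from dataclasses import dataclass

CMSG_SPLIT_ITEM = 0x010E        # opcode as printed by WowPacketParser in the thread
INVENTORY_SLOT_BAG_0 = 0xFF     # "bag 255" (the parser shows it as -1): the character's own slot table
CLIENT_HEADER_LEN = 6           # 1.12 client header: uint16 size + uint32 opcode, encrypted after auth

# Classic (1.12) player slot layout used by MaNGOS-derived cores: (region, start, end-exclusive)
SLOT_RANGES = (
    ("equipment",      0, 19),
    ("bag_slot",      19, 23),   # the four equipped bag containers
    ("backpack",      23, 39),   # 16 backpack slots; 0x18 = 24 and 0x1C = 28 from the capture live here
    ("bank",          39, 63),   # 24 bank item slots; 0x27 = 39 is the first one
    ("bank_bag_slot", 63, 69),   # the six bank bag containers
    ("buyback",       69, 81),
    ("keyring",       81, 97),
)
BANK_REGIONS = {"bank", "bank_bag_slot"}


def classify_slot(slot: int) -> str:
    """Name the region a slot index in bag 255 belongs to, or 'invalid'."""
    for name, start, end in SLOT_RANGES:
        if start <= slot < end:
            return name
    return "invalid"


@dataclass(frozen=True)
class SplitItem:
    src_bag: int
    src_slot: int
    dst_bag: int
    dst_slot: int
    count: int

    def to_bytes(self) -> bytes:
        """Re-encode the payload (what a filter like WPE's would send after editing)."""
        return bytes([self.src_bag, self.src_slot, self.dst_bag, self.dst_slot, self.count])


def parse_split_item(payload: bytes) -> SplitItem:
    """Decode the 5-byte CMSG_SPLIT_ITEM payload: srcBag, srcSlot, dstBag, dstSlot, count."""
    if len(payload) != 5:
        raise ValueError(f"expected 5-byte payload, got {len(payload)}")
    return SplitItem(*payload)


def parse_wpe_line(line: str) -> SplitItem:
    """Decode a WPE hex line as logged in the thread, e.g. '90 68 AE A8 B1 DE FF 18 FF 1C 03'.
    The encrypted 6-byte header is skipped; the '---' separator the thread uses is tolerated."""
    raw = bytes.fromhex(line.replace("---", " "))
    return parse_split_item(raw[CLIENT_HEADER_LEN:])


def validate_position(bag: int, slot: int, equipped_bags: dict, at_banker: bool) -> str:
    """Plausibility check for one (bag, slot) pair, returning 'ok' or a rejection reason.

    equipped_bags maps a bag-slot index (19..22 inventory, 63..68 bank) to that container's size.
    Assumed policy: bank regions are usable only while a banker is in range.
    """
    if bag == INVENTORY_SLOT_BAG_0:
        region = classify_slot(slot)
        if region == "invalid":
            return f"reject: slot {slot} is outside the character's slot table"
        if region == "buyback":
            return "reject: buyback slots are not a valid split target"
        if region in BANK_REGIONS and not at_banker:
            return f"reject: slot {slot} is a {region} slot but no banker is in range"
        return "ok"
    # Item inside an equipped container: the bag byte is the container's own bag-slot index.
    region = classify_slot(bag)
    if region not in ("bag_slot", "bank_bag_slot"):
        return f"reject: bag {bag} is not a container slot"
    if bag not in equipped_bags:
        return f"reject: no container equipped in bag slot {bag}"
    if region == "bank_bag_slot" and not at_banker:
        return "reject: bank bag used while no banker is in range"
    if slot >= equipped_bags[bag]:
        return f"reject: slot {slot} exceeds container size {equipped_bags[bag]}"
    return "ok"


def validate_split(split: SplitItem, equipped_bags: dict, at_banker: bool) -> str:
    """Check both ends of a split before the server moves anything."""
    if split.count == 0:
        return "reject: zero count"
    for label, bag, slot in (("source", split.src_bag, split.src_slot),
                             ("destination", split.dst_bag, split.dst_slot)):
        verdict = validate_position(bag, slot, equipped_bags, at_banker)
        if verdict != "ok":
            return f"{label}: {verdict}"
    return "ok"


# The genuine capture from the thread, the 'void' edit (0x1C -> 0x27) and the retrieval edit.
GENUINE  = "90 68 AE A8 B1 DE FF 18 FF 1C 03"
VOIDED   = "90 68 AE A8 B1 DE --- FF 18 FF 27 03"   # destination 0x27 = 39 = first bank item slot
RETRIEVE = "90 68 AE A8 B1 DE --- FF 27 FF 1C 01"   # one item back from slot 39 to the backpack

if __name__ == "__main__":
    one_bag = {19: 16}   # constructed: a character with a single 16-slot bag in the first bag slot
    for name, line in (("genuine", GENUINE), ("voided", VOIDED), ("retrieve", RETRIEVE)):
        s = parse_wpe_line(line)
        print(f"{name:8} {s}  src={classify_slot(s.src_slot)} dst={classify_slot(s.dst_slot)}")
        print(f"         away from banker: {validate_split(s, one_bag, at_banker=False)}")
        print(f"         at banker:        {validate_split(s, one_bag, at_banker=True)}")
```

Run as-is to see the genuine split accepted everywhere, the voided and retrieval packets rejected away from a banker and accepted at one. The interesting design point is that the check is purely positional and needs nothing from the item table: a server that gates bank regions on banker proximity (and container slots on the container actually being equipped) closes the "inventory space you don't have" behaviour regardless of which item is being split.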