[QUESTION] client files protection. signature structure.

[VX2]

at first (again), sorry for my english, it's some hard for me (writing. reading not so).

can't find any thread, explaining client files protection methods (outside this forum too). I try to understand it's structure, and I hope there are people who know more, will help to understanding in this (not only for me).
I'll write something that I find/identify, if I'm wrong, or you know more, please append this.

for simplicity, I will analyze a base client files (ie, without patch-files patch.MPQ, patch-2.MPQ, etc.), because this files absolutely identical and present in all versions WotLK, + no need to combine files from another patch-files.

signaturefile
main file signatures "\\Data\common-2.MPQ\signaturefile" (in root of every base patch-file).
first text part contain name, location and "quadruple-reversed" md5 of a file. for example first string

Code:

base;c;00004C6B3F100833E62D33A44F4C7017;World\wmo\Dungeon\LD_ScarletMonestary\Monestary_Cathedral_001.wmo

where
base - dir. "Data" or localization folder
c - not sure may be classic/expansion, but I think does not principle matter
00004C6B3F100833E62D33A44F4C7017 - most interesting "quadruple-reversed" md5. it's md5 of a file, but separated on quadruples and each reversed. for simple example
0123 4567 89ab cdef - normal md5 (separated on quadruples)
3210 7654 ba98 fedc - "quadruple-reversed" md5
World\wmo\Dungeon\LD_ScarletMonestary\Monestary_Cathedral_001.wmo - path & name of a file
second binary part. header "NGIS", then 256 bytes digital signature. this part I can't understand. some theory later.

SIG files
some dirs, have personal signature files with "SIG" extension.
this file contain two parts too, but both binary.
first part (first 16 bytes before "NGIS" header) is normal md5 of same files (write some strings later).
second part (256 bytes after "NGIS" header) looks like second binary part of "signaturefile".

first part
I don't know program, what can count md5 of several files as one. so one way to calculate md5 files in folder what I see - make one file from several, then calculate md5 of result file. but that's main problem - what's sequence files when combine it's in one?
for check this theory, I take dir \\Data\enGB\locale-enGB.MPQ\\Interface\AddOns\Blizzard_VehicleUI\ because it's contain minimum files (3). then combine it's with different sequence and compare md5 of result files with first 16 bytes of BLIZZARD_VEHICLEUI.TOC.SIG file. I have completely identical numbers with
copy Blizzard_VehicleUI.toc+Blizzard_VehicleUI.xml+Blizzard_VehicleUI.lua /b 231.res
from this, imho first 16 bytes of a "SIG" files is normal md5 of sequentially spliced files.

second part
I see only one theory of this structure. it's may be similary MPQ "Strong Digital Signature", but i can't prove it, or can't understand sign making.
that's description of "Strong Digital Signature" part specification of the MPQ format The MoPaQ Archive Format - /dev/klog Wiki
from wich, i think 256 bytes of signature (after "NGIS" header), must be separated on two part. 235 bytes of some "padding", and last 20 bytes is standart sha-1 hash.
I think, reasonably, calculating process must be with byte-chain, what used for calculate md5 before header "NGIS", but I can't see any similarity. I can't see anything may be yet...

sequence of splicing files is important, but byte-chain giving correct md5 from first part of the SIG file is enough for analyzing second part. in this time, understanding structure of second part more important, because without second part all of it's does not matter.
can anybody help me in this puzzle with second part of signature?

p.s. one more may be useful article Warden Modules - Skull Security

[VX2]

I choose another way. may be it's not correct and less desirable, but in this time works and it's enough for me. yet.
I worked with wow 1.12, because 4.7mb exe file looks more likely for disassembling (especially for newbie in this) against 17mb in 3.2.2 version. now it's works:

now I try to do same with 3.2.2. I post about results latter.
not sure to do some patch for latest version, because version of private server on which I play is 3.2.2. but... step by step... may be later, if anyone find some interesting in this.

[Kirth]

That's nice, I assume you won't be sharing your work?

[VX2]

yesterday I had little time to do it with 3.2.2, and made a little mistake then tried to disable checks. and result was always "Your login interface files are corrupt. Please reinstall the game." (with correct files too). my carelessness in last jump.
today seems all is works (tested with FrameXML & GlueXML):

patcher for 3.2.2.10505 wow_unsig.zip
or cracktable

Code:

WOW.EXE
0007C65D:	77 EB
0007C65E:	34 4B
0007C6E8:	75 90
0007C6E9:	12 90
0007C6F6:	73 90
0007C6F7:	EC 90
0007C6FA:	74 EB
0007C75F:	0F 90
0007C760:	85 90
0007C761:	2E 90
0007C762:	FF 90
0007C763:	FF 90
0007C764:	FF 90

may be it's not all checks. need tests.

p.s. 2 Kirth: sorry, I'm misunderstood you at first time. why not?

[VX2]

not completely worked. this disable only GlueXML checks.
all it was necessary for me, only that it was possible to change login screen. and I changed files only in a GlueXML folder when I worked.
other day, I tried to change FrameXML files, and when I tried enter into the world, after loading, the client was closed with the message, "Your game interface files are corrupt. Please remove your Interface\FrameXML folder.".
a reason has appeared in sequence and place of checks.
GlueXML is checked on launching. blizzard addons is checked on realm login or changing realm, and Frame XML checked on login into the world.
as I looked only login screen when check this patch, and tested a patch I just start capability on the client without logging (thinking that all checks going on start).
now all seems is works... again x)

I removed old patcher from sendspace, and uploaded new.
WARNING! before apply new patch, launch old, and hit "restore" button, or just restore original wow.exe file manually.

patcher for 3.2.2.10505 http://www.mmowned.com/forums/bots-p...n-remover.html
cracktable

Code:

003CBEF5:	75 EB
003CBF0F:	01 03
003CBF65:	01 03
003CC016:	7F EB
003CC01D:	1B 90
003CC01E:	C0 B8
003CC01F:	5F 03
003CC020:	83 00
003CC021:	C0 00
003CC022:	03 00
003CC02F:	83 EB
003CC030:	C0 ED

I hope now that's all

p.s. further about patches here http://www.mmowned.com/forums/bots-p...n-remover.html

[danielrhodea]

can you please help me to remove the frame, signature and modeledit checks in 1.12, 2.4 & 3.3 (I'm assuming the code is standard)

[danielrhodea]

lol removed now for all of the above =) yay @ me

[Ayos]

lol removed now for all of the above =) yay @ me

Can you tell me how did you do it? I would like to remove frameXML protection from a 1.12.1 wow.exe (or perhaps all of the prots). Could not find the 1.12 removal tool anywhere on the internet.