First of all (again), sorry for my English; writing it is somewhat hard for me (reading less so).
I can't find any thread explaining client file protection methods (outside this forum either). I'm trying to understand their structure, and I hope people who know more will help in understanding this (not only for me).
I'll write what I find/identify; if I'm wrong, or you know more, please add to this.
For simplicity, I will analyze the base client files (i.e., without the patch files patch.MPQ, patch-2.MPQ, etc.), because these files are absolutely identical and present in all versions of WotLK, plus there is no need to combine files from other patch files.
signaturefile
The main signature file is "\\Data\common-2.MPQ\signaturefile" (in the root of every base patch file).
The first, text part contains the name, location and "quadruple-reversed" md5 of a file. For example, the first string:
base;c;00004C6B3F100833E62D33A44F4C7017;World\wmo\Dungeon\LD_ScarletMonestary\Monestary_Cathedral_001.wmo
where
base - the "Data" dir or a localization folder
c - not sure, maybe classic/expansion, but I think it doesn't matter in principle
00004C6B3F100833E62D33A44F4C7017 - the most interesting part, the "quadruple-reversed" md5. It's the md5 of a file, but split into quadruples, each of them reversed. A simple example:
0123 4567 89ab cdef - normal md5 (separated on quadruples)
3210 7654 ba98 fedc - "quadruple-reversed" md5
World\wmo\Dungeon\LD_ScarletMonestary\Monestary_Cathedral_001.wmo - path & name of a file
The second, binary part: the header "NGIS", then a 256-byte digital signature. This part I can't understand. Some theory later.
SIG files
Some dirs have their own signature files with the "SIG" extension.
This file contains two parts too, but both are binary.
The first part (the first 16 bytes before the "NGIS" header) is the normal md5 of the same files (I'll write some lines about it later).
The second part (256 bytes after the "NGIS" header) looks like the second, binary part of "signaturefile".
first part
I don't know of a program that can compute the md5 of several files as one. So the one way I see to calculate the md5 of the files in a folder is to make one file from several, then calculate the md5 of the resulting file. But that's the main problem: what is the sequence of the files when combining them into one?
To check this theory, I took the dir \\Data\enGB\locale-enGB.MPQ\\Interface\AddOns\Blizzard_VehicleUI\ because it contains the minimum number of files (3), then combined them in different sequences and compared the md5 of the resulting files with the first 16 bytes of the BLIZZARD_VEHICLEUI.TOC.SIG file. I got completely identical numbers with
copy Blizzard_VehicleUI.toc+Blizzard_VehicleUI.xml+Blizzard_VehicleUI.lua /b 231.res
From this, imho the first 16 bytes of a "SIG" file are the normal md5 of the sequentially spliced files.
second part
I see only one theory for this structure. It may be similar to the MPQ "Strong Digital Signature", but I can't prove it, or can't understand how the signature is made.
Here is the description of the "Strong Digital Signature" part of the MPQ format specification: The MoPaQ Archive Format - /dev/klog Wiki
From which I think the 256 bytes of signature (after the "NGIS" header) must be split into two parts: 235 bytes of some "padding", and the last 20 bytes are a standard sha-1 hash.
I think, reasonably, the calculation must use the byte chain that was used to calculate the md5 before the "NGIS" header, but I can't see any similarity. Maybe I just can't see anything yet...
The sequence of splicing the files is important, but a byte chain giving the correct md5 from the first part of the SIG file is enough for analyzing the second part. At this time, understanding the structure of the second part is more important, because without the second part none of this matters.
Can anybody help me with this puzzle of the second part of the signature?
P.S. One more article that may be useful: Warden Modules - Skull Security
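The layout described in the post, as an added example that is not the poster's code: it undoes the "quadruple-reversed" md5 of a signaturefile line, splits a SIG blob at the "NGIS" marker, and compares the leading 16 bytes with the md5 of files spliced in a given order. The function names are hypothetical, the SIG blob and file contents are constructed sample data, and the 256 signature bytes are treated as opaque.

```python
import hashlib

# First signaturefile string quoted in the post.
SAMPLE_LINE = (r"base;c;00004C6B3F100833E62D33A44F4C7017;"
               r"World\wmo\Dungeon\LD_ScarletMonestary\Monestary_Cathedral_001.wmo")

def unreverse_quads(hex_digest):
    """Reverse every 4-character group; applying it twice restores the input."""
    if len(hex_digest) % 4:
        raise ValueError("digest length must be a multiple of 4")
    return "".join(hex_digest[i:i + 4][::-1]
                   for i in range(0, len(hex_digest), 4))

def parse_signaturefile_line(line):
    """Split 'location;flag;digest;path' and restore the normal md5."""
    location, flag, digest, path = line.strip().split(";", 3)
    return {"location": location, "flag": flag,
            "md5": unreverse_quads(digest).lower(), "path": path}

def parse_sig(blob):
    """Split a SIG blob into (16-byte md5, 256 signature bytes)."""
    if len(blob) < 16 + 4 + 256 or blob[16:20] != b"NGIS":
        raise ValueError("not the md5 + NGIS + 256-byte layout")
    return blob[:16], blob[20:276]

def md5_of_spliced(parts):
    """md5 over the parts concatenated in the order given (like copy /b a+b+c)."""
    h = hashlib.md5()
    for part in parts:
        h.update(part)
    return h.digest()

def sig_matches(blob, parts):
    """True when the SIG's leading md5 equals the md5 of the spliced parts."""
    return parse_sig(blob)[0] == md5_of_spliced(parts)

# Constructed stand-ins for the .toc, .xml and .lua contents, in that order.
DEMO_PARTS = [b"## Title: demo\n", b"<Ui/>\n", b"-- demo lua\n"]
# Constructed SIG blob; the zero bytes are a placeholder, not a real signature.
DEMO_SIG = md5_of_spliced(DEMO_PARTS) + b"NGIS" + bytes(256)

if __name__ == "__main__":
    print(parse_signaturefile_line(SAMPLE_LINE))
    print("toc+xml+lua:", sig_matches(DEMO_SIG, DEMO_PARTS))
    print("lua+xml+toc:", sig_matches(DEMO_SIG, DEMO_PARTS[::-1]))
```
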