
Protocol


Guest hasokeric


Dear Developers,

This is a hot question that many would like answered, and it is also a question that is asked many times and quite often.

When sniffing packets:

- How do you determine the encryption?

- How do you decrypt (figure out) the key?

For example, while googling, one MMORPG's Blowfish key was [1;$1[jk0; now how one figures that out leaves me clueless. I have searched and looked at Java and C++ source code of other MMORPG emulators, and still I am clueless.

I hope someone can take some time and answer this question with a little bit more detail than found on other forums.

Perhaps someone could list the tools recommended, the steps required.


The most efficient way is to read it from the wow process itself - simple memory reading, as it's done here:

http://hg.sharesource.org/sniffitzt/file/04b874f8d78d/tools/SniffitztClient.cpp

If you don't plan to write the decryption part on your own, you also might want to have a look at the whole project http://sharesource.org/project/sniffitzt/

What is the difference now between the Encryption Key and the 'Session Key'?

Can you define Session Key - as in, what is it and what is it used for?

sessionKey contains only of zeros - unlikely..
reading sessionkey failed - will try again in 1 second
Got pointer: 0X86DDDF8
Got sessionkey: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
checking plausibility
sessionKey contains only of zeros - unlikely..
reading sessionkey failed - will try again in 1 second
Got pointer: 0X86DDDF8
Got sessionkey: 29 82 97 1F 7C 18 DA CF 8C 0C AE 5A 75 FC 54 BE E2 BF 9B C6 52 6
A C4 08 2D 15 18 09 64 EA 4E 4A 73 74 C4 3E B5 A4 CB 88
checking plausibility
trying to send it to sniffitzt


Basically,

We are looking for a guide, tutorial or screencast that shows us 'the beginners' an example of how to "sniff" some packets, sniff the key, and then decrypt manually or automatically.

If someone could make such a tutorial, that would rock. If not: what guide, or where, did you learn how to do what you do (sniffing, decrypting, detecting encryption)? You could also leave some references.


Really, no one?

Anyway, here is some more research.

As for packet analysis, I found that the best way to learn is by studying existing code + "doing some practice, man" :)

Only after that will you be able to recognize a packet (just for example) in Wireshark:

0000  00 50 22 e1 60 22 00 1c  42 fc ab 73 08 00 45 00   .P".`".. B..s..E.
0010  00 31 27 12 40 00 6e 06  41 65 60 ec 82 b6 c0 a8   .1'.@.n. Ae`.....
0020  00 05 1e 61 c0 e5 9f 2c  a7 20 74 ac 81 63 50 18   ...a..., . t..cP.
0030  fd 5c 64 9f 00 00 09 00  01 54 fe 37 1d 47 68      .\d..... .T.7.Gh

== SM_KEY

 09 00  01 54 fe 37 1d 47 68

where

09 00 - length

01 - crypted opcode 0x41

54 - static server packet code 0x54

fe - ~ of 0x01

the rest of the bytes (37 1d 47 68 - an integer generated randomly by the server + some mod) - are the key for encryption of the other packets

Probably I should try to write an article after I'm used to all this stuff.
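As an added illustration (not code from this thread or from the sniffitzt project), the following Python script turns the Wireshark dump quoted in the post above into bytes, walks the Ethernet, IPv4 and TCP headers to reach the application payload, and splits the SM_KEY payload into the fields the post describes: little-endian length, the opcode byte as it appears on the wire, the static 0x54 byte, the complement byte (which must equal the bitwise NOT of the wire opcode, a cheap plausibility check before trusting the key), and the 4 key bytes. It also reproduces the "all zeros - unlikely" plausibility check from the sniffitzt log earlier in the thread. Function names, the 40-byte session-key length taken from that log, and the little-endian reading of the length field are my assumptions; the sample dump and key are copied from the posts.

```python
import re

# Constructed sample: the Wireshark dump quoted in the post above, copied verbatim.
SAMPLE_DUMP = """\
0000  00 50 22 e1 60 22 00 1c  42 fc ab 73 08 00 45 00   .P".`".. B..s..E.
0010  00 31 27 12 40 00 6e 06  41 65 60 ec 82 b6 c0 a8   .1'.@.n. Ae`.....
0020  00 05 1e 61 c0 e5 9f 2c  a7 20 74 ac 81 63 50 18   ...a..., . t..cP.
0030  fd 5c 64 9f 00 00 09 00  01 54 fe 37 1d 47 68      .\\d..... .T.7.Gh
"""

# Offset, then a run of hex pairs; the lookahead stops the run at the ASCII gutter
# (e.g. the "Ae" in "Ae`....." is hex-looking but not followed by whitespace).
HEX_LINE = re.compile(r"^[0-9A-Fa-f]{4}((?:\s+[0-9A-Fa-f]{2}(?=\s|$))+)")


def parse_hexdump(text: str) -> bytes:
    """Convert a Wireshark-style hex dump (offset, hex bytes, ASCII gutter) to raw bytes."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out += bytes.fromhex("".join(m.group(1).split()))
    return bytes(out)


def tcp_payload(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> TCP and return addressing plus the application payload."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 Ethernet frame")
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:
        raise ValueError("not IPv4 carrying TCP")
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes
    total_len = int.from_bytes(ip[2:4], "big")    # trims any Ethernet padding
    tcp = ip[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4                 # TCP header length in bytes
    return {
        "src": ".".join(map(str, ip[12:16])),
        "dst": ".".join(map(str, ip[16:20])),
        "sport": int.from_bytes(tcp[0:2], "big"),
        "dport": int.from_bytes(tcp[2:4], "big"),
        "flags": tcp[13],
        "payload": tcp[data_off:],
    }


def parse_sm_key(payload: bytes) -> dict:
    """Split the SM_KEY payload into the fields the post lists.

    Layout as described in the post (endianness of the length is my assumption):
    u16 LE length (covers the whole payload), 1 opcode byte as sent on the wire,
    1 static byte 0x54, 1 byte that must be ~opcode, then the 4 key bytes.
    """
    length = int.from_bytes(payload[0:2], "little")
    if length != len(payload):
        raise ValueError(f"length field {length} != {len(payload)} bytes on the wire")
    opcode, static_code, complement = payload[2], payload[3], payload[4]
    return {
        "length": length,
        "opcode": opcode,
        "static_code": static_code,
        "complement_ok": complement == (~opcode & 0xFF),   # 0xfe == ~0x01
        "key": payload[5:],
    }


def plausible_session_key(key: bytes, expected_len: int = 40) -> bool:
    """The sniffitzt log rejects an all-zero key: the client simply has not filled it in yet.
    Same rule here, plus a length check (40 bytes in that log; assumed, not from the code)."""
    return len(key) == expected_len and any(key)


if __name__ == "__main__":
    info = tcp_payload(parse_hexdump(SAMPLE_DUMP))
    print(f"{info['src']}:{info['sport']} -> {info['dst']}:{info['dport']} flags=0x{info['flags']:02x}")
    fields = parse_sm_key(info["payload"])
    print("SM_KEY:", {k: (v.hex() if isinstance(v, bytes) else v) for k, v in fields.items()})
    print("zero key plausible?", plausible_session_key(bytes(40)))
```

Run it as a script to see the addressing and the decoded fields; the same `parse_hexdump` works on any dump pasted out of Wireshark, and the complement check is the kind of sanity test a sniffer should apply before treating bytes from an untrusted stream as a key.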
