TOM_RUS
Posts posted by TOM_RUS
-
-
Should be fixed.
-
Honor diminishing returns were removed in some old client patch.
Patch 2.4.0:
PvP
- Diminishing returns on honor for kills is being eliminated.
- Honor will now be instantly calculated, and available for player use.
- Players that have the resurrection sickness debuff will be worth no honor.
-
May be fixed in latest rev.
-
Anyone tried to add flag 0x8000 to such items? Maybe it will work... All such items have the 0x8 item flag.
-
There's also a message like "Time is over!" (exact message unknown, because I'm playing on Russian realms) at the end of the battleground in this case.
-
00:30:07,811 INFO - S->C 0x00: Warden module loading request!
00:30:07,826 INFO - Module MD5: B97DB15A24740055BBCA8EDDD6B23CF2
00:30:07,826 INFO - Module decryption key: 682F1CE077552EE9D021B8A7A72CCDA1
00:30:07,826 INFO - Module length: 18442
Packet S->C, SMSG_WARDEN_DATA (0x02E6), len 0x0025
0000: 00 B9 7D B1 5A 24 74 00 55 BB CA 8E DD D6 B2 3C | ..}.Z$t.U......<
0010: F2 68 2F 1C E0 77 55 2E E9 D0 21 B8 A7 A7 2C CD | .h/..wU...!...,.
0020: A1 0A 48 00 00 -- -- -- -- -- -- -- -- -- -- -- | ..H.............
00:30:08,014 INFO - C->S 0x01: Warden module loaded!
00:30:08,014 INFO - [WARDEN] Loading module B97DB15A24740055BBCA8EDDD6B23CF2...
00:30:08,014 INFO - [WARDEN] Update...
00:30:08,014 INFO - [WARDEN] Update: Adjusting references to global variables...
00:30:08,014 INFO - [WARDEN] Update: Updating API library references...
00:30:08,014 INFO - Library: KERNEL32.dll
00:30:08,029 INFO - Function: LCMapStringA @ 0x7C838E18
00:30:08,029 INFO - Function: Sleep @ MY 0x0036284A
00:30:08,029 INFO - Function: TlsFree @ 0x7C813777
00:30:08,029 INFO - Function: TlsGetValue @ 0x7C8097E0
00:30:08,029 INFO - Function: TlsSetValue @ 0x7C809C65
00:30:08,029 INFO - Function: RaiseException @ 0x7C812AA9
00:30:08,029 INFO - Function: TlsAlloc @ 0x7C812E3F
00:30:08,029 INFO - Function: GetProcAddress @ MY 0x00362A0A
00:30:08,029 INFO - Function: GetModuleHandleA @ 0x7C80B741
00:30:08,029 INFO - Function: GetTickCount @ 0x7C80934A
00:30:08,029 INFO - Function: GetVersionExA @ 0x7C812B7E
00:30:08,029 INFO - Function: GetSystemInfo @ 0x7C812DF6
00:30:08,029 INFO - Function: QueryDosDeviceA @ 0x7C85D344
00:30:08,029 INFO - Function: VirtualQuery @ MY 0x00362B22
00:30:08,029 INFO - Function: CloseHandle @ 0x7C809BE7
00:30:08,029 INFO - Function: GetCurrentProcess @ MY 0x00362D1A
00:30:08,029 INFO - Function: FreeLibrary @ MY 0x00362E2A
00:30:08,029 INFO - Function: DuplicateHandle @ 0x7C80DE9E
00:30:08,029 INFO - Function: LoadLibraryA @ MY 0x00362E5A
00:30:08,029 INFO - Function: GetProcessHeap @ 0x7C80AC61
00:30:08,029 INFO - Function: HeapFree @ 0x7C90FF2D
00:30:08,029 INFO - Function: TerminateProcess @ 0x7C801E1A
00:30:08,029 INFO - Function: UnhandledExceptionFilter @ 0x7C863FCA
00:30:08,029 INFO - Function: SetUnhandledExceptionFilter @ 0x7C84495D
00:30:08,029 INFO - Function: QueryPerformanceCounter @ 0x7C80A4C7
00:30:08,029 INFO - Function: GetCurrentThreadId @ 0x7C8097D0
00:30:08,029 INFO - Function: GetCurrentProcessId @ MY 0x00362EBA
00:30:08,029 INFO - Function: GetSystemTimeAsFileTime @ 0x7C8017E9
00:30:08,029 INFO - Function: RtlUnwind @ 0x7C92ABC5
00:30:08,029 INFO - Library: USER32.dll
00:30:08,029 INFO - Function: IsCharUpperA @ 0x7E38707E
00:30:08,029 INFO - Function: CharUpperBuffA @ 0x7E36AE3F
00:30:08,029 INFO - Function: BeginPaint @ 0x7E378FE9
00:30:08,045 INFO - [WARDEN] Initialize...
00:30:08,045 INFO - [WARDEN] Initialize function: 0x040C17A7
00:30:08,061 INFO - [WARDEN] Init()
00:30:08,061 INFO - GetCurrentProcessId() = 0x00000EE0
00:30:08,061 INFO - GetProcAddress(0x7C800000, AddVectoredExceptionHandler) = 0x7C936C2A
00:30:08,061 INFO - GetProcAddress(0x7C800000, RemoveVectoredExceptionHandler) = 0x7C936C96
00:30:08,061 INFO - AllocateMemory(0x001CB5E0, 0x000007F0)
00:30:08,061 INFO - AllocateMemory(0x001CCA38, 0x0000003C)
00:30:08,061 INFO - AllocateMemory(0x001C3F20, 0x0000002C)
00:30:08,061 INFO - LoadLibrary(kernel32.dll) = 0x7C800000
00:30:08,061 INFO - GetProcAddress(0x7C800000, CreateToolhelp32Snapshot) = 0x7C865C7F
00:30:08,061 INFO - GetProcAddress(0x7C800000, Module32First) = 0x7C8653A0
00:30:08,061 INFO - GetProcAddress(0x7C800000, Module32Next) = 0x7C865525
00:30:08,061 INFO - GetProcAddress(0x7C800000, wine_get_unix_file_name) = 0x00000000
00:30:08,061 INFO - AllocateMemory(0x001CD3F8, 0x0000005C)
00:30:08,061 INFO - [WARDEN] Initialized...
00:30:08,061 INFO - GetRC4Data(0x001CB600, 0x00000208)
Packet C->S, CMSG_WARDEN_DATA (0x02E7), len 0x0001
0000: 01 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- | ................
00:30:08,076 INFO - S->C 0x05: Warden hash request!
00:30:08,076 INFO - Seed: AEF3F42B2B831F265E16ABB5D9F87718
00:30:08,076 INFO - Passing S->C 0x05 packet to warden module...
00:30:08,076 INFO - SendPacket(0x03D5EFD8, 0x00000015)
00:30:08,076 INFO - S->C 0x05: handled packet 17 bytes.
00:30:08,076 INFO - Client RC4 Seed 0x8D1BDA8E0D82E600DD3CDA0F48CFB3D7
Packet S->C, SMSG_WARDEN_DATA (0x02E6), len 0x0011
0000: 05 AE F3 F4 2B 2B 83 1F 26 5E 16 AB B5 D9 F8 77 | ....++..&^.....w
0010: 18 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- | ................
00:30:08,186 INFO - Mpq checks init!
Packet S->C, SMSG_WARDEN_DATA (0x02E6), len 0x0039
0000: 03 14 00 0D D4 CA C8 01 00 02 00 90 59 33 00 D0 | ............Y3..
0010: 25 33 00 A0 31 33 00 B0 35 33 00 03 08 00 E9 AD | %3..13..53......
0020: 99 92 04 00 00 E0 01 3D 00 01 03 08 00 8A 88 B5 | .......=........
0030: 4D 01 01 00 20 04 42 00 01 -- -- -- -- -- -- -- | M... .B.........
00:30:08,248 INFO - C->S 0x04: Warden response!
00:30:08,248 INFO - Hash: 38FDC97E90926A44A4A3F7BC44495A8E8818DC52
Packet C->S, CMSG_WARDEN_DATA (0x02E7), len 0x0015
0000: 04 38 FD C9 7E 90 92 6A 44 A4 A3 F7 BC 44 49 5A | .8..~..jD....DIZ
0010: 8E 88 18 DC 52 -- -- -- -- -- -- -- -- -- -- -- | ....R...........
Packet S->C, SMSG_WARDEN_DATA (0x02E6), len 0x00B0
0000: 02 2A 77 6F 72 6C 64 5C 6D 61 70 73 5C 73 74 72 | .*world\maps\str
0010: 61 74 68 6F 6C 6D 65 5C 73 74 72 61 74 68 6F 6C | atholme\strathol
0020: 6D 65 5F 33 38 5F 32 35 2E 61 64 74 00 1A 15 01 | me_38_25.adt....
0030: BE 00 87 B6 47 00 08 72 63 53 49 BA E9 AA 5B A5 | ....G..rcSI...[.
0040: 36 FC 7E 8C 66 8B 5B F6 63 16 74 A4 A0 18 FC BA | 6.~.f.[.c.t.....
0050: 69 32 00 00 24 BF 05 1B 95 43 28 C9 D9 4D 44 F6 | i2..$....C(..MD.
0060: 90 E4 6B 3C 6F 02 84 30 75 EA B7 E4 9D 76 92 4E | ..k<o..0u....v.N
0070: 03 00 17 72 E5 CF 81 C4 09 52 79 A7 19 72 80 D6 | ...r.....Ry..r..
0080: A6 BE AD E2 65 CA 8A 35 75 9D 57 39 8C A0 00 00 | ....e..5u.W9....
0090: 18 72 40 1F DF F1 3E B7 4C FB D4 20 96 BE D6 84 | .r@...>.L.. ....
00A0: F3 5A 81 53 D9 7D 50 4E A7 A4 0C A1 00 00 18 8D | .Z.S.}PN........
Packet C->S, CMSG_WARDEN_DATA (0x02E7), len 0x002E
0000: 02 27 00 6F 76 DC 39 01 44 7A 70 15 00 B2 FB C9 | .'.ov.9.Dzp.....
0010: D5 59 86 67 F9 0C 86 2F 87 CB 9B 6A B0 4E CB AD | .Y.g.../...j.N..
0020: 3E 00 68 D0 81 0D 01 C6 02 00 E9 E9 E9 E9 -- -- | >.h.............
Packet S->C, SMSG_WARDEN_DATA (0x02E6), len 0x00AD
0000: 02 08 41 66 64 65 33 32 75 75 00 1A BE 00 00 84 | ..Afde32uu......
0010: 6D 00 0B 72 8B B4 13 ED 5F 47 4D 1F 7C E9 63 37 | m..r...._GM.|.c7
0020: 42 59 79 8D 67 54 0C 48 CB 85 1F 31 10 9C 06 00 | BYy.gT.H...1....
0030: 30 BF F6 BD 52 1B 0A 22 2F 69 EA 00 AA ED 69 4E | 0...R.."/i....iN
0040: 65 F6 C0 FA D6 2B 6E 8F 20 A5 70 A1 18 00 1E BE | e....+n. .p.....
0050: 00 0A A9 4C 00 05 BC 46 0D CC A2 1A 8F 1C F5 62 | ...L...F.......b
0060: A5 0F C0 74 21 92 EC 50 57 63 4A B5 52 A7 2D 01 | ...t!..PWcJ.R.-.
0070: 72 A6 4B 53 91 E0 AA 96 47 BF 59 2B E2 80 73 07 | r.KS....G.Y+..s.
0080: AA 7D 8F 13 29 E4 42 94 F5 F8 D4 06 00 30 BF CC | .}..).B......0..
0090: EF 3F 0B 7B BD B2 A0 EC DD 60 61 AF C6 B1 F2 85 | .?.{.....`a.....
00A0: B4 FF DB 32 BA 2B B8 A0 5F 16 00 1F 8D -- -- -- | ...2.+.._.......
Packet C->S, CMSG_WARDEN_DATA (0x02E7), len 0x0023
0000: 02 1C 00 10 55 4B 1C 01 8C C8 70 15 00 01 BE 80 | ....UK....p.....
0010: 00 00 00 E8 E5 B6 FF FF E9 E9 00 77 34 FF 24 85 | ...........w4.$.
0020: E9 E9 E9 -- -- -- -- -- -- -- -- -- -- -- -- -- | ................
As you can see
00:30:08,076 INFO - Client RC4 Seed 0x8D1BDA8E0D82E600DD3CDA0F48CFB3D7
First byte is 0x8D
and
Packet S->C, SMSG_WARDEN_DATA (0x02E6), len 0x00B0
0000: 02 2A 77 6F 72 6C 64 5C 6D 61 70 73 5C 73 74 72 | .*world\maps\str
0010: 61 74 68 6F 6C 6D 65 5C 73 74 72 61 74 68 6F 6C | atholme\strathol
0020: 6D 65 5F 33 38 5F 32 35 2E 61 64 74 00 1A 15 01 | me_38_25.adt....
0030: BE 00 87 B6 47 00 08 72 63 53 49 BA E9 AA 5B A5 | ....G..rcSI...[.
0040: 36 FC 7E 8C 66 8B 5B F6 63 16 74 A4 A0 18 FC BA | 6.~.f.[.c.t.....
0050: 69 32 00 00 24 BF 05 1B 95 43 28 C9 D9 4D 44 F6 | i2..$....C(..MD.
0060: 90 E4 6B 3C 6F 02 84 30 75 EA B7 E4 9D 76 92 4E | ..k<o..0u....v.N
0070: 03 00 17 72 E5 CF 81 C4 09 52 79 A7 19 72 80 D6 | ...r.....Ry..r..
0080: A6 BE AD E2 65 CA 8A 35 75 9D 57 39 8C A0 00 00 | ....e..5u.W9....
0090: 18 72 40 1F DF F1 3E B7 4C FB D4 20 96 BE D6 84 | .r@...>.L.. ....
00A0: F3 5A 81 53 D9 7D 50 4E A7 A4 0C A1 00 00 18 8D | .Z.S.}PN........
Packet S->C, SMSG_WARDEN_DATA (0x02E6), len 0x00AD
0000: 02 08 41 66 64 65 33 32 75 75 00 1A BE 00 00 84 | ..Afde32uu......
0010: 6D 00 0B 72 8B B4 13 ED 5F 47 4D 1F 7C E9 63 37 | m..r...._GM.|.c7
0020: 42 59 79 8D 67 54 0C 48 CB 85 1F 31 10 9C 06 00 | BYy.gT.H...1....
0030: 30 BF F6 BD 52 1B 0A 22 2F 69 EA 00 AA ED 69 4E | 0...R.."/i....iN
0040: 65 F6 C0 FA D6 2B 6E 8F 20 A5 70 A1 18 00 1E BE | e....+n. .p.....
0050: 00 0A A9 4C 00 05 BC 46 0D CC A2 1A 8F 1C F5 62 | ...L...F.......b
0060: A5 0F C0 74 21 92 EC 50 57 63 4A B5 52 A7 2D 01 | ...t!..PWcJ.R.-.
0070: 72 A6 4B 53 91 E0 AA 96 47 BF 59 2B E2 80 73 07 | r.KS....G.Y+..s.
0080: AA 7D 8F 13 29 E4 42 94 F5 F8 D4 06 00 30 BF CC | .}..).B......0..
0090: EF 3F 0B 7B BD B2 A0 EC DD 60 61 AF C6 B1 F2 85 | .?.{.....`a.....
00A0: B4 FF DB 32 BA 2B B8 A0 5F 16 00 1F 8D -- -- -- | ...2.+.._.......
The last byte of both SMSG packets is 0x8D. I don't see any problems here...
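To check dumps like the one above mechanically instead of by eye, here is an added Python example (not TOM_RUS's sniffer code): it reassembles a packet from the sniffer's hex rows, verifies the byte count against the `len` header, and decodes the three opcodes whose layout the log makes explicit (0x00 module info, 0x05 seed, 0x04 hash reply). The sample dumps are copied from the log above; the field layout of 0x00 (16-byte MD5, 16-byte key, little-endian 32-bit length) is inferred from the logged values and is an assumption beyond what the log states.

```python
import re
import struct

# Sample input: three packets copied verbatim from the log posted above
# (server 0x00 module info, server 0x05 hash request, client 0x04 reply).
SAMPLE_DUMPS = {
    "module_info": """\
Packet S->C, SMSG_WARDEN_DATA (0x02E6), len 0x0025
0000: 00 B9 7D B1 5A 24 74 00 55 BB CA 8E DD D6 B2 3C | ..}.Z$t.U......<
0010: F2 68 2F 1C E0 77 55 2E E9 D0 21 B8 A7 A7 2C CD | .h/..wU...!...,.
0020: A1 0A 48 00 00 -- -- -- -- -- -- -- -- -- -- -- | ..H.............
""",
    "hash_request": """\
Packet S->C, SMSG_WARDEN_DATA (0x02E6), len 0x0011
0000: 05 AE F3 F4 2B 2B 83 1F 26 5E 16 AB B5 D9 F8 77 | ....++..&^.....w
0010: 18 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- | ................
""",
    "hash_response": """\
Packet C->S, CMSG_WARDEN_DATA (0x02E7), len 0x0015
0000: 04 38 FD C9 7E 90 92 6A 44 A4 A3 F7 BC 44 49 5A | .8..~..jD....DIZ
0010: 8E 88 18 DC 52 -- -- -- -- -- -- -- -- -- -- -- | ....R...........
""",
}

HEADER_RE = re.compile(r"len 0x([0-9A-Fa-f]+)")
# offset, then exactly 16 tokens (hex byte or "--" padding), then the ASCII column
ROW_RE = re.compile(r"^([0-9A-Fa-f]{4}): ((?:(?:[0-9A-Fa-f]{2}|--) ){16})\|")


def parse_dump(text):
    """Reassemble a packet from a sniffer hex dump.

    Returns (declared_len, payload). Raises ValueError if a row offset is out
    of sequence or the reassembled size disagrees with the 'len' header.
    """
    declared = None
    payload = bytearray()
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m and declared is None:
            declared = int(m.group(1), 16)
            continue
        m = ROW_RE.match(line)
        if not m:
            continue  # timestamped INFO lines and anything else are skipped
        offset = int(m.group(1), 16)
        if offset != len(payload):
            raise ValueError(f"row offset {offset:#06x} but {len(payload)} bytes so far")
        for tok in m.group(2).split():
            if tok == "--":
                break  # padding: no more data in this row
            payload.append(int(tok, 16))
    if declared is not None and declared != len(payload):
        raise ValueError(f"header says {declared} bytes, dump has {len(payload)}")
    return declared, bytes(payload)


def decode_warden_packet(payload):
    """Decode the Warden opcodes whose layout the logged session shows."""
    opcode = payload[0]
    body = payload[1:]
    if opcode == 0x00:
        # ASSUMPTION (inferred from the log): md5[16] key[16] length[u32 little-endian]
        md5, key = body[:16], body[16:32]
        (length,) = struct.unpack_from("<I", body, 32)
        return {"opcode": opcode, "module_md5": md5.hex().upper(),
                "module_key": key.hex().upper(), "module_length": length}
    if opcode == 0x05:  # hash request carrying the 16-byte seed
        return {"opcode": opcode, "seed": body[:16].hex().upper()}
    if opcode == 0x04:  # client reply: SHA1 (20 bytes) of the derived client seed
        return {"opcode": opcode, "hash": body[:20].hex().upper()}
    return {"opcode": opcode, "raw": body.hex().upper()}


if __name__ == "__main__":
    for name, dump in SAMPLE_DUMPS.items():
        declared, payload = parse_dump(dump)
        print(name, declared, decode_warden_packet(payload))
```

The length check is the useful part when a dump has been mangled by copy-paste: a dropped row or a stray token shows up as a mismatch against the header rather than as a silently wrong key.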
-
The xor byte is the first byte of the seed used for initializing the client RC4 encryption.
This seed is stored at module+4. The SHA1 of this seed is sent in the 0x04 packet.
// This seed is used by the warden module for RC4 initialization (client - one pass, server - 2 passes)
public byte[] ReadRC4Seed
{
    get
    {
        var seed = new byte[16];
        unsafe
        {
            Marshal.Copy(new IntPtr((int)ppWFuncList + 4), seed, 0, seed.Length);
        }
        return seed;
    }
}
-
Are you Blizzard employee?
-
Thank you I'll have a look.
Edit: Omg, thanks for all your help. But I had it all correct except for one part: the pointer to the data passed into the packet handler was messed up. I'm using VB.net, so pointers and stuff are really tricky.
Nice that you got it fixed
-
So the module handles the 0x04 packet as well? Doesn't seem to work for me though
No. The 0x04 packet is handled by my sniffer.
There's full source code, that deal with warden: http://paste2.org/p/502204
I forgot Arc4 class:
using System;
using System.Collections.Generic;

namespace Wlp
{
    public class Arc4
    {
        private readonly byte[] state;
        private byte x, y;

        // Exportable cipher state: 0x100 S-box bytes followed by x and y (0x102 bytes in total),
        // so a state read out of the module can be loaded here and the keystream continued.
        public byte[] RC4Data
        {
            get
            {
                var data = new byte[0x102];
                state.CopyTo(data, 0);
                data[0x100] = x; // hex offsets, matching the setter; decimal 100/101 would clobber S-box bytes
                data[0x101] = y;
                return data;
            }
            set
            {
                Array.Copy(value, state, 0x100);
                x = value[0x100];
                y = value[0x101];
            }
        }

        public Arc4(byte[] key)
        {
            state = new byte[256];
            x = y = 0;
            KeySetup(key);
        }

        // In-place encrypt/decrypt (RC4 is symmetric); advances the keystream.
        public int Process(byte[] buffer, int start, int count)
        {
            return InternalTransformBlock(buffer, start, count, buffer, start);
        }

        public int Process(List<byte> buffer, int start, int count)
        {
            return InternalTransformBlock(buffer, start, count, buffer, start);
        }

        private void KeySetup(byte[] key)
        {
            byte index1 = 0;
            byte index2 = 0;
            for (var counter = 0; counter < 256; counter++)
            {
                state[counter] = (byte)counter;
            }
            x = 0;
            y = 0;
            for (var counter = 0; counter < 256; counter++)
            {
                index2 = (byte)(key[index1] + state[counter] + index2);
                // swap byte
                var tmp = state[counter];
                state[counter] = state[index2];
                state[index2] = tmp;
                index1 = (byte)((index1 + 1) % key.Length);
            }
        }

        private int InternalTransformBlock(byte[] inputBuffer, int inputOffset, int inputCount, byte[] outputBuffer, int outputOffset)
        {
            for (var counter = 0; counter < inputCount; counter++)
            {
                x = (byte)(x + 1);
                y = (byte)(state[x] + y);
                // swap byte
                var tmp = state[x];
                state[x] = state[y];
                state[y] = tmp;
                var xorIndex = (byte)(state[x] + state[y]);
                outputBuffer[outputOffset + counter] = (byte)(inputBuffer[inputOffset + counter] ^ state[xorIndex]);
            }
            return inputCount;
        }

        private int InternalTransformBlock(List<byte> inputBuffer, int inputOffset, int inputCount, List<byte> outputBuffer, int outputOffset)
        {
            for (var counter = 0; counter < inputCount; counter++)
            {
                x = (byte)(x + 1);
                y = (byte)(state[x] + y);
                // swap byte
                var tmp = state[x];
                state[x] = state[y];
                state[y] = tmp;
                var xorIndex = (byte)(state[x] + state[y]);
                outputBuffer[outputOffset + counter] = (byte)(inputBuffer[inputOffset + counter] ^ state[xorIndex]);
            }
            return inputCount;
        }
    }
}
-
That's how I do that:
s_wardenLoader.LoadWarden(s_currentModule.Data); // load
s_wardenLoader.GenerateRC4Keys(WardenCrypt.s_sessionKey); // init with session key, may be not required
then the module calls its GetRC4Data callback:
private unsafe int GetRC4Data(void* buffer, int* length)
{
    var pBuffer = new IntPtr(buffer);
    Logger.Add(" GetRC4Data(0x{0:X8}, 0x{1:X8})", pBuffer.ToInt32(), *length);
    for (var i = 0; i < *length; ++i) // clear all keys
        ((byte*)buffer)[i] = 0;
    return 1; // this is important!!!
}
s_wardenLoader.PacketHandler(packet.m_data, out handled); // handle 0x05 packet
WardenCrypt.ServerRC4Data = s_wardenLoader.ReadRC4Data; // get server keys in 0x05 packet handler
WardenCrypt.ClientRC4Data = s_wardenLoader.ReadRC4Data; // get client keys in 0x04 packet handler
ppWFuncList is shit returned by Warden Init function
public byte[] ReadRC4Data
{
    get
    {
        var data = new byte[0x204]; // two 0x102-byte RC4 states, read from module+32
        unsafe
        {
            Marshal.Copy(new IntPtr((int)ppWFuncList + 32), data, 0, data.Length);
        }
        return data;
    }
}
-
I am collecting modules so that I can 1) track what's being used and when, 2) hopefully derive an algorithm that will determine what version, and what check IDs there are. So if you would be a dear and add the function into your packet logger to dump the modules/keys, that would be awesome!
The .mod file is the fully compressed, encrypted module
The .key file is the 16 byte RC4 seed you get in 0x01.
They are named with the MD5 of the module.
I have that done. And I collected 56 modules so far.
01615ECE93F7338E0222FD65F980DE5E.bin
020F5AF2B0D646B81D7C15542B1339D1.bin
0AB2DCC91B8D52FB34C663CD63D4D29A.bin
0BE6B21C37F937401FB34650408C4C55.bin
1D5F921A03F3357983AB0799A845D9EA.bin
1E3603741C0EFFC83C8CE7F0FE5F0B1B.bin
1FBC81B56D674A1E8DA9AD720B0E6B8B.bin
257D860402EC76256379F810C3D48418.bin
29A94615F3CB7E460B6645C590772B56.bin
2DAC5284B383377E207B474A42FC11E5.bin
3016CD46723D437F396E49EC86997D35.bin
398550DE1087C53FAF2ED2C2309C7650.bin
39AF4B1CC5DDB1968113029B49BFCE3A.bin
3C058C9A46C7939C97D335A0A317518A.bin
4405C5C94C713C832A1C8D863E038E11.bin
499D0AAB170AA4376B1FC329895733F3.bin
5286FFA3231E000D49263759BD77446B.bin
5B63C4158A71676AE764D85813BE3CD0.bin
5DF72E877269CBC34DB91A0AF94BF11A.bin
5F947B8AB100C93D206D1FC3EA1FE6DD.bin
66D85EEB9F72E2BF1EA0949156F0C73F.bin
671E47F179127137CC47F2FBDF31E3AF.bin
6A914823E022CFFDC5A94797636E5CA5.bin
6AC4D01D274E287F6560930803198DCF.bin
6D6B65B2FDCFF9E6CDB7BC9E3425EE18.bin
77C2BB2F3FAC7992F1A4B98234806018.bin
789533BC3027E2E246757E4107005F13.bin
79C0768D657977D697E10BAD956CCED1.bin
7C4ABC97B86494A2D91820785F3A1C87.bin
7F3C4EA3B1EC5866A1ACD80A6D82A5F6.bin
8A2156F668B15D2407EAEB61850EBC8B.bin
8AF8D377B87E29F6F28AFCCBA031BA5C.bin
959162ED696E469673C96CFDEC0EFFA6.bin
9653E8190B71180367F7E033972CA6C3.bin
9D257F6F769606DDD622BE2C24941901.bin
AF203602B6E8414A835A10B4E3DC8EEC.bin
B09BB776F37C6030115FDEA7F5383DB8.bin
B211108E8B3BED69390A8C24A34DAB5E.bin
B97DB15A24740055BBCA8EDDD6B23CF2.bin
C752AE93D2CF377AF009A2A48BC99E68.bin
D0F75B799F47CC69CC826778CF4630B5.bin
D13D91D203FF0CCAE7A9FA107CFBEEB8.bin
D16D1E6C34854C1BA102AE1FE30B69B0.bin
D2362F5334DB0ACC31C6D377B4CB0FF9.bin
D38D4C8740A7617F8DFFB958020D968C.bin
D418B9F6334CAB80929961A5C70AACA5.bin
D4557FDD68A1ACB955724E91DE3050F2.bin
DA3BF29EB72099327FDFA6ED7322C35E.bin
DD6BC9E427ECBB46D0D45498CA4468CC.bin
DE240190C1446E66A2A51A19804356C7.bin
DE82F1BEC723F8623E6FA8E32C52FFFC.bin
ED4272452F70779CC12079C155812E0A.bin
FC5630F8D423155E765662C3EFC60512.bin
FC6560DAA366D845884B71CD15ED64E3.bin
FCA7F7EF7A900FD617B1DF58470649A4.bin
FD3A83D0EC85687144148B79DB55CAC4.bin
-
I checked, and that module-specific hashing function is completely different between 2 modules. So the best way is to load the module and grab the keys...
-
Have you figured out a way to calculate the new keys after the 0x05 packet instead of loading the module and letting it do the dirty job?
I do know that every module has a different MD5 function, but still, there has to be a pattern between them all. I've tried reversing the MD5 function of a module, but haven't gotten it to calculate either the new keys or the return hash correctly.
Afaik the module first hashes the "seed" with its own md5 function, and then creates a new hash from that one with the same md5 function. Then it sha1-hashes the first one and that one is supposed to be the return hash. And it then takes the two md5 hashes generated in the beginning into RC4_Init and generates the new keys. Is this correct?
Sounds correct. It looks something like that:
byte seed[16];                                                // taken from 0x05 packet
byte[] rc4_seed_client = ModuleSpecificHash(seed);            // one pass; this value is then stored at module+4
byte[] rc4_seed_server = ModuleSpecificHash(rc4_seed_client); // second pass, so we have the double-processed seed here
clientRC4Crypt_Init(rc4_seed_client);
serverRC4Crypt_Init(rc4_seed_server);
byte[] seedHash = SHA1(rc4_seed_client);                      // used in 0x04 packet
Hex-Rays pseudocode:
signed int __thiscall Handle_05_packet(Module *this, int data, int serverRC4ctx)
{
  Module *module; // ebx@1
  signed int result; // eax@2
  unsigned int v5; // eax@3
  int v6; // edx@5
  int localData; // esi@1
  int s; // [sp+CCh] [bp+0h]@1
  unsigned int v9; // [sp+C8h] [bp-4h]@1
  int v10; // [sp+28h] [bp-A4h]@1
  Seed *clientSeed; // [sp+18h] [bp-B4h]@1
  Seed *serverSeed; // [sp+8h] [bp-C4h]@3
  int v13; // [sp+Ch] [bp-C0h]@3
  int v14; // [sp+10h] [bp-BCh]@3
  int v15; // [sp+14h] [bp-B8h]@3
  char v16; // [sp+3Ch] [bp-90h]@5
  char clientSeedHash; // [sp+9Ch] [bp-30h]@5
  int v18; // [sp+34h] [bp-98h]@5
  int a3; // [sp+B0h] [bp-1Ch]@5
  int *buffer; // [sp+2Ch] [bp-A0h]@5
  signed int size; // [sp+30h] [bp-9Ch]@5
  char opcode; // [sp+38h] [bp-94h]@5

  v9 = (unsigned int)&s ^ dword_409040;
  localData = data;
  v10 = serverRC4ctx;
  module = this;
  ReadInt32Blocks(data, (int)&clientSeed, 4); // 4*4=16 bytes
  if ( *(_DWORD *)(localData + 8) <= *(_DWORD *)(localData + 4) )
  {
    UnknownHashingFunc((Seed *)&clientSeed);
    serverSeed = clientSeed;
    v13 = clientSeed->b;
    v14 = clientSeed->c;
    v15 = clientSeed->d;
    UnknownHashingFunc((Seed *)&serverSeed);
    v5 = 0;
    do
      v5 += 4;
    while ( v5 < 16 );
    module->seed[0] = (int)clientSeed; // store client seed at module+4
    module->seed[1] = clientSeed->b;
    module->seed[2] = clientSeed->c;
    module->seed[3] = clientSeed->d;
    Sha1Init((int)&v16);
    Sha1Update((int)&v16, (int)&clientSeed, 16);
    Sha1Final((int)&v16, (int)&clientSeedHash);
    v18 = 0;
    buffer = &a3;
    size = 21;
    opcode = 4;
    InitPacket((int)&buffer, (int)&opcode);
    PutBytes((int)&buffer, (int)&clientSeedHash);
    if ( v18 <= (unsigned int)size )
      SendPacket((int)module, v6, (int)&a3);
    RC4Init((int)module->out_key, (int)&clientSeed, 16); // module+32
    RC4Init(v10, (int)&serverSeed, 16);
    result = 1;
  }
  else
  {
    result = 3;
  }
  return result;
}
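Putting the Arc4 class posted earlier in this thread together with the seed derivation just sketched, here is an added Python example (not the thread's own code): an RC4 with the same 0x102-byte exportable state, the one-pass client seed and two-pass server seed, the SHA1 that goes into the 0x04 reply, and the xor byte as the first byte of the client seed. The module-specific hash is the unknown part, so `module_specific_hash` is a stand-in (plain MD5, an assumption labelled in the code); with it the derived values are internally consistent but do not reproduce the 0x8D seed or the 0x04 hash from the log above. The input seed is the one from the logged 0x05 packet, and `roundtrip_through_saved_state` is a name chosen here for the save-then-continue use of the exported state.

```python
import hashlib


class Arc4:
    """RC4 with an exportable state in the same layout as the Arc4 class posted
    in this thread: 256 S-box bytes followed by x and y (0x102 bytes in total)."""

    def __init__(self, key):
        if not key:
            raise ValueError("RC4 key must not be empty")
        self.state = list(range(256))
        self.x = self.y = 0
        j = 0
        for i in range(256):  # key scheduling, as in KeySetup()
            j = (j + self.state[i] + key[i % len(key)]) & 0xFF
            self.state[i], self.state[j] = self.state[j], self.state[i]

    @property
    def rc4_data(self):
        """Snapshot of the cipher state; a second instance can take over the keystream."""
        return bytes(self.state) + bytes([self.x, self.y])

    @rc4_data.setter
    def rc4_data(self, data):
        if len(data) != 0x102:
            raise ValueError("expected 0x102 bytes of RC4 state")
        self.state = list(data[:0x100])
        self.x, self.y = data[0x100], data[0x101]

    def process(self, data):
        """Encrypt or decrypt (RC4 is symmetric); advances the keystream."""
        out = bytearray()
        for b in data:
            self.x = (self.x + 1) & 0xFF
            self.y = (self.y + self.state[self.x]) & 0xFF
            self.state[self.x], self.state[self.y] = self.state[self.y], self.state[self.x]
            out.append(b ^ self.state[(self.state[self.x] + self.state[self.y]) & 0xFF])
        return bytes(out)


def module_specific_hash(seed16):
    # ASSUMPTION: stand-in for the module's private 16-byte hash. The thread
    # notes every module ships its own variant, so plain MD5 is used here only
    # to make the data flow runnable; it will not reproduce the logged values.
    return hashlib.md5(seed16).digest()


def derive_session(seed, hash_fn=module_specific_hash):
    """Mirror the 0x05 handler: seed -> client seed (one pass) -> server seed (two passes)."""
    client_seed = hash_fn(seed)         # stored at module+4, keys the client->server RC4
    server_seed = hash_fn(client_seed)  # double-processed seed, keys the server->client RC4
    return {
        "client_seed": client_seed,
        "server_seed": server_seed,
        "hash_response": hashlib.sha1(client_seed).digest(),  # body of the client's 0x04 packet
        "xor_byte": client_seed[0],     # the byte check IDs are XORed with
    }


def roundtrip_through_saved_state(session, plaintext):
    """Encrypt with one Arc4 keyed from the client seed, then decrypt with a second
    instance restored from the first one's pre-encryption snapshot, which is what a
    loader does after reading the module's RC4 state out of memory."""
    sender = Arc4(session["client_seed"])
    snapshot = sender.rc4_data          # state before any byte was processed
    ciphertext = sender.process(plaintext)
    receiver = Arc4(b"\x00")            # key is irrelevant, the state is overwritten below
    receiver.rc4_data = snapshot
    return ciphertext, receiver.process(ciphertext)


if __name__ == "__main__":
    seed = bytes.fromhex("AEF3F42B2B831F265E16ABB5D9F87718")  # from the logged 0x05 packet
    s = derive_session(seed)
    packet = bytes([0x04]) + s["hash_response"]
    ct, pt = roundtrip_through_saved_state(s, packet)
    print("xor byte: 0x%02X" % s["xor_byte"], "roundtrip ok:", pt == packet)
```

Passing `hash_fn=lambda b: b` into `derive_session` shows the layout without any hashing: the client seed is then the raw 0x05 seed and the xor byte is its first byte, 0xAE.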
-
So the packets are encrypted in?
-
Warden packets are encrypted. The packet logs posted in this topic were decrypted. You need to encrypt packets before sending...
-
It's a client limitation.
-
0: mostly "flag" quests (63 quests in 3.3.0)
-1: a lot of quests (1289 quests in 3.3.0)
-
Fairly easy, just change your hard coded values.
As I said, there are no more hardcoded values; I added interactive debugging.
I'm fairly sure it'd be simple. I haven't looked at a module in IDA for a while, but if they use a switch() then it's just a jump table.
In some modules it's a switch, and in some it's not.
Anyways, I'd also like to figure out exactly what opcode 0x03 does.
Initializes file reading functions (open/getsize/read/close). Maybe something more... http://paste2.org/p/473332
-
Oh, you're manually parsing check IDs. Ouch. But it looks sexy.
I just added interactive debugging to warden parser, so you don't have to recompile it anymore.
Just a suggestion: I'd say do ID checks vs the post-xored value, just in case they ever bother to change it during a single connection, so that you can parse multiple connections using the same module, because they choose a seemingly random xor byte during each connection.
I just realized that xor byte changes each session. Let's see what I can do...
But this is cool, how exactly are you determining what each check does? Just guessing, watching the module run, or do you have the modules loaded up in IDA?
Ralek did some reversing using IDA.
Any way I could get you to upload the binary packet logs? At least the Warden packets. I'd like to do some work with the modules you are working with. (yes I *could* parse your text logs but... :*( )
Can't separate warden packets from rest of packets right now (because I'm lazy).
-
OK, so I guess the:
((MangosSendPacket)ctx->sendpacket)(ctx->session, pdata, size);
should be replaced by
WorldPacket data(SMSG_WARDEN_DATA, size);
data.append(pdata, size);
ctx->session->SendPacket(&data);
Maybe this way?
-
Is your Packet Logger Open source?
I'd like to see it, see what you've done.
I am really interested in seeing how you split up the requests and extract the proper check IDs.
No, it's not open source.
To parse checks I manually find them first, add them to parser and then parse log.
P.S. Two more parsed sniffs http://paste2.org/p/474078, http://paste2.org/p/474089
Parser is here http://code.google.com/p/mywowtools/source/browse/trunk/WoWPacketViewer/WoWPacketViewer/Parsers/WardenParser.cs?spec=svn137&r=137#, nothing interesting really.
-
Very nice. It's been confirmed, as I always suspected: the initial field in 0x02 is not libraries, it's just strings.
So you got a C# version of module prepping/loading/running done?
That's rather interesting. I haven't dealt much with C#, but others I know who have are always bitching about how difficult it is to run non-managed code from it.
I'd be interested in seeing how you've done it.
Also, Do you know ASM? I still want to have someone figure out the other opcodes, (and preferably a more reliable way to determine them u.u)
It's not fully in C#. I wrote a C++ DLL that deals with warden modules and then I just get pointers to RC4 keys and read them (pinvoke)...
Edit: I have ported my C++ code to C# completely.
Small research on warden packets: http://paste2.org/p/471651
And whole session with this module: http://paste2.org/p/471660
And some parsed output: http://paste2.org/p/472958
-
Anyone know what to send to get correct naming of the mirror images? i.e. the name of the player and not "mirror image".
I don't think this works on Trinity. From videos floating around it looks like an aura.
There's probably a special opcode doing that. SMSG_MIRRORIMAGE_DATA or something.
[9316] New Model ID's not working (e.g. ICC Bosses)
in OldBug reports
There was some misleading error output. It was fixed and should now show the correct source of the problem.