Neo2003
Opcode CMSG_FORCE_RUN_SPEED_CHANGE_ACK badly parsed
When you release your corpse after a death, you get kicked from the server (since I configure the server to kick players for bad packets, of course).
How to reproduce: .die yourself and release your corpse.
Log:
2014-06-22 19:26:27 WORLD: Received opcode CMSG_REPOP_REQUEST
2014-06-22 19:26:27 Holder of spell 8326 now is in use
2014-06-22 19:26:27 Corpse (Guid: 3) enters grid[14,32]
2014-06-22 19:26:27 WORLD: Received CMSG_FORCE_RUN_SPEED_CHANGE_ACK (227, 0xE3) opcode
2014-06-22 19:26:27 ERROR:Attempted to get in ByteBuffer (pos: 44 size: 44) value with size: 4
Unit::CanDetectInvisibilityOf()+0x162 [0x0]
Unit::GetDummyAura()+0x2be9 [0x0]
WorldSession::HandleForceSpeedChangeAckOpcodes()+0x185 [0x0]
WorldSession::ExecuteOpcode()+0x21 [0x0]
WorldSession::Update()+0xf1 [0x0]
Map::Update()+0xa5 [0x0]
GetCreatureModelRace()+0x23ed5 [0x0]
CreatureEventAI::CreatureEventAI()+0x744a [0x0]
BarGoLink::operator=()+0x4aa2 [0x0]
ACE_OS_Thread_Adapter::invoke()+0x74 [0x0]
endthreadex()+0x3a [0x0]
endthreadex()+0xe4 [0x0]
BaseThreadInitThunk()+0x12 [0x0]
RtlInitializeExceptionChain()+0x63 [0x0]
RtlInitializeExceptionChain()+0x36 [0x0]
2014-06-22 19:26:27 ERROR:WorldSession::Update ByteBufferException occured while parsing a packet (opcode: 227) from client 192.168.10.1, accountid=6.
2014-06-22 19:26:27 Dumping error causing packet:
2014-06-22 19:26:27 STORAGE_SIZE: 44
02 00 00 00 00 00 00 00 | 00 00 00 00 00 10 00 00 16 88 B0 01 DA 57 12 C6 | F3 FD 16 43 F8 CE 76 42 7E C9 3D 3F 00 00 00 00 | 00 00 0C 41
My player is Guid 3.
Regards,
Neo2003
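As an added example (not from the post and not the MaNGOS core's own code): a stand-alone bounds-checked reader decodes the 44 dumped bytes using an assumed 1.12-style field order (uint64 guid, uint32 counter, uint32 move flags, uint32 time, x/y/z/o floats, uint32 fall time, float new speed), then shows that a handler reading one more field than the client sent produces exactly the ERROR text in the log above. The ByteBuffer class, field layout and function names are assumptions for illustration.

```cpp
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <string>
#include <vector>

// Stand-alone bounds-checked reader (assumption: shaped like MaNGOS' ByteBuffer, not the core's code).
struct ByteBufferException : std::runtime_error {
    ByteBufferException(size_t pos, size_t size, size_t vsize)
        : std::runtime_error("Attempted to get in ByteBuffer (pos: " + std::to_string(pos) +
                             " size: " + std::to_string(size) + ") value with size: " + std::to_string(vsize)) {}
};

class ByteBuffer {
public:
    ByteBuffer(const uint8_t* p, size_t n) : data_(p, p + n) {}
    template <typename T> T read() {                  // refuse to read past the wire data
        if (rpos_ + sizeof(T) > data_.size()) throw ByteBufferException(rpos_, data_.size(), sizeof(T));
        T v; std::memcpy(&v, &data_[rpos_], sizeof(T)); rpos_ += sizeof(T); return v;
    }
private:
    std::vector<uint8_t> data_; size_t rpos_ = 0;
};

// The 44 bytes dumped in the post, in wire (little-endian) order.
static const uint8_t kDump[44] = {
    0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,
    0x16,0x88,0xB0,0x01,0xDA,0x57,0x12,0xC6, 0xF3,0xFD,0x16,0x43,0xF8,0xCE,0x76,0x42,
    0x7E,0xC9,0x3D,0x3F,0x00,0x00,0x00,0x00, 0x00,0x00,0x0C,0x41 };

struct SpeedAck { uint64_t guid; uint32_t counter, flags, time; float x, y, z, o; uint32_t fallTime; float newSpeed; };

// Assumed 1.12-style field order: guid, counter, movement info (flags, time, x, y, z, o, fall time), new speed.
SpeedAck ParseSpeedAck(ByteBuffer& b) {
    SpeedAck a;
    a.guid = b.read<uint64_t>(); a.counter = b.read<uint32_t>();
    a.flags = b.read<uint32_t>(); a.time = b.read<uint32_t>();
    a.x = b.read<float>(); a.y = b.read<float>(); a.z = b.read<float>(); a.o = b.read<float>();
    a.fallTime = b.read<uint32_t>(); a.newSpeed = b.read<float>();
    return a;
}

SpeedAck ParseDump() { ByteBuffer b(kDump, sizeof kDump); return ParseSpeedAck(b); }

// A handler reading one more uint32 than the client sent trips the check; the text it
// returns is the ERROR line from the post's log (the core catches it and disconnects).
std::string ReadOneFieldTooMany() {
    ByteBuffer b(kDump, sizeof kDump);
    ParseSpeedAck(b);
    try { b.read<uint32_t>(); } catch (const ByteBufferException& e) { return e.what(); }
    return "no exception";
}
```

The assumed layout consumes all 44 bytes exactly (guid 2, counter 0, new speed 8.75), so any further read is what the log reports: the client did not send the extra field the handler expects.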
Warden - The definitive anti-cheat system
Neo2003 replied to Auntie Mangos's topic in OldCore modifications
Yes, my version is no longer active. This hijack of the thread was the one making the bottle full. I left WoW development stuff definitively with rm -rf everything, so forget about the full Warden cryptography usage; better hardcode static keys everywhere in code. Good luck for the future.
Warden - The definitive anti-cheat system
Neo2003 replied to Auntie Mangos's topic in OldCore modifications
I have no value for Chk7 & Chk8 because Blizz doesn't use them. Then I used 0xFF as an unknown value. By the way, the patch doesn't use Chk7 and 8 because I have no values for them for modules and only 1 check to add in the DB.
No, I have plenty of modules. I just need their keys and later will need a way to find the check codes.
Hello, just for your information, I try to break some RC4 keys of modules for which I did not get it via sniffing. In fact I did get them from wdb. But even if I manage to brute force 700 000 key tests per second on a single process/single thread, it's not possible to get the 128-bit key in a reasonable time. If you know any shortcut to brute force an RC4 key, I would be happy to hear it. I already only decrypt the first 6 bytes of the module to check that the uint32 module_deflated_size is in a proper range and the uint16 zlib signature. Then if this passes, I decrypt the module until the RSA signature to check the "SIGN" at offset size-0x104 (I never came to that point yet on an unknown module, so my first check with 6 bytes works pretty well). I also changed the rc4 function a bit to write the result in another buffer to prevent the memory copy each loop. Here is the code, if you see any big optimization, tell me:

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <stdint.h>
#include "BigNumber.h"

// rc4 part
inline void SWAP(uint8_t *a, uint8_t *b);
inline void rc4_init(uint8_t *key_buffer, uint8_t *base, uint32_t base_length);
inline void rc4_crypt(uint8_t *key, uint8_t *data, uint32_t length, uint8_t *destdata);

int main(int argc, char *argv[])
{
    uint32_t mod_length = 18754;
    const char *name = "1D811DBA8199D4CF0633CE36C7557E3D.bin";
    FILE *fp = fopen(name, "rb");
    if (!fp)
    {
        printf("Module file missing!!!\n");
        return 0;
    }
    uint8_t *m_cryptedModule, *m_workCopy;
    m_cryptedModule = (uint8_t*)malloc(sizeof(uint8_t) * mod_length);
    m_workCopy = (uint8_t*)malloc(sizeof(uint8_t) * (mod_length - 0x100));
    uint8_t m_testKey[0x102];                     // 256-byte S-box plus the two RC4 indices
    fread(m_cryptedModule, sizeof(uint8_t) * mod_length, 1, fp);
    fclose(fp);

    BigNumber bn;
    bn.SetDword(0);
    bool found = false;
    time_t start = time(0);
    uint32_t a = 0xFFFFFFFF;                      // progress counter, wraps to 0 on the first ++
    while (!found)
    {
        if (0x007FFFFF == a++)                    // print progress every 8M keys
        {
            a = 0;
            printf("%u: ", (unsigned)(time(0) - start));
            printf("%s\n", bn.AsHexStr());
        }
        // fast check: decrypt only the first 6 bytes (deflated size + zlib header)
        rc4_init(m_testKey, bn.AsByteArray(16, false), 16);
        rc4_crypt(m_testKey, m_cryptedModule, 6, m_workCopy); // no need to decrypt until the end
        uint32_t m_inflatedSize = *(uint32_t*)m_workCopy;
        uint16_t m_sign = *(uint16_t*)(m_workCopy + 4);
        if (m_sign == 0xDA78 && m_inflatedSize > 25500 && m_inflatedSize < 34500) // 78 DA
        {
            printf("%s: zlib signature check pass.\n Inflated size would be %u\n", bn.AsHexStr(), m_inflatedSize);
            // full check: decrypt up to the RSA signature and look for the "SIGN" marker
            rc4_init(m_testKey, bn.AsByteArray(16, false), 16);
            rc4_crypt(m_testKey, m_cryptedModule, mod_length - 0x100, m_workCopy);
            uint32_t m_signature = *(uint32_t*)(m_workCopy + mod_length - 0x104);
            if (m_signature == 0x5349474E)        // 'SIGN' as a multi-char constant
            {
                printf("Found !!!!!!\n");
                fp = fopen("module.key", "wb");
                fwrite(&mod_length, sizeof(uint32_t), 1, fp);
                fwrite(bn.AsByteArray(16, false), sizeof(uint8_t) * 16, 1, fp);
                fclose(fp);
                found = true;
                printf("\n%s - 0x%08X\n", bn.AsHexStr(), m_signature);
            }
        }
        ++bn;
    }
    free(m_workCopy);
    free(m_cryptedModule);
    return 0;
}

// rc4 part
inline void SWAP(uint8_t *a, uint8_t *b)
{
    uint8_t t;
    t = *a;
    *a = *b;
    *b = t;
}

// key scheduling; key_buffer[0x100] and [0x101] hold the i/j indices used by rc4_crypt
inline void rc4_init(uint8_t *key_buffer, uint8_t *base, uint32_t base_length)
{
    uint8_t val = 0;
    uint32_t position = 0;
    uint32_t i;
    for (i = 0; i < 0x100; i++)
        key_buffer[i] = (uint8_t)i;
    key_buffer[0x100] = 0;
    key_buffer[0x101] = 0;
    for (i = 1; i <= 0x40; i++)                   // 4 swaps per round, 64 rounds = 256 entries
    {
        val += key_buffer[(i * 4) - 4] + base[position++ % base_length];
        SWAP(&key_buffer[(i * 4) - 4], &key_buffer[val & 0x0FF]);
        val += key_buffer[(i * 4) - 3] + base[position++ % base_length];
        SWAP(&key_buffer[(i * 4) - 3], &key_buffer[val & 0x0FF]);
        val += key_buffer[(i * 4) - 2] + base[position++ % base_length];
        SWAP(&key_buffer[(i * 4) - 2], &key_buffer[val & 0x0FF]);
        val += key_buffer[(i * 4) - 1] + base[position++ % base_length];
        SWAP(&key_buffer[(i * 4) - 1], &key_buffer[val & 0x0FF]);
    }
}

// keystream generation; writes into destdata instead of modifying data in place
inline void rc4_crypt(uint8_t *key, uint8_t *data, uint32_t length, uint8_t *destdata)
{
    for (uint32_t i = 0; i < length; i++)
    {
        key[0x100]++;
        key[0x101] += key[key[0x100]];
        SWAP(&key[key[0x101]], &key[key[0x100]]);
        //data[i] ^= key[(key[key[0x101]] + key[key[0x100]]) & 0x0FF];
        destdata[i] = data[i] ^ (key[(key[key[0x101]] + key[key[0x100]]) & 0x0FF]);
    }
}

I added ++ and -- operators to the BigNumber class like this:

BigNumber BigNumber::operator++()
{
    BN_add_word(_bn, 1);
    return *this;
}
Warden - The definitive anti-cheat system
Neo2003 replied to Auntie Mangos's topic in OldCore modifications
For 2.4.3, you only need to change the void WardenMgr::SendWardenData(WorldSession* const session) method in WardenMgr.cpp, lines 882-929. The modules are unchanged and the keys are the same since they are associated with the module. This method sends to the client the offsets of the functions in the Warden client (in wow.exe). I did comment them: the first group is the MPQ access functions, then the LUA functions, and finally the PerformanceCounter for the timing check, which did not exist by default in 3.3.5 sniffs. I will dig through my hard disk next week; I probably have the packet somewhere for 2.4.3. The patch can work for 2.4.3, but it won't work for 1.12 since the module format was different in Vanilla, so the keys were different too.
Warden - The definitive anti-cheat system
Neo2003 replied to Auntie Mangos's topic in OldCore modifications
The *.key files are generated from packet sniffs. The .bin files are also obtained from sniffing, but can be taken from wowcache.wdb. Anyway, a module is useless without the RC4 key to decode it (.key file). You can create your own module but the client will never load it. The last 2048 bits of the .bin are the RSA signature of it. As for the redirect packet, it's not possible at this point in time to break such an encryption, and it's a good thing, or anyone could send harmful code to the client.
Warden - The definitive anti-cheat system
Neo2003 replied to Auntie Mangos's topic in OldCore modifications
I spent 2 days checking everything; I will leave this ACE problem to an ACE expert, I cannot debug this ____ myself. I think the best reactor to use on Linux is the default one: ACE_Select_Reactor, then we don't even need any #ifdef. On Windows, there is no problem; the "WFMO" one is working fine on Windows, while the "Select" one on Linux fails the run_reactor_event_loop(). I tried to instantiate a reactor outside of the ACE_Reactor::instance() singleton; this changes nothing. I rewrote the WardenSvcHandler class so that the methods match 100% the base ACE_Svc_Handler class; this changes nothing. I am out of ideas. I don't understand why ACE works so badly on Linux.
The second link I posted fixed this. I have the same problem, unable to patch either wow.exe 4.0.3 or 4.1.0. Only wow.exe 4.0.6 patches properly.
Warden - The definitive anti-cheat system
Neo2003 replied to Auntie Mangos's topic in OldCore modifications
The problem is around ACE and the Reactor used for Linux. I was not yet able to find a working one on Linux, while the Windows one (WFMO_Reactor) just works fine. If I use a TP_Reactor or a DEV_POL_Reactor, I get this problem of an infinite loop; if I use the Select_Reactor, I cannot get data back from the core, the handle_input method is simply never called. I am still searching for how to make this damn Select_Reactor work on Linux.
Btw, new version. I prevented searching past the end of the data and removed the size in array creation. http://trunk.dyndns.org/BreakTrue-C++0429.rar
Copyright © getMaNGOS. All rights Reserved.
This website is in no way associated with or endorsed by Blizzard Entertainment®