WoW Memory Editing: for learning purposes only.
yo yo, same shit diff day. I see you're having fun with the newbs 'round here, lol! some pretty entertaining reads.
I wouldn't be surprised if it was in CNetClient; it would be a fitting place for it. But as I do all the key generation myself, I never had to fiddle around with how the client deals with it much. Either way, grabbing it from memory, or just brute forcing the damn thing (a few proxies have implemented this method before), it's fairly straightforward to get around the header encryption.
It's awesome fun.
The last proxy I saw dealt with resolving the key by making the user type a sentence into /say, I assume you're talking about something like that?
Quote:
Originally Posted by kynox
Tis stored in CNetClient indeed. But if this guy can't even detour a function, I hardly see this helping him.
PS: HAI BOOGIE
But detourz are harrrrdddddd.
Quote:
Originally Posted by Xeta
Just wanted to add a bit more info
BoogieMan, you can replace the C# PacketGenerator class with 1 line:
byte[] mKey = new System.Security.Cryptography.HMACSHA1(EncryptionSeed).ComputeHash(SessionKey);
The key generation is just HMAC sha1 seeded with those 16 static bytes.
Also, packets can have either 2 or 3 bytes in the header for the size field, depending on how big the packet is. If the packet is over 32767 bytes, 3 bytes are used, and the first byte is OR'd with 0x80 as a marker.
This goes for both server-sent and client-sent packets
Now for some offsets
At (ClientConnection + 0x27E4) is a pointer to the class that handles the actual communication with the server. I just called this WoWConnection, but it could be the CNetClient.
#include <windows.h>   // SOCKET and _RTL_CRITICAL_SECTION (24 bytes on x86)

struct ClientConnection;   // opaque here; only used through pointers

struct WDSNode             // 12 bytes per the 0xDC - 0xE8 note below; internals not given
{
    int field_0[3];
};

struct WoWConnection       // offsets in the comments assume the 32-bit client
{
    int field_0;                                    // 0x00
    SOCKET Socket;                                  // 0x04
    int field_8;                                    // 0x08
    int field_C;                                    // 0x0C
    int field_10;                                   // 0x10
    ClientConnection* ClientConnectionPtr;          // 0x14
    int field_18;                                   // 0x18
    char *InputBuffer;                              // 0x1C
    int InputBufferPosition;                        // 0x20
    int InputBufferSize;                            // 0x24
    int field_28[27];                               // 0x28 - 0x94
    struct _RTL_CRITICAL_SECTION CS_field_94;       // 0x94 - 0xAC
    int field_AC;                                   // 0xAC
    int ProcessingThreadId;                         // 0xB0
    ClientConnection* SavedClientConnectionContext; // 0xB4
    int field_B8[9];                                // 0xB8 - 0xDC
    WDSNode PacketQueue;                            // 0xDC - 0xE8
    struct _RTL_CRITICAL_SECTION CS_field_E8;       // 0xE8 - 0x100
    int field_100[6];                               // 0x100 - 0x118
    char IsEncryptionInitialized;                   // 0x118
    char EncKeyIndex;                               // 0x119
    char EncKeyPrevious;                            // 0x11A
    char ClientOpcodeLen;                           // 0x11B, always 4
    char DecKeyIndex;                               // 0x11C
    char DecKeyPrevious;                            // 0x11D
    char ServerOpcodeLen;                           // 0x11E, always 2
    char EncryptionKey[20];                         // 0x11F - 0x133, this is what's used to encrypt packets
};
Now if you need the full 40-byte session key for some reason, it's at ClientConnection+0x288.
The client still keeps this because it's used to seed warden modules and hashed in one of the bot packets, but that's another matter.
And if you want to see the CDataStore class for the packets, go to [Only registered and activated users can see links. ] and check out datastore.cpp/h. It looks to be the exact same as what the client uses, based on some of the function names in the asserts of the PTR clients.
-Ralek
Still waiting on my new account to activate, been a few days now. Had to grab this old one from way back
Y halo thar! Very nice work, welcome.
__________________
Back online!
"Science is interesting, and if you don't agree you can **** off."
Leonard: "I'm just saying, you can catch more flies with honey than with vinegar."
Sheldon: "You can catch even more flies with manure, what's your point?"
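As an added example (not code from the thread or from any of its posters), here is a Python sketch of the two header facts in Xeta's post: the 20-byte header key produced by HMAC-SHA1 keyed with the 16 static seed bytes over the 40-byte session key, and the 2- or 3-byte size field with 0x80 OR'd into the first byte as the large-packet marker. The seed and session key below are constructed placeholders, and the big-endian byte order of the size field is an assumption the post does not state.

```python
import hashlib
import hmac
import struct

# Constructed placeholder values; the real 16-byte seed and the client's
# session key are not reproduced here.
ENCRYPTION_SEED = bytes(range(16))
SESSION_KEY = bytes(range(0x40, 0x40 + 40))

LARGE_PACKET_FLAG = 0x80   # set in the first size byte when 3 bytes are used
MAX_2BYTE_SIZE = 32767     # anything larger needs the 3-byte form


def derive_header_key(seed: bytes, session_key: bytes) -> bytes:
    """Same computation as new HMACSHA1(EncryptionSeed).ComputeHash(SessionKey):
    HMAC-SHA1 keyed with the static seed, message = session key, 20-byte result."""
    if len(seed) != 16:
        raise ValueError("seed must be the 16 static bytes")
    if len(session_key) != 40:
        raise ValueError("session key is 40 bytes")
    return hmac.new(seed, session_key, hashlib.sha1).digest()


def encode_size(size: int) -> bytes:
    """Size field as described in the post. Byte order is assumed big-endian."""
    if size < 0 or size > 0x7FFFFF:
        raise ValueError("size does not fit the 23 bits left after the marker")
    if size > MAX_2BYTE_SIZE:
        first = (size >> 16) | LARGE_PACKET_FLAG
        return bytes([first, (size >> 8) & 0xFF, size & 0xFF])
    return struct.pack(">H", size)


def decode_size(header: bytes) -> tuple:
    """Return (size, bytes_consumed). Checks the marker before trusting that a
    third byte is present, so a short read cannot be mis-parsed."""
    if len(header) < 2:
        raise ValueError("need at least 2 header bytes")
    if header[0] & LARGE_PACKET_FLAG:
        if len(header) < 3:
            raise ValueError("3-byte size field but only 2 bytes available")
        size = ((header[0] & 0x7F) << 16) | (header[1] << 8) | header[2]
        return size, 3
    return (header[0] << 8) | header[1], 2


if __name__ == "__main__":
    key = derive_header_key(ENCRYPTION_SEED, SESSION_KEY)
    print("header key:", key.hex(), "(%d bytes)" % len(key))
    for n in (10, 32767, 32768, 0x7FFFFF):
        enc = encode_size(n)
        print("%7d -> %-8s -> %s" % (n, enc.hex(), decode_size(enc)))
```

The round trip through encode_size and decode_size is the part worth keeping near any packet parser: the 0x80 bit is the only thing that tells you how many size bytes to read before the opcode starts.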
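Also added here, not from the thread: a ctypes model of the WoWConnection struct from Xeta's post, built with 32-bit pointer widths so it lays out the same on a 64-bit host, used to check that the offsets annotated in the post (0x94, 0xDC, 0xE8, 0x118, 0x11F) actually fall out of the declared field sizes. It assumes the x86 RTL_CRITICAL_SECTION of 24 bytes; WdsNode32 is a 12-byte placeholder inferred only from the 0xDC - 0xE8 note, not a real layout.

```python
import ctypes

# The client is a 32-bit process: SOCKET, object pointers and char* are all
# 4 bytes there, so model them as 4-byte integers rather than c_void_p.
PTR32 = ctypes.c_uint32
INT32 = ctypes.c_int32
U8 = ctypes.c_uint8


class RtlCriticalSection32(ctypes.Structure):
    """x86 RTL_CRITICAL_SECTION: six 4-byte fields, 24 bytes total."""
    _fields_ = [("DebugInfo", PTR32), ("LockCount", INT32),
                ("RecursionCount", INT32), ("OwningThread", PTR32),
                ("LockSemaphore", PTR32), ("SpinCount", ctypes.c_uint32)]


class WdsNode32(ctypes.Structure):
    """Placeholder: 12 bytes, inferred only from the 0xDC - 0xE8 note."""
    _fields_ = [("raw", ctypes.c_uint32 * 3)]


class WoWConnection32(ctypes.Structure):
    """Field list transcribed from the post, in order."""
    _fields_ = [
        ("field_0", INT32), ("Socket", PTR32), ("field_8", INT32),
        ("field_C", INT32), ("field_10", INT32),
        ("ClientConnectionPtr", PTR32), ("field_18", INT32),
        ("InputBuffer", PTR32), ("InputBufferPosition", INT32),
        ("InputBufferSize", INT32), ("field_28", INT32 * 27),
        ("CS_field_94", RtlCriticalSection32), ("field_AC", INT32),
        ("ProcessingThreadId", INT32), ("SavedClientConnectionContext", PTR32),
        ("field_B8", INT32 * 9), ("PacketQueue", WdsNode32),
        ("CS_field_E8", RtlCriticalSection32), ("field_100", INT32 * 6),
        ("IsEncryptionInitialized", U8), ("EncKeyIndex", U8),
        ("EncKeyPrevious", U8), ("ClientOpcodeLen", U8),
        ("DecKeyIndex", U8), ("DecKeyPrevious", U8), ("ServerOpcodeLen", U8),
        ("EncryptionKey", U8 * 20),
    ]


# Offsets the post wrote down next to the fields.
DOCUMENTED_OFFSETS = {
    "CS_field_94": 0x94,
    "PacketQueue": 0xDC,
    "CS_field_E8": 0xE8,
    "IsEncryptionInitialized": 0x118,
    "EncryptionKey": 0x11F,
}


def offset_of(field_name: str) -> int:
    """Offset ctypes computes for a field under natural 4-byte alignment."""
    return getattr(WoWConnection32, field_name).offset


def layout_mismatches() -> list:
    """(field, documented, computed) for every field whose computed offset
    disagrees with the post; an empty list means the layout is self-consistent."""
    return [(name, doc, offset_of(name))
            for name, doc in DOCUMENTED_OFFSETS.items()
            if offset_of(name) != doc]


def key_span() -> tuple:
    """Start and exclusive end of EncryptionKey; the post says 0x11F - 0x133."""
    start = offset_of("EncryptionKey")
    return start, start + ctypes.sizeof(U8 * 20)


def struct_size() -> int:
    """sizeof, which includes the 1-byte tail padding 4-byte alignment adds."""
    return ctypes.sizeof(WoWConnection32)


if __name__ == "__main__":
    for name, doc, got in layout_mismatches():
        print("%s: post says %#x, layout gives %#x" % (name, doc, got))
    print("EncryptionKey spans %#x..%#x, sizeof = %#x" % (*key_span(), struct_size()))
```

If you change a field size while reconstructing a struct like this, layout_mismatches is the cheap way to see which documented offsets stop lining up.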
The last proxy I saw dealt with resolving the key by making the user type a sentence into /say, I assume you're talking about something like that?
That is one of them, yes. and that is the one that currently works, iirc. It's called something like sniffzit or something along those lines. It identifies by chat packets, which are also fairly easy to identify without reading the header. The one I was specifically talking about would passively sniff the ping packets (both client and server sent) while at the logon screen and brute the key that way.
Quote:
Originally Posted by Xeta
Just wanted to add a bit more info
BoogieMan, you can replace the C# PacketGenerator class with 1 line:
byte[] mKey = new System.Security.Cryptography.HMACSHA1(EncryptionSeed).ComputeHash(SessionKey);
Thanks, but I no longer maintain my C# bot. Just my code for that was still relevant, so I posted it.
Quote:
Originally Posted by Kynox
Tis stored in CNetClient indeed. But if this guy can't even detour a function, I hardly see this helping him.
PS: HAI BOOGIE
Lol, I wasn't trying to help him necessarily, but it could be useful to someone else.
That is one of them, yes. And that is the one that currently works, iirc. It's called something like sniffzit or something along those lines. It identifies by chat packets, which are also fairly easy to identify without reading the header. The one I was specifically talking about would passively sniff the ping packets (both client and server sent) while at the logon screen and brute the key that way.
Thanks, but I no longer maintain my C# bot. Just my code for that was still relevant, so I posted it.
Lol, I wasn't trying to help him necessarily, but it could be useful to someone else.
P.s. Omfg hai2u
Yes, I think that's the one I was remembering.
PS. OMFGEPIX!