Author | Message | Time |
---|---|---|
drivehappy | I don't believe this breaks any rules here, as it's only going to be used for writing a server, not running one. Has anyone looked through wow.exe to get past the server authentication? I've bypassed the login server check and I'm able to get the client to connect to a hardcoded realmlist server I whipped up. Now, however, when trying to connect to a game server (from the realmlist) it does yet another authentication of the server. What I've gotten out of it so far is this: Packet Log: Server -> Client: 00 06 EC 01 4F 9A 4A EE (format is always: 00 06 EC 01 xx xx xx xx) Client -> Server: 00 xx ED 01, 00 00 aa aa 00 00 00 00 00 00 bb bb bb bb bb bb bb bb bb bb 00 cc cc cc cc dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd (format: xx = packet size, aa aa = client version, bb = account name, cc = 4 bytes - this has to do with auth?, dd = hash of data - not sure what) Server -> Client: xx xx xx xx 0C yy yy 07/08 00 00 (format: xx = server auth, yy = I'm not sure) After the wssock recv function, the client appears to XOR the bytes with a lookup table up to and including 0C and subtracts the previous byte it did. The lookup table is created randomly each time the client connects to the login server, but is left the same if you only disconnect from the game server. The lookup table is located at 090BB678 in memory. Client -> Server: xx xx xx xx xx xx (format, looks to be a client auth for the server. The first byte always appears to match the first byte the server sent. This leads me to believe the client also does the XOR operation on the lookup table and adds the next byte) The problem I'm having is that I cannot find where the client compares the server auth bytes with what it should actually be. I would be OK with patching the client to get around it (as I had to do with the login server). I've got a quick little server written up in C# and I can tell you how to patch the client to get around the first auth key if anyone is willing to help. I've also posted this on Blizzhackers, but it appears many of the users there are more interested in playing w/o paying. I'm only interested in creating a server, not playing on it. P.S. This would easily be seen where the logic flow goes on a legitimate server, however I don't have the game yet, so I'm unable to see how the client responds to a correct server authentication packet. Hopefully I didn't ramble too much about it and confuse anyone, it's just something that's been bothering me for the last few days. EDIT: Clarification. | November 30, 2004, 12:32 AM |
UserLoser. | Upload Wow.exe somewhere for download? :p | November 30, 2004, 2:34 AM |
drivehappy | http://drivehappy.rgaming.net/WoWPatched.exe That is for v1.1.1 Build 4062 (latest I know of) It's the patched exe I use to bypass the first authentication. The socket recv function for the game server is at: 005AD788 If you need the original: http://drivehappy.rgaming.net/WoW.exe | November 30, 2004, 2:52 AM |
j0k3r | It's nice to see somebody doing something constructive, and sharing freely with people, keep up the good work and good luck. | November 30, 2004, 4:27 AM |
Myndfyr | [quote author=j0k3r link=topic=9716.msg90545#msg90545 date=1101788860] It's nice to see somebody doing something constructive, and sharing freely with people, keep up the good work and good luck. [/quote] Aye. I'd like to help, but I'd really like to chat with you about where you're trying to go. I worry that you're trying to hack people's accounts or something. I'm not saying that you are; I don't know you well enough to make that judgement. | November 30, 2004, 6:02 AM |
drivehappy | I understand how it may appear that way, but this is only for creating my own server. I don't care at all how the client creates the server auth bytes, because my server will accept it no matter what. The problem is creating or bypassing the check on the bytes the server sends (if this were done on a legitimate server, it would disconnect the client). I use MSN Messenger exclusively if you would like to chat, my contact is: drivehappy@gmail.com | November 30, 2004, 6:18 AM |
drivehappy | Update: I've got the client encryption and decryption of world packets bypassed (with help from modem from BH). Since modem private messaged me with the encryption bypass, I'm not sure how much he wants me to reveal (since this is his information). The decryption bypass is at 005AD7B8, change JE to JMP. The big thing though was the switch statement that used the received decrypted packet to do its work. If anyone is really interested in the locations and packet format, send me a PM. | December 3, 2004, 4:52 AM |
Lycaon | Just wanted to note, the authentication WoW uses is SRP6, or a modified version of it, and the key generated by it is either going to be used to encrypt traffic between the client and server, or will start being used fairly soon. I've been looking for a solution to this for a long time, since I figure that the key generated by the initial login sequence is used to authenticate with the world server as well (after character selection), but nobody's been able to figure out exactly how Blizz modified the SRP6 algorithm to create the key. If there's anything I can do to help out with this, give me a holler. | January 11, 2005, 4:49 PM |
Kp | It should be possible to isolate the change, since SRP6-conventional source is available (I assume), and anyone with WoW will have SRP6-WoW binaries available. At that point, you're just comparing the functions in WoW to functions in conventional looking for (mis)matches. Of course, depending on worker proficiency and the complexity of SRP, this might be a very time-consuming process. :) | January 11, 2005, 5:31 PM |
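Lycaon's post says the login is SRP6 and that the key it produces is (or will be) the traffic key, and Kp suggests diffing the client against a conventional SRP6 implementation. The following is an added example, not code from the thread or from Blizzard's client: a complete conventional SRP-6a exchange (RFC 5054 style, with SHA-256 as the hash, the RFC 5054 1024-bit group transcribed here, and the class and function names `Client`, `Server`, `make_verifier`, `run_exchange` all chosen for this example). It shows both sides' messages, the verifier-based server that never learns the password, the proof exchange, and why a wrong password fails without leaking the verifier. It also includes the A ≡ 0 and B ≡ 0 checks a real server must do, which a bypass-everything test server like the one described earlier in the thread would skip. How Blizzard modified the scheme is not known to the thread, so nothing here claims to match the client's variant.

```python
import hashlib
import hmac
import secrets

# Group parameters: the 1024-bit safe prime and generator from RFC 5054, Appendix A,
# as transcribed here for the example.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
NLEN = (N.bit_length() + 7) // 8


def pad(x: int) -> bytes:
    """Fixed-width big-endian encoding so hashes do not depend on leading zero bytes."""
    return x.to_bytes(NLEN, "big")


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


# SRP-6a multiplier k = H(N, PAD(g)); plain SRP-6 used the constant 3 here.
k = H(pad(N), pad(g))


def private_key_x(salt: bytes, username: bytes, password: bytes) -> int:
    inner = hashlib.sha256(username + b":" + password).digest()
    return H(salt, inner)


def make_verifier(username: bytes, password: bytes) -> tuple:
    """Enrolment: the server stores (salt, v) and never sees the password again."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_key_x(salt, username, password), N)


class Client:
    def __init__(self, username: bytes, password: bytes):
        self.username, self.password = username, password
        self.a = secrets.randbelow(N - 1) + 1
        self.A = pow(g, self.a, N)            # message 1: client -> server (I, A)

    def respond(self, salt: bytes, B: int) -> bytes:
        if B % N == 0:
            raise ValueError("rejecting B == 0 mod N (would make the session key predictable)")
        u = H(pad(self.A), pad(B))
        x = private_key_x(salt, self.username, self.password)
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        self.K = hashlib.sha256(pad(S)).digest()   # session key: derived, never sent
        self.M1 = hashlib.sha256(pad(self.A) + pad(B) + self.K).digest()
        return self.M1                            # message 3: client proof

    def check_server(self, M2: bytes) -> bool:
        expected = hashlib.sha256(pad(self.A) + self.M1 + self.K).digest()
        return hmac.compare_digest(expected, M2)


class Server:
    def __init__(self, salt: bytes, verifier: int):
        self.salt, self.v = salt, verifier

    def challenge(self, A: int) -> tuple:
        if A % N == 0:
            raise ValueError("rejecting A == 0 mod N")
        self.A = A
        self.b = secrets.randbelow(N - 1) + 1
        self.B = (k * self.v + pow(g, self.b, N)) % N   # message 2: server -> client (s, B)
        return self.salt, self.B

    def verify(self, M1: bytes) -> bytes:
        u = H(pad(self.A), pad(self.B))
        S = pow(self.A * pow(self.v, u, N), self.b, N)
        self.K = hashlib.sha256(pad(S)).digest()
        expected = hashlib.sha256(pad(self.A) + pad(self.B) + self.K).digest()
        if not hmac.compare_digest(expected, M1):
            raise ValueError("client proof M1 does not match: wrong password")
        return hashlib.sha256(pad(self.A) + M1 + self.K).digest()  # message 4: server proof


def run_exchange(username: bytes, password: bytes, attempt: bytes) -> dict:
    """Enrol with `password`, then log in with `attempt`; report what each side concluded."""
    salt, v = make_verifier(username, password)
    server, client = Server(salt, v), Client(username, attempt)
    salt, B = server.challenge(client.A)
    M1 = client.respond(salt, B)
    try:
        M2 = server.verify(M1)
    except ValueError:
        return {"server_accepted": False, "client_accepted": False, "keys_match": False}
    return {
        "server_accepted": True,
        "client_accepted": client.check_server(M2),
        "keys_match": hmac.compare_digest(client.K, server.K),
    }


if __name__ == "__main__":
    # Constructed sample credentials for the demonstration.
    print(run_exchange(b"drivehappy", b"correct horse", b"correct horse"))
    print(run_exchange(b"drivehappy", b"correct horse", b"wrong guess"))
```

The point Kp raises becomes concrete here: a modified client will differ from this in small, identifiable places (the hash function, the multiplier k, the padding rule, the order of values fed into u or M1, or how K is derived from S), and each of those is a self-contained function to compare. The `keys_match` field is what Lycaon is after: both sides end with the same K without it ever crossing the wire, which is why a server that skips the M1 check gets a session but no shared key.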