-
-
[讨论]已初步模拟出魔兽世界客户端通讯(机器人)
-
发表于: 2011-12-25 19:55
-
已模拟出整套魔兽世界的安全认证系统(SRP6)和数据包对称加密系统(RC4),但暂时只到登陆验证到和进入角色界面,OPCODE 是在太多了,只能慢慢分析数据包和服务端模拟器源码,下一步要做的是角色的选择、删除和创建了,只要能简单做到移动和操作我的目标就达到了,有在研究的朋友,联系QQ:153466238。
最新进展:
角色枚举数据处理完毕。12-28
角色创建、删除处理完毕。12-30
很多人在关注我的帖子,因为工作原因没有太多时间去继续分析,抽空我会将 SRP6、RC4 部分源代码放出来。
客户端 服务器
-----------------------------------------------------------------------------
---------------Connect成功--------------> 初始化 N, g
N.SetHexStr("894B645E89E1535BBDAD5B8B290650530801B18EBFBF5E8FAB3C82872A3E9BB7");
g.SetDword(7);
I = USER //明文账号
---------------Challenge请求(I)---------> 读取DB -> v, s, p
首次通过 p 计算 v, s
s.SetRand(32 * 8);
x1 = hash(s, p)
x.SetBinary(x1, 20) (p = sha_pass_hash)
v = g ^ x % N
存入DB -> v, s
计算 B
b.SetRand(19 * 8);
k = 3 (SRP6a: k = hash(N, g))
b1 = g ^ b % N;
B = v * k + b1 % N
unk1.SetRand(16 * 8) ( or MD5(s) )
I = hash(USER) //账号 <------Challenge应答(B, g, N, s)---
p = hash(PASS) //密码
-----------
a.SetRand(32 * 8)
A = g ^ a % N
x1 = hash(s, p)
x.SetBinary(x1, 20)
-----------
u1 = hash(A, B)
u.SetBinary(u1, 20)
k = 3 (SRP6a: k = hash(N, g))
S1 = g ^ x % N
S2 = B - S1 * k
S3 = a + u * x
S = S1 ^ S2 % N
-----------非标准奇偶校验HASH算法
t1[20], t2[20], vK[40]
-----------偶数校验
for i := 0 to 15 do t1[i] = S[i*2]
H1 = hash(t1)
for i := 0 to 19 do vK[i*2] = H1[i]
-----------奇数校验
for i := 0 to 15 do t2[i] = S[i*2+1]
H2 = hash(t2)
for i := 0 to 19 do vK[i*2+1] = H2[i]
-----------HASH vK
K.SetBinary(vK, 40);
-----------XOR N,g
T1 = hash(N) , T2 = hash(g)
for i := 0 to 19 do T1[i] = T1[i] xor T2[i]
T.SetBinary(T1, 20);
M = hash(T, I, s, A, B, K)
----------------Proff请求(A, M)-----------> u1 = hash(A, B)
u.SetBinary(u1, 20)
S1 = v ^ u % N
S = (A * S1) ^ b % N
-----------非标准奇偶校验HASH算法
t1[20], t2[20], vK[40]
-----------偶数校验
for i := 0 to 15 do t1[i] = S[i*2]
H1 = hash(t1)
for i := 0 to 19 do vK[i*2] = sha[i]
-----------奇数校验
for i := 0 to 15 do t2[i] = S[i*2+1]
H2 = hash(t2)
for i := 0 to 19 do vK[i*2+1] = sha[i]
-----------HASH vK
K.SetBinary(vK, 40);
-----------XOR N,g
T1 = hash(N) , T2 = hash(g)
for i := 0 to 19 do T1[i] = T1[i] xor T2[i]
T.SetBinary(T1, 20);
M = hash(T, I, s, A, B, K)
M2 = H(A, M, K)
<------Proff应答(M2)-------------
最新进展:
角色枚举数据处理完毕。12-28
角色创建、删除处理完毕。12-30
很多人在关注我的帖子,因为工作原因没有太多时间去继续分析,抽空我会将 SRP6、RC4 部分源代码放出来。
客户端 服务器
-----------------------------------------------------------------------------
---------------Connect成功--------------> 初始化 N, g
N.SetHexStr("894B645E89E1535BBDAD5B8B290650530801B18EBFBF5E8FAB3C82872A3E9BB7");
g.SetDword(7);
I = USER //明文账号
---------------Challenge请求(I)---------> 读取DB -> v, s, p
首次通过 p 计算 v, s
s.SetRand(32 * 8);
x1 = hash(s, p)
x.SetBinary(x1, 20) (p = sha_pass_hash)
v = g ^ x % N
存入DB -> v, s
计算 B
b.SetRand(19 * 8);
k = 3 (SRP6a: k = hash(N, g))
b1 = g ^ b % N;
B = v * k + b1 % N
unk1.SetRand(16 * 8) ( or MD5(s) )
I = hash(USER) //账号 <------Challenge应答(B, g, N, s)---
p = hash(PASS) //密码
-----------
a.SetRand(32 * 8)
A = g ^ a % N
x1 = hash(s, p)
x.SetBinary(x1, 20)
-----------
u1 = hash(A, B)
u.SetBinary(u1, 20)
k = 3 (SRP6a: k = hash(N, g))
S1 = g ^ x % N
S2 = B - S1 * k
S3 = a + u * x
S = S1 ^ S2 % N
-----------非标准奇偶校验HASH算法
t1[20], t2[20], vK[40]
-----------偶数校验
for i := 0 to 15 do t1[i] = S[i*2]
H1 = hash(t1)
for i := 0 to 19 do vK[i*2] = H1[i]
-----------奇数校验
for i := 0 to 15 do t2[i] = S[i*2+1]
H2 = hash(t2)
for i := 0 to 19 do vK[i*2+1] = H2[i]
-----------HASH vK
K.SetBinary(vK, 40);
-----------XOR N,g
T1 = hash(N) , T2 = hash(g)
for i := 0 to 19 do T1[i] = T1[i] xor T2[i]
T.SetBinary(T1, 20);
M = hash(T, I, s, A, B, K)
----------------Proff请求(A, M)-----------> u1 = hash(A, B)
u.SetBinary(u1, 20)
S1 = v ^ u % N
S = (A * S1) ^ b % N
-----------非标准奇偶校验HASH算法
t1[20], t2[20], vK[40]
-----------偶数校验
for i := 0 to 15 do t1[i] = S[i*2]
H1 = hash(t1)
for i := 0 to 19 do vK[i*2] = sha[i]
-----------奇数校验
for i := 0 to 15 do t2[i] = S[i*2+1]
H2 = hash(t2)
for i := 0 to 19 do vK[i*2+1] = sha[i]
-----------HASH vK
K.SetBinary(vK, 40);
-----------XOR N,g
T1 = hash(N) , T2 = hash(g)
for i := 0 to 19 do T1[i] = T1[i] xor T2[i]
T.SetBinary(T1, 20);
M = hash(T, I, s, A, B, K)
M2 = H(A, M, K)
<------Proff应答(M2)-------------
|
|
|---|---|
|
|
|
|
|
脱机G????
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
 我是来膜拜LZ的...
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
潜力贴留名.Opera插图补丁.颜色补丁.字数补丁..
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
膜拜LZ
|
