Project: sniffitzt - a wow logging proxy [Wiki]
Last Changed 5 months ago, by arrai
Sessionkey Decryption

As the algorithm page shows, the header encryption is built around a plain XOR with the session key, so it is vulnerable to a known-plaintext attack. To obtain the session key, this tool uses an in-game macro that makes the client send several packets with an *identifiable* payload. As soon as the sniffer recognizes this payload in the stream, it extracts the 6 encrypted header bytes (2 bytes size + 4 bytes opcode) of each of these packets. If there are at least 7 such packets in a row, it has 7*6 = 42 header bytes, which is enough to cover the 40-byte session key; these 42 bytes are referred to as "taintedBytes" in the source code. Because the sniffer knows the plaintext of every header, it simply reverses the encryption algorithm, which yields a *shuffled* session key: the bytes are correct, but they are rotated by the (unknown) position of the key stream at the first tainted byte. In the last step the sniffer shuffles (rotates) the recovered key and tries to decrypt the whole session with each variant; the one that correctly decrypts the packets sent by the macro is the real session key :)
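The following Python script is an added example that walks through the whole procedure described above (locating the macro packets, inverting the header cipher on the 42 tainted bytes, and rotating the shuffled key until the session decrypts). It is not sniffitzt's code. It assumes the classic feedback-XOR header cipher `c[i] = (p[i] ^ key[i % 40]) + c[i-1] (mod 256)` as the algorithm being attacked, a client header of 2-byte big-endian size (opcode + body) followed by a 4-byte little-endian opcode with only the header encrypted, and a capture that starts where the cipher is initialised; `MACRO_OPCODE` and `MACRO_BODY` are placeholders for whatever the real macro sends, and the session stream is constructed inline.

```python
"""Known-plaintext recovery of a feedback-XOR header-cipher session key.

Added example, not sniffitzt's code. Assumptions:
  * header cipher (assumed): c[i] = (p[i] ^ key[i % 40]) + c[i-1]  mod 256
  * client header (assumed): 2-byte big-endian size (opcode+body), 4-byte LE opcode;
    only the header is encrypted, the body travels in clear
  * the capture starts where the cipher is initialised (i = 0, feedback byte 0)
  * MACRO_OPCODE / MACRO_BODY are placeholders for the real macro packet
"""
import random
import struct

KEY_LEN = 40            # session key length in bytes
HDR_LEN = 6             # client header: 2 size + 4 opcode
MACRO_OPCODE = 0x0095   # placeholder opcode of the packet the macro provokes
MACRO_BODY = b"\x00\x00\x00\x00\x07\x00\x00\x00sniffitzt\x00"  # constructed identifiable payload


class HeaderCrypt:
    """Assumed header cipher: XOR with the key byte, then add the previous ciphertext byte."""

    def __init__(self, key: bytes):
        self.key, self.i, self.j = key, 0, 0

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for b in data:
            x = ((b ^ self.key[self.i % KEY_LEN]) + self.j) & 0xFF
            self.i, self.j = self.i + 1, x
            out.append(x)
        return bytes(out)

    def decrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            out.append(((c - self.j) & 0xFF) ^ self.key[self.i % KEY_LEN])
            self.i, self.j = self.i + 1, c
        return bytes(out)


def header(opcode: int, body: bytes) -> bytes:
    """Plaintext client header for a packet with the given opcode and body."""
    return struct.pack(">H", len(body) + 4) + struct.pack("<I", opcode)


def build_session(key: bytes, rng: random.Random, macro_count: int = 7) -> bytes:
    """Constructed client->server stream: random traffic, the macro packets, more traffic."""
    crypt = HeaderCrypt(key)

    def pkt(opcode: int, body: bytes) -> bytes:
        return crypt.encrypt(header(opcode, body)) + body

    def noise() -> bytes:
        body = bytes(rng.getrandbits(8) for _ in range(rng.randint(0, 30)))
        return pkt(rng.randint(0x100, 0x3FF), body)

    stream = b"".join(noise() for _ in range(rng.randint(3, 8)))
    stream += b"".join(pkt(MACRO_OPCODE, MACRO_BODY) for _ in range(macro_count))
    stream += b"".join(noise() for _ in range(rng.randint(3, 8)))
    return stream


def find_tainted_headers(stream: bytes, needed: int = 7):
    """Offsets of `needed` back-to-back macro headers, located through their cleartext body."""
    offs, pos = [], stream.find(MACRO_BODY)
    while pos != -1:
        if pos >= HDR_LEN:
            offs.append(pos - HDR_LEN)
        pos = stream.find(MACRO_BODY, pos + 1)
    step = HDR_LEN + len(MACRO_BODY)          # distance between consecutive macro headers
    for k in range(len(offs) - needed + 1):
        run = offs[k:k + needed]
        if all(run[m + 1] - run[m] == step for m in range(needed - 1)):
            return run
    return None


def recover_shuffled_key(stream: bytes, offsets) -> bytes:
    """Known-plaintext step over the 42 'taintedBytes': key[n] = ((c[n] - c[n-1]) & 0xFF) ^ p[n].
    Byte 0 is skipped because its feedback byte is the last header byte of the previous packet,
    whose length is not known yet; bytes 1..41 still cover all 40 key positions."""
    tainted = b"".join(stream[o:o + HDR_LEN] for o in offsets)
    known = header(MACRO_OPCODE, MACRO_BODY) * len(offsets)
    shuffled = bytearray(KEY_LEN)
    for n in range(1, len(tainted)):
        shuffled[n % KEY_LEN] = ((tainted[n] - tainted[n - 1]) & 0xFF) ^ known[n]
    return bytes(shuffled)


def decrypts_cleanly(stream: bytes, key: bytes, offsets) -> bool:
    """Walk the whole stream with a candidate key; the macro headers must decrypt to the known
    plaintext and the size fields must lead exactly to the end of the capture."""
    crypt, pos, known = HeaderCrypt(key), 0, header(MACRO_OPCODE, MACRO_BODY)
    while pos < len(stream):
        if pos + HDR_LEN > len(stream):
            return False
        hdr = crypt.decrypt(stream[pos:pos + HDR_LEN])
        if pos in offsets and hdr != known:
            return False
        size = struct.unpack(">H", hdr[:2])[0]
        if size < 4:
            return False
        pos += HDR_LEN + size - 4
    return pos == len(stream)


def unshuffle(stream: bytes, shuffled: bytes, offsets):
    """Try all 40 rotations of the shuffled key; the one that decrypts the session is the real key."""
    for s in range(KEY_LEN):
        cand = bytes(shuffled[(m - s) % KEY_LEN] for m in range(KEY_LEN))
        if decrypts_cleanly(stream, cand, set(offsets)):
            return cand
    return None


def recover_session_key(stream: bytes):
    offs = find_tainted_headers(stream)
    if offs is None:
        return None
    return unshuffle(stream, recover_shuffled_key(stream, offs), offs)


if __name__ == "__main__":
    rng = random.Random(7)
    real_key = bytes(rng.getrandbits(8) for _ in range(KEY_LEN))
    capture = build_session(real_key, rng)
    print("recovered == real:", recover_session_key(capture) == real_key)
```

The first tainted byte is deliberately left out of the inversion: the feedback byte it needs belongs to the previous packet's header, which the sniffer has not parsed yet, and the remaining 41 bytes already hit every key index because 40 is not a multiple of 6. The rotation search then checks each candidate against the full capture rather than only the tainted headers, which is what the page means by "until the whole session can be decrypted".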
