Since the tool and methods are very old, I am aware that most of the currently active Private Servers are protected against altered packages.
Somehow I found a way to bypass some of the checks. I am messing around on Kronos Vanilla (1.12) in late 2019.
My first attempts to bug bags with items stacks:
I basically took out items from stacks in a bag, which I managed to freeze with WPE.
Mail dupe bug - Golden Secret WoW
I traded those stacks to another char and attempted to log out. After logging back in, those frozen stacks should reappear => dupe.
This method got several of my accounts auto-banned, as the server calculated the items in the background.
I checked on them on the twinstar.cz webpage and found "banned for: item dupe".
I was aware that the old method won't work today. But it helped me to get a basic understanding of the communication between my WoW client and the server.
I decided to try something out myself, and found a package Filter I can apply. I am able to make items disappear without any confirmation.
This sounds terrible at first, but means that there are checks the server doesn't make.
Can we exploit it for profit instead of loss?
Preparations:
open WoW.exe, log in
open WPE Pro(admin) & Permedit(grant privileges to WPE)
(I downloaded following: DepositFiles)
attach WPE to WoW.exe
-
open Extreme Injector v3
Extreme Injector v3.7 (2018 Updated)
target WoW.exe
load Whiff.dll, don't inject yet
GitHub - Zedron/Whiff: Whiff is an injection sniffer for WoW (World of Warcraft) written in C++
-
open characters inventory, bag 1
place a stack of items into the second slot
//preparations end
Action Log:
Now let's see what is happening there:
inject Whiff.dll
start logging in WPE
ingame: Shift+Click the item stack mentioned above
enter any number of items (I take 3) and put them into the slot right below the origin
stop logging
Ctrl+Q in your Whiff window to stop sniffing
Reading the log:
I used WoWParser to make the wowsniff.pkg readable.
GitHub - TrinityCore/WowPacketParser: World of Warcraft Packet Parser
I opened the parsed wowsniff and searched for "ClientToServer" packages, and quickly found my item split.
https://pastebin.com/PxuHwTPf
//
ClientToServer: CMSG_SPLIT_ITEM (0x010E) Length: 5 ConnIdx: 0 Time: 10/05/2019 17:03:39.188 Number: 40
Bag: -1
Slot: 24
Destination Bag: 255
Destination Slot: 28
Count: 3
//
Then I looked at my WPE packages and found this package quickly as well:
[screenshot: split_water.jpg]
WPE log:
90 68 AE A8 B1 DE FF 18 FF 1C 03
What we can point out:
FF: start bag
18: start slot
FF: destination bag
1C: destination slot
03: count
Another WPE log of the same log breaks the pattern of the first number chain:
85 A9 63 94 4A 1C --- FF 18 FF 1C 03
After this find I messed around with the numbers I was able to determine.
We CAN:
alter the item count. We will trade the specified number then until the stack doesn't contain enough.
alter the item origin slot. We will then split another item, if there is one which is splittable. Otherwise the game returns "There is no such item"
alter the Destination Slot. If the slot doesn't exist, the item will just disappear without confirmation by user.
Now this is something I find strange. It shows that Warden doesn't seem to care about item losses. Can we use this "void" somehow?
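From the server side, the three findings above (count, origin slot and destination slot are all client-controlled, and a non-existent destination makes the stack vanish with no error) come down to one missing validation step. The following is an added example, not code from the post or from any server core, of how a split-item handler can check every client-supplied field against server state before mutating anything, returning an error instead of discarding items, and keeping a per-item total that a reconciliation check can compare before and after each operation. The payload layout is the five bytes the post decoded (bag, slot, destination bag, destination slot, count). The inventory model, the backpack slot range 23..38 behind 0xFF, the item id 159 and the result codes are constructed assumptions for the example.

```cpp
// Added example: server-side validation of a CMSG_SPLIT_ITEM body
// (bag, slot, dstBag, dstSlot, count; one byte each, as sniffed in the post).
// Inventory model, slot numbering and result codes are constructed assumptions.
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <vector>

// Assumption: 0xFF denotes the backpack, whose 16 slots are numbered 23..38.
constexpr uint8_t kBackpackBag = 0xFF;
constexpr uint8_t kBackpackFirstSlot = 23;
constexpr size_t kBackpackSlotCount = 16;

struct SplitItemRequest { uint8_t srcBag, srcSlot, dstBag, dstSlot, count; };

enum class SplitResult {
    Ok,
    MalformedPacket,      // body is not exactly 5 bytes
    NoSuchItem,           // origin slot empty or outside the bag
    BadDestination,       // destination slot does not exist: reject, never discard
    DestinationOccupied,  // a proper handler would merge/swap; rejected here
    NotEnoughItems,       // count == 0 or count > stack size
};

struct Stack { uint32_t itemId; uint8_t count; };
using Backpack = std::array<std::optional<Stack>, kBackpackSlotCount>;  // constructed

// Parse the body exactly as seen on the wire, e.g. FF 18 FF 1C 03.
std::optional<SplitItemRequest> parseSplitItem(const std::vector<uint8_t>& body) {
    if (body.size() != 5) return std::nullopt;
    return SplitItemRequest{body[0], body[1], body[2], body[3], body[4]};
}

// Map (bag, slot) to an index into the backpack, if and only if the slot exists.
std::optional<size_t> backpackIndex(uint8_t bag, uint8_t slot) {
    if (bag != kBackpackBag) return std::nullopt;      // only the backpack is modeled
    if (slot < kBackpackFirstSlot) return std::nullopt;
    size_t idx = static_cast<size_t>(slot - kBackpackFirstSlot);
    if (idx >= kBackpackSlotCount) return std::nullopt;
    return idx;
}

// Validate first, mutate last: an invalid request leaves the bag untouched.
SplitResult applySplitItem(Backpack& bp, const std::vector<uint8_t>& body) {
    auto req = parseSplitItem(body);
    if (!req) return SplitResult::MalformedPacket;

    auto src = backpackIndex(req->srcBag, req->srcSlot);
    if (!src || !bp[*src]) return SplitResult::NoSuchItem;

    auto dst = backpackIndex(req->dstBag, req->dstSlot);
    if (!dst) return SplitResult::BadDestination;      // the post's "item disappears" case
    if (bp[*dst]) return SplitResult::DestinationOccupied;

    Stack& s = *bp[*src];
    if (req->count == 0 || req->count > s.count) return SplitResult::NotEnoughItems;

    // Every check passed: move `count` items so the total is conserved.
    bp[*dst] = Stack{s.itemId, req->count};
    if (req->count == s.count) bp[*src].reset();       // whole stack moved
    else s.count = static_cast<uint8_t>(s.count - req->count);
    return SplitResult::Ok;
}

// Reconciliation helper: total of one item id across the bag. Comparing this
// before and after each inventory operation catches both loss and duplication.
uint32_t totalOf(const Backpack& bp, uint32_t itemId) {
    uint32_t n = 0;
    for (const auto& s : bp) if (s && s->itemId == itemId) n += s->count;
    return n;
}

int main() {
    Backpack bp{};
    bp[1] = Stack{159, 5};                               // slot 24, constructed item id
    std::vector<uint8_t> sniffed = {0xFF, 0x18, 0xFF, 0x1C, 0x03};  // the post's packet
    std::vector<uint8_t> badDst = {0xFF, 0x18, 0xFF, 0x50, 0x01};  // slot 0x50 does not exist
    std::printf("split: %d, total: %u\n", static_cast<int>(applySplitItem(bp, sniffed)), totalOf(bp, 159));
    std::printf("bad destination: %d, total: %u\n", static_cast<int>(applySplitItem(bp, badDst)), totalOf(bp, 159));
    return 0;
}
```

The ordering matters: all lookups and bounds checks happen before the first write, so a rejected request cannot leave the inventory half-updated, and the `totalOf` count is the kind of invariant the post's auto-ban logic ("the server calculated the items in the background") is checking after the fact; validating up front makes that a second line of defence rather than the only one.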
I have also tried to get a detailed deobfuscated package from my WoW.exe using x64dbg and OverwatchDumpFix.
https://x64dbg.com/#start
But tbh, I could not figure out how to execute the OverwatchDumpFix in x64dbg.
https://github.com/changeofpace/Overwatch-Dump-Fix
I cannot get past this step:
1. Attach x64dbg to Overwatch.exe then execute the OverwatchDumpFix command.
Attaching - yes. But how do I load the file and the command inside x64dbg?
My hope is to be able to read the entire WPE package after getting a deobfuscated WoW pkg.