================================================================================
WoWScout v1.1 - ReadMe
Author: tripleslash (https://github.com/tripleslash)
Issue Tracker: https://github.com/tripleslash/wowscout
Date: 08.01.2015
================================================================================
================================================================================
1. What is WoWScout?
--------------------------------------------------------------------------------
WoWScout is an advanced real-time packet inspection and modification utility.
You can use it for pentesting your WoW server applications by modifying outgoing
packets, sending your own packets or altering the behaviour of your WoW client
through modified incoming packets.
WoWScout comes with a simple command line interface. All commands that you type
into the WoWScout shell are mirrored in the in-built WoW console (the console is
available when you start WoW with the -console command line argument).
================================================================================
2. Which versions are supported?
--------------------------------------------------------------------------------
WoWScout currently supports 1.12.1, 2.4.3, 3.3.5 and 4.3.4.
================================================================================
3. How do I get started?
--------------------------------------------------------------------------------
To get started, all you have to do is start up your WoW client and double click
the loader executable. WoWScout will then attempt to attach to all open WoW
windows.
Alternatively you can add a shortcut to the loader executable and start a WoW
instance for your favourite server like this:
loader -g "D:\Games\WoW 1.12.1\WoW.exe" -c "set realmlist logon.example.com"
================================================================================
4. Command overview
--------------------------------------------------------------------------------
WoWScout extends the WoW console with a set of custom console commands.
Here is an overview of the commands (the symbol [...] means optional).
log [<incoming>/<outgoing>]
description:
Sets which types of packets should be logged. To filter for specific packets
you can use the blacklist/whitelist commands.
example:
> log outgoing
Outgoing packet logging enabled.
blacklist [<opcode/name <packet>>/<all>/<none>]
description:
Blacklists the specified packet. Whitelisted packets will pass the message
filter and appear on the console. Blacklisted packets won't show up on the
console.
example:
> blacklist all
Blacklisting all packets...
> blacklist 0xbb
Blacklisting packet MSG_MOVE_JUMP (0xBB)...
> blacklist name jump
Blacklisting packets containing "jump"...
whitelist [<opcode/name <packet>>/<all>/<none>]
description:
Whitelists the specified packet. Whitelisted packets will pass the message
filter and appear on the console. Blacklisted packets won't show up on the
console.
example:
> whitelist all
Whitelisting all packets...
> whitelist 0xbb
Whitelisting packet MSG_MOVE_JUMP (0xBB)...
> whitelist name jump
Whitelisting packets containing "jump"...
> whitelist name chat
[OUT] Packet: CMSG_MESSAGECHAT (0x95)
[1] PutUInt32: 1 (0x1)
[2] PutUInt32: 7 (0x7)
[3] PutString: Hello world!
01 00 00 00 07 00 00 00 48 65 6C 6C 6F 20 77 6F 72 6C 64 21 00
===================================
block [<opcode/name <packet>>/<all>/<none>]
description:
Prevents the packet from being sent. Instead, each time the packet would
have been sent, it is put into an internal packet queue. All the queued up
packets can be sent using the "send" command (without arguments).
example:
> block name jump
Blocking packets containing "jump"...
unblock [<opcode/name <packet>>/<all>/<none>]
description:
Removes the packet from the blocked packets list. Packets that were queued up
while they were blocked are not sent by this command; use "send" (without
arguments) to send the queued packets.
example:
> unblock name jump
Unblocking packets containing "jump"...
send [<<opcode> <byte...>>/<queue>/<count <times>> [<opcode> <byte...>]]
description:
Sends the specified packet or if no argument given, sends the contents of
the packet queue. The command "send queue <opcode> <byte...>" can be used
to place the given packet into the packet queue, instead of sending it.
example:
> makepkt 0x95
> put32 1
> put32 7
> puts Hi
> send
Sent 1 queued packets.
> send 0x95 01 00 00 00 07 00 00 00 48 69 00
Sending packet CMSG_MESSAGECHAT (0x95) to server...
> send queue 0x95 01 00 00 00 07 00 00 00 48 69 00
Enqueuing packet CMSG_MESSAGECHAT (0x95) to server...
> send
Sent 1 queued packets.
flush
description:
Clears the contents of the packet queue, without sending them.
example:
> flush
Clearing packet queue...
lookup [<opcode/name <packet>>]
description:
Looks up the name and opcode of the given packet.
example:
> lookup name chat
Search results for "chat"...
[1] CMSG_MESSAGECHAT (0x95)
[2] SMSG_MESSAGECHAT (0x96)
[3] SMSG_CHAT_WRONG_FACTION (0x219)
[4] CMSG_CHAT_IGNORED (0x225)
[5] SMSG_CHAT_NOT_IN_PARTY (0x299)
[6] SMSG_CHAT_PLAYER_NOT_FOUND (0x2A9)
[7] SMSG_CHAT_RESTRICTED (0x2FD)
[8] SMSG_CHAT_PLAYER_AMBIGUOUS (0x32D)
[9] CMSG_CHAT_FILTERED (0x331)
[10] SMSG_GM_MESSAGECHAT (0x3B3)
[11] SMSG_VOICE_CHAT_STATUS (0x3E3)
===================================
> lookup 0x95
Looking up opcode 0x95...
CMSG_MESSAGECHAT (0x95)
===================================
mod <opcode/name <packet>> <call index> <set>/<add>/<sub>/<mul>/<div>/<or>/
<and>/<xor>/<shl>/<shr> <variable> [<lifetime>]
description:
Adds a modification to the specified packet. The call index determines to
which Put-call the modification should be added. You can see the call
indices in the packet log. The variable field may be a value, a CVar or a
wildcard. The lifetime field specifies how many packets the modification is
applied to before it is automatically removed.
example:
Modifying the MESSAGECHAT packets to say IMACOOLGUY on the next chat.
> mod name chat 3 set IMACOOLGUY 1
Adding modification...
makepkt <opcode>
description:
Begins a new packet to which content can be added by using the put-commands.
example:
> makepkt 0x95
> put32 1
> put32 7
> puts Hi
> send
Sent 1 queued packets.
put8 <value>
description:
Puts an 8 bit integer value into the packet. See "makepkt" or "send" for
more information.
put16 <value>
description:
Puts a 16 bit integer value into the packet. See "makepkt" or "send" for
more information.
put32 <value>
description:
Puts a 32 bit integer value into the packet. See "makepkt" or "send" for
more information.
put64 <value>
description:
Puts a 64 bit integer value into the packet. See "makepkt" or "send" for
more information.
putf <value>
description:
Puts a float value into the packet. See "makepkt" or "send" for more
information.
puts <value>
description:
Puts a zero terminated string into the packet. See "makepkt" or "send" for
more information.
putg <value>
description:
Puts a packed GUID value into the packet. See "makepkt" or "send" for
more information.
putp <value>
description:
Puts a float position vector into the packet. The command putp is equal to
3 subsequent putf calls with the individual vector components.
See "makepkt" or "send" for more information.
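To show how the Put-calls in a logged packet (see the "whitelist name chat" output above) relate to the hex dump that follows them, and what a "mod <packet> <index> set <value>" override does to the bytes, here is an added Python example; it is not part of WoWScout, and it assumes that integer widths other than 32 bits are logged as PutUInt<bits> in the same style as PutUInt32.

```python
import re

# Constructed sample in the format WoWScout logs a whitelisted packet.
SAMPLE_LOG = """\
[OUT] Packet: CMSG_MESSAGECHAT (0x95)
[1] PutUInt32: 1 (0x1)
[2] PutUInt32: 7 (0x7)
[3] PutString: Hello world!
01 00 00 00 07 00 00 00 48 65 6C 6C 6F 20 77 6F 72 6C 64 21 00
"""

HEADER_RE = re.compile(r"^\[(IN|OUT)\] Packet: (\w+) \((0x[0-9A-Fa-f]+)\)$")
CALL_RE = re.compile(r"^\[(\d+)\] (Put\w+): (.*)$")

def encode_call(kind, value):
    """Serialize one Put-call: little-endian integers, NUL-terminated strings.
    The README only shows PutUInt32; other widths are assumed to use the same
    PutUInt<bits> naming (assumption, not confirmed by the README)."""
    m = re.fullmatch(r"PutUInt(8|16|32|64)", kind)
    if m:
        num = int(value.split()[0])  # the log prints "1 (0x1)"; decimal comes first
        return num.to_bytes(int(m.group(1)) // 8, "little")
    if kind == "PutString":
        return value.encode("utf-8") + b"\x00"
    raise ValueError(f"unsupported put-call {kind}")

def parse_packet_log(text):
    """Return (direction, name, opcode, calls, dump) for one logged packet."""
    lines = [l for l in text.splitlines() if l.strip() and not l.startswith("===")]
    h = HEADER_RE.match(lines[0])
    if not h:
        raise ValueError("missing packet header line")
    calls = []
    for line in lines[1:-1]:
        c = CALL_RE.match(line)
        if not c:
            raise ValueError(f"bad call line: {line}")
        calls.append((int(c.group(1)), c.group(2), c.group(3)))
    return h.group(1), h.group(2), int(h.group(3), 16), calls, bytes.fromhex(lines[-1])

def rebuild(calls, mods=None):
    """Re-serialize the calls; mods maps a call index to a replacement value,
    mirroring what "mod <packet> <index> set <value>" does before sending."""
    mods = mods or {}
    return b"".join(encode_call(kind, mods.get(idx, value)) for idx, kind, value in calls)

def dump_matches_calls(text):
    """True if the logged hex dump equals the bytes rebuilt from the Put-calls."""
    _, _, _, calls, dump = parse_packet_log(text)
    return rebuild(calls) == dump
```

Running dump_matches_calls over a block copied from the console tells you whether the bytes on the wire still correspond to the logged Put-calls, which is a quick way to notice a modification that is still active.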
echo <message>
description:
Prints a formatted string. The string can contain variables, CVars and
wildcard symbols.
example:
> echo My name is $playern and my position is $playerp
My name is Nureya and my position is {-8701.43,402.32,100.62}
setv/addv/subv/mulv/divv/modv/orv/andv/xorv/shlv/shrv <value>
description:
These commands can be used to set and modify CVar variables.
example:
> setv my_variable 50
> subv my_variable 13
> echo 50 - 13 = $my_variable
50 - 13 = 37
> setv my_position $playerp
> echo My position is $my_position
My position is {-8701.43,402.32,100.62}
> setv my_position {$playerx,$playery,$playerz}
> addv my_position {0,0,10}
> echo My position is $my_position
My position is {-8701.43,402.32,110.62}
================================================================================
5. In-built wildcard variables
--------------------------------------------------------------------------------
As can be seen from the command overview, several commands accept wildcard
variables. Here is a list of the inbuilt variables:
$unitg
description:
The GUID of the specified unit, identified by its UnitId
(http://wowwiki.wikia.com/wiki/UnitId).
example:
> makepkt 0x13d
> put64 $targetg
> send
Sent 1 queued packets.
$unitp
description:
The position of the specified unit, identified by its UnitId
(http://wowwiki.wikia.com/wiki/UnitId).
This is equivalent to writing {$unitx,$unity,$unitz}
example:
> echo My targets position is $targetp
My targets position is {-8753.58,400.98,101.06}
$unitx
description:
The x-position of the specified unit, identified by its UnitId
(http://wowwiki.wikia.com/wiki/UnitId).
example:
> echo My targets x-position is $targetx
My targets x-position is -8753.580078
$unity
description:
The y-position of the specified unit, identified by its UnitId
(http://wowwiki.wikia.com/wiki/UnitId).
example:
> echo My targets y-position is $targety
My targets y-position is 400.979004
$unitz
description:
The z-position of the specified unit, identified by its UnitId
(http://wowwiki.wikia.com/wiki/UnitId).
example:
> echo My targets z-position is $targetz
My targets z-position is 101.056000
$unitn
description:
The name of the specified unit, identified by its UnitId
(http://wowwiki.wikia.com/wiki/UnitId).
example:
> echo My targets name is $targetn
My targets name is Lieutenant Karter
$timestamp
description:
The current timestamp, used in WoW's movement packets.
The timestamp is retrieved by a call to OsGetAsyncTimeMs.
example:
> echo Current timestamp $timestamp
Current timestamp 1809813967