Untitled

a guest
Aug 18th, 2017
Reverse Engineering

This section details some of the reverse engineering issues we face by choosing to support World of Warcraft 4.x (Cataclysm).

Issues with Recent Client Versions

Much of this section is speculation, though some of it Blizzard has already put into effect.
The primary challenges we face by targeting WoW 4.x are as follows:
• An entirely new opcode set with each build. This means a considerable amount of time and effort to update to each new client version.
• Streamed patches. This is not currently a problem, as Blizzard still allows direct downloads of patchers, but should they ever decide to truly use seamless streaming, we will have difficulty targeting a specific build, given the opcodes issue.
• Battle.net introduction. With Battle.net.dll being obfuscated, and Battle.net now being the primary authentication method of the game, we face quite a reversing challenge.
• Possible removal of Grunt. The old login system, Grunt, which has been used since early WoW 1.x, will quite possibly be removed at some point in 4.x. We have relied on this login system for a long time, and if it is removed, Battle.net is the only option left.

The Game

The game executable, Wow.exe itself, has undergone several changes in 4.x that will affect reverse engineering. Some are intentional.
• SSE optimizations are enabled in the build. IDA 5.5 with Hex-Rays 1.1 does not yet handle these.
• Opcodes are 'randomized' on each build. There is supposedly an algorithm behind this, which we ideally should figure out.
• Packet handler assignment is done inline, so following calls to registration functions is no longer always an option.
• Session redirection packets contain many garbage bytes and some XOR encoding.

Battle.net

Battle.net is an entirely separate issue by itself. Not only is the DLL obfuscated, but the protocol itself is very unusual compared to what we have seen from Blizzard so far:
• The protocol does not send a length field in its header. Data is streamed synchronously in blocks, so a parser has to know the full layout of every command it can receive in order to find the next packet boundary.
• The protocol header contains a channel ID that determines what command ID follows, and where the packet goes internally.
• The actual protocol is based on bit streams, not byte streams.
• Packets are serialized using a sort of virtual machine. No raw reads/writes happen (supposedly, anyway).
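As an added example (not from the original document or from any emulator project), the following C++ sketch shows why the three properties above matter to a parser: an MSB-first bit reader, a header consisting of a channel ID followed by a command ID whose meaning depends on the channel, and a dispatch table that is the only source of packet lengths because the wire carries none. The header widths (4-bit channel, 6-bit command), the two commands and their body layouts, and the sample bytes are all assumptions constructed for illustration, not the real Battle.net 2.0 format.

```cpp
#include <cstdint>
#include <cstdio>
#include <functional>
#include <map>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Assumed header layout (illustrative, not the real Battle.net 2.0 widths):
// a 4-bit channel ID, then a 6-bit command ID interpreted relative to that channel.
constexpr unsigned kChannelBits = 4;
constexpr unsigned kCommandBits = 6;
constexpr unsigned kHeaderBits = kChannelBits + kCommandBits;

// Reads arbitrary-width fields, most-significant bit first, across byte boundaries.
class BitReader {
public:
    explicit BitReader(std::vector<uint8_t> data) : data_(std::move(data)) {}

    // Read 1..32 bits. Throws when the stream runs dry, which is the failure a
    // length-less protocol forces onto the consumer instead of onto the framing layer.
    uint32_t ReadBits(unsigned bits) {
        if (bits == 0 || bits > 32) throw std::invalid_argument("bits must be 1..32");
        uint32_t value = 0;
        for (unsigned i = 0; i < bits; ++i) {
            if (pos_ >= data_.size() * 8) throw std::out_of_range("bit stream exhausted");
            unsigned bit = (data_[pos_ / 8] >> (7 - pos_ % 8)) & 1u;
            value = (value << 1) | bit;
            ++pos_;
        }
        return value;
    }
    bool ReadBit() { return ReadBits(1) != 0; }
    size_t BitsRemaining() const { return data_.size() * 8 - pos_; }

private:
    std::vector<uint8_t> data_;
    size_t pos_ = 0;
};

using Handler = std::function<std::string(BitReader&)>;
using Key = std::pair<uint32_t, uint32_t>;  // (channel, command)

// Each handler knows its own body layout. Nothing in the stream says how long a
// packet is, so this table is the only thing that lets us locate the next header.
const std::map<Key, Handler>& HandlerTable() {
    static const std::map<Key, Handler> table = {
        {Key{0, 3}, [](BitReader& r) {  // assumed "Hello": 1-bit flag, 5-bit version
            bool flag = r.ReadBit();
            uint32_t version = r.ReadBits(5);
            return "Hello v" + std::to_string(version) + " flag=" + std::to_string(flag ? 1 : 0);
        }},
        {Key{1, 5}, [](BitReader& r) {  // assumed "Ping": 8-bit token
            return "Ping token=" + std::to_string(r.ReadBits(8));
        }},
    };
    return table;
}

// Walks a buffer of back-to-back packets. Trailing bits shorter than one header are
// padding. An unknown (channel, command) pair is fatal: without a length field the
// packet cannot be skipped, and every later header would be read misaligned.
std::vector<std::string> Dispatch(const std::vector<uint8_t>& buf) {
    BitReader reader(buf);
    std::vector<std::string> out;
    while (reader.BitsRemaining() >= kHeaderBits) {
        uint32_t channel = reader.ReadBits(kChannelBits);
        uint32_t command = reader.ReadBits(kCommandBits);
        auto it = HandlerTable().find(Key{channel, command});
        if (it == HandlerTable().end())
            throw std::runtime_error("unknown channel/command " + std::to_string(channel) + "/" +
                                     std::to_string(command) + ": stream desynchronised");
        out.push_back(it->second(reader));
    }
    return out;
}

// Constructed sample stream (not captured traffic): two bit-packed packets.
//   ch=0 cmd=3 flag=1 ver=5 : 0000 000011 1 00101   -> 0x00 0xE5
//   ch=1 cmd=5 token=42     : 0001 000101 00101010  -> 0x11 0x4A 0x80 (6 padding bits)
std::vector<uint8_t> SampleStream() { return {0x00, 0xE5, 0x11, 0x4A, 0x80}; }

int main() {
    for (const auto& msg : Dispatch(SampleStream())) std::printf("%s\n", msg.c_str());
    return 0;
}
```

Note that the second packet starts two bits into byte 0x11's neighbour's worth of header bits rather than on a byte boundary, so a byte-oriented sniffer that searches for header patterns will not find it; and that an unrecognised (channel, command) pair aborts the whole stream rather than being skipped, which is the practical cost of the missing length field when reversing an incomplete command set.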
It is quite likely not a good idea to focus on Battle.net right now. Given that Battle.net 2.0 is an entire game platform and infrastructure, implementing it could very well take as long as implementing a WoW emulator would.
If we ever do focus on Battle.net, it should be emulated as a layer above the WoW layer, so as to allow, for example