Packets/Login/Vanilla
It's worth noting that, for build (1.1.2.4125), the client automatically disconnects after a successful login challenge and proof exchange and sends a reconnect packet right away instead of asking for the realm list.
Opcodes and Errors
Name | Value | Description |
---|---|---|
Authentication | ||
LOGIN_CHALL | 0x00 | Intial information sent by client and then challenge by server. |
LOGIN_PROOF | 0x01 | Proof sent by client and then server. |
RECON_CHALL | 0x02 | Reconnect challenge sent by client and then server. |
RECON_PROOF | 0x03 | Reconnect proof sent by client and then server. |
SURVEY_RESULT | 0x04 | Used for hardware survey. |
Realmlist | ||
REALMLIST | 0x10 | Realmlist request sent by client and realmlist information sent by server. |
Patching | ||
XFER_INITIATE | 0x30 | Used for patching. |
XFER_DATA | 0x31 | Used for patching. |
XFER_ACCEPT | 0x32 | Used for patching. |
XFER_RESUME | 0x33 | Used for patching. |
XFER_CANCEL | 0x34 | Used for patching. |
Name | Value |
---|---|
LOGIN_OK | 0x00 |
LOGIN_FAILED | 0x01 |
LOGIN_FAILED2 | 0x02 |
LOGIN_BANNED | 0x03 |
LOGIN_UNKNOWN_ACCOUNT | 0x04 |
LOGIN_UNKNOWN_ACCOUNT3 | 0x05 |
LOGIN_ALREADYONLINE | 0x06 |
LOGIN_NOTIME | 0x07 |
LOGIN_DBBUSY | 0x08 |
LOGIN_BADVERSION | 0x09 |
LOGIN_DOWNLOAD_FILE | 0x0A |
LOGIN_FAILED3 | 0x0B |
LOGIN_SUSPENDED | 0x0C |
LOGIN_FAILED4 | 0x0D |
LOGIN_CONNECTED | 0x0E |
LOGIN_PARENTALCONTROL | 0x0F |
LOGIN_LOCKED_ENFORCED | 0x10 |
Challenge packets
Offset | Size / Endianness | Type | Name | Description |
---|---|---|---|---|
0x0 | 1 / - | uint8 | command | LOGIN_CHALL (0x0), AuthReconnectionChallenge_Client has RECON_CHALL (0x2). |
0x1 | 1 / - | uint8 | protocol_version | 3 for 1.12, unknown for 1.1. |
0x2 | 2 / Little | uint16 | size | length of package minus the size of the command, protocol_version and size fields (4 bytes). The size can be calculated as 30 (0x1E) + account_name_len, see that field for a maximum. |
0x4 | 4 / Little | uint8[4] | gamename | Always null terminated 'WoW\0' string. |
0x8 | 3 / - | uint8[3] | version | [0x01, 0x01, 0x02] for 1.1.2. [0x01, 0x0C, 0x01] for 1.12.1. |
0xB | 2 / Little | uint16 | build | 4125, aka Revision |
0xD | 4 / Big | uint8[4] | platform | eg '\0x86'. Has a leading zero for 'x86'. |
0x11 | 4 / Big | uint8[4] | os | eg '\0Win'. Has a leading zero for 'Win'. |
0x15 | 4 / Big | uint8[4] | locale | eg 'enUS' |
0x19 | 4 / Little | uint32 | worldregion_bias | Offset in minutes from UTC time, eg. 180 means 180 minutes |
0x1D | 4 / Big | uint32 | ip | client_ip |
0x21 | 1 / - | uint8 | account_name_lenth | Length of the account_name field in bytes. The client can only send 16 characters, but this can still be more than 16 bytes if non-ASCII characters are used. |
0x22 | account_name_len / Big | uint8[account_name_len] | account_name | UTF-8 encoded uppercase string of the username. Not all unicode characters are uppercased correctly. |
(1.1.2.4125)
Offset | Type | Name | Description |
---|---|---|---|
0x1 | uint8 | command | LOGIN_CHALL (0x0) |
0x2 | uint8 | protocol_version | Must be 0. |
0x3 | uint8 | result | |
0x4 | char[32] | B | SRP public server ephemeral |
0x24 | uint8 | g_len | SRP generator length |
0x25 | uint8 | g | SRP generator |
0x26 | uint8 | n_len | SRP modulus length |
0x27 | char[32] | n | SRP modulus |
0x47 | char[32] | srp_salt | SRP user's salt |
0x47 | char[16] | crc_salt | A salt to be used in AuthLogonProof_Client.crc_hash |
(1.12.1.5875)
The AuthLogonChallenge_Server packet has added the two_factor_authentication field and will hang waiting for it to be sent.
Offset | Size / Endianness | Type | Name | Description |
---|---|---|---|---|
Header | ||||
0x1 | 1 / - | uint8 | command | LOGIN_CHALL (0x0) |
0x2 | 1 / - | uint8 | protocol_version | Must be 0. |
0x3 | 1 / - | uint8 | result | The fields below are only included if this is LOGIN_OK (0x0). |
Body | ||||
0x4 | 32 / Little | uint8[32] | B | SRP public server ephemeral. All SRP operations are performed with little endian values. |
0x24 | 1 / - | uint8 | g_len | SRP generator length. Should always be 1 since the generator is never larger than 255. |
0x25 | g_len / - | uint8 | g | SRP generator. All SRP operations are performed with little endian values. |
(0x26) | 1 / - | uint8 | n_len | SRP modulus length. Client will not read more than 32. All SRP operations are performed with little endian values. |
(0x27) | n_len / Little | uint8[n_len] | n | SRP modulus. All SRP operations are performed with little endian values. |
(0x47) | 32 / Little | uint8[32] | srp_salt | SRP user's salt. All SRP operations are performed with little endian values. |
(0x47) | 16 / Little | uint8[16] | crc_salt | A salt to be used in AuthLogonProof_Client.crc_hash. Can be all zeros. |
(0x57) | 1 / - | bool (size 1 byte) | two_factor_authentication | 0 for disabled. The fields below are not included if this is 0. |
PIN | ||||
(0x58) | 4 / Little | uint32 | pin_grid_seed | Seed value for the PIN grid on the client. Only here if the two_factor_authentication field is true. |
(0x5c) | 16 / Little | uint8[16] | pin_salt | Salt value for the client. Only here if the two_factor_authentication field is true. |
The offsets in parentheses are not fixed since they depend on the lengths of previous fields, but these fields are most often the default values so the offsets are presented as semi-fixed.
Proof packets
(1.1.2.4125)
Offset | Type | Name | Description |
---|---|---|---|
0x0 | uint8 | command | 0x1 |
0x1 | uint8[32] | a | |
0x21 | uint8[20] | m1 | |
0x35 | uint8[20] | crc_hash | |
0x49 | uint8 | num_keys |
Offset | Type | Name | Description |
---|---|---|---|
0x0 | uint8 | command | 0x1 |
0x1 | uint8 | error | |
0x2 | uint8[20] | m2 | |
0x16 | uint32 | unk |
(1.12.1.5875)
Proof packets changed during Vanilla:
Offset | Type | Name | Description |
---|---|---|---|
0x0 | uint8 | command | LOGIN_PROOF (0x1) |
0x1 | uint8[32] | a | Client public key. |
0x21 | uint8[20] | m1 | Client proof. |
0x35 | uint8[20] | crc_hash | |
0x49 | uint8 | num_keys | Used for unknown telemetry. Can be expected to always be 0. |
0x4A | bool (size 1 byte) | two_factor_enabled | If false the packet ends here, if true the two fields below are included. Added in 1.12.x client branch. |
uint8[16] | pin_salt | Salt used for PIN. Only included if two_factor_enabled is true. | |
uint8[20] | pin_hash | Hash used for PIN. Only included if two_factor_enabled is true. |
Offset | Type | Name | Description |
---|---|---|---|
0x0 | uint8 | command | LOGIN_PROOF (0x1) |
0x1 | uint8 | error | |
0x2 | uint8[20] | m2 | Server proof. |
0x16 | uint32 | hardware_survey_id | ID of a hardware survey that the client should perform. Set to 0 to not use. |
Reconnection challenge packets
AuthReconnectionChallenge_Client has the same structure as AuthLogonChallenge_Client, except that the command is 0x2.
Offset | Type | Name | Description |
---|---|---|---|
0x0 | uint8 | command | 0x2 |
0x1 | uint8 | error | |
0x2 | char[16] | challenge_data | random data, used as a challenge |
0x12 | uint64 | unk1 | |
0x1A | uint64 | unk2 |
Reconnection proof packets
Offset | Type | Name | Description |
---|---|---|---|
0x0 | uint8 | command | 0x3 |
0x1 | char[16] | proof_data | |
0x11 | char[20] | client_proof | |
0x25 | char[20] | unk_hash | |
0x39 | uint8 | unk |
To check if the client proof is correct, the server must calculate SHA1(account_name | proof_data | challenge_data | session_key) and compare it to client_proof.
Offset | Type | Name | Description |
---|---|---|---|
0x0 | uint8 | command | 0x3 |
0x1 | uint8 | error |
Realm list packets
Offset | Type | Name | Description |
---|---|---|---|
0x0 | uint8 | cmd | REALMLIST |
0x1 | uint32 | unknown | null |
The server answers with a packet composed of a RealmHeader_Server, as many RealmInfo_Server as specified and a RealmFooter_Server.
Offset | Type | Name | Description |
---|---|---|---|
0x0 | uint8 | cmd | REALMLIST |
0x1 | uint16 | size | size of the rest of packet, without these 3 first bytes |
0x3 | uint32 | unknown | null |
0x7 | uint8 | num_realms | Number of RealmInfo_Server |
The size value can be computed with the part of the header taken into account plus the footer (5+2 bytes) and the size of every RealmInfo_Server which is variable.
Offset | Type | Name | Description |
---|---|---|---|
0x0 | uint32 | type | realm type? 0 is normal, 1 is PVP |
0x4 | uint8 | flags | see below |
0x5 | char[] | name | Zero terminated string; name of the Realm |
char[] | addr_port | Zero terminated string; address of the Realm ("ip:port") | |
float | population | Population value. 0 is low, 1 is medium, 2 is high. | |
uint8 | num_chars | The number of chars you have on that server | |
uint8 | time_zone | really? | |
uint8 | unknown |
Flags Meaning 0x01 Color the realm name in red (can't create char?) 0x02 Realm is offline
Offset | Type | Name | Description |
---|---|---|---|
0x0 | uint16 | unk |