Under the Hood: World of Warcraft – Logging In
Welcome to the first of many planned ‘Under the Hood’ articles. This article series will take you inside a program and explain how things work – and sometimes how to expand on them to add functionality to their existing code base.
This time, we’ll be looking at World of Warcraft version 2.4.3 (Which is far from the newest version, for obvious reasons). If you’re familiar with the game, you’re no doubt aware that it’s filled with playable elves, ogres, trolls, and even punt-able gnomes. What you may not know is what goes on behind the scenes during the process of logging on, selecting a realm to play on, creating a character, and finally logging on to that character to play the game.
The first thing you see when you start the game is the log-on screen, so we’ll first examine that. This is referred to as a “GLUE Screen” in the code and MPQ files (MoPaQ – a custom archive format used by Blizzard in their games). As you may have noticed when starting the game, the background on the log-on screen is animated – this is because it’s a 3D model. For enUS, the file itself is located in “World of Warcraft\Data\enUS\expansion-locale-enUS.MPQ” under “Interface\GLUES\MODELS\UI_MainMenu_BurningCrusade\UI_MainMenu_BurningCrusade.m2” as referenced in the below lua code as ‘mdx’ – both of which are valid as far as World of Warcraft is concerned.
|
1 2 3 4 |
if ( GetClientExpansionLevel() == 2 ) then this:SetModel("Interface\\GLUES\\MODELS\\UI_MainMenu_BurningCrusade\\UI_MainMenu_BurningCrusade.mdx"); this:SetCamera(0); end |
You’re probably fully aware that World of Warcraft utilizes lua, but what you may not know is the extent to which it utilizes it. All GUI interactions are handled by lua – including the login, take this code for example.
|
1 2 3 4 5 6 7 8 9 10 11 |
function AccountLogin_Login() PlaySound("gsLogin"); DefaultServerLogin(AccountLoginAccountEdit:GetText(), AccountLoginPasswordEdit:GetText()); AccountLoginPasswordEdit:SetText(""); if ( AccountLoginSaveAccountName:GetChecked() ) then SetSavedAccountName(AccountLoginAccountEdit:GetText()); else SetSavedAccountName(""); end end |
This code will execute when the ‘Login’ button is clicked. The important part of this code is the line with ‘DefaultServerLogin’ – this command is the code that will actually parse the login information and send it to the server. Before we continue I’d like to point out for those of you who are not familiar with implementing lua into a program, or have no programming experience at all – lua is basically just a set of callbacks, the underlying code for that is all in your main program. This means that while all GUI elements may be handled by lua, it all eventually goes back to Wow.exe.
I’ve taken the time to go through Wow.exe a little, and below is the assembly version of the DefaultServerLogin lua callback.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 |
.text:00471690 sub_471690 proc near ; DATA XREF: .data:00B938F4 .text:00471690 .text:00471690 arg_0 = dword ptr 8 .text:00471690 .text:00471690 push ebp .text:00471691 mov ebp, esp .text:00471693 push esi .text:00471694 mov esi, [ebp+arg_0] .text:00471697 push 1 .text:00471699 push esi .text:0047169A call sub_72DE70 .text:0047169F add esp, 8 .text:004716A2 test eax, eax .text:004716A4 jz short loc_4716DE .text:004716A6 push 2 .text:004716A8 push esi .text:004716A9 call sub_72DE70 .text:004716AE add esp, 8 .text:004716B1 test eax, eax .text:004716B3 jz short loc_4716DE .text:004716B5 push 0 .text:004716B7 push 2 .text:004716B9 push esi .text:004716BA call sub_72DFF0 .text:004716BF add esp, 0Ch .text:004716C2 push eax ; Dst .text:004716C3 push 0 .text:004716C5 push 1 .text:004716C7 push esi .text:004716C8 call sub_72DFF0 .text:004716CD add esp, 0Ch .text:004716D0 push eax ; int .text:004716D1 call sub_46E560 .text:004716D6 add esp, 8 .text:004716D9 xor eax, eax .text:004716DB pop esi .text:004716DC pop ebp .text:004716DD retn .text:004716DE ; --------------------------------------------------------------------------- .text:004716DE .text:004716DE loc_4716DE: ; CODE XREF: sub_471690+14 .text:004716DE ; sub_471690+23 .text:004716DE push offset aUsageDefaultse ; "Usage: DefaultServerLogin(\"accountName\""... .text:004716E3 push esi .text:004716E4 call sub_72F5C0 .text:004716E9 add esp, 8 .text:004716EC xor eax, eax .text:004716EE pop esi .text:004716EF pop ebp .text:004716F0 retn .text:004716F0 sub_471690 endp |
Below, I have roughly translated it into C.
|
1 2 3 4 5 6 7 8 |
int DefaultServerLogin_handler(int luaInstance) // possibly not the lua instance - educated guess { if( getArguments(luaInstance, 1) && getArguments(luaInstance, 2) ) AttemptLogin(getArguments(luaInstance, 1, 0), getArguments(luaInstance, 2, 0)); else PostError(luaInstance, "Usage: DefaultServerLogin(\"accountName\", \"password\")"); return 0; } |
The interesting thing to note about this code is that it only has one argument, not two like you may assume – but if you look further in the code you’ll see that the argument is being used in order to grab the account name and password (both to make sure they exist, and to grab their actual values), this argument could very well be ‘GUI’, or ‘form’. All the function ‘AttemptLogin’ does is make sure that the username and password both exist, and are not empty – it then will make all the letters of the username uppercase, and call ‘AttemptLogin2’. Now.. ‘AttemptLogin2’ is a little more complicated (and is also the core of the login, I’d say), so I enlisted the help of a de-compiler that put the resulting code in a C-like Pseudo-code.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 |
int __cdecl AttemptLogin2(char *user, char *pass) { int v2; // esi@3 int v3; // eax@7 int v5; // eax@20 char *v6; // [sp-10h] [bp-60h]@12 signed int maxLen; // [sp-Ch] [bp-5Ch]@12 char *format; // [sp-8h] [bp-58h]@12 char v9; // [sp-4h] [bp-54h]@11 char v10; // [sp+Ch] [bp-44h]@12 unsigned int v11; // [sp+4Ch] [bp-4h]@1 int v12; // [sp+50h] [bp+0h]@1 v11 = &v12 ^ dword_90F530; if ( byte_D43320 ) { if ( dword_D43324 ) { v2 = dword_D43324; sub_41DE30(); sub_644230(v2, "delete", -1, 0); dword_D43324 = 0; } byte_D43320 = 0; } if ( !dword_D43324 ) { if ( sub_6441F0(0x240u, ".\\ClientServices.cpp", 845, 0) ) { v3 = sub_46FAA0(); dword_D43324 = sub_41E400(v3); } else { dword_D43324 = 0; } } if ( *(decorateAccountName + 40) ) { switch ( locale ) { case 0: case 7: v9 = a1; if ( region == 3 ) { format = "%s#EU"; maxLen = 64; v6 = &v10; } else { format = "%s#US"; maxLen = 64; v6 = &v10; } goto LABEL_19; case 2: case 3: case 6: case 8: v9 = a1; format = "%s#EU"; goto LABEL_18; case 1: v9 = a1; format = "%s#KR"; maxLen = 64; v6 = &v10; goto LABEL_19; case 4: case 5: v9 = a1; format = "%s#CN"; maxLen = 64; v6 = &v10; goto LABEL_19; default: break; } } else { v9 = a1; format = "%s"; LABEL_18: maxLen = 64; v6 = &v10; LABEL_19: sub_644CA0(v6, maxLen, format, v9); } sub_41DB00(&v10, a2); v5 = sub_5B3D00(0); return sub_41DA30(v5); } |
The important part of this function begins at “if ( *(decorateAccountName + 40) )”, You can usually tell if a variable is a structure based on whether or not it’s dereferrenced after adding a value to it – this indicates that it’s accessing a sub-value of the structure, and since we do not know the structure format, we rely on how many bytes past the initial pointer it’s looking. One of the variables the client is able to set (or that the user can, if they launch the game with -console) is “decorateAccountName”, and while this seemingly does nothing to the user, it changes how the account name is presented in the actual protocol. Although it may seem backwards, when disabled it will append the users region to their account name – this region is highly based off the locale setting in your Config.wtf file which is located in “World of Warcraft\WTF\”.
After the client has finished preparing the login data to submit to the server, it’s finally able to send it – this is called the “Challenge”. To us, this would look like a ton of gobbledygook with our account name in it – The server however, parses each byte sent, analyzes the information, and if everything is successful will move on to the “Proofing” stage in which the login is finally validated. Below are the opcodes that you can receive during the login process.
- Success – You proceed to the realm selection screen.
- Unable to Connect – You receive a popup saying that you are Unable to connect.
- Account Closed – You receive a popup saying “This account has been closed and is no longer in service — Please check the registered email address of this account for further information.”
- No Account – Generally, you receive this when you entered the wrong account name or password.
- Account in use – World of Warcraft does not allow two people to play on the same account at once.
- Time limit – The server can disallow you to login for a period of time, this is what this opcode is for.
- Server full – We’ve all seen this horrible opcode far too often..
- Wrong Build Number – You receive a popup saying “Unable to validate game version. This may be caused by file corruption or the interference of another program.”
- Update Client – the server will initiate a patch download to update your client to the newest version.
- Account Frozen – for whatever reason (canceling your account, no money, etc), your account is not accessible right now.
If everything went well, you should now either proceed to the character selection screen, or the realm selection screen depending on whether or not you have a preferred realm set in your Config.wtf file.
I hope that was somewhat enlightening! I’m debating where to go next with this, it will either be the innards of the client itself, or how it communicates with the server as you chat, switch characters, die, etc. Where do you think I should take this?
Great hammer of Thor, that is powruelfly helpful!
Nice article!
I would say the innards of the client before “how it communicates” so we can understand what its trying to do 🙂