Is my memory dump correct
  1. #1 SailorMars (Member, joined Oct 2015)

    Is my memory dump correct

    I followed this https://www.ownedcore.com/forums/wor...ow-memory.html (How to Dump Wow from Memory....) to dump the current retail 8.3.0 33941. I've got an exe file and had it analyzed by IDA Pro. But it contains some weird content, e.g.

    Code:
    .text:0000000000004400                                         ; channel 2 base address and word count
    .text:0000000000004402                 imul    ebx, [rbp-13h], 45h
    .text:0000000000004406                 and     r9b, r9b
    .text:0000000000004409                 mov     ebx, 0B795CD5Eh
    .text:000000000000440E                 out     35h, eax
    .text:0000000000004410                 adc     [rdi+6E6B9A01h], edx
    .text:0000000000004416                 or      al, 7Ah
    .text:0000000000004418                 sub     [rcx+20h], eax
    .text:000000000000441B                 std
    .text:000000000000441C                 jg      short near ptr byte_447B
    .text:000000000000441E                 stc
    .text:000000000000441F                 call    near ptr 1128FE29h
    .text:000000000000441F ; ---------------------------------------------------------------------------
    .text:0000000000004424                 dd 0C817B5C6h
    .text:0000000000004428                 dq 0B11EB04029457A34h, 0BCA2495500A4164Fh, 0C8C663E8B9E115BBh
    .text:0000000000004428                 dq 7A00709D0AB7D133h, 0EE0D7AA2F46D1A1Ah, 901BDDFC65F3975Eh
    .text:0000000000004428                 dq 88703B05F57B830Ah, 62264CCDA3CA4673h, 0EBA7B8FA468A42B4h
    .text:0000000000004428                 dq 719F0DFE4F0AED74h
    .text:0000000000004478                 db 6Dh, 0A5h, 36h
    .text:000000000000447B byte_447B       db 0FEh, 38h, 0A3h, 13h, 18h
    .text:000000000000447B                                         ; CODE XREF: sub_3920+AFCj
    .text:0000000000004480                 dq 0B363209D0888A0ECh, 65C13F4C6B9FB021h, 5A750AC98BFC9037h
    .text:0000000000004480                 dq 0E6268D0923488563h, 0A413DF8A5427B83Dh, 396212DFD914448Ah
    .text:0000000000004480                 dq 0E54EC45A79C5292Ch, 0B14363F41AED831Eh, 1B638F57B06212E8h
    .text:0000000000004480                 dq 0F459EC5D9966A1B8h, 0D70AC69B9B08AC9Ah, 583B22C670359A03h
    .text:0000000000004480                 dq 59E589D12789E291h, 8CC3AE96AE5D0EEAh, 0E54CD97993F16971h
    .text:0000000000004480                 dq 0B102ECBDA7B65F0Eh, 0B68F74F49D4FB11Eh, 5D6D88D01AE4DDF6h
    .text:0000000000004480                 dq 2A2C96069345816Bh, 0BF2AB947FCCBC072h, 12BE84626303AE5Ch
    .text:0000000000004480                 dq 0CEB318AF497CDB59h, 0E1F8206358547713h, 0C08B50C948F72E74h
    .text:0000000000004480                 dq 0D8C177B1D050304h
    .text:0000000000004548                 db 0B2h, 0EDh, 48h, 0D5h
    .text:000000000000454C ; -------------------------------------------------------------------------
    The "call near ptr 1128FE29h" is not calling a valid address (1128FE29h is not a valid address). And, what are the random bytes beginning at 4424h (rebased to 0)? Are these part of their obfuscation or is it my mistake when dumping the binary?

    I tried to dump the memory content of wowbase+4424h from a running client and found that it is not 0C817B5C6. Is it some encrypted opcode?


  2. #2 Jadd (joined May 2008)
    There are a lot of conditional (but not really conditional) jumps to invalid code. It's part of the obfuscation. See Opaque predicate - Wikipedia

  3. #3 IlikePP (Member, joined Oct 2020)
    Originally Posted by SailorMars (post #1 above, quoted in full)
    Did you figure anything out in the end? I am in the same boat at the moment.

  4. #4 namreeb (Elite User, joined Sep 2008)
    Originally Posted by IlikePP
    Did you figure anything out in the end? I am in the same boat at the moment.
    The answer is in the second post. But to restate it, you should expect to see things like this in the dump. It is part of their obfuscation. Specifically, opaque predicates.

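The effect Jadd and namreeb describe, shown as an added example that is not code from this thread or from the game client: a constructed 14-byte x86-64 snippet in which xor eax,eax forces ZF=1, so the jz that follows is always taken, and the never-executed fall-through holds five bytes of filler. A toy decoder that knows only the encodings the sample uses (an assumption; it is a teaching toy, not a disassembler) shows a linear sweep decoding the filler as a bogus call rel32 that swallows the first byte of the real add rax and leaves db bytes behind, the same shape as the listing in post #1, while a recursive descent that remembers what xor did to ZF decodes only the reachable code and reports the filler as dead bytes.

```python
"""Toy decoder showing why an opaque predicate wrecks a linear-sweep listing.

Added example. SAMPLE is a constructed byte string, not bytes from the game
client, and decode() knows only the handful of x86-64 encodings SAMPLE uses
(an assumption: it is a teaching toy, not a disassembler)."""

# 00: 31 C0          xor eax, eax   ; ZF := 1, unconditionally
# 02: 74 05          jz  0x09       ; looks conditional, but ZF is always 1: opaque
# 04: F9             stc            ; filler, never executed
# 05: E8 29 FE 28    filler         ; first 4 bytes of what looks like a call rel32
# 09: 48 83 C0 2A    add rax, 0x2A  ; real code, the jz target
# 0D: C3             ret
SAMPLE = bytes.fromhex("31C0" "7405" "F9" "E829FE28" "4883C02A" "C3")

JCC = {0x74: "jz", 0x75: "jnz", 0x7F: "jg"}   # rel8 conditional jumps we decode


def decode(buf, ip):
    """Decode one instruction at ip -> (length, text, kind, branch_target)."""
    b = buf[ip:]
    if b[:2] == b"\x31\xC0":
        return 2, "xor eax, eax", "xor_zf", None          # sets ZF=1, always
    if b[:3] == b"\x48\x83\xC0" and len(b) >= 4:
        return 4, f"add rax, {b[3]:#x}", "flow", None
    if b[:1] == b"\xF9":
        return 1, "stc", "flow", None
    if b and b[0] in JCC and len(b) >= 2:
        tgt = ip + 2 + int.from_bytes(b[1:2], "little", signed=True)
        return 2, f"{JCC[b[0]]} {tgt:#06x}", "jcc", tgt
    if b[:1] == b"\xE8" and len(b) >= 5:
        tgt = (ip + 5 + int.from_bytes(b[1:5], "little", signed=True)) & 0xFFFFFFFF
        return 5, f"call {tgt:#010x}", "call", tgt
    if b[:1] == b"\xC3":
        return 1, "ret", "ret", None
    return 1, f"db {b[0]:#04x}", "db", None               # undecodable: show as data


def linear_sweep(buf):
    """Decode every byte in order, which is what a listing looks like once the
    disassembler has fallen into a region and keeps going."""
    out, ip = [], 0
    while ip < len(buf):
        n, text, _, _ = decode(buf, ip)
        out.append((ip, text))
        ip += n
    return out


def recursive_descent(buf, entry=0, fold_opaque=True):
    """Follow control flow from entry. With fold_opaque, remember that
    xor eax,eax leaves ZF=1 and decode only the branch edge that can execute."""
    listing = {}                  # ip -> text
    work = [(entry, None)]        # (ip, known ZF value or None)
    while work:
        ip, zf = work.pop()
        while 0 <= ip < len(buf) and ip not in listing:
            n, text, kind, tgt = decode(buf, ip)
            listing[ip] = text
            nxt = ip + n
            if kind == "xor_zf":
                zf = 1
            elif kind == "flow":
                zf = None         # add/stc/... may rewrite flags: forget what we knew
            elif kind == "jcc":
                mnem = text.split()[0]
                taken = None      # unknown unless the predicate is provably constant
                if fold_opaque and zf is not None and mnem in ("jz", "jnz"):
                    taken = (zf == 1) == (mnem == "jz")
                if taken is None:
                    work.append((tgt, zf))   # explore both edges (jg, or no flag info)
                elif taken:
                    nxt = tgt                # opaque: never falls through
            elif kind in ("ret", "db"):
                break             # end of this path (db: undecodable bytes stop it)
            # "call": in SAMPLE the target is outside buf, so just continue after it
            ip = nxt
    return sorted(listing.items())


def uncovered(buf, listing):
    """Offsets no decoded instruction touches: the dead filler a clean listing skips."""
    covered = {ip + k for ip, _ in listing for k in range(decode(buf, ip)[0])}
    return [i for i in range(len(buf)) if i not in covered]


if __name__ == "__main__":
    for name, rows in (("linear sweep", linear_sweep(SAMPLE)),
                       ("recursive descent, both edges", recursive_descent(SAMPLE, fold_opaque=False)),
                       ("recursive descent, opaque jz folded", recursive_descent(SAMPLE))):
        print(f"--- {name}")
        for ip, text in rows:
            print(f"{ip:04x}  {text}")
    print("dead filler bytes:", uncovered(SAMPLE, recursive_descent(SAMPLE)))
```

The toy tracks a single flag fact; a real obfuscator does not use anything as blatant as xor/jz, and deciding each predicate takes a symbolic or constraint check rather than a lookup. The point it makes still holds: the edge the linear listing has to decode to stay contiguous is the one that never executes, so those bytes need not decode to anything sensible, which is consistent with the replies' explanation that the call to 1128FE29h and the dq blocks after it are obfuscation rather than a dump error. Note also that without folding, recursive descent produces overlapping decodes (the bogus call at 0x05 and the real add at 0x09 share a byte), which is another tell-tale of filler in a listing.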
  5. #5 IlikePP (Member, joined Oct 2020)
    I did realise that after actually reading up on it... I asked the question before doing the research :/ ... Thanks though
