-
[Repost] SIG & MD5 Protection Remover
Due to some technical difficulties with the site, this thread was deleted. This is a repost of that thread since it is a useful tool: http://www.ownedcore.com/forums/worl...n-remover.html
All credit to VX2.
hi all again.
This patch removes the MD5 and signature (SIG) checks, which should allow you to launch WoW with any modified files. It also removes the renaming of the existing folders
\\Interface\GlueXML\
\\Interface\FrameXML\
\\Interface\AddOns\Blizzard_*\
which allows you to use modified files in these folders without packing.
I use it on version 3.2.2.10505 (for now), and I can only check that it works on other patches up to the "launch before login" stage. But theoretically it should all work.
------------------------------------------
-- 1.12.1
Code:
########################################################
# Powershell script to patch WoW.exe so it doesn't do
# signature checks. For WoW 1.12.1 (5875) only!
########################################################
# Read in the original WoW.exe
$wow = [System.IO.File]::ReadAllBytes("WoW.exe");
# Patch the executable
$wow[0x2f113a] = 0xeb;
$wow[0x2f113b] = 0x19;
$wow[0x2f1158] = 0x03;
$wow[0x2f11a7] = 0x03;
$wow[0x2f11f0] = 0xeb;
$wow[0x2f11f1] = 0xb2;
# Save the modified version
[System.IO.File]::WriteAllBytes("WoW-modified.exe", $wow);
Source: [Tutorial] Breaking News, An In-Depth Guide - Page 3
------------------------------------------
-- 3.X
3.2.2.10505 - wow_unsig(10505).zip (VirusTotal report)
3.3.0.10958 - wow_unsig(10958).zip (VirusTotal report)
3.3.0.11159 - wow_unsig(11159).zip (VirusTotal report)
3.3.2.11403 - wow_unsig(11403).zip (VirusTotal report)
3.3.3.11685 - wow_unsig(11685).zip (VirusTotal report)
3.3.3.11723 - wow_unsig(11723).zip (VirusTotal report)
3.3.5.12340 - wow_unsig(12340).zip (VirusTotal report)
------------------------------------------
-- 4.X
- from now on, renaming of the Blizzard addon folders is not disabled (I can't see a reason for it)
4.0.0.12911 - wow_unsig(12911).zip (VirusTotal report)
- removed the first online package check
4.0.3.13329 - wow_unsig(13329).zip (VirusTotal report)
- added a "second socket connection" fix
- all available fixes are separated and have a tooltip with a short description
- the above forced me to write my own "engine", so it is packed with FSG 2.0 (i.e. some not-so-smart AVs may not like it)
v1.01
- added: maximize patch number limitation
4.0.3.13329 - WoWPatcher1.01(13329).zip (VirusTotal report)
4.0.6.13596 - WoWPatcher(13596).zip (VirusTotal report)
4.0.6.13623 - WoWPatcher(13623).zip(FSG) (VirusTotal report)
Because AVs greatly aggro against FSG, the packer was changed.
It has absolutely no changes and identical functionality, just a different packer.
4.0.6.13623 - WoWPatcher(13623)pt.zip (VirusTotalReport)
------------------------------------------
I couldn't test the "Second socket connection" fix, so for now this fix is temporarily disabled. It will be added later. Anyway, if you get a "wow.exe" that already has this fix, the patcher will work with the modified version too.
4.1.0.13914 - WoWPatcher(13914)nossc.zip (VirusTotalReport)
4.1.0.14007 - WoWPatcher(14007)nossc.zip (VirusTotalReport)
4.2.0.14333 - WoWPatcher(14333)nossc.zip(VirusTotal report)
4.2.0.14480 - WoWPatcher(14480)nossc.zip (VirusTotal report)
4.2.2.14545 - WoWPatcher(14545)nossc.zip (VirusTotal report)
4.3.0.15050 - WoWPatcher(15050)nossc.zip (virscan.org report)
4.3.2.15211 - WoWPatcher(15211)nossc.zip (VirusTotal report)
4.3.3.15354 - WoWPatcher(15354)nossc.zip (VirusTotal report)
4.3.4.15595 - WoWPatcher(15595)nossc.zip (VirusTotal report)
If you get an error message about missing Comdlg32.ocx, read this:
for x86
for x64
You may also try to install any runtime package with this ocx, for example jameszero.net | RuntimePack
I don't track official updates, so if someone needs this patch after a following update, just remind me.
I strongly recommend that you do not use a modified client on official servers.
If you get an error message like:
Warning! Incorrect checksumm of signaturefile function or incorrect byte(s) at fix offset
try setting your Windows language to English. I can't tell you more, but this issue was resolved in posts 100, 101 and 103.
How to fix the protections manually:
OK. As I promised, I'm posting about how to find the protection functions and how to disable them.
First, I'm not a "cool hacker", and some steps may be unnecessary, or may seem ridiculous to someone. Feel free to correct me.
I'll explain it on revision 15595. For other revisions there may be minor differences.
Now, the tools I use:
- Olly Debugger 2.0 (for basic search)
- IDA Pro 5.5 (for advanced viewing and analyzing)
- WinHEX 12.2 (for fix offsets)
You may use other versions, but the GUI may differ a little.
- Make two additional copies of your "wow.exe": the first for IDA (may be in another folder), the second to test "hot fixes". The file for tests must be located in the "wow" folder, i.e. it must have a different name, for example "wow_h.exe".
- Now open your original "wow.exe" in Olly debugger. You'll see this:
- Open your "wow_h.exe" in WinHex. You'll see this:
If your offsets are not shown in hexadecimal, just click once on any offset in this column.
- Open your IDA copy of "wow.exe" in IDA; after a few minutes of analyzing, you'll see this:
Now for the fixes.
wow.mfil:
Basic fix. If you don't fix it, you can't continue.
- In Olly, right-click in the disassembled listing and in the context menu select "Search for/All referenced strings":
- You'll see a "Text strings referenced in Wow" window (if not, select it in the "Windows" menu). Hit "Ctrl+F" and type "wow.mfil", then click "OK". The first thing you'll see will be "Failed to open a required archive because WoW.mfil failed to download.". It's not what you need. Hit "Ctrl+L" (search next) until you find exactly the "WoW.mfil" string. Double-click on this string and you'll jump into the required subfunction. Click on the first command of this sub and you'll see who calls it ("Local call from 406DE9"):
- Alt-tab to your IDA and hit "G", then type the found offset (406DE9). It's the main "mfil" protection function. Scroll up to the beginning of it. You can see a big jump over the full function:
Click on the "jz" in "jz loc_406EFB" and remember its memory offset (406D54).
- Alt-tab to Olly, hit "Ctrl+G" and type this offset. All you need is to replace "JE" with "JMP". You may do it directly by double-clicking on "JE 00406EFB" and replacing it to make "JMP 00406EFB". But "JE" is a two-byte command, "0F84 A1010000", while "JMP" is a one-byte command, "E9". To keep the size, Olly adds a "NOP" command (do nothing) after your edit (E9A201000090 - jmp offset nop). To reduce the byte changes, you may manually replace "0F84" (JE) with "90E9" (NOP, JMP). Just hit "Ctrl+E", write "90E9" over "0F84", then click "OK":
You can see that you've made what you need by changing only two bytes (red). You may check both variants; to undo changes, just select the red string(s) and hit "Alt+BackSpace".
- Now you must fix it in your "exe". Alt-tab back to IDA. When you click on "jz" to see the memory offset (406D54), in the left field you can see the file offset for this command (6154). It's what you need for fixing.
Alt-tab to WinHex, hit "Alt+G" and type this offset. You'll jump to it:
Now replace "0F84" with "90E9" and click the save button.
Now your "mfil" protection is fixed. To test, just disable your internet connection and launch the fixed "wow.exe" ("wow_h.exe"). If all is OK, you'll see the login screen.
Patch number limitation:
Easiest fix. Just alt-tab to Olly, hit "Ctrl+Home" to go to the beginning, then hit "Ctrl+F" ("Search for/Command...") and type "cmp edi,3CEB", where "3CEB" is the revision number (15595) in hexadecimal; to convert, you may use the ordinary Windows calculator. Look at the bytes for the command: "81FF EB3C0000". "81FF" is the command "CMP EDI", but keep in mind that the 4 bytes after it are the byte-reversed hexadecimal minor revision ("EB 3C 00 00", not "00 00 3C EB"). Get the memory offset for this command, alt-tab to IDA and jump to this offset. Remember the file offset and alt-tab to WinHex. Just increase the minor revision value (the maximum is "00 00 00 10"), i.e. skip "81FF" and replace "EB 3C 00 00" with "00 00 00 10". Save changes.
For a test, you may make any mpq archive and launch the fixed wow. If all is OK, you'll see similarly named archives in the cache folders (both basic and local).
signaturefile:
- Alt-tab to Olly, go back to the "Text strings referenced in Wow" window, hit "Ctrl+Home" to go to the beginning, hit "Ctrl+F" and type "signaturefile". Jump to the found offset. Look who calls this sub ("Local call from 406A0F"). Open this offset in IDA.
You'll see a big function, but you need only exactly this call. Click on it and change the tab view from "IDA View-A" to "Hex View-A". You'll see this:
The highlighted bytes are the full call command. All you need is to remove it by replacing it with "nop"s. Look at the file offset, alt-tab to WinHex, jump to the file offset and replace "E8 9C D9 FF FF" with "90 90 90 90 90". Save changes.
That's all.
Last edited by stoneharry; 03-12-2019 at 02:01 PM.
Reason: Add 1.12.1 support
-
Post Thanks / Like - 6 Thanks
-
Contributor
6.0.3.19116
Version Release Date:
November 3 2014
Version Compiled Date: ~displayed at the bottom left of login screen~
October 29 2014
Version #
6.0.3.19116
For 32-bit:
Download
Patched:
Size: 13,386 KB
Both edits below must be applied!
Force 32-bit Client A:
at offset 0000 EC29 replace E8 15 94 0D 00 with
90 90 90 90 90
Force 32-bit Client B:
at offset 0000 EC30 replace 74 with
75
Both edits below must be applied!
Custom Data Edit A:
at offset 0001 1201 replace 01 with
00
Custom Data Edit B:
at offset 0001 120E replace 74 with
75
For 64-bit:
Patched:
Size: 20,762 KB
Both edits below must be applied!
Custom Data Edit A:
at offset 0001 9BAE replace 01 with
00
Custom Data Edit B:
at offset 0001 9BAF replace 84 with
85
Last edited by jh16; 07-01-2015 at 08:54 PM.
-
Private
Thanks for reposting this thread, stoneharry!
And thank you too, jh16, for all your releases and information.
I have tried lots of things, and in a few minutes I successfully removed the GlueXML security!
It's pretty much like the MoP system, a little bit more difficult than WotLK/Cata.
For WoW 6.0.3 19116 (32 bits)
LUA FIXES
Remove the ".old" folder rename system:
Offset :
0038 1F5A
Replace :
74
By :
75
GlueXML Security remove :
Offset :
001C 76E4
Replace :
E0 0C 68 3C D4
By :
E9 76 FE FF FF
There are 2 things to do:
Remove the ".old" rename system:
If you create a folder Interface/glueXML/*.lua in your WoW folder and you start WoW,
you can see GlueXML is renamed to GlueXML.old.
A very simple change, jz to jnz, is required.
The fix will remove this function.
Remove the GlueXML protection:
You have to do this after the old rename system; it's like MoP, a little bit harder than Cata/TLK
(look at this Modcraft thread: Modcraft - View topic - [TUTORIAL] Remove GlueXML-Check from WoW.exe)
Case 3 is just higher than the other cases, so you will need to use JMP LONG instead of JMP SHORT.
-
Contributor
6.0.3.19243
Version Release Date:
December 3 2014
Version Compiled Date: ~displayed at the bottom left of login screen~
November 26 2014
Version #
6.0.3.19243
For 32-bit:
Download
Patched:
Size: 13,387 KB
Both edits below must be applied!
Force 32-bit Client A:
at offset 0000 EB52 replace E8 A8 92 0D 00 with
90 90 90 90 90
Force 32-bit Client B:
at offset 0000 EB59 replace 74 with
75
Both edits below must be applied!
Custom Data Edit A:
at offset 0001 1082 replace 01 with
00
Custom Data Edit B:
at offset 0001 108F replace 74 with
75
For 64-bit:
Patched:
Size: 20,764 KB
Both edits below must be applied!
Custom Data Edit A:
at offset 0001 9BBE replace 01 with
00
Custom Data Edit B:
at offset 0001 9BC0 replace 84 with
85
Last edited by jh16; 07-01-2015 at 08:54 PM.
-
Member
thanks
where is the old thread?
-
Contributor
Originally Posted by
frozen4
thanks
where is the old thread?
It was deleted due to some technical issues. Same thing happened to the original tMorph and a few other threads.
-
Contributor
6.0.3.19342
Version Release Date:
December 18 2014
Version Compiled Date: ~displayed at the bottom left of login screen~
December 15 2014
Version #
6.0.3.19342
For 32-bit:
Download
Patched:
Size: 13,387 KB
Both edits below must be applied!
Force 32-bit Client A:
at offset 0000 ED31 replace E8 6D 97 0D 00 with
90 90 90 90 90
Force 32-bit Client B:
at offset 0000 ED38 replace 74 with
75
Both edits below must be applied!
Custom Data Edit A:
at offset 0001 1265 replace 01 with
00
Custom Data Edit B:
at offset 0001 1272 replace 74 with
75
For 64-bit:
Patched:
Size: 20,764 KB
Both edits below must be applied!
Custom Data Edit A:
at offset 0001 9B0E replace 01 with
00
Custom Data Edit B:
at offset 0001 9B10 replace 84 with
85
Last edited by jh16; 07-01-2015 at 08:54 PM.
-
Contributor
the 2.4.3.8606 patcher from VX is at: Download: wow_unsig(8606).zip | www.xup.in
It didn't seem to do anything for me, but it might help others out.
-
Contributor
6.1.0.19678
Version Release Date:
February 24 2015
Version Compiled Date: ~displayed at the bottom left of login screen~
February 23 2015
Version #
6.1.0.19678
For 32-bit:
Download
Patched:
Size: 13,387 KB
Both edits below must be applied!
Force 32-bit Client A:
at offset 0001 010F replace E8 13 AA 0D 00 with
90 90 90 90 90
Force 32-bit Client B:
at offset 0001 0116 replace 74 with
75
Both edits below must be applied!
Custom Data Edit A:
at offset 0001 23BB replace 01 with
00
Custom Data Edit B:
at offset 0001 23C8 replace 74 with
75
For 64-bit:
Patched:
Size: 21,440 KB
Both edits below must be applied!
Custom Data Edit A:
at offset 0001 BD9E replace 01 with
00
Custom Data Edit B:
at offset 0001 BDA0 replace 84 with
85
Last edited by jh16; 07-01-2015 at 08:55 PM.
-
Contributor
6.1.0.19702
Version Release Date:
February 27 2015
Version Compiled Date: ~displayed at the bottom left of login screen~
February 26 2015
Version #
6.1.0.19702
For 32-bit:
Download
Patched:
Size: 13,887 KB
Both edits below must be applied!
Force 32-bit Client A:
at offset 0001 00B7 replace E8 03 A8 0D 00 with
90 90 90 90 90
Force 32-bit Client B:
at offset 0001 00BE replace 74 with
75
Both edits below must be applied!
Custom Data Edit A:
at offset 0001 22E0 replace 01 with
00
Custom Data Edit B:
at offset 0001 22ED replace 74 with
75
For 64-bit:
Patched:
Size: 21,441 KB
Both edits below must be applied!
Custom Data Edit A:
at offset 0001 BE6E replace 01 with
00
Custom Data Edit B:
at offset 0001 BE70 replace 84 with
85
Last edited by jh16; 07-01-2015 at 08:55 PM.
-
Contributor
Version Release Date:
March 24 2015
Version Compiled Date: ~displayed at the bottom left of login screen~
March 21 2015
Version #
6.1.2.19802
For 32-bit:
Download
Patched:
Size: 13,901 KB
Both edits below must be applied!
Force 32-bit Client A:
at offset 0001 0183 replace E8 99 A4 0D 00 with
90 90 90 90 90
Force 32-bit Client B:
at offset 0001 018A replace 74 with
75
Both edits below must be applied!
Custom Data Edit A:
at offset 0001 23B3 replace 01 with
00
Custom Data Edit B:
at offset 0001 23C0 replace 74 with
75
For 64-bit:
Patched:
Size: 21,457 KB
Both edits below must be applied!
Custom Data Edit A:
at offset 0001 BFEE replace 01 with
00
Custom Data Edit B:
at offset 0001 BFF0 replace 84 with
85
Last edited by jh16; 07-01-2015 at 08:55 PM.
-
Contributor
6.1.2.19831
Version Release Date:
April 1 2015
Version Compiled Date: ~displayed at the bottom left of login screen~
March 31 2015
Version #
6.1.2.19831
For 32-bit:
Download
Patched:
Size: 13,904 KB
Both edits below must be applied!
Force 32-bit Client A:
at offset 0001 0183 replace E8 99 A4 0D 00 with
90 90 90 90 90
Force 32-bit Client B:
at offset 0001 018A replace 74 with
75
Both edits below must be applied!
Custom Data Edit A:
at offset 0001 23B3 replace 01 with
00
Custom Data Edit B:
at offset 0001 23C0 replace 74 with
75
For 64-bit:
Patched:
Size: 21,457 KB
Both edits below must be applied!
Custom Data Edit A:
at offset 0001 BFEE replace 01 with
00
Custom Data Edit B:
at offset 0001 BFF0 replace 84 with
85
Last edited by jh16; 07-01-2015 at 08:56 PM.
-
Member
Because the old post was deleted, I need to recover the edits for client 5.4.8 18414.
Thanks for any help
-
Contributor
6.1.2.19865
Version Release Date:
April 6 2015
Version Compiled Date: ~displayed at the bottom left of login screen~
April 3 2015
Version #
6.1.2.19865
For 32-bit:
Download
Patched:
Size: 13,903 KB
Both edits below must be applied!
Force 32-bit Client A:
at offset 0001 0183 replace E8 99 A4 0D 00 with
90 90 90 90 90
Force 32-bit Client B:
at offset 0001 018A replace 74 with
75
Both edits below must be applied!
Custom Data Edit A:
at offset 0001 23B3 replace 01 with
00
Custom Data Edit B:
at offset 0001 23C0 replace 74 with
75
For 64-bit:
Patched:
Size: 21,457 KB
Both edits below must be applied!
Custom Data Edit A:
at offset 0001 C0AE replace 01 with
00
Custom Data Edit B:
at offset 0001 C0B0 replace 84 with
85
Last edited by jh16; 07-01-2015 at 08:56 PM.
-
Member
Remove GlueXML protection :
You have to do this after the old rename system; it's like MoP, a little bit harder than Cata/TLK
(look at this Modcraft thread: Modcraft - View topic - [TUTORIAL] Remove GlueXML-Check from WoW.exe)
Case 3 is just higher than the other cases, so you will need to use JMP LONG instead of JMP SHORT.
I realized that Case 3 is a bit higher, and SHORT doesn't have the range to get to it.
My problem is that when I change it to LONG, it eats the full line (doesn't matter if I check NOPs or not). It deletes the line and adds 2-3 red lines.
I know it's because JMP LONG uses 5/6 bytes and SHORT uses 2, so it "overwrites" part of the structure.
Any idea? :S
Last edited by Soldan; 04-07-2015 at 07:40 AM.
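Worked x86 jump arithmetic, added here as an example and not taken from any post or tool in this thread. It covers the mfil step in the first post (why "0F84 rel32" can become "90E9 rel32" without recomputing the target, and why Olly instead emits "E9 rel32 90"), the little-endian "cmp edi, imm32" revision check from the same post, and the short-versus-long jump question in the 6.0.3 GlueXML posts above, including the byte spill Soldan describes. The addresses and byte strings are the ones quoted in the thread; the function names and the 2-byte "old site" length used to reproduce the spill are my assumptions.

```python
"""x86 relative-jump arithmetic behind the byte edits discussed in this thread.

Added example; not from any of the thread's authors or tools. A jump's
displacement is relative to the END of the jump instruction, which is why the
same rel32 can sit behind "0F 84" (je) or "90 E9" (nop; jmp) and land in the
same place.
"""
from typing import Optional, Tuple

OP_JMP_SHORT, OP_JE_SHORT, OP_JNE_SHORT = 0xEB, 0x74, 0x75  # 2-byte forms: opcode + rel8
OP_JMP_NEAR, OP_NOP = 0xE9, 0x90                            # E9 rel32 is 5 bytes
OP_JE_NEAR, OP_JNE_NEAR = b"\x0f\x84", b"\x0f\x85"          # 0F 8x rel32 is 6 bytes


def encode_short_jump(src: int, target: int, opcode: int = OP_JMP_SHORT) -> Optional[bytes]:
    """2-byte jump; None when the target is outside the rel8 range of -128..+127."""
    disp = target - (src + 2)
    if not -128 <= disp <= 127:
        return None
    return bytes([opcode]) + disp.to_bytes(1, "little", signed=True)


def encode_near_jmp(src: int, target: int) -> bytes:
    """5-byte jmp rel32 ("JMP LONG" in the posts above)."""
    return bytes([OP_JMP_NEAR]) + (target - (src + 5)).to_bytes(4, "little", signed=True)


def encode_near_je(src: int, target: int) -> bytes:
    """6-byte je rel32, e.g. the "0F84 A1010000" at 406D54 in the first post."""
    return OP_JE_NEAR + (target - (src + 6)).to_bytes(4, "little", signed=True)


def jump_target(src: int, insn: bytes) -> int:
    """Decode where a jump located at address/offset src lands."""
    if insn[0] in (OP_JMP_SHORT, OP_JE_SHORT, OP_JNE_SHORT):
        return src + 2 + int.from_bytes(insn[1:2], "little", signed=True)
    if insn[0] == OP_JMP_NEAR:
        return src + 5 + int.from_bytes(insn[1:5], "little", signed=True)
    if insn[0] == OP_NOP and insn[1] == OP_JMP_NEAR:   # nop; jmp rel32 (the "90E9" form)
        return src + 6 + int.from_bytes(insn[2:6], "little", signed=True)
    if insn[:2] in (OP_JE_NEAR, OP_JNE_NEAR):
        return src + 6 + int.from_bytes(insn[2:6], "little", signed=True)
    raise ValueError("not a supported jump encoding: %s" % insn.hex())


def je_to_nop_jmp(insn: bytes) -> bytes:
    """The two-byte edit from the first post: "0F 84" -> "90 E9", rel32 untouched."""
    if len(insn) != 6 or insn[:2] != OP_JE_NEAR:
        raise ValueError("expected a 6-byte je rel32")
    return bytes([OP_NOP, OP_JMP_NEAR]) + insn[2:]


def plan_jmp(src: int, target: int, old_len: int) -> Tuple[bytes, int]:
    """Pick the shortest unconditional jmp that reaches target, then reconcile it
    with the old_len bytes being replaced: pad with nop when shorter (what Olly
    did when it wrote "E9 A2010000 90" over a 6-byte je) and report how many bytes
    of the following instruction(s) are clobbered when longer (Soldan's red lines)."""
    enc = encode_short_jump(src, target) or encode_near_jmp(src, target)
    if len(enc) < old_len:
        enc += bytes([OP_NOP]) * (old_len - len(enc))
    return enc, max(0, len(enc) - old_len)


def decode_cmp_edi_imm32(insn: bytes) -> int:
    """"81 FF imm32" is cmp edi, imm32 with a little-endian immediate, so
    "81FF EB3C0000" compares against 0x3CEB = 15595, not 0xEB3C0000."""
    if len(insn) != 6 or insn[:2] != b"\x81\xff":
        raise ValueError("expected cmp edi, imm32")
    return int.from_bytes(insn[2:6], "little")


if __name__ == "__main__":
    # The mfil check from the first post: je at 406D54 -> loc_406EFB.
    je = encode_near_je(0x406D54, 0x406EFB)
    print(je.hex(), "->", je_to_nop_jmp(je).hex(),
          "lands at", hex(jump_target(0x406D54, je_to_nop_jmp(je))))
    # The 6.0.3.19116 GlueXML edit "E9 76 FE FF FF" at file offset 1C76E4 lands
    # 394 bytes back, far outside rel8 range, so no 2-byte form exists; written over
    # an assumed 2-byte short-jump site it clobbers the next 3 bytes.
    target = jump_target(0x1C76E4, bytes.fromhex("E976FEFFFF"))
    print(hex(target), encode_short_jump(0x1C76E4, target), plan_jmp(0x1C76E4, target, old_len=2))
    print(decode_cmp_edi_imm32(bytes.fromhex("81FFEB3C0000")))
```

The practical reading of the spill count: when a near jmp must replace a 2-byte short jump, the three bytes after it belong to whatever instruction followed, so that instruction has to be either relocated or shown to be unreachable once the jump is taken; a disassembler highlighting "2-3 red lines" is reporting exactly that overlap.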