Disable ASLR in World of Warcraft (patch) menu

  #1 ddebug

    Disable ASLR in World of Warcraft (patch)

    I coded an easy-to-use tool that disables (or enables) ASLR in World of Warcraft (or any PE file).

    Special thanks to caytchen for opening my eyes up to the "Dll Characteristics" field in the PE Header.

    Attached is an EXE that does the dirty work. I didn't feel it was necessary to release the source (as it was fairly trivial to code). All one needs to do is alter the flags set in the "IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE" in "IMAGE_OPTIONAL_HEADER":

    Before: (screenshot of the PE header, not preserved)

    After (ASLR disabled): (screenshot of the PE header, not preserved)
    If you guys really want the code, let me know.

    Anyway, you can download the file here:
    Multiupload.com

    A VirusTotal (lol) report can be viewed here:
    http://www.virustotal.com/file-scan/...17c-1288584557

    The benefits?
    • IDA doesn't have to waste time rebasing each time you debug the EXE
    • You don't have to do basic math (subtracting addresses from the current base address really SUCKS)


    Can you get banned for using this patch?
    Sure, Blizzard can ban you for doing anything. Will they? I highly doubt it. This alters the PE Header which they could (if they wanted to) check fairly easily. You can, additionally, globally disable ASLR in your operating system (without modifying the WoW file) by altering a registry key (though, this really isn't recommended). See this.

    How do I use it?
    Open a command prompt window. Run the NoASLR.exe with parameters like so:

    This enables ASLR:
        NoASLR.exe "Path_To_Your_Portable_Executable.exe" true

    This disables ASLR:
        NoASLR.exe "Path_To_Your_Portable_Executable.exe" false

    What if it corrupts my PE file?
    It won't. Just make sure it isn't running when you use this patch. However, this program DOES back up your old binary (for added comfort). If the path of your EXE was "C:\lol\pe.exe" then the backed-up file will be "C:\lol\pe.exe.bak".

    And, yes, you can use this on any PE file. It doesn't have to be WoW.

    Cheers.

    P.S. This will work on both 32 and 64-bit applications. Yay!
    Last edited by ddebug; 10-31-2010 at 11:35 PM.
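
    As an added illustration (ddebug never released the tool's source, so this is not that code), here is the same DllCharacteristics edit in Python: walk MZ header -> e_lfanew -> PE signature -> IMAGE_FILE_HEADER -> IMAGE_OPTIONAL_HEADER, read the DYNAMIC_BASE bit, toggle it, and keep a .bak copy as the post describes; the header-only PE it builds for itself is constructed test data, not a real binary. The same `aslr_enabled` check is what you would run when auditing whether the binaries on a host actually opt in to ASLR.

```python
import shutil
import struct
from pathlib import Path

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # the ASLR opt-in bit in DllCharacteristics
# Field offset inside IMAGE_OPTIONAL_HEADER; identical for PE32 and PE32+ (no BaseOfData, 8-byte ImageBase).
DLLCHARACTERISTICS_OFFSET = 70

def dllcharacteristics_file_offset(image: bytes) -> int:
    """MZ header -> e_lfanew -> 'PE\\0\\0' -> IMAGE_FILE_HEADER -> optional header field."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    optional_header = e_lfanew + 4 + 20  # 4-byte signature, 20-byte IMAGE_FILE_HEADER
    if struct.unpack_from("<H", image, optional_header)[0] not in (0x10B, 0x20B):
        raise ValueError("unexpected optional header magic")
    return optional_header + DLLCHARACTERISTICS_OFFSET

def aslr_enabled(image: bytes) -> bool:
    flags = struct.unpack_from("<H", image, dllcharacteristics_file_offset(image))[0]
    return bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)

def set_aslr(image: bytes, enabled: bool) -> bytes:
    # Returns a copy of the image with only the DYNAMIC_BASE bit changed; nothing else is touched.
    offset = dllcharacteristics_file_offset(image)
    flags = struct.unpack_from("<H", image, offset)[0]
    bit = IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
    flags = (flags | bit) if enabled else (flags & (0xFFFF ^ bit))
    patched = bytearray(image)
    struct.pack_into("<H", patched, offset, flags)
    return bytes(patched)

def patch_file(path: str, enabled: bool) -> None:
    """Like the tool in the post: keep <path>.bak, then rewrite the file in place."""
    src = Path(path)
    shutil.copy2(src, src.with_name(src.name + ".bak"))
    src.write_bytes(set_aslr(src.read_bytes(), enabled))

def build_test_pe(magic: int, dllcharacteristics: int) -> bytes:
    """Constructed header-only PE (no sections or code), just enough to exercise the parser."""
    dos = bytearray(b"MZ") + bytearray(0x3E)
    struct.pack_into("<I", dos, 0x3C, len(dos))  # e_lfanew: PE signature follows the DOS header
    is_pe32 = magic == 0x10B
    opt_size = 0xE0 if is_pe32 else 0xF0
    file_header = struct.pack("<HHIIIHH", 0x14C if is_pe32 else 0x8664, 0, 0, 0, 0, opt_size, 0x0102)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, magic)
    struct.pack_into("<H", optional, DLLCHARACTERISTICS_OFFSET, dllcharacteristics)
    return bytes(dos) + b"PE\0\0" + file_header + bytes(optional)
```

    Clearing the bit is all the loader needs to stop randomising the image base, but a PE32+ image also carries a high-entropy flag in the same field, so when auditing read the whole DllCharacteristics word rather than a single bit.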

  #2 Cypher
    FYI, such a tool already exists:
    setdllcharacteristics « Didier Stevens

    There are others, but that's the first one that comes to mind and it's from a reputable source.

    As to actually doing this, it's a bad idea to patch the copy of WoW you actually use. Sure, if you want to do this for the purposes of not having to rebase and do some basic math in IDA then go for it (though personally I think it's a little silly).

    However ASLR is there for a reason, and I would suggest that you don't patch the copy of WoW that you actually play the game with, as it is a security mechanism, and no good can come from disabling it.

  #3 ddebug
    Originally Posted by Cypher:
        FYI, such a tool already exists:
        setdllcharacteristics « Didier Stevens

        There are others, but that's the first one that comes to mind and it's from a reputable source.

    Guess I reinvented the wheel, haha. Oh well, at least now I know.
    I did a brief Google search to find a tool such as this, but, alas, I couldn't find anything (my Googling skills are fail).

    Thanks for the information, Cypher!

  #4 Cypher
    I didn't actually Google for it, so I'm not sure how hard it is to find via Google. I just happen to follow that guy's blog.

  #5 jjaa
    ASLR is there for a reason, but IDA takes sooooooooooooooooooooo long to rebase.

  #6 Cypher
    Originally Posted by jjaa:
        ASLR is there for a reason, but IDA takes sooooooooooooooooooooo long to rebase.

    It's not like you need to do it every time you load the file, lol.

  #7 jjaa
    Originally Posted by Cypher:
        It's not like you need to do it every time you load the file, lol.

    If you're debugging with IDA, you do.

  #8 Flowerew
    Originally Posted by Cypher:
        It's not like you need to do it every time you load the file, lol.

    It's not about rebasing WoW itself, it's about the rebasing IDA does every time you debug the process and it's actually in memory with its random base.

  #9 Cypher
    People debug with IDA? Eeww.

  #10 jjaa
    How can you not debug with IDA? :O It's awesomely scriptable and you have all your naming and disassembly. Not only that, but you have other debugger modules. And IIRC didn't you say you use the WinDbg module with IDA?

  #11 Flowerew
    Btw I disabled ASLR for my system completely; patching files is something I just don't like.

  #12 jjaa
    Originally Posted by Flowerew:
        Btw I disabled ASLR for my system completely; patching files is something I just don't like.

    ASLR is there for a reason. It's not like it's hard to patch a file and remove ASLR; disabling it for your whole system is just silly.

  #13 Flowerew
    Originally Posted by jjaa:
        ASLR is there for a reason. It's not like it's hard to patch a file and remove ASLR; disabling it for your whole system is just silly.

    Maybe if you have sensitive data on your development system... I don't. And this "there for a reason" is the same argument Cypher gave you two about your method; think about it.

    P.S.: And what he says below.
    Last edited by Flowerew; 11-01-2010 at 05:00 AM.

  #14 TOM_RUS
    WinXP FTW. No ASLR - no problems

  #15 Woweur
    Just use GetModuleHandle + address ...

All times are GMT -5. The time now is 10:10 PM. Powered by vBulletin® Version 4.2.3