Just for fun as it's surprisingly easy:
1. Set DLL flag in PE header
2. Change entrypoint to an address that holds the bytes "B8 01 00 00 00 C3" standing for "mov eax, 1; retn;" e.g. 0x632146
3. Function 0x10F582 fills a buffer with the dir path of the mainmodule and uses it to load all data from wow directory but unless our loader is also located in the wow directory the returned path is of no use for obvious reasons. I patched it like this:
Code:
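mov edi, [esp+4]            ; destination: the buffer passed in by the caller
mov esi, 0x0BADF00D         ; placeholder source pointer, replaced in step 6 with the real wow path
copybyte:
movsb                       ; copy one byte from [esi] to [edi], advance both
cmp byte ptr ds:[edi-1], 0  ; was the byte just written the terminating NUL?
jne copybyte                ; no: keep copying
ret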
4. At 0x10EE63 addresses are compared against the mainmodule's code section boundaries. Again wow isn't the mainmodule anymore so the address is compared against the wrong boundaries, but I simply bypassed the check in the most obvious way: 0x10EE8F -> nop & 0x10EE94 -> jmp
5. You're done: you can load wow now with LoadLibrary and start the game with CreateThread at the original entrypoint.
6. If you made the dir patch from 3. you should patch 0x10F587 with a pointer to a buffer holding the real wowpath before CreateThread. You need to alter the memory region with VirtualProtect to get write access.
Use CFF Explorer for PE header stuff. All addresses mentioned are 0-based and have to be rebased with the addr returned from LoadLibrary, obviously. This naive approach will probably get you banned, so don't try it with accounts you're not ready to give up.
Here is a package including a loader with source and a patched wow.dll but without the dir patch so you have to place the loader and the wow.dll beside your original Wow.exe.
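
As an added example (not part of the original post or its loader package), here is an integrity check for the two header changes from steps 1 and 2: it reads a 32-bit PE image and reports whether the DLL flag is set and whether the entry point lands on the `B8 01 00 00 00 C3` stub. The function names and the image built by `build_sample` are constructed for this example, and a match is a heuristic, not proof of tampering.

```python
import struct

IMAGE_FILE_DLL = 0x2000                     # COFF Characteristics bit (step 1)
STUB = bytes.fromhex("B8 01 00 00 00 C3")   # mov eax, 1; retn (step 2)

def rva_to_offset(sections, rva):
    """Map an RVA to a file offset using (vaddr, vsize, raw_ptr, raw_size) tuples."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return raw_ptr + (rva - vaddr)
    return None

def inspect_pe(data):
    """Return (dll_flag_set, entry_is_stub) for a PE image held in bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                         # optional header start
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i                     # 40-byte section headers
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    off = rva_to_offset(sections, entry_rva)
    entry_is_stub = off is not None and data[off:off + len(STUB)] == STUB
    return bool(chars & IMAGE_FILE_DLL), entry_is_stub

def build_sample(chars, code):
    """Constructed minimal PE32 image with one .text section (demo input only)."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, chars)
    struct.pack_into("<HBBIIII", hdr, 0x58, 0x10B, 0, 0, 0x200, 0, 0, 0x1000)
    struct.pack_into("<8sIIII", hdr, 0x138, b".text", 0x200, 0x1000, 0x200, 0x200)
    return bytes(hdr) + code.ljust(0x200, b"\xCC")

if __name__ == "__main__":
    print("patched :", inspect_pe(build_sample(0x2102, STUB)))
    print("original:", inspect_pe(build_sample(0x0102, bytes.fromhex("558BEC"))))
```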