-
[Classic] WoW unpacker / deobfuscator
Currently only available in source code: GitHub - namreeb/dumpwow: Unpacker for World of Warcraft
The dumps are not perfect yet but will load in IDA.
I plan to post a binary release up there once I fix a few issues.
-
Member
Looking forward to your masterpiece
-
-
Member
This is a great project. I tried Python scripts in IDA. Very clear!
How do I compile the Hadesmem library?
-
Member
It's a great job, very useful, I thank you!
-
Binaries have been posted for version 0.2 which includes improved import reconstruction. Releases · namreeb/dumpwow · GitHub
-
Blizzard recently added a couple of new things to their import obfuscation code. Binaries have been posted for 0.3 which handles the new changes. Release Handle updated import obfuscation · namreeb/dumpwow · GitHub
Repository link: GitHub - namreeb/dumpwow: Unpacker for World of Warcraft
-
Contributor
ty as always for doing shit I can't do or am too lazy to do
-
Member
Originally Posted by
namreeb
Can you teach me how to use it?
-
It takes one argument: the path to the wow executable. It will dump in the same directory a file called <orig name>_dumped.exe.
-
Member
First, thank you for your reply.
1. I can't find any way to set the argument. Did I miss something?
2. I dumped wow in other ways, but I'm not sure it is right.
3. I use IDA to find objmgr, but what to do next?
Looking forward to your help again
-
There are many ways to specify the runtime argument for an application. The easiest way is from the command line. It does not require IDA or anything else. Just open a command prompt and do c:\dumpwow.exe c:\wow\wowclassic.exe and hit enter.
-
Member
It's a great job. In this way, I got what I wanted. ObjectMgrPtr = 0x26F2158 (classic)
In fact, I'm not familiar with IDA, so I've looked up a lot of your posts.
About this, I also find it useful: dumpwow/find_lua.py at master · namreeb/dumpwow · GitHub
But here's the result:
CGGameUI::Initialize: 0x140faa130
Traceback (most recent call last):
File "C:/Users/hero8/Desktop/find_lua.py", line 161, in <module>
main()
File "C:/Users/hero8/Desktop/find_lua.py", line 139, in main
framescript_register = find_framescript_register(game_init)
File "C:/Users/hero8/Desktop/find_lua.py", line 89, in find_framescript_register
2 if magic_string_found else 1)
RuntimeError: 1
I want to know why. Thank you very much!
-
The patterns I used to write that script no longer hold, and I haven't updated it. It's not working right now.
-
Member
For anyone trying to compile Hadesmem, here are some notes I have about doing that.
- When you clone the hadesmem repository, there are quite a few dependencies in the "deps" folder that don't properly clone since the link is stale.
- asmjit, chaiscript, imgui, pugixml, tclap, and udis86 were the ones that didn't clone for me.
- So you need to re-init those repositories. Using the most recent version except asmjit seems to work, though I haven't done thorough testing other than just building it and seeing if it works.
- For asmjit in particular, you need to use the "oldstable" branch AND you must also revert it to before the major refactoring overhaul which happened at commit SHA b7f6d1e369b4b87006851ded9017d3f864ee9d4b (Jan 2017, use something before this).
- This will line up exactly with the VS project build files for hadesmem and build w/o errors.
- Also, you need to link the libraries generated from hadesmem to the dumpwow solution.
Once you do that, you should be able to build Dumpwow, which will call the build processes for hadesmem. Then you get your unpacker.dll and dumpwow.exe.
Though when I run this for WoWClassic, I don't seem to get a graceful exit. I get
Code:
concolic failed RVA: 0x1f53978 thunk_ea: 0x7ff6145bad64
Import RVA: +0x1f53980 Thunk EA: 0x7ff6145bad6c Thunk RVA: +0x34a7ad6c
concolic failed RVA: 0x1f53980 thunk_ea: 0x7ff6145bad6c
Import RVA: +0x1f53988 Thunk EA: 0x200000000 Thunk RVA: +0x204c0000
Import RVA: +0x1f53990 Thunk EA: 0x40000000e Thunk RVA: +0x204c000e
Import RVA: +0x1f53998 Thunk EA: 0x1200000003 Thunk RVA: +0x204c0003
Import RVA: +0x1f539a0 Thunk EA: 0x900000008 Thunk RVA: +0x204c0008
Import RVA: +0x1f539a8 Thunk EA: 0x600000005 Thunk RVA: +0x204c0005
Import RVA: +0x1f539b0 Thunk EA: 0xf00000007 Thunk RVA: +0x204c0007
Import RVA: +0x1f539b8 Thunk EA: 0x10 Thunk RVA: +0x204c0010
Import RVA: +0x1f539c0 Thunk EA: 0x100000000 Thunk RVA: +0x204c0000
Import RVA: +0x1f539c8 Thunk EA: 0x400000002 Thunk RVA: +0x204c0002
Import RVA: +0x1f539d0 Thunk EA: 0x1000000008 Thunk RVA: +0x204c0008
Import RVA: +0x1f539d8 Thunk EA: 0x4000000020 Thunk RVA: +0x204c0020
Import RVA: +0x1f539e0 Thunk EA: 0x10000000080 Thunk RVA: +0x204c0080
Import RVA: +0x1f539e8 Thunk EA: 0xc0000000200 Thunk RVA: +0x204c0200
Import RVA: +0x1f539f0 Thunk EA: 0x1800000003000 Thunk RVA: +0x204c3000
Bad thunk ea RVA: 0x1f539f0 thunk_ea: 0x1800000003000
Import RVA: +0x1f539f8 Thunk EA: 0x2000000010000 Thunk RVA: +0x204d0000
Bad thunk ea RVA: 0x1f539f8 thunk_ea: 0x2000000010000
Import RVA: +0x1f53a00 Thunk EA: 0x1800000004000 Thunk RVA: +0x204c4000
Bad thunk ea RVA: 0x1f53a00 thunk_ea: 0x1800000004000
Import RVA: +0x1f53a08 Thunk EA: 0x4000000780000 Thunk RVA: +0x20c40000
Bad thunk ea RVA: 0x1f53a08 thunk_ea: 0x4000000780000
Import RVA: +0x1f53a10 Thunk EA: 0x800000000010 Thunk RVA: +0x204c0010
Exception: D:\vs_projects\hadesmem\include\memory\hadesmem/detail/query_region.hpp(25): Throw in function struct _MEMORY_BASIC_INFORMATION __cdecl hadesmem::detail::Query(const class hadesmem::Process &,const void *)
Dynamic exception type: struct boost::wrapexcept<class hadesmem::Error>
std::exception::what: Unknown exception
[struct hadesmem::TagErrorCodeWinLast * __ptr64] = 87
[struct hadesmem::TagErrorString * __ptr64] = VirtualQueryEx failed.
as the last few lines of input.
It does seem to generate a WowClassic_unpacked.exe and from what I can tell it looks like the unobfuscated binary in IDA.
Wondering if this is a quick fix error and if anybody has encountered it. Otherwise, I can luckily debug it and find it myself.
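A triage script for log output in the format posted above, as an added example that is not part of the original post or of dumpwow. It checks that the logged thunk RVAs are 32-bit wrapped offsets from one image base and lists the import slots whose thunk EA lies above user space, where VirtualQueryEx is documented to fail with ERROR_INVALID_PARAMETER (87). The function names and the `MAX_USER_ADDRESS` value are assumptions made here.

```python
import re

# Assumption: usual value of SYSTEM_INFO.lpMaximumApplicationAddress on
# 64-bit Windows; it is not taken from dumpwow or from the post.
MAX_USER_ADDRESS = 0x00007FFFFFFEFFFF
ERROR_INVALID_PARAMETER = 87  # Win32 code reported in the exception text

LINE_RE = re.compile(
    r"Import RVA: \+0x([0-9a-f]+) Thunk EA: 0x([0-9a-f]+) "
    r"Thunk RVA: \+0x([0-9a-f]+)", re.IGNORECASE)

# Excerpt of the log lines from the post, embedded so the script runs offline.
SAMPLE_LOG = """\
Import RVA: +0x1f53980 Thunk EA: 0x7ff6145bad6c Thunk RVA: +0x34a7ad6c
concolic failed RVA: 0x1f53980 thunk_ea: 0x7ff6145bad6c
Import RVA: +0x1f53988 Thunk EA: 0x200000000 Thunk RVA: +0x204c0000
Import RVA: +0x1f539b8 Thunk EA: 0x10 Thunk RVA: +0x204c0010
Import RVA: +0x1f539f0 Thunk EA: 0x1800000003000 Thunk RVA: +0x204c3000
Bad thunk ea RVA: 0x1f539f0 thunk_ea: 0x1800000003000
Import RVA: +0x1f53a08 Thunk EA: 0x4000000780000 Thunk RVA: +0x20c40000
Import RVA: +0x1f53a10 Thunk EA: 0x800000000010 Thunk RVA: +0x204c0010
"""

def parse_entries(log):
    """Return (import_rva, thunk_ea, thunk_rva) for every 'Import RVA' line."""
    return [tuple(int(g, 16) for g in m.groups())
            for m in LINE_RE.finditer(log)]

def base_low32_values(entries):
    """Low 32 bits of (EA - RVA); a single value means the RVAs are 32-bit
    wrapped offsets from one image base."""
    return {(ea - rva) & 0xFFFFFFFF for _, ea, rva in entries}

def unqueryable(entries):
    """Import RVAs whose thunk EA lies above user space, where VirtualQueryEx
    is documented to fail with ERROR_INVALID_PARAMETER."""
    return [imp for imp, ea, _ in entries if ea > MAX_USER_ADDRESS]

if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    print("image base low 32 bits:",
          [hex(b) for b in base_low32_values(entries)])
    for imp in unqueryable(entries):
        print(f"slot +{imp:#x}: thunk EA above user space, "
              f"expect Win32 error {ERROR_INVALID_PARAMETER}")
```

Slots flagged this way hold values that cannot be user-mode pointers, so a scan that reaches them has most likely run past the end of the import table into ordinary data.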