[Classic] WoW unpacker / deobfuscator

**doityourself** · 04-17-2022

ghidra can load the files unmodified.

**namreeb** · 04-30-2025

Version 0.4 has been posted. This improves TLS callback support, import reconstruction, and removes some errors when importing the binary into IDA or Ghidra.

Release with binaries: Release 0.4 . namreeb/dumpwow . GitHub

Repository: GitHub - namreeb/dumpwow: Unpacker for World of Warcraft

**ostapus** · 05-13-2025

Thanks for new release.. however, it fails for me (0.3 works just fine). running under oracle virtual box

0.4:
dumpwow.exe wow.exe
Failed to find TLS offsets

0.3:
dumpwow.exe wow.exe
Wow base address: 0x140000000
TLS callback directory: 0x143b6c750
First TLS callback: 0x140003e40
....

**namreeb** · 05-14-2025

Originally Posted by ostapus

Thanks for new release.. however, it fails for me (0.3 works just fine). running under oracle virtual box

0.4:
dumpwow.exe wow.exe
Failed to find TLS offsets

0.3:
dumpwow.exe wow.exe
Wow base address: 0x140000000
TLS callback directory: 0x143b6c750
First TLS callback: 0x140003e40
....

Yeah, I think some of the patterns I've added are not universal enough. Are you using Windows 10, or an older version of Windows 11? For what it's worth, I primarily have been discussing it here: Failed to find TLS offsets . Issue #17 . namreeb/dumpwow . GitHub

Edit: for what it's worth, when I can get it working, the quality of the dump that 0.4 produces is much better. It is more precise in import reconstruction, and greatly improved TLS callback preservation.
There are 5 TLS callbacks that actually run, and a few decoys that are never run. On load, there are three. But the first one inserts two more. The third one clobbers the first two. So at no one point are all five intact. Version 0.4 preserves them when they run, so the dump includes all five, intact.

**chaosrage** · 05-14-2025

also failing to find TLS offsets.

Windows 11 Home
10.0.22631 Build 22631

**trialbyfire** · 05-16-2025

How come the offsets are different on different Windows versions? Is this a Windows ABI instability thing or a WoW randomization thing?

**lidoof** · 05-18-2025

hello, guys i successfully dumped the binary of latest version of retail(may 2025), but when i load it on ghidra, it analyze for hours, and the UI freeze, is it normal ?

**dreadcraft** · 05-22-2025

Originally Posted by lidoof

hello, guys i successfully dumped the binary of latest version of retail(may 2025), but when i load it on ghidra, it analyze for hours, and the UI freeze, is it normal ?

Honestly man, there's a post in this thread from 2022 that says Ghidra can analyze the binary without unpacking it, but even with unpacking I have never been able to get Ghidra to finish auto-analysis. It's taken upwards of 4 days and eventually I cancelled it out of frustration.
But it's possible that there's some tweaking/configuration that needs to be done.

**lidoof** · 05-22-2025

ok, thanks, ill stay on IDA FREE then lol, but if u have some better option (that is free) feel free to tell me

**SailorMars** · 1 Week Ago

Does it work for version 11.1.7 Retail wow?

Shout-Out

User Tag List

Thread: [Classic] WoW unpacker / deobfuscator

Thread Tools

Search Thread

Similar Threads

[Spell Edit Request] Need Old (classic Wow) Blastwave

[WTT] Steam Account(and Classic wow acc) -> 1M Gametime and Gender change

[Request] Classic WoW Login screen.

Classic Wow Code And BC Code

OwnedCore Forums

casino

CoreCoins

My OwnedCore

About Us

Casino