Is my memory dump correct

  1. #1
    SailorMars (Member)

    Is my memory dump correct

    I followed this https://www.ownedcore.com/forums/wor...ow-memory.html (How to Dump Wow from Memory....) to dump the current retail 8.3.0 33941. I've got an exe file and have it analyzed by IDA Pro. But it contains some weird content, e.g.

    Code:
    .text:0000000000004400                                         ; channel 2 base address and word count
    .text:0000000000004402                 imul    ebx, [rbp-13h], 45h
    .text:0000000000004406                 and     r9b, r9b
    .text:0000000000004409                 mov     ebx, 0B795CD5Eh
    .text:000000000000440E                 out     35h, eax
    .text:0000000000004410                 adc     [rdi+6E6B9A01h], edx
    .text:0000000000004416                 or      al, 7Ah
    .text:0000000000004418                 sub     [rcx+20h], eax
    .text:000000000000441B                 std
    .text:000000000000441C                 jg      short near ptr byte_447B
    .text:000000000000441E                 stc
    .text:000000000000441F                 call    near ptr 1128FE29h
    .text:000000000000441F ; ---------------------------------------------------------------------------
    .text:0000000000004424                 dd 0C817B5C6h
    .text:0000000000004428                 dq 0B11EB04029457A34h, 0BCA2495500A4164Fh, 0C8C663E8B9E115BBh
    .text:0000000000004428                 dq 7A00709D0AB7D133h, 0EE0D7AA2F46D1A1Ah, 901BDDFC65F3975Eh
    .text:0000000000004428                 dq 88703B05F57B830Ah, 62264CCDA3CA4673h, 0EBA7B8FA468A42B4h
    .text:0000000000004428                 dq 719F0DFE4F0AED74h
    .text:0000000000004478                 db 6Dh, 0A5h, 36h
    .text:000000000000447B byte_447B       db 0FEh, 38h, 0A3h, 13h, 18h
    .text:000000000000447B                                         ; CODE XREF: sub_3920+AFCj
    .text:0000000000004480                 dq 0B363209D0888A0ECh, 65C13F4C6B9FB021h, 5A750AC98BFC9037h
    .text:0000000000004480                 dq 0E6268D0923488563h, 0A413DF8A5427B83Dh, 396212DFD914448Ah
    .text:0000000000004480                 dq 0E54EC45A79C5292Ch, 0B14363F41AED831Eh, 1B638F57B06212E8h
    .text:0000000000004480                 dq 0F459EC5D9966A1B8h, 0D70AC69B9B08AC9Ah, 583B22C670359A03h
    .text:0000000000004480                 dq 59E589D12789E291h, 8CC3AE96AE5D0EEAh, 0E54CD97993F16971h
    .text:0000000000004480                 dq 0B102ECBDA7B65F0Eh, 0B68F74F49D4FB11Eh, 5D6D88D01AE4DDF6h
    .text:0000000000004480                 dq 2A2C96069345816Bh, 0BF2AB947FCCBC072h, 12BE84626303AE5Ch
    .text:0000000000004480                 dq 0CEB318AF497CDB59h, 0E1F8206358547713h, 0C08B50C948F72E74h
    .text:0000000000004480                 dq 0D8C177B1D050304h
    .text:0000000000004548                 db 0B2h, 0EDh, 48h, 0D5h
    .text:000000000000454C ; -------------------------------------------------------------------------
    The "call near ptr 1128FE29h" is not calling a valid address (1128FE29h is not a valid address). And, what are the random bytes beginning at 4424h (rebased to 0)? Are these part of their obfuscation or is it my mistake when dumping the binary?

    I tried to dump the memory content of wowbase+4424h from a running client and found that it is not 0C817B5C6. Is it some encrypted opcode?

  2. #2
    Jadd (Premium Seller)
    There are a lot of conditional (but not really conditional) jumps to invalid code. It's part of the obfuscation. See Opaque predicate - Wikipedia

  3. #3
    IlikePP (Member)
    Originally Posted by SailorMars
    I followed this https://www.ownedcore.com/forums/wor...ow-memory.html (How to Dump Wow from Memory....) to dump the current retail 8.3.0 33941. I've got an exe file and have it analyzed by IDA Pro. But it contains some weird content, e.g.
    The "call near ptr 1128FE29h" is not calling a valid address (1128FE29h is not a valid address). And, what are the random bytes beginning at 4424h (rebased to 0)? Are these part of their obfuscation or is it my mistake when dumping the binary?

    I tried to dump the memory content of wowbase+4424h from a running client and found that it is not 0C817B5C6. Is it some encrypted opcode?
    Did you figure anything out in the end? I am in the same boat at the moment.

  4. #4
    namreeb (Legendary)
    Originally Posted by IlikePP
    Did you figure anything out in the end? I am in the same boat at the moment.
    The answer is in the second post. But to restate it, you should expect to see things like this in the dump. It is part of their obfuscation. Specifically, opaque predicates.

  5. #5
    IlikePP (Member)
    I did realise that after actually reading up on it... I asked the question before doing the research :/ ... Thanks though

  6. #6
    PinkFlower (Member)
    Originally Posted by Jadd
    There are a lot of conditional (but not really conditional) jumps to invalid code. It's part of the obfuscation. See Opaque predicate - Wikipedia
    That's where you're wrong, kiddo: no one gives a damn shit about opaque or not; all he is looking for is a proper de-obfuscation technique.
    I mean, yeah, sure it's opaque... but all you really have to do is check if the branch is located inside the next instruction and patch it out or not. Doing so may not give the best results, but IDA will be able to analyse properly.

    For whoever still gives a crap, you can use my old 9.1.0.39804 de-obfuscated dump at pinkflowekx74wbxtdu3oiv2gjnryd3lcgk34dknwoeovgnq3ynt2lad.onion/dumps/Wow_dump_9.1.0.39804_nojmp.exe (TOR URL). It's not perfect, but it should do the trick.
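As an added illustration (not code from the thread or from any poster here), the following Python script reads an IDA-style listing like the one quoted in post #1 and flags every jump or call whose target is not the start of a decoded instruction: the jumps into invalid code that Jadd and namreeb attribute to opaque predicates, and the branch-target check PinkFlower suggests. The listing embedded in it is a constructed, shortened copy of the quoted dump, and the column layout it assumes is IDA's as pasted in the thread; it only reports, it patches nothing.

```python
import re

# Constructed sample: a shortened copy of the IDA listing quoted in post #1 (not the poster's dump).
LISTING = """\
.text:0000000000004409                 mov     ebx, 0B795CD5Eh
.text:000000000000441C                 jg      short near ptr byte_447B
.text:000000000000441F                 call    near ptr 1128FE29h
.text:000000000000441F ; ---------------------------------------------------------------------------
.text:0000000000004424                 dd 0C817B5C6h
.text:000000000000447B byte_447B       db 0FEh, 38h, 0A3h, 13h, 18h
.text:0000000000004480                 dq 0B363209D0888A0ECh, 65C13F4C6B9FB021h
"""

DATA_DIRECTIVES = {"db", "dw", "dd", "dq"}
BRANCH_RE = re.compile(r"^(j\w*|call)$")
# IDA auto-names (byte_447B, loc_1234, sub_3920) or a bare hex literal such as 1128FE29h
TARGET_RE = re.compile(r"\b(?:byte|word|dword|qword|loc|sub)_([0-9A-F]+)\b|\b([0-9A-F]+)h\b")


def parse_listing(text):
    """One (addr, mnemonic, operands, is_code) per address, sorted. Assumes IDA's pasted
    layout: '.text:' + 16 hex digits, then one space and a label, or spaces and the item."""
    items = {}
    for line in filter(lambda ln: ln.startswith(".text:"), text.splitlines()):
        addr, rest = int(line[6:22], 16), line[22:].split(";", 1)[0]   # ';' starts a comment
        if rest.startswith(" ") and len(rest) > 1 and rest[1] != " ":
            rest = rest[1:].partition(" ")[2]        # exactly one space => a label; skip it
        body = rest.strip()
        if body and addr not in items:               # continuation rows repeat the address
            mnem, _, ops = body.partition(" ")
            items[addr] = (addr, mnem, ops.strip(), mnem not in DATA_DIRECTIVES)
    return sorted(items.values())


def verdict(target, starts, lo, hi):
    if not lo <= target <= hi:
        return "outside listing"
    if target in starts:
        return "ok" if starts[target] else "lands on data"
    return "lands mid-instruction"                   # inside the bytes of an earlier instruction


def classify_branches(items):
    """Flag every jump/call whose target is not the start of a decoded instruction."""
    starts = {addr: is_code for addr, _, _, is_code in items}
    lo, hi, findings = items[0][0], items[-1][0], []
    for addr, mnem, ops, is_code in items:
        m = TARGET_RE.search(ops) if is_code and BRANCH_RE.match(mnem) else None
        if m:
            target = int(m.group(1) or m.group(2), 16)
            findings.append((addr, mnem, target, verdict(target, starts, lo, hi)))
    return findings
```

On the sample it reports the `jg` at 441Ch landing on bytes IDA left as data and the `call` to 1128FE29h pointing outside the listing, the two oddities the first post asks about.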
