[help] Understanding WoW's anti-disassembly technique(s)

  1. #1
    Valldex (Member)

    [help] Understanding WoW's anti-disassembly technique(s)

    Hi! I've done a decent amount of research and have become stuck, so hopefully one of you can help me?

    I'm trying to understand why IDA cannot understand a subroutine.

    I'm disassembling WoW 8.3.6 (35662), and have used Overwatch dump fix to de-obfuscate (also Jadd's Lua function renaming + offset finder just to help a bit; thanks for the script btw).

    Now I'm comparing the two side by side, using the lua function 'JumpOrAscendStart()' as an example.

    Searching the Strings, I can find the offset:
    Code:
    .data:000000014282AF90 F0 AD 2C 42 01 00+                dq offset aJumporascendst ; "JumpOrAscendStart"
    .data:000000014282AF98 60 AC 63 41 01 00+                dq offset qword_14163AC60
    Now, jumping to that offset, I see that IDA is not able to disassemble:

    Code:
    .text:000000014163AC60 6D 88 A9 F8 D4 4D+qword_14163AC60 dq 21AF4DD4F8A9886Dh, 62722451E4589271h, 164A19B420A5658Bh
    .text:000000014163AC60 AF 21 71 92 58 E4+                                        ; DATA XREF: .rdata:0000000142542EB4↓o
    .text:000000014163AC60 51 24 72 62 8B 65+                                        ; .rdata:0000000142542EEC↓o ...
    .text:000000014163AC60 A5 20 B4 19 4A 16+                dq 13E28A8D542AB2A1h, 19F5B4E1F40B1C9Dh, 48898C76CBB74A53h
    However, comparing my de-obfuscated client, IDA manages to cleanly disassemble that location:
    Code:
    .text:00007FF6A036AC60 40 53                             push    rbx
    .text:00007FF6A036AC62 48 83 EC 20                       sub     rsp, 20h
    .........
    What I'm totally confused about is that the contents at that address are totally different between the original and the de-obfuscated client. E.g. at AC60 we have 6D 88... compared to 40 53... for the two clients respectively. How is that possible?
    From what I understand, most anti-disassembly techniques involve tricking the disassembler into misinterpreting the data/code. How is it possible for me to understand what's going on here without the help of a tool such as the dump fix?

    Cheers


    [bonus question if you're feeling super helpful: how do I find click to move offset lol]
    Last edited by Valldex; 11-21-2020 at 08:10 AM.


  2. #2
    clestor (Member)
    Originally Posted by Valldex (post #1 above, quoted in full)
    Did you use IDA to decompile Wow directly (not dumped from memory)? Wow is packed, and the whole program will be unpacked and initialized after TLS is called.
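    The reply above is the whole explanation: the file on disk holds the packed payload, and the bytes the original poster sees at AC60 only become code once the TLS callback has unpacked the image in memory, so a disk image and a process dump legitimately disagree at the same virtual address. The script below is an added example (not code from this thread, from IDA, or from the dump-fix tool it mentions) that makes that concrete: it parses the PE section table with the standard library only, maps a virtual address to the file offset that backs it, reads the same RVA out of a dump in image layout, and reports Shannon entropy for both, which is the quickest check for "this is still packed". The image base, section layout and both payloads are constructed stand-ins; the six-byte prologue in the "dump" is the `push rbx; sub rsp, 20h` quoted in the thread.

```python
"""Why the bytes at one virtual address differ between an on-disk PE and a memory dump.

Added example, not code from the thread or from any tool it names. Everything below
is constructed: the image base, the single .text section and both payloads are
stand-ins chosen so the script runs offline.
"""
import hashlib
import math
import struct

IMAGE_BASE = 0x140000000   # constructed preferred base (typical for x64 PEs)
TEXT_RVA = 0x1000          # constructed .text VirtualAddress
TEXT_RAW_OFFSET = 0x200    # constructed .text PointerToRawData
TEXT_SIZE = 0x40


def build_pe(text_bytes: bytes) -> bytes:
    """Build a minimal PE32+ image with one .text section (constructed, not loadable)."""
    assert len(text_bytes) == TEXT_SIZE
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)            # e_lfanew -> "PE\0\0"
    opt_size = 32                                           # just enough to hold ImageBase
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * 22 + struct.pack("<Q", IMAGE_BASE)
    sec = struct.pack("<8sIIIIIIHHI", b".text", TEXT_SIZE, TEXT_RVA, TEXT_SIZE,
                      TEXT_RAW_OFFSET, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + opt + sec
    return headers + b"\0" * (TEXT_RAW_OFFSET - len(headers)) + text_bytes


def parse_sections(pe: bytes):
    """Return (image_base, [(name, va, vsize, raw_ptr, raw_size), ...]) from the headers."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]   # COFF SizeOfOptionalHeader
    opt = e_lfanew + 24                                         # optional header start
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x20B:                                          # PE32+: ImageBase at +24
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]
    elif magic == 0x10B:                                        # PE32: ImageBase at +28
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections, off = [], opt + opt_size
    for _ in range(nsec):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", pe, off)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, rptr, rsize))
        off += 40                                               # IMAGE_SECTION_HEADER size
    return image_base, sections


def va_to_file_offset(pe: bytes, va: int) -> int:
    """Map a virtual address to the file offset that backs it on disk."""
    image_base, sections = parse_sections(pe)
    rva = va - image_base
    for name, sva, vsize, rptr, rsize in sections:
        if sva <= rva < sva + max(vsize, rsize):
            delta = rva - sva
            if delta >= rsize:   # virtual-only tail: zero-filled by the loader, never on disk
                raise ValueError(f"{va:#x} lies in {name} but is not file-backed")
            return rptr + delta
    raise ValueError(f"{va:#x} is not inside any section")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: packed or encrypted code sits near 8, plain x64 code well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def compare_at(disk_pe: bytes, dump_image: bytes, va: int, n: int = 16):
    """Return (disk_bytes, dump_bytes, disk_entropy, dump_entropy) for n bytes at va.

    The dump is assumed to be in image layout (indexed by RVA), as a process dump is.
    """
    off = va_to_file_offset(disk_pe, va)
    rva = va - parse_sections(disk_pe)[0]
    disk, dumped = disk_pe[off:off + n], dump_image[rva:rva + n]
    return disk, dumped, shannon_entropy(disk), shannon_entropy(dumped)


# Constructed stand-ins: the on-disk .text is hash output (high entropy, not valid code);
# the dump holds the prologue quoted in the thread (push rbx; sub rsp,20h) padded with int3.
PACKED_TEXT = (hashlib.sha256(b"constructed packed blob 1").digest()
               + hashlib.sha256(b"constructed packed blob 2").digest())
UNPACKED_TEXT = b"\x40\x53\x48\x83\xEC\x20" + b"\xCC" * (TEXT_SIZE - 6)
DISK_PE = build_pe(PACKED_TEXT)
DUMP_IMAGE = DISK_PE[:TEXT_RAW_OFFSET] + b"\0" * (TEXT_RVA - TEXT_RAW_OFFSET) + UNPACKED_TEXT

if __name__ == "__main__":
    va = IMAGE_BASE + TEXT_RVA
    disk, dumped, e_disk, e_dump = compare_at(DISK_PE, DUMP_IMAGE, va)
    print(f"{va:#x} -> file offset {va_to_file_offset(DISK_PE, va):#x}")
    print(f"disk: {disk.hex(' ')}  entropy {e_disk:.2f}")
    print(f"dump: {dumped.hex(' ')}  entropy {e_dump:.2f}")
```

    Against a real client you would pass the file read from disk as `disk_pe` and a process dump (in image layout, i.e. what a dumper writes after the loader has mapped the sections) as `dump_image`; the on-disk side of `.text` will show near-8-bit entropy and no recognisable prologue, the dumped side the `40 53 48 83 EC 20` the original poster saw. The `va_to_file_offset` check also catches the other common cause of "different bytes": a VA that falls in a section's virtual-only tail, which exists in memory but has no bytes in the file at all.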

  3. #3
    Valldex (Member)
    Originally Posted by clestor
    Did you use IDA to decompile Wow directly (not dumped from memory)? Wow is packed, and the whole program will be unpacked and initialized after TLS is called.
    Ahhh I did not know there was a difference between decompiling directly and dumping from memory. I realise now that to generate the de-obfuscated version, I followed a guide to dump from memory. That makes sense!

    So WoW has executable compression, and is inflated/unpacked at the beginning? I see.

    So really, now that I have the de-obfuscated client, there is no real reason for me to be looking at the exe dump? Or even the obfuscated memory dump, for that matter?

    Thanks for the reply!

  4. #4
    Jadd
    Originally Posted by Valldex
    So really, now that I have the de-obfuscated client, there is no real reason for me to be looking at the exe dump? Or even the obfuscated memory dump, for that matter?
    Unless you're reversing the unpacking process: no.

  5. #5
    air999 (Contributor)
    Originally Posted by Valldex
    [bonus question if you're feeling super helpful: how do I find click to move offset lol]
    bonus answer: it doesn't help you much, as the CTM coordinate is dynamically encoded.
