[Archive] File Extractor - Warlords of Draenor
[Archive] File Extractor - Warlords of Draenor
11-04-2025, 10:37 AM
Original source
Quote: Hello all
I wrote a little file extractor that uses wowb.exe to extract files from the client. It features a file list from TOM_RUS that contains about 421k file names.
Usage:
1. Rename your wowb-64.exe to something else (like wowb-642.exe) if you are using an x64 system
2. Open wowb.exe
3. Launch extractor.exe
4. Select wowb.exe process
5. Choose the output directory where the files should get extracted to
6. Choose the file list
7. Choose the path to the dll (if its in the same folder than the extractor you can leave this like it is)
8. Hit Launch
9. Wait
10. Wait even more
11. Wait like 2 hours
12. ??
13. Profit
UPDATES:
DLL only for 18379 (you need to download V2 and replace the injected_32.dll with this one): http://www22.zippyshare.com/v/2607494/file.html
Download:
V2:
http://www.file-upload.net/download-...actor.rar.html
V1:
File-Upload.net - WoD_Extractor.rar
Image:
VS:
Extractor: https://www.virustotal.com/de/file/e...is/1396982391/
DLL: https://www.virustotal.com/de/file/c...is/1396982478/
The virus scan once more shows how useless they are. The Extractor opens a process and tries to inject a dll and call various functions from that dll in the remote process but still only one scanner triggers something suspicious as im calling native functions from .NET...
Source code for the DLL (for updates):
Code:
#include "stdafx.h"
#include <filesystem>
#include <fstream>
#include <string>
#include <iostream>
#include <vector>
#include <sstream>
#include <WinSock2.h>
#pragma comment(lib, "ws2_32.lib")
#define BUILD_18379
static unsigned int baseAddress = (unsigned int) GetModuleHandle(nullptr);
static std:tring outDir;
static SOCKET connSocket;
static bool hasProgress = false;
static SOCKADDR_IN destAddr;
unsigned int GetWowBase() {
return baseAddress;
}
void extractFiles(const std:
typedef DWORD CASFILE;
typedef BOOL(*pCASOpenFile)(char *srcfile, int srcline, const char *name, CASFILE *pFile, int flags);
typedef BOOL(*pCASReadFile)(CASFILE pFile, uint8_t *buffer, int size);
typedef void(*pCASCloseFile)(CASFILE pFile);
typedef DWORD(*pCASGetFileSize)(CASFILE pFile);
#ifdef BUILD_18322
pCASOpenFile CASOpenFile = pCASOpenFile(GetWowBase() + 0x12875);
pCASReadFile CASReadFile = pCASReadFile(GetWowBase() + 0x10FEF);
pCASCloseFile CASCloseFile = pCASCloseFile(GetWowBase() + 0x127BB);
pCASGetFileSize CASGetFileSize = pCASGetFileSize(GetWowBase() + 0x1125B);
#endif
#ifdef BUILD_18322
pCASOpenFile CASOpenFile = pCASOpenFile(GetWowBase() + 0x12CB5);
pCASReadFile CASReadFile = pCASReadFile(GetWowBase() + 0x11445);
pCASCloseFile CASCloseFile = pCASCloseFile(GetWowBase() + 0x12BFB);
pCASGetFileSize CASGetFileSize = pCASGetFileSize(GetWowBase() + 0x11747);
#endif
#ifdef BUILD_18379
pCASOpenFile CASOpenFile = pCASOpenFile(GetWowBase() + 0x12AA6);
pCASReadFile CASReadFile = pCASReadFile(GetWowBase() + 0x114E6);
pCASCloseFile CASCloseFile = pCASCloseFile(GetWowBase() + 0x129EC);
pCASGetFileSize CASGetFileSize = pCASGetFileSize(GetWowBase() + 0x117E8);
#endif
if (hasProgress) {
std::vector<uint8_t> data(3 + fileName.length() + 1);
data[0] = 1;
uint16_t lenName = fileName.length() + 1;
*(uint16_t*) &data[1] = lenName;
memcpy(&data[3], fileName.c_str(), fileName.length());
send(connSocket, (char*) data.data(), data.size(), 0);
}
CASFILE file = 0;
if (CASOpenFile(__FILE__, __LINE__, fileName.c_str(), &file, 0)) {
DWORD size = CASGetFileSize(file);
if (size > 0) {
std::vector<uint8_t> content(size);
if (CASReadFile(file, content.data(), size)) {
std:
strm << outDir << fileName.c_str();
auto path = std::tr2:
std::tr2:
std::ofstream os(path.string(), std::ios::binary);
os.write((const char*)content.data(), content.size());
os.close();
} else {
std::cout << "Reading failed" << std::endl;
}
} else {
std::cout << "File empty" << std::endl;
}
CASCloseFile(file);
}
else {
std::cout << "Extracting: " << fileName << "... ";
std::cout << " failed!" << std::endl;
}
}
static std::ifstream inFile;
static std:
struct InitParams
{
char outDir[1024];
char fileList[1024];
bool hasProgress;
};
void loadParams(InitParams* ip) {
outDir = std::tr2:
if (outDir[outDir.length() - 1] != '/') {
outDir += "/";
}
}
extern "C" {
__declspec(dllexport) LRESULT WINAPI ExtractThread(LPVOID params) {
InitParams* ip = (InitParams*) params;
loadParams(ip);
if (ip->hasProgress) {
connSocket = socket(AF_INET, SOCK_STREAM, 0);
if (connSocket != INVALID_SOCKET) {
hasProgress = true;
memset(&destAddr, 0, sizeof(SOCKADDR_IN));
destAddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
destAddr.sin_port = htons(56789);
destAddr.sin_family = AF_INET;
int rc = connect(connSocket, (const sockaddr*) &destAddr, sizeof(destAddr));
if (rc < 0) {
hasProgress = false;
}
}
}
inFile.open(ip->fileList);
while (std::getline(inFile, line)) {
__try {
extractFiles(line);
}
__except (EXCEPTION_EXECUTE_HANDLER) {
}
}
if (hasProgress) {
char fin = 0;
send(connSocket, &fin, 1, 0);
closesocket(connSocket);
}
ExitThread(0);
}
}
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
Greetings
Cromon
![[Image: 81RCe.png]](http://puu.sh/81RCe.png)
rektbyfaith
11-04-2025, 10:37 AM #1Archived author: Cromon • Posted: 2025-11-04T11:37:43.640137
Original source
Quote: Hello all
I wrote a little file extractor that uses wowb.exe to extract files from the client. It features a file list from TOM_RUS that contains about 421k file names.
Usage:
1. Rename your wowb-64.exe to something else (like wowb-642.exe) if you are using an x64 system
2. Open wowb.exe
3. Launch extractor.exe
4. Select wowb.exe process
5. Choose the output directory where the files should get extracted to
6. Choose the file list
7. Choose the path to the dll (if its in the same folder than the extractor you can leave this like it is)
8. Hit Launch
9. Wait
10. Wait even more
11. Wait like 2 hours
12. ??
13. Profit
UPDATES:
DLL only for 18379 (you need to download V2 and replace the injected_32.dll with this one): http://www22.zippyshare.com/v/2607494/file.html
Download:
V2:
http://www.file-upload.net/download-...actor.rar.html
V1:
File-Upload.net - WoD_Extractor.rar
Image:
VS:
Extractor: https://www.virustotal.com/de/file/e...is/1396982391/
DLL: https://www.virustotal.com/de/file/c...is/1396982478/
The virus scan once more shows how useless they are. The Extractor opens a process and tries to inject a dll and call various functions from that dll in the remote process but still only one scanner triggers something suspicious as im calling native functions from .NET...
Source code for the DLL (for updates):
Code:
#include "stdafx.h"
#include <filesystem>
#include <fstream>
#include <string>
#include <iostream>
#include <vector>
#include <sstream>
#include <WinSock2.h>
#pragma comment(lib, "ws2_32.lib")
#define BUILD_18379
static unsigned int baseAddress = (unsigned int) GetModuleHandle(nullptr);
static std:
static SOCKET connSocket;
static bool hasProgress = false;
static SOCKADDR_IN destAddr;
unsigned int GetWowBase() {
return baseAddress;
}
void extractFiles(const std:
typedef DWORD CASFILE;
typedef BOOL(*pCASOpenFile)(char *srcfile, int srcline, const char *name, CASFILE *pFile, int flags);
typedef BOOL(*pCASReadFile)(CASFILE pFile, uint8_t *buffer, int size);
typedef void(*pCASCloseFile)(CASFILE pFile);
typedef DWORD(*pCASGetFileSize)(CASFILE pFile);
#ifdef BUILD_18322
pCASOpenFile CASOpenFile = pCASOpenFile(GetWowBase() + 0x12875);
pCASReadFile CASReadFile = pCASReadFile(GetWowBase() + 0x10FEF);
pCASCloseFile CASCloseFile = pCASCloseFile(GetWowBase() + 0x127BB);
pCASGetFileSize CASGetFileSize = pCASGetFileSize(GetWowBase() + 0x1125B);
#endif
#ifdef BUILD_18322
pCASOpenFile CASOpenFile = pCASOpenFile(GetWowBase() + 0x12CB5);
pCASReadFile CASReadFile = pCASReadFile(GetWowBase() + 0x11445);
pCASCloseFile CASCloseFile = pCASCloseFile(GetWowBase() + 0x12BFB);
pCASGetFileSize CASGetFileSize = pCASGetFileSize(GetWowBase() + 0x11747);
#endif
#ifdef BUILD_18379
pCASOpenFile CASOpenFile = pCASOpenFile(GetWowBase() + 0x12AA6);
pCASReadFile CASReadFile = pCASReadFile(GetWowBase() + 0x114E6);
pCASCloseFile CASCloseFile = pCASCloseFile(GetWowBase() + 0x129EC);
pCASGetFileSize CASGetFileSize = pCASGetFileSize(GetWowBase() + 0x117E8);
#endif
if (hasProgress) {
std::vector<uint8_t> data(3 + fileName.length() + 1);
data[0] = 1;
uint16_t lenName = fileName.length() + 1;
*(uint16_t*) &data[1] = lenName;
memcpy(&data[3], fileName.c_str(), fileName.length());
send(connSocket, (char*) data.data(), data.size(), 0);
}
CASFILE file = 0;
if (CASOpenFile(__FILE__, __LINE__, fileName.c_str(), &file, 0)) {
DWORD size = CASGetFileSize(file);
if (size > 0) {
std::vector<uint8_t> content(size);
if (CASReadFile(file, content.data(), size)) {
std:
strm << outDir << fileName.c_str();
auto path = std::tr2:
std::tr2:
std::ofstream os(path.string(), std::ios::binary);
os.write((const char*)content.data(), content.size());
os.close();
} else {
std::cout << "Reading failed" << std::endl;
}
} else {
std::cout << "File empty" << std::endl;
}
CASCloseFile(file);
}
else {
std::cout << "Extracting: " << fileName << "... ";
std::cout << " failed!" << std::endl;
}
}
static std::ifstream inFile;
static std:
struct InitParams
{
char outDir[1024];
char fileList[1024];
bool hasProgress;
};
void loadParams(InitParams* ip) {
outDir = std::tr2:
if (outDir[outDir.length() - 1] != '/') {
outDir += "/";
}
}
extern "C" {
__declspec(dllexport) LRESULT WINAPI ExtractThread(LPVOID params) {
InitParams* ip = (InitParams*) params;
loadParams(ip);
if (ip->hasProgress) {
connSocket = socket(AF_INET, SOCK_STREAM, 0);
if (connSocket != INVALID_SOCKET) {
hasProgress = true;
memset(&destAddr, 0, sizeof(SOCKADDR_IN));
destAddr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
destAddr.sin_port = htons(56789);
destAddr.sin_family = AF_INET;
int rc = connect(connSocket, (const sockaddr*) &destAddr, sizeof(destAddr));
if (rc < 0) {
hasProgress = false;
}
}
}
inFile.open(ip->fileList);
while (std::getline(inFile, line)) {
__try {
extractFiles(line);
}
__except (EXCEPTION_EXECUTE_HANDLER) {
}
}
if (hasProgress) {
char fin = 0;
send(connSocket, &fin, 1, 0);
closesocket(connSocket);
}
ExitThread(0);
}
}
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
Greetings
Cromon
11-04-2025, 10:37 AM
Original source
Quote: Very nice thx
rektbyfaith
11-04-2025, 10:37 AM #2Archived author: Blackplayer27 • Posted: 2025-11-04T11:37:43.640137
Original source
Quote: Very nice thx
11-04-2025, 10:37 AM
Original source
Quote: On a sidenote: If you dont have the alpha client downloaded the files get downloaded when requested. It just takes even longer to extract.
rektbyfaith
11-04-2025, 10:37 AM #3Archived author: Cromon • Posted: 2025-11-04T11:37:43.640137
Original source
Quote: On a sidenote: If you dont have the alpha client downloaded the files get downloaded when requested. It just takes even longer to extract.
11-04-2025, 10:37 AM
Original source
Quote: Nice work, is this project open source by any chance? I've seen similar implementations by some people and it'd be interesting to take a look at yours ^^
"You must spread some Reputation around before giving it to Cromon again." Damnit
rektbyfaith
11-04-2025, 10:37 AM #4Archived author: Xel • Posted: 2025-11-04T11:37:43.640137
Original source
Quote: Nice work, is this project open source by any chance? I've seen similar implementations by some people and it'd be interesting to take a look at yours ^^
"You must spread some Reputation around before giving it to Cromon again." Damnit
11-04-2025, 10:37 AM
Original source
Quote: how to make file list? i would update it self for all next patches...
rektbyfaith
11-04-2025, 10:37 AM #5Archived author: akriso • Posted: 2025-11-04T11:37:43.640137
Original source
Quote: how to make file list? i would update it self for all next patches...
11-04-2025, 10:37 AM
Original source
Quote: "6. Choose the file list "
huh
rektbyfaith
11-04-2025, 10:37 AM #6Archived author: DavidTwo2009 • Posted: 2025-11-04T11:37:43.640137
Original source
Quote: "6. Choose the file list "
huh
11-04-2025, 10:37 AM
Original source
Quote: Originally Posted by DavidTwo2009
"6. Choose the file list "
huh
file_list.txt in rar with extractor
![[Image: lastpost-right.svg]](https://www.ownedcore.com/forums/images/styles/OwnedCoreFX/buttons/lastpost-right.svg)
rektbyfaith
11-04-2025, 10:37 AM #7Archived author: Lofinko • Posted: 2025-11-04T11:37:43.640137
Original source
Quote: Originally Posted by DavidTwo2009
"6. Choose the file list "
huh
file_list.txt in rar with extractor
11-04-2025, 10:37 AM
Original source
Quote: excelent tool +rep
rektbyfaith
11-04-2025, 10:37 AM #8Archived author: ulminia • Posted: 2025-11-04T11:37:43.640137
Original source
Quote: excelent tool +rep
11-04-2025, 10:37 AM
Original source
Quote: Well now it's not giving me the option to load from WoWB.exe, just other .exe's that aren't related to WoW at all.
rektbyfaith
11-04-2025, 10:37 AM #9Archived author: DavidTwo2009 • Posted: 2025-11-04T11:37:43.640137
Original source
Quote: Well now it's not giving me the option to load from WoWB.exe, just other .exe's that aren't related to WoW at all.
11-04-2025, 10:37 AM
Original source
Quote: Go to your task manager and have a look if the correct process is open. Im pretty sure you didnt do step 1.
rektbyfaith
11-04-2025, 10:37 AM #10Archived author: Cromon • Posted: 2025-11-04T11:37:43.640137
Original source
Quote: Go to your task manager and have a look if the correct process is open. Im pretty sure you didnt do step 1.
Recently Browsing
1 Guest(s)
1 Guest(s)
Recently Browsing
1 Guest(s)
1 Guest(s)