1. Question about WoW.exe executable

    Sup everyone, so I was downloading WoW again and, as usual, I put everything I download off the internet through VirusTotal, and to my surprise one of the AVs has a heuristic detection on WoW.exe (https://www.virustotal.com/gui/file/...d5c38c79dc953c).

    While heuristic detections are notorious for giving false positives, I was sure that detection wasn't there the previous time, so I checked the executable and yeah, it's a different WoW.exe.
    This one is the original, signed by Blizzard (https://www.virustotal.com/gui/file/...cd0faf78e88cb8).
    This new executable is also fairly recent, having been first spotted in the wild on 2020-11-29.

    The one that is being distributed now has had its signatures removed, why is that?
    Why not use the one that came from blizzard directly?
    Was the executable modified in any other way?

  2. I read this but I forgot to reply. I had noticed this some time ago but I never bothered to look into it, and I just did. There are a few differences between the Warmane binary and the original, signed binary:

    1) Some changes in the PE header: I haven't investigated further but they probably are the usual LAA modification and perhaps the changes necessary to remove the certificate section.

    2) Changes in the code:

    - Disabled Battle.net authentication. You know when you input an email as an account name and it would try to download an update? That was disabled. Although currently it doesn't even work at all anymore because of server-side changes from Blizzard. The client would try to connect to Blizzard directly if you input an email and bypass the realmlist.

    - The original binary would check if you were running the client through Remote Desktop and refuse to run, that check was disabled.

    - The http client was, eh, neutered. I assume (and this is speculation as I haven't bothered to look much further) that this was done to remove the "breaking news" dialog that would sometimes show on the login screen.

    3) The certificate itself was removed from the executable which explains the smaller size.
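
    Added example (my own script, not code from this thread or from Blizzard/Warmane): a small Python inspector for exactly the header-level differences listed above, the Large Address Aware bit in the COFF Characteristics field, the security data directory that points at the Authenticode WIN_CERTIFICATE blob, and the file size. It uses only the standard library. The sample PE it builds is a constructed minimal image with no sections, and its "certificate" is a placeholder string rather than real PKCS#7 data. Run it with two file paths (original and repacked) to print the differing fields, or with no arguments to run on the constructed sample.

```python
import struct

IMAGE_FILE_LARGE_ADDRESS_AWARE = 0x0020   # Characteristics bit flipped by the usual "LAA patch"
IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # data directory that locates the Authenticode blob
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B

def _headers(data: bytes):
    """Return (coff_offset, optional_header_offset, data_directory_offset)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        dd = opt + 96        # PE32: data directories start 96 bytes into the optional header
    elif magic == PE32PLUS_MAGIC:
        dd = opt + 112       # PE32+: 112 bytes in
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    return coff, opt, dd

def pe_info(data: bytes) -> dict:
    """Extract the fields a repacker typically changes."""
    coff, opt, dd = _headers(data)
    characteristics = struct.unpack_from("<H", data, coff + 18)[0]
    # The security directory is special: its first field is a raw file offset, not an RVA.
    cert_off, cert_size = struct.unpack_from("<II", data, dd + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    info = {
        "large_address_aware": bool(characteristics & IMAGE_FILE_LARGE_ADDRESS_AWARE),
        "certificate_offset": cert_off,
        "certificate_size": cert_size,
        "size": len(data),
    }
    if cert_size:
        length, revision, cert_type = struct.unpack_from("<IHH", data, cert_off)  # WIN_CERTIFICATE header
        info["win_certificate"] = {"length": length, "revision": revision, "type": cert_type}
    return info

def strip_certificate(data: bytes) -> bytes:
    """Zero the security directory entry and drop the trailing WIN_CERTIFICATE blob.
    Authenticode appends the blob at the end of the file; only truncate when the entry
    really points at the tail, otherwise just unlink it."""
    _, _, dd = _headers(data)
    cert_off, cert_size = struct.unpack_from("<II", data, dd + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if cert_size == 0:
        return data
    out = bytearray(data)
    struct.pack_into("<II", out, dd + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0, 0)
    if cert_off + cert_size == len(data):
        del out[cert_off:]
    return bytes(out)

def set_large_address_aware(data: bytes, enabled: bool = True) -> bytes:
    """Apply (or undo) the LAA patch on the COFF Characteristics field."""
    coff, _, _ = _headers(data)
    out = bytearray(data)
    flags = struct.unpack_from("<H", out, coff + 18)[0]
    flags = flags | IMAGE_FILE_LARGE_ADDRESS_AWARE if enabled else flags & ~IMAGE_FILE_LARGE_ADDRESS_AWARE
    struct.pack_into("<H", out, coff + 18, flags & 0xFFFF)
    return bytes(out)

def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32 image (no sections) used as stand-in input; not a real binary."""
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)  # i386, EXE, 32-bit, no LAA
    opt = bytearray(224); struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)                               # NumberOfRvaAndSizes
    image = dos + b"PE\0\0" + coff + opt
    if signed:
        payload = b"PLACEHOLDER-NOT-A-REAL-PKCS7-SIGNATURE"          # constructed, not PKCS#7
        blob = struct.pack("<IHH", 8 + len(payload), 0x0200, 0x0002) + payload  # rev 2.0, PKCS_SIGNED_DATA
        blob += b"\0" * (-len(blob) % 8)                              # entries are 8-byte aligned
        _, _, dd = _headers(bytes(image))
        struct.pack_into("<II", image, dd + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, len(image), len(blob))
        image += blob
    return bytes(image)

def diff_pe(original: bytes, modified: bytes) -> dict:
    """Fields that differ between two PE files, as (original, modified) pairs."""
    a, b = pe_info(original), pe_info(modified)
    return {k: (a[k], b.get(k)) for k in a if a[k] != b.get(k)}

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f, open(sys.argv[2], "rb") as g:
            print(diff_pe(f.read(), g.read()))
    else:
        signed = build_sample_pe(signed=True)
        print(diff_pe(signed, set_large_address_aware(strip_certificate(signed))))
```

    Because the certificate bytes are part of the file, removing them changes the SHA-256, which is why the repacked client shows up on VirusTotal as a separate file from the signed one. Note that strip_certificate only unlinks and truncates; it does not touch code, so any diff in the .text section (the disabled Battle.net and Remote Desktop checks mentioned above) has to be found by comparing section contents separately.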

  3. Thanks!

    Thank you for your reply, that's an excellent explanation
