How to Null WoWonder 2.3.2 (latest)

How to null WoWonder + apps + updates + remove all callbacks.

Tested and working with WoWonder v2.3.2 (latest as of 6/5/24).

I gave this guide a makeover and spent a lot of time working on it, if you need any help comment below and someone will be glad to help!

If you don’t want to null WoWonder yourself you can visit the link below to find all the latest nulled WoWonder versions.

WoWonder Download Archive

PURCHASE CODE NULL


Go to install/index.php and remove the code around lines lines 9-40 as shown below.

WoWonder-lines-9-40eca761de09082caa.gif

function check_($check) {
    $siteurl           = urlencode(getBaseUrl());
    $arrContextOptions = array(
        "ssl" => array(
            "verify_peer" => false,
            "verify_peer_name" => false
        )
    );
    $file              = file_get_contents('http://www.wowonder.com/purchase.php?code=' . $check . '&url=' . $siteurl, false, stream_context_create($arrContextOptions));
    if ($file) {
        $check             = json_decode($file, true);
    } else {
        $check             = array('status' => 'SUCCESS', 'url' => $siteurl, 'code' => $check);
    }
    return $check;
}
function check_success($check) {
    $siteurl           = urlencode(getBaseUrl());
    $arrContextOptions = array(
        "ssl" => array(
            "verify_peer" => false,
            "verify_peer_name" => false
        )
    );
    $file              = file_get_contents('http://www.wowonder.com/purchase.php?code=' . $check . '&success=true&url=' . $siteurl, false, stream_context_create($arrContextOptions));
    if ($file) {
        $check             = json_decode($file, true);
    } else {
        $check             = array('status' => 'SUCCESS', 'url' => $siteurl, 'code' => $check);
    }
    return $check;
}

In the same file remove the code around lines 35-42 as shown below.

WoWonder-lines-35-428e4bdcb15da60916.gif

$p = check_(trim($_POST['purshase_code']));
if (isset($p['status'])) {
  if ($p['status'] == 'ERROR') {
    $ServerErrors[] = $p['ERROR_NAME'];
  }
} else {
 $ServerErrors[] = 'Failed to connect to server, please try again later, or contact us.';
}

Add $go = 1; before if (empty($ServerErrors)) {, and make if (empty($ServerErrors)) { say if ($go == 1) { as shown below.

WoWonder-add-go--1ed9169737a786eb3.gif

Still in install/index.php remove the code around lines 91-96 as shown below.

WoWonder-lines-91-9667016224d563d2c4.gif

$p2 = check_success(trim($_POST['purshase_code']));
if(isset($p2['status'])) {
if ($p2['status'] == 'SUCCESS') {
  $can = 1;
}
}

Finally, add $can = 1; above if ($can == 1) { as shown below.

WoWonder-add-can--1ead28eb64f645859.gif

You have now nulled the installer properly, give yourself a pat on the back as we are now over half way done!

APP NULL


Nulling the apps is pretty easy, we just need to edit the wowonder.sql file in the root of the script.

Go around line 654 and find (141, 'footer_background', ''),, we need to make that line say (141, 'footer_background', '#aaa'),. Don’t forget to add the comma.

We’re gonna do the same thing for the other 2 footer_background entries in the sql file. On the footer_text_color entry we have to make it’s value be #ddd, for example: (143, 'footer_text_color', '#ddd'),.

SEE THE GIF BELOW FOR REFERENCE.

WoWonder-sql-app-nulld71b6b600e27ac3e.gif

Removing the following code does not make the apps be nulled, but it is used during legitimate activation of them. We will remove the code from the app as an extra security measure (this is sort of a callback).

Go to xhr/admin_setting.php and remove the code around lines 649-707.

WoWonder-app-callback44f6170435e331d5.gif

$data['android_status']        = 0;
$data['windows_status']        = 0;
$data['android_native_status'] = 0;
if (!empty($_POST['android_purchase_code'])) {
    $android_code = Wo_Secure($_POST['android_purchase_code']);
    $file         = file_get_contents("http://www.wowonder.com/access_token.php?code={$android_code}&type=android", false, stream_context_create($arrContextOptions));
    $check        = json_decode($file, true);
    if (!empty($check['status'])) {
        if ($check['status'] == 'SUCCESS') {
            $update                 = Wo_SaveConfig('footer_background', '#aaa');
            $data['android_status'] = 200;
        } else {
            $data['android_status'] = 400;
            $data['android_text']   = $check['ERROR_NAME'];
        }
    }
}
if (!empty($_POST['android_native_purchase_code'])) {
    $android_code = Wo_Secure($_POST['android_native_purchase_code']);
    $file         = file_get_contents("http://www.wowonder.com/access_token.php?code={$android_code}&type=android", false, stream_context_create($arrContextOptions));
    $check        = json_decode($file, true);
    if (!empty($check['status'])) {
        if ($check['status'] == 'SUCCESS') {
            $update                        = Wo_SaveConfig('footer_background_n', '#aaa');
            $data['android_native_status'] = 200;
        } else {
            $data['android_native_status'] = 400;
            $data['android_text']          = $check['ERROR_NAME'];
        }
    }
}
if (!empty($_POST['windows_purchase_code'])) {
    $windows_code = Wo_Secure($_POST['windows_purchase_code']);
    $file         = file_get_contents("http://www.wowonder.com/access_token.php?code={$windows_code}&type=windows_desktop", false, stream_context_create($arrContextOptions));
    $check        = json_decode($file, true);
    if (!empty($check['status'])) {
        if ($check['status'] == 'SUCCESS') {
            $update                 = Wo_SaveConfig('footer_text_color', '#ddd');
            $data['windows_status'] = 200;
        } else {
            $data['windows_status'] = 400;
            $data['windows_text']   = $check['ERROR_NAME'];
        }
    }
}
if (!empty($_POST['ios_purchase_code'])) {
    $windows_code = Wo_Secure($_POST['ios_purchase_code']);
    $file         = file_get_contents("http://www.wowonder.com/access_token.php?code={$windows_code}&type=ios", false, stream_context_create($arrContextOptions));
    $check        = json_decode($file, true);
    if (!empty($check['status'])) {
        if ($check['status'] == 'SUCCESS') {
            $update             = Wo_SaveConfig('footer_background_2', '#aaa');
            $data['ios_status'] = 200;
        } else {
            $data['ios_status'] = 400;
            $data['ios_text']   = $check['ERROR_NAME'];
        }
    }
}

CALLBACK REMOVAL


Getting rid of all the dangerous external requests.

It can be dangerous for a nulled script to be making contact with the author’s server. Therefore, as an extra security measure I’ve included that information in this guide.

The first file we need to fix is in the root of the script, updater.php.

What I recommend you do is remove every line of code from the file except for the <?php and then say return;. See below for reference.

WoWonder-updater09e83d0754dbc51a.gif

The next file is located in xhr/check_for_updates.php.

Simply remove the code around lines 19-47 as shown below.

WoWonder-update-checkerb6e4e1ed513cf9c0.gif

if (Wo_CheckMainSession($hash_id) === true) {
    $arrContextOptions = array(
        "ssl" => array(
            "verify_peer" => false,
            "verify_peer_name" => false
        )
    );
    if (!empty($_GET['purchase_code'])) {
        $purchase_code = Wo_Secure($_GET['purchase_code']);
        $version       = Wo_Secure($wo['script_version']);
        $siteurl       = urlencode($_SERVER['SERVER_NAME']);
        $file          = file_get_contents("http://www.wowonder.com/check_for_updates.php?code={$purchase_code}&version=$version&url=$siteurl", false, stream_context_create($arrContextOptions));
        $check         = json_decode($file, true);
        if (!empty($check['status'])) {
            if ($check['status'] == 'SUCCESS') {
                if (!empty($check['versions'])) {
                    $data['status']         = 200;
                    $data['script_version'] = $wo['script_version'];
                    $data['versions']       = $check['versions'];
                } else {
                    $data['status'] = 300;
                }
            } else {
                $data['status']     = 400;
                $data['ERROR_NAME'] = $check['ERROR_NAME'];
            }
        }
    }
}

Finally, the last place we need to edit to remove all the callbacks is in the xhr folder as well, xhr/download_updates.php.

Remove the code around lines 10-56 and you’ve successfully nulled the entire WoWonder script! See below for reference.

WoWonder-update-downloader3d33458d1a90614e.gif

UPDATE NULL


Coming Soon!

5 Likes

Thanks a lot for this tutorial . Hope you keep updating this for every new release.
Can you help me null the native apps??

1 Like

Nulling Wowonder Apps has alot of demand.
@savas Try to do it ASAP

1 Like

No, I can’t because I have not spent any time trying to null them. I might in the future though.

thank a lot for this tutorial…

good job

Bro i am trying to null it but i can’t null it can you nulled it for me plz bro

It seems that the new version of the backdoor address has been changed to http://validate.wowonder.com/validate.php

@reishi bro i need 2.2.2 nulled If you have please send me

@Zuck

here you are

@reishi Thanks brother :kissing_heart::kissing_heart::kissing_heart:

How did you determine this @reishi?

because i know the backdoor code

if (!file_exists(DIR . ‘/loader.json’) && is_writable(DIR) && !empty($wo[‘config’][‘updatev2’]) && empty($_COOKIE[‘finshed’]) && empty($_SESSION[‘finshed’])) {
$paypal_connection = “purchase_code”;
$paypal_connection = (!empty($purchase_code)) ? $purchase_code : “”;
$paypal_call_back_url = urlencode($site_url);
$paypal_url = base64_decode(“aHR0cDovL3ZhbGlkYXRlLndvd29uZGVyLmNvbS92YWxpZGF0ZS5waHA=”);
$random_code = sha1(rand(11111, 99999) . time());
$put_file = file_put_contents(DIR . ‘/loader.json’, $random_code);
if ($put_file && file_exists(DIR . ‘/loader.json’)) {
$call_back_respond = fetchDataFromURL($paypal_url . “?connection=$paypal_connection&call_back_url=$paypal_call_back_url&code=$random_code&platform=wowonder”);
}
setcookie(‘finshed’, ‘true’, time() + 259200, “/”);
$_SESSION[‘finshed’] = “true”;
}

1 Like

This is not in any of the latest versions, which version are you looking at?

2.1.1
and aHR0cDovL2JhY2tkb29yLndvd29uZGVyLmNvbS92YWxpZGF0ZS5waHA
http://backdoor.wowonder.com/validate.php

this url can’t open it
aHR0cDovL3ZhbGlkYXRlLndvd29uZGVyLmNvbS92YWxpZGF0ZS5waHA
decoded url is
http://validate.wowonder.com/validate.php

1 Like

Updated to support the latest version of WoWonder! Also made it much easier to follow along.

1 Like

Updated to support WoWonder 2.3.2