-
Member
PTR Build 11.1.7 using new protection
Looks like they've finally made the switch from their previous protection to something called Eidolon. First analysis of it looks to be using control flow flattening and their anti-disassembly obfuscation. Anyone played around with it? Also, looks like the entire client now is encrypted.
[update] - they've switched it back to their previous protection
Last edited by cloakr; 05-31-2025 at 11:19 AM.
-
Member
Originally Posted by cloakr
Looks like they've finally made the switch from their previous protection to something called Eidolon. First analysis of it looks to be using control flow flattening and their anti-disassembly obfuscation. Anyone played around with it? Also, looks like the entire client now is encrypted.
Is this Eidolon software publicly sold? I googled and only found something that purported to be for use with Unity (WoW isn't using Unity)?
Also it looks like they've used Eidolon before with OW2 and possibly are using it currently?
-
Member
Can you send over the Scylla dump file? I'd like to take a look at its export structure and memory layout.
-
Member
They perform dynamic obfuscation on the execution code, similar to block obfuscation, where a block of execution code is decrypted at runtime and then obfuscated again after a few seconds, with the code block set to RWX. I have not yet discovered how to perform dynamic obfuscation, and I have tried writing breakpoints to the execution block and to the mapped key APIs, but nothing has stopped it from switching from obfuscated code to the real execution code!
-
Member
Scylla cannot dump the correct execution code. It can be said that Scylla cannot be used directly.
-
Member
It looks like they've switched it back to their previous protection. I've managed to snag all the DLLs and the EXE from the previous builds. I've been able to deobfuscate it and now I'm writing an unflattener to take their flattened control flows and lift them back up to original code.
There's a few things this protection is doing, I'm happy to share more in detail. That being said, the fact that they've reverted this protection (now twice!) on WoW tells me that they're _NOT_ sure if it's stable enough for the rest of the WoW players.
-
Member
Originally Posted by cloakr
It looks like they've switched it back to their previous protection. I've managed to snag all the DLLs and the EXE from the previous builds. I've been able to deobfuscate it and now I'm writing an unflattener to take their flattened control flows and lift them back up to original code.
There's a few things this protection is doing, I'm happy to share more in detail. That being said, the fact that they've reverted this protection (now twice!) on WoW tells me that they're _NOT_ sure if it's stable enough for the rest of the WoW players.
I'm very curious about it if you're willing to infodump in this thread. This will probably go on live servers one day, so it will be good to be prepared.
-
Contributor
It's in Overwatch, well explained on some other site.
-
Active Member
ROP will decrypt the page, and they are not walking the stack.