How to Dump Wow from Memory....

  1. #31
    pogob (Established Member)
    Originally Posted by AmazingDisgrace
    Hi, I'm trying to dump the 8.0.1.27291 client with x64dbg (Jul 19 2018 version), and I'm having trouble with the OverwatchDumpFix plugin.

    I've built the plugin in VS2013 from the latest source code (5.0.2) and copied OverwatchDumpFix.dp64 to x64dbg's plugins directory, but after launching x64dbg, the log window says, "[PLUGIN] Failed to load plugin: OverwatchDumpFix.dp64". Manually trying to load it with the "loadplugin OverwatchDumpFix" command gives the same error. If I remove the file, the error message is "Cannot find plugin", so it's clearly able to see it, but just can't load it for some reason. Is anyone else having problems with this?
    Try a newer version of Visual Studio and update the project. Also, make sure to change the process name that it looks for to "wow.exe".

  2. #32
    h42 (Contributor)
    Originally Posted by sendeos23
    Hi AmazingDisgrace,
    Did you get anywhere with this? I'm currently having this same issue after building the dumpfix plugin from the latest source on GitHub (5.0.2): '[PLUGIN] Failed to load plugin: OverwatchDumpFix.dp64'

    Can anyone confirm the current working method they are using to dump BFA, e.g. versions of x64dbg and OverwatchDumpFix.dp64, or whether there are any special settings for building the dumpfix plugin?
    Had the same issue after switching to a new hardware setup, and with the latest wow version crashing even when attaching with ScyllaHide, I finally got around to looking at this.

    The problem boils down to x64dbg switching disassembler engines, deprecating the old Capstone and instead using Zydis (see this merge).
    Long term, it'd probably be best to update the owdumpfix code to support Zydis and make a PR.

    If you're just after a quick solution in the short term, download a release of x64dbg from before the switch (this seems to be the last one).
    Then recompile with that pluginsdk, and use that version of x64dbg for dumping.

    ----------------------------

    Is anyone else having wow crashes when attaching after 27602 hit (even with the latest ScyllaHide fixes from August)?
    I'm not very experienced in anti-dbg measures; could it be that they added something new this release?
    Last edited by h42; 09-17-2018 at 06:51 AM.

  4. #33
    WiNiFiX (Banned)
    Hopefully this will help people going forward. I have set up a semi-automated auto-dumping system to dump the latest binary to WoW Dumps.
    Note this is on EU times, so US people have to wait till EU has updated.

  6. #34
    counted (Contributor)
    I edited the original post and added more detail for those who are having trouble. If there is something that I missed or have in error, please post in this thread and I will edit the procedure.

    Hope this helps clear things up.

  8. #35
    changeofpace (Member)
    Hi,

    I updated the plugin so that it can be used on modern versions of x64dbg. It no longer requires capstone.dll. If you guys experience any issues then open an issue on GitHub and I'll fix it.

    GitHub - changeofpace/Overwatch-Dump-Fix: x64dbg plugin which removes anti-dumping and obfuscation techniques from the popular FPS game Overwatch.

  10. #36
    counted (Contributor)
    Thanks, I will give it a try and update the procedure!!

  11. #37
    07neo (Member)
    Originally Posted by counted
    This is the Script_Dismount routine in the current binary. You can now start to compare the Mac Os Binary structure to this routine and very quickly see that the call statement at Script_Dismount + 0x1c is CGUnit_C__Dismount and further that the call in CGUnit_C__Dismount + 0x3f is CGUnit_C::OnMountDisplayChanged
    Everything worked great. My issue is I didn't understand the quoted part. A video explaining how to do that part would be greatly appreciated. I also want to know how to make a simple program; let's say, for example, you click a button and the app dismounts you in game. That would help me understand a lot of things and start being creative. I hope you consider my request, and thanks in advance.

  12. #38
    air999 (Contributor)
    Originally Posted by 07neo
    Everything worked great. My issue is I didn't understand the quoted part. A video explaining how to do that part would be greatly appreciated. I also want to know how to make a simple program; let's say, for example, you click a button and the app dismounts you in game. That would help me understand a lot of things and start being creative. I hope you consider my request, and thanks in advance.
    That is not a simple program =) You need to know how to inject your code into the "protected" wow process.

  13. #39
    07neo (Member)
    Originally Posted by air999
    That is not a simple program =) You need to know how to inject your code into the "protected" wow process.
    Would it be as hard when trying it on a client running on my own private server? I just want to learn and setting up a private server isn't that hard and it is risk free.

  14. #40
    counted (Contributor)
    Originally Posted by 07neo
    Everything worked great. My issue is I didn't understand the quoted part. A video explaining how to do that part would be greatly appreciated. I also want to know how to make a simple program; let's say, for example, you click a button and the app dismounts you in game. That would help me understand a lot of things and start being creative. I hope you consider my request, and thanks in advance.
    The part you are referencing is the easiest part??

    It is just telling you to compare the Script_Dismount subroutine from the Mac Binary and the subroutine the instruction told you how to find in the current binary.

    It sounds like you are not working on the current binary, you talked about running a private server.

    Which binary are you working on?

  15. #41
    07neo (Member)
    Originally Posted by counted
    The part you are referencing is the easiest part??

    It is just telling you to compare the Script_Dismount subroutine from the Mac Binary and the subroutine the instruction told you how to find in the current binary.

    It sounds like you are not working on the current binary, you talked about running a private server.

    Which binary are you working on?
    Well, I don't know about that (if it's the easiest part). Your guide is pretty great and covered everything. And Google helped as well. I'm using the 8.0.1 25153 binary, which is obfuscated. I'm very new to this and all the diffing tutorials I saw are working with an unobfuscated binary; that's why it's confusing me. The private server thing is just to let you know that I won't be worrying about making the program undetected.

  16. #42
    counted (Contributor)
    Once you follow the dumping procedure the binary is "mostly" de-obfuscated. You need to load that binary into IDA and let it do the auto analysis work. After that, obtain a copy of the Mac Binary 64 bit version I reference, load that into IDA and run the auto analysis.

    After that you compare the two binaries.

    The reason you want to use the Mac Binary I reference is because it was compiled and released with a lot of subroutines and variables named. This was unintentional by Blizzard and gives us more information to help in reversing the current binary, assuming you can match up code sections.

    This is why I suggest as an example to reverse the Script_Dismount() routine. It is already named along with its subroutines in the Mac binary and it is easy to find in the current binary.

    Compare, Match, Take Notes, .....

    Move on to other subroutines...

  17. #43
    counted (Contributor)
    Originally Posted by changeofpace
    Hi,

    I updated the plugin so that it can be used on modern versions of x64dbg. It no longer requires capstone.dll. If you guys experience any issues then open an issue on GitHub and I'll fix it.

    GitHub - changeofpace/Overwatch-Dump-Fix: x64dbg plugin which removes anti-dumping and obfuscation techniques from the popular FPS game Overwatch.
    Finally got around to testing this.

    I downloaded the latest x64dbg and the latest OverwatchDumpFix and compiled it and ran it.

    Worked fine!!

    Thanks changeofpace !!!!

  18. #44
    07neo (Member)
    Originally Posted by counted
    Once you follow the dumping procedure the binary is "mostly" de-obfuscated. You need to load that binary into IDA and let it do the auto analysis work. After that, obtain a copy of the Mac Binary 64 bit version I reference, load that into IDA and run the auto analysis.

    After that you compare the two binaries.

    The reason you want to use the Mac Binary I reference is because it was compiled and released with a lot of subroutines and variables named. This was unintentional by Blizzard and gives us more information to help in reversing the current binary, assuming you can match up code sections.

    This is why I suggest as an example to reverse the Script_Dismount() routine. It is already named along with its subroutines in the Mac binary and it is easy to find in the current binary.

    Compare, Match, Take Notes, .....

    Move on to other subroutines...
    Ohh thanks. I thought you used the mac binary cause you're on mac. Now it makes sense. Thanks again.

  19. #45
    badusername1234 (Active Member)
    I've tried following this for Classic and have built/added the ScyllaHide and OverwatchDumpFix plugins, both of them work (or at least appear to) without error. However, when I run IAT Autosearch in Scylla it tells me that the results of normal and advanced search are different. If I select to use the advanced search result and then click GetImports, then it will find 565 valid APIs and miss 2 APIs. Now if I click Dump, it will tell me "Error: Cannot dump image". Does anyone know how to fix this?
