Are you getting the error with Scylla Hide or Scylla Dump?
Are you getting the error with Scylla Hide or Scylla Dump?
At the time I click Plugin->Scylla, just after run OverwatchDumpFix command. It shows Exception! Please report it! OS: 4563000A
solved by using vmware. Might be some software i install on my host system triggered the error
OverwatchDumpFix Execution error:
Error: failed to deobfuscate the remote IAT.
Error: failed to rebuild imports.
What shall I do?
Hi guys,
I meet two problem.
1)Run PDBReaderx64.exe from the ScyllaHide build folder to generate the NtApiCollection.ini file for your particular operating system.
I can't find PDBReaderx64.exe, where should i get it?
2)Copy OverwatchDumpFix.dp64 to the x64dbg->x64->plugins
I also can't find this file. Shall rebuild the source code?
Thanks in advance.
i would rebuild the source code since the moded one that works is not compiled i believe skip your step 1
My wow.exe is just crashing when i click on attach. Did everything exactly like in the description. Any ideas how to fix that?
Start wow suspended, then attach Scylla like normal. Works for me.
I use my own tool to fix imports so no clue if that would conflict with your setup.
Anyway, if you are that desperate you can always use some of my dumps while you get comfortable with x64dbg.
My dump archive: pinkflowekx74wbxtdu3oiv2gjnryd3lcgk34dknwoeovgnq3ynt2lad.onion
What am I doing wrong? All ~ 543 imports do not have. I did everything according to the instructions. 2021-10-27.png Help my plzzz)))
Import pointers are not directly pointing to the function call, therefore Scylla doesnt resolve them correctly.
You will have to compute the imported functions and overwrite them pointer, this can be done using a plugin that has been floating around (not sure if up to date for Wow)
The plugin mentioned by PinkFlower is likely OverwatchDumpFix which does alright for Classics and live, and even some other games surprisingly.
ChangeOfPace's github link: GitHub - changeofpace/Overwatch-Dump-Fix: x64dbg plugin which removes anti-dumping and obfuscation techniques from the popular FPS game Overwatch. (Possibly a better modified one kicking around somewhere)
Alternatively Namreebs dumper still works fine with all clients (and again.. surprisingly with other blizz games). This is personally what im using "if" i need to get a patches binary.
Namreebs github link: GitHub - namreeb/dumpwow: Unpacker for World of Warcraft
Pink also provided that beautiful link, though i haven't had a chance to peek at any of their dumps quite yet (Reallllly tempted to look at the overwatch dumps though )
Last edited by Razzue; 10-29-2021 at 02:27 PM.
I am curious how relevant this guide still is. I have updated the original steps below as some are no longer needed.
1. Download and install x64dbg (Installed latest as OverwatchDumpFix has been updated to use XED)
2. Launch x64dbg once to create the plugins folder in the x64 folder then close x64dbg
3. Download/Build ScyllaHide
4. Copy the following files from the ScyllaHide x64 build to the x64dbg->x64->plugins
HookLibraryx64.dll5. Download/Build OverwatchDumpFix
ScyllaHideX64DBGPlugin.dp64
6. Copy OverwatchDumpFix.dp64 to the x64dbg->x64->plugins
7. Launch x64dbg
8. Select ScyllaHide->Options
9. Create a new profile, name it wow [ or whatever you want ] and select the following9.a Click Apply10. Launch WoW and log into a trash account and character.
9.b Click Ok
11. Once in game11.a Select the Scylla Hide Attach Menu12. Type OverwatchDumpFix into the command window
11.b Click on the cross hair and hold the mouse button down hover over the WoW window and release.
11.c You should see the WoW PID (process ID) and app name populate in the attach window.
11.d Click Attach
11.e WoW should FREEZE and NOT CRASH at this point.
13. Select Scylla Menu now [ not ScyllaHide ]
14. Wow.exe is will already be selected, reselect it anyway.14.a Click IAT auto search15. Load the file ending with "_SCY" into IDA and after auto analysis you should have all 543 import in you import window.
14.b Select Get Imports and you should see something like this in the log
14.c You should get several hundred "API(s) found"
14.d Select "Dump" and Save the file
14.e Select "Fix Dump" and select the file you saved in step 14.d
Note: The result will be saved in the same directory as the first file with _SCY added to it.
14.f Select "PE Rebuild" and select the SCY file saved in step 14.e.
After auto analysis is complete in IDA, I click "Edit" then "Plugins" and then "Universal Unpacker Manual Reconstruct" though I am unsure of the memory offset options that should be selected. I have yet to get any x64dbg dump with anywhere near several hundred imports. This is me trying against the retail client (9.2). I also get odd behavior where I get sent back to the WoW login screen the first time I log into a WoW character but before I try to attach.
Last edited by Archos; 04-08-2022 at 09:56 PM.
--double post--
Last edited by Razzue; 04-08-2022 at 11:23 PM.