-
Originally Posted by AmazingDisgrace
Hi, I'm trying to dump the 8.0.1.27291 client with x64dbg (Jul 19 2018 version), and I'm having trouble with the OverwatchDumpFix plugin.
I've built the plugin in VS2013 from the latest source code (5.0.2) and copied OverwatchDumpFix.dp64 to x64dbg's plugins directory, but after launching x64dbg, the log window says, "[PLUGIN] Failed to load plugin: OverwatchDumpFix.dp64". Manually trying to load it with the "loadplugin OverwatchDumpFix" command gives the same error. If I remove the file, the error message is "Cannot find plugin", so it's clearly able to see it, but just can't load it for some reason. Is anyone else having problems with this?
Try a newer version of Visual Studio and update the project. Also, make sure to change the process name that it looks for to "wow.exe".
-
Originally Posted by sendeos23
Hi AmazingDisgrace,
Did you get anywhere with this? I'm currently having this same issue after building the dumpfix plugin from the latest source on GitHub (5.0.2): '[PLUGIN] Failed to load plugin: OverwatchDumpFix.dp64'
Can anyone confirm the current working method they are using to dump BFA, e.g. versions of x64dbg and OverwatchDumpFix.dp64, or whether there are any special settings for building the dumpfix plugin?
Had the same issue after switching to a new hardware setup, and with the latest WoW version crashing even when attaching with ScyllaHide, I finally got around to looking at this.
The problem boils down to x64dbg switching disassembler engine, deprecating the old Capstone and instead using Zydis. (see this merge)
Long term it'd probably be best to update the owdumpfix code to support Zydis and make a PR.
If you're just after a quick solution in the short term, download a release of x64dbg from before the switch (this seems to be the last one).
Then recompile with that pluginsdk, and use that version of x64dbg for dumping.
----------------------------
Is anyone else having wow crashes when attaching after 27602 hit? (even with the latest scyllahide fixes from august)
I'm not very experienced in anti-dbg measures, could it be that they added something new this release?
Last edited by h42; 09-17-2018 at 06:51 AM.
-
-
Hopefully this will help people going forward. I have set up a semi-automated auto-dumping system to dump the latest binary to WoW Dumps.
Note this is on EU times, so US people have to wait till EU has updated.
-
-
I edited the original post and added more detail for those who are having trouble. If there is something that I missed or have in error please post in this thread and I will edit the procedure.
Hope this helps clear things up.
-
-
Hi,
I updated the plugin so that it can be used on modern versions of x64dbg. It no longer requires capstone.dll. If you guys experience any issues, then open an issue on GitHub and I'll fix it.
GitHub - changeofpace/Overwatch-Dump-Fix: x64dbg plugin which removes anti-dumping and obfuscation techniques from the popular FPS game Overwatch.
-
-
Thanks, I will give it a try and update the procedure!!
-
Originally Posted by counted
This is the Script_Dismount routine in the current binary. You can now start to compare the Mac OS binary structure to this routine and very quickly see that the call statement at Script_Dismount + 0x1c is CGUnit_C__Dismount, and further that the call in CGUnit_C__Dismount + 0x3f is CGUnit_C::OnMountDisplayChanged.
Everything worked great. My issue is I didn't understand the quoted part. A video explaining how to do that part would be greatly appreciated. I also want to know how to make a simple program, let's say for example you click a button and the app dismounts you in game. That would help me understand a lot of things and start being creative. I hope you consider my request, and thanks in advance.
-
Originally Posted by 07neo
Everything worked great. My issue is I didn't understand the quoted part. A video explaining how to do that part would be greatly appreciated. I also want to know how to make a simple program, let's say for example you click a button and the app dismounts you in game. That would help me understand a lot of things and start being creative. I hope you consider my request, and thanks in advance.
That is not a simple program =) You need to know how to inject your code into the "protected" wow process.
-
Originally Posted by air999
That is not a simple program =) You need to know how to inject your code into the "protected" wow process.
Would it be as hard when trying it on a client running on my own private server? I just want to learn, and setting up a private server isn't that hard and it is risk-free.
-
Originally Posted by 07neo
Everything worked great. My issue is I didn't understand the quoted part. A video explaining how to do that part would be greatly appreciated. I also want to know how to make a simple program, let's say for example you click a button and the app dismounts you in game. That would help me understand a lot of things and start being creative. I hope you consider my request, and thanks in advance.
The part you are referencing is the easiest part??
It is just telling you to compare the Script_Dismount subroutine from the Mac Binary and the subroutine the instruction told you how to find in the current binary.
It sounds like you are not working on the current binary, you talked about running a private server.
Which binary are you working on?
-
Originally Posted by counted
The part you are referencing is the easiest part??
It is just telling you to compare the Script_Dismount subroutine from the Mac Binary and the subroutine the instruction told you how to find in the current binary.
It sounds like you are not working on the current binary, you talked about running a private server.
Which binary are you working on?
Well, I don't know about that (if it's the easiest part). Your guide is pretty great and covered everything, and Google helped as well. I'm using the 8.0.1 25153 binary, which is obfuscated. I'm very new to this, and all the diffing tutorials I saw work with an unobfuscated binary, which is why it's confusing me. The private server thing is just to let you know that I won't be worrying about making the program undetected.
-
Once you follow the dumping procedure the binary is "mostly" de-obfuscated. You need to load that binary into IDA and let it do the auto analysis work. After that, obtain a copy of the 64-bit Mac binary I reference, load that into IDA and run the auto analysis.
After that you compare the two binaries.
The reason you want to use the Mac binary I reference is because it was compiled and released with a lot of subroutines and variables named. This was unintentional by Blizzard and gives us more information to help in reversing the current binary, assuming you can match up code sections.
This is why I suggest as an example to reverse the Script_Dismount() routine. It is already named along with its subroutines in the Mac binary, and it is easy to find in the current binary.
Compare, Match, Take Notes, .....
Move on to other subroutines...
-
Originally Posted by changeofpace
Finally got around to testing this.
I downloaded the latest x64dbg and the latest OverwatchDumpFix and compiled it and ran it.
Worked fine!!
Thanks changeofpace !!!!
-
Originally Posted by counted
Once you follow the dumping procedure the binary is "mostly" de-obfuscated. You need to load that binary into IDA and let it do the auto analysis work. After that, obtain a copy of the 64-bit Mac binary I reference, load that into IDA and run the auto analysis.
After that you compare the two binaries.
The reason you want to use the Mac binary I reference is because it was compiled and released with a lot of subroutines and variables named. This was unintentional by Blizzard and gives us more information to help in reversing the current binary, assuming you can match up code sections.
This is why I suggest as an example to reverse the Script_Dismount() routine. It is already named along with its subroutines in the Mac binary, and it is easy to find in the current binary.
Compare, Match, Take Notes, .....
Move on to other subroutines...
Ohh, thanks. I thought you used the Mac binary because you're on Mac. Now it makes sense. Thanks again.
-
I've tried following this for Classic and have built/added the ScyllaHide and OverwatchDumpFix plugins, both of them work (or at least appear to) without error. However, when I run IAT Autosearch in Scylla it tells me that the results of normal and advanced search are different. If I select to use the advanced search result and then click GetImports, then it will find 565 valid APIs and miss 2 APIs. Now if I click Dump, it will tell me "Error: Cannot dump image". Does anyone know how to fix this?