How to Dump Wow from Memory....
  1. #1
    counted (Contributor)

    How to Dump Wow from Memory....
    This is not required for binaries before 7.3.0

    If you are working on a pre-7.3.0 binary, just open the exe with IDA.

    See:
    https://www.ownedcore.com/forums/wor...on-coming.html (The Free Lunch Is Over - Obfuscation is Coming)

    for more info on the changes Blizz made starting with 7.3.0

    Download and install x64dbg from:

    x64dbg Capstone Build (credit to h42, posted later in this thread); do not use the latest build.

    Launch x64dbg once to create the plugins folder in the x64 folder, then close x64dbg.

    Download / Build / Main Trunk x64 / ScyllaHide

    Copy the following files from the ScyllaHide x64 build to x64dbg->x64->plugins:

    HookLibraryx64.dll
    ScyllaHideX64DBGPlugin.dp64

    Run PDBReaderx64.exe from the ScyllaHide build folder to generate the NtApiCollection.ini file for your particular operating system.

    The file should look something like this:

    file 1.png

    Different OS versions (Windows 7.x, 8.x, 10.x) will be different.

    Copy the NtApiCollection.ini file to x64dbg->x64->plugins.

    Download / Build / Main Trunk x64/ OverwatchDumpFix

    Copy OverwatchDumpFix.dp64 to x64dbg->x64->plugins.

    Your x64dbg->x64->plugins folder should look like this now,

    except for the scylla_hide.ini and scylla_hide.log files; they get generated below when we configure ScyllaHide.

    file2.png

    Launch x64dbg

    Your plugin menu should look like this:

    file3.png

    Select ScyllaHide->Options.

    Create a new profile, name it wow (or whatever you want) and select the following:

    file4.png


    Select Apply.

    Select OK.

    You will get a pop up that says you can launch your target app now.

    The first time I created the wow profile, I exited x64dbg and relaunched it.

    Not sure this is necessary, but I did this in case the newly created scylla_hide.ini file needs to exist when you launch x64dbg.

    After relaunching x64dbg, launch wow and log into a dummy account, not your real account.

    Log into a dummy toon.

    Once in game:

    Select the ScyllaHide Attach menu, click on the crosshair and hold the mouse button down, hover over the wow app window and release.

    You should see the wow pid and app name populate in the attach window.

    Click Attach.

    Wow will freeze but not crash at this point.

    The x64dbg command window should look like this now:

    file6.png

    Type OverwatchDumpFix into the command window.

    Note: OverwatchDumpFix is written to operate on the current debug target, so no changes are required for it to do its magic. All of the error prompts and code are written as Overwatch this and that, but it works on the current debug target, so no code changes are required.

    There is a copy of this plugin located at WowDumpFix; the best I can tell, all that is different is that the error messaging and subroutine names have been changed from Overwatch to Wow. I can not see any functionality that has changed, purely cosmetic.

    The command window should look like this now:

    file7.png

    Select the Scylla menu now (not ScyllaHide).

    The wow.exe is auto-populated in the selection drop-down, but RESELECT it.

    You should see something like this in the log window:

    file8.png


    If the size is not close, you have the wrong exe selected.

    Click IAT Autosearch and you should get something like:

    file9.png

    Select Get Imports and you should see something like this in the log:

    file10.png

    Note: 543 Api(s) found, not 3.

    Select Dump and save the file.

    Select Fix Dump and select the file you just saved.

    The result will be saved in the same directory as the first file with _SCY added to its name.

    Select PE Rebuild and select the SCY file.

    You can now load this file into IDA, and after auto analysis you should have all 543 imports in your import window.

    Hope this helps.

    -counted

    Below is pasted from: GitHub - changeofpace/Overwatch-Dump-Fix: x64dbg plugin which removes anti-dumping and obfuscation techniques from the popular FPS game Overwatch.

    1. Attach x64dbg to Overwatch.exe then execute the OverwatchDumpFix command.
    2. Open Scylla in x64dbg's Plugins menu then select Overwatch.exe in the "Attach to an active process" drop-down list.
    3. Click IAT Autosearch -> Get Imports.
    4. Click Dump to create a dump file.
    5. Click Fix Dump and select the dump file from (4) to reconstruct imports.
    The Scylla output view should say "Import Rebuild success [FILE PATH]".
    6. Click PE Rebuild and select the fixed dump file.

    IDA Pro

    1. Open the dump file in IDA. Check the Manual load and Load resources (optional) boxes. Click OK / Yes for every prompt.
    2. Run the Universal Unpacker Manual Reconstruct plugin for the IAT to set imports to the correct color.

    Happy reversing.

    End Paste from Overwatch site
    Last edited by counted; 10-11-2018 at 04:26 PM. Reason: Added More Detail

  3. #2
    king48488 (Elder)
    Originally Posted by counted:
    Download and install x64dbg from:

    x64dbg

    Launch the x64debug version that is the same as your wow.exe version (x64 or x32).

    I do not think we can run the OverwatchDumpFix on the Wow.exe because attaching the debugger to wow crashes the wow.exe.
    OverwatchDumpFix also appears to be x64 only, so not sure you could use it on the x32 wow.exe, if there was a way to attach the debugger and not crash wow.

    So do NOT do Step 1, start with Step 2.

    The IDA script referenced in the IDA section is located on the OverwatchDumpFix site.
    Use ScyllaHide and attach it. Then you can use the overwatch-dump plugin on x64.

  5. #3
    zdohdds (Member)
    Thanks for the method, but I don't want to download Overwatch to dump imports.

  6. #4
    counted (Contributor)
    A couple people sent me private requests to share my IDA database. I would rather teach people how to fish instead of fishing for them.

    Download the 15662 Mac OS binary from the Sticky Binary Collection thread. This binary was released with a lot of functions and variables named.

    Download BinDiff from zynamics.com - Software; it is now free to download.

    Install the IDA plugin and set the parameters to prioritize string matching and call hierarchy.

    Run a diff and start building your own IDA database. You can also look through the Offset Threads and start to search, find and name stuff that way.

    You can also compare Script_ functions and start building info that way.

    Example: find Script_Dismount in the Mac OS binary.

    Open up your freshly memory-dumped 25021 binary in IDA and run the auto analysis.

    Note: I like to set up IDA with Options->General, Address Representation, Function Offsets = Checked and Number of Opcode Bytes = 10.

    When it is done, select View->Sub View->Strings.

    This will load a window with all of the strings that IDA found.

    Do a search in this window for "Dismount".

    After you find it, double click on it to go to the location of the string.

    You will see a reference aDismount to the left of the string.

    Single click on aDismount to select it and then type "x" to generate a list of code that refers to this location.

    It should be one reference that is in the .data segment; highlight it and click OK.

    In the .data section you should see an "aDismount" reference and directly below it a sub_deadbeef reference, where deadbeef is the address of a subroutine.

    Double click on sub_deadbeef.

    This is the Script_Dismount routine in the current binary. You can now start to compare the Mac OS binary structure to this routine and very quickly see that the call statement at Script_Dismount + 0x1c is CGUnit_C__Dismount, and further that the call in CGUnit_C__Dismount + 0x3f is CGUnit_C::OnMountDisplayChanged.

    From here it is a matter of exploring.

    That is how I got started.



    Good luck...
    Last edited by counted; 10-04-2017 at 05:34 PM.

  8. #5
    king48488 (Elder)
    Originally Posted by zdohdds:
    Thanks for the method, but I don't want to download Overwatch to dump imports.
    you don't need overwatch...

  9. #6
    counted (Contributor)
    I dump the 32-bit binary with the above method WITHOUT overwatchdumpfix.

  10. #7
    king48488 (Elder)
    Originally Posted by counted:
    I dump the 32-bit binary with the above method WITHOUT overwatchdumpfix.
    imports fixed?

  11. #8
    zdohdds (Member)
    Originally Posted by king48488:
    you don't need overwatch...
    Yes, already understood. To be honest, I am far from reverse engineering.

    I'm stuck on the

    "Run the Universal Unpacker Manual Reconstruct plugin for the IAT to set imports to the correct color."
    And I don't know what to do with it.

    Безымянный2.jpg

    And how to do imports?

    Безымянный3.jpg

  12. #9
    king48488 (Elder)
    You already missed the part with successfully executing the OW dump script. With IDA 7 you can skip the manual reconstruct part.

  13. #10
    oDev (Active Member)
    Is it just me being dumb or does this no longer work in recent versions?

  14. #11
    king48488 (Elder)
    Originally Posted by oDev:
    Is it just me being dumb or does this no longer work in recent versions?
    Yea, it's you :P

  16. #12
    oDev (Active Member)
    Originally Posted by king48488:
    Yea, it's you :P
    Thanks for the reply, it was enough to motivate me to keep trying. Totally forgot to change the target module name when building Overwatch Dump Fix. Working fine now.

  17. #13
    Linwood (Member)
    Is the method still valid?

    I'm stuck at "IAT Autosearch"; it found nothing with build 7.3.2.25549.

  18. #14
    king48488 (Elder)
    Originally Posted by Linwood:
    Is the method still valid?

    I'm stuck at "IAT Autosearch"; it found nothing with build 7.3.2.25549.
    Yes, it's still working.

  19. #15
    Linwood (Member)
    Did you use OverwatchDumpFix before? Because I can't get this command to complete; it says "PE Header etc. Overwatch not found".
