-
How to Dump Wow from Memory....
This is not required for binaries before 7.3.0
If you are working on a pre 7.3.0 binary just open the exe with IDA
See:
https://www.ownedcore.com/forums/wor...on-coming.html (The Free Lunch Is Over - Obfuscation is Coming)
for more info on the changes Blizz made starting with 7.3.0
Download and install x64dbg from:
x64dbg Capstone Build (credit to h42 [posted later in this thread]); do not use the latest build
Launch x64dbg once to create the plugins folder in the x64 folder then close x64dbg
Download / Build / Main Trunk x64 / ScyllaHide
Copy the following files from the ScyllaHide x64 build to the x64dbg->x64->plugins
HookLibraryx64.dll
ScyllaHideX64DBGPlugin.dp64
Run PDBReaderx64.exe from the ScyllaHide build folder to generate the NtApiCollection.ini file for your particular operating system
The file should look something like this
file 1.png
Different OS versions (windows 7.x 8.x 10.x) will be different
Copy the NtApiCollection.ini file to x64dbg->x64->plugins
Download / Build / Main Trunk x64/ OverwatchDumpFix
Copy OverwatchDumpFix.dp64 to the x64dbg->x64->plugins
Your x64dbg->x64->plugins folder should look like this now
Except for the scylla_hide.ini and scylla_hide.log files; they get generated below when we configure ScyllaHide
file2.png
Launch x64dbg
Your plugin menu should look like this
file3.png
Select ScyllaHide->Options
Create a new profile, name it wow [ or whatever you want ] and select the following
file4.png
Select Apply
Select Ok
You will get a pop up that says you can launch your target app now.
The first time I created the wow profile, I exited x64dbg and relaunched it.
Not sure this is necessary, but I did this in case the newly created scylla_hide.ini file which we just created needs to exist when you launch x64dbg
After relaunching x64dbg, Launch wow and log into a dummy account, not your real account.
Log into a dummy toon.
Once in game, select the ScyllaHide Attach menu, click on the cross hair, hold the mouse button down, hover over the wow app window and release.
You should see the wow pid and app name populate in the attach window.
Click Attach
Wow will freeze but not crash at this point.
X64dbg command window should look like this now
file6.png
Type OverwatchDumpFix into the command window
Note: OverwatchDumpFix is written to operate on the current debug target, so no changes are required for it to do its magic. All of the error prompts and code are written as Overwatch this and that, but it works on the current debug target, so no code changes are required.
There is a copy of this plugin located at WowDumpFix; as best I can tell, all that is different is that the error messaging and subroutine names have been changed from Overwatch to Wow. I cannot see any functionality that has changed; it is purely cosmetic.
Command window should look like this now
file7.png
Select Scylla Menu now [ not ScyllaHide ]
The wow.exe is auto populated in the selection drop down, but RESELECT it
You should see something like this in the log window
file8.png
If the size is not close you have the wrong exe selected
Click IAT auto search and you should get something like
file9.png
Select Get Imports and you should see something like this in the log
file10.png
Note: 543 Api(s) found, not 3
Select Dump and Save the file
Select Fix Dump and select the file you just saved
The result will be saved in the same directory as the first file with _SCY added to it.
Select PE Rebuild and select the SCY file.
You can now load this file into IDA and after auto analysis you should have all 543 imports in your import window.
Hope this helps.
-counted
Below is pasted from: GitHub - changeofpace/Overwatch-Dump-Fix: x64dbg plugin which removes anti-dumping and obfuscation techniques from the popular FPS game Overwatch.
1. Attach x64dbg to Overwatch.exe then execute the OverwatchDumpFix command.
2. Open Scylla in x64dbg's Plugins menu then select Overwatch.exe in the "Attach to an active process" drop-down list.
3. Click IAT Autosearch -> Get Imports.
4. Click Dump to create a dump file.
5. Click Fix Dump and select the dump file from (4) to reconstruct imports.
The Scylla output view should say "Import Rebuild success [FILE PATH]".
6. Click PE Rebuild and select the fixed dump file.
IDA Pro
1. Open the dump file in IDA. Check the Manual load and Load resources (optional) boxes. Click OK / Yes for every prompt.
2. Run the Universal Unpacker Manual Reconstruct plugin for the IAT to set imports to the correct color.
Happy reversing.
End Paste from Overwatch site
Last edited by counted; 10-11-2018 at 04:26 PM.
Reason: Added More Detail
-
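Added check, not code from counted's post or from the Scylla/OverwatchDumpFix projects: a small import-directory walker that counts the imported functions per DLL in a PE file, so the "543 Api(s) found" figure from the Scylla log can be confirmed on the fixed and rebuilt dump without opening it in IDA. It uses only the documented PE layout (import descriptors, ILT/IAT thunks) and is exercised here on a constructed minimal PE32+ image; on a real file call `count_imports(open(path, "rb").read())`.

```python
import struct

def build_sample_pe() -> bytes:
    """Constructed PE32+ image: one section with RVA == file offset, three imports from two DLLs."""
    img = bytearray(0x300)
    img[0:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                                  # e_lfanew
    struct.pack_into("<HHIIIHH", img, 0x44, 0x8664, 1, 0, 0, 0, 240, 0x22)   # COFF header
    struct.pack_into("<H", img, 0x58, 0x20B)                                 # PE32+ magic
    struct.pack_into("<I", img, 0x58 + 108, 16)                              # NumberOfRvaAndSizes
    struct.pack_into("<II", img, 0x58 + 120, 0x200, 60)                      # import directory RVA/size
    struct.pack_into("<8sIIII", img, 0x148, b".rdata", 0x100, 0x200, 0x100, 0x200)  # section header
    # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
    struct.pack_into("<IIIII", img, 0x200, 0, 0, 0, 0x280, 0x240)            # kernel32.dll, IAT only
    struct.pack_into("<IIIII", img, 0x214, 0x260, 0, 0, 0x290, 0x260)        # user32.dll, ILT present
    struct.pack_into("<QQQ", img, 0x240, 0x2A0, 0x2B0, 0)                    # two thunks, zero-terminated
    struct.pack_into("<QQ", img, 0x260, 0x2C0, 0)                            # one thunk, zero-terminated
    for off, s in ((0x280, b"kernel32.dll"), (0x290, b"user32.dll"), (0x2A0, b"\0\0CreateFileW"),
                   (0x2B0, b"\0\0ReadFile"), (0x2C0, b"\0\0MessageBoxW")):
        img[off:off + len(s)] = s                                            # NUL terminators are already zero
    return bytes(img)

def count_imports(data: bytes) -> dict:
    """Walk the import directory of a PE32/PE32+ image and return {dll: imported function count}."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    thunk, dir_off = ("<Q", 120) if struct.unpack_from("<H", data, opt)[0] == 0x20B else ("<I", 104)
    sections = [struct.unpack_from("<III", data, opt + opt_size + i * 40 + 12) for i in range(nsect)]

    def off(rva):  # map an RVA through the section table (VirtualAddress, SizeOfRawData, PointerToRawData)
        for va, raw_size, raw_ptr in sections:
            if va <= rva < va + raw_size:
                return rva - va + raw_ptr
        raise ValueError(f"RVA {rva:#x} lies outside every section; the dump was not rebuilt correctly")
    result, desc_rva = {}, struct.unpack_from("<I", data, opt + dir_off)[0]
    while desc_rva:                                       # a zero import directory RVA means no imports
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, off(desc_rva))
        if name_rva == 0 and ft == 0:
            break                                         # all-zero descriptor terminates the table
        n, t = 0, off(oft or ft)                          # prefer the ILT; a fixed dump may only have the IAT
        while struct.unpack_from(thunk, data, t)[0]:
            n, t = n + 1, t + struct.calcsize(thunk)
        name_off = off(name_rva)
        result[data[name_off:data.index(b"\0", name_off)].decode("ascii")] = n
        desc_rva += 20
    return result
```

If the total is still in the single digits on the _SCY file, Fix Dump did not write the imports and the IAT search step needs repeating.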
-
★ Elder ★
Originally Posted by
counted
Download and install x64dbg from:
x64dbg
Launch the x64dbg version that is the same as your wow.exe version (x64 or x32)
I do not think we can run the OverwatchDumpFix on the Wow.exe because attaching the debugger to wow crashes the wow.exe.
OverwatchDumpFix also appears to be only x64 so not sure you could use it on the x32 wow.exe, if there was a way to attach the debugger and not crash wow
So Do NOT do Step 1, start with Step 2.
The IDA script referenced in the IDA section is located on the OverwatchDumpfix site;
Below is pasted from:
GitHub - changeofpace/Overwatch-Dump-Fix: x64dbg plugin which removes anti-dumping and obfuscation techniques from the popular FPS game Overwatch.
1. Attach x64dbg to Overwatch.exe then execute the OverwatchDumpFix command.
2. Open Scylla in x64dbg's Plugins menu then select Overwatch.exe in the "Attach to an active process" drop-down list.
3. Click IAT Autosearch -> Get Imports.
4. Click Dump to create a dump file.
5. Click Fix Dump and select the dump file from (4) to reconstruct imports.
The Scylla output view should say "Import Rebuild success [FILE PATH]".
6. Click PE Rebuild and select the fixed dump file.
IDA Pro
1. Open the dump file in IDA. Check the Manual load and Load resources (optional) boxes. Click OK / Yes for every prompt.
2. Run the Universal Unpacker Manual Reconstruct plugin for the IAT to set imports to the correct color.
Happy reversing.
End Paste from Overwatch site
Use ScyllaHide and attach with it. Then you can use the overwatch-dump plugin on x64.
-
-
Active Member
Thanks for the method, but I don't want to download Overwatch to dump imports.
-
A couple people sent me private requests to share my IDA database. I would rather teach people how to fish instead of fishing for them.
Download the 15662 Mac OS Binary from the Sticky Binary Collection thread. This binary was released with a lot of functions and variable named.
Download bindiff from zynamics.com - Software, it is now free to download.
Install the IDA plugin and set the parameters to prioritize string matching and call hierarchy.
Run a diff and start building your own IDA database. You can also look through the Offset Threads and start to search and find and name stuff that way.
You can also compare Script_ functions and start building info that way.
Example: Find Script_Dismount in the Mac OS binary
Open up your freshly memory dumped 25021 binary in IDA and run the auto analysis.
Note: I like to set up IDA with Options->General Address Representation Function Offsets = Checked and Number of Opcode Bytes = 10
When it is done Select View->Sub View->Strings
This will load a window with all of the strings that IDA found.
Do a search in this window for "Dismount".
After you find it, double click on it to go to the location of the string.
You will see a reference aDismount to the left of the string.
Single click on aDismount to select it and then type "x" to generate a list of code that refers to this location.
It should be one reference that is in the .data segment; highlight it and click OK.
In the .data section you should see an "aDismount" reference and directly below it a sub_deadbeef reference, where deadbeef is the address of a subroutine.
Double click on sub_deadbeef.
This is the Script_Dismount routine in the current binary. You can now start to compare the Mac OS binary structure to this routine and very quickly see that the call statement at Script_Dismount + 0x1c is CGUnit_C__Dismount and further that the call in CGUnit_C__Dismount + 0x3f is CGUnit_C::OnMountDisplayChanged.
From here it is a matter of exploring.
That is how I got started.
Good luck...
Last edited by counted; 10-04-2017 at 05:34 PM.
-
-
★ Elder ★
Originally Posted by
zdohdds
Thanks for the method, but I don't want to download Overwatch to dump imports.
you don't need overwatch...
-
I dump the 32-bit binary with the above method WITHOUT overwatchdumpfix.
-
★ Elder ★
Originally Posted by
counted
I dump the 32-bit binary with the above method WITHOUT overwatchdumpfix.
imports fixed?
-
Active Member
Originally Posted by
king48488
you don't need overwatch...
Yes, already understood. To be honest I am far from reverse engineering.
I'm stuck on the
Run the Universal Unpacker Manual Reconstruct plugin for the IAT to set imports to the correct color.
And I don't know what to do with it.
Безымянный2.jpg
And how do I do the imports?
Безымянный3.jpg
-
★ Elder ★
You already missed the part about successfully executing the OW dump script. With IDA 7 you can skip the manual reconstruct part.
-
Active Member
Is it just me being dumb or does this no longer work in recent versions?
-
★ Elder ★
Originally Posted by
oDev
Is it just me being dumb or does this no longer work in recent versions?
Yeah, it's you :P
-
-
Active Member
Originally Posted by
king48488
Yeah, it's you :P
Thanks for the reply, was enough to motivate me to keep trying. Totally forgot to change the target module name when building overwatch dump fix. Working fine now
-
Member
Is the method still valid?
I'm stuck at "IAT Autosearch"; it found nothing with build 7.3.2.25549
-
★ Elder ★
Originally Posted by
Linwood
Is the method still valid?
I'm stuck at "IAT Autosearch"; it found nothing with build 7.3.2.25549
Yes, it's still working
-
Member
Did you use OverwatchDumpFix before? Because I can't get this command to complete; it says "PE Header etc. Overwatch not found"