Category: Tools
Developer: changeofpace
Description: Release v3.0
- Updated for new protection tech in Overwatch version 1.8.0.2.34978.
- Import thunks are now spread across several memory regions. Each thunk has multiple blocks combined with relative jumps.
- Now using capstone disassembler to unpack import thunks.
- The .rdata view contains 0x1000 bytes of code (not sure if this is new). The plugin will separate this page from .rdata. IDA will automatically combine the two .text sections.
Summary: This x64dbg plugin removes anti-dumping and obfuscation techniques from Overwatch.exe so that the game can be dumped using Scylla.
How to use:
x64dbg
1. Attach x64dbg to Overwatch.exe, then execute the OverwatchDumpFix command.
2. Open Scylla from x64dbg's "Plugins" menu, then select Overwatch.exe in the "Attach to an active process" drop-down list.
3. Click "IAT Autosearch".
4. Click "Get Imports".
5. Click "Dump" to create a dump file.
6. Click "Fix Dump" and select the dump file from step 5 to reconstruct imports.
7. The Scylla output view should say "Import Rebuild success [FILE PATH]".
8. Click "PE Rebuild" and select the fixed dump file.
IDA Pro
1. Open the dump file in IDA. Check the "Manual load" and "Load resources" (optional) boxes. Click "OK" / "Yes" for every prompt.
2. Run the "Universal Unpacker Manual Reconstruct" plugin on the IAT to set imports to the correct color.
3. Happy reversing.
Download: OverwatchDumpFix v3.0