OldSchoolHack


OWImports v2


OWImports v2 #1

Join Date: Aug 2007

Posts: 1957

Category: Tools
Developer: qwerty9384

Description:
This plugin adds the 'oiu' command to x64dbg. The command locates the memory region containing Overwatch's import address table, deobfuscates all import entries, and labels each import's thunk address.

how to use:

1. attach x64dbg to overwatch.exe.
2. enter 'oiu' in the command line.

example output:

[OW Imports]:  00000000002B0A50  actual = 0000000077843380  kernel32.GetCurrentThreadIdStub
[OW Imports]:  00000000002B0A66  actual = 00000000778348D0  kernel32.OutputDebugStringAStub
[OW Imports]:  00000000002B0A7C  actual = 0000000077845190  kernel32.GetCurrentProcessStub
[OW Imports]:  00000000002B0A92  actual = 0000000077976540  ntdll.RtlInitializeCriticalSection
[OW Imports]:  00000000002B0AA8  actual = 000000007799DA50  ntdll.RtlEnterCriticalSection

source code:

Download:
OWImports v2

#2

Join Date: Aug 2007

Posts: 1957

Category: Tools
Developer: changeofpace

Description:
Release v3.0
  • Updated for new protection tech in Overwatch version 1.8.0.2.34978.
  • Import thunks are now spread across several memory regions. Each thunk has multiple blocks combined with relative jumps.
  • Now using the Capstone disassembler to unpack import thunks.
  • The .rdata view contains 0x1000 bytes of code (not sure if this is new). The plugin will separate this page from .rdata. IDA will automatically combine the two .text sections.


Summary:
This x64dbg plugin removes anti-dumping and obfuscation techniques from Overwatch.exe so that the game can be dumped using Scylla.

How to use:

x64dbg
  1. Attach x64dbg to Overwatch.exe then execute the OverwatchDumpFix command.
  2. Open Scylla in x64dbg's "Plugins" menu then select Overwatch.exe in the "Attach to an active process" drop-down list.
  3. Click "IAT Autosearch".
  4. Click "Get Imports".
  5. Click "Dump" to create a dump file.
  6. Click "Fix Dump" and select the dump file from (5) to reconstruct imports.
  7. The Scylla output view should say "Import Rebuild success [FILE PATH]".
  8. Click "PE Rebuild" and select the fixed dump file.

IDA Pro
  1. Open the dump file in IDA. Check the "Manual load" and "Load resources" (optional) boxes. Click "OK" / "Yes" for every prompt.
  2. Run the "Universal Unpacker Manual Reconstruct" plugin for the IAT to set imports to the correct color.
  3. Happy reversing.

Download:
OverwatchDumpFix v3.0

#3

Join Date: Aug 2007

Posts: 1957

Category: Tools
Developer: changeofpace

Description:
Release v4.0.0

  • Updated for new protection tech in Overwatch version 1.10.0.2.36031.
  • The 'secret' PE header is no longer stored in memory (or it's now obfuscated). The plugin now uses the PE header from the file on disk as a base when patching Overwatch's invalid PE header.

Download:
OverwatchDumpFix v4.0.0

#4

Join Date: Aug 2007

Posts: 1957

Category: Tools
Developer: changeofpace

Description:
Release v4.0.1
  • Updated for new protection tech in Overwatch version 1.10.1.2.36268.
  • The 'secret' PE header is no longer stored in memory (or it's now obfuscated). The plugin now uses the PE header from the file on disk as a base when patching Overwatch's invalid PE header.
  • The plugin now uses the WinAPI instead of C++ file streams to get the PE header. This should fix a bug involving Unicode paths.


Source:

Download:
OverwatchDumpFix v4.0.1

#5

Join Date: Aug 2007

Posts: 1957

Category: Tools
Developer: changeofpace

Description:
Release v5.0.0
  • Updated for Overwatch version 1.11.1.2.36859.
  • The import address table is no longer terminated by two null pointers. The second null has been replaced with a pointer to a 'ret 0' instruction.
Download:
OverwatchDumpFix v5.0.0