# How to Dump Wow from Memory....

## counted

How to Dump Wow from Memory....
This is not required for binaries before 7.3.0

If you are working on a pre 7.3.0 binary just open the exe with IDA

See: 
https://www.ownedcore.com/forums/wor...on-coming.html (The Free Lunch Is Over - Obfuscation is Coming)

for more info on the changes Blizz made starting with 7.3.0

Download and install x64dbg from:

x64dbg Capstone build (credit to h42, posted later in this thread); do not use the latest build

Launch x64dbg once to create the plugins folder in the x64 folder then close x64dbg

Download / Build / Main Trunk x64 / ScyllaHide

Copy the following files from the ScyllaHide x64 build to the x64dbg->x64->plugins folder:

HookLibraryx64.dll
ScyllaHideX64DBGPlugin.dp64

Run PDBReaderx64.exe from the ScyllaHide build folder to generate the NtApiCollection.ini file for your particular operating system

The file should look something like this

file 1.png

Different OS versions (windows 7.x 8.x 10.x) will be different

Copy the NtApiCollection.ini file to x64dbg->x64->plugins

Download / Build / Main Trunk x64/ OverwatchDumpFix

Copy OverwatchDumpFix.dp64 to the x64dbg->x64->plugins

Your x64dbg->x64->plugins folder should look like this now

Except for the scylla_hide.ini and scylla_hide.log files, which get generated below when we configure ScyllaHide

file2.png

Launch x64dbg

Your plugin menu should look like this

file3.png

Select ScyllaHide->Options

Create a new profile, name it wow [ or whatever you want ] and select the following

file4.png


Select Apply

Select Ok

You will get a pop up that says you can launch your target app now.

The first time I created the wow profile, I exited x64dbg and relaunched it.

Not sure this is necessary, but I did this in case the newly created scylla_hide.ini file needs to exist when you launch x64dbg

After relaunching x64dbg, Launch wow and log into a dummy account, not your real account.

Log into a dummy toon.

Once in game.

Select the ScyllaHide Attach menu, click on the crosshair and hold the mouse button down, hover over the WoW app window and release.

You should see the wow pid and app name populate in the attach window.

Click Attach

Wow will freeze but not crash at this point.

X64dbg command window should look like this now

file6.png

Type OverwatchDumpFix into the command window

Note: OverwatchDumpFix is written to operate on the current debug target, so no changes are required for it to do its magic. All of the error prompts and code are written as Overwatch this and that, but it works on the current debug target, so no code changes are required.

There is a copy of this plugin located at WowDumpFix; as best I can tell, all that is different is that the error messages and subroutine names have been changed from Overwatch to Wow. I cannot see any functionality that has changed; it is purely cosmetic.

Command window should look like this now

file7.png

Select Scylla Menu now [ not ScyllaHide ]

The wow.exe is auto populated in the selection drop down, but RESELECT it

You should see something like this in the log window

file8.png


If the size is not close you have the wrong exe selected

Click IAT Autosearch and you should get something like

file9.png

Select Get Imports and you should see something like this in the log

file10.png

Note: 543 Api(s) found, not 3

Select Dump and Save the file

Select Fix Dump and select the file you just saved

The result will be saved in the same directory as the first file with _SCY added to it.

Select PE Rebuild and select the SCY file.

You can now load this file into IDA, and after auto analysis you should have all 543 imports in your import window.

Hope this helps.

-counted

Below is pasted from: GitHub - changeofpace/Overwatch-Dump-Fix: x64dbg plugin which removes anti-dumping and obfuscation techniques from the popular FPS game Overwatch.

1. Attach x64dbg to Overwatch.exe then execute the OverwatchDumpFix command.
2. Open Scylla in x64dbg's Plugins menu then select Overwatch.exe in the "Attach to an active process" drop-down list.
3. Click IAT Autosearch -> Get Imports.
4. Click Dump to create a dump file.
5. Click Fix Dump and select the dump file from (4) to reconstruct imports.
The Scylla output view should say "Import Rebuild success [FILE PATH]".
6. Click PE Rebuild and select the fixed dump file.

IDA Pro

1. Open the dump file in IDA. Check the Manual load and Load resources (optional) boxes. Click OK / Yes for every prompt.
2. Run the Universal Unpacker Manual Reconstruct plugin for the IAT to set imports to the correct color.

Happy reversing.

End Paste from Overwatch site
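As an added example (not part of counted's post, and not code from Scylla or x64dbg), a stand-alone Python check for the two numbers the procedure tells you to watch: the SizeOfImage shown when the module is selected and the "Api(s) found" count after Get Imports. It parses the import directory of a dump file with the standard library only, so a rebuilt Wow_dump_SCY.exe can be verified offline before loading it into IDA. The PE image it runs on by default is constructed inside the script (two DLLs, five imports, raw offsets equal to RVAs as in a memory dump); `count_imports(open(path, "rb").read())` applies the same walk to a real dump.

```python
"""Count the imports a dump actually carries after Scylla's "Fix Dump".

Added example: not code from the original post, Scylla or x64dbg. A standard-library
walk of the PE import directory, usable on a real Wow_dump_SCY.exe; the default input
is a constructed minimal PE32+ with two DLLs and five imports.
"""
import struct

IMPORT_DIR = 1  # slot of the import directory in the data directory table


def _cstr(buf, off):
    return buf[off:buf.index(b"\0", off)].decode("ascii", "replace")


def _headers(buf):
    """Return (pe32plus, size_of_image, import_rva, [(vsize, va, rawsize, rawptr), ...])."""
    if buf[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe = struct.unpack_from("<I", buf, 0x3C)[0]  # e_lfanew
    if buf[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec, _, _, _, opt_size = struct.unpack_from("<HIIIH", buf, pe + 6)
    opt = pe + 24
    plus = struct.unpack_from("<H", buf, opt)[0] == 0x20B  # PE32+ vs PE32 magic
    size_of_image = struct.unpack_from("<I", buf, opt + 56)[0]
    import_rva = struct.unpack_from("<I", buf, opt + (112 if plus else 96) + 8 * IMPORT_DIR)[0]
    sections = [struct.unpack_from("<8sIIII", buf, opt + opt_size + 40 * i)[1:] for i in range(nsec)]
    return plus, size_of_image, import_rva, sections


def _rva_to_off(sections, rva):
    """Map an RVA through the section table; a rebuilt file may have raw != virtual."""
    for vsize, va, rsize, rptr in sections:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + rptr
    raise ValueError(f"RVA {rva:#x} is outside every section: truncated or wrong dump")


def size_of_image(buf):
    """The SizeOfImage Scylla shows after the module is selected; compare it with the log."""
    return _headers(buf)[1]


def parse_imports(buf):
    """Walk the IMAGE_IMPORT_DESCRIPTOR array; return {dll: [symbol or '#ordinal', ...]}."""
    plus, _, import_rva, sections = _headers(buf)
    if import_rva == 0:
        return {}  # no import directory at all: Fix Dump did not run or did not succeed
    thunk_fmt, ord_flag = ("<Q", 1 << 63) if plus else ("<I", 1 << 31)
    imports, desc = {}, _rva_to_off(sections, import_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", buf, desc)
        if name_rva == 0 and ft == 0:
            break  # all-zero terminator descriptor
        names, thunk = [], _rva_to_off(sections, oft or ft)  # lookup table, else the IAT itself
        while (entry := struct.unpack_from(thunk_fmt, buf, thunk)[0]) != 0:
            if entry & ord_flag:
                names.append(f"#{entry & 0xFFFF}")
            else:  # hint/name entry: 2-byte hint, then the symbol name
                names.append(_cstr(buf, _rva_to_off(sections, entry) + 2))
            thunk += struct.calcsize(thunk_fmt)
        imports[_cstr(buf, _rva_to_off(sections, name_rva))] = names
        desc += 20
    return imports


def count_imports(buf):
    """The number Scylla's log reports as 'Api(s) found'."""
    return sum(len(v) for v in parse_imports(buf).values())


def build_sample_pe():
    """Constructed PE32+: headers at 0, .text at RVA 0x1000, .idata at RVA 0x2000, raw == RVA."""
    idata_rva = 0x2000
    dlls = {"KERNEL32.dll": ["GetProcAddress", "LoadLibraryA", "VirtualProtect"],
            "USER32.dll": ["MessageBoxA", "GetForegroundWindow"]}
    idata, descs, pos = bytearray(0x1000), [], 20 * (len(dlls) + 1)  # descriptors + terminator first
    for dll, funcs in dlls.items():
        hint_names = []
        for f in funcs:
            entry = b"\0\0" + f.encode() + b"\0"  # hint 0, name, NUL; padded to even length below
            idata[pos:pos + len(entry)] = entry
            hint_names.append(idata_rva + pos)
            pos += len(entry) + (len(entry) & 1)
        name_rva = idata_rva + pos
        idata[pos:pos + len(dll) + 1] = dll.encode() + b"\0"
        pos = (pos + len(dll) + 8) & ~7  # thunk tables start 8-byte aligned
        table_len = 8 * (len(funcs) + 1)  # entries plus NUL terminator
        for t in (pos, pos + table_len):  # ILT, then an IAT with identical content
            for i, rva in enumerate(hint_names):
                struct.pack_into("<Q", idata, t + 8 * i, rva)
        descs.append((idata_rva + pos, 0, 0, name_rva, idata_rva + pos + table_len))
        pos += 2 * table_len
    for i, d in enumerate(descs):
        struct.pack_into("<IIIII", idata, 20 * i, *d)
    hdr = bytearray(0x1000)
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x8664, 2, 0, 0, 0, 240, 0x22)  # COFF header, 2 sections
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x20B)  # PE32+ magic
    struct.pack_into("<I", hdr, opt + 56, 0x3000)  # SizeOfImage
    struct.pack_into("<I", hdr, opt + 108, 16)  # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 112 + 8 * IMPORT_DIR, idata_rva, 20 * (len(dlls) + 1))
    for i, (name, rva) in enumerate([(b".text", 0x1000), (b".idata", idata_rva)]):
        struct.pack_into("<8sIIII", hdr, opt + 240 + 40 * i, name, 0x1000, rva, 0x1000, rva)
    return bytes(hdr) + bytes(0x1000) + bytes(idata)
```

Run against the real dump, a count like the post's 3 rather than 543 means the rebuilt import table never made it into the file, and a `size_of_image` far from the value in Scylla's log means the wrong module was selected in the drop-down; both are the checks the post makes by eye. The walk follows OriginalFirstThunk when it is set and falls back to FirstThunk otherwise, so it also reads dumps whose lookup table was left empty by the rebuild.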

----------


## doityourself

> Download and install x64dbg from:
> 
> x64dbg
> 
> Launch the x64dbg version that is the same as your wow.exe version (x64 or x32)
> 
> I do not think we can run the OverwatchDumpFix on the Wow.exe because attaching the debugger to wow crashes the wow.exe. 
> OverwatchDumpFix also appears to be x64 only, so not sure you could use it on the x32 wow.exe, if there was a way to attach the debugger and not crash wow
> 
> ...


Use ScyllaHide and attach with it. Then you can use the Overwatch dump plugin on x64.

----------


## zdohdds

Thanks for the method, but I don't want to download Overwatch to dump imports.

----------


## counted

A couple people sent me private requests to share my IDA database. I would rather teach people how to fish instead of fishing for them.

Download the 15662 Mac OS binary from the Sticky Binary Collection thread. This binary was released with a lot of functions and variables named.

Download BinDiff from zynamics.com - Software; it is now free to download.

Install the IDA plugin and set the parameters to prioritize string matching and call hierarchy.

Run a diff and start building your own ida database. You can also look through the Offset Threads and start to search and find and name stuff that way.

You can also compare Script_ functions and start building info that way.

Example Find Script_Dismount in Mac OS binary

Open up your freshly memory dumped 25021 binary in IDA and run the auto analysis.

Note: I like to set up IDA with Options->General, Address Representation, Function Offsets = Checked and Number of Opcode Bytes = 10.

When it is done, select View->Sub View->Strings.

This will load a window with all of the strings that IDA found.

Do a search in this window for "Dismount".

After you find it, double click on it to go to the location of the string.

You will see a reference aDismount to the left of the string.

Single click on aDismount to select it and then press "x" to generate a list of code that refers to this location.

It should be one reference that is in the .data segment; highlight it and click OK.

In the .data section you should see an "aDismount" reference and directly below it a sub_deadbeef reference, where deadbeef is the address of a subroutine.

Double click on sub_deadbeef.

This is the Script_Dismount routine in the current binary. You can now start to compare the Mac OS binary structure to this routine and very quickly see that the call statement at Script_Dismount + 0x1c is CGUnit_C__Dismount, and further that the call in CGUnit_C__Dismount + 0x3f is CGUnit_C::OnMountDisplayChanged.

From here it is a matter of exploring.

That is how I got started.



Good luck...
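The same string-to-xref-to-subroutine walk, as an added example that is not from counted's post: a Python scan that recovers every (name pointer, function pointer) pair in a .data range instead of only the one for "Dismount". The post shows that layout for a single entry; treating such entries as a table of pairs, the x64 image base 0x140000000 and the section ranges are assumptions made for the constructed sample, and the keys it returns are the Lua-facing names ("Dismount"), not the Script_ symbol names from the Mac binary. On a real dump, take the three ranges from the section table and pass the raw bytes of .text, .rdata and .data.

```python
"""Recover (name, handler) pairs the way the post's string-xref walk does, for a whole region.

Added example, not from the original post. The post finds Script_Dismount by hand: the
"Dismount" string's only xref is a .data entry holding the string pointer with a function
pointer directly below it. This scans .data for every such pair. Treating those entries
as a table, the image base 0x140000000 and the section ranges are assumptions made for
the constructed sample.
"""
import struct

IMAGE_BASE = 0x140000000  # assumed default base of an x64 PE; not taken from the post


class Image:
    """Three sections of an x64 image as (start_va, bytes) pairs."""

    def __init__(self, text, rdata, data):
        self.text, self.rdata, self.data = text, rdata, data

    def read_cstr(self, va, maxlen=64):
        """Printable NUL-terminated string at va inside .rdata, else None."""
        start, blob = self.rdata
        if not start <= va < start + len(blob):
            return None
        off = va - start
        end = blob.find(b"\0", off, off + maxlen)
        if end <= off or not all(0x20 <= c < 0x7F for c in blob[off:end]):
            return None
        return blob[off:end].decode()

    def in_text(self, va):
        start, blob = self.text
        return start <= va < start + len(blob)


def find_script_table(img, ptr_size=8):
    """Scan .data one pointer at a time for (name_ptr, func_ptr): name_ptr must reach a
    printable string in .rdata and func_ptr must land in .text. Returns {name: func_va}."""
    fmt = "<Q" if ptr_size == 8 else "<I"
    start, blob = img.data
    found = {}
    for off in range(0, len(blob) - 2 * ptr_size + 1, ptr_size):
        name_ptr = struct.unpack_from(fmt, blob, off)[0]
        func_ptr = struct.unpack_from(fmt, blob, off + ptr_size)[0]
        name = img.read_cstr(name_ptr)
        if name is not None and img.in_text(func_ptr):
            found[name] = func_ptr
    return found


def build_sample_image():
    """Constructed sample: three handler names in .rdata, one handler slot per name in
    .text, and the registration pairs in .data surrounded by zeros and two decoy pairs."""
    text_va, rdata_va, data_va = IMAGE_BASE + 0x1000, IMAGE_BASE + 0x2000, IMAGE_BASE + 0x3000
    names = ["Dismount", "GetNumRegions", "IsMounted"]
    rdata, name_vas = bytearray(), {}
    for n in names:
        name_vas[n] = rdata_va + len(rdata)
        rdata += n.encode() + b"\0"
    rdata += b"\xff\xfe\0"  # non-printable filler that must never be reported as a name
    text = bytes(0x100)  # bodies are irrelevant to the scan; only the address range matters
    handlers = {n: text_va + 0x10 * (i + 1) for i, n in enumerate(names)}
    data = bytearray(16)  # leading zero pair: neither pointer resolves
    for n in names:
        data += struct.pack("<QQ", name_vas[n], handlers[n])
    data += struct.pack("<QQ", rdata_va + 0x5000, text_va)  # decoy: string pointer outside .rdata
    data += struct.pack("<QQ", name_vas["Dismount"], 0)  # decoy: function pointer outside .text
    data += bytes(16)
    return Image((text_va, text), (rdata_va, bytes(rdata)), (data_va, bytes(data)))
```

The scan steps by one pointer rather than one pair so it does not depend on where the table starts; a false hit needs a string pointer immediately followed by a code pointer, which is rare in .data outside such tables. Each value it returns is the sub_deadbeef the post has you double-click, and the name beside it is what you match against the Mac binary's Script_ routine of the same name.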

----------


## doityourself

> Thanks for the method, but I don't want to download Overwatch to dump imports.


you don't need overwatch...

----------


## counted

I dump the 32-bit binary with the above method WITHOUT overwatchdumpfix.

----------


## doityourself

> I dump the 32-bit binary with the above method WITHOUT overwatchdumpfix.


imports fixed?

----------


## zdohdds

> you don't need overwatch...


Yes, already understood. To be honest, I am far from reverse engineering.

I'm stuck on the 




> Run the Universal Unpacker Manual Reconstruct plugin for the IAT to set imports to the correct color.


And I don't know what to do with it.

Безымянный2.jpg

And how to do imports? :confused:

Безымянный3.jpg

----------


## doityourself

You already missed the part with successfully executing the OW dump script. With IDA 7 you can skip the manual reconstruct part.

----------


## oDev

Is it just me being dumb or does this no longer work in recent versions?

----------


## doityourself

> Is it just me being dumb or does this no longer work in recent versions?


yea its you :P

----------


## oDev

> yea its you :P


Thanks for the reply, was enough to motivate me to keep trying. Totally forgot to change the target module name when building overwatch dump fix. Working fine now  :Big Grin:

----------


## Linwood

Is the method still valid?

I'm stuck at "IAT Autosearch"; it found nothing with build 7.3.2.25549

----------


## doityourself

> Is the method still valid?
> 
> I'm stuck at "IAT Autosearch"; it found nothing with build 7.3.2.25549


yes its still working

----------


## Linwood

Did you use OverwatchDumpFix before? Because I can't run this command; it says PE header etc. Overwatch not found

----------


## pogob

If you ran the fix on an earlier version, check the db folder inside x32 or x64 (x64dbg\release\x32\db) and delete anything that's there. I had the same issue and this fixed it.

----------


## CrazyCo

Tried using dumpfix command after using Scyllahide (and without) doesn't seem to work, getting error unable to find patch to Overwatch.exe

Changed target name from Overwatch to World of Warcraft and using x64dbg as admin. Deleted db folder contents but nothing.

----------


## doityourself

> Tried using dumpfix command after using Scyllahide (and without) doesn't seem to work, getting error unable to find patch to Overwatch.exe
> 
> Changed target name from Overwatch to World of Warcraft and using x64dbg as admin. Deleted db folder contents but nothing.


you are using a wrong target name

----------


## Candyboy

Where could I find OverwatchDumpfix.exe and Overwatch.exe ?
Why is nothing to do with wow.exe in the 6 steps?
Thank you very much.

PS: I'm trying to dump wow build 3.3.5 just for getting frame text.

----------


## xalcon

wow 3.3.5 doesn't have this protection. Just decompile the wow binary with any decompiler; no need for a runtime dump.

----------


## Candyboy

That's good news. @xalcon, would you mind showing me the steps for how to dump 3.3.5 memory? I'm new to this, and can't finish it without clear steps.

THANKS

----------


## Saridormi

> That's good news. @xalcon, would you mind showing me the steps for how to dump 3.3.5 memory? I'm new to this, and can't finish it without clear steps.
> 
> THANKS


Why do you want to dump the 3.3.5 client from memory?

You almost certainly don't need to.

----------


## Candyboy

> Why do you want to dump the 3.3.5 client from memory?
> 
> You almost certainly don't need to.


I want to learn how to read text from frame . Counted told me I need to dump client from memory and reverse Script_GetNumRegions and GetText() functions using ida. 
Could you do it for me ? It's too hard for me to dump and reverse.

https://www.ownedcore.com/forums/wor...rame-text.html (Help with GlueDialog Frame Text)

----------


## xalcon

No, you don't need to dump wow from memory if it's 3.3.5. Just open the binary with IDA or any other decompiler.

Also, counted gave you a step-by-step guide to do it. Maybe you should learn the basics first if you aren't able to follow his guide. There is a book thread with some really good books. The internet is full of guides. Learn x86 assembler, the PE file format (I assume you are on Windows), how C++ code looks in memory by reversing your own code, etc.

Most people are not willing to spoonfeed someone else when he isn't even able to click the "dump" button in an x64dbg plugin. Which, again, you don't need for 3.3.5.

----------


## counted

> I want to learn how to read text from frame . Counted told me I need to dump client from memory and reverse Script_GetNumRegions and GetText() functions using ida. 
> Could you do it for me ? It's too hard for me to dump and reverse.
> 
> https://www.ownedcore.com/forums/wor...rame-text.html (Help with GlueDialog Frame Text)


I did not know you were working on the 3.3.5 binary. The example I gave you and the offsets were based off of the current x64 binary, which you would have to dump from memory to learn how to find them and use that knowledge to find them in the 3.3.5 binary. Sorry if I confused you.

----------


## AmazingDisgrace

Hi, I'm trying to dump the 8.0.1.27291 client with x64dbg (Jul 19 2018 version), and I'm having trouble with the OverwatchDumpFix plugin. 

I've built the plugin in VS2013 from the latest source code (5.0.2) and copied OverwatchDumpFix.dp64 to x64dbg's plugins directory, but after launching x64dbg, the log window says, "[PLUGIN] Failed to load plugin: OverwatchDumpFix.dp64". Manually trying to load it with the "loadplugin OverwatchDumpFix" command gives the same error. If I remove the file, the error message is "Cannot find plugin", so it's clearly able to see it, but just can't load it for some reason. Is anyone else having problems with this?

----------


## vegoo

> Hi, I'm trying to dump the 8.0.1.27291 client with x64dbg (Jul 19 2018 version), and I'm having trouble with the OverwatchDumpFix plugin. 
> 
> I've built the plugin in VS2013 from the latest source code (5.0.2) and copied OverwatchDumpFix.dp64 to x64dbg's plugins directory, but after launching x64dbg, the log window says, "[PLUGIN] Failed to load plugin: OverwatchDumpFix.dp64". Manually trying to load it with the "loadplugin OverwatchDumpFix" command gives the same error. If I remove the file, the error message is "Cannot find plugin", so it's clearly able to see it, but just can't load it for some reason. Is anyone else having problems with this?


Try to use standard Scylla plugin with x64dbg first. king48488 pointed out before that without using OverwatchDumpFix some imports are missing, but I don't use it personally and normal Scylla import fix works great for updating my offset list.

----------


## doityourself

> Try to use standard Scylla plugin with x64dbg first. king48488 pointed out before that without using OverwatchDumpFix some imports are missing, but I don't use it personally and normal Scylla import fix works great for updating my offset list.


like 90%+ of all imports are missing without that. maybe even more

----------


## sendeos23

> Hi, I'm trying to dump the 8.0.1.27291 client with x64dbg (Jul 19 2018 version), and I'm having trouble with the OverwatchDumpFix plugin. 
> 
> I've built the plugin in VS2013 from the latest source code (5.0.2) and copied OverwatchDumpFix.dp64 to x64dbg's plugins directory, but after launching x64dbg, the log window says, "[PLUGIN] Failed to load plugin: OverwatchDumpFix.dp64". Manually trying to load it with the "loadplugin OverwatchDumpFix" command gives the same error. If I remove the file, the error message is "Cannot find plugin", so it's clearly able to see it, but just can't load it for some reason. Is anyone else having problems with this?


Hi AmazingDisgrace, 
Did you get anywhere with this? I'm currently having this same issue after building the dumpfix plugin from the latest source on GitHub (5.0.2): '[PLUGIN] Failed to load plugin: OverwatchDumpFix.dp64'

Can anyone confirm their current working method they are using to dump BFA e.g. versions of x64dbg and overwatchDumpFix.dp64 or if there are any special settings for building the dumpfix plugin.

----------


## pogob

> Hi AmazingDisgrace, 
> Did you get anywhere with this? I'm currently having this same issue after building the dumpfix plugin from the latest source on GitHub (5.0.2): '[PLUGIN] Failed to load plugin: OverwatchDumpFix.dp64'
> 
> Can anyone confirm their current working method they are using to dump BFA e.g. versions of x64dbg and overwatchDumpFix.dp64 or if there are any special settings for building the dumpfix plugin.


yeah everything still works. if it worked for you but doesn't anymore you probably forgot to recompile overwatchdumpfix to look for "wow.exe" instead of "wow-64.exe", after 8.0  :Wink:

----------


## pogob

> Hi, I'm trying to dump the 8.0.1.27291 client with x64dbg (Jul 19 2018 version), and I'm having trouble with the OverwatchDumpFix plugin. 
> 
> I've built the plugin in VS2013 from the latest source code (5.0.2) and copied OverwatchDumpFix.dp64 to x64dbg's plugins directory, but after launching x64dbg, the log window says, "[PLUGIN] Failed to load plugin: OverwatchDumpFix.dp64". Manually trying to load it with the "loadplugin OverwatchDumpFix" command gives the same error. If I remove the file, the error message is "Cannot find plugin", so it's clearly able to see it, but just can't load it for some reason. Is anyone else having problems with this?


try a newer version of Visual Studio and update the project. also, make sure to change the process name that it looks for to "wow.exe"

----------


## h42

> Hi AmazingDisgrace, 
> Did you get anywhere with this? I'm currently having this same issue after building the dumpfix plugin from the latest source on GitHub (5.0.2): '[PLUGIN] Failed to load plugin: OverwatchDumpFix.dp64'
> 
> Can anyone confirm their current working method they are using to dump BFA e.g. versions of x64dbg and overwatchDumpFix.dp64 or if there are any special settings for building the dumpfix plugin.


Had the same issue after switching to a new hardware setup, and with the latest wow version crashing even when attaching with ScyllaHide, I finally got around to looking at this.

The problem boils down to x64dbg switching disassembler engine, deprecating the old Capstone and instead using Zydis. (see this merge)
Longterm it'd probably be best to update the owdumpfix code to support Zydis and make a PR.

If you're just after a quick solution in the short term, download a release of x64dbg from before the switch (this seems to be the last one)
Then recompile with that pluginsdk, and use that version of x64dbg for dumping.

----------------------------

Is anyone else having wow crashes when attaching after 27602 hit? (even with the latest scyllahide fixes from august)
I'm not very experienced in anti-dbg measures, could it be that they added something new this release?

----------


## WiNiFiX

Hopefully this will help people going forward. I have set up a semi-automated auto-dumping system to dump the latest binary to
WoW Dumps
*Note* this is on EU times, so US people have to wait till EU has updated.

----------


## counted

I edited the original post and added more detail for those who are having trouble. If there is something that I missed or have in error please post in this thread and I will edit the procedure. 

Hope this helps clear things up.

----------


## changeofpace

Hi,

I updated the plugin so that it can be used on modern versions of x64dbg. It no longer requires capstone.dll. If you guys experience any issues then open an issue on github and I'll fix it.

GitHub - changeofpace/Overwatch-Dump-Fix: x64dbg plugin which removes anti-dumping and obfuscation techniques from the popular FPS game Overwatch.

----------


## counted

Thanks, I will give it a try and update the procedure!!

----------


## 07neo

> This is the Script_Dismount routine in the current binary. You can now start to compare the Mac Os Binary structure to this routine and very quickly see that the call statement at Script_Dismount + 0x1c is CGUnit_C__Dismount and further that the call in CGUnit_C__Dismount + 0x3f is CGUnit_C::OnMountDisplayChanged


Everything worked great. My issue is I didn't understand the quoted part. A video explaining how to do that part would be greatly appreciated. I also want to know how to make a simple program; let's say, for example, you click a button and the app dismounts you in game. That would help me understand a lot of things and start being creative. I hope you consider my request, and thanks in advance.

----------


## air999

> Everything worked great. My issue is I didn't understand the quoted part. A video explaining how to do that part would be greatly appreciated. I also want to know how to make a simple program; let's say, for example, you click a button and the app dismounts you in game. That would help me understand a lot of things and start being creative. I hope you consider my request, and thanks in advance.


That is not a simple program =) You need to know how to inject your code into the "protected" wow process.

----------


## 07neo

> That is not a simple program =) You need to know how to inject your code into the "protected" wow process.


Would it be as hard when trying it on a client running on my own private server? I just want to learn and setting up a private server isn't that hard and it is risk free.

----------


## counted

> Everything worked great. My issue is I didn't understand the quoted part. A video explaining how to do that part would be greatly appreciated. I also want to know how to make a simple program; let's say, for example, you click a button and the app dismounts you in game. That would help me understand a lot of things and start being creative. I hope you consider my request, and thanks in advance.


The part you are referencing is the easiest part?? 

It is just telling you to compare the Script_Dismount subroutine from the Mac Binary and the subroutine the instruction told you how to find in the current binary.

It sounds like you are not working on the current binary, you talked about running a private server. 

Which binary are you working on?

----------


## 07neo

> The part you are referencing is the easiest part?? 
> 
> It is just telling you to compare the Script_Dismount subroutine from the Mac Binary and the subroutine the instruction told you how to find in the current binary.
> 
> It sounds like you are not working on the current binary, you talked about running a private server. 
> 
> Which binary are you working on?


Well, I don't know about that (if it's the easiest part). Your guide is pretty great and covered everything. And Google helped as well. I'm using the 8.0.1 25153 binary, which is obfuscated. I'm very new to this, and all the diffing tutorials I saw are working with unobfuscated binaries; that's why it's confusing me. The private server thing is just to let you know that I won't be worrying about making the program undetected.

----------


## counted

Once you follow the dumping procedure the binary is "mostly" de-obfuscated. You need to load that binary into IDA and let it do the auto analysis work. After that, obtain a copy of the 64-bit Mac binary I reference, load that into IDA and run the auto analysis. 

After that you compare the two binaries.

The reason you want to use the Mac binary I reference is because it was compiled and released with a lot of subroutines and variables named. This was unintentional by Blizzard and gives us more information to help in reversing the current binary, assuming you can match up code sections. 

This is why I suggest as an example to reverse the Script_Dismount() routine. It is already named along with its subroutines in the Mac binary and it is easy to find in the current binary.

Compare, Match, Take Notes, .....

Move on to other subroutines...

----------


## counted

> Hi,
> 
> I updated the plugin so that it can be used on modern versions of x64dbg. It no longer requires capstone.dll. If you guys experience any issues then open an issue on github and I'll fix it.
> 
> GitHub - changeofpace/Overwatch-Dump-Fix: x64dbg plugin which removes anti-dumping and obfuscation techniques from the popular FPS game Overwatch.


Finally got around to testing this.

I downloaded the latest x64dbg and the latest OverwatchDumpFix and compiled it and ran it.

Worked fine!!

Thanks changeofpace !!!!

----------


## 07neo

> Once you follow the dumping procedure the binary is "mostly" de-obfuscated. You need to load that binary into IDA and let it do the auto analysis work. After that, obtain a copy of the 64-bit Mac binary I reference, load that into IDA and run the auto analysis. 
> 
> After that you compare the two binaries.
> 
> The reason you want to use the Mac binary I reference is because it was compiled and released with a lot of subroutines and variables named. This was unintentional by Blizzard and gives us more information to help in reversing the current binary, assuming you can match up code sections. 
> 
> This is why I suggest as an example to reverse the Script_Dismount() routine. It is already named along with its subroutines in the Mac binary and it is easy to find in the current binary.
> 
> Compare, Match, Take Notes, .....
> ...


Ohh thanks. I thought you used the mac binary cause you're on mac. Now it makes sense. Thanks again.

----------


## badusername1234

I've tried following this for Classic and have built/added the ScyllaHide and OverwatchDumpFix plugins, both of them work (or at least appear to) without error. However, when I run IAT Autosearch in Scylla it tells me that the results of normal and advanced search are different. If I select to use the advanced search result and then click GetImports, then it will find 565 valid APIs and miss 2 APIs. Now if I click Dump, it will tell me "Error: Cannot dump image". Does anyone know how to fix this?

----------


## plecharts

> I've tried following this for Classic and have built/added the ScyllaHide and OverwatchDumpFix plugins, both of them work (or at least appear to) without error. However, when I run IAT Autosearch in Scylla it tells me that the results of normal and advanced search are different. If I select to use the advanced search result and then click GetImports, then it will find 565 valid APIs and miss 2 APIs. Now if I click Dump, it will tell me "Error: Cannot dump image". Does anyone know how to fix this?


Use the x64dbg linked in the main post

----------


## badusername1234

> Use the x64dbg linked in the main post



Oh cheers, I should have tried that. I used the one that Namreeb linked in a recent post because I figured it fixed an issue I'd run into but it seems to have just worked

----------


## xkyii

> Oh cheers, I should have tried that. I used the one that Namreeb linked in a recent post because I figured it fixed an issue I'd run into but it seems to have just worked


Does it work for Wow Classic 1.13.2.31727 now? I tried with x64dbg(snapshot_2019-09-01_17-37) and failed at Dump step with "Error: Cannot dump image".

----------


## badusername1234

> Does it work for Wow Classic 1.13.2.31727 now? I tried with x64dbg(snapshot_2019-09-01_17-37) and failed at Dump step with "Error: Cannot dump image".


Dumping only seems to work with the specific version linked at the beginning of the thread, just get that one for dumping with

Don't ask me how to get it to debug though because I haven't tried to get that working yet

----------


## xkyii

> Dumping only seems to work with the specific version linked at the beginning of the thread, just get that one for dumping with
> 
> Don't ask me how to get it to debug though because I haven't tried to get that working yet


Thank you buddy! :Embarrassment: 

Of course the next question is how to debug...

_Wow_dump.exe_ and _Wow_dump_SCY.exe_ can't run directly; more work is needed to do this, right?

Or can it only be statically but not dynamically debugged?

----------


## badusername1234

> Thank you buddy!
> 
> Of course the next question is how to debug...
> 
> _Wow_dump.exe_ and _Wow_dump_SCY.exe_ can't run directly; more work is needed to do this, right?
> 
> Or can it only be statically but not dynamically debugged?


You don't want to run either of those files, you should open wow_dump_scy.exe in ida or whatever you're using. Debug the actual game instead of the dump file, though I'm not sure how to make that work properly atm

----------


## NoxiaZ

Hi,

I'm starting to get tired that I can't get this to work, and it seems to be working for everyone else besides me... :/
So now I have to ask, what am I doing wrong? I'm following step by step, but with no luck. I have to say that C++ isn't my strongest side, and therefore I'm not able to solve the build errors I get.



1. I download x64dbg from: Download x64dbg from SourceForge.net 
2. I unzip into "D:\Temp\WoW\x64dbg", run the exe file located in "D:\Temp\WoW\x64dbg\release\x64" and close the program again
3. I download ScyllaHide from GitHub - x64dbg/ScyllaHide: Advanced usermode anti-anti-debugger, by pressing "Download ZIP" 
4. I unzip it to "D:/Temp/WoW/ScyllaHide-master"
5. I open ScyllaHide.sln to build the project
6. In VS, I change Win32 to x64. After that I click "Build" -> "Rebuild solution"
7. First I see 3 errors "Cannot open include file: 'idp.hpp': No such file or directory" in the project ScyllaHideIDAProPlugin, but when I press build again they disappear.
8. I go to the build folder "D:\Temp\WoW\ScyllaHide-master\build\Debug\x64" and locate "HookLibraryx64.dll" and "ScyllaHideX64DBGPlugin.dp64"
9. I copy the files to the plugin folder for x64dbg as written.
10. Now I have to run the file "PDBReaderx64.exe", but this is not located anywhere on my hard drive


I have no clue how to get this file; I have been searching for it everywhere, but can't find it. So again, what am I doing wrong?

----------


## SailorMars

> Hi,
> 
> I'm starting to get tired that I can't get this to work, and it seems to be working for everyone else besides me... :/
> So now I have to ask, what am I doing wrong? I'm following step by step, but with no luck. I have to say that C++ isn't my strongest side, and therefore I'm not able to solve the build errors I get.
> 
> 
> 
> 1. I download x64dbg from: Download x64dbg from SourceForge.net 
> 2. I unzip into "D:\Temp\WoW\x64dbg" - Run the exe file located in "D:\Temp\WoW\x64dbg\release\x64" and close the program again
> ...


It should work on the latest wow version (as of 9 Nov 2019). This was the one I tried successfully.
1) Make sure you run the x64 version of x64dbg.
2) You should try using the compiled binary of ScyllaHide (click the "release" tab and choose ScyllaHide_2019-05-31_22-45.7z) instead of compiling from the source. You need to generate an NtApiCollection.ini for your OS by running PDBReaderx64.exe. This exe is not included in the source code. Probably this is the step you missed.
3) I encountered the "missing idp.hpp" problem too, but I guess it is irrelevant since it is the plugin for IDA and we need a plugin for x64dbg only, which can be generated successfully (for me). Anyway, you don't need to compile from the source; just use the pre-compiled binary.

----------


## NoxiaZ

> It should work on the latest wow version (as of 9 Nov 2019). This was the one I tried successfully.
> 1) Make sure you run the x64 version of x64dbg.
> 2) You should try using the compiled binary of ScyllaHide (click the "release" tab and choose ScyllaHide_2019-05-31_22-45.7z) instead of compiling from the source. You need to generate an NtApiCollection.ini for your OS by running PDBReaderx64.exe. This exe is not included in the source code. Probably this is the step you missed.
> 3) I encountered the "missing idp.hpp" problem too, but I guess it is irrelevant since it is the plugin for IDA and we need a plugin for x64dbg only, which can be generated successfully (for me). Anyway, you don't need to compile from the source; just use the pre-compiled binary.


Thank you so much for your time and answer. This was a great help.

I didn't notice the "release" tab, and now I have generated the NtApiCollection.ini. It seems I need a bit more to be able to build the OverwatchDumpFix; I think it was "v120 build tools", but now I'm updating VS so hopefully I can compile that afterwards.

But again, thank you so much.

----------


## NoxiaZ

I have been trying to compile the project "OverwatchDumpFix", but with no luck, so again I have to ask what I'm doing wrong.

I downloaded it from GitHub - changeofpace/Overwatch-Dump-Fix: x64dbg plugin which removes anti-dumping and obfuscation techniques from the popular FPS game Overwatch. and unzipped it into D:\Temp\WoW\Overwatch-Dump-Fix-master

I have VS 2017 Enterprise installed, and installed nearly all components with "c++" in the name  :Big Grin:  
When I open the SLN file it says that I should retarget the solution. I tried not to do that, but then I get an error about missing VS120 build tools. I have tried everything to install the VS120 build tools, but I can't figure out how to get them without installing VS2013 (which I can't locate anymore).

So I tried retargeting the project instead, but then I'm getting another error: "Cannot open include file: 'Windows.h': No such file or directory" - the same goes for the file "basted.h".
Hope someone can help me again.

----------


## counted

I just did a clean git clone of OverwatchDumpFix and opened it with MS Community 2019, and it builds fine, no errors.

Try a clean clone and Visual Studio Community 2019

----------


## NoxiaZ

> I just did a clean git clone of overwatchdumpfix and opened it with MS Community 2019 and it builds fine no errors.
> 
> Try a clean clone and Visual Studio Community 2019


Thank you so much for your reply. I tried compiling it on my laptop from work, also with VS 2017 Enterprise, and that worked perfectly.
So I guess it's something on my computer that causes the problem, but what it is, I don't know.

But now i can continue, so that's perfect.

----------


## badusername1234

Just a note - I tried to do this using the latest versions of everything (latest x64dbg, latest overwatchdumpfix, latest scyllahide) and it seems to have successfully dumped/fixed the wow binary, so maybe there is no longer a need to use the older version of x64dbg

----------


## Hellmessage

123.jpg

Scylla Error

----------


## airjqqq

I have tried several builds of x64dbg and keep getting a Scylla Error pop-up once I click plugin->scylla, even if I attach to the notepad.exe process. Could anyone give me some hints?

----------


## counted

Are you getting the error with Scylla Hide or Scylla Dump?

----------


## airjqqq

At the time I click Plugin->Scylla, just after running the OverwatchDumpFix command, it shows "Exception! Please report it! OS: 4563000A".

----------


## airjqqq

Solved by using VMware. Might be some software I installed on my host system that triggered the error.

----------


## chlycooper

> Solved by using VMware. Might be some software I installed on my host system that triggered the error.


How did you do it? I'm on Win10 and got the same problem. Run x64dbg in VMware only, or WoW as well?

----------


## yezheyu

OverwatchDumpFix execution error:
Error: failed to deobfuscate the remote IAT.
Error: failed to rebuild imports.

What shall I do?

----------


## bigofsmall

Hi guys, 

I have two problems.
1) "Run PDBReaderx64.exe from the ScyllaHide build folder to generate the NtApiCollection.ini file for your particular operating system."
I can't find PDBReaderx64.exe, where should I get it?
2) "Copy OverwatchDumpFix.dp64 to the x64dbg->x64->plugins"
I also can't find this file. Shall I rebuild the source code?

Thanks in advance.

----------


## charles420

I would rebuild the source code, since the modded one that works is not compiled, I believe. Skip your step 1.

----------


## matkhl

My wow.exe just crashes when I click on attach. I did everything exactly as in the description. Any ideas how to fix that?

----------


## PinkFlower

> My wow.exe just crashes when I click on attach. I did everything exactly as in the description. Any ideas how to fix that?


Start wow suspended, then attach Scylla like normal. Works for me.

I use my own tool to fix imports so no clue if that would conflict with your setup.
Anyway, if you are that desperate you can always use some of my dumps while you get comfortable with x64dbg. 

My dump archive: pinkflowekx74wbxtdu3oiv2gjnryd3lcgk34dknwoeovgnq3ynt2lad.onion

----------


## Wolfone7

What am I doing wrong? I don't have all ~543 imports. I did everything according to the instructions. 2021-10-27.png Help me plzzz)))

----------


## PinkFlower

> What am I doing wrong? I don't have all ~543 imports. I did everything according to the instructions. 2021-10-27.png Help me plzzz)))


Import pointers are not directly pointing to the function call, therefore Scylla doesn't resolve them correctly.
You will have to compute the imported functions and overwrite the pointers. This can be done using a plugin that has been floating around (not sure if it is up to date for WoW).

----------


## Razzue

> What am I doing wrong? I don't have all ~543 imports. I did everything according to the instructions. 2021-10-27.png Help me plzzz)))


The plugin mentioned by PinkFlower is likely OverwatchDumpFix, which does alright for Classic and live, and surprisingly even some other games.
ChangeOfPace's GitHub link: GitHub - changeofpace/Overwatch-Dump-Fix: x64dbg plugin which removes anti-dumping and obfuscation techniques from the popular FPS game Overwatch. (Possibly a better modified one kicking around somewhere)

Alternatively, Namreeb's dumper still works fine with all clients (and again, surprisingly, with other Blizz games). This is personally what I'm using "if" I need to get a patched binary.
Namreeb's GitHub link: GitHub - namreeb/dumpwow: Unpacker for World of Warcraft

Pink also provided that beautiful link, though I haven't had a chance to peek at any of their dumps quite yet (reallllly tempted to look at the Overwatch dumps though  :Wink:  )

----------


## Archos

I am curious how relevant this guide still is. I have updated the original steps below as some are no longer needed.

1. Download and install x64dbg (installed the latest, as OverwatchDumpFix has been updated to use XED)
2. Launch x64dbg once to create the plugins folder in the x64 folder, then close x64dbg
3. Download/Build ScyllaHide
4. Copy the following files from the ScyllaHide x64 build to x64dbg->x64->plugins
   HookLibraryx64.dll
   ScyllaHideX64DBGPlugin.dp64
5. Download/Build OverwatchDumpFix
6. Copy OverwatchDumpFix.dp64 to x64dbg->x64->plugins
7. Launch x64dbg
8. Select ScyllaHide->Options
9. Create a new profile, name it wow [ or whatever you want ] and select the following
   9.a Click Apply
   9.b Click Ok
10. Launch WoW and log into a trash account and character.
11. Once in game
   11.a Select the ScyllaHide Attach menu
   11.b Click on the crosshair, hold the mouse button down, hover over the WoW window and release.
   11.c You should see the WoW PID (process ID) and app name populate in the attach window.
   11.d Click Attach
   11.e WoW should FREEZE and NOT CRASH at this point.
12. Type OverwatchDumpFix into the command window
13. Select the Scylla menu now [ not ScyllaHide ]
14. Wow.exe will already be selected; reselect it anyway.
   14.a Click IAT auto search
   14.b Select Get Imports and you should see something like this in the log
   14.c You should get several hundred "API(s) found"
   14.d Select "Dump" and save the file
   14.e Select "Fix Dump" and select the file you saved in step 14.d
   Note: The result will be saved in the same directory as the first file with _SCY added to it.
   14.f Select "PE Rebuild" and select the SCY file saved in step 14.e.
15. Load the file ending with "_SCY" into IDA and after auto analysis you should have all 543 imports in your import window.


After auto analysis is complete in IDA, I click "Edit" then "Plugins" and then "Universal Unpacker Manual Reconstruct" though I am unsure of the memory offset options that should be selected. I have yet to get any x64dbg dump with anywhere near several hundred imports. This is me trying against the retail client (9.2). I also get odd behavior where I get sent back to the WoW login screen the first time I log into a WoW character but before I try to attach.

----------


## Razzue

> I am curious how relevant this guide still is. I have updated the original steps below as some are no longer needed.
> 
> 1. Download and install x64dbg (installed the latest, as OverwatchDumpFix has been updated to use XED)
> 2. Launch x64dbg once to create the plugins folder in the x64 folder, then close x64dbg
> 3. Download/Build ScyllaHide
> 4. Copy the following files from the ScyllaHide x64 build to x64dbg->x64->plugins
>    HookLibraryx64.dll
>    ScyllaHideX64DBGPlugin.dp64
> 5. Download/Build OverwatchDumpFix
> 6. Copy OverwatchDumpFix.dp64 to x64dbg->x64->plugins
> ...


If you're having issues with ODF, just use the dumper I linked directly above you by namreeb. Works fine on all Classics and retail. I personally don't follow the OP method anymore, as my WoW clients auto close on ScyllaHide attach 🙃

----------


## Razzue

--double post--

----------


## Archos

Thank you for the info. I am curious if this makes any sense?
uvAC1nx.png

----------


## Razzue

> Thank you for the info. I am curious if this makes any sense?
> uvAC1nx.png


If you're looking for the OM offset, you can find the pattern for it in my GitHub; just use the SOM patterns instead of the TBC patterns :P then start digging around the xrefs that use that offset.  :Smile:

----------


## Archos

Ahh, so I guess TBC/SOM and Retail offsets are the same or close?

----------


## Razzue

> Ahh, so I guess TBC/SOM and Retail offsets are the same or close?


For the most part, the majority of the patterns will work between all versions, though field offsets differ vastly from retail. The TBC client is pretty much the same as the retail client now :P

----------


## Archos

Hopefully last question for now, are there any recommended ways for accessing the WoW process memory (read only) from C#?

----------


## Razzue

> Hopefully last question for now, are there any recommended ways for accessing the WoW process memory (read only) from C#?


I just use the generic OpenProcess + Read/WriteProcessMemory calls. Lately I've even started going overboard and using a kernel driver developed with C# as well... But again, that's a tad overkill  :Wink:

----------


## Archos

Should my process run with administrative privileges? I expect I will need to since I want to send key presses using the interception API. Basically, I want to interact with the game client via key presses while obtaining the data I need for executing actions (rotation, etc.) through reading memory.

I apologize also if I have hijacked this thread into something unrelated. I can start a new one if needed.

----------


## Razzue

Admin privs are not required, though make sure WoW/BNet are without admin rights.
If for personal use, Interception is a bit overkill and SendMessage works fine. If selling... I would still not use Interception.. but that's just me :P

Here's a slimmed down version of what my game/keypress handler's like.
You can find what I use for generic type reading in my dumpers client class as well  :Smile: 



```
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Threading;

// Imports and Stamp are helper classes the post does not include; minimal
// versions are filled in here so the snippet compiles on its own.
internal static class Imports
{
    internal const uint ALL_ACCESS = 0x1F0FFF; // PROCESS_ALL_ACCESS
    internal const uint WM_KEYDOWN = 0x0100;
    internal const uint WM_KEYUP = 0x0101;

    [DllImport("kernel32.dll", SetLastError = true)]
    internal static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);

    [DllImport("user32.dll", SetLastError = true)]
    internal static extern bool PostMessage(IntPtr hWnd, uint msg, IntPtr wParam, IntPtr lParam);
}

internal static class Stamp
{
    // Unix timestamp in milliseconds (the post describes Stamp as a class that
    // converts a unix timestamp to ms, s or m).
    internal static long Milliseconds => DateTimeOffset.UtcNow.ToUnixTimeMilliseconds();
}

internal class Client
{
    private static IntPtr Handle;
    private static IntPtr Window;          // main window of the attached client; not declared in the post
    private static Process _active;
    private static List<Process> _procs;

    // Collect the running WowClassic processes.
    internal static bool Search()
    {
        try
        {
            _procs = new List<Process>();
            var cProcs = Process.GetProcessesByName("WowClassic");
            if (cProcs.Length > 0)
                _procs.AddRange(cProcs);

            if (null == _procs || _procs.Count <= 0)
                throw new Exception("Could not find any wow clients.");

            return null != _procs && _procs.Count > 0;
        }
        catch (Exception) { return false; }
    }

    // Open a handle to the id-th process found by Search() and remember its window.
    internal static bool Attach(int id)
    {
        try
        {
            _active = _procs[id];
            Handle = Imports.OpenProcess(Imports.ALL_ACCESS, false, _active.Id);
            Window = _active.MainWindowHandle;
            return null != _active && Handle != IntPtr.Zero;
        }
        catch (Exception) { return false; }
    }

    // Kill the attached process and wait up to ~1.25 s for it to exit.
    internal static bool Close()
    {
        try
        {
            if (null == _active)
                throw new Exception("Not attached to a process.");

            var c = 1250;
            _active.Kill();

            while (!_active.HasExited)
            {
                Thread.Sleep(1);
                if (c == 0) break;
                c--;
            }

            if (!_active.HasExited)
                throw new Exception("Process has not exited.");

            return _active.HasExited;
        }
        catch (Exception) { return false; }
    }

    internal static bool Detach()
    {
        try
        {
            _procs = null;
            _active = null;
            return true;
        }
        catch (Exception) { return false; }
    }

    // For key sending: press every key in _Key, hold them for `sleep` ms
    // (busy-waiting on Stamp), then release them.
    internal static void PostFull(int[] _Key, int sleep = 20)
    {
        if (sleep < 20) return;
        foreach (var key0 in _Key)
            Imports.PostMessage(Window, Imports.WM_KEYDOWN, (IntPtr)key0, (IntPtr)1);

        var old = Stamp.Milliseconds;
        long dif = 0;
        while (dif < sleep)
            dif = Stamp.Milliseconds - old;

        foreach (var key1 in _Key)
            Imports.PostMessage(Window, Imports.WM_KEYUP, (IntPtr)key1, (IntPtr)1);
    }

    // Dir == 1 sends key down, any other value key up (the original nested
    // ternary reduces to this).
    internal static void PostHalf(int Dir, int[] _Key)
    {
        foreach (var key in _Key)
            Imports.PostMessage(Window, Dir == 1 ? Imports.WM_KEYDOWN : Imports.WM_KEYUP, (IntPtr)key, IntPtr.Zero);
    }
}
```

----------


## doityourself

> If you're having issues with ODF, just use the dumper I linked directly above you by namreeb. Works fine on all Classics and retail. I personally don't follow the OP method anymore, as my WoW clients auto close on ScyllaHide attach 🙃


if used wrong, yes

----------


## Archos

> if used wrong, yes


I did have instances in which I could attach x64dbg to the WoW client process without it crashing but I could not seem to get the correct number of imports to populate.

----------


## Archos

> Admin privs are not required, though make sure WoW/BNet are without admin rights.
> If for personal use, Interception is a bit overkill and SendMessage works fine. If selling... I would still not use Interception.. but that's just me :P
> 
> Here's a slimmed down version of what my game/keypress handler's like.
> You can find what I use for generic type reading in my dumpers client class as well 
> 
> 
> 
> ```
> ...


This is strictly personal use.

I noticed a JSON file is created along with a CS file. I assume you have a program that uses a combination of the Offset_Manager class in the CS file and info from JSON to read data from the process memory?

----------


## Razzue

> This is strictly personal use.
> 
> I noticed a JSON file is created along with a CS file. I assume you have a program that uses a combination of the Offset_Manager class in the CS file and info from JSON to read data from the process memory?


The JSON is just a collection of the selected patterns in a .JSON value (allows users to edit names/patterns, add new entries etc instead of editing them in source, and needing to re-compile) the .CS is what I use to read game memory  :Smile: 

I use a slightly altered version that posts results to a database, with the idea to be running this on a PC/VM and auto dump wow whenever it updates, plus a nice lil discord bot to ping me if a pattern ever fails (produces 0x0 or 0x30096)

----------


## Archos

How do you know the type of the data being read from the offset?

----------


## Razzue

> How do you know the type of the data being read from the offset?


GitHub - mmalka/TheNoobBot: TheNoobBot is a bot for World of Warcraft live.

GitHub - Lbniese/LazyBot: Currently supports WoW Version: 6.1.0 19702

And hours upon hours spent searching through this forum ++ a lot of guesswork  :Wink:  And of course with the help of some of the peeps that were in this forum regularly.

----------


## Archos

> GitHub - mmalka/TheNoobBot: TheNoobBot is a bot for World of Warcraft live.
> 
> GitHub - Lbniese/LazyBot: Currently supports WoW Version: 6.1.0 19702
> 
> And hours upon hours spent searching through this forum ++ a lot of guesswork


I know what you mean. I have been at a party for the last 3 hours browsing OwnedCore on my iPhone. Would it be good if I store offset and type (string/int) together?

----------


## Archos

Looks like I have more research to do. I am stuck at the point in which I use the offset to get the value from memory. I assumed it was something like 

```
Client.ReadBytes(new IntPtr(pair2.Value.ToInt64() + Client.Base.ToInt64()), 8)
```

 or 

```
Client.ReadProcessMemory
```

 but it seems I am way off.

----------


## Archos

I am hoping someone can confirm what finally clicked in my head:

The data we are looking for is represented by the "wildcards" in a pattern. Example:
Pattern for Player GUID


```
"48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 83 BC 24 ?? ?? ?? ?? ?? 7C ?? 48 8B 8C 24 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 45 33 C9 45 8D 41 ?? E8 ?? ?? ?? ?? 48 81 C4"
```

The data starts at the first ?? with each ?? representing the data we want to extract.
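As an added example (mine, not from this thread or from any of the dumpers linked above): a wildcard pattern scan over a byte image, followed by resolving the RIP-relative displacement of the `lea rcx, [rip+disp32]` (48 8D 0D) that opens the posted pattern into a module-relative offset, the kind of value the `ReadBytes(base + offset)` call earlier in the thread consumes. The byte image is constructed, and the 7-byte instruction layout and 0x140000000 image base are assumptions.

```python
import re
import struct

# The Player GUID pattern posted above; "??" is a one-byte wildcard.
PLAYER_GUID_PATTERN = ("48 8D 0D ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 83 BC 24 ?? ?? ?? ?? ?? 7C ?? "
                       "48 8B 8C 24 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 45 33 C9 45 8D 41 ?? "
                       "E8 ?? ?? ?? ?? 48 81 C4")


def compile_pattern(pattern: str) -> re.Pattern:
    """Turn an IDA-style byte pattern into a bytes regex ('??' -> any single byte)."""
    parts = [b"." if tok == "??" else b"\\x%02x" % int(tok, 16) for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def find_unique(buf: bytes, pattern: str) -> int:
    """Offset of the pattern in buf, or -1 if it is absent or ambiguous (hit count != 1)."""
    hits = [m.start() for m in compile_pattern(pattern).finditer(buf)]
    return hits[0] if len(hits) == 1 else -1


def resolve_rip_relative(buf: bytes, image_base: int, insn_off: int,
                         disp_at: int = 3, insn_len: int = 7) -> int:
    """x64 RIP-relative operand: target = address of the *next* instruction + signed disp32.
    Defaults fit the 7-byte 'lea rcx, [rip+disp32]' (48 8D 0D xx xx xx xx)."""
    disp = struct.unpack_from("<i", buf, insn_off + disp_at)[0]
    return image_base + insn_off + insn_len + disp


def module_offset(buf: bytes, image_base: int, pattern: str):
    """What a dumper stores: resolved address minus image base, or None if the scan failed."""
    off = find_unique(buf, pattern)
    if off < 0:
        return None
    return resolve_rip_relative(buf, image_base, off) - image_base


def build_sample(disp: int) -> bytes:
    """Constructed stand-in for a dumped .text section (not real game bytes):
    nop padding, the pattern with wildcards filled by 0xAA and disp32 = disp, ret padding."""
    body = bytearray(0xAA if tok == "??" else int(tok, 16) for tok in PLAYER_GUID_PATTERN.split())
    struct.pack_into("<i", body, 3, disp)
    return b"\x90" * 0x20 + bytes(body) + b"\xC3" * 0x10


if __name__ == "__main__":
    base = 0x140000000                      # assumed image base
    img = build_sample(0x1234)
    print(hex(find_unique(img, PLAYER_GUID_PATTERN)))           # 0x20
    print(hex(module_offset(img, base, PLAYER_GUID_PATTERN)))   # 0x125b
```

A pattern that hits zero or more than one place is reported as a failure rather than returning the first hit, which is the case Razzue's "pattern ever fails" alert is watching for.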

----------


## qop1832

GitHub - Razzue/Wow-Dumper: A simple wow offset dumper
You can take a look at the Razzue project.

----------


## Archos

> Start wow suspended, then attach Scylla like normal. Works for me.
> 
> I use my own tool to fix imports so no clue if that would conflict with your setup.
> Anyway, if you are that desperate you can always use some of my dumps while you get comfortable with x64dbg. 
> 
> My dump archive: pinkflowekx74wbxtdu3oiv2gjnryd3lcgk34dknwoeovgnq3ynt2lad.onion


Any chance that you have an updated client (latest retail is 9.2.0.43340)?

----------


## Smarter

I cannot seem to get more than 44-48 imports, so frustrating.

----------

