Overwatch Debug Dumper Fix

Overwatch Debug Dumper Fix is an x64dbg plugin which, used together with Scylla and IDA Pro, lets you dump the complete in-memory image of Overwatch.exe. It deobfuscates and removes the anti-dumping code present within Overwatch so that the process can be dumped with Scylla and the dump opened in IDA Pro.

Dumping a process is a reverse engineering technique for obtaining the unpacked, deobfuscated program image for static analysis.

Overwatch.exe is obfuscated on disk. It is unpacked and/or decrypted at run-time during the TLS callbacks. It uses several anti-dumping tricks to prevent debuggers and dumping tools from dumping Overwatch's "image" region in memory. This plugin removes these tricks so that Scylla, which is bundled with x64dbg, can be used to create a dump file and reconstruct the imports. The dump file is then meant to be disassembled and analyzed with IDA Pro (or whatever other tools you wish to use).

Overwatch Debug Dumper Fix

While there have been other versions of Overwatch Debug Dumper Fix, this is the latest release, version 3.0. It should only be used while Overwatch is offline, as otherwise it could become detectable and result in a suspension or ban. Use it at your own risk.

  • Updated for the new protection tech in Overwatch version 1.8.0.2.34978.
  • Import thunks are now spread across several memory regions. Each thunk consists of multiple blocks chained together with relative jumps.
  • Now using the Capstone disassembler to unpack import thunks.
  • The .rdata section contains 0x1000 bytes of code (it is not clear whether this is new). The plugin splits this page out of .rdata into its own section; IDA will automatically merge the two .text sections.
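The thunk layout described in the release notes (blocks scattered across several regions, chained by relative jumps, ending at an IAT slot) can be walked mechanically. The following is an added Python example and is not code from the plugin: it resolves each thunk entry to the IAT slot the chain ends at and the import address stored there, and refuses to spin forever on a jump cycle. It decodes by hand only the three encodings such a chain needs (EB rel8, E9 rel32, and the FF 25 RIP-relative indirect jump) instead of using Capstone, and the memory regions, addresses and import pointer values are constructed for the example, not taken from Overwatch.

```python
import struct

# Constructed layout: three regions standing in for the unpacked image.
TEXT_BASE = 0x140001000   # page holding the thunk entries the code calls
BLOCK_BASE = 0x140100000  # second region holding scattered thunk blocks
IAT_BASE = 0x140200000    # page holding the import pointers (the "IAT")

# Constructed import addresses; any 64-bit values would do here.
FAKE_CREATEFILE = 0x00007FFABCDE1234
FAKE_GETPROCADDR = 0x00007FFABCDE5678


class Memory:
    """Sparse process memory built from a few (base -> bytearray) regions."""

    def __init__(self, regions):
        self.regions = dict(regions)

    def _locate(self, addr, size):
        for base, buf in self.regions.items():
            if base <= addr and addr + size <= base + len(buf):
                return buf, addr - base
        raise ValueError(f"unmapped access at {addr:#x}")

    def read(self, addr, size):
        buf, off = self._locate(addr, size)
        return bytes(buf[off:off + size])

    def write(self, addr, data):
        buf, off = self._locate(addr, len(data))
        buf[off:off + len(data)] = data


# Encoders for the three instruction forms a thunk chain is built from.
def jmp_rel8(src, dst):
    return b"\xeb" + struct.pack("<b", dst - (src + 2))


def jmp_rel32(src, dst):
    return b"\xe9" + struct.pack("<i", dst - (src + 5))


def jmp_mem_rip(src, slot):
    # jmp qword ptr [rip + disp32]; disp is relative to the next instruction
    return b"\xff\x25" + struct.pack("<i", slot - (src + 6))


def resolve_thunk(mem, addr, max_hops=32):
    """Follow a thunk chain from `addr`; return (iat_slot, import_address)."""
    visited = set()
    while True:
        if addr in visited:
            raise ValueError(f"jump cycle at {addr:#x}")
        if len(visited) >= max_hops:
            raise ValueError(f"more than {max_hops} hops from entry")
        visited.add(addr)
        op = mem.read(addr, 1)[0]
        if op == 0xEB:                                   # jmp rel8
            addr = addr + 2 + struct.unpack("<b", mem.read(addr + 1, 1))[0]
        elif op == 0xE9:                                 # jmp rel32
            addr = addr + 5 + struct.unpack("<i", mem.read(addr + 1, 4))[0]
        elif op == 0xFF and mem.read(addr + 1, 1)[0] == 0x25:  # jmp [rip+disp32]
            slot = addr + 6 + struct.unpack("<i", mem.read(addr + 2, 4))[0]
            target = struct.unpack("<Q", mem.read(slot, 8))[0]
            return slot, target
        else:
            raise ValueError(f"unexpected opcode {op:#04x} at {addr:#x}")


def rebuild_iat_map(mem, entries):
    """Resolve every thunk entry; report failures and keep only the resolved ones."""
    resolved = {}
    for entry in entries:
        try:
            resolved[entry] = resolve_thunk(mem, entry)
        except ValueError as exc:
            print(f"entry {entry:#x}: skipped ({exc})")
    return resolved


def build_sample():
    """Constructed image: two good thunks plus one that loops on itself."""
    mem = Memory({TEXT_BASE: bytearray(b"\xcc" * 0x100),
                  BLOCK_BASE: bytearray(b"\xcc" * 0x100),
                  IAT_BASE: bytearray(b"\x00" * 0x100)})
    # Thunk 1: .text -> block region -> block region -> IAT slot at +8
    mem.write(TEXT_BASE + 0x00, jmp_rel32(TEXT_BASE + 0x00, BLOCK_BASE + 0x10))
    mem.write(BLOCK_BASE + 0x10, jmp_rel8(BLOCK_BASE + 0x10, BLOCK_BASE + 0x20))
    mem.write(BLOCK_BASE + 0x20, jmp_mem_rip(BLOCK_BASE + 0x20, IAT_BASE + 0x08))
    mem.write(IAT_BASE + 0x08, struct.pack("<Q", FAKE_CREATEFILE))
    # Thunk 2: stays inside .text, one short hop, IAT slot at +0
    mem.write(TEXT_BASE + 0x40, jmp_rel8(TEXT_BASE + 0x40, TEXT_BASE + 0x50))
    mem.write(TEXT_BASE + 0x50, jmp_mem_rip(TEXT_BASE + 0x50, IAT_BASE + 0x00))
    mem.write(IAT_BASE + 0x00, struct.pack("<Q", FAKE_GETPROCADDR))
    # Thunk 3: two blocks jumping to each other; must be reported, not followed forever
    mem.write(TEXT_BASE + 0x80, jmp_rel8(TEXT_BASE + 0x80, TEXT_BASE + 0x90))
    mem.write(TEXT_BASE + 0x90, jmp_rel32(TEXT_BASE + 0x90, TEXT_BASE + 0x80))
    return mem


if __name__ == "__main__":
    sample = build_sample()
    for entry, (slot, target) in rebuild_iat_map(
            sample, [TEXT_BASE, TEXT_BASE + 0x40, TEXT_BASE + 0x80]).items():
        print(f"thunk {entry:#x} -> IAT slot {slot:#x} -> import {target:#x}")
```

The map this produces (thunk entry to IAT slot) is what an import rebuilder needs in order to point each call site at a single slot again; the cycle case matters because a chain that never reaches an `FF 25` is exactly the kind of thing an anti-dumping layer can plant to stall a naive walker.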

Syntax:

OverwatchDumpFix [verbose]

Invoking the command with an argument that evaluates to true, e.g. 1, will enable verbose output.

How to use Overwatch Debug Dumper Fix:

x64dbg

  1. Attach x64dbg to Overwatch.exe, then execute the OverwatchDumpFix command.
  2. Open Scylla from x64dbg's "Plugins" menu, then select Overwatch.exe in the "Attach to an active process" drop-down list.
  3. Click "IAT Autosearch".
  4. Click "Get Imports".
  5. Click "Dump" to create a dump file.
  6. Click "Fix Dump" and select the dump file from step 5 to reconstruct the imports.
  7. The Scylla output view should say "Import Rebuild success [FILE PATH]".
  8. Click "PE Rebuild" and select the fixed dump file.

IDA Pro

  1. Open the dump file in IDA. Check the "Manual load" and "Load resources" (optional) boxes. Click "OK" / "Yes" for every prompt.
  2. Run the "Universal Unpacker Manual Reconstruct" plugin for the IAT to set imports to the correct color.
  3. Happy reversing.

Notes:

  • This plugin has been tested only while offline on Battle.net.
  • Run x64dbg as Administrator.
  • Use ScyllaHide's "Kill Anti-Attach" option (ScyllaHide is on GitHub).
  • Don't resume the process after attaching.

Download Overwatch Debug Dumper Fix


Final Warning

If you aren't sure what a file dump is for, you probably don't need this Overwatch Debug Dumper Fix tool. Using it without knowing what you are doing can cause an HWID ban, which means you won't be able to play Overwatch at all on that computer, ever again.
