X64dbg plugin: OWImports

[samoray]

""Author: qwerty9384 ""

Description:

Quote

This plugin adds the 'oiu' command to x64dbg. executing the command with the IAT's base address will label all obfuscated winapi imports and log the address / label names in the x64dbg log tab. generated labels are automatically deleted once you stop debugging. behavior is undefined if used on any other address or if you run the command more than once per debug session.

Note: the IAT is dynamically built some time between the second TLS callback and the creation of the second thread.

How to use:

1. click on the "Memory Map" tab in x64dbg.
2. find the first region (lowest address) of virtual memory of size 0x3000. it's always near the top of the mem map table.
3. go to this region's base address in the disassembly view.
4. you should see something like this:
Code:

00000000000B0000 | 48 | MOVABS RAX, iphlpapi.7FEF9F73F33 |
00000000000B000A | 48 | ADD RAX, 39F9 |
00000000000B0010 | 71 | JNO B0014 |

5. click the base address, press 'ALT+INSERT' to copy the address.
6. press 'CTRL+ENTER' to focus the cmd line.
7. type 'oiu ', paste the address, press enter.
8. check the log for the import name / address dump.
9. all labels will be automatically removed when you stop debugging.

Many thanks to the Author

 

OWImports_[unknowncheats.me]_.zip

[Dragon Palace]

why dont have 32 bit version?

[samoray]

let me check with its Author about x32 version.

[mrexodia]

On 11/24/2016 at 11:18 PM, Dragon Palace said:

why dont have 32 bit version?

Overwatch has no 32 bit version, it's a 64 bit executable.