The Initial Plan

Reading information from a game is a mechanic often used by hacks and bots, that would then turn this information into feedback and then input for the client. While we do not want to create a bot, we can actually use the same techniques for reading the game information. The three most common techniques, and the ones I explored in detail are: DLL injection, reading process memory, and using any exported memory files/states.

1. DLL Injection

DLL injection is a technique used for running code within the address space of another process by forcing it to load a dynamic-link library

This allows us to take a bit of code that will export the data, and place it into the form of a dynamic-link library (or DLL). When the program is starting up, we pass this DLL to the process using a DLL injector, at which point our code would be executed by the game client.

Unfortunately for us, DLL injection is a pretty well known technique and Blizzard have many protections in place to prevent against it. In fact, when trying to inject a DLL into the client, it will just crash with no error code.

In regards to modifying any of Blizzard’s DLLs — They are all absolutely monstrous and completely obfuscated, which leaves a lot of work for what should be a simple task. Also, with every minor patch, they will be overwritten with new obfuscated code that may be incompatible with the previous patch.

Therefore, DLL injection or modification is unfeasible.

2. Reading Process Memory

By reading process memory, I am referring to going into the game client’s program space in RAM and searching for certain addresses or values that may contain player information.

This was how StarStream, and most of the StarCraft 2 tools, worked. We would have a table of lookups for information sets that contained the Battle.net ID and username for every player on both teams. I was hoping that this would be the same for Overwatch.

The simplest way to check for process memory protection was to use a program called CheatEngine. Anyone familiar with basic script kiddie hacking games such as ClubPenguin or Runescape would know CheatEngine, which allows a user to browse through a game’s memory space and see all values in hex and ASCII.

However, the second you try and open a process, Overwatch will crash. No matter through CheatEngine, or through the Win32 ReadProcessMemory function, Overwatch can detect the request coming from outside the scope of its code. Some users on dodgy hacking websites have found convoluted work arounds for this access protection, but they can cause game instability and are certainly against Blizzard’s ToS.

Therefore, reading the game’s process memory is not possible.

Demonstration of Overwatch crashing to protect from memory access

3. Finding Exported Information

In StarCraft 2, and other games, the client would often make small registry changes or save state updates in real time to ensure synchronisation with other parts of the system, or for backup purposes. I was hoping to find any file system or registry changes that the Overwatch client made during a game.

I searched for all Overwatch relevant information in the registry. While there were a few keys relating to the client, they were mostly directory addresses or in game settings that weren’t useful to my goal. They also didn’t seem to be updating with any noticeable frequency.

In regards to the file system, while it might be possible to create a new Windows image, play a game of Overwatch, and then search for every file delta in the entire file system, I did not do this. I simply searched in all the common places, AppData, Program Files, Windows, Documents, etc. I didn’t see anything that seemed to contain any useful information. While this was not an exhaustive search, I highly doubt that Overwatch would export information in plaintext to the file system, as it wouldn’t serve any useful purpose to the client.

Therefore, finding any exported information was a fruitless exercise.