Some notes on reverse engineering the Mobalytics Desktop app and its Overwolf-based distribution model, from older Electron builds to the newer Overwolf extension installer, including how Overwolf tags installers, resolves extension metadata, and downloads app.opk packages.
Overwolf:
- https://www.overwolf.com/
  - When downloading the installer, it tags it with an extension ID, which is read by `OWInstaller.exe` to download / install the extension.
    - `OWInstaller.exe` seems to be a .NET application, and looking at UTF16 strings within it shows some interesting URLs such as:
      - https://install.overwolf.com/install/clean?partnerId={0}&channel={1}&extensionId={3}
        - This seems to provide JSON data including a download link for the `app.opk` (which is just a renamed `.zip` file)
      - https://apps.overwolf.com/prod/OWStoreExtentions.json.gz
        - This seems to provide a full listing of Overwolf plugins that can be installed, including links to download their `app.opk` files.
      - https://apps.overwolf.com/prod/{0}/{1}.json(.gz)
    - The practical download chain is basically:
      - ```
        download.overwolf.com/install/Download?...ExtensionId=<uid>
        -> tagged generic installer
        -> OWInstaller calls install.overwolf.com/install/clean?...extensionId=<uid>
        -> gets OverwolfSetup.7z + app.opk URL
        -> downloads app.opk from appsdl.overwolf.com
        ```
- https://www.overwolf.com/browse-by-game/league-of-legends
  - https://www.overwolf.com/app/mobalytics
    - https://install.overwolf.com/install/clean?partnerId=...&channel=...&extensionId=kccgdmdllebbgifgafjfmcjdgmhoknfhjdnobcho
      - Returns the install manifest for the installer.
        ```json
        {
          "currentVersion": "0.296.3.3",
          "phasedPercent": 100,
          "partnerConfiguration": {
            "dock": [
              {
                "packageId": "kccgdmdllebbgifgafjfmcjdgmhoknfhjdnobcho",
                "url": "https://appsdl.overwolf.com/prod/apps/kccgdmdllebbgifgafjfmcjdgmhoknfhjdnobcho/1.805.1/app.opk"
              },
              {
                "packageId": "aikamiijfggkimenlkhgnkpmofhimhnakmippaco",
                "url": null
              }
            ],
            "logicalExtensions": [],
            "defaultSkinId": null,
            "firstLaunch": "kccgdmdllebbgifgafjfmcjdgmhoknfhjdnobcho"
          },
          "allowWindowsInsider": false,
          "stateTimes": {
            "downloadingSetup": 10000,
            "installer": 10000
          },
          "fullSetup": {
            "url": "https://setup.overwolf.com/0.296.3.3/OverwolfSetup.7z",
            "md5": "f89aee716e8122df19dbb1e34bab93d9",
            "version": "0.296.3.3"
          }
        }
        ```
        - https://appsdl.overwolf.com/prod/apps/kccgdmdllebbgifgafjfmcjdgmhoknfhjdnobcho/1.805.1/app.opk
          - ```
            ⇒ file ~/Desktop/mobalytics-app.opk
            mobalytics-app.opk: Zip archive data, at least v2.0 to extract, compression method=store
            ```
          - Seems a `*.opk` is just a renamed `.zip` file
          - It contains `manifest.json`, `.env.ow`, JS bundles, HTML windows, native DLLs, and `_metadata/verified_contents.json`
  - https://www.overwolf.com/app/trebonius-porofessor.gg
  - https://www.overwolf.com/app/opgg-electron-app
  - and a whole bunch more..
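To make the manifest layout above concrete, here is an added example (not code from Overwolf, Mobalytics or the original notes) that walks the `dock` entries of the `install/clean` response and checks each package URL against its `packageId`. The `resolve_packages` helper, the `.overwolf.com` host check and the `/prod/apps/<packageId>/<version>/app.opk` path layout are assumptions inferred from the single URL quoted above.

```python
import json
from urllib.parse import urlsplit

# Trimmed copy of the install/clean response quoted above (same values).
MANIFEST = json.loads("""
{"partnerConfiguration": {"dock": [
   {"packageId": "kccgdmdllebbgifgafjfmcjdgmhoknfhjdnobcho",
    "url": "https://appsdl.overwolf.com/prod/apps/kccgdmdllebbgifgafjfmcjdgmhoknfhjdnobcho/1.805.1/app.opk"},
   {"packageId": "aikamiijfggkimenlkhgnkpmofhimhnakmippaco", "url": null}],
  "firstLaunch": "kccgdmdllebbgifgafjfmcjdgmhoknfhjdnobcho"}}
""")

# Assumption: inferred from the one URL on this page, not documented by Overwolf.
ALLOWED_SUFFIX = ".overwolf.com"


def resolve_packages(manifest):
    """Map packageId -> (version, url) for dock entries that carry a package URL."""
    resolved = {}
    for entry in manifest["partnerConfiguration"]["dock"]:
        url = entry.get("url")
        if not url:
            continue  # dock entries may have "url": null (second entry above)
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme != "https" or not host.endswith(ALLOWED_SUFFIX):
            raise ValueError(f"unexpected package origin: {url}")
        # Assumed layout: /prod/apps/<packageId>/<version>/app.opk
        segs = parts.path.strip("/").split("/")
        if (len(segs) != 5 or segs[:2] != ["prod", "apps"]
                or segs[2] != entry["packageId"] or segs[4] != "app.opk"):
            raise ValueError(f"URL does not match packageId {entry['packageId']}: {url}")
        resolved[entry["packageId"]] = (segs[3], url)
    return resolved


if __name__ == "__main__":
    for pkg, (version, url) in resolve_packages(MANIFEST).items():
        print(pkg, version, url)
```
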
Extra notes / gotchas about Overwolf exploration:
- The extracted `$PLUGINSDIR` payload does not contain the Mobalytics extension ID.
  - `rg kccgdmdllebbgifgafjfmcjdgmhoknfhjdnobcho $PLUGINSDIR` found nothing.
  - The ID is embedded/tagged in the original downloaded installer EXE near the end:
    - `Sel=1&Extension=kccgdmdllebbgifgafjfmcjdgmhoknfhjdnobcho&Name=Mobalytics%20Desktop&UtmSource=app&UtmMedium=owaa&...`
  - So extracting the NSIS installer loses the most obvious evidence of how `OWInstaller.exe` knows the selected app.
- In the installer web UI, the app ID comes from native code:
  - `Commands.getSelectedAppId()` returns `window.external.information.ExtensionId`
  - The HTML/JS UI delegates actual install/download work to `window.external.control.execute(...)`.
  - The web UI is mostly installer UI/state management, not the package resolver.
- `https://content.overwolf.com/Installer/promo/<extensionId>/index.html` is only promo/progress UI.
  - It is not the extension package source.
  - The real package source is the `appsdl.overwolf.com/.../app.opk` URL returned by `install/clean` / catalog metadata.
- `partnerId` and `channel` do not appear to be required to resolve this specific app package.
  - Even placeholder values still returned the Mobalytics `dock` entry when `extensionId=...` was present.
- `OWStoreExtentions.json.gz` is spelled that way by Overwolf (`Extentions`, typo included).
  - It is a global extension catalog, not just Mobalytics.
  - For Mobalytics it confirmed:
    - `UID`: `kccgdmdllebbgifgafjfmcjdgmhoknfhjdnobcho`
    - `Version`: `1.805.1`
    - `DownloadURL`: `https://appsdl.overwolf.com/prod/apps/kccgdmdllebbgifgafjfmcjdgmhoknfhjdnobcho/1.805.1/app.opk`
    - `Type`: `WebApp`
    - `MinimalOWVersion`: `0.251.2.1`
- The `{0}/{1}.json(.gz)` URL pattern was found in strings, but simple guesses like:
  - `https://apps.overwolf.com/prod/kc/kccgdmdllebbgifgafjfmcjdgmhoknfhjdnobcho.json`
  - `https://apps.overwolf.com/prod/kccgdmdllebbgifgafjfmcjdgmhoknfhjdnobcho/kccgdmdllebbgifgafjfmcjdgmhoknfhjdnobcho.json`

  returned 403, so its parameter mapping is still unresolved.
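The installer-tag gotcha above, as an added example (not part of the original notes or of `OWInstaller.exe`): it reads the query-string tag from the tail of a downloaded installer and builds the matching `install/clean` lookup. The helper names, the 4096-byte search window, the printable-ASCII encoding of the tag and the `"0"` placeholder values are assumptions; the sample bytes are constructed.

```python
from urllib.parse import parse_qs, urlencode

TAG_MARKER = b"Sel=1&Extension="  # start of the tag as quoted above

# Constructed sample: stand-in bytes for an installer with the tag near the end.
# Real tags carry further fields (elided as "&..." above); none are invented here.
SAMPLE_INSTALLER = (
    b"MZ" + b"\x00" * 256
    + b"Sel=1&Extension=kccgdmdllebbgifgafjfmcjdgmhoknfhjdnobcho"
    + b"&Name=Mobalytics%20Desktop&UtmSource=app&UtmMedium=owaa"
    + b"\x00" * 16
)


def read_installer_tag(blob, tail=4096):
    """Return the tag fields found in the last `tail` bytes, or {} if absent."""
    window = blob[-tail:]
    start = window.rfind(TAG_MARKER)
    if start < 0:
        return {}  # e.g. an untagged build, or files extracted from the installer
    raw = window[start:]
    # Assumption: the tag is printable ASCII and ends at the first other byte.
    end = next((i for i, b in enumerate(raw) if not 0x21 <= b <= 0x7E), len(raw))
    fields = parse_qs(raw[:end].decode("ascii"), keep_blank_values=True)
    return {key: values[0] for key, values in fields.items()}


def install_clean_url(extension_id, partner_id="0", channel="0"):
    """Build the install/clean lookup; "0" is a hypothetical placeholder value."""
    query = urlencode({"partnerId": partner_id, "channel": channel,
                       "extensionId": extension_id})
    return "https://install.overwolf.com/install/clean?" + query


if __name__ == "__main__":
    tag = read_installer_tag(SAMPLE_INSTALLER)
    print(tag)
    print(install_clean_url(tag["Extension"]))
```

Run against the original download rather than the extracted `$PLUGINSDIR` contents, since the tag lives only in the outer EXE.
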
Overwolf dev docs:
- https://dev.overwolf.com/ow-native/getting-started/overview
- https://github.com/overwolf/sample-app
- https://fulcrum.rocks/blog/overwolf-app-development
Newer Overwolf based Mobalytics build:
- https://mobalytics.gg/lol/glp/download-welcome
  - https://download.overwolf.com/install/Download?Name=Mobalytics+Desktop&ExtensionId=kccgdmdllebbgifgafjfmcjdgmhoknfhjdnobcho&utm_campaign=VuY4itU&utm_medium=owaa&utm_source=app&utm_term=d1713041-1e10-4372-9faa-9ca1d4d2fe43
    - I suspect the Mobalytics Overwolf extension ID is `kccgdmdllebbgifgafjfmcjdgmhoknfhjdnobcho` (based on the download URL)
      - I came across this while searching for it:
    - `Mobalytics Desktop - Installer.exe`
      - `7z x Mobalytics\ Desktop\ -\ Installer.exe -omobalytics-desktop-installer-extracted`
      - From a quick skim through the files, I'm not sure that the extension is bundled in this
Older Mobalytics electron build:
- https://github.com/sekwah41/mobalytics-repackager
  - https://github.com/sekwah41/mobalytics-repackager/blob/master/src/extract.js
    - https://cdn.mobalytics.gg/apps/latest/league/win/Mobalytics-Desktop-Win-stable.exe
      - `7z x Mobalytics-Desktop-Win-stable.exe -omobalytics-win-extracted`
      - `cd mobalytics-win-extracted/$PLUGINSDIR`
      - `7z x app-64.7z`
      - `cd app-64`
      - `resources/app.asar`
      - `resources/app.asar.unpacked`
      - Trying similar paths led me to this:
        - https://cdn.mobalytics.gg/apps/latest/league/mac/Mobalytics-Desktop-Mac-stable.dmg
          - `Mobalytics Desktop.app`
            - Electron Devtools Console
              - "Uncaught Error: Looks like you're attempting get window token outside the desktop app."
            - `Contents/Resources/app.asar`
- https://github.com/0xdevalias
- https://gist.github.com/0xdevalias
- https://github.com/0xdevalias/chatgpt-source-watch : Analyzing the evolution of ChatGPT's codebase through time with curated archives and scripts.
- Deobfuscating / Unminifying Obfuscated Web App Code (0xdevalias' gist)
- Reverse Engineering Webpack Apps (0xdevalias' gist)
- React Server Components, Next.js v13+, and Webpack: Notes on Streaming Wire Format (`__next_f`, etc) (0xdevalias' gist)
- Fingerprinting Minified JavaScript Libraries / AST Fingerprinting / Source Code Similarity / Etc (0xdevalias' gist)
- Bypassing Cloudflare, Akamai, etc (0xdevalias' gist)
- Debugging Electron Apps (and related memory issues) (0xdevalias' gist)
- devalias' Beeper CSS Hacks (0xdevalias' gist)
- Reverse Engineering Golang (0xdevalias' gist)
- Reverse Engineering on macOS (0xdevalias' gist)