Run-time patching


LOPAN
March 1st, 2010, 20:04
From your experience, what do you think is the best method for patching a Win32 executable at run-time?

I need to modify the exe's stack, so I'd need to load the patcher in the same address frame of the executable, locate its stack and then finally patch it, by constantly checking the current EIP and ESP.

How is it done in practice? And is there a better approach to accomplish that?

Thanks.

JMI
March 1st, 2010, 21:14
How about you comply with the requirements of the FAQ, which you did actually read, didn't you?? Tell us what YOU have done to attempt to find the answer to your own question. You can expect some assistance here AFTER you have attempted to solve your own problem and not succeeded.

So far, it appears that you have a question and haven't done anything beyond posting it here. What have YOU done??

Regards,

LOPAN
March 1st, 2010, 21:35
The problem here, JMI, is I don't know what is the exact parlance of this approach. I don't know the jargon people use to say something like "hey, I'm gonna modify this code in real time". So, I don't know exactly WHAT to search, which is why I opened this thread.

Anyway, I tried searching for run-time patching but it was unfruitful. If I knew at least some naming convention for this technique, that'd be a good start.

regards,
LOPAN

JMI
March 1st, 2010, 23:58
Again, how about using a little self-effort?

For one example, did you try:

patching an win32 executable in run-time

I got 302,000 hits. I'm fairly certain you didn't look at very many.

Then I tried:

run-time patching a win32 executable

and got 388,000 hits, so I still get the impression you are "waiting" for someone to hand you the answer so that you don't actually have to do much work to help yourself.

Now this could be the wrong impression, but it is what you are showing so far. You try one little thing and then want someone else to spoon feed you the answers.

Where is your "personal" drive to "find what you need/want"?? It is that type of determination which is required for advancement at reverse code engineering. The rest is just wanting to do as little as possible on your own. Now, clearly, sometimes everyone needs a little assistance and this is not what this is about, because, so far, you have only shown the barest amount of personal effort and a quick willingness to stop trying on your own and wanting someone to "give" you the solution to what you seek.

This is not a very useful attitude for much success in reverse code engineering or life in general.

So which is it going to be for you? Are you determined, or just a half-assed wanna-be cracker, as long as it's not too much personal effort required???

You choose.

Regards,

SiGiNT
March 2nd, 2010, 01:11
You obviously know a little, since you are familiar with the stack and registers. All JMI wants to see is how you came to the conclusion that modifying what you want will accomplish what you need, and why the terminology is your problem. Usually this would be accomplished by modifying what is pushed onto the stack. Describe your conclusion and how you reached it.

SiGiNT

Kayaker
March 2nd, 2010, 01:14
Yes, but jargon IS important. You get nothing out of such a generic google search term for such a specific subject. Sometimes it's easier to just point the way..

Yeah, sometimes questions are asked out of laziness, quite often in fact. But at the same time, some questions have the potential for generating an interesting discussion of techniques, if allowed to live, and if it's a generally popular subject and others wish to present their thoughts on it. I think this is one of those cases.

Go to the ARTeam main site and type "writing a loader" in the search box. The first 10 tutorial hits should give you a start. If that's not good enough then you had better come back with well-defined questions after fully researching everything you found.

LOPAN
March 2nd, 2010, 15:51
JMI: You don't need to get upset nor associate my thread with personal matters.

Let me explain:

Again, how about using a little self-effort?

Wading through 300k Google hits seems like a little self-effort? To me it sounds more like masochism.

It would be extremely straightforward if someone just pointed out "Look, what you seek is called XXXXX" (like Kayaker just did); then I ask Google "What do you know about XXXXX?", and I only have to wade through matching results instead of mostly unfruitful matches.

Now for some "personal drive": I spent the last 2 days of uninterrupted work trying to patch a current-gen DirectX game into running in windowed mode. This should be a piece of cake for you, who have been reverse engineering for over 10 years, but for someone who has recently learned the power of IDA and has little knowledge of the DirectX API, it is a painstaking path. And I have succeeded. For a person who has a full-time job and other matters to attend to, this is a huge time concentration.

===

SiGiNT: I figured this would be the best approach for mainly two reasons:
1- I analyzed the file, and many instructions that need to be modified don't have the necessary room for static patching. Also I saw that the stack needs to be changed.
2- This has appeared as a nice opportunity for me to learn run-time patching.

===

Kayaker: thanks for pointing me this. Much appreciated, I'm going to look into it right away.

Also, I hope this can become an interesting discussion of run-time patching techniques too. Empirical opinions are always welcome.

Regards,
LOPAN

Woodmann
March 2nd, 2010, 18:25
Howdy,

We all love it when a new one gets his/her bottom warmed by JMI and they come right back and give him a big glass of STFU.

You seem to have the drive indeed.

Woodmann

JMI
March 2nd, 2010, 19:09
Hello Lopan:

So the record remains "straight," I did not address any "personal" comments to you, aside from asking the question whether you were "determined" or "just a half-assed wanna-be cracker" and those were issues about your "attitude" and not your "person."

Second, I don't allow myself to become "upset" with posters; it interferes with logical argument. I merely try to perform my function to make sure that posters follow the FAQ and "show" that they have made some personal effort to find what they seek.

Once they do that, I have no "problem" or "issue" with what they might know or not know. I am certain we ALL have a great deal to learn on most subjects, and I certainly am no exception to that general principle.

I hope you have been aided in your quest and that you are successful with your efforts. It is "the journey" which is the true learning experience.

If you discover something which you feel is worth sharing after your investigations are further along, share them here or somewhere where they may be useful to others.

Regards,

Indy
March 2nd, 2010, 21:07
The patch cannot be a good method; any change in the code is a bad way.
It would be nice to change the links in the data sections, but it is not always possible and requires parsing and analysis of the code. The best solution lies in the permutations. These include editing and relocs (fixups). If the application name is known, loaders are often used.
Quote:
I need to modify the exe's stack

The stack is dynamically allocated memory. It belongs to the thread, not to the file.

LOPAN
March 3rd, 2010, 22:04
loles

I understand JMI is just doing his job; I suppose many kiddies that barely know how to set up a network come here like "crackinn is so culz, I wanna be cracker". JMI's job is necessary.

Thanks everybody.

And thank you very much, Kayaker, the site you provided has loads of useful information that I was seeking. I wish I had more time to dedicate on these matters as they are extremely time-consuming.

Regards,
LOPAN

Silkut
March 7th, 2010, 06:30
I don't mean to pour booze on the fire but,

Quote:
Wading through 300k google hits seems like a little-self effort? To me it sounds more like masochism


Then your search criteria are not sharp enough.
F+ wrote a lot on search engine optimization and it helps a lot to retrieve info from the web; it is also time-consuming but worth it.

Have phun.