Log in

View Full Version : Patch a program in memory


techne
July 19th, 2013, 11:11
Hi all,
I have a program that makes some complex operation when it starts.
One of this operation consist in writing a global variable (at address [DS]:005387D4).
It puts into this variable a value (0008) which limites very much the use of this program.

I would like to write a patcher that:
1. attach that program ( after it has started) just like olly for example
2. go to the right memory address ([DS]:005387D4)
3. and let me change the value of that global variable (from 0008 to FFFF).

Is it possibile ?
Have you ever done something like that ?
Do you have a C code (for example) that can do this operation ?

Thanks in advance.

naides
July 19th, 2013, 18:45
It is very much possible. In fact in the tools section, there are several already made apps, called 'loader', and 'patcher' that are designed to do just what you ask, some with available code. . .

techne
July 21st, 2013, 14:42
Thank you naides
but can I use these loader to automatize my patch?
I mean I'd like to send my target program and the loader to one of my friends. He just should execute the target program and then the loader (correctly programmed).
Is it possible?
have you a loader to advice me?

disavowed
July 22nd, 2013, 12:54
See http://www.woodmann.com/collaborative/tools/DUP and http://www.woodmann.com/collaborative/tools/THYloadergen

techne
July 23rd, 2013, 01:57
Thank you I will Read about these software as soon as possibile

techne
July 28th, 2013, 18:35
Hi all,
I have downloaded the two program (DUP and THYloadergen).
But it seems that they two applay a patch directly on my target program.
When then I start the program, my fix is overwritten.

I have to override a global variable after the program has started: how can I do with DUP or THYloadergen ?
Thank you all...

_genuine
July 28th, 2013, 21:41
If youre aware of where the program is writing to, why not use your debugger to make the patch, or use a tool like CheatEngine to put a permanent patch on that address. Or if you track down the location of the instruction that makes the patch, modify that instruction..Or am i missing something?

techne
July 29th, 2013, 07:46
Thank you _genuine for your help,
I have not to patch an instruction, I have to patch a global variable.
when the program start, it makes many and many operation and at the end of the starting processs it put a value 0008 into a global variable (at address [DS]:005387D4).
I'd like to change that value into FFFF, but I have to do this just after the program has started.
If I do it before the program start, when it start, it changes the value again.

So I need a program to patch automatically my target program and change the value at address [DS]:005387D4 from 0008 --> FFFF, but after my target program has started.
I don't know if it is clear and if it is possibile.

Thank you again.

Nacho_dj
July 29th, 2013, 17:36
Here is what you are looking for:
http://www.woodmann.com/forum/showthread.php?5478-PUPE-now-in-english

Best regards

Nacho_dj

techne
August 1st, 2013, 04:01
Thank you Nacho_dj,
Pupe is exactly what I need.
I execute pupe and apply (manually) the patch and everything goes fine.

but...

is it possible to exceute pupe from command line?
I'd like to automatize the patch operation.
Do you know if it possibile ?

Nacho_dj
August 2nd, 2013, 07:04
Never tested that, but pupe comes with sources, so maybe you can add that feature...

techne
August 2nd, 2013, 09:30
OK I will try to do something on that source.
Thank you very much.

qZanity
August 18th, 2013, 16:16
Do you have any c++/c experience at all.. If you know the address patching it is a breeze.


Code:

#include <iostream>
#include <windows.h>

using namespace std;

// setup here
LPVOID targetAddress = (LPWORD)0x017E5950; // address
int newValue = 1000;

int main()
{
HWND hWnd = FindWindow(0, L"WindowName";

if(!hWnd)
{
cout << "Could not find target window" << endl;
return 1;
}

DWORD pID;
GetWindowThreadProcessId(hWnd, &pID);

HANDLE handle = OpenProcess(PROCESS_ALL_ACCESS, false, pID);
if(!handle)
{
cout << "Could not open a process handle!" << endl;
return 1;
}

size_t sznewValue = sizeof(newValue);
int ret = WriteProcessMemory(handle, targetAddress, &newValue, sznewValue, NULL);

if(ret < 1)
{
cout << "WriteProcessMemory failed!" << endl;
return 1;
}
cout << "Written value to target memory address!" << endl;
return 0;
}


Should work fine, dont forget to add the window name


@blabberer: Could of sworn that i included the headers and variables... although when i tested i found a bug so re-edited post and forgot to copy/paste headers. My bad

blabberer
August 19th, 2013, 10:42
no it is not the about the headers (missing headers could be my mistake when i edited your post instead of replying)

it is more fundamental logic i talked about

did you run this on anything and get a result
what it was?
why ?

ask the 5 w 1 h and make it better

qZanity
August 19th, 2013, 15:55
Quote:
[Originally Posted by blabberer;95275]no it is not the about the headers (missing headers could be my mistake when i edited your post instead of replying)

it is more fundamental logic i talked about

did you run this on anything and get a result
what it was?
why ?

ask the 5 w 1 h and make it better


Umm well it's working fine by patching calc.exe MEMORYSTORE address.

Not sure why you think it doesn't work

blabberer
August 20th, 2013, 03:08
because it shouldn't work
any arbitrary process shouldn't be able to write / modify any other arbitrary process
unless the writing process has gained itself proper authorities / privileges
else any script kiddies samanthalovesyou.scr would be able to edit winlogon.exe and
send more screen savers to bill gates from your mickysoft.oldlook

i made 3 changes to your program that you suggest are setup changes user should modify before using
address to write / what to write / whom to write

the three changes i do are

Code:

0:000> !grep -i -e "Calc" -c "!hwnd"
Name Calculator < this will be my window name
Class SciCalc
Name CalcMsgPumpWnd
0:000> du poi(1014b6c) < this will be where i write
000b87c0 "Cannot divide by zero."
0:000> du 100131c this will be what i write
0100131c "An unknown error has occured."
0:000>


and i should get access denied for PROCESS_ALL_ACCESS in OpenProcess
changing it to PROCESS_VM_OPERATION || PROCESS_VM_WRITE

i should get access denied error for WriteProcessMemory

from where i should strive to become a debugger proper not some screensaver overwriting one of my important password with 1am133tbabe from an ordinary untrusted temporary guest account with barest of the barest privileges on a closed down box


i run a fresh calc instance
list the directory and pipe the output to a txt file (create new every time so 0 byte file no previous entries inside)
compare the posted code with modified code and append the results to the previously created txt file
print the contents of the file that contains posted code for verification and append the results aain to the file
compile the modified file and append the results
list the directory again and append teh results
run the compiled executable and append the output
and print the contents of the file with all the results back in one go in a xp sp3 box

see below




Code:


C:\TESTPA~1>calc & dir /b > res.txt & fc modpatchmem.cpp unmodpatchmem.cpp >> re
s.txt & type unmodpatchmem.cpp >> res.txt & cl /EHsc modpatchmem.cpp user32.lib
>> res.txt & dir/b >> res.txt & modpatchmem.exe >> res.txt & wmic os get caption
, csdversion /format:list >> res.txt & type res.txt


Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 16.00.30319.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.

modpatchmem.cpp
res.txt
unmodpatchmem.cpp

Comparing files modpatchmem.cpp and UNMODPATCHMEM.CPP
***** modpatchmem.cpp
// setup here
LPVOID targetAddress = (LPWORD)0x01014b6c; // address
int newValue = 0x100131c;

***** UNMODPATCHMEM.CPP
// setup here
LPVOID targetAddress = (LPWORD)0x017E5950; // address
int newValue = 1000;

*****

***** modpatchmem.cpp
{
HWND hWnd = FindWindowW(0, L"Calculator";

***** UNMODPATCHMEM.CPP
{
HWND hWnd = FindWindow(0, L"WindowName";

*****



#include <iostream>
#include <windows.h>

using namespace std;

// setup here
LPVOID targetAddress = (LPWORD)0x017E5950; // address
int newValue = 1000;

int main()
{
HWND hWnd = FindWindow(0, L"WindowName";

if(!hWnd)
{
cout << "Could not find target window" << endl;
return 1;
}

DWORD pID;
GetWindowThreadProcessId(hWnd, &pID);

HANDLE handle = OpenProcess(PROCESS_ALL_ACCESS, false, pID);
if(!handle)
{
cout << "Could not open a process handle!" << endl;
return 1;
}

size_t sznewValue = sizeof(newValue);
int ret = WriteProcessMemory(handle, targetAddress, &newValue, sznewValue, N
ULL);

if(ret < 1)
{
cout << "WriteProcessMemory failed!" << endl;
return 1;
}
cout << "Written value to target memory address!" << endl;
return 0;
}modpatchmem.cpp

Microsoft (R) Incremental Linker Version 10.00.30319.01
Copyright (C) Microsoft Corporation. All rights reserved.

/out:modpatchmem.exe
modpatchmem.obj
user32.lib
modpatchmem.cpp
modpatchmem.exe
modpatchmem.obj
res.txt
unmodpatchmem.cpp


Could not open a process handle!


C a p t i o n = M i c r o s o f t W i n d o w s X P P r o f e s s i o n a
l
C S D V e r s i o n = S e r v i c e P a c k 3



C:\TESTPA~1>




second modification

Code:



C:\TESTPA~1>ren modpatchmem.cpp modpatchmemold.cpp

C:\TESTPA~1>copy modpatchmemold.cpp modpatchmem.cpp
1 file(s) copied.

C:\TESTPA~1>del *.exe *.txt *.obj

C:\TESTPA~1>dir /b
modpatchmem.cpp
modpatchmemold.cpp
unmodpatchmem.cpp

C:\TESTPA~1>edit modpatchmem.cpp

C:\TESTPA~1>fc modpatchmem.cpp modpatchmemold.cpp
Comparing files modpatchmem.cpp and MODPATCHMEMOLD.CPP
***** modpatchmem.cpp

HANDLE handle = OpenProcess(PROCESS_VM_OPERATION || PROCESS_VM_WRITE, false,
pID);
if(!handle)
***** MODPATCHMEMOLD.CPP

HANDLE handle = OpenProcess(PROCESS_ALL_ACCESS, false, pID);
if(!handle)
*****


C:\TESTPA~1>cl /EHsc modpatchmem.cpp user32.lib
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 16.00.30319.01 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.

modpatchmem.cpp
Microsoft (R) Incremental Linker Version 10.00.30319.01
Copyright (C) Microsoft Corporation. All rights reserved.

/out:modpatchmem.exe
modpatchmem.obj
user32.lib

C:\TESTPA~1>modpatchmem.cpp

C:\TESTPA~1>modpatchmem.exe
Could not find target window

C:\TESTPA~1>calc

C:\TESTPA~1>modpatchmem.exe
WriteProcessMemory failed!

C:\TESTPA~1>


qZanity
August 20th, 2013, 06:07
Well of course! All that is needed is something very simple depending on the OS and libarys used by the target, But DLL redirection, ON ATTACH, write to memory. (depending how the dll was loaded)

Indy
August 20th, 2013, 10:00
NtProtectVM/NtWriteVM. Amen!

blabberer
August 21st, 2013, 01:34
Well of course!

oh yeah of course

so you say writing a proper debugger is a breeze for some one who just came to know that there is a programming language called c and landed here via google search well hats off to you

qZanity
August 21st, 2013, 17:04
Quote:
[Originally Posted by blabberer;95292]Well of course!

oh yeah of course

so you say writing a proper debugger is a breeze for some one who just came to know that there is a programming language called c and landed here via google search well hats off to you


Why thank you

techne
January 11th, 2014, 06:42
qZanity, blabber thank you very much your POF is very usefull for me

Shub-nigurrath
January 13th, 2014, 03:31
Hi
Probably I join late in this thread but just wanted to point that if you need to customize your own loader the best source is here
http://www.accessroot.com/arteam/site/download.php?view.108

and all the other loaders related tutorials you can find there like this
http://www.accessroot.com/arteam/site/download.php?view.81