
View Full Version : Flexible Patcher?


Malakar
April 7th, 2005, 20:05
I did a search on these forums, but did not find what I'm looking for. However I have a feeling this has been asked before... Sorry about that.

I am looking for a flexible patcher - something like aPATCH which uses a script I write. I've been using aPATCH, but its wildcard searches are not flexible enough. Oftentimes instructions are swapped around in different compilations, so a simple method of a certain number of wildcard bytes will not always work. So I need something that allows a variable number of wildcard bytes. I would also like multiple possibility bytes - for when the same operation has multiple opcodes depending on the register used.

I started to search the web for patchers, but the problem is there are so many of them that do the same simple patching methods. So I came here, where knowledgeable crackers are.

evlncrn8
April 8th, 2005, 00:57
code your own then

diablo2oo2
April 11th, 2005, 08:54
Quote:
code your own then


hehe, that was also my first thought....

but back to topic:
Quote:

So I need something that allows a variable number of wildcard bytes


how do you mean that? can you explain with an example?

Quote:
I would also like multiple possibility bytes - for when the same operation has multiple opcodes depending on the register used.


isn't it possible to use a wildcard for this?

Manko
April 11th, 2005, 14:28
Hi!

Quote:
[Originally Posted by Malakar]/.../ I am looking for a flexible patcher /.../
So I came here, where knowledgeable crackers are.


Well, the problem with many knowledgeable crackers is that they have long since stopped using other people's generic apps and instead write their own patchers/loaders, and have forgotten about those they might have used in the beginning.... Hmm...

I suggest you start learning to code your own too!

It might be some work at first, but it is not THAT difficult, and you will make it if you put in the hours. Some people here will even be MORE willing to help you when you show that you have made some effort yourself.

/Manko

Malakar
May 4th, 2005, 20:50
In response to coding my own, of course that would be the next step on the list. But I would have to be a fool to not first see if there is already a good one out there.


Quote:
how you mean that? can you explain with an example?

isn't it possible to use a wildcard for this?

Certain operations have multiple forms of essentially the same operation. Different forms might use different registers, or a different number of operand bytes. One operation might have one form where the opcode is 67, and another form where the opcode is 68 (these are just random numbers, not a real example). So searching for just one or the other, or using a wildcard, will not always suffice.
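Added example (not from the thread, and not code from aPATCH, dUP or any other tool named here): a small Python matcher for exactly the two features Malakar asks for above, a variable number of wildcard bytes and a choice between several opcode bytes, using the hex-pattern syntax YARA uses for detection signatures. The sample buffers, the signature string and all function names are constructed for this example; the buffers encode one `cmp r32,imm32 ; jcc rel8` sequence in its eax short form and its ebx form with extra nops in between, which is the kind of compiler variation the post describes.

```python
import re

# YARA-style hex tokens: "3D" fixed byte, "??" any byte, "[n-m]" n..m arbitrary bytes, "(3D|81)" alternatives.
_TOKEN_RE = re.compile(r"(\?\?)|\[(\d+)-(\d+)\]|\(([0-9a-fA-F|]+)\)|([0-9a-fA-F]{2})")

def parse_pattern(pattern: str) -> list:
    """Compile a pattern string into (kind, arg) tokens; raises ValueError on bad syntax."""
    compact = pattern.replace(" ", "")
    if _TOKEN_RE.sub("", compact):            # anything the tokenizer cannot consume is an error
        raise ValueError(f"bad pattern: {pattern!r}")
    tokens = []
    for wild, lo, hi, alts, byte in _TOKEN_RE.findall(compact):
        if wild:
            tokens.append(("any", None))
        elif lo:
            tokens.append(("gap", (int(lo), int(hi))))
        elif alts:
            tokens.append(("alt", {int(h, 16) for h in alts.split("|")}))
        else:
            tokens.append(("byte", int(byte, 16)))
    return tokens

def _match_at(data: bytes, tokens: list, ti: int, di: int):
    """Backtracking match of tokens[ti:] against data[di:]; returns the end offset or None."""
    if ti == len(tokens):
        return di
    kind, arg = tokens[ti]
    if kind == "gap":                          # try each allowed gap length, shortest first
        for skip in range(arg[0], min(arg[1], len(data) - di) + 1):
            end = _match_at(data, tokens, ti + 1, di + skip)
            if end is not None:
                return end
        return None
    if di >= len(data):
        return None
    if kind == "any" or (kind == "byte" and data[di] == arg) or (kind == "alt" and data[di] in arg):
        return _match_at(data, tokens, ti + 1, di + 1)
    return None

def find_all(data: bytes, pattern: str) -> list:
    """Return (start, end) offsets of every position where the pattern matches."""
    tokens = parse_pattern(pattern)
    return [(s, e) for s in range(len(data))
            if (e := _match_at(data, tokens, 0, s)) is not None]

# Constructed sample buffers (not from the thread): eax short form vs. ebx form with two extra nops.
BUILD_A = bytes.fromhex("90 3d c0 27 09 00 7e 10 90")        # cmp eax,0x927C0 ; jle rel8
BUILD_B = bytes.fromhex("90 81 fb c0 27 09 00 90 90 7e 10")  # cmp ebx,0x927C0 ; nop ; nop ; jle rel8
SIG = "(3D|81) [0-1] C0 27 09 00 [0-4] 7E ??"                # alternate opcode, optional ModRM, gap, wildcard
```

`find_all` only reports where a signature matches; the gap clamp in `_match_at` keeps a trailing `[n-m]` from reporting an end offset past the buffer.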

Moustafa
May 11th, 2005, 04:13
Did you make any progress in your research?
I'm trying to find something like what you're looking for.

I want an In-memory patcher with search and replace feature.
If you made any progress please contact me.

Bye

diablo2oo2
May 11th, 2005, 06:27
Quote:
I want an In-memory patcher with search and replace feature.


dUP 2 can make search&replace loaders and s&r inline patchers (with wildcards).
maybe that helps you..

dELTA
May 11th, 2005, 08:04
And to spare us all from Moustafa's next post:

http://www.woodmann.com/forum/showthread.php?t=6113&page=2


JMI
May 11th, 2005, 08:34
I am shocked to hear that one can actually find things by using the SEARCH button at the top of the Forums. Who'd a thunk it. Clearly not Moustafa. He prefers to ask someone else to do his searching. Seems he STILL hasn't actually Read the damn FAQ.

You know Moustafa, that part about: - Please use the SEARCH function.

and

- Do not cross post. I can assure you that your question has already been answered and the answer can be found on this site or on some of the links included on this site.

Regards,

Moustafa
May 12th, 2005, 04:15
Oh man, please understand what I'm looking for.
The program uses the function TimeGetTime or TimerGetTime, then it compares the running time with 927C0 (10 minutes):

cmp eax,927C0
jle someplace

and these instructions are at virtual addresses in a program that is encrypted with CRC32 crypto. I changed the jle to jmp and everything works FINE, but after running the program some more times the virtual address has changed, so I found the instruction in another location.
And dUP search'n'replace is for a static exe that is not encrypted (I tried it, but I'll try again).
So I want the program to search the virtual addresses in program memory (while running) (from 400000 to 4FFFFF for example) and patch the jle to be jmp.

I wish you got it, or that dUP made what I need. I don't ask for a tool, I ask for a source code or something.
If i was mistaken please forgive me.

thx for all your efforts
Greetz & Respect

Moustafa
May 12th, 2005, 04:19
and I don't understand what "wildcards" means
thx a lot
Bye

naides
May 12th, 2005, 05:54
Quote:
[Originally Posted by Moustafa]Oh man, please understand what I'm looking for.

If you don't explain, there is NO WAY we could understand.

the program uses the function TimeGetTime or TimerGetTime, then it compares the running time with 927C0 (10 minutes)

cmp eax,927C0
jle someplace

and these instructions are at virtual addresses in a program that is encrypted with CRC32 crypto. I changed the jle to jmp and everything works FINE, but after running the program some more times the virtual address has changed, so I found the instruction in another location.
And dUP search'n'replace is for a static exe that is not encrypted (I tried it, but I'll try again).

Did you check the Search and Replace code?

so I want the program to search the virtual addresses in program memory (while running) (from 400000 to 4FFFFF for example) and patch the jle to be jmp.

Your loader would need to be doing the patch operation frequently, or somehow synchronize with the app code in real time, to keep the patch updated.

Now how about locating (and killing) the mechanism that places instances of the offending code
cmp eax,927C0
jle someplace

at "random" locations in memory? Perhaps the program creates objects with executable code on the stack or the freestore frequently; that's why your protection instructions appear to move around.

I wish you got it, or that dUP made what I need. I don't ask for a tool, I ask for a source code or something.
If i was mistaken please forgive me.

I do not know your coding abilities, but it smells to me like this is not a simple coding task. While a dynamic search-and-replace real-time patcher appears to be a simple solution, you need rather advanced ASM skills:
see
h**p://www.cours-info.net/2005/05/01/23-loader-memory-patcher


thx for all your efforts
Greetz & Respect


Wild card explanation:

h**p://www.webopedia.com/TERM/W/wildcard_character.html

I'm in a good mood (got laid)

cRk
May 12th, 2005, 07:33
dUP 2 can make search&replace loaders and s&r inline patchers (with wildcards).
maybe that helps you..


search&replace won't be so easy when the target is packed or crypted using a loader...... example with the ASPR case... question to diablo2oo2: does dUP now support the caption or class name window trick for that purpose? .. I remember I never could patch any protected target by using the dUP loader feature since it needs some memory address to start patching from.. but unfortunately it either didn't work or I never learned how to use it.. could you explain to me with a real target if dUP really can patch a protected target with a loader for ASPR...

My Best Regards

diablo2oo2
May 12th, 2005, 09:49
it depends on the aspr protection. if the target uses the asprotect api to check a 30-day trial period you must find this aspr code and patch it yourself.

but when the target is "only" packed with asprotect and no API for evaluation time is used, you can make a loader. to defeat the process crc check you can
1. directly kill the process crc in the aspr code (i have written a tool for that. download from my homepage)
2. use the "MemCheck" method to skip the process crc check. it will patch the target in memory when the crc check is done.. there is a tutorial for this on the ArTeam site

ps. i will try to add a window detection method (window name/classname), although this method also doesn't always work..

Moustafa
May 12th, 2005, 15:10
thx very much for your replies
i'll try to search and continue researching

thx again

Bye