
I need in memory patcher with search'n'replace


Moustafa
May 8th, 2005, 18:22
Hey guys
I'm happy that I found a good forum like this one

I need a memory patcher with a search and replace option for a crippled program that has a CRC32 crypto signature (from PEiD).
Every so often the offsets in memory change, so my patcher (trainer-like) couldn't patch them.

Can you help?

Or you can give me the ASM code, as I'm learning ASM now.

JMI
May 8th, 2005, 22:25
Moustafa:

Go back and ACTUALLY READ the FAQ, as you were supposed to have done, especially the parts which read:

- Do not ask where to find the "tools".
- Do not ask for help without showing you made an effort. This includes asking *lameass* questions in the Newbies Forum.


You have violated these instructions in two respects: 1.) you have asked for a tool without any indication you tried to find one on your own, and 2.) you asked someone to give you asm code without showing any of your own work.

Time to rethink what you have done and what you are doing, and then follow the rules.

Regards,

naides
May 9th, 2005, 07:39
Suggestions:

Find an open source patcher, so that you have the source code. There are plenty.
Code the find and replace function yourself; it's not that hard.
Recompile, CONTACT the AUTHORS of the original program and get their OK, then publish your enhanced version.
Become Moustafa the Great, Utility Software Author.

Moustafa
May 10th, 2005, 16:16
thx for the reply, man. I'm too happy, and sorry, you know it is my first post.

I already patched the program with OllyDbg (in-memory patching) and it is working well. I also made a memory patcher like trainers using GTS (Game Trainer Studio) and it worked well for some days, but suddenly it stopped working and the trainer doesn't work, so I reloaded it in OllyDbg and I saw that the addresses were changed, so I felt bad about it and I started to search for search'n'replace tools in memory and I found nothing.
All search'n'replace tools are for the normal executable, and loaders don't work.
So I asked for some help, but believe me, I didn't know the rules well. Sorry for that again.

I'll try to contact any author of patchers and ask him for help.

Greetz

naides
May 10th, 2005, 16:44
Actually, not long ago there was a thread regarding a similar issue
http://www.woodmann.com/forum/showthread.php?t=6992&highlight=patcher

See if Malakar has made any progress in his quest, perhaps you can collaborate.

Moustafa
May 11th, 2005, 04:11
thx naides
I'll see

bye

condzero
May 12th, 2005, 15:12
Moustafa,

I am curious if you're patching in the correct place. I have patched numerous programs in memory. I do this with a custom loader. For application DLLs, I have jumped to patched code, then back to the DLL entry point within the DLL itself. If you're patching for CRC, then I would suggest you patch further down the line, as you should not run into this condition with correct memory patching as I understand it. What am I missing?

_________________________________________________________________
I then see you post in another category:
OH man, please understand what I'm looking for.
The program uses the function timeGetTime or TimerGetTime, then it compares the running time with 927C0 (10 minutes)

cmp eax,927C0
jle someplace

and these instructions are at virtual addresses, as the program is encrypted with CRC32 crypto. I changed the jle to jmp and everything is working FINE, but after running the program some more times the virtual address has changed, so that I found the instruction in another location.
_________________________________________________________________

Find where in your program this call is executed and deal with it. If you can find it, there are a number of choices. I have had success with SEH and RETN within the calling procedure itself, whereby I PUSH a handler, force an exception, which hopefully the program can handle, thus exiting out of the timing procedure. If you do this in the program, you need not worry about where in virtual memory the timing mechanism is running. Hope I made myself clear.

Moustafa
May 12th, 2005, 15:43
I don't exactly understand your advice, but I'll explain it to you.
Of course I can't and won't tell the name of the target (I read the FAQ today).

The target uses the lib winmm.dll three times:
first to count a timer for the program itself (which I can't change because it is a function),
second time is the compare between the start time and the 10 minutes limit (which I mentioned),
third time (I don't remember).
All three calls are from the same jmp instruction.
Then it goes to some place virtually where the program's addresses start from 1000blah
and end with 1blahblah,
but these addresses are 00Ablah.

I took some notes: when I loaded the program with OllyDbg I found the address of the jle instruction at A04CF3, and when I loaded it in OllyDbg as an ATTACH file the location was A0150B, so I made a trainer which patches this instruction to jmp.
It worked fine for two days or more, then I found that the trainer is not working.
I loaded it again in OllyDbg and found that the address had changed to A0149B.

I tried to make a loader (I used yoda's, dUP 2.1, and more) but nothing happened.
I tried to patch winmm.dll so that I XORed EAX before the check, but this made all functions using timers not work either.
I can't make a code cave for it, as the EAX value changes lots of times.
This is part of the code in the fake area:

00A04CA0 2B05 9888A000 SUB EAX,DWORD PTR>
00A04CA6 3D E0930400 CMP EAX,493E0 (5 minutes in this one)
00A04CAB 0F8E 0A000000 JLE 00A04CBB
Every time the addresses change.

There are 4 programs from the same company using the same scheme, and I didn't find any solution on any site.

thx for your help

condzero
May 12th, 2005, 17:57
Moustafa,

Please PM me your target application. I would like to see this for myself.
Thanks.

dELTA
May 13th, 2005, 02:28
I'd simply make a DLL stub that checks the address of the function callers, and then "acts accordingly". 5-minute job which will probably result in a clean crack...