Error patching on WinXP


Bu3no
August 24th, 2005, 02:40
Well, first of all, I'd like to say hi to everyone since I'm new here. I hope to have a great time in this community, and I hope to bring some knowledge as well as learn more about reversing.

I have a problem with a small game I cracked on Win98SE like 2 days ago. Of course that was a really old game, since I'm starting out and I think the best way to learn how reversing works is to trace what happens at each line of code in the debugger in an old program. Well... to the problem now... what I had to do was to remove a really simple CD-Check. It simply was an Ok-Cancel Messagebox telling me to put the CD in. I ended up NOPping a jump, but it was still telling me to put the CD in, and for some reason, when I pressed the OK button, the game was running and I could play anyway. I probably just NOP'd the wrong jump, but as I couldn't manage to find the one that wouldn't show the messagebox, I decided to modify the code (Op-Code) so that it would simply jump over the messagebox API call. Worked well, I was so proud of myself, since that was the first real thing I cracked (excluding crackmes). Now I sent the crack to my friend, and it didn't work. His comp's running on Win XP. I then decided to try it on XP myself, and it made that error where it asks you if you want to send the report to Microsoft or not... Well... I then tried to crack the game on WinXP, but any byte I modified would make that silly error...

I searched the forum for problems patching with Win XP and found here: http://woodmann.net/forum/showthread.php?t=7144&highlight=winxp+patching
that I may be accidentally hardcoding something, an API or whatever.... Remember, I'm new to this.

Well, I'd like some advice please... 'cause it all works well on Win98, but when I switch to WinXP, it doesn't even launch.

Thanks for your time,

Admiral
August 24th, 2005, 15:05
How exactly are you patching the file?
I guess you're editing the .exe disk image, but are you doing so with a hex-editor or have you written/generated a patcher to do it for you?
If you're patching the virtual image after it's loaded into memory (by means of a loader, say) then you're almost certainly being caught out by the differing image-bases of the two operating systems. Though I see no reason why you should be doing this.

If you're only NOPping jumps, there should be no issue of you hardcoding an address. You say you're patching conditional jumps, so you should be turning a 0x7- (probably) to 0x90. Make sure you also NOP the rest of the jump command (which is probably just the following one byte, although it can be as many as four). If doing only this is causing a crash then you must be patching the wrong place.

Regardless of what and how you're patching, the one thing you should have done before posting here is loaded up your patched file in a debugger (or disassembler) and located the exception causing the crash. Chances are you're creating an access violation by patching the wrong (number of) bytes.

Tell us more.
Admiral
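An added example, not code from any post in this thread: a small Python script that shows the point about instruction length. A short conditional jump is two bytes (opcode plus rel8), so NOPping only the opcode leaves the displacement byte in place, where the CPU decodes it as the start of some other instruction and everything after it is misread. The byte snippet and the call displacement are constructed for illustration.

```python
NOP = 0x90

def jump_length(code, off):
    """Size of the jump at code[off], or None.  Jcc/JMP rel8 are 2 bytes; JMP rel32
    is 5 and Jcc rel32 (0F 8x) is 6, so the displacement can be one or four bytes."""
    b = code[off]
    if 0x70 <= b <= 0x7F or b == 0xEB:
        return 2
    if b == 0xE9:
        return 5
    if b == 0x0F and off + 1 < len(code) and 0x80 <= code[off + 1] <= 0x8F:
        return 6
    return None

def nop_jump(code, off, whole_instruction=True):
    """NOP the jump at off.  whole_instruction=False reproduces the mistake of
    overwriting only the opcode byte and leaving the displacement behind."""
    n = jump_length(code, off)
    if n is None:
        raise ValueError(f"no jump opcode at offset {off:#x}")
    count = n if whole_instruction else 1
    return code[:off] + bytes([NOP]) * count + code[off + count:]

def force_jump(code, off):
    """Turn a short Jcc into an unconditional short JMP (EB rel8), same displacement."""
    if not 0x70 <= code[off] <= 0x7F:
        raise ValueError("only short Jcc is handled here")
    return code[:off] + b"\xeb" + code[off + 1:]

# Just the opcodes needed for the snippet below: byte -> (length, mnemonic).
FIXED = {0x90: (1, "nop"), 0xC3: (1, "ret"), 0x6A: (2, "push imm8"),
         0xE8: (5, "call rel32"), 0x05: (5, "add eax, imm32"), 0x44: (1, "inc esp")}

def disassemble(code):
    """Minimal length decoder; stops with '??' on a byte it does not know."""
    out, off = [], 0
    while off < len(code):
        b = code[off]
        if b in FIXED:
            n, name = FIXED[b]
        elif jump_length(code, off):
            n, name = jump_length(code, off), "jmp/jcc"
        else:
            return out + [(off, "??")]
        out.append((off, name))
        off += n
    return out

# Constructed snippet: jne skips a call (say, to an "insert CD" message box); the call's rel32 is a placeholder.
ORIGINAL = bytes.fromhex("7505 E811223344 6A00 C3")
```

Compare `disassemble(nop_jump(ORIGINAL, 0))` with `disassemble(nop_jump(ORIGINAL, 0, whole_instruction=False))`: in the half-patched version the leftover 05 byte becomes `add eax, imm32` and swallows the call, and the stray 44 decodes as `inc esp`, which is the kind of corruption that ends in an access violation.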

Bu3no
August 24th, 2005, 15:15
I patched the file with a hex-editor, maybe as you said I forgot to patch the second byte of the conditional jump... I'll check that.

What I don't understand is the fact that the cd-check was still showing (on Win98), but clicking OK or Cancel would simply run the game anyway, without the CD. So I decided to create a jump (EB 28 I think) over a now useless 2-byte command so that it wouldn't mess anything up, to get directly over the MessageBoxA API call. It works well on Win98 but gives an error in XP. I'll do as you said, and trace the error, if I can, and try to fix it on my own and give you some news. Thanks for your answer.

EDIT:

After some practice cracking some crackmes, I realised that the jump I made to skip the MessageBoxA call wasn't in the right place, and that I could have used another conditional jump and modified it so it would always jump lol. Works all right now. Thanks, and sorry for your time, Admiral.


Regards,

laola
August 25th, 2005, 12:32
Maybe you could beef up your findings with some disassembler snippets illustrating what you did wrong and how you fixed it. Could be helpful for others to avoid this mistake before it happens...

Bu3no
August 25th, 2005, 15:44
Yeah, what a great idea, laola. I'll edit this post with an example of what my mistake was and how I resolved it as soon as I have a little time in front of me. Thanks a lot for the idea.

Regards,

LLXX
August 26th, 2005, 01:49
You said it was a really old game, so that is probably the problem. You probably cracked it correctly; it's just because of WinXP's legacy support problems. Much older software which ran fine on 9x systems will refuse to run on XP, cracked or not. It's just an irritating aspect of XP (and they said XP was better than 98...)

To crack a simple CD-check, nop or permanise the jmp closest after the check for the CD itself (often located in its own procedure for your convenience).

Bu3no
August 26th, 2005, 01:56
Quote (Originally Posted by LLXX): You said it was a really old game, so that is probably the problem. You probably cracked it correctly, it's just because of WinXP's legacy support problems. Many older software which ran fine on 9x systems will refuse to run on XP, cracked or not. It's just an irritating aspect of XP (and they said XP was better than 98...)


Well, thanks for your reply LLXX, but the game was running well on XP without patching, and I said in one of my previous posts that I patched something wrong.... and it made an error on XP, while still working on Win98. Now it's alright though, I patched the right thing and it works perfectly on both OSes. I'll post a reply later on the mistake I made. For now, bed's yelling at me Cry??? why is that smiley called cry?? I thought he was yawning lol... Oh well... I'll let him stay in the post lol

Regards,