View Full Version : How patching works?


keeth
March 8th, 2006, 14:02
Hi guys, this is my first post on the forum but I've read quite some interesting tutorials by now. Now I've noticed that all those tutorials use some kind of tool to modify the binary manually. I'm making a thesis on the process of cracking and that is why I'd like to know how these manual modifications are commonly implemented in a patch:

- are most patches offset patches or do they search the binary in some way? Could someone give me a percentage on that?
- is there some kind of patch generator that puts out a tailored patch for applying a certain modification to the binary?

Thx in advance

Admiral
March 8th, 2006, 16:07
Most patches (I'd say 90%) out there use an offset. All but the worst ones will check to make sure that offset originally contains what is expected before it goes ahead and does damage, but usually you'll get nothing more helpful than a poorly worded 'Filesize not match!' error if there isn't a match.

However, it's this minority of patches (that actually perform a binary search, even a simple one) that are the most effective. Often a binary is updated between releases without the protection algorithm being as much as breathed on, so although the offset may change the bit-pattern will often remain the same. However, this is something of a double-edged sword, since some bit-patterns will appear several times in a binary (and so false-positives can occur). Provided the reverser knew what they were doing, they'd probably do a good job of making a quasi-multi-version patch. Otherwise, their attempts to be clever may do more harm than good.

As for patch generators, these are plentiful (although I'm dubious of the quality of many of them). I think most cracking groups use their own templates for cracks and keygens, whereas the smalltime dabblers will tend to use something they grabbed off the net. This said, you'll often enough encounter a purpose-coded patcher or keygen UI.

So I guess the answer to both of your questions is 'it depends'.

Regards
Admiral

naides
March 8th, 2006, 16:09
If I understand you correctly, you are interested in patcher programs. Right?

Manual patching entails changing some bytes in the binary, usually with a hex editor. The secret of this sort of cracking is simple: to know where the bytes to change are and what to change them to. Nothing more. . .

A patcher is a small executable that automates this process.
The simplest patch generators compare the original and the cracked version of the binary, store away the differences in position (file offset) and the contents of the altered bytes. The patcher then blindly modifies the specific bytes when run. Some patchers will perform some preliminary checking, making sure that the target binary is of the right size, version and perhaps the right CRC.

It is plausible also, as you say, to scan the target binary searching for some signature that marks the area you want to patch, but I have not seen very many of those. There could be false positives, non-unique signatures.

There are commercially available patch generators that automate these tasks: patching is frequent in commercial software updates and security updates, also in virus removal. Search the net and you will find. Also, if you look in EXETOOLS and other tool repositories you will find some home-made patcher generators used by crackers.

Admiral: From now on, you are not allowed to read my mind, or beat me to answering a posting.

LLXX
March 8th, 2006, 22:34
Quote:
[Originally Posted by keeth]- are most patches offset patches or do they search the binary in some way? Could someone give me a percentage on that?
Almost all of them rely on hardcoded file offsets. This is much easier than searching for a specific sequence.
Quote:
[Originally Posted by keeth]- is there some kind of patch generator that puts out a tailored patch for applying a certain modification to the binary?
There are many out there. One of the most interesting is known as the xor-difference patcher, which stores the patch data in such a way that the values of the patched bytes cannot be determined without the file that is intended to be patched. The patched bytes are generated from the xor of the original byte and the difference-byte.
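The two mechanisms described in this thread (naides' offset-based diff with a size/CRC pre-check, and LLXX's xor-difference encoding) can be shown together in a few lines. The following is an added illustration written for this page, not a tool posted by any participant; the "file" contents and the CRC32 pre-check are constructed for the example, and the same mechanics are what any ordinary software updater uses. It shows why the pre-check matters: a patch applied to the wrong file of the same size is refused instead of silently corrupting it, and the stored xor deltas say nothing about the resulting bytes unless you also hold the exact original.

```python
import zlib
from dataclasses import dataclass, field


@dataclass
class Patch:
    """Offset patch in xor-difference form with integrity metadata."""
    expected_size: int
    expected_crc32: int
    # (offset, delta) pairs; new_byte = original_byte ^ delta
    deltas: list = field(default_factory=list)


def make_patch(original: bytes, modified: bytes) -> Patch:
    """Compare two equal-length images and record each changed byte as an xor delta.

    The delta alone does not reveal the new byte: without the original byte
    at that offset there is no way to recover original ^ delta.
    """
    if len(original) != len(modified):
        raise ValueError("xor-difference patches require equal-length images")
    deltas = [(i, a ^ b) for i, (a, b) in enumerate(zip(original, modified)) if a != b]
    return Patch(len(original), zlib.crc32(original) & 0xFFFFFFFF, deltas)


def apply_patch(target: bytes, patch: Patch) -> bytes:
    """Apply the deltas only if the target is the image the patch was built for.

    Size and CRC32 are checked before any byte is touched, so a same-sized but
    different file (the false-positive case) is rejected rather than damaged.
    """
    if len(target) != patch.expected_size:
        raise ValueError(f"size mismatch: expected {patch.expected_size}, got {len(target)}")
    crc = zlib.crc32(target) & 0xFFFFFFFF
    if crc != patch.expected_crc32:
        raise ValueError(f"crc32 mismatch: expected {patch.expected_crc32:08x}, got {crc:08x}")
    out = bytearray(target)
    for offset, delta in patch.deltas:
        out[offset] ^= delta
    return bytes(out)


# Constructed sample data standing in for an original and an updated file.
ORIGINAL = b"timeout=30s retries=03"
MODIFIED = b"timeout=60s retries=05"
# Same size as ORIGINAL but different content: must be refused by apply_patch.
WRONG_FILE = b"timeout=45s retries=03"

PATCH = make_patch(ORIGINAL, MODIFIED)


if __name__ == "__main__":
    print("deltas:", [(off, hex(d)) for off, d in PATCH.deltas])
    print("patched:", apply_patch(ORIGINAL, PATCH))
    try:
        apply_patch(WRONG_FILE, PATCH)
    except ValueError as exc:
        print("refused:", exc)
```

Only two bytes differ between the constructed images, so the patch is two (offset, delta) pairs plus the size and CRC32 of the original; applying it to WRONG_FILE raises before writing anything, which is exactly the check Admiral says the better patchers perform.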