Immortal Descendants

Web:    http://www.ImmortalDescendants.com
Author: alpine
Date:   01/09/2000
Topic:  Win32asm Patcher Coding
Level:  intermediate

Part one of this series: the patcher. Part two will be the process patcher... watch out for it.

Welcome

This essay is mainly about coding in win32asm, but there is a bit of cracking in it as well. Today's target is a well-known PC game called Kingpin. I think most of you know this game; it is a pretty brutal and violent one. What we want to achieve is to play the game without the CD once you have installed it. If you don't have the game at home, it doesn't matter much, since the protection it uses to check for the Kingpin CD in the CD drive is really easy to defeat (or, as Volatility would say: banal :). The only problem is that you can't work with Softice: nothing happens on CTRL+D during the game, and if you set a breakpoint before running the game, Softice will break, but you don't see anything of Softice; it just looks like a screenshot of the game. Therefore I used Wdasm mainly. After we have found the location to patch, we will code a patcher for it.

You need:

Tasm 5.0
Wdasm
Softice
an Api-Reference

I will assume that you have a fundamental knowledge of coding in win32asm.

BTW, a short remark: if you find words like "irst", "sotice" or "deeat" in this essay, that's because my f-key is pretty much fucked up, sorry about this.
Part one: (which I will keep short)

After you have installed the game and taken the CD out of the drive, you try to run the game. Hmm, an error occurs, shown to you through a message box: "You must have the KINGPIN Cd in drive to play". Disassemble it using Wdasm and search for that string using the Search/Find Text function. You will get more than one hit for that string; to cut it short, the one we are looking for is the second one, which is referenced by a call from 0043D5F1. Go to this location and you find:

0043D5ED test eax,eax
0043D5EF jne  0043D5F6
0043D5F1 call 00442030
0043D5F6 call 00444BAC

Yes! You are right: by patching the jne into an unconditional jump we can play the game without having the CD in the drive. The opcodes for the jne 0043D5F6 are 7505 (which we will patch into EB05 of course). The raw offset for the jne at 0043D5EF is 03D5EFh, which is the value the patcher below adds to the start of the file image.

Part two: the patcher

The theory:

* We open "Kingpin.exe", which we achieve with a call to CreateFileA.
* We use the handle returned by CreateFileA to obtain the file size (a call to GetFileSize), which we need to know how many bytes to read from the file and how many bytes to allocate in memory (a call to VirtualAlloc).
* We read the whole file (a call to ReadFile) into the allocated memory area.
* We go to the (raw) offset we want to patch and check for 7505. If it is not present, we check for EB05: if that is found, show a message box "already patched", else "File not correct", and quit.
* Change the 75 of 7505 into EB, so the bytes read EB05.
* Set the file pointer (a call to SetFilePointer) to the beginning of the file and write the image from memory back to disk (a call to WriteFile).
* Give a final message box "patched".

The code:

.386P
jumps
locals
Model Flat, StdCall

;----here are the Api's we use
extrn MessageBoxA    :proc
extrn CreateFileA    :proc
extrn ReadFile       :proc
extrn WriteFile      :proc
extrn GetFileSize    :proc
extrn ExitProcess    :proc
extrn VirtualAlloc   :proc
extrn CloseHandle    :proc  ;used for closing the handle given back by CreateFileA
extrn SetFilePointer :proc

;----data starts
here
.data
_cap_ok         db "KingPin -No Cd- Patcher",0  ;Caption of the final msg-box
_text_ok        db "patched",0                  ;Text of the final msg-box
_cap_err1       db "KingPin -No Cd- Patcher",0  ;Caption of the....
_text_err1      db "File not found",0
_cap_err2       db "KingPin -No Cd- Patcher",0  ;...
_text_err2      db "Not correct version of file",0
_cap_err3       db "KingPin -No Cd- Patcher",0
_text_err3      db "can't patch, coz it's already patched",0
_handle         dd ?            ;This dword will hold the handle given back by CreateFileA
_filesize       dd ?            ;dword for the value given back by GetFileSize
_check          dw 0575h        ;the value to check for: the bytes 75 05 in the file are
                                ;the little-endian word 0575h (be aware: reversed order)
_file           db "KINGPIN.EXE",0 ;File to open
_mempointer     dd ?            ;dword pointing to the mem-offset given by VirtualAlloc
_bytesread      dd 0            ;a dword needed for ReadFile
_byteswritten   dd 0            ;a dword needed for WriteFile
_alreadypatched dw 05EBh        ;the value to check if already patched (bytes EB 05;
                                ;only tested if _check fails)

;---code starts here
.code
Start:
    push 0
    push 00000080h              ;FILE_ATTRIBUTE_NORMAL
    push 3                      ;OPEN_EXISTING
    push 0
    push 1                      ;FILE_SHARE_READ
    push 0C0000000h             ;open file for read and write access
    push offset _file           ;Kingpin.exe
    call CreateFileA
    cmp eax, 0FFFFFFFFh         ;INVALID_HANDLE_VALUE
    je _err1                    ;msgbox "File not found"
    mov [_handle],eax           ;save handle
    push 0
    push eax                    ;push handle
    call GetFileSize
    mov [_filesize],eax         ;save file size
    push 4                      ;PAGE_READWRITE
    push 1000h                  ;MEM_COMMIT
    push [_filesize]            ;how many bytes to allocate in mem
    push 0
    call VirtualAlloc           ;allocate
    mov [_mempointer],eax       ;save offset of allocated bytes
    push 0
    push offset _bytesread
    push [_filesize]            ;how many bytes to read
    push [_mempointer]          ;buffer which will hold the read bytes
    push [_handle]
    call ReadFile               ;read file
    cmp [_filesize], 03D5F1h    ;the two bytes we test must lie inside the file,
    jb _err2                    ;otherwise we would read past the end of our buffer
    mov eax,[_mempointer]       ;start of read file in mem
    add eax, 03D5EFh            ;raw offset of 0043D5EF
    mov ebx, [eax]
    cmp bx, [_check]            ;cmp value at 0043D5EF with _check (0575h)
    jne _check2                 ;if not equal check if already patched
    mov byte ptr [eax], 0EBh    ;else patch: 75 05 (jne) becomes EB 05 (jmp)
    jmp _goon                   ;and go on
_check2:
    cmp bx, [_alreadypatched]   ;cmp with 05EBh
    jne _err2                   ;if not equal msgbox "Not correct version of file"
    jmp _alpatched              ;else
                                ;msgbox "Already patched"
_goon:
    push 0                      ;set file pointer to beginning (FILE_BEGIN)
    push 0
    push 0
    push [_handle]
    call SetFilePointer         ;set
    push 0
    push offset _byteswritten
    push [_filesize]            ;how many bytes to write
    push [_mempointer]          ;buffer which contains the bytes to write
    push [_handle]              ;to Kingpin.exe
    call WriteFile              ;write
    push 0                      ;msgbox "patched"
    push offset _cap_ok
    push offset _text_ok
    push 0
    call MessageBoxA
    jmp _exit                   ;close handle and exit
_err1:
    push 0
    push offset _cap_err1
    push offset _text_err1
    push 0
    call MessageBoxA
    jmp _quit                   ;CreateFileA failed, so there is no handle to close
_err2:
    push 0
    push offset _cap_err2
    push offset _text_err2
    push 0
    call MessageBoxA
    jmp _exit
_alpatched:
    push 0
    push offset _cap_err3
    push offset _text_err3
    push 0
    call MessageBoxA
_exit:
    push [_handle]
    call CloseHandle
_quit:
    push 0
    call ExitProcess
End Start

To compile this file, use the following batch file in your TASM\BIN directory:

tasm32 /mx /m3 /z /q test1
tlink32 -x /Tpe /aa /c test1,test1,, import32.lib
del *.obj
del *.map

Of course this assumes your .asm file is called test1.

I hope you got a basic idea of how to write a patcher in win32asm.

regards

alpine
alpine@ImmortalDescendants.com
alpiner.cjb.net
and of course http://www.immortaldescendants.com
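As an added example that is not part of alpine's essay, here is the same open / size / read / check / patch / write procedure from "The theory" written in Python, extended with the step the essay does by hand: converting a virtual address such as 0043D5EF into a raw file offset by walking the PE section table, which works for any section rather than for the one address in the essay. The minimal PE image, its single section layout (VA 0x1000 at raw 0x400), the test address 0x401050 and the temporary file are constructed for this demonstration; only the 75 05 (jne) to EB 05 (jmp) byte pattern is the essay's. It also has the two things a patcher should have that the asm version skips: a check that the offset actually lies inside the file before indexing, and a .bak copy of the target before the image is written back.

```python
"""Added example (not from the essay): three-outcome file patcher plus
VA -> raw-offset conversion through the PE section table. The sample PE
image and its layout below are constructed for the demonstration."""
import os
import struct
import tempfile

IMAGE_BASE = 0x400000               # assumption: default PE32 image base, as in the essay
EXPECTED = bytes.fromhex("7505")    # jne +5  (the essay's bytes at 0043D5EF)
PATCHED = bytes.fromhex("EB05")     # jmp +5  (what the essay patches them into)


def va_to_raw(image: bytes, va: int) -> int:
    """Map a virtual address to a file offset:
    raw = (va - ImageBase) - Section.VirtualAddress + Section.PointerToRawData."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ header)")
    pe = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file (no PE signature)")
    nsections = struct.unpack_from("<H", image, pe + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]
    opt = pe + 24                                           # optional header
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    rva = va - image_base
    sec = opt + opt_size                                    # first section header
    for _ in range(nsections):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", image, sec + 8)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rva - vaddr + rawptr
        sec += 40
    raise ValueError(f"VA {va:#x} lies in no section")


def patch_image(image: bytearray, raw: int) -> str:
    """Return 'patched', 'already patched' or 'wrong version'.
    The length check is the one the essay's asm leaves out."""
    if raw + len(EXPECTED) > len(image):
        return "wrong version"
    cur = bytes(image[raw:raw + len(EXPECTED)])
    if cur == EXPECTED:
        image[raw:raw + len(PATCHED)] = PATCHED
        return "patched"
    if cur == PATCHED:
        return "already patched"
    return "wrong version"


def patch_file(path: str, va: int) -> str:
    """Read the whole file, patch it in memory, write the whole image back."""
    with open(path, "rb") as f:
        original = f.read()
    image = bytearray(original)
    result = patch_image(image, va_to_raw(image, va))
    if result == "patched":
        with open(path + ".bak", "wb") as f:    # keep a copy before touching the target
            f.write(original)
        with open(path, "wb") as f:             # like SetFilePointer(0) + WriteFile
            f.write(image)
    return result


def build_sample_image() -> bytearray:
    """Constructed minimal PE32: one .text section, VA 0x1000 -> raw 0x400,
    with test eax,eax / jne +5 placed so the jne sits at VA 0x401050 (raw 0x450)."""
    img = bytearray(0x600)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                 # e_lfanew
    pe = 0x80
    img[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HH", img, pe + 4, 0x14C, 1)          # i386, 1 section
    struct.pack_into("<H", img, pe + 20, 0xE0)              # SizeOfOptionalHeader
    opt = pe + 24
    struct.pack_into("<H", img, opt, 0x10B)                 # PE32 magic
    struct.pack_into("<I", img, opt + 28, IMAGE_BASE)
    sec = opt + 0xE0
    img[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", img, sec + 8, 0x200, 0x1000, 0x200, 0x400)
    img[0x44E:0x452] = bytes.fromhex("85C07505")            # test eax,eax ; jne +5
    return img


def demo() -> tuple:
    """Patch the constructed image on disk twice; the second run must refuse."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "KINGPIN.EXE")               # name from the essay, image constructed
        with open(path, "wb") as f:
            f.write(build_sample_image())
        first = patch_file(path, 0x401050)
        second = patch_file(path, 0x401050)
        with open(path, "rb") as f:
            data = f.read()
        return first, second, data[0x450:0x452].hex(), os.path.exists(path + ".bak")


if __name__ == "__main__":
    print(demo())
```

Running the block prints ('patched', 'already patched', 'eb05', True): the first pass finds 75 05 and rewrites it, the second sees EB 05 and reports it as already patched, and a file that is too short or carries other bytes at the offset is rejected before anything is written.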