²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²
    ²²    ____                     __       __           ²²ßÛ
    ²²   /  _/_ _  __ _  ___  ____/ /____ _/ /           ²² ÛßÛ
    ²²  _/ //  ' \/  ' \/ _ \/ __/ __/ _ `/ /            ²² Û Û
    ²² /___/_/_/_/_/_/_/\___/_/  \__/\_,_/_/             ²² Û Û
    ²²   ____                          __          __    ²² Û Û
    ²²  / __ \___ ___ _______ ___  ___/ /__ ____  / /____²² Û Û
    ²² / /_/ / -_|_-</ __/ -_) _ \/ _  / _ `/ _ \/ __(_-<²² Û Û
    ²²/_____/\__/___/\__/\__/_//_/\_,_/\_,_/_//_/\__/___/²² Û Û
    ²²                                                   ²² Û Û
    ²²      Web: http://www.ImmortalDescendants.com      ²² Û Û
    ²²                 Author: alpine                    ²² Û Û
    ²²                Date: 01/09/2000                   ²² Û Û
    ²²          Topic: Win32asm Patcher Coding           ²² Û Û
    ²²               Level: intermediate                 ²² Û Û
    ²²                                                   ²² Û Û
    ²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²²² Û Û
      ÛÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÛ Û
        ÛÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÛ

part one: the patcher (this essay)
part two: will be the process patcher... watch out for it


Welcome

This essay is mainly about coding in win32asm, but there is a bit of cracking in it as well.
Today's target is a well known PC game called Kingpin. I think most of you know this game,
which is a pretty brutal and violent one. What we want to achieve is to play the game without
the CD after you've installed it. If you don't have the game at home, it doesn't matter a lot,
since the protection it uses to check for the Kingpin CD in the CD drive is really easy to
defeat (or, like Volatility would say: banal :). The only problem is that you can't work with
Softice, because nothing happens on a CTRL+D during the game, and if you set a breakpoint
before running the game, Softice will break, but you don't see anything of Softice:
it looks like just a screenshot of the game. Therefore I used wdasm mainly. After we have
found the location to patch, we will code a patcher for it.

You need:

Tasm 5.0
Wdasm
Softice
an Api-Reference will 

I assume that you have a fundamental knowledge of coding in win32asm.
BTW a short remark: if you find words like "irst", "sotice" or "deeat" in this essay, that's
because my f-key is pretty much fucked up, sorry about this.

part one:
(which I will keep short)

After you've installed the game and taken the CD out of the drive, you try to run the game. Hmm,
an error occurs, shown to you through a message box: "You must have the KINGPIN Cd in drive
to play". Disassemble it using wdasm, and search for that string using the Search/Find Text
function. You will get more than one hit for that string; to keep it short, the one we are
searching for is the second one, which is referenced by a call from 0043D5F1. Go to this
location and you find:

0043D5ED test eax,eax
0043D5EF jne 0043D5F6

0043D5F1 call 00442030

0043D5F6 call 00444BAC


Yes, you are right: by patching the jne into an unconditional jump we can play the game
without having the CD in the drive. The opcodes for the jne 0043D5F6 are 75 05
(which we will patch into EB 05, of course: EB is a short jmp with the same one-byte
displacement, so the instruction keeps its two-byte size and nothing after it moves).
The raw offset of 0043D5EF, the address of the jne, is 03D5EFh; that is the value the patcher
in part two adds to the start of the file image. Be aware that the raw (file) offset is not
simply the virtual address minus the image base in general: it depends on the raw pointer of
the section in the PE section table, so check it in wdasm rather than assuming it for another
binary or another version of the game.

part two:
the patcher

The theory:

* We open "Kingpin.exe" with a call to CreateFileA (read and write access)
* We use the handle given back by CreateFileA to obtain the file size (a call to GetFileSize),
  which we need to know how many bytes to read from the file and how many bytes to
  allocate in memory (a call to VirtualAlloc)
* We read the whole file (a call to ReadFile) into the allocated memory area
* We make sure the file is long enough to contain the patch offset at all, then go to the
  offset (the raw offset) we want to patch and check for 75 05; if not present, check for
  EB 05 and, if so, show a message box "already patched", else "File not correct", and quit
* Change the opcode byte 75 into EB (the displacement byte 05 stays as it is)
* Set the file pointer (a call to SetFilePointer) to the beginning of the file and write the
  image from memory back to disk (a call to WriteFile)
* Give a final msg-box "patched"
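The same procedure, from the raw-offset step of part one through the check-then-patch steps above, as an added Python example; this is not alpine's code and not part of the original essay. It differs from the asm patcher in the two places a practitioner would want: the raw offset is derived from the PE section table instead of being hard-coded (which also shows why 0043D5EF maps to 3D5EFh in this binary and would not in another), and a file shorter than the patch offset is rejected instead of being read past its end. The stand-in image it builds is a constructed minimal PE32 with an assumed layout (one section at VA 1000h with raw pointer 1000h, image base 00400000h); none of that is taken from KINGPIN.EXE, and the function and constant names are the example's own.

```python
"""Added example: a Kingpin-style no-CD patcher in Python (not from the essay).
Everything said about the real KINGPIN.EXE layout is an assumption used only
to build a constructed stand-in image for the demo."""
import shutil
import struct

PATCH_VA = 0x0043D5EF      # address of the "jne 0043D5F6" found in part one
ORIGINAL = b"\x75\x05"     # jne +5: what an unpatched file must contain there
PATCHED = b"\xEB\x05"      # jmp +5: same length, so nothing after it moves


def va_to_raw(image: bytes, va: int) -> int:
    """Map a virtual address to a raw file offset via the PE32 section table
    (the step the asm patcher hard-codes as 03D5EFh)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", image, 0x3C)[0]                 # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    file_hdr = pe + 4
    n_sections = struct.unpack_from("<H", image, file_hdr + 2)[0]
    opt_size = struct.unpack_from("<H", image, file_hdr + 16)[0]
    opt_hdr = file_hdr + 20
    if struct.unpack_from("<H", image, opt_hdr)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    image_base = struct.unpack_from("<I", image, opt_hdr + 28)[0]
    rva = va - image_base
    sec = opt_hdr + opt_size                         # first IMAGE_SECTION_HEADER
    for _ in range(n_sections):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", image, sec + 8)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            off = rva - vaddr
            if off >= rawsize:
                raise ValueError("VA lies in the uninitialised part of its section")
            return rawptr + off
        sec += 40
    raise ValueError("VA is not inside any section")


def patch_image(image: bytes, raw_off: int):
    """Return (status, new_image); status mirrors the asm patcher's three
    message boxes: "patched", "already patched" or "wrong version"."""
    if raw_off + len(ORIGINAL) > len(image):
        return "wrong version", image      # too short: the offset is not in the file
    cur = image[raw_off:raw_off + len(ORIGINAL)]
    if cur == ORIGINAL:
        buf = bytearray(image)
        buf[raw_off] = PATCHED[0]          # only the opcode byte changes
        return "patched", bytes(buf)
    if cur == PATCHED:
        return "already patched", image
    return "wrong version", image


def patch_file(path: str) -> str:
    """Patch a file on disk, keeping the untouched original as <path>.bak."""
    with open(path, "rb") as f:
        image = f.read()
    status, new_image = patch_image(image, va_to_raw(image, PATCH_VA))
    if status == "patched":
        shutil.copyfile(path, path + ".bak")
        with open(path, "wb") as f:
            f.write(new_image)
    return status


def build_stub_image() -> bytes:
    """Constructed stand-in for KINGPIN.EXE (assumed layout, not the real file):
    one .text section at VA 1000h with PointerToRawData 1000h and image base
    00400000h, so VA 0043D5EF lands at file offset 3D5EFh as the essay assumes."""
    image_base, sec_va, sec_raw, sec_size = 0x00400000, 0x1000, 0x1000, 0x3E000
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                          # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<II", opt, 32, 0x1000, 0x1000)             # section/file alignment
    sec = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", sec_size, sec_va,
                      sec_size, sec_raw, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec
    body = bytearray(b"\x90" * sec_size)                          # nop filler
    body_off = PATCH_VA - image_base - sec_va
    body[body_off:body_off + 2] = ORIGINAL                        # the jne to be patched
    return headers + bytes(sec_raw - len(headers)) + bytes(body)


if __name__ == "__main__":
    import os
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "KINGPIN.EXE")
        with open(exe, "wb") as f:
            f.write(build_stub_image())
        print(patch_file(exe))              # patched
        print(patch_file(exe))              # already patched
```

Run it as a script to see the two statuses in turn; point patch_file at a real path only after checking that va_to_raw returns the offset wdasm shows for that file, since the VA is the only thing carried over from the essay and it is specific to this version of the game.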

The code:

.386P
jumps
locals
Model Flat, StdCall

;----here are the Api's we use
extrn MessageBoxA :proc 
extrn CreateFileA :proc
extrn ReadFile    :proc
extrn WriteFile   :proc
extrn GetFileSize :proc
extrn ExitProcess :proc
extrn VirtualAlloc :proc
extrn CloseHandle :proc		;used for closing the handle given back by CreateFileA
extrn SetFilePointer :proc


;----data starts here
.data

_cap_ok db "KingPin -No Cd- Patcher",0		;Caption of the final msg-box
_text_ok db "patched",0				;Text of the final msg-box

_cap_err1 db "KingPin -No Cd- Patcher",0	;Caption of the....
_text_err1 db "File not found",0

_cap_err2 db "KingPin -No Cd- Patcher",0	;...
_text_err2 db "Not correct version of file",0

_cap_err3 db "KingPin -No Cd- Patcher",0
_text_err3 db "can't patch, coz it's already patched",0

_handle dd ?			;This dword will hold the handle given back by CreateFileA
_filesize dd ?			;dword for the value given back by GetFileSize
_check dw 0575h			;the bytes 75 05 read as a little-endian word (be aware: reversed order)
_file db "KINGPIN.EXE",0	;File to open (in the current directory)
_mempointer dd ?		;dword pointing to the mem-offset given by VirtualAlloc
_bytesread dd 0			;a dword needed for ReadFile
_byteswritten dd 0		;a dword needed for WriteFile
_alreadypatched dw 05EBh	;the bytes EB 05 as a word, to check if already patched (only if _check fails)


;---code starts here
.code

Start:

	push 0			;hTemplateFile
	push 00000080h		;FILE_ATTRIBUTE_NORMAL
	push 3			;OPEN_EXISTING
	push 0			;no security attributes
	push 1			;FILE_SHARE_READ
	push 0C0000000h		;GENERIC_READ or GENERIC_WRITE: open file for read and write access
	push offset _file	;Kingpin.exe
	call CreateFileA
	cmp eax, 0FFFFFFFFh	;INVALID_HANDLE_VALUE?

	je _err1		;msgbox "File not found"
	mov [_handle],eax	;save handle

	push 0			;lpFileSizeHigh = NULL (file is smaller than 4 GB)
	push eax		;push handle
	Call GetFileSize	
	mov [_filesize],eax	;Save file size


	push 4			;PAGE_READWRITE
	push 1000h		;MEM_COMMIT
	push [_filesize]	;how many bytes to allocate in mem
	push 0			;let the system choose the address
	Call VirtualAlloc	;allocate (returns 0 on failure; not checked here)
	mov [_mempointer],eax	;save offset of allocated bytes


	push 0			;lpOverlapped = NULL
	push offset _bytesread	;receives the number of bytes actually read
	push [_filesize]	;how many bytes to read
	push [_mempointer]	;buffer which will hold the read bytes
	push [_handle]
	call ReadFile		;read file

	mov eax,[_filesize]
	cmp eax, 03D5F1h	;the file must reach at least offset 03D5F0h, otherwise the
	jb _err2		;read below would go past the buffer: treat it as the wrong version
	mov eax,[_mempointer]	;start of read file in mem
	add eax, 03D5EFh	;raw offset of 0043D5EF
	movzx ebx, word ptr [eax] ;load only the two opcode bytes
	cmp bx, [_check]	;cmp value at 0043D5EF with _check (0575h = bytes 75 05)
	jne _check2		;if not equal check if already patched

	mov byte ptr [eax], 0EBh ;else patch the opcode byte (75 -> EB); the 05 stays
	jmp _goon		;and go on

_check2:

	cmp bx, [_alreadypatched] ;cmp with 05EBh
	jne _err2		  ;if not equal msgbox "Not correct version of file"
	jmp _alpatched		  ;else msgbox "Already patched"

_goon:

	push 0			;FILE_BEGIN: set file pointer to beginning
	push 0			;lpDistanceToMoveHigh
	push 0			;lDistanceToMove
	push [_handle]
	call SetFilePointer	;set

	push 0				
	push offset _byteswritten
	push [_filesize]		;how many bytes to write
	push [_mempointer]		;buffer which contains the bytes to write
	push [_handle]			;to Kingpin.exe
	call WriteFile			;write



	push 0				;msgbox "patched"
	push offset _cap_ok
	push offset _text_ok
	push 0
	call MessageBoxA
	jmp _exit			;close handle and exit

_err1:

	push 0
	push offset _cap_err1
	push offset _text_err1
	push 0
	call MessageBoxA
	push 0			;no handle was opened, so exit without CloseHandle
	call ExitProcess

_err2:
	push 0
	push offset _cap_err2
	push offset _text_err2
	push 0
	call MessageBoxA
	jmp _exit

_alpatched:
	push 0
	push offset _cap_err3
	push offset _text_err3
	push 0
	call MessageBoxA

_exit:

	push [_handle]
	call CloseHandle

	push 0
	call ExitProcess

End Start



To compile this file use the following batch file in your TASM\BIN directory:

tasm32 /mx /m3 /z /q test1
tlink32 -x /Tpe /aa /c test1,test1,, import32.lib
del *.obj
del *.map

assuming, of course, that your .asm file is called test1.asm (/aa links it as a Windows GUI
program, which is why the patcher reports through message boxes rather than a console)


I hope you got a basic idea on how to write a patcher in win32asm.

regards
alpine


alpine@ImmortalDescendants.com
alpiner.cjb.net
and of course
http://www.immortaldescendants.com