Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Weird behavior in a patched program (https://forum.exetools.com/showthread.php?t=20091)

Doit 02-21-2022 23:45

Weird behavior in a patched program
 
Hi!
This is the first time I have posted a question on the forum; I hope I am doing it correctly.

I have patched a program that enables or disables options depending on whether the license is activated, in this case the Export option. The strange thing is that it behaves differently depending on how you run it: if I start it from the debugger, the program works correctly with the Export option enabled, but if I run it normally, it disables this option.

I would like to know why this is happening, because I have been patching programs for years and I have never encountered this problem before.

Thanks and excuse my English, it is not my language.

TmC 02-22-2022 01:09

The only things that come to mind are the following:

1. The program is checking for IsDebuggerPresent and acting accordingly (but if you've been patching programs for years, I believe you have already considered this option and, more importantly, know how to fix it).
2. There are tricks to detect whether the program was started by Windows or by another program, and the software acts accordingly.
3. There is some sort of exception that is caught by the debugger and not by the program. This way the program knows it is being debugged and might/might not do some operations.

Stingered 02-22-2022 02:12

Not sure I've heard of this one happening before.

1. Use ScyllaHide plugin to see if you can hide the debugger and check behavior.
2. Set debugger exception ignore range to: 00000000-99999999
3. Disable System BP and Entry BP to see if behavior changes inside debugger.
4. Create a loader to perform patch in-memory.

Research links:

https://www.apriorit.com/dev-blog/367-anti-reverse-engineering-protection-techniques-to-use-before-releasing-software

https://anti-debug.checkpoint.com/

h4sh3m 02-22-2022 06:07

Hi

It might happen because:
1- your target is a .NET file and your patched file has another copy in the GAC folder (mostly DLL files in this case)!

2- sometimes when you're patching files (DLL files in .NET, I mean) and just renaming the original files, the Windows loader keeps loading the original file (don't know why), so you just need to change the original file's extension or re/move it to solve the problem.

3- in native files, sometimes you need to disable ASLR and/or the relocation flag; also you need to use the RVA instead of the VA to get better results (needs more steps, but it's better).

...

xyz- let me know if some parts (or all of them) are not correct ;)


BR,
h4sh3m
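Added example (not code from h4sh3m or anyone else in this thread) illustrating point 3 above: a debugger shows a virtual address (VA) inside a loaded image, but the byte you want to patch on disk lives at a file offset, so the VA has to be converted to an RVA (VA minus ImageBase) and then mapped through the section table. The same script clears IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040) in the optional header so the image is no longer relocated by ASLR, and can optionally set IMAGE_FILE_RELOCS_STRIPPED (0x0001) in the COFF header. The PE bytes it works on are a constructed, minimal PE32 header with two sections and a four-byte "license check" stub; it is not a real program, and the addresses (ImageBase 0x400000, RVA 0x1010) are assumptions for the demo.

```python
"""PE helpers for patching at a debugger VA and disabling ASLR.

Added example for this thread, not code from any forum member. The
sample image built by build_sample_pe() is constructed for the demo.
"""
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics bit
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # DllCharacteristics bit (ASLR)
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_pe(data):
    """Return ImageBase, the two flag words, their file offsets and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER (20 bytes)
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(nsections):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + size_opt + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va,
                         "vsize": vsize, "raw_size": rsize, "raw_ptr": rptr})
    return {
        "image_base": image_base,
        "characteristics_off": coff + 18,      # same offset in PE32 and PE32+
        "dll_characteristics_off": opt + 70,   # same offset in PE32 and PE32+
        "characteristics": struct.unpack_from("<H", data, coff + 18)[0],
        "dll_characteristics": struct.unpack_from("<H", data, opt + 70)[0],
        "sections": sections,
    }


def va_to_rva(pe, va):
    """A debugger VA is only meaningful relative to the base the image got; strip it."""
    return va - pe["image_base"]


def rva_to_file_offset(pe, rva):
    """Map an RVA to the file offset of the same byte via the section that contains it."""
    for s in pe["sections"]:
        span = max(s["vsize"], s["raw_size"])
        if s["va"] <= rva < s["va"] + span:
            if rva - s["va"] >= s["raw_size"]:
                raise ValueError("RVA 0x%x is in the zero-filled tail of %s, not on disk" % (rva, s["name"]))
            return rva - s["va"] + s["raw_ptr"]
    raise ValueError("RVA 0x%x is not inside any section" % rva)


def disable_aslr(data, strip_relocs=False):
    """Clear DYNAMIC_BASE so the loader uses ImageBase; optionally mark relocs stripped.
    Caveat: RELOCS_STRIPPED makes the image unloadable if its base is ever taken."""
    pe = parse_pe(data)
    buf = bytearray(data)
    struct.pack_into("<H", buf, pe["dll_characteristics_off"],
                     pe["dll_characteristics"] & ~IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    if strip_relocs:
        struct.pack_into("<H", buf, pe["characteristics_off"],
                         pe["characteristics"] | IMAGE_FILE_RELOCS_STRIPPED)
    return bytes(buf)


def patch_at_va(data, va, new_bytes):
    """Write new_bytes at the file offset that corresponds to a debugger VA."""
    pe = parse_pe(data)
    off = rva_to_file_offset(pe, va_to_rva(pe, va))
    buf = bytearray(data)
    buf[off:off + len(new_bytes)] = new_bytes
    return bytes(buf)


def build_sample_pe():
    """Constructed minimal PE32 (not a real program): ASLR on, .text at RVA 0x1000."""
    e_lfanew = 0x40
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)  # i386, 2 sections
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1010)      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)    # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)      # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)       # FileAlignment
    struct.pack_into("<I", opt, 56, 0x3000)      # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x400)       # SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)           # Subsystem: GUI
    struct.pack_into("<H", opt, 70, 0x8140)      # TS_AWARE | NX_COMPAT | DYNAMIC_BASE
    struct.pack_into("<I", opt, 92, 16)          # NumberOfRvaAndSizes

    def section(name, va, vsize, rptr, rsize, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rsize, rptr, 0, 0, 0, 0, flags)

    hdr = dos + b"PE\0\0" + coff + bytes(opt)
    hdr += section(b".text", 0x1000, 0x1A0, 0x400, 0x200, 0x60000020)
    hdr += section(b".data", 0x2000, 0x300, 0x600, 0x200, 0xC0000040)  # 0x100 of bss tail
    text = bytearray(0x200)
    text[0x10:0x14] = b"\x85\xC0\x74\x20"        # stand-in "test eax,eax / jz" license check
    return hdr.ljust(0x400, b"\0") + bytes(text) + bytes(0x200)


if __name__ == "__main__":
    img = build_sample_pe()
    pe = parse_pe(img)
    rva = va_to_rva(pe, 0x401012)                # the jz seen at VA 0x401012 in the debugger
    print("RVA 0x%x -> file offset 0x%x" % (rva, rva_to_file_offset(pe, rva)))
    fixed = disable_aslr(patch_at_va(img, 0x401012, b"\xEB"))   # jz -> jmp, ASLR off
    print("DllCharacteristics now 0x%04x" % parse_pe(fixed)["dll_characteristics"])
```

Two things to keep in mind when using this on a real target: the optional-header CheckSum is not recomputed (user-mode executables load without a valid one; drivers do not), and with DYNAMIC_BASE cleared the VA you saw in the debugger only matches ImageBase if nothing else already occupies that range, which is exactly why the RVA, not the VA, is the address worth writing down.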

Doit 02-23-2022 01:48

Hi,
@TmC, that is the first thing I tried (IsDebuggerPresent); for the moment I have discarded it, although the program could check it from a file that I have not yet located.

@Stingered, I've tried all that. I'll take a look at those links.

@h4sh3m, in this case it is not a .NET program, and I have also tried to deactivate ASLR with CFF, but with the same result.

I welcome any other suggestions, thanks.

