Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Best way to add a large block of data into a file to patch it? (https://forum.exetools.com/showthread.php?t=19285)

Chuck954 08-05-2019 00:01

Best way to add a large block of data into a file to patch it?
 
I have a program I have been able to crack. I got the dongle off it and it uses a license file to see which options are enabled or disabled at startup. It copies all these options with a 1 or 0 into memory after a certain point (and the license has an encryption key so it can't be modified; this has to be done at startup).

I copied this section which is around 18000 bytes and changed all the options into a 1 instead of a 0. I am not sure the best way to add a large section of data into a program without getting any exceptions. It's working now but it triggers a c0000374 when you get to this code. Running under IDA I can just ignore it and it loads and is cracked. Can't start it normally though. I'd like to be able to get it working correctly.

I created a new section in CFF Explorer and pasted the data into it. I modified a jump to go to an unused function and changed that code to change the EBP-40 stack pointer so that instead of pointing to the old license, it points to the modified one. Then it returns, and I made sure all registers were the same.

I believe going to another function to read memory in a different section and manipulating it is triggering this exception. What is the correct way to do something like this?

Kurapica 08-05-2019 02:16

Make sure your new section is using the correct alignment! Also, its flags must be valid according to what this new section is doing.

h4sh3m 08-05-2019 07:41

Hi

Sometimes coding DLL files for patching is a better way (it's flexible); you just need to add an import (dummy function) to the exe and do the patch at startup!

BR,
h4sh3m

ionioni 08-05-2019 08:57

you could use dll hijacking

ahmadmansoor 08-05-2019 13:32

As @ionioni says, it will be an easy way to handle this data.

tonyweb 08-10-2019 23:28

Why can't you change the code of the unused function to actually patch the 0s you're interested in to 1s in the *original* license area? I think this is a cleaner way.

If finding the position of the "flags" to set to 1 is "complex", you could follow the suggestions by @h4sh3m / @ionioni / @Ahmadmansoor ... DLL injection/hijacking, and code your own DLL to which you can pass the address of the license data to patch.

--

If you still want to use the hard-coded section, I agree with @Kurapica : check for section location/alignment and permissions.

My idea is that the c0000374 error happens because the application, once it has used the license data (probably in a dynamically allocated area), tries to free it and, because your data is not dynamically created / not on the heap, it fails to do so. Just find the "free()" call and NOP it ;)

Best Regards,
Tony
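Kurapica and tonyweb both point at section alignment and flags. As an added example (not code from this thread or from CFF Explorer), here is a small Python script that appends a section to a PE file the way a PE editor does: VirtualAddress is taken from the end of the last section rounded up to SectionAlignment, PointerToRawData from the end of the file rounded up to FileAlignment, and NumberOfSections and SizeOfImage are updated. The one-section PE it builds for itself is a constructed stand-in for a real binary, and the 18000-byte block of 1s is a constructed stand-in for the modified license; the flag combination used for it (initialized data, read, write) is the one you would want for a block the program reads and may write back to.

```python
import struct

# Section Characteristics bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE             = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE          = 0x20000000
IMAGE_SCN_MEM_READ             = 0x40000000
IMAGE_SCN_MEM_WRITE            = 0x80000000

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
SECTION_HDR_SIZE = struct.calcsize(SECTION_HDR)


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def _layout(pe):
    """Locate the COFF header, optional header and section table; return alignment values."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] not in (0x10B, 0x20B):   # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # SectionAlignment/FileAlignment (+32/+36) and SizeOfImage/SizeOfHeaders (+56/+60)
    # sit at the same offsets in PE32 and PE32+.
    sec_align, file_align = struct.unpack_from("<II", pe, opt + 32)
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    return coff, nsec, opt, opt + opt_size, sec_align, file_align, size_of_headers


def sections(pe):
    """Parse the section table into a list of dicts."""
    _, nsec, _, tbl, _, _, _ = _layout(pe)
    out = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_HDR, pe, tbl + i * SECTION_HDR_SIZE)
        out.append({"name": f[0].rstrip(b"\0"), "vsize": f[1], "va": f[2],
                    "raw_size": f[3], "raw_ptr": f[4], "chars": f[9]})
    return out


def add_section(pe, name, data, characteristics):
    """Append `data` as a new section with the given flags; return the new image bytes."""
    pe = bytearray(pe)
    coff, nsec, opt, tbl, sec_align, file_align, size_of_headers = _layout(pe)
    if len(name) > 8:
        raise ValueError("section name is limited to 8 bytes")
    new_hdr = tbl + nsec * SECTION_HDR_SIZE
    if new_hdr + SECTION_HDR_SIZE > size_of_headers:
        raise ValueError("no room in the header area for another section entry")
    # Next free RVA: past the end of the highest section, rounded up to SectionAlignment.
    end_rva = max((s["va"] + max(s["vsize"], s["raw_size"]) for s in sections(pe)),
                  default=size_of_headers)
    va = align_up(end_rva, sec_align)
    # Raw data goes at the end of the file, rounded up to FileAlignment.
    raw_ptr = align_up(len(pe), file_align)
    raw_size = align_up(len(data), file_align)
    pe.extend(b"\0" * (raw_ptr - len(pe)))
    pe.extend(data)
    pe.extend(b"\0" * (raw_size - len(data)))
    struct.pack_into(SECTION_HDR, pe, new_hdr, name.ljust(8, b"\0"), len(data), va,
                     raw_size, raw_ptr, 0, 0, 0, 0, characteristics)
    struct.pack_into("<H", pe, coff + 2, nsec + 1)                              # NumberOfSections
    struct.pack_into("<I", pe, opt + 56, align_up(va + len(data), sec_align))  # SizeOfImage
    return bytes(pe)


def build_minimal_pe():
    """Constructed test input: a tiny PE32 with one .text section (a stand-in, not a real program)."""
    sec_align, file_align = 0x1000, 0x200
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                      # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    # COFF header: i386, 1 section, optional header 0xE0 bytes, EXECUTABLE_IMAGE | 32BIT_MACHINE
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                      # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, 0x1000)                # AddressOfEntryPoint
    struct.pack_into("<I", hdr, opt + 28, 0x400000)              # ImageBase
    struct.pack_into("<II", hdr, opt + 32, sec_align, file_align)
    struct.pack_into("<II", hdr, opt + 56, 0x2000, 0x200)        # SizeOfImage, SizeOfHeaders
    struct.pack_into(SECTION_HDR, hdr, opt + 0xE0, b".text", 0x10, 0x1000, 0x200, 0x200,
                     0, 0, 0, 0, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    text = b"\xC3".ljust(0x200, b"\0")                           # a single 'ret'
    return bytes(hdr) + text


if __name__ == "__main__":
    license_block = bytes([1]) * 18000   # constructed: every option flag set to 1
    patched = add_section(build_minimal_pe(), b".lic", license_block,
                          IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    for s in sections(patched):
        print(s["name"], hex(s["va"]), hex(s["raw_ptr"]), hex(s["raw_size"]), hex(s["chars"]))
```

Two things to keep in mind when running this against a real target: the script only uses slack between the section table and SizeOfHeaders for the new entry, and it assumes nothing (an overlay, a certificate table) follows the last section's raw data. Also, wrong flags on the new section give an access violation (c0000005) when the program touches it, not c0000374; c0000374 is STATUS_HEAP_CORRUPTION, raised by the heap manager, which is why tonyweb's free() theory fits the symptom better than the section flags do.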

chants 08-12-2019 20:41

C0000374 is a mislabeled "critical error", pretty vague, but things like heap corruption can cause it. Did you debug the call stack of the specific crash for details? The segment flags might do it, for example. Otherwise, if you don't want to go into low-level debugging here, other workarounds are safer. Certainly multiple options here.

Chuck954 08-17-2019 22:13

Thanks everyone for the suggestions. I did check out segment flags and tested different ones but it kept having the same problem.

Ideally, I would have used a custom DLL file but I am not familiar enough with writing DLLs yet. It was easiest to simply code a manual patch as the majority of my time has been spent learning low level debugging/assembly skills.

I ended up re-writing the patch after further study of how it gets written into memory. I used the original function that decrypts the license and wrote assembly code to get the address of the new segment with the license, then I just moved the modified license into the correct memory spot. Before, I was simply changing the stack pointer to point to the new segment I made and letting the original function copy the data itself into memory. Using an assembly-to-hex converter I just pasted the bytes in and good to go.

I still have more work to do in cleaning it up and making it work for other versions of this software. The good news is that it works now and I am able to start the program up normally with all features unlocked and it didn't crash once yesterday.

sope 09-06-2019 14:47

What I used to do with HASP4 encryption & decryption was create several numbered decrypted files, then hook up a routine, then load the decrypted files with the exact number of bytes at that particular memory location. It was a tedious process.

In short, you need to write code to hook the process, load your patched data and write it to the memory address to patch.

Cheers Sope
