Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 08-05-2019, 00:01
Chuck954 Chuck954 is offline
Friend
 
Join Date: Jul 2018
Posts: 45
Rept. Given: 0
Rept. Rcvd 9 Times in 7 Posts
Thanks Given: 24
Thanks Rcvd at 54 Times in 32 Posts
Chuck954 Reputation: 9
Best way to add a large block of data into a file to patch it?

I have a program I have been able to crack. I got the dongle off it and it uses a license file to see which options are enabled or disabled at startup. It copies all these options with a 1 or 0 into memory after a certain point (and license has an encryption key so it can't be modified, this has to be done at startup).

I copied this section which is around 18000 bytes and changed all the options into a 1 instead of a 0. I am not sure the best way to add a large section of data into a program without getting any exceptions. It's working now but it triggers a c0000374 when you get to this code. Running under IDA I can just ignore it and it loads and is cracked. Can't start it normally though. I'd like to be able to get it working correctly.

I created a new section in CFF explorer and pasted the data in it. I modified a jump to go to an unused function and changed that code to change the EBP-40 stack pointer so instead of pointing to the old license, it points to the modified one. Then returns and made sure all registers were same.

I believe going to another function to read memory in a different section and manipulating it is triggering this exception. What is the correct way to do something like this?
Reply With Quote
  #2  
Old 08-05-2019, 02:16
Kurapica's Avatar
Kurapica Kurapica is offline
VIP
 
Join Date: Jun 2009
Location: Archives
Posts: 114
Rept. Given: 11
Rept. Rcvd 126 Times in 35 Posts
Thanks Given: 17
Thanks Rcvd at 175 Times in 37 Posts
Kurapica Reputation: 100-199 Kurapica Reputation: 100-199
Make sure your new section is using the correct alignment ! and also its flags must be valid according to what this new section is doing.
Reply With Quote
The Following 2 Users Say Thank You to Kurapica For This Useful Post:
Chuck954 (08-17-2019), niculaita (08-06-2019)
  #3  
Old 08-05-2019, 07:41
h4sh3m h4sh3m is offline
Friend
 
Join Date: Aug 2016
Posts: 22
Rept. Given: 0
Rept. Rcvd 3 Times in 1 Post
Thanks Given: 29
Thanks Rcvd at 51 Times in 21 Posts
h4sh3m Reputation: 3
Hi

Some times coding dll files for patching is better way (it's flexible), you just need add an import (dummy function) to exe and do patch at startup !

BR,
h4sh3m
Reply With Quote
The Following User Says Thank You to h4sh3m For This Useful Post:
Chuck954 (08-17-2019)
  #4  
Old 08-05-2019, 08:57
ionioni ionioni is offline
Friend
 
Join Date: Jul 2016
Posts: 29
Rept. Given: 0
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 31
Thanks Rcvd at 22 Times in 16 Posts
ionioni Reputation: 1
you could use dll hijacking
Reply With Quote
  #5  
Old 08-05-2019, 13:32
ahmadmansoor's Avatar
ahmadmansoor ahmadmansoor is offline
Exetools Team Manager
 
Join Date: Feb 2006
Location: Syria
Posts: 1,006
Rept. Given: 462
Rept. Rcvd 361 Times in 134 Posts
Thanks Given: 188
Thanks Rcvd at 276 Times in 98 Posts
ahmadmansoor Reputation: 300-399 ahmadmansoor Reputation: 300-399 ahmadmansoor Reputation: 300-399 ahmadmansoor Reputation: 300-399
as @ionioni say, it will be an easy way to handle this data.
__________________
Ur Best Friend Ahmadmansoor
Always My Best Friend: Aaron & JMI & ZeNiX
Reply With Quote
  #6  
Old 08-10-2019, 23:28
tonyweb tonyweb is offline
Family
 
Join Date: Jan 2009
Posts: 139
Rept. Given: 163
Rept. Rcvd 86 Times in 31 Posts
Thanks Given: 1,158
Thanks Rcvd at 167 Times in 84 Posts
tonyweb Reputation: 86
Why can't you change the code of the unused function to actually patch the 0 you're interested into 1 in the *original* license area? I think this is a cleaner way.

If finding the position of the "flags" to put to 1 is "complex" you could follow the suggestion by @h4sh3m / @ionioni / @Ahmadmansoor ... dll injection/hijacking, and code your own dll to which you can pass the address of the license data to patch.

--

If you still want to use the hard-coded section, I agree with @Kurapica : check for section location/alignment and permissions.

My idea is that c0000374 error happens because the application, once used the license data (probably in a dinamically allocated area), tries to free it and, because your data is not dynamically created/not on the heap, it fails to do so. Just find the "free()" call and NOP it

Best Regards,
Tony
__________________
Want to learn unpacking ... but I'm too stupid
Reply With Quote
The Following 3 Users Say Thank You to tonyweb For This Useful Post:
ahmadmansoor (08-12-2019), Chuck954 (08-17-2019), niculaita (08-13-2019)
  #7  
Old 08-12-2019, 20:41
chants chants is offline
Family
 
Join Date: Jul 2016
Posts: 456
Rept. Given: 2
Rept. Rcvd 30 Times in 18 Posts
Thanks Given: 376
Thanks Rcvd at 725 Times in 333 Posts
chants Reputation: 30
C0000374 mislabeled critical error, pretty vague, but things like heap corruption can cause it. Did you debug the call stack of the specific crash for details? The segment flags might do it for example. Otherwise if not wanting to go into low level debugging here, other workarounds are safer. Certainly multiple options here.
Reply With Quote
The Following 4 Users Say Thank You to chants For This Useful Post:
ahmadmansoor (08-13-2019), Chuck954 (08-17-2019), niculaita (08-13-2019), tonyweb (08-17-2019)
  #8  
Old 08-17-2019, 22:13
Chuck954 Chuck954 is offline
Friend
 
Join Date: Jul 2018
Posts: 45
Rept. Given: 0
Rept. Rcvd 9 Times in 7 Posts
Thanks Given: 24
Thanks Rcvd at 54 Times in 32 Posts
Chuck954 Reputation: 9
Thanks everyone for the suggestions. I did check out segment flags and tested different ones but it kept having the same problem.

Ideally, I would have used a custom DLL file but I am not familiar enough with writing DLLs yet. It was easiest to simply code a manual patch as the majority of my time has been spent learning low level debugging/assembly skills.

I ended up re-writing the patch after further study of how it gets written into memory. I used the original function that decrypts the license and wrote assembly code to get the address of the new segment with the license, then I just moved the modified license into the correct memory spot. Before I was simply changing the stack pointer to point to the new segment I made and let the original function copy the data itself into memory. Using an assembly to hex converter I just pasted the bytes in and good to go.

I still have more work to do in cleaning it up and making it work for other versions of this software. The good news is that it works now and I am able to start the program up normally with all features unlocked and it didn't crash once yesterday.
Reply With Quote
The Following User Says Thank You to Chuck954 For This Useful Post:
tonyweb (08-25-2019)
  #9  
Old 09-06-2019, 14:47
sope sope is offline
Friend
 
Join Date: May 2016
Posts: 13
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 7
Thanks Rcvd at 14 Times in 8 Posts
sope Reputation: 0
What i used to do with hasp4 encryption & decryption was i used to create several numbered decrypted file & then used to hook up an routines, next load decrypted files with exact number of bytes to load at that particular memory location. Was an tedious process.

In short you need to write code to hook up the process & load your patched data & write it on memory address to patch.

Cheers Sope
Reply With Quote
The Following 2 Users Say Thank You to sope For This Useful Post:
Chuck954 (09-12-2019), niculaita (09-07-2019)
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
How to pass the large data in kernel mode to user mode? benina General Discussion 3 03-06-2010 04:50
Need Help With Masm Dialog Resource File Data kittmaster General Discussion 2 02-18-2006 09:15
ripping some data from upx packed file macpiter General Discussion 4 11-09-2005 20:41


All times are GMT +8. The time now is 13:10.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX