Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 08-05-2019, 00:01
Chuck954 Chuck954 is offline
Friend
 
Join Date: Jul 2018
Posts: 51
Rept. Given: 0
Rept. Rcvd 11 Times in 9 Posts
Thanks Given: 27
Thanks Rcvd at 59 Times in 36 Posts
Chuck954 Reputation: 11
Best way to add a large block of data into a file to patch it?

I have a program I have been able to crack. I got the dongle off it and it uses a license file to see which options are enabled or disabled at startup. It copies all these options with a 1 or 0 into memory after a certain point (and license has an encryption key so it can't be modified, this has to be done at startup).

I copied this section which is around 18000 bytes and changed all the options into a 1 instead of a 0. I am not sure the best way to add a large section of data into a program without getting any exceptions. It's working now but it triggers a c0000374 when you get to this code. Running under IDA I can just ignore it and it loads and is cracked. Can't start it normally though. I'd like to be able to get it working correctly.

I created a new section in CFF explorer and pasted the data in it. I modified a jump to go to an unused function and changed that code to change the EBP-40 stack pointer so instead of pointing to the old license, it points to the modified one. Then returns and made sure all registers were same.

I believe going to another function to read memory in a different section and manipulating it is triggering this exception. What is the correct way to do something like this?
Reply With Quote
  #2  
Old 08-05-2019, 02:16
Kurapica's Avatar
Kurapica Kurapica is offline
VIP
 
Join Date: Jun 2009
Location: Archives
Posts: 190
Rept. Given: 20
Rept. Rcvd 143 Times in 42 Posts
Thanks Given: 67
Thanks Rcvd at 404 Times in 87 Posts
Kurapica Reputation: 100-199 Kurapica Reputation: 100-199
Make sure your new section is using the correct alignment ! and also its flags must be valid according to what this new section is doing.
Reply With Quote
The Following 2 Users Say Thank You to Kurapica For This Useful Post:
Chuck954 (08-17-2019), niculaita (08-06-2019)
  #3  
Old 08-05-2019, 07:41
h4sh3m h4sh3m is offline
Friend
 
Join Date: Aug 2016
Location: RCE
Posts: 56
Rept. Given: 1
Rept. Rcvd 4 Times in 2 Posts
Thanks Given: 49
Thanks Rcvd at 81 Times in 35 Posts
h4sh3m Reputation: 4
Hi

Some times coding dll files for patching is better way (it's flexible), you just need add an import (dummy function) to exe and do patch at startup !

BR,
h4sh3m
Reply With Quote
The Following User Says Thank You to h4sh3m For This Useful Post:
Chuck954 (08-17-2019)
  #4  
Old 08-05-2019, 08:57
ionioni ionioni is offline
Friend
 
Join Date: Jul 2016
Posts: 80
Rept. Given: 8
Rept. Rcvd 3 Times in 3 Posts
Thanks Given: 92
Thanks Rcvd at 154 Times in 49 Posts
ionioni Reputation: 3
you could use dll hijacking
Reply With Quote
  #5  
Old 08-05-2019, 13:32
ahmadmansoor's Avatar
ahmadmansoor ahmadmansoor is offline
Coder
 
Join Date: Feb 2006
Location: Syria
Posts: 1,044
Rept. Given: 505
Rept. Rcvd 373 Times in 142 Posts
Thanks Given: 326
Thanks Rcvd at 406 Times in 119 Posts
ahmadmansoor Reputation: 300-399 ahmadmansoor Reputation: 300-399 ahmadmansoor Reputation: 300-399 ahmadmansoor Reputation: 300-399
as @ionioni say, it will be an easy way to handle this data.
__________________
Ur Best Friend Ahmadmansoor
Always My Best Friend: Aaron & JMI & ZeNiX
Reply With Quote
  #6  
Old 08-10-2019, 23:28
tonyweb tonyweb is offline
Family
 
Join Date: Jan 2009
Posts: 190
Rept. Given: 190
Rept. Rcvd 95 Times in 36 Posts
Thanks Given: 1,901
Thanks Rcvd at 299 Times in 122 Posts
tonyweb Reputation: 95
Why can't you change the code of the unused function to actually patch the 0 you're interested into 1 in the *original* license area? I think this is a cleaner way.

If finding the position of the "flags" to put to 1 is "complex" you could follow the suggestion by @h4sh3m / @ionioni / @Ahmadmansoor ... dll injection/hijacking, and code your own dll to which you can pass the address of the license data to patch.

--

If you still want to use the hard-coded section, I agree with @Kurapica : check for section location/alignment and permissions.

My idea is that c0000374 error happens because the application, once used the license data (probably in a dinamically allocated area), tries to free it and, because your data is not dynamically created/not on the heap, it fails to do so. Just find the "free()" call and NOP it

Best Regards,
Tony
__________________
Want to learn unpacking ... but I'm too stupid
Reply With Quote
The Following 3 Users Say Thank You to tonyweb For This Useful Post:
ahmadmansoor (08-12-2019), Chuck954 (08-17-2019), niculaita (08-13-2019)
  #7  
Old 08-12-2019, 20:41
chants chants is offline
VIP
 
Join Date: Jul 2016
Posts: 724
Rept. Given: 35
Rept. Rcvd 48 Times in 30 Posts
Thanks Given: 666
Thanks Rcvd at 1,050 Times in 475 Posts
chants Reputation: 48
C0000374 mislabeled critical error, pretty vague, but things like heap corruption can cause it. Did you debug the call stack of the specific crash for details? The segment flags might do it for example. Otherwise if not wanting to go into low level debugging here, other workarounds are safer. Certainly multiple options here.
Reply With Quote
The Following 4 Users Say Thank You to chants For This Useful Post:
ahmadmansoor (08-13-2019), Chuck954 (08-17-2019), niculaita (08-13-2019), tonyweb (08-17-2019)
  #8  
Old 08-17-2019, 22:13
Chuck954 Chuck954 is offline
Friend
 
Join Date: Jul 2018
Posts: 51
Rept. Given: 0
Rept. Rcvd 11 Times in 9 Posts
Thanks Given: 27
Thanks Rcvd at 59 Times in 36 Posts
Chuck954 Reputation: 11
Thanks everyone for the suggestions. I did check out segment flags and tested different ones but it kept having the same problem.

Ideally, I would have used a custom DLL file but I am not familiar enough with writing DLLs yet. It was easiest to simply code a manual patch as the majority of my time has been spent learning low level debugging/assembly skills.

I ended up re-writing the patch after further study of how it gets written into memory. I used the original function that decrypts the license and wrote assembly code to get the address of the new segment with the license, then I just moved the modified license into the correct memory spot. Before I was simply changing the stack pointer to point to the new segment I made and let the original function copy the data itself into memory. Using an assembly to hex converter I just pasted the bytes in and good to go.

I still have more work to do in cleaning it up and making it work for other versions of this software. The good news is that it works now and I am able to start the program up normally with all features unlocked and it didn't crash once yesterday.
Reply With Quote
The Following User Says Thank You to Chuck954 For This Useful Post:
tonyweb (08-25-2019)
  #9  
Old 09-06-2019, 14:47
sope sope is offline
Friend
 
Join Date: May 2016
Posts: 14
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 7
Thanks Rcvd at 14 Times in 8 Posts
sope Reputation: 0
What i used to do with hasp4 encryption & decryption was i used to create several numbered decrypted file & then used to hook up an routines, next load decrypted files with exact number of bytes to load at that particular memory location. Was an tedious process.

In short you need to write code to hook up the process & load your patched data & write it on memory address to patch.

Cheers Sope
Reply With Quote
The Following 2 Users Say Thank You to sope For This Useful Post:
Chuck954 (09-12-2019), niculaita (09-07-2019)
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
How to pass the large data in kernel mode to user mode? benina General Discussion 3 03-06-2010 04:50
Need Help With Masm Dialog Resource File Data kittmaster General Discussion 2 02-18-2006 09:15
ripping some data from upx packed file macpiter General Discussion 4 11-09-2005 20:41


All times are GMT +8. The time now is 16:42.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )