Exetools - Olly thread patching... help

Exetools (https://forum.exetools.com/index.php)

- General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)

- - Olly thread patching... help (https://forum.exetools.com/showthread.php?t=2799)

SvensK

10-05-2003 23:49

Olly thread patching... help

I'm debugging a program in Olly and found that I wanna change some code in the exe to remove a nasty check.

But the code I wanna change is in a thread and can't be found in the exe when using hexedit.

The program is pure c++ code and isn't packed.

The CPU window reports: thread 00000FF4
And it displays no module anymore.
It got to the code with a: :00425F3B FF15A4384900 call dword ptr [004938A4]

The code I wanna patch looks like this:
003E6913 75 3F JNE SHORT 003E6954

How do I find that code in the exe or is that located outside the exe?

Thanks
-SvensK

SvensK

10-06-2003 03:17

Nevermind, I solved it.

JMI	10-06-2003 03:43

Perhaps it would help others if you describe how you solved your own problem.

Regards.

yaa	10-06-2003 04:17

Yes SvensK, please let us know how you solved it.

Regards,
yaa

SvensK

10-06-2003 05:28

Well, I followed the call outside the code with Olly and copied the code to NotePad. Then I reinserted the code slightly modified somewhere in the exe where there was free space (bunch of zeros). And at last I re-routed the call to the new place in the exe.

Worked like a charm :)

Lunar_Dust

10-11-2003 11:52

Good solution!

However, I'd like to mention that code for a "thread" is still going to be in the EXE, so unless its encrypted, you should be able to find it. A thread is just code like any other piece of code, it just runs in its own context. It's still code in the code section of the EXE somewhere (although C++ will make it tougher to track it down)

Nice job on the solution, thinking out of the box ! Well done :)

-Lunar

All times are GMT +8. The time now is 19:39.