Exetools  

Go Back   Exetools > General > General Discussion
Reload this Page Inline Patching ASPacked Program
Register Forum Rules FAQ Calendar

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 05-25-2005, 14:44
codeX codeX is offline
{RES} Cracker
  
Join Date: Dec 2004
Location: C:\WINDOWS\SYSTEM32
Posts: 162
Rept. Given: 1
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 3
Thanks Rcvd at 1 Time in 1 Post
codeX Reputation: 0
Inline Patching ASPacked Program
Hi,

I found this nice app which uses a simple serial registration.


Quote:
iolo System Shield Shield v2.1c Final
===========================
http://ss.iolo.com/systemshield.exe

I need to inline patch it to make an internal keygen. All my effrts to insert patch data failed as

the inlinepatched app. crashes complaining about a missing DLL file.Can Anybody take alook at this??

My supposed patch bytes are

Quote:
0055C06C 3E 8B 45 DC 90
__________________
{RES}
Reply With Quote
  #2  
Old 05-26-2005, 20:11
Spiteful
 
Posts: n/a
look at VA 5DB39Ch, this dword contains OEP RVA (173118), so change replace it with 80 (address after DOS stub)
Now, you can add your byte replacement code at 400080h
Reply With Quote
  #3  
Old 05-28-2005, 22:38
Android
 
Posts: n/a
Hi,
The method that is mentioned by Spiteful is very nice.
But if the packer is Aspack you can have another method for inline patching.

This is where you have your OEP
Code:
005DB3B0    61              POPAD
005DB3B1    75 08           JNZ SHORT SystemSh.005DB3BB
005DB3B3    B8 01000000     MOV EAX,1
005DB3B8    C2 0C00         RETN 0C
005DB3BB    68 18315700     PUSH SystemSh.00573118
005DB3C0    C3              RETN
Now check these lines:
Code:
005DB3B0    61              POPAD
005DB3B1    75 08           JNZ SHORT SystemSh.005DB3BB
005DB3B3    B8 01000000     MOV EAX,1
005DB3B8    C2 0C00         RETN 0C
005DB3BB    68 18315700     PUSH SystemSh.00573118
005DB3C0    C3              RETN
005DB3C1    8B85 26040000   MOV EAX,DWORD PTR SS:[EBP+426]
005DB3C7    8D8D 3B040000   LEA ECX,DWORD PTR SS:[EBP+43B]
005DB3CD    51              PUSH ECX
005DB3CE    50              PUSH EAX
005DB3CF    FF95 480F0000   CALL DWORD PTR SS:[EBP+F48]
005DB3D5    8985 54050000   MOV DWORD PTR SS:[EBP+554],EAX
005DB3DB    8D85 47040000   LEA EAX,DWORD PTR SS:[EBP+447]
005DB3E1    50              PUSH EAX
005DB3E2    FF95 500F0000   CALL DWORD PTR SS:[EBP+F50]
005DB3E8    8985 2A040000   MOV DWORD PTR SS:[EBP+42A],EAX
005DB3EE    8D8D 52040000   LEA ECX,DWORD PTR SS:[EBP+452]
005DB3F4    51              PUSH ECX
005DB3F5    50              PUSH EAX
005DB3F6    FF95 480F0000   CALL DWORD PTR SS:[EBP+F48]
005DB3FC    8985 58050000   MOV DWORD PTR SS:[EBP+558],EAX
005DB402    8B85 2A040000   MOV EAX,DWORD PTR SS:[EBP+42A]
005DB408    8D8D 5E040000   LEA ECX,DWORD PTR SS:[EBP+45E]
005DB40E    51              PUSH ECX
005DB40F    50              PUSH EAX
005DB410    FF95 480F0000   CALL DWORD PTR SS:[EBP+F48]
005DB416    FFD0            CALL EAX
005DB418    83C4 10         ADD ESP,10
005DB41B    5F              POP EDI                                  ; kernel32.77E814C7
005DB41C    6A 30           PUSH 30
005DB41E    8D9D 68040000   LEA EBX,DWORD PTR SS:[EBP+468]
005DB424    53              PUSH EBX
005DB425    57              PUSH EDI
005DB426    6A 00           PUSH 0
005DB428    FF95 58050000   CALL DWORD PTR SS:[EBP+558]
005DB42E    6A FF           PUSH -1
005DB430    FF95 54050000   CALL DWORD PTR SS:[EBP+554]
In every aspacked file from

005DB3C1 8B85 26040000 MOV EAX,DWORD PTR SS:[EBP+426]


To

005DB430 FF95 54050000 CALL DWORD PTR SS:[EBP+554]


Is always the same.
I mean you have the same code for all the time.
So searching for these bytes will lead you to the OEP.
But the fact is that these lines are just JUNK CODES.
So you can easily change them to any code you like.
The result is a huge space for inline patching.

But be careful of this command:
005DB436 0000 ADD BYTE PTR DS:[EAX],AL

This command is very critical and shouldn't be touched.

I mean this command is you limitation line.
never change it and commands after this line are critical also.

So you line patch will be like this:
Code:
005DB3A8    0BC9            OR ECX,ECX                               ; ntdll.77F532FA
005DB3AA    90              NOP
005DB3AB    90              NOP
005DB3AC    90              NOP
005DB3AD    90              NOP
005DB3AE    90              NOP
005DB3AF    90              NOP
005DB3B0    61              POPAD
005DB3B1    75 08           JNZ SHORT SystemSh.005DB3BB
005DB3B3    B8 01000000     MOV EAX,1
005DB3B8    C2 0C00         RETN 0C
005DB3BB    C705 6CC05500 8>MOV DWORD PTR DS:[55C06C],90DC458B
005DB3C5    C605 70C05500 3>MOV BYTE PTR DS:[55C070],3E
005DB3CC    68 18315700     PUSH SystemSh.00573118
005DB3D1    C3              RETN
005DB3D2    90              NOP
005DB3D3    90              NOP
005DB3D4    90              NOP
I paste the bytes that you should change.
Just copy and paste these bytes to see the result.

C7 05 6C C0 55 00 8B 45 DC 90 C6 05 70 C0 55 00 3E 68 18 31 57 00 C3 90 90 90


I hope this method is useful for further inline patching ASpack.
Best Regards,
Android.
Reply With Quote
  #4  
Old 05-29-2005, 01:04
SLV SLV is offline
Friend
  
Join Date: May 2005
Posts: 62
Rept. Given: 3
Rept. Rcvd 4 Times in 3 Posts
Thanks Given: 5
Thanks Rcvd at 2 Times in 2 Posts
SLV Reputation: 4
Also u may use this nice tool...
Attached Files
File Type: zip bkinline.zip (67.1 KB, 73 views)
Reply With Quote
  #5  
Old 05-29-2005, 09:31
Android
 
Posts: n/a
Thanks SLV.
That's a great Tool.

Regards,
Android.
Reply With Quote
  #6  
Old 05-29-2005, 23:00
nikola nikola is offline
Friend
  
Join Date: Jan 2004
Location: Your head
Posts: 115
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 0
Thanks Rcvd at 1 Time in 1 Post
nikola Reputation: 0
My friend Ap0x wrote a nice patch engine with inline patching
http://ap0x.blogspot.com/2005/05/ape-v004alfa.html
Reply With Quote
  #7  
Old 05-30-2005, 12:33
codeX codeX is offline
{RES} Cracker
  
Join Date: Dec 2004
Location: C:\WINDOWS\SYSTEM32
Posts: 162
Rept. Given: 1
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 3
Thanks Rcvd at 1 Time in 1 Post
codeX Reputation: 0
Thank you verymuch friends. Sorry for a late reply.

I've tried the methods shown by Spiteful and Android ,both works fine. Thankx Android for deep post in to ASPACK code that may be usefull in future too.

@nikola

Can you give a direct link to that inline patcher? Both links at Ap0x's blog are not working. Anyway it'a an amazing tool with support for 10's of packers...
Reply With Quote
  #8  
Old 05-30-2005, 12:47
codeX codeX is offline
{RES} Cracker
  
Join Date: Dec 2004
Location: C:\WINDOWS\SYSTEM32
Posts: 162
Rept. Given: 1
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 3
Thanks Rcvd at 1 Time in 1 Post
codeX Reputation: 0
Hi another different question,

I found the following in the Ap0x's blog . Can anybody translate this please?

Quote:

Inline patching...
Trazili ste, gledajte:
Packer: UPX
Version: 0.96-1.25
Patch: Izmena poslednjeg skoka pre OEPa
Level: 1/5

Packer: ASPack
Version: 1.0.8-2.12
Patch: Ubacivanje koda odmah posle odpakivanja
Level: 2/5

Packer: PeTite
Version: 2.2
Patch: Ubacivanje koda u ne zasticeni deo packera
Level: 3/5

Packer: FSG
Version: 1.33
Patch: Izmena skoka ka OEPu i prosirenje sekcije
Level: 2/5

Packer: PKLITE32
Version: 1.0
Patch: Izmena skoka ka OEPu
Level: 1/5

Packer: MEW
Version: 1.1
Patch: Izmena RETa i par komandi pre nje
Level: 2/5

Packer: VirogenCrypt
Version: 0.75
Patch: Dekripcija OEPa i redirekcija ka patch kodu
Level: 4/5

Packer: Neolite
Version: 2.0
Patch: Izmena JMP EAX i iskljucenje VirutalProtect
Level: 2/5
Reply With Quote
  #9  
Old 05-30-2005, 16:52
nikola nikola is offline
Friend
  
Join Date: Jan 2004
Location: Your head
Posts: 115
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 0
Thanks Rcvd at 1 Time in 1 Post
nikola Reputation: 0
Nothing special... General guide
Quote:
Inline patching...
You asked for, now watch:
Packer: UPX
Version: 0.96-1.25
Patch: Change last jump before OEP
Level: 1/5

Packer: ASPack
Version: 1.0.8-2.12
Patch: Add code right after unpacking
Level: 2/5

Packer: PeTite
Version: 2.2
Patch: Add code in unprotected part of packer
Level: 3/5

Packer: FSG
Version: 1.33
Patch: Changing jump to OEP and wightening the section
Level: 2/5

Packer: PKLITE32
Version: 1.0
Patch: Change jump to OEP
Level: 1/5

Packer: MEW
Version: 1.1
Patch: Chane RET and few commands before it
Level: 2/5

Packer: VirogenCrypt
Version: 0.75
Patch: Decryption of OEP and redirection to code that patches
Level: 4/5

Packer: Neolite
Version: 2.0
Patch: Changing of JMP EAX and turning off VirtualProtect
Level: 2/5
I see now that link is dead. I'll ask him about this...
Reply With Quote
  #10  
Old 05-30-2005, 19:27
nikola nikola is offline
Friend
  
Join Date: Jan 2004
Location: Your head
Posts: 115
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 0
Thanks Rcvd at 1 Time in 1 Post
nikola Reputation: 0
Here is link to 0.0.3
http://www.wasm.ru/baixado.php?mode=tool&id=341
Reply With Quote
  #11  
Old 06-03-2005, 00:05
Kameo Kameo is offline
Friend
  
Join Date: Mar 2004
Posts: 87
Rept. Given: 3
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 12
Thanks Rcvd at 1 Time in 1 Post
Kameo Reputation: 1
when it deals to patch ASPack files i often use Diablo2002's Universal Patcher. It just does the job perfectly.
First unpack your target (my_target.exe), dump it (as target_dumped.exe), make all your modifications (with olly) and save them to new file (target_patched.exe).
Now fire up dUP, and locate your modified and patched file.
dUP will compare which modifications you've done, then show itthe real file to patch (the packed one: (my_target.exe), get infos and thhat's all, it will create a small patch that you can send anywhere and will perform all the modifications.

Here are the links to dUP v1.14 and dUP v2.03, yet i can't make v2.03 work, still got an error and i don't know why.

However:
Attached Files
File Type: rar dup114.rar (119.0 KB, 10 views)
File Type: rar dup2.rar (101.5 KB, 8 views)
Reply With Quote
  #12  
Old 06-03-2005, 13:28
codeX codeX is offline
{RES} Cracker
  
Join Date: Dec 2004
Location: C:\WINDOWS\SYSTEM32
Posts: 162
Rept. Given: 1
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 3
Thanks Rcvd at 1 Time in 1 Post
codeX Reputation: 0
Hi nikola,
That link works. Thankx for the translation. Ap0x's work is really great with support for 34 packers !!! I wonder why this patcher is not so popular....

@Kameo
Thankx for this info.I haven't tried it yet. But I remember it complais 'bout incorrect file size.So which are the supposed original & patched files in the Offset Patch Tab of
dUp v1.14..
Reply With Quote
  #13  
Old 06-06-2005, 22:25
Kameo Kameo is offline
Friend
  
Join Date: Mar 2004
Posts: 87
Rept. Given: 3
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 12
Thanks Rcvd at 1 Time in 1 Post
Kameo Reputation: 1
hum... not sure what you are about, however, in the Offset Patch Tab of dUP v1.14, the top one is for your dumped file and the bottom one is for your patched-dumped file.
If you're not sure, just look at the text at the top of the FileSelectionDialogBox that popups.
Hope it helps.
Reply With Quote
Reply

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
does any cryptor for aspacked program c0d4r General Discussion 3 09-09-2004 03:24
Inline Patching MaRKuS-DJM General Discussion 1 01-24-2004 23:03
Inline patching for armadillo annibal General Discussion 1 09-04-2003 14:24


All times are GMT +8. The time now is 04:52.

Aaron's homepage - Top

Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( Since 1998 )