flat assembler
Message board for the users of flat assembler.

Patching

liteonish
Joined: 24 Feb 2005
Posts: 26
Firstly, I just want to say that I've been a lurker here for a while now and that FASM is, well... l33t.

Now - my problem. I'm just fooling in assembly, and I got the idea to write a program that patches an executable. What I wish to know is how this would be done in assembly.

I'm guessing, from previous experience, that I would need to open the file, go to a certain position, write several bytes, and save the file. I'm just wondering if anyone could show me how this would be done in FASM for M$ Windooze.

Thanks in advance.

_________________
I just own that much.
Post 24 Feb 2005, 02:54
drocon
Joined: 14 Nov 2004
Posts: 8
Create a file mapping and apply changes directly, OR... load the executable into a buffer, apply changes to the buffer (memcpy, whatnot), write.

Just for time's sake, I would stick with msvcrt and libc functions; they're smaller anyway.
Post 24 Feb 2005, 07:01
liteonish
Joined: 24 Feb 2005
Posts: 26
And how would I do this?

_________________
I just own that much.
Post 24 Feb 2005, 12:58
liteonish
Joined: 24 Feb 2005
Posts: 26
Anyone? JohnFound? I've seen your comments; you know how this is done.

I just need an example of how you could open a file, write several bytes at a certain point, and save/close the file. It can't be that hard, can it?

_________________
I just own that much.
Post 25 Feb 2005, 01:04
JohnFound
Joined: 16 Jun 2003
Posts: 3500
Location: Bulgaria
Well, I'd suggest you open Win32.hlp and read at least part of the chapters about CreateFile, ReadFile and WriteFile (don't read about OpenFile; it is obsolete).
Then, if something doesn't work as you need, ask a question.

Regards.
Post 25 Feb 2005, 05:21
Vasilev Vjacheslav
Joined: 11 Aug 2004
Posts: 392
for patching i prefer code like this:

Code:
CreateFile                    ; open the target with GENERIC_READ or GENERIC_WRITE
CreateFileMapping             ; PAGE_READWRITE mapping of that file handle
MapViewOfFile                 ; FILE_MAP_WRITE view: the file is now addressable memory
<modify bytes in memory>
UnmapViewOfFile
CloseHandle                   ; the mapping handle (from CreateFileMapping)
CloseHandle                   ; the file handle (from CreateFile)
Post 25 Feb 2005, 15:55
liteonish
Joined: 24 Feb 2005
Posts: 26
Thanks guys. I had no clue that a Help file even existed for this. And I think I'm gonna try the Mapping method.

Here's what I have so far:
Code:
include "%fasminc%/win32ax.inc"

.data
        fileHandle dd ?
        mapHandle dd ?
        mapLocation dd ?
        mapName db "mapHandleName",0

.code
        rewt:
          invoke CreateFile,"c:/winmine.exe",GENERIC_READ or GENERIC_WRITE,0,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL
          mov [fileHandle],eax

          invoke CreateFileMapping,fileHandle,NULL,PAGE_READWRITE,0,0,mapName
          mov [mapHandle],eax

          invoke MapViewOfFile,mapHandle,FILE_MAP_WRITE,0,0,0
          mov [mapLocation],eax

          ;change bytes here

          invoke FlushViewOfFile,mapLocation,0

          invoke UnmapViewOfFile,mapLocation
          invoke CloseHandle,mapHandle
          invoke CloseHandle,fileHandle

        eend:
          invoke ExitProcess,0

.end rewt    

Two things are bugging me at the moment. One - when I try to debug the result, it crashes during FileCreate. Says the handle is wrong, or something of the sort. I don't think I'm shoving in the right parameters for any of these.

And also, I can't find how to change bytes in the memory. A little hint maybe?

_________________
I just own that much.
Post 26 Feb 2005, 14:01
marciano
Joined: 27 Feb 2005
Posts: 18
Location: Argentina
I think you should put something like this:
Code:
invoke CreateFile,"c:/winmine.exe",GENERIC_READ or GENERIC_WRITE,0,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL
cmp eax,INVALID_HANDLE_VALUE   ; CreateFile reports failure with -1 (INVALID_HANDLE_VALUE), not 0
je  error_occurred             ; jump if the handle is not valid
mov [fileHandle],eax

...
...
...
error_occurred:
  ;code to handle the error while creating the file (GetLastError gives the reason)

Greetings
Post 27 Feb 2005, 03:04
liteonish
Joined: 24 Feb 2005
Posts: 26
Thanks. I was debugging a bit to see just what the error is. It actually creates a handle, 1C, which is passed on correctly to CreateFileMap, but then it gives an ERROR_INVALID_HANDLE. I think I'm going insane, just a bit.

_________________
I just own that much.
Post 27 Feb 2005, 03:10
Joshua
Joined: 12 Jul 2003
Posts: 56
Location: Belgium
Code:
include "%fasminc%/win32ax.inc"

.data
        fileHandle dd ?
        fileName db "c:/winmine.exe",0          ; file name in .data instead of an inline string literal
        mapHandle dd ?
        mapLocation dd ?
        mapName db "mapHandleName",0

.code
        rewt:
          invoke CreateFile,fileName,GENERIC_READ or GENERIC_WRITE,0,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL
          mov [fileHandle],eax

          ; [fileHandle] passes the handle value; a bare fileHandle passes the
          ; address of the variable, which is what produced ERROR_INVALID_HANDLE
          invoke CreateFileMapping,[fileHandle],NULL,PAGE_READWRITE,0,0,mapName
          mov [mapHandle],eax

          invoke MapViewOfFile,[mapHandle],FILE_MAP_WRITE,0,0,0
          mov [mapLocation],eax

          ;change bytes here

          invoke FlushViewOfFile,[mapLocation],0

          invoke UnmapViewOfFile,[mapLocation]
          invoke CloseHandle,[mapHandle]
          invoke CloseHandle,[fileHandle]

        eend:
          invoke ExitProcess,0

.end rewt
Post 27 Feb 2005, 13:02
liteonish
Joined: 24 Feb 2005
Posts: 26
Wow. Changing the file name to a label cleans up the final assembly code so much, and I'm such an idiot, passing on the address instead of the actual handle.

Now to figure out how to change memory values, and I'm done. I think.

_________________
I just own that much.
Post 27 Feb 2005, 14:09
liteonish
Joined: 24 Feb 2005
Posts: 26
Wsprintf seems to do the trick.

Here's my code:
Code:
include "%fasminc%/win32ax.inc"

IDUS = 101
IDJS = 102
IDBS = 201
IDNM = 202
IDBF = 203
IDJF = 204
IDLT = 301

.data
        fileName db "c:/windows/system32/winmine.exe",0
        fileHandle dd ?
        mapHandle dd ?
        mapLocation dd ?

        stringType db "%s",0
        stringToWrite dd 0x03E8,0       ; timer value, copied into the file as raw little-endian bytes

.code
        rewt:
          invoke GetModuleHandle,0      ; hInstance for DialogBoxParam (eax holds nothing useful at entry)
          invoke DialogBoxParam,eax,37,HWND_DESKTOP,DialogProc,0
          jmp done

        eend:
          invoke ExitProcess,0

        fileoperations:
          invoke CreateFile,fileName,GENERIC_READ or GENERIC_WRITE,0,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL
          cmp eax,INVALID_HANDLE_VALUE  ; CreateFile reports failure with -1, not 0
          je fileoperations_done
          mov [fileHandle],eax

          invoke CreateFileMapping,[fileHandle],NULL,PAGE_READWRITE,0,0,NULL
          mov [mapHandle],eax

          invoke MapViewOfFile,[mapHandle],FILE_MAP_WRITE,0,0,0
          mov [mapLocation],eax

          ;change bytes here: wsprintf "%s" copies the bytes of stringToWrite up to its
          ;first zero byte, plus a terminating NUL, into the view at file offset 0x2C3E
          mov eax,[mapLocation]
          add eax,0x2C3E
          cinvoke wsprintf,eax,stringType,stringToWrite

          invoke FlushViewOfFile,[mapLocation],0
          invoke UnmapViewOfFile,[mapLocation]
          invoke CloseHandle,[mapHandle]
          invoke CloseHandle,[fileHandle]
        fileoperations_done:
          ret

        done:
          invoke MessageBox,0,"Done. Open Minesweeper to see if it worked.","Done!",MB_ICONASTERISK
          jmp eend

proc DialogProc,hwnddlg,msg,wparam,lparam
        cmp     [msg],WM_COMMAND
        je      wmcommand
        cmp     [msg],WM_CLOSE
        je      wmclose
        jmp     finish                  ; every other message is left to the default handler
  wmcommand:
        cmp     [wparam],BN_CLICKED shl 16 + IDUS
        je      wmUS
        cmp     [wparam],BN_CLICKED shl 16 + IDJS
        je      wmJS
        cmp     [wparam],BN_CLICKED shl 16 + IDBS
        je      wmBS
        cmp     [wparam],BN_CLICKED shl 16 + IDNM
        je      wmNM
        cmp     [wparam],BN_CLICKED shl 16 + IDBF
        je      wmBF
        cmp     [wparam],BN_CLICKED shl 16 + IDJF
        je      wmJF
        cmp     [wparam],BN_CLICKED shl 16 + IDLT
        je      wmLT
        jmp     finish
  wmUS:
        mov [stringToWrite],0xFFFFFF
        jmp callfilestuff
  wmJS:
        mov [stringToWrite],0xABCD
        jmp callfilestuff
  wmBS:
        mov [stringToWrite],0x1111
        jmp callfilestuff
  wmNM:
        mov [stringToWrite],0x03E8
        jmp callfilestuff
  wmBF:
        mov [stringToWrite],0x0111
        jmp callfilestuff
  wmJF:
        mov [stringToWrite],0x0011
        jmp callfilestuff
  wmLT:
        mov [stringToWrite],0x01
        jmp callfilestuff
  callfilestuff:
        call fileoperations             ; patch, then fall through and close the dialog
  wmclose:
        invoke  EndDialog,[hwnddlg],0
        mov     eax,1                   ; message handled
        ret
  finish:
        xor eax,eax                     ; message not handled
        ret                             ; plain ret: the old win32ax 'return' macro no longer exists
endp

.rsrc

  directory RT_DIALOG,dialogs

  resource dialogs,\
           37,LANG_ENGLISH+SUBLANG_DEFAULT,demonstration

  dialog demonstration,'Minesweeper crack for XP.',100,100,355,77,DS_MODALFRAME
    dialogitem 'STATIC','---->>> !!!This only works on WinXP!!! <<<----',175,21,5,300,8,WS_VISIBLE
    dialogitem 'STATIC','Choose one of the speeds below for the timer.',175,180,5,300,8,WS_VISIBLE
    dialogitem 'BUTTON','Uber Slow',IDUS,5,20,45,15,WS_VISIBLE+WS_TABSTOP+BS_PUSHBUTTON
    dialogitem 'BUTTON','Just Slow',IDJS,55,20,45,15,WS_VISIBLE+WS_TABSTOP+BS_PUSHBUTTON
    dialogitem 'BUTTON','A Bit Slow',IDBS,105,20,45,15,WS_VISIBLE+WS_TABSTOP+BS_PUSHBUTTON
    dialogitem 'BUTTON','Normal',IDNM,155,20,45,15,WS_VISIBLE+WS_TABSTOP+BS_PUSHBUTTON
    dialogitem 'BUTTON','A Bit Fast',IDBF,205,20,45,15,WS_VISIBLE+WS_TABSTOP+BS_PUSHBUTTON
    dialogitem 'BUTTON','Just Fast',IDJF,255,20,45,15,WS_VISIBLE+WS_TABSTOP+BS_PUSHBUTTON
    dialogitem 'BUTTON','l33t',IDLT,305,20,45,15,WS_VISIBLE+WS_TABSTOP+BS_PUSHBUTTON
    dialogitem 'STATIC','16 thou',5,16,39,300,8,WS_VISIBLE
    dialogitem 'STATIC','44 secs',55,66,39,300,8,WS_VISIBLE
    dialogitem 'STATIC','4 secs',105,116,39,300,8,WS_VISIBLE
    dialogitem 'STATIC','1 sec',155,168,39,300,8,WS_VISIBLE
    dialogitem 'STATIC','0.2 secs',105,216,39,300,8,WS_VISIBLE
    dialogitem 'STATIC','0.02 secs',105,264,39,300,8,WS_VISIBLE
    dialogitem 'STATIC','0!',155,325,39,300,8,WS_VISIBLE
    dialogitem 'STATIC','(c)2005 liteonish || johnnyspoon@gmail.com || Made with FASM || http://www.flatassembler.net/',175,30,50,300,8,WS_VISIBLE
  enddialog

.end rewt

I know I could do a lot more error checking and tweaking, but there's no point really. Compile it if you want to see it work. And thanks for the help.

_________________
I just own that much.
Post 28 Feb 2005, 17:08
marciano
Joined: 27 Feb 2005
Posts: 18
Location: Argentina
Here I have another way for patching executables; I was working on it today. I don't use a file mapping, I just use the API functions SetFilePointer and WriteFile:

Code:
include "%fasminc%/win32ax.inc"

IDUS = 101
IDJS = 102
IDBS = 201
IDNM = 202
IDBF = 203
IDJF = 204
IDLT = 301

.data
        fileName db "c:/windows/system32/winmine.exe",0
        fileHandle dd ?

        stringToWrite dd 0x03E8,0       ; only its low word (2 bytes) is written to the file
        tmp dd ?                        ; receives the number of bytes written

.code
        rewt:
          invoke GetModuleHandle,0      ; hInstance for DialogBoxParam (eax holds nothing useful at entry)
          invoke DialogBoxParam,eax,37,HWND_DESKTOP,DialogProc,0
          jmp done

        eend:
          invoke ExitProcess,0

        fileoperations:
          invoke CreateFile,fileName,GENERIC_READ or GENERIC_WRITE,0,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL
          cmp eax,INVALID_HANDLE_VALUE  ; CreateFile reports failure with -1, not 0
          je fileoperations_done
          mov [fileHandle],eax

          ;change bytes here
          invoke SetFilePointer,\
                 [fileHandle],\         ;file handle
                 0x2C3E,\               ;offset (low)
                 0,\                    ;offset (high)
                 FILE_BEGIN             ;from beginning

          invoke WriteFile,\
                 [fileHandle],\         ;file handle
                 stringToWrite,\        ;buffer to write
                 2,\                    ;number of bytes to write
                 tmp,\                  ;bytes written
                 NULL                   ;overlapped = 0
          invoke CloseHandle,[fileHandle]
        fileoperations_done:
          ret

        done:
          invoke MessageBox,0,"Done. Open Minesweeper to see if it worked.","Done!",MB_ICONASTERISK
          jmp eend

proc DialogProc,hwnddlg,msg,wparam,lparam
        cmp     [msg],WM_COMMAND
        je      wmcommand
        cmp     [msg],WM_CLOSE
        je      wmclose
        jmp     finish                  ; every other message is left to the default handler
  wmcommand:
        cmp     [wparam],BN_CLICKED shl 16 + IDUS
        je      wmUS
        cmp     [wparam],BN_CLICKED shl 16 + IDJS
        je      wmJS
        cmp     [wparam],BN_CLICKED shl 16 + IDBS
        je      wmBS
        cmp     [wparam],BN_CLICKED shl 16 + IDNM
        je      wmNM
        cmp     [wparam],BN_CLICKED shl 16 + IDBF
        je      wmBF
        cmp     [wparam],BN_CLICKED shl 16 + IDJF
        je      wmJF
        cmp     [wparam],BN_CLICKED shl 16 + IDLT
        je      wmLT
        jmp     finish
  wmUS:
        mov [stringToWrite],0xFFFFFF
        jmp callfilestuff
  wmJS:
        mov [stringToWrite],0xABCD
        jmp callfilestuff
  wmBS:
        mov [stringToWrite],0x1111
        jmp callfilestuff
  wmNM:
        mov [stringToWrite],0x03E8
        jmp callfilestuff
  wmBF:
        mov [stringToWrite],0x0111
        jmp callfilestuff
  wmJF:
        mov [stringToWrite],0x0011
        jmp callfilestuff
  wmLT:
        mov [stringToWrite],0x01
        jmp callfilestuff
  callfilestuff:
        call fileoperations             ; patch, then fall through and close the dialog
  wmclose:
        invoke  EndDialog,[hwnddlg],0
        mov     eax,1                   ; message handled
        ret
  finish:
        xor eax,eax                     ; message not handled
        ret                             ; plain ret: the old win32ax 'return' macro no longer exists
endp

section '.rsrc' resource data readable

  directory RT_DIALOG,dialogs

  resource dialogs,\
           37,LANG_ENGLISH+SUBLANG_DEFAULT,demonstration

  dialog demonstration,'Minesweeper crack for XP.',100,100,355,77,DS_MODALFRAME
    dialogitem 'STATIC','---->>> !!!This only works on WinXP!!! <<<----',175,21,5,300,8,WS_VISIBLE
    dialogitem 'STATIC','Choose one of the speeds below for the timer.',175,180,5,300,8,WS_VISIBLE
    dialogitem 'BUTTON','Uber Slow',IDUS,5,20,45,15,WS_VISIBLE+WS_TABSTOP+BS_PUSHBUTTON
    dialogitem 'BUTTON','Just Slow',IDJS,55,20,45,15,WS_VISIBLE+WS_TABSTOP+BS_PUSHBUTTON
    dialogitem 'BUTTON','A Bit Slow',IDBS,105,20,45,15,WS_VISIBLE+WS_TABSTOP+BS_PUSHBUTTON
    dialogitem 'BUTTON','Normal',IDNM,155,20,45,15,WS_VISIBLE+WS_TABSTOP+BS_PUSHBUTTON
    dialogitem 'BUTTON','A Bit Fast',IDBF,205,20,45,15,WS_VISIBLE+WS_TABSTOP+BS_PUSHBUTTON
    dialogitem 'BUTTON','Just Fast',IDJF,255,20,45,15,WS_VISIBLE+WS_TABSTOP+BS_PUSHBUTTON
    dialogitem 'BUTTON','l33t',IDLT,305,20,45,15,WS_VISIBLE+WS_TABSTOP+BS_PUSHBUTTON
    dialogitem 'STATIC','16 thou',5,16,39,300,8,WS_VISIBLE
    dialogitem 'STATIC','44 secs',55,66,39,300,8,WS_VISIBLE
    dialogitem 'STATIC','4 secs',105,116,39,300,8,WS_VISIBLE
    dialogitem 'STATIC','1 sec',155,168,39,300,8,WS_VISIBLE
    dialogitem 'STATIC','0.2 secs',105,216,39,300,8,WS_VISIBLE
    dialogitem 'STATIC','0.02 secs',105,264,39,300,8,WS_VISIBLE
    dialogitem 'STATIC','0!',155,325,39,300,8,WS_VISIBLE
    dialogitem 'STATIC','(c)2005 liteonish || johnnyspoon@gmail.com || Made with FASM || http://www.flatassembler.net/',175,30,50,300,8,WS_VISIBLE
  enddialog

.end rewt

Greetings
Post 03 Mar 2005, 02:56
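A safer variant of the SetFilePointer/WriteFile approach in the post above, added here as an example and not code from the thread: before writing, it reads the bytes at the target offset and compares them with what the patch expects, so a binary of a different build (the reason the dialog says it only works on WinXP) is left untouched, and a second run detects the patch is already applied. It uses portable stdio (fopen, fseek, fread, fwrite) in place of the Win32 calls so it compiles anywhere; the file name patch_demo.bin, the offset 0x2C and the 64-byte dummy image are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

enum { PATCH_OK, PATCH_IO_ERROR, PATCH_MISMATCH, PATCH_ALREADY };

/* Overwrite `len` bytes at `offset` in `path` with `replace`, but only if the
 * bytes currently there equal `expect`; any other content leaves the file
 * untouched.  A second run finds `replace` already in place and reports
 * PATCH_ALREADY without writing, so the patcher is safe to run twice. */
static int patch_file(const char *path, long offset, const unsigned char *expect,
                      const unsigned char *replace, size_t len)
{
    unsigned char cur[64];
    int rc = PATCH_IO_ERROR;
    FILE *f;

    if (len > sizeof cur) return PATCH_IO_ERROR;
    f = fopen(path, "r+b");                   /* read/write, never truncate */
    if (!f) return PATCH_IO_ERROR;
    if (fseek(f, offset, SEEK_SET) != 0 || fread(cur, 1, len, f) != len) goto out;
    if (memcmp(cur, replace, len) == 0) { rc = PATCH_ALREADY; goto out; }
    if (memcmp(cur, expect, len) != 0)  { rc = PATCH_MISMATCH; goto out; }
    /* stdio requires a seek between a read and a write on the same stream */
    if (fseek(f, offset, SEEK_SET) != 0 || fwrite(replace, 1, len, f) != len) goto out;
    rc = PATCH_OK;
out:
    if (fclose(f) != 0) rc = PATCH_IO_ERROR;  /* a failed flush is a failed patch */
    return rc;
}

/* Demo on a constructed 64-byte dummy image (not a real executable): the
 * little-endian word 0x03E8, the thread's "Normal" timer value, sits at
 * offset 0x2C, standing in for the thread's 0x2C3E.  Returns 0 on success. */
static int demo(void)
{
    static const unsigned char orig[2] = { 0xE8, 0x03 }, slow[2] = { 0x11, 0x11 };
    static const unsigned char other[2] = { 0xAA, 0xBB }, repl[2] = { 0xCC, 0xDD };
    const char *path = "patch_demo.bin";      /* constructed for the demo */
    unsigned char img[64] = { 0 };
    FILE *f = fopen(path, "wb");
    int r1, r2, r3;
    size_t n;

    if (!f) return -1;
    memcpy(img + 0x2C, orig, sizeof orig);
    n = fwrite(img, 1, sizeof img, f);
    if (fclose(f) != 0 || n != sizeof img) return -1;

    r1 = patch_file(path, 0x2C, orig, slow, 2);    /* PATCH_OK: bytes matched, patched */
    r2 = patch_file(path, 0x2C, orig, slow, 2);    /* PATCH_ALREADY: nothing to do */
    r3 = patch_file(path, 0x2C, other, repl, 2);   /* PATCH_MISMATCH: wrong binary, untouched */
    remove(path);
    return (r1 == PATCH_OK && r2 == PATCH_ALREADY && r3 == PATCH_MISMATCH) ? 0 : 1;
}
```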
liteonish
Joined: 24 Feb 2005
Posts: 26
Awesome. That makes life so much easier. Hooray for Windows API calls!

_________________
I just own that much.
Post 03 Mar 2005, 04:09
sylwek32
Joined: 27 Apr 2006
Posts: 339
But it doesn't compile under FASM!

[Attached screenshot: doznutcompile.jpg ("Doesn't compile, as you see...")]
Post 26 May 2006, 05:53
sylwek32
Joined: 27 Apr 2006
Posts: 339
So now it works, but I had to change return to ret.

Can somebody tell me how to modify the dialog's title?
Post 26 May 2006, 05:58
Vasilev Vjacheslav
Joined: 11 Aug 2004
Posts: 392
SetWindowText
Post 26 May 2006, 06:56
sylwek32
Joined: 27 Apr 2006
Posts: 339
But how do I make a patcher which patches a program's title?
Post 26 May 2006, 07:24
Vasilev Vjacheslav
Joined: 11 Aug 2004
Posts: 392
FindWindow + SetWindowText
Post 26 May 2006, 14:26
Copyright © 1999-2020, Tomasz Grysztar.