Patching.

Index > Windows > Patching.

Author

Thread

liteonish

Joined: 24 Feb 2005
Posts: 26

liteonish 24 Feb 2005, 02:54

Firstly, I just want to say that I've been a lurker here for a while now and that FASM is, well... l33t. Very Happy

Now - my problem. I'm just fooling in assembly, and I got the idea to write a program that patches an executable. What I wish to know is how this would be done in assembly.

I'm guessing, from previous experience, that I would need to open the file, go to a certain position, write several bytes, and save the file. I'm just wondering if anyone could show me how this would be done in FASM for M$ Windooze.

Thanks in advance.

_________________
I just own that much.

24 Feb 2005, 02:54

drocon

Joined: 14 Nov 2004
Posts: 8

drocon 24 Feb 2005, 07:01

create a file mapping and apply changes directly, OR ... load the executable into a buffer. apply chances to the buffer (memcpy, whatnot), write.

just for time's sake, i would stick with msvcrt, and libc functions, they're smaller anyways.

24 Feb 2005, 07:01

liteonish

Joined: 24 Feb 2005
Posts: 26

liteonish 24 Feb 2005, 12:58

And how would I do this? Smile

_________________
I just own that much.

24 Feb 2005, 12:58

liteonish

Joined: 24 Feb 2005
Posts: 26

liteonish 25 Feb 2005, 01:04

Anyone? JohnFound? I've seen your comments, you know how this is done. Smile

I just need an example of how you could open a file, write several bytes at a certain point, and save/close the file. It can't be that hard can it? Rolling Eyes

_________________
I just own that much.

25 Feb 2005, 01:04

JohnFound

Joined: 16 Jun 2003
Posts: 3499
Location: Bulgaria

JohnFound 25 Feb 2005, 05:21

Well, I'll suggest you to open Win32.hlp and read at least partially chapters about CreateFile, ReadFile, WriteFile (don't read about OpenFile, it is obsolete.)
Then if something doesn't work as you need - ask a question.

Regards.

25 Feb 2005, 05:21

Vasilev Vjacheslav

Joined: 11 Aug 2004
Posts: 392

Vasilev Vjacheslav 25 Feb 2005, 15:55

for patching i prefer code like this:

Code:

CreateFile
CreateFileMapping
MapViewOfFile
<modify bytes in memory>
UnmapViewOfFile
CloseHandle (after CreateFileMapping)
CloseHandle (after CreateFile)

25 Feb 2005, 15:55

liteonish

Joined: 24 Feb 2005
Posts: 26

liteonish 26 Feb 2005, 14:01

Thanks guys. I had no clue that a Help file even existed for this. And I think I'm gonna try the Mapping method.

Here's what I have so far:

Code:

include "%fasminc%/win32ax.inc"

.data
        fileHandle dd ?
        mapHandle dd ?
        mapLocation dd ?
        mapName db "mapHandleName",0

.code
        rewt:
          invoke CreateFile,"c:/winmine.exe",GENERIC_READ or GENERIC_WRITE,0,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL
          mov [fileHandle],eax

          invoke CreateFileMapping,fileHandle,NULL,PAGE_READWRITE,0,0,mapName
          mov [mapHandle],eax

          invoke MapViewOfFile,mapHandle,FILE_MAP_WRITE,0,0,0
          mov [mapLocation],eax

          ;change bytes here

          invoke FlushViewOfFile,mapLocation,0

          invoke UnmapViewOfFile,mapLocation
          invoke CloseHandle,mapHandle
          invoke CloseHandle,fileHandle

        eend:
          invoke ExitProcess,0

.end rewt

Two things are bugging me at the moment. One - when I try to debug the result, it crashes during FileCreate. Says the handle is wrong, or something of the sort. I don't think I'm shoving in the right parameters for any of these.

And also, I can't find how to change bytes in the memory. A little hint maybe?

_________________
I just own that much.

26 Feb 2005, 14:01

marciano

Joined: 27 Feb 2005
Posts: 18
Location: Argentina

marciano 27 Feb 2005, 03:04

I think you should put something like this:

Code:

invoke CreateFile,"c:/winmine.exe",GENERIC_READ or GENERIC_WRITE,0,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL
or eax,eax
jz  error_ocurred          ;jump if the handle is not valid
mov [fileHandle],eax 

...
...
...
error_ocurred:
  ;code to handle the error while creating the file

Greetings

27 Feb 2005, 03:04

liteonish

Joined: 24 Feb 2005
Posts: 26

liteonish 27 Feb 2005, 03:10

Thanks. I was debugging a bit to see just what the error is. It actually creates a handle, 1C, which is passed on correctly to CreateFileMap, but then it gives an ERROR_INVALID_HANDLE. I think I'm going insane, just a bit. Confused

_________________
I just own that much.

27 Feb 2005, 03:10

Joshua

Joined: 12 Jul 2003
Posts: 56
Location: Belgium

Joshua 27 Feb 2005, 13:02

Code:

include "%fasminc%/win32ax.inc" 

.data 
        fileHandle dd ?
        fileName db "c:/winmine.exe",0
        mapHandle dd ? 
        mapLocation dd ? 
        mapName db "mapHandleName",0

.code 
        rewt: 
          invoke CreateFile,fileName,GENERIC_READ or GENERIC_WRITE,0,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL 
          mov [fileHandle],eax 

          invoke CreateFileMapping,[fileHandle],NULL,PAGE_READWRITE,0,0,mapName
          mov [mapHandle],eax 

          invoke MapViewOfFile,[mapHandle],FILE_MAP_WRITE,0,0,0 
          mov [mapLocation],eax 

          ;change bytes here 

          invoke FlushViewOfFile,[mapLocation],0 

          invoke UnmapViewOfFile,[mapLocation]
          invoke CloseHandle,[mapHandle]
          invoke CloseHandle,[fileHandle]

        eend: 
          invoke ExitProcess,0 

.end rewt

27 Feb 2005, 13:02

liteonish

Joined: 24 Feb 2005
Posts: 26

liteonish 27 Feb 2005, 14:09

Wow. Changing the file name to a label cleans up the final assmebly code so much, and I'm such an idiot, passing on the address instead of the actual handle. Smile

Now to figure out how to change memory values, and I'm done. I think. Rolling Eyes

_________________
I just own that much.

27 Feb 2005, 14:09

liteonish

Joined: 24 Feb 2005
Posts: 26

liteonish 28 Feb 2005, 17:08

Wsprintf seems to do the trick.

Here's my code:

Code:

include "%fasminc%/win32ax.inc"

IDUS = 101
IDJS = 102
IDBS = 201
IDNM = 202
IDBF = 203
IDJF = 204
IDLT = 301

.data
        fileName db "c:/windows/system32/winmine.exe",0
        fileHandle dd ?
        mapHandle dd ?
        mapLocation dd ?

        stringType db "%s",0
        stringToWrite dd 0x03E8,0

.code
        rewt:
          invoke  DialogBoxParam,eax,37,HWND_DESKTOP,DialogProc,0
          jmp done

        eend:
          invoke ExitProcess,0

        fileoperations:
          invoke CreateFile,fileName,GENERIC_READ or GENERIC_WRITE,0,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL
          mov [fileHandle],eax

          invoke CreateFileMapping,[fileHandle],NULL,PAGE_READWRITE,0,0,NULL
          mov [mapHandle],eax

          invoke MapViewOfFile,[mapHandle],FILE_MAP_WRITE,0,0,0
          mov [mapLocation],eax

          ;change bytes here
          add [mapLocation],0x2C3E
          cinvoke wsprintf,[mapLocation],stringType,stringToWrite
          sub [mapLocation],0x2C3E

          invoke FlushViewOfFile,[mapLocation],0
          invoke UnmapViewOfFile,[mapLocation]
          invoke CloseHandle,[mapHandle]
          invoke CloseHandle,[fileHandle]
         ret

        done:
          invoke MessageBox,0,"Done. Open Minesweeper to see if it worked.","Done!",MB_ICONASTERISK
         jmp eend

proc DialogProc,hwnddlg,msg,wparam,lparam
        cmp     [msg],WM_COMMAND
        je      wmcommand
        cmp     [msg],WM_CLOSE
        je      wmclose
  wmcommand:
        cmp     [wparam],BN_CLICKED shl 16 + IDUS
        je      wmUS
        cmp     [wparam],BN_CLICKED shl 16 + IDJS
        je      wmJS
        cmp     [wparam],BN_CLICKED shl 16 + IDBS
        je      wmBS
        cmp     [wparam],BN_CLICKED shl 16 + IDNM
        je      wmNM
        cmp     [wparam],BN_CLICKED shl 16 + IDBF
        je      wmBF
        cmp     [wparam],BN_CLICKED shl 16 + IDJF
        je      wmJF
        cmp     [wparam],BN_CLICKED shl 16 + IDLT
        je      wmLT
        jmp     finish
  wmUS:
        mov [stringToWrite],0xFFFFFF
        jmp callfilestuff
  wmJS:
        mov [stringToWrite],0xABCD
        jmp callfilestuff
  wmBS:
        mov [stringToWrite],0x1111
        jmp callfilestuff
  wmNM:
        mov [stringToWrite],0x03E8
        jmp callfilestuff
  wmBF:
        mov [stringToWrite],0x0111
        jmp callfilestuff
  wmJF:
        mov [stringToWrite],0x0011
        jmp callfilestuff
  wmLT:
        mov [stringToWrite],0x01
        jmp callfilestuff
  callfilestuff:
        call fileoperations
  wmclose:
        invoke  EndDialog,[hwnddlg],0
        mov     eax,1
  finish:
        xor eax,eax
        return
endp

.rsrc

  directory RT_DIALOG,dialogs

  resource dialogs,\
           37,LANG_ENGLISH+SUBLANG_DEFAULT,demonstration

  dialog demonstration,'Minesweeper crack for XP.',100,100,355,77,DS_MODALFRAME
    dialogitem 'STATIC','---->>> !!!This only works on WinXP!!! <<<----',175,21,5,300,8,WS_VISIBLE
    dialogitem 'STATIC','Choose one of the speeds below for the timer.',175,180,5,300,8,WS_VISIBLE
    dialogitem 'BUTTON','Uber Slow',IDUS,5,20,45,15,WS_VISIBLE+WS_TABSTOP+BS_PUSHBUTTON
    dialogitem 'BUTTON','Just Slow',IDJS,55,20,45,15,WS_VISIBLE+WS_TABSTOP+BS_PUSHBUTTON
    dialogitem 'BUTTON','A Bit Slow',IDBS,105,20,45,15,WS_VISIBLE+WS_TABSTOP+BS_PUSHBUTTON
    dialogitem 'BUTTON','Normal',IDNM,155,20,45,15,WS_VISIBLE+WS_TABSTOP+BS_PUSHBUTTON
    dialogitem 'BUTTON','A Bit Fast',IDBF,205,20,45,15,WS_VISIBLE+WS_TABSTOP+BS_PUSHBUTTON
    dialogitem 'BUTTON','Just Fast',IDJF,255,20,45,15,WS_VISIBLE+WS_TABSTOP+BS_PUSHBUTTON
    dialogitem 'BUTTON','l33t',IDLT,305,20,45,15,WS_VISIBLE+WS_TABSTOP+BS_PUSHBUTTON
    dialogitem 'STATIC','16 thou',5,16,39,300,8,WS_VISIBLE
    dialogitem 'STATIC','44 secs',55,66,39,300,8,WS_VISIBLE
    dialogitem 'STATIC','4 secs',105,116,39,300,8,WS_VISIBLE
    dialogitem 'STATIC','1 sec',155,168,39,300,8,WS_VISIBLE
    dialogitem 'STATIC','0.2 secs',105,216,39,300,8,WS_VISIBLE
    dialogitem 'STATIC','0.02 secs',105,264,39,300,8,WS_VISIBLE
    dialogitem 'STATIC','0!',155,325,39,300,8,WS_VISIBLE
    dialogitem 'STATIC','(c)2005 liteonish || johnnyspoon@gmail.com || Made with FASM || http://www.flatassembler.net/',175,30,50,300,8,WS_VISIBLE
  enddialog

.end rewt

I know I could do a lot more error checking and tweaking, but there's no point really. Compile it if you want to see it work. And thanks for the help. Smile

_________________
I just own that much.

28 Feb 2005, 17:08

marciano

Joined: 27 Feb 2005
Posts: 18
Location: Argentina

marciano 03 Mar 2005, 02:56

Here I have another way for patching executables; I was working on it today. I don't use a file mapping, I just use the API functions SetFilePointer and WriteFile:

Code:

include "%fasminc%/win32ax.inc"

IDUS = 101
IDJS = 102
IDBS = 201
IDNM = 202
IDBF = 203
IDJF = 204
IDLT = 301

.data
  fileName db "c:/windows/system32/winmine.exe",0
       fileHandle dd ?

 stringType db "%s",0
      stringToWrite dd 0x03E8,0
   tmp dd ?

.code
       rewt:
     invoke  DialogBoxParam,eax,37,HWND_DESKTOP,DialogProc,0
     jmp done

      eend:
     invoke ExitProcess,0

  fileoperations:
   invoke CreateFile,fileName,GENERIC_READ or GENERIC_WRITE,0,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL
    mov [fileHandle],eax

    ;change bytes here
          invoke SetFilePointer,\
           [fileHandle],\               ;file handle
          0x2C3E,\                     ;offset (low)
                 0,\                          ;offset (high)
                0                             ;from beginning

    invoke WriteFile,\
                [fileHandle],\               ;file handle
          stringToWrite,\              ;string to write
              2,\                          ;number of bytes to write
             tmp,\                        ;bytes written
                NULL                          ;overlapped= 0
         invoke CloseHandle,[fileHandle]
    ret

    done:
     invoke MessageBox,0,"Done. Open Minesweeper to see if it worked.","Done!",MB_ICONASTERISK
      jmp eend

proc DialogProc,hwnddlg,msg,wparam,lparam
  cmp     [msg],WM_COMMAND
    je      wmcommand
   cmp     [msg],WM_CLOSE
      je      wmclose
  wmcommand:
 cmp     [wparam],BN_CLICKED shl 16 + IDUS
   je      wmUS
        cmp     [wparam],BN_CLICKED shl 16 + IDJS
   je      wmJS
        cmp     [wparam],BN_CLICKED shl 16 + IDBS
   je      wmBS
        cmp     [wparam],BN_CLICKED shl 16 + IDNM
   je      wmNM
        cmp     [wparam],BN_CLICKED shl 16 + IDBF
   je      wmBF
        cmp     [wparam],BN_CLICKED shl 16 + IDJF
   je      wmJF
        cmp     [wparam],BN_CLICKED shl 16 + IDLT
   je      wmLT
        jmp     finish
  wmUS:
       mov [stringToWrite],0xFFFFFF
        jmp callfilestuff
  wmJS:
    mov [stringToWrite],0xABCD
  jmp callfilestuff
  wmBS:
    mov [stringToWrite],0x1111
  jmp callfilestuff
  wmNM:
    mov [stringToWrite],0x03E8
  jmp callfilestuff
  wmBF:
    mov [stringToWrite],0x0111
  jmp callfilestuff
  wmJF:
    mov [stringToWrite],0x0011
  jmp callfilestuff
  wmLT:
    mov [stringToWrite],0x01
    jmp callfilestuff
  callfilestuff:
   call fileoperations
  wmclose:
       invoke  EndDialog,[hwnddlg],0
       mov     eax,1
  finish:
      xor eax,eax
 return
endp

section '.rsrc' resource data readable

  directory RT_DIALOG,dialogs

  resource dialogs,\
       37,LANG_ENGLISH+SUBLANG_DEFAULT,demonstration

  dialog demonstration,'Minesweeper crack for XP.',100,100,355,77,DS_MODALFRAME
    dialogitem 'STATIC','---->>> !!!This only works on WinXP!!! <<<----',175,21,5,300,8,WS_VISIBLE
    dialogitem 'STATIC','Choose one of the speeds below for the timer.',175,180,5,300,8,WS_VISIBLE
    dialogitem 'BUTTON','Uber Slow',IDUS,5,20,45,15,WS_VISIBLE+WS_TABSTOP+BS_PUSHBUTTON
    dialogitem 'BUTTON','Just Slow',IDJS,55,20,45,15,WS_VISIBLE+WS_TABSTOP+BS_PUSHBUTTON
    dialogitem 'BUTTON','A Bit Slow',IDBS,105,20,45,15,WS_VISIBLE+WS_TABSTOP+BS_PUSHBUTTON
    dialogitem 'BUTTON','Normal',IDNM,155,20,45,15,WS_VISIBLE+WS_TABSTOP+BS_PUSHBUTTON
    dialogitem 'BUTTON','A Bit Fast',IDBF,205,20,45,15,WS_VISIBLE+WS_TABSTOP+BS_PUSHBUTTON
    dialogitem 'BUTTON','Just Fast',IDJF,255,20,45,15,WS_VISIBLE+WS_TABSTOP+BS_PUSHBUTTON
    dialogitem 'BUTTON','l33t',IDLT,305,20,45,15,WS_VISIBLE+WS_TABSTOP+BS_PUSHBUTTON
    dialogitem 'STATIC','16 thou',5,16,39,300,8,WS_VISIBLE
    dialogitem 'STATIC','44 secs',55,66,39,300,8,WS_VISIBLE
    dialogitem 'STATIC','4 secs',105,116,39,300,8,WS_VISIBLE
    dialogitem 'STATIC','1 sec',155,168,39,300,8,WS_VISIBLE
    dialogitem 'STATIC','0.2 secs',105,216,39,300,8,WS_VISIBLE
    dialogitem 'STATIC','0.02 secs',105,264,39,300,8,WS_VISIBLE
    dialogitem 'STATIC','0!',155,325,39,300,8,WS_VISIBLE
    dialogitem 'STATIC','(c)2005 liteonish || johnnyspoon@gmail.com || Made with FASM || http://www.flatassembler.net/',175,30,50,300,8,WS_VISIBLE
  enddialog

.end rewt

Greetings

03 Mar 2005, 02:56

liteonish

Joined: 24 Feb 2005
Posts: 26

liteonish 03 Mar 2005, 04:09

Awesome. That makes life so much easier. Hooray for Windows API calls! Very Happy

_________________
I just own that much.

03 Mar 2005, 04:09

sylwek32

Joined: 27 Apr 2006
Posts: 339

sylwek32 26 May 2006, 05:53

But it doesnt compile under FASM!

Description:	Doesnt compile as you see...
Filesize:	41.18 KB
Viewed:	8794 Time(s)

26 May 2006, 05:53

sylwek32

Joined: 27 Apr 2006
Posts: 339

sylwek32 26 May 2006, 05:58

so no it works but i had to change return to ret.

Can somebody tell me how to modify the dialog's title ?

26 May 2006, 05:58

Vasilev Vjacheslav

Joined: 11 Aug 2004
Posts: 392

Vasilev Vjacheslav 26 May 2006, 06:56

SetWindowText

26 May 2006, 06:56

sylwek32

Joined: 27 Apr 2006
Posts: 339

sylwek32 26 May 2006, 07:24

But how to make a patcher which patches a programs title ?

26 May 2006, 07:24

Vasilev Vjacheslav

Joined: 11 Aug 2004
Posts: 392

Vasilev Vjacheslav 26 May 2006, 14:26

FindWindow + SetWindowText

26 May 2006, 14:26

< Last Thread | Next Thread >

Forum Rules:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum