mem or running app patching


jomamameister
January 24th, 2002, 12:09
hello all,
ok, here's an interesting question in which i would appreciate some feedback. there are several progs out, like dzapatcher which can patch a primary .exe and get it to work with its loader. now what about the packed prog which calls a packed .dll where the "real" area to be patched is. the dzapatcher doesn't seem to support an extended patching scheme like that. it only works through the primary target, which isn't the prob particularly. also we must presume that the .dll won't be easily unpacked, but that it can be patched in memory and it runs just fine. so, what i'm looking for is a prog that can do primary and/or secondary patching on the fly. i look forward to any discussion here to shed some light for me and others.
thanks
jomamameister

Aimless
January 25th, 2002, 00:53
Not really qualified to answer but would like to share what I know...

Before we start, let me reiterate what you have mentioned below so that we both are on the right track:

1. There is a packed exe (called, say, A.EXE)

2. This exe is easily patched with a memory patcher

3. This exe also calls a packed dll (called, say, A.DLL)

4. The actual patching is to be done in memory, not in A.EXE, but in A.DLL, because that's where the protection lies.

If the above scenario is what you require, then I feel that the solution is at hand.

You will need to understand (I am sure that you do) that the dll runs in the exe's process space, because the dll was called by the exe. Therefore, the A.DLL is actually the CHILD process or DEPENDENT process of A.EXE

You can patch the A.DLL in memory by 2 ways:

[continued below...]

Aimless
January 25th, 2002, 00:54
[cont'd from above...]

1. Find a patcher that fixes memory addresses of an executable and all related CHILD processes also (you will have to search the web. Unfortunately, programmerstools.org has shut down so you will have to wait. Good news is that it'll soon be hosted here )

2. Find a patcher that scans the memory for processes, displays a list of the same to you, a-la task manager, and allows you to ATTACH yourself to the same. Then modify the necessary. I am afraid, I have seen only one such patcher, but forget the name.

I hope that the meagre explanations above are good enough to at least *get* you started off.

...Have Phun

+SplAj
January 25th, 2002, 08:41
Hi jo

YES it is possible to use tools like r!sc process patcher and others. However the later protections catch such debug activity and refuse to play....

You can 'modify' these utilities to play a smarter game. By knowing the layers and the debug trick you can patch out that code too....

But just for real-time 'memory' patching HexWorks can do that easily.... You can find these tools around I am sure of that

Spl/\j

DakienDX
January 25th, 2002, 12:07
Hello jomamameister !

You should look for a tool called "Process Patcher".
It has a special feature which allows patching up to three DLLs loaded with the main executable, even if they are relocated to different addresses every time.
I only know two versions. One is v3.60 and includes many examples, the other one is 3.93 which I only got without any examples or a readme.

Its author is thewd, but I don't know if the author and the member registered here are the same person.
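The relocation point above is the same one a protection author has to get right from the other side: once the loader has mapped a DLL away from its preferred base, every absolute pointer in its code differs from the on-disk bytes, so a self-integrity check that compares memory against the file byte for byte will "see" modifications that are only the loader's fixups. The following is an added example, not code from Process Patcher or any tool mentioned in this thread: it applies the fixups to the on-disk section first and only reports byte runs that differ from what the loader should have produced. The section bytes, relocation offsets, image bases and the modified memory snapshot are all constructed here; a real check would read the section from the file and from the live process with platform APIs.

```python
"""Relocation-aware comparison of a loaded code section with its on-disk copy.

Added example for this thread; not code from any patcher or protection
named here. All bytes, offsets and base addresses below are constructed.
"""
import struct

# Assumed values: preferred ImageBase from the DLL header, the base the
# loader actually used this time, and the RVA of the code section.
PREFERRED_BASE = 0x10000000
ACTUAL_BASE = 0x6B400000
SECTION_RVA = 0x1000

# Constructed on-disk code section. Two instructions carry 32-bit absolute
# operands (at section offsets 2 and 11) that the loader rewrites whenever
# the DLL is not mapped at PREFERRED_BASE.
DISK_SECTION = bytes.fromhex(
    "ff15" "00100010"   # call dword ptr [0x10001000]   (absolute operand)
    "85c0"              # test eax, eax
    "7405"              # je +5
    "b8" "20100010"     # mov eax, 0x10001020          (absolute operand)
    "c3"                # ret
)
RELOC_OFFSETS = [2, 11]   # section-relative offsets of the absolute operands


def apply_relocations(section, reloc_offsets, delta):
    """Return the section as the loader produces it: each 32-bit absolute
    value at the listed offsets has delta (actual - preferred base) added."""
    buf = bytearray(section)
    for off in reloc_offsets:
        (val,) = struct.unpack_from("<I", buf, off)
        struct.pack_into("<I", buf, off, (val + delta) & 0xFFFFFFFF)
    return bytes(buf)


def find_differing_runs(expected, observed):
    """Return [(offset, length), ...] for every run of bytes where the
    observed memory differs from the expected image."""
    if len(expected) != len(observed):
        raise ValueError("section length mismatch")
    runs, start = [], None
    for i, (a, b) in enumerate(zip(expected, observed)):
        if a != b:
            if start is None:
                start = i
        elif start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, len(expected) - start))
    return runs


def naive_check(disk_section, memory_section):
    """Raw file-vs-memory compare: relocated pointers show up as hits."""
    return find_differing_runs(disk_section, memory_section)


def relocation_aware_check(disk_section, reloc_offsets,
                           preferred_base, actual_base, memory_section):
    """Compare memory against the image the loader should have produced,
    so only changes that are not relocation fixups remain."""
    delta = actual_base - preferred_base
    expected = apply_relocations(disk_section, reloc_offsets, delta)
    return find_differing_runs(expected, memory_section)


def to_virtual_addresses(runs, actual_base, section_rva):
    """Translate section offsets into addresses valid in the live process."""
    return [(actual_base + section_rva + off, length) for off, length in runs]


def simulate_loaded_section():
    """Constructed snapshot a monitor would read from the process: the
    loader's relocated image plus a two-byte change at offset 8 that is
    not explained by any relocation entry."""
    loaded = bytearray(apply_relocations(
        DISK_SECTION, RELOC_OFFSETS, ACTUAL_BASE - PREFERRED_BASE))
    loaded[8:10] = b"\x90\x90"
    return bytes(loaded)


if __name__ == "__main__":
    mem = simulate_loaded_section()
    print("naive compare flags:", naive_check(DISK_SECTION, mem))
    hits = relocation_aware_check(DISK_SECTION, RELOC_OFFSETS,
                                  PREFERRED_BASE, ACTUAL_BASE, mem)
    for va, n in to_virtual_addresses(hits, ACTUAL_BASE, SECTION_RVA):
        print(f"unexpected change: {n} byte(s) at {va:#010x}")
```

With the constructed data the naive compare reports three runs (two of them just the high bytes of the relocated pointers), while the relocation-aware compare reports only the single two-byte change at offset 8, which maps to 0x6B401008 in the process. The same idea applies to the reverse problem DakienDX describes: a tool that wants to address a DLL "relocated to different addresses every time" has to work in section offsets or RVAs and add the actual base at run time, never in addresses taken from one particular run.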

SpeKKeL
January 26th, 2002, 18:50
Also try :FuckFmn v0.1 (beta version) - 14.11.2001
Written by..: smola^cp +some support
Program type: new technology loader working under ring0 for w9x/w2k
IS able to patch *ANY* commercial product packed with
*ANY* exepacker (included latest asprotect)
See protools.......

Success,

Spek

jomamameister
January 26th, 2002, 23:39
thanks to all who contributed their knowledge. i did get to download the ? latest process patcher from thewd 4.00. i will keep my eyes open and keep trying new things. here's a quick def for insanity:
you keep on trying the same things hoping to get different results.

thanks again everyone.
jomamameister

DakienDX
January 27th, 2002, 05:49
Quote:
Originally posted by SpeKKeL
Also try :FuckFmn v0.1 (beta version) - 14.11.2001
Written by..: smola^cp +some support
Program type: new technology loader working under ring0 for w9x/w2k
IS able to patch *ANY* commercial product packed with
*ANY* exepacker (included latest asprotect)
See protools.......

Success,

Spek


"i tested his on many, many packed appz and i always get the positive effects but is the only one limitation: this loader cannot patch applications written in win32asm... hmm, one question: who write a commercial soft in win32asm? hehe, sado-maso? so, try it on any appz written in delphi, vc, vb or other high languages."


I already can see the high-level stub patchers floating around. Do you remember UPC, TEU and XPack -ux?