Results 1 to 4 of 4

Thread: How patching works?

  1. #1

    How patching works?

    Hi guys, this is my first post on the forum but I've read quite some interesting tuturials by now. Now I've noticed that all those tutorials use some kind of tool to modify the binary manually. I'm making a thesis on the process of cracking and that is why I'd like to know how these manual modifications are commonly implemented in a patch:

    - are most patches offset patches or do they search the binary in some way? Could someone give me a percentage on that?
    - is there some kind of patch generator that puts out a tailored patch for applying a certain modification to the binary?

    Thx in advance
    Last edited by keeth; March 29th, 2006 at 09:06.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Most patches (I'd say 90%) out there use an offset. All but the worst ones will check to make sure that offset originally contains what is expected before it goes ahead and does damage, but usually you'll get nothing more helpful than a poorly worded 'Filesize not match!' error if there isn't a match.

    However, it's this minority of patches (that actually perform a binary search, even a simple one) that are the most effective. Often a binary is updated between releases without the protection algorithm being as much as breathed on, so although the offset may change the bit-pattern will often remain the same. However, this is something of a double-edged sword, since some bit-patterns will appear several times in a binary (and so false-positives can occur). Provided the reverser knew what they were doing, they'd probably do a good job of making a quasi-multi-version patch. Otherwise, their attempts to be clever may do more harm than good.

    As for patch generators, these are plentiful (although I'm dubious of the quality of many of them). I think most cracking groups use their own templates for cracks and keygens, whereas the smalltime dabblers will tend to use something they grabbed off the net. This said, you'll often enough encounter a purpose-coded patcher or keygen UI.

    So I guess the answer to both of your questions is 'it depends' .


  3. #3
    Naides is Nobody
    Join Date
    Jan 2002
    Planet Earth
    If I understand you correcly, you are interested in patcher programs. right?

    Manual patching entails changing some bytes in the binary, usually with a hex editor. The secret of this sort of cracking is simple: To know where are the bytes to change and what to change them to. Nothing more. . .

    A patcher is a small executable that automates this process.
    The simplest patch generators compare the original and the cracked version of the binary, store away the differences in position ( file offset) and the contents of teh altered bytes. The patcher then blindly modify the specific bytes when run. Some patchers will perform some preliminary checking, making sure that the target binary is of the right size, version and perhaps the right CRC.

    It is plausible also, as you say, scan the target binary searching for some signature that marks the area you want to patch, but I have not seen very many of those. there could be false positives, non unique signatures.

    There are commercially available patch generators that automate these tasks: patching is frequent in commercial sofware updates and security updates, also in virus removal. Search the net and you will find. Also If you look in EXETOOLS and other tool repositories you will find some home-made patcher generators used by crackers.

    Admiral: From now on, you are not allowed to read my mind, or beat me to answer a posting
    Last edited by naides; March 8th, 2006 at 16:11.

  4. #4
    Quote Originally Posted by keeth
    - are most patches offset patches or do they search the binary in some way? Could someone give me a percentage on that?
    Almost all of them rely on hardcoded file offsets. This is much easier than searching for a specific sequence.
    Quote Originally Posted by keeth
    - is there some kind of patch generator that puts out a tailored patch for appliing a certain modification to the binary?
    There are many out there. One of the most interesting is known as the xor-difference patcher, which stores the patch data in such a way that the values of the patched bytes cannot be determined without the file that is intended to be patched. The patched bytes are generated from the xor of the original byte and the difference-byte.

Similar Threads

  1. Is there a plug-in which works as TSearch?
    By megatron in forum OllyDbg Support Forums
    Replies: 2
    Last Post: January 9th, 2009, 15:39
  2. Interesting patcher (the aPE), anyone knows how it works?
    By dELTA in forum Tools of Our Trade (TOT) Messageboard
    Replies: 10
    Last Post: November 30th, 2005, 09:22
  3. flexlm 8.0d using 8.0c sdk... works fine
    By stevematulis in forum Off Topic
    Replies: 0
    Last Post: April 23rd, 2004, 18:48
  4. If board works again then...
    By Petroff in forum Advanced Reversing and Programming
    Replies: 0
    Last Post: April 22nd, 2001, 19:31
  5. ... diskcopy don't works... ???
    By xyzero in forum Advanced Reversing and Programming
    Replies: 9
    Last Post: March 18th, 2001, 11:39


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts