Farhan Khalid
Patching Tips
sab_jhoot_hi
Date: Wednesday, 2009-04-29, 7:30 AM

Message # 1
1. Jump patching
When you want a jump to always be taken, do this...
xxx (any jump)--->JMP
Another possibility (I think this is better, but you must be careful!)
JNE--->JN
JNZ--->JE

Those are the VERY basics of jump patching!
Please edit or close this topic if it exists already

--------------------

More patching examples:

0FB680 D8020000 MOVZX EAX,BYTE PTR DS:[EAX+2D8]
83F8 07 CMP EAX,7 // 3 bytes of a routine could be replaced in many ways depending on the previous or next instructions.

0F95C0 SETNE AL // condition is TRUE
or
0F94C0 SETE AL // condition is FALSE

and sometimes you only need one byte to change the whole story (redirecting a jump):

JE SHORT 0048970B
00489692 (instruction)
(instruction)
(instruction)
(instruction)
(instruction)
(instruction)
(instruction)
(instruction)
(instruction)
(instruction)
(...)
0048970B (instruction to Jmp to if conditions are met)

Sometimes it can be changed with just a simple jmp redirect
JE SHORT 00489692
00489692 (instruction)
(instruction)
(instruction)
(instruction)
(instruction)
(instruction)
(instruction)
(instruction)
(instruction)
(instruction)
(...)
0048970B (instruction will be executed in all cases)

Changing a Flag:

CMP BYTE PTR DS:[EBX+114],0
CMP BYTE PTR DS:[EBX+114],1 // and vice versa

Changing conditional to unconditional JMPs and vice versa, or NOPing, works, but there is always a more elegant way to do one and the same thing with less code change!

--------------------

In my opinion it's better to make a clear patch, not just reverse the instruction.

for short jumps (Jx XX)
CODE
always jump:
Jx XX --> EB xx

never jump:
Jx XX --> Jx 00

for long jumps (0F xx XX XX XX XX)
CODE
always jump:
0F xx XX XX XX XX --> 90 E9 XX XX XX XX

never jump:
0F xx XX XX XX XX --> 0F xx 00 00 00 00

--------------------

Well, sometimes it is not possible to patch the conditional jump at all, because in some cases this can result in exceptions. Some people patch 15 bytes just to make sure that the patch works, where only one simple byte can do it as well, but I assume that everyone has his own style of patching, just like everyone has his own style of walking ;)
Personally, what I think should be avoided is the situation described here:

QUOTE
Another possibility (I think this is better, but you must be carefull!)
JNE--->JN
JNZ--->JE

--------------------

Well, Diablo2oo2 is right: you should use those bytes to reverse in case you get an exception. Then you'd better check the size; if you've overwritten a used instruction before or below it, then it should give one, else you can try inline. "In worst cases, when out of space", get a cave and inject the code; it's a piece of cake in some apps, especially unprotected ones.

As for JE and JNZ, you know what would happen in case you reversed them: a stupid thing like accepting a fake serial and not the right one ^^ but useless, I prefer advanced patching after all :D

If you think most patches are methods then you might be mistaken, cause some reversers use specific methods to patch, and hard ways sometimes, just to mark their own releases so no one rips them. So 11 bytes of patching might be 2 for a cracked soft and 9 for screwing around!! That's all....

--------------------

Fine points, however to be fair, it's best to patch the proc that sets the conditional, rather than the conditional itself, because it may be called indirectly later and you won't see / catch it...

--------------------

Registration checks are often done several times, so tracing down the procedure that sets the registration status often saves a lot of work, like patching disabled functions, watermarks etc.

Join our community, learn and share your comments...... www.uniquefourm.freeforums.org
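A defender-side check for the byte patterns that the patching tricks above leave behind, added here as an example (not code from the post or any of its quoted contributors): a Jcc with a zero displacement ("never jump") and a NOP followed by JMP rel32 in a 6-byte slot ("always jump"). The sample bytes are constructed and the 0x400000 base address is an assumption.

```python
"""Defender-side heuristic for the jump-patch signatures discussed above.

Added example, not code from the forum post. Flags byte patterns that
compilers practically never emit but hand patching leaves behind: a Jcc with
zero displacement (the "never jump" form, Jx 00 / 0F 8x 00 00 00 00) and a
NOP directly followed by JMP rel32 (the "always jump" form, 90 E9 ...).
"""
import struct

# Mnemonic for each Jcc condition, indexed by the opcode's low nibble
# (short form 70-7F, near form 0F 80-8F). Bit 0 of the nibble inverts it.
CC = ["JO", "JNO", "JB", "JAE", "JE", "JNE", "JBE", "JA",
      "JS", "JNS", "JP", "JNP", "JL", "JGE", "JLE", "JG"]


def scan_for_patched_jumps(code: bytes, base: int = 0x400000) -> list:
    """Return (address, kind, description) for suspicious jump sites.

    Linear byte scan, not a disassembler: hits are leads to confirm in a
    real disassembly (a 74 00 inside an operand is a false positive).
    """
    hits, n = [], len(code)
    for i in range(n):
        b = code[i]
        # Short Jcc with displacement 0 jumps to the next instruction.
        if 0x70 <= b <= 0x7F and i + 1 < n and code[i + 1] == 0x00:
            hits.append((base + i, "never-jump",
                         f"{CC[b & 0x0F]} SHORT +0 (zero displacement)"))
        # Near Jcc (0F 8x) with rel32 == 0: the same trick, long form.
        elif b == 0x0F and i + 5 < n and 0x80 <= code[i + 1] <= 0x8F:
            if struct.unpack_from("<i", code, i + 2)[0] == 0:
                hits.append((base + i, "never-jump",
                             f"{CC[code[i + 1] & 0x0F]} NEAR +0 (zero rel32)"))
        # NOP; JMP rel32 is exactly the size of a 6-byte near Jcc slot.
        elif b == 0x90 and i + 5 < n and code[i + 1] == 0xE9:
            rel = struct.unpack_from("<i", code, i + 2)[0]
            target = base + i + 6 + rel
            hits.append((base + i, "always-jump",
                         f"NOP; JMP {target:08X} (fills a 6-byte Jcc slot)"))
    return hits


# Constructed sample bytes (not from any real binary): one clean CMP/JNE
# pair, then each patched form once, then RET.
SAMPLE = bytes.fromhex(
    "83F807" "7510"            # CMP EAX,7 ; JNE SHORT +0x10   (clean)
    "7400"                     # JE SHORT +0                 <- never-jump
    "0F8500000000"             # JNE NEAR +0                 <- never-jump
    "90E910000000"             # NOP ; JMP +0x10             <- always-jump
    "C3")
```

Calling `scan_for_patched_jumps(SAMPLE)` reports the three patched sites and leaves the clean JNE alone; run it over the code section of a binary whose hash no longer matches the vendor's to find where it was altered.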

