Inline Patching
Theory and implementation of inline patching binaries during runtime...
31 files
-
Armadillo 7.40 (Inline Patching CRC)
By Teddy Rogers
Video tutorial walking through the process of unpacking and then inline patching (by API hooking) Armadillo 7.40 with Debug-Blocker enabled.
Protected By Armadillo
<-Find Protect
Protection system (Professional)
<Protection Options>
Debug-Blocker
<Backup Key Options>
Variable Backup Keys
<Compression Options>
Best/Slowest Compression
<-Find Version
Version 7.40 27-07-2010
Unregistered Copy
-------------------------------------
Unpacking
OpenMutexA (For Inline Patching)
00E5AE86 JNZ wmtplus6.00E5B094
OEP == (RVA) 9B30E0 == (VA) 0DB30E0
IAT == 09D22A4 Size == C98
-------------------------------------
Cracking Bytes:
00C0B3DC B0 01    MOV AL,1
00C0B3DE 90       NOP
*************************************
Inline Patching
1 - Add Free Space == 00EEA00B
2 - Find Real CRC32 (the values hook 2 below writes back into the Armadillo frame):
    CRC1 = D2B572BF --> [EBP-10]
    CRC2 = FDF61F49 --> [EBP-18]
    CRC3 = 97EF85E3 --> [EBP-1C]
    CRC4 = BB989269 --> [EBP-20]
    CRC5 = 4E45D7E8 --> [EBP-24]
    Armadillo EntryPoint = 00EA841F
3 - Patch Debug-Blocker == 00E5AE86
4 - Write Inline Patching Codes at 00EEA00B (new entry point; it ends by jumping to the Armadillo entry point)

00EEA00B PUSHAD                                           ; save all registers
00EEA00C PUSH wmtplus6.00EEA13D                           ; /pModule = "kernel32.dll"
00EEA011 CALL DWORD PTR DS:[<&KERNEL32.GetModuleHandleA>] ; \GetModuleHandleA
00EEA017 PUSH EAX                                         ; save kernel32 handle (used for GetModuleHandleA lookup)
00EEA018 PUSH EAX                                         ; save kernel32 handle (used for OutputDebugStringA lookup)
00EEA019 NOP
00EEA01A PUSH wmtplus6.00EEA14D                           ; /ProcNameOrOrdinal = "VirtualProtect"
00EEA01F PUSH EAX                                         ; |hModule = kernel32 handle in EAX
00EEA020 CALL DWORD PTR DS:[<&KERNEL32.GetProcAddress>]   ; \GetProcAddress
00EEA026 MOV DWORD PTR DS:[EEA18D],EAX                    ; save "VirtualProtect" address
00EEA02B NOP
00EEA02C POP EAX                                          ; reload kernel32 handle
00EEA02D PUSH wmtplus6.00EEA15D                           ; /ProcNameOrOrdinal = "GetModuleHandleA"
00EEA032 PUSH EAX                                         ; |hModule = kernel32 handle in EAX
00EEA033 CALL DWORD PTR DS:[<&KERNEL32.GetProcAddress>]   ; \GetProcAddress
00EEA039 MOV DWORD PTR DS:[EEA191],EAX                    ; save "GetModuleHandleA" address
00EEA03E NOP
00EEA03F POP EAX                                          ; reload kernel32 handle
00EEA040 PUSH wmtplus6.00EEA16E                           ; /ProcNameOrOrdinal = "OutputDebugStringA"
00EEA045 PUSH EAX                                         ; |hModule = kernel32 handle in EAX
00EEA046 CALL DWORD PTR DS:[<&KERNEL32.GetProcAddress>]   ; \GetProcAddress
00EEA04C MOV DWORD PTR DS:[EEA195],EAX                    ; save "OutputDebugStringA" address
00EEA051 NOP
00EEA052 PUSH wmtplus6.00EEA1AE                           ; /pOldProtect = wmtplus6.00EEA1AE
00EEA057 PUSH 40                                          ; |NewProtect = PAGE_EXECUTE_READWRITE
00EEA059 PUSH 5                                           ; |Size = 5
00EEA05B PUSH DWORD PTR DS:[EEA191]                       ; |Address = kernel32.GetModuleHandleA
00EEA061 CALL DWORD PTR DS:[EEA18D]                       ; \VirtualProtect
00EEA067 NOP
00EEA068 MOV ESI,DWORD PTR DS:[EEA191]                    ; ESI = GetModuleHandleA address
00EEA06E MOV EDI,wmtplus6.00EEA0D5                        ; EDI = first patching code (trampoline slot)
00EEA073 MOV ECX,5                                        ; ECX = 5 bytes
00EEA078 REP MOVS BYTE PTR ES:[EDI],BYTE PTR ES:[ESI]     ; trampoline slot = first 5 bytes of GetModuleHandleA
00EEA07B MOV ESI,wmtplus6.00EEA1A0                        ; ESI = JMP stub to first patching code
00EEA080 MOV EDI,DWORD PTR DS:[EEA191]                    ; EDI = GetModuleHandleA address
00EEA086 MOV ECX,5                                        ; ECX = 5 bytes
00EEA08B REP MOVS BYTE PTR ES:[EDI],BYTE PTR ES:[ESI]     ; GetModuleHandleA = JMP to first patching code
00EEA08E NOP
00EEA08F PUSH wmtplus6.00EEA1BE                           ; /pOldProtect = wmtplus6.00EEA1BE
00EEA094 PUSH 40                                          ; |NewProtect = PAGE_EXECUTE_READWRITE
00EEA096 PUSH 5                                           ; |Size = 5
00EEA098 PUSH DWORD PTR DS:[EEA195]                       ; |Address = kernel32.OutputDebugStringA
00EEA09E CALL DWORD PTR DS:[EEA18D]                       ; \VirtualProtect
00EEA0A4 NOP
00EEA0A5 MOV ESI,DWORD PTR DS:[EEA195]                    ; ESI = OutputDebugStringA address
00EEA0AB MOV EDI,wmtplus6.00EEA105                        ; EDI = first CRC32 patching code (trampoline slot)
00EEA0B0 MOV ECX,5                                        ; ECX = 5 bytes
00EEA0B5 REP MOVS BYTE PTR ES:[EDI],BYTE PTR ES:[ESI]     ; trampoline slot = first 5 bytes of OutputDebugStringA
00EEA0B8 MOV ESI,wmtplus6.00EEA1A6                        ; ESI = JMP stub to first CRC32 patching code
00EEA0BD MOV EDI,DWORD PTR DS:[EEA195]                    ; EDI = OutputDebugStringA address
00EEA0C3 MOV ECX,5                                        ; ECX = 5 bytes
00EEA0C8 REP MOVS BYTE PTR ES:[EDI],BYTE PTR ES:[ESI]     ; OutputDebugStringA = JMP to first CRC32 patching code
00EEA0CB NOP
00EEA0CC POPAD
00EEA0CD JMP wmtplus6.00EA841F                            ; jump to Armadillo entry point
00EEA0D2 NOP
00EEA0D3 NOP
00EEA0D4 NOP                                              ; first patching code (hook 1) ---|
00EEA0D5 NOP                                              ; GetModuleHandleA jumps here  <--|
00EEA0D6 NOP                                              ; 00EEA0D5..00EEA0D9 are overwritten at runtime with
00EEA0D7 NOP                                              ; the saved first 5 bytes of GetModuleHandleA
00EEA0D8 NOP
00EEA0D9 NOP
00EEA0DA PUSHFD
00EEA0DB CMP DWORD PTR SS:[EBP+8],0                       ; only count calls with hModule == NULL
00EEA0DF JNZ SHORT wmtplus6.00EEA0F2
00EEA0E1 DEC BYTE PTR DS:[EEA199]                         ; call counter (starts at 0x39)
00EEA0E7 JNZ SHORT wmtplus6.00EEA0F2
00EEA0E9 NOP
00EEA0EA NOP
00EEA0EB JMP wmtplus6.00EEA1CA                            ; counter hit zero: go and write the crack bytes
00EEA0F0 NOP
00EEA0F1 NOP
00EEA0F2 POPFD
00EEA0F3 JMP kernel32.7C80B736                            ; back into GetModuleHandleA + 5
00EEA0F8 .. 00EEA104  NOP (13 bytes)
00EEA105 NOP                                              ; first CRC32 patching code (hook 2) ---|
00EEA106 NOP                                              ; OutputDebugStringA jumps here      <--|
00EEA107 NOP                                              ; 00EEA105..00EEA109 are overwritten at runtime with
00EEA108 NOP                                              ; the saved first 5 bytes of OutputDebugStringA
00EEA109 NOP
00EEA10A PUSHFD
00EEA10B DEC BYTE PTR DS:[EEA19A]                         ; call counter (starts at 2)
00EEA111 JNZ SHORT wmtplus6.00EEA136
00EEA113 MOV DWORD PTR SS:[EBP-10],D2B572BF               ; restore real CRC1..CRC5 in the caller's frame
00EEA11A MOV DWORD PTR SS:[EBP-18],FDF61F49
00EEA121 MOV DWORD PTR SS:[EBP-1C],97EF85E3
00EEA128 MOV DWORD PTR SS:[EBP-20],BB989269
00EEA12F MOV DWORD PTR SS:[EBP-24],4E45D7E8
00EEA136 POPFD
00EEA137 JMP kernel32.7C85AC81                            ; back into OutputDebugStringA + 5; end of CRC32 patching code
00EEA13C NOP
00EEA13D ASCII "kernel32.dll",0
00EEA14A DB 00
00EEA14B DB 00
00EEA14C DB 00
00EEA14D ASCII "VirtualProtect",0
00EEA15C DB 00
00EEA15D ASCII "GetModuleHandleA",0
00EEA16E ASCII "OutputDebugStringA",0
00EEA181 .. 00EEA18C  NOP (12 bytes)
00EEA18D DD kernel32.VirtualProtect                       ; saved API addresses
00EEA191 DD kernel32.GetModuleHandleA
00EEA195 DD kernel32.OutputDebugStringA
00EEA199 DB 39                                            ; hook 1 call counter (0x39 = 57)
00EEA19A DB 02                                            ; hook 2 call counter
00EEA19B .. 00EEA19F  NOP (5 bytes)
00EEA1A0 DB E9                                            ; 5-byte JMP stub for GetModuleHandleA: E9 9F E9 6D 84
00EEA1A1 DB 9F                                            ; (7C80B731 -> 00EEA0D5)
00EEA1A2 DB E9
00EEA1A3 DB 6D
00EEA1A4 DB 84
00EEA1A5 NOP
00EEA1A6 DB E9                                            ; 5-byte JMP stub for OutputDebugStringA: E9 84 F4 68 84
00EEA1A7 TEST AH,DH                                       ; (7C85AC7C -> 00EEA105; OllyDbg disassembles the
00EEA1A9 PUSH 90909084                                    ;  stub bytes 84 F4 68 84 90 90 90 as code, they are data)
00EEA1AE .. 00EEA1C9  NOP (28 bytes; 00EEA1AE and 00EEA1BE double as the pOldProtect DWORDs above)
00EEA1CA PUSH wmtplus6.00EEA200                           ; /pOldProtect = wmtplus6.00EEA200
00EEA1CF PUSH 40                                          ; |NewProtect = PAGE_EXECUTE_READWRITE
00EEA1D1 PUSH 3                                           ; |Size = 3
00EEA1D3 PUSH wmtplus6.00C0B3DC                           ; |Address = wmtplus6.00C0B3DC
00EEA1D8 CALL DWORD PTR DS:[EEA18D]                       ; \VirtualProtect
00EEA1DE NOP
00EEA1DF NOP
00EEA1E0 MOV BYTE PTR DS:[C0B3DC],0B0                     ; write the crack bytes: MOV AL,1 / NOP
00EEA1E7 MOV BYTE PTR DS:[C0B3DD],1
00EEA1EE MOV BYTE PTR DS:[C0B3DE],90
00EEA1F5 NOP
00EEA1F6 NOP
00EEA1F7 JMP wmtplus6.00EEA0F0                            ; back to hook 1 exit (POPFD, JMP GetModuleHandleA + 5)

Patch bytes (00EEA00B .. 00EEA1FB, 16 per row):
00EEA00B  60 68 3D A1 EE 00 FF 15 48 A2 EF 00 50 50 90 68
00EEA01B  4D A1 EE 00 50 FF 15 8C A0 EF 00 A3 8D A1 EE 00
00EEA02B  90 58 68 5D A1 EE 00 50 FF 15 8C A0 EF 00 A3 91
00EEA03B  A1 EE 00 90 58 68 6E A1 EE 00 50 FF 15 8C A0 EF
00EEA04B  00 A3 95 A1 EE 00 90 68 AE A1 EE 00 6A 40 6A 05
00EEA05B  FF 35 91 A1 EE 00 FF 15 8D A1 EE 00 90 8B 35 91
00EEA06B  A1 EE 00 BF D5 A0 EE 00 B9 05 00 00 00 26 F3 A4
00EEA07B  BE A0 A1 EE 00 8B 3D 91 A1 EE 00 B9 05 00 00 00
00EEA08B  26 F3 A4 90 68 BE A1 EE 00 6A 40 6A 05 FF 35 95
00EEA09B  A1 EE 00 FF 15 8D A1 EE 00 90 8B 35 95 A1 EE 00
00EEA0AB  BF 05 A1 EE 00 B9 05 00 00 00 26 F3 A4 BE A6 A1
00EEA0BB  EE 00 8B 3D 95 A1 EE 00 B9 05 00 00 00 26 F3 A4
00EEA0CB  90 61 E9 4D E3 FB FF 90 90 90 90 90 90 90 90 9C
00EEA0DB  83 7D 08 00 75 11 FE 0D 99 A1 EE 00 75 09 90 90
00EEA0EB  E9 DA 00 00 00 90 90 9D E9 3E 16 92 7B 90 90 90
00EEA0FB  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 9C
00EEA10B  FE 0D 9A A1 EE 00 75 23 C7 45 F0 BF 72 B5 D2 C7
00EEA11B  45 E8 49 1F F6 FD C7 45 E4 E3 85 EF 97 C7 45 E0
00EEA12B  69 92 98 BB C7 45 DC E8 D7 45 4E 9D E9 45 0B 97
00EEA13B  7B 90 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00
00EEA14B  00 00 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74
00EEA15B  00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C
00EEA16B  65 41 00 4F 75 74 70 75 74 44 65 62 75 67 53 74
00EEA17B  72 69 6E 67 41 00 90 90 90 90 90 90 90 90 90 90
00EEA18B  90 90 D4 1A 80 7C 31 B7 80 7C 7C AC 85 7C 39 02
00EEA19B  90 90 90 90 90 E9 9F E9 6D 84 90 E9 84 F4 68 84
00EEA1AB  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
00EEA1BB  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 68
00EEA1CB  00 A2 EE 00 6A 40 6A 03 68 DC B3 C0 00 FF 15 8D
00EEA1DB  A1 EE 00 90 90 C6 05 DC B3 C0 00 B0 C6 05 DD B3
00EEA1EB  C0 00 01 C6 05 DE B3 C0 00 90 90 90 E9 F4 FE FF
00EEA1FB  FF
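The two hooks in the listing above are ordinary 5-byte inline hooks: the first five bytes of the kernel32 export are saved into the NOP pad at the start of the hook body, a JMP back to export+5 follows the body, and the export's own first five bytes are replaced by a JMP into the cave. The following C program is an added example, not code from the tutorial, that encodes and decodes those JMP rel32 stubs and performs the same three-step install against a modelled memory region so it compiles and runs anywhere; in the live process the three writes go through VirtualProtect exactly as the listing shows. The addresses are the ones the listing gives (GetModuleHandleA at 7C80B731, OutputDebugStringA at 7C85AC7C, cave at 00EEA0D5/00EEA105); the stand-in prologue bytes of the fake export are constructed for the example.

```c
/* Added example: 5-byte inline hook mechanics as used by the Armadillo 7.40
 * inline patch above. Runs against an in-memory model, not a live process. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STUB_LEN 5 /* E9 rel32 */

/* rel32 for a JMP located at 'from' that must land on 'to'. x86 measures the
 * displacement from the end of the 5-byte instruction; unsigned wrap-around
 * gives the same bit pattern the CPU uses for backward jumps. */
static uint32_t jmp_rel32(uint32_t from, uint32_t to) {
    return to - (from + STUB_LEN);
}

/* Encode E9 rel32 (little-endian) into out[5]. */
static void encode_jmp(uint8_t out[STUB_LEN], uint32_t from, uint32_t to) {
    uint32_t rel = jmp_rel32(from, to);
    out[0] = 0xE9;
    out[1] = (uint8_t)rel;
    out[2] = (uint8_t)(rel >> 8);
    out[3] = (uint8_t)(rel >> 16);
    out[4] = (uint8_t)(rel >> 24);
}

/* Decode the destination of an E9 stub that sits at address 'at'. 0 = not a JMP rel32. */
static uint32_t decode_jmp(const uint8_t stub[STUB_LEN], uint32_t at) {
    if (stub[0] != 0xE9) return 0;
    uint32_t rel = (uint32_t)stub[1] | ((uint32_t)stub[2] << 8) |
                   ((uint32_t)stub[3] << 16) | ((uint32_t)stub[4] << 24);
    return at + STUB_LEN + rel;
}

/* Model of a mapped region: a byte array that pretends to live at 'base'. */
typedef struct { uint32_t base; uint8_t *bytes; size_t len; } region_t;

/* Pointer to 'va' inside the region if a 5-byte stub fits there, else NULL. */
static uint8_t *at(region_t *r, uint32_t va) {
    if (va < r->base || va + STUB_LEN > r->base + r->len) return NULL;
    return r->bytes + (va - r->base);
}

/* Install the hook the way the listing does:
 *  1. save the first 5 bytes of 'func' into the trampoline slot ('tramp',
 *     00EEA0D5 / 00EEA105 in the listing),
 *  2. write JMP func+5 at 'resume' (00EEA0F3 / 00EEA137),
 *  3. overwrite the first 5 bytes of 'func' with JMP tramp.
 * Caveat the real hook relies on too: the 5 saved bytes must be whole
 * instructions without relative operands, or the relocated copy misbehaves. */
static int install_hook(region_t *func_mem, uint32_t func,
                        region_t *cave_mem, uint32_t tramp, uint32_t resume) {
    uint8_t *f = at(func_mem, func), *t = at(cave_mem, tramp), *r = at(cave_mem, resume);
    if (!f || !t || !r) return -1;
    memcpy(t, f, STUB_LEN);                 /* step 1 */
    encode_jmp(r, resume, func + STUB_LEN); /* step 2 */
    encode_jmp(f, func, tramp);             /* step 3 */
    return 0;
}

/* Reproduce the stubs from the listing and check both back-jumps. */
static int check_listing_stubs(void) {
    uint8_t gmh[STUB_LEN], ods[STUB_LEN];
    encode_jmp(gmh, 0x7C80B731, 0x00EEA0D5); /* GetModuleHandleA   -> hook 1 */
    encode_jmp(ods, 0x7C85AC7C, 0x00EEA105); /* OutputDebugStringA -> hook 2 */
    static const uint8_t want_gmh[] = {0xE9, 0x9F, 0xE9, 0x6D, 0x84}; /* bytes at 00EEA1A0 */
    static const uint8_t want_ods[] = {0xE9, 0x84, 0xF4, 0x68, 0x84}; /* bytes at 00EEA1A6 */
    static const uint8_t back1[]    = {0xE9, 0x3E, 0x16, 0x92, 0x7B}; /* JMP at 00EEA0F3 */
    static const uint8_t back2[]    = {0xE9, 0x45, 0x0B, 0x97, 0x7B}; /* JMP at 00EEA137 */
    return memcmp(gmh, want_gmh, STUB_LEN) == 0 && memcmp(ods, want_ods, STUB_LEN) == 0 &&
           decode_jmp(back1, 0x00EEA0F3) == 0x7C80B736 &&
           decode_jmp(back2, 0x00EEA137) == 0x7C85AC81;
}

/* Install against modelled memory; 1 if the export now jumps to the trampoline,
 * the trampoline holds the saved prologue and the resume stub lands on func+5. */
static int demo_install(void) {
    /* Constructed stand-in for a kernel32 export: the hot-patchable prologue
     * mov edi,edi / push ebp / mov ebp,esp, then filler. Not a real dump. */
    uint8_t export_bytes[32] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0xC3};
    uint8_t cave[64] = {0};
    region_t km = {0x7C80B731, export_bytes, sizeof export_bytes};
    region_t cm = {0x00EEA0D5, cave, sizeof cave};
    const uint32_t func = 0x7C80B731, tramp = 0x00EEA0D5, resume = 0x00EEA0F3;
    if (install_hook(&km, func, &cm, tramp, resume) != 0) return 0;
    static const uint8_t saved[] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC};
    return decode_jmp(export_bytes, func) == tramp &&
           memcmp(cave, saved, STUB_LEN) == 0 &&
           decode_jmp(at(&cm, resume), resume) == func + STUB_LEN;
}

int main(void) {
    printf("listing stubs reproduced: %d\n", check_listing_stubs());
    printf("simulated install ok:     %d\n", demo_install());
    return 0;
}
```

The arithmetic reproduces E9 9F E9 6D 84 and E9 84 F4 68 84 at 00EEA1A0 and 00EEA1A6 and confirms that the two back-jumps land on export+5. The design point worth keeping in mind is the caveat in `install_hook`: because the saved prologue is executed from the cave, it must not contain relative branches or RIP-relative data references; the standard hot-patchable prologue (mov edi,edi / push ebp / mov ebp,esp) is safe to relocate, and it is also what makes hook 1's `CMP DWORD PTR SS:[EBP+8],0` read the hModule argument, since EBP has been set up by the time the hook body runs.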
562 downloads
0 comments
Updated
-
ActiveMARK 6.xx (Inline Patching)
By Teddy Rogers
ActiveMARK 6.xx (Inline Patching) Part 1
ActiveMARK 6.xx (Inline Patching) Part 2
ActiveMARK 6.2 (Inline Patching)
151 downloads
0 comments
Updated
-
Armadillo 3.xx - 4.xx (Debug-Blocker + Nanomites & Inline Patching)
By Teddy Rogers
Very nice tutorial explaining a certain method to inline patch Armadillo.
384 downloads
0 comments
Submitted
-
Armadillo 4.xx (Inline Patching CopyMem-II)
By Teddy Rogers
Hallo you readerz of the Storm! Yes, I'm back with a nice little tutorial about patching the loader of Armadillo and creating a clear code section, defeating the CopyMem-II protection.
378 downloads
0 comments
Submitted
-
Armadillo 4.xx (Inline Patching)
By Teddy Rogers
Inline patching Armadillo 4.xx using SoftICE.
148 downloads
0 comments
Submitted
-
ASPack 2.12 (Inline Patching)
By Teddy Rogers
You need some basic asm knowledge and some idea of the PE format (e.g. what the whole shamazzle about EPs and OEPs is, which I will vaguely discuss).
209 downloads
0 comments
Submitted
-
ASProtect 1.xx - 2.xx (Inline Patching)
By Teddy Rogers
In this tutorial I'll show you how to inline patch ASProtect 1.2 -> 2.x without dealing with any crypto stuff. The example program (PatchMe.exe), which will be our target, has a startup NAG we need to patch away. The target is protected with ASProtect 2.1.
308 downloads
0 comments
Submitted
-
ASProtect 2.11 SKE (Inline Patching)
By Teddy Rogers
First we debug our target and note down all redirection details like addresses, return addresses, original bytes, etc. Then we prepare our target file for our patch cave by adding bytes to an already existing section. Finally we write our patch code into our patch cave and then we redirect to our patch cave.
149 downloads
0 comments
Submitted
-
ASProtect 2.1x SKE (Inline Patching)
By Teddy Rogers
This tutorial is in Russian.
144 downloads
0 comments
Submitted
-
ASProtect 2.3 SKE (Inline Patching)
By Teddy Rogers
Nice tutorial covering inline patching recent ASProtect versions.
192 downloads
0 comments
Submitted
-
ASProtect 2.xx SKE (Inline Patching Synopsis)
By Teddy Rogers
A complete and long walkthrough of ASProtect SKE patching up to version 2.3 (advanced).
162 downloads
0 comments
Updated
-
ASProtect 2.xx SKE (Inline Patching & Defeating Memory CRC)
By Teddy Rogers
Inline Patching ASProtect 2.x SKE and defeating the memory CRC.
210 downloads
0 comments
Submitted
-
Enigma Protector 1.5x - 4.2x (Inline Patching)
By Teddy Rogers
Today I release a new tutorial and script I made for Enigma which can patch your new valid HWID XY. As you will see, the included script works for all Enigma versions.
You can choose whether the script creates an inline file or a loader file for you and your target XY.
Inline file: the script creates a new _DP file with the inline added into a new section.
Loader file: the script creates a new loader file which starts and patches your original file.
899 downloads
0 comments
Submitted
-
Enigma Protector 2.x - 3.x (HWID + Inline Patching)
By Teddy Rogers
Video tutorials on bypassing the HWID and inline patching of Enigma Protector protected files from version 2.x to 3.x.
397 downloads
0 comments
Submitted
-
ExeCryptor 2.3x (Inline Patching)
By Teddy Rogers
Because I've written these notes to show how to inline patch ExeCryptor, I won't cover the target cracking stage. The paper's aim is to show how we can defeat some of ExeCryptor's protection systems; all the material will be covered in great detail and from a general approach, to give some general detail and make the info usable for other targets too.
157 downloads
0 comments
Submitted
-
ExeCryptor 2.4.x (Disabling CRC Checks)
By Teddy Rogers
In this short tutorial I'll show you how to easily disable both file and memory CRC checks in programs packed with EXECryptor 2.4.x.
204 downloads
0 comments
Submitted
-
ExeStealth 2.75a (Unpacking & Inline Patching)
By Teddy Rogers
A Shockwave Flash tutorial showing and explaining a method of inline patching ExeStealth 3.75a. This tutorial is also broken down into three stages: unpacking, reversing, then the inline patching.
121 downloads
0 comments
Submitted
-
Inline Patching Protected Applications By Hooking API Functions
By Teddy Rogers
Nice tutorial covering a method of inline patching protected applications through hooking API functions.
365 downloads
0 comments
Submitted
-
Inlining via TLS Callbacks
By Teddy Rogers
Due to my immortal drive and addiction to EXECryptor, I've started learning a bit about TLS Callbacks and how we could make good use of them to achieve simple inlines, without having to worry about CRCs and custom protector checks.
152 downloads
0 comments
Submitted
-
MoleBox 2.2.3 (Inline Patching)
By Teddy Rogers
This is my first tutorial about cracking famous protections. In this tut, you will learn how to inline patch MoleBox 2.3.x Pro.
281 downloads
0 comments
Submitted
-
NsPack 2.4 (Unpacking & Inline Patching)
By Teddy Rogers
This is a fairly new packer, at least I never heard about it until a few months back when version 2.3 was released. It supports both 32/64 bit Windows OS and can compress the usual formats; .exe, .dll, .ocx, .scr as well as support for C# .NET compiled files. Its compression ratio is superior to ASPack, UPX and PeCompact (at least on all the files I tried it on), so it is definitely worth a look if you haven't done so already. Compressed files are supposed to work under Win98 but the files I packed and tested did not work; however, you may have a different experience. It hasn't been designed as a protector so you won't have any difficulty unpacking this.
145 downloads
0 comments
Updated
-
Morphine 2.xx (Unpacking & Inline Patching)
By Teddy Rogers
Morphine is primarily a wrapper/encryptor originally designed to encrypt already compressed executables with the likes of UPX to prevent the original file being detected. It uses a polymorphic engine so all newly encrypted executables will never be the same. It also uses a PE loader which puts the entire source image into the .text section of the new PE file, which helps to prevent the image being dumped from memory with tools like LordPE and OllyDump. This, believe it or not, is the weakness which we will be exploiting in this tutorial.
There are already a few tutorials on the internet for unpacking Morphine but I want to talk about methods that have not been approached before. Mainly I want to talk about inline patching but I will also describe an extremely easy way of unpacking it completely and in its original unpacked content in less than a couple of minutes without having to use a PE tool to manually correct section information. Yep! It is actually really very simple. I was also going to talk a little in depth about the way it works but as it is no longer being developed I don't think there is much need to analyse this encryptor further.
I will be working with and referring to UnPackMe_Morphine2.7b.exe from Tuts 4 You website throughout this tutorial.
153 downloads
0 comments
Submitted
-
Softwrap XtreamLok 6.1.1 (Inline Patching)
By Teddy Rogers
Let's find out what and where to patch to get rid of that annoying NAG dialogue and the time/usage limit.
120 downloads
0 comments
Updated
-
PeBundle 3.20 (Unpacking & Inline Patching)
By Teddy Rogers
I haven't seen many tutorials on how to unpack PE Bundle and I have seen even less on how to create an inline patch for it so I hope this may un-fog any problems anyone has with it. PE Bundle may look difficult to begin with but it is very much the same as PE Compact and as you will shortly see it really is a piece of cake.
What is PE Bundle and why is it different yet similar to PE Compact? The main difference between PE Bundle and PE Compact and other PE packer/protectors is that it allows any .dll files that need to be distributed with the main executable to be included and compressed into one complete file for distribution. There are numerous logical advantages to this both for the author of the software and the end user. There are two methods that can be used to extract the .dll files by PE Bundle (set during the packing process); the first is to extract the files to disk from where they can then be run, the second is to bind them with the executable and extract/run them directly in memory. Neither method will affect us in extracting or unpacking the PE Bundle files manually.
There seems to be a little misinformation regarding the unpacking of PE Bundle when it comes to extracting and running .dll files in memory. PE Bundle does a very nice job of packing and including all the .dll files with the executable in memory by binding them to the main executable through a loader. This is good for you (the unpacker) because it means less work as we will not need to extract every single .dll file back to disk; we will unpack all the files complete with the loader into one complete repackaged executable.
Okay, let us get to work, if you have unpacked PE Compact before then nothing here will surprise you!
307 downloads
0 comments
Submitted
-
Themida + WinLicense 2.0.6.5 (Inline Patching)
By Teddy Rogers
Again I have written a new script called "TM - WL HWID & BASIC Inline Patcher 1.0".
So maybe you sometimes have trouble unpacking a TM / WL app, and for this case I have written this new script. It writes the inline automatically (+ address adjustment) and the HWID inline too if needed. For a HWID app you just have to find the jump address to attack; for this you can use my older unpacker script to get the data which you have to fill into the inline. I don't want to explain everything here in this post, so watch the 3 movies and do it too. If something doesn't work or you have trouble with something, you can ask me in this topic.
Features:
***************************************************
- The script writes a BASIC inline patch + 1 API hook in the new section or at a free address
- Script checks for CISC or RISC
- Script checks for the CRC address & DWORD and fills in the new one
- Script checks for HWID & TRIAL / old & new up to v2.0.6.5
- Script also writes the HWID & TRIAL inline / old or new / CISC or RISC into the .MaThiO section
- End results box after the script finishes.
***************************************************
So I have recorded three movies showing how to use it, how to fill in the needed command addresses, and the distance calculations in RISC. The first movie is CISC, the second is RISC and the last is CRC and some examples.
593 downloads
0 comments
Submitted
-