Tuts 4 You



The -OK- Button (Debug/Trace)


TBBW

In addition, what should be the exact values?

CALL to CreateFileA

FileName = "C:\\Users\\THEBIG~1\\AppData\\Local\\Temp\\GLC8EAC.tmp"

Access = 0

ShareMode = 0

pSecurity = NULL

Mode = OPEN_EXISTING

Attributes = 0

hTemplateFile = NULL

and;

CALL to WriteFile

hFile = NULL <<----- from ecx or eax ???

Buffer = 720000

nBytesToWrite = 4

pBytesWritten = NULL

pOverlapped = NULL

Ger

mrexodia

Hi,

Your call to CreateFile is correct... Try also checking if the return value is good (inc eax, test eax,eax, jne is bad..).

WriteFile should be (I think):

push 0                           ; lpOverlapped (no overlapped structure)
push some_00000000_dword_address ; lpNumberOfBytesWritten (must point to a writable dword, not NULL)
push 4                           ; nNumberOfBytesToWrite (bytes to write)
push 720000                      ; lpBuffer (some buffer)
push hFile                       ; hFile, the handle CreateFileA returned (was missing from the sketch)
call WriteFile

TBBW

Hi All,

After some hard work I managed to get things working!!

As this is an old installer it uses calls like _lopen, _lclose

So I used these calls also

so the sequence is;

call kernel32._lopen

call kernel32._llseek

call kernel32._lwrite

call kernel32._lclose

What I do is edit the file (remove a compare string and replace it with a XOR EAX, EAX so the disk CD check is always true!)

Next problem: I can only run the edited setup in Olly.

The original setup uses segment 00401000 to 00403125 (2126).

My setup program uses segment 00401000 to 0040318B (218C).

So I have to change some value(s) to make it run on its own.

So I need some kind of a PE editor.

regards,

Ger

deepzero

You're probably using virtual space.

Either find empty raw space to place your stuff or extend the last section (physically and virtually) and place it there.

TBBW

@deepzero

what should I change?

00400000 1000 PE header

00401000 3000 .text code

00404000 1000 .rdata imports, exports

00405000 1000 .data data

00406000 1000 .rsrc resources

PE header in attachment

regards,

ger

PE header.txt

chickenbutt

Run till prompt, pause, animate over to find the loop. Trace back to the return referencing the stack. You can also get the callback address from the call for window creation, which most likely creates a thread you'll have to trace statically unless there is a way to switch threads..

For the CD patch, this game isn't that old; hope it doesn't have an ISO protector that does crypto with volume and press data.

deepzero

It might be even cleaner to just attach a new section.

Grab a PE editor like LordPE or (better) CFF Explorer and just add one. That'll buy you all the space you want.

TBBW

Using CFF Explorer I managed to get the fixed setup working.

Filled the original setup with a block of NOPs, saved the file. Opened the file in Olly, put in the real code, saved the file.

Opened the last save in CFF, did rebuild with checksum and voila!!

Still the Insert CD windows are shown, but pressing the -OK- button will continue the setup.

Next step is to remove these windows.

Also the load of the DX 9.0b DLL results in an error (it cannot find the file; yep, it is there), have to fix that as well.

But if you ignore the DX setup everything works well!!

Next step: remove the CD windows.

regards,

ger

mrexodia

You could do the lame way to remove the windows :)

Just code a DLL that does:


#include <windows.h>

HWND hwnd = NULL;   /* start as NULL so the first loop test is defined */
while (!hwnd)
{
    Sleep(100);     /* poll every 100 ms until the dialog exists */
    hwnd = FindWindowA(NULL, "Insert CD2");   /* match by window title (ANSI, like SendMessageA) */
}
SendMessageA(hwnd, WM_CLOSE, 0, 0);   /* tell the dialog to close */

I attached a CodeBlocks project for use with Visual Studio 2008/2005... I also included a compiled version; you can modify it for your needs if you like..

Oh, btw:


<some_empty_addr>
push @dll
call dword ptr ds:[XXXXXXXX] ; LoadLibraryA
jmp XXXXXXX ; original code
@dll
"TBBW.dll\0"

Multimate assembler code..

TBBW.rar

TBBW

Thank you all for the input, will have a go!!

Keep you informed !!

regards,

ger

TBBW

Aaaaargggh,

My cries of joy were too soon.......

If I edit the original setup.exe, I can only use it a couple of times...

What do I have to set/check?

Do not know if it does some time/date check, or a times-used check or something like that.....

regards,

Ger

deepzero

"I can only use it a couple of times..."

Why? (nag, msg, crash, ...)

TBBW

I get the following message;

Dialog title: Setup.exe

Dialog message/text: Setup.exe has stopped working

Windows is checking for a solution to the problem

Dialog button available: -Cancel-

regards,

Ger

deepzero

In that case Windows creates a crash report, doesn't it?

Check it out... :)

Also try installing Olly as a post-mortem debugger.

Best thing would of course be if you were able to reproduce this in a debugger....

TBBW

Hi all,

After some digging with Olly and IDA:

IDA gave me bad reference calls (to access-denied memory).

Back to Olly, I found that

CALL KERNEL32._lwrite

and

CALL DWORD PTR DS:[<&KERNEL32._lwrite>]

are not the same......... (the hex sequence is different.)

Changed all the kernel32 calls to the dword kernel32 call, and things are working!!

But I cannot input a call like "CALL DWORD PTR DS:[<&KERNEL32._lwrite>]" in Olly....

I have to do this by editing the memory locations with FF15 7C404000.

Strange...

regards,

ger

deepzero

The addresses of APIs are different across DLLs, and if you have ASLR (Vista+) even for each process.

Which means you can never use "call kernel:lwrite".

This problem is handled by the Windows loader, keyword: import table.

http://win32assembly.online.fr/pe-tut6.html

For Olly to assemble the command, you will have to enter the address of <&KERNEL32._lwrite>.

Just select the dword-call command in olly and hit space to see it in a form that can be reassembled.
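An added example (not from the thread or any poster) of the difference deepzero describes: it decodes the two CALL encodings, E8 rel32 (what Olly prints as CALL KERNEL32._lwrite) and FF 15 disp32 (CALL DWORD PTR DS:[slot]), and checks the target against the section table TBBW listed, so the bytes TBBW typed in (FF15 7C404000) resolve to an import-table slot in .rdata, while a direct call into a DLL is flagged as one that breaks when the DLL is loaded at another base. The instruction address and the kernel32 target are constructed placeholders, not values from the page.

```python
import struct

# Section table as TBBW listed it: name -> (virtual address, virtual size)
SECTIONS = {".text": (0x00401000, 0x3000), ".rdata": (0x00404000, 0x1000),
            ".data": (0x00405000, 0x1000), ".rsrc": (0x00406000, 0x1000)}


def section_of(addr):
    """Name of the section containing addr, or None if it lies outside the image."""
    for name, (va, size) in SECTIONS.items():
        if va <= addr < va + size:
            return name
    return None


def decode_call(code, eip):
    """Decode one x86 CALL located at virtual address eip.

    E8 rel32     -> ("direct", absolute branch target)
    FF 15 disp32 -> ("iat", absolute address of the dword slot that is called through)
    """
    if code[0] == 0xE8:
        rel = struct.unpack_from("<i", code, 1)[0]          # signed, relative to next insn
        return "direct", (eip + 5 + rel) & 0xFFFFFFFF
    if code[0] == 0xFF and code[1] == 0x15:
        return "iat", struct.unpack_from("<I", code, 2)[0]  # absolute slot address
    raise ValueError("not an E8 or FF15 CALL")


def classify(code, eip):
    """Say whether the call survives the DLL being loaded elsewhere (ASLR/rebasing)."""
    kind, target = decode_call(code, eip)
    sec = section_of(target)
    if kind == "iat" and sec == ".rdata":
        return "ok: indirect call through import table slot %#010x (.rdata), loader fills it" % target
    if kind == "direct" and sec is None:
        return "bad: direct call to %#010x outside the image, DLL base differs per machine/ASLR" % target
    if kind == "direct":
        return "ok: direct call to %#010x inside %s" % (target, sec)
    return "suspicious: indirect call via %#010x, slot is not in the import section" % target


EIP = 0x00401234  # constructed: address of the patched instruction inside .text
# The bytes TBBW had to type in: FF15 7C404000 = CALL DWORD PTR DS:[0040407C]
IAT_CALL = bytes.fromhex("FF157C404000")
# Constructed: E8 aimed at 0x7C80A000, a made-up kernel32 address (not the real _lwrite)
DIRECT_FOREIGN = b"\xE8" + struct.pack("<i", 0x7C80A000 - (EIP + 5))
# Constructed: an ordinary local call to 0x00402000 inside .text
DIRECT_LOCAL = b"\xE8" + struct.pack("<i", 0x00402000 - (EIP + 5))

if __name__ == "__main__":
    for name, code in (("IAT_CALL", IAT_CALL), ("DIRECT_FOREIGN", DIRECT_FOREIGN), ("DIRECT_LOCAL", DIRECT_LOCAL)):
        print(name, code.hex(), "->", classify(code, EIP))
```

The same check, run over every E8 in a section, is a quick way to spot patched binaries whose calls bypass the import table.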
