TBBW (Author) Posted May 23, 2012

In addition, what should be the exact values?

CALL to CreateFileA
FileName = "C:\\Users\\THEBIG~1\\AppData\\Local\\Temp\\GLC8EAC.tmp"
Access = 0
ShareMode = 0
pSecurity = NULL
Mode = OPEN_EXISTING
Attributes = 0
hTemplateFile = NULL

and

CALL to WriteFile
hFile = NULL <<----- from ecx or eax ???
Buffer = 720000
nBytesToWrite = 4
pBytesWritten = NULL
pOverlapped = NULL

Ger
mrexodia Posted May 24, 2012

Hi,

your call to create file is correct... try also checking if the return value is good (inc eax; test eax,eax; jne is bad..).

Write file should be (I think):

push 0                            ; lpOverlapped (no overlapped structure)
push some_00000000_dword_address  ; lpNumberOfBytesWritten
push 4                            ; nNumberOfBytesToWrite (bytes to write)
push 720000                       ; lpBuffer (some buffer)
push hFile                        ; handle returned by CreateFileA
call WriteFile
TBBW (Author) Posted June 3, 2012

Hi All,

After some hard work I managed to get the things working!!

As this is an old installer it uses calls like _lopen, _lclose, so I used these calls also. The sequence is:

call kernel32._lopen
call kernel32._llseek
call kernel32._lwrite
call kernel32._lclose

What I do is edit the file (remove a compare string and replace it with a XOR EAX, EAX so the disk CD check is always true!).

Next problem: I can only run the edited setup in Olly.
The original setup uses segment 00401000 to 00403125 (2126).
My setup program uses segment 00401000 to 0040318B (218C).
So I have to change some value(s) to make it run on its own.
So I need some kind of a PE editor.

regards,
Ger
deepzero Posted June 3, 2012

You're probably using virtual space.
Either find empty raw space to place your stuff or extend the last section (physically and virtually) and place it there.
TBBW (Author) Posted June 4, 2012 (edited)

@deepzero
What should I change?

00400000 1000 PE header
00401000 3000 .text  code
00404000 1000 .rdata imports, exports
00405000 1000 .data  data
00406000 1000 .rsrc  resources

PE header in attachment

regards,
ger

PE header.txt

Edited June 4, 2012 by TBBW
chickenbutt Posted June 5, 2012

Run till prompt, pause, animate over to find the loop. Trace back to the return referencing the stack. You can also get the callback address from the call for window creation, which most likely creates a thread you'll have to trace statically unless there is a way to switch threads..

For the CD patch: this game isn't that old, hope it doesn't have an ISO protector that does crypto with volume and press data.
deepzero Posted June 5, 2012

It might be even cleaner to just attach a new section.
Grab a PE editor like LordPE or (better) CFF Explorer and just add one. That'll buy you all the space you want.
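As an added illustration of the "virtual space" point above (this is not code from the thread), here is a small Python model of the section table TBBW posted: it maps a virtual address to the file offset that backs it, reports when a range exists only in memory (past SizeOfRawData, so a "save to file" cannot contain it), and shows where a PE editor would place an appended section. The section VAs and virtual sizes come from the post; the raw sizes, file pointers and alignments are assumed.

```python
from collections import namedtuple

# Section table as listed in the thread (VA and virtual size). The on-disk size and
# file pointer of each section are NOT in the thread; the values below are assumed
# for this demo (0x200 file alignment, headers occupying the first 0x400 bytes).
Section = namedtuple("Section", "name va vsize raw_size raw_ptr")
SECTIONS = [
    Section(".text",  0x1000, 0x3000, 0x2200, 0x0400),  # raw_size/raw_ptr assumed
    Section(".rdata", 0x4000, 0x1000, 0x0200, 0x2600),  # assumed
    Section(".data",  0x5000, 0x1000, 0x0200, 0x2800),  # assumed
    Section(".rsrc",  0x6000, 0x1000, 0x0200, 0x2A00),  # assumed
]
IMAGE_BASE = 0x00400000

def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment

def classify_rva(sections, rva):
    """('raw', file_offset) if the byte exists in the file, ('virtual', None) if the
    loader only zero-fills it in memory, ('unmapped', None) if no section covers it."""
    for s in sections:
        if s.va <= rva < s.va + max(s.vsize, s.raw_size):
            offset = rva - s.va
            if offset < s.raw_size:
                return "raw", s.raw_ptr + offset
            return "virtual", None   # edits here in a debugger never reach the .exe
    return "unmapped", None

def va_to_file_offset(sections, va):
    kind, offset = classify_rva(sections, va - IMAGE_BASE)
    return offset if kind == "raw" else None

def patch_lands_on_disk(sections, va_start, va_end):
    """True only when every byte of [va_start, va_end) has a backing file offset."""
    first, last = va_start - IMAGE_BASE, va_end - 1 - IMAGE_BASE
    for s in sections:
        if s.va <= first < s.va + s.raw_size:
            return last < s.va + s.raw_size     # range must stay inside raw data
    return False

def append_section(sections, name, vsize, file_align=0x200, section_align=0x1000):
    """What a PE editor does on 'add section': place it after the last section's
    virtual end and after the last raw data, each rounded up to its alignment.
    (SizeOfImage and NumberOfSections in the headers must be bumped as well.)"""
    last = sections[-1]
    va = align_up(last.va + max(last.vsize, last.raw_size), section_align)
    raw_ptr = align_up(last.raw_ptr + last.raw_size, file_align)
    return Section(name, va, vsize, align_up(vsize, file_align), raw_ptr)
```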
TBBW (Author) Posted June 8, 2012

Using CFF Explorer I managed to get the fixed setup working.
Filled the original setup with a block of NOPs, saved the file. Opened the file in Olly, put in the real code, saved the file.
Opened the last save in CFF, did rebuild with checksum and voila!!

Still the Insert CD windows are shown, but pressing the -OK- button will continue the setup.
Next step is to remove these windows.
Also the load of the DX 9.0b dll results in an error (it cannot find the file, yep it is there), have to fix that as well.
But if you ignore the DX setup everything works well!!

Next step: remove the CD windows.

regards,
ger
mrexodia Posted June 8, 2012 (edited)

You could do the lame way to remove the windows. Just code a DLL that does:

#include <windows.h>

HWND hwnd = NULL;               // must start as NULL, otherwise the loop may never run
while (!hwnd) {
    Sleep(100);
    hwnd = FindWindow(0, "Insert CD2");
}
SendMessageA(hwnd, WM_CLOSE, 0, 0);

I attached a CodeBlocks project for use with Visual Studio 2008/2005... I also included a compiled version, you can modify it for your needs if you like..

Oh, btw:

<some_empty_addr>
push @dll
call dword ptr ds:[XXXXXXXX] ; LoadLibraryA
jmp XXXXXXX ; original code
@dll "TBBW.dll\0"

Multimate assembler code..

TBBW.rar

Edited June 8, 2012 by Mr. eXoDia
TBBW (Author) Posted June 13, 2012

Thank you all for the input, will have a go!!
Keep you informed!!

regards,
ger
TBBW (Author) Posted July 9, 2012

Aaaaargggh,

My cries of joy were too soon.......
If I edit the original setup.exe, I can only use it a couple of times...
What do I have to set/check?
Do not know if it does some time/date check, or a times-used or something like that check.....

regards,
Ger
deepzero Posted July 9, 2012

"I can only use it a couple of times..."

Why? (nag, msg, crash, ...)
TBBW (Author) Posted July 10, 2012

I get the following message:

Dialog title: Setup.exe
Dialog message/text: Setup.exe has stopped working. Windows is checking for a solution to the problem
Dialog button available: -Cancel-

regards,
Ger
deepzero Posted July 10, 2012

In that case Windows creates a crash report, doesn't it? Check it out... Also try installing Olly as a post-mortem debugger. Best thing would of course be if you were able to reproduce this in a debugger....
TBBW (Author) Posted July 19, 2012

Hi all,

after some digging with Olly and IDA.
IDA gave me bad reference calls (to access denied memory).
Back to Olly I found that

CALL KERNEL32._lwrite

and

CALL DWORD PTR DS:[<&KERNEL32._lwrite>]

are not the same......... (Hex sequence is different.)
Changed all the kernel32 calls to the dword kernel32 call, and things are working!!
But I can not input a call like "CALL DWORD PTR DS:[<&KERNEL32._lwrite>]" in Olly....
I have to do this by editing the memory locations with FF15 7C404000.
Strange...

regards,
ger
deepzero Posted July 19, 2012

The addresses of APIs are different across dlls, if you have ASLR (vista+) even for each process.
Which means you can never use "call kernel:lwrite".
This problem is handled by the winloader, keyword: import table.
http://win32assembly.online.fr/pe-tut6.html

For Olly to assemble the command, you will have to enter the address of <&KERNEL32._lwrite>.
Just select the dword-call command in Olly and hit space to see it in a form that can be reassembled.
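To make the import-table point concrete, here is an added Python model (not code from the thread or from Olly) of the two call encodings TBBW compared. It decodes the quoted bytes FF15 7C404000 as an indirect call through the IAT slot at 0040407C (inside the .rdata section listed earlier), encodes the E8 form for comparison, and mimics the loader filling the IAT for two different kernel32 load bases: the indirect call keeps working, the direct one does not. The export RVA, the two load bases and the instruction address are constructed values, not real kernel32 numbers.

```python
import struct

# From the post above: FF15 7C404000 decodes to call dword ptr [0040407C], and
# 0x404000-0x405000 is .rdata, where the import table (and so the IAT) lives.
LWRITE_IAT_SLOT = 0x0040407C

def decode_call(code: bytes, ip: int):
    """Decode one x86-32 call at address ip -> (kind, operand, length).
    E8 rel32 = direct, IP-relative; FF 15 disp32 = call dword ptr [disp32] (indirect)."""
    if code[0] == 0xE8:
        rel = struct.unpack_from("<i", code, 1)[0]          # signed displacement
        return "direct", (ip + 5 + rel) & 0xFFFFFFFF, 5
    if code[0] == 0xFF and code[1] == 0x15:
        slot = struct.unpack_from("<I", code, 2)[0]         # absolute IAT slot address
        return "indirect", slot, 6
    raise ValueError("not an E8 or FF15 call")

def encode_direct_call(ip: int, target: int) -> bytes:
    """E8 rel32 hard-wires the target as a distance from ip+5, valid for one layout only."""
    return b"\xE8" + struct.pack("<i", target - (ip + 5))

def loader_fill_iat(import_slots, dll_base, export_rvas):
    """Mimic the Windows loader: each IAT slot receives dll_base + export RVA at process
    start, so it is correct for whatever base the DLL happened to get."""
    return {slot: dll_base + export_rvas[name] for slot, name in import_slots.items()}

def effective_target(kind, operand, iat):
    """Where execution ends up: indirect calls read the slot, direct calls do not."""
    return iat[operand] if kind == "indirect" else operand

# Constructed demo values: slot->import name, one export RVA, two kernel32 load bases
# (think different Windows versions, or ASLR on Vista and later).
IMPORT_SLOTS = {LWRITE_IAT_SLOT: "_lwrite"}
EXPORT_RVAS = {"_lwrite": 0x0001F2A0}          # assumed, not a real kernel32 value

def compare_under_rebase(ip=0x00401234, base_a=0x7C800000, base_b=0x77E40000):
    """(indirect_ok, direct_ok): does each call still reach _lwrite when kernel32
    is loaded at base_b instead of the base_a the patch was written against?"""
    iat_a = loader_fill_iat(IMPORT_SLOTS, base_a, EXPORT_RVAS)
    iat_b = loader_fill_iat(IMPORT_SLOTS, base_b, EXPORT_RVAS)
    indirect = decode_call(bytes.fromhex("FF157C404000"), ip)
    direct = decode_call(encode_direct_call(ip, iat_a[LWRITE_IAT_SLOT]), ip)
    want = iat_b[LWRITE_IAT_SLOT]
    return (effective_target(*indirect[:2], iat_b) == want,
            effective_target(*direct[:2], iat_b) == want)
```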