r0ger Posted March 25, 2021

hi guys, i was patching an app called Macrorit Disk Partition Expert. Then i wanted to test the patcher by using the patch engine coded by Jowy, inserted patch offsets and the patterns, got the CRC32 number from dup2, and when i tried to patch, my patcher got the same crc32 error even though it was the correct one:

.data
MSGTitle     db "PERYFERiAH`z generic patch",0
PatchAborted db "aborted.",0
CRCFailed    db "sorry, wrong version or already cracked.",13
             db "patch aborted .",0
SizeFailed   db "wrong file size.",13
             db "make sure the app has the correct version",13,13
             db "patch aborted .",0
CannotAccess db "seems that ur program is running, you must close it.",0
PatchSuccess db "bazinga ! patch succeded , now ur good to go ! ;)",13
             db "btw if you like the program,go buy it.",13,13
             db "cheerz from PRF tEAM !",0
FileName     db "dm.exe",0     ; target app
FileCRC      dd 8F1A6801h      ; <-- checked with dup2 .. :E
FileSize     dd 00BBB5A0h      ; <-- -----///////-----------

; replacing the patterns as cracked using x64dbg :
RAWOffset1   dd 005F85BAh
Byterepl1    db 0B0h, 001h     ; <--- 005F85BA : 8B --> B0
                               ; <--- 005F85BB : C0 --> 01
; 005F85BA : 8B C3 (MOV EAX,EBX) ==>> C0 01 (MOV AL,1) this will jump to the esi:L"mde.lkeys" string in order to get registered (perhaps cracked)
RAWOffset2   dd 0079580Ah
Byterepl2    db 000h           ; <-- replaced on (00795809 [ 75 07 ] : JNE dm.79580B) [ 07 --> 00 ] so it can jump to the "Unlimited Edition" string and get the full version of the app.

bwrite       db 512 dup(?)
PatchFlag    dd ?
Filebackup   db ".BAK",0
ofn          OPENFILENAME <>
Filterstring db "dm.exe",0,"dm.exe",0,0
OpenTitle    db "find the correct file as shown on the combobox ..",0
Filebuffer   db 256 dup(?)
FilenameBak  db 256 dup(?)
Buffer       db 256 dup(?)

.data?
hFile        dd ?
hFileSize    dd ?
hMapFile     dd ?
hViewFile    dd ?

.code
PatchEngine proc hWnd:DWORD
    mov ofn.lStructSize,SIZEOF ofn
    mov ofn.lpstrFilter, OFFSET Filterstring
    mov ofn.lpstrFile, OFFSET Filebuffer
    mov ofn.nMaxFile,300
    mov eax,hWnd
    mov ofn.hwndOwner,eax
    mov ofn.Flags, OFN_FILEMUSTEXIST or \
                   OFN_PATHMUSTEXIST or OFN_LONGNAMES or \
                   OFN_EXPLORER or OFN_HIDEREADONLY
    mov ofn.lpstrTitle, OFFSET OpenTitle
    invoke GetOpenFileName, ADDR ofn   ; opens up the browser window when "PATCH" is clicked on.
    test eax,eax
    je _cancel

    ; creates backup file
    invoke lstrcat,addr FilenameBak,addr Filebuffer
    invoke lstrcat,addr FilenameBak,addr Filebackup
    invoke FindFirstFile,addr FilenameBak,addr FilenameBak+100
    .if eax == -1
        push 1
        push offset FilenameBak
        push offset Filebuffer
        call CopyFile
    .endif

    invoke CreateFile,addr Filebuffer,GENERIC_READ or GENERIC_WRITE, FILE_SHARE_WRITE, NULL,OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL
    cmp eax,-1
    je _cant_access                    ; jumps to this subprogram if the app is opened
    mov hFile,eax
    invoke CreateFileMapping,eax,0,PAGE_READWRITE,0,0,0   ; creates file map
    mov hMapFile,eax
    invoke MapViewOfFile,eax,FILE_MAP_WRITE,0,0,0         ; opens up the file map
    mov hViewFile,eax
    invoke GetFileSize,hFile,0         ; gets the size of the file
    mov hFileSize,eax
    cmp eax,FileSize
    jnz _wrong_size                    ; if its size is different than the app then it'll jump to this subprogram.
    cmp eax,FileCRC
    jnz _wrong_crc                     ; if its CRC32 string is different than the app then it'll jump to this subprogram.

    mov esi,RAWOffset1
    invoke SetFilePointer,hFile,esi,NULL,0               ; sets the pointer in the first offset
    invoke WriteFile,hFile,addr Byterepl1,2,addr bwrite,0 ; number of bytes to be replaced with .
    mov esi,RAWOffset2
    invoke SetFilePointer,hFile,esi,NULL,0               ; sets the pointer in the second offset
    invoke WriteFile,hFile,addr Byterepl2,1,addr bwrite,0 ; number of bytes to be replaced with .
    mov PatchFlag,1
    jmp patch_end

_wrong_size:    ; <-- if the file with the same target app name has a different file size, will jump to this subprogram
    mov PatchFlag,2
    jmp patch_end
_wrong_crc:     ; <-- if the file's CRC32 doesn't match the correct one then it will jump to this subprogram
    mov PatchFlag,4
    jmp patch_end
_cant_access:   ; <-- moves to this subprogram if the app is already open .
    invoke GetFileAttributes,addr Filebuffer
    mov PatchFlag,3
    jmp patch_end
_cancel:        ; <-- jumps to this subprogram if the patch is canceled.
    mov PatchFlag,0
patch_end:      ; quits the whole patch process .
    invoke UnmapViewOfFile,hViewFile
    invoke CloseHandle,hFile
    invoke CloseHandle,hMapFile
    ret
PatchEngine endp

then i've tried the one that Xylitol coded and yes, it says "bazinga, successfully patched", but when i opened up the app it still says "Server Edition (Unregistered)" on the splash screen. this one is from the patch template, i wanted to test that one too:

TargetName   db "dm.exe",0
BackupName   db "dm.exe.BAK",0

; replacing the patterns as cracked using x64dbg :
Byterepl1    db 0B0h
RAWOffset1   dd 005F85BAh
Byterepl2    db 001h
RAWOffset2   dd 005F85BBh
; 005F85BA : 8B C3 (MOV EAX,EBX) ==>> C0 01 (MOV AL,1) this will jump to the esi:L"mde.lkeys" string in order to get registered (perhaps cracked)
Byterepl3    db 000h
RAWOffset3   dd 0079580Ah
; replaced on (00795809 [ 75 07 ] : JNE dm.79580B) [ 07 --> 00 ] so it can jump to the "Unlimited Edition" string and get the full version of the app.

TargetCRC32  dd 8D86F13Dh      ; used dup2 to get its crc32 number .
NoFile       db "file not found",13
             db "place the patcher into its installation directory.",13,13
             db "(Program Files/Macrorit/Disk Partition Expert)",0
Checksumfail db "checksum failed. make sure this is the correct version.",0
Notready     db "file not ready yet.",0
Backup       db "backup made.",0
PatchSuccess db "bazinga ! patch succeded , now ur good to go ! ;)",13
             db "btw if you like the program,go buy it.",13,13
             db "cheerz from PRF tEAM !",0

.data?
hTarget      HINSTANCE ?
BytesWritten db ?

.code
    .if wParam==IDB_PATCH
        invoke FindFirstFile,addr TargetName,ADDR ff32
        .if eax == INVALID_HANDLE_VALUE
            invoke MessageBox,hWnd,addr NoFile,addr MSGTitle,MB_ICONERROR
        .else
            call InitCRC32Table
            mov pFileMem,InputFile(ADDR TargetName)
            invoke CRC32,pFileMem,ff32.nFileSizeLow
            mov edx,TargetCRC32
            .if eax != edx
                invoke MessageBox,hWnd,addr Checksumfail,addr MSGTitle,MB_ICONERROR
            .else
                invoke GetFileAttributes,addr TargetName
                .if eax!=FILE_ATTRIBUTE_NORMAL
                    invoke SetFileAttributes,addr TargetName,FILE_ATTRIBUTE_NORMAL
                .endif
                invoke CreateFile,addr TargetName,GENERIC_READ+GENERIC_WRITE,FILE_SHARE_READ+FILE_SHARE_WRITE,\
                       NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL
                .if eax!=INVALID_HANDLE_VALUE
                    mov hTarget,eax
                    invoke SendDlgItemMessage,hWnd,IDC_CHECKBOX,BM_GETCHECK,0,0
                    .if eax==BST_CHECKED
                        invoke CopyFile, addr TargetName, addr BackupName, TRUE
                        invoke MessageBox,hWnd,addr Backup,addr MSGTitle,MB_ICONINFORMATION
                    .endif

                    patch MACRO offsetAdr,_bytes,_byteSize
                        invoke SetFilePointer,hTarget,offsetAdr,NULL,FILE_BEGIN
                        .if eax==0FFFFFFFFh
                            invoke CloseHandle,hTarget
                            invoke MessageBox,hWnd,addr Notready,addr MSGTitle,MB_ICONEXCLAMATION
                            ret
                        .endif
                        invoke WriteFile,hTarget,addr _bytes,_byteSize,addr BytesWritten,FALSE
                    ENDM

                    patch RAWOffset1,Byterepl1,2
                    patch RAWOffset2,Byterepl2,2

                    invoke MessageBox,hWnd,addr PatchSuccess,addr MSGTitle,MB_ICONINFORMATION
                    invoke CloseHandle,hTarget
                .endif
            .endif
        .endif

then i patched Advanced Find and Replace 7.8.1 too, and i get the same errors... any suggestions?
r0ger (author) Posted March 25, 2021

i'm gonna hide the topic if absolutely no one responds and then post on other forums... idk what to say...
tonyweb Posted March 25, 2021 (edited)

@r0ger You posted this one very recently. Please be a bit more patient. Reversing requires [a looooooooooot of] patience.

First question. What do you mean with "my patcher got same crc32 error"? Do you mean the patcher gives you "sorry, wrong version or already cracked."?

You have:

    invoke GetFileSize,hFile,0 ; gets the size of the file
    mov hFileSize,eax
    cmp eax,FileSize
    jnz _wrong_size ; if its size is different than the app then it'll jump to this subprogram.
    cmp eax,FileCRC
    jnz _wrong_crc ; if its CRC32 string is different than the app then it'll jump to this subprogram.

Why should file size match FileCRC? You missed the actual code that computes the CRC...

Second question. "when i opened up the app it still says "Server Edition (Unregistered)"": Try to debug the application and see if your patches are actually applied, or the application might be able to detect your changes. Did you try to apply the patches with a hex editor and see if the app acts the same?

Regards,
Tony

Edited March 25, 2021 by tonyweb
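To make tonyweb's two points concrete, here is an added example (written for this page; it is not code from the thread, from Jowy's or Xylitol's engines, or from dup2). It shows what a file integrity check actually has to do: compare the file size against the expected size and the CRC32 of the file contents against the expected CRC32, as two separate checks, instead of comparing the size register against the stored CRC as the posted patcher does. It also includes a byte-level diff that reports which offsets differ between a reference copy and a candidate, which is how an application, or an analyst, can tell a same-sized binary has been modified. The CRC is computed with `zlib.crc32` (CRC-32/ISO-HDLC, the polynomial most "CRC32" tools report); all sample buffers, offsets and expected values below are constructed for the demo and stand in for a real binary.

```python
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ExpectedFile:
    """Reference values a version check would carry: size and CRC32, kept apart."""
    size: int
    crc32: int


def crc32_of_bytes(data: bytes) -> int:
    """CRC32 of a whole buffer as an unsigned 32-bit value."""
    return zlib.crc32(data) & 0xFFFFFFFF


def crc32_of_file(path: str, chunk_size: int = 1 << 16) -> int:
    """Streamed CRC32 so a large binary is not read into memory in one go."""
    crc = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            crc = zlib.crc32(chunk, crc)
    return crc & 0xFFFFFFFF


def verify(data: bytes, expected: ExpectedFile) -> str:
    """Return 'ok', 'wrong_size' or 'wrong_crc'.

    These are the outcomes the posted PatchFlag distinguishes, but here the
    size is compared with the expected size and the content CRC with the
    expected CRC; the size is never compared with the CRC.
    """
    if len(data) != expected.size:
        return "wrong_size"
    if crc32_of_bytes(data) != expected.crc32:
        return "wrong_crc"
    return "ok"


def modified_offsets(reference: bytes, candidate: bytes) -> list:
    """Offsets at which two same-sized buffers differ.

    A size difference is already a tamper signal, so it is reported as an
    error rather than silently truncating the comparison.
    """
    if len(reference) != len(candidate):
        raise ValueError("size mismatch: %d vs %d" % (len(reference), len(candidate)))
    return [i for i, (a, b) in enumerate(zip(reference, candidate)) if a != b]


# Constructed stand-in for a binary: 64 KiB of a repeating byte pattern.
ORIGINAL = bytes(range(256)) * 256
EXPECTED = ExpectedFile(size=len(ORIGINAL), crc32=crc32_of_bytes(ORIGINAL))

# Constructed modified copy: same size, two bytes changed at arbitrary offsets.
_tmp = bytearray(ORIGINAL)
_tmp[0x1234] ^= 0xFF
_tmp[0x4321] ^= 0x01
TAMPERED = bytes(_tmp)


def demo() -> dict:
    """Run the checks on the constructed buffers and return every result."""
    return {
        "original": verify(ORIGINAL, EXPECTED),        # 'ok'
        "tampered": verify(TAMPERED, EXPECTED),        # 'wrong_crc': same size, different bytes
        "truncated": verify(ORIGINAL[:-1], EXPECTED),  # 'wrong_size'
        "offsets": modified_offsets(ORIGINAL, TAMPERED),  # [0x1234, 0x4321]
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point of the `tampered` case is that the size check passes while the CRC check fails, which is exactly the situation a size-only (or size-versus-CRC) comparison cannot see; `modified_offsets` then localises the change. The same split applies when verifying a real file: `crc32_of_file(path)` and `os.path.getsize(path)` feed the two fields of `ExpectedFile` independently.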
kao Posted March 25, 2021

1 hour ago, tonyweb said: "Reversing requires [a looooooooooot of] patience."

This!

15 hours ago, r0ger said:

    Byterepl1 db 0B0h
    RAWOffset1 dd 005F85BAh
    Byterepl2 db 001h
    RAWOffset2 dd 005F85BBh
    ; 005F85BA : 8B C3 (MOV EAX,EBX) ==>> C0 01 (MOV AL,1) this will jump to the esi:L"mde.lkeys" string in order to get registered (perhaps cracked)
    Byterepl3 db 000h
    RAWOffset3 dd 0079580Ah
    ; replaced on (00795809 [ 75 07 ] : JNE dm.79580B) [ 07 --> 00 ] so it can jump to the "Unlimited Edition" string and get the full version of the app.
    ...
    patch RAWOffset1,Byterepl1,2
    patch RAWOffset2,Byterepl2,2

You have defined 3 patches, all of them 1 byte in size. But you apply only 2 patches, each 2 bytes in size. Makes no sense.
r0ger (author) Posted March 25, 2021 (edited)

19 hours ago, kao said: "You have defined 3 patches, all of them 1 byte in size. But you apply only 2 patches, each 2 bytes in size. Makes no sense."

yeah, now i actually applied 3 patches, every one 1 byte in size, and it still didn't patch the app...

tonyweb said: "What do you mean with "my patcher got same crc32 error"? Do you mean the patcher gives you "sorry, wrong version or already cracked."?"

yes, that one... btw now i will post a crack template with a new effect i've found.

Edited March 26, 2021 by r0ger
r0ger (author) Posted May 28, 2021 (edited)

@kao @tonyweb Okay, thanks for all the info and suggestions you gave, i finally got how to use it a week ago, now i've patched 5 apps. i was actually struggling with the RAW offsets only. x64dbg isn't that good for making a patcher in masm32, only for saving the cracked .exe with a different name, so OllyDbg is better than that one. can someone close this topic btw?

Edited May 28, 2021 by r0ger
tarequl.hassan Posted May 29, 2021

On 5/28/2021 at 7:10 PM, r0ger said: "@kao @tonyweb Okay, thanks for all the info and suggestions you gave, i finally got how to use it a week ago, now i've patched 5 apps. i was actually struggling with the RAW offsets only. x64dbg isn't that good for making a patcher in masm32, only for saving the cracked .exe with a different name, so OllyDbg is better than that one. can someone close this topic btw?"

Hi Roger, would you please share your patch source code? Thanks
r0ger (author) Posted May 29, 2021

22 minutes ago, tarequl.hassan said: "Would you please share your patch source code?"

got the new patcher source code from here: http://xtxteam.free.fr/tutos/archives/Xylitol/avsve12.1.html
Xyl2k Posted May 30, 2021

my patch engine works fine, idk what you're missing. also added an example with comdlg32 if you want to search for the file instead of dropping the patch into the install dir.

Attachment: Xylitol patch engine (basic).zip
r0ger (author) Posted May 30, 2021 (edited)

1 hour ago, Xyl2k said: "my patch engine works fine, idk what you're missing. also added an example with comdlg32 if you want to search for the file instead of dropping the patch into the install dir. Xylitol patch engine (basic).zip"

that was because i had to get the right offset addresses when you click "Copy all modifications to executable". indeed it works fine. however, x64dbg doesn't know how to calculate the offsets like Olly does.

Edited May 30, 2021 by r0ger