  1. #1
    Dwar

    [Delphi] Simple loader and patcher for packed program

    Loader and patcher for packed program

    Here is a simple algorithm for loading and patching a packed program.
    The main idea is to wait until the target program has been unpacked. So the block scheme will look like this:



    Code and example
    I’ll use the Battle of the Immortal client, which is packed by Themida, and I want to make some jmp’s to allow multiclient.

    ”BOI multiclient patch”


    We will create a program without forms.

     //**************************************************  ***********//
    // Loader and patcher for Battle of the Immortal
    // by Dwar
    // 2010-09-02
    // Feel free to use our knowledge and guides, but please keep linkbacks to the original article
    //************************************************** ***********//

    program Loader;
    uses
    Windows,
    Messages;

    //************************************************** ***********//
    // ChangePrivilege of process
    //************************************************** ***********//
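    // Enables or disables one named privilege (e.g. 'SeDebugPrivilege') in the
    // access token of the current process.
    //   szPrivilege - privilege name as understood by LookupPrivilegeValue
    //   fEnable     - True sets SE_PRIVILEGE_ENABLED, False clears it
    // Every API return value is now checked: a failed OpenProcessToken used to
    // leave hToken uninitialized and then hand that value to CloseHandle. The
    // routine exits early on failure and closes the token exactly once it was
    // opened. Note that AdjustTokenPrivileges reports success even when the
    // account does not hold the privilege (GetLastError = ERROR_NOT_ALL_ASSIGNED);
    // the procedure signature is kept, so callers needing certainty must check
    // that themselves.
    procedure ChangePrivilege(szPrivilege: PChar; fEnable: Boolean);
    var
      NewState: TTokenPrivileges;
      luid: TLargeInteger;
      hToken: THandle;
      ReturnLength: DWord;
    begin
      hToken := 0;
      if not OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, hToken) then
        Exit; // nothing was opened, so there is nothing to close
      try
        if not LookupPrivilegeValue(nil, szPrivilege, luid) then
          Exit; // privilege name unknown on this system

        NewState.PrivilegeCount := 1;
        NewState.Privileges[0].Luid := luid;
        if fEnable then
          NewState.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED
        else
          NewState.Privileges[0].Attributes := 0;

        ReturnLength := 0;
        AdjustTokenPrivileges(hToken, False, NewState, SizeOf(NewState), nil, ReturnLength);
      finally
        CloseHandle(hToken);
      end;
    end;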


    //************************************************** ***********//
    // Main Routines
    //************************************************** ***********//
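    const
      // Address of the patched instruction and the two bytes expected there once
      // the packer has restored the original code. Both values belong to one
      // specific build of the client (see the closing note of the article).
      PatchAddress = $0046740E;
      ExpectedData: array[0..1] of byte = ($75, $44);
      // Polling budget: at most MaxPolls reads, PollDelayMs apart (~5 s total).
      MaxPolls = 500;
      PollDelayMs = 10;
    var
      si : Startupinfo;
      pi : Process_Information;
      NewData : array[0..1] of byte = ($EB,$44); // data for replacing
      Bytesread : DWORD;
      unpacked : boolean;
      ttimer : integer;

    // Reads the two bytes at PatchAddress from hProcess and returns True only
    // when the read succeeded, returned the full length and the bytes equal
    // ExpectedData. The original ignored the ReadProcessMemory result, so a
    // failed read compared stale or uninitialized buffer contents.
    function TargetUnpacked(hProcess: THandle): Boolean;
    var
      Actual: array[0..1] of byte;
      Got: DWORD;
    begin
      Result := False;
      Got := 0;
      if not ReadProcessMemory(hProcess, Pointer(PatchAddress), @Actual, SizeOf(Actual), Got) then
        Exit;
      if Got <> SizeOf(Actual) then
        Exit;
      Result := (Actual[0] = ExpectedData[0]) and (Actual[1] = ExpectedData[1]);
    end;

    // Closes both handles returned by CreateProcess.
    procedure CloseProcessHandles(const Info: Process_Information);
    begin
      CloseHandle(Info.hProcess);
      CloseHandle(Info.hThread);
    end;

    Begin
      // One zero-fill per structure is enough; the original cleared si three times.
      ZeroMemory(@si, SizeOf(si));
      ZeroMemory(@pi, SizeOf(pi));
      si.cb := SizeOf(si);

      unpacked := false;
      ttimer := 0;
      // The loader starts the client itself and CreateProcess returns
      // full-access process/thread handles, so SeDebugPrivilege is not required
      // for the read/write below. The call is kept only because the original
      // enabled it; it can be dropped to run with fewer privileges.
      ChangePrivilege('SeDebugPrivilege', True);

      // Creating process. The original failed silently here.
      if not CreateProcess(PChar('Game.exe'), nil, nil, nil, FALSE, 0, nil, nil, si, pi) then
      begin
        MessageBox(0, PChar('Cannot start Game.exe'), PChar('Error'), MB_ICONINFORMATION);
        Exit;
      end;

      // Poll until the expected bytes appear or the polling budget runs out.
      while (not unpacked) and (ttimer < MaxPolls) do
      begin
        if TargetUnpacked(pi.hProcess) then
        begin
          // Freeze the client so the bytes cannot change while we re-check and patch.
          SuspendThread(pi.hThread);
          unpacked := true;
          MessageBox(0, PChar('Unpacked'), PChar('Good'), MB_ICONINFORMATION);
        end
        else
        begin
          Inc(ttimer);
          Sleep(PollDelayMs); // wait a little bit
        end;
      end;

      if not unpacked then
      begin
        MessageBox(0, PChar('Program not unpacked...'), PChar('Error'), MB_ICONINFORMATION);
        TerminateProcess(pi.hProcess, 0);
        CloseProcessHandles(pi);
        Exit;
      end;

      // Re-verify after suspending: the match in the loop could have been
      // observed while the unpacker was still writing this region.
      if not TargetUnpacked(pi.hProcess) then
      begin
        MessageBox(0, PChar('Bytes not found! Wrong version?...'), PChar('Error'), MB_ICONINFORMATION);
        TerminateProcess(pi.hProcess, 0);
        CloseProcessHandles(pi);
        Exit;
      end;

      // Write new bytes to the process memory; a partial or failed write must
      // not let the client continue in an undefined state.
      Bytesread := 0;
      if WriteProcessMemory(pi.hProcess, Pointer(PatchAddress), @NewData, SizeOf(NewData), Bytesread)
         and (Bytesread = SizeOf(NewData)) then
      begin
        // all went OK, resume application
        ResumeThread(pi.hThread);
      end
      else
      begin
        MessageBox(0, PChar('Write failed'), PChar('Error'), MB_ICONINFORMATION);
        TerminateProcess(pi.hProcess, 0);
      end;
      CloseProcessHandles(pi);
    end.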


    A small disadvantage of this code is that any update of the executable file will require re-searching the instruction address and re-compiling the loader. So, the next step will be the creation of an autosearch algorithm, but that is another story.

    © Dwar
    Feel free to use our knowledge and guides, but please
    keep linkbacks to the original article
    Please, post your questions on forum, not by PM or mail

    I spend my time, so please pay a little bit of your time to keep world in equilibrium



  3. #2
    MrSmith

    Re: [Delphi] Simple loader and patcher for packed program

    Great guide. I hope that someday i can use this knowledge
    Ever Danced With The Devil By The Pale Moonlight ?

  4. #3
    bl2000
    Thanks for sharing, how about the article to search the address?

  5. #4
    Dwar
    Quote Originally Posted by bl2000
    Thanks for sharing, how about the article to search the address?
    There are a lot of articles in the tutorial section. If you wanna find the needed address for Battle of the Immortal, try to find the string "CheckClientMaxNum"
    Please, post your questions on forum, not by PM or mail

    I spend my time, so please pay a little bit of your time to keep world in equilibrium

  6. #5
    sh1ft
    May I know which one is better, Delphi or C++?

    Btw, I have never used Delphi before, so I'm curious about it.
    Last edited by sh1ft; 2011-12-25 at 11:57 AM.

  7. #6
    Dwar
    Quote Originally Posted by sh1ft
    May I know which one is better, Delphi or C++?
    Wanna fast coding + fast GUI creation, then you should try Delphi
    Please, post your questions on forum, not by PM or mail

    I spend my time, so please pay a little bit of your time to keep world in equilibrium

  8. #7
    althair
    thanks for sharing, it helps a lot.....

  9. #8
    LamiaD

    Target Completely Unpacked ?

    First, thanks for sharing.
    Second, I see you check for a jump to know it's unpacked.
    What if it's not completely unpacked, or there is a CRC check?
    Third, thanks for your time.

  10. #9
    motoanki
    Thanks Dwar. This code works perfectly for 32-bit exes...
    Now I have tried it on a 64-bit exe and it does not work; I keep getting the "not unpacked" error.
    My exe VA from Cheat Engine is 14011612E and from x64dbg it is 000000014011612E.
    I tried to enter both values in the pointer location but got no result.
    I want to wait 300 ms before the exe gets unpacked and patch 0F 85 to 0F 84.
    Any solution please?
