Patching programs
[Newbie section]
Content:
Explains how to patch programs with HIEW (a hex editor with a built-in assembler)
1. Introduction (why I wrote this)

I wrote this because many newbies don't know how to patch a program properly. The most convenient way is a hex editor with a built-in assembler, so you can type the instruction you want instead of looking up its opcode bytes. The only one I know of is Hiew. Every cracker should have it; if you haven't got it yet, download it first.
Note that this isn't a tutorial on how to write a crack (a patcher program) for distribution. It's a tutorial on how to modify a program with a hex editor.

2. Howto patch with HIEW

First, a bit of basic assembler and machine-code background that you should know. Every assembler instruction assembles to a fixed sequence of bytes (the machine code): an opcode, followed by any operands, such as the displacement of a jump. If you want to change, say, a JE into a JNE by hand, you have to know the opcode byte of JNE. Actually you can let Hiew take care of that, but it's good to know the common ones anyway!
Here are some basic opcode bytes (the jumps are the short forms, which are followed by a one-byte signed displacement):

  • jmps (jmp short) = EB
  • je = 74
  • jne = 75
  • ret = C3
  • nop = 90
Example: you have to change 7407 JE 00424573 into a JMPS (jump short) instruction. You do that by changing the 74 into EB:
EB07 JMP 00424573. The 07 stays as it is: it is the displacement (how far to jump, counted from the end of the instruction), and JE short and JMP short encode it the same way, so the jump still lands at 00424573.

But how do you find the location of a certain instruction in the file? For that you need the file offset of the instruction, which is not the same as the address shown in the disassembly. You can find it in two ways:

1. Go to the instruction in the Win32Dasm dead listing of the program; the status bar shows the offset (@Offset) next to the code address.
2. Work it out from the PE section headers: offset = (code address - image base) - section virtual address + section raw data pointer. For the .text section of a typical Microsoft-linked .exe (image base 00400000, .text at virtual address 1000 and raw offset 400) this comes down to offset = code address - 400C00, but check the section table rather than assuming it.

Personally I prefer the first way. Once you have the offset, write it down, make a backup copy of the .exe, and start Hiew. Open the .exe you want to patch, press F4 (choose mode) and then F3 (decode/assembler mode). Now press F5 (goto offset) and type in the offset you wrote down. You should see the instruction you want to patch; check that the bytes match what the dead listing showed, because if they don't, you have the wrong offset. Let's take the previous example, where we wanted to change a JE into a JMP(S) instruction. Press F3 (modify code) and type "EB", then press F9 to save the changes. Easy, huh?

You could do that with any hex editor, so why use the DOS program Hiew? The reason is obvious: you can't know the encoding of every assembler instruction. So what if you don't? No problem: press F3 (modify code) and then F2 (assemble instruction). Type the assembler instruction and hit Enter, then Escape. Hiew has made the changes; press F9 to save them.

REMARK! If you make changes with Hiew's assemble function, there's a good chance that the instruction Hiew produces is shorter than the original one, which leaves some bytes of the old instruction behind. Do NOT forget to NOP out those bytes (overwrite them with 90). If you don't, the leftovers are executed as the start of a new instruction, and the patched program will most likely not work!!

Example:

before changes: 7405 JE 00425687
after changes: C3 RET, with the 05 left over. It is no longer needed, so change it to 90 (NOP), giving C3 90.
Also make sure that your new instruction isn't longer (in bytes) than the original one, because then it overwrites the start of the following instruction, which will also make the program unusable!!
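The whole procedure above (find the file offset, check the bytes at that offset, overwrite them, NOP out whatever is left) as an added worked example in Python. This is not code from the original tutorial and not part of Hiew; it assumes a 32-bit PE file, builds a constructed stand-in image instead of opening a real program, and the near-jump (0F 84) case in force_jump goes beyond the short-jump forms the tutorial shows:

```python
"""Added example (not code from the original tutorial): the patching procedure
done in Python instead of by hand in HIEW.  Map a VA from a disassembly listing
to a file offset via the PE section table, verify the bytes found there,
overwrite them, and NOP-pad the remainder.  build_sample_pe() constructs a
minimal stand-in PE32 image (not a real program) laid out so the tutorial's
addresses fall inside its .text section."""
import struct


def parse_pe(data):
    """Read the PE32 header fields needed to translate addresses."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]          # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]     # SizeOfOptionalHeader
    if struct.unpack_from("<H", data, pe + 24)[0] != 0x10B:   # Magic: PE32 only
        raise ValueError("only 32-bit PE images are handled here")
    image_base = struct.unpack_from("<I", data, pe + 52)[0]
    sections = []
    for i in range(nsec):
        name, _vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, pe + 24 + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "va": va,
                         "raw_size": raw_size, "raw_ptr": raw_ptr})
    return {"image_base": image_base, "sections": sections}


def va_to_offset(pe, va):
    """offset = (VA - ImageBase) - section.VirtualAddress + section.PointerToRawData.
    Sections are aligned differently in memory and on disk, so 'address minus
    some base' only works by coincidence; the section table is authoritative."""
    rva = va - pe["image_base"]
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + s["raw_size"]:
            return rva - s["va"] + s["raw_ptr"]
    raise ValueError("VA %#x is not backed by file data" % va)


def jump_target(va, code):
    """Where a relative jump at `va` lands: end of instruction + signed displacement."""
    if code[0] in (0x74, 0x75, 0xEB):                        # je/jne/jmp rel8
        return va + 2 + struct.unpack_from("<b", code, 1)[0]
    if code[0] == 0xE9:                                      # jmp rel32
        return va + 5 + struct.unpack_from("<i", code, 1)[0]
    if code[0] == 0x0F and code[1] in (0x84, 0x85):          # je/jne rel32
        return va + 6 + struct.unpack_from("<i", code, 2)[0]
    raise ValueError("unsupported jump encoding")


def force_jump(code):
    """je/jne -> unconditional jump of the same length and target.  Short form:
    swap the opcode, keep the displacement.  Near form (beyond the tutorial):
    0F 84 xx xx xx xx -> 90 E9 xx xx xx xx; the jmp ends where the je ended,
    so the 32-bit displacement is still right."""
    if len(code) == 2 and code[0] in (0x74, 0x75):
        return b"\xEB" + bytes(code[1:])
    if len(code) == 6 and code[0] == 0x0F and code[1] in (0x84, 0x85):
        return b"\x90\xE9" + bytes(code[2:])
    raise ValueError("not a je/jne")


def patch(data, offset, expected, new):
    """Overwrite `expected` at `offset` with `new`, NOP-padding the remainder.
    Refuses if the bytes on disk differ from the listing (wrong offset, or
    already patched) or if `new` would run into the following instruction."""
    found = bytes(data[offset:offset + len(expected)])
    if found != expected:
        raise ValueError("expected %s at %#x, found %s" % (expected.hex(), offset, found.hex()))
    if len(new) > len(expected):
        raise ValueError("replacement is longer than the original instruction")
    data[offset:offset + len(expected)] = new + b"\x90" * (len(expected) - len(new))
    return data


def build_sample_pe():
    """Constructed PE32 image: one .text section mapping RVA 0x24000.. to file
    offset 0x400.., with the two JE instructions from the tutorial in place."""
    img = bytearray(0x2400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                  # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x44, 0x14C, 1)             # i386, 1 section
    struct.pack_into("<H", img, 0x54, 0xE0)                  # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x58, 0x10B)                 # PE32 magic
    struct.pack_into("<I", img, 0x74, 0x400000)              # ImageBase
    struct.pack_into("<8sIIII", img, 0x138,                  # first section header
                     b".text", 0x2000, 0x24000, 0x2000, 0x400)
    img[0x96A:0x96C] = b"\x74\x07"                           # 0042456A: JE 00424573
    img[0x1A80:0x1A82] = b"\x74\x05"                         # 00425680: JE 00425687
    return img


def patch_sample():
    """Apply both tutorial patches; returns (image, offset of each patch)."""
    img = build_sample_pe()
    pe = parse_pe(img)
    off_a = va_to_offset(pe, 0x42456A)                       # JE -> JMP SHORT
    patch(img, off_a, b"\x74\x07", force_jump(b"\x74\x07"))
    off_b = va_to_offset(pe, 0x425680)                       # JE -> RET ; NOP
    patch(img, off_b, b"\x74\x05", b"\xC3")
    return img, off_a, off_b
```

To use it on a real program, read the .exe into a bytearray instead of calling build_sample_pe(), and write the result to a copy, never over the only original. The mismatch check in patch() is the same check you do by eye in Hiew before pressing F3: if the bytes at the offset are not the ones the dead listing showed, the offset is wrong.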

Well that's it, now go and crack/patch some programs! :-)

Cracking 4 Newbies by the Blackbird © 1999-2000