
    [Delphi] Simple loader and patcher for packed program

    Loader and patcher for packed program

    Here is a simple algorithm for loading and patching a packed program.
    The main idea is to wait until the target program has unpacked itself, and only then apply the patch. So the block scheme will look like this:



    Code and example
    I’ll use the Battle of the Immortal client, which is packed by Themida, and I want to patch a few jmp’s into it to allow multiclient.

    ”BOI multiclient patch”


    We will create a program without forms.

     //**************************************************  ***********//
    // Loader and patcher for Battle of the Immortal
    // by Dwar
    // 2010-09-02
    // Feel free using our knowledge and guides, but please, keep linkbacks to the original article
    //************************************************** ***********//

    program Loader;
    uses
    Windows,
    Messages;

    //************************************************** ***********//
    // ChangePrivilege of process
    //************************************************** ***********//
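    // Enables (fEnable = True) or disables (fEnable = False) the named
    // privilege on the current process token, e.g. 'SeDebugPrivilege'.
    //   szPrivilege: privilege name as understood by LookupPrivilegeValue.
    //   fEnable:     True sets SE_PRIVILEGE_ENABLED, False clears the attribute.
    // Best-effort, like the original: there is no result for the caller. A
    // privilege the account does not hold cannot be enabled this way
    // (AdjustTokenPrivileges then reports ERROR_NOT_ALL_ASSIGNED).
    procedure ChangePrivilege(szPrivilege: PChar; fEnable: Boolean);
    var
      NewState: TTokenPrivileges;
      luid: TLargeInteger;
      hToken: THandle;
      ReturnLength: DWord;
    begin
      // If the token cannot be opened hToken is never assigned; the original
      // went on to CloseHandle an uninitialised value.
      if not OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, hToken) then
        Exit;
      try
        // Unknown privilege name: there is nothing sensible to adjust.
        if not LookupPrivilegeValue(nil, szPrivilege, luid) then
          Exit;
        NewState.PrivilegeCount := 1;
        NewState.Privileges[0].Luid := luid;
        if fEnable then
          NewState.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED
        else
          NewState.Privileges[0].Attributes := 0;
        // Return value deliberately not inspected: the procedure has no way
        // to report it and the original was best-effort too.
        AdjustTokenPrivileges(hToken, False, NewState, SizeOf(NewState), nil, ReturnLength);
      finally
        // Runs on both Exit paths above, so the token handle never leaks.
        CloseHandle(hToken);
      end;
    end;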


    //************************************************** ***********//
    // Main Routines
    //************************************************** ***********//
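    // Main program. Flow: enable SeDebugPrivilege, start Game.exe, poll one
    // fixed address until the packer has restored the original instruction
    // bytes there ($75 $44, a short conditional jump), suspend the main thread,
    // overwrite them with $EB $44 (a short unconditional jump), resume.
    // Every exit path after CreateProcess closes both process handles.
    // The address is hard-coded, so any other build of the executable will
    // fail the byte check and be terminated rather than patched.
    var
      si : Startupinfo;
      pi : Process_Information;
      NewData : array[0..1] of byte = ($EB,$44); // replacement bytes written at the patch address
      Olddata : array[0..1] of byte;             // bytes last read from the patch address
      Bytesread : DWORD;
      unpacked : boolean;
      ttimer : integer;                          // poll counter: 500 polls x 10 ms = ~5 s budget

      // Reads the two bytes at the patch address into Olddata. False when the
      // read fails (region not mapped yet, access denied) or comes back short;
      // the original ignored the return value and tested stale data.
      function ReadPatchSite(hProcess: THandle): boolean;
      begin
        Result := ReadProcessMemory(hProcess, Pointer($0046740E), @Olddata, Length(Olddata), Bytesread)
                  and (Bytesread = DWORD(Length(Olddata)));
      end;

      // True once Olddata holds the expected pre-patch instruction bytes.
      function OriginalBytesPresent: boolean;
      begin
        Result := (Olddata[0] = $75) and (Olddata[1] = $44);
      end;

    Begin
      ZeroMemory(@si, SizeOf(si)); // the original zeroed si twice (ZeroMemory + FillChar); once is enough
      ZeroMemory(@pi, SizeOf(pi));
      si.cb := SizeOf(si);

      unpacked := false;
      ttimer := 0;
      ChangePrivilege('SeDebugPrivilege', True); // needed to read and write another process's memory

      if not CreateProcess(PChar('Game.exe'), nil, nil, nil, FALSE, 0, nil, nil, si, pi) then
      begin
        // The original exited silently here, which hides a wrong working directory.
        Messagebox(0, pchar('Cannot start Game.exe'), pchar('Error'), mb_iconinformation);
        Exit;
      end;

      // Poll until the packer has written the original code back, or the budget runs out.
      while (not unpacked) and (ttimer <= 500) do
      begin
        if ReadPatchSite(pi.hProcess) and OriginalBytesPresent then
        begin
          SuspendThread(pi.hThread); // freeze the target before touching its code
          unpacked := true;
          Messagebox(0, pchar('Unpacked'), pchar('Good'), mb_iconinformation);
        end
        else
        begin
          inc(ttimer);
          sleep(10);
        end;
      end;

      if unpacked then
      begin
        // Re-read after the suspend: the bytes must still be the expected ones.
        if ReadPatchSite(pi.hProcess) and OriginalBytesPresent then
        begin
          // Return value not checked, as in the original: a failed write
          // simply leaves the game running unpatched.
          WriteProcessMemory(pi.hProcess, Pointer($0046740E), @NewData, SizeOf(NewData), Bytesread);
          ResumeThread(pi.hThread);
        end
        else
        begin
          Messagebox(0, pchar('Bytes not found! Wrong version?...'), pchar('Error'), mb_iconinformation);
          TerminateProcess(pi.hProcess, 0);
        end;
      end
      else
      begin
        Messagebox(0, pchar('Program not unpacked...'), pchar('Error'), mb_iconinformation);
        TerminateProcess(pi.hProcess, 0);
      end;

      // One cleanup point replaces the three copies in the original.
      CloseHandle(pi.hProcess);
      CloseHandle(pi.hThread);
    end.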


    A small disadvantage of this code is that any update of the executable will require finding the instruction address again and re-compiling the loader, because the address is hard-coded. So, the next step will be the creation of an auto-search algorithm, but that is another story.

    © Dwar
    Feel free using our knowledge and guides, but please,
    keep linkbacks to the original article
    Please, post your questions on forum, not by PM or mail

    I spend my time, so please pay a little bit of your time to keep world in equilibrium


