Hi Coders,
I've downloaded _masta_'s tutorial no. 1 (i.e. the search & destroy patcher). This program reads a file into memory, searches for a specific pattern and changes it to the new value. The problem is that my pattern isn't found. The source is TASM-specific and I want it to work under MASM. Maybe you find the errors and can help me... :)
I've posted my try to convert it to MASM... Have a look at it...

Here's the link to _masta_'s tutorial:

Thx a lot,
Posted on 2001-12-01 10:16:13 by DaEagle99
File patchers are technically very simple things to write: know the address of the data you wish to change, then write the bytes you want at that location.

File patching is a method of upgrading software or alternatively for registering software. It is a common method used by shareware programmers and companies that supply upgrades to their existing products. The MASM 6.14 patch from Microsoft is a good example.

Just make sure that these toys are not set up or used for illegal purposes as this forum will not allow unacceptable content and the "furry paw" of fearless leader will come down upon those who try it.


Posted on 2001-12-01 14:19:03 by hutch--
Here's some code from the patcher I wrote. Should be easy to understand :)

    ; Read the original file into memory, change one byte at a fixed file
    ; offset, and write the result out as a new file. hFile, hSize, hMem,
    ; pMem and hTmp are DWORD variables; nSize holds the expected file size.

    ; open the original (backup) file and check the returned handle
    invoke CreateFile, addr szBakBuffer, GENERIC_READ or GENERIC_WRITE, 0, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0
    mov hFile, eax
    inc eax                     ; INVALID_HANDLE_VALUE is -1, so eax becomes 0 on failure
    or eax, eax
    jz @@error_open

    ; refuse to patch a file whose size is not the one we expect (wrong version)
    invoke GetFileSize, hFile, 0
    mov hSize, eax
    cmp eax, nSize
    jne @@error_size

    ; allocate a zero-filled buffer and read the whole file into it
    invoke GlobalAlloc, GHND, hSize
    mov hMem, eax

    invoke GlobalLock, eax
    mov pMem, eax

    invoke ReadFile, hFile, pMem, hSize, addr hTmp, 0

    ; the patch itself: one byte at a known file offset becomes a nop
    mov ecx, pMem
    mov byte ptr [ecx+00033131h], 090h ; 90h = nop

    ; write the patched image to the target file
    ; (the handle returned here is not checked; add a test like the one above if you need it)
    invoke CreateFile, addr szCrkTarget, GENERIC_WRITE, 0, 0, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0
    push eax
    invoke WriteFile, eax, pMem, hSize, addr hTmp, 0
    pop eax
    invoke CloseHandle, eax
    invoke MessageBox, hWin, addr szFinished, addr szCopyright, MB_ICONINFORMATION or MB_OK
    jmp @@exit

@@error_open:
    invoke MessageBox, hWin, addr szOpenError, 0, MB_ICONERROR or MB_OK
    jmp @@exit

@@error_size:
    invoke MessageBox, hWin, addr szSizeError, 0, MB_ICONERROR or MB_OK
    jmp @@exit

@@exit:
    ; on the error paths hMem/pMem are still 0 and hFile may be -1;
    ; these calls then just fail and return, which is harmless
    invoke GlobalUnlock, pMem
    invoke GlobalFree, hMem
    invoke CloseHandle, hFile
Posted on 2001-12-01 14:39:45 by bazik
Hi bAZiK,
thanks for your reply but this is not what I am looking for. I am looking for code that searches for a given string in an exe file and replaces it. I want to write a config program for my login program. The values that the user sets (i.e. password, etc.) should be written directly into the main executable so no additional ini's or reg entries are made.

Posted on 2001-12-02 06:58:28 by DaEagle99

...The values that the user sets (i.e. password, etc.) should be written directly in the main executable so no additional ini's or reg entrys are made.

Why search for the string, if you want to do what you described? You can look up the location of the strings with a hex editor and place the correct offsets in my code. Just do a loop which increments the offset by one for each char of the password and you're done :cool:
Posted on 2001-12-02 07:51:08 by bazik
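A portable C version of the two approaches in this exchange, added here as an example (it is not code from the thread, from _masta_'s tutorial or from bazik's patcher). It goes one step beyond what either post spells out: searching for the placeholder value itself only works once, because the value is gone after the first patch, so the login program instead reserves a fixed-size field behind a short unique prefix (`LOGINCFG:` and the 32-byte field length are assumed names for the example), the config tool searches for the prefix (DaEagle99's search step) and then overwrites only the field behind it (bazik's fixed-offset loop). The sample image and all names are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIELD_LEN 32   /* bytes the login program reserves after the prefix (assumed) */

/* Locate the first occurrence of pat (patlen bytes) in buf (buflen bytes).
 * Returns the byte offset or -1. memcmp is used so the pattern may contain
 * NUL bytes, which a strstr-based search would stop at. */
long find_pattern(const unsigned char *buf, size_t buflen,
                  const unsigned char *pat, size_t patlen)
{
    size_t i;
    if (patlen == 0 || patlen > buflen)
        return -1;
    for (i = 0; i + patlen <= buflen; i++)
        if (memcmp(buf + i, pat, patlen) == 0)
            return (long)i;
    return -1;
}

/* bazik's fixed-offset write: store value in the fieldlen-byte field at
 * offset and zero-pad the rest. Returns 0, or -1 if the field would run
 * past the buffer or the value (plus its terminator) does not fit. */
int write_field(unsigned char *buf, size_t buflen, size_t offset,
                size_t fieldlen, const char *value)
{
    size_t vlen = strlen(value);
    if (offset > buflen || fieldlen > buflen - offset || vlen >= fieldlen)
        return -1;
    memset(buf + offset, 0, fieldlen);
    memcpy(buf + offset, value, vlen);
    return 0;
}

/* DaEagle99's search step: find the prefix, then patch the field behind it.
 * Returns the field offset, or -1 (prefix not found), -2 (prefix occurs
 * more than once, so the patch would be ambiguous), -3 (value does not fit). */
long patch_marker(unsigned char *buf, size_t buflen, const char *prefix,
                  size_t fieldlen, const char *value)
{
    size_t plen = strlen(prefix);
    long off = find_pattern(buf, buflen, (const unsigned char *)prefix, plen);
    if (off < 0)
        return -1;
    if (find_pattern(buf + off + 1, buflen - (size_t)off - 1,
                     (const unsigned char *)prefix, plen) >= 0)
        return -2;
    if (write_field(buf, buflen, (size_t)off + plen, fieldlen, value) != 0)
        return -3;
    return off + (long)plen;
}

/* Whole-file wrapper: read the image, patch it in memory, write back only
 * the field. Returns the field offset or a negative code (-4 on I/O failure). */
long patch_file(const char *path, const char *prefix, size_t fieldlen,
                const char *value)
{
    FILE *f = fopen(path, "r+b");
    unsigned char *buf;
    long size, off;
    if (!f)
        return -4;
    if (fseek(f, 0, SEEK_END) != 0 || (size = ftell(f)) < 0 ||
        (buf = malloc((size_t)size + 1)) == NULL) {
        fclose(f);
        return -4;
    }
    rewind(f);
    if (fread(buf, 1, (size_t)size, f) != (size_t)size) {
        free(buf);
        fclose(f);
        return -4;
    }
    off = patch_marker(buf, (size_t)size, prefix, fieldlen, value);
    if (off >= 0 && (fseek(f, off, SEEK_SET) != 0 ||
                     fwrite(buf + off, 1, fieldlen, f) != fieldlen))
        off = -4;
    free(buf);
    fclose(f);
    return off;
}

/* Constructed stand-in for the login program's image (not a real PE):
 * a few code bytes, the prefix, a 32-byte zero-padded default, more code. */
unsigned char sample_image[6 + 9 + FIELD_LEN + 2];

size_t build_sample_image(void)
{
    static const unsigned char code[6] = { 0x55, 0x8b, 0xec, 0x90, 0x90, 0xc3 };
    size_t n = 0;
    memcpy(sample_image + n, code, 6);        n += 6;
    memcpy(sample_image + n, "LOGINCFG:", 9); n += 9;
    memset(sample_image + n, 0, FIELD_LEN);
    memcpy(sample_image + n, "default", 7);   n += FIELD_LEN;
    sample_image[n++] = 0xc3;
    sample_image[n++] = 0x90;
    return n;
}

int main(int argc, char **argv)
{
    long off;
    if (argc == 3) {                     /* usage: patcher <file> <value> */
        off = patch_file(argv[1], "LOGINCFG:", FIELD_LEN, argv[2]);
    } else {
        build_sample_image();
        off = patch_marker(sample_image, sizeof sample_image, "LOGINCFG:",
                           FIELD_LEN, "s3cret");
    }
    printf("field offset: %ld\n", off);
    return off < 0;
}
```

Two practical points: the tool has to run as a separate program, since (as f0dder notes further down) the executable cannot be written while it is running; and the field is plain bytes in the file, so whatever is stored there is as readable with a hex editor as the placeholder was. The scheme stores configuration, not secrets.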
Well, you're right... This would be the easiest and fastest way to do... I'll give it a try... Thanx
Posted on 2001-12-02 09:51:15 by DaEagle99
Just remember that you will have to do the configuration from an external program, as you cannot write to an executable file that is

Back in the old DOS days, this was all very easy. You could calculate the file offset of a variable from a SEG:OFS pair.
Posted on 2001-12-02 11:56:19 by f0dder
Ok, I don't want to be too naive on this subject, however, I'm really curious how this works...

if you want to search through a file for a specific hex/dec code how do you go about that?

sorta like those programs like "gamecheater" -- the ones that search a program for the hex or dec. code and then you change its value and they check for it again with its new value.

I don't mind source on the issue, but any information on the subject would be nice... I'm checking out Icz tutorials on debugging, but they seem a bit too specific (eip must contain the next value so all we have to do with put in 2 nop's -- example 29)

Posted on 2001-12-28 05:23:58 by Sliver
Those GAMECHEAT style patchers require that the target file be loaded into memory, either by you, or by the operating system. Either way, you may now search through the range of memory for your data and modify it in any way you wish - but the changes are NOT permanent.

Should you wish to make the changes permanent, and the target is not executable, you may simply save the new file... but if it is executable, you have two ways to go - you can write a small program which makes this change in memory every time the exe is loaded into memory (AFTER it is loaded) or you can attempt to save the new exe image and then correct the CRC checksum.

A CRC (cyclic redundancy check) is basically just a tally of all the data in the file ... although there are several different algorithms for calculating these, depending on the situation.

The checksum is the tally stored within the file also (the checksum is usually calculated with tally=0).

It is used to determine if the data in the file is at all corrupted (which is what you have done by modifying it).

I will only confuse you further by attempting to describe the easiest methods of CRC-repair, so I won't go there right now.
Rest assured there are existing tools to repair incorrect CRC in executables and you don't need to worry about it.

Don't use these techniques to mess with copyrighted software or else Hutch will stomp on you !! LOL
(BTW Hutch I'm from Melbourne, Vic. and a cranky old bastard also :p)
Posted on 2001-12-28 07:37:54 by Homer
Thanks, I've been working at a program to edit the "memory" of the program -- not the program itself (disclaimer) :)

Other thread about trainers

Anyway, I thought this would be a lot easier to do than it actually is -- I've never written a patcher and scanning for byte patterns isn't going too well as of yet.

but I'm still working :) If you come across anything that might help out please pass it along...

Posted on 2001-12-28 13:49:12 by Sliver
No need to update PE checksum unless you're messing with NT drivers.
And then you'll have a lot more to think about than just the PE checksum :).
Posted on 2001-12-28 13:54:08 by f0dder
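For the case f0dder mentions where the PE header checksum does matter, here is that computation in C, added as an example (not code from the thread). It uses the same arithmetic as imagehlp's CheckSumMappedFile: every 16-bit word of the file is added with end-around carry, the CheckSum field itself counts as zero, the sum is folded to 16 bits and the file length is added. This is Homer's "tally" in its PE-specific form; application-specific CRCs like the ones he describes depend on the program and are not covered here. The 256-byte sample image is a constructed header stub, not a real executable.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Offset of the CheckSum field from the "PE\0\0" signature: 4 (signature)
 * + 20 (COFF file header) + 64 (into the optional header; same for PE32 and PE32+). */
#define PE_CHECKSUM_REL 0x58

static uint32_t rd32(const unsigned char *p)
{
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(unsigned char *p, uint32_t v)
{
    p[0] = v & 0xFF;
    p[1] = (v >> 8) & 0xFF;
    p[2] = (v >> 16) & 0xFF;
    p[3] = (v >> 24) & 0xFF;
}

/* File offset of the CheckSum field, or -1 if img has no plausible MZ/PE header. */
long pe_checksum_offset(const unsigned char *img, size_t len)
{
    uint32_t e_lfanew;
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z')
        return -1;
    e_lfanew = rd32(img + 0x3C);
    if (e_lfanew > len - 4 || memcmp(img + e_lfanew, "PE\0\0", 4) != 0)
        return -1;
    if (len - e_lfanew < PE_CHECKSUM_REL + 4)
        return -1;
    return (long)(e_lfanew + PE_CHECKSUM_REL);
}

/* Sum every 16-bit word with end-around carry, treating the 4 bytes at
 * skip (the CheckSum field) as zero, fold to 16 bits, add the file length. */
uint32_t pe_checksum(const unsigned char *img, size_t len, long skip)
{
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2) {
        if (skip >= 0 && i >= (size_t)skip && i < (size_t)skip + 4)
            continue;
        sum += img[i] | (img[i + 1] << 8);
        sum = (sum & 0xFFFF) + (sum >> 16);
    }
    if (len & 1) {                      /* odd trailing byte, high byte zero */
        sum += img[len - 1];
        sum = (sum & 0xFFFF) + (sum >> 16);
    }
    sum = (sum + (sum >> 16)) & 0xFFFF;
    return sum + (uint32_t)len;
}

uint32_t pe_stored_checksum(const unsigned char *img, size_t len)
{
    long off = pe_checksum_offset(img, len);
    return off < 0 ? 0 : rd32(img + off);
}

/* 1 if the stored checksum matches the image, 0 if it is stale (e.g. after
 * a patch), -1 if img is not a PE image. Zero stored means "not set" and
 * is reported as a mismatch here. */
int pe_checksum_ok(const unsigned char *img, size_t len)
{
    long off = pe_checksum_offset(img, len);
    if (off < 0)
        return -1;
    return pe_checksum(img, len, off) == rd32(img + off);
}

/* Recompute and store the checksum; returns the new value, 0 if not a PE. */
uint32_t pe_fix_checksum(unsigned char *img, size_t len)
{
    long off = pe_checksum_offset(img, len);
    uint32_t c;
    if (off < 0)
        return 0;
    c = pe_checksum(img, len, off);
    wr32(img + off, c);
    return c;
}

/* Constructed 256-byte image: "MZ", e_lfanew = 0x40, "PE\0\0", everything else zero.
 * Its checksum field therefore sits at 0x40 + 0x58 = 0x98. */
unsigned char sample_pe[256];

size_t build_sample_pe(void)
{
    memset(sample_pe, 0, sizeof sample_pe);
    sample_pe[0] = 'M';
    sample_pe[1] = 'Z';
    sample_pe[0x3C] = 0x40;
    memcpy(sample_pe + 0x40, "PE\0\0", 4);
    return sizeof sample_pe;
}
```

Running `pe_checksum_ok` before and after a one-byte patch like the one in bazik's code shows the field going stale; `pe_fix_checksum` brings it back in line. Either way the field is only advisory for ordinary executables, as f0dder says.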
Somewhere, or someplace, I remember seeing a TEXT on converting from MASM to TASM source, not sure it would apply to MASM32, but you never know, will dive into my HD, and try and find it.

If you don't hear from me in 5 days, assume the drive crashed with me in it. Tell my MOM I died without any pain ...:).

Well, except for that terminal eyestrain...:)

Posted on 2001-12-29 14:52:31 by Anunitu