#1
which protectors can be patched so?
__________________
Thinking In Bytes
#2
But maybe sometimes the app uses the CreateFile to open other files and do other things, and that will cause problems.
I think the convenient way is to NOP the checking code.
#3
|
||||
|
||||
|
No, I think Markus-DJM is right, you can filter in the parameter of CreateFile if the name of the file to open is the EXE file, then you must change this parameter to the dat file.
But when you use a system-wide hook like CreateFile your system performance is down (it's an API very often used) and you must remember that other apps use this hook (antivirus apps). To launch the hook you must use an app that, when your original app is finished, must unhook the func. Bufff! You can add a new section in the original app, change the entry point and then make an application hook to CreateFile and you don't need to hook ALL the processes in the system, but bufff again. :-) I think it's less aggressive using a NOP patch. If you can make a program that can add a new section in an EXE and add a call to a func (with LoadLibrary of course) in this section, I can make the hook for you or I can make a system-wide hook with an app to test how it affects system performance. Bye
#4
|
||||
|
||||
|
Well, for ASProtect it would be possible. It uses its own IAT, and so I hooked it only for this file; ASProtect thought it isn't modified and let me change what I want.
I don't want to hook the complete system, I think this would be a bit too hard, and like taos said, not good for system performance.
#5
|
||||
|
||||
|
You are right, there's not a lot of work in this case, only if you can make a generic add-new-section program that adds the func to execute the hook.
Can you make this? If the answer is yes then you can make a generic tool that patches ALL the CRC checks. Even if you can call a DLL func without parameters (like void func()) then you can use the generic hook DLL from validtec like I posted some time ago and you can HOOK ANY API FUNC in the program (for example getwindowsdate for trial, or get windows title to avoid olly debug, or createfile to avoid SICE too, etc...). I worked on a project to change the entry point to redirect to my func last year, but I did not think of this possibility, can be a cool tool...
#6
|
||||
|
||||
|
Hmm, ASProtect also has a process checksum check. How did you kill it?
I know a little trick that makes it possible to kill the CRC check from ASProtect when you create a loader which patches the process after the CRC check is done. Maybe a nice feature for dup?
__________________
Thinking In Bytes
#7
|
||||
|
||||
|
Simple, hooking CreateProcess too.
You can hook anything.