1
I'm trying to hex a *.exe file to change the font from Arial to Tahoma. I already did it, the issue is that the program notices something has changed.
I'm relatively newbie to hexing, so I am not sure if whenever you hex an exe, some date also changes (and probably that's how the program notices it). Can anybody confirm this and if possible propose a solution?
Christopher Francisco
Posted 2014-09-14T23:04:44.410
Reputation: 238
1
Normally, the date timestamp on an executable is meaningless, because the timestamp won't be the original compile time, but instead the installation time. There's no way the executable could depend on an external timestamp to verify if it is intact.
Some executable files are digitally signed. This means that an cryptographic function is applied against the file using the publisher's key, and affixed to the executable. This signature can be verified by the OS (such as Windows), or by the executable itself.
Any changes to the binary structure of the executable will be noticed because the signature won't match the computed value. There's usually no way to generate the correct signature without the original key, which is a security feature that prevents tampering (e.g. to crack software, or a virus infection).
Beyond that, there can also be CRC (e.g. CRC-32) that can simply detect changes to the executable as well. In this case, the executable might be verifying the check internally, which you might be able to bypass by tracing through the executable code until you find the check routine and no-op (0x90) out the function call to the checking function.
phyrfox
Posted 2014-09-14T23:04:44.410
Reputation: 2 424
If the programmer wrote their own installation routine, then the date and time stamp can be set to any date and time the programmer wanted. If fact, it is possible to do that from a batch file. – LDC3 – 2014-09-15T00:01:30.620
1@LDC3 That's true, and I've seen install dates that precede my computer's purchase date, but I suspect very few developers do this, because it's too easy to trick the system into applying a timestamp that would trick the program into thinking it hadn't been modified. As a developer of some odd 30 years, I know I wouldn't trust something that could be so easily modified by a competent user. – phyrfox – 2014-09-15T00:03:54.340
1
It seems that the exe has a self-protection logic, which is quite normal nowadays. However, the ways to achieve this protection are not the same. Some use digital signatures, some use CRC checks, some use 3rd party module protection tools and so on. But I believe the 3rd party one is not your case as usually the modules generated by those tools are compressed and/or encrypted so that you couldn't find the information directly.
However, although it's possible to use that timestamp information to detect modification, it should be pretty rare to use timestamp only for the protection as anybody can change it using this sort of tools. You may revert the attributes if you have the original as it does not harm, but probably it won't work.
So, what's the next step? To overcome the problem, we need to know what sort of checking is done for modification detecting which must be much more complicated than hexing a module. After doing that, we may take some advanced approaches like in-process memory modification, cracking the detecting routine or hooking Windows API calls to achieve the goal of font replacement, but none of them can be achieved by hexing only. You need to learn how to use debuggers at least. Perhaps somebody cracked the file already for different purposes such as NO-CD patch and then you may grab it for hexing and probably it will work as the logic will be already deactivated. But please consider legality all the time before taking any action.
However, you're trying to just change the font in use. This looks somewhat legit for me - why don't you ask the application vendor to make an option to change fonts?
Scott Rhee
Posted 2014-09-14T23:04:44.410
Reputation: 1 923
Yeah I already asked, it's a private server for a game, so the legal stuff is not an issue. I do know how to use debbugers, I was also thinking of going that far. Could you suggest a link or similar so I can have some directions on finding the checking? Also, it's not really a self-checking program. It is an *.exe (the one I hex) opened by another *.exe (the one that does the checking) – Christopher Francisco – 2014-09-15T02:04:38.927
Christopher // If you're able to use debuggers such as OllyDbg and WinDBG, try to detect when the target EXE is being opened. "CreateFile" API is a good starting point. Then, track carefully until the "modified exe" error appears. By doing this, you may get to know what logic is used for detection and change that flow by hexing "the caller". However - the caller can be also a "self-protected" one. If so, the question goes back to the original. – Scott Rhee – 2014-09-15T03:10:00.450
By the way, what happens if you run the callee EXE directly? I know it didn't work, or you wouldn't raise this question :) but I'd like to know WHY it didn't work. If you know the reason, perhaps I can give you some more options by fooling either of callee or caller. – Scott Rhee – 2014-09-15T03:15:32.197
I will give a try this afternoon with both OllyDbg and WinDbg. When I open the EXE directly (before and after hexing) nothing happens: so I checked on windows task manager and the EXE appeared and disappeared immediately – Christopher Francisco – 2014-09-15T16:07:06.987
Did you try the exact same command line parameters as if the callee is being called by the original caller? To get the parameters, you may use Process Explorer. Just start the apps in the usual way, find the target on Process Explorer and check properties. This link may help you. http://www.bleepingcomputer.com/tutorials/determine-command-line-arguments/
– Scott Rhee – 2014-09-15T21:30:36.907
If it is a simple issue of time modification, you can use a time stamp editor such as touch. There are many windows equivalents out there. – Sun – 2014-09-15T02:35:28.640