BeerFizz asked:
Patching a Windows EXE


Hi,

I wrote some code about 10 years ago using MS Visual C++ 6.0...  Not in my wildest dreams did I think that my client would still be using this code.

It is a dialog-based app, uses MySQL and several other external libraries.

I'm not sure I have all of the code and I certainly do not have the compiler. I was wondering if someone could give me advice as to whether it would be worthwhile to attempt a quick patch.

If you look at the attached code, I foolishly validated the year portion of the date by checking to make sure it was less than 2010.

To fix this, I would either have to patch out that test completely or change the value from 10 to say 50.  I am not sure if the exe would contain enough information to find this piece of code.

Thanks for all advice
Phil

bool CKeyFromSource::ValDepDate()
{
	// Read the three edit controls (month, day, two-digit year) as text.
	m_ebDepMonthCtrl.GetWindowText(m_ebDepMonthVal);
	m_ebDepDayCtrl.GetWindowText(m_ebDepDayVal);
	m_ebDepYearCtrl.GetWindowText(m_ebDepYearVal);

	// Range checks; logical || rather than bitwise | on the comparison results.
	if ((atoi(m_ebDepMonthVal) < 1) || (atoi(m_ebDepMonthVal) > 12))
		return 0;
	if ((atoi(m_ebDepDayVal) < 1) || (atoi(m_ebDepDayVal) > 31))
		return 0;
	// The check discussed above: two-digit year must be 00..10, i.e. 2000..2010.
	if ((atoi(m_ebDepYearVal) < 0) || (atoi(m_ebDepYearVal) > 10))
		return 0;

	m_DepMonth = atoi(m_ebDepMonthVal);
	m_DepDay = atoi(m_ebDepDayVal);
	m_DepYear = atoi(m_ebDepYearVal) + 2000;

	return 1;
}

logic_chopper

Yes, I think a patch is possible. If you download IDA Pro (the free version) you can load the EXE (or DLL) into the disassembler. You can then use it to find the code where you are making the 3 calls to GetWindowText (this is easy to do with IDA Pro). The assembler code after that should be fairly straightforward to read, and find the place where you are making the 2010 check. Then write down the byte values (choose hex view in IDA Pro) so you can find the location of them using a hex editor. Use the hex editor to find the byte values and change 0x0a to whatever value you want greater than that.
Tom Scott
If you don't have the compiler, nor all the code, then a hack-patch seems all that is left.  Even if you have the compiler, if you are missing code, you can't compile anything that could be expected to be sound.

As for finding the "10" and replacing it with "50", it is possible and trial and error may, indeed, be faster than trying to reinvent your program.

If you do find a way to acquire all your source and the compiler and the client is willing to pay for all that, you may consider changing this routine to use four digit dates as a more sound programming practice that will avoid a similar situation in the future.

 - Tom
I agree with logic_chopper, it shouldn't be very difficult to patch the file as he described.
If you cannot manage to do it yourself or don't have the necessary time to do it, just post the .exe.
BeerFizz (Asker)

@Lirma,

Thanks in advance for your offer and help.

Attached is a zip file.  There is a readme inside.

Phil
Scanner.zip
ASKER CERTIFIED SOLUTION
logic_chopper
Hello,

I hope that this patch will do the job. I cannot test it because I don't have all the required DLLs to run it. Please do it yourself. If you have a virtual machine I recommend using it for testing.

I put 30 instead of 10.
ScannerPW-patched.exe
SOLUTION
Yes well done to you Lirima, I just did a file comparison and the same bytes were changed, this should be a good enough check ;-)
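The procedure logic_chopper describes (find the compare against 0x0a, change the immediate in a hex editor) and the file-comparison check above can both be scripted so that the patch is verified rather than trusted. The following is an added example and is not code from this thread or from the asker's application. It assumes, without having seen the binary, that the compiler emitted the year test as `cmp eax, 0Ah` (bytes `83 F8 0A`); the real encoding must be confirmed in the disassembler first. The byte buffer is a constructed stand-in for the code section, not the real executable, and the two-site count comes from the asker's statement that two `ValDepDate` functions exist.

```python
"""Locate, patch and verify an immediate-operand byte in an executable image.

Added example, not the thread's or the asker's code. The instruction
encoding below (83 F8 0A for `cmp eax, 0Ah`) is an ASSUMPTION; confirm it in
IDA before running anything like this against a real file.
"""
from typing import List, Tuple

CMP_EAX_IMM8 = b"\x83\xF8"   # assumed opcode bytes for `cmp eax, imm8`
OLD_LIMIT = 0x0A             # the year check: atoi(year) > 10
NEW_LIMIT = 0x1E             # 30, the value Lirima chose for the patch


def find_candidates(image: bytes, opcode: bytes = CMP_EAX_IMM8,
                    imm: int = OLD_LIMIT) -> List[int]:
    """Return the offset of the immediate byte for every `opcode + imm` match."""
    needle = opcode + bytes([imm])
    hits, start = [], 0
    while (pos := image.find(needle, start)) != -1:
        hits.append(pos + len(opcode))
        start = pos + 1
    return hits


def patch_image(image: bytes, offsets: List[int], old: int, new: int) -> bytes:
    """Rewrite `old` to `new` at each offset; refuse to touch any other byte."""
    buf = bytearray(image)
    for off in offsets:
        if buf[off] != old:
            raise ValueError(f"offset {off:#x} holds {buf[off]:#04x}, expected {old:#04x}")
        buf[off] = new
    return bytes(buf)


def diff_images(a: bytes, b: bytes) -> List[Tuple[int, int, int]]:
    """List (offset, old_byte, new_byte) for every differing position.

    This is the scripted form of the file comparison used to confirm that a
    patch received from someone else changed only the expected bytes.
    """
    if len(a) != len(b):
        raise ValueError("sizes differ; a byte patch must not change the file length")
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]


# Constructed stand-in for the code section: a `cmp eax, 0Ch` (the month <= 12
# check, which must NOT be touched) followed by two copies of the assumed year
# check, one per ValDepDate function, separated by filler.
SAMPLE_IMAGE = (
    b"\x55\x8B\xEC" + CMP_EAX_IMM8 + b"\x0C" + b"\x7F\x10"   # month check, stays
    + b"\x90" * 8 + CMP_EAX_IMM8 + b"\x0A" + b"\x7F\x04"     # CKeyFromSource::ValDepDate
    + b"\x90" * 8 + CMP_EAX_IMM8 + b"\x0A" + b"\x7F\x04"     # Scan::ValDepDate
    + b"\xC3"
)


def apply_year_patch(image: bytes, expected_sites: int = 2
                     ) -> Tuple[bytes, List[Tuple[int, int, int]]]:
    """Patch every year-limit candidate, insisting on the count the source predicts.

    A mismatch means the pattern is matching something other than the two
    ValDepDate checks (or is missing one), so the script stops rather than guess.
    """
    sites = find_candidates(image)
    if len(sites) != expected_sites:
        raise ValueError(f"found {len(sites)} candidate sites, expected {expected_sites}")
    patched = patch_image(image, sites, OLD_LIMIT, NEW_LIMIT)
    return patched, diff_images(image, patched)


if __name__ == "__main__":
    patched, changes = apply_year_patch(SAMPLE_IMAGE)
    for off, old, new in changes:
        print(f"{off:#06x}: {old:#04x} -> {new:#04x}")
```

`diff_images` is the part worth keeping even when the patch is done by hand in a hex editor: run it over the original and the patched file, and the only acceptable output is exactly the immediates you meant to change.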
@ Lirima and logic_chopper,

You guys :)  Fantastic.

Will let you know how it runs in a couple of hours.

Thanks for all your assistance
Phil
@ Lirima and logic_chopper,

Guys, thanks for the patch. One of the validation points is now working, but the second one is not...

As per the readme I attached, there are two areas that require patching... bad programming on my part :(

the patch you applied corrected this function:
bool CKeyFromSource::ValDepDate()

but the other function still validates incorrectly, this one:
bool Scan::ValDepDate()

If you could patch this other area, I think I would be back in business.

My email address is in the readme if you need any additional information.
Best Regards
Phil

We patched 2 functions containing the code you mentioned, and I cannot see any other place to make year (2010) validation.
There is a(nother) place where month, day, hour and seconds are checked, but that's all.

I'm out of time now, I'll try to recheck tomorrow.

Have a nice day!


@ Lirima and logic_chopper,

I looked at the code again and those are the only two areas. I had the client recheck and this time it was reported as working. So the client must have run the original for the second test. Sorry for the confusion.

Thanks for all your help, you have saved me a lot of time and I do appreciate it.

Best
Phil
It's good news that it's working correctly.  Just as a question though, you have split the points between two answers from Lirima; I guess it was your intention to split the points between us?
Hi logic_chopper,

Yes it was my intention to split the points, as you both did the work at the same time.  Not sure what else I can do.   I will open another question you can answer for full points if you are quick.  Will title "Patching and EXE".

Phil
BeerFizz,
you are always free to click the "Request Attention" link in your original post and ask a moderator to reopen the question for you so that you can close it again, this time as intended.
Hello,

This time, all the points were assigned to logic_chopper; they weren't split.
Lirima, let's just do this, I'll make a question for you for 250 points which you can answer.
Hi logic_chopper,
In my opinion, it would be better to have the points split again (correctly), so that both of us receive the same number of points. It seems that this was the intention of BeerFizz.
Yes OK, no problem, use request attention to alert the admin...
Guys,

I apologise for all the issues here.

First, I did not reopen the question, someone else did. However, once it was reopened, I closed it in exactly the same manner, as I was comfortable with my original decision. I have no idea why the split ended up different.

I will attempt to reopen and split again.

Aside from all this crap, I really appreciate both of you working on this and solving the issues.  The application is back in production!

Best Phil
OK, I've allocated the points evenly between you both.

Again, thanks for the help.

All the best
Phil