AntiWPA Forum

Full Version: Reopen/Decompile dUP2(v2.26)-Patch exe's
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
[Image: diablo2oo2s-universal-patcher-1.png]
Here you find Version 2.25 and 2.26 for Download.


It's a little sad that the original page has disappeared however it's still in the internet archive:
http://bit.do/dUP


Hmm well patcher is pretty self explaining and yep you need to know about reverse engineering else it'll be a whole book to write about Ollydebug and finding and creating patch patterns. (But you may ask some specific question ich ya feel so.)

One nice thing about dup2 is that you can open a created patch.exe and load it again as project. This decompiling supports was removed in v2.26.

However you can still open Patch exe created with v2.26 in v2.25.
Here is how to do this:
  1. Run the patch
  2. Get %temp%\dup2patcher.dll
  3. Test it via rundll32.exe dup2patcher.dll,load_patcher

Now You may copy the .rsrc to some v2.25-patch exe
OR
Transform dup2patcher.dll into an exe.
With LordPE, CFF Explorer In PE-Header change
  1. Change Extension: *.dll -> *.exe (because dup2 only runs "OpenProjectFromExe" if "IsFileExtension" ==
  2. PE- FileHeader.Characteristics: 0x2102 -> 0x0102 ( DLL ) (because dup2 uses CreateProcessA for dumping which will only runs on exe)
  3. (PE- OptionalHeader.AddressOfEntryPoint: 0x000020D0 -> 0x000020F9 (<- Export: load_patcher)
    ".exe" )) - not really needed - but on the other hand this keeps the exe open when its started so it can be dumped. You may also set this to 0 with a good change to crash it; The crash report window will archive the same effect - keep it running until dump is done

Now you can open the patch file in dUP2.25.
[Image: Sc_dUP_2011-3-9_21.34.png]
So now happy reviewing/improving ya's and other's patches Big Grin

Attention the transformed dll to exe has two flaws.
1. GetModuleHandleA(0x0) is not set so dialog may look strange
2. ExitProcess is missing so exe don't really quits (you'll need to kill it in the Taskmanager)

Recommended tools: LordPE(<-is inside myTools), Restorator 2009 (4.00)

Well for debugging purpose that is how dups2 'dumps' some *.exe
  1. Check is extension is '.exe' and if it's an PE-File ( checks for 'MZ' and 'PE') "LoadFileToMem" & "IsPEFile"
  2. uses CreateProcess to start it and Sleep 500ms ( *sign* man I wouldn't use WaitForInputIdle to exactly return when loading is finished - but well it is as it is)
  3. does some handstands in "GetProcessImageBase" with TEB to PEB to finally get where the Base the exe was load into
  4. VirtualAlloc + Copy/dump the data via ReadProcessMemory
  5. Save data into a new created file %Temp%/dump_<Name>%
  6. Open that file again and use FindResource to extract the dup2 project data from .rsrc
when i ran the command nothing happens
Dumping Failed!

3. (Unpack it)? Whats means?
(03-28-2016 10:30 PM)krafg Wrote: [ -> ]Dumping Failed!
(03-28-2016 10:30 PM)krafg Wrote: [ -> ]Well the common major two's problem for that are
* When started the file isn't loaded into memory
->you didn't turn off the dll-flag in the PE-Header to turn it into some 'real' exe
[Image: ONRqGO.png]
Hmm hard to tell if the exe was load since windows 7 errormessage on loading some exe got suppressed. But if you can make it crash as written in the next step i'll imply that exe was load and started so it can crash.
* that the exe quits to early for the dumper.
dome Simple but dirty trick for that maybe to use LordPE's Break and enter.
when you see 'Click on OK to restore original file state...' don't click ok but try to dump it with dup2 now.
Some other ways to that'll have the same effect:
* change the flags for .text from 0xE0000020 to 0x000000 what means NoAccess or set rawsize to 0
* Fill whole .text section with 0x00 or 0xCC or
* manually place some 0xCC (or 0xEB FE) at the OEP or
* to fix the OEP so it points to the adress of export 'loadPatcher'()


3. (Unpack it)? Whats means?
Well normal patch.exe is mostly packed with UPX an runtime packer. (Image a SFX-Zip that is all the time for ran just extracted into memory)
with some luck "Upx.exe -d packed.exe" might work.
Some other option for unpack UPX may be PEExplorer. Open the patched.exe /check log output and if it says all okay save the it to unpacked.exe

However I elobarated the steps unpacking is not need anymore.
Reference URL's