Reopen/Decompile dUP2(v2.26)-Patch exe's
06-13-2015, 04:55 PM (This post was last modified: 02-01-2018 11:13 AM by cw2k.)
[Image: diablo2oo2s-universal-patcher-1.png]
Here you find Version 2.25 and 2.26 for Download.


It's a little sad that the original page has disappeared; however, it's still in the Internet Archive:
http://bit.do/dUP


Hmm, well, the patcher is pretty self-explanatory, and yep, you need to know about reverse engineering, else it'll be a whole book to write about Ollydebug and finding and creating patch patterns. (But you may ask some specific question if ya feel so.)

One nice thing about dup2 is that you can open a created patch.exe and load it again as a project. This decompiling support was removed in v2.26.

However, you can still open a patch exe created with v2.26 in v2.25.
Here is how to do this:
  1. Run the patch
  2. Get %temp%\dup2patcher.dll
  3. Test it via rundll32.exe dup2patcher.dll,load_patcher

Now you may copy the .rsrc to some v2.25-patch exe
OR
Transform dup2patcher.dll into an exe.
With LordPE or CFF Explorer, change in the PE header:
  1. Change Extension: *.dll -> *.exe (because dup2 only runs "OpenProjectFromExe" if "IsFileExtension" == ".exe")
  2. PE- FileHeader.Characteristics: 0x2102 -> 0x0102 ( DLL ) (because dup2 uses CreateProcessA for dumping, which will only run on an exe)
  3. (PE- OptionalHeader.AddressOfEntryPoint: 0x000020D0 -> 0x000020F9 (<- Export: load_patcher)) - not really needed - but on the other hand this keeps the exe open when it's started so it can be dumped. You may also set this to 0 with a good chance to crash it; the crash report window will achieve the same effect - keep it running until the dump is done

Now you can open the patch file in dUP2.25.
[Image: Sc_dUP_2011-3-9_21.34.png]
So now happy reviewing/improving ya's and others' patches :D

Attention: the DLL transformed into an exe has two flaws.
1. GetModuleHandleA(0x0) is not set, so the dialog may look strange
2. ExitProcess is missing, so the exe doesn't really quit (you'll need to kill it in the Task Manager)

Recommended tools: LordPE(<-is inside myTools), Restorator 2009 (4.00)

Well, for debugging purposes, this is how dup2 'dumps' some *.exe:
  1. Checks if the extension is '.exe' and if it's a PE file (checks for 'MZ' and 'PE') "LoadFileToMem" & "IsPEFile"
  2. uses CreateProcess to start it and Sleep 500ms ( *sigh* man I wouldn't use WaitForInputIdle to exactly return when loading is finished - but well it is as it is)
  3. does some handstands in "GetProcessImageBase" with TEB to PEB to finally get the base the exe was loaded into
  4. VirtualAlloc + Copy/dump the data via ReadProcessMemory
  5. Saves the data into a newly created file %Temp%/dump_<Name>%
  6. Opens that file again and uses FindResource to extract the dup2 project data from .rsrc
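The two PE header fields edited in the DLL-to-exe steps of the post, read and rewritten with Python's struct module. This is an added example, not part of the original post and not dUP2 code; the function names and the constructed header buffer are assumptions, and only the values 0x2102, 0x0102, 0x000020D0 and 0x000020F9 come from the post.

```python
import struct

IMAGE_FILE_DLL = 0x2000  # FileHeader.Characteristics bit that marks a DLL

def pe_offsets(data):
    """Return (characteristics_offset, entry_point_offset) after MZ/PE checks."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_header = e_lfanew + 4          # IMAGE_FILE_HEADER is 20 bytes long
    optional_header = file_header + 20
    # Characteristics is at +18 in the file header,
    # AddressOfEntryPoint at +16 in the optional header.
    return file_header + 18, optional_header + 16

def read_fields(data):
    """Return (Characteristics, AddressOfEntryPoint)."""
    char_off, ep_off = pe_offsets(data)
    (characteristics,) = struct.unpack_from("<H", data, char_off)
    (entry_point,) = struct.unpack_from("<I", data, ep_off)
    return characteristics, entry_point

def dll_to_exe(data, new_entry_point=None):
    """Return a copy with IMAGE_FILE_DLL cleared and, optionally, a new entry RVA."""
    out = bytearray(data)
    char_off, ep_off = pe_offsets(out)
    characteristics, _ = read_fields(out)
    struct.pack_into("<H", out, char_off, characteristics & ~IMAGE_FILE_DLL)
    if new_entry_point is not None:
        struct.pack_into("<I", out, ep_off, new_entry_point)
    return bytes(out)

def make_sample():
    """Constructed headers only (not a loadable file), using the post's values."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)                  # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x80 + 4 + 18, 0x2102)       # Characteristics
    struct.pack_into("<H", buf, 0x80 + 24, 0x010B)           # PE32 magic
    struct.pack_into("<I", buf, 0x80 + 24 + 16, 0x000020D0)  # AddressOfEntryPoint
    return bytes(buf)

if __name__ == "__main__":
    sample = make_sample()
    print([hex(v) for v in read_fields(sample)])
    print([hex(v) for v in read_fields(dll_to_exe(sample, 0x000020F9))])
```
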