News:

Masm32 SDK description, downloads and other helpful links
Message to All Guests
NB: Posting URL's See here: Posted URL Change

Main Menu

Overwritten the last bytes into exe file???

Started by x64Core, September 29, 2012, 03:17:09 PM

Previous topic - Next topic

x64Core

Hello MASM32, I'm trying to make this but without sucess...
My aim is: I want to overwrite the last bytes from my exe file ( which is running ) . why?
because I want to know if the exe file was executted for first time, to clarify this , here it's my Pseudocode:

this Pseudocode would show only the first time that the file was executed:

if( checkIfexistsBytes() == 0)
     ; no, bytes not found
      writeBytes()
      showMessage()
else
      ; yes, bytes found
      nothing



I tried with CreateFile ( with some flags, for example: WRITE_OWNER ) but without success :(
guys, I have several hours trying to do this, or is it impossible?


any help, thanks guys


TouEnMasm

Quote
because I want know if the exe file was executted for first time, for clarify this , here it's my Pseudocode:

There is better methods than that:
_ made a list of running process (EnumProcessModules)
_ create a semaphore CreateSemaphore
Fa is a musical note to play with CL

x64Core

Quote from: ToutEnMasm on September 29, 2012, 03:48:34 PM
Quote
because I want know if the exe file was executted for first time, for clarify this , here it's my Pseudocode:

There is better methods than that:
_ made a list of running process (EnumProcessModules)
_ create a semaphore CreateSemaphore

I think you talk about mutex, right?
sorry if I did not explain well, it's not about multiple instance programs , what I mean is:
I want to write some bytes into exe file ( the raw file in the disk ) to know if the exe file has not been executed for the first time and show a message box, otherwise we can know the exe file has not been executed for the first time.

TouEnMasm


Write something in an executable files can be used for many things else.
Pirates techniques are not allowed in this forum.
If you want only to know if he had been executed one time,you can made it write a register key,like this you can even know the number of times he had be used.
Fa is a musical note to play with CL

MichaelW

#4
RHL,

You have been given the benefit of the doubt so far, but the doubt is wearing thin. There are straightforward methods of knowing if your program has been executed that will not violate the forum rules, use one of them.

Well Microsoft, here's another nice mess you've gotten us into.

x64Core

hey guys, I do not want to use it to"Pirates techniques" or like that, I want to know if it is possible to make a program for a number of PCs. I'm trying to make a kind of software license, I know I could use the registry but is very easy to know if a program has modified it :S

CodeDog

CreateFile won't work either way, the other guy will simply just hook that api function and redirect it to trick your code. And you can't write to your own executable while it is mapped to memory because the file is locked. Also if you need to access some portion of a file easily, using memory mapped files is easier than CreateFile. But CreateFile also works for that purpose, but you can't write to your own executable while it is still mapped it is also bad practice because if you edit your executable, AV scanners or firewalls sees it with a different signature and produce a mess out of it.

There are tricks to write directly to your harddrive, avoiding file structures, data that can't be detected, game protection systems use this method. I don't recall exactly how you do it, google it. I think its called RawDisk.

hutch--

I think you would have got the drift by now, the OS protects a running file so it cannot be deleted. It is a similar situation to program uninstalls in that something gets left that the OS normally deletes on next boot if its set up correctly. If you want to change something in an EXE file, do it at installation by patching it. Just note that by patching an EXE file you alter the CRC for the file which in some circumstances can be a security problem.

There is a far more complicated technique that requires either the compiler or the assembler as well as a linker and resource compiler where you drop the source code in its modified form then build the file on the local machine. This technique is useful if you need to detect the available instruction sets and produce an optimised version for a particular machine but it is a lot of work and usually only for major applications where the end performance is important.

jj2007

Quote from: RHL on September 29, 2012, 03:17:09 PM
I want to know if the exe file was executted for first time

Assuming that you zip the original:
- modify the lowest bits of the original timestamp to obtain a checksum
- on first exit, launch a separate exe that marks the lowest bits as "used".

CodeDog

If you use an extra executable remember to remove all symbols from the executable and don't make indirect calls to api functions, load each api function by using GetProcAddress, and preferably use two individual processes where each checks that the api code isn't hooked, if one of the exe detects hooking, the other one should transfer the original code through a pipe back to the other executable, and then execute again. Be sure to encrypt the excutable that deals with safety mechanism. Use repetitive macros to produce confusing instructions, preferably a hundred thousand instructions so that it becomes hard to find the relevant instructions that deals with safety. Make a function that rotates the names of the api functions you use and remove the null terminator, then have a function add the null terminator to it as you need it, so that olly cant detect string names at program startup. To detect if your executable is being debugged, have each executable constantly signal each other through a pipe, if signaling stops for one of the executables, it has probably been paused in olly. If one of them stops signaling have the other executable inject random data and overwrite the code and data section of the other executable so that it becomes messed up in olly.

dedndave

seems like you could just use GetFileTime and examine the lpLastAccessTime parameter   :P
even though you cannot open the current EXE or write to it, you should be able to examine the times

jj2007

Quote from: dedndave on September 30, 2012, 05:29:02 AM
seems like you could just use GetFileTime and examine the lpLastAccessTime parameter   :P
even though you cannot open the current EXE or write to it, you should be able to examine the times

I have never tested that idea. When launching an exe, does it (while running) still the previous access time? Does it update when closing?

qWord

You can create a file stream for a running EXE - maybe thats a simple option for you. (requires NTFS)
MREAL macros - when you need floating point arithmetic while assembling!

johnparker29

If you want only to know if he had been executed one time,you can made it write a register key,like this you can even know the number of times he had be used.