Test environment
Download address: https://github.com/sicaril/Baymax-Patch-toOls/releases
OS: Windows 11
Article updated: 29 January 2023
Changing assembly instructions
Test example:
https://cyberarsenal.org/threads/reverse-analysis-on-windows-a-first-look.342/
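C:
```c
#include <stdio.h>
#include <stdlib.h>   /* system() */
#include <windows.h>

int main()
{
    int a;

    printf("Please input a number:\n");
    /* x is the number of fields scanf_s converted (1 on success) */
    int x = scanf_s("%d", &a);
    printf("%d\n", x);

    /* "yes" only for multiples of both 5 and 7 in the range 2..199 */
    if (a % 5 == 0 && a % 7 == 0 && a > 1 && a < 200)
        printf("yes\n");
    else
        printf("no\n");

    system("pause");
    return 0;
}
```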
Modification Instructions
Patch production
Select the type of patch to be used and the relevant hijacking information
Add Entry
The case of a program without a randomized load address (no ASLR)
| Virtual address | Raw data | Patch data |
| --- | --- | --- |
| 000000014000113A | 75 2F | 74 2F |
| 0000000140001157 | 75 12 | 74 12 |
| 0000000140001169 | 76 07 | EB 07 |
Module address
Address=0000000140000000
Size=0000000000001000
Party=User
Page Information=test.exe
Allocation Type=IMG
Current Protection=-R---
Allocation Protection=ERWC-
Demo: the modification at 000000014000113A
Click 'Add' when you have finished filling in the entry
Make the other modifications by the same method (fill in the data to be modified)
Save
Click the 'Save' button when you have finished making changes
Once there is no more patch data to add, click the 'Create Patch' button to create the patch.
Using the patch
Run the created patch and click 'Patch'
Patch anomalies
In this case, you can click 'Yes' to test the injection scheme
Reason: the problem lies with the default scheme, so the patch generation scheme has to be changed (the default generation option is hijack mode)
Modify the patch generation method to address this issue based on the actual patching solution
The launch pop-up can be turned off before creating the patch by selecting the option to launch the patch without pop-ups
Changing the flag register
Test example:
https://cyberarsenal.org/threads/reverse-analysis-on-windows-a-first-look.342/
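C:
```c
#include <stdio.h>
#include <stdlib.h>   /* system() */
#include <windows.h>

int main()
{
    int a;

    printf("Please input a number:\n");
    /* x is the number of fields scanf_s converted (1 on success) */
    int x = scanf_s("%d", &a);
    printf("%d\n", x);

    /* "yes" only for multiples of both 5 and 7 in the range 2..199 */
    if (a % 5 == 0 && a % 7 == 0 && a > 1 && a < 200)
        printf("yes\n");
    else
        printf("no\n");

    system("pause");
    return 0;
}
```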
zf = 1
Fill in along these lines
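To read the patch table and the `zf = 1` setting above: every row rewrites only the opcode byte of a two-byte short jump, so the jump target stays the same and only the condition under which it is taken changes. The following is an added example, not code from the original article or from the tool; the function names are illustrative, and the addresses and bytes are the ones in the table.

```c
#include <stdint.h>
#include <stdio.h>

/* One row of the patch table above: a two-byte short jump (opcode, rel8). */
struct patch { uint64_t va; uint8_t raw[2]; uint8_t patched[2]; };

static const struct patch TABLE[] = {
    { 0x000000014000113AULL, {0x75, 0x2F}, {0x74, 0x2F} },
    { 0x0000000140001157ULL, {0x75, 0x12}, {0x74, 0x12} },
    { 0x0000000140001169ULL, {0x76, 0x07}, {0xEB, 0x07} },
};

/* Mnemonic for the short-jump opcodes that occur in the table. */
const char *mnemonic(uint8_t op) {
    switch (op) {
    case 0x74: return "je";
    case 0x75: return "jne";
    case 0x76: return "jbe";
    case 0xEB: return "jmp";
    default:   return "?";
    }
}

/* Target = address of the next instruction (va + 2) plus the signed rel8. */
uint64_t jump_target(uint64_t va, uint8_t rel8) {
    return va + 2 + (uint64_t)(int64_t)(int8_t)rel8;
}

/* 1 if the jump is taken for the given ZF/CF values, -1 for other opcodes. */
int jump_taken(uint8_t op, int zf, int cf) {
    switch (op) {
    case 0x74: return zf != 0;        /* je:  taken when ZF = 1 */
    case 0x75: return zf == 0;        /* jne: taken when ZF = 0 */
    case 0x76: return cf || zf;       /* jbe: taken when CF = 1 or ZF = 1 */
    case 0xEB: return 1;              /* jmp: always taken */
    default:   return -1;
    }
}

int main(void) {
    for (size_t i = 0; i < sizeof TABLE / sizeof TABLE[0]; i++) {
        const struct patch *p = &TABLE[i];
        printf("%016llX  %-3s -> %-3s  target %016llX\n", (unsigned long long)p->va,
               mnemonic(p->raw[0]), mnemonic(p->patched[0]),
               (unsigned long long)jump_target(p->va, p->patched[1]));
    }
    printf("jne taken with ZF=1: %d\n", jump_taken(0x75, 1, 0));
    return 0;
}
```

The first two rows resolve to the same target, 000000014000116B, and forcing ZF to 1 makes an unpatched `jne` fall through instead of jumping.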