My favourite Windows explorer is xplorer2.
This post is just my reverse engineering game.
You should support the author here.
Haha, let’s play.
Warning
For test purposes only!
Patch
7z password: 543210.
7z SHA-256: 080ABFEDCE0ABAA7A0A00387AB8DC3A141D1DA6CDD28037A7E85ABA0EA0B5382.
How to use
- Install the 64-bit Ultimate Edition.
- Unpack the patch archive to the C:\Program Files\zabkat\xplorer2_ult folder.
- Restart the program.
ChangeLog
v1.0.0
There is only one byte different from the genuine file.
v1.1.0
It seems that the author sometimes calls WinVerifyTrust to check the file signature and then silently crashes the program.
Editing the file directly doesn’t seem to be a good way to apply the patch.
The patch was updated to a memory patch DLL.
v1.1.1
It seems the program still crashes from time to time…
And I found this.
000000000058B3C4 | 41:81FC E6820000 | cmp r12d,82E6 |
000000000058B3CB | 75 0B | jne xplorer2_64.58B3D8 |
000000000058B3CD | C70425 01000000 02000000 | mov dword ptr ds:[1],2 |
000000000058B3D8 | B8 54810000 | mov eax,8154 |
000000000058B3DD | 44:3BE0 | cmp r12d,eax |
000000000058B3E0 | 0F87 8E000000 | ja xplorer2_64.58B474 |
000000000058B3E6 | 0F84 DF000000 | je xplorer2_64.58B4CB |
000000000058B3EC | B8 C8800000 | mov eax,80C8 |
000000000058B3F1 | 44:3BE0 | cmp r12d,eax |
000000000058B3F4 | 77 37 | ja xplorer2_64.58B42D |
000000000058B3F6 | 0F84 CF000000 | je xplorer2_64.58B4CB |
000000000058B3FC | 41:81EC 29800000 | sub r12d,8029 |
000000000058B403 | 0F84 C2000000 | je xplorer2_64.58B4CB |
000000000058B409 | 41:83EC 4C | sub r12d,4C |
000000000058B40D | 0F84 B8000000 | je xplorer2_64.58B4CB |
000000000058B413 | 41:83EC 12 | sub r12d,12 |
The instruction mov dword ptr ds:[1],2 is strange: low addresses are protected by the operating system, so the write obviously results in an access violation.
The patch was updated to nop this instruction.
v1.1.2
Finally, I found the root cause of that crash.
The author scans for memory patch DLLs in the C:\Program Files\zabkat\xplorer2_ult folder, then posts message 0x82e6, which triggers the access violation instruction that I found in the previous version.
The patch was updated to nop this scan.
v1.1.3
Another scan found. The author encoded the string. Nop.
v1.1.4
Hacked the update check, to make it harder to detect.
v1.1.5
Fixed pattern for v6.1.0.5.