mirror of https://github.com/chylex/Blog.git synced 2025-05-18 00:34:06 +02:00

Update post - Origin OS Version Bypass & add advanced patching guide

Updated for Origin 10.5.64.37936.
This commit is contained in:
chylex 2020-03-06 00:47:13 +01:00
parent fd644db2a0
commit f9d9b56f01
3 changed files with 151 additions and 1 deletion


@ -1,8 +1,15 @@
---
title: "Origin OS Version Bypass"
subtitle: "revision 5, %pub"
subtitle: "revision 6, %pub"
date: 2020-02-22
commentid: 1
permalink: /post/origin-os-bypass/revision-6
hidden: true
breadcrumbs:
- revlatest: /post/origin-os-bypass
- revcurrent: 6
---
This guide shows how to hex-edit Origin to disable operating system check, which allows NFS Heat to download and install on Windows 7.
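Review bot: the rendered hunk shows two `subtitle:` lines (`revision 5, %pub` and `revision 6, %pub`) without removed/added markers, so confirm that only the `revision 6` line remains in the file; a duplicate YAML key would be silently resolved to the last value by most front-matter parsers. The new `permalink: /post/origin-os-bypass/revision-6` and `revcurrent: 6` agree with each other, and `hidden: true` keeps this archived revision out of the index while the `revlatest` breadcrumb still points back to `/post/origin-os-bypass`.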


@ -0,0 +1,75 @@
---
title: "Origin OS Version Bypass"
subtitle: "advanced patching guide, %pub"
date: 2020-03-02
commentid: 1
permalink: /post/origin-os-bypass/advanced-patching-guide
hidden: true
breadcrumbs:
- revlatest: /post/origin-os-bypass
- revcustom: advanced patching guide
---
This is an advanced version of the guide to disable operating system check in Origin. It might be a bit rough, maybe I'll add some pictures later, but it should work if you carefully follow the instructions.
If this works for you, I'd appreciate if you [bought me a coffee](https://ko-fi.com/chylex).
# Prerequisites
[Ghidra](https://ghidra-sre.org).
# Setup
Open Ghidra, create a new project, drag the following files into the window and confirm:
* Origin.exe
* OriginClient.dll
* OriginClientService.exe
To edit a file, double-click it in the project window, click **Yes** when asked to analyze it, and uncheck `Windows x86 PE Exception Handling` and `Windows x86 PE RTTI Analyzer` because they take forever, and `PDB` because we don't have one. Could probably turn off some other stuff as well, but I didn't check. Then wait until the bottom right thingy finishes. Make yourself some tea or coffee or whatever you like, `OriginClient.dll` takes an eternity.
Follow the guides below. Keep in mind everything is case-sensitive, if the guide tells you to type `NOP`, don't type `nop`.
After editing a file, go to `File -> Export Program...`, open the `Format` drop-down and select `Binary`, and save the file. The file will end up with a `.bin` extension, make sure to remove it.
## OriginClient.dll
Go to `Search -> Program Text...`, type in `checkPrerequisites`, click `Next`.
In the `Decompile` panel, there are 3 occurrences of `if (bVar2 != false) {`. If you click the `if`, the `Listing` panel will scroll down and highlight a line labeled `JZ LAB_...`.
Do this for the first occurrence, then right-click the `JZ LAB_...` line, click `Patch Instruction...`, replace `JZ` with `JMP`, wait, then select `e9 ** ** ** **` (asterisks don't matter, only the beginning). Next line will become `?? 00h`, so do this again but replace `??` with `NOP` and select `90`.
Afterwards, the first 2 occurrences will disappear (sometimes this might take a short while, watch the progress bar in bottom right after patching an instruction). Repeat the same process for the third occurence.
Now that you know the workflow, the rest of the guide will be more brief.
## Origin.exe
### Part 1
Go to `Search -> Program Text...`, check `All Fields`, type in `Problem found in executable`, click `Search All`. Double-click on the first line with `FUN_...` under `Namespace` and close the search results.
In the `Decompile` panel, click the `if` in `if (cVar3 == '\0') {` right above the found text, and patch `JNZ LAB_...` to `JMP` (`eb **`).
Above, click the `if` in `if (hObject == (undefined4 *)0x0) {`, and patch `JNZ LAB_...` to `JMP` (`eb **`).
A little further below, click the `if` in `if (cVar4 == '\0') {`, and patch `JNZ LAB_...` to `JMP` (`e9 ** ** ** **`), then patch `?? 00h` to `NOP` (`90`).
Finally, click the `if` in `if (cVar3 == '\0') {` that just appeared, and patch `JNZ LAB_...` to `JMP` (`eb **`).
### Part 2
Go to `Search -> Program Text...`, check `Program Database` and `Instruction Operands`, type in `WinVerifyTrust`, click `Next`.
In the `Decompile` panel, click the `if` in `if (LVar1 < -0x7ff4feee) {`, and patch `JG LAB_...` to `JMP` (`e9 ** ** ** **`). Then patch the `?? 00h` to `NOP` (`90`).
In the `Decompile` panel, click the `if` in `if (LVar1 == 0) {`, and patch `JZ LAB_...` to `JMP` (`eb ** `).
## OriginClientService.exe
Go to `Seach -> Program Text...`, check `Instruction Operands`, type in `isValidEACertificate`, click `Search All`. The opened panel has 4 occurrences, 2 of which should contain `validateCaller` or `executeProcess`.
For each of the 2 occurrences, first click it. This will highlight a line in the `Listing` panel that contains `CALL Origin::...`, a few lines below there should be a `JNZ LAB_...`, patch it to `JMP` - one of them will be short (`eb **`), the other one will be long (`e9 ** ** ** **`) and will require patching `?? 00h` with `NOP` (`90`) again.
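Review bot: the export step (`File -> Export Program...` with the `Binary` format, then removing the `.bin` extension) replaces the installed `Origin.exe`, `OriginClient.dll` and `OriginClientService.exe` with no instruction to keep the originals; add a step in the Setup section telling the reader to copy the three files elsewhere first, so a failed patch or a later Origin update can be recovered from cleanly. Two typos: `Seach -> Program Text...` in the OriginClientService.exe section should read `Search -> Program Text...`, and `third occurence` in the OriginClient.dll section should read `third occurrence`. `the bottom right thingy` in the Setup section would be clearer as the analysis progress bar, which the OriginClient.dll section already calls `the progress bar in bottom right`.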


@ -0,0 +1,68 @@
---
title: "Origin OS Version Bypass"
subtitle: "revision 7, %pub"
date: 2020-03-06
commentid: 1
---
This guide shows how to hex-edit Origin to disable operating system check, which allows NFS Heat to download and install on Windows 7.
If this works for you, I'd appreciate if you [bought me a coffee](https://ko-fi.com/chylex).
# Prerequisites
Get a hex editor that can handle big files. I'm using [HxD](https://mh-nexus.de/en/hxd/) (Portable).
**Check your Origin.exe version:**
- For **10.5.64.37936**, this revision should work
- For **10.5.63.37653**, see [previous revision]({% post_url 2020-02-22-origin-os-bypass-r6 %})
- For **10.5.60.37244**, see [previous revision]({% post_url 2020-01-26-origin-os-bypass-r5 %})
- For **10.5.57.35162**, see [previous revision]({% post_url 2019-12-20-origin-os-bypass-r4 %})
- For **10.5.56.33908**, see [previous revision]({% post_url 2019-12-13-origin-os-bypass-r3 %})
- For **10.5.55.33574**, see [previous revision]({% post_url 2019-11-14-origin-os-bypass-r2 %})
- For **10.5.52.32372**, see [previous revision]({% post_url 2019-11-12-origin-os-bypass-r1 %})
If the most recent version is missing, please check the comments; if nobody has commented about it yet, please let me know.
Alternatively, you can try the [advanced patching guide](https://blog.chylex.com/post/origin-os-bypass/advanced-patching-guide) that should work on any version, but the advanced guide is a lot more involved and there be dragons.
I recommend switching Origin to offline mode, because if the game needs an update, you will have to do this again.
# Edits
Open each file in the hex editor. Go to each offset, make sure the sequence of bytes at that offset is the same as what's in the **Old** column, change it to what's in the **New** column.
In HxD, use *Search - Go to...* (Ctrl+G), paste in the offset, click OK, **make sure your cursor is inside the hex section and not the decoded text section**, and type in the new hex values.
## Origin.exe
| Offset | Old | New |
| ------ | --- | --- |
| 1FE60 | 75 | EB |
| 1FED1 | 75 | EB |
| 1FF3B | 0F 85 92 00 00 00 | E9 93 00 00 00 90 |
| 1FF8A | 75 | EB |
| 29C30 | 0F 8F 07 01 00 00 | E9 08 01 00 00 90 |
| 29D3F | 74 | EB |
## OriginClient.dll
| Offset | Old | New |
| ------ | --- | --- |
| 386965 | 0F 84 37 01 00 00 | E9 38 01 00 00 90 |
| 386AEA | 0F 84 4B 01 00 00 | E9 4C 01 00 00 90 |
## OriginClientService.exe
| Offset | Old | New |
| ------ | --- | --- |
| 2E1AF | 75 | EB |
| 42ABC | 0F 85 93 00 00 00 | E9 94 00 00 00 90 |
# Explanation
If you want a very brief explanation, hex `74`/`75` are conditional jumps, and we turn them into `EB`, which is a forced jump, to skip over a bunch of code. Sequences `0F 8x` are generally variants of jumps that can jump further, and their forced jump equivalent is `E9` which takes 1 byte less, so whatever follows after the jump destination (4 bytes) is turned into `90`, a no-op instruction that does nothing but prevents shifting everything by a byte.
In all cases, we skip over code that either acts upon the result of an OS version check, or the result of a signature check. Most of it is signature checks that *throw a fit* (technical term) when one of the exe/dll files is modified. It's so effective that you need to modify 3 files instead of 1 to get this working (although it's probably a good idea to be validating exe files because parts of Origin run with SYSTEM level privileges, more privileged than your *poweruser* administrator account).
HxD also has a handy Data Inspector panel where, if you select one or more bytes, you can see the x86-64 instruction it represents.
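Review bot: the Explanation section leaves out why every `E9` replacement carries a displacement one larger than the `0F 8x` it replaces (`0F 85 92 00 00 00` becomes `E9 93 00 00 00 90`, `0F 8F 07 01 00 00` becomes `E9 08 01 00 00 90`): a rel32 displacement is measured from the end of the jump instruction, and `E9 rel32` is five bytes where `0F 8x rel32` is six, so the displacement must grow by one for the jump to reach the same target, while the trailing `90` keeps the following instructions at their original offsets. A sentence to that effect would let readers sanity-check the New column against the Old column. Minor: the Data Inspector remark says `x86-64`, while the advanced guide treats these files as `Windows x86 PE`; `x86` is the accurate term for the encoding shown. The `advanced patching guide` link is an absolute `https://blog.chylex.com/...` URL while the revision links use `{% post_url %}`; a `post_url` reference would survive a domain or base-path change.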