From f9d9b56f01d9a117eb00269e1eb566da5285f515 Mon Sep 17 00:00:00 2001 From: chylex <contact@chylex.com> Date: Fri, 6 Mar 2020 00:47:13 +0100 Subject: [PATCH] Update post - Origin OS Version Bypass & add advanced patching guide Updated for Origin 10.5.64.37936. --- ...s.md => 2020-02-22-origin-os-bypass-r6.md} | 9 ++- ...rigin-os-bypass-advanced-patching-guide.md | 75 +++++++++++++++++++ _posts/2020-03-06-origin-os-bypass.md | 68 +++++++++++++++++ 3 files changed, 151 insertions(+), 1 deletion(-) rename _posts/{2020-02-22-origin-os-bypass.md => 2020-02-22-origin-os-bypass-r6.md} (95%) create mode 100644 _posts/2020-03-06-origin-os-bypass-advanced-patching-guide.md create mode 100644 _posts/2020-03-06-origin-os-bypass.md diff --git a/_posts/2020-02-22-origin-os-bypass.md b/_posts/2020-02-22-origin-os-bypass-r6.md similarity index 95% rename from _posts/2020-02-22-origin-os-bypass.md rename to _posts/2020-02-22-origin-os-bypass-r6.md index bea6578..46d65c5 100644 --- a/_posts/2020-02-22-origin-os-bypass.md +++ b/_posts/2020-02-22-origin-os-bypass-r6.md @@ -1,8 +1,15 @@ --- title: "Origin OS Version Bypass" -subtitle: "revision 5, %pub" +subtitle: "revision 6, %pub" date: 2020-02-22 commentid: 1 + +permalink: /post/origin-os-bypass/revision-6 +hidden: true + +breadcrumbs: + - revlatest: /post/origin-os-bypass + - revcurrent: 6 --- This guide shows how to hex-edit Origin to disable operating system check, which allows NFS Heat to download and install on Windows 7. diff --git a/_posts/2020-03-06-origin-os-bypass-advanced-patching-guide.md b/_posts/2020-03-06-origin-os-bypass-advanced-patching-guide.md new file mode 100644 index 0000000..1656fe2 --- /dev/null +++ b/_posts/2020-03-06-origin-os-bypass-advanced-patching-guide.md @@ -0,0 +1,75 @@ +--- +title: "Origin OS Version Bypass" +subtitle: "advanced patching guide, %pub" +date: 2020-03-02 +commentid: 1 + +permalink: /post/origin-os-bypass/advanced-patching-guide +hidden: true + +breadcrumbs: + - revlatest: /post/origin-os-bypass + - revcustom: advanced patching guide +--- + +This is an advanced version of the guide to disable operating system check in Origin. It might be a bit rough, maybe I'll add some pictures later, but it should work if you carefully follow the instructions. + +If this works for you, I'd appreciate if you [bought me a coffee](https://ko-fi.com/chylex). + +# Prerequisites + +[Ghidra](https://ghidra-sre.org). + +# Setup + +Open Ghidra, create a new project, drag the following files into the window and confirm: + +* Origin.exe +* OriginClient.dll +* OriginClientService.exe + +To edit a file, double-click it in the project window, click **Yes** when asked to analyze it, and uncheck `Windows x86 PE Exception Handling` and `Windows x86 PE RTTI Analyzer` because they take forever, and `PDB` because we don't have one. Could probably turn off some other stuff as well, but I didn't check. Then wait until the bottom right thingy finishes. Make yourself some tea or coffee or whatever you like, `OriginClient.dll` takes an eternity. + +Follow the guides below. Keep in mind everything is case-sensitive, if the guide tells you to type `NOP`, don't type `nop`. + +After editing a file, go to `File -> Export Program...`, open the `Format` drop-down and select `Binary`, and save the file. The file will end up with a `.bin` extension, make sure to remove it. + +## OriginClient.dll + +Go to `Search -> Program Text...`, type in `checkPrerequisites`, click `Next`. + +In the `Decompile` panel, there are 3 occurrences of `if (bVar2 != false) {`. If you click the `if`, the `Listing` panel will scroll down and highlight a line labeled `JZ LAB_...`. + +Do this for the first occurrence, then right-click the `JZ LAB_...` line, click `Patch Instruction...`, replace `JZ` with `JMP`, wait, then select `e9 ** ** ** **` (asterisks don't matter, only the beginning). Next line will become `?? 00h`, so do this again but replace `??` with `NOP` and select `90`. + +Afterwards, the first 2 occurrences will disappear (sometimes this might take a short while, watch the progress bar in bottom right after patching an instruction). Repeat the same process for the third occurence. + +Now that you know the workflow, the rest of the guide will be more brief. + +## Origin.exe + +### Part 1 + +Go to `Search -> Program Text...`, check `All Fields`, type in `Problem found in executable`, click `Search All`. Double-click on the first line with `FUN_...` under `Namespace` and close the search results. + +In the `Decompile` panel, click the `if` in `if (cVar3 == '\0') {` right above the found text, and patch `JNZ LAB_...` to `JMP` (`eb **`). + +Above, click the `if` in `if (hObject == (undefined4 *)0x0) {`, and patch `JNZ LAB_...` to `JMP` (`eb **`). + +A little further below, click the `if` in `if (cVar4 == '\0') {`, and patch `JNZ LAB_...` to `JMP` (`e9 ** ** ** **`), then patch `?? 00h` to `NOP` (`90`). + +Finally, click the `if` in `if (cVar3 == '\0') {` that just appeared, and patch `JNZ LAB_...` to `JMP` (`eb **`). + +### Part 2 + +Go to `Search -> Program Text...`, check `Program Database` and `Instruction Operands`, type in `WinVerifyTrust`, click `Next`. + +In the `Decompile` panel, click the `if` in `if (LVar1 < -0x7ff4feee) {`, and patch `JG LAB_...` to `JMP` (`e9 ** ** ** **`). Then patch the `?? 00h` to `NOP` (`90`). + +In the `Decompile` panel, click the `if` in `if (LVar1 == 0) {`, and patch `JZ LAB_...` to `JMP` (`eb ** `). + +## OriginClientService.exe + +Go to `Seach -> Program Text...`, check `Instruction Operands`, type in `isValidEACertificate`, click `Search All`. The opened panel has 4 occurrences, 2 of which should contain `validateCaller` or `executeProcess`. + +For each of the 2 occurrences, first click it. This will highlight a line in the `Listing` panel that contains `CALL Origin::...`, a few lines below there should be a `JNZ LAB_...`, patch it to `JMP` - one of them will be short (`eb **`), the other one will be long (`e9 ** ** ** **`) and will require patching `?? 00h` with `NOP` (`90`) again. diff --git a/_posts/2020-03-06-origin-os-bypass.md b/_posts/2020-03-06-origin-os-bypass.md new file mode 100644 index 0000000..bb84f24 --- /dev/null +++ b/_posts/2020-03-06-origin-os-bypass.md @@ -0,0 +1,68 @@ +--- +title: "Origin OS Version Bypass" +subtitle: "revision 7, %pub" +date: 2020-03-06 +commentid: 1 +--- + +This guide shows how to hex-edit Origin to disable operating system check, which allows NFS Heat to download and install on Windows 7. + +If this works for you, I'd appreciate if you [bought me a coffee](https://ko-fi.com/chylex). + +# Prerequisites + +Get a hex editor that can handle big files. I'm using [HxD](https://mh-nexus.de/en/hxd/) (Portable). + +**Check your Origin.exe version:** +- For **10.5.64.37936**, this revision should work +- For **10.5.63.37653**, see [previous revision]({% post_url 2020-02-22-origin-os-bypass-r6 %}) +- For **10.5.60.37244**, see [previous revision]({% post_url 2020-01-26-origin-os-bypass-r5 %}) +- For **10.5.57.35162**, see [previous revision]({% post_url 2019-12-20-origin-os-bypass-r4 %}) +- For **10.5.56.33908**, see [previous revision]({% post_url 2019-12-13-origin-os-bypass-r3 %}) +- For **10.5.55.33574**, see [previous revision]({% post_url 2019-11-14-origin-os-bypass-r2 %}) +- For **10.5.52.32372**, see [previous revision]({% post_url 2019-11-12-origin-os-bypass-r1 %}) + +If the most recent version is missing, please check the comments; if nobody has commented about it yet, please let me know. + +Alternatively, you can try the [advanced patching guide](https://blog.chylex.com/post/origin-os-bypass/advanced-patching-guide) that should work on any version, but the advanced guide is a lot more involved and there be dragons. + +I recommend switching Origin to offline mode, because if the game needs an update, you will have to do this again. + +# Edits + +Open each file in the hex editor. Go to each offset, make sure the sequence of bytes at that offset is the same as what's in the **Old** column, change it to what's in the **New** column. + +In HxD, use *Search - Go to...* (Ctrl+G), paste in the offset, click OK, **make sure your cursor is inside the hex section and not the decoded text section**, and type in the new hex values. + +## Origin.exe + +| Offset | Old | New | +| ------ | --- | --- | +| 1FE60 | 75 | EB | +| 1FED1 | 75 | EB | +| 1FF3B | 0F 85 92 00 00 00 | E9 93 00 00 00 90 | +| 1FF8A | 75 | EB | +| 29C30 | 0F 8F 07 01 00 00 | E9 08 01 00 00 90 | +| 29D3F | 74 | EB | + +## OriginClient.dll + +| Offset | Old | New | +| ------ | --- | --- | +| 386965 | 0F 84 37 01 00 00 | E9 38 01 00 00 90 | +| 386AEA | 0F 84 4B 01 00 00 | E9 4C 01 00 00 90 | + +## OriginClientService.exe + +| Offset | Old | New | +| ------ | --- | --- | +| 2E1AF | 75 | EB | +| 42ABC | 0F 85 93 00 00 00 | E9 94 00 00 00 90 | + +# Explanation + +If you want a very brief explanation, hex `74`/`75` are conditional jumps, and we turn them into `EB`, which is a forced jump, to skip over a bunch of code. Sequences `0F 8x` are generally variants of jumps that can jump further, and their forced jump equivalent is `E9` which takes 1 byte less, so whatever follows after the jump destination (4 bytes) is turned into `90`, a no-op instruction that does nothing but prevents shifting everything by a byte. + +In all cases, we skip over code that either acts upon the result of an OS version check, or the result of a signature check. Most of it is signature checks that *throw a fit* (technical term) when one of the exe/dll files is modified. It's so effective that you need to modify 3 files instead of 1 to get this working (although it's probably a good idea to be validating exe files because parts of Origin run with SYSTEM level privileges, more privileged than your *poweruser* administrator account). + +HxD also has a handy Data Inspector panel where, if you select one or more bytes, you can see the x86-64 instruction it represents.