From f9d9b56f01d9a117eb00269e1eb566da5285f515 Mon Sep 17 00:00:00 2001
From: chylex <contact@chylex.com>
Date: Fri, 6 Mar 2020 00:47:13 +0100
Subject: [PATCH] Update post - Origin OS Version Bypass & add advanced
 patching guide

Updated for Origin 10.5.64.37936.
---
 ...s.md => 2020-02-22-origin-os-bypass-r6.md} |  9 ++-
 ...rigin-os-bypass-advanced-patching-guide.md | 75 +++++++++++++++++++
 _posts/2020-03-06-origin-os-bypass.md         | 68 +++++++++++++++++
 3 files changed, 151 insertions(+), 1 deletion(-)
 rename _posts/{2020-02-22-origin-os-bypass.md => 2020-02-22-origin-os-bypass-r6.md} (95%)
 create mode 100644 _posts/2020-03-06-origin-os-bypass-advanced-patching-guide.md
 create mode 100644 _posts/2020-03-06-origin-os-bypass.md

diff --git a/_posts/2020-02-22-origin-os-bypass.md b/_posts/2020-02-22-origin-os-bypass-r6.md
similarity index 95%
rename from _posts/2020-02-22-origin-os-bypass.md
rename to _posts/2020-02-22-origin-os-bypass-r6.md
index bea6578..46d65c5 100644
--- a/_posts/2020-02-22-origin-os-bypass.md
+++ b/_posts/2020-02-22-origin-os-bypass-r6.md
@@ -1,8 +1,15 @@
 ---
 title: "Origin OS Version Bypass"
-subtitle: "revision 5, %pub"
+subtitle: "revision 6, %pub"
 date: 2020-02-22
 commentid: 1
+
+permalink: /post/origin-os-bypass/revision-6
+hidden: true
+
+breadcrumbs:
+  - revlatest: /post/origin-os-bypass
+  - revcurrent: 6
 ---
 
 This guide shows how to hex-edit Origin to disable operating system check, which allows NFS Heat to download and install on Windows 7.
diff --git a/_posts/2020-03-06-origin-os-bypass-advanced-patching-guide.md b/_posts/2020-03-06-origin-os-bypass-advanced-patching-guide.md
new file mode 100644
index 0000000..1656fe2
--- /dev/null
+++ b/_posts/2020-03-06-origin-os-bypass-advanced-patching-guide.md
@@ -0,0 +1,75 @@
+---
+title: "Origin OS Version Bypass"
+subtitle: "advanced patching guide, %pub"
+date: 2020-03-02
+commentid: 1
+
+permalink: /post/origin-os-bypass/advanced-patching-guide
+hidden: true
+
+breadcrumbs:
+  - revlatest: /post/origin-os-bypass
+  - revcustom: advanced patching guide
+---
+
+This is an advanced version of the guide to disable operating system check in Origin. It might be a bit rough, maybe I'll add some pictures later, but it should work if you carefully follow the instructions.
+
+If this works for you, I'd appreciate if you [bought me a coffee](https://ko-fi.com/chylex).
+
+# Prerequisites
+
+[Ghidra](https://ghidra-sre.org).
+
+# Setup
+
+Open Ghidra, create a new project, drag the following files into the window and confirm:
+
+* Origin.exe
+* OriginClient.dll
+* OriginClientService.exe
+
+To edit a file, double-click it in the project window, click **Yes** when asked to analyze it, and uncheck `Windows x86 PE Exception Handling` and `Windows x86 PE RTTI Analyzer` because they take forever, and `PDB` because we don't have one. Could probably turn off some other stuff as well, but I didn't check. Then wait until the bottom right thingy finishes. Make yourself some tea or coffee or whatever you like, `OriginClient.dll` takes an eternity.
+
+Follow the guides below. Keep in mind everything is case-sensitive, if the guide tells you to type `NOP`, don't type `nop`.
+
+After editing a file, go to `File -> Export Program...`, open the `Format` drop-down and select `Binary`, and save the file. The file will end up with a `.bin` extension, make sure to remove it.
+
+## OriginClient.dll
+
+Go to `Search -> Program Text...`, type in `checkPrerequisites`, click `Next`.
+
+In the `Decompile` panel, there are 3 occurrences of `if (bVar2 != false) {`. If you click the `if`, the `Listing` panel will scroll down and highlight a line labeled `JZ LAB_...`.
+
+Do this for the first occurrence, then right-click the `JZ LAB_...` line, click `Patch Instruction...`, replace `JZ` with `JMP`, wait, then select `e9 ** ** ** **` (asterisks don't matter, only the beginning). Next line will become `?? 00h`, so do this again but replace `??` with `NOP` and select `90`.
+
+Afterwards, the first 2 occurrences will disappear (sometimes this might take a short while, watch the progress bar in bottom right after patching an instruction). Repeat the same process for the third occurence.
+
+Now that you know the workflow, the rest of the guide will be more brief.
+
+## Origin.exe
+
+### Part 1
+
+Go to `Search -> Program Text...`, check `All Fields`, type in `Problem found in executable`, click `Search All`. Double-click on the first line with `FUN_...` under `Namespace` and close the search results.
+
+In the `Decompile` panel, click the `if` in `if (cVar3 == '\0') {` right above the found text, and patch `JNZ LAB_...` to `JMP` (`eb **`).
+
+Above, click the `if` in `if (hObject == (undefined4 *)0x0) {`, and patch `JNZ LAB_...` to `JMP` (`eb **`).
+
+A little further below, click the `if` in `if (cVar4 == '\0') {`, and patch `JNZ LAB_...` to `JMP` (`e9 ** ** ** **`), then patch `?? 00h` to `NOP` (`90`).
+
+Finally, click the `if` in `if (cVar3 == '\0') {` that just appeared, and patch `JNZ LAB_...` to `JMP` (`eb **`).
+
+### Part 2
+
+Go to `Search -> Program Text...`, check `Program Database` and `Instruction Operands`, type in `WinVerifyTrust`, click `Next`.
+
+In the `Decompile` panel, click the `if` in `if (LVar1 < -0x7ff4feee) {`, and patch `JG LAB_...` to `JMP` (`e9 ** ** ** **`). Then patch the `?? 00h` to `NOP` (`90`).
+
+In the `Decompile` panel, click the `if` in `if (LVar1 == 0) {`, and patch `JZ LAB_...` to `JMP` (`eb ** `).
+
+## OriginClientService.exe
+
+Go to `Seach -> Program Text...`, check `Instruction Operands`, type in `isValidEACertificate`, click `Search All`. The opened panel has 4 occurrences, 2 of which should contain `validateCaller` or `executeProcess`.
+
+For each of the 2 occurrences, first click it. This will highlight a line in the `Listing` panel that contains `CALL Origin::...`, a few lines below there should be a `JNZ LAB_...`, patch it to `JMP` - one of them will be short (`eb **`), the other one will be long (`e9 ** ** ** **`) and will require patching `?? 00h` with `NOP` (`90`) again.
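Review bot: the front matter's `date: 2020-03-02` disagrees with the file name `2020-03-06-origin-os-bypass-advanced-patching-guide.md` and with the sibling post dated 2020-03-06; Jekyll takes the date from the front matter when it is present, so this post will carry a date four days earlier than its `post_url` name suggests. Two typos in the body: `Repeat the same process for the third occurence.` should read `occurrence`, and `Go to \`Seach -> Program Text...\`` should read `Search` to match the other sections. Minor style point: the encoding for the `JZ LAB_...` patch in Part 2 is written as `eb ** ` with a trailing space inside the backticks, unlike `eb **` everywhere else.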
diff --git a/_posts/2020-03-06-origin-os-bypass.md b/_posts/2020-03-06-origin-os-bypass.md
new file mode 100644
index 0000000..bb84f24
--- /dev/null
+++ b/_posts/2020-03-06-origin-os-bypass.md
@@ -0,0 +1,68 @@
+---
+title: "Origin OS Version Bypass"
+subtitle: "revision 7, %pub"
+date: 2020-03-06
+commentid: 1
+---
+
+This guide shows how to hex-edit Origin to disable operating system check, which allows NFS Heat to download and install on Windows 7.
+
+If this works for you, I'd appreciate if you [bought me a coffee](https://ko-fi.com/chylex).
+
+# Prerequisites
+
+Get a hex editor that can handle big files. I'm using [HxD](https://mh-nexus.de/en/hxd/) (Portable).
+
+**Check your Origin.exe version:**
+- For **10.5.64.37936**, this revision should work
+- For **10.5.63.37653**, see [previous revision]({% post_url 2020-02-22-origin-os-bypass-r6 %})
+- For **10.5.60.37244**, see [previous revision]({% post_url 2020-01-26-origin-os-bypass-r5 %})
+- For **10.5.57.35162**, see [previous revision]({% post_url 2019-12-20-origin-os-bypass-r4 %})
+- For **10.5.56.33908**, see [previous revision]({% post_url 2019-12-13-origin-os-bypass-r3 %})
+- For **10.5.55.33574**, see [previous revision]({% post_url 2019-11-14-origin-os-bypass-r2 %})
+- For **10.5.52.32372**, see [previous revision]({% post_url 2019-11-12-origin-os-bypass-r1 %})
+
+If the most recent version is missing, please check the comments; if nobody has commented about it yet, please let me know.
+
+Alternatively, you can try the [advanced patching guide](https://blog.chylex.com/post/origin-os-bypass/advanced-patching-guide) that should work on any version, but the advanced guide is a lot more involved and there be dragons.
+
+I recommend switching Origin to offline mode, because if the game needs an update, you will have to do this again.
+
+# Edits
+
+Open each file in the hex editor. Go to each offset, make sure the sequence of bytes at that offset is the same as what's in the **Old** column, change it to what's in the **New** column.
+
+In HxD, use *Search - Go to...* (Ctrl+G), paste in the offset, click OK, **make sure your cursor is inside the hex section and not the decoded text section**, and type in the new hex values.
+
+## Origin.exe
+
+| Offset | Old | New |
+| ------ | --- | --- |
+| 1FE60 | 75 | EB |
+| 1FED1 | 75 | EB |
+| 1FF3B | 0F 85 92 00 00 00 | E9 93 00 00 00 90 |
+| 1FF8A | 75 | EB |
+| 29C30 | 0F 8F 07 01 00 00 | E9 08 01 00 00 90 |
+| 29D3F | 74 | EB |
+
+## OriginClient.dll
+
+| Offset | Old | New |
+| ------ | --- | --- |
+| 386965 | 0F 84 37 01 00 00 | E9 38 01 00 00 90 |
+| 386AEA | 0F 84 4B 01 00 00 | E9 4C 01 00 00 90 |
+
+## OriginClientService.exe
+
+| Offset | Old | New |
+| ------ | --- | --- |
+| 2E1AF | 75 | EB |
+| 42ABC | 0F 85 93 00 00 00 | E9 94 00 00 00 90 |
+
+# Explanation
+
+If you want a very brief explanation, hex `74`/`75` are conditional jumps, and we turn them into `EB`, which is a forced jump, to skip over a bunch of code. Sequences `0F 8x` are generally variants of jumps that can jump further, and their forced jump equivalent is `E9` which takes 1 byte less, so whatever follows after the jump destination (4 bytes) is turned into `90`, a no-op instruction that does nothing but prevents shifting everything by a byte.
+
+In all cases, we skip over code that either acts upon the result of an OS version check, or the result of a signature check. Most of it is signature checks that *throw a fit* (technical term) when one of the exe/dll files is modified. It's so effective that you need to modify 3 files instead of 1 to get this working (although it's probably a good idea to be validating exe files because parts of Origin run with SYSTEM level privileges, more privileged than your *poweruser* administrator account).
+
+HxD also has a handy Data Inspector panel where, if you select one or more bytes, you can see the x86-64 instruction it represents.
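Review bot: the Explanation says `E9` "takes 1 byte less" than `0F 8x` but never says what that means for the four displacement bytes, so a reader verifying the tables will see `0F 85 92 00 00 00` become `E9 93 00 00 00 90` and may take the `92` to `93` change for a typo; one sentence noting that the relative displacement is measured from the end of the now one-byte-shorter instruction, so it has to grow by one to keep the same target, would close that gap. Two smaller points: the advanced guide is linked by absolute URL `https://blog.chylex.com/post/origin-os-bypass/advanced-patching-guide` while every other revision link uses the `post_url` tag, so `{% post_url 2020-03-06-origin-os-bypass-advanced-patching-guide %}` would be consistent and survive a local or relocated build; and "x86-64 instruction" in the last line should read "x86 instruction", since the advanced guide analyses these files as `Windows x86 PE` (the encodings shown are the same in either mode).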