How to make an executable hack?


OpenRift


Recently I've been doing research on executable hacks, as I've been looking to make my own hack for Final Doom's (non-anthology version) exe. I've been aaaall over the place with different ways I could do it, but the one method I found most interesting and understandable to my little ape brain was what came included in doom-plus and doom2-plus's source code. In it comes cracker.exe and a crk file (udoom/doom2 respectively). Upon looking through the crk files, it is clear that the crack operates by applying changes to the executable via changing hex values corresponding to certain variables (SAVEGAMESIZE, MAXVISPLANES, etc.). So with that in mind, how does one even find the corresponding hex addresses for each executable?

Any alternative exe hacking methods are also welcome.


Although this stuff is rather uncharted territory (exe hacks simply aren't as popular as source ports, and for good reason, as they only apply to vanilla), I am delighted to read a thread that actively wants to do something with it. The whole purpose of documenting these thus pays off :)

  • First off, let's keep the Executable Hack page on DoomWiki in the background. It provides a lot of information on the various kinds of hacks out there.
  • Secondly, executable hacks are not for the faint of heart. Because you are working with disassemblers and assembly in general, a significant skill in programming is probably useful. As can be noted by the wiki page, the amount of people that are able to craft exe hacks is significantly limited. Xttl/VV knows this, myk may have, E6y/Entryway knew of this, KGSWS knows of this, AXdoomer knows of this, and perhaps Ling.
  • Finding the correct hex addresses is done with a disassembler, like IDA, Ghidra or MIEW (which I believe Xttl uses). To know where to look, the above skill applies. You really ought to know something about assembly in general to know where to look.
  • KGSWS's Doom_Ace is not an exe hack per se as it does not involve .crk files, but uses modified x86 code in a specialized wad and loader to inject custom code into the vanilla executable, without ever changing anything in said executable. This has been a very novel idea so far, but I couldn't help mentioning it.
On 9/27/2020 at 2:09 AM, OpenRift said:

Recently I've been doing research on executable hacks, as I've been looking to make my own hack for Final Doom's (non-anthology version) exe. I've been aaaall over the place with different ways I could do it, but the one method I found most interesting and understandable to my little ape brain was what came included in doom-plus and doom2-plus's source code. In it comes cracker.exe and a crk file (udoom/doom2 respectively). Upon looking through the crk files, it is clear that the crack operates by applying changes to the executable via changing hex values corresponding to certain variables (SAVEGAMESIZE, MAXVISPLANES, etc.). So with that in mind, how does one even find the corresponding hex addresses for each executable?

Any alternative exe hacking methods are also welcome.

There are a few ways afaik to apply patches:

  • The aforementioned cracker.exe. .crk files are made from a disassembler and provide some kind of a standard to distribute.
  • Applying a patch directly in the exe without .crk. Xttl is known to do this by injecting the code directly.

Hopefully this helps?


I'll answer the question that's in the title "How to make an executable hack?".

Here's somewhere to start:

Download the 7z archive here. It contains two files. One contains the addresses of most of the functions you'll find in Doom's source code. It'll help you find what each function is doing when you open Doom's executable in Ghidra or radare. For Ghidra, you should use a plugin so it can understand Doom's DOS executable format. There may be an easy way to load .idc and .map files, but I don't know how to do it outside of IDA Pro. Also, I found it an easy way to learn using a debugger (x64dbg, OllyDbg) because you see what the code is doing. There are plenty of videos on YouTube that can teach you how to use the tools I just named.

If you learn the x86 assembly language, you'll be able to understand how Doom's C source code translates to assembly. From there, you can start modifying Doom's code.

I wrote this writeup some time ago after I made a patch that fixes the Arch-Vile fire bug in Doom. Read it, it will give you an idea of how hacks are created.

Once you've successfully hacked an executable, you can create a patch for Doom Patcher or CRACKER.EXE (.crk files). On Linux, it's as easy as running this command to print the offsets and the different bytes to be replaced.

cmp -l DOOM2.EXE HACKED.EXE | gawk '{printf "[0x%08X, 0x%02X, 0x%02X],\n", $1-1, strtonum(0$2), strtonum(0$3)}'

I got hold of modifying the code, but I have yet to understand the structure of the executable and how to enlarge the size of arrays allocated on the stack. I got inspired to start hacking executable files when I read this, I started liking it and found an internship as a malware reverse engineer. It's not a skill that goes to waste once you've learned it. Yes, the learning curve is steep, but once you climb the mountain, it's only a walk.

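The cmp/gawk pipeline in the post above prints each differing byte as `[offset, old, new],` but nothing in that pipeline checks, when the patch is later applied, that the target file still holds the expected original bytes. The following Python script is an added example, not code from this thread, from Doom Patcher or from CRACKER.EXE: it reproduces the same diff output (0-based offsets, uppercase hex, same as the gawk printf), parses those lines back, and applies them with a verify-before-write check so a patch list built against one EXE build is refused on a different one. ORIGINAL and HACKED are constructed 10-byte stand-ins, not real Doom executables, and the function names are this example's own.

```python
"""Generate and apply byte-level executable patches.

Added example (not from the thread, Doom Patcher or CRACKER.EXE): mirrors
what `cmp -l | gawk` prints and adds the check that pipeline cannot do,
verifying the original bytes before writing.  Sample bytes below are
constructed, not a real Doom EXE.
"""
from __future__ import annotations

import re

# Constructed 10-byte stand-ins for DOOM2.EXE and HACKED.EXE (not real data).
# HACKED differs at offsets 4 and 8 only.
ORIGINAL = bytes([0x4D, 0x5A, 0x90, 0x00, 0x80, 0x00, 0x00, 0x00, 0x2C, 0x00])
HACKED   = bytes([0x4D, 0x5A, 0x90, 0x00, 0xC0, 0x00, 0x00, 0x00, 0x58, 0x00])

PatchEntry = tuple[int, int, int]  # (0-based offset, original byte, replacement byte)


def diff_bytes(original: bytes, hacked: bytes) -> list[PatchEntry]:
    """Return every differing byte as (offset, old, new).

    Equivalent to `cmp -l` (1-based offsets, hence the gawk `$1-1`) for two
    files of equal size.  A hack that changes the file size is a different
    job, so refuse rather than silently compare only the common prefix.
    """
    if len(original) != len(hacked):
        raise ValueError(f"size mismatch: {len(original)} vs {len(hacked)} bytes")
    return [(i, o, h) for i, (o, h) in enumerate(zip(original, hacked)) if o != h]


def format_patch(entries: list[PatchEntry]) -> list[str]:
    """Same text the gawk printf emits: [0xOFFSET, 0xOLD, 0xNEW],"""
    return [f"[0x{off:08X}, 0x{old:02X}, 0x{new:02X}]," for off, old, new in entries]


_LINE = re.compile(
    r"\[\s*0x([0-9A-Fa-f]+)\s*,\s*0x([0-9A-Fa-f]{2})\s*,\s*0x([0-9A-Fa-f]{2})\s*\]"
)


def parse_patch_line(line: str) -> PatchEntry:
    """Parse one '[0x..., 0x.., 0x..],' line back into a PatchEntry."""
    m = _LINE.search(line)
    if m is None:
        raise ValueError(f"unrecognised patch line: {line!r}")
    return int(m.group(1), 16), int(m.group(2), 16), int(m.group(3), 16)


def apply_patch(data: bytes, entries: list[PatchEntry]) -> bytes:
    """Apply entries to data, refusing if any original byte does not match.

    This is the check worth having: the offsets were found in one specific
    build of the executable and must not be written blindly into another.
    """
    out = bytearray(data)
    for off, old, new in entries:
        if off >= len(out):
            raise ValueError(f"offset 0x{off:08X} is beyond the end of the file")
        if out[off] != old:
            raise ValueError(
                f"byte at 0x{off:08X} is 0x{out[off]:02X}, expected 0x{old:02X}; "
                "wrong executable build?"
            )
        out[off] = new
    return bytes(out)


def round_trip() -> bool:
    """Diff, serialise, parse and re-apply; True when HACKED is reproduced."""
    lines = format_patch(diff_bytes(ORIGINAL, HACKED))
    entries = [parse_patch_line(line) for line in lines]
    return apply_patch(ORIGINAL, entries) == HACKED


if __name__ == "__main__":
    for line in format_patch(diff_bytes(ORIGINAL, HACKED)):
        print(line)
    print("round trip ok:", round_trip())
```

Running the script prints `[0x00000004, 0x80, 0xC0],` and `[0x00000008, 0x2C, 0x58],`, the same two lines the gawk command would produce for these bytes. Applying that list to a file whose byte at 0x4 is already 0xC0 (or to any other build) raises ValueError instead of corrupting the executable, which is the failure the one-liner alone cannot catch.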
