My Generic Hex Fix Patchers.. I need your opinion

What should be the future of my Generic Hex Fix Patchers

  • Keep making them as an easy to use, flexible and more compatible patching solution.

    Votes: 8 80.0%
  • Take the patchers down, and distribute individual patches using Lunar IPS.

    Votes: 1 10.0%
  • Take the patchers down, and use another patching solution of your suggestion.

    Votes: 1 10.0%
  • Take the patchers down, and stop making patches / patchers, they're not needed anymore.

    Votes: 0 0.0%

  • Total voters
    10
  • Poll closed.
Hello everyone,

As some of you may know, I've made Shenmue I & II 16:9 Generic Hex Fix v1, an easy one-click visual solution for Windows to permanently patch Shenmue.exe and Shenmue2.exe based on @Esppiral's hard work and findings.

The only reason for making those patchers has been to allow everyone to enjoy those findings as quickly, easily and hassle-free as possible, but like "any" file patchers that make permanent changes to an executable file, those can be detected by some AV software kits and flagged as false positives.

False positive detections are common in the antivirus industry. They occur when a benign program is wrongfully flagged as malicious due to an overly broad detection signature or algorithm used in an antivirus product.
From pcworld.com

More advanced security kits, however, use more advanced analysis and they don't flag such patchers. Windows Defender is one of the more basic kits so it works on a basic level, and although it's more common, it isn't as accurate as the more advanced solutions out there so it may flag the patchers as false positive.

Here's an analysis for the latest Shenmue and Shenmue2 v2 patchers from www.virustotal.com.

o8KGv7Q.png


we4mQ8p.png


There will be at least another patch for Shenmue I & II landing sometime next week, and probably the Generic Hex Fix patchers will need a compatibility update for the upcoming version of Shenmue and/or Shenmue II.

Although the patchers are perfectly safe, I realise that some might be concerned or maybe not fully aware of false positive flagging. Therefore, I want your opinion on what I should do with the patchers for now and the near future.

I'm thinking of four possible scenarios:
  • Keep making them as an easy to use, flexible and more compatible patching solution.
  • Take the patchers down, and distribute individual patches using Lunar IPS, which is a less flexible yet simple solution that has been in use for years.
  • Take the patchers down, and use another patching solution of your suggestion.
  • Take the patchers down, and stop making patches / patchers, they're not needed anymore.
I've included a 7-day poll that ends when the newer Shenmue I & II update will hopefully land, and I'd love to hear what you guys think and how to move forward, so please vote and share your opinions.
The IPS format was designed for small files, it's only capable of addressing 24-bit addresses. (Files under 16MB) You don't want to use IPS for a Windows EXE. If you really want to go the patching route, BPS is probably a better option since it handles large files and checks a hash of the file you're patching to ensure you only use it on the correct file.

Having said that, I still recommend that you consider using an actual mod loader. I was going to port Esppiral's patch to Reloaded last weekend but ended up re-installing Windows twice instead due to what I've narrowed down to being a driver issue. I'm still planning to do that at some point soon, so if someone else doesn't I eventually will. I think all of the stuff being done is better off with a mod loader going forward so people can easily download multiple mods and turn them on and off without worrying about mixing files together.
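The 24-bit offset limit and the source check described in the post above, shown as an added example that is not part of the thread or of any patcher mentioned in it. The CRC32 wrapper only illustrates the "check the file before patching" idea and is not the BPS file format; the sample bytes are constructed, not taken from the game.

```python
import struct
import zlib

IPS_MAX_OFFSET = 0xFFFFFF  # record offsets are 3 bytes, so 16 MiB - 1 is the ceiling

def ips_record(offset, data):
    """Encode one plain IPS record: 3-byte offset, 2-byte size, payload."""
    if offset > IPS_MAX_OFFSET:
        raise ValueError(f"offset {offset:#x} does not fit in 24 bits")
    if offset == 0x454F46:  # these three bytes spell "EOF", the end marker
        raise ValueError("offset would be read as the EOF marker")
    if not 0 < len(data) <= 0xFFFF:
        raise ValueError("payload must be 1..65535 bytes")
    return offset.to_bytes(3, "big") + struct.pack(">H", len(data)) + data

def build_ips(changes):
    return b"PATCH" + b"".join(ips_record(o, d) for o, d in changes) + b"EOF"

def apply_ips(source, patch):
    """Apply plain records. Nothing in the format identifies the intended source."""
    if patch[:5] != b"PATCH":
        raise ValueError("not an IPS patch")
    out, pos = bytearray(source), 5
    while patch[pos:pos + 3] != b"EOF":
        if pos + 5 > len(patch):
            raise ValueError("truncated patch")
        offset = int.from_bytes(patch[pos:pos + 3], "big")
        size = struct.unpack(">H", patch[pos + 3:pos + 5])[0]
        if size == 0:
            raise ValueError("RLE records are not handled in this example")
        data = patch[pos + 5:pos + 5 + size]
        if len(data) != size:
            raise ValueError("truncated patch")
        out.extend(bytes(max(0, offset + size - len(out))))  # IPS may grow the file
        out[offset:offset + size] = data
        pos += 5 + size
    return bytes(out)

def apply_checked(source, patch, expected_crc32):
    """Refuse to patch unless the source is the exact file the patch was made for."""
    actual = zlib.crc32(source)
    if actual != expected_crc32:
        raise ValueError(f"source CRC32 {actual:08x}, expected {expected_crc32:08x}")
    return apply_ips(source, patch)

# Constructed sample (not bytes from the game): a 4:3 float at offset 8 becomes 16:9.
OLD, NEW = struct.pack("<f", 4 / 3), struct.pack("<f", 16 / 9)
SOURCE = bytes(8) + OLD + bytes(8)
PATCH = build_ips([(8, NEW)])
PATCHED = apply_checked(SOURCE, PATCH, zlib.crc32(SOURCE))
```

Running `apply_ips` on an already patched or updated file succeeds silently, while `apply_checked` rejects it; that difference is what a game update would otherwise turn into a corrupted executable.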
It's unfortunate that a lot of great tools are (ab)used so much for nefarious ends that they end up getting flagged like the above screen shows. It's difficult to find a straightforward solution that is generic, complete, easy to use, versatile, compact, and is not flagged due to constant abuses. Take for example one of the generic tools used in my customized patcher, 'sed', it's a well known tool under Linux and its Windows port is quite useful for stuff like this (although there surely are other tools)... what I meant to say is, although this 'sed' tool passes VirusTotal analysis with flying colors (0/67), it has a (VirusTotal) community score of -29 (minus 29). This is mainly due to the fact that the tool is oftentimes packed with malware kits to silently apply changes to binary files in ways that are all but benevolent, case in point:

sed_associations.png

Yes, red means 'BAD!'.
This is just a graph that tells you that a harmless tool like 'sed' has been bundled with malware in some cases.

As for @masterchan777's patches, I understand when someone gets a flag from their AV product and gets skeptical, but on the other hand people have to understand that as important as the anti-virus, even more so I would argue, is to know how credible is the source of the thing you just downloaded. There are lots of recently released, or undocumented, or customized malware that do not get flagged by your AV. Also, let's not forget, the fact that the AV doesn't pick anything doesn't necessarily mean that it's okay. How can you trust/distrust a patch solely based on the AV detection? You can't. A patch could as easily be injecting malicious code that would either do bad things immediately or act as a dropper/downloader to get the actual malware from the web.

EDIT: Forgot to add that I agree that a mod loader would probably be the best of both worlds.
EDIT: Forgot to add that I agree that a mod loader would probably be the best of both worlds.
Not to derail the thread's purpose but I did try porting the generic patches to Reloaded today. (Sorry for posting it here, but I figured I should mention it somewhere) I realized there are some outstanding problems that make it not the best option right now and filed an issue with the developer. Based on specs it seems like it should be a good option - it's generic, has been used for file container redirection before like these ports have, and it already integrates with an online mod database. But the biggest obstacle I see for end-users right now is that it's only capable of launching an EXE directly and mods are patched in when that EXE starts up. While a mod can spawn its own thread to keep running in the background, the loader will shut down as soon as the EXE it launched does. (So it's not designed to work for games that have a mandatory launcher like Shenmue I & II after the first patch) There's an "attach to process" option hidden away from normal users that can attach to the game once it's already running, but I think something like this should just be as simple as picking which mods you want enabled and clicking Launch.
Finally, my initial attempt to port the generic widescreen patch to the mod loader didn't actually work. Not sure if it's my fault or the mod loader's fault yet. It's able to find the areas to patch just fine, but overwriting them has no effect. It's basically doing the exact same thing that ner0's script does, just entirely in memory so it's not permanent. Based on where the executable is in memory I'm wondering if ASLR has something to do with the trouble, but I may consult with the author of Reloaded to see if he knows why once he gets back to me on the issue I filed about supporting indirect launching. (I can always modify his code to do it, but would prefer something that he'd be willing to include in his builds.)
 
Finally, my initial attempt to port the generic widescreen patch to the mod loader didn't actually work. Not sure if it's my fault or the mod loader's fault yet. It's able to find the areas to patch just fine, but overwriting them has no effect. It's basically doing the exact same thing that ner0's script does, just entirely in memory so it's not permanent. Based on where the executable is in memory I'm wondering if ASLR has something to do with the trouble
I can't tell what the issue might be, but @masterchan777 also released patchers based on Cheat Engine which work entirely by patching the same things in memory. It works successfully as far as I could tell from the feedback. The perceived lack of traction for those patcher variants was that they had to be pre-run and applied every time the game was started. That being said, ASLR shouldn't be the issue.