el.caracol
November 8th, 2000, 18:04
Hi +Tsehp,
first of all: excuse me for my very bad English!
(I'm French and I have used an electronic translator to write this message..)
Well, I also worked on Asprotect and I followed with much interest your essays on the call fixer and import table rebuilder.
For my part I had already put into practice the idea of finding the function name and the DLL name starting from its memory address. It is a very simple idea, which certainly has weaknesses, but I can assure you that it works fine!
Two months ago, I developed a (lame) tool prototype (with Delphi 5) based on (nearly) the same idea, which makes it possible to examine the IAT of a dumped prog, to visually detect an "abnormal" IAT, to check the validity of an IAT call fixer, and especially to rebuild a new import table.
(I recently worked on a program Asprotected v1.1: "AZPR351" (elcomsoft), and I dumped it, call-fixed it and rebuilt the Import Table without any problem :-)
Well, I will not explain in detail how the prototype works, but here are the essential points:
- from files containing the names of the export functions for each DLL (i.e. 'kernel32.txt'), it builds a directory of these functions with the addresses corresponding to your system (with GetProcAddress).
- it uses these directories to resolve the IAT addresses contained in the target executable and creates a file called 'addr-FunctResolved.TXT'
- finally it uses this text file to rebuild an Import Table (of Borland type) directly in the dumped executable, according to the parameters specified by the user.
Some details:
It is preferable to work on programs dumped with Raw Offset and Virtual Offset aligned.
The design of the prototype enables you to resolve the IAT on a dumped program (even an incomplete one) and rebuild an import table on another dump of this same program (a complete dump).
(look at the example on Notepad Asprotected in "Caracol-Readme.doc")
Since the rebuilding of the IAT starts only from the txt file 'addr-FunctResolved.txt', it is possible for you to make corrections directly in the txt file.
That can be useful in the case where a "call fixer" doesn't fix all the IAT addresses in one single pass.
It is possible to back up the partially resolved file, then modify the call fixer to correct only the bad addresses, then paste in the corrected addresses.
(Deliberately) the prototype does not write the offset value of the Import Table and its size in the PE Header of the target file. But if you miss that, you can add it in the source code.
In short, to treat an Asprotected program, here are the stages which I used with the prototype:
1- launch the prog, then dump it fully
2- examine the IAT with the prototype to determine the limits of the IAT and to see which are the "abnormal" addresses
3- write a simple call fixer after launching the contaminated program, then dump it
4- examine the result and resolve the IAT addresses with the prototype
5- rebuild an import table in the dumped prog at the entry point with the prototype.
If you give me an available e-mail address, I will send you "caracol.zip" which contains the following files:
(sorry, but the majority of the documents are in French and I'm too lazy and too weak to try to translate them. But I am sure that you will understand the main points by reading only the listings and the logs..)
- Caracol-Readme.doc (well.. a readme on how the prototype works + some tuts on how to use it)
- AZPR321-Asprotected.doc ((asprotected 1.05) a tut on how to make a simple call fixer and use the prototype)
- Caracol-eng.exe (the prototype)
- Delphi-Caracol-Project-Eng (the source code with a little translation.. the first release.. there has been no modification since.)
- Address-DLL-TXT (contains some txt files with functions names)
- Work (a directory with some little examples (Win 98))
Well, that's all..
best regards,
el.caracol@caramail.com
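The address-to-name directory and the import-table rebuild that the post describes, as an added example that is not part of the original post or of the Caracol tool. EXPORTS and SAMPLE_IAT are constructed values standing in for what GetProcAddress and the dump would provide, and the layout emitted is a minimal generic PE import directory, not the Borland-specific one the post mentions.

```python
import struct

# Constructed export directory (address -> DLL, function). The prototype fills
# this on a live Windows system with GetProcAddress over each DLL's export
# list; the addresses here are made up so the example runs offline.
EXPORTS = {
    0xBFF7B2E8: ("kernel32.dll", "GetProcAddress"),
    0xBFF7B9A4: ("kernel32.dll", "LoadLibraryA"),
    0xBFF7C1D0: ("kernel32.dll", "ExitProcess"),
    0xBFF5A3C0: ("user32.dll", "MessageBoxA"),
}
# Constructed IAT read from a dump: slot 2 still points into protector stub
# code, i.e. an "abnormal" entry that the call fixer has not resolved yet.
SAMPLE_IAT = [0xBFF7B2E8, 0xBFF7B9A4, 0x0040D3A0, 0xBFF5A3C0]

def resolve_iat(iat):
    """Return (resolved, abnormal): resolved holds (slot, dll, name) for every
    value found in EXPORTS; abnormal holds (slot, value) for the rest."""
    resolved, abnormal = [], []
    for slot, addr in enumerate(iat):
        if addr in EXPORTS:
            resolved.append((slot,) + EXPORTS[addr])
        else:
            abnormal.append((slot, addr))
    return resolved, abnormal

def build_import_directory(resolved, iat_rva, dir_rva):
    """Serialise IMAGE_IMPORT_DESCRIPTORs, lookup tables (INT) and hint/name
    strings to be placed at dir_rva. FirstThunk points back into the dump's
    own IAT, so each DLL's slots must be contiguous (normal for a compiler)."""
    groups = {}
    for slot, dll, name in resolved:
        groups.setdefault(dll, []).append((slot, name))
    desc_size = 20 * (len(groups) + 1)            # +1 for the null terminator
    descs, blob = b"", b""
    for dll, slots in groups.items():
        first = slots[0][0]
        if [s for s, _ in slots] != list(range(first, first + len(slots))):
            raise ValueError(f"{dll}: IAT slots are not contiguous")
        int_rva = dir_rva + desc_size + len(blob)
        name_base = int_rva + 4 * (len(slots) + 1)  # INT ends with a 0 thunk
        thunks, names = b"", b""
        for _, name in slots:
            thunks += struct.pack("<I", name_base + len(names))
            entry = b"\x00\x00" + name.encode() + b"\x00"  # hint 0 + ASCIIZ
            names += entry + b"\x00" * (len(entry) % 2)    # WORD-align
        dll_rva = name_base + len(names)
        blob += thunks + b"\x00" * 4 + names + dll.encode() + b"\x00"
        blob += b"\x00" * (-len(blob) % 4)                 # align next INT
        descs += struct.pack("<IIIII", int_rva, 0, 0, dll_rva, iat_rva + 4 * first)
    return descs + b"\x00" * 20 + blob
```

The abnormal list is what the post calls the "abnormal" addresses to hand to a call fixer; the returned bytes are what gets written to the dump, with the directory RVA and size still to be set in the PE header by hand, as the post notes.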