tsehp
March 1st, 2001, 08:43
First, this is not my work but team work with kayaker and +splaj; kayaker did the most important work, I just managed to make this target work with a little more effort.
target : http://www.softshape.com/cham
chameleon clock
Normally you trace the target until you find the OEP, then dump it, reconstruct the IATs, paste them and that's all.
Now things change a little: there's an interaction between ASProtect 1.2 and this target. Here's how:
ASProtect calls some target code at 492830; you'll see this with the first IceDump trace after loading the target. This code makes local memory allocations and sets some flags, then rets to ASProtect; finally ASProtect jumps to the program's OEP: 4aec88.
If you dump it there, the target will not work: the flags could be detected and the target crashes.
I chose an easy way to solve this:
dump with OEP 4aec88, but prevent ASProtect from jumping to 492830 first, so the memory is clear.
reconstruct the IATs (thanks Revirgin, he he)
realign sections, but set the OEP to 492830, and change the code here:
    seg000:00492944 pop ebp
    seg000:00492945 jmp loc_4AEC88
    seg000:00492945 start endp
See the jmp 4aec88; it was a ret before.
So the target initializes itself the way ASProtect did, through this call, and we jump to the normal OEP.
Two apps are currently known:
Advanced Link Catalog v1.00 (http://www.wizetech.com/alc/) and
Chameleon Clock 2.51 (http://www.softshape.com)
So Alexey could apply the same scheme to other targets, or maybe change some things if he decides to check whether we have found something.
Again, thanks for the team work, and for stopping me going nuts with this one.
regards,
+Tsehp
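Added example, not code from tsehp's post nor from the target or ASProtect: a small Python PE32 patcher that performs the last step of the scheme above mechanically on a dumped file. It maps the virtual addresses quoted in the post to file offsets through the section table, overwrites the ret at the end of the init routine (the byte after the pop ebp at 492944) with a jmp rel32 to 4aec88, and sets AddressOfEntryPoint to 492830. The addresses and image base 400000 are the post's; the input file is a constructed minimal one-section PE standing in for the dump, and the check that the four bytes following the ret are padding is an assumption added here, because a 5-byte jmp clobbers them.

```python
import struct

# Addresses quoted in the post (Chameleon Clock under ASProtect 1.2); image base assumed 0x400000.
IMAGE_BASE  = 0x400000
INIT_VA     = 0x492830   # routine ASProtect calls before the real OEP; becomes the new entry point
INIT_RET_VA = 0x492945   # the 'ret' ending that routine (right after 'pop ebp' at 0x492944)
REAL_OEP_VA = 0x4AEC88   # the program's real OEP


def parse_pe(data):
    """Return (optional-header offset, image base, sections) of a PE32 file."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    if struct.unpack_from("<H", data, opt_off)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    image_base = struct.unpack_from("<I", data, opt_off + 28)[0]
    sections = []
    for i in range(nsec):   # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, opt_off + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), rawptr, rawsize))
    return opt_off, image_base, sections


def va_to_offset(va, image_base, sections):
    """Map a virtual address to a file offset via the section table."""
    rva = va - image_base
    for sec_va, vsize, rawptr, rawsize in sections:
        if sec_va <= rva < sec_va + vsize:
            delta = rva - sec_va
            if delta >= rawsize:
                raise ValueError(f"VA {va:#x} has no backing bytes in the file")
            return rawptr + delta
    raise ValueError(f"VA {va:#x} is not inside any section")


def patch_ret_to_jmp(data, ret_va, target_va):
    """Overwrite the 1-byte 'ret' at ret_va with a 5-byte 'jmp rel32' to target_va."""
    data = bytearray(data)
    _, image_base, sections = parse_pe(data)
    off = va_to_offset(ret_va, image_base, sections)
    if data[off] != 0xC3:
        raise ValueError(f"expected ret (C3) at {ret_va:#x}, found {data[off]:#04x}")
    # jmp rel32 is 5 bytes, so the 4 bytes after the ret get clobbered.
    # Assumption: they are inter-function padding (int3/nop/zero); refuse otherwise.
    if any(b not in (0xCC, 0x90, 0x00) for b in data[off + 1:off + 5]):
        raise ValueError("bytes after the ret are code, not padding; pick another patch site")
    rel32 = (target_va - (ret_va + 5)) & 0xFFFFFFFF   # relative to the end of the jmp
    data[off:off + 5] = b"\xE9" + struct.pack("<I", rel32)
    return bytes(data)


def set_entry_point(data, new_ep_va):
    """Store new_ep_va in AddressOfEntryPoint (which holds an RVA, not a VA)."""
    data = bytearray(data)
    opt_off, image_base, _ = parse_pe(data)
    struct.pack_into("<I", data, opt_off + 16, new_ep_va - image_base)
    return bytes(data)


def entry_point_va(data):
    opt_off, image_base, _ = parse_pe(data)
    return image_base + struct.unpack_from("<I", data, opt_off + 16)[0]


def jmp_target(data, jmp_va):
    """Decode the destination of a 'jmp rel32' at jmp_va, to verify the patch."""
    _, image_base, sections = parse_pe(data)
    off = va_to_offset(jmp_va, image_base, sections)
    if data[off] != 0xE9:
        raise ValueError(f"no jmp rel32 at {jmp_va:#x}")
    return jmp_va + 5 + struct.unpack_from("<i", data, off + 1)[0]


def build_sample_pe():
    """Constructed stand-in for the dump (not the real target): a minimal one-section
    PE32 whose .text spans 0x401000..0x4B1000, entry point still at the dumped OEP,
    with 'pop ebp; ret' at 0x492944 followed by int3 padding."""
    sec_va, sec_raw, sec_size = 0x1000, 0x400, 0xB0000
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 16, REAL_OEP_VA - IMAGE_BASE)     # OEP as dumped: 4aec88
    struct.pack_into("<I", opt, 28, IMAGE_BASE)
    sec = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", sec_size, sec_va,
                      sec_size, sec_raw, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec).ljust(sec_raw, b"\0")
    body = bytearray(sec_size)
    epilogue = INIT_RET_VA - 1 - IMAGE_BASE - sec_va
    body[epilogue:epilogue + 6] = b"\x5D\xC3" + b"\xCC" * 4       # pop ebp; ret; int3 x4
    return headers + bytes(body)


def relink_dump(data):
    """The post's scheme: entry point -> init routine, its ret -> jmp to the real OEP."""
    return set_entry_point(patch_ret_to_jmp(data, INIT_RET_VA, REAL_OEP_VA), INIT_VA)


if __name__ == "__main__":
    fixed = relink_dump(build_sample_pe())
    print(f"entry {entry_point_va(fixed):#x}; jmp at {INIT_RET_VA:#x} -> {jmp_target(fixed, INIT_RET_VA):#x}")
```

On a real dump you would read the file into `data`, call `relink_dump`, and write the result back after the IAT has already been rebuilt and the sections realigned; the patcher only touches the five bytes at the ret and the entry-point field, and it refuses to run if the bytes after the ret are not padding, since clobbering live code there would crash the target just as surely as the dirty flags did.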