
Thread: Attention -> Possible new asprotect 1.2 scheme to reach the oep

  1. #1
    tsehp

    First, this is not my work but team work with kayaker and +splaj. Kayaker did the most important work; I just managed to make this target work with a little more work.

    Target: http://www.softshape.com/cham (Chameleon Clock)

    Normally, you trace the target until you find the OEP, then dump it, reconstruct the IATs, paste them, and that's all.

    Now things change a little: there's an interaction between asprotect 1.2 and this target. Here's how:

    Asprotect calls some target code at 492830; you'll see this with the first icedump trace after loading the target. This code makes local memory allocations and sets some flags, then it rets to asprotect, and finally asprotect jumps to the program's OEP: 4aec88.
    If you dump it there, the target will not work: the flags could be detected and the target crashes.
    I chose an easy way to solve this:
    - dump with OEP 4aec88, but prevent asprotect from jumping to 492830 beforehand, so the memory is clear;
    - reconstruct the IATs (thanks revirgin he he);
    - realign sections, but set the OEP to 492830, and change the code here:

        seg000:00492944 pop ebp
        seg000:00492945 jmp loc_4AEC88
        seg000:00492945 start endp

    See the jmp 4aec88; it was a ret before.

    So the target self-initializes what asprotect did by making this call,
    and we jump to the normal OEP.

    Two apps are actually known:
    Advanced Link Catalog v1.00 (http://www.wizetech.com/alc/) and
    Chameleon Clock 2.51 (http://www.softshape.com)

    So Alexey could apply the same scheme to other targets, or maybe change some things if he thinks to check whether we have found something.

    Again, thanks for the team work, and for stopping me going nuts with this one.
    Regards,

    +Tsehp

  2. #2
    +SplAj

    Tsehp

    Thanks for keeping me awake for the last 2 nights; shit, my eyes are so swollen, red and blurry...... actually just like that friggin' chameleon :-)

    Cheers!

    I've found one to share back with you (? incorrect English), and you'll find this one has a funny bloodshot iris as well.

    Revirginated.........

    SplAj

  3. #3
    Kayaker

    Hey nice, by forcing the code in 492830 to process before jumping to the OEP, it does initialize the app properly. It's necessary to skip this code during the unpacking process, where it's normally called, before dumping because it will just cause all kinds of runtime errors later when running the rebuilt file. But even then you get an error at 4AEE12 because 0 is moved into a register instead of an address.

    As Tsehp says, this code sets (Asprotect?) flags of some sort, but it *also* initializes the app by querying the registry of setup parameters for the program such as Language, TimeFormat, ShowDate, Reg, etc. I was able to get the program to run w/o having this setup code processed, the shareware nag ran OK and the program started, but this particular program uses a Winamp type Skin, which was never put on with the way I patched it, so it ended up as a very unobtrusive kind of invisible clock ^_^

    With the other program mentioned, Advanced Link Catalog, I found it was only necessary to bypass the call to program code during unpacking, which can be found with /Tracex BTW, before dumping. For whatever reason it wasn't necessary to process the missed code before running the program at the normal OEP.

    Now both programs have a registration routine tied into Asprotect, at least as far as that the Registration Key was probably generated during packing. I'm not sure if the registration routine is still viable in the unpacked file, but if it is the 256 byte reg key is still an effective protection to "properly" register the app without patching. ALC at least has further limitations that Hz and I were able to get around.

    That said, what advice can we give to shareware authors in this new age of Share the Knowledge enlightenment? Well, I don't really know. I'm not a shareware programmer and I don't know how to beat the combined knowledge and skill of the reversing community. Sophisticated packing routines, registration protections, disabled demo programs, all a credit to their authors' ingenuity and programming skills. All seem to fall eventually.

    I think for most of us here the thrill is in the chase, reversing is just another aspect of programming, in which we're all interested. I think few of the members here who normally post actually distribute cracks (ooh that word tastes bad), fewer still even keep many of the programs they 'reverse' and would never have bought them in the first place.

    I personally don't want to hurt any poor shareware programmer trying to make a buck by posting what I post. And I also know that I'm being a hypocrite just by doing so. But the reversing scene is not going to go away, crack distribution is not going to go away, the only way the shareware authors have a chance is if we all just shut up and go away ourselves. Ain't gonna happen. So if cagey shareware authors monitor this board and glean any new ways to come up with a protection scheme twist that will keep us up till the wee hours with swollen, red, blurry eyes, I say all the credit to them. They say the greatest technological advances occur during times of war. Which side are we on?

    Vive la guerre

    Cheers,
    Kayaker

  4. #4
    tsehp

    It ain't so bad at all. Those RCE activities are first involved with cracking programs, but we also serve to warn those shareware programmers about generic commercial protections that claim to be the ultimate protection, never cracked, etc... We also contribute to keeping the programs' code available for people who want to verify
    eventual concealed activities inside.
    It's kind of like the Napster case: killing the known and visible server, which the music companies could eventually control by asking Napster to pay a small fee for each mp3 traded, could have much limited their loss.

    But no, those tough guys really believe in their power and kill the monster, so all the Napster customers will move to Gnutella and get in touch with this peer-to-peer file exchange system, absolutely impossible to control.

    So as long as people coming here don't request or upload ready-made cracks, keygens, or patches, we can stay, even if I was obliged to remove the anti-M$ pages as the evil empire requested...
