atom0s
commented
2 years ago This file has a few problems actually. However, the outcome is probably not going to be what you're looking for at this time.
Invalid Certificate Handling
Steamless does not currently account, at all, for validation certificates. This is mainly because when I first started this project, the goal was not to ensure all resulting files will run, but rather the files would be used for static analysis when doing any kind of modding to the original file at runtime. Because of this, Steamless lacked a handful of specific features that mattered to ensure the resulting binaries are valid to run. (Over the last few years I've updated the various unpackers to deal with this and make most unpacked files run as-is though.)
When a PE file is digitally signed, the certificate is appended to the file as an overlay. The signing process also updates the files IMAGE_DIRECTORY_ENTRY_SECURITY information, setting the VirtualAddress to the file offset where the cert is located and its given size. This does not do anything special to pre-existing overlays as well, it's just added after those.
In the future, the following would need to be added to Steamless for me to be happy with handling certificates:
- Add support for detecting if a digital signature is present in the packed file.
- Add support for specifically finding the certificate and its data. (Similar to how the overlay stuff works now.)
- Add support for specifically finding non-certificate overlay data and keeping it separated from the certificate.
- Add options to allow for:
- Keep overlay data specifically.
- Keep certificate specifically.
- Add support for handling the
IMAGE_DIRECTORY_ENTRY_SECURITYproperly in the various use-cases and option settings.
Thus, if a user wishes to drop the overlay data but keep the certificate, they can. (Or keep the overlay but drop the cert etc.)
Again, it is important to note that after unpacking the file, the digital signature is invalid. Regardless of it being added back to the file properly, it will still fail to validate.
I don't really feel like this is an important fix to make/have. (Except nulling out the IMAGE_DIRECTORY_ENTRY_SECURITY to make the header valid at least.) If someone is unpacking a file that is explicitly checking its own certificate for being valid, it will always fail after being unpacked by Steamless because the hashes will no longer be valid. It is better off then to be removed and the file be modded to bypass the verification of the cert altogether.
IAT Inside .bind Section
The next issue with this file is that the stub version used on this file has updated the IMAGE_DIRECTORY_ENTRY_IMPORT address and copied it into the .bind section. When unpacked, the IAT is not altered at all by Steamless, so the address remains inside of the .bind section. If removed, then the IAT VirtualAddress becomes invalid.
This is the first file I have seen do this. The original IAT is still in the file too when unpacked, so it is odd that the entire thing is copied into the .bind section. I'd assume this must have been an early version of the 2.x variant of the protection as there is really no reason the entire IAT should be moved like this when they are already dynamically resolving the imports the stub requires.
I am not really comfortable implementing a 'fix' for this until I see other samples doing the same thing and can see that it is being done in the same manner. Having Steamless make an educated guess at where the original IAT is may not work on all samples, especially if the protection offers a means to null the original IAT and force it to remain in the .bind section only.
Because of this, at the moment, you will have to leave the .bind section in the unpacked file for it to operate properly.
oureveryday
Hi @atom0s Today I have Extraction Problem For Stalker Clear Sky Game I Try To Delete Bind Files With Steamless But Steamless Erease Bind Section With Signature File From The Game Same Time And Stripped Exe Doesnt Have Signature File After Exraction İf I Keep Bind Section Signature File Not Ereased Game Working Good But I Delete Bind Section Signature File Gone And Game Not Working ALL Files.zip
Can You Fix This İssue Please ?
Best Regards
Dark Frost