Open DarkFrost89 opened 2 years ago
This file has a few problems actually. However, the outcome is probably not going to be what you're looking for at this time.
Invalid Certificate Handling
Steamless does not currently account, at all, for validation certificates. This is mainly because when I first started this project, the goal was not to ensure all resulting files will run, but rather the files would be used for static analysis when doing any kind of modding to the original file at runtime. Because of this, Steamless lacked a handful of specific features that mattered to ensure the resulting binaries are valid to run. (Over the last few years I've updated the various unpackers to deal with this and make most unpacked files run as-is though.)
When a PE file is digitally signed, the certificate is appended to the file as an overlay. The signing process also updates the file's IMAGE_DIRECTORY_ENTRY_SECURITY information, setting the VirtualAddress to the file offset where the cert is located and its given size. This does not do anything special to pre-existing overlays either; it's just added after those.
In the future, the following would need to be added to Steamless for me to be happy with handling certificates:
IMAGE_DIRECTORY_ENTRY_SECURITY properly in the various use-cases and option settings. Thus, if a user wishes to drop the overlay data but keep the certificate, they can. (Or keep the overlay but drop the cert etc.)
Again, it is important to note that after unpacking the file, the digital signature is invalid. Regardless of it being added back to the file properly, it will still fail to validate.
I don't really feel like this is an important fix to make/have. (Except nulling out the IMAGE_DIRECTORY_ENTRY_SECURITY to make the header valid at least.) If someone is unpacking a file that is explicitly checking its own certificate for being valid, it will always fail after being unpacked by Steamless because the hashes will no longer be valid. It is better off then to be removed and the file be modded to bypass the verification of the cert altogether.
IAT Inside .bind Section
The next issue with this file is that the stub version used on this file has updated the IMAGE_DIRECTORY_ENTRY_IMPORT address and copied it into the .bind section. When unpacked, the IAT is not altered at all by Steamless, so the address remains inside of the .bind section. If removed, then the IAT VirtualAddress becomes invalid.
This is the first file I have seen do this. The original IAT is still in the file too when unpacked, so it is odd that the entire thing is copied into the .bind section. I'd assume this must have been an early version of the 2.x variant of the protection as there is really no reason the entire IAT should be moved like this when they are already dynamically resolving the imports the stub requires.
I am not really comfortable implementing a 'fix' for this until I see other samples doing the same thing and can see that it is being done in the same manner. Having Steamless make an educated guess at where the original IAT is may not work on all samples, especially if the protection offers a means to null the original IAT and force it to remain in the .bind section only.
Because of this, at the moment, you will have to leave the .bind section in the unpacked file for it to operate properly.
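A check for the two header conditions described above (the security directory holding a file offset that lands after any pre-existing overlay, and the import directory RVA resolving into .bind), as an added Python example that is not part of Steamless or of this thread. The names analyze, findings and build_sample_pe, the toy PE32+ image it constructs, and the placeholder "certificate" blob (raw bytes, not a WIN_CERTIFICATE structure) are this example's own assumptions.

```python
import struct

# Data directory indices from the PE format (winnt.h names).
IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def parse_pe(data):
    """Return (data_directories, sections) from a raw PE file image.

    Each directory is (VirtualAddress, Size); each section is
    (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData).
    """
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    # Data directories start at +96 (PE32) or +112 (PE32+);
    # NumberOfRvaAndSizes is the DWORD immediately before them.
    dd_off = opt + (112 if magic == 0x20B else 96)
    num_dd, = struct.unpack_from("<I", data, dd_off - 4)
    dirs = [struct.unpack_from("<II", data, dd_off + 8 * i) for i in range(num_dd)]
    sec_tbl = opt + opt_size
    sections = []
    for i in range(num_sections):
        off = sec_tbl + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, va, vsize, raw_ptr, raw_size))
    return dirs, sections


def section_for_rva(sections, rva):
    """Name of the section whose virtual range contains rva, or None."""
    for name, va, vsize, _, _ in sections:
        if va <= rva < va + max(vsize, 1):
            return name
    return None


def analyze(data):
    dirs, sections = parse_pe(data)
    import_rva, _ = dirs[IMAGE_DIRECTORY_ENTRY_IMPORT]
    # Unlike every other directory, the security entry holds a *file offset*, not an RVA.
    cert_off, cert_size = dirs[IMAGE_DIRECTORY_ENTRY_SECURITY]
    overlay_start = max(rp + rs for _, _, _, rp, rs in sections)
    cert_in_overlay = (cert_size != 0 and cert_off >= overlay_start
                       and cert_off + cert_size <= len(data))
    return {
        "import_section": section_for_rva(sections, import_rva),
        "overlay_bytes": len(data) - overlay_start,
        "cert_present": cert_size != 0,
        "cert_in_overlay": cert_in_overlay,
        # Pre-existing overlay bytes between the last section and the certificate.
        "overlay_before_cert": (cert_off - overlay_start) if cert_in_overlay else None,
    }


def findings(report):
    out = []
    if report["import_section"] == ".bind":
        out.append("import directory lives in .bind; dropping that section leaves "
                   "IMAGE_DIRECTORY_ENTRY_IMPORT pointing at nothing")
    if report["cert_present"] and not report["cert_in_overlay"]:
        out.append("IMAGE_DIRECTORY_ENTRY_SECURITY does not point into the overlay; "
                   "the header entry is stale or corrupt")
    if report["overlay_before_cert"]:
        out.append("%d bytes of non-certificate overlay precede the certificate; "
                   "cutting the file at the end of the last section would discard both"
                   % report["overlay_before_cert"])
    return out


def build_sample_pe(section_names, import_rva, overlay=b"", cert=b""):
    """Construct a toy PE32+ file with the given sections (constructed test data)."""
    raw_ptr, va, sections = 0x200, 0x1000, []
    for name in section_names:
        sections.append((name, va, 0x1000, raw_ptr, 0x200))
        va, raw_ptr = va + 0x1000, raw_ptr + 0x200
    body = bytearray(raw_ptr)            # headers plus zero-filled section data
    body[:2] = b"MZ"
    struct.pack_into("<I", body, 0x3C, 0x40)
    body[0x40:0x44] = b"PE\0\0"
    coff = 0x44
    # Machine=AMD64, NumberOfSections, timestamp, symtab, nsyms, SizeOfOptionalHeader, flags
    struct.pack_into("<HHIIIHH", body, coff, 0x8664, len(sections), 0, 0, 0, 240, 0x22)
    opt = coff + 20
    struct.pack_into("<H", body, opt, 0x20B)      # PE32+ magic
    struct.pack_into("<I", body, opt + 108, 16)   # NumberOfRvaAndSizes
    dd = opt + 112
    struct.pack_into("<II", body, dd + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, import_rva, 0x100)
    sec_tbl = opt + 240
    for i, (name, sva, vsize, rp, rs) in enumerate(sections):
        off = sec_tbl + 40 * i
        body[off:off + 8] = name.encode().ljust(8, b"\0")
        struct.pack_into("<IIII", body, off + 8, vsize, sva, rs, rp)
    body += overlay                       # pre-existing, non-certificate overlay
    if cert:                              # signing appends the cert after everything else
        struct.pack_into("<II", body, dd + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, len(body), len(cert))
        body += cert
    return bytes(body)


if __name__ == "__main__":
    # Constructed sample shaped like the issue: import directory moved into .bind,
    # an existing overlay, then a placeholder certificate blob appended by "signing".
    sample = build_sample_pe([".text", ".rdata", ".bind"], 0x3010,
                             overlay=b"OVERLAY!" * 4, cert=b"\x00" * 64)
    for line in findings(analyze(sample)):
        print("-", line)
```

The report separates the two things that get conflated when a tool simply truncates the file at the end of the last section: the overlay that was there before signing and the certificate that signing appended after it. Keeping IMAGE_DIRECTORY_ENTRY_SECURITY consistent (pointing into the file, or zeroed) is what makes the header valid; whether the signature still verifies after unpacking is a separate question the thread already answers.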
bin.zip Same problem with this file; keeping the .bind section works.
Hi @atom0s, today I have an extraction problem with the Stalker Clear Sky game. I tried to delete the .bind section with Steamless, but Steamless erases the .bind section together with the signature from the game at the same time, and the stripped exe doesn't have the signature after extraction. If I keep the .bind section, the signature is not erased and the game works fine, but if I delete the .bind section, the signature is gone and the game does not work. ALL Files.zip Can you fix this issue please? Best regards, Dark Frost