ergrelet / unlicense

Dynamic unpacker and import fixer for Themida/WinLicense 2.x and 3.x.
GNU General Public License v3.0

Fail on x64 native dll: ERROR - IAT not found #48

Closed greenozon closed 1 year ago

greenozon commented 2 years ago

Any hints as to which piece of code I should look into in order to move forward? Thanks in advance!

Input: native x64 dll, Win7x64 OS, Python 3.8.10 (tags/v3.8.10:3d8993a, May 3 2021, 11:48:03) [MSC v.1928 64 bit (AMD64)] on win32

c:\123>unlicense db64.dll --verbose=true
INFO - Detected packer version: 3.x
DEBUG - Probed .text section at (0x1000, 0x1d0a6ba)
frida-agent: Setting up OEP tracing for "db64.dll"
frida-agent: Target module has been loaded (thread #8276) ...
frida-agent: Exception handler registered
frida-agent: OEP found (thread #8276): 0x7fe9fdb2108
INFO - OEP reached: OEP=0x7fe9fdb2108 BASE=0x7fe9fdb0000 DOTNET=False
DEBUG - Exports count: 16460
DEBUG - Looking for the IAT at (0x7fe9fdb0000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 83
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fe9fdb1000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fe9fdb2000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fe9fdb3000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fe9fdb4000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea1abc000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 21
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 21
DEBUG - Looking for the IAT at (0x7fea1abd000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 16
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 1
DEBUG - Looking for the IAT at (0x7fea1abe000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 79
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 60
DEBUG - Looking for the IAT at (0x7fea1abf000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 84
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 82
DEBUG - Looking for the IAT at (0x7fea2095000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 64
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 16
DEBUG - Looking for the IAT at (0x7fea2096000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 58
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea2097000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea2098000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 38
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea2146000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 0
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea2147000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 0
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea2148000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 0
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea2149000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 0
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea21a4000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 0
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea21a5000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 0
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea21a6000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 0
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea21a7000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 0
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea21a8000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 0
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea21c5000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea21c6000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea21c7000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea21c8000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea22a2000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 75
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea22a3000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 0
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea22a4000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 1
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea22a5000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 5
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 5
DEBUG - Looking for the IAT at (0x7fea22a6000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 60
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea22a7000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea22a8000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea244f000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x158 for the IAT
DEBUG - Non-null pointer count: 56
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 49
DEBUG - Looking for the IAT at (0x7fea2450000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 100
DEBUG - Looking for the IAT at (0x7fea2451000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 79
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 79
DEBUG - Looking for the IAT at (0x7fea2452000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 0
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea2453000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea2454000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 6
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea2455000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 95
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea2456000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0xd8 for the IAT
DEBUG - Non-null pointer count: 70
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 1
DEBUG - Looking for the IAT at (0x7fea2457000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea2458000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea2459000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea2a32000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 95
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea2a33000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea2a34000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea2a35000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea2dba000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 64
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
ERROR - IAT not found

ergrelet commented 2 years ago

Hi!

Hmm it seems like the obfuscated IAT isn't quite as expected by unlicense so it doesn't find anything. If you could share the binary I could confirm the potential solution to this issue.
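
A small triage script for the verbose log above, as an added example that is not part of the issue or of unlicense's own code: it groups the DEBUG lines per scanned page and lists the pages where no pointer counted as a valid API although most non-null pointers had R*X destinations. The meaning of the counters is read off the log labels; `PageScan`, `parse_scans`, `wrapped_iat_candidates` and the 0.9 ratio are names and values assumed here.

```python
import re
from collections import namedtuple

PageScan = namedtuple("PageScan", "address start_offset non_null valid_apis rx_dests")
KEYS = {"Looking for the IAT at": "address", "Potential start offset": "start_offset",
        "Non-null pointer count": "non_null", "Valid APIs count": "valid_apis",
        "R*X destination count": "rx_dests"}
LINE_RE = re.compile("(" + "|".join(map(re.escape, KEYS)) + r")\D*?(0x[0-9a-f]+|\d+)")

def parse_scans(log):
    """Group the per-page DEBUG lines (labels as printed in the log) into PageScan records."""
    scans, cur = [], {}
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # e.g. "Scanning 100 elements" or frida-agent lines
        key = KEYS[m.group(1)]
        if key == "address":
            cur = {}  # a new page starts; a truncated previous record is dropped
        cur[key] = int(m.group(2), 0)
        if len(cur) == len(PageScan._fields):
            scans.append(PageScan(**cur))
            cur = {}
    return scans

def wrapped_iat_candidates(scans, min_ratio=0.9):
    """Pages with no valid API where most non-null pointers have R*X destinations."""
    hits = [s for s in scans if s.non_null and s.valid_apis == 0
            and s.rx_dests / s.non_null >= min_ratio]  # min_ratio is an assumed cut-off
    return sorted(hits, key=lambda s: s.rx_dests, reverse=True)

# Two page scans excerpted from the log in this issue.
SAMPLE = """\
DEBUG - Looking for the IAT at (0x7fe9fdb0000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 83
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea2450000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 100
"""

if __name__ == "__main__":
    print([hex(s.address) for s in wrapped_iat_candidates(parse_scans(SAMPLE))])
```

Feeding it the full `--verbose=true` output narrows the scan records to the few pages worth inspecting by hand in a debugger.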

greenozon commented 2 years ago

Here it is: https://www.sendspace.com/file/w27it1 thanks

greenozon commented 2 years ago

@ergrelet does it help to understand the issue and shed some light on the tool?...

filamento commented 1 year ago

I'm having exactly the same problem of "IAT not found" with this program (uses Themida/WinLicense 3.x):

https://download.softros.com/SoftrosLANMessengerSetup.exe

Does anyone know how to unpack it?

ergrelet commented 1 year ago

@greenozon @filamento Hi! I've pushed a fix on the dev branch, please check it out.