ergrelet / unlicense

Dynamic unpacker and import fixer for Themida/WinLicense 2.x and 3.x.
GNU General Public License v3.0

New `A resolved API wasn't an export` warnings in `dev` branch #91

Closed alexrp closed 1 year ago

alexrp commented 1 year ago

I don't know if this is expected, but the dev branch currently gives these warnings:

$ unlicense TERA.exe
INFO - Detected packer version: 3.x
frida-agent: Setting up OEP tracing for "TERA.exe"
frida-agent: Exception handler registered
frida-agent: TLS callback #0 detected (at 0x7ff7e7b05090), skipping ...
frida-agent: TLS callback #1 detected (at 0x7ff7e7b05490), skipping ...
frida-agent: OEP found (thread #5932): 0x7ff7e7b0587c
INFO - OEP reached: OEP=0x7ff7e7b0587c BASE=0x7ff7e5c20000 DOTNET=False
INFO - Looking for the IAT...
INFO - Performing linear scan in data sections...
INFO - IAT found: 0x7ff7e7c29000-0x7ff7e89b4000
INFO - Resolving imports ...
WARNING - A resolved API wasn't an export, it's been replaced with 'kernel32.ExitProcess'.
WARNING - A resolved API wasn't an export, it's been replaced with 'kernel32.ExitProcess'.
WARNING - A resolved API wasn't an export, it's been replaced with 'kernel32.ExitProcess'.
WARNING - A resolved API wasn't an export, it's been replaced with 'kernel32.ExitProcess'.
INFO - Imports resolved: 773
INFO - Fixed IAT at 0x7ff7e7c29000, size=0xa728
INFO - Dumping PE with OEP=0x7ff7e7b0587c ...
INFO - Fixing dump ...
INFO - Rebuilding PE ...
INFO - Output file has been saved at 'unpacked_TERA.exe'

These didn't appear before for this binary.

alexrp commented 1 year ago

I'll compare an older unpacked binary to this one and see if I can make out anything interesting.

Nothing stands out; ExitProcess is called in all the same places as before. @ergrelet any thoughts?

ergrelet commented 1 year ago

Hi @alexrp! Thanks for taking the time to report and take a look at this! It seems to be due to a regression I introduced during my recent changes to the IAT search algorithm. I managed to reproduce something similar during my regression testing and just pushed a fix for that on dev. You can pull dev again (and reset your local branch as I have rewritten the git history).

alexrp commented 1 year ago

Looks to be working as expected now:

$ unlicense TERA.exe
INFO - Detected packer version: 3.x
frida-agent: Setting up OEP tracing for "TERA.exe"
frida-agent: Exception handler registered
frida-agent: TLS callback #0 detected (at 0x7ff720ae5090), skipping ...
frida-agent: TLS callback #1 detected (at 0x7ff720ae5490), skipping ...
frida-agent: OEP found (thread #18152): 0x7ff720ae587c
INFO - OEP reached: OEP=0x7ff720ae587c BASE=0x7ff71ec00000 DOTNET=False
INFO - Looking for the IAT...
INFO - Performing linear scan in data sections...
INFO - IAT found: 0x7ff720c09000-0x7ff7219934fa
INFO - Resolving imports ...
INFO - Imports resolved: 768
INFO - Fixed IAT at 0x7ff720c09000, size=0x1979
INFO - Dumping PE with OEP=0x7ff720ae587c ...
INFO - Fixing dump ...
INFO - Rebuilding PE ...
INFO - Output file has been saved at 'unpacked_TERA.exe'
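The two runs above are easiest to compare side by side once the interesting fields are pulled out of the log. The script below is an added example, not part of unlicense: it parses the INFO/WARNING lines (the sample input is excerpted from the two logs in this issue), counts the "resolved API wasn't an export" warnings, and rebases OEP and IAT addresses to RVAs so that runs with different ASLR bases can be compared. Treating a matching OEP RVA and IAT RVA as the sign that both runs looked at the same binary, with only import resolution differing, is my own assumption about what is worth checking here.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample input: the relevant lines of the two unlicense logs
# pasted in this issue (first run on dev before the fix, second run after).
LOG_BEFORE = """\
INFO - Detected packer version: 3.x
frida-agent: OEP found (thread #5932): 0x7ff7e7b0587c
INFO - OEP reached: OEP=0x7ff7e7b0587c BASE=0x7ff7e5c20000 DOTNET=False
INFO - IAT found: 0x7ff7e7c29000-0x7ff7e89b4000
WARNING - A resolved API wasn't an export, it's been replaced with 'kernel32.ExitProcess'.
WARNING - A resolved API wasn't an export, it's been replaced with 'kernel32.ExitProcess'.
WARNING - A resolved API wasn't an export, it's been replaced with 'kernel32.ExitProcess'.
WARNING - A resolved API wasn't an export, it's been replaced with 'kernel32.ExitProcess'.
INFO - Imports resolved: 773
INFO - Fixed IAT at 0x7ff7e7c29000, size=0xa728
"""
LOG_AFTER = """\
INFO - Detected packer version: 3.x
frida-agent: OEP found (thread #18152): 0x7ff720ae587c
INFO - OEP reached: OEP=0x7ff720ae587c BASE=0x7ff71ec00000 DOTNET=False
INFO - IAT found: 0x7ff720c09000-0x7ff7219934fa
INFO - Imports resolved: 768
INFO - Fixed IAT at 0x7ff720c09000, size=0x1979
"""

HEX = r"(0x[0-9a-fA-F]+)"
OEP_RE = re.compile(rf"OEP reached: OEP={HEX} BASE={HEX}")
IAT_FOUND_RE = re.compile(rf"IAT found: {HEX}-{HEX}")
IAT_FIXED_RE = re.compile(rf"Fixed IAT at {HEX}, size={HEX}")
IMPORTS_RE = re.compile(r"Imports resolved: (\d+)")
NOT_EXPORT_RE = re.compile(r"A resolved API wasn't an export, it's been replaced with '([^']+)'")


@dataclass
class RunInfo:
    """Fields extracted from one unlicense run."""
    oep: int = 0
    base: int = 0
    scan_start: int = 0      # "IAT found" range start
    scan_end: int = 0        # "IAT found" range end
    iat_fixed_at: int = 0    # "Fixed IAT at" address
    iat_size: int = 0        # "Fixed IAT" size
    imports: int = 0         # "Imports resolved" count
    replaced: Counter = field(default_factory=Counter)  # replacement API -> count

    @property
    def oep_rva(self) -> int:
        return self.oep - self.base

    @property
    def iat_rva(self) -> int:
        return self.iat_fixed_at - self.base

    @property
    def not_export_count(self) -> int:
        return sum(self.replaced.values())


def parse_run(log: str) -> RunInfo:
    """Parse the lines of one run; unknown lines are ignored."""
    info = RunInfo()
    for line in log.splitlines():
        if m := OEP_RE.search(line):
            info.oep, info.base = int(m[1], 16), int(m[2], 16)
        elif m := IAT_FOUND_RE.search(line):
            info.scan_start, info.scan_end = int(m[1], 16), int(m[2], 16)
        elif m := IAT_FIXED_RE.search(line):
            info.iat_fixed_at, info.iat_size = int(m[1], 16), int(m[2], 16)
        elif m := IMPORTS_RE.search(line):
            info.imports = int(m[1])
        elif m := NOT_EXPORT_RE.search(line):
            info.replaced[m[1]] += 1
    return info


def assess_run(info: RunInfo) -> list[str]:
    """Findings for a single run; an empty list means nothing looked off."""
    findings = []
    if info.not_export_count:
        # Each such slot now points at the replacement API rather than the
        # original one, so the dump will call the wrong function from there.
        findings.append(
            f"{info.not_export_count} IAT slot(s) did not resolve to an export; "
            f"replaced with {dict(info.replaced)}")
    if info.imports == 0 or info.iat_size == 0:
        findings.append("no imports resolved or no fixed IAT reported")
    return findings


def compare_runs(old: RunInfo, new: RunInfo) -> dict:
    """Compare two runs of the same binary after rebasing to RVAs."""
    return {
        "same_oep_rva": old.oep_rva == new.oep_rva,
        "same_iat_rva": old.iat_rva == new.iat_rva,
        "imports_delta": new.imports - old.imports,
        "iat_size_delta": new.iat_size - old.iat_size,
        "not_export_delta": new.not_export_count - old.not_export_count,
    }


if __name__ == "__main__":
    before, after = parse_run(LOG_BEFORE), parse_run(LOG_AFTER)
    print("before:", assess_run(before))
    print("after: ", assess_run(after))
    print("diff:  ", compare_runs(before, after))
```

Run on the two logs from this issue, both runs report the same OEP RVA and IAT RVA, so the binary and its entry point did not change; what changed is the import resolution (773 resolved with four replaced slots versus 768 with none), which is consistent with the regression in the IAT search that the maintainer describes.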

TheMu19099 commented 3 months ago

Can you help me? I'm getting the same result, but in my case only 2 pointers to the IAT are obfuscated. The unpacked exe runs normally, but in the middle of execution, when entering the game, it crashes because some function is not found in the IAT.