ergrelet / unlicense

Dynamic unpacker and import fixer for Themida/WinLicense 2.x and 3.x.
GNU General Public License v3.0

Failed automatic detection of .text section in some binaries #94

Closed koast18 closed 11 months ago

koast18 commented 11 months ago

In some binaries, the .text section is not the first section with a non-blank stripped full name. When that occurs, this statement becomes true and the .text section detection fails, even though the next section is the .text section with the full name .text\00\00\00.

DrcHost.zip

This sample triggers the issue, and changing the break to continue fixes it and produces an executable binary via python -m unlicense ./DrcHost.exe.

The log is below.

before

INFO - Detected packer version: 3.x
ERROR - Failed to automatically detect .text section

after

INFO - Detected packer version: 3.x
frida-agent: Setting up OEP tracing for "DrcHost.exe"
frida-agent: Exception handler registered
frida-agent: OEP found (thread #128812): 0x1400d60f3
INFO - OEP reached: OEP=0x1400d60f3 BASE=0x140000000 DOTNET=False
INFO - Looking for the IAT...
INFO - Performing linear scan in data sections...
INFO - IAT found: 0x1402d8000-0x1402dd160
INFO - Resolving imports ...
INFO - Imports resolved: 405
INFO - Fixed IAT at 0x1402d8000, size=0x6000
INFO - Dumping PE with OEP=0x1400d60f3 ...
INFO - Fixing dump ...
INFO - Rebuilding PE ...
INFO - Output file has been saved at 'unpacked_DrcHost.exe'

The fix is in #95. I don't know if there is any other reason to use a break here or whether this change would cause other problems, but thanks anyway for your fantastic unpacker!!

ergrelet commented 11 months ago

Hi! Thanks for creating an issue and proposing a fix! This is indeed a long-standing issue that I didn't take the time to fix!
The break is voluntarily conservative (i.e., it matches a quite precise layout). I'll check this out and see if a continue improves the situation without introducing regressions. 👍

ergrelet commented 11 months ago

Hi! So as I thought, switching to a continue has the unwanted effect of including Themida/WinLicense 2.x's (empty-named) sections in the list of sections and thus breaks OEP detection for 2.x.
I pushed a more conservative fix which just whitelists .textbss and .textidx (I'd like your confirmation to ensure that it does the trick). Maybe we could revamp the text section probing later. However, I'm planning to release 0.4.0 soon and I want to avoid introducing bugs right now 😅
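The three probing strategies discussed in this thread (the original break, the proposed continue, and the .textbss/.textidx whitelist shipped in 0.4.0), as an added example that is not unlicense's own code: the section tables are constructed, and the function names, the whitelist set and the skipping of empty-named sections are assumptions modelling the behaviour described above.

```python
# Added example (not unlicense's code): models the .text section probing
# strategies discussed in this issue on constructed PE section tables.
# Raw names mimic the 8-byte, NUL-padded IMAGE_SECTION_HEADER.Name field.
from typing import Optional, Sequence

# Sections that may legitimately precede .text (assumed from the 0.4.0 fix)
TEXT_SECTION_WHITELIST = {".textbss", ".textidx"}


def decode_name(raw: bytes) -> str:
    """Strip the NUL padding of a raw 8-byte section name."""
    return raw.rstrip(b"\x00").decode("ascii", errors="replace").strip()


def find_text_section(raw_names: Sequence[bytes], strategy: str = "whitelist") -> Optional[int]:
    """Return the index of the .text section, or None if probing gives up.

    strategy:
      "break"     - stop at the first non-blank section that is not .text (original, conservative)
      "continue"  - skip any non-.text section (the change first proposed in this issue)
      "whitelist" - skip only known prefix sections (the fix shipped in 0.4.0)
    """
    for index, raw in enumerate(raw_names):
        name = decode_name(raw)
        if not name:
            # Empty-named sections (seen with Themida/WinLicense 2.x) are passed over
            continue
        if name == ".text":
            return index
        if strategy == "continue" or (strategy == "whitelist" and name in TEXT_SECTION_WHITELIST):
            continue
        break  # unexpected layout: give up rather than guess
    return None


# Constructed section table resembling the DrcHost.exe layout described in the issue
DRCHOST_LIKE = [b".textbss", b".text\x00\x00\x00", b".rdata\x00\x00", b".data\x00\x00\x00"]
# Constructed layout with an unknown section ahead of .text, where guessing is unsafe
ODD_LAYOUT = [b".custom\x00", b".text\x00\x00\x00"]

if __name__ == "__main__":
    for layout in (DRCHOST_LIKE, ODD_LAYOUT):
        for strategy in ("break", "continue", "whitelist"):
            print(strategy, find_text_section(layout, strategy))
```

On the DrcHost-like table the original break returns None while the whitelist finds index 1; on the odd table only the unconditional continue picks a section, which is the behaviour the maintainer wanted to avoid.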

koast18 commented 11 months ago

That's really a good fix; I just tested the 0.4.0 release on the sample and it works fine! Thanks for your excellent fix, and I think it's time to close the issue and PR.