search

ergrelet / unlicense

Dynamic unpacker and import fixer for Themida/WinLicense 2.x and 3.x.
GNU General Public License v3.0
926 stars 182 forks source link

Error: IAT not found - v0.4.0 #97

Open ReverseThatApp opened 10 months ago

ReverseThatApp commented 10 months ago

I got below IAT not found error for version v.0.4.0 when I tried to unpack this file (packed with Themida 3.x), I have attached the .dll file for your reference https://vnpik.net/boom/hook.dll

INFO - Detected packer version: 3.x DEBUG - Probed .text section at (0x1000, 0x5c4aa8) DEBUG - Probed .text section at (0x5c6000, 0x3014) frida-agent: Setting up OEP tracing for "hook.dll" frida-agent: Target module has been loaded (thread #11820) ... frida-agent: Exception handler registered frida-agent: OEP found (thread #11820): 0x4af13c4 frida-agent: OEP found (thread #11820): 0x50967b4 frida-agent: OEP found (thread #11820): 0x4ae9b9c INFO - OEP reached: OEP=0x4ae9b9c BASE=0x4ae0000 DOTNET=False INFO - Looking for the IAT... DEBUG - Exports count: 20356 INFO - Performing linear scan in data sections... DEBUG - Looking for the IAT at (0x4ae1000, 0x1000) DEBUG - Scanning 100 elements, pointer size is 4 DEBUG - Potential start offset 0x0 for the IAT DEBUG - Non-null pointer count: 45 DEBUG - Valid APIs count: 0 DEBUG - RX destination count: 0 DEBUG - Looking for the IAT at (0x50a6000, 0x1000) DEBUG - Scanning 100 elements, pointer size is 4 DEBUG - Potential start offset 0x0 for the IAT DEBUG - Non-null pointer count: 51 DEBUG - Valid APIs count: 0 DEBUG - RX destination count: 0 DEBUG - Looking for the IAT at (0x50aa000, 0x1000) DEBUG - Scanning 100 elements, pointer size is 4 DEBUG - Potential start offset 0x0 for the IAT DEBUG - Non-null pointer count: 66 DEBUG - Valid APIs count: 0 DEBUG - RX destination count: 0 DEBUG - Looking for the IAT at (0x50b8000, 0x1000) DEBUG - Scanning 100 elements, pointer size is 4 DEBUG - Potential start offset 0x0 for the IAT DEBUG - Non-null pointer count: 47 DEBUG - Valid APIs count: 0 DEBUG - RX destination count: 0 DEBUG - Looking for the IAT at (0x50c0000, 0x1000) DEBUG - Scanning 100 elements, pointer size is 4 DEBUG - Potential start offset 0x0 for the IAT DEBUG - Non-null pointer count: 62 DEBUG - Valid APIs count: 0 DEBUG - RX destination count: 0 DEBUG - Looking for the IAT at (0x50c4000, 0x1000) DEBUG - Scanning 100 elements, pointer size is 4 DEBUG - Potential start offset 0x0 for the IAT DEBUG - Non-null pointer count: 51 DEBUG - Valid APIs count: 0 DEBUG - RX destination count: 0 DEBUG - Looking for the IAT at (0x50c5000, 0x1000) DEBUG - Scanning 100 elements, pointer size is 4 DEBUG - Potential start offset 0x0 for the IAT DEBUG - Non-null pointer count: 62 DEBUG - Valid APIs count: 0 DEBUG - RX destination count: 0 DEBUG - Looking for the IAT at (0x50c6000, 0x1000) DEBUG - Scanning 100 elements, pointer size is 4 DEBUG - Potential start offset 0x0 for the IAT DEBUG - Non-null pointer count: 68 DEBUG - Valid APIs count: 0 DEBUG - RX destination count: 0 DEBUG - Looking for the IAT at (0x50c7000, 0x1000) DEBUG - Scanning 100 elements, pointer size is 4 DEBUG - Potential start offset 0x0 for the IAT DEBUG - Non-null pointer count: 50 DEBUG - Valid APIs count: 0 DEBUG - RX destination count: 0 DEBUG - Looking for the IAT at (0x5152000, 0x1000) DEBUG - Scanning 100 elements, pointer size is 4 DEBUG - Potential start offset 0x0 for the IAT DEBUG - Non-null pointer count: 69 DEBUG - Valid APIs count: 0 DEBUG - RX destination count: 0 DEBUG - Looking for the IAT at (0x59c8000, 0x1000) DEBUG - Scanning 100 elements, pointer size is 4 DEBUG - Potential start offset 0x0 for the IAT DEBUG - Non-null pointer count: 40 DEBUG - Valid APIs count: 0 DEBUG - RX destination count: 0 DEBUG - Looking for the IAT at (0x59c9000, 0x1000) DEBUG - Scanning 100 elements, pointer size is 4 DEBUG - Potential start offset 0x0 for the IAT DEBUG - Non-null pointer count: 37 DEBUG - Valid APIs count: 0 DEBUG - RX destination count: 0 DEBUG - Looking for the IAT at (0x59ca000, 0x1000) DEBUG - Scanning 100 elements, pointer size is 4 DEBUG - Potential start offset 0x0 for the IAT DEBUG - Non-null pointer count: 41 DEBUG - Valid APIs count: 0 DEBUG - RX destination count: 0 DEBUG - Looking for the IAT at (0x59cb000, 0x1000) DEBUG - Scanning 100 elements, pointer size is 4 DEBUG - Potential start offset 0x0 for the IAT DEBUG - Non-null pointer count: 48 DEBUG - Valid APIs count: 0 DEBUG - RX destination count: 0 DEBUG - Looking for the IAT at (0x5f43000, 0x1000) DEBUG - Scanning 100 elements, pointer size is 4 DEBUG - Potential start offset 0x0 for the IAT DEBUG - Non-null pointer count: 49 DEBUG - Valid APIs count: 0 DEBUG - R*X destination count: 0 INFO - Looking for wrapped imports in code sections... ERROR - IAT not found

ergrelet commented 10 months ago

Hi, thanks for the report! I pushed a fix for this on the dev branch.

tuanbca commented 5 months ago

D:\UG\unpackertool\unlicense>unlicense.exe DaasPreloader.exe -- INFO - Detected packer version: 3.x frida-agent: Setting up OEP tracing for "DaasPreloader.exe" frida-agent: Exception handler registered frida-agent: OEP found (thread #5224): 0xe02338 INFO - OEP reached: OEP=0xe02338 BASE=0xe00000 DOTNET=False INFO - Looking for the IAT... INFO - Performing linear scan in data sections... INFO - Looking for wrapped imports in code sections... INFO - Potential import wrappers found: 7 INFO - IAT found: 0x10ad678-0x10ad678 INFO - Resolving imports ... ERROR - IAT unwrapping failed