ergrelet / unlicense

Dynamic unpacker and import fixer for Themida/WinLicense 2.x and 3.x.
GNU General Public License v3.0

IAT restoration problems #99

Open sciasplusplus opened 1 year ago

sciasplusplus commented 1 year ago

Hello,

I discovered few issues with Themida 2.x unpacking and will begin listing them:

  1. It seems like frida fails to understand ordinals (for example mfc100u.dll in the attachments; there can be a lot more).
  2. Sometimes there is an IAT reference inside a mov instruction; however, unlicense fails to find those and pyscylla doesn't repair it.
  3. Some calls cannot be identified at all, so for example with this binary the issue is that the majority of the filters do not work. [image] Stuff like this will not be restored, but it should be restored as a jump. A lot of calls like this: [image] also fail to get restored.

In total around 600 imports were restored; however, it should restore roughly 1.2k in total.

You can find the binary here if needed: https://easyupload.io/wal48d ; the start parameter pxk19slammsu286nfha02kpqnf729ck is also required when going past the OEP.
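To illustrate items 1 and 2 of the report (ordinal imports and IAT references reached through mov rather than call), here is an added example that is not unlicense's or pyscylla's code: a small 32-bit scanner that flags call/jmp/mov operands pointing into a constructed IAT map whose entries may be names or ordinals. The IAT addresses, code bytes and the ordinal 1234 are all made up for the demo.

```python
import struct

# Constructed sample IAT: slot address -> (dll, name or ordinal). Ordinal imports
# are kept as ints so the fixer can emit them as "dll!#ordinal" instead of failing.
IAT_SLOTS = {
    0x00402000: ("kernel32.dll", "GetProcAddress"),   # imported by name
    0x00402004: ("mfc100u.dll", 1234),                # imported by ordinal (constructed)
    0x00402008: ("user32.dll", "MessageBoxW"),
}

# Constructed 32-bit code: call [0x402000]; mov ecx,[0x402004]; nop;
# mov eax,[0x402008]; jmp [0x40200C] (not an IAT slot); call ecx.
CODE = bytes.fromhex("ff1500204000 8b0d04204000 90 a108204000 ff250c204000 ffd1")
CODE_BASE = 0x00401000

def iat_references(code: bytes, base: int, slots: dict) -> list:
    """Return (instr_addr, kind, slot) for each absolute disp32 operand hitting an IAT slot.

    Handles call [imm32] (FF 15), jmp [imm32] (FF 25), mov r32,[imm32] (8B /r with
    mod=00 rm=101) and mov eax,[moffs32] (A1). A call-only filter misses the mov forms.
    This is a byte-pattern heuristic, not a disassembler: on mixed code/data it can
    produce false positives, so real tools walk instructions with a disassembler.
    """
    refs, i = [], 0
    while i + 1 < len(code):
        b0, b1 = code[i], code[i + 1]
        if b0 == 0xFF and b1 in (0x15, 0x25) and i + 6 <= len(code):
            target = struct.unpack_from("<I", code, i + 2)[0]
            if target in slots:
                refs.append((base + i, "call" if b1 == 0x15 else "jmp", target))
            i += 6
        elif b0 == 0x8B and (b1 & 0xC7) == 0x05 and i + 6 <= len(code):
            target = struct.unpack_from("<I", code, i + 2)[0]
            if target in slots:
                refs.append((base + i, "mov", target))
            i += 6
        elif b0 == 0xA1 and i + 5 <= len(code):
            target = struct.unpack_from("<I", code, i + 1)[0]
            if target in slots:
                refs.append((base + i, "mov", target))
            i += 5
        else:
            i += 1
    return refs

def describe(slots: dict, slot: int) -> str:
    """Render a slot as dll!Name or dll!#ordinal, so ordinal imports are not dropped."""
    dll, sym = slots[slot]
    return f"{dll}!#{sym}" if isinstance(sym, int) else f"{dll}!{sym}"

def scan_sample() -> list:
    return iat_references(CODE, CODE_BASE, IAT_SLOTS)

if __name__ == "__main__":
    for addr, kind, slot in scan_sample():
        print(f"{addr:#010x} {kind:4} -> {describe(IAT_SLOTS, slot)}")
```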

ergrelet commented 1 year ago

Hi! Thanks for the detailed report! I'll take a look when I have the time 👍