unlicense's Introduction

Unlicense

A Python 3 tool to dynamically unpack executables protected with Themida/WinLicense 2.x and 3.x.

Warning: This tool will execute the target executable. Make sure to use this tool in a VM if you're unsure about what the target executable does.

Note: You need to use a 32-bit Python interpreter to dump 32-bit executables.

Features

  • Handles Themida/WinLicense 2.x and 3.x
  • Handles 32-bit and 64-bit PEs (EXEs and DLLs)
  • Handles 32-bit and 64-bit .NET assemblies (EXEs only)
  • Recovers the original entry point (OEP) automatically
  • Recovers the (obfuscated) import table automatically

Known Limitations

  • Doesn't handle .NET assembly DLLs
  • Doesn't produce runnable dumps in most cases
  • Resolving imports for 32-bit executables packed with Themida 2.x is pretty slow
  • Requires a valid license file to unpack WinLicense-protected executables that require license files to start

How To

Download

You can either download the PyInstaller-generated executables from the "Releases" section or fetch the project with git and install it with pip:

pip install git+https://github.com/ergrelet/unlicense.git

Use

If you don't want to deal with the command-line interface (CLI), you can simply drag and drop the target binary onto the appropriate (32-bit or 64-bit) unlicense executable, which is available in the "Releases" section.

Otherwise here's what the CLI looks like:

unlicense --help
NAME
    unlicense.exe - Unpack executables protected with Themida/WinLicense 2.x and 3.x

SYNOPSIS
    unlicense.exe PE_TO_DUMP <flags>

DESCRIPTION
    Unpack executables protected with Themida/WinLicense 2.x and 3.x

POSITIONAL ARGUMENTS
    PE_TO_DUMP
        Type: str

FLAGS
    --verbose=VERBOSE
        Type: bool
        Default: False
    --pause_on_oep=PAUSE_ON_OEP
        Type: bool
        Default: False
    --no_imports=NO_IMPORTS
        Type: bool
        Default: False
    --force_oep=FORCE_OEP
        Type: Optional[Optional]
        Default: None
    --target_version=TARGET_VERSION
        Type: Optional[Optional]
        Default: None
    --timeout=TIMEOUT
        Type: int
        Default: 10

NOTES
    You can also use flags syntax for POSITIONAL ARGUMENTS

unlicense's People

Contributors

ergrelet, xcarx

unlicense's Issues

IAT Being Truncated

I have worked with the tool quite a bit and noticed that the last nullptr truncation

last_nullptr_offset = (current_page_addr - iat_range.base) + i
tends to cut off a large portion of the IAT in some samples that I've run it on. I have removed this line in my local copy and it managed to recover everything nicely. Is there a particular reason for why this line is there?

Handle function hash collisions on 32-bit

If an export function hash matches another export function, it is undefined which function will be used during import resolution. This results in call sites being patched with incorrect imports and an output that ultimately does not work.

How can I be sure _cinit is not invoked during OEP discovery?

For C++ executables, WinMainCRTStartup is responsible for calling a procedure named _cinit, which initializes all C++ statics prior to calling WinMain.

I have a Winlicense 2 packed EXE which I have unpacking successfully (additionally with support for patching a specific call pattern for imports inside the CRT functions), but when it gets inside _cinit and begins initializing things, it eventually hits a seg fault dereferencing null. My hypothesis is that _cinit may have already been called in the process at this point, and it is running initializers on memory that is in an unexpected state because of it. (Either that, or the location of the static memory is not where it should be, which may be symptomatic of Scylla failing to properly dump and fix the running process)

So, during OEP discovery, is there a way to know for sure that it has not executed any part of the entrypoint by the time it is caught after unpacking?

CLI for x32?

I just installed it through git, using unlicense in the command-line interface only reflects x64 by default. What is the correct interpreter command for x32?

EDIT: Just figured this out. So, please remove it.

unable to run pip install unlicense/

PS C:\Users\user\Documents\code\github> pip install unlicense/
Processing c:\users\user\documents\code\github\unlicense
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
Collecting lief<0.12,>=0.11
  Using cached lief-0.11.5.zip (15.7 MB)
  Preparing metadata (setup.py) ... done
ERROR: Could not find a version that satisfies the requirement pyscylla<0.11.0,>=0.10.0 (from unlicense) (from versions: none)
ERROR: No matching distribution found for pyscylla<0.11.0,>=0.10.0

using pyver 3.10

Detected packer version: 3.x

Any idea how to fix this

Traceback (most recent call last):
File "unlicense\__main__.py", line 4, in <module>
File "unlicense\application.py", line 20, in main
File "fire\core.py", line 141, in Fire
File "fire\core.py", line 466, in _Fire
File "fire\core.py", line 681, in _CallAndUpdateTrace
File "unlicense\application.py", line 73, in run_unlicense
File "unlicense\frida_exec.py", line 152, in spawn_and_instrument
File "frida\__init__.py", line 57, in spawn
File "frida\core.py", line 26, in wrapper
File "frida\core.py", line 149, in spawn
frida.NotSupportedError: unable to spawn executable at 'Loader.exe': 0x000002e4
[3760] Failed to execute script '__main__' due to unhandled exception!

infinite loop in resolving imports section

Hello,

I mentioned this issue in #32.

in some samples (like the one I sent you by email) resolving imports sections gets stuck in an infinite loop when trying to map some memory sections.

frida.NotSupportedError

INFO - Detected packer version: 3.x

Traceback (most recent call last):
File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.10_3.10.1776.0_x64__qbz5n2kfra8p0\lib\runpy.py", line 196, in _run_module_as_main
return _run_code(code, main_globals, None,
File "C:\Program Files\WindowsApps\PythonSoftwareFoundation.Python.3.10_3.10.1776.0_x64__qbz5n2kfra8p0\lib\runpy.py", line 86, in _run_code
exec(code, run_globals)
File "C:\Users\Abril\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\Scripts\unlicense.exe\__main__.py", line 7, in <module>
File "C:\Users\Abril\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\unlicense\application.py", line 20, in main
fire.Fire(run_unlicense)
File "C:\Users\Abril\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\fire\core.py", line 141, in Fire
component_trace = _Fire(component, args, parsed_flag_args, context, name)
File "C:\Users\Abril\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\fire\core.py", line 466, in _Fire
component, remaining_args = _CallAndUpdateTrace(
File "C:\Users\Abril\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\fire\core.py", line 681, in _CallAndUpdateTrace
component = fn(*varargs, **kwargs)
File "C:\Users\Abril\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\unlicense\application.py", line 78, in run_unlicense
process_controller = frida_exec.spawn_and_instrument(
File "C:\Users\Abril\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\unlicense\frida_exec.py", line 162, in spawn_and_instrument
pid = frida.spawn((str(pe_path), ))
File "C:\Users\Abril\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\frida\__init__.py", line 59, in spawn
return get_local_device().spawn(*args, **kwargs)
File "C:\Users\Abril\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\frida\core.py", line 34, in wrapper
return f(*args, **kwargs)
File "C:\Users\Abril\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\LocalCache\local-packages\Python310\site-packages\frida\core.py", line 157, in spawn
return self._impl.spawn(program, argv, envp, env, cwd, stdio, aux_options)

frida.NotSupportedError: unable to spawn executable at 'C:\Users\Abril\Desktop\mogker\unlicense\Updater.exe': 0x000002e4

Building exe

Hi, I get an error when running the application when using the following command. It compiles, but when I run the build execution I get this error. I ran pyinstaller unlicense.spec

I'm not sure. I'm just wanting to add an icon as well. I want to be able to write the command in cmd, for example: unlicense.exe test.exe

Traceback (most recent call last):
File "unlicense\__main__.py", line 1, in <module>
File "PyInstaller\loader\pyimod02_importers.py", line 499, in exec_module
File "unlicense\application.py", line 7, in <module>
ModuleNotFoundError: No module named 'fire'
[42480] Failed to execute script '__main__' due to unhandled exception!

Fail on x64 native dll: ERROR - IAT not found

Any hints into which piece of code should I look in order to move forward?
thanks in advance!
Input: native x64 dll, Win7x64 OS,
Python 3.8.10 (tags/v3.8.10:3d8993a, May 3 2021, 11:48:03) [MSC v.1928 64 bit (AMD64)] on win32

c:\123>unlicense db64.dll --verbose=true
INFO - Detected packer version: 3.x
DEBUG - Probed .text section at (0x1000, 0x1d0a6ba)
frida-agent: Setting up OEP tracing for "db64.dll"
frida-agent: Target module has been loaded (thread #8276) ...
frida-agent: Exception handler registered
frida-agent: OEP found (thread #8276): 0x7fe9fdb2108
INFO - OEP reached: OEP=0x7fe9fdb2108 BASE=0x7fe9fdb0000 DOTNET=False
DEBUG - Exports count: 16460
DEBUG - Looking for the IAT at (0x7fe9fdb0000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 83
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fe9fdb1000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fe9fdb2000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fe9fdb3000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fe9fdb4000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea1abc000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 21
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 21
DEBUG - Looking for the IAT at (0x7fea1abd000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 16
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 1
DEBUG - Looking for the IAT at (0x7fea1abe000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 79
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 60
DEBUG - Looking for the IAT at (0x7fea1abf000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 84
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 82
DEBUG - Looking for the IAT at (0x7fea2095000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 64
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 16
DEBUG - Looking for the IAT at (0x7fea2096000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 58
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea2097000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea2098000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 38
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea2146000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 0
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea2147000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 0
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea2148000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 0
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea2149000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 0
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea21a4000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 0
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea21a5000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 0
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea21a6000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 0
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea21a7000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 0
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea21a8000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 0
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea21c5000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea21c6000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea21c7000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea21c8000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea22a2000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 75
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea22a3000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 0
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea22a4000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 1
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea22a5000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 5
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 5
DEBUG - Looking for the IAT at (0x7fea22a6000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 60
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea22a7000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea22a8000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea244f000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x158 for the IAT
DEBUG - Non-null pointer count: 56
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 49
DEBUG - Looking for the IAT at (0x7fea2450000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 100
DEBUG - Looking for the IAT at (0x7fea2451000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 79
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 79
DEBUG - Looking for the IAT at (0x7fea2452000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 0
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea2453000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea2454000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 6
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea2455000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 95
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea2456000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0xd8 for the IAT
DEBUG - Non-null pointer count: 70
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 1
DEBUG - Looking for the IAT at (0x7fea2457000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea2458000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea2459000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea2a32000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 95
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea2a33000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea2a34000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea2a35000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
DEBUG - Looking for the IAT at (0x7fea2dba000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 64
DEBUG - Valid APIs count: 0
DEBUG - R*X destination count: 0
ERROR - IAT not found

failed to load external DLL for DLL unpacking.

Hello,

I tried to unpack a DLL packed with WinLicense 2.x, and when dragging and dropping the DLL onto unlicense.exe I get "cannot find xxx.dll please reinstall this application". The xxx.dll is in the same directory as the target DLL, and I'm running unlicense from the same directory as well.

Stuck on unpacking

Trying to unpack WinLicense 2.0-2.46 x64, and unlicense just gets stuck on unmapping memory at some address (I tried a few times and left it for a full day; I see full load on the 1st CPU core but no result, just stuck), and progress does not go past that memory address unmapping.
Adding a screenshot and the target exe.

2022-09-11_23-37

target.zip

how to install it and use it

Hello, I don't know how to install it. A Python package needs setup.py, so I have created setup.py

import setuptools

with open("README.md", "r") as fh:
    long_description = fh.read()

setuptools.setup(
    name="unlicense",
    version="0.0.1",
    author="ken",
    author_email="[email protected]",
    description="Image kernel.",
    long_description=long_description,
    long_description_content_type="text/markdown",
    url="https://github.com/kenblikylee/imgkernel",
    packages=setuptools.find_packages(),
    classifiers=[
        "Programming Language :: Python :: 3",
        "License :: OSI Approved :: MIT License",
        "Operating System :: OS Independent",
    ],
    python_requires='>=3.6',
)
and do the python setup.py install command

but I don't know how to use it?

Unable to find OEP of .NET WPF programs for a long time

The program I need to unpack is a .NET WPF program, and it protects winlicense2.0-2.4.6 and uses Babel's confusion, but unlicense can't find the OEP of this program for a long time, even if the timeout is set.
Log:
PS C:\Users[Protected]\Desktop> .\unlicense_x32.exe "C:\Program Files (x86)\Netease\MCLauncher\WPFLauncher.exe"
INFO - Detected packer version: 2.x
frida-agent: Setting up OEP tracing for "WPFLauncher.exe"
frida-agent: Exception handler registered
ERROR - Original entry point wasn't reached before timeout
WPFLauncher.zip

Some files open after dump some dont...

Hi there, I tried various pieces of Themida-protected executables, and some of them run after the dump successfully and some don't. Just wanted to address this issue; hopefully there's a fix :)

[Error] Can`t install unlicense with pyscylla

test@machine:~$ python3 -m pip install unlicense/
Defaulting to user installation because normal site-packages is not writeable
Processing ./unlicense
Installing build dependencies ... done
Getting requirements to build wheel ... done
Preparing metadata (pyproject.toml) ... done
Collecting fire<0.5,>=0.4
Using cached fire-0.4.0.tar.gz (87 kB)
Preparing metadata (setup.py) ... done
Collecting capstone<5.0,>=4.0
Using cached capstone-4.0.2-py2.py3-none-manylinux1_x86_64.whl (2.1 MB)
Collecting xxhash<3.0,>=2.0
Using cached xxhash-2.0.2.tar.gz (64 kB)
Preparing metadata (setup.py) ... done
ERROR: Could not find a version that satisfies the requirement pyscylla<0.12.0,>=0.11.0 (from unlicense) (from versions: none)
ERROR: No matching distribution found for pyscylla<0.12.0,>=0.11.0

Optionally cache export hashes

Since the hash for any given export should be the same on each run as long as the DLLs loaded by the application don't change, it would save a lot of time to cache the export hashes to disk and try to use them. I'm noticing it particularly becomes a problem for working on a solution for #42 by tracing branches for the hash.
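
The two export-hash issues above ("Handle function hash collisions on 32-bit" and "Optionally cache export hashes") can be illustrated together. This is an added example, not code from unlicense or from either issue author: the hash function, the module data and every name in it are assumptions made up for the illustration. It keeps every export that produces a given hash so a collision is reported instead of silently picking one, and it caches the index on disk under a fingerprint of the loaded DLLs so the cache is rebuilt when a DLL changes.

```python
import hashlib
import json
import os
import tempfile
from collections import defaultdict

# Constructed sample data: module name -> (file bytes, {export name: code bytes}).
# Two exports share the same "xor eax, eax; ret" stub, which forces a collision.
MODULES = {
    "demo_a.dll": (b"MZ-demo-a-v1", {
        "GetAnswer": bytes.fromhex("b82a000000c3"),   # mov eax, 42; ret
        "AlwaysZero": bytes.fromhex("33c0c3"),        # xor eax, eax; ret
    }),
    "demo_b.dll": (b"MZ-demo-b-v1", {
        "IsSupported": bytes.fromhex("33c0c3"),       # same stub as AlwaysZero
    }),
}


def code_hash(code: bytes) -> str:
    """Stand-in for the tool's export hash (assumption, not its real algorithm)."""
    return hashlib.blake2b(code, digest_size=8).hexdigest()


def fingerprint(modules) -> str:
    """Cache key: changes whenever the set or the content of loaded DLLs changes."""
    h = hashlib.sha256()
    for name in sorted(modules):
        image, _ = modules[name]
        h.update(name.lower().encode() + b"\0" + hashlib.sha256(image).digest())
    return h.hexdigest()


def build_index(modules) -> dict:
    """Map each hash to every export that produces it, instead of keeping one."""
    index = defaultdict(list)
    for dll, (_, exports) in modules.items():
        for func, code in exports.items():
            index[code_hash(code)].append(f"{dll}!{func}")
    return {h: sorted(names) for h, names in index.items()}


def load_or_build(modules, cache_path):
    """Return (index, from_cache). A stale or unreadable cache is rebuilt."""
    key = fingerprint(modules)
    try:
        with open(cache_path, "r", encoding="utf-8") as fh:
            cached = json.load(fh)
        if (isinstance(cached, dict) and cached.get("fingerprint") == key
                and isinstance(cached.get("index"), dict)):
            return cached["index"], True
    except (OSError, ValueError):
        pass  # missing or corrupt cache file: fall through and rebuild
    index = build_index(modules)
    tmp = cache_path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        json.dump({"fingerprint": key, "index": index}, fh)
    os.replace(tmp, cache_path)  # atomic swap, never leaves a half-written cache
    return index, False


def resolve(index, code: bytes):
    """Return (unique_match_or_None, all_candidates) for a piece of code."""
    candidates = index.get(code_hash(code), [])
    return (candidates[0] if len(candidates) == 1 else None), candidates


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "export_hashes.json")
        index, hit1 = load_or_build(MODULES, path)   # first run: builds the cache
        _, hit2 = load_or_build(MODULES, path)       # same DLLs: served from cache
        unique = resolve(index, bytes.fromhex("b82a000000c3"))
        ambiguous = resolve(index, bytes.fromhex("33c0c3"))
        # Simulate a DLL update: same exports, different file content.
        updated = dict(MODULES)
        updated["demo_b.dll"] = (b"MZ-demo-b-v2", MODULES["demo_b.dll"][1])
        _, hit3 = load_or_build(updated, path)       # fingerprint differs: rebuilt
    return hit1, hit2, hit3, unique, ambiguous


if __name__ == "__main__":
    print(demo())
```

An ambiguous result leaves the choice to the caller, which can log the candidates or disambiguate by another signal rather than patch a call site with whichever export happened to be stored last.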

ERROR: Invalid parameters

INFO - Detected packer version: 2.x
frida-agent: Setting up OEP tracing for "VBAPass.exe"
frida-agent: Exception handler registered
frida-agent: OEP found (thread #6816): 0x43ef4f
INFO - OEP reached: OEP=0x43ef4f BASE=0x400000 DOTNET=False
INFO - Looking for wrapped imports ...
INFO - Potential import wrappers found: 828
INFO - Generating exports' hashes, this might take some time ...
INFO - Resolving imports ...
ERROR - ERROR: invalid parameters
ERROR - ERROR: invalid parameters
ERROR - ERROR: invalid parameters
ERROR - ERROR: invalid parameters
INFO - Imports resolved: 244
INFO - Generated the fake IAT at 0xe20000, size=0x3d0
INFO - Patching call and jmp sites ...
INFO - Dumping PE with OEP=0x43ef4f ...
INFO - Fixing dump ...
INFO - Output file has been saved at unpacked_VBAPass.exe

Here's the target file: target file

ERROR - IAT not found

D:\>unlicense a.exe --verbose --pause_on_oep
INFO - Detected packer version: 3.x
frida-agent: Setting up OEP tracing for "a.exe"
frida-agent: Target module is loaded ...
frida-agent: Potential OEP (thread #6596): 0x7ff62a59d2dc
INFO - OEP reached: OEP=0x7ff62a59d2dc BASE=0x7ff62a430000 DOTNET=False
Thread blocked, press ENTER to proceed with the dumping.
DEBUG - Exports count: 20352
DEBUG - Looking for the IAT at (0x7ff62a430000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 76
DEBUG - Valid APIs count: 0
DEBUG - RWX destination count: 0
DEBUG - Looking for the IAT at (0x7ff62a431000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 95
DEBUG - Valid APIs count: 0
DEBUG - RWX destination count: 0
DEBUG - Looking for the IAT at (0x7ff62a432000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - RWX destination count: 0
DEBUG - Looking for the IAT at (0x7ff62a433000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - RWX destination count: 0
DEBUG - Looking for the IAT at (0x7ff62a434000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - RWX destination count: 0
DEBUG - Looking for the IAT at (0x7ff62a59f000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 98
DEBUG - Valid APIs count: 97
DEBUG - RWX destination count: 10
DEBUG - Looking for the IAT at (0x7ff62a5a0000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - RWX destination count: 0
DEBUG - Looking for the IAT at (0x7ff62a5a1000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - RWX destination count: 0
DEBUG - Looking for the IAT at (0x7ff62a5a2000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - RWX destination count: 0
DEBUG - Looking for the IAT at (0x7ff62a5c3000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 44
DEBUG - Valid APIs count: 0
DEBUG - RWX destination count: 0
DEBUG - Looking for the IAT at (0x7ff62a5c4000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 1
DEBUG - Valid APIs count: 0
DEBUG - RWX destination count: 0
DEBUG - Looking for the IAT at (0x7ff62a5c5000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 0
DEBUG - Valid APIs count: 0
DEBUG - RWX destination count: 0
DEBUG - Looking for the IAT at (0x7ff62a5c6000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 0
DEBUG - Valid APIs count: 0
DEBUG - RWX destination count: 0
DEBUG - Looking for the IAT at (0x7ff62a5c7000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 68
DEBUG - Valid APIs count: 0
DEBUG - RWX destination count: 0
DEBUG - Looking for the IAT at (0x7ff62a5c8000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 28
DEBUG - Valid APIs count: 0
DEBUG - RWX destination count: 0
DEBUG - Looking for the IAT at (0x7ff62a5c9000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 7
DEBUG - Valid APIs count: 0
DEBUG - RWX destination count: 0
DEBUG - Looking for the IAT at (0x7ff62a5ca000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 69
DEBUG - Valid APIs count: 0
DEBUG - RWX destination count: 0
DEBUG - Looking for the IAT at (0x7ff62a5d2000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 93
DEBUG - Valid APIs count: 0
DEBUG - RWX destination count: 0
DEBUG - Looking for the IAT at (0x7ff62a5d3000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 74
DEBUG - Valid APIs count: 0
DEBUG - RWX destination count: 0
DEBUG - Looking for the IAT at (0x7ff62a5d4000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 34
DEBUG - Valid APIs count: 0
DEBUG - RWX destination count: 0
DEBUG - Looking for the IAT at (0x7ff62a5d5000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 2
DEBUG - Valid APIs count: 0
DEBUG - RWX destination count: 0
DEBUG - Looking for the IAT at (0x7ff62a5d6000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 72
DEBUG - Valid APIs count: 0
DEBUG - RWX destination count: 0
DEBUG - Looking for the IAT at (0x7ff62a5dc000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 95
DEBUG - Valid APIs count: 0
DEBUG - RWX destination count: 0
DEBUG - Looking for the IAT at (0x7ff62a5dd000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 99
DEBUG - Valid APIs count: 0
DEBUG - RWX destination count: 0
DEBUG - Looking for the IAT at (0x7ff62a5de000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - RWX destination count: 0
DEBUG - Looking for the IAT at (0x7ff62a5df000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - RWX destination count: 0
DEBUG - Looking for the IAT at (0x7ff62b676000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 95
DEBUG - Valid APIs count: 0
DEBUG - RWX destination count: 0
DEBUG - Looking for the IAT at (0x7ff62b677000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - RWX destination count: 0
DEBUG - Looking for the IAT at (0x7ff62b678000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - RWX destination count: 0
DEBUG - Looking for the IAT at (0x7ff62b679000, 0x1000)
DEBUG - Scanning 100 elements, pointer size is 8
DEBUG - Potential start offset 0x0 for the IAT
DEBUG - Non-null pointer count: 100
DEBUG - Valid APIs count: 0
DEBUG - RWX destination count: 0
ERROR - IAT not found

Cannot `pip install` with Python 3.10.4 due to `<=3.10` requirement

With Python 3.10.4 installed, `pip install .` gives:

Defaulting to user installation because normal site-packages is not writeable
Processing c:\users\alex\source\repos\unlicense
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
Collecting lief<0.12,>=0.11
  Downloading lief-0.11.5-cp310-cp310-win_amd64.whl (4.5 MB)
     ---------------------------------------- 4.5/4.5 MB 22.0 MB/s eta 0:00:00
Collecting fire<0.5,>=0.4
  Downloading fire-0.4.0.tar.gz (87 kB)
     ---------------------------------------- 87.7/87.7 kB ? eta 0:00:00
  Preparing metadata (setup.py) ... done
Collecting unicorn<2.0,>=1.0
  Downloading unicorn-1.0.3-py2.py3-none-win_amd64.whl (1.7 MB)
     ---------------------------------------- 1.7/1.7 MB 35.0 MB/s eta 0:00:00
Collecting xxhash<3.0,>=2.0
  Downloading xxhash-2.0.2.tar.gz (64 kB)
     ---------------------------------------- 64.3/64.3 kB 3.6 MB/s eta 0:00:00
  Preparing metadata (setup.py) ... done
Collecting capstone<5.0,>=4.0
  Downloading capstone-4.0.2-py2.py3-none-win_amd64.whl (896 kB)
     ---------------------------------------- 896.4/896.4 kB 28.6 MB/s eta 0:00:00
Collecting frida<16.0,>=15.1
  Downloading frida-15.2.2.tar.gz (11 kB)
  Preparing metadata (setup.py) ... done
Collecting pyscylla<0.12.0,>=0.11.0
  Downloading pyscylla-0.11.0-cp310-cp310-win_amd64.whl (545 kB)
     ---------------------------------------- 545.7/545.7 kB 33.5 MB/s eta 0:00:00
ERROR: Package 'unlicense' requires a different Python: 3.10.4 not in '<=3.10,>=3.8'
WARNING: There was an error checking the latest version of pip.

Maybe that should be <3.11 (or something) to allow minor Python updates in the 3.10.z range?
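Why the install above is rejected, as an added example (not code from unlicense or pip): version comparison pads the shorter release with zeros, so `<=3.10` means `<=3.10.0` and 3.10.4 falls outside it. The function names are hypothetical and the comparison is a simplified model of PEP 440 that handles final releases only (no pre-releases, wildcards or `~=`).

```python
import re
from itertools import zip_longest

# One clause such as "<=3.10"; only plain dotted release numbers are accepted.
_CLAUSE = re.compile(r"^(<=|>=|==|!=|<|>)\s*(\d+(?:\.\d+)*)$")

_OPS = {
    "<": lambda c: c < 0, "<=": lambda c: c <= 0,
    ">": lambda c: c > 0, ">=": lambda c: c >= 0,
    "==": lambda c: c == 0, "!=": lambda c: c != 0,
}

def _release(version):
    """Turn '3.10.4' into (3, 10, 4)."""
    return tuple(int(part) for part in version.split("."))

def _compare(a, b):
    """Compare release tuples after zero-padding, so 3.10 equals 3.10.0."""
    for x, y in zip_longest(a, b, fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0

def satisfies(version, specifiers):
    """True if `version` meets every comma-separated clause."""
    candidate = _release(version)
    for clause in specifiers.split(","):
        match = _CLAUSE.match(clause.strip())
        if match is None:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, bound = match.groups()
        if not _OPS[op](_compare(candidate, _release(bound))):
            return False
    return True

def report(specifiers, versions):
    """Map each interpreter version to whether the requirement admits it."""
    return {v: satisfies(v, specifiers) for v in versions}

PAGE_SPEC = "<=3.10,>=3.8"     # requirement quoted in the pip error above
PROPOSED_SPEC = ">=3.8,<3.11"  # the "<3.11" bound suggested in the issue

if __name__ == "__main__":
    versions = ["3.8", "3.10.0", "3.10.4", "3.11.0"]  # constructed samples
    for spec in (PAGE_SPEC, PROPOSED_SPEC):
        print(spec, report(spec, versions))
```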

Unable to find IAT

I'm getting: ERROR:unlicense.winlicense3:IAT not found.
Anything I can do about it? Also it didn't recognize the Themida version, so I forced it with the flag. I'm sure it's Themida 3, 32-bit.

Extra sections

I'm unsure if this is an actual error with unlicense, due to my lack of knowledge of Themida-packed executables, but there seem to be some extra sections in the unpacked binary?
The data also seems to contain strings that would only exist at runtime.
But feel free to close this if it's not due to unlicense.

Error: access violation accessing 0xe05000

Good job on that tool.
Anyway, there is an exception when resolving imports.

OS: Windows 11

the stack exception

frida-agent: Setting up OEP tracing for "unpackchallenge.exe"
frida-agent: Possible OEP (thread #19448): 0x640029
INFO:unlicense:OEP reached: OEP=0x640029 BASE=0x5c0000)
INFO:unlicense.winlicense3:IAT found: 0xe05000
INFO:unlicense.winlicense3:Resolving imports ...
Traceback (most recent call last):
  File "M:\My_Projects\unlicense\unlicense\frida_exec.py", line 91, in write_process_memory
    self._frida_rpc.write_process_memory(address, data)
  File "C:\Users\Abo Tabekh\AppData\Roaming\Python\Python39\site-packages\frida\core.py", line 468, in method
    return script._rpc_request('call', js_name, args, **kwargs)
  File "C:\Users\Abo Tabekh\AppData\Roaming\Python\Python39\site-packages\frida\core.py", line 26, in wrapper
    return f(*args, **kwargs)
  File "C:\Users\Abo Tabekh\AppData\Roaming\Python\Python39\site-packages\frida\core.py", line 400, in _rpc_request
    raise result[2]
frida.core.RPCException: Error: access violation accessing 0xe05000
    at writeProcessMemory (/script1.js:129)
    at apply (native)
    at <anonymous> (frida/runtime/message-dispatcher.js:13)
    at c (frida/runtime/message-dispatcher.js:23)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "C:\Program Files (x86)\Microsoft Visual Studio\Shared\Python39_86\lib\runpy.py", line 197, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "C:\Program Files (x86)\Microsoft Visual Studio\Shared\Python39_86\lib\runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "M:\My_Projects\unlicense\unlicense\__main__.py", line 4, in <module>
    main()
  File "M:\My_Projects\unlicense\unlicense\application.py", line 19, in main
    fire.Fire(run_unlicense)
  File "C:\Users\Abo Tabekh\AppData\Roaming\Python\Python39\site-packages\fire\core.py", line 141, in Fire
    component_trace = _Fire(component, args, parsed_flag_args, context, name)
  File "C:\Users\Abo Tabekh\AppData\Roaming\Python\Python39\site-packages\fire\core.py", line 466, in _Fire
    component, remaining_args = _CallAndUpdateTrace(
  File "C:\Users\Abo Tabekh\AppData\Roaming\Python\Python39\site-packages\fire\core.py", line 681, in _CallAndUpdateTrace
    component = fn(*varargs, **kwargs)
  File "M:\My_Projects\unlicense\unlicense\application.py", line 84, in run_unlicense
    winlicense3.fix_and_dump_pe(process_controller, exe_to_dump,
  File "M:\My_Projects\unlicense\unlicense\winlicense3.py", line 25, in fix_and_dump_pe
    unwrap_res = _unwrap_iat(iat_range, process_controller)
  File "M:\My_Projects\unlicense\unlicense\winlicense3.py", line 118, in _unwrap_iat
    process_controller.write_process_memory(
  File "M:\My_Projects\unlicense\unlicense\frida_exec.py", line 93, in write_process_memory
    raise WriteProcessMemoryError from e
unlicense.process_control.WriteProcessMemoryError

Universal Windows Platform Applications: - INFO:unlicense.winlicense2:Looking for wrapped imports ...

Although in my case I was able to solve this simply by using a win32 variant of the application, I think I should mention that when I tried this on the release version from the Microsoft Store, I get
"ERROR:unlicense:Failed to automatically detect packer version" error

C:\Users\User\Downloads>py -m unlicense "C:\Program Files\WindowsApps\Microsoft.MinecraftUWP_1.18.1201.0_x64__8wekyb3d8bbwe\Minecraft.Windows.exe"
ERROR:unlicense:Failed to automatically detect packer version

I am guessing this is because of the fact it is an executable for the Universal Windows Platform.

MemoryError: bad allocation (NetEase, Minecraft.Windows.exe)

C:\Users\User\Downloads\2.1.0.159689>py -m unlicense Minecraft.Windows.exe --pause_on_oep
frida-agent: Setting up OEP tracing for "Minecraft.Windows.exe"
frida-agent: Possible OEP (thread #23592): 0x900921e
INFO:unlicense:OEP reached: OEP=0x900921e BASE=0xb40000)
Thread blocked, press ENTER to proceed with the dumping.
ERROR:unlicense.winlicense3:IAT not found

stuck in Generating exports' hashes

Hello again,

I tried the recent v0.3.0 that you released (thanks a lot btw) to try and unpack the Delphi binary I sent you.

The compiled PyInstaller still has issues with external DLL dependencies, so I tried the pip method as you suggested.
It now correctly detects the OEP but gets stuck in Generating exports' hashes.

I ran it with verbose in case it helps

INFO - Detected packer version: 2.x
DEBUG - Probed .text section at (0x1000, 0xd3d000)
frida-agent: Setting up OEP tracing for "xxx.dll"
frida-agent: Target module has been loaded (thread #2492) ...
frida-agent: Exception handler registered
frida-agent: OEP found (thread #2492): 0x4a3aa7c
INFO - OEP reached: OEP=0x4a3aa7c BASE=0x4500000 DOTNET=False
DEBUG - 0x4501000 - 0xd3d000
DEBUG - .text section: (base=0x4501000, size=0xd3d000, prot=r-x)
INFO - Looking for wrapped imports ...
INFO - Potential import wrappers found: 23
INFO - Generating exports' hashes, this might take some time ...

Looking at the code, it seems the Generating exports' hashes is only necessary for 32-bit binaries.
Since this debug line is not reached

LOG.debug("Hashing exports for %s", str(modules))

I suspect the program is stuck in process_controller.enumerate_modules()

Also, when looking at CPU usage in Task Manager, unlicense uses around 20% CPU time but it drops to 0 as soon as the INFO - Generating exports' hashes, this might take some time ... line is reached. I hope this helps.

Any ideas?
