Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Extraction Problem İf Delete .Bind Section #72

Open
DarkFrost89 opened this issue Apr 15, 2022 · 2 comments
Open

Extraction Problem İf Delete .Bind Section #72

DarkFrost89 opened this issue Apr 15, 2022 · 2 comments
Assignees
@atom0s
Labels
c: core Category: Core c: plugin Category: Plugin p: medium Priority: Medium t: bug Type: Bug t: enhancement Type: Enhancement

Comments

@DarkFrost89
Copy link

Hi @atom0s
Today I have Extraction Problem For Stalker Clear Sky Game
I Try To Delete Bind Files With Steamless
But Steamless Erease Bind Section With Signature File From The Game Same Time And Stripped Exe Doesnt Have Signature File After Exraction
İf I Keep Bind Section Signature File Not Ereased Game Working Good But I Delete Bind Section Signature File Gone And Game Not Working
ALL Files.zip
Ekran Görüntüsü (1)
Can You Fix This İssue Please ?
Best Regards
Dark Frost
@atom0s
Copy link
Owner

atom0s commented Apr 25, 2022

This file has a few problems actually. However, the outcome is probably not going to be what you're looking for at this time.

Invalid Certificate Handling

Steamless does not currently account, at all, for validation certificates. This is mainly because when I first started this project, the goal was not to ensure all resulting files will run, but rather the files would be used for static analysis when doing any kind of modding to the original file at runtime. Because of this, Steamless lacked a handful of specific features that mattered to ensure the resulting binaries are valid to run. (Over the last few years I've updated the various unpackers to deal with this and make most unpacked files run as-is though.)

When a PE file is digitally signed, the certificate is appended to the file as an overlay. The signing process also updates the files IMAGE_DIRECTORY_ENTRY_SECURITY information, setting the VirtualAddress to the file offset where the cert is located and its given size. This does not do anything special to pre-existing overlays as well, it's just added after those.

In the future, the following would need to be added to Steamless for me to be happy with handling certificates:

  • Add support for detecting if a digital signature is present in the packed file.
  • Add support for specifically finding the certificate and its data. (Similar to how the overlay stuff works now.)
  • Add support for specifically finding non-certificate overlay data and keeping it separated from the certificate.
  • Add options to allow for:
    • Keep overlay data specifically.
    • Keep certificate specifically.
  • Add support for handling the IMAGE_DIRECTORY_ENTRY_SECURITY properly in the various use-cases and option settings.

Thus, if a user wishes to drop the overlay data but keep the certificate, they can. (Or keep the overlay but drop the cert etc.)

Again, it is important to note that after unpacking the file, the digital signature is invalid. Regardless of it being added back to the file properly, it will still fail to validate.

I don't really feel like this is an important fix to make/have. (Except nulling out the IMAGE_DIRECTORY_ENTRY_SECURITY to make the header valid at least.) If someone is unpacking a file that is explicitly checking its own certificate for being valid, it will always fail after being unpacked by Steamless because the hashes will no longer be valid. It is better off then to be removed and the file be modded to bypass the verification of the cert altogether.

IAT Inside .bind Section

The next issue with this file is that the stub version used on this file has updated the IMAGE_DIRECTORY_ENTRY_IMPORT address and copied it into the .bind section. When unpacked, the IAT is not altered at all by Steamless, so the address remains inside of the .bind section. If removed, then the IAT VirtualAddress becomes invalid.

This is the first file I have seen do this. The original IAT is still in the file too when unpacked, so it is odd that the entire thing is copied into the .bind section. I'd assume this must have been an early version of the 2.x variant of the protection as there is really no reason the entire IAT should be moved like this when they are already dynamically resolving the imports the stub requires.

I am not really comfortable implementing a 'fix' for this until I see other samples doing the same thing and can see that it is being done in the same manner. Having Steamless make an educated guess at where the original IAT is may not work on all samples, especially if the protection offers a means to null the original IAT and force it to remain in the .bind section only.

Because of this, at the moment, you will have to leave the .bind section in the unpacked file for it to operate properly.

@atom0s atom0s self-assigned this Apr 25, 2022
@atom0s atom0s added c: core Category: Core c: plugin Category: Plugin p: medium Priority: Medium t: bug Type: Bug t: enhancement Type: Enhancement labels Apr 25, 2022
@oureveryday
Copy link

oureveryday commented Jun 8, 2022
edited
Loading

bin.zip
Same problem with this file, keep bind section works.

@chestfindman chestfindman mentioned this issue Aug 8, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@atom0s atom0s

Labels
c: core Category: Core c: plugin Category: Plugin p: medium Priority: Medium t: bug Type: Bug t: enhancement Type: Enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@atom0s @oureveryday @DarkFrost89