吾爱破解 - LCG - LSG | Android Cracking | Virus Analysis | www.52pojie.cn

[Unpackers] Unlicense (dynamically unpack executables protected with Themida/WinLicense)

风吹屁屁凉 posted on 2022-6-9 16:13

Unlicense

A Python 3 tool to dynamically unpack executables protected with
Themida/WinLicense 2.x and 3.x.

Warning: This tool will execute the target executable. Make sure to use this
tool in a VM if you're unsure about what the target executable does.

Note: You need to use a 32-bit Python interpreter to dump 32-bit executables.

Features

  • Handles Themida/WinLicense 2.x and 3.x
  • Handles 32-bit and 64-bit PEs (EXEs and DLLs)
  • Handles 32-bit and 64-bit .NET assemblies (EXEs only)
  • Recovers the original entry point (OEP) automatically
  • Recovers the (obfuscated) import table automatically

Known Limitations

  • Doesn't handle .NET assembly DLLs
  • Doesn't automatically recover OEPs for executables with virtualized entry points
  • Doesn't produce runnable dumps in most cases
  • Resolving imports for 32-bit executables packed with Themida 2.x is pretty slow

How To

Download

You can either download the PyInstaller-generated executables from the "Releases"
section or fetch the project with git and install it with pip:

$ git clone https://github.com/ergrelet/unlicense.git
$ pip install unlicense/

Use

If you don't want to deal with the command-line interface (CLI) you can simply
drag-and-drop the target binary on the appropriate (32-bit or 64-bit) unlicense
executable (which is available in the "Releases" section).

Otherwise here's what the CLI looks like:

$ unlicense --help
NAME
    unlicense - Unpack executables protected with Themida/WinLicense 2.x and 3.x

SYNOPSIS
    unlicense EXE_TO_DUMP <flags>

DESCRIPTION
    Unpack executables protected with Themida/WinLicense 2.x and 3.x

POSITIONAL ARGUMENTS
    EXE_TO_DUMP
        Type: str

FLAGS
    --verbose=VERBOSE
        Type: bool
        Default: False
    --pause_on_oep=PAUSE_ON_OEP
        Type: bool
        Default: False
    --force_oep=FORCE_OEP
        Type: Optional[typing.Optional[int]]
        Default: None
    --target_version=TARGET_VERSION
        Type: Optional[typing.Optional[int]]
        Default: None
    --timeout=TIMEOUT
        Type: int
        Default: 10

NOTES
    You can also use flags syntax for POSITIONAL ARGUMENTS


Download:
https://github.com/ergrelet/unlicense/releases


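qqcs6 posted on 2022-6-9 21:24
Automatic unpacking for Themida/WinLicense
szbloger posted on 2023-9-27 18:02
The exe I want to unpack is 32-bit, the system is Win10 64-bit, and the Python I had installed earlier is 3.10.8. It ran without errors, only the final dump was very slow, and I got an exe three times the size. The icon is normal, but it won't run. Checking the unpacked exe with a packer-detection tool shows there is no packer any more.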

D:\P***>unlicense.exe P***.exe
INFO - Detected packer version: 2.x
frida-agent: Setting up OEP tracing for "P***.exe"
frida-agent: Exception handler registered
frida-agent: OEP found (thread #7036): 0x4012a0
INFO - OEP reached: OEP=0x4012a0 BASE=0x400000 DOTNET=False
INFO - Looking for wrapped imports ...
INFO - Potential import wrappers found: 43
INFO - Generating exports' hashes, this might take some time ...
INFO - Resolving imports ...
INFO - Imports resolved: 287
INFO - Generated the fake IAT at 0xef0000, size=0x47c
INFO - Patching call and jmp sites ...
INFO - Dumping PE with OEP=0x4012a0 ...
INFO - Fixing dump ...
INFO - Rebuilding PE ...
INFO - Output file has been saved at 'unpacked_P***.exe'
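
A sanity check for a dump like the one in the post above, added here as an example and not part of unlicense or of the original posts: it parses the `OEP reached` log line, computes the entry point RVA (OEP - BASE, which is 0x12a0 for the log above) and compares it with AddressOfEntryPoint in the dumped PE header. The function names are hypothetical, and it assumes the dump's header entry point is set to the recovered OEP.

```python
import re
import struct
import sys

# Constructed sample: two lines copied from the log in the post above.
SAMPLE_LOG = (
    "INFO - OEP reached: OEP=0x4012a0 BASE=0x400000 DOTNET=False\n"
    "INFO - Imports resolved: 287\n"
)

def parse_log(text):
    """Extract OEP, image base and resolved-import count from unlicense output."""
    m = re.search(r"OEP reached: OEP=(0x[0-9a-fA-F]+) BASE=(0x[0-9a-fA-F]+)", text)
    if not m:
        raise ValueError("no 'OEP reached' line (the run may have timed out)")
    oep, base = int(m.group(1), 16), int(m.group(2), 16)
    imports = re.search(r"Imports resolved: (\d+)", text)
    return {"oep": oep, "base": base, "oep_rva": oep - base,
            "imports": int(imports.group(1)) if imports else None}

def read_pe_entry(data):
    """Return (AddressOfEntryPoint, ImageBase) parsed from raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)   # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 24            # PE signature (4) + COFF file header (20)
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry,) = struct.unpack_from("<I", data, opt + 16)
    if magic == 0x10B:           # PE32
        (base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:         # PE32+
        (base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError("unexpected optional-header magic 0x%x" % magic)
    return entry, base

def check_dump(log_text, pe_bytes):
    """Compare the dump's entry point with OEP - BASE from the log.
    Assumption: the dump's AddressOfEntryPoint is set to the recovered OEP."""
    info = parse_log(log_text)
    entry, image_base = read_pe_entry(pe_bytes)
    return {"expected_rva": info["oep_rva"], "header_rva": entry,
            "image_base": image_base, "match": entry == info["oep_rva"]}

if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: python check_dump.py unlicense.log unpacked.exe
    with open(sys.argv[1]) as log, open(sys.argv[2], "rb") as pe:
        print(check_dump(log.read(), pe.read(0x1000)))
```

A mismatch, or a header that fails to parse, points at the rebuild step rather than at OEP detection; a match only confirms the header, not that the dump is runnable.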
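178111512233 posted on 2022-6-9 16:24
nihao3312 posted on 2022-6-9 16:28
Newbie question: what is this?
云烟成雨 posted on 2022-6-9 17:05
Not a single word of Chinese. Isn't this putting us forum friends to the test?
kexue8 posted on 2022-6-9 17:50
Only English experts can understand this, thanks!
cyantea posted on 2022-6-10 09:48
It reports a package version error: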
ERROR: Could not find a version that satisfies the requirement pyscylla<0.12.0,>=0.11.0 (from unlicense) (from versions: 0.10.0)
ERROR: No matching distribution found for pyscylla<0.12.0,>=0.11.0

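How can I fix this? Thanks!

Comment

https://pypi.org/project/pyscylla/#files Try installing this manually and see. Posted on 2022-6-20 11:14
cyantea posted on 2022-6-10 11:37
Has anyone managed to install it successfully?
yasenhacker posted on 2022-6-11 12:56
Is there a ready-made exe???? OP, please post the compiled version, thanks
黑色靓点 posted on 2022-6-11 17:01
It doesn't work, it returns this: ERROR - Original entry point wasn't reached before timeout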