IAT restoration problems

[sciasplusplus]

Hello,

I discovered few issues with Themida 2.x unpacking and will begin listing them:

1. It seems like frida fails to load understand ordinals (for example mfc100u.dll in the attachements, can be a lot more).
2. Sometimes there is IAT reference inside a mov instruction, however unlicense fails to find those and pyscylla doesn't repair it.
3. Some calls cannot be identified at all, so for example with this binary the issue is that majority of the filters do not work.
   
   stuff like this will not be restored, but it should be restored as a jump
   a lot of calls like this:
   
   also fail to get restored

In total around 600 imports were restored, however it should restore 1.2k in total-ish

You can find the binary here if needed: https://easyupload.io/wal48d ; the start parameter pxk19slammsu286nfha02kpqnf729ck is also required when going past OEP.

[ergrelet]

Hi! Thanks for the detailed report! I'll take a look when I have the time 👍