R6002 floating point support not loaded
Sometimes we can unpack protected executables in Windows but there is a runtime error
Microsoft Visual C++ Runtime Library
Runtime Error!
Program: ***.unp.exe
R6002
- floating point support not loaded
There is some info in UPX sources: https://github.com/upx/upx/blob/8d42b12117130b944023335cc2b76072c145db4d/src/p_w32pe.cpp#L200
// This works around a "protection" introduced in MSVCRT80, which
// works like this:
// When the compiler detects that it would link in some code from its
// C runtime library which references some data in a read only
// section then it compiles in a runtime check whether that data is
// still in a read only section by looking at the pe header of the
// file. If this check fails the runtime does "interesting" things
// like not running the floating point initialization code - the result
// is a R6002 runtime error.
// These supposed to be read only addresses are covered by the sections
// UPX0 & UPX1 in the compressed files, so we have to patch the PE header
// in the memory. And the page on which the PE header is stored is read
// only so we must make it rw, fix the flags (i.e. clear
// PEFL_WRITE of osection[x].flags), and make it ro again.
This code raises the exception:
.xvlk:0045A560 __IsNonwritableInCurrentImage proc near ; CODE XREF: __except_handler4+FF p
.xvlk:0045A560 ; __cinit+E p
.xvlk:0045A560 ; __cinit+79 p
.xvlk:0045A560 ; __endthreadex+E p
.xvlk:0045A560 ; _threadstartex(x)+6A p
.xvlk:0045A560
.xvlk:0045A560 ms_exc = CPPEH_RECORD ptr -18h
.xvlk:0045A560 arg_0 = dword ptr 8
.xvlk:0045A560
.xvlk:0045A560 push ebp
.xvlk:0045A561 mov ebp, esp
.xvlk:0045A563 push 0FFFFFFFEh
.xvlk:0045A565 push offset stru_4D2228
.xvlk:0045A56A push offset __except_handler4
.xvlk:0045A56F mov eax, large fs:0
.xvlk:0045A575 push eax
.xvlk:0045A576 sub esp, 8
.xvlk:0045A579 push ebx
.xvlk:0045A57A push esi
.xvlk:0045A57B push edi
.xvlk:0045A57C mov eax, dword_4D7A00
.xvlk:0045A581 xor [ebp+ms_exc.registration.ScopeTable], eax
.xvlk:0045A584 xor eax, ebp
.xvlk:0045A586 push eax
.xvlk:0045A587 lea eax, [ebp+ms_exc.registration]
.xvlk:0045A58A mov large fs:0, eax
.xvlk:0045A590 mov [ebp+ms_exc.old_esp], esp
.xvlk:0045A593 mov [ebp+ms_exc.registration.TryLevel], 0
.xvlk:0045A59A push offset __ImageBase
.xvlk:0045A59F call __ValidateImageBase
.xvlk:0045A5A4 add esp, 4
.xvlk:0045A5A7 test eax, eax
.xvlk:0045A5A9 jz short loc_45A600
.xvlk:0045A5AB mov eax, [ebp+arg_0]
.xvlk:0045A5AE sub eax, offset __ImageBase
.xvlk:0045A5B3 push eax
.xvlk:0045A5B4 push offset __ImageBase
.xvlk:0045A5B9 call __FindPESection
.xvlk:0045A5BE add esp, 8
.xvlk:0045A5C1 test eax, eax
.xvlk:0045A5C3 jz short loc_45A600
.xvlk:0045A5C5 mov eax, [eax+24h]
.xvlk:0045A5C8 shr eax, 1Fh
.xvlk:0045A5CB not eax
.xvlk:0045A5CD and eax, 1
I am using the trick in my projects to fix it
if(pDumpOptions->bPatchNWError6002)
{
// 004947D5 |. 8B40 24 MOV EAX,DWORD PTR DS:[EAX+24]
// 004947D8 |. C1E8 1F SHR EAX,1F
// 004947DB |. F7D0 NOT EAX
// 004947DD |. 83E0 01 AND EAX,00000001
qint64 nNWAddress=findSignature(nImageBase,nImageSize,"8B4024C1E81FF7D083E001");
if(nNWAddress!=-1)
{
_messageString(MESSAGE_TYPE_WARNING,tr("NW Address found: 0x%1").arg(nNWAddress,0,16));
// 83 c8
// AND ->OR
write_uint8(nNWAddress+9,0xC8);
}
}
Discussions about the exception: https://forum.exetools.com/showthread.php?t=15330
Written on June 17, 2021