For certain aspack versions, the code wasn't restoring the correct
entrypoint. This had ramifications for unpacked-file scanning, since
an EP that points outside the file now causes the PE to have no .MDB
sigs evaluated against it (a change from earlier versions, but one the
MRT is OK with).
... | ... |
@@ -43,6 +43,10 @@ |
43 | 43 |
#define ASPACK_WRKBUF_OFFSET_OTHER 0x13a |
44 | 44 |
#define ASPACK_WRKBUF_OFFSET_242 0x148 |
45 | 45 |
|
46 |
+#define ASPACK_OEP_OFFSET_212 0x39b |
|
47 |
+#define ASPACK_OEP_OFFSET_OTHER 0x401 |
|
48 |
+#define ASPACK_OEP_OFFSET_242 0x40d |
|
49 |
+ |
|
46 | 50 |
struct DICT_HELPER { |
47 | 51 |
uint32_t *starts; |
48 | 52 |
uint8_t *ends; |
... | ... |
@@ -358,7 +362,7 @@ int unaspack(uint8_t *image, unsigned int size, struct cli_exe_section *sections |
358 | 358 |
uint32_t block_rva = 1, block_size; |
359 | 359 |
struct cli_exe_section *outsects; |
360 | 360 |
|
361 |
- uint32_t blocks_offset, stream_init_multiplier_offset, comp_block_offset, wrkbuf_offset; |
|
361 |
+ uint32_t blocks_offset, stream_init_multiplier_offset, comp_block_offset, wrkbuf_offset, oep_offset; |
|
362 | 362 |
|
363 | 363 |
switch (version) { |
364 | 364 |
case ASPACK_VER_212: |
... | ... |
@@ -367,6 +371,7 @@ int unaspack(uint8_t *image, unsigned int size, struct cli_exe_section *sections |
367 | 367 |
stream_init_multiplier_offset = ASPACK_STR_INIT_MLT_OFFSET_212; |
368 | 368 |
comp_block_offset = ASPACK_COMP_BLOCK_OFFSET_212; |
369 | 369 |
wrkbuf_offset = ASPACK_WRKBUF_OFFSET_212; |
370 |
+ oep_offset = ASPACK_OEP_OFFSET_212; |
|
370 | 371 |
break; |
371 | 372 |
case ASPACK_VER_OTHER: |
372 | 373 |
cli_dbgmsg("Aspack: Attempting to unpack Aspack >2.12, <2.42.\n"); |
... | ... |
@@ -374,6 +379,7 @@ int unaspack(uint8_t *image, unsigned int size, struct cli_exe_section *sections |
374 | 374 |
stream_init_multiplier_offset = ASPACK_STR_INIT_MLT_OFFSET_OTHER; |
375 | 375 |
comp_block_offset = ASPACK_COMP_BLOCK_OFFSET_OTHER; |
376 | 376 |
wrkbuf_offset = ASPACK_WRKBUF_OFFSET_OTHER; |
377 |
+ oep_offset = ASPACK_OEP_OFFSET_OTHER; |
|
377 | 378 |
break; |
378 | 379 |
case ASPACK_VER_242: |
379 | 380 |
cli_dbgmsg("Aspack: Attempting to unpack Aspack 2.42.\n"); |
... | ... |
@@ -381,6 +387,7 @@ int unaspack(uint8_t *image, unsigned int size, struct cli_exe_section *sections |
381 | 381 |
stream_init_multiplier_offset = ASPACK_STR_INIT_MLT_OFFSET_242; |
382 | 382 |
comp_block_offset = ASPACK_COMP_BLOCK_OFFSET_242; |
383 | 383 |
wrkbuf_offset = ASPACK_WRKBUF_OFFSET_242; |
384 |
+ oep_offset = ASPACK_OEP_OFFSET_242; |
|
384 | 385 |
break; |
385 | 386 |
default: |
386 | 387 |
cli_dbgmsg("Aspack: Unexpected/Unknown version number.\n"); |
... | ... |
@@ -484,7 +491,8 @@ int unaspack(uint8_t *image, unsigned int size, struct cli_exe_section *sections |
484 | 484 |
outsects[i].raw = outsects[i].rva; |
485 | 485 |
outsects[i].rsz = outsects[i].vsz; |
486 | 486 |
} |
487 |
- if (!cli_rebuildpe((char *)image, outsects, sectcount, base, cli_readint32(image + ep + 0x39b), 0, 0, f)) { |
|
487 |
+ |
|
488 |
+ if (!cli_rebuildpe((char *)image, outsects, sectcount, base, cli_readint32(image + ep + oep_offset), 0, 0, f)) { |
|
488 | 489 |
cli_dbgmsg("Aspack: rebuild failed\n"); |
489 | 490 |
cli_writen(f, image, size); |
490 | 491 |
} else { |
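Review bot: `cli_readint32(image + ep + oep_offset)` on the new `cli_rebuildpe` line reads four bytes that now sit up to 0x40d past `ep` (0x401 for ASPACK_VER_OTHER, 0x40d for 2.42) rather than the fixed 0x39b, and nothing in these hunks shows `ep + oep_offset + 4` being checked against `size`. If the bounds check earlier in `unaspack` (the function starts and ends outside the hunks) was sized for the old constant or only for the other per-version offsets, a truncated or crafted image now yields an out-of-bounds read on untrusted input right before the rebuild. A guard beside the read would make this self-evidently safe regardless of what precedes it: `if ((uint64_t)ep + oep_offset + 4 > size) { cli_dbgmsg("Aspack: OEP offset out of file\n"); return 0; }` (using whatever failure value the function's other bounds checks return). The three new `ASPACK_OEP_OFFSET_*` defines would also benefit from a one-line comment such as `/* offset from the packed EP of the dword holding the original entry point */`, since the other offset macros give no hint which field they select.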