@@ -1,3 +1,8 @@

+Fri Jan 14 14:51:01 CET 2006 (acab)

+---------------------------------

+  * libclamav: added yC support

+  		thanks a lot to Ivan Zlatev <pumqara*gmail.com>

+  

 Fri Jan 13 14:53:45 CET 2006 (tk)

 ---------------------------------

   * libclamav/vba_extract.c: fix possible memory leak, reported by  Cesar

@@ -141,6 +141,8 @@ libclamav_la_SOURCES = \

 	pdf.h \

 	spin.c \

 	spin.h \

+	yc.c \

+	yc.h \

 	elf.c \

 	elf.h \

 	execs.h \

@@ -86,7 +86,7 @@ am_libclamav_la_OBJECTS = matcher-ac.lo matcher-bm.lo matcher.lo \

 	chmunpack.lo rebuildpe.lo petite.lo fsg.lo line.lo untar.lo \

 	special.lo binhex.lo is_tar.lo tnef.lo unrar15.lo unrarvm.lo \

 	unrar.lo unrarfilter.lo unrarppm.lo unrar20.lo unrarcmd.lo \

-	pdf.lo spin.lo elf.lo sis.lo

+	pdf.lo spin.lo yc.lo elf.lo sis.lo

 libclamav_la_OBJECTS = $(am_libclamav_la_OBJECTS)

 DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)

 depcomp = $(SHELL) $(top_srcdir)/depcomp

@@ -335,6 +335,8 @@ libclamav_la_SOURCES = \

 	pdf.h \

 	spin.c \

 	spin.h \

+	yc.c \

+	yc.h \

 	elf.c \

 	elf.h \

 	execs.h \

@@ -462,6 +464,7 @@ distclean-compile:

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/untar.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/upx.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/vba_extract.Plo@am__quote@

+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/yc.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/zzip-dir.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/zzip-err.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/zzip-file.Plo@am__quote@

@@ -35,10 +35,11 @@

 #include "clamav.h"

 #include "others.h"

 #include "pe.h"

-#include "upx.h"

 #include "petite.h"

 #include "fsg.h"

 #include "spin.h"

+#include "upx.h"

+#include "yc.h"

 #include "scanners.h"

 #include "rebuildpe.h"

 #include "str.h"

@@ -1581,6 +1582,79 @@ int cli_scanpe(int desc, const char **virname, long int *scanned, const struct c

 	}

     }

+

+    /* yC 1.3 */

+

+    if(nsections > 1 &&

+       EC32(optional_hdr32.AddressOfEntryPoint) == EC32(section_hdr[nsections - 1].VirtualAddress) + 0x60 &&

+       memcmp(buff, "\x55\x8B\xEC\x53\x56\x57\x60\xE8\x00\x00\x00\x00\x5D\x81\xED\x6C\x28\x40\x00\xB9\x5D\x34\x40\x00\x81\xE9\xC6\x28\x40\x00\x8B\xD5\x81\xC2\xC6\x28\x40\x00\x8D\x3A\x8B\xF7\x33\xC0\xEB\x04\x90\xEB\x01\xC2\xAC", 51) == 0)  {

+

+	    struct stat fstats;

+	    char *spinned;

+

+	if(fstat(desc, &fstats) == -1) {

+	    free(section_hdr);

+	    return CL_EIO;

+	}

+

+	if ( fstats.st_size >= EC32(section_hdr[nsections - 1].PointerToRawData) + 0xC6 + 0xb97 ) { /* size check on yC sect */

+	  if((spinned = (char *) cli_malloc(fstats.st_size)) == NULL) {

+	    free(section_hdr);

+	    return CL_EMEM;

+	  }

+

+	  lseek(desc, 0, SEEK_SET);

+	  if(read(desc, spinned, fstats.st_size) != fstats.st_size) {

+	    cli_dbgmsg("yC: Can't read %d bytes\n", fstats.st_size);

+	    free(spinned);

+	    free(section_hdr);

+	    return CL_EIO;

+	  }

+	  

+	  tempfile = cli_gentemp(NULL);

+	  if((ndesc = open(tempfile, O_RDWR|O_CREAT|O_TRUNC, S_IRWXU)) < 0) {

+	    cli_dbgmsg("yC: Can't create file %s\n", tempfile);

+	    free(tempfile);

+	    free(spinned);

+	    free(section_hdr);

+	    return CL_EIO;

+	  }

+	  

+	  if(!yc_decrypt(spinned, fstats.st_size, section_hdr, nsections-1, e_lfanew, ndesc)) {

+	    free(spinned);

+	    cli_dbgmsg("yC: Unpacked and rebuilt executable saved in %s\n", tempfile);

+	    fsync(ndesc);

+	    lseek(ndesc, 0, SEEK_SET);

+	    

+	    if(cli_magic_scandesc(ndesc, virname, scanned, engine, limits, options, arec, mrec) == CL_VIRUS) {

+	      free(section_hdr);

+	      close(ndesc);

+	      if(!cli_leavetemps_flag) {

+		unlink(tempfile);

+		free(tempfile);

+	      } else {

+		free(tempfile);

+	      }

+	      return CL_VIRUS;

+	    }

+	    

+	  } else {

+	    free(spinned);

+	    cli_dbgmsg("yC: Rebuilding failed\n");

+	  }

+	  

+	  close(ndesc);

+	  if(!cli_leavetemps_flag) {

+	    unlink(tempfile);

+	    free(tempfile);

+	  } else {

+	    free(tempfile);

+	  }

+

+

+	}

+    }

+

     /* to be continued ... */

     free(section_hdr);

new file mode 100644

@@ -0,0 +1,253 @@

+/*

+ *  Copyright (C) 2005 Ivan Zlatev <pumqara@gmail.com>

+ *

+ *  This program is free software; you can redistribute it and/or modify

+ *  it under the terms of the GNU General Public License as published by

+ *  the Free Software Foundation; either version 2 of the License, or

+ *  (at your option) any later version.

+ *

+ *  This program is distributed in the hope that it will be useful,

+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of

+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ *  GNU General Public License for more details.

+ *

+ *  You should have received a copy of the GNU General Public License

+ *  along with this program; if not, write to the Free Software

+ *  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

+ */

+

+/* Decrypts files, protected by Y0da Cryptor 1.3 */

+

+/* aCaB:

+ * 13/01/2006 - merged standalone unpacker into libclamav

+ * 14/01/2006 - major rewrite and bugfix

+ */

+ 

+

+#include <string.h>

+

+#if HAVE_CONFIG_H

+#include "clamav-config.h"

+#endif

+

+#include "cltypes.h"

+#include "pe.h"

+#include "others.h"

+

+

+// Macros were created by aCaB

+#define ROL(a,b) a = ( a << (b % (sizeof(a)<<3) ))  |  (a >> (  (sizeof(a)<<3)  -  (b % (sizeof(a)<<3 )) ) )

+#define ROR(a,b) a = ( a >> (b % (sizeof(a)<<3) ))  |  (a << (  (sizeof(a)<<3)  -  (b % (sizeof(a)<<3 )) ) )

+

+#if WORDS_BIGENDIAN == 0

+#define EC16(v)	(v)

+#define EC32(v) (v)

+#else

+static inline uint16_t EC16(uint16_t v)

+{

+  return ((v >> 8) + (v << 8));

+}

+

+static inline uint32_t EC32(uint32_t v)

+{

+  return ((v >> 24) | ((v & 0x00FF0000) >> 8) | ((v & 0x0000FF00) << 8) | (v << 24));

+}

+#endif

+

+//==================================================================================

+// "Emulates" the poly decryptors

+//

+static int yc_poly_emulator(char* decryptor_offset, char* code, unsigned int ecx)

+{

+

+  /* 

+     This is the instruction set of the poly code.

+     Numbers stand for example only.

+

+     2C 05            SUB AL,5

+     2AC1             SUB AL,CL

+     34 10            XOR AL,10

+     32C1             XOR AL,CL

+     FEC8             DEC AL

+     04 10            ADD AL,10

+     02C1             ADD AL,CL

+     C0C0 06          ROL AL,6

+     C0C8 05          ROR AL,5

+     D2C8             ROR AL,CL

+     D2C0             ROL AL,CL

+

+  */

+  //	unsigned int ecx = len2decrypt;

+  unsigned char al;

+  unsigned char cl = ecx & 0xff;

+  unsigned int j=0,i=0;

+

+  for(i;i<ecx;i++) // Byte looper - Decrypts every byte and write it back

+    {

+      al = code[i];

+

+      for(j=0;j<0x30;j++)   // Poly Decryptor "Emulator"

+	{

+	  switch(decryptor_offset[j])

+	    {

+

+	    case '\xEB':	// JMP short

+	      j++;

+	      j = j + decryptor_offset[j];

+	      break;

+

+	    case '\xFE':	// DEC  AL

+	      al--;

+	      j++;

+	      break;

+

+	    case '\x2A':	// SUB AL,CL

+	      al = al - cl;

+	      j++;

+	      break;

+

+	    case '\x02':	// ADD AL,CL

+	      al = al + cl;

+	      j++;

+	      break

+		;

+	    case '\x32':	// XOR AL,CL

+	      al = al ^ cl;

+	      j++;

+	      break;

+	      ;

+	    case '\x04':	// ADD AL,num

+	      j++;

+	      al = al + decryptor_offset[j];

+	      break;

+	      ;

+	    case '\x34':	// XOR AL,num

+	      j++;

+	      al = al ^ decryptor_offset[j];

+	      break;

+

+	    case '\x2C':	// SUB AL,num

+	      j++;

+	      al = al - decryptor_offset[j];

+	      break;

+

+			

+	    case '\xC0':

+	      j++;

+	      if(decryptor_offset[j]=='\xC0') // ROL AL,num

+		{

+		  j++;

+		  al = ROL(al,decryptor_offset[j]);

+		}

+	      else			// ROR AL,num

+		{

+		  j++;

+		  ROR(al,decryptor_offset[j]);

+		}

+	      break;

+

+	    case '\xD2':

+	      j++;

+	      if(decryptor_offset[j]=='\xC8') // ROR AL,CL

+		{

+		  j++;

+		  ROR(al,cl);

+		}

+	      else			// ROL AL,CL

+		{

+		  j++;

+		  ROL(al,cl);

+		}

+	      break;

+

+	    case '\x90':

+	    case '\xf8':

+	    case '\xf9':

+	      break;

+

+	    default:

+	      cli_dbgmsg("yC: Unhandled opcode %x\n", (unsigned char)decryptor_offset[j]);

+	    }

+	}

+      cl--;

+      code[i] = al;

+    }

+  return 0;

+

+}

+

+

+//==================================================================================

+// Main routine which calls all others

+//

+int yc_decrypt(char *fbuf, unsigned int filesize, struct pe_image_section_hdr *sections, unsigned int sectcount, uint32_t peoffset, int desc)

+{

+  uint32_t ycsect = EC32(sections[sectcount].PointerToRawData);

+  int i = 0;

+  struct pe_image_file_hdr *pe = (struct pe_image_file_hdr*) (fbuf + peoffset);

+

+  /* 

+

+  First layer (decryptor of the section decryptor) in last section 

+

+  Start offset for analyze: Start of yC Section + 0x93

+  End offset for analyze: Start of yC Section + 0xC3

+  Lenght to decrypt - ECX = 0xB97

+

+  */

+  cli_dbgmsg("yC: decrypting decryptor on sect %d\n", sectcount); 

+  if (yc_poly_emulator(fbuf + ycsect + 0x93, fbuf + ycsect + 0xc6 ,0xB97))

+    return 1;

+  filesize-=EC32(sections[sectcount].SizeOfRawData);

+

+  /* 

+

+  Second layer (decryptor of the sections) in last section 

+

+  Start offset for analyze: Start of yC Section + 0x457

+  End offset for analyze: Start of yC Section + 0x487

+  Lenght to decrypt - ECX = Raw Size of Section

+

+  */

+

+

+  // Loop through all sections and decrypt them...

+  for(i;i<sectcount;i++)

+    {

+      uint32_t name = (uint32_t) cli_readint32((char *)sections[i].Name);

+      if ( name == 0x63727372 || // rsrc

+	   name == 0x7273722E || // .rsr

+	   name == 0x6F6C6572 || // relo

+	   name == 0x6C65722E || // .rel

+	   name == 0x6164652E || // .eda

+	   name == 0x6164722E || // .rda

+	   name == 0x6164692E || // .ida

+	   name == 0x736C742E || // .tls

+	   name&0xffff == 0x4379 || // yC

+	   EC32(sections[i].PointerToRawData) == 0 ||

+	   EC32(sections[i].SizeOfRawData) == 0 ) continue;

+      cli_dbgmsg("yC: decrypting sect%d\n",i); 

+      if (yc_poly_emulator(fbuf + ycsect + 0x457, fbuf + EC32(sections[i].PointerToRawData), EC32(sections[i].SizeOfRawData)))

+	return 1;

+    }

+

+  // Remove yC section

+  pe->NumberOfSections=EC16(EC16(pe->NumberOfSections)-1);

+

+  // Remove IMPORT_DIRECTORY information

+  memset((char *)pe + sizeof(struct pe_image_file_hdr) + 0x68, 0, 8);

+

+  // OEP resolving

+  // OEP = DWORD PTR [ Start of yC section+ A0F]

+  cli_writeint32((char *)pe + sizeof(struct pe_image_file_hdr) + 16, cli_readint32(fbuf + ycsect + 0xa0f));

+

+  // Fix SizeOfImage

+  cli_writeint32((char *)pe + sizeof(struct pe_image_file_hdr) + 0x38, cli_readint32((char *)pe + sizeof(struct pe_image_file_hdr) + 0x38) - EC32(sections[sectcount].VirtualSize));

+

+  if (cli_writen(desc, fbuf, filesize)==-1) {

+    cli_dbgmsg("yc: Cannot write unpacked file\n");

+    return 1;

+  }

+  return 0;

+}

+

new file mode 100644

@@ -0,0 +1,27 @@

+/*

+ *  Copyright (C) 2005 aCaB <acab@clamav.net>

+ *

+ *  This program is free software; you can redistribute it and/or modify

+ *  it under the terms of the GNU General Public License as published by

+ *  the Free Software Foundation; either version 2 of the License, or

+ *  (at your option) any later version.

+ *

+ *  This program is distributed in the hope that it will be useful,

+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of

+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ *  GNU General Public License for more details.

+ *

+ *  You should have received a copy of the GNU General Public License

+ *  along with this program; if not, write to the Free Software

+ *  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

+ */

+

+#ifndef __YC_H

+#define __YC_H

+

+#include "pe.h"

+#include "cltypes.h"

+

+int yc_decrypt(char *, unsigned int, struct pe_image_section_hdr *, unsigned int, uint32_t, int);

+

+#endif