git-svn: trunk@3350
aCaB authored on 2007/11/02 01:04:53... | ... |
@@ -153,7 +153,7 @@ struct UNP { |
153 | 153 |
static uint32_t getbits(struct UNP *UNP, uint32_t size) { |
154 | 154 |
UNP->bitmap.half.h = 0; |
155 | 155 |
if (size > UNP->bits_avail && ((size - UNP->bits_avail - 1)/16+1)*2 > UNP->csize - UNP->cur_input) { |
156 |
- cli_dbgmsg("autoit: getbits() - not enough bits available"); |
|
156 |
+ cli_dbgmsg("autoit: getbits() - not enough bits available\n"); |
|
157 | 157 |
UNP->error = 1; |
158 | 158 |
return 0; /* won't infloop nor spam */ |
159 | 159 |
} |
... | ... |
@@ -325,11 +325,15 @@ static int ea05(int desc, cli_ctx *ctx, char *tmpd) { |
325 | 325 |
} |
326 | 326 |
|
327 | 327 |
free(buf); |
328 |
- if (UNP.error) { |
|
329 |
- cli_dbgmsg("autoit: decompression error\n"); |
|
330 |
- free(UNP.outputbuf); |
|
331 |
- continue; |
|
332 |
- } |
|
328 |
+ /* Sometimes the autoit exe is in turn packed/lamed with a runtime compressor and similar shit. |
|
329 |
+ * However, since the autoit script doesn't compress a second time very well, chances are we're |
|
330 |
+ * still able to match the headers and unpack something (see sample 0811129) |
|
331 |
+ * I'd rather unpack something (although possibly highly corrupted) than nothing at all |
|
332 |
+ * |
|
333 |
+ * - Fortuna audaces iuvat - |
|
334 |
+ */ |
|
335 |
+ if (UNP.error) |
|
336 |
+ cli_dbgmsg("autoit: decompression error - partial file may exist\n"); |
|
333 | 337 |
} else { |
334 | 338 |
cli_dbgmsg("autoit: file is not compressed\n"); |
335 | 339 |
UNP.outputbuf = buf; |
... | ... |
@@ -630,11 +634,8 @@ static int ea06(int desc, cli_ctx *ctx, char *tmpd) { |
630 | 630 |
} |
631 | 631 |
|
632 | 632 |
free(buf); |
633 |
- if (UNP.error) { |
|
634 |
- cli_dbgmsg("autoit: decompression error\n"); |
|
635 |
- free(UNP.outputbuf); |
|
636 |
- continue; |
|
637 |
- } |
|
633 |
+ if (UNP.error) |
|
634 |
+ cli_dbgmsg("autoit: decompression error - partial file may exist\n"); |
|
638 | 635 |
} else { |
639 | 636 |
cli_dbgmsg("autoit: file is not compressed\n"); |
640 | 637 |
UNP.outputbuf = buf; |
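Review bot: Dropping the `continue` on `UNP.error` lets a partially decompressed `UNP.outputbuf` flow into the tokenizer below, but nothing trims `UNP.usize` to what was actually produced, so the later `<INT64>`/`<DOUBLE>` cases that index `UNP.outputbuf[UNP.cur_input]` up to `UNP.usize` will read bytes the decompressor never wrote — heap garbage unless the buffer was zero-allocated, which this hunk does not show. If the decompressor tracks its write position in `UNP.cur_output` (the non-script path later does `UNP.cur_output = UNP.usize`), the salvage intended by the comment should be made explicit: `if (UNP.error) { cli_dbgmsg(...); UNP.usize = UNP.cur_output; }` before parsing, or `memset` the tail. The ea05 hunk above makes the identical change and needs the same trim. `ea06` begins outside this hunk.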
... | ... |
@@ -677,10 +678,36 @@ static int ea06(int desc, cli_ctx *ctx, char *tmpd) { |
677 | 677 |
} |
678 | 678 |
buf = newout; |
679 | 679 |
} |
680 |
- UNP.cur_output += snprintf((char *)&buf[UNP.cur_output], 12, "0x%08x ", cli_readint32((char *)&UNP.outputbuf[UNP.cur_input])); |
|
680 |
+ snprintf((char *)&buf[UNP.cur_output], 12, "0x%08x ", cli_readint32((char *)&UNP.outputbuf[UNP.cur_input])); |
|
681 |
+ UNP.cur_output += 11; |
|
681 | 682 |
UNP.cur_input += 4; |
682 | 683 |
break; |
683 | 684 |
|
685 |
+ case 0x10: /* <INT64> */ { |
|
686 |
+ uint64_t val; |
|
687 |
+ if (UNP.usize < 8 || UNP.cur_input >= UNP.usize-8) { |
|
688 |
+ UNP.error = 1; |
|
689 |
+ cli_dbgmsg("autoit: not enough space for an int64\n"); |
|
690 |
+ break; |
|
691 |
+ } |
|
692 |
+ if (UNP.cur_output+20 >= UNP.csize) { |
|
693 |
+ uint8_t *newout; |
|
694 |
+ UNP.csize += 512; |
|
695 |
+ if (!(newout = cli_realloc(buf, UNP.csize))) { |
|
696 |
+ UNP.error = 1; |
|
697 |
+ break; |
|
698 |
+ } |
|
699 |
+ buf = newout; |
|
700 |
+ } |
|
701 |
+ val = (uint64_t)cli_readint32((char *)&UNP.outputbuf[UNP.cur_input+4]); |
|
702 |
+ val <<=32; |
|
703 |
+ val += (uint64_t)cli_readint32((char *)&UNP.outputbuf[UNP.cur_input]); |
|
704 |
+ snprintf((char *)&buf[UNP.cur_output], 20, "0x%016lx ", val); |
|
705 |
+ UNP.cur_output += 19; |
|
706 |
+ UNP.cur_input += 8; |
|
707 |
+ break; |
|
708 |
+ } |
|
709 |
+ |
|
684 | 710 |
case 0x20: /* <DOUBLE> */ |
685 | 711 |
if (UNP.usize < 8 || UNP.cur_input >= UNP.usize-8) { |
686 | 712 |
UNP.error = 1; |
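Review bot: The new `<INT64>` case mis-assembles `val` when the low 32-bit word is negative: if `cli_readint32()` returns a signed `int32_t` (its name and the `0x%08x` cast in the `<INT32>` case suggest so), `(uint64_t)cli_readint32(low)` sign-extends to `0xffffffff........` and the `+=` then corrupts the high word, e.g. high=0, low=-1 yields `0xffffffffffffffff` instead of `0x00000000ffffffff`. Separately, `"0x%016lx "` with a `uint64_t` argument is undefined on targets where `long` is 32 bits (ILP32 Linux, Win64), where it prints half the value and misaligns the varargs. Both are fixed by `val = (uint64_t)(uint32_t)cli_readint32((char *)&UNP.outputbuf[UNP.cur_input+4]) << 32;`, `val |= (uint32_t)cli_readint32((char *)&UNP.outputbuf[UNP.cur_input]);` and `snprintf((char *)&buf[UNP.cur_output], 20, "0x%016llx ", (unsigned long long)val);`. The 19-byte advance and the `cur_output+20` growth check are consistent with that format. `ea06` begins and ends outside this hunk.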
... | ... |
@@ -834,8 +861,6 @@ static int ea06(int desc, cli_ctx *ctx, char *tmpd) { |
834 | 834 |
UNP.cur_output = UNP.usize ; |
835 | 835 |
} |
836 | 836 |
|
837 |
- /* FIXME: TODO send to text notmalization */ |
|
838 |
- |
|
839 | 837 |
snprintf(tempfile, 1023, "%s/autoit.%.3u", tmpd, files); |
840 | 838 |
tempfile[1023]='\0'; |
841 | 839 |
if((i = open(tempfile, O_RDWR|O_CREAT|O_TRUNC|O_BINARY, S_IRWXU)) < 0) { |
... | ... |
@@ -856,7 +881,7 @@ static int ea06(int desc, cli_ctx *ctx, char *tmpd) { |
856 | 856 |
cli_dbgmsg("autoit: %s successfully extracted\n", (script)?"script":"file"); |
857 | 857 |
fsync(i); |
858 | 858 |
lseek(i, 0, SEEK_SET); |
859 |
- if(cli_magic_scandesc(i, ctx) == CL_VIRUS) { |
|
859 |
+ if(0 /*cli_magic_scandesc(i, ctx) == CL_VIRUS*/) { /* FIXME REENABLE */ |
|
860 | 860 |
close(i); |
861 | 861 |
if(!cli_leavetemps_flag) unlink(tempfile); |
862 | 862 |
return CL_VIRUS; |
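Review bot: `if(0 /*cli_magic_scandesc(i, ctx) == CL_VIRUS*/)` disables the only scan of the extracted AutoIt script/file, so everything this unpacker writes to `tempfile` is never inspected and the `return CL_VIRUS` branch below is dead code — any malware carried inside an AutoIt executable passes cleanly while this is in trunk. A debugging toggle should not be committed this way; restore `if(cli_magic_scandesc(i, ctx) == CL_VIRUS) {` or, if the scan must be skipped while the partial-output behaviour introduced in this same commit is being studied, gate it behind an explicit `#ifdef` with a comment stating why and until when. `ea06` begins outside this hunk.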