git-svn: trunk@2613
aCaB authored on 2007/01/13 06:06:08... | ... |
@@ -335,7 +335,8 @@ uint32_t lzma_48631a (struct lzmastate *p, char **old_ecx, uint32_t *old_edx, ui |
335 | 335 |
return 0; |
336 | 336 |
} |
337 | 337 |
|
338 |
-int mew_lzma(struct pe_image_section_hdr *section_hdr, char *orgsource, char *buf, uint32_t size_sum, uint32_t vma, uint32_t special) |
|
338 |
+//int mew_lzma(struct pe_image_section_hdr *section_hdr, char *orgsource, char *buf, uint32_t size_sum, uint32_t vma, uint32_t special) |
|
339 |
+int mew_lzma(char *orgsource, char *buf, uint32_t size_sum, uint32_t vma, uint32_t special) |
|
339 | 340 |
{ |
340 | 341 |
uint32_t var08, var0C, var10, var14, var18, var20, var24, var28, var34; |
341 | 342 |
struct lzmastate var40; |
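Review bot: The superseded signatures are kept as commented-out code on the new side (`//int mew_lzma(struct pe_image_section_hdr *section_hdr, …)` here, and likewise at the `unmew11` definition, at the `mew_lzma` call site, and for both prototypes in the header hunk); version control already preserves them, so those lines should be deleted rather than carried. The surrounding code uses `/* */` comments, so the `//` lines are also a style break. mew_lzma's body continues past the end of this hunk.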
... | ... |
@@ -761,7 +762,8 @@ uint32_t lzma_upack_esi_54(struct lzmastate *p, uint32_t old_eax, uint32_t *old_ |
761 | 761 |
} |
762 | 762 |
|
763 | 763 |
|
764 |
-int unmew11(struct pe_image_section_hdr *section_hdr, int sectnum, char *src, int off, int ssize, int dsize, uint32_t base, uint32_t vadd, int uselzma, char **endsrc, char **enddst, int filedesc) |
|
764 |
+//int unmew11(struct pe_image_section_hdr *section_hdr, int sectnum, char *src, int off, int ssize, int dsize, uint32_t base, uint32_t vadd, int uselzma, char **endsrc, char **enddst, int filedesc) |
|
765 |
+int unmew11(int sectnum, char *src, int off, int ssize, int dsize, uint32_t base, uint32_t vadd, int uselzma, char **endsrc, char **enddst, int filedesc) |
|
765 | 766 |
{ |
766 | 767 |
uint32_t entry_point, newedi, loc_ds=dsize, loc_ss=ssize; |
767 | 768 |
char *source = src + dsize + off; /*EC32(section_hdr[sectnum].VirtualSize) + off;*/ |
... | ... |
@@ -771,10 +773,7 @@ int unmew11(struct pe_image_section_hdr *section_hdr, int sectnum, char *src, in |
771 | 771 |
struct cli_exe_section *section = NULL; |
772 | 772 |
uint32_t vma = base + vadd, size_sum = ssize + dsize; |
773 | 773 |
|
774 |
- entry_point = cli_readint32(source + 4); /* 2vGiM: ate these safe enough? |
|
775 |
- * yup, if (EC32(section_hdr[i + 1].SizeOfRawData) < ... |
|
776 |
- * ~line #879 in pe.c |
|
777 |
- */ |
|
774 |
+ entry_point = cli_readint32(source + 4); |
|
778 | 775 |
newedi = cli_readint32(source + 8); |
779 | 776 |
ledi = src + (newedi - vma); |
780 | 777 |
|
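Review bot: Dropping the `section_hdr` parameter leaves `cli_readint32(source + 4)` and `cli_readint32(source + 8)` with no way to bound `source` inside unmew11, and the deleted comment that pointed at the caller's size check goes with it, so the reads now look unchecked to a reader of this file. They appear to be safe only because cli_scanpe refuses the section unless `rsz >= offdiff + 12` before calling unmew11 (visible in the pe.c hunk near the `Size mismatch` message), and that contract should be stated where it is relied on: `/* caller must guarantee >= 12 readable bytes at source (cli_scanpe checks rsz >= off + 12) */`. unmew11's body continues outside the hunk.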
... | ... |
@@ -846,13 +845,14 @@ int unmew11(struct pe_image_section_hdr *section_hdr, int sectnum, char *src, in |
846 | 846 |
free(section); |
847 | 847 |
return -1; |
848 | 848 |
} |
849 |
- if(mew_lzma(&(section_hdr[sectnum]), src, f1+4, size_sum, vma, *(src + uselzma+8) == '\x50')) |
|
849 |
+ // if(mew_lzma(&(section_hdr[sectnum]), src, f1+4, size_sum, vma, *(src + uselzma+8) == '\x50')) |
|
850 |
+ if(mew_lzma(src, f1+4, size_sum, vma, *(src + uselzma+8) == '\x50')) |
|
850 | 851 |
{ |
851 | 852 |
free(section); |
852 | 853 |
return -1; |
853 | 854 |
} |
854 | 855 |
loc_ds >>= 12; loc_ds <<= 12; loc_ds += 0x1000; |
855 |
- /* I have EP but no section's information, so I weren't sure what to do with that */ /* 2vGiM: sounds fair */ |
|
856 |
+ |
|
856 | 857 |
section = cli_calloc(1, sizeof(struct cli_exe_section)); |
857 | 858 |
section[0].raw = 0; section[0].rva = vadd; |
858 | 859 |
section[0].rsz = section[0].vsz = dsize; |
... | ... |
@@ -30,12 +30,14 @@ struct lzmastate { |
30 | 30 |
uint32_t p1, p2; |
31 | 31 |
}; |
32 | 32 |
|
33 |
-int mew_lzma(struct pe_image_section_hdr *, char *, char *, uint32_t, uint32_t, uint32_t); |
|
33 |
+//int mew_lzma(struct pe_image_section_hdr *, char *, char *, uint32_t, uint32_t, uint32_t); |
|
34 |
+int mew_lzma(char *, char *, uint32_t, uint32_t, uint32_t); |
|
34 | 35 |
|
35 | 36 |
uint32_t lzma_upack_esi_00(struct lzmastate *, char *, char *, uint32_t); |
36 | 37 |
uint32_t lzma_upack_esi_50(struct lzmastate *, uint32_t, uint32_t, char **, char *, uint32_t *, char *, uint32_t); |
37 | 38 |
uint32_t lzma_upack_esi_54(struct lzmastate *, uint32_t, uint32_t *, char **, uint32_t *, char *, uint32_t); |
38 |
-int unmew11(struct pe_image_section_hdr *, int, char *, int, int, int, uint32_t, uint32_t, int, char **, char **, int); |
|
39 |
+//int unmew11(struct pe_image_section_hdr *, int, char *, int, int, int, uint32_t, uint32_t, int, char **, char **, int); |
|
40 |
+int unmew11(int, char *, int, int, int, uint32_t, uint32_t, int, char **, char **, int); |
|
39 | 41 |
#endif |
40 | 42 |
|
41 | 43 |
#endif |
... | ... |
@@ -1097,6 +1097,7 @@ int cli_scanpe(int desc, cli_ctx *ctx) |
1097 | 1097 |
if(lseek(desc, ep, SEEK_SET) == -1) { |
1098 | 1098 |
cli_dbgmsg("MEW: lseek() failed\n"); |
1099 | 1099 |
free(section_hdr); |
1100 |
+ free(exe_sections); |
|
1100 | 1101 |
return CL_EIO; |
1101 | 1102 |
} |
1102 | 1103 |
|
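Review bot: Every error exit in the MEW block now repeats `free(section_hdr); free(exe_sections);`, here and in each following cli_scanpe hunk on this page (ten more sites), with `free(src)`, `free(tempfile)` and `close(ndesc)` added piecemeal where they apply; the next early return written without the full set leaks again, which is presumably how the missing `free(exe_sections)` arose in the first place. A single cleanup path — `goto`-based release of the owned buffers, or a small `static` helper that takes the pointers — would make the owner set explicit and keep each exit to one line. cli_scanpe starts and ends outside these hunks, so label or helper placement has to be checked against the full body.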
... | ... |
@@ -1104,6 +1105,7 @@ int cli_scanpe(int desc, cli_ctx *ctx) |
1104 | 1104 |
cli_dbgmsg("MEW: Can't read at least 16 bytes at 0x%x (%d) %d\n", ep, ep, bytes); |
1105 | 1105 |
cli_dbgmsg("MEW: Broken or not compressed file\n"); |
1106 | 1106 |
free(section_hdr); |
1107 |
+ free(exe_sections); |
|
1107 | 1108 |
return CL_CLEAN; |
1108 | 1109 |
} |
1109 | 1110 |
|
... | ... |
@@ -1119,6 +1121,7 @@ int cli_scanpe(int desc, cli_ctx *ctx) |
1119 | 1119 |
if(lseek(desc, fileoffset, SEEK_SET) == -1) { |
1120 | 1120 |
cli_dbgmsg("MEW: lseek() failed\n"); |
1121 | 1121 |
free(section_hdr); |
1122 |
+ free(exe_sections); |
|
1122 | 1123 |
return CL_EIO; |
1123 | 1124 |
} |
1124 | 1125 |
|
... | ... |
@@ -1133,25 +1136,27 @@ int cli_scanpe(int desc, cli_ctx *ctx) |
1133 | 1133 |
cli_dbgmsg("MEW: Win9x compatibility was NOT set!\n"); |
1134 | 1134 |
|
1135 | 1135 |
/* is it always 0x1C and 0x21C or not */ |
1136 |
- if((offdiff = cli_readint32(buff+1) - EC32(optional_hdr32.ImageBase)) <= EC32(section_hdr[i + 1].VirtualAddress) || offdiff >= EC32(section_hdr[i + 1].VirtualAddress) + EC32(section_hdr[i + 1].SizeOfRawData) - 4) |
|
1136 |
+ if((offdiff = cli_readint32(buff+1) - EC32(optional_hdr32.ImageBase)) <= exe_sections[i + 1].rva || offdiff >= exe_sections[i + 1].rva + exe_sections[i + 1].raw - 4) |
|
1137 | 1137 |
{ |
1138 | 1138 |
cli_dbgmsg("MEW: ESI is not in proper section\n"); |
1139 | 1139 |
break; |
1140 | 1140 |
} |
1141 |
- offdiff -= EC32(section_hdr[i + 1].VirtualAddress); |
|
1141 |
+ offdiff -= exe_sections[i + 1].rva; |
|
1142 | 1142 |
|
1143 |
- if(lseek(desc, EC32(section_hdr[i + 1].PointerToRawData), SEEK_SET) == -1) { |
|
1143 |
+ if(lseek(desc, exe_sections[i + 1].raw, SEEK_SET) == -1) { |
|
1144 | 1144 |
cli_dbgmsg("MEW: lseek() failed\n"); /* ACAB: lseek won't fail here but checking doesn't hurt even */ |
1145 | 1145 |
free(section_hdr); |
1146 |
+ free(exe_sections); |
|
1146 | 1147 |
return CL_EIO; |
1147 | 1148 |
} |
1148 |
- ssize = EC32(section_hdr[i + 1].VirtualSize); |
|
1149 |
- dsize = EC32(section_hdr[i].VirtualSize); |
|
1149 |
+ ssize = exe_sections[i + 1].vsz; |
|
1150 |
+ dsize = exe_sections[i].vsz; |
|
1150 | 1151 |
|
1151 | 1152 |
cli_dbgmsg("MEW: ssize %08x dsize %08x offdiff: %08x\n", ssize, dsize, offdiff); |
1152 |
- if(ctx->limits && ctx->limits->maxfilesize && (ssize + dsize > ctx->limits->maxfilesize || EC32(section_hdr[i + 1].SizeOfRawData) > ctx->limits->maxfilesize)) { |
|
1153 |
+ if(ctx->limits && ctx->limits->maxfilesize && (ssize + dsize > ctx->limits->maxfilesize || exe_sections[i + 1].rsz > ctx->limits->maxfilesize)) { |
|
1153 | 1154 |
cli_dbgmsg("MEW: Sizes exceeded (ssize: %u, dsize: %u, max: %lu)\n", ssize, dsize , ctx->limits->maxfilesize); |
1154 | 1155 |
free(section_hdr); |
1156 |
+ free(exe_sections); |
|
1155 | 1157 |
if(BLOCKMAX) { |
1156 | 1158 |
*ctx->virname = "PE.MEW.ExceededFileSize"; |
1157 | 1159 |
return CL_VIRUS; |
... | ... |
@@ -1163,20 +1168,21 @@ int cli_scanpe(int desc, cli_ctx *ctx) |
1163 | 1163 |
/* allocate needed buffer */ |
1164 | 1164 |
if (!(src = cli_calloc (ssize + dsize, sizeof(char)))) { |
1165 | 1165 |
free(section_hdr); |
1166 |
+ free(exe_sections); |
|
1166 | 1167 |
return CL_EMEM; |
1167 | 1168 |
} |
1168 |
- cli_dbgmsg ("MY FUCKING src IS AT %x\n", src); |
|
1169 | 1169 |
|
1170 |
- if (EC32(section_hdr[i + 1].SizeOfRawData) < offdiff + 12 || EC32(section_hdr[i + 1].SizeOfRawData) > ssize) |
|
1170 |
+ if (exe_sections[i + 1].rsz < offdiff + 12 || exe_sections[i + 1].rsz > ssize) |
|
1171 | 1171 |
{ |
1172 |
- cli_dbgmsg("MEW: Size mismatch: %08x\n", EC32(section_hdr[i + 1].SizeOfRawData)); |
|
1172 |
+ cli_dbgmsg("MEW: Size mismatch: %08x\n", exe_sections[i + 1].rsz); |
|
1173 | 1173 |
free(src); |
1174 | 1174 |
break; |
1175 | 1175 |
} |
1176 | 1176 |
|
1177 |
- if((bytes = read(desc, src + dsize, EC32(section_hdr[i + 1].SizeOfRawData))) != EC32(section_hdr[i + 1].SizeOfRawData)) { |
|
1178 |
- cli_dbgmsg("MEW: Can't read %d bytes [readed: %d]\n", EC32(section_hdr[i + 1].SizeOfRawData), bytes); |
|
1177 |
+ if((bytes = read(desc, src + dsize, exe_sections[i + 1].rsz)) != exe_sections[i + 1].rsz) { |
|
1178 |
+ cli_dbgmsg("MEW: Can't read %d bytes [readed: %d]\n", exe_sections[i + 1].rsz, bytes); |
|
1179 | 1179 |
free(section_hdr); |
1180 |
+ free(exe_sections); |
|
1180 | 1181 |
free(src); |
1181 | 1182 |
return CL_EIO; |
1182 | 1183 |
} |
... | ... |
@@ -1184,18 +1190,19 @@ int cli_scanpe(int desc, cli_ctx *ctx) |
1184 | 1184 |
/* count offset to lzma proc, if lzma used, 0xe8 -> call */ |
1185 | 1185 |
if (buff[0x7b] == '\xe8') |
1186 | 1186 |
{ |
1187 |
- if (!CLI_ISCONTAINED(EC32(section_hdr[1].VirtualAddress), EC32(section_hdr[1].VirtualSize), cli_readint32(buff + 0x7c) + fileoffset + 0x80, 4)) |
|
1187 |
+ if (!CLI_ISCONTAINED(exe_sections[1].rva, exe_sections[1].vsz, cli_readint32(buff + 0x7c) + fileoffset + 0x80, 4)) |
|
1188 | 1188 |
{ |
1189 | 1189 |
cli_dbgmsg("MEW: lzma proc out of bounds!\n"); |
1190 | 1190 |
free(src); |
1191 | 1191 |
break; /* to next unpacker in chain */ |
1192 | 1192 |
} |
1193 |
- uselzma = cli_readint32(buff + 0x7c) - (EC32(section_hdr[0].VirtualAddress) - fileoffset - 0x80); |
|
1193 |
+ uselzma = cli_readint32(buff + 0x7c) - (exe_sections[0].rva - fileoffset - 0x80); |
|
1194 | 1194 |
} else |
1195 | 1195 |
uselzma = 0; |
1196 | 1196 |
|
1197 | 1197 |
if(!(tempfile = cli_gentemp(NULL))) { |
1198 | 1198 |
free(section_hdr); |
1199 |
+ free(exe_sections); |
|
1199 | 1200 |
free(src); |
1200 | 1201 |
return CL_EMEM; |
1201 | 1202 |
} |
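Review bot: The containment check on the call target covers 4 bytes (`CLI_ISCONTAINED(exe_sections[1].rva, exe_sections[1].vsz, …, 4)`), but the value derived from it, `uselzma`, is later dereferenced as `*(src + uselzma+8)` at the mew_lzma call site in unmew11, which is up to 5 bytes beyond the checked window. If `src + uselzma` addresses the bytes the check validates (this presumably relies on sections 0 and 1 being laid out contiguously in `src`, since uselzma is taken relative to `exe_sections[0].rva` while the check uses section 1), a target in the last eight bytes of the section passes the check and the read lands past the end of `src`. Widening the checked length to the furthest byte actually read, e.g. `…, cli_readint32(buff + 0x7c) + fileoffset + 0x80, 9)`, or checking `uselzma + 9` against `ssize + dsize` before the call, would close that gap.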
... | ... |
@@ -1203,11 +1210,12 @@ int cli_scanpe(int desc, cli_ctx *ctx) |
1203 | 1203 |
cli_dbgmsg("MEW: Can't create file %s\n", tempfile); |
1204 | 1204 |
free(tempfile); |
1205 | 1205 |
free(section_hdr); |
1206 |
+ free(exe_sections); |
|
1206 | 1207 |
free(src); |
1207 | 1208 |
return CL_EIO; |
1208 | 1209 |
} |
1209 | 1210 |
dest = src; |
1210 |
- switch(unmew11(section_hdr, i, src, offdiff, ssize, dsize, EC32(optional_hdr32.ImageBase), EC32(section_hdr[0].VirtualAddress), uselzma, NULL, NULL, ndesc)) { |
|
1211 |
+ switch(unmew11(i, src, offdiff, ssize, dsize, EC32(optional_hdr32.ImageBase), exe_sections[0].rva, uselzma, NULL, NULL, ndesc)) { |
|
1211 | 1212 |
case 1: /* Everything OK */ |
1212 | 1213 |
cli_dbgmsg("MEW: Unpacked and rebuilt executable saved in %s\n", tempfile); |
1213 | 1214 |
free(src); |
... | ... |
@@ -1217,6 +1225,7 @@ int cli_scanpe(int desc, cli_ctx *ctx) |
1217 | 1217 |
cli_dbgmsg("***** Scanning rebuilt PE file *****\n"); |
1218 | 1218 |
if(cli_magic_scandesc(ndesc, ctx) == CL_VIRUS) { |
1219 | 1219 |
free(section_hdr); |
1220 |
+ free(exe_sections); |
|
1220 | 1221 |
close(ndesc); |
1221 | 1222 |
if(!cli_leavetemps_flag) |
1222 | 1223 |
unlink(tempfile); |
... | ... |
@@ -1228,6 +1237,7 @@ int cli_scanpe(int desc, cli_ctx *ctx) |
1228 | 1228 |
unlink(tempfile); |
1229 | 1229 |
free(tempfile); |
1230 | 1230 |
free(section_hdr); |
1231 |
+ free(exe_sections); |
|
1231 | 1232 |
return CL_CLEAN; |
1232 | 1233 |
default: /* Everything gone wrong */ |
1233 | 1234 |
cli_dbgmsg("MEW: Unpacking failed\n"); |