@@ -1,3 +1,8 @@

+Tue Sep  4 01:31:23 CEST 2007 (acab)

+------------------------------------

+  * libclamav:pe.c  General "tidy" and some algo hacks. Old and inefficient

+  			sue cryptor replaced with a signature.

+

 Sun Sep  2 12:41:46 BST 2007 (njh)

 ----------------------------------

   * clamav-milter:	Fix compilation error from fix to bug 577

@@ -86,8 +86,6 @@ libclamav_la_SOURCES = \

 	petite.h \

 	wwunpack.c \

 	wwunpack.h \

-	suecrypt.c \

-	suecrypt.h \

 	unsp.c \

 	unsp.h \

 	aspack.c \

@@ -82,12 +82,12 @@ am_libclamav_la_OBJECTS = matcher-ac.lo matcher-bm.lo matcher-ncore.lo \

 	scanners.lo filetypes.lo rtf.lo blob.lo mbox.lo message.lo \

 	snprintf.lo table.lo text.lo ole2_extract.lo vba_extract.lo \

 	msexpand.lo pe.lo upx.lo htmlnorm.lo chmunpack.lo rebuildpe.lo \

-	petite.lo wwunpack.lo suecrypt.lo unsp.lo aspack.lo \

-	packlibs.lo fsg.lo mew.lo upack.lo line.lo untar.lo unzip.lo \

-	special.lo binhex.lo is_tar.lo tnef.lo unrar15.lo unrarvm.lo \

-	unrar.lo unrarfilter.lo unrarppm.lo unrar20.lo unrarcmd.lo \

-	unarj.lo LZMADecode.lo bzlib.lo infblock.lo nulsft.lo pdf.lo \

-	spin.lo yc.lo elf.lo sis.lo uuencode.lo pst.lo phishcheck.lo \

+	petite.lo wwunpack.lo unsp.lo aspack.lo packlibs.lo fsg.lo \

+	mew.lo upack.lo line.lo untar.lo unzip.lo special.lo binhex.lo \

+	is_tar.lo tnef.lo unrar15.lo unrarvm.lo unrar.lo \

+	unrarfilter.lo unrarppm.lo unrar20.lo unrarcmd.lo unarj.lo \

+	LZMADecode.lo bzlib.lo infblock.lo nulsft.lo pdf.lo spin.lo \

+	yc.lo elf.lo sis.lo uuencode.lo pst.lo phishcheck.lo \

 	phish_domaincheck_db.lo phish_whitelist.lo regex_list.lo \

 	sha256.lo mspack.lo cab.lo entconv.lo hashtab.lo dconf.lo \

 	lockdb.lo

@@ -149,6 +149,7 @@ F77 = @F77@

 FFLAGS = @FFLAGS@

 FRESHCLAM_LIBS = @FRESHCLAM_LIBS@

 GETENT = @GETENT@

+GREP = @GREP@

 HAVE_MILTER_FALSE = @HAVE_MILTER_FALSE@

 HAVE_MILTER_TRUE = @HAVE_MILTER_TRUE@

 INSTALL_DATA = @INSTALL_DATA@

@@ -182,12 +183,9 @@ STRIP = @STRIP@

 THREAD_LIBS = @THREAD_LIBS@

 TH_SAFE = @TH_SAFE@

 VERSION = @VERSION@

-ac_ct_AR = @ac_ct_AR@

 ac_ct_CC = @ac_ct_CC@

 ac_ct_CXX = @ac_ct_CXX@

 ac_ct_F77 = @ac_ct_F77@

-ac_ct_RANLIB = @ac_ct_RANLIB@

-ac_ct_STRIP = @ac_ct_STRIP@

 am__fastdepCC_FALSE = @am__fastdepCC_FALSE@

 am__fastdepCC_TRUE = @am__fastdepCC_TRUE@

 am__fastdepCXX_FALSE = @am__fastdepCXX_FALSE@

@@ -204,23 +202,30 @@ build_cpu = @build_cpu@

 build_os = @build_os@

 build_vendor = @build_vendor@

 datadir = @datadir@

+datarootdir = @datarootdir@

+docdir = @docdir@

+dvidir = @dvidir@

 exec_prefix = @exec_prefix@

 host = @host@

 host_alias = @host_alias@

 host_cpu = @host_cpu@

 host_os = @host_os@

 host_vendor = @host_vendor@

+htmldir = @htmldir@

 includedir = @includedir@

 infodir = @infodir@

 install_sh = @install_sh@

 libdir = @libdir@

 libexecdir = @libexecdir@

+localedir = @localedir@

 localstatedir = @localstatedir@

 mandir = @mandir@

 mkdir_p = @mkdir_p@

 oldincludedir = @oldincludedir@

+pdfdir = @pdfdir@

 prefix = @prefix@

 program_transform_name = @program_transform_name@

+psdir = @psdir@

 sbindir = @sbindir@

 sendmailprog = @sendmailprog@

 sharedstatedir = @sharedstatedir@

@@ -295,8 +300,6 @@ libclamav_la_SOURCES = \

 	petite.h \

 	wwunpack.c \

 	wwunpack.h \

-	suecrypt.c \

-	suecrypt.h \

 	unsp.c \

 	unsp.h \

 	aspack.c \

@@ -513,7 +516,6 @@ distclean-compile:

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/special.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/spin.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/str.Plo@am__quote@

-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/suecrypt.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/table.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/text.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnef.Plo@am__quote@

@@ -55,8 +55,6 @@ static struct dconf_module modules[] = {

     { "PE",	    "UPX",	    PE_CONF_UPX,	    1 },

     { "PE",	    "FSG",	    PE_CONF_FSG,	    1 },

-    { "PE",	    "SUE",	    PE_CONF_SUE,	    1 },

-

     { "PE",	    "PETITE",	    PE_CONF_PETITE,	    1 },

     { "PE",	    "PESPIN",	    PE_CONF_PESPIN,	    1 },

     { "PE",	    "YC",	    PE_CONF_YC,		    1 },

@@ -42,7 +42,7 @@ struct cli_dconf {

 #define PE_CONF_MD5SECT	    0x10

 #define PE_CONF_UPX	    0x20

 #define PE_CONF_FSG	    0x40

-#define PE_CONF_SUE	    0x80

+/*#define PE_CONF_REUSEME	    0x80 */

 #define PE_CONF_PETITE	    0x100

 #define PE_CONF_PESPIN	    0x200

 #define PE_CONF_YC	    0x400

@@ -32,6 +32,7 @@

 #include <unistd.h>

 #endif

 #include <time.h>

+#include <stdarg.h>

 #include "cltypes.h"

 #include "clamav.h"

@@ -44,7 +45,6 @@

 #include "yc.h"

 #include "aspack.h"

 #include "wwunpack.h"

-#include "suecrypt.h"

 #include "unsp.h"

 #include "scanners.h"

 #include "str.h"

@@ -80,19 +80,114 @@

 #define PEALIGN(o,a) (((a))?(((o)/(a))*(a)):(o))

 #define PESALIGN(o,a) (((a))?(((o)/(a)+((o)%(a)!=0))*(a)):(o))

+#define CLI_UNPSIZELIMITS(NAME,CHK) \

+if(ctx->limits && ctx->limits->maxfilesize && (CHK) > ctx->limits->maxfilesize) { \

+    cli_dbgmsg(NAME": Sizes exceeded (%lu > %lu)\n", (CHK), ctx->limits->maxfilesize); \

+    free(exe_sections); \

+    if(BLOCKMAX) { \

+        *ctx->virname = "PE."NAME".ExceededFileSize"; \

+        return CL_VIRUS; \

+    } else { \

+        return CL_CLEAN; \

+    } \

+}

+

+#define CLI_UNPTEMP(NAME,...) \

+if(!(tempfile = cli_gentemp(NULL))) { \

+    cli_multifree(__VA_ARGS__,0); \

+    return CL_EMEM; \

+} \

+if((ndesc = open(tempfile, O_RDWR|O_CREAT|O_TRUNC|O_BINARY, S_IRWXU)) < 0) { \

+    cli_dbgmsg(NAME": Can't create file %s\n", tempfile); \

+    cli_multifree(tempfile,__VA_ARGS__,0); \

+    return CL_EIO; \

+}

+

+#define CLI_TMPUNLK() if(!cli_leavetemps_flag) unlink(tempfile)

+

+#define FSGCASE(NAME,FREESEC) \

+    case 0: /* Unpacked and NOT rebuilt */ \

+	cli_dbgmsg(NAME": Successfully decompressed\n"); \

+	close(ndesc); \

+	unlink(tempfile); \

+	free(tempfile); \

+	FREESEC; \

+	found = 0; \

+	upx_success = 1; \

+	break; /* FSG ONLY! - scan raw data after upx block */

+

+#define SPINCASE() \

+    case 2: \

+	free(spinned); \

+	close(ndesc); \

+	unlink(tempfile); \

+	cli_dbgmsg("PESpin: Size exceeded\n"); \

+	if(BLOCKMAX) { \

+	    free(tempfile); \

+	    free(exe_sections); \

+	    *ctx->virname = "PE.Pespin.ExceededFileSize"; \

+	    return CL_VIRUS; \

+	} \

+	free(tempfile); \

+	break; \

+

+#define CLI_UNPRESULTS_(NAME,FSGSTUFF,EXPR,GOOD,...) \

+    switch(EXPR) { \

+    case GOOD: /* Unpacked and rebuilt */ \

+	if(cli_leavetemps_flag) \

+	    cli_dbgmsg(NAME": Unpacked and rebuilt executable saved in %s\n", tempfile); \

+	else \

+	    cli_dbgmsg(NAME": Unpacked and rebuilt executable\n"); \

+	cli_multifree(__VA_ARGS__,exe_sections,0); \

+	fsync(ndesc); \

+	lseek(ndesc, 0, SEEK_SET); \

+	cli_dbgmsg("***** Scanning rebuilt PE file *****\n"); \

+	if(cli_magic_scandesc(ndesc, ctx) == CL_VIRUS) { \

+	    close(ndesc); \

+	    CLI_TMPUNLK(); \

+	    free(tempfile); \

+	    return CL_VIRUS; \

+	} \

+	close(ndesc); \

+	CLI_TMPUNLK(); \

+	free(tempfile); \

+	return CL_CLEAN; \

+\

+FSGSTUFF \

+\

+    default: \

+	cli_dbgmsg(NAME": Unpacking failed\n"); \

+	close(ndesc); \

+	unlink(tempfile); \

+	cli_multifree(__VA_ARGS__,tempfile,0); \

+    }

+

+

+#define CLI_UNPRESULTS(NAME,EXPR,GOOD,...) CLI_UNPRESULTS_(NAME,,EXPR,GOOD,__VA_ARGS__)

+#define CLI_UNPRESULTSFSG1(NAME,EXPR,GOOD,...) CLI_UNPRESULTS_(NAME,FSGCASE(NAME,free(sections)),EXPR,GOOD,__VA_ARGS__)

+#define CLI_UNPRESULTSFSG2(NAME,EXPR,GOOD,...) CLI_UNPRESULTS_(NAME,FSGCASE(NAME,),EXPR,GOOD,__VA_ARGS__)

 struct offset_list {

     uint32_t offset;

     struct offset_list *next;

 };

+static void cli_multifree(void *f, ...) {

+    void *ff;

+    va_list ap;

+    free(f);

+    va_start(ap, f);

+    while((ff=va_arg(ap, void*))) free(ff);

+    va_end(ap);

+}

+

 static uint32_t cli_rawaddr(uint32_t rva, struct cli_exe_section *shp, uint16_t nos, unsigned int *err,	size_t fsize, uint32_t hdr_size)

 {

-	int i, found = 0;

-	uint32_t ret;

+    int i, found = 0;

+    uint32_t ret;

     if (rva<hdr_size) { /* Out of section EP - mapped to imagebase+rva */

-        if (rva >= fsize) {

+	if (rva >= fsize) {

 	    *err=1;

 	    return 0;

 	}

@@ -117,33 +212,9 @@ static uint32_t cli_rawaddr(uint32_t rva, struct cli_exe_section *shp, uint16_t

     return ret;

 }

-static void xckriz(char **opcode, int *len, int checksize, int reg) {

-    while(*len>6) {

-        if (**opcode>='\x48' && **opcode<='\x4f' && **opcode!='\x4c') {

-	    if ((char)(**opcode-reg)=='\x48') break;

-	    (*len)--;

-	    (*opcode)++;

-	    continue;

-	}

-	if (**opcode>='\xb8' && **opcode<='\xbf' && **opcode!='\xbc') {

-	    if (checksize && cli_readint32(*opcode+1)==0x0fd2) break;

-	    (*len)-=5;

-	    (*opcode)+=5;

-	    continue;

-	}

-	if (**opcode=='\x81') {

-	    (*len)-=6;

-	    (*opcode)+=6;

-	    continue;

-	}

-	break;

-    }

-}

-

 /*

-static int cli_ddump(int desc, int offset, int size, const char *file)

-{

+static int cli_ddump(int desc, int offset, int size, const char *file) {

 	int pos, ndesc, bread, sum = 0;

 	char buff[FILEBUFF];

@@ -195,39 +266,40 @@ static int cli_ddump(int desc, int offset, int size, const char *file)

 }

 */

-static unsigned int cli_md5sect(int fd, uint32_t offset, uint32_t size, unsigned char *digest)

-{

-	size_t bread, sum = 0;

-	off_t pos;

-	char buff[FILEBUFF];

-	cli_md5_ctx md5ctx;

+static off_t cli_seeksect(int fd, struct cli_exe_section *s) {

+    off_t ret;

+    if(!s->rsz) return 0;

+    if((ret=lseek(fd, s->raw, SEEK_SET)) == -1)

+	cli_dbgmsg("cli_seeksect: lseek() failed\n");

+    return ret+1;

+}

+

+static unsigned int cli_md5sect(int fd, struct cli_exe_section *s, unsigned char *digest) {

+    void *hashme;

+    cli_md5_ctx md5;

-    if((pos = lseek(fd, 0, SEEK_CUR)) == -1) {

-	cli_dbgmsg("cli_md5sect: Invalid descriptor %d\n", fd);

+    if (s->rsz > CLI_MAX_ALLOCATION) {

+	cli_dbgmsg("cli_md5sect: skipping md5 calculation for too big section\n");

 	return 0;

     }

-    if(lseek(fd, offset, SEEK_SET) == -1) {

-	cli_dbgmsg("cli_md5sect: lseek() failed\n");

-	lseek(fd, pos, SEEK_SET);

+    if(!cli_seeksect(fd, s)) return 0;

+

+    if(!(hashme=cli_malloc(s->rsz))) {

+	cli_dbgmsg("cli_md5sect: out of memory\n");

 	return 0;

     }

-    cli_md5_init(&md5ctx);

-

-    while((bread = cli_readn(fd, buff, FILEBUFF)) > 0) {

-	if(sum + bread >= size) {

-	    cli_md5_update(&md5ctx, buff, size - sum);

-	    break;

-	} else {

-	    cli_md5_update(&md5ctx, buff, bread);

-	    sum += bread;

-	}

+    if(cli_readn(fd, hashme, s->rsz)!=s->rsz) {

+	cli_dbgmsg("cli_md5sect: unable to read section data\n");

+	return 0;

     }

-    cli_md5_final(digest, &md5ctx);

-    lseek(fd, pos, SEEK_SET);

+    cli_md5_init(&md5);

+    cli_md5_update(&md5, hashme, s->rsz);

+    free(hashme);

+    cli_md5_final(digest, &md5);

     return 1;

 }

@@ -246,7 +318,8 @@ int cli_scanpe(int desc, cli_ctx *ctx)

 	} pe_opt;

 	struct pe_image_section_hdr *section_hdr;

 	struct stat sb;

-	char sname[9], buff[4096], *tempfile;

+	char sname[9], buff[4096], epbuff[4096], *tempfile;

+	uint32_t epsize;

 	unsigned char *ubuff;

 	ssize_t bytes;

 	unsigned int i, found, upx_success = 0, min = 0, max = 0, err;

@@ -317,6 +390,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)

     switch(EC16(file_hdr.Machine)) {

 	case 0x0:

 	    cli_dbgmsg("Machine type: Unknown\n");

+	    break;

 	case 0x14c:

 	    cli_dbgmsg("Machine type: 80386\n");

 	    break;

@@ -700,7 +774,6 @@ int cli_scanpe(int desc, cli_ctx *ctx)

 	}

 	if (exe_sections[i].rsz) { /* Don't bother with virtual only sections */

-	    unsigned char md5_dig[16];

 	    if (exe_sections[i].raw >= fsize) { /* really broken */

 	        cli_dbgmsg("Broken PE file - Section %d starts beyond the end of file (Offset@ %d, Total filesize %d)\n", i, exe_sections[i].raw, fsize);

 		free(section_hdr);

@@ -713,26 +786,21 @@ int cli_scanpe(int desc, cli_ctx *ctx)

 		return CL_CLEAN; /* no ninjas to see here! move along! */

 	    }

+	    if(SCAN_ALGO && (DCONF & PE_CONF_POLIPOS) && !*sname && exe_sections[i].vsz > 40000 && exe_sections[i].vsz < 70000 && exe_sections[i].chr == 0xe0000060) polipos = i;

+

 	    /* check MD5 section sigs */

 	    md5_sect = ctx->engine->md5_sect;

 	    if((DCONF & PE_CONF_MD5SECT) && md5_sect) {

 		found = 0;

 		for(j = 0; j < md5_sect->soff_len && md5_sect->soff[j] <= exe_sections[i].rsz; j++) {

 		    if(md5_sect->soff[j] == exe_sections[i].rsz) {

-			found = 1;

-			break;

-		    }

-		}

-

-		if(found) {

-		    if(!cli_md5sect(desc, exe_sections[i].raw, exe_sections[i].rsz, md5_dig)) {

-			cli_errmsg("PE: Can't calculate MD5 for section %u\n", i);

-		    } else {

-			if(cli_bm_scanbuff(md5_dig, 16, ctx->virname, ctx->engine->md5_sect, 0, 0, -1) == CL_VIRUS) {

-			    free(section_hdr);

-			    free(exe_sections);

-			    return CL_VIRUS;

+			unsigned char md5_dig[16];

+			if(cli_md5sect(desc, &exe_sections[i], md5_dig) && cli_bm_scanbuff(md5_dig, 16, ctx->virname, ctx->engine->md5_sect, 0, 0, -1) == CL_VIRUS) {

+				free(section_hdr);

+				free(exe_sections);

+				return CL_VIRUS;

 			}

+			break;

 		    }

 		}

 	    }

@@ -764,15 +832,6 @@ int cli_scanpe(int desc, cli_ctx *ctx)

 	    if(exe_sections[i].rva + exe_sections[i].rsz > max)

 	        max = exe_sections[i].rva + exe_sections[i].rsz;

 	}

-

-	if(SCAN_ALGO && (DCONF & PE_CONF_POLIPOS) && !strlen(sname)) {

-	    if(exe_sections[i].vsz > 40000 && exe_sections[i].vsz < 70000) {

-		if(exe_sections[i].chr == 0xe0000060) {

-		    polipos = i;

-		}

-	    }

-	}

-

     }

     free(section_hdr);

@@ -795,91 +854,113 @@ int cli_scanpe(int desc, cli_ctx *ctx)

 	return CL_CLEAN;

     }

+    lseek(desc, ep, SEEK_SET);

+    epsize = cli_readn(desc, epbuff, 4096);

     /* Attempt to detect some popular polymorphic viruses */

     /* W32.Parite.B */

-    if(SCAN_ALGO && (DCONF & PE_CONF_PARITE) && !dll && ep == exe_sections[nsections - 1].raw) {

-	lseek(desc, ep, SEEK_SET);

-	if(cli_readn(desc, buff, 4096) == 4096) {

-		const char *pt = cli_memstr(buff, 4040, "\x47\x65\x74\x50\x72\x6f\x63\x41\x64\x64\x72\x65\x73\x73\x00", 15);

-	    if(pt) {

-		    uint32_t dw1, dw2;

-

-		pt += 15;

-		if(((dw1 = cli_readint32(pt)) ^ (dw2 = cli_readint32(pt + 4))) == 0x505a4f && ((dw1 = cli_readint32(pt + 8)) ^ (dw2 = cli_readint32(pt + 12))) == 0xffffb && ((dw1 = cli_readint32(pt + 16)) ^ (dw2 = cli_readint32(pt + 20))) == 0xb8) {

-		    *ctx->virname = "W32.Parite.B";

-		    free(exe_sections);

-		    return CL_VIRUS;

-		}

+    if(SCAN_ALGO && (DCONF & PE_CONF_PARITE) && !dll && epsize == 4096 && ep == exe_sections[nsections - 1].raw) {

+        const char *pt = cli_memstr(epbuff, 4040, "\x47\x65\x74\x50\x72\x6f\x63\x41\x64\x64\x72\x65\x73\x73\x00", 15);

+	if(pt) {

+	    pt += 15;

+	    if( (uint32_t)cli_readint32(pt) ^ (uint32_t)cli_readint32(pt + 4) == 0x505a4f && (uint32_t)cli_readint32(pt + 8) ^ (uint32_t)cli_readint32(pt + 12) == 0xffffb && (uint32_t)cli_readint32(pt + 16) ^ (uint32_t)cli_readint32(pt + 20) == 0xb8) {

+	        *ctx->virname = "W32.Parite.B";

+		free(exe_sections);

+		return CL_VIRUS;

 	    }

 	}

     }

     /* Kriz */

-    if(SCAN_ALGO && (DCONF & PE_CONF_KRIZ) && CLI_ISCONTAINED(exe_sections[nsections - 1].raw, exe_sections[nsections - 1].rsz, ep, 0x0fd2)) {

+    if(SCAN_ALGO && (DCONF & PE_CONF_KRIZ) && epsize >= 200 && CLI_ISCONTAINED(exe_sections[nsections - 1].raw, exe_sections[nsections - 1].rsz, ep, 0x0fd2) && epbuff[1]=='\x9c' || epbuff[2]=='\x60') {

+	enum {KZSTRASH,KZSCDELTA,KZSPDELTA,KZSGETSIZE,KZSXORPRFX,KZSXOR,KZSDDELTA,KZSLOOP,KZSTOP};

+	uint8_t kzs[] = {KZSTRASH,KZSCDELTA,KZSPDELTA,KZSGETSIZE,KZSTRASH,KZSXORPRFX,KZSXOR,KZSTRASH,KZSDDELTA,KZSTRASH,KZSLOOP,KZSTOP};

+	uint8_t *kzstate = kzs;

+	uint8_t *kzcode = epbuff + 3;

+	uint8_t kzdptr=0xff, kzdsize=0xff;

+	int kzlen = 197, kzinitlen=0xffff, kzxorlen=-1;

 	cli_dbgmsg("in kriz\n");

-	lseek(desc, ep, SEEK_SET);

-	if(cli_readn(desc, buff, 200) == 200) {

-	    while (1) {

-		char *krizpos=buff+3;

-		char *krizmov, *krizxor;

-		int krizleft = 200-3;

-		int krizrega,krizregb;

-

-		if (buff[1]!='\x9c' || buff[2]!='\x60') break; /* EP+1 */

-		xckriz(&krizpos, &krizleft, 0, 8);

-		if (krizleft < 6 || *krizpos!='\xe8' || krizpos[2] || krizpos[3] || krizpos[4]) break; /* call DELTA */

-		krizleft-=5+(unsigned char)krizpos[1];

-		if (krizleft < 2) break;

-		krizpos+=5+(unsigned char)krizpos[1];

-		if (*krizpos<'\x58' || *krizpos>'\x5f' || *krizpos=='\x5c') break; /* pop DELTA */

-		krizrega=*krizpos-'\x58';

-		cli_dbgmsg("kriz: pop delta using %d\n", krizrega);

-		krizpos+=1;

-		krizleft-=1;

-		xckriz(&krizpos, &krizleft, 1, 8);

-		if (krizleft <6 || *krizpos<'\xb8' || *krizpos>'\xbf' || *krizpos=='\xbc' || cli_readint32(krizpos+1)!=0x0fd2) break;

-		krizregb=*krizpos-'\xb8';

-		if (krizrega==krizregb) break;

-		cli_dbgmsg("kriz: using %d for size\n", krizregb);

-		krizpos+=5;

-		krizleft-=5;

-		krizmov = krizpos;

-		xckriz(&krizpos, &krizleft, 0, 8);

-		krizxor=krizpos;

-		if (krizleft && *krizpos=='\x3e') {

-		    /* strip ds: */

-		    krizpos++;

-		    krizleft--;

-		}

-		if (krizleft<8 || *krizpos!='\x80' || (char)(krizpos[1]-krizrega)!='\xb0') {

-		    cli_dbgmsg("kriz: bogus opcode or register\n");

+

+	while(*kzstate!=KZSTOP) {

+	    uint8_t op;

+	    if(kzlen<=6) break;

+	    op = *kzcode++;

+	    kzlen--;

+	    switch (*kzstate) {

+	    case KZSTRASH: case KZSGETSIZE: {

+		int opsz=0;

+		switch(op) {

+		case 0x81:

+		    kzcode+=5;

+		    kzlen-=5;

 		    break;

+		case 0xb8: case 0xb9: case 0xba: case 0xbb: case 0xbd: case 0xbe: case 0xbf:

+		    if(*kzstate==KZSGETSIZE && cli_readint32(kzcode)==0x0fd2) {

+			kzinitlen = kzlen-5;

+			kzdsize=op-0xb8;

+			kzstate++;

+			op=4; /* fake the register to avoid breaking out */

+			cli_dbgmsg("kriz: using #%d as size counter\n", kzdsize);

+		    }

+		    opsz=4;

+		case 0x48: case 0x49: case 0x4a: case 0x4b: case 0x4d: case 0x4e: case 0x4f:

+		    op&=7;

+		    if(op!=kzdptr && op!=kzdsize) {

+			kzcode+=opsz;

+			kzlen-=opsz;

+			break;

+		    }

+		default:

+		    kzcode--;

+		    kzlen++;

+		    kzstate++;

 		}

-		krizpos+=7;

-		krizleft-=7;

-		xckriz(&krizpos, &krizleft, 0, krizrega);

-		if (! krizleft || (char)(*krizpos-krizrega)!='\x48') break; /* dec delta */

-		krizpos++;

-		krizleft--;

-		cli_dbgmsg("kriz: dec delta found\n");

-		xckriz(&krizpos, &krizleft, 0, krizregb);

-		if (krizleft <4 || (char)(*krizpos-krizregb)!='\x48' || krizpos[1]!='\x75') break; /* dec size + jne loop */

-		if (krizpos+3+(int)krizpos[2]<krizmov || krizpos+3+(int)krizpos[2]>krizxor) {

-		    cli_dbgmsg("kriz: jmp back out of range (%d>%d>%d)\n", krizmov-(krizpos+3), (int)krizpos[2], krizxor-(krizpos+3));

-		    break;

+		break;

+	    }

+	    case KZSCDELTA:

+		if(op==0xe8 && (uint32_t)cli_readint32(kzcode) < 0xff) {

+		    kzlen-=*kzcode+4;

+		    kzcode+=*kzcode+4;

+		    kzstate++;

+		} else *kzstate=KZSTOP;

+		break;

+	    case KZSPDELTA:

+		if((op&0xf8)==0x58 && (kzdptr=op-0x58)!=4) {

+		    kzstate++;

+		    cli_dbgmsg("kriz: using #%d as pointer\n", kzdptr);

+		} else *kzstate=KZSTOP;

+		break;

+	    case KZSXORPRFX:

+		kzstate++;

+		if(op==0x3e) break;

+	    case KZSXOR:

+		if (op==0x80 && *kzcode==kzdptr+0xb0) {

+		    kzxorlen=kzlen;

+		    kzcode+=+6;

+		    kzlen-=+6;

+		    kzstate++;

+		} else *kzstate=KZSTOP;

+		break;

+	    case KZSDDELTA:

+		if (op==kzdptr+0x48) kzstate++;

+		else *kzstate=KZSTOP;

+		break;

+	    case KZSLOOP:

+		if (op==kzdsize+0x48 && *kzcode==0x75 && kzlen-(int8_t)kzcode[1]-3<=kzinitlen && kzlen-(int8_t)kzcode[1]>=kzxorlen) {

+		    *ctx->virname = "W32.Kriz";

+		    free(exe_sections);

+		    return CL_VIRUS;

 		}

-		*ctx->virname = "Win32.Kriz";

-		free(exe_sections);

-		return CL_VIRUS;

+		cli_dbgmsg("kriz: loop out of bounds, corrupted sample?\n");

+		kzstate++;

 	    }

 	}

     }

     /* W32.Magistr.A/B */

     if(SCAN_ALGO && (DCONF & PE_CONF_MAGISTR) && !dll && (nsections>1) && (exe_sections[nsections - 1].chr & 0x80000000)) {

-	    uint32_t rsize, vsize, dam = 0;

+        uint32_t rsize, vsize, dam = 0;

 	vsize = exe_sections[nsections - 1].uvsz;

 	rsize = exe_sections[nsections - 1].rsz;

@@ -915,169 +996,64 @@ int cli_scanpe(int desc, cli_ctx *ctx)

     }

     /* W32.Polipos.A */

-   if(polipos && !dll && nsections > 2 && nsections < 13 && e_lfanew <= 0x800 && (EC16(optional_hdr32.Subsystem) == 2 || EC16(optional_hdr32.Subsystem) == 3) && EC16(file_hdr.Machine) == 0x14c && optional_hdr32.SizeOfStackReserve >= 0x80000) {

-		uint32_t remaining = exe_sections[0].rsz;

-		uint32_t chunk = sizeof(buff);

-		uint32_t val, shift, raddr, total = 0;

-		const char *jpt;

-		struct offset_list *offlist = NULL, *offnode;

-

-

-	cli_dbgmsg("Detected W32.Polipos.A characteristics\n");

-

-	if(remaining < chunk)

-	    chunk = remaining;

-

-	lseek(desc, exe_sections[0].raw, SEEK_SET);

-	while((bytes = cli_readn(desc, buff, chunk)) > 0) {

-	    shift = 0;

-	    while((uint32_t)bytes - 5 > shift) {

-		jpt = buff + shift;

-		if(*jpt!='\xe9' && *jpt!='\xe8') {

-		    shift++;

-		    continue;

-		}

-		val = cli_readint32(jpt + 1);

-		val += 5 + exe_sections[0].rva + total + shift;

-		raddr = cli_rawaddr(val, exe_sections, nsections, &err, fsize, hdr_size);

-

-		if(!err && (raddr >= exe_sections[polipos].raw && raddr < exe_sections[polipos].raw + exe_sections[polipos].rsz) && (!offlist || (raddr != offlist->offset))) {

-		    offnode = (struct offset_list *) cli_malloc(sizeof(struct offset_list));

-		    if(!offnode) {

-			free(exe_sections);

-			while(offlist) {

-			    offnode = offlist;

-			    offlist = offlist->next;

-			    free(offnode);

-			}

-			return CL_EMEM;

-		    }

-		    offnode->offset = raddr;

-		    offnode->next = offlist;

-		    offlist = offnode;

-		}

-

-		shift++;

-	    }

-

-	    if(remaining < chunk) {

-		chunk = remaining;

-	    } else {

-		remaining -= bytes;

-		if(remaining < chunk) {

-		    chunk = remaining;

+    while(polipos && !dll && nsections > 2 && nsections < 13 && e_lfanew <= 0x800 && (EC16(optional_hdr32.Subsystem) == 2 || EC16(optional_hdr32.Subsystem) == 3) && EC16(file_hdr.Machine) == 0x14c && optional_hdr32.SizeOfStackReserve >= 0x80000) {

+	uint32_t jump, jold, *jumps = NULL;

+	uint8_t *code;

+	unsigned int xsjs = 0;

+

+	if(exe_sections[0].rsz > CLI_MAX_ALLOCATION) break;

+	if(!cli_seeksect(desc, &exe_sections[0])) break;

+	if(!(code=cli_malloc(exe_sections[0].rsz))) {

+	    free(exe_sections);

+	    return CL_EMEM;

+	}

+	if(cli_readn(desc, code, exe_sections[0].rsz)!=exe_sections[0].rsz) {

+	    free(exe_sections);

+	    return CL_EIO;

+	}

+	for(i=0; i<exe_sections[0].rsz - 5; i++) {

+	    if((uint8_t)(code[i]-0xe8) > 1) continue;

+	    jump = cli_rawaddr(exe_sections[0].rva+i+5+cli_readint32(&code[i+1]), exe_sections, nsections, &err, fsize, hdr_size);

+	    if(err || !CLI_ISCONTAINED(exe_sections[polipos].raw, exe_sections[polipos].rsz, jump, 9)) continue;

+	    if(xsjs % 128 == 0) {

+		if(xsjs == 1280) break;

+		if(!(jumps=(uint32_t *)cli_realloc2(jumps, (xsjs+128)*sizeof(uint32_t)))) {

+		    free(code);

+		    free(exe_sections);

+		    return CL_EMEM;

 		}

 	    }

-

-	    if(!remaining)

-		break;

-

-	    total += bytes;

-	}

-

-	offnode = offlist;

-	while(offnode) {

-	    cli_dbgmsg("Polipos: Checking offset 0x%x (%u)", offnode->offset, offnode->offset);

-	    lseek(desc, offnode->offset, SEEK_SET);

-	    if(cli_readn(desc, buff, 9) == 9) {

-		ubuff = (unsigned char *) buff;

-		if(ubuff[0] == 0x55 && ubuff[1] == 0x8b && ubuff[2] == 0xec &&

-		   ((ubuff[3] == 0x83 && ubuff[4] == 0xec && ubuff[6] == 0x60) ||  ubuff[3] == 0x60 ||

-		     (ubuff[3] == 0x81 && ubuff[4] == 0xec && ubuff[7] == 0x00 && ubuff[8] == 0x00))) {

-		    ret = CL_VIRUS;

-		    *ctx->virname = "W32.Polipos.A";

+	    j=0;

+	    for(; j<xsjs; j++) {

+		if(jumps[j]<jump) continue;

+		if(jumps[j]==jump) {

+		    xsjs--;

 		    break;

 		}

+		jold=jumps[j];

+		jumps[j]=jump;

+		jump=jold;

+	    }

+	    jumps[j]=jump;

+	    xsjs++;

+	}

+	free(code);

+	if(!xsjs) break;

+	cli_dbgmsg("Polipos: Checking %d xsect jump(s)\n", xsjs);

+	for(i=0;i<xsjs;i++) {

+	    lseek(desc, jumps[i], SEEK_SET);

+	    if(cli_readn(desc, buff, 9) != 9) continue;

+	    if((jump=cli_readint32(buff))==0x60ec8b55 || (buff[4]=='\xec' && ((jump==0x83ec8b55 && buff[6]=='\x60') || (jump==0x81ec8b55 && !buff[7] && !buff[8])))) {

+		*ctx->virname = "W32.Polipos.A";

+		free(jumps);

+		free(exe_sections);

+		return CL_VIRUS;

 	    }

-

-	    offnode = offnode->next;

-	}

-

-	while(offlist) {

-	    offnode = offlist;

-	    offlist = offlist->next;

-	    free(offnode);

-	}

-

-	if(ret == CL_VIRUS) {

-	    free(exe_sections);

-	    return CL_VIRUS;

 	}

+	free(jumps);

+	break;

     }

-    /* SUE */

-    

-    if((DCONF & PE_CONF_SUE) && nsections > 2 && vep == exe_sections[nsections - 1].rva && exe_sections[nsections - 1].rsz > 0x350 && exe_sections[nsections - 1].rsz < 0x292+0x350+1000) {

-  

-      

-      char *sue=buff+0x74;

-      uint32_t key = 0;

-      

-      if(lseek(desc, ep-4, SEEK_SET) == -1) {

-	cli_dbgmsg("SUE: lseek() failed\n");

-	free(exe_sections);

-	return CL_EIO;

-      }

-      if((unsigned int) cli_readn(desc, buff, exe_sections[nsections - 1].rsz+4) == exe_sections[nsections - 1].rsz+4) {

-	found=0;

-	while(CLI_ISCONTAINED(buff+4, exe_sections[nsections - 1].rsz, sue, 4*3)) {

-	  if((cli_readint32(sue)^cli_readint32(sue+4))==0x5c41090e && (cli_readint32(sue)^cli_readint32(sue+8))==0x021e0145) {

-	    found=1;

-	    key=(cli_readint32(sue)^0x6e72656b);

-	    break;

-	  }

-	  sue++;

-	}

-	cli_dbgmsg("SUE: key(%x) found @%x\n", key, sue-buff);

-	if (found && CLI_ISCONTAINED(buff, exe_sections[nsections - 1].rsz, sue-0x74, 0xbe) &&

-	    (sue=sudecrypt(desc, fsize, exe_sections, nsections-1, sue, key, cli_readint32(buff), e_lfanew))) {

-	  if(!(tempfile = cli_gentemp(NULL))) {

-	    free(sue);

-	    free(exe_sections);

-	    return CL_EMEM;

-	  }

-

-	  if((ndesc = open(tempfile, O_RDWR|O_CREAT|O_TRUNC|O_BINARY, S_IRWXU)) < 0) {

-	    cli_dbgmsg("sue: Can't create file %s\n", tempfile);

-	    free(tempfile);

-	    free(sue);

-	    free(exe_sections);

-	    return CL_EIO;

-	  }

-	  

-	  if((unsigned int) cli_writen(ndesc, sue, ep) != ep) {

-	    cli_dbgmsg("sue: Can't write %d bytes\n", ep);

-	    close(ndesc);

-	    free(tempfile);

-	    free(sue);

-	    free(exe_sections);

-	    return CL_EIO;

-	  }

-

-	  free(sue);

-	  if (cli_leavetemps_flag)

-	    cli_dbgmsg("SUE: Decrypted executable saved in %s\n", tempfile);

-	  else

-	    cli_dbgmsg("SUE: Executable decrypted\n");

-	  fsync(ndesc);

-	  lseek(ndesc, 0, SEEK_SET);

-

-	  if(cli_magic_scandesc(ndesc, ctx) == CL_VIRUS) {

-	    free(exe_sections);

-	    close(ndesc);

-	    if(!cli_leavetemps_flag)

-	      unlink(tempfile);

-	    free(tempfile);

-	    return CL_VIRUS;

-	  }

-	  close(ndesc);

-	  if(!cli_leavetemps_flag)

-	    unlink(tempfile);

-	  free(tempfile);

-	}

-      }

-

-    }

     /* UPX, FSG, MEW support */

@@ -1094,169 +1070,92 @@ int cli_scanpe(int desc, cli_ctx *ctx)

     }

     /* MEW support */

-    if (found && (DCONF & PE_CONF_MEW)) {

+    if (found && (DCONF & PE_CONF_MEW) && epsize>=16 && epbuff[0]=='\xe9') {

 	uint32_t fileoffset;

-	/* Check EP for MEW */

-	if(lseek(desc, ep, SEEK_SET) == -1) {

-	    cli_dbgmsg("MEW: lseek() failed\n");

-	    free(exe_sections);

-	    return CL_EIO;

-	}

-        if((bytes = read(desc, buff, 25)) != 25 && bytes < 16) {

-	    cli_dbgmsg("MEW: Can't read at least 16 bytes at 0x%x (%d) %d\n", ep, ep, bytes);

-	    cli_dbgmsg("MEW: Broken or not compressed file\n");

-	    free(exe_sections);

-	    return CL_CLEAN;

-	}

+	fileoffset = (vep + cli_readint32(epbuff + 1) + 5);

+	while (fileoffset == 0x154 || fileoffset == 0x158) {

+	    uint32_t offdiff, uselzma;

-	fileoffset = (vep + cli_readint32(buff + 1) + 5);

-	do {

-	    if (found && (buff[0] == '\xe9') && (fileoffset == 0x154 || fileoffset == 0x158))

-	    {

-		uint32_t offdiff, uselzma;

+	    cli_dbgmsg ("MEW: found MEW characteristics %08X + %08X + 5 = %08X\n", 

+			cli_readint32(epbuff + 1), vep, cli_readint32(epbuff + 1) + vep + 5);

-		cli_dbgmsg ("MEW characteristics found: %08X + %08X + 5 = %08X\n", 

-			cli_readint32(buff + 1), vep, cli_readint32(buff + 1) + vep + 5);

+	    if(lseek(desc, fileoffset, SEEK_SET) == -1) {

+	        cli_dbgmsg("MEW: lseek() failed\n");

+		free(exe_sections);

+		return CL_EIO;

+	    }

-		if(lseek(desc, fileoffset, SEEK_SET) == -1) {

-		    cli_dbgmsg("MEW: lseek() failed\n");

-		    free(exe_sections);

-		    return CL_EIO;

-		}

+	    if((bytes = read(desc, buff, 0xb0)) != 0xb0) {

+	        cli_dbgmsg("MEW: Can't read 0xb0 bytes at 0x%x (%d) %d\n", fileoffset, fileoffset, bytes);

+		break;

+	    }