git-svn: trunk@1684
Tomasz Kojm authored on 2005/08/05 09:59:37... | ... |
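--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+Fri Aug 5 02:48:47 CEST 2005 (tk)
+----------------------------------
+ * libclamav: merge PESpin unpacker from aCaB
+
 Wed Aug 3 16:28:20 CEST 2005 (tk)
 ----------------------------------
 * libclamav/others.c: cli_rmdirs: ENOTEMPTY is EBADF on AIX (thanks to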
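--- a/libclamav/Makefile.in
+++ b/libclamav/Makefile.in
@@ -88,7 +88,7 @@ am_libclamav_la_OBJECTS = matcher-ac.lo matcher-bm.lo matcher.lo \
 chmunpack.lo rebuildpe.lo petite.lo fsg.lo line.lo untar.lo \
 special.lo binhex.lo is_tar.lo tnef.lo unrar15.lo unrarvm.lo \
 unrar.lo unrarfilter.lo unrarppm.lo unrar20.lo unrarcmd.lo \
- pdf.lo
+ pdf.lo spin.lo
 libclamav_la_OBJECTS = $(am_libclamav_la_OBJECTS)
 DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
@@ -334,7 +334,9 @@ libclamav_la_SOURCES = \
 unrar/unrarfilter.h \
 unrar/unrarppm.h \
 pdf.c \
- pdf.h
+ pdf.h \
+ spin.c \
+ spin.h
 
 lib_LTLIBRARIES = libclamav.la
 all: all-am
@@ -437,6 +439,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/scanners.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/snprintf.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/special.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/spin.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/str.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/strc.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/strrcpy.Plo@am__quote@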
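--- a/libclamav/pe.c
+++ b/libclamav/pe.c
@@ -38,6 +38,7 @@
 #include "upx.h"
 #include "petite.h"
 #include "fsg.h"
+#include "spin.h"
 #include "scanners.h"
 #include "rebuildpe.h"
 #include "str.h"
@@ -1359,6 +1360,75 @@ int cli_scanpe(int desc, const char **virname, long int *scanned, const struct c
 }
 }
 
+ /* PESpin 1.1 */
+
+ if(nsections > 1 &&
+ EC32(optional_hdr.AddressOfEntryPoint) >= EC32(section_hdr[nsections - 1].VirtualAddress) &&
+ EC32(optional_hdr.AddressOfEntryPoint) < EC32(section_hdr[nsections - 1].VirtualAddress) + EC32(section_hdr[nsections - 1].SizeOfRawData) - 0x3217 - 4 &&
+ memcmp(buff+4, "\xe8\x00\x00\x00\x00\x8b\x1c\x24\x83\xc3", 10) == 0) {
+
+ struct stat fstats;
+ char *spinned;
+
+ if(fstat(desc, &fstats) == -1) {
+ free(section_hdr);
+ return CL_EIO;
+ }
+
+ if((spinned = (char *) cli_malloc(fstats.st_size)) == NULL) {
+ free(section_hdr);
+ return CL_EMEM;
+ }
+
+ lseek(desc, 0, SEEK_SET);
+ if(read(desc, spinned, fstats.st_size) != fstats.st_size) {
+ cli_dbgmsg("PESpin: Can't read %d bytes\n", fstats.st_size);
+ free(spinned);
+ free(section_hdr);
+ return CL_EIO;
+ }
+
+ tempfile = cli_gentemp(NULL);
+ if((ndesc = open(tempfile, O_RDWR|O_CREAT|O_TRUNC, S_IRWXU)) < 0) {
+ cli_dbgmsg("PESpin: Can't create file %s\n", tempfile);
+ free(tempfile);
+ free(spinned);
+ free(section_hdr);
+ return CL_EIO;
+ }
+
+ if(!unspin(spinned, fstats.st_size, section_hdr, nsections - 1, EC32(optional_hdr.AddressOfEntryPoint), ndesc)) {
+ free(spinned);
+ cli_dbgmsg("PESpin: Unpacked and rebuilt executable saved in %s\n", tempfile);
+ fsync(ndesc);
+ lseek(ndesc, 0, SEEK_SET);
+
+ if(cli_magic_scandesc(ndesc, virname, scanned, root, limits, options, arec, mrec) == CL_VIRUS) {
+ free(section_hdr);
+ close(ndesc);
+ if(!cli_leavetemps_flag) {
+ unlink(tempfile);
+ free(tempfile);
+ } else {
+ free(tempfile);
+ }
+ return CL_VIRUS;
+ }
+
+ } else {
+ free(spinned);
+ cli_dbgmsg("PESpin: Rebuilding failed\n");
+ }
+
+ close(ndesc);
+ if(!cli_leavetemps_flag) {
+ unlink(tempfile);
+ free(tempfile);
+ } else {
+ free(tempfile);
+ }
+ }
+
 /* to be continued ... */
 
 free(section_hdr);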
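Review bot: The entry-point upper bound in the new PESpin detection condition, `EC32(section_hdr[nsections - 1].VirtualAddress) + EC32(section_hdr[nsections - 1].SizeOfRawData) - 0x3217 - 4`, is evaluated in uint32_t, so when the last section's VirtualAddress plus SizeOfRawData is below 0x321b the subtraction wraps and any entry point passes; unspin() then reads up to `ep+0x3217` inside a buffer of only SizeOfRawData bytes, which its "checked by caller" comments assume this test rules out. Add `EC32(section_hdr[nsections - 1].SizeOfRawData) > 0x3217 + 4 &&` ahead of that comparison so the bound cannot wrap downward (the preceding `>= VirtualAddress` test already keeps `nep - VirtualAddress` non-negative). The `%d` in `cli_dbgmsg("PESpin: Can't read %d bytes\n", fstats.st_size)` does not match the `off_t` argument; cast it, e.g. `(unsigned long) fstats.st_size` with `%lu`. cli_scanpe() begins and continues outside this hunk.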
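--- /dev/null
+++ b/libclamav/spin.c
@@ -0,0 +1,609 @@
+/*
+ * Copyright (C) 2005 aCaB <acab@clamav.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+/*
+** spin.c
+**
+** 19/07/2k5 - Finally started coding something
+** 21/07/2k5 - Works, started clearing the mess
+** 31/07/2k5 - Porting to libclamav
+*/
+
+/*
+** Unpacks pespin v1.1
+**
+** Funny thing to reverse
+**
+** [ A big fat thank to christoph for not letting me give up ]
+*/
+
+
+/*
+** TODO ( a fat one ):
+**
+** OEP restore and unhijacking
+** code redir handling (at least near OEP)
+** passwd protection (didn't really look at it)
+**
+** All this stuff really needs a way better emu and a hell of unlaming
+** ATM not worth the effort... and pespin v1.3 is out :@
+**
+*/
+
+
+#if HAVE_CONFIG_H
+#include "clamav-config.h"
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <string.h>
+
+#include "cltypes.h"
+#include "pe.h"
+#include "rebuildpe.h"
+#include "others.h"
+
+#if WORDS_BIGENDIAN == 0
+#define EC32(v) (v)
+#else
+static inline uint32_t EC32(uint32_t v)
+{
+ return ((v >> 24) | ((v & 0x00FF0000) >> 8) | ((v & 0x0000FF00) << 8) | (v << 24));
+}
+#endif
+
+#define ROL(a,b) a = ( a << (b % (sizeof(a)<<3) )) | (a >> ( (sizeof(a)<<3) - (b % (sizeof(a)<<3 )) ) )
+#define ROR(a,b) a = ( a >> (b % (sizeof(a)<<3) )) | (a << ( (sizeof(a)<<3) - (b % (sizeof(a)<<3 )) ) )
+
+
+/* FIXME: poly block is fixed size */
+static char exec86(uint8_t aelle, uint8_t cielle, char *curremu) {
+ while (*curremu!='\xaa') {
+ uint8_t opcode = *curremu, support;
+ curremu++;
+ switch (opcode) {
+ case 0xeb:
+ curremu++;
+ case 0x0a:
+ curremu++;
+ case 0x90:
+ case 0xf8:
+ case 0xf9:
+ break;
+
+ case 0x02: /* add al, cl */
+ aelle+=cielle;
+ curremu++;
+ break;
+ case 0x2a: /* sub al, cl */
+ aelle-=cielle;
+ curremu++;
+ break;
+ case 0x04: /* add al, ?? */
+ aelle+=*curremu;
+ curremu++;
+ break;
+ case 0x2c: /* sub al, ?? */
+ aelle-=*curremu;
+ curremu++;
+ break;
+ case 0x32: /* xor al, cl */
+ aelle^=cielle;
+ curremu++;
+ break;
+ case 0x34: /* xor al, ?? */
+ aelle^=*curremu;
+ curremu++;
+ break;
+
+ case 0xfe: /* inc/dec al */
+ if ( *curremu == '\xc0' ) aelle++;
+ else aelle--;
+ curremu++;
+ break;
+
+ case 0xc0: /* ror/rol al, ?? */
+ support = *curremu;
+ curremu++;
+ if ( support == 0xc0 ) ROL(aelle, *curremu);
+ else ROR(aelle, *curremu);
+ curremu++;
+ break;
+
+ default:
+ cli_dbgmsg("Bogus opcode %x\n", opcode);
+ }
+ }
+ return aelle;
+}
+
+
+static int doubledl(char **scur, uint8_t *mydlptr, char *buffer, int buffersize)
+{
+ unsigned char mydl = *mydlptr;
+ unsigned char olddl = mydl;
+
+ mydl*=2;
+ if ( !(olddl & 0x7f)) {
+ if ( *scur < buffer || *scur >= buffer+buffersize-1 )
+ return -1;
+ olddl = **scur;
+ mydl = olddl*2+1;
+ *scur=*scur + 1;
+ }
+ *mydlptr = mydl;
+ return (olddl>>7)&1;
+}
+
+
+static int unfsg(char *source, char *dest, int ssize, int dsize) {
+ uint8_t mydl=0x80;
+ uint32_t backbytes, backsize, oldback = 0;
+ char *csrc = source, *cdst = dest;
+ int oob, lostbit = 1;
+
+ /* I assume buffers size is >0 - No checking! */
+ *cdst++=*csrc++;
+
+ while ( 1 ) {
+ if ((oob=doubledl(&csrc, &mydl, source, ssize))) {
+ if (oob == -1)
+ return -1;
+ /* 164 */
+ backsize = 0;
+ if ((oob=doubledl(&csrc, &mydl, source, ssize))) {
+ if (oob == -1)
+ return -1;
+ /* 16a */
+ backbytes = 0;
+ if ((oob=doubledl(&csrc, &mydl, source, ssize))) {
+ if (oob == -1)
+ return -1;
+ /* 170 */
+ lostbit = 1;
+ backsize++;
+ backbytes = 0x10;
+ while ( backbytes < 0x100 ) {
+ if ((oob=doubledl(&csrc, &mydl, source, ssize)) == -1)
+ return -1;
+ backbytes = backbytes*2+oob;
+ }
+ backbytes &= 0xff;
+ if ( ! backbytes ) {
+ if (cdst >= dest+dsize)
+ return -1;
+ *cdst++=0x00;
+ continue;
+ } else {
+ /* repne movsb - FIXME dont remove for now */
+ }
+ } else {
+ /* 18f */
+ if (csrc >= source+ssize)
+ return -1;
+ backbytes = *(unsigned char*)csrc;
+ backsize = backsize * 2 + (backbytes & 1);
+ backbytes = (backbytes & 0xff)>>1;
+ csrc++;
+ if (! backbytes)
+ break;
+ backsize+=2;
+ oldback = backbytes;
+ lostbit = 0;
+ }
+ } else {
+ /* 180 */
+ backsize = 1;
+ do {
+ if ((oob=doubledl(&csrc, &mydl, source, ssize)) == -1)
+ return -1;
+ backsize = backsize*2+oob;
+ if ((oob=doubledl(&csrc, &mydl, source, ssize)) == -1)
+ return -1;
+ } while (oob);
+
+ backsize = backsize - 1 - lostbit;
+ if (! backsize) {
+ /* 18a */
+ backsize = 1;
+ do {
+ if ((oob=doubledl(&csrc, &mydl, source, ssize)) == -1)
+ return -1;
+ backsize = backsize*2+oob;
+ if ((oob=doubledl(&csrc, &mydl, source, ssize)) == -1)
+ return -1;
+ } while (oob);
+
+ backbytes = oldback;
+ } else {
+ /* 198 */
+ if (csrc >= source+ssize)
+ return -1;
+ backbytes = *(unsigned char*)csrc;
+ backbytes += (backsize-1)<<8;
+ backsize = 1;
+ csrc++;
+ do {
+ if ((oob=doubledl(&csrc, &mydl, source, ssize)) == -1)
+ return -1;
+ backsize = backsize*2+oob;
+ if ((oob=doubledl(&csrc, &mydl, source, ssize)) == -1)
+ return -1;
+ } while (oob);
+
+ if (backbytes >= 0x7d00)
+ backsize++;
+ if (backbytes >= 0x500)
+ backsize++;
+ if (backbytes <= 0x7f)
+ backsize += 2;
+
+ oldback = backbytes;
+ }
+ lostbit = 0;
+ }
+ if ((backsize >= dest + dsize - cdst) || (backbytes > cdst - dest))
+ return -1;
+ while(backsize--) {
+ *cdst=*(cdst-backbytes);
+ cdst++;
+ }
+
+ } else {
+ /* 15d */
+ if (cdst < dest || cdst >= dest+dsize || csrc < source || csrc >= source+ssize)
+ return -1;
+ *cdst++=*csrc++;
+ lostbit=1;
+ }
+ }
+
+ return 0;
+}
+
+
+static uint32_t summit (char *src, int size)
+{
+ uint32_t eax=0xffffffff, ebx=0xffffffff;
+ int i;
+
+ while(size) {
+ eax ^= *src++<<8 & 0xff00;
+ eax = eax>>3 & 0x1fffffff;
+ for (i=0; i<4; i++) {
+ uint32_t swap;
+ eax ^= ebx>>8 & 0xff;
+ eax += 0x7801a108;
+ eax ^= ebx;
+ ROR(eax, ebx&0xff);
+ swap = eax;
+ eax = ebx;
+ ebx = swap;
+ }
+ size--;
+ }
+ return ebx;
+}
+
+
+int unspin(char *src, int ssize, struct pe_image_section_hdr *sections, int sectcnt, uint32_t nep, int desc) {
+ char *curr, *emu, *ep, *spinned;
+ char **sects;
+ int blobsz=0, j;
+ uint32_t key32, bitmap, bitman;
+ uint32_t len;
+ uint8_t key8;
+
+ cli_dbgmsg("in unspin\n");
+
+ if ( (spinned = (char *) cli_malloc(EC32(sections[sectcnt].SizeOfRawData))) == NULL )
+ return 1;
+
+ memcpy(spinned, src + EC32(sections[sectcnt].PointerToRawData), EC32(sections[sectcnt].SizeOfRawData));
+ ep = spinned + nep - sections[sectcnt].VirtualAddress;
+
+ // ep = src + nep + sections[sectcnt].PointerToRawData - sections[sectcnt].VirtualAddress; // Just a helper
+
+ curr = ep+0xdb; // HELP: as a general rule, can i do char* math or should use monsters like "&ep[0xdb]" instead?
+ if ( *curr != '\xbb' ) {
+ free(spinned);
+ cli_dbgmsg("spin: Not spinned or bad version\n");
+ return 1;
+ }
+
+ key8 = (uint8_t)*++curr;
+ curr+=4;
+ if ( *curr != '\xb9' ) {
+ free(spinned);
+ cli_dbgmsg("spin: Not spinned or bad version\n");
+ return 1;
+ }
+
+ if ( (len = cli_readint32(curr+1)) != 0x11fe ) {
+ free(spinned);
+ cli_dbgmsg("spin: Not spinned or bad version\n");
+ return 1;
+ }
+
+ cli_dbgmsg("spin: Key8 is %x, Len is %x\n", key8, len);
+
+ if ( ep - spinned >= EC32(sections[sectcnt].SizeOfRawData) - len - 0x1fe5 ) {
+ free(spinned);
+ cli_dbgmsg("spin: len out of bounds, giving up\n");
+ return 1; // Outta bounds - HELP: i suppose i should check for wraps.. not sure though
+ }
+
+ curr = ep+0x1fe5+len-1;
+ while ( len-- ) {
+ *curr=(*curr)^(key8--);
+ curr--;
+ }
+
+ curr = ep+0x26eb;
+ key32 = cli_readint32(curr);
+ if ( (len = cli_readint32(curr+5)) != 0x5a0) {
+ free(spinned);
+ cli_dbgmsg("spin: Not spinned or bad version\n");
+ return 1; // FIXME: apparently static
+ }
+
+ curr = ep+0x2d5; // 0x2d5+5a0 < 0x3217 - still within bounds (checked by caller)
+ cli_dbgmsg("spin: Key is %x, Len is %x\n", key32, len);
+
+ while ( len-- ) {
+ if ( key32 & 1 ) {
+ key32 = key32>>1&0x7fffffff;
+ key32 ^= 0x8c328834;
+ } else {
+ key32 = key32>>1 & 0x7fffffff;
+ }
+ *curr = *curr ^ (key32 & 0xff);
+ curr++;
+ }
+
+
+ cli_dbgmsg("spin: here\n");
+ len = ssize - cli_readint32(ep+0x429); // sub size, value
+ if ( len >= ssize ) {
+ free(spinned);
+ cli_dbgmsg("spin: crc out of bounds, giving up\n");
+ return 1; // We wrapped
+ }
+ key32 = cli_readint32(ep+0x3217) - summit(src,len);
+
+ memcpy(src + EC32(sections[sectcnt].PointerToRawData), spinned, EC32(sections[sectcnt].SizeOfRawData));
+ free(spinned); // done CRC'ing - can have a dirty buffer now
+ ep = src + nep + sections[sectcnt].PointerToRawData - sections[sectcnt].VirtualAddress; // Fix the helper
+
+ cli_dbgmsg("spin: Key32 is %x\n", key32);
+
+ bitmap = cli_readint32(ep+0x3207);
+ cli_dbgmsg("spin: XORbitmap is %x\n", bitmap);
+
+ for (j=0; j<sectcnt; j++) {
+ if (bitmap&1) {
+ uint32_t size = EC32(sections[j].SizeOfRawData);
+ char *ptr = src + EC32(sections[j].PointerToRawData);
+ uint32_t keydup = key32;
+
+ if ( EC32(sections[j].PointerToRawData) + size >= ssize ) {
+ cli_dbgmsg("spin: sect %d out of file, giving up\n", j);
+ return 1; // sect outta bounds - HELP: i suppose i should check for wraps.. not sure though
+ }
+
+ while (size--) {
+ if (! (keydup & 1)) {
+ keydup = keydup>>1&0x7fffffff; /* HELP: clear sign bit for unsigned values too? */
+ keydup ^= 0xed43af31;
+ } else {
+ keydup = keydup>>1 & 0x7fffffff; /* HELP: clear sign bit for unsigned values too? */
+ }
+ *ptr = *ptr ^ (keydup & 0xff);
+ ptr++;
+ }
+
+ bitmap = bitmap >>1 & 0x7fffffff; /* HELP: clear sign bit for unsigned values too? */
+ }
+ }
+ cli_dbgmsg("spin: done\n");
+
+
+ curr = ep+0x644; // 0x28d3+0x180 < 0x3217 - still within bounds (checked by caller)
+ if ( (len = cli_readint32(curr)) != 0x180) {
+ cli_dbgmsg("spin: Not spinned or bad version\n");
+ return 1;
+ }
+
+ key32 = cli_readint32(curr+0x0c);
+ cli_dbgmsg("spin: Key is %x, Len is %x\n", key32, len);
+ curr = ep+0x28d3;
+
+ while ( len-- ) {
+ if ( key32 & 1 ) {
+ key32 = key32>>1&0x7fffffff;
+ key32 ^= 0xed43af32;
+ } else {
+ key32 = key32>>1 & 0x7fffffff;
+ }
+ *curr = *curr ^ (key32 & 0xff);
+ curr++;
+ }
+
+
+ curr = ep+0x28dd;
+ if ( (len = cli_readint32(curr)) != 0x1a1 ) {
+ cli_dbgmsg("spin: Not spinned or bad version\n");
+ return 1;
+ }
+
+ cli_dbgmsg("spin: POLY1 len is %x\n", len);
+ curr+=0xf; // POLY1
+
+ emu = ep+0x6d4; // Still within bounds
+
+ while (len) {
+ *emu=exec86(*emu, len-- & 0xff, curr); // unlame POLY1
+ emu++;
+ }
+
+ bitmap = cli_readint32(ep+0x6f1);
+ cli_dbgmsg("spin: POLYbitmap is %x\n", bitmap);
+ curr = ep+0x755;
+
+ for (j=0; j<sectcnt; j++) {
+ if (bitmap&1) {
+ uint32_t len = EC32(sections[j].SizeOfRawData);
+
+ emu = src + EC32(sections[j].PointerToRawData);
+
+ if ( emu < src || EC32(sections[j].PointerToRawData) + len >= ssize) { // HELP: Is this enough for me to be within bounds?
+ cli_dbgmsg("spin: code to exec is out of file?\n");
+ return 1;
+ }
+
+ while (len) {
+ *emu=exec86(*emu, len-- & 0xff, curr);
+ emu++;
+ }
+
+ bitmap = bitmap >>1 & 0x7fffffff;
+
+ }
+ }
+
+ bitmap = cli_readint32(ep+0x3061);
+ bitman = bitmap;
+ cli_dbgmsg("spin: Compression bitmap is %x\n", bitmap);
+ if ( (sects= (char **) cli_malloc(sectcnt*sizeof(char *))) == NULL )
+ return 1;
+
+ len = 0;
+ for (j=0; j<sectcnt; j++) {
+ if (bitmap&1) {
+ if ( (sects[j] = (char *) cli_malloc(EC32(sections[j].VirtualSize)) ) == NULL ) { // FIXME: use "static" maxmalloc @4380b6 instead???
+ len = 1;
+ break;
+ }
+ blobsz+=EC32(sections[j].VirtualSize);
+ memset(sects[j], 0, EC32(sections[j].VirtualSize));
+ cli_dbgmsg("spin: Growing sect%d: was %x will be %x\n", j, EC32(sections[j].SizeOfRawData), EC32(sections[j].VirtualSize));
+ len = unfsg(src + EC32(sections[j].PointerToRawData), sects[j], EC32(sections[j].SizeOfRawData), EC32(sections[j].VirtualSize)); // FIXME: checr retval
+ // sections[j].rsz = sections[j].vsz; FIXME: can't hack the caller, gotta find a better way!
+ } else {
+ blobsz+=EC32(sections[j].SizeOfRawData);
+ sects[j] = src + EC32(sections[j].PointerToRawData);
+ cli_dbgmsg("spin: Not growing sect%d\n", j);
+ }
+ bitmap = bitmap >>1 & 0x7fffffff;
+ }
+
+ if ( len ) {
+ int t;
+ for (t=0 ; t<j ; t++)
+ if (bitman&1)
+ free(sects[t]);
+ free(sects);
+ return 1;
+ }
+
+
+ key32 = cli_readint32(ep+0x2fee);
+ if (key32) {
+ /* len = cli_readint32(ep+0x2fc8); -- Using vsizes instead */
+
+ for (j=0; j<sectcnt; j++) {
+ if (EC32(sections[j].VirtualAddress) <= key32 && EC32(sections[j].VirtualAddress)+EC32(sections[j].SizeOfRawData) > key32) // HELP: wraps?
+ break;
+ }
+
+ cli_dbgmsg("spin: --- %x < %x < %x %d / %d\n", EC32(sections[j].VirtualAddress), key32, EC32(sections[j].VirtualAddress)+EC32(sections[j].SizeOfRawData), j, sectcnt);
+
+ if (j!=sectcnt && ((bitman & (1<<j)) == 0)) { // FIXME: not really sure either the res sect is lamed or just compressed, but this'll save some major headakes
+ cli_dbgmsg("spin: Resources (sect%d) appear to be compressed\n uncompressed offset %x, len %x\n compressed offset %x, len %x\n", j, EC32(sections[j].VirtualAddress), key32 - EC32(sections[j].VirtualAddress), key32, EC32(sections[j].VirtualSize) - (key32 - EC32(sections[j].VirtualAddress)));
+
+ if ( (curr=(char *)cli_malloc(EC32(sections[j].VirtualSize))) != NULL ) {
+ memcpy(curr, src + EC32(sections[j].PointerToRawData), key32 - EC32(sections[j].VirtualAddress)); // Uncompressed part
+ memset(curr + key32 - EC32(sections[j].VirtualAddress), 0, EC32(sections[j].VirtualSize) - (key32 - EC32(sections[j].VirtualAddress))); // bzero
+ if ( unfsg(src + EC32(sections[j].PointerToRawData) + key32 - EC32(sections[j].VirtualAddress), curr + key32 - EC32(sections[j].VirtualAddress), EC32(sections[j].SizeOfRawData) - (key32 - EC32(sections[j].VirtualAddress)), EC32(sections[j].VirtualSize) - (key32 - EC32(sections[j].VirtualAddress))) ) { // HELP: i can't read my own line - hope's ok :(
+
+ free(curr);
+ cli_dbgmsg("spin: Failed to grow resources, continuing anyway\n");
+ blobsz+=EC32(sections[j].SizeOfRawData);
+ } else {
+ sects[j]=curr; // FIXME: bitman check above should save me from leaks
+ bitman|=1<<j;
+ cli_dbgmsg("spin: Resources grown\n");
+ blobsz+=EC32(sections[j].VirtualSize);
+ }
+ } else {
+ // HELP: malloc failed but i'm too deep into this crap to worry... what to do next?
+ blobsz+=EC32(sections[j].SizeOfRawData);
+ }
+ } else {
+ cli_dbgmsg("spin: No res?!\n");
+ }
+ }
+
+
+ bitmap=bitman; // save as a free() bitmap
+
+ if ( (ep = (char *) cli_malloc(blobsz)) != NULL ) {
+ struct SECTION *rebhlp;
+ if ( (rebhlp = (struct SECTION *) cli_malloc(sizeof(struct SECTION)*(sectcnt))) != NULL ) {
+ char *to = ep;
+ int retval = 0;
+
+ for (j = 0; j < sectcnt; j++) {
+ rebhlp[j].raw = (j>0)*(rebhlp[j-1].raw + rebhlp[j-1].rsz);
+ rebhlp[j].rsz = (bitmap &1) ? EC32(sections[j].VirtualSize) : EC32(sections[j].SizeOfRawData);
+ rebhlp[j].rva = EC32(sections[j].VirtualAddress);
+ rebhlp[j].vsz = EC32(sections[j].VirtualSize);
+
+ memcpy(to, sects[j], rebhlp[j].rsz);
+ to+=rebhlp[j].rsz;
+ if ( bitmap & 1 ) free(sects[j]);
+ bitmap = bitmap >>1 & 0x7fffffff;
+ }
+
+ if ( (to = rebuildpe(ep, rebhlp, sectcnt, 0x400000, 0x1000, 0, 0))) { // HELP: should i bother fixing those values? the rebuilt exe is completely broken anyway.
+ write(desc, to, 0x148+0x80+0x28*j+rebhlp[j-1].raw+rebhlp[j-1].rsz);
+ free(to);
+ } else {
+ cli_dbgmsg("spin: Cannot write unpacked file\n");
+ retval = 1;
+ }
+ free(rebhlp);
+ free(ep);
+ free(sects);
+ return retval;
+ }
+ free(ep);
+ }
+
+ cli_dbgmsg ("spin: free bitmap is %x\n", bitman);
+ for (j=0; j<sectcnt; j++) {
+ if (bitmap&1) free(sects[j]);
+ bitman = bitman >>1 & 0x7fffffff;
+ }
+ free(sects);
+ return 1; // :(
+}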
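Review bot: Both error-path cleanup loops in unspin() free the wrong `sects` entries: the `for (t=0 ; t<j ; t++)` loop after the allocation pass tests `bitman&1` without ever shifting `bitman`, and the final "free bitmap" loop tests `bitmap&1` while shifting `bitman`, so depending on bit 0 alone either every entry is passed to free() — including the `sects[j] = src + EC32(sections[j].PointerToRawData)` pointers into the caller's buffer — or none of the cli_malloc'd section buffers is released. The first loop's body should be `if (bitman&1) free(sects[t]); bitman = bitman >>1 & 0x7fffffff;` and the second loop should test `if (bitman&1) free(sects[j]);`. The `len = unfsg(...)` result noted with `FIXME: checr retval` is overwritten by later iterations, so a failed decompression of any but the last grown section is silently accepted; `break` after a non-zero return would route it into the same cleanup. Separately, the first `memcpy(spinned, src + EC32(sections[sectcnt].PointerToRawData), ...)` copies `SizeOfRawData` bytes with none of the `>= ssize` bound the later per-section loops apply, and `ep = spinned + nep - sections[sectcnt].VirtualAddress` (and the later "Fix the helper" line) read `VirtualAddress`/`PointerToRawData` without `EC32()` unlike every other field access, which gives a wrong `ep` on the big-endian build; unless cli_scanpe() validates the last section's raw extent before calling unspin(), that copy can read past the end of `src`.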
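--- /dev/null
+++ b/libclamav/spin.h
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) 2005 aCaB <acab@clamav.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#ifndef __SPIN_H
+#define __SPIN_H
+
+#include "cltypes.h"
+#include "rebuildpe.h"
+
+int unspin(char *, int, struct pe_image_section_hdr *, int, uint32_t, int);
+
+#endif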