@@ -1,3 +1,8 @@

+Sat Jan 13 15:37:51 CET 2007 (acab)

+-----------------------------------

+  * libclamav: add Upack support from Michal Spadlinski <gim913 * gmail.com>

+  	       Part of the Google Summer of Code program

+

 Sat Jan 13 13:33:53 CET 2007 (tk)

 ---------------------------------

   * libclamav/scanners.c: print temp filenames in cli_scanzip() (bb#138)

@@ -97,6 +97,8 @@ libclamav_la_SOURCES = \

 	fsg.h \

 	mew.c \

 	mew.h \

+	upack.c \

+	upack.h \

 	line.c \

 	line.h \

 	untar.c \

@@ -83,7 +83,7 @@ am_libclamav_la_OBJECTS = matcher-ac.lo matcher-bm.lo matcher-ncore.lo \

 	snprintf.lo table.lo text.lo ole2_extract.lo vba_extract.lo \

 	msexpand.lo pe.lo upx.lo htmlnorm.lo chmunpack.lo rebuildpe.lo \

 	petite.lo wwunpack.lo suecrypt.lo unsp.lo packlibs.lo fsg.lo \

-	mew.lo line.lo untar.lo unzip.lo special.lo binhex.lo \

+	mew.lo upack.lo line.lo untar.lo unzip.lo special.lo binhex.lo \

 	is_tar.lo tnef.lo unrar15.lo unrarvm.lo unrar.lo \

 	unrarfilter.lo unrarppm.lo unrar20.lo unrarcmd.lo pdf.lo \

 	spin.lo yc.lo elf.lo sis.lo uuencode.lo pst.lo phishcheck.lo \

@@ -309,6 +309,8 @@ libclamav_la_SOURCES = \

 	fsg.h \

 	mew.c \

 	mew.h \

+	upack.c \

+	upack.h \

 	line.c \

 	line.h \

 	untar.c \

@@ -506,6 +508,7 @@ distclean-compile:

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unsp.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/untar.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unzip.Plo@am__quote@

+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/upack.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/upx.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/uuencode.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/vba_extract.Plo@am__quote@

@@ -40,7 +40,6 @@

 #include "cltypes.h"

 #include "pe.h"

-#include "rebuildpe.h"

 #include "others.h"

 #include "mew.h"

 #include "packlibs.h"

@@ -335,7 +334,7 @@ uint32_t lzma_48631a (struct lzmastate *p, char **old_ecx, uint32_t *old_edx, ui

 	return 0;

 }

-//int mew_lzma(struct pe_image_section_hdr *section_hdr, char *orgsource, char *buf, uint32_t size_sum, uint32_t vma, uint32_t special)

+

 int mew_lzma(char *orgsource, char *buf, uint32_t size_sum, uint32_t vma, uint32_t special)

 {

 	uint32_t var08, var0C, var10, var14, var18, var20, var24, var28, var34;

@@ -762,7 +761,6 @@ uint32_t lzma_upack_esi_54(struct lzmastate *p, uint32_t old_eax, uint32_t *old_

 }

-//int unmew11(struct pe_image_section_hdr *section_hdr, int sectnum, char *src, int off, int ssize, int dsize, uint32_t base, uint32_t vadd, int uselzma, char **endsrc, char **enddst, int filedesc)

 int unmew11(int sectnum, char *src, int off, int ssize, int dsize, uint32_t base, uint32_t vadd, int uselzma, char **endsrc, char **enddst, int filedesc)

 {

 	uint32_t entry_point, newedi, loc_ds=dsize, loc_ss=ssize;

@@ -845,7 +843,7 @@ int unmew11(int sectnum, char *src, int off, int ssize, int dsize, uint32_t base

 			free(section);

 			return -1;

 		}

-		//		if(mew_lzma(&(section_hdr[sectnum]), src, f1+4, size_sum, vma, *(src + uselzma+8) == '\x50'))

+

 		if(mew_lzma(src, f1+4, size_sum, vma, *(src + uselzma+8) == '\x50'))

 		{

 			free(section);

@@ -51,6 +51,7 @@

 #include "md5.h"

 #ifdef CL_EXPERIMENTAL

 #include "mew.h"

+#include "upack.h"

 #endif

 #ifndef	O_BINARY

@@ -253,7 +254,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)

 	unsigned int ssize = 0, dsize = 0, dll = 0, pe_plus = 0;

 	int (*upxfn)(char *, uint32_t, char *, uint32_t *, uint32_t, uint32_t, uint32_t) = NULL;

 	char *src = NULL, *dest = NULL;

-	int ndesc, ret = CL_CLEAN;

+	int ndesc, ret = CL_CLEAN, upack = 0;

 	size_t fsize;

 	uint32_t valign, falign;

 	struct cli_exe_section *exe_sections;

@@ -483,6 +484,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)

 	    lseek(desc, (EC16(file_hdr.SizeOfOptionalHeader)-sizeof(struct pe_image_optional_hdr32)), SEEK_CUR);

 	}

+	upack = (EC16(file_hdr.SizeOfOptionalHeader)==0x148);

 	vep = EC32(optional_hdr32.AddressOfEntryPoint);

 	cli_dbgmsg("File format: PE\n");

@@ -1250,13 +1252,13 @@ int cli_scanpe(int desc, cli_ctx *ctx)

 	    }

 	} while (0);

     }

-#endif

-

+    if(found || upack) {

+#else

     if(found) {

-

-	/* Check EP for UPX vs. FSG */

+#endif

+	/* Check EP for UPX vs. FSG vs. Upack */

 	if(lseek(desc, ep, SEEK_SET) == -1) {

 	    cli_dbgmsg("UPX/FSG: lseek() failed\n");

 	    free(section_hdr);

@@ -1272,6 +1274,158 @@ int cli_scanpe(int desc, cli_ctx *ctx)

 	    return CL_CLEAN;

 	}

+#ifdef CL_EXPERIMENTAL

+	/* Upack 0.39 produces 2 types of executables

+	 * 3 sections:           | 2 sections (one empty, I don't chech found if !upack, since it's in OR above):

+	 *   mov esi, value      |   pusha

+	 *   lodsd               |   call $+0x9

+	 *   push eax            |

+	 *

+	 * Upack 1.1/1.2 Beta produces [based on 2 samples (sUx) provided by aCaB]:

+	 * 2 sections

+	 *   mov esi, value

+	 *   loads

+	 *   mov edi, eax

+	 *

+	 * Upack unknown [sample 0297729]

+	 * 3 sections

+	 *   mov esi, value

+	 *   push [esi]

+	 *   jmp

+	 * 

+	 */

+	/* upack 0.39-3s + sample 0151477*/

+ 	if((upack && buff[0] == '\xbe' && cli_readint32(buff + 1) - EC32(optional_hdr32.ImageBase) > min && /* mov esi */

+				buff[5] == '\xad' && buff[6] == '\x50' && /* lodsd; push eax */

+				EC16(file_hdr.NumberOfSections) == 3) || /* 3 sections */

+			/* based on 0297729 sample from aCaB */

+			(upack && buff[0] == '\xbe' && cli_readint32(buff + 1) - EC32(optional_hdr32.ImageBase) > min && /* mov esi */

+			 buff[5] == '\xff' && buff[6] == '\x36' && /* push [esi] */

+			 EC16(file_hdr.NumberOfSections) == 3) ||

+			/* upack 0.39-2s */

+			(!upack && buff[0] == '\x60' && buff[1] == '\xe8' && cli_readint32(buff+2) == 0x9 && /* pusha; call+9 */

+			 EC16(file_hdr.NumberOfSections) == 2) || /* 2 sections */

+			/* upack 1.1/1.2, based on 2 samples */

+			(!upack && buff[0] == '\xbe' && cli_readint32(buff+1) - EC32(optional_hdr32.ImageBase) < min &&  /* mov esi */

+			 cli_readint32(buff + 1) - EC32(optional_hdr32.ImageBase) > 0 && 

+			 buff[5] == '\xad' && buff[6] == '\x8b' && buff[7] == '\xf8' && /* loads;  mov edi, eax */

+			 EC16(file_hdr.NumberOfSections) == 2)) { /* 2 sections */

+		uint32_t vma, off;

+		int a,b,c, file;

+

+		cli_dbgmsg("Upack characteristics found.\n");

+		a = EC32(section_hdr[0].VirtualSize);

+		b = EC32(section_hdr[1].VirtualSize);

+		if (upack) {

+			cli_dbgmsg("upack var set\n");

+			c = EC32(section_hdr[2].VirtualSize);

+			ssize = EC32(section_hdr[0].SizeOfRawData) + EC32(section_hdr[0].PointerToRawData);

+			off = EC32(section_hdr[0].VirtualAddress);

+			vma = EC32(optional_hdr32.ImageBase) + EC32(section_hdr[0].VirtualAddress);

+		} else {

+			cli_dbgmsg("upack var NOT set\n");

+			c = EC32(section_hdr[1].VirtualAddress);

+			ssize = EC32(section_hdr[1].PointerToRawData);

+			off = 0;

+			vma = EC32(section_hdr[1].VirtualAddress) - EC32(section_hdr[1].PointerToRawData);

+		}

+

+		dsize = a+b+c;

+		if (ctx->limits && ctx->limits->maxfilesize && (dsize > ctx->limits->maxfilesize || ssize > ctx->limits->maxfilesize || EC32(section_hdr[1].SizeOfRawData) > ctx->limits->maxfilesize))

+		{

+		    cli_dbgmsg("Upack: Sizes exceeded (a: %u, b: %u, c: %ux, max: %lu)\n", a, b, c, ctx->limits->maxfilesize);

+		    free(section_hdr);

+		    if(BLOCKMAX) {

+			*ctx->virname = "PE.Upack.ExceededFileSize";

+			return CL_VIRUS;

+		    } else {

+			return CL_CLEAN;

+		    }

+		}

+		/* these are unsigned so if vaddr - off < 0, it should be ok */

+		if (EC32(section_hdr[1].VirtualAddress) - off > dsize || EC32(section_hdr[1].VirtualAddress) - off > dsize - EC32(section_hdr[1].SizeOfRawData) || (upack && (EC32(section_hdr[2].VirtualAddress) - EC32(section_hdr[0].VirtualAddress) > dsize || EC32(section_hdr[2].VirtualAddress) - EC32(section_hdr[0].VirtualAddress) > dsize - ssize)) || ssize > dsize)

+		{

+		    cli_dbgmsg("Upack: probably malformed pe-header, skipping to next unpacker\n");

+		    goto skip_upack_and_go_to_next_unpacker; /* I didn't want to add additional do while + break, can it be this way ? */

+		}

+			

+		if((dest = (char *) cli_calloc(dsize, sizeof(char))) == NULL) {

+		    free(section_hdr);

+		    return CL_EMEM;

+		}

+		src = NULL;

+		cli_dbgmsg("Upack: min: %08x %08x max: %08x\n", dest, a+b+c, dest+a+b+c);

+	

+		lseek(desc, 0, SEEK_SET);

+		if(read(desc, dest, ssize) != ssize) { /* 2vGiM: i think this can be overflowed - should you check for ssize < dsize ?

+		                                        * yup, I think you're right, added above

+							*/

+		    cli_dbgmsg("Upack: Can't read raw data of section 0\n");

+		    free(section_hdr);

+		    free(dest);

+		    return CL_EIO;

+		}

+

+		if (upack)

+			memmove(dest + EC32(section_hdr[2].VirtualAddress) - EC32(section_hdr[0].VirtualAddress), dest, ssize);

+

+		lseek(desc, EC32(section_hdr[1].PointerToRawData), SEEK_SET);

+

+		if(read(desc, dest+EC32(section_hdr[1].VirtualAddress) - off, EC32(section_hdr[1].SizeOfRawData)) != EC32(section_hdr[1].SizeOfRawData)) {

+		    cli_dbgmsg("Upack: Can't read raw data of section 1\n");

+		    free(section_hdr);

+		    free(dest);

+		    return CL_EIO;

+		}

+

+		if(!(tempfile = cli_gentemp(NULL)))

+		    return CL_EMEM;

+

+		if((file = open(tempfile, O_RDWR|O_CREAT|O_TRUNC, S_IRWXU)) < 0) {

+		    cli_dbgmsg("Upack: Can't create file %s\n", tempfile);

+		    free(tempfile);

+		    free(section_hdr);

+		    free(dest);

+		    return CL_EIO;

+		}

+

+		switch (unupack(upack, dest, dsize, buff, vma, ep, EC32(optional_hdr32.ImageBase), EC32(section_hdr[0].VirtualAddress), file))

+		{

+			case 1: /* Everything OK */

+				cli_dbgmsg("Upack: Unpacked and rebuilt executable saved in %s\n", tempfile);

+				free(dest);

+				fsync(file);

+				lseek(file, 0, SEEK_SET);

+

+				cli_dbgmsg("***** Scanning rebuilt PE file *****\n");

+				if(cli_magic_scandesc(file, ctx) == CL_VIRUS) {

+					free(section_hdr);

+					close(file);

+					if(!cli_leavetemps_flag)

+						unlink(tempfile);

+					free(tempfile);

+					return CL_VIRUS;

+				}

+

+				close(file);

+				if(!cli_leavetemps_flag)

+					unlink(tempfile);

+				free(tempfile);

+				free(section_hdr);

+				return CL_CLEAN;

+

+			default: /* Everything gone wrong */

+				cli_dbgmsg("Upack: Unpacking failed\n");

+				close(file);

+				unlink(tempfile); /* It's empty anyway */

+				free(tempfile);

+				free(dest);

+				break;

+		}

+	}

+skip_upack_and_go_to_next_unpacker:

+#endif

+

 	if((DCONF & PE_CONF_FSG) && buff[0] == '\x87' && buff[1] == '\x25') {

 	    /* FSG v2.0 support - thanks to aCaB ! */

new file mode 100644

@@ -0,0 +1,676 @@

+/*

+ *  Copyright (C) 2006 Michal 'GiM' Spadlinski http://gim.org.pl/

+ *

+ *  This program is free software; you can redistribute it and/or modify

+ *  it under the terms of the GNU General Public License as published by

+ *  the Free Software Foundation; either version 2 of the License, or

+ *  (at your option) any later version.

+ *

+ *  This program is distributed in the hope that it will be useful,

+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of

+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ *  GNU General Public License for more details.

+ *

+ *  You should have received a copy of the GNU General Public License

+ *  along with this program; if not, write to the Free Software

+ *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,

+ *  MA 02110-1301, USA.

+ */

+

+/*

+ * upack.c

+ *

+ *

+ */

+

+#if HAVE_CONFIG_H

+#include "clamav-config.h"

+#endif

+

+#ifdef CL_EXPERIMENTAL

+#include <stdio.h>

+#include <stdlib.h>

+#include <sys/types.h>

+#include <sys/stat.h>

+#include <unistd.h>

+#include <string.h>

+

+#include "cltypes.h"

+#include "pe.h"

+#include "rebuildpe.h"

+#include "others.h"

+#include "mew.h"

+

+#define EC32(x) le32_to_host(x) /* Convert little endian to host */

+#define CE32(x) be32_to_host(x) /* Convert big endian to host */

+

+int unupack399(char *, uint32_t, uint32_t, char *, uint32_t, char *, char *, uint32_t, char *);

+

+enum { UPACK_399, UPACK_11_12, UPACK_0151477, UPACK_0297729 };

+

+int unupack(int upack, char *dest, uint32_t dsize, char *buff, uint32_t vma, uint32_t ep, uint32_t base, uint32_t va, int file)

+{

+	int j, searchval;

+	char *loc_esi, *loc_edi, *loc_ebx, *end_edi, *save_edi, *rpeb, *alvalue;

+	char *paddr, *pushed_esi, *save2;

+	uint32_t save1, save3, loc_ecx, count, shlsize, original_ep, ret, loc_ebx_u;

+	struct cli_exe_section section;

+	int upack_version = UPACK_399;

+

+	/* buff [168 bytes] doesn't have to be checked, since it was checked in pe.c */

+	if (upack)

+	{

+		uint32_t aljump, shroff, lngjmpoff;

+

+		/* dummy characteristics ;/ */

+		if (buff[5] == '\xff' && buff[6] == '\x36')

+			upack_version = UPACK_0297729;

+		loc_esi = dest + (cli_readint32(buff + 1) -  vma);

+

+		if (!CLI_ISCONTAINED(dest, dsize, loc_esi, 12))

+			return -1;

+		original_ep = cli_readint32(loc_esi);

+		loc_esi += 4;

+		/*cli_readint32(loc_esi);*/

+		loc_esi += 4;

+

+		original_ep -= vma;

+		cli_dbgmsg("Upack: EP: %08x original:  %08X || %08x\n", ep, original_ep, cli_readint32(loc_esi-8));

+

+		if (upack_version == UPACK_399)

+		{

+			/* jmp 1 */

+			loc_edi = dest + (cli_readint32(loc_esi) -  vma);

+			if (!CLI_ISCONTAINED(dest, dsize, dest+ep+0xa, 2) || dest[ep+0xa] != '\xeb')

+				return -1;

+			loc_esi = dest + *(dest + ep + 0xb) + ep + 0xc;

+

+			/* use this as a temp var */

+			/* jmp 2 + 0xa */

+			alvalue = loc_esi+0x1a;

+			if (!CLI_ISCONTAINED(dest, dsize, alvalue, 2) || *alvalue != '\xeb')

+				return -1;

+			alvalue++;

+			alvalue += (*alvalue&0xff) + 1 + 0xa;

+			lngjmpoff = 8;

+		} else {

+			if (!CLI_ISCONTAINED(dest, dsize, dest+ep+7, 5) || dest[ep+7] != '\xe9')

+				return -1;

+			loc_esi = dest + cli_readint32(dest + ep + 8) + ep + 0xc;

+			alvalue = loc_esi + 0x25;

+			lngjmpoff = 10;

+		}

+

+		if (!CLI_ISCONTAINED(dest, dsize, alvalue, 2) || *alvalue != '\xb5')

+			return -1;

+		alvalue++;

+		count = *alvalue&0xff;

+

+		if (!CLI_ISCONTAINED(dest, dsize, alvalue, lngjmpoff+5) || *(alvalue+lngjmpoff) != '\xe9')

+			return -1;

+		/* use this as a temp to make a long jmp to head of unpacking proc */

+		shlsize = cli_readint32(alvalue + lngjmpoff+1);

+		/* upack_399 + upack_0151477 */

+		if (upack_version == UPACK_399)

+			shlsize = shlsize + (loc_esi - dest) + *(loc_esi+0x1b) + 0x1c + 0x018; /* read checked above */

+		else

+			/* there is no additional jump in upack_0297729 */

+			shlsize = shlsize + (loc_esi - dest) + 0x035;

+		/* do the jump, 43 - point to jecxz */

+		alvalue = dest+shlsize+43;

+

+		/* 0.39 */

+		aljump = 8;

+		shroff = 24;

+		if (!CLI_ISCONTAINED(dest, dsize, alvalue-1, 2) || *(alvalue-1) != '\xe3')

+		{

+			/* in upack_0297729 and upack_0151477 jecxz is at offset: 46 */

+			alvalue = dest+shlsize+46;

+			if (!CLI_ISCONTAINED(dest, dsize, alvalue-1, 2) || *(alvalue-1) != '\xe3')

+				return -1;

+			else {

+				if (upack_version != UPACK_0297729)

+					upack_version = UPACK_0151477;

+				aljump = 7;

+				shroff = 26;

+			}

+			

+		}

+		/* do jecxz */

+		alvalue += (*alvalue&0xff) + 1;

+		/* is there a long jump ? */

+		if (!CLI_ISCONTAINED(dest, dsize, alvalue, aljump+5) || *(alvalue+aljump) != '\xe9')

+			return -1;

+		/* do jmp, 1+4 - size of jmp instruction, aljump - instruction offset, 27 offset to cmp al,xx*/

+		ret = cli_readint32(alvalue+aljump+1);

+		alvalue += ret + aljump+1+4 + 27;

+		if (upack_version == UPACK_0297729)

+			alvalue += 2;

+		/* shr ebp */

+		if (!CLI_ISCONTAINED(dest, dsize, dest+shlsize+shroff, 3) || *(dest+shlsize+shroff) != '\xc1' || *(dest+shlsize+shroff+1) != '\xed')

+			return -1;

+		shlsize = (*(dest + shlsize + shroff+2))&0xff;

+		count *= 0x100;

+		if (shlsize < 2 || shlsize > 8)

+		{

+			cli_dbgmsg ("Upack: context bits out of bounds\n");

+			return -1;

+		}

+		cli_dbgmsg("Upack: Context Bits parameter used with lzma: %02x, %02x\n", shlsize, count);

+		/* check if loc_esi + .. == 0xbe -> mov esi */

+		/* upack_0297729 has mov esi, .. + mov edi, .., in upack_0151477 and upack_399 EDI has been already set before */

+		if (upack_version == UPACK_0297729)

+		{

+			if (!CLI_ISCONTAINED(dest, dsize, loc_esi+6, 10) || *(loc_esi+6) != '\xbe' || *(loc_esi+11) != '\xbf')

+				return -1;

+			if (cli_readint32(loc_esi + 7) < base || cli_readint32(loc_esi+7) > vma)

+				return -1;

+			loc_edi = dest + (cli_readint32(loc_esi + 12) - vma);

+			loc_esi = dest + (cli_readint32(loc_esi + 7) - base);

+		} else {

+			if (!CLI_ISCONTAINED(dest, dsize, loc_esi+7, 5) || *(loc_esi+7) != '\xbe')

+				return -1;

+			loc_esi = dest + (cli_readint32(loc_esi + 8) - vma);

+		}

+

+		if (upack_version == UPACK_0297729)

+		{

+			/* 0x16*4=0x58, 6longs*4 = 24, 0x64-last loc_esi read location */

+			if (!CLI_ISCONTAINED(dest, dsize, loc_edi, (0x58 + 24 + 4*count)) || !CLI_ISCONTAINED(dest, dsize, loc_esi, (0x58 + 0x64 + 4)))

+				return -1;

+

+			/* XXX I don't know if this [0x16] is constant number, not enough samples provided */

+			for (j=0; j<0x16; j++, loc_esi+=4, loc_edi+=4)

+				cli_writeint32(loc_edi, cli_readint32(loc_esi)); 

+		} else {

+			/* 0x27*4=0x9c, 6longs*4 = 24, 0x34-last loc_esi read location */

+			if (!CLI_ISCONTAINED(dest, dsize, loc_edi, (0x9c + 24 + 4*count)) || !CLI_ISCONTAINED(dest, dsize, loc_esi, (0x9c + 0x34 + 4)))

+				return -1;

+			for (j=0; j<0x27; j++, loc_esi+=4, loc_edi+=4)

+				cli_writeint32(loc_edi, cli_readint32(loc_esi)); 

+		}

+		save3 = cli_readint32(loc_esi + 4);

+		paddr = dest + ((uint32_t)cli_readint32(loc_edi - 4)) - vma;

+		loc_ebx = loc_edi;

+		cli_writeint32(loc_edi, 0xffffffff);

+		loc_edi+=4;

+		cli_writeint32(loc_edi, 0);

+		loc_edi+=4;

+		for (j=0; j<4; j++, loc_edi+=4)

+		    cli_writeint32(loc_edi, (1));

+

+		for (j=0; j<count; j++, loc_edi+=4)

+		    cli_writeint32(loc_edi, 0x400);

+		

+		loc_edi = dest + cli_readint32(loc_esi + 0xc) - vma;

+		if (upack_version == UPACK_0297729)

+			loc_edi = dest+vma-base; /* XXX not enough samples provided to be sure of it! */

+

+		pushed_esi = loc_edi;

+		end_edi = dest + cli_readint32(loc_esi + 0x34) - vma;

+		if (upack_version == UPACK_0297729)

+		{

+			end_edi = dest + cli_readint32(loc_esi + 0x64) - vma;

+			save3 = cli_readint32(loc_esi + 0x40);

+		}

+		/* begin end */

+		cli_dbgmsg("data initialized, before upack lzma call!\n");

+		if ((ret = unupack399(dest, dsize, 0, loc_ebx, 0, loc_edi, end_edi, shlsize, paddr)) == -1)

+			return -1;

+	/* alternative begin */

+	} else {

+		int ep_jmp_offs, rep_stosd_count_offs, context_bits_offs;

+		loc_esi = dest + vma + ep;

+		/* yet another dummy characteristics ;/ */

+		if (buff[0] == '\xbe' && buff[5] == '\xad' && buff[6] == '\x8b' && buff[7] == '\xf8')

+			upack_version = UPACK_11_12;

+

+		if (upack_version == UPACK_11_12)

+		{

+			ep_jmp_offs = 0x1a4;

+			rep_stosd_count_offs = 0x1b;

+			context_bits_offs = 0x41;

+			alvalue = loc_esi + 0x184;

+		} else {

+			ep_jmp_offs = 0x217;

+			rep_stosd_count_offs = 0x3a;

+			context_bits_offs = 0x5f;

+			alvalue = loc_esi + 0x1c1;

+		}

+

+		if (!CLI_ISCONTAINED(dest, dsize, loc_esi, ep_jmp_offs+4))

+			return -1;

+		save1 = cli_readint32(loc_esi + ep_jmp_offs);

+		original_ep = (loc_esi - dest) + ep_jmp_offs + 4;

+		original_ep += (int32_t)save1;

+		cli_dbgmsg("Upack: EP: %08x original %08x\n", ep, original_ep);

+

+		/* this are really ugly hacks,

+		 * rep_stosd_count_offs & context_bits_offs are < ep_jmp_offs,

+		 * so checked in CLI_ISCONTAINED above */

+		count = (*(loc_esi + rep_stosd_count_offs))&0xff;

+		shlsize = (*(loc_esi + context_bits_offs))&0xff;

+		shlsize = 8 - shlsize;

+		if (shlsize < 2 || shlsize > 8)

+		{

+			cli_dbgmsg ("Upack: context bits out of bounds\n");

+			return -1;

+		}

+		count *= 0x100;

+		cli_dbgmsg("Upack: Context Bits parameter used with lzma: %02x, %02x\n", shlsize, count);

+		if (upack_version == UPACK_399)

+		{

+			loc_esi += 4;

+			loc_ecx = cli_readint32(loc_esi+2);

+			cli_writeint32(loc_esi+2,0);

+			if (!loc_ecx)

+			{

+				cli_dbgmsg("Upack: something's wrong, report back\n");

+				return -1;/* XXX XXX XXX XXX */

+			}

+			loc_esi -= (loc_ecx - 2);

+			if (!CLI_ISCONTAINED(dest, dsize, loc_esi, 12))

+				return -1;

+

+			cli_dbgmsg("%08x %08x %08x %08x\n", loc_esi, dest, cli_readint32(loc_esi), base);

+			loc_ebx_u = loc_esi - (dest + cli_readint32(loc_esi) - base);

+			cli_dbgmsg("EBX: %08x\n", loc_ebx_u);

+			loc_esi += 4;

+			save2 = loc_edi = dest + cli_readint32(loc_esi) - base;

+			cli_dbgmsg("DEST: %08x, %08x\n", cli_readint32(loc_esi), cli_readint32(loc_esi) - base);

+			loc_esi += 4;

+			/* 2vGiM: j is signed. Is that really what you want? Will it cause problems with the following checks?

+			 * yes! this is wrong! how did you notice that?!

+			 */

+			j = cli_readint32(loc_esi);

+			if (j<0)

+			{

+				cli_dbgmsg("Upack: probably hand-crafted data, report back\n");

+				return -1;

+			}

+			loc_esi += 4;

+			cli_dbgmsg("ecx counter: %08x\n", j);

+

+			if (!CLI_ISCONTAINED(dest, dsize, loc_esi, (j*4)) || !CLI_ISCONTAINED(dest, dsize, loc_edi, ((j+count)*4)))

+				return -1;

+			for (;j--; loc_edi+=4, loc_esi+=4)

+				cli_writeint32(loc_edi, cli_readint32(loc_esi));

+			if (!CLI_ISCONTAINED(dest, dsize, save2, 8))

+				return -1;

+			loc_ecx = cli_readint32(save2);

+			save2 += 4;

+			loc_esi = save2;

+			/* I could probably do simple loc_esi+= (0xe<<2),

+			 *  but I'm not sure if there is always 0xe and is always ebx =0

+			 */

+			do {

+				loc_esi += loc_ebx_u;

+				loc_esi += 4;

+			} while (--loc_ecx);

+			if (!CLI_ISCONTAINED(dest, dsize, loc_esi, 4))

+				return -1;

+			save1 = cli_readint32(loc_esi); /* loc_eax = 0x400 */

+			loc_esi += 4;

+

+			for (j=0; j<count; j++, loc_edi+=4) /* checked above */

+				cli_writeint32(loc_edi, (save1));

+

+			if (!CLI_ISCONTAINED(dest, dsize, (loc_esi+0x10), 4))

+				return -1;

+			cli_writeint32(loc_esi+0x10, (uint32_t)cli_readint32(loc_esi+0x10)+loc_ebx_u);

+			loc_ebx = loc_esi+0x14;

+			loc_esi = save2;

+			/* loc_ebx_u gets saved */

+			/* checked above, (...save2, 8) */

+			save_edi = loc_edi = dest + ((uint32_t)cli_readint32(loc_esi) - base);

+			loc_esi +=4;

+			cli_dbgmsg("before_fixing\n");

+			/* fix values */

+			if (!CLI_ISCONTAINED(dest, dsize, loc_ebx-4, (12 + 4*4)) || !CLI_ISCONTAINED(dest, dsize, loc_esi+0x24, 4) || !CLI_ISCONTAINED(dest, dsize, loc_esi+0x40, 4))

+				return -1;

+			for (j=2; j<6; j++)

+			      cli_writeint32(loc_ebx+(j<<2), cli_readint32(loc_ebx+(j<<2)));

+			paddr = dest + cli_readint32(loc_ebx - 4) - base;

+			save1 = loc_ecx;

+			pushed_esi = loc_edi;

+			end_edi = dest + cli_readint32(loc_esi+0x24) - base;

+			vma = cli_readint32(loc_ebx); cli_writeint32(loc_ebx, cli_readint32(loc_ebx + 4)); cli_writeint32((loc_ebx + 4), vma);

+		/* Upack 1.1/1.2 is something between 0.39 2-section and 0.39 3-section */

+		} else if (upack_version == UPACK_11_12) {

+			cli_dbgmsg("Upack v 1.1/1.2\n");

+			loc_esi = dest + 0x148; /* always constant? */

+			loc_edi = dest + cli_readint32(loc_esi) - base; /* read checked above */

+			loc_esi += 4;

+			save_edi = loc_edi;

+			/* movsd */

+			paddr = dest + ((uint32_t)cli_readint32(loc_esi)) - base;

+			loc_esi += 4;

+			loc_edi += 4;

+			loc_ebx = loc_edi;

+		

+			if (!CLI_ISCONTAINED(dest, dsize, loc_edi, ((6+count)*4)))

+				return -1;

+			cli_writeint32(loc_edi, 0xffffffff);

+			loc_edi += 4;

+			cli_writeint32(loc_edi, 0);

+			loc_edi += 4;

+			for (j=0; j<4; j++, loc_edi+=4)

+				cli_writeint32(loc_edi, (1));

+

+			for (j=0; j<count; j++, loc_edi+=4)

+				cli_writeint32(loc_edi, 0x400);

+			

+			loc_edi = dest + cli_readint32(loc_esi) - base; /* read checked above */

+			pushed_esi = loc_edi;

+			loc_esi += 4;

+			loc_ecx = 0;

+

+			loc_esi += 4;

+

+			end_edi = dest + cli_readint32(loc_esi-0x28) - base; /* read checked above */

+			loc_esi = save_edi;

+		}

+		cli_dbgmsg("data initialized, before upack lzma call!\n");

+		if ((ret = unupack399(dest, dsize, loc_ecx, loc_ebx, loc_ecx, loc_edi, end_edi, shlsize, paddr)) == -1)

+			return -1;

+		if (upack_version == UPACK_399)

+			save3 = cli_readint32(loc_esi + 0x40);

+		else if (upack_version == UPACK_11_12)

+			save3 = cli_readint32(dest + vma + ep + 0x174);

+	}

+

+	/* let's fix calls */

+	loc_ecx = 0;

+	searchval = *alvalue&0xff;

+	cli_dbgmsg("Upack: loops: %08x search value: %02x\n", save3, searchval);

+	while(save3) {

+		if (!CLI_ISCONTAINED(dest, dsize, pushed_esi + loc_ecx, 1))

+		{

+			cli_dbgmsg("callfixerr %08x %08x = %08x, %08x\n", dest, dsize, dest+dsize, pushed_esi+loc_ecx);

+			return -1;

+		}

+		if (pushed_esi[loc_ecx] == '\xe8' || pushed_esi[loc_ecx] == '\xe9')

+		{

+			char *adr = (pushed_esi + loc_ecx + 1);

+			loc_ecx++;

+			if (!CLI_ISCONTAINED(dest, dsize, adr, 4))

+			{

+				cli_dbgmsg("callfixerr\n");

+				return -1;

+			}

+			if ((cli_readint32(adr)&0xff) != searchval)

+				continue;

+			cli_writeint32(adr, EC32(CE32((uint32_t)(cli_readint32(adr)&0xffffff00)))-loc_ecx-4);

+			loc_ecx += 4;

+			save3--;

+		} else 

+			loc_ecx++;

+	}

+

+	section.raw = 0;

+	section.rva = va;

+	section.rsz = end_edi-loc_edi;

+	section.vsz = end_edi-loc_edi;

+

+	if (!cli_rebuildpe(dest + (upack?0:va), &section, 1, base, original_ep, 0, 0, file)) {

+		cli_dbgmsg("Upack: Rebuilding failed\n");

+		return 0;

+	}

+	return 1;

+}

+

+

+int unupack399(char *bs, uint32_t bl, uint32_t init_eax, char *init_ebx, uint32_t init_ecx, char *init_edi, char *end_edi, uint32_t shlsize, char *paddr)

+{

+	struct lzmastate p;

+	uint32_t loc_eax, ret, loc_al, loc_ecx = init_ecx, loc_ebp, eax_copy = init_eax, temp, i, jakas_kopia;

+	uint32_t state[6], temp_ebp;

+	char *loc_edx, *loc_ebx = init_ebx, *loc_edi = init_edi, *loc_ebp8, *edi_copy;

+	p.p0 = paddr;

+	p.p1 = cli_readint32(init_ebx);

+	p.p2 = cli_readint32(init_ebx + 4);

+

+	cli_dbgmsg("\n\tp0: %08x\n\tp1: %08x\n\tp2: %08x\n", p.p0, p.p1, p.p2);

+	for (i = 0; i<6; i++)

+		state[i] = cli_readint32(loc_ebx + (i<<2)),

+		cli_dbgmsg("state[%d] = %08x\n", i, state[i]);

+	do {

+		loc_eax = eax_copy;

+		loc_edx = loc_ebx + (loc_eax<<2) + 0x58;

+

+		if ((ret = lzma_upack_esi_00(&p, loc_edx, bs, bl)))

+		{

+			/* loc_483927 */

+			loc_al = loc_eax&0xff;

+			loc_al = ((loc_al + 0xf9) > 0xff)?(3+8):8;

+			loc_eax = (loc_eax&0xffffff00)|(loc_al&0xff);

+			loc_ebp = state[2];

+			loc_ecx = (loc_ecx&0xffffff00)|0x30;

+			loc_edx += loc_ecx;

+			/* *(uint32_t *)(loc_ebx + 14) = loc_ebp; ???? */

+			if (!(ret = lzma_upack_esi_00(&p, loc_edx, bs, bl))) {

+				/* loc_48397c */

+				loc_eax--;

+				/*

+				temp_ebp = loc_ebp; loc_ebp = cli_readint32(loc_ebx+0x0c); cli_writeint32(loc_ebx+0x0c, temp_ebp);

+				temp_ebp = loc_ebp; loc_ebp = cli_readint32(loc_ebx+0x10); cli_writeint32(loc_ebx+0x10, temp_ebp);

+				*/

+				temp_ebp = loc_ebp;

+				loc_ebp = state[4];

+				state[4] = state[3];

+				state[3] = temp_ebp;

+				eax_copy = loc_eax;

+				loc_edx = loc_ebx + 0xbc0;

+				state[5] = loc_ebp;

+				if (lzma_upack_esi_54(&p, loc_eax, &loc_ecx, &loc_edx, &temp, bs, bl) == -1)

+					return -1;

+				loc_ecx = 3;

+				jakas_kopia = temp;

+				loc_eax = temp-1;

+				if (loc_eax >= loc_ecx)

+					loc_eax = loc_ecx;

+				loc_ecx = 0x40;

+				loc_eax <<= 6; /* ecx=0x40, mul cl */

+				loc_ebp8 = loc_ebx + ((loc_eax<<2) + 0x378);

+				if (lzma_upack_esi_50(&p, 1, loc_ecx, &loc_edx, loc_ebp8, &loc_eax, bs, bl) == -1)

+					return -1;

+				loc_ebp = loc_eax;

+				if ((loc_eax&0xff) >= 4)

+				{

+					/* loc_4839af */

+					loc_ebp = 2 + (loc_eax&1);

+					loc_eax >>= 1;

+					loc_eax--;

+					temp_ebp = loc_eax; loc_eax = loc_ecx; loc_ecx = temp_ebp;

+					loc_ebp <<= (loc_ecx&0xff);

+					loc_edx = loc_ebx + (loc_ebp<<2) + 0x178;

+					if ((loc_ecx&0xff) > 5)

+					{

+						/* loc_4839c6 */

+						loc_ecx = (loc_ecx&0xffffff00)|(((loc_ecx&0xff)-4)&0xff);

+						loc_eax = 0;

+						do {

+							uint32_t temp_edx;

+							/* compare with lzma_upack_esi_00 */

+							/* do not put in one statment because of difference in signedness */

+							if (!CLI_ISCONTAINED(bs, bl, p.p0, 4))

+								return -1;

+							temp_edx = cli_readint32((char *)p.p0);

+							temp_edx = EC32(CE32(temp_edx));

+							p.p1 >>= 1;

+							temp_edx -= p.p2;

+							loc_eax <<= 1;

+							if (temp_edx >= p.p1)

+							{

+								temp_edx = p.p1;

+								loc_eax++;

+								p.p2 += temp_edx;

+							}

+							if(((p.p1)&0xff000000) == 0)

+							{

+								p.p2 <<= 8;

+								p.p1 <<= 8;

+								p.p0++;

+							}

+						} while (--loc_ecx);

+						/* loc_4839e8 */

+						loc_ecx = (loc_ecx&0xffffff00)|4;

+						loc_eax <<= 4;

+						loc_ebp += loc_eax;

+						loc_edx = loc_ebx + 0x18;

+					}

+					/* loc4839f1 */

+					loc_eax = 1;

+					loc_eax <<= (loc_ecx&0xff);

+					loc_ebp8 = loc_edx;

+					temp_ebp = loc_ecx; loc_ecx = loc_eax; loc_eax = temp_ebp;

+					if (lzma_upack_esi_50(&p, 1, loc_ecx, &loc_edx, loc_ebp8, &loc_eax, bs, bl) == -1)

+						return -1;

+					/* cdq, loc_edx = (loc_eax&0x80000000)?0xffffffff:0; */

+					loc_ecx = temp_ebp;

+					temp_ebp = (int32_t)loc_eax >> 31; /* thx, desp */

+					/* loc_483a00 */

+					do {

+						temp_ebp += temp_ebp;

+						temp_ebp += (loc_eax&1);

+						loc_eax >>= 1;

+					} while (--loc_ecx);

+					loc_ebp += temp_ebp;

+					/* loc_483a06 */

+				}

+				/* loc_483a09 */

+				loc_ebp++;

+				loc_ecx = jakas_kopia;

+			} else {

+				/* loc_48393a */

+				loc_edx += loc_ecx;

+				if ((ret = lzma_upack_esi_00(&p, loc_edx, bs, bl))) {

+					/* loc_483954 */

+					loc_edx += 0x60;

+					if ((ret = lzma_upack_esi_00(&p, loc_edx, bs, bl))) {

+						/* loc_48395e */

+						loc_edx += loc_ecx;

+						ret = lzma_upack_esi_00(&p, loc_edx, bs, bl);

+						temp_ebp = loc_ebp;

+						loc_ebp = state[4];

+						state[4] = state[3];

+						state[3] = temp_ebp;

+						if (ret)

+						{

+							temp_ebp = loc_ebp; loc_ebp = state[5]; state[5] = temp_ebp;

+						}

+					} else {

+						temp_ebp = loc_ebp; loc_ebp = state[3]; state[3] = temp_ebp;

+					}

+				} else {

+					/* loc_483940 */

+					loc_edx += loc_ecx;

+					if ((ret = lzma_upack_esi_00(&p, loc_edx, bs, bl))) {

+					} else {

+						/* loc_483946 */

+						loc_eax |= 1;

+						eax_copy = loc_eax;

+						edi_copy = loc_edi;

+						edi_copy -= state[2];

+						loc_ecx = (loc_ecx&0xffffff00)|0x80;

+						if (!CLI_ISCONTAINED(bs, bl, edi_copy, 1) || !CLI_ISCONTAINED(bs, bl, loc_edi, 1))

+							return -1;

+						loc_al = (*(uint8_t *)edi_copy)&0xff;

+						/* loc_483922 */

+						/* ok jmp to 483a19 */

+						/* loc_483a19 */

+						*loc_edi++ = loc_al;

+						continue;

+					}

+				}

+				/* loc_48396a */

+				eax_copy = loc_eax;

+				loc_edx = loc_ebx + 0x778;

+				if (lzma_upack_esi_54(&p, loc_eax, &loc_ecx, &loc_edx, &temp, bs, bl) == -1)

+					return -1;

+				loc_eax = loc_ecx;

+				loc_ecx = temp;

+			}

+			/* loc_483a0b */

+			if (!CLI_ISCONTAINED(bs, bl, loc_edi, loc_ecx) || !CLI_ISCONTAINED(bs, bl, loc_edi-loc_ebp, loc_ecx+1))

+				return -1;

+			state[2] = loc_ebp;