pedump 0.4.0 → 0.5.0

data/lib/pedump/security.rb

@@ -0,0 +1,58 @@
+class PEdump
+  def security f=@io
+    return nil unless pe(f) && pe(f).ioh && f
+    dir = @pe.ioh.DataDirectory[IMAGE_DATA_DIRECTORY::SECURITY]
+    return nil if !dir || dir.va == 0
+
+    # IMAGE_DIRECTORY_ENTRY_SECURITY
+    # Points to a list of WIN_CERTIFICATE structures, defined in WinTrust.H.
+    # Not mapped into memory as part of the image.
+    # Therefore, the VirtualAddress field is a file offset, rather than an RVA.
+    #
+    # http://msdn.microsoft.com/en-us/magazine/bb985997.aspx
+
+    f.seek dir.va
+    r = []
+    ofs = f.tell
+    while !f.eof? && (f.tell-ofs < dir.size)
+      r << WIN_CERTIFICATE.read(f)
+    end
+    r
+  end
+  alias :signature :security
+
+  # WIN_CERT_TYPE_X509             (0x0001) bCertificate contains an X.509 certificate.
+  # WIN_CERT_TYPE_PKCS_SIGNED_DATA (0x0002) bCertificate contains a PKCS SignedData structure.
+  # WIN_CERT_TYPE_RESERVED_1       (0x0003) Reserved.
+  # WIN_CERT_TYPE_PKCS1_SIGN       (0x0009) bCertificate contains PKCS1_MODULE_SIGN fields.
+
+  # http://msdn.microsoft.com/en-us/library/aa447037.aspx
+  class WIN_CERTIFICATE < IOStruct.new 'Vvv',
+    :dwLength,
+    :wRevision,
+    :wCertificateType,
+    # manual
+    :data
+
+    def self.read f
+      super.tap do |x|
+        if x.dwLength.to_i < 8
+          PEdump.logger.error "[!] #{x.class}: too small length #{x.dwLength}"
+        elsif x.dwLength.to_i > 0x100_000
+          PEdump.logger.error "[!] #{x.class}: too big length #{x.dwLength}"
+        else
+          x.data = f.read(x.dwLength - 8)
+          begin
+            case x.wCertificateType
+            when 2
+              require 'openssl'
+              x.data = OpenSSL::PKCS7.new(x.data)
+            end
+          rescue
+            PEdump.logger.error "[!] #{$!}"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/pedump/sig_parser.rb

@@ -6,9 +6,14 @@ class PEdump
     TEXT_SIGS_FILES = [
       File.join(DATA_ROOT, "data", "userdb.txt"),
       File.join(DATA_ROOT, "data", "signatures.txt"),
-      File.join(DATA_ROOT, "data", "fs.txt")
+      File.join(DATA_ROOT, "data", "jc-userdb.txt"),
+      File.join(DATA_ROOT, "data", "fs.txt"),         # has special parse options!
     ]
 
+    SPECIAL_PARSE_OPTIONS = {
+      File.join(DATA_ROOT, "data", "fs.txt") => {:fix1 => true}
+    }
+
     class OrBlock < Array; end
 
     class << self
@@ -19,19 +24,20 @@ class PEdump
         sigs = {}; sig = nil
 
         args[:fnames].each do |fname|
-          n0 = sigs.size
+          n0 = sigs.size; add_sig_args = args.dup
+          add_sig_args.merge!(SPECIAL_PARSE_OPTIONS[fname] || {})
           File.open(fname,'r:utf-8') do |f|
             while line = f.gets
               case line.strip
               when /^[<;#]/, /^$/ # comments & blank lines
                 next
               when /^\[(.+)=(.+)\]$/
-                _add_sig(sigs, Packer.new($1, $2, true), args )
-              when /^\[([^=]+)\]$/
+                _add_sig(sigs, Packer.new($1, $2, true), add_sig_args )
+              when /^\[([^=]+)\](\s+\/\/.+)?$/
                 sig = Packer.new($1)
               when /^signature = (.+)$/
                 sig.re = $1
-                _add_sig(sigs, sig, args)
+                _add_sig(sigs, sig, add_sig_args)
               when /^ep_only = (.+)$/
                 sig.ep_only = ($1.strip.downcase == 'true')
               else raise line
@@ -61,7 +67,13 @@ class PEdump
               when /\A[a-f0-9]{2}\Z/i
                 x = x.to_i(16).chr
                 bins[sig] << x
-                args[:raw] ? x : Regexp::escape(x)
+                if args[:raw]
+                  x
+                elsif args[:raword]
+                  x.ord
+                else
+                  Regexp::escape(x)
+                end
               else
                 puts "[?] unknown re element: #{x.inspect} in #{sig.inspect}" if args[:verbose]
                 "BAD_RE"
@@ -72,10 +84,10 @@ class PEdump
             a = sig.name.split(/-+>/,2).map(&:strip)
             sig.name = "#{a[0]} (#{a[1]})"
           end
-          sig.re.pop while sig.re.last == '??'
+          sig.re.pop while sig.re && sig.re.last == '??'
         end
         sigs.delete_if{ |sig| !sig.re || sig.re.index('BAD_RE') }
-        return sigs if args[:raw]
+        return sigs if args[:raw] || args[:raword]
 
 #        require 'awesome_print'
 #        bins.each do |bin_sig, bin|
@@ -125,6 +137,9 @@ class PEdump
         # bad sigs
         return if sig.re[/\A538BD833C0A30:::::/]
         return if sig.name == "Name of the Packer v1.0"
+        return if sig.name == "Alias PIX/Vivid IMG Graphics format"
+        return if sig.name == "JAR Archive"
+        return if sig.name == "Turbo / Borland Pascal v7.x Unit"
         return if sig.re == "54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F" # dos stub
 
         sig.name.sub!(/^\*\s+/,    '')
@@ -135,10 +150,47 @@ class PEdump
         sig.name.sub! 'RLP ','RLPack '
         sig.name.sub! '.beta', ' beta'
         sig.name.sub! '(com)','[com]'
+        sig.name.gsub!(/ V(\d)/, " v\\1") # V1.1 -> v1.1
         sig.name = sig.name.split(/\s*-+>\s*/).join(' -> ') # fix spaces around '->'
+        sig.name = sig.name.split(' ').delete_if do |x|
+          # delete words: vX.X, v?.?, ?.?, x.x
+          x =~ /\Av?[?x]\.[?x]\Z/i
+        end.join(' ')
 
         sig.re = sig.re.strip.upcase.tr(':','?')
         sig.re = sig.re.scan(/../).join(' ') if sig.re.split.first.size > 2
+
+        # sig contains entirely zeroes or masks or only both
+        a_bad = [%w'00', %w'??', %w'00 ??', %w'90', %w'90 ??']
+        # ?a, 0? => ??, ??
+        a_cur = sig.re.split.map{ |x| x['?'] ? '??' : x }.uniq.sort
+        return if a_bad.include?(a_cur)
+
+        # first byte is unique and all others are zeroes or masks
+        a_cur = sig.re.split[1..-1].map{ |x| x['?'] ? '??' : x }.uniq.sort
+        return if a_bad.include?(a_cur)
+
+        # too short signatures
+        if sig.re.split.delete_if{ |x| x['?'] }.size < 3
+          require 'awesome_print'
+          puts sig.inspect.red
+        end
+
+        # fs.txt contains a lot of signatures that copied from other sources
+        # BUT have all 01 replaced with '??'
+        # // replaced the file with filtered one (see 'fs-good' below) // zzz
+        if args[:fix1]
+          sigs.keys.each do |re|
+            if re.gsub("01","??") == sig.re
+              puts "[.] fix1: rejecting #{sig.name} - already present with 01 in place" if args[:verbose]
+              return
+            end
+          end
+#          File.open("fs-good.txt","a") do |f|
+#            f << "[#{sig.name}=#{sig.re.tr(' ','')}]\n"
+#          end
+        end
+
         if sigs[sig.re]
           a = [sig, sigs[sig.re]].map{ |x| x.name.upcase.split('->').first.tr('V ','') }
           return if a[0][a[1]] || a[1][a[0]]
@@ -161,14 +213,21 @@ class PEdump
         d.map! do |x|
           x - [
             'EXE','[EXE]',
-            'vx.x','v?.?',
             'DLL','(DLL)','[DLL]',
             '[LZMA]','(LZMA)','LZMA',
             '-','~','(pack)','(1)','(2)',
-            '19??'
+            '19??',
+            'with:', 'with?'
           ]
         end
-        return if d.all?(&:empty?) # no different words
+        return if d.all?(&:empty?) # no different words => can keep ANY name
+
+
+#        if name1 =~ /pecompact/i
+#          require 'awesome_print'
+#          puts "[d] #{name1}".yellow
+#          puts "[d] #{name2}".yellow
+#        end
 
         # [["v1.14/v1.20"], ["v1.14,", "v1.20"]]]
         # [["EXEShield", "v0.3b/v0.3", "v0.6"], ["Shield", "v0.3b,", "v0.3"]]]
@@ -182,21 +241,53 @@ class PEdump
           end
         end
 
+#        require 'awesome_print'
+#        puts "[d] #{name1.yellow} #{name2.green}"
+
         a = name1.split
         b = name2.split
+
+        # merge common head
         new_name_head = []
         while a.any? && b.any? && a.first.upcase == b.first.upcase
           new_name_head << a.shift
           b.shift
         end
+
+        # merge common tail
         new_name_tail = []
         while a.any? && b.any? && a.last.upcase == b.last.upcase
           new_name_tail.unshift a.pop
           b.pop
         end
+
+        # rm common words from middle
+        separators = [ "/", "->" ]
+        was = true
+        while was
+          was = false
+          b.each do |bw|
+            next if bw == "/" || bw == "->"
+            if a.include?(bw) || a.include?(bw+")") || a.include?("("+bw) || a.include?("(#{bw})")
+              b -= [bw]
+              was = true
+              break
+            end
+          end
+        end
+        while separators.include?(b.last)
+          b.pop
+        end
+
         new_name = new_name_head
         new_name << [a.join(' '), b.join(' ')].delete_if{|x| x.empty?}.join(' / ')
         new_name += new_name_tail
+#        if name1 =~ /pecompact/i
+#          p a
+#          p b
+#          p new_name_tail
+#        puts "[=] #{new_name.inspect}".red
+#        end
         new_name = new_name.join(' ')
       end
 
@@ -240,14 +331,16 @@ class PEdump
             if rd = _re_diff(sig1.re, sig2.re, max_diff)
               if    rd.all?{ |x| x[0].nil? || x[0] == '.' } && sig2.re.size >= sig1.re.size
                 if new_name = _merge_names(sig2.name, sig1.name)
-                  #pp ["FIRST", sig1.name, sig2.name, new_name, sig1.re.join, sig2.re.join] if new_name
+#                  require 'pp'
+#                  pp ["FIRST", sig1.name, sig2.name, new_name, sig1.re.join, sig2.re.join] if new_name =~ /pecompact/i
                   sig1.name = new_name
                 end
                 sig2.ep_only ||= sig1.ep_only
                 sig2.re = []
               elsif rd.all?{ |x| x[1].nil? || x[1] == '.' } && sig1.re.size >= sig2.re.size
                 if new_name = _merge_names(sig2.name, sig1.name)
-                  #pp ["SECOND", sig1.name, sig2.name, new_name, sig1.re.join, sig2.re.join] if new_name
+#                  require 'pp'
+#                  pp ["SECOND", sig1.name, sig2.name, new_name, sig1.re.join, sig2.re.join] if new_name =~ /pecompact/i
                   sig2.name = new_name
                 end
                 sig1.re = []
@@ -264,26 +357,53 @@ class PEdump
         sigs.delete_if{ |sig| sig.re.empty? }
       end
 
-      def optimize sigs
+      def _name2wordonly name
+        name.downcase.split(/[^a-z0-9_.]+/).join(' ').strip
+      end
+
+      def optimize_names sigs
         # replaces all duplicate names with references to one name
         # saves ~30k out of ~200k mem
         h = {}
+
+        # find shortest names
         sigs.each do |sig|
-          sig.name = (h[sig.name] ||= sig.name)
+          t = _name2wordonly(sig.name)
+          if h[t]
+            # keep shortest name
+            if h[t] != sig.name
+              #print "[d] #{[h[t], sig.name].inspect} -> "
+              h[t] = [h[t], sig.name].sort_by(&:size).first
+              #puts h[t]
+            else
+              # fully identical names
+            end
+          else
+            h[t] = sig.name
+          end
         end
 
-        print "[.] sigs merge: #{sigs.size}"; _optimize(sigs); puts  " -> #{sigs.size}"
+        # assign names back to sigs
+        sigs.each{ |sig| sig.name = h[_name2wordonly(sig.name)] }
+
+        puts "[.] sigs merge: #{h.size} unique names"
+      end
+
+      def optimize sigs
+        optimize_names sigs
+
+        # XXX no optimize from now, prefer more precise sigs
+        #print "[.] sigs merge: #{sigs.size}"; _optimize(sigs); puts  " -> #{sigs.size}"
 
         # try to merge signatures with same name, size & ep_only
-        sigs.group_by{ |sig|
-          [sig.re.size, sig.name, sig.ep_only]
-        }.values.each do |a|
-          next if a.size == 1
-          if merged_re = _merge(a)
-            a.first.re = merged_re
-            a[1..-1].each{ |sig| sig.re = nil }
+        sigs.group_by{ |sig| [sig.re.size, sig.name, sig.ep_only] }.
+          values.each do |a|
+            next if a.size == 1
+            if merged_re = _merge(a)
+              a.first.re = merged_re
+              a[1..-1].each{ |sig| sig.re = nil }
+            end
           end
-        end
         print "[.] sigs merge: #{sigs.size}"; sigs.delete_if{ |x| x.re.nil? }; puts  " -> #{sigs.size}"
 
 
@@ -361,6 +481,7 @@ class PEdump
           end
           prev_eq = eq
         end
+        dstart ||= 0
         r = dstart..dend
         r == (0..(size-1)) ? nil : r
       end

data/lib/pedump/tls.rb

@@ -0,0 +1,17 @@
+class PEdump
+  IMAGE_TLS_DIRECTORY32 = IOStruct.new 'V6',
+    :StartAddressOfRawData,
+    :EndAddressOfRawData,
+    :AddressOfIndex,
+    :AddressOfCallBacks,
+    :SizeOfZeroFill,
+    :Characteristics
+
+  IMAGE_TLS_DIRECTORY64 = IOStruct.new 'Q4V2',
+    :StartAddressOfRawData,
+    :EndAddressOfRawData,
+    :AddressOfIndex,
+    :AddressOfCallBacks,
+    :SizeOfZeroFill,
+    :Characteristics
+end

data/lib/pedump/unpacker.rb

@@ -0,0 +1,26 @@
+require 'pedump'
+require 'pedump/unpacker/aspack'
+require 'pedump/unpacker/upx'
+
+module PEdump::Unpacker
+  class << self
+    def find io
+      if io.is_a?(String)
+        return File.open(io,"rb"){ |f| find(f) }
+      end
+
+      pedump = PEdump.new(io)
+      packer = Array(pedump.packers).first
+      return nil unless packer
+
+      case packer.name
+      when /UPX/
+        UPX
+      when /ASPack/i
+        ASPack
+      else
+        nil
+      end
+    end
+  end
+end

data/lib/pedump/unpacker/aspack.rb

@@ -0,0 +1,858 @@
+#!/usr/bin/env ruby
+# coding: binary
+require 'pedump/loader'
+require 'pedump/cli'
+
+module PEdump::Unpacker; end
+
+class PEdump::Unpacker::ASPack
+
+  def self.unpack src_fname, dst_fname, log = ''
+    File.open(src_fname, "rb") do |f|
+      if ldr = new(f).unpack
+        File.open(dst_fname,"wb"){ |fo| ldr.dump(fo) }
+        return ldr   # looks like 'true'
+      else
+        return false
+      end
+    end
+  end
+
+  ########################################################################
+  attr_accessor :logger
+
+  def initialize io, params = {}
+    params[:logger]     ||= PEdump::Logger.create(params)
+
+    # XXX aspack unpacker code does not distinguish RVA from VA, so set
+    # image base to zero for RVA be equal VA
+    params[:image_base] ||= 0
+
+    @logger = params[:logger]
+    @ldr = PEdump::Loader.new(io, params)
+    @io = io
+
+    @e8e9_mode = @e8e9_cmp = @e8e9_flag = @ebp = nil
+  end
+
+  ########################################################################
+
+  DATA_ROOT = File.dirname(File.dirname(File.dirname(File.dirname(__FILE__))))
+  UNLZX_SRC = File.join(DATA_ROOT, "misc", "aspack", "aspack_unlzx.c")
+  UNLZXes   = [
+    # default path for RVM
+    File.join(DATA_ROOT, "misc", "aspack", "aspack_unlzx"),
+    # XXX path for normal linux installs
+    File.expand_path("~/.pedump_unlzx")
+  ]
+
+  ########################################################################
+
+  def self.code2re code
+    idx = -1
+    was_any = false
+    Regexp.new(
+      code.strip.
+      split("\n").map{|line| line.strip.split('    ',2).first}.join("\n").
+      gsub(/\.{2,}/){ |x| x.split('').join(' ') }.
+      split.map do |x|
+        idx += 1
+        case x
+        when /\A[a-f0-9]{2}\Z/i
+          x = x.to_i(16)
+          if block_given?
+            x = yield(x,idx)
+            if x == :any
+              was_any = true
+              '.'
+            else
+              Regexp.escape(x.chr)
+            end
+          else
+            Regexp.escape(x.chr)
+          end
+        else
+          if was_any && (x.count('.') > 1 || x[/[+*?{}]/])
+            raise "[!] cannot use :any with more-than-1-char-long #{x.inspect}"
+          end
+          x
+        end
+      end.join, Regexp::MULTILINE
+    )
+  end
+  def code2re code, █ self.class.code2re(code, &block); end
+
+  def code2re_dw code, shift=0, mode=nil
+    raise "shift must be in 0..3, got #{shift.inspect}" unless (0..3).include?(shift)
+    Regexp.new(
+      (
+        'X '*shift +
+        code.strip.
+        split("\n").map{|line| line.strip.split('    ',2).first}.join("\n")
+      ).gsub(/\.{2,}/){ |x| x.split('').join(' ') }.
+      split.each_slice(4).map do |a|
+        a.map! do |x|
+          case x
+          when /\A[a-f0-9]{2}\Z/i
+            x.to_i(16)
+          else
+            x
+          end
+        end
+        dw = a.reverse.inject(0){ |x,y| (x<<8) + (y.is_a?(Numeric) ? y : 0)}
+        dw = yield(dw)
+        if dw.is_a?(Array)
+          # value + mask, mask = number of exact bytes in dw
+          (dw[1]..[3,a.size-1].min).each{ |i| a[i] = '.' }
+          dw = dw[0]
+        end
+        dw <<= 8
+
+        if mode == :add
+          # ADD mode
+          if a.all?{ |x| x.is_a?(Numeric)}
+            # all bytes are known
+            a.map do |x|
+              dw >>= 8
+              Regexp::escape((dw & 0xff).chr)
+            end
+          else
+            # some bytes are masked
+            # => ALL bytes after FIRST MASKED byte should be masked too
+            # due to carry flag when doing ADD or SUB
+            was_mask = false
+            a.map do |x|
+              dw >>= 8
+              if x.is_a?(Numeric)
+                was_mask ? '.' : Regexp::escape((dw & 0xff).chr)
+              else
+                was_mask = true
+                x
+              end
+            end
+          end
+        else
+          # generic mode, applicable for XOR
+          a.map do |x|
+            dw >>= 8
+            x.is_a?(Numeric) ? Regexp::escape((dw & 0xff).chr) : x
+          end
+        end
+      end.join[shift..-1], Regexp::MULTILINE
+    )
+  end
+
+  @@xordetect_codes = []
+
+  OBJ_TBL_CODE = <<-EOC
+    8D B5 (....)            lea     esi, [ebp+442A5Ah]  ; obj_tbl
+    83 3E 00                cmp     dword ptr [esi], 0
+    0F 84 . . 00 00         jz      no_obj_tbl
+    .{0,6}                  lea     esi, [ebp+442A5Ah]  ; obj_tbl
+    6A 04                   push    4
+    68 00 10 00 00          push    1000h
+    68 00 18 00 00          push    1800h
+    6A 00                   push    0
+    FF .{2,5}               call    dword ptr [ebp+4429B9h] ; [41503d]
+    89 85 ....              mov     [ebp+4429B5h], eax      ; [415039]
+    8B 46 04                mov     eax, [esi+4]
+  EOC
+
+  VIRTUALPROTECT_RE = code2re <<-EOC
+    50                      push    eax
+    FF .{2,5}               call    dword ptr [ebp+6Ah] ; VirtualProtect
+    59                      pop     ecx
+    AD                      lodsd
+    AD                      lodsd
+    89 47 24                mov     [edi+24h], eax
+  EOC
+
+#  CODE1 = <<-EOC
+#    8B 44 24 10             mov     eax, [esp+arg_C]
+#    81 EC 54 03 00 00       sub     esp, 354h
+#    8D 4C 24 04             lea     ecx, [esp+354h+var_350]
+#    50                      push    eax
+#    E8 A8 03 00 00          call    sub_465A28
+#    8B 8C 24 5C 03 00 00    mov     ecx, [esp+354h+arg_4]
+#    8B 94 24 58 03 00 00    mov     edx, [esp+354h+arg_0]
+#    51                      push    ecx
+#    52                      push    edx
+#    8D 4C 24 0C             lea     ecx, [esp+35Ch+var_350]
+#    E8 0D 04 00 00          call    sub_465AA6
+#    84 C0                   test    al, al
+#    75 0A                   jnz     short loc_4656A7
+#    83 C8 FF                or      eax, 0FFFFFFFFh
+#    81 C4 54 03 00 00       add     esp, 354h
+#    C3                      retn
+#  EOC
+
+  E8_CODE = <<-EOC
+    8B 06                   mov     eax, [esi]
+    EB (.)                  jmp     short ??                ; ModE8E9
+    80 3E (.)               cmp     byte ptr [esi], ??      ; CmpE8E9
+    75 F3                   jnz     short loc_450141
+    24 00                   and     al, 0
+    C1 C0 18                rol     eax, 18h
+    2B C3                   sub     eax, ebx
+    89 06                   mov     [esi], eax
+    83 C3 05                add     ebx, 5
+    83 C6 04                add     esi, 4
+    83 E9 05                sub     ecx, 5
+    EB                      jmp     short loc_450130
+  EOC
+  E8_RE = code2re E8_CODE
+  @@xordetect_codes << E8_CODE
+
+  E8_FLAG_RE_IMM1 = code2re <<-EOC
+    B3 (.)                  mov     bl, ?
+    80 FB 00                cmp     bl, 0
+    75 .                    jnz     short loc_465163
+    FE 85 ....              inc     byte ptr [ebp+0ECh]
+    8B 3E                   mov     edi, [esi]
+    03 BD ....              add     edi, [ebp+422h]
+    FF 37                   push    dword ptr [edi]
+    C6 07 C3                mov     byte ptr [edi], 0C3h
+    FF D7                   call    edi
+    8F 07                   pop     dword ptr [edi]
+  EOC
+
+  E8_FLAG_RE_IMM2 = code2re <<-EOC
+    B3 (.)                  mov     bl, 0
+    80 FB 00                cmp     bl, 0
+    75 .                    jnz     short loc_4C6155
+    FE 85 ....              inc     byte ptr [ebp+0EFh]
+    50                      push    eax
+    51                      push    ecx
+    56                      push    esi
+    53                      push    ebx
+    8B C8                   mov     ecx, eax
+  EOC
+
+  E8_FLAG_RE_EBP = code2re <<-EOC
+    80 BD (....) 00         cmp     byte ptr [ebp+443A11h], 0
+    75 .                    jnz     short loc_465163
+    FE 85 ....              inc     byte ptr [ebp+0ECh]
+    8B 3E                   mov     edi, [esi]
+    03 BD ....              add     edi, [ebp+422h]
+    FF 37                   push    dword ptr [edi]
+    C6 07 C3                mov     byte ptr [edi], 0C3h
+    FF D7                   call    edi
+    8F 07                   pop     dword ptr [edi]
+  EOC
+
+  OEP_CODE1 = <<-EOC
+    B8 (....)               mov     eax, 101Ah
+    50                      push    eax
+    03 85 ....              add     eax, [ebp+444A28h]
+    59                      pop     ecx
+    0B C9                   or      ecx, ecx
+    89 85 ....              mov     [ebp+443CF1h], eax
+    61                      popa
+    75 08                   jnz     short loc_40A3C0
+    B8 01 00 00 00          mov     eax, 1
+    C2 0C 00                retn    0Ch
+  EOC
+  OEP_RE1 = code2re OEP_CODE1
+  @@xordetect_codes << OEP_CODE1
+
+  OEP_CODE2 = <<-EOC
+    8B 85 (....)            mov     eax, [ebp+442A4Eh]  ; 004150D2
+    50                      push    eax
+    03 85 ....              add     eax, [ebp+4437E0h]  ; [415e64] = self_base
+    59                      pop     ecx
+    0B C9                   or      ecx, ecx
+    89 85 ....              mov     [ebp+442E7Bh], eax  ; offset of '0' of 'push 0' after 'retn 0Ch'
+    61                      popa
+    75 08                   jnz     short loc_4154FE
+    B8 01 00 00 00          mov     eax, 1
+    C2 0C 00                retn    0Ch
+  EOC
+  OEP_RE2 = code2re OEP_CODE2
+  @@xordetect_codes << OEP_CODE2
+
+  IMPORTS_CODE1 = <<-EOC
+    EB F1                   jmp ...
+    BE (....)               mov     esi, 55000h       ; immediate imports rva
+    8B 95 ....              mov     edx, [ebp+422h]
+    03 F2                   add     esi, edx
+    8B 46 0C                mov     eax, [esi+0Ch]
+    85 C0                   test    eax, eax
+    0F 84 . . 00 00         jz      ep_rva
+    03 C2                   add     eax, edx
+    8B D8                   mov     ebx, eax
+    50                      push    eax
+    FF 95 (....)            call    dword ptr [ebp+0F4Dh]
+    85 C0                   test    eax, eax
+  EOC
+  IMPORTS_RE1 = code2re IMPORTS_CODE1
+  @@xordetect_codes  << IMPORTS_CODE1
+
+  IMPORTS_CODE2 = <<-EOC
+    EB F1                   jmp ...
+    8B B5 (....)            mov     esi, [ebp+442A4Ah]  ; [0x4150CE] = imports_rva
+    8B 95 ....              mov     edx, [ebp+4437E0h]  ; [0x415e64] = image_base
+    03 F2                   add     esi, edx
+    8B 46 0C                mov     eax, [esi+0Ch]
+    85 C0                   test    eax, eax
+    0F 84 . . 00 00         jz      ep_rva
+    03 C2                   add     eax, edx
+    8B D8                   mov     ebx, eax
+    50                      push    eax
+    FF 95 (....)            call    dword ptr [ebp+4438F4h] ; 415f78 = GetModuleHandleA
+    85 C0                   test    eax, eax
+  EOC
+  IMPORTS_RE2 = code2re IMPORTS_CODE2
+  @@xordetect_codes  << IMPORTS_CODE2
+
+  RELOCS_RE = code2re <<-EOC
+    2B D0                   sub     edx, eax
+    74 79                   jz      short exit_relocs_loop
+    8B C2                   mov     eax, edx
+    C1 E8 10                shr     eax, 10h
+    33 DB                   xor     ebx, ebx
+    8B B5 (....)            mov     esi, [ebp+539h]         ; relocs_rva
+    03 B5 ....              add     esi, [ebp+422h]         ; image_base
+    83 3E 00                cmp     dword ptr [esi], 0
+    74                      jz      short exit_relocs_loop
+  EOC
+
+  SECTION_INFO = IOStruct.new 'VlV', :va, :size, :flags
+
+  ########################################################################
+
+  def _decrypt
+    @data = @data.dup
+    @data.size.times do |j|
+      @data[j] = (yield(@data[j].ord,j)&0xff).chr
+    end
+    @data
+  end
+
+  def _decrypt_dw shift=0
+    orig_size = @data.size
+    @data = @data.dup
+    i = shift                  # FIXME: first 'shift' bytes of data is not decrypted!
+    while i < @data.size
+      t = @data[i,4]
+      t<<"\x00" while t.size < 4
+      dw = t.unpack('V').first
+      dw = yield(dw)
+      @data[i,4] = [dw].pack('V')
+      i += 4
+    end
+    @data = @data[0,orig_size] if @data.size != orig_size
+    @data
+  end
+
+  def check_re data, comment = '', re = E8_RE
+    if m = data.match(re)
+      logger.debug "[.] E8_RE %s found at %4x : %-20s" % [comment, m.begin(0), m[1..-1].inspect]
+      m
+    end
+  end
+
+  def decrypt
+    r=nil
+    # check raw
+    return r if r=check_re(@data)
+
+    (1..255).each do |i|
+      # check byte add
+      if check_re(@data, "[add b,#{i}]", code2re(E8_CODE){ |x| (x+i)&0xff })
+        return check_re(_decrypt{|x| x-i})
+      end
+
+      # check byte xor
+      if check_re(@data, "[xor b,#{i}]", code2re(E8_CODE){ |x| x^i })
+        return check_re(_decrypt{|x| x^i})
+      end
+    end
+
+    # check dword dec
+    4.times do |shift|
+      re = code2re_dw(E8_CODE,shift){ |dw| dw+1 }
+      if r=check_re(@data, "[dec dw:#{shift}]", re)
+        shift = (r.begin(0)-shift)%4
+        return check_re(_decrypt_dw(shift){ |x| x-1 })
+      end
+    end
+
+    # detect dword xor
+    h = xordetect
+    if h && h.size == 4
+      h.keys.permutation.each do |xor_bytes|
+        xor_dw = xor_bytes.inject{ |x,y| (x<<8) + y}
+        re = code2re_dw(E8_CODE){ |dw| dw^xor_dw }
+        if r=check_re(@data, "[xor dw,#{xor_dw.to_s(16)}]", re)
+          return check_re(_decrypt_dw(r.begin(0)%4){ |dw| dw^xor_dw })
+        end
+      end
+    end
+
+    # detect dword add
+    if add_dw = add_detect
+      4.times do |shift|
+        re = code2re_dw(E8_CODE,shift, :add){ |dw| dw-add_dw }
+        if r=check_re(@data, "[add dw:#{shift},#{add_dw.to_s(16)}]", re)
+          return check_re(_decrypt_dw((r.begin(0)+shift)%4){ |dw| dw+add_dw })
+        end
+      end
+    end
+
+    # failed
+    false
+  end
+
+  # detects if code is crypted by a dword-xor
+  # @data must be original, not modified!
+  def xordetect
+    logger.info "[*] guessing DWORD-XOR key..."
+    h = Hash.new{ |k,v| k[v] = 0 }
+    @@xordetect_codes.each do |code|
+      4.times do |shift|
+        0x100.times do |x1|
+          re = code2re(code.tr('()','')){ |x,idx| idx%4 == shift ? x^x1 : :any }
+          @data.scan(re).each do
+            logger.debug "[.] %02x: %2d : %s" % [x1, ($~.begin(0)+shift)%4, re.inspect]
+            h[x1] += 1
+          end
+        end
+      end
+    end
+    case h.size
+    when 0
+      logger.debug "[?] %s: no matches" % __method__
+    when 1..3
+      logger.info  "[?] %s: not xored, or %d-byte xor key: %s" % [__method__, h.size, h.inspect]
+    when 4
+      logger.info  "[*] %s: FOUND xor key bytes: [%02x %02x %02x %02x]" % [__method__, *h.keys].flatten
+    else
+      logger.info  "[?] %s: %d possible bytes: %s" % [__method__, h.size, h.inspect]
+    end
+    h
+  end
+
+  def add_detect known_bytes = [], step = 1
+    s = known_bytes.map{ |x| "%02x" % x}.join(' ')
+    logger.info "[*] guessing DWORD-ADD key... [#{s}]"
+    h = Hash.new{ |k,v| k[v] = 0 }
+    dec = known_bytes.reverse.inject(0){ |x,y| (x<<8) + y}
+    @@xordetect_codes.each do |code|
+      4.times do |shift|
+        0x100.times do |x1|
+          #re = code2re_dw(code.tr('()',''),shift){ |x,idx| idx%4 == shift ? ((x-x1)&0xff) : :any }
+          re = code2re_dw(code.tr('()',''),shift) do |x|
+            [x-dec-(x1<<(known_bytes.size*8)), known_bytes.size+1]
+          end
+          @data.scan(re).each do
+            logger.debug "[.] %02x: %2d : %s" % [x1, ($~.begin(0)+shift)%4, re.inspect[0,75]]
+            h[x1] += 1
+          end
+        end
+      end
+    end
+    if h.any?
+      known_bytes << h.sort_by(&:last).last[0] # most frequent byte
+    end
+    if known_bytes.size == step && step < 4
+      add_detect known_bytes, step+1
+    else
+      kb = known_bytes
+      case kb.size
+      when 0
+        logger.debug "[?] %s: no matches" % __method__
+      when 1..3
+        logger.info  "[?] %s: not 'add' or %d-byte key: %s" % [__method__, kb.size, kb.inspect]
+      when 4
+        logger.info  "[*] %s: FOUND 'add' key bytes: [%02x %02x %02x %02x]" % [__method__, *kb].flatten
+        return known_bytes.reverse.inject(0){ |x,y| (x<<8) + y}
+      else
+        logger.info  "[?] %s: %d possible bytes: %s" % [__method__, kb.size, kb.inspect]
+      end
+      return nil
+    end
+  end
+
+  def _scan_obj_tbl
+    unless @ebp
+      logger.warn "[?] %s: EBP undefined, skipping" % __method__
+      return
+    end
+
+    re = code2re OBJ_TBL_CODE
+    va = nil
+    if m = @data.match(re)
+      a = m[1..-1].map{|x| x.unpack('V').first }
+      logger.debug "[d] OBJ_TBL_RE found at %4x : %s" % [m.begin(0), a.map{|x| x.to_s(16)}.join(', ')]
+      va = (a[0] + @ebp) & 0xffff_ffff
+      logger.debug "[.] obj_tbl VA = %4x (using EBP)" % va
+    else
+      logger.error "[!] cannot find obj_tbl"
+      return
+    end
+
+    # obj_tbl contains flags if there is a call to VirtualProtect in loader code
+    record_size = (@data['VirtualProtect'] && @data[VIRTUALPROTECT_RE]) ? 4*3 : 4*2
+
+#    @ldr[va-0x3c,0x3c].unpack('V*').each do |x|
+#      printf("%8x\n",x);
+#    end
+
+    r = []
+    while true
+      obj = SECTION_INFO.new(*@ldr[va, record_size].unpack(SECTION_INFO::FORMAT))
+      break if obj.va == 0
+      unless @ldr.va2section(obj.va)
+        logger.error "[!] can't get section for obj %4x : %4x" % [obj.va, obj.size]
+      end
+      va += record_size
+      r << obj
+      if r.size > 0x200
+        logger.error "[!] stopped obj_tbl parsing. too many sections!"
+        break
+      end
+    end
+    r
+  end
+
+  ########################################################################
+
+  def find_e8e9
+    if m = @data.match(E8_RE)
+      @e8e9_mode, @e8e9_cmp = m[1].ord, m[2].ord
+    else
+      logger.error "[!] can't find E8/E9 patch sub! unpacked code may be invalid!"
+    end
+
+    if m = (@data.match(E8_FLAG_RE_IMM1) || @data.match(E8_FLAG_RE_IMM2))
+      @e8e9_flag = m[1].ord
+    elsif m = @data.match(E8_FLAG_RE_EBP)
+      offset = m[1].unpack('V').first
+      @e8e9_flag = @ldr[(@ebp + offset) & 0xffff_ffff, 1].ord
+    else
+      logger.error "[!] can't find E8/E9 flag! unpacked code may be invalid!"
+      raise
+    end
+
+    logger.debug "[.] E8/E9: flag=%s, mode=%s, cmp=%s" % [@e8e9_flag||'???', @e8e9_mode, @e8e9_cmp]
+  end
+
+  def find_obj_tbl
+    if @obj_tbl = _scan_obj_tbl
+      if logger.level <= ::Logger::INFO
+        @obj_tbl.each do |obj|
+          if obj.flags
+            logger.info "[.] ASP::SECTION va: %8x  size: %8x  flags: %8x" % [
+              obj.va, obj.size&0xffff_ffff, obj.flags]
+          else
+            logger.info "[.] ASP::SECTION va: %8x  size: %8x" % [
+              obj.va, obj.size&0xffff_ffff]
+          end
+        end
+      end
+    end
+  end
+
+  def find_oep
+    @oep = nil
+    if m = @data.match(OEP_RE1)
+      logger.debug "[.] OEP_RE1 found at %4x" % m.begin(0)
+      @oep = m[1].unpack('V').first
+    elsif @ebp && m = @data.match(OEP_RE2)
+      logger.debug "[.] OEP_RE2 found at %4x (using EBP)" % m.begin(0)
+      offset = m[1].unpack('V').first
+      @oep = @ldr[(@ebp + offset) & 0xffff_ffff, 4].unpack('V').first
+    end
+
+    if @oep
+      logger.info "[.] OEP = %8x" % @oep
+    else
+      logger.error "[!] cannot find EntryPoint"
+    end
+  end
+
+  def find_imports
+    @imports_rva = nil
+    if m = @data.match(IMPORTS_RE1)
+      a = m[1..-1].map{|x| x.unpack('V').first }
+      @imports_rva = a[0]
+    elsif m = @data.match(IMPORTS_RE2)
+      a = m[1..-1].map{|x| x.unpack('V').first }
+    else
+      logger.error "[!] cannot find imports"
+      return
+    end
+    logger.debug "[d] IMPORTS_REx found at %4x : %s" % [m.begin(0), a.map{|x| x.to_s(16)}.join(', ')]
+
+    # actually following code is not necessary for IMPORTS_RE1
+    # using it to get EBP register value
+
+    f = @ldr.pedump.imports.map(&:first_thunk).flatten.compact.find{ |x| x.name == "GetModuleHandleA"}
+    unless f
+      logger.error "[!] GetModuleHandleA not found"
+      return
+    end
+    vaGetModuleHandle = f.va
+    logger.debug "[d] GetModuleHandle is at %x" % vaGetModuleHandle
+    @ebp = (f.va - a[1]) & 0xffff_ffff
+    logger.debug "[d] assume EBP = %x" % @ebp
+
+    # @imports_rva may already be filled by IMPORTS_RE1
+    @imports_rva ||= @data[(@ebp + a[0] - @section.va) & 0xffff_ffff, 4].unpack('V').first
+    logger.info "[.] imports RVA = %x" % @imports_rva
+  end
+
+  def find_relocs
+    @relocs_rva = nil
+    if m = @data.match(RELOCS_RE)
+      a = m[1..-1].map{|x| x.unpack('V').first }
+    else
+      logger.error "[!] cannot find imports"
+      raise
+      return
+    end
+    @relocs_rva ||= @ldr[(@ebp + a[0]) & 0xffff_ffff, 4].unpack('V').first
+    logger.info "[.] relocs RVA = %x" % @relocs_rva
+  end
+
+  ########################################################################
+
+  def rebuild_imports
+    return unless @imports_rva
+
+    iids = []
+
+    va = @imports_rva
+    sz = PEdump::IMAGE_IMPORT_DESCRIPTOR::SIZE
+    while true
+      iid = PEdump::IMAGE_IMPORT_DESCRIPTOR.read(@ldr[va,sz])
+      va += sz # increase ptr before breaking, req'd 4 saving total import table size in data dir
+      break if iid.Name.to_i == 0
+
+      [:original_first_thunk, :first_thunk].each do |tbl|
+        camel = tbl.capitalize.to_s.gsub(/_./){ |char| char[1..-1].upcase}
+        iid[tbl] ||= []
+        if (va1 = iid[camel].to_i) != 0
+          while true
+            # intentionally include zero terminator in table to count IAT size
+            t = @ldr[va1,4].unpack('V').first
+            iid[tbl] << t
+            break if t == 0
+            va1 += 4
+          end
+        end
+      end
+      iids << iid
+    end
+    @ldr.pe_hdr.ioh.DataDirectory[PEdump::IMAGE_DATA_DIRECTORY::IMPORT].tap do |dd|
+      dd.va   = @imports_rva
+      dd.size = va-@imports_rva
+    end
+    if iids.any?
+      iids.sort_by!(&:FirstThunk)
+      @ldr.pe_hdr.ioh.DataDirectory[PEdump::IMAGE_DATA_DIRECTORY::IAT].tap do |dd|
+        # Points to the beginning of the first Import Address Table (IAT).
+        dd.va   = iids.first.FirstThunk
+        # The Size field indicates the total size of all the IATs.
+        dd.size = iids.last.FirstThunk - iids.first.FirstThunk + iids.last.first_thunk.size*4
+        # ... to temporarily mark the IATs as read-write during import resolution.
+        # http://msdn.microsoft.com/en-us/magazine/bb985997.aspx
+      end
+    end
+  end
+
+  def rebuild_relocs
+    return if @relocs_rva.to_i == 0
+
+    va = @relocs_rva
+    while true
+      a = @ldr[va,4*2].to_s.unpack('V*')
+      break if a[0] == 0 || a[1] == 0
+      va += a[1]
+    end
+
+    @ldr.pe_hdr.ioh.DataDirectory[PEdump::IMAGE_DATA_DIRECTORY::BASERELOC].tap do |dd|
+      dd.va   = @relocs_rva
+      dd.size = va-@relocs_rva
+    end
+  end
+
+  def rebuild_tls h = {}
+    dd = @ldr.pe_hdr.ioh.DataDirectory[PEdump::IMAGE_DATA_DIRECTORY::TLS]
+    return if dd.va.to_i == 0 || dd.size.to_i == 0
+
+    case h[:step]
+    when 1 # store @tls_data
+      @tls_data = @ldr[dd.va, dd.size]
+    when 2 # search in unpacked sections
+      return unless @tls_data if h[:step] == 2
+      # search for original TLS data in all unpacked sections
+      @ldr.sections.each do |section|
+        if offset = section.data.index(@tls_data)
+          # found a TLS section
+          dd.va = section.va + offset
+          return
+        end
+      end
+      logger.error "[!] can't find TLS section"
+    else
+      raise "invalid step"
+    end
+  end
+
+  def compile_unlzx dest
+    logger.info "[*] compiling #{File.basename(dest)} .."
+    system("gcc", UNLZX_SRC, "-o", dest)
+    unless File.file?(dest) && File.executable?(dest)
+      logger.fatal "[!] %s compile failed, please compile it yourself at %s" % [
+        File.basename(dest), File.dirname(dest)
+      ]
+    end
+  end
+
+  def unlzx_pathname
+    UNLZXes.each do |unlzx|
+      return unlzx if File.file?(unlzx) && File.executable?(unlzx)
+    end
+
+    # nothing found, try to compile
+    UNLZXes.each do |unlzx|
+      compile_unlzx unlzx
+      return unlzx if File.file?(unlzx) && File.executable?(unlzx)
+    end
+
+    # all compiles failed
+    raise "no aspack_unlzx binary"
+  end
+
+  def unpack_section data, packed_size, unpacked_size
+    data = IO.popen("#{unlzx_pathname} #{packed_size.to_i} #{unpacked_size.to_i}","r+") do |f|
+      f.write data
+      f.close_write
+      f.read
+    end
+    raise $?.inspect unless $?.success?
+    data
+  end
+
+  def decode_e8e9 data
+    return if !data || data.size < 6
+    return if [@e8e9_flag, @e8e9_mode, @e8e9_cmp].any?(&:nil?)
+    return if @e8e9_flag != 0
+
+    size = data.size - 6
+    offs = 0
+    while size > 0
+      b0 = data[offs]
+      if b0 != "\xE8" && b0 != "\xE9"
+        size-=1; offs+=1
+        next
+      end
+
+      dw = data[offs+1,4].unpack('V').first
+      if @e8e9_mode == 0
+        if (dw & 0xff) != @e8e9_cmp
+          size-=1; offs+=1
+          next
+        end
+        # dw &= 0xffffff00; dw = ROL(dw, 24)
+        dw >>= 8
+      end
+
+      t = (dw-offs) & 0xffffffff  # keep value in 32 bits
+      #logger.debug "[d] data[%6x] = %8x" % [offs+1, t]
+      data[offs+1,4] = [t].pack('V')
+      offs += 5; size -= [size, 5].min
+    end
+  end
+
+  ########################################################################
+
+  def unpack
+    if @section = @ldr.va2section(@ldr.ep)
+      @data = @section.data
+      logger.debug "[.] EP section: #{@section.inspect}"
+    else
+      logger.fatal "[!] cannot determine EP section"
+      return
+    end
+
+    decrypt      # must be called before any other finds
+
+    find_imports # also fills @ebp for other finds
+    find_e8e9
+    find_obj_tbl
+    find_oep
+    find_relocs
+
+    ###
+
+    rebuild_tls :step => 1
+    sorted_obj_tbl = @obj_tbl.sort_by{ |x| @ldr.pedump.va2file(x.va) }
+    sorted_obj_tbl.each_with_index do |obj,idx|
+      # restore section flags, if any
+      @ldr.va2section(obj.va).flags = obj.flags if obj.flags
+
+      next if obj.size < 0 # empty section
+      #file_offset = @ldr.pedump.va2file(obj.va)
+      #@io.seek file_offset
+      packed_size =
+        if idx == sorted_obj_tbl.size - 1
+          # last obj
+          obj.size
+        else
+          # subtract this file_offset from next object file_offset
+          @ldr.pedump.va2file(sorted_obj_tbl[idx+1].va) - @ldr.pedump.va2file(obj.va)
+        end
+      #packed_data = @io.read packed_size
+      packed_data = @ldr[obj.va, packed_size]
+      unpacked_data = unpack_section(packed_data, packed_data.size, obj.size).force_encoding('binary')
+      # decode e8/e9 only on 1st section?
+      decode_e8e9(unpacked_data) if obj == @obj_tbl.first
+      @ldr[obj.va, unpacked_data.size] = unpacked_data
+      logger.debug "[.] %8x: %8x -> %8x" % [obj.va, packed_size, unpacked_data.size]
+    end
+
+    rebuild_imports
+    rebuild_relocs
+    rebuild_tls :step => 2
+
+    @ldr.pe_hdr.ioh.AddressOfEntryPoint = @oep.to_i
+    @ldr
+  end
+end
+
+##########################################################################
+
+if __FILE__ == $0
+  fnames =
+    if ARGV.empty?
+      Dir['samples/*.{dll,exe,bin,ocx}']
+    else
+      ARGV
+    end
+
+  require 'pp'
+  fnames.each do |fname|
+    @fname = fname
+    File.open(fname,"rb") do |f|
+      pedump = PEdump.new :log_level => Logger::DEBUG
+      next unless packer = Array(pedump.packer(f)).first
+      next unless packer.name =~ /aspack/i
+
+      STDERR.puts "\n=== #{fname}".green
+
+      f.rewind
+      unpacker = PEdump::Unpacker::ASPack.new(f,
+                                              :log_level => Logger::DEBUG,
+                                              :color => true)
+      if l = unpacker.unpack
+        # returns PEdump::Loader with unpacked data
+        File.open("unpacked.exe","wb") do |f|
+          l.dump(f)
+        end
+      end
+    end
+  end
+end
+