RubyGems - pedump - Versions diffs - 0.4.5 → 0.4.6 - Mend

pedump 0.4.5 → 0.4.6

Files changed (28) hide show

data/Gemfile +3 -1
data/Gemfile.lock +5 -1
data/README.md +22 -20
data/Rakefile +25 -0
data/VERSION +1 -1
data/lib/pedump.rb +92 -45
data/lib/pedump/cli.rb +56 -16
data/lib/pedump/comparer.rb +147 -0
data/lib/pedump/core.rb +12 -18
data/lib/pedump/loader.rb +131 -0
data/lib/pedump/loader/section.rb +51 -0
data/lib/pedump/logger.rb +67 -0
data/lib/pedump/pe.rb +3 -0
data/lib/pedump/resources.rb +3 -3
data/lib/pedump/unpacker.rb +26 -0
data/lib/pedump/unpacker/aspack.rb +853 -0
data/lib/pedump/unpacker/upx.rb +13 -0
data/lib/pedump/version.rb +1 -1
data/lib/pedump/version_info.rb +8 -3
data/misc/aspack/Makefile +3 -0
data/misc/aspack/aspack_unlzx.c +92 -0
data/misc/aspack/lzxdec.c +479 -0
data/misc/aspack/lzxdec.h +56 -0
data/pedump.gemspec +24 -5
data/spec/pe_spec.rb +61 -0
data/spec/unpackers/aspack_spec.rb +69 -0
data/spec/unpackers/find_spec.rb +17 -0
metadata +53 -18

@@ -0,0 +1,67 @@
+require 'awesome_print' # for colored tty logging
+class PEdump
+  class Logger < ::Logger
+    def initialize *args
+      super
+      @formatter = proc do |severity,_,_,msg|
+        # quick and dirty way to remove duplicate messages
+        if @prevmsg == msg && severity != 'DEBUG' && severity != 'INFO'
+          ''
+        else
+          @prevmsg = msg
+          "#{msg}\n"
+        end
+      end
+      @level = WARN
+    end
+  end
+  def Logger.create params
+    logger =
+      if params[:logger]
+        params[:logger]
+      else
+        logdev = params[:logdev] || STDERR
+        logger_class =
+          if params.key?(:color)
+            # forced color or not
+            params[:color] ? ColoredLogger : Logger
+          else
+            # set color if logdev is TTY
+            (logdev.respond_to?(:tty?) && logdev.tty?) ? ColoredLogger : Logger
+          end
+        logger_class.new(logdev)
+      end
+    logger.level = params[:log_level] if params[:log_level]
+    logger
+  end
+  class ColoredLogger < ::Logger
+    def initialize *args
+      super
+      @formatter = proc do |severity,_,_,msg|
+        # quick and dirty way to remove duplicate messages
+        if @prevmsg == msg && severity != 'DEBUG' && severity != 'INFO'
+          ''
+        else
+          @prevmsg = msg
+          color =
+            case severity
+            when 'FATAL'
+              :redish
+            when 'ERROR'
+              :red
+            when 'WARN'
+              :yellowish
+            when 'DEBUG'
+              :gray
+            end
+          "#{color ? msg.send(color) : msg}\n"
+        end
+      end
+      @level = WARN
+    end
+  end
+end

data/lib/pedump/pe.rb CHANGED

@@ -18,6 +18,9 @@ class PEdump
       ifh && ifh.flags.include?('DLL')
     end
+    def pack
+      signature + ifh.pack + ioh.pack
+    end
     def self.read f, args = nil
       force = args.is_a?(Hash) && args[:force]

data/lib/pedump/resources.rb CHANGED

@@ -1,6 +1,6 @@
 class PEdump
-  def resource_directory f=nil
+  def resource_directory f=@io
     @resource_directory ||= _read_resource_directory_tree(f)
   end
@@ -181,7 +181,7 @@ class PEdump
   STRING = Struct.new(:id, :lang, :value)
-  def strings f=nil
+  def strings f=@io
     r = []
     Array(resources(f)).find_all{ |x| x.type == 'STRING'}.each do |res|
       res.data.each_with_index do |string,idx|
@@ -319,7 +319,7 @@ class PEdump
     end
   end
-  def _scan_resources f=nil, dir=nil
+  def _scan_resources f=@io, dir=nil
     dir ||= resource_directory(f)
     return nil unless dir
     dir.entries.map do |entry|

data/lib/pedump/unpacker.rb ADDED

@@ -0,0 +1,26 @@
+require 'pedump'
+require 'pedump/unpacker/aspack'
+require 'pedump/unpacker/upx'
+module PEdump::Unpacker
+  class << self
+    def find io
+      if io.is_a?(String)
+        return File.open(io,"rb"){ |f| find(f) }
+      end
+      pedump = PEdump.new(io)
+      packer = Array(pedump.packers).first
+      return nil unless packer
+      case packer.name
+      when /UPX/
+        UPX
+      when /ASPack/i
+        ASPack
+      else
+        nil
+      end
+    end
+  end
+end

data/lib/pedump/unpacker/aspack.rb ADDED

@@ -0,0 +1,853 @@
+#!/usr/bin/env ruby
+# coding: binary
+require 'pedump/loader'
+require 'pedump/cli'
+module PEdump::Unpacker; end
+class PEdump::Unpacker::ASPack
+  def self.unpack src_fname, dst_fname, log = ''
+    File.open(src_fname, "rb") do |f|
+      if ldr = new(f).unpack
+        File.open(dst_fname,"wb"){ |fo| ldr.dump(fo) }
+        return ldr   # looks like 'true'
+      else
+        return false
+      end
+    end
+  end
+  ########################################################################
+  attr_accessor :logger
+  def initialize io, params = {}
+    params[:logger] ||= PEdump::Logger.create(params)
+    @logger = params[:logger]
+    @ldr = PEdump::Loader.new(io, params)
+    @io = io
+    @e8e9_mode = @e8e9_cmp = @e8e9_flag = @ebp = nil
+  end
+  ########################################################################
+  DATA_ROOT = File.dirname(File.dirname(File.dirname(File.dirname(__FILE__))))
+  UNLZX_SRC = File.join(DATA_ROOT, "misc", "aspack", "aspack_unlzx.c")
+  UNLZXes   = [
+    # default path for RVM
+    File.join(DATA_ROOT, "misc", "aspack", "aspack_unlzx"),
+    # XXX path for normal linux installs
+    File.expand_path("~/.pedump_unlzx")
+  ]
+  ########################################################################
+  def self.code2re code
+    idx = -1
+    was_any = false
+    Regexp.new(
+      code.strip.
+      split("\n").map{|line| line.strip.split('    ',2).first}.join("\n").
+      gsub(/\.{2,}/){ |x| x.split('').join(' ') }.
+      split.map do |x|
+        idx += 1
+        case x
+        when /\A[a-f0-9]{2}\Z/i
+          x = x.to_i(16)
+          if block_given?
+            x = yield(x,idx)
+            if x == :any
+              was_any = true
+              '.'
+            else
+              Regexp.escape(x.chr)
+            end
+          else
+            Regexp.escape(x.chr)
+          end
+        else
+          if was_any && (x.count('.') > 1 || x[/[+*?{}]/])
+            raise "[!] cannot use :any with more-than-1-char-long #{x.inspect}"
+          end
+          x
+        end
+      end.join, Regexp::MULTILINE
+    )
+  end
+  def code2re code, &block; self.class.code2re(code, &block); end
+  def code2re_dw code, shift=0, mode=nil
+    raise "shift must be in 0..3, got #{shift.inspect}" unless (0..3).include?(shift)
+    Regexp.new(
+      (
+        'X '*shift +
+        code.strip.
+        split("\n").map{|line| line.strip.split('    ',2).first}.join("\n")
+      ).gsub(/\.{2,}/){ |x| x.split('').join(' ') }.
+      split.each_slice(4).map do |a|
+        a.map! do |x|
+          case x
+          when /\A[a-f0-9]{2}\Z/i
+            x.to_i(16)
+          else
+            x
+          end
+        end
+        dw = a.reverse.inject(0){ |x,y| (x<<8) + (y.is_a?(Numeric) ? y : 0)}
+        dw = yield(dw)
+        if dw.is_a?(Array)
+          # value + mask, mask = number of exact bytes in dw
+          (dw[1]..[3,a.size-1].min).each{ |i| a[i] = '.' }
+          dw = dw[0]
+        end
+        dw <<= 8
+        if mode == :add
+          # ADD mode
+          if a.all?{ |x| x.is_a?(Numeric)}
+            # all bytes are known
+            a.map do |x|
+              dw >>= 8
+              Regexp::escape((dw & 0xff).chr)
+            end
+          else
+            # some bytes are masked
+            # => ALL bytes after FIRST MASKED byte should be masked too
+            # due to carry flag when doing ADD or SUB
+            was_mask = false
+            a.map do |x|
+              dw >>= 8
+              if x.is_a?(Numeric)
+                was_mask ? '.' : Regexp::escape((dw & 0xff).chr)
+              else
+                was_mask = true
+                x
+              end
+            end
+          end
+        else
+          # generic mode, applicable for XOR
+          a.map do |x|
+            dw >>= 8
+            x.is_a?(Numeric) ? Regexp::escape((dw & 0xff).chr) : x
+          end
+        end
+      end.join[shift..-1], Regexp::MULTILINE
+    )
+  end
+  @@xordetect_codes = []
+  OBJ_TBL_CODE = <<-EOC
+    8D B5 (....)            lea     esi, [ebp+442A5Ah]  ; obj_tbl
+    83 3E 00                cmp     dword ptr [esi], 0
+    0F 84 . . 00 00         jz      no_obj_tbl
+    .{0,6}                  lea     esi, [ebp+442A5Ah]  ; obj_tbl
+    6A 04                   push    4
+    68 00 10 00 00          push    1000h
+    68 00 18 00 00          push    1800h
+    6A 00                   push    0
+    FF .{2,5}               call    dword ptr [ebp+4429B9h] ; [41503d]
+    89 85 ....              mov     [ebp+4429B5h], eax      ; [415039]
+    8B 46 04                mov     eax, [esi+4]
+  EOC
+  VIRTUALPROTECT_RE = code2re <<-EOC
+    50                      push    eax
+    FF .{2,5}               call    dword ptr [ebp+6Ah] ; VirtualProtect
+    59                      pop     ecx
+    AD                      lodsd
+    AD                      lodsd
+    89 47 24                mov     [edi+24h], eax
+  EOC
+#  CODE1 = <<-EOC
+#    8B 44 24 10             mov     eax, [esp+arg_C]
+#    81 EC 54 03 00 00       sub     esp, 354h
+#    8D 4C 24 04             lea     ecx, [esp+354h+var_350]
+#    50                      push    eax
+#    E8 A8 03 00 00          call    sub_465A28
+#    8B 8C 24 5C 03 00 00    mov     ecx, [esp+354h+arg_4]
+#    8B 94 24 58 03 00 00    mov     edx, [esp+354h+arg_0]
+#    51                      push    ecx
+#    52                      push    edx
+#    8D 4C 24 0C             lea     ecx, [esp+35Ch+var_350]
+#    E8 0D 04 00 00          call    sub_465AA6
+#    84 C0                   test    al, al
+#    75 0A                   jnz     short loc_4656A7
+#    83 C8 FF                or      eax, 0FFFFFFFFh
+#    81 C4 54 03 00 00       add     esp, 354h
+#    C3                      retn
+#  EOC
+  E8_CODE = <<-EOC
+    8B 06                   mov     eax, [esi]
+    EB (.)                  jmp     short ??                ; ModE8E9
+    80 3E (.)               cmp     byte ptr [esi], ??      ; CmpE8E9
+    75 F3                   jnz     short loc_450141
+    24 00                   and     al, 0
+    C1 C0 18                rol     eax, 18h
+    2B C3                   sub     eax, ebx
+    89 06                   mov     [esi], eax
+    83 C3 05                add     ebx, 5
+    83 C6 04                add     esi, 4
+    83 E9 05                sub     ecx, 5
+    EB                      jmp     short loc_450130
+  EOC
+  E8_RE = code2re E8_CODE
+  @@xordetect_codes << E8_CODE
+  E8_FLAG_RE_IMM1 = code2re <<-EOC
+    B3 (.)                  mov     bl, ?
+    80 FB 00                cmp     bl, 0
+    75 .                    jnz     short loc_465163
+    FE 85 ....              inc     byte ptr [ebp+0ECh]
+    8B 3E                   mov     edi, [esi]
+    03 BD ....              add     edi, [ebp+422h]
+    FF 37                   push    dword ptr [edi]
+    C6 07 C3                mov     byte ptr [edi], 0C3h
+    FF D7                   call    edi
+    8F 07                   pop     dword ptr [edi]
+  EOC
+  E8_FLAG_RE_IMM2 = code2re <<-EOC
+    B3 (.)                  mov     bl, 0
+    80 FB 00                cmp     bl, 0
+    75 .                    jnz     short loc_4C6155
+    FE 85 ....              inc     byte ptr [ebp+0EFh]
+    50                      push    eax
+    51                      push    ecx
+    56                      push    esi
+    53                      push    ebx
+    8B C8                   mov     ecx, eax
+  EOC
+  E8_FLAG_RE_EBP = code2re <<-EOC
+    80 BD (....) 00         cmp     byte ptr [ebp+443A11h], 0
+    75 .                    jnz     short loc_465163
+    FE 85 ....              inc     byte ptr [ebp+0ECh]
+    8B 3E                   mov     edi, [esi]
+    03 BD ....              add     edi, [ebp+422h]
+    FF 37                   push    dword ptr [edi]
+    C6 07 C3                mov     byte ptr [edi], 0C3h
+    FF D7                   call    edi
+    8F 07                   pop     dword ptr [edi]
+  EOC
+  OEP_CODE1 = <<-EOC
+    B8 (....)               mov     eax, 101Ah
+    50                      push    eax
+    03 85 ....              add     eax, [ebp+444A28h]
+    59                      pop     ecx
+    0B C9                   or      ecx, ecx
+    89 85 ....              mov     [ebp+443CF1h], eax
+    61                      popa
+    75 08                   jnz     short loc_40A3C0
+    B8 01 00 00 00          mov     eax, 1
+    C2 0C 00                retn    0Ch
+  EOC
+  OEP_RE1 = code2re OEP_CODE1
+  @@xordetect_codes << OEP_CODE1
+  OEP_CODE2 = <<-EOC
+    8B 85 (....)            mov     eax, [ebp+442A4Eh]  ; 004150D2
+    50                      push    eax
+    03 85 ....              add     eax, [ebp+4437E0h]  ; [415e64] = self_base
+    59                      pop     ecx
+    0B C9                   or      ecx, ecx
+    89 85 ....              mov     [ebp+442E7Bh], eax  ; offset of '0' of 'push 0' after 'retn 0Ch'
+    61                      popa
+    75 08                   jnz     short loc_4154FE
+    B8 01 00 00 00          mov     eax, 1
+    C2 0C 00                retn    0Ch
+  EOC
+  OEP_RE2 = code2re OEP_CODE2
+  @@xordetect_codes << OEP_CODE2
+  IMPORTS_CODE1 = <<-EOC
+    EB F1                   jmp ...
+    BE (....)               mov     esi, 55000h       ; immediate imports rva
+    8B 95 ....              mov     edx, [ebp+422h]
+    03 F2                   add     esi, edx
+    8B 46 0C                mov     eax, [esi+0Ch]
+    85 C0                   test    eax, eax
+    0F 84 . . 00 00         jz      ep_rva
+    03 C2                   add     eax, edx
+    8B D8                   mov     ebx, eax
+    50                      push    eax
+    FF 95 (....)            call    dword ptr [ebp+0F4Dh]
+    85 C0                   test    eax, eax
+  EOC
+  IMPORTS_RE1 = code2re IMPORTS_CODE1
+  @@xordetect_codes  << IMPORTS_CODE1
+  IMPORTS_CODE2 = <<-EOC
+    EB F1                   jmp ...
+    8B B5 (....)            mov     esi, [ebp+442A4Ah]  ; [0x4150CE] = imports_rva
+    8B 95 ....              mov     edx, [ebp+4437E0h]  ; [0x415e64] = image_base
+    03 F2                   add     esi, edx
+    8B 46 0C                mov     eax, [esi+0Ch]
+    85 C0                   test    eax, eax
+    0F 84 . . 00 00         jz      ep_rva
+    03 C2                   add     eax, edx
+    8B D8                   mov     ebx, eax
+    50                      push    eax
+    FF 95 (....)            call    dword ptr [ebp+4438F4h] ; 415f78 = GetModuleHandleA
+    85 C0                   test    eax, eax
+  EOC
+  IMPORTS_RE2 = code2re IMPORTS_CODE2
+  @@xordetect_codes  << IMPORTS_CODE2
+  RELOCS_RE = code2re <<-EOC
+    2B D0                   sub     edx, eax
+    74 79                   jz      short exit_relocs_loop
+    8B C2                   mov     eax, edx
+    C1 E8 10                shr     eax, 10h
+    33 DB                   xor     ebx, ebx
+    8B B5 (....)            mov     esi, [ebp+539h]         ; relocs_rva
+    03 B5 ....              add     esi, [ebp+422h]         ; image_base
+    83 3E 00                cmp     dword ptr [esi], 0
+    74                      jz      short exit_relocs_loop
+  EOC
+  SECTION_INFO = PEdump.create_struct 'VlV', :va, :size, :flags
+  ########################################################################
+  def _decrypt
+    @data = @data.dup
+    @data.size.times do |j|
+      @data[j] = (yield(@data[j].ord,j)&0xff).chr
+    end
+    @data
+  end
+  def _decrypt_dw shift=0
+    orig_size = @data.size
+    @data = @data.dup
+    i = shift                  # FIXME: first 'shift' bytes of data is not decrypted!
+    while i < @data.size
+      t = @data[i,4]
+      t<<"\x00" while t.size < 4
+      dw = t.unpack('V').first
+      dw = yield(dw)
+      @data[i,4] = [dw].pack('V')
+      i += 4
+    end
+    @data = @data[0,orig_size] if @data.size != orig_size
+    @data
+  end
+  def check_re data, comment = '', re = E8_RE
+    if m = data.match(re)
+      logger.debug "[.] E8_RE %s found at %4x : %-20s" % [comment, m.begin(0), m[1..-1].inspect]
+      m
+    end
+  end
+  def decrypt
+    r=nil
+    # check raw
+    return r if r=check_re(@data)
+    (1..255).each do |i|
+      # check byte add
+      if check_re(@data, "[add b,#{i}]", code2re(E8_CODE){ |x| (x+i)&0xff })
+        return check_re(_decrypt{|x| x-i})
+      end
+      # check byte xor
+      if check_re(@data, "[xor b,#{i}]", code2re(E8_CODE){ |x| x^i })
+        return check_re(_decrypt{|x| x^i})
+      end
+    end
+    # check dword dec
+    4.times do |shift|
+      re = code2re_dw(E8_CODE,shift){ |dw| dw+1 }
+      if r=check_re(@data, "[dec dw:#{shift}]", re)
+        shift = (r.begin(0)-shift)%4
+        return check_re(_decrypt_dw(shift){ |x| x-1 })
+      end
+    end
+    # detect dword xor
+    h = xordetect
+    if h && h.size == 4
+      h.keys.permutation.each do |xor_bytes|
+        xor_dw = xor_bytes.inject{ |x,y| (x<<8) + y}
+        re = code2re_dw(E8_CODE){ |dw| dw^xor_dw }
+        if r=check_re(@data, "[xor dw,#{xor_dw.to_s(16)}]", re)
+          return check_re(_decrypt_dw(r.begin(0)%4){ |dw| dw^xor_dw })
+        end
+      end
+    end
+    # detect dword add
+    if add_dw = add_detect
+      4.times do |shift|
+        re = code2re_dw(E8_CODE,shift, :add){ |dw| dw-add_dw }
+        if r=check_re(@data, "[add dw:#{shift},#{add_dw.to_s(16)}]", re)
+          return check_re(_decrypt_dw((r.begin(0)+shift)%4){ |dw| dw+add_dw })
+        end
+      end
+    end
+    # failed
+    false
+  end
+  # detects if code is crypted by a dword-xor
+  # @data must be original, not modified!
+  def xordetect
+    logger.info "[*] guessing DWORD-XOR key..."
+    h = Hash.new{ |k,v| k[v] = 0 }
+    @@xordetect_codes.each do |code|
+      4.times do |shift|
+        0x100.times do |x1|
+          re = code2re(code.tr('()','')){ |x,idx| idx%4 == shift ? x^x1 : :any }
+          @data.scan(re).each do
+            logger.debug "[.] %02x: %2d : %s" % [x1, ($~.begin(0)+shift)%4, re.inspect]
+            h[x1] += 1
+          end
+        end
+      end
+    end
+    case h.size
+    when 0
+      logger.debug "[?] %s: no matches" % __method__
+    when 1..3
+      logger.info  "[?] %s: not xored, or %d-byte xor key: %s" % [__method__, h.size, h.inspect]
+    when 4
+      logger.info  "[*] %s: FOUND xor key bytes: [%02x %02x %02x %02x]" % [__method__, *h.keys].flatten
+    else
+      logger.info  "[?] %s: %d possible bytes: %s" % [__method__, h.size, h.inspect]
+    end
+    h
+  end
+  def add_detect known_bytes = [], step = 1
+    s = known_bytes.map{ |x| "%02x" % x}.join(' ')
+    logger.info "[*] guessing DWORD-ADD key... [#{s}]"
+    h = Hash.new{ |k,v| k[v] = 0 }
+    dec = known_bytes.reverse.inject(0){ |x,y| (x<<8) + y}
+    @@xordetect_codes.each do |code|
+      4.times do |shift|
+        0x100.times do |x1|
+          #re = code2re_dw(code.tr('()',''),shift){ |x,idx| idx%4 == shift ? ((x-x1)&0xff) : :any }
+          re = code2re_dw(code.tr('()',''),shift) do |x|
+            [x-dec-(x1<<(known_bytes.size*8)), known_bytes.size+1]
+          end
+          @data.scan(re).each do
+            logger.debug "[.] %02x: %2d : %s" % [x1, ($~.begin(0)+shift)%4, re.inspect[0,75]]
+            h[x1] += 1
+          end
+        end
+      end
+    end
+    if h.any?
+      known_bytes << h.sort_by(&:last).last[0] # most frequent byte
+    end
+    if known_bytes.size == step && step < 4
+      add_detect known_bytes, step+1
+    else
+      kb = known_bytes
+      case kb.size
+      when 0
+        logger.debug "[?] %s: no matches" % __method__
+      when 1..3
+        logger.info  "[?] %s: not 'add' or %d-byte key: %s" % [__method__, kb.size, kb.inspect]
+      when 4
+        logger.info  "[*] %s: FOUND 'add' key bytes: [%02x %02x %02x %02x]" % [__method__, *kb].flatten
+        return known_bytes.reverse.inject(0){ |x,y| (x<<8) + y}
+      else
+        logger.info  "[?] %s: %d possible bytes: %s" % [__method__, kb.size, kb.inspect]
+      end
+      return nil
+    end
+  end
+  def _scan_obj_tbl
+    unless @ebp
+      logger.warn "[?] %s: EBP undefined, skipping" % __method__
+      return
+    end
+    re = code2re OBJ_TBL_CODE
+    va = nil
+    if m = @data.match(re)
+      a = m[1..-1].map{|x| x.unpack('V').first }
+      logger.debug "[d] OBJ_TBL_RE found at %4x : %s" % [m.begin(0), a.map{|x| x.to_s(16)}.join(', ')]
+      va = (a[0] + @ebp) & 0xffff_ffff
+      logger.debug "[.] obj_tbl VA = %4x (using EBP)" % va
+    else
+      logger.error "[!] cannot find obj_tbl"
+      return
+    end
+    # obj_tbl contains flags if there is a call to VirtualProtect in loader code
+    record_size = (@data['VirtualProtect'] && @data[VIRTUALPROTECT_RE]) ? 4*3 : 4*2
+#    @ldr[va-0x3c,0x3c].unpack('V*').each do |x|
+#      printf("%8x\n",x);
+#    end
+    r = []
+    while true
+      obj = SECTION_INFO.new(*@ldr[va, record_size].unpack(SECTION_INFO::FORMAT))
+      break if obj.va == 0
+      unless @ldr.va2section(obj.va)
+        logger.error "[!] can't get section for obj %4x : %4x" % [obj.va, obj.size]
+      end
+      va += record_size
+      r << obj
+      if r.size > 0x200
+        logger.error "[!] stopped obj_tbl parsing. too many sections!"
+        break
+      end
+    end
+    r
+  end
+  ########################################################################
+  def find_e8e9
+    if m = @data.match(E8_RE)
+      @e8e9_mode, @e8e9_cmp = m[1].ord, m[2].ord
+    else
+      logger.error "[!] can't find E8/E9 patch sub! unpacked code may be invalid!"
+    end
+    if m = (@data.match(E8_FLAG_RE_IMM1) || @data.match(E8_FLAG_RE_IMM2))
+      @e8e9_flag = m[1].ord
+    elsif m = @data.match(E8_FLAG_RE_EBP)
+      offset = m[1].unpack('V').first
+      @e8e9_flag = @ldr[(@ebp + offset) & 0xffff_ffff, 1].ord
+    else
+      logger.error "[!] can't find E8/E9 flag! unpacked code may be invalid!"
+      raise
+    end
+    logger.debug "[.] E8/E9: flag=%s, mode=%s, cmp=%s" % [@e8e9_flag||'???', @e8e9_mode, @e8e9_cmp]
+  end
+  def find_obj_tbl
+    if @obj_tbl = _scan_obj_tbl
+      if logger.level <= ::Logger::INFO
+        @obj_tbl.each do |obj|
+          if obj.flags
+            logger.info "[.] ASP::SECTION va: %8x  size: %8x  flags: %8x" % [
+              obj.va, obj.size&0xffff_ffff, obj.flags]
+          else
+            logger.info "[.] ASP::SECTION va: %8x  size: %8x" % [
+              obj.va, obj.size&0xffff_ffff]
+          end
+        end
+      end
+    end
+  end
+  def find_oep
+    @oep = nil
+    if m = @data.match(OEP_RE1)
+      logger.debug "[.] OEP_RE1 found at %4x" % m.begin(0)
+      @oep = m[1].unpack('V').first
+    elsif @ebp && m = @data.match(OEP_RE2)
+      logger.debug "[.] OEP_RE2 found at %4x (using EBP)" % m.begin(0)
+      offset = m[1].unpack('V').first
+      @oep = @ldr[(@ebp + offset) & 0xffff_ffff, 4].unpack('V').first
+    end
+    if @oep
+      logger.info "[.] OEP = %8x" % @oep
+    else
+      logger.error "[!] cannot find EntryPoint"
+    end
+  end
+  def find_imports
+    @imports_rva = nil
+    if m = @data.match(IMPORTS_RE1)
+      a = m[1..-1].map{|x| x.unpack('V').first }
+      @imports_rva = a[0]
+    elsif m = @data.match(IMPORTS_RE2)
+      a = m[1..-1].map{|x| x.unpack('V').first }
+    else
+      logger.error "[!] cannot find imports"
+      return
+    end
+    logger.debug "[d] IMPORTS_REx found at %4x : %s" % [m.begin(0), a.map{|x| x.to_s(16)}.join(', ')]
+    # actually following code is not necessary for IMPORTS_RE1
+    # using it to get EBP register value
+    f = @ldr.pedump.imports.map(&:first_thunk).flatten.compact.find{ |x| x.name == "GetModuleHandleA"}
+    unless f
+      logger.error "[!] GetModuleHandleA not found"
+      return
+    end
+    vaGetModuleHandle = f.va
+    logger.debug "[d] GetModuleHandle is at %x" % vaGetModuleHandle
+    @ebp = (f.va - a[1]) & 0xffff_ffff
+    logger.debug "[d] assume EBP = %x" % @ebp
+    # @imports_rva may already be filled by IMPORTS_RE1
+    @imports_rva ||= @data[(@ebp + a[0] - @section.va) & 0xffff_ffff, 4].unpack('V').first
+    logger.info "[.] imports RVA = %x" % @imports_rva
+  end
+  def find_relocs
+    @relocs_rva = nil
+    if m = @data.match(RELOCS_RE)
+      a = m[1..-1].map{|x| x.unpack('V').first }
+    else
+      logger.error "[!] cannot find imports"
+      raise
+      return
+    end
+    @relocs_rva ||= @ldr[(@ebp + a[0]) & 0xffff_ffff, 4].unpack('V').first
+    logger.info "[.] relocs RVA = %x" % @relocs_rva
+  end
+  ########################################################################
+  def rebuild_imports
+    return unless @imports_rva
+    iids = []
+    va = @imports_rva
+    sz = PEdump::IMAGE_IMPORT_DESCRIPTOR::SIZE
+    while true
+      iid = PEdump::IMAGE_IMPORT_DESCRIPTOR.read(@ldr[va,sz])
+      va += sz # increase ptr before breaking, req'd 4 saving total import table size in data dir
+      break if iid.Name.to_i == 0
+      [:original_first_thunk, :first_thunk].each do |tbl|
+        camel = tbl.capitalize.to_s.gsub(/_./){ |char| char[1..-1].upcase}
+        iid[tbl] ||= []
+        if (va1 = iid[camel].to_i) != 0
+          while true
+            # intentionally include zero terminator in table to count IAT size
+            t = @ldr[va1,4].unpack('V').first
+            iid[tbl] << t
+            break if t == 0
+            va1 += 4
+          end
+        end
+      end
+      iids << iid
+    end
+    @ldr.pe_hdr.ioh.DataDirectory[PEdump::IMAGE_DATA_DIRECTORY::IMPORT].tap do |dd|
+      dd.va   = @imports_rva
+      dd.size = va-@imports_rva
+    end
+    if iids.any?
+      iids.sort_by!(&:FirstThunk)
+      @ldr.pe_hdr.ioh.DataDirectory[PEdump::IMAGE_DATA_DIRECTORY::IAT].tap do |dd|
+        # Points to the beginning of the first Import Address Table (IAT).
+        dd.va   = iids.first.FirstThunk
+        # The Size field indicates the total size of all the IATs.
+        dd.size = iids.last.FirstThunk - iids.first.FirstThunk + iids.last.first_thunk.size*4
+        # ... to temporarily mark the IATs as read-write during import resolution.
+        # http://msdn.microsoft.com/en-us/magazine/bb985997.aspx
+      end
+    end
+  end
+  def rebuild_relocs
+    return if @relocs_rva.to_i == 0
+    va = @relocs_rva
+    while true
+      a = @ldr[va,4*2].to_s.unpack('V*')
+      break if a[0] == 0 || a[1] == 0
+      va += a[1]
+    end
+    @ldr.pe_hdr.ioh.DataDirectory[PEdump::IMAGE_DATA_DIRECTORY::BASERELOC].tap do |dd|
+      dd.va   = @relocs_rva
+      dd.size = va-@relocs_rva
+    end
+  end
+  def rebuild_tls h = {}
+    dd = @ldr.pe_hdr.ioh.DataDirectory[PEdump::IMAGE_DATA_DIRECTORY::TLS]
+    return if dd.va.to_i == 0 || dd.size.to_i == 0
+    case h[:step]
+    when 1 # store @tls_data
+      @tls_data = @ldr[dd.va, dd.size]
+    when 2 # search in unpacked sections
+      return unless @tls_data if h[:step] == 2
+      # search for original TLS data in all unpacked sections
+      @ldr.sections.each do |section|
+        if offset = section.data.index(@tls_data)
+          # found a TLS section
+          dd.va = section.va + offset
+          return
+        end
+      end
+      logger.error "[!] can't find TLS section"
+    else
+      raise "invalid step"
+    end
+  end
+  def compile_unlzx dest
+    logger.info "[*] compiling #{File.basename(dest)} .."
+    system("gcc", UNLZX_SRC, "-o", dest)
+    unless File.file?(dest) && File.executable?(dest)
+      logger.fatal "[!] %s compile failed, please compile it yourself at %s" % [
+        File.basename(dest), File.dirname(dest)
+      ]
+    end
+  end
+  def unlzx_pathname
+    UNLZXes.each do |unlzx|
+      return unlzx if File.file?(unlzx) && File.executable?(unlzx)
+    end
+    # nothing found, try to compile
+    UNLZXes.each do |unlzx|
+      compile_unlzx unlzx
+      return unlzx if File.file?(unlzx) && File.executable?(unlzx)
+    end
+    # all compiles failed
+    raise "no aspack_unlzx binary"
+  end
+  def unpack_section data, packed_size, unpacked_size
+    data = IO.popen("#{unlzx_pathname} #{packed_size.to_i} #{unpacked_size.to_i}","r+") do |f|
+      f.write data
+      f.close_write
+      f.read
+    end
+    raise $?.inspect unless $?.success?
+    data
+  end
+  def decode_e8e9 data
+    return if !data || data.size < 6
+    return if [@e8e9_flag, @e8e9_mode, @e8e9_cmp].any?(&:nil?)
+    return if @e8e9_flag != 0
+    size = data.size - 6
+    offs = 0
+    while size > 0
+      b0 = data[offs]
+      if b0 != "\xE8" && b0 != "\xE9"
+        size-=1; offs+=1
+        next
+      end
+      dw = data[offs+1,4].unpack('V').first
+      if @e8e9_mode == 0
+        if (dw & 0xff) != @e8e9_cmp
+          size-=1; offs+=1
+          next
+        end
+        # dw &= 0xffffff00; dw = ROL(dw, 24)
+        dw >>= 8
+      end
+      t = (dw-offs) & 0xffffffff  # keep value in 32 bits
+      #logger.debug "[d] data[%6x] = %8x" % [offs+1, t]
+      data[offs+1,4] = [t].pack('V')
+      offs += 5; size -= [size, 5].min
+    end
+  end
+  ########################################################################
+  def unpack
+    if @section = @ldr.va2section(@ldr.ep)
+      @data = @section.data
+      logger.debug "[.] EP section: #{@section.inspect}"
+    else
+      logger.fatal "[!] cannot determine EP section"
+      return
+    end
+    decrypt      # must be called before any other finds
+    find_imports # also fills @ebp for other finds
+    find_e8e9
+    find_obj_tbl
+    find_oep
+    find_relocs
+    ###
+    rebuild_tls :step => 1
+    sorted_obj_tbl = @obj_tbl.sort_by{ |x| @ldr.pedump.va2file(x.va) }
+    sorted_obj_tbl.each_with_index do |obj,idx|
+      # restore section flags, if any
+      @ldr.va2section(obj.va).flags = obj.flags if obj.flags
+      next if obj.size < 0 # empty section
+      #file_offset = @ldr.pedump.va2file(obj.va)
+      #@io.seek file_offset
+      packed_size =
+        if idx == sorted_obj_tbl.size - 1
+          # last obj
+          obj.size
+        else
+          # subtract this file_offset from next object file_offset
+          @ldr.pedump.va2file(sorted_obj_tbl[idx+1].va) - @ldr.pedump.va2file(obj.va)
+        end
+      #packed_data = @io.read packed_size
+      packed_data = @ldr[obj.va, packed_size]
+      unpacked_data = unpack_section(packed_data, packed_data.size, obj.size).force_encoding('binary')
+      # decode e8/e9 only on 1st section?
+      decode_e8e9(unpacked_data) if obj == @obj_tbl.first
+      @ldr[obj.va, unpacked_data.size] = unpacked_data
+      logger.debug "[.] %8x: %8x -> %8x" % [obj.va, packed_size, unpacked_data.size]
+    end
+    rebuild_imports
+    rebuild_relocs
+    rebuild_tls :step => 2
+    @ldr.pe_hdr.ioh.AddressOfEntryPoint = @oep.to_i
+    @ldr
+  end
+end
+##########################################################################
+if __FILE__ == $0
+  fnames =
+    if ARGV.empty?
+      Dir['samples/*.{dll,exe,bin,ocx}']
+    else
+      ARGV
+    end
+  require 'pp'
+  fnames.each do |fname|
+    @fname = fname
+    File.open(fname,"rb") do |f|
+      pedump = PEdump.new :log_level => Logger::DEBUG
+      next unless packer = Array(pedump.packer(f)).first
+      next unless packer.name =~ /aspack/i
+      STDERR.puts "\n=== #{fname}".green
+      f.rewind
+      unpacker = PEdump::Unpacker::ASPack.new(f,
+                                              :log_level => Logger::DEBUG,
+                                              :color => true)
+      if l = unpacker.unpack
+        # returns PEdump::Loader with unpacked data
+        File.open("unpacked.exe","wb") do |f|
+          l.dump(f)
+        end
+      end
+    end
+  end
+end