pedump 0.6.0 → 0.6.4

data/lib/pedump.rb

@@ -30,7 +30,7 @@ class PEdump
   VERSION    = Version::STRING
   MAX_ERRORS = 100
   MAX_IMAGE_IMPORT_DESCRIPTORS = 1000
-  MAX_EXPORT_NUMBER_OF_NAMES = 16384 # got 7977 in http://pedump.me/03ad7400080678c6b1984f995d36fd04
+  MAX_EXPORT_NUMBER_OF_NAMES = 16384 # got 7977 in https://pedump.me/03ad7400080678c6b1984f995d36fd04
   GOOD_FUNCTION_NAME_RE = /\A[\x21-\x7f]+\Z/
   SUPPORTED_SIGNATURES = ['MZ', 'ZM', 'VZ']
 
@@ -261,7 +261,7 @@ class PEdump
 
   # http://ntcore.com/files/richsign.htm
   class RichHdr < String
-    attr_accessor :offset, :key # xor key
+    attr_accessor :offset, :skip, :key # xor key
 
     class Entry < Struct.new(:version,:id,:times)
       def inspect
@@ -270,8 +270,21 @@ class PEdump
     end
 
     def self.from_dos_stub stub
+      #stub.hexdump
       key = stub[stub.index('Rich')+4,4]
       start_idx = stub.index(key.xor('DanS'))
+      skip = 0
+      if start_idx
+        skip = 4
+      else
+        PEdump.logger.warn "[?] cannot find rich_hdr start_idx, using heuristics"
+        start_idx = stub.index("$\x00\x00\x00\x00\x00\x00\x00")
+        unless start_idx
+          PEdump.logger.warn "[?] heuristics failed :("
+          return nil
+        end
+        start_idx += 8
+      end
       end_idx   = stub.index('Rich')+8
       if stub[end_idx..-1].tr("\x00",'') != ''
         t = stub[end_idx..-1]
@@ -279,14 +292,16 @@ class PEdump
         PEdump.logger.error "[!] non-zero dos stub after rich_hdr: #{t.inspect}"
         return nil
       end
+      #stub[start_idx, end_idx-start_idx].hexdump
       RichHdr.new(stub[start_idx, end_idx-start_idx]).tap do |x|
         x.key = key
         x.offset = stub.offset + start_idx
+        x.skip = skip
       end
     end
 
     def dexor
-      self[4..-9].sub(/\A(#{Regexp::escape(key)}){3}/,'').xor(key)
+      self[skip..-9].sub(/\A(#{Regexp::escape(key)}){3}/,'').xor(key)
     end
 
     def decode
@@ -382,6 +397,13 @@ class PEdump
   def va2file va, h={}
     return nil if va.nil?
 
+    va0 = va # save for log output of original addr
+    if pe?
+      # most common case, do nothing
+    elsif te?
+      va = va - te_shift()
+    end
+
     sections.each do |s|
       if (s.VirtualAddress...(s.VirtualAddress+s.VirtualSize)).include?(va)
         offset = va - s.VirtualAddress
@@ -413,9 +435,9 @@ class PEdump
     # TODO: not all VirtualAdresses == 0 case
 
     if h[:quiet]
-      logger.debug "[?] can't find file_offset of VA 0x#{va.to_i.to_s(16)} (quiet=true)"
+      logger.debug "[?] can't find file_offset of VA 0x#{va0.to_i.to_s(16)} (quiet=true)"
     else
-      logger.error "[?] can't find file_offset of VA 0x#{va.to_i.to_s(16)}"
+      logger.error "[?] can't find file_offset of VA 0x#{va0.to_i.to_s(16)}"
     end
     nil
   end
@@ -546,6 +568,8 @@ class PEdump
       pe_imports(f)
     elsif ne(f)
       ne(f).imports
+    else
+      []
     end
   end
 
@@ -633,7 +657,7 @@ class PEdump
                 nil
               else
                 hint = f.read(2).unpack('v').first
-                name = f.gets("\x00").chomp("\x00")
+                name = f.gets("\x00").to_s.chomp("\x00")
                 if !name.empty? && name !~ GOOD_FUNCTION_NAME_RE
                   n_bad_names += 1
                   if n_bad_names > MAX_ERRORS

data/pedump.gemspec

@@ -1,17 +1,17 @@
-# Generated by jeweler
+# Generated by juwelier
 # DO NOT EDIT THIS FILE DIRECTLY
-# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
+# Instead, edit Juwelier::Tasks in Rakefile, and run 'rake gemspec'
 # -*- encoding: utf-8 -*-
-# stub: pedump 0.6.0 ruby lib
+# stub: pedump 0.6.4 ruby lib
 
 Gem::Specification.new do |s|
   s.name = "pedump".freeze
-  s.version = "0.6.0"
+  s.version = "0.6.4"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0".freeze) if s.respond_to? :required_rubygems_version=
   s.require_paths = ["lib".freeze]
   s.authors = ["Andrey \"Zed\" Zaikin".freeze]
-  s.date = "2020-07-27"
+  s.date = "2022-01-29"
   s.description = "dump headers, sections, extract resources of win32 PE exe,dll,etc".freeze
   s.email = "zed.0xff@gmail.com".freeze
   s.executables = ["pedump".freeze]
@@ -20,8 +20,6 @@ Gem::Specification.new do |s|
     "README.md"
   ]
   s.files = [
-    ".github/FUNDING.yml",
-    ".github/dependabot.yml",
     "CODE_OF_CONDUCT.md",
     "Gemfile",
     "Gemfile.lock",
@@ -30,6 +28,7 @@ Gem::Specification.new do |s|
     "Rakefile",
     "VERSION",
     "bin/pedump",
+    "data/comp_id.txt",
     "data/fs.txt",
     "data/jc-userdb.txt",
     "data/sig.bin",
@@ -50,6 +49,7 @@ Gem::Specification.new do |s|
     "lib/pedump/packer.rb",
     "lib/pedump/pe.rb",
     "lib/pedump/resources.rb",
+    "lib/pedump/rich.rb",
     "lib/pedump/security.rb",
     "lib/pedump/sig_parser.rb",
     "lib/pedump/te.rb",
@@ -68,43 +68,33 @@ Gem::Specification.new do |s|
   ]
   s.homepage = "http://github.com/zed-0xff/pedump".freeze
   s.licenses = ["MIT".freeze]
-  s.rubygems_version = "2.7.10".freeze
+  s.rubygems_version = "3.2.32".freeze
   s.summary = "dump win32 PE executable files with a pure ruby".freeze
 
   if s.respond_to? :specification_version then
     s.specification_version = 4
+  end
 
-    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
-      s.add_runtime_dependency(%q<rainbow>.freeze, [">= 0"])
-      s.add_runtime_dependency(%q<awesome_print>.freeze, [">= 0"])
-      s.add_runtime_dependency(%q<iostruct>.freeze, [">= 0.0.4"])
-      s.add_runtime_dependency(%q<multipart-post>.freeze, [">= 2.0.0"])
-      s.add_runtime_dependency(%q<zhexdump>.freeze, [">= 0.0.2"])
-      s.add_development_dependency(%q<rspec>.freeze, ["~> 3.9.0"])
-      s.add_development_dependency(%q<rspec-its>.freeze, ["~> 1.3.0"])
-      s.add_development_dependency(%q<bundler>.freeze, ["~> 2.1.4"])
-      s.add_development_dependency(%q<jeweler>.freeze, ["~> 2.3.9"])
-    else
-      s.add_dependency(%q<rainbow>.freeze, [">= 0"])
-      s.add_dependency(%q<awesome_print>.freeze, [">= 0"])
-      s.add_dependency(%q<iostruct>.freeze, [">= 0.0.4"])
-      s.add_dependency(%q<multipart-post>.freeze, [">= 2.0.0"])
-      s.add_dependency(%q<zhexdump>.freeze, [">= 0.0.2"])
-      s.add_dependency(%q<rspec>.freeze, ["~> 3.9.0"])
-      s.add_dependency(%q<rspec-its>.freeze, ["~> 1.3.0"])
-      s.add_dependency(%q<bundler>.freeze, ["~> 2.1.4"])
-      s.add_dependency(%q<jeweler>.freeze, ["~> 2.3.9"])
-    end
+  if s.respond_to? :add_runtime_dependency then
+    s.add_runtime_dependency(%q<rainbow>.freeze, [">= 0"])
+    s.add_runtime_dependency(%q<awesome_print>.freeze, [">= 0"])
+    s.add_runtime_dependency(%q<iostruct>.freeze, [">= 0.0.4"])
+    s.add_runtime_dependency(%q<multipart-post>.freeze, [">= 2.0.0"])
+    s.add_runtime_dependency(%q<zhexdump>.freeze, [">= 0.0.2"])
+    s.add_development_dependency(%q<rspec>.freeze, [">= 0"])
+    s.add_development_dependency(%q<rspec-its>.freeze, [">= 0"])
+    s.add_development_dependency(%q<bundler>.freeze, [">= 0"])
+    s.add_development_dependency(%q<juwelier>.freeze, [">= 0"])
   else
     s.add_dependency(%q<rainbow>.freeze, [">= 0"])
     s.add_dependency(%q<awesome_print>.freeze, [">= 0"])
     s.add_dependency(%q<iostruct>.freeze, [">= 0.0.4"])
     s.add_dependency(%q<multipart-post>.freeze, [">= 2.0.0"])
     s.add_dependency(%q<zhexdump>.freeze, [">= 0.0.2"])
-    s.add_dependency(%q<rspec>.freeze, ["~> 3.9.0"])
-    s.add_dependency(%q<rspec-its>.freeze, ["~> 1.3.0"])
-    s.add_dependency(%q<bundler>.freeze, ["~> 2.1.4"])
-    s.add_dependency(%q<jeweler>.freeze, ["~> 2.3.9"])
+    s.add_dependency(%q<rspec>.freeze, [">= 0"])
+    s.add_dependency(%q<rspec-its>.freeze, [">= 0"])
+    s.add_dependency(%q<bundler>.freeze, [">= 0"])
+    s.add_dependency(%q<juwelier>.freeze, [">= 0"])
   end
 end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: pedump
 version: !ruby/object:Gem::Version
-  version: 0.6.0
+  version: 0.6.4
 platform: ruby
 authors:
 - Andrey "Zed" Zaikin
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-07-27 00:00:00.000000000 Z
+date: 2022-01-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rainbow
@@ -84,58 +84,58 @@ dependencies:
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 3.9.0
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 3.9.0
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec-its
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 1.3.0
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 1.3.0
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 2.1.4
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 2.1.4
+        version: '0'
 - !ruby/object:Gem::Dependency
-  name: jeweler
+  name: juwelier
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 2.3.9
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 2.3.9
+        version: '0'
 description: dump headers, sections, extract resources of win32 PE exe,dll,etc
 email: zed.0xff@gmail.com
 executables:
@@ -145,8 +145,6 @@ extra_rdoc_files:
 - LICENSE.txt
 - README.md
 files:
-- ".github/FUNDING.yml"
-- ".github/dependabot.yml"
 - CODE_OF_CONDUCT.md
 - Gemfile
 - Gemfile.lock
@@ -155,6 +153,7 @@ files:
 - Rakefile
 - VERSION
 - bin/pedump
+- data/comp_id.txt
 - data/fs.txt
 - data/jc-userdb.txt
 - data/sig.bin
@@ -175,6 +174,7 @@ files:
 - lib/pedump/packer.rb
 - lib/pedump/pe.rb
 - lib/pedump/resources.rb
+- lib/pedump/rich.rb
 - lib/pedump/security.rb
 - lib/pedump/sig_parser.rb
 - lib/pedump/te.rb
@@ -194,7 +194,7 @@ homepage: http://github.com/zed-0xff/pedump
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -209,9 +209,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.10
-signing_key: 
+rubygems_version: 3.2.32
+signing_key:
 specification_version: 4
 summary: dump win32 PE executable files with a pure ruby
 test_files: []

data/.github/FUNDING.yml

@@ -1,2 +0,0 @@
-#github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
-ko_fi: zed_0xff

data/.github/dependabot.yml

@@ -1,8 +0,0 @@
-# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
-
-version: 2
-updates:
-  - package-ecosystem: bundler
-    directory: "/"
-    schedule:
-      interval: "weekly"