Ejemplo n.º 1
0
        public PkLiteUnpacker(IServiceProvider services, string filename, byte [] rawImg) : base(services, filename, rawImg)
        {
            var exe    = new ExeImageLoader(services, filename, rawImg);
            var cfgSvc = services.RequireService <IConfigurationService>();

            this.arch = cfgSvc.GetArchitecture("x86-real-16");
            platform  = cfgSvc.GetEnvironment("ms-dos")
                        .Load(services, arch);

            uint pkLiteHdrOffset = (uint)(exe.e_cparHeader * 0x10);

            if (RawImage[pkLiteHdrOffset] != 0xB8)
            {
                throw new ApplicationException(string.Format("Expected MOV AX,XXXX at offset 0x{0:X4}.", pkLiteHdrOffset));
            }
            uint cparUncompressed = MemoryArea.ReadLeUInt16(RawImage, pkLiteHdrOffset + 1);

            abU = new byte[cparUncompressed * 0x10U];

            if (RawImage[pkLiteHdrOffset + 0x04C] != 0x83)
            {
                throw new ApplicationException(string.Format("Expected ADD BX,+XX at offset 0x{0:X4}.", pkLiteHdrOffset + 0x04C));
            }
            uint offCompressedData = pkLiteHdrOffset + RawImage[pkLiteHdrOffset + 0x04E] * 0x10u - PspSize;

            bitStm = new BitStream(RawImage, (int)offCompressedData);
        }
Ejemplo n.º 2
0
 public void ValidateImage()
 {
     Program prog = new Program();
     LoadedImage rawImage = new LoadedImage(Address.SegPtr(0x0C00, 0), CreateMsdosHeader());
     ExeImageLoader exe = new ExeImageLoader(null, "foo.exe", rawImage.Bytes);
     Assert.IsTrue(PkLiteUnpacker.IsCorrectUnpacker(exe, rawImage.Bytes));
 }
Ejemplo n.º 3
0
		public LzExeUnpacker(IServiceProvider services, ExeImageLoader exe, string filename, byte [] rawImg) : base(services, filename, rawImg)
		{
            this.arch = new IntelArchitecture(ProcessorMode.Real);
            this.platform = new MsdosPlatform(services, arch);

            Validate(exe);
		}
Ejemplo n.º 4
0
		static public bool IsCorrectUnpacker(ExeImageLoader exe, byte [] rawImg)
		{
			if (exe.e_ovno != 0)
				return false;

			return LoadedImage.CompareArrays(rawImg, (int) signatureOffset, signature, signature.Length);
		}
Ejemplo n.º 5
0
        public ExePackLoader(IServiceProvider services, string filename, byte[] imgRaw)
            : base(services, filename, imgRaw)
        {
            var cfgSvc = services.RequireService<IConfigurationService>();
            arch = cfgSvc.GetArchitecture("x86-real-16");
            platform =cfgSvc.GetEnvironment("ms-dos")
                .Load(Services, arch);

            var exe = new ExeImageLoader(services, filename, imgRaw);
            this.exeHdrSize = (uint)(exe.e_cparHeader * 0x10U);
            this.hdrOffset = (uint)(exe.e_cparHeader + exe.e_cs) * 0x10U;
            ImageReader rdr = new LeImageReader(RawImage, hdrOffset);
            this.ip = rdr.ReadLeUInt16();
            this.cs = rdr.ReadLeUInt16();
            rdr.ReadLeUInt16();
            this.cbExepackHeader = rdr.ReadLeUInt16();
            this.sp = rdr.ReadLeUInt16();
            this.ss = rdr.ReadLeUInt16();
            this.cpUncompressed = rdr.ReadLeUInt16();

            int offset = ExePackHeaderOffset(exe);
            if (MemoryArea.CompareArrays(imgRaw, offset, signature, signature.Length))
            {
                relocationsOffset = 0x012D;
            }
            else if (MemoryArea.CompareArrays(imgRaw, offset, signature2, signature2.Length))
            {
                relocationsOffset = 0x0125;
            }
            else
                throw new ApplicationException("Not a recognized EXEPACK image.");
        }
Ejemplo n.º 6
0
        public ExePackLoader(IServiceProvider services, string filename, byte[] imgRaw)
            : base(services, filename, imgRaw)
        {
            arch = new IntelArchitecture(ProcessorMode.Real);
            platform = new MsdosPlatform(Services, arch);

            var exe = new ExeImageLoader(services, filename, imgRaw);
            this.exeHdrSize = (uint)(exe.e_cparHeader * 0x10U);
            this.hdrOffset = (uint)(exe.e_cparHeader + exe.e_cs) * 0x10U;
            ImageReader rdr = new LeImageReader(RawImage, hdrOffset);
            this.ip = rdr.ReadLeUInt16();
            this.cs = rdr.ReadLeUInt16();
            rdr.ReadLeUInt16();
            this.cbExepackHeader = rdr.ReadLeUInt16();
            this.sp = rdr.ReadLeUInt16();
            this.ss = rdr.ReadLeUInt16();
            this.cpUncompressed = rdr.ReadLeUInt16();

            int offset = ExePackHeaderOffset(exe);
            if (LoadedImage.CompareArrays(imgRaw, offset, signature, signature.Length))
            {
                relocationsOffset = 0x012D;
            }
            else if (LoadedImage.CompareArrays(imgRaw, offset, signature2, signature2.Length))
            {
                relocationsOffset = 0x0125;
            }
            else
                throw new ApplicationException("Not a recognized EXEPACK image.");
        }
Ejemplo n.º 7
0
        public PkLiteUnpacker(IServiceProvider services, string filename, byte [] rawImg) : base(services, filename, rawImg)
        {
            var exe = new ExeImageLoader(services, filename, rawImg);

            arch     = new IntelArchitecture(ProcessorMode.Real);
            platform = new MsdosPlatform(services, arch);

            uint pkLiteHdrOffset = (uint)(exe.e_cparHeader * 0x10);

            if (RawImage[pkLiteHdrOffset] != 0xB8)
            {
                throw new ApplicationException(string.Format("Expected MOV AX,XXXX at offset 0x{0:X4}.", pkLiteHdrOffset));
            }
            uint cparUncompressed = LoadedImage.ReadLeUInt16(RawImage, pkLiteHdrOffset + 1);

            abU = new byte[cparUncompressed * 0x10U];

            if (RawImage[pkLiteHdrOffset + 0x04C] != 0x83)
            {
                throw new ApplicationException(string.Format("Expected ADD BX,+XX at offset 0x{0:X4}.", pkLiteHdrOffset + 0x04C));
            }
            uint offCompressedData = pkLiteHdrOffset + RawImage[pkLiteHdrOffset + 0x04E] * 0x10u - PspSize;

            bitStm = new BitStream(RawImage, (int)offCompressedData);
        }
Ejemplo n.º 8
0
        public LzExeUnpacker(IServiceProvider services, ExeImageLoader exe, string filename, byte [] rawImg) : base(services, filename, rawImg)
        {
            this.arch     = new IntelArchitecture(ProcessorMode.Real);
            this.platform = new MsdosPlatform(services, arch);

            Validate(exe);
        }
Ejemplo n.º 9
0
        public ExePackLoader(IServiceProvider services, string filename, byte[] imgRaw)
            : base(services, filename, imgRaw)
        {
            arch     = new IntelArchitecture(ProcessorMode.Real);
            platform = new MsdosPlatform(Services, arch);

            var exe = new ExeImageLoader(services, filename, imgRaw);

            this.exeHdrSize = (uint)(exe.e_cparHeader * 0x10U);
            this.hdrOffset  = (uint)(exe.e_cparHeader + exe.e_cs) * 0x10U;
            ImageReader rdr = new LeImageReader(RawImage, hdrOffset);

            this.ip = rdr.ReadLeUInt16();
            this.cs = rdr.ReadLeUInt16();
            rdr.ReadLeUInt16();
            this.cbExepackHeader = rdr.ReadLeUInt16();
            this.sp             = rdr.ReadLeUInt16();
            this.ss             = rdr.ReadLeUInt16();
            this.cpUncompressed = rdr.ReadLeUInt16();

            int offset = ExePackHeaderOffset(exe);

            if (LoadedImage.CompareArrays(imgRaw, offset, signature, signature.Length))
            {
                relocationsOffset = 0x012D;
            }
            else if (LoadedImage.CompareArrays(imgRaw, offset, signature2, signature2.Length))
            {
                relocationsOffset = 0x0125;
            }
            else
            {
                throw new ApplicationException("Not a recognized EXEPACK image.");
            }
        }
Ejemplo n.º 10
0
        static public bool IsCorrectUnpacker(ExeImageLoader exe, byte[] rawImg)
        {
            int offset = ExePackHeaderOffset(exe);

            return(MemoryArea.CompareArrays(rawImg, offset, signature, signature.Length) ||
                   MemoryArea.CompareArrays(rawImg, offset, signature2, signature2.Length));
        }
Ejemplo n.º 11
0
 public MsdosImageLoader(IServiceProvider services, string filename, ExeImageLoader exe) : base(services, filename, exe.RawImage)
 {
     this.exe      = exe;
     this.arch     = new IntelArchitecture(ProcessorMode.Real);
     this.platform = this.platform = services.RequireService <IConfigurationService>()
                                     .GetEnvironment("ms-dos")
                                     .Load(services, arch);
 }
Ejemplo n.º 12
0
		public MsdosImageLoader(IServiceProvider services, string filename, ExeImageLoader exe) : base(services, filename, exe.RawImage)
		{
			this.exe = exe;
            this.arch = new IntelArchitecture(ProcessorMode.Real);
            this.platform = this.platform = services.RequireService<IConfigurationService>()
                .GetEnvironment("ms-dos")
                .Load(services, arch);
		}
Ejemplo n.º 13
0
		public MsdosImageLoader(IServiceProvider services, string filename, ExeImageLoader exe) : base(services, filename, exe.RawImage)
		{
			this.exe = exe;
            var cfgSvc = services.RequireService<IConfigurationService>();
            this.arch = cfgSvc.GetArchitecture("x86-real-16");
            this.platform = cfgSvc.GetEnvironment("ms-dos")
                .Load(services, arch);
		}
Ejemplo n.º 14
0
 public LzExeUnpacker(IServiceProvider services, ExeImageLoader exe, string filename, byte [] rawImg) : base(services, filename, rawImg)
 {
     this.arch     = new IntelArchitecture(ProcessorMode.Real);
     this.platform = services.RequireService <IConfigurationService>()
                     .GetEnvironment("ms-dos")
                     .Load(services, arch);
     Validate(exe);
 }
Ejemplo n.º 15
0
		public LzExeUnpacker(IServiceProvider services, ExeImageLoader exe, string filename, byte [] rawImg) : base(services, filename, rawImg)
		{
            this.arch = new IntelArchitecture(ProcessorMode.Real);
            this.platform = services.RequireService<IConfigurationService>()
                .GetEnvironment("ms-dos")
                .Load(services, arch);
            Validate(exe);
		}
Ejemplo n.º 16
0
		public LzExeUnpacker(IServiceProvider services, ExeImageLoader exe, string filename, byte [] rawImg) : base(services, filename, rawImg)
		{
            var cfgSvc = services.RequireService<IConfigurationService>();
            this.arch = cfgSvc.GetArchitecture("x86-real-16");
            this.platform = cfgSvc.GetEnvironment("ms-dos")
                .Load(services, arch);
            Validate(exe);
		}
Ejemplo n.º 17
0
		public LzExeUnpacker(IServiceProvider services, ExeImageLoader exe, string filename, byte [] rawImg) : base(services, filename, rawImg)
		{
            var cfgSvc = services.RequireService<IConfigurationService>();
            this.arch = cfgSvc.GetArchitecture("x86-real-16");
            this.platform = cfgSvc.GetEnvironment("ms-dos")
                .Load(services, arch);
            Validate(exe);
		}
Ejemplo n.º 18
0
        public MsdosImageLoader(IServiceProvider services, string filename, ExeImageLoader exe) : base(services, filename, exe.RawImage)
        {
            this.exe = exe;
            var cfgSvc = services.RequireService <IConfigurationService>();

            this.arch     = cfgSvc.GetArchitecture("x86-real-16");
            this.platform = cfgSvc.GetEnvironment("ms-dos")
                            .Load(services, arch);
        }
Ejemplo n.º 19
0
        static public bool IsCorrectUnpacker(ExeImageLoader exe, byte [] rawImg)
        {
            if (exe.e_ovno != 0)
            {
                return(false);
            }

            return(ByteMemoryArea.CompareArrays(rawImg, (int)signatureOffset, signature, signature.Length));
        }
Ejemplo n.º 20
0
        // EXE header test (is it LZEXE file?)
        public static bool IsCorrectUnpacker(ExeImageLoader exe, byte [] rawImg)
        {
            if (exe.e_ovno != 0 || exe.e_lfaRelocations != 0x1C)
                return false;

            int lzHdrOffset = ((int) exe.e_cparHeader + (int) exe.e_cs) << 4;
            int entry = lzHdrOffset + exe.e_ip;
            return (ByteMemoryArea.CompareArrays(rawImg, entry, s_sig91, s_sig91.Length) ||
                    ByteMemoryArea.CompareArrays(rawImg, entry, s_sig90, s_sig90.Length));
        }
Ejemplo n.º 21
0
        public MsdosImageLoader(ExeImageLoader exe)
            : base(exe.Services, exe.Filename, exe.RawImage)
        {
            this.ExeLoader = exe;
            var cfgSvc = Services.RequireService <IConfigurationService>();

            this.arch     = cfgSvc.GetArchitecture("x86-real-16");
            this.platform = cfgSvc.GetEnvironment("ms-dos")
                            .Load(Services, arch);
        }
Ejemplo n.º 22
0
        public MsdosImageLoader(ExeImageLoader exe)
            : base(exe.Services, exe.ImageLocation, exe.RawImage)
        {
            this.ExeLoader = exe;
            var cfgSvc = Services.RequireService <IConfigurationService>();

            this.arch     = cfgSvc.GetArchitecture("x86-real-16") !;
            this.platform = cfgSvc.GetEnvironment("ms-dos")
                            .Load(Services, arch);
            this.imgLoaded    = null !;
            this.segmentMap   = null !;
            this.addrStackTop = null !;
        }
Ejemplo n.º 23
0
		public PkLiteUnpacker(IServiceProvider services, string filename, byte [] rawImg) : base(services, filename, rawImg)
		{
            var exe = new ExeImageLoader(services, filename, rawImg);
            arch = new IntelArchitecture(ProcessorMode.Real);
            platform = new MsdosPlatform(services, arch);

			uint pkLiteHdrOffset = (uint) (exe.e_cparHeader * 0x10);

			if (RawImage[pkLiteHdrOffset] != 0xB8)
				throw new ApplicationException(string.Format("Expected MOV AX,XXXX at offset 0x{0:X4}.", pkLiteHdrOffset));
			uint cparUncompressed = LoadedImage.ReadLeUInt16(RawImage, pkLiteHdrOffset + 1);
			abU = new byte[cparUncompressed * 0x10U];

			if (RawImage[pkLiteHdrOffset + 0x04C] != 0x83)
				throw new ApplicationException(string.Format("Expected ADD BX,+XX at offset 0x{0:X4}.", pkLiteHdrOffset + 0x04C));
			uint offCompressedData = pkLiteHdrOffset + RawImage[pkLiteHdrOffset + 0x04E] * 0x10u - PspSize;
			bitStm = new BitStream(RawImage, (int) offCompressedData);
		}
Ejemplo n.º 24
0
 private void emulatorToolStripMenuItem_Click(object sender, EventArgs e)
 {
     var sc = new ServiceContainer();
     var fs = new FileStream(@"D:\dev\jkl\dec\halsten\decompiler_paq\upx\demo.exe", FileMode.Open);
     var size = fs.Length;
     var abImage = new byte[size];
     fs.Read(abImage, 0, (int) size);
     var exe = new ExeImageLoader(sc, "foolexe", abImage);
     var peLdr = new PeImageLoader(sc, "foo.exe" ,abImage, exe.e_lfanew);
     var addr = peLdr.PreferredBaseAddress;
     var program = peLdr.Load(addr);
     var rr = peLdr.Relocate(program, addr);
     var win32 = new Win32Emulator(program.Image, program.Platform, program.ImportReferences);
     var emu = new X86Emulator((IntelArchitecture) program.Architecture, program.Image, win32);
     emu.InstructionPointer = rr.EntryPoints[0].Address;
     emu.ExceptionRaised += delegate { throw new Exception(); };
     emu.WriteRegister(Registers.esp, (uint) peLdr.PreferredBaseAddress.ToLinear() + 0x0FFC);
     emu.Start();
 }
Ejemplo n.º 25
0
		public PkLiteUnpacker(IServiceProvider services, string filename, byte [] rawImg) : base(services, filename, rawImg)
		{
            var exe = new ExeImageLoader(services, filename, rawImg);
            var cfgSvc = services.RequireService<IConfigurationService>();
            this.arch = cfgSvc.GetArchitecture("x86-real-16");
            platform = cfgSvc.GetEnvironment("ms-dos")
                .Load(services, arch);

			uint pkLiteHdrOffset = (uint) (exe.e_cparHeader * 0x10);

			if (RawImage[pkLiteHdrOffset] != 0xB8)
				throw new ApplicationException(string.Format("Expected MOV AX,XXXX at offset 0x{0:X4}.", pkLiteHdrOffset));
			uint cparUncompressed = MemoryArea.ReadLeUInt16(RawImage, pkLiteHdrOffset + 1);
			abU = new byte[cparUncompressed * 0x10U];

			if (RawImage[pkLiteHdrOffset + 0x04C] != 0x83)
				throw new ApplicationException(string.Format("Expected ADD BX,+XX at offset 0x{0:X4}.", pkLiteHdrOffset + 0x04C));
			uint offCompressedData = pkLiteHdrOffset + RawImage[pkLiteHdrOffset + 0x04E] * 0x10u - PspSize;
			bitStm = new BitStream(RawImage, (int) offCompressedData);
		}
Ejemplo n.º 26
0
        public ExePackLoader(IServiceProvider services, string filename, byte[] imgRaw)
            : base(services, filename, imgRaw)
        {
            var cfgSvc = services.RequireService <IConfigurationService>();

            arch     = cfgSvc.GetArchitecture("x86-real-16");
            platform = cfgSvc.GetEnvironment("ms-dos")
                       .Load(Services, arch);

            var exe = new ExeImageLoader(services, filename, imgRaw);

            this.exeHdrSize = (uint)(exe.e_cparHeader * 0x10U);
            this.hdrOffset  = (uint)(exe.e_cparHeader + exe.e_cs) * 0x10U;
            EndianImageReader rdr = new LeImageReader(RawImage, hdrOffset);

            this.ip = rdr.ReadLeUInt16();
            this.cs = rdr.ReadLeUInt16();
            rdr.ReadLeUInt16();
            this.cbExepackHeader = rdr.ReadLeUInt16();
            this.sp             = rdr.ReadLeUInt16();
            this.ss             = rdr.ReadLeUInt16();
            this.cpUncompressed = rdr.ReadLeUInt16();

            int offset = ExePackHeaderOffset(exe);

            if (MemoryArea.CompareArrays(imgRaw, offset, signature, signature.Length))
            {
                relocationsOffset = 0x012D;
            }
            else if (MemoryArea.CompareArrays(imgRaw, offset, signature2, signature2.Length))
            {
                relocationsOffset = 0x0125;
            }
            else
            {
                throw new ApplicationException("Not a recognized EXEPACK image.");
            }
        }
Ejemplo n.º 27
0
        private void Validate(ExeImageLoader exe)
        {
            this.lzHdrOffset = (exe.e_cparHeader + exe.e_cs) << 4;

            // Locate the LzExe header and verify signature.

            byte[] abC = RawImage;
            int entry = lzHdrOffset + exe.e_ip;
            if (LoadedImage.CompareArrays(abC, entry, s_sig90, s_sig90.Length))
            {
                // Untested binary version
                isLz91 = false;
                throw new NotImplementedException("Untested");
            }
            else if (LoadedImage.CompareArrays(abC, entry, s_sig91, s_sig91.Length))
            {
                isLz91 = true;
            }
            else
            {
                throw new ApplicationException("Image is not an LzExe-compressed binary");
            }
        }
Ejemplo n.º 28
0
        private void Validate(ExeImageLoader exe)
        {
            this.lzHdrOffset = (exe.e_cparHeader + exe.e_cs) << 4;

            // Locate the LzExe header and verify signature.

            byte[] abC = RawImage;
            int entry = lzHdrOffset + exe.e_ip;
            if (ByteMemoryArea.CompareArrays(abC, entry, s_sig90, s_sig90.Length))
            {
                // Untested binary version
                isLz91 = false;
                throw new NotImplementedException("Untested");
            }
            else if (ByteMemoryArea.CompareArrays(abC, entry, s_sig91, s_sig91.Length))
            {
                isLz91 = true;
            }
            else
            {
                throw new ApplicationException("Image is not an LzExe-compressed binary");
            }
        }
Ejemplo n.º 29
0
 private static int ExePackHeaderOffset(ExeImageLoader exe)
 {
     return((exe.e_cparHeader + exe.e_cs) * 0x10 + exe.e_ip);
 }
Ejemplo n.º 30
0
		public MsdosImageLoader(IServiceProvider services, string filename, ExeImageLoader exe) : base(services, filename, exe.RawImage)
		{
			this.exe = exe;
            this.arch = new IntelArchitecture(ProcessorMode.Real);
            this.platform = new MsdosPlatform(services, arch);
		}
Ejemplo n.º 31
0
 public virtual PeImageLoader CreatePeImageLoader()
 {
     ExeImageLoader mz = new ExeImageLoader(Services, Filename, RawImage);
     PeImageLoader pe = new PeImageLoader(Services, Filename, RawImage, mz.e_lfanew);
     return pe;
 }
Ejemplo n.º 32
0
 private static int ExePackHeaderOffset(ExeImageLoader exe)
 {
     return (exe.e_cparHeader + exe.e_cs) * 0x10 + exe.e_ip;
 }
Ejemplo n.º 33
0
 public MsdosImageLoader(IServiceProvider services, string filename, ExeImageLoader exe) : base(services, filename, exe.RawImage)
 {
     this.exe      = exe;
     this.arch     = new IntelArchitecture(ProcessorMode.Real);
     this.platform = new MsdosPlatform(services, arch);
 }
Ejemplo n.º 34
0
        // EXE header test (is it LZEXE file?)
        public static bool IsCorrectUnpacker(ExeImageLoader exe, byte [] rawImg)
        {
            if (exe.e_ovno != 0 || exe.e_lfaRelocations != 0x1C)
                return false;

            int lzHdrOffset = ((int) exe.e_cparHeader + (int) exe.e_cs) << 4;
            int entry = lzHdrOffset + exe.e_ip;
            return (LoadedImage.CompareArrays(rawImg, entry, s_sig91, s_sig91.Length) ||
                    LoadedImage.CompareArrays(rawImg, entry, s_sig90, s_sig90.Length));
        }
Ejemplo n.º 35
0
 static public bool IsCorrectUnpacker(ExeImageLoader exe, byte[] rawImg)
 {
     int offset = ExePackHeaderOffset(exe);
     return LoadedImage.CompareArrays(rawImg, offset, signature, signature.Length) ||
            LoadedImage.CompareArrays(rawImg, offset, signature2, signature2.Length);
 }
Ejemplo n.º 36
0
 public void ValidateImage()
 {
     MemoryArea rawImage = new MemoryArea(Address.SegPtr(0x0C00, 0), CreateMsdosHeader());
     ExeImageLoader exe = new ExeImageLoader(null, "foo.exe", rawImage.Bytes);
     Assert.IsTrue(PkLiteUnpacker.IsCorrectUnpacker(exe, rawImage.Bytes));
 }