public void ValidateImage()
{
Program prog = new Program();
LoadedImage rawImage = new LoadedImage(Address.SegPtr(0x0C00, 0), CreateMsdosHeader());
ExeImageLoader exe = new ExeImageLoader(null, "foo.exe", rawImage.Bytes);
Assert.IsTrue(PkLiteUnpacker.IsCorrectUnpacker(exe, rawImage.Bytes));
}
public LzExeUnpacker(IServiceProvider services, ExeImageLoader exe, string filename, byte [] rawImg) : base(services, filename, rawImg)
{
this.arch = new IntelArchitecture(ProcessorMode.Real);
this.platform = new MsdosPlatform(services, arch);
Validate(exe);
}
static public bool IsCorrectUnpacker(ExeImageLoader exe, byte [] rawImg)
{
if (exe.e_ovno != 0)
return false;
return LoadedImage.CompareArrays(rawImg, (int) signatureOffset, signature, signature.Length);
}
public ExePackLoader(IServiceProvider services, string filename, byte[] imgRaw)
: base(services, filename, imgRaw)
{
arch = new IntelArchitecture(ProcessorMode.Real);
platform = new MsdosPlatform(Services, arch);
var exe = new ExeImageLoader(services, filename, imgRaw);
this.exeHdrSize = (uint)(exe.e_cparHeader * 0x10U);
this.hdrOffset = (uint)(exe.e_cparHeader + exe.e_cs) * 0x10U;
ImageReader rdr = new LeImageReader(RawImage, hdrOffset);
this.ip = rdr.ReadLeUInt16();
this.cs = rdr.ReadLeUInt16();
rdr.ReadLeUInt16();
this.cbExepackHeader = rdr.ReadLeUInt16();
this.sp = rdr.ReadLeUInt16();
this.ss = rdr.ReadLeUInt16();
this.cpUncompressed = rdr.ReadLeUInt16();
int offset = ExePackHeaderOffset(exe);
if (LoadedImage.CompareArrays(imgRaw, offset, signature, signature.Length))
{
relocationsOffset = 0x012D;
}
else if (LoadedImage.CompareArrays(imgRaw, offset, signature2, signature2.Length))
{
relocationsOffset = 0x0125;
}
else
throw new ApplicationException("Not a recognized EXEPACK image.");
}
public PkLiteUnpacker(IServiceProvider services, string filename, byte [] rawImg) : base(services, filename, rawImg)
{
var exe = new ExeImageLoader(services, filename, rawImg);
arch = new IntelArchitecture(ProcessorMode.Real);
platform = new MsdosPlatform(services, arch);
uint pkLiteHdrOffset = (uint) (exe.e_cparHeader * 0x10);
if (RawImage[pkLiteHdrOffset] != 0xB8)
throw new ApplicationException(string.Format("Expected MOV AX,XXXX at offset 0x{0:X4}.", pkLiteHdrOffset));
uint cparUncompressed = LoadedImage.ReadLeUInt16(RawImage, pkLiteHdrOffset + 1);
abU = new byte[cparUncompressed * 0x10U];
if (RawImage[pkLiteHdrOffset + 0x04C] != 0x83)
throw new ApplicationException(string.Format("Expected ADD BX,+XX at offset 0x{0:X4}.", pkLiteHdrOffset + 0x04C));
uint offCompressedData = pkLiteHdrOffset + RawImage[pkLiteHdrOffset + 0x04E] * 0x10u - PspSize;
bitStm = new BitStream(RawImage, (int) offCompressedData);
}
private void Validate(ExeImageLoader exe)
{
this.lzHdrOffset = (exe.e_cparHeader + exe.e_cs) << 4;
// Locate the LzExe header and verify signature.
byte[] abC = RawImage;
int entry = lzHdrOffset + exe.e_ip;
if (LoadedImage.CompareArrays(abC, entry, s_sig90, s_sig90.Length))
{
// Untested binary version
isLz91 = false;
throw new NotImplementedException("Untested");
}
else if (LoadedImage.CompareArrays(abC, entry, s_sig91, s_sig91.Length))
{
isLz91 = true;
}
else
{
throw new ApplicationException("Image is not an LzExe-compressed binary");
}
}
public MsdosImageLoader(IServiceProvider services, string filename, ExeImageLoader exe) : base(services, filename, exe.RawImage)
{
this.exe = exe;
this.arch = new IntelArchitecture(ProcessorMode.Real);
this.platform = new MsdosPlatform(services, arch);
}
// EXE header test (is it LZEXE file?)
static public bool IsCorrectUnpacker(ExeImageLoader exe, byte [] rawImg)
{
if (exe.e_ovno != 0 || exe.e_lfaRelocations != 0x1C)
return false;
int lzHdrOffset = ((int) exe.e_cparHeader + (int) exe.e_cs) << 4;
int entry = lzHdrOffset + exe.e_ip;
return (LoadedImage.CompareArrays(rawImg, entry, s_sig91, s_sig91.Length) ||
LoadedImage.CompareArrays(rawImg, entry, s_sig90, s_sig90.Length));
}
public virtual PeImageLoader CreatePeImageLoader()
{
ExeImageLoader mz = new ExeImageLoader(Services, Filename, RawImage);
PeImageLoader pe = new PeImageLoader(Services, Filename, RawImage, mz.e_lfanew);
return pe;
}
private void emulatorToolStripMenuItem_Click(object sender, EventArgs e)
{
var sc = new ServiceContainer();
var fs = new FileStream(@"D:\dev\jkl\dec\halsten\decompiler_paq\upx\demo.exe", FileMode.Open);
var size = fs.Length;
var abImage = new byte[size];
fs.Read(abImage, 0, (int) size);
var exe = new ExeImageLoader(sc, "foolexe", abImage);
var peLdr = new PeImageLoader(sc, "foo.exe" ,abImage, exe.e_lfanew);
var addr = peLdr.PreferredBaseAddress;
var program = peLdr.Load(addr);
var rr = peLdr.Relocate(addr);
var win32 = new Win32Emulator(program.Image, program.Platform, program.ImportReferences);
var emu = new X86Emulator((IntelArchitecture) program.Architecture, program.Image, win32);
emu.InstructionPointer = rr.EntryPoints[0].Address;
emu.ExceptionRaised += delegate { throw new Exception(); };
emu.WriteRegister(Registers.esp, (uint) peLdr.PreferredBaseAddress.ToLinear() + 0x0FFC);
emu.Start();
}
private static int ExePackHeaderOffset(ExeImageLoader exe)
{
return (exe.e_cparHeader + exe.e_cs) * 0x10 + exe.e_ip;
}
static public bool IsCorrectUnpacker(ExeImageLoader exe, byte[] rawImg)
{
int offset = ExePackHeaderOffset(exe);
return LoadedImage.CompareArrays(rawImg, offset, signature, signature.Length) ||
LoadedImage.CompareArrays(rawImg, offset, signature2, signature2.Length);
}