Class: PEdump::RichHdr
Overview
Defined Under Namespace
Classes: Entry
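Instance Attribute Summary
- #key ⇒ Object
  XOR key: the 4 bytes that follow the 'Rich' marker.
- #offset ⇒ Object
  Offset of the header data (stub.offset + start_idx).
- #skip ⇒ Object
  Number of leading bytes that dexor skips: 4 when the XOR-ed 'DanS' marker was found, 0 otherwise.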
Class Method Summary
Instance Method Summary
Methods inherited from String
Instance Attribute Details
Class Method Details
.from_dos_stub(stub) ⇒ Object
# File 'lib/pedump.rb', line 275
def self.from_dos_stub stub
  #stub.hexdump
  # the 4-byte XOR key immediately follows the 'Rich' marker
  key = stub[stub.index('Rich')+4,4]
  # the header starts with 'DanS' XOR-ed with that key
  start_idx = stub.index(key.xor('DanS'))
  skip = 0
  if start_idx
    skip = 4
  else
    PEdump.logger.warn "[?] cannot find rich_hdr start_idx, using heuristics"
    start_idx = stub.index("$\x00\x00\x00\x00\x00\x00\x00")
    unless start_idx
      PEdump.logger.warn "[?] heuristics failed :("
      return nil
    end
    start_idx += 8
  end
  # end of header = 'Rich' marker (4 bytes) + key (4 bytes)
  end_idx = stub.index('Rich')+8
  # anything after the header must be zero padding
  if stub[end_idx..-1].tr("\x00",'') != ''
    t = stub[end_idx..-1]
    t = "#{t[0,0x100]}..." if t.size > 0x100
    PEdump.logger.error "[!] non-zero dos stub after rich_hdr: #{t.inspect}"
    return nil
  end
  #stub[start_idx, end_idx-start_idx].hexdump
  RichHdr.new(stub[start_idx, end_idx-start_idx]).tap do |x|
    x.key = key
    x.offset = stub.offset + start_idx
    x.skip = skip
  end
end
Instance Method Details
#decode ⇒ Object
# File 'lib/pedump.rb', line 310
def decode
  x = dexor
  # each entry is 8 bytes: two 16-bit and one 32-bit little-endian values
  if x.size%8 == 0
    x.unpack('vvV'*(x.size/8)).each_slice(3).map{ |slice| Entry.new(*slice)}
  else
    PEdump.logger.error "[?] #{self.class}: dexored size(#{x.size}) must be a multiple of 8"
    nil
  end
end
#dexor ⇒ Object
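# File 'lib/pedump.rb', line 306
def dexor
  # drop the leading marker (skip bytes) and the trailing 'Rich'+key (8 bytes),
  # strip three leading copies of the key, then XOR the rest with the key
  self[skip..-9].sub(/\A(#{Regexp::escape(key)}){3}/,'').xor(key)
end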
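The steps performed by from_dos_stub, dexor and decode above, collected into one stand-alone decoder as an added example (not pedump's own code). It omits the "$\x00..." fallback heuristic and the trailing-zero check; xor_with_key stands in for pedump's String#xor, and the field names build, product_id and count, the sample key and the sample entries are assumptions constructed for this example.

```ruby
# Added example: stand-alone Rich header decoder, not pedump's own code.
RICH = 'Rich'.b
DANS = 'DanS'.b

# XOR data with a repeating 4-byte key (stands in for pedump's String#xor).
def xor_with_key(data, key)
  k = key.bytes
  data.bytes.each_with_index.map { |b, i| b ^ k[i % 4] }.pack('C*')
end

# Returns an array of entry hashes, or nil when no well-formed header is found.
# Field names (build, product_id, count) are this example's own labels.
def decode_rich(stub)
  stub = stub.b
  rich_idx = stub.index(RICH)
  return nil unless rich_idx && stub.bytesize >= rich_idx + 8

  key = stub[rich_idx + 4, 4]                 # key follows the 'Rich' marker
  start_idx = stub.index(xor_with_key(DANS, key))
  return nil unless start_idx && start_idx < rich_idx

  body = stub[(start_idx + 4)...rich_idx]     # drop the XOR-ed 'DanS' marker
  # Three zero DWORDs of padding appear as the key repeated three times.
  body = body[12..-1] if body.start_with?(key * 3)
  plain = xor_with_key(body, key)
  return nil unless (plain.bytesize % 8).zero? # entries are 8 bytes each

  plain.unpack('vvV' * (plain.bytesize / 8)).each_slice(3).map do |build, product_id, count|
    { build: build, product_id: product_id, count: count }
  end
end

# Constructed sample input: the key and both entries are made-up values.
SAMPLE_KEY = [0x8A3F51C2].pack('V')
SAMPLE_ENTRIES = [[30_729, 0x0093, 12], [40_219, 0x00AB, 3]].freeze

def build_sample_stub
  plain = DANS + ("\0".b * 12) + SAMPLE_ENTRIES.flatten.pack('vvV' * SAMPLE_ENTRIES.size)
  ("\0".b * 0x40) + xor_with_key(plain, SAMPLE_KEY) + RICH + SAMPLE_KEY + ("\0".b * 8)
end

if __FILE__ == $PROGRAM_NAME
  decode_rich(build_sample_stub).each { |e| puts e.inspect }
end
```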