int PackTmt::canUnpack() { if (!readFileHeader()) return false; fi->seek(adam_offset, SEEK_SET); return readPackHeader(512) ? 1 : -1; }
int PackVmlinuzI386::canUnpack() { if (readFileHeader() != getFormat()) return false; fi->seek(setup_size, SEEK_SET); return readPackHeader(1024) ? 1 : -1; }
int PackCom::canUnpack() { if (!readPackHeader(128)) return false; if (file_size <= (off_t) ph.c_len) return false; return true; }
int PackTos::canUnpack() { if (!readFileHeader()) return false; if (!readPackHeader(768)) return false; // check header as set by packer if ((ih.fh_text & 3) != 0 || (ih.fh_data & 3) != 0 || (ih.fh_bss & 3) != 0 || ih.fh_sym != 0 || ih.fh_reserved != 0 || ih.fh_reloc > 1) throwCantUnpack("program header damaged"); // generic check if (!checkFileHeader()) throwCantUnpack("unsupported header flags"); return true; }
int PackArmPe::canUnpack() { if (!readFileHeader() || (ih.cpu != 0x1c0 && ih.cpu != 0x1c2)) return false; unsigned objs = ih.objects; isection = new pe_section_t[objs]; fi->seek(pe_offset+sizeof(ih),SEEK_SET); fi->readx(isection,sizeof(pe_section_t)*objs); if (ih.objects < 3) return -1; bool is_packed = ((ih.objects == 3 || ih.objects == 4) && (IDSIZE(15) || ih.entry > isection[1].vaddr)); bool found_ph = false; if (memcmp(isection[0].name,"UPX",3) == 0) { // current version fi->seek(isection[1].rawdataptr - 64, SEEK_SET); found_ph = readPackHeader(1024); if (!found_ph) { // old versions fi->seek(isection[2].rawdataptr, SEEK_SET); found_ph = readPackHeader(1024); } } if (is_packed && found_ph) return true; if (!is_packed && !found_ph) return -1; if (is_packed && ih.entry < isection[2].vaddr) { unsigned char buf[256]; bool x = false; memset(buf, 0, sizeof(buf)); try { fi->seek(ih.entry - isection[1].vaddr + isection[1].rawdataptr, SEEK_SET); fi->read(buf, sizeof(buf)); // FIXME this is for x86 static const unsigned char magic[] = "\x8b\x1e\x83\xee\xfc\x11\xdb"; // mov ebx, [esi]; sub esi, -4; adc ebx,ebx int offset = find(buf, sizeof(buf), magic, 7); if (offset >= 0 && find(buf + offset + 1, sizeof(buf) - offset - 1, magic, 7) >= 0) x = true; } catch (...) { //x = true; } if (x) throwCantUnpack("file is modified/hacked/protected; take care!!!"); else throwCantUnpack("file is possibly modified/hacked/protected; take care!"); return false; // not reached } // FIXME: what should we say here ? //throwCantUnpack("file is possibly modified/hacked/protected; take care!"); return false; }