175
176
*********************/
178
static int ea05(int desc, cli_ctx *ctx, char *tmpd) {
179
static int ea05(cli_ctx *ctx, uint8_t *base, char *tmpd) {
179
180
uint8_t b[300], comp;
181
181
uint32_t s, m4sum=0;
183
183
unsigned int files=0;
184
184
char tempfile[1024];
186
fmap_t *map = *ctx->fmap;
187
if (cli_readn(desc, buf, 16)!=16)
188
if(!fmap_need_ptr_once(map, base, 16))
190
191
for (i=0; i<16; i++)
193
194
while((ret=cli_checklimits("autoit", ctx, 0, 0, 0))==CL_CLEAN) {
195
if (cli_readn(desc, buf, 8)!=8)
195
if(!fmap_need_ptr_once(map, base, 8))
198
198
/* MT_decrypt(buf,4,0x16fa); waste of time */
199
if((uint32_t)cli_readint32((char *)buf) != 0xceb06dff) {
199
if((uint32_t)cli_readint32(base) != 0xceb06dff) {
200
200
cli_dbgmsg("autoit: no FILE magic found, extraction complete\n");
204
s = cli_readint32((char *)buf+4) ^ 0x29bc;
204
s = cli_readint32(base+4) ^ 0x29bc;
205
205
if ((int32_t)s<0)
206
206
return CL_CLEAN; /* the original code wouldn't seek back here */
207
208
if(cli_debug_flag && s<sizeof(b)) {
208
if (cli_readn(desc, buf, s)!=(int)s)
209
if (!fmap_need_ptr_once(map, base, s))
211
MT_decrypt(buf,s,s+0xa25e);
212
cli_dbgmsg("autoit: magic string '%s'\n", buf);
214
lseek(desc, s, SEEK_CUR);
212
MT_decrypt(b,s,s+0xa25e);
214
cli_dbgmsg("autoit: magic string '%s'\n", b);
217
if (cli_readn(desc, buf, 4)!=4)
218
if (!fmap_need_ptr_once(map, base, 4))
219
s = cli_readint32((char *)buf) ^ 0x29ac;
220
s = cli_readint32(base) ^ 0x29ac;
220
221
if ((int32_t)s<0)
221
222
return CL_CLEAN; /* the original code wouldn't seek back here */
222
224
if (cli_debug_flag && s<sizeof(b)) {
223
if (cli_readn(desc, buf, s)!=(int)s)
225
if (!fmap_need_ptr_once(map, base, s))
225
MT_decrypt(buf,s,s+0xf25e);
227
cli_dbgmsg("autoit: original filename '%s'\n", buf);
229
lseek(desc, s, SEEK_CUR);
228
MT_decrypt(b,s,s+0xf25e);
230
cli_dbgmsg("autoit: original filename '%s'\n", b);
232
if (cli_readn(desc, buf, 13)!=13)
234
if (!fmap_need_ptr_once(map, base, 13))
235
UNP.csize = cli_readint32((char *)buf+1) ^ 0x45aa;
237
UNP.csize = cli_readint32(base+1) ^ 0x45aa;
236
238
if ((int32_t)UNP.csize<0) {
237
239
cli_dbgmsg("autoit: bad file size - giving up\n");
241
lseek(desc, 16, SEEK_CUR);
244
244
cli_dbgmsg("autoit: skipping empty file\n");
247
248
cli_dbgmsg("autoit: compressed size: %x\n", UNP.csize);
248
cli_dbgmsg("autoit: advertised uncompressed size %x\n", cli_readint32((char *)buf+5) ^ 0x45aa);
249
cli_dbgmsg("autoit: ref chksum: %x\n", cli_readint32((char *)buf+9) ^ 0xc3d2);
249
cli_dbgmsg("autoit: advertised uncompressed size %x\n", cli_readint32(base+5) ^ 0x45aa);
250
cli_dbgmsg("autoit: ref chksum: %x\n", cli_readint32(base+9) ^ 0xc3d2);
252
254
if(cli_checklimits("autoit", ctx, UNP.csize, 0, 0)!=CL_CLEAN) {
253
lseek(desc, UNP.csize, SEEK_CUR);
257
if (!(buf = cli_malloc(UNP.csize)))
259
if (!(UNP.inputbuf = cli_malloc(UNP.csize)))
259
if (cli_readn(desc, buf, UNP.csize)!=(int)UNP.csize) {
261
if (!fmap_need_ptr_once(map, base, UNP.csize)) {
260
262
cli_dbgmsg("autoit: failed to read compressed stream. broken/truncated file?\n");
264
MT_decrypt(buf,UNP.csize,0x22af+m4sum);
266
memcpy(UNP.inputbuf, base, UNP.csize);
268
MT_decrypt(UNP.inputbuf,UNP.csize,0x22af+m4sum);
267
271
cli_dbgmsg("autoit: file is compressed\n");
268
if (cli_readint32((char *)buf)!=0x35304145) {
272
if (cli_readint32(UNP.inputbuf)!=0x35304145) {
269
273
cli_dbgmsg("autoit: bad magic or unsupported version\n");
274
if(!(UNP.usize = be32_to_host(*(uint32_t *)(buf+4))))
278
if(!(UNP.usize = be32_to_host(*(uint32_t *)(UNP.inputbuf+4))))
275
279
UNP.usize = UNP.csize; /* only a specifically crafted or badly corrupted sample should land here */
276
280
if(cli_checklimits("autoit", ctx, UNP.usize, 0, 0)!=CL_CLEAN) {
281
285
if (!(UNP.outputbuf = cli_malloc(UNP.usize))) {
285
289
cli_dbgmsg("autoit: uncompressed size again: %x\n", UNP.usize);
288
291
UNP.cur_output = 0;
289
292
UNP.cur_input = 8;
290
293
UNP.bitmap.full = 0;
479
481
const char prefixes[] = { '\0', '\0', '@', '$', '\0', '.', '"', '#' };
480
482
const char *opers[] = { ",", "=", ">", "<", "<>", ">=", "<=", "(", ")", "+", "-", "/", "*", "&", "[", "]", "==", "^", "+=", "-=", "/=", "*=", "&=" };
484
fmap_t *map = *ctx->fmap;
483
487
/* Useless due to a bug in CRC calculation - LMAO!!1 */
484
488
/* if (cli_readn(desc, buf, 24)!=24) */
485
489
/* return CL_CLEAN; */
486
490
/* LAME_decrypt(buf, 0x10, 0x99f2); */
488
lseek(desc, 16, SEEK_CUR); /* for now we just skip the garbage */
492
base += 16; /* for now we just skip the garbage */
490
494
while((ret=cli_checklimits("cli_autoit", ctx, 0, 0, 0))==CL_CLEAN) {
492
if (cli_readn(desc, buf, 8)!=8)
495
if(!fmap_need_ptr_once(map, base, 8))
494
497
/* LAME_decrypt(buf, 4, 0x18ee); waste of time */
495
if(cli_readint32((char *)buf) != 0x52ca436b) {
498
if(cli_readint32(base) != 0x52ca436b) {
496
499
cli_dbgmsg("autoit: no FILE magic found, giving up\n");
502
s = cli_readint32((char *)buf+4) ^ 0xadbc;
505
s = cli_readint32(base+4) ^ 0xadbc;
503
506
if ((int32_t)(s*2)<0)
504
507
return CL_CLEAN; /* the original code wouldn't seek back here */
506
if (cli_readn(desc, buf, s*2)!=(int)s*2)
509
if(s < sizeof(b) / 2) {
510
if(!fmap_need_ptr_once(map, base, s*2))
508
LAME_decrypt(buf,s*2,s+0xb33f);
510
cli_dbgmsg("autoit: magic string '%s'\n", buf);
511
if (s==19 && !memcmp(">>>AUTOIT SCRIPT<<<", buf, 19))
512
memcpy(b, base, s*2);
513
LAME_decrypt(b,s*2,s+0xb33f);
515
cli_dbgmsg("autoit: magic string '%s'\n", b);
516
if (s==19 && !memcmp(">>>AUTOIT SCRIPT<<<", b, 19))
514
519
cli_dbgmsg("autoit: magic string too long to print\n");
515
lseek(desc, s*2, SEEK_CUR);
518
if (cli_readn(desc, buf, 4)!=4)
523
if (!fmap_need_ptr_once(map, base, 4))
520
s = cli_readint32((char *)buf) ^ 0xf820;
525
s = cli_readint32(base) ^ 0xf820;
521
526
if ((int32_t)(s*2)<0)
522
527
return CL_CLEAN; /* the original code wouldn't seek back here */
523
if(cli_debug_flag && s<300) {
524
if (cli_readn(desc, buf, s*2)!=(int)s*2)
529
if(cli_debug_flag && s<sizeof(b) / 2) {
530
if(!fmap_need_ptr_once(map, base, s*2))
526
LAME_decrypt(buf,s*2,s+0xf479);
527
buf[s*2]='\0'; buf[s*2+1]='\0';
529
cli_dbgmsg("autoit: original filename '%s'\n", buf);
531
lseek(desc, s*2, SEEK_CUR);
532
memcpy(b, base, s*2);
533
LAME_decrypt(b,s*2,s+0xf479);
534
b[s*2]='\0'; b[s*2+1]='\0';
536
cli_dbgmsg("autoit: original filename '%s'\n", b);
534
if (cli_readn(desc, buf, 13)!=13)
540
if(!fmap_need_ptr_once(map, base, 13))
537
UNP.csize = cli_readint32((char *)buf+1) ^ 0x87bc;
543
UNP.csize = cli_readint32(base+1) ^ 0x87bc;
538
544
if ((int32_t)UNP.csize<0) {
539
545
cli_dbgmsg("autoit: bad file size - giving up\n");
543
lseek(desc, 16, SEEK_CUR);
546
550
cli_dbgmsg("autoit: skipping empty file\n");
549
554
cli_dbgmsg("autoit: compressed size: %x\n", UNP.csize);
550
cli_dbgmsg("autoit: advertised uncompressed size %x\n", cli_readint32((char *)buf+5) ^ 0x87bc);
551
cli_dbgmsg("autoit: ref chksum: %x\n", cli_readint32((char *)buf+9) ^ 0xa685);
555
cli_dbgmsg("autoit: advertised uncompressed size %x\n", cli_readint32(base+5) ^ 0x87bc);
556
cli_dbgmsg("autoit: ref chksum: %x\n", cli_readint32(base+9) ^ 0xa685);
553
560
if(cli_checklimits("autoit", ctx, UNP.csize, 0, 0)!=CL_CLEAN) {
554
lseek(desc, UNP.csize, SEEK_CUR);
559
if (!(buf = cli_malloc(UNP.csize)))
566
if (!(UNP.inputbuf = cli_malloc(UNP.csize)))
561
if (cli_readn(desc, buf, UNP.csize)!=(int)UNP.csize) {
568
if (!fmap_need_ptr_once(map, base, UNP.csize)) {
562
569
cli_dbgmsg("autoit: failed to read compressed stream. broken/truncated file?\n");
566
LAME_decrypt(buf,UNP.csize,0x2477 /* + m4sum (broken by design) */ );
573
memcpy(UNP.inputbuf, base, UNP.csize);
575
LAME_decrypt(UNP.inputbuf,UNP.csize,0x2477 /* + m4sum (broken by design) */ );
569
578
cli_dbgmsg("autoit: file is compressed\n");
570
if (cli_readint32((char *)buf)!=0x36304145) {
579
if (cli_readint32(UNP.inputbuf)!=0x36304145) {
571
580
cli_dbgmsg("autoit: bad magic or unsupported version\n");
576
if(!(UNP.usize = be32_to_host(*(uint32_t *)(buf+4))))
585
if(!(UNP.usize = be32_to_host(*(uint32_t *)(UNP.inputbuf+4))))
577
586
UNP.usize = UNP.csize; /* only a specifically crafted or badly corrupted sample should land here */
578
587
if(cli_checklimits("autoit", ctx, UNP.usize, 0, 0)!=CL_CLEAN) {
582
591
if (!(UNP.outputbuf = cli_malloc(UNP.usize))) {
586
595
cli_dbgmsg("autoit: uncompressed size again: %x\n", UNP.usize);
589
597
UNP.cur_output = 0;
590
598
UNP.cur_input = 8;
591
599
UNP.bitmap.full = 0;