unpack: aspack: split dump from fixup

2025-12-12 15:49:46 -08:00 · 2020-08-25 19:08:00 -06:00
parent de3f223bb5
commit 52eef09c8b
2 changed files with 9 additions and 4 deletions
--- a/capa/unpack/init.py
+++ b/capa/unpack/init.py
@@ -80,8 +80,6 @@ INSN_POPA = 0x61
 class AspackUnpacker(speakeasy.Speakeasy):
    def __init__(self, buf, debug=False):
        super(AspackUnpacker, self).__init__(debug=debug)
-        self.buf = buf
-        self.pe = pefile.PE(data=buf)
        self.module = self.load_module(data=buf)
        load_module2(self, self.module)

@@ -120,7 +118,7 @@ class AspackUnpacker(speakeasy.Speakeasy):
        finally:
            self.remove_code_hook(handle)

-    def unpack(self):
+    def dump(self):
        # prime the emulator
        # this is derived from winemu::WindowsEmulator::start()
        self.emu.curr_run = Run()
@@ -180,11 +178,18 @@ class AspackUnpacker(speakeasy.Speakeasy):

        mm = self.get_address_map(self.module.get_base())
        buf = self.mem_read(mm.get_base(), mm.get_size())
+        return buf, oep

+    def fixup(self, buf, oep):
        pe = pefile.PE(data=buf)
        pe.OPTIONAL_HEADER.AddressOfEntryPoint = oep - self.module.base
        return pe.write()

+    def unpack(self):
+        buf, oep = self.dump()
+        buf = self.fixup(buf, oep)
+        return buf
+

 def unpack_aspack(buf):
    unpacker = AspackUnpacker(buf, debug=True)
--- a/tests/test_unpack.py
+++ b/tests/test_unpack.py
@@ -44,7 +44,7 @@ def test_aspack_unpack(aspack_extractor):
    unpacked = capa.unpack.unpack_pe(capa.unpack.ASPACK, buf)

    pe = pefile.PE(data=unpacked)
-    assert pe.OPTIONAL_HEADER.AddressOfEntryPoint == 0x1a610
+    assert pe.OPTIONAL_HEADER.AddressOfEntryPoint == 0x1A610
    assert b"This program cannot be run in DOS mode" in unpacked
    assert "(C) Copyright 1985-2000 Microsoft Corp.".encode("utf-16le") in unpacked
    assert "CMD.EXE has halted. %0".encode("utf-16le") in unpacked