1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
|
diff --git a/api.c b/api.c
index e3ee339..67463a6 100755
--- a/api.c
+++ b/api.c
@@ -478,7 +478,7 @@ int dump_dirent(int which_one)
{
int i;
char *p;
- short unknown;
+ // short unknown;
struct OLE_DIR *dir;
dir = (struct OLE_DIR *) &buffer[which_one * sizeof(struct OLE_DIR)];
@@ -493,7 +493,7 @@ int dump_dirent(int which_one)
p = dir->name;
if (*p < ' ')
{
- unknown = *((short *)p);
+ //unknown = *((short *)p);
//fprintf (stderr, "%04x\t", unknown);
p += 2; /* step over unknown short */
diff --git a/engine.c b/engine.c
index 85add5f..4a1ef13 100755
--- a/engine.c
+++ b/engine.c
@@ -316,7 +316,6 @@ int search_chunk(f_state *s, unsigned char *buf, f_info *i, u_int64_t chunk_size
//u_int64_t buf_off = 0;
unsigned char *foundat = buf;
- unsigned char *current_pos = NULL;
unsigned char *header_pos = NULL;
unsigned char *newbuf = NULL;
unsigned char *ind_ptr = NULL;
@@ -461,7 +460,6 @@ int search_chunk(f_state *s, unsigned char *buf, f_info *i, u_int64_t chunk_size
}
c_offset = (foundat - buf);
- current_pos = foundat;
/*Now lets analyze the file and see if we can determine its size*/
@@ -511,12 +509,12 @@ int search_chunk(f_state *s, unsigned char *buf, f_info *i, u_int64_t chunk_size
newbuf = read_from_disk(c_offset + f_offset, i, needle->max_len);
if (newbuf == NULL)
break;
- current_pos = extract_file(s,
- c_offset,
- newbuf,
- needle->max_len,
- needle,
- f_offset);
+ extract_file(s,
+ c_offset,
+ newbuf,
+ needle->max_len,
+ needle,
+ f_offset);
/*Lets put the fp back*/
fseeko(i->handle, saveme, SEEK_SET);
diff --git a/extract.c b/extract.c
index 9639117..4fecde5 100755
--- a/extract.c
+++ b/extract.c
@@ -553,7 +553,6 @@ unsigned char *extract_htm(f_state *s, u_int64_t c_offset, unsigned char *founda
{
unsigned char *buf = foundat;
unsigned char *extractbuf = NULL;
- unsigned char *currentpos = NULL;
int bytes_to_search = 0;
int i = 0;
@@ -582,7 +581,6 @@ unsigned char *extract_htm(f_state *s, u_int64_t c_offset, unsigned char *founda
}
/*Store the current position and search for the HTML> tag*/
- currentpos = foundat;
foundat = bm_search(needle->footer,
needle->footer_len,
foundat,
@@ -1146,15 +1144,15 @@ unsigned char *extract_mov(f_state *s, u_int64_t c_offset, unsigned char *founda
unsigned char *extract_wmv(f_state *s, u_int64_t c_offset, unsigned char *foundat, u_int64_t buflen,
s_spec *needle, u_int64_t f_offset)
{
-
- unsigned char *currentpos = NULL;
+#ifdef DEBUG
+ u_int64_t fileObjHeaderSize = 0;
+#endif
unsigned char *header = foundat;
unsigned char *extractbuf = NULL;
unsigned char *buf = foundat;
unsigned int size = 0;
u_int64_t file_size = 0;
u_int64_t headerSize = 0;
- u_int64_t fileObjHeaderSize = 0;
int numberofHeaderObjects = 0;
int reserved[2];
int bytes_to_search = 0;
@@ -1184,7 +1182,6 @@ unsigned char *extract_wmv(f_state *s, u_int64_t c_offset, unsigned char *founda
return foundat;
}
- currentpos = foundat;
if (buflen - (foundat - buf) >= needle->max_len)
bytes_to_search = needle->max_len;
else
@@ -1201,7 +1198,9 @@ unsigned char *extract_wmv(f_state *s, u_int64_t c_offset, unsigned char *founda
if (foundat)
{
foundat += 16; /*jump to the headersize*/
+#ifdef DEBUG
fileObjHeaderSize = htoll(foundat, FOREMOST_LITTLE_ENDIAN);
+#endif
//printx(foundat,0,8);
foundat += 24; //Jump to the file size obj
size = htoi(foundat, FOREMOST_LITTLE_ENDIAN);
@@ -1401,7 +1400,6 @@ unsigned char *extract_gif(f_state *s, u_int64_t c_offset, unsigned char *founda
s_spec *needle, u_int64_t f_offset)
{
unsigned char *buf = foundat;
- unsigned char *currentpos = foundat;
unsigned char *extractbuf = NULL;
int bytes_to_search = 0;
unsigned short width = 0;
@@ -1420,7 +1418,6 @@ unsigned char *extract_gif(f_state *s, u_int64_t c_offset, unsigned char *founda
sprintf(comment, " (%d x %d)", width, height);
strcat(needle->comment, comment);
- currentpos = foundat;
if (buflen - (foundat - buf) >= needle->max_len)
bytes_to_search = needle->max_len;
else
@@ -1821,7 +1818,6 @@ unsigned char *extract_jpeg(f_state *s, u_int64_t c_offset, unsigned char *found
s_spec *needle, u_int64_t f_offset)
{
unsigned char *buf = foundat;
- unsigned char *currentpos = NULL;
unsigned char *extractbuf = NULL;
unsigned short headersize;
@@ -1899,8 +1895,6 @@ unsigned char *extract_jpeg(f_state *s, u_int64_t c_offset, unsigned char *found
return buf + needle->header_len;
}
- currentpos = foundat;
-
//sprintf("Searching for footer\n");
if (buflen < (foundat - buf)) {
#ifdef DEBUG
@@ -2094,19 +2088,21 @@ unsigned char *extract_exe(f_state *s, u_int64_t c_offset, unsigned char *founda
unsigned char *extractbuf = NULL;
u_int64_t file_size = 0;
unsigned short pe_offset = 0;
- unsigned int SizeOfCode = 0;
- unsigned int SizeOfInitializedData = 0;
- unsigned int SizeOfUninitializedData = 0;
- unsigned int rva = 0;
unsigned int offset = 0;
unsigned short sections = 0;
- unsigned int sizeofimage = 0;
unsigned int raw_section_size = 0;
- unsigned int size_of_headers = 0;
unsigned short dll = 0;
unsigned int sum = 0;
unsigned short exe_char = 0;
+#ifdef DEBUG
+ unsigned int SizeOfInitializedData = 0;
+ unsigned int SizeOfUninitializedData = 0;
+ unsigned int SizeOfCode = 0;
+ unsigned int rva = 0;
+ unsigned int sizeofimage = 0;
+ unsigned int size_of_headers = 0;
unsigned int align = 0;
+#endif
int i = 0;
time_t compile_time = 0;
struct tm *ret_time;
@@ -2167,14 +2163,16 @@ unsigned char *extract_exe(f_state *s, u_int64_t c_offset, unsigned char *founda
foundat += 0x18; /*Jump to opt header should be 0x0b 0x01*/
+#ifdef DEBUG
SizeOfCode = htoi(&foundat[4], FOREMOST_LITTLE_ENDIAN);
SizeOfInitializedData = htoi(&foundat[8], FOREMOST_LITTLE_ENDIAN);
SizeOfUninitializedData = htoi(&foundat[12], FOREMOST_LITTLE_ENDIAN);
rva = htoi(&foundat[16], FOREMOST_LITTLE_ENDIAN);
align = htoi(&foundat[36], FOREMOST_LITTLE_ENDIAN);
-
sizeofimage = htoi(&foundat[56], FOREMOST_LITTLE_ENDIAN);
size_of_headers = htoi(&foundat[60], FOREMOST_LITTLE_ENDIAN);
+#endif
+
foundat += 224;
/*Start of sections*/
@@ -2193,13 +2191,13 @@ unsigned char *extract_exe(f_state *s, u_int64_t c_offset, unsigned char *founda
sum = offset + raw_section_size;
}
- /*
+#ifdef DEBUG
printf("rva is %d sum= %d\n",rva,sum);
printf("soi is %d,soh is %d \n",sizeofimage,size_of_headers);
printf("we are off by %d\n",sum-buflen);
printf("soc=%d ,soidr=%d, souid=%d\n",SizeOfCode,SizeOfInitializedData,SizeOfUninitializedData);
printf("fs=%d ,extr=%d\n",SizeOfCode+SizeOfInitializedData,SizeOfUninitializedData);
- */
+#endif
file_size = sum;
if (file_size < 512 || file_size > 4 * MEGABYTE)
{
@@ -2267,7 +2265,6 @@ unsigned char *extract_rar(f_state *s, u_int64_t c_offset, unsigned char *founda
{
unsigned char *buf = foundat;
unsigned char *extractbuf = NULL;
- u_int64_t file_size = 0;
unsigned short headersize = 0;
unsigned short flags = 0;
unsigned int filesize = 0;
@@ -2424,8 +2421,6 @@ unsigned char *extract_rar(f_state *s, u_int64_t c_offset, unsigned char *founda
/*We found the EOF, write the file to disk and return*/
tot_file_size = (foundat - buf);
- if (tot_file_size > buflen)
- file_size = buflen;
extractbuf = buf;
write_to_disk(s, needle, tot_file_size, extractbuf, c_offset + f_offset);
|
