diff --git a/Offsets/ExtractOffsets.py b/Offsets/ExtractOffsets.py
index 33f675c..1c9dd8e 100644
--- a/Offsets/ExtractOffsets.py
+++ b/Offsets/ExtractOffsets.py
@@ -17,6 +17,14 @@ machineType = dict(x86=332, x64=34404)
 knownImageVersions = dict(ntoskrnl=list(), wdigest=list())
 extensions_by_mode = dict(ntoskrnl="exe", wdigest="dll")
 
+def find(key, value):
+for k, v in value.items():
+if k == key:
+return v
+elif isinstance(v, dict):
+return find(key, v)
+return None
+
 def printl(s, lock, **kwargs):
 with lock:
 print(s, **kwargs)
@@ -47,10 +55,15 @@ def downloadSpecificFile(entry, pe_basename, pe_ext, knownPEVersions, output_fol
 virtual_size = entry['fileInfo']['virtualSize']
 file_id = hex(timestamp).replace('0x','').zfill(8).upper() + hex(virtual_size).replace('0x','')
 url = 'https://msdl.microsoft.com/download/symbols/' + pe_name + '/' + file_id + '/' + pe_name
-if "version" not in entry['fileInfo']:
+try:
+version = entry['fileInfo']['version'].split(' ')[0]
+except:
+version = find('version', entry).split(' ')[0]
+
+if not version:
+printl(f'[*] Error parsing version', lock)
 return "SKIP"
-version = entry['fileInfo']['version'].split(' ')[0]
-
+
 # Output file format: _build-revision.
 output_version = '-'.join(version.split('.')[-2:])
 output_file = f'{pe_basename}_{output_version}.{pe_ext}'
@@ -257,7 +270,7 @@ if __name__ == '__main__':
 * a simple tag "5.8.2-158-gca9763f20d"
 """
 ma,me,mi = map(int, output.splitlines()[0].split(" ")[0].split("-")[0].split("."))
-if (ma, me, mi) < (5,0,0):
+if (ma, me, mi) < (5, 0, 0):
 print("WARNING : This script has been tested with radare2 5.0.0 (works) and 4.3.1 (does NOT work)")
 print(f"You have version {ma}.{me}.{mi}, if is does not work correctly, meaning most of the offsets are not found (i.e. 0), check radare2's 'idpi' command output and modify get_symbol_offset() & get_field_offset() to parse symbols correctly")
 input("Press enter to continue")
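Review bot: `find` gives up after the first nested dict it encounters, because `elif isinstance(v, dict): return find(key, v)` returns that branch's result unconditionally, so a key that lives in a later sibling dict is reported as missing (`None`). Only return when the recursion actually found something and otherwise keep iterating: `found = find(key, v)` / `if found is not None:` / `return found`. With this return convention a nested dict that legitimately maps the key to `None` is indistinguishable from "not found"; if that can occur in the data this walks, use a private sentinel instead. Dicts nested inside lists are not descended into, which may or may not be intended here. A one-line docstring stating that it is a depth-first search returning the first value for `key` anywhere in the nested mapping, or `None`, would also help callers.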
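Review bot: The new `if not version:` guard never reaches the failure it was written for, because when `find('version', entry)` returns `None` the `.split(' ')` inside the `except:` raises `AttributeError` first, and the bare `except:` on the preceding attempt also swallows `KeyboardInterrupt`/`SystemExit`. Look the value up without calling methods on it and validate once before splitting: `version = entry['fileInfo'].get('version') or find('version', entry)` / `if not version: ... return "SKIP"` / `version = version.split(' ')[0]`. The entry is, judging from the symbol-server URL built just above, metadata presumably parsed from an external feed, so its shape should be checked explicitly rather than papered over with a catch-all. `f'[*] Error parsing version'` has no placeholders and can be a plain string. `downloadSpecificFile` starts and ends outside this hunk.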