readpe
pepack does not use default userdb.txt (Ubuntu)
pev 0.80 Ubuntu package
To reproduce:
- pepack file.exe
pepack does not load the db file from /usr/share/pev/userdb.txt when no -d file is specified:
warning: without valid database file, pepack will search in generic mode only
packer: no packer found
Expected: loads default userdb.txt file https://github.com/merces/pev/blob/ef1a4c8a3f077c95cc7301e4c7b0abdd115c2891/doc/manpages/pepack.1#L19
Sorry for the small delay :-) We're checking the open issues and I found this to be a good start. How did you install the tool? I ask because it could be an issue in our packaging steps, or in a specific package.
I installed from the Ubuntu/Debian package: sudo apt install pev
Not sure if this was fixed for 0.81
@wesinator we debugged the package and are able to reproduce the issue on Ubuntu 18.04. We verified that the .deb package did overwrite the DEFAULT_PLUGINS_PATH to load plugins from /usr/lib/pev/plugins/ but did not overwrite the SHAREDIR path which is used to load the userdb.txt file. We notified the package maintainer about that and as soon as we get a reply, we'll let you know.
I believe this was a bug in the debian build for pev, since fixed in 0.81-1 currently in experimental.
Thanks for your input @petterreinholdtsen.
@jweyrich it will take some time until the package 0.81-1 makes its way to testing/stable builds. I'd suggest to keep this issue open until we can verify Ubuntu maintainers start using 0.81-1 from Debian.
@wesinator Thanks for reporting this. The bug actually exists in Debian, Ubuntu, Kali, etc. It will be nice to have it fixed.
I've verified this is fixed in 0.81-1!
$ cat /etc/apt/sources.list | grep exp
deb http://deb.debian.org/debian/ experimental main
$ sudo apt update
$ apt show pev
Package: pev
Version: 0.81-1
Priority: optional
Section: utils
Maintainer: Debian QA Group <[email protected]>
Installed-Size: 1,637 kB
Depends: libc6 (>= 2.14), libssl1.1 (>= 1.1.0)
Homepage: http://pev.sourceforge.net
Tag: implemented-in::c, interface::commandline, role::program,
scope::utility, security::forensics, use::analysing
Download-Size: 177 kB
APT-Sources: http://deb.debian.org/debian experimental/main amd64 Packages
Description: text-based tool to analyze PE files
pev is a tool to get information of PE32/PE32+
executables (EXE, DLL, OCX etc) like headers,
sections, resources and more.
$ sudo apt install pev
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
pev
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 177 kB of archives.
After this operation, 1,637 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian experimental/main amd64 pev amd64 0.81-1 [177 kB]
Fetched 177 kB in 3s (66.7 kB/s)
Selecting previously unselected package pev.
(Reading database ... 35710 files and directories currently installed.)
Preparing to unpack .../archives/pev_0.81-1_amd64.deb ...
Unpacking pev (0.81-1) ...
Setting up pev (0.81-1) ...
Processing triggers for libc-bin (2.31-5) ...
$ pepack unpackme1.exe
packer: Crypto-Lock v2.02 (Eng) -> Ryan Thian
user@debian64:~$ strace -e openat pepack unpackme1.exe
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/libpe.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libcrypto.so.1.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libm.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "pev.conf", O_RDWR) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/home/user/.config/pevpev.conf", O_RDWR) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/pev/plugins", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
openat(AT_FDCWD, "/usr/lib/pev/plugins/csv_plugin.so", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/usr/lib/pev/plugins/text_plugin.so", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/usr/lib/pev/plugins/json_plugin.so", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/usr/lib/pev/plugins/html_plugin.so", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/usr/lib/pev/plugins/xml_plugin.so", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "unpackme1.exe", O_RDONLY) = 3
openat(AT_FDCWD, "userdb.txt", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/pev/userdb.txt", O_RDONLY) = 3
packer: Crypto-Lock v2.02 (Eng) -> Ryan Thian
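The strace output above shows the lookup order pepack uses for its database (a userdb.txt in the working directory first, then the packaged copy under /usr/share/pev) and that, once the file is found, the packer name comes from matching signatures in it. The following is an added Python example, not pev's code, that reproduces both steps: the path resolution with an optional explicit -d argument, and PEiD-style userdb.txt parsing and entry-point matching with `??` wildcards. The sample database entries, byte patterns and image bytes are constructed for this example and do not identify any real packer.

```python
"""Added example (not pev's code): locate a userdb.txt in the same order the
strace output shows, parse PEiD-style entries and match them at the entry
point. Sample data below is constructed for illustration only."""
import os
import re
from typing import List, Optional, Sequence, Tuple

# Lookup order observed in the strace: ./userdb.txt first, then SHAREDIR.
DEFAULT_SEARCH_PATHS = ("userdb.txt", "/usr/share/pev/userdb.txt")

# Constructed sample database in PEiD userdb syntax. The patterns are made up
# for this example and do not correspond to real packers.
SAMPLE_USERDB = """
; comment lines are ignored
[Example Packer 1.0 -> example author]
signature = 60 E8 ?? ?? ?? ?? 5D 81 ED
ep_only = true

[Example Protector 2.1]
signature = 55 8B EC 6A FF 68 ?? ?? ?? ??
ep_only = false
"""

# Constructed "image": 16 bytes of header padding, then entry-point code that
# matches the first sample signature (bytes 2..5 are the wildcard positions).
SAMPLE_EP = 16
SAMPLE_IMAGE = b"MZ" + bytes(14) + bytes.fromhex("60E8123456785D81ED") + b"\x90" * 8

# (name, pattern with None as wildcard, ep_only)
Signature = Tuple[str, List[Optional[int]], bool]
_TOKEN = re.compile(r"^(?:[0-9A-Fa-f]{2}|\?\?)$")


def find_userdb(explicit: Optional[str] = None,
                search_paths: Sequence[str] = DEFAULT_SEARCH_PATHS) -> Optional[str]:
    """Return the first existing database path. An explicit -d path wins;
    otherwise walk the default search order. None means generic mode only."""
    candidates = [explicit] if explicit else list(search_paths)
    for path in candidates:
        if path and os.path.isfile(path):
            return path
    return None


def parse_userdb(text: str) -> List[Signature]:
    """Parse [Name] / signature = / ep_only = blocks; '??' is a wildcard byte."""
    sigs: List[Signature] = []
    name: Optional[str] = None
    pattern: Optional[List[Optional[int]]] = None
    ep_only = True
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            if name and pattern:
                sigs.append((name, pattern, ep_only))
            name, pattern, ep_only = line[1:-1], None, True
        elif "=" in line:
            key, _, value = line.partition("=")
            key, value = key.strip().lower(), value.strip()
            if key == "signature":
                toks = value.split()
                if not all(_TOKEN.match(t) for t in toks):
                    raise ValueError(f"bad signature for {name!r}: {value}")
                pattern = [None if t == "??" else int(t, 16) for t in toks]
            elif key == "ep_only":
                ep_only = value.lower() == "true"
    if name and pattern:
        sigs.append((name, pattern, ep_only))
    return sigs


def match_at(pattern: List[Optional[int]], data: bytes, offset: int) -> bool:
    """True if pattern matches data at offset; None matches any byte."""
    if offset < 0 or offset + len(pattern) > len(data):
        return False
    return all(p is None or p == data[offset + i] for i, p in enumerate(pattern))


def identify_packer(sigs: List[Signature], data: bytes, ep_offset: int) -> Optional[str]:
    """ep_only signatures are checked at the entry point only; the rest are
    scanned over the whole image. First match wins, as in a PEiD-style scan."""
    for name, pattern, ep_only in sigs:
        if ep_only:
            if match_at(pattern, data, ep_offset):
                return name
        elif any(match_at(pattern, data, off)
                 for off in range(len(data) - len(pattern) + 1)):
            return name
    return None


if __name__ == "__main__":
    db_path = find_userdb()
    print("database:", db_path or "none (generic mode only)")
    sigs = parse_userdb(SAMPLE_USERDB)
    print("packer:", identify_packer(sigs, SAMPLE_IMAGE, SAMPLE_EP) or "no packer found")
```

Running the script on a box where neither ./userdb.txt nor /usr/share/pev/userdb.txt exists prints the "none" branch, which is the situation the 0.80 package produced; the constructed sample still matches because the signatures are embedded. The entry-point offset is passed in as a parameter here rather than read from the PE headers, so the same matching code can be exercised without a real executable.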
@merces it seems that .config/pevpev.conf is missing the dir separator. We did fix this in our last conversation, right? Not sure if the fix was in time to get into this package.
openat(AT_FDCWD, "/home/user/.config/pevpev.conf", O_RDWR) = -1 ENOENT (No such file or directory)
@jweyrich yes we did fix it. It was not in time for the package but since the only available option supported by pev.conf is the one that sets the plugins path, it makes no difference for our users. I think it's ok to have this fix in the next release but I'd like to hear you too. 🙂
Sure. No problem! Seeing that output line just made me think for a second if we correctly fixed it - my temporal confusion.
Is this still relevant?
It is not. userdb.txt is an outdated database of packers and protectors. We can just remove pepack from pev to be honest.