pestr adds/misses random characters

[TheBarret]

pestr sometimes removes or adds random characters at the beginning of a string.

command line pestr -o -s -n 5 <path>

screenshot of what we found was incorrect: https://i.imgur.com/rTIu9wc.png

[merces]

Hi there! Can you provide the binary you used to verify that? Thanks in advance!

[TheBarret]

github would not accept the zip/gz attachment for some reason so i made a temporary download link on my server for you, file called Test3.zip http://shares.lethal.click/merces/ Its a crack me type of deal processed by an obfuscator.

[merces]

Hi again. Any chance you could re-upload the binary?

Thanks a lot!

[GoGoOtaku]

I can tell you that at least 3System.Resources.Tools.StronglyTypedResourceBuilder is not wrong as you can find other executables with this string. Going by the image by the original poster my guess was that their executable was a C# generated executable.

And I found a similar output in yoda/c#_WinApp-COMDIR.exe from corkami BinaryCorpus_v2 where it ate the first letter from the text box string The calculations are complete as well. My guess is that the string is stored in UTF-16LE but pestr tries to read it as UTF-16BE.

[GoGoOtaku]

Update: Found the issue. .Net CLI Streams are made up of:

• string size byte
• The actual string in UTF-16LE (technically without terminating zero byte)
• extra byte (0x00 for ASCII character set, 0x01 if the string includes non ASCII characters)

In the current implementation this leads to issues if the string size byte is equivalent to a printable character. In the yoda example this was 59 (29 wide characters and an extra byte) which is equivalent to ;. In fact you can even see ;T show up if you use -n 2.

I will look into a fix in the next couple days.