From a9f4fb912f663a42e358dbacc5206b4be7207aa5 Mon Sep 17 00:00:00 2001
From: Zezula Ladislav
Date: Tue, 23 Jul 2019 10:28:15 +0200
Subject: [PATCH 1/2] Added detection of RLPack
---
 .../heuristics/pe_heuristics.h | 3 ++-
 .../heuristics/pe_heuristics.cpp | 18 +++++++++++++++++-
 2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/include/retdec/cpdetect/compiler_detector/heuristics/pe_heuristics.h b/include/retdec/cpdetect/compiler_detector/heuristics/pe_heuristics.h
index 4ceb25091..2c8badd04 100644
--- a/include/retdec/cpdetect/compiler_detector/heuristics/pe_heuristics.h
+++ b/include/retdec/cpdetect/compiler_detector/heuristics/pe_heuristics.h
@@ -60,7 +60,8 @@ class PeHeuristics : public Heuristics
 void getSecuROMHeuristics();
 void getMPRMMGVAHeuristics();
 void getActiveMarkHeuristics();
- void getPetiteHeuristics();
+ void getRLPackHeuristics();
+ void getPetiteHeuristics();
 void getPelockHeuristics();
 void getEzirizReactorHeuristics();
 void getUpxHeuristics();
diff --git a/src/cpdetect/compiler_detector/heuristics/pe_heuristics.cpp b/src/cpdetect/compiler_detector/heuristics/pe_heuristics.cpp
index 1f871d1b8..1461e062e 100644
--- a/src/cpdetect/compiler_detector/heuristics/pe_heuristics.cpp
+++ b/src/cpdetect/compiler_detector/heuristics/pe_heuristics.cpp
@@ -675,6 +675,21 @@ void PeHeuristics::getActiveMarkHeuristics()
 }
 }
 
+/**
+ * Detection of RLPack packer
+ */
+void PeHeuristics::getRLPackHeuristics()
+{
+ if (search.exactComparison("B800000000600BC07458E8000000005805430000008038E9750361EB35E800000000582500F0FFFF33FF66BB195A6683C33466391875120FB7503C03D0BBE944", toolInfo.epOffset) ||
+ search.exactComparison("57C7C772AFB4DF8D3D5FBA581AFFCF0FACF7F20FBDFEF7C75CDC30270FBAF7330FBBF70FCFBF64A909DB85F681DFAC194648F7DF0FA3F7C7C741BC79A085F7D1", toolInfo.epOffset))
+ {
+ addPacker(DetectionMethod::STRING_SEARCH_H, DetectionStrength::HIGH, "RLPack");
+ }
+
+ // TODO: Need to scan other RLPack variants. We would need a disassembler that normalizes instructions
+ // with jump removing, so we can check sequence like "60E8--8D6424--8B6C24"
+}
+
 /**
 * Detection of Petite packer
 */
@@ -1973,7 +1988,8 @@ void PeHeuristics::getFormatSpecificCompilerHeuristics()
 getSecuROMHeuristics();
 getMPRMMGVAHeuristics();
 getActiveMarkHeuristics();
- getPetiteHeuristics();
+ getRLPackHeuristics();
+ getPetiteHeuristics();
 getPelockHeuristics();
 getEzirizReactorHeuristics();
 getUpxHeuristics();
From 70971399616118ced157fc5a984e43c151f0a84b Mon Sep 17 00:00:00 2001
From: Zezula Ladislav
Date: Tue, 23 Jul 2019 10:31:08 +0200
Subject: [PATCH 2/2] Spaces -> tabs
---
 .../heuristics/pe_heuristics.h | 4 ++--
 .../heuristics/pe_heuristics.cpp | 20 +++++++++----------
 2 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/include/retdec/cpdetect/compiler_detector/heuristics/pe_heuristics.h b/include/retdec/cpdetect/compiler_detector/heuristics/pe_heuristics.h
index 2c8badd04..f502cde1f 100644
--- a/include/retdec/cpdetect/compiler_detector/heuristics/pe_heuristics.h
+++ b/include/retdec/cpdetect/compiler_detector/heuristics/pe_heuristics.h
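Review bot: The two 64-byte hex signatures in the `if` of getRLPackHeuristics are bare literals with nothing recording which RLPack variant each one matches, and the TODO on the last two lines of the function already expects more of them to be added. Moving the signatures into a named, commented table and checking it with a loop makes each future variant a one-line, documented addition and keeps the condition readable; the doc comment could also state that the signatures are compared at `toolInfo.epOffset` only, which is what the calls show. This assumes `search.exactComparison` accepts a `const char*` the way it accepts the literals here — confirm against its declaration. The whole function is inside the hunk; the TODO comment would stay as it is.
```cpp
void PeHeuristics::getRLPackHeuristics()
{
	// Entry-point stubs of known RLPack variants (hex), each compared at
	// toolInfo.epOffset. TODO(review): record the RLPack version each
	// signature was taken from — <variant placeholder>.
	static const char* const rlPackEpSignatures[] = {
		"B800000000600BC07458E8000000005805430000008038E9750361EB35E800000000582500F0FFFF33FF66BB195A6683C33466391875120FB7503C03D0BBE944",
		"57C7C772AFB4DF8D3D5FBA581AFFCF0FACF7F20FBDFEF7C75CDC30270FBAF7330FBBF70FCFBF64A909DB85F681DFAC194648F7DF0FA3F7C7C741BC79A085F7D1"
	};

	for (const auto* signature : rlPackEpSignatures)
	{
		if (search.exactComparison(signature, toolInfo.epOffset))
		{
			addPacker(DetectionMethod::STRING_SEARCH_H, DetectionStrength::HIGH, "RLPack");
			break;
		}
	}

	// … unchanged: TODO about other RLPack variants …
}
```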
@@ -60,8 +60,8 @@ class PeHeuristics : public Heuristics
 void getSecuROMHeuristics();
 void getMPRMMGVAHeuristics();
 void getActiveMarkHeuristics();
- void getRLPackHeuristics();
- void getPetiteHeuristics();
+ void getRLPackHeuristics();
+ void getPetiteHeuristics();
 void getPelockHeuristics();
 void getEzirizReactorHeuristics();
 void getUpxHeuristics();
diff --git a/src/cpdetect/compiler_detector/heuristics/pe_heuristics.cpp b/src/cpdetect/compiler_detector/heuristics/pe_heuristics.cpp
index 1461e062e..602804d54 100644
--- a/src/cpdetect/compiler_detector/heuristics/pe_heuristics.cpp
+++ b/src/cpdetect/compiler_detector/heuristics/pe_heuristics.cpp
@@ -680,14 +680,14 @@ void PeHeuristics::getActiveMarkHeuristics()
 */
 void PeHeuristics::getRLPackHeuristics()
 {
- if (search.exactComparison("B800000000600BC07458E8000000005805430000008038E9750361EB35E800000000582500F0FFFF33FF66BB195A6683C33466391875120FB7503C03D0BBE944", toolInfo.epOffset) ||
- search.exactComparison("57C7C772AFB4DF8D3D5FBA581AFFCF0FACF7F20FBDFEF7C75CDC30270FBAF7330FBBF70FCFBF64A909DB85F681DFAC194648F7DF0FA3F7C7C741BC79A085F7D1", toolInfo.epOffset))
- {
- addPacker(DetectionMethod::STRING_SEARCH_H, DetectionStrength::HIGH, "RLPack");
- }
-
- // TODO: Need to scan other RLPack variants. We would need a disassembler that normalizes instructions
- // with jump removing, so we can check sequence like "60E8--8D6424--8B6C24"
+ if (search.exactComparison("B800000000600BC07458E8000000005805430000008038E9750361EB35E800000000582500F0FFFF33FF66BB195A6683C33466391875120FB7503C03D0BBE944", toolInfo.epOffset) ||
+ search.exactComparison("57C7C772AFB4DF8D3D5FBA581AFFCF0FACF7F20FBDFEF7C75CDC30270FBAF7330FBBF70FCFBF64A909DB85F681DFAC194648F7DF0FA3F7C7C741BC79A085F7D1", toolInfo.epOffset))
+ {
+ addPacker(DetectionMethod::STRING_SEARCH_H, DetectionStrength::HIGH, "RLPack");
+ }
+
+ // TODO: Need to scan other RLPack variants. We would need a disassembler that normalizes instructions
+ // with jump removing, so we can check sequence like "60E8--8D6424--8B6C24"
 }
 
 /**
@@ -1988,8 +1988,8 @@ void PeHeuristics::getFormatSpecificCompilerHeuristics()
 getSecuROMHeuristics();
 getMPRMMGVAHeuristics();
 getActiveMarkHeuristics();
- getRLPackHeuristics();
- getPetiteHeuristics();
+ getRLPackHeuristics();
+ getPetiteHeuristics();
 getPelockHeuristics();
 getEzirizReactorHeuristics();
 getUpxHeuristics();