Merge pull request #402 from j-t-1/rich

Improve parse_rich_header
erocarrera · Aug 26, 2024 · 7756098 · 7756098
2 parents ad2d7e6 + 4f1f49b
commit 7756098
Showing 1 changed file with 6 additions and 5 deletions.
diff --git a/pefile.py b/pefile.py
@@ -3375,7 +3375,7 @@ def parse_rich_header(self):
         # Read a block of data
         try:
             # The end of the structure is 8 bytes after the start of the Rich
-            # string.
+            # string (although there is padding after this).
             rich_data = self.__data__[0x80 : rich_index + 8]
             # Make the data have length a multiple of 4, otherwise the
             # subsequent parsing will fail. It's not impossible that we retrieve
@@ -3401,11 +3401,12 @@ def parse_rich_header(self):
             clear_data.append(ord_(val) ^ ord_(key[idx % len(key)]))
         result["clear_data"] = bytes(clear_data)
 
+        # PE files are stored in little-endian order, the same byte order as an x86
+        # https://wiki.osdev.org/PE
+        checksum = int.from_bytes(key, 'little')
         # the checksum should be present 3 times after the DanS signature
-        #
-        checksum = data[1]
-        if data[0] ^ checksum != DANS or data[2] != checksum or data[3] != checksum:
-            return None
+        if data[0] ^ checksum != DANS or data[1] != checksum or data[2] != checksum or data[3] != checksum:
+            self.__warnings.append("Rich Header is not in Microsoft format, possibly malformed")
 
         result["checksum"] = checksum
         headervalues = []