NSIS Extraction EOF Error

[Squiblydoo]

Description

The xtnsis fails to properly parse some NSIS files such as this one:
https://mega.nz/file/QrsG0STY#4uAml4wfCe8-aAUHIXGuHDMK9Po7JmZgrTyQpYwCbLw
When attempting to parse, the user is returned an error stating "failure in xtnsis: exception of type EOF; Unexpected end of buffer."

To Reproduce

Attempting to use the xtnsis to list or extract from this NSIS installer will produce the error.

emit malware.exe | xtnsis -l
(07:05:29) failure in xtnsis: exception of type EOF; Unexpected end of buffer.

or

emit malware.exe | xtnsis [| dump archive/{path} ]
(07:09:29) failure in xtnsis: exception of type EOFError

Environment

• Operating System: Ubuntu 22.04.4 LTS
• Python Version: Python 3.10.12
• Refinery Version: binary-refinery-0.6.39

Additional Context

I use an adapted copy of xtnsis in my debloat tool. When debugging debloat, the error occurs in the "read_exactly" method an returns the following, which I THINK suggests the error is occurring while parsing the NSIS Script, so perhaps there is another missing instruction or something?:

Exception has occurred: EOF
End of File
  File "/home/Documents/GitHub/debloat/src/debloat/utilities/readers.py", line 329, in read_exactly
    raise EOF(data)
  File "/home/Documents/GitHub/debloat/src/debloat/utilities/readers.py", line 376, in read_integer
    result = int.from_bytes(self.read_exactly(bytecount, peek), self.byteorder_name)
  File "/home/Documents/GitHub/debloat/src/debloat/utilities/readers.py", line 468, in u32
    return self.read_integer(32, peek)
  File "/home/Documents/GitHub/debloat/src/debloat/utilities/nsisParser.py", line 413, in <listcomp>
    self.arguments = [reader.u32() for _ in range(6)]
  File "/home/Documents/GitHub/debloat/src/debloat/utilities/nsisParser.py", line 413, in __init__
    self.arguments = [reader.u32() for _ in range(6)]
  File "/home/Documents/GitHub/debloat/src/debloat/utilities/readers.py", line 575, in wrapped__init__
    original__init__(self, reader, *args, **kwargs)
  File "/home/Documents/GitHub/debloat/src/debloat/utilities/nsisParser.py", line 988, in <listcomp>
    self.instructions: List[NSScriptInstruction] = [NSScriptInstruction(reader) for _ in range(self.block_header_entries.size)]
  File "/home/Documents/GitHub/debloat/src/debloat/utilities/nsisParser.py", line 988, in __init__
    self.instructions: List[NSScriptInstruction] = [NSScriptInstruction(reader) for _ in range(self.block_header_entries.size)]
  File "/home/Documents/GitHub/debloat/src/debloat/utilities/readers.py", line 575, in wrapped__init__
    original__init__(self, reader, *args, **kwargs)
  File "/home/Documents/GitHub/debloat/src/debloat/utilities/nsisParser.py", line 1148, in __init__
    self.header = NSHeader(header_data, size=header_size)
  File "/home/Documents/GitHub/debloat/src/debloat/utilities/readers.py", line 575, in wrapped__init__
    original__init__(self, reader, *args, **kwargs)
  File "/home/Documents/GitHub/debloat/src/debloat/utilities/nsisParser.py", line 1309, in unpack
    raise _error
  File "/home/Documents/GitHub/debloat/src/debloat/utilities/nsisParser.py", line 1309, in unpack
    raise _error
  File "/home/Documents/GitHub/debloat/src/debloat/processor.py", line 114, in check_and_extract_NSIS
    extracted_files = extractor.unpack(memoryview(pe.__data__))
    ```

[huettenhain]

This archive contains its files without any compression, I didn't have a good test case for this method until now, so the code was just buggy. A few offsets were off by 4 where a size prefix was incorrectly read as part of the data. Commit 5ccd3e3 should fix all of this.

[huettenhain]

This is fixed in release 0.6.40. I will close this out. Cheers!

[Squiblydoo]

Awesome work as always. Thank you. :)