Error: unpack_from requires a buffer of at least 2 bytes. #6

Closed
clr2of8 opened this issue Apr 17, 2019 · 3 comments

@clr2of8

clr2of8 commented Apr 17, 2019

Running pcodedmp on VirusTotal sample db52f43dde8a8fff678640539011bff2882ab11d94537d84c6855c5ff1897f71
gives the following error. I can email you the sample if you don't have access to it.

Error: unpack_from requires a buffer of at least 2 bytes.
VarDefn VBA/Sheet2 - 1158 bytes

@bontchev
Owner

I don't have download access to VirusTotal. Please either e-mail it to the e-mail address specified in my profile, or upload it to Hybrid-Analysis.

@malwageddon

Not sure this is specific to my case, but I managed to fix this error by changing the following in the 'disasmObject' function.

This:

flags = getWord(objectTable, offs, endian)
hlName = getWord(objectTable, offs + 6, endian)

to this:

flags = getWord(indirectTable, offs, endian)
hlName = getWord(indirectTable, offs + 6, endian)

@bontchev
Owner

OK, I have reviewed the sample that you sent me. Do not make the changes that you suggested. I haven't made the stupid mistake of addressing the wrong table. Instead, somebody has been actively using a design flaw of pcodedmp and has patched this document so that pcodedmp does not see the modules.

I'll send you a detailed description by e-mail. For now, I am closing the issue. The design flaw will have to be addressed, eventually, in order to handle such attacks, but it involves parsing a very complex and undocumented stream format and I really don't have the time for such an adventure right now.

@bontchev bontchev self-assigned this Jul 9, 2019
@bontchev bontchev added the bug label Jul 9, 2019
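
Added example, not part of the thread and not pcodedmp's own code: the error text in the report is what Python's `struct.unpack_from` raises when a 2-byte read falls outside the buffer it is given. The sketch below bounds-checks the two reads quoted above and reports a too-short table as a triage finding instead of aborting; it does not address the design flaw the owner describes. The body of `get_word`, the names `checked_word`, `read_object_fields`, `triage` and `TruncatedTable`, and the sample bytes are assumptions constructed for illustration.

```python
import struct

class TruncatedTable(Exception):
    """A read would fall outside the table being parsed."""

def get_word(buffer, offset, endian):
    # Assumed body for the getWord() helper named in the thread.
    return struct.unpack_from(endian + "H", buffer, offset)[0]

def checked_word(buffer, offset, endian, table_name):
    # Refuse the read up front so the caller learns which table was short.
    if offset < 0 or offset + 2 > len(buffer):
        raise TruncatedTable(
            "%s: 2-byte read at offset %d, table is %d bytes"
            % (table_name, offset, len(buffer)))
    return get_word(buffer, offset, endian)

def read_object_fields(object_table, offs, endian="<"):
    # The two reads quoted in the thread: flags at offs, hlName at offs + 6.
    flags = checked_word(object_table, offs, endian, "objectTable")
    hl_name = checked_word(object_table, offs + 6, endian, "objectTable")
    return flags, hl_name

def triage(object_table, offs):
    # A short table is reported as a finding instead of aborting the dump.
    try:
        flags, hl_name = read_object_fields(object_table, offs)
    except TruncatedTable as exc:
        return {"status": "suspect", "reason": str(exc)}
    return {"status": "ok", "flags": flags, "hlName": hl_name}

# Constructed sample bytes, not taken from any real document.
GOOD_TABLE = struct.pack("<HHHH", 0x0001, 0, 0, 0x0042)
SHORT_TABLE = GOOD_TABLE[:4]

if __name__ == "__main__":
    for name, table in (("good", GOOD_TABLE), ("short", SHORT_TABLE),
                        ("empty", b"")):
        print(name, triage(table, 0))
```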