From 3402b000429c6189b0103ed549edd811d68e7d5e Mon Sep 17 00:00:00 2001
From: Cyrille Bagard <nocbos@gmail.com>
Date: Wed, 18 Oct 2023 09:18:33 +0200
Subject: Fix (one again) matches for base64 encodings.

---
 plugins/encodings/rost/base64.c | 42 +++++++++++++++++------------------------
 tests/analysis/scan/pyapi.py    |  6 +++---
 2 files changed, 20 insertions(+), 28 deletions(-)

diff --git a/plugins/encodings/rost/base64.c b/plugins/encodings/rost/base64.c
index 15a3ec1..5472ec0 100644
--- a/plugins/encodings/rost/base64.c
+++ b/plugins/encodings/rost/base64.c
@@ -61,7 +61,7 @@ static void g_scan_base64_modifier_finalize(GScanBase64Modifier *);
 static char *g_scan_base64_modifier_get_name(const GScanBase64Modifier *);
 
 /* Finalise l'encoddage en Base64 d'un motif transformé. */
-static void strip_base64_modifier_output(const sized_binary_t *, size_t, sized_binary_t *);
+static void strip_base64_modifier_output(const sized_binary_t *, const sized_binary_t *, size_t, sized_binary_t *);
 
 /* Transforme une séquence d'octets pour motif de recherche. */
 static bool g_scan_base64_modifier_transform(const GScanBase64Modifier *, const sized_binary_t *, size_t, sized_binary_t **, size_t *);
@@ -230,7 +230,8 @@ static char *g_scan_base64_modifier_get_name(const GScanBase64Modifier *modifier
 
 /******************************************************************************
 *                                                                             *
-*  Paramètres  : input  = encodage en Base64 obtenu.                          *
+*  Paramètres  : input  = contenu brut d'origine.                             *
+*                tmpput = encodage en Base64 intermédiaire obtenu.            *
 *                skip   = nombre de caractères initiaux à sauter.             *
 *                output = encodage en Base64 final à conserver.               *
 *                                                                             *
@@ -242,32 +243,23 @@ static char *g_scan_base64_modifier_get_name(const GScanBase64Modifier *modifier
 *                                                                             *
 ******************************************************************************/
 
-static void strip_base64_modifier_output(const sized_binary_t *input, size_t skip, sized_binary_t *output)
+static void strip_base64_modifier_output(const sized_binary_t *input, const sized_binary_t *tmpput, size_t skip, sized_binary_t *output)
 {
-    size_t final_len;                       /* Taille de représentation    */
+    size_t keep;                            /* Nombre d'octets immuables   */
 
-    final_len = input->len;
+    keep = (input->len * 8) / 6;
 
-    if (final_len > 0 && input->bin_data[final_len - 1] == '=')
-    {
-        while (final_len > 0 && input->bin_data[final_len - 1] == '=')
-            final_len--;
-
-        final_len--;
-
-    }
+    assert(keep >= skip);
 
     if (skip > 0)
         skip++;
 
-    assert(final_len >= skip);
-
-    final_len -= skip;
+    keep -= skip;
 
-    output->len = final_len;
-    output->bin_data = malloc(final_len * sizeof(bin_t));
+    output->len = keep;
+    output->bin_data = malloc(keep * sizeof(bin_t));
 
-    memcpy(output->bin_data, input->static_bin_data + skip, final_len);
+    memcpy(output->bin_data, tmpput->static_bin_data + skip, keep);
 
 }
 
@@ -320,7 +312,7 @@ static bool g_scan_base64_modifier_transform(const GScanBase64Modifier *modifier
         result = base64_encode(_src, &tmp_out);
         if (!result) goto exit;
 
-        strip_base64_modifier_output(&tmp_out, 0, binary++);
+        strip_base64_modifier_output(_src, &tmp_out, 0, binary++);
 
         exit_szstr(&tmp_out);
 
@@ -334,7 +326,7 @@ static bool g_scan_base64_modifier_transform(const GScanBase64Modifier *modifier
         result = base64_encode(&tmp_in, &tmp_out);
         if (!result) goto exit;
 
-        strip_base64_modifier_output(&tmp_out, 1, binary++);
+        strip_base64_modifier_output(&tmp_in, &tmp_out, 1, binary++);
 
         exit_szstr(&tmp_out);
 
@@ -349,7 +341,7 @@ static bool g_scan_base64_modifier_transform(const GScanBase64Modifier *modifier
         result = base64_encode(&tmp_in, &tmp_out);
         if (!result) goto exit;
 
-        strip_base64_modifier_output(&tmp_out, 2, binary++);
+        strip_base64_modifier_output(&tmp_in, &tmp_out, 2, binary++);
 
         exit_szstr(&tmp_out);
 
@@ -459,7 +451,7 @@ static bool g_scan_base64_modifier_transform_with_arg(const GScanBase64Modifier
         result = _base64_encode(_src, &tmp_out, &arg->value.string);
         if (!result) goto exit;
 
-        strip_base64_modifier_output(&tmp_out, 0, binary++);
+        strip_base64_modifier_output(_src, &tmp_out, 0, binary++);
 
         exit_szstr(&tmp_out);
 
@@ -473,7 +465,7 @@ static bool g_scan_base64_modifier_transform_with_arg(const GScanBase64Modifier
         result = _base64_encode(&tmp_in, &tmp_out, &arg->value.string);
         if (!result) goto exit;
 
-        strip_base64_modifier_output(&tmp_out, 1, binary++);
+        strip_base64_modifier_output(&tmp_in, &tmp_out, 1, binary++);
 
         exit_szstr(&tmp_out);
 
@@ -488,7 +480,7 @@ static bool g_scan_base64_modifier_transform_with_arg(const GScanBase64Modifier
         result = _base64_encode(&tmp_in, &tmp_out, &arg->value.string);
         if (!result) goto exit;
 
-        strip_base64_modifier_output(&tmp_out, 2, binary++);
+        strip_base64_modifier_output(&tmp_in, &tmp_out, 2, binary++);
 
         exit_szstr(&tmp_out);
 
diff --git a/tests/analysis/scan/pyapi.py b/tests/analysis/scan/pyapi.py
index abc6265..0574d2c 100644
--- a/tests/analysis/scan/pyapi.py
+++ b/tests/analysis/scan/pyapi.py
@@ -127,9 +127,9 @@ class TestRostPythonAPI(ChrysalideTestCase):
         transformed = mod.transform(source)
 
         self.assertEqual(len(transformed), 3)
-        # self.assertEqual(transformed[0], b'QUJD')
-        # self.assertEqual(transformed[1], b'FCQw')
-        # self.assertEqual(transformed[2], b'BQkM')
+        self.assertEqual(transformed[0], b'QUJD')
+        self.assertEqual(transformed[1], b'FCQ')
+        self.assertEqual(transformed[2], b'BQk')
 
 
     def testClassicalAPIHashing(self):
-- 
cgit v0.11.2-87-g4458