Accurately get OverlayAddress for UPX-compressed executables#67
Open
HeroponRikiBestest wants to merge 2 commits intoSabreTools:mainfrom
Open
Accurately get OverlayAddress for UPX-compressed executables#67HeroponRikiBestest wants to merge 2 commits intoSabreTools:mainfrom
HeroponRikiBestest wants to merge 2 commits intoSabreTools:mainfrom
Conversation
… for benefit of extractions that need an accurate overlay address.
mnadareski
reviewed
Jan 29, 2026
mnadareski
reviewed
Jan 30, 2026
Contributor
|
As an update here since it may seem to casual observers that this was just abandoned: We ended up having a much longer conversation in Discord with both of us having hesitancy with changes in either direction. Some testing was done on how consistent a flat replacement of the logic would be (i.e. always use the section data as truth). Initial tests were optimistic that it is generally more reliable than the size of headers. More testing and thought needs to be done because this will impact the vast majority of scanned files. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
For UPX-packed executables, OptionalHeader.SizeOfHeaders is consistently 4096 and wrong, wheras PointerToRawData is consistently 1024 and correct. This PR gets the proper size for UPX-compressed executables, since it's needed for most SFX executables.