From 4f1f49bb935d727986c7e0a394eaeb3a3c9b93ac Mon Sep 17 00:00:00 2001
From: j-t-1 <120829237+j-t-1@users.noreply.github.com>
Date: Wed, 5 Jun 2024 16:03:32 +0100
Subject: [PATCH] Improve parse_rich_header Modify a check failure to be a warning rather than just returning None.
---
 pefile.py | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/pefile.py b/pefile.py
index d28ada2..8272367 100644
--- a/pefile.py
+++ b/pefile.py
@@ -3387,7 +3387,7 @@ def parse_rich_header(self):
 # Read a block of data
 try:
 # The end of the structure is 8 bytes after the start of the Rich
- # string.
+ # string (although there is padding after this).
 rich_data = self.__data__[0x80 : rich_index + 8]
 # Make the data have length a multiple of 4, otherwise the
 # subsequent parsing will fail. It's not impossible that we retrieve
@@ -3413,11 +3413,12 @@ def parse_rich_header(self):
 clear_data.append((ord_(val) ^ ord_(key[idx % len(key)])))
 result["clear_data"] = bytes(clear_data)

+ # PE files are stored in little-endian order, the same byte order as an x86
+ # https://wiki.osdev.org/PE
+ checksum = int.from_bytes(key, 'little')
 # the checksum should be present 3 times after the DanS signature
- #
- checksum = data[1]
- if data[0] ^ checksum != DANS or data[2] != checksum or data[3] != checksum:
- return None
+ if data[0] ^ checksum != DANS or data[1] != checksum or data[2] != checksum or data[3] != checksum:
+ self.__warnings.append("Rich Header is not in Microsoft format, possibly malformed")
 result["checksum"] = checksum

 headervalues = []
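Review bot: In the second hunk, a failed DanS/checksum comparison now only appends a warning and falls through, so `result["checksum"]` and whatever is decoded after it (outside this hunk) are returned for a header that did not validate, where callers previously got `None`. The Rich header comes straight from the file being parsed, so code that uses it for clustering or detection needs a machine-readable signal rather than free text in the warnings list. Consider recording the outcome in the result, e.g. `result["checksum_valid"] = False` in the failure branch (a proposed key, not an existing one) and `True` otherwise, and stating the changed return contract in the docstring. The new `if` line is also much longer than its neighbours and could be wrapped in parentheses, one comparison per line. parse_rich_header starts and ends outside the hunk, so whether `data` always holds at least four entries at this point cannot be confirmed from these lines.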