bool FindNativeCode(byte[] moduleBytes)
{
var bytes = moduleBytes != null ? moduleBytes : DeobUtils.ReadModule(module);
using (var peImage = new MyPEImage(bytes))
return(foundSig = MethodsDecrypter.Detect(peImage));
}
byte[] GetFileData()
{
if (ModuleBytes != null)
{
return(ModuleBytes);
}
return(ModuleBytes = DeobUtils.ReadModule(Module));
}
public override bool GetDecryptedModule(int count, ref byte[] newFileData, ref DumpedMethods dumpedMethods)
{
if (count != 0 || version == Version.Unknown)
{
return(false);
}
byte[] fileData = ModuleBytes ?? DeobUtils.ReadModule(Module);
byte[] decompressed;
using (var peImage = new MyPEImage(fileData)) {
var section = peImage.Sections[peImage.Sections.Count - 1];
var offset = section.PointerToRawData;
offset += 16;
byte[] compressed;
int compressedLen;
switch (version)
{
case Version.V0x:
compressedLen = fileData.Length - (int)offset;
compressed = peImage.OffsetReadBytes(offset, compressedLen);
decompressed = Lzmat.DecompressOld(compressed);
if (decompressed == null)
{
throw new ApplicationException("LZMAT decompression failed");
}
break;
case Version.V1x_217:
case Version.V218:
if (peImage.PEImage.ImageNTHeaders.FileHeader.Machine == Machine.AMD64 && version == Version.V218)
{
offset = section.PointerToRawData + section.VirtualSize;
}
int decompressedLen = (int)peImage.OffsetReadUInt32(offset);
compressedLen = fileData.Length - (int)offset - 4;
compressed = peImage.OffsetReadBytes(offset + 4, compressedLen);
decompressed = new byte[decompressedLen];
uint decompressedLen2;
if (Lzmat.Decompress(decompressed, out decompressedLen2, compressed) != LzmatStatus.OK)
{
throw new ApplicationException("LZMAT decompression failed");
}
break;
default:
throw new ApplicationException("Unknown MPRESS version");
}
}
newFileData = decompressed;
return(true);
}
public override bool GetDecryptedModule(int count, ref byte[] newFileData, ref DumpedMethods dumpedMethods)
{
if (count != 0 || !NeedsPatching())
{
return(false);
}
var fileData = ModuleBytes ?? DeobUtils.ReadModule(module);
if (!decrypterType.Patch(fileData))
{
return(false);
}
newFileData = fileData;
return(true);
}
public override bool GetDecryptedModule(int count, ref byte[] newFileData, ref DumpedMethods dumpedMethods)
{
if (count != 0 || !methodsDecrypter.Detected)
{
return(false);
}
var fileData = DeobUtils.ReadModule(module);
if (!methodsDecrypter.Decrypt(fileData, ref dumpedMethods))
{
return(false);
}
newFileData = fileData;
return(true);
}
bool DecryptModule(ref byte[] newFileData, ref DumpedMethods dumpedMethods)
{
if (!methodsDecrypter.Detected)
{
return(false);
}
byte[] fileData = ModuleBytes ?? DeobUtils.ReadModule(module);
using (var peImage = new MyPEImage(fileData)) {
if (!methodsDecrypter.Decrypt(peImage, ref dumpedMethods))
{
return(false);
}
}
newFileData = fileData;
return(true);
}
public override bool GetDecryptedModule(int count, ref byte[] newFileData, ref DumpedMethods dumpedMethods)
{
if (count != 0 || !options.DecryptMethods)
{
return(false);
}
byte[] fileData = ModuleBytes ?? DeobUtils.ReadModule(Module);
using (var peImage = new MyPEImage(fileData)) {
if (!new MethodsDecrypter().Decrypt(peImage, Module, cliSecureRtType, ref dumpedMethods))
{
Logger.v("Methods aren't encrypted or invalid signature");
return(false);
}
}
newFileData = fileData;
return(true);
}
public override bool GetDecryptedModule(int count, ref byte[] newFileData, ref DumpedMethods dumpedMethods)
{
if (count != 0 || !mainType.Detected)
{
return(false);
}
var fileData = DeobUtils.ReadModule(module);
decrypterInfo = new DecrypterInfo(mainType, fileData);
var methodsDecrypter = new MethodsDecrypter(module, decrypterInfo);
if (!methodsDecrypter.Decrypt(ref dumpedMethods))
{
return(false);
}
newFileData = fileData;
return(true);
}
protected override void ScanForObfuscator()
{
_nativeEmulator = new x86Emulator(DeobUtils.ReadModule(module));
_controlFlowFixer = new ControlFlowFixer(_nativeEmulator);
_lzmaFinder = new LzmaFinder(module, DeobfuscatedFile);
_lzmaFinder.Find();
_constantDecrypter = new ConstantsDecrypter(module, _lzmaFinder.Method, DeobfuscatedFile, _nativeEmulator);
_resourceDecrypter = new ResourceDecrypter(module, _lzmaFinder.Method, DeobfuscatedFile);
if (_lzmaFinder.FoundLzma)
{
_constantDecrypter.Find();
_resourceDecrypter.Find();
}
_proxyCallFixer = new ProxyCallFixer(module, DeobfuscatedFile, _nativeEmulator);
_proxyCallFixer.FindDelegateCreatorMethod();
_proxyCallFixer.Find();
DetectConfuserExAttribute();
}
public override bool GetDecryptedModule(int count, ref byte[] newFileData, ref DumpedMethods dumpedMethods)
{
if (count != 0)
{
return(false);
}
fileData = ModuleBytes ?? DeobUtils.ReadModule(Module);
peImage = new MyPEImage(fileData);
if (!options.DecryptMethods)
{
return(false);
}
var tokenToNativeCode = new Dictionary <uint, byte[]>();
if (!methodsDecrypter.Decrypt(peImage, DeobfuscatedFile, ref dumpedMethods, tokenToNativeCode, unpackedNativeFile))
{
return(false);
}
newFileData = fileData;
return(true);
}
