public string Decrypt(int token, int id)
{
if (!CanDecrypt)
{
throw new ApplicationException("Can't decrypt strings since decryptedData is null");
}
int index = id - (token & 0x00FFFFFF) - stringOffset;
int len = DeobUtils.ReadVariableLengthInt32(decryptedData, ref index);
switch (StringDecrypterInfo.DecrypterVersion)
{
case StringDecrypterVersion.V1:
// Some weird problem with 1.x decrypted strings. They all have a \x01 char at the end.
var buf = Convert.FromBase64String(Encoding.ASCII.GetString(decryptedData, index, len));
if (buf.Length % 2 != 0)
{
Array.Resize(ref buf, buf.Length - 1);
}
return(Encoding.Unicode.GetString(buf));
case StringDecrypterVersion.V2:
return(Encoding.UTF8.GetString(Convert.FromBase64String(Encoding.ASCII.GetString(decryptedData, index, len))));
default:
return(Encoding.UTF8.GetString(Convert.FromBase64String(Encoding.UTF8.GetString(decryptedData, index, len))));
}
}
byte[] DecryptArray(ArrayInfo aryInfo)
{
var ary = new byte[aryInfo.arySize * aryInfo.arrayType.ElementType.GetPrimitiveSize()];
int dataIndex = aryInfo.index;
int len = DeobUtils.ReadVariableLengthInt32(constantsData, ref dataIndex);
Buffer.BlockCopy(constantsData, dataIndex, ary, 0, len);
return(ary);
}
public string Decrypt(int index)
{
int len = DeobUtils.ReadVariableLengthInt32(decryptedData, ref index);
return(Encoding.Unicode.GetString(decryptedData, index, len));
}
void DecryptStrings()
{
var peHeader = decrypterInfo.peHeader;
var mcKey = decrypterInfo.mcKey;
var peImage = decrypterInfo.peImage;
var fileData = decrypterInfo.fileData;
uint usHeapRva = peHeader.GetRva(0x0E00, mcKey.ReadUInt32(0x0078));
uint usHeapSize = peHeader.ReadUInt32(0x0E04) ^ mcKey.ReadUInt32(0x0082);
if (usHeapRva == 0 || usHeapSize == 0)
{
return;
}
var usHeap = peImage.Metadata.USStream;
if (usHeap.StartOffset == 0 || // Start offset is 0 if it's not present in the file
peImage.RvaToOffset(usHeapRva) != (uint)usHeap.StartOffset ||
usHeapSize != (uint)(usHeap.EndOffset - usHeap.StartOffset))
{
Logger.w("Invalid #US heap RVA and size found");
}
Logger.v("Decrypting strings @ RVA {0:X8}, {1} bytes", usHeapRva, usHeapSize);
Logger.Instance.Indent();
int mcKeyOffset = 0;
int usHeapOffset = (int)peImage.RvaToOffset(usHeapRva);
int usHeapEnd = usHeapOffset + (int)usHeapSize;
usHeapOffset++;
while (usHeapOffset < usHeapEnd)
{
if (fileData[usHeapOffset] == 0 || fileData[usHeapOffset] == 1)
{
usHeapOffset++;
continue;
}
int usHeapOffsetOrig = usHeapOffset;
int stringDataLength = DeobUtils.ReadVariableLengthInt32(fileData, ref usHeapOffset);
int usHeapOffsetString = usHeapOffset;
int encryptedLength = stringDataLength - (usHeapOffset - usHeapOffsetOrig == 1 ? 1 : 2);
for (int i = 0; i < encryptedLength; i++)
{
byte k = mcKey.ReadByte(mcKeyOffset++ % 0x2000);
fileData[usHeapOffset] = Rolb((byte)(fileData[usHeapOffset] ^ k), 3);
usHeapOffset++;
}
try {
Logger.v("Decrypted string: {0}", Utils.ToCsharpString(Encoding.Unicode.GetString(fileData, usHeapOffsetString, stringDataLength - 1)));
}
catch {
Logger.v("Could not decrypt string at offset {0:X8}", usHeapOffsetOrig);
}
usHeapOffset++;
}
Logger.Instance.DeIndent();
}
