/// <summary>
/// Processing function called when a file is being unpacked. Allows plugins to check the file
/// and see if it can handle the file for its intended purpose.
/// </summary>
/// <param name="file"></param>
/// <returns></returns>
public override bool CanProcessFile(string file)
{
try
{
// Load the file..
var f = new Pe32File(file);
if (!f.Parse() || f.IsFile64Bit() || !f.HasSection(".bind"))
{
return(false);
}
// Obtain the bind section data..
var bind = f.GetSectionData(".bind");
// Attempt to locate the known v1.x signature..
var variant = Pe32Helpers.FindPattern(bind, "60 81 EC 00 10 00 00 BE ?? ?? ?? ?? B9 6A");
if (variant == -1)
{
return(false);
}
return(true);
}
catch
{
return(false);
}
}
/// <summary>
/// Processing function called when a file is being unpacked. Allows plugins to check the file
/// and see if it can handle the file for its intended purpose.
/// </summary>
/// <param name="file"></param>
/// <returns></returns>
public override bool CanProcessFile(string file)
{
try
{
// Load the file..
var f = new Pe32File(file);
if (!f.Parse())
{
this.Log("Failed to parse PE", LogMessageType.Information);
return(false);
}
if (f.IsFile64Bit())
{
this.Log("Is not 32bit", LogMessageType.Information);
return(false);
}
if (!f.HasSection(".bind"))
{
this.Log("No bind section", LogMessageType.Information);
return(false);
}
// Obtain the bind section data..
var bind = f.GetSectionData(".bind");
// Attempt to locate the known v2.x signature..
return(Pe32Helpers.FindPattern(bind, "53 51 52 56 57 55 8B EC 81 EC 00 10 00 00 C7") > 0);
}
catch (Exception e)
{
this.Log(e.ToString(), LogMessageType.Warning);
return(false);
}
}
/// <summary>
/// Gets the SteamStub header size from the given file.
/// </summary>
/// <param name="f"></param>
/// <returns></returns>
private uint GetHeaderSize(Pe32File f)
{
// Obtain the bind section data..
var bind = f.GetSectionData(".bind");
// Attempt to locate the known v3.x signature..
var varient = Pe32Helpers.FindPattern(bind, "E8 00 00 00 00 50 53 51 52 56 57 55 8B 44 24 1C 2D 05 00 00 00 8B CC 83 E4 F0 51 51 51 50");
if (varient == 0)
{
return(0);
}
// Attempt to determine the varient version..
uint headerSize;
var offset = Pe32Helpers.FindPattern(bind, "55 8B EC 81 EC ?? ?? ?? ?? 53 ?? ?? ?? ?? ?? 68");
if (offset == 0)
{
offset = Pe32Helpers.FindPattern(bind, "55 8B EC 81 EC ?? ?? ?? ?? 53 ?? ?? ?? ?? ?? 8D 83");
if (offset == 0)
{
return(0);
}
headerSize = (uint)BitConverter.ToInt32(bind, (int)offset + 22);
}
else
{
headerSize = (uint)BitConverter.ToInt32(bind, (int)offset + 16);
}
return(headerSize);
}
/// <summary>
/// Processing function called when a file is being unpacked. Allows plugins to check the file
/// and see if it can handle the file for its intended purpose.
/// </summary>
/// <param name="file"></param>
/// <returns></returns>
public override bool CanProcessFile(string file)
{
try
{
// Load the file..
var f = new Pe32File(file);
if (!f.Parse())
{
this.Log("Failed to parse PE", LogMessageType.Information);
return(false);
}
if (f.IsFile64Bit())
{
this.Log("Is not 32bit", LogMessageType.Information);
return(false);
}
if (!f.HasSection(".bind"))
{
this.Log("No bind section", LogMessageType.Information);
return(false);
}
// Check for the known 3.0 header sizes..
var headerSize = this.GetHeaderSize(f);
return(headerSize == 0xB0 || headerSize == 0xD0);
}
catch (Exception e)
{
this.Log(e.ToString(), LogMessageType.Warning);
return(false);
}
}
/// <summary>
/// Processes the given file in attempt to unpack the Steam Stub variant 2.
/// </summary>
/// <param name="file"></param>
/// <returns></returns>
public override bool Process(Pe32File file)
{
Program.Output("File is packed with SteamStub Variant #2!", ConsoleOutputType.Info);
// Store the file object being processed..
this.File = file;
// Step #1 - Read the steam stub header.
Program.Output("Info: Unpacker Stage #1", ConsoleOutputType.Custom, ConsoleColor.Magenta);
if (!this.Step1())
{
Program.Output("Failed to read SteamStub header from file.", ConsoleOutputType.Error);
return(false);
}
// Step #2 - Read the payload.
Program.Output("Info: Unpacker Stage #2", ConsoleOutputType.Custom, ConsoleColor.Magenta);
if (!this.Step2())
{
Program.Output("Failed to read payload from file.", ConsoleOutputType.Error);
return(false);
}
// Step #3 - Read the SteamDRMP.dll file.
Program.Output("Info: Unpacker Stage #3", ConsoleOutputType.Custom, ConsoleColor.Magenta);
if (!this.Step3())
{
Program.Output("Failed to read/dump SteamDRMP.dll from file.", ConsoleOutputType.Error);
return(false);
}
// Step #4 - Find needed offsets within the SteamDRMP.dll file..
Program.Output("Info: Unpacker Stage #4", ConsoleOutputType.Custom, ConsoleColor.Magenta);
if (!this.Step4())
{
Program.Output("Failed to obtain needed offsets from within SteamDRMP.dll.", ConsoleOutputType.Error);
return(false);
}
// Step #5 - Read the code section.
Program.Output("Info: Unpacker Stage #5", ConsoleOutputType.Custom, ConsoleColor.Magenta);
if (!this.Step5())
{
Program.Output("Failed to handle the code section of the file.", ConsoleOutputType.Error);
return(false);
}
// Step #6 - Save the file.
Program.Output("Info: Unpacker Stage #6", ConsoleOutputType.Custom, ConsoleColor.Magenta);
if (!this.Step6())
{
Program.Output("Failed to save unpacked file to disk.", ConsoleOutputType.Error);
return(false);
}
Program.Output("Processed the file successfully!", ConsoleOutputType.Success);
return(true);
}
/// <summary>
/// Processing function called when a file is being unpacked. Allows plugins to check the file
/// and see if it can handle the file for its intended purpose.
/// </summary>
/// <param name="file"></param>
/// <returns></returns>
public override bool CanProcessFile(string file)
{
try
{
// Load the file..
var f = new Pe32File(file);
if (!f.Parse() || f.IsFile64Bit() || !f.HasSection(".bind"))
{
return(false);
}
// Obtain the bind section data..
var bind = f.GetSectionData(".bind");
// Attempt to locate the known v3.x signature..
var varient = Pe32Helpers.FindPattern(bind, "E8 00 00 00 00 50 53 51 52 56 57 55 8B 44 24 1C 2D 05 00 00 00 8B CC 83 E4 F0 51 51 51 50");
if (varient == 0)
{
return(false);
}
// Version patterns..
var varientPatterns = new List <KeyValuePair <string, int> >
{
new KeyValuePair <string, int>("55 8B EC 81 EC ?? ?? ?? ?? 53 ?? ?? ?? ?? ?? 68", 0x10), // v3.1 [Original version?]
new KeyValuePair <string, int>("55 8B EC 81 EC ?? ?? ?? ?? 53 ?? ?? ?? ?? ?? 8D 83", 0x16), // v3.1.1 [Newer, 3.1.1? (Seen 2015?)]
new KeyValuePair <string, int>("55 8B EC 81 EC ?? ?? ?? ?? 56 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D", 0x10) // v3.1.2 [Newer, 3.1.2? (Seen late 2017.)]
};
var headerSize = 0;
uint offset = 0;
foreach (var p in varientPatterns)
{
offset = Pe32Helpers.FindPattern(bind, p.Key);
if (offset <= 0)
{
continue;
}
headerSize = BitConverter.ToInt32(bind, (int)offset + p.Value);
break;
}
// Ensure valid data was found..
if (offset == 0 || headerSize == 0)
{
return(false);
}
return(headerSize == 0xF0);
}
catch
{
return(false);
}
}
/// <summary>
/// Processing function called when a file is being unpacked. Allows plugins to check the file
/// and see if it can handle the file for its intended purpose.
/// </summary>
/// <param name="file"></param>
/// <returns></returns>
public override bool CanProcessFile(string file)
{
try
{
// Load the file..
var f = new Pe32File(file);
if (!f.Parse() || f.IsFile64Bit() || !f.HasSection(".bind"))
{
return(false);
}
// Obtain the bind section data..
var bind = f.GetSectionData(".bind");
// Attempt to locate the known v3.x signature..
var varient = Pe32Helpers.FindPattern(bind, "E8 00 00 00 00 50 53 51 52 56 57 55 8B 44 24 1C 2D 05 00 00 00 8B CC 83 E4 F0 51 51 51 50");
if (varient == 0)
{
return(false);
}
// Attempt to determine the varient version..
int headerSize;
var offset = Pe32Helpers.FindPattern(bind, "55 8B EC 81 EC ?? ?? ?? ?? 53 ?? ?? ?? ?? ?? 68");
if (offset == 0)
{
offset = Pe32Helpers.FindPattern(bind, "55 8B EC 81 EC ?? ?? ?? ?? 53 ?? ?? ?? ?? ?? 8D 83");
if (offset == 0)
{
return(false);
}
headerSize = BitConverter.ToInt32(bind, (int)offset + 22);
}
else
{
headerSize = BitConverter.ToInt32(bind, (int)offset + 16);
}
return(headerSize == 0xF0);
}
catch
{
return(false);
}
}
/// <summary>
/// Processes the given file in attempt to unpack the Steam Stub variant 3.
/// </summary>
/// <param name="file"></param>
/// <returns></returns>
public override bool Process(Pe32File file)
{
Program.Output("File is packed with SteamStub Variant #3!", ConsoleOutputType.Info);
// Store the file object being processed..
this.File = file;
// Step #1 - Read the steam stub header.
Program.Output("Info: Unpacker Stage #1", ConsoleOutputType.Custom, ConsoleColor.Magenta);
if (!this.Step1())
{
return(false);
}
// Step #2 - Read the payload.
Program.Output("Info: Unpacker Stage #2", ConsoleOutputType.Custom, ConsoleColor.Magenta);
if (!this.Step2())
{
return(false);
}
// Step #3 - Read the SteamDRMP.dll file.
Program.Output("Info: Unpacker Stage #3", ConsoleOutputType.Custom, ConsoleColor.Magenta);
if (!this.Step3())
{
return(false);
}
// Step #4 - Read the code section.
Program.Output("Info: Unpacker Stage #4", ConsoleOutputType.Custom, ConsoleColor.Magenta);
if (!this.Step4())
{
return(false);
}
// Step #5 - Save the file.
Program.Output("Info: Unpacker Stage #5", ConsoleOutputType.Custom, ConsoleColor.Magenta);
if (!this.Step5())
{
return(false);
}
Program.Output("Processed the file successfully!", ConsoleOutputType.Success);
return(true);
}
/// <summary>
/// Processing function called when a file is being unpacked. Allows plugins to check the file
/// and see if it can handle the file for its intended purpose.
/// </summary>
/// <param name="file"></param>
/// <returns></returns>
public override bool CanProcessFile(string file)
{
try
{
// Load the file..
var f = new Pe32File(file);
if (!f.Parse() || f.IsFile64Bit() || !f.HasSection(".bind"))
{
return(false);
}
// Check for the known 3.0 header sizes..
var headerSize = this.GetHeaderSize(f);
return(headerSize == 0xB0 || headerSize == 0xD0);
}
catch
{
return(false);
}
}
/// <summary>
/// Processing function called when a file is being unpacked. Allows plugins to check the file
/// and see if it can handle the file for its intended purpose.
/// </summary>
/// <param name="file"></param>
/// <returns></returns>
public override bool CanProcessFile(string file)
{
try
{
// Load the file..
var f = new Pe32File(file);
if (!f.Parse() || f.IsFile64Bit() || !f.HasSection(".bind"))
{
return(false);
}
// Obtain the bind section data..
var bind = f.GetSectionData(".bind");
// Attempt to locate the known v2.0 signature..
return(Pe32Helpers.FindPattern(bind, "53 51 52 56 57 55 8B EC 81 EC 00 10 00 00 BE") != -1);
}
catch
{
return(false);
}
}
/// <summary> /// /// </summary> /// <param name="file"></param> /// <returns></returns> public abstract bool Process(Pe32File file);
/// <summary>
/// Application entry point.
/// </summary>
/// <param name="args"></param>
private static void Main(string[] args)
{
// Override the assembly resolve event for this application..
AppDomain.CurrentDomain.AssemblyResolve += CurrentDomainOnAssemblyResolve;
// Print the application header..
PrintHeader();
// Parse the command line arguments..
Arguments = new List<string>();
Arguments.AddRange(Environment.GetCommandLineArgs());
// Ensure a file was given..
if (args.Length == 0 || string.IsNullOrEmpty(args[0]))
{
PrintHelp();
}
else
{
// Load the file and ensure it is valid..
var file = new Pe32File(args[0]);
if (!file.Parse() || file.IsFile64Bit() || !file.HasSection(".bind"))
return;
// Build a list of known unpackers within our local source..
var unpackers = (from t in Assembly.GetExecutingAssembly().GetTypes()
from a in t.GetCustomAttributes(typeof(SteamStubUnpackerAttribute), false)
select t).ToList();
// Print out the known unpackers we found..
Output("Found the following unpackers (internal):", ConsoleOutputType.Info);
foreach (var attr in unpackers.Select(unpacker => (SteamStubUnpackerAttribute)unpacker.GetCustomAttributes(typeof(SteamStubUnpackerAttribute)).FirstOrDefault()))
Output($" >> Unpacker: {attr?.Name} - by: {attr?.Author}", ConsoleOutputType.Custom, ConsoleColor.Yellow);
Console.WriteLine();
// Process function to try and handle the file..
Func<bool> processed = () =>
{
// Obtain the .bind section data..
var bindSectionData = file.GetSectionData(".bind");
// Attempt to process the file..
return (from unpacker in unpackers
let attr = (SteamStubUnpackerAttribute)unpacker.GetCustomAttributes(typeof(SteamStubUnpackerAttribute)).FirstOrDefault()
where attr != null
where Helpers.FindPattern(bindSectionData, attr.Pattern) != 0
select Activator.CreateInstance(unpacker) as SteamStubUnpacker).Select(stubUnpacker => stubUnpacker.Process(file)).FirstOrDefault();
};
// Process the file..
if (!processed())
{
Console.WriteLine();
Output("Failed to process file.", ConsoleOutputType.Error);
}
}
// Pause the console so newbies can read the results..
Console.WriteLine();
Console.WriteLine("Press any key to exit...");
Console.ReadKey();
}
/// <summary>
/// Processes the given file in attempt to unpack the Steam Stub variant 1.
/// </summary>
/// <param name="file"></param>
/// <returns></returns>
public override bool Process(Pe32File file)
{
Program.Output("File is packed with SteamStub Variant #1!", ConsoleOutputType.Info);
return(false);
}
/// <summary>
/// Processes the given file in attempt to unpack the Steam Stub variant 3.
/// </summary>
/// <param name="file"></param>
/// <returns></returns>
public override bool Process(Pe32File file)
{
Program.Output("File is packed with SteamStub Variant #3!", ConsoleOutputType.Info);
// Store the file object being processed..
this.File = file;
// Step #1 - Read the steam stub header.
Program.Output("Info: Unpacker Stage #1", ConsoleOutputType.Custom, ConsoleColor.Magenta);
if (!this.Step1())
return false;
// Step #2 - Read the payload.
Program.Output("Info: Unpacker Stage #2", ConsoleOutputType.Custom, ConsoleColor.Magenta);
if (!this.Step2())
return false;
// Step #3 - Read the SteamDRMP.dll file.
Program.Output("Info: Unpacker Stage #3", ConsoleOutputType.Custom, ConsoleColor.Magenta);
if (!this.Step3())
return false;
// Step #4 - Read the code section.
Program.Output("Info: Unpacker Stage #4", ConsoleOutputType.Custom, ConsoleColor.Magenta);
if (!this.Step4())
return false;
// Step #5 - Save the file.
Program.Output("Info: Unpacker Stage #5", ConsoleOutputType.Custom, ConsoleColor.Magenta);
if (!this.Step5())
return false;
Program.Output("Processed the file successfully!", ConsoleOutputType.Success);
return true;
}
/// <summary>
/// Processes the given file in attempt to unpack the Steam Stub variant 1.
/// </summary>
/// <param name="file"></param>
/// <returns></returns>
public override bool Process(Pe32File file)
{
Program.Output("File is packed with SteamStub Variant #1!", ConsoleOutputType.Info);
return false;
}
/// <summary>
/// Application entry point.
/// </summary>
/// <param name="args"></param>
private static void Main(string[] args)
{
// Override the assembly resolve event for this application..
AppDomain.CurrentDomain.AssemblyResolve += CurrentDomainOnAssemblyResolve;
// Print the application header..
PrintHeader();
// Parse the command line arguments..
Arguments = new List <string>();
Arguments.AddRange(Environment.GetCommandLineArgs());
// Ensure a file was given..
if (args.Length == 0 || string.IsNullOrEmpty(args[0]))
{
PrintHelp();
}
else
{
// Load the file and ensure it is valid..
var file = new Pe32File(args[0]);
if (!file.Parse() || file.IsFile64Bit() || !file.HasSection(".bind"))
{
return;
}
// Build a list of known unpackers within our local source..
var unpackers = (from t in Assembly.GetExecutingAssembly().GetTypes()
from a in t.GetCustomAttributes(typeof(SteamStubUnpackerAttribute), false)
select t).ToList();
// Print out the known unpackers we found..
Output("Found the following unpackers (internal):", ConsoleOutputType.Info);
foreach (var attr in unpackers.Select(unpacker => (SteamStubUnpackerAttribute)unpacker.GetCustomAttributes(typeof(SteamStubUnpackerAttribute)).FirstOrDefault()))
{
Output($" >> Unpacker: {attr?.Name} - by: {attr?.Author}", ConsoleOutputType.Custom, ConsoleColor.Yellow);
}
Console.WriteLine();
// Process function to try and handle the file..
Func <bool> processed = () =>
{
// Obtain the .bind section data..
var bindSectionData = file.GetSectionData(".bind");
// Attempt to process the file..
return((from unpacker in unpackers
let attr = (SteamStubUnpackerAttribute)unpacker.GetCustomAttributes(typeof(SteamStubUnpackerAttribute)).FirstOrDefault()
where attr != null
where Helpers.FindPattern(bindSectionData, attr.Pattern) != 0
select Activator.CreateInstance(unpacker) as SteamStubUnpacker).Select(stubUnpacker => stubUnpacker.Process(file)).FirstOrDefault());
};
// Process the file..
if (!processed())
{
Console.WriteLine();
Output("Failed to process file.", ConsoleOutputType.Error);
}
}
// Pause the console so newbies can read the results..
Console.WriteLine();
Console.WriteLine("Press any key to exit...");
Console.ReadKey();
}
/// <summary>
/// Processes the given file in attempt to unpack the Steam Stub variant 2.
/// </summary>
/// <param name="file"></param>
/// <returns></returns>
public override bool Process(Pe32File file)
{
Program.Output("File is packed with SteamStub Variant #2!", ConsoleOutputType.Info);
// Store the file object being processed..
this.File = file;
// Step #1 - Read the steam stub header.
Program.Output("Info: Unpacker Stage #1", ConsoleOutputType.Custom, ConsoleColor.Magenta);
if (!this.Step1())
{
Program.Output("Failed to read SteamStub header from file.", ConsoleOutputType.Error);
return false;
}
// Step #2 - Read the payload.
Program.Output("Info: Unpacker Stage #2", ConsoleOutputType.Custom, ConsoleColor.Magenta);
if (!this.Step2())
{
Program.Output("Failed to read payload from file.", ConsoleOutputType.Error);
return false;
}
// Step #3 - Read the SteamDRMP.dll file.
Program.Output("Info: Unpacker Stage #3", ConsoleOutputType.Custom, ConsoleColor.Magenta);
if (!this.Step3())
{
Program.Output("Failed to read/dump SteamDRMP.dll from file.", ConsoleOutputType.Error);
return false;
}
// Step #4 - Find needed offsets within the SteamDRMP.dll file..
Program.Output("Info: Unpacker Stage #4", ConsoleOutputType.Custom, ConsoleColor.Magenta);
if (!this.Step4())
{
Program.Output("Failed to obtain needed offsets from within SteamDRMP.dll.", ConsoleOutputType.Error);
return false;
}
// Step #5 - Read the code section.
Program.Output("Info: Unpacker Stage #5", ConsoleOutputType.Custom, ConsoleColor.Magenta);
if (!this.Step5())
{
Program.Output("Failed to handle the code section of the file.", ConsoleOutputType.Error);
return false;
}
// Step #6 - Save the file.
Program.Output("Info: Unpacker Stage #6", ConsoleOutputType.Custom, ConsoleColor.Magenta);
if (!this.Step6())
{
Program.Output("Failed to save unpacked file to disk.", ConsoleOutputType.Error);
return false;
}
Program.Output("Processed the file successfully!", ConsoleOutputType.Success);
return true;
}
/// <summary> /// /// </summary> /// <param name="file"></param> /// <returns></returns> public abstract bool Process(Pe32File file);
