public McKey(PeImage peImage, PeHeader peHeader)
{
this.peHeader = peHeader;
try {
this.data = peImage.readBytes(peHeader.getMcKeyRva(), 0x2000);
}
catch (IOException) {
this.data = peImage.readBytes(peHeader.getMcKeyRva(), 0x1000);
}
}
public string decrypt(MethodDefinition method, int offset)
{
var info = getDecrypterInfo(method);
if (info.key == null)
{
int length = BitConverter.ToInt32(decryptedData, offset);
return(Encoding.Unicode.GetString(decryptedData, offset + 4, length));
}
else
{
byte[] encryptedStringData;
if (stringDecrypterVersion == StringDecrypterVersion.VER_37)
{
int fileOffset = BitConverter.ToInt32(decryptedData, offset);
int length = BitConverter.ToInt32(fileData, fileOffset);
encryptedStringData = new byte[length];
Array.Copy(fileData, fileOffset + 4, encryptedStringData, 0, length);
}
else if (stringDecrypterVersion == StringDecrypterVersion.VER_38)
{
uint rva = BitConverter.ToUInt32(decryptedData, offset);
int length = peImage.readInt32(rva);
encryptedStringData = peImage.readBytes(rva + 4, length);
}
else
{
throw new ApplicationException("Unknown string decrypter version");
}
return(Encoding.Unicode.GetString(DeobUtils.aesDecrypt(encryptedStringData, info.key, info.iv)));
}
}
// CS 1.x
byte[] unpackNativeFile2(PeImage peImage)
{
var dir = peImage.Resources.getRoot();
if ((dir = dir.getDirectory("ASSEMBLY")) == null)
{
return(null);
}
if ((dir = dir.getDirectory(101)) == null)
{
return(null);
}
var data = dir.getData(0);
if (data == null)
{
return(null);
}
return(ModuleBytes = peImage.readBytes(data.RVA, (int)data.Size));
}
public McKey(PeImage peImage, PeHeader peHeader)
{
this.peHeader = peHeader;
this.data = peImage.readBytes(peHeader.getMcKeyRva(), 0x2000);
}
public byte[] unpack()
{
var resources = peImage.Resources;
var dir = resources.getRoot();
if ((dir = dir.getDirectory(10)) == null)
{
return(null);
}
if ((dir = dir.getDirectory("__")) == null)
{
return(null);
}
var dataEntry = dir.getData(0);
if (dataEntry == null)
{
return(null);
}
var encryptedData = peImage.readBytes(dataEntry.RVA, (int)dataEntry.Size);
if (encryptedData.Length != dataEntry.Size)
{
return(null);
}
var keyData = getKeyData();
if (keyData == null)
{
return(null);
}
var decrypter = new NativeFileDecrypter(keyData);
decrypter.decrypt(encryptedData, 0, encryptedData.Length);
byte[] inflatedData;
if (isNet1x)
{
inflatedData = DeobUtils.inflate(encryptedData, false);
}
else
{
int inflatedSize = BitConverter.ToInt32(encryptedData, 0);
inflatedData = new byte[inflatedSize];
var inflater = new Inflater(false);
inflater.SetInput(encryptedData, 4, encryptedData.Length - 4);
int count = inflater.Inflate(inflatedData);
if (count != inflatedSize)
{
return(null);
}
}
if (BitConverter.ToInt16(inflatedData, 0) != 0x5A4D)
{
return(null);
}
return(inflatedData);
}
