Beispiel #1
 /// <summary>
 /// Loads the key blob located at the RVA reported by <c>peHeader.getMcKeyRva()</c>.
 /// </summary>
 /// <param name="peImage">Image the key bytes are read from.</param>
 /// <param name="peHeader">Header that supplies the key RVA; kept in <c>this.peHeader</c>.</param>
 public McKey(PeImage peImage, PeHeader peHeader)
 {
     const int preferredSize = 0x2000;
     const int fallbackSize = 0x1000;

     try
     {
         this.data = peImage.readBytes(peHeader.getMcKeyRva(), preferredSize);
     }
     catch (IOException)
     {
         // The larger read failed; retry with half the size.
         // NOTE(review): presumably the 0x2000 read ran past the end of the image - confirm.
         // An IOException from this second read is not handled and reaches the caller.
         this.data = peImage.readBytes(peHeader.getMcKeyRva(), fallbackSize);
     }

     this.peHeader = peHeader;
 }
Beispiel #2
        /// <summary>
        /// Returns the string stored at <paramref name="offset"/> in <c>decryptedData</c>.
        /// Without a key the string is read directly; with a key the entry points at an
        /// AES-encrypted blob that is located according to <c>stringDecrypterVersion</c>.
        /// </summary>
        /// <param name="method">Method passed to <c>getDecrypterInfo</c> to look up key and IV.</param>
        /// <param name="offset">Byte index into <c>decryptedData</c>.</param>
        /// <returns>The decoded UTF-16 string.</returns>
        /// <exception cref="ApplicationException">The decrypter version is neither VER_37 nor VER_38.</exception>
        public string decrypt(MethodDefinition method, int offset)
        {
            var decrypterInfo = getDecrypterInfo(method);

            // NOTE(review): every offset and length below is taken from the analysed file's own
            // data and is not range-checked here; a bad value surfaces as an exception from
            // BitConverter, Array.Copy, the array allocation or GetString.

            if (decrypterInfo.key == null)
            {
                // No key: a 4-byte byte count followed by the UTF-16 text itself.
                int byteCount = BitConverter.ToInt32(decryptedData, offset);
                return Encoding.Unicode.GetString(decryptedData, offset + 4, byteCount);
            }

            byte[] cipherText;
            if (stringDecrypterVersion == StringDecrypterVersion.VER_37)
            {
                // The entry holds an index into fileData, where a length-prefixed blob starts.
                int blobOffset = BitConverter.ToInt32(decryptedData, offset);
                int blobLength = BitConverter.ToInt32(fileData, blobOffset);
                cipherText = new byte[blobLength];
                Array.Copy(fileData, blobOffset + 4, cipherText, 0, blobLength);
            }
            else if (stringDecrypterVersion == StringDecrypterVersion.VER_38)
            {
                // The entry holds an RVA; length prefix and blob are read through peImage.
                uint blobRva = BitConverter.ToUInt32(decryptedData, offset);
                int blobLength = peImage.readInt32(blobRva);
                cipherText = peImage.readBytes(blobRva + 4, blobLength);
            }
            else
            {
                throw new ApplicationException("Unknown string decrypter version");
            }

            var plainBytes = DeobUtils.aesDecrypt(cipherText, decrypterInfo.key, decrypterInfo.iv);
            return Encoding.Unicode.GetString(plainBytes);
        }
Beispiel #3
        // CS 1.x
        /// <summary>
        /// Reads data entry 0 of resource directory "ASSEMBLY" / 101, stores the bytes in
        /// <c>ModuleBytes</c> and returns them.
        /// </summary>
        /// <param name="peImage">Image whose resources are searched.</param>
        /// <returns>The resource bytes, or null when a directory or the data entry is missing.</returns>
        byte[] unpackNativeFile2(PeImage peImage)
        {
            var assemblyDir = peImage.Resources.getRoot().getDirectory("ASSEMBLY");
            if (assemblyDir == null)
            {
                return null;
            }

            var idDir = assemblyDir.getDirectory(101);
            if (idDir == null)
            {
                return null;
            }

            var entry = idDir.getData(0);
            if (entry == null)
            {
                return null;
            }

            // RVA and size come from the resource entry of the analysed file.
            // NOTE(review): the returned length is not compared with entry.Size here.
            var moduleBytes = peImage.readBytes(entry.RVA, (int)entry.Size);
            ModuleBytes = moduleBytes;
            return moduleBytes;
        }
Beispiel #4
 /// <summary>
 /// Loads 0x2000 bytes of key data from the RVA reported by <c>peHeader.getMcKeyRva()</c>.
 /// </summary>
 /// <param name="peImage">Image the key bytes are read from.</param>
 /// <param name="peHeader">Header that supplies the key RVA; kept in <c>this.peHeader</c>.</param>
 public McKey(PeImage peImage, PeHeader peHeader)
 {
     const int keySize = 0x2000;

     // No fallback here: any exception from the read propagates to the caller.
     this.data = peImage.readBytes(peHeader.getMcKeyRva(), keySize);
     this.peHeader = peHeader;
 }
Beispiel #5
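        /// <summary>
        /// Extracts the file embedded in resource directory 10 / "__": reads data entry 0,
        /// decrypts it with the key from <c>getKeyData()</c>, inflates it and checks that the
        /// result starts with the "MZ" signature.
        /// </summary>
        /// <returns>
        /// The inflated bytes, or null when the resource or key is missing, the read is short,
        /// the size header is unusable, or the output is not an MZ image.
        /// </returns>
        public byte[] unpack()
        {
            var resources = peImage.Resources;
            var dir       = resources.getRoot();

            if ((dir = dir.getDirectory(10)) == null)
            {
                return(null);
            }
            if ((dir = dir.getDirectory("__")) == null)
            {
                return(null);
            }
            var dataEntry = dir.getData(0);

            if (dataEntry == null)
            {
                return(null);
            }

            var encryptedData = peImage.readBytes(dataEntry.RVA, (int)dataEntry.Size);

            // A short read means the entry points outside the available data.
            if (encryptedData.Length != dataEntry.Size)
            {
                return(null);
            }

            var keyData = getKeyData();

            if (keyData == null)
            {
                return(null);
            }
            var decrypter = new NativeFileDecrypter(keyData);

            // Appears to decrypt in place: the same buffer is consumed as plaintext below.
            decrypter.decrypt(encryptedData, 0, encryptedData.Length);

            byte[] inflatedData;
            if (isNet1x)
            {
                inflatedData = DeobUtils.inflate(encryptedData, false);
            }
            else
            {
                // The buffer starts with a 4-byte inflated size. It comes from the file being
                // unpacked, so reject a truncated buffer or a negative size instead of letting
                // BitConverter, SetInput or the allocation throw.
                if (encryptedData.Length < 4)
                {
                    return(null);
                }
                int inflatedSize = BitConverter.ToInt32(encryptedData, 0);
                if (inflatedSize < 0)
                {
                    return(null);
                }

                // NOTE(review): inflatedSize is allocated up front with no upper bound; callers
                // that process untrusted files may want to cap it.
                inflatedData = new byte[inflatedSize];
                var inflater = new Inflater(false);
                inflater.SetInput(encryptedData, 4, encryptedData.Length - 4);
                int count = inflater.Inflate(inflatedData);
                if (count != inflatedSize)
                {
                    return(null);
                }
            }

            // 0x5A4D is "MZ" read as a little-endian 16-bit value; the read needs two bytes.
            if (inflatedData == null || inflatedData.Length < 2)
            {
                return(null);
            }
            if (BitConverter.ToInt16(inflatedData, 0) != 0x5A4D)
            {
                return(null);
            }

            return(inflatedData);
        }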