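        /// <summary>
        /// Unpacks an MPRESS-compressed module. The LZMAT payload is stored in the last PE
        /// section; where exactly depends on the detected MPRESS <c>version</c>.
        /// Only the first pass (<paramref name="count"/> == 0) does any work.
        /// </summary>
        /// <param name="count">Decryption pass index; anything other than 0 is a no-op.</param>
        /// <param name="newFileData">Receives the decompressed module bytes on success.</param>
        /// <param name="dumpedMethods">Not used by this unpacker; left untouched.</param>
        /// <returns>true if a decompressed image was produced; false if there was nothing to do.</returns>
        /// <exception cref="ApplicationException">
        /// Thrown when the version is unsupported, when the payload offset or declared size
        /// read from the (untrusted) file is out of range, or when LZMAT decompression fails.
        /// </exception>
        public override bool getDecryptedModule(int count, ref byte[] newFileData, ref DumpedMethods dumpedMethods)
        {
            if (count != 0 || version == Version.Unknown)
            {
                return(false);
            }

            byte[] fileData = ModuleBytes ?? DeobUtils.readModule(module);
            byte[] decompressed;
            using (var peImage = new MyPEImage(fileData)) {
                // The payload sits in the last section, behind a 16-byte header.
                var section = peImage.Sections[peImage.Sections.Count - 1];
                var offset  = section.PointerToRawData;
                offset += 16;

                byte[] compressed;
                long   available;
                int    compressedLen;
                switch (version)
                {
                case Version.V0x:
                    // Everything from the offset to end-of-file is the LZMAT stream.
                    // The offset comes from the file's own section table, so make sure it
                    // does not lie past the end of the data before doing length arithmetic.
                    available = (long)fileData.Length - offset;
                    if (available <= 0)
                    {
                        throw new ApplicationException("MPRESS payload offset lies outside the file");
                    }
                    compressedLen = (int)available;
                    compressed    = peImage.offsetReadBytes(offset, compressedLen);
                    decompressed  = Lzmat.decompress_old(compressed);
                    if (decompressed == null)
                    {
                        throw new ApplicationException("LZMAT decompression failed");
                    }
                    break;

                case Version.V1x_217:
                case Version.V218:
                    // 64-bit V218 images keep the payload after the section's virtual data.
                    if (peImage.PEImage.ImageNTHeaders.FileHeader.Machine == Machine.AMD64 && version == Version.V218)
                    {
                        offset = section.PointerToRawData + section.VirtualSize;
                    }
                    // Layout: uint32 decompressed size, then the LZMAT stream to end-of-file.
                    available = (long)fileData.Length - offset - 4;
                    if (available <= 0)
                    {
                        throw new ApplicationException("MPRESS payload offset lies outside the file");
                    }
                    uint declaredLen = peImage.offsetReadUInt32(offset);
                    // The size field is under the packer's (and thus a hostile file's) control.
                    // Above int.MaxValue the (int) cast is negative (or throws when checked),
                    // so reject it here with a clear error instead of failing in new byte[].
                    if (declaredLen > int.MaxValue)
                    {
                        throw new ApplicationException("MPRESS decompressed size is out of range");
                    }
                    int decompressedLen = (int)declaredLen;
                    compressedLen = (int)available;
                    compressed    = peImage.offsetReadBytes(offset + 4, compressedLen);
                    decompressed  = new byte[decompressedLen];
                    uint decompressedLen2;
                    if (Lzmat.decompress(decompressed, out decompressedLen2, compressed) != LzmatStatus.OK)
                    {
                        throw new ApplicationException("LZMAT decompression failed");
                    }
                    // NOTE(review): decompressedLen2 (bytes actually produced) is not compared
                    // with the declared size; the full buffer is returned as before.
                    break;

                default:
                    throw new ApplicationException("Unknown MPRESS version");
                }
            }

            newFileData = decompressed;
            return(true);
        }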
        /// <summary>
        /// Runs the methods decrypter over the raw module bytes, on the first pass only.
        /// </summary>
        /// <param name="count">Pass number; only pass 0 does any work.</param>
        /// <param name="newFileData">
        /// Set to the module byte buffer handed to the decrypter when it succeeds
        /// (presumably the decrypter edits that buffer in place — confirm in MethodsDecrypter).
        /// </param>
        /// <param name="dumpedMethods">Forwarded to the decrypter, which may populate it.</param>
        /// <returns>true when the decrypter reported success; false otherwise.</returns>
        public override bool getDecryptedModule(int count, ref byte[] newFileData, ref DumpedMethods dumpedMethods)
        {
            bool firstPass = count == 0;
            if (!firstPass || !methodsDecrypter.Detected)
            {
                return false;
            }

            byte[] rawModule = DeobUtils.readModule(module);
            bool decrypted = methodsDecrypter.decrypt(rawModule, ref dumpedMethods);
            if (decrypted)
            {
                newFileData = rawModule;
            }
            return decrypted;
        }
        /// <summary>
        /// Applies the decrypter-type patch to the module bytes, on the first pass only.
        /// </summary>
        /// <param name="count">Pass number; only pass 0 does any work.</param>
        /// <param name="newFileData">Set to the patched buffer when patching succeeds.</param>
        /// <param name="dumpedMethods">Not touched by this implementation.</param>
        /// <returns>true when the patch was applied; false when patching was not needed or failed.</returns>
        public override bool getDecryptedModule(int count, ref byte[] newFileData, ref DumpedMethods dumpedMethods)
        {
            if (count != 0)
            {
                return false;
            }
            if (!needsPatching())
            {
                return false;
            }

            // Prefer the already-loaded bytes; fall back to reading the module from disk.
            byte[] image = ModuleBytes;
            if (image == null)
            {
                image = DeobUtils.readModule(module);
            }

            bool patched = decrypterType.patch(image);
            if (patched)
            {
                newFileData = image;
            }
            return patched;
        }
        /// <summary>
        /// Applies the decrypter-type patch through a <c>PeImage</c> view of the module bytes.
        /// </summary>
        /// <param name="newFileData">Set to the underlying byte buffer when patching succeeds.</param>
        /// <param name="dumpedMethods">Not touched by this implementation.</param>
        /// <returns>true when the patch was applied; false when not needed or when it failed.</returns>
        public override bool getDecryptedModule(ref byte[] newFileData, ref DumpedMethods dumpedMethods)
        {
            if (!needsPatching())
            {
                return false;
            }

            byte[] image = ModuleBytes;
            if (image == null)
            {
                image = DeobUtils.readModule(module);
            }
            // NOTE(review): PeImage is not disposed here; fine if it holds no resources — confirm.
            var view = new PeImage(image);

            bool patched = decrypterType.patch(view);
            if (!patched)
            {
                return false;
            }

            // The PeImage wraps `image`, so the patched bytes are the same buffer.
            newFileData = image;
            return true;
        }
        /// <summary>
        /// Decrypts the module's methods via the detected methods decrypter, working on a
        /// <c>MyPEImage</c> view that is disposed before the bytes are handed back.
        /// </summary>
        /// <param name="newFileData">Set to the module byte buffer when decryption succeeds.</param>
        /// <param name="dumpedMethods">Forwarded to the decrypter, which may populate it.</param>
        /// <returns>true on success; false when nothing was detected or decryption failed.</returns>
        bool decryptModule(ref byte[] newFileData, ref DumpedMethods dumpedMethods)
        {
            if (!methodsDecrypter.Detected)
            {
                return false;
            }

            byte[] image = ModuleBytes;
            if (image == null)
            {
                image = DeobUtils.readModule(module);
            }

            bool decrypted;
            using (var view = new MyPEImage(image)) {
                decrypted = methodsDecrypter.decrypt(view, ref dumpedMethods);
            }
            if (!decrypted)
            {
                return false;
            }

            newFileData = image;
            return true;
        }
        /// <summary>
        /// Builds a <c>FileDecrypter</c> for the detected main type and runs it over the
        /// module bytes read from disk.
        /// </summary>
        /// <param name="newFileData">Set to the module byte buffer when decryption succeeds.</param>
        /// <param name="dumpedMethods">Forwarded to the file decrypter, which may populate it.</param>
        /// <returns>true on success; false when the main type was not detected or decryption failed.</returns>
        public override bool getDecryptedModule(ref byte[] newFileData, ref DumpedMethods dumpedMethods)
        {
            if (!mainType.Detected)
            {
                return false;
            }

            byte[] rawModule = DeobUtils.readModule(module);
            var decrypter = new FileDecrypter(mainType);

            bool decrypted = decrypter.decrypt(rawModule, ref dumpedMethods);
            if (decrypted)
            {
                newFileData = rawModule;
            }
            return decrypted;
        }
        /// <summary>
        /// Decrypts CliSecure-protected methods on the first pass, when the
        /// <c>DecryptMethods</c> option is enabled.
        /// </summary>
        /// <param name="count">Pass number; only pass 0 does any work.</param>
        /// <param name="newFileData">Set to the module byte buffer when decryption succeeds.</param>
        /// <param name="dumpedMethods">Forwarded to the decrypter, which may populate it.</param>
        /// <returns>
        /// true on success; false when disabled, on a later pass, or when the decrypter
        /// reports that the methods are not encrypted / the signature is invalid (logged).
        /// </returns>
        public override bool getDecryptedModule(int count, ref byte[] newFileData, ref DumpedMethods dumpedMethods)
        {
            bool firstPass = count == 0;
            if (!firstPass || !options.DecryptMethods)
            {
                return false;
            }

            byte[] image = ModuleBytes;
            if (image == null)
            {
                image = DeobUtils.readModule(module);
            }

            bool decrypted;
            using (var view = new MyPEImage(image)) {
                var decrypter = new MethodsDecrypter();
                decrypted = decrypter.decrypt(view, module, cliSecureRtType, ref dumpedMethods);
            }
            if (!decrypted)
            {
                Logger.v("Methods aren't encrypted or invalid signature");
                return false;
            }

            newFileData = image;
            return true;
        }
        /// <summary>
        /// Decrypts CliSecure-protected methods when the <c>DecryptMethods</c> option is enabled,
        /// using a <c>PeImage</c> view over the module bytes read from disk.
        /// </summary>
        /// <param name="newFileData">Set to the module byte buffer when decryption succeeds.</param>
        /// <param name="dumpedMethods">Forwarded to the decrypter, which may populate it.</param>
        /// <returns>
        /// true on success; false when disabled or when the decrypter reports that the
        /// methods are not encrypted / the signature is invalid (logged).
        /// </returns>
        public override bool getDecryptedModule(ref byte[] newFileData, ref DumpedMethods dumpedMethods)
        {
            if (!options.DecryptMethods)
            {
                return false;
            }

            byte[] rawModule = DeobUtils.readModule(module);
            // NOTE(review): PeImage is not disposed here; fine if it holds no resources — confirm.
            var view = new PeImage(rawModule);
            var decrypter = new MethodsDecrypter();

            bool decrypted = decrypter.decrypt(view, module.FullyQualifiedName, cliSecureRtType, ref dumpedMethods);
            if (!decrypted)
            {
                Log.v("Methods aren't encrypted or invalid signature");
                return false;
            }

            newFileData = rawModule;
            return true;
        }
        /// <summary>
        /// Creates the <c>DecrypterInfo</c> for the detected main type (stored in the
        /// <c>decrypterInfo</c> field as a side effect) and runs the methods decrypter.
        /// First pass only.
        /// </summary>
        /// <param name="count">Pass number; only pass 0 does any work.</param>
        /// <param name="newFileData">Set to the module byte buffer when decryption succeeds.</param>
        /// <param name="dumpedMethods">Forwarded to the decrypter, which may populate it.</param>
        /// <returns>true on success; false when the main type was not detected or decryption failed.</returns>
        public override bool getDecryptedModule(int count, ref byte[] newFileData, ref DumpedMethods dumpedMethods)
        {
            bool firstPass = count == 0;
            if (!firstPass || !mainType.Detected)
            {
                return false;
            }

            byte[] rawModule = DeobUtils.readModule(module);

            // Kept in a field: other parts of the deobfuscator read decrypterInfo later
            // (presumably — its consumers are outside this method).
            decrypterInfo = new DecrypterInfo(mainType, rawModule);
            var decrypter = new MethodsDecrypter(decrypterInfo);

            bool decrypted = decrypter.decrypt(ref dumpedMethods);
            if (decrypted)
            {
                newFileData = rawModule;
            }
            return decrypted;
        }
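        /// <summary>
        /// Decrypts the module's methods on the first pass and, when <c>DumpNativeMethods</c>
        /// is set, writes every recovered native method body to a "&lt;module&gt;.native" file
        /// next to the module.
        /// </summary>
        /// <param name="count">Pass number; only pass 0 does any work.</param>
        /// <param name="newFileData">Set to the module byte buffer when decryption succeeds.</param>
        /// <param name="dumpedMethods">Forwarded to the decrypter, which may populate it.</param>
        /// <returns>true on success; false on a later pass, when disabled, or when decryption failed.</returns>
        public override bool getDecryptedModule(int count, ref byte[] newFileData, ref DumpedMethods dumpedMethods)
        {
            if (count != 0)
            {
                return(false);
            }
            // These are fields, assigned before the DecryptMethods check; keep that order so
            // they stay available to the rest of the class even when decryption is skipped.
            fileData = ModuleBytes ?? DeobUtils.readModule(module);
            peImage  = new PeImage(fileData);

            if (!options.DecryptMethods)
            {
                return(false);
            }

            // Filled in by the decrypter: metadata token -> native code bytes.
            var tokenToNativeCode = new Dictionary <uint, byte[]>();

            if (!methodsDecrypter.decrypt(peImage, DeobfuscatedFile, ref dumpedMethods, tokenToNativeCode))
            {
                return(false);
            }

            if (options.DumpNativeMethods)
            {
                var sortedTokens = new List <uint>(tokenToNativeCode.Keys);
                sortedTokens.Sort();
                // Record layout per method: 0xB8 (x86 "mov eax, imm32") + token, the native
                // body, then four 0x90 NOPs. The marker lets each body be located in the dump.
                var nops = new byte[] { 0x90, 0x90, 0x90, 0x90 };
                using (var fileStream = new FileStream(module.FullyQualifiedName + ".native", FileMode.Create, FileAccess.Write, FileShare.Read))
                // Disposing the writer flushes it; disposing the stream twice is harmless.
                using (var writer = new BinaryWriter(fileStream))
                {
                    foreach (var token in sortedTokens)
                    {
                        writer.Write((byte)0xB8);
                        writer.Write(token);
                        writer.Write(tokenToNativeCode[token]);
                        writer.Write(nops);
                    }
                }
            }

            newFileData = fileData;
            return(true);
        }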
        /// <summary>
        /// Decrypts the module's methods on the first pass, when the <c>DecryptMethods</c>
        /// option is enabled. The module bytes and their <c>MyPEImage</c> view are stored in
        /// fields before the option check so the rest of the class can use them either way.
        /// </summary>
        /// <param name="count">Pass number; only pass 0 does any work.</param>
        /// <param name="newFileData">Set to the module byte buffer when decryption succeeds.</param>
        /// <param name="dumpedMethods">Forwarded to the decrypter, which may populate it.</param>
        /// <returns>true on success; false on a later pass, when disabled, or when decryption failed.</returns>
        public override bool getDecryptedModule(int count, ref byte[] newFileData, ref DumpedMethods dumpedMethods)
        {
            bool firstPass = count == 0;
            if (!firstPass)
            {
                return false;
            }

            byte[] image = ModuleBytes;
            if (image == null)
            {
                image = DeobUtils.readModule(module);
            }
            fileData = image;
            // NOTE(review): the MyPEImage field is not disposed here; presumably the owning
            // class disposes it elsewhere — confirm.
            peImage  = new MyPEImage(image);

            if (!options.DecryptMethods)
            {
                return false;
            }

            // Filled in by the decrypter: metadata token -> native code bytes.
            var nativeCodeByToken = new Dictionary <uint, byte[]>();
            bool decrypted = methodsDecrypter.decrypt(peImage, DeobfuscatedFile, ref dumpedMethods, nativeCodeByToken, unpackedNativeFile);
            if (!decrypted)
            {
                return false;
            }

            newFileData = image;
            return true;
        }