public void Phase5(Stream stream, MetadataProcessor.ImageAccessor accessor)
{
stream.Seek(0, SeekOrigin.Begin);
uint csOffset;
uint sn;
uint snLen;
ExtractCodes(stream, accessor, out csOffset, out sn, out snLen);
stream.Position = 0;
MemoryStream ms = new MemoryStream();
ms.WriteByte(0xd6);
ms.WriteByte(0x6f);
BinaryWriter wtr = new BinaryWriter(ms);
wtr.Write((uint)codes.Length);
for (int i = 0; i < codes.Length; i++)
{
wtr.Write((int)(ptrs[i] ^ key4));
if (ptrs[i] == 0) continue;
Confuser.Database.AddEntry("AntiTamper", rvas[i].ToString("X8"), ms.Position);
wtr.Write((int)(rvas[i] ^ key5));
wtr.Write(codes[i].Length);
wtr.Write(codes[i]);
}
byte[] buff;
BinaryReader sReader = new BinaryReader(stream);
using (MemoryStream str = new MemoryStream())
{
var mdPtr = accessor.ResolveVirtualAddress(accessor.GetTextSegmentRange(TextSegment.MetadataHeader).Start);
stream.Position = mdPtr + 12;
stream.Position += sReader.ReadUInt32() + 4;
stream.Position += 2;
ushort streams = sReader.ReadUInt16();
for (int i = 0; i < streams; i++)
{
uint offset = mdPtr + sReader.ReadUInt32();
uint size = sReader.ReadUInt32();
int c = 0;
while (sReader.ReadByte() != 0) c++;
long ori = stream.Position += (((c + 1) + 3) & ~3) - (c + 1);
stream.Position = offset;
str.Write(sReader.ReadBytes((int)size), 0, (int)size);
stream.Position = ori;
}
buff = str.ToArray();
}
byte[] iv;
byte[] dat = Encrypt(Confuser.ObfuscationHelper, buff, ms.ToArray(), out iv, key6);
byte[] md5 = MD5.Create().ComputeHash(buff);
long checkSum = BitConverter.ToInt64(md5, 0) ^ BitConverter.ToInt64(md5, 8);
wtr = new BinaryWriter(stream);
stream.Seek(csOffset, SeekOrigin.Begin);
wtr.Write(accessor.GetTextSegmentRange(TextSegment.MetadataHeader).Start ^ (uint)key0);
stream.Seek(accessor.GetSection(sectName).PointerToRawData, SeekOrigin.Begin);
wtr.Write(checkSum ^ key1);
wtr.Write(sn);
wtr.Write(snLen);
wtr.Write(iv.Length ^ key2);
wtr.Write(iv);
wtr.Write(dat.Length ^ key3);
wtr.Write(dat);
}
void ExtractCodes(Stream stream, MetadataProcessor.ImageAccessor accessor, out uint csOffset, out uint sn, out uint snLen)
{
BinaryReader rdr = new BinaryReader(stream);
stream.Seek(0x3c, SeekOrigin.Begin);
uint offset = rdr.ReadUInt32();
stream.Seek(offset, SeekOrigin.Begin);
stream.Seek(0x6, SeekOrigin.Current);
uint sections = rdr.ReadUInt16();
stream.Seek(offset = offset + 0x18, SeekOrigin.Begin); //Optional hdr
bool pe32 = (rdr.ReadUInt16() == 0x010b);
csOffset = offset + 0x40;
stream.Seek(offset = offset + (pe32 ? 0xE0U : 0xF0U), SeekOrigin.Begin); //sections
for (int i = 0; i < rvas.Length; i++)
{
if (rvas[i] == 0) continue;
ptrs[i] = accessor.ResolveVirtualAddress(rvas[i]);
stream.Seek(ptrs[i], SeekOrigin.Begin);
byte b = rdr.ReadByte();
if ((b & 0x3) == 0x2)
{
stream.Seek((uint)b >> 2, SeekOrigin.Current);
}
else
{
stream.Seek(-1, SeekOrigin.Current);
ushort f = rdr.ReadUInt16();
stream.Seek(2, SeekOrigin.Current);
uint size = rdr.ReadUInt32();
stream.Seek(4 + size, SeekOrigin.Current);
if ((f & 0x80) != 0)
{
stream.Seek((stream.Position + 3) & ~3, SeekOrigin.Begin);
bool more;
do
{
byte fl = rdr.ReadByte();
more = ((fl & 0x80) != 0);
if ((fl & 0x40) != 0)
{
stream.Seek(-1, SeekOrigin.Current);
uint sectLen = rdr.ReadUInt32() >> 8;
stream.Seek(-4 + sectLen, SeekOrigin.Current);
}
else
{
byte sectLen = rdr.ReadByte();
stream.Seek(-1 + sectLen, SeekOrigin.Current);
}
} while (more);
}
}
long len = stream.Position - ptrs[i];
stream.Seek(ptrs[i], SeekOrigin.Begin);
codes[i] = rdr.ReadBytes((int)len);
stream.Seek(ptrs[i], SeekOrigin.Begin);
byte[] bs = new byte[len];
stream.Write(bs, 0, (int)len);
}
stream.Seek(offset - 16, SeekOrigin.Begin);
uint mdDir = accessor.ResolveVirtualAddress(rdr.ReadUInt32());
stream.Seek(mdDir + 0x20, SeekOrigin.Begin);
sn = accessor.ResolveVirtualAddress(rdr.ReadUInt32());
snLen = rdr.ReadUInt32();
}
static void ExtractOffsets(Stream stream, MetadataProcessor.ImageAccessor accessor, out uint csOffset, out uint sn, out uint snLen)
{
BinaryReader rdr = new BinaryReader(stream);
stream.Seek(0x3c, SeekOrigin.Begin);
uint offset = rdr.ReadUInt32();
stream.Seek(offset, SeekOrigin.Begin);
stream.Seek(0x6, SeekOrigin.Current);
uint sections = rdr.ReadUInt16();
stream.Seek(offset = offset + 0x18, SeekOrigin.Begin); //Optional hdr
bool pe32 = (rdr.ReadUInt16() == 0x010b);
csOffset = offset + 0x40;
stream.Seek(offset = offset + (pe32 ? 0xE0U : 0xF0U), SeekOrigin.Begin); //sections
stream.Seek(offset - 16, SeekOrigin.Begin);
uint mdDir = accessor.ResolveVirtualAddress(rdr.ReadUInt32());
stream.Seek(mdDir + 0x20, SeekOrigin.Begin);
sn = accessor.ResolveVirtualAddress(rdr.ReadUInt32());
snLen = rdr.ReadUInt32();
}
