bool readCodeHeader(uint offset)
{
codeHeader.signature = peImage.offsetReadBytes(offset, 16);
codeHeader.decryptionKey = peImage.offsetReadBytes(offset + 0x10, 16);
codeHeader.totalCodeSize = peImage.offsetReadUInt32(offset + 0x20);
codeHeader.numMethods = peImage.offsetReadUInt32(offset + 0x24);
codeHeader.methodDefTableOffset = peImage.offsetReadUInt32(offset + 0x28);
codeHeader.methodDefElemSize = peImage.offsetReadUInt32(offset + 0x2C);
if (Utils.compare(codeHeader.signature, normalSignature))
{
decrypter = new NormalDecrypter(peImage, codeHeader);
}
else if (Utils.compare(codeHeader.signature, proSignature))
{
decrypter = new ProDecrypter(peImage, codeHeader);
}
else
{
return(false);
}
if (codeHeader.totalCodeSize > 0x10000000)
{
return(false);
}
if (codeHeader.numMethods > 512 * 1024)
{
return(false);
}
return(true);
}
byte[] unpack2()
{
shouldUnpack = false;
uint headerOffset = peImage.ImageLength - 12;
uint offsetEncryptedAssembly = checkOffset(peImage.offsetReadUInt32(headerOffset));
uint ezencryptionLibLength = peImage.offsetReadUInt32(headerOffset + 4);
uint iniFileLength = peImage.offsetReadUInt32(headerOffset + 8);
uint offsetClrVersionNumber = checked (offsetEncryptedAssembly - 12);
uint iniFileOffset = checked (headerOffset - iniFileLength);
uint ezencryptionLibOffset = checked (iniFileOffset - ezencryptionLibLength);
uint clrVerMajor = peImage.offsetReadUInt32(offsetClrVersionNumber);
uint clrVerMinor = peImage.offsetReadUInt32(offsetClrVersionNumber + 4);
uint clrVerBuild = peImage.offsetReadUInt32(offsetClrVersionNumber + 8);
if (clrVerMajor <= 0 || clrVerMajor >= 20 || clrVerMinor >= 20 || clrVerBuild >= 1000000)
{
return(null);
}
var settings = new IniFile(decompress2(peImage.offsetReadBytes(iniFileOffset, (int)iniFileLength)));
sizes = getSizes(settings["General_App_Satellite_Assemblies_Sizes"]);
if (sizes == null || sizes.Length <= 1)
{
return(null);
}
shouldUnpack = true;
if (sizes[0] != offsetEncryptedAssembly)
{
return(null);
}
filenames = settings["General_App_Satellite_Assemblies"].Split('|');
if (sizes.Length - 1 != filenames.Length)
{
return(null);
}
byte[] ezencryptionLibData = decompress1(peImage.offsetReadBytes(ezencryptionLibOffset, (int)ezencryptionLibLength));
var ezencryptionLibModule = ModuleDefinition.ReadModule(new MemoryStream(ezencryptionLibData));
var decrypter = new ApplicationModeDecrypter(ezencryptionLibModule);
if (!decrypter.Detected)
{
return(null);
}
var mainAssembly = unpackEmbeddedFile(0, decrypter);
decrypter.MemoryPatcher.patch(mainAssembly.data);
for (int i = 1; i < filenames.Length; i++)
{
satelliteAssemblies.Add(unpackEmbeddedFile(i, decrypter));
}
clearDllBit(mainAssembly.data);
return(mainAssembly.data);
}
void readCodeHeader(uint offset)
{
codeHeader.signature = peImage.offsetReadBytes(offset, 16);
codeHeader.decryptionKey = peImage.offsetReadBytes(offset + 0x10, 16);
codeHeader.totalCodeSize = peImage.offsetReadUInt32(offset + 0x20);
codeHeader.numMethods = peImage.offsetReadUInt32(offset + 0x24);
codeHeader.methodDefTableOffset = peImage.offsetReadUInt32(offset + 0x28);
codeHeader.methodDefElemSize = peImage.offsetReadUInt32(offset + 0x2C);
}
public override bool getDecryptedModule(int count, ref byte[] newFileData, ref DumpedMethods dumpedMethods)
{
if (count != 0 || version == Version.Unknown)
{
return(false);
}
byte[] fileData = ModuleBytes ?? DeobUtils.readModule(module);
var peImage = new PeImage(fileData);
var section = peImage.Sections[peImage.Sections.Length - 1];
var offset = section.pointerToRawData;
offset += 16;
byte[] decompressed, compressed;
int compressedLen;
switch (version)
{
case Version.V0x:
compressedLen = fileData.Length - (int)offset;
compressed = peImage.offsetReadBytes(offset, compressedLen);
decompressed = Lzmat.decompress_old(compressed);
if (decompressed == null)
{
throw new ApplicationException("LZMAT decompression failed");
}
break;
case Version.V1x_217:
case Version.V218:
if (peImage.FileHeader.machine == Machine.amd64 && version == Version.V218)
{
offset = section.pointerToRawData + section.virtualSize;
}
int decompressedLen = (int)peImage.offsetReadUInt32(offset);
compressedLen = fileData.Length - (int)offset - 4;
compressed = peImage.offsetReadBytes(offset + 4, compressedLen);
decompressed = new byte[decompressedLen];
uint decompressedLen2;
if (Lzmat.decompress(decompressed, out decompressedLen2, compressed) != LzmatStatus.OK)
{
throw new ApplicationException("LZMAT decompression failed");
}
break;
default:
throw new ApplicationException("Unknown MPRESS version");
}
newFileData = decompressed;
return(true);
}
public PeHeader(MainType mainType, PeImage peImage)
{
uint headerOffset;
version = getHeaderOffsetAndVersion(peImage, out headerOffset);
headerData = peImage.offsetReadBytes(headerOffset, 0x1000);
}
static void readTo(PeImage peImage, byte[] data, int destOffset, uint imageOffset, uint maxLength)
{
if (destOffset > data.Length)
{
return;
}
int len = Math.Min(data.Length - destOffset, (int)maxLength);
var newData = peImage.offsetReadBytes(imageOffset, len);
Array.Copy(newData, 0, data, destOffset, newData.Length);
}
public static bool detect(PeImage peImage)
{
try {
uint codeHeaderOffset = getCodeHeaderOffset(peImage);
if (isValidSignature(peImage.offsetReadBytes(codeHeaderOffset, 16)))
{
return(true);
}
}
catch {
}
try {
uint codeHeaderOffset = getOldCodeHeaderOffset(peImage);
if (codeHeaderOffset != 0 && isValidSignature(peImage.offsetReadBytes(codeHeaderOffset, 16)))
{
return(true);
}
}
catch {
}
return(false);
}
byte[] getKeyData()
{
isNet1x = false;
for (int i = 0; i < baseOffsets.Length; i++)
{
var code = peImage.offsetReadBytes(baseOffsets[i], decryptMethodPattern.Length);
if (DeobUtils.isCode(decryptMethodPattern, code))
{
return(getKeyData(baseOffsets[i]));
}
}
var net1xCode = peImage.offsetReadBytes(0x207E0, startMethodNet1xPattern.Length);
if (DeobUtils.isCode(startMethodNet1xPattern, net1xCode))
{
isNet1x = true;
return(new byte[6] {
0x34, 0x38, 0x63, 0x65, 0x7A, 0x35
});
}
return(null);
}
byte[] readData(uint offset, int size)
{
return(peImage.offsetReadBytes(encryptedDataOffset + offset, size));
}
