void DecryptStrings(uint[] key)
{
var data = stringDataField.InitialValue;
var encryptedData = new uint[data.Length / 4];
Buffer.BlockCopy(data, 0, encryptedData, 0, data.Length);
DeobUtils.XxteaDecrypt(encryptedData, key);
var decryptedData = new byte[data.Length];
Buffer.BlockCopy(encryptedData, 0, decryptedData, 0, data.Length);
var inflated = DeobUtils.Inflate(decryptedData, 0, decryptedData.Length, true);
var reader = ByteArrayDataReaderFactory.CreateReader(inflated);
/*int deflatedLength = (int)*/ reader.ReadCompressedUInt32();
int numStrings = (int)reader.ReadCompressedUInt32();
decryptedStrings = new string[numStrings];
var offsets = new int[numStrings];
for (int i = 0; i < numStrings; i++)
{
offsets[i] = (int)reader.ReadCompressedUInt32();
}
int startOffset = (int)reader.Position;
for (int i = 0; i < numStrings; i++)
{
reader.Position = (uint)(startOffset + offsets[i]);
decryptedStrings[i] = reader.ReadSerializedString();
}
}
byte[] Decrypt_v17_r73404(byte[] data)
{
var reader = new BinaryReader(new MemoryStream(data));
data = Decrypt_v15_r60785(reader, out var key, out var iv);
reader = new BinaryReader(new MemoryStream(DeobUtils.Inflate(DeobUtils.AesDecrypt(data, key, iv), true)));
return(reader.ReadBytes(reader.ReadInt32()));
}
byte[] Decrypt_v10_r42915(byte[] data)
{
for (int i = 0; i < data.Length; i++)
{
data[i] ^= (byte)(i ^ key0);
}
return(DeobUtils.Inflate(data, true));
}
byte[] Decompress(byte[] compressed)
{
if (lzmaType != null)
{
return(ConfuserUtils.SevenZipDecompress(compressed));
}
return(DeobUtils.Inflate(compressed, true));
}
public byte[] Unpack()
{
if (peImage.PEImage.Win32Resources == null)
{
return(null);
}
var dataEntry = peImage.PEImage.Win32Resources.Find(10, "__", 0);
if (dataEntry == null)
{
return(null);
}
var encryptedData = dataEntry.CreateReader().ToArray();
var keyData = GetKeyData();
if (keyData == null)
{
return(null);
}
var decrypter = new NativeFileDecrypter(keyData);
decrypter.Decrypt(encryptedData, 0, encryptedData.Length);
byte[] inflatedData;
if (isNet1x)
{
inflatedData = DeobUtils.Inflate(encryptedData, false);
}
else
{
int inflatedSize = BitConverter.ToInt32(encryptedData, 0);
inflatedData = new byte[inflatedSize];
var inflater = new Inflater(false);
inflater.SetInput(encryptedData, 4, encryptedData.Length - 4);
int count = inflater.Inflate(inflatedData);
if (count != inflatedSize)
{
return(null);
}
}
// CLR 1.x or DNR v4.0 - v4.4
if (BitConverter.ToInt16(inflatedData, 0) == 0x5A4D)
{
return(inflatedData);
}
// DNR v4.5
if (BitConverter.ToInt16(inflatedData, loaderHeaderSizeV45) == 0x5A4D)
{
return(UnpackLoader(inflatedData));
}
return(null);
}
public override void Initialize(byte[] methodsData)
{
var data = DeobUtils.Inflate(methodsData, true);
decryptKey = BitConverter.GetBytes(BitConverter.ToUInt32(data, 0));
var newMethodsData = new byte[data.Length - 4];
Array.Copy(data, 4, newMethodsData, 0, newMethodsData.Length);
base.Initialize(newMethodsData);
}
protected static byte[] InflateIfNeeded(byte[] data, int start, int len)
{
if (BitConverter.ToInt16(data, start) != 0x5A4D)
{
return(DeobUtils.Inflate(data, start, len, true));
}
var data2 = new byte[len];
Array.Copy(data, start, data2, 0, data2.Length);
return(data2);
}
public byte[] Decrypt(byte[] encryptedData)
{
int index = 0;
byte[] key, iv;
bool isCompressed = GetKeyIv(GetHeaderData(encryptedData, ref index), out key, out iv);
var data = DeobUtils.DesDecrypt(encryptedData, index, encryptedData.Length - index, key, iv);
if (isCompressed)
{
data = DeobUtils.Inflate(data, inflater);
}
return(data);
}
public byte[] Decrypt(byte[] encryptedData)
{
var reader = new BinaryReader(new MemoryStream(encryptedData));
bool isCompressed = GetHeaderData(reader, out var key, out var iv);
var data = DeobUtils.DesDecrypt(encryptedData,
(int)reader.BaseStream.Position,
(int)(reader.BaseStream.Length - reader.BaseStream.Position),
key, iv);
if (isCompressed)
{
data = DeobUtils.Inflate(data, true);
}
return(data);
}
public override void Initialize()
{
if ((resource = FindResource(theDecrypterInfo.decryptMethod)) == null)
{
throw new ApplicationException("Could not find encrypted consts resource");
}
InitializeDecrypterInfos();
if (!InitializeFields(theDecrypterInfo))
{
throw new ApplicationException("Could not find all fields");
}
SetConstantsData(DeobUtils.Inflate(resource.CreateReader().ToArray(), true));
}
public void Initialize()
{
if (info.dataField == null)
{
return;
}
FindOtherTypes();
var decompressed = DeobUtils.Inflate(info.dataField.InitialValue, true);
reader = MemoryImageStream.Create(decompressed);
info.dataField.FieldSig.Type = module.CorLibTypes.Byte;
info.dataField.InitialValue = new byte[1];
info.dataField.RVA = 0;
}
byte[] Decrypt_v14_r58852(byte[] data)
{
var reader = new BinaryReader(new MemoryStream(DeobUtils.Inflate(data, true)));
data = reader.ReadBytes(reader.ReadInt32());
for (int i = 0; i < data.Length; i++)
{
if ((i & 1) == 0)
{
data[i] ^= (byte)((key0 & 0xF) - i);
}
else
{
data[i] ^= (byte)((key0 >> 4) + i);
}
data[i] -= (byte)i;
}
return(data);
}
public override void Initialize()
{
if (resourceName != null)
{
resource = DotNetUtils.GetResource(module, resourceName) as EmbeddedResource;
}
else
{
resource = FindResource(initMethod);
}
if (resource == null)
{
throw new ApplicationException("Could not find encrypted consts resource");
}
FindDecrypterInfos();
InitializeDecrypterInfos();
SetConstantsData(DeobUtils.Inflate(resource.CreateReader().ToArray(), true));
}
void FindEmbeddedAssemblies()
{
var data = bundleData.Data.ReadAllBytes();
var doc = new XmlDocument();
bundleXmlFile.Data.Position = 0;
doc.Load(XmlReader.Create(bundleXmlFile.Data.CreateStream()));
var manifest = doc.DocumentElement;
if (manifest.Name.ToLowerInvariant() != "manifest")
{
Logger.w("Could not find Manifest element");
return;
}
foreach (var tmp in manifest.ChildNodes)
{
var assemblyElem = tmp as XmlElement;
if (assemblyElem == null)
{
continue;
}
if (assemblyElem.Name.ToLowerInvariant() != "assembly")
{
Logger.w("Unknown element: {0}", assemblyElem.Name);
continue;
}
int offset = GetAttributeValueInt32(assemblyElem, "offset");
if (offset < 0)
{
Logger.w("Could not find offset attribute");
continue;
}
var assemblyData = DeobUtils.Inflate(data, offset, data.Length - offset, true);
var mod = ModuleDefMD.Load(assemblyData);
infos.Add(new AssemblyInfo(mod.Assembly.FullName, DeobUtils.GetExtension(mod.Kind), assemblyData));
}
}
public EmbeddedResource MergeResources()
{
if (encryptedResource.Resource == null)
{
return(null);
}
DeobUtils.DecryptAndAddResources(module, encryptedResource.Resource.Name.String, () => {
try {
return(QuickLZ.Decompress(encryptedResource.Decrypt()));
}
catch {
try {
return(DeobUtils.Inflate(encryptedResource.Decrypt(), true));
}
catch {
return(null);
}
}
});
return(encryptedResource.Resource);
}
public void Initialize()
{
if (decryptMethod == null)
{
return;
}
resource = FindResource(decryptMethod);
if (resource == null)
{
throw new ApplicationException("Could not find encrypted strings resource");
}
reader = MemoryImageStream.Create(DeobUtils.Inflate(resource.GetResourceData(), true));
switch (version)
{
case ConfuserVersion.v10_r42915:
case ConfuserVersion.v13_r55604_safe:
decrypter = new Decrypter_v10_r42915(this);
break;
case ConfuserVersion.v10_r48832:
decrypter = new Decrypter_v10_r48832(this);
break;
case ConfuserVersion.v11_r49299:
case ConfuserVersion.v14_r58802_dynamic:
decrypter = new Decrypter_v11_r49299(this);
break;
case ConfuserVersion.v14_r58802_safe:
decrypter = new Decrypter_v10_r42915(this, (int)key1);
break;
default:
throw new ApplicationException("Invalid version");
}
}
public ResourceInfo[] Read()
{
if (reader.ReadUInt32() != 0xBEEFCACE)
{
throw new InvalidDataException("Invalid magic");
}
if (reader.ReadUInt32() <= 0)
{
throw new InvalidDataException("Invalid number");
}
reader.ReadUInt32();
resourceReader = reader.ReadString();
if (Utils.StartsWith(resourceReader, "System.Resources.ResourceReader", StringComparison.Ordinal))
{
throw new InvalidDataException("Resource isn't encrypted");
}
resourceSet = reader.ReadString();
if (reader.ReadByte() != 1)
{
throw new ApplicationException("Invalid version");
}
int flags = reader.ReadByte();
if ((flags & 0xFC) != 0)
{
throw new ApplicationException("Invalid flags");
}
bool inflateData = (flags & 1) != 0;
bool encrypted = (flags & 2) != 0;
int numResources = reader.ReadInt32();
if (numResources < 0)
{
throw new ApplicationException("Invalid number of resources");
}
var infos = new ResourceInfo[numResources];
for (int i = 0; i < numResources; i++)
{
var resourceName = ReadResourceName(reader, encrypted);
int offset = reader.ReadInt32();
byte resourceFlags = reader.ReadByte();
int resourceLength = (resourceFlags & 0x80) == 0 ? -1 : reader.ReadInt32();
infos[i] = new ResourceInfo(resourceName, resourceFlags, offset, resourceLength);
}
var dataReader = reader;
if (encrypted)
{
var key = new uint[4];
key[0] = dataReader.ReadUInt32();
key[1] = dataReader.ReadUInt32();
int numDwords = dataReader.ReadInt32();
if (numDwords < 0 || numDwords >= 0x40000000)
{
throw new ApplicationException("Invalid number of encrypted dwords");
}
var encryptedData = new uint[numDwords];
for (int i = 0; i < numDwords; i++)
{
encryptedData[i] = dataReader.ReadUInt32();
}
key[2] = dataReader.ReadUInt32();
key[3] = dataReader.ReadUInt32();
DeobUtils.XxteaDecrypt(encryptedData, key);
byte[] decryptedData = new byte[encryptedData.Length * 4];
Buffer.BlockCopy(encryptedData, 0, decryptedData, 0, decryptedData.Length);
dataReader = MemoryImageStream.Create(decryptedData);
}
if (inflateData)
{
var data = dataReader.ReadRemainingBytes();
data = DeobUtils.Inflate(data, true);
dataReader = MemoryImageStream.Create(data);
}
foreach (var info in infos)
{
info.dataReader = dataReader;
}
return(infos);
}
IBinaryReader Inflate(int length)
{
var data = reader.ReadRemainingBytes();
return(MemoryImageStream.Create(DeobUtils.Inflate(data, true)));
}
byte[] Decompress(byte[] compressed) {
if (lzmaType != null)
return ConfuserUtils.SevenZipDecompress(compressed);
return DeobUtils.Inflate(compressed, true);
}
byte[] Decrypt(byte[] encrypted)
{
var keyGenerator = new PasswordDeriveBytes(resourcePassword, Encoding.ASCII.GetBytes(resourceSalt));
return(DeobUtils.Inflate(DeobUtils.AesDecrypt(encrypted, keyGenerator.GetBytes(32), keyGenerator.GetBytes(16)), false));
}
byte[] Decompress(byte[] compressedData)
{
// First dword is sig: 0x9B728BC7
// Second dword is decompressed length
return(DeobUtils.Inflate(compressedData, 8, compressedData.Length - 8, true));
}