byte[] DecryptResource_v18_r75367_normal(byte[] encrypted) { var key = GetSigKey(); var decrypted = ConfuserUtils.Decrypt(BitConverter.ToUInt32(key, 12) * (uint)key0, encrypted); return(Decompress(DeobUtils.AesDecrypt(decrypted, key, DeobUtils.Md5Sum(key)))); }
byte[] DecryptAndDecompress(byte[] encrypted, byte[] key) { byte[] iv = DeobUtils.Md5Sum(key); try { return(Decompress(DeobUtils.AesDecrypt(encrypted, key, iv))); } catch { return(DeobUtils.AesDecrypt(Decompress(encrypted), key, iv)); } }
byte[] DecryptMethodsData_v14_r57884(MyPEImage peImage, bool hasStrongNameInfo) { var reader = peImage.Reader; reader.Position = 0; var md5SumData = reader.ReadBytes((int)peImage.OptionalHeader.CheckSum ^ (int)key0); int csOffs = (int)peImage.OptionalHeader.StartOffset + 0x40; Array.Clear(md5SumData, csOffs, 4); /*var md5Sum =*/ DeobUtils.Md5Sum(md5SumData); ulong checkSum = reader.ReadUInt64() ^ lkey0; if (hasStrongNameInfo) { int sn = reader.ReadInt32(); int snLen = reader.ReadInt32(); if (sn != 0) { if (peImage.RvaToOffset((uint)peImage.Cor20Header.StrongNameSignature.VirtualAddress) != sn || peImage.Cor20Header.StrongNameSignature.Size != snLen) { throw new ApplicationException("Invalid sn and snLen"); } Array.Clear(md5SumData, sn, snLen); } } if (checkSum != CalcChecksum(md5SumData)) { throw new ApplicationException("Invalid checksum. File has been modified."); } var iv = reader.ReadBytes(reader.ReadInt32() ^ (int)key2); var encrypted = reader.ReadBytes(reader.ReadInt32() ^ (int)key3); var decrypted = Decrypt(encrypted, iv, md5SumData); if (BitConverter.ToInt16(decrypted, 0) != 0x6FD6) { throw new ApplicationException("Invalid magic"); } return(decrypted); }
protected static ulong CalcChecksum(byte[] data) { var sum = DeobUtils.Md5Sum(data); return(BitConverter.ToUInt64(sum, 0) ^ BitConverter.ToUInt64(sum, 8)); }