Example #1
        /// <summary>
        /// Runs <c>MethodsDecrypter.Detect</c> over a PE view of the module and records the outcome in <c>foundSig</c>.
        /// </summary>
        /// <param name="moduleBytes">Raw module bytes to inspect; when null, the bytes come from <c>DeobUtils.ReadModule(module)</c>.</param>
        /// <returns>The detection result that was stored in <c>foundSig</c>.</returns>
        bool FindNativeCode(byte[] moduleBytes)
        {
            byte[] image = moduleBytes ?? DeobUtils.ReadModule(module);

            using (var peImage = new MyPEImage(image))
            {
                bool detected = MethodsDecrypter.Detect(peImage);
                foundSig = detected;
                return detected;
            }
        }
Example #2
 /// <summary>
 /// Returns the module's raw bytes, reading them through <c>DeobUtils.ReadModule(Module)</c> on first use
 /// and keeping the result in <c>ModuleBytes</c> for later calls.
 /// </summary>
 /// <returns>The cached or freshly read module bytes.</returns>
 byte[] GetFileData()
 {
     byte[] cached = ModuleBytes;
     if (cached == null)
     {
         // First request: read once and remember the buffer.
         cached      = DeobUtils.ReadModule(Module);
         ModuleBytes = cached;
     }
     return cached;
 }
Example #3
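        /// <summary>
        /// Unpacks the MPRESS-compressed payload that follows the last PE section header data and
        /// hands the decompressed bytes back as the new module image.
        /// </summary>
        /// <remarks>
        /// The file being unpacked is untrusted input. The section offsets and the declared
        /// decompressed length are read directly from it, so each one is range-checked against the
        /// file size before it is used as a read offset, a read length or an allocation size.
        /// </remarks>
        /// <param name="count">Only a value of 0 does any work; any other value returns false.</param>
        /// <param name="newFileData">Receives the decompressed module bytes when the method returns true; untouched otherwise.</param>
        /// <param name="dumpedMethods">Not used by this implementation.</param>
        /// <returns>True when a payload was decompressed; false when <paramref name="count"/> is non-zero or the version is unknown.</returns>
        /// <exception cref="ApplicationException">
        /// The PE layout is inconsistent with the file size, LZMAT decompression fails, or the version is not handled.
        /// </exception>
        public override bool GetDecryptedModule(int count, ref byte[] newFileData, ref DumpedMethods dumpedMethods)
        {
            if (count != 0 || version == Version.Unknown)
            {
                return(false);
            }

            byte[] fileData = ModuleBytes ?? DeobUtils.ReadModule(Module);
            byte[] decompressed;
            using (var peImage = new MyPEImage(fileData)) {
                // A crafted image can declare zero sections; indexing Count - 1 would then throw an unrelated exception.
                if (peImage.Sections.Count == 0)
                {
                    throw new ApplicationException("MPRESS image has no sections");
                }

                var section = peImage.Sections[peImage.Sections.Count - 1];
                var offset  = section.PointerToRawData;
                offset += 16;
                // Same position in 64-bit arithmetic, so a wrapped or past-end-of-file value is detected below
                // instead of silently turning into a negative or oversized length.
                long payloadStart = (long)section.PointerToRawData + 16;

                byte[] compressed;
                long   remaining;
                int    compressedLen;
                switch (version)
                {
                case Version.V0x:
                    remaining = fileData.Length - payloadStart;
                    if (remaining < 0)
                    {
                        throw new ApplicationException("MPRESS payload offset is outside the file");
                    }
                    compressedLen = (int)remaining;
                    compressed    = peImage.OffsetReadBytes(offset, compressedLen);
                    decompressed  = Lzmat.DecompressOld(compressed);
                    if (decompressed == null)
                    {
                        throw new ApplicationException("LZMAT decompression failed");
                    }
                    break;

                case Version.V1x_217:
                case Version.V218:
                    if (peImage.PEImage.ImageNTHeaders.FileHeader.Machine == Machine.AMD64 && version == Version.V218)
                    {
                        offset       = section.PointerToRawData + section.VirtualSize;
                        payloadStart = (long)section.PointerToRawData + (long)section.VirtualSize;
                    }

                    // The 4-byte length prefix must fit inside the file before anything is read.
                    remaining = fileData.Length - payloadStart - 4;
                    if (remaining < 0)
                    {
                        throw new ApplicationException("MPRESS payload offset is outside the file");
                    }

                    // The declared output size comes from the file; refuse values that cannot be an array length.
                    // NOTE(review): sizes up to int.MaxValue are still accepted. If this runs unattended on hostile
                    // samples, a policy cap on the allocation may be worth adding.
                    var declaredLen = peImage.OffsetReadUInt32(offset);
                    if (declaredLen > int.MaxValue)
                    {
                        throw new ApplicationException("MPRESS decompressed length is out of range");
                    }
                    int decompressedLen = (int)declaredLen;

                    compressedLen = (int)remaining;
                    compressed    = peImage.OffsetReadBytes(offset + 4, compressedLen);
                    decompressed  = new byte[decompressedLen];
                    // NOTE(review): decompressedLen2 (the length actually produced) is not compared with
                    // decompressedLen; confirm whether a short output should be treated as a failure.
                    uint decompressedLen2;
                    if (Lzmat.Decompress(decompressed, out decompressedLen2, compressed) != LzmatStatus.OK)
                    {
                        throw new ApplicationException("LZMAT decompression failed");
                    }
                    break;

                default:
                    throw new ApplicationException("Unknown MPRESS version");
                }
            }

            newFileData = decompressed;
            return(true);
        }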
Example #4
        /// <summary>
        /// Patches the module bytes through <c>decrypterType.Patch</c> and returns the patched buffer.
        /// </summary>
        /// <param name="count">Only a value of 0 does any work; any other value returns false.</param>
        /// <param name="newFileData">Receives the patched bytes when the method returns true; untouched otherwise.</param>
        /// <param name="dumpedMethods">Not used by this implementation.</param>
        /// <returns>True when patching was needed and succeeded; false otherwise.</returns>
        public override bool GetDecryptedModule(int count, ref byte[] newFileData, ref DumpedMethods dumpedMethods)
        {
            // count is tested first so NeedsPatching() is not called on later passes.
            if (count == 0 && NeedsPatching())
            {
                // NOTE(review): when ModuleBytes is non-null, Patch receives that same buffer rather than a copy;
                // confirm that is intended.
                var image = ModuleBytes ?? DeobUtils.ReadModule(module);

                if (decrypterType.Patch(image))
                {
                    newFileData = image;
                    return true;
                }
            }

            return false;
        }
Example #5
        /// <summary>
        /// Reads the module from disk and lets <c>methodsDecrypter</c> decrypt its methods.
        /// </summary>
        /// <param name="count">Only a value of 0 does any work; any other value returns false.</param>
        /// <param name="newFileData">Receives the module bytes passed to the decrypter when the method returns true.</param>
        /// <param name="dumpedMethods">Passed by reference to <c>methodsDecrypter.Decrypt</c>.</param>
        /// <returns>True when the decrypter was detected and <c>Decrypt</c> succeeded; false otherwise.</returns>
        public override bool GetDecryptedModule(int count, ref byte[] newFileData, ref DumpedMethods dumpedMethods)
        {
            bool shouldRun = count == 0 && methodsDecrypter.Detected;
            if (!shouldRun)
            {
                return false;
            }

            var image = DeobUtils.ReadModule(module);

            bool decrypted = methodsDecrypter.Decrypt(image, ref dumpedMethods);
            if (decrypted)
            {
                newFileData = image;
            }

            return decrypted;
        }
Example #6
        /// <summary>
        /// Decrypts the module's methods through <c>methodsDecrypter</c>, working on a PE view of the module bytes.
        /// </summary>
        /// <param name="newFileData">Receives the module bytes when the method returns true; untouched otherwise.</param>
        /// <param name="dumpedMethods">Passed by reference to <c>methodsDecrypter.Decrypt</c>.</param>
        /// <returns>True when the decrypter was detected and <c>Decrypt</c> succeeded; false otherwise.</returns>
        bool DecryptModule(ref byte[] newFileData, ref DumpedMethods dumpedMethods)
        {
            if (methodsDecrypter.Detected)
            {
                byte[] image = ModuleBytes ?? DeobUtils.ReadModule(module);

                bool decrypted;
                using (var peImage = new MyPEImage(image))
                {
                    decrypted = methodsDecrypter.Decrypt(peImage, ref dumpedMethods);
                }

                // The PE view is disposed before the buffer is handed back.
                if (decrypted)
                {
                    newFileData = image;
                    return true;
                }
            }

            return false;
        }
Example #7
        /// <summary>
        /// Decrypts the module's methods with a fresh <c>MethodsDecrypter</c> when method decryption is enabled.
        /// </summary>
        /// <param name="count">Only a value of 0 does any work; any other value returns false.</param>
        /// <param name="newFileData">Receives the module bytes when the method returns true; untouched otherwise.</param>
        /// <param name="dumpedMethods">Passed by reference to <c>MethodsDecrypter.Decrypt</c>.</param>
        /// <returns>
        /// True when decryption succeeded; false when <paramref name="count"/> is non-zero,
        /// <c>options.DecryptMethods</c> is off, or <c>Decrypt</c> reports failure.
        /// </returns>
        public override bool GetDecryptedModule(int count, ref byte[] newFileData, ref DumpedMethods dumpedMethods)
        {
            if (count != 0)
            {
                return false;
            }
            if (!options.DecryptMethods)
            {
                return false;
            }

            byte[] image = ModuleBytes ?? DeobUtils.ReadModule(Module);
            using (var peImage = new MyPEImage(image))
            {
                var decrypter = new MethodsDecrypter();
                bool decrypted = decrypter.Decrypt(peImage, Module, cliSecureRtType, ref dumpedMethods);
                if (!decrypted)
                {
                    // Logged while the PE view is still open, then the view is disposed on the way out.
                    Logger.v("Methods aren't encrypted or invalid signature");
                    return false;
                }
            }

            newFileData = image;
            return true;
        }
Example #8
        /// <summary>
        /// Reads the module from disk, builds a <c>DecrypterInfo</c> for it and decrypts its methods.
        /// </summary>
        /// <param name="count">Only a value of 0 does any work; any other value returns false.</param>
        /// <param name="newFileData">Receives the module bytes when the method returns true; untouched otherwise.</param>
        /// <param name="dumpedMethods">Passed by reference to <c>MethodsDecrypter.Decrypt</c>.</param>
        /// <returns>True when <c>mainType</c> was detected and decryption succeeded; false otherwise.</returns>
        public override bool GetDecryptedModule(int count, ref byte[] newFileData, ref DumpedMethods dumpedMethods)
        {
            if (count == 0 && mainType.Detected)
            {
                var image = DeobUtils.ReadModule(module);

                // decrypterInfo is stored on the instance before decryption is attempted,
                // so it stays set even when Decrypt fails.
                decrypterInfo = new DecrypterInfo(mainType, image);

                if (new MethodsDecrypter(module, decrypterInfo).Decrypt(ref dumpedMethods))
                {
                    newFileData = image;
                    return true;
                }
            }

            return false;
        }
Example #9
            /// <summary>
            /// Builds the helper objects used by this deobfuscator and runs their <c>Find</c> steps over the module.
            /// </summary>
            /// <remarks>
            /// The statement order matters: later helpers are constructed from results of earlier ones
            /// (<c>_lzmaFinder.Method</c>, <c>_nativeEmulator</c>).
            /// </remarks>
            protected override void ScanForObfuscator()
            {
                // The emulator is built from the module's raw bytes, which come from the file under analysis.
                // NOTE(review): that file is untrusted; confirm what bounds x86Emulator enforces — not visible here.
                _nativeEmulator = new x86Emulator(DeobUtils.ReadModule(module));

                _controlFlowFixer = new ControlFlowFixer(_nativeEmulator);
                _lzmaFinder       = new LzmaFinder(module, DeobfuscatedFile);
                _lzmaFinder.Find();

                // Both decrypters are constructed with _lzmaFinder.Method whether or not Find() located anything.
                _constantDecrypter = new ConstantsDecrypter(module, _lzmaFinder.Method, DeobfuscatedFile, _nativeEmulator);
                _resourceDecrypter = new ResourceDecrypter(module, _lzmaFinder.Method, DeobfuscatedFile);

                // Their Find() steps only run when the LZMA routine was located.
                if (_lzmaFinder.FoundLzma)
                {
                    _constantDecrypter.Find();
                    _resourceDecrypter.Find();
                }

                _proxyCallFixer = new ProxyCallFixer(module, DeobfuscatedFile, _nativeEmulator);
                _proxyCallFixer.FindDelegateCreatorMethod();
                _proxyCallFixer.Find();

                DetectConfuserExAttribute();
            }
Example #10
        /// <summary>
        /// Loads the module bytes and a PE view of them into the <c>fileData</c> and <c>peImage</c> members,
        /// then decrypts the module's methods when method decryption is enabled.
        /// </summary>
        /// <param name="count">Only a value of 0 does any work; any other value returns false.</param>
        /// <param name="newFileData">Receives <c>fileData</c> when the method returns true; untouched otherwise.</param>
        /// <param name="dumpedMethods">Passed by reference to <c>methodsDecrypter.Decrypt</c>.</param>
        /// <returns>True when decryption was enabled and succeeded; false otherwise.</returns>
        public override bool GetDecryptedModule(int count, ref byte[] newFileData, ref DumpedMethods dumpedMethods)
        {
            if (count != 0)
            {
                return false;
            }

            // These members are populated even when DecryptMethods is off.
            // NOTE(review): peImage is not disposed in this method; confirm its owner disposes it.
            fileData = ModuleBytes ?? DeobUtils.ReadModule(Module);
            peImage  = new MyPEImage(fileData);

            if (options.DecryptMethods)
            {
                var nativeCodeByToken = new Dictionary<uint, byte[]>();

                bool decrypted = methodsDecrypter.Decrypt(peImage, DeobfuscatedFile, ref dumpedMethods, nativeCodeByToken, unpackedNativeFile);
                if (decrypted)
                {
                    newFileData = fileData;
                    return true;
                }
            }

            return false;
        }