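/// <summary>
/// Unpacks an MPRESS-packed module by LZMAT-decompressing the payload that is
/// located through the last PE section header.
/// </summary>
/// <param name="count">Pass index; only pass 0 is handled.</param>
/// <param name="newFileData">Receives the decompressed module bytes on success.</param>
/// <param name="dumpedMethods">Not touched by this method.</param>
/// <returns>
/// <c>true</c> when the payload was decompressed; <c>false</c> when this is not
/// the first pass or the packer version is <c>Version.Unknown</c>.
/// </returns>
/// <exception cref="ApplicationException">
/// The payload offset or declared size does not fit the file, LZMAT
/// decompression fails, or the version is not handled.
/// </exception>
public override bool getDecryptedModule(int count, ref byte[] newFileData, ref DumpedMethods dumpedMethods) {
    if (count != 0 || version == Version.Unknown) {
        return false;
    }

    byte[] fileData = ModuleBytes ?? DeobUtils.readModule(module);
    byte[] decompressed;
    using (var peImage = new MyPEImage(fileData)) {
        // Every offset and length below is read from the packed file, which is
        // untrusted input. Validate each value before using it as an index or
        // an allocation size, and fail with the same exception type the
        // decompression path already uses.
        if (peImage.Sections.Count == 0) {
            throw new ApplicationException("MPRESS image has no sections");
        }

        var section = peImage.Sections[peImage.Sections.Count - 1];
        var offset = section.PointerToRawData;
        offset += 16;

        byte[] compressed;
        int compressedLen;
        long available;
        switch (version) {
        case Version.V0x:
            // 64-bit arithmetic so an offset beyond the file shows up as a
            // negative length instead of wrapping through an int cast.
            available = (long)fileData.Length - (long)offset;
            if (available < 0) {
                throw new ApplicationException("MPRESS payload offset is outside the file");
            }
            compressedLen = (int)available;
            compressed = peImage.offsetReadBytes(offset, compressedLen);
            decompressed = Lzmat.decompress_old(compressed);
            if (decompressed == null) {
                throw new ApplicationException("LZMAT decompression failed");
            }
            break;

        case Version.V1x_217:
        case Version.V218:
            if (peImage.PEImage.ImageNTHeaders.FileHeader.Machine == Machine.AMD64 && version == Version.V218) {
                offset = section.PointerToRawData + section.VirtualSize;
            }

            // The payload is a 32-bit decompressed size followed by the
            // compressed bytes, which run to the end of the file.
            available = (long)fileData.Length - (long)offset - 4;
            if (available < 0) {
                throw new ApplicationException("MPRESS payload offset is outside the file");
            }

            // Reject a declared size that would turn negative when cast to int.
            // NOTE(review): any size up to int.MaxValue is still accepted, so
            // the allocation below is sized by the input file.
            long declaredLen = peImage.offsetReadUInt32(offset);
            if (declaredLen < 0 || declaredLen > int.MaxValue) {
                throw new ApplicationException("MPRESS decompressed size is invalid");
            }

            compressedLen = (int)available;
            compressed = peImage.offsetReadBytes(offset + 4, compressedLen);
            decompressed = new byte[(int)declaredLen];

            // NOTE(review): decompressedLen2 is not compared with the declared
            // size; confirm whether a short output should be rejected.
            uint decompressedLen2;
            if (Lzmat.decompress(decompressed, out decompressedLen2, compressed) != LzmatStatus.OK) {
                throw new ApplicationException("LZMAT decompression failed");
            }
            break;

        default:
            throw new ApplicationException("Unknown MPRESS version");
        }
    }

    newFileData = decompressed;
    return true;
}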
/// <summary>
/// Reads the module bytes and asks <c>methodsDecrypter</c> to decrypt them.
/// </summary>
/// <param name="count">Pass index; only pass 0 is handled.</param>
/// <param name="newFileData">Receives the processed buffer on success.</param>
/// <param name="dumpedMethods">Passed by reference to the methods decrypter.</param>
/// <returns><c>true</c> when the decrypter reported success; otherwise <c>false</c>.</returns>
public override bool getDecryptedModule(int count, ref byte[] newFileData, ref DumpedMethods dumpedMethods) {
    // Only the first pass does any work.
    if (count != 0) {
        return false;
    }
    if (!methodsDecrypter.Detected) {
        return false;
    }

    var image = DeobUtils.readModule(module);
    bool decrypted = methodsDecrypter.decrypt(image, ref dumpedMethods);
    if (decrypted) {
        // The same array is handed back, so decrypt() presumably edits it in place.
        newFileData = image;
    }
    return decrypted;
}
/// <summary>
/// Patches the module bytes through <c>decrypterType</c> when patching is needed.
/// </summary>
/// <param name="count">Pass index; only pass 0 is handled.</param>
/// <param name="newFileData">Receives the patched buffer on success.</param>
/// <param name="dumpedMethods">Not touched by this method.</param>
/// <returns><c>true</c> when the patch was applied; otherwise <c>false</c>.</returns>
public override bool getDecryptedModule(int count, ref byte[] newFileData, ref DumpedMethods dumpedMethods) {
    if (count != 0) {
        return false;
    }
    // needsPatching() is consulted only on the first pass.
    if (!needsPatching()) {
        return false;
    }

    // Prefer bytes that are already in memory over re-reading the module.
    var image = ModuleBytes ?? DeobUtils.readModule(module);
    bool patched = decrypterType.patch(image);
    if (patched) {
        newFileData = image;
    }
    return patched;
}
/// <summary>
/// Wraps the module bytes in a <c>PeImage</c> and patches it through
/// <c>decrypterType</c> when patching is needed.
/// </summary>
/// <param name="newFileData">Receives the patched buffer on success.</param>
/// <param name="dumpedMethods">Not touched by this method.</param>
/// <returns><c>true</c> when the patch was applied; otherwise <c>false</c>.</returns>
public override bool getDecryptedModule(ref byte[] newFileData, ref DumpedMethods dumpedMethods) {
    if (!needsPatching()) {
        return false;
    }

    var image = ModuleBytes ?? DeobUtils.readModule(module);
    // NOTE(review): this PeImage is never disposed; confirm it holds nothing
    // that needs releasing.
    var pe = new PeImage(image);
    bool patched = decrypterType.patch(pe);
    if (patched) {
        // The byte array, not the PeImage wrapper, is what gets returned.
        newFileData = image;
    }
    return patched;
}
/// <summary>
/// Decrypts the module's methods through <c>methodsDecrypter</c> when the
/// protection was detected.
/// </summary>
/// <param name="newFileData">Receives the processed buffer on success.</param>
/// <param name="dumpedMethods">Passed by reference to the methods decrypter.</param>
/// <returns><c>true</c> when the decrypter reported success; otherwise <c>false</c>.</returns>
bool decryptModule(ref byte[] newFileData, ref DumpedMethods dumpedMethods) {
    if (!methodsDecrypter.Detected) {
        return false;
    }

    byte[] image = ModuleBytes;
    if (image == null) {
        image = DeobUtils.readModule(module);
    }

    bool decrypted;
    using (var pe = new MyPEImage(image)) {
        decrypted = methodsDecrypter.decrypt(pe, ref dumpedMethods);
    }
    if (!decrypted) {
        return false;
    }

    newFileData = image;
    return true;
}
/// <summary>
/// Decrypts the module bytes with a <c>FileDecrypter</c> built from
/// <c>mainType</c> when that type was detected.
/// </summary>
/// <param name="newFileData">Receives the processed buffer on success.</param>
/// <param name="dumpedMethods">Passed by reference to the file decrypter.</param>
/// <returns><c>true</c> when the decrypter reported success; otherwise <c>false</c>.</returns>
public override bool getDecryptedModule(ref byte[] newFileData, ref DumpedMethods dumpedMethods) {
    if (!mainType.Detected) {
        return false;
    }

    // Construct the decrypter before reading the module, as the original does.
    var decrypter = new FileDecrypter(mainType);
    var image = DeobUtils.readModule(module);
    if (decrypter.decrypt(image, ref dumpedMethods)) {
        newFileData = image;
        return true;
    }
    return false;
}
/// <summary>
/// Decrypts the module's methods with a fresh <c>MethodsDecrypter</c> when the
/// <c>DecryptMethods</c> option is enabled.
/// </summary>
/// <param name="count">Pass index; only pass 0 is handled.</param>
/// <param name="newFileData">Receives the processed buffer on success.</param>
/// <param name="dumpedMethods">Passed by reference to the methods decrypter.</param>
/// <returns><c>true</c> when the decrypter reported success; otherwise <c>false</c>.</returns>
public override bool getDecryptedModule(int count, ref byte[] newFileData, ref DumpedMethods dumpedMethods) {
    if (count != 0) {
        return false;
    }
    if (!options.DecryptMethods) {
        return false;
    }

    byte[] image = ModuleBytes;
    if (image == null) {
        image = DeobUtils.readModule(module);
    }

    using (var pe = new MyPEImage(image)) {
        var decrypter = new MethodsDecrypter();
        bool decrypted = decrypter.decrypt(pe, module, cliSecureRtType, ref dumpedMethods);
        if (!decrypted) {
            // A failure is logged but not treated as an error.
            Logger.v("Methods aren't encrypted or invalid signature");
            return false;
        }
    }

    newFileData = image;
    return true;
}
/// <summary>
/// Decrypts the module's methods with a fresh <c>MethodsDecrypter</c> when the
/// <c>DecryptMethods</c> option is enabled.
/// </summary>
/// <param name="newFileData">Receives the processed buffer on success.</param>
/// <param name="dumpedMethods">Passed by reference to the methods decrypter.</param>
/// <returns><c>true</c> when the decrypter reported success; otherwise <c>false</c>.</returns>
public override bool getDecryptedModule(ref byte[] newFileData, ref DumpedMethods dumpedMethods) {
    if (!options.DecryptMethods) {
        return false;
    }

    byte[] image = DeobUtils.readModule(module);
    // NOTE(review): this PeImage is never disposed; confirm it holds nothing
    // that needs releasing.
    var pe = new PeImage(image);
    var decrypter = new MethodsDecrypter();
    bool decrypted = decrypter.decrypt(pe, module.FullyQualifiedName, cliSecureRtType, ref dumpedMethods);
    if (!decrypted) {
        // A failure is logged but not treated as an error.
        Log.v("Methods aren't encrypted or invalid signature");
        return false;
    }

    newFileData = image;
    return true;
}
/// <summary>
/// Builds a <c>DecrypterInfo</c> from the module bytes and uses it to decrypt
/// the module's methods.
/// </summary>
/// <param name="count">Pass index; only pass 0 is handled.</param>
/// <param name="newFileData">Receives the processed buffer on success.</param>
/// <param name="dumpedMethods">Passed by reference to the methods decrypter.</param>
/// <returns><c>true</c> when the decrypter reported success; otherwise <c>false</c>.</returns>
public override bool getDecryptedModule(int count, ref byte[] newFileData, ref DumpedMethods dumpedMethods) {
    if (count != 0) {
        return false;
    }
    if (!mainType.Detected) {
        return false;
    }

    var image = DeobUtils.readModule(module);

    // decrypterInfo is not declared locally, so it stays set after this call
    // whether or not decryption succeeds.
    decrypterInfo = new DecrypterInfo(mainType, image);

    var decrypter = new MethodsDecrypter(decrypterInfo);
    if (decrypter.decrypt(ref dumpedMethods)) {
        newFileData = image;
        return true;
    }
    return false;
}
/// <summary>
/// Decrypts the module's methods and, when <c>DumpNativeMethods</c> is set,
/// writes the collected native code to a <c>.native</c> file next to the module.
/// </summary>
/// <param name="count">Pass index; only pass 0 is handled.</param>
/// <param name="newFileData">Receives the processed buffer on success.</param>
/// <param name="dumpedMethods">Passed by reference to the methods decrypter.</param>
/// <returns><c>true</c> when the decrypter reported success; otherwise <c>false</c>.</returns>
public override bool getDecryptedModule(int count, ref byte[] newFileData, ref DumpedMethods dumpedMethods) {
    if (count != 0) {
        return false;
    }

    // fileData and peImage are not declared locally; both are assigned before
    // the option check, so they are set even when method decryption is off.
    fileData = ModuleBytes ?? DeobUtils.readModule(module);
    peImage = new PeImage(fileData);

    if (!options.DecryptMethods) {
        return false;
    }

    var nativeCodeByToken = new Dictionary<uint, byte[]>();
    bool decrypted = methodsDecrypter.decrypt(peImage, DeobfuscatedFile, ref dumpedMethods, nativeCodeByToken);
    if (!decrypted) {
        return false;
    }

    if (options.DumpNativeMethods) {
        // FileMode.Create overwrites an existing file at this path. The path is
        // derived from the input module's own location.
        string dumpPath = module.FullyQualifiedName + ".native";
        using (var output = new FileStream(dumpPath, FileMode.Create, FileAccess.Write, FileShare.Read)) {
            var orderedTokens = new List<uint>(nativeCodeByToken.Keys);
            orderedTokens.Sort();

            var padding = new byte[] { 0x90, 0x90, 0x90, 0x90 };
            var writer = new BinaryWriter(output);
            for (int i = 0; i < orderedTokens.Count; i++) {
                uint token = orderedTokens[i];
                // Record layout: byte 0xB8, the 32-bit token, the native code,
                // then four 0x90 bytes. 0xB8 and 0x90 are the x86 encodings of
                // "mov eax, imm32" and "nop", so each record presumably
                // disassembles with the token as a visible marker.
                writer.Write((byte)0xB8);
                writer.Write(token);
                writer.Write(nativeCodeByToken[token]);
                writer.Write(padding);
            }
        }
    }

    newFileData = fileData;
    return true;
}
/// <summary>
/// Decrypts the module's methods through <c>methodsDecrypter</c> when the
/// <c>DecryptMethods</c> option is enabled.
/// </summary>
/// <param name="count">Pass index; only pass 0 is handled.</param>
/// <param name="newFileData">Receives the processed buffer on success.</param>
/// <param name="dumpedMethods">Passed by reference to the methods decrypter.</param>
/// <returns><c>true</c> when the decrypter reported success; otherwise <c>false</c>.</returns>
public override bool getDecryptedModule(int count, ref byte[] newFileData, ref DumpedMethods dumpedMethods) {
    if (count != 0) {
        return false;
    }

    // fileData and peImage are not declared locally; both are assigned before
    // the option check, so they are set even when method decryption is off.
    // This method does not dispose peImage.
    fileData = ModuleBytes ?? DeobUtils.readModule(module);
    peImage = new MyPEImage(fileData);

    if (!options.DecryptMethods) {
        return false;
    }

    // The map is filled by decrypt() but is not read again in this method.
    var nativeCodeByToken = new Dictionary<uint, byte[]>();
    bool decrypted = methodsDecrypter.decrypt(peImage, DeobfuscatedFile, ref dumpedMethods, nativeCodeByToken, unpackedNativeFile);
    if (decrypted) {
        newFileData = fileData;
    }
    return decrypted;
}