public void Decrypt(ResourceDecrypter resourceDecrypter, ISimpleDeobfuscator simpleDeobfuscator) { if (decryptMethod == null) { return; } resource = CoUtils.GetResource(module, decrypterCctor); if (resource == null) { return; } var decrypted = resourceDecrypter.Decrypt(resource.GetResourceStream()); var reader = MemoryImageStream.Create(decrypted); int numEncrypted = reader.ReadInt32(); Logger.v("Restoring {0} encrypted methods", numEncrypted); Logger.Instance.Indent(); for (int i = 0; i < numEncrypted; i++) { int delegateTypeToken = reader.ReadInt32(); uint codeOffset = reader.ReadUInt32(); var origOffset = reader.Position; reader.Position = codeOffset; Decrypt(reader, delegateTypeToken, simpleDeobfuscator); reader.Position = origOffset; } Logger.Instance.DeIndent(); }
private static void SaveVersions(ModuleDefMD moduleDef, IEnumerable <VS_VERSIONINFO> versions) { var versionResourceName = new ResourceName(16); var resourceDirectory = moduleDef.MetaData.PEImage.Win32Resources.Root.FindDirectory(versionResourceName); if (resourceDirectory == null) { resourceDirectory = new ResourceDirectoryUser(versionResourceName); moduleDef.MetaData.PEImage.Win32Resources.Root.Directories.Add(resourceDirectory); } resourceDirectory.Directories.Clear(); foreach (var version in versions) { var resourceEntry = (ResourceDirectoryUser)resourceDirectory.FindDirectory(version.DirectoryName); if (resourceEntry == null) { resourceEntry = new ResourceDirectoryUser(version.DirectoryName); resourceDirectory.Directories.Add(resourceEntry); } using (var memoryStream = new MemoryStream()) { ResourceSerializer.Serialize(version, memoryStream); var versionEntry = new ResourceData(version.DataName, MemoryImageStream.Create(memoryStream.ToArray())); resourceEntry.Data.Add(versionEntry); } } }
public void PrepareEncryptNativeMethods(ModuleWriterBase moduleWriter) { if (methodToNativeMethod.Count == 0) { return; } validNativeMethods = new List <MethodDef>(methodToNativeMethod.Count); int len = 12; foreach (var kv in methodToNativeMethod) { if (kv.Key.DeclaringType == null) { continue; // Method was removed } if (kv.Key.DeclaringType.Module != module) { continue; // method.DeclaringType was removed } validNativeMethods.Add(kv.Key); len += 3 * 4 + kv.Value.Length; } if (validNativeMethods.Count == 0) { return; } len = (len & ~15) + 16; encryptedResource.Resource.Data = MemoryImageStream.Create(new byte[len]); }
//IDeobfuscatorContext deobfuscatorContext; public ImageReader(IDeobfuscatorContext deobfuscatorContext, ModuleDefMD module, byte[] data) { //this.deobfuscatorContext = deobfuscatorContext; this.module = module; this.reader = MemoryImageStream.Create(data); this.memberRefConverter = new MemberRefConverter(module); }
void Load(Resource obj) { if (obj == null) return; Add(obj.Offset); Add(obj.Name); Add(obj.Attributes); switch (obj.ResourceType) { case ResourceType.Embedded: var er = (EmbeddedResource)obj; // Make sure data is cached if (!(er.Data is MemoryImageStream)) er.Data = MemoryImageStream.Create(er.GetClonedResourceStream().ReadAllBytes()); break; case ResourceType.AssemblyLinked: var ar = (AssemblyLinkedResource)obj; Add(ar.Assembly); break; case ResourceType.Linked: var lr = (LinkedResource)obj; Add(lr.File); Add(lr.Hash); break; default: Debug.Fail("Unknown resource"); break; } }
static DecryptedMethodInfo[] ReadMethodInfos(byte[] data) { var toOffset = new Dictionary <DecryptedMethodInfo, int>(); var reader = MemoryImageStream.Create(data); int numMethods = (int)reader.Read7BitEncodedUInt32(); int totalCodeSize = (int)reader.Read7BitEncodedUInt32(); var methodInfos = new DecryptedMethodInfo[numMethods]; int offset = 0; for (int i = 0; i < numMethods; i++) { int id = (int)reader.Read7BitEncodedUInt32(); int size = (int)reader.Read7BitEncodedUInt32(); var info = new DecryptedMethodInfo(id, size); methodInfos[i] = info; toOffset[info] = offset; offset += size; } long dataOffset = reader.Position; foreach (var info in methodInfos) { reader.Position = dataOffset + toOffset[info]; reader.Read(info.data, 0, info.data.Length); } return(methodInfos); }
void decryptStrings(uint[] key) { var data = stringDataField.InitialValue; var encryptedData = new uint[data.Length / 4]; Buffer.BlockCopy(data, 0, encryptedData, 0, data.Length); DeobUtils.xxteaDecrypt(encryptedData, key); var decryptedData = new byte[data.Length]; Buffer.BlockCopy(encryptedData, 0, decryptedData, 0, data.Length); var inflated = DeobUtils.inflate(decryptedData, 0, decryptedData.Length, true); var reader = MemoryImageStream.Create(inflated); int deflatedLength = (int)reader.ReadCompressedUInt32(); int numStrings = (int)reader.ReadCompressedUInt32(); decryptedStrings = new string[numStrings]; var offsets = new int[numStrings]; for (int i = 0; i < numStrings; i++) { offsets[i] = (int)reader.ReadCompressedUInt32(); } int startOffset = (int)reader.Position; for (int i = 0; i < numStrings; i++) { reader.Position = startOffset + offsets[i]; decryptedStrings[i] = reader.ReadString(); } }
void Load(ResourceData obj) { if (obj == null) return; var data = obj.Data; if (data != null && !(data is MemoryImageStream)) obj.Data = MemoryImageStream.Create(data.ReadAllBytes()); }
public static void Erase(NativeModuleWriter writer, ModuleDefMD module) { if (writer == null || module == null) { return; } var sects = (IList)origSects.GetValue(writer); var sections = new List <Tuple <uint, uint, byte[]> >(); var s = new MemoryStream(); foreach (var origSect in sects) { var oldChunk = (BinaryReaderChunk)chunk.GetValue(origSect); var sectHdr = (ImageSectionHeader)peSection.GetValue(origSect); s.SetLength(0); oldChunk.WriteTo(new BinaryWriter(s)); var buf = s.ToArray(); var newChunk = new BinaryReaderChunk(MemoryImageStream.Create(buf), oldChunk.GetVirtualSize()); newChunk.SetOffset(oldChunk.FileOffset, oldChunk.RVA); chunk.SetValue(origSect, newChunk); sections.Add(Tuple.Create( sectHdr.PointerToRawData, sectHdr.PointerToRawData + sectHdr.SizeOfRawData, buf)); } var md = module.MetaData; var row = md.TablesStream.MethodTable.Rows; for (uint i = 1; i <= row; i++) { var method = md.TablesStream.ReadMethodRow(i); var codeType = ((MethodImplAttributes)method.ImplFlags & MethodImplAttributes.CodeTypeMask); if (codeType == MethodImplAttributes.IL) { Erase(sections, (uint)md.PEImage.ToFileOffset((RVA)method.RVA)); } } var res = md.ImageCor20Header.Resources; if (res.Size > 0) { Erase(sections, (uint)res.StartOffset, res.Size); } Erase(sections, md.ImageCor20Header); Erase(sections, md.MetaDataHeader); foreach (var stream in md.AllStreams) { Erase(sections, stream); } }
public static SymbolReader TryCreate(IMetaData metaData) { if (metaData == null) { return(null); } try { var peImage = metaData.PEImage; if (peImage == null) { return(null); } var embeddedDir = TryGetEmbeddedDebugDirectory(peImage); if (embeddedDir == null) { return(null); } using (var reader = peImage.CreateStream(embeddedDir.PointerToRawData, embeddedDir.SizeOfData)) { // "MPDB" = 0x4244504D if (reader.ReadUInt32() != 0x4244504D) { return(null); } uint uncompressedSize = reader.ReadUInt32(); // If this fails, see the (hopefully) updated spec: // https://github.com/dotnet/corefx/blob/master/src/System.Reflection.Metadata/specs/PE-COFF.md#embedded-portable-pdb-debug-directory-entry-type-17 bool newVersion = (uncompressedSize & 0x80000000) != 0; Debug.Assert(!newVersion); if (newVersion) { return(null); } var decompressedBytes = new byte[uncompressedSize]; using (var deflateStream = new DeflateStream(new MemoryStream(reader.ReadRemainingBytes()), CompressionMode.Decompress)) { int pos = 0; while (pos < decompressedBytes.Length) { int read = deflateStream.Read(decompressedBytes, pos, decompressedBytes.Length - pos); if (read == 0) { break; } pos += read; } if (pos != decompressedBytes.Length) { return(null); } var stream = MemoryImageStream.Create(decompressedBytes); return(TryCreate(stream, true)); } } } catch (IOException) { } return(null); }
public void PostRename(ConfuserContext context, INameService service, ProtectionParameters parameters, IDnlibDef def) { var module = def as ModuleDefMD; if (module == null) { return; } var wpfResInfo = context.Annotations.Get <Dictionary <string, Dictionary <string, BamlDocument> > >(module, BAMLKey); if (wpfResInfo == null) { return; } foreach (var res in module.Resources.OfType <EmbeddedResource>()) { Dictionary <string, BamlDocument> resInfo; if (!wpfResInfo.TryGetValue(res.Name, out resInfo)) { continue; } var stream = new MemoryStream(); var writer = new ResourceWriter(stream); res.Data.Position = 0; var reader = new ResourceReader(new ImageStream(res.Data)); var enumerator = reader.GetEnumerator(); while (enumerator.MoveNext()) { var name = (string)enumerator.Key; string typeName; byte[] data; reader.GetResourceData(name, out typeName, out data); BamlDocument document; if (resInfo.TryGetValue(name, out document)) { var docStream = new MemoryStream(); docStream.Position = 4; BamlWriter.WriteDocument(document, docStream); docStream.Position = 0; docStream.Write(BitConverter.GetBytes((int)docStream.Length - 4), 0, 4); data = docStream.ToArray(); name = document.DocumentName; } writer.AddResourceData(name, typeName, data); } writer.Generate(); res.Data = MemoryImageStream.Create(stream.ToArray()); } }
DumpedMethods CreateDumpedMethods(MyPEImage peImage, byte[] fileData, byte[] methodsData) { var dumpedMethods = new DumpedMethods(); var methodsDataReader = MemoryImageStream.Create(methodsData); var fileDataReader = MemoryImageStream.Create(fileData); var methodDef = peImage.MetaData.TablesStream.MethodTable; for (uint rid = 1; rid <= methodDef.Rows; rid++) { var dm = new DumpedMethod(); peImage.ReadMethodTableRowTo(dm, rid); if (dm.mdRVA == 0) { continue; } uint bodyOffset = peImage.RvaToOffset(dm.mdRVA); byte b = peImage.OffsetReadByte(bodyOffset); uint codeOffset; if ((b & 3) == 2) { if (b != 2) { continue; // not zero byte code size } dm.mhFlags = 2; dm.mhMaxStack = 8; dm.mhLocalVarSigTok = 0; codeOffset = bodyOffset + 1; } else { if (peImage.OffsetReadUInt32(bodyOffset + 4) != 0) { continue; // not zero byte code size } dm.mhFlags = peImage.OffsetReadUInt16(bodyOffset); dm.mhMaxStack = peImage.OffsetReadUInt16(bodyOffset + 2); dm.mhLocalVarSigTok = peImage.OffsetReadUInt32(bodyOffset + 8); codeOffset = bodyOffset + (uint)(dm.mhFlags >> 12) * 4; } fileDataReader.Position = codeOffset; if (!decrypter.Decrypt(fileDataReader, dm)) { continue; } dumpedMethods.Add(dm); } return(dumpedMethods); }
byte[] FindMethodsData(MyPEImage peImage, byte[] fileData) { var section = peImage.Sections[0]; var reader = MemoryImageStream.Create(fileData); const int RVA_EXECUTIVE_OFFSET = 1 * 4; const int ENC_CODE_OFFSET = 6 * 4; int lastOffset = Math.Min(fileData.Length, (int)(section.PointerToRawData + section.SizeOfRawData)); for (int offset = GetStartOffset(peImage); offset < lastOffset;) { offset = FindSig(fileData, offset, lastOffset, initializeMethodEnd); if (offset < 0) { return(null); } offset += initializeMethodEnd.Length; short retImm16 = BitConverter.ToInt16(fileData, offset); if (retImm16 != 0x0C && retImm16 != 0x10) { continue; } offset += 2; if (offset + ENC_CODE_OFFSET + 4 > lastOffset) { return(null); } // rva is 0 when the assembly has been embedded uint rva = BitConverter.ToUInt32(fileData, offset + RVA_EXECUTIVE_OFFSET); if (rva != 0 && mainType.Rvas.IndexOf(rva) < 0) { continue; } int relOffs = BitConverter.ToInt32(fileData, offset + ENC_CODE_OFFSET); if (relOffs <= 0 || relOffs >= section.SizeOfRawData) { continue; } reader.Position = section.PointerToRawData + relOffs; int size = (int)reader.ReadCompressedUInt32(); int endOffset = relOffs + size; if (endOffset < relOffs || endOffset > section.SizeOfRawData) { continue; } return(reader.ReadBytes(size)); } return(null); }
public static SymbolReader TryCreate(IMetaData metaData) { if (metaData == null) { return(null); } try { var peImage = metaData.PEImage; if (peImage == null) { return(null); } var embeddedDir = TryGetEmbeddedDebugDirectory(peImage); if (embeddedDir == null) { return(null); } using (var reader = peImage.CreateStream(embeddedDir.PointerToRawData, embeddedDir.SizeOfData)) { // "MPDB" = 0x4244504D if (reader.ReadUInt32() != 0x4244504D) { return(null); } uint uncompressedSize = reader.ReadUInt32(); if (uncompressedSize > int.MaxValue) { return(null); } var decompressedBytes = new byte[uncompressedSize]; using (var deflateStream = new DeflateStream(new MemoryStream(reader.ReadRemainingBytes()), CompressionMode.Decompress)) { int pos = 0; while (pos < decompressedBytes.Length) { int read = deflateStream.Read(decompressedBytes, pos, decompressedBytes.Length - pos); if (read == 0) { break; } pos += read; } if (pos != decompressedBytes.Length) { return(null); } var stream = MemoryImageStream.Create(decompressedBytes); return(TryCreate(stream, true)); } } } catch (IOException) { } return(null); }
static byte[] Decrypt(byte[] encrypted, uint key, Func <uint, int, byte> decryptFunc) { var reader = MemoryImageStream.Create(encrypted); var decrypted = new byte[reader.ReadInt32() ^ key]; for (int i = 0; i < decrypted.Length; i++) { uint magic = reader.Read7BitEncodedUInt32(); decrypted[i] = decryptFunc(magic, i); } return(decrypted); }
/// <summary> /// Creates a CIL method body or returns an empty one if <paramref name="code"/> is not /// a valid CIL method body. /// </summary> /// <param name="opResolver">The operand resolver</param> /// <param name="code">All code</param> /// <param name="exceptions">Exceptions or <c>null</c> if all exception handlers are in /// <paramref name="code"/></param> /// <param name="parameters">Method parameters</param> /// <param name="flags">Method header flags, eg. 2 if tiny method</param> /// <param name="maxStack">Max stack</param> /// <param name="codeSize">Code size</param> /// <param name="localVarSigTok">Local variable signature token or 0 if none</param> /// <param name="gpContext">Generic parameter context</param> public static CilBody CreateCilBody(IInstructionOperandResolver opResolver, byte[] code, byte[] exceptions, IList <Parameter> parameters, ushort flags, ushort maxStack, uint codeSize, uint localVarSigTok, GenericParamContext gpContext) { var codeReader = MemoryImageStream.Create(code); var ehReader = exceptions == null ? null : MemoryImageStream.Create(exceptions); var mbReader = new MethodBodyReader(opResolver, codeReader, ehReader, parameters, gpContext); mbReader.SetHeader(flags, maxStack, codeSize, localVarSigTok); if (!mbReader.Read()) { return(new CilBody()); } return(mbReader.CreateCilBody()); }
/// <summary> /// Reads custom debug info /// </summary> /// <param name="method">Method</param> /// <param name="body">The method's body. Needs to be provided by the caller since we're called from /// PDB-init code when the Body property hasn't been initialized yet</param> /// <param name="result">Place all custom debug info in this list</param> /// <param name="data">Custom debug info from the PDB file</param> public static void Read(MethodDef method, CilBody body, IList <PdbCustomDebugInfo> result, byte[] data) { try { using (var reader = new PdbCustomDebugInfoReader(method, body, MemoryImageStream.Create(data))) reader.Read(result); } catch (ArgumentException) { } catch (OutOfMemoryException) { } catch (IOException) { } }
static IBinaryReader CloneBlobReader(IBinaryReader reader) { if (reader == null) { return(null); } var imgStream = reader as IImageStream; if (imgStream != null) { return(imgStream.Clone()); } return(MemoryImageStream.Create(reader.ReadAllBytes())); }
public void Initialize() { if (info.dataField == null) { return; } FindOtherTypes(); var decompressed = DeobUtils.Inflate(info.dataField.InitialValue, true); reader = MemoryImageStream.Create(decompressed); info.dataField.FieldSig.Type = module.CorLibTypes.Byte; info.dataField.InitialValue = new byte[1]; info.dataField.RVA = 0; }
public static void Erase(NativeModuleWriter writer, ModuleDefMD module) { if (writer == null || module == null) { return; } List <Tuple <uint, uint, byte[]> > sections = new List <Tuple <uint, uint, byte[]> >(); MemoryStream s = new MemoryStream(); foreach (NativeModuleWriter.OrigSection origSect in writer.OrigSections) { var oldChunk = origSect.Chunk; ImageSectionHeader sectHdr = origSect.PESection; s.SetLength(0L); oldChunk.WriteTo(new BinaryWriter(s)); byte[] buf = s.ToArray(); var newChunk = new BinaryReaderChunk(MemoryImageStream.Create(buf), oldChunk.GetVirtualSize()); newChunk.SetOffset(oldChunk.FileOffset, oldChunk.RVA); origSect.Chunk = newChunk; sections.Add(Tuple.Create <uint, uint, byte[]>(sectHdr.PointerToRawData, sectHdr.PointerToRawData + sectHdr.SizeOfRawData, buf)); } var md = module.MetaData; uint row = md.TablesStream.MethodTable.Rows; for (uint i = 1u; i <= row; i += 1u) { RawMethodRow method = md.TablesStream.ReadMethodRow(i); if ((method.ImplFlags & 3) == 0) { Erase(sections, (uint)md.PEImage.ToFileOffset((RVA)method.RVA)); } } ImageDataDirectory res = md.ImageCor20Header.Resources; if (res.Size > 0u) { Erase(sections, (uint)res.StartOffset, res.Size); } Erase(sections, md.ImageCor20Header); Erase(sections, md.MetaDataHeader);// md.MetadataHeader); foreach (DotNetStream stream in md.AllStreams) { Erase(sections, stream); } }
private void SecondOption(object obj) { byte[] fieldValue = SuperDynamicReader.GetFieldValue <byte[]>(obj, "m_code"); bool flag = fieldValue == null; bool flag2 = flag; if (flag2) { throw new Exception("No code"); } this.codeSize = fieldValue.Length; MethodBase fieldValue2 = SuperDynamicReader.GetFieldValue <MethodBase>(obj, "m_method"); bool flag3 = fieldValue2 == null; bool flag4 = flag3; if (flag4) { throw new Exception("No method"); } this.maxStack = SuperDynamicReader.GetFieldValue <int>(obj, "m_maxStackSize"); object fieldValue3 = SuperDynamicReader.GetFieldValue <object>(obj, "m_scope"); bool flag5 = fieldValue3 == null; bool flag6 = flag5; if (flag6) { throw new Exception("No scope"); } IList fieldValue4 = SuperDynamicReader.GetFieldValue <IList>(fieldValue3, "m_tokens"); bool flag7 = fieldValue4 == null; bool flag8 = flag7; if (flag8) { throw new Exception("No tokens"); } this.tokens = new List <object>(fieldValue4.Count); for (int i = 0; i < fieldValue4.Count; i++) { this.tokens.Add(fieldValue4[i]); } this.ehHeader = SuperDynamicReader.GetFieldValue <byte[]>(obj, "m_exceptions"); this.UpdateLocals(SuperDynamicReader.GetFieldValue <byte[]>(obj, "m_localSignature")); this.reader = MemoryImageStream.Create(fieldValue); this.method = this.CreateMethodDef(fieldValue2); this.parameters = this.method.Parameters; }
/// <summary> /// Creates a new <see cref="ISymbolReader"/> instance /// </summary> /// <param name="mdStream">.NET metadata stream which is now owned by this method</param> /// <param name="pdbData">PDB file data</param> /// <returns>A new <see cref="ISymbolReader"/> instance or <c>null</c> if any of the COM /// methods fail.</returns> public static ISymbolReader Create(IImageStream mdStream, byte[] pdbData) { if (pdbData == null) { return(null); } try { return(Create(mdStream, MemoryImageStream.Create(pdbData))); } catch { if (mdStream != null) { mdStream.Dispose(); } throw; } }
byte[] DecryptResource(byte[] encrypted, Func <uint, byte> decryptFunc) { var key = GetSigKey(); byte[] decrypted = DecryptAndDecompress(encrypted, key); var reader = MemoryImageStream.Create(decrypted); var result = new MemoryStream(); var writer = new BinaryWriter(result); while (reader.Position < reader.Length) { uint magic = reader.Read7BitEncodedUInt32(); writer.Write(decryptFunc(magic)); } return(result.ToArray()); }
void SecondOption(object obj) { // this is entirely different from the one below var code = GetFieldValue <byte[]>(obj, "m_code"); if (code == null) { throw new Exception("No code"); } codeSize = code.Length; var delMethod = GetFieldValue <SR.MethodBase>(obj, "m_method"); if (delMethod == null) { throw new Exception("No method"); } maxStack = GetFieldValue <int>(obj, "m_maxStackSize"); var scope = GetFieldValue <object>(obj, "m_scope"); if (scope == null) { throw new Exception("No scope"); } var tokensList = GetFieldValue <System.Collections.IList>(scope, "m_tokens"); if (tokensList == null) { throw new Exception("No tokens"); } tokens = new List <object>(tokensList.Count); for (int i = 0; i < tokensList.Count; i++) { tokens.Add(tokensList[i]); } //ehInfos = (IList<object>)rslvExceptionsFieldInfo.Read(obj); ehHeader = GetFieldValue <byte[]>(obj, "m_exceptions"); UpdateLocals(GetFieldValue <byte[]>(obj, "m_localSignature")); this.reader = MemoryImageStream.Create(code); this.method = CreateMethodDef(delMethod); this.parameters = this.method.Parameters; return; }
public IResourceElementNode Create(ModuleDef module, ResourceElement resourceElement, ITreeNodeGroup treeNodeGroup) { if (resourceElement.ResourceData.Code != ResourceTypeCode.ByteArray && resourceElement.ResourceData.Code != ResourceTypeCode.Stream) { return(null); } var data = (byte[])((BuiltInResourceData)resourceElement.ResourceData).Data; var stream = MemoryImageStream.Create(data); if (!CouldBeImage(resourceElement.Name, stream)) { return(null); } return(new ImageResourceElementNode(treeNodeGroup, resourceElement)); }
public static IImageStream OpenImageStream(string fileName) { try { if (!File.Exists(fileName)) { return(null); } // Don't use memory mapped I/O return(MemoryImageStream.Create(File.ReadAllBytes(fileName))); } catch (IOException) { } catch (UnauthorizedAccessException) { } catch (SecurityException) { } return(null); }
byte[] DecryptConstant_v15_r60785_dynamic(DecrypterInfo info, byte[] encrypted, uint offs) { var instrs = info.decryptMethod.Body.Instructions; int startIndex = GetDynamicStartIndex_v15_r60785(instrs); int endIndex = GetDynamicEndIndex_v15_r60785(instrs, startIndex); if (endIndex < 0) { throw new ApplicationException("Could not find start/endIndex"); } var dataReader = MemoryImageStream.Create(encrypted); var decrypted = new byte[dataReader.ReadInt32()]; var constReader = new Arg64ConstantsReader(instrs, false); ConfuserUtils.DecryptCompressedInt32Data(constReader, startIndex, endIndex, dataReader, decrypted); return(decrypted); }
/// <summary> /// Creates a new <see cref="ISymbolReader"/> instance /// </summary> /// <param name="metaData">.NET metadata</param> /// <param name="pdbData">PDB file data</param> /// <returns>A new <see cref="ISymbolReader"/> instance or <c>null</c> if any of the COM /// methods fail.</returns> public static ISymbolReader Create(IMetaData metaData, byte[] pdbData) { if (pdbData == null) { return(null); } var mdStream = CreateMetaDataStream(metaData); try { return(Create(mdStream, MemoryImageStream.Create(pdbData))); } catch { if (mdStream != null) { mdStream.Dispose(); } throw; } }
IBinaryReader Decrypt(int length) { var block = new uint[4]; var decrypted = new byte[16]; var outStream = new MemoryStream(length); while (reader.Position < reader.Length) { block[0] = reader.ReadUInt32(); block[1] = reader.ReadUInt32(); block[2] = reader.ReadUInt32(); block[3] = reader.ReadUInt32(); DeobUtils.XxteaDecrypt(block, key); Buffer.BlockCopy(block, 0, decrypted, 0, decrypted.Length); outStream.Write(decrypted, 0, decrypted.Length); } return(MemoryImageStream.Create(outStream.ToArray())); }
DumpedMethods Decrypt_v17_r73404(MyPEImage peImage, byte[] fileData) { var dumpedMethods = new DumpedMethods(); var methodDef = peImage.MetaData.TablesStream.MethodTable; for (uint rid = 1; rid <= methodDef.Rows; rid++) { var dm = new DumpedMethod(); peImage.ReadMethodTableRowTo(dm, rid); if (dm.mdRVA == 0) { continue; } uint bodyOffset = peImage.RvaToOffset(dm.mdRVA); if (!IsEncryptedMethod(fileData, (int)bodyOffset)) { continue; } int key = BitConverter.ToInt32(fileData, (int)bodyOffset + 6); int mdOffs = BitConverter.ToInt32(fileData, (int)bodyOffset + 2) ^ key; int len = BitConverter.ToInt32(fileData, (int)bodyOffset + 11) ^ ~key; var codeData = DecryptMethodData_v17_r73404(methodsData, mdOffs + 2, (uint)key, len); var reader = MemoryImageStream.Create(codeData); var mbHeader = MethodBodyParser.ParseMethodBody(reader, out dm.code, out dm.extraSections); if (reader.Position != reader.Length) { throw new ApplicationException("Invalid method data"); } peImage.UpdateMethodHeaderInfo(dm, mbHeader); dumpedMethods.Add(dm); } return(dumpedMethods); }