/// <summary>
/// Gets the SteamStub header size from the given file.
/// </summary>
/// <param name="f"></param>
/// <returns></returns>
private uint GetHeaderSize(Pe64File f)
{
// Obtain the bind section data..
var bind = f.GetSectionData(".bind");
// Attempt to locate the known v3.x signature..
var varient = Pe64Helpers.FindPattern(bind, "E8 00 00 00 00 50 53 51 52 56 57 55 41 50");
if (varient == 0)
{
return(0);
}
// Attempt to determine the varient version..
var offset = Pe64Helpers.FindPattern(bind, "48 8D 91 ?? ?? ?? ?? 48"); // 3.0
if (offset == 0)
{
offset = Pe64Helpers.FindPattern(bind, "48 8D 91 ?? ?? ?? ?? 41"); // 3.1
}
// Ensure a pattern was found..
if (offset == 0)
{
return(0);
}
// Read the header size.. (The header size is only 32bit!)
return((uint)Math.Abs(BitConverter.ToInt32(bind, (int)offset + 3)));
}
/// <summary>
/// Step #1
///
/// Read, decode and validate the SteamStub DRM header.
/// </summary>
/// <returns></returns>
private bool Step1()
{
// Obtain the header size..
var headerSize = this.GetHeaderSize(this.File);
// Obtain the DRM header data..
var fileOffset = this.File.GetFileOffsetFromRva(this.File.NtHeaders.OptionalHeader.AddressOfEntryPoint);
var headerData = new byte[headerSize];
Array.Copy(this.File.FileData, (long)(fileOffset - headerSize), headerData, 0, headerSize);
// Xor decode the header data..
this.XorKey = SteamStubHelpers.SteamXor(ref headerData, headerSize);
this.StubHeader = Pe64Helpers.GetStructure <SteamStub64Var30Header>(headerData);
// Validate the structure signature..
if (this.StubHeader.Signature == 0xC0DEC0DE)
{
return(true);
}
// Try again using the Tls callback (if any) as the OEP instead..
if (this.File.TlsCallbacks.Count == 0)
{
return(false);
}
// Obtain the DRM header data..
fileOffset = this.File.GetRvaFromVa(this.File.TlsCallbacks[0]);
fileOffset = this.File.GetFileOffsetFromRva(fileOffset);
headerData = new byte[headerSize];
Array.Copy(this.File.FileData, (long)(fileOffset - headerSize), headerData, 0, headerSize);
// Xor decode the header data..
this.XorKey = SteamStubHelpers.SteamXor(ref headerData, headerSize);
this.StubHeader = Pe64Helpers.GetStructure <SteamStub64Var30Header>(headerData);
// Validate the structure signature..
if (this.StubHeader.Signature != 0xC0DEC0DE)
{
return(false);
}
// Tls was valid for the real oep..
this.TlsAsOep = true;
this.TlsOepRva = this.File.GetRvaFromVa(this.File.TlsCallbacks[0]);
// Is the TlsCallback replacing the OEP..
if (this.StubHeader.HasTlsCallback != 1 || this.File.TlsCallbacks[0] == 0)
{
return(true);
}
// Rebuild the file Tls callback information..
return(this.RebuildTlsCallbackInformation());
}
/// <summary>
/// Processing function called when a file is being unpacked. Allows plugins to check the file
/// and see if it can handle the file for its intended purpose.
/// </summary>
/// <param name="file"></param>
/// <returns></returns>
public override bool CanProcessFile(string file)
{
try
{
// Load the file..
var f = new Pe64File(file);
if (!f.Parse() || !f.IsFile64Bit() || !f.HasSection(".bind"))
{
return(false);
}
// Obtain the bind section data..
var bind = f.GetSectionData(".bind");
// Attempt to locate the known v3.x signature..
var varient = Pe64Helpers.FindPattern(bind, "E8 00 00 00 00 50 53 51 52 56 57 55 41 50");
if (varient == 0)
{
return(false);
}
// Attempt to determine the varient version..
var offset = Pe64Helpers.FindPattern(bind, "48 8D 91 ?? ?? ?? ?? 48"); // 3.0
if (offset == 0)
{
offset = Pe64Helpers.FindPattern(bind, "48 8D 91 ?? ?? ?? ?? 41"); // 3.1
}
if (offset == 0)
{
offset = Pe64Helpers.FindPattern(bind, "48 C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? 48"); // 3.1.2
if (offset > 0)
{
offset += 5;
}
}
// Ensure a pattern was found..
if (offset == 0)
{
return(false);
}
// Read the header size.. (The header size is only 32bit!)
var headerSize = Math.Abs(BitConverter.ToInt32(bind, (int)offset + 3));
// Check for the known 3.1 header size..
return(headerSize == 0xF0);
}
catch
{
return(false);
}
}
/// <summary>
/// Step #7
///
/// Recalculate the file checksum.
/// </summary>
/// <returns></returns>
private bool Step7()
{
var unpackedPath = this.File.FilePath + ".unpacked.exe";
if (!Pe64Helpers.UpdateFileChecksum(unpackedPath))
{
this.Log(" --> Error trying to recalculate unpacked file checksum!", LogMessageType.Error);
return(false);
}
this.Log(" --> Unpacked file updated with new checksum!", LogMessageType.Success);
return(true);
}
/// <summary>
/// Rebuilds the file TlsCallback information and repairs the proper OEP.
/// </summary>
/// <returns></returns>
private bool RebuildTlsCallbackInformation()
{
// Ensure the modified main TlsCallback is within the .bind section..
var section = this.File.GetOwnerSection(this.File.GetRvaFromVa(this.File.TlsCallbacks[0]));
if (!section.IsValid || string.Compare(section.SectionName, ".bind", System.Globalization.CultureInfo.InvariantCulture, System.Globalization.CompareOptions.IgnoreCase) != 0)
{
return(false);
}
// Obtain the section that holds the Tls directory information..
var addr = this.File.GetFileOffsetFromRva(this.File.GetRvaFromVa(this.File.TlsDirectory.AddressOfCallBacks));
var tlsd = this.File.GetOwnerSection(addr);
if (!tlsd.IsValid)
{
return(false);
}
addr -= tlsd.PointerToRawData;
// Restore the true original TlsCallback address..
var callback = BitConverter.GetBytes(this.File.NtHeaders.OptionalHeader.ImageBase + this.StubHeader.OriginalEntryPoint);
Array.Copy(callback, 0, this.File.GetSectionData(this.File.GetSectionIndex(tlsd)), (int)addr, callback.Length);
// Find the original entry point function..
var entry = this.File.GetFileOffsetFromRva(this.File.NtHeaders.OptionalHeader.AddressOfEntryPoint);
var data = this.File.FileData.Skip((int)entry).Take(0x100).ToArray();
// Find the XOR key from within the function..
var res = Pe64Helpers.FindPattern(data, "48 81 EA ?? ?? ?? ?? 8B 12 81 F2");
if (res == -1)
{
return(false);
}
// Decrypt and recalculate the true OEP address..
var key = (ulong)(this.StubHeader.XorKey ^ BitConverter.ToInt32(data, (int)res + 0x0B));
var off = (ulong)((this.File.NtHeaders.OptionalHeader.ImageBase + this.File.NtHeaders.OptionalHeader.AddressOfEntryPoint) + key);
// Store the proper OEP..
this.TlsOepOverride = (uint)(off - this.File.NtHeaders.OptionalHeader.ImageBase);
return(true);
}
/// <summary>
/// Step #1
///
/// Read, decode and validate the SteamStub DRM header.
/// </summary>
/// <returns></returns>
private bool Step1()
{
// Obtain the DRM header data..
var fileOffset = this.File.GetFileOffsetFromRva(this.File.NtHeaders.OptionalHeader.AddressOfEntryPoint);
var headerData = new byte[0xF0];
Array.Copy(this.File.FileData, (long)(fileOffset - 0xF0), headerData, 0, 0xF0);
// Xor decode the header data..
this.XorKey = SteamStubHelpers.SteamXor(ref headerData, 0xF0);
this.StubHeader = Pe64Helpers.GetStructure <SteamStub64Var31Header>(headerData);
// Validate the header signature..
if (this.StubHeader.Signature == 0xC0DEC0DF)
{
return(true);
}
// Try again using the Tls callback (if any) as the OEP instead..
if (this.File.TlsCallbacks.Count == 0)
{
return(false);
}
// Obtain the DRM header data..
fileOffset = this.File.GetRvaFromVa(this.File.TlsCallbacks[0]);
fileOffset = this.File.GetFileOffsetFromRva(fileOffset);
headerData = new byte[0xF0];
Array.Copy(this.File.FileData, (long)(fileOffset - 0xF0), headerData, 0, 0xF0);
// Xor decode the header data..
this.XorKey = SteamStubHelpers.SteamXor(ref headerData, 0xF0);
this.StubHeader = Pe64Helpers.GetStructure <SteamStub64Var31Header>(headerData);
// Validate the header signature..
if (this.StubHeader.Signature != 0xC0DEC0DF)
{
return(false);
}
// Tls was valid for the real oep..
this.TlsAsOep = true;
this.TlsOepRva = fileOffset;
return(true);
}
/// <summary>
/// Step #1
///
/// Read, decode and validate the SteamStub DRM header.
/// </summary>
/// <returns></returns>
private bool Step1()
{
// Obtain the header size..
var headerSize = this.GetHeaderSize(this.File);
// Obtain the DRM header data..
var fileOffset = this.File.GetFileOffsetFromRva(this.File.NtHeaders.OptionalHeader.AddressOfEntryPoint);
var headerData = new byte[headerSize];
Array.Copy(this.File.FileData, (long)(fileOffset - headerSize), headerData, 0, headerSize);
// Xor decode the header data..
this.XorKey = SteamStubHelpers.SteamXor(ref headerData, headerSize);
this.StubHeader = Pe64Helpers.GetStructure <SteamStub64Var30Header>(headerData);
// Validate the structure signature..
return(this.StubHeader.Signature == 0xC0DEC0DE);
}
/// <summary>
/// Step #6
///
/// Rebuild and save the unpacked file.
/// </summary>
/// <returns></returns>
private bool Step6()
{
FileStream fStream = null;
try
{
// Rebuild the file sections..
this.File.RebuildSections();
// Open the unpacked file for writing..
var unpackedPath = this.File.FilePath + ".unpacked.exe";
fStream = new FileStream(unpackedPath, FileMode.Create, FileAccess.ReadWrite);
// Write the DOS header to the file..
fStream.WriteBytes(Pe64Helpers.GetStructureBytes(this.File.DosHeader));
// Write the DOS stub to the file..
if (this.File.DosStubSize > 0)
{
fStream.WriteBytes(this.File.DosStubData);
}
// Update the entry point of the file..
var ntHeaders = this.File.NtHeaders;
ntHeaders.OptionalHeader.AddressOfEntryPoint = this.StubHeader.OriginalEntryPoint;
this.File.NtHeaders = ntHeaders;
// Write the NT headers to the file..
fStream.WriteBytes(Pe64Helpers.GetStructureBytes(ntHeaders));
// Write the sections to the file..
for (var x = 0; x < this.File.Sections.Count; x++)
{
var section = this.File.Sections[x];
var sectionData = this.File.SectionData[x];
// Write the section header to the file..
fStream.WriteBytes(Pe64Helpers.GetStructureBytes(section));
// Set the file pointer to the sections raw data..
var sectionOffset = fStream.Position;
fStream.Position = section.PointerToRawData;
// Write the sections raw data..
var sectionIndex = this.File.Sections.IndexOf(section);
if (sectionIndex == this.CodeSectionIndex)
{
fStream.WriteBytes(this.CodeSectionData ?? sectionData);
}
else
{
fStream.WriteBytes(sectionData);
}
// Reset the file offset..
fStream.Position = sectionOffset;
}
// Set the stream to the end of the file..
fStream.Position = fStream.Length;
// Write the overlay data if it exists..
if (this.File.OverlayData != null)
{
fStream.WriteBytes(this.File.OverlayData);
}
this.Log(" --> Unpacked file saved to disk!", LogMessageType.Success);
this.Log($" --> File Saved As: {unpackedPath}", LogMessageType.Success);
return(true);
}
catch
{
this.Log(" --> Error trying to save unpacked file!", LogMessageType.Error);
return(false);
}
finally
{
fStream?.Dispose();
}
}
private void TextBox1DragDrop(object sender, DragEventArgs e)
{
try
{
Array arrayyy = (Array)e.Data.GetData(DataFormats.FileDrop);
if (arrayyy != null)
{
string text = arrayyy.GetValue(0).ToString();
int num = text.LastIndexOf(".", StringComparison.Ordinal);
if (num != -1)
{
string text2 = text.Substring(num);
text2 = text2.ToLower();
if (text2 == ".exe" || text2 == ".dll")
{
Activate();
ExePath = text;
label2.Text = "Status : Exe Loaded";
int num2 = text.LastIndexOf("\\", StringComparison.Ordinal);
if (num2 != -1)
{
DirectoryName = text.Remove(num2, text.Length - num2);
}
if (DirectoryName.Length == 2)
{
DirectoryName += "\\";
}
}
}
}
}
catch
{
}
this.FileData = File.ReadAllBytes(ExePath);
if (IntPtr.Size == 4)
{
this.NtHeaders32 = new NativeApi32.ImageNtHeaders32();
this.DosHeader32 = new NativeApi32.ImageDosHeader32();
this.DosHeader32 = Pe32Helpers.GetStructure <NativeApi32.ImageDosHeader32>(this.FileData);
this.NtHeaders32 = Pe32Helpers.GetStructure <NativeApi32.ImageNtHeaders32>(this.FileData, this.DosHeader32.e_lfanew);
int num = NtHeaders32.FileHeader.NumberOfSections;
for (var x = 0; x < num; x++)
{
var section = Pe32Helpers.GetSection(this.FileData, x, this.DosHeader32, this.NtHeaders32);
if (section.SectionName.Equals(".bxpck"))
{
var sectionData = new byte[this.GetAlignment(section.SizeOfRawData, this.NtHeaders32.OptionalHeader.FileAlignment)];
Array.Copy(this.FileData, section.PointerToRawData, sectionData, 0, section.SizeOfRawData);
string filename = DirectoryName + "\\" + Path.GetFileNameWithoutExtension(ExePath) + "-Unpacked" + Path.GetExtension(ExePath);
int firstIndex = GetNthIndex(sectionData, 0x5A, 1);
if (sectionData[firstIndex - 1] == 0x4D)
{
File.WriteAllBytes(filename, sectionData.Skip(firstIndex - 1).ToArray());
label3.Text += (firstIndex - 1).ToString("X");
}
else
{
int secondIndex = GetNthIndex(sectionData, 0x5A, 2);
if (sectionData[secondIndex - 1] == 0x4A)
{
File.WriteAllBytes(filename, sectionData.Skip(secondIndex - 1).ToArray());
label3.Text += (secondIndex - 1).ToString("X");
}
else
{
int lastIndex = GetNthIndex(sectionData, 0x4D, 3);
if (sectionData[lastIndex - 1] == 0x4D)
{
File.WriteAllBytes(filename, sectionData.Skip(lastIndex - 1).ToArray());
label3.Text += (lastIndex - 1).ToString("X");
}
else
{
}
}
}
goto sucess;
}
}
}
else
{
this.DosHeader64 = new NativeApi64.ImageDosHeader64();
this.NtHeaders64 = new NativeApi64.ImageNtHeaders64();
this.DosHeader64 = Pe64Helpers.GetStructure <NativeApi64.ImageDosHeader64>(this.FileData);
this.NtHeaders64 = Pe64Helpers.GetStructure <NativeApi64.ImageNtHeaders64>(this.FileData, this.DosHeader64.e_lfanew);
for (var x = 0; x < this.NtHeaders64.FileHeader.NumberOfSections; x++)
{
var section = Pe64Helpers.GetSection(this.FileData, x, this.DosHeader64, this.NtHeaders64);
if (section.SectionName.Equals(".bxpck"))
{
var sectionData = new byte[this.GetAlignment(section.SizeOfRawData, this.NtHeaders64.OptionalHeader.FileAlignment)];
Array.Copy(this.FileData, section.PointerToRawData, sectionData, 0, section.SizeOfRawData);
string filename = DirectoryName + "\\" + Path.GetFileNameWithoutExtension(ExePath) + "-Unpacked" + Path.GetExtension(ExePath);
File.WriteAllBytes(filename, sectionData.Skip(182).ToArray());
goto sucess;
}
}
}
MessageBox.Show("BoxedAppPacker section not found (.bxpck) ! ", "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
sucess:
label2.Text = "Status : Success ! ";
}
