public Decrypter45(PeImage peImage, CodeHeader codeHeader)
: base(peImage, codeHeader)
{
}
public void patch(byte[] peImageData)
{
var peImage = new PeImage(peImageData);
foreach (var info in patchInfos) {
for (int i = 0; i < info.offsets.Length; i++)
peImage.dotNetSafeWriteOffset((uint)info.offsets[i], BitConverter.GetBytes(info.values[i]));
}
}
public McKey(PeImage peImage, PeHeader peHeader)
{
this.peHeader = peHeader;
try {
this.data = peImage.readBytes(peHeader.getMcKeyRva(), 0x2000);
}
catch (IOException) {
this.data = peImage.readBytes(peHeader.getMcKeyRva(), 0x1000);
}
}
public bool decrypt(PeImage peImage, ref DumpedMethods dumpedMethods)
{
dumpedMethods = new DumpedMethods();
bool decrypted = false;
var metadataTables = peImage.Cor20Header.createMetadataTables();
var methodDef = metadataTables.getMetadataType(MetadataIndex.iMethodDef);
uint methodDefOffset = methodDef.fileOffset;
for (int i = 0; i < methodDef.rows; i++, methodDefOffset += methodDef.totalSize) {
uint bodyRva = peImage.offsetReadUInt32(methodDefOffset);
if (bodyRva == 0)
continue;
uint bodyOffset = peImage.rvaToOffset(bodyRva);
var dm = new DumpedMethod();
dm.token = (uint)(0x06000001 + i);
byte[] code, extraSections;
peImage.Reader.BaseStream.Position = bodyOffset;
var mbHeader = MethodBodyParser.parseMethodBody(peImage.Reader, out code, out extraSections);
if (code.Length < 6 || code[0] != 0x2A || code[1] != 0x2A)
continue;
dm.code = code;
dm.extraSections = extraSections;
int seed = BitConverter.ToInt32(code, 2);
Array.Copy(newCodeHeader, code, newCodeHeader.Length);
if (seed == 0)
decrypt(code);
else
decrypt(code, seed);
dm.mdImplFlags = peImage.offsetReadUInt16(methodDefOffset + (uint)methodDef.fields[1].offset);
dm.mdFlags = peImage.offsetReadUInt16(methodDefOffset + (uint)methodDef.fields[2].offset);
dm.mdName = peImage.offsetRead(methodDefOffset + (uint)methodDef.fields[3].offset, methodDef.fields[3].size);
dm.mdSignature = peImage.offsetRead(methodDefOffset + (uint)methodDef.fields[4].offset, methodDef.fields[4].size);
dm.mdParamList = peImage.offsetRead(methodDefOffset + (uint)methodDef.fields[5].offset, methodDef.fields[5].size);
dm.mhFlags = mbHeader.flags;
dm.mhMaxStack = mbHeader.maxStack;
dm.mhCodeSize = (uint)dm.code.Length;
dm.mhLocalVarSigTok = mbHeader.localVarSigTok;
dumpedMethods.add(dm);
decrypted = true;
}
return decrypted;
}
public MethodInfos(MainType mainType, PeImage peImage, PeHeader peHeader, McKey mcKey)
{
this.mainType = mainType;
this.peImage = peImage;
this.peHeader = peHeader;
this.mcKey = mcKey;
structSize = getStructSize(mcKey);
uint methodInfosRva = peHeader.getRva2(0x0FF8, mcKey.readUInt32(0x005A));
uint encryptedDataRva = peHeader.getRva2(0x0FF0, mcKey.readUInt32(0x0046));
methodInfosOffset = peImage.rvaToOffset(methodInfosRva);
encryptedDataOffset = peImage.rvaToOffset(encryptedDataRva);
}
public McKey(PeImage peImage, PeHeader peHeader)
{
this.peHeader = peHeader;
this.data = peImage.readBytes(peHeader.getMcKeyRva(), 0x2000);
}
static uint getOldCodeHeaderOffset(PeImage peImage)
{
var sect = getLastOf(peImage, sections);
if (sect == null || sect.virtualSize < 0x100)
return 0;
return peImage.rvaToOffset(sect.virtualAddress + sect.virtualSize - 0x100);
}
// CS 1.x
byte[] unpackNativeFile2(PeImage peImage)
{
var dir = peImage.Resources.getRoot();
if ((dir = dir.getDirectory("ASSEMBLY")) == null)
return null;
if ((dir = dir.getDirectory(101)) == null)
return null;
var data = dir.getData(0);
if (data == null)
return null;
return ModuleBytes = peImage.readBytes(data.RVA, (int)data.Size);
}
public override byte[] unpackNativeFile(PeImage peImage)
{
return unpackNativeFile1(peImage) ?? unpackNativeFile2(peImage);
}
public override byte[] unpackNativeFile(PeImage peImage)
{
var data = new NativeImageUnpacker(peImage).unpack();
if (data == null)
return null;
unpackedNativeFile = true;
ModuleBytes = data;
return data;
}
static void readTo(PeImage peImage, byte[] data, int destOffset, uint imageOffset, uint maxLength)
{
if (destOffset > data.Length)
return;
int len = Math.Min(data.Length - destOffset, (int)maxLength);
var newData = peImage.offsetReadBytes(imageOffset, len);
Array.Copy(newData, 0, data, destOffset, newData.Length);
}
static EncryptionVersion getVersion(PeImage peImage, uint headerOffset)
{
uint m1lo = peImage.offsetReadUInt32(headerOffset + 0x900);
uint m1hi = peImage.offsetReadUInt32(headerOffset + 0x904);
foreach (var info in EncryptionInfos.Rva900h) {
if (info.MagicLo == m1lo && info.MagicHi == m1hi)
return info.Version;
}
return EncryptionVersion.Unknown;
}
public ApplicationModeUnpacker(PeImage peImage)
{
this.peImage = peImage;
}
static void clearDllBit(byte[] peImageData)
{
var mainPeImage = new PeImage(peImageData);
uint characteristicsOffset = mainPeImage.FileHeaderOffset + 18;
ushort characteristics = mainPeImage.offsetReadUInt16(characteristicsOffset);
characteristics &= 0xDFFF;
characteristics |= 2;
mainPeImage.offsetWriteUInt16(characteristicsOffset, characteristics);
}
public ProDecrypter(PeImage peImage, CodeHeader codeHeader)
: base(peImage, codeHeader)
{
for (int i = 0; i < 4; i++)
key[i] = be_readUInt32(codeHeader.decryptionKey, i * 4);
}
public DecrypterBase(PeImage peImage, CodeHeader codeHeader)
{
this.peImage = peImage;
this.codeHeader = codeHeader;
endOfMetadata = peImage.rvaToOffset(peImage.Cor20Header.metadataDirectory.virtualAddress + peImage.Cor20Header.metadataDirectory.size);
}
public Decrypter5(PeImage peImage, CodeHeader codeHeader, uint codeHeaderSize)
: base(peImage, codeHeader)
{
this.codeHeaderSize = codeHeaderSize;
}
public PeHeader(MainType mainType, PeImage peImage)
{
headerData = getPeHeaderData(peImage);
if (!mainType.IsOld && peImage.readUInt32(0x2008) != 0x48) {
rvaDispl1 = readUInt32(0x0FB0) ^ XOR_KEY;
rvaDispl2 = readUInt32(0x0FB4) ^ XOR_KEY;
}
}
static byte[] getPeHeaderData(PeImage peImage)
{
var data = new byte[0x1000];
var firstSection = peImage.Sections[0];
readTo(peImage, data, 0, 0, firstSection.pointerToRawData);
foreach (var section in peImage.Sections) {
if (section.virtualAddress >= data.Length)
continue;
int offset = (int)section.virtualAddress;
readTo(peImage, data, offset, section.pointerToRawData, section.sizeOfRawData);
}
return data;
}
public PeHeader(MainType mainType, PeImage peImage)
{
uint headerOffset;
version = getHeaderOffsetAndVersion(peImage, out headerOffset);
headerData = peImage.offsetReadBytes(headerOffset, 0x1000);
}
public override bool getDecryptedModule(int count, ref byte[] newFileData, ref DumpedMethods dumpedMethods)
{
if (count != 0)
return false;
fileData = ModuleBytes ?? DeobUtils.readModule(module);
peImage = new PeImage(fileData);
if (!options.DecryptMethods)
return false;
var tokenToNativeCode = new Dictionary<uint,byte[]>();
if (!methodsDecrypter.decrypt(peImage, DeobfuscatedFile, ref dumpedMethods, tokenToNativeCode))
return false;
if (options.DumpNativeMethods) {
using (var fileStream = new FileStream(module.FullyQualifiedName + ".native", FileMode.Create, FileAccess.Write, FileShare.Read)) {
var sortedTokens = new List<uint>(tokenToNativeCode.Keys);
sortedTokens.Sort();
var writer = new BinaryWriter(fileStream);
var nops = new byte[] { 0x90, 0x90, 0x90, 0x90 };
foreach (var token in sortedTokens) {
writer.Write((byte)0xB8);
writer.Write(token);
writer.Write(tokenToNativeCode[token]);
writer.Write(nops);
}
}
}
newFileData = fileData;
return true;
}
static EncryptionVersion getHeaderOffsetAndVersion(PeImage peImage, out uint headerOffset)
{
headerOffset = 0;
var version = getVersion(peImage, headerOffset);
if (version != EncryptionVersion.Unknown)
return version;
var section = peImage.findSection(".rsrc");
if (section == null)
return EncryptionVersion.Unknown;
headerOffset = section.pointerToRawData;
uint end = section.pointerToRawData + section.sizeOfRawData - 0x1000 + 1;
while (headerOffset < end) {
version = getVersion(peImage, headerOffset);
if (version != EncryptionVersion.Unknown)
return version;
headerOffset++;
}
return EncryptionVersion.Unknown;
}
public override bool getDecryptedModule(int count, ref byte[] newFileData, ref DumpedMethods dumpedMethods)
{
if (count != 0 || !options.DecryptMethods)
return false;
byte[] fileData = ModuleBytes ?? DeobUtils.readModule(module);
var peImage = new PeImage(fileData);
if (!new MethodsDecrypter().decrypt(peImage, module, cliSecureRtType, ref dumpedMethods)) {
Log.v("Methods aren't encrypted or invalid signature");
return false;
}
newFileData = fileData;
return true;
}
bool decryptModule(ref byte[] newFileData, ref DumpedMethods dumpedMethods)
{
if (!methodsDecrypter.Detected)
return false;
byte[] fileData = ModuleBytes ?? DeobUtils.readModule(module);
var peImage = new PeImage(fileData);
if (!methodsDecrypter.decrypt(peImage, ref dumpedMethods))
return false;
newFileData = fileData;
return true;
}
// Old CS versions
byte[] unpackNativeFile1(PeImage peImage)
{
const int dataDirNum = 6; // debug dir
const int dotNetDirNum = 14;
if (peImage.OptionalHeader.dataDirectories[dataDirNum].virtualAddress == 0)
return null;
if (peImage.OptionalHeader.dataDirectories[dataDirNum].size != 0x48)
return null;
var fileData = peImage.readAllBytes();
int dataDir = (int)peImage.OptionalHeader.offsetOfDataDirectory(dataDirNum);
int dotNetDir = (int)peImage.OptionalHeader.offsetOfDataDirectory(dotNetDirNum);
writeUInt32(fileData, dotNetDir, BitConverter.ToUInt32(fileData, dataDir));
writeUInt32(fileData, dotNetDir + 4, BitConverter.ToUInt32(fileData, dataDir + 4));
writeUInt32(fileData, dataDir, 0);
writeUInt32(fileData, dataDir + 4, 0);
ModuleBytes = fileData;
return fileData;
}
bool unpackNativeImage(IEnumerable<IDeobfuscator> deobfuscators)
{
var peImage = new PeImage(Utils.readFile(Filename));
foreach (var deob in deobfuscators) {
byte[] unpackedData = null;
try {
unpackedData = deob.unpackNativeFile(peImage);
}
catch {
}
if (unpackedData == null)
continue;
try {
module = assemblyModule.load(unpackedData);
}
catch {
Log.w("Could not load unpacked data. Deobfuscator: {0}", deob.TypeLong);
continue;
}
this.deob = deob;
return true;
}
return false;
}
static SectionHeader getLastOf(PeImage peImage, string[] sections)
{
SectionHeader sect = null;
foreach (var name in sections) {
var sect2 = peImage.findSection(name);
if (sect2 == null)
continue;
if (sect == null || sect2.virtualAddress > sect.virtualAddress)
sect = sect2;
}
return sect;
}
public Decrypter10(PeImage peImage, byte[] key)
{
this.peImage = peImage;
this.blowfish = new CsBlowfish(key);
}
public bool decrypt(byte[] fileData, ref DumpedMethods dumpedMethods)
{
peImage = new PeImage(fileData);
peHeader = new PeHeader(mainType, peImage);
mcKey = new McKey(peImage, peHeader);
this.fileData = fileData;
dumpedMethods = decryptMethods();
if (dumpedMethods == null)
return false;
decryptResources();
decryptStrings();
return true;
}
static uint getCodeHeaderOffset(PeImage peImage)
{
return peImage.rvaToOffset(peImage.Cor20Header.metadataDirectory.virtualAddress + peImage.Cor20Header.metadataDirectory.size);
}
