Esempio n. 1
0
        /// <summary>
        /// Step #1
        ///
        /// Read, disassemble and decode the SteamStub DRM header.
        /// </summary>
        /// <returns></returns>
        private bool Step1()
        {
            // Obtain the file entry offset..
            var fileOffset = this.File.GetFileOffsetFromRva(this.File.NtHeaders.OptionalHeader.AddressOfEntryPoint);

            // Validate the DRM header..
            if (BitConverter.ToUInt32(this.File.FileData, (int)fileOffset - 4) != 0xC0DEC0DE)
            {
                return(false);
            }

            // Disassemble the file to locate the needed DRM information..
            if (!this.DisassembleFile(out var structOffset, out var structSize, out var structXorKey))
            {
                return(false);
            }

            // Obtain the DRM header data..
            var headerData = new byte[structSize];

            Array.Copy(this.File.FileData, this.File.GetFileOffsetFromRva(structOffset), headerData, 0, structSize);

            // Xor decode the header data..
            this.XorKey = SteamStubHelpers.SteamXor(ref headerData, (uint)headerData.Length, 0);

            // Create the stub header..
            this.StubHeader = Pe32Helpers.GetStructure <SteamStub32Var20Header>(headerData);

            return(true);
        }
Esempio n. 2
0
        /// <summary>
        /// Step #1
        ///
        /// Read, decode and validate the SteamStub DRM header.
        /// </summary>
        /// <returns></returns>
        private bool Step1()
        {
            // Obtain the bind section..
            var section = this.File.GetSection(".bind");

            if (!section.IsValid)
            {
                return(false);
            }

            // Find the header information from the unpacker call..
            var bind   = this.File.GetSectionData(".bind");
            var offset = Pe32Helpers.FindPattern(bind, "60 81 EC 00 10 00 00 BE ?? ?? ?? ?? B9 6A");

            if (offset == -1)
            {
                return(false);
            }

            // Read the needed header information..
            var headerPointer = BitConverter.ToUInt32(bind, (int)offset + 8);
            var headerSize    = BitConverter.ToUInt32(bind, (int)offset + 13) * 4;

            // Calculate the file offset from the pointer..
            var fileOffset = this.File.GetFileOffsetFromRva(headerPointer - this.File.NtHeaders.OptionalHeader.ImageBase);

            // Read the header data..
            var headerData = new byte[headerSize];

            Array.Copy(this.File.FileData, fileOffset, headerData, 0, headerSize);

            // Decrypt the header data..
            for (var x = 0; x < headerSize; x++)
            {
                headerData[x] ^= (byte)(x * x);
            }

            // Store the header and validate it..
            this.StubHeader = Pe32Helpers.GetStructure <SteamStub32Var10Header>(headerData);

            // Validate the header via the unpacker function matching the file entry point..
            if (this.StubHeader.BindFunction - this.File.NtHeaders.OptionalHeader.ImageBase != this.File.NtHeaders.OptionalHeader.AddressOfEntryPoint)
            {
                return(false);
            }

            // Find the OEP from the unpacker function..
            offset = Pe32Helpers.FindPattern(bind, "61 B8 ?? ?? ?? ?? FF E0");
            if (offset == -1)
            {
                return(false);
            }

            // Read and store the real OEP..
            this.OriginalEntryPoint = BitConverter.ToUInt32(bind, (int)offset + 2) - this.File.NtHeaders.OptionalHeader.ImageBase;

            return(true);
        }
Esempio n. 3
0
        /// <summary>
        /// Step #1
        ///
        /// Read, decode and validate the SteamStub DRM header.
        /// </summary>
        /// <returns></returns>
        private bool Step1()
        {
            // Obtain the header size..
            var headerSize = this.GetHeaderSize(this.File);

            // Obtain the DRM header data..
            var fileOffset = this.File.GetFileOffsetFromRva(this.File.NtHeaders.OptionalHeader.AddressOfEntryPoint);
            var headerData = new byte[headerSize];

            Array.Copy(this.File.FileData, (int)(fileOffset - headerSize), headerData, 0, headerSize);

            // Xor decode the header data..
            this.XorKey     = SteamStubHelpers.SteamXor(ref headerData, headerSize);
            this.StubHeader = Pe32Helpers.GetStructure <SteamStub32Var30Header>(headerData);

            // Validate the structure signature..
            if (this.StubHeader.Signature == 0xC0DEC0DE)
            {
                return(true);
            }

            // Try again using the Tls callback (if any) as the OEP instead..
            if (this.File.TlsCallbacks.Count == 0)
            {
                return(false);
            }

            // Obtain the DRM header data..
            fileOffset = this.File.GetRvaFromVa(this.File.TlsCallbacks[0]);
            fileOffset = this.File.GetFileOffsetFromRva(fileOffset);
            headerData = new byte[headerSize];
            Array.Copy(this.File.FileData, (int)(fileOffset - headerSize), headerData, 0, headerSize);

            // Xor decode the header data..
            this.XorKey     = SteamStubHelpers.SteamXor(ref headerData, headerSize);
            this.StubHeader = Pe32Helpers.GetStructure <SteamStub32Var30Header>(headerData);

            // Validate the structure signature..
            if (this.StubHeader.Signature == 0xC0DEC0DE)
            {
                return(true);
            }

            // Tls was valid for the real oep..
            this.TlsAsOep  = true;
            this.TlsOepRva = fileOffset;
            return(true);
        }
Esempio n. 4
0
        /// <summary>
        /// Step #1
        ///
        /// Read, disassemble and decode the SteamStub DRM header.
        /// </summary>
        /// <returns></returns>
        private bool Step1()
        {
            /**
             * Note: This version of the stub has a variable length header due to how it builds the
             * header information. When the stub is generated, the header has additional string data
             * that can be dynamically built based on the various options of the protection being used
             * and other needed API imports. Inside of the stub header, this field is 'StubData'.
             */

            // Obtain the file entry offset..
            var fileOffset = this.File.GetFileOffsetFromRva(this.File.NtHeaders.OptionalHeader.AddressOfEntryPoint);

            // Validate the DRM header..
            if (BitConverter.ToUInt32(this.File.FileData, (int)fileOffset - 4) != 0xC0DEC0DE)
            {
                return(false);
            }

            // Disassemble the file to locate the needed DRM information..
            if (!this.DisassembleFile(out var structOffset, out var structSize, out var structXorKey))
            {
                return(false);
            }

            // Obtain the DRM header data..
            var headerData = new byte[structSize];

            Array.Copy(this.File.FileData, this.File.GetFileOffsetFromRva(structOffset), headerData, 0, structSize);

            // Xor decode the header data..
            this.XorKey = SteamStubHelpers.SteamXor(ref headerData, (uint)headerData.Length, structXorKey);

            // Determine how to handle the header based on the size..
            if ((structSize / 4) == 0xD0)
            {
                this.StubHeader = Pe32Helpers.GetStructure <SteamStub32Var21Header_D0Variant>(headerData);
                this.StubData   = headerData.Skip(Marshal.SizeOf(typeof(SteamStub32Var21Header_D0Variant))).ToArray();
            }
            else
            {
                this.StubHeader = Pe32Helpers.GetStructure <SteamStub32Var21Header>(headerData);
                this.StubData   = headerData.Skip(Marshal.SizeOf(typeof(SteamStub32Var21Header))).ToArray();
            }

            return(true);
        }
Esempio n. 5
0
        private void TextBox1DragDrop(object sender, DragEventArgs e)
        {
            try
            {
                Array arrayyy = (Array)e.Data.GetData(DataFormats.FileDrop);
                if (arrayyy != null)
                {
                    string text = arrayyy.GetValue(0).ToString();
                    int    num  = text.LastIndexOf(".", StringComparison.Ordinal);
                    if (num != -1)
                    {
                        string text2 = text.Substring(num);
                        text2 = text2.ToLower();
                        if (text2 == ".exe" || text2 == ".dll")
                        {
                            Activate();
                            ExePath     = text;
                            label2.Text = "Status : Exe Loaded";
                            int num2 = text.LastIndexOf("\\", StringComparison.Ordinal);
                            if (num2 != -1)
                            {
                                DirectoryName = text.Remove(num2, text.Length - num2);
                            }
                            if (DirectoryName.Length == 2)
                            {
                                DirectoryName += "\\";
                            }
                        }
                    }
                }
            }
            catch
            {
            }
            this.FileData = File.ReadAllBytes(ExePath);
            if (IntPtr.Size == 4)
            {
                this.NtHeaders32 = new NativeApi32.ImageNtHeaders32();
                this.DosHeader32 = new NativeApi32.ImageDosHeader32();
                this.DosHeader32 = Pe32Helpers.GetStructure <NativeApi32.ImageDosHeader32>(this.FileData);
                this.NtHeaders32 = Pe32Helpers.GetStructure <NativeApi32.ImageNtHeaders32>(this.FileData, this.DosHeader32.e_lfanew);
                int num = NtHeaders32.FileHeader.NumberOfSections;
                for (var x = 0; x < num; x++)
                {
                    var section = Pe32Helpers.GetSection(this.FileData, x, this.DosHeader32, this.NtHeaders32);
                    if (section.SectionName.Equals(".bxpck"))
                    {
                        var sectionData = new byte[this.GetAlignment(section.SizeOfRawData, this.NtHeaders32.OptionalHeader.FileAlignment)];
                        Array.Copy(this.FileData, section.PointerToRawData, sectionData, 0, section.SizeOfRawData);
                        string filename = DirectoryName + "\\" + Path.GetFileNameWithoutExtension(ExePath) + "-Unpacked" + Path.GetExtension(ExePath);

                        int firstIndex = GetNthIndex(sectionData, 0x5A, 1);
                        if (sectionData[firstIndex - 1] == 0x4D)
                        {
                            File.WriteAllBytes(filename, sectionData.Skip(firstIndex - 1).ToArray());
                            label3.Text += (firstIndex - 1).ToString("X");
                        }
                        else
                        {
                            int secondIndex = GetNthIndex(sectionData, 0x5A, 2);
                            if (sectionData[secondIndex - 1] == 0x4A)
                            {
                                File.WriteAllBytes(filename, sectionData.Skip(secondIndex - 1).ToArray());
                                label3.Text += (secondIndex - 1).ToString("X");
                            }
                            else
                            {
                                int lastIndex = GetNthIndex(sectionData, 0x4D, 3);
                                if (sectionData[lastIndex - 1] == 0x4D)
                                {
                                    File.WriteAllBytes(filename, sectionData.Skip(lastIndex - 1).ToArray());
                                    label3.Text += (lastIndex - 1).ToString("X");
                                }
                                else
                                {
                                }
                            }
                        }
                        goto sucess;
                    }
                }
            }
            else
            {
                this.DosHeader64 = new NativeApi64.ImageDosHeader64();
                this.NtHeaders64 = new NativeApi64.ImageNtHeaders64();
                this.DosHeader64 = Pe64Helpers.GetStructure <NativeApi64.ImageDosHeader64>(this.FileData);
                this.NtHeaders64 = Pe64Helpers.GetStructure <NativeApi64.ImageNtHeaders64>(this.FileData, this.DosHeader64.e_lfanew);
                for (var x = 0; x < this.NtHeaders64.FileHeader.NumberOfSections; x++)
                {
                    var section = Pe64Helpers.GetSection(this.FileData, x, this.DosHeader64, this.NtHeaders64);
                    if (section.SectionName.Equals(".bxpck"))
                    {
                        var sectionData = new byte[this.GetAlignment(section.SizeOfRawData, this.NtHeaders64.OptionalHeader.FileAlignment)];
                        Array.Copy(this.FileData, section.PointerToRawData, sectionData, 0, section.SizeOfRawData);
                        string filename = DirectoryName + "\\" + Path.GetFileNameWithoutExtension(ExePath) + "-Unpacked" + Path.GetExtension(ExePath);
                        File.WriteAllBytes(filename, sectionData.Skip(182).ToArray());
                        goto sucess;
                    }
                }
            }
            MessageBox.Show("BoxedAppPacker section not found (.bxpck) ! ", "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
sucess:
            label2.Text = "Status : Success ! ";
        }