/// <summary>
/// Step #1
///
/// Read, disassemble and decode the SteamStub DRM header.
/// </summary>
/// <returns></returns>
private bool Step1()
{
// Obtain the file entry offset..
var fileOffset = this.File.GetFileOffsetFromRva(this.File.NtHeaders.OptionalHeader.AddressOfEntryPoint);
// Validate the DRM header..
if (BitConverter.ToUInt32(this.File.FileData, (int)fileOffset - 4) != 0xC0DEC0DE)
{
return(false);
}
// Disassemble the file to locate the needed DRM information..
if (!this.DisassembleFile(out var structOffset, out var structSize, out var structXorKey))
{
return(false);
}
// Obtain the DRM header data..
var headerData = new byte[structSize];
Array.Copy(this.File.FileData, this.File.GetFileOffsetFromRva(structOffset), headerData, 0, structSize);
// Xor decode the header data..
this.XorKey = SteamStubHelpers.SteamXor(ref headerData, (uint)headerData.Length, 0);
// Create the stub header..
this.StubHeader = Pe32Helpers.GetStructure <SteamStub32Var20Header>(headerData);
return(true);
}
/// <summary>
/// Step #2
///
/// Read, decode and process the payload data.
/// </summary>
/// <returns></returns>
private bool Step2()
{
// Obtain the payload address and size..
var payloadAddr = this.File.GetFileOffsetFromRva(this.TlsAsOep ? this.TlsOepRva : this.File.NtHeaders.OptionalHeader.AddressOfEntryPoint - this.StubHeader.BindSectionOffset);
var payloadSize = (this.StubHeader.PayloadSize + 0x0F) & 0xFFFFFFF0;
// Do nothing if there is no payload..
if (payloadSize == 0)
{
return(true);
}
this.Log(" --> File has payload data!", LogMessageType.Debug);
// Obtain and decode the payload..
var payload = new byte[payloadSize];
Array.Copy(this.File.FileData, (long)payloadAddr, payload, 0, payloadSize);
this.XorKey = SteamStubHelpers.SteamXor(ref payload, payloadSize, this.XorKey);
try
{
if (this.Options.DumpPayloadToDisk)
{
System.IO.File.WriteAllBytes(this.File.FilePath + ".payload", payload);
this.Log(" --> Saved payload to disk!", LogMessageType.Debug);
}
}
catch
{
// Do nothing here since it doesn't matter if this fails..
}
return(true);
}
/// <summary>
/// Step #2
///
/// Read, decode and process the payload data.
/// </summary>
/// <returns></returns>
private bool Step2()
{
// Obtain the payload address and size..
var payloadAddr = this.File.GetFileOffsetFromRva(this.File.GetRvaFromVa(this.StubHeader.PayloadDataVirtualAddress));
var payloadData = new byte[this.StubHeader.PayloadDataSize];
Array.Copy(this.File.FileData, payloadAddr, payloadData, 0, this.StubHeader.PayloadDataSize);
// Decode the payload data..
this.XorKey = SteamStubHelpers.SteamXor(ref payloadData, this.StubHeader.PayloadDataSize, this.XorKey);
this.PayloadData = payloadData;
try
{
if (this.Options.DumpPayloadToDisk)
{
System.IO.File.WriteAllBytes(this.File.FilePath + ".payload", payloadData);
this.Log(" --> Saved payload to disk!", LogMessageType.Debug);
}
}
catch
{
// Do nothing here since it doesn't matter if this fails..
}
return(true);
}
/// <summary>
/// Step #1
///
/// Read, decode and validate the SteamStub DRM header.
/// </summary>
/// <returns></returns>
private bool Step1()
{
// Obtain the header size..
var headerSize = this.GetHeaderSize(this.File);
// Obtain the DRM header data..
var fileOffset = this.File.GetFileOffsetFromRva(this.File.NtHeaders.OptionalHeader.AddressOfEntryPoint);
var headerData = new byte[headerSize];
Array.Copy(this.File.FileData, (long)(fileOffset - headerSize), headerData, 0, headerSize);
// Xor decode the header data..
this.XorKey = SteamStubHelpers.SteamXor(ref headerData, headerSize);
this.StubHeader = Pe64Helpers.GetStructure <SteamStub64Var30Header>(headerData);
// Validate the structure signature..
if (this.StubHeader.Signature == 0xC0DEC0DE)
{
return(true);
}
// Try again using the Tls callback (if any) as the OEP instead..
if (this.File.TlsCallbacks.Count == 0)
{
return(false);
}
// Obtain the DRM header data..
fileOffset = this.File.GetRvaFromVa(this.File.TlsCallbacks[0]);
fileOffset = this.File.GetFileOffsetFromRva(fileOffset);
headerData = new byte[headerSize];
Array.Copy(this.File.FileData, (long)(fileOffset - headerSize), headerData, 0, headerSize);
// Xor decode the header data..
this.XorKey = SteamStubHelpers.SteamXor(ref headerData, headerSize);
this.StubHeader = Pe64Helpers.GetStructure <SteamStub64Var30Header>(headerData);
// Validate the structure signature..
if (this.StubHeader.Signature != 0xC0DEC0DE)
{
return(false);
}
// Tls was valid for the real oep..
this.TlsAsOep = true;
this.TlsOepRva = this.File.GetRvaFromVa(this.File.TlsCallbacks[0]);
// Is the TlsCallback replacing the OEP..
if (this.StubHeader.HasTlsCallback != 1 || this.File.TlsCallbacks[0] == 0)
{
return(true);
}
// Rebuild the file Tls callback information..
return(this.RebuildTlsCallbackInformation());
}
/// <summary>
/// Step #1
///
/// Read, disassemble and decode the SteamStub DRM header.
/// </summary>
/// <returns></returns>
private bool Step1()
{
/**
* Note: This version of the stub has a variable length header due to how it builds the
* header information. When the stub is generated, the header has additional string data
* that can be dynamically built based on the various options of the protection being used
* and other needed API imports. Inside of the stub header, this field is 'StubData'.
*/
// Obtain the file entry offset..
var fileOffset = this.File.GetFileOffsetFromRva(this.File.NtHeaders.OptionalHeader.AddressOfEntryPoint);
// Validate the DRM header..
if (BitConverter.ToUInt32(this.File.FileData, (int)fileOffset - 4) != 0xC0DEC0DE)
{
return(false);
}
// Disassemble the file to locate the needed DRM information..
if (!this.DisassembleFile(out var structOffset, out var structSize, out var structXorKey))
{
return(false);
}
// Obtain the DRM header data..
var headerData = new byte[structSize];
Array.Copy(this.File.FileData, this.File.GetFileOffsetFromRva(structOffset), headerData, 0, structSize);
// Xor decode the header data..
this.XorKey = SteamStubHelpers.SteamXor(ref headerData, (uint)headerData.Length, structXorKey);
// Determine how to handle the header based on the size..
if ((structSize / 4) == 0xD0)
{
this.StubHeader = Pe32Helpers.GetStructure <SteamStub32Var21Header_D0Variant>(headerData);
this.StubData = headerData.Skip(Marshal.SizeOf(typeof(SteamStub32Var21Header_D0Variant))).ToArray();
}
else
{
this.StubHeader = Pe32Helpers.GetStructure <SteamStub32Var21Header>(headerData);
this.StubData = headerData.Skip(Marshal.SizeOf(typeof(SteamStub32Var21Header))).ToArray();
}
return(true);
}
/// <summary>
/// Step #1
///
/// Read, decode and validate the SteamStub DRM header.
/// </summary>
/// <returns></returns>
private bool Step1()
{
// Obtain the DRM header data..
var fileOffset = this.File.GetFileOffsetFromRva(this.File.NtHeaders.OptionalHeader.AddressOfEntryPoint);
var headerData = new byte[0xF0];
Array.Copy(this.File.FileData, (long)(fileOffset - 0xF0), headerData, 0, 0xF0);
// Xor decode the header data..
this.XorKey = SteamStubHelpers.SteamXor(ref headerData, 0xF0);
this.StubHeader = Pe64Helpers.GetStructure <SteamStub64Var31Header>(headerData);
// Validate the header signature..
if (this.StubHeader.Signature == 0xC0DEC0DF)
{
return(true);
}
// Try again using the Tls callback (if any) as the OEP instead..
if (this.File.TlsCallbacks.Count == 0)
{
return(false);
}
// Obtain the DRM header data..
fileOffset = this.File.GetRvaFromVa(this.File.TlsCallbacks[0]);
fileOffset = this.File.GetFileOffsetFromRva(fileOffset);
headerData = new byte[0xF0];
Array.Copy(this.File.FileData, (long)(fileOffset - 0xF0), headerData, 0, 0xF0);
// Xor decode the header data..
this.XorKey = SteamStubHelpers.SteamXor(ref headerData, 0xF0);
this.StubHeader = Pe64Helpers.GetStructure <SteamStub64Var31Header>(headerData);
// Validate the header signature..
if (this.StubHeader.Signature != 0xC0DEC0DF)
{
return(false);
}
// Tls was valid for the real oep..
this.TlsAsOep = true;
this.TlsOepRva = fileOffset;
return(true);
}
/// <summary>
/// Step #1
///
/// Read, decode and validate the SteamStub DRM header.
/// </summary>
/// <returns></returns>
private bool Step1()
{
// Obtain the header size..
var headerSize = this.GetHeaderSize(this.File);
// Obtain the DRM header data..
var fileOffset = this.File.GetFileOffsetFromRva(this.File.NtHeaders.OptionalHeader.AddressOfEntryPoint);
var headerData = new byte[headerSize];
Array.Copy(this.File.FileData, (long)(fileOffset - headerSize), headerData, 0, headerSize);
// Xor decode the header data..
this.XorKey = SteamStubHelpers.SteamXor(ref headerData, headerSize);
this.StubHeader = Pe64Helpers.GetStructure <SteamStub64Var30Header>(headerData);
// Validate the structure signature..
return(this.StubHeader.Signature == 0xC0DEC0DE);
}