public CodeReader(Section section, MetadataReader reader, DumpedMethods dumpedMethods = null)
: base(section.Data)
{
this.code_section = section;
this.reader = reader;
this.dumpedMethods = dumpedMethods;
}
public bool decrypt(ref DumpedMethods dumpedMethods)
{
dumpedMethods = decryptMethods();
if (dumpedMethods == null)
return false;
decryptResources();
decryptStrings();
return true;
}
public bool decrypt(PeImage peImage, ref DumpedMethods dumpedMethods)
{
this.peImage = peImage;
uint offset = peImage.rvaToOffset(peImage.Cor20Header.metadataDirectory.virtualAddress + peImage.Cor20Header.metadataDirectory.size);
if (!readCodeHeader(offset))
return false;
var metadataTables = peImage.Cor20Header.createMetadataTables();
var methodDefTable = metadataTables.getMetadataType(PE.MetadataIndex.iMethodDef);
if (methodDefTable.totalSize != codeHeader.methodDefElemSize)
return false;
var methodInfos = getMethodInfos(offset + 0x30 + codeHeader.totalCodeSize);
offset = methodDefTable.fileOffset - methodDefTable.totalSize;
foreach (var methodInfo in methodInfos) {
offset += methodDefTable.totalSize;
if (methodInfo.flags == 0 || methodInfo.codeOffs == 0)
continue;
uint rva = peImage.offsetReadUInt32(offset);
peImage.writeUint16(rva, (ushort)methodInfo.flags);
peImage.writeUint32(rva + 8, methodInfo.localVarSigTok);
}
dumpedMethods = new DumpedMethods();
offset = methodDefTable.fileOffset;
for (int i = 0; i < methodInfos.Count; i++, offset += methodDefTable.totalSize) {
var methodInfo = methodInfos[i];
if (methodInfo.codeOffs == 0)
continue;
var dm = new DumpedMethod();
dm.token = 0x06000001 + (uint)i;
uint rva = peImage.offsetReadUInt32(offset);
dm.mdImplFlags = peImage.offsetReadUInt16(offset + (uint)methodDefTable.fields[1].offset);
dm.mdFlags = peImage.offsetReadUInt16(offset + (uint)methodDefTable.fields[2].offset);
dm.mdName = peImage.offsetRead(offset + (uint)methodDefTable.fields[3].offset, methodDefTable.fields[3].size);
dm.mdSignature = peImage.offsetRead(offset + (uint)methodDefTable.fields[4].offset, methodDefTable.fields[4].size);
dm.mdParamList = peImage.offsetRead(offset + (uint)methodDefTable.fields[5].offset, methodDefTable.fields[5].size);
dm.code = decrypter.decrypt(methodInfo);
if ((peImage.readByte(rva) & 3) == 2) {
dm.mhFlags = 2;
dm.mhMaxStack = 8;
dm.mhCodeSize = (uint)dm.code.Length;
dm.mhLocalVarSigTok = 0;
}
else {
dm.mhFlags = peImage.readUInt16(rva);
dm.mhMaxStack = peImage.readUInt16(rva + 2);
dm.mhCodeSize = (uint)dm.code.Length;
dm.mhLocalVarSigTok = peImage.readUInt32(rva + 8);
}
dumpedMethods.add(dm);
}
return true;
}
DumpedMethods decryptMethods()
{
var dumpedMethods = new DumpedMethods();
var methodInfos = new MethodInfos(mainType, peImage, peHeader, mcKey);
methodInfos.initializeInfos();
var metadataTables = peImage.Cor20Header.createMetadataTables();
var methodDef = metadataTables.getMetadataType(MetadataIndex.iMethodDef);
uint methodDefOffset = methodDef.fileOffset;
for (int i = 0; i < methodDef.rows; i++, methodDefOffset += methodDef.totalSize) {
uint bodyRva = peImage.offsetReadUInt32(methodDefOffset);
if (bodyRva == 0)
continue;
var info = methodInfos.lookup(bodyRva);
if (info == null)
continue;
uint bodyOffset = peImage.rvaToOffset(bodyRva);
ushort magic = peImage.offsetReadUInt16(bodyOffset);
if (magic != 0xFFF3)
continue;
var dm = new DumpedMethod();
dm.token = (uint)(0x06000001 + i);
dm.mdImplFlags = peImage.offsetReadUInt16(methodDefOffset + (uint)methodDef.fields[1].offset);
dm.mdFlags = peImage.offsetReadUInt16(methodDefOffset + (uint)methodDef.fields[2].offset);
dm.mdName = peImage.offsetRead(methodDefOffset + (uint)methodDef.fields[3].offset, methodDef.fields[3].size);
dm.mdSignature = peImage.offsetRead(methodDefOffset + (uint)methodDef.fields[4].offset, methodDef.fields[4].size);
dm.mdParamList = peImage.offsetRead(methodDefOffset + (uint)methodDef.fields[5].offset, methodDef.fields[5].size);
var reader = new BinaryReader(new MemoryStream(info.body));
byte b = reader.ReadByte();
if ((b & 3) == 2) {
dm.mhFlags = 2;
dm.mhMaxStack = 8;
dm.mhCodeSize = (uint)(b >> 2);
dm.mhLocalVarSigTok = 0;
}
else {
reader.BaseStream.Position--;
dm.mhFlags = reader.ReadUInt16();
dm.mhMaxStack = reader.ReadUInt16();
dm.mhCodeSize = reader.ReadUInt32();
dm.mhLocalVarSigTok = reader.ReadUInt32();
uint codeOffset = (uint)(dm.mhFlags >> 12) * 4;
reader.BaseStream.Position += codeOffset - 12;
}
dm.code = reader.ReadBytes((int)dm.mhCodeSize);
if ((dm.mhFlags & 8) != 0) {
reader.BaseStream.Position = (reader.BaseStream.Position + 3) & ~3;
dm.extraSections = reader.ReadBytes((int)(reader.BaseStream.Length - reader.BaseStream.Position));
}
dumpedMethods.add(dm);
}
return dumpedMethods;
}
public bool decrypt(byte[] fileData, ref DumpedMethods dumpedMethods)
{
peImage = new PeImage(fileData);
peHeader = new PeHeader(mainType, peImage);
mcKey = new McKey(peImage, peHeader);
this.fileData = fileData;
dumpedMethods = decryptMethods();
if (dumpedMethods == null)
return false;
decryptResources();
decryptStrings();
return true;
}
public override bool getDecryptedModule(int count, ref byte[] newFileData, ref DumpedMethods dumpedMethods)
{
if (count != 0 || !mainType.Detected)
return false;
var fileData = DeobUtils.readModule(module);
decrypterInfo = new DecrypterInfo(mainType, fileData);
var methodsDecrypter = new MethodsDecrypter(decrypterInfo);
if (!methodsDecrypter.decrypt(ref dumpedMethods))
return false;
newFileData = fileData;
return true;
}
public override bool getDecryptedModule(ref byte[] newFileData, ref DumpedMethods dumpedMethods)
{
if (!mainType.Detected)
return false;
var fileDecrypter = new FileDecrypter(mainType);
var fileData = DeobUtils.readModule(module);
if (!fileDecrypter.decrypt(fileData, ref dumpedMethods))
return false;
newFileData = fileData;
return true;
}
public bool decrypt(byte[] fileData, ref DumpedMethods dumpedMethods)
{
var peImage = new PeImage(fileData);
var peHeader = new PeHeader(mainType, peImage);
var mcHeader = new McHeader(peImage, peHeader);
dumpedMethods = decryptMethods(peImage, peHeader, mcHeader);
if (dumpedMethods == null)
return false;
decryptResources(fileData, peImage, peHeader, mcHeader);
return true;
}