public override bool getDecryptedModule(int count, ref byte[] newFileData, ref DumpedMethods dumpedMethods) { if (count != 0) { return(false); } fileData = ModuleBytes ?? DeobUtils.readModule(module); peImage = new PeImage(fileData); if (!options.DecryptMethods) { return(false); } var tokenToNativeCode = new Dictionary <uint, byte[]>(); if (!methodsDecrypter.decrypt(peImage, DeobfuscatedFile, ref dumpedMethods, tokenToNativeCode)) { return(false); } if (options.DumpNativeMethods) { using (var fileStream = new FileStream(module.FullyQualifiedName + ".native", FileMode.Create, FileAccess.Write, FileShare.Read)) { var sortedTokens = new List <uint>(tokenToNativeCode.Keys); sortedTokens.Sort(); var writer = new BinaryWriter(fileStream); var nops = new byte[] { 0x90, 0x90, 0x90, 0x90 }; foreach (var token in sortedTokens) { writer.Write((byte)0xB8); writer.Write(token); writer.Write(tokenToNativeCode[token]); writer.Write(nops); } } } newFileData = fileData; return(true); }
public override bool getDecryptedModule(int count, ref byte[] newFileData, ref DumpedMethods dumpedMethods) { if (count != 0) { return(false); } fileData = ModuleBytes ?? DeobUtils.readModule(module); peImage = new MyPEImage(fileData); if (!options.DecryptMethods) { return(false); } var tokenToNativeCode = new Dictionary <uint, byte[]>(); if (!methodsDecrypter.decrypt(peImage, DeobfuscatedFile, ref dumpedMethods, tokenToNativeCode, unpackedNativeFile)) { return(false); } newFileData = fileData; return(true); }