DumpedMethods Decrypt(MyPEImage peImage, byte[] fileData, DecryptMethodData decrypter) { var dumpedMethods = new DumpedMethods(); var methodDef = peImage.MetaData.TablesStream.MethodTable; for (uint rid = 1; rid <= methodDef.Rows; rid++) { var dm = new DumpedMethod(); peImage.ReadMethodTableRowTo(dm, rid); if (dm.mdRVA == 0) { continue; } uint bodyOffset = peImage.RvaToOffset(dm.mdRVA); if (!IsEncryptedMethod(fileData, (int)bodyOffset)) { continue; } int key = BitConverter.ToInt32(fileData, (int)bodyOffset + 6); int mdOffs = BitConverter.ToInt32(fileData, (int)bodyOffset + 2) ^ key; int len = BitConverter.ToInt32(fileData, (int)bodyOffset + 11) ^ ~key; int methodDataOffset = mdOffs + 2; uint[] methodData; byte[] codeData; decrypter.Decrypt(methodsData, methodDataOffset, (uint)key, len, out methodData, out codeData); dm.mhFlags = 0x03; int maxStack = (int)methodData[methodDataIndexes.maxStack]; dm.mhMaxStack = (ushort)maxStack; dm.mhLocalVarSigTok = methodData[methodDataIndexes.localVarSigTok]; if (dm.mhLocalVarSigTok != 0 && dm.mhLocalVarSigTok >> 24 != 0x11) { throw new ApplicationException("Invalid local var sig token"); } int numExceptions = (int)methodData[methodDataIndexes.ehs]; uint options = methodData[methodDataIndexes.options]; int codeSize = (int)methodData[methodDataIndexes.codeSize]; var codeDataReader = MemoryImageStream.Create(codeData); if (decrypter.IsCodeFollowedByExtraSections(options)) { dm.code = codeDataReader.ReadBytes(codeSize); dm.extraSections = ReadExceptionHandlers(codeDataReader, numExceptions); } else { dm.extraSections = ReadExceptionHandlers(codeDataReader, numExceptions); dm.code = codeDataReader.ReadBytes(codeSize); } if (codeDataReader.Position != codeDataReader.Length) { throw new ApplicationException("Invalid method data"); } if (dm.extraSections != null) { dm.mhFlags |= 8; } dm.mhCodeSize = (uint)dm.code.Length; // Figure out if the original method was tiny or not. bool isTiny = dm.code.Length <= 0x3F && dm.mhLocalVarSigTok == 0 && dm.extraSections == null && dm.mhMaxStack == 8; if (isTiny) { dm.mhFlags |= 0x10; // Set 'init locals' } dm.mhFlags |= (ushort)(options & 0x10); // copy 'init locals' bit dumpedMethods.Add(dm); } return(dumpedMethods); }
DumpedMethods Decrypt(MyPEImage peImage, byte[] fileData, DecryptMethodData decrypter) { var dumpedMethods = new DumpedMethods(); var methodDef = peImage.MetaData.TablesStream.MethodTable; for (uint rid = 1; rid <= methodDef.Rows; rid++) { var dm = new DumpedMethod(); peImage.ReadMethodTableRowTo(dm, rid); if (dm.mdRVA == 0) continue; uint bodyOffset = peImage.RvaToOffset(dm.mdRVA); if (!IsEncryptedMethod(fileData, (int)bodyOffset)) continue; int key = BitConverter.ToInt32(fileData, (int)bodyOffset + 6); int mdOffs = BitConverter.ToInt32(fileData, (int)bodyOffset + 2) ^ key; int len = BitConverter.ToInt32(fileData, (int)bodyOffset + 11) ^ ~key; int methodDataOffset = mdOffs + 2; uint[] methodData; byte[] codeData; decrypter.Decrypt(methodsData, methodDataOffset, (uint)key, len, out methodData, out codeData); dm.mhFlags = 0x03; int maxStack = (int)methodData[methodDataIndexes.maxStack]; dm.mhMaxStack = (ushort)maxStack; dm.mhLocalVarSigTok = methodData[methodDataIndexes.localVarSigTok]; if (dm.mhLocalVarSigTok != 0 && (dm.mhLocalVarSigTok >> 24) != 0x11) throw new ApplicationException("Invalid local var sig token"); int numExceptions = (int)methodData[methodDataIndexes.ehs]; uint options = methodData[methodDataIndexes.options]; int codeSize = (int)methodData[methodDataIndexes.codeSize]; var codeDataReader = MemoryImageStream.Create(codeData); if (decrypter.IsCodeFollowedByExtraSections(options)) { dm.code = codeDataReader.ReadBytes(codeSize); dm.extraSections = ReadExceptionHandlers(codeDataReader, numExceptions); } else { dm.extraSections = ReadExceptionHandlers(codeDataReader, numExceptions); dm.code = codeDataReader.ReadBytes(codeSize); } if (codeDataReader.Position != codeDataReader.Length) throw new ApplicationException("Invalid method data"); if (dm.extraSections != null) dm.mhFlags |= 8; dm.mhCodeSize = (uint)dm.code.Length; // Figure out if the original method was tiny or not. bool isTiny = dm.code.Length <= 0x3F && dm.mhLocalVarSigTok == 0 && dm.extraSections == null && dm.mhMaxStack == 8; if (isTiny) dm.mhFlags |= 0x10; // Set 'init locals' dm.mhFlags |= (ushort)(options & 0x10); // copy 'init locals' bit dumpedMethods.Add(dm); } return dumpedMethods; }