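byte[] unpack2(MyPEImage peImage) {
    // Unpacks the "application mode" layout. The last 12 bytes of the image
    // are a trailer of three uint32s: the file offset of the encrypted main
    // assembly, the length of the ezencryption library blob, and the length
    // of the ini blob. The ini blob ends right where the trailer starts and
    // the library blob ends right where the ini blob starts. Every value used
    // below is read from the packed file and is therefore untrusted.
    //
    // Returns the decrypted (and memory-patched) main assembly, or null when
    // the image does not match this layout. Side effects: shouldUnpack is set
    // once the layout is recognized, sizes/filenames are populated, and each
    // satellite assembly is appended to satelliteAssemblies.
    //
    // Exceptions from checked() arithmetic, the decompressors, IniFile,
    // ModuleDefMD.Load and the decrypter are not caught here and propagate
    // to the caller.
    shouldUnpack = false;

    // Without this guard the uint subtraction below wraps on a tiny file and
    // the trailer is "read" from a huge bogus offset.
    if (peImage.Length < 12)
        return null;
    uint headerOffset = (uint)peImage.Length - 12;
    uint offsetEncryptedAssembly = checkOffset(peImage, peImage.offsetReadUInt32(headerOffset));
    uint ezencryptionLibLength = peImage.offsetReadUInt32(headerOffset + 4);
    uint iniFileLength = peImage.offsetReadUInt32(headerOffset + 8);

    // checked(): an over-large length or an under-sized offset throws instead
    // of wrapping around and pointing at some unrelated part of the file.
    uint offsetClrVersionNumber = checked(offsetEncryptedAssembly - 12);
    uint iniFileOffset = checked(headerOffset - iniFileLength);
    uint ezencryptionLibOffset = checked(iniFileOffset - ezencryptionLibLength);

    // Plausibility check on the CLR version triple stored just before the
    // encrypted assembly; an unlikely version means this is not our format.
    uint clrVerMajor = peImage.offsetReadUInt32(offsetClrVersionNumber);
    uint clrVerMinor = peImage.offsetReadUInt32(offsetClrVersionNumber + 4);
    uint clrVerBuild = peImage.offsetReadUInt32(offsetClrVersionNumber + 8);
    if (clrVerMajor <= 0 || clrVerMajor >= 20 || clrVerMinor >= 20 || clrVerBuild >= 1000000)
        return null;

    // The (int) casts on the two lengths are safe once the checked()
    // subtractions above have passed, as each length is then no larger than
    // an offset inside the file (assuming the image length fits in an int).
    var settings = new IniFile(decompress2(peImage.offsetReadBytes(iniFileOffset, (int)iniFileLength)));
    sizes = getSizes(settings["General_App_Satellite_Assemblies_Sizes"]);
    if (sizes == null || sizes.Length <= 1)
        return null;
    shouldUnpack = true;
    // Cross-check the ini's first entry against the trailer.
    if (sizes[0] != offsetEncryptedAssembly)
        return null;

    // A missing key would otherwise dereference null; treat it like any
    // other layout mismatch.
    var satelliteNames = settings["General_App_Satellite_Assemblies"];
    if (satelliteNames == null)
        return null;
    filenames = satelliteNames.Split('|');
    if (sizes.Length - 1 != filenames.Length)
        return null;

    // The embedded ezencryption library is parsed as a .NET module to
    // recover the key/IV; all of it is attacker-controlled input.
    byte[] ezencryptionLibData = decompress1(peImage.offsetReadBytes(ezencryptionLibOffset, (int)ezencryptionLibLength));
    var ezencryptionLibModule = ModuleDefMD.Load(ezencryptionLibData);
    var decrypter = new ApplicationModeDecrypter(ezencryptionLibModule);
    if (!decrypter.Detected)
        return null;

    var mainAssembly = unpackEmbeddedFile(peImage, 0, decrypter);
    decrypter.MemoryPatcher.patch(mainAssembly.data);
    for (int i = 1; i < filenames.Length; i++)
        satelliteAssemblies.Add(unpackEmbeddedFile(peImage, i, decrypter));
    clearDllBit(mainAssembly.data);
    return mainAssembly.data;
}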
void readCodeHeader(uint offset) {
    // Populates codeHeader from the on-disk layout starting at `offset`:
    //   +0x00  16-byte signature
    //   +0x10  16-byte decryption key
    //   +0x20  uint32 total code size
    //   +0x24  uint32 number of methods
    //   +0x28  uint32 method-def table offset
    //   +0x2C  uint32 method-def element size
    // No validation happens here; the raw values are stored as read, so
    // callers must not trust the sizes/offsets until they are range-checked.
    uint cursor = offset;
    codeHeader.signature = peImage.offsetReadBytes(cursor, 16);
    cursor += 16;
    codeHeader.decryptionKey = peImage.offsetReadBytes(cursor, 16);
    cursor += 16;
    codeHeader.totalCodeSize = peImage.offsetReadUInt32(cursor);
    cursor += 4;
    codeHeader.numMethods = peImage.offsetReadUInt32(cursor);
    cursor += 4;
    codeHeader.methodDefTableOffset = peImage.offsetReadUInt32(cursor);
    cursor += 4;
    codeHeader.methodDefElemSize = peImage.offsetReadUInt32(cursor);
}
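public override bool getDecryptedModule(int count, ref byte[] newFileData, ref DumpedMethods dumpedMethods) {
    // Recovers the original module from an MPRESS-packed image. The payload
    // lives in the last section, 16 bytes past its raw data pointer: either a
    // bare LZMAT stream (V0x), or a uint32 decompressed length followed by the
    // stream (V1x/V2.17/V2.18; 64-bit V2.18 keeps it at PointerToRawData +
    // VirtualSize instead). Only the first call (count == 0) on a recognized
    // version yields data; dumpedMethods is not touched.
    //
    // Returns true with the decompressed image in newFileData, false when
    // there is nothing to do. Throws ApplicationException when the payload
    // lies outside the file, its declared size is invalid, decompression
    // fails, or the version is unknown.
    if (count != 0 || version == Version.Unknown)
        return false;

    byte[] fileData = ModuleBytes ?? DeobUtils.readModule(module);
    byte[] decompressed;
    using (var peImage = new MyPEImage(fileData)) {
        // The section table comes from the untrusted file, so every offset
        // derived from it is bounded against the real file length before
        // any read or allocation.
        var section = peImage.Sections[peImage.Sections.Count - 1];
        var offset = section.PointerToRawData;
        offset += 16;
        byte[] compressed;
        int compressedLen;
        switch (version) {
        case Version.V0x:
            // Everything from the payload start to EOF is the LZMAT stream.
            long v0Available = (long)fileData.Length - offset;
            if (v0Available <= 0)
                throw new ApplicationException("MPRESS payload lies outside the file");
            compressedLen = (int)v0Available;
            compressed = peImage.offsetReadBytes(offset, compressedLen);
            decompressed = Lzmat.decompress_old(compressed);
            if (decompressed == null)
                throw new ApplicationException("LZMAT decompression failed");
            break;

        case Version.V1x_217:
        case Version.V218:
            // 64-bit V2.18 places the payload after the section's virtual size.
            // checked(): a forged header cannot wrap the sum around.
            if (peImage.PEImage.ImageNTHeaders.FileHeader.Machine == Machine.AMD64 && version == Version.V218)
                offset = checked(section.PointerToRawData + section.VirtualSize);
            long v1Available = (long)fileData.Length - offset - 4;
            if (v1Available <= 0)
                throw new ApplicationException("MPRESS payload lies outside the file");
            compressedLen = (int)v1Available;
            // The stored decompressed length sizes the output buffer. Values
            // above int.MaxValue would go negative in the cast and are
            // rejected; note that no tighter cap is applied, so a hostile
            // file can still demand an allocation of up to ~2 GiB.
            uint storedLen = peImage.offsetReadUInt32(offset);
            if (storedLen > int.MaxValue)
                throw new ApplicationException("MPRESS decompressed size is invalid");
            int decompressedLen = (int)storedLen;
            compressed = peImage.offsetReadBytes(offset + 4, compressedLen);
            decompressed = new byte[decompressedLen];
            uint decompressedLen2;
            if (Lzmat.decompress(decompressed, out decompressedLen2, compressed) != LzmatStatus.OK)
                throw new ApplicationException("LZMAT decompression failed");
            break;

        default:
            throw new ApplicationException("Unknown MPRESS version");
        }
    }
    newFileData = decompressed;
    return true;
}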
public static bool detect(MyPEImage peImage) {
    // Reports whether the image carries this protector's 16-byte code header
    // signature, probing the current header location first and the legacy
    // one second (a legacy offset of 0 means "absent"). Each probe runs under
    // its own catch-all on purpose: the offsets are computed from the file
    // itself and a read can fall outside the image, which here simply means
    // "not packed with this" rather than an error worth propagating.
    bool found = false;
    try {
        uint offset = getCodeHeaderOffset(peImage);
        found = isValidSignature(peImage.offsetReadBytes(offset, 16));
    }
    catch {
    }
    if (found)
        return true;

    try {
        uint oldOffset = getOldCodeHeaderOffset(peImage);
        if (oldOffset != 0)
            found = isValidSignature(peImage.offsetReadBytes(oldOffset, 16));
    }
    catch {
    }
    return found;
}
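UnpackedFile unpackEmbeddedFile(MyPEImage peImage, int index, ApplicationModeDecrypter decrypter) {
    // Extracts embedded file number `index`. sizes[0] is the file offset of
    // the first embedded file and sizes[k + 1] is the byte size of file k, so
    // file `index` starts at the running sum sizes[0..index]. Both sizes and
    // filenames come from the packed file's ini blob and are untrusted.
    //
    // checked(): a forged size table can neither wrap the running offset nor
    // turn the size negative in the int cast; an OverflowException surfaces
    // instead of a read from the wrong place in the image.
    uint offset = 0;
    for (int i = 0; i <= index; i++)
        offset = checked(offset + sizes[i]);
    int size = checked((int)sizes[index + 1]);

    // Only the file name part is kept; any directory components in the
    // stored name are dropped.
    string filename = Win32Path.GetFileName(filenames[index]);
    var data = peImage.offsetReadBytes(offset, size);
    // AES with the key/IV recovered from the ezencryption library, then decompress.
    data = DeobUtils.aesDecrypt(data, decrypter.AssemblyKey, decrypter.AssemblyIv);
    data = decompress(data);
    return new UnpackedFile(filename, data);
}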
byte[] getKeyData() {
    // Locates the decrypt routine at one of the known base offsets and derives
    // the key data from it. If no base offset matches, a second probe at the
    // fixed offset 0x207E0 looks for the .NET 1.x start method; that layout
    // uses a constant 6-byte key (ASCII "48cez5") and flags isNet1x.
    // Returns null when neither pattern is found. Any exception raised by
    // reading at an offset outside the image propagates to the caller.
    isNet1x = false;
    foreach (var baseOffset in baseOffsets) {
        byte[] candidate = peImage.offsetReadBytes(baseOffset, decryptMethodPattern.Length);
        if (!DeobUtils.isCode(decryptMethodPattern, candidate))
            continue;
        return getKeyData(baseOffset);
    }

    byte[] startMethod = peImage.offsetReadBytes(0x207E0, startMethodNet1xPattern.Length);
    if (!DeobUtils.isCode(startMethodNet1xPattern, startMethod))
        return null;
    isNet1x = true;
    // ASCII "48cez5"
    return new byte[] { 0x34, 0x38, 0x63, 0x65, 0x7A, 0x35 };
}
public PeHeader(MainType mainType, MyPEImage peImage) {
    // Locates the protector header in the image, selects the per-version key
    // constant (xorKey) and snapshots the first 0x1000 bytes of the header.
    // Only V6 uses a distinct key; every other version, including any value
    // getHeaderOffsetAndVersion returns that is not listed here, gets the
    // V1-V5 key. mainType is not used by this constructor.
    uint headerOffset;
    version = getHeaderOffsetAndVersion(peImage, out headerOffset);
    if (version == EncryptionVersion.V6)
        xorKey = 0x7ABA931;
    else
        xorKey = 0x7ABF931;
    // Read unconditionally; a bad offset is left to offsetReadBytes to reject.
    headerData = peImage.offsetReadBytes(headerOffset, 0x1000);
}
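byte[] readData(uint offset, int size) {
    // Reads `size` bytes at `offset`, taken relative to the start of the
    // encrypted data region (encryptedDataOffset). checked(): offsets that
    // reach this helper are parsed out of the protected file, so an
    // overflowing sum throws instead of silently wrapping to another part of
    // the image.
    var absolute = checked(encryptedDataOffset + offset);
    return peImage.offsetReadBytes(absolute, size);
}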
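UnpackedFile unpackEmbeddedFile(MyPEImage peImage, int index, ApplicationModeDecrypter decrypter) {
    // Extracts embedded file number `index`. sizes[0] is the file offset of
    // the first embedded file and sizes[k + 1] is the byte size of file k, so
    // file `index` starts at the running sum sizes[0..index]. Both sizes and
    // filenames come from the packed file's ini blob and are untrusted.
    //
    // checked(): a forged size table can neither wrap the running offset nor
    // turn the size negative in the int cast; an OverflowException surfaces
    // instead of a read from the wrong place in the image.
    uint offset = 0;
    for (int i = 0; i <= index; i++)
        offset = checked(offset + sizes[i]);
    int size = checked((int)sizes[index + 1]);

    // Only the file name part is kept; any directory components in the
    // stored name are dropped.
    string filename = Win32Path.GetFileName(filenames[index]);
    var data = peImage.offsetReadBytes(offset, size);
    // AES with the key/IV recovered from the ezencryption library, then decompress.
    data = DeobUtils.aesDecrypt(data, decrypter.AssemblyKey, decrypter.AssemblyIv);
    data = decompress(data);
    return new UnpackedFile(filename, data);
}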
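byte[] unpack2(MyPEImage peImage) {
    // Unpacks the "application mode" layout. The last 12 bytes of the image
    // are a trailer of three uint32s: the file offset of the encrypted main
    // assembly, the length of the ezencryption library blob, and the length
    // of the ini blob. The ini blob ends right where the trailer starts and
    // the library blob ends right where the ini blob starts. Every value used
    // below is read from the packed file and is therefore untrusted.
    //
    // Returns the decrypted (and memory-patched) main assembly, or null when
    // the image does not match this layout. Side effects: shouldUnpack is set
    // once the layout is recognized, sizes/filenames are populated, and each
    // satellite assembly is appended to satelliteAssemblies.
    //
    // Exceptions from checked() arithmetic, the decompressors, IniFile,
    // ModuleDefMD.Load and the decrypter are not caught here and propagate
    // to the caller.
    shouldUnpack = false;

    // Without this guard the uint subtraction below wraps on a tiny file and
    // the trailer is "read" from a huge bogus offset.
    if (peImage.Length < 12)
        return null;
    uint headerOffset = (uint)peImage.Length - 12;
    uint offsetEncryptedAssembly = checkOffset(peImage, peImage.offsetReadUInt32(headerOffset));
    uint ezencryptionLibLength = peImage.offsetReadUInt32(headerOffset + 4);
    uint iniFileLength = peImage.offsetReadUInt32(headerOffset + 8);

    // checked(): an over-large length or an under-sized offset throws instead
    // of wrapping around and pointing at some unrelated part of the file.
    uint offsetClrVersionNumber = checked(offsetEncryptedAssembly - 12);
    uint iniFileOffset = checked(headerOffset - iniFileLength);
    uint ezencryptionLibOffset = checked(iniFileOffset - ezencryptionLibLength);

    // Plausibility check on the CLR version triple stored just before the
    // encrypted assembly; an unlikely version means this is not our format.
    uint clrVerMajor = peImage.offsetReadUInt32(offsetClrVersionNumber);
    uint clrVerMinor = peImage.offsetReadUInt32(offsetClrVersionNumber + 4);
    uint clrVerBuild = peImage.offsetReadUInt32(offsetClrVersionNumber + 8);
    if (clrVerMajor <= 0 || clrVerMajor >= 20 || clrVerMinor >= 20 || clrVerBuild >= 1000000)
        return null;

    // The (int) casts on the two lengths are safe once the checked()
    // subtractions above have passed, as each length is then no larger than
    // an offset inside the file (assuming the image length fits in an int).
    var settings = new IniFile(decompress2(peImage.offsetReadBytes(iniFileOffset, (int)iniFileLength)));
    sizes = getSizes(settings["General_App_Satellite_Assemblies_Sizes"]);
    if (sizes == null || sizes.Length <= 1)
        return null;
    shouldUnpack = true;
    // Cross-check the ini's first entry against the trailer.
    if (sizes[0] != offsetEncryptedAssembly)
        return null;

    // A missing key would otherwise dereference null; treat it like any
    // other layout mismatch.
    var satelliteNames = settings["General_App_Satellite_Assemblies"];
    if (satelliteNames == null)
        return null;
    filenames = satelliteNames.Split('|');
    if (sizes.Length - 1 != filenames.Length)
        return null;

    // The embedded ezencryption library is parsed as a .NET module to
    // recover the key/IV; all of it is attacker-controlled input.
    byte[] ezencryptionLibData = decompress1(peImage.offsetReadBytes(ezencryptionLibOffset, (int)ezencryptionLibLength));
    var ezencryptionLibModule = ModuleDefMD.Load(ezencryptionLibData);
    var decrypter = new ApplicationModeDecrypter(ezencryptionLibModule);
    if (!decrypter.Detected)
        return null;

    var mainAssembly = unpackEmbeddedFile(peImage, 0, decrypter);
    decrypter.MemoryPatcher.patch(mainAssembly.data);
    for (int i = 1; i < filenames.Length; i++)
        satelliteAssemblies.Add(unpackEmbeddedFile(peImage, i, decrypter));
    clearDllBit(mainAssembly.data);
    return mainAssembly.data;
}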
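public override bool getDecryptedModule(int count, ref byte[] newFileData, ref DumpedMethods dumpedMethods) {
    // Recovers the original module from an MPRESS-packed image. The payload
    // lives in the last section, 16 bytes past its raw data pointer: either a
    // bare LZMAT stream (V0x), or a uint32 decompressed length followed by the
    // stream (V1x/V2.17/V2.18; 64-bit V2.18 keeps it at PointerToRawData +
    // VirtualSize instead). Only the first call (count == 0) on a recognized
    // version yields data; dumpedMethods is not touched.
    //
    // Returns true with the decompressed image in newFileData, false when
    // there is nothing to do. Throws ApplicationException when the payload
    // lies outside the file, its declared size is invalid, decompression
    // fails, or the version is unknown.
    if (count != 0 || version == Version.Unknown)
        return false;

    byte[] fileData = ModuleBytes ?? DeobUtils.readModule(module);
    byte[] decompressed;
    using (var peImage = new MyPEImage(fileData)) {
        // The section table comes from the untrusted file, so every offset
        // derived from it is bounded against the real file length before
        // any read or allocation.
        var section = peImage.Sections[peImage.Sections.Count - 1];
        var offset = section.PointerToRawData;
        offset += 16;
        byte[] compressed;
        int compressedLen;
        switch (version) {
        case Version.V0x:
            // Everything from the payload start to EOF is the LZMAT stream.
            long v0Available = (long)fileData.Length - offset;
            if (v0Available <= 0)
                throw new ApplicationException("MPRESS payload lies outside the file");
            compressedLen = (int)v0Available;
            compressed = peImage.offsetReadBytes(offset, compressedLen);
            decompressed = Lzmat.decompress_old(compressed);
            if (decompressed == null)
                throw new ApplicationException("LZMAT decompression failed");
            break;

        case Version.V1x_217:
        case Version.V218:
            // 64-bit V2.18 places the payload after the section's virtual size.
            // checked(): a forged header cannot wrap the sum around.
            if (peImage.PEImage.ImageNTHeaders.FileHeader.Machine == Machine.AMD64 && version == Version.V218)
                offset = checked(section.PointerToRawData + section.VirtualSize);
            long v1Available = (long)fileData.Length - offset - 4;
            if (v1Available <= 0)
                throw new ApplicationException("MPRESS payload lies outside the file");
            compressedLen = (int)v1Available;
            // The stored decompressed length sizes the output buffer. Values
            // above int.MaxValue would go negative in the cast and are
            // rejected; note that no tighter cap is applied, so a hostile
            // file can still demand an allocation of up to ~2 GiB.
            uint storedLen = peImage.offsetReadUInt32(offset);
            if (storedLen > int.MaxValue)
                throw new ApplicationException("MPRESS decompressed size is invalid");
            int decompressedLen = (int)storedLen;
            compressed = peImage.offsetReadBytes(offset + 4, compressedLen);
            decompressed = new byte[decompressedLen];
            uint decompressedLen2;
            if (Lzmat.decompress(decompressed, out decompressedLen2, compressed) != LzmatStatus.OK)
                throw new ApplicationException("LZMAT decompression failed");
            break;

        default:
            throw new ApplicationException("Unknown MPRESS version");
        }
    }
    newFileData = decompressed;
    return true;
}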
public static bool detect(MyPEImage peImage) {
    // Reports whether the image carries this protector's 16-byte code header
    // signature, probing the current header location first and the legacy
    // one second (a legacy offset of 0 means "absent"). Each probe runs under
    // its own catch-all on purpose: the offsets are computed from the file
    // itself and a read can fall outside the image, which here simply means
    // "not packed with this" rather than an error worth propagating.
    bool found = false;
    try {
        uint offset = getCodeHeaderOffset(peImage);
        found = isValidSignature(peImage.offsetReadBytes(offset, 16));
    }
    catch {
    }
    if (found)
        return true;

    try {
        uint oldOffset = getOldCodeHeaderOffset(peImage);
        if (oldOffset != 0)
            found = isValidSignature(peImage.offsetReadBytes(oldOffset, 16));
    }
    catch {
    }
    return found;
}