public PeHeader(MainType mainType, MyPEImage peImage) {
version = GetHeaderOffsetAndVersion(peImage, out uint headerOffset);
headerData = peImage.OffsetReadBytes(headerOffset, 0x1000);
// MC uses 4-byte xorKey, 2 Hex for 1 Byte
GuessXorKey(false, peImage, 4);
switch (version) {
case EncryptionVersion.V1:
case EncryptionVersion.V2:
case EncryptionVersion.V3:
case EncryptionVersion.V4:
case EncryptionVersion.V5:
default:
xorKey = 0x7ABF931;
break;
case EncryptionVersion.V6:
xorKey = 0x7ABA931;
break;
case EncryptionVersion.V7:
xorKey = 0x8ABA931;
break;
case EncryptionVersion.V8:
if (CheckMcKeyRva(peImage, 0x99BA9A13))
break;
if (CheckMcKeyRva(peImage, 0x18ABA931))
break;
if (CheckMcKeyRva(peImage, 0x18ABA933))
break;
break;
}
}
public MainType(ModuleDefinition module, MainType oldOne)
{
this.module = module;
this.mcType = lookup(oldOne.mcType, "Could not find main type");
this.mcModule1 = DeobUtils.lookup(module, oldOne.mcModule1, "Could not find MC runtime module ref #1");
this.mcModule2 = DeobUtils.lookup(module, oldOne.mcModule2, "Could not find MC runtime module ref #2");
}
public PeHeader(MainType mainType, PeImage peImage)
{
uint headerOffset;
version = getHeaderOffsetAndVersion(peImage, out headerOffset);
headerData = peImage.offsetReadBytes(headerOffset, 0x1000);
}
public DecrypterInfo(MainType mainType, byte[] fileData)
{
this.mainType = mainType;
peImage = new MyPEImage(fileData);
peHeader = new PeHeader(mainType, peImage);
mcKey = new McKey(peImage, peHeader);
this.fileData = fileData;
}
public PeHeader(MainType mainType, PeImage peImage)
{
headerData = getPeHeaderData(peImage);
if (!mainType.IsOld && peImage.readUInt32(0x2008) != 0x48)
{
rvaDispl1 = readUInt32(0x0FB0) ^ XOR_KEY;
rvaDispl2 = readUInt32(0x0FB4) ^ XOR_KEY;
}
}
public MethodInfos(MainType mainType, PeImage peImage, PeHeader peHeader, McKey mcKey)
{
this.mainType = mainType;
this.peImage = peImage;
this.peHeader = peHeader;
this.mcKey = mcKey;
structSize = getStructSize(mcKey);
uint methodInfosRva = peHeader.getRva2(0x0FF8, mcKey.readUInt32(0x005A));
uint encryptedDataRva = peHeader.getRva2(0x0FF0, mcKey.readUInt32(0x0046));
methodInfosOffset = peImage.rvaToOffset(methodInfosRva);
encryptedDataOffset = peImage.rvaToOffset(encryptedDataRva);
}
public MethodInfos(ModuleDef module, MainType mainType, MyPEImage peImage, PeHeader peHeader, McKey mcKey)
{
this.module = module;
this.mainType = mainType;
this.peImage = peImage;
this.peHeader = peHeader;
this.mcKey = mcKey;
structSize = GetStructSize(mcKey);
uint methodInfosRva = peHeader.GetRva(0x0FF8, mcKey.ReadUInt32(0x005A));
uint encryptedDataRva = peHeader.GetRva(0x0FF0, mcKey.ReadUInt32(0x0046));
methodInfosOffset = peImage.RvaToOffset(methodInfosRva);
encryptedDataOffset = peImage.RvaToOffset(encryptedDataRva);
}
public PeHeader(MainType mainType, MyPEImage peImage)
{
uint headerOffset;
version = GetHeaderOffsetAndVersion(peImage, out headerOffset);
headerData = peImage.OffsetReadBytes(headerOffset, 0x1000);
switch (version)
{
case EncryptionVersion.V1:
case EncryptionVersion.V2:
case EncryptionVersion.V3:
case EncryptionVersion.V4:
case EncryptionVersion.V5:
default:
xorKey = 0x7ABF931;
break;
case EncryptionVersion.V6:
xorKey = 0x7ABA931;
break;
case EncryptionVersion.V7:
xorKey = 0x8ABA931;
break;
case EncryptionVersion.V8:
if (CheckMcKeyRva(peImage, 0x99BA9A13))
{
break;
}
if (CheckMcKeyRva(peImage, 0x18ABA931))
{
break;
}
if (CheckMcKeyRva(peImage, 0x18ABA933))
{
break;
}
break;
}
}
public MethodInfos(MainType mainType, PeImage peImage, PeHeader peHeader, McKey mcKey)
{
this.mainType = mainType;
this.peImage = peImage;
this.peHeader = peHeader;
this.mcKey = mcKey;
decryptHandlersV1 = new Decrypt[] { decrypt1a, decrypt4a, decrypt2a, decrypt3a, decrypt5, decrypt6, decrypt7 };
decryptHandlersV2 = new Decrypt[] { decrypt3a, decrypt2a, decrypt1a, decrypt4a, decrypt5, decrypt6, decrypt7 };
decryptHandlersV3 = new Decrypt[] { decrypt1a, decrypt2a, decrypt3a, decrypt4a, decrypt5, decrypt6, decrypt7 };
decryptHandlersV4 = new Decrypt[] { decrypt2a, decrypt1a, decrypt3a, decrypt4a, decrypt5, decrypt6, decrypt7 };
decryptHandlersV5a = new Decrypt[] { decrypt4a, decrypt2a, decrypt3a, decrypt1a, decrypt5, decrypt6, decrypt7 };
decryptHandlersV5b = new Decrypt[] { decrypt4b, decrypt2b, decrypt3b, decrypt1b, decrypt6, decrypt7, decrypt5 };
decryptHandlersV5c = new Decrypt[] { decrypt4c, decrypt2c, decrypt3c, decrypt1c, decrypt6, decrypt7, decrypt5 };
structSize = getStructSize(mcKey);
uint methodInfosRva = peHeader.getRva(0x0FF8, mcKey.readUInt32(0x005A));
uint encryptedDataRva = peHeader.getRva(0x0FF0, mcKey.readUInt32(0x0046));
methodInfosOffset = peImage.rvaToOffset(methodInfosRva);
encryptedDataOffset = peImage.rvaToOffset(encryptedDataRva);
}
public PeHeader(MainType mainType, MyPEImage peImage)
{
uint headerOffset;
version = getHeaderOffsetAndVersion(peImage, out headerOffset);
switch (version)
{
case EncryptionVersion.V1:
case EncryptionVersion.V2:
case EncryptionVersion.V3:
case EncryptionVersion.V4:
case EncryptionVersion.V5:
default:
xorKey = 0x7ABF931;
break;
case EncryptionVersion.V6:
xorKey = 0x7ABA931;
break;
}
headerData = peImage.offsetReadBytes(headerOffset, 0x1000);
}
protected override void scanForObfuscator()
{
mainType = new MainType(module);
mainType.find();
}
public FileDecrypter(MainType mainType)
{
this.mainType = mainType;
}
public MainType(ModuleDefMD module, MainType oldOne)
{
this.module = module;
this.mcType = Lookup(oldOne.mcType, "Could not find main type");
}
protected override void ScanForObfuscator()
{
mainType = new MainType(Module);
mainType.Find();
}
