void decryptStrings(uint[] key) { var data = stringDataField.InitialValue; var encryptedData = new uint[data.Length / 4]; Buffer.BlockCopy(data, 0, encryptedData, 0, data.Length); DeobUtils.xxteaDecrypt(encryptedData, key); var decryptedData = new byte[data.Length]; Buffer.BlockCopy(encryptedData, 0, decryptedData, 0, data.Length); var inflated = DeobUtils.inflate(decryptedData, 0, decryptedData.Length, true); var reader = new BinaryReader(new MemoryStream(inflated)); int deflatedLength = DeobUtils.readVariableLengthInt32(reader); int numStrings = DeobUtils.readVariableLengthInt32(reader); decryptedStrings = new string[numStrings]; var offsets = new int[numStrings]; for (int i = 0; i < numStrings; i++) { offsets[i] = DeobUtils.readVariableLengthInt32(reader); } int startOffset = (int)reader.BaseStream.Position; for (int i = 0; i < numStrings; i++) { reader.BaseStream.Position = startOffset + offsets[i]; decryptedStrings[i] = reader.ReadString(); } }
void decryptStrings(uint[] key) { var data = stringDataField.InitialValue; var encryptedData = new uint[data.Length / 4]; Buffer.BlockCopy(data, 0, encryptedData, 0, data.Length); DeobUtils.xxteaDecrypt(encryptedData, key); var decryptedData = new byte[data.Length]; Buffer.BlockCopy(encryptedData, 0, decryptedData, 0, data.Length); var inflated = DeobUtils.inflate(decryptedData, 0, decryptedData.Length, true); var reader = MemoryImageStream.Create(inflated); int deflatedLength = (int)reader.ReadCompressedUInt32(); int numStrings = (int)reader.ReadCompressedUInt32(); decryptedStrings = new string[numStrings]; var offsets = new int[numStrings]; for (int i = 0; i < numStrings; i++) { offsets[i] = (int)reader.ReadCompressedUInt32(); } int startOffset = (int)reader.Position; for (int i = 0; i < numStrings; i++) { reader.Position = startOffset + offsets[i]; decryptedStrings[i] = reader.ReadString(); } }
public byte[] unpack() { if (peImage.PEImage.Win32Resources == null) { return(null); } var dataEntry = peImage.PEImage.Win32Resources.Find(10, "__", 0); if (dataEntry == null) { return(null); } var encryptedData = dataEntry.Data.ReadAllBytes(); var keyData = getKeyData(); if (keyData == null) { return(null); } var decrypter = new NativeFileDecrypter(keyData); decrypter.decrypt(encryptedData, 0, encryptedData.Length); byte[] inflatedData; if (isNet1x) { inflatedData = DeobUtils.inflate(encryptedData, false); } else { int inflatedSize = BitConverter.ToInt32(encryptedData, 0); inflatedData = new byte[inflatedSize]; var inflater = new Inflater(false); inflater.SetInput(encryptedData, 4, encryptedData.Length - 4); int count = inflater.Inflate(inflatedData); if (count != inflatedSize) { return(null); } } // CLR 1.x or DNR v4.0 - v4.4 if (BitConverter.ToInt16(inflatedData, 0) == 0x5A4D) { return(inflatedData); } // DNR v4.5 if (BitConverter.ToInt16(inflatedData, loaderHeaderSizeV45) == 0x5A4D) { return(unpackLoader(inflatedData)); } return(null); }
public override void initialize(byte[] methodsData) { var data = DeobUtils.inflate(methodsData, true); decryptKey = BitConverter.GetBytes(BitConverter.ToUInt32(data, 0)); var newMethodsData = new byte[data.Length - 4]; Array.Copy(data, 4, newMethodsData, 0, newMethodsData.Length); base.initialize(newMethodsData); }
protected static byte[] inflateIfNeeded(byte[] data, int start, int len) { if (BitConverter.ToInt16(data, start) != 0x5A4D) { return(DeobUtils.inflate(data, start, len, true)); } var data2 = new byte[len]; Array.Copy(data, start, data2, 0, data2.Length); return(data2); }
public byte[] decrypt(byte[] encryptedData) { int index = 0; byte[] key, iv; bool isCompressed = getKeyIv(getHeaderData(encryptedData, ref index), out key, out iv); var data = DeobUtils.desDecrypt(encryptedData, index, encryptedData.Length - index, key, iv); if (isCompressed) { data = DeobUtils.inflate(data, inflater); } return(data); }
public void initialize() { if (info.dataField == null) { return; } findOtherTypes(); var decompressed = DeobUtils.inflate(info.dataField.InitialValue, true); reader = new BinaryReader(new MemoryStream(decompressed)); info.dataField.FieldType = module.TypeSystem.Byte; info.dataField.InitialValue = new byte[1]; }
public byte[] decrypt(byte[] encryptedData) { byte[] key, iv; var reader = new BinaryReader(new MemoryStream(encryptedData)); bool isCompressed = getHeaderData(reader, out key, out iv); var data = DeobUtils.desDecrypt(encryptedData, (int)reader.BaseStream.Position, (int)(reader.BaseStream.Length - reader.BaseStream.Position), key, iv); if (isCompressed) { data = DeobUtils.inflate(data, true); } return(data); }
public void initialize() { if (info.dataField == null) { return; } findOtherTypes(); var decompressed = DeobUtils.inflate(info.dataField.InitialValue, true); reader = MemoryImageStream.Create(decompressed); info.dataField.FieldSig.Type = module.CorLibTypes.Byte; info.dataField.InitialValue = new byte[1]; info.dataField.RVA = 0; }
protected static byte[] decryptResource(byte[] data, int start, int len, int magic) { for (int i = start; i < start + len; i++) { data[i] ^= (byte)(i - start + magic); } if (BitConverter.ToInt16(data, start) != 0x5A4D) { return(DeobUtils.inflate(data, start, len, true)); } var data2 = new byte[len]; Array.Copy(data, start, data2, 0, data2.Length); return(data2); }
void findEmbeddedAssemblies() { var data = bundleData.Data.ReadAllBytes(); var doc = new XmlDocument(); bundleXmlFile.Data.Position = 0; doc.Load(XmlReader.Create(bundleXmlFile.Data.CreateStream())); var manifest = doc.DocumentElement; if (manifest.Name.ToLowerInvariant() != "manifest") { Logger.w("Could not find Manifest element"); return; } foreach (var tmp in manifest.ChildNodes) { var assemblyElem = tmp as XmlElement; if (assemblyElem == null) { continue; } if (assemblyElem.Name.ToLowerInvariant() != "assembly") { Logger.w("Unknown element: {0}", assemblyElem.Name); continue; } int offset = getAttributeValueInt32(assemblyElem, "offset"); if (offset < 0) { Logger.w("Could not find offset attribute"); continue; } var assemblyData = DeobUtils.inflate(data, offset, data.Length - offset, true); var mod = ModuleDefMD.Load(assemblyData); infos.Add(new AssemblyInfo(mod.Assembly.FullName, DeobUtils.getExtension(mod.Kind), assemblyData)); } }
IBinaryReader inflate(int length) { var data = reader.ReadRemainingBytes(); return(MemoryImageStream.Create(DeobUtils.inflate(data, true))); }
public ResourceInfo[] read() { if (reader.ReadUInt32() != 0xBEEFCACE) { throw new InvalidDataException("Invalid magic"); } if (reader.ReadUInt32() <= 0) { throw new InvalidDataException("Invalid number"); } reader.ReadUInt32(); resourceReader = reader.ReadString(); if (Utils.StartsWith(resourceReader, "System.Resources.ResourceReader", StringComparison.Ordinal)) { throw new InvalidDataException("Resource isn't encrypted"); } resourceSet = reader.ReadString(); if (reader.ReadByte() != 1) { throw new ApplicationException("Invalid version"); } int flags = reader.ReadByte(); if ((flags & 0xFC) != 0) { throw new ApplicationException("Invalid flags"); } bool inflateData = (flags & 1) != 0; bool encrypted = (flags & 2) != 0; int numResources = reader.ReadInt32(); if (numResources < 0) { throw new ApplicationException("Invalid number of resources"); } var infos = new ResourceInfo[numResources]; for (int i = 0; i < numResources; i++) { var resourceName = readResourceName(reader, encrypted); int offset = reader.ReadInt32(); byte resourceFlags = reader.ReadByte(); int resourceLength = (resourceFlags & 0x80) == 0 ? -1 : reader.ReadInt32(); infos[i] = new ResourceInfo(resourceName, resourceFlags, offset, resourceLength); } var dataReader = reader; if (encrypted) { var key = new uint[4]; key[0] = dataReader.ReadUInt32(); key[1] = dataReader.ReadUInt32(); int numDwords = dataReader.ReadInt32(); if (numDwords < 0 || numDwords >= 0x40000000) { throw new ApplicationException("Invalid number of encrypted dwords"); } var encryptedData = new uint[numDwords]; for (int i = 0; i < numDwords; i++) { encryptedData[i] = dataReader.ReadUInt32(); } key[2] = dataReader.ReadUInt32(); key[3] = dataReader.ReadUInt32(); DeobUtils.xxteaDecrypt(encryptedData, key); byte[] decryptedData = new byte[encryptedData.Length * 4]; Buffer.BlockCopy(encryptedData, 0, decryptedData, 0, decryptedData.Length); dataReader = MemoryImageStream.Create(decryptedData); } if (inflateData) { var data = dataReader.ReadRemainingBytes(); data = DeobUtils.inflate(data, true); dataReader = MemoryImageStream.Create(data); } foreach (var info in infos) { info.dataReader = dataReader; } return(infos); }
byte[] decompress(byte[] compressedData) { // First dword is sig: 0x9B728BC7 // Second dword is decompressed length return(DeobUtils.inflate(compressedData, 8, compressedData.Length - 8, true)); }
Stream inflate(int length) { var data = reader.ReadBytes((int)(reader.BaseStream.Length - reader.BaseStream.Position)); return(new MemoryStream(DeobUtils.inflate(data, true))); }
byte[] decrypt(byte[] encrypted) { var keyGenerator = new PasswordDeriveBytes(resourcePassword, Encoding.ASCII.GetBytes(resourceSalt)); return(DeobUtils.inflate(DeobUtils.aesDecrypt(encrypted, keyGenerator.GetBytes(32), keyGenerator.GetBytes(16)), false)); }
public byte[] unpack() { var resources = peImage.Resources; var dir = resources.getRoot(); if ((dir = dir.getDirectory(10)) == null) { return(null); } if ((dir = dir.getDirectory("__")) == null) { return(null); } var dataEntry = dir.getData(0); if (dataEntry == null) { return(null); } var encryptedData = peImage.readBytes(dataEntry.RVA, (int)dataEntry.Size); if (encryptedData.Length != dataEntry.Size) { return(null); } var keyData = getKeyData(); if (keyData == null) { return(null); } var decrypter = new NativeFileDecrypter(keyData); decrypter.decrypt(encryptedData, 0, encryptedData.Length); byte[] inflatedData; if (isNet1x) { inflatedData = DeobUtils.inflate(encryptedData, false); } else { int inflatedSize = BitConverter.ToInt32(encryptedData, 0); inflatedData = new byte[inflatedSize]; var inflater = new Inflater(false); inflater.SetInput(encryptedData, 4, encryptedData.Length - 4); int count = inflater.Inflate(inflatedData); if (count != inflatedSize) { return(null); } } if (BitConverter.ToInt16(inflatedData, 0) != 0x5A4D) { return(null); } return(inflatedData); }