void decryptStrings(uint[] key)
{
var data = stringDataField.InitialValue;
var encryptedData = new uint[data.Length / 4];
Buffer.BlockCopy(data, 0, encryptedData, 0, data.Length);
DeobUtils.xxteaDecrypt(encryptedData, key);
var decryptedData = new byte[data.Length];
Buffer.BlockCopy(encryptedData, 0, decryptedData, 0, data.Length);
var inflated = DeobUtils.inflate(decryptedData, 0, decryptedData.Length, true);
var reader = new BinaryReader(new MemoryStream(inflated));
int deflatedLength = DeobUtils.readVariableLengthInt32(reader);
int numStrings = DeobUtils.readVariableLengthInt32(reader);
decryptedStrings = new string[numStrings];
var offsets = new int[numStrings];
for (int i = 0; i < numStrings; i++)
{
offsets[i] = DeobUtils.readVariableLengthInt32(reader);
}
int startOffset = (int)reader.BaseStream.Position;
for (int i = 0; i < numStrings; i++)
{
reader.BaseStream.Position = startOffset + offsets[i];
decryptedStrings[i] = reader.ReadString();
}
}
void decryptStrings(uint[] key)
{
var data = stringDataField.InitialValue;
var encryptedData = new uint[data.Length / 4];
Buffer.BlockCopy(data, 0, encryptedData, 0, data.Length);
DeobUtils.xxteaDecrypt(encryptedData, key);
var decryptedData = new byte[data.Length];
Buffer.BlockCopy(encryptedData, 0, decryptedData, 0, data.Length);
var inflated = DeobUtils.inflate(decryptedData, 0, decryptedData.Length, true);
var reader = MemoryImageStream.Create(inflated);
int deflatedLength = (int)reader.ReadCompressedUInt32();
int numStrings = (int)reader.ReadCompressedUInt32();
decryptedStrings = new string[numStrings];
var offsets = new int[numStrings];
for (int i = 0; i < numStrings; i++)
{
offsets[i] = (int)reader.ReadCompressedUInt32();
}
int startOffset = (int)reader.Position;
for (int i = 0; i < numStrings; i++)
{
reader.Position = startOffset + offsets[i];
decryptedStrings[i] = reader.ReadString();
}
}
public byte[] unpack()
{
if (peImage.PEImage.Win32Resources == null)
{
return(null);
}
var dataEntry = peImage.PEImage.Win32Resources.Find(10, "__", 0);
if (dataEntry == null)
{
return(null);
}
var encryptedData = dataEntry.Data.ReadAllBytes();
var keyData = getKeyData();
if (keyData == null)
{
return(null);
}
var decrypter = new NativeFileDecrypter(keyData);
decrypter.decrypt(encryptedData, 0, encryptedData.Length);
byte[] inflatedData;
if (isNet1x)
{
inflatedData = DeobUtils.inflate(encryptedData, false);
}
else
{
int inflatedSize = BitConverter.ToInt32(encryptedData, 0);
inflatedData = new byte[inflatedSize];
var inflater = new Inflater(false);
inflater.SetInput(encryptedData, 4, encryptedData.Length - 4);
int count = inflater.Inflate(inflatedData);
if (count != inflatedSize)
{
return(null);
}
}
// CLR 1.x or DNR v4.0 - v4.4
if (BitConverter.ToInt16(inflatedData, 0) == 0x5A4D)
{
return(inflatedData);
}
// DNR v4.5
if (BitConverter.ToInt16(inflatedData, loaderHeaderSizeV45) == 0x5A4D)
{
return(unpackLoader(inflatedData));
}
return(null);
}
public override void initialize(byte[] methodsData)
{
var data = DeobUtils.inflate(methodsData, true);
decryptKey = BitConverter.GetBytes(BitConverter.ToUInt32(data, 0));
var newMethodsData = new byte[data.Length - 4];
Array.Copy(data, 4, newMethodsData, 0, newMethodsData.Length);
base.initialize(newMethodsData);
}
protected static byte[] inflateIfNeeded(byte[] data, int start, int len)
{
if (BitConverter.ToInt16(data, start) != 0x5A4D)
{
return(DeobUtils.inflate(data, start, len, true));
}
var data2 = new byte[len];
Array.Copy(data, start, data2, 0, data2.Length);
return(data2);
}
public byte[] decrypt(byte[] encryptedData)
{
int index = 0;
byte[] key, iv;
bool isCompressed = getKeyIv(getHeaderData(encryptedData, ref index), out key, out iv);
var data = DeobUtils.desDecrypt(encryptedData, index, encryptedData.Length - index, key, iv);
if (isCompressed)
{
data = DeobUtils.inflate(data, inflater);
}
return(data);
}
public void initialize()
{
if (info.dataField == null)
{
return;
}
findOtherTypes();
var decompressed = DeobUtils.inflate(info.dataField.InitialValue, true);
reader = new BinaryReader(new MemoryStream(decompressed));
info.dataField.FieldType = module.TypeSystem.Byte;
info.dataField.InitialValue = new byte[1];
}
public byte[] decrypt(byte[] encryptedData)
{
byte[] key, iv;
var reader = new BinaryReader(new MemoryStream(encryptedData));
bool isCompressed = getHeaderData(reader, out key, out iv);
var data = DeobUtils.desDecrypt(encryptedData,
(int)reader.BaseStream.Position,
(int)(reader.BaseStream.Length - reader.BaseStream.Position),
key, iv);
if (isCompressed)
{
data = DeobUtils.inflate(data, true);
}
return(data);
}
public void initialize()
{
if (info.dataField == null)
{
return;
}
findOtherTypes();
var decompressed = DeobUtils.inflate(info.dataField.InitialValue, true);
reader = MemoryImageStream.Create(decompressed);
info.dataField.FieldSig.Type = module.CorLibTypes.Byte;
info.dataField.InitialValue = new byte[1];
info.dataField.RVA = 0;
}
protected static byte[] decryptResource(byte[] data, int start, int len, int magic)
{
for (int i = start; i < start + len; i++)
{
data[i] ^= (byte)(i - start + magic);
}
if (BitConverter.ToInt16(data, start) != 0x5A4D)
{
return(DeobUtils.inflate(data, start, len, true));
}
var data2 = new byte[len];
Array.Copy(data, start, data2, 0, data2.Length);
return(data2);
}
void findEmbeddedAssemblies()
{
var data = bundleData.Data.ReadAllBytes();
var doc = new XmlDocument();
bundleXmlFile.Data.Position = 0;
doc.Load(XmlReader.Create(bundleXmlFile.Data.CreateStream()));
var manifest = doc.DocumentElement;
if (manifest.Name.ToLowerInvariant() != "manifest")
{
Logger.w("Could not find Manifest element");
return;
}
foreach (var tmp in manifest.ChildNodes)
{
var assemblyElem = tmp as XmlElement;
if (assemblyElem == null)
{
continue;
}
if (assemblyElem.Name.ToLowerInvariant() != "assembly")
{
Logger.w("Unknown element: {0}", assemblyElem.Name);
continue;
}
int offset = getAttributeValueInt32(assemblyElem, "offset");
if (offset < 0)
{
Logger.w("Could not find offset attribute");
continue;
}
var assemblyData = DeobUtils.inflate(data, offset, data.Length - offset, true);
var mod = ModuleDefMD.Load(assemblyData);
infos.Add(new AssemblyInfo(mod.Assembly.FullName, DeobUtils.getExtension(mod.Kind), assemblyData));
}
}
IBinaryReader inflate(int length)
{
var data = reader.ReadRemainingBytes();
return(MemoryImageStream.Create(DeobUtils.inflate(data, true)));
}
public ResourceInfo[] read()
{
if (reader.ReadUInt32() != 0xBEEFCACE)
{
throw new InvalidDataException("Invalid magic");
}
if (reader.ReadUInt32() <= 0)
{
throw new InvalidDataException("Invalid number");
}
reader.ReadUInt32();
resourceReader = reader.ReadString();
if (Utils.StartsWith(resourceReader, "System.Resources.ResourceReader", StringComparison.Ordinal))
{
throw new InvalidDataException("Resource isn't encrypted");
}
resourceSet = reader.ReadString();
if (reader.ReadByte() != 1)
{
throw new ApplicationException("Invalid version");
}
int flags = reader.ReadByte();
if ((flags & 0xFC) != 0)
{
throw new ApplicationException("Invalid flags");
}
bool inflateData = (flags & 1) != 0;
bool encrypted = (flags & 2) != 0;
int numResources = reader.ReadInt32();
if (numResources < 0)
{
throw new ApplicationException("Invalid number of resources");
}
var infos = new ResourceInfo[numResources];
for (int i = 0; i < numResources; i++)
{
var resourceName = readResourceName(reader, encrypted);
int offset = reader.ReadInt32();
byte resourceFlags = reader.ReadByte();
int resourceLength = (resourceFlags & 0x80) == 0 ? -1 : reader.ReadInt32();
infos[i] = new ResourceInfo(resourceName, resourceFlags, offset, resourceLength);
}
var dataReader = reader;
if (encrypted)
{
var key = new uint[4];
key[0] = dataReader.ReadUInt32();
key[1] = dataReader.ReadUInt32();
int numDwords = dataReader.ReadInt32();
if (numDwords < 0 || numDwords >= 0x40000000)
{
throw new ApplicationException("Invalid number of encrypted dwords");
}
var encryptedData = new uint[numDwords];
for (int i = 0; i < numDwords; i++)
{
encryptedData[i] = dataReader.ReadUInt32();
}
key[2] = dataReader.ReadUInt32();
key[3] = dataReader.ReadUInt32();
DeobUtils.xxteaDecrypt(encryptedData, key);
byte[] decryptedData = new byte[encryptedData.Length * 4];
Buffer.BlockCopy(encryptedData, 0, decryptedData, 0, decryptedData.Length);
dataReader = MemoryImageStream.Create(decryptedData);
}
if (inflateData)
{
var data = dataReader.ReadRemainingBytes();
data = DeobUtils.inflate(data, true);
dataReader = MemoryImageStream.Create(data);
}
foreach (var info in infos)
{
info.dataReader = dataReader;
}
return(infos);
}
byte[] decompress(byte[] compressedData)
{
// First dword is sig: 0x9B728BC7
// Second dword is decompressed length
return(DeobUtils.inflate(compressedData, 8, compressedData.Length - 8, true));
}
Stream inflate(int length)
{
var data = reader.ReadBytes((int)(reader.BaseStream.Length - reader.BaseStream.Position));
return(new MemoryStream(DeobUtils.inflate(data, true)));
}
byte[] decrypt(byte[] encrypted)
{
var keyGenerator = new PasswordDeriveBytes(resourcePassword, Encoding.ASCII.GetBytes(resourceSalt));
return(DeobUtils.inflate(DeobUtils.aesDecrypt(encrypted, keyGenerator.GetBytes(32), keyGenerator.GetBytes(16)), false));
}
public byte[] unpack()
{
var resources = peImage.Resources;
var dir = resources.getRoot();
if ((dir = dir.getDirectory(10)) == null)
{
return(null);
}
if ((dir = dir.getDirectory("__")) == null)
{
return(null);
}
var dataEntry = dir.getData(0);
if (dataEntry == null)
{
return(null);
}
var encryptedData = peImage.readBytes(dataEntry.RVA, (int)dataEntry.Size);
if (encryptedData.Length != dataEntry.Size)
{
return(null);
}
var keyData = getKeyData();
if (keyData == null)
{
return(null);
}
var decrypter = new NativeFileDecrypter(keyData);
decrypter.decrypt(encryptedData, 0, encryptedData.Length);
byte[] inflatedData;
if (isNet1x)
{
inflatedData = DeobUtils.inflate(encryptedData, false);
}
else
{
int inflatedSize = BitConverter.ToInt32(encryptedData, 0);
inflatedData = new byte[inflatedSize];
var inflater = new Inflater(false);
inflater.SetInput(encryptedData, 4, encryptedData.Length - 4);
int count = inflater.Inflate(inflatedData);
if (count != inflatedSize)
{
return(null);
}
}
if (BitConverter.ToInt16(inflatedData, 0) != 0x5A4D)
{
return(null);
}
return(inflatedData);
}
