Exemplo n.º 1
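        /// <summary>
        /// Parses the 12-byte trailer at the end of <c>peImage</c>, validates the values it
        /// points to, and extracts the embedded main assembly and satellite assemblies.
        /// </summary>
        /// <remarks>
        /// Every offset, length and file name handled here is read from the file being analysed
        /// and must be treated as untrusted. Offset arithmetic and narrowing casts run in a
        /// checked context, so a malformed value raises <see cref="System.OverflowException"/>
        /// (as the existing checked subtractions already do) instead of wrapping around to an
        /// unrelated offset or a negative length.
        /// </remarks>
        /// <returns>
        /// The main assembly bytes after patching, or <c>null</c> when a validation step fails.
        /// </returns>
        byte[] unpack2()
        {
            shouldUnpack = false;

            // The last 12 bytes of the image hold three 32-bit values. The subtraction is
            // checked so an image shorter than 12 bytes cannot wrap to a huge offset.
            uint headerOffset            = checked (peImage.ImageLength - 12);
            uint offsetEncryptedAssembly = checkOffset(peImage.offsetReadUInt32(headerOffset));
            uint ezencryptionLibLength   = peImage.offsetReadUInt32(headerOffset + 4);
            uint iniFileLength           = peImage.offsetReadUInt32(headerOffset + 8);

            // Layout implied by the subtractions: a 12-byte CLR version triple sits directly
            // before the encrypted assembly, and the tail of the image is
            // [ezencryption lib][ini file][12-byte trailer].
            uint offsetClrVersionNumber = checked (offsetEncryptedAssembly - 12);
            uint iniFileOffset          = checked (headerOffset - iniFileLength);
            uint ezencryptionLibOffset  = checked (iniFileOffset - ezencryptionLibLength);

            uint clrVerMajor = peImage.offsetReadUInt32(offsetClrVersionNumber);
            uint clrVerMinor = peImage.offsetReadUInt32(offsetClrVersionNumber + 4);
            uint clrVerBuild = peImage.offsetReadUInt32(offsetClrVersionNumber + 8);

            // Plausibility check on the version triple; out-of-range values mean the trailer
            // was not what this method expects.
            if (clrVerMajor <= 0 || clrVerMajor >= 20 || clrVerMinor >= 20 || clrVerBuild >= 1000000)
            {
                return(null);
            }

            // checked cast: a length above int.MaxValue must not become a negative byte count.
            int iniFileByteCount = checked ((int)iniFileLength);
            var settings = new IniFile(decompress2(peImage.offsetReadBytes(iniFileOffset, iniFileByteCount)));

            sizes = getSizes(settings["General_App_Satellite_Assemblies_Sizes"]);
            if (sizes == null || sizes.Length <= 1)
            {
                return(null);
            }

            // The flag is raised as soon as a sizes table with at least two entries was parsed;
            // the later validation failures still return null but leave it set.
            shouldUnpack = true;

            // sizes[0] must agree with the offset recorded in the trailer.
            if (sizes[0] != offsetEncryptedAssembly)
            {
                return(null);
            }

            // NOTE(review): what the IniFile indexer returns for a missing key is not visible
            // here; confirm it cannot be null before Split is called.
            filenames = settings["General_App_Satellite_Assemblies"].Split('|');

            // One size entry per file name, plus the leading offset entry. This also keeps
            // sizes[index + 1] in range for every index passed to unpackEmbeddedFile below.
            if (sizes.Length - 1 != filenames.Length)
            {
                return(null);
            }

            int    ezencryptionLibByteCount = checked ((int)ezencryptionLibLength);
            byte[] ezencryptionLibData      = decompress1(peImage.offsetReadBytes(ezencryptionLibOffset, ezencryptionLibByteCount));

            // NOTE(review): the helper library bytes come from the analysed file; presumably
            // ReadModule only parses metadata and executes nothing - confirm.
            var ezencryptionLibModule = ModuleDefinition.ReadModule(new MemoryStream(ezencryptionLibData));
            var decrypter             = new ApplicationModeDecrypter(ezencryptionLibModule);

            if (!decrypter.Detected)
            {
                return(null);
            }

            // Index 0 is the main assembly; indexes 1..n-1 are the satellite assemblies.
            var mainAssembly = unpackEmbeddedFile(0, decrypter);

            decrypter.MemoryPatcher.patch(mainAssembly.data);
            for (int i = 1; i < filenames.Length; i++)
            {
                satelliteAssemblies.Add(unpackEmbeddedFile(i, decrypter));
            }

            // NOTE(review): presumably clears the DLL flag in the PE header of the main
            // assembly - confirm against clearDllBit.
            clearDllBit(mainAssembly.data);
            return(mainAssembly.data);
        }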
Exemplo n.º 2
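        /// <summary>
        /// Reads the embedded file at <paramref name="index"/> from <c>peImage</c>, AES-decrypts
        /// it with the key and IV held by <paramref name="decrypter"/>, and decompresses it.
        /// </summary>
        /// <remarks>
        /// The file starts at the sum of <c>sizes[0..index]</c> and is <c>sizes[index + 1]</c>
        /// bytes long. <c>sizes</c> and <c>filenames</c> are instance fields filled from the
        /// analysed file's settings, so they are untrusted: the offset sum and the length cast
        /// are checked and raise <see cref="System.OverflowException"/> rather than wrapping.
        /// </remarks>
        /// <param name="index">Zero-based index into <c>filenames</c>.</param>
        /// <param name="decrypter">Supplies <c>AssemblyKey</c> and <c>AssemblyIv</c>.</param>
        /// <returns>The bare file name together with the decrypted, decompressed bytes.</returns>
        UnpackedFile unpackEmbeddedFile(int index, ApplicationModeDecrypter decrypter)
        {
            uint offset = 0;

            for (int i = 0; i <= index; i++)
            {
                // A crafted size table must not wrap the 32-bit offset back into the image.
                checked { offset += sizes[i]; }
            }

            // A size above int.MaxValue must not turn into a negative byte count.
            int length = checked ((int)sizes[index + 1]);

            // Only the final path component of the embedded name is kept.
            // NOTE(review): presumably this stops a name such as "..\x" from steering where the
            // caller writes the file - confirm Win32Path.GetFileName handles both separators.
            string filename = Win32Path.GetFileName(filenames[index]);
            var    data     = peImage.offsetReadBytes(offset, length);

            data = DeobUtils.aesDecrypt(data, decrypter.AssemblyKey, decrypter.AssemblyIv);
            data = decompress(data);
            return(new UnpackedFile(filename, data));
        }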
Exemplo n.º 3
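		/// <summary>
		/// Reads the embedded file at <paramref name="index"/> from <paramref name="peImage"/>,
		/// AES-decrypts it with the key and IV held by <paramref name="decrypter"/>, and
		/// decompresses it.
		/// </summary>
		/// <remarks>
		/// The file starts at the sum of <c>sizes[0..index]</c> and is <c>sizes[index + 1]</c>
		/// bytes long. <c>sizes</c> and <c>filenames</c> are instance fields filled from the
		/// analysed file's settings, so they are untrusted: the offset sum and the length cast
		/// are checked and raise <see cref="System.OverflowException"/> rather than wrapping.
		/// </remarks>
		/// <param name="peImage">Image the embedded data is read from.</param>
		/// <param name="index">Zero-based index into <c>filenames</c>.</param>
		/// <param name="decrypter">Supplies <c>AssemblyKey</c> and <c>AssemblyIv</c>.</param>
		/// <returns>The bare file name together with the decrypted, decompressed bytes.</returns>
		UnpackedFile UnpackEmbeddedFile(MyPEImage peImage, int index, ApplicationModeDecrypter decrypter) {
			uint offset = 0;
			for (int i = 0; i <= index; i++) {
				// A crafted size table must not wrap the 32-bit offset back into the image.
				checked { offset += sizes[i]; }
			}

			// A size above int.MaxValue must not turn into a negative byte count.
			int length = checked((int)sizes[index + 1]);

			// Only the final path component of the embedded name is kept.
			// NOTE(review): presumably this stops a name such as "..\x" from steering where the
			// caller writes the file - confirm Win32Path.GetFileName handles both separators.
			string filename = Win32Path.GetFileName(filenames[index]);

			var data = peImage.OffsetReadBytes(offset, length);
			data = DeobUtils.AesDecrypt(data, decrypter.AssemblyKey, decrypter.AssemblyIv);
			data = Decompress(data);
			return new UnpackedFile(filename, data);
		}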
Exemplo n.º 4
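		/// <summary>
		/// Parses the 12-byte trailer at the end of <paramref name="peImage"/>, validates the
		/// values it points to, and extracts the embedded main assembly and satellite assemblies.
		/// </summary>
		/// <remarks>
		/// Every offset, length and file name handled here is read from the file being analysed
		/// and must be treated as untrusted. Offset arithmetic and narrowing casts run in a
		/// checked context, so a malformed value raises <see cref="System.OverflowException"/>
		/// (as the existing checked subtractions already do) instead of wrapping around to an
		/// unrelated offset or a negative length.
		/// </remarks>
		/// <param name="peImage">Image of the file being unpacked.</param>
		/// <returns>
		/// The main assembly bytes after patching, or <c>null</c> when a validation step fails.
		/// </returns>
		byte[] Unpack2(MyPEImage peImage) {
			shouldUnpack = false;

			// The last 12 bytes of the image hold three 32-bit values. Cast and subtraction are
			// checked so an oversized length or an image shorter than 12 bytes cannot wrap.
			uint headerOffset = checked((uint)peImage.Length - 12);
			uint offsetEncryptedAssembly = CheckOffset(peImage, peImage.OffsetReadUInt32(headerOffset));
			uint ezencryptionLibLength = peImage.OffsetReadUInt32(headerOffset + 4);
			uint iniFileLength = peImage.OffsetReadUInt32(headerOffset + 8);

			// Layout implied by the subtractions: a 12-byte CLR version triple sits directly
			// before the encrypted assembly, and the tail of the image is
			// [ezencryption lib][ini file][12-byte trailer].
			uint offsetClrVersionNumber = checked(offsetEncryptedAssembly - 12);
			uint iniFileOffset = checked(headerOffset - iniFileLength);
			uint ezencryptionLibOffset = checked(iniFileOffset - ezencryptionLibLength);

			uint clrVerMajor = peImage.OffsetReadUInt32(offsetClrVersionNumber);
			uint clrVerMinor = peImage.OffsetReadUInt32(offsetClrVersionNumber + 4);
			uint clrVerBuild = peImage.OffsetReadUInt32(offsetClrVersionNumber + 8);
			// Plausibility check on the version triple; out-of-range values mean the trailer
			// was not what this method expects.
			if (clrVerMajor <= 0 || clrVerMajor >= 20 || clrVerMinor >= 20 || clrVerBuild >= 1000000)
				return null;

			// checked cast: a length above int.MaxValue must not become a negative byte count.
			int iniFileByteCount = checked((int)iniFileLength);
			var settings = new IniFile(Decompress2(peImage.OffsetReadBytes(iniFileOffset, iniFileByteCount)));
			sizes = GetSizes(settings["General_App_Satellite_Assemblies_Sizes"]);
			if (sizes == null || sizes.Length <= 1)
				return null;

			// The flag is raised as soon as a sizes table with at least two entries was parsed;
			// the later validation failures still return null but leave it set.
			shouldUnpack = true;

			// sizes[0] must agree with the offset recorded in the trailer.
			if (sizes[0] != offsetEncryptedAssembly)
				return null;

			// NOTE(review): what the IniFile indexer returns for a missing key is not visible
			// here; confirm it cannot be null before Split is called.
			filenames = settings["General_App_Satellite_Assemblies"].Split('|');

			// One size entry per file name, plus the leading offset entry. This also keeps
			// sizes[index + 1] in range for every index passed to UnpackEmbeddedFile below.
			if (sizes.Length - 1 != filenames.Length)
				return null;

			int ezencryptionLibByteCount = checked((int)ezencryptionLibLength);
			byte[] ezencryptionLibData = Decompress1(peImage.OffsetReadBytes(ezencryptionLibOffset, ezencryptionLibByteCount));

			// NOTE(review): the helper library bytes come from the analysed file; presumably
			// ModuleDefMD.Load only parses metadata and executes nothing - confirm.
			var ezencryptionLibModule = ModuleDefMD.Load(ezencryptionLibData);
			var decrypter = new ApplicationModeDecrypter(ezencryptionLibModule);
			if (!decrypter.Detected)
				return null;

			// Index 0 is the main assembly; indexes 1..n-1 are the satellite assemblies.
			var mainAssembly = UnpackEmbeddedFile(peImage, 0, decrypter);
			decrypter.MemoryPatcher.Patch(mainAssembly.data);
			for (int i = 1; i < filenames.Length; i++)
				satelliteAssemblies.Add(UnpackEmbeddedFile(peImage, i, decrypter));

			// NOTE(review): presumably clears the DLL flag in the PE header of the main
			// assembly - confirm against ClearDllBit.
			ClearDllBit(mainAssembly.data);
			return mainAssembly.data;
		}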