byte[] unpack2()
{
shouldUnpack = false;
uint headerOffset = peImage.ImageLength - 12;
uint offsetEncryptedAssembly = checkOffset(peImage.offsetReadUInt32(headerOffset));
uint ezencryptionLibLength = peImage.offsetReadUInt32(headerOffset + 4);
uint iniFileLength = peImage.offsetReadUInt32(headerOffset + 8);
uint offsetClrVersionNumber = checked (offsetEncryptedAssembly - 12);
uint iniFileOffset = checked (headerOffset - iniFileLength);
uint ezencryptionLibOffset = checked (iniFileOffset - ezencryptionLibLength);
uint clrVerMajor = peImage.offsetReadUInt32(offsetClrVersionNumber);
uint clrVerMinor = peImage.offsetReadUInt32(offsetClrVersionNumber + 4);
uint clrVerBuild = peImage.offsetReadUInt32(offsetClrVersionNumber + 8);
if (clrVerMajor <= 0 || clrVerMajor >= 20 || clrVerMinor >= 20 || clrVerBuild >= 1000000)
{
return(null);
}
var settings = new IniFile(decompress2(peImage.offsetReadBytes(iniFileOffset, (int)iniFileLength)));
sizes = getSizes(settings["General_App_Satellite_Assemblies_Sizes"]);
if (sizes == null || sizes.Length <= 1)
{
return(null);
}
shouldUnpack = true;
if (sizes[0] != offsetEncryptedAssembly)
{
return(null);
}
filenames = settings["General_App_Satellite_Assemblies"].Split('|');
if (sizes.Length - 1 != filenames.Length)
{
return(null);
}
byte[] ezencryptionLibData = decompress1(peImage.offsetReadBytes(ezencryptionLibOffset, (int)ezencryptionLibLength));
var ezencryptionLibModule = ModuleDefinition.ReadModule(new MemoryStream(ezencryptionLibData));
var decrypter = new ApplicationModeDecrypter(ezencryptionLibModule);
if (!decrypter.Detected)
{
return(null);
}
var mainAssembly = unpackEmbeddedFile(0, decrypter);
decrypter.MemoryPatcher.patch(mainAssembly.data);
for (int i = 1; i < filenames.Length; i++)
{
satelliteAssemblies.Add(unpackEmbeddedFile(i, decrypter));
}
clearDllBit(mainAssembly.data);
return(mainAssembly.data);
}
UnpackedFile unpackEmbeddedFile(int index, ApplicationModeDecrypter decrypter)
{
uint offset = 0;
for (int i = 0; i < index + 1; i++)
{
offset += sizes[i];
}
string filename = Win32Path.GetFileName(filenames[index]);
var data = peImage.offsetReadBytes(offset, (int)sizes[index + 1]);
data = DeobUtils.aesDecrypt(data, decrypter.AssemblyKey, decrypter.AssemblyIv);
data = decompress(data);
return(new UnpackedFile(filename, data));
}
UnpackedFile UnpackEmbeddedFile(MyPEImage peImage, int index, ApplicationModeDecrypter decrypter) {
uint offset = 0;
for (int i = 0; i < index + 1; i++)
offset += sizes[i];
string filename = Win32Path.GetFileName(filenames[index]);
var data = peImage.OffsetReadBytes(offset, (int)sizes[index + 1]);
data = DeobUtils.AesDecrypt(data, decrypter.AssemblyKey, decrypter.AssemblyIv);
data = Decompress(data);
return new UnpackedFile(filename, data);
}
byte[] Unpack2(MyPEImage peImage) {
shouldUnpack = false;
uint headerOffset = (uint)peImage.Length - 12;
uint offsetEncryptedAssembly = CheckOffset(peImage, peImage.OffsetReadUInt32(headerOffset));
uint ezencryptionLibLength = peImage.OffsetReadUInt32(headerOffset + 4);
uint iniFileLength = peImage.OffsetReadUInt32(headerOffset + 8);
uint offsetClrVersionNumber = checked(offsetEncryptedAssembly - 12);
uint iniFileOffset = checked(headerOffset - iniFileLength);
uint ezencryptionLibOffset = checked(iniFileOffset - ezencryptionLibLength);
uint clrVerMajor = peImage.OffsetReadUInt32(offsetClrVersionNumber);
uint clrVerMinor = peImage.OffsetReadUInt32(offsetClrVersionNumber + 4);
uint clrVerBuild = peImage.OffsetReadUInt32(offsetClrVersionNumber + 8);
if (clrVerMajor <= 0 || clrVerMajor >= 20 || clrVerMinor >= 20 || clrVerBuild >= 1000000)
return null;
var settings = new IniFile(Decompress2(peImage.OffsetReadBytes(iniFileOffset, (int)iniFileLength)));
sizes = GetSizes(settings["General_App_Satellite_Assemblies_Sizes"]);
if (sizes == null || sizes.Length <= 1)
return null;
shouldUnpack = true;
if (sizes[0] != offsetEncryptedAssembly)
return null;
filenames = settings["General_App_Satellite_Assemblies"].Split('|');
if (sizes.Length - 1 != filenames.Length)
return null;
byte[] ezencryptionLibData = Decompress1(peImage.OffsetReadBytes(ezencryptionLibOffset, (int)ezencryptionLibLength));
var ezencryptionLibModule = ModuleDefMD.Load(ezencryptionLibData);
var decrypter = new ApplicationModeDecrypter(ezencryptionLibModule);
if (!decrypter.Detected)
return null;
var mainAssembly = UnpackEmbeddedFile(peImage, 0, decrypter);
decrypter.MemoryPatcher.Patch(mainAssembly.data);
for (int i = 1; i < filenames.Length; i++)
satelliteAssemblies.Add(UnpackEmbeddedFile(peImage, i, decrypter));
ClearDllBit(mainAssembly.data);
return mainAssembly.data;
}
