Пример #1
0
        public string Decrypt(int token, int id)
        {
            if (!CanDecrypt)
            {
                throw new ApplicationException("Can't decrypt strings since decryptedData is null");
            }

            int index = id - (token & 0x00FFFFFF) - stringOffset;
            int len   = DeobUtils.ReadVariableLengthInt32(decryptedData, ref index);

            switch (StringDecrypterInfo.DecrypterVersion)
            {
            case StringDecrypterVersion.V1:
                // Some weird problem with 1.x decrypted strings. They all have a \x01 char at the end.
                var buf = Convert.FromBase64String(Encoding.ASCII.GetString(decryptedData, index, len));
                if (buf.Length % 2 != 0)
                {
                    Array.Resize(ref buf, buf.Length - 1);
                }
                return(Encoding.Unicode.GetString(buf));

            case StringDecrypterVersion.V2:
                return(Encoding.UTF8.GetString(Convert.FromBase64String(Encoding.ASCII.GetString(decryptedData, index, len))));

            default:
                return(Encoding.UTF8.GetString(Convert.FromBase64String(Encoding.UTF8.GetString(decryptedData, index, len))));
            }
        }
Пример #2
0
        byte[] DecryptArray(ArrayInfo aryInfo)
        {
            var ary       = new byte[aryInfo.arySize * aryInfo.arrayType.ElementType.GetPrimitiveSize()];
            int dataIndex = aryInfo.index;
            int len       = DeobUtils.ReadVariableLengthInt32(constantsData, ref dataIndex);

            Buffer.BlockCopy(constantsData, dataIndex, ary, 0, len);
            return(ary);
        }
        public string Decrypt(int index)
        {
            int len = DeobUtils.ReadVariableLengthInt32(decryptedData, ref index);

            return(Encoding.Unicode.GetString(decryptedData, index, len));
        }
Пример #4
0
        void DecryptStrings()
        {
            var peHeader = decrypterInfo.peHeader;
            var mcKey    = decrypterInfo.mcKey;
            var peImage  = decrypterInfo.peImage;
            var fileData = decrypterInfo.fileData;

            uint usHeapRva  = peHeader.GetRva(0x0E00, mcKey.ReadUInt32(0x0078));
            uint usHeapSize = peHeader.ReadUInt32(0x0E04) ^ mcKey.ReadUInt32(0x0082);

            if (usHeapRva == 0 || usHeapSize == 0)
            {
                return;
            }
            var usHeap = peImage.Metadata.USStream;

            if (usHeap.StartOffset == 0 ||              // Start offset is 0 if it's not present in the file
                peImage.RvaToOffset(usHeapRva) != (uint)usHeap.StartOffset ||
                usHeapSize != (uint)(usHeap.EndOffset - usHeap.StartOffset))
            {
                Logger.w("Invalid #US heap RVA and size found");
            }

            Logger.v("Decrypting strings @ RVA {0:X8}, {1} bytes", usHeapRva, usHeapSize);
            Logger.Instance.Indent();

            int mcKeyOffset  = 0;
            int usHeapOffset = (int)peImage.RvaToOffset(usHeapRva);
            int usHeapEnd    = usHeapOffset + (int)usHeapSize;

            usHeapOffset++;
            while (usHeapOffset < usHeapEnd)
            {
                if (fileData[usHeapOffset] == 0 || fileData[usHeapOffset] == 1)
                {
                    usHeapOffset++;
                    continue;
                }

                int usHeapOffsetOrig   = usHeapOffset;
                int stringDataLength   = DeobUtils.ReadVariableLengthInt32(fileData, ref usHeapOffset);
                int usHeapOffsetString = usHeapOffset;
                int encryptedLength    = stringDataLength - (usHeapOffset - usHeapOffsetOrig == 1 ? 1 : 2);
                for (int i = 0; i < encryptedLength; i++)
                {
                    byte k = mcKey.ReadByte(mcKeyOffset++ % 0x2000);
                    fileData[usHeapOffset] = Rolb((byte)(fileData[usHeapOffset] ^ k), 3);
                    usHeapOffset++;
                }

                try {
                    Logger.v("Decrypted string: {0}", Utils.ToCsharpString(Encoding.Unicode.GetString(fileData, usHeapOffsetString, stringDataLength - 1)));
                }
                catch {
                    Logger.v("Could not decrypt string at offset {0:X8}", usHeapOffsetOrig);
                }

                usHeapOffset++;
            }

            Logger.Instance.DeIndent();
        }