Пример #1
0
            static void ExtractOffsets(Stream stream, MetadataProcessor.ImageAccessor accessor, out uint csOffset, out uint sn, out uint snLen)
            {
                BinaryReader rdr = new BinaryReader(stream);

                stream.Seek(0x3c, SeekOrigin.Begin);
                uint offset = rdr.ReadUInt32();

                stream.Seek(offset, SeekOrigin.Begin);
                stream.Seek(0x6, SeekOrigin.Current);
                uint sections = rdr.ReadUInt16();

                stream.Seek(offset = offset + 0x18, SeekOrigin.Begin);  //Optional hdr
                bool pe32 = (rdr.ReadUInt16() == 0x010b);

                csOffset           = offset + 0x40;
                stream.Seek(offset = offset + (pe32 ? 0xE0U : 0xF0U), SeekOrigin.Begin);   //sections

                stream.Seek(offset - 16, SeekOrigin.Begin);
                uint mdDir = accessor.ResolveVirtualAddress(rdr.ReadUInt32());

                stream.Seek(mdDir + 0x20, SeekOrigin.Begin);
                sn    = accessor.ResolveVirtualAddress(rdr.ReadUInt32());
                snLen = rdr.ReadUInt32();
            }
Пример #2
0
            public override void Process(NameValueCollection parameters, Stream stream, MetadataProcessor.ImageAccessor accessor)
            {
                Random       rand = new Random();
                BinaryReader rdr  = new BinaryReader(stream);

                stream.Seek(0x3c, SeekOrigin.Begin);
                uint offset = rdr.ReadUInt32();

                stream.Seek(offset, SeekOrigin.Begin);
                stream.Seek(0x6, SeekOrigin.Current);
                uint sections = rdr.ReadUInt16();

                stream.Seek(offset = offset + 0x18, SeekOrigin.Begin);  //Optional hdr
                bool pe32 = (rdr.ReadUInt16() == 0x010b);

                stream.Seek(offset = offset + (pe32 ? 0xE0U : 0xF0U), SeekOrigin.Begin);   //sections
                stream.Seek(-0xc, SeekOrigin.Current);
                for (int i = 0; i < sections; i++)
                {
                    bool seen = false;
                    for (int j = 0; j < 8; j++)
                    {
                        byte b = rdr.ReadByte();
                        if (b == 0 & !seen)
                        {
                            seen = true;
                            stream.Seek(-1, SeekOrigin.Current);
                            stream.WriteByte(0x20);
                        }
                    }
                    uint vSize = rdr.ReadUInt32();
                    uint vLoc  = rdr.ReadUInt32();
                    uint rSize = rdr.ReadUInt32();
                    uint rLoc  = rdr.ReadUInt32();
                    stream.Seek(0x10, SeekOrigin.Current);
                }

                var mdPtr = accessor.ResolveVirtualAddress(accessor.GetTextSegmentRange(TextSegment.MetadataHeader).Start);

                stream.Position = mdPtr + 12;
                long verLenPos = stream.Position;
                uint verLen    = rdr.ReadUInt32();

                stream.Position += verLen;
                stream.Position += 2;

                ushort streams = rdr.ReadUInt16();

                uint startOfStreams = 0xffffffff;

                for (int i = 0; i < streams; i++)
                {
                    startOfStreams   = Math.Min(rdr.ReadUInt32(), startOfStreams);
                    stream.Position += 4;
                    long begin = stream.Position;

                    int    c = 0;
                    string s = "";
                    byte   b;
                    while ((b = rdr.ReadByte()) != 0)
                    {
                        s += (char)b;
                        c++;
                    }
                    if (s == "#~")
                    {
                        stream.Position = begin + 1;
                        stream.WriteByte((byte)'-');
                    }
                    stream.Position = (stream.Position + 3) & ~3;
                }

                uint m    = startOfStreams - (uint)(stream.Position - mdPtr);
                uint size = (uint)(stream.Position - (verLenPos + 4));

                stream.Position = verLenPos;
                stream.Write(BitConverter.GetBytes(verLen + m), 0, 4);
                byte[] x = new byte[verLen];
                stream.Read(x, 0, (int)verLen);
                byte[] t = new byte[size - verLen];
                stream.Read(t, 0, (int)t.Length);
                stream.Position = verLenPos + 4;
                stream.Write(x, 0, x.Length);
                stream.Write(new byte[m], 0, (int)m);
                stream.Write(t, 0, t.Length);
            }
Пример #3
0
            public void Phase5(Stream stream, MetadataProcessor.ImageAccessor accessor)
            {
                stream.Seek(0, SeekOrigin.Begin);
                uint csOffset;
                uint sn;
                uint snLen;

                ExtractCodes(stream, accessor, out csOffset, out sn, out snLen);
                stream.Position = 0;

                MemoryStream ms = new MemoryStream();

                ms.WriteByte(0xd6);
                ms.WriteByte(0x6f);
                BinaryWriter wtr = new BinaryWriter(ms);

                wtr.Write((uint)codes.Length);
                for (int i = 0; i < codes.Length; i++)
                {
                    wtr.Write((int)(ptrs[i] ^ key4));
                    if (ptrs[i] == 0)
                    {
                        continue;
                    }
                    Confuser.Database.AddEntry("AntiTamper", rvas[i].ToString("X8"), ms.Position);
                    wtr.Write((int)(rvas[i] ^ key5));
                    wtr.Write(codes[i].Length);
                    wtr.Write(codes[i]);
                }

                byte[]       buff;
                BinaryReader sReader = new BinaryReader(stream);

                using (MemoryStream str = new MemoryStream())
                {
                    var mdPtr = accessor.ResolveVirtualAddress(accessor.GetTextSegmentRange(TextSegment.MetadataHeader).Start);
                    stream.Position  = mdPtr + 12;
                    stream.Position += sReader.ReadUInt32() + 4;
                    stream.Position += 2;

                    ushort streams = sReader.ReadUInt16();

                    for (int i = 0; i < streams; i++)
                    {
                        uint offset = mdPtr + sReader.ReadUInt32();
                        uint size   = sReader.ReadUInt32();

                        int c = 0;
                        while (sReader.ReadByte() != 0)
                        {
                            c++;
                        }
                        long ori = stream.Position += (((c + 1) + 3) & ~3) - (c + 1);

                        stream.Position = offset;
                        str.Write(sReader.ReadBytes((int)size), 0, (int)size);
                        stream.Position = ori;
                    }

                    buff = str.ToArray();
                }

                byte[] iv;
                byte[] dat = Encrypt(Confuser.ObfuscationHelper, buff, ms.ToArray(), out iv, key6);

                byte[] md5      = MD5.Create().ComputeHash(buff);
                long   checkSum = BitConverter.ToInt64(md5, 0) ^ BitConverter.ToInt64(md5, 8);

                wtr = new BinaryWriter(stream);
                stream.Seek(csOffset, SeekOrigin.Begin);
                wtr.Write(accessor.GetTextSegmentRange(TextSegment.MetadataHeader).Start ^ (uint)key0);

                // Write to section
                stream.Seek(accessor.GetSection(sectName).PointerToRawData, SeekOrigin.Begin);
                wtr.Write(checkSum ^ key1);
                wtr.Write(sn);
                wtr.Write(snLen);
                wtr.Write(iv.Length ^ key2);
                wtr.Write(iv);
                wtr.Write(dat.Length ^ key3);
                wtr.Write(dat);
            }
Пример #4
0
            void ExtractCodes(Stream stream, MetadataProcessor.ImageAccessor accessor, out uint csOffset, out uint sn, out uint snLen)
            {
                BinaryReader rdr = new BinaryReader(stream);

                stream.Seek(0x3c, SeekOrigin.Begin);
                uint offset = rdr.ReadUInt32();

                stream.Seek(offset, SeekOrigin.Begin);
                stream.Seek(0x6, SeekOrigin.Current);
                uint sections = rdr.ReadUInt16();

                stream.Seek(offset = offset + 0x18, SeekOrigin.Begin);  //Optional hdr
                bool pe32 = (rdr.ReadUInt16() == 0x010b);

                csOffset           = offset + 0x40;
                stream.Seek(offset = offset + (pe32 ? 0xE0U : 0xF0U), SeekOrigin.Begin);   //sections

                for (int i = 0; i < rvas.Length; i++)
                {
                    if (rvas[i] == 0)
                    {
                        continue;
                    }
                    ptrs[i] = accessor.ResolveVirtualAddress(rvas[i]);
                    stream.Seek(ptrs[i], SeekOrigin.Begin);
                    byte b = rdr.ReadByte();
                    if ((b & 0x3) == 0x2)
                    {
                        stream.Seek((uint)b >> 2, SeekOrigin.Current);
                    }
                    else
                    {
                        stream.Seek(-1, SeekOrigin.Current);
                        ushort f = rdr.ReadUInt16();
                        stream.Seek(2, SeekOrigin.Current);
                        uint size = rdr.ReadUInt32();
                        stream.Seek(4 + size, SeekOrigin.Current);
                        if ((f & 0x80) != 0)
                        {
                            stream.Seek((stream.Position + 3) & ~3, SeekOrigin.Begin);
                            bool more;
                            do
                            {
                                byte fl = rdr.ReadByte();
                                more = ((fl & 0x80) != 0);
                                if ((fl & 0x40) != 0)
                                {
                                    stream.Seek(-1, SeekOrigin.Current);
                                    uint sectLen = rdr.ReadUInt32() >> 8;
                                    stream.Seek(-4 + sectLen, SeekOrigin.Current);
                                }
                                else
                                {
                                    byte sectLen = rdr.ReadByte();
                                    stream.Seek(-1 + sectLen, SeekOrigin.Current);
                                }
                            } while (more);
                        }
                    }
                    long len = stream.Position - ptrs[i];
                    stream.Seek(ptrs[i], SeekOrigin.Begin);
                    codes[i] = rdr.ReadBytes((int)len);
                    stream.Seek(ptrs[i], SeekOrigin.Begin);
                    byte[] bs = new byte[len];
                    // write null to the method?
                    //Confuser.Random.NextBytes(bs);
                    //byte[] bs2 = bs.Reverse().ToArray();
                    //stream.Write(bs2, 0, (int)len / 2);
                    //stream.Write(bs2, (int)len / 2, (int)len / 2);

                    // write nothing but 0's to the method
                    stream.Write(bs, 0, (int)len);
                }

                stream.Seek(offset - 16, SeekOrigin.Begin);
                uint mdDir = accessor.ResolveVirtualAddress(rdr.ReadUInt32());

                stream.Seek(mdDir + 0x20, SeekOrigin.Begin);
                sn    = accessor.ResolveVirtualAddress(rdr.ReadUInt32());
                snLen = rdr.ReadUInt32();
            }