/// <summary>
///
/// </summary>
/// <param name="module">Main module of process being analyzed</param>
/// <param name="processPID">Process id of process being analyzed</param>
/// <returns></returns>
private bool HasRunPE(ProcessModule module, int processPID)
{
//Catch if process has been killed already
//try
//{
// Process.GetProcessById(processPID);
//}
//catch
//{
// return false;
//}
string modulePath = module.FileName;
PEInfomation procPE = PELoader.Load(processPID, module);
PEInfomation filePE = PELoader.Load(modulePath);
int unmachedValues = 0;
unmachedValues += ScanType(procPE.FileHeader, filePE.FileHeader); // File Header
unmachedValues += ScanType(procPE.OptionalHeader32, filePE.OptionalHeader32); // Optional Header
int sectionAmmount = Math.Min(Convert.ToInt32(procPE.Overview.NumberOfSections), Convert.ToInt32(filePE.Overview.NumberOfSections));
for (int i = 0; i < sectionAmmount; i++)
{
unmachedValues += ScanType(procPE.Sections[i], filePE.Sections[i]);
}
return(unmachedValues >= 8);
}
public static void LoadDll(int pID, byte[] dllBytes)
{
PEInfomation dllPE = PELoader.Load(dllBytes, string.Empty);
IntPtr pHandle = PELoader.OpenProcessHandle(pID);
if (pHandle == IntPtr.Zero)
{
throw new Exception("Invalid PID");
}
IntPtr vAlloc = NativeMethods.VirtualAllocEx(pHandle, 0, dllPE.Overview.SizeOfImage, 0x1000, 0x40);
if (vAlloc == IntPtr.Zero)
{
throw new Exception("Alloc failed");
}
NativeMethods.WriteProcessMemory(pHandle, vAlloc, dllBytes, dllPE.Overview.SizeOfHeaders, 0);
foreach (var section in dllPE.Sections)
{
byte[] sData = new byte[section.VirtualSize];
Buffer.BlockCopy(dllBytes, (int)section.PointerToRawData, sData, 0, sData.Length);
NativeMethods.WriteProcessMemory(pHandle, new IntPtr(vAlloc.ToInt32() + section.VirtualAddress), sData, (uint)sData.Length, 0);
}
}
private void processToolStripMenuItem1_Click(object sender, EventArgs e)
{
using (formLoadProcess procLoadForm = new formLoadProcess())
{
if (procLoadForm.ShowDialog() == DialogResult.OK)
{
LoadedPE = PELoader.Load(procLoadForm.SelectedProcessID, procLoadForm.SelectedModule);
LoadedPE.PESource = string.Format("Process: {0}", procLoadForm.ProcessName);
lbCurrentSection.Text = "Overview";
PopulateInfo(LoadedPE.Overview, false);
}
}
}
private void button1_Click(object sender, EventArgs e)
{
lbProcessList.Items.Clear();
lvFileList.Items.Clear();
ProcessModule moduleToScan = null;
int pid = 0;
using (formLoadProcess procLoadForm = new formLoadProcess())
{
if (procLoadForm.ShowDialog() != DialogResult.OK)
{
return;
}
this.Text = string.Format("{0} ({1})", WindowText, procLoadForm.ProcessName);
moduleToScan = procLoadForm.SelectedModule;
pid = procLoadForm.SelectedProcessID;
}
string modulePath = moduleToScan.FileName;
PEInfomation procPE = PELoader.Load(pid, moduleToScan);
PEInfomation filePE = PELoader.Load(modulePath);
int unmachedValues = 0;
unmachedValues += ScanType <IMAGE_FILE_HEADER>(procPE.FileHeader, filePE.FileHeader, "File Header");
unmachedValues += ScanType <IMAGE_OPTIONAL_HEADER32>(procPE.OptionalHeader32, filePE.OptionalHeader32, "Optional Header", "ImageBase");
int sectionAmmount = Math.Min(Convert.ToInt32(procPE.Overview.NumberOfSections), Convert.ToInt32(filePE.Overview.NumberOfSections));
for (int i = 0; i < sectionAmmount; i++)
{
unmachedValues += ScanType <IMAGE_SECTION_HEADER>(procPE.Sections[i], filePE.Sections[i], string.Format("Section {0}", i + 1));
}
Color tColor = Color.Green;
string warningText = "No RunPE Found (0 Unmached values)";
if (unmachedValues >= 1)
{
tColor = Color.DarkTurquoise;
warningText = string.Format("Possable RunPe ({0} Unmaching values)", unmachedValues);
}
if (unmachedValues > 4)
{
tColor = Color.Red;
warningText = string.Format("RunPe Found ({0} Unmaching values)", unmachedValues);
}
lbRunpeStatus.Text = warningText;
lbRunpeStatus.ForeColor = tColor;
}
private void fileToolStripMenuItem1_Click(object sender, EventArgs e)
{
using (OpenFileDialog ofd = new OpenFileDialog())
{
ofd.Filter = "Executable|*.exe|Library|*.dll";
if (ofd.ShowDialog() == DialogResult.OK)
{
LoadedPE = PELoader.Load(ofd.FileName);
LoadedPE.PESource = ofd.FileName;
lbCurrentSection.Text = "Overview";
PopulateInfo(LoadedPE.Overview, false);
}
}
}
public ModuleListViewItem(int procID, IntPtr _handle)
{
ModuleInfomation = PELoader.Load(procID, _handle);
Handle = _handle;
ProcessHandle = ModuleInfomation.GetProcessHandle();
StringBuilder sb = new StringBuilder(255);
NativeMethods.GetModuleFileNameEx(ProcessHandle, Handle, sb, 255);
ModulePath = sb.ToString();
Text = Path.GetFileName(ModulePath);
SubItems.Add(string.Format("0x{0:x2}", IntPtr.Size == 4 ? _handle.ToInt32() : _handle.ToInt64()));
SubItems.Add(ModuleInfomation.Overview.SizeOfImage.ToString());
if (!string.IsNullOrEmpty(Text))
{
SubItems.Add(ModulePath);
}
else
{
SubItems.Add("Byte loaded");
}
}
private bool ExtractCurrentData(string il2cppPath, string metadataPath, out Il2Cpp il2Cpp, out Il2CppExecutor executor, out Metadata metadata)
{
il2Cpp = null;
executor = null;
metadata = null;
var metadataBytes = File.ReadAllBytes(metadataPath);
metadata = new Metadata(new MemoryStream(metadataBytes));
var il2cppBytes = File.ReadAllBytes(il2cppPath);
var il2cppMagic = BitConverter.ToUInt32(il2cppBytes, 0);
var il2CppMemory = new MemoryStream(il2cppBytes);
if (il2cppMagic != IL2CPPMAGIC_PE)
{
throw new Exception("Unexpected il2cpp magic number.");
}
il2Cpp = new PE(il2CppMemory);
il2Cpp.SetProperties(metadata.Version, metadata.maxMetadataUsages);
if (il2Cpp.Version >= 27 && il2Cpp is ElfBase elf && elf.IsDumped)
{
metadata.Address = Convert.ToUInt64(Console.ReadLine(), 16);
}
try
{
var flag = il2Cpp.PlusSearch(metadata.methodDefs.Count(x => x.methodIndex >= 0), metadata.typeDefs.Length, metadata.imageDefs.Length);
if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
if (!flag && il2Cpp is PE)
{
il2Cpp = PELoader.Load(il2cppPath);
il2Cpp.SetProperties(metadata.Version, metadata.maxMetadataUsages);
flag = il2Cpp.PlusSearch(metadata.methodDefs.Count(x => x.methodIndex >= 0), metadata.typeDefs.Length, metadata.imageDefs.Length);
}
}
if (!flag)
{
flag = il2Cpp.Search();
}
if (!flag)
{
flag = il2Cpp.SymbolSearch();
}
if (!flag)
{
var codeRegistration = Convert.ToUInt64(Console.ReadLine(), 16);
var metadataRegistration = Convert.ToUInt64(Console.ReadLine(), 16);
il2Cpp.Init(codeRegistration, metadataRegistration);
}
}
catch
{
throw new Exception("ERROR: An error occurred while processing.");
}
executor = new Il2CppExecutor(metadata, il2Cpp);
return(true);
}
private bool Init(string il2CppPath, string metadataPath, out Metadata metadata, out Il2Cpp il2Cpp)
{
WriteOutput("Read config...", Color.Black);
if (File.Exists(realPath + "config.json"))
{
_config = JsonConvert.DeserializeObject <Config>(File.ReadAllText(Application.StartupPath + Path.DirectorySeparatorChar + "config.json"));
}
else
{
_config = new Config();
WriteOutput("config.json file does not exist. Using defaults", Color.Yellow);
}
WriteOutput("Initializing metadata...");
var metadataBytes = File.ReadAllBytes(metadataPath);
metadata = new Metadata(new MemoryStream(metadataBytes));
WriteOutput($"Metadata Version: {metadata.Version}");
WriteOutput("Initializing il2cpp file...");
var il2CppBytes = File.ReadAllBytes(il2CppPath);
var il2CppMagic = BitConverter.ToUInt32(il2CppBytes, 0);
var il2CppMemory = new MemoryStream(il2CppBytes);
switch (il2CppMagic)
{
default:
WriteOutput("ERROR: il2cpp file not supported.");
throw new NotSupportedException("ERROR: il2cpp file not supported.");
case 0x6D736100:
var web = new WebAssembly(il2CppMemory);
il2Cpp = web.CreateMemory();
break;
case 0x304F534E:
var nso = new NSO(il2CppMemory);
il2Cpp = nso.UnCompress();
break;
case 0x905A4D: //PE
il2Cpp = new PE(il2CppMemory);
break;
case 0x464c457f: //ELF
if (il2CppBytes[4] == 2) //ELF64
{
var addressValue = "";
il2Cpp =
InputBox.Show("Input il2cpp dump address or leave empty to force continue:", "", ref addressValue) !=
DialogResult.OK
? string.IsNullOrWhiteSpace(addressValue) ? new Elf64(il2CppMemory) :
new Elf64(il2CppMemory, addressValue)
: new Elf64(il2CppMemory);
}
else
{
var addressValue = "";
il2Cpp =
InputBox.Show("Input il2cpp dump address or leave empty to force continue:", "", ref addressValue) !=
DialogResult.OK
? string.IsNullOrWhiteSpace(addressValue) ? new Elf(il2CppMemory) :
new Elf(il2CppMemory, addressValue)
: new Elf(il2CppMemory);
}
break;
case 0xCAFEBABE: //FAT Mach-O
case 0xBEBAFECA:
var machofat = new MachoFat(new MemoryStream(il2CppBytes));
WriteOutput("Select Platform: ");
for (var i = 0; i < machofat.fats.Length; i++)
{
var fat = machofat.fats[i];
WriteOutput(fat.magic == 0xFEEDFACF ? $"{i + 1}.64bit " : $"{i + 1}.32bit ");
}
WriteOutput("");
var key = Console.ReadKey(true);
var index = int.Parse(key.KeyChar.ToString()) - 1;
var magic = machofat.fats[index % 2].magic;
il2CppBytes = machofat.GetMacho(index % 2);
il2CppMemory = new MemoryStream(il2CppBytes);
if (magic == 0xFEEDFACF)
{
goto case 0xFEEDFACF;
}
else
{
goto case 0xFEEDFACE;
}
case 0xFEEDFACF: // 64bit Mach-O
il2Cpp = new Macho64(il2CppMemory);
break;
case 0xFEEDFACE: // 32bit Mach-O
il2Cpp = new Macho(il2CppMemory);
break;
}
var version = _config.ForceIl2CppVersion ? _config.ForceVersion : metadata.Version;
il2Cpp.SetProperties(version, metadata.maxMetadataUsages);
WriteOutput($"Il2Cpp Version: {il2Cpp.Version}");
if (il2Cpp.Version >= 27 && il2Cpp is ElfBase elf && elf.IsDumped)
{
var metadataValue = "";
if (InputBox.Show("Input global-metadata.dat dump address:", "", ref metadataValue) != DialogResult.OK)
{
return(false);
}
metadata.Address = Convert.ToUInt64(metadataValue, 16);
WriteOutput($"global-metadata.dat dump address: {metadataValue}");
}
WriteOutput("Searching...");
try
{
var flag = il2Cpp.PlusSearch(metadata.methodDefs.Count(x => x.methodIndex >= 0), metadata.typeDefs.Length, metadata.imageDefs.Length);
if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows) && !flag && il2Cpp is PE)
{
WriteOutput("Use custom PE loader");
il2Cpp = PELoader.Load(il2CppPath);
il2Cpp.SetProperties(version, metadata.maxMetadataUsages);
flag = il2Cpp.PlusSearch(metadata.methodDefs.Count(x => x.methodIndex >= 0), metadata.typeDefs.Length, metadata.imageDefs.Length);
}
if (!flag)
{
flag = il2Cpp.Search();
}
if (!flag)
{
flag = il2Cpp.SymbolSearch();
}
if (!flag)
{
WriteOutput("ERROR: Can't use auto mode to process file, try manual mode.");
WriteOutput("Input CodeRegistration: ");
var codeValue = "";
if (InputBox.Show(@"Input CodeRegistration: ", "", ref codeValue) != DialogResult.OK)
{
return(false);
}
var codeRegistration = Convert.ToUInt64(codeValue, 16);
WriteOutput($"CodeRegistration: {codeValue}");
var metadataValue = "";
if (InputBox.Show("Input MetadataRegistration: ", "", ref metadataValue) != DialogResult.OK)
{
return(false);
}
var metadataRegistration = Convert.ToUInt64(metadataValue, 16);
WriteOutput($"MetadataRegistration: {metadataValue}");
il2Cpp.Init(codeRegistration, metadataRegistration);
return(true);
}
}
catch (Exception e)
{
WriteOutput(e.Message);
WriteOutput("ERROR: An error occurred while processing.");
return(false);
}
return(true);
}