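/// <summary>
/// Step #6
///
/// Rebuild and save the unpacked file.
/// </summary>
/// <remarks>
/// Output goes to "&lt;FilePath&gt;.unpacked.exe"; an existing file at that path is overwritten
/// (FileMode.Create). Written in order: DOS header, DOS stub (if any), NT headers with the entry
/// point taken from the stub header, every section header plus its raw data, then the overlay (if any).
/// </remarks>
/// <returns>True when the file was written and closed without error; false otherwise.</returns>
private bool Step6()
{
    try
    {
        // Rebuild the file sections..
        this.File.RebuildSections();

        var unpackedPath = this.File.FilePath + ".unpacked.exe";

        // The using block closes the stream before success is reported, so a failure while
        // flushing or closing is reported as an error instead of escaping to the caller.
        using (var fStream = new FileStream(unpackedPath, FileMode.Create, FileAccess.ReadWrite))
        {
            // Write the DOS header to the file..
            fStream.WriteBytes(Pe32Helpers.GetStructureBytes(this.File.DosHeader));

            // Write the DOS stub to the file..
            if (this.File.DosStubSize > 0)
            {
                fStream.WriteBytes(this.File.DosStubData);
            }

            // Point the entry point back at the original one recorded in the stub header..
            var ntHeaders = this.File.NtHeaders;
            ntHeaders.OptionalHeader.AddressOfEntryPoint = (uint)this.StubHeader.OriginalEntryPoint;
            this.File.NtHeaders = ntHeaders;

            // Write the NT headers to the file..
            fStream.WriteBytes(Pe32Helpers.GetStructureBytes(ntHeaders));

            // Write the sections to the file..
            for (var x = 0; x < this.File.Sections.Count; x++)
            {
                var section = this.File.Sections[x];
                var sectionData = this.File.SectionData[x];

                // Write the section header to the file..
                fStream.WriteBytes(Pe32Helpers.GetStructureBytes(section));

                // Remember where the next header goes, then jump to this section's raw data..
                var nextHeaderOffset = fStream.Position;
                fStream.Position = section.PointerToRawData;

                // The loop index already identifies the section; no list search is needed.
                // The code section uses the replacement data when it is available.
                if (x == this.CodeSectionIndex)
                {
                    fStream.WriteBytes(this.CodeSectionData ?? sectionData);
                }
                else
                {
                    fStream.WriteBytes(sectionData);
                }

                // Reset the file offset..
                fStream.Position = nextHeaderOffset;
            }

            // Set the stream to the end of the file..
            fStream.Position = fStream.Length;

            // Write the overlay data if it exists..
            if (this.File.OverlayData != null)
            {
                fStream.WriteBytes(this.File.OverlayData);
            }
        }

        this.Log(" --> Unpacked file saved to disk!", LogMessageType.Success);
        this.Log($" --> File Saved As: {unpackedPath}", LogMessageType.Success);
        return true;
    }
    catch (System.Exception ex)
    {
        this.Log(" --> Error trying to save unpacked file!", LogMessageType.Error);

        // Keep the cause; the original discarded it, leaving nothing to diagnose from.
        this.Log($" --> {ex.GetType().Name}: {ex.Message}", LogMessageType.Error);
        return false;
    }
}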
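/// <summary>
/// Handles a file dropped onto the text box. Accepts a single .exe or .dll, looks for a section
/// named ".bxpck" in it and writes the file embedded in that section next to the dropped file as
/// "&lt;name&gt;-Unpacked&lt;ext&gt;".
/// </summary>
/// <remarks>
/// Every header field read here comes from the dropped file and can hold any value, so offsets and
/// sizes are checked before they are used. Success is reported only when a file was actually written.
/// </remarks>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Drag data; the first entry of the FileDrop list is used.</param>
private void TextBox1DragDrop(object sender, DragEventArgs e)
{
    // Resolve the dropped path first. Without an accepted file nothing below may run; the original
    // fell through and re-read whatever ExePath held from an earlier drop (or null).
    string droppedPath = null;
    Array droppedFiles = e.Data == null ? null : e.Data.GetData(DataFormats.FileDrop) as Array;
    if (droppedFiles != null && droppedFiles.Length > 0)
    {
        object firstEntry = droppedFiles.GetValue(0);
        droppedPath = firstEntry == null ? null : firstEntry.ToString();
    }

    if (string.IsNullOrEmpty(droppedPath))
    {
        return;
    }

    int dotIndex = droppedPath.LastIndexOf(".", StringComparison.Ordinal);
    if (dotIndex == -1)
    {
        return;
    }

    string extension = droppedPath.Substring(dotIndex);
    if (!extension.Equals(".exe", StringComparison.OrdinalIgnoreCase) &&
        !extension.Equals(".dll", StringComparison.OrdinalIgnoreCase))
    {
        return;
    }

    Activate();
    ExePath = droppedPath;
    label2.Text = "Status : Exe Loaded";

    // Directory part of the dropped path; a bare drive ("C:") gets its trailing separator back.
    int slashIndex = droppedPath.LastIndexOf("\\", StringComparison.Ordinal);
    if (slashIndex != -1)
    {
        DirectoryName = droppedPath.Remove(slashIndex, droppedPath.Length - slashIndex);
    }
    if (DirectoryName != null && DirectoryName.Length == 2)
    {
        DirectoryName += "\\";
    }

    bool sectionFound = false;
    bool payloadWritten = false;

    try
    {
        this.FileData = File.ReadAllBytes(ExePath);

        // NOTE(review): the header layout is chosen from the bitness of the running process,
        // not from the dropped file - confirm this is intended.
        if (IntPtr.Size == 4)
        {
            // Reset first so headers from a previous drop do not survive a failed parse.
            this.NtHeaders32 = new NativeApi32.ImageNtHeaders32();
            this.DosHeader32 = new NativeApi32.ImageDosHeader32();
            this.DosHeader32 = Pe32Helpers.GetStructure<NativeApi32.ImageDosHeader32>(this.FileData);
            this.NtHeaders32 = Pe32Helpers.GetStructure<NativeApi32.ImageNtHeaders32>(this.FileData, this.DosHeader32.e_lfanew);

            int sectionCount = NtHeaders32.FileHeader.NumberOfSections;
            for (var x = 0; x < sectionCount; x++)
            {
                var section = Pe32Helpers.GetSection(this.FileData, x, this.DosHeader32, this.NtHeaders32);
                if (!section.SectionName.Equals(".bxpck"))
                {
                    continue;
                }

                sectionFound = true;

                // The raw-data range is taken from the file; reject it if it leaves the buffer.
                if ((long)section.PointerToRawData + section.SizeOfRawData > this.FileData.Length)
                {
                    break;
                }

                var sectionData = new byte[this.GetAlignment(section.SizeOfRawData, this.NtHeaders32.OptionalHeader.FileAlignment)];
                Array.Copy(this.FileData, section.PointerToRawData, sectionData, 0, section.SizeOfRawData);
                string filename = DirectoryName + "\\" + Path.GetFileNameWithoutExtension(ExePath) + "-Unpacked" + Path.GetExtension(ExePath);

                // Three probes, tried in order, each evaluated only if the previous one failed.
                // NOTE(review): the first probe expects 0x4D before the 0x5A marker, the second
                // expects 0x4A, and the third searches for 0x4D instead of 0x5A. Values are kept
                // exactly as they were - confirm they are intended.
                payloadWritten =
                    TryWritePayloadAt(sectionData, GetNthIndex(sectionData, 0x5A, 1), 0x4D, filename) ||
                    TryWritePayloadAt(sectionData, GetNthIndex(sectionData, 0x5A, 2), 0x4A, filename) ||
                    TryWritePayloadAt(sectionData, GetNthIndex(sectionData, 0x4D, 3), 0x4D, filename);
                break;
            }
        }
        else
        {
            // Reset first so headers from a previous drop do not survive a failed parse.
            this.DosHeader64 = new NativeApi64.ImageDosHeader64();
            this.NtHeaders64 = new NativeApi64.ImageNtHeaders64();
            this.DosHeader64 = Pe64Helpers.GetStructure<NativeApi64.ImageDosHeader64>(this.FileData);
            this.NtHeaders64 = Pe64Helpers.GetStructure<NativeApi64.ImageNtHeaders64>(this.FileData, this.DosHeader64.e_lfanew);

            for (var x = 0; x < this.NtHeaders64.FileHeader.NumberOfSections; x++)
            {
                var section = Pe64Helpers.GetSection(this.FileData, x, this.DosHeader64, this.NtHeaders64);
                if (!section.SectionName.Equals(".bxpck"))
                {
                    continue;
                }

                sectionFound = true;

                // The raw-data range is taken from the file; reject it if it leaves the buffer.
                if ((long)section.PointerToRawData + section.SizeOfRawData > this.FileData.Length)
                {
                    break;
                }

                var sectionData = new byte[this.GetAlignment(section.SizeOfRawData, this.NtHeaders64.OptionalHeader.FileAlignment)];
                Array.Copy(this.FileData, section.PointerToRawData, sectionData, 0, section.SizeOfRawData);
                string filename = DirectoryName + "\\" + Path.GetFileNameWithoutExtension(ExePath) + "-Unpacked" + Path.GetExtension(ExePath);

                // Fixed payload offset, kept from the original. A section shorter than that would
                // only produce an empty output file, so it is treated as a failure instead.
                if (sectionData.Length > 182)
                {
                    File.WriteAllBytes(filename, sectionData.Skip(182).ToArray());
                    payloadWritten = true;
                }
                break;
            }
        }
    }
    catch (Exception ex)
    {
        // A malformed file or an I/O error must not surface as an unhandled exception in the handler.
        label2.Text = "Status : Failed";
        MessageBox.Show("Failed to unpack file: " + ex.Message, "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
        return;
    }

    if (!sectionFound)
    {
        // The original fell through into the success label after showing this message.
        label2.Text = "Status : Failed";
        MessageBox.Show("BoxedAppPacker section not found (.bxpck) ! ", "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
        return;
    }

    if (!payloadWritten)
    {
        label2.Text = "Status : Failed";
        MessageBox.Show("BoxedAppPacker section found, but no embedded file could be extracted from it.", "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
        return;
    }

    label2.Text = "Status : Success ! ";
}

// Writes sectionData from (markerIndex - 1) onwards to filename when the byte before the marker
// equals expectedPrevious; returns false without touching the disk otherwise.
private bool TryWritePayloadAt(byte[] sectionData, int markerIndex, byte expectedPrevious, string filename)
{
    // A marker that was not found, or that sits at offset 0, has no preceding byte to test.
    if (markerIndex <= 0 || markerIndex > sectionData.Length)
    {
        return false;
    }

    int payloadStart = markerIndex - 1;
    if (sectionData[payloadStart] != expectedPrevious)
    {
        return false;
    }

    File.WriteAllBytes(filename, sectionData.Skip(payloadStart).ToArray());
    label3.Text += payloadStart.ToString("X");
    return true;
}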
/// <summary>
/// Processing function called when a file is being unpacked. Allows plugins to check the file
/// and see if it can handle the file for its intended purpose.
/// </summary>
/// <remarks>
/// The file is accepted only when it parses as a PE, is not 64-bit, has a ".bind" section holding
/// the known v3.x signature, and the header size read next to one of the version patterns is 0xF0.
/// Any exception raised while checking is logged as a warning and treated as "cannot process".
/// </remarks>
/// <param name="file">Path of the file to inspect.</param>
/// <returns>True if this plugin can handle the file; false otherwise.</returns>
public override bool CanProcessFile(string file)
{
    try
    {
        // Load the file..
        var pe = new Pe32File(file);

        if (!pe.Parse())
        {
            this.Log("Failed to parse PE", LogMessageType.Information);
            return false;
        }

        if (pe.IsFile64Bit())
        {
            this.Log("Is not 32bit", LogMessageType.Information);
            return false;
        }

        if (!pe.HasSection(".bind"))
        {
            this.Log("No bind section", LogMessageType.Information);
            return false;
        }

        // Obtain the bind section data..
        var bindData = pe.GetSectionData(".bind");

        // Attempt to locate the known v3.x signature..
        var signatureOffset = Pe32Helpers.FindPattern(bindData, "E8 00 00 00 00 50 53 51 52 56 57 55 8B 44 24 1C 2D 05 00 00 00 8B CC 83 E4 F0 51 51 51 50");
        if (signatureOffset == 0)
        {
            return false;
        }

        // Version patterns, each paired with the distance from the match to the header size value..
        var versionPatterns = new[]
        {
            new KeyValuePair<string, int>("55 8B EC 81 EC ?? ?? ?? ?? 53 ?? ?? ?? ?? ?? 68", 0x10), // v3.1 [Original version?]
            new KeyValuePair<string, int>("55 8B EC 81 EC ?? ?? ?? ?? 53 ?? ?? ?? ?? ?? 8D 83", 0x16), // v3.1.1 [Newer, 3.1.1? (Seen 2015?)]
            new KeyValuePair<string, int>("55 8B EC 81 EC ?? ?? ?? ?? 56 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 8D", 0x10) // v3.1.2 [Newer, 3.1.2? (Seen late 2017.)]
        };

        var headerSize = 0;
        uint matchOffset = 0;

        // The first pattern that matches decides; later ones are not tried.
        foreach (var candidate in versionPatterns)
        {
            matchOffset = Pe32Helpers.FindPattern(bindData, candidate.Key);
            if (matchOffset > 0)
            {
                headerSize = BitConverter.ToInt32(bindData, (int)matchOffset + candidate.Value);
                break;
            }
        }

        // A pattern must have matched, and the size read next to it must be exactly 0xF0..
        return matchOffset != 0 && headerSize == 0xF0;
    }
    catch (Exception e)
    {
        this.Log(e.ToString(), LogMessageType.Warning);
        return false;
    }
}
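/// <summary>
/// Step #6
///
/// Rebuild and save the unpacked file.
/// </summary>
/// <remarks>
/// Output goes to "&lt;FilePath&gt;.unpacked.exe"; an existing file at that path is overwritten
/// (FileMode.Create). The NT headers are updated before writing: the entry point is taken from the
/// payload data, the checksum is cleared and SizeOfImage is recomputed from the last section.
/// </remarks>
/// <returns>True when the file was written and closed without error; false otherwise.</returns>
private bool Step6()
{
    try
    {
        // Zero the DosStubData if desired.. (a new byte array is already zero-filled)
        if (this.Options.ZeroDosStubData && this.File.DosStubSize > 0)
        {
            this.File.DosStubData = new byte[(int)this.File.DosStubSize];
        }

        // Rebuild the file sections..
        this.File.RebuildSections(this.Options.DontRealignSections == false);

        var unpackedPath = this.File.FilePath + ".unpacked.exe";

        // The using block closes the stream before success is reported, so a failure while
        // flushing or closing is reported as an error instead of escaping to the caller.
        using (var fStream = new FileStream(unpackedPath, FileMode.Create, FileAccess.ReadWrite))
        {
            // Write the DOS header to the file..
            fStream.WriteBytes(Pe32Helpers.GetStructureBytes(this.File.DosHeader));

            // Write the DOS stub to the file..
            if (this.File.DosStubSize > 0)
            {
                fStream.WriteBytes(this.File.DosStubData);
            }

            // Update the NT headers..
            var ntHeaders = this.File.NtHeaders;
            var lastSection = this.File.Sections[this.File.Sections.Count - 1];

            // The original entry point is stored in the payload as a 4-byte virtual address.
            var originalEntry = BitConverter.ToUInt32(this.PayloadData.Skip(this.SteamDrmpOffsets[2]).Take(4).ToArray(), 0);
            ntHeaders.OptionalHeader.AddressOfEntryPoint = this.File.GetRvaFromVa(originalEntry);
            ntHeaders.OptionalHeader.CheckSum = 0;
            ntHeaders.OptionalHeader.SizeOfImage = this.File.GetAlignment(lastSection.VirtualAddress + lastSection.VirtualSize, this.File.NtHeaders.OptionalHeader.SectionAlignment);
            this.File.NtHeaders = ntHeaders;

            // Write the NT headers to the file..
            fStream.WriteBytes(Pe32Helpers.GetStructureBytes(ntHeaders));

            // Write the sections to the file..
            for (var x = 0; x < this.File.Sections.Count; x++)
            {
                var section = this.File.Sections[x];
                var sectionData = this.File.SectionData[x];

                // Write the section header to the file..
                fStream.WriteBytes(Pe32Helpers.GetStructureBytes(section));

                // Remember where the next header goes, then jump to this section's raw data..
                var nextHeaderOffset = fStream.Position;
                fStream.Position = section.PointerToRawData;

                // The loop index already identifies the section; no list search is needed.
                // The code section uses the replacement data when it is available.
                if (x == this.CodeSectionIndex)
                {
                    fStream.WriteBytes(this.CodeSectionData ?? sectionData);
                }
                else
                {
                    fStream.WriteBytes(sectionData);
                }

                // Reset the file offset..
                fStream.Position = nextHeaderOffset;
            }

            // Set the stream to the end of the file..
            fStream.Position = fStream.Length;

            // Write the overlay data if it exists..
            if (this.File.OverlayData != null)
            {
                fStream.WriteBytes(this.File.OverlayData);
            }
        }

        this.Log(" --> Unpacked file saved to disk!", LogMessageType.Success);
        this.Log($" --> File Saved As: {unpackedPath}", LogMessageType.Success);
        return true;
    }
    catch (System.Exception ex)
    {
        this.Log(" --> Error trying to save unpacked file!", LogMessageType.Error);

        // Keep the cause; the original discarded it, leaving nothing to diagnose from.
        this.Log($" --> {ex.GetType().Name}: {ex.Message}", LogMessageType.Error);
        return false;
    }
}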