/// <summary>
/// Step #1
///
/// Read, disassemble and decode the SteamStub DRM header.
/// </summary>
/// <returns></returns>
private bool Step1()
{
// Obtain the file entry offset..
var fileOffset = this.File.GetFileOffsetFromRva(this.File.NtHeaders.OptionalHeader.AddressOfEntryPoint);
// Validate the DRM header..
if (BitConverter.ToUInt32(this.File.FileData, (int)fileOffset - 4) != 0xC0DEC0DE)
{
return(false);
}
// Disassemble the file to locate the needed DRM information..
if (!this.DisassembleFile(out var structOffset, out var structSize, out var structXorKey))
{
return(false);
}
// Obtain the DRM header data..
var headerData = new byte[structSize];
Array.Copy(this.File.FileData, this.File.GetFileOffsetFromRva(structOffset), headerData, 0, structSize);
// Xor decode the header data..
this.XorKey = SteamStubHelpers.SteamXor(ref headerData, (uint)headerData.Length, 0);
// Create the stub header..
this.StubHeader = Pe32Helpers.GetStructure <SteamStub32Var20Header>(headerData);
return(true);
}
/// <summary>
/// Step #1
///
/// Read, decode and validate the SteamStub DRM header.
/// </summary>
/// <returns></returns>
private bool Step1()
{
// Obtain the bind section..
var section = this.File.GetSection(".bind");
if (!section.IsValid)
{
return(false);
}
// Find the header information from the unpacker call..
var bind = this.File.GetSectionData(".bind");
var offset = Pe32Helpers.FindPattern(bind, "60 81 EC 00 10 00 00 BE ?? ?? ?? ?? B9 6A");
if (offset == -1)
{
return(false);
}
// Read the needed header information..
var headerPointer = BitConverter.ToUInt32(bind, (int)offset + 8);
var headerSize = BitConverter.ToUInt32(bind, (int)offset + 13) * 4;
// Calculate the file offset from the pointer..
var fileOffset = this.File.GetFileOffsetFromRva(headerPointer - this.File.NtHeaders.OptionalHeader.ImageBase);
// Read the header data..
var headerData = new byte[headerSize];
Array.Copy(this.File.FileData, fileOffset, headerData, 0, headerSize);
// Decrypt the header data..
for (var x = 0; x < headerSize; x++)
{
headerData[x] ^= (byte)(x * x);
}
// Store the header and validate it..
this.StubHeader = Pe32Helpers.GetStructure <SteamStub32Var10Header>(headerData);
// Validate the header via the unpacker function matching the file entry point..
if (this.StubHeader.BindFunction - this.File.NtHeaders.OptionalHeader.ImageBase != this.File.NtHeaders.OptionalHeader.AddressOfEntryPoint)
{
return(false);
}
// Find the OEP from the unpacker function..
offset = Pe32Helpers.FindPattern(bind, "61 B8 ?? ?? ?? ?? FF E0");
if (offset == -1)
{
return(false);
}
// Read and store the real OEP..
this.OriginalEntryPoint = BitConverter.ToUInt32(bind, (int)offset + 2) - this.File.NtHeaders.OptionalHeader.ImageBase;
return(true);
}
/// <summary>
/// Step #1
///
/// Read, decode and validate the SteamStub DRM header.
/// </summary>
/// <returns></returns>
private bool Step1()
{
// Obtain the header size..
var headerSize = this.GetHeaderSize(this.File);
// Obtain the DRM header data..
var fileOffset = this.File.GetFileOffsetFromRva(this.File.NtHeaders.OptionalHeader.AddressOfEntryPoint);
var headerData = new byte[headerSize];
Array.Copy(this.File.FileData, (int)(fileOffset - headerSize), headerData, 0, headerSize);
// Xor decode the header data..
this.XorKey = SteamStubHelpers.SteamXor(ref headerData, headerSize);
this.StubHeader = Pe32Helpers.GetStructure <SteamStub32Var30Header>(headerData);
// Validate the structure signature..
if (this.StubHeader.Signature == 0xC0DEC0DE)
{
return(true);
}
// Try again using the Tls callback (if any) as the OEP instead..
if (this.File.TlsCallbacks.Count == 0)
{
return(false);
}
// Obtain the DRM header data..
fileOffset = this.File.GetRvaFromVa(this.File.TlsCallbacks[0]);
fileOffset = this.File.GetFileOffsetFromRva(fileOffset);
headerData = new byte[headerSize];
Array.Copy(this.File.FileData, (int)(fileOffset - headerSize), headerData, 0, headerSize);
// Xor decode the header data..
this.XorKey = SteamStubHelpers.SteamXor(ref headerData, headerSize);
this.StubHeader = Pe32Helpers.GetStructure <SteamStub32Var30Header>(headerData);
// Validate the structure signature..
if (this.StubHeader.Signature == 0xC0DEC0DE)
{
return(true);
}
// Tls was valid for the real oep..
this.TlsAsOep = true;
this.TlsOepRva = fileOffset;
return(true);
}
/// <summary>
/// Step #1
///
/// Read, disassemble and decode the SteamStub DRM header.
/// </summary>
/// <returns></returns>
private bool Step1()
{
/**
* Note: This version of the stub has a variable length header due to how it builds the
* header information. When the stub is generated, the header has additional string data
* that can be dynamically built based on the various options of the protection being used
* and other needed API imports. Inside of the stub header, this field is 'StubData'.
*/
// Obtain the file entry offset..
var fileOffset = this.File.GetFileOffsetFromRva(this.File.NtHeaders.OptionalHeader.AddressOfEntryPoint);
// Validate the DRM header..
if (BitConverter.ToUInt32(this.File.FileData, (int)fileOffset - 4) != 0xC0DEC0DE)
{
return(false);
}
// Disassemble the file to locate the needed DRM information..
if (!this.DisassembleFile(out var structOffset, out var structSize, out var structXorKey))
{
return(false);
}
// Obtain the DRM header data..
var headerData = new byte[structSize];
Array.Copy(this.File.FileData, this.File.GetFileOffsetFromRva(structOffset), headerData, 0, structSize);
// Xor decode the header data..
this.XorKey = SteamStubHelpers.SteamXor(ref headerData, (uint)headerData.Length, structXorKey);
// Determine how to handle the header based on the size..
if ((structSize / 4) == 0xD0)
{
this.StubHeader = Pe32Helpers.GetStructure <SteamStub32Var21Header_D0Variant>(headerData);
this.StubData = headerData.Skip(Marshal.SizeOf(typeof(SteamStub32Var21Header_D0Variant))).ToArray();
}
else
{
this.StubHeader = Pe32Helpers.GetStructure <SteamStub32Var21Header>(headerData);
this.StubData = headerData.Skip(Marshal.SizeOf(typeof(SteamStub32Var21Header))).ToArray();
}
return(true);
}
private void TextBox1DragDrop(object sender, DragEventArgs e)
{
try
{
Array arrayyy = (Array)e.Data.GetData(DataFormats.FileDrop);
if (arrayyy != null)
{
string text = arrayyy.GetValue(0).ToString();
int num = text.LastIndexOf(".", StringComparison.Ordinal);
if (num != -1)
{
string text2 = text.Substring(num);
text2 = text2.ToLower();
if (text2 == ".exe" || text2 == ".dll")
{
Activate();
ExePath = text;
label2.Text = "Status : Exe Loaded";
int num2 = text.LastIndexOf("\\", StringComparison.Ordinal);
if (num2 != -1)
{
DirectoryName = text.Remove(num2, text.Length - num2);
}
if (DirectoryName.Length == 2)
{
DirectoryName += "\\";
}
}
}
}
}
catch
{
}
this.FileData = File.ReadAllBytes(ExePath);
if (IntPtr.Size == 4)
{
this.NtHeaders32 = new NativeApi32.ImageNtHeaders32();
this.DosHeader32 = new NativeApi32.ImageDosHeader32();
this.DosHeader32 = Pe32Helpers.GetStructure <NativeApi32.ImageDosHeader32>(this.FileData);
this.NtHeaders32 = Pe32Helpers.GetStructure <NativeApi32.ImageNtHeaders32>(this.FileData, this.DosHeader32.e_lfanew);
int num = NtHeaders32.FileHeader.NumberOfSections;
for (var x = 0; x < num; x++)
{
var section = Pe32Helpers.GetSection(this.FileData, x, this.DosHeader32, this.NtHeaders32);
if (section.SectionName.Equals(".bxpck"))
{
var sectionData = new byte[this.GetAlignment(section.SizeOfRawData, this.NtHeaders32.OptionalHeader.FileAlignment)];
Array.Copy(this.FileData, section.PointerToRawData, sectionData, 0, section.SizeOfRawData);
string filename = DirectoryName + "\\" + Path.GetFileNameWithoutExtension(ExePath) + "-Unpacked" + Path.GetExtension(ExePath);
int firstIndex = GetNthIndex(sectionData, 0x5A, 1);
if (sectionData[firstIndex - 1] == 0x4D)
{
File.WriteAllBytes(filename, sectionData.Skip(firstIndex - 1).ToArray());
label3.Text += (firstIndex - 1).ToString("X");
}
else
{
int secondIndex = GetNthIndex(sectionData, 0x5A, 2);
if (sectionData[secondIndex - 1] == 0x4A)
{
File.WriteAllBytes(filename, sectionData.Skip(secondIndex - 1).ToArray());
label3.Text += (secondIndex - 1).ToString("X");
}
else
{
int lastIndex = GetNthIndex(sectionData, 0x4D, 3);
if (sectionData[lastIndex - 1] == 0x4D)
{
File.WriteAllBytes(filename, sectionData.Skip(lastIndex - 1).ToArray());
label3.Text += (lastIndex - 1).ToString("X");
}
else
{
}
}
}
goto sucess;
}
}
}
else
{
this.DosHeader64 = new NativeApi64.ImageDosHeader64();
this.NtHeaders64 = new NativeApi64.ImageNtHeaders64();
this.DosHeader64 = Pe64Helpers.GetStructure <NativeApi64.ImageDosHeader64>(this.FileData);
this.NtHeaders64 = Pe64Helpers.GetStructure <NativeApi64.ImageNtHeaders64>(this.FileData, this.DosHeader64.e_lfanew);
for (var x = 0; x < this.NtHeaders64.FileHeader.NumberOfSections; x++)
{
var section = Pe64Helpers.GetSection(this.FileData, x, this.DosHeader64, this.NtHeaders64);
if (section.SectionName.Equals(".bxpck"))
{
var sectionData = new byte[this.GetAlignment(section.SizeOfRawData, this.NtHeaders64.OptionalHeader.FileAlignment)];
Array.Copy(this.FileData, section.PointerToRawData, sectionData, 0, section.SizeOfRawData);
string filename = DirectoryName + "\\" + Path.GetFileNameWithoutExtension(ExePath) + "-Unpacked" + Path.GetExtension(ExePath);
File.WriteAllBytes(filename, sectionData.Skip(182).ToArray());
goto sucess;
}
}
}
MessageBox.Show("BoxedAppPacker section not found (.bxpck) ! ", "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
sucess:
label2.Text = "Status : Success ! ";
}