/// <summary> /// Gets the SteamStub header size from the given file. /// </summary> /// <param name="f"></param> /// <returns></returns> private uint GetHeaderSize(Pe64File f) { // Obtain the bind section data.. var bind = f.GetSectionData(".bind"); // Attempt to locate the known v3.x signature.. var varient = Pe64Helpers.FindPattern(bind, "E8 00 00 00 00 50 53 51 52 56 57 55 41 50"); if (varient == 0) { return(0); } // Attempt to determine the varient version.. var offset = Pe64Helpers.FindPattern(bind, "48 8D 91 ?? ?? ?? ?? 48"); // 3.0 if (offset == 0) { offset = Pe64Helpers.FindPattern(bind, "48 8D 91 ?? ?? ?? ?? 41"); // 3.1 } // Ensure a pattern was found.. if (offset == 0) { return(0); } // Read the header size.. (The header size is only 32bit!) return((uint)Math.Abs(BitConverter.ToInt32(bind, (int)offset + 3))); }
/// <summary> /// Step #1 /// /// Read, decode and validate the SteamStub DRM header. /// </summary> /// <returns></returns> private bool Step1() { // Obtain the header size.. var headerSize = this.GetHeaderSize(this.File); // Obtain the DRM header data.. var fileOffset = this.File.GetFileOffsetFromRva(this.File.NtHeaders.OptionalHeader.AddressOfEntryPoint); var headerData = new byte[headerSize]; Array.Copy(this.File.FileData, (long)(fileOffset - headerSize), headerData, 0, headerSize); // Xor decode the header data.. this.XorKey = SteamStubHelpers.SteamXor(ref headerData, headerSize); this.StubHeader = Pe64Helpers.GetStructure <SteamStub64Var30Header>(headerData); // Validate the structure signature.. if (this.StubHeader.Signature == 0xC0DEC0DE) { return(true); } // Try again using the Tls callback (if any) as the OEP instead.. if (this.File.TlsCallbacks.Count == 0) { return(false); } // Obtain the DRM header data.. fileOffset = this.File.GetRvaFromVa(this.File.TlsCallbacks[0]); fileOffset = this.File.GetFileOffsetFromRva(fileOffset); headerData = new byte[headerSize]; Array.Copy(this.File.FileData, (long)(fileOffset - headerSize), headerData, 0, headerSize); // Xor decode the header data.. this.XorKey = SteamStubHelpers.SteamXor(ref headerData, headerSize); this.StubHeader = Pe64Helpers.GetStructure <SteamStub64Var30Header>(headerData); // Validate the structure signature.. if (this.StubHeader.Signature != 0xC0DEC0DE) { return(false); } // Tls was valid for the real oep.. this.TlsAsOep = true; this.TlsOepRva = this.File.GetRvaFromVa(this.File.TlsCallbacks[0]); // Is the TlsCallback replacing the OEP.. if (this.StubHeader.HasTlsCallback != 1 || this.File.TlsCallbacks[0] == 0) { return(true); } // Rebuild the file Tls callback information.. return(this.RebuildTlsCallbackInformation()); }
/// <summary> /// Processing function called when a file is being unpacked. Allows plugins to check the file /// and see if it can handle the file for its intended purpose. /// </summary> /// <param name="file"></param> /// <returns></returns> public override bool CanProcessFile(string file) { try { // Load the file.. var f = new Pe64File(file); if (!f.Parse() || !f.IsFile64Bit() || !f.HasSection(".bind")) { return(false); } // Obtain the bind section data.. var bind = f.GetSectionData(".bind"); // Attempt to locate the known v3.x signature.. var varient = Pe64Helpers.FindPattern(bind, "E8 00 00 00 00 50 53 51 52 56 57 55 41 50"); if (varient == 0) { return(false); } // Attempt to determine the varient version.. var offset = Pe64Helpers.FindPattern(bind, "48 8D 91 ?? ?? ?? ?? 48"); // 3.0 if (offset == 0) { offset = Pe64Helpers.FindPattern(bind, "48 8D 91 ?? ?? ?? ?? 41"); // 3.1 } if (offset == 0) { offset = Pe64Helpers.FindPattern(bind, "48 C7 84 24 ?? ?? ?? ?? ?? ?? ?? ?? 48"); // 3.1.2 if (offset > 0) { offset += 5; } } // Ensure a pattern was found.. if (offset == 0) { return(false); } // Read the header size.. (The header size is only 32bit!) var headerSize = Math.Abs(BitConverter.ToInt32(bind, (int)offset + 3)); // Check for the known 3.1 header size.. return(headerSize == 0xF0); } catch { return(false); } }
/// <summary> /// Step #7 /// /// Recalculate the file checksum. /// </summary> /// <returns></returns> private bool Step7() { var unpackedPath = this.File.FilePath + ".unpacked.exe"; if (!Pe64Helpers.UpdateFileChecksum(unpackedPath)) { this.Log(" --> Error trying to recalculate unpacked file checksum!", LogMessageType.Error); return(false); } this.Log(" --> Unpacked file updated with new checksum!", LogMessageType.Success); return(true); }
/// <summary> /// Rebuilds the file TlsCallback information and repairs the proper OEP. /// </summary> /// <returns></returns> private bool RebuildTlsCallbackInformation() { // Ensure the modified main TlsCallback is within the .bind section.. var section = this.File.GetOwnerSection(this.File.GetRvaFromVa(this.File.TlsCallbacks[0])); if (!section.IsValid || string.Compare(section.SectionName, ".bind", System.Globalization.CultureInfo.InvariantCulture, System.Globalization.CompareOptions.IgnoreCase) != 0) { return(false); } // Obtain the section that holds the Tls directory information.. var addr = this.File.GetFileOffsetFromRva(this.File.GetRvaFromVa(this.File.TlsDirectory.AddressOfCallBacks)); var tlsd = this.File.GetOwnerSection(addr); if (!tlsd.IsValid) { return(false); } addr -= tlsd.PointerToRawData; // Restore the true original TlsCallback address.. var callback = BitConverter.GetBytes(this.File.NtHeaders.OptionalHeader.ImageBase + this.StubHeader.OriginalEntryPoint); Array.Copy(callback, 0, this.File.GetSectionData(this.File.GetSectionIndex(tlsd)), (int)addr, callback.Length); // Find the original entry point function.. var entry = this.File.GetFileOffsetFromRva(this.File.NtHeaders.OptionalHeader.AddressOfEntryPoint); var data = this.File.FileData.Skip((int)entry).Take(0x100).ToArray(); // Find the XOR key from within the function.. var res = Pe64Helpers.FindPattern(data, "48 81 EA ?? ?? ?? ?? 8B 12 81 F2"); if (res == -1) { return(false); } // Decrypt and recalculate the true OEP address.. var key = (ulong)(this.StubHeader.XorKey ^ BitConverter.ToInt32(data, (int)res + 0x0B)); var off = (ulong)((this.File.NtHeaders.OptionalHeader.ImageBase + this.File.NtHeaders.OptionalHeader.AddressOfEntryPoint) + key); // Store the proper OEP.. this.TlsOepOverride = (uint)(off - this.File.NtHeaders.OptionalHeader.ImageBase); return(true); }
/// <summary> /// Step #1 /// /// Read, decode and validate the SteamStub DRM header. /// </summary> /// <returns></returns> private bool Step1() { // Obtain the DRM header data.. var fileOffset = this.File.GetFileOffsetFromRva(this.File.NtHeaders.OptionalHeader.AddressOfEntryPoint); var headerData = new byte[0xF0]; Array.Copy(this.File.FileData, (long)(fileOffset - 0xF0), headerData, 0, 0xF0); // Xor decode the header data.. this.XorKey = SteamStubHelpers.SteamXor(ref headerData, 0xF0); this.StubHeader = Pe64Helpers.GetStructure <SteamStub64Var31Header>(headerData); // Validate the header signature.. if (this.StubHeader.Signature == 0xC0DEC0DF) { return(true); } // Try again using the Tls callback (if any) as the OEP instead.. if (this.File.TlsCallbacks.Count == 0) { return(false); } // Obtain the DRM header data.. fileOffset = this.File.GetRvaFromVa(this.File.TlsCallbacks[0]); fileOffset = this.File.GetFileOffsetFromRva(fileOffset); headerData = new byte[0xF0]; Array.Copy(this.File.FileData, (long)(fileOffset - 0xF0), headerData, 0, 0xF0); // Xor decode the header data.. this.XorKey = SteamStubHelpers.SteamXor(ref headerData, 0xF0); this.StubHeader = Pe64Helpers.GetStructure <SteamStub64Var31Header>(headerData); // Validate the header signature.. if (this.StubHeader.Signature != 0xC0DEC0DF) { return(false); } // Tls was valid for the real oep.. this.TlsAsOep = true; this.TlsOepRva = fileOffset; return(true); }
/// <summary> /// Step #1 /// /// Read, decode and validate the SteamStub DRM header. /// </summary> /// <returns></returns> private bool Step1() { // Obtain the header size.. var headerSize = this.GetHeaderSize(this.File); // Obtain the DRM header data.. var fileOffset = this.File.GetFileOffsetFromRva(this.File.NtHeaders.OptionalHeader.AddressOfEntryPoint); var headerData = new byte[headerSize]; Array.Copy(this.File.FileData, (long)(fileOffset - headerSize), headerData, 0, headerSize); // Xor decode the header data.. this.XorKey = SteamStubHelpers.SteamXor(ref headerData, headerSize); this.StubHeader = Pe64Helpers.GetStructure <SteamStub64Var30Header>(headerData); // Validate the structure signature.. return(this.StubHeader.Signature == 0xC0DEC0DE); }
/// <summary> /// Step #6 /// /// Rebuild and save the unpacked file. /// </summary> /// <returns></returns> private bool Step6() { FileStream fStream = null; try { // Rebuild the file sections.. this.File.RebuildSections(); // Open the unpacked file for writing.. var unpackedPath = this.File.FilePath + ".unpacked.exe"; fStream = new FileStream(unpackedPath, FileMode.Create, FileAccess.ReadWrite); // Write the DOS header to the file.. fStream.WriteBytes(Pe64Helpers.GetStructureBytes(this.File.DosHeader)); // Write the DOS stub to the file.. if (this.File.DosStubSize > 0) { fStream.WriteBytes(this.File.DosStubData); } // Update the entry point of the file.. var ntHeaders = this.File.NtHeaders; ntHeaders.OptionalHeader.AddressOfEntryPoint = this.StubHeader.OriginalEntryPoint; this.File.NtHeaders = ntHeaders; // Write the NT headers to the file.. fStream.WriteBytes(Pe64Helpers.GetStructureBytes(ntHeaders)); // Write the sections to the file.. for (var x = 0; x < this.File.Sections.Count; x++) { var section = this.File.Sections[x]; var sectionData = this.File.SectionData[x]; // Write the section header to the file.. fStream.WriteBytes(Pe64Helpers.GetStructureBytes(section)); // Set the file pointer to the sections raw data.. var sectionOffset = fStream.Position; fStream.Position = section.PointerToRawData; // Write the sections raw data.. var sectionIndex = this.File.Sections.IndexOf(section); if (sectionIndex == this.CodeSectionIndex) { fStream.WriteBytes(this.CodeSectionData ?? sectionData); } else { fStream.WriteBytes(sectionData); } // Reset the file offset.. fStream.Position = sectionOffset; } // Set the stream to the end of the file.. fStream.Position = fStream.Length; // Write the overlay data if it exists.. if (this.File.OverlayData != null) { fStream.WriteBytes(this.File.OverlayData); } this.Log(" --> Unpacked file saved to disk!", LogMessageType.Success); this.Log($" --> File Saved As: {unpackedPath}", LogMessageType.Success); return(true); } catch { this.Log(" --> Error trying to save unpacked file!", LogMessageType.Error); return(false); } finally { fStream?.Dispose(); } }
private void TextBox1DragDrop(object sender, DragEventArgs e) { try { Array arrayyy = (Array)e.Data.GetData(DataFormats.FileDrop); if (arrayyy != null) { string text = arrayyy.GetValue(0).ToString(); int num = text.LastIndexOf(".", StringComparison.Ordinal); if (num != -1) { string text2 = text.Substring(num); text2 = text2.ToLower(); if (text2 == ".exe" || text2 == ".dll") { Activate(); ExePath = text; label2.Text = "Status : Exe Loaded"; int num2 = text.LastIndexOf("\\", StringComparison.Ordinal); if (num2 != -1) { DirectoryName = text.Remove(num2, text.Length - num2); } if (DirectoryName.Length == 2) { DirectoryName += "\\"; } } } } } catch { } this.FileData = File.ReadAllBytes(ExePath); if (IntPtr.Size == 4) { this.NtHeaders32 = new NativeApi32.ImageNtHeaders32(); this.DosHeader32 = new NativeApi32.ImageDosHeader32(); this.DosHeader32 = Pe32Helpers.GetStructure <NativeApi32.ImageDosHeader32>(this.FileData); this.NtHeaders32 = Pe32Helpers.GetStructure <NativeApi32.ImageNtHeaders32>(this.FileData, this.DosHeader32.e_lfanew); int num = NtHeaders32.FileHeader.NumberOfSections; for (var x = 0; x < num; x++) { var section = Pe32Helpers.GetSection(this.FileData, x, this.DosHeader32, this.NtHeaders32); if (section.SectionName.Equals(".bxpck")) { var sectionData = new byte[this.GetAlignment(section.SizeOfRawData, this.NtHeaders32.OptionalHeader.FileAlignment)]; Array.Copy(this.FileData, section.PointerToRawData, sectionData, 0, section.SizeOfRawData); string filename = DirectoryName + "\\" + Path.GetFileNameWithoutExtension(ExePath) + "-Unpacked" + Path.GetExtension(ExePath); int firstIndex = GetNthIndex(sectionData, 0x5A, 1); if (sectionData[firstIndex - 1] == 0x4D) { File.WriteAllBytes(filename, sectionData.Skip(firstIndex - 1).ToArray()); label3.Text += (firstIndex - 1).ToString("X"); } else { int secondIndex = GetNthIndex(sectionData, 0x5A, 2); if (sectionData[secondIndex - 1] == 0x4A) { File.WriteAllBytes(filename, sectionData.Skip(secondIndex - 1).ToArray()); label3.Text += (secondIndex - 1).ToString("X"); } else { int lastIndex = GetNthIndex(sectionData, 0x4D, 3); if (sectionData[lastIndex - 1] == 0x4D) { File.WriteAllBytes(filename, sectionData.Skip(lastIndex - 1).ToArray()); label3.Text += (lastIndex - 1).ToString("X"); } else { } } } goto sucess; } } } else { this.DosHeader64 = new NativeApi64.ImageDosHeader64(); this.NtHeaders64 = new NativeApi64.ImageNtHeaders64(); this.DosHeader64 = Pe64Helpers.GetStructure <NativeApi64.ImageDosHeader64>(this.FileData); this.NtHeaders64 = Pe64Helpers.GetStructure <NativeApi64.ImageNtHeaders64>(this.FileData, this.DosHeader64.e_lfanew); for (var x = 0; x < this.NtHeaders64.FileHeader.NumberOfSections; x++) { var section = Pe64Helpers.GetSection(this.FileData, x, this.DosHeader64, this.NtHeaders64); if (section.SectionName.Equals(".bxpck")) { var sectionData = new byte[this.GetAlignment(section.SizeOfRawData, this.NtHeaders64.OptionalHeader.FileAlignment)]; Array.Copy(this.FileData, section.PointerToRawData, sectionData, 0, section.SizeOfRawData); string filename = DirectoryName + "\\" + Path.GetFileNameWithoutExtension(ExePath) + "-Unpacked" + Path.GetExtension(ExePath); File.WriteAllBytes(filename, sectionData.Skip(182).ToArray()); goto sucess; } } } MessageBox.Show("BoxedAppPacker section not found (.bxpck) ! ", "Error", MessageBoxButtons.OK, MessageBoxIcon.Error); sucess: label2.Text = "Status : Success ! "; }