示例#1
0
		public PeHeader(MainType mainType, MyPEImage peImage) {
			version = GetHeaderOffsetAndVersion(peImage, out uint headerOffset);
			headerData = peImage.OffsetReadBytes(headerOffset, 0x1000);
			// MC uses 4-byte xorKey, 2 Hex for 1 Byte
			GuessXorKey(false, peImage, 4);

			switch (version) {
			case EncryptionVersion.V1:
			case EncryptionVersion.V2:
			case EncryptionVersion.V3:
			case EncryptionVersion.V4:
			case EncryptionVersion.V5:
			default:
				xorKey = 0x7ABF931;
				break;

			case EncryptionVersion.V6:
				xorKey = 0x7ABA931;
				break;

			case EncryptionVersion.V7:
				xorKey = 0x8ABA931;
				break;

			case EncryptionVersion.V8:
				if (CheckMcKeyRva(peImage, 0x99BA9A13))
					break;
				if (CheckMcKeyRva(peImage, 0x18ABA931))
					break;
				if (CheckMcKeyRva(peImage, 0x18ABA933))
					break;
				break;
			}
		}
示例#2
0
 public MainType(ModuleDefinition module, MainType oldOne)
 {
     this.module    = module;
     this.mcType    = lookup(oldOne.mcType, "Could not find main type");
     this.mcModule1 = DeobUtils.lookup(module, oldOne.mcModule1, "Could not find MC runtime module ref #1");
     this.mcModule2 = DeobUtils.lookup(module, oldOne.mcModule2, "Could not find MC runtime module ref #2");
 }
示例#3
0
        public PeHeader(MainType mainType, PeImage peImage)
        {
            uint headerOffset;

            version    = getHeaderOffsetAndVersion(peImage, out headerOffset);
            headerData = peImage.offsetReadBytes(headerOffset, 0x1000);
        }
示例#4
0
 public DecrypterInfo(MainType mainType, byte[] fileData)
 {
     this.mainType = mainType;
     peImage       = new MyPEImage(fileData);
     peHeader      = new PeHeader(mainType, peImage);
     mcKey         = new McKey(peImage, peHeader);
     this.fileData = fileData;
 }
示例#5
0
            public PeHeader(MainType mainType, PeImage peImage)
            {
                headerData = getPeHeaderData(peImage);

                if (!mainType.IsOld && peImage.readUInt32(0x2008) != 0x48)
                {
                    rvaDispl1 = readUInt32(0x0FB0) ^ XOR_KEY;
                    rvaDispl2 = readUInt32(0x0FB4) ^ XOR_KEY;
                }
            }
示例#6
0
            public MethodInfos(MainType mainType, PeImage peImage, PeHeader peHeader, McKey mcKey)
            {
                this.mainType = mainType;
                this.peImage  = peImage;
                this.peHeader = peHeader;
                this.mcKey    = mcKey;

                structSize = getStructSize(mcKey);

                uint methodInfosRva   = peHeader.getRva2(0x0FF8, mcKey.readUInt32(0x005A));
                uint encryptedDataRva = peHeader.getRva2(0x0FF0, mcKey.readUInt32(0x0046));

                methodInfosOffset   = peImage.rvaToOffset(methodInfosRva);
                encryptedDataOffset = peImage.rvaToOffset(encryptedDataRva);
            }
示例#7
0
            public MethodInfos(ModuleDef module, MainType mainType, MyPEImage peImage, PeHeader peHeader, McKey mcKey)
            {
                this.module   = module;
                this.mainType = mainType;
                this.peImage  = peImage;
                this.peHeader = peHeader;
                this.mcKey    = mcKey;

                structSize = GetStructSize(mcKey);

                uint methodInfosRva   = peHeader.GetRva(0x0FF8, mcKey.ReadUInt32(0x005A));
                uint encryptedDataRva = peHeader.GetRva(0x0FF0, mcKey.ReadUInt32(0x0046));

                methodInfosOffset   = peImage.RvaToOffset(methodInfosRva);
                encryptedDataOffset = peImage.RvaToOffset(encryptedDataRva);
            }
示例#8
0
        public PeHeader(MainType mainType, MyPEImage peImage)
        {
            uint headerOffset;

            version    = GetHeaderOffsetAndVersion(peImage, out headerOffset);
            headerData = peImage.OffsetReadBytes(headerOffset, 0x1000);

            switch (version)
            {
            case EncryptionVersion.V1:
            case EncryptionVersion.V2:
            case EncryptionVersion.V3:
            case EncryptionVersion.V4:
            case EncryptionVersion.V5:
            default:
                xorKey = 0x7ABF931;
                break;

            case EncryptionVersion.V6:
                xorKey = 0x7ABA931;
                break;

            case EncryptionVersion.V7:
                xorKey = 0x8ABA931;
                break;

            case EncryptionVersion.V8:
                if (CheckMcKeyRva(peImage, 0x99BA9A13))
                {
                    break;
                }
                if (CheckMcKeyRva(peImage, 0x18ABA931))
                {
                    break;
                }
                if (CheckMcKeyRva(peImage, 0x18ABA933))
                {
                    break;
                }
                break;
            }
        }
示例#9
0
            public MethodInfos(MainType mainType, PeImage peImage, PeHeader peHeader, McKey mcKey)
            {
                this.mainType = mainType;
                this.peImage  = peImage;
                this.peHeader = peHeader;
                this.mcKey    = mcKey;

                decryptHandlersV1  = new Decrypt[] { decrypt1a, decrypt4a, decrypt2a, decrypt3a, decrypt5, decrypt6, decrypt7 };
                decryptHandlersV2  = new Decrypt[] { decrypt3a, decrypt2a, decrypt1a, decrypt4a, decrypt5, decrypt6, decrypt7 };
                decryptHandlersV3  = new Decrypt[] { decrypt1a, decrypt2a, decrypt3a, decrypt4a, decrypt5, decrypt6, decrypt7 };
                decryptHandlersV4  = new Decrypt[] { decrypt2a, decrypt1a, decrypt3a, decrypt4a, decrypt5, decrypt6, decrypt7 };
                decryptHandlersV5a = new Decrypt[] { decrypt4a, decrypt2a, decrypt3a, decrypt1a, decrypt5, decrypt6, decrypt7 };
                decryptHandlersV5b = new Decrypt[] { decrypt4b, decrypt2b, decrypt3b, decrypt1b, decrypt6, decrypt7, decrypt5 };
                decryptHandlersV5c = new Decrypt[] { decrypt4c, decrypt2c, decrypt3c, decrypt1c, decrypt6, decrypt7, decrypt5 };

                structSize = getStructSize(mcKey);

                uint methodInfosRva   = peHeader.getRva(0x0FF8, mcKey.readUInt32(0x005A));
                uint encryptedDataRva = peHeader.getRva(0x0FF0, mcKey.readUInt32(0x0046));

                methodInfosOffset   = peImage.rvaToOffset(methodInfosRva);
                encryptedDataOffset = peImage.rvaToOffset(encryptedDataRva);
            }
示例#10
0
        public PeHeader(MainType mainType, MyPEImage peImage)
        {
            uint headerOffset;

            version = getHeaderOffsetAndVersion(peImage, out headerOffset);

            switch (version)
            {
            case EncryptionVersion.V1:
            case EncryptionVersion.V2:
            case EncryptionVersion.V3:
            case EncryptionVersion.V4:
            case EncryptionVersion.V5:
            default:
                xorKey = 0x7ABF931;
                break;

            case EncryptionVersion.V6:
                xorKey = 0x7ABA931;
                break;
            }

            headerData = peImage.offsetReadBytes(headerOffset, 0x1000);
        }
示例#11
0
 protected override void scanForObfuscator()
 {
     mainType = new MainType(module);
     mainType.find();
 }
示例#12
0
 public FileDecrypter(MainType mainType)
 {
     this.mainType = mainType;
 }
示例#13
0
 public MainType(ModuleDefMD module, MainType oldOne)
 {
     this.module = module;
     this.mcType = Lookup(oldOne.mcType, "Could not find main type");
 }
示例#14
0
 protected override void ScanForObfuscator()
 {
     mainType = new MainType(Module);
     mainType.Find();
 }