static uint getStructSize(McKey mcKey) { uint magicLo = mcKey.readUInt32(0x8C0); uint magicHi = mcKey.readUInt32(0x8C4); foreach (var info in EncryptionInfos.McKey8C0h) { if (magicLo == info.MagicLo && magicHi == info.MagicHi) { return(0xC + 6 * ENCRYPTED_DATA_INFO_SIZE); } } return(0xC + 3 * ENCRYPTED_DATA_INFO_SIZE); }
public MethodInfos(MainType mainType, PeImage peImage, PeHeader peHeader, McKey mcKey) { this.mainType = mainType; this.peImage = peImage; this.peHeader = peHeader; this.mcKey = mcKey; structSize = getStructSize(mcKey); uint methodInfosRva = peHeader.getRva2(0x0FF8, mcKey.readUInt32(0x005A)); uint encryptedDataRva = peHeader.getRva2(0x0FF0, mcKey.readUInt32(0x0046)); methodInfosOffset = peImage.rvaToOffset(methodInfosRva); encryptedDataOffset = peImage.rvaToOffset(encryptedDataRva); }
EncryptionVersion getVersion() { uint m1lo = peHeader.readUInt32(0x900); uint m1hi = peHeader.readUInt32(0x904); uint m2lo = mcKey.readUInt32(0x8C0); uint m2hi = mcKey.readUInt32(0x8C4); foreach (var info in encryptionInfos_McKey8C0h) { if (info.MagicLo == m2lo && info.MagicHi == m2hi) { return(info.Version); } } foreach (var info in encryptionInfos_Rva900h) { if (info.MagicLo == m1lo && info.MagicHi == m1hi) { return(info.Version); } } Log.w("Could not detect MC version. Magic1: {0:X8} {1:X8}, Magic2: {2:X8} {3:X8}", m1lo, m1hi, m2lo, m2hi); return(EncryptionVersion.Unknown); }
public MethodInfos(MainType mainType, PeImage peImage, PeHeader peHeader, McKey mcKey) { this.mainType = mainType; this.peImage = peImage; this.peHeader = peHeader; this.mcKey = mcKey; decryptHandlersV1 = new Decrypt[] { decrypt1a, decrypt4a, decrypt2a, decrypt3a, decrypt5, decrypt6, decrypt7 }; decryptHandlersV2 = new Decrypt[] { decrypt3a, decrypt2a, decrypt1a, decrypt4a, decrypt5, decrypt6, decrypt7 }; decryptHandlersV3 = new Decrypt[] { decrypt1a, decrypt2a, decrypt3a, decrypt4a, decrypt5, decrypt6, decrypt7 }; decryptHandlersV4 = new Decrypt[] { decrypt2a, decrypt1a, decrypt3a, decrypt4a, decrypt5, decrypt6, decrypt7 }; decryptHandlersV5a = new Decrypt[] { decrypt4a, decrypt2a, decrypt3a, decrypt1a, decrypt5, decrypt6, decrypt7 }; decryptHandlersV5b = new Decrypt[] { decrypt4b, decrypt2b, decrypt3b, decrypt1b, decrypt6, decrypt7, decrypt5 }; decryptHandlersV5c = new Decrypt[] { decrypt4c, decrypt2c, decrypt3c, decrypt1c, decrypt6, decrypt7, decrypt5 }; structSize = getStructSize(mcKey); uint methodInfosRva = peHeader.getRva(0x0FF8, mcKey.readUInt32(0x005A)); uint encryptedDataRva = peHeader.getRva(0x0FF0, mcKey.readUInt32(0x0046)); methodInfosOffset = peImage.rvaToOffset(methodInfosRva); encryptedDataOffset = peImage.rvaToOffset(encryptedDataRva); }
void decryptResources() { uint resourceRva = peHeader.getRva1(0x0E10, mcKey.readUInt32(0x00A0)); uint resourceSize = peHeader.readUInt32(0x0E14) ^ mcKey.readUInt32(0x00AA); if (resourceRva == 0 || resourceSize == 0) { return; } if (resourceRva != peImage.Cor20Header.resources.virtualAddress || resourceSize != peImage.Cor20Header.resources.size) { Log.w("Invalid resource RVA and size found"); } Log.v("Decrypting resources @ RVA {0:X8}, {1} bytes", resourceRva, resourceSize); int resourceOffset = (int)peImage.rvaToOffset(resourceRva); for (int i = 0; i < resourceSize; i++) { fileData[resourceOffset + i] ^= mcKey[i % 0x2000]; } }
EncryptionVersion getVersion() { if (peHeader.EncryptionVersion != EncryptionVersion.Unknown) { return(peHeader.EncryptionVersion); } uint m2lo = mcKey.readUInt32(0x8C0); uint m2hi = mcKey.readUInt32(0x8C4); foreach (var info in EncryptionInfos.McKey8C0h) { if (info.MagicLo == m2lo && info.MagicHi == m2hi) { return(info.Version); } } Log.w("Could not detect MC version. Magic2: {0:X8} {1:X8}", m2lo, m2hi); return(EncryptionVersion.Unknown); }
static uint getStructSize(McKey mcKey) { uint magicLo = mcKey.readUInt32(0x8C0); uint magicHi = mcKey.readUInt32(0x8C4); foreach (var info in encryptionInfos_McKey8C0h) { if (magicLo == info.MagicLo && magicHi == info.MagicHi) return 0xC + 6 * ENCRYPTED_DATA_INFO_SIZE; } return 0xC + 3 * ENCRYPTED_DATA_INFO_SIZE; }
public MethodInfos(MainType mainType, MyPEImage peImage, PeHeader peHeader, McKey mcKey) { this.mainType = mainType; this.peImage = peImage; this.peHeader = peHeader; this.mcKey = mcKey; decryptHandlersV1 = new Decrypt[] { decrypt1a, decrypt4a, decrypt2a, decrypt3a, decrypt5, decrypt6, decrypt7 }; decryptHandlersV2 = new Decrypt[] { decrypt3a, decrypt2a, decrypt1a, decrypt4a, decrypt5, decrypt6, decrypt7 }; decryptHandlersV3 = new Decrypt[] { decrypt1a, decrypt2a, decrypt3a, decrypt4a, decrypt5, decrypt6, decrypt7 }; decryptHandlersV4 = new Decrypt[] { decrypt2a, decrypt1a, decrypt3a, decrypt4a, decrypt5, decrypt6, decrypt7 }; decryptHandlersV5a = new Decrypt[] { decrypt4a, decrypt2a, decrypt3a, decrypt1a, decrypt5, decrypt6, decrypt7 }; decryptHandlersV5b = new Decrypt[] { decrypt4b, decrypt2b, decrypt3b, decrypt1b, decrypt6, decrypt7, decrypt5 }; decryptHandlersV5c = new Decrypt[] { decrypt4c, decrypt2c, decrypt3c, decrypt1c, decrypt6, decrypt7, decrypt5 }; decryptHandlersV6a = new Decrypt[] { decrypt4d, decrypt2d, decrypt3d, decrypt1d, decrypt6, decrypt7, decrypt5 }; structSize = getStructSize(mcKey); uint methodInfosRva = peHeader.getRva(0x0FF8, mcKey.readUInt32(0x005A)); uint encryptedDataRva = peHeader.getRva(0x0FF0, mcKey.readUInt32(0x0046)); methodInfosOffset = peImage.rvaToOffset(methodInfosRva); encryptedDataOffset = peImage.rvaToOffset(encryptedDataRva); }