byte[] unpack2() { shouldUnpack = false; uint headerOffset = peImage.ImageLength - 12; uint offsetEncryptedAssembly = checkOffset(peImage.offsetReadUInt32(headerOffset)); uint ezencryptionLibLength = peImage.offsetReadUInt32(headerOffset + 4); uint iniFileLength = peImage.offsetReadUInt32(headerOffset + 8); uint offsetClrVersionNumber = checked (offsetEncryptedAssembly - 12); uint iniFileOffset = checked (headerOffset - iniFileLength); uint ezencryptionLibOffset = checked (iniFileOffset - ezencryptionLibLength); uint clrVerMajor = peImage.offsetReadUInt32(offsetClrVersionNumber); uint clrVerMinor = peImage.offsetReadUInt32(offsetClrVersionNumber + 4); uint clrVerBuild = peImage.offsetReadUInt32(offsetClrVersionNumber + 8); if (clrVerMajor <= 0 || clrVerMajor >= 20 || clrVerMinor >= 20 || clrVerBuild >= 1000000) { return(null); } var settings = new IniFile(decompress2(peImage.offsetReadBytes(iniFileOffset, (int)iniFileLength))); sizes = getSizes(settings["General_App_Satellite_Assemblies_Sizes"]); if (sizes == null || sizes.Length <= 1) { return(null); } shouldUnpack = true; if (sizes[0] != offsetEncryptedAssembly) { return(null); } filenames = settings["General_App_Satellite_Assemblies"].Split('|'); if (sizes.Length - 1 != filenames.Length) { return(null); } byte[] ezencryptionLibData = decompress1(peImage.offsetReadBytes(ezencryptionLibOffset, (int)ezencryptionLibLength)); var ezencryptionLibModule = ModuleDefinition.ReadModule(new MemoryStream(ezencryptionLibData)); var decrypter = new ApplicationModeDecrypter(ezencryptionLibModule); if (!decrypter.Detected) { return(null); } var mainAssembly = unpackEmbeddedFile(0, decrypter); decrypter.MemoryPatcher.patch(mainAssembly.data); for (int i = 1; i < filenames.Length; i++) { satelliteAssemblies.Add(unpackEmbeddedFile(i, decrypter)); } clearDllBit(mainAssembly.data); return(mainAssembly.data); }
UnpackedFile unpackEmbeddedFile(int index, ApplicationModeDecrypter decrypter) { uint offset = 0; for (int i = 0; i < index + 1; i++) { offset += sizes[i]; } string filename = Win32Path.GetFileName(filenames[index]); var data = peImage.offsetReadBytes(offset, (int)sizes[index + 1]); data = DeobUtils.aesDecrypt(data, decrypter.AssemblyKey, decrypter.AssemblyIv); data = decompress(data); return(new UnpackedFile(filename, data)); }
UnpackedFile UnpackEmbeddedFile(MyPEImage peImage, int index, ApplicationModeDecrypter decrypter) { uint offset = 0; for (int i = 0; i < index + 1; i++) offset += sizes[i]; string filename = Win32Path.GetFileName(filenames[index]); var data = peImage.OffsetReadBytes(offset, (int)sizes[index + 1]); data = DeobUtils.AesDecrypt(data, decrypter.AssemblyKey, decrypter.AssemblyIv); data = Decompress(data); return new UnpackedFile(filename, data); }
byte[] Unpack2(MyPEImage peImage) { shouldUnpack = false; uint headerOffset = (uint)peImage.Length - 12; uint offsetEncryptedAssembly = CheckOffset(peImage, peImage.OffsetReadUInt32(headerOffset)); uint ezencryptionLibLength = peImage.OffsetReadUInt32(headerOffset + 4); uint iniFileLength = peImage.OffsetReadUInt32(headerOffset + 8); uint offsetClrVersionNumber = checked(offsetEncryptedAssembly - 12); uint iniFileOffset = checked(headerOffset - iniFileLength); uint ezencryptionLibOffset = checked(iniFileOffset - ezencryptionLibLength); uint clrVerMajor = peImage.OffsetReadUInt32(offsetClrVersionNumber); uint clrVerMinor = peImage.OffsetReadUInt32(offsetClrVersionNumber + 4); uint clrVerBuild = peImage.OffsetReadUInt32(offsetClrVersionNumber + 8); if (clrVerMajor <= 0 || clrVerMajor >= 20 || clrVerMinor >= 20 || clrVerBuild >= 1000000) return null; var settings = new IniFile(Decompress2(peImage.OffsetReadBytes(iniFileOffset, (int)iniFileLength))); sizes = GetSizes(settings["General_App_Satellite_Assemblies_Sizes"]); if (sizes == null || sizes.Length <= 1) return null; shouldUnpack = true; if (sizes[0] != offsetEncryptedAssembly) return null; filenames = settings["General_App_Satellite_Assemblies"].Split('|'); if (sizes.Length - 1 != filenames.Length) return null; byte[] ezencryptionLibData = Decompress1(peImage.OffsetReadBytes(ezencryptionLibOffset, (int)ezencryptionLibLength)); var ezencryptionLibModule = ModuleDefMD.Load(ezencryptionLibData); var decrypter = new ApplicationModeDecrypter(ezencryptionLibModule); if (!decrypter.Detected) return null; var mainAssembly = UnpackEmbeddedFile(peImage, 0, decrypter); decrypter.MemoryPatcher.Patch(mainAssembly.data); for (int i = 1; i < filenames.Length; i++) satelliteAssemblies.Add(UnpackEmbeddedFile(peImage, i, decrypter)); ClearDllBit(mainAssembly.data); return mainAssembly.data; }