monocul.us/de4dot-cex
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Decrypt the remaining (EREX) resources

Browse Source
This commit is contained in:
de4dot 2012-02-12 14:28:53 +01:00
parent 9a6bd53cb9
commit 037cb5bc68
3 changed files with 96 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
de4dot.code/de4dot.code.csproj
View File

@ -81,6 +81,7 @@
<Compile Include="deobfuscators\CliSecure\StackFrameHelper.cs" />
<Compile Include="deobfuscators\CliSecure\StringDecrypter.cs" />
<Compile Include="deobfuscators\CodeVeil\AssemblyResolver.cs" />
<Compile Include="deobfuscators\CodeVeil\ErexResourceReader.cs" />
<Compile Include="deobfuscators\CodeVeil\InvalidDataException.cs" />
<Compile Include="deobfuscators\CodeVeil\MainType.cs" />
<Compile Include="deobfuscators\CodeVeil\MethodsDecrypter.cs" />

88
de4dot.code/deobfuscators/CodeVeil/ErexResourceReader.cs Normal file
View File

@ -0,0 +1,88 @@
/*
Copyright (C) 2011-2012 de4dot@gmail.com
This file is part of de4dot.
de4dot is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
de4dot is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
*/
using System;
using System.IO;
namespace de4dot.code.deobfuscators.CodeVeil {
class ErexResourceReader {
BinaryReader reader;
uint[] key;
public ErexResourceReader(Stream stream) {
reader = new BinaryReader(stream);
}
public byte[] decrypt() {
if (reader.ReadUInt32() != 0x58455245)
throw new InvalidDataException("Invalid EREX sig");
if (reader.ReadInt32() > 1)
throw new ApplicationException("Invalid EREX file");
byte flags = reader.ReadByte();
bool isEncrypted = (flags & 1) != 0;
bool isDeflated = (flags & 2) != 0;
int length = reader.ReadInt32();
if (length < 0)
throw new ApplicationException("Invalid length");
if (isEncrypted)
readKey();
if (isDeflated)
reader = new BinaryReader(inflate(length));
if (isEncrypted)
reader = new BinaryReader(decrypt(length));
return reader.ReadBytes(length);
}
void readKey() {
key = new uint[reader.ReadByte()];
for (int i = 0; i < key.Length; i++)
key[i] = reader.ReadUInt32();
}
Stream inflate(int length) {
var data = reader.ReadBytes((int)(reader.BaseStream.Length - reader.BaseStream.Position));
return new MemoryStream(DeobUtils.inflate(data, true));
}
Stream decrypt(int length) {
var block = new uint[4];
var decrypted = new byte[16];
var outStream = new MemoryStream(length);
while (reader.BaseStream.Position < reader.BaseStream.Length) {
block[0] = reader.ReadUInt32();
block[1] = reader.ReadUInt32();
block[2] = reader.ReadUInt32();
block[3] = reader.ReadUInt32();
DeobUtils.xxteaDecrypt(block, key);
Buffer.BlockCopy(block, 0, decrypted, 0, decrypted.Length);
outStream.Write(decrypted, 0, decrypted.Length);
}
outStream.Position = 0;
return outStream;
}
}
}

8
de4dot.code/deobfuscators/CodeVeil/ResourceDecrypter.cs
View File

@ -340,9 +340,11 @@ namespace de4dot.code.deobfuscators.CodeVeil {
stream.Position = 0;
var reader = new BinaryReader(stream);
uint sig = reader.ReadUInt32();
stream.Position = 0;
if (sig == 0xBEEFCACE)
return decryptBeefcace(reader);
//TODO: Decrypt the other type
if (sig == 0x58455245)
return decryptErex(reader);
return null;
}
catch (InvalidDataException) {
@ -362,6 +364,10 @@ namespace de4dot.code.deobfuscators.CodeVeil {
return new ResourceConverter(module, resourceReader.read()).convert();
}
byte[] decryptErex(BinaryReader reader) {
return new ErexResourceReader(reader.BaseStream).decrypt();
}
public void deobfuscate(Blocks blocks) {
foreach (var block in blocks.MethodBlocks.getAllBlocks()) {
var instrs = block.Instructions;