Decrypt .resources files
This commit is contained in:
parent
e5a72396c2
commit
ccd7d2ac79
|
@ -84,6 +84,10 @@
|
||||||
<Compile Include="deobfuscators\CodeVeil\MainType.cs" />
|
<Compile Include="deobfuscators\CodeVeil\MainType.cs" />
|
||||||
<Compile Include="deobfuscators\CodeVeil\MethodsDecrypter.cs" />
|
<Compile Include="deobfuscators\CodeVeil\MethodsDecrypter.cs" />
|
||||||
<Compile Include="deobfuscators\CodeVeil\ObfuscatorVersion.cs" />
|
<Compile Include="deobfuscators\CodeVeil\ObfuscatorVersion.cs" />
|
||||||
|
<Compile Include="deobfuscators\CodeVeil\ResourceConverter.cs" />
|
||||||
|
<Compile Include="deobfuscators\CodeVeil\ResourceDecrypter.cs" />
|
||||||
|
<Compile Include="deobfuscators\CodeVeil\ResourceInfo.cs" />
|
||||||
|
<Compile Include="deobfuscators\CodeVeil\ResourceReader.cs" />
|
||||||
<Compile Include="deobfuscators\CodeVeil\StringDecrypter.cs" />
|
<Compile Include="deobfuscators\CodeVeil\StringDecrypter.cs" />
|
||||||
<Compile Include="deobfuscators\CodeVeil\Deobfuscator.cs" />
|
<Compile Include="deobfuscators\CodeVeil\Deobfuscator.cs" />
|
||||||
<Compile Include="deobfuscators\CodeVeil\ProxyDelegateFinder.cs" />
|
<Compile Include="deobfuscators\CodeVeil\ProxyDelegateFinder.cs" />
|
||||||
|
|
|
@ -205,6 +205,8 @@ namespace de4dot.code.deobfuscators.CodeVeil {
|
||||||
|
|
||||||
proxyDelegateFinder.initialize();
|
proxyDelegateFinder.initialize();
|
||||||
proxyDelegateFinder.find();
|
proxyDelegateFinder.find();
|
||||||
|
|
||||||
|
new ResourceDecrypter(module).decrypt();
|
||||||
}
|
}
|
||||||
|
|
||||||
void removeTamperDetection() {
|
void removeTamperDetection() {
|
||||||
|
|
149
de4dot.code/deobfuscators/CodeVeil/ResourceConverter.cs
Normal file
149
de4dot.code/deobfuscators/CodeVeil/ResourceConverter.cs
Normal file
|
@ -0,0 +1,149 @@
|
||||||
|
/*
|
||||||
|
Copyright (C) 2011-2012 de4dot@gmail.com
|
||||||
|
|
||||||
|
This file is part of de4dot.
|
||||||
|
|
||||||
|
de4dot is free software: you can redistribute it and/or modify
|
||||||
|
it under the terms of the GNU General Public License as published by
|
||||||
|
the Free Software Foundation, either version 3 of the License, or
|
||||||
|
(at your option) any later version.
|
||||||
|
|
||||||
|
de4dot is distributed in the hope that it will be useful,
|
||||||
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
GNU General Public License for more details.
|
||||||
|
|
||||||
|
You should have received a copy of the GNU General Public License
|
||||||
|
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*/
|
||||||
|
|
||||||
|
using System;
|
||||||
|
using System.IO;
|
||||||
|
using Mono.Cecil;
|
||||||
|
using de4dot.code.resources;
|
||||||
|
|
||||||
|
namespace de4dot.code.deobfuscators.CodeVeil {
|
||||||
|
class ResourceConverter {
|
||||||
|
ModuleDefinition module;
|
||||||
|
ResourceInfo[] infos;
|
||||||
|
ResourceDataCreator dataCreator;
|
||||||
|
|
||||||
|
public ResourceConverter(ModuleDefinition module, ResourceInfo[] infos) {
|
||||||
|
this.module = module;
|
||||||
|
this.dataCreator = new ResourceDataCreator(module);
|
||||||
|
this.infos = infos;
|
||||||
|
}
|
||||||
|
|
||||||
|
public byte[] convert() {
|
||||||
|
var resources = new ResourceElementSet();
|
||||||
|
foreach (var info in infos)
|
||||||
|
resources.add(convert(info));
|
||||||
|
|
||||||
|
var memStream = new MemoryStream();
|
||||||
|
ResourceWriter.write(module, memStream, resources);
|
||||||
|
return memStream.ToArray();
|
||||||
|
}
|
||||||
|
|
||||||
|
ResourceElement convert(ResourceInfo info) {
|
||||||
|
var reader = info.dataReader;
|
||||||
|
reader.BaseStream.Position = info.offset;
|
||||||
|
|
||||||
|
IResourceData resourceData;
|
||||||
|
int type = (info.flags & 0x7F);
|
||||||
|
switch (type) {
|
||||||
|
case 1: // bool
|
||||||
|
resourceData = dataCreator.create(reader.ReadBoolean());
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 2: // byte
|
||||||
|
resourceData = dataCreator.create(reader.ReadByte());
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 3: // byte[]
|
||||||
|
resourceData = dataCreator.create(reader.ReadBytes(info.length));
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 4: // char[]
|
||||||
|
resourceData = dataCreator.create(reader.ReadChars(info.length));
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 5: // sbyte
|
||||||
|
resourceData = dataCreator.create(reader.ReadSByte());
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 6: // char
|
||||||
|
resourceData = dataCreator.create(reader.ReadChar());
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 7: // decimal
|
||||||
|
resourceData = dataCreator.create(reader.ReadDecimal());
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 8: // double
|
||||||
|
resourceData = dataCreator.create(reader.ReadDouble());
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 9: // short
|
||||||
|
resourceData = dataCreator.create(reader.ReadInt16());
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 10: // int
|
||||||
|
resourceData = dataCreator.create(reader.ReadInt32());
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 11: // long
|
||||||
|
resourceData = dataCreator.create(reader.ReadInt64());
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 12: // float
|
||||||
|
resourceData = dataCreator.create(reader.ReadSingle());
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 13: // string
|
||||||
|
resourceData = dataCreator.create(reader.ReadString());
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 14: // ushort
|
||||||
|
resourceData = dataCreator.create(reader.ReadUInt16());
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 15: // uint
|
||||||
|
resourceData = dataCreator.create(reader.ReadUInt32());
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 16: // ulong
|
||||||
|
resourceData = dataCreator.create(reader.ReadUInt64());
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 17: // DateTime
|
||||||
|
resourceData = dataCreator.create(DateTime.FromBinary(reader.ReadInt64()));
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 18: // TimeSpan
|
||||||
|
resourceData = dataCreator.create(TimeSpan.FromTicks(reader.ReadInt64()));
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 19: // Icon
|
||||||
|
resourceData = dataCreator.createIcon(reader.ReadBytes(info.length));
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 20: // Image
|
||||||
|
resourceData = dataCreator.createImage(reader.ReadBytes(info.length));
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 31: // binary
|
||||||
|
resourceData = dataCreator.createSerialized(reader.ReadBytes(info.length));
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 21: // Point (CV doesn't restore this type)
|
||||||
|
default:
|
||||||
|
throw new Exception("Unknown type");
|
||||||
|
}
|
||||||
|
|
||||||
|
return new ResourceElement() {
|
||||||
|
Name = info.name,
|
||||||
|
ResourceData = resourceData,
|
||||||
|
};
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
70
de4dot.code/deobfuscators/CodeVeil/ResourceDecrypter.cs
Normal file
70
de4dot.code/deobfuscators/CodeVeil/ResourceDecrypter.cs
Normal file
|
@ -0,0 +1,70 @@
|
||||||
|
/*
|
||||||
|
Copyright (C) 2011-2012 de4dot@gmail.com
|
||||||
|
|
||||||
|
This file is part of de4dot.
|
||||||
|
|
||||||
|
de4dot is free software: you can redistribute it and/or modify
|
||||||
|
it under the terms of the GNU General Public License as published by
|
||||||
|
the Free Software Foundation, either version 3 of the License, or
|
||||||
|
(at your option) any later version.
|
||||||
|
|
||||||
|
de4dot is distributed in the hope that it will be useful,
|
||||||
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
GNU General Public License for more details.
|
||||||
|
|
||||||
|
You should have received a copy of the GNU General Public License
|
||||||
|
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*/
|
||||||
|
|
||||||
|
using System;
|
||||||
|
using System.IO;
|
||||||
|
using Mono.Cecil;
|
||||||
|
|
||||||
|
namespace de4dot.code.deobfuscators.CodeVeil {
|
||||||
|
class ResourceDecrypter {
|
||||||
|
ModuleDefinition module;
|
||||||
|
|
||||||
|
public ResourceDecrypter(ModuleDefinition module) {
|
||||||
|
this.module = module;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void decrypt() {
|
||||||
|
for (int i = 0; i < module.Resources.Count; i++) {
|
||||||
|
var resource = module.Resources[i] as EmbeddedResource;
|
||||||
|
if (resource == null)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
var decrypted = decrypt(resource.GetResourceStream());
|
||||||
|
if (decrypted == null)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
module.Resources[i] = new EmbeddedResource(resource.Name, resource.Attributes, decrypted);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
byte[] decrypt(Stream stream) {
|
||||||
|
try {
|
||||||
|
stream.Position = 0;
|
||||||
|
var reader = new BinaryReader(stream);
|
||||||
|
uint sig = reader.ReadUInt32();
|
||||||
|
if (sig == 0xBEEFCACE)
|
||||||
|
return decryptBeefcace(reader);
|
||||||
|
//TODO: Decrypt the other type
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
catch (ApplicationException) {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
catch (Exception ex) {
|
||||||
|
Log.w("Got an exception when decrypting resources: {0}", ex.GetType());
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
byte[] decryptBeefcace(BinaryReader reader) {
|
||||||
|
var resourceReader = new ResourceReader(reader);
|
||||||
|
return new ResourceConverter(module, resourceReader.read()).convert();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
41
de4dot.code/deobfuscators/CodeVeil/ResourceInfo.cs
Normal file
41
de4dot.code/deobfuscators/CodeVeil/ResourceInfo.cs
Normal file
|
@ -0,0 +1,41 @@
|
||||||
|
/*
|
||||||
|
Copyright (C) 2011-2012 de4dot@gmail.com
|
||||||
|
|
||||||
|
This file is part of de4dot.
|
||||||
|
|
||||||
|
de4dot is free software: you can redistribute it and/or modify
|
||||||
|
it under the terms of the GNU General Public License as published by
|
||||||
|
the Free Software Foundation, either version 3 of the License, or
|
||||||
|
(at your option) any later version.
|
||||||
|
|
||||||
|
de4dot is distributed in the hope that it will be useful,
|
||||||
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
GNU General Public License for more details.
|
||||||
|
|
||||||
|
You should have received a copy of the GNU General Public License
|
||||||
|
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*/
|
||||||
|
|
||||||
|
using System;
|
||||||
|
using System.IO;
|
||||||
|
|
||||||
|
namespace de4dot.code.deobfuscators.CodeVeil {
|
||||||
|
class ResourceInfo {
|
||||||
|
public string name;
|
||||||
|
public byte flags;
|
||||||
|
public int offset;
|
||||||
|
public int length;
|
||||||
|
public BinaryReader dataReader;
|
||||||
|
public ResourceInfo(string name, byte flags, int offset, int length) {
|
||||||
|
this.name = name;
|
||||||
|
this.flags = flags;
|
||||||
|
this.offset = offset;
|
||||||
|
this.length = length;
|
||||||
|
}
|
||||||
|
|
||||||
|
public override string ToString() {
|
||||||
|
return string.Format("{0:X2} {1:X8} {2} {3}", flags, offset, length, name);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
128
de4dot.code/deobfuscators/CodeVeil/ResourceReader.cs
Normal file
128
de4dot.code/deobfuscators/CodeVeil/ResourceReader.cs
Normal file
|
@ -0,0 +1,128 @@
|
||||||
|
/*
|
||||||
|
Copyright (C) 2011-2012 de4dot@gmail.com
|
||||||
|
|
||||||
|
This file is part of de4dot.
|
||||||
|
|
||||||
|
de4dot is free software: you can redistribute it and/or modify
|
||||||
|
it under the terms of the GNU General Public License as published by
|
||||||
|
the Free Software Foundation, either version 3 of the License, or
|
||||||
|
(at your option) any later version.
|
||||||
|
|
||||||
|
de4dot is distributed in the hope that it will be useful,
|
||||||
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
GNU General Public License for more details.
|
||||||
|
|
||||||
|
You should have received a copy of the GNU General Public License
|
||||||
|
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*/
|
||||||
|
|
||||||
|
using System;
|
||||||
|
using System.Collections.Generic;
|
||||||
|
using System.IO;
|
||||||
|
using System.Text;
|
||||||
|
|
||||||
|
namespace de4dot.code.deobfuscators.CodeVeil {
|
||||||
|
class ResourceReader {
|
||||||
|
BinaryReader reader;
|
||||||
|
string resourceReader;
|
||||||
|
string resourceSet;
|
||||||
|
|
||||||
|
public string ResourceReaderName {
|
||||||
|
get { return resourceReader; }
|
||||||
|
}
|
||||||
|
|
||||||
|
public string ResourceSetName {
|
||||||
|
get { return resourceSet; }
|
||||||
|
}
|
||||||
|
|
||||||
|
public ResourceReader(Stream stream) {
|
||||||
|
stream.Position = 0;
|
||||||
|
reader = new BinaryReader(stream);
|
||||||
|
}
|
||||||
|
|
||||||
|
public ResourceReader(BinaryReader reader) {
|
||||||
|
reader.BaseStream.Position = 0;
|
||||||
|
this.reader = reader;
|
||||||
|
}
|
||||||
|
|
||||||
|
public ResourceInfo[] read() {
|
||||||
|
if (reader.ReadUInt32() != 0xBEEFCACE)
|
||||||
|
throw new ApplicationException("Invalid magic");
|
||||||
|
if (reader.ReadUInt32() <= 0)
|
||||||
|
throw new ApplicationException("Invalid number");
|
||||||
|
reader.ReadUInt32();
|
||||||
|
resourceReader = reader.ReadString();
|
||||||
|
resourceSet = reader.ReadString();
|
||||||
|
if (reader.ReadByte() != 1)
|
||||||
|
throw new ApplicationException("Invalid version");
|
||||||
|
|
||||||
|
int flags = reader.ReadByte();
|
||||||
|
if ((flags & 0xFC) != 0)
|
||||||
|
throw new ApplicationException("Invalid flags");
|
||||||
|
bool inflateData = (flags & 1) != 0;
|
||||||
|
bool encrypted = (flags & 2) != 0;
|
||||||
|
|
||||||
|
int numResources = reader.ReadInt32();
|
||||||
|
if (numResources < 0)
|
||||||
|
throw new ApplicationException("Invalid number of resources");
|
||||||
|
|
||||||
|
var infos = new ResourceInfo[numResources];
|
||||||
|
for (int i = 0; i < numResources; i++) {
|
||||||
|
var resourceName = readResourceName(reader, encrypted);
|
||||||
|
int offset = reader.ReadInt32();
|
||||||
|
byte resourceFlags = reader.ReadByte();
|
||||||
|
int resourceLength = (resourceFlags & 0x80) == 0 ? -1 : reader.ReadInt32();
|
||||||
|
infos[i] = new ResourceInfo(resourceName, resourceFlags, offset, resourceLength);
|
||||||
|
}
|
||||||
|
|
||||||
|
var dataReader = reader;
|
||||||
|
if (encrypted) {
|
||||||
|
var key = new uint[4];
|
||||||
|
key[0] = dataReader.ReadUInt32();
|
||||||
|
key[1] = dataReader.ReadUInt32();
|
||||||
|
int numDwords = dataReader.ReadInt32();
|
||||||
|
if (numDwords < 0 || numDwords >= 0x40000000)
|
||||||
|
throw new ApplicationException("Invalid number of encrypted dwords");
|
||||||
|
var encryptedData = new uint[numDwords];
|
||||||
|
for (int i = 0; i < numDwords; i++)
|
||||||
|
encryptedData[i] = dataReader.ReadUInt32();
|
||||||
|
key[2] = dataReader.ReadUInt32();
|
||||||
|
key[3] = dataReader.ReadUInt32();
|
||||||
|
DeobUtils.xxteaDecrypt(encryptedData, key);
|
||||||
|
byte[] decryptedData = new byte[encryptedData.Length * 4];
|
||||||
|
Buffer.BlockCopy(encryptedData, 0, decryptedData, 0, decryptedData.Length);
|
||||||
|
dataReader = new BinaryReader(new MemoryStream(decryptedData));
|
||||||
|
}
|
||||||
|
|
||||||
|
if (inflateData) {
|
||||||
|
var data = dataReader.ReadBytes((int)(dataReader.BaseStream.Length - dataReader.BaseStream.Position));
|
||||||
|
data = DeobUtils.inflate(data, true);
|
||||||
|
dataReader = new BinaryReader(new MemoryStream(data));
|
||||||
|
}
|
||||||
|
|
||||||
|
foreach (var info in infos)
|
||||||
|
info.dataReader = dataReader;
|
||||||
|
|
||||||
|
return infos;
|
||||||
|
}
|
||||||
|
|
||||||
|
static string readResourceName(BinaryReader reader, bool encrypted) {
|
||||||
|
if (!encrypted)
|
||||||
|
return reader.ReadString();
|
||||||
|
|
||||||
|
int len = reader.ReadInt32();
|
||||||
|
if (len < 0)
|
||||||
|
throw new ApplicationException("Invalid string length");
|
||||||
|
var sb = new StringBuilder(len);
|
||||||
|
for (int i = 0; i < len; i++)
|
||||||
|
sb.Append((char)rol3(reader.ReadChar()));
|
||||||
|
return sb.ToString();
|
||||||
|
}
|
||||||
|
|
||||||
|
static char rol3(char c) {
|
||||||
|
ushort s = (ushort)c;
|
||||||
|
return (char)((s << 3) | (s >> (16 - 3)));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
Loading…
Reference in New Issue
Block a user