Unpack CS packed files
This commit is contained in:
parent
bb58b0b7e4
commit
d47a03f51a
|
@ -19,6 +19,7 @@
|
||||||
|
|
||||||
using System;
|
using System;
|
||||||
using System.Collections.Generic;
|
using System.Collections.Generic;
|
||||||
|
using dot10.IO;
|
||||||
using dot10.PE;
|
using dot10.PE;
|
||||||
using dot10.DotNet;
|
using dot10.DotNet;
|
||||||
using dot10.DotNet.MD;
|
using dot10.DotNet.MD;
|
||||||
|
@ -123,45 +124,42 @@ namespace de4dot.code.deobfuscators.Agile_NET {
|
||||||
|
|
||||||
// Old CS versions
|
// Old CS versions
|
||||||
byte[] unpackNativeFile1(PEImage peImage) {
|
byte[] unpackNativeFile1(PEImage peImage) {
|
||||||
#if PORT
|
|
||||||
const int dataDirNum = 6; // debug dir
|
const int dataDirNum = 6; // debug dir
|
||||||
const int dotNetDirNum = 14;
|
const int dotNetDirNum = 14;
|
||||||
|
|
||||||
if (peImage.OptionalHeader.dataDirectories[dataDirNum].virtualAddress == 0)
|
var optHeader = peImage.ImageNTHeaders.OptionalHeader;
|
||||||
|
if (optHeader.DataDirectories[dataDirNum].VirtualAddress == 0)
|
||||||
return null;
|
return null;
|
||||||
if (peImage.OptionalHeader.dataDirectories[dataDirNum].size != 0x48)
|
if (optHeader.DataDirectories[dataDirNum].Size != 0x48)
|
||||||
return null;
|
return null;
|
||||||
|
|
||||||
var fileData = peImage.readAllBytes();
|
var fileData = peImage.GetImageAsByteArray();
|
||||||
int dataDir = (int)peImage.OptionalHeader.offsetOfDataDirectory(dataDirNum);
|
long dataDirBaseOffset = (long)optHeader.DataDirectories[0].StartOffset;
|
||||||
int dotNetDir = (int)peImage.OptionalHeader.offsetOfDataDirectory(dotNetDirNum);
|
int dataDir = (int)dataDirBaseOffset + dataDirNum * 8;
|
||||||
|
int dotNetDir = (int)dataDirBaseOffset + dotNetDirNum * 8;
|
||||||
writeUInt32(fileData, dotNetDir, BitConverter.ToUInt32(fileData, dataDir));
|
writeUInt32(fileData, dotNetDir, BitConverter.ToUInt32(fileData, dataDir));
|
||||||
writeUInt32(fileData, dotNetDir + 4, BitConverter.ToUInt32(fileData, dataDir + 4));
|
writeUInt32(fileData, dotNetDir + 4, BitConverter.ToUInt32(fileData, dataDir + 4));
|
||||||
writeUInt32(fileData, dataDir, 0);
|
writeUInt32(fileData, dataDir, 0);
|
||||||
writeUInt32(fileData, dataDir + 4, 0);
|
writeUInt32(fileData, dataDir + 4, 0);
|
||||||
ModuleBytes = fileData;
|
ModuleBytes = fileData;
|
||||||
return fileData;
|
return fileData;
|
||||||
#else
|
|
||||||
return null;
|
|
||||||
#endif
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// CS 1.x
|
// CS 1.x
|
||||||
byte[] unpackNativeFile2(PEImage peImage) {
|
byte[] unpackNativeFile2(PEImage peImage) {
|
||||||
#if PORT
|
var resources = peImage.Win32Resources;
|
||||||
var dir = peImage.Resources.getRoot();
|
if (resources == null)
|
||||||
if ((dir = dir.getDirectory("ASSEMBLY")) == null)
|
|
||||||
return null;
|
return null;
|
||||||
if ((dir = dir.getDirectory(101)) == null)
|
var dir = resources.Root;
|
||||||
|
if ((dir = dir.FindDirectory("ASSEMBLY")) == null)
|
||||||
return null;
|
return null;
|
||||||
var data = dir.getData(0);
|
if ((dir = dir.FindDirectory(101)) == null)
|
||||||
|
return null;
|
||||||
|
var data = dir.FindData(0);
|
||||||
if (data == null)
|
if (data == null)
|
||||||
return null;
|
return null;
|
||||||
|
|
||||||
return ModuleBytes = peImage.readBytes(data.RVA, (int)data.Size);
|
return ModuleBytes = data.Data.ReadAllBytes();
|
||||||
#else
|
|
||||||
return null;
|
|
||||||
#endif
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static void writeUInt32(byte[] data, int offset, uint value) {
|
static void writeUInt32(byte[] data, int offset, uint value) {
|
||||||
|
|
Loading…
Reference in New Issue
Block a user