monocul.us/de4dot-cex
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Unpack CS packed files

Browse Source
This commit is contained in:
de4dot 2012-11-09 11:32:25 +01:00
parent bb58b0b7e4
commit d47a03f51a
1 changed files with 16 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
de4dot.code/deobfuscators/Agile_NET/Deobfuscator.cs
View File

@ -19,6 +19,7 @@
using System; using System;
using System.Collections.Generic; using System.Collections.Generic;
using dot10.IO;
using dot10.PE; using dot10.PE;
using dot10.DotNet; using dot10.DotNet;
using dot10.DotNet.MD; using dot10.DotNet.MD;
@ -123,45 +124,42 @@ namespace de4dot.code.deobfuscators.Agile_NET {
// Old CS versions // Old CS versions
byte[] unpackNativeFile1(PEImage peImage) { byte[] unpackNativeFile1(PEImage peImage) {
#if PORT
const int dataDirNum = 6; // debug dir const int dataDirNum = 6; // debug dir
const int dotNetDirNum = 14; const int dotNetDirNum = 14;
if (peImage.OptionalHeader.dataDirectories[dataDirNum].virtualAddress == 0) var optHeader = peImage.ImageNTHeaders.OptionalHeader;
if (optHeader.DataDirectories[dataDirNum].VirtualAddress == 0)
return null; return null;
if (peImage.OptionalHeader.dataDirectories[dataDirNum].size != 0x48) if (optHeader.DataDirectories[dataDirNum].Size != 0x48)
return null; return null;
var fileData = peImage.readAllBytes(); var fileData = peImage.GetImageAsByteArray();
int dataDir = (int)peImage.OptionalHeader.offsetOfDataDirectory(dataDirNum); long dataDirBaseOffset = (long)optHeader.DataDirectories[0].StartOffset;
int dotNetDir = (int)peImage.OptionalHeader.offsetOfDataDirectory(dotNetDirNum); int dataDir = (int)dataDirBaseOffset + dataDirNum * 8;
int dotNetDir = (int)dataDirBaseOffset + dotNetDirNum * 8;
writeUInt32(fileData, dotNetDir, BitConverter.ToUInt32(fileData, dataDir)); writeUInt32(fileData, dotNetDir, BitConverter.ToUInt32(fileData, dataDir));
writeUInt32(fileData, dotNetDir + 4, BitConverter.ToUInt32(fileData, dataDir + 4)); writeUInt32(fileData, dotNetDir + 4, BitConverter.ToUInt32(fileData, dataDir + 4));
writeUInt32(fileData, dataDir, 0); writeUInt32(fileData, dataDir, 0);
writeUInt32(fileData, dataDir + 4, 0); writeUInt32(fileData, dataDir + 4, 0);
ModuleBytes = fileData; ModuleBytes = fileData;
return fileData; return fileData;
#else
return null;
#endif
} }
// CS 1.x // CS 1.x
byte[] unpackNativeFile2(PEImage peImage) { byte[] unpackNativeFile2(PEImage peImage) {
#if PORT var resources = peImage.Win32Resources;
var dir = peImage.Resources.getRoot(); if (resources == null)
if ((dir = dir.getDirectory("ASSEMBLY")) == null)
return null; return null;
if ((dir = dir.getDirectory(101)) == null) var dir = resources.Root;
if ((dir = dir.FindDirectory("ASSEMBLY")) == null)
return null; return null;
var data = dir.getData(0); if ((dir = dir.FindDirectory(101)) == null)
return null;
var data = dir.FindData(0);
if (data == null) if (data == null)
return null; return null;
return ModuleBytes = peImage.readBytes(data.RVA, (int)data.Size); return ModuleBytes = data.Data.ReadAllBytes();
#else
return null;
#endif
} }
static void writeUInt32(byte[] data, int offset, uint value) { static void writeUInt32(byte[] data, int offset, uint value) {