967 lines
30 KiB
C#
967 lines
30 KiB
C#
/*
|
|
Copyright (C) 2011-2015 de4dot@gmail.com
|
|
|
|
This file is part of de4dot.
|
|
|
|
de4dot is free software: you can redistribute it and/or modify
|
|
it under the terms of the GNU General Public License as published by
|
|
the Free Software Foundation, either version 3 of the License, or
|
|
(at your option) any later version.
|
|
|
|
de4dot is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU General Public License for more details.
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
using System;
|
|
using System.Collections.Generic;
|
|
using System.IO;
|
|
using System.Text;
|
|
using dnlib.DotNet;
|
|
using dnlib.IO;
|
|
using dnlib.PE;
|
|
using de4dot.blocks;
|
|
|
|
namespace de4dot.code.deobfuscators.MaxtoCode {
|
|
// Decrypts methods, resources and strings (#US heap)
|
|
class MethodsDecrypter {
|
|
ModuleDef module;
|
|
DecrypterInfo decrypterInfo;
|
|
|
|
class MethodInfos {
|
|
ModuleDef module;
|
|
MainType mainType;
|
|
MyPEImage peImage;
|
|
PeHeader peHeader;
|
|
McKey mcKey;
|
|
uint structSize;
|
|
uint methodInfosOffset;
|
|
uint encryptedDataOffset;
|
|
uint xorKey;
|
|
Dictionary<uint, DecryptedMethodInfo> infos = new Dictionary<uint, DecryptedMethodInfo>();
|
|
List<IDecrypter> decrypters = new List<IDecrypter>();
|
|
const int ENCRYPTED_DATA_INFO_SIZE = 0x13;
|
|
|
|
delegate byte[] DecryptFunc(byte[] encrypted);
|
|
|
|
public class DecryptedMethodInfo {
|
|
public uint bodyRva;
|
|
public byte[] body;
|
|
|
|
public DecryptedMethodInfo(uint bodyRva, byte[] body) {
|
|
this.bodyRva = bodyRva;
|
|
this.body = body;
|
|
}
|
|
}
|
|
|
|
public MethodInfos(ModuleDef module, MainType mainType, MyPEImage peImage, PeHeader peHeader, McKey mcKey) {
|
|
this.module = module;
|
|
this.mainType = mainType;
|
|
this.peImage = peImage;
|
|
this.peHeader = peHeader;
|
|
this.mcKey = mcKey;
|
|
|
|
structSize = GetStructSize(mcKey);
|
|
|
|
uint methodInfosRva = peHeader.GetRva(0x0FF8, mcKey.ReadUInt32(0x005A));
|
|
uint encryptedDataRva = peHeader.GetRva(0x0FF0, mcKey.ReadUInt32(0x0046));
|
|
|
|
methodInfosOffset = peImage.RvaToOffset(methodInfosRva);
|
|
encryptedDataOffset = peImage.RvaToOffset(encryptedDataRva);
|
|
}
|
|
|
|
static uint GetStructSize(McKey mcKey) {
|
|
uint magicLo = mcKey.ReadUInt32(0x8C0);
|
|
uint magicHi = mcKey.ReadUInt32(0x8C4);
|
|
foreach (var info in EncryptionInfos.McKey8C0h) {
|
|
if (magicLo == info.MagicLo && magicHi == info.MagicHi)
|
|
return 0xC + 6 * ENCRYPTED_DATA_INFO_SIZE;
|
|
}
|
|
return 0xC + 3 * ENCRYPTED_DATA_INFO_SIZE;
|
|
}
|
|
|
|
EncryptionVersion GetVersion() {
|
|
if (peHeader.EncryptionVersion != EncryptionVersion.Unknown)
|
|
return peHeader.EncryptionVersion;
|
|
|
|
uint m2lo = mcKey.ReadUInt32(0x8C0);
|
|
uint m2hi = mcKey.ReadUInt32(0x8C4);
|
|
|
|
foreach (var info in EncryptionInfos.McKey8C0h) {
|
|
if (info.MagicLo == m2lo && info.MagicHi == m2hi)
|
|
return info.Version;
|
|
}
|
|
|
|
Logger.w("Could not detect MC version. Magic2: {0:X8} {1:X8}", m2lo, m2hi);
|
|
return EncryptionVersion.Unknown;
|
|
}
|
|
|
|
public DecryptedMethodInfo Lookup(uint bodyRva) {
|
|
DecryptedMethodInfo info;
|
|
infos.TryGetValue(bodyRva, out info);
|
|
return info;
|
|
}
|
|
|
|
byte ReadByte(uint offset) {
|
|
return peImage.OffsetReadByte(methodInfosOffset + offset);
|
|
}
|
|
|
|
short ReadInt16(uint offset) {
|
|
return (short)peImage.OffsetReadUInt16(methodInfosOffset + offset);
|
|
}
|
|
|
|
uint ReadUInt32(uint offset) {
|
|
return peImage.OffsetReadUInt32(methodInfosOffset + offset);
|
|
}
|
|
|
|
int ReadInt32(uint offset) {
|
|
return (int)ReadUInt32(offset);
|
|
}
|
|
|
|
short ReadEncryptedInt16(uint offset) {
|
|
return (short)(ReadInt16(offset) ^ xorKey);
|
|
}
|
|
|
|
int ReadEncryptedInt32(uint offset) {
|
|
return (int)ReadEncryptedUInt32(offset);
|
|
}
|
|
|
|
uint ReadEncryptedUInt32(uint offset) {
|
|
return ReadUInt32(offset) ^ xorKey;
|
|
}
|
|
|
|
interface IDecrypter {
|
|
byte[] Decrypt(int type, byte[] encrypted);
|
|
bool HasTimeStamp(uint timeStamp);
|
|
}
|
|
|
|
class Decrypter : IDecrypter {
|
|
DecryptFunc[] decrypterHandlers;
|
|
uint[] timeStamps;
|
|
|
|
public Decrypter(DecryptFunc[] decrypterHandlers)
|
|
: this(decrypterHandlers, null) {
|
|
}
|
|
|
|
public Decrypter(DecryptFunc[] decrypterHandlers, uint[] timeStamps) {
|
|
this.decrypterHandlers = decrypterHandlers;
|
|
this.timeStamps = timeStamps ?? new uint[0];
|
|
}
|
|
|
|
public byte[] Decrypt(int type, byte[] encrypted) {
|
|
if (1 <= type && type <= decrypterHandlers.Length)
|
|
return decrypterHandlers[type - 1](encrypted);
|
|
throw new ApplicationException(string.Format("Invalid encryption type: {0:X2}", type));
|
|
}
|
|
|
|
public bool HasTimeStamp(uint timeStamp) {
|
|
foreach (var ts in timeStamps) {
|
|
if (timeStamp == ts)
|
|
return true;
|
|
}
|
|
return false;
|
|
}
|
|
}
|
|
|
|
void InitializeDecrypter() {
|
|
switch (GetVersion()) {
|
|
case EncryptionVersion.V1:
|
|
decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt1_v1, Decrypt4_v1, Decrypt2_v1, Decrypt3_v1, Decrypt5, Decrypt6, Decrypt7 }, new uint[] { 0x462FA2D2 }));
|
|
decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v1, Decrypt1_v1, Decrypt2_v1, Decrypt3_v1, Decrypt5, Decrypt6, Decrypt7 }, new uint[] { 0x471299D3 }));
|
|
break;
|
|
|
|
case EncryptionVersion.V2: decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt3_v1, Decrypt2_v1, Decrypt1_v1, Decrypt4_v1, Decrypt5, Decrypt6, Decrypt7 }, new uint[] { 0x482384FB, 0x4A5EEC64, 0x4BD6F703, 0x4C6220EC, 0x4C622357, 0x4C6E4605, 0x4D0E220D, 0x4DC2FC75, 0x4DC2FE0C, 0x4DFA3D5D })); break;
|
|
case EncryptionVersion.V3: decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt1_v1, Decrypt2_v1, Decrypt3_v1, Decrypt4_v1, Decrypt5, Decrypt6, Decrypt7 }, new uint[] { 0x4ECF2195, 0x4ED76740, 0x4EE1FAD1 })); break;
|
|
case EncryptionVersion.V4: decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt2_v1, Decrypt1_v1, Decrypt3_v1, Decrypt4_v1, Decrypt5, Decrypt6, Decrypt7 }, new uint[] { 0x4F832868, 0x4F8C86BE, 0x4F9447DB, 0x4FDEF2FF })); break;
|
|
|
|
case EncryptionVersion.V5:
|
|
decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v1, Decrypt2_v1, Decrypt3_v1, Decrypt1_v1, Decrypt5, Decrypt6, Decrypt7 }, new uint[] { 0x4F8E262C, 0x4F966B0B, 0x4FAB3CCF }));
|
|
decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v2, Decrypt2_v2, Decrypt3_v2, Decrypt1_v2, Decrypt6, Decrypt7, Decrypt5 }, new uint[] { 0x4FC7459E, 0x4FCEBD7B }));
|
|
decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v3, Decrypt2_v3, Decrypt3_v3, Decrypt1_v3, Decrypt6, Decrypt7, Decrypt5 }, new uint[] { 0x4FBE81DE }));
|
|
break;
|
|
|
|
case EncryptionVersion.V6: decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v4, Decrypt2_v4, Decrypt3_v4, Decrypt1_v4, Decrypt6, Decrypt7, Decrypt5 }, new uint[] { 0x50A0963C })); break;
|
|
case EncryptionVersion.V7: decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v5, Decrypt2_v5, Decrypt3_v5, Decrypt1_v5, Decrypt6, Decrypt8_v5, Decrypt9_v5, Decrypt7, Decrypt5 }, new uint[] { 0x50D367A5 })); break;
|
|
|
|
case EncryptionVersion.V8:
|
|
decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v6, Decrypt2_v2, Decrypt3_v6, Decrypt1_v6, Decrypt6, Decrypt8_v6, Decrypt9_v6, Decrypt7, Decrypt10, Decrypt5 }, new uint[] { 0x5166DB4F, 0x51927495 }));
|
|
decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v7, Decrypt2_v2, Decrypt3_v6, Decrypt1_v7, Decrypt6, Decrypt8_v7, Decrypt9_v7, Decrypt7, Decrypt5 }, new uint[] { 0x51413D68 }));
|
|
decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v7, Decrypt2_v2, Decrypt3_v6, Decrypt1_v7, Decrypt6, Decrypt8_v8, Decrypt9_v8, Decrypt7, Decrypt5 }, new uint[] { 0x513D7124, 0x51413BD8 }));
|
|
decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v5, Decrypt2_v2, Decrypt3_v6, Decrypt1_v9, Decrypt6, Decrypt8_v8, Decrypt9_v9, Decrypt7, Decrypt5 }, new uint[] { 0x513D4492, 0x5113E277 }));
|
|
decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt3_v6, Decrypt2_v2, Decrypt4_v8, Decrypt1_v10, Decrypt8_v9, Decrypt9_v10, Decrypt6, Decrypt7, Decrypt5 }, new uint[] { 0x526BDD12 }));
|
|
decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt1_v10, Decrypt4_v8, Decrypt2_v2, Decrypt3_v6, Decrypt6, Decrypt8_v9, Decrypt9_v10, Decrypt7, Decrypt5 }, new uint[] { 0x526BC020 }));
|
|
decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt3_v7, Decrypt2_v6, Decrypt4_v9, Decrypt1_v11, Decrypt8_v10, Decrypt11_v1, Decrypt6, Decrypt7, Decrypt5 }, new uint[] { 0x5296E242, 0x52B3043C }));
|
|
decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt4_v10, Decrypt1_v12, Decrypt3_v8, Decrypt2_v7, Decrypt6, Decrypt8_v11, Decrypt9_v11, Decrypt7, Decrypt5 }, new uint[] { 0x531729C4 }));
|
|
decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt1_v13, Decrypt4_v11, Decrypt2_v8, Decrypt3_v9, Decrypt6, Decrypt8_v11, Decrypt9_v12, Decrypt7, Decrypt5 }, new uint[] { 0x52B2B2A3 }));
|
|
decrypters.Add(new Decrypter(new DecryptFunc[] { Decrypt2_v9, Decrypt3_v10, Decrypt1_v10, Decrypt4_v12, Decrypt8_v12, Decrypt9_v13, Decrypt6, Decrypt7, Decrypt5 }, new uint[] { 0x53172907 }));
|
|
break;
|
|
|
|
case EncryptionVersion.Unknown:
|
|
default:
|
|
throw new ApplicationException("Unknown MC version");
|
|
}
|
|
}
|
|
|
|
public void InitializeInfos() {
|
|
InitializeDecrypter();
|
|
if (!InitializeInfos2())
|
|
throw new ApplicationException("Could not decrypt methods");
|
|
}
|
|
|
|
uint GetRuntimeTimeStamp() {
|
|
string path = module.Location;
|
|
if (string.IsNullOrEmpty(path))
|
|
return 0;
|
|
|
|
try {
|
|
var rtNames = new List<string>();
|
|
foreach (var rtModRef in mainType.RuntimeModuleRefs) {
|
|
string dllName = rtModRef.Name;
|
|
if (!dllName.ToUpperInvariant().EndsWith(".DLL"))
|
|
dllName += ".dll";
|
|
rtNames.Add(dllName);
|
|
}
|
|
if (rtNames.Count == 0)
|
|
return 0;
|
|
|
|
for (var di = new DirectoryInfo(Path.GetDirectoryName(path)); di != null; di = di.Parent) {
|
|
foreach (var dllName in rtNames) {
|
|
try {
|
|
using (var peImage = new PEImage(Path.Combine(di.FullName, dllName))) {
|
|
if (peImage.ImageNTHeaders.FileHeader.Machine == Machine.I386)
|
|
return peImage.ImageNTHeaders.FileHeader.TimeDateStamp;
|
|
}
|
|
}
|
|
catch {
|
|
}
|
|
}
|
|
}
|
|
}
|
|
catch {
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
bool InitializeInfos2() {
|
|
uint rtTimeStamp = GetRuntimeTimeStamp();
|
|
if (rtTimeStamp != 0) {
|
|
var decrypter = GetCorrectDecrypter(rtTimeStamp);
|
|
if (decrypter != null) {
|
|
try {
|
|
if (InitializeInfos2(decrypter))
|
|
return true;
|
|
}
|
|
catch {
|
|
}
|
|
}
|
|
}
|
|
|
|
Dictionary<uint, DecryptedMethodInfo> savedInfos = null;
|
|
foreach (var decrypter in decrypters) {
|
|
try {
|
|
if (InitializeInfos2(decrypter)) {
|
|
if (savedInfos != null) {
|
|
Logger.w("Decryption probably failed. Make sure the correct MaxtoCode runtime file is present.");
|
|
break;
|
|
}
|
|
savedInfos = infos;
|
|
infos = new Dictionary<uint, DecryptedMethodInfo>();
|
|
}
|
|
}
|
|
catch {
|
|
}
|
|
}
|
|
if (savedInfos == null)
|
|
return false;
|
|
infos = savedInfos;
|
|
return true;
|
|
}
|
|
|
|
IDecrypter GetCorrectDecrypter(uint timeStamp) {
|
|
foreach (var decrypter in decrypters) {
|
|
if (decrypter.HasTimeStamp(timeStamp))
|
|
return decrypter;
|
|
}
|
|
return null;
|
|
}
|
|
|
|
bool InitializeInfos2(IDecrypter decrypter) {
|
|
int numMethods = ReadInt32(0) ^ ReadInt32(4);
|
|
if (numMethods < 0)
|
|
throw new ApplicationException("Invalid number of encrypted methods");
|
|
|
|
xorKey = (uint)numMethods;
|
|
int numEncryptedDataInfos = ((int)structSize - 0xC) / ENCRYPTED_DATA_INFO_SIZE;
|
|
var encryptedDataInfos = new byte[numEncryptedDataInfos][];
|
|
|
|
uint offset = 8;
|
|
infos.Clear();
|
|
for (int i = 0; i < numMethods; i++, offset += structSize) {
|
|
uint methodBodyRva = ReadEncryptedUInt32(offset);
|
|
uint totalSize = ReadEncryptedUInt32(offset + 4);
|
|
/*uint methodInstructionRva =*/ ReadEncryptedUInt32(offset + 8);
|
|
|
|
// Read the method body header and method body (instrs + exception handlers).
|
|
// The method body header is always in the first one. The instrs + ex handlers
|
|
// are always in the last 4, and evenly divided (each byte[] is totalLen / 4).
|
|
// The 2nd one is for the exceptions (or padding), but it may be null.
|
|
uint offset2 = offset + 0xC;
|
|
int exOffset = 0;
|
|
for (int j = 0; j < encryptedDataInfos.Length; j++, offset2 += ENCRYPTED_DATA_INFO_SIZE) {
|
|
// readByte(offset2); <-- index
|
|
int encryptionType = ReadEncryptedInt16(offset2 + 1);
|
|
uint dataOffset = ReadEncryptedUInt32(offset2 + 3);
|
|
uint encryptedSize = ReadEncryptedUInt32(offset2 + 7);
|
|
uint realSize = ReadEncryptedUInt32(offset2 + 11);
|
|
if (j >= 3 && dataOffset == xorKey && encryptedSize == xorKey) {
|
|
encryptedDataInfos[j] = null;
|
|
continue;
|
|
}
|
|
if (j == 1)
|
|
exOffset = ReadEncryptedInt32(offset2 + 15);
|
|
if (j == 1 && exOffset == 0)
|
|
encryptedDataInfos[j] = null;
|
|
else
|
|
encryptedDataInfos[j] = Decrypt(decrypter, encryptionType, dataOffset, encryptedSize, realSize);
|
|
}
|
|
|
|
var decryptedData = new byte[totalSize];
|
|
int copyOffset = 0;
|
|
copyOffset = CopyData(decryptedData, encryptedDataInfos[0], copyOffset);
|
|
for (int j = 2; j < encryptedDataInfos.Length; j++)
|
|
copyOffset = CopyData(decryptedData, encryptedDataInfos[j], copyOffset);
|
|
CopyData(decryptedData, encryptedDataInfos[1], exOffset); // Exceptions or padding
|
|
|
|
if (!MethodBodyParser.Verify(decryptedData))
|
|
throw new InvalidMethodBody();
|
|
|
|
var info = new DecryptedMethodInfo(methodBodyRva, decryptedData);
|
|
infos[info.bodyRva] = info;
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
static int CopyData(byte[] dest, byte[] source, int offset) {
|
|
if (source == null)
|
|
return offset;
|
|
Array.Copy(source, 0, dest, offset, source.Length);
|
|
return offset + source.Length;
|
|
}
|
|
|
|
byte[] ReadData(uint offset, int size) {
|
|
return peImage.OffsetReadBytes(encryptedDataOffset + offset, size);
|
|
}
|
|
|
|
byte[] Decrypt(IDecrypter decrypter, int type, uint dataOffset, uint encryptedSize, uint realSize) {
|
|
if (realSize == 0)
|
|
return null;
|
|
if (realSize > encryptedSize)
|
|
throw new ApplicationException("Invalid realSize");
|
|
|
|
var encrypted = ReadData(dataOffset, (int)encryptedSize);
|
|
var decrypted = decrypter.Decrypt(type, encrypted);
|
|
if (realSize > decrypted.Length)
|
|
throw new ApplicationException("Invalid decrypted length");
|
|
Array.Resize(ref decrypted, (int)realSize);
|
|
return decrypted;
|
|
}
|
|
|
|
byte[] Decrypt1_v1(byte[] encrypted) {
|
|
return Decrypt1(encrypted, 0, 0, 0x2000);
|
|
}
|
|
|
|
byte[] Decrypt1_v2(byte[] encrypted) {
|
|
return Decrypt1(encrypted, 6, 6, 0x500);
|
|
}
|
|
|
|
byte[] Decrypt1_v3(byte[] encrypted) {
|
|
return Decrypt1(encrypted, 6, 0, 0x1000);
|
|
}
|
|
|
|
byte[] Decrypt1_v4(byte[] encrypted) {
|
|
return Decrypt1(encrypted, 5, 5, 0x500);
|
|
}
|
|
|
|
byte[] Decrypt1_v5(byte[] encrypted) {
|
|
return Decrypt1(encrypted, 9, 9, 0x500);
|
|
}
|
|
|
|
byte[] Decrypt1_v6(byte[] encrypted) {
|
|
return Decrypt1(encrypted, 0x27, 0x27, 0x100);
|
|
}
|
|
|
|
byte[] Decrypt1_v7(byte[] encrypted) {
|
|
return Decrypt1(encrypted, 0x1D, 0x1D, 0x400);
|
|
}
|
|
|
|
byte[] Decrypt1_v9(byte[] encrypted) {
|
|
return Decrypt1(encrypted, 9, 0x13, 0x400);
|
|
}
|
|
|
|
byte[] Decrypt1_v10(byte[] encrypted) {
|
|
return Decrypt1(encrypted, 0x11, 0x11, 0x400);
|
|
}
|
|
|
|
byte[] Decrypt1_v11(byte[] encrypted) {
|
|
return Decrypt1(encrypted, 0x13, 0x13, 0x400);
|
|
}
|
|
|
|
byte[] Decrypt1_v12(byte[] encrypted) {
|
|
return Decrypt1(encrypted, 0x12, 0x12, 0x200);
|
|
}
|
|
|
|
byte[] Decrypt1_v13(byte[] encrypted) {
|
|
return Decrypt1(encrypted, 0x11, 0x11, 0x200);
|
|
}
|
|
|
|
byte[] Decrypt1(byte[] encrypted, int keyStart, int keyReset, int keyEnd) {
|
|
var decrypted = new byte[encrypted.Length];
|
|
for (int i = 0, ki = keyStart; i < decrypted.Length; i++) {
|
|
decrypted[i] = (byte)(encrypted[i] ^ mcKey.ReadByte(ki));
|
|
if (++ki == keyEnd)
|
|
ki = keyReset;
|
|
}
|
|
return decrypted;
|
|
}
|
|
|
|
byte[] Decrypt2_v1(byte[] encrypted) {
|
|
return Decrypt2(encrypted, 0x00FA);
|
|
}
|
|
|
|
byte[] Decrypt2_v2(byte[] encrypted) {
|
|
return Decrypt2(encrypted, 0x00FA + 9);
|
|
}
|
|
|
|
byte[] Decrypt2_v3(byte[] encrypted) {
|
|
return Decrypt2(encrypted, 0x00FA + 0x24);
|
|
}
|
|
|
|
byte[] Decrypt2_v4(byte[] encrypted) {
|
|
return Decrypt2(encrypted, 0x00FA + 7);
|
|
}
|
|
|
|
byte[] Decrypt2_v5(byte[] encrypted) {
|
|
return Decrypt2(encrypted, 0x00FA + 0x63);
|
|
}
|
|
|
|
byte[] Decrypt2_v6(byte[] encrypted) {
|
|
return Decrypt2(encrypted, 0x00FA + 0x0B);
|
|
}
|
|
|
|
byte[] Decrypt2_v7(byte[] encrypted) {
|
|
return Decrypt2(encrypted, 0x00FA + 0x0E);
|
|
}
|
|
|
|
byte[] Decrypt2_v8(byte[] encrypted) {
|
|
return Decrypt2(encrypted, 0x00FA + 0x0D);
|
|
}
|
|
|
|
byte[] Decrypt2_v9(byte[] encrypted) {
|
|
return Decrypt2(encrypted, 0x00FA + 0x0C);
|
|
}
|
|
|
|
byte[] Decrypt2(byte[] encrypted, int offset) {
|
|
if ((encrypted.Length & 7) != 0)
|
|
throw new ApplicationException("Invalid encryption #2 length");
|
|
uint key4 = mcKey.ReadUInt32(offset + 4 * 4);
|
|
uint key5 = mcKey.ReadUInt32(offset + 5 * 4);
|
|
|
|
byte[] decrypted = new byte[encrypted.Length & ~7];
|
|
var writer = new BinaryWriter(new MemoryStream(decrypted));
|
|
|
|
int loopCount = encrypted.Length / 8;
|
|
for (int i = 0; i < loopCount; i++) {
|
|
uint val0 = BitConverter.ToUInt32(encrypted, i * 8);
|
|
uint val1 = BitConverter.ToUInt32(encrypted, i * 8 + 4);
|
|
uint x = (val1 >> 26) + (val0 << 6);
|
|
uint y = (val0 >> 26) + (val1 << 6);
|
|
|
|
writer.Write(x ^ key4);
|
|
writer.Write(y ^ key5);
|
|
}
|
|
|
|
return decrypted;
|
|
}
|
|
|
|
byte[] Decrypt3_v1(byte[] encrypted) {
|
|
return Decrypt3(encrypted, 0x015E);
|
|
}
|
|
|
|
byte[] Decrypt3_v2(byte[] encrypted) {
|
|
return Decrypt3(encrypted, 0x015E + 0xE5);
|
|
}
|
|
|
|
byte[] Decrypt3_v3(byte[] encrypted) {
|
|
return Decrypt3(encrypted, 0x015E + 0x28);
|
|
}
|
|
|
|
byte[] Decrypt3_v4(byte[] encrypted) {
|
|
return Decrypt3(encrypted, 0x015E + 8);
|
|
}
|
|
|
|
byte[] Decrypt3_v5(byte[] encrypted) {
|
|
return Decrypt3(encrypted, 0x015E + 7);
|
|
}
|
|
|
|
byte[] Decrypt3_v6(byte[] encrypted) {
|
|
return Decrypt3(encrypted, 0x015E + 0x7F);
|
|
}
|
|
|
|
byte[] Decrypt3_v7(byte[] encrypted) {
|
|
return Decrypt3(encrypted, 0x015E + 0x0D);
|
|
}
|
|
|
|
byte[] Decrypt3_v8(byte[] encrypted) {
|
|
return Decrypt3(encrypted, 0x015E + 0x0F);
|
|
}
|
|
|
|
byte[] Decrypt3_v9(byte[] encrypted) {
|
|
return Decrypt3(encrypted, 0x015E + 0x12);
|
|
}
|
|
|
|
byte[] Decrypt3_v10(byte[] encrypted) {
|
|
return Decrypt3(encrypted, 0x015E + 0x0E);
|
|
}
|
|
|
|
static readonly byte[] decrypt3Shifts = new byte[16] { 5, 11, 14, 21, 6, 20, 17, 29, 4, 10, 3, 2, 7, 1, 26, 18 };
|
|
byte[] Decrypt3(byte[] encrypted, int offset) {
|
|
if ((encrypted.Length & 7) != 0)
|
|
throw new ApplicationException("Invalid encryption #3 length");
|
|
uint key0 = mcKey.ReadUInt32(offset + 0 * 4);
|
|
uint key3 = mcKey.ReadUInt32(offset + 3 * 4);
|
|
|
|
byte[] decrypted = new byte[encrypted.Length & ~7];
|
|
var writer = new BinaryWriter(new MemoryStream(decrypted));
|
|
|
|
int loopCount = encrypted.Length / 8;
|
|
for (int i = 0; i < loopCount; i++) {
|
|
uint x = BitConverter.ToUInt32(encrypted, i * 8);
|
|
uint y = BitConverter.ToUInt32(encrypted, i * 8 + 4);
|
|
foreach (var shift in decrypt3Shifts) {
|
|
int shift1 = 32 - shift;
|
|
uint x1 = (y >> shift1) + (x << shift);
|
|
uint y1 = (x >> shift1) + (y << shift);
|
|
x = x1;
|
|
y = y1;
|
|
}
|
|
|
|
writer.Write(x ^ key0);
|
|
writer.Write(y ^ key3);
|
|
}
|
|
|
|
return decrypted;
|
|
}
|
|
|
|
byte[] Decrypt4_v1(byte[] encrypted) {
|
|
return Decrypt4(encrypted, 0, 0, 0x2000);
|
|
}
|
|
|
|
byte[] Decrypt4_v2(byte[] encrypted) {
|
|
return Decrypt4(encrypted, 0x14, 0x14, 0x1000);
|
|
}
|
|
|
|
byte[] Decrypt4_v3(byte[] encrypted) {
|
|
return Decrypt4(encrypted, 5, 0, 0x2000);
|
|
}
|
|
|
|
byte[] Decrypt4_v4(byte[] encrypted) {
|
|
return Decrypt4(encrypted, 0x0B, 0x0B, 0x1000);
|
|
}
|
|
|
|
byte[] Decrypt4_v5(byte[] encrypted) {
|
|
return Decrypt4(encrypted, 0x15, 0x15, 0x100);
|
|
}
|
|
|
|
byte[] Decrypt4_v6(byte[] encrypted) {
|
|
return Decrypt4(encrypted, 0x63, 0x63, 0x150);
|
|
}
|
|
|
|
byte[] Decrypt4_v7(byte[] encrypted) {
|
|
return Decrypt4(encrypted, 0x0B, 0x0B, 0x100);
|
|
}
|
|
|
|
byte[] Decrypt4_v8(byte[] encrypted) {
|
|
return Decrypt4(encrypted, 9, 9, 0x100);
|
|
}
|
|
|
|
byte[] Decrypt4_v9(byte[] encrypted) {
|
|
return Decrypt4(encrypted, 0x0B, 0x0B, 0x150);
|
|
}
|
|
|
|
byte[] Decrypt4_v10(byte[] encrypted) {
|
|
return Decrypt4(encrypted, 0x10, 0x10, 0x120);
|
|
}
|
|
|
|
byte[] Decrypt4_v11(byte[] encrypted) {
|
|
return Decrypt4(encrypted, 0x0F, 0x0E, 0x120);
|
|
}
|
|
|
|
byte[] Decrypt4_v12(byte[] encrypted) {
|
|
return Decrypt4(encrypted, 0x0C, 0x0C, 0x150);
|
|
}
|
|
|
|
byte[] Decrypt4(byte[] encrypted, int keyStart, int keyReset, int keyEnd) {
|
|
var decrypted = new byte[encrypted.Length / 3 * 2 + 1];
|
|
|
|
int count = encrypted.Length / 3;
|
|
int i = 0, ki = keyStart, j = 0;
|
|
while (count-- > 0) {
|
|
byte k1 = mcKey.ReadByte(ki + 1);
|
|
byte k2 = mcKey.ReadByte(ki + 2);
|
|
byte k3 = mcKey.ReadByte(ki + 3);
|
|
decrypted[j++] = (byte)(((encrypted[i + 1] ^ k2) >> 4) | ((encrypted[i] ^ k1) & 0xF0));
|
|
decrypted[j++] = (byte)(((encrypted[i + 1] ^ k2) << 4) | ((encrypted[i + 2] ^ k3) & 0x0F));
|
|
i += 3;
|
|
ki += 4;
|
|
if (ki >= keyEnd)
|
|
ki = keyReset;
|
|
}
|
|
|
|
if ((encrypted.Length % 3) != 0)
|
|
decrypted[j] = (byte)(encrypted[i] ^ mcKey.ReadByte(ki));
|
|
|
|
return decrypted;
|
|
}
|
|
|
|
byte[] Decrypt5(byte[] encrypted) {
|
|
return CryptDecrypter.Decrypt(mcKey.ReadBytes(0x0032, 15), encrypted);
|
|
}
|
|
|
|
byte[] Decrypt6(byte[] encrypted) {
|
|
return Decrypter6.Decrypt(mcKey.ReadBytes(0x0096, 32), encrypted);
|
|
}
|
|
|
|
byte[] Decrypt7(byte[] encrypted) {
|
|
var decrypted = (byte[])encrypted.Clone();
|
|
new Blowfish(GetBlowfishKey()).Decrypt_LE(decrypted);
|
|
return decrypted;
|
|
}
|
|
|
|
byte[] Decrypt8_v5(byte[] encrypted) {
|
|
return Decrypt8(encrypted, 7, 7, 0x600);
|
|
}
|
|
|
|
byte[] Decrypt8_v6(byte[] encrypted) {
|
|
return Decrypt8(encrypted, 0x1B, 0x1B, 0x100);
|
|
}
|
|
|
|
byte[] Decrypt8_v7(byte[] encrypted) {
|
|
return Decrypt8(encrypted, 0x0D, 0x0D, 0x600);
|
|
}
|
|
|
|
byte[] Decrypt8_v8(byte[] encrypted) {
|
|
return Decrypt8(encrypted, 0x11, 0x11, 0x600);
|
|
}
|
|
|
|
byte[] Decrypt8_v9(byte[] encrypted) {
|
|
return Decrypt8(encrypted, 0xA, 0xA, 0x600);
|
|
}
|
|
|
|
byte[] Decrypt8_v10(byte[] encrypted) {
|
|
return Decrypt8(encrypted, 0x14, 0x14, 0x600);
|
|
}
|
|
|
|
byte[] Decrypt8_v11(byte[] encrypted) {
|
|
return Decrypt8(encrypted, 0x19, 0x19, 0x500);
|
|
}
|
|
|
|
byte[] Decrypt8_v12(byte[] encrypted) {
|
|
return Decrypt8(encrypted, 0x14, 0x14, 0x600);
|
|
}
|
|
|
|
byte[] Decrypt8(byte[] encrypted, int keyStart, int keyReset, int keyEnd) {
|
|
var decrypted = new byte[encrypted.Length];
|
|
int ki = keyStart;
|
|
for (int i = 0; i < encrypted.Length; i++) {
|
|
int b = mcKey.ReadByte(ki++) ^ encrypted[i];
|
|
decrypted[i] = (byte)((b << 4) | (b >> 4));
|
|
if (ki >= keyEnd)
|
|
ki = keyReset;
|
|
}
|
|
|
|
return decrypted;
|
|
}
|
|
|
|
byte[] Decrypt9_v5(byte[] encrypted) {
|
|
return Decrypt9(encrypted, 0x11, 0x11, 0x610);
|
|
}
|
|
|
|
byte[] Decrypt9_v6(byte[] encrypted) {
|
|
return Decrypt9(encrypted, 0x2E, 0x2E, 0x310);
|
|
}
|
|
|
|
byte[] Decrypt9_v7(byte[] encrypted) {
|
|
return Decrypt9(encrypted, 0x28, 0x28, 0x510);
|
|
}
|
|
|
|
byte[] Decrypt9_v8(byte[] encrypted) {
|
|
return Decrypt9(encrypted, 0x2C, 0x2C, 0x510);
|
|
}
|
|
|
|
byte[] Decrypt9_v9(byte[] encrypted) {
|
|
return Decrypt9(encrypted, 0x10, 0x10, 0x510);
|
|
}
|
|
|
|
byte[] Decrypt9_v10(byte[] encrypted) {
|
|
return Decrypt9(encrypted, 5, 5, 0x510);
|
|
}
|
|
|
|
byte[] Decrypt9_v11(byte[] encrypted) {
|
|
return Decrypt9(encrypted, 0x19, 0x19, 0x500);
|
|
}
|
|
|
|
byte[] Decrypt9_v12(byte[] encrypted) {
|
|
return Decrypt9(encrypted, 0x19, 0x19, 0x500);
|
|
}
|
|
|
|
byte[] Decrypt9_v13(byte[] encrypted) {
|
|
return Decrypt9(encrypted, 5, 5, 0x510);
|
|
}
|
|
|
|
byte[] Decrypt9(byte[] encrypted, int keyStart, int keyReset, int keyEnd) {
|
|
var decrypted = new byte[encrypted.Length];
|
|
int ki = keyStart;
|
|
for (int i = 0; ; ) {
|
|
byte b, k;
|
|
|
|
if (i >= encrypted.Length) break;
|
|
k = mcKey.ReadByte(ki++);
|
|
b = encrypted[i];
|
|
b ^= k;
|
|
decrypted[i] = b;
|
|
i++;
|
|
if (ki >= keyEnd) ki = keyReset;
|
|
|
|
if (i >= encrypted.Length) break;
|
|
k = mcKey.ReadByte(ki++);
|
|
b = encrypted[i];
|
|
b ^= k;
|
|
b = (byte)((b << 4) | (b >> 4));
|
|
decrypted[i] = b;
|
|
i++;
|
|
if (ki >= keyEnd) ki = keyReset;
|
|
|
|
if (i >= encrypted.Length) break;
|
|
b = encrypted[i];
|
|
b = (byte)((b << 4) | (b >> 4));
|
|
decrypted[i] = b;
|
|
ki++;
|
|
i++;
|
|
if (ki >= keyEnd) ki = keyReset;
|
|
}
|
|
return decrypted;
|
|
}
|
|
|
|
byte[] Decrypt10(byte[] encrypted) {
|
|
byte[] enc = (byte[])encrypted.Clone();
|
|
byte[] dest = new byte[enc.Length];
|
|
int halfSize = enc.Length / 2;
|
|
|
|
byte b = enc[0];
|
|
b ^= 0xA1;
|
|
dest[0] = b;
|
|
|
|
b = enc[enc.Length - 1];
|
|
b ^= 0x1A;
|
|
dest[enc.Length - 1] = b;
|
|
|
|
enc[0] = dest[0];
|
|
enc[enc.Length - 1] = b;
|
|
|
|
for (int i = 1; i < halfSize; i++)
|
|
dest[i] = (byte)(enc[i] ^ dest[i - 1]);
|
|
|
|
for (int i = enc.Length - 2; i >= halfSize; i--)
|
|
dest[i] = (byte)(enc[i] ^ dest[i + 1]);
|
|
|
|
return dest;
|
|
}
|
|
|
|
byte[] Decrypt11_v1(byte[] encrypted) {
|
|
return Decrypt11(encrypted, 5, 5, 0x510);
|
|
}
|
|
|
|
byte[] Decrypt11(byte[] encrypted, int keyStart, int keyReset, int keyEnd) {
|
|
byte[] dest = new byte[encrypted.Length];
|
|
|
|
for (int i = 0, ki = keyStart; i < encrypted.Length; i++, ki++) {
|
|
if (ki >= keyEnd)
|
|
ki = keyStart;
|
|
|
|
byte b;
|
|
switch (i % 3) {
|
|
case 0:
|
|
dest[i] = (byte)(encrypted[i] ^ mcKey.ReadByte(ki));
|
|
break;
|
|
|
|
case 1:
|
|
b = (byte)(encrypted[i] ^ mcKey.ReadByte(ki));
|
|
dest[i] = (byte)((b << 4) | (b >> 4));
|
|
break;
|
|
|
|
case 2:
|
|
b = encrypted[i];
|
|
dest[i] = (byte)((b << 4) | (b >> 4));
|
|
break;
|
|
}
|
|
}
|
|
|
|
return dest;
|
|
}
|
|
|
|
byte[] blowfishKey;
|
|
byte[] GetBlowfishKey() {
|
|
if (blowfishKey != null)
|
|
return blowfishKey;
|
|
var key = new byte[100];
|
|
int i;
|
|
for (i = 0; i < key.Length; i++) {
|
|
byte b = mcKey.ReadByte(i);
|
|
if (b == 0)
|
|
break;
|
|
key[i] = b;
|
|
}
|
|
for (; i < key.Length; i++)
|
|
key[i] = 0;
|
|
key[key.Length - 1] = 0;
|
|
return blowfishKey = key;
|
|
}
|
|
}
|
|
|
|
public MethodsDecrypter(ModuleDef module, DecrypterInfo decrypterInfo) {
|
|
this.module = module;
|
|
this.decrypterInfo = decrypterInfo;
|
|
}
|
|
|
|
public bool Decrypt(ref DumpedMethods dumpedMethods) {
|
|
dumpedMethods = DecryptMethods();
|
|
if (dumpedMethods == null)
|
|
return false;
|
|
|
|
DecryptResources();
|
|
DecryptStrings();
|
|
|
|
return true;
|
|
}
|
|
|
|
DumpedMethods DecryptMethods() {
|
|
var dumpedMethods = new DumpedMethods();
|
|
|
|
var peImage = decrypterInfo.peImage;
|
|
var methodInfos = new MethodInfos(module, decrypterInfo.mainType, peImage, decrypterInfo.peHeader, decrypterInfo.mcKey);
|
|
methodInfos.InitializeInfos();
|
|
|
|
var methodDef = peImage.MetaData.TablesStream.MethodTable;
|
|
for (uint rid = 1; rid <= methodDef.Rows; rid++) {
|
|
var dm = new DumpedMethod();
|
|
peImage.ReadMethodTableRowTo(dm, rid);
|
|
|
|
var info = methodInfos.Lookup(dm.mdRVA);
|
|
if (info == null)
|
|
continue;
|
|
|
|
ushort magic = peImage.ReadUInt16(dm.mdRVA);
|
|
if (magic != 0xFFF3)
|
|
continue;
|
|
|
|
var mbHeader = MethodBodyParser.ParseMethodBody(MemoryImageStream.Create(info.body), out dm.code, out dm.extraSections);
|
|
peImage.UpdateMethodHeaderInfo(dm, mbHeader);
|
|
|
|
dumpedMethods.Add(dm);
|
|
}
|
|
|
|
return dumpedMethods;
|
|
}
|
|
|
|
void DecryptResources() {
|
|
var peHeader = decrypterInfo.peHeader;
|
|
var mcKey = decrypterInfo.mcKey;
|
|
var peImage = decrypterInfo.peImage;
|
|
var fileData = decrypterInfo.fileData;
|
|
|
|
uint decryptedResources = peHeader.ReadUInt32(0xFE8) ^ mcKey.ReadUInt32(0);
|
|
uint resourceRva = peHeader.GetRva(0x0E10, mcKey.ReadUInt32(0x00A0));
|
|
int resourceSize = (int)(peHeader.ReadUInt32(0x0E14) ^ mcKey.ReadUInt32(0x00AA));
|
|
if (decryptedResources == 1) {
|
|
Logger.v("Resources have already been decrypted");
|
|
return;
|
|
}
|
|
if (resourceRva == 0 || resourceSize <= 0)
|
|
return;
|
|
if (resourceRva != (uint)peImage.Cor20Header.Resources.VirtualAddress ||
|
|
resourceSize != peImage.Cor20Header.Resources.Size) {
|
|
Logger.w("Invalid resource RVA and size found");
|
|
}
|
|
|
|
Logger.v("Decrypting resources @ RVA {0:X8}, {1} bytes", resourceRva, resourceSize);
|
|
|
|
int resourceOffset = (int)peImage.RvaToOffset(resourceRva);
|
|
for (int i = 0; i < resourceSize; i++)
|
|
fileData[resourceOffset + i] ^= mcKey[i % 0x2000];
|
|
}
|
|
|
|
void DecryptStrings() {
|
|
var peHeader = decrypterInfo.peHeader;
|
|
var mcKey = decrypterInfo.mcKey;
|
|
var peImage = decrypterInfo.peImage;
|
|
var fileData = decrypterInfo.fileData;
|
|
|
|
uint usHeapRva = peHeader.GetRva(0x0E00, mcKey.ReadUInt32(0x0078));
|
|
uint usHeapSize = peHeader.ReadUInt32(0x0E04) ^ mcKey.ReadUInt32(0x0082);
|
|
if (usHeapRva == 0 || usHeapSize == 0)
|
|
return;
|
|
var usHeap = peImage.MetaData.USStream;
|
|
if (usHeap.StartOffset == 0 || // Start offset is 0 if it's not present in the file
|
|
peImage.RvaToOffset(usHeapRva) != (uint)usHeap.StartOffset ||
|
|
usHeapSize != (uint)(usHeap.EndOffset - usHeap.StartOffset)) {
|
|
Logger.w("Invalid #US heap RVA and size found");
|
|
}
|
|
|
|
Logger.v("Decrypting strings @ RVA {0:X8}, {1} bytes", usHeapRva, usHeapSize);
|
|
Logger.Instance.Indent();
|
|
|
|
int mcKeyOffset = 0;
|
|
int usHeapOffset = (int)peImage.RvaToOffset(usHeapRva);
|
|
int usHeapEnd = usHeapOffset + (int)usHeapSize;
|
|
usHeapOffset++;
|
|
while (usHeapOffset < usHeapEnd) {
|
|
if (fileData[usHeapOffset] == 0 || fileData[usHeapOffset] == 1) {
|
|
usHeapOffset++;
|
|
continue;
|
|
}
|
|
|
|
int usHeapOffsetOrig = usHeapOffset;
|
|
int stringDataLength = DeobUtils.ReadVariableLengthInt32(fileData, ref usHeapOffset);
|
|
int usHeapOffsetString = usHeapOffset;
|
|
int encryptedLength = stringDataLength - (usHeapOffset - usHeapOffsetOrig == 1 ? 1 : 2);
|
|
for (int i = 0; i < encryptedLength; i++) {
|
|
byte k = mcKey.ReadByte(mcKeyOffset++ % 0x2000);
|
|
fileData[usHeapOffset] = Rolb((byte)(fileData[usHeapOffset] ^ k), 3);
|
|
usHeapOffset++;
|
|
}
|
|
|
|
try {
|
|
Logger.v("Decrypted string: {0}", Utils.ToCsharpString(Encoding.Unicode.GetString(fileData, usHeapOffsetString, stringDataLength - 1)));
|
|
}
|
|
catch {
|
|
Logger.v("Could not decrypt string at offset {0:X8}", usHeapOffsetOrig);
|
|
}
|
|
|
|
usHeapOffset++;
|
|
}
|
|
|
|
Logger.Instance.DeIndent();
|
|
}
|
|
|
|
byte Rolb(byte b, int n) {
|
|
return (byte)((b << n) | (b >> (8 - n)));
|
|
}
|
|
}
|
|
}
|