/** * Steamless - Copyright (c) 2015 - 2022 atom0s [atom0s@live.com] * * This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License. * To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-nd/4.0/ or send a letter to * Creative Commons, PO Box 1866, Mountain View, CA 94042, USA. * * By using Steamless, you agree to the above license and its terms. * * Attribution - You must give appropriate credit, provide a link to the license and indicate if changes were * made. You must do so in any reasonable manner, but not in any way that suggests the licensor * endorses you or your use. * * Non-Commercial - You may not use the material (Steamless) for commercial purposes. * * No-Derivatives - If you remix, transform, or build upon the material (Steamless), you may not distribute the * modified material. You are, however, allowed to submit the modified works back to the original * Steamless project in attempt to have it added to the original project. * * You may not apply legal terms or technological measures that legally restrict others * from doing anything the license permits. * * No warranties are given. */ namespace Steamless.Unpacker.Variant20.x86 { using API; using API.Events; using API.Extensions; using API.Model; using API.PE32; using API.Services; using Classes; using SharpDisasm; using SharpDisasm.Udis86; using System; using System.Collections.Generic; using System.IO; using System.Linq; using System.Reflection; using System.Runtime.InteropServices; [SteamlessApiVersion(1, 0)] public class Main : SteamlessPlugin { /// /// Internal logging service instance. /// private LoggingService m_LoggingService; /// /// Gets the author of this plugin. /// public override string Author => "atom0s"; /// /// Gets the name of this plugin. /// public override string Name => "SteamStub Variant 2.0 Unpacker (x86)"; /// /// Gets the description of this plugin. /// public override string Description => "Unpacker for the 32bit SteamStub variant 2.0."; /// /// Gets the version of this plugin. /// public override Version Version => Assembly.GetExecutingAssembly().GetName().Version; /// /// Internal wrapper to log a message. /// /// /// private void Log(string msg, LogMessageType type) { this.m_LoggingService.OnAddLogMessage(this, new LogMessageEventArgs(msg, type)); } /// /// Initialize function called when this plugin is first loaded. /// /// /// public override bool Initialize(LoggingService logService) { this.m_LoggingService = logService; return true; } /// /// Processing function called when a file is being unpacked. Allows plugins to check the file /// and see if it can handle the file for its intended purpose. /// /// /// public override bool CanProcessFile(string file) { try { // Load the file.. var f = new Pe32File(file); if (!f.Parse() || f.IsFile64Bit() || !f.HasSection(".bind")) return false; // Obtain the bind section data.. var bind = f.GetSectionData(".bind"); // Attempt to locate the known v2.0 signature.. return Pe32Helpers.FindPattern(bind, "53 51 52 56 57 55 8B EC 81 EC 00 10 00 00 BE") > 0; } catch { return false; } } /// /// Processing function called to allow the plugin to process the file. /// /// /// /// public override bool ProcessFile(string file, SteamlessOptions options) { // Initialize the class members.. this.Options = options; this.CodeSectionData = null; this.CodeSectionIndex = -1; this.PayloadData = null; this.SteamDrmpData = null; this.SteamDrmpOffsets = new List(); this.UseFallbackDrmpOffsets = false; this.XorKey = 0; // Parse the file.. this.File = new Pe32File(file); if (!this.File.Parse()) return false; // Announce we are being unpacked with this packer.. this.Log("File is packed with SteamStub Variant 2.0!", LogMessageType.Information); this.Log("Step 1 - Read, disassemble and decode the SteamStub DRM header.", LogMessageType.Information); if (!this.Step1()) return false; this.Log("Step 2 - Read, decrypt and process the main code section.", LogMessageType.Information); if (!this.Step2()) return false; this.Log("Step 3 - Prepare the file sections.", LogMessageType.Information); if (!this.Step3()) return false; this.Log("Step 4 - Rebuild and save the unpacked file.", LogMessageType.Information); if (!this.Step4()) return false; return true; } /// /// Step #1 /// /// Read, disassemble and decode the SteamStub DRM header. /// /// private bool Step1() { // Obtain the file entry offset.. var fileOffset = this.File.GetFileOffsetFromRva(this.File.NtHeaders.OptionalHeader.AddressOfEntryPoint); // Validate the DRM header.. if (BitConverter.ToUInt32(this.File.FileData, (int)fileOffset - 4) != 0xC0DEC0DE) return false; // Disassemble the file to locate the needed DRM information.. if (!this.DisassembleFile(out var structOffset, out var structSize, out var structXorKey)) return false; // Obtain the DRM header data.. var headerData = new byte[structSize]; Array.Copy(this.File.FileData, this.File.GetFileOffsetFromRva(structOffset), headerData, 0, structSize); // Xor decode the header data.. this.XorKey = SteamStubHelpers.SteamXor(ref headerData, (uint)headerData.Length, 0); // Create the stub header.. this.StubHeader = Pe32Helpers.GetStructure(headerData); return true; } /// /// Step #2 /// /// Read, decrypt and process the main code section. /// /// private bool Step2() { /** * TODO: * * Should we add custom checks here that mimic the validations of the stub based on the header flags? * * 0x01 - Hash check validation of the .bind code and stub header. * 0x02 - WinTrustVerify validation of the file. * * These would just be for warnings to let users know if the file was broken/tampered, but unpacking should * still complete if it can. */ // Determine the code section RVA.. var codeSectionRVA = this.File.NtHeaders.OptionalHeader.BaseOfCode; if (this.StubHeader.CodeSectionVirtualAddress != 0) codeSectionRVA = this.File.GetRvaFromVa(this.StubHeader.CodeSectionVirtualAddress); // Get the code section.. var codeSection = this.File.GetOwnerSection(codeSectionRVA); if (codeSection.PointerToRawData == 0 || codeSection.SizeOfRawData == 0) return false; this.CodeSectionIndex = this.File.GetSectionIndex(codeSection); // Get the code section data.. var codeSectionData = new byte[codeSection.SizeOfRawData]; Array.Copy(this.File.FileData, this.File.GetFileOffsetFromRva(codeSection.VirtualAddress), codeSectionData, 0, codeSection.SizeOfRawData); // Skip the code section encoding if we do not need to process it.. if ((this.StubHeader.Flags & (uint)DrmFlags.UseEncodedCodeSection) == 0) return true; // Decode the code section data.. var key = this.StubHeader.CodeSectionXorKey; var offset = 0; for (var x = this.StubHeader.CodeSectionSize >> 2; x > 0; --x) { var val1 = BitConverter.ToUInt32(codeSectionData, offset); var val2 = val1 ^ key; key = val1; Array.Copy(BitConverter.GetBytes(val2), 0, codeSectionData, offset, 4); offset += 4; } // Store the section data.. this.CodeSectionData = codeSectionData; return true; } /// /// Step #3 /// /// Prepare the file sections. /// /// private bool Step3() { // Remove the bind section if its not requested to be saved.. if (!this.Options.KeepBindSection) { // Obtain the .bind section.. var bindSection = this.File.GetSection(".bind"); if (!bindSection.IsValid) return false; // Remove the section.. this.File.RemoveSection(bindSection); // Decrease the header section count.. var ntHeaders = this.File.NtHeaders; ntHeaders.FileHeader.NumberOfSections--; this.File.NtHeaders = ntHeaders; this.Log(" --> .bind section was removed from the file.", LogMessageType.Debug); } else this.Log(" --> .bind section was kept in the file.", LogMessageType.Debug); try { // Rebuild the file sections.. this.File.RebuildSections(this.Options.DontRealignSections == false); } catch { return false; } return true; } /// /// Step #4 /// /// Rebuild and save the unpacked file. /// /// private bool Step4() { FileStream fStream = null; try { // Open the unpacked file for writing.. var unpackedPath = this.File.FilePath + ".unpacked.exe"; fStream = new FileStream(unpackedPath, FileMode.Create, FileAccess.ReadWrite); // Write the DOS header to the file.. fStream.WriteBytes(Pe32Helpers.GetStructureBytes(this.File.DosHeader)); // Write the DOS stub to the file.. if (this.File.DosStubSize > 0) fStream.WriteBytes(this.File.DosStubData); // Update the NT headers.. var ntHeaders = this.File.NtHeaders; var lastSection = this.File.Sections[this.File.Sections.Count - 1]; ntHeaders.OptionalHeader.AddressOfEntryPoint = this.File.GetRvaFromVa(this.StubHeader.OEP); ntHeaders.OptionalHeader.SizeOfImage = lastSection.VirtualAddress + lastSection.VirtualSize; this.File.NtHeaders = ntHeaders; // Write the NT headers to the file.. fStream.WriteBytes(Pe32Helpers.GetStructureBytes(ntHeaders)); // Write the sections to the file.. for (var x = 0; x < this.File.Sections.Count; x++) { var section = this.File.Sections[x]; var sectionData = this.File.SectionData[x]; // Write the section header to the file.. fStream.WriteBytes(Pe32Helpers.GetStructureBytes(section)); // Set the file pointer to the sections raw data.. var sectionOffset = fStream.Position; fStream.Position = section.PointerToRawData; // Write the sections raw data.. var sectionIndex = this.File.Sections.IndexOf(section); if (sectionIndex == this.CodeSectionIndex) fStream.WriteBytes(this.CodeSectionData ?? sectionData); else fStream.WriteBytes(sectionData); // Reset the file offset.. fStream.Position = sectionOffset; } // Set the stream to the end of the file.. fStream.Position = fStream.Length; // Write the overlay data if it exists.. if (this.File.OverlayData != null) fStream.WriteBytes(this.File.OverlayData); this.Log(" --> Unpacked file saved to disk!", LogMessageType.Success); this.Log($" --> File Saved As: {unpackedPath}", LogMessageType.Success); return true; } catch { this.Log(" --> Error trying to save unpacked file!", LogMessageType.Error); return false; } finally { fStream?.Dispose(); } } /// /// Disassembles the file to locate the needed DRM header information. /// /// /// /// /// private bool DisassembleFile(out uint offset, out uint size, out uint xorKey) { // Prepare our needed variables.. Disassembler disasm = null; var dataPointer = IntPtr.Zero; uint structOffset = 0; uint structSize = 0; uint structXorKey = 0; // Determine the entry offset of the file.. var entryOffset = this.File.GetFileOffsetFromRva(this.File.NtHeaders.OptionalHeader.AddressOfEntryPoint); try { // Copy the file data to memory for disassembling.. dataPointer = Marshal.AllocHGlobal(this.File.FileData.Length); Marshal.Copy(this.File.FileData, 0, dataPointer, this.File.FileData.Length); // Create an offset pointer to our .bind function start.. var startPointer = IntPtr.Add(dataPointer, (int)entryOffset); // Create the disassembler.. Disassembler.Translator.IncludeAddress = true; Disassembler.Translator.IncludeBinary = true; disasm = new Disassembler(startPointer, 4096, ArchitectureMode.x86_32, entryOffset); // Disassemble our function.. foreach (var inst in disasm.Disassemble().Where(inst => !inst.Error)) { // If all values are found, return successfully.. if (structOffset > 0 && structSize > 0 && structXorKey > 0) { offset = structOffset; size = structSize; xorKey = structXorKey; return true; } // Looks for: mov reg, immediate if (inst.Mnemonic == ud_mnemonic_code.UD_Imov && inst.Operands[0].Type == ud_type.UD_OP_REG && inst.Operands[1].Type == ud_type.UD_OP_IMM) { if (structOffset == 0) { structOffset = inst.Operands[1].LvalUDWord - this.File.NtHeaders.OptionalHeader.ImageBase; continue; } } // Looks for: mov reg, immediate if (inst.Mnemonic == ud_mnemonic_code.UD_Imov && inst.Operands[0].Type == ud_type.UD_OP_REG && inst.Operands[1].Type == ud_type.UD_OP_IMM) { structSize = inst.Operands[1].LvalUDWord * 4; structXorKey = 1; } } offset = size = xorKey = 0; return false; } catch { offset = size = xorKey = 0; return false; } finally { disasm?.Dispose(); if (dataPointer != IntPtr.Zero) Marshal.FreeHGlobal(dataPointer); } } /// /// Gets or sets the Steamless options this file was requested to process with. /// private SteamlessOptions Options { get; set; } /// /// Gets or sets the file being processed. /// private Pe32File File { get; set; } /// /// Gets or sets the current xor key being used against the file data. /// private uint XorKey { get; set; } /// /// Gets or sets the DRM stub header. /// private dynamic StubHeader { get; set; } /// /// Gets or sets the payload data. /// public byte[] PayloadData { get; set; } /// /// Gets or sets the SteamDRMP.dll data. /// public byte[] SteamDrmpData { get; set; } /// /// Gets or sets the list of SteamDRMP.dll offsets. /// public List SteamDrmpOffsets { get; set; } /// /// Gets or sets if the offsets should be read using fallback values. /// private bool UseFallbackDrmpOffsets { get; set; } /// /// Gets or sets the index of the code section. /// private int CodeSectionIndex { get; set; } /// /// Gets or sets the decrypted code section data. /// private byte[] CodeSectionData { get; set; } } }