public bool Phase1()
{
var decryptor = AsmDef.FindMethod(m => BaseIsDecryptor(m));
if (decryptor == null)
{
ThrowPhaseError("No string encryption?", 0, true);
return(true);
}
var resName = decryptor.Body.Instructions.GetOperandAt <string>(OpCodes.Ldstr, 1);
MarkMember(decryptor);
MarkMember(decryptor.DeclaringType.Methods.FirstOrDefault(m => m.IsConstructor));
if (resName == null)
{
ThrowPhaseError("Could not locate string resource!", 1, false);
return(false);
}
if (Globals.DeobContext.ResStreams.Count == 0)
{
PhaseParam = new object[]
{
Assembly.LoadFile(Globals.DeobContext.InPath).GetManifestResourceStream(resName),
decryptor
};
// Resource decryption compability
Globals.DeobContext.InPath = Globals.DeobContext.InPath.Replace("_resdump.exe", null);
}
else
{
PhaseParam = new object[] { Globals.DeobContext.ResStreams.First(res => res.Name == resName), decryptor }
};
if (PhaseParam[0] == null)
{
ThrowPhaseError("Null stream!", 1, false);
return(false);
}
MarkMember(AsmDef.MainModule.Resources.First(r => r.Name == resName));
Logger.VSLog("Found decryptor method at " + decryptor.Name);
return(true);
}
public static bool Phase1()
{
var cflowCleaner = new CflowDeobfuscator();
var mCounter = 0;
foreach (var mDef in AsmDef.FindMethods(m => true))
{
cflowCleaner.deobfuscate(mDef);
mCounter++;
Logger.VLog("Cleaned method: " + mDef.Name);
}
Logger.VSLog(string.Format("{0} methods cleaned...", mCounter));
return(true);
}
public bool Phase1()
{
var decryptor = AsmDef.FindMethod(IsDecryptor);
if (decryptor == null)
{
ThrowPhaseError("Could not find decryptor module!", 1, false);
return(false);
}
MarkMember(decryptor);
Logger.VSLog("Found decryptor module at: " + decryptor.Name);
PhaseParam = decryptor;
return(true);
}
// internal void Method21(int param19)
// {
// int metadataToken = param19 + 0x2000000;
// var typeDef = AsmDef.MainModule.Types.First(type => type.MetadataToken.ToInt32() == metadataToken);
// foreach (var fieldDef in typeDef.Fields)
// {
// string name = fieldDef.Name;
// StringBuilder builder = new StringBuilder();
// foreach (char t in name)
// {
// builder.Append((char) (((byte) t) + 0x2f));
// }
// int num3 = int.Parse(builder.ToString(), NumberStyles.HexNumber);
// int num4 = num3 & 0xffffff;
//// ReSharper disable UnusedVariable
// int num5 = num3 >> 0x18;
//// ReSharper restore UnusedVariable
// int num6 = 0xa000000 + num4;
//// ReSharper disable UnusedVariable
// var info2 = AsmDef.FindMethod(mDef => mDef.Resolve().MetadataToken.ToInt32() == num6);
//// ReSharper restore UnusedVariable
// // info.SetValue(null, Method_22(type, info2, num5));
// }
// }
#endregion
public MethodDefinition FindDecryptor()
{
var signature = new ILSignature
{
StartIndex = 0,
StartOpCode = OpCodes.Nop,
Instructions = new List <OpCode>
{
OpCodes.Ldsfld,
OpCodes.Call,
OpCodes.Newarr,
OpCodes.Stloc_0,
OpCodes.Ldc_R8,
OpCodes.Ldsfld,
OpCodes.Call
}
};
return(AsmDef.FindMethod(mDef => SignatureFinder.IsMatch(mDef, signature)));
}
public static MethodDefinition FindDecryptor()
{
var signature = new ILSignature
{
StartIndex = 1,
StartOpCode = OpCodes.Nop,
Instructions = new List <OpCode>
{
OpCodes.Callvirt,
OpCodes.Stloc_0,
OpCodes.Ldloc_0,
OpCodes.Newarr,
OpCodes.Stloc_1,
OpCodes.Ldc_I4_0,
OpCodes.Stloc_2
}
};
return(AsmDef.FindMethod(mdef => SignatureFinder.IsMatch(mdef, signature)));
}
public IEnumerable <TU> YieldProxyCalls <TU>(BasicResolverContext ctx)
{
foreach (var mDef in AsmDef.FindMethods(m => m.HasBody))
{
TypeDefinition targetType;
foreach (var instr in mDef.Body.Instructions.Where(i => i.OpCode == OpCodes.Call))
{
if (ctx.ProxyTypes.Contains(
(targetType = (instr.Operand as MethodReference).Resolve().DeclaringType)))
{
yield return((TU)Convert.ChangeType(new BasicResolverContext.ProxyCall
{
AssociatedProxyType = targetType,
Call = instr,
Source = mDef
}, typeof(TU)));
}
}
}
}
public bool Phase2()
{
var targetType = PhaseParam as TypeDefinition;
foreach (var mDef in AsmDef.FindMethods(m => m.HasBody))
{
if (mDef.Body.Instructions.GetOpCodeCount(OpCodes.Ldsfld) <= 0)
{
continue;
}
var badBranches = YieldBadBranches(targetType).ToList();
for (var i = 0; i < badBranches.Count; i++)
{
RemoveBranch(badBranches[i].Item1, badBranches[i].Item2);
}
}
return(true);
}
public IEnumerable <ObfusasmEntry> ConstructEntries(object param)
{
foreach (var mDef in AsmDef.FindMethods(m => m.HasBody))
{
for (var i = 0; i < mDef.Body.Instructions.Count; i++)
{
var instr = mDef.Body.Instructions[i];
MethodDefinition tmpTarget;
if (instr.OpCode == OpCodes.Call &&
(tmpTarget = (instr.Operand as MethodReference).Resolve()).DeclaringType == param as TypeDefinition)
{
if (!IsStringProxy(tmpTarget))
{
continue;
}
var decEntry = new ObfusasmEntry
{
Key =
tmpTarget.Body.Instructions.FindInstruction(
iinstr => iinstr.IsLdcI4(), 2).GetLdcI4(),
Key1 =
tmpTarget.Body.Instructions.FindInstruction(
iinstr => iinstr.IsLdcI4(), 3).GetLdcI4(),
Key2 =
tmpTarget.Body.Instructions.FindInstruction(
iinstr => iinstr.IsLdcI4(), 4).GetLdcI4(),
// TargetProxy = tmpTarget
};
decEntry.InsertTargets.Add(new Tuple <Instruction, MethodDefinition>(instr.Next, mDef));
MarkMember(instr, mDef);
yield return(decEntry);
}
}
}
}
public IEnumerable <T> ConstructEntries <T>(object param) where T : DecryptionContext
{
foreach (var mDef in AsmDef.FindMethods(m => m.HasBody))
{
foreach (var instr in mDef.Body.Instructions.Where(i => i.OpCode == OpCodes.Call))
{
if ((instr.Operand as MethodReference).Resolve() == param as MethodDefinition)
{
yield return(new HurpFuscatorEntry
{
Arg = instr.Previous.Operand as string,
Source = mDef,
BadInstructions = new List <Instruction>
{
instr.Previous,
instr
}
} as T);
}
}
}
}
public static bool Phase1()
{
var target = AsmDef.FindMethod(mDef => mDef.Name == "lf");
_offset = (int)Convert.ChangeType(target.Body.Instructions.First(instr => instr.IsLdcI4WOperand()).Operand, typeof(Int32));
PhaseParam = lf(Globals.DeobContext.InPath);
if (PhaseParam.Length == 0)
{
PhaseError = new PhaseError
{
Level = PhaseError.ErrorLevel.Critical,
Message = "Failed to retrieve data!"
};
return(false);
}
Logger.VSLog("Retrieved compressed data...");
return(true);
}
public bool Phase1()
{
// WEAK!
var target =
AsmDef.FindMethod(
mDef =>
mDef.Body.Instructions.GetOpCodeCount(OpCodes.Xor) == 4 &&
mDef.Body.Variables.Count == 10 &&
mDef.Parameters.Count == 1 &&
mDef.Parameters[0].ParameterType.ToString().Contains("Int32"));
if (target == null)
{
ThrowPhaseError("Could not locate decryption method!", 1, false);
return(false);
}
PhaseParam = target;
Logger.VSLog(string.Format("Located decryption method at {0}::{1}...", target.DeclaringType.Name,
target.Name));
return(true);
}
public IEnumerable <Confuser1_7Entry> ConstructEntries(object param)
{
foreach (var mDef in AsmDef.FindMethods(m => true).Where(mDef => !BaseIsDecryptor(mDef)))
{
if (!mDef.HasBody)
{
continue;
}
for (var i = 0; i < mDef.Body.Instructions.Count; i++)
{
var instr = mDef.Body.Instructions[i];
if (instr.Previous == null)
{
continue;
}
if (instr.OpCode != OpCodes.Call || instr.Previous.OpCode != OpCodes.Ldc_I4 ||
!BaseIsDecryptor((instr.Operand as MethodReference).Resolve()))
{
continue;
}
var entry = new Confuser1_7Entry
{
Id = (int)instr.Previous.Operand,
Caller = mDef,
MDToken = mDef.MetadataToken.ToUInt32(),
BadInstructions = mDef.Body.Instructions.GetInstructionBlock(i - 1, 3),
};
yield return(entry);
}
}
}
public IEnumerable <MancoContext> ConstructEntries(object param)
{
foreach (var mDef in AsmDef.FindMethods(m => m.HasBody))
{
if (mDef.Body.Instructions.GetOpCodeCount(OpCodes.Ldsfld) > 0)
{
foreach (var fLoad in mDef.Body.Instructions.Where(i => i.OpCode == OpCodes.Ldsfld))
{
if ((fLoad.Operand as FieldReference).Resolve().DeclaringType != _decryptor.DeclaringType)
{
continue;
}
yield return(new MancoContext
{
Caller = fLoad,
Source = mDef,
TargetField = (fLoad.Operand as FieldReference).Resolve(),
OrigString = FindAssociatedString((fLoad.Operand as FieldReference).Resolve())
});
}
}
}
}
public static void RenameMembers()
{
int tCount = 0,
mCount = 0,
eCount = 0,
nCount = 0,
rCount = 0,
moCount = 0,
dCounter = 0,
frmCount = 0;
var namespaces = new SortedList <string, List <TypeDefinition> >();
string oldName;
Logger.VSLog("Renaming symbols...");
Logger.VLog("");
foreach (var typeDef in AsmDef.Modules.SelectMany(modDef => modDef.Types))
{
if (namespaces.Keys.Contains(typeDef.Namespace))
{
namespaces[typeDef.Namespace].Add(typeDef);
}
else
{
namespaces.Add(typeDef.Namespace, new List <TypeDefinition> {
typeDef
});
}
}
foreach (var ns in namespaces)
{
if (_scheme.Namespaces && !ns.Key.EndsWith("My"))
{
oldName = ns.Key;
foreach (var typeDef in ns.Value)
{
typeDef.Namespace = "Namespace_" + nCount;
}
Logger.VLog("[Rename(Namespace)] " + oldName + " -> " + "Namespace_" + nCount);
nCount++;
}
}
namespaces.Clear();
foreach (var modDef in AsmDef.Modules)
{
modDef.Name = "Module_" + moCount++;
foreach (
var typeDef in
modDef.GetAllTypes().Where(
tDef =>
!tDef.IsRuntimeSpecialName &&
!tDef.IsSpecialName &&
!(tDef.Name.StartsWith("<") && tDef.Name.EndsWith(">"))))
{
if (typeDef.TopParentType().Namespace.EndsWith("My") || !_scheme.Types)
{
continue;
}
oldName = typeDef.Name;
if (typeDef.BaseType == null || typeDef.BaseType.Name != "Form")
{
typeDef.Name = "Type_" + tCount++;
}
else
{
typeDef.Name = "Form_" + frmCount++;
}
Logger.VLog("[Rename(Type)] " + oldName + " -> " + typeDef.Name);
}
foreach (var typeDef in modDef.GetAllTypes())
{
if (typeDef.Namespace.EndsWith("My") || !_scheme.Types)
{
continue;
}
if (typeDef.IsGenericInstance || typeDef.IsGenericParameter)
{
continue;
}
#region Methods
if (_scheme.Methods)
{
foreach (var mDef in typeDef.Methods.Where(mDef => !mDef.IsRuntimeSpecialName &&
!mDef.HasGenericParameters &&
!mDef.DeclaringType.HasGenericParameters))
{
oldName = mDef.Name;
mDef.Name = "Method_" + mCount++;
Logger.VLog("[Rename(Method)] " + oldName + " -> " + mDef.Name);
var pCount = 0;
foreach (var paramDef in mDef.Parameters)
{
oldName = paramDef.Name;
paramDef.Name = paramDef.ParameterType.Name.ToLower() + "_" + pCount++;
Logger.VLog("[Rename(Parameter)] " + oldName + " -> " + paramDef.Name);
}
}
}
#endregion
#region Fields
if (_scheme.Fields)
{
var fCount = 0;
foreach (var fieldDef in typeDef.Fields)
{
if (fieldDef.IsRuntimeSpecialName || fieldDef.DeclaringType.HasGenericParameters)
{
continue;
}
oldName = fieldDef.Name;
fieldDef.Name = fieldDef.FieldType.Name.ToLower() + "_" + fCount++;
Logger.VLog("[Rename(Field)] " + oldName + " -> " + fieldDef.Name);
}
}
#endregion
#region Events
if (_scheme.Events)
{
foreach (var eventDef in typeDef.Events)
{
if (eventDef.IsRuntimeSpecialName || eventDef.IsSpecialName)
{
continue;
}
oldName = eventDef.Name;
eventDef.Name = "Event_" + eCount++;
Logger.VLog("[Rename(Event)] " + oldName + " -> " + eventDef.Name);
}
}
#endregion
#region Properties
if (_scheme.Properties)
{
int prCount = 0;
foreach (var propDef in typeDef.Properties)
{
if (propDef.IsRuntimeSpecialName || propDef.IsSpecialName)
{
continue;
}
oldName = propDef.Name;
propDef.Name = "prop" + propDef.PropertyType.Name + "_" + prCount++;
Logger.VLog("[Rename(Property)] " + oldName + " -> " + propDef.Name);
}
}
#endregion
#region Delegates
if (typeDef.BaseType == null)
{
continue;
}
if (_scheme.Delegates)
{
if (typeDef.BaseType.ToString().ToLower().Contains("multicastdelegate"))
{
if (typeDef.IsRuntimeSpecialName || typeDef.IsSpecialName)
{
continue;
}
oldName = typeDef.Name;
typeDef.Name = "delegate_" + dCounter++;
Logger.VLog("[Rename(Delegate)] " + oldName + " -> " + typeDef.Name);
}
}
#endregion
}
if (_scheme.Resources)
{
foreach (var res in modDef.Resources)
{
oldName = res.Name;
res.Name = "Resource_" + rCount++;
// we need to update all resourcemanager initialization strings if we rename resources
AsmDef.ReplaceString(oldName.Replace(".resources", null), res.Name);
Logger.VLog("[Rename(Resource)] " + oldName + " -> " + res.Name);
}
}
}
}
