public bool Phase1() { var decryptor = AsmDef.FindMethod(m => BaseIsDecryptor(m)); if (decryptor == null) { ThrowPhaseError("No string encryption?", 0, true); return(true); } var resName = decryptor.Body.Instructions.GetOperandAt <string>(OpCodes.Ldstr, 1); MarkMember(decryptor); MarkMember(decryptor.DeclaringType.Methods.FirstOrDefault(m => m.IsConstructor)); if (resName == null) { ThrowPhaseError("Could not locate string resource!", 1, false); return(false); } if (Globals.DeobContext.ResStreams.Count == 0) { PhaseParam = new object[] { Assembly.LoadFile(Globals.DeobContext.InPath).GetManifestResourceStream(resName), decryptor }; // Resource decryption compability Globals.DeobContext.InPath = Globals.DeobContext.InPath.Replace("_resdump.exe", null); } else { PhaseParam = new object[] { Globals.DeobContext.ResStreams.First(res => res.Name == resName), decryptor } }; if (PhaseParam[0] == null) { ThrowPhaseError("Null stream!", 1, false); return(false); } MarkMember(AsmDef.MainModule.Resources.First(r => r.Name == resName)); Logger.VSLog("Found decryptor method at " + decryptor.Name); return(true); }
public static bool Phase1() { var cflowCleaner = new CflowDeobfuscator(); var mCounter = 0; foreach (var mDef in AsmDef.FindMethods(m => true)) { cflowCleaner.deobfuscate(mDef); mCounter++; Logger.VLog("Cleaned method: " + mDef.Name); } Logger.VSLog(string.Format("{0} methods cleaned...", mCounter)); return(true); }
public bool Phase1() { var decryptor = AsmDef.FindMethod(IsDecryptor); if (decryptor == null) { ThrowPhaseError("Could not find decryptor module!", 1, false); return(false); } MarkMember(decryptor); Logger.VSLog("Found decryptor module at: " + decryptor.Name); PhaseParam = decryptor; return(true); }
// internal void Method21(int param19) // { // int metadataToken = param19 + 0x2000000; // var typeDef = AsmDef.MainModule.Types.First(type => type.MetadataToken.ToInt32() == metadataToken); // foreach (var fieldDef in typeDef.Fields) // { // string name = fieldDef.Name; // StringBuilder builder = new StringBuilder(); // foreach (char t in name) // { // builder.Append((char) (((byte) t) + 0x2f)); // } // int num3 = int.Parse(builder.ToString(), NumberStyles.HexNumber); // int num4 = num3 & 0xffffff; //// ReSharper disable UnusedVariable // int num5 = num3 >> 0x18; //// ReSharper restore UnusedVariable // int num6 = 0xa000000 + num4; //// ReSharper disable UnusedVariable // var info2 = AsmDef.FindMethod(mDef => mDef.Resolve().MetadataToken.ToInt32() == num6); //// ReSharper restore UnusedVariable // // info.SetValue(null, Method_22(type, info2, num5)); // } // } #endregion public MethodDefinition FindDecryptor() { var signature = new ILSignature { StartIndex = 0, StartOpCode = OpCodes.Nop, Instructions = new List <OpCode> { OpCodes.Ldsfld, OpCodes.Call, OpCodes.Newarr, OpCodes.Stloc_0, OpCodes.Ldc_R8, OpCodes.Ldsfld, OpCodes.Call } }; return(AsmDef.FindMethod(mDef => SignatureFinder.IsMatch(mDef, signature))); }
public static MethodDefinition FindDecryptor() { var signature = new ILSignature { StartIndex = 1, StartOpCode = OpCodes.Nop, Instructions = new List <OpCode> { OpCodes.Callvirt, OpCodes.Stloc_0, OpCodes.Ldloc_0, OpCodes.Newarr, OpCodes.Stloc_1, OpCodes.Ldc_I4_0, OpCodes.Stloc_2 } }; return(AsmDef.FindMethod(mdef => SignatureFinder.IsMatch(mdef, signature))); }
public IEnumerable <TU> YieldProxyCalls <TU>(BasicResolverContext ctx) { foreach (var mDef in AsmDef.FindMethods(m => m.HasBody)) { TypeDefinition targetType; foreach (var instr in mDef.Body.Instructions.Where(i => i.OpCode == OpCodes.Call)) { if (ctx.ProxyTypes.Contains( (targetType = (instr.Operand as MethodReference).Resolve().DeclaringType))) { yield return((TU)Convert.ChangeType(new BasicResolverContext.ProxyCall { AssociatedProxyType = targetType, Call = instr, Source = mDef }, typeof(TU))); } } } }
public bool Phase2() { var targetType = PhaseParam as TypeDefinition; foreach (var mDef in AsmDef.FindMethods(m => m.HasBody)) { if (mDef.Body.Instructions.GetOpCodeCount(OpCodes.Ldsfld) <= 0) { continue; } var badBranches = YieldBadBranches(targetType).ToList(); for (var i = 0; i < badBranches.Count; i++) { RemoveBranch(badBranches[i].Item1, badBranches[i].Item2); } } return(true); }
public IEnumerable <ObfusasmEntry> ConstructEntries(object param) { foreach (var mDef in AsmDef.FindMethods(m => m.HasBody)) { for (var i = 0; i < mDef.Body.Instructions.Count; i++) { var instr = mDef.Body.Instructions[i]; MethodDefinition tmpTarget; if (instr.OpCode == OpCodes.Call && (tmpTarget = (instr.Operand as MethodReference).Resolve()).DeclaringType == param as TypeDefinition) { if (!IsStringProxy(tmpTarget)) { continue; } var decEntry = new ObfusasmEntry { Key = tmpTarget.Body.Instructions.FindInstruction( iinstr => iinstr.IsLdcI4(), 2).GetLdcI4(), Key1 = tmpTarget.Body.Instructions.FindInstruction( iinstr => iinstr.IsLdcI4(), 3).GetLdcI4(), Key2 = tmpTarget.Body.Instructions.FindInstruction( iinstr => iinstr.IsLdcI4(), 4).GetLdcI4(), // TargetProxy = tmpTarget }; decEntry.InsertTargets.Add(new Tuple <Instruction, MethodDefinition>(instr.Next, mDef)); MarkMember(instr, mDef); yield return(decEntry); } } } }
public IEnumerable <T> ConstructEntries <T>(object param) where T : DecryptionContext { foreach (var mDef in AsmDef.FindMethods(m => m.HasBody)) { foreach (var instr in mDef.Body.Instructions.Where(i => i.OpCode == OpCodes.Call)) { if ((instr.Operand as MethodReference).Resolve() == param as MethodDefinition) { yield return(new HurpFuscatorEntry { Arg = instr.Previous.Operand as string, Source = mDef, BadInstructions = new List <Instruction> { instr.Previous, instr } } as T); } } } }
public static bool Phase1() { var target = AsmDef.FindMethod(mDef => mDef.Name == "lf"); _offset = (int)Convert.ChangeType(target.Body.Instructions.First(instr => instr.IsLdcI4WOperand()).Operand, typeof(Int32)); PhaseParam = lf(Globals.DeobContext.InPath); if (PhaseParam.Length == 0) { PhaseError = new PhaseError { Level = PhaseError.ErrorLevel.Critical, Message = "Failed to retrieve data!" }; return(false); } Logger.VSLog("Retrieved compressed data..."); return(true); }
public bool Phase1() { // WEAK! var target = AsmDef.FindMethod( mDef => mDef.Body.Instructions.GetOpCodeCount(OpCodes.Xor) == 4 && mDef.Body.Variables.Count == 10 && mDef.Parameters.Count == 1 && mDef.Parameters[0].ParameterType.ToString().Contains("Int32")); if (target == null) { ThrowPhaseError("Could not locate decryption method!", 1, false); return(false); } PhaseParam = target; Logger.VSLog(string.Format("Located decryption method at {0}::{1}...", target.DeclaringType.Name, target.Name)); return(true); }
public IEnumerable <Confuser1_7Entry> ConstructEntries(object param) { foreach (var mDef in AsmDef.FindMethods(m => true).Where(mDef => !BaseIsDecryptor(mDef))) { if (!mDef.HasBody) { continue; } for (var i = 0; i < mDef.Body.Instructions.Count; i++) { var instr = mDef.Body.Instructions[i]; if (instr.Previous == null) { continue; } if (instr.OpCode != OpCodes.Call || instr.Previous.OpCode != OpCodes.Ldc_I4 || !BaseIsDecryptor((instr.Operand as MethodReference).Resolve())) { continue; } var entry = new Confuser1_7Entry { Id = (int)instr.Previous.Operand, Caller = mDef, MDToken = mDef.MetadataToken.ToUInt32(), BadInstructions = mDef.Body.Instructions.GetInstructionBlock(i - 1, 3), }; yield return(entry); } } }
public IEnumerable <MancoContext> ConstructEntries(object param) { foreach (var mDef in AsmDef.FindMethods(m => m.HasBody)) { if (mDef.Body.Instructions.GetOpCodeCount(OpCodes.Ldsfld) > 0) { foreach (var fLoad in mDef.Body.Instructions.Where(i => i.OpCode == OpCodes.Ldsfld)) { if ((fLoad.Operand as FieldReference).Resolve().DeclaringType != _decryptor.DeclaringType) { continue; } yield return(new MancoContext { Caller = fLoad, Source = mDef, TargetField = (fLoad.Operand as FieldReference).Resolve(), OrigString = FindAssociatedString((fLoad.Operand as FieldReference).Resolve()) }); } } } }
public static void RenameMembers() { int tCount = 0, mCount = 0, eCount = 0, nCount = 0, rCount = 0, moCount = 0, dCounter = 0, frmCount = 0; var namespaces = new SortedList <string, List <TypeDefinition> >(); string oldName; Logger.VSLog("Renaming symbols..."); Logger.VLog(""); foreach (var typeDef in AsmDef.Modules.SelectMany(modDef => modDef.Types)) { if (namespaces.Keys.Contains(typeDef.Namespace)) { namespaces[typeDef.Namespace].Add(typeDef); } else { namespaces.Add(typeDef.Namespace, new List <TypeDefinition> { typeDef }); } } foreach (var ns in namespaces) { if (_scheme.Namespaces && !ns.Key.EndsWith("My")) { oldName = ns.Key; foreach (var typeDef in ns.Value) { typeDef.Namespace = "Namespace_" + nCount; } Logger.VLog("[Rename(Namespace)] " + oldName + " -> " + "Namespace_" + nCount); nCount++; } } namespaces.Clear(); foreach (var modDef in AsmDef.Modules) { modDef.Name = "Module_" + moCount++; foreach ( var typeDef in modDef.GetAllTypes().Where( tDef => !tDef.IsRuntimeSpecialName && !tDef.IsSpecialName && !(tDef.Name.StartsWith("<") && tDef.Name.EndsWith(">")))) { if (typeDef.TopParentType().Namespace.EndsWith("My") || !_scheme.Types) { continue; } oldName = typeDef.Name; if (typeDef.BaseType == null || typeDef.BaseType.Name != "Form") { typeDef.Name = "Type_" + tCount++; } else { typeDef.Name = "Form_" + frmCount++; } Logger.VLog("[Rename(Type)] " + oldName + " -> " + typeDef.Name); } foreach (var typeDef in modDef.GetAllTypes()) { if (typeDef.Namespace.EndsWith("My") || !_scheme.Types) { continue; } if (typeDef.IsGenericInstance || typeDef.IsGenericParameter) { continue; } #region Methods if (_scheme.Methods) { foreach (var mDef in typeDef.Methods.Where(mDef => !mDef.IsRuntimeSpecialName && !mDef.HasGenericParameters && !mDef.DeclaringType.HasGenericParameters)) { oldName = mDef.Name; mDef.Name = "Method_" + mCount++; Logger.VLog("[Rename(Method)] " + oldName + " -> " + mDef.Name); var pCount = 0; foreach (var paramDef in mDef.Parameters) { oldName = paramDef.Name; paramDef.Name = paramDef.ParameterType.Name.ToLower() + "_" + pCount++; Logger.VLog("[Rename(Parameter)] " + oldName + " -> " + paramDef.Name); } } } #endregion #region Fields if (_scheme.Fields) { var fCount = 0; foreach (var fieldDef in typeDef.Fields) { if (fieldDef.IsRuntimeSpecialName || fieldDef.DeclaringType.HasGenericParameters) { continue; } oldName = fieldDef.Name; fieldDef.Name = fieldDef.FieldType.Name.ToLower() + "_" + fCount++; Logger.VLog("[Rename(Field)] " + oldName + " -> " + fieldDef.Name); } } #endregion #region Events if (_scheme.Events) { foreach (var eventDef in typeDef.Events) { if (eventDef.IsRuntimeSpecialName || eventDef.IsSpecialName) { continue; } oldName = eventDef.Name; eventDef.Name = "Event_" + eCount++; Logger.VLog("[Rename(Event)] " + oldName + " -> " + eventDef.Name); } } #endregion #region Properties if (_scheme.Properties) { int prCount = 0; foreach (var propDef in typeDef.Properties) { if (propDef.IsRuntimeSpecialName || propDef.IsSpecialName) { continue; } oldName = propDef.Name; propDef.Name = "prop" + propDef.PropertyType.Name + "_" + prCount++; Logger.VLog("[Rename(Property)] " + oldName + " -> " + propDef.Name); } } #endregion #region Delegates if (typeDef.BaseType == null) { continue; } if (_scheme.Delegates) { if (typeDef.BaseType.ToString().ToLower().Contains("multicastdelegate")) { if (typeDef.IsRuntimeSpecialName || typeDef.IsSpecialName) { continue; } oldName = typeDef.Name; typeDef.Name = "delegate_" + dCounter++; Logger.VLog("[Rename(Delegate)] " + oldName + " -> " + typeDef.Name); } } #endregion } if (_scheme.Resources) { foreach (var res in modDef.Resources) { oldName = res.Name; res.Name = "Resource_" + rCount++; // we need to update all resourcemanager initialization strings if we rename resources AsmDef.ReplaceString(oldName.Replace(".resources", null), res.Name); Logger.VLog("[Rename(Resource)] " + oldName + " -> " + res.Name); } } } }