List <TypeDef> FindVmHandlerTypes()
{
var requiredFields = new string[] {
null,
"System.Collections.Generic.Dictionary`2<System.UInt16,System.Type>",
"System.UInt16",
};
var cflowDeobfuscator = new CflowDeobfuscator();
foreach (var type in module.Types)
{
var cctor = type.FindStaticConstructor();
if (cctor == null)
{
continue;
}
requiredFields[0] = type.FullName;
var fieldTypes = new FieldTypes(type);
if (!fieldTypes.All(requiredFields))
{
continue;
}
cflowDeobfuscator.Deobfuscate(cctor);
var handlers = FindVmHandlerTypes(cctor);
return(handlers);
}
return(null);
}
void Find()
{
var cflowDeobfuscator = new CflowDeobfuscator(new MethodCallInliner(true));
foreach (var type in module.Types)
{
if (DotNetUtils.GetPInvokeMethod(type, "kernel32", "CloseHandle") == null)
{
continue;
}
var resolver = new AssemblyResolver(type, cflowDeobfuscator);
if (!resolver.Detected)
{
continue;
}
var patcher = new MemoryPatcher(type, cflowDeobfuscator);
if (!patcher.Detected)
{
continue;
}
assemblyResolver = resolver;
memoryPatcher = patcher;
return;
}
}
List <TypeDefinition> findVmHandlerTypes()
{
var requiredFields = new string[] {
null,
"System.Collections.Generic.Dictionary`2<System.UInt16,System.Type>",
"System.UInt16",
};
var cflowDeobfuscator = new CflowDeobfuscator(new NoMethodInliner());
foreach (var type in module.Types)
{
var cctor = DotNetUtils.getMethod(type, ".cctor");
if (cctor == null)
{
continue;
}
requiredFields[0] = type.FullName;
if (!new FieldTypes(type).exactly(requiredFields))
{
continue;
}
cflowDeobfuscator.deobfuscate(cctor);
var handlers = findVmHandlerTypes(cctor);
if (handlers.Count != 31)
{
continue;
}
return(handlers);
}
return(null);
}
private void Window_Loaded(object sender, RoutedEventArgs e)
{
ilOutput = TextColorWriterToDecompilerOutput.Create(new RichTextBoxTextColorOutput(ILView, ManualMode.Theme));
exprOutput = new RichTextBoxTextColorOutput(ExprView, ManualMode.Theme);
ILView.Document.PageWidth = 1000;
method = DotNetUtils.Clone(((IMethodNode)(((object[])this.DataContext)[0])).MethodDef);
Blocks blocks = new Blocks(method);
CancellationToken token = default(CancellationToken);
cflowDeobfuscator = new CflowDeobfuscator();
cflowDeobfuscator.Initialize(blocks, token);
cflowDeobfuscator.CheckBlocks();
for (int i = 0; i < cflowDeobfuscator.UnsolvedBlocks.Count(); i++)
{
BlocksListView.Items.Add("Block " + i.ToString());
}
if (BlocksListView.Items.Count > 0)
{
BlocksListView.SelectedIndex = 0;
}
else
{
Consts.IsEnabled = false;
Value.IsEnabled = false;
SetButton.IsEnabled = false;
SolveButton.IsEnabled = false;
MsgBox.Instance.Show("There is no unpredictable control transfers in this method");
}
}
public static bool Phase1()
{
var cflowCleaner = new CflowDeobfuscator();
var mCounter = 0;
foreach (var mDef in AsmDef.FindMethods(m => true))
{
cflowCleaner.deobfuscate(mDef);
mCounter++;
Logger.VLog("Cleaned method: " + mDef.Name);
}
Logger.VSLog(string.Format("{0} methods cleaned...", mCounter));
return(true);
}
public static void Deobfuscate(MethodDef method, CancellationToken token)
{
bool result;
CflowDeobfuscator cflowDeobfuscator = new CflowDeobfuscator();
IList <Instruction> allInstructions;
IList <ExceptionHandler> allExceptionHandlers;
MethodDef tempMethod = DotNetUtils.Clone(method);
Blocks blocks = new Blocks(tempMethod);
cflowDeobfuscator.Initialize(blocks, token);
result = cflowDeobfuscator.Deobfuscate();
blocks.GetCode(out allInstructions, out allExceptionHandlers);
DotNetUtils.RestoreBody(tempMethod, (IEnumerable <Instruction>)allInstructions, (IEnumerable <ExceptionHandler>)allExceptionHandlers);
RestoreMethod(method, tempMethod);
if (result)
{
DeadCodeHandler(method, token);
}
}
public static void DeobfuscateAssisted(MethodDef method, CancellationToken token, Context ctx, BoolExpr expr, Block block)
{
CflowDeobfuscator cflowDeobfuscator = new CflowDeobfuscator();
IList <Instruction> allInstructions;
IList <ExceptionHandler> allExceptionHandlers;
MethodDef tempMethod = DotNetUtils.Clone(method);
Blocks blocks = new Blocks(tempMethod);
cflowDeobfuscator.Initialize(blocks, token);
List <Block> allBlocks = new List <Block>();
blocks.MethodBlocks.GetAllBlocks(allBlocks);
var newBlock = allBlocks.Find(x => x.FirstInstr.Instruction.Offset == block.FirstInstr.Instruction.Offset);
cflowDeobfuscator.SolveBlockAssisted(ctx, expr, newBlock);
blocks.GetCode(out allInstructions, out allExceptionHandlers);
DotNetUtils.RestoreBody(tempMethod, (IEnumerable <Instruction>)allInstructions, (IEnumerable <ExceptionHandler>)allExceptionHandlers);
RestoreMethod(method, tempMethod);
DeadCodeHandler(method, token);
}
