public void Find()
{
foreach (var calledMethod in DotNetUtils.GetCalledMethods(module, DotNetUtils.GetModuleTypeCctor(module)))
{
if (!DotNetUtils.IsMethod(calledMethod, "System.Void", "()"))
{
continue;
}
if (calledMethod.DeclaringType.FullName != "<PrivateImplementationDetails>{F1C5056B-0AFC-4423-9B83-D13A26B48869}")
{
continue;
}
nativeLibCallerType = calledMethod.DeclaringType;
initMethod = calledMethod;
foreach (var s in DotNetUtils.GetCodeStrings(initMethod))
{
nativeFileResource = DotNetUtils.GetResource(module, s);
if (nativeFileResource != null)
{
break;
}
}
return;
}
}
EmbeddedResource FindGetManifestResourceStreamTypeResource(TypeDef type, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
{
foreach (var method in type.Methods)
{
if (!method.IsPrivate || !method.IsStatic || method.Body == null)
{
continue;
}
if (!DotNetUtils.IsMethod(method, "System.String", "(System.Reflection.Assembly,System.Type,System.String)"))
{
continue;
}
simpleDeobfuscator.Deobfuscate(method);
simpleDeobfuscator.DecryptStrings(method, deob);
foreach (var s in DotNetUtils.GetCodeStrings(method))
{
var resource = DotNetUtils.GetResource(module, s) as EmbeddedResource;
if (resource != null)
{
return(resource);
}
}
}
return(null);
}
bool ContainsString(MethodDef method, string part) {
foreach (var s in DotNetUtils.GetCodeStrings(method)) {
if (s.Contains(part))
return true;
}
return false;
}
static EmbeddedResource FindEmbeddedResource2(ModuleDefMD module, MethodDef method)
{
var strings = new List <string>(DotNetUtils.GetCodeStrings(method));
if (strings.Count != 1)
{
return(null);
}
var encryptedString = strings[0];
int xorKey;
if (!GetXorKey2(method, out xorKey))
{
return(null);
}
var sb = new StringBuilder(encryptedString.Length);
foreach (var c in encryptedString)
{
sb.Append((char)(c ^ xorKey));
}
return(DotNetUtils.GetResource(module, sb.ToString()) as EmbeddedResource);
}
protected override bool CheckHandlerMethod(MethodDef method)
{
if (!method.IsStatic || !method.HasBody)
{
return(false);
}
var infos = new List <EmbeddedAssemblyInfo>();
foreach (var s in DotNetUtils.GetCodeStrings(method))
{
if (string.IsNullOrEmpty(s))
{
continue;
}
if (!InitInfos(infos, s.Split(',')))
{
continue;
}
embeddedAssemblyInfos = infos;
FindSimpleZipType(method);
return(true);
}
return(false);
}
bool CheckEncryptedMethod(MethodDef method, out EncryptInfo info)
{
info = null;
if (method.Body == null)
{
return(false);
}
if (!CallsExecuteMethod(method))
{
return(false);
}
var strings = DotNetUtils.GetCodeStrings(method);
if (strings.Count != 1)
{
throw new ApplicationException("Could not find name of encrypted method");
}
string feature = "";
string name = strings[0];
int index = name.IndexOf(':');
if (index >= 0)
{
feature = name.Substring(0, index);
name = name.Substring(index + 1);
}
info = new EncryptInfo(name, feature, method);
return(true);
}
string GetResourceName()
{
var defaultName = module.Assembly.Name.String + module.Assembly.Name.String;
var cctor = stringDecrypterType.FindStaticConstructor();
if (cctor == null)
{
return(defaultName);
}
foreach (var s in DotNetUtils.GetCodeStrings(cctor))
{
if (DotNetUtils.GetResource(module, s) != null)
{
return(s);
}
try {
return(Encoding.UTF8.GetString(Convert.FromBase64String(s)));
}
catch {
}
}
return(defaultName);
}
public static EmbeddedResource GetResource(ModuleDefMD module, MethodDef method)
{
if (method == null || method.Body == null)
{
return(null);
}
return(GetResource(module, DotNetUtils.GetCodeStrings(method)));
}
public void Find(ISimpleDeobfuscator simpleDeobfuscator)
{
var additionalTypes = new string[] {
"System.String",
};
EmbeddedResource stringsResource = null;
foreach (var type in module.Types)
{
if (decrypterInfos.Count > 0)
{
break;
}
if (type.BaseType == null || type.BaseType.FullName != "System.Object")
{
continue;
}
foreach (var method in type.Methods)
{
if (!method.IsStatic || !method.HasBody)
{
continue;
}
if (!DotNetUtils.IsMethod(method, "System.String", "(System.Int32)"))
{
continue;
}
if (!encryptedResource.CouldBeResourceDecrypter(method, additionalTypes))
{
continue;
}
var resource = DotNetUtils.GetResource(module, DotNetUtils.GetCodeStrings(method)) as EmbeddedResource;
if (resource == null)
{
throw new ApplicationException("Could not find strings resource");
}
if (stringsResource != null && stringsResource != resource)
{
throw new ApplicationException("Two different string resources found");
}
stringsResource = resource;
encryptedResource.Method = method;
var info = new DecrypterInfo(method, null, null);
simpleDeobfuscator.Deobfuscate(info.method);
FindKeyIv(info.method, out info.key, out info.iv);
decrypterInfos.Add(info);
}
}
if (decrypterInfos.Count > 0)
{
FindOtherStringDecrypter(decrypterInfos[0].method.DeclaringType);
}
}
static EmbeddedResource FindEmbeddedResource1(ModuleDefMD module, MethodDef method)
{
foreach (var s in DotNetUtils.GetCodeStrings(method))
{
if (DotNetUtils.GetResource(module, s) is EmbeddedResource resource)
{
return(resource);
}
}
return(null);
}
static bool FindString(MethodDef method, string s)
{
foreach (var cs in DotNetUtils.GetCodeStrings(method))
{
if (cs == s)
{
return(true);
}
}
return(false);
}
public void Initialize(ResourceDecrypter resourceDecrypter)
{
if (decrypterType == null)
{
return;
}
encryptedResource = CoUtils.GetResource(module, DotNetUtils.GetCodeStrings(decrypterType.FindStaticConstructor()));
encryptedResource.Data.Position = 0;
constantsData = resourceDecrypter.Decrypt(encryptedResource.Data.CreateStream());
}
static bool HasCodeString(MethodDef method, string str)
{
foreach (var s in DotNetUtils.GetCodeStrings(method))
{
if (s == str)
{
return(true);
}
}
return(false);
}
string GetResourcePrefix(MethodDef handler)
{
foreach (var s in DotNetUtils.GetCodeStrings(handler))
{
var resource = DotNetUtils.GetResource(module, s + "00000") as EmbeddedResource;
if (resource != null)
{
return(s);
}
}
return(null);
}
EmbeddedResource FindMethodsDecrypterResource(MethodDef method)
{
foreach (var s in DotNetUtils.GetCodeStrings(method))
{
var resource = DotNetUtils.GetResource(module, s) as EmbeddedResource;
if (resource != null)
{
return(resource);
}
}
return(null);
}
public static EmbeddedResource GetEmbeddedResourceFromCodeStrings(ModuleDef module, MethodDef method)
{
foreach (var s in DotNetUtils.GetCodeStrings(method))
{
var resource = DotNetUtils.GetResource(module, s) as EmbeddedResource;
if (resource != null)
{
return(resource);
}
}
return(null);
}
static byte[] GetSalt(MethodDef method)
{
foreach (var s in DotNetUtils.GetCodeStrings(method))
{
var saltAry = FixSalt(s);
if (saltAry != null)
{
return(saltAry);
}
}
return(null);
}
public EmbeddedResource MergeResources()
{
if (rsrcResolveMethod == null)
{
return(null);
}
var resource = DotNetUtils.GetResource(module, DotNetUtils.GetCodeStrings(rsrcResolveMethod)) as EmbeddedResource;
if (resource == null)
{
return(null);
}
DeobUtils.DecryptAndAddResources(module, resource.Name.String, () => DecryptResource(resource));
return(resource);
}
// Find the embedded resource where all the strings are encrypted
EmbeddedResource FindStringResource(MethodDef method)
{
foreach (var s in DotNetUtils.GetCodeStrings(method))
{
if (s == null)
{
continue;
}
if (DotNetUtils.GetResource(module, s) is EmbeddedResource resource)
{
return(resource);
}
}
return(null);
}
public List <ResourceInfo> GetEmbeddedAssemblies(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
{
var infos = new List <ResourceInfo>();
if (assemblyResolverMethod == null)
{
return(infos);
}
simpleDeobfuscator.Deobfuscate(assemblyResolverMethod);
simpleDeobfuscator.DecryptStrings(assemblyResolverMethod, deob);
foreach (var resourcePrefix in DotNetUtils.GetCodeStrings(assemblyResolverMethod))
{
infos.AddRange(GetResourceInfos(resourcePrefix));
}
return(infos);
}
string GetPassword3(MethodDef method)
{
var strings = new List <string>(DotNetUtils.GetCodeStrings(method));
if (strings.Count != 1)
{
return(null);
}
var s = strings[0];
if (!Regex.IsMatch(s, @"^[a-fA-F0-9]{2} $"))
{
return(null);
}
return(s);
}
bool CreateAssemblyInfos()
{
int numElements = DeobUtils.HasInteger(handlerMethod, 3) ? 3 : 2;
foreach (var s in DotNetUtils.GetCodeStrings(handlerMethod))
{
var infos = CreateAssemblyInfos(s, numElements);
if (infos == null)
{
continue;
}
assemblyInfos = infos;
return(true);
}
return(false);
}
public void Initialize(ResourceDecrypter resourceDecrypter)
{
if (decrypterType == null)
{
return;
}
var cctor = decrypterType.FindStaticConstructor();
encryptedResource = CoUtils.GetResource(module, DotNetUtils.GetCodeStrings(cctor));
//if the return value is null, it is possible that resource name is encrypted
if (encryptedResource == null)
{
var Resources = new string[] { CoUtils.DecryptResourceName(module, cctor) };
encryptedResource = CoUtils.GetResource(module, Resources);
}
constantsData = resourceDecrypter.Decrypt(encryptedResource.GetReader().AsStream());
}
bool InitializeInfos(MethodDef method)
{
foreach (var s in DotNetUtils.GetCodeStrings(method))
{
if (string.IsNullOrEmpty(s))
{
continue;
}
var ary = s.Split(':');
foreach (var asmInfo in ary)
{
resourceInfos.Add(asmInfo.Split('|')[0]);
}
return(true);
}
return(false);
}
bool CreateDecryptKey()
{
if (decryptMethod == null)
{
return(false);
}
foreach (var s in DotNetUtils.GetCodeStrings(decryptMethod))
{
decryptKey = DecodeBase64(s);
if (decryptKey == null || decryptKey.Length == 0)
{
continue;
}
if (decrypterType.Detected)
{
var data = new byte[8];
ulong magic = decrypterType.GetMagic();
data[0] = (byte)magic;
data[7] = (byte)(magic >> 8);
data[6] = (byte)(magic >> 16);
data[5] = (byte)(magic >> 24);
data[4] = (byte)(magic >> 32);
data[1] = (byte)(magic >> 40);
data[3] = (byte)(magic >> 48);
data[2] = (byte)(magic >> 56);
for (int i = 0; i < decryptKey.Length; i++)
{
decryptKey[i] ^= (byte)(i + data[i % data.Length]);
}
}
return(true);
}
decryptKey = null;
return(false);
}
EmbeddedResource GetResource(MethodDef method, out ModuleDefMD theResourceModule)
{
string resourceDllFileName = null;
theResourceModule = module;
foreach (var s in DotNetUtils.GetCodeStrings(method))
{
if (s.Length > 0 && s[0] == '\\')
{
resourceDllFileName = s;
}
var resource = DotNetUtils.GetResource(theResourceModule, s + ".resources") as EmbeddedResource;
if (resource != null)
{
return(resource);
}
}
if (resourceDllFileName == null)
{
return(null);
}
// Here if CW 2.x
theResourceModule = GetResourceModule(resourceDllFileName);
if (theResourceModule == null)
{
return(null);
}
foreach (var s in DotNetUtils.GetCodeStrings(method))
{
var resource = DotNetUtils.GetResource(theResourceModule, s + ".resources") as EmbeddedResource;
if (resource != null)
{
return(resource);
}
}
theResourceModule = null;
return(null);
}
bool CheckType(TypeDef type, MethodDef initMethod, ISimpleDeobfuscator simpleDeobfuscator)
{
if (DotNetUtils.FindFieldType(type, "System.Collections.Hashtable", true) == null)
{
return(false);
}
simpleDeobfuscator.Deobfuscate(initMethod);
if (!CheckInitMethod(initMethod))
{
return(false);
}
if ((asmSeparator = FindAssemblySeparator(initMethod)) == null)
{
return(false);
}
List <AssemblyInfo> newAssemblyInfos = null;
foreach (var s in DotNetUtils.GetCodeStrings(initMethod))
{
newAssemblyInfos = InitializeEmbeddedAssemblies(s);
if (newAssemblyInfos != null)
{
break;
}
}
if (newAssemblyInfos == null)
{
return(false);
}
resolverType = type;
resolverMethod = initMethod;
assemblyInfos = newAssemblyInfos;
return(true);
}
public static string DecryptResourceName(ModuleDefMD module, MethodDef method)
{
string resourceName = "";
MethodDef cctor = method, orginalResMethod = null;
// retrive key and encrypted resource name
int key = 0;
var instrs = cctor.Body.Instructions;
for (int i = 0; i < instrs.Count - 2; i++)
{
if (instrs[i].OpCode != OpCodes.Ldstr)
{
continue;
}
if (!instrs[i + 1].IsLdcI4())
{
break;
}
key = instrs[i + 1].GetLdcI4Value();
resourceName = instrs[i].Operand as String;
cctor = instrs[i + 2].Operand as MethodDef;
break;
}
// Find the method that contains resource name
while (orginalResMethod == null)
{
foreach (var instr in cctor.Body.Instructions)
{
if (instr.OpCode == OpCodes.Ldftn)
{
var tempMethod = instr.Operand as MethodDef;
if (tempMethod.ReturnType.FullName != "System.String")
{
continue;
}
orginalResMethod = tempMethod;
break;
}
else if (instr.OpCode == OpCodes.Callvirt)
{
cctor = instr.Operand as MethodDef;
cctor = cctor.DeclaringType.FindStaticConstructor();
break;
}
}
}
// Get encrypted Resource name
string encResourcename = DotNetUtils.GetCodeStrings(orginalResMethod)[0];
// get Decryption key
int xorKey = 0;
for (int i = 0; i < orginalResMethod.Body.Instructions.Count; i++)
{
if (orginalResMethod.Body.Instructions[i].OpCode == OpCodes.Xor)
{
xorKey = orginalResMethod.Body.Instructions[i - 1].GetLdcI4Value();
}
}
encResourcename = XorCipher(encResourcename, xorKey);
var firstResource = GetResource(module, new string[] { encResourcename });
resourceName = DecryptResourceName(resourceName, key, firstResource.CreateReader().ToArray());
return(resourceName);
}
EmbeddedResource FindResourceFromCodeString(MethodDef method)
{
return(DotNetUtils.GetResource(module, DotNetUtils.GetCodeStrings(method)) as EmbeddedResource);
}
EmbeddedResource FindResource(MethodDef method) => DotNetUtils.GetResource(module, DotNetUtils.GetCodeStrings(method)) as EmbeddedResource;
