TypeDef GetResolverType(MethodDef resolveHandler)
{
if (resolveHandler.Body == null)
{
return(null);
}
foreach (var instr in resolveHandler.Body.Instructions)
{
if (instr.OpCode.Code != Code.Ldsfld && instr.OpCode.Code != Code.Stsfld)
{
continue;
}
var field = DotNetUtils.GetField(module, instr.Operand as IField);
if (field == null)
{
continue;
}
if (!CheckResolverType(field.DeclaringType))
{
continue;
}
return(field.DeclaringType);
}
if (CheckResolverType(resolveHandler.DeclaringType))
{
return(resolveHandler.DeclaringType);
}
return(null);
}
bool CheckInitMethod(MethodDef method)
{
if (method == null || !method.IsStatic || method.Body == null)
{
return(false);
}
if (!DotNetUtils.IsMethod(method, "System.Void", "()"))
{
return(false);
}
var type = method.DeclaringType;
if (type.NestedTypes.Count != 1)
{
return(false);
}
if (DotNetUtils.GetField(type, "System.Reflection.Assembly") == null)
{
return(false);
}
var resolveHandler = DeobUtils.GetResolveMethod(method);
if (resolveHandler == null)
{
return(false);
}
initMethod = method;
resolverType = type;
handlerMethod = resolveHandler;
return(true);
}
void Initialize(ISimpleDeobfuscator simpleDeobfuscator, MethodDef method)
{
var desList = new List <byte[]>(2);
var aesList = new List <byte[]>(2);
var instructions = method.Body.Instructions;
simpleDeobfuscator.Deobfuscate(method);
for (int i = 0; i <= instructions.Count - 2; i++)
{
var ldtoken = instructions[i];
if (ldtoken.OpCode.Code != Code.Ldtoken)
{
continue;
}
var field = DotNetUtils.GetField(module, ldtoken.Operand as IField);
if (field == null)
{
continue;
}
if (field.InitialValue == null)
{
continue;
}
var call = instructions[i + 1];
if (call.OpCode.Code != Code.Call)
{
continue;
}
var calledMethod = call.Operand as IMethod;
if (!DotNetUtils.IsMethod(calledMethod, "System.Void", "(System.Array,System.RuntimeFieldHandle)"))
{
continue;
}
if (field.InitialValue.Length == 8)
{
desList.Add(field.InitialValue);
}
else if (field.InitialValue.Length == 16)
{
aesList.Add(field.InitialValue);
}
}
if (desList.Count >= 2)
{
DES_Key = desList[desList.Count - 2];
DES_IV = desList[desList.Count - 1];
}
if (aesList.Count >= 2)
{
AES_Key = aesList[aesList.Count - 2];
AES_IV = aesList[aesList.Count - 1];
}
}
bool CheckFieldType(TypeDef type)
{
if (type == null || type.BaseType == null || type.BaseType.FullName != "System.Object")
{
return(false);
}
if (DotNetUtils.GetField(type, "System.Reflection.FieldInfo") == null)
{
return(false);
}
return(true);
}
public void Find(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
{
foreach (var type in module.Types)
{
if (type.Fields.Count != 1)
{
continue;
}
if (type.HasNestedTypes || type.HasGenericParameters || type.IsValueType)
{
continue;
}
if (DotNetUtils.GetField(type, "System.Reflection.Assembly") == null)
{
continue;
}
if (type.FindStaticConstructor() == null)
{
continue;
}
var getStream2 = GetTheOnlyMethod(type, "System.IO.Stream", "(System.Reflection.Assembly,System.Type,System.String)");
var getNames = GetTheOnlyMethod(type, "System.String[]", "(System.Reflection.Assembly)");
var getRefAsms = GetTheOnlyMethod(type, "System.Reflection.AssemblyName[]", "(System.Reflection.Assembly)");
var bitmapCtor = GetTheOnlyMethod(type, "System.Drawing.Bitmap", "(System.Type,System.String)");
var iconCtor = GetTheOnlyMethod(type, "System.Drawing.Icon", "(System.Type,System.String)");
if (getStream2 == null && getNames == null && getRefAsms == null &&
bitmapCtor == null && iconCtor == null)
{
continue;
}
var resource = FindGetManifestResourceStreamTypeResource(type, simpleDeobfuscator, deob);
if (resource == null && getStream2 != null)
{
continue;
}
getManifestResourceStreamType = type;
CreateGetManifestResourceStream2(getStream2);
CreateGetManifestResourceNames(getNames);
CreateGetReferencedAssemblies(getRefAsms);
CreateBitmapCtor(bitmapCtor);
CreateIconCtor(iconCtor);
getManifestResourceStreamTypeResource = resource;
break;
}
}
public IField TryGetFieldDef(IField fieldRef)
{
var fieldDef = fieldRef as FieldDef;
if (fieldDef != null)
{
return(fieldDef);
}
var declaringType = DotNetUtils.GetType(module, fieldRef.DeclaringType);
if (declaringType == null)
{
return(fieldRef);
}
return(DotNetUtils.GetField(declaringType, fieldRef));
}
bool CheckIlGeneratorType(TypeDef type)
{
if (type == null || type.BaseType == null || type.BaseType.FullName != "System.Object")
{
return(false);
}
if (type.Fields.Count != 1)
{
return(false);
}
if (DotNetUtils.GetField(type, "System.Reflection.Emit.ILGenerator") == null)
{
return(false);
}
return(true);
}
void InitStringDecrypter(StringDecrypterInfo info)
{
Logger.v("Adding string decrypter. Resource: {0}", Utils.ToCsharpString(info.StringsResource.Name));
var decrypter = new StringDecrypter(info);
if (decrypter.CanDecrypt)
{
var invokeMethod = info.GetStringDelegate?.FindMethod("Invoke");
staticStringInliner.Add(invokeMethod, (method, gim, args) => {
var fieldDef = DotNetUtils.GetField(module, (IField)args[0]);
return(decrypter.Decrypt(fieldDef.MDToken.ToInt32(), (int)args[1]));
});
staticStringInliner.Add(info.StringDecrypterMethod, (method, gim, args) => {
return(decrypter.Decrypt(0, (int)args[0]));
});
}
stringDecrypters.Add(decrypter);
DeobfuscatedFile.StringDecryptersAdded();
}