TypeDef GetResolverType(MethodDef resolveHandler)
        {
            if (resolveHandler.Body == null)
            {
                return(null);
            }
            foreach (var instr in resolveHandler.Body.Instructions)
            {
                if (instr.OpCode.Code != Code.Ldsfld && instr.OpCode.Code != Code.Stsfld)
                {
                    continue;
                }
                var field = DotNetUtils.GetField(module, instr.Operand as IField);
                if (field == null)
                {
                    continue;
                }
                if (!CheckResolverType(field.DeclaringType))
                {
                    continue;
                }

                return(field.DeclaringType);
            }

            if (CheckResolverType(resolveHandler.DeclaringType))
            {
                return(resolveHandler.DeclaringType);
            }

            return(null);
        }
Beispiel #2
0
        bool CheckInitMethod(MethodDef method)
        {
            if (method == null || !method.IsStatic || method.Body == null)
            {
                return(false);
            }
            if (!DotNetUtils.IsMethod(method, "System.Void", "()"))
            {
                return(false);
            }
            var type = method.DeclaringType;

            if (type.NestedTypes.Count != 1)
            {
                return(false);
            }
            if (DotNetUtils.GetField(type, "System.Reflection.Assembly") == null)
            {
                return(false);
            }

            var resolveHandler = DeobUtils.GetResolveMethod(method);

            if (resolveHandler == null)
            {
                return(false);
            }

            initMethod    = method;
            resolverType  = type;
            handlerMethod = resolveHandler;
            return(true);
        }
        void Initialize(ISimpleDeobfuscator simpleDeobfuscator, MethodDef method)
        {
            var desList = new List <byte[]>(2);
            var aesList = new List <byte[]>(2);

            var instructions = method.Body.Instructions;

            simpleDeobfuscator.Deobfuscate(method);
            for (int i = 0; i <= instructions.Count - 2; i++)
            {
                var ldtoken = instructions[i];
                if (ldtoken.OpCode.Code != Code.Ldtoken)
                {
                    continue;
                }
                var field = DotNetUtils.GetField(module, ldtoken.Operand as IField);
                if (field == null)
                {
                    continue;
                }
                if (field.InitialValue == null)
                {
                    continue;
                }

                var call = instructions[i + 1];
                if (call.OpCode.Code != Code.Call)
                {
                    continue;
                }
                var calledMethod = call.Operand as IMethod;
                if (!DotNetUtils.IsMethod(calledMethod, "System.Void", "(System.Array,System.RuntimeFieldHandle)"))
                {
                    continue;
                }

                if (field.InitialValue.Length == 8)
                {
                    desList.Add(field.InitialValue);
                }
                else if (field.InitialValue.Length == 16)
                {
                    aesList.Add(field.InitialValue);
                }
            }

            if (desList.Count >= 2)
            {
                DES_Key = desList[desList.Count - 2];
                DES_IV  = desList[desList.Count - 1];
            }
            if (aesList.Count >= 2)
            {
                AES_Key = aesList[aesList.Count - 2];
                AES_IV  = aesList[aesList.Count - 1];
            }
        }
Beispiel #4
0
        bool CheckFieldType(TypeDef type)
        {
            if (type == null || type.BaseType == null || type.BaseType.FullName != "System.Object")
            {
                return(false);
            }
            if (DotNetUtils.GetField(type, "System.Reflection.FieldInfo") == null)
            {
                return(false);
            }

            return(true);
        }
Beispiel #5
0
        public void Find(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
        {
            foreach (var type in module.Types)
            {
                if (type.Fields.Count != 1)
                {
                    continue;
                }
                if (type.HasNestedTypes || type.HasGenericParameters || type.IsValueType)
                {
                    continue;
                }
                if (DotNetUtils.GetField(type, "System.Reflection.Assembly") == null)
                {
                    continue;
                }
                if (type.FindStaticConstructor() == null)
                {
                    continue;
                }

                var getStream2 = GetTheOnlyMethod(type, "System.IO.Stream", "(System.Reflection.Assembly,System.Type,System.String)");
                var getNames   = GetTheOnlyMethod(type, "System.String[]", "(System.Reflection.Assembly)");
                var getRefAsms = GetTheOnlyMethod(type, "System.Reflection.AssemblyName[]", "(System.Reflection.Assembly)");
                var bitmapCtor = GetTheOnlyMethod(type, "System.Drawing.Bitmap", "(System.Type,System.String)");
                var iconCtor   = GetTheOnlyMethod(type, "System.Drawing.Icon", "(System.Type,System.String)");
                if (getStream2 == null && getNames == null && getRefAsms == null &&
                    bitmapCtor == null && iconCtor == null)
                {
                    continue;
                }

                var resource = FindGetManifestResourceStreamTypeResource(type, simpleDeobfuscator, deob);
                if (resource == null && getStream2 != null)
                {
                    continue;
                }

                getManifestResourceStreamType = type;
                CreateGetManifestResourceStream2(getStream2);
                CreateGetManifestResourceNames(getNames);
                CreateGetReferencedAssemblies(getRefAsms);
                CreateBitmapCtor(bitmapCtor);
                CreateIconCtor(iconCtor);
                getManifestResourceStreamTypeResource = resource;
                break;
            }
        }
        public IField TryGetFieldDef(IField fieldRef)
        {
            var fieldDef = fieldRef as FieldDef;

            if (fieldDef != null)
            {
                return(fieldDef);
            }

            var declaringType = DotNetUtils.GetType(module, fieldRef.DeclaringType);

            if (declaringType == null)
            {
                return(fieldRef);
            }
            return(DotNetUtils.GetField(declaringType, fieldRef));
        }
Beispiel #7
0
        bool CheckIlGeneratorType(TypeDef type)
        {
            if (type == null || type.BaseType == null || type.BaseType.FullName != "System.Object")
            {
                return(false);
            }
            if (type.Fields.Count != 1)
            {
                return(false);
            }
            if (DotNetUtils.GetField(type, "System.Reflection.Emit.ILGenerator") == null)
            {
                return(false);
            }

            return(true);
        }
Beispiel #8
0
        void InitStringDecrypter(StringDecrypterInfo info)
        {
            Logger.v("Adding string decrypter. Resource: {0}", Utils.ToCsharpString(info.StringsResource.Name));
            var decrypter = new StringDecrypter(info);

            if (decrypter.CanDecrypt)
            {
                var invokeMethod = info.GetStringDelegate?.FindMethod("Invoke");
                staticStringInliner.Add(invokeMethod, (method, gim, args) => {
                    var fieldDef = DotNetUtils.GetField(module, (IField)args[0]);
                    return(decrypter.Decrypt(fieldDef.MDToken.ToInt32(), (int)args[1]));
                });
                staticStringInliner.Add(info.StringDecrypterMethod, (method, gim, args) => {
                    return(decrypter.Decrypt(0, (int)args[0]));
                });
            }
            stringDecrypters.Add(decrypter);
            DeobfuscatedFile.StringDecryptersAdded();
        }