public void FindDelegateCreator(ModuleDefMD module)
{
var callCounter = new CallCounter();
foreach (var type in module.Types)
{
if (type.Namespace != "" || !DotNetUtils.DerivesFromDelegate(type))
{
continue;
}
var cctor = type.FindStaticConstructor();
if (cctor == null)
{
continue;
}
foreach (var method in DotNetUtils.GetMethodCalls(cctor))
{
callCounter.Add(method);
}
}
var mostCalls = callCounter.Most();
if (mostCalls == null)
{
return;
}
SetDelegateCreatorMethod(DotNetUtils.GetMethod(module, mostCalls));
}
/// <summary>
/// Search for and return all called methods.
/// </summary>
/// <param name="method">Method to search</param>
/// <returns>Called methods</returns>
public static IEnumerable <IMethod> Calls(this MethodDef method)
{
if (method == null)
{
throw new ArgumentNullException();
}
return(DotNetUtils.GetMethodCalls(method));
}
void FindStringDecrypterMethods(TypeDef type, ISimpleDeobfuscator simpleDeobfuscator)
{
foreach (var method in DotNetUtils.FindMethods(type.Methods, "System.String", new string[] { "System.String", "System.Int32" }))
{
if (method.Body.HasExceptionHandlers)
{
continue;
}
if (DotNetUtils.GetMethodCalls(method, "System.Char[] System.String::ToCharArray()") != 1)
{
continue;
}
if (DotNetUtils.GetMethodCalls(method, "System.String System.String::Intern(System.String)") != 1)
{
continue;
}
simpleDeobfuscator.Deobfuscate(method);
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count - 3; i++)
{
var ldarg = instrs[i];
if (!ldarg.IsLdarg() || ldarg.GetParameterIndex() != 0)
{
continue;
}
var callvirt = instrs[i + 1];
if (callvirt.OpCode.Code != Code.Callvirt)
{
continue;
}
var calledMethod = callvirt.Operand as MemberRef;
if (calledMethod == null || calledMethod.FullName != "System.Char[] System.String::ToCharArray()")
{
continue;
}
var stloc = instrs[i + 2];
if (!stloc.IsStloc())
{
continue;
}
var ldci4 = instrs[i + 3];
if (!ldci4.IsLdcI4())
{
continue;
}
var info = new StringDecrypterInfo(method, ldci4.GetLdcI4Value());
stringDecrypterMethods.Add(info.method, info);
Logger.v("Found string decrypter method: {0}, magic: 0x{1:X8}", Utils.RemoveNewlines(info.method), info.magic);
break;
}
}
}
bool CallsGetPublicKeyToken(MethodDef method)
{
foreach (var calledMethod in DotNetUtils.GetMethodCalls(method))
{
if (calledMethod.ToString() == "System.Byte[] System.Reflection.AssemblyName::GetPublicKeyToken()")
{
return(true);
}
}
return(false);
}
// Find the string decrypter xor value or null if none found
int?FindXorValue(MethodDef method, bool hasNested, ISimpleDeobfuscator simpleDeobfuscator)
{
if (hasNested)
{
var calls = DotNetUtils.GetMethodCalls(method);
foreach (var call in calls)
{
if (DotNetUtils.IsMethod(method, "System.String", "(System.Int32)"))
{
method = call as MethodDef;
break;
}
}
}
simpleDeobfuscator.Deobfuscate(method);
if (method == null || method.Body == null)
{
return(null);
}
var instructions = method.Body.Instructions;
for (int i = 0; i < instructions.Count; i++)
{
var ldci4 = instructions[i];
if (ldci4.OpCode != OpCodes.Ldc_I4)
{
continue;
}
var xor = instructions[i + 1];
if (xor.OpCode != OpCodes.Xor)
{
continue;
}
return(ldci4.GetLdcI4Value());
}
return(null);
}
