public void Find()
{
foreach (var calledMethod in DotNetUtils.GetCalledMethods(module, DotNetUtils.GetModuleTypeCctor(module)))
{
if (!DotNetUtils.IsMethod(calledMethod, "System.Void", "()"))
{
continue;
}
if (calledMethod.DeclaringType.FullName != "<PrivateImplementationDetails>{F1C5056B-0AFC-4423-9B83-D13A26B48869}")
{
continue;
}
nativeLibCallerType = calledMethod.DeclaringType;
initMethod = calledMethod;
foreach (var s in DotNetUtils.GetCodeStrings(initMethod))
{
nativeFileResource = DotNetUtils.GetResource(module, s);
if (nativeFileResource != null)
{
break;
}
}
return;
}
}
public void Find()
{
if (CheckMethod(DotNetUtils.GetModuleTypeCctor(module)))
{
return;
}
}
public void Find(ISimpleDeobfuscator simpleDeobfuscator)
{
var cctor = DotNetUtils.GetModuleTypeCctor(module);
if (cctor == null)
{
return;
}
foreach (var method in DotNetUtils.GetCalledMethods(module, cctor))
{
if (method.Name == ".cctor" || method.Name == ".ctor")
{
continue;
}
if (!method.IsStatic || !DotNetUtils.IsMethod(method, "System.Void", "()"))
{
continue;
}
if (CheckType(method.DeclaringType, method, simpleDeobfuscator))
{
break;
}
}
}
public void Find(ISimpleDeobfuscator simpleDeobfuscator)
{
if (CheckMethod(simpleDeobfuscator, DotNetUtils.GetModuleTypeCctor(module)))
{
return;
}
}
public void Find()
{
if (!assemblyResolver.Detected)
{
return;
}
CheckCalledMethods(DotNetUtils.GetModuleTypeCctor(module));
}
public void CleanUp() {
if (!Detected)
return;
var cctor = DotNetUtils.GetModuleTypeCctor(module);
if (cctor == null)
return;
cctor.Body.Instructions.Clear();
cctor.Body.Instructions.Add(Instruction.Create(OpCodes.Ret));
}
public new void Find() {
if (delegateCreatorMethods.Count == 0)
return;
var cctor = DotNetUtils.GetModuleTypeCctor(module);
if (cctor == null)
return;
Logger.v("Finding all proxy delegates");
var delegateInfos = CreateDelegateInitInfos(cctor);
fieldToMethods = CreateFieldToMethodsDictionary(cctor.DeclaringType);
if (delegateInfos.Count < fieldToMethods.Count)
throw new ApplicationException("Missing proxy delegates");
var delegateToFields = new Dictionary<TypeDef, List<FieldDef>>();
foreach (var field in fieldToMethods.GetKeys()) {
if (!delegateToFields.TryGetValue(field.FieldType.TryGetTypeDef(), out var list))
delegateToFields[field.FieldType.TryGetTypeDef()] = list = new List<FieldDef>();
list.Add(field);
}
foreach (var kv in delegateToFields) {
var type = kv.Key;
var fields = kv.Value;
Logger.v("Found proxy delegate: {0} ({1:X8})", Utils.RemoveNewlines(type), type.MDToken.ToInt32());
RemovedDelegateCreatorCalls++;
Logger.Instance.Indent();
foreach (var field in fields) {
var proxyMethods = fieldToMethods.Find(field);
if (proxyMethods == null)
continue;
var info = delegateInfos.Find(field);
if (info == null)
throw new ApplicationException("Missing proxy info");
GetCallInfo(info, field, out var calledMethod, out var callOpcode);
if (calledMethod == null)
continue;
foreach (var proxyMethod in proxyMethods) {
Add(proxyMethod, new DelegateInfo(field, calledMethod, callOpcode));
Logger.v("Field: {0}, Opcode: {1}, Method: {2} ({3:X8})",
Utils.RemoveNewlines(field.Name),
callOpcode,
Utils.RemoveNewlines(calledMethod),
calledMethod.MDToken.ToUInt32());
}
}
Logger.Instance.DeIndent();
delegateTypesDict[type] = true;
}
// 1.2 r54564 (almost 1.3) now moves method proxy init code to the delegate cctors
Find2();
}
public void Find()
{
if (CheckCalledMethods(DotNetUtils.GetModuleTypeCctor(module)))
{
return;
}
if (CheckCalledMethods(module.EntryPoint))
{
return;
}
}
public void Find()
{
if (Find(module.EntryPoint))
{
return;
}
if (Find(DotNetUtils.GetModuleTypeCctor(module)))
{
return;
}
}
public void Find(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
{
if (CheckInitMethod(DotNetUtils.GetModuleTypeCctor(module), simpleDeobfuscator, deob))
{
return;
}
if (CheckInitMethod(module.EntryPoint, simpleDeobfuscator, deob))
{
return;
}
}
public bool Find()
{
if (CheckCalledMethods(DotNetUtils.GetModuleTypeCctor(module)))
{
return(true);
}
if (CheckCalledMethods(module.EntryPoint))
{
return(true);
}
return(false);
}
public void Find()
{
var moduleCctor = DotNetUtils.GetModuleTypeCctor(_module);
if (moduleCctor == null)
{
return;
}
foreach (var inst in moduleCctor.Body.Instructions)
{
if (inst.OpCode != OpCodes.Call)
{
continue;
}
if (!(inst.Operand is MethodDef))
{
continue;
}
var method = inst.Operand as MethodDef;
if (!method.HasBody || !method.IsStatic)
{
continue;
}
if (!DotNetUtils.IsMethod(method, "System.Void", "()"))
{
continue;
}
_deobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.Force);
if (!IsResDecryptInit(method, out FieldDef aField, out FieldDef asmField, out MethodDef mtd))
{
continue;
}
try
{
_decryptedBytes = DecryptArray(method, aField.InitialValue);
}
catch (Exception e)
{
Console.WriteLine(e.Message);
return;
}
_arrayField = aField;
Type = DotNetUtils.GetType(_module, aField.FieldSig.Type);
_asmField = asmField;
AssembyResolveMethod = mtd;
Method = method;
CanRemoveLzma = true;
}
}
public void Deobfuscate(Blocks blocks)
{
if (asmResolverMethod == null)
{
return;
}
if (blocks.Method != DotNetUtils.GetModuleTypeCctor(module))
{
return;
}
ConfuserUtils.RemoveResourceHookCode(blocks, asmResolverMethod);
}
public void Find()
{
var moduleCctor = DotNetUtils.GetModuleTypeCctor(_module);
if (moduleCctor == null)
{
return;
}
foreach (var inst in moduleCctor.Body.Instructions)
{
if (inst.OpCode != OpCodes.Call)
{
continue;
}
if (!(inst.Operand is MethodDef))
{
continue;
}
var method = (MethodDef)inst.Operand;
if (!method.HasBody || !method.IsStatic)
{
continue;
}
if (!DotNetUtils.IsMethod(method, "System.Void", "()"))
{
continue;
}
_deobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.Force);
if (!IsStringDecrypterInit(method, out FieldDef aField, out FieldDef dField))
{
continue;
}
try
{
_decryptedBytes = DecryptArray(method, aField.InitialValue);
}
catch (Exception e)
{
Console.WriteLine(e.Message);
return;
}
_arrayField = aField;
_decryptedField = dField;
ArrayType = DotNetUtils.GetType(_module, _arrayField.FieldSig.Type);
Method = method;
Decrypters.AddRange(FindStringDecrypters(moduleCctor.DeclaringType));
CanRemoveLzma = true;
}
}
public void CleanUp()
{
var cctor = DotNetUtils.GetModuleTypeCctor(module);
if (cctor != null)
{
cctor.Body.InitLocals = false;
cctor.Body.Variables.Clear();
cctor.Body.Instructions.Clear();
cctor.Body.Instructions.Add(OpCodes.Ret.ToInstruction());
cctor.Body.ExceptionHandlers.Clear();
}
}
public void Find()
{
var cctor = DotNetUtils.GetModuleTypeCctor(module);
if (cctor == null)
{
return;
}
var instrs = cctor.Body.Instructions;
for (int i = 0; i < instrs.Count - 2; i++)
{
var ldci4_1 = instrs[i];
if (!ldci4_1.IsLdcI4())
{
continue;
}
var ldci4_2 = instrs[i + 1];
if (!ldci4_2.IsLdcI4())
{
continue;
}
var call = instrs[i + 2];
if (call.OpCode.Code != Code.Call)
{
continue;
}
var initMethodTmp = call.Operand as MethodDef;
ObfuscatorVersion obfuscatorVersionTmp;
if (!CheckInitMethod(initMethodTmp, out obfuscatorVersionTmp))
{
continue;
}
if (!CheckMethodsType(initMethodTmp.DeclaringType))
{
continue;
}
obfuscatorVersion = obfuscatorVersionTmp;
theType = initMethodTmp.DeclaringType;
initMethod = initMethodTmp;
break;
}
}
public void Find()
{
var cctor = DotNetUtils.GetModuleTypeCctor(module);
if (cctor == null)
{
return;
}
// V3-V4 calls string decrypter init method in <Module>::.cctor().
if (Find(cctor))
{
return;
}
FindV5(cctor);
}
public void Find() {
var cctor = DotNetUtils.GetModuleTypeCctor(module);
if (cctor == null)
return;
simpleDeobfuscator.Deobfuscate(cctor, SimpleDeobfuscatorFlags.Force | SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
if ((dictField = ConstantsDecrypterUtils.FindDictField(cctor, cctor.DeclaringType)) == null)
return;
if ((dataField = ConstantsDecrypterUtils.FindDataField_v18_r75367(cctor, cctor.DeclaringType)) == null &&
(dataField = ConstantsDecrypterUtils.FindDataField_v19_r77172(cctor, cctor.DeclaringType)) == null)
return;
nativeMethod = FindNativeMethod(cctor, cctor.DeclaringType);
var method = GetDecryptMethod();
if (method == null)
return;
simpleDeobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
var info = new DecrypterInfo(this, method, ConfuserVersion.Unknown);
if (FindKeys_v18_r75367(info))
InitVersion(cctor, ConfuserVersion.v18_r75367_normal, ConfuserVersion.v18_r75367_dynamic, ConfuserVersion.v18_r75367_native);
else if (FindKeys_v18_r75369(info)) {
lzmaType = ConfuserUtils.FindLzmaType(cctor);
if (lzmaType == null)
InitVersion(cctor, ConfuserVersion.v18_r75369_normal, ConfuserVersion.v18_r75369_dynamic, ConfuserVersion.v18_r75369_native);
else if (!DotNetUtils.CallsMethod(method, "System.Void System.Threading.Monitor::Exit(System.Object)"))
InitVersion(cctor, ConfuserVersion.v19_r77172_normal, ConfuserVersion.v19_r77172_dynamic, ConfuserVersion.v19_r77172_native);
else if (DotNetUtils.CallsMethod(method, "System.Void System.Diagnostics.StackFrame::.ctor(System.Int32)"))
InitVersion(cctor, ConfuserVersion.v19_r78363_normal, ConfuserVersion.v19_r78363_dynamic, ConfuserVersion.v19_r78363_native);
else {
int index1 = ConfuserUtils.FindCallMethod(cctor.Body.Instructions, 0, Code.Callvirt, "System.Reflection.Module System.Reflection.MemberInfo::get_Module()");
int index2 = ConfuserUtils.FindCallMethod(cctor.Body.Instructions, 0, Code.Callvirt, "System.Int32 System.Reflection.MemberInfo::get_MetadataToken()");
if (index1 < 0 || index2 < 0) {
}
if (index2 - index1 == 3)
InitVersion(cctor, ConfuserVersion.v19_r78056_normal, ConfuserVersion.v19_r78056_dynamic, ConfuserVersion.v19_r78056_native);
else if (index2 - index1 == -4)
InitVersion(cctor, ConfuserVersion.v19_r79630_normal, ConfuserVersion.v19_r79630_dynamic, ConfuserVersion.v19_r79630_native);
}
}
else
return;
installMethod = cctor;
}
public bool FindTypes()
{
if (resolverType != null)
{
return(true);
}
if (FindTypes(DotNetUtils.GetModuleTypeCctor(module)))
{
return(true);
}
if (FindTypes(module.EntryPoint))
{
return(true);
}
return(false);
}
void FindResourceType()
{
var cctor = DotNetUtils.GetModuleTypeCctor(module);
if (cctor == null)
{
return;
}
foreach (var calledMethod in DotNetUtils.GetCalledMethods(module, cctor))
{
if (!calledMethod.IsStatic || calledMethod.Body == null)
{
continue;
}
if (!DotNetUtils.IsMethod(calledMethod, "System.Void", "()"))
{
continue;
}
var type = calledMethod.DeclaringType;
var fieldTypes = new FieldTypes(type);
if (!fieldTypes.Exactly(requiredFields1) &&
!fieldTypes.Exactly(requiredFields2))
{
continue;
}
var resolveHandler = DotNetUtils.GetMethod(type, "System.Reflection.Assembly", "(System.Object,System.ResolveEventArgs)");
var decryptMethod = DotNetUtils.GetMethod(type, "System.Byte[]", "(System.IO.Stream)");
if (resolveHandler == null || !resolveHandler.IsStatic)
{
continue;
}
if (decryptMethod == null || !decryptMethod.IsStatic)
{
continue;
}
rsrcType = type;
rsrcRrrMethod = calledMethod;
rsrcResolveMethod = resolveHandler;
return;
}
}
public static IEnumerable <MethodDef> GetInitCctors(ModuleDef module, int maxCctors)
{
var cctor = DotNetUtils.GetModuleTypeCctor(module);
if (cctor != null)
{
yield return(cctor);
}
var entryPoint = module.EntryPoint;
if (entryPoint != null)
{
cctor = entryPoint.DeclaringType.FindStaticConstructor();
if (cctor != null)
{
yield return(cctor);
}
}
foreach (var type in module.GetTypes())
{
if (type == module.GlobalType)
{
continue;
}
cctor = type.FindStaticConstructor();
if (cctor == null)
{
continue;
}
yield return(cctor);
if (!type.IsEnum && --maxCctors <= 0)
{
break;
}
}
}
public IEnumerable <FieldDef> CleanUp()
{
var removedFields = new List <FieldDef>();
var moduleCctor = DotNetUtils.GetModuleTypeCctor(module);
if (moduleCctor == null)
{
return(removedFields);
}
var moduleCctorBlocks = new Blocks(moduleCctor);
var keep = FindFieldsToKeep();
foreach (var fieldInfo in fieldToInfo.GetValues())
{
if (keep.ContainsKey(fieldInfo))
{
continue;
}
if (RemoveInitCode(moduleCctorBlocks, fieldInfo))
{
removedFields.Add(fieldInfo.field);
removedFields.Add(fieldInfo.arrayInitField);
}
fieldInfo.arrayInitField.InitialValue = new byte[1];
fieldInfo.arrayInitField.FieldSig.Type = module.CorLibTypes.Byte;
fieldInfo.arrayInitField.RVA = 0;
}
IList <Instruction> allInstructions;
IList <ExceptionHandler> allExceptionHandlers;
moduleCctorBlocks.GetCode(out allInstructions, out allExceptionHandlers);
DotNetUtils.RestoreBody(moduleCctorBlocks.Method, allInstructions, allExceptionHandlers);
return(removedFields);
}
public override void DeobfuscateEnd()
{
FindAndRemoveInlinedMethods();
var toRemoveFromCctor = new List <MethodDef>();
if (_constantDecrypter.Detected)
{
if (CanRemoveStringDecrypterType)
{
toRemoveFromCctor.Add(_constantDecrypter.Method);
AddMethodToBeRemoved(_constantDecrypter.Method, "Constant Decrypter Initializer");
foreach (var dec in _constantDecrypter.Decrypters)
{
AddMethodToBeRemoved(dec.Method, "Constant Decrypter Method");
}
AddFieldsToBeRemoved(_constantDecrypter.Fields, "Constant Decrypter Fields");
AddTypeToBeRemoved(_constantDecrypter.Type, "Array field signature type");
}
else
{
_canRemoveLzma = false;
}
}
if (_resourceDecrypter.Detected && _resourceDecrypter.CanRemoveLzma)
{
toRemoveFromCctor.Add(_resourceDecrypter.Method);
AddMethodToBeRemoved(_resourceDecrypter.Method, "Resource decrypter Initializer method");
AddMethodToBeRemoved(_resourceDecrypter.AssembyResolveMethod,
"Resource decrypter AssemblyResolve method");
AddFieldsToBeRemoved(_resourceDecrypter.Fields, "Constant Decrypter Fields");
AddTypeToBeRemoved(_resourceDecrypter.Type, "Array field signature type");
}
if (!_constantDecrypter.CanRemoveLzma || !_resourceDecrypter.CanRemoveLzma)
{
_canRemoveLzma = false;
}
if (_lzmaFinder.FoundLzma && _canRemoveLzma)
{
AddMethodToBeRemoved(_lzmaFinder.Method, "Lzma Decompress method");
AddTypesToBeRemoved(_lzmaFinder.Types, "Lzma Nested Types");
}
if (_proxyCallFixer.Detected)
{
AddTypesToBeRemoved(_proxyCallFixer.DelegateTypes, "Proxy delegates");
AddMethodsToBeRemoved(_proxyCallFixer.DelegateCreatorMethods, "Proxy creator methods");
AddTypesToBeRemoved(_proxyCallFixer.AttributeTypes, "Proxy creator attributes");
AddMethodsToBeRemoved(_proxyCallFixer.NativeMethods, "Proxy native methods");
}
AddMethodsToBeRemoved(_controlFlowFixer.NativeMethods, "Control flow native methods");
var moduleCctor = DotNetUtils.GetModuleTypeCctor(module);
foreach (var instr in moduleCctor.Body.Instructions)
{
if (instr.OpCode == OpCodes.Call && instr.Operand is MethodDef &&
toRemoveFromCctor.Contains((MethodDef)instr.Operand))
{
instr.OpCode = OpCodes.Nop;
}
}
//TODO: Might not always be correct
//No more mixed!
module.IsILOnly = true;
base.DeobfuscateEnd();
}
bool HasModuleCctor() => DotNetUtils.GetModuleTypeCctor(module) != null;
public void Find()
{
var cctor = DotNetUtils.GetModuleTypeCctor(module);
if (cctor == null)
{
return;
}
if (!new LocalTypes(cctor).All(requiredLocalsCctor))
{
return;
}
simpleDeobfuscator.Deobfuscate(cctor, SimpleDeobfuscatorFlags.Force | SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
if (!Add(ConstantsDecrypterUtils.FindDictField(cctor, cctor.DeclaringType)))
{
return;
}
if (!Add(ConstantsDecrypterUtils.FindStreamField(cctor, cctor.DeclaringType)))
{
return;
}
var method = GetDecryptMethod();
if (method == null)
{
return;
}
resourceName = GetResourceName(cctor);
if (resourceName != null)
{
simpleDeobfuscator.Deobfuscate(method);
keyArraySize = GetKeyArraySize(method);
if (keyArraySize == 8)
{
InitVersion(method, ConfuserVersion.v17_r75056_normal, ConfuserVersion.v17_r75056_dynamic, ConfuserVersion.v17_r75056_native);
}
else if (keyArraySize == 16)
{
InitVersion(method, ConfuserVersion.v18_r75257_normal, ConfuserVersion.v18_r75257_dynamic, ConfuserVersion.v18_r75257_native);
}
else
{
return;
}
}
else if (DotNetUtils.CallsMethod(method, "System.String System.Reflection.Module::get_ScopeName()"))
{
InitVersion(method, ConfuserVersion.v17_r74816_normal, ConfuserVersion.v17_r74816_dynamic, ConfuserVersion.v17_r74816_native);
}
else if (DotNetUtils.CallsMethod(method, "System.Reflection.Module System.Reflection.Assembly::GetModule(System.String)"))
{
InitVersion(method, ConfuserVersion.v17_r74788_normal, ConfuserVersion.v17_r74788_dynamic, ConfuserVersion.v17_r74788_native);
}
else
{
InitVersion(method, ConfuserVersion.v17_r74708_normal, ConfuserVersion.v17_r74708_dynamic, ConfuserVersion.v17_r74708_native);
}
initMethod = cctor;
}
bool FindEmbedded()
{
return(FindEmbedded(DotNetUtils.GetModuleTypeCctor(module)) ||
FindEmbedded(module.EntryPoint));
}
public void Find() => CheckCalledMethods(DotNetUtils.GetModuleTypeCctor(module));
bool HasModuleCctor()
{
return(DotNetUtils.GetModuleTypeCctor(Module) != null);
}
public void AddModuleCctorInitCallToBeRemoved(MethodDef methodToBeRemoved)
{
methodCallRemover.Add(DotNetUtils.GetModuleTypeCctor(module), methodToBeRemoved);
}
public void Initialize(ISimpleDeobfuscator simpleDeobfuscator)
{
InitializeArrays(simpleDeobfuscator, DotNetUtils.GetModuleTypeCctor(module));
}
