bool checkMemoryManagerType(TypeDefinition type, MethodDefinition method) { // Only two fields: itself and a long int fields = 0; foreach (var field in type.Fields) { if (MemberReferenceHelper.compareTypes(field.FieldType, type) || field.FieldType.FullName == "System.Int64") { fields++; continue; } if (DotNetUtils.derivesFromDelegate(DotNetUtils.getType(module, field.FieldType))) { continue; } return(false); } if (fields != 2) { return(false); } if (DotNetUtils.getPInvokeMethod(type, "kernel32", "SetProcessWorkingSetSize") == null) { return(false); } return(true); }
public void findDelegateCreator(ModuleDefinition module) { var callCounter = new CallCounter(); foreach (var type in module.Types) { if (type.Namespace != "" || !DotNetUtils.derivesFromDelegate(type)) { continue; } var cctor = DotNetUtils.getMethod(type, ".cctor"); if (cctor == null) { continue; } foreach (var method in DotNetUtils.getMethodCalls(cctor)) { callCounter.add(method); } } var mostCalls = callCounter.most(); if (mostCalls == null) { return; } setDelegateCreatorMethod(DotNetUtils.getMethod(module, mostCalls)); }
bool canRenameMethod(MethodDef methodDef) { var methodInfo = method(methodDef); if (methodDef.isStatic()) { if (methodInfo.oldName == ".cctor") { return(false); } } else if (methodDef.isVirtual()) { if (DotNetUtils.derivesFromDelegate(type.TypeDefinition)) { switch (methodInfo.oldName) { case "BeginInvoke": case "EndInvoke": case "Invoke": return(false); } } } else { if (methodInfo.oldName == ".ctor") { return(false); } } return(true); }
// Finds the SmartAssembly.StringsEncoding.Strings class. This class decrypts the // strings in the resources. It gets called by the SmartAssembly.Delegates.GetString // delegate instances which were created by SmartAssembly.HouseOfCards.Strings. TypeDef findStringDecrypterClass(MethodDef stringsCreateDelegateMethod) { if (!stringsCreateDelegateMethod.HasBody) { return(null); } foreach (var ldtoken in stringsCreateDelegateMethod.Body.Instructions) { if (ldtoken.OpCode.Code != Code.Ldtoken) { continue; } var typeToken = ldtoken.Operand as ITypeDefOrRef; if (typeToken == null) { continue; } var type = getType(typeToken); if (type == null || DotNetUtils.derivesFromDelegate(type)) { continue; } if (!couldBeStringDecrypterClass(type)) { continue; } return(type); } return(null); }
// Finds the SmartAssembly.Delegates.GetString delegate TypeDef findGetStringDelegate(MethodDef stringsCreateDelegateMethod) { if (!stringsCreateDelegateMethod.HasBody) { return(null); } foreach (var ldtoken in stringsCreateDelegateMethod.Body.Instructions) { if (ldtoken.OpCode.Code != Code.Ldtoken) { continue; } var typeToken = ldtoken.Operand as ITypeDefOrRef; if (typeToken == null) { continue; } var delegateType = getType(typeToken); if (!DotNetUtils.derivesFromDelegate(delegateType)) { continue; } var invoke = delegateType.FindMethod("Invoke"); if (invoke == null || !DotNetUtils.isMethod(invoke, "System.String", "(System.Int32)")) { continue; } return(delegateType); } return(null); }
static TypeReference getCommonBaseClass(ModuleDefinition module, TypeReference a, TypeReference b) { if (DotNetUtils.isDelegate(a) && DotNetUtils.derivesFromDelegate(DotNetUtils.getType(module, b))) { return(b); } if (DotNetUtils.isDelegate(b) && DotNetUtils.derivesFromDelegate(DotNetUtils.getType(module, a))) { return(a); } return(null); //TODO: }
static TypeSig getCommonBaseClass(ModuleDef module, TypeSig a, TypeSig b) { if (DotNetUtils.isDelegate(a) && DotNetUtils.derivesFromDelegate(module.Find(b.ToTypeDefOrRef()))) { return(b); } if (DotNetUtils.isDelegate(b) && DotNetUtils.derivesFromDelegate(module.Find(a.ToTypeDefOrRef()))) { return(a); } return(null); //TODO: }
public override void deobfuscateBegin() { base.deobfuscateBegin(); cliSecureRtType.findStringDecrypterMethod(); stringDecrypter.Method = cliSecureRtType.StringDecrypterMethod; addAttributesToBeRemoved(cliSecureAttributes, "Obfuscator attribute"); if (options.DecryptResources) { decryptResources(resourceDecrypter); addCctorInitCallToBeRemoved(resourceDecrypter.RsrcRrrMethod); } stackFrameHelper = new StackFrameHelper(module); stackFrameHelper.find(); foreach (var type in module.Types) { if (type.FullName == "InitializeDelegate" && DotNetUtils.derivesFromDelegate(type)) { this.addTypeToBeRemoved(type, "Obfuscator type"); } } proxyCallFixer.find(); staticStringInliner.add(stringDecrypter.Method, (method, gim, args) => stringDecrypter.decrypt((string)args[0])); DeobfuscatedFile.stringDecryptersAdded(); if (options.DecryptMethods) { addCctorInitCallToBeRemoved(cliSecureRtType.InitializeMethod); addCctorInitCallToBeRemoved(cliSecureRtType.PostInitializeMethod); findPossibleNamesToRemove(cliSecureRtType.LoadMethod); } if (options.RestoreVmCode) { if (csvm.restore()) { addResourceToBeRemoved(csvm.Resource, "CSVM data resource"); } else { Logger.e("Couldn't restore VM methods. Use --dont-rename or it will not run"); preserveTokensAndTypes(); } } }
bool checkDelegateType(TypeDefinition type) { if (!DotNetUtils.derivesFromDelegate(type)) { return(false); } var invoke = DotNetUtils.getMethod(type, "Invoke"); if (invoke == null) { return(false); } return(checkDelegateInvokeMethod(invoke)); }
bool checkDelegateType(TypeDef type) { if (!DotNetUtils.derivesFromDelegate(type)) { return(false); } var invoke = type.FindMethod("Invoke"); if (invoke == null) { return(false); } return(checkDelegateInvokeMethod(invoke)); }
public override void deobfuscateBegin() { base.deobfuscateBegin(); addAttributeToBeRemoved(cliSecureAttribute, "Obfuscator attribute"); if (options.DecryptResources) { var resourceDecrypter = new ResourceDecrypter(module); resourceDecrypter.find(); decryptResources(resourceDecrypter); addCctorInitCallToBeRemoved(resourceDecrypter.RsrcRrrMethod); } stackFrameHelper = new StackFrameHelper(module); stackFrameHelper.find(); foreach (var type in module.Types) { if (type.FullName == "InitializeDelegate" && DotNetUtils.derivesFromDelegate(type)) { this.addTypeToBeRemoved(type, "Obfuscator type"); } } proxyDelegateFinder.find(); staticStringInliner.add(stringDecrypter.Method, (method, args) => stringDecrypter.decrypt((string)args[0])); DeobfuscatedFile.stringDecryptersAdded(); if (options.DecryptMethods) { addCctorInitCallToBeRemoved(cliSecureRtType.InitializeMethod); addCctorInitCallToBeRemoved(cliSecureRtType.PostInitializeMethod); findPossibleNamesToRemove(cliSecureRtType.LoadMethod); } if (options.RestoreVmCode) { csvm.restore(); addAssemblyReferenceToBeRemoved(csvm.VmAssemblyReference, "CSVM assembly reference"); addResourceToBeRemoved(csvm.Resource, "CSVM data resource"); } }
protected override bool checkResolverType(TypeDef type) { if (DotNetUtils.findFieldType(type, "System.Collections.Hashtable", true) != null) { return(true); } foreach (var field in type.Fields) { if (DotNetUtils.derivesFromDelegate(DotNetUtils.getType(module, field.FieldType))) { continue; } if (field.IsLiteral && field.FieldType.ToString() == "System.String") { continue; } return(false); } return(true); }
public void read() { flags = (MethodFlags)reader.ReadByte(); delegateType = resolve <TypeDef>(readTypeToken()); if (!DotNetUtils.derivesFromDelegate(delegateType)) { throw new ApplicationException("Invalid delegate type"); } if (HasLocals) { readLocals((int)reader.Read7BitEncodedUInt32()); } if (HasInstructions) { ReadInstructions((int)reader.Read7BitEncodedUInt32()); } if (HasExceptionHandlers) { readExceptionHandlers((int)reader.Read7BitEncodedUInt32()); } }
bool checkMethod(MethodDef cctor) { if (cctor == null || cctor.Body == null) { return(false); } if (!new LocalTypes(cctor).exactly(ilpLocals)) { return(false); } var type = cctor.DeclaringType; var methods = getPinvokeMethods(type, "Protect"); if (methods.Count == 0) { methods = getPinvokeMethods(type, "P0"); } if (methods.Count != 2) { return(false); } if (type.Fields.Count != 1) { return(false); } var theField = type.Fields[0]; var theDelegate = theField.FieldType.TryGetTypeDef(); if (theDelegate == null || !DotNetUtils.derivesFromDelegate(theDelegate)) { return(false); } protectMethods = methods; invokerDelegate = theDelegate; invokerInstanceField = theField; return(true); }