public StringDecrypter(ModuleDefMD module, StringDecrypter oldOne) { this.module = module; stringDecrypterVersion = oldOne.stringDecrypterVersion; encryptedResource = new EncryptedResource(module, oldOne.encryptedResource); foreach (var oldInfo in oldOne.decrypterInfos) { var method = Lookup(oldInfo.method, "Could not find string decrypter method"); decrypterInfos.Add(new DecrypterInfo(method, oldInfo.key, oldInfo.iv)); } otherStringDecrypter = Lookup(oldOne.otherStringDecrypter, "Could not find string decrypter method"); }
void InitializeStringDecrypterVersion(MethodDef method) { var localTypes = new LocalTypes(method); if (localTypes.Exists("System.IntPtr")) { stringDecrypterVersion = StringDecrypterVersion.VER_38; } else { stringDecrypterVersion = StringDecrypterVersion.VER_37; } }
public StringDecrypter(StringDecrypterInfo stringDecrypterInfo) { StringDecrypterInfo = stringDecrypterInfo; if (stringDecrypterInfo != null) { if (!stringDecrypterInfo.StringsEncrypted) { stringOffset = stringDecrypterInfo.StringOffset; decryptedData = stringDecrypterInfo.StringsResource.GetResourceData(); } else if (stringDecrypterInfo.CanDecrypt) { stringOffset = stringDecrypterInfo.StringOffset; decryptedData = stringDecrypterInfo.Decrypt(); } stringDecrypterVersion = StringDecrypterInfo.DecrypterVersion; } }
public StringDecrypter(StringDecrypterInfo stringDecrypterInfo) { StringDecrypterInfo = stringDecrypterInfo; if (stringDecrypterInfo != null) { if (!stringDecrypterInfo.StringsEncrypted) { stringOffset = stringDecrypterInfo.StringOffset; decryptedData = stringDecrypterInfo.StringsResource.GetResourceData(); } else if (stringDecrypterInfo.CanDecrypt) { stringOffset = stringDecrypterInfo.StringOffset; decryptedData = stringDecrypterInfo.Decrypt(); } stringDecrypterVersion = StringDecrypterInfo.DecrypterVersion; } }
public bool Initialize(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator) { var cctor = stringsEncodingClass.FindStaticConstructor(); if (cctor != null) { simpleDeobfuscator.Deobfuscate(cctor); } decrypterVersion = GuessVersion(cctor); if (!FindDecrypterMethod()) { throw new ApplicationException("Could not find string decrypter method"); } if (!FindStringsResource(deob, simpleDeobfuscator, cctor)) { return(false); } if (decrypterVersion <= StringDecrypterVersion.V3) { MethodDef initMethod; if (decrypterVersion == StringDecrypterVersion.V3) { initMethod = cctor; } else if (decrypterVersion == StringDecrypterVersion.V2) { initMethod = stringDecrypterMethod; } else { initMethod = stringDecrypterMethod; } stringOffset = 0; if (decrypterVersion != StringDecrypterVersion.V1) { if (CallsGetPublicKeyToken(initMethod)) { var pkt = PublicKeyBase.ToPublicKeyToken(module.Assembly.PublicKeyToken); if (!PublicKeyBase.IsNullOrEmpty2(pkt)) { for (int i = 0; i < pkt.Data.Length - 1; i += 2) { stringOffset ^= ((int)pkt.Data[i] << 8) + pkt.Data[i + 1]; } } } if (DeobUtils.HasInteger(initMethod, 0xFFFFFF) && DeobUtils.HasInteger(initMethod, 0xFFFF)) { stringOffset ^= ((stringDecrypterMethod.MDToken.ToInt32() & 0xFFFFFF) - 1) % 0xFFFF; } } } else { var offsetVal = FindOffsetValue(cctor); if (offsetVal == null) { throw new ApplicationException("Could not find string offset"); } stringOffset = offsetVal.Value; decrypterVersion = StringDecrypterVersion.V4; } simpleZipTypeMethod = FindSimpleZipTypeMethod(cctor) ?? FindSimpleZipTypeMethod(stringDecrypterMethod); if (simpleZipTypeMethod != null) { resourceDecrypter = new ResourceDecrypter(new ResourceDecrypterInfo(module, simpleZipTypeMethod, simpleDeobfuscator)); } return(true); }
public bool Initialize(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator) { var cctor = stringsEncodingClass.FindStaticConstructor(); if (cctor != null) simpleDeobfuscator.Deobfuscate(cctor); decrypterVersion = GuessVersion(cctor); if (!FindDecrypterMethod()) throw new ApplicationException("Could not find string decrypter method"); if (!FindStringsResource(deob, simpleDeobfuscator, cctor)) return false; if (decrypterVersion <= StringDecrypterVersion.V3) { MethodDef initMethod; if (decrypterVersion == StringDecrypterVersion.V3) initMethod = cctor; else if (decrypterVersion == StringDecrypterVersion.V2) initMethod = stringDecrypterMethod; else initMethod = stringDecrypterMethod; stringOffset = 0; if (decrypterVersion != StringDecrypterVersion.V1) { if (CallsGetPublicKeyToken(initMethod)) { var pkt = PublicKeyBase.ToPublicKeyToken(module.Assembly.PublicKeyToken); if (!PublicKeyBase.IsNullOrEmpty2(pkt)) { for (int i = 0; i < pkt.Data.Length - 1; i += 2) stringOffset ^= ((int)pkt.Data[i] << 8) + pkt.Data[i + 1]; } } if (DeobUtils.HasInteger(initMethod, 0xFFFFFF) && DeobUtils.HasInteger(initMethod, 0xFFFF)) { stringOffset ^= ((stringDecrypterMethod.MDToken.ToInt32() & 0xFFFFFF) - 1) % 0xFFFF; } } } else { var offsetVal = FindOffsetValue(cctor); if (offsetVal == null) throw new ApplicationException("Could not find string offset"); stringOffset = offsetVal.Value; decrypterVersion = StringDecrypterVersion.V4; } simpleZipTypeMethod = FindSimpleZipTypeMethod(cctor) ?? FindSimpleZipTypeMethod(stringDecrypterMethod); if (simpleZipTypeMethod != null) resourceDecrypter = new ResourceDecrypter(new ResourceDecrypterInfo(module, simpleZipTypeMethod, simpleDeobfuscator)); return true; }
public bool init(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator) { var cctor = DotNetUtils.getMethod(stringsEncodingClass, ".cctor"); if (cctor != null) simpleDeobfuscator.deobfuscate(cctor); decrypterVersion = guessVersion(cctor); if (!findDecrypterMethod()) throw new ApplicationException("Could not find string decrypter method"); if (!findStringsResource(deob, simpleDeobfuscator, cctor)) return false; if (decrypterVersion <= StringDecrypterVersion.V3) { MethodDefinition initMethod; if (decrypterVersion == StringDecrypterVersion.V3) initMethod = cctor; else if (decrypterVersion == StringDecrypterVersion.V2) initMethod = stringDecrypterMethod; else initMethod = stringDecrypterMethod; stringOffset = 0; if (decrypterVersion != StringDecrypterVersion.V1) { if (callsGetPublicKeyToken(initMethod)) { var pkt = module.Assembly.Name.PublicKeyToken; if (pkt != null) { for (int i = 0; i < pkt.Length - 1; i += 2) stringOffset ^= ((int)pkt[i] << 8) + pkt[i + 1]; } } if (DotNetUtils.findLdcI4Constant(initMethod, 0xFFFFFF) && DotNetUtils.findLdcI4Constant(initMethod, 0xFFFF)) { stringOffset ^= ((stringDecrypterMethod.MetadataToken.ToInt32() & 0xFFFFFF) - 1) % 0xFFFF; } } } else { var offsetVal = findOffsetValue(cctor); if (offsetVal == null) throw new ApplicationException("Could not find string offset"); stringOffset = offsetVal.Value; decrypterVersion = StringDecrypterVersion.V4; } simpleZipTypeMethod = findSimpleZipTypeMethod(cctor) ?? findSimpleZipTypeMethod(stringDecrypterMethod); if (simpleZipTypeMethod != null) resourceDecrypter = new ResourceDecrypter(new ResourceDecrypterInfo(module, simpleZipTypeMethod, simpleDeobfuscator)); return true; }
public bool init(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator) { var cctor = DotNetUtils.getMethod(stringsEncodingClass, ".cctor"); if (cctor != null) { simpleDeobfuscator.deobfuscate(cctor); } decrypterVersion = guessVersion(cctor); if (!findDecrypterMethod()) { throw new ApplicationException("Could not find string decrypter method"); } if (!findStringsResource(deob, simpleDeobfuscator, cctor)) { return(false); } if (decrypterVersion <= StringDecrypterVersion.V3) { MethodDefinition initMethod; if (decrypterVersion == StringDecrypterVersion.V3) { initMethod = cctor; } else if (decrypterVersion == StringDecrypterVersion.V2) { initMethod = stringDecrypterMethod; } else { initMethod = stringDecrypterMethod; } stringOffset = 0; if (decrypterVersion != StringDecrypterVersion.V1) { if (callsGetPublicKeyToken(initMethod)) { var pkt = module.Assembly.Name.PublicKeyToken; if (pkt != null) { for (int i = 0; i < pkt.Length - 1; i += 2) { stringOffset ^= ((int)pkt[i] << 8) + pkt[i + 1]; } } } if (DeobUtils.hasInteger(initMethod, 0xFFFFFF) && DeobUtils.hasInteger(initMethod, 0xFFFF)) { stringOffset ^= ((stringDecrypterMethod.MetadataToken.ToInt32() & 0xFFFFFF) - 1) % 0xFFFF; } } } else { var offsetVal = findOffsetValue(cctor); if (offsetVal == null) { throw new ApplicationException("Could not find string offset"); } stringOffset = offsetVal.Value; decrypterVersion = StringDecrypterVersion.V4; } simpleZipTypeMethod = findSimpleZipTypeMethod(cctor) ?? findSimpleZipTypeMethod(stringDecrypterMethod); if (simpleZipTypeMethod != null) { resourceDecrypter = new ResourceDecrypter(new ResourceDecrypterInfo(module, simpleZipTypeMethod, simpleDeobfuscator)); } return(true); }