public StringDecrypter(ModuleDefMD module, StringDecrypter oldOne)
{
this.module = module;
stringDecrypterVersion = oldOne.stringDecrypterVersion;
encryptedResource = new EncryptedResource(module, oldOne.encryptedResource);
foreach (var oldInfo in oldOne.decrypterInfos)
{
var method = Lookup(oldInfo.method, "Could not find string decrypter method");
decrypterInfos.Add(new DecrypterInfo(method, oldInfo.key, oldInfo.iv));
}
otherStringDecrypter = Lookup(oldOne.otherStringDecrypter, "Could not find string decrypter method");
}
void InitializeStringDecrypterVersion(MethodDef method)
{
var localTypes = new LocalTypes(method);
if (localTypes.Exists("System.IntPtr"))
{
stringDecrypterVersion = StringDecrypterVersion.VER_38;
}
else
{
stringDecrypterVersion = StringDecrypterVersion.VER_37;
}
}
public StringDecrypter(StringDecrypterInfo stringDecrypterInfo) {
StringDecrypterInfo = stringDecrypterInfo;
if (stringDecrypterInfo != null) {
if (!stringDecrypterInfo.StringsEncrypted) {
stringOffset = stringDecrypterInfo.StringOffset;
decryptedData = stringDecrypterInfo.StringsResource.GetResourceData();
}
else if (stringDecrypterInfo.CanDecrypt) {
stringOffset = stringDecrypterInfo.StringOffset;
decryptedData = stringDecrypterInfo.Decrypt();
}
stringDecrypterVersion = StringDecrypterInfo.DecrypterVersion;
}
}
public StringDecrypter(StringDecrypterInfo stringDecrypterInfo)
{
StringDecrypterInfo = stringDecrypterInfo;
if (stringDecrypterInfo != null)
{
if (!stringDecrypterInfo.StringsEncrypted)
{
stringOffset = stringDecrypterInfo.StringOffset;
decryptedData = stringDecrypterInfo.StringsResource.GetResourceData();
}
else if (stringDecrypterInfo.CanDecrypt)
{
stringOffset = stringDecrypterInfo.StringOffset;
decryptedData = stringDecrypterInfo.Decrypt();
}
stringDecrypterVersion = StringDecrypterInfo.DecrypterVersion;
}
}
public bool Initialize(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator)
{
var cctor = stringsEncodingClass.FindStaticConstructor();
if (cctor != null)
{
simpleDeobfuscator.Deobfuscate(cctor);
}
decrypterVersion = GuessVersion(cctor);
if (!FindDecrypterMethod())
{
throw new ApplicationException("Could not find string decrypter method");
}
if (!FindStringsResource(deob, simpleDeobfuscator, cctor))
{
return(false);
}
if (decrypterVersion <= StringDecrypterVersion.V3)
{
MethodDef initMethod;
if (decrypterVersion == StringDecrypterVersion.V3)
{
initMethod = cctor;
}
else if (decrypterVersion == StringDecrypterVersion.V2)
{
initMethod = stringDecrypterMethod;
}
else
{
initMethod = stringDecrypterMethod;
}
stringOffset = 0;
if (decrypterVersion != StringDecrypterVersion.V1)
{
if (CallsGetPublicKeyToken(initMethod))
{
var pkt = PublicKeyBase.ToPublicKeyToken(module.Assembly.PublicKeyToken);
if (!PublicKeyBase.IsNullOrEmpty2(pkt))
{
for (int i = 0; i < pkt.Data.Length - 1; i += 2)
{
stringOffset ^= ((int)pkt.Data[i] << 8) + pkt.Data[i + 1];
}
}
}
if (DeobUtils.HasInteger(initMethod, 0xFFFFFF) &&
DeobUtils.HasInteger(initMethod, 0xFFFF))
{
stringOffset ^= ((stringDecrypterMethod.MDToken.ToInt32() & 0xFFFFFF) - 1) % 0xFFFF;
}
}
}
else
{
var offsetVal = FindOffsetValue(cctor);
if (offsetVal == null)
{
throw new ApplicationException("Could not find string offset");
}
stringOffset = offsetVal.Value;
decrypterVersion = StringDecrypterVersion.V4;
}
simpleZipTypeMethod = FindSimpleZipTypeMethod(cctor) ?? FindSimpleZipTypeMethod(stringDecrypterMethod);
if (simpleZipTypeMethod != null)
{
resourceDecrypter = new ResourceDecrypter(new ResourceDecrypterInfo(module, simpleZipTypeMethod, simpleDeobfuscator));
}
return(true);
}
public bool Initialize(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator) {
var cctor = stringsEncodingClass.FindStaticConstructor();
if (cctor != null)
simpleDeobfuscator.Deobfuscate(cctor);
decrypterVersion = GuessVersion(cctor);
if (!FindDecrypterMethod())
throw new ApplicationException("Could not find string decrypter method");
if (!FindStringsResource(deob, simpleDeobfuscator, cctor))
return false;
if (decrypterVersion <= StringDecrypterVersion.V3) {
MethodDef initMethod;
if (decrypterVersion == StringDecrypterVersion.V3)
initMethod = cctor;
else if (decrypterVersion == StringDecrypterVersion.V2)
initMethod = stringDecrypterMethod;
else
initMethod = stringDecrypterMethod;
stringOffset = 0;
if (decrypterVersion != StringDecrypterVersion.V1) {
if (CallsGetPublicKeyToken(initMethod)) {
var pkt = PublicKeyBase.ToPublicKeyToken(module.Assembly.PublicKeyToken);
if (!PublicKeyBase.IsNullOrEmpty2(pkt)) {
for (int i = 0; i < pkt.Data.Length - 1; i += 2)
stringOffset ^= ((int)pkt.Data[i] << 8) + pkt.Data[i + 1];
}
}
if (DeobUtils.HasInteger(initMethod, 0xFFFFFF) &&
DeobUtils.HasInteger(initMethod, 0xFFFF)) {
stringOffset ^= ((stringDecrypterMethod.MDToken.ToInt32() & 0xFFFFFF) - 1) % 0xFFFF;
}
}
}
else {
var offsetVal = FindOffsetValue(cctor);
if (offsetVal == null)
throw new ApplicationException("Could not find string offset");
stringOffset = offsetVal.Value;
decrypterVersion = StringDecrypterVersion.V4;
}
simpleZipTypeMethod = FindSimpleZipTypeMethod(cctor) ?? FindSimpleZipTypeMethod(stringDecrypterMethod);
if (simpleZipTypeMethod != null)
resourceDecrypter = new ResourceDecrypter(new ResourceDecrypterInfo(module, simpleZipTypeMethod, simpleDeobfuscator));
return true;
}
public bool init(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator)
{
var cctor = DotNetUtils.getMethod(stringsEncodingClass, ".cctor");
if (cctor != null)
simpleDeobfuscator.deobfuscate(cctor);
decrypterVersion = guessVersion(cctor);
if (!findDecrypterMethod())
throw new ApplicationException("Could not find string decrypter method");
if (!findStringsResource(deob, simpleDeobfuscator, cctor))
return false;
if (decrypterVersion <= StringDecrypterVersion.V3) {
MethodDefinition initMethod;
if (decrypterVersion == StringDecrypterVersion.V3)
initMethod = cctor;
else if (decrypterVersion == StringDecrypterVersion.V2)
initMethod = stringDecrypterMethod;
else
initMethod = stringDecrypterMethod;
stringOffset = 0;
if (decrypterVersion != StringDecrypterVersion.V1) {
if (callsGetPublicKeyToken(initMethod)) {
var pkt = module.Assembly.Name.PublicKeyToken;
if (pkt != null) {
for (int i = 0; i < pkt.Length - 1; i += 2)
stringOffset ^= ((int)pkt[i] << 8) + pkt[i + 1];
}
}
if (DotNetUtils.findLdcI4Constant(initMethod, 0xFFFFFF) &&
DotNetUtils.findLdcI4Constant(initMethod, 0xFFFF)) {
stringOffset ^= ((stringDecrypterMethod.MetadataToken.ToInt32() & 0xFFFFFF) - 1) % 0xFFFF;
}
}
}
else {
var offsetVal = findOffsetValue(cctor);
if (offsetVal == null)
throw new ApplicationException("Could not find string offset");
stringOffset = offsetVal.Value;
decrypterVersion = StringDecrypterVersion.V4;
}
simpleZipTypeMethod = findSimpleZipTypeMethod(cctor) ?? findSimpleZipTypeMethod(stringDecrypterMethod);
if (simpleZipTypeMethod != null)
resourceDecrypter = new ResourceDecrypter(new ResourceDecrypterInfo(module, simpleZipTypeMethod, simpleDeobfuscator));
return true;
}
public bool init(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator)
{
var cctor = DotNetUtils.getMethod(stringsEncodingClass, ".cctor");
if (cctor != null)
{
simpleDeobfuscator.deobfuscate(cctor);
}
decrypterVersion = guessVersion(cctor);
if (!findDecrypterMethod())
{
throw new ApplicationException("Could not find string decrypter method");
}
if (!findStringsResource(deob, simpleDeobfuscator, cctor))
{
return(false);
}
if (decrypterVersion <= StringDecrypterVersion.V3)
{
MethodDefinition initMethod;
if (decrypterVersion == StringDecrypterVersion.V3)
{
initMethod = cctor;
}
else if (decrypterVersion == StringDecrypterVersion.V2)
{
initMethod = stringDecrypterMethod;
}
else
{
initMethod = stringDecrypterMethod;
}
stringOffset = 0;
if (decrypterVersion != StringDecrypterVersion.V1)
{
if (callsGetPublicKeyToken(initMethod))
{
var pkt = module.Assembly.Name.PublicKeyToken;
if (pkt != null)
{
for (int i = 0; i < pkt.Length - 1; i += 2)
{
stringOffset ^= ((int)pkt[i] << 8) + pkt[i + 1];
}
}
}
if (DeobUtils.hasInteger(initMethod, 0xFFFFFF) &&
DeobUtils.hasInteger(initMethod, 0xFFFF))
{
stringOffset ^= ((stringDecrypterMethod.MetadataToken.ToInt32() & 0xFFFFFF) - 1) % 0xFFFF;
}
}
}
else
{
var offsetVal = findOffsetValue(cctor);
if (offsetVal == null)
{
throw new ApplicationException("Could not find string offset");
}
stringOffset = offsetVal.Value;
decrypterVersion = StringDecrypterVersion.V4;
}
simpleZipTypeMethod = findSimpleZipTypeMethod(cctor) ?? findSimpleZipTypeMethod(stringDecrypterMethod);
if (simpleZipTypeMethod != null)
{
resourceDecrypter = new ResourceDecrypter(new ResourceDecrypterInfo(module, simpleZipTypeMethod, simpleDeobfuscator));
}
return(true);
}
