void Deobfuscate(MethodDef method, string msg, Action<Blocks> handler) {
if (savedMethodBodies != null)
savedMethodBodies.Save(method);
Logger.v("{0}: {1} ({2:X8})", msg, Utils.RemoveNewlines(method), method.MDToken.ToUInt32());
Logger.Instance.Indent();
if (HasNonEmptyBody(method)) {
try {
var blocks = new Blocks(method);
handler(blocks);
IList<Instruction> allInstructions;
IList<ExceptionHandler> allExceptionHandlers;
blocks.GetCode(out allInstructions, out allExceptionHandlers);
DotNetUtils.RestoreBody(method, allInstructions, allExceptionHandlers);
}
catch {
Logger.v("Could not deobfuscate {0:X8}", method.MDToken.ToInt32());
}
}
Logger.Instance.DeIndent();
}
void Deobfuscate(MethodDef method, BlocksCflowDeobfuscator cflowDeobfuscator, MethodPrinter methodPrinter, bool isVerbose, bool isVV) {
if (!HasNonEmptyBody(method))
return;
var blocks = new Blocks(method);
int numRemovedLocals = 0;
int oldNumInstructions = method.Body.Instructions.Count;
deob.DeobfuscateMethodBegin(blocks);
if (options.ControlFlowDeobfuscation) {
cflowDeobfuscator.Initialize(blocks);
cflowDeobfuscator.Deobfuscate();
}
if (deob.DeobfuscateOther(blocks) && options.ControlFlowDeobfuscation)
cflowDeobfuscator.Deobfuscate();
if (options.ControlFlowDeobfuscation) {
if (CanOptimizeLocals())
numRemovedLocals = blocks.OptimizeLocals();
blocks.RepartitionBlocks();
}
DeobfuscateStrings(blocks);
deob.DeobfuscateMethodEnd(blocks);
IList<Instruction> allInstructions;
IList<ExceptionHandler> allExceptionHandlers;
blocks.GetCode(out allInstructions, out allExceptionHandlers);
DotNetUtils.RestoreBody(method, allInstructions, allExceptionHandlers);
if (isVerbose && numRemovedLocals > 0)
Logger.v("Removed {0} unused local(s)", numRemovedLocals);
int numRemovedInstructions = oldNumInstructions - method.Body.Instructions.Count;
if (isVerbose && numRemovedInstructions > 0)
Logger.v("Removed {0} dead instruction(s)", numRemovedInstructions);
if (isVV) {
Logger.Log(LoggerEvent.VeryVerbose, "Deobfuscated code:");
Logger.Instance.Indent();
methodPrinter.Print(LoggerEvent.VeryVerbose, allInstructions, allExceptionHandlers);
Logger.Instance.DeIndent();
}
}
void RestoreMethod(Blocks blocks) {
IList<Instruction> allInstructions;
IList<ExceptionHandler> allExceptionHandlers;
blocks.GetCode(out allInstructions, out allExceptionHandlers);
DotNetUtils.RestoreBody(blocks.Method, allInstructions, allExceptionHandlers);
}
void StringDecrypterBugWorkaround() {
// There's a bug in Eazfuscator.NET when the VM and string encryption features are
// enabled. The string decrypter's initialization code checks to make sure it's not
// called by eg. a dynamic method. When it's called from the VM code, it is
// called by MethodBase.Invoke() and the string decrypter antis set in causing it
// to fail.
// One way to work around this is to make sure the string decrypter has been called
// once. That way, any VM code calling it won't trigger a failure.
// We can put this code in <Module>::.cctor() since it gets executed before any
// other code.
// Note that we can't call the string decrypter from <Module>::.cctor() since
// its DeclaringType property will return null (since it's the global type). We
// must call another created class which calls the string decrypter.
// You must use --dont-rename --keep-types --preserve-tokens and decrypt strings
if (!Operations.KeepObfuscatorTypes || Operations.DecryptStrings == OpDecryptString.None ||
(Operations.RenamerFlags & (RenamerFlags.RenameNamespaces | RenamerFlags.RenameTypes)) != 0)
return;
if (stringDecrypter.ValidStringDecrypterValue == null)
return;
var newType = module.UpdateRowId(new TypeDefUser(Guid.NewGuid().ToString("B"), module.CorLibTypes.Object.TypeDefOrRef));
module.Types.Add(newType);
var newMethod = module.UpdateRowId(new MethodDefUser("x", MethodSig.CreateStatic(module.CorLibTypes.Void), 0, MethodAttributes.Static | MethodAttributes.HideBySig));
newType.Methods.Add(newMethod);
newMethod.Body = new CilBody();
newMethod.Body.MaxStack = 1;
newMethod.Body.Instructions.Add(Instruction.CreateLdcI4(stringDecrypter.ValidStringDecrypterValue.Value));
newMethod.Body.Instructions.Add(OpCodes.Call.ToInstruction(stringDecrypter.Method));
newMethod.Body.Instructions.Add(OpCodes.Pop.ToInstruction());
newMethod.Body.Instructions.Add(OpCodes.Ret.ToInstruction());
var cctor = module.GlobalType.FindOrCreateStaticConstructor();
var blocks = new Blocks(cctor);
var block = blocks.MethodBlocks.GetAllBlocks()[0];
block.Insert(0, OpCodes.Call.ToInstruction(newMethod));
IList<Instruction> allInstructions;
IList<ExceptionHandler> allExceptionHandlers;
blocks.GetCode(out allInstructions, out allExceptionHandlers);
DotNetUtils.RestoreBody(cctor, allInstructions, allExceptionHandlers);
}
public void CreateMethod(MethodBase realMethod) {
if (realMethodToNewMethod.ContainsKey(realMethod))
return;
var newMethodInfo = new NewMethodInfo(realMethod, newMethodInfos.Count, GetDelegateMethodName(realMethod), GetDelegateMethodName(realMethod));
newMethodInfos.Add(newMethodInfo);
delegateNameToNewMethodInfo[newMethodInfo.delegateMethodName] = newMethodInfo;
delegateNameToNewMethodInfo[newMethodInfo.rewrittenMethodName] = newMethodInfo;
realMethodToNewMethod[realMethod] = newMethodInfo;
var moduleInfo = Resolver.LoadAssembly(realMethod.Module);
var methodInfo = moduleInfo.GetMethod(realMethod);
if (!methodInfo.HasInstructions())
throw new ApplicationException(string.Format("Method {0} ({1:X8}) has no body", methodInfo.methodDef, methodInfo.methodDef.MDToken.Raw));
var codeGenerator = new CodeGenerator(this, newMethodInfo.delegateMethodName);
codeGenerator.SetMethodInfo(methodInfo);
newMethodInfo.delegateType = codeGenerator.DelegateType;
var blocks = new Blocks(methodInfo.methodDef);
foreach (var block in blocks.MethodBlocks.GetAllBlocks())
Update(block, newMethodInfo);
IList<Instruction> allInstructions;
IList<ExceptionHandler> allExceptionHandlers;
blocks.GetCode(out allInstructions, out allExceptionHandlers);
newMethodInfo.delegateInstance = codeGenerator.Generate(allInstructions, allExceptionHandlers);
}
public IEnumerable<FieldDef> CleanUp() {
var removedFields = new List<FieldDef>();
var moduleCctor = DotNetUtils.GetModuleTypeCctor(module);
if (moduleCctor == null)
return removedFields;
var moduleCctorBlocks = new Blocks(moduleCctor);
var keep = FindFieldsToKeep();
foreach (var fieldInfo in fieldToInfo.GetValues()) {
if (keep.ContainsKey(fieldInfo))
continue;
if (RemoveInitCode(moduleCctorBlocks, fieldInfo)) {
removedFields.Add(fieldInfo.field);
removedFields.Add(fieldInfo.arrayInitField);
}
fieldInfo.arrayInitField.InitialValue = new byte[1];
fieldInfo.arrayInitField.FieldSig.Type = module.CorLibTypes.Byte;
fieldInfo.arrayInitField.RVA = 0;
}
IList<Instruction> allInstructions;
IList<ExceptionHandler> allExceptionHandlers;
moduleCctorBlocks.GetCode(out allInstructions, out allExceptionHandlers);
DotNetUtils.RestoreBody(moduleCctorBlocks.Method, allInstructions, allExceptionHandlers);
return removedFields;
}
