public ResourceDecrypter(ModuleDefinition module, ResourceDecrypter oldOne) { this.module = module; rsrcType = lookup(oldOne.rsrcType, "Could not find rsrcType"); rsrcRrrMethod = lookup(oldOne.rsrcRrrMethod, "Could not find rsrcRrrMethod"); rsrcResolveMethod = lookup(oldOne.rsrcResolveMethod, "Could not find rsrcResolveMethod"); }
void decryptResources(ResourceDecrypter resourceDecrypter) { var rsrc = resourceDecrypter.mergeResources(); if (rsrc == null) { return; } addResourceToBeRemoved(rsrc, "Encrypted resources"); addTypeToBeRemoved(resourceDecrypter.Type, "Resource decrypter type"); }
protected override void scanForObfuscator() { findCliSecureAttribute(); cliSecureRtType = new CliSecureRtType(module); cliSecureRtType.find(ModuleBytes); stringDecrypter = new StringDecrypter(module, cliSecureRtType.StringDecrypterMethod); stringDecrypter.find(); resourceDecrypter = new ResourceDecrypter(module); resourceDecrypter.find(); proxyCallFixer = new ProxyCallFixer(module); proxyCallFixer.findDelegateCreator(); csvm = new vm.Csvm(DeobfuscatedFile.DeobfuscatorContext, module); csvm.find(); }
public override void deobfuscateBegin() { base.deobfuscateBegin(); addAttributeToBeRemoved(cliSecureAttribute, "Obfuscator attribute"); if (options.DecryptResources) { var resourceDecrypter = new ResourceDecrypter(module); resourceDecrypter.find(); decryptResources(resourceDecrypter); addCctorInitCallToBeRemoved(resourceDecrypter.RsrcRrrMethod); } stackFrameHelper = new StackFrameHelper(module); stackFrameHelper.find(); foreach (var type in module.Types) { if (type.FullName == "InitializeDelegate" && DotNetUtils.derivesFromDelegate(type)) { this.addTypeToBeRemoved(type, "Obfuscator type"); } } proxyDelegateFinder.find(); staticStringInliner.add(stringDecrypter.Method, (method, args) => stringDecrypter.decrypt((string)args[0])); DeobfuscatedFile.stringDecryptersAdded(); if (options.DecryptMethods) { addCctorInitCallToBeRemoved(cliSecureRtType.InitializeMethod); addCctorInitCallToBeRemoved(cliSecureRtType.PostInitializeMethod); findPossibleNamesToRemove(cliSecureRtType.LoadMethod); } if (options.RestoreVmCode) { csvm.restore(); addAssemblyReferenceToBeRemoved(csvm.VmAssemblyReference, "CSVM assembly reference"); addResourceToBeRemoved(csvm.Resource, "CSVM data resource"); } }
void decryptResources(ResourceDecrypter resourceDecrypter) { var rsrc = resourceDecrypter.mergeResources(); if (rsrc == null) return; addResourceToBeRemoved(rsrc, "Encrypted resources"); addTypeToBeRemoved(resourceDecrypter.Type, "Resource decrypter type"); }
protected override void scanForObfuscator() { findCliSecureAttribute(); cliSecureRtType = new CliSecureRtType(module); cliSecureRtType.find(ModuleBytes); stringDecrypter = new StringDecrypter(module, cliSecureRtType.StringDecrypterMethod); stringDecrypter.find(); resourceDecrypter = new ResourceDecrypter(module); resourceDecrypter.find(); proxyCallFixer = new ProxyCallFixer(module); proxyCallFixer.findDelegateCreator(); csvm = new vm.Csvm(DeobfuscatedFile.DeobfuscatorContext, module); csvm.find(); }
public override void deobfuscateBegin() { base.deobfuscateBegin(); addAttributeToBeRemoved(cliSecureAttribute, "Obfuscator attribute"); resourceDecrypter = new ResourceDecrypter(module); resourceDecrypter.find(); stackFrameHelper = new StackFrameHelper(module); stackFrameHelper.find(); foreach (var type in module.Types) { if (type.FullName == "InitializeDelegate" && DotNetUtils.derivesFromDelegate(type)) this.addTypeToBeRemoved(type, "Obfuscator type"); } proxyDelegateFinder.find(); staticStringDecrypter.add(stringDecrypter.Method, (method, args) => stringDecrypter.decrypt((string)args[0])); if (options.DecryptMethods) { addCctorInitCallToBeRemoved(cliSecureRtType.InitializeMethod); addCctorInitCallToBeRemoved(cliSecureRtType.PostInitializeMethod); findPossibleNamesToRemove(cliSecureRtType.LoadMethod); } if (options.DecryptResources) addCctorInitCallToBeRemoved(resourceDecrypter.RsrcRrrMethod); }