Beispiel #1
 /// <summary>
 /// Creates a ResourceDecrypter for <paramref name="module"/> from an already populated
 /// instance, passing each of that instance's three located members through lookup().
 /// </summary>
 /// <param name="module">Module stored on this instance.</param>
 /// <param name="oldOne">Existing instance whose rsrcType, rsrcRrrMethod and
 /// rsrcResolveMethod are read. It is dereferenced without a null check.</param>
 public ResourceDecrypter(ModuleDefinition module, ResourceDecrypter oldOne)
 {
     this.module       = module;
     // NOTE(review): lookup() is not visible here; presumably it maps a member of the old
     // module onto its counterpart in `module` and reports the given message when no match
     // is found - confirm against its definition.
     rsrcType          = lookup(oldOne.rsrcType, "Could not find rsrcType");
     rsrcRrrMethod     = lookup(oldOne.rsrcRrrMethod, "Could not find rsrcRrrMethod");
     rsrcResolveMethod = lookup(oldOne.rsrcResolveMethod, "Could not find rsrcResolveMethod");
 }
Beispiel #2
        /// <summary>
        /// Calls mergeResources() on the supplied decrypter and, when it returns a non-null
        /// value, registers that resource and the decrypter's own type with the
        /// add*ToBeRemoved helpers.
        /// </summary>
        /// <param name="resourceDecrypter">Decrypter whose mergeResources() result and Type
        /// are used.</param>
        void decryptResources(ResourceDecrypter resourceDecrypter)
        {
            var mergeResult = resourceDecrypter.mergeResources();

            // A null result means there is nothing to register, so neither helper is called.
            if (mergeResult != null)
            {
                addResourceToBeRemoved(mergeResult, "Encrypted resources");
                addTypeToBeRemoved(resourceDecrypter.Type, "Resource decrypter type");
            }
        }
Beispiel #3
 /// <summary>
 /// Detection pass: creates the CliSecure helper objects for <c>module</c> and runs each
 /// one's find step, storing the helpers in fields for later use.
 /// </summary>
 /// <remarks>
 /// The string decrypter is constructed from cliSecureRtType.StringDecrypterMethod, which is
 /// read after cliSecureRtType.find(ModuleBytes) has run. Presumably that find() call is what
 /// populates the property, so the order of these statements should be kept.
 /// </remarks>
 protected override void scanForObfuscator()
 {
     findCliSecureAttribute();
     cliSecureRtType = new CliSecureRtType(module);
     // The only find call in this method that is handed ModuleBytes.
     cliSecureRtType.find(ModuleBytes);
     stringDecrypter = new StringDecrypter(module, cliSecureRtType.StringDecrypterMethod);
     stringDecrypter.find();
     resourceDecrypter = new ResourceDecrypter(module);
     resourceDecrypter.find();
     proxyCallFixer = new ProxyCallFixer(module);
     proxyCallFixer.findDelegateCreator();
     // The VM helper also receives the deobfuscator context from DeobfuscatedFile.
     csvm = new vm.Csvm(DeobfuscatedFile.DeobfuscatorContext, module);
     csvm.find();
 }
Beispiel #4
        /// <summary>
        /// Start-of-deobfuscation hook: runs the base implementation, then registers the
        /// protector's attribute, helper types, static-constructor init calls and resources
        /// with the add*ToBeRemoved helpers, and hooks the string decrypter into
        /// staticStringInliner.
        /// </summary>
        /// <remarks>
        /// Three option flags gate parts of the work: DecryptResources, DecryptMethods and
        /// RestoreVmCode. The string arguments passed to the add*ToBeRemoved helpers look like
        /// human-readable reasons; their exact use is not visible in this method.
        /// </remarks>
        public override void deobfuscateBegin()
        {
            base.deobfuscateBegin();

            addAttributeToBeRemoved(cliSecureAttribute, "Obfuscator attribute");

            if (options.DecryptResources)
            {
                // `var` declares a local here, so any field with the same name is left
                // untouched by this branch.
                var resourceDecrypter = new ResourceDecrypter(module);
                resourceDecrypter.find();
                decryptResources(resourceDecrypter);
                addCctorInitCallToBeRemoved(resourceDecrypter.RsrcRrrMethod);
            }

            stackFrameHelper = new StackFrameHelper(module);
            stackFrameHelper.find();

            // A type is queued only when its full name is exactly "InitializeDelegate" and
            // DotNetUtils.derivesFromDelegate accepts it; the name alone is not enough.
            foreach (var type in module.Types)
            {
                if (type.FullName == "InitializeDelegate" && DotNetUtils.derivesFromDelegate(type))
                {
                    this.addTypeToBeRemoved(type, "Obfuscator type");
                }
            }

            // NOTE(review): proxyDelegateFinder is not assigned in this method - presumably
            // set up earlier; confirm.
            proxyDelegateFinder.find();

            // The callback casts args[0] to string before calling stringDecrypter.decrypt,
            // i.e. it assumes the decrypter method's first argument is a string.
            staticStringInliner.add(stringDecrypter.Method, (method, args) => stringDecrypter.decrypt((string)args[0]));
            DeobfuscatedFile.stringDecryptersAdded();

            if (options.DecryptMethods)
            {
                addCctorInitCallToBeRemoved(cliSecureRtType.InitializeMethod);
                addCctorInitCallToBeRemoved(cliSecureRtType.PostInitializeMethod);
                findPossibleNamesToRemove(cliSecureRtType.LoadMethod);
            }

            if (options.RestoreVmCode)
            {
                // restore() runs first; the assembly reference and data resource are
                // registered for removal only afterwards.
                csvm.restore();
                addAssemblyReferenceToBeRemoved(csvm.VmAssemblyReference, "CSVM assembly reference");
                addResourceToBeRemoved(csvm.Resource, "CSVM data resource");
            }
        }
Beispiel #5
 /// <summary>
 /// Asks the decrypter to merge its resources; if that produces a value, hands it to
 /// addResourceToBeRemoved and hands the decrypter's Type to addTypeToBeRemoved.
 /// </summary>
 /// <param name="resourceDecrypter">Decrypter providing mergeResources() and Type.</param>
 void decryptResources(ResourceDecrypter resourceDecrypter)
 {
     var encryptedRsrc = resourceDecrypter.mergeResources();
     bool nothingMerged = encryptedRsrc == null;

     // Without a merge result there is nothing to register.
     if (nothingMerged)
     {
         return;
     }

     addResourceToBeRemoved(encryptedRsrc, "Encrypted resources");
     addTypeToBeRemoved(resourceDecrypter.Type, "Resource decrypter type");
 }
Beispiel #6
 /// <summary>
 /// Runs the detection steps for this deobfuscator: looks for the CliSecure attribute, then
 /// builds the runtime-type, string-decrypter, resource-decrypter, proxy-call and VM helpers
 /// for <c>module</c> and invokes the find method of each.
 /// </summary>
 /// <remarks>
 /// Statement order is significant at least between cliSecureRtType.find(ModuleBytes) and the
 /// StringDecrypter constructor, which reads cliSecureRtType.StringDecrypterMethod.
 /// NOTE(review): that the property is filled in by find() is an assumption - confirm.
 /// </remarks>
 protected override void scanForObfuscator()
 {
     findCliSecureAttribute();
     cliSecureRtType = new CliSecureRtType(module);
     cliSecureRtType.find(ModuleBytes);
     // Built from a value read off cliSecureRtType, so it must follow the call above.
     stringDecrypter = new StringDecrypter(module, cliSecureRtType.StringDecrypterMethod);
     stringDecrypter.find();
     resourceDecrypter = new ResourceDecrypter(module);
     resourceDecrypter.find();
     // Unlike the other helpers, this one is driven through findDelegateCreator().
     proxyCallFixer = new ProxyCallFixer(module);
     proxyCallFixer.findDelegateCreator();
     csvm = new vm.Csvm(DeobfuscatedFile.DeobfuscatorContext, module);
     csvm.find();
 }
Beispiel #7
        /// <summary>
        /// Start-of-deobfuscation hook: after the base implementation it registers the
        /// obfuscator attribute, runs the resource-decrypter, stack-frame and proxy-delegate
        /// finders, queues matching "InitializeDelegate" types for removal, hooks the string
        /// decrypter into staticStringDecrypter and, depending on the options, registers
        /// static-constructor init calls for removal.
        /// </summary>
        /// <remarks>
        /// resourceDecrypter.find() always runs; only the removal of its RsrcRrrMethod call is
        /// gated on options.DecryptResources.
        /// </remarks>
        public override void deobfuscateBegin()
        {
            base.deobfuscateBegin();

            addAttributeToBeRemoved(cliSecureAttribute, "Obfuscator attribute");

            // Locator helpers are created and run regardless of the option flags.
            resourceDecrypter = new ResourceDecrypter(module);
            resourceDecrypter.find();

            stackFrameHelper = new StackFrameHelper(module);
            stackFrameHelper.find();

            foreach (var candidate in module.Types)
            {
                // Name check first, delegate-base check second (short-circuit preserved).
                bool isInitDelegate = candidate.FullName == "InitializeDelegate"
                    && DotNetUtils.derivesFromDelegate(candidate);
                if (isInitDelegate)
                {
                    this.addTypeToBeRemoved(candidate, "Obfuscator type");
                }
            }

            proxyDelegateFinder.find();

            // The callback assumes the decrypter method's first argument is a string.
            staticStringDecrypter.add(
                stringDecrypter.Method,
                (method, args) => stringDecrypter.decrypt((string)args[0]));

            if (options.DecryptMethods)
            {
                addCctorInitCallToBeRemoved(cliSecureRtType.InitializeMethod);
                addCctorInitCallToBeRemoved(cliSecureRtType.PostInitializeMethod);
                findPossibleNamesToRemove(cliSecureRtType.LoadMethod);
            }

            if (options.DecryptResources)
            {
                addCctorInitCallToBeRemoved(resourceDecrypter.RsrcRrrMethod);
            }
        }