Beispiel #1
0
		public void find() {
			var additionalTypes = new string[] {
				"System.IntPtr",
//				"System.Reflection.Assembly",		//TODO: Not in unknown DNR version with jitter support
			};
			var checkedMethods = new Dictionary<IMethod, bool>(MethodEqualityComparer.CompareDeclaringTypes);
			var callCounter = new CallCounter();
			int typesLeft = 30;
			foreach (var type in module.GetTypes()) {
				var cctor = type.FindStaticConstructor();
				if (cctor == null || cctor.Body == null)
					continue;
				if (typesLeft-- <= 0)
					break;

				foreach (var method in DotNetUtils.getCalledMethods(module, cctor)) {
					if (!checkedMethods.ContainsKey(method)) {
						checkedMethods[method] = false;
						if (method.DeclaringType.BaseType == null || method.DeclaringType.BaseType.FullName != "System.Object")
							continue;
						if (!DotNetUtils.isMethod(method, "System.Void", "()"))
							continue;
						if (!encryptedResource.couldBeResourceDecrypter(method, additionalTypes))
							continue;
						checkedMethods[method] = true;
					}
					else if (!checkedMethods[method])
						continue;
					callCounter.add(method);
				}
			}

			encryptedResource.Method = (MethodDef)callCounter.most();
		}
Beispiel #2
0
        public void find()
        {
            var additionalTypes = new string[] {
                "System.Boolean",
            };

            foreach (var type in module.Types)
            {
                if (type.BaseType == null || type.BaseType.FullName != "System.Object")
                {
                    continue;
                }
                foreach (var method in type.Methods)
                {
                    if (!method.IsStatic || !method.HasBody)
                    {
                        continue;
                    }
                    if (!DotNetUtils.isMethod(method, "System.Boolean", "(System.Int32)"))
                    {
                        continue;
                    }
                    if (!encryptedResource.couldBeResourceDecrypter(method, additionalTypes))
                    {
                        continue;
                    }

                    encryptedResource.Method = method;
                    return;
                }
            }
        }
Beispiel #3
0
        public void find(ISimpleDeobfuscator simpleDeobfuscator)
        {
            var additionalTypes = new string[] {
                "System.String",
            };
            EmbeddedResource stringsResource = null;

            foreach (var type in module.Types)
            {
                if (decrypterInfos.Count > 0)
                {
                    break;
                }
                if (type.BaseType == null || type.BaseType.FullName != "System.Object")
                {
                    continue;
                }
                foreach (var method in type.Methods)
                {
                    if (!method.IsStatic || !method.HasBody)
                    {
                        continue;
                    }
                    if (!DotNetUtils.isMethod(method, "System.String", "(System.Int32)"))
                    {
                        continue;
                    }
                    if (!encryptedResource.couldBeResourceDecrypter(method, additionalTypes))
                    {
                        continue;
                    }

                    var resource = DotNetUtils.getResource(module, DotNetUtils.getCodeStrings(method)) as EmbeddedResource;
                    if (resource == null)
                    {
                        throw new ApplicationException("Could not find strings resource");
                    }
                    if (stringsResource != null && stringsResource != resource)
                    {
                        throw new ApplicationException("Two different string resources found");
                    }

                    stringsResource          = resource;
                    encryptedResource.Method = method;

                    var info = new DecrypterInfo(method, null, null);
                    simpleDeobfuscator.deobfuscate(info.method);
                    findKeyIv(info.method, out info.key, out info.iv);

                    decrypterInfos.Add(info);
                }
            }

            if (decrypterInfos.Count > 0)
            {
                findOtherStringDecrypter(decrypterInfos[0].method.DeclaringType);
            }
        }
Beispiel #4
0
        public void find()
        {
            var additionalTypes = new string[] {
                "System.IntPtr",
//				"System.Reflection.Assembly",		//TODO: Not in unknown DNR version with jitter support
            };
            var checkedMethods = new Dictionary <MethodReferenceAndDeclaringTypeKey, bool>();
            var callCounter    = new CallCounter();
            int typesLeft      = 30;

            foreach (var type in module.GetTypes())
            {
                var cctor = DotNetUtils.getMethod(type, ".cctor");
                if (cctor == null || cctor.Body == null)
                {
                    continue;
                }
                if (typesLeft-- <= 0)
                {
                    break;
                }

                foreach (var method in DotNetUtils.getCalledMethods(module, cctor))
                {
                    var key = new MethodReferenceAndDeclaringTypeKey(method);
                    if (!checkedMethods.ContainsKey(key))
                    {
                        checkedMethods[key] = false;
                        if (method.DeclaringType.BaseType == null || method.DeclaringType.BaseType.FullName != "System.Object")
                        {
                            continue;
                        }
                        if (!DotNetUtils.isMethod(method, "System.Void", "()"))
                        {
                            continue;
                        }
                        if (!encryptedResource.couldBeResourceDecrypter(method, additionalTypes))
                        {
                            continue;
                        }
                        checkedMethods[key] = true;
                    }
                    else if (!checkedMethods[key])
                    {
                        continue;
                    }
                    callCounter.add(method);
                }
            }

            encryptedResource.Method = (MethodDefinition)callCounter.most();
        }
Beispiel #5
0
		public void find(ISimpleDeobfuscator simpleDeobfuscator) {
			var additionalTypes = new string[] {
				"System.String",
			};
			foreach (var type in module.Types) {
				if (type.BaseType == null || type.BaseType.FullName != "System.Object")
					continue;
				if (!checkFields(type.Fields))
					continue;
				foreach (var method in type.Methods) {
					if (!method.IsStatic || !method.HasBody)
						continue;
					if (!DotNetUtils.isMethod(method, "System.Reflection.Assembly", "(System.Object,System.ResolveEventArgs)") &&
						!DotNetUtils.isMethod(method, "System.Reflection.Assembly", "(System.Object,System.Object)"))
						continue;
					if (!encryptedResource.couldBeResourceDecrypter(method, additionalTypes, false))
						continue;

					encryptedResource.Method = method;
					return;
				}
			}
		}