Beispiel #1
0
 protected override void ScanForObfuscator()
 {
     methodsDecrypter = new MethodsDecrypter(module);
     methodsDecrypter.Find();
     proxyCallFixer = new ProxyCallFixer(module, DeobfuscatedFile);
     proxyCallFixer.FindDelegateCreator(module);
     stringDecrypter = new StringDecrypter(module);
     stringDecrypter.Find(DeobfuscatedFile);
     booleanDecrypter = new BooleanDecrypter(module);
     booleanDecrypter.Find();
     assemblyResolver = new AssemblyResolver(module);
     assemblyResolver.Find(DeobfuscatedFile);
     obfuscatorName = DetectVersion();
     if (unpackedNativeFile)
     {
         obfuscatorName += " (native)";
     }
     resourceResolver = new ResourceResolver(module);
     resourceResolver.Find(DeobfuscatedFile);
 }
Beispiel #2
0
        public override void DeobfuscateBegin()
        {
            base.DeobfuscateBegin();

            proxyCallFixer = new ProxyCallFixer(Module, DeobfuscatedFile);
            proxyCallFixer.FindDelegateCreator();
            proxyCallFixer.Find();

            stringDecrypter.Initialize(peImage, fileData, DeobfuscatedFile);
            if (!stringDecrypter.Detected)
            {
                FreePEImage();
            }
            booleanDecrypter.Initialize(fileData, DeobfuscatedFile);
            booleanValueInliner = new BooleanValueInliner();
            emptyClass          = new EmptyClass(Module);

            if (options.DecryptBools)
            {
                booleanValueInliner.Add(booleanDecrypter.Method, (method, gim, args) => {
                    return(booleanDecrypter.Decrypt((int)args[0]));
                });
            }

            foreach (var info in stringDecrypter.DecrypterInfos)
            {
                staticStringInliner.Add(info.method, (method2, gim, args) => {
                    return(stringDecrypter.Decrypt(method2, (int)args[0]));
                });
            }
            if (stringDecrypter.OtherStringDecrypter != null)
            {
                staticStringInliner.Add(stringDecrypter.OtherStringDecrypter, (method2, gim, args) => {
                    return(stringDecrypter.Decrypt((string)args[0]));
                });
            }
            DeobfuscatedFile.StringDecryptersAdded();

            metadataTokenObfuscator = new MetadataTokenObfuscator(Module);
            antiStrongname          = new AntiStrongName(GetDecrypterType());

            bool removeResourceResolver = false;

            if (options.DecryptResources)
            {
                resourceResolver.Initialize(DeobfuscatedFile, this);
                DecryptResources();
                if (options.InlineMethods)
                {
                    AddTypeToBeRemoved(resourceResolver.Type, "Resource decrypter type");
                    removeResourceResolver = true;
                }
                AddEntryPointCallToBeRemoved(resourceResolver.InitMethod);
                AddCctorInitCallToBeRemoved(resourceResolver.InitMethod);
            }
            if (resourceResolver.Detected && !removeResourceResolver && !resourceResolver.FoundResource)
            {
                canRemoveDecrypterType = false;                 // There may be calls to its .ctor
            }
            if (Operations.DecryptStrings != OpDecryptString.None)
            {
                AddResourceToBeRemoved(stringDecrypter.Resource, "Encrypted strings");
            }
            else
            {
                canRemoveDecrypterType = false;
            }

            if (options.DecryptMethods && !methodsDecrypter.HasNativeMethods)
            {
                AddResourceToBeRemoved(methodsDecrypter.Resource, "Encrypted methods");
                AddCctorInitCallToBeRemoved(methodsDecrypter.Method);
            }
            else
            {
                canRemoveDecrypterType = false;
            }

            if (options.DecryptBools)
            {
                AddResourceToBeRemoved(booleanDecrypter.Resource, "Encrypted booleans");
            }
            else
            {
                canRemoveDecrypterType = false;
            }

            if (!options.RemoveAntiStrongName)
            {
                canRemoveDecrypterType = false;
            }

            // The inlined methods may contain calls to the decrypter class
            if (!options.InlineMethods)
            {
                canRemoveDecrypterType = false;
            }

            if (options.DumpEmbeddedAssemblies)
            {
                if (options.InlineMethods)
                {
                    AddTypeToBeRemoved(assemblyResolver.Type, "Assembly resolver");
                }
                AddEntryPointCallToBeRemoved(assemblyResolver.InitMethod);
                AddCctorInitCallToBeRemoved(assemblyResolver.InitMethod);
                DumpEmbeddedAssemblies();
            }

            if (options.InlineMethods)
            {
                AddTypeToBeRemoved(metadataTokenObfuscator.Type, "Metadata token obfuscator");
            }

            AddCctorInitCallToBeRemoved(emptyClass.Method);
            AddCtorInitCallToBeRemoved(emptyClass.Method);
            AddEntryPointCallToBeRemoved(emptyClass.Method);
            if (options.InlineMethods)
            {
                AddTypeToBeRemoved(emptyClass.Type, "Empty class");
            }

            startedDeobfuscating = true;
        }
		public override void DeobfuscateBegin() {
			base.DeobfuscateBegin();

			proxyCallFixer = new ProxyCallFixer(module, DeobfuscatedFile);
			proxyCallFixer.FindDelegateCreator();
			proxyCallFixer.Find();

			stringDecrypter.Initialize(peImage, fileData, DeobfuscatedFile);
			if (!stringDecrypter.Detected)
				FreePEImage();
			booleanDecrypter.Initialize(fileData, DeobfuscatedFile);
			booleanValueInliner = new BooleanValueInliner();
			emptyClass = new EmptyClass(module);

			if (options.DecryptBools) {
				booleanValueInliner.Add(booleanDecrypter.Method, (method, gim, args) => {
					return booleanDecrypter.Decrypt((int)args[0]);
				});
			}

			foreach (var info in stringDecrypter.DecrypterInfos) {
				staticStringInliner.Add(info.method, (method2, gim, args) => {
					return stringDecrypter.Decrypt(method2, (int)args[0]);
				});
			}
			if (stringDecrypter.OtherStringDecrypter != null) {
				staticStringInliner.Add(stringDecrypter.OtherStringDecrypter, (method2, gim, args) => {
					return stringDecrypter.Decrypt((string)args[0]);
				});
			}
			DeobfuscatedFile.StringDecryptersAdded();

			metadataTokenObfuscator = new MetadataTokenObfuscator(module);
			antiStrongname = new AntiStrongName(GetDecrypterType());

			bool removeResourceResolver = false;
			if (options.DecryptResources) {
				resourceResolver.Initialize(DeobfuscatedFile, this);
				DecryptResources();
				if (options.InlineMethods) {
					AddTypeToBeRemoved(resourceResolver.Type, "Resource decrypter type");
					removeResourceResolver = true;
				}
				AddEntryPointCallToBeRemoved(resourceResolver.InitMethod);
				AddCctorInitCallToBeRemoved(resourceResolver.InitMethod);
			}
			if (resourceResolver.Detected && !removeResourceResolver && !resourceResolver.FoundResource)
				canRemoveDecrypterType = false;	// There may be calls to its .ctor

			if (Operations.DecryptStrings != OpDecryptString.None)
				AddResourceToBeRemoved(stringDecrypter.Resource, "Encrypted strings");
			else
				canRemoveDecrypterType = false;

			if (options.DecryptMethods && !methodsDecrypter.HasNativeMethods) {
				AddResourceToBeRemoved(methodsDecrypter.Resource, "Encrypted methods");
				AddCctorInitCallToBeRemoved(methodsDecrypter.Method);
			}
			else
				canRemoveDecrypterType = false;

			if (options.DecryptBools)
				AddResourceToBeRemoved(booleanDecrypter.Resource, "Encrypted booleans");
			else
				canRemoveDecrypterType = false;

			if (!options.RemoveAntiStrongName)
				canRemoveDecrypterType = false;

			// The inlined methods may contain calls to the decrypter class
			if (!options.InlineMethods)
				canRemoveDecrypterType = false;

			if (options.DumpEmbeddedAssemblies) {
				if (options.InlineMethods)
					AddTypeToBeRemoved(assemblyResolver.Type, "Assembly resolver");
				AddEntryPointCallToBeRemoved(assemblyResolver.InitMethod);
				AddCctorInitCallToBeRemoved(assemblyResolver.InitMethod);
				DumpEmbeddedAssemblies();
			}

			if (options.InlineMethods)
				AddTypeToBeRemoved(metadataTokenObfuscator.Type, "Metadata token obfuscator");

			AddCctorInitCallToBeRemoved(emptyClass.Method);
			AddCtorInitCallToBeRemoved(emptyClass.Method);
			AddEntryPointCallToBeRemoved(emptyClass.Method);
			if (options.InlineMethods)
				AddTypeToBeRemoved(emptyClass.Type, "Empty class");

			startedDeobfuscating = true;
		}