public void Find(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) { foreach (var type in module.Types) { if (type.Fields.Count != 1) continue; if (type.HasNestedTypes || type.HasGenericParameters || type.IsValueType) continue; if (DotNetUtils.GetField(type, "System.Reflection.Assembly") == null) continue; if (type.FindStaticConstructor() == null) continue; var getStream2 = GetTheOnlyMethod(type, "System.IO.Stream", "(System.Reflection.Assembly,System.Type,System.String)"); var getNames = GetTheOnlyMethod(type, "System.String[]", "(System.Reflection.Assembly)"); var getRefAsms = GetTheOnlyMethod(type, "System.Reflection.AssemblyName[]", "(System.Reflection.Assembly)"); var bitmapCtor = GetTheOnlyMethod(type, "System.Drawing.Bitmap", "(System.Type,System.String)"); var iconCtor = GetTheOnlyMethod(type, "System.Drawing.Icon", "(System.Type,System.String)"); if (getStream2 == null && getNames == null && getRefAsms == null && bitmapCtor == null && iconCtor == null) continue; var resource = FindGetManifestResourceStreamTypeResource(type, simpleDeobfuscator, deob); if (resource == null && getStream2 != null) continue; getManifestResourceStreamType = type; CreateGetManifestResourceStream2(getStream2); CreateGetManifestResourceNames(getNames); CreateGetReferencedAssemblies(getRefAsms); CreateBitmapCtor(bitmapCtor); CreateIconCtor(iconCtor); getManifestResourceStreamTypeResource = resource; break; } }
public void Find() { var requiredTypes = new string[] { "System.Reflection.Assembly", "System.Object", "System.Int32", "System.String[]", }; foreach (var type in module.Types) { if (type.HasEvents) continue; if (!new FieldTypes(type).All(requiredTypes)) continue; MethodDef regMethod, handler; if (!BabelUtils.FindRegisterMethod(type, out regMethod, out handler)) continue; var resource = BabelUtils.FindEmbeddedResource(module, type); if (resource == null) continue; var decryptMethod = FindDecryptMethod(type); if (decryptMethod == null) throw new ApplicationException("Couldn't find resource type decrypt method"); resourceDecrypter.DecryptMethod = ResourceDecrypter.FindDecrypterMethod(decryptMethod); InitXorKeys(decryptMethod); resolverType = type; registerMethod = regMethod; encryptedResource = resource; return; } }
public byte[] decrypt(EmbeddedResource resource) { if (!CanDecrypt) throw new ApplicationException("Can't decrypt resources"); var encryptedData = resource.GetResourceData(); return decrypt(encryptedData); }
public AssemblyInfo(byte[] data, EmbeddedResource resource, string asmFullName, string asmSimpleName, string extension) { this.data = data; this.resource = resource; this.asmFullName = asmFullName; this.asmSimpleName = asmSimpleName; this.extension = extension; }
public AssemblyInfo(byte[] data, string fullName, string simpleName, string extension, EmbeddedResource resource) { this.data = data; this.fullName = fullName; this.simpleName = simpleName; this.extension = extension; this.resource = resource; }
public Csvm(IDeobfuscatorContext deobfuscatorContext, ModuleDefMD module, Csvm oldOne) { this.deobfuscatorContext = deobfuscatorContext; this.module = module; if (oldOne.resource != null) this.resource = (EmbeddedResource)module.Resources[oldOne.module.Resources.IndexOf(oldOne.resource)]; if (oldOne.vmAssemblyRef != null) this.vmAssemblyRef = module.ResolveAssemblyRef(oldOne.vmAssemblyRef.Rid); }
public EmbeddedAssemblyInfo(EmbeddedResource resource, byte[] data, string asmFullName, ModuleKind kind) { this.resource = resource; this.data = data; this.asmFullName = asmFullName; this.asmSimpleName = Utils.GetAssemblySimpleName(asmFullName); this.kind = kind; this.extension = DeobUtils.GetExtension(kind); }
public virtual byte[] GetMethodsData(EmbeddedResource resource) { var reader = resource.Data; reader.Position = startOffset; if ((reader.ReadInt32() & 1) != 0) return Decompress(reader); else return reader.ReadRemainingBytes(); }
public ResXProjectFile(ModuleDef module, string filename, string typeFullName, EmbeddedResource er) { this.filename = filename; TypeFullName = typeFullName; embeddedResource = er; newToOldAsm = new Dictionary<IAssembly, IAssembly>(new AssemblyNameComparer(AssemblyNameComparerFlags.All & ~AssemblyNameComparerFlags.Version)); foreach (var asmRef in module.GetAssemblyRefs()) newToOldAsm[asmRef] = asmRef; }
public void Initialize(ResourceDecrypter resourceDecrypter) { if (decryptedData != null || stringDecrypterType == null) return; var resourceName = GetResourceName(); stringResource = DotNetUtils.GetResource(module, resourceName) as EmbeddedResource; if (stringResource == null) return; Logger.v("Adding string decrypter. Resource: {0}", Utils.ToCsharpString(stringResource.Name)); decryptedData = resourceDecrypter.Decrypt(stringResource.GetResourceStream()); }
public void Initialize() { if (installMethod == null) return; if (!FindKeys()) throw new ApplicationException("Could not find keys"); if ((resource = FindResource(key0)) == null) throw new ApplicationException("Could not find resource"); constants = DecryptResource(resource.GetResourceData()); FindDecrypters(); }
bool FindStringsResource2(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator, MethodDef initMethod) { if (initMethod == null) return false; stringsResource = FindStringResource(initMethod); if (stringsResource != null) return true; simpleDeobfuscator.DecryptStrings(initMethod, deob); stringsResource = FindStringResource(initMethod); if (stringsResource != null) return true; return false; }
bool FindStringsResource(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator, MethodDef cctor) { if (stringsResource != null) return true; if (decrypterVersion <= StringDecrypterVersion.V3) { stringsResource = DotNetUtils.GetResource(module, (module.Mvid ?? Guid.NewGuid()).ToString("B")) as EmbeddedResource; if (stringsResource != null) return true; } if (FindStringsResource2(deob, simpleDeobfuscator, cctor)) return true; if (FindStringsResource2(deob, simpleDeobfuscator, stringDecrypterMethod)) return true; return false; }
public void Find() { foreach (var tmp in module.Resources) { var resource = tmp as EmbeddedResource; if (resource == null) continue; if (!resource.Name.String.EndsWith(".resources", StringComparison.Ordinal)) continue; string ns, name; SplitTypeName(resource.Name.String.Substring(0, resource.Name.String.Length - 10), out ns, out name); var type = new TypeRefUser(module, ns, name, module).Resolve(); if (type == null) continue; if (!CheckDecrypterType(type)) continue; encryptedResource = resource; decrypterType = type; break; } }
static void Execute(ILSpyTreeNode[] nodes) { if (!CanExecute(nodes)) return; var rsrcListNode = Utils.GetResourceListTreeNode(nodes); var module = ILSpyTreeNode.GetModule(nodes[0]); Debug.Assert(module != null); if (module == null) throw new InvalidOperationException(); var dlg = new WF.OpenFileDialog { RestoreDirectory = true, Multiselect = true, }; if (dlg.ShowDialog() != WF.DialogResult.OK) return; var fnames = dlg.FileNames; if (fnames.Length == 0) return; var newNodes = new ResourceTreeNode[fnames.Length]; for (int i = 0; i < fnames.Length; i++) { var fn = fnames[i]; try { var rsrc = new EmbeddedResource(Path.GetFileName(fn), File.ReadAllBytes(fn), ManifestResourceAttributes.Public); newNodes[i] = ResourceFactory.Create(module, rsrc); } catch (Exception ex) { MainWindow.Instance.ShowMessageBox(string.Format("Error reading files: {0}", ex.Message)); return; } } UndoCommandManager.Instance.Add(new CreateFileResourceCommand(rsrcListNode, newNodes)); }
protected static byte[] DecryptResourceV41SL(EmbeddedResource resource) { var data = resource.GetResourceData(); byte k = data[0]; for (int i = 0; i < data.Length - 1; i++) data[i + 1] ^= (byte)((k << (i & 5)) + i); return InflateIfNeeded(data, 1, data.Length - 1); }
static ResourceElementSet TryCreateResourceElementSet(ModuleDef module, EmbeddedResource er) { if (er == null) return null; er.Data.Position = 0; if (!ResourceReader.CouldBeResourcesFile(er.Data)) return null; try { er.Data.Position = 0; return ResourceReader.Read(module, er.Data); } catch { return null; } }
ResXProjectFile CreateResXFile(ModuleDef module, EmbeddedResource er, ResourceElementSet set, string filename, string typeFullName, bool isSatellite) { Debug.Assert(options.CreateResX); if (!options.CreateResX) throw new InvalidOperationException(); return new ResXProjectFile(module, filename, typeFullName, er) { IsSatelliteFile = isSatellite, }; }
IEnumerable<ProjectFile> CreateEmbeddedResourceFiles(ModuleDef module, ResourceNameCreator resourceNameCreator, EmbeddedResource er) { if (!options.UnpackResources) { yield return CreateRawEmbeddedResourceProjectFile(module, resourceNameCreator, er); yield break; } er.Data.Position = 0; if (ResourceReader.CouldBeResourcesFile(er.Data)) { var files = TryCreateResourceFiles(module, resourceNameCreator, er); if (files != null) { foreach (var file in files) yield return file; yield break; } } yield return CreateRawEmbeddedResourceProjectFile(module, resourceNameCreator, er); }
AssemblyInfo GetAssemblyInfo(byte[] decryptedData, EmbeddedResource resource) { var asm = AssemblyDef.Load(decryptedData); var fullName = asm.FullName; var simpleName = asm.Name.String; var extension = DeobUtils.GetExtension(asm.Modules[0].Kind); return new AssemblyInfo(decryptedData, fullName, simpleName, extension, resource); }
AssemblyInfo GetAssemblyInfo(EmbeddedResource resource, Func<EmbeddedResource, byte[]> decrypter) { try { var decrypted = decrypter(resource); return GetAssemblyInfo(decrypted, resource); } catch (Exception) { return null; } }
public override byte[] GetMethodsData(EmbeddedResource resource) { var reader = resource.Data; reader.Position = startOffset; var decrypted = new byte[reader.Read7BitEncodedUInt32()]; uint origCrc32 = reader.ReadUInt32(); long pos = reader.Position; var keys = new byte[][] { decryptionKey, decryptionKey6, decryptionKey7 }; foreach (var key in keys) { try { reader.Position = pos; Decompress(decrypted, reader, key, decryptionKeyMod); uint crc32 = CRC32.CheckSum(decrypted); if (crc32 == origCrc32) return decrypted; } catch (OutOfMemoryException) { } catch (IOException) { } } throw new ApplicationException("Could not decrypt methods data"); }
List<ProjectFile> TryCreateResourceFiles(ModuleDef module, ResourceNameCreator resourceNameCreator, EmbeddedResource er) { ResourceElementSet set; try { er.Data.Position = 0; set = ResourceReader.Read(module, er.Data); } catch { return null; } if (IsXamlResource(module, er.Name, set)) return CreateXamlResourceFiles(module, resourceNameCreator, set).ToList(); if (options.CreateResX) { string typeFullName; string filename = resourceNameCreator.GetResxFilename(er.Name, out typeFullName); return new List<ProjectFile>() { CreateResXFile(module, er, set, filename, typeFullName, false) }; } return null; }
public void Find() { var method = module.EntryPoint; if (!CheckEntryPoint(method)) return; MethodDef decryptAssemblyMethod; var mainKey = GetMainResourceKey(method, out decryptAssemblyMethod); if (mainKey == null) return; DeobfuscateAll(decryptAssemblyMethod); ModuleDefMD theResourceModule; var resource = GetResource(decryptAssemblyMethod, out theResourceModule); if (resource == null) return; string password, salt; if (!GetPassword(decryptAssemblyMethod, out password, out salt)) return; entryPointAssemblyKey = mainKey; resourcePassword = password; resourceSalt = salt; assemblyResource = resource; resourceModule = theResourceModule; DecryptAllAssemblies(); }
RawEmbeddedResourceProjectFile CreateRawEmbeddedResourceProjectFile(ModuleDef module, ResourceNameCreator resourceNameCreator, EmbeddedResource er) { return new RawEmbeddedResourceProjectFile(resourceNameCreator.GetResourceFilename(er.Name), er); }
void rename(TypeDef type, EmbeddedResource resource) { newNames.Clear(); resource.Data.Position = 0; var resourceSet = ResourceReader.read(module, resource.Data); var renamed = new List<RenameInfo>(); foreach (var elem in resourceSet.ResourceElements) { if (nameChecker.isValidResourceKeyName(elem.Name)) { newNames.Add(elem.Name, true); continue; } renamed.Add(new RenameInfo(elem, getNewName(elem))); } if (renamed.Count == 0) return; rename(type, renamed); var outStream = new MemoryStream(); ResourceWriter.write(module, outStream, resourceSet); var newResource = new EmbeddedResource(resource.Name, outStream.ToArray(), resource.Attributes); int resourceIndex = module.Resources.IndexOf(resource); if (resourceIndex < 0) throw new ApplicationException("Could not find index of resource"); module.Resources[resourceIndex] = newResource; }
void dumpEmbeddedFile(EmbeddedResource resource, string assemblyName, string extension, string reason) { DeobfuscatedFile.createAssemblyFile(resourceDecrypter.decrypt(resource.GetResourceStream()), Utils.getAssemblySimpleName(assemblyName), extension); addResourceToBeRemoved(resource, reason); }
static bool HasXamlFiles(ModuleDef module, EmbeddedResource rsrc) { try { rsrc.Data.Position = 0; var rsrcSet = ResourceReader.Read(module, rsrc.Data); foreach (var elem in rsrcSet.ResourceElements) { if (elem.Name.EndsWith(".baml")) return true; } } catch { } return false; }
protected static byte[] DecryptResourceV3(EmbeddedResource resource) { return DecryptResourceV3(resource.GetResourceData()); }
public void Initialize(ResourceDecrypter resourceDecrypter) { if (decrypterType == null) return; encryptedResource = CoUtils.GetResource(module, DotNetUtils.GetCodeStrings(decrypterType.FindStaticConstructor())); encryptedResource.Data.Position = 0; constantsData = resourceDecrypter.Decrypt(encryptedResource.Data.CreateStream()); }