public void Find(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
foreach (var type in module.Types) {
if (type.Fields.Count != 1)
continue;
if (type.HasNestedTypes || type.HasGenericParameters || type.IsValueType)
continue;
if (DotNetUtils.GetField(type, "System.Reflection.Assembly") == null)
continue;
if (type.FindStaticConstructor() == null)
continue;
var getStream2 = GetTheOnlyMethod(type, "System.IO.Stream", "(System.Reflection.Assembly,System.Type,System.String)");
var getNames = GetTheOnlyMethod(type, "System.String[]", "(System.Reflection.Assembly)");
var getRefAsms = GetTheOnlyMethod(type, "System.Reflection.AssemblyName[]", "(System.Reflection.Assembly)");
var bitmapCtor = GetTheOnlyMethod(type, "System.Drawing.Bitmap", "(System.Type,System.String)");
var iconCtor = GetTheOnlyMethod(type, "System.Drawing.Icon", "(System.Type,System.String)");
if (getStream2 == null && getNames == null && getRefAsms == null &&
bitmapCtor == null && iconCtor == null)
continue;
var resource = FindGetManifestResourceStreamTypeResource(type, simpleDeobfuscator, deob);
if (resource == null && getStream2 != null)
continue;
getManifestResourceStreamType = type;
CreateGetManifestResourceStream2(getStream2);
CreateGetManifestResourceNames(getNames);
CreateGetReferencedAssemblies(getRefAsms);
CreateBitmapCtor(bitmapCtor);
CreateIconCtor(iconCtor);
getManifestResourceStreamTypeResource = resource;
break;
}
}
public void Find() {
var requiredTypes = new string[] {
"System.Reflection.Assembly",
"System.Object",
"System.Int32",
"System.String[]",
};
foreach (var type in module.Types) {
if (type.HasEvents)
continue;
if (!new FieldTypes(type).All(requiredTypes))
continue;
MethodDef regMethod, handler;
if (!BabelUtils.FindRegisterMethod(type, out regMethod, out handler))
continue;
var resource = BabelUtils.FindEmbeddedResource(module, type);
if (resource == null)
continue;
var decryptMethod = FindDecryptMethod(type);
if (decryptMethod == null)
throw new ApplicationException("Couldn't find resource type decrypt method");
resourceDecrypter.DecryptMethod = ResourceDecrypter.FindDecrypterMethod(decryptMethod);
InitXorKeys(decryptMethod);
resolverType = type;
registerMethod = regMethod;
encryptedResource = resource;
return;
}
}
public byte[] decrypt(EmbeddedResource resource)
{
if (!CanDecrypt)
throw new ApplicationException("Can't decrypt resources");
var encryptedData = resource.GetResourceData();
return decrypt(encryptedData);
}
public AssemblyInfo(byte[] data, EmbeddedResource resource, string asmFullName, string asmSimpleName, string extension) {
this.data = data;
this.resource = resource;
this.asmFullName = asmFullName;
this.asmSimpleName = asmSimpleName;
this.extension = extension;
}
public AssemblyInfo(byte[] data, string fullName, string simpleName, string extension, EmbeddedResource resource) {
this.data = data;
this.fullName = fullName;
this.simpleName = simpleName;
this.extension = extension;
this.resource = resource;
}
public Csvm(IDeobfuscatorContext deobfuscatorContext, ModuleDefMD module, Csvm oldOne) {
this.deobfuscatorContext = deobfuscatorContext;
this.module = module;
if (oldOne.resource != null)
this.resource = (EmbeddedResource)module.Resources[oldOne.module.Resources.IndexOf(oldOne.resource)];
if (oldOne.vmAssemblyRef != null)
this.vmAssemblyRef = module.ResolveAssemblyRef(oldOne.vmAssemblyRef.Rid);
}
public EmbeddedAssemblyInfo(EmbeddedResource resource, byte[] data, string asmFullName, ModuleKind kind) {
this.resource = resource;
this.data = data;
this.asmFullName = asmFullName;
this.asmSimpleName = Utils.GetAssemblySimpleName(asmFullName);
this.kind = kind;
this.extension = DeobUtils.GetExtension(kind);
}
public virtual byte[] GetMethodsData(EmbeddedResource resource) {
var reader = resource.Data;
reader.Position = startOffset;
if ((reader.ReadInt32() & 1) != 0)
return Decompress(reader);
else
return reader.ReadRemainingBytes();
}
public ResXProjectFile(ModuleDef module, string filename, string typeFullName, EmbeddedResource er) {
this.filename = filename;
TypeFullName = typeFullName;
embeddedResource = er;
newToOldAsm = new Dictionary<IAssembly, IAssembly>(new AssemblyNameComparer(AssemblyNameComparerFlags.All & ~AssemblyNameComparerFlags.Version));
foreach (var asmRef in module.GetAssemblyRefs())
newToOldAsm[asmRef] = asmRef;
}
public void Initialize(ResourceDecrypter resourceDecrypter) {
if (decryptedData != null || stringDecrypterType == null)
return;
var resourceName = GetResourceName();
stringResource = DotNetUtils.GetResource(module, resourceName) as EmbeddedResource;
if (stringResource == null)
return;
Logger.v("Adding string decrypter. Resource: {0}", Utils.ToCsharpString(stringResource.Name));
decryptedData = resourceDecrypter.Decrypt(stringResource.GetResourceStream());
}
public void Initialize() {
if (installMethod == null)
return;
if (!FindKeys())
throw new ApplicationException("Could not find keys");
if ((resource = FindResource(key0)) == null)
throw new ApplicationException("Could not find resource");
constants = DecryptResource(resource.GetResourceData());
FindDecrypters();
}
bool FindStringsResource2(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator, MethodDef initMethod) {
if (initMethod == null)
return false;
stringsResource = FindStringResource(initMethod);
if (stringsResource != null)
return true;
simpleDeobfuscator.DecryptStrings(initMethod, deob);
stringsResource = FindStringResource(initMethod);
if (stringsResource != null)
return true;
return false;
}
bool FindStringsResource(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator, MethodDef cctor) {
if (stringsResource != null)
return true;
if (decrypterVersion <= StringDecrypterVersion.V3) {
stringsResource = DotNetUtils.GetResource(module, (module.Mvid ?? Guid.NewGuid()).ToString("B")) as EmbeddedResource;
if (stringsResource != null)
return true;
}
if (FindStringsResource2(deob, simpleDeobfuscator, cctor))
return true;
if (FindStringsResource2(deob, simpleDeobfuscator, stringDecrypterMethod))
return true;
return false;
}
public void Find() {
foreach (var tmp in module.Resources) {
var resource = tmp as EmbeddedResource;
if (resource == null)
continue;
if (!resource.Name.String.EndsWith(".resources", StringComparison.Ordinal))
continue;
string ns, name;
SplitTypeName(resource.Name.String.Substring(0, resource.Name.String.Length - 10), out ns, out name);
var type = new TypeRefUser(module, ns, name, module).Resolve();
if (type == null)
continue;
if (!CheckDecrypterType(type))
continue;
encryptedResource = resource;
decrypterType = type;
break;
}
}
static void Execute(ILSpyTreeNode[] nodes)
{
if (!CanExecute(nodes))
return;
var rsrcListNode = Utils.GetResourceListTreeNode(nodes);
var module = ILSpyTreeNode.GetModule(nodes[0]);
Debug.Assert(module != null);
if (module == null)
throw new InvalidOperationException();
var dlg = new WF.OpenFileDialog {
RestoreDirectory = true,
Multiselect = true,
};
if (dlg.ShowDialog() != WF.DialogResult.OK)
return;
var fnames = dlg.FileNames;
if (fnames.Length == 0)
return;
var newNodes = new ResourceTreeNode[fnames.Length];
for (int i = 0; i < fnames.Length; i++) {
var fn = fnames[i];
try {
var rsrc = new EmbeddedResource(Path.GetFileName(fn), File.ReadAllBytes(fn), ManifestResourceAttributes.Public);
newNodes[i] = ResourceFactory.Create(module, rsrc);
}
catch (Exception ex) {
MainWindow.Instance.ShowMessageBox(string.Format("Error reading files: {0}", ex.Message));
return;
}
}
UndoCommandManager.Instance.Add(new CreateFileResourceCommand(rsrcListNode, newNodes));
}
protected static byte[] DecryptResourceV41SL(EmbeddedResource resource) {
var data = resource.GetResourceData();
byte k = data[0];
for (int i = 0; i < data.Length - 1; i++)
data[i + 1] ^= (byte)((k << (i & 5)) + i);
return InflateIfNeeded(data, 1, data.Length - 1);
}
static ResourceElementSet TryCreateResourceElementSet(ModuleDef module, EmbeddedResource er) {
if (er == null)
return null;
er.Data.Position = 0;
if (!ResourceReader.CouldBeResourcesFile(er.Data))
return null;
try {
er.Data.Position = 0;
return ResourceReader.Read(module, er.Data);
}
catch {
return null;
}
}
ResXProjectFile CreateResXFile(ModuleDef module, EmbeddedResource er, ResourceElementSet set, string filename, string typeFullName, bool isSatellite) {
Debug.Assert(options.CreateResX);
if (!options.CreateResX)
throw new InvalidOperationException();
return new ResXProjectFile(module, filename, typeFullName, er) {
IsSatelliteFile = isSatellite,
};
}
IEnumerable<ProjectFile> CreateEmbeddedResourceFiles(ModuleDef module, ResourceNameCreator resourceNameCreator, EmbeddedResource er) {
if (!options.UnpackResources) {
yield return CreateRawEmbeddedResourceProjectFile(module, resourceNameCreator, er);
yield break;
}
er.Data.Position = 0;
if (ResourceReader.CouldBeResourcesFile(er.Data)) {
var files = TryCreateResourceFiles(module, resourceNameCreator, er);
if (files != null) {
foreach (var file in files)
yield return file;
yield break;
}
}
yield return CreateRawEmbeddedResourceProjectFile(module, resourceNameCreator, er);
}
AssemblyInfo GetAssemblyInfo(byte[] decryptedData, EmbeddedResource resource) {
var asm = AssemblyDef.Load(decryptedData);
var fullName = asm.FullName;
var simpleName = asm.Name.String;
var extension = DeobUtils.GetExtension(asm.Modules[0].Kind);
return new AssemblyInfo(decryptedData, fullName, simpleName, extension, resource);
}
AssemblyInfo GetAssemblyInfo(EmbeddedResource resource, Func<EmbeddedResource, byte[]> decrypter) {
try {
var decrypted = decrypter(resource);
return GetAssemblyInfo(decrypted, resource);
}
catch (Exception) {
return null;
}
}
public override byte[] GetMethodsData(EmbeddedResource resource) {
var reader = resource.Data;
reader.Position = startOffset;
var decrypted = new byte[reader.Read7BitEncodedUInt32()];
uint origCrc32 = reader.ReadUInt32();
long pos = reader.Position;
var keys = new byte[][] { decryptionKey, decryptionKey6, decryptionKey7 };
foreach (var key in keys) {
try {
reader.Position = pos;
Decompress(decrypted, reader, key, decryptionKeyMod);
uint crc32 = CRC32.CheckSum(decrypted);
if (crc32 == origCrc32)
return decrypted;
}
catch (OutOfMemoryException) {
}
catch (IOException) {
}
}
throw new ApplicationException("Could not decrypt methods data");
}
List<ProjectFile> TryCreateResourceFiles(ModuleDef module, ResourceNameCreator resourceNameCreator, EmbeddedResource er) {
ResourceElementSet set;
try {
er.Data.Position = 0;
set = ResourceReader.Read(module, er.Data);
}
catch {
return null;
}
if (IsXamlResource(module, er.Name, set))
return CreateXamlResourceFiles(module, resourceNameCreator, set).ToList();
if (options.CreateResX) {
string typeFullName;
string filename = resourceNameCreator.GetResxFilename(er.Name, out typeFullName);
return new List<ProjectFile>() { CreateResXFile(module, er, set, filename, typeFullName, false) };
}
return null;
}
public void Find() {
var method = module.EntryPoint;
if (!CheckEntryPoint(method))
return;
MethodDef decryptAssemblyMethod;
var mainKey = GetMainResourceKey(method, out decryptAssemblyMethod);
if (mainKey == null)
return;
DeobfuscateAll(decryptAssemblyMethod);
ModuleDefMD theResourceModule;
var resource = GetResource(decryptAssemblyMethod, out theResourceModule);
if (resource == null)
return;
string password, salt;
if (!GetPassword(decryptAssemblyMethod, out password, out salt))
return;
entryPointAssemblyKey = mainKey;
resourcePassword = password;
resourceSalt = salt;
assemblyResource = resource;
resourceModule = theResourceModule;
DecryptAllAssemblies();
}
RawEmbeddedResourceProjectFile CreateRawEmbeddedResourceProjectFile(ModuleDef module, ResourceNameCreator resourceNameCreator, EmbeddedResource er) {
return new RawEmbeddedResourceProjectFile(resourceNameCreator.GetResourceFilename(er.Name), er);
}
void rename(TypeDef type, EmbeddedResource resource)
{
newNames.Clear();
resource.Data.Position = 0;
var resourceSet = ResourceReader.read(module, resource.Data);
var renamed = new List<RenameInfo>();
foreach (var elem in resourceSet.ResourceElements) {
if (nameChecker.isValidResourceKeyName(elem.Name)) {
newNames.Add(elem.Name, true);
continue;
}
renamed.Add(new RenameInfo(elem, getNewName(elem)));
}
if (renamed.Count == 0)
return;
rename(type, renamed);
var outStream = new MemoryStream();
ResourceWriter.write(module, outStream, resourceSet);
var newResource = new EmbeddedResource(resource.Name, outStream.ToArray(), resource.Attributes);
int resourceIndex = module.Resources.IndexOf(resource);
if (resourceIndex < 0)
throw new ApplicationException("Could not find index of resource");
module.Resources[resourceIndex] = newResource;
}
void dumpEmbeddedFile(EmbeddedResource resource, string assemblyName, string extension, string reason)
{
DeobfuscatedFile.createAssemblyFile(resourceDecrypter.decrypt(resource.GetResourceStream()), Utils.getAssemblySimpleName(assemblyName), extension);
addResourceToBeRemoved(resource, reason);
}
static bool HasXamlFiles(ModuleDef module, EmbeddedResource rsrc) {
try {
rsrc.Data.Position = 0;
var rsrcSet = ResourceReader.Read(module, rsrc.Data);
foreach (var elem in rsrcSet.ResourceElements) {
if (elem.Name.EndsWith(".baml"))
return true;
}
}
catch {
}
return false;
}
protected static byte[] DecryptResourceV3(EmbeddedResource resource) {
return DecryptResourceV3(resource.GetResourceData());
}
public void Initialize(ResourceDecrypter resourceDecrypter) {
if (decrypterType == null)
return;
encryptedResource = CoUtils.GetResource(module, DotNetUtils.GetCodeStrings(decrypterType.FindStaticConstructor()));
encryptedResource.Data.Position = 0;
constantsData = resourceDecrypter.Decrypt(encryptedResource.Data.CreateStream());
}
