Ejemplo n.º 1
        /// <summary>
        /// Runs a single control-flow cleaning pass over <paramref name="meth"/> and writes the
        /// resulting instructions and exception handlers back into the method.
        /// </summary>
        /// <param name="meth">Method whose body is rebuilt in place.</param>
        /// <remarks>
        /// Every call replaces the shared static <c>CfDeob</c> instance. Nothing in this method
        /// catches exceptions, so a failure in any step propagates to the caller; callers that
        /// walk a whole damaged or hostile assembly need their own per-method error handling.
        /// </remarks>
        public static void DeobfuscateCflow(MethodDef meth)
        {
            // A new deobfuscator per method, stored in the shared static member.
            CfDeob = new BlocksCflowDeobfuscator();
            var methodBlocks = new Blocks(meth);

            // The returned list is not used; the call itself is kept as in the original.
            methodBlocks.MethodBlocks.GetAllBlocks();

            // Normalise the block graph and the branch encoding before the pass runs.
            methodBlocks.RemoveDeadBlocks();
            methodBlocks.RepartitionBlocks();
            methodBlocks.UpdateBlocks();
            methodBlocks.Method.Body.SimplifyBranches();
            methodBlocks.Method.Body.OptimizeBranches();

            // Register the Cflow pass and run it once.
            CfDeob.Initialize(methodBlocks);
            CfDeob.Add(new Cflow());
            CfDeob.Deobfuscate();
            methodBlocks.RepartitionBlocks();

            // Emit the cleaned code and install it as the method body.
            IList<Instruction> cleanedInstructions;
            IList<ExceptionHandler> cleanedHandlers;
            methodBlocks.GetCode(out cleanedInstructions, out cleanedHandlers);
            DotNetUtils.RestoreBody(meth, cleanedInstructions, cleanedHandlers);
        }
 /// <summary>
 /// Walks every type returned by <c>Context.module.GetTypes()</c> and cleans the control flow
 /// of each method that has a body and for which <c>ContainsControlFlow</c> returns true.
 /// </summary>
 /// <remarks>
 /// There is no exception handling here: the first method that makes any step throw ends the
 /// whole walk, and the methods after it are left untouched.
 /// </remarks>
 public static void Execute()
 {
     foreach (TypeDef type in Context.module.GetTypes())
     {
         foreach (MethodDef method in type.Methods)
         {
             // Skip methods without a body or without the pattern this pass targets.
             if (!method.HasBody || !ContainsControlFlow(method))
             {
                 continue;
             }

             // A new deobfuscator per method, stored in the shared static member.
             CfDeob = new BlocksCflowDeobfuscator();
             var methodBlocks = new Blocks(method);

             // The returned list is not used; the call itself is kept as in the original.
             methodBlocks.MethodBlocks.GetAllBlocks();

             // Normalise the block graph and the branch encoding before the pass runs.
             methodBlocks.RemoveDeadBlocks();
             methodBlocks.RepartitionBlocks();
             methodBlocks.UpdateBlocks();
             methodBlocks.Method.Body.SimplifyBranches();
             methodBlocks.Method.Body.OptimizeBranches();

             CfDeob.Initialize(methodBlocks);
             CfDeob.Add(new ControlFlow_BlockDeobfuscator());
             CfDeob.Deobfuscate();
             methodBlocks.RepartitionBlocks();

             // Emit the cleaned code and install it as the method body.
             IList<Instruction> cleanedInstructions;
             IList<ExceptionHandler> cleanedHandlers;
             methodBlocks.GetCode(out cleanedInstructions, out cleanedHandlers);
             DotNetUtils.RestoreBody(method, cleanedInstructions, cleanedHandlers);
         }
     }
 }
        /// <summary>
        /// Runs the <c>De4DotClass</c> and <c>VariableMelting</c> passes over
        /// <paramref name="meth"/> and writes the resulting code back into the method.
        /// </summary>
        /// <param name="meth">Method whose body is rebuilt in place.</param>
        /// <remarks>
        /// Uses whatever instance the static <c>CfDeob</c> member currently holds; this method
        /// does not create one. It also replaces the static <c>Inemu</c> emulator.
        /// NOTE(review): if <c>Add</c> appends to a list kept by that instance, repeated calls
        /// would stack duplicate passes - confirm against BlocksCflowDeobfuscator.
        /// </remarks>
        public static void DeobfuscateCflow2(MethodDef meth)
        {
            Blocks methodBlocks = new Blocks(meth);

            CfDeob.Initialize(methodBlocks);

            // The emulator is created after Initialize, in the same order as the original.
            Inemu = new InstructionEmulator(meth);

            CfDeob.Add(new De4DotClass());
            CfDeob.Add(new VariableMelting());
            CfDeob.Deobfuscate();
            methodBlocks.RepartitionBlocks();

            // Emit the cleaned code and install it as the method body.
            IList<Instruction> cleanedInstructions;
            IList<ExceptionHandler> cleanedHandlers;
            methodBlocks.GetCode(out cleanedInstructions, out cleanedHandlers);
            DotNetUtils.RestoreBody(meth, cleanedInstructions, cleanedHandlers);
        }
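        /// <summary>
        /// Cleans the control flow of every method in every module of <c>Globals.ASM</c> that has
        /// a body and for which <c>ContainsControlFlow</c> returns true, then prints a summary.
        /// </summary>
        /// <remarks>
        /// Failures are handled per method: a method that cannot be processed is counted and
        /// reported with the exception type and message, and the walk continues. Previously the
        /// first exception ended the whole phase, its details were discarded, and the summary
        /// still read as a success, so an analyst could not tell that most of the assembly had
        /// not been processed. This method still never throws to its caller.
        /// </remarks>
        private static void ControlFlowClean()
        {
            int failedMethods = 0;

            try
            {
                foreach (ModuleDef module in Globals.ASM.Modules)      // every module in the assembly
                {
                    foreach (TypeDef type in module.GetTypes())        // every type, nested types included
                    {
                        foreach (MethodDef method in type.Methods)     // every method of the type
                        {
                            try
                            {
                                // Only methods with a body that contain the switch-based pattern
                                // used by the Agile control flow are processed.
                                if (!method.HasBody || !ContainsControlFlow(method))
                                {
                                    continue;
                                }

                                // A new deobfuscator per method, stored in the shared static member.
                                CfDeob = new BlocksCflowDeobfuscator();
                                Blocks blocks = new Blocks(method);

                                // Normalise the block graph and the branch encoding first.
                                blocks.RemoveDeadBlocks();
                                blocks.RepartitionBlocks();
                                blocks.UpdateBlocks();
                                blocks.Method.Body.SimplifyBranches();
                                blocks.Method.Body.OptimizeBranches();

                                CfDeob.Initialize(blocks);
                                CfDeob.Add(new ControlFlow());
                                CfDeob.Deobfuscate();
                                blocks.RepartitionBlocks();

                                // Emit the cleaned code and install it as the method body.
                                IList<Instruction> instructions;
                                IList<ExceptionHandler> exceptionHandlers;
                                blocks.GetCode(out instructions, out exceptionHandlers);
                                DotNetUtils.RestoreBody(method, instructions, exceptionHandlers);

                                controlflowCleaned++;
                            }
                            catch (Exception ex)
                            {
                                // The branch simplification above edits the body in place, so a
                                // failed method may be left partly rewritten; count it so the
                                // summary does not overstate what was cleaned.
                                failedMethods++;
                                Console.ForegroundColor = ConsoleColor.Red;
                                Console.WriteLine(string.Format("[-] Controlflow cleaning failed for a method ({0}: {1})", ex.GetType().Name, ex.Message));
                            }
                        }
                    }
                }
            }
            catch (Exception ex)
            {
                // Reached only when walking the modules, types or methods itself fails.
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine("[-] Looks like something bad happened in the controlflow phase, please contact me to fix this issue.");
                Console.WriteLine(string.Format("[-] {0}: {1}", ex.GetType().Name, ex.Message));
            }

            if (failedMethods > 0)
            {
                Console.ForegroundColor = ConsoleColor.Red;
                Console.WriteLine(string.Format("[-] Controlflow could not be cleaned in {0} methods", failedMethods));
            }

            // Printed last so the console is left green, as before.
            Console.ForegroundColor = ConsoleColor.Green;
            Console.WriteLine(string.Format("[+] Controlflow cleaned in {0} methods", controlflowCleaned));
        }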
Ejemplo n.º 5
        /// <summary>
        /// Cleans the control flow of every method in <paramref name="moduleDef"/> that has a body
        /// and for which <c>HasCF</c> returns true.
        /// </summary>
        /// <param name="moduleDef">Module whose methods are rewritten in place.</param>
        /// <returns>
        /// A pair: the number of methods processed without an exception, then the number that
        /// threw.
        /// </returns>
        /// <remarks>
        /// Failures are isolated per method, so one bad body does not stop the walk. The failure
        /// line prints the type and method names exactly as they are stored in the analysed
        /// module, unescaped.
        /// </remarks>
        public static (int, int) RemoveCF(ModuleDef moduleDef)
        {
            int cleaned = 0;
            int errors = 0;

            foreach (TypeDef type in moduleDef.GetTypes())
            {
                foreach (MethodDef method in type.Methods)
                {
                    // Skip methods without a body or without the pattern this pass targets.
                    if (!method.HasBody || !HasCF(method))
                    {
                        continue;
                    }

                    try
                    {
                        BlocksCflowDeobfuscator pass = new BlocksCflowDeobfuscator();
                        var methodBlocks = new Blocks(method);

                        // The returned list is not used; the call itself is kept as in the original.
                        methodBlocks.MethodBlocks.GetAllBlocks();

                        // Normalise the block graph, refreshing the blocks after each branch rewrite.
                        methodBlocks.RemoveDeadBlocks();
                        methodBlocks.RepartitionBlocks();
                        methodBlocks.UpdateBlocks();
                        methodBlocks.Method.Body.OptimizeBranches();
                        methodBlocks.UpdateBlocks();
                        methodBlocks.Method.Body.SimplifyBranches();
                        methodBlocks.UpdateBlocks();

                        pass.Initialize(methodBlocks);
                        pass.Add(new ControlFlow_BlockDeobfuscator());
                        pass.Deobfuscate();
                        methodBlocks.RepartitionBlocks();

                        // Emit the cleaned code and install it as the method body.
                        methodBlocks.GetCode(out IList<Instruction> cleanedInstructions, out IList<ExceptionHandler> cleanedHandlers);
                        DotNetUtils.RestoreBody(method, cleanedInstructions, cleanedHandlers);
                        cleaned++;
                    }
                    catch (Exception e)
                    {
                        Console.WriteLine($"Failed to deobfuscate {method.DeclaringType.Name}:{method.Name} with exception: {e.Message}");
                        errors++;
                    }
                }
            }

            return (cleaned, errors);
        }