bool findNativeCode(byte[] moduleBytes)
{
var bytes = moduleBytes != null ? moduleBytes : DeobUtils.readModule(module);
using (var peImage = new MyPEImage(bytes))
return(foundSig = MethodsDecrypter.detect(peImage));
}
bool find2()
{
foreach (var cctor in DeobUtils.getInitCctors(module, 3))
{
foreach (var calledMethod in DotNetUtils.getCalledMethods(module, cctor))
{
var type = calledMethod.DeclaringType;
if (type.IsPublic)
{
continue;
}
var fieldTypes = new FieldTypes(type);
if (!fieldTypes.exactly(requiredFields1) && !fieldTypes.exactly(requiredFields2) &&
!fieldTypes.exactly(requiredFields3) && !fieldTypes.exactly(requiredFields4))
{
continue;
}
if (!hasInitializeMethod(type, "_Initialize") && !hasInitializeMethod(type, "_Initialize64"))
{
continue;
}
stringDecrypterMethod = findStringDecrypterMethod(type);
initializeMethod = calledMethod;
postInitializeMethod = findMethod(type, "System.Void", "PostInitialize", "()");
loadMethod = findMethod(type, "System.IntPtr", "Load", "()");
cliSecureRtType = type;
return(true);
}
}
return(false);
}
public bool MergeResources(out EmbeddedResource rsrc)
{
rsrc = null;
switch (version)
{
case ResourceVersion.V3:
if (data30.resource == null)
{
return(false);
}
DeobUtils.DecryptAndAddResources(module, data30.resource.Name.String, () => DecryptResourceV3(data30.resource));
rsrc = data30.resource;
return(true);
case ResourceVersion.V40:
return(DecryptResource(data40.resourceField, data40.magic));
case ResourceVersion.V41:
return(DecryptResource(data41.resourceField, data41.magic));
default:
return(true);
}
}
void DecryptStrings(uint[] key)
{
var data = stringDataField.InitialValue;
var encryptedData = new uint[data.Length / 4];
Buffer.BlockCopy(data, 0, encryptedData, 0, data.Length);
DeobUtils.XxteaDecrypt(encryptedData, key);
var decryptedData = new byte[data.Length];
Buffer.BlockCopy(encryptedData, 0, decryptedData, 0, data.Length);
var inflated = DeobUtils.Inflate(decryptedData, 0, decryptedData.Length, true);
var reader = ByteArrayDataReaderFactory.CreateReader(inflated);
/*int deflatedLength = (int)*/ reader.ReadCompressedUInt32();
int numStrings = (int)reader.ReadCompressedUInt32();
decryptedStrings = new string[numStrings];
var offsets = new int[numStrings];
for (int i = 0; i < numStrings; i++)
{
offsets[i] = (int)reader.ReadCompressedUInt32();
}
int startOffset = (int)reader.Position;
for (int i = 0; i < numStrings; i++)
{
reader.Position = (uint)(startOffset + offsets[i]);
decryptedStrings[i] = reader.ReadSerializedString();
}
}
static MethodDef CheckMethods(TypeDef type)
{
MethodDef creatorMethod = null;
foreach (var method in type.Methods)
{
if (method.Body == null)
{
return(null);
}
if (method.Name == ".cctor" || method.Name == ".ctor")
{
continue;
}
if (!DotNetUtils.IsMethod(method, "System.Void", "(System.Int32)"))
{
return(null);
}
if (!DeobUtils.HasInteger(method, 0x02000000))
{
return(null);
}
if (!DeobUtils.HasInteger(method, 0x06000000))
{
return(null);
}
creatorMethod = method;
}
return(creatorMethod);
}
public string Decrypt(MethodDef method, int offset)
{
var info = GetDecrypterInfo(method);
if (info.key == null)
{
int length = BitConverter.ToInt32(decryptedData, offset);
return(Encoding.Unicode.GetString(decryptedData, offset + 4, length));
}
else
{
byte[] encryptedStringData;
if (stringDecrypterVersion == StringDecrypterVersion.VER_37)
{
int fileOffset = BitConverter.ToInt32(decryptedData, offset);
int length = BitConverter.ToInt32(fileData, fileOffset);
encryptedStringData = new byte[length];
Array.Copy(fileData, fileOffset + 4, encryptedStringData, 0, length);
}
else if (stringDecrypterVersion == StringDecrypterVersion.VER_38)
{
uint rva = BitConverter.ToUInt32(decryptedData, offset);
int length = peImage.ReadInt32(rva);
encryptedStringData = peImage.ReadBytes(rva + 4, length);
}
else
{
throw new ApplicationException("Unknown string decrypter version");
}
return(Encoding.Unicode.GetString(DeobUtils.AesDecrypt(encryptedStringData, info.key, info.iv)));
}
}
bool CheckInitMethod(MethodDef method)
{
if (method == null || !method.IsStatic || method.Body == null)
{
return(false);
}
if (!DotNetUtils.IsMethod(method, "System.Void", "()"))
{
return(false);
}
var type = method.DeclaringType;
if (type.NestedTypes.Count != 1)
{
return(false);
}
if (DotNetUtils.GetField(type, "System.Reflection.Assembly") == null)
{
return(false);
}
var resolveHandler = DeobUtils.GetResolveMethod(method);
if (resolveHandler == null)
{
return(false);
}
initMethod = method;
resolverType = type;
handlerMethod = resolveHandler;
return(true);
}
public byte[] decrypt()
{
if (assemblyEncryptedResource == null)
{
return(null);
}
assemblyEncryptedResource.Data.Position = 0;
var reader = new BinaryReader(assemblyEncryptedResource.Data.CreateStream());
var encryptedData = DeobUtils.gunzip(reader.BaseStream, reader.ReadInt32());
reader = new BinaryReader(new MemoryStream(encryptedData));
var serializedData = reader.ReadBytes(reader.ReadInt32());
for (int i = 0; i < serializedData.Length; i++)
{
serializedData[i] ^= 0xAD;
}
var encryptedAssembly = reader.ReadBytes((int)(reader.BaseStream.Length - reader.BaseStream.Position));
var passwordFinder = new PasswordFinder(serializedData);
PasswordInfo mainAsmPassword;
passwordFinder.find(out mainAsmPassword, out embedPassword);
return(decrypt(mainAsmPassword, encryptedAssembly));
}
byte[] Decrypt_v17_r75076(byte[] data)
{
var reader = new BinaryReader(new MemoryStream(data));
data = Decrypt_v15_r60785(reader, out var key, out var iv);
return(SevenZipDecompress(DeobUtils.AesDecrypt(data, key, iv)));
}
static void InitializeNameAndExtension(AssemblyInfo info)
{
try {
var mod = ModuleDefMD.Load(info.Data);
info.AssemblyFullName = mod.Assembly.FullName;
info.SimpleName = mod.Assembly.Name.String;
info.Extension = DeobUtils.GetExtension(mod.Kind);
return;
}
catch {
}
Logger.w("Could not load assembly from decrypted resource {0}", Utils.ToCsharpString(info.ResourceName));
int index = info.Filename.LastIndexOf('.');
if (index < 0)
{
info.SimpleName = info.Filename;
info.Extension = "";
}
else
{
info.SimpleName = info.Filename.Substring(0, index);
info.Extension = info.Filename.Substring(index);
}
}
protected override object checkCctor(TypeDefinition type, MethodDefinition cctor)
{
var instrs = cctor.Body.Instructions;
for (int i = 0; i < instrs.Count - 1; i++)
{
var ldci4 = instrs[i];
if (!DotNetUtils.isLdcI4(ldci4))
{
continue;
}
var call = instrs[i + 1];
if (call.OpCode.Code != Code.Call)
{
continue;
}
if (call.Operand != info.initMethod)
{
continue;
}
int offset = DotNetUtils.getLdcI4Value(ldci4);
reader.BaseStream.Position = offset;
int rid = DeobUtils.readVariableLengthInt32(reader);
if (rid != type.MetadataToken.RID)
{
throw new ApplicationException("Invalid RID");
}
return(string.Empty); // It's non-null
}
return(null);
}
bool CheckInitMethod(MethodDef method)
{
var type = method.DeclaringType;
if (type.NestedTypes.Count < 2 || type.NestedTypes.Count > 6)
{
return(false);
}
if (DotNetUtils.GetPInvokeMethod(type, "kernel32", "MoveFileEx") == null)
{
return(false);
}
var resolveHandler = DeobUtils.GetResolveMethod(method);
if (resolveHandler == null)
{
return(false);
}
if (!DeobUtils.HasInteger(resolveHandler, ',') ||
!DeobUtils.HasInteger(resolveHandler, '|'))
{
return(false);
}
initMethod = method;
resolverType = type;
handlerMethod = resolveHandler;
return(true);
}
static MethodDef GetResolveMethodSilverlight(MethodDef initMethod)
{
foreach (var instr in initMethod.Body.Instructions)
{
if (instr.OpCode.Code != Code.Call)
{
continue;
}
var calledMethod = instr.Operand as MethodDef;
if (calledMethod == null)
{
continue;
}
if (!DotNetUtils.IsMethod(calledMethod, "System.Void", "()"))
{
continue;
}
if (!DeobUtils.HasInteger(calledMethod, ',') ||
!DeobUtils.HasInteger(calledMethod, '|'))
{
continue;
}
return(calledMethod);
}
return(null);
}
string decrypt(int stringId)
{
reader.BaseStream.Position = reader.BaseStream.Length + (stringId * 4 - fileDispl);
uint v0 = reader.ReadUInt32();
uint v1 = reader.ReadUInt32();
DeobUtils.xteaDecrypt(ref v0, ref v1, key, 32);
int utf8Length = (int)v0;
var decrypted = new uint[(utf8Length + 11) / 8 * 2 - 1];
decrypted[0] = v1;
for (int i = 1; i + 1 < decrypted.Length; i += 2)
{
v0 = reader.ReadUInt32();
v1 = reader.ReadUInt32();
DeobUtils.xteaDecrypt(ref v0, ref v1, key, 32);
decrypted[i] = v0;
decrypted[i + 1] = v1;
}
var utf8 = new byte[utf8Length];
Buffer.BlockCopy(decrypted, 0, utf8, 0, utf8.Length);
return(Encoding.UTF8.GetString(utf8));
}
public RealAssemblyInfo(AssemblyDef realAssembly, uint entryPointToken, ModuleKind kind)
{
this.realAssembly = realAssembly;
this.entryPointToken = entryPointToken;
this.kind = kind;
this.moduleName = realAssembly.Name.String + DeobUtils.GetExtension(kind);
}
public static DecrypterV106 Create(ref DataReader reader)
{
try {
int keyXorOffs7 = (ReadByteAt(ref reader, 0) ^ ReadByteAt(ref reader, 2)) + 2;
reader.Position = (uint)(keyXorOffs7 + (ReadByteAt(ref reader, 1) ^ ReadByteAt(ref reader, keyXorOffs7)));
int sha1DataLen = reader.Read7BitEncodedInt32() + 0x80;
int keyXorOffs6 = (int)reader.Position;
int encryptedOffs = (int)reader.Position + sha1DataLen;
var sha1Data = reader.ReadBytes(sha1DataLen);
uint crc32 = CRC32.CheckSum(sha1Data);
reader.Position = reader.Length - 0x18;
uint origCrc32 = reader.ReadUInt32();
if (crc32 != origCrc32)
{
return(null);
}
var key0 = DeobUtils.Sha1Sum(sha1Data); // 1.0.6.0
var key6 = GetKey(ref reader, key0, keyXorOffs6); // 1.0.6.6
var key7 = GetKey(ref reader, key0, keyXorOffs7); // 1.0.6.7
return(new DecrypterV106(key0, key6, key7, encryptedOffs));
}
catch (Exception ex) when(ex is IOException || ex is ArgumentException)
{
return(null);
}
}
public EmbeddedAssemblyInfo UnpackMainAssembly(bool createAssembly)
{
if (mainAsmResource == null)
{
return(null);
}
var info = CreateEmbeddedAssemblyInfo(mainAsmResource, Decrypt(mainAsmResource));
var asm = module.Assembly;
if (createAssembly && asm != null && entryPointToken != 0 && info.kind == ModuleKind.NetModule)
{
info.extension = DeobUtils.GetExtension(module.Kind);
info.kind = module.Kind;
var realAsm = module.UpdateRowId(new AssemblyDefUser(asm.Name, new Version(0, 0, 0, 0)));
info.realAssemblyInfo = new RealAssemblyInfo(realAsm, entryPointToken, info.kind);
if (module.Name != "Stub.exe")
{
info.realAssemblyInfo.moduleName = module.Name.String;
}
info.asmFullName = realAsm.FullName;
info.asmSimpleName = realAsm.Name.String;
}
return(info);
}
static TypeDef FindInflaterType(MethodDef method)
{
if (method == null || method.Body == null)
{
return(null);
}
foreach (var instr in method.Body.Instructions)
{
if (instr.OpCode.Code != Code.Call)
{
continue;
}
var calledMethod = instr.Operand as MethodDef;
if (calledMethod == null || !calledMethod.IsStatic)
{
continue;
}
var type = calledMethod.DeclaringType;
foreach (var nested in type.NestedTypes)
{
if (DeobUtils.HasInteger(nested.FindMethod(".ctor"), 0x8001))
{
return(type);
}
}
}
return(null);
}
bool InitializeInfos(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
{
if (handlerMethod == null)
{
return(true);
}
foreach (var method in resolverType.Methods)
{
if (!method.IsStatic || method.Body == null)
{
continue;
}
if (!DotNetUtils.IsMethod(method, "System.Void", "()"))
{
continue;
}
if (!DeobUtils.HasInteger(method, ':') || !DeobUtils.HasInteger(method, '|'))
{
continue;
}
simpleDeobfuscator.Deobfuscate(method);
simpleDeobfuscator.DecryptStrings(method, deob);
if (!InitializeInfos(method))
{
continue;
}
return(true);
}
return(false);
}
public string Decrypt(int token, int id)
{
if (!CanDecrypt)
{
throw new ApplicationException("Can't decrypt strings since decryptedData is null");
}
int index = id - (token & 0x00FFFFFF) - stringOffset;
int len = DeobUtils.ReadVariableLengthInt32(decryptedData, ref index);
switch (StringDecrypterInfo.DecrypterVersion)
{
case StringDecrypterVersion.V1:
// Some weird problem with 1.x decrypted strings. They all have a \x01 char at the end.
var buf = Convert.FromBase64String(Encoding.ASCII.GetString(decryptedData, index, len));
if (buf.Length % 2 != 0)
{
Array.Resize(ref buf, buf.Length - 1);
}
return(Encoding.Unicode.GetString(buf));
case StringDecrypterVersion.V2:
return(Encoding.UTF8.GetString(Convert.FromBase64String(Encoding.ASCII.GetString(decryptedData, index, len))));
default:
return(Encoding.UTF8.GetString(Convert.FromBase64String(Encoding.UTF8.GetString(decryptedData, index, len))));
}
}
bool checkInitMethod(MethodDef checkMethod, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
{
var requiredFields = new string[] {
"System.Collections.Hashtable",
"System.Boolean",
};
foreach (var method in DotNetUtils.getCalledMethods(module, checkMethod))
{
if (method.Body == null)
{
continue;
}
if (!method.IsStatic)
{
continue;
}
if (!DotNetUtils.isMethod(method, "System.Void", "()"))
{
continue;
}
var type = method.DeclaringType;
if (!new FieldTypes(type).exactly(requiredFields))
{
continue;
}
var ctor = type.FindMethod(".ctor");
if (ctor == null)
{
continue;
}
var handler = DeobUtils.getResolveMethod(ctor);
if (handler == null)
{
continue;
}
simpleDeobfuscator.decryptStrings(handler, deob);
var resourcePrefix = getResourcePrefix(handler);
if (resourcePrefix == null)
{
continue;
}
for (int i = 0; ; i++)
{
var resource = DotNetUtils.getResource(module, resourcePrefix + i.ToString("D5")) as EmbeddedResource;
if (resource == null)
{
break;
}
resources.Add(resource);
}
initMethod = method;
return(true);
}
return(false);
}
static MethodDefinition findXxteaMethod(TypeDefinition type)
{
foreach (var method in type.Methods)
{
if (!method.IsPrivate || method.IsStatic || method.Body == null)
{
continue;
}
if (DotNetUtils.isMethod(method, "System.Void", "(System.UInt32[],System.UInt32[])"))
{
if (!DeobUtils.hasInteger(method, 0x9E3779B9))
{
continue;
}
}
else if (DotNetUtils.isMethod(method, "System.Void", "(System.UInt32[],System.UInt32[],System.UInt32,System.UInt32,System.UInt32,System.UInt32,System.UInt32,System.UInt32,System.UInt32,System.UInt32,System.UInt32)"))
{
// Here if 5.0. 0x9E3779B9 is passed to it as the last arg.
}
else
{
continue;
}
if (!DeobUtils.hasInteger(method, 52))
{
continue;
}
return(method);
}
return(null);
}
public bool mergeResources(out EmbeddedResource rsrc)
{
rsrc = null;
if (isV3)
{
if (resource == null)
{
return(false);
}
DeobUtils.decryptAndAddResources(module, resource.Name, () => decryptResourceV3(resource));
rsrc = resource;
}
else
{
if (resourceField == null)
{
return(false);
}
string name = string.Format("Embedded data field {0:X8} RVA {1:X8}", resourceField.MetadataToken.ToInt32(), resourceField.RVA);
DeobUtils.decryptAndAddResources(module, name, () => decryptResourceV4(resourceField.InitialValue, magicV4));
resourceField.InitialValue = new byte[1];
resourceField.FieldType = module.TypeSystem.Byte;
}
return(true);
}
public void initialize(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
{
if (resolverType == null)
{
return;
}
encryptedResource = BabelUtils.findEmbeddedResource(module, resolverType, simpleDeobfuscator, deob);
if (encryptedResource == null)
{
Log.w("Could not find embedded assemblies resource");
return;
}
var decrypted = resourceDecrypter.decrypt(encryptedResource.GetResourceData());
var reader = new BinaryReader(new MemoryStream(decrypted));
int numAssemblies = reader.ReadInt32();
embeddedAssemblyInfos = new EmbeddedAssemblyInfo[numAssemblies];
for (int i = 0; i < numAssemblies; i++)
{
string name = reader.ReadString();
var data = reader.ReadBytes(reader.ReadInt32());
var mod = ModuleDefinition.ReadModule(new MemoryStream(data));
embeddedAssemblyInfos[i] = new EmbeddedAssemblyInfo(name, DeobUtils.getExtension(mod.Kind), data);
}
}
byte[] DecryptResource_v18_r75367_normal(byte[] encrypted)
{
var key = GetSigKey();
var decrypted = ConfuserUtils.Decrypt(BitConverter.ToUInt32(key, 12) * (uint)key0, encrypted);
return(Decompress(DeobUtils.AesDecrypt(decrypted, key, DeobUtils.Md5Sum(key))));
}
byte[] Decompress(byte[] compressed)
{
if (lzmaType != null)
{
return(ConfuserUtils.SevenZipDecompress(compressed));
}
return(DeobUtils.Inflate(compressed, true));
}
byte[] Decrypt_v17_r73404(byte[] data)
{
var reader = new BinaryReader(new MemoryStream(data));
data = Decrypt_v15_r60785(reader, out var key, out var iv);
reader = new BinaryReader(new MemoryStream(DeobUtils.Inflate(DeobUtils.AesDecrypt(data, key, iv), true)));
return(reader.ReadBytes(reader.ReadInt32()));
}
byte[] GetFileData()
{
if (ModuleBytes != null)
{
return(ModuleBytes);
}
return(ModuleBytes = DeobUtils.ReadModule(Module));
}
byte[] Decrypt_v10_r42915(byte[] data)
{
for (int i = 0; i < data.Length; i++)
{
data[i] ^= (byte)(i ^ key0);
}
return(DeobUtils.Inflate(data, true));
}
void InitVersion(MethodDef installMethod, ConfuserVersion normal, ConfuserVersion dynamic, ConfuserVersion native) {
if (nativeMethod != null)
version = native;
else if (DeobUtils.HasInteger(installMethod, 0x10000))
version = normal;
else
version = dynamic;
}