static DecryptType getDecryptType(MethodDef method)
 {
     if (DeobUtils.hasInteger(method, 0xFFF0))
     {
         return(DecryptType.Type2);
     }
     if (DeobUtils.hasInteger(method, 0xFFC0))
     {
         return(DecryptType.Type3);
     }
     return(DecryptType.Type1);                      // trial
 }
Ejemplo n.º 2
0
 IDecrypter createDecrypter(byte[] encryptedData)
 {
     if (decryptMethod != null && DeobUtils.hasInteger(decryptMethod, 6))
     {
         return(new Decrypter3(module, decryptMethod));
     }
     if (isV30(encryptedData))
     {
         return(new Decrypter1(module));
     }
     return(new Decrypter2(module));
 }
Ejemplo n.º 3
0
        Version detectVersion()
        {
            var ep = module.EntryPoint;

            if (ep == null || ep.Body == null)
            {
                return(Version.Unknown);
            }
            var type = ep.DeclaringType;

            if (type == null)
            {
                return(Version.Unknown);
            }
            if (!new FieldTypes(type).exactly(requiredFields))
            {
                return(Version.Unknown);
            }
            if (module.Types.Count != 2)
            {
                return(Version.Unknown);
            }
            if (module.Types[1] != type)
            {
                return(Version.Unknown);
            }
            if (module.Types[0].Methods.Count != 0)
            {
                return(Version.Unknown);
            }

            if (checkMethods(type, methods_v0x))
            {
                return(Version.V0x);
            }
            if (checkMethods(type, methods_v1x))
            {
                var lfMethod = DotNetUtils.getMethod(type, "System.Boolean", "(System.String,System.Byte[]&)");
                if (lfMethod != null)
                {
                    if (DeobUtils.hasInteger(lfMethod, (int)Machine.AMD64))
                    {
                        return(Version.V218);
                    }
                    return(Version.V1x_217);
                }
            }
            return(Version.Unknown);
        }
Ejemplo n.º 4
0
        bool checkMethodV2(MethodDef method)
        {
            if (!DeobUtils.hasInteger(method, ' '))
            {
                return(false);
            }
            foreach (var calledMethodName in callsMethodsV2)
            {
                if (!DotNetUtils.callsMethod(method, calledMethodName))
                {
                    return(false);
                }
            }

            decrypter = new DecrypterV2();
            return(true);
        }
Ejemplo n.º 5
0
        static bool isOldStringDecrypterMethod(MethodDefinition method)
        {
            if (method == null || method.Body == null || !method.IsStatic)
            {
                return(false);
            }
            if (!DotNetUtils.isMethod(method, "System.String", "(System.String)"))
            {
                return(false);
            }
            if (!DeobUtils.hasInteger(method, 0xFF))
            {
                return(false);
            }

            return(true);
        }
Ejemplo n.º 6
0
        bool createAssemblyInfos()
        {
            int numElements = DeobUtils.hasInteger(handlerMethod, 3) ? 3 : 2;

            foreach (var s in DotNetUtils.getCodeStrings(handlerMethod))
            {
                var infos = createAssemblyInfos(s, numElements);
                if (infos == null)
                {
                    continue;
                }

                assemblyInfos = infos;
                return(true);
            }

            return(false);
        }
Ejemplo n.º 7
0
		bool initializeInfos(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
			if (handlerMethod == null)
				return true;

			foreach (var method in resolverType.Methods) {
				if (!method.IsStatic || method.Body == null)
					continue;
				if (!DotNetUtils.isMethod(method, "System.Void", "()"))
					continue;
				if (!DeobUtils.hasInteger(method, ':') || !DeobUtils.hasInteger(method, '|'))
					continue;

				simpleDeobfuscator.deobfuscate(method);
				simpleDeobfuscator.decryptStrings(method, deob);
				if (!initializeInfos(method))
					continue;

				return true;
			}

			return false;
		}
Ejemplo n.º 8
0
        MethodDefinition getDecryptMethod()
        {
            foreach (var method in resolverType.Methods)
            {
                if (!method.IsStatic || method.Body == null)
                {
                    continue;
                }
                if (!DotNetUtils.isMethod(method, "System.Byte[]", "(System.Byte[])"))
                {
                    continue;
                }
                if (!DeobUtils.hasInteger(method, 32) ||
                    !DeobUtils.hasInteger(method, 121))
                {
                    continue;
                }

                return(method);
            }

            throw new ApplicationException("Could not find decrypt method");
        }
Ejemplo n.º 9
0
        MethodDefinition getProxyCreateMethod(TypeDefinition type)
        {
            if (DotNetUtils.findFieldType(type, "System.ModuleHandle", true) == null)
            {
                return(null);
            }
            if (type.Fields.Count < 1 || type.Fields.Count > 10)
            {
                return(null);
            }

            MethodDefinition createMethod = null;

            foreach (var m in type.Methods)
            {
                if (m.Name == ".ctor" || m.Name == ".cctor")
                {
                    continue;
                }
                if (createMethod == null && DotNetUtils.isMethod(m, "System.Void", "(System.Int32,System.Int32,System.Int32)"))
                {
                    createMethod = m;
                    continue;
                }
                continue;
            }
            if (createMethod == null || !createMethod.HasBody)
            {
                return(null);
            }
            if (!DeobUtils.hasInteger(createMethod, 0xFFFFFF))
            {
                return(null);
            }

            return(createMethod);
        }
Ejemplo n.º 10
0
            public bool initialize()
            {
                if (!findMagic(Method, out arg1, out arg2, out magic))
                {
                    return(false);
                }

                fields = getFields(Method);
                if (fields == null)
                {
                    return(false);
                }

                arrayInfo = getArrayInfo(cctor);
                if (arrayInfo == null)
                {
                    return(false);
                }

                if (arrayInfo.initField.InitialValue.Length % 2 == 1)
                {
                    return(false);
                }
                encryptedData = new ushort[arrayInfo.initField.InitialValue.Length / 2];
                Buffer.BlockCopy(arrayInfo.initField.InitialValue, 0, encryptedData, 0, arrayInfo.initField.InitialValue.Length);

                isTrial  = !DeobUtils.hasInteger(Method, 0xFFF0);
                keyShift = findKeyShift(cctor);
                key      = findKey();
                if (key == null || key.Length == 0)
                {
                    return(false);
                }

                return(true);
            }
Ejemplo n.º 11
0
        bool findConstants(ISimpleDeobfuscator simpleDeobfuscator)
        {
            simpleDeobfuscator.deobfuscate(stringMethod);
            stringMethodConsts = new EfConstantsReader(stringMethod);

            if (!findResource(stringMethod))
            {
                return(false);
            }

            checkMinus2       = isV32OrLater || DeobUtils.hasInteger(stringMethod, -2);
            usePublicKeyToken = callsGetPublicKeyToken(stringMethod);

            var int64Method = findInt64Method(stringMethod);

            if (int64Method != null)
            {
                decrypterType.Type = int64Method.DeclaringType;
            }

            if (!findShorts())
            {
                return(false);
            }
            if (!findInt3())
            {
                return(false);
            }
            if (!findInt4())
            {
                return(false);
            }
            if (checkMinus2 && !findInt5())
            {
                return(false);
            }
            dataDecrypterType = findDataDecrypterType(stringMethod);
            if (dataDecrypterType == null)
            {
                return(false);
            }

            if (isV32OrLater)
            {
                bool initializedAll;
                if (!findInts(out initializedAll))
                {
                    return(false);
                }

                var cctor = DotNetUtils.getMethod(stringType, ".cctor");
                if (!initializedAll && cctor != null)
                {
                    simpleDeobfuscator.deobfuscate(cctor);
                    if (!findIntsCctor(cctor))
                    {
                        return(false);
                    }
                }

                if (decrypterType.Detected && !decrypterType.initialize())
                {
                    return(false);
                }
            }

            initializeFlags();
            initialize();

            return(true);
        }
Ejemplo n.º 12
0
        public string detect()
        {
            var decryptStringType   = stringDecrypter.Type;
            var decryptStringMethod = stringDecrypter.Method;

            if (decryptStringType == null || decryptStringMethod == null)
            {
                return(null);
            }

            var otherMethods       = new List <MethodDefinition>();
            MethodDefinition cctor = null;

            foreach (var method in decryptStringType.Methods)
            {
                if (method == decryptStringMethod)
                {
                    continue;
                }
                if (method.Name == ".cctor")
                {
                    cctor = method;
                }
                else
                {
                    otherMethods.Add(method);
                }
            }
            if (cctor == null)
            {
                return(null);
            }

            bool hasConstantM2 = DeobUtils.hasInteger(decryptStringMethod, -2);
            var  frameworkType = DotNetUtils.getFrameworkType(decryptStringType.Module);

            /////////////////////////////////////////////////////////////////
            /////////////////////////////////////////////////////////////////
            /////////////////////////////////////////////////////////////////

            var fields11 = new string[] {
                "System.Collections.Generic.Dictionary`2<System.Int32,System.String>",
                "System.IO.BinaryReader",
                "System.Byte[]",
                "System.Int16",
                "System.Boolean",
            };
            var locals11 = createLocalsArray(
                "System.Boolean",
                "System.Byte[]",
                "System.Char[]",
                "System.Int16",
                "System.Int32",
                "System.Reflection.Assembly",
                "System.String"
                );

            if (otherMethods.Count == 0 &&
                decryptStringType.NestedTypes.Count == 0 &&
                !hasConstantM2 &&
                !decryptStringMethod.NoInlining &&
                decryptStringMethod.IsPublic &&
                decryptStringMethod.IsSynchronized &&
                decryptStringMethod.Body.MaxStackSize >= 35 &&
                decryptStringMethod.Body.MaxStackSize <= 50 &&
                decryptStringMethod.Body.ExceptionHandlers.Count == 0 &&
                new LocalTypes(decryptStringMethod).exactly(locals11) &&
                checkTypeFields(fields11))
            {
                return("1.1 - 1.2");
            }

            /////////////////////////////////////////////////////////////////
            /////////////////////////////////////////////////////////////////
            /////////////////////////////////////////////////////////////////

            var fields13 = new string[] {
                "System.Collections.Generic.Dictionary`2<System.Int32,System.String>",
                "System.IO.BinaryReader",
                "System.Byte[]",
                "System.Int16",
                "System.Boolean",
                "System.Byte[]",
            };
            var locals13 = createLocalsArray(
                "System.Boolean",
                "System.Byte",
                "System.Byte[]",
                "System.Char[]",
                "System.Int16",
                "System.Int32",
                "System.Reflection.Assembly",
                "System.String"
                );

            if (otherMethods.Count == 0 &&
                decryptStringType.NestedTypes.Count == 0 &&
                !hasConstantM2 &&
                !decryptStringMethod.NoInlining &&
                decryptStringMethod.IsPublic &&
                decryptStringMethod.IsSynchronized &&
                decryptStringMethod.Body.MaxStackSize >= 35 &&
                decryptStringMethod.Body.MaxStackSize <= 50 &&
                decryptStringMethod.Body.ExceptionHandlers.Count == 0 &&
                new LocalTypes(decryptStringMethod).exactly(locals13) &&
                checkTypeFields(fields13))
            {
                return("1.3");
            }

            /////////////////////////////////////////////////////////////////
            /////////////////////////////////////////////////////////////////
            /////////////////////////////////////////////////////////////////

            var fields14 = new string[] {
                "System.Collections.Generic.Dictionary`2<System.Int32,System.String>",
                "System.IO.BinaryReader",
                "System.Byte[]",
                "System.Int16",
                "System.Boolean",
                "System.Byte[]",
            };
            var locals14 = createLocalsArray(
                "System.Boolean",
                "System.Byte",
                "System.Byte[]",
                "System.Char[]",
                "System.Int16",
                "System.Int32",
                "System.Reflection.Assembly",
                "System.String"
                );

            if (otherMethods.Count == 0 &&
                decryptStringType.NestedTypes.Count == 0 &&
                !hasConstantM2 &&
                !decryptStringMethod.NoInlining &&
                decryptStringMethod.IsPublic &&
                decryptStringMethod.IsSynchronized &&
                decryptStringMethod.Body.MaxStackSize >= 150 &&
                decryptStringMethod.Body.MaxStackSize <= 200 &&
                decryptStringMethod.Body.ExceptionHandlers.Count == 0 &&
                new LocalTypes(decryptStringMethod).exactly(locals14) &&
                checkTypeFields(fields14))
            {
                return("1.4 - 2.3");
            }

            /////////////////////////////////////////////////////////////////
            /////////////////////////////////////////////////////////////////
            /////////////////////////////////////////////////////////////////

            var fields24 = new string[] {
                "System.Collections.Generic.Dictionary`2<System.Int32,System.String>",
                "System.IO.BinaryReader",
                "System.Byte[]",
                "System.Int16",
                "System.Boolean",
                "System.Byte[]",
            };
            var locals24 = createLocalsArray(
                "System.Boolean",
                "System.Byte",
                "System.Byte[]",
                "System.Char[]",
                "System.Int16",
                "System.Int32",
                "System.Reflection.Assembly",
                "System.Reflection.AssemblyName",
                "System.String"
                );

            if (otherMethods.Count == 0 &&
                decryptStringType.NestedTypes.Count == 0 &&
                !hasConstantM2 &&
                !decryptStringMethod.NoInlining &&
                decryptStringMethod.IsPublic &&
                decryptStringMethod.IsSynchronized &&
                decryptStringMethod.Body.MaxStackSize >= 1 &&
                decryptStringMethod.Body.MaxStackSize <= 8 &&
                decryptStringMethod.Body.ExceptionHandlers.Count == 0 &&
                new LocalTypes(decryptStringMethod).exactly(locals24) &&
                checkTypeFields(fields24))
            {
                return("2.4 - 2.5");
            }

            /////////////////////////////////////////////////////////////////
            /////////////////////////////////////////////////////////////////
            /////////////////////////////////////////////////////////////////

            var fields26 = new string[] {
                "System.Collections.Generic.Dictionary`2<System.Int32,System.String>",
                "System.IO.BinaryReader",
                "System.Byte[]",
                "System.Int16",
                "System.Boolean",
                "System.Byte[]",
            };
            var locals26 = createLocalsArray(
                "System.Boolean",
                "System.Byte",
                "System.Byte[]",
                "System.Char[]",
                "System.Collections.Generic.Dictionary`2<System.Int32,System.String>",
                "System.Int16",
                "System.Int32",
                "System.Reflection.Assembly",
                "System.Reflection.AssemblyName",
                "System.String"
                );

            if (otherMethods.Count == 0 &&
                decryptStringType.NestedTypes.Count == 0 &&
                !hasConstantM2 &&
                !decryptStringMethod.NoInlining &&
                decryptStringMethod.IsPublic &&
                !decryptStringMethod.IsSynchronized &&
                decryptStringMethod.Body.MaxStackSize >= 1 &&
                decryptStringMethod.Body.MaxStackSize <= 8 &&
                decryptStringMethod.Body.ExceptionHandlers.Count == 1 &&
                new LocalTypes(decryptStringMethod).exactly(locals26) &&
                checkTypeFields(fields26))
            {
                return("2.6");
            }

            /////////////////////////////////////////////////////////////////
            /////////////////////////////////////////////////////////////////
            /////////////////////////////////////////////////////////////////

            var fields27 = new string[] {
                "System.Collections.Generic.Dictionary`2<System.Int32,System.String>",
                "System.IO.BinaryReader",
                "System.Byte[]",
                "System.Int16",
                "System.Boolean",
                "System.Byte[]",
            };
            var locals27 = createLocalsArray(
                "System.Boolean",
                "System.Byte",
                "System.Byte[]",
                "System.Char[]",
                "System.Collections.Generic.Dictionary`2<System.Int32,System.String>",
                "System.Int16",
                "System.Int32",
                "System.Reflection.Assembly",
                "System.Reflection.AssemblyName",
                "System.String"
                );

            if (otherMethods.Count == 0 &&
                decryptStringType.NestedTypes.Count == 0 &&
                !hasConstantM2 &&
                decryptStringMethod.NoInlining &&
                decryptStringMethod.IsPublic &&
                !decryptStringMethod.IsSynchronized &&
                decryptStringMethod.Body.MaxStackSize >= 1 &&
                decryptStringMethod.Body.MaxStackSize <= 8 &&
                decryptStringMethod.Body.ExceptionHandlers.Count == 1 &&
                new LocalTypes(decryptStringMethod).exactly(locals27) &&
                checkTypeFields(fields27))
            {
                return("2.7");
            }

            /////////////////////////////////////////////////////////////////
            /////////////////////////////////////////////////////////////////
            /////////////////////////////////////////////////////////////////

            var fields28 = new string[] {
                "System.Collections.Generic.Dictionary`2<System.Int32,System.String>",
                "System.IO.BinaryReader",
                "System.Byte[]",
                "System.Int16",
                "System.Boolean",
                "System.Byte[]",
                "System.Boolean",
            };
            var locals28 = createLocalsArray(
                "System.Boolean",
                "System.Byte",
                "System.Byte[]",
                "System.Char[]",
                "System.Collections.Generic.Dictionary`2<System.Int32,System.String>",
                "System.Int16",
                "System.Int32",
                "System.Reflection.Assembly",
                "System.Reflection.AssemblyName",
                "System.String"
                );

            if (otherMethods.Count == 0 &&
                decryptStringType.NestedTypes.Count == 0 &&
                !hasConstantM2 &&
                decryptStringMethod.NoInlining &&
                decryptStringMethod.IsAssembly &&
                !decryptStringMethod.IsSynchronized &&
                decryptStringMethod.Body.MaxStackSize >= 1 &&
                decryptStringMethod.Body.MaxStackSize <= 8 &&
                decryptStringMethod.Body.ExceptionHandlers.Count == 1 &&
                new LocalTypes(decryptStringMethod).exactly(locals28) &&
                checkTypeFields(fields28))
            {
                return("2.8");
            }

            /////////////////////////////////////////////////////////////////
            /////////////////////////////////////////////////////////////////
            /////////////////////////////////////////////////////////////////

            var fields29 = new string[] {
                "System.Collections.Generic.Dictionary`2<System.Int32,System.String>",
                "System.IO.BinaryReader",
                "System.Byte[]",
                "System.Int16",
                "System.Int32",
                "System.Byte[]",
            };
            var locals29 = createLocalsArray(
                "System.Boolean",
                "System.Byte",
                "System.Byte[]",
                "System.Char[]",
                "System.Collections.Generic.Dictionary`2<System.Int32,System.String>",
                "System.Diagnostics.StackFrame",
                "System.Diagnostics.StackTrace",
                "System.Int16",
                "System.Int32",
                "System.IO.Stream",
                "System.Reflection.Assembly",
                "System.Reflection.AssemblyName",
                "System.Reflection.MethodBase",
                "System.String",
                "System.Type"
                );

            if (otherMethods.Count == 0 &&
                decryptStringType.NestedTypes.Count == 0 &&
                !hasConstantM2 &&
                decryptStringMethod.NoInlining &&
                decryptStringMethod.IsAssembly &&
                !decryptStringMethod.IsSynchronized &&
                decryptStringMethod.Body.MaxStackSize >= 1 &&
                decryptStringMethod.Body.MaxStackSize <= 8 &&
                (decryptStringMethod.Body.ExceptionHandlers.Count == 1 || decryptStringMethod.Body.ExceptionHandlers.Count == 2) &&
                new LocalTypes(decryptStringMethod).exactly(locals29) &&
                checkTypeFields(fields29))
            {
                return("2.9");
            }

            /////////////////////////////////////////////////////////////////
            /////////////////////////////////////////////////////////////////
            /////////////////////////////////////////////////////////////////

            var fields30 = new string[] {
                "System.Collections.Generic.Dictionary`2<System.Int32,System.String>",
                "System.IO.BinaryReader",
                "System.Byte[]",
                "System.Int16",
                "System.Int32",
                "System.Byte[]",
            };
            var locals30 = createLocalsArray(
                "System.Boolean",
                "System.Byte",
                "System.Byte[]",
                "System.Char[]",
                "System.Collections.Generic.Dictionary`2<System.Int32,System.String>",
                "System.Diagnostics.StackFrame",
                "System.Diagnostics.StackTrace",
                "System.Int16",
                "System.Int32",
                "System.IO.Stream",
                "System.Reflection.Assembly",
                "System.Reflection.AssemblyName",
                "System.Reflection.MethodBase",
                "System.String",
                "System.Type"
                );
            var olocals30 = createLocalsArray(
                "System.Int32"
                );

            if (otherMethods.Count == 1 &&
                decryptStringType.NestedTypes.Count == 0 &&
                DotNetUtils.isMethod(otherMethods[0], "System.Int32", "(System.Byte[],System.Int32,System.Byte[])") &&
                otherMethods[0].IsPrivate &&
                otherMethods[0].IsStatic &&
                new LocalTypes(otherMethods[0]).exactly(olocals30) &&
                !hasConstantM2 &&
                decryptStringMethod.NoInlining &&
                decryptStringMethod.IsAssembly &&
                !decryptStringMethod.IsSynchronized &&
                decryptStringMethod.Body.MaxStackSize >= 1 &&
                decryptStringMethod.Body.MaxStackSize <= 8 &&
                (decryptStringMethod.Body.ExceptionHandlers.Count == 1 || decryptStringMethod.Body.ExceptionHandlers.Count == 2) &&
                new LocalTypes(decryptStringMethod).exactly(locals30) &&
                checkTypeFields(fields30))
            {
                return("3.0");
            }

            /////////////////////////////////////////////////////////////////
            /////////////////////////////////////////////////////////////////
            /////////////////////////////////////////////////////////////////

            var fields31 = new string[] {
                "System.Collections.Generic.Dictionary`2<System.Int32,System.String>",
                "System.IO.BinaryReader",
                "System.Byte[]",
                "System.Int16",
                "System.Int32",
                "System.Byte[]",
            };
            var locals31 = createLocalsArray(
                "System.Boolean",
                "System.Byte",
                "System.Byte[]",
                "System.Char[]",
                "System.Collections.Generic.Dictionary`2<System.Int32,System.String>",
                "System.Diagnostics.StackFrame",
                "System.Diagnostics.StackTrace",
                "System.Int16",
                "System.Int32",
                "System.IO.Stream",
                "System.Reflection.Assembly",
                "System.Reflection.AssemblyName",
                "System.Reflection.MethodBase",
                "System.String",
                "System.Type"
                );
            var olocals31 = createLocalsArray(
                "System.Int32"
                );

            if (otherMethods.Count == 1 &&
                decryptStringType.NestedTypes.Count == 0 &&
                DotNetUtils.isMethod(otherMethods[0], "System.Int32", "(System.Byte[],System.Int32,System.Byte[])") &&
                otherMethods[0].IsPrivate &&
                otherMethods[0].IsStatic &&
                new LocalTypes(otherMethods[0]).exactly(olocals31) &&
                hasConstantM2 &&
                decryptStringMethod.NoInlining &&
                decryptStringMethod.IsAssembly &&
                !decryptStringMethod.IsSynchronized &&
                decryptStringMethod.Body.MaxStackSize >= 1 &&
                decryptStringMethod.Body.MaxStackSize <= 8 &&
                (decryptStringMethod.Body.ExceptionHandlers.Count == 1 || decryptStringMethod.Body.ExceptionHandlers.Count == 2) &&
                new LocalTypes(decryptStringMethod).exactly(locals31) &&
                checkTypeFields(fields31))
            {
                return("3.1");
            }

            /////////////////////////////////////////////////////////////////
            /////////////////////////////////////////////////////////////////
            /////////////////////////////////////////////////////////////////

            var fields32 = new string[] {
                "System.Collections.Generic.Dictionary`2<System.Int32,System.String>",
                "System.IO.BinaryReader",
                "System.Byte[]",
                "System.Int16",
                "System.Int32",
                "System.Byte[]",
                "System.Int32",
            };
            var locals32 = createLocalsArray(
                "System.Boolean",
                "System.Byte",
                "System.Byte[]",
                "System.Char[]",
                "System.Collections.Generic.Dictionary`2<System.Int32,System.String>",
                "System.Diagnostics.StackFrame",
                "System.Diagnostics.StackTrace",
                "System.Int16",
                "System.Int32",
                "System.Int64",
                "System.IO.Stream",
                "System.Reflection.Assembly",
                "System.Reflection.AssemblyName",
                "System.Reflection.MethodBase",
                "System.String",
                "System.Type"
                );
            var olocals32 = createLocalsArray(
                "System.Int32"
                );

            if (otherMethods.Count == 1 &&
                decryptStringType.NestedTypes.Count == 0 &&
                DotNetUtils.isMethod(otherMethods[0], "System.Void", "(System.Byte[],System.Int32,System.Byte[])") &&
                otherMethods[0].IsPrivate &&
                otherMethods[0].IsStatic &&
                new LocalTypes(otherMethods[0]).exactly(olocals32) &&
                hasConstantM2 &&
                decryptStringMethod.NoInlining &&
                decryptStringMethod.IsAssembly &&
                !decryptStringMethod.IsSynchronized &&
                decryptStringMethod.Body.MaxStackSize >= 1 &&
                decryptStringMethod.Body.MaxStackSize <= 8 &&
                (decryptStringMethod.Body.ExceptionHandlers.Count == 1 || decryptStringMethod.Body.ExceptionHandlers.Count == 2) &&
                new LocalTypes(decryptStringMethod).exactly(locals32) &&
                checkTypeFields(fields32))
            {
                return("3.2");
            }

            /////////////////////////////////////////////////////////////////
            /////////////////////////////////////////////////////////////////
            /////////////////////////////////////////////////////////////////

            if (decryptStringType.NestedTypes.Count == 1)
            {
                var fields33 = new string[] {
                    "System.Collections.Generic.Dictionary`2<System.Int32,System.String>",
                    "System.IO.BinaryReader",
                    "System.Byte[]",
                    "System.Int16",
                    "System.Int32",
                    "System.Byte[]",
                    "System.Int32",
                    "System.Int32",
                    decryptStringType.NestedTypes[0].FullName,
                };
                var locals33 = createLocalsArray(
                    "System.Boolean",
                    "System.Byte",
                    "System.Byte[]",
                    "System.Char[]",
                    "System.Collections.Generic.Dictionary`2<System.Int32,System.String>",
                    "System.Diagnostics.StackFrame",
                    "System.Diagnostics.StackTrace",
                    "System.Int16",
                    "System.Int32",
                    "System.Int64",
                    "System.IO.Stream",
                    "System.Reflection.Assembly",
                    "System.Reflection.AssemblyName",
                    "System.Reflection.MethodBase",
                    "System.String",
                    "System.Type"
                    );
                var olocals33 = createLocalsArray(
                    "System.Int32"
                    );
                if (otherMethods.Count == 1 &&
                    decryptStringType.NestedTypes.Count == 1 &&
                    DotNetUtils.isMethod(otherMethods[0], "System.Void", "(System.Byte[],System.Int32,System.Byte[])") &&
                    otherMethods[0].IsPrivate &&
                    otherMethods[0].IsStatic &&
                    new LocalTypes(otherMethods[0]).exactly(olocals33) &&
                    hasConstantM2 &&
                    decryptStringMethod.NoInlining &&
                    decryptStringMethod.IsAssembly &&
                    !decryptStringMethod.IsSynchronized &&
                    decryptStringMethod.Body.MaxStackSize >= 1 &&
                    decryptStringMethod.Body.MaxStackSize <= 8 &&
                    (decryptStringMethod.Body.ExceptionHandlers.Count == 1 || decryptStringMethod.Body.ExceptionHandlers.Count == 2) &&
                    new LocalTypes(decryptStringMethod).exactly(locals33) &&
                    checkTypeFields(fields33))
                {
                    return("3.3.29 - 3.3.57 (BETA)");
                }
            }

            /////////////////////////////////////////////////////////////////
            /////////////////////////////////////////////////////////////////
            /////////////////////////////////////////////////////////////////

            if (decryptStringType.NestedTypes.Count == 3)
            {
                var fields33 = new string[] {
                    getNestedTypeName(0),
                    getNestedTypeName(1),
                    "System.Byte[]",
                    "System.Int16",
                    "System.Int32",
                    "System.Byte[]",
                    "System.Int32",
                    "System.Int32",
                    getNestedTypeName(2),
                };
                var locals33 = createLocalsArray(
                    "System.Boolean",
                    "System.Byte",
                    "System.Byte[]",
                    "System.Char[]",
                    getNestedTypeName(0),
                    "System.Diagnostics.StackFrame",
                    "System.Diagnostics.StackTrace",
                    "System.Int16",
                    "System.Int32",
                    "System.Int64",
                    "System.IO.Stream",
                    "System.Reflection.Assembly",
                    "System.Reflection.AssemblyName",
                    "System.Reflection.MethodBase",
                    "System.String",
                    "System.Type"
                    );
                var olocals33 = createLocalsArray(
                    "System.Int32"
                    );
                if (otherMethods.Count == 1 &&
                    decryptStringType.NestedTypes.Count == 3 &&
                    DotNetUtils.isMethod(otherMethods[0], "System.Void", "(System.Byte[],System.Int32,System.Byte[])") &&
                    otherMethods[0].IsPrivate &&
                    otherMethods[0].IsStatic &&
                    new LocalTypes(otherMethods[0]).exactly(olocals33) &&
                    decryptStringMethod.NoInlining &&
                    decryptStringMethod.IsAssembly &&
                    !decryptStringMethod.IsSynchronized &&
                    decryptStringMethod.Body.MaxStackSize >= 1 &&
                    decryptStringMethod.Body.MaxStackSize <= 8 &&
                    (decryptStringMethod.Body.ExceptionHandlers.Count == 1 || decryptStringMethod.Body.ExceptionHandlers.Count == 2) &&
                    new LocalTypes(decryptStringMethod).exactly(locals33) &&
                    checkTypeFields(fields33))
                {
                    return("3.3");
                }

                var fields33_149 = new string[] {
                    getNestedTypeName(0),
                    getNestedTypeName(1),
                    "System.Byte[]",
                    "System.Int16",
                    "System.Int32",
                    "System.Byte[]",
                    "System.Int32",
                    "System.Int32",
                    getNestedTypeName(2),
                };
                var locals33_149 = createLocalsArray(
                    "System.Boolean",
                    "System.Byte",
                    "System.Byte[]",
                    "System.Char[]",
                    getNestedTypeName(0),
                    "System.Diagnostics.StackFrame",
                    "System.Diagnostics.StackTrace",
                    "System.Int16",
                    "System.Int32",
                    "System.Int64",
                    "System.IO.Stream",
                    "System.Reflection.Assembly",
                    "System.Reflection.AssemblyName",
                    "System.Reflection.MethodBase",
                    "System.String",
                    "System.Text.StringBuilder",
                    "System.Type"
                    );
                var olocals33_149 = createLocalsArray(
                    "System.Int32"
                    );
                if (otherMethods.Count == 1 &&
                    decryptStringType.NestedTypes.Count == 3 &&
                    DotNetUtils.isMethod(otherMethods[0], "System.Void", "(System.Byte[],System.Int32,System.Byte[])") &&
                    otherMethods[0].IsPrivate &&
                    otherMethods[0].IsStatic &&
                    new LocalTypes(otherMethods[0]).exactly(olocals33_149) &&
                    decryptStringMethod.NoInlining &&
                    decryptStringMethod.IsAssembly &&
                    !decryptStringMethod.IsSynchronized &&
                    decryptStringMethod.Body.MaxStackSize >= 1 &&
                    decryptStringMethod.Body.MaxStackSize <= 8 &&
                    (decryptStringMethod.Body.ExceptionHandlers.Count == 1 || decryptStringMethod.Body.ExceptionHandlers.Count == 2) &&
                    new LocalTypes(decryptStringMethod).exactly(locals33_149) &&
                    checkTypeFields(fields33_149))
                {
                    return("3.3");                      // 3.3.149 (but not SL or CF)
                }
            }

            return(null);
        }
        public bool init(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator)
        {
            var cctor = stringsEncodingClass.FindStaticConstructor();

            if (cctor != null)
            {
                simpleDeobfuscator.deobfuscate(cctor);
            }

            decrypterVersion = guessVersion(cctor);

            if (!findDecrypterMethod())
            {
                throw new ApplicationException("Could not find string decrypter method");
            }

            if (!findStringsResource(deob, simpleDeobfuscator, cctor))
            {
                return(false);
            }

            if (decrypterVersion <= StringDecrypterVersion.V3)
            {
                MethodDef initMethod;
                if (decrypterVersion == StringDecrypterVersion.V3)
                {
                    initMethod = cctor;
                }
                else if (decrypterVersion == StringDecrypterVersion.V2)
                {
                    initMethod = stringDecrypterMethod;
                }
                else
                {
                    initMethod = stringDecrypterMethod;
                }

                stringOffset = 0;
                if (decrypterVersion != StringDecrypterVersion.V1)
                {
                    if (callsGetPublicKeyToken(initMethod))
                    {
                        var pkt = PublicKeyBase.ToPublicKeyToken(module.Assembly.PublicKeyToken);
                        if (!PublicKeyBase.IsNullOrEmpty2(pkt))
                        {
                            for (int i = 0; i < pkt.Data.Length - 1; i += 2)
                            {
                                stringOffset ^= ((int)pkt.Data[i] << 8) + pkt.Data[i + 1];
                            }
                        }
                    }

                    if (DeobUtils.hasInteger(initMethod, 0xFFFFFF) &&
                        DeobUtils.hasInteger(initMethod, 0xFFFF))
                    {
                        stringOffset ^= ((stringDecrypterMethod.MDToken.ToInt32() & 0xFFFFFF) - 1) % 0xFFFF;
                    }
                }
            }
            else
            {
                var offsetVal = findOffsetValue(cctor);
                if (offsetVal == null)
                {
                    throw new ApplicationException("Could not find string offset");
                }
                stringOffset     = offsetVal.Value;
                decrypterVersion = StringDecrypterVersion.V4;
            }

            simpleZipTypeMethod = findSimpleZipTypeMethod(cctor) ?? findSimpleZipTypeMethod(stringDecrypterMethod);
            if (simpleZipTypeMethod != null)
            {
                resourceDecrypter = new ResourceDecrypter(new ResourceDecrypterInfo(module, simpleZipTypeMethod, simpleDeobfuscator));
            }

            return(true);
        }
Ejemplo n.º 14
0
        string detectVersion()
        {
            /*
             * Methods decrypter locals (not showing its own types):
             * 3.7.0.3:
             *              "System.Byte[]"
             *              "System.Int32"
             *              "System.Int32[]"
             *              "System.IntPtr"
             *              "System.IO.BinaryReader"
             *              "System.IO.MemoryStream"
             *              "System.Object"
             *              "System.Reflection.Assembly"
             *              "System.Security.Cryptography.CryptoStream"
             *              "System.Security.Cryptography.ICryptoTransform"
             *              "System.Security.Cryptography.RijndaelManaged"
             *              "System.String"
             *
             * 3.9.8.0:
             * -		"System.Int32[]"
             +		"System.Diagnostics.StackFrame"
             +
             + 4.0.0.0: (jitter)
             + -		"System.Diagnostics.StackFrame"
             + -		"System.Object"
             +		"System.Boolean"
             +		"System.Collections.IEnumerator"
             +		"System.Delegate"
             +		"System.Diagnostics.Process"
             +		"System.Diagnostics.ProcessModule"
             +		"System.Diagnostics.ProcessModuleCollection"
             +		"System.IDisposable"
             +		"System.Int64"
             +		"System.UInt32"
             +		"System.UInt64"
             +
             + 4.1.0.0: (jitter)
             +		"System.Reflection.Assembly"
             +
             + 4.3.1.0: (jitter)
             +		"System.Byte&"
             */

            LocalTypes localTypes;
            int        minVer = -1;

            foreach (var info in stringDecrypter.DecrypterInfos)
            {
                if (info.key == null)
                {
                    continue;
                }
                localTypes = new LocalTypes(info.method);
                if (!localTypes.exists("System.IntPtr"))
                {
                    return(DeobfuscatorInfo.THE_NAME + " <= 3.7");
                }
                minVer = 3800;
                break;
            }

            if (methodsDecrypter.Method == null)
            {
                if (minVer >= 3800)
                {
                    return(DeobfuscatorInfo.THE_NAME + " >= 3.8");
                }
                return(DeobfuscatorInfo.THE_NAME);
            }
            localTypes = new LocalTypes(methodsDecrypter.Method);

            if (localTypes.exists("System.Int32[]"))
            {
                if (minVer >= 3800)
                {
                    return(DeobfuscatorInfo.THE_NAME + " 3.8.4.1 - 3.9.0.1");
                }
                return(DeobfuscatorInfo.THE_NAME + " <= 3.9.0.1");
            }
            if (!localTypes.exists("System.Diagnostics.Process"))               // If < 4.0
            {
                if (localTypes.exists("System.Diagnostics.StackFrame"))
                {
                    return(DeobfuscatorInfo.THE_NAME + " 3.9.8.0");
                }
            }

            var compileMethod = MethodsDecrypter.findDnrCompileMethod(methodsDecrypter.Method.DeclaringType);

            if (compileMethod == null)
            {
                return(DeobfuscatorInfo.THE_NAME + " < 4.0");
            }
            DeobfuscatedFile.deobfuscate(compileMethod);
            bool compileMethodHasConstant_0x70000000 = DeobUtils.hasInteger(compileMethod, 0x70000000);                 // 4.0-4.1

            DeobfuscatedFile.deobfuscate(methodsDecrypter.Method);
            bool hasCorEnableProfilingString = findString(methodsDecrypter.Method, "Cor_Enable_Profiling");             // 4.1-4.4

            if (compileMethodHasConstant_0x70000000)
            {
                if (hasCorEnableProfilingString)
                {
                    return(DeobfuscatorInfo.THE_NAME + " 4.1");
                }
                return(DeobfuscatorInfo.THE_NAME + " 4.0");
            }
            if (!hasCorEnableProfilingString)
            {
                return(DeobfuscatorInfo.THE_NAME);
            }
            // 4.2-4.4

            if (!localTypes.exists("System.Byte&"))
            {
                return(DeobfuscatorInfo.THE_NAME + " 4.2");
            }

            localTypes = new LocalTypes(compileMethod);
            if (localTypes.exists("System.Object"))
            {
                return(DeobfuscatorInfo.THE_NAME + " 4.4");
            }
            return(DeobfuscatorInfo.THE_NAME + " 4.3");
        }