Ejemplo n.º 1
 /// <summary>
 /// Stores the module and both deobfuscator helpers, and caches the framework
 /// type that <c>DotNetUtils.getFrameworkType</c> reports for the module.
 /// </summary>
 /// <param name="module">Module under analysis.</param>
 /// <param name="simpleDeobfuscator">Helper kept for later use.</param>
 /// <param name="deob">Deobfuscator kept for later use.</param>
 public ResolverBase(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
 {
     this.simpleDeobfuscator = simpleDeobfuscator;
     this.deob = deob;
     this.module = module;
     // Derived from the parameter, so it does not depend on the field order above.
     this.frameworkType = DotNetUtils.getFrameworkType(module);
 }
        /// <summary>
        /// Searches the module for the type that wraps manifest-resource access and
        /// records it together with its helper methods and its embedded resource.
        /// </summary>
        /// <remarks>
        /// Candidates are recognised by their shape and member signatures, not by name.
        /// Only the first match is recorded; when nothing matches, no field is written.
        /// </remarks>
        /// <param name="simpleDeobfuscator">Forwarded to <c>findGetManifestResourceStreamTypeResource</c>.</param>
        /// <param name="deob">Forwarded to <c>findGetManifestResourceStreamTypeResource</c>.</param>
        public void find(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
        {
            foreach (var candidate in module.Types)
            {
                // Shape filter: exactly one field, no nested types, not generic, not a value type.
                bool shapeOk = candidate.Fields.Count == 1
                    && !candidate.HasNestedTypes
                    && !candidate.HasGenericParameters
                    && !candidate.IsValueType;
                if (!shapeOk)
                    continue;

                // Both the "System.Reflection.Assembly" field lookup and the .cctor lookup must succeed.
                if (DotNetUtils.getField(candidate, "System.Reflection.Assembly") == null
                    || DotNetUtils.getMethod(candidate, ".cctor") == null)
                    continue;

                var streamGetter = getTheOnlyMethod(candidate, "System.IO.Stream", "(System.Reflection.Assembly,System.Type,System.String)");
                var namesGetter = getTheOnlyMethod(candidate, "System.String[]", "(System.Reflection.Assembly)");
                if (streamGetter == null && namesGetter == null)
                    continue;

                // A stream helper without a resolvable resource disqualifies the type.
                var embedded = findGetManifestResourceStreamTypeResource(candidate, simpleDeobfuscator, deob);
                if (embedded == null && streamGetter != null)
                    continue;

                getManifestResourceStreamType = candidate;
                getManifestResourceStream1Method = null;
                getManifestResourceStream2Method = streamGetter;
                getManifestResourceNamesMethod = namesGetter;
                getManifestResourceStreamTypeResource = embedded;
                return;
            }
        }
 /// <summary>
 /// Runs <c>checkInitMethod</c> on the module type's static constructor and, only
 /// if that reports no match, on the module's entry point.
 /// </summary>
 /// <param name="simpleDeobfuscator">Forwarded to <c>checkInitMethod</c>.</param>
 /// <param name="deob">Forwarded to <c>checkInitMethod</c>.</param>
 public void find(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
 {
     var moduleCctor = DotNetUtils.getModuleTypeCctor(module);
     if (!checkInitMethod(moduleCctor, simpleDeobfuscator, deob))
     {
         // The result of the second probe is not used by this method.
         checkInitMethod(module.EntryPoint, simpleDeobfuscator, deob);
     }
 }
Ejemplo n.º 4
 /// <summary>
 /// Convenience overload: delegates to the callback-based <c>findEmbeddedResource</c>,
 /// supplying a callback that deobfuscates a method and then decrypts its strings.
 /// </summary>
 /// <returns>Whatever the callback-based overload returns.</returns>
 public static EmbeddedResource findEmbeddedResource(ModuleDefinition module, TypeDefinition decrypterType, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
 {
     return findEmbeddedResource(module, decrypterType, candidate =>
     {
         // Order matters: control flow is cleaned before strings are decrypted.
         simpleDeobfuscator.deobfuscate(candidate);
         simpleDeobfuscator.decryptStrings(candidate, deob);
     });
 }
		/// <summary>
		/// Searches the module for the type that wraps manifest-resource access and
		/// records it together with the helper methods found on it.
		/// </summary>
		/// <remarks>
		/// Candidates are recognised by their shape and member signatures, not by name.
		/// Only the first match is recorded; when nothing matches, no field is written.
		/// </remarks>
		/// <param name="simpleDeobfuscator">Forwarded to <c>FindGetManifestResourceStreamTypeResource</c>.</param>
		/// <param name="deob">Forwarded to <c>FindGetManifestResourceStreamTypeResource</c>.</param>
		public void Find(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
			foreach (var candidate in module.Types) {
				// Shape filter: exactly one field, no nested types, not generic, not a value type.
				bool shapeOk = candidate.Fields.Count == 1
					&& !candidate.HasNestedTypes
					&& !candidate.HasGenericParameters
					&& !candidate.IsValueType;
				if (!shapeOk)
					continue;

				// Both the "System.Reflection.Assembly" field lookup and a static constructor are required.
				if (DotNetUtils.GetField(candidate, "System.Reflection.Assembly") == null
					|| candidate.FindStaticConstructor() == null)
					continue;

				var streamGetter = GetTheOnlyMethod(candidate, "System.IO.Stream", "(System.Reflection.Assembly,System.Type,System.String)");
				var namesGetter = GetTheOnlyMethod(candidate, "System.String[]", "(System.Reflection.Assembly)");
				var refAsmsGetter = GetTheOnlyMethod(candidate, "System.Reflection.AssemblyName[]", "(System.Reflection.Assembly)");
				var bitmapFactory = GetTheOnlyMethod(candidate, "System.Drawing.Bitmap", "(System.Type,System.String)");
				var iconFactory = GetTheOnlyMethod(candidate, "System.Drawing.Icon", "(System.Type,System.String)");

				// At least one of the five helpers has to be present.
				bool noHelper = streamGetter == null && namesGetter == null && refAsmsGetter == null &&
					bitmapFactory == null && iconFactory == null;
				if (noHelper)
					continue;

				// A stream helper without a resolvable resource disqualifies the type.
				var embedded = FindGetManifestResourceStreamTypeResource(candidate, simpleDeobfuscator, deob);
				if (embedded == null && streamGetter != null)
					continue;

				getManifestResourceStreamType = candidate;
				CreateGetManifestResourceStream2(streamGetter);
				CreateGetManifestResourceNames(namesGetter);
				CreateGetReferencedAssemblies(refAsmsGetter);
				CreateBitmapCtor(bitmapFactory);
				CreateIconCtor(iconFactory);
				getManifestResourceStreamTypeResource = embedded;
				return;
			}
		}
Ejemplo n.º 6
 /// <summary>
 /// Stores the module and both deobfuscator helpers, then calls <c>findTypes()</c>.
 /// </summary>
 public ResolverInfoBase(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
 {
     this.deob = deob;
     this.simpleDeobfuscator = simpleDeobfuscator;
     this.module = module;

     // Kept last so every field above is assigned before the scan starts.
     findTypes();
 }
		/// <summary>
		/// Returns the first embedded resource whose name appears as a string literal in
		/// a private static method of <paramref name="type"/> that has the signature
		/// <c>System.String (System.Reflection.Assembly,System.Type,System.String)</c>.
		/// </summary>
		/// <remarks>
		/// Every method that passes the filter is deobfuscated and has its strings
		/// decrypted, whether or not a resource is eventually found.
		/// </remarks>
		/// <returns>The matching resource, or <c>null</c> when none is found.</returns>
		EmbeddedResource FindGetManifestResourceStreamTypeResource(TypeDef type, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
			foreach (var candidate in type.Methods) {
				bool privateStaticWithBody = candidate.IsPrivate && candidate.IsStatic && candidate.Body != null;
				if (!privateStaticWithBody)
					continue;
				if (!DotNetUtils.IsMethod(candidate, "System.String", "(System.Reflection.Assembly,System.Type,System.String)"))
					continue;

				// Clean the body first so that the string scan below sees decrypted literals.
				simpleDeobfuscator.Deobfuscate(candidate);
				simpleDeobfuscator.DecryptStrings(candidate, deob);

				foreach (var literal in DotNetUtils.GetCodeStrings(candidate)) {
					var found = DotNetUtils.GetResource(module, literal) as EmbeddedResource;
					if (found != null)
						return found;
				}
			}
			return null;
		}
Ejemplo n.º 8
        /// <summary>
        /// Searches the module for the type that wraps manifest-resource access and
        /// records it together with the helper methods found on it.
        /// </summary>
        /// <remarks>
        /// Candidates are recognised by their shape and member signatures, not by name.
        /// Only the first match is recorded; when nothing matches, no field is written.
        /// </remarks>
        /// <param name="simpleDeobfuscator">Forwarded to <c>findGetManifestResourceStreamTypeResource</c>.</param>
        /// <param name="deob">Forwarded to <c>findGetManifestResourceStreamTypeResource</c>.</param>
        public void find(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
        {
            foreach (var candidate in module.Types)
            {
                // Shape filter: exactly one field, no nested types, not generic, not a value type.
                bool shapeOk = candidate.Fields.Count == 1
                    && !candidate.HasNestedTypes
                    && !candidate.HasGenericParameters
                    && !candidate.IsValueType;
                if (!shapeOk)
                    continue;

                // Both the "System.Reflection.Assembly" field lookup and the .cctor lookup must succeed.
                if (DotNetUtils.getField(candidate, "System.Reflection.Assembly") == null
                    || DotNetUtils.getMethod(candidate, ".cctor") == null)
                    continue;

                var streamGetter = getTheOnlyMethod(candidate, "System.IO.Stream", "(System.Reflection.Assembly,System.Type,System.String)");
                var namesGetter = getTheOnlyMethod(candidate, "System.String[]", "(System.Reflection.Assembly)");
                var bitmapFactory = getTheOnlyMethod(candidate, "System.Drawing.Bitmap", "(System.Type,System.String)");
                var iconFactory = getTheOnlyMethod(candidate, "System.Drawing.Icon", "(System.Type,System.String)");

                // At least one of the four helpers has to be present.
                bool noHelper = streamGetter == null && namesGetter == null && bitmapFactory == null && iconFactory == null;
                if (noHelper)
                    continue;

                // A stream helper without a resolvable resource disqualifies the type.
                var embedded = findGetManifestResourceStreamTypeResource(candidate, simpleDeobfuscator, deob);
                if (embedded == null && streamGetter != null)
                    continue;

                getManifestResourceStreamType = candidate;
                createGetManifestResourceStream2(streamGetter);
                createGetManifestResourceNames(namesGetter);
                createBitmapCtor(bitmapFactory);
                createIconCtor(iconFactory);
                getManifestResourceStreamTypeResource = embedded;
                return;
            }
        }
Ejemplo n.º 9
        /// <summary>
        /// Runs <c>Detect()</c> on every candidate and returns the one with the highest
        /// positive score, or <c>null</c> when no candidate scores above zero.
        /// </summary>
        /// <remarks>
        /// A later candidate only wins with a strictly greater score, so ties keep the
        /// earliest one. There is currently no exception handler around <c>Detect()</c>:
        /// an exception thrown by any single detector propagates to the caller, ends the
        /// whole detection pass, and leaves <c>this.deob</c> pointing at that detector.
        /// </remarks>
        /// <param name="deobfuscators">Candidates to score, in priority order for ties.</param>
        IDeobfuscator DetectObfuscator2(IEnumerable <IDeobfuscator> deobfuscators)
        {
            var positives = new List <IDeobfuscator>();
            IDeobfuscator best = null;
            int bestScore = 0;

            foreach (var candidate in deobfuscators)
            {
                // So we can call deob.CanInlineMethods in deobfuscate()
                this.deob = candidate;

                //TODO: Re-enable exception handler. The disabled handler scored a
                // throwing detector 1 when its Type is "un" and 0 otherwise.
                int score = candidate.Detect();

                Logger.v("{0,3}: {1}", score, candidate.TypeLong);

                // "un" is left out of the ambiguity report below.
                if (score > 0 && candidate.Type != "un")
                    positives.Add(candidate);

                if (score > bestScore)
                {
                    bestScore = score;
                    best = candidate;
                }
            }
            this.deob = null;

            if (positives.Count > 1)
            {
                Logger.n("More than one obfuscator detected:");
                Logger.Instance.Indent();
                foreach (var hit in positives)
                    Logger.n("{0} (use: -p {1})", hit.Name, hit.Type);
                Logger.Instance.DeIndent();
            }

            return best;
        }
        /// <summary>
        /// Inspects the methods called by <paramref name="checkMethod"/> for the
        /// resolver's init method and, on a match, collects its numbered resources.
        /// </summary>
        /// <remarks>
        /// A callee qualifies when it is a static <c>System.Void ()</c> method with a body
        /// whose declaring type has exactly the two required field types, a <c>.ctor</c>,
        /// a resolve handler and a resource prefix. Resources are then read as
        /// prefix + five-digit index, starting at 0, until the first missing index.
        /// </remarks>
        /// <returns><c>true</c> when an init method was found and recorded.</returns>
        bool checkInitMethod(MethodDef checkMethod, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
        {
            var requiredFields = new[] {
                "System.Collections.Hashtable",
                "System.Boolean",
            };

            foreach (var callee in DotNetUtils.getCalledMethods(module, checkMethod)) {
                if (callee.Body == null || !callee.IsStatic)
                    continue;
                if (!DotNetUtils.isMethod(callee, "System.Void", "()"))
                    continue;

                var owner = callee.DeclaringType;
                if (!new FieldTypes(owner).exactly(requiredFields))
                    continue;

                var instanceCtor = owner.FindMethod(".ctor");
                if (instanceCtor == null)
                    continue;

                var resolveHandler = DeobUtils.getResolveMethod(instanceCtor);
                if (resolveHandler == null)
                    continue;

                // The prefix is only readable once the handler's strings are decrypted.
                simpleDeobfuscator.decryptStrings(resolveHandler, deob);
                var prefix = getResourcePrefix(resolveHandler);
                if (prefix == null)
                    continue;

                // The walk ends at the first index with no embedded resource.
                int index = 0;
                while (true) {
                    var found = DotNetUtils.getResource(module, prefix + index.ToString("D5")) as EmbeddedResource;
                    if (found == null)
                        break;
                    resources.Add(found);
                    index++;
                }

                initMethod = callee;
                return true;
            }

            return false;
        }
Ejemplo n.º 11
        /// <summary>
        /// Runs <c>detect()</c> on every candidate and returns the one with the highest
        /// positive score, or <c>null</c> when no candidate scores above zero.
        /// </summary>
        /// <remarks>
        /// A later candidate only wins with a strictly greater score, so ties keep the
        /// earliest one. Any exception from <c>detect()</c> is swallowed without being
        /// logged: the detector is then scored 1 if its Type is "un" and 0 otherwise, so
        /// a detector that crashes on a module is indistinguishable from one that
        /// simply did not match.
        /// </remarks>
        /// <param name="deobfuscators">Candidates to score, in priority order for ties.</param>
        IDeobfuscator detectObfuscator2(IEnumerable <IDeobfuscator> deobfuscators)
        {
            var positives = new List <IDeobfuscator>();
            IDeobfuscator best = null;
            int bestScore = 0;

            foreach (var candidate in deobfuscators)
            {
                // So we can call deob.CanInlineMethods in deobfuscate()
                this.deob = candidate;

                int score;
                try
                {
                    score = candidate.detect();
                }
                catch
                {
                    // Best effort: a failing detector must not abort the whole pass.
                    if (candidate.Type == "un")
                        score = 1;
                    else
                        score = 0;
                }

                Log.v("{0,3}: {1}", score, candidate.TypeLong);

                // "un" is left out of the ambiguity report below.
                if (score > 0 && candidate.Type != "un")
                    positives.Add(candidate);

                if (score > bestScore)
                {
                    bestScore = score;
                    best = candidate;
                }
            }
            this.deob = null;

            if (positives.Count > 1)
            {
                Log.n("More than one obfuscator detected:");
                Log.indent();
                foreach (var hit in positives)
                    Log.n("{0} (use: -p {1})", hit.Name, hit.Type);
                Log.deIndent();
            }

            return best;
        }
Ejemplo n.º 12
        /// <summary>
        /// Runs <c>earlyDetect()</c> on every candidate and returns the one with the
        /// highest positive score, or <c>null</c> when none scores above zero.
        /// </summary>
        /// <remarks>
        /// Ties keep the earliest candidate. Exceptions from <c>earlyDetect()</c> are not
        /// caught here and propagate to the caller.
        /// </remarks>
        IDeobfuscator earlyDetectObfuscator(IEnumerable <IDeobfuscator> deobfuscators)
        {
            IDeobfuscator best = null;
            int bestScore = 0;

            foreach (var candidate in deobfuscators)
            {
                int score = candidate.earlyDetect();

                // Only positive scores are logged.
                if (score > 0)
                    Log.v("{0,3}: {1}", score, candidate.TypeLong);

                if (score > bestScore)
                {
                    bestScore = score;
                    best = candidate;
                }
            }

            return best;
        }
Ejemplo n.º 13
        /// <summary>
        /// Selects the deobfuscator for this file and stores it in <c>this.deob</c>.
        /// </summary>
        /// <remarks>
        /// Three paths: a deobfuscator already set (native file unpacked) is initialized
        /// and run; a forced obfuscator type is matched case-insensitively against each
        /// candidate's <c>Type</c>; otherwise <c>DetectObfuscator2</c> picks the best score.
        /// When a type is forced but no candidate matches, <c>this.deob</c> stays
        /// <c>null</c>. <paramref name="deobfuscators"/> is enumerated more than once.
        /// </remarks>
        void DetectObfuscator(IEnumerable <IDeobfuscator> deobfuscators)
        {
            // The deobfuscators may call methods to deobfuscate control flow and decrypt
            // strings (statically) in order to detect the obfuscator.
            bool keepOriginalBodies = !options.ControlFlowDeobfuscation || options.StringDecrypterType == DecrypterType.None;
            if (keepOriginalBodies)
                savedMethodBodies = new SavedMethodBodies();

            // It's not null if it unpacked a native file
            if (this.deob != null)
            {
                this.deob.Initialize(module);
                this.deob.DeobfuscatedFile = this;
                this.deob.Detect();
                return;
            }

            foreach (var candidate in deobfuscators)
            {
                candidate.Initialize(module);
                candidate.DeobfuscatedFile = this;
            }

            if (options.ForcedObfuscatorType == null)
            {
                this.deob = DetectObfuscator2(deobfuscators);
                return;
            }

            foreach (var candidate in deobfuscators)
            {
                if (!string.Equals(options.ForcedObfuscatorType, candidate.Type, StringComparison.OrdinalIgnoreCase))
                    continue;

                // First match wins; the field is assigned before Detect() runs.
                this.deob = candidate;
                candidate.Detect();
                return;
            }
        }
Ejemplo n.º 14
        /// <summary>
        /// Adds a file to the deobfuscator and loads it.
        /// </summary>
        /// <remarks>
        /// The implementation is chosen once, from the first file added; later files
        /// go to that same implementation without a new <c>SupportsFile</c> check.
        /// </remarks>
        /// <param name="fileName">The name of the obfuscation map file to load.</param>
        /// <exception cref="NotSupportedException">
        /// No implementation has been chosen yet and neither one supports the file.
        /// </exception>
        public void AddFile(string fileName)
        {
            if (deobfuscatorImpl == null)
            {
                // Find out what system we need for this file; SeeUnsharp is probed first.
                bool isSeeUnsharp = SeeUnsharpDeobfuscator.SupportsFile(fileName);
                if (!isSeeUnsharp && !DotfuscatorDeobfuscator.SupportsFile(fileName))
                {
                    throw new NotSupportedException("The obfuscation map file is not supported.");
                }

                if (isSeeUnsharp)
                    deobfuscatorImpl = new SeeUnsharpDeobfuscator();
                else
                    deobfuscatorImpl = new DotfuscatorDeobfuscator();
            }

            deobfuscatorImpl.AddFile(fileName);
        }
Ejemplo n.º 15
		/// <summary>
		/// Finds the static <c>System.Void ()</c> method of <c>resolverType</c> from which
		/// the infos can be initialized.
		/// </summary>
		/// <remarks>
		/// Returns <c>true</c> immediately when there is no handler method. A candidate
		/// must contain both the integer constants ':' and '|'; each such candidate is
		/// deobfuscated and string-decrypted before the single-argument overload is tried.
		/// </remarks>
		/// <returns><c>false</c> only when a handler exists but no candidate initializes.</returns>
		bool initializeInfos(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
			if (handlerMethod == null)
				return true;

			foreach (var candidate in resolverType.Methods) {
				bool staticWithBody = candidate.IsStatic && candidate.Body != null;
				if (!staticWithBody)
					continue;
				if (!DotNetUtils.isMethod(candidate, "System.Void", "()"))
					continue;

				bool hasBothSeparators = DeobUtils.hasInteger(candidate, ':') && DeobUtils.hasInteger(candidate, '|');
				if (!hasBothSeparators)
					continue;

				simpleDeobfuscator.deobfuscate(candidate);
				simpleDeobfuscator.decryptStrings(candidate, deob);
				if (initializeInfos(candidate))
					return true;
			}

			return false;
		}
Ejemplo n.º 16
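        /// <summary>
        /// Locates the encrypted embedded-assemblies resource, decrypts it and parses
        /// it into <c>embeddedAssemblyInfos</c>.
        /// </summary>
        /// <remarks>
        /// Does nothing when <c>resolverType</c> is <c>null</c>, and only logs a warning
        /// when the resource cannot be found. The decrypted blob is read as: Int32 entry
        /// count, then per entry a BinaryReader string (name), an Int32 length and that
        /// many bytes of module data. The blob comes from the file being analysed, so
        /// both the count and each length are checked against the bytes actually
        /// available before anything is allocated or read.
        /// </remarks>
        /// <param name="simpleDeobfuscator">Forwarded to <c>BabelUtils.findEmbeddedResource</c>.</param>
        /// <param name="deob">Forwarded to <c>BabelUtils.findEmbeddedResource</c>.</param>
        /// <exception cref="InvalidDataException">
        /// The entry count or an entry length is negative or exceeds the remaining data.
        /// </exception>
        public void initialize(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
        {
            if (resolverType == null)
                return;

            encryptedResource = BabelUtils.findEmbeddedResource(module, resolverType, simpleDeobfuscator, deob);
            if (encryptedResource == null) {
                Log.w("Could not find embedded assemblies resource");
                return;
            }

            var decrypted = new ResourceDecrypter(module).decrypt(encryptedResource.GetResourceData());
            using (var reader = new BinaryReader(new MemoryStream(decrypted))) {
                int numAssemblies = reader.ReadInt32();

                // Every entry needs at least 5 bytes (1-byte string length prefix plus the
                // Int32 data length), which bounds the count by the bytes that are left.
                long bytesLeft = reader.BaseStream.Length - reader.BaseStream.Position;
                if (numAssemblies < 0 || numAssemblies > bytesLeft / 5)
                    throw new InvalidDataException("Invalid embedded assembly count");

                embeddedAssemblyInfos = new EmbeddedAssemblyInfo[numAssemblies];
                for (int i = 0; i < numAssemblies; i++) {
                    string name = reader.ReadString();
                    int dataLength = reader.ReadInt32();

                    // ReadBytes would silently return a short array on truncated input.
                    bytesLeft = reader.BaseStream.Length - reader.BaseStream.Position;
                    if (dataLength < 0 || dataLength > bytesLeft)
                        throw new InvalidDataException("Invalid embedded assembly length");

                    var data = reader.ReadBytes(dataLength);
                    // The module is parsed only to learn its kind for the file extension.
                    var mod = ModuleDefinition.ReadModule(new MemoryStream(data));
                    embeddedAssemblyInfos[i] = new EmbeddedAssemblyInfo(name, DeobUtils.getExtension(mod.Kind), data);
                }
            }
        }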
Ejemplo n.º 17
        /// <summary>
        /// Tries to locate the strings resource referenced by <paramref name="initMethod"/>,
        /// first as-is and then once more after decrypting the method's strings.
        /// </summary>
        /// <remarks>
        /// <c>stringsResource</c> is overwritten by each attempt, so it ends up
        /// <c>null</c> when both fail. String decryption is only run when the first
        /// attempt finds nothing.
        /// </remarks>
        /// <returns><c>true</c> when <c>stringsResource</c> was set to a non-null value.</returns>
        bool FindStringsResource2(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator, MethodDef initMethod)
        {
            if (initMethod == null)
                return false;

            stringsResource = FindStringResource(initMethod);
            if (stringsResource == null)
            {
                // The resource name may itself be an encrypted string; decrypt and retry.
                simpleDeobfuscator.DecryptStrings(initMethod, deob);
                stringsResource = FindStringResource(initMethod);
            }

            return stringsResource != null;
        }
Ejemplo n.º 18
        /// <summary>
        /// Prepares the assembly infos and the decryption key from the handler and
        /// decrypt methods. Does nothing when there is no handler method.
        /// </summary>
        /// <remarks>
        /// Each method is deobfuscated and string-decrypted before it is inspected. If
        /// the second step throws, the assembly infos from the first step have already
        /// been created.
        /// </remarks>
        /// <exception cref="ApplicationException">
        /// <c>createAssemblyInfos()</c> or <c>createDecryptKey()</c> returned <c>false</c>.
        /// </exception>
        public void initialize(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
        {
            if (handlerMethod == null)
                return;

            findOtherType();

            // Step 1: assembly infos come from the cleaned handler method.
            simpleDeobfuscator.deobfuscate(handlerMethod);
            simpleDeobfuscator.decryptStrings(handlerMethod, deob);
            bool haveInfos = createAssemblyInfos();
            if (!haveInfos)
                throw new ApplicationException("Could not initialize assembly infos");

            // Step 2: the key comes from the cleaned decrypt method.
            simpleDeobfuscator.deobfuscate(decryptMethod);
            simpleDeobfuscator.decryptStrings(decryptMethod, deob);
            bool haveKey = createDecryptKey();
            if (!haveKey)
                throw new ApplicationException("Could not initialize decryption key");
        }
Ejemplo n.º 19
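        /// <summary>
        /// Offers the native PE image at <c>Filename</c> to each deobfuscator in turn and
        /// adopts the first unpacked payload that loads as a module.
        /// </summary>
        /// <remarks>
        /// On success <c>module</c> is replaced and <c>this.deob</c> is set to the
        /// deobfuscator that produced the payload. Exceptions from
        /// <c>UnpackNativeFile</c> are swallowed and treated as "cannot unpack"; a
        /// payload that fails to load is logged as a warning and the next deobfuscator
        /// is tried.
        /// </remarks>
        /// <returns><c>true</c> when a payload was unpacked and loaded.</returns>
        bool UnpackNativeImage(IEnumerable <IDeobfuscator> deobfuscators)
        {
            using (var peImage = new PEImage(Filename)) {
                foreach (var deob in deobfuscators)
                {
                    byte[] unpackedData = null;
                    try {
                        unpackedData = deob.UnpackNativeFile(peImage);
                    }
                    catch {
                        // Deliberate best effort: an unpacker that throws on this input
                        // is skipped. The failure is not logged.
                    }
                    if (unpackedData == null)
                    {
                        continue;
                    }

                    var oldModule = module;
                    try {
                        module = assemblyModule.Load(unpackedData);
                    }
                    catch {
                        // Fixed: the deobfuscator placeholder was {0}, which printed the
                        // file name twice and dropped deob.TypeLong from the warning.
                        Logger.w("Could not load unpacked data. File: {0}, deobfuscator: {1}", peImage.FileName ?? "(unknown filename)", deob.TypeLong);
                        continue;
                    }
                    finally {
                        // NOTE(review): this also runs when Load() threw, in which case
                        // 'module' still refers to the instance disposed here - confirm
                        // that callers never use 'module' after a false return.
                        if (oldModule != null)
                        {
                            oldModule.Dispose();
                        }
                    }
                    this.deob = deob;
                    return(true);
                }
            }

            return(false);
        }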
Ejemplo n.º 20
        /// <summary>
        /// Selects the deobfuscator for this file and stores it in <c>this.deob</c>.
        /// </summary>
        /// <remarks>
        /// Three paths: a deobfuscator already set (native file unpacked) is initialized
        /// and run; a forced obfuscator type is matched case-insensitively against each
        /// candidate's <c>Type</c>; otherwise early detection is tried first and full
        /// detection only when early detection finds nothing. When a type is forced but
        /// no candidate matches, <c>this.deob</c> stays <c>null</c>.
        /// <paramref name="deobfuscators"/> is enumerated more than once.
        /// </remarks>
        void detectObfuscator(IEnumerable<IDeobfuscator> deobfuscators)
        {
            // The deobfuscators may call methods to deobfuscate control flow and decrypt
            // strings (statically) in order to detect the obfuscator.
            bool keepOriginalBodies = !options.ControlFlowDeobfuscation || options.StringDecrypterType == DecrypterType.None;
            if (keepOriginalBodies)
                savedMethodBodies = new SavedMethodBodies();

            // It's not null if it unpacked a native file
            if (this.deob != null) {
                this.deob.init(module);
                this.deob.DeobfuscatedFile = this;
                this.deob.earlyDetect();
                this.deob.detect();
                return;
            }

            foreach (var candidate in deobfuscators) {
                candidate.init(module);
                candidate.DeobfuscatedFile = this;
            }

            if (options.ForcedObfuscatorType == null) {
                this.deob = earlyDetectObfuscator(deobfuscators);
                if (this.deob != null)
                    this.deob.detect();
                else
                    this.deob = detectObfuscator2(deobfuscators);
                return;
            }

            foreach (var candidate in deobfuscators) {
                if (!string.Equals(options.ForcedObfuscatorType, candidate.Type, StringComparison.OrdinalIgnoreCase))
                    continue;

                // First match wins; earlyDetect() runs before the field is assigned.
                candidate.earlyDetect();
                this.deob = candidate;
                candidate.detect();
                return;
            }
        }
Ejemplo n.º 21
        /// <summary>
        /// Collects the resource infos for every string literal found in the assembly
        /// resolver method, treating each literal as a resource prefix.
        /// </summary>
        /// <remarks>
        /// The resolver method is deobfuscated and string-decrypted first. Every literal
        /// in the method is passed to <c>GetResourceInfos</c>, not only those that turn
        /// out to name resources.
        /// </remarks>
        /// <returns>A new list; empty when there is no resolver method.</returns>
        public List <ResourceInfo> GetEmbeddedAssemblies(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
        {
            var collected = new List <ResourceInfo>();

            if (assemblyResolverMethod != null)
            {
                simpleDeobfuscator.Deobfuscate(assemblyResolverMethod);
                simpleDeobfuscator.DecryptStrings(assemblyResolverMethod, deob);

                foreach (var prefix in DotNetUtils.GetCodeStrings(assemblyResolverMethod))
                    collected.AddRange(GetResourceInfos(prefix));
            }

            return collected;
        }
Ejemplo n.º 22
        /// <summary>
        /// Works out the string decrypter's version, method, resource and string offset.
        /// </summary>
        /// <remarks>
        /// For versions up to V3 the offset starts at 0 and, except for V1, is XOR-ed with
        /// the assembly's public key token folded into 16-bit big-endian pairs (when the
        /// init method calls GetPublicKeyToken and a token exists) and with a value derived
        /// from the decrypter method's metadata token (when the init method contains both
        /// 0xFFFFFF and 0xFFFF). For later versions the offset is read from the static
        /// constructor and the version is set to V4.
        /// </remarks>
        /// <returns><c>false</c> when the strings resource cannot be found, else <c>true</c>.</returns>
        /// <exception cref="ApplicationException">
        /// The decrypter method, or (for versions after V3) the string offset, was not found.
        /// </exception>
        public bool init(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator)
        {
            var staticCtor = DotNetUtils.getMethod(stringsEncodingClass, ".cctor");
            if (staticCtor != null)
                simpleDeobfuscator.deobfuscate(staticCtor);

            // guessVersion receives null when the class has no static constructor.
            decrypterVersion = guessVersion(staticCtor);

            if (!findDecrypterMethod())
                throw new ApplicationException("Could not find string decrypter method");

            if (!findStringsResource(deob, simpleDeobfuscator, staticCtor))
                return false;

            if (decrypterVersion > StringDecrypterVersion.V3)
            {
                var foundOffset = findOffsetValue(staticCtor);
                if (foundOffset == null)
                    throw new ApplicationException("Could not find string offset");

                stringOffset     = foundOffset.Value;
                decrypterVersion = StringDecrypterVersion.V4;
            }
            else
            {
                // Only V3 keeps its setup in the static constructor.
                MethodDefinition offsetSource;
                if (decrypterVersion == StringDecrypterVersion.V3)
                    offsetSource = staticCtor;
                else
                    offsetSource = stringDecrypterMethod;

                stringOffset = 0;
                if (decrypterVersion != StringDecrypterVersion.V1)
                {
                    if (callsGetPublicKeyToken(offsetSource))
                    {
                        var token = module.Assembly.Name.PublicKeyToken;
                        if (token != null)
                        {
                            // Fold the token two bytes at a time; a trailing odd byte is ignored.
                            for (int pos = 0; pos < token.Length - 1; pos += 2)
                                stringOffset ^= ((int)token[pos] << 8) + token[pos + 1];
                        }
                    }

                    bool usesTokenMask = DeobUtils.hasInteger(offsetSource, 0xFFFFFF) &&
                                         DeobUtils.hasInteger(offsetSource, 0xFFFF);
                    if (usesTokenMask)
                        stringOffset ^= ((stringDecrypterMethod.MetadataToken.ToInt32() & 0xFFFFFF) - 1) % 0xFFFF;
                }
            }

            simpleZipTypeMethod = findSimpleZipTypeMethod(staticCtor) ?? findSimpleZipTypeMethod(stringDecrypterMethod);
            if (simpleZipTypeMethod != null)
                resourceDecrypter = new ResourceDecrypter(new ResourceDecrypterInfo(module, simpleZipTypeMethod, simpleDeobfuscator));

            return true;
        }
Ejemplo n.º 23
		/// <summary>
		/// Explicit <c>IDeobfuscatedFile</c> implementation: replaces the deobfuscator
		/// used for this file. The value is stored as given, without a null check.
		/// </summary>
		void IDeobfuscatedFile.SetDeobfuscator(IDeobfuscator deob)
		{
			this.deob = deob;
		}
Ejemplo n.º 24
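		/// <summary>
		/// Offers the native PE image at <c>Filename</c> to each deobfuscator in turn and
		/// adopts the first unpacked payload that loads as a module.
		/// </summary>
		/// <remarks>
		/// On success <c>module</c> is replaced and <c>this.deob</c> is set to the
		/// deobfuscator that produced the payload. Exceptions from
		/// <c>UnpackNativeFile</c> are swallowed and treated as "cannot unpack"; a
		/// payload that fails to load is logged as a warning and the next deobfuscator
		/// is tried.
		/// </remarks>
		/// <returns><c>true</c> when a payload was unpacked and loaded.</returns>
		bool UnpackNativeImage(IEnumerable<IDeobfuscator> deobfuscators) {
			using (var peImage = new PEImage(Filename)) {
				foreach (var deob in deobfuscators) {
					byte[] unpackedData = null;
					try {
						unpackedData = deob.UnpackNativeFile(peImage);
					}
					catch {
						// Deliberate best effort: an unpacker that throws on this input
						// is skipped. The failure is not logged.
					}
					if (unpackedData == null)
						continue;

					var oldModule = module;
					try {
						module = assemblyModule.Load(unpackedData);
					}
					catch {
						// Fixed: the deobfuscator placeholder was {0}, which printed the
						// file name twice and dropped deob.TypeLong from the warning.
						Logger.w("Could not load unpacked data. File: {0}, deobfuscator: {1}", peImage.FileName ?? "(unknown filename)", deob.TypeLong);
						continue;
					}
					finally {
						// NOTE(review): this also runs when Load() threw, in which case
						// 'module' still refers to the instance disposed here - confirm
						// that callers never use 'module' after a false return.
						if (oldModule != null)
							oldModule.Dispose();
					}
					this.deob = deob;
					return true;
				}
			}

			return false;
		}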
Ejemplo n.º 25
 /// <summary>
 /// Passes the module and both deobfuscator helpers to the base constructor and
 /// keeps a reference to the assembly resolver info.
 /// </summary>
 public ResourceResolverInfo(
     ModuleDefMD module,
     ISimpleDeobfuscator simpleDeobfuscator,
     IDeobfuscator deob,
     AssemblyResolverInfo assemblyResolverInfo)
     : base(module, simpleDeobfuscator, deob)
 {
     // Stored as given; no null check is performed here.
     this.assemblyResolverInfo = assemblyResolverInfo;
 }
Ejemplo n.º 26
		/// <summary>
		/// Works out the string decrypter's version, method, resource and string offset.
		/// </summary>
		/// <remarks>
		/// For versions up to V3 the offset starts at 0 and, except for V1, is XOR-ed with
		/// the assembly's public key token folded into 16-bit big-endian pairs (when the
		/// init method calls GetPublicKeyToken and the token is not null or empty) and with
		/// a value derived from the decrypter method's metadata token (when the init method
		/// contains both 0xFFFFFF and 0xFFFF). For later versions the offset is read from
		/// the static constructor and the version is set to V4.
		/// </remarks>
		/// <returns><c>false</c> when the strings resource cannot be found, else <c>true</c>.</returns>
		/// <exception cref="ApplicationException">
		/// The decrypter method, or (for versions after V3) the string offset, was not found.
		/// </exception>
		public bool Initialize(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator) {
			var staticCtor = stringsEncodingClass.FindStaticConstructor();
			if (staticCtor != null) {
				simpleDeobfuscator.Deobfuscate(staticCtor);
			}

			// GuessVersion receives null when the class has no static constructor.
			decrypterVersion = GuessVersion(staticCtor);

			if (!FindDecrypterMethod()) {
				throw new ApplicationException("Could not find string decrypter method");
			}

			if (!FindStringsResource(deob, simpleDeobfuscator, staticCtor)) {
				return false;
			}

			if (decrypterVersion > StringDecrypterVersion.V3) {
				var foundOffset = FindOffsetValue(staticCtor);
				if (foundOffset == null) {
					throw new ApplicationException("Could not find string offset");
				}
				stringOffset = foundOffset.Value;
				decrypterVersion = StringDecrypterVersion.V4;
			}
			else {
				// Only V3 keeps its setup in the static constructor.
				MethodDef offsetSource;
				if (decrypterVersion == StringDecrypterVersion.V3) {
					offsetSource = staticCtor;
				}
				else {
					offsetSource = stringDecrypterMethod;
				}

				stringOffset = 0;
				if (decrypterVersion != StringDecrypterVersion.V1) {
					if (CallsGetPublicKeyToken(offsetSource)) {
						var token = PublicKeyBase.ToPublicKeyToken(module.Assembly.PublicKeyToken);
						if (!PublicKeyBase.IsNullOrEmpty2(token)) {
							// Fold the token two bytes at a time; a trailing odd byte is ignored.
							for (int pos = 0; pos < token.Data.Length - 1; pos += 2) {
								stringOffset ^= ((int)token.Data[pos] << 8) + token.Data[pos + 1];
							}
						}
					}

					bool usesTokenMask = DeobUtils.HasInteger(offsetSource, 0xFFFFFF) &&
						DeobUtils.HasInteger(offsetSource, 0xFFFF);
					if (usesTokenMask) {
						stringOffset ^= ((stringDecrypterMethod.MDToken.ToInt32() & 0xFFFFFF) - 1) % 0xFFFF;
					}
				}
			}

			simpleZipTypeMethod = FindSimpleZipTypeMethod(staticCtor) ?? FindSimpleZipTypeMethod(stringDecrypterMethod);
			if (simpleZipTypeMethod != null) {
				resourceDecrypter = new ResourceDecrypter(new ResourceDecrypterInfo(module, simpleZipTypeMethod, simpleDeobfuscator));
			}

			return true;
		}
Ejemplo n.º 27
        /// <summary>
        /// Locates the encrypted methods resource, decrypts it and registers the result
        /// with <c>addImageReader</c> under the empty name.
        /// </summary>
        /// <remarks>
        /// Does nothing when <c>methodsDecrypter</c> is <c>null</c>, and only logs a
        /// warning when the resource cannot be found. The decrypted bytes are handed on
        /// without any check in this method.
        /// </remarks>
        public void initialize(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
        {
            if (methodsDecrypter == null)
                return;

            encryptedResource = BabelUtils.findEmbeddedResource(module, methodsDecrypter, simpleDeobfuscator, deob);
            if (encryptedResource != null) {
                var decrypter = new ResourceDecrypter(module);
                var plain = decrypter.decrypt(encryptedResource.GetResourceData());
                addImageReader("", plain);
            }
            else {
                Log.w("Could not find encrypted methods resource");
            }
        }
Ejemplo n.º 28
 /// <summary>
 /// Stores the module and both deobfuscator helpers; performs no other work.
 /// </summary>
 public ResolverInfoBase(ModuleDefMD module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
 {
     this.deob = deob;
     this.simpleDeobfuscator = simpleDeobfuscator;
     this.module = module;
 }
Ejemplo n.º 29
 /// <summary>
 /// Convenience overload: delegates to the callback-based <c>FindEmbeddedResource</c>,
 /// supplying a callback that deobfuscates a method and then decrypts its strings.
 /// </summary>
 /// <returns>Whatever the callback-based overload returns.</returns>
 public static EmbeddedResource FindEmbeddedResource(ModuleDefMD module, TypeDef decrypterType, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
 {
     return FindEmbeddedResource(module, decrypterType, candidate =>
     {
         // Order matters: control flow is cleaned before strings are decrypted.
         simpleDeobfuscator.Deobfuscate(candidate);
         simpleDeobfuscator.DecryptStrings(candidate, deob);
     });
 }
Ejemplo n.º 30
 /// <summary>
 /// Forwards all three arguments to the base constructor; adds no state of its own.
 /// </summary>
 public ResourceResolver(
     ModuleDefMD module,
     ISimpleDeobfuscator simpleDeobfuscator,
     IDeobfuscator deob)
     : base(module, simpleDeobfuscator, deob)
 {
     // Intentionally empty.
 }
Ejemplo n.º 31
		/// <summary>
		/// Passes the module and both deobfuscator helpers to the base constructor and
		/// keeps a reference to the assembly resolver info.
		/// </summary>
		public ResourceResolverInfo(
			ModuleDefMD module,
			ISimpleDeobfuscator simpleDeobfuscator,
			IDeobfuscator deob,
			AssemblyResolverInfo assemblyResolverInfo)
			: base(module, simpleDeobfuscator, deob)
		{
			// Stored as given; no null check is performed here.
			this.assemblyResolverInfo = assemblyResolverInfo;
		}
Ejemplo n.º 32
 /// <summary>
 /// Replaces the current module with one reloaded from <paramref name="newModuleData"/>
 /// and rebinds the state that depends on the module.
 /// </summary>
 /// <remarks>
 /// The statement order is significant: the deobfuscator is replaced by the value
 /// returned from <c>moduleReloaded</c> before it is initialized and attached to
 /// this file.
 /// NOTE(review): newModuleData is presumably produced by decrypting the analysed
 /// file - confirm that <c>assemblyModule.reload</c> tolerates malformed images.
 /// </remarks>
 /// <param name="newModuleData">Raw bytes of the module to load.</param>
 /// <param name="dumpedMethods">Passed through to <c>assemblyModule.reload</c>.</param>
 void reloadModule(byte[] newModuleData, DumpedMethods dumpedMethods)
 {
     Log.v("Reloading decrypted assembly (original filename: {0})", Filename);
     // Flags recorded for the old module's methods are dropped.
     simpleDeobfuscatorFlags.Clear();
     module = assemblyModule.reload(newModuleData, dumpedMethods);
     // Recomputed after 'module' has been replaced.
     allMethods = getAllMethods();
     // The deobfuscator may hand back a different instance for the new module.
     deob = deob.moduleReloaded(module);
     initializeDeobfuscator();
     deob.DeobfuscatedFile = this;
     updateDynamicStringInliner();
 }
        /// <summary>
        /// Finds the static <c>System.Void ()</c> method of <c>resolverType</c> from which
        /// the infos can be initialized.
        /// </summary>
        /// <remarks>
        /// Returns <c>true</c> immediately when there is no handler method. A candidate
        /// must contain both the integer constants ':' and '|'; each such candidate is
        /// deobfuscated and string-decrypted before the single-argument overload is tried.
        /// </remarks>
        /// <returns><c>false</c> only when a handler exists but no candidate initializes.</returns>
        bool initializeInfos(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
        {
            if (handlerMethod == null)
                return true;

            foreach (var candidate in resolverType.Methods)
            {
                bool staticWithBody = candidate.IsStatic && candidate.Body != null;
                if (!staticWithBody)
                    continue;
                if (!DotNetUtils.isMethod(candidate, "System.Void", "()"))
                    continue;

                bool hasBothSeparators = DeobUtils.hasInteger(candidate, ':') && DeobUtils.hasInteger(candidate, '|');
                if (!hasBothSeparators)
                    continue;

                simpleDeobfuscator.deobfuscate(candidate);
                simpleDeobfuscator.decryptStrings(candidate, deob);
                if (initializeInfos(candidate))
                    return true;
            }

            return false;
        }
Ejemplo n.º 34
 /// <summary>
 /// Stores the module and both deobfuscator helpers; performs no other work.
 /// </summary>
 public ResolverInfoBase(ModuleDefMD module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
 {
     this.deob = deob;
     this.simpleDeobfuscator = simpleDeobfuscator;
     this.module = module;
 }
Ejemplo n.º 35
		/// <summary>
		/// Tries to locate the strings resource referenced by <paramref name="initMethod"/>,
		/// first as-is and then once more after decrypting the method's strings.
		/// </summary>
		/// <remarks>
		/// <c>stringsResource</c> is overwritten by each attempt, so it ends up
		/// <c>null</c> when both fail. String decryption is only run when the first
		/// attempt finds nothing.
		/// </remarks>
		/// <returns><c>true</c> when <c>stringsResource</c> was set to a non-null value.</returns>
		bool FindStringsResource2(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator, MethodDef initMethod) {
			if (initMethod == null) {
				return false;
			}

			stringsResource = FindStringResource(initMethod);
			if (stringsResource == null) {
				// The resource name may itself be an encrypted string; decrypt and retry.
				simpleDeobfuscator.DecryptStrings(initMethod, deob);
				stringsResource = FindStringResource(initMethod);
			}

			return stringsResource != null;
		}
Ejemplo n.º 36
 /// <summary>
 /// Stores the module and both deobfuscator helpers; performs no other work.
 /// </summary>
 public AssemblyDecrypter(ModuleDefMD module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
 {
     this.deob = deob;
     this.simpleDeobfuscator = simpleDeobfuscator;
     this.module = module;
 }
Ejemplo n.º 37
        /// <summary>
        /// Inspects the methods called by <paramref name="checkMethod"/> for the
        /// resolver's init method and, on a match, collects its numbered resources.
        /// </summary>
        /// <remarks>
        /// A callee qualifies when it is a static <c>System.Void ()</c> method with a body
        /// whose declaring type has exactly the two required field types, a <c>.ctor</c>,
        /// a handler and a resource prefix. Resources are then read as
        /// prefix + five-digit index, starting at 0, until the first missing index.
        /// </remarks>
        /// <returns><c>true</c> when an init method was found and recorded.</returns>
        bool checkInitMethod(MethodDefinition checkMethod, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
        {
            var requiredFields = new[] {
                "System.Collections.Hashtable",
                "System.Boolean",
            };

            foreach (var callee in DotNetUtils.getCalledMethods(module, checkMethod))
            {
                if (callee.Body == null || !callee.IsStatic)
                    continue;
                if (!DotNetUtils.isMethod(callee, "System.Void", "()"))
                    continue;

                var owner = callee.DeclaringType;
                if (!new FieldTypes(owner).exactly(requiredFields))
                    continue;

                var instanceCtor = DotNetUtils.getMethod(owner, ".ctor");
                if (instanceCtor == null)
                    continue;

                var resolveHandler = getHandler(instanceCtor);
                if (resolveHandler == null)
                    continue;

                // The prefix is only readable once the handler's strings are decrypted.
                simpleDeobfuscator.decryptStrings(resolveHandler, deob);
                var prefix = getResourcePrefix(resolveHandler);
                if (prefix == null)
                    continue;

                // The walk ends at the first index with no embedded resource.
                int index = 0;
                while (true)
                {
                    var found = DotNetUtils.getResource(module, prefix + index.ToString("D5")) as EmbeddedResource;
                    if (found == null)
                        break;
                    resources.Add(found);
                    index++;
                }

                initMethod = callee;
                return true;
            }

            return false;
        }
Ejemplo n.º 38
        /// <summary>
        /// Recovers the embed password from <c>embedResolverMethod</c> (when that method is known)
        /// and uses it to decrypt every embedded resource whose name matches the
        /// <c>cfd_&lt;hex&gt;_</c> pattern, returning one <c>AssemblyInfo</c> per decrypted assembly.
        /// </summary>
        /// <returns>The decrypted assemblies; an empty list when no password is available.</returns>
        public List<AssemblyInfo> GetAssemblyInfos(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
        {
            var result = new List<AssemblyInfo>();

            if (embedResolverMethod != null)
            {
                simpleDeobfuscator.Deobfuscate(embedResolverMethod);
                simpleDeobfuscator.DecryptStrings(embedResolverMethod, deob);
                embedPassword = GetEmbedPassword(embedResolverMethod);
            }

            if (embedPassword != null)
            {
                foreach (var rsrc in module.Resources)
                {
                    var embedded = rsrc as EmbeddedResource;
                    if (embedded == null || !Regex.IsMatch(embedded.Name.String, "^cfd_([0-9a-f]{2})+_$"))
                    {
                        continue;
                    }

                    // NOTE(review): the payload comes from the module being analysed; any failure in
                    // Gunzip, Decrypt or ModuleDefMD.Load propagates to the caller from here.
                    var compressed = embedded.Data.ReadAllBytes();
                    var asmData    = Decrypt(embedPassword, Gunzip(compressed));
                    var loaded     = ModuleDefMD.Load(asmData);
                    result.Add(new AssemblyInfo(asmData, embedded, loaded.Assembly.FullName, loaded.Assembly.Name.String, DeobUtils.GetExtension(loaded.Kind)));
                }
            }

            return result;
        }
Ejemplo n.º 39
		// Replaces the current module with one reloaded from newModuleData (the decrypted
		// assembly bytes), then re-initializes the deobfuscator state that refers to the module.
		void ReloadModule(byte[] newModuleData, DumpedMethods dumpedMethods) {
			Logger.v("Reloading decrypted assembly (original filename: {0})", Filename);
			// Clear the flag collection before the module is swapped.
			simpleDeobfuscatorFlags.Clear();
			// The using block disposes the previous module after the replacement has been assigned.
			using (var oldModule = module) {
				// `deob as IStringDecrypter` evaluates to null when deob does not implement that interface.
				module = assemblyModule.Reload(newModuleData, CreateDumpedMethodsRestorer(dumpedMethods), deob as IStringDecrypter);
				// ModuleReloaded returns the deobfuscator instance to use with the new module.
				deob = deob.ModuleReloaded(module);
			}
			InitializeDeobfuscator();
			deob.DeobfuscatedFile = this;
			UpdateDynamicStringInliner();
		}
Ejemplo n.º 40
        /// <summary>
        /// Prepares the string decrypter: guesses the decrypter version, locates the decrypter
        /// method and the strings resource, computes <c>stringOffset</c>, and sets up a resource
        /// decrypter when a SimpleZip type method is found.
        /// </summary>
        /// <returns><c>false</c> when the strings resource cannot be found; <c>true</c> otherwise.</returns>
        /// <exception cref="ApplicationException">The decrypter method or the string offset
        /// could not be found.</exception>
        public bool Initialize(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator)
        {
            var cctor = stringsEncodingClass.FindStaticConstructor();
            if (cctor != null)
                simpleDeobfuscator.Deobfuscate(cctor);

            // GuessVersion is called even when no static constructor exists (cctor == null).
            decrypterVersion = GuessVersion(cctor);

            if (!FindDecrypterMethod())
                throw new ApplicationException("Could not find string decrypter method");

            if (!FindStringsResource(deob, simpleDeobfuscator, cctor))
                return false;

            if (decrypterVersion > StringDecrypterVersion.V3)
            {
                // Newer layout: the offset is a constant read from the static constructor.
                var offsetVal = FindOffsetValue(cctor);
                if (offsetVal == null)
                    throw new ApplicationException("Could not find string offset");

                stringOffset     = offsetVal.Value;
                decrypterVersion = StringDecrypterVersion.V4;
            }
            else
            {
                // V3 inspects the static constructor; every earlier version inspects the decrypter method.
                MethodDef initMethod = decrypterVersion == StringDecrypterVersion.V3
                    ? cctor
                    : stringDecrypterMethod;

                stringOffset = 0;
                if (decrypterVersion != StringDecrypterVersion.V1)
                {
                    if (CallsGetPublicKeyToken(initMethod))
                    {
                        var pkt = PublicKeyBase.ToPublicKeyToken(module.Assembly.PublicKeyToken);
                        if (!PublicKeyBase.IsNullOrEmpty2(pkt))
                        {
                            // Fold the token into the offset two bytes at a time (big-endian pairs).
                            for (int i = 0; i < pkt.Data.Length - 1; i += 2)
                                stringOffset ^= ((int)pkt.Data[i] << 8) + pkt.Data[i + 1];
                        }
                    }

                    bool usesTokenConstants = DeobUtils.HasInteger(initMethod, 0xFFFFFF) &&
                                              DeobUtils.HasInteger(initMethod, 0xFFFF);
                    if (usesTokenConstants)
                        stringOffset ^= ((stringDecrypterMethod.MDToken.ToInt32() & 0xFFFFFF) - 1) % 0xFFFF;
                }
            }

            simpleZipTypeMethod = FindSimpleZipTypeMethod(cctor) ?? FindSimpleZipTypeMethod(stringDecrypterMethod);
            if (simpleZipTypeMethod != null)
                resourceDecrypter = new ResourceDecrypter(new ResourceDecrypterInfo(module, simpleZipTypeMethod, simpleDeobfuscator));

            return true;
        }
Ejemplo n.º 41
		/// <summary>
		/// Runs the deobfuscation clean-up, disposes the module and the deobfuscator when they
		/// are set, and then clears both references.
		/// </summary>
		public void Dispose() {
			DeobfuscateCleanUp();

			if (module != null) {
				module.Dispose();
			}
			if (deob != null) {
				deob.Dispose();
			}

			// References are cleared only after both Dispose calls have returned.
			module = null;
			deob = null;
		}
Ejemplo n.º 42
 /// <summary>
 /// Records the module and the deobfuscator helpers used by this anti-debugger handler.
 /// </summary>
 /// <param name="module">Module stored in the <c>module</c> field.</param>
 /// <param name="simpleDeobfuscator">Helper stored in the <c>simpleDeobfuscator</c> field.</param>
 /// <param name="deob">Deobfuscator stored in the <c>deob</c> field.</param>
 public AntiDebugger(ModuleDefMD module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
 {
     // Field assignments only; nothing is validated or inspected here.
     this.deob = deob;
     this.simpleDeobfuscator = simpleDeobfuscator;
     this.module = module;
 }
Ejemplo n.º 43
 /// <summary>
 /// Resets this instance by clearing its reference to the deobfuscator implementation;
 /// per the original documentation, this removes all loaded map files.
 /// </summary>
 public void Clear()
 {
     // Only the reference is dropped; nothing is disposed here.
     deobfuscatorImpl = null;
 }
Ejemplo n.º 44
		/// <summary>
		/// Initializes the resource decrypter infos and fails loudly when that is not possible.
		/// </summary>
		/// <exception cref="ApplicationException"><c>initializeInfos</c> returned <c>false</c>.</exception>
		public void initialize(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
			bool initialized = initializeInfos(simpleDeobfuscator, deob);
			if (!initialized) {
				throw new ApplicationException("Could not initialize resource decrypter");
			}
		}
Ejemplo n.º 45
 /// <summary>
 /// Runs the shared <c>deobfuscate</c> routine on <paramref name="method"/> under the
 /// "Static string decryption" label, delegating the block-level work to
 /// <paramref name="theDeob"/>.
 /// </summary>
 void ISimpleDeobfuscator.decryptStrings(MethodDefinition method, IDeobfuscator theDeob)
 {
     deobfuscate(
         method,
         "Static string decryption",
         blocks => theDeob.deobfuscateStrings(blocks));
 }
Ejemplo n.º 46
		/// <summary>
		/// Captures the module and the deobfuscator helpers this decrypter works with.
		/// </summary>
		/// <param name="module">Module stored in the <c>module</c> field.</param>
		/// <param name="simpleDeobfuscator">Helper stored in the <c>simpleDeobfuscator</c> field.</param>
		/// <param name="deob">Deobfuscator stored in the <c>deob</c> field.</param>
		public AssemblyDecrypter(ModuleDefMD module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
			// Plain field assignments; arguments are not checked for null.
			this.deob = deob;
			this.simpleDeobfuscator = simpleDeobfuscator;
			this.module = module;
		}
Ejemplo n.º 47
        /// <summary>
        /// Asks every deobfuscator for a detection score and returns the one with the highest
        /// positive score. When several non-"un" deobfuscators report a positive score, the
        /// alternatives are logged with the option needed to select each of them.
        /// </summary>
        /// <returns>The best-scoring deobfuscator, or <c>null</c> when none scored above zero.</returns>
        IDeobfuscator detectObfuscator2(IEnumerable<IDeobfuscator> deobfuscators)
        {
            var positives = new List<IDeobfuscator>();
            IDeobfuscator best = null;
            int bestScore = 0;

            foreach (var candidate in deobfuscators)
            {
                // So we can call deob.CanInlineMethods in deobfuscate()
                this.deob = candidate;

                int score = candidate.detect();
                Log.v("{0,3}: {1}", score, candidate.TypeLong);

                if (score > 0 && candidate.Type != "un")
                {
                    positives.Add(candidate);
                }

                // Strictly greater: on a tie the earlier deobfuscator stays selected.
                if (score > bestScore)
                {
                    bestScore = score;
                    best = candidate;
                }
            }
            this.deob = null;

            if (positives.Count > 1)
            {
                Log.n("More than one obfuscator detected:");
                Log.indent();
                foreach (var hit in positives)
                {
                    Log.n("{0} (use: -p {1})", hit.Name, hit.Type);
                }
                Log.deIndent();
            }

            return best;
        }
		/// <summary>
		/// Locates the resolver's init method and prepares the encrypted resource for use.
		/// Does nothing when the encrypted resource has no method.
		/// </summary>
		/// <exception cref="ApplicationException">The init method could not be found.</exception>
		public void Initialize(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
			if (encryptedResource.Method != null) {
				initMethod = FindInitMethod(simpleDeobfuscator);
				if (initMethod == null) {
					throw new ApplicationException("Could not find resource resolver init method");
				}

				// Clean up the resource method and decrypt its strings before the resource is initialized.
				simpleDeobfuscator.Deobfuscate(encryptedResource.Method);
				simpleDeobfuscator.DecryptStrings(encryptedResource.Method, deob);
				encryptedResource.Initialize(simpleDeobfuscator);
			}
		}
Ejemplo n.º 49
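        /// <summary>
        /// Reads the file as a native PE image and lets each deobfuscator try to unpack it.
        /// The first deobfuscator whose output loads as a module wins: <c>module</c> and
        /// <c>deob</c> are set and the method returns.
        /// </summary>
        /// <param name="deobfuscators">Deobfuscators to try, in order.</param>
        /// <returns><c>true</c> when one unpacker produced a loadable module, else <c>false</c>.</returns>
        bool unpackNativeImage(IEnumerable<IDeobfuscator> deobfuscators)
        {
            var peImage = new PeImage(Utils.readFile(Filename));

            foreach (var deob in deobfuscators) {
                byte[] unpackedData = null;
                try {
                    unpackedData = deob.unpackNativeFile(peImage);
                }
                catch (System.Exception ex) {
                    // Best effort: a failing unpacker must not stop the others from being tried,
                    // but the failure is recorded so a malformed input can be triaged. Only the
                    // exception type is logged, not text that may echo file contents.
                    Log.v("Unpacker threw {0}. Deobfuscator: {1}", ex.GetType().FullName, deob.TypeLong);
                }
                if (unpackedData == null)
                    continue;

                try {
                    module = assemblyModule.load(unpackedData);
                }
                catch (System.Exception ex) {
                    Log.w("Could not load unpacked data. Deobfuscator: {0}", deob.TypeLong);
                    Log.v("Load failed with {0}", ex.GetType().FullName);
                    continue;
                }
                this.deob = deob;
                return true;
            }

            return false;
        }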
Ejemplo n.º 50
 /// <summary>
 /// Searches the private static methods of <paramref name="type"/> with the signature
 /// <c>String (Assembly, Type, String)</c>; each one is deobfuscated, its strings are
 /// decrypted, and the first string that names an embedded resource of the module decides
 /// the result.
 /// </summary>
 /// <returns>The matching embedded resource, or <c>null</c> when none is found.</returns>
 EmbeddedResource FindGetManifestResourceStreamTypeResource(TypeDef type, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
 {
     foreach (var candidate in type.Methods)
     {
         bool isPrivateStaticWithBody = candidate.IsPrivate && candidate.IsStatic && candidate.Body != null;
         if (!isPrivateStaticWithBody)
             continue;
         if (!DotNetUtils.IsMethod(candidate, "System.String", "(System.Reflection.Assembly,System.Type,System.String)"))
             continue;

         simpleDeobfuscator.Deobfuscate(candidate);
         simpleDeobfuscator.DecryptStrings(candidate, deob);

         // Every string literal in the method is tried as a resource name.
         foreach (var name in DotNetUtils.GetCodeStrings(candidate))
         {
             var resource = DotNetUtils.GetResource(module, name) as EmbeddedResource;
             if (resource != null)
                 return resource;
         }
     }

     return null;
 }
 /// <summary>
 /// Initializes the resource decrypter infos and fails loudly when that is not possible.
 /// </summary>
 /// <exception cref="ApplicationException"><c>initializeInfos</c> returned <c>false</c>.</exception>
 public void initialize(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
 {
     bool initialized = initializeInfos(simpleDeobfuscator, deob);
     if (!initialized)
     {
         throw new ApplicationException("Could not initialize resource decrypter");
     }
 }
Ejemplo n.º 52
 /// <summary>
 /// Runs the shared <c>Deobfuscate</c> routine on <paramref name="method"/> under the
 /// "Static string decryption" label, delegating the block-level work to
 /// <paramref name="theDeob"/>.
 /// </summary>
 void ISimpleDeobfuscator.DecryptStrings(MethodDef method, IDeobfuscator theDeob)
 {
     Deobfuscate(
         method,
         "Static string decryption",
         blocks => theDeob.DeobfuscateStrings(blocks));
 }
Ejemplo n.º 53
		/// <summary>
		/// Ensures <c>stringsResource</c> is set. For decrypter versions up to V3 the resource
		/// named after the module MVID is tried first; after that the static constructor and
		/// then the string decrypter method are searched.
		/// </summary>
		/// <returns><c>true</c> when the strings resource is known, else <c>false</c>.</returns>
		bool FindStringsResource(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator, MethodDef cctor) {
			if (stringsResource != null) {
				return true;
			}

			if (decrypterVersion <= StringDecrypterVersion.V3) {
				// When the module has no MVID, a freshly generated GUID is used as the lookup name.
				var mvid = module.Mvid ?? Guid.NewGuid();
				stringsResource = DotNetUtils.GetResource(module, mvid.ToString("B")) as EmbeddedResource;
				if (stringsResource != null) {
					return true;
				}
			}

			// Short-circuit keeps the original order: cctor first, decrypter method second.
			return FindStringsResource2(deob, simpleDeobfuscator, cctor)
				|| FindStringsResource2(deob, simpleDeobfuscator, stringDecrypterMethod);
		}
Ejemplo n.º 54
 /// <summary>
 /// Replaces the deobfuscator used by this file with <paramref name="deob"/>.
 /// </summary>
 void IDeobfuscatedFile.SetDeobfuscator(IDeobfuscator deob)
 {
     // The previous instance is neither disposed nor notified here.
     this.deob = deob;
 }
Ejemplo n.º 55
 /// <summary>
 /// Stores the module and the deobfuscator helpers, and records the module's framework type
 /// as reported by <c>DotNetUtils.getFrameworkType</c>.
 /// </summary>
 /// <param name="module">Module stored in the <c>module</c> field and queried for its framework type.</param>
 /// <param name="simpleDeobfuscator">Helper stored in the <c>simpleDeobfuscator</c> field.</param>
 /// <param name="deob">Deobfuscator stored in the <c>deob</c> field.</param>
 public ResolverBase(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
 {
     this.module = module;
     this.frameworkType = DotNetUtils.getFrameworkType(module);

     this.deob = deob;
     this.simpleDeobfuscator = simpleDeobfuscator;
 }
Ejemplo n.º 56
        /// <summary>
        /// Inspects the module entry point and its declaring type to decide whether the module
        /// matches the expected unpacker-stub layout and, if so, which <c>ConfuserVersion</c>
        /// produced it. On success <c>mainAsmResource</c> and <c>version</c> are set; when a
        /// structural check fails the method returns without setting <c>version</c>.
        /// </summary>
        /// <exception cref="ApplicationException">The stub matched structurally but the key
        /// ("magic"), the version, or the main assembly resource could not be determined.</exception>
        public void Find(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
        {
            var entryPoint = module.EntryPoint;

            // Structural pre-checks: entry point, its local types, and the declaring type's fields.
            if (entryPoint == null)
            {
                return;
            }
            if (!new LocalTypes(entryPoint).All(requiredEntryPointLocals))
            {
                return;
            }
            var type = entryPoint.DeclaringType;

            if (!new FieldTypes(type).All(requiredFields))
            {
                return;
            }

            // Exactly six nested types selects the 7zip decrypt-method search; anything else uses inflate.
            bool      use7zip = type.NestedTypes.Count == 6;
            MethodDef decyptMethod;

            if (use7zip)
            {
                decyptMethod = FindDecryptMethod_7zip(type);
            }
            else
            {
                decyptMethod = FindDecryptMethod_inflate(type);
            }
            if (decyptMethod == null)
            {
                return;
            }

            var theVersion    = ConfuserVersion.Unknown;
            var decryptLocals = new LocalTypes(decyptMethod);

            // First version guess, based on the decrypt method's locals and what the entry point calls.
            if (decryptLocals.Exists("System.IO.MemoryStream"))
            {
                if (DotNetUtils.CallsMethod(entryPoint, "System.Void", "(System.String,System.Byte[])"))
                {
                    theVersion = ConfuserVersion.v10_r42915;
                }
                else if (DotNetUtils.CallsMethod(entryPoint, "System.Void", "(System.Security.Permissions.PermissionState)"))
                {
                    theVersion = ConfuserVersion.v10_r48717;
                }
                else
                {
                    theVersion = ConfuserVersion.v14_r57778;
                }
            }
            else
            {
                theVersion = ConfuserVersion.v14_r58564;
            }

            var cctor = type.FindStaticConstructor();

            if (cctor == null)
            {
                return;
            }

            // An assembly resolver method overrides the guess above, whatever it was.
            if ((asmResolverMethod = FindAssemblyResolverMethod(entryPoint.DeclaringType)) != null)
            {
                theVersion = ConfuserVersion.v14_r58802;
                simpleDeobfuscator.Deobfuscate(asmResolverMethod);
                // key1 is only used as a presence check; its value is not read again in this method.
                if (!FindKey1(asmResolverMethod, out uint key1))
                {
                    return;
                }
            }

            switch (theVersion)
            {
            case ConfuserVersion.v10_r42915:
            case ConfuserVersion.v10_r48717:
            case ConfuserVersion.v14_r57778:
                break;

            case ConfuserVersion.v14_r58564:
            case ConfuserVersion.v14_r58802:
                simpleDeobfuscator.Deobfuscate(decyptMethod);
                // The first key0 pattern keeps the version chosen so far.
                if (FindKey0_v14_r58564(decyptMethod, out key0))
                {
                    break;
                }
                // The second key0 pattern refines the version through further heuristics.
                if (FindKey0_v14_r58852(decyptMethod, out key0))
                {
                    if (!decryptLocals.Exists("System.Security.Cryptography.RijndaelManaged"))
                    {
                        theVersion = ConfuserVersion.v14_r58852;
                        break;
                    }
                    if (use7zip)
                    {
                        if (new LocalTypes(decyptMethod).Exists("System.IO.MemoryStream"))
                        {
                            theVersion = ConfuserVersion.v17_r75076;
                        }
                        // The module name is read from the analysed file, so this is a heuristic only.
                        else if (module.Name == "Stub.exe")
                        {
                            theVersion = ConfuserVersion.v18_r75184;
                        }
                        else if (!IsGetLenToPosStateMethodPrivate(type))
                        {
                            theVersion = ConfuserVersion.v18_r75367;
                        }
                        else
                        {
                            theVersion = ConfuserVersion.v19_r77172;
                        }
                    }
                    else if (IsDecryptMethod_v17_r73404(decyptMethod))
                    {
                        theVersion = ConfuserVersion.v17_r73404;
                    }
                    else
                    {
                        theVersion = ConfuserVersion.v15_r60785;
                    }
                    break;
                }
                // Neither key0 pattern matched.
                throw new ApplicationException("Could not find magic");

            default:
                throw new ApplicationException("Invalid version");
            }

            simpleDeobfuscator.Deobfuscate(cctor);
            simpleDeobfuscator.DecryptStrings(cctor, deob);

            // NOTE(review): asmResolverMethod is null here when FindAssemblyResolverMethod found nothing
            // above; whether CallsMethod accepts a null method is not visible from this code - confirm.
            if (FindEntryPointToken(simpleDeobfuscator, cctor, entryPoint, out entryPointToken) && !use7zip)
            {
                if (DotNetUtils.CallsMethod(asmResolverMethod, "System.Void", "(System.String)"))
                {
                    theVersion = ConfuserVersion.v17_r73477;
                }
                else
                {
                    theVersion = ConfuserVersion.v17_r73566;
                }
            }

            mainAsmResource = FindResource(cctor);
            if (mainAsmResource == null)
            {
                throw new ApplicationException("Could not find main assembly resource");
            }
            // The detected version is published only after every check has passed.
            version = theVersion;
        }
Ejemplo n.º 57
        /// <summary>
        /// Prepares the string decrypter from the static constructor of
        /// <c>stringsEncodingClass</c>: finds the strings resource (retrying after string
        /// decryption), the string offset, the decrypter method and, optionally, the SimpleZip type.
        /// </summary>
        /// <returns><c>false</c> when the strings resource cannot be found; <c>true</c> otherwise.</returns>
        /// <exception cref="ApplicationException">The <c>.cctor</c>, the string offset or the
        /// decrypter method could not be found.</exception>
        public bool init(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator)
        {
            var cctor = DotNetUtils.getMethod(stringsEncodingClass, ".cctor");
            if (cctor == null)
            {
                throw new ApplicationException("Could not find .cctor");
            }
            simpleDeobfuscator.deobfuscate(cctor);

            stringsResource = findStringResource(cctor);
            if (stringsResource == null)
            {
                // The resource name may only become visible once the strings are decrypted.
                simpleDeobfuscator.decryptStrings(cctor, deob);
                stringsResource = findStringResource(cctor);
            }
            if (stringsResource == null)
            {
                return false;
            }

            var offsetVal = findOffsetValue(cctor);
            if (offsetVal == null)
            {
                throw new ApplicationException("Could not find string offset");
            }
            stringOffset = offsetVal.Value;

            if (!findDecrypterMethod())
            {
                throw new ApplicationException("Could not find string decrypter method");
            }

            simpleZipType = findSimpleZipType(cctor);
            if (simpleZipType != null)
            {
                resourceDecrypter = new ResourceDecrypter(new ResourceDecrypterInfo(module, simpleZipType, simpleDeobfuscator));
            }

            return true;
        }
Ejemplo n.º 58
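		/// <summary>
		/// Locates and decrypts the encrypted constants resource and loads its four tables
		/// (ints, longs, floats, doubles). Each table is stored as a 32-bit element count followed
		/// by the elements, which are written into the array from the last index down to the first.
		/// Does nothing when <c>decrypterType</c> is <c>null</c>; logs a warning and returns when
		/// the resource cannot be found.
		/// </summary>
		/// <exception cref="EndOfStreamException">A table declares more elements than the
		/// decrypted data can hold, or the data ends early.</exception>
		public void Initialize(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
			if (decrypterType == null)
				return;

			encryptedResource = BabelUtils.FindEmbeddedResource(module, decrypterType, simpleDeobfuscator, deob);
			if (encryptedResource == null) {
				Logger.w("Could not find encrypted constants resource");
				return;
			}

			var decrypted = resourceDecrypter.Decrypt(encryptedResource.Data.ReadAllBytes());
			// Dispose the reader (and the MemoryStream it owns) even when parsing fails.
			using (var reader = new BinaryReader(new MemoryStream(decrypted))) {
				int count;

				count = ReadArrayLength(reader, sizeof(int));
				decryptedInts = new int[count];
				while (count-- > 0)
					decryptedInts[count] = reader.ReadInt32();

				count = ReadArrayLength(reader, sizeof(long));
				decryptedLongs = new long[count];
				while (count-- > 0)
					decryptedLongs[count] = reader.ReadInt64();

				count = ReadArrayLength(reader, sizeof(float));
				decryptedFloats = new float[count];
				while (count-- > 0)
					decryptedFloats[count] = reader.ReadSingle();

				count = ReadArrayLength(reader, sizeof(double));
				decryptedDoubles = new double[count];
				while (count-- > 0)
					decryptedDoubles[count] = reader.ReadDouble();
			}
		}

		/// <summary>
		/// Reads a 32-bit element count and rejects values that cannot fit in the bytes left in
		/// the stream. The count comes from data embedded in the analysed file, so it must not
		/// drive an allocation before it has been checked. A negative count is passed through
		/// unchanged and still fails at the array allocation, as it did before.
		/// </summary>
		static int ReadArrayLength(BinaryReader reader, int elementSize) {
			int count = reader.ReadInt32();
			long remaining = reader.BaseStream.Length - reader.BaseStream.Position;
			if (count > remaining / elementSize)
				throw new EndOfStreamException("Encrypted constants table is larger than the remaining data");
			return count;
		}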
Ejemplo n.º 59
 /// <summary>
 /// Creates the resolver by forwarding all three arguments to the base-class constructor.
 /// </summary>
 public AssemblyResolver(ModuleDefMD module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
     : base(module, simpleDeobfuscator, deob)
 {
     // No additional initialization in this constructor.
 }
Ejemplo n.º 60
		/// <summary>
		/// Creates the resolver by forwarding all three arguments to the base-class constructor.
		/// </summary>
		public AssemblyResolver(ModuleDefMD module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
			: base(module, simpleDeobfuscator, deob)
		{
			// No additional initialization in this constructor.
		}