protected ProxyCallFixer2(ModuleDefMD module, ProxyCallFixer2 oldOne) : base(module, oldOne) { foreach (var oldMethod in oldOne.proxyMethodToDelegateInfo.getKeys()) { var oldDi = oldOne.proxyMethodToDelegateInfo.find(oldMethod); var method = lookup(oldMethod, "Could not find proxy method"); proxyMethodToDelegateInfo.add(method, copy(oldDi)); } }
bool initializeDecrypterInfos(TypeDef type) { foreach (var method in type.Methods) { if (!method.IsStatic || method.Body == null) { continue; } var sig = method.MethodSig; if (sig == null) { continue; } if (sig.Params.Count != 0) { continue; } if (!isStringType(sig.RetType)) { continue; } var info = createInfo(method); if (info == null) { continue; } methodToInfo.add(method, info); } return(methodToInfo.Count != 0); }
public void add(MethodDef method, Func <MethodDef, MethodSpec, object[], string> handler) { if (method != null) { stringDecrypters.add(method, handler); } }
protected void add(MethodDef oldMethod, IMethod newMethod, OpCode opCode) { if (oldMethod == null) { return; } oldToNewMethod.add(oldMethod, new NewMethodInfo(opCode, newMethod)); }
public void find(ISimpleDeobfuscator simpleDeobfuscator) { if (module.Assembly == null) { return; } var pkt = module.Assembly.PublicKeyToken; bool hasPublicKeyToken = !PublicKeyBase.IsNullOrEmpty2(pkt); foreach (var type in module.GetTypes()) { var cctor = type.FindStaticConstructor(); if (cctor == null) { continue; } bool deobfuscatedCctor = false; bool?v13State = null, v40State = null, v41State = null; foreach (var method in type.Methods) { if (!method.IsStatic || method.Body == null) { continue; } IDecrypterInfo info = null; if (DecrypterInfo13.isPossibleDecrypterMethod(method, ref v13State)) { deobfuscateCctor(simpleDeobfuscator, cctor, ref deobfuscatedCctor, hasPublicKeyToken); simpleDeobfuscator.deobfuscate(method); info = getInfoV13(cctor, method); } else if (DecrypterInfo40.isPossibleDecrypterMethod(method, ref v40State)) { deobfuscateCctor(simpleDeobfuscator, cctor, ref deobfuscatedCctor, hasPublicKeyToken); simpleDeobfuscator.deobfuscate(method); info = getInfoV40(cctor, method); } else if (DecrypterInfo41.isPossibleDecrypterMethod(method, ref v41State)) { deobfuscateCctor(simpleDeobfuscator, cctor, ref deobfuscatedCctor, hasPublicKeyToken); simpleDeobfuscator.deobfuscate(method); info = getInfoV41(cctor, method); } if (info == null) { continue; } methodToInfo.add(method, info); version = info.Version; } } }
public void find() { foreach (var type in module.Types) { MethodDef decrypterMethod; var decrypterVersion = checkType(type, out decrypterMethod); if (decrypterVersion == Version.Unknown) { continue; } version = decrypterVersion; stringEncrypterInfos.add(decrypterMethod, new StringEncrypterInfo(decrypterMethod)); } }
public void add(MethodDef method, Func <MethodDef, MethodSpec, object[], object> handler) { if (method == null) { return; } if (decrypterMethods.find(method) != null) { throw new ApplicationException(string.Format("Handler for method {0:X8} has already been added", method.MDToken.ToInt32())); } if (method != null) { decrypterMethods.add(method, handler); } }
public void add(MethodDef method, MethodDef methodToBeRemoved) { if (method == null || methodToBeRemoved == null) { return; } checkMethod(methodToBeRemoved); var dict = methodRefInfos.find(method); if (dict == null) { methodRefInfos.add(method, dict = new MethodDefAndDeclaringTypeDict <bool>()); } dict.add(methodToBeRemoved, true); }
public void initializeEventHandlerNames() { var ourFields = new FieldDefAndDeclaringTypeDict <MFieldDef>(); foreach (var fieldDef in type.AllFields) { ourFields.add(fieldDef.FieldDef, fieldDef); } var ourMethods = new MethodDefAndDeclaringTypeDict <MMethodDef>(); foreach (var methodDef in type.AllMethods) { ourMethods.add(methodDef.MethodDef, methodDef); } initVbEventHandlers(ourFields, ourMethods); initFieldEventHandlers(ourFields, ourMethods); initTypeEventHandlers(ourFields, ourMethods); }
void findStringDecrypterMethods(TypeDef type, ISimpleDeobfuscator simpleDeobfuscator) { foreach (var method in DotNetUtils.findMethods(type.Methods, "System.String", new string[] { "System.String", "System.Int32" })) { if (method.Body.HasExceptionHandlers) { continue; } if (DotNetUtils.getMethodCalls(method, "System.Char[] System.String::ToCharArray()") != 1) { continue; } if (DotNetUtils.getMethodCalls(method, "System.String System.String::Intern(System.String)") != 1) { continue; } simpleDeobfuscator.deobfuscate(method); var instructions = method.Body.Instructions; for (int i = 0; i <= instructions.Count - 3; i++) { var ldci4 = method.Body.Instructions[i]; if (!ldci4.IsLdcI4()) { continue; } if (instructions[i + 1].OpCode.Code != Code.Ldarg_1) { continue; } if (instructions[i + 2].OpCode.Code != Code.Add) { continue; } var info = new StringDecrypterInfo(method, ldci4.GetLdcI4Value()); stringDecrypterMethods.add(info.method, info); Logger.v("Found string decrypter method: {0}, magic: 0x{1:X8}", Utils.removeNewlines(info.method), info.magic); break; } } }
void initializeCtors(TypeDef manager, MethodDefAndDeclaringTypeDict <IMethod> ctors) { if (manager == null) { return; } foreach (var ctor in manager.Methods) { if (ctor.Name != ".ctor") { continue; } var newCtor = new MemberRefUser(module, ctor.Name, ctor.MethodSig.Clone(), manager.BaseType); module.UpdateRowId(newCtor); ctors.add(ctor, newCtor); } }
public void findDelegateCreator() { var requiredTypes = new string[] { "System.ModuleHandle", }; foreach (var type in module.Types) { if (!new FieldTypes(type).exactly(requiredTypes)) { continue; } foreach (var method in type.Methods) { if (!method.IsStatic || method.Body == null) { continue; } if (!DotNetUtils.isMethod(method, "System.Void", "(System.RuntimeTypeHandle,System.Int32,System.RuntimeFieldHandle)") && !DotNetUtils.isMethod(method, "System.Void", "(System.RuntimeTypeHandle,System.Int32,System.Int32,System.RuntimeFieldHandle)")) { continue; } var creatorType = getProxyCreatorType(method); if (creatorType == ProxyCreatorType.None) { continue; } methodToType.add(method, creatorType); setDelegateCreatorMethod(method); } if (methodToType.Count == 0) { continue; } return; } }
protected override void getCallInfo(object context, FieldDef field, out IMethod calledMethod, out OpCode callOpcode) { uint rid = 0; foreach (var c in field.Name.String) { rid = (rid << 4) + (uint)hexToInt((char)((byte)c + 0x2F)); } rid &= 0x00FFFFFF; calledMethod = module.ResolveMemberRef(rid); var calledMethodDef = DotNetUtils.getMethod2(module, calledMethod); if (calledMethodDef != null) { proxyMethodsType = calledMethodDef.DeclaringType; proxyTargetMethods.add(calledMethodDef, true); calledMethod = calledMethodDef; } callOpcode = OpCodes.Call; }
public TypeDefDict <bool> getInlinedTypes(IEnumerable <MethodDef> unusedMethods) { var unused = new MethodDefAndDeclaringTypeDict <bool>(); foreach (var method in unusedMethods) { unused.add(method, true); } var types = new TypeDefDict <bool>(); foreach (var type in methodsTypes.getKeys()) { if (checkAllMethodsUnused(unused, type)) { types.add(type, true); } } return(types); }
void restoreMethodBodies() { var methodToOrigMethods = new MethodDefAndDeclaringTypeDict <List <MethodDef> >(); foreach (var t in module.Types) { var types = new List <TypeDef>(AllTypesHelper.Types(new List <TypeDef> { t })); foreach (var type in types) { if (methodsTypes.find(type)) { continue; } foreach (var method in type.Methods) { if (method.Name == ".ctor" || method.Name == ".cctor") { continue; } MethodDef calledMethod; if (!checkRestoreBody(method, out calledMethod)) { continue; } if (!checkSameMethods(method, calledMethod)) { continue; } if (!methodsTypes.find(calledMethod.DeclaringType)) { continue; } if (types.IndexOf(calledMethod.DeclaringType) < 0) { continue; } var list = methodToOrigMethods.find(calledMethod); if (list == null) { methodToOrigMethods.add(calledMethod, list = new List <MethodDef>()); } list.Add(method); } } } foreach (var calledMethod in methodToOrigMethods.getKeys()) { var list = methodToOrigMethods.find(calledMethod); var method = list[0]; Logger.v("Restored method body {0:X8} from method {1:X8}", method.MDToken.ToInt32(), calledMethod.MDToken.ToInt32()); DotNetUtils.copyBodyFromTo(calledMethod, method); classMethods.add(calledMethod, method); } }
public void add(MethodDef exceptionLogger) { exceptionLoggerMethods.add(exceptionLogger, true); }
void initializeWindowsFormsFieldsAndProps() { var checker = NameChecker; var ourFields = new FieldDefAndDeclaringTypeDict <MFieldDef>(); foreach (var fieldDef in type.AllFields) { ourFields.add(fieldDef.FieldDef, fieldDef); } var ourMethods = new MethodDefAndDeclaringTypeDict <MMethodDef>(); foreach (var methodDef in type.AllMethods) { ourMethods.add(methodDef.MethodDef, methodDef); } foreach (var methodDef in type.AllMethods) { if (methodDef.MethodDef.Body == null) { continue; } if (methodDef.MethodDef.IsStatic || methodDef.MethodDef.IsVirtual) { continue; } var instructions = methodDef.MethodDef.Body.Instructions; for (int i = 2; i < instructions.Count; i++) { var call = instructions[i]; if (call.OpCode.Code != Code.Call && call.OpCode.Code != Code.Callvirt) { continue; } if (!isWindowsFormsSetNameMethod(call.Operand as IMethod)) { continue; } var ldstr = instructions[i - 1]; if (ldstr.OpCode.Code != Code.Ldstr) { continue; } var fieldName = ldstr.Operand as string; if (fieldName == null || !checker.isValidFieldName(fieldName)) { continue; } var instr = instructions[i - 2]; IField fieldRef = null; if (instr.OpCode.Code == Code.Call || instr.OpCode.Code == Code.Callvirt) { var calledMethod = instr.Operand as IMethod; if (calledMethod == null) { continue; } var calledMethodDef = ourMethods.find(calledMethod); if (calledMethodDef == null) { continue; } fieldRef = getFieldRef(calledMethodDef.MethodDef); var propDef = calledMethodDef.Property; if (propDef == null) { continue; } memberInfos.prop(propDef).suggestedName = fieldName; fieldName = "_" + fieldName; } else if (instr.OpCode.Code == Code.Ldfld) { fieldRef = instr.Operand as IField; } if (fieldRef == null) { continue; } var fieldDef = ourFields.find(fieldRef); if (fieldDef == null) { continue; } var fieldInfo = memberInfos.field(fieldDef); if (fieldInfo.renamed) { continue; } fieldInfo.suggestedName = variableNameState.getNewFieldName(fieldInfo.oldName, new NameCreator2(fieldName)); } } }
public void initialize() { if (encryptedResource == null) { return; } decryptedReader = new BinaryReader(new MemoryStream(decrypt(encryptedResource.GetResourceData()))); delegateType = null; foreach (var type in module.GetTypes()) { var cctor = type.FindStaticConstructor(); if (cctor == null) { continue; } if (type.Fields.Count != 1) { continue; } var field = type.Fields[0]; var tmpDelegateType = DotNetUtils.getType(module, field.FieldType); if (tmpDelegateType == null) { continue; } if (!checkDelegateType(tmpDelegateType)) { continue; } if (delegateType != null && delegateType != tmpDelegateType) { continue; } if (!checkCctor(cctor)) { continue; } delegateType = tmpDelegateType; foreach (var method in type.Methods) { if (method.Name == ".cctor") { continue; } if (!method.IsStatic || method.Body == null) { continue; } var sig = method.MethodSig; if (sig == null || sig.Params.Count != 0) { continue; } if (sig.RetType.GetElementType() == ElementType.Void) { continue; } var info = getDecrypterInfo(method, field); if (info == null) { continue; } decrypterMethods.add(info.method, info); } } }
void restoreMethodBodies() { var methodToOrigMethods = new MethodDefAndDeclaringTypeDict<List<MethodDef>>(); foreach (var t in module.Types) { var types = new List<TypeDef>(AllTypesHelper.Types(new List<TypeDef> { t })); foreach (var type in types) { if (methodsTypes.find(type)) continue; foreach (var method in type.Methods) { if (method.Name == ".ctor" || method.Name == ".cctor") continue; MethodDef calledMethod; if (!checkRestoreBody(method, out calledMethod)) continue; if (!checkSameMethods(method, calledMethod)) continue; if (!methodsTypes.find(calledMethod.DeclaringType)) continue; if (types.IndexOf(calledMethod.DeclaringType) < 0) continue; var list = methodToOrigMethods.find(calledMethod); if (list == null) methodToOrigMethods.add(calledMethod, list = new List<MethodDef>()); list.Add(method); } } } foreach (var calledMethod in methodToOrigMethods.getKeys()) { var list = methodToOrigMethods.find(calledMethod); var method = list[0]; Logger.v("Restored method body {0:X8} from method {1:X8}", method.MDToken.ToInt32(), calledMethod.MDToken.ToInt32()); DotNetUtils.copyBodyFromTo(calledMethod, method); classMethods.add(calledMethod, method); } }
void initializeCtors(TypeDef manager, MethodDefAndDeclaringTypeDict<IMethod> ctors) { if (manager == null) return; foreach (var ctor in manager.Methods) { if (ctor.Name != ".ctor") continue; var newCtor = new MemberRefUser(module, ctor.Name, ctor.MethodSig.Clone(), manager.BaseType); module.UpdateRowId(newCtor); ctors.add(ctor, newCtor); } }
public void initializeEventHandlerNames() { var ourFields = new FieldDefAndDeclaringTypeDict<MFieldDef>(); foreach (var fieldDef in type.AllFields) ourFields.add(fieldDef.FieldDef, fieldDef); var ourMethods = new MethodDefAndDeclaringTypeDict<MMethodDef>(); foreach (var methodDef in type.AllMethods) ourMethods.add(methodDef.MethodDef, methodDef); initVbEventHandlers(ourFields, ourMethods); initFieldEventHandlers(ourFields, ourMethods); initTypeEventHandlers(ourFields, ourMethods); }
void initializeWindowsFormsFieldsAndProps() { var checker = NameChecker; var ourFields = new FieldDefAndDeclaringTypeDict<MFieldDef>(); foreach (var fieldDef in type.AllFields) ourFields.add(fieldDef.FieldDef, fieldDef); var ourMethods = new MethodDefAndDeclaringTypeDict<MMethodDef>(); foreach (var methodDef in type.AllMethods) ourMethods.add(methodDef.MethodDef, methodDef); foreach (var methodDef in type.AllMethods) { if (methodDef.MethodDef.Body == null) continue; if (methodDef.MethodDef.IsStatic || methodDef.MethodDef.IsVirtual) continue; var instructions = methodDef.MethodDef.Body.Instructions; for (int i = 2; i < instructions.Count; i++) { var call = instructions[i]; if (call.OpCode.Code != Code.Call && call.OpCode.Code != Code.Callvirt) continue; if (!isWindowsFormsSetNameMethod(call.Operand as IMethod)) continue; var ldstr = instructions[i - 1]; if (ldstr.OpCode.Code != Code.Ldstr) continue; var fieldName = ldstr.Operand as string; if (fieldName == null || !checker.isValidFieldName(fieldName)) continue; var instr = instructions[i - 2]; IField fieldRef = null; if (instr.OpCode.Code == Code.Call || instr.OpCode.Code == Code.Callvirt) { var calledMethod = instr.Operand as IMethod; if (calledMethod == null) continue; var calledMethodDef = ourMethods.find(calledMethod); if (calledMethodDef == null) continue; fieldRef = getFieldRef(calledMethodDef.MethodDef); var propDef = calledMethodDef.Property; if (propDef == null) continue; memberInfos.prop(propDef).suggestedName = fieldName; fieldName = "_" + fieldName; } else if (instr.OpCode.Code == Code.Ldfld) { fieldRef = instr.Operand as IField; } if (fieldRef == null) continue; var fieldDef = ourFields.find(fieldRef); if (fieldDef == null) continue; var fieldInfo = memberInfos.field(fieldDef); if (fieldInfo.renamed) continue; fieldInfo.suggestedName = variableNameState.getNewFieldName(fieldInfo.oldName, new NameCreator2(fieldName)); } } }
public TypeDefDict<bool> getInlinedTypes(IEnumerable<MethodDef> unusedMethods) { var unused = new MethodDefAndDeclaringTypeDict<bool>(); foreach (var method in unusedMethods) unused.add(method, true); var types = new TypeDefDict<bool>(); foreach (var type in methodsTypes.getKeys()) { if (checkAllMethodsUnused(unused, type)) types.add(type, true); } return types; }
public void add(MethodDef method) { methods.add(method, true); }