protected ProxyCallFixer2(ModuleDefMD module, ProxyCallFixer2 oldOne)
: base(module, oldOne)
{
foreach (var oldMethod in oldOne.proxyMethodToDelegateInfo.getKeys())
{
var oldDi = oldOne.proxyMethodToDelegateInfo.find(oldMethod);
var method = lookup(oldMethod, "Could not find proxy method");
proxyMethodToDelegateInfo.add(method, copy(oldDi));
}
}
bool initializeDecrypterInfos(TypeDef type)
{
foreach (var method in type.Methods)
{
if (!method.IsStatic || method.Body == null)
{
continue;
}
var sig = method.MethodSig;
if (sig == null)
{
continue;
}
if (sig.Params.Count != 0)
{
continue;
}
if (!isStringType(sig.RetType))
{
continue;
}
var info = createInfo(method);
if (info == null)
{
continue;
}
methodToInfo.add(method, info);
}
return(methodToInfo.Count != 0);
}
public void add(MethodDef method, Func <MethodDef, MethodSpec, object[], string> handler)
{
if (method != null)
{
stringDecrypters.add(method, handler);
}
}
protected void add(MethodDef oldMethod, IMethod newMethod, OpCode opCode)
{
if (oldMethod == null)
{
return;
}
oldToNewMethod.add(oldMethod, new NewMethodInfo(opCode, newMethod));
}
public void find(ISimpleDeobfuscator simpleDeobfuscator)
{
if (module.Assembly == null)
{
return;
}
var pkt = module.Assembly.PublicKeyToken;
bool hasPublicKeyToken = !PublicKeyBase.IsNullOrEmpty2(pkt);
foreach (var type in module.GetTypes())
{
var cctor = type.FindStaticConstructor();
if (cctor == null)
{
continue;
}
bool deobfuscatedCctor = false;
bool?v13State = null, v40State = null, v41State = null;
foreach (var method in type.Methods)
{
if (!method.IsStatic || method.Body == null)
{
continue;
}
IDecrypterInfo info = null;
if (DecrypterInfo13.isPossibleDecrypterMethod(method, ref v13State))
{
deobfuscateCctor(simpleDeobfuscator, cctor, ref deobfuscatedCctor, hasPublicKeyToken);
simpleDeobfuscator.deobfuscate(method);
info = getInfoV13(cctor, method);
}
else if (DecrypterInfo40.isPossibleDecrypterMethod(method, ref v40State))
{
deobfuscateCctor(simpleDeobfuscator, cctor, ref deobfuscatedCctor, hasPublicKeyToken);
simpleDeobfuscator.deobfuscate(method);
info = getInfoV40(cctor, method);
}
else if (DecrypterInfo41.isPossibleDecrypterMethod(method, ref v41State))
{
deobfuscateCctor(simpleDeobfuscator, cctor, ref deobfuscatedCctor, hasPublicKeyToken);
simpleDeobfuscator.deobfuscate(method);
info = getInfoV41(cctor, method);
}
if (info == null)
{
continue;
}
methodToInfo.add(method, info);
version = info.Version;
}
}
}
public void find()
{
foreach (var type in module.Types)
{
MethodDef decrypterMethod;
var decrypterVersion = checkType(type, out decrypterMethod);
if (decrypterVersion == Version.Unknown)
{
continue;
}
version = decrypterVersion;
stringEncrypterInfos.add(decrypterMethod, new StringEncrypterInfo(decrypterMethod));
}
}
public void add(MethodDef method, Func <MethodDef, MethodSpec, object[], object> handler)
{
if (method == null)
{
return;
}
if (decrypterMethods.find(method) != null)
{
throw new ApplicationException(string.Format("Handler for method {0:X8} has already been added", method.MDToken.ToInt32()));
}
if (method != null)
{
decrypterMethods.add(method, handler);
}
}
public void add(MethodDef method, MethodDef methodToBeRemoved)
{
if (method == null || methodToBeRemoved == null)
{
return;
}
checkMethod(methodToBeRemoved);
var dict = methodRefInfos.find(method);
if (dict == null)
{
methodRefInfos.add(method, dict = new MethodDefAndDeclaringTypeDict <bool>());
}
dict.add(methodToBeRemoved, true);
}
public void initializeEventHandlerNames()
{
var ourFields = new FieldDefAndDeclaringTypeDict <MFieldDef>();
foreach (var fieldDef in type.AllFields)
{
ourFields.add(fieldDef.FieldDef, fieldDef);
}
var ourMethods = new MethodDefAndDeclaringTypeDict <MMethodDef>();
foreach (var methodDef in type.AllMethods)
{
ourMethods.add(methodDef.MethodDef, methodDef);
}
initVbEventHandlers(ourFields, ourMethods);
initFieldEventHandlers(ourFields, ourMethods);
initTypeEventHandlers(ourFields, ourMethods);
}
void findStringDecrypterMethods(TypeDef type, ISimpleDeobfuscator simpleDeobfuscator)
{
foreach (var method in DotNetUtils.findMethods(type.Methods, "System.String", new string[] { "System.String", "System.Int32" }))
{
if (method.Body.HasExceptionHandlers)
{
continue;
}
if (DotNetUtils.getMethodCalls(method, "System.Char[] System.String::ToCharArray()") != 1)
{
continue;
}
if (DotNetUtils.getMethodCalls(method, "System.String System.String::Intern(System.String)") != 1)
{
continue;
}
simpleDeobfuscator.deobfuscate(method);
var instructions = method.Body.Instructions;
for (int i = 0; i <= instructions.Count - 3; i++)
{
var ldci4 = method.Body.Instructions[i];
if (!ldci4.IsLdcI4())
{
continue;
}
if (instructions[i + 1].OpCode.Code != Code.Ldarg_1)
{
continue;
}
if (instructions[i + 2].OpCode.Code != Code.Add)
{
continue;
}
var info = new StringDecrypterInfo(method, ldci4.GetLdcI4Value());
stringDecrypterMethods.add(info.method, info);
Logger.v("Found string decrypter method: {0}, magic: 0x{1:X8}", Utils.removeNewlines(info.method), info.magic);
break;
}
}
}
void initializeCtors(TypeDef manager, MethodDefAndDeclaringTypeDict <IMethod> ctors)
{
if (manager == null)
{
return;
}
foreach (var ctor in manager.Methods)
{
if (ctor.Name != ".ctor")
{
continue;
}
var newCtor = new MemberRefUser(module, ctor.Name, ctor.MethodSig.Clone(), manager.BaseType);
module.UpdateRowId(newCtor);
ctors.add(ctor, newCtor);
}
}
public void findDelegateCreator()
{
var requiredTypes = new string[] {
"System.ModuleHandle",
};
foreach (var type in module.Types)
{
if (!new FieldTypes(type).exactly(requiredTypes))
{
continue;
}
foreach (var method in type.Methods)
{
if (!method.IsStatic || method.Body == null)
{
continue;
}
if (!DotNetUtils.isMethod(method, "System.Void", "(System.RuntimeTypeHandle,System.Int32,System.RuntimeFieldHandle)") &&
!DotNetUtils.isMethod(method, "System.Void", "(System.RuntimeTypeHandle,System.Int32,System.Int32,System.RuntimeFieldHandle)"))
{
continue;
}
var creatorType = getProxyCreatorType(method);
if (creatorType == ProxyCreatorType.None)
{
continue;
}
methodToType.add(method, creatorType);
setDelegateCreatorMethod(method);
}
if (methodToType.Count == 0)
{
continue;
}
return;
}
}
protected override void getCallInfo(object context, FieldDef field, out IMethod calledMethod, out OpCode callOpcode)
{
uint rid = 0;
foreach (var c in field.Name.String)
{
rid = (rid << 4) + (uint)hexToInt((char)((byte)c + 0x2F));
}
rid &= 0x00FFFFFF;
calledMethod = module.ResolveMemberRef(rid);
var calledMethodDef = DotNetUtils.getMethod2(module, calledMethod);
if (calledMethodDef != null)
{
proxyMethodsType = calledMethodDef.DeclaringType;
proxyTargetMethods.add(calledMethodDef, true);
calledMethod = calledMethodDef;
}
callOpcode = OpCodes.Call;
}
public TypeDefDict <bool> getInlinedTypes(IEnumerable <MethodDef> unusedMethods)
{
var unused = new MethodDefAndDeclaringTypeDict <bool>();
foreach (var method in unusedMethods)
{
unused.add(method, true);
}
var types = new TypeDefDict <bool>();
foreach (var type in methodsTypes.getKeys())
{
if (checkAllMethodsUnused(unused, type))
{
types.add(type, true);
}
}
return(types);
}
void restoreMethodBodies()
{
var methodToOrigMethods = new MethodDefAndDeclaringTypeDict <List <MethodDef> >();
foreach (var t in module.Types)
{
var types = new List <TypeDef>(AllTypesHelper.Types(new List <TypeDef> {
t
}));
foreach (var type in types)
{
if (methodsTypes.find(type))
{
continue;
}
foreach (var method in type.Methods)
{
if (method.Name == ".ctor" || method.Name == ".cctor")
{
continue;
}
MethodDef calledMethod;
if (!checkRestoreBody(method, out calledMethod))
{
continue;
}
if (!checkSameMethods(method, calledMethod))
{
continue;
}
if (!methodsTypes.find(calledMethod.DeclaringType))
{
continue;
}
if (types.IndexOf(calledMethod.DeclaringType) < 0)
{
continue;
}
var list = methodToOrigMethods.find(calledMethod);
if (list == null)
{
methodToOrigMethods.add(calledMethod, list = new List <MethodDef>());
}
list.Add(method);
}
}
}
foreach (var calledMethod in methodToOrigMethods.getKeys())
{
var list = methodToOrigMethods.find(calledMethod);
var method = list[0];
Logger.v("Restored method body {0:X8} from method {1:X8}",
method.MDToken.ToInt32(),
calledMethod.MDToken.ToInt32());
DotNetUtils.copyBodyFromTo(calledMethod, method);
classMethods.add(calledMethod, method);
}
}
public void add(MethodDef exceptionLogger)
{
exceptionLoggerMethods.add(exceptionLogger, true);
}
void initializeWindowsFormsFieldsAndProps()
{
var checker = NameChecker;
var ourFields = new FieldDefAndDeclaringTypeDict <MFieldDef>();
foreach (var fieldDef in type.AllFields)
{
ourFields.add(fieldDef.FieldDef, fieldDef);
}
var ourMethods = new MethodDefAndDeclaringTypeDict <MMethodDef>();
foreach (var methodDef in type.AllMethods)
{
ourMethods.add(methodDef.MethodDef, methodDef);
}
foreach (var methodDef in type.AllMethods)
{
if (methodDef.MethodDef.Body == null)
{
continue;
}
if (methodDef.MethodDef.IsStatic || methodDef.MethodDef.IsVirtual)
{
continue;
}
var instructions = methodDef.MethodDef.Body.Instructions;
for (int i = 2; i < instructions.Count; i++)
{
var call = instructions[i];
if (call.OpCode.Code != Code.Call && call.OpCode.Code != Code.Callvirt)
{
continue;
}
if (!isWindowsFormsSetNameMethod(call.Operand as IMethod))
{
continue;
}
var ldstr = instructions[i - 1];
if (ldstr.OpCode.Code != Code.Ldstr)
{
continue;
}
var fieldName = ldstr.Operand as string;
if (fieldName == null || !checker.isValidFieldName(fieldName))
{
continue;
}
var instr = instructions[i - 2];
IField fieldRef = null;
if (instr.OpCode.Code == Code.Call || instr.OpCode.Code == Code.Callvirt)
{
var calledMethod = instr.Operand as IMethod;
if (calledMethod == null)
{
continue;
}
var calledMethodDef = ourMethods.find(calledMethod);
if (calledMethodDef == null)
{
continue;
}
fieldRef = getFieldRef(calledMethodDef.MethodDef);
var propDef = calledMethodDef.Property;
if (propDef == null)
{
continue;
}
memberInfos.prop(propDef).suggestedName = fieldName;
fieldName = "_" + fieldName;
}
else if (instr.OpCode.Code == Code.Ldfld)
{
fieldRef = instr.Operand as IField;
}
if (fieldRef == null)
{
continue;
}
var fieldDef = ourFields.find(fieldRef);
if (fieldDef == null)
{
continue;
}
var fieldInfo = memberInfos.field(fieldDef);
if (fieldInfo.renamed)
{
continue;
}
fieldInfo.suggestedName = variableNameState.getNewFieldName(fieldInfo.oldName, new NameCreator2(fieldName));
}
}
}
public void initialize()
{
if (encryptedResource == null)
{
return;
}
decryptedReader = new BinaryReader(new MemoryStream(decrypt(encryptedResource.GetResourceData())));
delegateType = null;
foreach (var type in module.GetTypes())
{
var cctor = type.FindStaticConstructor();
if (cctor == null)
{
continue;
}
if (type.Fields.Count != 1)
{
continue;
}
var field = type.Fields[0];
var tmpDelegateType = DotNetUtils.getType(module, field.FieldType);
if (tmpDelegateType == null)
{
continue;
}
if (!checkDelegateType(tmpDelegateType))
{
continue;
}
if (delegateType != null && delegateType != tmpDelegateType)
{
continue;
}
if (!checkCctor(cctor))
{
continue;
}
delegateType = tmpDelegateType;
foreach (var method in type.Methods)
{
if (method.Name == ".cctor")
{
continue;
}
if (!method.IsStatic || method.Body == null)
{
continue;
}
var sig = method.MethodSig;
if (sig == null || sig.Params.Count != 0)
{
continue;
}
if (sig.RetType.GetElementType() == ElementType.Void)
{
continue;
}
var info = getDecrypterInfo(method, field);
if (info == null)
{
continue;
}
decrypterMethods.add(info.method, info);
}
}
}
void restoreMethodBodies()
{
var methodToOrigMethods = new MethodDefAndDeclaringTypeDict<List<MethodDef>>();
foreach (var t in module.Types) {
var types = new List<TypeDef>(AllTypesHelper.Types(new List<TypeDef> { t }));
foreach (var type in types) {
if (methodsTypes.find(type))
continue;
foreach (var method in type.Methods) {
if (method.Name == ".ctor" || method.Name == ".cctor")
continue;
MethodDef calledMethod;
if (!checkRestoreBody(method, out calledMethod))
continue;
if (!checkSameMethods(method, calledMethod))
continue;
if (!methodsTypes.find(calledMethod.DeclaringType))
continue;
if (types.IndexOf(calledMethod.DeclaringType) < 0)
continue;
var list = methodToOrigMethods.find(calledMethod);
if (list == null)
methodToOrigMethods.add(calledMethod, list = new List<MethodDef>());
list.Add(method);
}
}
}
foreach (var calledMethod in methodToOrigMethods.getKeys()) {
var list = methodToOrigMethods.find(calledMethod);
var method = list[0];
Logger.v("Restored method body {0:X8} from method {1:X8}",
method.MDToken.ToInt32(),
calledMethod.MDToken.ToInt32());
DotNetUtils.copyBodyFromTo(calledMethod, method);
classMethods.add(calledMethod, method);
}
}
void initializeCtors(TypeDef manager, MethodDefAndDeclaringTypeDict<IMethod> ctors)
{
if (manager == null)
return;
foreach (var ctor in manager.Methods) {
if (ctor.Name != ".ctor")
continue;
var newCtor = new MemberRefUser(module, ctor.Name, ctor.MethodSig.Clone(), manager.BaseType);
module.UpdateRowId(newCtor);
ctors.add(ctor, newCtor);
}
}
public void initializeEventHandlerNames()
{
var ourFields = new FieldDefAndDeclaringTypeDict<MFieldDef>();
foreach (var fieldDef in type.AllFields)
ourFields.add(fieldDef.FieldDef, fieldDef);
var ourMethods = new MethodDefAndDeclaringTypeDict<MMethodDef>();
foreach (var methodDef in type.AllMethods)
ourMethods.add(methodDef.MethodDef, methodDef);
initVbEventHandlers(ourFields, ourMethods);
initFieldEventHandlers(ourFields, ourMethods);
initTypeEventHandlers(ourFields, ourMethods);
}
void initializeWindowsFormsFieldsAndProps()
{
var checker = NameChecker;
var ourFields = new FieldDefAndDeclaringTypeDict<MFieldDef>();
foreach (var fieldDef in type.AllFields)
ourFields.add(fieldDef.FieldDef, fieldDef);
var ourMethods = new MethodDefAndDeclaringTypeDict<MMethodDef>();
foreach (var methodDef in type.AllMethods)
ourMethods.add(methodDef.MethodDef, methodDef);
foreach (var methodDef in type.AllMethods) {
if (methodDef.MethodDef.Body == null)
continue;
if (methodDef.MethodDef.IsStatic || methodDef.MethodDef.IsVirtual)
continue;
var instructions = methodDef.MethodDef.Body.Instructions;
for (int i = 2; i < instructions.Count; i++) {
var call = instructions[i];
if (call.OpCode.Code != Code.Call && call.OpCode.Code != Code.Callvirt)
continue;
if (!isWindowsFormsSetNameMethod(call.Operand as IMethod))
continue;
var ldstr = instructions[i - 1];
if (ldstr.OpCode.Code != Code.Ldstr)
continue;
var fieldName = ldstr.Operand as string;
if (fieldName == null || !checker.isValidFieldName(fieldName))
continue;
var instr = instructions[i - 2];
IField fieldRef = null;
if (instr.OpCode.Code == Code.Call || instr.OpCode.Code == Code.Callvirt) {
var calledMethod = instr.Operand as IMethod;
if (calledMethod == null)
continue;
var calledMethodDef = ourMethods.find(calledMethod);
if (calledMethodDef == null)
continue;
fieldRef = getFieldRef(calledMethodDef.MethodDef);
var propDef = calledMethodDef.Property;
if (propDef == null)
continue;
memberInfos.prop(propDef).suggestedName = fieldName;
fieldName = "_" + fieldName;
}
else if (instr.OpCode.Code == Code.Ldfld) {
fieldRef = instr.Operand as IField;
}
if (fieldRef == null)
continue;
var fieldDef = ourFields.find(fieldRef);
if (fieldDef == null)
continue;
var fieldInfo = memberInfos.field(fieldDef);
if (fieldInfo.renamed)
continue;
fieldInfo.suggestedName = variableNameState.getNewFieldName(fieldInfo.oldName, new NameCreator2(fieldName));
}
}
}
public TypeDefDict<bool> getInlinedTypes(IEnumerable<MethodDef> unusedMethods)
{
var unused = new MethodDefAndDeclaringTypeDict<bool>();
foreach (var method in unusedMethods)
unused.add(method, true);
var types = new TypeDefDict<bool>();
foreach (var type in methodsTypes.getKeys()) {
if (checkAllMethodsUnused(unused, type))
types.add(type, true);
}
return types;
}
public void add(MethodDef method)
{
methods.add(method, true);
}
