protected override void inlineAllCalls() { foreach (var tmp in callResults) { var callResult = (MyCallResult)tmp; var handler = stringDecrypters.find(callResult.IMethod); callResult.returnValue = handler((MethodDef)callResult.IMethod, callResult.gim, callResult.args); } }
public void add(MethodDef method, Func <MethodDef, MethodSpec, object[], object> handler) { if (method == null) { return; } if (decrypterMethods.find(method) != null) { throw new ApplicationException(string.Format("Handler for method {0:X8} has already been added", method.MDToken.ToInt32())); } if (method != null) { decrypterMethods.add(method, handler); } }
// VB initializes the handlers in the property setter, where it first removes the handler // from the previous control, and then adds the handler to the new control. void initVbEventHandlers(FieldDefAndDeclaringTypeDict <MFieldDef> ourFields, MethodDefAndDeclaringTypeDict <MMethodDef> ourMethods) { var checker = NameChecker; foreach (var propDef in type.AllProperties) { var setterDef = propDef.SetMethod; if (setterDef == null) { continue; } string eventName; var handler = getVbHandler(setterDef.MethodDef, out eventName); if (handler == null) { continue; } var handlerDef = ourMethods.find(handler); if (handlerDef == null) { continue; } if (!checker.isValidEventName(eventName)) { continue; } memberInfos.method(handlerDef).suggestedName = string.Format("{0}_{1}", memberInfos.prop(propDef).newName, eventName); } }
protected override bool deobfuscate(Blocks blocks, IList <Block> allBlocks) { var removeInfos = new Dictionary <Block, List <RemoveInfo> >(); foreach (var block in allBlocks) { var instrs = block.Instructions; for (int i = 0; i < instrs.Count; i++) { var instr = instrs[i]; if (instr.OpCode != OpCodes.Call) { continue; } var method = instr.Operand as IMethod; if (method == null) { continue; } var di = proxyMethodToDelegateInfo.find(method); if (di == null) { continue; } add(removeInfos, block, i, di); } } return(fixProxyCalls(removeInfos)); }
public void deobfuscate(Blocks blocks) { if (oldToNewMethod.Count == 0) { return; } foreach (var block in blocks.MethodBlocks.getAllBlocks()) { var instrs = block.Instructions; for (int i = 0; i < instrs.Count; i++) { var call = instrs[i]; if (call.OpCode.Code != Code.Call) { continue; } var calledMethod = call.Operand as MethodDef; if (calledMethod == null) { continue; } var newMethodInfo = oldToNewMethod.find(calledMethod); if (newMethodInfo == null) { continue; } instrs[i] = new Instr(Instruction.Create(newMethodInfo.opCode, newMethodInfo.method)); } } }
public void add(MethodDef method, MethodDef methodToBeRemoved) { if (method == null || methodToBeRemoved == null) { return; } checkMethod(methodToBeRemoved); var dict = methodRefInfos.find(method); if (dict == null) { methodRefInfos.add(method, dict = new MethodDefAndDeclaringTypeDict <bool>()); } dict.add(methodToBeRemoved, true); }
public void deobfuscate(Blocks blocks) { if (resourceManagerType == null && componentResourceManagerType == null) { return; } foreach (var block in blocks.MethodBlocks.getAllBlocks()) { var instrs = block.Instructions; for (int i = 0; i < instrs.Count; i++) { var instr = instrs[i]; if (instr.OpCode.Code != Code.Newobj) { continue; } var ctor = instr.Operand as IMethod; if (ctor == null) { continue; } var newCtor = resourceManagerCtors.find(ctor); if (newCtor == null) { newCtor = componentManagerCtors.find(ctor); } if (newCtor == null) { continue; } instr.Operand = newCtor; } } }
void removeCalls(IList <Block> allBlocks, Blocks blocks, MethodDefAndDeclaringTypeDict <bool> info) { var instrsToDelete = new List <int>(); foreach (var block in allBlocks) { instrsToDelete.Clear(); for (int i = 0; i < block.Instructions.Count; i++) { var instr = block.Instructions[i]; if (instr.OpCode != OpCodes.Call) { continue; } var destMethod = instr.Operand as IMethod; if (destMethod == null) { continue; } if (info.find(destMethod)) { Logger.v("Removed call to {0}", Utils.removeNewlines(destMethod)); instrsToDelete.Add(i); } } block.remove(instrsToDelete); } }
protected override object checkCctor(TypeDef type, MethodDef cctor) { var instructions = cctor.Body.Instructions; for (int i = 0; i < instructions.Count; i++) { ITypeDefOrRef delegateType; IField delegateField; IMethod createMethod; int methodToken, declaringTypeToken; var instrs = DotNetUtils.getInstructions(instructions, i, OpCodes.Ldtoken, OpCodes.Ldc_I4, OpCodes.Ldc_I4, OpCodes.Ldtoken, OpCodes.Call); if (instrs != null) { delegateType = instrs[0].Operand as ITypeDefOrRef; methodToken = instrs[1].GetLdcI4Value(); declaringTypeToken = instrs[2].GetLdcI4Value(); delegateField = instrs[3].Operand as IField; createMethod = instrs[4].Operand as IMethod; } else if ((instrs = DotNetUtils.getInstructions(instructions, i, OpCodes.Ldtoken, OpCodes.Ldc_I4, OpCodes.Ldtoken, OpCodes.Call)) != null) { delegateType = instrs[0].Operand as ITypeDefOrRef; methodToken = instrs[1].GetLdcI4Value(); declaringTypeToken = -1; delegateField = instrs[2].Operand as IField; createMethod = instrs[3].Operand as IMethod; } else { continue; } if (delegateType == null) { continue; } if (delegateField == null) { continue; } if (createMethod == null) { continue; } var proxyCreatorType = methodToType.find(createMethod); if (proxyCreatorType == ProxyCreatorType.None) { continue; } return(new Context(delegateType, methodToken, declaringTypeToken, proxyCreatorType)); } return(null); }
static bool checkAllMethodsUnused(MethodDefAndDeclaringTypeDict <bool> unused, TypeDef type) { foreach (var method in type.Methods) { if (!unused.find(method)) { return(false); } } return(true); }
protected Info getInfo(MethodDef method) { var info = decrypterMethods.find(method); if (info == null) { return(null); } info.referenced = true; return(info); }
public bool exists(IMethod method) { if (method == null) { return(false); } if (method.DeclaringType != null && types.find(method.DeclaringType)) { return(true); } return(methods.find(method)); }
public void deobfuscate(Blocks blocks) { foreach (var block in blocks.MethodBlocks.getAllBlocks()) { var instrs = block.Instructions; for (int i = 0; i < instrs.Count; i++) { var call = instrs[i]; if (call.OpCode.Code != Code.Call) { continue; } var realInstanceMethod = classMethods.find(call.Operand as IMethod); if (realInstanceMethod == null) { continue; } call.Operand = realInstanceMethod; } } }
public string decrypt(MethodDef method, int magic1, int magic2, int magic3) { var info = stringEncrypterInfos.find(method); return(info.decrypt(magic1, magic2, magic3)); }
void restoreMethodBodies() { var methodToOrigMethods = new MethodDefAndDeclaringTypeDict <List <MethodDef> >(); foreach (var t in module.Types) { var types = new List <TypeDef>(AllTypesHelper.Types(new List <TypeDef> { t })); foreach (var type in types) { if (methodsTypes.find(type)) { continue; } foreach (var method in type.Methods) { if (method.Name == ".ctor" || method.Name == ".cctor") { continue; } MethodDef calledMethod; if (!checkRestoreBody(method, out calledMethod)) { continue; } if (!checkSameMethods(method, calledMethod)) { continue; } if (!methodsTypes.find(calledMethod.DeclaringType)) { continue; } if (types.IndexOf(calledMethod.DeclaringType) < 0) { continue; } var list = methodToOrigMethods.find(calledMethod); if (list == null) { methodToOrigMethods.add(calledMethod, list = new List <MethodDef>()); } list.Add(method); } } } foreach (var calledMethod in methodToOrigMethods.getKeys()) { var list = methodToOrigMethods.find(calledMethod); var method = list[0]; Logger.v("Restored method body {0:X8} from method {1:X8}", method.MDToken.ToInt32(), calledMethod.MDToken.ToInt32()); DotNetUtils.copyBodyFromTo(calledMethod, method); classMethods.add(calledMethod, method); } }
public bool isProxyTargetMethod(IMethod method) { return(proxyTargetMethods.find(method)); }
protected virtual bool isExceptionLogger(IMethod method) { return(exceptionLoggerMethods.find(method)); }
void initializeWindowsFormsFieldsAndProps() { var checker = NameChecker; var ourFields = new FieldDefAndDeclaringTypeDict <MFieldDef>(); foreach (var fieldDef in type.AllFields) { ourFields.add(fieldDef.FieldDef, fieldDef); } var ourMethods = new MethodDefAndDeclaringTypeDict <MMethodDef>(); foreach (var methodDef in type.AllMethods) { ourMethods.add(methodDef.MethodDef, methodDef); } foreach (var methodDef in type.AllMethods) { if (methodDef.MethodDef.Body == null) { continue; } if (methodDef.MethodDef.IsStatic || methodDef.MethodDef.IsVirtual) { continue; } var instructions = methodDef.MethodDef.Body.Instructions; for (int i = 2; i < instructions.Count; i++) { var call = instructions[i]; if (call.OpCode.Code != Code.Call && call.OpCode.Code != Code.Callvirt) { continue; } if (!isWindowsFormsSetNameMethod(call.Operand as IMethod)) { continue; } var ldstr = instructions[i - 1]; if (ldstr.OpCode.Code != Code.Ldstr) { continue; } var fieldName = ldstr.Operand as string; if (fieldName == null || !checker.isValidFieldName(fieldName)) { continue; } var instr = instructions[i - 2]; IField fieldRef = null; if (instr.OpCode.Code == Code.Call || instr.OpCode.Code == Code.Callvirt) { var calledMethod = instr.Operand as IMethod; if (calledMethod == null) { continue; } var calledMethodDef = ourMethods.find(calledMethod); if (calledMethodDef == null) { continue; } fieldRef = getFieldRef(calledMethodDef.MethodDef); var propDef = calledMethodDef.Property; if (propDef == null) { continue; } memberInfos.prop(propDef).suggestedName = fieldName; fieldName = "_" + fieldName; } else if (instr.OpCode.Code == Code.Ldfld) { fieldRef = instr.Operand as IField; } if (fieldRef == null) { continue; } var fieldDef = ourFields.find(fieldRef); if (fieldDef == null) { continue; } var fieldInfo = memberInfos.field(fieldDef); if (fieldInfo.renamed) { continue; } fieldInfo.suggestedName = variableNameState.getNewFieldName(fieldInfo.oldName, new NameCreator2(fieldName)); } } }
void initFieldEventHandlers(FieldDefAndDeclaringTypeDict<MFieldDef> ourFields, MethodDefAndDeclaringTypeDict<MMethodDef> ourMethods) { var checker = NameChecker; foreach (var methodDef in type.AllMethods) { if (methodDef.MethodDef.Body == null) continue; if (methodDef.MethodDef.IsStatic) continue; var instructions = methodDef.MethodDef.Body.Instructions; for (int i = 0; i < instructions.Count - 6; i++) { // We're looking for this code pattern: // ldarg.0 // ldfld field // ldarg.0 // ldftn method / ldarg.0 + ldvirtftn // newobj event_handler_ctor // callvirt add_SomeEvent if (instructions[i].GetParameterIndex() != 0) continue; int index = i + 1; var ldfld = instructions[index++]; if (ldfld.OpCode.Code != Code.Ldfld) continue; var fieldRef = ldfld.Operand as IField; if (fieldRef == null) continue; var fieldDef = ourFields.find(fieldRef); if (fieldDef == null) continue; if (instructions[index++].GetParameterIndex() != 0) continue; IMethod methodRef; var instr = instructions[index + 1]; if (instr.OpCode.Code == Code.Ldvirtftn) { if (!isThisOrDup(instructions[index++])) continue; var ldvirtftn = instructions[index++]; methodRef = ldvirtftn.Operand as IMethod; } else { var ldftn = instructions[index++]; if (ldftn.OpCode.Code != Code.Ldftn) continue; methodRef = ldftn.Operand as IMethod; } if (methodRef == null) continue; var handlerMethod = ourMethods.find(methodRef); if (handlerMethod == null) continue; var newobj = instructions[index++]; if (newobj.OpCode.Code != Code.Newobj) continue; if (!isEventHandlerCtor(newobj.Operand as IMethod)) continue; var call = instructions[index++]; if (call.OpCode.Code != Code.Call && call.OpCode.Code != Code.Callvirt) continue; var addHandler = call.Operand as IMethod; if (addHandler == null) continue; if (!Utils.StartsWith(addHandler.Name.String, "add_", StringComparison.Ordinal)) continue; var eventName = addHandler.Name.String.Substring(4); if (!checker.isValidEventName(eventName)) continue; memberInfos.method(handlerMethod).suggestedName = string.Format("{0}_{1}", memberInfos.field(fieldDef).newName, eventName); } } }
void initFieldEventHandlers(FieldDefAndDeclaringTypeDict <MFieldDef> ourFields, MethodDefAndDeclaringTypeDict <MMethodDef> ourMethods) { var checker = NameChecker; foreach (var methodDef in type.AllMethods) { if (methodDef.MethodDef.Body == null) { continue; } if (methodDef.MethodDef.IsStatic) { continue; } var instructions = methodDef.MethodDef.Body.Instructions; for (int i = 0; i < instructions.Count - 6; i++) { // We're looking for this code pattern: // ldarg.0 // ldfld field // ldarg.0 // ldftn method / ldarg.0 + ldvirtftn // newobj event_handler_ctor // callvirt add_SomeEvent if (instructions[i].GetParameterIndex() != 0) { continue; } int index = i + 1; var ldfld = instructions[index++]; if (ldfld.OpCode.Code != Code.Ldfld) { continue; } var fieldRef = ldfld.Operand as IField; if (fieldRef == null) { continue; } var fieldDef = ourFields.find(fieldRef); if (fieldDef == null) { continue; } if (instructions[index++].GetParameterIndex() != 0) { continue; } IMethod methodRef; var instr = instructions[index + 1]; if (instr.OpCode.Code == Code.Ldvirtftn) { if (!isThisOrDup(instructions[index++])) { continue; } var ldvirtftn = instructions[index++]; methodRef = ldvirtftn.Operand as IMethod; } else { var ldftn = instructions[index++]; if (ldftn.OpCode.Code != Code.Ldftn) { continue; } methodRef = ldftn.Operand as IMethod; } if (methodRef == null) { continue; } var handlerMethod = ourMethods.find(methodRef); if (handlerMethod == null) { continue; } var newobj = instructions[index++]; if (newobj.OpCode.Code != Code.Newobj) { continue; } if (!isEventHandlerCtor(newobj.Operand as IMethod)) { continue; } var call = instructions[index++]; if (call.OpCode.Code != Code.Call && call.OpCode.Code != Code.Callvirt) { continue; } var addHandler = call.Operand as IMethod; if (addHandler == null) { continue; } if (!Utils.StartsWith(addHandler.Name.String, "add_", StringComparison.Ordinal)) { continue; } var eventName = addHandler.Name.String.Substring(4); if (!checker.isValidEventName(eventName)) { continue; } memberInfos.method(handlerMethod).suggestedName = string.Format("{0}_{1}", memberInfos.field(fieldDef).newName, eventName); } } }
void initTypeEventHandlers(FieldDefAndDeclaringTypeDict <MFieldDef> ourFields, MethodDefAndDeclaringTypeDict <MMethodDef> ourMethods) { var checker = NameChecker; foreach (var methodDef in type.AllMethods) { if (methodDef.MethodDef.Body == null) { continue; } if (methodDef.MethodDef.IsStatic) { continue; } var method = methodDef.MethodDef; var instructions = method.Body.Instructions; for (int i = 0; i < instructions.Count - 5; i++) { // ldarg.0 // ldarg.0 / dup // ldarg.0 / dup // ldvirtftn handler // newobj event handler ctor // call add_Xyz if (instructions[i].GetParameterIndex() != 0) { continue; } int index = i + 1; if (!isThisOrDup(instructions[index++])) { continue; } IMethod handler; if (instructions[index].OpCode.Code == Code.Ldftn) { handler = instructions[index++].Operand as IMethod; } else { if (!isThisOrDup(instructions[index++])) { continue; } var instr = instructions[index++]; if (instr.OpCode.Code != Code.Ldvirtftn) { continue; } handler = instr.Operand as IMethod; } if (handler == null) { continue; } var handlerDef = ourMethods.find(handler); if (handlerDef == null) { continue; } var newobj = instructions[index++]; if (newobj.OpCode.Code != Code.Newobj) { continue; } if (!isEventHandlerCtor(newobj.Operand as IMethod)) { continue; } var call = instructions[index++]; if (call.OpCode.Code != Code.Call && call.OpCode.Code != Code.Callvirt) { continue; } var addMethod = call.Operand as IMethod; if (addMethod == null) { continue; } if (!Utils.StartsWith(addMethod.Name.String, "add_", StringComparison.Ordinal)) { continue; } var eventName = addMethod.Name.String.Substring(4); if (!checker.isValidEventName(eventName)) { continue; } memberInfos.method(handlerDef).suggestedName = string.Format("{0}_{1}", newName, eventName); } } }
public string decrypt(MethodDef method) { var info = methodToInfo.find(method); return(Encoding.Unicode.GetString(decryptedData, info.offset, info.length)); }
void initializeWindowsFormsFieldsAndProps() { var checker = NameChecker; var ourFields = new FieldDefAndDeclaringTypeDict<MFieldDef>(); foreach (var fieldDef in type.AllFields) ourFields.add(fieldDef.FieldDef, fieldDef); var ourMethods = new MethodDefAndDeclaringTypeDict<MMethodDef>(); foreach (var methodDef in type.AllMethods) ourMethods.add(methodDef.MethodDef, methodDef); foreach (var methodDef in type.AllMethods) { if (methodDef.MethodDef.Body == null) continue; if (methodDef.MethodDef.IsStatic || methodDef.MethodDef.IsVirtual) continue; var instructions = methodDef.MethodDef.Body.Instructions; for (int i = 2; i < instructions.Count; i++) { var call = instructions[i]; if (call.OpCode.Code != Code.Call && call.OpCode.Code != Code.Callvirt) continue; if (!isWindowsFormsSetNameMethod(call.Operand as IMethod)) continue; var ldstr = instructions[i - 1]; if (ldstr.OpCode.Code != Code.Ldstr) continue; var fieldName = ldstr.Operand as string; if (fieldName == null || !checker.isValidFieldName(fieldName)) continue; var instr = instructions[i - 2]; IField fieldRef = null; if (instr.OpCode.Code == Code.Call || instr.OpCode.Code == Code.Callvirt) { var calledMethod = instr.Operand as IMethod; if (calledMethod == null) continue; var calledMethodDef = ourMethods.find(calledMethod); if (calledMethodDef == null) continue; fieldRef = getFieldRef(calledMethodDef.MethodDef); var propDef = calledMethodDef.Property; if (propDef == null) continue; memberInfos.prop(propDef).suggestedName = fieldName; fieldName = "_" + fieldName; } else if (instr.OpCode.Code == Code.Ldfld) { fieldRef = instr.Operand as IField; } if (fieldRef == null) continue; var fieldDef = ourFields.find(fieldRef); if (fieldDef == null) continue; var fieldInfo = memberInfos.field(fieldDef); if (fieldInfo.renamed) continue; fieldInfo.suggestedName = variableNameState.getNewFieldName(fieldInfo.oldName, new NameCreator2(fieldName)); } } }
void initTypeEventHandlers(FieldDefAndDeclaringTypeDict<MFieldDef> ourFields, MethodDefAndDeclaringTypeDict<MMethodDef> ourMethods) { var checker = NameChecker; foreach (var methodDef in type.AllMethods) { if (methodDef.MethodDef.Body == null) continue; if (methodDef.MethodDef.IsStatic) continue; var method = methodDef.MethodDef; var instructions = method.Body.Instructions; for (int i = 0; i < instructions.Count - 5; i++) { // ldarg.0 // ldarg.0 / dup // ldarg.0 / dup // ldvirtftn handler // newobj event handler ctor // call add_Xyz if (instructions[i].GetParameterIndex() != 0) continue; int index = i + 1; if (!isThisOrDup(instructions[index++])) continue; IMethod handler; if (instructions[index].OpCode.Code == Code.Ldftn) { handler = instructions[index++].Operand as IMethod; } else { if (!isThisOrDup(instructions[index++])) continue; var instr = instructions[index++]; if (instr.OpCode.Code != Code.Ldvirtftn) continue; handler = instr.Operand as IMethod; } if (handler == null) continue; var handlerDef = ourMethods.find(handler); if (handlerDef == null) continue; var newobj = instructions[index++]; if (newobj.OpCode.Code != Code.Newobj) continue; if (!isEventHandlerCtor(newobj.Operand as IMethod)) continue; var call = instructions[index++]; if (call.OpCode.Code != Code.Call && call.OpCode.Code != Code.Callvirt) continue; var addMethod = call.Operand as IMethod; if (addMethod == null) continue; if (!Utils.StartsWith(addMethod.Name.String, "add_", StringComparison.Ordinal)) continue; var eventName = addMethod.Name.String.Substring(4); if (!checker.isValidEventName(eventName)) continue; memberInfos.method(handlerDef).suggestedName = string.Format("{0}_{1}", newName, eventName); } } }
static bool checkAllMethodsUnused(MethodDefAndDeclaringTypeDict<bool> unused, TypeDef type) { foreach (var method in type.Methods) { if (!unused.find(method)) return false; } return true; }
// VB initializes the handlers in the property setter, where it first removes the handler // from the previous control, and then adds the handler to the new control. void initVbEventHandlers(FieldDefAndDeclaringTypeDict<MFieldDef> ourFields, MethodDefAndDeclaringTypeDict<MMethodDef> ourMethods) { var checker = NameChecker; foreach (var propDef in type.AllProperties) { var setterDef = propDef.SetMethod; if (setterDef == null) continue; string eventName; var handler = getVbHandler(setterDef.MethodDef, out eventName); if (handler == null) continue; var handlerDef = ourMethods.find(handler); if (handlerDef == null) continue; if (!checker.isValidEventName(eventName)) continue; memberInfos.method(handlerDef).suggestedName = string.Format("{0}_{1}", memberInfos.prop(propDef).newName, eventName); } }
void restoreMethodBodies() { var methodToOrigMethods = new MethodDefAndDeclaringTypeDict<List<MethodDef>>(); foreach (var t in module.Types) { var types = new List<TypeDef>(AllTypesHelper.Types(new List<TypeDef> { t })); foreach (var type in types) { if (methodsTypes.find(type)) continue; foreach (var method in type.Methods) { if (method.Name == ".ctor" || method.Name == ".cctor") continue; MethodDef calledMethod; if (!checkRestoreBody(method, out calledMethod)) continue; if (!checkSameMethods(method, calledMethod)) continue; if (!methodsTypes.find(calledMethod.DeclaringType)) continue; if (types.IndexOf(calledMethod.DeclaringType) < 0) continue; var list = methodToOrigMethods.find(calledMethod); if (list == null) methodToOrigMethods.add(calledMethod, list = new List<MethodDef>()); list.Add(method); } } } foreach (var calledMethod in methodToOrigMethods.getKeys()) { var list = methodToOrigMethods.find(calledMethod); var method = list[0]; Logger.v("Restored method body {0:X8} from method {1:X8}", method.MDToken.ToInt32(), calledMethod.MDToken.ToInt32()); DotNetUtils.copyBodyFromTo(calledMethod, method); classMethods.add(calledMethod, method); } }
public string decrypt(IMethod method, object[] args) { var info = methodToInfo.find(method); return(info.decrypt(args)); }