Ejemplo n.º 1
0
        void InitializeConstantsDecrypterV18()
        {
            if (hasInitializedConstantsDecrypter || constantsDecrypterV18 == null || !constantsDecrypterV18.Detected)
            {
                return;
            }
            hasInitializedConstantsDecrypter = true;

            DecryptResources();
            constantsDecrypterV18.Initialize();
            int32ValueInliner  = new Int32ValueInliner();
            int64ValueInliner  = new Int64ValueInliner();
            singleValueInliner = new SingleValueInliner();
            doubleValueInliner = new DoubleValueInliner();
            foreach (var info in constantsDecrypterV18.Decrypters)
            {
                staticStringInliner.Add(info.method, (method, gim, args) => constantsDecrypterV18.DecryptString(method, gim, (uint)args[0], (ulong)args[1]));
                int32ValueInliner.Add(info.method, (method, gim, args) => constantsDecrypterV18.DecryptInt32(method, gim, (uint)args[0], (ulong)args[1]));
                int64ValueInliner.Add(info.method, (method, gim, args) => constantsDecrypterV18.DecryptInt64(method, gim, (uint)args[0], (ulong)args[1]));
                singleValueInliner.Add(info.method, (method, gim, args) => constantsDecrypterV18.DecryptSingle(method, gim, (uint)args[0], (ulong)args[1]));
                doubleValueInliner.Add(info.method, (method, gim, args) => constantsDecrypterV18.DecryptDouble(method, gim, (uint)args[0], (ulong)args[1]));
            }
            DeobfuscatedFile.StringDecryptersAdded();
            AddTypesToBeRemoved(constantsDecrypterV18.Types, "Constants decrypter type");
            AddFieldsToBeRemoved(constantsDecrypterV18.Fields, "Constants decrypter field");
            AddMethodToBeRemoved(constantsDecrypterV18.NativeMethod, "Constants decrypter native method");
            AddTypeToBeRemoved(constantsDecrypterV18.LzmaType, "LZMA type");
            AddResourceToBeRemoved(constantsDecrypterV18.Resource, "Encrypted constants");
        }
Ejemplo n.º 2
0
        public override void DeobfuscateBegin()
        {
            base.DeobfuscateBegin();

            if (options.DecryptResources)
            {
                AddCctorInitCallToBeRemoved(resourceResolver.InitMethod);
                AddTypeToBeRemoved(resourceResolver.Type, "Resource resolver type");
            }

            DecryptResources();
            stringDecrypter.Initialize();

            if (Operations.DecryptStrings != OpDecryptString.None)
            {
                if (stringDecrypter.Resource != null)
                {
                    Logger.v("Adding string decrypter. Resource: {0}", Utils.ToCsharpString(stringDecrypter.Resource.Name));
                }
                staticStringInliner.Add(stringDecrypter.DecryptMethod, (method, gim, args) => {
                    return(stringDecrypter.Decrypt(args));
                });
                DeobfuscatedFile.StringDecryptersAdded();
            }

            if (options.DumpEmbeddedAssemblies)
            {
                assemblyResolver.Initialize(DeobfuscatedFile, this);

                // Need to dump the assemblies before decrypting methods in case there's a reference
                // in the encrypted code to one of these assemblies.
                DumpEmbeddedAssemblies();
            }

            if (options.DecryptMethods)
            {
                methodsDecrypter.Initialize(DeobfuscatedFile, this);
                methodsDecrypter.decrypt();
            }

            if (options.DecryptConstants)
            {
                constantsDecrypter.Initialize(DeobfuscatedFile, this);

                AddTypeToBeRemoved(constantsDecrypter.Type, "Constants decrypter type");
                AddResourceToBeRemoved(constantsDecrypter.Resource, "Encrypted constants");
                int32ValueInliner = new Int32ValueInliner();
                int32ValueInliner.Add(constantsDecrypter.Int32Decrypter, (method, gim, args) => constantsDecrypter.DecryptInt32((int)args[0]));
                int64ValueInliner = new Int64ValueInliner();
                int64ValueInliner.Add(constantsDecrypter.Int64Decrypter, (method, gim, args) => constantsDecrypter.DecryptInt64((int)args[0]));
                singleValueInliner = new SingleValueInliner();
                singleValueInliner.Add(constantsDecrypter.SingleDecrypter, (method, gim, args) => constantsDecrypter.DecryptSingle((int)args[0]));
                doubleValueInliner = new DoubleValueInliner();
                doubleValueInliner.Add(constantsDecrypter.DoubleDecrypter, (method, gim, args) => constantsDecrypter.DecryptDouble((int)args[0]));
            }

            proxyCallFixer.Find();
            startedDeobfuscating = true;
        }
Ejemplo n.º 3
0
            public override void DeobfuscateBegin()
            {
                if (_constantDecrypter.Detected)
                {
                    _sbyteValueInliner  = new SByteValueInliner();
                    _byteValueInliner   = new ByteValueInliner();
                    _int16ValueInliner  = new Int16ValueInliner();
                    _uint16ValueInliner = new UInt16ValueInliner();
                    _int32ValueInliner  = new Int32ValueInliner();
                    _uint32ValueInliner = new UInt32ValueInliner();
                    _int64ValueInliner  = new Int64ValueInliner();
                    _uint64ValueInliner = new UInt64ValueInliner();
                    _singleValueInliner = new SingleValueInliner();
                    _doubleValueInliner = new DoubleValueInliner();
                    _arrayValueInliner  = new ArrayValueInliner(initializedDataCreator);
                    foreach (var info in _constantDecrypter.Decrypters)
                    {
                        staticStringInliner.Add(info.Method,
                                                (method, gim, args) => _constantDecrypter.DecryptString(info, gim, (uint)args[0]));
                        _sbyteValueInliner.Add(info.Method,
                                               (method, gim, args) => _constantDecrypter.DecryptSByte(info, gim, (uint)args[0]));
                        _byteValueInliner.Add(info.Method,
                                              (method, gim, args) => _constantDecrypter.DecryptByte(info, gim, (uint)args[0]));
                        _int16ValueInliner.Add(info.Method,
                                               (method, gim, args) => _constantDecrypter.DecryptInt16(info, gim, (uint)args[0]));
                        _uint16ValueInliner.Add(info.Method,
                                                (method, gim, args) => _constantDecrypter.DecryptUInt16(info, gim, (uint)args[0]));
                        _int32ValueInliner.Add(info.Method,
                                               (method, gim, args) => _constantDecrypter.DecryptInt32(info, gim, (uint)args[0]));
                        _uint32ValueInliner.Add(info.Method,
                                                (method, gim, args) => _constantDecrypter.DecryptUInt32(info, gim, (uint)args[0]));
                        _int64ValueInliner.Add(info.Method,
                                               (method, gim, args) => _constantDecrypter.DecryptInt64(info, gim, (uint)args[0]));
                        _uint64ValueInliner.Add(info.Method,
                                                (method, gim, args) => _constantDecrypter.DecryptUInt64(info, gim, (uint)args[0]));
                        _singleValueInliner.Add(info.Method,
                                                (method, gim, args) => _constantDecrypter.DecryptSingle(info, gim, (uint)args[0]));
                        _doubleValueInliner.Add(info.Method,
                                                (method, gim, args) => _constantDecrypter.DecryptDouble(info, gim, (uint)args[0]));
                        _arrayValueInliner.Add(info.Method,
                                               (method, gim, args) => _constantDecrypter.DecryptArray(info, gim, (uint)args[0]));
                    }
                    _deobfuscating = true;
                }
                if (_resourceDecrypter.Detected)
                {
                    _resourceDecrypter.Fix();
                }

                base.DeobfuscateBegin();
            }
Ejemplo n.º 4
0
        void Initialize(ConstantsDecrypterBase constDecrypter, ref bool hasInitialized)
        {
            if (hasInitialized || constDecrypter == null || !constDecrypter.Detected)
            {
                return;
            }
            hasInitializedConstantsDecrypter15 = true;

            DecryptResources();
            constDecrypter.Initialize();
            int32ValueInliner  = new Int32ValueInliner();
            int64ValueInliner  = new Int64ValueInliner();
            singleValueInliner = new SingleValueInliner();
            doubleValueInliner = new DoubleValueInliner();
            foreach (var info in constDecrypter.DecrypterInfos)
            {
                staticStringInliner.Add(info.decryptMethod, (method, gim, args) => constDecrypter.DecryptString(staticStringInliner.Method, method, args));
                int32ValueInliner.Add(info.decryptMethod, (method, gim, args) => constDecrypter.DecryptInt32(int32ValueInliner.Method, method, args));
                int64ValueInliner.Add(info.decryptMethod, (method, gim, args) => constDecrypter.DecryptInt64(int64ValueInliner.Method, method, args));
                singleValueInliner.Add(info.decryptMethod, (method, gim, args) => constDecrypter.DecryptSingle(singleValueInliner.Method, method, args));
                doubleValueInliner.Add(info.decryptMethod, (method, gim, args) => constDecrypter.DecryptDouble(doubleValueInliner.Method, method, args));
            }
            int32ValueInliner.RemoveUnbox  = true;
            int64ValueInliner.RemoveUnbox  = true;
            singleValueInliner.RemoveUnbox = true;
            doubleValueInliner.RemoveUnbox = true;
            DeobfuscatedFile.StringDecryptersAdded();
            AddFieldsToBeRemoved(constDecrypter.Fields, "Constants decrypter field");
            var moduleType = DotNetUtils.GetModuleType(Module);

            foreach (var info in constDecrypter.DecrypterInfos)
            {
                if (info.decryptMethod.DeclaringType == moduleType)
                {
                    AddMethodToBeRemoved(info.decryptMethod, "Constants decrypter method");
                }
                else
                {
                    AddTypeToBeRemoved(info.decryptMethod.DeclaringType, "Constants decrypter type");
                }
            }
            AddMethodToBeRemoved(constDecrypter.NativeMethod, "Constants decrypter native method");
            AddResourceToBeRemoved(constDecrypter.Resource, "Encrypted constants");
        }
Ejemplo n.º 5
0
        public override void DeobfuscateBegin()
        {
            base.DeobfuscateBegin();

            if (options.DecryptResources) {
                AddCctorInitCallToBeRemoved(resourceResolver.InitMethod);
                AddTypeToBeRemoved(resourceResolver.Type, "Resource resolver type");
            }

            DecryptResources();
            stringDecrypter.Initialize();

            if (Operations.DecryptStrings != OpDecryptString.None) {
                if (stringDecrypter.Resource != null)
                    Logger.v("Adding string decrypter. Resource: {0}", Utils.ToCsharpString(stringDecrypter.Resource.Name));
                staticStringInliner.Add(stringDecrypter.DecryptMethod, (method, gim, args) => {
                    return stringDecrypter.Decrypt(args);
                });
                DeobfuscatedFile.StringDecryptersAdded();
            }

            if (options.DumpEmbeddedAssemblies) {
                assemblyResolver.Initialize(DeobfuscatedFile, this);

                // Need to dump the assemblies before decrypting methods in case there's a reference
                // in the encrypted code to one of these assemblies.
                DumpEmbeddedAssemblies();
            }

            if (options.DecryptMethods) {
                methodsDecrypter.Initialize(DeobfuscatedFile, this);
                methodsDecrypter.decrypt();
            }

            if (options.DecryptConstants) {
                constantsDecrypter.Initialize(DeobfuscatedFile, this);

                AddTypeToBeRemoved(constantsDecrypter.Type, "Constants decrypter type");
                AddResourceToBeRemoved(constantsDecrypter.Resource, "Encrypted constants");
                int32ValueInliner = new Int32ValueInliner();
                int32ValueInliner.Add(constantsDecrypter.Int32Decrypter, (method, gim, args) => constantsDecrypter.DecryptInt32((int)args[0]));
                int64ValueInliner = new Int64ValueInliner();
                int64ValueInliner.Add(constantsDecrypter.Int64Decrypter, (method, gim, args) => constantsDecrypter.DecryptInt64((int)args[0]));
                singleValueInliner = new SingleValueInliner();
                singleValueInliner.Add(constantsDecrypter.SingleDecrypter, (method, gim, args) => constantsDecrypter.DecryptSingle((int)args[0]));
                doubleValueInliner = new DoubleValueInliner();
                doubleValueInliner.Add(constantsDecrypter.DoubleDecrypter, (method, gim, args) => constantsDecrypter.DecryptDouble((int)args[0]));
            }

            proxyCallFixer.Find();
            startedDeobfuscating = true;
        }
Ejemplo n.º 6
0
        public override void DeobfuscateBegin()
        {
            base.DeobfuscateBegin();

            resourceDecrypter = new ResourceDecrypter(module, DeobfuscatedFile);
            resourceResolver  = new ResourceResolver(module, resourceDecrypter);
            assemblyResolver  = new AssemblyResolver(module);
            resourceResolver.Find();
            assemblyResolver.Find(DeobfuscatedFile);

            DecryptResources();
            stringDecrypter.Initialize(resourceDecrypter);
            if (stringDecrypter.Method != null)
            {
                staticStringInliner.Add(stringDecrypter.Method, (method, gim, args) => {
                    return(stringDecrypter.Decrypt((int)args[0]));
                });
                DeobfuscatedFile.StringDecryptersAdded();
            }

            methodsDecrypter.Decrypt(resourceDecrypter, DeobfuscatedFile);

            if (methodsDecrypter.Detected)
            {
                if (!assemblyResolver.Detected)
                {
                    assemblyResolver.Find(DeobfuscatedFile);
                }
                if (!tamperDetection.Detected)
                {
                    tamperDetection.Find();
                }
            }
            antiDebugger = new AntiDebugger(module, DeobfuscatedFile, this);
            antiDebugger.Find();

            if (options.DecryptConstants)
            {
                constantsDecrypter.Initialize(resourceDecrypter);
                int32ValueInliner = new Int32ValueInliner();
                int32ValueInliner.Add(constantsDecrypter.Int32Decrypter, (method, gim, args) => constantsDecrypter.DecryptInt32((int)args[0]));
                int64ValueInliner = new Int64ValueInliner();
                int64ValueInliner.Add(constantsDecrypter.Int64Decrypter, (method, gim, args) => constantsDecrypter.DecryptInt64((int)args[0]));
                singleValueInliner = new SingleValueInliner();
                singleValueInliner.Add(constantsDecrypter.SingleDecrypter, (method, gim, args) => constantsDecrypter.DecryptSingle((int)args[0]));
                doubleValueInliner = new DoubleValueInliner();
                doubleValueInliner.Add(constantsDecrypter.DoubleDecrypter, (method, gim, args) => constantsDecrypter.DecryptDouble((int)args[0]));
                AddTypeToBeRemoved(constantsDecrypter.Type, "Constants decrypter type");
                AddResourceToBeRemoved(constantsDecrypter.Resource, "Encrypted constants");
            }

            AddModuleCctorInitCallToBeRemoved(resourceResolver.Method);
            AddModuleCctorInitCallToBeRemoved(assemblyResolver.Method);
            AddCallToBeRemoved(module.EntryPoint, tamperDetection.Method);
            AddModuleCctorInitCallToBeRemoved(tamperDetection.Method);
            AddCallToBeRemoved(module.EntryPoint, antiDebugger.Method);
            AddModuleCctorInitCallToBeRemoved(antiDebugger.Method);
            AddTypeToBeRemoved(resourceResolver.Type, "Resource resolver type");
            AddTypeToBeRemoved(assemblyResolver.Type, "Assembly resolver type");
            AddTypeToBeRemoved(tamperDetection.Type, "Tamper detection type");
            AddTypeToBeRemoved(antiDebugger.Type, "Anti-debugger type");
            AddTypeToBeRemoved(methodsDecrypter.Type, "Methods decrypter type");
            AddTypesToBeRemoved(methodsDecrypter.DelegateTypes, "Methods decrypter delegate type");
            AddResourceToBeRemoved(methodsDecrypter.Resource, "Encrypted methods");

            proxyCallFixer.Find();

            DumpEmbeddedAssemblies();

            startedDeobfuscating = true;
        }
Ejemplo n.º 7
0
		public override void DeobfuscateBegin() {
			base.DeobfuscateBegin();

			resourceDecrypter = new ResourceDecrypter(module, DeobfuscatedFile);
			resourceResolver = new ResourceResolver(module, resourceDecrypter);
			assemblyResolver = new AssemblyResolver(module);
			resourceResolver.Find();
			assemblyResolver.Find(DeobfuscatedFile);

			DecryptResources();
			stringDecrypter.Initialize(resourceDecrypter);
			if (stringDecrypter.Method != null) {
				staticStringInliner.Add(stringDecrypter.Method, (method, gim, args) => {
					return stringDecrypter.Decrypt((int)args[0]);
				});
				DeobfuscatedFile.StringDecryptersAdded();
			}

			methodsDecrypter.Decrypt(resourceDecrypter, DeobfuscatedFile);

			if (methodsDecrypter.Detected) {
				if (!assemblyResolver.Detected)
					assemblyResolver.Find(DeobfuscatedFile);
				if (!tamperDetection.Detected)
					tamperDetection.Find();
			}
			antiDebugger = new AntiDebugger(module, DeobfuscatedFile, this);
			antiDebugger.Find();

			if (options.DecryptConstants) {
				constantsDecrypter.Initialize(resourceDecrypter);
				int32ValueInliner = new Int32ValueInliner();
				int32ValueInliner.Add(constantsDecrypter.Int32Decrypter, (method, gim, args) => constantsDecrypter.DecryptInt32((int)args[0]));
				int64ValueInliner = new Int64ValueInliner();
				int64ValueInliner.Add(constantsDecrypter.Int64Decrypter, (method, gim, args) => constantsDecrypter.DecryptInt64((int)args[0]));
				singleValueInliner = new SingleValueInliner();
				singleValueInliner.Add(constantsDecrypter.SingleDecrypter, (method, gim, args) => constantsDecrypter.DecryptSingle((int)args[0]));
				doubleValueInliner = new DoubleValueInliner();
				doubleValueInliner.Add(constantsDecrypter.DoubleDecrypter, (method, gim, args) => constantsDecrypter.DecryptDouble((int)args[0]));
				AddTypeToBeRemoved(constantsDecrypter.Type, "Constants decrypter type");
				AddResourceToBeRemoved(constantsDecrypter.Resource, "Encrypted constants");
			}

			AddModuleCctorInitCallToBeRemoved(resourceResolver.Method);
			AddModuleCctorInitCallToBeRemoved(assemblyResolver.Method);
			AddCallToBeRemoved(module.EntryPoint, tamperDetection.Method);
			AddModuleCctorInitCallToBeRemoved(tamperDetection.Method);
			AddCallToBeRemoved(module.EntryPoint, antiDebugger.Method);
			AddModuleCctorInitCallToBeRemoved(antiDebugger.Method);
			AddTypeToBeRemoved(resourceResolver.Type, "Resource resolver type");
			AddTypeToBeRemoved(assemblyResolver.Type, "Assembly resolver type");
			AddTypeToBeRemoved(tamperDetection.Type, "Tamper detection type");
			AddTypeToBeRemoved(antiDebugger.Type, "Anti-debugger type");
			AddTypeToBeRemoved(methodsDecrypter.Type, "Methods decrypter type");
			AddTypesToBeRemoved(methodsDecrypter.DelegateTypes, "Methods decrypter delegate type");
			AddResourceToBeRemoved(methodsDecrypter.Resource, "Encrypted methods");

			proxyCallFixer.Find();

			DumpEmbeddedAssemblies();

			startedDeobfuscating = true;
		}
Ejemplo n.º 8
0
		void Initialize(ConstantsDecrypterBase constDecrypter, ref bool hasInitialized) {
			if (hasInitialized || (constDecrypter == null || !constDecrypter.Detected))
				return;
			hasInitializedConstantsDecrypter15 = true;

			DecryptResources();
			constDecrypter.Initialize();
			int32ValueInliner = new Int32ValueInliner();
			int64ValueInliner = new Int64ValueInliner();
			singleValueInliner = new SingleValueInliner();
			doubleValueInliner = new DoubleValueInliner();
			foreach (var info in constDecrypter.DecrypterInfos) {
				staticStringInliner.Add(info.decryptMethod, (method, gim, args) => constDecrypter.DecryptString(staticStringInliner.Method, method, args));
				int32ValueInliner.Add(info.decryptMethod, (method, gim, args) => constDecrypter.DecryptInt32(int32ValueInliner.Method, method, args));
				int64ValueInliner.Add(info.decryptMethod, (method, gim, args) => constDecrypter.DecryptInt64(int64ValueInliner.Method, method, args));
				singleValueInliner.Add(info.decryptMethod, (method, gim, args) => constDecrypter.DecryptSingle(singleValueInliner.Method, method, args));
				doubleValueInliner.Add(info.decryptMethod, (method, gim, args) => constDecrypter.DecryptDouble(doubleValueInliner.Method, method, args));
			}
			int32ValueInliner.RemoveUnbox = true;
			int64ValueInliner.RemoveUnbox = true;
			singleValueInliner.RemoveUnbox = true;
			doubleValueInliner.RemoveUnbox = true;
			DeobfuscatedFile.StringDecryptersAdded();
			AddFieldsToBeRemoved(constDecrypter.Fields, "Constants decrypter field");
			var moduleType = DotNetUtils.GetModuleType(module);
			foreach (var info in constDecrypter.DecrypterInfos) {
				if (info.decryptMethod.DeclaringType == moduleType)
					AddMethodToBeRemoved(info.decryptMethod, "Constants decrypter method");
				else
					AddTypeToBeRemoved(info.decryptMethod.DeclaringType, "Constants decrypter type");
			}
			AddMethodToBeRemoved(constDecrypter.NativeMethod, "Constants decrypter native method");
			AddResourceToBeRemoved(constDecrypter.Resource, "Encrypted constants");
		}
Ejemplo n.º 9
0
		void InitializeConstantsDecrypterV18() {
			if (hasInitializedConstantsDecrypter || (constantsDecrypterV18 == null || !constantsDecrypterV18.Detected))
				return;
			hasInitializedConstantsDecrypter = true;

			DecryptResources();
			constantsDecrypterV18.Initialize();
			int32ValueInliner = new Int32ValueInliner();
			int64ValueInliner = new Int64ValueInliner();
			singleValueInliner = new SingleValueInliner();
			doubleValueInliner = new DoubleValueInliner();
			foreach (var info in constantsDecrypterV18.Decrypters) {
				staticStringInliner.Add(info.method, (method, gim, args) => constantsDecrypterV18.DecryptString(method, gim, (uint)args[0], (ulong)args[1]));
				int32ValueInliner.Add(info.method, (method, gim, args) => constantsDecrypterV18.DecryptInt32(method, gim, (uint)args[0], (ulong)args[1]));
				int64ValueInliner.Add(info.method, (method, gim, args) => constantsDecrypterV18.DecryptInt64(method, gim, (uint)args[0], (ulong)args[1]));
				singleValueInliner.Add(info.method, (method, gim, args) => constantsDecrypterV18.DecryptSingle(method, gim, (uint)args[0], (ulong)args[1]));
				doubleValueInliner.Add(info.method, (method, gim, args) => constantsDecrypterV18.DecryptDouble(method, gim, (uint)args[0], (ulong)args[1]));
			}
			DeobfuscatedFile.StringDecryptersAdded();
			AddTypesToBeRemoved(constantsDecrypterV18.Types, "Constants decrypter type");
			AddFieldsToBeRemoved(constantsDecrypterV18.Fields, "Constants decrypter field");
			AddMethodToBeRemoved(constantsDecrypterV18.NativeMethod, "Constants decrypter native method");
			AddTypeToBeRemoved(constantsDecrypterV18.LzmaType, "LZMA type");
			AddResourceToBeRemoved(constantsDecrypterV18.Resource, "Encrypted constants");
		}