Ejemplo n.º 1
        /// <summary>
        /// Creates a new <see cref="Deobfuscator"/> for <paramref name="module"/>, copies this
        /// instance's state (assembly info, decrypt flags, module bytes, embedded assembly infos)
        /// onto it and re-runs method-decrypter detection against the module.
        /// </summary>
        /// <param name="module">Module the new deobfuscator is bound to.</param>
        /// <returns>
        /// The new deobfuscator. When one of the method decrypters reports a detection the
        /// instance is returned before <c>InitializeTheRest</c> has been called on it.
        /// </returns>
        public override IDeobfuscator ModuleReloaded(ModuleDefMD module)
        {
            // When the module already carries its own assembly, the saved assembly info is dropped.
            if (module.Assembly != null)
            {
                realAssemblyInfo = null;
            }

            var savedInfo = realAssemblyInfo;
            if (savedInfo != null)
            {
                savedInfo.realAssembly.Modules.Insert(0, module);
                if (savedInfo.entryPointToken != 0)
                {
                    // NOTE(review): the token is taken from the saved info as-is. If it resolves
                    // to anything other than a MethodDef, `as` silently yields null here.
                    var resolved = module.ResolveToken((int)savedInfo.entryPointToken);
                    module.EntryPoint = resolved as MethodDef;
                }
                module.Kind = savedInfo.kind;
                module.Name = new UTF8String(savedInfo.moduleName);
            }

            var reloaded = new Deobfuscator(options);

            // Statement order below is kept exactly as in the original hand-over sequence.
            DeobfuscatedFile.SetDeobfuscator(reloaded);
            reloaded.realAssemblyInfo = realAssemblyInfo;
            reloaded.decryptState     = decryptState;
            reloaded.DeobfuscatedFile = DeobfuscatedFile;
            reloaded.ModuleBytes      = ModuleBytes;
            reloaded.embeddedAssemblyInfos.AddRange(embeddedAssemblyInfos);
            reloaded.SetModule(module);
            reloaded.RemoveObfuscatorAttribute();

            // After an unpack the decrypter starts fresh; otherwise the previous one is passed along.
            if (hasUnpacked)
            {
                reloaded.jitMethodsDecrypter = new JitMethodsDecrypter(module, DeobfuscatedFile);
            }
            else
            {
                reloaded.jitMethodsDecrypter = new JitMethodsDecrypter(module, DeobfuscatedFile, jitMethodsDecrypter);
            }

            if ((reloaded.decryptState & DecryptState.CanDecryptMethods) != 0)
            {
                try
                {
                    reloaded.jitMethodsDecrypter.Find();
                }
                catch
                {
                    // Every exception from Find() is discarded; only Detected decides what happens next.
                    // NOTE(review): the module being analysed is untrusted input, so a swallowed
                    // failure here is indistinguishable from "not detected" - consider recording it.
                }

                if (reloaded.jitMethodsDecrypter.Detected)
                {
                    return reloaded;
                }
            }

            if (hasUnpacked)
            {
                reloaded.memoryMethodsDecrypter = new MemoryMethodsDecrypter(module, DeobfuscatedFile);
            }
            else
            {
                reloaded.memoryMethodsDecrypter = new MemoryMethodsDecrypter(module, DeobfuscatedFile, memoryMethodsDecrypter);
            }

            if ((reloaded.decryptState & DecryptState.CanDecryptMethods) != 0)
            {
                // Unlike the JIT decrypter probe, an exception from this Find() propagates to the caller.
                reloaded.memoryMethodsDecrypter.Find();
                if (reloaded.memoryMethodsDecrypter.Detected)
                {
                    return reloaded;
                }
            }

            reloaded.InitializeTheRest(this);
            return reloaded;
        }
Ejemplo n.º 2
		/// <summary>
		/// Builds a replacement <see cref="Deobfuscator"/> for <paramref name="module"/> and
		/// transfers this instance's fields to it before probing for encrypted methods.
		/// </summary>
		/// <param name="module">Module the replacement deobfuscator will work on.</param>
		/// <returns>
		/// The replacement deobfuscator. It is returned early, without the
		/// <c>InitializeTheRest</c> call, as soon as a method decrypter reports <c>Detected</c>.
		/// </returns>
		public override IDeobfuscator ModuleReloaded(ModuleDefMD module) {
			// A module that already has an assembly discards the stored assembly info.
			if (module.Assembly != null)
				realAssemblyInfo = null;

			if (realAssemblyInfo != null) {
				var asmInfo = realAssemblyInfo;
				asmInfo.realAssembly.Modules.Insert(0, module);
				if (asmInfo.entryPointToken != 0) {
					// NOTE(review): nothing here validates the stored token; a token that does
					// not resolve to a MethodDef leaves EntryPoint set to null.
					module.EntryPoint = module.ResolveToken((int)asmInfo.entryPointToken) as MethodDef;
				}
				module.Kind = asmInfo.kind;
				module.Name = new UTF8String(asmInfo.moduleName);
			}

			var successor = new Deobfuscator(options);
			DeobfuscatedFile.SetDeobfuscator(successor);

			// State hand-over; the order of these statements matches the original.
			successor.realAssemblyInfo = realAssemblyInfo;
			successor.decryptState = decryptState;
			successor.DeobfuscatedFile = DeobfuscatedFile;
			successor.ModuleBytes = ModuleBytes;
			successor.embeddedAssemblyInfos.AddRange(embeddedAssemblyInfos);
			successor.SetModule(module);
			successor.RemoveObfuscatorAttribute();

			// The previous JIT decrypter is only passed on when no unpack has happened.
			successor.jitMethodsDecrypter = hasUnpacked
				? new JitMethodsDecrypter(module, DeobfuscatedFile)
				: new JitMethodsDecrypter(module, DeobfuscatedFile, jitMethodsDecrypter);
			if ((successor.decryptState & DecryptState.CanDecryptMethods) != 0) {
				try {
					successor.jitMethodsDecrypter.Find();
				}
				catch {
					// Best-effort probe: all exceptions are dropped and Detected alone is consulted.
					// NOTE(review): for untrusted, possibly malformed input this hides parse
					// failures - consider logging or narrowing the caught exception types.
				}
				if (successor.jitMethodsDecrypter.Detected) {
					return successor;
				}
			}

			// Same construction rule for the in-memory decrypter.
			successor.memoryMethodsDecrypter = hasUnpacked
				? new MemoryMethodsDecrypter(module, DeobfuscatedFile)
				: new MemoryMethodsDecrypter(module, DeobfuscatedFile, memoryMethodsDecrypter);
			if ((successor.decryptState & DecryptState.CanDecryptMethods) != 0) {
				// No try/catch here: a failure in this Find() reaches the caller.
				successor.memoryMethodsDecrypter.Find();
				if (successor.memoryMethodsDecrypter.Detected) {
					return successor;
				}
			}

			successor.InitializeTheRest(this);
			return successor;
		}
Ejemplo n.º 3
        /// <summary>
        /// Runs one step of the decrypt/unpack sequence driven by <c>decryptState</c>: first
        /// method decryption (JIT decrypter, else memory decrypter), otherwise unpacking of the
        /// main assembly.
        /// </summary>
        /// <param name="count">Not read by this implementation.</param>
        /// <param name="newFileData">Set to the new file bytes when the method returns true.</param>
        /// <param name="dumpedMethods">Passed by reference to the JIT methods decrypter.</param>
        /// <returns>
        /// True when <paramref name="newFileData"/> was replaced with decrypted or unpacked
        /// data; false when a decrypter failed or nothing was produced.
        /// </returns>
        public override bool GetDecryptedModule(int count, ref byte[] newFileData, ref DumpedMethods dumpedMethods)
        {
            hasUnpacked = false;
            byte[] fileData = GetFileData();

            using (var peImage = new MyPEImage(fileData))
            {
                if ((decryptState & DecryptState.CanDecryptMethods) != 0)
                {
                    // The memory decrypter is only considered when the JIT decrypter is not detected.
                    bool useJit = jitMethodsDecrypter != null && jitMethodsDecrypter.Detected;
                    bool useMemory = !useJit && memoryMethodsDecrypter != null && memoryMethodsDecrypter.Detected;

                    if (useJit)
                    {
                        jitMethodsDecrypter.Initialize();
                        if (!jitMethodsDecrypter.Decrypt(peImage, fileData, ref dumpedMethods))
                        {
                            return false;
                        }
                    }
                    else if (useMemory)
                    {
                        memoryMethodsDecrypter.Initialize();
                        if (!memoryMethodsDecrypter.Decrypt(peImage, fileData))
                        {
                            return false;
                        }
                    }

                    if (useJit || useMemory)
                    {
                        // Methods are done; the next call may attempt an unpack.
                        decryptState &= ~DecryptState.CanDecryptMethods;
                        decryptState |= DecryptState.CanUnpack;
                        // presumably Decrypt patched fileData in place, since the same buffer
                        // is handed back to the caller - confirm against the decrypters
                        newFileData = fileData;
                        ModuleBytes = newFileData;
                        return true;
                    }
                }
            }

            bool unpackerUsable = (decryptState & DecryptState.CanUnpack) != 0
                                  && unpacker != null
                                  && unpacker.Detected;
            if (!unpackerUsable)
            {
                return false;
            }

            if (options.DecryptMainAsm)
            {
                // Both flags are set again so the unpacked main assembly gets its own pass.
                decryptState |= DecryptState.CanDecryptMethods | DecryptState.CanUnpack;
                // NOTE(review): the unpack result is dereferenced without a null check.
                var unpacked = unpacker.UnpackMainAssembly(true);
                newFileData      = unpacked.data;
                realAssemblyInfo = unpacked.realAssemblyInfo;
                embeddedAssemblyInfos.AddRange(unpacker.GetEmbeddedAssemblyInfos());
                ModuleBytes = newFileData;
                hasUnpacked = true;
                return true;
            }

            // Main assembly is kept aside rather than swapped in; no new file data is returned.
            decryptState &= ~DecryptState.CanUnpack;
            mainAsmInfo = unpacker.UnpackMainAssembly(false);
            embeddedAssemblyInfos.AddRange(unpacker.GetEmbeddedAssemblyInfos());
            return false;
        }
Ejemplo n.º 4
		/// <summary>
		/// Performs the next decrypt or unpack step allowed by <c>decryptState</c> and reports
		/// whether new file bytes were produced.
		/// </summary>
		/// <param name="count">Unused in this method body.</param>
		/// <param name="newFileData">Receives the decrypted or unpacked bytes on a true return.</param>
		/// <param name="dumpedMethods">Forwarded by reference to the JIT methods decrypter.</param>
		/// <returns>True if <paramref name="newFileData"/> was assigned; otherwise false.</returns>
		public override bool GetDecryptedModule(int count, ref byte[] newFileData, ref DumpedMethods dumpedMethods) {
			hasUnpacked = false;
			byte[] fileData = GetFileData();

			using (var image = new MyPEImage(fileData)) {
				if ((decryptState & DecryptState.CanDecryptMethods) != 0) {
					bool methodsDecrypted;
					if (jitMethodsDecrypter != null && jitMethodsDecrypter.Detected) {
						jitMethodsDecrypter.Initialize();
						if (!jitMethodsDecrypter.Decrypt(image, fileData, ref dumpedMethods)) {
							return false;
						}
						methodsDecrypted = true;
					}
					else if (memoryMethodsDecrypter != null && memoryMethodsDecrypter.Detected) {
						memoryMethodsDecrypter.Initialize();
						if (!memoryMethodsDecrypter.Decrypt(image, fileData)) {
							return false;
						}
						methodsDecrypted = true;
					}
					else {
						// Neither decrypter detected anything; fall through to the unpack stage.
						methodsDecrypted = false;
					}

					if (methodsDecrypted) {
						// Swap the method-decryption flag for the unpack flag.
						decryptState &= ~DecryptState.CanDecryptMethods;
						decryptState |= DecryptState.CanUnpack;
						// presumably fileData was modified in place by Decrypt - TODO confirm
						newFileData = fileData;
						ModuleBytes = newFileData;
						return true;
					}
				}
			}

			// Unpacking needs the flag set and a detected unpacker.
			if ((decryptState & DecryptState.CanUnpack) == 0) {
				return false;
			}
			if (unpacker == null || !unpacker.Detected) {
				return false;
			}

			if (!options.DecryptMainAsm) {
				// The main assembly is only recorded in mainAsmInfo; the caller gets no new bytes.
				decryptState &= ~DecryptState.CanUnpack;
				mainAsmInfo = unpacker.UnpackMainAssembly(false);
				embeddedAssemblyInfos.AddRange(unpacker.GetEmbeddedAssemblyInfos());
				return false;
			}

			// Re-arm both stages so the unpacked assembly is processed on later calls.
			decryptState |= DecryptState.CanDecryptMethods | DecryptState.CanUnpack;
			// NOTE(review): UnpackMainAssembly's result is used without checking for null.
			var unpackedMain = unpacker.UnpackMainAssembly(true);
			newFileData = unpackedMain.data;
			realAssemblyInfo = unpackedMain.realAssemblyInfo;
			embeddedAssemblyInfos.AddRange(unpacker.GetEmbeddedAssemblyInfos());
			ModuleBytes = newFileData;
			hasUnpacked = true;
			return true;
		}