static DecryptType getDecryptType(MethodDef method) { if (DeobUtils.hasInteger(method, 0xFFF0)) { return(DecryptType.Type2); } if (DeobUtils.hasInteger(method, 0xFFC0)) { return(DecryptType.Type3); } return(DecryptType.Type1); // trial }
IDecrypter createDecrypter(byte[] encryptedData) { if (decryptMethod != null && DeobUtils.hasInteger(decryptMethod, 6)) { return(new Decrypter3(module, decryptMethod)); } if (isV30(encryptedData)) { return(new Decrypter1(module)); } return(new Decrypter2(module)); }
Version detectVersion() { var ep = module.EntryPoint; if (ep == null || ep.Body == null) { return(Version.Unknown); } var type = ep.DeclaringType; if (type == null) { return(Version.Unknown); } if (!new FieldTypes(type).exactly(requiredFields)) { return(Version.Unknown); } if (module.Types.Count != 2) { return(Version.Unknown); } if (module.Types[1] != type) { return(Version.Unknown); } if (module.Types[0].Methods.Count != 0) { return(Version.Unknown); } if (checkMethods(type, methods_v0x)) { return(Version.V0x); } if (checkMethods(type, methods_v1x)) { var lfMethod = DotNetUtils.getMethod(type, "System.Boolean", "(System.String,System.Byte[]&)"); if (lfMethod != null) { if (DeobUtils.hasInteger(lfMethod, (int)Machine.AMD64)) { return(Version.V218); } return(Version.V1x_217); } } return(Version.Unknown); }
bool checkMethodV2(MethodDef method) { if (!DeobUtils.hasInteger(method, ' ')) { return(false); } foreach (var calledMethodName in callsMethodsV2) { if (!DotNetUtils.callsMethod(method, calledMethodName)) { return(false); } } decrypter = new DecrypterV2(); return(true); }
static bool isOldStringDecrypterMethod(MethodDefinition method) { if (method == null || method.Body == null || !method.IsStatic) { return(false); } if (!DotNetUtils.isMethod(method, "System.String", "(System.String)")) { return(false); } if (!DeobUtils.hasInteger(method, 0xFF)) { return(false); } return(true); }
bool createAssemblyInfos() { int numElements = DeobUtils.hasInteger(handlerMethod, 3) ? 3 : 2; foreach (var s in DotNetUtils.getCodeStrings(handlerMethod)) { var infos = createAssemblyInfos(s, numElements); if (infos == null) { continue; } assemblyInfos = infos; return(true); } return(false); }
bool initializeInfos(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) { if (handlerMethod == null) return true; foreach (var method in resolverType.Methods) { if (!method.IsStatic || method.Body == null) continue; if (!DotNetUtils.isMethod(method, "System.Void", "()")) continue; if (!DeobUtils.hasInteger(method, ':') || !DeobUtils.hasInteger(method, '|')) continue; simpleDeobfuscator.deobfuscate(method); simpleDeobfuscator.decryptStrings(method, deob); if (!initializeInfos(method)) continue; return true; } return false; }
MethodDefinition getDecryptMethod() { foreach (var method in resolverType.Methods) { if (!method.IsStatic || method.Body == null) { continue; } if (!DotNetUtils.isMethod(method, "System.Byte[]", "(System.Byte[])")) { continue; } if (!DeobUtils.hasInteger(method, 32) || !DeobUtils.hasInteger(method, 121)) { continue; } return(method); } throw new ApplicationException("Could not find decrypt method"); }
MethodDefinition getProxyCreateMethod(TypeDefinition type) { if (DotNetUtils.findFieldType(type, "System.ModuleHandle", true) == null) { return(null); } if (type.Fields.Count < 1 || type.Fields.Count > 10) { return(null); } MethodDefinition createMethod = null; foreach (var m in type.Methods) { if (m.Name == ".ctor" || m.Name == ".cctor") { continue; } if (createMethod == null && DotNetUtils.isMethod(m, "System.Void", "(System.Int32,System.Int32,System.Int32)")) { createMethod = m; continue; } continue; } if (createMethod == null || !createMethod.HasBody) { return(null); } if (!DeobUtils.hasInteger(createMethod, 0xFFFFFF)) { return(null); } return(createMethod); }
public bool initialize() { if (!findMagic(Method, out arg1, out arg2, out magic)) { return(false); } fields = getFields(Method); if (fields == null) { return(false); } arrayInfo = getArrayInfo(cctor); if (arrayInfo == null) { return(false); } if (arrayInfo.initField.InitialValue.Length % 2 == 1) { return(false); } encryptedData = new ushort[arrayInfo.initField.InitialValue.Length / 2]; Buffer.BlockCopy(arrayInfo.initField.InitialValue, 0, encryptedData, 0, arrayInfo.initField.InitialValue.Length); isTrial = !DeobUtils.hasInteger(Method, 0xFFF0); keyShift = findKeyShift(cctor); key = findKey(); if (key == null || key.Length == 0) { return(false); } return(true); }
bool findConstants(ISimpleDeobfuscator simpleDeobfuscator) { simpleDeobfuscator.deobfuscate(stringMethod); stringMethodConsts = new EfConstantsReader(stringMethod); if (!findResource(stringMethod)) { return(false); } checkMinus2 = isV32OrLater || DeobUtils.hasInteger(stringMethod, -2); usePublicKeyToken = callsGetPublicKeyToken(stringMethod); var int64Method = findInt64Method(stringMethod); if (int64Method != null) { decrypterType.Type = int64Method.DeclaringType; } if (!findShorts()) { return(false); } if (!findInt3()) { return(false); } if (!findInt4()) { return(false); } if (checkMinus2 && !findInt5()) { return(false); } dataDecrypterType = findDataDecrypterType(stringMethod); if (dataDecrypterType == null) { return(false); } if (isV32OrLater) { bool initializedAll; if (!findInts(out initializedAll)) { return(false); } var cctor = DotNetUtils.getMethod(stringType, ".cctor"); if (!initializedAll && cctor != null) { simpleDeobfuscator.deobfuscate(cctor); if (!findIntsCctor(cctor)) { return(false); } } if (decrypterType.Detected && !decrypterType.initialize()) { return(false); } } initializeFlags(); initialize(); return(true); }
public string detect() { var decryptStringType = stringDecrypter.Type; var decryptStringMethod = stringDecrypter.Method; if (decryptStringType == null || decryptStringMethod == null) { return(null); } var otherMethods = new List <MethodDefinition>(); MethodDefinition cctor = null; foreach (var method in decryptStringType.Methods) { if (method == decryptStringMethod) { continue; } if (method.Name == ".cctor") { cctor = method; } else { otherMethods.Add(method); } } if (cctor == null) { return(null); } bool hasConstantM2 = DeobUtils.hasInteger(decryptStringMethod, -2); var frameworkType = DotNetUtils.getFrameworkType(decryptStringType.Module); ///////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////// var fields11 = new string[] { "System.Collections.Generic.Dictionary`2<System.Int32,System.String>", "System.IO.BinaryReader", "System.Byte[]", "System.Int16", "System.Boolean", }; var locals11 = createLocalsArray( "System.Boolean", "System.Byte[]", "System.Char[]", "System.Int16", "System.Int32", "System.Reflection.Assembly", "System.String" ); if (otherMethods.Count == 0 && decryptStringType.NestedTypes.Count == 0 && !hasConstantM2 && !decryptStringMethod.NoInlining && decryptStringMethod.IsPublic && decryptStringMethod.IsSynchronized && decryptStringMethod.Body.MaxStackSize >= 35 && decryptStringMethod.Body.MaxStackSize <= 50 && decryptStringMethod.Body.ExceptionHandlers.Count == 0 && new LocalTypes(decryptStringMethod).exactly(locals11) && checkTypeFields(fields11)) { return("1.1 - 1.2"); } ///////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////// var fields13 = new string[] { "System.Collections.Generic.Dictionary`2<System.Int32,System.String>", "System.IO.BinaryReader", "System.Byte[]", "System.Int16", "System.Boolean", "System.Byte[]", }; var locals13 = createLocalsArray( "System.Boolean", "System.Byte", "System.Byte[]", "System.Char[]", "System.Int16", "System.Int32", "System.Reflection.Assembly", "System.String" ); if (otherMethods.Count == 0 && decryptStringType.NestedTypes.Count == 0 && !hasConstantM2 && !decryptStringMethod.NoInlining && decryptStringMethod.IsPublic && decryptStringMethod.IsSynchronized && decryptStringMethod.Body.MaxStackSize >= 35 && decryptStringMethod.Body.MaxStackSize <= 50 && decryptStringMethod.Body.ExceptionHandlers.Count == 0 && new LocalTypes(decryptStringMethod).exactly(locals13) && checkTypeFields(fields13)) { return("1.3"); } ///////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////// var fields14 = new string[] { "System.Collections.Generic.Dictionary`2<System.Int32,System.String>", "System.IO.BinaryReader", "System.Byte[]", "System.Int16", "System.Boolean", "System.Byte[]", }; var locals14 = createLocalsArray( "System.Boolean", "System.Byte", "System.Byte[]", "System.Char[]", "System.Int16", "System.Int32", "System.Reflection.Assembly", "System.String" ); if (otherMethods.Count == 0 && decryptStringType.NestedTypes.Count == 0 && !hasConstantM2 && !decryptStringMethod.NoInlining && decryptStringMethod.IsPublic && decryptStringMethod.IsSynchronized && decryptStringMethod.Body.MaxStackSize >= 150 && decryptStringMethod.Body.MaxStackSize <= 200 && decryptStringMethod.Body.ExceptionHandlers.Count == 0 && new LocalTypes(decryptStringMethod).exactly(locals14) && checkTypeFields(fields14)) { return("1.4 - 2.3"); } ///////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////// var fields24 = new string[] { "System.Collections.Generic.Dictionary`2<System.Int32,System.String>", "System.IO.BinaryReader", "System.Byte[]", "System.Int16", "System.Boolean", "System.Byte[]", }; var locals24 = createLocalsArray( "System.Boolean", "System.Byte", "System.Byte[]", "System.Char[]", "System.Int16", "System.Int32", "System.Reflection.Assembly", "System.Reflection.AssemblyName", "System.String" ); if (otherMethods.Count == 0 && decryptStringType.NestedTypes.Count == 0 && !hasConstantM2 && !decryptStringMethod.NoInlining && decryptStringMethod.IsPublic && decryptStringMethod.IsSynchronized && decryptStringMethod.Body.MaxStackSize >= 1 && decryptStringMethod.Body.MaxStackSize <= 8 && decryptStringMethod.Body.ExceptionHandlers.Count == 0 && new LocalTypes(decryptStringMethod).exactly(locals24) && checkTypeFields(fields24)) { return("2.4 - 2.5"); } ///////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////// var fields26 = new string[] { "System.Collections.Generic.Dictionary`2<System.Int32,System.String>", "System.IO.BinaryReader", "System.Byte[]", "System.Int16", "System.Boolean", "System.Byte[]", }; var locals26 = createLocalsArray( "System.Boolean", "System.Byte", "System.Byte[]", "System.Char[]", "System.Collections.Generic.Dictionary`2<System.Int32,System.String>", "System.Int16", "System.Int32", "System.Reflection.Assembly", "System.Reflection.AssemblyName", "System.String" ); if (otherMethods.Count == 0 && decryptStringType.NestedTypes.Count == 0 && !hasConstantM2 && !decryptStringMethod.NoInlining && decryptStringMethod.IsPublic && !decryptStringMethod.IsSynchronized && decryptStringMethod.Body.MaxStackSize >= 1 && decryptStringMethod.Body.MaxStackSize <= 8 && decryptStringMethod.Body.ExceptionHandlers.Count == 1 && new LocalTypes(decryptStringMethod).exactly(locals26) && checkTypeFields(fields26)) { return("2.6"); } ///////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////// var fields27 = new string[] { "System.Collections.Generic.Dictionary`2<System.Int32,System.String>", "System.IO.BinaryReader", "System.Byte[]", "System.Int16", "System.Boolean", "System.Byte[]", }; var locals27 = createLocalsArray( "System.Boolean", "System.Byte", "System.Byte[]", "System.Char[]", "System.Collections.Generic.Dictionary`2<System.Int32,System.String>", "System.Int16", "System.Int32", "System.Reflection.Assembly", "System.Reflection.AssemblyName", "System.String" ); if (otherMethods.Count == 0 && decryptStringType.NestedTypes.Count == 0 && !hasConstantM2 && decryptStringMethod.NoInlining && decryptStringMethod.IsPublic && !decryptStringMethod.IsSynchronized && decryptStringMethod.Body.MaxStackSize >= 1 && decryptStringMethod.Body.MaxStackSize <= 8 && decryptStringMethod.Body.ExceptionHandlers.Count == 1 && new LocalTypes(decryptStringMethod).exactly(locals27) && checkTypeFields(fields27)) { return("2.7"); } ///////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////// var fields28 = new string[] { "System.Collections.Generic.Dictionary`2<System.Int32,System.String>", "System.IO.BinaryReader", "System.Byte[]", "System.Int16", "System.Boolean", "System.Byte[]", "System.Boolean", }; var locals28 = createLocalsArray( "System.Boolean", "System.Byte", "System.Byte[]", "System.Char[]", "System.Collections.Generic.Dictionary`2<System.Int32,System.String>", "System.Int16", "System.Int32", "System.Reflection.Assembly", "System.Reflection.AssemblyName", "System.String" ); if (otherMethods.Count == 0 && decryptStringType.NestedTypes.Count == 0 && !hasConstantM2 && decryptStringMethod.NoInlining && decryptStringMethod.IsAssembly && !decryptStringMethod.IsSynchronized && decryptStringMethod.Body.MaxStackSize >= 1 && decryptStringMethod.Body.MaxStackSize <= 8 && decryptStringMethod.Body.ExceptionHandlers.Count == 1 && new LocalTypes(decryptStringMethod).exactly(locals28) && checkTypeFields(fields28)) { return("2.8"); } ///////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////// var fields29 = new string[] { "System.Collections.Generic.Dictionary`2<System.Int32,System.String>", "System.IO.BinaryReader", "System.Byte[]", "System.Int16", "System.Int32", "System.Byte[]", }; var locals29 = createLocalsArray( "System.Boolean", "System.Byte", "System.Byte[]", "System.Char[]", "System.Collections.Generic.Dictionary`2<System.Int32,System.String>", "System.Diagnostics.StackFrame", "System.Diagnostics.StackTrace", "System.Int16", "System.Int32", "System.IO.Stream", "System.Reflection.Assembly", "System.Reflection.AssemblyName", "System.Reflection.MethodBase", "System.String", "System.Type" ); if (otherMethods.Count == 0 && decryptStringType.NestedTypes.Count == 0 && !hasConstantM2 && decryptStringMethod.NoInlining && decryptStringMethod.IsAssembly && !decryptStringMethod.IsSynchronized && decryptStringMethod.Body.MaxStackSize >= 1 && decryptStringMethod.Body.MaxStackSize <= 8 && (decryptStringMethod.Body.ExceptionHandlers.Count == 1 || decryptStringMethod.Body.ExceptionHandlers.Count == 2) && new LocalTypes(decryptStringMethod).exactly(locals29) && checkTypeFields(fields29)) { return("2.9"); } ///////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////// var fields30 = new string[] { "System.Collections.Generic.Dictionary`2<System.Int32,System.String>", "System.IO.BinaryReader", "System.Byte[]", "System.Int16", "System.Int32", "System.Byte[]", }; var locals30 = createLocalsArray( "System.Boolean", "System.Byte", "System.Byte[]", "System.Char[]", "System.Collections.Generic.Dictionary`2<System.Int32,System.String>", "System.Diagnostics.StackFrame", "System.Diagnostics.StackTrace", "System.Int16", "System.Int32", "System.IO.Stream", "System.Reflection.Assembly", "System.Reflection.AssemblyName", "System.Reflection.MethodBase", "System.String", "System.Type" ); var olocals30 = createLocalsArray( "System.Int32" ); if (otherMethods.Count == 1 && decryptStringType.NestedTypes.Count == 0 && DotNetUtils.isMethod(otherMethods[0], "System.Int32", "(System.Byte[],System.Int32,System.Byte[])") && otherMethods[0].IsPrivate && otherMethods[0].IsStatic && new LocalTypes(otherMethods[0]).exactly(olocals30) && !hasConstantM2 && decryptStringMethod.NoInlining && decryptStringMethod.IsAssembly && !decryptStringMethod.IsSynchronized && decryptStringMethod.Body.MaxStackSize >= 1 && decryptStringMethod.Body.MaxStackSize <= 8 && (decryptStringMethod.Body.ExceptionHandlers.Count == 1 || decryptStringMethod.Body.ExceptionHandlers.Count == 2) && new LocalTypes(decryptStringMethod).exactly(locals30) && checkTypeFields(fields30)) { return("3.0"); } ///////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////// var fields31 = new string[] { "System.Collections.Generic.Dictionary`2<System.Int32,System.String>", "System.IO.BinaryReader", "System.Byte[]", "System.Int16", "System.Int32", "System.Byte[]", }; var locals31 = createLocalsArray( "System.Boolean", "System.Byte", "System.Byte[]", "System.Char[]", "System.Collections.Generic.Dictionary`2<System.Int32,System.String>", "System.Diagnostics.StackFrame", "System.Diagnostics.StackTrace", "System.Int16", "System.Int32", "System.IO.Stream", "System.Reflection.Assembly", "System.Reflection.AssemblyName", "System.Reflection.MethodBase", "System.String", "System.Type" ); var olocals31 = createLocalsArray( "System.Int32" ); if (otherMethods.Count == 1 && decryptStringType.NestedTypes.Count == 0 && DotNetUtils.isMethod(otherMethods[0], "System.Int32", "(System.Byte[],System.Int32,System.Byte[])") && otherMethods[0].IsPrivate && otherMethods[0].IsStatic && new LocalTypes(otherMethods[0]).exactly(olocals31) && hasConstantM2 && decryptStringMethod.NoInlining && decryptStringMethod.IsAssembly && !decryptStringMethod.IsSynchronized && decryptStringMethod.Body.MaxStackSize >= 1 && decryptStringMethod.Body.MaxStackSize <= 8 && (decryptStringMethod.Body.ExceptionHandlers.Count == 1 || decryptStringMethod.Body.ExceptionHandlers.Count == 2) && new LocalTypes(decryptStringMethod).exactly(locals31) && checkTypeFields(fields31)) { return("3.1"); } ///////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////// var fields32 = new string[] { "System.Collections.Generic.Dictionary`2<System.Int32,System.String>", "System.IO.BinaryReader", "System.Byte[]", "System.Int16", "System.Int32", "System.Byte[]", "System.Int32", }; var locals32 = createLocalsArray( "System.Boolean", "System.Byte", "System.Byte[]", "System.Char[]", "System.Collections.Generic.Dictionary`2<System.Int32,System.String>", "System.Diagnostics.StackFrame", "System.Diagnostics.StackTrace", "System.Int16", "System.Int32", "System.Int64", "System.IO.Stream", "System.Reflection.Assembly", "System.Reflection.AssemblyName", "System.Reflection.MethodBase", "System.String", "System.Type" ); var olocals32 = createLocalsArray( "System.Int32" ); if (otherMethods.Count == 1 && decryptStringType.NestedTypes.Count == 0 && DotNetUtils.isMethod(otherMethods[0], "System.Void", "(System.Byte[],System.Int32,System.Byte[])") && otherMethods[0].IsPrivate && otherMethods[0].IsStatic && new LocalTypes(otherMethods[0]).exactly(olocals32) && hasConstantM2 && decryptStringMethod.NoInlining && decryptStringMethod.IsAssembly && !decryptStringMethod.IsSynchronized && decryptStringMethod.Body.MaxStackSize >= 1 && decryptStringMethod.Body.MaxStackSize <= 8 && (decryptStringMethod.Body.ExceptionHandlers.Count == 1 || decryptStringMethod.Body.ExceptionHandlers.Count == 2) && new LocalTypes(decryptStringMethod).exactly(locals32) && checkTypeFields(fields32)) { return("3.2"); } ///////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////// if (decryptStringType.NestedTypes.Count == 1) { var fields33 = new string[] { "System.Collections.Generic.Dictionary`2<System.Int32,System.String>", "System.IO.BinaryReader", "System.Byte[]", "System.Int16", "System.Int32", "System.Byte[]", "System.Int32", "System.Int32", decryptStringType.NestedTypes[0].FullName, }; var locals33 = createLocalsArray( "System.Boolean", "System.Byte", "System.Byte[]", "System.Char[]", "System.Collections.Generic.Dictionary`2<System.Int32,System.String>", "System.Diagnostics.StackFrame", "System.Diagnostics.StackTrace", "System.Int16", "System.Int32", "System.Int64", "System.IO.Stream", "System.Reflection.Assembly", "System.Reflection.AssemblyName", "System.Reflection.MethodBase", "System.String", "System.Type" ); var olocals33 = createLocalsArray( "System.Int32" ); if (otherMethods.Count == 1 && decryptStringType.NestedTypes.Count == 1 && DotNetUtils.isMethod(otherMethods[0], "System.Void", "(System.Byte[],System.Int32,System.Byte[])") && otherMethods[0].IsPrivate && otherMethods[0].IsStatic && new LocalTypes(otherMethods[0]).exactly(olocals33) && hasConstantM2 && decryptStringMethod.NoInlining && decryptStringMethod.IsAssembly && !decryptStringMethod.IsSynchronized && decryptStringMethod.Body.MaxStackSize >= 1 && decryptStringMethod.Body.MaxStackSize <= 8 && (decryptStringMethod.Body.ExceptionHandlers.Count == 1 || decryptStringMethod.Body.ExceptionHandlers.Count == 2) && new LocalTypes(decryptStringMethod).exactly(locals33) && checkTypeFields(fields33)) { return("3.3.29 - 3.3.57 (BETA)"); } } ///////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////// if (decryptStringType.NestedTypes.Count == 3) { var fields33 = new string[] { getNestedTypeName(0), getNestedTypeName(1), "System.Byte[]", "System.Int16", "System.Int32", "System.Byte[]", "System.Int32", "System.Int32", getNestedTypeName(2), }; var locals33 = createLocalsArray( "System.Boolean", "System.Byte", "System.Byte[]", "System.Char[]", getNestedTypeName(0), "System.Diagnostics.StackFrame", "System.Diagnostics.StackTrace", "System.Int16", "System.Int32", "System.Int64", "System.IO.Stream", "System.Reflection.Assembly", "System.Reflection.AssemblyName", "System.Reflection.MethodBase", "System.String", "System.Type" ); var olocals33 = createLocalsArray( "System.Int32" ); if (otherMethods.Count == 1 && decryptStringType.NestedTypes.Count == 3 && DotNetUtils.isMethod(otherMethods[0], "System.Void", "(System.Byte[],System.Int32,System.Byte[])") && otherMethods[0].IsPrivate && otherMethods[0].IsStatic && new LocalTypes(otherMethods[0]).exactly(olocals33) && decryptStringMethod.NoInlining && decryptStringMethod.IsAssembly && !decryptStringMethod.IsSynchronized && decryptStringMethod.Body.MaxStackSize >= 1 && decryptStringMethod.Body.MaxStackSize <= 8 && (decryptStringMethod.Body.ExceptionHandlers.Count == 1 || decryptStringMethod.Body.ExceptionHandlers.Count == 2) && new LocalTypes(decryptStringMethod).exactly(locals33) && checkTypeFields(fields33)) { return("3.3"); } var fields33_149 = new string[] { getNestedTypeName(0), getNestedTypeName(1), "System.Byte[]", "System.Int16", "System.Int32", "System.Byte[]", "System.Int32", "System.Int32", getNestedTypeName(2), }; var locals33_149 = createLocalsArray( "System.Boolean", "System.Byte", "System.Byte[]", "System.Char[]", getNestedTypeName(0), "System.Diagnostics.StackFrame", "System.Diagnostics.StackTrace", "System.Int16", "System.Int32", "System.Int64", "System.IO.Stream", "System.Reflection.Assembly", "System.Reflection.AssemblyName", "System.Reflection.MethodBase", "System.String", "System.Text.StringBuilder", "System.Type" ); var olocals33_149 = createLocalsArray( "System.Int32" ); if (otherMethods.Count == 1 && decryptStringType.NestedTypes.Count == 3 && DotNetUtils.isMethod(otherMethods[0], "System.Void", "(System.Byte[],System.Int32,System.Byte[])") && otherMethods[0].IsPrivate && otherMethods[0].IsStatic && new LocalTypes(otherMethods[0]).exactly(olocals33_149) && decryptStringMethod.NoInlining && decryptStringMethod.IsAssembly && !decryptStringMethod.IsSynchronized && decryptStringMethod.Body.MaxStackSize >= 1 && decryptStringMethod.Body.MaxStackSize <= 8 && (decryptStringMethod.Body.ExceptionHandlers.Count == 1 || decryptStringMethod.Body.ExceptionHandlers.Count == 2) && new LocalTypes(decryptStringMethod).exactly(locals33_149) && checkTypeFields(fields33_149)) { return("3.3"); // 3.3.149 (but not SL or CF) } } return(null); }
public bool init(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator) { var cctor = stringsEncodingClass.FindStaticConstructor(); if (cctor != null) { simpleDeobfuscator.deobfuscate(cctor); } decrypterVersion = guessVersion(cctor); if (!findDecrypterMethod()) { throw new ApplicationException("Could not find string decrypter method"); } if (!findStringsResource(deob, simpleDeobfuscator, cctor)) { return(false); } if (decrypterVersion <= StringDecrypterVersion.V3) { MethodDef initMethod; if (decrypterVersion == StringDecrypterVersion.V3) { initMethod = cctor; } else if (decrypterVersion == StringDecrypterVersion.V2) { initMethod = stringDecrypterMethod; } else { initMethod = stringDecrypterMethod; } stringOffset = 0; if (decrypterVersion != StringDecrypterVersion.V1) { if (callsGetPublicKeyToken(initMethod)) { var pkt = PublicKeyBase.ToPublicKeyToken(module.Assembly.PublicKeyToken); if (!PublicKeyBase.IsNullOrEmpty2(pkt)) { for (int i = 0; i < pkt.Data.Length - 1; i += 2) { stringOffset ^= ((int)pkt.Data[i] << 8) + pkt.Data[i + 1]; } } } if (DeobUtils.hasInteger(initMethod, 0xFFFFFF) && DeobUtils.hasInteger(initMethod, 0xFFFF)) { stringOffset ^= ((stringDecrypterMethod.MDToken.ToInt32() & 0xFFFFFF) - 1) % 0xFFFF; } } } else { var offsetVal = findOffsetValue(cctor); if (offsetVal == null) { throw new ApplicationException("Could not find string offset"); } stringOffset = offsetVal.Value; decrypterVersion = StringDecrypterVersion.V4; } simpleZipTypeMethod = findSimpleZipTypeMethod(cctor) ?? findSimpleZipTypeMethod(stringDecrypterMethod); if (simpleZipTypeMethod != null) { resourceDecrypter = new ResourceDecrypter(new ResourceDecrypterInfo(module, simpleZipTypeMethod, simpleDeobfuscator)); } return(true); }
string detectVersion() { /* * Methods decrypter locals (not showing its own types): * 3.7.0.3: * "System.Byte[]" * "System.Int32" * "System.Int32[]" * "System.IntPtr" * "System.IO.BinaryReader" * "System.IO.MemoryStream" * "System.Object" * "System.Reflection.Assembly" * "System.Security.Cryptography.CryptoStream" * "System.Security.Cryptography.ICryptoTransform" * "System.Security.Cryptography.RijndaelManaged" * "System.String" * * 3.9.8.0: * - "System.Int32[]" + "System.Diagnostics.StackFrame" + + 4.0.0.0: (jitter) + - "System.Diagnostics.StackFrame" + - "System.Object" + "System.Boolean" + "System.Collections.IEnumerator" + "System.Delegate" + "System.Diagnostics.Process" + "System.Diagnostics.ProcessModule" + "System.Diagnostics.ProcessModuleCollection" + "System.IDisposable" + "System.Int64" + "System.UInt32" + "System.UInt64" + + 4.1.0.0: (jitter) + "System.Reflection.Assembly" + + 4.3.1.0: (jitter) + "System.Byte&" */ LocalTypes localTypes; int minVer = -1; foreach (var info in stringDecrypter.DecrypterInfos) { if (info.key == null) { continue; } localTypes = new LocalTypes(info.method); if (!localTypes.exists("System.IntPtr")) { return(DeobfuscatorInfo.THE_NAME + " <= 3.7"); } minVer = 3800; break; } if (methodsDecrypter.Method == null) { if (minVer >= 3800) { return(DeobfuscatorInfo.THE_NAME + " >= 3.8"); } return(DeobfuscatorInfo.THE_NAME); } localTypes = new LocalTypes(methodsDecrypter.Method); if (localTypes.exists("System.Int32[]")) { if (minVer >= 3800) { return(DeobfuscatorInfo.THE_NAME + " 3.8.4.1 - 3.9.0.1"); } return(DeobfuscatorInfo.THE_NAME + " <= 3.9.0.1"); } if (!localTypes.exists("System.Diagnostics.Process")) // If < 4.0 { if (localTypes.exists("System.Diagnostics.StackFrame")) { return(DeobfuscatorInfo.THE_NAME + " 3.9.8.0"); } } var compileMethod = MethodsDecrypter.findDnrCompileMethod(methodsDecrypter.Method.DeclaringType); if (compileMethod == null) { return(DeobfuscatorInfo.THE_NAME + " < 4.0"); } DeobfuscatedFile.deobfuscate(compileMethod); bool compileMethodHasConstant_0x70000000 = DeobUtils.hasInteger(compileMethod, 0x70000000); // 4.0-4.1 DeobfuscatedFile.deobfuscate(methodsDecrypter.Method); bool hasCorEnableProfilingString = findString(methodsDecrypter.Method, "Cor_Enable_Profiling"); // 4.1-4.4 if (compileMethodHasConstant_0x70000000) { if (hasCorEnableProfilingString) { return(DeobfuscatorInfo.THE_NAME + " 4.1"); } return(DeobfuscatorInfo.THE_NAME + " 4.0"); } if (!hasCorEnableProfilingString) { return(DeobfuscatorInfo.THE_NAME); } // 4.2-4.4 if (!localTypes.exists("System.Byte&")) { return(DeobfuscatorInfo.THE_NAME + " 4.2"); } localTypes = new LocalTypes(compileMethod); if (localTypes.exists("System.Object")) { return(DeobfuscatorInfo.THE_NAME + " 4.4"); } return(DeobfuscatorInfo.THE_NAME + " 4.3"); }