public void FindDelegateCreator(ModuleDefMD module)
        {
            var callCounter = new CallCounter();

            foreach (var type in module.Types)
            {
                if (type.Namespace != "" || !DotNetUtils.DerivesFromDelegate(type))
                {
                    continue;
                }
                var cctor = type.FindStaticConstructor();
                if (cctor == null)
                {
                    continue;
                }
                foreach (var method in DotNetUtils.GetMethodCalls(cctor))
                {
                    callCounter.Add(method);
                }
            }

            var mostCalls = callCounter.Most();

            if (mostCalls == null)
            {
                return;
            }

            SetDelegateCreatorMethod(DotNetUtils.GetMethod(module, mostCalls));
        }
Example #2
0
        /// <summary>
        /// Search for and return all called methods.
        /// </summary>
        /// <param name="method">Method to search</param>
        /// <returns>Called methods</returns>
        public static IEnumerable <IMethod> Calls(this MethodDef method)
        {
            if (method == null)
            {
                throw new ArgumentNullException();
            }

            return(DotNetUtils.GetMethodCalls(method));
        }
Example #3
0
        void FindStringDecrypterMethods(TypeDef type, ISimpleDeobfuscator simpleDeobfuscator)
        {
            foreach (var method in DotNetUtils.FindMethods(type.Methods, "System.String", new string[] { "System.String", "System.Int32" }))
            {
                if (method.Body.HasExceptionHandlers)
                {
                    continue;
                }

                if (DotNetUtils.GetMethodCalls(method, "System.Char[] System.String::ToCharArray()") != 1)
                {
                    continue;
                }
                if (DotNetUtils.GetMethodCalls(method, "System.String System.String::Intern(System.String)") != 1)
                {
                    continue;
                }

                simpleDeobfuscator.Deobfuscate(method);
                var instrs = method.Body.Instructions;
                for (int i = 0; i < instrs.Count - 3; i++)
                {
                    var ldarg = instrs[i];
                    if (!ldarg.IsLdarg() || ldarg.GetParameterIndex() != 0)
                    {
                        continue;
                    }
                    var callvirt = instrs[i + 1];
                    if (callvirt.OpCode.Code != Code.Callvirt)
                    {
                        continue;
                    }
                    var calledMethod = callvirt.Operand as MemberRef;
                    if (calledMethod == null || calledMethod.FullName != "System.Char[] System.String::ToCharArray()")
                    {
                        continue;
                    }
                    var stloc = instrs[i + 2];
                    if (!stloc.IsStloc())
                    {
                        continue;
                    }
                    var ldci4 = instrs[i + 3];
                    if (!ldci4.IsLdcI4())
                    {
                        continue;
                    }

                    var info = new StringDecrypterInfo(method, ldci4.GetLdcI4Value());
                    stringDecrypterMethods.Add(info.method, info);
                    Logger.v("Found string decrypter method: {0}, magic: 0x{1:X8}", Utils.RemoveNewlines(info.method), info.magic);
                    break;
                }
            }
        }
Example #4
0
 bool CallsGetPublicKeyToken(MethodDef method)
 {
     foreach (var calledMethod in DotNetUtils.GetMethodCalls(method))
     {
         if (calledMethod.ToString() == "System.Byte[] System.Reflection.AssemblyName::GetPublicKeyToken()")
         {
             return(true);
         }
     }
     return(false);
 }
Example #5
0
        // Find the string decrypter xor value or null if none found
        int?FindXorValue(MethodDef method, bool hasNested, ISimpleDeobfuscator simpleDeobfuscator)
        {
            if (hasNested)
            {
                var calls = DotNetUtils.GetMethodCalls(method);
                foreach (var call in calls)
                {
                    if (DotNetUtils.IsMethod(method, "System.String", "(System.Int32)"))
                    {
                        method = call as MethodDef;
                        break;
                    }
                }
            }

            simpleDeobfuscator.Deobfuscate(method);

            if (method == null || method.Body == null)
            {
                return(null);
            }
            var instructions = method.Body.Instructions;

            for (int i = 0; i < instructions.Count; i++)
            {
                var ldci4 = instructions[i];
                if (ldci4.OpCode != OpCodes.Ldc_I4)
                {
                    continue;
                }
                var xor = instructions[i + 1];
                if (xor.OpCode != OpCodes.Xor)
                {
                    continue;
                }

                return(ldci4.GetLdcI4Value());
            }

            return(null);
        }