Example #1
0
        bool checkMemoryManagerType(TypeDefinition type, MethodDefinition method)
        {
            // Only two fields: itself and a long
            int fields = 0;

            foreach (var field in type.Fields)
            {
                if (MemberReferenceHelper.compareTypes(field.FieldType, type) ||
                    field.FieldType.FullName == "System.Int64")
                {
                    fields++;
                    continue;
                }
                if (DotNetUtils.derivesFromDelegate(DotNetUtils.getType(module, field.FieldType)))
                {
                    continue;
                }

                return(false);
            }
            if (fields != 2)
            {
                return(false);
            }

            if (DotNetUtils.getPInvokeMethod(type, "kernel32", "SetProcessWorkingSetSize") == null)
            {
                return(false);
            }

            return(true);
        }
Example #2
0
        public void findDelegateCreator(ModuleDefinition module)
        {
            var callCounter = new CallCounter();

            foreach (var type in module.Types)
            {
                if (type.Namespace != "" || !DotNetUtils.derivesFromDelegate(type))
                {
                    continue;
                }
                var cctor = DotNetUtils.getMethod(type, ".cctor");
                if (cctor == null)
                {
                    continue;
                }
                foreach (var method in DotNetUtils.getMethodCalls(cctor))
                {
                    callCounter.add(method);
                }
            }

            var mostCalls = callCounter.most();

            if (mostCalls == null)
            {
                return;
            }

            setDelegateCreatorMethod(DotNetUtils.getMethod(module, mostCalls));
        }
Example #3
0
        bool canRenameMethod(MethodDef methodDef)
        {
            var methodInfo = method(methodDef);

            if (methodDef.isStatic())
            {
                if (methodInfo.oldName == ".cctor")
                {
                    return(false);
                }
            }
            else if (methodDef.isVirtual())
            {
                if (DotNetUtils.derivesFromDelegate(type.TypeDefinition))
                {
                    switch (methodInfo.oldName)
                    {
                    case "BeginInvoke":
                    case "EndInvoke":
                    case "Invoke":
                        return(false);
                    }
                }
            }
            else
            {
                if (methodInfo.oldName == ".ctor")
                {
                    return(false);
                }
            }
            return(true);
        }
        // Finds the SmartAssembly.StringsEncoding.Strings class. This class decrypts the
        // strings in the resources. It gets called by the SmartAssembly.Delegates.GetString
        // delegate instances which were created by SmartAssembly.HouseOfCards.Strings.
        TypeDef findStringDecrypterClass(MethodDef stringsCreateDelegateMethod)
        {
            if (!stringsCreateDelegateMethod.HasBody)
            {
                return(null);
            }

            foreach (var ldtoken in stringsCreateDelegateMethod.Body.Instructions)
            {
                if (ldtoken.OpCode.Code != Code.Ldtoken)
                {
                    continue;
                }
                var typeToken = ldtoken.Operand as ITypeDefOrRef;
                if (typeToken == null)
                {
                    continue;
                }
                var type = getType(typeToken);
                if (type == null || DotNetUtils.derivesFromDelegate(type))
                {
                    continue;
                }
                if (!couldBeStringDecrypterClass(type))
                {
                    continue;
                }

                return(type);
            }

            return(null);
        }
        // Finds the SmartAssembly.Delegates.GetString delegate
        TypeDef findGetStringDelegate(MethodDef stringsCreateDelegateMethod)
        {
            if (!stringsCreateDelegateMethod.HasBody)
            {
                return(null);
            }

            foreach (var ldtoken in stringsCreateDelegateMethod.Body.Instructions)
            {
                if (ldtoken.OpCode.Code != Code.Ldtoken)
                {
                    continue;
                }
                var typeToken = ldtoken.Operand as ITypeDefOrRef;
                if (typeToken == null)
                {
                    continue;
                }
                var delegateType = getType(typeToken);
                if (!DotNetUtils.derivesFromDelegate(delegateType))
                {
                    continue;
                }
                var invoke = delegateType.FindMethod("Invoke");
                if (invoke == null || !DotNetUtils.isMethod(invoke, "System.String", "(System.Int32)"))
                {
                    continue;
                }

                return(delegateType);
            }

            return(null);
        }
Example #6
0
 static TypeReference getCommonBaseClass(ModuleDefinition module, TypeReference a, TypeReference b)
 {
     if (DotNetUtils.isDelegate(a) && DotNetUtils.derivesFromDelegate(DotNetUtils.getType(module, b)))
     {
         return(b);
     }
     if (DotNetUtils.isDelegate(b) && DotNetUtils.derivesFromDelegate(DotNetUtils.getType(module, a)))
     {
         return(a);
     }
     return(null);               //TODO:
 }
Example #7
0
 static TypeSig getCommonBaseClass(ModuleDef module, TypeSig a, TypeSig b)
 {
     if (DotNetUtils.isDelegate(a) && DotNetUtils.derivesFromDelegate(module.Find(b.ToTypeDefOrRef())))
     {
         return(b);
     }
     if (DotNetUtils.isDelegate(b) && DotNetUtils.derivesFromDelegate(module.Find(a.ToTypeDefOrRef())))
     {
         return(a);
     }
     return(null);               //TODO:
 }
Example #8
0
        public override void deobfuscateBegin()
        {
            base.deobfuscateBegin();

            cliSecureRtType.findStringDecrypterMethod();
            stringDecrypter.Method = cliSecureRtType.StringDecrypterMethod;

            addAttributesToBeRemoved(cliSecureAttributes, "Obfuscator attribute");

            if (options.DecryptResources)
            {
                decryptResources(resourceDecrypter);
                addCctorInitCallToBeRemoved(resourceDecrypter.RsrcRrrMethod);
            }

            stackFrameHelper = new StackFrameHelper(module);
            stackFrameHelper.find();

            foreach (var type in module.Types)
            {
                if (type.FullName == "InitializeDelegate" && DotNetUtils.derivesFromDelegate(type))
                {
                    this.addTypeToBeRemoved(type, "Obfuscator type");
                }
            }

            proxyCallFixer.find();

            staticStringInliner.add(stringDecrypter.Method, (method, gim, args) => stringDecrypter.decrypt((string)args[0]));
            DeobfuscatedFile.stringDecryptersAdded();

            if (options.DecryptMethods)
            {
                addCctorInitCallToBeRemoved(cliSecureRtType.InitializeMethod);
                addCctorInitCallToBeRemoved(cliSecureRtType.PostInitializeMethod);
                findPossibleNamesToRemove(cliSecureRtType.LoadMethod);
            }

            if (options.RestoreVmCode)
            {
                if (csvm.restore())
                {
                    addResourceToBeRemoved(csvm.Resource, "CSVM data resource");
                }
                else
                {
                    Logger.e("Couldn't restore VM methods. Use --dont-rename or it will not run");
                    preserveTokensAndTypes();
                }
            }
        }
Example #9
0
        bool checkDelegateType(TypeDefinition type)
        {
            if (!DotNetUtils.derivesFromDelegate(type))
            {
                return(false);
            }
            var invoke = DotNetUtils.getMethod(type, "Invoke");

            if (invoke == null)
            {
                return(false);
            }
            return(checkDelegateInvokeMethod(invoke));
        }
Example #10
0
        bool checkDelegateType(TypeDef type)
        {
            if (!DotNetUtils.derivesFromDelegate(type))
            {
                return(false);
            }
            var invoke = type.FindMethod("Invoke");

            if (invoke == null)
            {
                return(false);
            }
            return(checkDelegateInvokeMethod(invoke));
        }
Example #11
0
        public override void deobfuscateBegin()
        {
            base.deobfuscateBegin();

            addAttributeToBeRemoved(cliSecureAttribute, "Obfuscator attribute");

            if (options.DecryptResources)
            {
                var resourceDecrypter = new ResourceDecrypter(module);
                resourceDecrypter.find();
                decryptResources(resourceDecrypter);
                addCctorInitCallToBeRemoved(resourceDecrypter.RsrcRrrMethod);
            }

            stackFrameHelper = new StackFrameHelper(module);
            stackFrameHelper.find();

            foreach (var type in module.Types)
            {
                if (type.FullName == "InitializeDelegate" && DotNetUtils.derivesFromDelegate(type))
                {
                    this.addTypeToBeRemoved(type, "Obfuscator type");
                }
            }

            proxyDelegateFinder.find();

            staticStringInliner.add(stringDecrypter.Method, (method, args) => stringDecrypter.decrypt((string)args[0]));
            DeobfuscatedFile.stringDecryptersAdded();

            if (options.DecryptMethods)
            {
                addCctorInitCallToBeRemoved(cliSecureRtType.InitializeMethod);
                addCctorInitCallToBeRemoved(cliSecureRtType.PostInitializeMethod);
                findPossibleNamesToRemove(cliSecureRtType.LoadMethod);
            }

            if (options.RestoreVmCode)
            {
                csvm.restore();
                addAssemblyReferenceToBeRemoved(csvm.VmAssemblyReference, "CSVM assembly reference");
                addResourceToBeRemoved(csvm.Resource, "CSVM data resource");
            }
        }
        protected override bool checkResolverType(TypeDef type)
        {
            if (DotNetUtils.findFieldType(type, "System.Collections.Hashtable", true) != null)
            {
                return(true);
            }

            foreach (var field in type.Fields)
            {
                if (DotNetUtils.derivesFromDelegate(DotNetUtils.getType(module, field.FieldType)))
                {
                    continue;
                }
                if (field.IsLiteral && field.FieldType.ToString() == "System.String")
                {
                    continue;
                }
                return(false);
            }
            return(true);
        }
 public void read()
 {
     flags        = (MethodFlags)reader.ReadByte();
     delegateType = resolve <TypeDef>(readTypeToken());
     if (!DotNetUtils.derivesFromDelegate(delegateType))
     {
         throw new ApplicationException("Invalid delegate type");
     }
     if (HasLocals)
     {
         readLocals((int)reader.Read7BitEncodedUInt32());
     }
     if (HasInstructions)
     {
         ReadInstructions((int)reader.Read7BitEncodedUInt32());
     }
     if (HasExceptionHandlers)
     {
         readExceptionHandlers((int)reader.Read7BitEncodedUInt32());
     }
 }
Example #14
0
        bool checkMethod(MethodDef cctor)
        {
            if (cctor == null || cctor.Body == null)
            {
                return(false);
            }
            if (!new LocalTypes(cctor).exactly(ilpLocals))
            {
                return(false);
            }

            var type    = cctor.DeclaringType;
            var methods = getPinvokeMethods(type, "Protect");

            if (methods.Count == 0)
            {
                methods = getPinvokeMethods(type, "P0");
            }
            if (methods.Count != 2)
            {
                return(false);
            }
            if (type.Fields.Count != 1)
            {
                return(false);
            }

            var theField    = type.Fields[0];
            var theDelegate = theField.FieldType.TryGetTypeDef();

            if (theDelegate == null || !DotNetUtils.derivesFromDelegate(theDelegate))
            {
                return(false);
            }

            protectMethods       = methods;
            invokerDelegate      = theDelegate;
            invokerInstanceField = theField;
            return(true);
        }