bool checkMemoryManagerType(TypeDefinition type, MethodDefinition method)
{
// Only two fields: itself and a long
int fields = 0;
foreach (var field in type.Fields)
{
if (MemberReferenceHelper.compareTypes(field.FieldType, type) ||
field.FieldType.FullName == "System.Int64")
{
fields++;
continue;
}
if (DotNetUtils.derivesFromDelegate(DotNetUtils.getType(module, field.FieldType)))
{
continue;
}
return(false);
}
if (fields != 2)
{
return(false);
}
if (DotNetUtils.getPInvokeMethod(type, "kernel32", "SetProcessWorkingSetSize") == null)
{
return(false);
}
return(true);
}
public void findDelegateCreator(ModuleDefinition module)
{
var callCounter = new CallCounter();
foreach (var type in module.Types)
{
if (type.Namespace != "" || !DotNetUtils.derivesFromDelegate(type))
{
continue;
}
var cctor = DotNetUtils.getMethod(type, ".cctor");
if (cctor == null)
{
continue;
}
foreach (var method in DotNetUtils.getMethodCalls(cctor))
{
callCounter.add(method);
}
}
var mostCalls = callCounter.most();
if (mostCalls == null)
{
return;
}
setDelegateCreatorMethod(DotNetUtils.getMethod(module, mostCalls));
}
bool canRenameMethod(MethodDef methodDef)
{
var methodInfo = method(methodDef);
if (methodDef.isStatic())
{
if (methodInfo.oldName == ".cctor")
{
return(false);
}
}
else if (methodDef.isVirtual())
{
if (DotNetUtils.derivesFromDelegate(type.TypeDefinition))
{
switch (methodInfo.oldName)
{
case "BeginInvoke":
case "EndInvoke":
case "Invoke":
return(false);
}
}
}
else
{
if (methodInfo.oldName == ".ctor")
{
return(false);
}
}
return(true);
}
// Finds the SmartAssembly.StringsEncoding.Strings class. This class decrypts the
// strings in the resources. It gets called by the SmartAssembly.Delegates.GetString
// delegate instances which were created by SmartAssembly.HouseOfCards.Strings.
TypeDef findStringDecrypterClass(MethodDef stringsCreateDelegateMethod)
{
if (!stringsCreateDelegateMethod.HasBody)
{
return(null);
}
foreach (var ldtoken in stringsCreateDelegateMethod.Body.Instructions)
{
if (ldtoken.OpCode.Code != Code.Ldtoken)
{
continue;
}
var typeToken = ldtoken.Operand as ITypeDefOrRef;
if (typeToken == null)
{
continue;
}
var type = getType(typeToken);
if (type == null || DotNetUtils.derivesFromDelegate(type))
{
continue;
}
if (!couldBeStringDecrypterClass(type))
{
continue;
}
return(type);
}
return(null);
}
// Finds the SmartAssembly.Delegates.GetString delegate
TypeDef findGetStringDelegate(MethodDef stringsCreateDelegateMethod)
{
if (!stringsCreateDelegateMethod.HasBody)
{
return(null);
}
foreach (var ldtoken in stringsCreateDelegateMethod.Body.Instructions)
{
if (ldtoken.OpCode.Code != Code.Ldtoken)
{
continue;
}
var typeToken = ldtoken.Operand as ITypeDefOrRef;
if (typeToken == null)
{
continue;
}
var delegateType = getType(typeToken);
if (!DotNetUtils.derivesFromDelegate(delegateType))
{
continue;
}
var invoke = delegateType.FindMethod("Invoke");
if (invoke == null || !DotNetUtils.isMethod(invoke, "System.String", "(System.Int32)"))
{
continue;
}
return(delegateType);
}
return(null);
}
static TypeReference getCommonBaseClass(ModuleDefinition module, TypeReference a, TypeReference b)
{
if (DotNetUtils.isDelegate(a) && DotNetUtils.derivesFromDelegate(DotNetUtils.getType(module, b)))
{
return(b);
}
if (DotNetUtils.isDelegate(b) && DotNetUtils.derivesFromDelegate(DotNetUtils.getType(module, a)))
{
return(a);
}
return(null); //TODO:
}
static TypeSig getCommonBaseClass(ModuleDef module, TypeSig a, TypeSig b)
{
if (DotNetUtils.isDelegate(a) && DotNetUtils.derivesFromDelegate(module.Find(b.ToTypeDefOrRef())))
{
return(b);
}
if (DotNetUtils.isDelegate(b) && DotNetUtils.derivesFromDelegate(module.Find(a.ToTypeDefOrRef())))
{
return(a);
}
return(null); //TODO:
}
public override void deobfuscateBegin()
{
base.deobfuscateBegin();
cliSecureRtType.findStringDecrypterMethod();
stringDecrypter.Method = cliSecureRtType.StringDecrypterMethod;
addAttributesToBeRemoved(cliSecureAttributes, "Obfuscator attribute");
if (options.DecryptResources)
{
decryptResources(resourceDecrypter);
addCctorInitCallToBeRemoved(resourceDecrypter.RsrcRrrMethod);
}
stackFrameHelper = new StackFrameHelper(module);
stackFrameHelper.find();
foreach (var type in module.Types)
{
if (type.FullName == "InitializeDelegate" && DotNetUtils.derivesFromDelegate(type))
{
this.addTypeToBeRemoved(type, "Obfuscator type");
}
}
proxyCallFixer.find();
staticStringInliner.add(stringDecrypter.Method, (method, gim, args) => stringDecrypter.decrypt((string)args[0]));
DeobfuscatedFile.stringDecryptersAdded();
if (options.DecryptMethods)
{
addCctorInitCallToBeRemoved(cliSecureRtType.InitializeMethod);
addCctorInitCallToBeRemoved(cliSecureRtType.PostInitializeMethod);
findPossibleNamesToRemove(cliSecureRtType.LoadMethod);
}
if (options.RestoreVmCode)
{
if (csvm.restore())
{
addResourceToBeRemoved(csvm.Resource, "CSVM data resource");
}
else
{
Logger.e("Couldn't restore VM methods. Use --dont-rename or it will not run");
preserveTokensAndTypes();
}
}
}
bool checkDelegateType(TypeDefinition type)
{
if (!DotNetUtils.derivesFromDelegate(type))
{
return(false);
}
var invoke = DotNetUtils.getMethod(type, "Invoke");
if (invoke == null)
{
return(false);
}
return(checkDelegateInvokeMethod(invoke));
}
bool checkDelegateType(TypeDef type)
{
if (!DotNetUtils.derivesFromDelegate(type))
{
return(false);
}
var invoke = type.FindMethod("Invoke");
if (invoke == null)
{
return(false);
}
return(checkDelegateInvokeMethod(invoke));
}
public override void deobfuscateBegin()
{
base.deobfuscateBegin();
addAttributeToBeRemoved(cliSecureAttribute, "Obfuscator attribute");
if (options.DecryptResources)
{
var resourceDecrypter = new ResourceDecrypter(module);
resourceDecrypter.find();
decryptResources(resourceDecrypter);
addCctorInitCallToBeRemoved(resourceDecrypter.RsrcRrrMethod);
}
stackFrameHelper = new StackFrameHelper(module);
stackFrameHelper.find();
foreach (var type in module.Types)
{
if (type.FullName == "InitializeDelegate" && DotNetUtils.derivesFromDelegate(type))
{
this.addTypeToBeRemoved(type, "Obfuscator type");
}
}
proxyDelegateFinder.find();
staticStringInliner.add(stringDecrypter.Method, (method, args) => stringDecrypter.decrypt((string)args[0]));
DeobfuscatedFile.stringDecryptersAdded();
if (options.DecryptMethods)
{
addCctorInitCallToBeRemoved(cliSecureRtType.InitializeMethod);
addCctorInitCallToBeRemoved(cliSecureRtType.PostInitializeMethod);
findPossibleNamesToRemove(cliSecureRtType.LoadMethod);
}
if (options.RestoreVmCode)
{
csvm.restore();
addAssemblyReferenceToBeRemoved(csvm.VmAssemblyReference, "CSVM assembly reference");
addResourceToBeRemoved(csvm.Resource, "CSVM data resource");
}
}
protected override bool checkResolverType(TypeDef type)
{
if (DotNetUtils.findFieldType(type, "System.Collections.Hashtable", true) != null)
{
return(true);
}
foreach (var field in type.Fields)
{
if (DotNetUtils.derivesFromDelegate(DotNetUtils.getType(module, field.FieldType)))
{
continue;
}
if (field.IsLiteral && field.FieldType.ToString() == "System.String")
{
continue;
}
return(false);
}
return(true);
}
public void read()
{
flags = (MethodFlags)reader.ReadByte();
delegateType = resolve <TypeDef>(readTypeToken());
if (!DotNetUtils.derivesFromDelegate(delegateType))
{
throw new ApplicationException("Invalid delegate type");
}
if (HasLocals)
{
readLocals((int)reader.Read7BitEncodedUInt32());
}
if (HasInstructions)
{
ReadInstructions((int)reader.Read7BitEncodedUInt32());
}
if (HasExceptionHandlers)
{
readExceptionHandlers((int)reader.Read7BitEncodedUInt32());
}
}
bool checkMethod(MethodDef cctor)
{
if (cctor == null || cctor.Body == null)
{
return(false);
}
if (!new LocalTypes(cctor).exactly(ilpLocals))
{
return(false);
}
var type = cctor.DeclaringType;
var methods = getPinvokeMethods(type, "Protect");
if (methods.Count == 0)
{
methods = getPinvokeMethods(type, "P0");
}
if (methods.Count != 2)
{
return(false);
}
if (type.Fields.Count != 1)
{
return(false);
}
var theField = type.Fields[0];
var theDelegate = theField.FieldType.TryGetTypeDef();
if (theDelegate == null || !DotNetUtils.derivesFromDelegate(theDelegate))
{
return(false);
}
protectMethods = methods;
invokerDelegate = theDelegate;
invokerInstanceField = theField;
return(true);
}
