bool checkType(TypeDefinition type, MethodDefinition initMethod) { if (DotNetUtils.findFieldType(type, "System.Collections.Hashtable", true) == null) { return(false); } if (!checkInitMethod(initMethod)) { return(false); } List <AssemblyInfo> newAssemblyInfos = null; foreach (var s in DotNetUtils.getCodeStrings(initMethod)) { newAssemblyInfos = initializeEmbeddedAssemblies(s); if (newAssemblyInfos != null) { break; } } if (newAssemblyInfos == null) { return(false); } resolverType = type; resolverMethod = initMethod; assemblyInfos = newAssemblyInfos; return(true); }
protected override bool checkHandlerMethod(MethodDef method) { if (!method.IsStatic || !method.HasBody) { return(false); } var infos = new List <EmbeddedAssemblyInfo>(); foreach (var s in DotNetUtils.getCodeStrings(method)) { if (string.IsNullOrEmpty(s)) { continue; } if (!initInfos(infos, s.Split(','))) { continue; } embeddedAssemblyInfos = infos; findSimpleZipType(method); return(true); } return(false); }
string getResourceName() { var defaultName = module.Assembly.Name.Name + module.Assembly.Name.Name; var cctor = DotNetUtils.getMethod(stringDecrypterType, ".cctor"); if (cctor == null) { return(defaultName); } foreach (var s in DotNetUtils.getCodeStrings(cctor)) { if (DotNetUtils.getResource(module, s) != null) { return(s); } try { return(Encoding.UTF8.GetString(Convert.FromBase64String(s))); } catch { } } return(defaultName); }
bool checkEncryptedMethod(MethodDefinition method, out EncryptInfo info) { info = null; if (method.Body == null) { return(false); } if (!callsExecuteMethod(method)) { return(false); } var strings = DotNetUtils.getCodeStrings(method); if (strings.Count != 1) { throw new ApplicationException(string.Format("Could not find name of encrypted method")); } string feature = ""; string name = strings[0]; int index = name.IndexOf(':'); if (index >= 0) { feature = name.Substring(0, index); name = name.Substring(index + 1); } info = new EncryptInfo(name, feature, method); return(true); }
EmbeddedResource findGetManifestResourceStreamTypeResource(TypeDefinition type, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) { foreach (var method in type.Methods) { if (!method.IsPrivate || !method.IsStatic || method.Body == null) { continue; } if (!DotNetUtils.isMethod(method, "System.String", "(System.Reflection.Assembly,System.Type,System.String)")) { continue; } simpleDeobfuscator.deobfuscate(method); simpleDeobfuscator.decryptStrings(method, deob); foreach (var s in DotNetUtils.getCodeStrings(method)) { var resource = DotNetUtils.getResource(module, s) as EmbeddedResource; if (resource != null) { return(resource); } } } return(null); }
static EmbeddedResource findEmbeddedResource2(ModuleDefinition module, MethodDefinition method) { var strings = new List <string>(DotNetUtils.getCodeStrings(method)); if (strings.Count != 1) { return(null); } var encryptedString = strings[0]; int xorKey; if (!getXorKey2(method, out xorKey)) { return(null); } var sb = new StringBuilder(encryptedString.Length); foreach (var c in encryptedString) { sb.Append((char)(c ^ xorKey)); } return(DotNetUtils.getResource(module, sb.ToString()) as EmbeddedResource); }
public void find() { foreach (var calledMethod in DotNetUtils.getCalledMethods(module, DotNetUtils.getModuleTypeCctor(module))) { if (!DotNetUtils.isMethod(calledMethod, "System.Void", "()")) { continue; } if (calledMethod.DeclaringType.FullName != "<PrivateImplementationDetails>{F1C5056B-0AFC-4423-9B83-D13A26B48869}") { continue; } nativeLibCallerType = calledMethod.DeclaringType; initMethod = calledMethod; foreach (var s in DotNetUtils.getCodeStrings(initMethod)) { nativeFileResource = DotNetUtils.getResource(module, s); if (nativeFileResource != null) { break; } } return; } }
public static EmbeddedResource getResource(ModuleDefinition module, MethodDefinition method) { if (method == null || method.Body == null) { return(null); } return(getResource(module, DotNetUtils.getCodeStrings(method))); }
public void find(ISimpleDeobfuscator simpleDeobfuscator) { var additionalTypes = new string[] { "System.String", }; EmbeddedResource stringsResource = null; foreach (var type in module.Types) { if (decrypterInfos.Count > 0) { break; } if (type.BaseType == null || type.BaseType.FullName != "System.Object") { continue; } foreach (var method in type.Methods) { if (!method.IsStatic || !method.HasBody) { continue; } if (!DotNetUtils.isMethod(method, "System.String", "(System.Int32)")) { continue; } if (!encryptedResource.couldBeResourceDecrypter(method, additionalTypes)) { continue; } var resource = DotNetUtils.getResource(module, DotNetUtils.getCodeStrings(method)) as EmbeddedResource; if (resource == null) { throw new ApplicationException("Could not find strings resource"); } if (stringsResource != null && stringsResource != resource) { throw new ApplicationException("Two different string resources found"); } stringsResource = resource; encryptedResource.Method = method; var info = new DecrypterInfo(method, null, null); simpleDeobfuscator.deobfuscate(info.method); findKeyIv(info.method, out info.key, out info.iv); decrypterInfos.Add(info); } } if (decrypterInfos.Count > 0) { findOtherStringDecrypter(decrypterInfos[0].method.DeclaringType); } }
public void init(ResourceDecrypter resourceDecrypter) { if (decrypterType == null) { return; } encryptedResource = CoUtils.getResource(module, DotNetUtils.getCodeStrings(DotNetUtils.getMethod(decrypterType, ".cctor"))); constantsData = resourceDecrypter.decrypt(encryptedResource.GetResourceStream()); }
static bool hasCodeString(MethodDef method, string str) { foreach (var s in DotNetUtils.getCodeStrings(method)) { if (s == str) { return(true); } } return(false); }
bool containsString(MethodDef method, string part) { foreach (var s in DotNetUtils.getCodeStrings(method)) { if (s.Contains(part)) { return(true); } } return(false); }
static bool findString(MethodDefinition method, string s) { foreach (var cs in DotNetUtils.getCodeStrings(method)) { if (cs == s) { return(true); } } return(false); }
public void init(ResourceDecrypter resourceDecrypter) { if (decrypterType == null) { return; } encryptedResource = CoUtils.getResource(module, DotNetUtils.getCodeStrings(decrypterType.FindStaticConstructor())); encryptedResource.Data.Position = 0; constantsData = resourceDecrypter.decrypt(encryptedResource.Data.CreateStream()); }
string getResourcePrefix(MethodDefinition handler) { foreach (var s in DotNetUtils.getCodeStrings(handler)) { var resource = DotNetUtils.getResource(module, s + "00000") as EmbeddedResource; if (resource != null) { return(s); } } return(null); }
public static EmbeddedResource getEmbeddedResourceFromCodeStrings(ModuleDef module, MethodDef method) { foreach (var s in DotNetUtils.getCodeStrings(method)) { var resource = DotNetUtils.getResource(module, s) as EmbeddedResource; if (resource != null) { return(resource); } } return(null); }
EmbeddedResource findMethodsDecrypterResource(MethodDefinition method) { foreach (var s in DotNetUtils.getCodeStrings(method)) { var resource = DotNetUtils.getResource(module, s) as EmbeddedResource; if (resource != null) { return(resource); } } return(null); }
static EmbeddedResource findEmbeddedResource1(ModuleDefinition module, MethodDefinition method) { foreach (var s in DotNetUtils.getCodeStrings(method)) { var resource = DotNetUtils.getResource(module, s) as EmbeddedResource; if (resource != null) { return(resource); } } return(null); }
static byte[] getSalt(MethodDef method) { foreach (var s in DotNetUtils.getCodeStrings(method)) { var saltAry = fixSalt(s); if (saltAry != null) { return(saltAry); } } return(null); }
bool initializeInfos(MethodDefinition method) { foreach (var s in DotNetUtils.getCodeStrings(method)) { if (string.IsNullOrEmpty(s)) continue; var ary = s.Split(':'); foreach (var asmInfo in ary) resourceInfos.Add(asmInfo.Split('|')[0]); return true; } return false; }
public EmbeddedResource mergeResources() { if (rsrcDecryptMethod == null) { return(null); } var resource = DotNetUtils.getResource(module, DotNetUtils.getCodeStrings(rsrcDecryptMethod)) as EmbeddedResource; if (resource == null) { return(null); } DeobUtils.decryptAndAddResources(module, resource.Name, () => decryptResource(resource)); return(resource); }
// Find the embedded resource where all the strings are encrypted EmbeddedResource findStringResource(MethodDef method) { foreach (var s in DotNetUtils.getCodeStrings(method)) { if (s == null) { continue; } var resource = DotNetUtils.getResource(module, s) as EmbeddedResource; if (resource != null) { return(resource); } } return(null); }
string getPassword3(MethodDef method) { var strings = new List <string>(DotNetUtils.getCodeStrings(method)); if (strings.Count != 1) { return(null); } var s = strings[0]; if (!Regex.IsMatch(s, @"^[a-fA-F0-9]{2} $")) { return(null); } return(s); }
bool createAssemblyInfos() { int numElements = DeobUtils.hasInteger(handlerMethod, 3) ? 3 : 2; foreach (var s in DotNetUtils.getCodeStrings(handlerMethod)) { var infos = createAssemblyInfos(s, numElements); if (infos == null) { continue; } assemblyInfos = infos; return(true); } return(false); }
public List <ResourceInfo> getEmbeddedAssemblies(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) { var infos = new List <ResourceInfo>(); if (assemblyResolverMethod == null) { return(infos); } simpleDeobfuscator.deobfuscate(assemblyResolverMethod); simpleDeobfuscator.decryptStrings(assemblyResolverMethod, deob); foreach (var resourcePrefix in DotNetUtils.getCodeStrings(assemblyResolverMethod)) { infos.AddRange(getResourceInfos(resourcePrefix)); } return(infos); }
EmbeddedResource getResource(MethodDef method, out ModuleDefMD theResourceModule) { string resourceDllFileName = null; theResourceModule = module; foreach (var s in DotNetUtils.getCodeStrings(method)) { if (s.Length > 0 && s[0] == '\\') { resourceDllFileName = s; } var resource = DotNetUtils.getResource(theResourceModule, s + ".resources") as EmbeddedResource; if (resource != null) { return(resource); } } if (resourceDllFileName == null) { return(null); } // Here if CW 2.x theResourceModule = getResourceModule(resourceDllFileName); if (theResourceModule == null) { return(null); } foreach (var s in DotNetUtils.getCodeStrings(method)) { var resource = DotNetUtils.getResource(theResourceModule, s + ".resources") as EmbeddedResource; if (resource != null) { return(resource); } } theResourceModule = null; return(null); }
bool createDecryptKey() { if (decryptMethod == null) { return(false); } foreach (var s in DotNetUtils.getCodeStrings(decryptMethod)) { decryptKey = decodeBase64(s); if (decryptKey == null || decryptKey.Length == 0) { continue; } if (decrypterType.Detected) { var data = new byte[8]; ulong magic = decrypterType.getMagic(); data[0] = (byte)magic; data[7] = (byte)(magic >> 8); data[6] = (byte)(magic >> 16); data[5] = (byte)(magic >> 24); data[4] = (byte)(magic >> 32); data[1] = (byte)(magic >> 40); data[3] = (byte)(magic >> 48); data[2] = (byte)(magic >> 56); for (int i = 0; i < decryptKey.Length; i++) { decryptKey[i] ^= (byte)(i + data[i % data.Length]); } } return(true); } return(false); }
public static EmbeddedResource findEmbeddedResource(ModuleDefinition module, TypeDefinition decrypterType, Action <MethodDefinition> fixMethod) { foreach (var method in decrypterType.Methods) { if (!DotNetUtils.isMethod(method, "System.String", "()")) { continue; } if (!method.IsStatic) { continue; } fixMethod(method); foreach (var s in DotNetUtils.getCodeStrings(method)) { var resource = DotNetUtils.getResource(module, s) as EmbeddedResource; if (resource != null) { return(resource); } } } return(null); }
EmbeddedResource findResource(MethodDefinition method) { return(DotNetUtils.getResource(module, DotNetUtils.getCodeStrings(method)) as EmbeddedResource); }