/// <summary>
/// Heuristic filter that reports whether a method's local-variable types have the shape
/// expected of an AES/Rijndael-based resource decrypter. A true result marks a candidate
/// only; it is not proof that the method decrypts resources.
/// </summary>
/// <param name="method">Candidate method; only its DeclaringType is read here.</param>
/// <param name="localTypes">Local-type set of the candidate, built by the caller.</param>
/// <param name="additionalTypes">Extra type names that must also be present. Passed straight to AddRange, so it must not be null.</param>
/// <returns>true when every check below passes, otherwise false.</returns>
public static bool CouldBeResourceDecrypter(MethodDef method, LocalTypes localTypes, IList<string> additionalTypes) {
    // Baseline locals: byte buffer, reader, memory stream and the CryptoStream plumbing.
    var mandatoryLocals = new List<string> {
        "System.Byte[]",
        "System.IO.BinaryReader",
        "System.IO.MemoryStream",
        "System.Security.Cryptography.CryptoStream",
        "System.Security.Cryptography.ICryptoTransform",
    };
    mandatoryLocals.AddRange(additionalTypes);
    if (!localTypes.All(mandatoryLocals))
        return false;

    // Presumably looks up a parameterless method returning SymmetricAlgorithm on the declaring
    // type -- confirm against DotNetUtils.GetMethod. When one exists, methods with these
    // integer locals are excluded.
    var symmetricAlgorithmGetter = DotNetUtils.GetMethod(method.DeclaringType, "System.Security.Cryptography.SymmetricAlgorithm", "()");
    if (symmetricAlgorithmGetter != null) {
        if (localTypes.Exists("System.UInt64"))
            return false;
        if (localTypes.Exists("System.UInt32") && !localTypes.Exists("System.Reflection.Assembly"))
            return false;
    }

    // At least one symmetric-cipher type has to appear among the locals.
    return localTypes.Exists("System.Security.Cryptography.RijndaelManaged")
        || localTypes.Exists("System.Security.Cryptography.AesManaged")
        || localTypes.Exists("System.Security.Cryptography.SymmetricAlgorithm");
}
/// <summary>
/// Heuristic filter that reports whether a method's locals look like those of an
/// AES/Rijndael decrypt routine. A true result marks a candidate only.
/// </summary>
/// <param name="method">Candidate method; a method without a body is rejected.</param>
/// <param name="additionalTypes">Extra local type names that must also be present. Passed to AddRange, so it must not be null.</param>
/// <returns>true when all required locals and one of the two cipher types are present.</returns>
public static bool CouldBeDecryptMethod(MethodDef method, IEnumerable<string> additionalTypes) {
    // No body means there are no locals to inspect.
    if (method.Body == null)
        return false;

    var candidateLocals = new LocalTypes(method);
    var mandatoryLocals = new List<string> {
        "System.Byte[]",
        "System.IO.MemoryStream",
        "System.Security.Cryptography.CryptoStream",
        "System.Security.Cryptography.ICryptoTransform",
    };
    mandatoryLocals.AddRange(additionalTypes);
    if (!candidateLocals.All(mandatoryLocals))
        return false;

    // Unlike the resource-decrypter check, the abstract SymmetricAlgorithm type is not accepted here.
    return candidateLocals.Exists("System.Security.Cryptography.RijndaelManaged")
        || candidateLocals.Exists("System.Security.Cryptography.AesManaged");
}
/// <summary>
/// Decides, from local-variable types alone, whether a method is a plausible
/// AES/Rijndael decrypt routine.
/// </summary>
/// <param name="method">Method to inspect; rejected when it has no body.</param>
/// <param name="additionalTypes">Caller-supplied type names appended to the required set (must not be null).</param>
/// <returns>false as soon as one check fails, true otherwise.</returns>
public static bool CouldBeDecryptMethod(MethodDef method, IEnumerable<string> additionalTypes) {
    if (method.Body == null) {
        return false;
    }

    var locals = new LocalTypes(method);

    // Fixed part of the fingerprint, followed by whatever the caller adds.
    var wanted = new List<string>();
    wanted.Add("System.Byte[]");
    wanted.Add("System.IO.MemoryStream");
    wanted.Add("System.Security.Cryptography.CryptoStream");
    wanted.Add("System.Security.Cryptography.ICryptoTransform");
    wanted.AddRange(additionalTypes);

    if (!locals.All(wanted)) {
        return false;
    }

    // One concrete cipher implementation must be among the locals.
    if (locals.Exists("System.Security.Cryptography.RijndaelManaged")) {
        return true;
    }
    return locals.Exists("System.Security.Cryptography.AesManaged");
}
/// <summary>
/// Sets the stringDecrypterVersion field from the locals of the string decrypter method:
/// VER_38 when a System.IntPtr local exists, VER_37 otherwise.
/// </summary>
/// <param name="method">String decrypter method whose locals are inspected.</param>
void InitializeStringDecrypterVersion(MethodDef method) {
    bool hasIntPtrLocal = new LocalTypes(method).Exists("System.IntPtr");
    stringDecrypterVersion = hasIntPtrLocal
        ? StringDecrypterVersion.VER_38
        : StringDecrypterVersion.VER_37;
}
/// <summary>
/// Heuristic filter for a static, AES/Rijndael-based resource decrypter. A true result
/// marks a candidate only.
/// </summary>
/// <param name="method">Candidate method; must be static and have a body.</param>
/// <param name="additionalTypes">Extra local type names that must also be present (must not be null).</param>
/// <param name="checkResource">When true, FindMethodsDecrypterResource(method) must also return non-null.</param>
/// <returns>true when every enabled check passes.</returns>
public bool CouldBeResourceDecrypter(MethodDef method, IEnumerable<string> additionalTypes, bool checkResource) {
    if (!method.IsStatic || method.Body == null)
        return false;

    var candidateLocals = new LocalTypes(method);
    var mandatoryLocals = new List<string> {
        "System.Byte[]",
        "System.IO.BinaryReader",
        "System.IO.MemoryStream",
        "System.Security.Cryptography.CryptoStream",
        "System.Security.Cryptography.ICryptoTransform",
    };
    mandatoryLocals.AddRange(additionalTypes);
    if (!candidateLocals.All(mandatoryLocals))
        return false;

    bool hasCipherLocal =
        candidateLocals.Exists("System.Security.Cryptography.RijndaelManaged")
        || candidateLocals.Exists("System.Security.Cryptography.AesManaged")
        || candidateLocals.Exists("System.Security.Cryptography.SymmetricAlgorithm");
    if (!hasCipherLocal)
        return false;

    // The resource lookup runs last and only on request.
    return !checkResource || FindMethodsDecrypterResource(method) != null;
}
/// <summary>
/// Heuristic filter that reports whether a pre-computed local-type set matches the shape
/// of an AES/Rijndael-based resource decrypter. A true result marks a candidate only.
/// </summary>
/// <param name="method">Candidate method; not read by this variant.</param>
/// <param name="localTypes">Local-type set of the candidate, built by the caller.</param>
/// <param name="additionalTypes">Extra type names that must also be present (must not be null).</param>
/// <returns>true when the required locals and at least one cipher type are present.</returns>
public static bool CouldBeResourceDecrypter(MethodDef method, LocalTypes localTypes, IList<string> additionalTypes) {
    var wanted = new List<string>();
    wanted.Add("System.Byte[]");
    wanted.Add("System.IO.BinaryReader");
    wanted.Add("System.IO.MemoryStream");
    wanted.Add("System.Security.Cryptography.CryptoStream");
    wanted.Add("System.Security.Cryptography.ICryptoTransform");
    wanted.AddRange(additionalTypes);

    if (!localTypes.All(wanted)) {
        return false;
    }

    // Any of the three symmetric-cipher types is accepted.
    if (localTypes.Exists("System.Security.Cryptography.RijndaelManaged")) {
        return true;
    }
    if (localTypes.Exists("System.Security.Cryptography.AesManaged")) {
        return true;
    }
    return localTypes.Exists("System.Security.Cryptography.SymmetricAlgorithm");
}
/// <summary>
/// Builds the display name of the detected protector and, where the fingerprints allow it,
/// the version or version range that produced the module.
/// </summary>
/// <returns>DeobfuscatorInfo.THE_NAME, optionally followed by a version suffix.</returns>
string DetectVersion() {
    /*
     * Methods decrypter locals (not showing its own types):
     * 3.7.0.3:
     *      "System.Byte[]"
     *      "System.Int32"
     *      "System.Int32[]"
     *      "System.IntPtr"
     *      "System.IO.BinaryReader"
     *      "System.IO.MemoryStream"
     *      "System.Object"
     *      "System.Reflection.Assembly"
     *      "System.Security.Cryptography.CryptoStream"
     *      "System.Security.Cryptography.ICryptoTransform"
     *      "System.Security.Cryptography.RijndaelManaged"
     *      "System.String"
     *
     * 3.9.8.0:
     *  -   "System.Int32[]"
     *  +   "System.Diagnostics.StackFrame"
     *
     * 4.0.0.0: (jitter)
     *  -   "System.Diagnostics.StackFrame"
     *  -   "System.Object"
     *  +   "System.Boolean"
     *  +   "System.Collections.IEnumerator"
     *  +   "System.Delegate"
     *  +   "System.Diagnostics.Process"
     *  +   "System.Diagnostics.ProcessModule"
     *  +   "System.Diagnostics.ProcessModuleCollection"
     *  +   "System.IDisposable"
     *  +   "System.Int64"
     *  +   "System.UInt32"
     *  +   "System.UInt64"
     *
     * 4.1.0.0: (jitter)
     *  +   "System.Reflection.Assembly"
     *
     * 4.3.1.0: (jitter)
     *  +   "System.Byte&"
     */

    // String decrypter: only the first entry that carries a key is inspected.
    bool stringDecrypterIs38OrLater = false;
    foreach (var info in stringDecrypter.DecrypterInfos) {
        if (info.key == null)
            continue;
        if (!new LocalTypes(info.method).Exists("System.IntPtr"))
            return DeobfuscatorInfo.THE_NAME + " <= 3.7";
        stringDecrypterIs38OrLater = true;
        break;
    }

    // The fingerprints below are applied only to the V1 decrypter type.
    if (methodsDecrypter.DecrypterTypeVersion != DnrDecrypterType.V1)
        return DeobfuscatorInfo.THE_NAME;

    if (methodsDecrypter.Method == null) {
        return stringDecrypterIs38OrLater
            ? DeobfuscatorInfo.THE_NAME + " >= 3.8"
            : DeobfuscatorInfo.THE_NAME;
    }

    // Built before the Deobfuscate() calls below and reused for the "System.Byte&" test
    // near the end, in the same order as the original code.
    var decrypterLocals = new LocalTypes(methodsDecrypter.Method);

    if (decrypterLocals.Exists("System.Int32[]")) {
        return stringDecrypterIs38OrLater
            ? DeobfuscatorInfo.THE_NAME + " 3.8.4.1 - 3.9.0.1"
            : DeobfuscatorInfo.THE_NAME + " <= 3.9.0.1";
    }

    // If < 4.0
    if (!decrypterLocals.Exists("System.Diagnostics.Process") && decrypterLocals.Exists("System.Diagnostics.StackFrame"))
        return DeobfuscatorInfo.THE_NAME + " 3.9.8.0";

    var compileMethod = MethodsDecrypter.FindDnrCompileMethod(methodsDecrypter.Method.DeclaringType);
    if (compileMethod == null) {
        DeobfuscatedFile.Deobfuscate(methodsDecrypter.Method);
        return MethodsDecrypter.IsNewer45Decryption(methodsDecrypter.Method)
            ? DeobfuscatorInfo.THE_NAME + " 4.5+"
            : DeobfuscatorInfo.THE_NAME + " < 4.0";
    }

    // Each method is deobfuscated before its constants and strings are searched.
    DeobfuscatedFile.Deobfuscate(compileMethod);
    bool compileHas0x70000000 = DeobUtils.HasInteger(compileMethod, 0x70000000); // 4.0-4.1
    DeobfuscatedFile.Deobfuscate(methodsDecrypter.Method);
    bool hasProfilingString = FindString(methodsDecrypter.Method, "Cor_Enable_Profiling"); // 4.1-4.4
    bool hasCatchString = FindString(methodsDecrypter.Method, "catch: "); // <= 4.7

    if (compileHas0x70000000) {
        return hasProfilingString
            ? DeobfuscatorInfo.THE_NAME + " 4.1"
            : DeobfuscatorInfo.THE_NAME + " 4.0";
    }

    if (hasProfilingString) {
        // 4.2-4.4
        if (!decrypterLocals.Exists("System.Byte&"))
            return DeobfuscatorInfo.THE_NAME + " 4.2";
        return new LocalTypes(compileMethod).Exists("System.Object")
            ? DeobfuscatorInfo.THE_NAME + " 4.4"
            : DeobfuscatorInfo.THE_NAME + " 4.3";
    }

    if (!DotNetUtils.CallsMethod(methodsDecrypter.Method, "System.Void System.Array::Reverse(System.Array)"))
        return DeobfuscatorInfo.THE_NAME + " 4.0 - 4.4";

    int intPtrSizeCompares = CountCompareSystemIntPtrSize(methodsDecrypter.Method);
    bool usesSymmetricAlgorithm = new LocalTypes(methodsDecrypter.Method).Exists("System.Security.Cryptography.SymmetricAlgorithm");

    // The expected IntPtr.Size comparison counts are one higher when Module.IsClr40 is true.
    bool clr40 = Module.IsClr40;
    int firstCountFor45 = clr40 ? 7 : 6;
    int secondCountFor45 = clr40 ? 9 : 8;
    int countFor46To48 = clr40 ? 10 : 9;

    if (intPtrSizeCompares == firstCountFor45 || intPtrSizeCompares == secondCountFor45)
        return DeobfuscatorInfo.THE_NAME + " 4.5";
    if (intPtrSizeCompares == countFor46To48) {
        if (!usesSymmetricAlgorithm)
            return DeobfuscatorInfo.THE_NAME + " 4.6";
        return hasCatchString
            ? DeobfuscatorInfo.THE_NAME + " 4.7"
            : DeobfuscatorInfo.THE_NAME + " 4.8";
    }

    // Should never be reached unless it's a new version
    return DeobfuscatorInfo.THE_NAME + " 4.5+";
}
/// <summary>
/// Scans the module type for the first static method that matches the
/// "System.Object (System.UInt32)" decrypter signature and one of the two required-locals
/// profiles, records the matching ConfuserVersion in the version field and registers a
/// DecrypterInfo for it. Leaves state untouched when nothing matches.
/// </summary>
public void Find() {
    var moduleType = DotNetUtils.GetModuleType(module);
    if (moduleType == null)
        return;

    foreach (var method in moduleType.Methods) {
        if (!method.IsStatic || method.Body == null)
            continue;
        if (!DotNetUtils.IsMethod(method, "System.Object", "(System.UInt32)"))
            continue;

        var info = new DecrypterInfo();
        var localTypes = new LocalTypes(method);

        if (localTypes.All(requiredLocals1)) {
            if (localTypes.Exists("System.Collections.BitArray")) { // or System.Random
                version = ConfuserVersion.v15_r60785_normal;
            }
            else if (DeobUtils.HasInteger(method, 0x100) && DeobUtils.HasInteger(method, 0x10000) && DeobUtils.HasInteger(method, 0xFFFF)) {
                version = ConfuserVersion.v17_r73404_normal;
            }
            else if (DotNetUtils.CallsMethod(method, "System.String System.Text.Encoding::GetString(System.Byte[])")) {
                if (FindInstruction(method.Body.Instructions, 0, Code.Conv_I8) < 0) {
                    version = ConfuserVersion.v17_r73740_dynamic;
                }
                else {
                    version = DotNetUtils.CallsMethod(method, "System.Void System.Console::WriteLine()")
                        ? ConfuserVersion.v15_r60785_dynamic
                        : ConfuserVersion.v17_r72989_dynamic;
                }
            }
            else if (DotNetUtils.CallsMethod(method, "System.String System.Text.Encoding::GetString(System.Byte[],System.Int32,System.Int32)")) {
                // nativeMethod is a member; it is assigned even when the lookup returns null.
                nativeMethod = FindNativeMethod(method);
                version = nativeMethod == null
                    ? ConfuserVersion.v17_r73764_dynamic
                    : ConfuserVersion.v17_r73764_native;
            }
            else {
                continue;
            }
        }
        else if (localTypes.All(requiredLocals2)) {
            if (DeobUtils.HasInteger(method, 0x100) && DeobUtils.HasInteger(method, 0x10000) && DeobUtils.HasInteger(method, 0xFFFF)) {
                version = ConfuserVersion.v17_r73822_normal;
            }
            else {
                // The GetHashCode call separates r74021 from r73822; in both cases the
                // presence of a native method separates "native" from "dynamic".
                bool callsGetHashCode = DotNetUtils.CallsMethod(method, "System.Int32 System.Object::GetHashCode()");
                nativeMethod = FindNativeMethod(method);
                bool isDynamic = nativeMethod == null;
                if (callsGetHashCode)
                    version = isDynamic ? ConfuserVersion.v17_r74021_dynamic : ConfuserVersion.v17_r74021_native;
                else
                    version = isDynamic ? ConfuserVersion.v17_r73822_dynamic : ConfuserVersion.v17_r73822_native;
            }
        }
        else {
            continue;
        }

        // First match wins.
        info.decryptMethod = method;
        theDecrypterInfo = info;
        Add(info);
        break;
    }
}
/// <summary>
/// Scans the module type for the first static "System.String (System.Int32)" method that
/// carries the required locals and both magic values, classifies it into a ConfuserVersion
/// and stores it in decryptMethod. The magic1, magic2, key1 and version members are
/// written while candidates are examined.
/// </summary>
/// <param name="simpleDeobfuscator">Used to deobfuscate each candidate before its constants are searched.</param>
public void Find(ISimpleDeobfuscator simpleDeobfuscator) {
    var moduleType = DotNetUtils.GetModuleType(module);
    if (moduleType == null)
        return;

    foreach (var method in moduleType.Methods) {
        if (!method.IsStatic || method.Body == null)
            continue;
        if (!DotNetUtils.IsMethod(method, "System.String", "(System.Int32)"))
            continue;

        var localTypes = new LocalTypes(method);
        if (!localTypes.All(requiredLocals))
            continue;

        simpleDeobfuscator.Deobfuscate(method);

        // The old magic1 pattern is tried first; the new one only when the old one is absent.
        bool foundOldMagic1 = FindMagic1(method, out magic1);
        if (!foundOldMagic1 && !FindNewMagic1(method, out magic1))
            continue;
        if (!FindMagic2(method, out magic2))
            continue;

        version = ConfuserVersion.Unknown;
        if (DotNetUtils.CallsMethod(method, "System.Text.Encoding System.Text.Encoding::get_UTF8()")) {
            if (foundOldMagic1) {
                version = DotNetUtils.CallsMethod(method, "System.Object System.AppDomain::GetData(System.String)")
                    ? ConfuserVersion.v13_r55604_safe
                    : ConfuserVersion.v10_r42915;
            }
            else {
                if (!FindSafeKey1(method, out key1))
                    continue;
                version = ConfuserVersion.v14_r58802_safe;
            }
        }
        else if (!localTypes.Exists("System.Random")) {
            version = foundOldMagic1
                ? ConfuserVersion.v11_r49299
                : ConfuserVersion.v14_r58802_dynamic;
        }
        else if (localTypes.Exists("System.Collections.Generic.Dictionary`2<System.Int32,System.String>")) {
            version = ConfuserVersion.v10_r48832;
        }

        // No fingerprint matched this candidate; try the next method.
        if (version == ConfuserVersion.Unknown)
            continue;

        decryptMethod = method;
        break;
    }
}
/// <summary>
/// Locates the string decrypter among the static methods of the module type and derives
/// the ConfuserVersion from the calls and locals it contains. On success decryptMethod and
/// version are set; magic1, magic2 and key1 are filled in along the way.
/// </summary>
/// <param name="simpleDeobfuscator">Deobfuscates a candidate before it is fingerprinted.</param>
public void Find(ISimpleDeobfuscator simpleDeobfuscator) {
    var type = DotNetUtils.GetModuleType(module);
    if (type == null) {
        return;
    }

    foreach (var candidate in type.Methods) {
        bool staticWithBody = candidate.IsStatic && candidate.Body != null;
        if (!staticWithBody) {
            continue;
        }
        if (!DotNetUtils.IsMethod(candidate, "System.String", "(System.Int32)")) {
            continue;
        }

        var locals = new LocalTypes(candidate);
        if (!locals.All(requiredLocals)) {
            continue;
        }

        simpleDeobfuscator.Deobfuscate(candidate);

        bool foundOldMagic1;
        if (FindMagic1(candidate, out magic1)) {
            foundOldMagic1 = true;
        }
        else {
            if (!FindNewMagic1(candidate, out magic1)) {
                continue;
            }
            foundOldMagic1 = false;
        }

        if (!FindMagic2(candidate, out magic2)) {
            continue;
        }

        // Reset first so that an unmatched candidate is recognisable below.
        version = ConfuserVersion.Unknown;

        bool usesUtf8 = DotNetUtils.CallsMethod(candidate, "System.Text.Encoding System.Text.Encoding::get_UTF8()");
        if (usesUtf8 && foundOldMagic1) {
            if (DotNetUtils.CallsMethod(candidate, "System.Object System.AppDomain::GetData(System.String)")) {
                version = ConfuserVersion.v13_r55604_safe;
            }
            else {
                version = ConfuserVersion.v10_r42915;
            }
        }
        else if (usesUtf8) {
            if (!FindSafeKey1(candidate, out key1)) {
                continue;
            }
            version = ConfuserVersion.v14_r58802_safe;
        }
        else if (!locals.Exists("System.Random")) {
            if (foundOldMagic1) {
                version = ConfuserVersion.v11_r49299;
            }
            else {
                version = ConfuserVersion.v14_r58802_dynamic;
            }
        }
        else if (locals.Exists("System.Collections.Generic.Dictionary`2<System.Int32,System.String>")) {
            version = ConfuserVersion.v10_r48832;
        }

        if (version == ConfuserVersion.Unknown) {
            continue;
        }

        decryptMethod = candidate;
        break;
    }
}
/// <summary>
/// Derives a display string (protector name plus version or version range) from
/// fingerprints found in the string decrypter and the methods decrypter.
/// </summary>
/// <returns>DeobfuscatorInfo.THE_NAME, optionally followed by a version suffix.</returns>
string DetectVersion() {
    /*
    Methods decrypter locals (not showing its own types):
    3.7.0.3:
        "System.Byte[]"
        "System.Int32"
        "System.Int32[]"
        "System.IntPtr"
        "System.IO.BinaryReader"
        "System.IO.MemoryStream"
        "System.Object"
        "System.Reflection.Assembly"
        "System.Security.Cryptography.CryptoStream"
        "System.Security.Cryptography.ICryptoTransform"
        "System.Security.Cryptography.RijndaelManaged"
        "System.String"

    3.9.8.0:
    -   "System.Int32[]"
    +   "System.Diagnostics.StackFrame"

    4.0.0.0: (jitter)
    -   "System.Diagnostics.StackFrame"
    -   "System.Object"
    +   "System.Boolean"
    +   "System.Collections.IEnumerator"
    +   "System.Delegate"
    +   "System.Diagnostics.Process"
    +   "System.Diagnostics.ProcessModule"
    +   "System.Diagnostics.ProcessModuleCollection"
    +   "System.IDisposable"
    +   "System.Int64"
    +   "System.UInt32"
    +   "System.UInt64"

    4.1.0.0: (jitter)
    +   "System.Reflection.Assembly"

    4.3.1.0: (jitter)
    +   "System.Byte&"
    */

    // Lower bound taken from the string decrypter; stays false when no entry has a key.
    bool atLeast38 = false;
    foreach (var info in stringDecrypter.DecrypterInfos) {
        if (info.key == null) {
            continue;
        }
        var stringDecrypterLocals = new LocalTypes(info.method);
        if (!stringDecrypterLocals.Exists("System.IntPtr")) {
            return DeobfuscatorInfo.THE_NAME + " <= 3.7";
        }
        atLeast38 = true;
        break; // only the first keyed entry is examined
    }

    var decrypter = methodsDecrypter.Method;
    if (decrypter == null) {
        if (atLeast38) {
            return DeobfuscatorInfo.THE_NAME + " >= 3.8";
        }
        return DeobfuscatorInfo.THE_NAME;
    }

    // Created before any Deobfuscate() call and reused for the "System.Byte&" test below.
    var localTypes = new LocalTypes(methodsDecrypter.Method);

    if (localTypes.Exists("System.Int32[]")) {
        if (atLeast38) {
            return DeobfuscatorInfo.THE_NAME + " 3.8.4.1 - 3.9.0.1";
        }
        return DeobfuscatorInfo.THE_NAME + " <= 3.9.0.1";
    }

    // If < 4.0
    bool hasProcessLocal = localTypes.Exists("System.Diagnostics.Process");
    if (!hasProcessLocal && localTypes.Exists("System.Diagnostics.StackFrame")) {
        return DeobfuscatorInfo.THE_NAME + " 3.9.8.0";
    }

    var compileMethod = MethodsDecrypter.FindDnrCompileMethod(methodsDecrypter.Method.DeclaringType);
    if (compileMethod == null) {
        DeobfuscatedFile.Deobfuscate(methodsDecrypter.Method);
        if (MethodsDecrypter.IsNewer45Decryption(methodsDecrypter.Method)) {
            return DeobfuscatorInfo.THE_NAME + " 4.5+";
        }
        return DeobfuscatorInfo.THE_NAME + " < 4.0";
    }

    DeobfuscatedFile.Deobfuscate(compileMethod);
    bool hasConstant0x70000000 = DeobUtils.HasInteger(compileMethod, 0x70000000); // 4.0-4.1
    DeobfuscatedFile.Deobfuscate(methodsDecrypter.Method);
    bool hasCorEnableProfiling = FindString(methodsDecrypter.Method, "Cor_Enable_Profiling"); // 4.1-4.4
    bool hasCatch = FindString(methodsDecrypter.Method, "catch: "); // <= 4.7

    if (hasConstant0x70000000) {
        if (hasCorEnableProfiling) {
            return DeobfuscatorInfo.THE_NAME + " 4.1";
        }
        return DeobfuscatorInfo.THE_NAME + " 4.0";
    }

    if (hasCorEnableProfiling) {
        // 4.2-4.4
        if (!localTypes.Exists("System.Byte&")) {
            return DeobfuscatorInfo.THE_NAME + " 4.2";
        }
        var compileLocals = new LocalTypes(compileMethod);
        if (compileLocals.Exists("System.Object")) {
            return DeobfuscatorInfo.THE_NAME + " 4.4";
        }
        return DeobfuscatorInfo.THE_NAME + " 4.3";
    }

    bool callsArrayReverse = DotNetUtils.CallsMethod(methodsDecrypter.Method, "System.Void System.Array::Reverse(System.Array)");
    if (!callsArrayReverse) {
        return DeobfuscatorInfo.THE_NAME + " 4.0 - 4.4";
    }

    int compareCount = CountCompareSystemIntPtrSize(methodsDecrypter.Method);
    bool hasSymmetricAlgorithmLocal = new LocalTypes(methodsDecrypter.Method).Exists("System.Security.Cryptography.SymmetricAlgorithm");

    // Expected IntPtr.Size comparison counts are one higher when module.IsClr40 is true.
    bool isClr40 = module.IsClr40;
    bool countMatches45 = isClr40
        ? (compareCount == 7 || compareCount == 9)
        : (compareCount == 6 || compareCount == 8);
    bool countMatches46To48 = isClr40 ? compareCount == 10 : compareCount == 9;

    if (countMatches45) {
        return DeobfuscatorInfo.THE_NAME + " 4.5";
    }
    if (countMatches46To48) {
        if (!hasSymmetricAlgorithmLocal) {
            return DeobfuscatorInfo.THE_NAME + " 4.6";
        }
        if (hasCatch) {
            return DeobfuscatorInfo.THE_NAME + " 4.7";
        }
        return DeobfuscatorInfo.THE_NAME + " 4.8";
    }

    // Should never be reached unless it's a new version
    return DeobfuscatorInfo.THE_NAME + " 4.5+";
}
/// <summary>
/// Detects the unpacker stub at the module entry point, determines the ConfuserVersion and
/// locates the resource holding the main assembly. Returns silently when the entry point
/// does not match the stub fingerprint.
/// </summary>
/// <param name="simpleDeobfuscator">Deobfuscates the methods that are searched for keys and tokens.</param>
/// <param name="deob">Passed to DecryptStrings for the static constructor.</param>
/// <exception cref="ApplicationException">
/// Thrown when neither key0 pattern matches, when the version reaching the switch is
/// unexpected, or when the main assembly resource is not found.
/// </exception>
public void Find(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
    var entryPoint = module.EntryPoint;
    if (entryPoint == null)
        return;
    if (!new LocalTypes(entryPoint).All(requiredEntryPointLocals))
        return;

    var stubType = entryPoint.DeclaringType;
    if (!new FieldTypes(stubType).All(requiredFields))
        return;

    // Six nested types select the 7zip decrypt-method search, anything else the inflate one.
    bool use7zip = stubType.NestedTypes.Count == 6;
    MethodDef decyptMethod;
    if (!use7zip)
        decyptMethod = FindDecryptMethod_inflate(stubType);
    else
        decyptMethod = FindDecryptMethod_7zip(stubType);
    if (decyptMethod == null)
        return;

    // Read before decyptMethod is deobfuscated further down.
    var decryptLocals = new LocalTypes(decyptMethod);

    var theVersion = ConfuserVersion.Unknown;
    if (!decryptLocals.Exists("System.IO.MemoryStream"))
        theVersion = ConfuserVersion.v14_r58564;
    else if (DotNetUtils.CallsMethod(entryPoint, "System.Void", "(System.String,System.Byte[])"))
        theVersion = ConfuserVersion.v10_r42915;
    else if (DotNetUtils.CallsMethod(entryPoint, "System.Void", "(System.Security.Permissions.PermissionState)"))
        theVersion = ConfuserVersion.v10_r48717;
    else
        theVersion = ConfuserVersion.v14_r57778;

    var cctor = stubType.FindStaticConstructor();
    if (cctor == null)
        return;

    asmResolverMethod = FindAssemblyResolverMethod(entryPoint.DeclaringType);
    if (asmResolverMethod != null) {
        theVersion = ConfuserVersion.v14_r58802;
        simpleDeobfuscator.Deobfuscate(asmResolverMethod);
        // NOTE(review): "out uint key1" declares a local whose value is never read in this
        // method. If the class also has a key1 member, this local shadows it and the key
        // found here is discarded -- confirm which was intended.
        if (!FindKey1(asmResolverMethod, out uint key1))
            return;
    }

    switch (theVersion) {
    case ConfuserVersion.v10_r42915:
    case ConfuserVersion.v10_r48717:
    case ConfuserVersion.v14_r57778:
        break;

    case ConfuserVersion.v14_r58564:
    case ConfuserVersion.v14_r58802:
        simpleDeobfuscator.Deobfuscate(decyptMethod);
        if (FindKey0_v14_r58564(decyptMethod, out key0))
            break;
        if (!FindKey0_v14_r58852(decyptMethod, out key0))
            throw new ApplicationException("Could not find magic");

        if (!decryptLocals.Exists("System.Security.Cryptography.RijndaelManaged")) {
            theVersion = ConfuserVersion.v14_r58852;
        }
        else if (!use7zip) {
            theVersion = IsDecryptMethod_v17_r73404(decyptMethod)
                ? ConfuserVersion.v17_r73404
                : ConfuserVersion.v15_r60785;
        }
        // Locals are re-read here, after decyptMethod has been deobfuscated.
        else if (new LocalTypes(decyptMethod).Exists("System.IO.MemoryStream")) {
            theVersion = ConfuserVersion.v17_r75076;
        }
        else if (module.Name == "Stub.exe") {
            theVersion = ConfuserVersion.v18_r75184;
        }
        else {
            theVersion = !IsGetLenToPosStateMethodPrivate(stubType)
                ? ConfuserVersion.v18_r75367
                : ConfuserVersion.v19_r77172;
        }
        break;

    default:
        throw new ApplicationException("Invalid version");
    }

    simpleDeobfuscator.Deobfuscate(cctor);
    simpleDeobfuscator.DecryptStrings(cctor, deob);

    if (FindEntryPointToken(simpleDeobfuscator, cctor, entryPoint, out entryPointToken) && !use7zip) {
        // NOTE(review): asmResolverMethod is null here when no resolver method was found
        // above -- confirm that DotNetUtils.CallsMethod tolerates a null method.
        theVersion = DotNetUtils.CallsMethod(asmResolverMethod, "System.Void", "(System.String)")
            ? ConfuserVersion.v17_r73477
            : ConfuserVersion.v17_r73566;
    }

    mainAsmResource = FindResource(cctor);
    if (mainAsmResource == null)
        throw new ApplicationException("Could not find main assembly resource");

    // Published only after every step has succeeded.
    version = theVersion;
}
/// <summary>
/// Finds the first static "System.Object (System.UInt32)" method of the module type whose
/// locals match requiredLocals1 or requiredLocals2, sets the version member from the
/// constants and calls it contains, and registers a DecrypterInfo for it.
/// </summary>
public void Find() {
    var type = DotNetUtils.GetModuleType(module);
    if (type == null) {
        return;
    }

    foreach (var candidate in type.Methods) {
        bool staticWithBody = candidate.IsStatic && candidate.Body != null;
        if (!staticWithBody) {
            continue;
        }
        if (!DotNetUtils.IsMethod(candidate, "System.Object", "(System.UInt32)")) {
            continue;
        }

        DecrypterInfo info = new DecrypterInfo();
        var locals = new LocalTypes(candidate);

        if (locals.All(requiredLocals1)) {
            if (locals.Exists("System.Collections.BitArray")) { // or System.Random
                version = ConfuserVersion.v15_r60785_normal;
            }
            else if (DeobUtils.HasInteger(candidate, 0x100) && DeobUtils.HasInteger(candidate, 0x10000) && DeobUtils.HasInteger(candidate, 0xFFFF)) {
                version = ConfuserVersion.v17_r73404_normal;
            }
            else if (DotNetUtils.CallsMethod(candidate, "System.String System.Text.Encoding::GetString(System.Byte[])")) {
                bool hasConvI8 = FindInstruction(candidate.Body.Instructions, 0, Code.Conv_I8) >= 0;
                if (!hasConvI8) {
                    version = ConfuserVersion.v17_r73740_dynamic;
                }
                else if (DotNetUtils.CallsMethod(candidate, "System.Void System.Console::WriteLine()")) {
                    version = ConfuserVersion.v15_r60785_dynamic;
                }
                else {
                    version = ConfuserVersion.v17_r72989_dynamic;
                }
            }
            else if (DotNetUtils.CallsMethod(candidate, "System.String System.Text.Encoding::GetString(System.Byte[],System.Int32,System.Int32)")) {
                // The nativeMethod member is overwritten even when nothing is found.
                nativeMethod = FindNativeMethod(candidate);
                if (nativeMethod != null) {
                    version = ConfuserVersion.v17_r73764_native;
                }
                else {
                    version = ConfuserVersion.v17_r73764_dynamic;
                }
            }
            else {
                continue;
            }
        }
        else if (locals.All(requiredLocals2)) {
            if (DeobUtils.HasInteger(candidate, 0x100) && DeobUtils.HasInteger(candidate, 0x10000) && DeobUtils.HasInteger(candidate, 0xFFFF)) {
                version = ConfuserVersion.v17_r73822_normal;
            }
            else if (DotNetUtils.CallsMethod(candidate, "System.Int32 System.Object::GetHashCode()")) {
                nativeMethod = FindNativeMethod(candidate);
                version = nativeMethod != null
                    ? ConfuserVersion.v17_r74021_native
                    : ConfuserVersion.v17_r74021_dynamic;
            }
            else {
                nativeMethod = FindNativeMethod(candidate);
                version = nativeMethod != null
                    ? ConfuserVersion.v17_r73822_native
                    : ConfuserVersion.v17_r73822_dynamic;
            }
        }
        else {
            continue;
        }

        // The scan stops at the first classified method.
        info.decryptMethod = candidate;
        theDecrypterInfo = info;
        Add(info);
        break;
    }
}
/// <summary>
/// Recognises the unpacker stub at the module entry point, works out which ConfuserVersion
/// produced it, extracts key0/key1 where that version uses them, and locates the resource
/// that holds the main assembly. Returns without changing version when the stub fingerprint
/// does not match.
/// </summary>
/// <param name="simpleDeobfuscator">Deobfuscates methods before they are searched.</param>
/// <param name="deob">Passed to DecryptStrings for the static constructor.</param>
/// <exception cref="ApplicationException">
/// Thrown when neither key0 pattern matches, when the version reaching the switch is
/// unexpected, or when the main assembly resource is not found.
/// </exception>
public void Find(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
    var entryPoint = module.EntryPoint;
    if (entryPoint == null) {
        return;
    }

    var entryPointLocals = new LocalTypes(entryPoint);
    if (!entryPointLocals.All(requiredEntryPointLocals)) {
        return;
    }

    var type = entryPoint.DeclaringType;
    var stubFields = new FieldTypes(type);
    if (!stubFields.All(requiredFields)) {
        return;
    }

    // The nested-type count decides which decrypt-method search is used.
    bool use7zip = type.NestedTypes.Count == 6;
    MethodDef decyptMethod;
    if (use7zip) {
        decyptMethod = FindDecryptMethod_7zip(type);
    }
    else {
        decyptMethod = FindDecryptMethod_inflate(type);
    }
    if (decyptMethod == null) {
        return;
    }

    ConfuserVersion theVersion = ConfuserVersion.Unknown;

    // Inspected before decyptMethod is deobfuscated in the switch below.
    var decryptLocals = new LocalTypes(decyptMethod);
    if (decryptLocals.Exists("System.IO.MemoryStream")) {
        if (DotNetUtils.CallsMethod(entryPoint, "System.Void", "(System.String,System.Byte[])")) {
            theVersion = ConfuserVersion.v10_r42915;
        }
        else if (DotNetUtils.CallsMethod(entryPoint, "System.Void", "(System.Security.Permissions.PermissionState)")) {
            theVersion = ConfuserVersion.v10_r48717;
        }
        else {
            theVersion = ConfuserVersion.v14_r57778;
        }
    }
    else {
        theVersion = ConfuserVersion.v14_r58564;
    }

    var cctor = type.FindStaticConstructor();
    if (cctor == null) {
        return;
    }

    asmResolverMethod = FindAssemblyResolverMethod(entryPoint.DeclaringType);
    if (asmResolverMethod != null) {
        theVersion = ConfuserVersion.v14_r58802;
        simpleDeobfuscator.Deobfuscate(asmResolverMethod);
        if (!FindKey1(asmResolverMethod, out key1)) {
            return;
        }
    }

    switch (theVersion) {
    case ConfuserVersion.v10_r42915:
    case ConfuserVersion.v10_r48717:
    case ConfuserVersion.v14_r57778:
        // No key0 to extract for these versions.
        break;

    case ConfuserVersion.v14_r58564:
    case ConfuserVersion.v14_r58802:
        simpleDeobfuscator.Deobfuscate(decyptMethod);
        if (FindKey0_v14_r58564(decyptMethod, out key0)) {
            break;
        }
        if (!FindKey0_v14_r58852(decyptMethod, out key0)) {
            throw new ApplicationException("Could not find magic");
        }

        if (!decryptLocals.Exists("System.Security.Cryptography.RijndaelManaged")) {
            theVersion = ConfuserVersion.v14_r58852;
            break;
        }

        if (!use7zip) {
            if (IsDecryptMethod_v17_r73404(decyptMethod)) {
                theVersion = ConfuserVersion.v17_r73404;
            }
            else {
                theVersion = ConfuserVersion.v15_r60785;
            }
            break;
        }

        // 7zip variants; the locals are re-read after the Deobfuscate() call above.
        if (new LocalTypes(decyptMethod).Exists("System.IO.MemoryStream")) {
            theVersion = ConfuserVersion.v17_r75076;
        }
        else if (module.Name == "Stub.exe") {
            theVersion = ConfuserVersion.v18_r75184;
        }
        else if (!IsGetLenToPosStateMethodPrivate(type)) {
            theVersion = ConfuserVersion.v18_r75367;
        }
        else {
            theVersion = ConfuserVersion.v19_r77172;
        }
        break;

    default:
        throw new ApplicationException("Invalid version");
    }

    simpleDeobfuscator.Deobfuscate(cctor);
    simpleDeobfuscator.DecryptStrings(cctor, deob);

    bool foundEntryPointToken = FindEntryPointToken(simpleDeobfuscator, cctor, entryPoint, out entryPointToken);
    if (foundEntryPointToken && !use7zip) {
        // NOTE(review): asmResolverMethod is null here when no resolver method was found
        // above -- confirm that DotNetUtils.CallsMethod tolerates a null method.
        if (DotNetUtils.CallsMethod(asmResolverMethod, "System.Void", "(System.String)")) {
            theVersion = ConfuserVersion.v17_r73477;
        }
        else {
            theVersion = ConfuserVersion.v17_r73566;
        }
    }

    mainAsmResource = FindResource(cctor);
    if (mainAsmResource == null) {
        throw new ApplicationException("Could not find main assembly resource");
    }

    // The version member is written last, once nothing else can fail.
    version = theVersion;
}