string getPassword(MethodDefinition decryptMethod) { foreach (var method in DotNetUtils.getCalledMethods(module, decryptMethod)) { if (!method.IsStatic || method.Body == null) { continue; } if (!MemberReferenceHelper.compareTypes(method.DeclaringType, decryptMethod.DeclaringType)) { continue; } if (!DotNetUtils.isMethod(method, "System.String", "()")) { continue; } var hexChars = getPassword2(method); if (string.IsNullOrEmpty(hexChars)) { continue; } var password = fixPassword(hexChars); if (string.IsNullOrEmpty(password)) { continue; } return(password); } return(null); }
protected override bool isUnknownType(object o) { var arg = o as ParameterDefinition; if (arg != null) { return(MemberReferenceHelper.isSystemObject(arg.ParameterType)); } var field = o as FieldDefinition; if (field != null) { return(MemberReferenceHelper.isSystemObject(field.FieldType)); } var retType = o as MethodReturnType; if (retType != null) { return(MemberReferenceHelper.isSystemObject(retType.ReturnType)); } throw new ApplicationException(string.Format("Unknown type: {0}", o.GetType())); }
protected virtual bool canInline(MethodDefinition method) { if (method.GenericParameters.Count > 0) { return(false); } if (MemberReferenceHelper.compareMethodReferenceAndDeclaringType(method, blocks.Method)) { return(false); } if (!MemberReferenceHelper.compareTypes(method.DeclaringType, blocks.Method.DeclaringType)) { return(false); } if (method.IsStatic) { return(true); } if (method.IsVirtual) { return(false); } return(inlineInstanceMethods); }
public bool updateNewType(ModuleDefinition module) { if (types.Count == 0) { return(false); } TypeReference theNewType = null; foreach (var key in types.Keys) { if (theNewType == null) { theNewType = key.TypeReference; continue; } theNewType = getCommonBaseClass(module, theNewType, key.TypeReference); if (theNewType == null) { break; } } if (theNewType == null) { return(false); } if (MemberReferenceHelper.compareTypes(theNewType, newType)) { return(false); } newType = theNewType; return(true); }
void fixTypeofDecrypterInstructions(Blocks blocks) { var type = getDecrypterType(); if (type == null) { return; } foreach (var block in blocks.MethodBlocks.getAllBlocks()) { var instructions = block.Instructions; for (int i = 0; i < instructions.Count; i++) { var instr = instructions[i]; if (instr.OpCode.Code != Code.Ldtoken) { continue; } if (!MemberReferenceHelper.compareTypes(type, instr.Operand as TypeReference)) { continue; } instructions[i] = new Instr(Instruction.Create(OpCodes.Ldtoken, blocks.Method.DeclaringType)); } } }
protected override TypeReference updateGenericParameter(GenericParameter a) { switch (a.Type) { case GenericParameterType.Type: if (git == null || a.Position >= git.GenericArguments.Count || !MemberReferenceHelper.compareTypes(git.ElementType, a.Owner as TypeReference)) { return(a); } modified = true; return(update(git.GenericArguments[a.Position])); case GenericParameterType.Method: if (gim == null || a.Position >= gim.GenericArguments.Count) { return(a); } modified = true; return(update(gim.GenericArguments[a.Position])); default: return(a); } }
void deleteCustomAttributes(IList <CustomAttribute> customAttrs) { if (customAttrs == null) { return; } foreach (var info in attrsToRemove) { var typeDef = info.obj; if (typeDef == null) { continue; } for (int i = 0; i < customAttrs.Count; i++) { if (MemberReferenceHelper.compareTypes(customAttrs[i].AttributeType, typeDef)) { customAttrs.RemoveAt(i); Log.v("Removed custom attribute {0} ({1:X8}) (reason: {2})", Utils.removeNewlines(typeDef), typeDef.MetadataToken.ToUInt32(), info.reason); break; } } } }
bool addCast(Block block, int castIndex, int index, TypeReference type) { if (type == null) { return(false); } if (castIndex >= block.Instructions.Count || index >= block.Instructions.Count) { return(false); } var stloc = block.Instructions[index]; if (!stloc.isStloc()) { return(false); } var local = DotNetUtils.getLocalVar(blocks.Locals, stloc.Instruction); if (local == null) { return(false); } var localInfo = localInfos[local]; if (localInfo.CastType == null) { return(false); } if (!MemberReferenceHelper.compareTypes(localInfo.CastType, type)) { block.insert(castIndex, new Instruction(OpCodes.Castclass, localInfo.CastType)); } return(true); }
bool compareMethod(MethodReference method, BabelMethodreference babelMethodRef) { if (method.Parameters.Count != babelMethodRef.Parameters.Length) { return(false); } if (method.Name != babelMethodRef.Name) { return(false); } if (method.HasThis != babelMethodRef.HasThis) { return(false); } if (method.GenericParameters.Count != babelMethodRef.GenericArguments.Length) { return(false); } if (!MemberReferenceHelper.compareTypes(method.MethodReturnType.ReturnType, babelMethodRef.ReturnType)) { return(false); } for (int i = 0; i < babelMethodRef.Parameters.Length; i++) { if (!MemberReferenceHelper.compareTypes(method.Parameters[i].ParameterType, babelMethodRef.Parameters[i].ParameterType)) { return(false); } } return(true); }
public FieldDefinition resolve(FieldReference field) { if (field == null) { return(null); } var fieldDef = field as FieldDefinition; if (fieldDef != null) { return(fieldDef); } var type = resolve(field.DeclaringType); if (type == null) { return(null); } foreach (var f in type.Fields) { if (MemberReferenceHelper.compareFieldReference(field, f)) { return(f); } } return(null); }
public MethodDefinition resolve(MethodReference method) { if (method == null) { return(null); } var methodDef = method as MethodDefinition; if (methodDef != null) { return(methodDef); } var type = resolve(method.DeclaringType); if (type == null) { return(null); } foreach (var m in type.Methods) { if (MemberReferenceHelper.compareMethodReference(method, m)) { return(m); } } return(null); }
public void deobfuscate(Blocks blocks) { if (!Detected) { return; } if (stringStructField == null) { return; } foreach (var block in blocks.MethodBlocks.getAllBlocks()) { var instrs = block.Instructions; for (int i = 0; i < instrs.Count - 1; i++) { var ldstr = instrs[i]; if (ldstr.OpCode.Code != Code.Ldstr) { continue; } var ldfld = instrs[i + 1]; if (ldfld.OpCode.Code != Code.Ldfld) { continue; } if (!MemberReferenceHelper.compareFieldReferenceAndDeclaringType(stringStructField, ldfld.Operand as FieldReference)) { continue; } block.remove(i + 1, 1); } } }
public void deobfuscate(Blocks blocks) { foreach (var block in blocks.MethodBlocks.getAllBlocks()) { var instrs = block.Instructions; for (int i = 0; i < instrs.Count - 2; i++) { var ldsfld = instrs[i]; if (ldsfld.OpCode.Code != Code.Ldsfld) { continue; } var ldci4 = instrs[i + 1]; if (!ldci4.isLdcI4()) { continue; } var stfld = instrs[i + 2]; if (stfld.OpCode.Code != Code.Stfld) { continue; } var field = stfld.Operand as FieldReference; if (!MemberReferenceHelper.compareFieldReferenceAndDeclaringType(enumField, field)) { continue; } block.remove(i, 3); i--; } } }
bool checkMemoryManagerType(TypeDefinition type, MethodDefinition method) { // Only two fields: itself and a long int fields = 0; foreach (var field in type.Fields) { if (MemberReferenceHelper.compareTypes(field.FieldType, type) || field.FieldType.FullName == "System.Int64") { fields++; continue; } if (DotNetUtils.derivesFromDelegate(DotNetUtils.getType(module, field.FieldType))) { continue; } return(false); } if (fields != 2) { return(false); } if (DotNetUtils.getPInvokeMethod(type, "kernel32", "SetProcessWorkingSetSize") == null) { return(false); } return(true); }
void findInitializeComponentMethod(TypeDef type, MethodDef possibleInitMethod) { foreach (var methodDef in type.AllMethods) { if (methodDef.MethodDefinition.Name != ".ctor") { continue; } if (methodDef.MethodDefinition.Body == null) { continue; } foreach (var instr in methodDef.MethodDefinition.Body.Instructions) { if (instr.OpCode.Code != Code.Call && instr.OpCode.Code != Code.Callvirt) { continue; } if (!MemberReferenceHelper.compareMethodReferenceAndDeclaringType(possibleInitMethod.MethodDefinition, instr.Operand as MethodReference)) { continue; } memberInfos.method(possibleInitMethod).suggestedName = "InitializeComponent"; return; } } }
public void deobfuscate(Blocks blocks) { if (initMethod == null) { return; } if (blocks.Method.Name != ".cctor") { return; } foreach (var block in blocks.MethodBlocks.getAllBlocks()) { var instrs = block.Instructions; for (int i = 0; i < instrs.Count; i++) { var instr = instrs[i]; if (instr.OpCode.Code != Code.Call) { continue; } var calledMethod = instr.Operand as MethodReference; if (!MemberReferenceHelper.compareMethodReferenceAndDeclaringType(calledMethod, initMethod)) { continue; } block.remove(i, 1); i--; } } }
bool checkCctor(MethodDefinition cctor) { var ldtokenType = getLdtokenType(cctor); if (!MemberReferenceHelper.compareTypes(ldtokenType, cctor.DeclaringType)) { return(false); } MethodDefinition initMethod = null; foreach (var method in DotNetUtils.getCalledMethods(module, cctor)) { if (DotNetUtils.isMethod(method, "System.Void", "(System.Type)")) { initMethod = method; break; } } if (initMethod == null || initMethod.Body == null) { return(false); } return(true); }
public override bool Equals(object obj) { var other = obj as MethodDefKey; if (other == null) { return(false); } return(MemberReferenceHelper.compareMethodReferenceAndDeclaringType(methodDef.MethodDefinition, other.methodDef.MethodDefinition)); }
public TypeReference convert(TypeReference a) { var newOne = update(a); if (!(a is GenericParameter) && !MemberReferenceHelper.compareTypes(newOne, a)) { throw new ApplicationException("Could not convert type reference"); } return(newOne); }
static bool hasFieldType(IEnumerable <FieldDefinition> fields, TypeReference fieldType) { foreach (var field in fields) { if (MemberReferenceHelper.compareTypes(field.FieldType, fieldType)) { return(true); } } return(false); }
public override bool Equals(object obj) { var other = obj as TypeInfo; if (other == null) { return(false); } return(typeDef == other.typeDef && MemberReferenceHelper.compareTypes(typeReference, other.typeReference)); }
static bool matches(IEnumerable <FieldDefinition> ourFields, FieldReference field) { foreach (var ourField in ourFields) { if (MemberReferenceHelper.compareFieldReferenceAndDeclaringType(ourField, field)) { return(true); } } return(false); }
protected override bool isCompatibleType(int paramIndex, TypeReference origType, TypeReference newType) { if (MemberReferenceHelper.compareTypes(origType, newType)) { return(true); } if (newType.IsValueType || origType.IsValueType) { return(false); } return(newType.FullName == "System.Object"); }
public TypeReference update(TypeReference a) { if (a == null) { return(null); } var type = MemberReferenceHelper.getMemberReferenceType(a); switch (type) { case CecilType.ArrayType: return(updateArrayType((ArrayType)a)); case CecilType.ByReferenceType: return(updateByReferenceType((ByReferenceType)a)); case CecilType.FunctionPointerType: return(updateFunctionPointerType((FunctionPointerType)a)); case CecilType.GenericInstanceType: return(updateGenericInstanceType((GenericInstanceType)a)); case CecilType.GenericParameter: return(updateGenericParameter((GenericParameter)a)); case CecilType.OptionalModifierType: return(updateOptionalModifierType((OptionalModifierType)a)); case CecilType.PinnedType: return(updatePinnedType((PinnedType)a)); case CecilType.PointerType: return(updatePointerType((PointerType)a)); case CecilType.RequiredModifierType: return(updateRequiredModifierType((RequiredModifierType)a)); case CecilType.SentinelType: return(updateSentinelType((SentinelType)a)); case CecilType.TypeDefinition: return(updateTypeDefinition((TypeDefinition)a)); case CecilType.TypeReference: return(updateTypeReference((TypeReference)a)); default: throw new ApplicationException(string.Format("Unknown cecil type {0}", type)); } }
public static bool findRegisterMethod(TypeDefinition type, out MethodDefinition regMethod, out MethodDefinition handler) { foreach (var method in type.Methods) { if (!method.IsStatic || method.Body == null) { continue; } if (method.Body.ExceptionHandlers.Count != 1) { continue; } foreach (var instr in method.Body.Instructions) { if (instr.OpCode.Code != Code.Ldftn) { continue; } var handlerRef = instr.Operand as MethodReference; if (handlerRef == null) { continue; } if (!DotNetUtils.isMethod(handlerRef, "System.Reflection.Assembly", "(System.Object,System.ResolveEventArgs)")) { continue; } if (!MemberReferenceHelper.compareTypes(type, handlerRef.DeclaringType)) { continue; } handler = DotNetUtils.getMethod(type, handlerRef); if (handler == null) { continue; } if (handler.Body == null || handler.Body.ExceptionHandlers.Count != 1) { continue; } regMethod = method; return(true); } } regMethod = null; handler = null; return(false); }
public void initialize(ISimpleDeobfuscator deobfuscator) { if (decrypterCctor == null) { return; } deobfuscator.deobfuscate(decrypterCctor); var instrs = decrypterCctor.Body.Instructions; for (int i = 0; i < instrs.Count - 4; i++) { var ldstr = instrs[i]; if (ldstr.OpCode.Code != Code.Ldstr) { continue; } var encryptedString = ldstr.Operand as string; if (encryptedString == null) { continue; } if (instrs[i + 1].OpCode.Code != Code.Stsfld) { continue; } if (instrs[i + 2].OpCode.Code != Code.Ldsfld) { continue; } if (instrs[i + 3].OpCode.Code != Code.Call) { continue; } if (instrs[i + 4].OpCode.Code != Code.Stsfld) { continue; } var field = instrs[i + 4].Operand as FieldDefinition; if (field == null) { continue; } if (!MemberReferenceHelper.compareTypes(field.DeclaringType, decrypterType)) { continue; } fieldToDecryptedString.add(field, decrypter.decrypt(encryptedString)); } }
static bool checkCall(Instr instr, MethodReference expectedMethod) { if (instr.OpCode.Code != Code.Call && instr.OpCode.Code != Code.Callvirt) { return(false); } var calledMethod = instr.Operand as MethodReference; if (calledMethod == null) { return(false); } return(MemberReferenceHelper.compareMethodReferenceAndDeclaringType(calledMethod, expectedMethod)); }
static bool isCompatibleValueThisPtr(TypeReference origType, TypeReference newType) { var newByRef = newType as ByReferenceType; if (newByRef == null) { return(false); } if (!newByRef.ElementType.IsValueType || !origType.IsValueType) { return(false); } return(MemberReferenceHelper.compareTypes(origType, newByRef.ElementType)); }
bool isValidType(TypeReference type) { if (type == null) { return(false); } if (type.EType == ElementType.Void) { return(false); } while (type != null) { switch (MemberReferenceHelper.getMemberReferenceType(type)) { case CecilType.ArrayType: case CecilType.GenericInstanceType: case CecilType.PointerType: case CecilType.TypeDefinition: case CecilType.TypeReference: case CecilType.FunctionPointerType: break; case CecilType.GenericParameter: var gp = (GenericParameter)type; if (method.DeclaringType != gp.Owner && method != gp.Owner) { return(false); } break; case CecilType.ByReferenceType: case CecilType.OptionalModifierType: case CecilType.PinnedType: case CecilType.RequiredModifierType: case CecilType.SentinelType: default: return(false); } if (!(type is TypeSpecification)) { break; } type = ((TypeSpecification)type).ElementType; } return(type != null); }
bool checkNestedFields(TypeDefinition nested) { if (!new FieldTypes(nested).all(requiredTypes)) { return(false); } foreach (var field in nested.Fields) { if (MemberReferenceHelper.compareTypes(nested, field.FieldType)) { return(true); } } return(false); }