Example #1
0
        public void Find()
        {
            var additionalTypes = new string[] {
                "System.Boolean",
            };

            foreach (var type in module.Types)
            {
                if (type.BaseType == null || type.BaseType.FullName != "System.Object")
                {
                    continue;
                }
                foreach (var method in type.Methods)
                {
                    if (!method.IsStatic || !method.HasBody)
                    {
                        continue;
                    }
                    if (!DotNetUtils.IsMethod(method, "System.Boolean", "(System.Int32)"))
                    {
                        continue;
                    }
                    if (!encryptedResource.CouldBeResourceDecrypter(method, additionalTypes))
                    {
                        continue;
                    }

                    encryptedResource.Method = method;
                    return;
                }
            }
        }
Example #2
0
        public void Find(ISimpleDeobfuscator simpleDeobfuscator)
        {
            var additionalTypes = new string[] {
                "System.String",
            };
            EmbeddedResource stringsResource = null;

            foreach (var type in module.Types)
            {
                if (decrypterInfos.Count > 0)
                {
                    break;
                }
                if (type.BaseType == null || type.BaseType.FullName != "System.Object")
                {
                    continue;
                }
                foreach (var method in type.Methods)
                {
                    if (!method.IsStatic || !method.HasBody)
                    {
                        continue;
                    }
                    if (!DotNetUtils.IsMethod(method, "System.String", "(System.Int32)"))
                    {
                        continue;
                    }
                    if (!encryptedResource.CouldBeResourceDecrypter(method, additionalTypes))
                    {
                        continue;
                    }

                    var resource = DotNetUtils.GetResource(module, DotNetUtils.GetCodeStrings(method)) as EmbeddedResource;
                    if (resource == null)
                    {
                        throw new ApplicationException("Could not find strings resource");
                    }
                    if (stringsResource != null && stringsResource != resource)
                    {
                        throw new ApplicationException("Two different string resources found");
                    }

                    stringsResource          = resource;
                    encryptedResource.Method = method;

                    var info = new DecrypterInfo(method, null, null);
                    simpleDeobfuscator.Deobfuscate(info.method);
                    FindKeyIv(info.method, out info.key, out info.iv);

                    decrypterInfos.Add(info);
                }
            }

            if (decrypterInfos.Count > 0)
            {
                FindOtherStringDecrypter(decrypterInfos[0].method.DeclaringType);
            }
        }
Example #3
0
        MethodDef GetResourceDecrypterInitMethod(MethodDef method, string[] additionalTypes, bool checkResource)
        {
            if (encryptedResource.CouldBeResourceDecrypter(method, additionalTypes, checkResource))
            {
                return(method);
            }

            foreach (var calledMethod in DotNetUtils.GetCalledMethods(module, method))
            {
                if (!DotNetUtils.IsMethod(calledMethod, "System.Void", "()"))
                {
                    continue;
                }
                if (encryptedResource.CouldBeResourceDecrypter(calledMethod, additionalTypes, checkResource))
                {
                    return(calledMethod);
                }
            }

            return(null);
        }
Example #4
0
        public void Find()
        {
            var additionalTypes = new string[] {
                "System.IntPtr",
//				"System.Reflection.Assembly",		//TODO: Not in unknown DNR version with jitter support
            };
            var checkedMethods = new Dictionary <IMethod, bool>(MethodEqualityComparer.CompareDeclaringTypes);
            var callCounter    = new CallCounter();
            int typesLeft      = 30;

            foreach (var type in module.GetTypes())
            {
                var cctor = type.FindStaticConstructor();
                if (cctor == null || cctor.Body == null)
                {
                    continue;
                }
                if (typesLeft-- <= 0)
                {
                    break;
                }

                foreach (var method in DotNetUtils.GetCalledMethods(module, cctor))
                {
                    if (!checkedMethods.ContainsKey(method))
                    {
                        checkedMethods[method] = false;
                        if (method.DeclaringType.BaseType == null || method.DeclaringType.BaseType.FullName != "System.Object")
                        {
                            continue;
                        }
                        if (!DotNetUtils.IsMethod(method, "System.Void", "()"))
                        {
                            continue;
                        }
                        if (!encryptedResource.CouldBeResourceDecrypter(method, additionalTypes))
                        {
                            continue;
                        }
                        checkedMethods[method] = true;
                    }
                    else if (!checkedMethods[method])
                    {
                        continue;
                    }
                    callCounter.Add(method);
                }
            }

            encryptedResource.Method = (MethodDef)callCounter.Most();
        }
Example #5
0
        public void Find(ISimpleDeobfuscator simpleDeobfuscator)
        {
            var additionalTypes = new string[] {
                "System.String",
            };

            foreach (var type in module.Types)
            {
                if (type.BaseType == null || type.BaseType.FullName != "System.Object")
                {
                    continue;
                }
                if (!CheckFields(type.Fields))
                {
                    continue;
                }
                foreach (var method in type.Methods)
                {
                    if (!method.IsStatic || !method.HasBody)
                    {
                        continue;
                    }
                    if (!DotNetUtils.IsMethod(method, "System.Reflection.Assembly", "(System.Object,System.ResolveEventArgs)") &&
                        !DotNetUtils.IsMethod(method, "System.Reflection.Assembly", "(System.Object,System.Object)"))
                    {
                        continue;
                    }
                    if (!encryptedResource.CouldBeResourceDecrypter(method, additionalTypes, false))
                    {
                        continue;
                    }

                    encryptedResource.Method = method;
                    return;
                }
            }
        }