        /// <summary>
        /// Fingerprints the Confuser v1.4 r58564 layout of this runtime type.
        /// Succeeds only when <paramref name="type"/> declares a VirtualProtect
        /// P/Invoke, <paramref name="initMethod"/> calls Marshal.GetHINSTANCE,
        /// calls that VirtualProtect import exactly three times and carries the
        /// integer constants 224, 240 and 267. On success <c>version</c> is set to
        /// <c>ConfuserVersion.v14_r58564</c>; any failed check returns false and
        /// leaves <c>version</c> untouched.
        /// </summary>
        /// <param name="type">Candidate runtime type, searched for the VirtualProtect P/Invoke.</param>
        /// <param name="initMethod">Runtime initializer whose call targets and constants are inspected.</param>
        /// <returns>true when every check matched and <c>version</c> was assigned.</returns>
        bool CheckType_v14_r58564(TypeDef type, MethodDef initMethod)
        {
            // Exact-signature checks: a stub whose call count or constants were edited is
            // rejected (false) rather than mis-versioned. VirtualProtect + GetHINSTANCE
            // presumably means the stub rewrites its own mapped image — not verifiable here.
            var vprotect = DotNetUtils.GetPInvokeMethod(type, "VirtualProtect");
            if (vprotect == null)
                return false;
            if (!DotNetUtils.CallsMethod(initMethod, "System.IntPtr System.Runtime.InteropServices.Marshal::GetHINSTANCE(System.Reflection.Module)"))
                return false;
            if (ConfuserUtils.CountCalls(initMethod, vprotect) != 3)
                return false;

            // All three constants must be present; evaluated in the same order as before.
            foreach (var required in new[] { 224, 240, 267 }) {
                if (!DeobUtils.HasInteger(initMethod, required))
                    return false;
            }

            version = ConfuserVersion.v14_r58564;
            return true;
        }
		/// <summary>
		/// Selects the version flavor for a decrypter: <paramref name="native"/> when a
		/// native helper was already found (<c>nativeMethod != null</c>), otherwise
		/// <paramref name="normal"/> if <paramref name="installMethod"/> carries the
		/// 0x10000 constant, else <paramref name="dynamic"/>. Always writes <c>version</c>.
		/// </summary>
		void InitVersion(MethodDef installMethod, ConfuserVersion normal, ConfuserVersion dynamic, ConfuserVersion native) {
			// nativeMethod takes precedence over the constant probe.
			version = nativeMethod != null
				? native
				: (DeobUtils.HasInteger(installMethod, 0x10000) ? normal : dynamic);
		}
 /// <summary>
 /// Binds this unpacker to <paramref name="module"/>. When <paramref name="other"/>
 /// is supplied its detected <c>version</c> is copied over; otherwise <c>version</c>
 /// keeps its default value.
 /// </summary>
 public Unpacker(ModuleDefMD module, Unpacker other)
 {
     this.module = module;
     // Pattern match doubles as the null check.
     if (other is Unpacker source)
         version = source.version;
 }
			/// <summary>
			/// Captures the facts collected about one proxy-creator method: the method
			/// itself, its kind, the detected Confuser version, the magic constant, the
			/// optional native helper and <paramref name="callvirtChar"/> (presumably the
			/// character that distinguishes callvirt proxies — confirm against the caller).
			/// No validation is performed; fields are stored exactly as given.
			/// </summary>
			public ProxyCreatorInfo(MethodDef creatorMethod, ProxyCreatorType proxyCreatorType, ConfuserVersion version, uint magic, MethodDef nativeMethod, ushort callvirtChar) {
				this.callvirtChar = callvirtChar;
				this.nativeMethod = nativeMethod;
				this.magic = magic;
				this.version = version;
				this.proxyCreatorType = proxyCreatorType;
				this.creatorMethod = creatorMethod;
			}
		/// <summary>
		/// Fingerprints this runtime type and picks the matching <c>ConfuserVersion</c>.
		/// Hard requirements: a non-null type with exactly three methods, a
		/// kernel32!VirtualProtect P/Invoke, the string "Broken file" in
		/// <paramref name="initMethod"/>, and a decrypt method located by
		/// FindDecryptMethod (stored in <c>decryptMethod</c> as a side effect, even if a
		/// later check fails). Version selection is an ordered if/else chain: the first
		/// matching rule wins, and only the Buffer.BlockCopy call-count rule can still
		/// reject the type. Note that the final <c>else</c> accepts anything that reached
		/// it, so a stub whose strings were altered is reported as the newest version
		/// rather than rejected — the caller then presumably runs the wrong decrypter.
		/// </summary>
		/// <param name="type">Candidate runtime type.</param>
		/// <param name="initMethod">Runtime initializer whose strings and call targets are inspected.</param>
		/// <returns>true when <c>version</c> was assigned.</returns>
		protected override bool CheckType(TypeDef type, MethodDef initMethod) {
			if (type == null)
				return false;
			if (type.Methods.Count != 3)
				return false;
			var virtProtect = DotNetUtils.GetPInvokeMethod(type, "kernel32", "VirtualProtect");
			if (virtProtect == null)
				return false;
			if (!DotNetUtils.HasString(initMethod, "Broken file"))
				return false;

			// Side effect: decryptMethod is written here regardless of the outcome below.
			if ((decryptMethod = FindDecryptMethod(type)) == null)
				return false;

			bool callsFileStreamCtor = DotNetUtils.CallsMethod(initMethod, "System.Void System.IO.FileStream::.ctor(System.String,System.IO.FileMode,System.IO.FileAccess,System.IO.FileShare)");
			// No "Module error" string at all: oldest recognized layout.
			if (!DotNetUtils.HasString(initMethod, "Module error"))
				version = ConfuserVersion.v14_r57884;
			// Private VirtualProtect + FileStream ctor: the number of Buffer.BlockCopy
			// calls in the initializer separates three revisions; 3 or 5+ is unknown.
			else if (virtProtect.IsPrivate && callsFileStreamCtor) {
				int calls = ConfuserUtils.CountCalls(initMethod, "System.Void System.Buffer::BlockCopy(System.Array,System.Int32,System.Array,System.Int32,System.Int32)");
				if (calls <= 1)
					version = ConfuserVersion.v14_r58564;
				else if (calls == 2)
					version = ConfuserVersion.v14_r58852;
				else if (calls == 4)
					version = ConfuserVersion.v15_r59014;
				else
					return false;
			}
			// FileStream ctor with a non-private VirtualProtect.
			else if (callsFileStreamCtor)
				version = ConfuserVersion.v14_r58004;
			// GetHashCode-based layout; "<Unknown>" string marks the later revision.
			else if (DotNetUtils.CallsMethod(initMethod, "System.Int32 System.Object::GetHashCode()")) {
				if (DotNetUtils.HasString(initMethod, "<Unknown>"))
					version = ConfuserVersion.v17_r72989;
				else
					version = ConfuserVersion.v16_r71742;
			}
			// Rijndael.Create in the decrypt method (not the initializer).
			else if (DotNetUtils.CallsMethod(decryptMethod, "System.Security.Cryptography.Rijndael System.Security.Cryptography.Rijndael::Create()"))
				version = ConfuserVersion.v17_r73605;
			else if (DotNetUtils.HasString(initMethod, "<Unknown>"))
				version = ConfuserVersion.v18_r75288;
			// Catch-all: every remaining layout is treated as v19_r75725.
			else
				version = ConfuserVersion.v19_r75725;

			return true;
		}
		/// <summary>
		/// Fingerprints the "safe" flavor of Confuser's anti-debug runtime. Two placements
		/// are recognized: (1) the runtime lives in the module's global type, where only
		/// the "Debugger detected (Managed)" string and the first profiler-string set are
		/// required (v14_r57588_safe); (2) a dedicated type that declares the
		/// ntdll!NtQueryInformationProcess, ntdll!NtSetInformationProcess and
		/// kernel32!CloseHandle P/Invokes plus a separate anti-debug method, which is
		/// narrowed to one of v16_r61954_safe .. v19_r78363_safe. <c>version</c> is only
		/// written on success; every failed check returns false without touching it.
		/// </summary>
		/// <param name="type">Type expected to host the anti-debug runtime.</param>
		/// <param name="initMethod">Runtime initializer (strings and call targets are inspected).</param>
		/// <returns>true when a layout matched and <c>version</c> was assigned.</returns>
		bool CheckMethod_safe(TypeDef type, MethodDef initMethod) {
			if (type == DotNetUtils.GetModuleType(module)) {
				if (!DotNetUtils.HasString(initMethod, "Debugger detected (Managed)"))
					return false;
				if (!CheckProfilerStrings1(initMethod))
					return false;

				version = ConfuserVersion.v14_r57588_safe;
			}
			else {
				// All three native imports must be declared on the type itself.
				var ntQueryInformationProcess = DotNetUtils.GetPInvokeMethod(type, "ntdll", "NtQueryInformationProcess");
				if (ntQueryInformationProcess == null)
					return false;
				if (DotNetUtils.GetPInvokeMethod(type, "ntdll", "NtSetInformationProcess") == null)
					return false;
				if (DotNetUtils.GetPInvokeMethod(type, "kernel32", "CloseHandle") == null)
					return false;
				var antiDebugMethod = GetAntiDebugMethod(type, initMethod);
				if (antiDebugMethod == null)
					return false;
				// Either spelling of the managed-debugger message counts; its absence is
				// itself a fingerprint (v19_r78363_safe) rather than a failure.
				bool hasDebuggerStrings = DotNetUtils.HasString(antiDebugMethod, "Debugger detected (Managed)") ||
						DotNetUtils.HasString(antiDebugMethod, "Debugger is detected (Managed)");
				if (!DotNetUtils.CallsMethod(initMethod, "System.Void System.Threading.Thread::.ctor(System.Threading.ParameterizedThreadStart)"))
					return false;
				// The "safe" flavor requires zero NtQueryInformationProcess calls inside the
				// anti-debug method; the "normal" flavor is fingerprinted separately.
				if (ConfuserUtils.CountCalls(antiDebugMethod, ntQueryInformationProcess) != 0)
					return false;
				if (!CheckProfilerStrings1(initMethod) && !CheckProfilerStrings2(initMethod))
					return false;

				// Exactly two Environment.FailFast call sites are expected here.
				int failFastCalls = ConfuserUtils.CountCalls(antiDebugMethod, "System.Void System.Environment::FailFast(System.String)");
				if (failFastCalls != 2)
					return false;

				if (hasDebuggerStrings) {
					// Ordered narrowing: thread ctor inside the anti-debug method, then the
					// IsDebuggerPresent import, then which profiler-string set matched.
					if (!DotNetUtils.CallsMethod(antiDebugMethod, "System.Void System.Threading.Thread::.ctor(System.Threading.ParameterizedThreadStart)"))
						version = ConfuserVersion.v16_r61954_safe;
					else if (DotNetUtils.GetPInvokeMethod(type, "IsDebuggerPresent") == null)
						version = ConfuserVersion.v17_r73822_safe;
					else if (CheckProfilerStrings1(initMethod))
						version = ConfuserVersion.v17_r74021_safe;
					else
						version = ConfuserVersion.v19_r76119_safe;
				}
				else {
					version = ConfuserVersion.v19_r78363_safe;
				}
			}

			return true;
		}
		/// <summary>
		/// Resolves which flavor of a version triple applies: <paramref name="native"/>
		/// if <c>nativeMethod</c> was found, else <paramref name="normal"/> when
		/// <paramref name="installMethod"/> contains the constant 0x10000, else
		/// <paramref name="dynamic"/>. <c>version</c> is always overwritten.
		/// </summary>
		void InitVersion(MethodDef installMethod, ConfuserVersion normal, ConfuserVersion dynamic, ConfuserVersion native) {
			ConfuserVersion detected;
			if (nativeMethod != null) {
				detected = native;
			}
			else if (DeobUtils.HasInteger(installMethod, 0x10000)) {
				detected = normal;
			}
			else {
				detected = dynamic;
			}
			version = detected;
		}
		/// <summary>
		/// Fingerprints the r58852-and-later layouts of this runtime type. Requires a
		/// VirtualProtect P/Invoke, a Marshal.GetHINSTANCE call, 14 or 16 calls to that
		/// VirtualProtect import, and five inline integer constants. Decoded as
		/// little-endian ASCII the four 32-bit constants are "ntdl", "l.dl", "NtCo",
		/// "ntin" — presumably "ntdll.dll" / "NtContinue" assembled inline (confirm);
		/// 0x3C is presumably the e_lfanew offset of the DOS header (confirm). Version is
		/// then narrowed by the 0x18 constant, the VirtualProtect call count and the
		/// number of <c>localloc</c> opcodes. <c>version</c> is written only on success.
		/// </summary>
		/// <param name="type">Candidate runtime type.</param>
		/// <param name="initMethod">Runtime initializer whose constants, calls and opcodes are inspected.</param>
		/// <returns>true when a layout matched and <c>version</c> was assigned.</returns>
		bool CheckType_v14_r58852(TypeDef type, MethodDef initMethod) {
			var virtualProtect = DotNetUtils.GetPInvokeMethod(type, "VirtualProtect");
			if (virtualProtect == null)
				return false;
			if (!DotNetUtils.CallsMethod(initMethod, "System.IntPtr System.Runtime.InteropServices.Marshal::GetHINSTANCE(System.Reflection.Module)"))
				return false;
			// Only two call counts are known; anything else is rejected, not guessed.
			int virtualProtectCalls = ConfuserUtils.CountCalls(initMethod, virtualProtect);
			if (virtualProtectCalls != 14 && virtualProtectCalls != 16)
				return false;
			if (!DeobUtils.HasInteger(initMethod, 0x3C))
				return false;
			if (!DeobUtils.HasInteger(initMethod, 0x6c64746e))
				return false;
			if (!DeobUtils.HasInteger(initMethod, 0x6c642e6c))
				return false;
			if (!DeobUtils.HasInteger(initMethod, 0x6f43744e))
				return false;
			if (!DeobUtils.HasInteger(initMethod, 0x6e69746e))
				return false;
			int locallocs = ConfuserUtils.CountOpCode(initMethod, Code.Localloc);

			// Ordered narrowing; the trailing else is unreachable because the call count
			// was already restricted to 14 or 16 above.
			if (DeobUtils.HasInteger(initMethod, 0x18))
				version = ConfuserVersion.v14_r58852;
			else if (virtualProtectCalls == 16)
				version = ConfuserVersion.v16_r69339;
			else if (virtualProtectCalls == 14) {
				if (locallocs == 2)
					version = ConfuserVersion.v17_r74708;
				else if (locallocs == 1) {
					if (DotNetUtils.HasString(initMethod, "<Unknown>"))
						version = ConfuserVersion.v18_r75257;
					else if (IsRev75725(initMethod))
						version = ConfuserVersion.v19_r75725;
					else
						version = ConfuserVersion.v19_r76186;
				}
				else
					return false;
			}
			else
				return false;

			return true;
		}
		/// <summary>
		/// Scans the static methods of the module's global type for the string decrypter:
		/// a method with signature <c>object (uint)</c> and a body whose local-variable
		/// types match <c>requiredLocals1</c> or <c>requiredLocals2</c>. The first method
		/// whose layout maps to a known <c>ConfuserVersion</c> is recorded in
		/// <c>theDecrypterInfo</c> and passed to Add(); the scan then stops. Every write
		/// to <c>version</c> / <c>nativeMethod</c> sits on a path that ends in Add(), so
		/// a rejected candidate (the two <c>continue</c> fall-throughs) leaves both as
		/// they were. Does nothing if the global type is missing.
		/// </summary>
		public void Find() {
			var type = DotNetUtils.GetModuleType(module);
			if (type == null)
				return;
			foreach (var method in type.Methods) {
				if (!method.IsStatic || method.Body == null)
					continue;
				if (!DotNetUtils.IsMethod(method, "System.Object", "(System.UInt32)"))
					continue;

				DecrypterInfo info = new DecrypterInfo();
				var localTypes = new LocalTypes(method);
				if (localTypes.All(requiredLocals1)) {
					if (localTypes.Exists("System.Collections.BitArray"))	// or System.Random
						version = ConfuserVersion.v15_r60785_normal;
					// The 0x100 / 0x10000 / 0xFFFF triple marks the "normal" flavor.
					else if (DeobUtils.HasInteger(method, 0x100) &&
							DeobUtils.HasInteger(method, 0x10000) &&
							DeobUtils.HasInteger(method, 0xFFFF))
						version = ConfuserVersion.v17_r73404_normal;
					// Encoding.GetString(byte[]) overload: conv.i8 presence, then a
					// Console.WriteLine() call, separate three "dynamic" revisions.
					else if (DotNetUtils.CallsMethod(method, "System.String System.Text.Encoding::GetString(System.Byte[])")) {
						if (FindInstruction(method.Body.Instructions, 0, Code.Conv_I8) >= 0) {
							if (DotNetUtils.CallsMethod(method, "System.Void System.Console::WriteLine()"))
								version = ConfuserVersion.v15_r60785_dynamic;
							else
								version = ConfuserVersion.v17_r72989_dynamic;
						}
						else
							version = ConfuserVersion.v17_r73740_dynamic;
					}
					// Three-argument GetString overload: native vs dynamic decided by
					// whether a native helper method exists (side effect on nativeMethod).
					else if (DotNetUtils.CallsMethod(method, "System.String System.Text.Encoding::GetString(System.Byte[],System.Int32,System.Int32)")) {
						if ((nativeMethod = FindNativeMethod(method)) == null)
							version = ConfuserVersion.v17_r73764_dynamic;
						else
							version = ConfuserVersion.v17_r73764_native;
					}
					else
						continue;
				}
				else if (localTypes.All(requiredLocals2)) {
					if (DeobUtils.HasInteger(method, 0x100) &&
						DeobUtils.HasInteger(method, 0x10000) &&
						DeobUtils.HasInteger(method, 0xFFFF))
						version = ConfuserVersion.v17_r73822_normal;
					else if (DotNetUtils.CallsMethod(method, "System.Int32 System.Object::GetHashCode()")) {
						if ((nativeMethod = FindNativeMethod(method)) == null)
							version = ConfuserVersion.v17_r74021_dynamic;
						else
							version = ConfuserVersion.v17_r74021_native;
					}
					else if ((nativeMethod = FindNativeMethod(method)) == null)
						version = ConfuserVersion.v17_r73822_dynamic;
					else
						version = ConfuserVersion.v17_r73822_native;
				}
				else
					continue;

				// Accept the first match and stop scanning.
				info.decryptMethod = method;
				theDecrypterInfo = info;
				Add(info);
				break;
			}
		}
        /// <summary>
        /// Locates the Confuser unpacker stub around the module entry point and works out
        /// which revision produced it. The entry point and its declaring type must match
        /// <c>requiredEntryPointLocals</c> / <c>requiredFields</c>; the nested-type count
        /// (6 = 7zip variant, otherwise inflate) picks which decrypt-method finder runs.
        /// A coarse version comes from the decrypt method's locals and the entry point's
        /// calls, is overridden to v14_r58802 when an assembly-resolver method exists, and
        /// is then refined per revision family via the key0 finders. Side effects on
        /// success: <c>asmResolverMethod</c>, <c>key0</c>, <c>key1</c>,
        /// <c>entryPointToken</c>, <c>mainAsmResource</c> and finally <c>version</c>.
        /// Silent return (no version written) on any structural mismatch;
        /// <c>ApplicationException</c> when the layout matched but the magic/resource
        /// could not be recovered. Note that the decrypt method and cctor are passed
        /// through <paramref name="simpleDeobfuscator"/> before detection is complete.
        /// </summary>
        /// <param name="simpleDeobfuscator">Used to simplify the stub methods before pattern matching.</param>
        /// <param name="deob">Handed to DecryptStrings for the static constructor.</param>
        public void Find(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
        {
            var entryPoint = module.EntryPoint;
            if (entryPoint == null)
                return;
            if (!new LocalTypes(entryPoint).All(requiredEntryPointLocals))
                return;
            var type = entryPoint.DeclaringType;
            if (!new FieldTypes(type).All(requiredFields))
                return;

            // Exactly six nested types is taken to mean the 7zip-compressed variant.
            bool use7zip = type.NestedTypes.Count == 6;
            MethodDef decyptMethod;
            if (use7zip)
                decyptMethod = FindDecryptMethod_7zip(type);
            else
                decyptMethod = FindDecryptMethod_inflate(type);
            if (decyptMethod == null)
                return;

            // Coarse classification; refined further down.
            ConfuserVersion theVersion = ConfuserVersion.Unknown;
            var decryptLocals = new LocalTypes(decyptMethod);
            if (decryptLocals.Exists("System.IO.MemoryStream")) {
                if (DotNetUtils.CallsMethod(entryPoint, "System.Void", "(System.String,System.Byte[])"))
                    theVersion = ConfuserVersion.v10_r42915;
                else if (DotNetUtils.CallsMethod(entryPoint, "System.Void", "(System.Security.Permissions.PermissionState)"))
                    theVersion = ConfuserVersion.v10_r48717;
                else
                    theVersion = ConfuserVersion.v14_r57778;
            }
            else
                theVersion = ConfuserVersion.v14_r58564;

            var cctor = type.FindStaticConstructor();
            if (cctor == null)
                return;

            // An assembly-resolver method overrides the coarse result; key1 is mandatory then.
            if ((asmResolverMethod = FindAssemblyResolverMethod(entryPoint.DeclaringType)) != null) {
                theVersion = ConfuserVersion.v14_r58802;
                simpleDeobfuscator.Deobfuscate(asmResolverMethod);
                if (!FindKey1(asmResolverMethod, out key1))
                    return;
            }

            switch (theVersion) {
            case ConfuserVersion.v10_r42915:
            case ConfuserVersion.v10_r48717:
            case ConfuserVersion.v14_r57778:
                break;

            case ConfuserVersion.v14_r58564:
            case ConfuserVersion.v14_r58802:
                simpleDeobfuscator.Deobfuscate(decyptMethod);
                if (FindKey0_v14_r58564(decyptMethod, out key0))
                    break;
                if (FindKey0_v14_r58852(decyptMethod, out key0)) {
                    if (!decryptLocals.Exists("System.Security.Cryptography.RijndaelManaged")) {
                        theVersion = ConfuserVersion.v14_r58852;
                        break;
                    }
                    if (use7zip) {
                        if (new LocalTypes(decyptMethod).Exists("System.IO.MemoryStream"))
                            theVersion = ConfuserVersion.v17_r75076;
                        // Fingerprint on the module file name: trivially defeated by a
                        // rename, in which case detection falls to the next two rules.
                        else if (module.Name == "Stub.exe")
                            theVersion = ConfuserVersion.v18_r75184;
                        else if (!IsGetLenToPosStateMethodPrivate(type))
                            theVersion = ConfuserVersion.v18_r75367;
                        else
                            theVersion = ConfuserVersion.v19_r77172;
                    }
                    else if (IsDecryptMethod_v17_r73404(decyptMethod))
                        theVersion = ConfuserVersion.v17_r73404;
                    else
                        theVersion = ConfuserVersion.v15_r60785;
                    break;
                }
                throw new ApplicationException("Could not find magic");

            default:
                throw new ApplicationException("Invalid version");
            }

            simpleDeobfuscator.Deobfuscate(cctor);
            simpleDeobfuscator.DecryptStrings(cctor, deob);

            // asmResolverMethod may still be null here (coarse v14_r58564 path with no
            // resolver found); this relies on CallsMethod tolerating a null method —
            // NOTE(review): confirm that guard exists in DotNetUtils.
            if (FindEntryPointToken(simpleDeobfuscator, cctor, entryPoint, out entryPointToken) && !use7zip) {
                if (DotNetUtils.CallsMethod(asmResolverMethod, "System.Void", "(System.String)"))
                    theVersion = ConfuserVersion.v17_r73477;
                else
                    theVersion = ConfuserVersion.v17_r73566;
            }

            mainAsmResource = FindResource(cctor);
            if (mainAsmResource == null)
                throw new ApplicationException("Could not find main assembly resource");
            // version is published last so a throw above leaves it unset.
            version = theVersion;
        }
 /// <summary>
 /// Binds this unpacker to <paramref name="module"/> and, if <paramref name="other"/>
 /// is non-null, inherits its <c>version</c>; otherwise <c>version</c> keeps its default.
 /// </summary>
 public Unpacker(ModuleDefMD module, Unpacker other)
 {
     this.module = module;
     if (other == null)
         return;
     this.version = other.version;
 }
		/// <summary>
		/// Fingerprints this runtime type by locating its compile and decrypt methods
		/// (stored in <c>compileMethod</c> / <c>decryptMethod</c> as side effects, even
		/// when a later check fails) and then switching on the number of nested types:
		/// 35, 38, 39 or 27 are known layouts, each narrowed by a field count, a
		/// constant count, or specific calls; any other count is rejected. For revisions
		/// at or above v17_r73477 (enum order) a <c>hookConstructStr</c> method must also
		/// exist. <c>version</c> is written only on success.
		/// </summary>
		/// <param name="type">Candidate runtime type.</param>
		/// <param name="initMethod">Runtime initializer used for the call-based rules.</param>
		/// <returns>true when a layout matched and <c>version</c> was assigned.</returns>
		protected override bool CheckType(TypeDef type, MethodDef initMethod) {
			if (type == null)
				return false;

			compileMethod = FindCompileMethod(type);
			if (compileMethod == null)
				return false;

			decryptMethod = FindDecryptMethod(type);
			if (decryptMethod == null)
				return false;

			var theVersion = ConfuserVersion.Unknown;
			switch (type.NestedTypes.Count) {
			case 35:
				if (type.Fields.Count == 9)
					theVersion = ConfuserVersion.v17_r73404;
				else if (type.Fields.Count == 10)
					theVersion = ConfuserVersion.v17_r73430;
				else
					return false;
				break;

			case 38:
				// Number of 0xFF int32 constants in the compile method.
				switch (CountInt32s(compileMethod, 0xFF)) {
				case 2: theVersion = ConfuserVersion.v17_r73477; break;
				case 4: theVersion = ConfuserVersion.v17_r73479; break;
				default: return false;
				}
				break;

			case 39:
				// Console.WriteLine(char) in the initializer and Rijndael.Create in the
				// decrypt method split this layout four ways.
				if (!DotNetUtils.CallsMethod(initMethod, "System.Void System.Console::WriteLine(System.Char)")) {
					if (DotNetUtils.CallsMethod(decryptMethod, "System.Security.Cryptography.Rijndael System.Security.Cryptography.Rijndael::Create()"))
						theVersion = ConfuserVersion.v17_r74021;
					else
						theVersion = ConfuserVersion.v18_r75291;
				}
				else if (DotNetUtils.CallsMethod(decryptMethod, "System.Security.Cryptography.Rijndael System.Security.Cryptography.Rijndael::Create()"))
					theVersion = ConfuserVersion.v18_r75257;
				else
					theVersion = ConfuserVersion.v18_r75288;
				break;

			case 27:
				if (DotNetUtils.CallsMethod(initMethod, "System.Int32 System.String::get_Length()"))
					theVersion = ConfuserVersion.v18_r75402;
				else
					theVersion = ConfuserVersion.v19_r75725;
				break;

			default:
				return false;
			}

			// Relies on ConfuserVersion enum members being declared in chronological order.
			if (theVersion >= ConfuserVersion.v17_r73477) {
				hookConstructStr = FindHookConstructStr(type);
				if (hookConstructStr == null)
					return false;
			}

			version = theVersion;
			return true;
		}
        /// <summary>
        /// Fingerprints the "safe" flavor of Confuser's anti-debug runtime. Two placements
        /// are recognized: the runtime inside the module's global type (string and
        /// profiler-string checks only, reported as v14_r57588_safe), or a dedicated type
        /// declaring ntdll!NtQueryInformationProcess, ntdll!NtSetInformationProcess and
        /// kernel32!CloseHandle P/Invokes plus a separate anti-debug method, narrowed to
        /// one of v16_r61954_safe .. v19_r78363_safe. <c>version</c> is written only on
        /// success; every failed check returns false without touching it.
        /// </summary>
        /// <param name="type">Type expected to host the anti-debug runtime.</param>
        /// <param name="initMethod">Runtime initializer (strings and call targets are inspected).</param>
        /// <returns>true when a layout matched and <c>version</c> was assigned.</returns>
        bool CheckMethod_safe(TypeDef type, MethodDef initMethod)
        {
            // Placement 1: runtime lives in <Module>.
            if (type == DotNetUtils.GetModuleType(module)) {
                if (!DotNetUtils.HasString(initMethod, "Debugger detected (Managed)"))
                    return false;
                if (!CheckProfilerStrings1(initMethod))
                    return false;
                version = ConfuserVersion.v14_r57588_safe;
                return true;
            }

            // Placement 2: dedicated type. All three native imports are mandatory.
            var ntQueryInfo = DotNetUtils.GetPInvokeMethod(type, "ntdll", "NtQueryInformationProcess");
            if (ntQueryInfo == null)
                return false;
            if (DotNetUtils.GetPInvokeMethod(type, "ntdll", "NtSetInformationProcess") == null)
                return false;
            if (DotNetUtils.GetPInvokeMethod(type, "kernel32", "CloseHandle") == null)
                return false;

            var antiDebug = GetAntiDebugMethod(type, initMethod);
            if (antiDebug == null)
                return false;

            // Either spelling counts; absence is itself a fingerprint, not a failure.
            bool mentionsDebugger =
                DotNetUtils.HasString(antiDebug, "Debugger detected (Managed)") ||
                DotNetUtils.HasString(antiDebug, "Debugger is detected (Managed)");

            const string threadCtor = "System.Void System.Threading.Thread::.ctor(System.Threading.ParameterizedThreadStart)";
            if (!DotNetUtils.CallsMethod(initMethod, threadCtor))
                return false;
            // The "safe" flavor requires zero NtQueryInformationProcess calls in the
            // anti-debug method itself.
            if (ConfuserUtils.CountCalls(antiDebug, ntQueryInfo) != 0)
                return false;
            if (!CheckProfilerStrings1(initMethod) && !CheckProfilerStrings2(initMethod))
                return false;
            // Exactly two Environment.FailFast call sites are expected.
            if (ConfuserUtils.CountCalls(antiDebug, "System.Void System.Environment::FailFast(System.String)") != 2)
                return false;

            if (!mentionsDebugger) {
                version = ConfuserVersion.v19_r78363_safe;
                return true;
            }

            // Ordered narrowing: thread ctor in the anti-debug method, then the
            // IsDebuggerPresent import, then which profiler-string set matched.
            if (!DotNetUtils.CallsMethod(antiDebug, threadCtor))
                version = ConfuserVersion.v16_r61954_safe;
            else if (DotNetUtils.GetPInvokeMethod(type, "IsDebuggerPresent") == null)
                version = ConfuserVersion.v17_r73822_safe;
            else if (CheckProfilerStrings1(initMethod))
                version = ConfuserVersion.v17_r74021_safe;
            else
                version = ConfuserVersion.v19_r76119_safe;
            return true;
        }
        /// <summary>
        /// Fingerprints the "normal" flavor of Confuser's anti-debug runtime. The type must
        /// declare the ntdll!NtQueryInformationProcess, ntdll!NtSetInformationProcess and
        /// kernel32!CloseHandle P/Invokes and expose an anti-debug method. Three families
        /// are then told apart by how <paramref name="initMethod"/> starts its thread:
        /// (1) Thread(ParameterizedThreadStart) ctor — narrowed by the Environment.FailFast
        /// call count (6 or 8), the profiler strings, NtQueryInformationProcess call count
        /// and the IsDebuggerPresent import; (2) no ThreadStart(object, IntPtr) ctor —
        /// v14_r57588_normal; (3) otherwise v14_r60785_normal. Families (2) and (3)
        /// additionally require Process.EnterDebugMode and the first profiler-string set
        /// inside the anti-debug method. <c>version</c> is written only on success.
        /// </summary>
        /// <param name="type">Type expected to host the anti-debug runtime.</param>
        /// <param name="initMethod">Runtime initializer (strings and call targets are inspected).</param>
        /// <returns>true when a layout matched and <c>version</c> was assigned.</returns>
        bool CheckMethod_normal(TypeDef type, MethodDef initMethod)
        {
            var ntQueryInformationProcess = DotNetUtils.GetPInvokeMethod(type, "ntdll", "NtQueryInformationProcess");

            if (ntQueryInformationProcess == null)
            {
                return(false);
            }
            if (DotNetUtils.GetPInvokeMethod(type, "ntdll", "NtSetInformationProcess") == null)
            {
                return(false);
            }
            if (DotNetUtils.GetPInvokeMethod(type, "kernel32", "CloseHandle") == null)
            {
                return(false);
            }
            var antiDebugMethod = GetAntiDebugMethod(type, initMethod);

            if (antiDebugMethod == null)
            {
                return(false);
            }
            // Unlike the "safe" flavor, only the first spelling of the message is accepted.
            bool hasDebuggerStrings = DotNetUtils.HasString(antiDebugMethod, "Debugger detected (Managed)");

            // Family 1: Thread(ParameterizedThreadStart) in the initializer.
            if (DotNetUtils.CallsMethod(initMethod, "System.Void System.Threading.Thread::.ctor(System.Threading.ParameterizedThreadStart)"))
            {
                int failFastCalls = ConfuserUtils.CountCalls(antiDebugMethod, "System.Void System.Environment::FailFast(System.String)");
                if (failFastCalls != 6 && failFastCalls != 8)
                {
                    return(false);
                }

                if (!CheckProfilerStrings1(initMethod))
                {
                    return(false);
                }

                // No thread ctor inside the anti-debug method: oldest revision of this family.
                if (!DotNetUtils.CallsMethod(antiDebugMethod, "System.Void System.Threading.Thread::.ctor(System.Threading.ParameterizedThreadStart)"))
                {
                    if (!hasDebuggerStrings)
                    {
                        return(false);
                    }
                    if (ConfuserUtils.CountCalls(antiDebugMethod, ntQueryInformationProcess) != 2)
                    {
                        return(false);
                    }
                    version = ConfuserVersion.v16_r61954_normal;
                }
                // Eight FailFast sites and two NtQueryInformationProcess calls.
                else if (failFastCalls == 8)
                {
                    if (!hasDebuggerStrings)
                    {
                        return(false);
                    }
                    if (ConfuserUtils.CountCalls(antiDebugMethod, ntQueryInformationProcess) != 2)
                    {
                        return(false);
                    }
                    version = ConfuserVersion.v17_r73822_normal;
                }
                // Six FailFast sites: IsDebuggerPresent import required, no direct
                // NtQueryInformationProcess calls; the debugger string picks v17 vs v19.
                else if (failFastCalls == 6)
                {
                    if (DotNetUtils.GetPInvokeMethod(type, "IsDebuggerPresent") == null)
                    {
                        return(false);
                    }
                    if (ConfuserUtils.CountCalls(antiDebugMethod, ntQueryInformationProcess) != 0)
                    {
                        return(false);
                    }
                    if (hasDebuggerStrings)
                    {
                        version = ConfuserVersion.v17_r74021_normal;
                    }
                    else
                    {
                        version = ConfuserVersion.v19_r78363_normal;
                    }
                }
                else
                {
                    // Unreachable: failFastCalls was already restricted to 6 or 8.
                    return(false);
                }
            }
            // Family 2: no ThreadStart(object, IntPtr) ctor either.
            else if (!DotNetUtils.CallsMethod(initMethod, "System.Void System.Threading.ThreadStart::.ctor(System.Object,System.IntPtr)"))
            {
                if (!hasDebuggerStrings)
                {
                    return(false);
                }
                if (!DotNetUtils.CallsMethod(initMethod, "System.Void System.Diagnostics.Process::EnterDebugMode()"))
                {
                    return(false);
                }
                if (!CheckProfilerStrings1(antiDebugMethod))
                {
                    return(false);
                }
                version = ConfuserVersion.v14_r57588_normal;
            }
            // Family 3: ThreadStart(object, IntPtr) ctor present; same checks as family 2.
            else
            {
                if (!hasDebuggerStrings)
                {
                    return(false);
                }
                if (!DotNetUtils.CallsMethod(initMethod, "System.Void System.Diagnostics.Process::EnterDebugMode()"))
                {
                    return(false);
                }
                if (!CheckProfilerStrings1(antiDebugMethod))
                {
                    return(false);
                }
                version = ConfuserVersion.v14_r60785_normal;
            }

            return(true);
        }
		/// <summary>
		/// Tests whether <paramref name="method"/> is the resource-decrypter install method
		/// (it must subscribe to AppDomain.ResourceResolve) and, if so, recovers the
		/// handler, its resource, the key pair and the Confuser revision. The handler must
		/// be declared on the same type as <paramref name="method"/>. Two families exist:
		/// handlers that call AppDomain.GetData (v14_r55802 / v17_r73404) and handlers that
		/// rely on exactly one static field instead (v17_r73822 .. v19_r77172, the last
		/// distinguished by an embedded LZMA type). Fields <c>handler</c>,
		/// <c>resource</c>, <c>installMethod</c> and <c>version</c> are assigned together
		/// at the end, only on success; <c>key0</c>/<c>key1</c>/<c>lzmaType</c> and the
		/// <c>fields</c> collection are written along the way and may be left in a
		/// partial state when false is returned.
		/// </summary>
		/// <param name="method">Candidate install method; null or body-less methods are rejected.</param>
		/// <returns>true when the method and its handler were fully recognized.</returns>
		bool CheckMethod(MethodDef method) {
			if (method == null || method.Body == null)
				return false;
			if (!DotNetUtils.CallsMethod(method, "System.Void System.AppDomain::add_ResourceResolve(System.ResolveEventHandler)"))
				return false;
			// The candidate is simplified in place before it is confirmed; a rejected
			// candidate therefore still carries this rewrite (presumably harmless if the
			// simplifier is idempotent — confirm).
			simpleDeobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.Force | SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
			fields.Clear();

			var tmpHandler = GetHandler(method);
			if (tmpHandler == null || tmpHandler.DeclaringType != method.DeclaringType)
				return false;

			var tmpResource = FindResource(tmpHandler);
			if (tmpResource == null)
				return false;

			simpleDeobfuscator.Deobfuscate(tmpHandler, SimpleDeobfuscatorFlags.Force | SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
			ConfuserVersion tmpVersion = ConfuserVersion.Unknown;
			// Family 1: handler reads AppDomain data.
			if (DotNetUtils.CallsMethod(tmpHandler, "System.Object System.AppDomain::GetData(System.String)")) {
				if (!DotNetUtils.CallsMethod(tmpHandler, "System.Void System.Buffer::BlockCopy(System.Array,System.Int32,System.Array,System.Int32,System.Int32)")) {
					if (!FindKey0Key1_v14_r55802(tmpHandler, out key0, out key1))
						return false;
					tmpVersion = ConfuserVersion.v14_r55802;
				}
				else if (FindKey0_v17_r73404(tmpHandler, out key0) && FindKey1_v17_r73404(tmpHandler, out key1))
					tmpVersion = ConfuserVersion.v17_r73404;
				else
					return false;
			}
			// Family 2: exactly one field on the declaring type is used by the handler.
			else {
				if (AddFields(FindFields(tmpHandler, method.DeclaringType)) != 1)
					return false;

				// Key finders are tried oldest-first; each successful pair fixes the revision.
				if (FindKey0_v17_r73404(tmpHandler, out key0) && FindKey1_v17_r73404(tmpHandler, out key1))
					tmpVersion = ConfuserVersion.v17_r73822;
				else if (FindKey0_v18_r75367(tmpHandler, out key0) && FindKey1_v17_r73404(tmpHandler, out key1))
					tmpVersion = ConfuserVersion.v18_r75367;
				else if (FindKey0_v18_r75369(tmpHandler, out key0) && FindKey1_v18_r75369(tmpHandler, out key1)) {
					lzmaType = ConfuserUtils.FindLzmaType(tmpHandler);
					if (lzmaType == null)
						tmpVersion = ConfuserVersion.v18_r75369;
					else
						tmpVersion = ConfuserVersion.v19_r77172;
				}
				else
					return false;
			}

			// Publish all results together so a failed check above leaves them untouched.
			handler = tmpHandler;
			resource = tmpResource;
			installMethod = method;
			version = tmpVersion;
			return true;
		}
        /// <summary>
        /// Fingerprints the r58852-and-later layouts of this runtime type. Requires a
        /// VirtualProtect P/Invoke, a Marshal.GetHINSTANCE call, 14 or 16 calls to that
        /// import and five inline integer constants. Read as little-endian ASCII the
        /// four 32-bit constants are "ntdl", "l.dl", "NtCo", "ntin" — presumably
        /// "ntdll.dll" / "NtContinue" assembled inline (confirm); 0x3C is presumably the
        /// DOS-header e_lfanew offset (confirm). The revision is then narrowed by the
        /// 0x18 constant, the VirtualProtect call count and the <c>localloc</c> count.
        /// <c>version</c> is written only on success.
        /// </summary>
        /// <param name="type">Candidate runtime type.</param>
        /// <param name="initMethod">Runtime initializer whose constants, calls and opcodes are inspected.</param>
        /// <returns>true when a layout matched and <c>version</c> was assigned.</returns>
        bool CheckType_v14_r58852(TypeDef type, MethodDef initMethod)
        {
            var vprotect = DotNetUtils.GetPInvokeMethod(type, "VirtualProtect");
            if (vprotect == null)
                return false;
            if (!DotNetUtils.CallsMethod(initMethod, "System.IntPtr System.Runtime.InteropServices.Marshal::GetHINSTANCE(System.Reflection.Module)"))
                return false;

            // Only two call counts are known; anything else is rejected rather than guessed.
            int vprotectCalls = ConfuserUtils.CountCalls(initMethod, vprotect);
            if (vprotectCalls != 14 && vprotectCalls != 16)
                return false;

            // All five constants are mandatory, checked in the original order.
            foreach (var required in new[] { 0x3C, 0x6c64746e, 0x6c642e6c, 0x6f43744e, 0x6e69746e }) {
                if (!DeobUtils.HasInteger(initMethod, required))
                    return false;
            }
            int locallocs = ConfuserUtils.CountOpCode(initMethod, Code.Localloc);

            if (DeobUtils.HasInteger(initMethod, 0x18)) {
                version = ConfuserVersion.v14_r58852;
                return true;
            }
            if (vprotectCalls == 16) {
                version = ConfuserVersion.v16_r69339;
                return true;
            }

            // vprotectCalls == 14 from here on.
            switch (locallocs) {
            case 2:
                version = ConfuserVersion.v17_r74708;
                return true;
            case 1:
                if (DotNetUtils.HasString(initMethod, "<Unknown>"))
                    version = ConfuserVersion.v18_r75257;
                else if (IsRev75725(initMethod))
                    version = ConfuserVersion.v19_r75725;
                else
                    version = ConfuserVersion.v19_r76186;
                return true;
            default:
                return false;
            }
        }
		/// <summary>
		/// Picks the flavor of a version triple for <paramref name="method"/>: the
		/// 0x100 / 0x10000 / 0xFFFF constant triple selects <paramref name="normal"/>;
		/// otherwise FindNativeMethod is run (its result is stored in <c>nativeMethod</c>)
		/// and <paramref name="native"/> or <paramref name="dynamic"/> is chosen by
		/// whether it found anything. <c>version</c> is always overwritten.
		/// </summary>
		void InitVersion(MethodDef method, ConfuserVersion normal, ConfuserVersion dynamic, ConfuserVersion native) {
			bool looksNormal = DeobUtils.HasInteger(method, 0x100)
				&& DeobUtils.HasInteger(method, 0x10000)
				&& DeobUtils.HasInteger(method, 0xFFFF);
			if (looksNormal) {
				version = normal;
				return;
			}
			// The native probe only runs on the non-normal path, so nativeMethod is left
			// untouched when the constants matched (same as before).
			nativeMethod = FindNativeMethod(method);
			version = nativeMethod == null ? dynamic : native;
		}
		/// <summary>
		/// Chains to the base decrypter and, when <paramref name="other"/> is supplied,
		/// copies its already-detected <c>version</c>.
		/// </summary>
		public MemoryMethodsDecrypter(ModuleDefMD module, ISimpleDeobfuscator simpleDeobfuscator, MemoryMethodsDecrypter other)
			: base(module, simpleDeobfuscator, other) {
			if (other == null)
				return;
			version = other.version;
		}
			/// <summary>
			/// Pairs a located decrypt method with the Confuser revision it was
			/// recognized as. Stores both as given, without validation.
			/// </summary>
			public DecrypterInfoV17(ConfuserVersion version, MethodDef decryptMethod) {
				this.decryptMethod = decryptMethod;
				this.version = version;
			}
        /// <summary>
        /// Locates the Confuser unpacker stub in the module's entry-point type and fingerprints the
        /// Confuser version from the BCL members its methods call and the locals they declare.
        /// On success sets <c>version</c>, <c>mainAsmResource</c>, <c>key0</c>, <c>entryPointToken</c>
        /// and (when present) <c>asmResolverMethod</c>. A stub that does not look like Confuser at all
        /// makes the method return quietly; a stub that is recognised but cannot be fully resolved
        /// raises <see cref="ApplicationException"/> rather than leaving the version guessed.
        /// Note that <paramref name="simpleDeobfuscator"/> rewrites the stub's methods in place as it goes.
        /// </summary>
        /// <param name="simpleDeobfuscator">Cleans up stub methods before pattern matching; also decrypts strings in the cctor.</param>
        /// <param name="deob">Deobfuscator handed to <c>DecryptStrings</c> for the cctor.</param>
        public void Find(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
        {
            var entryPoint = module.EntryPoint;

            if (entryPoint == null)
            {
                return;
            }
            // The packed entry point must declare every local listed in requiredEntryPointLocals.
            if (!new LocalTypes(entryPoint).All(requiredEntryPointLocals))
            {
                return;
            }
            var type = entryPoint.DeclaringType;

            if (!new FieldTypes(type).All(requiredFields))
            {
                return;
            }

            // The nested-type count alone decides which decompressor the stub embeds (presumably the
            // LZMA/7zip decoder classes vs. a single inflater — not otherwise verified here).
            bool      use7zip = type.NestedTypes.Count == 6;
            MethodDef decyptMethod;

            if (use7zip)
            {
                decyptMethod = FindDecryptMethod_7zip(type);
            }
            else
            {
                decyptMethod = FindDecryptMethod_inflate(type);
            }
            if (decyptMethod == null)
            {
                return;
            }

            // First-pass version guess from the decrypt method's locals and the entry point's calls.
            // It is refined (and may be overridden) by the resolver/key checks further down.
            var theVersion    = ConfuserVersion.Unknown;
            var decryptLocals = new LocalTypes(decyptMethod);

            if (decryptLocals.Exists("System.IO.MemoryStream"))
            {
                if (DotNetUtils.CallsMethod(entryPoint, "System.Void", "(System.String,System.Byte[])"))
                {
                    theVersion = ConfuserVersion.v10_r42915;
                }
                else if (DotNetUtils.CallsMethod(entryPoint, "System.Void", "(System.Security.Permissions.PermissionState)"))
                {
                    theVersion = ConfuserVersion.v10_r48717;
                }
                else
                {
                    theVersion = ConfuserVersion.v14_r57778;
                }
            }
            else
            {
                theVersion = ConfuserVersion.v14_r58564;
            }

            var cctor = type.FindStaticConstructor();

            if (cctor == null)
            {
                return;
            }

            // An assembly-resolver method moves the guess to r58802 regardless of the locals above.
            // key1 is only validated here (its value is not used by this method); a resolver whose
            // key cannot be recovered rejects the whole stub.
            if ((asmResolverMethod = FindAssemblyResolverMethod(entryPoint.DeclaringType)) != null)
            {
                theVersion = ConfuserVersion.v14_r58802;
                simpleDeobfuscator.Deobfuscate(asmResolverMethod);
                if (!FindKey1(asmResolverMethod, out uint key1))
                {
                    return;
                }
            }

            switch (theVersion)
            {
            case ConfuserVersion.v10_r42915:
            case ConfuserVersion.v10_r48717:
            case ConfuserVersion.v14_r57778:
                // Pre-r58564 stubs carry no key0.
                break;

            case ConfuserVersion.v14_r58564:
            case ConfuserVersion.v14_r58802:
                // Try the r58564 key0 layout first; if only the r58852 layout matches, the exact
                // build is told apart by the presence of RijndaelManaged, the decompressor flavour,
                // the module name and a helper-method visibility check.
                simpleDeobfuscator.Deobfuscate(decyptMethod);
                if (FindKey0_v14_r58564(decyptMethod, out key0))
                {
                    break;
                }
                if (FindKey0_v14_r58852(decyptMethod, out key0))
                {
                    if (!decryptLocals.Exists("System.Security.Cryptography.RijndaelManaged"))
                    {
                        theVersion = ConfuserVersion.v14_r58852;
                        break;
                    }
                    if (use7zip)
                    {
                        // Locals are re-read here rather than reusing decryptLocals: Deobfuscate()
                        // ran on this method above and may have changed its body — TODO confirm
                        // that this is deliberate and not just a duplicate of decryptLocals.
                        if (new LocalTypes(decyptMethod).Exists("System.IO.MemoryStream"))
                        {
                            theVersion = ConfuserVersion.v17_r75076;
                        }
                        else if (module.Name == "Stub.exe")
                        {
                            theVersion = ConfuserVersion.v18_r75184;
                        }
                        else if (!IsGetLenToPosStateMethodPrivate(type))
                        {
                            theVersion = ConfuserVersion.v18_r75367;
                        }
                        else
                        {
                            theVersion = ConfuserVersion.v19_r77172;
                        }
                    }
                    else if (IsDecryptMethod_v17_r73404(decyptMethod))
                    {
                        theVersion = ConfuserVersion.v17_r73404;
                    }
                    else
                    {
                        theVersion = ConfuserVersion.v15_r60785;
                    }
                    break;
                }
                // Neither key0 layout matched: fail loudly instead of returning with a half-set state.
                throw new ApplicationException("Could not find magic");

            default:
                throw new ApplicationException("Invalid version");
            }

            // Both the entry-point-token search and the resource lookup read the cctor, so clean it
            // up and decrypt its strings first.
            simpleDeobfuscator.Deobfuscate(cctor);
            simpleDeobfuscator.DecryptStrings(cctor, deob);

            // For inflate-based stubs whose entry-point token is recoverable, the resolver's
            // signature picks between the two v1.7 builds — overriding any earlier guess.
            // NOTE(review): asmResolverMethod is null here whenever no resolver was found above;
            // this relies on DotNetUtils.CallsMethod returning false for a null method — confirm.
            if (FindEntryPointToken(simpleDeobfuscator, cctor, entryPoint, out entryPointToken) && !use7zip)
            {
                if (DotNetUtils.CallsMethod(asmResolverMethod, "System.Void", "(System.String)"))
                {
                    theVersion = ConfuserVersion.v17_r73477;
                }
                else
                {
                    theVersion = ConfuserVersion.v17_r73566;
                }
            }

            mainAsmResource = FindResource(cctor);
            if (mainAsmResource == null)
            {
                throw new ApplicationException("Could not find main assembly resource");
            }
            // version is published only once everything above succeeded.
            version = theVersion;
        }
		/// <summary>
		/// Scans the module type for Confuser proxy-delegate creator methods, classifies each one by
		/// Confuser version, and records a <c>ProxyCreatorInfo</c> per creator in <c>methodToInfo</c>.
		/// The instance's <c>version</c> is raised to the highest version seen across all creators
		/// (it is never lowered). Candidate methods are deobfuscated in place during classification.
		/// </summary>
		/// <param name="simpleDeobfuscator">Used to clean up each candidate before the version checks.</param>
		public void FindDelegateCreator(ISimpleDeobfuscator simpleDeobfuscator) {
			var type = DotNetUtils.GetModuleType(module);
			if (type == null)
				return;
			foreach (var method in type.Methods) {
				// Only static, assembly-visible methods with a body are candidates.
				if (method.Body == null || !method.IsStatic || !method.IsAssembly)
					continue;
				ConfuserVersion theVersion = ConfuserVersion.Unknown;

				// The creator signature fixes the v1.0 baseline; anything else is not a creator.
				if (DotNetUtils.IsMethod(method, "System.Void", "(System.String,System.RuntimeFieldHandle)"))
					theVersion = ConfuserVersion.v10_r42915;
				else if (DotNetUtils.IsMethod(method, "System.Void", "(System.RuntimeFieldHandle)"))
					theVersion = ConfuserVersion.v10_r48717;
				else
					continue;

				// tmpVer is the creator "generation" (1 or 2) reported by GetProxyCreatorType and is
				// only consumed by the v1.9 checks below.
				int tmpVer;
				var proxyType = GetProxyCreatorType(method, simpleDeobfuscator, out tmpVer);
				if (proxyType == ProxyCreatorType.None)
					continue;
				if (proxyType == ProxyCreatorType.Newobj)
					foundNewobjProxy = true;

				simpleDeobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
				MethodDef nativeMethod = null;
				// magic is definitely assigned after the chain below because the first condition is
				// always evaluated and assigns it through its out parameter.
				uint magic;
				if (FindMagic_v14_r58564(method, out magic)) {
					// r58564..r70489: told apart by the Base64/get_Module calls and, for call/callvirt
					// proxies, by the Castclass opcode reference and the DynamicMethod ctor overload.
					if (!DotNetUtils.CallsMethod(method, "System.Byte[] System.Convert::FromBase64String(System.String)")) {
						if (!IsMethodCreator_v14_r58802(method, proxyType))
							theVersion = ConfuserVersion.v14_r58564;
						else
							theVersion = ConfuserVersion.v14_r58802;
					}
					else if (DotNetUtils.CallsMethod(method, "System.Reflection.Module System.Reflection.MemberInfo::get_Module()"))
						theVersion = ConfuserVersion.v17_r73479;
					else if (proxyType != ProxyCreatorType.CallOrCallvirt || !HasFieldReference(method, "System.Reflection.Emit.OpCode System.Reflection.Emit.OpCodes::Castclass"))
						theVersion = ConfuserVersion.v14_r58857;
					else if (proxyType == ProxyCreatorType.CallOrCallvirt && DotNetUtils.CallsMethod(method, "System.Void System.Reflection.Emit.DynamicMethod::.ctor(System.String,System.Type,System.Type[],System.Boolean)"))
						theVersion = ConfuserVersion.v16_r66631;
					else if (proxyType == ProxyCreatorType.CallOrCallvirt)
						theVersion = ConfuserVersion.v16_r70489;
				}
				else if (!DotNetUtils.CallsMethod(method, "System.Byte[] System.Convert::FromBase64String(System.String)") &&
					DotNetUtils.CallsMethod(method, "System.Reflection.MethodBase System.Reflection.Module::ResolveMethod(System.Int32)")) {
					// Creators that resolve the target via Module.ResolveMethod(token).
					// callvirtChar (a field) is only recovered for call/callvirt proxies and then
					// distinguishes the r75367 and r75369 builds (value 9 => r75367).
					if (proxyType == ProxyCreatorType.CallOrCallvirt && !FindCallvirtChar(method, out callvirtChar))
						continue;
					if ((nativeMethod = FindNativeMethod_v18_r75367(method)) != null)
						theVersion = proxyType != ProxyCreatorType.CallOrCallvirt || callvirtChar == 9 ? ConfuserVersion.v18_r75367_native : ConfuserVersion.v18_r75369_native;
					else if (FindMagic_v18_r75367(method, out magic))
						theVersion = proxyType != ProxyCreatorType.CallOrCallvirt || callvirtChar == 9 ? ConfuserVersion.v18_r75367_normal : ConfuserVersion.v18_r75369_normal;
					// v1.9: the return value of CommonCheckVersion19 is ignored; if tmpVer is neither
					// 1 nor 2 theVersion simply keeps the v1.0 baseline.
					else if (FindMagic_v19_r76101(method, out magic))
						CommonCheckVersion19(method, true, tmpVer, ref theVersion);
					else if ((nativeMethod = FindNativeMethod_v19_r76101(method)) != null)
						CommonCheckVersion19(method, false, tmpVer, ref theVersion);
					else {
						// v1.1..v1.3: these are independent ifs, not an else-if chain — each later
						// match overwrites the earlier one, so RunClassConstructor wins over the
						// Assembly.Load and GetBytes-count checks. Keep that order when editing.
						if (proxyType == ProxyCreatorType.CallOrCallvirt && !DotNetUtils.CallsMethod(method, "System.Int32 System.String::get_Length()"))
							theVersion = ConfuserVersion.v11_r50378;
						int numCalls = ConfuserUtils.CountCalls(method, "System.Byte[] System.Text.Encoding::GetBytes(System.Char[],System.Int32,System.Int32)");
						if (numCalls == 2)
							theVersion = ConfuserVersion.v12_r54564;
						if (!DotNetUtils.CallsMethod(method, "System.Reflection.Assembly System.Reflection.Assembly::Load(System.Reflection.AssemblyName)"))
							theVersion = ConfuserVersion.v13_r55346;
						if (DotNetUtils.CallsMethod(method, "System.Void System.Runtime.CompilerServices.RuntimeHelpers::RunClassConstructor(System.RuntimeTypeHandle)"))
							theVersion = ConfuserVersion.v13_r55604;
					}
				}
				else if (Is_v17_r73740(method)) {
					// v1.7 r73740 / r74708, each in a native and a magic-value ("normal") flavour.
					// A creator that matches neither flavour is dropped entirely.
					if (DotNetUtils.CallsMethod(method, "System.Boolean System.Type::get_IsArray()")) {
						if ((nativeMethod = FindNativeMethod_v17_r73740(method)) != null)
							theVersion = ConfuserVersion.v17_r74708_native;
						else if (FindMagic_v17_r73740(method, out magic))
							theVersion = ConfuserVersion.v17_r74708_normal;
						else
							continue;
					}
					else {
						if ((nativeMethod = FindNativeMethod_v17_r73740(method)) != null)
							theVersion = ConfuserVersion.v17_r73740_native;
						else if (FindMagic_v17_r73740(method, out magic))
							theVersion = ConfuserVersion.v17_r73740_normal;
						else
							continue;
					}
				}
				else if (theVersion == ConfuserVersion.v10_r42915) {
					// 0x06000000 is presumably the MethodDef metadata-token base (table 0x06);
					// its presence marks the r42919 build.
					if (DeobUtils.HasInteger(method, 0x06000000))
						theVersion = ConfuserVersion.v10_r42919;
				}

				SetDelegateCreatorMethod(method);
				methodToInfo.Add(method, new ProxyCreatorInfo(method, proxyType, theVersion, magic, nativeMethod, callvirtChar));
				// Keep the highest version seen; enum ordering is assumed to track release order.
				version = (ConfuserVersion)Math.Max((int)version, (int)theVersion);
			}
		}
		/// <summary>
		/// Locates the Confuser string decrypter: a static <c>string(int)</c> method on the module type
		/// whose locals match <c>requiredLocals</c> and from which both magic values can be recovered.
		/// The first method that also maps to a known version wins; on success <c>decryptMethod</c>,
		/// <c>magic1</c>, <c>magic2</c>, <c>version</c> (and <c>key1</c> for the r58802 "safe" variant) are set.
		/// </summary>
		/// <remarks>
		/// Candidates rejected part-way through still leave <c>magic1</c>, <c>magic2</c> and <c>version</c>
		/// overwritten, so those fields are only meaningful once <c>decryptMethod</c> is non-null.
		/// Each candidate is deobfuscated in place before its magic values are searched.
		/// </remarks>
		/// <param name="simpleDeobfuscator">Cleans up each candidate before pattern matching.</param>
		public void Find(ISimpleDeobfuscator simpleDeobfuscator) {
			var moduleType = DotNetUtils.GetModuleType(module);
			if (moduleType == null)
				return;

			foreach (var candidate in moduleType.Methods) {
				if (candidate.Body == null || !candidate.IsStatic)
					continue;
				if (!DotNetUtils.IsMethod(candidate, "System.String", "(System.Int32)"))
					continue;

				// Locals are snapshotted before deobfuscation; the version checks read this snapshot.
				var locals = new LocalTypes(candidate);
				if (!locals.All(requiredLocals))
					continue;

				simpleDeobfuscator.Deobfuscate(candidate);

				// The old magic1 encoding is tried first; only if it is absent is the newer one searched.
				bool oldStyleMagic1 = FindMagic1(candidate, out magic1);
				if (!oldStyleMagic1 && !FindNewMagic1(candidate, out magic1))
					continue;
				if (!FindMagic2(candidate, out magic2))
					continue;

				version = ConfuserVersion.Unknown;
				bool usesUtf8 = DotNetUtils.CallsMethod(candidate, "System.Text.Encoding System.Text.Encoding::get_UTF8()");
				if (usesUtf8) {
					if (!oldStyleMagic1) {
						// The r58802 "safe" variant also carries key1; without it the candidate is rejected.
						if (!FindSafeKey1(candidate, out key1))
							continue;
						version = ConfuserVersion.v14_r58802_safe;
					}
					else if (DotNetUtils.CallsMethod(candidate, "System.Object System.AppDomain::GetData(System.String)"))
						version = ConfuserVersion.v13_r55604_safe;
					else
						version = ConfuserVersion.v10_r42915;
				}
				else if (!locals.Exists("System.Random"))
					version = oldStyleMagic1 ? ConfuserVersion.v11_r49299 : ConfuserVersion.v14_r58802_dynamic;
				else if (locals.Exists("System.Collections.Generic.Dictionary`2<System.Int32,System.String>"))
					version = ConfuserVersion.v10_r48832;

				// A candidate with magic values but no recognised shape is skipped rather than guessed.
				if (version == ConfuserVersion.Unknown)
					continue;

				decryptMethod = candidate;
				return;
			}
		}
		/// <summary>
		/// Resolves the Confuser 1.9 proxy-creator version from the creator generation
		/// (<paramref name="tmpProxyVer"/>, 1 or 2 as reported by <c>GetProxyCreatorType</c>) and
		/// from whether the creator uses a magic value (<paramref name="isNormal"/>) or a native method.
		/// A generation-2 creator that passes <c>CheckCtorProxyType_v19_r78963</c> maps to the r78963
		/// Newobj variants, any other generation-2 creator to r78363.
		/// </summary>
		/// <returns>true when <paramref name="theVersion"/> was set; false (and theVersion untouched) for any other generation.</returns>
		static bool CommonCheckVersion19(MethodDef method, bool isNormal, int tmpProxyVer, ref ConfuserVersion theVersion) {
			switch (tmpProxyVer) {
			case 1:
				theVersion = isNormal ? ConfuserVersion.v19_r76101_normal : ConfuserVersion.v19_r76101_native;
				return true;

			case 2: {
				bool isCtorProxy = CheckCtorProxyType_v19_r78963(method);
				if (isCtorProxy)
					theVersion = isNormal ? ConfuserVersion.v19_r78963_normal_Newobj : ConfuserVersion.v19_r78963_native_Newobj;
				else
					theVersion = isNormal ? ConfuserVersion.v19_r78363_normal : ConfuserVersion.v19_r78363_native;
				return true;
			}

			default:
				return false;
			}
		}
		/// <summary>
		/// Fingerprints the Confuser 1.4 r58564 runtime stub: <paramref name="type"/> must P/Invoke
		/// VirtualProtect (i.e. the stub changes page protections at run time), and
		/// <paramref name="initMethod"/> must call Marshal.GetHINSTANCE, call that VirtualProtect
		/// import exactly three times, and contain the integer constants 224, 240 and 267
		/// (presumably PE-header offsets — not verified here). On a match <c>version</c> is set
		/// to <c>v14_r58564</c>.
		/// </summary>
		/// <returns>true when every check passes; false at the first failing check, leaving <c>version</c> untouched.</returns>
		bool CheckType_v14_r58564(TypeDef type, MethodDef initMethod) {
			var virtualProtect = DotNetUtils.GetPInvokeMethod(type, "VirtualProtect");

			// Same checks in the same order as the original guard chain; && stops at the first failure,
			// so CountCalls is never reached with a null virtualProtect.
			bool matches = virtualProtect != null
				&& DotNetUtils.CallsMethod(initMethod, "System.IntPtr System.Runtime.InteropServices.Marshal::GetHINSTANCE(System.Reflection.Module)")
				&& ConfuserUtils.CountCalls(initMethod, virtualProtect) == 3
				&& DeobUtils.HasInteger(initMethod, 224)
				&& DeobUtils.HasInteger(initMethod, 240)
				&& DeobUtils.HasInteger(initMethod, 267);
			if (!matches)
				return false;

			version = ConfuserVersion.v14_r58564;
			return true;
		}
		/// <summary>
		/// Classifies a proxy-creator method and reports which detector generation recognised it:
		/// <paramref name="version"/> is 1 when the V1 detector matches the method as-is, 2 when the
		/// V2 detector matches after simple deobfuscation, and 0 when neither does (result is None).
		/// The V2 attempt deobfuscates <paramref name="method"/> in place; the V1 attempt does not.
		/// </summary>
		/// <param name="method">Candidate creator method.</param>
		/// <param name="simpleDeobfuscator">Used to clean the method up before the V2 check.</param>
		/// <param name="version">Detector generation that matched: 1, 2, or 0 for no match.</param>
		static ProxyCreatorType GetProxyCreatorType(MethodDef method, ISimpleDeobfuscator simpleDeobfuscator, out int version) {
			version = 1;
			var creatorType = GetProxyCreatorTypeV1(method);
			if (creatorType != ProxyCreatorType.None)
				return creatorType;

			// V1 did not match; clean the method up and retry with the V2 shapes.
			simpleDeobfuscator.Deobfuscate(method);
			creatorType = GetProxyCreatorTypeV2(method);
			version = creatorType != ProxyCreatorType.None ? 2 : 0;
			return creatorType;
		}
			/// <summary>
			/// Records a constants-decrypter method together with its owning
			/// <see cref="ConstantsDecrypterV18"/> and the Confuser version it was fingerprinted as.
			/// No validation is performed on the arguments.
			/// </summary>
			/// <param name="constantsDecrypter">Owner that will drive this decrypter.</param>
			/// <param name="method">The decrypter method itself.</param>
			/// <param name="version">Detected Confuser version for this decrypter.</param>
			public DecrypterInfo(ConstantsDecrypterV18 constantsDecrypter, MethodDef method, ConfuserVersion version) {
				this.version = version;
				this.method = method;
				this.constantsDecrypter = constantsDecrypter;
			}
		/// <summary>
		/// Fingerprints the "normal" (non-native) Confuser anti-debug stub and sets <c>version</c>.
		/// <paramref name="type"/> must P/Invoke ntdll!NtQueryInformationProcess, ntdll!NtSetInformationProcess
		/// and kernel32!CloseHandle, and an anti-debug method must be reachable from <paramref name="initMethod"/>.
		/// The build is then told apart by how the init method starts its thread, how many
		/// Environment.FailFast calls the anti-debug method makes, how often it calls NtQueryInformationProcess,
		/// whether the "Debugger detected (Managed)" string is present, and the profiler-string check.
		/// All of these are exact-count heuristics: a stub that deviates from every known build is rejected
		/// (false) rather than mapped to the nearest version.
		/// </summary>
		/// <returns>true with <c>version</c> set on a match; false at the first failing check, leaving <c>version</c> untouched.</returns>
		bool CheckMethod_normal(TypeDef type, MethodDef initMethod) {
			var ntQueryInformationProcess = DotNetUtils.GetPInvokeMethod(type, "ntdll", "NtQueryInformationProcess");
			bool hasRequiredImports = ntQueryInformationProcess != null
				&& DotNetUtils.GetPInvokeMethod(type, "ntdll", "NtSetInformationProcess") != null
				&& DotNetUtils.GetPInvokeMethod(type, "kernel32", "CloseHandle") != null;
			if (!hasRequiredImports)
				return false;

			var antiDebugMethod = GetAntiDebugMethod(type, initMethod);
			if (antiDebugMethod == null)
				return false;
			bool hasDebuggerStrings = DotNetUtils.HasString(antiDebugMethod, "Debugger detected (Managed)");

			const string threadCtor = "System.Void System.Threading.Thread::.ctor(System.Threading.ParameterizedThreadStart)";
			if (!DotNetUtils.CallsMethod(initMethod, threadCtor)) {
				// v1.4 builds: init does not use Thread(ParameterizedThreadStart). Both share the same
				// checks and differ only in whether init constructs a ThreadStart delegate directly.
				bool usesThreadStartCtor = DotNetUtils.CallsMethod(initMethod, "System.Void System.Threading.ThreadStart::.ctor(System.Object,System.IntPtr)");
				if (!hasDebuggerStrings)
					return false;
				if (!DotNetUtils.CallsMethod(initMethod, "System.Void System.Diagnostics.Process::EnterDebugMode()"))
					return false;
				if (!CheckProfilerStrings1(antiDebugMethod))
					return false;
				version = usesThreadStartCtor ? ConfuserVersion.v14_r60785_normal : ConfuserVersion.v14_r57588_normal;
				return true;
			}

			// v1.6+ builds: init starts the anti-debug thread via Thread(ParameterizedThreadStart).
			int failFastCalls = ConfuserUtils.CountCalls(antiDebugMethod, "System.Void System.Environment::FailFast(System.String)");
			if (failFastCalls != 6 && failFastCalls != 8)
				return false;
			if (!CheckProfilerStrings1(initMethod))
				return false;

			bool antiDebugSpawnsThread = DotNetUtils.CallsMethod(antiDebugMethod, threadCtor);
			if (!antiDebugSpawnsThread || failFastCalls == 8) {
				// r61954 (anti-debug method does not spawn a thread) and r73822 (eight FailFast calls)
				// both require the managed-debugger string and exactly two NtQueryInformationProcess calls.
				if (!hasDebuggerStrings)
					return false;
				if (ConfuserUtils.CountCalls(antiDebugMethod, ntQueryInformationProcess) != 2)
					return false;
				version = antiDebugSpawnsThread ? ConfuserVersion.v17_r73822_normal : ConfuserVersion.v16_r61954_normal;
				return true;
			}

			// Only failFastCalls == 6 reaches here (the guard above admits nothing else): these builds
			// require an IsDebuggerPresent import and no NtQueryInformationProcess call in the anti-debug
			// method; the managed-debugger string separates r74021 from r78363.
			if (DotNetUtils.GetPInvokeMethod(type, "IsDebuggerPresent") == null)
				return false;
			if (ConfuserUtils.CountCalls(antiDebugMethod, ntQueryInformationProcess) != 0)
				return false;
			version = hasDebuggerStrings ? ConfuserVersion.v17_r74021_normal : ConfuserVersion.v19_r78363_normal;
			return true;
		}