// Fingerprints the r58564 anti-tamper initializer: the type must P/Invoke VirtualProtect,
// initMethod must call Marshal.GetHINSTANCE, call VirtualProtect exactly 3 times and carry the
// constants 224, 240 and 267. Sets version and returns true only when all of that holds.
bool CheckType_v14_r58564(TypeDef type, MethodDef initMethod) {
	var virtProtect = DotNetUtils.GetPInvokeMethod(type, "VirtualProtect");
	if (virtProtect == null) {
		return false;
	}
	// Short-circuit order is the same as the original sequence of guard clauses.
	bool matches = DotNetUtils.CallsMethod(initMethod, "System.IntPtr System.Runtime.InteropServices.Marshal::GetHINSTANCE(System.Reflection.Module)")
		&& ConfuserUtils.CountCalls(initMethod, virtProtect) == 3
		&& DeobUtils.HasInteger(initMethod, 224)
		&& DeobUtils.HasInteger(initMethod, 240)
		&& DeobUtils.HasInteger(initMethod, 267);
	if (!matches) {
		return false;
	}
	version = ConfuserVersion.v14_r58564;
	return true;
}
// Picks one of the three candidate versions: a known native helper method wins outright,
// otherwise the presence of the 0x10000 constant in installMethod selects normal over dynamic.
void InitVersion(MethodDef installMethod, ConfuserVersion normal, ConfuserVersion dynamic, ConfuserVersion native) {
	ConfuserVersion detected;
	if (nativeMethod != null)
		detected = native;
	else
		detected = DeobUtils.HasInteger(installMethod, 0x10000) ? normal : dynamic;
	version = detected;
}
// Wraps the module; when an earlier Unpacker instance is supplied its detected version is carried over.
public Unpacker(ModuleDefMD module, Unpacker other) {
	this.module = module;
	if (other == null)
		return;
	version = other.version;
}
// Plain value holder describing one proxy-creator method; every argument is stored as-is,
// no validation or normalisation happens here.
public ProxyCreatorInfo(MethodDef creatorMethod, ProxyCreatorType proxyCreatorType, ConfuserVersion version, uint magic, MethodDef nativeMethod, ushort callvirtChar) {
	this.version = version;
	this.proxyCreatorType = proxyCreatorType;
	this.creatorMethod = creatorMethod;
	this.callvirtChar = callvirtChar;
	this.magic = magic;
	this.nativeMethod = nativeMethod;
}
// Fingerprints the anti-tamper initializer handled by this decrypter and derives the Confuser
// version from the features present in initMethod and the decrypt method.
// Requires: a non-null type with exactly 3 methods, a kernel32!VirtualProtect P/Invoke, the
// "Broken file" string in initMethod and a decrypt method located by FindDecryptMethod.
// Returns true and sets version on success. Note: decryptMethod is assigned before the
// Buffer.BlockCopy count check, so it can stay set even when this method returns false.
protected override bool CheckType(TypeDef type, MethodDef initMethod) {
	if (type == null) return false;
	if (type.Methods.Count != 3) return false;
	var virtProtect = DotNetUtils.GetPInvokeMethod(type, "kernel32", "VirtualProtect");
	if (virtProtect == null) return false;
	if (!DotNetUtils.HasString(initMethod, "Broken file")) return false;
	if ((decryptMethod = FindDecryptMethod(type)) == null) return false;
	bool callsFileStreamCtor = DotNetUtils.CallsMethod(initMethod, "System.Void System.IO.FileStream::.ctor(System.String,System.IO.FileMode,System.IO.FileAccess,System.IO.FileShare)");
	// Oldest recognised build has no "Module error" string yet.
	if (!DotNetUtils.HasString(initMethod, "Module error")) version = ConfuserVersion.v14_r57884;
	else if (virtProtect.IsPrivate && callsFileStreamCtor) {
		// The number of Buffer.BlockCopy calls separates r58564 (<=1), r58852 (2) and r59014 (4).
		int calls = ConfuserUtils.CountCalls(initMethod, "System.Void System.Buffer::BlockCopy(System.Array,System.Int32,System.Array,System.Int32,System.Int32)");
		if (calls <= 1) version = ConfuserVersion.v14_r58564;
		else if (calls == 2) version = ConfuserVersion.v14_r58852;
		else if (calls == 4) version = ConfuserVersion.v15_r59014;
		else return false;	// 3 or more than 4 BlockCopy calls: not a known build
	}
	else if (callsFileStreamCtor) version = ConfuserVersion.v14_r58004;
	else if (DotNetUtils.CallsMethod(initMethod, "System.Int32 System.Object::GetHashCode()")) {
		// "<Unknown>" string appears from r72989 on.
		if (DotNetUtils.HasString(initMethod, "<Unknown>")) version = ConfuserVersion.v17_r72989;
		else version = ConfuserVersion.v16_r71742;
	}
	// Rijndael.Create in the decrypt method is specific to r73605 among the remaining builds.
	else if (DotNetUtils.CallsMethod(decryptMethod, "System.Security.Cryptography.Rijndael System.Security.Cryptography.Rijndael::Create()")) version = ConfuserVersion.v17_r73605;
	else if (DotNetUtils.HasString(initMethod, "<Unknown>")) version = ConfuserVersion.v18_r75288;
	else version = ConfuserVersion.v19_r75725;
	return true;
}
// Recognises the "safe" anti-debug install method and assigns its Confuser version.
// Two layouts exist: the r57588 build places it in the module type and is identified by its
// strings alone; later builds live in a separate type with ntdll!NtQueryInformationProcess,
// ntdll!NtSetInformationProcess and kernel32!CloseHandle P/Invokes plus a worker method
// located by GetAntiDebugMethod. Returns false at the first missing feature; sets version on success.
bool CheckMethod_safe(TypeDef type, MethodDef initMethod) {
	if (type == DotNetUtils.GetModuleType(module)) {
		if (!DotNetUtils.HasString(initMethod, "Debugger detected (Managed)")) return false;
		if (!CheckProfilerStrings1(initMethod)) return false;
		version = ConfuserVersion.v14_r57588_safe;
	}
	else {
		var ntQueryInformationProcess = DotNetUtils.GetPInvokeMethod(type, "ntdll", "NtQueryInformationProcess");
		if (ntQueryInformationProcess == null) return false;
		if (DotNetUtils.GetPInvokeMethod(type, "ntdll", "NtSetInformationProcess") == null) return false;
		if (DotNetUtils.GetPInvokeMethod(type, "kernel32", "CloseHandle") == null) return false;
		var antiDebugMethod = GetAntiDebugMethod(type, initMethod);
		if (antiDebugMethod == null) return false;
		// Either spelling of the message counts; only consulted after the structural checks below.
		bool hasDebuggerStrings = DotNetUtils.HasString(antiDebugMethod, "Debugger detected (Managed)") || DotNetUtils.HasString(antiDebugMethod, "Debugger is detected (Managed)");
		if (!DotNetUtils.CallsMethod(initMethod, "System.Void System.Threading.Thread::.ctor(System.Threading.ParameterizedThreadStart)")) return false;
		// In the safe variant the worker never calls NtQueryInformationProcess directly.
		if (ConfuserUtils.CountCalls(antiDebugMethod, ntQueryInformationProcess) != 0) return false;
		if (!CheckProfilerStrings1(initMethod) && !CheckProfilerStrings2(initMethod)) return false;
		int failFastCalls = ConfuserUtils.CountCalls(antiDebugMethod, "System.Void System.Environment::FailFast(System.String)");
		if (failFastCalls != 2) return false;
		if (hasDebuggerStrings) {
			if (!DotNetUtils.CallsMethod(antiDebugMethod, "System.Void System.Threading.Thread::.ctor(System.Threading.ParameterizedThreadStart)")) version = ConfuserVersion.v16_r61954_safe;
			else if (DotNetUtils.GetPInvokeMethod(type, "IsDebuggerPresent") == null) version = ConfuserVersion.v17_r73822_safe;
			else if (CheckProfilerStrings1(initMethod)) version = ConfuserVersion.v17_r74021_safe;
			else version = ConfuserVersion.v19_r76119_safe;
		}
		else {
			// No debugger message in the worker at all: r78363.
			version = ConfuserVersion.v19_r78363_safe;
		}
	}
	return true;
}
// Fingerprints the r58852+ anti-tamper initializer: VirtualProtect P/Invoke, a Marshal.GetHINSTANCE
// call, 14 or 16 VirtualProtect calls and five marker constants (0x3C plus four 32-bit values that
// look like little-endian ASCII chunks of "ntdll.dll" / "NtContin" — TODO confirm).
// The exact version is then chosen from the 0x18 constant, the VirtualProtect count and the
// number of localloc opcodes. Sets version and returns true on success.
bool CheckType_v14_r58852(TypeDef type, MethodDef initMethod) {
	var virtProtect = DotNetUtils.GetPInvokeMethod(type, "VirtualProtect");
	if (virtProtect == null)
		return false;
	if (!DotNetUtils.CallsMethod(initMethod, "System.IntPtr System.Runtime.InteropServices.Marshal::GetHINSTANCE(System.Reflection.Module)"))
		return false;
	int vpCalls = ConfuserUtils.CountCalls(initMethod, virtProtect);
	if (vpCalls != 14 && vpCalls != 16)
		return false;
	// Same evaluation order as the original chain of guards.
	bool hasMarkers = DeobUtils.HasInteger(initMethod, 0x3C)
		&& DeobUtils.HasInteger(initMethod, 0x6c64746e)
		&& DeobUtils.HasInteger(initMethod, 0x6c642e6c)
		&& DeobUtils.HasInteger(initMethod, 0x6f43744e)
		&& DeobUtils.HasInteger(initMethod, 0x6e69746e);
	if (!hasMarkers)
		return false;
	int locallocs = ConfuserUtils.CountOpCode(initMethod, Code.Localloc);
	if (DeobUtils.HasInteger(initMethod, 0x18)) {
		version = ConfuserVersion.v14_r58852;
		return true;
	}
	if (vpCalls == 16) {
		version = ConfuserVersion.v16_r69339;
		return true;
	}
	// vpCalls == 14 from here on.
	if (locallocs == 2) {
		version = ConfuserVersion.v17_r74708;
		return true;
	}
	if (locallocs != 1)
		return false;
	if (DotNetUtils.HasString(initMethod, "<Unknown>"))
		version = ConfuserVersion.v18_r75257;
	else if (IsRev75725(initMethod))
		version = ConfuserVersion.v19_r75725;
	else
		version = ConfuserVersion.v19_r76186;
	return true;
}
// Locates the constants decrypter in the module type: the first static method with a body and
// signature "System.Object (System.UInt32)" whose locals satisfy requiredLocals1 or requiredLocals2.
// The version is derived from the local types, embedded constants and calls; nativeMethod is
// assigned as a side effect of the FindNativeMethod lookups. The first accepted candidate is
// stored in theDecrypterInfo and passed to Add, after which the scan stops.
public void Find() {
	var type = DotNetUtils.GetModuleType(module);
	if (type == null) return;
	foreach (var method in type.Methods) {
		if (!method.IsStatic || method.Body == null) continue;
		if (!DotNetUtils.IsMethod(method, "System.Object", "(System.UInt32)")) continue;
		DecrypterInfo info = new DecrypterInfo();
		var localTypes = new LocalTypes(method);
		if (localTypes.All(requiredLocals1)) {
			if (localTypes.Exists("System.Collections.BitArray")) // or System.Random
				version = ConfuserVersion.v15_r60785_normal;
			else if (DeobUtils.HasInteger(method, 0x100) && DeobUtils.HasInteger(method, 0x10000) && DeobUtils.HasInteger(method, 0xFFFF)) // all three constants mark the non-dynamic r73404 decrypter
				version = ConfuserVersion.v17_r73404_normal;
			else if (DotNetUtils.CallsMethod(method, "System.String System.Text.Encoding::GetString(System.Byte[])")) {
				// A conv.i8 anywhere in the body separates the two older dynamic variants from r73740.
				if (FindInstruction(method.Body.Instructions, 0, Code.Conv_I8) >= 0) {
					if (DotNetUtils.CallsMethod(method, "System.Void System.Console::WriteLine()")) version = ConfuserVersion.v15_r60785_dynamic;
					else version = ConfuserVersion.v17_r72989_dynamic;
				}
				else version = ConfuserVersion.v17_r73740_dynamic;
			}
			else if (DotNetUtils.CallsMethod(method, "System.String System.Text.Encoding::GetString(System.Byte[],System.Int32,System.Int32)")) {
				if ((nativeMethod = FindNativeMethod(method)) == null) version = ConfuserVersion.v17_r73764_dynamic;
				else version = ConfuserVersion.v17_r73764_native;
			}
			else continue;
		}
		else if (localTypes.All(requiredLocals2)) {
			if (DeobUtils.HasInteger(method, 0x100) && DeobUtils.HasInteger(method, 0x10000) && DeobUtils.HasInteger(method, 0xFFFF)) version = ConfuserVersion.v17_r73822_normal;
			else if (DotNetUtils.CallsMethod(method, "System.Int32 System.Object::GetHashCode()")) {
				if ((nativeMethod = FindNativeMethod(method)) == null) version = ConfuserVersion.v17_r74021_dynamic;
				else version = ConfuserVersion.v17_r74021_native;
			}
			else if ((nativeMethod = FindNativeMethod(method)) == null) version = ConfuserVersion.v17_r73822_dynamic;
			else version = ConfuserVersion.v17_r73822_native;
		}
		else continue;
		info.decryptMethod = method;
		theDecrypterInfo = info;
		Add(info);
		break;
	}
}
// Detects the Confuser packer stub and collects what unpacking needs: the decrypt method's key0,
// the assembly-resolver key1 (r58802+), the entry point token, the main assembly resource and the
// stub version. Returns silently when the module does not look like a packed stub; throws
// ApplicationException once a stub is recognised but its magic or resource cannot be found.
public void Find(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
	var entryPoint = module.EntryPoint;
	if (entryPoint == null) return;
	if (!new LocalTypes(entryPoint).All(requiredEntryPointLocals)) return;
	var type = entryPoint.DeclaringType;
	if (!new FieldTypes(type).All(requiredFields)) return;
	// Six nested types is taken to mean the 7-zip decoder is embedded; otherwise inflate is used.
	bool use7zip = type.NestedTypes.Count == 6;
	MethodDef decyptMethod;
	if (use7zip) decyptMethod = FindDecryptMethod_7zip(type);
	else decyptMethod = FindDecryptMethod_inflate(type);
	if (decyptMethod == null) return;
	ConfuserVersion theVersion = ConfuserVersion.Unknown;
	var decryptLocals = new LocalTypes(decyptMethod);
	if (decryptLocals.Exists("System.IO.MemoryStream")) {
		if (DotNetUtils.CallsMethod(entryPoint, "System.Void", "(System.String,System.Byte[])")) theVersion = ConfuserVersion.v10_r42915;
		else if (DotNetUtils.CallsMethod(entryPoint, "System.Void", "(System.Security.Permissions.PermissionState)")) theVersion = ConfuserVersion.v10_r48717;
		else theVersion = ConfuserVersion.v14_r57778;
	}
	else theVersion = ConfuserVersion.v14_r58564;
	var cctor = type.FindStaticConstructor();
	if (cctor == null) return;
	// An assembly-resolver method overrides whatever the locals suggested above.
	if ((asmResolverMethod = FindAssemblyResolverMethod(entryPoint.DeclaringType)) != null) {
		theVersion = ConfuserVersion.v14_r58802;
		simpleDeobfuscator.Deobfuscate(asmResolverMethod);
		if (!FindKey1(asmResolverMethod, out key1)) return;
	}
	switch (theVersion) {
	case ConfuserVersion.v10_r42915:
	case ConfuserVersion.v10_r48717:
	case ConfuserVersion.v14_r57778:
		break;
	case ConfuserVersion.v14_r58564:
	case ConfuserVersion.v14_r58802:
		simpleDeobfuscator.Deobfuscate(decyptMethod);
		if (FindKey0_v14_r58564(decyptMethod, out key0)) break;
		if (FindKey0_v14_r58852(decyptMethod, out key0)) {
			if (!decryptLocals.Exists("System.Security.Cryptography.RijndaelManaged")) {
				theVersion = ConfuserVersion.v14_r58852;
				break;
			}
			if (use7zip) {
				if (new LocalTypes(decyptMethod).Exists("System.IO.MemoryStream")) theVersion = ConfuserVersion.v17_r75076;
				else if (module.Name == "Stub.exe") theVersion = ConfuserVersion.v18_r75184;
				else if (!IsGetLenToPosStateMethodPrivate(type)) theVersion = ConfuserVersion.v18_r75367;
				else theVersion = ConfuserVersion.v19_r77172;
			}
			else if (IsDecryptMethod_v17_r73404(decyptMethod)) theVersion = ConfuserVersion.v17_r73404;
			else theVersion = ConfuserVersion.v15_r60785;
			break;
		}
		// Neither key0 finder matched: the stub is recognised but its layout is not.
		throw new ApplicationException("Could not find magic");
	default:
		throw new ApplicationException("Invalid version");
	}
	simpleDeobfuscator.Deobfuscate(cctor);
	simpleDeobfuscator.DecryptStrings(cctor, deob);
	if (FindEntryPointToken(simpleDeobfuscator, cctor, entryPoint, out entryPointToken) && !use7zip) {
		// NOTE(review): asmResolverMethod is still null on the v10_r42915 / v10_r48717 / v14_r57778
		// paths; this relies on DotNetUtils.CallsMethod tolerating a null method — confirm.
		if (DotNetUtils.CallsMethod(asmResolverMethod, "System.Void", "(System.String)")) theVersion = ConfuserVersion.v17_r73477;
		else theVersion = ConfuserVersion.v17_r73566;
	}
	mainAsmResource = FindResource(cctor);
	if (mainAsmResource == null) throw new ApplicationException("Could not find main assembly resource");
	version = theVersion;
}
// Wraps the module; the version detected by a previous Unpacker instance, if any, is carried forward.
public Unpacker(ModuleDefMD module, Unpacker other) {
	this.module = module;
	bool hasPrevious = other != null;
	if (hasPrevious) {
		this.version = other.version;
	}
}
// Matches the type carrying the compile hook: requires a compile method and a decrypt method,
// then maps the type's nested-type count (35 / 38 / 39 / 27) plus a few secondary features onto a
// Confuser version. Versions from r73477 on must also expose the hook-construct-string method.
// compileMethod and decryptMethod are stored before the version is confirmed, so they can stay
// set even when this method returns false.
protected override bool CheckType(TypeDef type, MethodDef initMethod) {
	if (type == null) return false;
	compileMethod = FindCompileMethod(type);
	if (compileMethod == null) return false;
	decryptMethod = FindDecryptMethod(type);
	if (decryptMethod == null) return false;
	var theVersion = ConfuserVersion.Unknown;
	switch (type.NestedTypes.Count) {
	case 35:
		if (type.Fields.Count == 9) theVersion = ConfuserVersion.v17_r73404;
		else if (type.Fields.Count == 10) theVersion = ConfuserVersion.v17_r73430;
		else return false;
		break;
	case 38:
		// The number of 0xFF constants in the compile hook separates r73477 from r73479.
		switch (CountInt32s(compileMethod, 0xFF)) {
		case 2: theVersion = ConfuserVersion.v17_r73477; break;
		case 4: theVersion = ConfuserVersion.v17_r73479; break;
		default: return false;
		}
		break;
	case 39:
		// Console.WriteLine(char) in initMethod and Rijndael.Create in the decrypt method split the four r74021–r75291 builds.
		if (!DotNetUtils.CallsMethod(initMethod, "System.Void System.Console::WriteLine(System.Char)")) {
			if (DotNetUtils.CallsMethod(decryptMethod, "System.Security.Cryptography.Rijndael System.Security.Cryptography.Rijndael::Create()")) theVersion = ConfuserVersion.v17_r74021;
			else theVersion = ConfuserVersion.v18_r75291;
		}
		else if (DotNetUtils.CallsMethod(decryptMethod, "System.Security.Cryptography.Rijndael System.Security.Cryptography.Rijndael::Create()")) theVersion = ConfuserVersion.v18_r75257;
		else theVersion = ConfuserVersion.v18_r75288;
		break;
	case 27:
		if (DotNetUtils.CallsMethod(initMethod, "System.Int32 System.String::get_Length()")) theVersion = ConfuserVersion.v18_r75402;
		else theVersion = ConfuserVersion.v19_r75725;
		break;
	default:
		return false;
	}
	// Relies on ConfuserVersion members being declared in release order.
	if (theVersion >= ConfuserVersion.v17_r73477) {
		hookConstructStr = FindHookConstructStr(type);
		if (hookConstructStr == null) return false;
	}
	version = theVersion;
	return true;
}
// Recognises the "safe" anti-debug install method and assigns its Confuser version.
// Two layouts exist: the r57588 build places it in the module type and is identified by its
// strings alone; later builds live in a separate type with ntdll!NtQueryInformationProcess,
// ntdll!NtSetInformationProcess and kernel32!CloseHandle P/Invokes plus a worker method
// located by GetAntiDebugMethod. Returns false at the first missing feature; sets version on success.
bool CheckMethod_safe(TypeDef type, MethodDef initMethod) {
	if (type == DotNetUtils.GetModuleType(module)) {
		if (!DotNetUtils.HasString(initMethod, "Debugger detected (Managed)")) { return(false); }
		if (!CheckProfilerStrings1(initMethod)) { return(false); }
		version = ConfuserVersion.v14_r57588_safe;
	}
	else {
		var ntQueryInformationProcess = DotNetUtils.GetPInvokeMethod(type, "ntdll", "NtQueryInformationProcess");
		if (ntQueryInformationProcess == null) { return(false); }
		if (DotNetUtils.GetPInvokeMethod(type, "ntdll", "NtSetInformationProcess") == null) { return(false); }
		if (DotNetUtils.GetPInvokeMethod(type, "kernel32", "CloseHandle") == null) { return(false); }
		var antiDebugMethod = GetAntiDebugMethod(type, initMethod);
		if (antiDebugMethod == null) { return(false); }
		// Either spelling of the message counts; only consulted after the structural checks below.
		bool hasDebuggerStrings = DotNetUtils.HasString(antiDebugMethod, "Debugger detected (Managed)") || DotNetUtils.HasString(antiDebugMethod, "Debugger is detected (Managed)");
		if (!DotNetUtils.CallsMethod(initMethod, "System.Void System.Threading.Thread::.ctor(System.Threading.ParameterizedThreadStart)")) { return(false); }
		// In the safe variant the worker never calls NtQueryInformationProcess directly.
		if (ConfuserUtils.CountCalls(antiDebugMethod, ntQueryInformationProcess) != 0) { return(false); }
		if (!CheckProfilerStrings1(initMethod) && !CheckProfilerStrings2(initMethod)) { return(false); }
		int failFastCalls = ConfuserUtils.CountCalls(antiDebugMethod, "System.Void System.Environment::FailFast(System.String)");
		if (failFastCalls != 2) { return(false); }
		if (hasDebuggerStrings) {
			if (!DotNetUtils.CallsMethod(antiDebugMethod, "System.Void System.Threading.Thread::.ctor(System.Threading.ParameterizedThreadStart)")) { version = ConfuserVersion.v16_r61954_safe; }
			else if (DotNetUtils.GetPInvokeMethod(type, "IsDebuggerPresent") == null) { version = ConfuserVersion.v17_r73822_safe; }
			else if (CheckProfilerStrings1(initMethod)) { version = ConfuserVersion.v17_r74021_safe; }
			else { version = ConfuserVersion.v19_r76119_safe; }
		}
		else {
			// No debugger message in the worker at all: r78363.
			version = ConfuserVersion.v19_r78363_safe;
		}
	}
	return(true);
}
// Recognises the "normal" anti-debug install method and assigns its Confuser version.
// Requires ntdll!NtQueryInformationProcess, ntdll!NtSetInformationProcess and kernel32!CloseHandle
// P/Invokes plus a worker method located by GetAntiDebugMethod. The thread constructor used by
// initMethod selects between the r61954+ layouts (Thread(ParameterizedThreadStart)) and the two
// r57588 / r60785 layouts. Returns false at the first missing feature; sets version on success.
bool CheckMethod_normal(TypeDef type, MethodDef initMethod) {
	var ntQueryInformationProcess = DotNetUtils.GetPInvokeMethod(type, "ntdll", "NtQueryInformationProcess");
	if (ntQueryInformationProcess == null) { return(false); }
	if (DotNetUtils.GetPInvokeMethod(type, "ntdll", "NtSetInformationProcess") == null) { return(false); }
	if (DotNetUtils.GetPInvokeMethod(type, "kernel32", "CloseHandle") == null) { return(false); }
	var antiDebugMethod = GetAntiDebugMethod(type, initMethod);
	if (antiDebugMethod == null) { return(false); }
	bool hasDebuggerStrings = DotNetUtils.HasString(antiDebugMethod, "Debugger detected (Managed)");
	if (DotNetUtils.CallsMethod(initMethod, "System.Void System.Threading.Thread::.ctor(System.Threading.ParameterizedThreadStart)")) {
		// The worker must call Environment.FailFast exactly 6 or 8 times.
		int failFastCalls = ConfuserUtils.CountCalls(antiDebugMethod, "System.Void System.Environment::FailFast(System.String)");
		if (failFastCalls != 6 && failFastCalls != 8) { return(false); }
		if (!CheckProfilerStrings1(initMethod)) { return(false); }
		if (!DotNetUtils.CallsMethod(antiDebugMethod, "System.Void System.Threading.Thread::.ctor(System.Threading.ParameterizedThreadStart)")) {
			// r61954: the worker does not start its own thread and calls NtQueryInformationProcess twice.
			if (!hasDebuggerStrings) { return(false); }
			if (ConfuserUtils.CountCalls(antiDebugMethod, ntQueryInformationProcess) != 2) { return(false); }
			version = ConfuserVersion.v16_r61954_normal;
		}
		else if (failFastCalls == 8) {
			if (!hasDebuggerStrings) { return(false); }
			if (ConfuserUtils.CountCalls(antiDebugMethod, ntQueryInformationProcess) != 2) { return(false); }
			version = ConfuserVersion.v17_r73822_normal;
		}
		else if (failFastCalls == 6) {
			// r74021+: IsDebuggerPresent P/Invoke present and no NtQueryInformationProcess calls in the worker.
			if (DotNetUtils.GetPInvokeMethod(type, "IsDebuggerPresent") == null) { return(false); }
			if (ConfuserUtils.CountCalls(antiDebugMethod, ntQueryInformationProcess) != 0) { return(false); }
			if (hasDebuggerStrings) { version = ConfuserVersion.v17_r74021_normal; }
			else { version = ConfuserVersion.v19_r78363_normal; }
		}
		else { return(false); }	// unreachable: failFastCalls is 6 or 8 here
	}
	else if (!DotNetUtils.CallsMethod(initMethod, "System.Void System.Threading.ThreadStart::.ctor(System.Object,System.IntPtr)")) {
		if (!hasDebuggerStrings) { return(false); }
		if (!DotNetUtils.CallsMethod(initMethod, "System.Void System.Diagnostics.Process::EnterDebugMode()")) { return(false); }
		if (!CheckProfilerStrings1(antiDebugMethod)) { return(false); }
		version = ConfuserVersion.v14_r57588_normal;
	}
	else {
		// Same requirements as r57588; only the ThreadStart(Object, IntPtr) constructor call differs.
		if (!hasDebuggerStrings) { return(false); }
		if (!DotNetUtils.CallsMethod(initMethod, "System.Void System.Diagnostics.Process::EnterDebugMode()")) { return(false); }
		if (!CheckProfilerStrings1(antiDebugMethod)) { return(false); }
		version = ConfuserVersion.v14_r60785_normal;
	}
	return(true);
}
// Recognises the resource-resolver install method (the one registering AppDomain.ResourceResolve)
// and extracts its handler, resource, key0/key1 and, for the r75369+ layouts, the LZMA type.
// Both the install method and the handler are deobfuscated in place before inspection and
// fields is cleared on every call, so a false return can still leave side effects behind.
// On success stores handler, resource, installMethod and version and returns true.
bool CheckMethod(MethodDef method) {
	if (method == null || method.Body == null) return false;
	if (!DotNetUtils.CallsMethod(method, "System.Void System.AppDomain::add_ResourceResolve(System.ResolveEventHandler)")) return false;
	simpleDeobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.Force | SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
	fields.Clear();
	var tmpHandler = GetHandler(method);
	// The handler must be declared on the same type as the install method.
	if (tmpHandler == null || tmpHandler.DeclaringType != method.DeclaringType) return false;
	var tmpResource = FindResource(tmpHandler);
	if (tmpResource == null) return false;
	simpleDeobfuscator.Deobfuscate(tmpHandler, SimpleDeobfuscatorFlags.Force | SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
	ConfuserVersion tmpVersion = ConfuserVersion.Unknown;
	if (DotNetUtils.CallsMethod(tmpHandler, "System.Object System.AppDomain::GetData(System.String)")) {
		// Handlers reading AppDomain data: r55802 (no Buffer.BlockCopy) or r73404.
		if (!DotNetUtils.CallsMethod(tmpHandler, "System.Void System.Buffer::BlockCopy(System.Array,System.Int32,System.Array,System.Int32,System.Int32)")) {
			if (!FindKey0Key1_v14_r55802(tmpHandler, out key0, out key1)) return false;
			tmpVersion = ConfuserVersion.v14_r55802;
		}
		else if (FindKey0_v17_r73404(tmpHandler, out key0) && FindKey1_v17_r73404(tmpHandler, out key1)) tmpVersion = ConfuserVersion.v17_r73404;
		else return false;
	}
	else {
		// AddFields must report exactly one field found on the declaring type.
		if (AddFields(FindFields(tmpHandler, method.DeclaringType)) != 1) return false;
		// Each key-finder pair must succeed together; they are tried in release order.
		if (FindKey0_v17_r73404(tmpHandler, out key0) && FindKey1_v17_r73404(tmpHandler, out key1)) tmpVersion = ConfuserVersion.v17_r73822;
		else if (FindKey0_v18_r75367(tmpHandler, out key0) && FindKey1_v17_r73404(tmpHandler, out key1)) tmpVersion = ConfuserVersion.v18_r75367;
		else if (FindKey0_v18_r75369(tmpHandler, out key0) && FindKey1_v18_r75369(tmpHandler, out key1)) {
			// An LZMA decoder type in the handler distinguishes r77172 from r75369.
			lzmaType = ConfuserUtils.FindLzmaType(tmpHandler);
			if (lzmaType == null) tmpVersion = ConfuserVersion.v18_r75369;
			else tmpVersion = ConfuserVersion.v19_r77172;
		}
		else return false;
	}
	handler = tmpHandler;
	resource = tmpResource;
	installMethod = method;
	version = tmpVersion;
	return true;
}
// Fingerprints the r58852+ anti-tamper initializer: VirtualProtect P/Invoke, a Marshal.GetHINSTANCE
// call, 14 or 16 VirtualProtect calls and five marker constants (0x3C plus four 32-bit values that
// look like little-endian ASCII chunks of "ntdll.dll" / "NtContin" — TODO confirm).
// The exact version is then chosen from the 0x18 constant, the VirtualProtect count and the
// number of localloc opcodes. Sets version and returns true on success.
bool CheckType_v14_r58852(TypeDef type, MethodDef initMethod) {
	var virtProtect = DotNetUtils.GetPInvokeMethod(type, "VirtualProtect");
	if (virtProtect == null) {
		return false;
	}
	if (!DotNetUtils.CallsMethod(initMethod, "System.IntPtr System.Runtime.InteropServices.Marshal::GetHINSTANCE(System.Reflection.Module)")) {
		return false;
	}
	int vpCalls = ConfuserUtils.CountCalls(initMethod, virtProtect);
	bool vpCountOk = vpCalls == 14 || vpCalls == 16;
	if (!vpCountOk) {
		return false;
	}
	// Same evaluation order as the original chain of guards.
	bool hasMarkers = DeobUtils.HasInteger(initMethod, 0x3C)
		&& DeobUtils.HasInteger(initMethod, 0x6c64746e)
		&& DeobUtils.HasInteger(initMethod, 0x6c642e6c)
		&& DeobUtils.HasInteger(initMethod, 0x6f43744e)
		&& DeobUtils.HasInteger(initMethod, 0x6e69746e);
	if (!hasMarkers) {
		return false;
	}
	int locallocs = ConfuserUtils.CountOpCode(initMethod, Code.Localloc);
	if (DeobUtils.HasInteger(initMethod, 0x18)) {
		version = ConfuserVersion.v14_r58852;
		return true;
	}
	if (vpCalls == 16) {
		version = ConfuserVersion.v16_r69339;
		return true;
	}
	// vpCalls == 14 from here on; the localloc count decides.
	switch (locallocs) {
	case 2:
		version = ConfuserVersion.v17_r74708;
		return true;
	case 1:
		if (DotNetUtils.HasString(initMethod, "<Unknown>")) {
			version = ConfuserVersion.v18_r75257;
		}
		else if (IsRev75725(initMethod)) {
			version = ConfuserVersion.v19_r75725;
		}
		else {
			version = ConfuserVersion.v19_r76186;
		}
		return true;
	default:
		return false;
	}
}
// Picks one of the three candidate versions: the 0x100 / 0x10000 / 0xFFFF constants together
// select normal; otherwise a native helper found by FindNativeMethod selects native, else dynamic.
// nativeMethod is only (re)assigned when the constant check fails.
void InitVersion(MethodDef method, ConfuserVersion normal, ConfuserVersion dynamic, ConfuserVersion native) {
	bool hasNormalConstants = DeobUtils.HasInteger(method, 0x100)
		&& DeobUtils.HasInteger(method, 0x10000)
		&& DeobUtils.HasInteger(method, 0xFFFF);
	if (hasNormalConstants) {
		version = normal;
		return;
	}
	nativeMethod = FindNativeMethod(method);
	version = nativeMethod == null ? dynamic : native;
}
// Forwards construction to the base decrypter and, when an earlier instance is supplied,
// carries its detected version over.
public MemoryMethodsDecrypter(ModuleDefMD module, ISimpleDeobfuscator simpleDeobfuscator, MemoryMethodsDecrypter other)
	: base(module, simpleDeobfuscator, other) {
	if (other == null)
		return;
	this.version = other.version;
}
// Value holder pairing a decrypt method with the Confuser version it was recognised as.
public DecrypterInfoV17(ConfuserVersion version, MethodDef decryptMethod) {
	this.decryptMethod = decryptMethod;
	this.version = version;
}
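// Detects the Confuser packer stub and collects what unpacking needs: the decrypt method's key0,
// the assembly-resolver key1 (r58802+), the entry point token, the main assembly resource and the
// stub version. Returns silently when the module does not look like a packed stub; throws
// ApplicationException once a stub is recognised but its magic or resource cannot be found.
// Fix: FindKey1 now writes the key1 field instead of a throw-away local (`out uint key1`
// declared a new local that shadowed the field, so the resolver key was never stored).
public void Find(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
	var entryPoint = module.EntryPoint;
	if (entryPoint == null) {
		return;
	}
	if (!new LocalTypes(entryPoint).All(requiredEntryPointLocals)) {
		return;
	}
	var type = entryPoint.DeclaringType;
	if (!new FieldTypes(type).All(requiredFields)) {
		return;
	}
	// Six nested types is taken to mean the 7-zip decoder is embedded; otherwise inflate is used.
	bool use7zip = type.NestedTypes.Count == 6;
	MethodDef decyptMethod;
	if (use7zip) {
		decyptMethod = FindDecryptMethod_7zip(type);
	}
	else {
		decyptMethod = FindDecryptMethod_inflate(type);
	}
	if (decyptMethod == null) {
		return;
	}
	var theVersion = ConfuserVersion.Unknown;
	var decryptLocals = new LocalTypes(decyptMethod);
	if (decryptLocals.Exists("System.IO.MemoryStream")) {
		if (DotNetUtils.CallsMethod(entryPoint, "System.Void", "(System.String,System.Byte[])")) {
			theVersion = ConfuserVersion.v10_r42915;
		}
		else if (DotNetUtils.CallsMethod(entryPoint, "System.Void", "(System.Security.Permissions.PermissionState)")) {
			theVersion = ConfuserVersion.v10_r48717;
		}
		else {
			theVersion = ConfuserVersion.v14_r57778;
		}
	}
	else {
		theVersion = ConfuserVersion.v14_r58564;
	}
	var cctor = type.FindStaticConstructor();
	if (cctor == null) {
		return;
	}
	// An assembly-resolver method overrides whatever the locals suggested above.
	if ((asmResolverMethod = FindAssemblyResolverMethod(entryPoint.DeclaringType)) != null) {
		theVersion = ConfuserVersion.v14_r58802;
		simpleDeobfuscator.Deobfuscate(asmResolverMethod);
		// Store the resolver key in the field; it is consumed later by the unpacking step.
		if (!FindKey1(asmResolverMethod, out key1)) {
			return;
		}
	}
	switch (theVersion) {
	case ConfuserVersion.v10_r42915:
	case ConfuserVersion.v10_r48717:
	case ConfuserVersion.v14_r57778:
		break;
	case ConfuserVersion.v14_r58564:
	case ConfuserVersion.v14_r58802:
		simpleDeobfuscator.Deobfuscate(decyptMethod);
		if (FindKey0_v14_r58564(decyptMethod, out key0)) {
			break;
		}
		if (FindKey0_v14_r58852(decyptMethod, out key0)) {
			if (!decryptLocals.Exists("System.Security.Cryptography.RijndaelManaged")) {
				theVersion = ConfuserVersion.v14_r58852;
				break;
			}
			if (use7zip) {
				if (new LocalTypes(decyptMethod).Exists("System.IO.MemoryStream")) {
					theVersion = ConfuserVersion.v17_r75076;
				}
				else if (module.Name == "Stub.exe") {
					theVersion = ConfuserVersion.v18_r75184;
				}
				else if (!IsGetLenToPosStateMethodPrivate(type)) {
					theVersion = ConfuserVersion.v18_r75367;
				}
				else {
					theVersion = ConfuserVersion.v19_r77172;
				}
			}
			else if (IsDecryptMethod_v17_r73404(decyptMethod)) {
				theVersion = ConfuserVersion.v17_r73404;
			}
			else {
				theVersion = ConfuserVersion.v15_r60785;
			}
			break;
		}
		// Neither key0 finder matched: the stub is recognised but its layout is not.
		throw new ApplicationException("Could not find magic");
	default:
		throw new ApplicationException("Invalid version");
	}
	simpleDeobfuscator.Deobfuscate(cctor);
	simpleDeobfuscator.DecryptStrings(cctor, deob);
	if (FindEntryPointToken(simpleDeobfuscator, cctor, entryPoint, out entryPointToken) && !use7zip) {
		// asmResolverMethod is still null on the v10 / v14_r57778 paths; guard it instead of relying
		// on the callee. A missing resolver behaves like a resolver without the (string) call.
		if (asmResolverMethod != null && DotNetUtils.CallsMethod(asmResolverMethod, "System.Void", "(System.String)")) {
			theVersion = ConfuserVersion.v17_r73477;
		}
		else {
			theVersion = ConfuserVersion.v17_r73566;
		}
	}
	mainAsmResource = FindResource(cctor);
	if (mainAsmResource == null) {
		throw new ApplicationException("Could not find main assembly resource");
	}
	version = theVersion;
}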
// Scans the module type for proxy (delegate) creator methods: static, assembly-visible methods
// with signature void(string, RuntimeFieldHandle) or void(RuntimeFieldHandle) that
// GetProxyCreatorType recognises. The Confuser version is then refined from which magic / native
// method finder matches. Every accepted creator is registered via SetDelegateCreatorMethod and
// methodToInfo, and version is raised to the highest version seen so far (enum order).
// Side effects on rejected candidates: the method has been deobfuscated in place, and
// foundNewobjProxy / callvirtChar may already have been updated.
public void FindDelegateCreator(ISimpleDeobfuscator simpleDeobfuscator) {
	var type = DotNetUtils.GetModuleType(module);
	if (type == null) return;
	foreach (var method in type.Methods) {
		if (method.Body == null || !method.IsStatic || !method.IsAssembly) continue;
		// The signature fixes the baseline version; the checks below can only move it forward.
		ConfuserVersion theVersion = ConfuserVersion.Unknown;
		if (DotNetUtils.IsMethod(method, "System.Void", "(System.String,System.RuntimeFieldHandle)")) theVersion = ConfuserVersion.v10_r42915;
		else if (DotNetUtils.IsMethod(method, "System.Void", "(System.RuntimeFieldHandle)")) theVersion = ConfuserVersion.v10_r48717;
		else continue;
		int tmpVer;
		var proxyType = GetProxyCreatorType(method, simpleDeobfuscator, out tmpVer);
		if (proxyType == ProxyCreatorType.None) continue;
		if (proxyType == ProxyCreatorType.Newobj) foundNewobjProxy = true;
		simpleDeobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
		MethodDef nativeMethod = null;
		// Definitely assigned: the first FindMagic_v14_r58564 call writes it through the out
		// parameter whatever it returns; later branches may overwrite it.
		uint magic;
		if (FindMagic_v14_r58564(method, out magic)) {
			if (!DotNetUtils.CallsMethod(method, "System.Byte[] System.Convert::FromBase64String(System.String)")) {
				if (!IsMethodCreator_v14_r58802(method, proxyType)) theVersion = ConfuserVersion.v14_r58564;
				else theVersion = ConfuserVersion.v14_r58802;
			}
			else if (DotNetUtils.CallsMethod(method, "System.Reflection.Module System.Reflection.MemberInfo::get_Module()")) theVersion = ConfuserVersion.v17_r73479;
			else if (proxyType != ProxyCreatorType.CallOrCallvirt || !HasFieldReference(method, "System.Reflection.Emit.OpCode System.Reflection.Emit.OpCodes::Castclass")) theVersion = ConfuserVersion.v14_r58857;
			else if (proxyType == ProxyCreatorType.CallOrCallvirt && DotNetUtils.CallsMethod(method, "System.Void System.Reflection.Emit.DynamicMethod::.ctor(System.String,System.Type,System.Type[],System.Boolean)")) theVersion = ConfuserVersion.v16_r66631;
			else if (proxyType == ProxyCreatorType.CallOrCallvirt) theVersion = ConfuserVersion.v16_r70489;
		}
		else if (!DotNetUtils.CallsMethod(method, "System.Byte[] System.Convert::FromBase64String(System.String)") && DotNetUtils.CallsMethod(method, "System.Reflection.MethodBase System.Reflection.Module::ResolveMethod(System.Int32)")) {
			// Module.ResolveMethod-based creators: r75367 / r75369 (callvirtChar == 9 picks r75367),
			// then the r76101+ family via CommonCheckVersion19, else the v11–v13 builds below.
			if (proxyType == ProxyCreatorType.CallOrCallvirt && !FindCallvirtChar(method, out callvirtChar)) continue;
			if ((nativeMethod = FindNativeMethod_v18_r75367(method)) != null) theVersion = proxyType != ProxyCreatorType.CallOrCallvirt || callvirtChar == 9 ? ConfuserVersion.v18_r75367_native : ConfuserVersion.v18_r75369_native;
			else if (FindMagic_v18_r75367(method, out magic)) theVersion = proxyType != ProxyCreatorType.CallOrCallvirt || callvirtChar == 9 ? ConfuserVersion.v18_r75367_normal : ConfuserVersion.v18_r75369_normal;
			else if (FindMagic_v19_r76101(method, out magic)) CommonCheckVersion19(method, true, tmpVer, ref theVersion);
			else if ((nativeMethod = FindNativeMethod_v19_r76101(method)) != null) CommonCheckVersion19(method, false, tmpVer, ref theVersion);
			else {
				// Cumulative checks: each later build's marker overrides the previous assignment.
				if (proxyType == ProxyCreatorType.CallOrCallvirt && !DotNetUtils.CallsMethod(method, "System.Int32 System.String::get_Length()")) theVersion = ConfuserVersion.v11_r50378;
				int numCalls = ConfuserUtils.CountCalls(method, "System.Byte[] System.Text.Encoding::GetBytes(System.Char[],System.Int32,System.Int32)");
				if (numCalls == 2) theVersion = ConfuserVersion.v12_r54564;
				if (!DotNetUtils.CallsMethod(method, "System.Reflection.Assembly System.Reflection.Assembly::Load(System.Reflection.AssemblyName)")) theVersion = ConfuserVersion.v13_r55346;
				if (DotNetUtils.CallsMethod(method, "System.Void System.Runtime.CompilerServices.RuntimeHelpers::RunClassConstructor(System.RuntimeTypeHandle)")) theVersion = ConfuserVersion.v13_r55604;
			}
		}
		else if (Is_v17_r73740(method)) {
			// Type.IsArray usage separates r74708 from r73740; each needs either a native method or a magic.
			if (DotNetUtils.CallsMethod(method, "System.Boolean System.Type::get_IsArray()")) {
				if ((nativeMethod = FindNativeMethod_v17_r73740(method)) != null) theVersion = ConfuserVersion.v17_r74708_native;
				else if (FindMagic_v17_r73740(method, out magic)) theVersion = ConfuserVersion.v17_r74708_normal;
				else continue;
			}
			else {
				if ((nativeMethod = FindNativeMethod_v17_r73740(method)) != null) theVersion = ConfuserVersion.v17_r73740_native;
				else if (FindMagic_v17_r73740(method, out magic)) theVersion = ConfuserVersion.v17_r73740_normal;
				else continue;
			}
		}
		else if (theVersion == ConfuserVersion.v10_r42915) {
			// 0x06000000 is the MethodDef metadata-token base; presumably r42919 embeds it — confirm.
			if (DeobUtils.HasInteger(method, 0x06000000)) theVersion = ConfuserVersion.v10_r42919;
		}
		SetDelegateCreatorMethod(method);
		methodToInfo.Add(method, new ProxyCreatorInfo(method, proxyType, theVersion, magic, nativeMethod, callvirtChar));
		version = (ConfuserVersion)Math.Max((int)version, (int)theVersion);
	}
}
// Finds the string decrypter: the first static method of the module type with signature
// "System.String (System.Int32)" and the required local types from which both magic values can be
// extracted. The version is chosen from the Encoding.UTF8 call, the locals and (for r58802_safe) key1.
// version, magic1, magic2 and key1 are written while a candidate is being examined, so they only
// describe the accepted method once decryptMethod has been set.
public void Find(ISimpleDeobfuscator simpleDeobfuscator) {
	var type = DotNetUtils.GetModuleType(module);
	if (type == null) return;
	foreach (var method in type.Methods) {
		if (!method.IsStatic || method.Body == null) continue;
		if (!DotNetUtils.IsMethod(method, "System.String", "(System.Int32)")) continue;
		var localTypes = new LocalTypes(method);
		if (!localTypes.All(requiredLocals)) continue;
		simpleDeobfuscator.Deobfuscate(method);
		// The FindMagic1 layout is tried before the FindNewMagic1 layout; which one matched drives the version choice.
		bool foundOldMagic1;
		if (FindMagic1(method, out magic1)) foundOldMagic1 = true;
		else if (FindNewMagic1(method, out magic1)) foundOldMagic1 = false;
		else continue;
		if (!FindMagic2(method, out magic2)) continue;
		version = ConfuserVersion.Unknown;
		if (DotNetUtils.CallsMethod(method, "System.Text.Encoding System.Text.Encoding::get_UTF8()")) {
			if (foundOldMagic1) {
				if (DotNetUtils.CallsMethod(method, "System.Object System.AppDomain::GetData(System.String)")) version = ConfuserVersion.v13_r55604_safe;
				else version = ConfuserVersion.v10_r42915;
			}
			else {
				if (!FindSafeKey1(method, out key1)) continue;
				version = ConfuserVersion.v14_r58802_safe;
			}
		}
		else if (!localTypes.Exists("System.Random")) {
			if (foundOldMagic1) version = ConfuserVersion.v11_r49299;
			else version = ConfuserVersion.v14_r58802_dynamic;
		}
		else if (localTypes.Exists("System.Collections.Generic.Dictionary`2<System.Int32,System.String>")) version = ConfuserVersion.v10_r48832;
		// A System.Random local without the Dictionary`2 local leaves version Unknown and is skipped.
		if (version == ConfuserVersion.Unknown) continue;
		decryptMethod = method;
		break;
	}
}
// Resolves the v1.9 proxy-creator version from the proxy layout number (1 or 2) and whether the
// creator uses a magic constant (isNormal) or a native helper. For layout 2 the ctor-proxy check
// selects the r78963 Newobj variants over r78363. Returns false, leaving theVersion untouched,
// for any other layout number.
static bool CommonCheckVersion19(MethodDef method, bool isNormal, int tmpProxyVer, ref ConfuserVersion theVersion) {
	switch (tmpProxyVer) {
	case 1:
		theVersion = isNormal ? ConfuserVersion.v19_r76101_normal : ConfuserVersion.v19_r76101_native;
		return true;
	case 2: {
		bool isNewobjCtorProxy = CheckCtorProxyType_v19_r78963(method);
		if (isNewobjCtorProxy)
			theVersion = isNormal ? ConfuserVersion.v19_r78963_normal_Newobj : ConfuserVersion.v19_r78963_native_Newobj;
		else
			theVersion = isNormal ? ConfuserVersion.v19_r78363_normal : ConfuserVersion.v19_r78363_native;
		return true;
	}
	default:
		return false;
	}
}
// Fingerprints the r58564 anti-tamper initializer: the type must P/Invoke VirtualProtect,
// initMethod must call Marshal.GetHINSTANCE, call VirtualProtect exactly 3 times and carry the
// constants 224, 240 and 267. Sets version and returns true only when all of that holds.
bool CheckType_v14_r58564(TypeDef type, MethodDef initMethod) {
	var virtProtect = DotNetUtils.GetPInvokeMethod(type, "VirtualProtect");
	if (virtProtect == null)
		return false;
	bool callsGetHInstance = DotNetUtils.CallsMethod(initMethod, "System.IntPtr System.Runtime.InteropServices.Marshal::GetHINSTANCE(System.Reflection.Module)");
	if (!callsGetHInstance || ConfuserUtils.CountCalls(initMethod, virtProtect) != 3)
		return false;
	// All three constants are required; evaluation order matches the original guards.
	bool hasConstants = DeobUtils.HasInteger(initMethod, 224)
		&& DeobUtils.HasInteger(initMethod, 240)
		&& DeobUtils.HasInteger(initMethod, 267);
	if (!hasConstants)
		return false;
	version = ConfuserVersion.v14_r58564;
	return true;
}
// Classifies a proxy-creator method. The V1 pattern is checked on the method as-is; the V2
// pattern is only checked after the method has been run through simpleDeobfuscator.
// version receives 1 or 2 for the matching pattern and 0 when neither matches (return None).
static ProxyCreatorType GetProxyCreatorType(MethodDef method, ISimpleDeobfuscator simpleDeobfuscator, out int version) {
	version = 0;
	var creatorType = GetProxyCreatorTypeV1(method);
	if (creatorType != ProxyCreatorType.None) {
		version = 1;
		return creatorType;
	}
	simpleDeobfuscator.Deobfuscate(method);
	creatorType = GetProxyCreatorTypeV2(method);
	if (creatorType != ProxyCreatorType.None)
		version = 2;
	return creatorType;
}
// Value holder tying a decrypt method to its owning constants decrypter and recognised version.
public DecrypterInfo(ConstantsDecrypterV18 constantsDecrypter, MethodDef method, ConfuserVersion version) {
	this.version = version;
	this.method = method;
	this.constantsDecrypter = constantsDecrypter;
}
// Recognises the "normal" anti-debug install method and assigns its Confuser version.
// Requires ntdll!NtQueryInformationProcess, ntdll!NtSetInformationProcess and kernel32!CloseHandle
// P/Invokes plus a worker method located by GetAntiDebugMethod. The thread constructor used by
// initMethod selects between the r61954+ layouts (Thread(ParameterizedThreadStart)) and the two
// r57588 / r60785 layouts. Returns false at the first missing feature; sets version on success.
bool CheckMethod_normal(TypeDef type, MethodDef initMethod) {
	var ntQueryInformationProcess = DotNetUtils.GetPInvokeMethod(type, "ntdll", "NtQueryInformationProcess");
	if (ntQueryInformationProcess == null) return false;
	if (DotNetUtils.GetPInvokeMethod(type, "ntdll", "NtSetInformationProcess") == null) return false;
	if (DotNetUtils.GetPInvokeMethod(type, "kernel32", "CloseHandle") == null) return false;
	var antiDebugMethod = GetAntiDebugMethod(type, initMethod);
	if (antiDebugMethod == null) return false;
	bool hasDebuggerStrings = DotNetUtils.HasString(antiDebugMethod, "Debugger detected (Managed)");
	if (DotNetUtils.CallsMethod(initMethod, "System.Void System.Threading.Thread::.ctor(System.Threading.ParameterizedThreadStart)")) {
		// The worker must call Environment.FailFast exactly 6 or 8 times.
		int failFastCalls = ConfuserUtils.CountCalls(antiDebugMethod, "System.Void System.Environment::FailFast(System.String)");
		if (failFastCalls != 6 && failFastCalls != 8) return false;
		if (!CheckProfilerStrings1(initMethod)) return false;
		if (!DotNetUtils.CallsMethod(antiDebugMethod, "System.Void System.Threading.Thread::.ctor(System.Threading.ParameterizedThreadStart)")) {
			// r61954: the worker does not start its own thread and calls NtQueryInformationProcess twice.
			if (!hasDebuggerStrings) return false;
			if (ConfuserUtils.CountCalls(antiDebugMethod, ntQueryInformationProcess) != 2) return false;
			version = ConfuserVersion.v16_r61954_normal;
		}
		else if (failFastCalls == 8) {
			if (!hasDebuggerStrings) return false;
			if (ConfuserUtils.CountCalls(antiDebugMethod, ntQueryInformationProcess) != 2) return false;
			version = ConfuserVersion.v17_r73822_normal;
		}
		else if (failFastCalls == 6) {
			// r74021+: IsDebuggerPresent P/Invoke present and no NtQueryInformationProcess calls in the worker.
			if (DotNetUtils.GetPInvokeMethod(type, "IsDebuggerPresent") == null) return false;
			if (ConfuserUtils.CountCalls(antiDebugMethod, ntQueryInformationProcess) != 0) return false;
			if (hasDebuggerStrings) version = ConfuserVersion.v17_r74021_normal;
			else version = ConfuserVersion.v19_r78363_normal;
		}
		else return false;	// unreachable: failFastCalls is 6 or 8 here
	}
	else if (!DotNetUtils.CallsMethod(initMethod, "System.Void System.Threading.ThreadStart::.ctor(System.Object,System.IntPtr)")) {
		if (!hasDebuggerStrings) return false;
		if (!DotNetUtils.CallsMethod(initMethod, "System.Void System.Diagnostics.Process::EnterDebugMode()")) return false;
		if (!CheckProfilerStrings1(antiDebugMethod)) return false;
		version = ConfuserVersion.v14_r57588_normal;
	}
	else {
		// Same requirements as r57588; only the ThreadStart(Object, IntPtr) constructor call differs.
		if (!hasDebuggerStrings) return false;
		if (!DotNetUtils.CallsMethod(initMethod, "System.Void System.Diagnostics.Process::EnterDebugMode()")) return false;
		if (!CheckProfilerStrings1(antiDebugMethod)) return false;
		version = ConfuserVersion.v14_r60785_normal;
	}
	return true;
}