// Finds the SmartAssembly.Delegates.GetString delegate
TypeDef FindGetStringDelegate(MethodDef stringsCreateDelegateMethod)
{
if (!stringsCreateDelegateMethod.HasBody)
{
return(null);
}
foreach (var ldtoken in stringsCreateDelegateMethod.Body.Instructions)
{
if (ldtoken.OpCode.Code != Code.Ldtoken)
{
continue;
}
var typeToken = ldtoken.Operand as ITypeDefOrRef;
if (typeToken == null)
{
continue;
}
var delegateType = GetType(typeToken);
if (!DotNetUtils.DerivesFromDelegate(delegateType))
{
continue;
}
var invoke = delegateType.FindMethod("Invoke");
if (invoke == null || !DotNetUtils.IsMethod(invoke, "System.String", "(System.Int32)"))
{
continue;
}
return(delegateType);
}
return(null);
}
// Finds the SmartAssembly.StringsEncoding.Strings class. This class decrypts the
// strings in the resources. It gets called by the SmartAssembly.Delegates.GetString
// delegate instances which were created by SmartAssembly.HouseOfCards.Strings.
TypeDef FindStringDecrypterClass(MethodDef stringsCreateDelegateMethod)
{
if (!stringsCreateDelegateMethod.HasBody)
{
return(null);
}
foreach (var ldtoken in stringsCreateDelegateMethod.Body.Instructions)
{
if (ldtoken.OpCode.Code != Code.Ldtoken)
{
continue;
}
var typeToken = ldtoken.Operand as ITypeDefOrRef;
if (typeToken == null)
{
continue;
}
var type = GetType(typeToken);
if (type == null || DotNetUtils.DerivesFromDelegate(type))
{
continue;
}
if (!CouldBeStringDecrypterClass(type))
{
continue;
}
return(type);
}
return(null);
}
bool CanRenameMethod(MMethodDef methodDef)
{
var methodInfo = Method(methodDef);
if (methodDef.IsStatic())
{
if (methodInfo.oldName == ".cctor")
{
return(false);
}
}
else if (methodDef.IsVirtual())
{
if (DotNetUtils.DerivesFromDelegate(type.TypeDef))
{
switch (methodInfo.oldName)
{
case "BeginInvoke":
case "EndInvoke":
case "Invoke":
return(false);
}
}
}
else
{
if (methodInfo.oldName == ".ctor")
{
return(false);
}
}
return(true);
}
public void Read(MethodDef method)
{
gpContext = GenericParamContext.Create(method);
flags = (MethodFlags)reader.ReadByte();
if (HasDelegateType)
{
delegateType = Resolve <TypeDef>(ReadTypeToken());
if (!DotNetUtils.DerivesFromDelegate(delegateType))
{
throw new ApplicationException("Invalid delegate type");
}
}
if (HasLocals)
{
ReadLocals((int)reader.Read7BitEncodedUInt32());
}
if (HasInstructions)
{
ReadInstructions((int)reader.Read7BitEncodedUInt32());
}
if (HasExceptionHandlers)
{
ReadExceptionHandlers((int)reader.Read7BitEncodedUInt32());
}
}
public void FindDelegateCreator(ModuleDefMD module)
{
var callCounter = new CallCounter();
foreach (var type in module.Types)
{
if (type.Namespace != "" || !DotNetUtils.DerivesFromDelegate(type))
{
continue;
}
var cctor = type.FindStaticConstructor();
if (cctor == null)
{
continue;
}
foreach (var method in DotNetUtils.GetMethodCalls(cctor))
{
callCounter.Add(method);
}
}
var mostCalls = callCounter.Most();
if (mostCalls == null)
{
return;
}
SetDelegateCreatorMethod(DotNetUtils.GetMethod(module, mostCalls));
}
FieldDefAndDeclaringTypeDict<DelegateInitInfo> CreateDelegateInitInfos_v10_r42915(MethodDef method) {
var infos = new FieldDefAndDeclaringTypeDict<DelegateInitInfo>();
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count - 2; i++) {
var ldstr = instrs[i];
if (ldstr.OpCode.Code != Code.Ldstr)
continue;
var info = ldstr.Operand as string;
if (info == null)
continue;
var ldtoken = instrs[i + 1];
if (ldtoken.OpCode.Code != Code.Ldtoken)
continue;
var delegateField = ldtoken.Operand as FieldDef;
if (delegateField == null)
continue;
var delegateType = delegateField.FieldType.TryGetTypeDef();
if (!DotNetUtils.DerivesFromDelegate(delegateType))
continue;
var call = instrs[i + 2];
if (call.OpCode.Code != Code.Call)
continue;
var delegateCreatorMethod = call.Operand as MethodDef;
if (delegateCreatorMethod == null || !IsDelegateCreatorMethod(delegateCreatorMethod))
continue;
infos.Add(delegateField, new DelegateInitInfo(info, delegateField, delegateCreatorMethod));
i += 2;
}
return infos;
}
bool CheckMemoryManagerType(TypeDef type, MethodDef method)
{
// Only two fields: itself and a long
int fields = 0;
foreach (var field in type.Fields)
{
if (new SigComparer().Equals(field.FieldType, type) ||
field.FieldType.FullName == "System.Int64")
{
fields++;
continue;
}
if (DotNetUtils.DerivesFromDelegate(DotNetUtils.GetType(module, field.FieldType)))
{
continue;
}
return(false);
}
if (fields != 2)
{
return(false);
}
if (DotNetUtils.GetPInvokeMethod(type, "kernel32", "SetProcessWorkingSetSize") == null)
{
return(false);
}
return(true);
}
public override void DeobfuscateBegin()
{
base.DeobfuscateBegin();
cliSecureRtType.FindStringDecrypterMethod();
stringDecrypter.AddDecrypterInfos(cliSecureRtType.StringDecrypterInfos);
stringDecrypter.Initialize();
AddAttributesToBeRemoved(cliSecureAttributes, "Obfuscator attribute");
if (options.DecryptResources)
{
DecryptResources(resourceDecrypter);
AddCctorInitCallToBeRemoved(resourceDecrypter.RsrcRrrMethod);
}
stackFrameHelper = new StackFrameHelper(Module);
stackFrameHelper.Find();
foreach (var type in Module.Types)
{
if (type.FullName == "InitializeDelegate" && DotNetUtils.DerivesFromDelegate(type))
{
this.AddTypeToBeRemoved(type, "Obfuscator type");
}
}
proxyCallFixer.Find();
foreach (var info in stringDecrypter.StringDecrypterInfos)
{
staticStringInliner.Add(info.Method, (method, gim, args) => stringDecrypter.Decrypt((string)args[0]));
}
DeobfuscatedFile.StringDecryptersAdded();
if (options.DecryptMethods)
{
AddCctorInitCallToBeRemoved(cliSecureRtType.InitializeMethod);
AddCctorInitCallToBeRemoved(cliSecureRtType.PostInitializeMethod);
FindPossibleNamesToRemove(cliSecureRtType.LoadMethod);
}
if (options.RestoreVmCode && (csvmV1.Detected || csvmV2.Detected))
{
if (csvmV1.Detected && csvmV1.Restore())
{
AddResourceToBeRemoved(csvmV1.Resource, "CSVM data resource");
}
else if (csvmV2.Detected && csvmV2.Restore())
{
AddResourceToBeRemoved(csvmV2.Resource, "CSVM data resource");
}
else
{
Logger.e("Couldn't restore VM methods. Use --dont-rename or it will not run");
PreserveTokensAndTypes();
}
}
}
static TypeSig GetCommonBaseClass(ModuleDef module, TypeSig a, TypeSig b)
{
if (DotNetUtils.IsDelegate(a) && DotNetUtils.DerivesFromDelegate(module.Find(b.ToTypeDefOrRef())))
{
return(b);
}
if (DotNetUtils.IsDelegate(b) && DotNetUtils.DerivesFromDelegate(module.Find(a.ToTypeDefOrRef())))
{
return(a);
}
return(null); //TODO:
}
static MethodDef FindStringDecrypters(TypeDef type, FieldDef keyArrayField, out FieldDef field)
{
FieldDef foundField = null;
foreach (var method in type.Methods)
{
if (!method.IsAssembly || !method.IsStatic)
{
continue;
}
if (!DotNetUtils.IsMethod(method, "System.String", "(System.String)"))
{
continue;
}
if (!method.HasBody)
{
continue;
}
bool accessedArrayField = false;
foreach (var instr in method.Body.Instructions)
{
var f = instr.Operand as FieldDef;
accessedArrayField |= f == keyArrayField;
if (f == null || f == keyArrayField || f == foundField)
{
continue;
}
if (DotNetUtils.DerivesFromDelegate(f.DeclaringType))
{
continue;
}
if (f.FieldSig.GetFieldType().GetFullName() != "System.Collections.Hashtable" ||
foundField != null)
{
goto exit;
}
foundField = f;
}
if (!accessedArrayField)
{
continue;
}
field = foundField;
return(method);
}
exit :;
field = null;
return(null);
}
bool CheckDelegateType(TypeDef type)
{
if (!DotNetUtils.DerivesFromDelegate(type))
{
return(false);
}
var invoke = type.FindMethod("Invoke");
if (invoke == null)
{
return(false);
}
return(CheckDelegateInvokeMethod(invoke));
}
bool GetDelegate(TypeDef type, out FieldDef field, out TypeDef del)
{
foreach (var fld in type.Fields)
{
var theDelegate = fld.FieldType.TryGetTypeDef();
if (theDelegate != null && DotNetUtils.DerivesFromDelegate(theDelegate))
{
field = fld;
del = theDelegate;
return(true);
}
}
field = null;
del = null;
return(false);
}
protected override bool CheckResolverType(TypeDef type)
{
if (DotNetUtils.FindFieldType(type, "System.Collections.Hashtable", true) != null ||
DotNetUtils.FindFieldType(type, "System.Collections.Generic.Dictionary`2<System.String,System.Reflection.Assembly>", true) != null)
{
return(true);
}
foreach (var field in type.Fields)
{
if (DotNetUtils.DerivesFromDelegate(DotNetUtils.GetType(module, field.FieldType)))
{
continue;
}
if (field.IsLiteral && field.FieldType.ToString() == "System.String")
{
continue;
}
return(false);
}
return(true);
}
public void FindFields()
{
if (Methods == null || Methods.Count == 0)
{
return;
}
var initializations = new List <DelegateInitInfo>();
var mnoduleType = DotNetUtils.GetModuleType(Module);
if (mnoduleType != null)
{
foreach (var method in mnoduleType.Methods)
{
var inits = FindFieldInitializations(method);
if (inits == null || inits.Count == 0)
{
continue;
}
initializations.AddRange(inits);
}
}
foreach (var type in Module.GetTypes())
{
if (!DotNetUtils.DerivesFromDelegate(type))
{
continue;
}
var inits = FindFieldInitializations(type.FindStaticConstructor());
if (inits == null || inits.Count == 0)
{
continue;
}
initializations.AddRange(inits);
}
Initializations = initializations;
}
static FieldDef GetDelegateField(MethodDef method) {
if (method == null || method.Body == null)
return null;
FieldDef field = null;
bool foundInvoke = false;
foreach (var instr in method.Body.Instructions) {
if (instr.OpCode.Code == Code.Ldsfld) {
var field2 = instr.Operand as FieldDef;
if (field2 == null || field2.DeclaringType != method.DeclaringType)
continue;
if (field != null)
return null;
if (!DotNetUtils.DerivesFromDelegate(field2.FieldType.TryGetTypeDef()))
continue;
field = field2;
}
else if (instr.OpCode.Code == Code.Call || instr.OpCode.Code == Code.Callvirt) {
var calledMethod = instr.Operand as IMethod;
foundInvoke |= calledMethod != null && calledMethod.Name == "Invoke";
}
}
return foundInvoke ? field : null;
}
