public void Find() { foreach (var calledMethod in DotNetUtils.GetCalledMethods(module, DotNetUtils.GetModuleTypeCctor(module))) { if (!DotNetUtils.IsMethod(calledMethod, "System.Void", "()")) { continue; } if (calledMethod.DeclaringType.FullName != "<PrivateImplementationDetails>{F1C5056B-0AFC-4423-9B83-D13A26B48869}") { continue; } nativeLibCallerType = calledMethod.DeclaringType; initMethod = calledMethod; foreach (var s in DotNetUtils.GetCodeStrings(initMethod)) { nativeFileResource = DotNetUtils.GetResource(module, s); if (nativeFileResource != null) { break; } } return; } }
EmbeddedResource FindGetManifestResourceStreamTypeResource(TypeDef type, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) { foreach (var method in type.Methods) { if (!method.IsPrivate || !method.IsStatic || method.Body == null) { continue; } if (!DotNetUtils.IsMethod(method, "System.String", "(System.Reflection.Assembly,System.Type,System.String)")) { continue; } simpleDeobfuscator.Deobfuscate(method); simpleDeobfuscator.DecryptStrings(method, deob); foreach (var s in DotNetUtils.GetCodeStrings(method)) { var resource = DotNetUtils.GetResource(module, s) as EmbeddedResource; if (resource != null) { return(resource); } } } return(null); }
bool ContainsString(MethodDef method, string part) { foreach (var s in DotNetUtils.GetCodeStrings(method)) { if (s.Contains(part)) return true; } return false; }
static EmbeddedResource FindEmbeddedResource2(ModuleDefMD module, MethodDef method) { var strings = new List <string>(DotNetUtils.GetCodeStrings(method)); if (strings.Count != 1) { return(null); } var encryptedString = strings[0]; int xorKey; if (!GetXorKey2(method, out xorKey)) { return(null); } var sb = new StringBuilder(encryptedString.Length); foreach (var c in encryptedString) { sb.Append((char)(c ^ xorKey)); } return(DotNetUtils.GetResource(module, sb.ToString()) as EmbeddedResource); }
protected override bool CheckHandlerMethod(MethodDef method) { if (!method.IsStatic || !method.HasBody) { return(false); } var infos = new List <EmbeddedAssemblyInfo>(); foreach (var s in DotNetUtils.GetCodeStrings(method)) { if (string.IsNullOrEmpty(s)) { continue; } if (!InitInfos(infos, s.Split(','))) { continue; } embeddedAssemblyInfos = infos; FindSimpleZipType(method); return(true); } return(false); }
bool CheckEncryptedMethod(MethodDef method, out EncryptInfo info) { info = null; if (method.Body == null) { return(false); } if (!CallsExecuteMethod(method)) { return(false); } var strings = DotNetUtils.GetCodeStrings(method); if (strings.Count != 1) { throw new ApplicationException("Could not find name of encrypted method"); } string feature = ""; string name = strings[0]; int index = name.IndexOf(':'); if (index >= 0) { feature = name.Substring(0, index); name = name.Substring(index + 1); } info = new EncryptInfo(name, feature, method); return(true); }
string GetResourceName() { var defaultName = module.Assembly.Name.String + module.Assembly.Name.String; var cctor = stringDecrypterType.FindStaticConstructor(); if (cctor == null) { return(defaultName); } foreach (var s in DotNetUtils.GetCodeStrings(cctor)) { if (DotNetUtils.GetResource(module, s) != null) { return(s); } try { return(Encoding.UTF8.GetString(Convert.FromBase64String(s))); } catch { } } return(defaultName); }
public static EmbeddedResource GetResource(ModuleDefMD module, MethodDef method) { if (method == null || method.Body == null) { return(null); } return(GetResource(module, DotNetUtils.GetCodeStrings(method))); }
public void Find(ISimpleDeobfuscator simpleDeobfuscator) { var additionalTypes = new string[] { "System.String", }; EmbeddedResource stringsResource = null; foreach (var type in module.Types) { if (decrypterInfos.Count > 0) { break; } if (type.BaseType == null || type.BaseType.FullName != "System.Object") { continue; } foreach (var method in type.Methods) { if (!method.IsStatic || !method.HasBody) { continue; } if (!DotNetUtils.IsMethod(method, "System.String", "(System.Int32)")) { continue; } if (!encryptedResource.CouldBeResourceDecrypter(method, additionalTypes)) { continue; } var resource = DotNetUtils.GetResource(module, DotNetUtils.GetCodeStrings(method)) as EmbeddedResource; if (resource == null) { throw new ApplicationException("Could not find strings resource"); } if (stringsResource != null && stringsResource != resource) { throw new ApplicationException("Two different string resources found"); } stringsResource = resource; encryptedResource.Method = method; var info = new DecrypterInfo(method, null, null); simpleDeobfuscator.Deobfuscate(info.method); FindKeyIv(info.method, out info.key, out info.iv); decrypterInfos.Add(info); } } if (decrypterInfos.Count > 0) { FindOtherStringDecrypter(decrypterInfos[0].method.DeclaringType); } }
static EmbeddedResource FindEmbeddedResource1(ModuleDefMD module, MethodDef method) { foreach (var s in DotNetUtils.GetCodeStrings(method)) { if (DotNetUtils.GetResource(module, s) is EmbeddedResource resource) { return(resource); } } return(null); }
static bool FindString(MethodDef method, string s) { foreach (var cs in DotNetUtils.GetCodeStrings(method)) { if (cs == s) { return(true); } } return(false); }
public void Initialize(ResourceDecrypter resourceDecrypter) { if (decrypterType == null) { return; } encryptedResource = CoUtils.GetResource(module, DotNetUtils.GetCodeStrings(decrypterType.FindStaticConstructor())); encryptedResource.Data.Position = 0; constantsData = resourceDecrypter.Decrypt(encryptedResource.Data.CreateStream()); }
static bool HasCodeString(MethodDef method, string str) { foreach (var s in DotNetUtils.GetCodeStrings(method)) { if (s == str) { return(true); } } return(false); }
string GetResourcePrefix(MethodDef handler) { foreach (var s in DotNetUtils.GetCodeStrings(handler)) { var resource = DotNetUtils.GetResource(module, s + "00000") as EmbeddedResource; if (resource != null) { return(s); } } return(null); }
EmbeddedResource FindMethodsDecrypterResource(MethodDef method) { foreach (var s in DotNetUtils.GetCodeStrings(method)) { var resource = DotNetUtils.GetResource(module, s) as EmbeddedResource; if (resource != null) { return(resource); } } return(null); }
public static EmbeddedResource GetEmbeddedResourceFromCodeStrings(ModuleDef module, MethodDef method) { foreach (var s in DotNetUtils.GetCodeStrings(method)) { var resource = DotNetUtils.GetResource(module, s) as EmbeddedResource; if (resource != null) { return(resource); } } return(null); }
static byte[] GetSalt(MethodDef method) { foreach (var s in DotNetUtils.GetCodeStrings(method)) { var saltAry = FixSalt(s); if (saltAry != null) { return(saltAry); } } return(null); }
public EmbeddedResource MergeResources() { if (rsrcResolveMethod == null) { return(null); } var resource = DotNetUtils.GetResource(module, DotNetUtils.GetCodeStrings(rsrcResolveMethod)) as EmbeddedResource; if (resource == null) { return(null); } DeobUtils.DecryptAndAddResources(module, resource.Name.String, () => DecryptResource(resource)); return(resource); }
// Find the embedded resource where all the strings are encrypted EmbeddedResource FindStringResource(MethodDef method) { foreach (var s in DotNetUtils.GetCodeStrings(method)) { if (s == null) { continue; } if (DotNetUtils.GetResource(module, s) is EmbeddedResource resource) { return(resource); } } return(null); }
public List <ResourceInfo> GetEmbeddedAssemblies(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) { var infos = new List <ResourceInfo>(); if (assemblyResolverMethod == null) { return(infos); } simpleDeobfuscator.Deobfuscate(assemblyResolverMethod); simpleDeobfuscator.DecryptStrings(assemblyResolverMethod, deob); foreach (var resourcePrefix in DotNetUtils.GetCodeStrings(assemblyResolverMethod)) { infos.AddRange(GetResourceInfos(resourcePrefix)); } return(infos); }
string GetPassword3(MethodDef method) { var strings = new List <string>(DotNetUtils.GetCodeStrings(method)); if (strings.Count != 1) { return(null); } var s = strings[0]; if (!Regex.IsMatch(s, @"^[a-fA-F0-9]{2} $")) { return(null); } return(s); }
bool CreateAssemblyInfos() { int numElements = DeobUtils.HasInteger(handlerMethod, 3) ? 3 : 2; foreach (var s in DotNetUtils.GetCodeStrings(handlerMethod)) { var infos = CreateAssemblyInfos(s, numElements); if (infos == null) { continue; } assemblyInfos = infos; return(true); } return(false); }
public void Initialize(ResourceDecrypter resourceDecrypter) { if (decrypterType == null) { return; } var cctor = decrypterType.FindStaticConstructor(); encryptedResource = CoUtils.GetResource(module, DotNetUtils.GetCodeStrings(cctor)); //if the return value is null, it is possible that resource name is encrypted if (encryptedResource == null) { var Resources = new string[] { CoUtils.DecryptResourceName(module, cctor) }; encryptedResource = CoUtils.GetResource(module, Resources); } constantsData = resourceDecrypter.Decrypt(encryptedResource.GetReader().AsStream()); }
bool InitializeInfos(MethodDef method) { foreach (var s in DotNetUtils.GetCodeStrings(method)) { if (string.IsNullOrEmpty(s)) { continue; } var ary = s.Split(':'); foreach (var asmInfo in ary) { resourceInfos.Add(asmInfo.Split('|')[0]); } return(true); } return(false); }
bool CreateDecryptKey() { if (decryptMethod == null) { return(false); } foreach (var s in DotNetUtils.GetCodeStrings(decryptMethod)) { decryptKey = DecodeBase64(s); if (decryptKey == null || decryptKey.Length == 0) { continue; } if (decrypterType.Detected) { var data = new byte[8]; ulong magic = decrypterType.GetMagic(); data[0] = (byte)magic; data[7] = (byte)(magic >> 8); data[6] = (byte)(magic >> 16); data[5] = (byte)(magic >> 24); data[4] = (byte)(magic >> 32); data[1] = (byte)(magic >> 40); data[3] = (byte)(magic >> 48); data[2] = (byte)(magic >> 56); for (int i = 0; i < decryptKey.Length; i++) { decryptKey[i] ^= (byte)(i + data[i % data.Length]); } } return(true); } decryptKey = null; return(false); }
EmbeddedResource GetResource(MethodDef method, out ModuleDefMD theResourceModule) { string resourceDllFileName = null; theResourceModule = module; foreach (var s in DotNetUtils.GetCodeStrings(method)) { if (s.Length > 0 && s[0] == '\\') { resourceDllFileName = s; } var resource = DotNetUtils.GetResource(theResourceModule, s + ".resources") as EmbeddedResource; if (resource != null) { return(resource); } } if (resourceDllFileName == null) { return(null); } // Here if CW 2.x theResourceModule = GetResourceModule(resourceDllFileName); if (theResourceModule == null) { return(null); } foreach (var s in DotNetUtils.GetCodeStrings(method)) { var resource = DotNetUtils.GetResource(theResourceModule, s + ".resources") as EmbeddedResource; if (resource != null) { return(resource); } } theResourceModule = null; return(null); }
bool CheckType(TypeDef type, MethodDef initMethod, ISimpleDeobfuscator simpleDeobfuscator) { if (DotNetUtils.FindFieldType(type, "System.Collections.Hashtable", true) == null) { return(false); } simpleDeobfuscator.Deobfuscate(initMethod); if (!CheckInitMethod(initMethod)) { return(false); } if ((asmSeparator = FindAssemblySeparator(initMethod)) == null) { return(false); } List <AssemblyInfo> newAssemblyInfos = null; foreach (var s in DotNetUtils.GetCodeStrings(initMethod)) { newAssemblyInfos = InitializeEmbeddedAssemblies(s); if (newAssemblyInfos != null) { break; } } if (newAssemblyInfos == null) { return(false); } resolverType = type; resolverMethod = initMethod; assemblyInfos = newAssemblyInfos; return(true); }
public static string DecryptResourceName(ModuleDefMD module, MethodDef method) { string resourceName = ""; MethodDef cctor = method, orginalResMethod = null; // retrive key and encrypted resource name int key = 0; var instrs = cctor.Body.Instructions; for (int i = 0; i < instrs.Count - 2; i++) { if (instrs[i].OpCode != OpCodes.Ldstr) { continue; } if (!instrs[i + 1].IsLdcI4()) { break; } key = instrs[i + 1].GetLdcI4Value(); resourceName = instrs[i].Operand as String; cctor = instrs[i + 2].Operand as MethodDef; break; } // Find the method that contains resource name while (orginalResMethod == null) { foreach (var instr in cctor.Body.Instructions) { if (instr.OpCode == OpCodes.Ldftn) { var tempMethod = instr.Operand as MethodDef; if (tempMethod.ReturnType.FullName != "System.String") { continue; } orginalResMethod = tempMethod; break; } else if (instr.OpCode == OpCodes.Callvirt) { cctor = instr.Operand as MethodDef; cctor = cctor.DeclaringType.FindStaticConstructor(); break; } } } // Get encrypted Resource name string encResourcename = DotNetUtils.GetCodeStrings(orginalResMethod)[0]; // get Decryption key int xorKey = 0; for (int i = 0; i < orginalResMethod.Body.Instructions.Count; i++) { if (orginalResMethod.Body.Instructions[i].OpCode == OpCodes.Xor) { xorKey = orginalResMethod.Body.Instructions[i - 1].GetLdcI4Value(); } } encResourcename = XorCipher(encResourcename, xorKey); var firstResource = GetResource(module, new string[] { encResourcename }); resourceName = DecryptResourceName(resourceName, key, firstResource.CreateReader().ToArray()); return(resourceName); }
EmbeddedResource FindResourceFromCodeString(MethodDef method) { return(DotNetUtils.GetResource(module, DotNetUtils.GetCodeStrings(method)) as EmbeddedResource); }
EmbeddedResource FindResource(MethodDef method) => DotNetUtils.GetResource(module, DotNetUtils.GetCodeStrings(method)) as EmbeddedResource;