TypeDef GetResolverType(MethodDef resolveHandler) { if (resolveHandler.Body == null) { return(null); } foreach (var instr in resolveHandler.Body.Instructions) { if (instr.OpCode.Code != Code.Ldsfld && instr.OpCode.Code != Code.Stsfld) { continue; } var field = DotNetUtils.GetField(module, instr.Operand as IField); if (field == null) { continue; } if (!CheckResolverType(field.DeclaringType)) { continue; } return(field.DeclaringType); } if (CheckResolverType(resolveHandler.DeclaringType)) { return(resolveHandler.DeclaringType); } return(null); }
bool CheckInitMethod(MethodDef method) { if (method == null || !method.IsStatic || method.Body == null) { return(false); } if (!DotNetUtils.IsMethod(method, "System.Void", "()")) { return(false); } var type = method.DeclaringType; if (type.NestedTypes.Count != 1) { return(false); } if (DotNetUtils.GetField(type, "System.Reflection.Assembly") == null) { return(false); } var resolveHandler = DeobUtils.GetResolveMethod(method); if (resolveHandler == null) { return(false); } initMethod = method; resolverType = type; handlerMethod = resolveHandler; return(true); }
void Initialize(ISimpleDeobfuscator simpleDeobfuscator, MethodDef method) { var desList = new List <byte[]>(2); var aesList = new List <byte[]>(2); var instructions = method.Body.Instructions; simpleDeobfuscator.Deobfuscate(method); for (int i = 0; i <= instructions.Count - 2; i++) { var ldtoken = instructions[i]; if (ldtoken.OpCode.Code != Code.Ldtoken) { continue; } var field = DotNetUtils.GetField(module, ldtoken.Operand as IField); if (field == null) { continue; } if (field.InitialValue == null) { continue; } var call = instructions[i + 1]; if (call.OpCode.Code != Code.Call) { continue; } var calledMethod = call.Operand as IMethod; if (!DotNetUtils.IsMethod(calledMethod, "System.Void", "(System.Array,System.RuntimeFieldHandle)")) { continue; } if (field.InitialValue.Length == 8) { desList.Add(field.InitialValue); } else if (field.InitialValue.Length == 16) { aesList.Add(field.InitialValue); } } if (desList.Count >= 2) { DES_Key = desList[desList.Count - 2]; DES_IV = desList[desList.Count - 1]; } if (aesList.Count >= 2) { AES_Key = aesList[aesList.Count - 2]; AES_IV = aesList[aesList.Count - 1]; } }
bool CheckFieldType(TypeDef type) { if (type == null || type.BaseType == null || type.BaseType.FullName != "System.Object") { return(false); } if (DotNetUtils.GetField(type, "System.Reflection.FieldInfo") == null) { return(false); } return(true); }
public void Find(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) { foreach (var type in module.Types) { if (type.Fields.Count != 1) { continue; } if (type.HasNestedTypes || type.HasGenericParameters || type.IsValueType) { continue; } if (DotNetUtils.GetField(type, "System.Reflection.Assembly") == null) { continue; } if (type.FindStaticConstructor() == null) { continue; } var getStream2 = GetTheOnlyMethod(type, "System.IO.Stream", "(System.Reflection.Assembly,System.Type,System.String)"); var getNames = GetTheOnlyMethod(type, "System.String[]", "(System.Reflection.Assembly)"); var getRefAsms = GetTheOnlyMethod(type, "System.Reflection.AssemblyName[]", "(System.Reflection.Assembly)"); var bitmapCtor = GetTheOnlyMethod(type, "System.Drawing.Bitmap", "(System.Type,System.String)"); var iconCtor = GetTheOnlyMethod(type, "System.Drawing.Icon", "(System.Type,System.String)"); if (getStream2 == null && getNames == null && getRefAsms == null && bitmapCtor == null && iconCtor == null) { continue; } var resource = FindGetManifestResourceStreamTypeResource(type, simpleDeobfuscator, deob); if (resource == null && getStream2 != null) { continue; } getManifestResourceStreamType = type; CreateGetManifestResourceStream2(getStream2); CreateGetManifestResourceNames(getNames); CreateGetReferencedAssemblies(getRefAsms); CreateBitmapCtor(bitmapCtor); CreateIconCtor(iconCtor); getManifestResourceStreamTypeResource = resource; break; } }
public IField TryGetFieldDef(IField fieldRef) { var fieldDef = fieldRef as FieldDef; if (fieldDef != null) { return(fieldDef); } var declaringType = DotNetUtils.GetType(module, fieldRef.DeclaringType); if (declaringType == null) { return(fieldRef); } return(DotNetUtils.GetField(declaringType, fieldRef)); }
bool CheckIlGeneratorType(TypeDef type) { if (type == null || type.BaseType == null || type.BaseType.FullName != "System.Object") { return(false); } if (type.Fields.Count != 1) { return(false); } if (DotNetUtils.GetField(type, "System.Reflection.Emit.ILGenerator") == null) { return(false); } return(true); }
void InitStringDecrypter(StringDecrypterInfo info) { Logger.v("Adding string decrypter. Resource: {0}", Utils.ToCsharpString(info.StringsResource.Name)); var decrypter = new StringDecrypter(info); if (decrypter.CanDecrypt) { var invokeMethod = info.GetStringDelegate?.FindMethod("Invoke"); staticStringInliner.Add(invokeMethod, (method, gim, args) => { var fieldDef = DotNetUtils.GetField(module, (IField)args[0]); return(decrypter.Decrypt(fieldDef.MDToken.ToInt32(), (int)args[1])); }); staticStringInliner.Add(info.StringDecrypterMethod, (method, gim, args) => { return(decrypter.Decrypt(0, (int)args[0])); }); } stringDecrypters.Add(decrypter); DeobfuscatedFile.StringDecryptersAdded(); }