public void Find() { foreach (var calledMethod in DotNetUtils.GetCalledMethods(module, DotNetUtils.GetModuleTypeCctor(module))) { if (!DotNetUtils.IsMethod(calledMethod, "System.Void", "()")) { continue; } if (calledMethod.DeclaringType.FullName != "<PrivateImplementationDetails>{F1C5056B-0AFC-4423-9B83-D13A26B48869}") { continue; } nativeLibCallerType = calledMethod.DeclaringType; initMethod = calledMethod; foreach (var s in DotNetUtils.GetCodeStrings(initMethod)) { nativeFileResource = DotNetUtils.GetResource(module, s); if (nativeFileResource != null) { break; } } return; } }
public void Find() { if (CheckMethod(DotNetUtils.GetModuleTypeCctor(module))) { return; } }
public void Find(ISimpleDeobfuscator simpleDeobfuscator) { var cctor = DotNetUtils.GetModuleTypeCctor(module); if (cctor == null) { return; } foreach (var method in DotNetUtils.GetCalledMethods(module, cctor)) { if (method.Name == ".cctor" || method.Name == ".ctor") { continue; } if (!method.IsStatic || !DotNetUtils.IsMethod(method, "System.Void", "()")) { continue; } if (CheckType(method.DeclaringType, method, simpleDeobfuscator)) { break; } } }
public void Find(ISimpleDeobfuscator simpleDeobfuscator) { if (CheckMethod(simpleDeobfuscator, DotNetUtils.GetModuleTypeCctor(module))) { return; } }
public void Find() { if (!assemblyResolver.Detected) { return; } CheckCalledMethods(DotNetUtils.GetModuleTypeCctor(module)); }
public void CleanUp() { if (!Detected) return; var cctor = DotNetUtils.GetModuleTypeCctor(module); if (cctor == null) return; cctor.Body.Instructions.Clear(); cctor.Body.Instructions.Add(Instruction.Create(OpCodes.Ret)); }
public new void Find() { if (delegateCreatorMethods.Count == 0) return; var cctor = DotNetUtils.GetModuleTypeCctor(module); if (cctor == null) return; Logger.v("Finding all proxy delegates"); var delegateInfos = CreateDelegateInitInfos(cctor); fieldToMethods = CreateFieldToMethodsDictionary(cctor.DeclaringType); if (delegateInfos.Count < fieldToMethods.Count) throw new ApplicationException("Missing proxy delegates"); var delegateToFields = new Dictionary<TypeDef, List<FieldDef>>(); foreach (var field in fieldToMethods.GetKeys()) { if (!delegateToFields.TryGetValue(field.FieldType.TryGetTypeDef(), out var list)) delegateToFields[field.FieldType.TryGetTypeDef()] = list = new List<FieldDef>(); list.Add(field); } foreach (var kv in delegateToFields) { var type = kv.Key; var fields = kv.Value; Logger.v("Found proxy delegate: {0} ({1:X8})", Utils.RemoveNewlines(type), type.MDToken.ToInt32()); RemovedDelegateCreatorCalls++; Logger.Instance.Indent(); foreach (var field in fields) { var proxyMethods = fieldToMethods.Find(field); if (proxyMethods == null) continue; var info = delegateInfos.Find(field); if (info == null) throw new ApplicationException("Missing proxy info"); GetCallInfo(info, field, out var calledMethod, out var callOpcode); if (calledMethod == null) continue; foreach (var proxyMethod in proxyMethods) { Add(proxyMethod, new DelegateInfo(field, calledMethod, callOpcode)); Logger.v("Field: {0}, Opcode: {1}, Method: {2} ({3:X8})", Utils.RemoveNewlines(field.Name), callOpcode, Utils.RemoveNewlines(calledMethod), calledMethod.MDToken.ToUInt32()); } } Logger.Instance.DeIndent(); delegateTypesDict[type] = true; } // 1.2 r54564 (almost 1.3) now moves method proxy init code to the delegate cctors Find2(); }
public void Find() { if (CheckCalledMethods(DotNetUtils.GetModuleTypeCctor(module))) { return; } if (CheckCalledMethods(module.EntryPoint)) { return; } }
public void Find() { if (Find(module.EntryPoint)) { return; } if (Find(DotNetUtils.GetModuleTypeCctor(module))) { return; } }
public void Find(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) { if (CheckInitMethod(DotNetUtils.GetModuleTypeCctor(module), simpleDeobfuscator, deob)) { return; } if (CheckInitMethod(module.EntryPoint, simpleDeobfuscator, deob)) { return; } }
public bool Find() { if (CheckCalledMethods(DotNetUtils.GetModuleTypeCctor(module))) { return(true); } if (CheckCalledMethods(module.EntryPoint)) { return(true); } return(false); }
public void Find() { var moduleCctor = DotNetUtils.GetModuleTypeCctor(_module); if (moduleCctor == null) { return; } foreach (var inst in moduleCctor.Body.Instructions) { if (inst.OpCode != OpCodes.Call) { continue; } if (!(inst.Operand is MethodDef)) { continue; } var method = inst.Operand as MethodDef; if (!method.HasBody || !method.IsStatic) { continue; } if (!DotNetUtils.IsMethod(method, "System.Void", "()")) { continue; } _deobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.Force); if (!IsResDecryptInit(method, out FieldDef aField, out FieldDef asmField, out MethodDef mtd)) { continue; } try { _decryptedBytes = DecryptArray(method, aField.InitialValue); } catch (Exception e) { Console.WriteLine(e.Message); return; } _arrayField = aField; Type = DotNetUtils.GetType(_module, aField.FieldSig.Type); _asmField = asmField; AssembyResolveMethod = mtd; Method = method; CanRemoveLzma = true; } }
public void Deobfuscate(Blocks blocks) { if (asmResolverMethod == null) { return; } if (blocks.Method != DotNetUtils.GetModuleTypeCctor(module)) { return; } ConfuserUtils.RemoveResourceHookCode(blocks, asmResolverMethod); }
public void Find() { var moduleCctor = DotNetUtils.GetModuleTypeCctor(_module); if (moduleCctor == null) { return; } foreach (var inst in moduleCctor.Body.Instructions) { if (inst.OpCode != OpCodes.Call) { continue; } if (!(inst.Operand is MethodDef)) { continue; } var method = (MethodDef)inst.Operand; if (!method.HasBody || !method.IsStatic) { continue; } if (!DotNetUtils.IsMethod(method, "System.Void", "()")) { continue; } _deobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.Force); if (!IsStringDecrypterInit(method, out FieldDef aField, out FieldDef dField)) { continue; } try { _decryptedBytes = DecryptArray(method, aField.InitialValue); } catch (Exception e) { Console.WriteLine(e.Message); return; } _arrayField = aField; _decryptedField = dField; ArrayType = DotNetUtils.GetType(_module, _arrayField.FieldSig.Type); Method = method; Decrypters.AddRange(FindStringDecrypters(moduleCctor.DeclaringType)); CanRemoveLzma = true; } }
public void CleanUp() { var cctor = DotNetUtils.GetModuleTypeCctor(module); if (cctor != null) { cctor.Body.InitLocals = false; cctor.Body.Variables.Clear(); cctor.Body.Instructions.Clear(); cctor.Body.Instructions.Add(OpCodes.Ret.ToInstruction()); cctor.Body.ExceptionHandlers.Clear(); } }
public void Find() { var cctor = DotNetUtils.GetModuleTypeCctor(module); if (cctor == null) { return; } var instrs = cctor.Body.Instructions; for (int i = 0; i < instrs.Count - 2; i++) { var ldci4_1 = instrs[i]; if (!ldci4_1.IsLdcI4()) { continue; } var ldci4_2 = instrs[i + 1]; if (!ldci4_2.IsLdcI4()) { continue; } var call = instrs[i + 2]; if (call.OpCode.Code != Code.Call) { continue; } var initMethodTmp = call.Operand as MethodDef; ObfuscatorVersion obfuscatorVersionTmp; if (!CheckInitMethod(initMethodTmp, out obfuscatorVersionTmp)) { continue; } if (!CheckMethodsType(initMethodTmp.DeclaringType)) { continue; } obfuscatorVersion = obfuscatorVersionTmp; theType = initMethodTmp.DeclaringType; initMethod = initMethodTmp; break; } }
public void Find() { var cctor = DotNetUtils.GetModuleTypeCctor(module); if (cctor == null) { return; } // V3-V4 calls string decrypter init method in <Module>::.cctor(). if (Find(cctor)) { return; } FindV5(cctor); }
public void Find() { var cctor = DotNetUtils.GetModuleTypeCctor(module); if (cctor == null) return; simpleDeobfuscator.Deobfuscate(cctor, SimpleDeobfuscatorFlags.Force | SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs); if ((dictField = ConstantsDecrypterUtils.FindDictField(cctor, cctor.DeclaringType)) == null) return; if ((dataField = ConstantsDecrypterUtils.FindDataField_v18_r75367(cctor, cctor.DeclaringType)) == null && (dataField = ConstantsDecrypterUtils.FindDataField_v19_r77172(cctor, cctor.DeclaringType)) == null) return; nativeMethod = FindNativeMethod(cctor, cctor.DeclaringType); var method = GetDecryptMethod(); if (method == null) return; simpleDeobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs); var info = new DecrypterInfo(this, method, ConfuserVersion.Unknown); if (FindKeys_v18_r75367(info)) InitVersion(cctor, ConfuserVersion.v18_r75367_normal, ConfuserVersion.v18_r75367_dynamic, ConfuserVersion.v18_r75367_native); else if (FindKeys_v18_r75369(info)) { lzmaType = ConfuserUtils.FindLzmaType(cctor); if (lzmaType == null) InitVersion(cctor, ConfuserVersion.v18_r75369_normal, ConfuserVersion.v18_r75369_dynamic, ConfuserVersion.v18_r75369_native); else if (!DotNetUtils.CallsMethod(method, "System.Void System.Threading.Monitor::Exit(System.Object)")) InitVersion(cctor, ConfuserVersion.v19_r77172_normal, ConfuserVersion.v19_r77172_dynamic, ConfuserVersion.v19_r77172_native); else if (DotNetUtils.CallsMethod(method, "System.Void System.Diagnostics.StackFrame::.ctor(System.Int32)")) InitVersion(cctor, ConfuserVersion.v19_r78363_normal, ConfuserVersion.v19_r78363_dynamic, ConfuserVersion.v19_r78363_native); else { int index1 = ConfuserUtils.FindCallMethod(cctor.Body.Instructions, 0, Code.Callvirt, "System.Reflection.Module System.Reflection.MemberInfo::get_Module()"); int index2 = ConfuserUtils.FindCallMethod(cctor.Body.Instructions, 0, Code.Callvirt, "System.Int32 System.Reflection.MemberInfo::get_MetadataToken()"); if (index1 < 0 || index2 < 0) { } if (index2 - index1 == 3) InitVersion(cctor, ConfuserVersion.v19_r78056_normal, ConfuserVersion.v19_r78056_dynamic, ConfuserVersion.v19_r78056_native); else if (index2 - index1 == -4) InitVersion(cctor, ConfuserVersion.v19_r79630_normal, ConfuserVersion.v19_r79630_dynamic, ConfuserVersion.v19_r79630_native); } } else return; installMethod = cctor; }
public bool FindTypes() { if (resolverType != null) { return(true); } if (FindTypes(DotNetUtils.GetModuleTypeCctor(module))) { return(true); } if (FindTypes(module.EntryPoint)) { return(true); } return(false); }
void FindResourceType() { var cctor = DotNetUtils.GetModuleTypeCctor(module); if (cctor == null) { return; } foreach (var calledMethod in DotNetUtils.GetCalledMethods(module, cctor)) { if (!calledMethod.IsStatic || calledMethod.Body == null) { continue; } if (!DotNetUtils.IsMethod(calledMethod, "System.Void", "()")) { continue; } var type = calledMethod.DeclaringType; var fieldTypes = new FieldTypes(type); if (!fieldTypes.Exactly(requiredFields1) && !fieldTypes.Exactly(requiredFields2)) { continue; } var resolveHandler = DotNetUtils.GetMethod(type, "System.Reflection.Assembly", "(System.Object,System.ResolveEventArgs)"); var decryptMethod = DotNetUtils.GetMethod(type, "System.Byte[]", "(System.IO.Stream)"); if (resolveHandler == null || !resolveHandler.IsStatic) { continue; } if (decryptMethod == null || !decryptMethod.IsStatic) { continue; } rsrcType = type; rsrcRrrMethod = calledMethod; rsrcResolveMethod = resolveHandler; return; } }
public static IEnumerable <MethodDef> GetInitCctors(ModuleDef module, int maxCctors) { var cctor = DotNetUtils.GetModuleTypeCctor(module); if (cctor != null) { yield return(cctor); } var entryPoint = module.EntryPoint; if (entryPoint != null) { cctor = entryPoint.DeclaringType.FindStaticConstructor(); if (cctor != null) { yield return(cctor); } } foreach (var type in module.GetTypes()) { if (type == module.GlobalType) { continue; } cctor = type.FindStaticConstructor(); if (cctor == null) { continue; } yield return(cctor); if (!type.IsEnum && --maxCctors <= 0) { break; } } }
public IEnumerable <FieldDef> CleanUp() { var removedFields = new List <FieldDef>(); var moduleCctor = DotNetUtils.GetModuleTypeCctor(module); if (moduleCctor == null) { return(removedFields); } var moduleCctorBlocks = new Blocks(moduleCctor); var keep = FindFieldsToKeep(); foreach (var fieldInfo in fieldToInfo.GetValues()) { if (keep.ContainsKey(fieldInfo)) { continue; } if (RemoveInitCode(moduleCctorBlocks, fieldInfo)) { removedFields.Add(fieldInfo.field); removedFields.Add(fieldInfo.arrayInitField); } fieldInfo.arrayInitField.InitialValue = new byte[1]; fieldInfo.arrayInitField.FieldSig.Type = module.CorLibTypes.Byte; fieldInfo.arrayInitField.RVA = 0; } IList <Instruction> allInstructions; IList <ExceptionHandler> allExceptionHandlers; moduleCctorBlocks.GetCode(out allInstructions, out allExceptionHandlers); DotNetUtils.RestoreBody(moduleCctorBlocks.Method, allInstructions, allExceptionHandlers); return(removedFields); }
public override void DeobfuscateEnd() { FindAndRemoveInlinedMethods(); var toRemoveFromCctor = new List <MethodDef>(); if (_constantDecrypter.Detected) { if (CanRemoveStringDecrypterType) { toRemoveFromCctor.Add(_constantDecrypter.Method); AddMethodToBeRemoved(_constantDecrypter.Method, "Constant Decrypter Initializer"); foreach (var dec in _constantDecrypter.Decrypters) { AddMethodToBeRemoved(dec.Method, "Constant Decrypter Method"); } AddFieldsToBeRemoved(_constantDecrypter.Fields, "Constant Decrypter Fields"); AddTypeToBeRemoved(_constantDecrypter.Type, "Array field signature type"); } else { _canRemoveLzma = false; } } if (_resourceDecrypter.Detected && _resourceDecrypter.CanRemoveLzma) { toRemoveFromCctor.Add(_resourceDecrypter.Method); AddMethodToBeRemoved(_resourceDecrypter.Method, "Resource decrypter Initializer method"); AddMethodToBeRemoved(_resourceDecrypter.AssembyResolveMethod, "Resource decrypter AssemblyResolve method"); AddFieldsToBeRemoved(_resourceDecrypter.Fields, "Constant Decrypter Fields"); AddTypeToBeRemoved(_resourceDecrypter.Type, "Array field signature type"); } if (!_constantDecrypter.CanRemoveLzma || !_resourceDecrypter.CanRemoveLzma) { _canRemoveLzma = false; } if (_lzmaFinder.FoundLzma && _canRemoveLzma) { AddMethodToBeRemoved(_lzmaFinder.Method, "Lzma Decompress method"); AddTypesToBeRemoved(_lzmaFinder.Types, "Lzma Nested Types"); } if (_proxyCallFixer.Detected) { AddTypesToBeRemoved(_proxyCallFixer.DelegateTypes, "Proxy delegates"); AddMethodsToBeRemoved(_proxyCallFixer.DelegateCreatorMethods, "Proxy creator methods"); AddTypesToBeRemoved(_proxyCallFixer.AttributeTypes, "Proxy creator attributes"); AddMethodsToBeRemoved(_proxyCallFixer.NativeMethods, "Proxy native methods"); } AddMethodsToBeRemoved(_controlFlowFixer.NativeMethods, "Control flow native methods"); var moduleCctor = DotNetUtils.GetModuleTypeCctor(module); foreach (var instr in moduleCctor.Body.Instructions) { if (instr.OpCode == OpCodes.Call && instr.Operand is MethodDef && toRemoveFromCctor.Contains((MethodDef)instr.Operand)) { instr.OpCode = OpCodes.Nop; } } //TODO: Might not always be correct //No more mixed! module.IsILOnly = true; base.DeobfuscateEnd(); }
bool HasModuleCctor() => DotNetUtils.GetModuleTypeCctor(module) != null;
public void Find() { var cctor = DotNetUtils.GetModuleTypeCctor(module); if (cctor == null) { return; } if (!new LocalTypes(cctor).All(requiredLocalsCctor)) { return; } simpleDeobfuscator.Deobfuscate(cctor, SimpleDeobfuscatorFlags.Force | SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs); if (!Add(ConstantsDecrypterUtils.FindDictField(cctor, cctor.DeclaringType))) { return; } if (!Add(ConstantsDecrypterUtils.FindStreamField(cctor, cctor.DeclaringType))) { return; } var method = GetDecryptMethod(); if (method == null) { return; } resourceName = GetResourceName(cctor); if (resourceName != null) { simpleDeobfuscator.Deobfuscate(method); keyArraySize = GetKeyArraySize(method); if (keyArraySize == 8) { InitVersion(method, ConfuserVersion.v17_r75056_normal, ConfuserVersion.v17_r75056_dynamic, ConfuserVersion.v17_r75056_native); } else if (keyArraySize == 16) { InitVersion(method, ConfuserVersion.v18_r75257_normal, ConfuserVersion.v18_r75257_dynamic, ConfuserVersion.v18_r75257_native); } else { return; } } else if (DotNetUtils.CallsMethod(method, "System.String System.Reflection.Module::get_ScopeName()")) { InitVersion(method, ConfuserVersion.v17_r74816_normal, ConfuserVersion.v17_r74816_dynamic, ConfuserVersion.v17_r74816_native); } else if (DotNetUtils.CallsMethod(method, "System.Reflection.Module System.Reflection.Assembly::GetModule(System.String)")) { InitVersion(method, ConfuserVersion.v17_r74788_normal, ConfuserVersion.v17_r74788_dynamic, ConfuserVersion.v17_r74788_native); } else { InitVersion(method, ConfuserVersion.v17_r74708_normal, ConfuserVersion.v17_r74708_dynamic, ConfuserVersion.v17_r74708_native); } initMethod = cctor; }
bool FindEmbedded() { return(FindEmbedded(DotNetUtils.GetModuleTypeCctor(module)) || FindEmbedded(module.EntryPoint)); }
public void Find() => CheckCalledMethods(DotNetUtils.GetModuleTypeCctor(module));
bool HasModuleCctor() { return(DotNetUtils.GetModuleTypeCctor(Module) != null); }
public void AddModuleCctorInitCallToBeRemoved(MethodDef methodToBeRemoved) { methodCallRemover.Add(DotNetUtils.GetModuleTypeCctor(module), methodToBeRemoved); }
public void Initialize(ISimpleDeobfuscator simpleDeobfuscator) { InitializeArrays(simpleDeobfuscator, DotNetUtils.GetModuleTypeCctor(module)); }