bool CheckMethod(ISimpleDeobfuscator simpleDeobfuscator, MethodDef method) {
if (method == null || method.Body == null)
return false;
foreach (var instr in method.Body.Instructions) {
if (instr.OpCode.Code != Code.Call)
continue;
var calledMethod = instr.Operand as MethodDef;
if (calledMethod == null)
continue;
if (calledMethod == null || !calledMethod.IsStatic)
continue;
if (!DotNetUtils.IsMethod(calledMethod, "System.Void", "()"))
continue;
var type = calledMethod.DeclaringType;
if (type.NestedTypes.Count > 0)
continue;
simpleDeobfuscator.Deobfuscate(calledMethod, SimpleDeobfuscatorFlags.Force | SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
if (CheckType(type, calledMethod)) {
initMethod = calledMethod;
return true;
}
}
return false;
}
EmbeddedResource FindGetManifestResourceStreamTypeResource(TypeDef type, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
foreach (var method in type.Methods) {
if (!method.IsPrivate || !method.IsStatic || method.Body == null)
continue;
if (!DotNetUtils.IsMethod(method, "System.String", "(System.Reflection.Assembly,System.Type,System.String)"))
continue;
simpleDeobfuscator.Deobfuscate(method);
simpleDeobfuscator.DecryptStrings(method, deob);
foreach (var s in DotNetUtils.GetCodeStrings(method)) {
var resource = DotNetUtils.GetResource(module, s) as EmbeddedResource;
if (resource != null)
return resource;
}
}
return null;
}
void Initialize(ISimpleDeobfuscator simpleDeobfuscator, MethodDef method) {
var desList = new List<byte[]>(2);
var aesList = new List<byte[]>(2);
var instructions = method.Body.Instructions;
simpleDeobfuscator.Deobfuscate(method);
for (int i = 0; i <= instructions.Count - 2; i++) {
var ldtoken = instructions[i];
if (ldtoken.OpCode.Code != Code.Ldtoken)
continue;
var field = DotNetUtils.GetField(module, ldtoken.Operand as IField);
if (field == null)
continue;
if (field.InitialValue == null)
continue;
var call = instructions[i + 1];
if (call.OpCode.Code != Code.Call)
continue;
var calledMethod = call.Operand as IMethod;
if (!DotNetUtils.IsMethod(calledMethod, "System.Void", "(System.Array,System.RuntimeFieldHandle)"))
continue;
if (field.InitialValue.Length == 8)
desList.Add(field.InitialValue);
else if (field.InitialValue.Length == 16)
aesList.Add(field.InitialValue);
}
if (desList.Count >= 2) {
DES_Key = desList[desList.Count - 2];
DES_IV = desList[desList.Count - 1];
}
if (aesList.Count >= 2) {
AES_Key = aesList[aesList.Count - 2];
AES_IV = aesList[aesList.Count - 1];
}
}
void FindStringDecrypterMethods(TypeDef type, ISimpleDeobfuscator simpleDeobfuscator) {
foreach (var method in DotNetUtils.FindMethods(type.Methods, "System.String", new string[] { "System.String", "System.Int32" })) {
if (method.Body.HasExceptionHandlers)
continue;
if (DotNetUtils.GetMethodCalls(method, "System.Char[] System.String::ToCharArray()") != 1)
continue;
if (DotNetUtils.GetMethodCalls(method, "System.String System.String::Intern(System.String)") != 1)
continue;
simpleDeobfuscator.Deobfuscate(method);
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count - 3; i++) {
var ldarg = instrs[i];
if (!ldarg.IsLdarg() || ldarg.GetParameterIndex() != 0)
continue;
var callvirt = instrs[i + 1];
if (callvirt.OpCode.Code != Code.Callvirt)
continue;
var calledMethod = callvirt.Operand as MemberRef;
if (calledMethod == null || calledMethod.FullName != "System.Char[] System.String::ToCharArray()")
continue;
var stloc = instrs[i + 2];
if (!stloc.IsStloc())
continue;
var ldci4 = instrs[i + 3];
if (!ldci4.IsLdcI4())
continue;
var info = new StringDecrypterInfo(method, ldci4.GetLdcI4Value());
stringDecrypterMethods.Add(info.method, info);
Logger.v("Found string decrypter method: {0}, magic: 0x{1:X8}", Utils.RemoveNewlines(info.method), info.magic);
break;
}
}
}
static ProxyCreatorType GetProxyCreatorType(MethodDef method, ISimpleDeobfuscator simpleDeobfuscator, out int version) {
var type = GetProxyCreatorTypeV1(method);
if (type != ProxyCreatorType.None) {
version = 1;
return type;
}
simpleDeobfuscator.Deobfuscate(method);
type = GetProxyCreatorTypeV2(method);
if (type != ProxyCreatorType.None) {
version = 2;
return type;
}
version = 0;
return ProxyCreatorType.None;
}
MethodDef FindInitMethod(ISimpleDeobfuscator simpleDeobfuscator) {
var ctor = Type.FindMethod(".ctor");
foreach (var method in Type.Methods) {
if (!method.IsStatic || method.Body == null)
continue;
if (!DotNetUtils.IsMethod(method, "System.Void", "()"))
continue;
if (method.Body.Variables.Count > 1)
continue;
simpleDeobfuscator.Deobfuscate(method);
bool stsfldUsed = false, newobjUsed = false;
foreach (var instr in method.Body.Instructions) {
if (instr.OpCode.Code == Code.Stsfld) {
var field = instr.Operand as IField;
if (field == null || field.FieldSig.GetFieldType().GetElementType() != ElementType.Boolean)
continue;
if (!new SigComparer().Equals(Type, field.DeclaringType))
continue;
stsfldUsed = true;
}
else if (instr.OpCode.Code == Code.Newobj) {
var calledCtor = instr.Operand as IMethod;
if (calledCtor == null)
continue;
if (!MethodEqualityComparer.CompareDeclaringTypes.Equals(calledCtor, ctor))
continue;
newobjUsed = true;
}
}
if (!stsfldUsed || !newobjUsed)
continue;
return method;
}
return null;
}
bool FindConstants(ISimpleDeobfuscator simpleDeobfuscator) {
dynocode = new DynamicDynocodeIterator();
simpleDeobfuscator.Deobfuscate(stringMethod);
stringMethodConsts = new EfConstantsReader(stringMethod);
if (!FindResource(stringMethod))
return false;
checkMinus2 = isV32OrLater || DeobUtils.HasInteger(stringMethod, -2);
usePublicKeyToken = CallsGetPublicKeyToken(stringMethod);
var int64Method = FindInt64Method(stringMethod);
if (int64Method != null)
decrypterType.Type = int64Method.DeclaringType;
if (!FindShorts())
return false;
if (!FindInt3())
return false;
if (!FindInt4())
return false;
if (checkMinus2 && !FindInt5())
return false;
// The method body of the data decrypter method has been moved into
// the string decrypter helper method in 5.0
if (!isV50OrLater) {
dataDecrypterType = FindDataDecrypterType(stringMethod);
if (dataDecrypterType == null)
return false;
}
if (isV32OrLater) {
bool initializedAll;
int index = FindInitIntsIndex(stringMethod, out initializedAll);
var cctor = stringType.FindStaticConstructor();
if (!initializedAll && cctor != null) {
simpleDeobfuscator.Deobfuscate(cctor);
if (!FindIntsCctor(cctor))
return false;
}
if (decrypterType.Detected && !decrypterType.Initialize())
return false;
if (!isV50OrLater) {
decrypterType.ShiftConsts = new List<int> { 24, 16, 8, 0, 16, 8, 0, 24 };
}
else {
List<int> shiftConsts;
if (!FindShiftInts(decrypterType.Int64Method, out shiftConsts))
return false;
decrypterType.ShiftConsts = shiftConsts;
}
if (!FindInts(index))
return false;
}
InitializeFlags();
Initialize();
return true;
}
public void Find(ISimpleDeobfuscator simpleDeobfuscator) {
if (module.Assembly == null)
return;
var pkt = module.Assembly.PublicKeyToken;
bool hasPublicKeyToken = !PublicKeyBase.IsNullOrEmpty2(pkt);
foreach (var type in module.GetTypes()) {
var cctor = type.FindStaticConstructor();
if (cctor == null)
continue;
bool deobfuscatedCctor = false;
bool? v13State = null, v40State = null, v41State = null;
foreach (var method in type.Methods) {
if (!method.IsStatic || method.Body == null)
continue;
IDecrypterInfo info = null;
if (DecrypterInfo13.IsPossibleDecrypterMethod(method, ref v13State)) {
DeobfuscateCctor(simpleDeobfuscator, cctor, ref deobfuscatedCctor, hasPublicKeyToken);
simpleDeobfuscator.Deobfuscate(method);
info = GetInfoV13(cctor, method);
}
else if (DecrypterInfo40.IsPossibleDecrypterMethod(method, ref v40State)) {
DeobfuscateCctor(simpleDeobfuscator, cctor, ref deobfuscatedCctor, hasPublicKeyToken);
simpleDeobfuscator.Deobfuscate(method);
info = GetInfoV40(cctor, method);
}
else if (DecrypterInfo41.IsPossibleDecrypterMethod(method, ref v41State)) {
DeobfuscateCctor(simpleDeobfuscator, cctor, ref deobfuscatedCctor, hasPublicKeyToken);
simpleDeobfuscator.Deobfuscate(method);
info = GetInfoV41(cctor, method);
}
if (info == null)
continue;
methodToInfo.Add(method, info);
version = info.Version;
}
}
}
bool CheckType(TypeDef type, MethodDef initMethod, ISimpleDeobfuscator simpleDeobfuscator) {
if (DotNetUtils.FindFieldType(type, "System.Collections.Hashtable", true) == null)
return false;
simpleDeobfuscator.Deobfuscate(initMethod);
if (!CheckInitMethod(initMethod))
return false;
if ((asmSeparator = FindAssemblySeparator(initMethod)) == null)
return false;
List<AssemblyInfo> newAssemblyInfos = null;
foreach (var s in DotNetUtils.GetCodeStrings(initMethod)) {
newAssemblyInfos = InitializeEmbeddedAssemblies(s);
if (newAssemblyInfos != null)
break;
}
if (newAssemblyInfos == null)
return false;
resolverType = type;
resolverMethod = initMethod;
assemblyInfos = newAssemblyInfos;
return true;
}
public void Initialize(ISimpleDeobfuscator deobfuscator) {
if (decrypterCctor == null)
return;
deobfuscator.Deobfuscate(decrypterCctor);
var instrs = decrypterCctor.Body.Instructions;
for (int i = 0; i < instrs.Count - 4; i++) {
var ldstr = instrs[i];
if (ldstr.OpCode.Code != Code.Ldstr)
continue;
var encryptedString = ldstr.Operand as string;
if (encryptedString == null)
continue;
if (instrs[i + 1].OpCode.Code != Code.Stsfld)
continue;
if (instrs[i + 2].OpCode.Code != Code.Ldsfld)
continue;
if (instrs[i + 3].OpCode.Code != Code.Call)
continue;
if (instrs[i + 4].OpCode.Code != Code.Stsfld)
continue;
var field = instrs[i + 4].Operand as FieldDef;
if (field == null)
continue;
if (!new SigComparer().Equals(field.DeclaringType, decrypterType))
continue;
fieldToDecryptedString.Add(field, decrypter.Decrypt(encryptedString));
}
}
bool FindConstants(ISimpleDeobfuscator simpleDeobfuscator)
{
dynocode = new DynamicDynocodeIterator();
simpleDeobfuscator.Deobfuscate(stringMethod);
stringMethodConsts = new EfConstantsReader(stringMethod);
if (!FindResource(stringMethod))
{
return(false);
}
checkMinus2 = isV32OrLater || DeobUtils.HasInteger(stringMethod, -2);
usePublicKeyToken = CallsGetPublicKeyToken(stringMethod);
var int64Method = FindInt64Method(stringMethod);
if (int64Method != null)
{
decrypterType.Type = int64Method.DeclaringType;
}
if (!FindShorts())
{
return(false);
}
if (!FindInt3())
{
return(false);
}
if (!FindInt4())
{
return(false);
}
if (checkMinus2 && !FindInt5())
{
return(false);
}
// The method body of the data decrypter method has been moved into
// the string decrypter helper method in 5.0
if (!isV50OrLater)
{
dataDecrypterType = FindDataDecrypterType(stringMethod);
if (dataDecrypterType == null)
{
return(false);
}
}
if (isV32OrLater)
{
bool initializedAll;
int index = FindInitIntsIndex(stringMethod, out initializedAll);
var cctor = stringType.FindStaticConstructor();
if (!initializedAll && cctor != null)
{
simpleDeobfuscator.Deobfuscate(cctor);
if (!FindIntsCctor(cctor))
{
return(false);
}
}
if (decrypterType.Detected && !decrypterType.Initialize())
{
return(false);
}
if (!FindInts(index))
{
return(false);
}
}
InitializeFlags();
Initialize();
return(true);
}
bool InitializeInfos(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
if (handlerMethod == null)
return true;
foreach (var method in resolverType.Methods) {
if (!method.IsStatic || method.Body == null)
continue;
if (!DotNetUtils.IsMethod(method, "System.Void", "()"))
continue;
if (!DeobUtils.HasInteger(method, ':') || !DeobUtils.HasInteger(method, '|'))
continue;
simpleDeobfuscator.Deobfuscate(method);
simpleDeobfuscator.DecryptStrings(method, deob);
if (!InitializeInfos(method))
continue;
return true;
}
return false;
}
public void FindDelegateCreator(ISimpleDeobfuscator simpleDeobfuscator) {
var type = DotNetUtils.GetModuleType(module);
if (type == null)
return;
foreach (var method in type.Methods) {
if (method.Body == null || !method.IsStatic || !method.IsAssembly)
continue;
ConfuserVersion theVersion = ConfuserVersion.Unknown;
if (DotNetUtils.IsMethod(method, "System.Void", "(System.String,System.RuntimeFieldHandle)"))
theVersion = ConfuserVersion.v10_r42915;
else if (DotNetUtils.IsMethod(method, "System.Void", "(System.RuntimeFieldHandle)"))
theVersion = ConfuserVersion.v10_r48717;
else
continue;
int tmpVer;
var proxyType = GetProxyCreatorType(method, simpleDeobfuscator, out tmpVer);
if (proxyType == ProxyCreatorType.None)
continue;
if (proxyType == ProxyCreatorType.Newobj)
foundNewobjProxy = true;
simpleDeobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
MethodDef nativeMethod = null;
uint magic;
if (FindMagic_v14_r58564(method, out magic)) {
if (!DotNetUtils.CallsMethod(method, "System.Byte[] System.Convert::FromBase64String(System.String)")) {
if (!IsMethodCreator_v14_r58802(method, proxyType))
theVersion = ConfuserVersion.v14_r58564;
else
theVersion = ConfuserVersion.v14_r58802;
}
else if (DotNetUtils.CallsMethod(method, "System.Reflection.Module System.Reflection.MemberInfo::get_Module()"))
theVersion = ConfuserVersion.v17_r73479;
else if (proxyType != ProxyCreatorType.CallOrCallvirt || !HasFieldReference(method, "System.Reflection.Emit.OpCode System.Reflection.Emit.OpCodes::Castclass"))
theVersion = ConfuserVersion.v14_r58857;
else if (proxyType == ProxyCreatorType.CallOrCallvirt && DotNetUtils.CallsMethod(method, "System.Void System.Reflection.Emit.DynamicMethod::.ctor(System.String,System.Type,System.Type[],System.Boolean)"))
theVersion = ConfuserVersion.v16_r66631;
else if (proxyType == ProxyCreatorType.CallOrCallvirt)
theVersion = ConfuserVersion.v16_r70489;
}
else if (!DotNetUtils.CallsMethod(method, "System.Byte[] System.Convert::FromBase64String(System.String)") &&
DotNetUtils.CallsMethod(method, "System.Reflection.MethodBase System.Reflection.Module::ResolveMethod(System.Int32)")) {
if (proxyType == ProxyCreatorType.CallOrCallvirt && !FindCallvirtChar(method, out callvirtChar))
continue;
if ((nativeMethod = FindNativeMethod_v18_r75367(method)) != null)
theVersion = proxyType != ProxyCreatorType.CallOrCallvirt || callvirtChar == 9 ? ConfuserVersion.v18_r75367_native : ConfuserVersion.v18_r75369_native;
else if (FindMagic_v18_r75367(method, out magic))
theVersion = proxyType != ProxyCreatorType.CallOrCallvirt || callvirtChar == 9 ? ConfuserVersion.v18_r75367_normal : ConfuserVersion.v18_r75369_normal;
else if (FindMagic_v19_r76101(method, out magic))
CommonCheckVersion19(method, true, tmpVer, ref theVersion);
else if ((nativeMethod = FindNativeMethod_v19_r76101(method)) != null)
CommonCheckVersion19(method, false, tmpVer, ref theVersion);
else {
if (proxyType == ProxyCreatorType.CallOrCallvirt && !DotNetUtils.CallsMethod(method, "System.Int32 System.String::get_Length()"))
theVersion = ConfuserVersion.v11_r50378;
int numCalls = ConfuserUtils.CountCalls(method, "System.Byte[] System.Text.Encoding::GetBytes(System.Char[],System.Int32,System.Int32)");
if (numCalls == 2)
theVersion = ConfuserVersion.v12_r54564;
if (!DotNetUtils.CallsMethod(method, "System.Reflection.Assembly System.Reflection.Assembly::Load(System.Reflection.AssemblyName)"))
theVersion = ConfuserVersion.v13_r55346;
if (DotNetUtils.CallsMethod(method, "System.Void System.Runtime.CompilerServices.RuntimeHelpers::RunClassConstructor(System.RuntimeTypeHandle)"))
theVersion = ConfuserVersion.v13_r55604;
}
}
else if (Is_v17_r73740(method)) {
if (DotNetUtils.CallsMethod(method, "System.Boolean System.Type::get_IsArray()")) {
if ((nativeMethod = FindNativeMethod_v17_r73740(method)) != null)
theVersion = ConfuserVersion.v17_r74708_native;
else if (FindMagic_v17_r73740(method, out magic))
theVersion = ConfuserVersion.v17_r74708_normal;
else
continue;
}
else {
if ((nativeMethod = FindNativeMethod_v17_r73740(method)) != null)
theVersion = ConfuserVersion.v17_r73740_native;
else if (FindMagic_v17_r73740(method, out magic))
theVersion = ConfuserVersion.v17_r73740_normal;
else
continue;
}
}
else if (theVersion == ConfuserVersion.v10_r42915) {
if (DeobUtils.HasInteger(method, 0x06000000))
theVersion = ConfuserVersion.v10_r42919;
}
SetDelegateCreatorMethod(method);
methodToInfo.Add(method, new ProxyCreatorInfo(method, proxyType, theVersion, magic, nativeMethod, callvirtChar));
version = (ConfuserVersion)Math.Max((int)version, (int)theVersion);
}
}
public static EmbeddedResource FindEmbeddedResource(ModuleDefMD module, TypeDef decrypterType, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) =>
FindEmbeddedResource(module, decrypterType, (method) => {
simpleDeobfuscator.Deobfuscate(method);
simpleDeobfuscator.DecryptStrings(method, deob);
});
bool CheckMethod(ISimpleDeobfuscator simpleDeobfuscator, MethodDef methodToCheck)
{
if (methodToCheck == null)
{
return(false);
}
var resolverLocals = new string[] {
"System.Byte[]",
"System.Reflection.Assembly",
"System.String",
"System.IO.BinaryReader",
"System.IO.Stream",
};
simpleDeobfuscator.Deobfuscate(methodToCheck);
foreach (var method in DotNetUtils.GetCalledMethods(module, methodToCheck))
{
var type = method.DeclaringType;
if (!DotNetUtils.IsMethod(method, "System.Void", "()"))
{
continue;
}
if (!method.IsStatic)
{
continue;
}
if (type.Fields.Count != 2)
{
continue;
}
if (type.HasNestedTypes)
{
continue;
}
if (type.HasEvents || type.HasProperties)
{
continue;
}
if (!CheckFields(type.Fields))
{
continue;
}
var resolverMethod = FindAssemblyResolveMethod(type);
if (resolverMethod == null)
{
continue;
}
var localTypes = new LocalTypes(resolverMethod);
if (!localTypes.All(resolverLocals))
{
continue;
}
assemblyResolverType = type;
assemblyResolverMethod = resolverMethod;
assemblyResolverInitMethod = method;
return(true);
}
return(false);
}
bool FindEntryPointToken(ISimpleDeobfuscator simpleDeobfuscator, MethodDef cctor, MethodDef entryPoint, out uint token)
{
token = 0;
ulong @base;
if (!FindBase(cctor, out @base))
return false;
var modPowMethod = DotNetUtils.GetMethod(cctor.DeclaringType, "System.UInt64", "(System.UInt64,System.UInt64,System.UInt64)");
if (modPowMethod == null)
throw new ApplicationException("Could not find modPow()");
simpleDeobfuscator.Deobfuscate(entryPoint);
ulong mod;
if (!FindMod(entryPoint, out mod))
throw new ApplicationException("Could not find modulus");
token = 0x06000000 | (uint)ModPow(@base, 0x47, mod);
if (token >> 24 != 0x06)
throw new ApplicationException("Illegal entry point token");
return true;
}
public void Find(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
{
var entryPoint = module.EntryPoint;
if (entryPoint == null)
return;
if (!new LocalTypes(entryPoint).All(requiredEntryPointLocals))
return;
var type = entryPoint.DeclaringType;
if (!new FieldTypes(type).All(requiredFields))
return;
bool use7zip = type.NestedTypes.Count == 6;
MethodDef decyptMethod;
if (use7zip)
decyptMethod = FindDecryptMethod_7zip(type);
else
decyptMethod = FindDecryptMethod_inflate(type);
if (decyptMethod == null)
return;
ConfuserVersion theVersion = ConfuserVersion.Unknown;
var decryptLocals = new LocalTypes(decyptMethod);
if (decryptLocals.Exists("System.IO.MemoryStream")) {
if (DotNetUtils.CallsMethod(entryPoint, "System.Void", "(System.String,System.Byte[])"))
theVersion = ConfuserVersion.v10_r42915;
else if (DotNetUtils.CallsMethod(entryPoint, "System.Void", "(System.Security.Permissions.PermissionState)"))
theVersion = ConfuserVersion.v10_r48717;
else
theVersion = ConfuserVersion.v14_r57778;
}
else
theVersion = ConfuserVersion.v14_r58564;
var cctor = type.FindStaticConstructor();
if (cctor == null)
return;
if ((asmResolverMethod = FindAssemblyResolverMethod(entryPoint.DeclaringType)) != null) {
theVersion = ConfuserVersion.v14_r58802;
simpleDeobfuscator.Deobfuscate(asmResolverMethod);
if (!FindKey1(asmResolverMethod, out key1))
return;
}
switch (theVersion) {
case ConfuserVersion.v10_r42915:
case ConfuserVersion.v10_r48717:
case ConfuserVersion.v14_r57778:
break;
case ConfuserVersion.v14_r58564:
case ConfuserVersion.v14_r58802:
simpleDeobfuscator.Deobfuscate(decyptMethod);
if (FindKey0_v14_r58564(decyptMethod, out key0))
break;
if (FindKey0_v14_r58852(decyptMethod, out key0)) {
if (!decryptLocals.Exists("System.Security.Cryptography.RijndaelManaged")) {
theVersion = ConfuserVersion.v14_r58852;
break;
}
if (use7zip) {
if (new LocalTypes(decyptMethod).Exists("System.IO.MemoryStream"))
theVersion = ConfuserVersion.v17_r75076;
else if (module.Name == "Stub.exe")
theVersion = ConfuserVersion.v18_r75184;
else if (!IsGetLenToPosStateMethodPrivate(type))
theVersion = ConfuserVersion.v18_r75367;
else
theVersion = ConfuserVersion.v19_r77172;
}
else if (IsDecryptMethod_v17_r73404(decyptMethod))
theVersion = ConfuserVersion.v17_r73404;
else
theVersion = ConfuserVersion.v15_r60785;
break;
}
throw new ApplicationException("Could not find magic");
default:
throw new ApplicationException("Invalid version");
}
simpleDeobfuscator.Deobfuscate(cctor);
simpleDeobfuscator.DecryptStrings(cctor, deob);
if (FindEntryPointToken(simpleDeobfuscator, cctor, entryPoint, out entryPointToken) && !use7zip) {
if (DotNetUtils.CallsMethod(asmResolverMethod, "System.Void", "(System.String)"))
theVersion = ConfuserVersion.v17_r73477;
else
theVersion = ConfuserVersion.v17_r73566;
}
mainAsmResource = FindResource(cctor);
if (mainAsmResource == null)
throw new ApplicationException("Could not find main assembly resource");
version = theVersion;
}
IDecrypterInfo CheckNested(TypeDef type, TypeDef nested)
{
if (nested.HasProperties || nested.HasEvents)
{
return(null);
}
if (nested.FindMethod(".ctor") == null)
{
return(null);
}
if (nested.Fields.Count == 1 || nested.Fields.Count == 3)
{
// 4.0+
if (!HasFieldType(nested.Fields, nested))
{
return(null);
}
var decrypterBuilderMethod = DotNetUtils.GetMethod(nested, "System.Reflection.Emit.MethodBuilder", "(System.Reflection.Emit.TypeBuilder)");
if (decrypterBuilderMethod == null)
{
return(null);
}
resourceDecrypter.DecryptMethod = ResourceDecrypter.FindDecrypterMethod(nested.FindMethod(".ctor"));
var nestedDecrypter = DotNetUtils.GetMethod(nested, "System.String", "(System.Int32)");
if (nestedDecrypter == null || nestedDecrypter.IsStatic)
{
return(null);
}
var decrypter = DotNetUtils.GetMethod(type, "System.String", "(System.Int32)");
if (decrypter == null || !decrypter.IsStatic)
{
return(null);
}
simpleDeobfuscator.Deobfuscate(decrypterBuilderMethod);
return(new DecrypterInfoV3(resourceDecrypter)
{
Decrypter = decrypter,
OffsetCalcInstructions = GetOffsetCalcInstructions(decrypterBuilderMethod),
});
}
else if (nested.Fields.Count == 2)
{
// 3.0 - 3.5
if (CheckFields(nested, "System.Collections.Hashtable", nested))
{
// 3.0 - 3.5
var nestedDecrypter = DotNetUtils.GetMethod(nested, "System.String", "(System.Int32)");
if (nestedDecrypter == null || nestedDecrypter.IsStatic)
{
return(null);
}
var decrypter = DotNetUtils.GetMethod(type, "System.String", "(System.Int32)");
if (decrypter == null || !decrypter.IsStatic)
{
return(null);
}
resourceDecrypter.DecryptMethod = ResourceDecrypter.FindDecrypterMethod(nested.FindMethod(".ctor"));
return(new DecrypterInfoV3(resourceDecrypter)
{
Decrypter = decrypter
});
}
else if (CheckFields(nested, "System.Byte[]", nested))
{
// 3.0
var nestedDecrypter = DotNetUtils.GetMethod(nested, "System.String", "(System.String,System.Int32)");
if (nestedDecrypter == null || nestedDecrypter.IsStatic)
{
return(null);
}
var decrypter = DotNetUtils.GetMethod(type, "System.String", "(System.String,System.Int32)");
if (decrypter == null || !decrypter.IsStatic)
{
return(null);
}
return(new DecrypterInfoV2 {
Decrypter = decrypter
});
}
else
{
return(null);
}
}
return(null);
}
bool InitializeArrays2(ISimpleDeobfuscator simpleDeobfuscator, MethodDef method) {
bool foundField = false;
simpleDeobfuscator.Deobfuscate(method, true);
var instructions = method.Body.Instructions;
for (int i = 0; i < instructions.Count; i++) {
var ldci4 = instructions[i];
if (!ldci4.IsLdcI4())
continue;
i++;
var instrs = DotNetUtils.GetInstructions(instructions, i, OpCodes.Newarr, OpCodes.Dup, OpCodes.Ldtoken, OpCodes.Call, OpCodes.Stsfld);
if (instrs == null)
continue;
var arrayInitField = instrs[2].Operand as FieldDef;
if (arrayInitField == null || arrayInitField.InitialValue == null || arrayInitField.InitialValue.Length == 0)
continue;
var calledMethod = instrs[3].Operand as IMethod;
if (calledMethod == null || calledMethod.FullName != "System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle)")
continue;
var targetField = instrs[4].Operand as FieldDef;
if (targetField == null || targetField.FieldType.GetElementType() != ElementType.SZArray)
continue;
var etype = ((SZArraySig)targetField.FieldType).Next.GetElementType();
if (etype < ElementType.Boolean || etype > ElementType.U4)
continue;
if (fieldToInfo.Find(targetField) == null) {
fieldToInfo.Add(targetField, new FieldInfo(targetField, arrayInitField));
foundField = true;
}
}
return foundField;
}
bool UpdateFlags(MethodDef method, ISimpleDeobfuscator simpleDeobfuscator)
{
if (method == null || method.Body == null || method.Body.Variables.Count < 3)
{
return(false);
}
var constants = new List <int>();
simpleDeobfuscator.Deobfuscate(method);
var instructions = method.Body.Instructions;
for (int i = 2; i < instructions.Count; i++)
{
var and = instructions[i];
if (and.OpCode.Code != Code.And)
{
continue;
}
var ldci4 = instructions[i - 1];
if (!ldci4.IsLdcI4())
{
continue;
}
int flagValue = ldci4.GetLdcI4Value();
if (!IsFlag(flagValue))
{
continue;
}
var ldloc = instructions[i - 2];
if (!ldloc.IsLdloc())
{
continue;
}
var local = ldloc.GetLocal(method.Body.Variables);
if (local.Type.GetElementType().GetPrimitiveSize() < 0)
{
continue;
}
constants.Add(flagValue);
}
flipFlagsBits = CheckFlipBits(method);
skipBytes = GetHeaderSkipBytes(method);
switch (frameworkType)
{
case FrameworkType.Desktop:
if (!module.IsClr1x)
{
if (constants.Count == 2)
{
desEncryptedFlag = (byte)constants[0];
deflatedFlag = (byte)constants[1];
return(true);
}
}
if (constants.Count == 1)
{
desEncryptedFlag = (byte)constants[0];
return(true);
}
break;
case FrameworkType.Silverlight:
if (constants.Count == 1)
{
bitwiseNotEncryptedFlag = (byte)constants[0];
return(true);
}
break;
case FrameworkType.CompactFramework:
if (constants.Count == 1)
{
desEncryptedFlag = (byte)constants[0];
return(true);
}
break;
}
return(false);
}
bool CheckMethod(MethodDef method)
{
if (method == null || method.Body == null)
{
return(false);
}
if (!DotNetUtils.CallsMethod(method, "System.Void System.AppDomain::add_ResourceResolve(System.ResolveEventHandler)"))
{
return(false);
}
simpleDeobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.Force | SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
fields.Clear();
var tmpHandler = GetHandler(method);
if (tmpHandler == null || tmpHandler.DeclaringType != method.DeclaringType)
{
return(false);
}
var tmpResource = FindResource(tmpHandler);
if (tmpResource == null)
{
return(false);
}
simpleDeobfuscator.Deobfuscate(tmpHandler, SimpleDeobfuscatorFlags.Force | SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
var tmpVersion = ConfuserVersion.Unknown;
if (DotNetUtils.CallsMethod(tmpHandler, "System.Object System.AppDomain::GetData(System.String)"))
{
if (!DotNetUtils.CallsMethod(tmpHandler, "System.Void System.Buffer::BlockCopy(System.Array,System.Int32,System.Array,System.Int32,System.Int32)"))
{
if (!FindKey0Key1_v14_r55802(tmpHandler, out key0, out key1))
{
return(false);
}
tmpVersion = ConfuserVersion.v14_r55802;
}
else if (FindKey0_v17_r73404(tmpHandler, out key0) && FindKey1_v17_r73404(tmpHandler, out key1))
{
tmpVersion = ConfuserVersion.v17_r73404;
}
else
{
return(false);
}
}
else
{
if (AddFields(FindFields(tmpHandler, method.DeclaringType)) != 1)
{
return(false);
}
if (FindKey0_v17_r73404(tmpHandler, out key0) && FindKey1_v17_r73404(tmpHandler, out key1))
{
tmpVersion = ConfuserVersion.v17_r73822;
}
else if (FindKey0_v18_r75367(tmpHandler, out key0) && FindKey1_v17_r73404(tmpHandler, out key1))
{
tmpVersion = ConfuserVersion.v18_r75367;
}
else if (FindKey0_v18_r75369(tmpHandler, out key0) && FindKey1_v18_r75369(tmpHandler, out key1))
{
lzmaType = ConfuserUtils.FindLzmaType(tmpHandler);
if (lzmaType == null)
{
tmpVersion = ConfuserVersion.v18_r75369;
}
else
{
tmpVersion = ConfuserVersion.v19_r77172;
}
}
else
{
return(false);
}
}
handler = tmpHandler;
resource = tmpResource;
installMethod = method;
version = tmpVersion;
return(true);
}
public static EmbeddedResource FindEmbeddedResource(ModuleDefMD module, TypeDef decrypterType, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
return FindEmbeddedResource(module, decrypterType, (method) => {
simpleDeobfuscator.Deobfuscate(method);
simpleDeobfuscator.DecryptStrings(method, deob);
});
}
public void Find(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
{
var entryPoint = module.EntryPoint;
if (entryPoint == null)
{
return;
}
if (!new LocalTypes(entryPoint).All(requiredEntryPointLocals))
{
return;
}
var type = entryPoint.DeclaringType;
if (!new FieldTypes(type).All(requiredFields))
{
return;
}
bool use7zip = type.NestedTypes.Count == 6;
MethodDef decyptMethod;
if (use7zip)
{
decyptMethod = FindDecryptMethod_7zip(type);
}
else
{
decyptMethod = FindDecryptMethod_inflate(type);
}
if (decyptMethod == null)
{
return;
}
var theVersion = ConfuserVersion.Unknown;
var decryptLocals = new LocalTypes(decyptMethod);
if (decryptLocals.Exists("System.IO.MemoryStream"))
{
if (DotNetUtils.CallsMethod(entryPoint, "System.Void", "(System.String,System.Byte[])"))
{
theVersion = ConfuserVersion.v10_r42915;
}
else if (DotNetUtils.CallsMethod(entryPoint, "System.Void", "(System.Security.Permissions.PermissionState)"))
{
theVersion = ConfuserVersion.v10_r48717;
}
else
{
theVersion = ConfuserVersion.v14_r57778;
}
}
else
{
theVersion = ConfuserVersion.v14_r58564;
}
var cctor = type.FindStaticConstructor();
if (cctor == null)
{
return;
}
if ((asmResolverMethod = FindAssemblyResolverMethod(entryPoint.DeclaringType)) != null)
{
theVersion = ConfuserVersion.v14_r58802;
simpleDeobfuscator.Deobfuscate(asmResolverMethod);
if (!FindKey1(asmResolverMethod, out uint key1))
{
return;
}
}
switch (theVersion)
{
case ConfuserVersion.v10_r42915:
case ConfuserVersion.v10_r48717:
case ConfuserVersion.v14_r57778:
break;
case ConfuserVersion.v14_r58564:
case ConfuserVersion.v14_r58802:
simpleDeobfuscator.Deobfuscate(decyptMethod);
if (FindKey0_v14_r58564(decyptMethod, out key0))
{
break;
}
if (FindKey0_v14_r58852(decyptMethod, out key0))
{
if (!decryptLocals.Exists("System.Security.Cryptography.RijndaelManaged"))
{
theVersion = ConfuserVersion.v14_r58852;
break;
}
if (use7zip)
{
if (new LocalTypes(decyptMethod).Exists("System.IO.MemoryStream"))
{
theVersion = ConfuserVersion.v17_r75076;
}
else if (module.Name == "Stub.exe")
{
theVersion = ConfuserVersion.v18_r75184;
}
else if (!IsGetLenToPosStateMethodPrivate(type))
{
theVersion = ConfuserVersion.v18_r75367;
}
else
{
theVersion = ConfuserVersion.v19_r77172;
}
}
else if (IsDecryptMethod_v17_r73404(decyptMethod))
{
theVersion = ConfuserVersion.v17_r73404;
}
else
{
theVersion = ConfuserVersion.v15_r60785;
}
break;
}
throw new ApplicationException("Could not find magic");
default:
throw new ApplicationException("Invalid version");
}
simpleDeobfuscator.Deobfuscate(cctor);
simpleDeobfuscator.DecryptStrings(cctor, deob);
if (FindEntryPointToken(simpleDeobfuscator, cctor, entryPoint, out entryPointToken) && !use7zip)
{
if (DotNetUtils.CallsMethod(asmResolverMethod, "System.Void", "(System.String)"))
{
theVersion = ConfuserVersion.v17_r73477;
}
else
{
theVersion = ConfuserVersion.v17_r73566;
}
}
mainAsmResource = FindResource(cctor);
if (mainAsmResource == null)
{
throw new ApplicationException("Could not find main assembly resource");
}
version = theVersion;
}
public void Find(ISimpleDeobfuscator simpleDeobfuscator) {
var type = DotNetUtils.GetModuleType(module);
if (type == null)
return;
foreach (var method in type.Methods) {
if (!method.IsStatic || method.Body == null)
continue;
if (!DotNetUtils.IsMethod(method, "System.String", "(System.Int32)"))
continue;
var localTypes = new LocalTypes(method);
if (!localTypes.All(requiredLocals))
continue;
simpleDeobfuscator.Deobfuscate(method);
bool foundOldMagic1;
if (FindMagic1(method, out magic1))
foundOldMagic1 = true;
else if (FindNewMagic1(method, out magic1))
foundOldMagic1 = false;
else
continue;
if (!FindMagic2(method, out magic2))
continue;
version = ConfuserVersion.Unknown;
if (DotNetUtils.CallsMethod(method, "System.Text.Encoding System.Text.Encoding::get_UTF8()")) {
if (foundOldMagic1) {
if (DotNetUtils.CallsMethod(method, "System.Object System.AppDomain::GetData(System.String)"))
version = ConfuserVersion.v13_r55604_safe;
else
version = ConfuserVersion.v10_r42915;
}
else {
if (!FindSafeKey1(method, out key1))
continue;
version = ConfuserVersion.v14_r58802_safe;
}
}
else if (!localTypes.Exists("System.Random")) {
if (foundOldMagic1)
version = ConfuserVersion.v11_r49299;
else
version = ConfuserVersion.v14_r58802_dynamic;
}
else if (localTypes.Exists("System.Collections.Generic.Dictionary`2<System.Int32,System.String>"))
version = ConfuserVersion.v10_r48832;
if (version == ConfuserVersion.Unknown)
continue;
decryptMethod = method;
break;
}
}
MethodDef FindInitMethod(ISimpleDeobfuscator simpleDeobfuscator)
{
var ctor = Type.FindMethod(".ctor");
foreach (var method in Type.Methods)
{
if (!method.IsStatic || method.Body == null)
{
continue;
}
if (!DotNetUtils.IsMethod(method, "System.Void", "()"))
{
continue;
}
if (method.Body.Variables.Count > 1)
{
continue;
}
simpleDeobfuscator.Deobfuscate(method);
bool stsfldUsed = false, newobjUsed = false;
foreach (var instr in method.Body.Instructions)
{
if (instr.OpCode.Code == Code.Stsfld)
{
var field = instr.Operand as IField;
if (field == null || field.FieldSig.GetFieldType().GetElementType() != ElementType.Boolean)
{
continue;
}
if (!new SigComparer().Equals(Type, field.DeclaringType))
{
continue;
}
stsfldUsed = true;
}
else if (instr.OpCode.Code == Code.Newobj)
{
var calledCtor = instr.Operand as IMethod;
if (calledCtor == null)
{
continue;
}
if (!MethodEqualityComparer.CompareDeclaringTypes.Equals(calledCtor, ctor))
{
if (calledCtor.DeclaringType.FullName != "System.ResolveEventHandler")
{
continue;
}
}
newobjUsed = true;
}
}
if (!stsfldUsed || !newobjUsed)
{
continue;
}
return(method);
}
return(null);
}
bool FindConstants(ISimpleDeobfuscator simpleDeobfuscator) {
dynocode = new DynamicDynocodeIterator();
simpleDeobfuscator.Deobfuscate(stringMethod);
stringMethodConsts = new EfConstantsReader(stringMethod);
if (!FindResource(stringMethod))
return false;
checkMinus2 = isV32OrLater || DeobUtils.HasInteger(stringMethod, -2);
usePublicKeyToken = CallsGetPublicKeyToken(stringMethod);
var int64Method = FindInt64Method(stringMethod);
if (int64Method != null)
decrypterType.Type = int64Method.DeclaringType;
if (!FindShorts())
return false;
if (!FindInt3())
return false;
if (!FindInt4())
return false;
if (checkMinus2 && !FindInt5())
return false;
dataDecrypterType = FindDataDecrypterType(stringMethod);
if (dataDecrypterType == null)
return false;
if (isV32OrLater) {
bool initializedAll;
int index = FindInitIntsIndex(stringMethod, out initializedAll);
var cctor = stringType.FindStaticConstructor();
if (!initializedAll && cctor != null) {
simpleDeobfuscator.Deobfuscate(cctor);
if (!FindIntsCctor(cctor))
return false;
}
if (decrypterType.Detected && !decrypterType.Initialize())
return false;
if (!FindInts(index))
return false;
}
InitializeFlags();
Initialize();
return true;
}
void DeobfuscateAll(MethodDef method)
{
simpleDeobfuscator.Deobfuscate(method);
simpleDeobfuscator.DecryptStrings(method, deob);
}
static void DeobfuscateCctor(ISimpleDeobfuscator simpleDeobfuscator, MethodDef cctor, ref bool deobfuscatedCctor, bool hasPublicKeyToken) {
if (deobfuscatedCctor || hasPublicKeyToken)
return;
simpleDeobfuscator.Deobfuscate(cctor);
deobfuscatedCctor = true;
}
public List<AssemblyInfo> GetAssemblyInfos(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
var infos = new List<AssemblyInfo>();
if (embedResolverMethod != null) {
simpleDeobfuscator.Deobfuscate(embedResolverMethod);
simpleDeobfuscator.DecryptStrings(embedResolverMethod, deob);
embedPassword = GetEmbedPassword(embedResolverMethod);
}
if (embedPassword == null)
return infos;
foreach (var rsrc in module.Resources) {
var resource = rsrc as EmbeddedResource;
if (resource == null)
continue;
if (!Regex.IsMatch(resource.Name.String, "^cfd_([0-9a-f]{2})+_$"))
continue;
var asmData = Decrypt(embedPassword, Gunzip(resource.Data.ReadAllBytes()));
var mod = ModuleDefMD.Load(asmData);
infos.Add(new AssemblyInfo(asmData, resource, mod.Assembly.FullName, mod.Assembly.Name.String, DeobUtils.GetExtension(mod.Kind)));
}
return infos;
}
public void Initialize(ISimpleDeobfuscator simpleDeobfuscator) {
foreach (var info in stringEncrypterInfos.GetValues()) {
simpleDeobfuscator.Deobfuscate(info.Method);
info.Resource = FindResource(info.Method);
if (info.Resource == null) {
Logger.w("Could not find encrypted strings resource (Method {0:X8})", info.Method.MDToken.ToInt32());
continue;
}
info.Magic1 = FindMagic1(info.Method);
info.Magic2 = FindMagic2(info.Method);
info.Magic3 = FindMagic3(info.Method);
info.Reader = info.Resource.Data;
info.Reader.Position = 0;
}
}
void Find()
{
foreach (var type in module.GetTypes())
{
if (type.IsSealed && type.HasFields)
{
if (type.Fields.Count < 100)
{
continue;
}
foreach (var method in type.Methods)
{
if (!method.IsStatic)
{
continue;
}
if (!method.IsAssembly)
{
continue;
}
simpleDeobfuscator.Deobfuscate(method);
var instrs = method.Body.Instructions;
for (var i = 0; i < instrs.Count; i++)
{
var ldcI4 = instrs[i];
if (!ldcI4.IsLdcI4())
{
continue;
}
if (i + 1 >= instrs.Count)
{
continue;
}
var stsfld = instrs[i + 1];
if (stsfld.OpCode.Code != Code.Stsfld)
{
continue;
}
var key = stsfld.Operand as FieldDef;
if (key == null)
{
continue;
}
var value = ldcI4.GetLdcI4Value();
if (!dictionary.ContainsKey(key))
{
dictionary.Add(key, value);
}
else
{
dictionary[key] = value;
}
}
if (dictionary.Count < 100)
{
dictionary.Clear();
continue;
}
Type = type;
return;
}
}
}
}
public void Initialize(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
if (encryptedResource.Method == null)
return;
initMethod = FindInitMethod(simpleDeobfuscator);
if (initMethod == null)
throw new ApplicationException("Could not find resource resolver init method");
simpleDeobfuscator.Deobfuscate(encryptedResource.Method);
simpleDeobfuscator.DecryptStrings(encryptedResource.Method, deob);
encryptedResource.Initialize(simpleDeobfuscator);
}
public void Initialize(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
if (handlerMethod == null)
return;
FindOtherType();
simpleDeobfuscator.Deobfuscate(handlerMethod);
simpleDeobfuscator.DecryptStrings(handlerMethod, deob);
if (!CreateAssemblyInfos())
throw new ApplicationException("Could not initialize assembly infos");
if (decryptMethod != null) {
simpleDeobfuscator.Deobfuscate(decryptMethod);
simpleDeobfuscator.DecryptStrings(decryptMethod, deob);
if (!CreateDecryptKey())
throw new ApplicationException("Could not initialize decryption key");
}
}
public bool Initialize(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator) {
var cctor = stringsEncodingClass.FindStaticConstructor();
if (cctor != null)
simpleDeobfuscator.Deobfuscate(cctor);
decrypterVersion = GuessVersion(cctor);
if (!FindDecrypterMethod())
throw new ApplicationException("Could not find string decrypter method");
if (!FindStringsResource(deob, simpleDeobfuscator, cctor))
return false;
if (decrypterVersion <= StringDecrypterVersion.V3) {
MethodDef initMethod;
if (decrypterVersion == StringDecrypterVersion.V3)
initMethod = cctor;
else if (decrypterVersion == StringDecrypterVersion.V2)
initMethod = stringDecrypterMethod;
else
initMethod = stringDecrypterMethod;
stringOffset = 0;
if (decrypterVersion != StringDecrypterVersion.V1) {
if (CallsGetPublicKeyToken(initMethod)) {
var pkt = PublicKeyBase.ToPublicKeyToken(module.Assembly.PublicKeyToken);
if (!PublicKeyBase.IsNullOrEmpty2(pkt)) {
for (int i = 0; i < pkt.Data.Length - 1; i += 2)
stringOffset ^= ((int)pkt.Data[i] << 8) + pkt.Data[i + 1];
}
}
if (DeobUtils.HasInteger(initMethod, 0xFFFFFF) &&
DeobUtils.HasInteger(initMethod, 0xFFFF)) {
stringOffset ^= ((stringDecrypterMethod.MDToken.ToInt32() & 0xFFFFFF) - 1) % 0xFFFF;
}
}
}
else {
var offsetVal = FindOffsetValue(cctor);
if (offsetVal == null)
throw new ApplicationException("Could not find string offset");
stringOffset = offsetVal.Value;
decrypterVersion = StringDecrypterVersion.V4;
}
simpleZipTypeMethod = FindSimpleZipTypeMethod(cctor) ?? FindSimpleZipTypeMethod(stringDecrypterMethod);
if (simpleZipTypeMethod != null)
resourceDecrypter = new ResourceDecrypter(new ResourceDecrypterInfo(module, simpleZipTypeMethod, simpleDeobfuscator));
return true;
}
public bool Initialize(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator)
{
var cctor = stringsEncodingClass.FindStaticConstructor();
if (cctor != null)
{
simpleDeobfuscator.Deobfuscate(cctor);
}
decrypterVersion = GuessVersion(cctor);
if (!FindDecrypterMethod())
{
throw new ApplicationException("Could not find string decrypter method");
}
if (!FindStringsResource(deob, simpleDeobfuscator, cctor))
{
return(false);
}
if (decrypterVersion <= StringDecrypterVersion.V3)
{
MethodDef initMethod;
if (decrypterVersion == StringDecrypterVersion.V3)
{
initMethod = cctor;
}
else if (decrypterVersion == StringDecrypterVersion.V2)
{
initMethod = stringDecrypterMethod;
}
else
{
initMethod = stringDecrypterMethod;
}
stringOffset = 0;
if (decrypterVersion != StringDecrypterVersion.V1)
{
if (CallsGetPublicKeyToken(initMethod))
{
var pkt = PublicKeyBase.ToPublicKeyToken(module.Assembly.PublicKeyToken);
if (!PublicKeyBase.IsNullOrEmpty2(pkt))
{
for (int i = 0; i < pkt.Data.Length - 1; i += 2)
{
stringOffset ^= ((int)pkt.Data[i] << 8) + pkt.Data[i + 1];
}
}
}
if (DeobUtils.HasInteger(initMethod, 0xFFFFFF) &&
DeobUtils.HasInteger(initMethod, 0xFFFF))
{
stringOffset ^= ((stringDecrypterMethod.MDToken.ToInt32() & 0xFFFFFF) - 1) % 0xFFFF;
}
}
}
else
{
var offsetVal = FindOffsetValue(cctor);
if (offsetVal == null)
{
throw new ApplicationException("Could not find string offset");
}
stringOffset = offsetVal.Value;
var xorVal = FindXorValue(stringDecrypterMethod, stringsEncodingClass.HasNestedTypes, simpleDeobfuscator);
if (xorVal != null)
{
decrypterVersion = StringDecrypterVersion.V5;
xorValue = (int)xorVal;
}
else
{
decrypterVersion = StringDecrypterVersion.V4;
}
}
simpleZipTypeMethod = FindSimpleZipTypeMethod(cctor) ?? FindSimpleZipTypeMethod(stringDecrypterMethod);
if (simpleZipTypeMethod != null)
{
resourceDecrypter = new ResourceDecrypter(new ResourceDecrypterInfo(module, simpleZipTypeMethod, simpleDeobfuscator));
}
return(true);
}
bool UpdateFlags(MethodDef method, ISimpleDeobfuscator simpleDeobfuscator) {
if (method == null || method.Body == null || method.Body.Variables.Count < 3)
return false;
var constants = new List<int>();
simpleDeobfuscator.Deobfuscate(method);
var instructions = method.Body.Instructions;
for (int i = 2; i < instructions.Count; i++) {
var and = instructions[i];
if (and.OpCode.Code != Code.And)
continue;
var ldci4 = instructions[i - 1];
if (!ldci4.IsLdcI4())
continue;
int flagValue = ldci4.GetLdcI4Value();
if (!IsFlag(flagValue))
continue;
var ldloc = instructions[i - 2];
if (!ldloc.IsLdloc())
continue;
var local = ldloc.GetLocal(method.Body.Variables);
if (local.Type.GetElementType().GetPrimitiveSize() < 0)
continue;
constants.Add(flagValue);
}
int notIndex, skipIndex;
flipFlagsBits = CheckFlipBits(method, out notIndex);
skipBytes = GetHeaderSkipBytes(method, out skipIndex);
skipBeforeFlag = skipIndex < notIndex;
switch (frameworkType) {
case FrameworkType.Desktop:
if (!module.IsClr1x) {
if (constants.Count == 2) {
desEncryptedFlag = (byte)constants[0];
deflatedFlag = (byte)constants[1];
return true;
}
}
if (constants.Count == 1) {
desEncryptedFlag = (byte)constants[0];
return true;
}
break;
case FrameworkType.Silverlight:
if (constants.Count == 1) {
bitwiseNotEncryptedFlag = (byte)constants[0];
return true;
}
break;
case FrameworkType.CompactFramework:
if (constants.Count == 1) {
desEncryptedFlag = (byte)constants[0];
return true;
}
break;
}
return false;
}
public void Find()
{
var cctor = DotNetUtils.GetModuleTypeCctor(module);
if (cctor == null)
{
return;
}
simpleDeobfuscator.Deobfuscate(cctor, SimpleDeobfuscatorFlags.Force | SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
if ((dictField = ConstantsDecrypterUtils.FindDictField(cctor, cctor.DeclaringType)) == null)
{
return;
}
if ((dataField = ConstantsDecrypterUtils.FindDataField_v18_r75367(cctor, cctor.DeclaringType)) == null &&
(dataField = ConstantsDecrypterUtils.FindDataField_v19_r77172(cctor, cctor.DeclaringType)) == null)
{
return;
}
nativeMethod = FindNativeMethod(cctor, cctor.DeclaringType);
var method = GetDecryptMethod();
if (method == null)
{
return;
}
simpleDeobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
var info = new DecrypterInfo(this, method, ConfuserVersion.Unknown);
if (FindKeys_v18_r75367(info))
{
InitVersion(cctor, ConfuserVersion.v18_r75367_normal, ConfuserVersion.v18_r75367_dynamic, ConfuserVersion.v18_r75367_native);
}
else if (FindKeys_v18_r75369(info))
{
lzmaType = ConfuserUtils.FindLzmaType(cctor);
if (lzmaType == null)
{
InitVersion(cctor, ConfuserVersion.v18_r75369_normal, ConfuserVersion.v18_r75369_dynamic, ConfuserVersion.v18_r75369_native);
}
else if (!DotNetUtils.CallsMethod(method, "System.Void System.Threading.Monitor::Exit(System.Object)"))
{
InitVersion(cctor, ConfuserVersion.v19_r77172_normal, ConfuserVersion.v19_r77172_dynamic, ConfuserVersion.v19_r77172_native);
}
else if (DotNetUtils.CallsMethod(method, "System.Void System.Diagnostics.StackFrame::.ctor(System.Int32)"))
{
InitVersion(cctor, ConfuserVersion.v19_r78363_normal, ConfuserVersion.v19_r78363_dynamic, ConfuserVersion.v19_r78363_native);
}
else
{
int index1 = ConfuserUtils.FindCallMethod(cctor.Body.Instructions, 0, Code.Callvirt, "System.Reflection.Module System.Reflection.MemberInfo::get_Module()");
int index2 = ConfuserUtils.FindCallMethod(cctor.Body.Instructions, 0, Code.Callvirt, "System.Int32 System.Reflection.MemberInfo::get_MetadataToken()");
if (index1 < 0 || index2 < 0)
{
}
if (index2 - index1 == 3)
{
InitVersion(cctor, ConfuserVersion.v19_r78056_normal, ConfuserVersion.v19_r78056_dynamic, ConfuserVersion.v19_r78056_native);
}
else if (index2 - index1 == -4)
{
InitVersion(cctor, ConfuserVersion.v19_r79630_normal, ConfuserVersion.v19_r79630_dynamic, ConfuserVersion.v19_r79630_native);
}
}
}
else
{
return;
}
installMethod = cctor;
}
