protected override void LoadChildren() { foreach (var r in module.GetAssemblyRefs().OrderBy(r => r.Name.String)) { this.Children.Add(new AssemblyReferenceTreeNode(r, parentAssembly)); } foreach (var r in module.GetModuleRefs().OrderBy(r => r.Name.String)) { this.Children.Add(new ModuleReferenceTreeNode(r)); } }
public static Obfuscator DetectObfuscator(ModuleDefMD Module, string Path) { if (Module.GetAssemblyRefs().Where(q => q.ToString().Contains("AgileDotNet.VMRuntime")).ToArray().Count() > 0) { return(Obfuscator.AgileVM); } if (Module.Types.SingleOrDefault(t => t.HasFields && t.Fields.Count == 119) != null) { return(Obfuscator.KoiVM); } if (Module.GetAssemblyRefs().Where(q => q.ToString().Contains("KoiVM.Runtime")).ToArray().Count() > 0) { return(Obfuscator.KoiVMDll); } foreach (var type in Module.Types) { foreach (var method in type.Methods) { if (method.HasBody && method.Body.HasInstructions && method.Body.Instructions.Count() >= 6) { if (method.Body.Instructions[0].IsLdarg()) { if (method.Body.Instructions[1].IsLdarg()) { if (method.Body.Instructions[2].IsLdarg()) { if (method.Body.Instructions[3].IsLdarg()) { if (method.Body.Instructions[5].OpCode == OpCodes.Pop) { if (method.Body.Instructions[6].OpCode == OpCodes.Ret) { if (method.Body.Instructions[4].OpCode == OpCodes.Call) { if (method.Body.Instructions[4].ToString().Contains("(System.IO.Stream,System.String,System.Object[])")) { return(Obfuscator.EazVM); } } } } } } } } } } } return(Obfuscator.Unknown); }
private void LoadDependencies(ModuleDefMD module) { if (seenModules.Contains(module.Location)) { return; } seenModules.Add(module.Location); Modules.Add(module); Resolver.AddToCache(module); foreach (var assemblyRef in module.GetAssemblyRefs()) { // There are cases, where the Resolver will not be able to resolve the assemblies // automatically, even if they are in the same directory. // (maybe this has todo with linux / specific mono versions?) // So, try to load them manually recursively first. var subModuleFile = Path.Combine(Path.GetDirectoryName(module.Location), assemblyRef.Name + ".dll"); if (File.Exists(subModuleFile)) { var subModule = ModuleDefMD.Load(subModuleFile, Resolver.DefaultModuleContext); if (subModule != null) { LoadDependencies(subModule); } } var assembly = Resolver.ResolveThrow(assemblyRef, null); foreach (var moduleRef in assembly.Modules) { LoadDependencies((ModuleDefMD)moduleRef); } } }
/// <summary> /// Get the AssemblyRef of the module from the assembly full name, adding /// our own AssemblyRef if none found. /// </summary> /// <param name="fullName">Assembly full name</param> /// <returns>AssemblyRef</returns> public AssemblyRef FindAssemblyRef(String fullName) { // fullName: ", mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" // causes... // System.IO.FileLoadException: The given assembly name or codebase was invalid. (Exception from HRESULT: 0x80131047) // at System.Reflection.AssemblyName.nInit(RuntimeAssembly& assembly, Boolean forIntrospection, Boolean raiseResolveEvent) // at System.Reflection.AssemblyName.nInit() // at eazdevirt.Util.NameResolver.FindAssemblyRef(String fullName) // at eazdevirt.Util.NameResolver.FindAssemblyRef(TypeName typeName) // at eazdevirt.Util.NameResolver.ResolveTypeDefOrRef(TypeName typeName) // at eazdevirt.IO.Resolver.ResolveType_NoLock(Int32 position) // at eazdevirt.IO.Resolver.ResolveType(Int32 position) // at eazdevirt.IO.VirtualizedMethodBodyReader.SetLocalsAndParameters() // at eazdevirt.IO.VirtualizedMethodBodyReader.Read() // at eazdevirt.Devirtualizer.Devirtualize(DevirtualizeOptions options, Action`1 attemptCallback) // Try to find AssemblyRef via full name var assemblyRef = _module.GetAssemblyRefs().FirstOrDefault((ar) => { return(ar.FullName.Equals(fullName)); }); if (assemblyRef != null) { return(assemblyRef); } // If unable to find, add our own AssemblyRef from the full name return(new AssemblyRefUser(new System.Reflection.AssemblyName(fullName))); }
private static void asmRefAdder() { var asmResolver = new AssemblyResolver { EnableTypeDefCache = true }; var modCtx = new ModuleContext(asmResolver); asmResolver.DefaultModuleContext = modCtx; var asmRefs = module.GetAssemblyRefs().ToList(); module.Context = modCtx; foreach (var asmRef in asmRefs) { try { if (asmRef == null) { continue; } var asm = asmResolver.Resolve(asmRef.FullName, module); if (asm == null) { continue; } ((AssemblyResolver)module.Context.AssemblyResolver).AddToCache(asm); } catch { } } }
public static FrameworkType GetFrameworkType(ModuleDefMD module) { foreach (var modRef in module.GetAssemblyRefs()) { if (modRef.Name != "mscorlib") { continue; } if (PublicKeyBase.IsNullOrEmpty2(modRef.PublicKeyOrToken)) { continue; } switch (BitConverter.ToString(modRef.PublicKeyOrToken.Data).Replace("-", "").ToLowerInvariant()) { case "b77a5c561934e089": return(FrameworkType.Desktop); case "7cec85d7bea7798e": return(FrameworkType.Silverlight); case "969db8053d3322ac": return(FrameworkType.CompactFramework); case "1c9e259686f921e0": return(FrameworkType.XNA); case "e92a8b81eba7ceb7": return(FrameworkType.Zune); } } return(FrameworkType.Unknown); }
public void LoadAssembly(ModuleDefMD manifestModule, string path, bool clear) { AnalysisHandler.Reset(); RefNode = null; CurrentModule = null; if (clear) { CurrentTreeView.Nodes.Clear(); } TreeNode file = NewFile(manifestModule, path); file.AddTo(CurrentTreeView); ModuleDefMD module = manifestModule; NameSpaceList.Clear(); TreeNode moduleNode = NewModule(module); moduleNode.AddTo(file); CurrentModule = moduleNode; if (module.Types.Any()) { foreach (TypeDef type in module.Types.OrderBy(t => t.Name.ToLower())) { new TypeHandler(this).HandleType(type, false); } } CurrentModule = moduleNode; if (module.GetAssemblyRefs().Any()) { new ReferenceHandler(this).HandleReferences(module.GetAssemblyRefs()); } var processor = new NodeDevirtualizer(RefNode, this); processor.ProcessNode(); processor.WorkerFinished += processor_WorkerFinished; RefNode = processor.Node; }
static bool ShouldPatchAssembly(ModuleDefMD mod) { foreach (var asmRef in mod.GetAssemblyRefs()) { string name = asmRef.Name; if (name == "netstandard") { return(false); } } return(true); }
private static void _fixExternalReferenceImpl(ModuleDefMD module, AssemblyRef oldAsmRef, AssemblyRef newAsmRef) { // Credit: https://github.com/0xd4d/dnSpy/issues/173#issuecomment-242180559 foreach (var asmRef in module.GetAssemblyRefs()) { if (_isEqual(asmRef, oldAsmRef)) { asmRef.PublicKeyOrToken = newAsmRef.PublicKeyOrToken; asmRef.Version = newAsmRef.Version; } } }
//Here we replace the AssemblyRef entry for TrinitySeal with Unitas.Runtime //With this, we not only hijack all library calls //But we also bypass the hash check static void ProcessAssembly(string vars) { Console.WriteLine("Processing assembly..."); var opts = new ModuleWriterOptions(_mod) { Logger = DummyLogger.NoThrowInstance }; var writer = new ModuleWriter(_mod, opts); foreach (var asmref in _mod.GetAssemblyRefs()) { if (asmref.Name != "TrinitySeal") { continue; } Console.WriteLine("Replacing reference"); asmref.Name = "Unitas.Runtime"; } Console.WriteLine("Fixing namespaces..."); foreach (var typeref in _mod.GetTypeRefs()) { if (typeref.Namespace == "TrinitySeal" && typeref.DefinitionAssembly.Name == "Unitas.Runtime") { typeref.Namespace = "Unitas.Runtime"; } } //Preserve EVERYTHING opts.MetadataOptions.PreserveHeapOrder(_mod, true); opts.MetadataOptions.Flags |= MetadataFlags.PreserveRids | MetadataFlags.KeepOldMaxStack; var runtime = Path.Combine(Path.GetDirectoryName(_mod.Location), "Unitas.Runtime.dll"); File.Copy(typeof(Seal).Assembly.Location, runtime, true); if (vars != null) { AddServerVariables(vars, runtime); } writer.Write(GetNewName()); Console.WriteLine($"Bypassed assembly saved at: {GetNewName()}"); }
private void LoadDependencies(ModuleDefMD module) { if (seenModules.Contains(module.Location)) { return; } seenModules.Add(module.Location); Modules.Add(module); Resolver.AddToCache(module); foreach (var assemblyRef in module.GetAssemblyRefs()) { AssemblyDef assembly = Resolver.ResolveThrow(assemblyRef, null); foreach (var moduleRef in assembly.Modules) { LoadDependencies((ModuleDefMD)moduleRef); } } }
public static void LoadModule(string filename) { try { FileName = filename; byte[] data = File.ReadAllBytes(filename); ModuleContext modCtx = ModuleDef.CreateModuleContext(); module = ModuleDefMD.Load(data, modCtx); Write("Module Loaded : " + module.Name, TypeMessage.Info); foreach (AssemblyRef dependance in module.GetAssemblyRefs()) { Write($"Dependance : {dependance.Name}", TypeMessage.Info); } } catch { Write("Error for Loade Module", TypeMessage.Error); } }
public static List <string> GetRefs(string file) { List <string> refs = new List <string>(); Console.WriteLine(string.Format("[+] Analyzing {0}", file)); try { using (ModuleDefMD mod = ModuleDefMD.Load(file)) { foreach (var reference in mod.GetAssemblyRefs()) { refs.Add(reference.Name); } } } catch (IOException e) { Console.WriteLine(string.Format("[-] Failed to analyze {0}, file not found", file)); } catch (BadImageFormatException e) { Console.WriteLine(string.Format("[-] Failed to analyze {0}, bad image format", file)); } return(refs); }
public static void LoadAsmRef() { var asmResolver = new AssemblyResolver(); var modCtx = new ModuleContext(asmResolver); asmResolver.DefaultModuleContext = modCtx; asmResolver.EnableTypeDefCache = true; module.Location = filename; var asmRefs = module.GetAssemblyRefs().ToList(); module.Context = modCtx; foreach (var asmRef in asmRefs) { if (asmRef == null) { continue; } var asma = asmResolver.Resolve(asmRef.FullName, module); // Protections.Protections.ModuleDef.Context.AssemblyResolver.AddToCache(asma); ((AssemblyResolver)module.Context.AssemblyResolver).AddToCache(asma); } }
private static AssemblyRef GetCallingConventionAssemblyRefForNetCore(ModuleDefMD module, string callingConventionAssemblyName) { var numAsmRefs = module.TablesStream.AssemblyRefTable.Rows; foreach (var assemblyRef in module.GetAssemblyRefs()) { if (assemblyRef is null) { continue; } if (assemblyRef.Name == callingConventionAssemblyName) { return(assemblyRef); } } var compilerServicesAssembly = new AssemblyRefUser(module.Context.AssemblyResolver.ResolveThrow(new AssemblyRefUser(callingConventionAssemblyName), module)); module.UpdateRowId(compilerServicesAssembly); return(compilerServicesAssembly); }
public static void Main(string[] args) { string path = "../Release/CILExamining.exe"; ModuleDefMD m = ModuleDefMD.Load(path); AssemblyResolver ar = new AssemblyResolver(); ModuleContext mc = new ModuleContext(ar); foreach (AssemblyRef assemblyRef in m.GetAssemblyRefs()) { ar.ResolveThrow(assemblyRef, m); } ar.PostSearchPaths.Add(path); m.Context = mc; Obfuscations.Utilities.RenameUtility ru = new Obfuscations.Utilities.RenameUtility(); new Obfuscations.ReferenceProxyObfuscation(ru.Random).Execute(m); //new Obfuscations.RenameObfuscation(ru).Execute(m); //new Obfuscations.JunkObfuscation(ru).Execute(m); m.Write(path + ".o"); }
private static void Main(string[] args) { Console.WriteLine("Name of Executable to Unpack : "); var path = Console.ReadLine(); if (path == string.Empty) { return; } if (path != null && path.StartsWith("\"") && path[path.Length - 1] == '"') { path = path.Substring(1, path.Length - 2); } if (!File.Exists(path)) { Console.ForegroundColor = ConsoleColor.Red; Console.WriteLine("[!] File not found"); Console.WriteLine("[!] Press key to exit..."); Console.Read(); return; } Console.WriteLine("Babel Unpacker running.."); ModuleDefMD moduleDefMD = ModuleDefMD.Load(path); AssemblyResolver assemblyResolver = new AssemblyResolver(); ModuleContext moduleContext = new ModuleContext(assemblyResolver); assemblyResolver.DefaultModuleContext = moduleContext; assemblyResolver.EnableTypeDefCache = true; moduleDefMD.Location = path; List <AssemblyRef> list = moduleDefMD.GetAssemblyRefs().ToList <AssemblyRef>(); moduleDefMD.Context = moduleContext; foreach (AssemblyRef assemblyRef in list) { if (assemblyRef != null) { AssemblyDef assemblyDef = assemblyResolver.Resolve(assemblyRef.FullName, moduleDefMD); moduleDefMD.Context.AssemblyResolver.AddToCache(assemblyDef); } } Program.asm = Assembly.LoadFrom(path); De4Dot.Cflow(moduleDefMD); VMDecryptor.run(moduleDefMD, Program.asm); Delegates.CleanDelegates(moduleDefMD); Ints.CleanInts(moduleDefMD); Ints.CleanFloats(moduleDefMD); Ints.CleanDouble(moduleDefMD); Strings.CleanStringMethodOne(moduleDefMD); Strings.CleanStringMethodTwo(moduleDefMD); De4Dot.Cflow(moduleDefMD); Ints.CleanInts(moduleDefMD); Ints.CleanFloats(moduleDefMD); Ints.CleanDouble(moduleDefMD); Strings.CleanStringMethodOne(moduleDefMD); Strings.CleanStringMethodTwo(moduleDefMD); De4Dot.Cflow(moduleDefMD); AntiTamper.AntiTamp(moduleDefMD); Console.ForegroundColor = ConsoleColor.Green; Console.WriteLine("Unpack Complete !"); moduleDefMD.Write("cleaned_" + path, new ModuleWriterOptions(moduleDefMD)); }
private static void Remove(ModuleDefMD md, StrongNameKey key = null, bool checkBaml = false, int floor = 0) { //if (WhiteList.Contains(md.Assembly.Name)) //{ // Log($"{md.Assembly.Name} is in WhiteList! It will keep its sign."); //} bool isResign = key != null; PublicKey pk = null; if (isResign) { pk = new PublicKey(key.PublicKey); } string operation = isResign ? "Resigning" : "Removing"; Log($"{"".PadLeft(floor, PaddingChar)}{operation} StrongName for assembly [{md.Name}] ..."); md.IsStrongNameSigned = isResign; if (!isResign) { //if (md.Assembly.PublicKeyToken != null) //{ // md.Assembly.PublicKeyToken.Data = null; //} if (md.Assembly.PublicKey != null) { md.Assembly.PublicKey = null; } md.Assembly.HasPublicKey = false; } HandleDic[md.Assembly.Name] = true; if (checkBaml) { BamlProject b = new BamlProject(md); b.RemoveRefKeyToken(CurrentPublicKeyToken, pk?.Token.ToString() ?? "null"); if (b.BamlFiles.Count > 0) { Log($"{"".PadLeft(floor, PaddingChar)}{operation} StrongName for BAMLs in [{md.Name}] ..."); } b.ProcessForRef(); } var attrs = md.Assembly.CustomAttributes.FindAll(InternalInvisibleAttr); if (attrs.Any()) { Log($"{"".PadLeft(floor, PaddingChar)}{operation} StrongName for Attributes in [{md.Name}] ..."); } foreach (var attr in attrs) { var s = (UTF8String)attr.ConstructorArguments[0].Value; if (s.Contains("PublicKey=" + CurrentPublicKey)) { var arg = attr.ConstructorArguments[0]; arg.Value = s.Remove(s.IndexOf(",")); var name = arg.Value.ToString(); if (isResign) { arg.Value += $", {pk.ToString()}"; } attr.ConstructorArguments[0] = arg; //Remove InternalVisible if (HandleDic.ContainsKey(name) && HandleDic[name]) { continue; } var p = Path.Combine(CurrentPath, name + ".dll"); if (!File.Exists(p)) { p = Path.Combine(CurrentPath, name + ".exe"); } if (File.Exists(p)) { try { Remove(ModuleDefMD.Load(p), key, checkBaml, floor + 1); } catch (Exception ex) { Log(ex.ToString()); } } } } //Remove AssemblyRef Log($"{"".PadLeft(floor, PaddingChar)}{operation} StrongName for AssemblyRefs in [{md.Name}] ..."); foreach (var asmref in md.GetAssemblyRefs()) { if (asmref.PublicKeyOrToken.Token.ToString() == CurrentPublicKeyToken) { var p = Path.Combine(CurrentPath, asmref.Name + ".dll"); if (!File.Exists(p)) { p = Path.Combine(CurrentPath, asmref.Name + ".exe"); } if (File.Exists(p)) { if (!isResign) { //if (asmref.PublicKeyOrToken != null) //{ // asmref.PublicKeyOrToken = null; //} asmref.HasPublicKey = false; } else { asmref.PublicKeyOrToken = pk.Token; asmref.HasPublicKey = false; } if (HandleDic.ContainsKey(asmref.Name) && HandleDic[asmref.Name]) { continue; } try { Remove(ModuleDefMD.Load(p), key, checkBaml, floor + 1); } catch (Exception ex) { Log(ex.ToString()); } } } } Log($"{"".PadLeft(floor, PaddingChar)}Saving [{md.Name}] ..."); if (isResign) { if (md.IsILOnly) { ModuleWriterOptions option = new ModuleWriterOptions(md); option.InitializeStrongNameSigning(md, key); option.ShareMethodBodies = false; md.Write(Path.Combine(SavePath, md.Name), option); } else { NativeModuleWriterOptions option = new NativeModuleWriterOptions(md, false); option.InitializeStrongNameSigning(md, key); md.NativeWrite(Path.Combine(SavePath, md.Name), option); } } else { if (md.IsILOnly) { md.Write(Path.Combine(SavePath, md.Name)); } else { md.NativeWrite(Path.Combine(SavePath, md.Name)); } } }
public void Run() { // Create a default assembly resolver and type resolver and pass it to Load(). // If it's a .NET Core assembly, you'll need to disable GAC loading and add // .NET Core reference assembly search paths. ModuleContext modCtx = ModuleDef.CreateModuleContext(); IAssemblyResolver resolver = new CustomAssemblyResolver(references); modCtx.AssemblyResolver = resolver; module = ModuleDefMD.Load(inputFileName, modCtx); Importer importer = new Importer(module); var instantiateComponentMethod = (from t in module.GetTypes() where t.Name == "ComponentFactory" from m in t.Methods where m.Name == "InstantiateComponent" select m).Single(); var assembly = resolver.Resolve(module.GetAssemblyRefs().FirstOrDefault(x => x.Name == "Microsoft.Extensions.DependencyInjection.Abstractions"), module); var getServiceMethod = (from t in assembly.ManifestModule.GetTypes() where t.Name == "ActivatorUtilities" from m in t.Methods where m.Name == "GetServiceOrCreateInstance" && !m.HasGenericParameters select m).Single(); var firstCall = instantiateComponentMethod.Body.Instructions.First(x => x.OpCode == OpCodes.Call); instantiateComponentMethod.Body.Instructions.Insert(0, OpCodes.Ldarg_1.ToInstruction()); firstCall.Operand = importer.Import(getServiceMethod); if (module.IsILOnly) { // Create writer options var opts = new ModuleWriterOptions(module); // Open or create the strong name key var signatureKey = new StrongNameKey(Path.Combine(Path.GetDirectoryName(Assembly.GetExecutingAssembly().Location), "Key.snk")); // This method will initialize the required properties opts.InitializeStrongNameSigning(module, signatureKey); module.Write(outputFileName, opts); } else { // Create writer options var opts = new NativeModuleWriterOptions(module, false); // Open or create the strong name key var signatureKey = new StrongNameKey(Path.Combine(Path.GetDirectoryName(Assembly.GetExecutingAssembly().Location), "Key.snk")); // This method will initialize the required properties opts.InitializeStrongNameSigning(module, signatureKey); module.NativeWrite(outputFileName, opts); } }
static void Main(string[] args) { Console.OutputEncoding = Encoding.ASCII; var stopwatch = new Stopwatch(); stopwatch.Start(); //string path = args[0]; Console.WriteLine("Drag n Drop the Exe: "); string path = Console.ReadLine(); try { path = path.Replace("\"", ""); } catch { } string fileDir = System.IO.Path.GetDirectoryName(path); fileDir = fileDir.Replace("\"", ""); string agilePath = fileDir + "\\AgileDotNet.VMRuntime.dll"; string obf = ""; Console.Clear(); ModuleDefMD module = ModuleDefMD.Load(path); Console.WriteLine("ForlaxerKoi v1.0"); Console.WriteLine("ReCoded by: Forlax (Originaly Made by Team Venturi77)\n"); info($"Processing module '{module.Name}'..."); info($"Resolving dependencies..."); foreach (var data in module.GetAssemblyRefs()) { if (data.ToString().Contains("AgileDotNet.VMRuntime")) { obf = "Agile.NET"; } dbg($"Resolved '{data.ToString()}'"); } success("Resolved all dependencies"); try { if (obf == "Agile.NET") { info("Detected Agile.NET as Obfuscator"); obf = "AgileVM"; goto Agile; } else if (module.FullName.Contains("вє∂ѕ ρяσтє¢тσя")) { info("Detected Beds Protector as Obfuscator"); obf = "Beds Protector with KoiVM"; } else if (module.Assembly.Modules[0].CustomAttributes[0].AttributeType.ToString().Contains("ConfusedBy") || module.Assembly.Modules[0].CustomAttributes[1].AttributeType.ToString().Contains("ConfusedBy")) { info("Detected ConfuserEx as Obfuscator"); obf = "ConfuserEX with KoiVM"; } else { info("Detected EazFuscator as Obfuscator"); obf = "EazVM"; goto EAZ; } } catch { info("Detected EazFuscator as Obfuscator"); obf = "EazVM"; goto EAZ; } dbg("Looking for KoiVM data"); bool isFound = false; foreach (var stream in module.Metadata.AllStreams) { if (stream.Name == "#Koi" || stream.Name == "#Bed" || stream.Name == "Eddy^CZ") { isFound = true; info($"Found KoiVM data '{stream.Name}'"); dbg($"Heap offset: {ToHex((int)stream.StreamHeader.StartOffset)}"); dbg($"Heap size: {ToHex((int)stream.StreamHeader.StreamSize)}"); var read = stream.CreateReader(); byte[] bytes = read.ToArray(); System.IO.File.WriteAllText(path + "_" + stream.Name.Replace("#", "") + "_unicode.bin", System.Text.Encoding.Unicode.GetString(bytes)); System.IO.File.WriteAllBytes(path + "_" + stream.Name.Replace("#", "") + ".bin", bytes); success("Exported KoiVM data"); dbg("Hooking Forlaxer..."); try { //File.Copy(@"C:\Users\ForlaxPy\source\repos\Forlaxer\Forlaxer\bin\Debug\Forlaxer.dll", fileDir + "\\Forlaxer.dll"); } catch { } try { Colorful.Console.Write("\n[DEBUG] ", Color.LightSkyBlue); Colorful.Console.Write("Pick a version [1: DBG & BNG |2: BNG] "); stopwatch.Stop(); int pick = int.Parse(Console.ReadLine()); stopwatch.Start(); InjectForlaxerKoi(path, bytes, pick); dbg("Generating the JSON config..."); generateJson(path, obf); } catch (ArgumentNullException ex) { File.WriteAllText("traces.txt", ex.Message.ToString()); fail("Failed to Hook Forlaxer "); } int VMmethods = 0; try { VMmethods = detectingVMedMethods(path); success($"Parsed {VMmethods} virtualized methods"); } catch { } //VMData koi = new VMData(stream.StreamHeader); //System.Reflection.Module m = System.Reflection.Assembly //System.Reflection.Module m = Type.GetTypeFromHandle(typeof(Fox).TypeHandle).Module; } } if (!isFound) { fail("Couldn't find KoiVM data"); } goto Done; EAZ: dbg("Hooking Forlaxer..."); try { //File.Copy(@"C:\Users\ForlaxPy\source\repos\Forlaxer\Forlaxer\bin\Debug\Forlaxer.dll", fileDir + "\\Forlaxer.dll"); } catch { } try { Colorful.Console.Write("\n[DEBUG] ", Color.LightSkyBlue); Colorful.Console.Write("Pick a version [1: DBG & BNG |2: BNG] "); stopwatch.Stop(); int pick = int.Parse(Console.ReadLine()); stopwatch.Start(); InjectForlaxerEaz(path, pick); dbg("Generating the JSON config..."); generateJson(path, obf); } catch (ArgumentNullException ex) { File.WriteAllText("traces.txt", ex.Message.ToString()); fail("Failed to Hook Forlaxer "); } goto Done; Agile: dbg("Hooking Forlaxer..."); try { //File.Copy(@"C:\Users\ForlaxPy\source\repos\Forlaxer\Forlaxer\bin\Debug\Forlaxer.dll", fileDir + "\\Forlaxer.dll"); } catch { } try { Colorful.Console.Write("\n[DEBUG] ", Color.LightSkyBlue); Colorful.Console.Write("Pick a version [1: DBG & BNG |2: BNG] "); stopwatch.Stop(); int pick = int.Parse(Console.ReadLine()); stopwatch.Start(); InjectForlaxerAgile(agilePath, pick); File.Move(agilePath, agilePath + ".bak"); File.Move(agilePath + ".temp", agilePath); success("Forlaxer Hooked Succesfully!"); dbg("Generating the JSON config..."); generateJson(path, obf); } catch (ArgumentNullException ex) { File.WriteAllText("traces.txt", ex.Message.ToString()); fail("Failed to Hook Forlaxer "); } goto Done; Done: stopwatch.Stop(); Console.WriteLine("\n\n\nElapsed time: " + stopwatch.Elapsed.TotalSeconds.ToString() + " seconds."); Console.ReadKey(); }
private void ExecuteOperation() { List <(Regex pattern, string replacement)> replacementPatterns = new List <(Regex pattern, string replacement)>(); string[] regexpOptions = _commandLineOptions.Regexps.ToArray(); for (int i = 0; i < regexpOptions.Length; i += 2) { string regexpOption = regexpOptions[i]; string regexpReplacementOption = regexpOptions[i + 1]; Regex regex = new Regex(regexpOption, RegexOptions.Singleline); replacementPatterns.Add((regex, regexpReplacementOption)); } string UpdateName(string name, Action onNameChanged) { string originalName = name; foreach ((Regex pattern, string replacement)replacementPattern in replacementPatterns) { name = replacementPattern.pattern.Replace(name, replacementPattern.replacement); } if (name != originalName) { onNameChanged(); } return(name); } Log.Info($"Reading assembly from {_commandLineOptions.InputAssemblyPath}"); ModuleDefMD module = ModuleDefMD.Load(_commandLineOptions.InputAssemblyPath); AssemblyDef assembly = module.Assembly; TypeDef[] types = module.GetTypes().ToArray(); TypeRef[] typeReferences = module.GetTypeRefs().ToArray(); AssemblyRef[] assemblyReferences = module.GetAssemblyRefs().ToArray(); Log.Info("Updating assembly name"); if (_commandLineOptions.ReplaceAssemblyName) { assembly.Name = UpdateName(assembly.Name, () => Log.Info("Assembly name modified")); for (int i = 0; i < assembly.Modules.Count; i++) { ModuleDef moduleDef = assembly.Modules[i]; int finalI = i; moduleDef.Name = UpdateName(moduleDef.Name, () => Log.Info($"Module {finalI} name modified")); } } Log.Info("Modifying types"); int modifiedTypes = 0; foreach (TypeDef type in types) { type.Namespace = UpdateName(type.Namespace, () => modifiedTypes++); } Log.Info($"Modified {modifiedTypes} type(s)"); Log.Info("Modifying type references"); int modifiedTypeReferences = 0; foreach (TypeRef typeReference in typeReferences) { typeReference.Namespace = UpdateName(typeReference.Namespace, () => modifiedTypeReferences++); } Log.Info($"Modified {modifiedTypeReferences} type reference(s)"); if (_commandLineOptions.ReplaceAssemblyReferences) { Log.Info("Modifying assembly references"); int modifiedReferences = 0; foreach (AssemblyRef assemblyReference in assemblyReferences) { assemblyReference.Name = UpdateName(assemblyReference.Name, () => modifiedReferences++); } Log.Info($"Modified {modifiedReferences} assembly reference(s)"); } Log.Info("Updating attributes"); HashSet <CustomAttribute> customAttributes = new HashSet <CustomAttribute>(); customAttributes.UnionWith(module.CustomAttributes); customAttributes.UnionWith(assembly.CustomAttributes); foreach (TypeDef type in types) { customAttributes.UnionWith(type.CustomAttributes); type.Events.ToList().ForEach(m => customAttributes.UnionWith(m.CustomAttributes)); type.Fields.ToList().ForEach(m => customAttributes.UnionWith(m.CustomAttributes)); type.Interfaces.ToList().ForEach(m => customAttributes.UnionWith(m.CustomAttributes)); type.Methods.ToList().ForEach(m => customAttributes.UnionWith(m.CustomAttributes)); type.GenericParameters.ToList().ForEach(m => customAttributes.UnionWith(m.CustomAttributes)); type.Properties.ToList().ForEach(m => customAttributes.UnionWith(m.CustomAttributes)); foreach (MethodDef method in type.Methods) { method.GenericParameters.ToList().ForEach(m => customAttributes.UnionWith(m.CustomAttributes)); method.Parameters.ToList() .ForEach(m => { if (m.HasParamDef) { customAttributes.UnionWith(m.ParamDef.CustomAttributes); } }); } } int modifiedAttributesParameters = 0; bool isAttributeModified = false; void UpdateAttributeConstructorArgument(object argument) { switch (argument) { case TypeDefOrRefSig type: if (type.IsTypeDef) { type.TypeDef.Namespace = UpdateName(type.Namespace, () => isAttributeModified = true); if (type.TypeDef.Scope is AssemblyRefUser assemblyRefUser) { assemblyRefUser.Name = UpdateName(assemblyRefUser.Name, () => isAttributeModified = true); } } else if (type.IsTypeRef) { type.TypeRef.Namespace = UpdateName(type.Namespace, () => isAttributeModified = true); if (type.TypeRef.Scope is AssemblyRefUser assemblyRefUser) { assemblyRefUser.Name = UpdateName(assemblyRefUser.Name, () => isAttributeModified = true); } } break; case GenericInstSig genericInstSig: foreach (TypeSig genericArgument in genericInstSig.GenericArguments) { UpdateAttributeConstructorArgument(genericArgument); } UpdateAttributeConstructorArgument(genericInstSig.GenericType); break; } } foreach (CustomAttribute customAttribute in customAttributes) { isAttributeModified = false; IEnumerable <CAArgument> constructorArguments = customAttribute.ConstructorArguments.Concat(customAttribute.NamedArguments.Select(na => na.Argument)); foreach (CAArgument attributeConstructorArgument in constructorArguments) { UpdateAttributeConstructorArgument(attributeConstructorArgument.Type); UpdateAttributeConstructorArgument(attributeConstructorArgument.Value); } if (isAttributeModified) { modifiedAttributesParameters++; } } Log.Info($"Modified {modifiedAttributesParameters} attribute(s)"); string outputPath; if (!String.IsNullOrWhiteSpace(_commandLineOptions.OutputAssemblyPath)) { outputPath = _commandLineOptions.OutputAssemblyPath; } else { outputPath = Path.Combine( Path.GetDirectoryName(_commandLineOptions.InputAssemblyPath) ?? "", Path.GetFileNameWithoutExtension(_commandLineOptions.InputAssemblyPath) + ".Modified" + Path.GetExtension(_commandLineOptions.InputAssemblyPath) ); } Log.Info($"Writing assembly to {outputPath}"); assembly.Write(outputPath); }
private static void Main(string[] args) { Console.Title = "Anti Decompiler Cleaner - Prab "; Console.ForegroundColor = ConsoleColor.Yellow; ModuleDefMD module = null; try { module = ModuleDefMD.Load(args[0]); Console.WriteLine("[?] File Loaded: {0}", module); foreach (var dependencies in module.GetAssemblyRefs()) { Console.WriteLine($"[?] Dependencies : {dependencies.Name}"); } } catch { Console.ForegroundColor = ConsoleColor.Red; Console.WriteLine("[^] Drag n Drop ! "); Console.ReadKey(); Environment.Exit(0); } foreach (var type in module.GetTypes()) { foreach (var method in type.Methods) { if (method != null && method.HasBody && method.Body.HasInstructions) { try { AntiDecompilerPhase.Execute(method); Console.ForegroundColor = ConsoleColor.Green; Console.WriteLine("[*] Cleaning method 0x{0:X2} {1}", method.MDToken.Raw, method.Name); } catch (Exception ex) { Console.ForegroundColor = ConsoleColor.Red; Console.WriteLine("[x] Failed to clean method {0}\n {1}", method.Name, ex.Message); } } } } var savingPath = module.Kind == ModuleKind.Dll ? args[0].Replace(".dll", "-noAnti.dll") : args[0].Replace(".exe", "-noAnti.exe"); if (module.IsILOnly) { var opts = new ModuleWriterOptions(module) { MetadataOptions = { Flags = MetadataFlags.PreserveAll }, Logger = DummyLogger.NoThrowInstance }; module.Write(savingPath, opts); } else { var opts = new NativeModuleWriterOptions(module, true) { MetadataOptions = { Flags = MetadataFlags.PreserveAll }, Logger = DummyLogger.NoThrowInstance }; module.NativeWrite(savingPath, opts); } Console.ForegroundColor = ConsoleColor.Yellow; Console.WriteLine("[+] Finished !\n[+] File Saved at : {0}", savingPath); Console.ReadLine(); }