public static void DeobfuscateFlow(TestDeobfOptions options, MethodDefinition method)
{
if (options == null || options.Rows == null || options.Rows.Length == 0) return;
TestDeobfuscator deobf = new TestDeobfuscator(options);
deobf.DeobfFlow(options.Rows[0], method);
}
public void Reflector65_FullTest()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Reflector.6.5.exe" };
options.ApplyFrom("Name, String and Boolean Function");
TestDeobfuscator deobf = new TestDeobfuscator(options);
deobf.Go();
string outputFile = options.OutputFiles[0];
TestDeobfOptions options2 = new TestDeobfOptions();
options2.SourceDir = Path.GetDirectoryName(outputFile);
options2.Rows = new string[] { outputFile };
options2.ApplyFrom("Flow without Boolean Function");
options2.LoopCount = 3;
//options2.chkReflectorFixChecked = true;
options2.ExceptionHandlerFile = new ExceptionHandlerFile(ExceptionHandlerFile.Default.FileName);
options2.ExceptionHandlerFile.Keywords.Add("NS006.c000021::m000");
TestDeobfuscator deobf2 = new TestDeobfuscator(options2);
deobf2.Go();
string outputFile2 = options2.OutputFiles[0];
TestUtils.CheckAndOutput(new string[] { outputFile2 },
new string[] { TestUtils.ObfuscatedCommentText, TestUtils.ObfuscatedForeachText }
);
Utils.DeleteFile(outputFile);
Utils.DeleteFile(outputFile2);
}
public void Test022()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Assembly022.dll" };
options.ApplyFrom("Default");
options.chkDelegateCallChecked = true;
TestDeobfuscator deobf = new TestDeobfuscator(options);
deobf.Go();
string outputFile = options.OutputFiles[0];
TestDeobfOptions options2 = new TestDeobfOptions();
options2.SourceDir = Path.GetDirectoryName(outputFile);
options2.Rows = new string[] { outputFile };
options2.ApplyFrom("Flow without Boolean Function");
options2.LoopCount = 2;
options2.ExceptionHandlerFile = new ExceptionHandlerFile(ExceptionHandlerFile.Default.FileName);
options2.ExceptionHandlerFile.Keywords.Add("NS004.c00003e::m000");
TestDeobfuscator deobf2 = new TestDeobfuscator(options2);
deobf2.Go();
string outputFile2 = options2.OutputFiles[0];
TestUtils.CheckAndOutput(new string[] { outputFile2 },
new string[] { TestUtils.ObfuscatedCommentText,
TestUtils.ObfuscatedForeachText }
);
AssemblyDefinition ad = AssemblyDefinition.ReadAssembly(outputFile2);
string typeName = "NS012.c0000cb";
TypeDefinition td = TestUtils.FindType(ad, typeName);
Assert.IsNotNull(td, "Failed to find type: " + typeName);
string methodName = "m00002e";
MethodDefinition md = TestUtils.FindMethod(td, methodName,
new string[] { "System.String" }, "System.String");
Assert.IsNotNull(md, "Failed to find method: " + methodName);
Collection <Instruction> instructions = md.Body.Instructions;
Instruction ins1 = instructions[1];
Assert.AreEqual(Code.Ldstr, ins1.OpCode.Code, "Unexpected opcode " + ins1.OpCode.Code.ToString());
Assert.AreEqual(@"Software\Red Gate\", ins1.Operand, "Unexpected operand " + ins1.Operand as string);
Instruction ins2 = instructions[2];
Assert.AreEqual(Code.Callvirt, ins2.OpCode.Code, "Unexpected opcode " + ins2.OpCode.Code.ToString());
Assert.AreEqual(@"Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String)", ins2.Operand.ToString(), "Unexpected operand " + ins2.Operand as string);
Utils.DeleteFile(outputFile);
Utils.DeleteFile(outputFile2);
}
public static void DeobfuscateFlow(TestDeobfOptions options, MethodDefinition method)
{
if (options == null || options.Rows == null || options.Rows.Length == 0)
{
return;
}
TestDeobfuscator deobf = new TestDeobfuscator(options);
deobf.DeobfFlow(options.Rows[0], method);
}
public void Test020()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Assembly020.exe" };
options.ApplyFrom("Default");
options.chkAutoStringChecked = false;
options.chkBoolFunctionChecked = false;
TestDeobfuscator deobf = new TestDeobfuscator(options);
deobf.Go();
List <MethodDeclarationInfo> list = TestUtils.FindMethods(options.OutputFiles,
new string[] { TestUtils.ObfuscatedCommentText },
null);
int unexpected = 0;
int expected = 0;
foreach (MethodDeclarationInfo mdi in list)
{
switch (mdi.MethodDeclaration.Token)
{
case 0x06000012:
//case 0x06000155:
case 0x06000199:
case 0x060001ce:
case 0x060001cf:
case 0x06000774:
//use branch only
expected++;
break;
case 0x060003ad:
//case 0x06000413:
//use brach only 2 + conditional brach 2
expected++;
break;
default:
TestUtils.Output(mdi, null);
unexpected++;
break;
}
}
TestUtils.AssertFail(6, expected, unexpected);
string outputFile = options.OutputFiles[0];
Utils.DeleteFile(outputFile);
}
public void Test021()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Assembly021.exe" };
options.ApplyFrom("Flow without Boolean Function");
TestDeobfuscator deobf = new TestDeobfuscator(options);
deobf.Go();
TestUtils.CheckAndOutput(options.OutputFiles);
Utils.DeleteFile(options.OutputFiles);
}
public void Test021()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Assembly021.exe" };
options.ApplyFrom("Flow without Boolean Function");
TestDeobfuscator deobf = new TestDeobfuscator(options);
deobf.Go();
TestUtils.CheckAndOutput(options.OutputFiles);
Utils.DeleteFile(options.OutputFiles);
}
public static void Deobfuscate(TestDeobfOptions options)
{
if (options == null || options.Rows == null || options.Rows.Length == 0) return;
TestDeobfuscator deobf = new TestDeobfuscator(options);
deobf.Go();
if (deobf.Errors.Count > 0)
{
foreach (DeobfError de in deobf.Errors)
{
Utils.ConsoleOutput("{0}\r\n\r\n", de.ToString());
}
Assert.AreEqual(0, deobf.Errors.Count, "Deobfuscate error found.");
}
}
public void Test002()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Assembly002.exe" };
options.ApplyFrom("Default");
TestDeobfuscator deobf = new TestDeobfuscator(options);
deobf.Go();
string outputFile = options.OutputFiles[0];
Utils.DeleteFile(outputFile);
}
public void Test024()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Assembly024.exe" };
options.ApplyFrom("Name and String");
options.chkDirectCallChecked = true;
TestDeobfuscator deobf = new TestDeobfuscator(options);
deobf.Go();
string outputFile = options.OutputFiles[0];
AssemblyDefinition ad = AssemblyDefinition.ReadAssembly(outputFile);
string typeName;
TypeDefinition td;
MethodDefinition md;
//duplicate property name
typeName = "NS014.c000031";
td = TestUtils.FindType(ad, typeName);
Assert.IsNotNull(td, "Failed to find type: " + typeName);
Assert.AreEqual(5, td.Properties.Count);
Assert.AreEqual("p000001", td.Properties[0].Name);
Assert.AreEqual("p00002e", td.Properties[1].Name);
Assert.AreEqual("p00002f", td.Properties[2].Name);
Assert.AreEqual("p000030", td.Properties[3].Name);
Assert.AreEqual("p000031", td.Properties[4].Name);
//direct call
typeName = "NS002.c000047";
td = TestUtils.FindType(ad, typeName);
Assert.IsNotNull(td, "Failed to find type: " + typeName);
md = TestUtils.FindMethod(td, ".cctor", null, null);
Assert.IsNotNull(td, "Failed to find .cctor: " + typeName);
Collection <Instruction> ic = md.Body.Instructions;
Assert.AreEqual(15, ic.Count);
Assert.AreEqual("System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle)", ic[6].Operand.ToString());
Assert.AreEqual("System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle)", ic[12].Operand.ToString());
TestUtils.CheckAndOutput(options.OutputFiles);
Utils.DeleteFile(options.OutputFiles);
}
public static void Deobfuscate(TestDeobfOptions options)
{
if (options == null || options.Rows == null || options.Rows.Length == 0)
{
return;
}
TestDeobfuscator deobf = new TestDeobfuscator(options);
deobf.Go();
if (deobf.Errors.Count > 0)
{
foreach (DeobfError de in deobf.Errors)
{
Utils.ConsoleOutput("{0}\r\n\r\n", de.ToString());
}
Assert.AreEqual(0, deobf.Errors.Count, "Deobfuscate error found.");
}
}
public void Test019()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Assembly019.dll" };
options.ApplyFrom("Flow");
options.chkRemoveAttributeChecked = true;
options.AttributeFile = new AttributeFile(AttributeFile.Default.FileName);
options.AttributeFile.AllLevelStrings.Add("0x02000068");
TestDeobfuscator deobf = new TestDeobfuscator(options);
deobf.Go();
string outputFile = options.OutputFiles[0];
TestUtils.CheckAndOutput(new string[] { outputFile });
Utils.DeleteFile(outputFile);
}
public void Test001()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Assembly001.exe" };
options.ApplyFrom("Flow");
options.chkRemoveAttributeChecked = true;
options.AttributeFile = new AttributeFile(AttributeFile.Default.FileName);
options.AttributeFile.AllLevelStrings.Add("cvi4cGFBAypGRlpQZB");
TestDeobfuscator deobf = new TestDeobfuscator(options);
deobf.Go();
string outputFile = options.OutputFiles[0];
TestUtils.CheckAndOutput(new string[] { outputFile },
new string[] { TestUtils.ObfuscatedCommentText },
new string[] { "AMGtDMpoFL3aEFIsnt", "HKE8WcJreWA12f9Lr8" }
);
Utils.DeleteFile(outputFile);
}
public void Test002()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Assembly002.exe" };
options.ApplyFrom("Default");
TestDeobfuscator deobf = new TestDeobfuscator(options);
deobf.Go();
string outputFile = options.OutputFiles[0];
Utils.DeleteFile(outputFile);
}
public void Test020()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Assembly020.exe" };
options.ApplyFrom("Default");
options.chkAutoStringChecked = false;
options.chkBoolFunctionChecked = false;
TestDeobfuscator deobf = new TestDeobfuscator(options);
deobf.Go();
List<MethodDeclarationInfo> list = TestUtils.FindMethods(options.OutputFiles,
new string[] { TestUtils.ObfuscatedCommentText },
null);
int unexpected = 0;
int expected = 0;
foreach (MethodDeclarationInfo mdi in list)
{
switch (mdi.MethodDeclaration.Token)
{
case 0x06000012:
//case 0x06000155:
case 0x06000199:
case 0x060001ce:
case 0x060001cf:
case 0x06000774:
//use branch only
expected++;
break;
case 0x060003ad:
//case 0x06000413:
//use brach only 2 + conditional brach 2
expected++;
break;
default:
TestUtils.Output(mdi, null);
unexpected++;
break;
}
}
TestUtils.AssertFail(6, expected, unexpected);
string outputFile = options.OutputFiles[0];
Utils.DeleteFile(outputFile);
}
public void Test001()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Assembly001.exe" };
options.ApplyFrom("Flow");
options.chkRemoveAttributeChecked = true;
options.AttributeFile = new AttributeFile(AttributeFile.Default.FileName);
options.AttributeFile.AllLevelStrings.Add("cvi4cGFBAypGRlpQZB");
TestDeobfuscator deobf = new TestDeobfuscator(options);
deobf.Go();
string outputFile = options.OutputFiles[0];
TestUtils.CheckAndOutput(new string[] { outputFile },
new string[] { TestUtils.ObfuscatedCommentText },
new string[] { "AMGtDMpoFL3aEFIsnt", "HKE8WcJreWA12f9Lr8" }
);
Utils.DeleteFile(outputFile);
}
public void Test022()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Assembly022.dll" };
options.ApplyFrom("Default");
options.chkDelegateCallChecked = true;
TestDeobfuscator deobf = new TestDeobfuscator(options);
deobf.Go();
string outputFile = options.OutputFiles[0];
TestDeobfOptions options2 = new TestDeobfOptions();
options2.SourceDir = Path.GetDirectoryName(outputFile);
options2.Rows = new string[] { outputFile };
options2.ApplyFrom("Flow without Boolean Function");
options2.LoopCount = 2;
options2.ExceptionHandlerFile = new ExceptionHandlerFile(ExceptionHandlerFile.Default.FileName);
options2.ExceptionHandlerFile.Keywords.Add("NS004.c00003e::m000");
TestDeobfuscator deobf2 = new TestDeobfuscator(options2);
deobf2.Go();
string outputFile2 = options2.OutputFiles[0];
TestUtils.CheckAndOutput(new string[] { outputFile2 },
new string[] { TestUtils.ObfuscatedCommentText,
TestUtils.ObfuscatedForeachText }
);
AssemblyDefinition ad = AssemblyDefinition.ReadAssembly(outputFile2);
string typeName = "NS012.c0000cb";
TypeDefinition td = TestUtils.FindType(ad, typeName);
Assert.IsNotNull(td, "Failed to find type: " + typeName);
string methodName = "m00002e";
MethodDefinition md = TestUtils.FindMethod(td, methodName,
new string[] { "System.String" }, "System.String");
Assert.IsNotNull(md, "Failed to find method: " + methodName);
Collection<Instruction> instructions = md.Body.Instructions;
Instruction ins1 = instructions[1];
Assert.AreEqual(Code.Ldstr, ins1.OpCode.Code, "Unexpected opcode " + ins1.OpCode.Code.ToString());
Assert.AreEqual(@"Software\Red Gate\", ins1.Operand, "Unexpected operand " + ins1.Operand as string);
Instruction ins2 = instructions[2];
Assert.AreEqual(Code.Callvirt, ins2.OpCode.Code, "Unexpected opcode " + ins2.OpCode.Code.ToString());
Assert.AreEqual(@"Microsoft.Win32.RegistryKey Microsoft.Win32.RegistryKey::OpenSubKey(System.String)", ins2.Operand.ToString(), "Unexpected operand " + ins2.Operand as string);
Utils.DeleteFile(outputFile);
Utils.DeleteFile(outputFile2);
}
public void Test024()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Assembly024.exe" };
options.ApplyFrom("Name and String");
options.chkDirectCallChecked = true;
TestDeobfuscator deobf = new TestDeobfuscator(options);
deobf.Go();
string outputFile = options.OutputFiles[0];
AssemblyDefinition ad = AssemblyDefinition.ReadAssembly(outputFile);
string typeName;
TypeDefinition td;
MethodDefinition md;
//duplicate property name
typeName = "NS014.c000031";
td = TestUtils.FindType(ad, typeName);
Assert.IsNotNull(td, "Failed to find type: " + typeName);
Assert.AreEqual(5, td.Properties.Count);
Assert.AreEqual("p000001", td.Properties[0].Name);
Assert.AreEqual("p00002e", td.Properties[1].Name);
Assert.AreEqual("p00002f", td.Properties[2].Name);
Assert.AreEqual("p000030", td.Properties[3].Name);
Assert.AreEqual("p000031", td.Properties[4].Name);
//direct call
typeName = "NS002.c000047";
td = TestUtils.FindType(ad, typeName);
Assert.IsNotNull(td, "Failed to find type: " + typeName);
md = TestUtils.FindMethod(td, ".cctor", null, null);
Assert.IsNotNull(td, "Failed to find .cctor: " + typeName);
Collection<Instruction> ic = md.Body.Instructions;
Assert.AreEqual(15, ic.Count);
Assert.AreEqual("System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle)", ic[6].Operand.ToString());
Assert.AreEqual("System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle)", ic[12].Operand.ToString());
TestUtils.CheckAndOutput(options.OutputFiles);
Utils.DeleteFile(options.OutputFiles);
}
public void Reflector70_FullTest()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Reflector.7.0.exe" };
options.ApplyFrom("Default");
options.LoopCount = 2;
options.chkDelegateCallChecked = true;
options.IgnoredMethodFile.Regexes.Add(new Regex("0x060000c3")); //for 7.0
TestDeobfuscator deobf = new TestDeobfuscator(options);
deobf.Go();
string outputFile = options.OutputFiles[0];
TestDeobfOptions options2 = new TestDeobfOptions();
options2.SourceDir = Path.GetDirectoryName(outputFile);
options2.Rows = new string[] { outputFile };
options2.ApplyFrom("Flow without Boolean Function");
options2.LoopCount = 2;
options2.chkReflectorFixChecked = true;
options2.ExceptionHandlerFile = new ExceptionHandlerFile(ExceptionHandlerFile.Default.FileName);
options2.ExceptionHandlerFile.Keywords.Add("NS011.c000065::m000");
TestDeobfuscator deobf2 = new TestDeobfuscator(options2);
deobf2.Go();
string outputFile2 = options2.OutputFiles[0];
List<MethodDeclarationInfo> list = TestUtils.FindMethods(
new string[] { outputFile2 },
new string[] { TestUtils.ObfuscatedCommentText, TestUtils.ObfuscatedForeachText },
null);
int unexpected = 0;
int expected = 0;
foreach (MethodDeclarationInfo mdi in list)
{
switch (mdi.MethodDeclaration.Token)
{
//case 0x060008ef:
//c000183.m0003ea(Int32) : Int32 (0x060008ef):
//use cond branch (up) once at last
//expected++;
//break;
default:
TestUtils.Output(mdi, null);
unexpected++;
break;
}
}
TestUtils.AssertFail(0, expected, unexpected);
Utils.DeleteFile(outputFile);
Utils.DeleteFile(outputFile2);
}
public void Test019()
{
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Assembly019.dll" };
options.ApplyFrom("Flow");
options.chkRemoveAttributeChecked = true;
options.AttributeFile = new AttributeFile(AttributeFile.Default.FileName);
options.AttributeFile.AllLevelStrings.Add("0x02000068");
TestDeobfuscator deobf = new TestDeobfuscator(options);
deobf.Go();
string outputFile = options.OutputFiles[0];
TestUtils.CheckAndOutput(new string[] { outputFile });
Utils.DeleteFile(outputFile);
}
public void Reflector74_FullTest()
{
//ensure to load default reflector at first
SimpleReflector dummy = SimpleReflector.Default;
TestDeobfOptions options = new TestDeobfOptions();
options.Rows = new string[] { "Reflector.7.4.exe" };
options.ApplyFrom("Default");
options.LoopCount = 2;
options.chkDelegateCallChecked = true;
options.IgnoredMethodFile.Regexes.Add(new Regex("RedGate.Licensing"));
options.IgnoredMethodFile.Regexes.Add(new Regex("ReflectorCustomDialog"));
TestDeobfuscator deobf = new TestDeobfuscator(options);
deobf.Go();
string outputFile = options.OutputFiles[0];
TestDeobfOptions options2 = new TestDeobfOptions();
options2.SourceDir = Path.GetDirectoryName(outputFile);
options2.Rows = new string[] { outputFile };
options2.ApplyFrom("Flow without Boolean Function");
options2.LoopCount = 2;
options2.chkReflectorFixChecked = true;
options2.ExceptionHandlerFile = new ExceptionHandlerFile(ExceptionHandlerFile.Default.FileName);
options2.ExceptionHandlerFile.Keywords.Add("NS011.c000065::m000");
TestDeobfuscator deobf2 = new TestDeobfuscator(options2);
deobf2.Go();
string outputFile2 = options2.OutputFiles[0];
List<MethodDeclarationInfo> list = TestUtils.FindMethods(
new string[] { outputFile2 },
new string[] { TestUtils.ObfuscatedCommentText, TestUtils.ObfuscatedForeachText },
null);
int unexpected = 0;
int expected = 0;
foreach (MethodDeclarationInfo mdi in list)
{
switch (mdi.MethodDeclaration.Token)
{
//Edit 2012-12-26: fixed in .Net Reflector 7.7
//case 0x060019ee:
//case 0x0600195b:
//TODO: find reason? or use ILSpy
//Non-matching stack heights
//expected++;
//break;
default:
TestUtils.Output(mdi, null);
unexpected++;
break;
}
}
TestUtils.AssertFail(0, expected, unexpected);
Utils.DeleteFile(outputFile);
Utils.DeleteFile(outputFile2);
}
