void deobfuscateMethods() { if (savedMethodBodies != null) { savedMethodBodies.restoreAll(); savedMethodBodies = null; } deob.DeobfuscatedFile = null; if (!options.ControlFlowDeobfuscation) { // If it's the unknown type, we don't remove any types that could cause Mono.Cecil // to throw an exception. if (deob.Type == "un" || options.KeepObfuscatorTypes) { return; } } Log.v("Deobfuscating methods"); var methodPrinter = new MethodPrinter(); var cflowDeobfuscator = new BlocksCflowDeobfuscator(deob.BlocksDeobfuscators); foreach (var method in getAllMethods()) { Log.v("Deobfuscating {0} ({1:X8})", Utils.removeNewlines(method), method.MetadataToken.ToUInt32()); Log.indent(); int oldIndentLevel = Log.indentLevel; try { deobfuscate(method, cflowDeobfuscator, methodPrinter); } catch (ApplicationException) { throw; } catch (Exception ex) { if (!canLoadMethodBody(method)) { Log.v("Invalid method body. {0:X8}", method.MetadataToken.ToInt32()); method.Body = new MethodBody(method); } else { Log.w("Could not deobfuscate method {0:X8}. Hello, E.T.: {1}", // E.T. = exception type method.MetadataToken.ToInt32(), ex.GetType()); } } finally { Log.indentLevel = oldIndentLevel; } removeNoInliningAttribute(method); Log.deIndent(); } }
void deobfuscateMethods() { if (savedMethodBodies != null) { savedMethodBodies.restoreAll(); savedMethodBodies = null; } deob.DeobfuscatedFile = null; if (!options.ControlFlowDeobfuscation) { // If it's the unknown type, we don't remove any types that could cause Mono.Cecil // to throw an exception. if (deob.Type == "un" || options.KeepObfuscatorTypes) return; } Log.v("Deobfuscating methods"); var methodPrinter = new MethodPrinter(); var cflowDeobfuscator = new BlocksCflowDeobfuscator(deob.BlocksDeobfuscators); foreach (var method in allMethods) { Log.v("Deobfuscating {0} ({1:X8})", Utils.removeNewlines(method), method.MetadataToken.ToUInt32()); Log.indent(); int oldIndentLevel = Log.indentLevel; try { deobfuscate(method, cflowDeobfuscator, methodPrinter); } catch (ApplicationException) { throw; } catch (Exception ex) { if (!canLoadMethodBody(method)) { Log.v("Invalid method body. {0:X8}", method.MetadataToken.ToInt32()); method.Body = new MethodBody(method); } else { Log.w("Could not deobfuscate method {0:X8}. Hello, E.T.: {1}", // E.T. = exception type method.MetadataToken.ToInt32(), ex.GetType()); } } finally { Log.indentLevel = oldIndentLevel; } removeNoInliningAttribute(method); Log.deIndent(); } }
void deobfuscate(MethodDefinition method, BlocksCflowDeobfuscator cflowDeobfuscator, MethodPrinter methodPrinter) { if (!hasNonEmptyBody(method)) return; var blocks = new Blocks(method); int numRemovedLocals = 0; int oldNumInstructions = method.Body.Instructions.Count; deob.deobfuscateMethodBegin(blocks); if (options.ControlFlowDeobfuscation) { cflowDeobfuscator.init(blocks); cflowDeobfuscator.deobfuscate(); } if (deob.deobfuscateOther(blocks) && options.ControlFlowDeobfuscation) cflowDeobfuscator.deobfuscate(); if (options.ControlFlowDeobfuscation) { numRemovedLocals = blocks.optimizeLocals(); blocks.repartitionBlocks(); } deobfuscateStrings(blocks); deob.deobfuscateMethodEnd(blocks); IList<Instruction> allInstructions; IList<ExceptionHandler> allExceptionHandlers; blocks.getCode(out allInstructions, out allExceptionHandlers); DotNetUtils.restoreBody(method, allInstructions, allExceptionHandlers); if (numRemovedLocals > 0) Log.v("Removed {0} unused local(s)", numRemovedLocals); int numRemovedInstructions = oldNumInstructions - method.Body.Instructions.Count; if (numRemovedInstructions > 0) Log.v("Removed {0} dead instruction(s)", numRemovedInstructions); const Log.LogLevel dumpLogLevel = Log.LogLevel.veryverbose; if (Log.isAtLeast(dumpLogLevel)) { Log.log(dumpLogLevel, "Deobfuscated code:"); Log.indent(); methodPrinter.print(dumpLogLevel, allInstructions, allExceptionHandlers); Log.deIndent(); } }
void Deobfuscate(MethodDef method, BlocksCflowDeobfuscator cflowDeobfuscator, MethodPrinter methodPrinter, bool isVerbose, bool isVV) { if (!HasNonEmptyBody(method)) return; var blocks = new Blocks(method); int numRemovedLocals = 0; int oldNumInstructions = method.Body.Instructions.Count; deob.DeobfuscateMethodBegin(blocks); if (options.ControlFlowDeobfuscation) { cflowDeobfuscator.Initialize(blocks); cflowDeobfuscator.Deobfuscate(); } if (deob.DeobfuscateOther(blocks) && options.ControlFlowDeobfuscation) cflowDeobfuscator.Deobfuscate(); if (options.ControlFlowDeobfuscation) { if (CanOptimizeLocals()) numRemovedLocals = blocks.OptimizeLocals(); blocks.RepartitionBlocks(); } DeobfuscateStrings(blocks); deob.DeobfuscateMethodEnd(blocks); IList<Instruction> allInstructions; IList<ExceptionHandler> allExceptionHandlers; blocks.GetCode(out allInstructions, out allExceptionHandlers); DotNetUtils.RestoreBody(method, allInstructions, allExceptionHandlers); if (isVerbose && numRemovedLocals > 0) Logger.v("Removed {0} unused local(s)", numRemovedLocals); int numRemovedInstructions = oldNumInstructions - method.Body.Instructions.Count; if (isVerbose && numRemovedInstructions > 0) Logger.v("Removed {0} dead instruction(s)", numRemovedInstructions); if (isVV) { Logger.Log(LoggerEvent.VeryVerbose, "Deobfuscated code:"); Logger.Instance.Indent(); methodPrinter.Print(LoggerEvent.VeryVerbose, allInstructions, allExceptionHandlers); Logger.Instance.DeIndent(); } }
void DeobfuscateMethods() { if (savedMethodBodies != null) { savedMethodBodies.RestoreAll(); savedMethodBodies = null; } deob.DeobfuscatedFile = null; if (!options.ControlFlowDeobfuscation) { if (options.KeepObfuscatorTypes || deob.Type == "un") return; } bool isVerbose = !Logger.Instance.IgnoresEvent(LoggerEvent.Verbose); bool isVV = !Logger.Instance.IgnoresEvent(LoggerEvent.VeryVerbose); if (isVerbose) Logger.v("Deobfuscating methods"); var methodPrinter = new MethodPrinter(); var cflowDeobfuscator = new BlocksCflowDeobfuscator(deob.BlocksDeobfuscators); foreach (var method in GetAllMethods()) { if (isVerbose) { Logger.v("Deobfuscating {0} ({1:X8})", Utils.RemoveNewlines(method), method.MDToken.ToUInt32()); Logger.Instance.Indent(); } int oldIndentLevel = Logger.Instance.IndentLevel; try { Deobfuscate(method, cflowDeobfuscator, methodPrinter, isVerbose, isVV); } catch (Exception ex) { if (!CanLoadMethodBody(method)) { if (isVerbose) Logger.v("Invalid method body. {0:X8}", method.MDToken.ToInt32()); method.Body = new CilBody(); } else { Logger.w("Could not deobfuscate method {0:X8}. Hello, E.T.: {1}", // E.T. = exception type method.MDToken.ToInt32(), ex.GetType()); } } finally { Logger.Instance.IndentLevel = oldIndentLevel; } RemoveNoInliningAttribute(method); if (isVerbose) Logger.Instance.DeIndent(); } }
void Deobfuscate(MethodDef method, BlocksCflowDeobfuscator cflowDeobfuscator, MethodPrinter methodPrinter, bool isVerbose, bool isVV) { if (!HasNonEmptyBody(method)) { return; } var blocks = new Blocks(method); int numRemovedLocals = 0; int oldNumInstructions = method.Body.Instructions.Count; deob.DeobfuscateMethodBegin(blocks); if (options.ControlFlowDeobfuscation) { cflowDeobfuscator.Initialize(blocks); cflowDeobfuscator.Deobfuscate(); } if (deob.DeobfuscateOther(blocks) && options.ControlFlowDeobfuscation) { cflowDeobfuscator.Deobfuscate(); } if (options.ControlFlowDeobfuscation) { if (CanOptimizeLocals()) { numRemovedLocals = blocks.OptimizeLocals(); } blocks.RepartitionBlocks(); } DeobfuscateStrings(blocks); deob.DeobfuscateMethodEnd(blocks); IList <Instruction> allInstructions; IList <ExceptionHandler> allExceptionHandlers; blocks.GetCode(out allInstructions, out allExceptionHandlers); DotNetUtils.RestoreBody(method, allInstructions, allExceptionHandlers); if (isVerbose && numRemovedLocals > 0) { Logger.v("Removed {0} unused local(s)", numRemovedLocals); } int numRemovedInstructions = oldNumInstructions - method.Body.Instructions.Count; if (isVerbose && numRemovedInstructions > 0) { Logger.v("Removed {0} dead instruction(s)", numRemovedInstructions); } if (isVV) { Logger.Log(LoggerEvent.VeryVerbose, "Deobfuscated code:"); Logger.Instance.Indent(); methodPrinter.Print(LoggerEvent.VeryVerbose, allInstructions, allExceptionHandlers); Logger.Instance.DeIndent(); } }
void DeobfuscateMethods() { if (savedMethodBodies != null) { savedMethodBodies.RestoreAll(); savedMethodBodies = null; } deob.DeobfuscatedFile = null; if (!options.ControlFlowDeobfuscation) { if (options.KeepObfuscatorTypes || deob.Type == "un") { return; } } bool isVerbose = !Logger.Instance.IgnoresEvent(LoggerEvent.Verbose); bool isVV = !Logger.Instance.IgnoresEvent(LoggerEvent.VeryVerbose); if (isVerbose) { Logger.v("Deobfuscating methods"); } var methodPrinter = new MethodPrinter(); var cflowDeobfuscator = new BlocksCflowDeobfuscator(deob.BlocksDeobfuscators); foreach (var method in GetAllMethods()) { if (isVerbose) { Logger.v("Deobfuscating {0} ({1:X8})", Utils.RemoveNewlines(method), method.MDToken.ToUInt32()); Logger.Instance.Indent(); } int oldIndentLevel = Logger.Instance.IndentLevel; try { Deobfuscate(method, cflowDeobfuscator, methodPrinter, isVerbose, isVV); } catch (Exception ex) { if (!CanLoadMethodBody(method)) { if (isVerbose) { Logger.v("Invalid method body. {0:X8}", method.MDToken.ToInt32()); } method.Body = new CilBody(); } else { Logger.w("Could not deobfuscate method {0:X8}. Hello, E.T.: {1}", // E.T. = exception type method.MDToken.ToInt32(), ex.GetType()); } } finally { Logger.Instance.IndentLevel = oldIndentLevel; } RemoveNoInliningAttribute(method); if (isVerbose) { Logger.Instance.DeIndent(); } } }
void deobfuscate(MethodDefinition method, BlocksCflowDeobfuscator cflowDeobfuscator, MethodPrinter methodPrinter) { if (!hasNonEmptyBody(method)) { return; } var blocks = new Blocks(method); int numRemovedLocals = 0; int oldNumInstructions = method.Body.Instructions.Count; deob.deobfuscateMethodBegin(blocks); if (options.ControlFlowDeobfuscation) { cflowDeobfuscator.init(blocks); cflowDeobfuscator.deobfuscate(); } if (deob.deobfuscateOther(blocks) && options.ControlFlowDeobfuscation) { cflowDeobfuscator.deobfuscate(); } if (options.ControlFlowDeobfuscation) { numRemovedLocals = blocks.optimizeLocals(); blocks.repartitionBlocks(); } deobfuscateStrings(blocks); deob.deobfuscateMethodEnd(blocks); IList <Instruction> allInstructions; IList <ExceptionHandler> allExceptionHandlers; blocks.getCode(out allInstructions, out allExceptionHandlers); DotNetUtils.restoreBody(method, allInstructions, allExceptionHandlers); if (numRemovedLocals > 0) { Log.v("Removed {0} unused local(s)", numRemovedLocals); } int numRemovedInstructions = oldNumInstructions - method.Body.Instructions.Count; if (numRemovedInstructions > 0) { Log.v("Removed {0} dead instruction(s)", numRemovedInstructions); } const Log.LogLevel dumpLogLevel = Log.LogLevel.veryverbose; if (Log.isAtLeast(dumpLogLevel)) { Log.log(dumpLogLevel, "Deobfuscated code:"); Log.indent(); methodPrinter.print(dumpLogLevel, allInstructions, allExceptionHandlers); Log.deIndent(); } }