/// <summary>
/// Wires up static string inlining for <paramref name="module"/> using a single
/// string-decrypter method.
/// </summary>
/// <param name="module">Module handed to the CliSecureRtType and StringDecrypter helpers.</param>
public MyDeobfuscator(ModuleDefMD module) {
	// Find is called with null here; no module bytes are supplied on this path.
	cliSecureRtType = new CliSecureRtType(module);
	cliSecureRtType.Find(null);

	stringDecrypter = new StringDecrypter(module, cliSecureRtType.StringDecrypterMethod);
	stringDecrypter.Find();

	// The decrypter method is looked up a second time after stringDecrypter.Find(),
	// and whatever the runtime type reports then overrides stringDecrypter.Method.
	cliSecureRtType.FindStringDecrypterMethod();
	stringDecrypter.Method = cliSecureRtType.StringDecrypterMethod;

	// NOTE(review): the first call argument is cast to string without a type check, so a
	// non-string value would raise InvalidCastException inside the handler. Presumably the
	// inliner only passes resolved string constants; confirm against staticStringInliner.
	staticStringInliner.Add(stringDecrypter.Method, (calledMethod, genericInstance, callArgs) => {
		var encrypted = (string)callArgs[0];
		return stringDecrypter.Decrypt(encrypted);
	});
}
/// <summary>
/// Wires up static string inlining for <paramref name="module"/>, registering one
/// inliner handler per string-decrypter info.
/// </summary>
/// <param name="module">Module handed to the CliSecureRtType and StringDecrypter helpers.</param>
public MyDeobfuscator(ModuleDefMD module) {
	// Find is called with null here; no module bytes are supplied on this path.
	cliSecureRtType = new CliSecureRtType(module);
	cliSecureRtType.Find(null);

	stringDecrypter = new StringDecrypter(module, cliSecureRtType.StringDecrypterInfos);
	stringDecrypter.Find();

	// A second lookup on the runtime type runs after stringDecrypter.Find(); its infos are
	// added to the decrypter before Initialize() is called.
	cliSecureRtType.FindStringDecrypterMethod();
	stringDecrypter.AddDecrypterInfos(cliSecureRtType.StringDecrypterInfos);
	stringDecrypter.Initialize();

	// NOTE(review): the first call argument is cast to string without a type check, so a
	// non-string value would raise InvalidCastException inside the handler. Presumably the
	// inliner only passes resolved string constants; confirm against staticStringInliner.
	foreach (var decrypterInfo in stringDecrypter.StringDecrypterInfos) {
		staticStringInliner.Add(decrypterInfo.Method, (calledMethod, genericInstance, callArgs) => {
			var encrypted = (string)callArgs[0];
			return stringDecrypter.Decrypt(encrypted);
		});
	}
}
/// <summary>
/// Prepares string decryption for <paramref name="module"/> and registers every known
/// decrypter method with the static string inliner.
/// </summary>
/// <param name="module">Module handed to the CliSecureRtType and StringDecrypter helpers.</param>
public MyDeobfuscator(ModuleDefMD module) {
	// Runtime-type lookup; null is passed where other callers may pass module bytes.
	cliSecureRtType = new CliSecureRtType(module);
	cliSecureRtType.Find(null);

	// The decrypter is seeded with the infos the runtime type has at this point.
	stringDecrypter = new StringDecrypter(module, cliSecureRtType.StringDecrypterInfos);
	stringDecrypter.Find();

	// Infos found by the second runtime-type lookup are merged in before Initialize().
	cliSecureRtType.FindStringDecrypterMethod();
	stringDecrypter.AddDecrypterInfos(cliSecureRtType.StringDecrypterInfos);
	stringDecrypter.Initialize();

	foreach (var decrypterInfo in stringDecrypter.StringDecrypterInfos) {
		// NOTE(review): unchecked cast of the first argument; a non-string value would throw
		// InvalidCastException here. Presumably only string constants reach this handler; confirm.
		staticStringInliner.Add(decrypterInfo.Method, (calledMethod, genericInstance, callArgs) => {
			var encrypted = (string)callArgs[0];
			return stringDecrypter.Decrypt(encrypted);
		});
	}
}
/// <summary>
/// Detection pass: creates one finder object per CliSecure feature and runs its lookup.
/// The statement order is significant: the StringDecrypter is built from
/// cliSecureRtType.StringDecrypterInfos, which is read only after cliSecureRtType.Find has run.
/// </summary>
protected override void ScanForObfuscator() {
	FindCliSecureAttribute();

	// Runtime type lookup is given the raw module bytes (ModuleBytes).
	cliSecureRtType = new CliSecureRtType(module);
	cliSecureRtType.Find(ModuleBytes);

	// String decrypter, seeded with whatever infos the runtime type exposes at this point.
	stringDecrypter = new StringDecrypter(module, cliSecureRtType.StringDecrypterInfos);
	stringDecrypter.Find();

	resourceDecrypter = new ResourceDecrypter(module);
	resourceDecrypter.Find();

	// Only the delegate creator is searched for here.
	proxyCallFixer = new ProxyCallFixer(module);
	proxyCallFixer.FindDelegateCreator();

	// Two CSVM handlers (vm.v1 and vm.v2) are both probed against the same module.
	csvmV1 = new vm.v1.Csvm(DeobfuscatedFile.DeobfuscatorContext, module);
	csvmV1.Find();
	csvmV2 = new vm.v2.Csvm(DeobfuscatedFile.DeobfuscatorContext, module);
	csvmV2.Find();
}
/// <summary>
/// Detection pass: creates one finder object per CliSecure feature and runs its lookup.
/// The statement order is significant: the StringDecrypter is built from
/// cliSecureRtType.StringDecrypterMethod, which is read only after cliSecureRtType.find has run.
/// </summary>
protected override void scanForObfuscator() {
	findCliSecureAttribute();

	// Runtime type lookup is given the raw module bytes (ModuleBytes).
	cliSecureRtType = new CliSecureRtType(module);
	cliSecureRtType.find(ModuleBytes);

	// String decrypter, seeded with the single decrypter method the runtime type exposes.
	stringDecrypter = new StringDecrypter(module, cliSecureRtType.StringDecrypterMethod);
	stringDecrypter.find();

	resourceDecrypter = new ResourceDecrypter(module);
	resourceDecrypter.find();

	// Only the delegate creator is searched for here.
	proxyCallFixer = new ProxyCallFixer(module);
	proxyCallFixer.findDelegateCreator();

	// A single CSVM handler is probed in this variant.
	csvm = new vm.Csvm(DeobfuscatedFile.DeobfuscatorContext, module);
	csvm.find();
}
/// <summary>
/// Builds a six-byte IL stub that calls the runtime type's InitializeMethod and returns.
/// </summary>
/// <param name="csRtType">Runtime type whose InitializeMethod token is embedded in the stub.</param>
/// <returns>
/// The bytes 0x28 (call), the 32-bit metadata token written low byte first, then 0x2A (ret);
/// or null when <paramref name="csRtType"/> has no InitializeMethod.
/// </returns>
static byte[] GetModuleCctorBytes(CliSecureRtType csRtType) {
	var initMethod = csRtType.InitializeMethod;
	if (initMethod == null) {
		return null;
	}

	uint token = initMethod.MDToken.ToUInt32();
	// NOTE(review): going by the method name, this stub is presumably used as a replacement
	// module .cctor body, meaning the protector's own initializer gets invoked; confirm at the caller.
	return new byte[] {
		0x28,                 // call
		(byte)token,
		(byte)(token >> 8),
		(byte)(token >> 16),
		(byte)(token >> 24),
		0x2A,                 // ret
	};
}
/// <summary>
/// Decrypts the module's methods, falling back to dynamic method decryption when the
/// attempt made by Decrypt2 reports an error.
/// </summary>
/// <param name="peImage">PE image stored on this instance before decrypting.</param>
/// <param name="module">Module stored on this instance and passed to the dynamic fallback.</param>
/// <param name="csRtType">Runtime type stored on this instance; source of the fallback's call stub.</param>
/// <param name="dumpedMethods">Passed by reference to Decrypt2; replaced by the fallback's result on the error path.</param>
/// <returns>
/// true when Decrypt2 reports Decrypted or when the dynamic fallback was used;
/// false when Decrypt2 reports NotEncrypted.
/// </returns>
/// <exception cref="ApplicationException">Decrypt2 returned a value outside the three handled results.</exception>
public bool Decrypt(MyPEImage peImage, ModuleDefMD module, CliSecureRtType csRtType, ref DumpedMethods dumpedMethods) {
	this.peImage = peImage;
	this.csRtType = csRtType;
	this.module = module;

	var outcome = Decrypt2(ref dumpedMethods);
	if (outcome == DecryptResult.Decrypted) {
		return true;
	}
	if (outcome == DecryptResult.NotEncrypted) {
		return false;
	}
	if (outcome != DecryptResult.Error) {
		throw new ApplicationException("Invalid DecryptResult");
	}

	// Error path: the only trace of the switch to dynamic decryption is this log line, and
	// the method still returns true afterwards.
	// NOTE(review): the stub from GetModuleCctorBytes is "call InitializeMethod; ret", so this
	// path presumably runs the protected module's own initialization code instead of analysing
	// it statically. If so, untrusted samples should only be processed in an isolated VM or
	// sandbox; confirm against MethodsDecrypter.
	// NOTE(review): GetModuleCctorBytes returns null when there is no InitializeMethod and that
	// null is forwarded unchecked; verify that MethodsDecrypter.Decrypt accepts it.
	Logger.n("Using dynamic method decryption");
	dumpedMethods = de4dot.code.deobfuscators.MethodsDecrypter.Decrypt(module, GetModuleCctorBytes(csRtType));
	return true;
}
/// <summary>
/// Detection pass: creates one finder object per CliSecure feature and runs its lookup.
/// The statement order is significant: the StringDecrypter is built from
/// cliSecureRtType.StringDecrypterMethod, which is read only after cliSecureRtType.find has run.
/// </summary>
protected override void scanForObfuscator() {
	findCliSecureAttribute();

	// Runtime type lookup takes no arguments in this variant.
	cliSecureRtType = new CliSecureRtType(module);
	cliSecureRtType.find();

	// String decrypter, seeded with the single decrypter method the runtime type exposes.
	stringDecrypter = new StringDecrypter(module, cliSecureRtType.StringDecrypterMethod);
	stringDecrypter.find();

	// Only the delegate creator is searched for here.
	proxyDelegateFinder = new ProxyDelegateFinder(module);
	proxyDelegateFinder.findDelegateCreator();
}