Esempi di codice in C# (CSharp) per DecrypterInfo

Esempio n. 1

0

Mostra file

        static bool FindKey0_v18_r75369(DecrypterInfo info)
        {
            var instrs = info.method.Body.Instructions;

            for (int i = 0; i < instrs.Count - 4; i++)
            {
                if (!instrs[i].IsLdloc())
                {
                    continue;
                }
                if (instrs[i + 1].OpCode.Code != Code.Xor)
                {
                    continue;
                }
                var ldci4 = instrs[i + 2];
                if (!ldci4.IsLdcI4())
                {
                    continue;
                }
                if (instrs[i + 3].OpCode.Code != Code.Conv_U8)
                {
                    continue;
                }
                if (instrs[i + 4].OpCode.Code != Code.Mul)
                {
                    continue;
                }

                info.key0 = (uint)ldci4.GetLdcI4Value();
                return(true);
            }
            return(false);
        }

Esempio n. 2

0

Mostra file

        bool FindKeys(DecrypterInfo info)
        {
            switch (version)
            {
            case ConfuserVersion.v18_r75367_normal:
            case ConfuserVersion.v18_r75367_dynamic:
            case ConfuserVersion.v18_r75367_native:
                return(FindKeys_v18_r75367(info));

            case ConfuserVersion.v18_r75369_normal:
            case ConfuserVersion.v18_r75369_dynamic:
            case ConfuserVersion.v18_r75369_native:
            case ConfuserVersion.v19_r77172_normal:
            case ConfuserVersion.v19_r77172_dynamic:
            case ConfuserVersion.v19_r77172_native:
            case ConfuserVersion.v19_r78056_normal:
            case ConfuserVersion.v19_r78056_dynamic:
            case ConfuserVersion.v19_r78056_native:
            case ConfuserVersion.v19_r78363_normal:
            case ConfuserVersion.v19_r78363_dynamic:
            case ConfuserVersion.v19_r78363_native:
            case ConfuserVersion.v19_r79630_normal:
            case ConfuserVersion.v19_r79630_dynamic:
            case ConfuserVersion.v19_r79630_native:
                return(FindKeys_v18_r75369(info));

            default:
                throw new ApplicationException("Invalid version");
            }
        }

Esempio n. 3

0

Mostra file

        protected byte[] DecryptConstant_v17_r73740_dynamic(DecrypterInfo info, byte[] encrypted, uint offs, uint key1, byte[] key2)
        {
            var local = GetDynamicLocal_v17_r73740(info.decryptMethod);

            if (local == null)
            {
                throw new ApplicationException("Could not find local");
            }

            int endIndex = GetDynamicEndIndex_v17_r73740(info.decryptMethod, local);

            if (endIndex < 0)
            {
                endIndex = GetDynamicEndIndex_v17_r74788(info.decryptMethod, local);
            }
            int startIndex = GetDynamicStartIndex_v17_r73740(info.decryptMethod, endIndex);

            if (startIndex < 0)
            {
                throw new ApplicationException("Could not find start/end index");
            }

            var constReader = new ConstantsReader(info.decryptMethod);

            return(Decrypt(encrypted, key1, (magic, i) => {
                constReader.SetConstantInt32(local, magic);
                int index = startIndex, result;
                if (!constReader.GetNextInt32(ref index, out result) || index != endIndex)
                {
                    throw new ApplicationException("Could not decrypt integer");
                }
                return (byte)(result ^ key2[i % key2.Length]);
            }));
        }

Esempio n. 4

0

Mostra file

File: ConstantsDecrypterV18.cs Progetto: haise0/de5dot

		static bool FindLKeys_v18_r75369(DecrypterInfo info) {
			var instrs = info.method.Body.Instructions;
			for (int i = 0; i < instrs.Count - 8; i++) {
				var ldci8_1 = instrs[i];
				if (ldci8_1.OpCode.Code != Code.Ldc_I8)
					continue;
				if (!instrs[i + 1].IsLdloc())
					continue;
				if (instrs[i + 2].OpCode.Code != Code.Conv_U8)
					continue;
				if (instrs[i + 3].OpCode.Code != Code.Mul)
					continue;
				if (!instrs[i + 4].IsStloc())
					continue;
				var ldci8_2 = instrs[i + 5];
				if (ldci8_2.OpCode.Code != Code.Ldc_I8)
					continue;
				if (!instrs[i + 6].IsStloc())
					continue;
				var ldci8_3 = instrs[i + 7];
				if (ldci8_3.OpCode.Code != Code.Ldc_I8)
					continue;
				if (!instrs[i + 8].IsStloc())
					continue;

				info.key0l = (ulong)(long)ldci8_1.Operand;
				info.key1l = (ulong)(long)ldci8_2.Operand;
				info.key2l = (ulong)(long)ldci8_3.Operand;
				return true;
			}
			return false;
		}

Esempio n. 5

0

Mostra file

        static bool FindKey0d_v18_r75367(DecrypterInfo info)
        {
            var instrs = info.method.Body.Instructions;

            for (int i = 0; i < instrs.Count; i++)
            {
                int index = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Int32 System.Reflection.MemberInfo::get_MetadataToken()");
                if (index < 0)
                {
                    break;
                }
                int index2 = ConfuserUtils.FindCallMethod(instrs, index, Code.Call, "System.Byte[] System.BitConverter::GetBytes(System.Int32)");
                if (index2 < 0)
                {
                    break;
                }
                if (index2 - index != 3)
                {
                    continue;
                }
                var ldci4 = instrs[index + 1];
                if (!ldci4.IsLdcI4())
                {
                    continue;
                }
                if (instrs[index + 2].OpCode.Code != Code.Xor)
                {
                    continue;
                }

                info.key0d = (uint)ldci4.GetLdcI4Value();
                return(true);
            }
            return(false);
        }

Esempio n. 6

0

Mostra file

        bool InitializeFields(DecrypterInfo info)
        {
            switch (version)
            {
            case ConfuserVersion.v17_r73822_normal:
            case ConfuserVersion.v17_r73822_dynamic:
            case ConfuserVersion.v17_r73822_native:
            case ConfuserVersion.v17_r74021_dynamic:
            case ConfuserVersion.v17_r74021_native:
                if (!Add(ConstantsDecrypterUtils.FindDictField(info.decryptMethod, info.decryptMethod.DeclaringType)))
                {
                    return(false);
                }
                if (!Add(ConstantsDecrypterUtils.FindMemoryStreamField(info.decryptMethod, info.decryptMethod.DeclaringType)))
                {
                    return(false);
                }
                break;

            default:
                break;
            }

            return(true);
        }

Esempio n. 7

0

Mostra file

        byte[] DecryptConstant(DecrypterInfo info, byte[] encrypted, uint offs)
        {
            switch (version)
            {
            case ConfuserVersion.v15_r60785_normal: return(DecryptConstant_v15_r60785_normal(info, encrypted, offs));

            case ConfuserVersion.v15_r60785_dynamic: return(DecryptConstant_v15_r60785_dynamic(info, encrypted, offs));

            case ConfuserVersion.v17_r72989_dynamic: return(DecryptConstant_v15_r60785_dynamic(info, encrypted, offs));

            case ConfuserVersion.v17_r73404_normal: return(DecryptConstant_v17_r73404_normal(info, encrypted, offs));

            case ConfuserVersion.v17_r73740_dynamic: return(DecryptConstant_v17_r73740_dynamic(info, encrypted, offs, 0));

            case ConfuserVersion.v17_r73764_dynamic: return(DecryptConstant_v17_r73740_dynamic(info, encrypted, offs, 0));

            case ConfuserVersion.v17_r73764_native: return(DecryptConstant_v17_r73764_native(info, encrypted, offs, 0));

            case ConfuserVersion.v17_r73822_normal: return(DecryptConstant_v17_r73404_normal(info, encrypted, offs));

            case ConfuserVersion.v17_r73822_dynamic: return(DecryptConstant_v17_r73740_dynamic(info, encrypted, offs, 0));

            case ConfuserVersion.v17_r73822_native: return(DecryptConstant_v17_r73764_native(info, encrypted, offs, 0));

            case ConfuserVersion.v17_r74021_dynamic: return(DecryptConstant_v17_r73740_dynamic(info, encrypted, offs, 0));

            case ConfuserVersion.v17_r74021_native: return(DecryptConstant_v17_r73764_native(info, encrypted, offs, 0));

            default: throw new ApplicationException("Invalid version");
            }
        }

Esempio n. 8

0

Mostra file

 void FreePEImage()
 {
     if (decrypterInfo != null)
     {
         decrypterInfo.Dispose();
     }
     decrypterInfo = null;
 }

Esempio n. 9

0

Mostra file

File: StringDecrypter.cs Progetto: lkmvip/de4dot_org

        public void Find(ISimpleDeobfuscator simpleDeobfuscator)
        {
            var additionalTypes = new string[] {
                "System.String",
            };
            EmbeddedResource stringsResource = null;

            foreach (var type in module.Types)
            {
                if (decrypterInfos.Count > 0)
                {
                    break;
                }
                if (type.BaseType == null || type.BaseType.FullName != "System.Object")
                {
                    continue;
                }
                foreach (var method in type.Methods)
                {
                    if (!method.IsStatic || !method.HasBody)
                    {
                        continue;
                    }
                    if (!DotNetUtils.IsMethod(method, "System.String", "(System.Int32)"))
                    {
                        continue;
                    }
                    if (!encryptedResource.CouldBeResourceDecrypter(method, additionalTypes))
                    {
                        continue;
                    }

                    var resource = DotNetUtils.GetResource(module, DotNetUtils.GetCodeStrings(method)) as EmbeddedResource;
                    if (resource == null)
                    {
                        throw new ApplicationException("Could not find strings resource");
                    }
                    if (stringsResource != null && stringsResource != resource)
                    {
                        throw new ApplicationException("Two different string resources found");
                    }

                    stringsResource          = resource;
                    encryptedResource.Method = method;

                    var info = new DecrypterInfo(method, null, null);
                    simpleDeobfuscator.Deobfuscate(info.method);
                    FindKeyIv(info.method, out info.key, out info.iv);

                    decrypterInfos.Add(info);
                }
            }

            if (decrypterInfos.Count > 0)
            {
                FindOtherStringDecrypter(decrypterInfos[0].method.DeclaringType);
            }
        }

Esempio n. 10

0

Mostra file

File: ConstantsDecrypterV18.cs Progetto: haise0/de5dot

		static bool FindKeys_v18_r75369(DecrypterInfo info) {
			if (!FindLKeys_v18_r75369(info))
				return false;
			if (!FindKey0_v18_r75369(info))
				return false;
			if (!FindKey0d_v18_r75367(info))
				return false;
			return true;
		}

Esempio n. 11

0

Mostra file

File: ConstantsDecrypterV18.cs Progetto: haise0/de5dot

		DecrypterInfo CreateDecrypterInfo(MethodDef method) {
			if (!IsDecryptMethodSignature(method))
				return null;

			simpleDeobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
			var info = new DecrypterInfo(this, method, version);
			if (!FindKeys(info))
				return null;

			return info;
		}

Esempio n. 12

0

Mostra file

        byte[] DecryptConstant_v15_r60785_normal(DecrypterInfo info, byte[] encrypted, uint offs)
        {
            var rand      = new Random((int)(info.key0 ^ offs));
            var decrypted = new byte[encrypted.Length];

            rand.NextBytes(decrypted);
            for (int i = 0; i < decrypted.Length; i++)
            {
                decrypted[i] ^= encrypted[i];
            }
            return(decrypted);
        }

Esempio n. 13

0

Mostra file

        public override IDeobfuscator ModuleReloaded(ModuleDefMD module)
        {
            var newOne = new Deobfuscator(options);

            newOne.SetModule(module);
            newOne.mainType      = new MainType(module, mainType);
            newOne.decrypterInfo = decrypterInfo;
            decrypterInfo        = null;
            if (newOne.decrypterInfo != null)
            {
                newOne.decrypterInfo.mainType = newOne.mainType;
            }
            return(newOne);
        }

Esempio n. 14

0

Mostra file

 static bool FindKeys_v18_r75369(DecrypterInfo info)
 {
     if (!FindLKeys_v18_r75369(info))
     {
         return(false);
     }
     if (!FindKey0_v18_r75369(info))
     {
         return(false);
     }
     if (!FindKey0d_v18_r75367(info))
     {
         return(false);
     }
     return(true);
 }

Esempio n. 15

0

Mostra file

File: ConstantsDecrypterV18.cs Progetto: haise0/de5dot

		public void Find() {
			var cctor = DotNetUtils.GetModuleTypeCctor(module);
			if (cctor == null)
				return;
			simpleDeobfuscator.Deobfuscate(cctor, SimpleDeobfuscatorFlags.Force | SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);

			if ((dictField = ConstantsDecrypterUtils.FindDictField(cctor, cctor.DeclaringType)) == null)
				return;

			if ((dataField = ConstantsDecrypterUtils.FindDataField_v18_r75367(cctor, cctor.DeclaringType)) == null &&
				(dataField = ConstantsDecrypterUtils.FindDataField_v19_r77172(cctor, cctor.DeclaringType)) == null)
				return;

			nativeMethod = FindNativeMethod(cctor, cctor.DeclaringType);

			var method = GetDecryptMethod();
			if (method == null)
				return;
			simpleDeobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
			var info = new DecrypterInfo(this, method, ConfuserVersion.Unknown);
			if (FindKeys_v18_r75367(info))
				InitVersion(cctor, ConfuserVersion.v18_r75367_normal, ConfuserVersion.v18_r75367_dynamic, ConfuserVersion.v18_r75367_native);
			else if (FindKeys_v18_r75369(info)) {
				lzmaType = ConfuserUtils.FindLzmaType(cctor);
				if (lzmaType == null)
					InitVersion(cctor, ConfuserVersion.v18_r75369_normal, ConfuserVersion.v18_r75369_dynamic, ConfuserVersion.v18_r75369_native);
				else if (!DotNetUtils.CallsMethod(method, "System.Void System.Threading.Monitor::Exit(System.Object)"))
					InitVersion(cctor, ConfuserVersion.v19_r77172_normal, ConfuserVersion.v19_r77172_dynamic, ConfuserVersion.v19_r77172_native);
				else if (DotNetUtils.CallsMethod(method, "System.Void System.Diagnostics.StackFrame::.ctor(System.Int32)"))
					InitVersion(cctor, ConfuserVersion.v19_r78363_normal, ConfuserVersion.v19_r78363_dynamic, ConfuserVersion.v19_r78363_native);
				else {
					int index1 = ConfuserUtils.FindCallMethod(cctor.Body.Instructions, 0, Code.Callvirt, "System.Reflection.Module System.Reflection.MemberInfo::get_Module()");
					int index2 = ConfuserUtils.FindCallMethod(cctor.Body.Instructions, 0, Code.Callvirt, "System.Int32 System.Reflection.MemberInfo::get_MetadataToken()");
					if (index1 < 0 || index2 < 0) {
					}
					if (index2 - index1 == 3)
						InitVersion(cctor, ConfuserVersion.v19_r78056_normal, ConfuserVersion.v19_r78056_dynamic, ConfuserVersion.v19_r78056_native);
					else if (index2 - index1 == -4)
						InitVersion(cctor, ConfuserVersion.v19_r79630_normal, ConfuserVersion.v19_r79630_dynamic, ConfuserVersion.v19_r79630_native);
				}
			}
			else
				return;

			installMethod = cctor;
		}

Esempio n. 16

0

Mostra file

        protected override byte[] DecryptData(DecrypterInfo info, MethodDef caller, object[] args, out byte typeCode)
        {
            uint offs = info.CalcHash(caller.MDToken.ToUInt32()) ^ (uint)args[0];

            reader.Position = offs;
            typeCode        = reader.ReadByte();
            if (typeCode != info.int32Type && typeCode != info.int64Type &&
                typeCode != info.singleType && typeCode != info.doubleType &&
                typeCode != info.stringType)
            {
                throw new ApplicationException("Invalid type code");
            }

            var encrypted = reader.ReadBytes(reader.ReadInt32());

            return(DecryptConstant(info, encrypted, offs));
        }

Esempio n. 17

0

Mostra file

        byte[] DecryptConstant_v15_r60785_dynamic(DecrypterInfo info, byte[] encrypted, uint offs)
        {
            var instrs     = info.decryptMethod.Body.Instructions;
            int startIndex = GetDynamicStartIndex_v15_r60785(instrs);
            int endIndex   = GetDynamicEndIndex_v15_r60785(instrs, startIndex);

            if (endIndex < 0)
            {
                throw new ApplicationException("Could not find start/endIndex");
            }

            var dataReader  = ByteArrayDataReaderFactory.CreateReader(encrypted);
            var decrypted   = new byte[dataReader.ReadInt32()];
            var constReader = new Arg64ConstantsReader(instrs, false);

            ConfuserUtils.DecryptCompressedInt32Data(constReader, startIndex, endIndex, ref dataReader, decrypted);
            return(decrypted);
        }

Esempio n. 18

0

Mostra file

File: ConstantsDecrypterV18.cs Progetto: haise0/de5dot

		static bool FindKey0_v18_r75367(DecrypterInfo info) {
			var instrs = info.method.Body.Instructions;
			for (int i = 0; i < instrs.Count - 4; i++) {
				if (instrs[i].OpCode.Code != Code.Xor)
					continue;
				var ldci4 = instrs[i + 1];
				if (!ldci4.IsLdcI4())
					continue;
				if (instrs[i + 2].OpCode.Code != Code.Conv_I8)
					continue;
				if (instrs[i + 3].OpCode.Code != Code.Mul)
					continue;
				if (instrs[i + 4].OpCode.Code != Code.Add)
					continue;

				info.key0 = (uint)ldci4.GetLdcI4Value();
				return true;
			}
			return false;
		}

Esempio n. 19

0

Mostra file

        public override bool GetDecryptedModule(int count, ref byte[] newFileData, ref DumpedMethods dumpedMethods)
        {
            if (count != 0 || !mainType.Detected)
            {
                return(false);
            }

            var fileData = DeobUtils.ReadModule(module);

            decrypterInfo = new DecrypterInfo(mainType, fileData);
            var methodsDecrypter = new MethodsDecrypter(module, decrypterInfo);

            if (!methodsDecrypter.Decrypt(ref dumpedMethods))
            {
                return(false);
            }

            newFileData = fileData;
            return(true);
        }

Esempio n. 20

0

Mostra file

File: ConstantsDecrypterV18.cs Progetto: haise0/de5dot

		static bool FindLKeys_v18_r75367(DecrypterInfo info) {
			var instrs = info.method.Body.Instructions;
			for (int i = 0; i < instrs.Count - 10; i++) {
				var ldci4_1 = instrs[i];
				if (!ldci4_1.IsLdcI4())
					continue;
				if (!instrs[i + 1].IsLdloc())
					continue;
				if (instrs[i + 2].OpCode.Code != Code.Xor)
					continue;
				if (instrs[i + 3].OpCode.Code != Code.Conv_U8)
					continue;
				if (!instrs[i + 4].IsStloc())
					continue;
				var ldci4_2 = instrs[i + 5];
				if (!ldci4_2.IsLdcI4())
					continue;
				if (instrs[i + 6].OpCode.Code != Code.Conv_I8)
					continue;
				if (!instrs[i + 7].IsStloc())
					continue;
				var ldci4_3 = instrs[i + 8];
				if (!ldci4_3.IsLdcI4())
					continue;
				if (instrs[i + 9].OpCode.Code != Code.Conv_I8)
					continue;
				if (!instrs[i + 10].IsStloc())
					continue;

				info.key0l = (uint)ldci4_1.GetLdcI4Value();
				info.key1l = (uint)ldci4_2.GetLdcI4Value();
				info.key2l = (uint)ldci4_3.GetLdcI4Value();
				return true;
			}
			return false;
		}

Esempio n. 21

0

Mostra file

        public void Find()
        {
            var type = DotNetUtils.GetModuleType(module);

            if (type == null)
            {
                return;
            }
            foreach (var method in type.Methods)
            {
                if (!method.IsStatic || method.Body == null)
                {
                    continue;
                }
                if (!DotNetUtils.IsMethod(method, "System.Object", "(System.UInt32)"))
                {
                    continue;
                }

                var info       = new DecrypterInfo();
                var localTypes = new LocalTypes(method);
                if (localTypes.All(requiredLocals1))
                {
                    if (localTypes.Exists("System.Collections.BitArray"))                       // or System.Random
                    {
                        version = ConfuserVersion.v15_r60785_normal;
                    }
                    else if (DeobUtils.HasInteger(method, 0x100) &&
                             DeobUtils.HasInteger(method, 0x10000) &&
                             DeobUtils.HasInteger(method, 0xFFFF))
                    {
                        version = ConfuserVersion.v17_r73404_normal;
                    }
                    else if (DotNetUtils.CallsMethod(method, "System.String System.Text.Encoding::GetString(System.Byte[])"))
                    {
                        if (FindInstruction(method.Body.Instructions, 0, Code.Conv_I8) >= 0)
                        {
                            if (DotNetUtils.CallsMethod(method, "System.Void System.Console::WriteLine()"))
                            {
                                version = ConfuserVersion.v15_r60785_dynamic;
                            }
                            else
                            {
                                version = ConfuserVersion.v17_r72989_dynamic;
                            }
                        }
                        else
                        {
                            version = ConfuserVersion.v17_r73740_dynamic;
                        }
                    }
                    else if (DotNetUtils.CallsMethod(method, "System.String System.Text.Encoding::GetString(System.Byte[],System.Int32,System.Int32)"))
                    {
                        if ((nativeMethod = FindNativeMethod(method)) == null)
                        {
                            version = ConfuserVersion.v17_r73764_dynamic;
                        }
                        else
                        {
                            version = ConfuserVersion.v17_r73764_native;
                        }
                    }
                    else
                    {
                        continue;
                    }
                }
                else if (localTypes.All(requiredLocals2))
                {
                    if (DeobUtils.HasInteger(method, 0x100) &&
                        DeobUtils.HasInteger(method, 0x10000) &&
                        DeobUtils.HasInteger(method, 0xFFFF))
                    {
                        version = ConfuserVersion.v17_r73822_normal;
                    }
                    else if (DotNetUtils.CallsMethod(method, "System.Int32 System.Object::GetHashCode()"))
                    {
                        if ((nativeMethod = FindNativeMethod(method)) == null)
                        {
                            version = ConfuserVersion.v17_r74021_dynamic;
                        }
                        else
                        {
                            version = ConfuserVersion.v17_r74021_native;
                        }
                    }
                    else if ((nativeMethod = FindNativeMethod(method)) == null)
                    {
                        version = ConfuserVersion.v17_r73822_dynamic;
                    }
                    else
                    {
                        version = ConfuserVersion.v17_r73822_native;
                    }
                }
                else
                {
                    continue;
                }

                info.decryptMethod = method;
                theDecrypterInfo   = info;
                Add(info);
                break;
            }
        }

Esempio n. 22

0

Mostra file

 byte[] DecryptConstant_v17_r73404_normal(DecrypterInfo info, byte[] encrypted, uint offs) =>
 ConfuserUtils.Decrypt(info.key0 ^ offs, encrypted);

Esempio n. 23

0

Mostra file

File: ConstantsDecrypterBase.cs Progetto: RafaelRMachado/de4dot

		protected byte[] DecryptConstant_v17_r73764_native(DecrypterInfo info, byte[] encrypted, uint offs, uint key) {
			return DecryptConstant_v17_r73764_native(info, encrypted, offs, key, defaultDecryptKey_v17);
		}

Esempio n. 24

0

Mostra file

File: ConstantsDecrypterBase.cs Progetto: RafaelRMachado/de4dot

		protected byte[] DecryptConstant_v17_r73764_native(DecrypterInfo info, byte[] encrypted, uint offs, uint key1, byte[] key2) {
			using (var x86Emu = new x86Emulator(fileData))
				return Decrypt(encrypted, key1, (magic, i) => (byte)(x86Emu.Emulate((uint)nativeMethod.RVA, magic) ^ key2[i % key2.Length]));
		}

Esempio n. 25

0

Mostra file

File: ConstantsDecrypterBase.cs Progetto: RafaelRMachado/de4dot

		protected abstract byte[] DecryptData(DecrypterInfo info, MethodDef caller, object[] args, out byte typeCode);

Esempio n. 26

0

Mostra file

 protected void Add(DecrypterInfo info)
 {
     methodToDecrypterInfo.Add(info.decryptMethod, info);
 }

Esempio n. 27

0

Mostra file

File: ConstantsDecrypterV18.cs Progetto: RafaelRMachado/de4dot

		bool FindKeys(DecrypterInfo info) {
			switch (version) {
			case ConfuserVersion.v18_r75367_normal:
			case ConfuserVersion.v18_r75367_dynamic:
			case ConfuserVersion.v18_r75367_native:
				return FindKeys_v18_r75367(info);
			case ConfuserVersion.v18_r75369_normal:
			case ConfuserVersion.v18_r75369_dynamic:
			case ConfuserVersion.v18_r75369_native:
			case ConfuserVersion.v19_r77172_normal:
			case ConfuserVersion.v19_r77172_dynamic:
			case ConfuserVersion.v19_r77172_native:
			case ConfuserVersion.v19_r78056_normal:
			case ConfuserVersion.v19_r78056_dynamic:
			case ConfuserVersion.v19_r78056_native:
			case ConfuserVersion.v19_r78363_normal:
			case ConfuserVersion.v19_r78363_dynamic:
			case ConfuserVersion.v19_r78363_native:
			case ConfuserVersion.v19_r79630_normal:
			case ConfuserVersion.v19_r79630_dynamic:
			case ConfuserVersion.v19_r79630_native:
				return FindKeys_v18_r75369(info);
			default:
				throw new ApplicationException("Invalid version");
			}
		}

Esempio n. 28

0

Mostra file

 protected byte[] DecryptConstant_v17_r73764_native(DecrypterInfo info, byte[] encrypted, uint offs, uint key1, byte[] key2)
 {
     using (var x86Emu = new x86Emulator(fileData))
         return(Decrypt(encrypted, key1, (magic, i) => (byte)(x86Emu.Emulate((uint)nativeMethod.RVA, magic) ^ key2[i % key2.Length])));
 }

Esempio n. 29

0

Mostra file

 protected abstract byte[] DecryptData(DecrypterInfo info, MethodDef caller, object[] args, out byte typeCode);

Esempio n. 30

0

Mostra file

File: ConstantsDecrypterV15.cs Progetto: RafaelRMachado/de4dot

		bool InitializeFields(DecrypterInfo info) {
			switch (version) {
			case ConfuserVersion.v17_r73822_normal:
			case ConfuserVersion.v17_r73822_dynamic:
			case ConfuserVersion.v17_r73822_native:
			case ConfuserVersion.v17_r74021_dynamic:
			case ConfuserVersion.v17_r74021_native:
				if (!Add(ConstantsDecrypterUtils.FindDictField(info.decryptMethod, info.decryptMethod.DeclaringType)))
					return false;
				if (!Add(ConstantsDecrypterUtils.FindMemoryStreamField(info.decryptMethod, info.decryptMethod.DeclaringType)))
					return false;
				break;

			default:
				break;
			}

			return true;
		}

Esempio n. 31

0

Mostra file

File: ConstantsDecrypterBase.cs Progetto: RafaelRMachado/de4dot

		protected void Add(DecrypterInfo info) {
			methodToDecrypterInfo.Add(info.decryptMethod, info);
		}

Esempio n. 32

0

Mostra file

File: ConstantsDecrypterV18.cs Progetto: RafaelRMachado/de4dot

		static bool FindLKeys_v18_r75369(DecrypterInfo info) {
			var instrs = info.method.Body.Instructions;
			for (int i = 0; i < instrs.Count - 8; i++) {
				var ldci8_1 = instrs[i];
				if (ldci8_1.OpCode.Code != Code.Ldc_I8)
					continue;
				if (!instrs[i + 1].IsLdloc())
					continue;
				if (instrs[i + 2].OpCode.Code != Code.Conv_U8)
					continue;
				if (instrs[i + 3].OpCode.Code != Code.Mul)
					continue;
				if (!instrs[i + 4].IsStloc())
					continue;
				var ldci8_2 = instrs[i + 5];
				if (ldci8_2.OpCode.Code != Code.Ldc_I8)
					continue;
				if (!instrs[i + 6].IsStloc())
					continue;
				var ldci8_3 = instrs[i + 7];
				if (ldci8_3.OpCode.Code != Code.Ldc_I8)
					continue;
				if (!instrs[i + 8].IsStloc())
					continue;

				info.key0l = (ulong)(long)ldci8_1.Operand;
				info.key1l = (ulong)(long)ldci8_2.Operand;
				info.key2l = (ulong)(long)ldci8_3.Operand;
				return true;
			}
			return false;
		}

Esempio n. 33

0

Mostra file

File: ConstantsDecrypterV18.cs Progetto: RafaelRMachado/de4dot

		static bool FindLKeys_v18_r75367(DecrypterInfo info) {
			var instrs = info.method.Body.Instructions;
			for (int i = 0; i < instrs.Count - 10; i++) {
				var ldci4_1 = instrs[i];
				if (!ldci4_1.IsLdcI4())
					continue;
				if (!instrs[i + 1].IsLdloc())
					continue;
				if (instrs[i + 2].OpCode.Code != Code.Xor)
					continue;
				if (instrs[i + 3].OpCode.Code != Code.Conv_U8)
					continue;
				if (!instrs[i + 4].IsStloc())
					continue;
				var ldci4_2 = instrs[i + 5];
				if (!ldci4_2.IsLdcI4())
					continue;
				if (instrs[i + 6].OpCode.Code != Code.Conv_I8)
					continue;
				if (!instrs[i + 7].IsStloc())
					continue;
				var ldci4_3 = instrs[i + 8];
				if (!ldci4_3.IsLdcI4())
					continue;
				if (instrs[i + 9].OpCode.Code != Code.Conv_I8)
					continue;
				if (!instrs[i + 10].IsStloc())
					continue;

				info.key0l = (uint)ldci4_1.GetLdcI4Value();
				info.key1l = (uint)ldci4_2.GetLdcI4Value();
				info.key2l = (uint)ldci4_3.GetLdcI4Value();
				return true;
			}
			return false;
		}

Esempio n. 34

0

Mostra file

File: ConstantsDecrypterBase.cs Progetto: RafaelRMachado/de4dot

		protected byte[] DecryptConstant_v17_r73740_dynamic(DecrypterInfo info, byte[] encrypted, uint offs, uint key1, byte[] key2) {
			var local = GetDynamicLocal_v17_r73740(info.decryptMethod);
			if (local == null)
				throw new ApplicationException("Could not find local");

			int endIndex = GetDynamicEndIndex_v17_r73740(info.decryptMethod, local);
			if (endIndex < 0)
				endIndex = GetDynamicEndIndex_v17_r74788(info.decryptMethod, local);
			int startIndex = GetDynamicStartIndex_v17_r73740(info.decryptMethod, endIndex);
			if (startIndex < 0)
				throw new ApplicationException("Could not find start/end index");

			var constReader = new ConstantsReader(info.decryptMethod);
			return Decrypt(encrypted, key1, (magic, i) => {
				constReader.SetConstantInt32(local, magic);
				int index = startIndex, result;
				if (!constReader.GetNextInt32(ref index, out result) || index != endIndex)
					throw new ApplicationException("Could not decrypt integer");
				return (byte)(result ^ key2[i % key2.Length]);
			});
		}

Esempio n. 35

0

Mostra file

 protected byte[] DecryptConstant_v17_r73764_native(DecrypterInfo info, byte[] encrypted, uint offs, uint key)
 {
     return(DecryptConstant_v17_r73764_native(info, encrypted, offs, key, defaultDecryptKey_v17));
 }

Esempio n. 36

0

Mostra file

File: ConstantsDecrypterV15.cs Progetto: RafaelRMachado/de4dot

		protected override byte[] DecryptData(DecrypterInfo info, MethodDef caller, object[] args, out byte typeCode) {
			uint offs = info.CalcHash(caller.MDToken.ToUInt32()) ^ (uint)args[0];
			reader.Position = offs;
			typeCode = reader.ReadByte();
			if (typeCode != info.int32Type && typeCode != info.int64Type &&
				typeCode != info.singleType && typeCode != info.doubleType &&
				typeCode != info.stringType)
				throw new ApplicationException("Invalid type code");

			var encrypted = reader.ReadBytes(reader.ReadInt32());
			return DecryptConstant(info, encrypted, offs);
		}

Esempio n. 37

0

Mostra file

File: ConstantsDecrypterV18.cs Progetto: RafaelRMachado/de4dot

		public void Find() {
			var cctor = DotNetUtils.GetModuleTypeCctor(module);
			if (cctor == null)
				return;
			simpleDeobfuscator.Deobfuscate(cctor, SimpleDeobfuscatorFlags.Force | SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);

			if ((dictField = ConstantsDecrypterUtils.FindDictField(cctor, cctor.DeclaringType)) == null)
				return;

			if ((dataField = ConstantsDecrypterUtils.FindDataField_v18_r75367(cctor, cctor.DeclaringType)) == null &&
				(dataField = ConstantsDecrypterUtils.FindDataField_v19_r77172(cctor, cctor.DeclaringType)) == null)
				return;

			nativeMethod = FindNativeMethod(cctor, cctor.DeclaringType);

			var method = GetDecryptMethod();
			if (method == null)
				return;
			simpleDeobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
			var info = new DecrypterInfo(this, method, ConfuserVersion.Unknown);
			if (FindKeys_v18_r75367(info))
				InitVersion(cctor, ConfuserVersion.v18_r75367_normal, ConfuserVersion.v18_r75367_dynamic, ConfuserVersion.v18_r75367_native);
			else if (FindKeys_v18_r75369(info)) {
				lzmaType = ConfuserUtils.FindLzmaType(cctor);
				if (lzmaType == null)
					InitVersion(cctor, ConfuserVersion.v18_r75369_normal, ConfuserVersion.v18_r75369_dynamic, ConfuserVersion.v18_r75369_native);
				else if (!DotNetUtils.CallsMethod(method, "System.Void System.Threading.Monitor::Exit(System.Object)"))
					InitVersion(cctor, ConfuserVersion.v19_r77172_normal, ConfuserVersion.v19_r77172_dynamic, ConfuserVersion.v19_r77172_native);
				else if (DotNetUtils.CallsMethod(method, "System.Void System.Diagnostics.StackFrame::.ctor(System.Int32)"))
					InitVersion(cctor, ConfuserVersion.v19_r78363_normal, ConfuserVersion.v19_r78363_dynamic, ConfuserVersion.v19_r78363_native);
				else {
					int index1 = ConfuserUtils.FindCallMethod(cctor.Body.Instructions, 0, Code.Callvirt, "System.Reflection.Module System.Reflection.MemberInfo::get_Module()");
					int index2 = ConfuserUtils.FindCallMethod(cctor.Body.Instructions, 0, Code.Callvirt, "System.Int32 System.Reflection.MemberInfo::get_MetadataToken()");
					if (index1 < 0 || index2 < 0) {
					}
					if (index2 - index1 == 3)
						InitVersion(cctor, ConfuserVersion.v19_r78056_normal, ConfuserVersion.v19_r78056_dynamic, ConfuserVersion.v19_r78056_native);
					else if (index2 - index1 == -4)
						InitVersion(cctor, ConfuserVersion.v19_r79630_normal, ConfuserVersion.v19_r79630_dynamic, ConfuserVersion.v19_r79630_native);
				}
			}
			else
				return;

			installMethod = cctor;
		}

Esempio n. 38

0

Mostra file

File: ConstantsDecrypterV15.cs Progetto: RafaelRMachado/de4dot

		byte[] DecryptConstant(DecrypterInfo info, byte[] encrypted, uint offs) {
			switch (version) {
			case ConfuserVersion.v15_r60785_normal: return DecryptConstant_v15_r60785_normal(info, encrypted, offs);
			case ConfuserVersion.v15_r60785_dynamic: return DecryptConstant_v15_r60785_dynamic(info, encrypted, offs);
			case ConfuserVersion.v17_r72989_dynamic: return DecryptConstant_v15_r60785_dynamic(info, encrypted, offs);
			case ConfuserVersion.v17_r73404_normal: return DecryptConstant_v17_r73404_normal(info, encrypted, offs);
			case ConfuserVersion.v17_r73740_dynamic: return DecryptConstant_v17_r73740_dynamic(info, encrypted, offs, 0);
			case ConfuserVersion.v17_r73764_dynamic: return DecryptConstant_v17_r73740_dynamic(info, encrypted, offs, 0);
			case ConfuserVersion.v17_r73764_native: return DecryptConstant_v17_r73764_native(info, encrypted, offs, 0);
			case ConfuserVersion.v17_r73822_normal: return DecryptConstant_v17_r73404_normal(info, encrypted, offs);
			case ConfuserVersion.v17_r73822_dynamic: return DecryptConstant_v17_r73740_dynamic(info, encrypted, offs, 0);
			case ConfuserVersion.v17_r73822_native: return DecryptConstant_v17_r73764_native(info, encrypted, offs, 0);
			case ConfuserVersion.v17_r74021_dynamic: return DecryptConstant_v17_r73740_dynamic(info, encrypted, offs, 0);
			case ConfuserVersion.v17_r74021_native: return DecryptConstant_v17_r73764_native(info, encrypted, offs, 0);
			default: throw new ApplicationException("Invalid version");
			}
		}

Esempio n. 39

0

Mostra file

File: ConstantsDecrypterV15.cs Progetto: RafaelRMachado/de4dot

		byte[] DecryptConstant_v15_r60785_normal(DecrypterInfo info, byte[] encrypted, uint offs) {
			var rand = new Random((int)(info.key0 ^ offs));
			var decrypted = new byte[encrypted.Length];
			rand.NextBytes(decrypted);
			for (int i = 0; i < decrypted.Length; i++)
				decrypted[i] ^= encrypted[i];
			return decrypted;
		}

Esempio n. 40

0

Mostra file

File: ConstantsDecrypterV18.cs Progetto: RafaelRMachado/de4dot

		DecrypterInfo CreateDecrypterInfo(MethodDef method) {
			if (!IsDecryptMethodSignature(method))
				return null;

			simpleDeobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
			var info = new DecrypterInfo(this, method, version);
			if (!FindKeys(info))
				return null;

			return info;
		}

Esempio n. 41

0

Mostra file

File: ConstantsDecrypterV15.cs Progetto: RafaelRMachado/de4dot

		byte[] DecryptConstant_v15_r60785_dynamic(DecrypterInfo info, byte[] encrypted, uint offs) {
			var instrs = info.decryptMethod.Body.Instructions;
			int startIndex = GetDynamicStartIndex_v15_r60785(instrs);
			int endIndex = GetDynamicEndIndex_v15_r60785(instrs, startIndex);
			if (endIndex < 0)
				throw new ApplicationException("Could not find start/endIndex");

			var dataReader = MemoryImageStream.Create(encrypted);
			var decrypted = new byte[dataReader.ReadInt32()];
			var constReader = new Arg64ConstantsReader(instrs, false);
			ConfuserUtils.DecryptCompressedInt32Data(constReader, startIndex, endIndex, dataReader, decrypted);
			return decrypted;
		}

Esempio n. 42

0

Mostra file

File: ConstantsDecrypterV18.cs Progetto: RafaelRMachado/de4dot

		static bool FindKeys_v18_r75369(DecrypterInfo info) {
			if (!FindLKeys_v18_r75369(info))
				return false;
			if (!FindKey0_v18_r75369(info))
				return false;
			if (!FindKey0d_v18_r75367(info))
				return false;
			return true;
		}

Esempio n. 43

0

Mostra file

File: ConstantsDecrypterV15.cs Progetto: RafaelRMachado/de4dot

		byte[] DecryptConstant_v17_r73404_normal(DecrypterInfo info, byte[] encrypted, uint offs) {
			return ConfuserUtils.Decrypt(info.key0 ^ offs, encrypted);
		}

Esempio n. 44

0

Mostra file

File: ConstantsDecrypterV18.cs Progetto: RafaelRMachado/de4dot

		static bool FindKey0d_v18_r75367(DecrypterInfo info) {
			var instrs = info.method.Body.Instructions;
			for (int i = 0; i < instrs.Count; i++) {
				int index = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Int32 System.Reflection.MemberInfo::get_MetadataToken()");
				if (index < 0)
					break;
				int index2 = ConfuserUtils.FindCallMethod(instrs, index, Code.Call, "System.Byte[] System.BitConverter::GetBytes(System.Int32)");
				if (index2 < 0)
					break;
				if (index2 - index != 3)
					continue;
				var ldci4 = instrs[index + 1];
				if (!ldci4.IsLdcI4())
					continue;
				if (instrs[index + 2].OpCode.Code != Code.Xor)
					continue;

				info.key0d = (uint)ldci4.GetLdcI4Value();
				return true;
			}
			return false;
		}

Esempio n. 45

0

Mostra file

File: ConstantsDecrypterV15.cs Progetto: RafaelRMachado/de4dot

		public void Find() {
			var type = DotNetUtils.GetModuleType(module);
			if (type == null)
				return;
			foreach (var method in type.Methods) {
				if (!method.IsStatic || method.Body == null)
					continue;
				if (!DotNetUtils.IsMethod(method, "System.Object", "(System.UInt32)"))
					continue;

				DecrypterInfo info = new DecrypterInfo();
				var localTypes = new LocalTypes(method);
				if (localTypes.All(requiredLocals1)) {
					if (localTypes.Exists("System.Collections.BitArray"))	// or System.Random
						version = ConfuserVersion.v15_r60785_normal;
					else if (DeobUtils.HasInteger(method, 0x100) &&
							DeobUtils.HasInteger(method, 0x10000) &&
							DeobUtils.HasInteger(method, 0xFFFF))
						version = ConfuserVersion.v17_r73404_normal;
					else if (DotNetUtils.CallsMethod(method, "System.String System.Text.Encoding::GetString(System.Byte[])")) {
						if (FindInstruction(method.Body.Instructions, 0, Code.Conv_I8) >= 0) {
							if (DotNetUtils.CallsMethod(method, "System.Void System.Console::WriteLine()"))
								version = ConfuserVersion.v15_r60785_dynamic;
							else
								version = ConfuserVersion.v17_r72989_dynamic;
						}
						else
							version = ConfuserVersion.v17_r73740_dynamic;
					}
					else if (DotNetUtils.CallsMethod(method, "System.String System.Text.Encoding::GetString(System.Byte[],System.Int32,System.Int32)")) {
						if ((nativeMethod = FindNativeMethod(method)) == null)
							version = ConfuserVersion.v17_r73764_dynamic;
						else
							version = ConfuserVersion.v17_r73764_native;
					}
					else
						continue;
				}
				else if (localTypes.All(requiredLocals2)) {
					if (DeobUtils.HasInteger(method, 0x100) &&
						DeobUtils.HasInteger(method, 0x10000) &&
						DeobUtils.HasInteger(method, 0xFFFF))
						version = ConfuserVersion.v17_r73822_normal;
					else if (DotNetUtils.CallsMethod(method, "System.Int32 System.Object::GetHashCode()")) {
						if ((nativeMethod = FindNativeMethod(method)) == null)
							version = ConfuserVersion.v17_r74021_dynamic;
						else
							version = ConfuserVersion.v17_r74021_native;
					}
					else if ((nativeMethod = FindNativeMethod(method)) == null)
						version = ConfuserVersion.v17_r73822_dynamic;
					else
						version = ConfuserVersion.v17_r73822_native;
				}
				else
					continue;

				info.decryptMethod = method;
				theDecrypterInfo = info;
				Add(info);
				break;
			}
		}

Esempio n. 46

0

Mostra file

File: ConstantsDecrypterV18.cs Progetto: RafaelRMachado/de4dot

		static bool FindKey0_v18_r75369(DecrypterInfo info) {
			var instrs = info.method.Body.Instructions;
			for (int i = 0; i < instrs.Count - 4; i++) {
				if (!instrs[i].IsLdloc())
					continue;
				if (instrs[i + 1].OpCode.Code != Code.Xor)
					continue;
				var ldci4 = instrs[i + 2];
				if (!ldci4.IsLdcI4())
					continue;
				if (instrs[i + 3].OpCode.Code != Code.Conv_U8)
					continue;
				if (instrs[i + 4].OpCode.Code != Code.Mul)
					continue;

				info.key0 = (uint)ldci4.GetLdcI4Value();
				return true;
			}
			return false;
		}

Esempio n. 47

0

Mostra file

File: ConstantsDecrypterBase.cs Progetto: haise0/de5dot

 protected byte[] DecryptConstant_v17_r73740_dynamic(DecrypterInfo info, byte[] encrypted, uint offs, uint key) =>
 DecryptConstant_v17_r73740_dynamic(info, encrypted, offs, key, defaultDecryptKey_v17);

Esempi in C# (CSharp) per DecrypterInfo