public override void Execute(Context Context) { GetJunk.Clear(); GetJunk = new List <CilInstruction>(); if (Utils.DecMethod != null && Context.AsmModule != null && Context.SysModule != null) { foreach (var Type in Context.AsmModule.GetAllTypes()) { foreach (var Method in Type.Methods.Where(x => x.HasMethodBody)) { Method.CilMethodBody.Instructions.ExpandMacros(); var IL = Method.CilMethodBody.Instructions; for (int x = 0; x < IL.Count; x++) { try { if (IL[x].OpCode == CilOpCodes.Call && IL[x].Operand is IMethodDescriptor && IL[x].Operand.ToString().Contains(Utils.DecMethod.Name) && ((IMethodDescriptor)IL[x].Operand).Resolve().Parameters.Count == Utils.DecMethod.Resolve().Parameters.Count) { object Result = null; var Params = ParamsParser(Utils.DecMethod.Resolve(), x, IL, Context.SysModule); var Ref = ((MethodInfo)Context.SysModule.ResolveMethod(Utils.DecMethod.MetadataToken.ToInt32())); if (Utils.DecMethod.Resolve().CilMethodBody.Instructions.Any <CilInstruction>(i => i.ToString().Contains("StackTrace") || i.ToString().Contains("GetCallingAssembly"))) { Result = InvokeAsDynamic(Context.SysModule, Method, Utils.DecMethod.Resolve(), Params); } else { Result = Ref.Invoke(null, Params); } Context.StringLog.Debug($"Restored > {Result}"); IL[x].OpCode = CilOpCodes.Ldstr; IL[x].Operand = Result; foreach (var i in GetJunk) { i.OpCode = CilOpCodes.Nop; } } } catch (Exception ex) { Context.StringLog.Error(ex.Message); } } } } } else { Context.StringLog.Custom("Skipping", "Decryption Method Empty.."); } }
public object[] ParamsParser(MethodDefinition DecMethod, int Index, CilInstructionCollection IL, Module Module) { var C = DecMethod.Parameters.Count; int ParsedIndex = -0; object[] ParsedParams = new object[C]; var Temp = 0; for (int x = -C + Index; x < Index; x++) { if (IL[x].OpCode == CilOpCodes.Ldsfld) // Yes Sorry for Pseudo code here :) { ParsedParams[ParsedIndex++] = Convert.ChangeType(GetFieldValue(Module, ((IFieldDescriptor)IL[x].Operand).MetadataToken.ToInt32()), System.Type.GetType(DecMethod.Parameters[Temp++].ParameterType.GetTypeFullName())); GetJunk.Add(IL[x]); } else { ParsedParams[ParsedIndex++] = Convert.ChangeType(IL[x].Operand, System.Type.GetType(DecMethod.Parameters[Temp++].ParameterType.GetTypeFullName())); GetJunk.Add(IL[x]); } } return(ParsedParams); }
public override void Execute(Context Context) { if (Utils.DecMethod != null) { foreach (var Type in Context.AsmModule.GetAllTypes().Where(x => x.Methods != null)) { foreach (var Method in Type.Methods.Where(x => x.CilMethodBody != null)) { Method.CilMethodBody.Instructions.ExpandMacros(); var IL = Method.CilMethodBody.Instructions; for (int x = 0; x < IL.Count; x++) { try { if (IL[x].OpCode == CilOpCodes.Call && IL[x].Operand is IMethodDescriptor && IL[x].Operand.ToString().Contains(Utils.DecMethod.Name) && ((IMethodDescriptor)IL[x].Operand).Resolve().Parameters.Count == Utils.DecMethod.Resolve().Parameters.Count) { Context.StringLog.Debug($"Found Encrypted Str ..."); var Params = ParamsParser(Utils.DecMethod.Resolve(), x, IL, Context.SysModule); var Ref = ((MethodInfo)Context.SysModule.ResolveMethod(Utils.DecMethod.MetadataToken.ToInt32())); var Result = Ref.Invoke(null, Params); Context.StringLog.Debug($"Restored String : {Result}"); IL[x] = new CilInstruction(CilOpCodes.Ldstr, Result); foreach (var i in GetJunk) { i.OpCode = CilOpCodes.Nop; } } } catch (Exception ex) { Context.StringLog.Error(ex.Message); } } GetJunk.Clear(); } } } else { Context.StringLog.Custom("Skipping", "Decryption Method Empty.."); } }
public object[] ParamsParser(MethodDefinition DecMethod, int Index, CilInstructionCollection IL, Module Module) { var pi = 0; var pp = 0; var rMethod = Module.ResolveMethod(DecMethod.MetadataToken.ToInt32()); var rMethodParams = rMethod.GetParameters(); var C = rMethodParams.Length; var Parsed = new object[C]; for (int x = (-C + Index); x < Index; x++) { object Result = null; if (IL[x].OpCode == CilOpCodes.Stsfld) { Result = Module.ResolveField(((IFieldDescriptor)IL[x].Operand).MetadataToken.ToInt32()).GetValue(null); } var CurrentT = rMethodParams[pi++].ParameterType; if (CurrentT == typeof(String) || CurrentT == typeof(string)) { Result = (string)IL[x].Operand; } else if (CurrentT == typeof(Int16) || CurrentT == typeof(short)) { Result = Result == null ? (short)IL[x].GetLdcI4Constant() : (short)Result; } else if (CurrentT == typeof(Int32) || CurrentT == typeof(int)) { Result = Result == null ? (int)IL[x].GetLdcI4Constant() : (int)Result; } else if (CurrentT == typeof(Int64) || CurrentT == typeof(long)) { Result = Result == null ? (long)IL[x].GetLdcI4Constant() : (long)Result; } else if (CurrentT == typeof(SByte) || CurrentT == typeof(sbyte)) { Result = Result == null ? (sbyte)IL[x].Operand : (sbyte)Result; } else if (CurrentT == typeof(Byte) || CurrentT == typeof(byte)) { Result = Result == null ? (byte)IL[x].Operand : (byte)Result; } else if (CurrentT == typeof(UInt16) || CurrentT == typeof(ushort)) { Result = Result == null ? (ushort)unchecked (IL[x].GetLdcI4Constant()) : (ushort)Result; } else if (CurrentT == typeof(UInt32) || CurrentT == typeof(uint)) { Result = Result == null ? (uint)unchecked (IL[x].GetLdcI4Constant()) : (uint)Result; } else if (CurrentT == typeof(UInt64) || CurrentT == typeof(ulong)) { Result = Result == null ? (ulong)unchecked (IL[x].GetLdcI4Constant()) : (ulong)Result; } else if (CurrentT == typeof(Boolean) || CurrentT == typeof(bool)) { Result = Result == null ? (IL[x].GetLdcI4Constant() == 1 ? true : false) : Convert.ToBoolean(Result); } else if (CurrentT == typeof(Char) || CurrentT == typeof(char)) { Result = Result == null?Convert.ToChar(IL[x].GetLdcI4Constant()) : (char)Result; } else { Result = Result == null?Convert.ChangeType(IL[x].Operand, CurrentT) : Convert.ChangeType(Result, CurrentT); } Parsed[pp++] = Result; GetJunk.Add(IL[x]); } return(Parsed); }