Esempio n. 1
            /// <summary>
            /// Heuristic filter: decides from local-variable types whether a method has the shape of
            /// a resource decryption routine.
            /// </summary>
            /// <remarks>
            /// A <c>true</c> result only means the expected stream/crypto locals are present. It does not
            /// prove the method decrypts anything, so callers should treat it as a candidate match.
            /// </remarks>
            /// <param name="method">Method under inspection; only its <c>DeclaringType</c> is read here.</param>
            /// <param name="localTypes">Local-variable type set to test (presumably built from <paramref name="method"/>; confirm at the call site).</param>
            /// <param name="additionalTypes">Extra type names that must also be present; must not be null.</param>
            /// <returns><c>true</c> when every check passes, otherwise <c>false</c>.</returns>
            public static bool CouldBeResourceDecrypter(MethodDef method, LocalTypes localTypes, IList <string> additionalTypes)
            {
                var mustHave = new List <string>();
                mustHave.Add("System.Byte[]");
                mustHave.Add("System.IO.BinaryReader");
                mustHave.Add("System.IO.MemoryStream");
                mustHave.Add("System.Security.Cryptography.CryptoStream");
                mustHave.Add("System.Security.Cryptography.ICryptoTransform");
                mustHave.AddRange(additionalTypes);

                if (!localTypes.All(mustHave))
                {
                    return false;
                }

                // When the declaring type exposes a method matching the SymmetricAlgorithm / "()" lookup,
                // certain integer locals rule the candidate out.
                var algorithmFactory = DotNetUtils.GetMethod(method.DeclaringType, "System.Security.Cryptography.SymmetricAlgorithm", "()");
                if (algorithmFactory != null)
                {
                    if (localTypes.Exists("System.UInt64"))
                    {
                        return false;
                    }
                    if (localTypes.Exists("System.UInt32") && !localTypes.Exists("System.Reflection.Assembly"))
                    {
                        return false;
                    }
                }

                // At least one symmetric cipher type has to appear among the locals.
                return localTypes.Exists("System.Security.Cryptography.RijndaelManaged") ||
                       localTypes.Exists("System.Security.Cryptography.AesManaged") ||
                       localTypes.Exists("System.Security.Cryptography.SymmetricAlgorithm");
            }
Esempio n. 2
        /// <summary>
        /// Heuristic filter: reports whether <paramref name="method"/> declares the locals expected of
        /// a Rijndael/AES based decrypt routine.
        /// </summary>
        /// <remarks>
        /// The decision rests on local-variable types only, so a positive result marks a candidate,
        /// not a confirmed decrypter.
        /// </remarks>
        /// <param name="method">Method to inspect; a method without a body is rejected.</param>
        /// <param name="additionalTypes">Extra type names that must also be present; must not be null.</param>
        /// <returns><c>true</c> when all required locals and one of the cipher types are present.</returns>
        public static bool CouldBeDecryptMethod(MethodDef method, IEnumerable <string> additionalTypes)
        {
            if (method.Body == null)
            {
                return false;
            }

            var locals   = new LocalTypes(method);
            var expected = new List <string>();
            expected.Add("System.Byte[]");
            expected.Add("System.IO.MemoryStream");
            expected.Add("System.Security.Cryptography.CryptoStream");
            expected.Add("System.Security.Cryptography.ICryptoTransform");
            expected.AddRange(additionalTypes);

            if (!locals.All(expected))
            {
                return false;
            }

            // One of the two managed cipher implementations must be among the locals.
            return locals.Exists("System.Security.Cryptography.RijndaelManaged") ||
                   locals.Exists("System.Security.Cryptography.AesManaged");
        }
Esempio n. 3
		/// <summary>
		/// Searches <paramref name="type"/> for a static method with two parameters whose return type
		/// and both parameters pass the <c>CheckType(..., ElementType.String)</c> test and whose locals
		/// include the stream, MD5 and Rijndael types listed below.
		/// </summary>
		/// <remarks>
		/// The first match is stored in <c>antiStrongNameMethod</c>. The match is structural only, so
		/// the result is a candidate rather than proof of what the method does.
		/// </remarks>
		/// <param name="type">Type whose methods are scanned.</param>
		/// <returns><c>true</c> if a matching method was found and recorded.</returns>
		bool CheckType(TypeDef type) {
			string[] wantedLocals = {
				"System.Byte[]",
				"System.IO.MemoryStream",
				"System.Security.Cryptography.CryptoStream",
				"System.Security.Cryptography.MD5",
				"System.Security.Cryptography.Rijndael",
			};

			foreach (var candidate in type.Methods) {
				bool staticWithBody = candidate.IsStatic && candidate.Body != null;
				if (!staticWithBody)
					continue;

				var signature = candidate.MethodSig;
				bool hasTwoParams = signature != null && signature.Params.Count == 2;
				if (!hasTwoParams)
					continue;

				// Return type first, then each parameter, in the same order as before.
				bool allStrings = CheckType(signature.RetType, ElementType.String)
					&& CheckType(signature.Params[0], ElementType.String)
					&& CheckType(signature.Params[1], ElementType.String);
				if (!allStrings)
					continue;

				if (new LocalTypes(candidate).All(wantedLocals)) {
					antiStrongNameMethod = candidate;
					return true;
				}
			}

			return false;
		}
Esempio n. 4
        /// <summary>
        /// Scans the methods of <paramref name="type"/> for a static, two-parameter method whose return
        /// type and parameters pass <c>CheckType(..., ElementType.String)</c> and whose locals contain
        /// the byte-array, stream, MD5 and Rijndael types.
        /// </summary>
        /// <remarks>
        /// On the first match the method is stored in <c>antiStrongNameMethod</c>. Only signature and
        /// local types are compared, so the hit is a candidate, not a verified identification.
        /// </remarks>
        /// <param name="type">Type whose methods are scanned.</param>
        /// <returns><c>true</c> if a matching method was found and recorded.</returns>
        bool CheckType(TypeDef type)
        {
            var localsToFind = new string[] {
                "System.Byte[]",
                "System.IO.MemoryStream",
                "System.Security.Cryptography.CryptoStream",
                "System.Security.Cryptography.MD5",
                "System.Security.Cryptography.Rijndael",
            };

            foreach (var m in type.Methods)
            {
                if (m.IsStatic && m.Body != null)
                {
                    var sig = m.MethodSig;
                    if (sig != null && sig.Params.Count == 2 &&
                        CheckType(sig.RetType, ElementType.String) &&
                        CheckType(sig.Params[0], ElementType.String) &&
                        CheckType(sig.Params[1], ElementType.String))
                    {
                        var locals = new LocalTypes(m);
                        if (locals.All(localsToFind))
                        {
                            antiStrongNameMethod = m;
                            return true;
                        }
                    }
                }
            }

            return false;
        }
Esempio n. 5
            /// <summary>
            /// Heuristic filter: reports whether <paramref name="localTypes"/> contains the integer,
            /// string, byte-array and <c>BinaryReader</c> locals plus any caller-supplied extras.
            /// </summary>
            /// <remarks>
            /// No crypto type is required by this variant, so the check is broad. Treat a positive
            /// result as a candidate that still needs confirmation.
            /// </remarks>
            /// <param name="method">Not read by this implementation.</param>
            /// <param name="localTypes">Local-variable type set to test.</param>
            /// <param name="additionalTypes">Extra type names that must also be present; must not be null.</param>
            /// <returns><c>true</c> when every listed type is present.</returns>
            public static bool CouldBeResourceDecrypter(MethodDef method, LocalTypes localTypes, IList <string> additionalTypes)
            {
                var mustHave = new List <string>();
                mustHave.Add("System.UInt32");
                mustHave.Add("System.String");
                mustHave.Add("System.Int32");
                mustHave.Add("System.Byte[]");
                mustHave.Add("System.IO.BinaryReader");
                mustHave.AddRange(additionalTypes);

                return localTypes.All(mustHave);
            }
Esempio n. 6
		/// <summary>
		/// Heuristic filter: checks whether the locals of <paramref name="method"/> look like those of
		/// a Rijndael/AES decrypt routine.
		/// </summary>
		/// <remarks>
		/// Only local-variable types are compared. A <c>true</c> result identifies a candidate and
		/// should be confirmed by further analysis.
		/// </remarks>
		/// <param name="method">Method to inspect; methods without a body never match.</param>
		/// <param name="additionalTypes">Extra type names that must also be present; must not be null.</param>
		/// <returns><c>true</c> when the required locals and a cipher type are all present.</returns>
		public static bool CouldBeDecryptMethod(MethodDef method, IEnumerable<string> additionalTypes) {
			if (method.Body != null) {
				var locals = new LocalTypes(method);
				var needed = new List<string> {
					"System.Byte[]",
					"System.IO.MemoryStream",
					"System.Security.Cryptography.CryptoStream",
					"System.Security.Cryptography.ICryptoTransform",
				};
				needed.AddRange(additionalTypes);

				if (locals.All(needed)) {
					// Either managed cipher implementation is accepted.
					return locals.Exists("System.Security.Cryptography.RijndaelManaged")
						|| locals.Exists("System.Security.Cryptography.AesManaged");
				}
			}

			return false;
		}
Esempio n. 7
        /// <summary>
        /// Heuristic filter: decides whether a static method has the locals expected of a resource
        /// decrypter and, optionally, whether <c>FindMethodsDecrypterResource</c> finds a resource for it.
        /// </summary>
        /// <remarks>
        /// The type checks are structural. Passing <paramref name="checkResource"/> as <c>true</c>
        /// adds the resource lookup as a further condition.
        /// </remarks>
        /// <param name="method">Method to inspect; must be static and have a body to match.</param>
        /// <param name="additionalTypes">Extra type names that must also be present; must not be null.</param>
        /// <param name="checkResource">When <c>true</c>, also require a non-null result from <c>FindMethodsDecrypterResource</c>.</param>
        /// <returns><c>true</c> when every enabled check passes.</returns>
        public bool CouldBeResourceDecrypter(MethodDef method, IEnumerable <string> additionalTypes, bool checkResource)
        {
            if (!method.IsStatic || method.Body == null)
            {
                return false;
            }

            var locals = new LocalTypes(method);
            var needed = new List <string>();
            needed.Add("System.Byte[]");
            needed.Add("System.IO.BinaryReader");
            needed.Add("System.IO.MemoryStream");
            needed.Add("System.Security.Cryptography.CryptoStream");
            needed.Add("System.Security.Cryptography.ICryptoTransform");
            needed.AddRange(additionalTypes);

            if (!locals.All(needed))
            {
                return false;
            }

            bool usesCipher = locals.Exists("System.Security.Cryptography.RijndaelManaged") ||
                              locals.Exists("System.Security.Cryptography.AesManaged") ||
                              locals.Exists("System.Security.Cryptography.SymmetricAlgorithm");
            if (!usesCipher)
            {
                return false;
            }

            // The resource lookup runs only when the caller asked for it.
            return !checkResource || FindMethodsDecrypterResource(method) != null;
        }
Esempio n. 8
            /// <summary>
            /// Heuristic filter: reports whether <paramref name="localTypes"/> contains the stream and
            /// crypto-transform locals of a resource decrypter plus one symmetric cipher type.
            /// </summary>
            /// <remarks>
            /// Presence of these types marks a candidate only; it does not establish what the method
            /// actually decrypts.
            /// </remarks>
            /// <param name="method">Not read by this implementation.</param>
            /// <param name="localTypes">Local-variable type set to test.</param>
            /// <param name="additionalTypes">Extra type names that must also be present; must not be null.</param>
            /// <returns><c>true</c> when all required types and a cipher type are present.</returns>
            public static bool CouldBeResourceDecrypter(MethodDef method, LocalTypes localTypes, IList <string> additionalTypes)
            {
                var mustHave = new List <string>();
                mustHave.Add("System.Byte[]");
                mustHave.Add("System.IO.BinaryReader");
                mustHave.Add("System.IO.MemoryStream");
                mustHave.Add("System.Security.Cryptography.CryptoStream");
                mustHave.Add("System.Security.Cryptography.ICryptoTransform");
                mustHave.AddRange(additionalTypes);

                if (localTypes.All(mustHave))
                {
                    return localTypes.Exists("System.Security.Cryptography.RijndaelManaged") ||
                           localTypes.Exists("System.Security.Cryptography.AesManaged") ||
                           localTypes.Exists("System.Security.Cryptography.SymmetricAlgorithm");
                }

                return false;
            }
Esempio n. 9
        /// <summary>
        /// Looks through the methods called by <paramref name="methodToCheck"/> for the initializer of
        /// an assembly-resolver type and records the type, its resolve method and the initializer.
        /// </summary>
        /// <remarks>
        /// A called method qualifies when it passes the <c>IsMethod(..., "System.Void", "()")</c> test,
        /// is static, and its declaring type has 2 or 3 fields accepted by <c>CheckFields</c>, no
        /// nested types, no events and no properties. <c>FindAssemblyResolveMethod</c> must then return
        /// a method whose locals match one of the two lists below. These are structural checks, so a
        /// hit is a candidate identification.
        /// </remarks>
        /// <param name="simpleDeobfuscator">Used to deobfuscate <paramref name="methodToCheck"/> before its calls are enumerated.</param>
        /// <param name="methodToCheck">Method whose callees are examined; <c>null</c> yields <c>false</c>.</param>
        /// <returns><c>true</c> if a resolver was found and the three fields were assigned.</returns>
        bool CheckMethod(ISimpleDeobfuscator simpleDeobfuscator, MethodDef methodToCheck)
        {
            if (methodToCheck == null)
            {
                return false;
            }

            string[] fullLocalSet = {
                "System.Byte[]",
                "System.Reflection.Assembly",
                "System.String",
                "System.IO.BinaryReader",
                "System.IO.Stream",
            };
            string[] reducedLocalSet = {
                "System.Reflection.Assembly",
                "System.IO.BinaryReader",
                "System.IO.Stream",
            };

            simpleDeobfuscator.Deobfuscate(methodToCheck);
            foreach (var callee in DotNetUtils.GetCalledMethods(module, methodToCheck))
            {
                var owner = callee.DeclaringType;
                if (!DotNetUtils.IsMethod(callee, "System.Void", "()") || !callee.IsStatic)
                {
                    continue;
                }

                // Shape of the declaring type: 2 or 3 fields and nothing else of note.
                int fieldCount = owner.Fields.Count;
                if (fieldCount < 2 || fieldCount > 3)
                {
                    continue;
                }
                if (owner.HasNestedTypes || owner.HasEvents || owner.HasProperties)
                {
                    continue;
                }
                if (!CheckFields(owner.Fields))
                {
                    continue;
                }

                var resolver = FindAssemblyResolveMethod(owner);
                if (resolver == null)
                {
                    continue;
                }

                var resolverLocalTypes = new LocalTypes(resolver);
                if (!(resolverLocalTypes.All(fullLocalSet) || resolverLocalTypes.All(reducedLocalSet)))
                {
                    continue;
                }

                assemblyResolverType       = owner;
                assemblyResolverMethod     = resolver;
                assemblyResolverInitMethod = callee;
                return true;
            }

            return false;
        }
Esempio n. 10
        /// <summary>
        /// Recovers an embedded key and IV by scanning the same-type callees of
        /// <paramref name="method"/> for field initializers of 32 and 16 bytes.
        /// </summary>
        /// <remarks>
        /// A callee is examined only if it is declared on the same type, returns <c>System.Byte[]</c>
        /// and has the stream and Rijndael locals listed below. Within it, each <c>ldtoken</c> of a field
        /// with an initial value is classified by length alone: 32 bytes as key, 16 bytes as IV
        /// (presumably a 256-bit key and 128-bit block; confirm against the sample). Until both are
        /// found, a later field of the same length replaces an earlier one. On success
        /// <c>InitializeStringDecrypterVersion</c> is called with <paramref name="method"/>.
        /// </remarks>
        /// <param name="method">Method whose callees are searched.</param>
        /// <param name="key">Receives the 32-byte value, or <c>null</c> if no callee supplied both values.</param>
        /// <param name="iv">Receives the 16-byte value, or <c>null</c> if no callee supplied both values.</param>
        void FindKeyIv(MethodDef method, out byte[] key, out byte[] iv)
        {
            key = null;
            iv  = null;

            string[] wantedLocals = {
                "System.Byte[]",
                "System.IO.MemoryStream",
                "System.Security.Cryptography.CryptoStream",
                "System.Security.Cryptography.Rijndael",
            };

            foreach (var callee in DotNetUtils.GetCalledMethods(module, method))
            {
                if (callee.DeclaringType != method.DeclaringType)
                {
                    continue;
                }
                if (callee.MethodSig.GetRetType().GetFullName() != "System.Byte[]")
                {
                    continue;
                }
                if (!new LocalTypes(callee).All(wantedLocals))
                {
                    continue;
                }

                var    code         = callee.Body.Instructions;
                byte[] candidateKey = null;
                byte[] candidateIv  = null;
                for (int index = 0; index < code.Count && (candidateKey == null || candidateIv == null); index++)
                {
                    var current = code[index];
                    if (current.OpCode.Code != Code.Ldtoken)
                    {
                        continue;
                    }

                    var tokenField = current.Operand as FieldDef;
                    var data       = tokenField == null ? null : tokenField.InitialValue;
                    if (data == null)
                    {
                        continue;
                    }

                    // Classification is by length only.
                    switch (data.Length)
                    {
                    case 32:
                        candidateKey = data;
                        break;
                    case 16:
                        candidateIv = data;
                        break;
                    }
                }

                if (candidateKey != null && candidateIv != null)
                {
                    InitializeStringDecrypterVersion(method);
                    key = candidateKey;
                    iv  = candidateIv;
                    return;
                }
            }
        }
Esempio n. 11
        /// <summary>
        /// Scans the methods of the type returned by <c>DotNetUtils.GetModuleType(module)</c> for a
        /// decrypter candidate, fingerprints the Confuser version from it, and registers it.
        /// </summary>
        /// <remarks>
        /// Candidates are static methods with a body that pass the
        /// <c>IsMethod(..., "System.Object", "(System.UInt32)")</c> test. The version is chosen from
        /// markers in the method (local types, integer constants, called methods, a <c>Conv_I8</c>
        /// instruction, and whether <c>FindNativeMethod</c> returns a method). The branch order decides
        /// which version wins, and only the first matching method is used. The result is a heuristic
        /// fingerprint, not a verified version.
        /// </remarks>
        public void Find()
        {
            var type = DotNetUtils.GetModuleType(module);

            if (type == null)
            {
                return;
            }
            foreach (var method in type.Methods)
            {
                if (!method.IsStatic || method.Body == null)
                {
                    continue;
                }
                if (!DotNetUtils.IsMethod(method, "System.Object", "(System.UInt32)"))
                {
                    continue;
                }

                var info       = new DecrypterInfo();
                var localTypes = new LocalTypes(method);
                // First family: methods whose locals match requiredLocals1.
                if (localTypes.All(requiredLocals1))
                {
                    if (localTypes.Exists("System.Collections.BitArray"))                       // or System.Random
                    {
                        version = ConfuserVersion.v15_r60785_normal;
                    }
                    // All three integer constants must be present for this version.
                    else if (DeobUtils.HasInteger(method, 0x100) &&
                             DeobUtils.HasInteger(method, 0x10000) &&
                             DeobUtils.HasInteger(method, 0xFFFF))
                    {
                        version = ConfuserVersion.v17_r73404_normal;
                    }
                    else if (DotNetUtils.CallsMethod(method, "System.String System.Text.Encoding::GetString(System.Byte[])"))
                    {
                        if (FindInstruction(method.Body.Instructions, 0, Code.Conv_I8) >= 0)
                        {
                            if (DotNetUtils.CallsMethod(method, "System.Void System.Console::WriteLine()"))
                            {
                                version = ConfuserVersion.v15_r60785_dynamic;
                            }
                            else
                            {
                                version = ConfuserVersion.v17_r72989_dynamic;
                            }
                        }
                        else
                        {
                            version = ConfuserVersion.v17_r73740_dynamic;
                        }
                    }
                    else if (DotNetUtils.CallsMethod(method, "System.String System.Text.Encoding::GetString(System.Byte[],System.Int32,System.Int32)"))
                    {
                        // Side effect: nativeMethod is assigned inside the condition.
                        if ((nativeMethod = FindNativeMethod(method)) == null)
                        {
                            version = ConfuserVersion.v17_r73764_dynamic;
                        }
                        else
                        {
                            version = ConfuserVersion.v17_r73764_native;
                        }
                    }
                    else
                    {
                        // No known marker: skip this method and try the next one.
                        continue;
                    }
                }
                // Second family: methods whose locals match requiredLocals2.
                else if (localTypes.All(requiredLocals2))
                {
                    if (DeobUtils.HasInteger(method, 0x100) &&
                        DeobUtils.HasInteger(method, 0x10000) &&
                        DeobUtils.HasInteger(method, 0xFFFF))
                    {
                        version = ConfuserVersion.v17_r73822_normal;
                    }
                    else if (DotNetUtils.CallsMethod(method, "System.Int32 System.Object::GetHashCode()"))
                    {
                        // Side effect: nativeMethod is assigned inside the condition.
                        if ((nativeMethod = FindNativeMethod(method)) == null)
                        {
                            version = ConfuserVersion.v17_r74021_dynamic;
                        }
                        else
                        {
                            version = ConfuserVersion.v17_r74021_native;
                        }
                    }
                    // Fallback for this family: every remaining method is classified, none is skipped.
                    else if ((nativeMethod = FindNativeMethod(method)) == null)
                    {
                        version = ConfuserVersion.v17_r73822_dynamic;
                    }
                    else
                    {
                        version = ConfuserVersion.v17_r73822_native;
                    }
                }
                else
                {
                    continue;
                }

                // Record the first match and stop; later methods are not examined.
                info.decryptMethod = method;
                theDecrypterInfo   = info;
                Add(info);
                break;
            }
        }
Esempio n. 12
        /// <summary>
        /// Scans the methods of the type returned by <c>DotNetUtils.GetModuleType(module)</c> for a
        /// string decrypter candidate and fingerprints the Confuser version from it.
        /// </summary>
        /// <remarks>
        /// Candidates are static methods with a body that pass the
        /// <c>IsMethod(..., "System.String", "(System.Int32)")</c> test and whose locals match
        /// <c>requiredLocals</c>. The version is inferred from which magic-value finder succeeded,
        /// which methods are called and which local types exist, so it is a heuristic fingerprint.
        /// <c>magic1</c>, <c>magic2</c>, <c>key1</c> and <c>version</c> are not declared in this method
        /// and are written before a candidate is accepted, so they may hold values from a rejected
        /// method. Whether <c>decryptMethod</c> was set is what shows that a match was found.
        /// </remarks>
        /// <param name="simpleDeobfuscator">Used to deobfuscate each candidate before it is analysed.</param>
        public void Find(ISimpleDeobfuscator simpleDeobfuscator)
        {
            var type = DotNetUtils.GetModuleType(module);

            if (type == null)
            {
                return;
            }
            foreach (var method in type.Methods)
            {
                if (!method.IsStatic || method.Body == null)
                {
                    continue;
                }
                if (!DotNetUtils.IsMethod(method, "System.String", "(System.Int32)"))
                {
                    continue;
                }
                var localTypes = new LocalTypes(method);
                if (!localTypes.All(requiredLocals))
                {
                    continue;
                }

                simpleDeobfuscator.Deobfuscate(method);

                // Remember which finder produced magic1; it selects the version below.
                bool foundOldMagic1;
                if (FindMagic1(method, out magic1))
                {
                    foundOldMagic1 = true;
                }
                else if (FindNewMagic1(method, out magic1))
                {
                    foundOldMagic1 = false;
                }
                else
                {
                    continue;
                }
                if (!FindMagic2(method, out magic2))
                {
                    continue;
                }

                // Reset per candidate; still Unknown after the branches means no version matched.
                version = ConfuserVersion.Unknown;
                if (DotNetUtils.CallsMethod(method, "System.Text.Encoding System.Text.Encoding::get_UTF8()"))
                {
                    if (foundOldMagic1)
                    {
                        if (DotNetUtils.CallsMethod(method, "System.Object System.AppDomain::GetData(System.String)"))
                        {
                            version = ConfuserVersion.v13_r55604_safe;
                        }
                        else
                        {
                            version = ConfuserVersion.v10_r42915;
                        }
                    }
                    else
                    {
                        if (!FindSafeKey1(method, out key1))
                        {
                            continue;
                        }
                        version = ConfuserVersion.v14_r58802_safe;
                    }
                }
                else if (!localTypes.Exists("System.Random"))
                {
                    if (foundOldMagic1)
                    {
                        version = ConfuserVersion.v11_r49299;
                    }
                    else
                    {
                        version = ConfuserVersion.v14_r58802_dynamic;
                    }
                }
                else if (localTypes.Exists("System.Collections.Generic.Dictionary`2<System.Int32,System.String>"))
                {
                    version = ConfuserVersion.v10_r48832;
                }
                if (version == ConfuserVersion.Unknown)
                {
                    continue;
                }

                // First classified candidate wins; later methods are not examined.
                decryptMethod = method;
                break;
            }
        }
Esempio n. 13
		/// <summary>
		/// Scans the methods of the type returned by <c>DotNetUtils.GetModuleType(module)</c> for a
		/// string decrypter candidate and fingerprints the Confuser version from it.
		/// </summary>
		/// <remarks>
		/// Candidates are static methods with a body that pass the
		/// <c>IsMethod(..., "System.String", "(System.Int32)")</c> test and whose locals match
		/// <c>requiredLocals</c>. The version is inferred from which magic-value finder succeeded,
		/// which methods are called and which local types exist, so it is a heuristic fingerprint.
		/// <c>magic1</c>, <c>magic2</c>, <c>key1</c> and <c>version</c> are not declared in this method
		/// and are written before a candidate is accepted, so they may hold values from a rejected
		/// method. Whether <c>decryptMethod</c> was set is what shows that a match was found.
		/// </remarks>
		/// <param name="simpleDeobfuscator">Used to deobfuscate each candidate before it is analysed.</param>
		public void Find(ISimpleDeobfuscator simpleDeobfuscator) {
			var type = DotNetUtils.GetModuleType(module);
			if (type == null)
				return;
			foreach (var method in type.Methods) {
				if (!method.IsStatic || method.Body == null)
					continue;
				if (!DotNetUtils.IsMethod(method, "System.String", "(System.Int32)"))
					continue;
				var localTypes = new LocalTypes(method);
				if (!localTypes.All(requiredLocals))
					continue;

				simpleDeobfuscator.Deobfuscate(method);

				// Remember which finder produced magic1; it selects the version below.
				bool foundOldMagic1;
				if (FindMagic1(method, out magic1))
					foundOldMagic1 = true;
				else if (FindNewMagic1(method, out magic1))
					foundOldMagic1 = false;
				else
					continue;
				if (!FindMagic2(method, out magic2))
					continue;

				// Reset per candidate; still Unknown after the branches means no version matched.
				version = ConfuserVersion.Unknown;
				if (DotNetUtils.CallsMethod(method, "System.Text.Encoding System.Text.Encoding::get_UTF8()")) {
					if (foundOldMagic1) {
						if (DotNetUtils.CallsMethod(method, "System.Object System.AppDomain::GetData(System.String)"))
							version = ConfuserVersion.v13_r55604_safe;
						else
							version = ConfuserVersion.v10_r42915;
					}
					else {
						if (!FindSafeKey1(method, out key1))
							continue;
						version = ConfuserVersion.v14_r58802_safe;
					}
				}
				else if (!localTypes.Exists("System.Random")) {
					if (foundOldMagic1)
						version = ConfuserVersion.v11_r49299;
					else
						version = ConfuserVersion.v14_r58802_dynamic;
				}
				else if (localTypes.Exists("System.Collections.Generic.Dictionary`2<System.Int32,System.String>"))
					version = ConfuserVersion.v10_r48832;
				if (version == ConfuserVersion.Unknown)
					continue;

				// First classified candidate wins; later methods are not examined.
				decryptMethod = method;
				break;
			}
		}
		/// <summary>
		/// Scans the methods of the type returned by <c>DotNetUtils.GetModuleType(module)</c> for a
		/// decrypter candidate, fingerprints the Confuser version from it, and registers it.
		/// </summary>
		/// <remarks>
		/// Candidates are static methods with a body that pass the
		/// <c>IsMethod(..., "System.Object", "(System.UInt32)")</c> test. The version is chosen from
		/// markers in the method (local types, integer constants, called methods, a <c>Conv_I8</c>
		/// instruction, and whether <c>FindNativeMethod</c> returns a method). The branch order decides
		/// which version wins, and only the first matching method is used. The result is a heuristic
		/// fingerprint, not a verified version.
		/// </remarks>
		public void Find() {
			var type = DotNetUtils.GetModuleType(module);
			if (type == null)
				return;
			foreach (var method in type.Methods) {
				if (!method.IsStatic || method.Body == null)
					continue;
				if (!DotNetUtils.IsMethod(method, "System.Object", "(System.UInt32)"))
					continue;

				DecrypterInfo info = new DecrypterInfo();
				var localTypes = new LocalTypes(method);
				// First family: methods whose locals match requiredLocals1.
				if (localTypes.All(requiredLocals1)) {
					if (localTypes.Exists("System.Collections.BitArray"))	// or System.Random
						version = ConfuserVersion.v15_r60785_normal;
					// All three integer constants must be present for this version.
					else if (DeobUtils.HasInteger(method, 0x100) &&
							DeobUtils.HasInteger(method, 0x10000) &&
							DeobUtils.HasInteger(method, 0xFFFF))
						version = ConfuserVersion.v17_r73404_normal;
					else if (DotNetUtils.CallsMethod(method, "System.String System.Text.Encoding::GetString(System.Byte[])")) {
						if (FindInstruction(method.Body.Instructions, 0, Code.Conv_I8) >= 0) {
							if (DotNetUtils.CallsMethod(method, "System.Void System.Console::WriteLine()"))
								version = ConfuserVersion.v15_r60785_dynamic;
							else
								version = ConfuserVersion.v17_r72989_dynamic;
						}
						else
							version = ConfuserVersion.v17_r73740_dynamic;
					}
					else if (DotNetUtils.CallsMethod(method, "System.String System.Text.Encoding::GetString(System.Byte[],System.Int32,System.Int32)")) {
						// Side effect: nativeMethod is assigned inside the condition.
						if ((nativeMethod = FindNativeMethod(method)) == null)
							version = ConfuserVersion.v17_r73764_dynamic;
						else
							version = ConfuserVersion.v17_r73764_native;
					}
					else
						continue;
				}
				// Second family: methods whose locals match requiredLocals2.
				else if (localTypes.All(requiredLocals2)) {
					if (DeobUtils.HasInteger(method, 0x100) &&
						DeobUtils.HasInteger(method, 0x10000) &&
						DeobUtils.HasInteger(method, 0xFFFF))
						version = ConfuserVersion.v17_r73822_normal;
					else if (DotNetUtils.CallsMethod(method, "System.Int32 System.Object::GetHashCode()")) {
						// Side effect: nativeMethod is assigned inside the condition.
						if ((nativeMethod = FindNativeMethod(method)) == null)
							version = ConfuserVersion.v17_r74021_dynamic;
						else
							version = ConfuserVersion.v17_r74021_native;
					}
					// Fallback for this family: every remaining method is classified, none is skipped.
					else if ((nativeMethod = FindNativeMethod(method)) == null)
						version = ConfuserVersion.v17_r73822_dynamic;
					else
						version = ConfuserVersion.v17_r73822_native;
				}
				else
					continue;

				// Record the first match and stop; later methods are not examined.
				info.decryptMethod = method;
				theDecrypterInfo = info;
				Add(info);
				break;
			}
		}