public static bool couldBeDecryptMethod(MethodDefinition method, IEnumerable <string> additionalTypes)
{
if (method.Body == null)
{
return(false);
}
var localTypes = new LocalTypes(method);
var requiredTypes = new List <string> {
"System.Byte[]",
"System.IO.MemoryStream",
"System.Security.Cryptography.CryptoStream",
"System.Security.Cryptography.ICryptoTransform",
};
requiredTypes.AddRange(additionalTypes);
if (!localTypes.all(requiredTypes))
{
return(false);
}
if (!localTypes.exists("System.Security.Cryptography.RijndaelManaged") &&
!localTypes.exists("System.Security.Cryptography.AesManaged"))
{
return(false);
}
return(true);
}
bool checkType(TypeDef type)
{
var requiredTypes = new string[] {
"System.Byte[]",
"System.IO.MemoryStream",
"System.Security.Cryptography.CryptoStream",
"System.Security.Cryptography.MD5",
"System.Security.Cryptography.Rijndael",
};
foreach (var method in type.Methods)
{
if (!method.IsStatic || method.Body == null)
{
continue;
}
var sig = method.MethodSig;
if (sig == null || sig.Params.Count != 2)
{
continue;
}
if (!checkType(sig.RetType, ElementType.String))
{
continue;
}
if (!checkType(sig.Params[0], ElementType.String))
{
continue;
}
if (!checkType(sig.Params[1], ElementType.String))
{
continue;
}
var localTypes = new LocalTypes(method);
if (!localTypes.all(requiredTypes))
{
continue;
}
antiStrongNameMethod = method;
return(true);
}
return(false);
}
bool checkType(TypeDefinition type)
{
var requiredTypes = new string[] {
"System.Byte[]",
"System.IO.MemoryStream",
"System.Security.Cryptography.CryptoStream",
"System.Security.Cryptography.MD5",
"System.Security.Cryptography.Rijndael",
};
foreach (var method in type.Methods)
{
if (!method.IsStatic || method.Body == null)
{
continue;
}
if (method.Parameters.Count != 2)
{
continue;
}
if (!checkType(method.MethodReturnType.ReturnType.FullName, "System.String"))
{
continue;
}
if (!checkType(method.Parameters[0].ParameterType.FullName, "System.String"))
{
continue;
}
if (!checkType(method.Parameters[1].ParameterType.FullName, "System.String"))
{
continue;
}
var localTypes = new LocalTypes(method);
if (!localTypes.all(requiredTypes))
{
continue;
}
antiStrongNameMethod = method;
return(true);
}
return(false);
}
public static bool couldBeDecryptMethod(MethodDefinition method, IEnumerable<string> additionalTypes)
{
if (method.Body == null)
return false;
var localTypes = new LocalTypes(method);
var requiredTypes = new List<string> {
"System.Byte[]",
"System.IO.MemoryStream",
"System.Security.Cryptography.CryptoStream",
"System.Security.Cryptography.ICryptoTransform",
};
requiredTypes.AddRange(additionalTypes);
if (!localTypes.all(requiredTypes))
return false;
if (!localTypes.exists("System.Security.Cryptography.RijndaelManaged") &&
!localTypes.exists("System.Security.Cryptography.AesManaged"))
return false;
return true;
}
public bool couldBeResourceDecrypter(MethodDefinition method, IEnumerable <string> additionalTypes, bool checkResource)
{
if (!method.IsStatic)
{
return(false);
}
if (method.Body == null)
{
return(false);
}
var localTypes = new LocalTypes(method);
var requiredTypes = new List <string> {
"System.Byte[]",
"System.IO.BinaryReader",
"System.IO.MemoryStream",
"System.Security.Cryptography.CryptoStream",
"System.Security.Cryptography.ICryptoTransform",
};
requiredTypes.AddRange(additionalTypes);
if (!localTypes.all(requiredTypes))
{
return(false);
}
if (!localTypes.exists("System.Security.Cryptography.RijndaelManaged") &&
!localTypes.exists("System.Security.Cryptography.AesManaged"))
{
return(false);
}
if (checkResource && findMethodsDecrypterResource(method) == null)
{
return(false);
}
return(true);
}
bool checkType(TypeDefinition type)
{
var requiredTypes = new string[] {
"System.Byte[]",
"System.IO.MemoryStream",
"System.Security.Cryptography.CryptoStream",
"System.Security.Cryptography.MD5",
"System.Security.Cryptography.Rijndael",
};
foreach (var method in type.Methods) {
if (!method.IsStatic || method.Body == null)
continue;
if (method.Parameters.Count != 2)
continue;
if (!checkType(method.MethodReturnType.ReturnType.FullName, "System.String"))
continue;
if (!checkType(method.Parameters[0].ParameterType.FullName, "System.String"))
continue;
if (!checkType(method.Parameters[1].ParameterType.FullName, "System.String"))
continue;
var localTypes = new LocalTypes(method);
if (!localTypes.all(requiredTypes))
continue;
antiStrongNameMethod = method;
return true;
}
return false;
}
bool checkMethod(ISimpleDeobfuscator simpleDeobfuscator, MethodDefinition methodToCheck)
{
if (methodToCheck == null)
{
return(false);
}
var resolverLocals = new string[] {
"System.Byte[]",
"System.Reflection.Assembly",
"System.Security.Cryptography.MD5",
"System.String",
"System.IO.BinaryReader",
"System.IO.Stream",
};
simpleDeobfuscator.deobfuscate(methodToCheck);
foreach (var method in DotNetUtils.getCalledMethods(module, methodToCheck))
{
var type = method.DeclaringType;
if (!DotNetUtils.isMethod(method, "System.Void", "()"))
{
continue;
}
if (!method.IsStatic)
{
continue;
}
if (type.Fields.Count != 2)
{
continue;
}
if (type.HasNestedTypes)
{
continue;
}
if (type.HasEvents || type.HasProperties)
{
continue;
}
if (!checkFields(type.Fields))
{
continue;
}
var resolverMethod = findAssemblyResolveMethod(type);
if (resolverMethod == null)
{
continue;
}
var localTypes = new LocalTypes(resolverMethod);
if (!localTypes.all(resolverLocals))
{
continue;
}
assemblyResolverType = type;
assemblyResolverMethod = resolverMethod;
assemblyResolverInitMethod = method;
return(true);
}
return(false);
}
void findKeyIv(MethodDef method, out byte[] key, out byte[] iv)
{
key = null;
iv = null;
var requiredTypes = new string[] {
"System.Byte[]",
"System.IO.MemoryStream",
"System.Security.Cryptography.CryptoStream",
"System.Security.Cryptography.Rijndael",
};
foreach (var calledMethod in DotNetUtils.getCalledMethods(module, method))
{
if (calledMethod.DeclaringType != method.DeclaringType)
{
continue;
}
if (calledMethod.MethodSig.GetRetType().GetFullName() != "System.Byte[]")
{
continue;
}
var localTypes = new LocalTypes(calledMethod);
if (!localTypes.all(requiredTypes))
{
continue;
}
var instructions = calledMethod.Body.Instructions;
byte[] newKey = null, newIv = null;
for (int i = 0; i < instructions.Count && (newKey == null || newIv == null); i++)
{
var instr = instructions[i];
if (instr.OpCode.Code != Code.Ldtoken)
{
continue;
}
var field = instr.Operand as FieldDef;
if (field == null)
{
continue;
}
if (field.InitialValue == null)
{
continue;
}
if (field.InitialValue.Length == 32)
{
newKey = field.InitialValue;
}
else if (field.InitialValue.Length == 16)
{
newIv = field.InitialValue;
}
}
if (newKey == null || newIv == null)
{
continue;
}
initializeStringDecrypterVersion(method);
key = newKey;
iv = newIv;
return;
}
}
bool checkType(TypeDef type)
{
var requiredTypes = new string[] {
"System.Byte[]",
"System.IO.MemoryStream",
"System.Security.Cryptography.CryptoStream",
"System.Security.Cryptography.MD5",
"System.Security.Cryptography.Rijndael",
};
foreach (var method in type.Methods) {
if (!method.IsStatic || method.Body == null)
continue;
var sig = method.MethodSig;
if (sig == null || sig.Params.Count != 2)
continue;
if (!checkType(sig.RetType, ElementType.String))
continue;
if (!checkType(sig.Params[0], ElementType.String))
continue;
if (!checkType(sig.Params[1], ElementType.String))
continue;
var localTypes = new LocalTypes(method);
if (!localTypes.all(requiredTypes))
continue;
antiStrongNameMethod = method;
return true;
}
return false;
}
