string getPassword(MethodDefinition decryptMethod)
{
foreach (var method in DotNetUtils.getCalledMethods(module, decryptMethod))
{
if (!method.IsStatic || method.Body == null)
{
continue;
}
if (!MemberReferenceHelper.compareTypes(method.DeclaringType, decryptMethod.DeclaringType))
{
continue;
}
if (!DotNetUtils.isMethod(method, "System.String", "()"))
{
continue;
}
var hexChars = getPassword2(method);
if (string.IsNullOrEmpty(hexChars))
{
continue;
}
var password = fixPassword(hexChars);
if (string.IsNullOrEmpty(password))
{
continue;
}
return(password);
}
return(null);
}
protected override bool isUnknownType(object o)
{
var arg = o as ParameterDefinition;
if (arg != null)
{
return(MemberReferenceHelper.isSystemObject(arg.ParameterType));
}
var field = o as FieldDefinition;
if (field != null)
{
return(MemberReferenceHelper.isSystemObject(field.FieldType));
}
var retType = o as MethodReturnType;
if (retType != null)
{
return(MemberReferenceHelper.isSystemObject(retType.ReturnType));
}
throw new ApplicationException(string.Format("Unknown type: {0}", o.GetType()));
}
protected virtual bool canInline(MethodDefinition method)
{
if (method.GenericParameters.Count > 0)
{
return(false);
}
if (MemberReferenceHelper.compareMethodReferenceAndDeclaringType(method, blocks.Method))
{
return(false);
}
if (!MemberReferenceHelper.compareTypes(method.DeclaringType, blocks.Method.DeclaringType))
{
return(false);
}
if (method.IsStatic)
{
return(true);
}
if (method.IsVirtual)
{
return(false);
}
return(inlineInstanceMethods);
}
public bool updateNewType(ModuleDefinition module)
{
if (types.Count == 0)
{
return(false);
}
TypeReference theNewType = null;
foreach (var key in types.Keys)
{
if (theNewType == null)
{
theNewType = key.TypeReference;
continue;
}
theNewType = getCommonBaseClass(module, theNewType, key.TypeReference);
if (theNewType == null)
{
break;
}
}
if (theNewType == null)
{
return(false);
}
if (MemberReferenceHelper.compareTypes(theNewType, newType))
{
return(false);
}
newType = theNewType;
return(true);
}
void fixTypeofDecrypterInstructions(Blocks blocks)
{
var type = getDecrypterType();
if (type == null)
{
return;
}
foreach (var block in blocks.MethodBlocks.getAllBlocks())
{
var instructions = block.Instructions;
for (int i = 0; i < instructions.Count; i++)
{
var instr = instructions[i];
if (instr.OpCode.Code != Code.Ldtoken)
{
continue;
}
if (!MemberReferenceHelper.compareTypes(type, instr.Operand as TypeReference))
{
continue;
}
instructions[i] = new Instr(Instruction.Create(OpCodes.Ldtoken, blocks.Method.DeclaringType));
}
}
}
protected override TypeReference updateGenericParameter(GenericParameter a)
{
switch (a.Type)
{
case GenericParameterType.Type:
if (git == null || a.Position >= git.GenericArguments.Count ||
!MemberReferenceHelper.compareTypes(git.ElementType, a.Owner as TypeReference))
{
return(a);
}
modified = true;
return(update(git.GenericArguments[a.Position]));
case GenericParameterType.Method:
if (gim == null || a.Position >= gim.GenericArguments.Count)
{
return(a);
}
modified = true;
return(update(gim.GenericArguments[a.Position]));
default:
return(a);
}
}
void deleteCustomAttributes(IList <CustomAttribute> customAttrs)
{
if (customAttrs == null)
{
return;
}
foreach (var info in attrsToRemove)
{
var typeDef = info.obj;
if (typeDef == null)
{
continue;
}
for (int i = 0; i < customAttrs.Count; i++)
{
if (MemberReferenceHelper.compareTypes(customAttrs[i].AttributeType, typeDef))
{
customAttrs.RemoveAt(i);
Log.v("Removed custom attribute {0} ({1:X8}) (reason: {2})",
Utils.removeNewlines(typeDef),
typeDef.MetadataToken.ToUInt32(),
info.reason);
break;
}
}
}
}
bool addCast(Block block, int castIndex, int index, TypeReference type)
{
if (type == null)
{
return(false);
}
if (castIndex >= block.Instructions.Count || index >= block.Instructions.Count)
{
return(false);
}
var stloc = block.Instructions[index];
if (!stloc.isStloc())
{
return(false);
}
var local = DotNetUtils.getLocalVar(blocks.Locals, stloc.Instruction);
if (local == null)
{
return(false);
}
var localInfo = localInfos[local];
if (localInfo.CastType == null)
{
return(false);
}
if (!MemberReferenceHelper.compareTypes(localInfo.CastType, type))
{
block.insert(castIndex, new Instruction(OpCodes.Castclass, localInfo.CastType));
}
return(true);
}
bool compareMethod(MethodReference method, BabelMethodreference babelMethodRef)
{
if (method.Parameters.Count != babelMethodRef.Parameters.Length)
{
return(false);
}
if (method.Name != babelMethodRef.Name)
{
return(false);
}
if (method.HasThis != babelMethodRef.HasThis)
{
return(false);
}
if (method.GenericParameters.Count != babelMethodRef.GenericArguments.Length)
{
return(false);
}
if (!MemberReferenceHelper.compareTypes(method.MethodReturnType.ReturnType, babelMethodRef.ReturnType))
{
return(false);
}
for (int i = 0; i < babelMethodRef.Parameters.Length; i++)
{
if (!MemberReferenceHelper.compareTypes(method.Parameters[i].ParameterType, babelMethodRef.Parameters[i].ParameterType))
{
return(false);
}
}
return(true);
}
public FieldDefinition resolve(FieldReference field)
{
if (field == null)
{
return(null);
}
var fieldDef = field as FieldDefinition;
if (fieldDef != null)
{
return(fieldDef);
}
var type = resolve(field.DeclaringType);
if (type == null)
{
return(null);
}
foreach (var f in type.Fields)
{
if (MemberReferenceHelper.compareFieldReference(field, f))
{
return(f);
}
}
return(null);
}
public MethodDefinition resolve(MethodReference method)
{
if (method == null)
{
return(null);
}
var methodDef = method as MethodDefinition;
if (methodDef != null)
{
return(methodDef);
}
var type = resolve(method.DeclaringType);
if (type == null)
{
return(null);
}
foreach (var m in type.Methods)
{
if (MemberReferenceHelper.compareMethodReference(method, m))
{
return(m);
}
}
return(null);
}
public void deobfuscate(Blocks blocks)
{
if (!Detected)
{
return;
}
if (stringStructField == null)
{
return;
}
foreach (var block in blocks.MethodBlocks.getAllBlocks())
{
var instrs = block.Instructions;
for (int i = 0; i < instrs.Count - 1; i++)
{
var ldstr = instrs[i];
if (ldstr.OpCode.Code != Code.Ldstr)
{
continue;
}
var ldfld = instrs[i + 1];
if (ldfld.OpCode.Code != Code.Ldfld)
{
continue;
}
if (!MemberReferenceHelper.compareFieldReferenceAndDeclaringType(stringStructField, ldfld.Operand as FieldReference))
{
continue;
}
block.remove(i + 1, 1);
}
}
}
public void deobfuscate(Blocks blocks)
{
foreach (var block in blocks.MethodBlocks.getAllBlocks())
{
var instrs = block.Instructions;
for (int i = 0; i < instrs.Count - 2; i++)
{
var ldsfld = instrs[i];
if (ldsfld.OpCode.Code != Code.Ldsfld)
{
continue;
}
var ldci4 = instrs[i + 1];
if (!ldci4.isLdcI4())
{
continue;
}
var stfld = instrs[i + 2];
if (stfld.OpCode.Code != Code.Stfld)
{
continue;
}
var field = stfld.Operand as FieldReference;
if (!MemberReferenceHelper.compareFieldReferenceAndDeclaringType(enumField, field))
{
continue;
}
block.remove(i, 3);
i--;
}
}
}
bool checkMemoryManagerType(TypeDefinition type, MethodDefinition method)
{
// Only two fields: itself and a long
int fields = 0;
foreach (var field in type.Fields)
{
if (MemberReferenceHelper.compareTypes(field.FieldType, type) ||
field.FieldType.FullName == "System.Int64")
{
fields++;
continue;
}
if (DotNetUtils.derivesFromDelegate(DotNetUtils.getType(module, field.FieldType)))
{
continue;
}
return(false);
}
if (fields != 2)
{
return(false);
}
if (DotNetUtils.getPInvokeMethod(type, "kernel32", "SetProcessWorkingSetSize") == null)
{
return(false);
}
return(true);
}
void findInitializeComponentMethod(TypeDef type, MethodDef possibleInitMethod)
{
foreach (var methodDef in type.AllMethods)
{
if (methodDef.MethodDefinition.Name != ".ctor")
{
continue;
}
if (methodDef.MethodDefinition.Body == null)
{
continue;
}
foreach (var instr in methodDef.MethodDefinition.Body.Instructions)
{
if (instr.OpCode.Code != Code.Call && instr.OpCode.Code != Code.Callvirt)
{
continue;
}
if (!MemberReferenceHelper.compareMethodReferenceAndDeclaringType(possibleInitMethod.MethodDefinition, instr.Operand as MethodReference))
{
continue;
}
memberInfos.method(possibleInitMethod).suggestedName = "InitializeComponent";
return;
}
}
}
public void deobfuscate(Blocks blocks)
{
if (initMethod == null)
{
return;
}
if (blocks.Method.Name != ".cctor")
{
return;
}
foreach (var block in blocks.MethodBlocks.getAllBlocks())
{
var instrs = block.Instructions;
for (int i = 0; i < instrs.Count; i++)
{
var instr = instrs[i];
if (instr.OpCode.Code != Code.Call)
{
continue;
}
var calledMethod = instr.Operand as MethodReference;
if (!MemberReferenceHelper.compareMethodReferenceAndDeclaringType(calledMethod, initMethod))
{
continue;
}
block.remove(i, 1);
i--;
}
}
}
bool checkCctor(MethodDefinition cctor)
{
var ldtokenType = getLdtokenType(cctor);
if (!MemberReferenceHelper.compareTypes(ldtokenType, cctor.DeclaringType))
{
return(false);
}
MethodDefinition initMethod = null;
foreach (var method in DotNetUtils.getCalledMethods(module, cctor))
{
if (DotNetUtils.isMethod(method, "System.Void", "(System.Type)"))
{
initMethod = method;
break;
}
}
if (initMethod == null || initMethod.Body == null)
{
return(false);
}
return(true);
}
public override bool Equals(object obj)
{
var other = obj as MethodDefKey;
if (other == null)
{
return(false);
}
return(MemberReferenceHelper.compareMethodReferenceAndDeclaringType(methodDef.MethodDefinition, other.methodDef.MethodDefinition));
}
public TypeReference convert(TypeReference a)
{
var newOne = update(a);
if (!(a is GenericParameter) && !MemberReferenceHelper.compareTypes(newOne, a))
{
throw new ApplicationException("Could not convert type reference");
}
return(newOne);
}
static bool hasFieldType(IEnumerable <FieldDefinition> fields, TypeReference fieldType)
{
foreach (var field in fields)
{
if (MemberReferenceHelper.compareTypes(field.FieldType, fieldType))
{
return(true);
}
}
return(false);
}
public override bool Equals(object obj)
{
var other = obj as TypeInfo;
if (other == null)
{
return(false);
}
return(typeDef == other.typeDef &&
MemberReferenceHelper.compareTypes(typeReference, other.typeReference));
}
static bool matches(IEnumerable <FieldDefinition> ourFields, FieldReference field)
{
foreach (var ourField in ourFields)
{
if (MemberReferenceHelper.compareFieldReferenceAndDeclaringType(ourField, field))
{
return(true);
}
}
return(false);
}
protected override bool isCompatibleType(int paramIndex, TypeReference origType, TypeReference newType)
{
if (MemberReferenceHelper.compareTypes(origType, newType))
{
return(true);
}
if (newType.IsValueType || origType.IsValueType)
{
return(false);
}
return(newType.FullName == "System.Object");
}
public TypeReference update(TypeReference a)
{
if (a == null)
{
return(null);
}
var type = MemberReferenceHelper.getMemberReferenceType(a);
switch (type)
{
case CecilType.ArrayType:
return(updateArrayType((ArrayType)a));
case CecilType.ByReferenceType:
return(updateByReferenceType((ByReferenceType)a));
case CecilType.FunctionPointerType:
return(updateFunctionPointerType((FunctionPointerType)a));
case CecilType.GenericInstanceType:
return(updateGenericInstanceType((GenericInstanceType)a));
case CecilType.GenericParameter:
return(updateGenericParameter((GenericParameter)a));
case CecilType.OptionalModifierType:
return(updateOptionalModifierType((OptionalModifierType)a));
case CecilType.PinnedType:
return(updatePinnedType((PinnedType)a));
case CecilType.PointerType:
return(updatePointerType((PointerType)a));
case CecilType.RequiredModifierType:
return(updateRequiredModifierType((RequiredModifierType)a));
case CecilType.SentinelType:
return(updateSentinelType((SentinelType)a));
case CecilType.TypeDefinition:
return(updateTypeDefinition((TypeDefinition)a));
case CecilType.TypeReference:
return(updateTypeReference((TypeReference)a));
default:
throw new ApplicationException(string.Format("Unknown cecil type {0}", type));
}
}
public static bool findRegisterMethod(TypeDefinition type, out MethodDefinition regMethod, out MethodDefinition handler)
{
foreach (var method in type.Methods)
{
if (!method.IsStatic || method.Body == null)
{
continue;
}
if (method.Body.ExceptionHandlers.Count != 1)
{
continue;
}
foreach (var instr in method.Body.Instructions)
{
if (instr.OpCode.Code != Code.Ldftn)
{
continue;
}
var handlerRef = instr.Operand as MethodReference;
if (handlerRef == null)
{
continue;
}
if (!DotNetUtils.isMethod(handlerRef, "System.Reflection.Assembly", "(System.Object,System.ResolveEventArgs)"))
{
continue;
}
if (!MemberReferenceHelper.compareTypes(type, handlerRef.DeclaringType))
{
continue;
}
handler = DotNetUtils.getMethod(type, handlerRef);
if (handler == null)
{
continue;
}
if (handler.Body == null || handler.Body.ExceptionHandlers.Count != 1)
{
continue;
}
regMethod = method;
return(true);
}
}
regMethod = null;
handler = null;
return(false);
}
public void initialize(ISimpleDeobfuscator deobfuscator)
{
if (decrypterCctor == null)
{
return;
}
deobfuscator.deobfuscate(decrypterCctor);
var instrs = decrypterCctor.Body.Instructions;
for (int i = 0; i < instrs.Count - 4; i++)
{
var ldstr = instrs[i];
if (ldstr.OpCode.Code != Code.Ldstr)
{
continue;
}
var encryptedString = ldstr.Operand as string;
if (encryptedString == null)
{
continue;
}
if (instrs[i + 1].OpCode.Code != Code.Stsfld)
{
continue;
}
if (instrs[i + 2].OpCode.Code != Code.Ldsfld)
{
continue;
}
if (instrs[i + 3].OpCode.Code != Code.Call)
{
continue;
}
if (instrs[i + 4].OpCode.Code != Code.Stsfld)
{
continue;
}
var field = instrs[i + 4].Operand as FieldDefinition;
if (field == null)
{
continue;
}
if (!MemberReferenceHelper.compareTypes(field.DeclaringType, decrypterType))
{
continue;
}
fieldToDecryptedString.add(field, decrypter.decrypt(encryptedString));
}
}
static bool checkCall(Instr instr, MethodReference expectedMethod)
{
if (instr.OpCode.Code != Code.Call && instr.OpCode.Code != Code.Callvirt)
{
return(false);
}
var calledMethod = instr.Operand as MethodReference;
if (calledMethod == null)
{
return(false);
}
return(MemberReferenceHelper.compareMethodReferenceAndDeclaringType(calledMethod, expectedMethod));
}
static bool isCompatibleValueThisPtr(TypeReference origType, TypeReference newType)
{
var newByRef = newType as ByReferenceType;
if (newByRef == null)
{
return(false);
}
if (!newByRef.ElementType.IsValueType || !origType.IsValueType)
{
return(false);
}
return(MemberReferenceHelper.compareTypes(origType, newByRef.ElementType));
}
bool isValidType(TypeReference type)
{
if (type == null)
{
return(false);
}
if (type.EType == ElementType.Void)
{
return(false);
}
while (type != null)
{
switch (MemberReferenceHelper.getMemberReferenceType(type))
{
case CecilType.ArrayType:
case CecilType.GenericInstanceType:
case CecilType.PointerType:
case CecilType.TypeDefinition:
case CecilType.TypeReference:
case CecilType.FunctionPointerType:
break;
case CecilType.GenericParameter:
var gp = (GenericParameter)type;
if (method.DeclaringType != gp.Owner && method != gp.Owner)
{
return(false);
}
break;
case CecilType.ByReferenceType:
case CecilType.OptionalModifierType:
case CecilType.PinnedType:
case CecilType.RequiredModifierType:
case CecilType.SentinelType:
default:
return(false);
}
if (!(type is TypeSpecification))
{
break;
}
type = ((TypeSpecification)type).ElementType;
}
return(type != null);
}
bool checkNestedFields(TypeDefinition nested)
{
if (!new FieldTypes(nested).all(requiredTypes))
{
return(false);
}
foreach (var field in nested.Fields)
{
if (MemberReferenceHelper.compareTypes(nested, field.FieldType))
{
return(true);
}
}
return(false);
}
