protected override TypeReference updateGenericParameter(GenericParameter a)
{
switch (a.Type)
{
case GenericParameterType.Type:
if (git == null || a.Position >= git.GenericArguments.Count ||
!MemberReferenceHelper.compareTypes(git.ElementType, a.Owner as TypeReference))
{
return(a);
}
modified = true;
return(update(git.GenericArguments[a.Position]));
case GenericParameterType.Method:
if (gim == null || a.Position >= gim.GenericArguments.Count)
{
return(a);
}
modified = true;
return(update(gim.GenericArguments[a.Position]));
default:
return(a);
}
}
string getPassword(MethodDefinition decryptMethod)
{
foreach (var method in DotNetUtils.getCalledMethods(module, decryptMethod))
{
if (!method.IsStatic || method.Body == null)
{
continue;
}
if (!MemberReferenceHelper.compareTypes(method.DeclaringType, decryptMethod.DeclaringType))
{
continue;
}
if (!DotNetUtils.isMethod(method, "System.String", "()"))
{
continue;
}
var hexChars = getPassword2(method);
if (string.IsNullOrEmpty(hexChars))
{
continue;
}
var password = fixPassword(hexChars);
if (string.IsNullOrEmpty(password))
{
continue;
}
return(password);
}
return(null);
}
public bool updateNewType(ModuleDefinition module)
{
if (types.Count == 0)
{
return(false);
}
TypeReference theNewType = null;
foreach (var key in types.Keys)
{
if (theNewType == null)
{
theNewType = key.TypeReference;
continue;
}
theNewType = getCommonBaseClass(module, theNewType, key.TypeReference);
if (theNewType == null)
{
break;
}
}
if (theNewType == null)
{
return(false);
}
if (MemberReferenceHelper.compareTypes(theNewType, newType))
{
return(false);
}
newType = theNewType;
return(true);
}
bool compareMethod(MethodReference method, BabelMethodreference babelMethodRef)
{
if (method.Parameters.Count != babelMethodRef.Parameters.Length)
{
return(false);
}
if (method.Name != babelMethodRef.Name)
{
return(false);
}
if (method.HasThis != babelMethodRef.HasThis)
{
return(false);
}
if (method.GenericParameters.Count != babelMethodRef.GenericArguments.Length)
{
return(false);
}
if (!MemberReferenceHelper.compareTypes(method.MethodReturnType.ReturnType, babelMethodRef.ReturnType))
{
return(false);
}
for (int i = 0; i < babelMethodRef.Parameters.Length; i++)
{
if (!MemberReferenceHelper.compareTypes(method.Parameters[i].ParameterType, babelMethodRef.Parameters[i].ParameterType))
{
return(false);
}
}
return(true);
}
void deleteCustomAttributes(IList <CustomAttribute> customAttrs)
{
if (customAttrs == null)
{
return;
}
foreach (var info in attrsToRemove)
{
var typeDef = info.obj;
if (typeDef == null)
{
continue;
}
for (int i = 0; i < customAttrs.Count; i++)
{
if (MemberReferenceHelper.compareTypes(customAttrs[i].AttributeType, typeDef))
{
customAttrs.RemoveAt(i);
Log.v("Removed custom attribute {0} ({1:X8}) (reason: {2})",
Utils.removeNewlines(typeDef),
typeDef.MetadataToken.ToUInt32(),
info.reason);
break;
}
}
}
}
bool addCast(Block block, int castIndex, int index, TypeReference type)
{
if (type == null)
{
return(false);
}
if (castIndex >= block.Instructions.Count || index >= block.Instructions.Count)
{
return(false);
}
var stloc = block.Instructions[index];
if (!stloc.isStloc())
{
return(false);
}
var local = DotNetUtils.getLocalVar(blocks.Locals, stloc.Instruction);
if (local == null)
{
return(false);
}
var localInfo = localInfos[local];
if (localInfo.CastType == null)
{
return(false);
}
if (!MemberReferenceHelper.compareTypes(localInfo.CastType, type))
{
block.insert(castIndex, new Instruction(OpCodes.Castclass, localInfo.CastType));
}
return(true);
}
bool checkCctor(MethodDefinition cctor)
{
var ldtokenType = getLdtokenType(cctor);
if (!MemberReferenceHelper.compareTypes(ldtokenType, cctor.DeclaringType))
{
return(false);
}
MethodDefinition initMethod = null;
foreach (var method in DotNetUtils.getCalledMethods(module, cctor))
{
if (DotNetUtils.isMethod(method, "System.Void", "(System.Type)"))
{
initMethod = method;
break;
}
}
if (initMethod == null || initMethod.Body == null)
{
return(false);
}
return(true);
}
void fixTypeofDecrypterInstructions(Blocks blocks)
{
var type = getDecrypterType();
if (type == null)
{
return;
}
foreach (var block in blocks.MethodBlocks.getAllBlocks())
{
var instructions = block.Instructions;
for (int i = 0; i < instructions.Count; i++)
{
var instr = instructions[i];
if (instr.OpCode.Code != Code.Ldtoken)
{
continue;
}
if (!MemberReferenceHelper.compareTypes(type, instr.Operand as TypeReference))
{
continue;
}
instructions[i] = new Instr(Instruction.Create(OpCodes.Ldtoken, blocks.Method.DeclaringType));
}
}
}
protected virtual bool canInline(MethodDefinition method)
{
if (method.GenericParameters.Count > 0)
{
return(false);
}
if (MemberReferenceHelper.compareMethodReferenceAndDeclaringType(method, blocks.Method))
{
return(false);
}
if (!MemberReferenceHelper.compareTypes(method.DeclaringType, blocks.Method.DeclaringType))
{
return(false);
}
if (method.IsStatic)
{
return(true);
}
if (method.IsVirtual)
{
return(false);
}
return(inlineInstanceMethods);
}
bool checkMemoryManagerType(TypeDefinition type, MethodDefinition method)
{
// Only two fields: itself and a long
int fields = 0;
foreach (var field in type.Fields)
{
if (MemberReferenceHelper.compareTypes(field.FieldType, type) ||
field.FieldType.FullName == "System.Int64")
{
fields++;
continue;
}
if (DotNetUtils.derivesFromDelegate(DotNetUtils.getType(module, field.FieldType)))
{
continue;
}
return(false);
}
if (fields != 2)
{
return(false);
}
if (DotNetUtils.getPInvokeMethod(type, "kernel32", "SetProcessWorkingSetSize") == null)
{
return(false);
}
return(true);
}
public TypeReference convert(TypeReference a)
{
var newOne = update(a);
if (!(a is GenericParameter) && !MemberReferenceHelper.compareTypes(newOne, a))
{
throw new ApplicationException("Could not convert type reference");
}
return(newOne);
}
static bool hasFieldType(IEnumerable <FieldDefinition> fields, TypeReference fieldType)
{
foreach (var field in fields)
{
if (MemberReferenceHelper.compareTypes(field.FieldType, fieldType))
{
return(true);
}
}
return(false);
}
public override bool Equals(object obj)
{
var other = obj as TypeInfo;
if (other == null)
{
return(false);
}
return(typeDef == other.typeDef &&
MemberReferenceHelper.compareTypes(typeReference, other.typeReference));
}
protected override bool isCompatibleType(int paramIndex, TypeReference origType, TypeReference newType)
{
if (MemberReferenceHelper.compareTypes(origType, newType))
{
return(true);
}
if (newType.IsValueType || origType.IsValueType)
{
return(false);
}
return(newType.FullName == "System.Object");
}
public static bool findRegisterMethod(TypeDefinition type, out MethodDefinition regMethod, out MethodDefinition handler)
{
foreach (var method in type.Methods)
{
if (!method.IsStatic || method.Body == null)
{
continue;
}
if (method.Body.ExceptionHandlers.Count != 1)
{
continue;
}
foreach (var instr in method.Body.Instructions)
{
if (instr.OpCode.Code != Code.Ldftn)
{
continue;
}
var handlerRef = instr.Operand as MethodReference;
if (handlerRef == null)
{
continue;
}
if (!DotNetUtils.isMethod(handlerRef, "System.Reflection.Assembly", "(System.Object,System.ResolveEventArgs)"))
{
continue;
}
if (!MemberReferenceHelper.compareTypes(type, handlerRef.DeclaringType))
{
continue;
}
handler = DotNetUtils.getMethod(type, handlerRef);
if (handler == null)
{
continue;
}
if (handler.Body == null || handler.Body.ExceptionHandlers.Count != 1)
{
continue;
}
regMethod = method;
return(true);
}
}
regMethod = null;
handler = null;
return(false);
}
public void initialize(ISimpleDeobfuscator deobfuscator)
{
if (decrypterCctor == null)
{
return;
}
deobfuscator.deobfuscate(decrypterCctor);
var instrs = decrypterCctor.Body.Instructions;
for (int i = 0; i < instrs.Count - 4; i++)
{
var ldstr = instrs[i];
if (ldstr.OpCode.Code != Code.Ldstr)
{
continue;
}
var encryptedString = ldstr.Operand as string;
if (encryptedString == null)
{
continue;
}
if (instrs[i + 1].OpCode.Code != Code.Stsfld)
{
continue;
}
if (instrs[i + 2].OpCode.Code != Code.Ldsfld)
{
continue;
}
if (instrs[i + 3].OpCode.Code != Code.Call)
{
continue;
}
if (instrs[i + 4].OpCode.Code != Code.Stsfld)
{
continue;
}
var field = instrs[i + 4].Operand as FieldDefinition;
if (field == null)
{
continue;
}
if (!MemberReferenceHelper.compareTypes(field.DeclaringType, decrypterType))
{
continue;
}
fieldToDecryptedString.add(field, decrypter.decrypt(encryptedString));
}
}
static bool isCompatibleValueThisPtr(TypeReference origType, TypeReference newType)
{
var newByRef = newType as ByReferenceType;
if (newByRef == null)
{
return(false);
}
if (!newByRef.ElementType.IsValueType || !origType.IsValueType)
{
return(false);
}
return(MemberReferenceHelper.compareTypes(origType, newByRef.ElementType));
}
bool checkNestedFields(TypeDefinition nested)
{
if (!new FieldTypes(nested).all(requiredTypes))
{
return(false);
}
foreach (var field in nested.Fields)
{
if (MemberReferenceHelper.compareTypes(nested, field.FieldType))
{
return(true);
}
}
return(false);
}
protected override bool isCompatibleType(int paramIndex, TypeReference origType, TypeReference newType)
{
if (MemberReferenceHelper.compareTypes(origType, newType))
{
return(true);
}
if (paramIndex == -1)
{
if (newType.IsValueType || origType.IsValueType)
{
return(false);
}
}
return(newType.EType == ElementType.Object);
}
List <FieldDefinition> findFields()
{
var charArrayFields = new List <FieldDefinition>();
foreach (var instr in Method.Body.Instructions)
{
if (instr.OpCode.Code != Code.Stsfld && instr.OpCode.Code != Code.Ldsfld)
{
continue;
}
var field = instr.Operand as FieldDefinition;
if (field == null)
{
continue;
}
if (!MemberReferenceHelper.compareTypes(Method.DeclaringType, field.DeclaringType))
{
continue;
}
switch (field.FieldType.FullName)
{
case "System.Char[]":
if (!charArrayFields.Contains(field))
{
charArrayFields.Add(field);
}
break;
case "System.String[]":
if (cachedStringsField != null && cachedStringsField != field)
{
return(null);
}
cachedStringsField = field;
break;
default:
break;
}
}
if (cachedStringsField == null)
{
return(null);
}
return(charArrayFields);
}
public void deobfuscate(Blocks blocks)
{
if (type == null)
{
return;
}
foreach (var block in blocks.MethodBlocks.getAllBlocks())
{
var instrs = block.Instructions;
for (int i = 0; i < instrs.Count - 1; i++)
{
var instr = instrs[i];
if (instr.OpCode.Code != Code.Ldc_I4)
{
continue;
}
var call = instrs[i + 1];
if (call.OpCode.Code != Code.Call)
{
continue;
}
var method = call.Operand as MethodReference;
if (method == null)
{
continue;
}
if (!MemberReferenceHelper.compareTypes(type, method.DeclaringType))
{
continue;
}
var methodDef = DotNetUtils.getMethod(module, method);
if (methodDef == null)
{
continue;
}
if (methodDef != typeMethod && methodDef != fieldMethod)
{
continue;
}
int token = (int)instrs[i].Operand;
instrs[i] = new Instr(Instruction.Create(OpCodes.Nop));
instrs[i + 1] = new Instr(new Instruction(OpCodes.Ldtoken, module.LookupToken(token) as MemberReference));
}
}
}
ResolverVersion checkSetupMethod(MethodDefinition setupMethod)
{
var instructions = setupMethod.Body.Instructions;
int foundCount = 0;
for (int i = 0; i < instructions.Count; i++)
{
var instrs = DotNetUtils.getInstructions(instructions, i, OpCodes.Ldnull, OpCodes.Ldftn, OpCodes.Newobj);
if (instrs == null)
{
continue;
}
MethodReference methodRef;
var ldftn = instrs[1];
var newobj = instrs[2];
methodRef = ldftn.Operand as MethodReference;
if (methodRef == null || !MemberReferenceHelper.compareTypes(setupMethod.DeclaringType, methodRef.DeclaringType))
{
continue;
}
methodRef = newobj.Operand as MethodReference;
if (methodRef == null || methodRef.FullName != "System.Void System.ResolveEventHandler::.ctor(System.Object,System.IntPtr)")
{
continue;
}
foundCount++;
}
if (foundCount == 0)
{
return(ResolverVersion.None);
}
switch (foundCount)
{
case 1: return(ResolverVersion.V1);
case 2: return(ResolverVersion.V2);
default: return(ResolverVersion.None);
}
}
MethodDefinition findSimpleZipTypeMethod(MethodDefinition method)
{
if (method == null || method.Body == null)
{
return(null);
}
var instructions = method.Body.Instructions;
for (int i = 0; i <= instructions.Count - 2; i++)
{
var call = instructions[i];
if (call.OpCode.Code != Code.Call)
{
continue;
}
var calledMethod = call.Operand as MethodDefinition;
if (calledMethod == null)
{
continue;
}
if (!DotNetUtils.isMethod(calledMethod, "System.Byte[]", "(System.Byte[])"))
{
continue;
}
var stsfld = instructions[i + 1];
if (stsfld.OpCode.Code != Code.Stsfld)
{
continue;
}
var field = stsfld.Operand as FieldReference;
if (field == null || field.FieldType.FullName != "System.Byte[]")
{
continue;
}
if (!MemberReferenceHelper.compareTypes(stringsEncodingClass, field.DeclaringType))
{
continue;
}
return(calledMethod);
}
return(null);
}
bool checkFields(TypeDefinition type, string fieldType1, TypeDefinition fieldType2)
{
if (type.Fields.Count != 2)
{
return(false);
}
if (type.Fields[0].FieldType.FullName != fieldType1 &&
type.Fields[1].FieldType.FullName != fieldType1)
{
return(false);
}
if (!MemberReferenceHelper.compareTypes(type.Fields[0].FieldType, fieldType2) &&
!MemberReferenceHelper.compareTypes(type.Fields[1].FieldType, fieldType2))
{
return(false);
}
return(true);
}
void removeInitCode_v2(Blocks blocks)
{
foreach (var block in blocks.MethodBlocks.getAllBlocks())
{
var instructions = block.Instructions;
for (int i = 0; i <= instructions.Count - 3; i++)
{
var ldtoken = instructions[i];
if (ldtoken.OpCode != OpCodes.Ldtoken)
{
continue;
}
if (!MemberReferenceHelper.compareTypes(blocks.Method.DeclaringType, ldtoken.Operand as TypeReference))
{
continue;
}
var call1 = instructions[i + 1];
if (call1.OpCode != OpCodes.Call)
{
continue;
}
var method1 = call1.Operand as MethodReference;
if (method1 == null || method1.ToString() != "System.Type System.Type::GetTypeFromHandle(System.RuntimeTypeHandle)")
{
continue;
}
var call2 = instructions[i + 2];
if (call2.OpCode != OpCodes.Call)
{
continue;
}
var method2 = call2.Operand as MethodReference;
if (!MemberReferenceHelper.compareMethodReferenceAndDeclaringType(method2, CreateStringDelegateMethod))
{
continue;
}
block.remove(i, 3);
break;
}
}
}
void initialize(TypeDefinition type)
{
if (type.HasEvents || type.HasProperties)
{
return;
}
if (!type.IsValueType)
{
return;
}
if (type.Methods.Count != 1)
{
return;
}
var ctor = type.Methods[0];
if (ctor.Name != ".ctor" || ctor.Body == null || ctor.IsStatic)
{
return;
}
if (ctor.Parameters.Count != 1)
{
return;
}
var ctorParam = ctor.Parameters[0];
if (type.Fields.Count != 1)
{
return;
}
var typeField = type.Fields[0];
if (typeField.IsStatic)
{
return;
}
if (!MemberReferenceHelper.compareTypes(ctorParam.ParameterType, typeField.FieldType))
{
return;
}
typeToInfo.add(ctor.DeclaringType, new Info(ctor.DeclaringType, typeField.FieldType));
}
static bool isCallingResourceManagerCtor(IList <Instruction> instrs, int ldstrIndex, TypeInfo typeInfo)
{
try {
int index = ldstrIndex + 1;
var ldtoken = instrs[index++];
if (ldtoken.OpCode.Code != Code.Ldtoken)
{
return(false);
}
if (!MemberReferenceHelper.compareTypes(typeInfo.type.TypeDefinition, ldtoken.Operand as TypeReference))
{
return(false);
}
if (!checkCalledMethod(instrs[index++], "System.Type", "(System.RuntimeTypeHandle)"))
{
return(false);
}
if (!checkCalledMethod(instrs[index++], "System.Reflection.Assembly", "()"))
{
return(false);
}
var newobj = instrs[index++];
if (newobj.OpCode.Code != Code.Newobj)
{
return(false);
}
if (newobj.Operand.ToString() != "System.Void System.Resources.ResourceManager::.ctor(System.String,System.Reflection.Assembly)")
{
return(false);
}
return(true);
}
catch (ArgumentOutOfRangeException) {
return(false);
}
catch (IndexOutOfRangeException) {
return(false);
}
}
bool findFields()
{
foreach (var instr in Method.Body.Instructions)
{
if (instr.OpCode.Code != Code.Stsfld && instr.OpCode.Code != Code.Ldsfld)
{
continue;
}
var field = instr.Operand as FieldDefinition;
if (field == null)
{
continue;
}
if (!MemberReferenceHelper.compareTypes(Method.DeclaringType, field.DeclaringType))
{
continue;
}
switch (field.FieldType.FullName)
{
case "System.Char[]":
if (keyField != null && keyField != field)
{
return(false);
}
keyField = field;
break;
case "System.String[]":
if (cachedStringsField != null && cachedStringsField != field)
{
return(false);
}
cachedStringsField = field;
break;
default:
break;
}
}
return(keyField != null && cachedStringsField != null);
}
bool checkCctor(MethodDefinition cctor)
{
if (cctor.Body == null)
{
return(false);
}
int stsfldCount = 0;
foreach (var instr in cctor.Body.Instructions)
{
if (instr.OpCode.Code == Code.Stsfld)
{
var field = instr.Operand as FieldReference;
if (!MemberReferenceHelper.compareTypes(cctor.DeclaringType, field.DeclaringType))
{
return(false);
}
stsfldCount++;
}
}
return(stsfldCount >= cctor.DeclaringType.Fields.Count);
}
public static List <byte[]> getArrays(MethodDefinition method, TypeReference arrayElemntType)
{
var arrays = new List <byte[]>();
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count; i++)
{
TypeReference type;
var ary = getArray(instrs, ref i, out type);
if (ary == null)
{
break;
}
if (arrayElemntType != null && !MemberReferenceHelper.compareTypes(type, arrayElemntType))
{
continue;
}
arrays.Add(ary);
}
return(arrays);
}
