public void initialize(ModuleDefinition module, EmbeddedResource resource)
{
var decrypted = new ResourceDecrypter(module).decrypt(resource.GetResourceData());
var reader = new BinaryReader(new MemoryStream(decrypted));
while (reader.BaseStream.Position < reader.BaseStream.Length)
{
offsetToString[(int)reader.BaseStream.Position] = reader.ReadString();
}
}
byte[] decryptResourceAssembly()
{
var decrypted = new ResourceDecrypter(module).decrypt(encryptedResource.GetResourceData());
var reader = new BinaryReader(new MemoryStream(decrypted));
int numResources = reader.ReadInt32();
for (int i = 0; i < numResources; i++)
{
reader.ReadString();
}
return(reader.ReadBytes((int)(reader.BaseStream.Length - reader.BaseStream.Position)));
}
static MethodDef FindDecryptMethod(TypeDef type)
{
foreach (var method in type.Methods)
{
var decryptMethod = ResourceDecrypter.FindDecrypterMethod(method);
if (decryptMethod != null)
{
return(decryptMethod);
}
}
return(null);
}
byte[] decryptArray(byte[] encryptedData, int elemSize)
{
var decrypted = new ResourceDecrypter(module).decrypt(encryptedData);
var ary = (Array) new BinaryFormatter().Deserialize(new MemoryStream(decrypted));
if (ary is byte[])
{
return((byte[])ary);
}
var newAry = new byte[ary.Length * elemSize];
Buffer.BlockCopy(ary, 0, newAry, 0, newAry.Length);
return(newAry);
}
public void find()
{
var requiredTypes = new string[] {
"System.Reflection.Assembly",
"System.Object",
"System.Int32",
"System.String[]",
};
foreach (var type in module.Types)
{
if (type.HasEvents)
{
continue;
}
if (!new FieldTypes(type).all(requiredTypes))
{
continue;
}
MethodDefinition regMethod, handler;
if (!BabelUtils.findRegisterMethod(type, out regMethod, out handler))
{
continue;
}
var resource = BabelUtils.findEmbeddedResource(module, type);
if (resource == null)
{
continue;
}
var decryptMethod = findDecryptMethod(type);
if (decryptMethod == null)
{
throw new ApplicationException("Couldn't find resource type decrypt method");
}
resourceDecrypter.DecryptMethod = ResourceDecrypter.findDecrypterMethod(decryptMethod);
initXorKeys(decryptMethod);
resolverType = type;
registerMethod = regMethod;
encryptedResource = resource;
return;
}
}
public void initialize(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
{
if (decrypterType == null)
{
return;
}
encryptedResource = BabelUtils.findEmbeddedResource(module, decrypterType, simpleDeobfuscator, deob);
if (encryptedResource == null)
{
Log.w("Could not find encrypted constants resource");
return;
}
var decrypted = new ResourceDecrypter(module).decrypt(encryptedResource.GetResourceData());
var reader = new BinaryReader(new MemoryStream(decrypted));
int count;
count = reader.ReadInt32();
decryptedInts = new int[count];
while (count-- > 0)
{
decryptedInts[count] = reader.ReadInt32();
}
count = reader.ReadInt32();
decryptedLongs = new long[count];
while (count-- > 0)
{
decryptedLongs[count] = reader.ReadInt64();
}
count = reader.ReadInt32();
decryptedFloats = new float[count];
while (count-- > 0)
{
decryptedFloats[count] = reader.ReadSingle();
}
count = reader.ReadInt32();
decryptedDoubles = new double[count];
while (count-- > 0)
{
decryptedDoubles[count] = reader.ReadDouble();
}
}
bool isConstantDecrypter(TypeDefinition type)
{
if (type.HasEvents)
{
return(false);
}
if (type.NestedTypes.Count != 1)
{
return(false);
}
var nested = type.NestedTypes[0];
if (!checkNestedFields(nested))
{
return(false);
}
resourceDecrypter.DecryptMethod = ResourceDecrypter.findDecrypterMethod(DotNetUtils.getMethod(nested, ".ctor"));
if (DotNetUtils.getMethod(type, "System.Int32", "(System.Int32)") == null)
{
return(false);
}
if (DotNetUtils.getMethod(type, "System.Int64", "(System.Int32)") == null)
{
return(false);
}
if (DotNetUtils.getMethod(type, "System.Single", "(System.Int32)") == null)
{
return(false);
}
if (DotNetUtils.getMethod(type, "System.Double", "(System.Int32)") == null)
{
return(false);
}
if (DotNetUtils.getMethod(type, "System.Array", "(System.Byte[])") == null)
{
return(false);
}
return(true);
}
public void initialize(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
{
if (resolverType == null)
return;
encryptedResource = BabelUtils.findEmbeddedResource(module, resolverType, simpleDeobfuscator, deob);
if (encryptedResource == null) {
Log.w("Could not find embedded assemblies resource");
return;
}
var decrypted = new ResourceDecrypter(module).decrypt(encryptedResource.GetResourceData());
var reader = new BinaryReader(new MemoryStream(decrypted));
int numAssemblies = reader.ReadInt32();
embeddedAssemblyInfos = new EmbeddedAssemblyInfo[numAssemblies];
for (int i = 0; i < numAssemblies; i++) {
string name = reader.ReadString();
var data = reader.ReadBytes(reader.ReadInt32());
var mod = ModuleDefinition.ReadModule(new MemoryStream(data));
embeddedAssemblyInfos[i] = new EmbeddedAssemblyInfo(name, DeobUtils.getExtension(mod.Kind), data);
}
}
public void find()
{
var requiredTypes = new string[] {
"System.Object",
"System.Int32",
"System.Collections.Hashtable",
};
foreach (var type in module.Types)
{
if (type.HasEvents)
{
continue;
}
if (!new FieldTypes(type).exactly(requiredTypes))
{
continue;
}
MethodDef regMethod, handler;
if (!BabelUtils.findRegisterMethod(type, out regMethod, out handler))
{
continue;
}
var decryptMethod = findDecryptMethod(type);
if (decryptMethod == null)
{
throw new ApplicationException("Couldn't find resource type decrypt method");
}
resourceDecrypter.DecryptMethod = ResourceDecrypter.findDecrypterMethod(decryptMethod);
resolverType = type;
registerMethod = regMethod;
return;
}
}
IDecrypterInfo CheckNested(TypeDef type, TypeDef nested)
{
if (nested.HasProperties || nested.HasEvents)
{
return(null);
}
if (nested.FindMethod(".ctor") == null)
{
return(null);
}
if (nested.Fields.Count == 1 || nested.Fields.Count == 3)
{
// 4.0+
if (!HasFieldType(nested.Fields, nested))
{
return(null);
}
var decrypterBuilderMethod = DotNetUtils.GetMethod(nested, "System.Reflection.Emit.MethodBuilder", "(System.Reflection.Emit.TypeBuilder)");
if (decrypterBuilderMethod == null)
{
return(null);
}
resourceDecrypter.DecryptMethod = ResourceDecrypter.FindDecrypterMethod(nested.FindMethod(".ctor"));
var nestedDecrypter = DotNetUtils.GetMethod(nested, "System.String", "(System.Int32)");
if (nestedDecrypter == null || nestedDecrypter.IsStatic)
{
return(null);
}
var decrypter = DotNetUtils.GetMethod(type, "System.String", "(System.Int32)");
if (decrypter == null || !decrypter.IsStatic)
{
return(null);
}
simpleDeobfuscator.Deobfuscate(decrypterBuilderMethod);
return(new DecrypterInfoV3(resourceDecrypter)
{
Decrypter = decrypter,
OffsetCalcInstructions = GetOffsetCalcInstructions(decrypterBuilderMethod),
});
}
else if (nested.Fields.Count == 2)
{
// 3.0 - 3.5
if (CheckFields(nested, "System.Collections.Hashtable", nested))
{
// 3.0 - 3.5
var nestedDecrypter = DotNetUtils.GetMethod(nested, "System.String", "(System.Int32)");
if (nestedDecrypter == null || nestedDecrypter.IsStatic)
{
return(null);
}
var decrypter = DotNetUtils.GetMethod(type, "System.String", "(System.Int32)");
if (decrypter == null || !decrypter.IsStatic)
{
return(null);
}
resourceDecrypter.DecryptMethod = ResourceDecrypter.FindDecrypterMethod(nested.FindMethod(".ctor"));
return(new DecrypterInfoV3(resourceDecrypter)
{
Decrypter = decrypter
});
}
else if (CheckFields(nested, "System.Byte[]", nested))
{
// 3.0
var nestedDecrypter = DotNetUtils.GetMethod(nested, "System.String", "(System.String,System.Int32)");
if (nestedDecrypter == null || nestedDecrypter.IsStatic)
{
return(null);
}
var decrypter = DotNetUtils.GetMethod(type, "System.String", "(System.String,System.Int32)");
if (decrypter == null || !decrypter.IsStatic)
{
return(null);
}
return(new DecrypterInfoV2 {
Decrypter = decrypter
});
}
else
{
return(null);
}
}
return(null);
}
public StringDecrypter(ModuleDefMD module, ResourceDecrypter resourceDecrypter)
{
this.module = module;
this.resourceDecrypter = resourceDecrypter;
}
public DecrypterInfoV3(ResourceDecrypter resourceDecrypter)
{
this.resourceDecrypter = resourceDecrypter;
}
public AssemblyResolver(ModuleDefMD module, ResourceDecrypter resourceDecrypter)
{
this.module = module;
this.resourceDecrypter = resourceDecrypter;
}
public StringDecrypter(ModuleDefMD module, ResourceDecrypter resourceDecrypter) {
this.module = module;
this.resourceDecrypter = resourceDecrypter;
}
public DecrypterInfoV3(ResourceDecrypter resourceDecrypter) {
this.resourceDecrypter = resourceDecrypter;
}
byte[] decryptResourceAssembly()
{
var decrypted = new ResourceDecrypter(module).decrypt(encryptedResource.GetResourceData());
var reader = new BinaryReader(new MemoryStream(decrypted));
int numResources = reader.ReadInt32();
for (int i = 0; i < numResources; i++)
reader.ReadString();
return reader.ReadBytes((int)(reader.BaseStream.Length - reader.BaseStream.Position));
}
public void initialize(ModuleDefinition module, EmbeddedResource resource)
{
var decrypted = new ResourceDecrypter(module).decrypt(resource.GetResourceData());
var reader = new BinaryReader(new MemoryStream(decrypted));
while (reader.BaseStream.Position < reader.BaseStream.Length)
offsetToString[(int)reader.BaseStream.Position] = reader.ReadString();
}
public MethodsDecrypter(ModuleDefMD module, ResourceDecrypter resourceDecrypter, IDeobfuscatorContext deobfuscatorContext) {
this.module = module;
this.resourceDecrypter = resourceDecrypter;
this.deobfuscatorContext = deobfuscatorContext;
}
public ResourceResolver(ModuleDefMD module, ResourceDecrypter resourceDecrypter, ISimpleDeobfuscator simpleDeobfuscator) {
this.module = module;
this.resourceDecrypter = resourceDecrypter;
this.simpleDeobfuscator = simpleDeobfuscator;
}
public ResourceResolver(ModuleDefinition module, ResourceDecrypter resourceDecrypter, ISimpleDeobfuscator simpleDeobfuscator)
{
this.module = module;
this.resourceDecrypter = resourceDecrypter;
this.simpleDeobfuscator = simpleDeobfuscator;
}
public ConstantsDecrypter(ModuleDefMD module, ResourceDecrypter resourceDecrypter, InitializedDataCreator initializedDataCreator) {
this.module = module;
this.resourceDecrypter = resourceDecrypter;
this.initializedDataCreator = initializedDataCreator;
}
public MethodsDecrypter(ModuleDefMD module, ResourceDecrypter resourceDecrypter, IDeobfuscatorContext deobfuscatorContext)
{
this.module = module;
this.resourceDecrypter = resourceDecrypter;
this.deobfuscatorContext = deobfuscatorContext;
}
public AssemblyResolver(ModuleDefMD module, ResourceDecrypter resourceDecrypter)
{
this.module = module;
this.resourceDecrypter = resourceDecrypter;
}
public ConstantsDecrypter(ModuleDefinition module, ResourceDecrypter resourceDecrypter, InitializedDataCreator initializedDataCreator)
{
this.module = module;
this.resourceDecrypter = resourceDecrypter;
this.initializedDataCreator = initializedDataCreator;
}
public void initialize(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
{
if (resolverType == null)
return;
encryptedResource = BabelUtils.findEmbeddedResource(module, resolverType, simpleDeobfuscator, deob);
if (encryptedResource == null) {
Log.w("Could not find embedded assemblies resource");
return;
}
var decrypted = new ResourceDecrypter(module).decrypt(encryptedResource.GetResourceData());
var reader = new BinaryReader(new MemoryStream(decrypted));
int numAssemblies = reader.ReadInt32();
embeddedAssemblyInfos = new EmbeddedAssemblyInfo[numAssemblies];
for (int i = 0; i < numAssemblies; i++) {
string name = reader.ReadString();
var data = reader.ReadBytes(reader.ReadInt32());
var mod = ModuleDefinition.ReadModule(new MemoryStream(data));
embeddedAssemblyInfos[i] = new EmbeddedAssemblyInfo(name, DeobUtils.getExtension(mod.Kind), data);
}
}
