static bool FindKey0d_v18_r75367(DecrypterInfo info) { var instrs = info.method.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { int index = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Int32 System.Reflection.MemberInfo::get_MetadataToken()"); if (index < 0) { break; } int index2 = ConfuserUtils.FindCallMethod(instrs, index, Code.Call, "System.Byte[] System.BitConverter::GetBytes(System.Int32)"); if (index2 < 0) { break; } if (index2 - index != 3) { continue; } var ldci4 = instrs[index + 1]; if (!ldci4.IsLdcI4()) { continue; } if (instrs[index + 2].OpCode.Code != Code.Xor) { continue; } info.key0d = (uint)ldci4.GetLdcI4Value(); return(true); } return(false); }
static bool FindKey5_v17_r74788(MethodDef method, out uint key) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { i = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Reflection.Module System.Reflection.Assembly::GetModule(System.String)"); if (i < 0) { break; } if (i + 1 >= instrs.Count) { break; } var ldci4 = instrs[i + 1]; if (!ldci4.IsLdcI4()) { continue; } key = (uint)ldci4.GetLdcI4Value(); return(true); } key = 0; return(false); }
bool CheckType_v14_r58564(TypeDef type, MethodDef initMethod) { var virtualProtect = DotNetUtils.GetPInvokeMethod(type, "VirtualProtect"); if (virtualProtect == null) { return(false); } if (!DotNetUtils.CallsMethod(initMethod, "System.IntPtr System.Runtime.InteropServices.Marshal::GetHINSTANCE(System.Reflection.Module)")) { return(false); } if (ConfuserUtils.CountCalls(initMethod, virtualProtect) != 3) { return(false); } if (!DeobUtils.HasInteger(initMethod, 224)) { return(false); } if (!DeobUtils.HasInteger(initMethod, 240)) { return(false); } if (!DeobUtils.HasInteger(initMethod, 267)) { return(false); } version = ConfuserVersion.v14_r58564; return(true); }
byte[] DecryptResource_v18_r75367_normal(byte[] encrypted) { var key = GetSigKey(); var decrypted = ConfuserUtils.Decrypt(BitConverter.ToUInt32(key, 12) * (uint)key0, encrypted); return(Decompress(DeobUtils.AesDecrypt(decrypted, key, DeobUtils.Md5Sum(key)))); }
static bool FindKey1(MethodDef method, out uint key) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { int index = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Int32 System.Reflection.MemberInfo::get_MetadataToken()"); if (index < 0) { break; } if (index + 2 > instrs.Count) { break; } if (!instrs[index + 1].IsStloc()) { continue; } var ldci4 = instrs[index + 2]; if (!ldci4.IsLdcI4()) { continue; } key = (uint)ldci4.GetLdcI4Value(); return(true); } key = 0; return(false); }
static bool FindSafeKey1(MethodDef method, out uint key) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { int index = ConfuserUtils.FindCallMethod(instrs, i, Code.Newobj, "System.Void System.Random::.ctor(System.Int32)"); if (index < 0) { break; } if (index == 0) { continue; } var ldci4 = instrs[index - 1]; if (!ldci4.IsLdcI4()) { continue; } key = (uint)ldci4.GetLdcI4Value(); return(true); } key = 0; return(false); }
static bool FindKey0(MethodDef method, out uint key) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { int index = ConfuserUtils.FindCallMethod(instrs, i, Code.Call, "System.Text.Encoding System.Text.Encoding::get_UTF8()"); if (index < 0) { break; } int index2 = ConfuserUtils.FindCallMethod(instrs, i, Code.Call, "System.Byte[] System.BitConverter::GetBytes(System.Int32)"); if (index2 - index != 2) { continue; } var ldci4 = instrs[index + 1]; if (!ldci4.IsLdcI4()) { continue; } key = (uint)ldci4.GetLdcI4Value(); return(true); } key = 0; return(false); }
static bool FindKey4(MethodDef method, out uint key) { var instrs = method.Body.Instructions; for (int index = 0; index < instrs.Count; index++) { index = ConfuserUtils.FindCallMethod(instrs, index, Code.Call, "System.Void System.Runtime.InteropServices.Marshal::Copy(System.Byte[],System.Int32,System.IntPtr,System.Int32)"); if (index < 0) { break; } if (index + 2 >= instrs.Count) { continue; } if (!instrs[index + 1].IsLdloc()) { continue; } var ldci4 = instrs[index + 2]; if (!ldci4.IsLdcI4()) { continue; } key = (uint)ldci4.GetLdcI4Value(); return(true); } key = 0; return(false); }
static bool FindKey4_other(MethodDef method, out uint key) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { int index = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Int32 System.IO.BinaryReader::ReadInt32()"); if (index < 0) { break; } if (index + 1 >= instrs.Count) { break; } var ldci4 = instrs[index + 1]; if (!ldci4.IsLdcI4()) { continue; } key = (uint)ldci4.GetLdcI4Value(); return(true); } key = 0; return(false); }
public override string Decrypt(MethodDef caller, int magic) { var reader = stringDecrypter.reader; reader.Position = (caller.MDToken.ToInt32() ^ magic) - stringDecrypter.magic1; int len = reader.ReadInt32() ^ (int)~stringDecrypter.magic2; var rand = new Random(caller.MDToken.ToInt32()); var instrs = stringDecrypter.decryptMethod.Body.Instructions; constReader = new PolyConstantsReader(instrs, false); int polyIndex = ConfuserUtils.FindCallMethod(instrs, 0, Code.Callvirt, "System.Int64 System.IO.BinaryReader::ReadInt64()"); if (polyIndex < 0) { throw new ApplicationException("Could not find start of decrypt code"); } var decrypted = new byte[len]; for (int i = 0; i < len; i += 8) { constReader.Arg = reader.ReadInt64(); int index = polyIndex; long val; if (!constReader.GetInt64(ref index, out val) || instrs[index].OpCode.Code != Code.Conv_I8) { throw new ApplicationException("Could not get string int64 value"); } Array.Copy(BitConverter.GetBytes(val ^ rand.Next()), 0, decrypted, i, Math.Min(8, len - i)); } return(Encoding.Unicode.GetString(decrypted)); }
Local GetDynamicLocal(out int instrIndex) { var instrs = installMethod.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { i = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Void System.IO.BinaryWriter::Write(System.Byte)"); if (i < 0) { break; } int index = i - 2; if (index < 0) { continue; } var ldloc = instrs[index]; if (!ldloc.IsLdloc()) { continue; } if (instrs[index + 1].OpCode.Code != Code.Conv_U1) { continue; } instrIndex = index; return(ldloc.GetLocal(installMethod.Body.Variables)); } instrIndex = 0; return(null); }
byte[] Decompress(byte[] compressed) { if (lzmaType != null) { return(ConfuserUtils.SevenZipDecompress(compressed)); } return(DeobUtils.Inflate(compressed, true)); }
public void Deobfuscate(Blocks blocks) { if (blocks.Method != installMethod) { return; } ConfuserUtils.RemoveResourceHookCode(blocks, handler); }
static bool FindKey5(MethodDef method, out uint key) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { i = FindCallvirtReadUInt32(instrs, i); if (i < 0) { break; } int index2 = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Int32 System.IO.BinaryReader::ReadInt32()"); if (index2 < 0) { break; } if (index2 - i != 6) { continue; } var ldci4 = instrs[i + 1]; if (!ldci4.IsLdcI4()) { continue; } if (instrs[i + 2].OpCode.Code != Code.Xor) { continue; } var stloc = instrs[i + 3]; if (!stloc.IsStloc()) { continue; } var ldloc = instrs[i + 4]; if (!ldloc.IsLdloc()) { continue; } if (ldloc.GetLocal(method.Body.Variables) == stloc.GetLocal(method.Body.Variables)) { continue; } if (!instrs[i + 5].IsLdloc()) { continue; } key = (uint)ldci4.GetLdcI4Value(); return(true); } key = 0; return(false); }
public void Deobfuscate(Blocks blocks) { if (asmResolverMethod == null) { return; } if (blocks.Method != DotNetUtils.GetModuleTypeCctor(module)) { return; } ConfuserUtils.RemoveResourceHookCode(blocks, asmResolverMethod); }
static int GetFieldNameIndex(MethodDef method) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { i = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Byte[] System.Text.Encoding::GetBytes(System.Char[],System.Int32,System.Int32)"); if (i < 0) break; if (i < 2) continue; var ldci4 = instrs[i - 2]; if (!ldci4.IsLdcI4()) continue; return ldci4.GetLdcI4Value(); } return -1; }
protected static bool FindKey0_v14_r58564(MethodDef method, out uint key) { var instrs = method.Body.Instructions; for (int i = 0; i + 5 < instrs.Count; i++) { i = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Int32 System.IO.BinaryReader::ReadInt32()"); if (i < 0) { break; } int index = i + 1; var ldci4_1 = instrs[index++]; if (!ldci4_1.IsLdcI4()) { continue; } if (instrs[index++].OpCode.Code != Code.Xor) { continue; } if (!instrs[index++].IsStloc()) { continue; } if (!instrs[index++].IsLdloc()) { continue; } var ldci4_2 = instrs[index++]; if (!ldci4_2.IsLdcI4()) { continue; } if (ldci4_2.GetLdcI4Value() != 0 && ldci4_1.GetLdcI4Value() != ldci4_2.GetLdcI4Value()) { continue; } key = (uint)ldci4_1.GetLdcI4Value(); return(true); } key = 0; return(false); }
static bool FindKey0d(MethodDef method, out uint key) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { int index = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Reflection.Module System.Reflection.MemberInfo::get_Module()"); if (index < 0) { break; } int index2 = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Int32 System.Reflection.MemberInfo::get_MetadataToken()"); int ldci4Index; switch (index2 - index) { case 3: // rev <= r79440 ldci4Index = index + 1; break; case -4: // rev >= r79630 ldci4Index = index2 - 2; break; default: continue; } var ldci4 = instrs[ldci4Index]; if (!ldci4.IsLdcI4()) { continue; } if (!instrs[ldci4Index + 1].IsLdloc()) { continue; } key = (uint)ldci4.GetLdcI4Value(); return(true); } key = 0; return(false); }
public void Find() { var cctor = DotNetUtils.GetModuleTypeCctor(module); if (cctor == null) return; simpleDeobfuscator.Deobfuscate(cctor, SimpleDeobfuscatorFlags.Force | SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs); if ((dictField = ConstantsDecrypterUtils.FindDictField(cctor, cctor.DeclaringType)) == null) return; if ((dataField = ConstantsDecrypterUtils.FindDataField_v18_r75367(cctor, cctor.DeclaringType)) == null && (dataField = ConstantsDecrypterUtils.FindDataField_v19_r77172(cctor, cctor.DeclaringType)) == null) return; nativeMethod = FindNativeMethod(cctor, cctor.DeclaringType); var method = GetDecryptMethod(); if (method == null) return; simpleDeobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs); var info = new DecrypterInfo(this, method, ConfuserVersion.Unknown); if (FindKeys_v18_r75367(info)) InitVersion(cctor, ConfuserVersion.v18_r75367_normal, ConfuserVersion.v18_r75367_dynamic, ConfuserVersion.v18_r75367_native); else if (FindKeys_v18_r75369(info)) { lzmaType = ConfuserUtils.FindLzmaType(cctor); if (lzmaType == null) InitVersion(cctor, ConfuserVersion.v18_r75369_normal, ConfuserVersion.v18_r75369_dynamic, ConfuserVersion.v18_r75369_native); else if (!DotNetUtils.CallsMethod(method, "System.Void System.Threading.Monitor::Exit(System.Object)")) InitVersion(cctor, ConfuserVersion.v19_r77172_normal, ConfuserVersion.v19_r77172_dynamic, ConfuserVersion.v19_r77172_native); else if (DotNetUtils.CallsMethod(method, "System.Void System.Diagnostics.StackFrame::.ctor(System.Int32)")) InitVersion(cctor, ConfuserVersion.v19_r78363_normal, ConfuserVersion.v19_r78363_dynamic, ConfuserVersion.v19_r78363_native); else { int index1 = ConfuserUtils.FindCallMethod(cctor.Body.Instructions, 0, Code.Callvirt, "System.Reflection.Module System.Reflection.MemberInfo::get_Module()"); int index2 = ConfuserUtils.FindCallMethod(cctor.Body.Instructions, 0, Code.Callvirt, "System.Int32 System.Reflection.MemberInfo::get_MetadataToken()"); if (index1 < 0 || index2 < 0) { } if (index2 - index1 == 3) InitVersion(cctor, ConfuserVersion.v19_r78056_normal, ConfuserVersion.v19_r78056_dynamic, ConfuserVersion.v19_r78056_native); else if (index2 - index1 == -4) InitVersion(cctor, ConfuserVersion.v19_r79630_normal, ConfuserVersion.v19_r79630_dynamic, ConfuserVersion.v19_r79630_native); } } else return; installMethod = cctor; }
byte[] DecryptConstant_v15_r60785_dynamic(DecrypterInfo info, byte[] encrypted, uint offs) { var instrs = info.decryptMethod.Body.Instructions; int startIndex = GetDynamicStartIndex_v15_r60785(instrs); int endIndex = GetDynamicEndIndex_v15_r60785(instrs, startIndex); if (endIndex < 0) { throw new ApplicationException("Could not find start/endIndex"); } var dataReader = ByteArrayDataReaderFactory.CreateReader(encrypted); var decrypted = new byte[dataReader.ReadInt32()]; var constReader = new Arg64ConstantsReader(instrs, false); ConfuserUtils.DecryptCompressedInt32Data(constReader, startIndex, endIndex, ref dataReader, decrypted); return(decrypted); }
static bool FindKey2OrKey3(IList <Instruction> instrs, ref int index, out uint key) { key = 0; if (index + 6 >= instrs.Count) { return(false); } int i = index; if (!instrs[i++].IsLdloc()) { return(false); } if (!instrs[i++].IsLdloc()) { return(false); } if (!ConfuserUtils.IsCallMethod(instrs[i++], Code.Callvirt, "System.Int32 System.IO.BinaryReader::ReadInt32()")) { return(false); } var ldci4 = instrs[i++]; if (!ldci4.IsLdcI4()) { return(false); } if (instrs[i++].OpCode.Code != Code.Xor) { return(false); } if (!ConfuserUtils.IsCallMethod(instrs[i++], Code.Callvirt, "System.Byte[] System.IO.BinaryReader::ReadBytes(System.Int32)")) { return(false); } if (!instrs[i++].IsStloc()) { return(false); } key = (uint)ldci4.GetLdcI4Value(); index = i; return(true); }
static bool FindKey0_v18_r75369(MethodDef method, out byte key0) { var instrs = method.Body.Instructions; for (int index = 0; index < instrs.Count; index++) { index = ConfuserUtils.FindCallMethod(instrs, index, Code.Callvirt, "System.Int32 System.IO.Stream::Read(System.Byte[],System.Int32,System.Int32)"); if (index < 0) { break; } if (index + 4 >= instrs.Count) { break; } index++; if (instrs[index++].OpCode.Code != Code.Pop) { continue; } var ldci4 = instrs[index++]; if (!ldci4.IsLdcI4()) { continue; } if (instrs[index++].OpCode.Code != Code.Conv_U1) { continue; } if (!instrs[index++].IsStloc()) { continue; } key0 = (byte)ldci4.GetLdcI4Value(); return(true); } key0 = 0; return(false); }
public override string Decrypt(MethodDef caller, int magic) { var reader = stringDecrypter.reader; reader.Position = (caller.MDToken.ToInt32() ^ magic) - stringDecrypter.magic1; int len = reader.ReadInt32() ^ (int)~stringDecrypter.magic2; var decrypted = new byte[len]; int startIndex, endIndex; if (!FindPolyStartEndIndexes(out startIndex, out endIndex)) { throw new ApplicationException("Could not get start/end indexes"); } var constReader = new Arg64ConstantsReader(stringDecrypter.decryptMethod.Body.Instructions, false); ConfuserUtils.DecryptCompressedInt32Data(constReader, startIndex, endIndex, reader, decrypted); return(Encoding.Unicode.GetString(decrypted)); }
static bool FindCallvirtChar(MethodDef method, out ushort callvirtChar) { var instrs = method.Body.Instructions; for (int index = 0; index < instrs.Count; index++) { index = ConfuserUtils.FindCallMethod(instrs, index, Code.Callvirt, "System.Char System.String::get_Chars(System.Int32)"); if (index < 0) break; index++; if (index >= instrs.Count) break; var ldci4 = instrs[index]; if (!ldci4.IsLdcI4()) continue; callvirtChar = (ushort)ldci4.GetLdcI4Value(); return true; } callvirtChar = 0; return false; }
static bool FindMagic1(MethodDef method, out uint magic) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { int index = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Byte[] System.IO.BinaryReader::ReadBytes(System.Int32)"); if (index < 0) { break; } if (index < 4) { continue; } index -= 4; if (!instrs[index].IsLdarg()) { continue; } if (instrs[index + 1].OpCode.Code != Code.Xor) { continue; } var ldci4 = instrs[index + 2]; if (!ldci4.IsLdcI4()) { continue; } if (instrs[index + 3].OpCode.Code != Code.Sub) { continue; } magic = (uint)ldci4.GetLdcI4Value(); return(true); } magic = 0; return(false); }
static bool FindMagic_v18_r75367(MethodDef method, out uint magic) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { i = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Reflection.Module System.Reflection.MemberInfo::get_Module()"); if (i < 0 || i + 3 >= instrs.Count) break; if (!instrs[i + 1].IsLdloc()) continue; var ldci4 = instrs[i + 2]; if (!ldci4.IsLdcI4()) continue; if (instrs[i+3].OpCode.Code != Code.Xor) continue; magic = (uint)ldci4.GetLdcI4Value(); return true; } magic = 0; return false; }
static MethodDef FindNativeMethod_v18_r75367(MethodDef method) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { i = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Reflection.Module System.Reflection.MemberInfo::get_Module()"); if (i < 0 || i + 2 >= instrs.Count) break; if (!instrs[i + 1].IsLdloc()) continue; var call = instrs[i + 2]; if (call.OpCode.Code != Code.Call) continue; var calledMethod = call.Operand as MethodDef; if (calledMethod == null || calledMethod.Body != null || !calledMethod.IsNative) continue; return calledMethod; } return null; }
static bool FindMagic_v14_r58564(MethodDef method, out uint magic) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { int index = ConfuserUtils.FindCallMethod(instrs, i, Code.Call, "System.Int32 System.BitConverter::ToInt32(System.Byte[],System.Int32)"); if (index < 0) break; int index2 = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Reflection.MethodBase System.Reflection.Module::ResolveMethod(System.Int32)"); if (index2 < 0 || index2 - index != 3) continue; var ldci4 = instrs[index + 1]; if (!ldci4.IsLdcI4()) continue; if (instrs[index + 2].OpCode.Code != Code.Xor) continue; magic = (uint)ldci4.GetLdcI4Value(); return true; } magic = 0; return false; }
static MethodDef FindNativeMethod_v17_r73740(MethodDef method) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { int index = ConfuserUtils.FindCallMethod(instrs, i, Code.Call, "System.Int32 System.BitConverter::ToInt32(System.Byte[],System.Int32)"); if (index < 0) break; if (index < 1 || index + 1 >= instrs.Count) continue; if (!instrs[index - 1].IsLdcI4()) continue; var call = instrs[index + 1]; if (call.OpCode.Code != Code.Call) continue; var calledMethod = call.Operand as MethodDef; if (calledMethod == null || calledMethod.Body != null || !calledMethod.IsNative) continue; return calledMethod; } return null; }
static bool Is_v17_r73740(MethodDef method) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { int index = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Reflection.MethodBase System.Reflection.Module::ResolveMethod(System.Int32)"); if (index < 0) break; if (index < 3) continue; index -= 3; var ldci4 = instrs[index]; if (!ldci4.IsLdcI4() || ldci4.GetLdcI4Value() != 24) continue; if (instrs[index + 1].OpCode.Code != Code.Shl) continue; if (instrs[index + 2].OpCode.Code != Code.Or) continue; return true; } return false; }