static bool FindKey0d_v18_r75367(DecrypterInfo info)
{
var instrs = info.method.Body.Instructions;
for (int i = 0; i < instrs.Count; i++)
{
int index = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Int32 System.Reflection.MemberInfo::get_MetadataToken()");
if (index < 0)
{
break;
}
int index2 = ConfuserUtils.FindCallMethod(instrs, index, Code.Call, "System.Byte[] System.BitConverter::GetBytes(System.Int32)");
if (index2 < 0)
{
break;
}
if (index2 - index != 3)
{
continue;
}
var ldci4 = instrs[index + 1];
if (!ldci4.IsLdcI4())
{
continue;
}
if (instrs[index + 2].OpCode.Code != Code.Xor)
{
continue;
}
info.key0d = (uint)ldci4.GetLdcI4Value();
return(true);
}
return(false);
}
static bool FindKey5_v17_r74788(MethodDef method, out uint key)
{
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count; i++)
{
i = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Reflection.Module System.Reflection.Assembly::GetModule(System.String)");
if (i < 0)
{
break;
}
if (i + 1 >= instrs.Count)
{
break;
}
var ldci4 = instrs[i + 1];
if (!ldci4.IsLdcI4())
{
continue;
}
key = (uint)ldci4.GetLdcI4Value();
return(true);
}
key = 0;
return(false);
}
bool CheckType_v14_r58564(TypeDef type, MethodDef initMethod)
{
var virtualProtect = DotNetUtils.GetPInvokeMethod(type, "VirtualProtect");
if (virtualProtect == null)
{
return(false);
}
if (!DotNetUtils.CallsMethod(initMethod, "System.IntPtr System.Runtime.InteropServices.Marshal::GetHINSTANCE(System.Reflection.Module)"))
{
return(false);
}
if (ConfuserUtils.CountCalls(initMethod, virtualProtect) != 3)
{
return(false);
}
if (!DeobUtils.HasInteger(initMethod, 224))
{
return(false);
}
if (!DeobUtils.HasInteger(initMethod, 240))
{
return(false);
}
if (!DeobUtils.HasInteger(initMethod, 267))
{
return(false);
}
version = ConfuserVersion.v14_r58564;
return(true);
}
byte[] DecryptResource_v18_r75367_normal(byte[] encrypted)
{
var key = GetSigKey();
var decrypted = ConfuserUtils.Decrypt(BitConverter.ToUInt32(key, 12) * (uint)key0, encrypted);
return(Decompress(DeobUtils.AesDecrypt(decrypted, key, DeobUtils.Md5Sum(key))));
}
static bool FindKey1(MethodDef method, out uint key)
{
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count; i++)
{
int index = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Int32 System.Reflection.MemberInfo::get_MetadataToken()");
if (index < 0)
{
break;
}
if (index + 2 > instrs.Count)
{
break;
}
if (!instrs[index + 1].IsStloc())
{
continue;
}
var ldci4 = instrs[index + 2];
if (!ldci4.IsLdcI4())
{
continue;
}
key = (uint)ldci4.GetLdcI4Value();
return(true);
}
key = 0;
return(false);
}
static bool FindSafeKey1(MethodDef method, out uint key)
{
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count; i++)
{
int index = ConfuserUtils.FindCallMethod(instrs, i, Code.Newobj, "System.Void System.Random::.ctor(System.Int32)");
if (index < 0)
{
break;
}
if (index == 0)
{
continue;
}
var ldci4 = instrs[index - 1];
if (!ldci4.IsLdcI4())
{
continue;
}
key = (uint)ldci4.GetLdcI4Value();
return(true);
}
key = 0;
return(false);
}
static bool FindKey0(MethodDef method, out uint key)
{
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count; i++)
{
int index = ConfuserUtils.FindCallMethod(instrs, i, Code.Call, "System.Text.Encoding System.Text.Encoding::get_UTF8()");
if (index < 0)
{
break;
}
int index2 = ConfuserUtils.FindCallMethod(instrs, i, Code.Call, "System.Byte[] System.BitConverter::GetBytes(System.Int32)");
if (index2 - index != 2)
{
continue;
}
var ldci4 = instrs[index + 1];
if (!ldci4.IsLdcI4())
{
continue;
}
key = (uint)ldci4.GetLdcI4Value();
return(true);
}
key = 0;
return(false);
}
static bool FindKey4(MethodDef method, out uint key)
{
var instrs = method.Body.Instructions;
for (int index = 0; index < instrs.Count; index++)
{
index = ConfuserUtils.FindCallMethod(instrs, index, Code.Call, "System.Void System.Runtime.InteropServices.Marshal::Copy(System.Byte[],System.Int32,System.IntPtr,System.Int32)");
if (index < 0)
{
break;
}
if (index + 2 >= instrs.Count)
{
continue;
}
if (!instrs[index + 1].IsLdloc())
{
continue;
}
var ldci4 = instrs[index + 2];
if (!ldci4.IsLdcI4())
{
continue;
}
key = (uint)ldci4.GetLdcI4Value();
return(true);
}
key = 0;
return(false);
}
static bool FindKey4_other(MethodDef method, out uint key)
{
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count; i++)
{
int index = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Int32 System.IO.BinaryReader::ReadInt32()");
if (index < 0)
{
break;
}
if (index + 1 >= instrs.Count)
{
break;
}
var ldci4 = instrs[index + 1];
if (!ldci4.IsLdcI4())
{
continue;
}
key = (uint)ldci4.GetLdcI4Value();
return(true);
}
key = 0;
return(false);
}
public override string Decrypt(MethodDef caller, int magic)
{
var reader = stringDecrypter.reader;
reader.Position = (caller.MDToken.ToInt32() ^ magic) - stringDecrypter.magic1;
int len = reader.ReadInt32() ^ (int)~stringDecrypter.magic2;
var rand = new Random(caller.MDToken.ToInt32());
var instrs = stringDecrypter.decryptMethod.Body.Instructions;
constReader = new PolyConstantsReader(instrs, false);
int polyIndex = ConfuserUtils.FindCallMethod(instrs, 0, Code.Callvirt, "System.Int64 System.IO.BinaryReader::ReadInt64()");
if (polyIndex < 0)
{
throw new ApplicationException("Could not find start of decrypt code");
}
var decrypted = new byte[len];
for (int i = 0; i < len; i += 8)
{
constReader.Arg = reader.ReadInt64();
int index = polyIndex;
long val;
if (!constReader.GetInt64(ref index, out val) || instrs[index].OpCode.Code != Code.Conv_I8)
{
throw new ApplicationException("Could not get string int64 value");
}
Array.Copy(BitConverter.GetBytes(val ^ rand.Next()), 0, decrypted, i, Math.Min(8, len - i));
}
return(Encoding.Unicode.GetString(decrypted));
}
Local GetDynamicLocal(out int instrIndex)
{
var instrs = installMethod.Body.Instructions;
for (int i = 0; i < instrs.Count; i++)
{
i = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Void System.IO.BinaryWriter::Write(System.Byte)");
if (i < 0)
{
break;
}
int index = i - 2;
if (index < 0)
{
continue;
}
var ldloc = instrs[index];
if (!ldloc.IsLdloc())
{
continue;
}
if (instrs[index + 1].OpCode.Code != Code.Conv_U1)
{
continue;
}
instrIndex = index;
return(ldloc.GetLocal(installMethod.Body.Variables));
}
instrIndex = 0;
return(null);
}
byte[] Decompress(byte[] compressed)
{
if (lzmaType != null)
{
return(ConfuserUtils.SevenZipDecompress(compressed));
}
return(DeobUtils.Inflate(compressed, true));
}
public void Deobfuscate(Blocks blocks)
{
if (blocks.Method != installMethod)
{
return;
}
ConfuserUtils.RemoveResourceHookCode(blocks, handler);
}
static bool FindKey5(MethodDef method, out uint key)
{
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count; i++)
{
i = FindCallvirtReadUInt32(instrs, i);
if (i < 0)
{
break;
}
int index2 = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Int32 System.IO.BinaryReader::ReadInt32()");
if (index2 < 0)
{
break;
}
if (index2 - i != 6)
{
continue;
}
var ldci4 = instrs[i + 1];
if (!ldci4.IsLdcI4())
{
continue;
}
if (instrs[i + 2].OpCode.Code != Code.Xor)
{
continue;
}
var stloc = instrs[i + 3];
if (!stloc.IsStloc())
{
continue;
}
var ldloc = instrs[i + 4];
if (!ldloc.IsLdloc())
{
continue;
}
if (ldloc.GetLocal(method.Body.Variables) == stloc.GetLocal(method.Body.Variables))
{
continue;
}
if (!instrs[i + 5].IsLdloc())
{
continue;
}
key = (uint)ldci4.GetLdcI4Value();
return(true);
}
key = 0;
return(false);
}
public void Deobfuscate(Blocks blocks)
{
if (asmResolverMethod == null)
{
return;
}
if (blocks.Method != DotNetUtils.GetModuleTypeCctor(module))
{
return;
}
ConfuserUtils.RemoveResourceHookCode(blocks, asmResolverMethod);
}
static int GetFieldNameIndex(MethodDef method) {
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count; i++) {
i = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Byte[] System.Text.Encoding::GetBytes(System.Char[],System.Int32,System.Int32)");
if (i < 0)
break;
if (i < 2)
continue;
var ldci4 = instrs[i - 2];
if (!ldci4.IsLdcI4())
continue;
return ldci4.GetLdcI4Value();
}
return -1;
}
protected static bool FindKey0_v14_r58564(MethodDef method, out uint key)
{
var instrs = method.Body.Instructions;
for (int i = 0; i + 5 < instrs.Count; i++)
{
i = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Int32 System.IO.BinaryReader::ReadInt32()");
if (i < 0)
{
break;
}
int index = i + 1;
var ldci4_1 = instrs[index++];
if (!ldci4_1.IsLdcI4())
{
continue;
}
if (instrs[index++].OpCode.Code != Code.Xor)
{
continue;
}
if (!instrs[index++].IsStloc())
{
continue;
}
if (!instrs[index++].IsLdloc())
{
continue;
}
var ldci4_2 = instrs[index++];
if (!ldci4_2.IsLdcI4())
{
continue;
}
if (ldci4_2.GetLdcI4Value() != 0 && ldci4_1.GetLdcI4Value() != ldci4_2.GetLdcI4Value())
{
continue;
}
key = (uint)ldci4_1.GetLdcI4Value();
return(true);
}
key = 0;
return(false);
}
static bool FindKey0d(MethodDef method, out uint key)
{
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count; i++)
{
int index = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Reflection.Module System.Reflection.MemberInfo::get_Module()");
if (index < 0)
{
break;
}
int index2 = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Int32 System.Reflection.MemberInfo::get_MetadataToken()");
int ldci4Index;
switch (index2 - index)
{
case 3:
// rev <= r79440
ldci4Index = index + 1;
break;
case -4:
// rev >= r79630
ldci4Index = index2 - 2;
break;
default:
continue;
}
var ldci4 = instrs[ldci4Index];
if (!ldci4.IsLdcI4())
{
continue;
}
if (!instrs[ldci4Index + 1].IsLdloc())
{
continue;
}
key = (uint)ldci4.GetLdcI4Value();
return(true);
}
key = 0;
return(false);
}
public void Find() {
var cctor = DotNetUtils.GetModuleTypeCctor(module);
if (cctor == null)
return;
simpleDeobfuscator.Deobfuscate(cctor, SimpleDeobfuscatorFlags.Force | SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
if ((dictField = ConstantsDecrypterUtils.FindDictField(cctor, cctor.DeclaringType)) == null)
return;
if ((dataField = ConstantsDecrypterUtils.FindDataField_v18_r75367(cctor, cctor.DeclaringType)) == null &&
(dataField = ConstantsDecrypterUtils.FindDataField_v19_r77172(cctor, cctor.DeclaringType)) == null)
return;
nativeMethod = FindNativeMethod(cctor, cctor.DeclaringType);
var method = GetDecryptMethod();
if (method == null)
return;
simpleDeobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
var info = new DecrypterInfo(this, method, ConfuserVersion.Unknown);
if (FindKeys_v18_r75367(info))
InitVersion(cctor, ConfuserVersion.v18_r75367_normal, ConfuserVersion.v18_r75367_dynamic, ConfuserVersion.v18_r75367_native);
else if (FindKeys_v18_r75369(info)) {
lzmaType = ConfuserUtils.FindLzmaType(cctor);
if (lzmaType == null)
InitVersion(cctor, ConfuserVersion.v18_r75369_normal, ConfuserVersion.v18_r75369_dynamic, ConfuserVersion.v18_r75369_native);
else if (!DotNetUtils.CallsMethod(method, "System.Void System.Threading.Monitor::Exit(System.Object)"))
InitVersion(cctor, ConfuserVersion.v19_r77172_normal, ConfuserVersion.v19_r77172_dynamic, ConfuserVersion.v19_r77172_native);
else if (DotNetUtils.CallsMethod(method, "System.Void System.Diagnostics.StackFrame::.ctor(System.Int32)"))
InitVersion(cctor, ConfuserVersion.v19_r78363_normal, ConfuserVersion.v19_r78363_dynamic, ConfuserVersion.v19_r78363_native);
else {
int index1 = ConfuserUtils.FindCallMethod(cctor.Body.Instructions, 0, Code.Callvirt, "System.Reflection.Module System.Reflection.MemberInfo::get_Module()");
int index2 = ConfuserUtils.FindCallMethod(cctor.Body.Instructions, 0, Code.Callvirt, "System.Int32 System.Reflection.MemberInfo::get_MetadataToken()");
if (index1 < 0 || index2 < 0) {
}
if (index2 - index1 == 3)
InitVersion(cctor, ConfuserVersion.v19_r78056_normal, ConfuserVersion.v19_r78056_dynamic, ConfuserVersion.v19_r78056_native);
else if (index2 - index1 == -4)
InitVersion(cctor, ConfuserVersion.v19_r79630_normal, ConfuserVersion.v19_r79630_dynamic, ConfuserVersion.v19_r79630_native);
}
}
else
return;
installMethod = cctor;
}
byte[] DecryptConstant_v15_r60785_dynamic(DecrypterInfo info, byte[] encrypted, uint offs)
{
var instrs = info.decryptMethod.Body.Instructions;
int startIndex = GetDynamicStartIndex_v15_r60785(instrs);
int endIndex = GetDynamicEndIndex_v15_r60785(instrs, startIndex);
if (endIndex < 0)
{
throw new ApplicationException("Could not find start/endIndex");
}
var dataReader = ByteArrayDataReaderFactory.CreateReader(encrypted);
var decrypted = new byte[dataReader.ReadInt32()];
var constReader = new Arg64ConstantsReader(instrs, false);
ConfuserUtils.DecryptCompressedInt32Data(constReader, startIndex, endIndex, ref dataReader, decrypted);
return(decrypted);
}
static bool FindKey2OrKey3(IList <Instruction> instrs, ref int index, out uint key)
{
key = 0;
if (index + 6 >= instrs.Count)
{
return(false);
}
int i = index;
if (!instrs[i++].IsLdloc())
{
return(false);
}
if (!instrs[i++].IsLdloc())
{
return(false);
}
if (!ConfuserUtils.IsCallMethod(instrs[i++], Code.Callvirt, "System.Int32 System.IO.BinaryReader::ReadInt32()"))
{
return(false);
}
var ldci4 = instrs[i++];
if (!ldci4.IsLdcI4())
{
return(false);
}
if (instrs[i++].OpCode.Code != Code.Xor)
{
return(false);
}
if (!ConfuserUtils.IsCallMethod(instrs[i++], Code.Callvirt, "System.Byte[] System.IO.BinaryReader::ReadBytes(System.Int32)"))
{
return(false);
}
if (!instrs[i++].IsStloc())
{
return(false);
}
key = (uint)ldci4.GetLdcI4Value();
index = i;
return(true);
}
static bool FindKey0_v18_r75369(MethodDef method, out byte key0)
{
var instrs = method.Body.Instructions;
for (int index = 0; index < instrs.Count; index++)
{
index = ConfuserUtils.FindCallMethod(instrs, index, Code.Callvirt, "System.Int32 System.IO.Stream::Read(System.Byte[],System.Int32,System.Int32)");
if (index < 0)
{
break;
}
if (index + 4 >= instrs.Count)
{
break;
}
index++;
if (instrs[index++].OpCode.Code != Code.Pop)
{
continue;
}
var ldci4 = instrs[index++];
if (!ldci4.IsLdcI4())
{
continue;
}
if (instrs[index++].OpCode.Code != Code.Conv_U1)
{
continue;
}
if (!instrs[index++].IsStloc())
{
continue;
}
key0 = (byte)ldci4.GetLdcI4Value();
return(true);
}
key0 = 0;
return(false);
}
public override string Decrypt(MethodDef caller, int magic)
{
var reader = stringDecrypter.reader;
reader.Position = (caller.MDToken.ToInt32() ^ magic) - stringDecrypter.magic1;
int len = reader.ReadInt32() ^ (int)~stringDecrypter.magic2;
var decrypted = new byte[len];
int startIndex, endIndex;
if (!FindPolyStartEndIndexes(out startIndex, out endIndex))
{
throw new ApplicationException("Could not get start/end indexes");
}
var constReader = new Arg64ConstantsReader(stringDecrypter.decryptMethod.Body.Instructions, false);
ConfuserUtils.DecryptCompressedInt32Data(constReader, startIndex, endIndex, reader, decrypted);
return(Encoding.Unicode.GetString(decrypted));
}
static bool FindCallvirtChar(MethodDef method, out ushort callvirtChar) {
var instrs = method.Body.Instructions;
for (int index = 0; index < instrs.Count; index++) {
index = ConfuserUtils.FindCallMethod(instrs, index, Code.Callvirt, "System.Char System.String::get_Chars(System.Int32)");
if (index < 0)
break;
index++;
if (index >= instrs.Count)
break;
var ldci4 = instrs[index];
if (!ldci4.IsLdcI4())
continue;
callvirtChar = (ushort)ldci4.GetLdcI4Value();
return true;
}
callvirtChar = 0;
return false;
}
static bool FindMagic1(MethodDef method, out uint magic)
{
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count; i++)
{
int index = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Byte[] System.IO.BinaryReader::ReadBytes(System.Int32)");
if (index < 0)
{
break;
}
if (index < 4)
{
continue;
}
index -= 4;
if (!instrs[index].IsLdarg())
{
continue;
}
if (instrs[index + 1].OpCode.Code != Code.Xor)
{
continue;
}
var ldci4 = instrs[index + 2];
if (!ldci4.IsLdcI4())
{
continue;
}
if (instrs[index + 3].OpCode.Code != Code.Sub)
{
continue;
}
magic = (uint)ldci4.GetLdcI4Value();
return(true);
}
magic = 0;
return(false);
}
static bool FindMagic_v18_r75367(MethodDef method, out uint magic) {
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count; i++) {
i = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Reflection.Module System.Reflection.MemberInfo::get_Module()");
if (i < 0 || i + 3 >= instrs.Count)
break;
if (!instrs[i + 1].IsLdloc())
continue;
var ldci4 = instrs[i + 2];
if (!ldci4.IsLdcI4())
continue;
if (instrs[i+3].OpCode.Code != Code.Xor)
continue;
magic = (uint)ldci4.GetLdcI4Value();
return true;
}
magic = 0;
return false;
}
static MethodDef FindNativeMethod_v18_r75367(MethodDef method) {
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count; i++) {
i = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Reflection.Module System.Reflection.MemberInfo::get_Module()");
if (i < 0 || i + 2 >= instrs.Count)
break;
if (!instrs[i + 1].IsLdloc())
continue;
var call = instrs[i + 2];
if (call.OpCode.Code != Code.Call)
continue;
var calledMethod = call.Operand as MethodDef;
if (calledMethod == null || calledMethod.Body != null || !calledMethod.IsNative)
continue;
return calledMethod;
}
return null;
}
static bool FindMagic_v14_r58564(MethodDef method, out uint magic) {
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count; i++) {
int index = ConfuserUtils.FindCallMethod(instrs, i, Code.Call, "System.Int32 System.BitConverter::ToInt32(System.Byte[],System.Int32)");
if (index < 0)
break;
int index2 = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Reflection.MethodBase System.Reflection.Module::ResolveMethod(System.Int32)");
if (index2 < 0 || index2 - index != 3)
continue;
var ldci4 = instrs[index + 1];
if (!ldci4.IsLdcI4())
continue;
if (instrs[index + 2].OpCode.Code != Code.Xor)
continue;
magic = (uint)ldci4.GetLdcI4Value();
return true;
}
magic = 0;
return false;
}
static MethodDef FindNativeMethod_v17_r73740(MethodDef method) {
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count; i++) {
int index = ConfuserUtils.FindCallMethod(instrs, i, Code.Call, "System.Int32 System.BitConverter::ToInt32(System.Byte[],System.Int32)");
if (index < 0)
break;
if (index < 1 || index + 1 >= instrs.Count)
continue;
if (!instrs[index - 1].IsLdcI4())
continue;
var call = instrs[index + 1];
if (call.OpCode.Code != Code.Call)
continue;
var calledMethod = call.Operand as MethodDef;
if (calledMethod == null || calledMethod.Body != null || !calledMethod.IsNative)
continue;
return calledMethod;
}
return null;
}
static bool Is_v17_r73740(MethodDef method) {
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count; i++) {
int index = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Reflection.MethodBase System.Reflection.Module::ResolveMethod(System.Int32)");
if (index < 0)
break;
if (index < 3)
continue;
index -= 3;
var ldci4 = instrs[index];
if (!ldci4.IsLdcI4() || ldci4.GetLdcI4Value() != 24)
continue;
if (instrs[index + 1].OpCode.Code != Code.Shl)
continue;
if (instrs[index + 2].OpCode.Code != Code.Or)
continue;
return true;
}
return false;
}
