public void decrypt(ResourceDecrypter resourceDecrypter)
{
if (decryptMethod == null)
{
return;
}
resource = CoUtils.getResource(module, decrypterCctor);
if (resource == null)
{
return;
}
var decrypted = resourceDecrypter.decrypt(resource.GetResourceStream());
var reader = new BinaryReader(new MemoryStream(decrypted));
int numEncrypted = reader.ReadInt32();
Log.v("Restoring {0} encrypted methods", numEncrypted);
Log.indent();
for (int i = 0; i < numEncrypted; i++)
{
int delegateTypeToken = reader.ReadInt32();
uint codeOffset = reader.ReadUInt32();
var origOffset = reader.BaseStream.Position;
reader.BaseStream.Position = codeOffset;
decrypt(reader, delegateTypeToken);
reader.BaseStream.Position = origOffset;
}
Log.deIndent();
}
public void Decrypt(ResourceDecrypter resourceDecrypter, ISimpleDeobfuscator simpleDeobfuscator)
{
if (decryptMethod == null)
{
return;
}
resource = CoUtils.GetResource(module, decrypterCctor);
if (resource == null)
{
return;
}
var decrypted = resourceDecrypter.Decrypt(resource.GetResourceStream());
var reader = MemoryImageStream.Create(decrypted);
int numEncrypted = reader.ReadInt32();
Logger.v("Restoring {0} encrypted methods", numEncrypted);
Logger.Instance.Indent();
for (int i = 0; i < numEncrypted; i++)
{
int delegateTypeToken = reader.ReadInt32();
uint codeOffset = reader.ReadUInt32();
var origOffset = reader.Position;
reader.Position = codeOffset;
Decrypt(reader, delegateTypeToken, simpleDeobfuscator);
reader.Position = origOffset;
}
Logger.Instance.DeIndent();
}
public void init(ResourceDecrypter resourceDecrypter)
{
if (decrypterType == null)
{
return;
}
encryptedResource = CoUtils.getResource(module, DotNetUtils.getCodeStrings(DotNetUtils.getMethod(decrypterType, ".cctor")));
constantsData = resourceDecrypter.decrypt(encryptedResource.GetResourceStream());
}
public void init(ResourceDecrypter resourceDecrypter)
{
if (decrypterType == null)
{
return;
}
encryptedResource = CoUtils.getResource(module, DotNetUtils.getCodeStrings(decrypterType.FindStaticConstructor()));
encryptedResource.Data.Position = 0;
constantsData = resourceDecrypter.decrypt(encryptedResource.Data.CreateStream());
}
public void Initialize(ResourceDecrypter resourceDecrypter) {
if (decryptedData != null || stringDecrypterType == null)
return;
var resourceName = GetResourceName();
stringResource = DotNetUtils.GetResource(module, resourceName) as EmbeddedResource;
if (stringResource == null)
return;
Logger.v("Adding string decrypter. Resource: {0}", Utils.ToCsharpString(stringResource.Name));
decryptedData = resourceDecrypter.Decrypt(stringResource.GetResourceStream());
}
public void Initialize(ResourceDecrypter resourceDecrypter)
{
if (decryptedData != null || stringDecrypterType == null)
{
return;
}
var resourceName = GetResourceName();
stringResource = DotNetUtils.GetResource(module, resourceName) as EmbeddedResource;
if (stringResource == null)
{
return;
}
Logger.v("Adding string decrypter. Resource: {0}", Utils.ToCsharpString(stringResource.Name));
decryptedData = resourceDecrypter.Decrypt(stringResource.GetResourceStream());
}
public void init(ResourceDecrypter resourceDecrypter)
{
if (decryptedData != null)
{
return;
}
var resourceName = getResourceName();
stringResource = DotNetUtils.getResource(module, resourceName) as EmbeddedResource;
if (stringResource == null)
{
return;
}
Log.v("Adding string decrypter. Resource: {0}", Utils.toCsharpString(stringResource.Name));
decryptedData = resourceDecrypter.decrypt(stringResource.GetResourceStream());
}
public void Initialize(ResourceDecrypter resourceDecrypter)
{
if (decrypterType == null)
{
return;
}
var cctor = decrypterType.FindStaticConstructor();
encryptedResource = CoUtils.GetResource(module, DotNetUtils.GetCodeStrings(cctor));
//if the return value is null, it is possible that resource name is encrypted
if (encryptedResource == null)
{
var Resources = new string[] { CoUtils.DecryptResourceName(module, cctor) };
encryptedResource = CoUtils.GetResource(module, Resources);
}
constantsData = resourceDecrypter.Decrypt(encryptedResource.GetReader().AsStream());
}
public override void deobfuscateBegin()
{
base.deobfuscateBegin();
resourceDecrypter = new ResourceDecrypter(module, DeobfuscatedFile);
resourceResolver = new ResourceResolver(module, resourceDecrypter);
assemblyResolver = new AssemblyResolver(module);
resourceResolver.find();
assemblyResolver.find();
decryptResources();
stringDecrypter.init(resourceDecrypter);
if (stringDecrypter.Method != null)
{
staticStringInliner.add(stringDecrypter.Method, (method, args) => {
return(stringDecrypter.decrypt((int)args[0]));
});
DeobfuscatedFile.stringDecryptersAdded();
}
antiDebugger = new AntiDebugger(module, DeobfuscatedFile, this);
antiDebugger.find();
addModuleCctorInitCallToBeRemoved(resourceResolver.Method);
addModuleCctorInitCallToBeRemoved(assemblyResolver.Method);
addCallToBeRemoved(module.EntryPoint, tamperDetection.Method);
addModuleCctorInitCallToBeRemoved(tamperDetection.Method);
addCallToBeRemoved(module.EntryPoint, antiDebugger.Method);
addModuleCctorInitCallToBeRemoved(antiDebugger.Method);
addTypeToBeRemoved(resourceResolver.Type, "Resource resolver type");
addTypeToBeRemoved(assemblyResolver.Type, "Assembly resolver type");
addTypeToBeRemoved(tamperDetection.Type, "Tamper detection type");
addTypeToBeRemoved(antiDebugger.Type, "Anti-debugger type");
proxyDelegateFinder.find();
dumpEmbeddedAssemblies();
}
public override void deobfuscateBegin()
{
base.deobfuscateBegin();
resourceDecrypter = new ResourceDecrypter(module, DeobfuscatedFile);
resourceResolver = new ResourceResolver(module, resourceDecrypter);
assemblyResolver = new AssemblyResolver(module);
resourceResolver.find();
assemblyResolver.find();
decryptResources();
stringDecrypter.init(resourceDecrypter);
if (stringDecrypter.Method != null) {
staticStringInliner.add(stringDecrypter.Method, (method, gim, args) => {
return stringDecrypter.decrypt((int)args[0]);
});
DeobfuscatedFile.stringDecryptersAdded();
}
methodsDecrypter.decrypt(resourceDecrypter);
if (methodsDecrypter.Detected) {
if (!assemblyResolver.Detected)
assemblyResolver.find();
if (!tamperDetection.Detected)
tamperDetection.find();
}
antiDebugger = new AntiDebugger(module, DeobfuscatedFile, this);
antiDebugger.find();
if (options.DecryptConstants) {
constantsDecrypter.init(resourceDecrypter);
int32ValueInliner = new Int32ValueInliner();
int32ValueInliner.add(constantsDecrypter.Int32Decrypter, (method, gim, args) => constantsDecrypter.decryptInt32((int)args[0]));
int64ValueInliner = new Int64ValueInliner();
int64ValueInliner.add(constantsDecrypter.Int64Decrypter, (method, gim, args) => constantsDecrypter.decryptInt64((int)args[0]));
singleValueInliner = new SingleValueInliner();
singleValueInliner.add(constantsDecrypter.SingleDecrypter, (method, gim, args) => constantsDecrypter.decryptSingle((int)args[0]));
doubleValueInliner = new DoubleValueInliner();
doubleValueInliner.add(constantsDecrypter.DoubleDecrypter, (method, gim, args) => constantsDecrypter.decryptDouble((int)args[0]));
addTypeToBeRemoved(constantsDecrypter.Type, "Constants decrypter type");
addResourceToBeRemoved(constantsDecrypter.Resource, "Encrypted constants");
}
addModuleCctorInitCallToBeRemoved(resourceResolver.Method);
addModuleCctorInitCallToBeRemoved(assemblyResolver.Method);
addCallToBeRemoved(module.EntryPoint, tamperDetection.Method);
addModuleCctorInitCallToBeRemoved(tamperDetection.Method);
addCallToBeRemoved(module.EntryPoint, antiDebugger.Method);
addModuleCctorInitCallToBeRemoved(antiDebugger.Method);
addTypeToBeRemoved(resourceResolver.Type, "Resource resolver type");
addTypeToBeRemoved(assemblyResolver.Type, "Assembly resolver type");
addTypeToBeRemoved(tamperDetection.Type, "Tamper detection type");
addTypeToBeRemoved(antiDebugger.Type, "Anti-debugger type");
addTypeToBeRemoved(methodsDecrypter.Type, "Methods decrypter type");
addTypesToBeRemoved(methodsDecrypter.DelegateTypes, "Methods decrypter delegate type");
addResourceToBeRemoved(methodsDecrypter.Resource, "Encrypted methods");
proxyCallFixer.find();
dumpEmbeddedAssemblies();
}
public override void deobfuscateBegin()
{
base.deobfuscateBegin();
resourceDecrypter = new ResourceDecrypter(module, DeobfuscatedFile);
resourceResolver = new ResourceResolver(module, resourceDecrypter);
assemblyResolver = new AssemblyResolver(module);
resourceResolver.find();
assemblyResolver.find();
decryptResources();
stringDecrypter.init(resourceDecrypter);
if (stringDecrypter.Method != null) {
staticStringInliner.add(stringDecrypter.Method, (method, args) => {
return stringDecrypter.decrypt((int)args[0]);
});
DeobfuscatedFile.stringDecryptersAdded();
}
antiDebugger = new AntiDebugger(module, DeobfuscatedFile, this);
antiDebugger.find();
addModuleCctorInitCallToBeRemoved(resourceResolver.Method);
addModuleCctorInitCallToBeRemoved(assemblyResolver.Method);
addCallToBeRemoved(module.EntryPoint, tamperDetection.Method);
addModuleCctorInitCallToBeRemoved(tamperDetection.Method);
addCallToBeRemoved(module.EntryPoint, antiDebugger.Method);
addModuleCctorInitCallToBeRemoved(antiDebugger.Method);
addTypeToBeRemoved(resourceResolver.Type, "Resource resolver type");
addTypeToBeRemoved(assemblyResolver.Type, "Assembly resolver type");
addTypeToBeRemoved(tamperDetection.Type, "Tamper detection type");
addTypeToBeRemoved(antiDebugger.Type, "Anti-debugger type");
proxyDelegateFinder.find();
dumpEmbeddedAssemblies();
}
public void Initialize(ResourceDecrypter resourceDecrypter) {
if (decrypterType == null)
return;
encryptedResource = CoUtils.GetResource(module, DotNetUtils.GetCodeStrings(decrypterType.FindStaticConstructor()));
encryptedResource.Data.Position = 0;
constantsData = resourceDecrypter.Decrypt(encryptedResource.Data.CreateStream());
}
public override void DeobfuscateBegin()
{
base.DeobfuscateBegin();
resourceDecrypter = new ResourceDecrypter(module, DeobfuscatedFile);
resourceResolver = new ResourceResolver(module, resourceDecrypter);
assemblyResolver = new AssemblyResolver(module);
resourceResolver.Find();
assemblyResolver.Find(DeobfuscatedFile);
DecryptResources();
stringDecrypter.Initialize(resourceDecrypter);
if (stringDecrypter.Method != null)
{
staticStringInliner.Add(stringDecrypter.Method, (method, gim, args) => {
return(stringDecrypter.Decrypt((int)args[0]));
});
DeobfuscatedFile.StringDecryptersAdded();
}
methodsDecrypter.Decrypt(resourceDecrypter, DeobfuscatedFile);
if (methodsDecrypter.Detected)
{
if (!assemblyResolver.Detected)
{
assemblyResolver.Find(DeobfuscatedFile);
}
if (!tamperDetection.Detected)
{
tamperDetection.Find();
}
}
antiDebugger = new AntiDebugger(module, DeobfuscatedFile, this);
antiDebugger.Find();
if (options.DecryptConstants)
{
constantsDecrypter.Initialize(resourceDecrypter);
int32ValueInliner = new Int32ValueInliner();
int32ValueInliner.Add(constantsDecrypter.Int32Decrypter, (method, gim, args) => constantsDecrypter.DecryptInt32((int)args[0]));
int64ValueInliner = new Int64ValueInliner();
int64ValueInliner.Add(constantsDecrypter.Int64Decrypter, (method, gim, args) => constantsDecrypter.DecryptInt64((int)args[0]));
singleValueInliner = new SingleValueInliner();
singleValueInliner.Add(constantsDecrypter.SingleDecrypter, (method, gim, args) => constantsDecrypter.DecryptSingle((int)args[0]));
doubleValueInliner = new DoubleValueInliner();
doubleValueInliner.Add(constantsDecrypter.DoubleDecrypter, (method, gim, args) => constantsDecrypter.DecryptDouble((int)args[0]));
AddTypeToBeRemoved(constantsDecrypter.Type, "Constants decrypter type");
AddResourceToBeRemoved(constantsDecrypter.Resource, "Encrypted constants");
}
AddModuleCctorInitCallToBeRemoved(resourceResolver.Method);
AddModuleCctorInitCallToBeRemoved(assemblyResolver.Method);
AddCallToBeRemoved(module.EntryPoint, tamperDetection.Method);
AddModuleCctorInitCallToBeRemoved(tamperDetection.Method);
AddCallToBeRemoved(module.EntryPoint, antiDebugger.Method);
AddModuleCctorInitCallToBeRemoved(antiDebugger.Method);
AddTypeToBeRemoved(resourceResolver.Type, "Resource resolver type");
AddTypeToBeRemoved(assemblyResolver.Type, "Assembly resolver type");
AddTypeToBeRemoved(tamperDetection.Type, "Tamper detection type");
AddTypeToBeRemoved(antiDebugger.Type, "Anti-debugger type");
AddTypeToBeRemoved(methodsDecrypter.Type, "Methods decrypter type");
AddTypesToBeRemoved(methodsDecrypter.DelegateTypes, "Methods decrypter delegate type");
AddResourceToBeRemoved(methodsDecrypter.Resource, "Encrypted methods");
proxyCallFixer.Find();
DumpEmbeddedAssemblies();
startedDeobfuscating = true;
}
public void init(ResourceDecrypter resourceDecrypter)
{
if (decryptedData != null)
return;
var resourceName = getResourceName();
stringResource = DotNetUtils.getResource(module, resourceName) as EmbeddedResource;
if (stringResource == null)
return;
Log.v("Adding string decrypter. Resource: {0}", Utils.toCsharpString(stringResource.Name));
decryptedData = resourceDecrypter.decrypt(stringResource.GetResourceStream());
}
public ResourceResolver(ModuleDefMD module, ResourceDecrypter resourceDecrypter)
{
this.module = module;
this.resourceDecrypter = resourceDecrypter;
}
public void decrypt(ResourceDecrypter resourceDecrypter)
{
if (decryptMethod == null)
return;
resource = CoUtils.getResource(module, decrypterCctor);
if (resource == null)
return;
var decrypted = resourceDecrypter.decrypt(resource.GetResourceStream());
var reader = new BinaryReader(new MemoryStream(decrypted));
int numEncrypted = reader.ReadInt32();
Log.v("Restoring {0} encrypted methods", numEncrypted);
Log.indent();
for (int i = 0; i < numEncrypted; i++) {
int delegateTypeToken = reader.ReadInt32();
uint codeOffset = reader.ReadUInt32();
var origOffset = reader.BaseStream.Position;
reader.BaseStream.Position = codeOffset;
decrypt(reader, delegateTypeToken);
reader.BaseStream.Position = origOffset;
}
Log.deIndent();
}
public void Decrypt(ResourceDecrypter resourceDecrypter, ISimpleDeobfuscator simpleDeobfuscator) {
if (decryptMethod == null)
return;
resource = CoUtils.GetResource(module, decrypterCctor);
if (resource == null)
return;
var decrypted = resourceDecrypter.Decrypt(resource.GetResourceStream());
var reader = MemoryImageStream.Create(decrypted);
int numEncrypted = reader.ReadInt32();
Logger.v("Restoring {0} encrypted methods", numEncrypted);
Logger.Instance.Indent();
for (int i = 0; i < numEncrypted; i++) {
int delegateTypeToken = reader.ReadInt32();
uint codeOffset = reader.ReadUInt32();
var origOffset = reader.Position;
reader.Position = codeOffset;
Decrypt(reader, delegateTypeToken, simpleDeobfuscator);
reader.Position = origOffset;
}
Logger.Instance.DeIndent();
}
public void Initialize(ResourceDecrypter resourceDecrypter) {
if (decrypterType == null)
return;
MethodDef cctor = decrypterType.FindStaticConstructor();
encryptedResource = CoUtils.GetResource(module, DotNetUtils.GetCodeStrings(cctor));
//if the return value is null, it is possible that resource name is encrypted
if (encryptedResource == null) {
var Resources = new string[] { CoUtils.DecryptResourceName(module, cctor) };
encryptedResource = CoUtils.GetResource(module, Resources);
}
encryptedResource.Data.Position = 0;
constantsData = resourceDecrypter.Decrypt(encryptedResource.Data.CreateStream());
}
public ResourceResolver(ModuleDefinition module, ResourceDecrypter resourceDecrypter)
{
this.module = module;
this.resourceDecrypter = resourceDecrypter;
}
public void init(ResourceDecrypter resourceDecrypter)
{
if (decrypterType == null)
return;
encryptedResource = CoUtils.getResource(module, DotNetUtils.getCodeStrings(DotNetUtils.getMethod(decrypterType, ".cctor")));
constantsData = resourceDecrypter.decrypt(encryptedResource.GetResourceStream());
}
