bool findEmbedded(MethodDef method)
{
if (method == null || method.Body == null)
{
return(false);
}
foreach (var calledMethod in DotNetUtils.getCalledMethods(module, method))
{
var resolver = checkInitMethod(calledMethod);
if (resolver == null)
{
continue;
}
if (!checkType(calledMethod.DeclaringType))
{
continue;
}
embedInitMethod = calledMethod;
embedResolverMethod = resolver;
return(true);
}
return(false);
}
MethodDef checkCalledMethods(MethodDef method)
{
int calls = 0;
TypeDef type = null;
MethodDef initMethod = null;
foreach (var calledMethod in DotNetUtils.getCalledMethods(module, method))
{
calls++;
if (type != null && calledMethod.DeclaringType != type)
{
return(null);
}
type = calledMethod.DeclaringType;
if (initMethod == null)
{
initMethod = calledMethod;
}
}
if (calls != 2)
{
return(null);
}
return(initMethod);
}
public void find() {
var additionalTypes = new string[] {
"System.IntPtr",
// "System.Reflection.Assembly", //TODO: Not in unknown DNR version with jitter support
};
var checkedMethods = new Dictionary<IMethod, bool>(MethodEqualityComparer.CompareDeclaringTypes);
var callCounter = new CallCounter();
int typesLeft = 30;
foreach (var type in module.GetTypes()) {
var cctor = type.FindStaticConstructor();
if (cctor == null || cctor.Body == null)
continue;
if (typesLeft-- <= 0)
break;
foreach (var method in DotNetUtils.getCalledMethods(module, cctor)) {
if (!checkedMethods.ContainsKey(method)) {
checkedMethods[method] = false;
if (method.DeclaringType.BaseType == null || method.DeclaringType.BaseType.FullName != "System.Object")
continue;
if (!DotNetUtils.isMethod(method, "System.Void", "()"))
continue;
if (!encryptedResource.couldBeResourceDecrypter(method, additionalTypes))
continue;
checkedMethods[method] = true;
}
else if (!checkedMethods[method])
continue;
callCounter.add(method);
}
}
encryptedResource.Method = (MethodDef)callCounter.most();
}
protected override bool checkResolverInitMethodSilverlight(MethodDef resolverInitMethod)
{
if (resolverInitMethod.Body.ExceptionHandlers.Count != 1)
{
return(false);
}
foreach (var method in DotNetUtils.getCalledMethods(module, resolverInitMethod))
{
if (!method.IsStatic || method.Body == null)
{
continue;
}
if (!method.IsPublic || method.HasGenericParameters)
{
continue;
}
if (!DotNetUtils.isMethod(method, "System.Void", "(System.String)"))
{
continue;
}
simpleDeobfuscator.deobfuscate(method);
if (!new LocalTypes(method).all(requiredLocals_sl))
{
continue;
}
initMethod = resolverInitMethod;
resolveHandler = method;
updateVersion(resolveHandler);
return(true);
}
return(false);
}
public void find()
{
var cctor = DotNetUtils.getModuleTypeCctor(module);
if (cctor == null)
{
return;
}
foreach (var method in DotNetUtils.getCalledMethods(module, cctor))
{
if (method.Name == ".cctor" || method.Name == ".ctor")
{
continue;
}
if (!method.IsStatic || !DotNetUtils.isMethod(method, "System.Void", "()"))
{
continue;
}
if (checkType(method))
{
break;
}
}
}
bool checkCctor(MethodDef cctor)
{
var ldtokenType = getLdtokenType(cctor);
if (!new SigComparer().Equals(ldtokenType, cctor.DeclaringType))
{
return(false);
}
MethodDef initMethod = null;
foreach (var method in DotNetUtils.getCalledMethods(module, cctor))
{
if (DotNetUtils.isMethod(method, "System.Void", "(System.Type)"))
{
initMethod = method;
break;
}
}
if (initMethod == null || initMethod.Body == null)
{
return(false);
}
return(true);
}
string getPassword(MethodDef decryptMethod)
{
foreach (var method in DotNetUtils.getCalledMethods(module, decryptMethod))
{
if (!method.IsStatic || method.Body == null)
{
continue;
}
if (!new SigComparer().Equals(method.DeclaringType, decryptMethod.DeclaringType))
{
continue;
}
if (!DotNetUtils.isMethod(method, "System.String", "()"))
{
continue;
}
var hexChars = getPassword2(method);
if (string.IsNullOrEmpty(hexChars))
{
continue;
}
var password = fixPassword(hexChars);
if (string.IsNullOrEmpty(password))
{
continue;
}
return(password);
}
return(null);
}
bool checkCalledMethods(MethodDefinition checkMethod)
{
if (checkMethod == null || checkMethod.Body == null)
{
return(false);
}
foreach (var method in DotNetUtils.getCalledMethods(module, checkMethod))
{
if (method.Name == ".cctor" || method.Name == ".ctor")
{
continue;
}
if (!method.IsStatic || !DotNetUtils.isMethod(method, "System.Void", "()"))
{
continue;
}
if (checkResolverInitMethod(method))
{
return(true);
}
}
return(false);
}
bool checkCalledMethods(MethodDefinition checkMethod)
{
if (checkMethod == null)
{
return(false);
}
foreach (var method in DotNetUtils.getCalledMethods(module, checkMethod))
{
if (method.Name == ".cctor" || method.Name == ".ctor")
{
continue;
}
if (!method.IsStatic || !DotNetUtils.isMethod(method, "System.Void", "()"))
{
continue;
}
if (checkMemoryManagerType(method.DeclaringType, method))
{
memoryManagerType = method.DeclaringType;
attachAppMethod = method;
return(true);
}
}
return(false);
}
string getPassword(MethodDefinition decryptMethod)
{
foreach (var method in DotNetUtils.getCalledMethods(module, decryptMethod))
{
if (!method.IsStatic || method.Body == null)
{
continue;
}
if (!MemberReferenceHelper.compareTypes(method.DeclaringType, decryptMethod.DeclaringType))
{
continue;
}
if (!DotNetUtils.isMethod(method, "System.String", "()"))
{
continue;
}
var hexChars = getPassword2(method);
if (string.IsNullOrEmpty(hexChars))
{
continue;
}
var password = fixPassword(hexChars);
if (string.IsNullOrEmpty(password))
{
continue;
}
return(password);
}
return(null);
}
bool checkCctor(MethodDefinition cctor)
{
var ldtokenType = getLdtokenType(cctor);
if (!MemberReferenceHelper.compareTypes(ldtokenType, cctor.DeclaringType))
{
return(false);
}
MethodDefinition initMethod = null;
foreach (var method in DotNetUtils.getCalledMethods(module, cctor))
{
if (DotNetUtils.isMethod(method, "System.Void", "(System.Type)"))
{
initMethod = method;
break;
}
}
if (initMethod == null || initMethod.Body == null)
{
return(false);
}
return(true);
}
public void find()
{
foreach (var calledMethod in DotNetUtils.getCalledMethods(module, DotNetUtils.getModuleTypeCctor(module)))
{
if (!DotNetUtils.isMethod(calledMethod, "System.Void", "()"))
{
continue;
}
if (calledMethod.DeclaringType.FullName != "<PrivateImplementationDetails>{F1C5056B-0AFC-4423-9B83-D13A26B48869}")
{
continue;
}
nativeLibCallerType = calledMethod.DeclaringType;
initMethod = calledMethod;
foreach (var s in DotNetUtils.getCodeStrings(initMethod))
{
nativeFileResource = DotNetUtils.getResource(module, s);
if (nativeFileResource != null)
{
break;
}
}
return;
}
}
bool checkCctor(MethodDefinition cctor)
{
foreach (var method in DotNetUtils.getCalledMethods(module, cctor))
{
if (method.Name != "Startup")
{
continue;
}
if (!DotNetUtils.isMethod(method, "System.Void", "()"))
{
continue;
}
ModuleReference module1, module2;
bool isOldTmp;
if (!checkType(method.DeclaringType, out module1, out module2, out isOldTmp))
{
continue;
}
mcType = method.DeclaringType;
mcModule1 = module1;
mcModule2 = module2;
isOld = isOldTmp;
return(true);
}
return(false);
}
bool checkInitMethod(MethodDefinition checkMethod, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
{
var requiredFields = new string[] {
"System.Collections.Hashtable",
"System.Boolean",
};
foreach (var method in DotNetUtils.getCalledMethods(module, checkMethod))
{
if (method.Body == null)
{
continue;
}
if (!method.IsStatic)
{
continue;
}
if (!DotNetUtils.isMethod(method, "System.Void", "()"))
{
continue;
}
var type = method.DeclaringType;
if (!new FieldTypes(type).exactly(requiredFields))
{
continue;
}
var ctor = DotNetUtils.getMethod(type, ".ctor");
if (ctor == null)
{
continue;
}
var handler = getHandler(ctor);
if (handler == null)
{
continue;
}
simpleDeobfuscator.decryptStrings(handler, deob);
var resourcePrefix = getResourcePrefix(handler);
if (resourcePrefix == null)
{
continue;
}
for (int i = 0; ; i++)
{
var resource = DotNetUtils.getResource(module, resourcePrefix + i.ToString("D5")) as EmbeddedResource;
if (resource == null)
{
break;
}
resources.Add(resource);
}
initMethod = method;
return(true);
}
return(false);
}
bool find2()
{
foreach (var cctor in DeobUtils.getInitCctors(module, 3))
{
foreach (var calledMethod in DotNetUtils.getCalledMethods(module, cctor))
{
var type = calledMethod.DeclaringType;
if (type.IsPublic)
{
continue;
}
var fieldTypes = new FieldTypes(type);
if (!fieldTypes.exactly(requiredFields1) && !fieldTypes.exactly(requiredFields2) &&
!fieldTypes.exactly(requiredFields3) && !fieldTypes.exactly(requiredFields4))
{
continue;
}
if (!hasInitializeMethod(type, "_Initialize") && !hasInitializeMethod(type, "_Initialize64"))
{
continue;
}
stringDecrypterMethod = findStringDecrypterMethod(type);
initializeMethod = calledMethod;
postInitializeMethod = findMethod(type, "System.Void", "PostInitialize", "()");
loadMethod = findMethod(type, "System.IntPtr", "Load", "()");
cliSecureRtType = type;
return(true);
}
}
return(false);
}
string getMainResourceKey(MethodDef method, out MethodDef decryptAssemblyMethod)
{
foreach (var calledMethod in DotNetUtils.getCalledMethods(module, method))
{
if (!calledMethod.IsStatic || calledMethod.Body == null)
{
continue;
}
if (!DotNetUtils.isMethod(calledMethod, "System.Void", "(System.String[])"))
{
continue;
}
deobfuscateAll(calledMethod);
string keyInfo = getMainResourceKeyInfo(calledMethod, out decryptAssemblyMethod);
if (keyInfo == null)
{
continue;
}
return(BitConverter.ToString(new MD5CryptoServiceProvider().ComputeHash(new ASCIIEncoding().GetBytes(keyInfo))).Replace("-", ""));
}
decryptAssemblyMethod = null;
return(null);
}
bool find(MethodDefinition methodToCheck)
{
if (methodToCheck == null)
{
return(false);
}
foreach (var method in DotNetUtils.getCalledMethods(module, methodToCheck))
{
var type = method.DeclaringType;
if (!method.IsStatic || !DotNetUtils.isMethod(method, "System.Void", "()"))
{
continue;
}
if (DotNetUtils.getPInvokeMethod(type, "kernel32", "LoadLibrary") == null)
{
continue;
}
if (DotNetUtils.getPInvokeMethod(type, "kernel32", "GetProcAddress") == null)
{
continue;
}
deobfuscate(method);
if (!containsString(method, "debugger is active"))
{
continue;
}
antiDebuggerType = type;
antiDebuggerMethod = method;
return(true);
}
return(false);
}
bool checkAttachAppMethod(MethodDefinition attachAppMethod)
{
callResolverMethod = null;
if (!attachAppMethod.HasBody)
{
return(false);
}
foreach (var method in DotNetUtils.getCalledMethods(module, attachAppMethod))
{
if (attachAppMethod == method)
{
continue;
}
if (method.Name == ".cctor" || method.Name == ".ctor")
{
continue;
}
if (!method.IsStatic || !DotNetUtils.isMethod(method, "System.Void", "()"))
{
continue;
}
if (!checkResolverInitMethod(method))
{
continue;
}
callResolverMethod = attachAppMethod;
return(true);
}
if (hasLdftn(attachAppMethod))
{
simpleDeobfuscator.deobfuscate(attachAppMethod);
foreach (var resolverHandler in getResolverHandlers(attachAppMethod))
{
if (!resolverHandler.HasBody)
{
continue;
}
var resolverTypeTmp = getResolverType(resolverHandler);
if (resolverTypeTmp == null)
{
continue;
}
deobfuscate(resolverHandler);
if (checkHandlerMethod(resolverHandler))
{
callResolverMethod = attachAppMethod;
resolverType = resolverTypeTmp;
return(true);
}
}
}
return(false);
}
void addEntryPointCallToBeRemoved(MethodDefinition methodToBeRemoved)
{
var entryPoint = module.EntryPoint;
addCallToBeRemoved(entryPoint, methodToBeRemoved);
foreach (var calledMethod in DotNetUtils.getCalledMethods(module, entryPoint))
{
addCallToBeRemoved(calledMethod, methodToBeRemoved);
}
}
bool callsMethod(MethodDef methodToCheck, MethodDef calledMethod)
{
foreach (var method in DotNetUtils.getCalledMethods(module, methodToCheck))
{
if (method == calledMethod)
{
return(true);
}
}
return(false);
}
public void find()
{
var additionalTypes = new string[] {
"System.IntPtr",
// "System.Reflection.Assembly", //TODO: Not in unknown DNR version with jitter support
};
var checkedMethods = new Dictionary <MethodReferenceAndDeclaringTypeKey, bool>();
var callCounter = new CallCounter();
int typesLeft = 30;
foreach (var type in module.GetTypes())
{
var cctor = DotNetUtils.getMethod(type, ".cctor");
if (cctor == null || cctor.Body == null)
{
continue;
}
if (typesLeft-- <= 0)
{
break;
}
foreach (var method in DotNetUtils.getCalledMethods(module, cctor))
{
var key = new MethodReferenceAndDeclaringTypeKey(method);
if (!checkedMethods.ContainsKey(key))
{
checkedMethods[key] = false;
if (method.DeclaringType.BaseType == null || method.DeclaringType.BaseType.FullName != "System.Object")
{
continue;
}
if (!DotNetUtils.isMethod(method, "System.Void", "()"))
{
continue;
}
if (!encryptedResource.couldBeResourceDecrypter(method, additionalTypes))
{
continue;
}
checkedMethods[key] = true;
}
else if (!checkedMethods[key])
{
continue;
}
callCounter.add(method);
}
}
encryptedResource.Method = (MethodDefinition)callCounter.most();
}
// The main decrypter type calls the string decrypter init method inside its init method
void findV5(MethodDef method)
{
if (!mainType.Detected)
{
return;
}
foreach (var calledMethod in DotNetUtils.getCalledMethods(module, mainType.InitMethod))
{
if (find(calledMethod))
{
return;
}
}
}
string getPassword2(MethodDef method)
{
string password = "";
foreach (var calledMethod in DotNetUtils.getCalledMethods(module, method))
{
var s = getPassword3(calledMethod);
if (string.IsNullOrEmpty(s))
{
return(null);
}
password += s;
}
return(password);
}
void init()
{
var callCounter = new CallCounter();
int count = 0;
foreach (var type in module.GetTypes())
{
if (count >= 40)
{
break;
}
foreach (var method in type.Methods)
{
if (method.Name != ".ctor" && method.Name != ".cctor" && module.EntryPoint != method)
{
continue;
}
foreach (var calledMethod in DotNetUtils.getCalledMethods(module, method))
{
if (!calledMethod.IsStatic || calledMethod.Body == null)
{
continue;
}
if (!DotNetUtils.isMethod(calledMethod, "System.Void", "()"))
{
continue;
}
if (isEmptyClass(calledMethod))
{
callCounter.add(calledMethod);
count++;
}
}
}
}
int numCalls;
var theMethod = (MethodDef)callCounter.most(out numCalls);
if (numCalls >= 10)
{
emptyMethod = theMethod;
}
}
void findResourceType()
{
var cctor = DotNetUtils.getModuleTypeCctor(module);
if (cctor == null)
{
return;
}
foreach (var calledMethod in DotNetUtils.getCalledMethods(module, cctor))
{
if (!calledMethod.IsStatic || calledMethod.Body == null)
{
continue;
}
if (!DotNetUtils.isMethod(calledMethod, "System.Void", "()"))
{
continue;
}
var type = calledMethod.DeclaringType;
if (!new FieldTypes(type).exactly(requiredFields))
{
continue;
}
var resolveHandler = DotNetUtils.getMethod(type, "System.Reflection.Assembly", "(System.Object,System.ResolveEventArgs)");
var decryptMethod = DotNetUtils.getMethod(type, "System.Byte[]", "(System.IO.Stream)");
if (resolveHandler == null || !resolveHandler.IsStatic)
{
continue;
}
if (decryptMethod == null || !decryptMethod.IsStatic)
{
continue;
}
rsrcType = type;
rsrcRrrMethod = calledMethod;
rsrcResolveMethod = resolveHandler;
return;
}
}
bool callsMainTypeTamperCheckMethod(MethodDef method)
{
foreach (var calledMethod in DotNetUtils.getCalledMethods(module, method))
{
if (calledMethod == mainType.TamperCheckMethod)
{
return(true);
}
}
var instructions = method.Body.Instructions;
for (int i = 0; i < instructions.Count; i++)
{
var instrs = DotNetUtils.getInstructions(instructions, i, OpCodes.Ldtoken, OpCodes.Call, OpCodes.Call, OpCodes.Ldc_I8, OpCodes.Call);
if (instrs == null)
{
continue;
}
if (!checkInvokeCall(instrs[1], "System.Type", "(System.RuntimeTypeHandle)"))
{
continue;
}
if (!checkInvokeCall(instrs[2], "System.Reflection.Assembly", "(System.Object)"))
{
continue;
}
if (!checkInvokeCall(instrs[4], "System.Void", "(System.Reflection.Assembly,System.UInt64)"))
{
continue;
}
return(true);
}
return(false);
}
ProxyCreatorType getProxyCreatorType(MethodDefinition methodToCheck)
{
foreach (var calledMethod in DotNetUtils.getCalledMethods(module, methodToCheck))
{
if (!calledMethod.IsStatic || calledMethod.Body == null)
{
continue;
}
if (!MemberReferenceHelper.compareTypes(methodToCheck.DeclaringType, calledMethod.DeclaringType))
{
continue;
}
if (DotNetUtils.isMethod(calledMethod, "System.Void", "(System.Reflection.FieldInfo,System.Type,System.Reflection.MethodInfo)"))
{
return(ProxyCreatorType.CallOrCallvirt);
}
if (DotNetUtils.isMethod(calledMethod, "System.Void", "(System.Reflection.FieldInfo,System.Type,System.Reflection.ConstructorInfo)"))
{
return(ProxyCreatorType.Newobj);
}
}
return(ProxyCreatorType.None);
}
bool initProxyType(Info infoTmp, MethodDefinition method)
{
foreach (var calledMethod in DotNetUtils.getCalledMethods(module, method))
{
if (!calledMethod.IsStatic)
{
continue;
}
if (!DotNetUtils.isMethod(calledMethod, "System.Void", "(System.Int32)"))
{
continue;
}
if (!checkProxyType(infoTmp, calledMethod.DeclaringType))
{
continue;
}
infoTmp.proxyType = calledMethod.DeclaringType;
infoTmp.initMethod = calledMethod;
return(true);
}
return(false);
}
bool find(MethodDefinition methodToCheck)
{
if (methodToCheck == null)
{
return(false);
}
foreach (var method in DotNetUtils.getCalledMethods(module, methodToCheck))
{
bool result = false;
switch (frameworkType)
{
case FrameworkType.Desktop:
result = findDesktop(method);
break;
case FrameworkType.Silverlight:
result = findSilverlight(method);
break;
case FrameworkType.CompactFramework:
result = findCompactFramework(method);
break;
}
if (!result)
{
continue;
}
tamperType = method.DeclaringType;
tamperMethod = method;
return(true);
}
return(false);
}
bool findTypes(MethodDefinition initMethod)
{
if (initMethod == null)
{
return(false);
}
foreach (var method in DotNetUtils.getCalledMethods(module, initMethod))
{
if (method.Name == ".cctor" || method.Name == ".ctor")
{
continue;
}
if (!method.IsStatic || !DotNetUtils.isMethod(method, "System.Void", "()"))
{
continue;
}
if (checkAttachAppMethod(method))
{
return(true);
}
}
return(false);
}
