public static bool couldBeDecryptMethod(MethodDefinition method, IEnumerable <string> additionalTypes) { if (method.Body == null) { return(false); } var localTypes = new LocalTypes(method); var requiredTypes = new List <string> { "System.Byte[]", "System.IO.MemoryStream", "System.Security.Cryptography.CryptoStream", "System.Security.Cryptography.ICryptoTransform", }; requiredTypes.AddRange(additionalTypes); if (!localTypes.all(requiredTypes)) { return(false); } if (!localTypes.exists("System.Security.Cryptography.RijndaelManaged") && !localTypes.exists("System.Security.Cryptography.AesManaged")) { return(false); } return(true); }
bool checkType(TypeDef type) { var requiredTypes = new string[] { "System.Byte[]", "System.IO.MemoryStream", "System.Security.Cryptography.CryptoStream", "System.Security.Cryptography.MD5", "System.Security.Cryptography.Rijndael", }; foreach (var method in type.Methods) { if (!method.IsStatic || method.Body == null) { continue; } var sig = method.MethodSig; if (sig == null || sig.Params.Count != 2) { continue; } if (!checkType(sig.RetType, ElementType.String)) { continue; } if (!checkType(sig.Params[0], ElementType.String)) { continue; } if (!checkType(sig.Params[1], ElementType.String)) { continue; } var localTypes = new LocalTypes(method); if (!localTypes.all(requiredTypes)) { continue; } antiStrongNameMethod = method; return(true); } return(false); }
bool checkType(TypeDefinition type) { var requiredTypes = new string[] { "System.Byte[]", "System.IO.MemoryStream", "System.Security.Cryptography.CryptoStream", "System.Security.Cryptography.MD5", "System.Security.Cryptography.Rijndael", }; foreach (var method in type.Methods) { if (!method.IsStatic || method.Body == null) { continue; } if (method.Parameters.Count != 2) { continue; } if (!checkType(method.MethodReturnType.ReturnType.FullName, "System.String")) { continue; } if (!checkType(method.Parameters[0].ParameterType.FullName, "System.String")) { continue; } if (!checkType(method.Parameters[1].ParameterType.FullName, "System.String")) { continue; } var localTypes = new LocalTypes(method); if (!localTypes.all(requiredTypes)) { continue; } antiStrongNameMethod = method; return(true); } return(false); }
public static bool couldBeDecryptMethod(MethodDefinition method, IEnumerable<string> additionalTypes) { if (method.Body == null) return false; var localTypes = new LocalTypes(method); var requiredTypes = new List<string> { "System.Byte[]", "System.IO.MemoryStream", "System.Security.Cryptography.CryptoStream", "System.Security.Cryptography.ICryptoTransform", }; requiredTypes.AddRange(additionalTypes); if (!localTypes.all(requiredTypes)) return false; if (!localTypes.exists("System.Security.Cryptography.RijndaelManaged") && !localTypes.exists("System.Security.Cryptography.AesManaged")) return false; return true; }
public bool couldBeResourceDecrypter(MethodDefinition method, IEnumerable <string> additionalTypes, bool checkResource) { if (!method.IsStatic) { return(false); } if (method.Body == null) { return(false); } var localTypes = new LocalTypes(method); var requiredTypes = new List <string> { "System.Byte[]", "System.IO.BinaryReader", "System.IO.MemoryStream", "System.Security.Cryptography.CryptoStream", "System.Security.Cryptography.ICryptoTransform", }; requiredTypes.AddRange(additionalTypes); if (!localTypes.all(requiredTypes)) { return(false); } if (!localTypes.exists("System.Security.Cryptography.RijndaelManaged") && !localTypes.exists("System.Security.Cryptography.AesManaged")) { return(false); } if (checkResource && findMethodsDecrypterResource(method) == null) { return(false); } return(true); }
bool checkType(TypeDefinition type) { var requiredTypes = new string[] { "System.Byte[]", "System.IO.MemoryStream", "System.Security.Cryptography.CryptoStream", "System.Security.Cryptography.MD5", "System.Security.Cryptography.Rijndael", }; foreach (var method in type.Methods) { if (!method.IsStatic || method.Body == null) continue; if (method.Parameters.Count != 2) continue; if (!checkType(method.MethodReturnType.ReturnType.FullName, "System.String")) continue; if (!checkType(method.Parameters[0].ParameterType.FullName, "System.String")) continue; if (!checkType(method.Parameters[1].ParameterType.FullName, "System.String")) continue; var localTypes = new LocalTypes(method); if (!localTypes.all(requiredTypes)) continue; antiStrongNameMethod = method; return true; } return false; }
bool checkMethod(ISimpleDeobfuscator simpleDeobfuscator, MethodDefinition methodToCheck) { if (methodToCheck == null) { return(false); } var resolverLocals = new string[] { "System.Byte[]", "System.Reflection.Assembly", "System.Security.Cryptography.MD5", "System.String", "System.IO.BinaryReader", "System.IO.Stream", }; simpleDeobfuscator.deobfuscate(methodToCheck); foreach (var method in DotNetUtils.getCalledMethods(module, methodToCheck)) { var type = method.DeclaringType; if (!DotNetUtils.isMethod(method, "System.Void", "()")) { continue; } if (!method.IsStatic) { continue; } if (type.Fields.Count != 2) { continue; } if (type.HasNestedTypes) { continue; } if (type.HasEvents || type.HasProperties) { continue; } if (!checkFields(type.Fields)) { continue; } var resolverMethod = findAssemblyResolveMethod(type); if (resolverMethod == null) { continue; } var localTypes = new LocalTypes(resolverMethod); if (!localTypes.all(resolverLocals)) { continue; } assemblyResolverType = type; assemblyResolverMethod = resolverMethod; assemblyResolverInitMethod = method; return(true); } return(false); }
void findKeyIv(MethodDef method, out byte[] key, out byte[] iv) { key = null; iv = null; var requiredTypes = new string[] { "System.Byte[]", "System.IO.MemoryStream", "System.Security.Cryptography.CryptoStream", "System.Security.Cryptography.Rijndael", }; foreach (var calledMethod in DotNetUtils.getCalledMethods(module, method)) { if (calledMethod.DeclaringType != method.DeclaringType) { continue; } if (calledMethod.MethodSig.GetRetType().GetFullName() != "System.Byte[]") { continue; } var localTypes = new LocalTypes(calledMethod); if (!localTypes.all(requiredTypes)) { continue; } var instructions = calledMethod.Body.Instructions; byte[] newKey = null, newIv = null; for (int i = 0; i < instructions.Count && (newKey == null || newIv == null); i++) { var instr = instructions[i]; if (instr.OpCode.Code != Code.Ldtoken) { continue; } var field = instr.Operand as FieldDef; if (field == null) { continue; } if (field.InitialValue == null) { continue; } if (field.InitialValue.Length == 32) { newKey = field.InitialValue; } else if (field.InitialValue.Length == 16) { newIv = field.InitialValue; } } if (newKey == null || newIv == null) { continue; } initializeStringDecrypterVersion(method); key = newKey; iv = newIv; return; } }
bool checkType(TypeDef type) { var requiredTypes = new string[] { "System.Byte[]", "System.IO.MemoryStream", "System.Security.Cryptography.CryptoStream", "System.Security.Cryptography.MD5", "System.Security.Cryptography.Rijndael", }; foreach (var method in type.Methods) { if (!method.IsStatic || method.Body == null) continue; var sig = method.MethodSig; if (sig == null || sig.Params.Count != 2) continue; if (!checkType(sig.RetType, ElementType.String)) continue; if (!checkType(sig.Params[0], ElementType.String)) continue; if (!checkType(sig.Params[1], ElementType.String)) continue; var localTypes = new LocalTypes(method); if (!localTypes.all(requiredTypes)) continue; antiStrongNameMethod = method; return true; } return false; }