protected ProxyCallFixer2(ModuleDefinition module, ProxyCallFixer2 oldOne)
: base(module, oldOne)
{
foreach (var oldMethod in oldOne.proxyMethodToDelegateInfo.getKeys())
{
var oldDi = oldOne.proxyMethodToDelegateInfo.find(oldMethod);
var method = lookup(oldMethod, "Could not find proxy method");
proxyMethodToDelegateInfo.add(method, copy(oldDi));
}
}
public void add(MethodDefinition method, Func <MethodDefinition, GenericInstanceMethod, object[], string> handler)
{
if (method != null)
{
stringDecrypters.add(method, handler);
}
}
bool initializeDecrypterInfos(TypeDefinition type)
{
foreach (var method in type.Methods)
{
if (!method.IsStatic || method.Body == null)
{
continue;
}
if (method.Parameters.Count != 0)
{
continue;
}
if (!isStringType(method.MethodReturnType.ReturnType))
{
continue;
}
var info = createInfo(method);
if (info == null)
{
continue;
}
methodToInfo.add(method, info);
}
return(methodToInfo.Count != 0);
}
protected override void getCallInfo(object context, FieldDefinition field, out MethodReference calledMethod, out OpCode callOpcode)
{
if (memberReferences == null)
{
memberReferences = new List <MemberReference>(module.GetMemberReferences());
}
int rid = 0;
foreach (var c in field.Name)
{
rid = (rid << 4) + hexToInt((char)((byte)c + 0x2F));
}
rid &= 0x00FFFFFF;
calledMethod = (MethodReference)memberReferences[rid - 1];
var calledMethodDef = DotNetUtils.getMethod(module, calledMethod);
if (calledMethodDef != null)
{
proxyMethodsType = calledMethodDef.DeclaringType;
proxyTargetMethods.add(calledMethodDef, true);
calledMethod = calledMethodDef;
}
callOpcode = OpCodes.Call;
}
protected void add(MethodDefinition oldMethod, MethodReference newMethod, OpCode opCode)
{
if (oldMethod == null)
{
return;
}
oldToNewMethod.add(oldMethod, new NewMethodInfo(opCode, newMethod));
}
public void find(ISimpleDeobfuscator simpleDeobfuscator)
{
if (module.Assembly == null)
{
return;
}
bool hasPublicKeyToken = module.Assembly.Name.PublicKeyToken != null && module.Assembly.Name.PublicKeyToken.Length != 0;
foreach (var type in module.GetTypes())
{
var cctor = DotNetUtils.getMethod(type, ".cctor");
if (cctor == null)
{
continue;
}
bool deobfuscatedCctor = false;
foreach (var method in type.Methods)
{
if (!method.IsStatic || method.Body == null)
{
continue;
}
IDecrypterInfo info = null;
if (DecrypterInfo13.isPossibleDecrypterMethod(method))
{
deobfuscateCctor(simpleDeobfuscator, cctor, ref deobfuscatedCctor, hasPublicKeyToken);
simpleDeobfuscator.deobfuscate(method);
info = getInfoV13(cctor, method);
}
else if (DecrypterInfo40.isPossibleDecrypterMethod(method))
{
deobfuscateCctor(simpleDeobfuscator, cctor, ref deobfuscatedCctor, hasPublicKeyToken);
simpleDeobfuscator.deobfuscate(method);
info = getInfoV40(cctor, method);
}
else if (DecrypterInfo41.isPossibleDecrypterMethod(method))
{
deobfuscateCctor(simpleDeobfuscator, cctor, ref deobfuscatedCctor, hasPublicKeyToken);
simpleDeobfuscator.deobfuscate(method);
info = getInfoV41(cctor, method);
}
if (info == null)
{
continue;
}
methodToInfo.add(method, info);
version = info.Version;
}
}
}
public void find(ISimpleDeobfuscator simpleDeobfuscator)
{
if (module.Assembly == null)
{
return;
}
bool hasPublicKeyToken = module.Assembly.Name.PublicKeyToken != null && module.Assembly.Name.PublicKeyToken.Length != 0;
foreach (var type in module.GetTypes())
{
if (!checkFields(type.Fields))
{
continue;
}
var cctor = DotNetUtils.getMethod(type, ".cctor");
if (cctor == null)
{
continue;
}
if (!hasPublicKeyToken)
{
simpleDeobfuscator.deobfuscate(cctor);
}
foreach (var method in type.Methods)
{
if (method.Body == null)
{
continue;
}
IDecrypterInfo info = null;
if (DotNetUtils.isMethod(method, "System.String", "(System.Int32)"))
{
simpleDeobfuscator.deobfuscate(method);
info = getInfoV3(cctor, method);
}
else if (DotNetUtils.isMethod(method, "System.String", "(System.Int32,System.Int32)"))
{
simpleDeobfuscator.deobfuscate(method);
info = getInfoV4(cctor, method);
}
if (info == null)
{
continue;
}
methodToInfo.add(method, info);
version = info.Version;
}
}
}
public void find()
{
foreach (var type in module.Types)
{
MethodDefinition decrypterMethod;
var decrypterVersion = checkType(type, out decrypterMethod);
if (decrypterVersion == Version.Unknown)
{
continue;
}
version = decrypterVersion;
stringEncrypterInfos.add(decrypterMethod, new StringEncrypterInfo(decrypterMethod));
}
}
public void add(MethodDefinition method, Func <MethodDefinition, object[], TValue> handler)
{
if (method == null)
{
return;
}
if (decrypterMethods.find(method) != null)
{
throw new ApplicationException(string.Format("Handler for method {0:X8} has already been added", method.MetadataToken.ToInt32()));
}
if (method != null)
{
decrypterMethods.add(method, handler);
}
}
public void add(MethodDefinition method, MethodDefinition methodToBeRemoved)
{
if (method == null || methodToBeRemoved == null)
{
return;
}
checkMethod(methodToBeRemoved);
var dict = methodRefInfos.find(method);
if (dict == null)
{
methodRefInfos.add(method, dict = new MethodDefinitionAndDeclaringTypeDict <bool>());
}
dict.add(methodToBeRemoved, true);
}
public void initializeEventHandlerNames()
{
var ourFields = new FieldDefinitionAndDeclaringTypeDict <FieldDef>();
foreach (var fieldDef in type.AllFields)
{
ourFields.add(fieldDef.FieldDefinition, fieldDef);
}
var ourMethods = new MethodDefinitionAndDeclaringTypeDict <MethodDef>();
foreach (var methodDef in type.AllMethods)
{
ourMethods.add(methodDef.MethodDefinition, methodDef);
}
initVbEventHandlers(ourFields, ourMethods);
initFieldEventHandlers(ourFields, ourMethods);
initTypeEventHandlers(ourFields, ourMethods);
}
public void findDelegateCreator()
{
var requiredTypes = new string[] {
"System.ModuleHandle",
};
foreach (var type in module.Types)
{
if (!new FieldTypes(type).exactly(requiredTypes))
{
continue;
}
foreach (var method in type.Methods)
{
if (!method.IsStatic || method.Body == null)
{
continue;
}
if (!DotNetUtils.isMethod(method, "System.Void", "(System.RuntimeTypeHandle,System.Int32,System.RuntimeFieldHandle)") &&
!DotNetUtils.isMethod(method, "System.Void", "(System.RuntimeTypeHandle,System.Int32,System.Int32,System.RuntimeFieldHandle)"))
{
continue;
}
var creatorType = getProxyCreatorType(method);
if (creatorType == ProxyCreatorType.None)
{
continue;
}
methodToType.add(method, creatorType);
setDelegateCreatorMethod(method);
}
if (methodToType.Count == 0)
{
continue;
}
return;
}
}
public TypeDefinitionDict <bool> getInlinedTypes(IEnumerable <MethodDefinition> unusedMethods)
{
var unused = new MethodDefinitionAndDeclaringTypeDict <bool>();
foreach (var method in unusedMethods)
{
unused.add(method, true);
}
var types = new TypeDefinitionDict <bool>();
foreach (var type in methodsTypes.getKeys())
{
if (checkAllMethodsUnused(unused, type))
{
types.add(type, true);
}
}
return(types);
}
static void initializeCtors(TypeDefinition manager, MethodDefinitionAndDeclaringTypeDict <MethodReference> ctors)
{
if (manager == null)
{
return;
}
foreach (var ctor in manager.Methods)
{
if (ctor.Name != ".ctor")
{
continue;
}
var newCtor = new MethodReference(ctor.Name, ctor.MethodReturnType.ReturnType, manager.BaseType);
newCtor.HasThis = true;
foreach (var param in ctor.Parameters)
{
newCtor.Parameters.Add(new ParameterDefinition(param.ParameterType));
}
ctors.add(ctor, newCtor);
}
}
public void add(MethodDefinition method)
{
methods.add(method, true);
}
static void initializeCtors(TypeDefinition manager, MethodDefinitionAndDeclaringTypeDict<MethodReference> ctors)
{
if (manager == null)
return;
foreach (var ctor in manager.Methods) {
if (ctor.Name != ".ctor")
continue;
var newCtor = new MethodReference(ctor.Name, ctor.MethodReturnType.ReturnType, manager.BaseType);
newCtor.HasThis = true;
foreach (var param in ctor.Parameters)
newCtor.Parameters.Add(new ParameterDefinition(param.ParameterType));
ctors.add(ctor, newCtor);
}
}
public void initializeEventHandlerNames()
{
var ourFields = new FieldDefinitionAndDeclaringTypeDict<FieldDef>();
foreach (var fieldDef in type.AllFields)
ourFields.add(fieldDef.FieldDefinition, fieldDef);
var ourMethods = new MethodDefinitionAndDeclaringTypeDict<MethodDef>();
foreach (var methodDef in type.AllMethods)
ourMethods.add(methodDef.MethodDefinition, methodDef);
initVbEventHandlers(ourFields, ourMethods);
initFieldEventHandlers(ourFields, ourMethods);
initTypeEventHandlers(ourFields, ourMethods);
}
void initializeWindowsFormsFieldsAndProps()
{
var checker = NameChecker;
var ourFields = new FieldDefinitionAndDeclaringTypeDict<FieldDef>();
foreach (var fieldDef in type.AllFields)
ourFields.add(fieldDef.FieldDefinition, fieldDef);
var ourMethods = new MethodDefinitionAndDeclaringTypeDict<MethodDef>();
foreach (var methodDef in type.AllMethods)
ourMethods.add(methodDef.MethodDefinition, methodDef);
foreach (var methodDef in type.AllMethods) {
if (methodDef.MethodDefinition.Body == null)
continue;
if (methodDef.MethodDefinition.IsStatic || methodDef.MethodDefinition.IsVirtual)
continue;
var instructions = methodDef.MethodDefinition.Body.Instructions;
for (int i = 2; i < instructions.Count; i++) {
var call = instructions[i];
if (call.OpCode.Code != Code.Call && call.OpCode.Code != Code.Callvirt)
continue;
if (!isWindowsFormsSetNameMethod(call.Operand as MethodReference))
continue;
var ldstr = instructions[i - 1];
if (ldstr.OpCode.Code != Code.Ldstr)
continue;
var fieldName = ldstr.Operand as string;
if (fieldName == null || !checker.isValidFieldName(fieldName))
continue;
var instr = instructions[i - 2];
FieldReference fieldRef = null;
if (instr.OpCode.Code == Code.Call || instr.OpCode.Code == Code.Callvirt) {
var calledMethod = instr.Operand as MethodReference;
if (calledMethod == null)
continue;
var calledMethodDef = ourMethods.find(calledMethod);
if (calledMethodDef == null)
continue;
fieldRef = getFieldReference(calledMethodDef.MethodDefinition);
var propDef = calledMethodDef.Property;
if (propDef == null)
continue;
memberInfos.prop(propDef).suggestedName = fieldName;
fieldName = "_" + fieldName;
}
else if (instr.OpCode.Code == Code.Ldfld) {
fieldRef = instr.Operand as FieldReference;
}
if (fieldRef == null)
continue;
var fieldDef = ourFields.find(fieldRef);
if (fieldDef == null)
continue;
var fieldInfo = memberInfos.field(fieldDef);
if (fieldInfo.renamed)
continue;
fieldInfo.suggestedName = variableNameState.getNewFieldName(fieldInfo.oldName, new NameCreator2(fieldName));
}
}
}
public void add(MethodDefinition exceptionLogger)
{
exceptionLoggerMethods.add(exceptionLogger, true);
}
public void initialize()
{
if (encryptedResource == null)
{
return;
}
decryptedReader = new BinaryReader(new MemoryStream(decrypt(encryptedResource.GetResourceData())));
delegateType = null;
foreach (var type in module.GetTypes())
{
var cctor = DotNetUtils.getMethod(type, ".cctor");
if (cctor == null)
{
continue;
}
if (type.Fields.Count != 1)
{
continue;
}
var field = type.Fields[0];
var tmpDelegateType = DotNetUtils.getType(module, field.FieldType);
if (tmpDelegateType == null)
{
continue;
}
if (!checkDelegateType(tmpDelegateType))
{
continue;
}
if (delegateType != null && delegateType != tmpDelegateType)
{
continue;
}
if (!checkCctor(cctor))
{
continue;
}
delegateType = tmpDelegateType;
foreach (var method in type.Methods)
{
if (method.Name == ".cctor")
{
continue;
}
if (!method.IsStatic || method.Body == null)
{
continue;
}
if (method.Parameters.Count != 0)
{
continue;
}
if (method.MethodReturnType.ReturnType.FullName == "System.Void")
{
continue;
}
var info = getDecrypterInfo(method, field);
if (info == null)
{
continue;
}
decrypterMethods.add(info.method, info);
}
}
}
void initializeWindowsFormsFieldsAndProps()
{
var checker = NameChecker;
var ourFields = new FieldDefinitionAndDeclaringTypeDict <FieldDef>();
foreach (var fieldDef in type.AllFields)
{
ourFields.add(fieldDef.FieldDefinition, fieldDef);
}
var ourMethods = new MethodDefinitionAndDeclaringTypeDict <MethodDef>();
foreach (var methodDef in type.AllMethods)
{
ourMethods.add(methodDef.MethodDefinition, methodDef);
}
foreach (var methodDef in type.AllMethods)
{
if (methodDef.MethodDefinition.Body == null)
{
continue;
}
if (methodDef.MethodDefinition.IsStatic || methodDef.MethodDefinition.IsVirtual)
{
continue;
}
var instructions = methodDef.MethodDefinition.Body.Instructions;
for (int i = 2; i < instructions.Count; i++)
{
var call = instructions[i];
if (call.OpCode.Code != Code.Call && call.OpCode.Code != Code.Callvirt)
{
continue;
}
if (!isWindowsFormsSetNameMethod(call.Operand as MethodReference))
{
continue;
}
var ldstr = instructions[i - 1];
if (ldstr.OpCode.Code != Code.Ldstr)
{
continue;
}
var fieldName = ldstr.Operand as string;
if (fieldName == null || !checker.isValidFieldName(fieldName))
{
continue;
}
var instr = instructions[i - 2];
FieldReference fieldRef = null;
if (instr.OpCode.Code == Code.Call || instr.OpCode.Code == Code.Callvirt)
{
var calledMethod = instr.Operand as MethodReference;
if (calledMethod == null)
{
continue;
}
var calledMethodDef = ourMethods.find(calledMethod);
if (calledMethodDef == null)
{
continue;
}
fieldRef = getFieldReference(calledMethodDef.MethodDefinition);
var propDef = calledMethodDef.Property;
if (propDef == null)
{
continue;
}
memberInfos.prop(propDef).suggestedName = fieldName;
fieldName = "_" + fieldName;
}
else if (instr.OpCode.Code == Code.Ldfld)
{
fieldRef = instr.Operand as FieldReference;
}
if (fieldRef == null)
{
continue;
}
var fieldDef = ourFields.find(fieldRef);
if (fieldDef == null)
{
continue;
}
var fieldInfo = memberInfos.field(fieldDef);
if (fieldInfo.renamed)
{
continue;
}
fieldInfo.suggestedName = variableNameState.getNewFieldName(fieldInfo.oldName, new NameCreator2(fieldName));
}
}
}
public TypeDefinitionDict<bool> getInlinedTypes(IEnumerable<MethodDefinition> unusedMethods)
{
var unused = new MethodDefinitionAndDeclaringTypeDict<bool>();
foreach (var method in unusedMethods)
unused.add(method, true);
var types = new TypeDefinitionDict<bool>();
foreach (var type in methodsTypes.getKeys()) {
if (checkAllMethodsUnused(unused, type))
types.add(type, true);
}
return types;
}
void restoreMethodBodies()
{
var methodToOrigMethods = new MethodDefinitionAndDeclaringTypeDict<List<MethodDefinition>>();
foreach (var t in module.Types) {
var types = new List<TypeDefinition>(TypeDefinition.GetTypes(new List<TypeDefinition> { t }));
foreach (var type in types) {
if (methodsTypes.find(type))
continue;
foreach (var method in type.Methods) {
if (method.Name == ".ctor" || method.Name == ".cctor")
continue;
MethodDefinition calledMethod;
if (!checkRestoreBody(method, out calledMethod))
continue;
if (!checkSameMethods(method, calledMethod))
continue;
if (!methodsTypes.find(calledMethod.DeclaringType))
continue;
if (types.IndexOf(calledMethod.DeclaringType) < 0)
continue;
var list = methodToOrigMethods.find(calledMethod);
if (list == null)
methodToOrigMethods.add(calledMethod, list = new List<MethodDefinition>());
list.Add(method);
}
}
}
foreach (var calledMethod in methodToOrigMethods.getKeys()) {
var list = methodToOrigMethods.find(calledMethod);
var method = list[0];
Log.v("Restored method body {0:X8} from method {1:X8}",
method.MetadataToken.ToInt32(),
calledMethod.MetadataToken.ToInt32());
DotNetUtils.copyBodyFromTo(calledMethod, method);
classMethods.add(calledMethod, method);
}
}
void restoreMethodBodies()
{
var methodToOrigMethods = new MethodDefinitionAndDeclaringTypeDict <List <MethodDefinition> >();
foreach (var t in module.Types)
{
var types = new List <TypeDefinition>(TypeDefinition.GetTypes(new List <TypeDefinition> {
t
}));
foreach (var type in types)
{
if (methodsTypes.find(type))
{
continue;
}
foreach (var method in type.Methods)
{
if (method.Name == ".ctor" || method.Name == ".cctor")
{
continue;
}
MethodDefinition calledMethod;
if (!checkRestoreBody(method, out calledMethod))
{
continue;
}
if (!checkSameMethods(method, calledMethod))
{
continue;
}
if (!methodsTypes.find(calledMethod.DeclaringType))
{
continue;
}
if (types.IndexOf(calledMethod.DeclaringType) < 0)
{
continue;
}
var list = methodToOrigMethods.find(calledMethod);
if (list == null)
{
methodToOrigMethods.add(calledMethod, list = new List <MethodDefinition>());
}
list.Add(method);
}
}
}
foreach (var calledMethod in methodToOrigMethods.getKeys())
{
var list = methodToOrigMethods.find(calledMethod);
var method = list[0];
Log.v("Restored method body {0:X8} from method {1:X8}",
method.MetadataToken.ToInt32(),
calledMethod.MetadataToken.ToInt32());
DotNetUtils.copyBodyFromTo(calledMethod, method);
classMethods.add(calledMethod, method);
}
}
