void InitializeConstantsDecrypterV18()
{
if (hasInitializedConstantsDecrypter || constantsDecrypterV18 == null || !constantsDecrypterV18.Detected)
{
return;
}
hasInitializedConstantsDecrypter = true;
DecryptResources();
constantsDecrypterV18.Initialize();
int32ValueInliner = new Int32ValueInliner();
int64ValueInliner = new Int64ValueInliner();
singleValueInliner = new SingleValueInliner();
doubleValueInliner = new DoubleValueInliner();
foreach (var info in constantsDecrypterV18.Decrypters)
{
staticStringInliner.Add(info.method, (method, gim, args) => constantsDecrypterV18.DecryptString(method, gim, (uint)args[0], (ulong)args[1]));
int32ValueInliner.Add(info.method, (method, gim, args) => constantsDecrypterV18.DecryptInt32(method, gim, (uint)args[0], (ulong)args[1]));
int64ValueInliner.Add(info.method, (method, gim, args) => constantsDecrypterV18.DecryptInt64(method, gim, (uint)args[0], (ulong)args[1]));
singleValueInliner.Add(info.method, (method, gim, args) => constantsDecrypterV18.DecryptSingle(method, gim, (uint)args[0], (ulong)args[1]));
doubleValueInliner.Add(info.method, (method, gim, args) => constantsDecrypterV18.DecryptDouble(method, gim, (uint)args[0], (ulong)args[1]));
}
DeobfuscatedFile.StringDecryptersAdded();
AddTypesToBeRemoved(constantsDecrypterV18.Types, "Constants decrypter type");
AddFieldsToBeRemoved(constantsDecrypterV18.Fields, "Constants decrypter field");
AddMethodToBeRemoved(constantsDecrypterV18.NativeMethod, "Constants decrypter native method");
AddTypeToBeRemoved(constantsDecrypterV18.LzmaType, "LZMA type");
AddResourceToBeRemoved(constantsDecrypterV18.Resource, "Encrypted constants");
}
public ConstantsInliner(Int32ValueInliner int32ValueInliner, Int64ValueInliner int64ValueInliner, SingleValueInliner singleValueInliner, DoubleValueInliner doubleValueInliner)
{
this.int32ValueInliner = int32ValueInliner;
this.int64ValueInliner = int64ValueInliner;
this.singleValueInliner = singleValueInliner;
this.doubleValueInliner = doubleValueInliner;
}
public override void DeobfuscateBegin()
{
base.DeobfuscateBegin();
if (options.DecryptResources)
{
AddCctorInitCallToBeRemoved(resourceResolver.InitMethod);
AddTypeToBeRemoved(resourceResolver.Type, "Resource resolver type");
}
DecryptResources();
stringDecrypter.Initialize();
if (Operations.DecryptStrings != OpDecryptString.None)
{
if (stringDecrypter.Resource != null)
{
Logger.v("Adding string decrypter. Resource: {0}", Utils.ToCsharpString(stringDecrypter.Resource.Name));
}
staticStringInliner.Add(stringDecrypter.DecryptMethod, (method, gim, args) => {
return(stringDecrypter.Decrypt(args));
});
DeobfuscatedFile.StringDecryptersAdded();
}
if (options.DumpEmbeddedAssemblies)
{
assemblyResolver.Initialize(DeobfuscatedFile, this);
// Need to dump the assemblies before decrypting methods in case there's a reference
// in the encrypted code to one of these assemblies.
DumpEmbeddedAssemblies();
}
if (options.DecryptMethods)
{
methodsDecrypter.Initialize(DeobfuscatedFile, this);
methodsDecrypter.decrypt();
}
if (options.DecryptConstants)
{
constantsDecrypter.Initialize(DeobfuscatedFile, this);
AddTypeToBeRemoved(constantsDecrypter.Type, "Constants decrypter type");
AddResourceToBeRemoved(constantsDecrypter.Resource, "Encrypted constants");
int32ValueInliner = new Int32ValueInliner();
int32ValueInliner.Add(constantsDecrypter.Int32Decrypter, (method, gim, args) => constantsDecrypter.DecryptInt32((int)args[0]));
int64ValueInliner = new Int64ValueInliner();
int64ValueInliner.Add(constantsDecrypter.Int64Decrypter, (method, gim, args) => constantsDecrypter.DecryptInt64((int)args[0]));
singleValueInliner = new SingleValueInliner();
singleValueInliner.Add(constantsDecrypter.SingleDecrypter, (method, gim, args) => constantsDecrypter.DecryptSingle((int)args[0]));
doubleValueInliner = new DoubleValueInliner();
doubleValueInliner.Add(constantsDecrypter.DoubleDecrypter, (method, gim, args) => constantsDecrypter.DecryptDouble((int)args[0]));
}
proxyCallFixer.Find();
startedDeobfuscating = true;
}
public override void DeobfuscateBegin()
{
if (_constantDecrypter.Detected)
{
_sbyteValueInliner = new SByteValueInliner();
_byteValueInliner = new ByteValueInliner();
_int16ValueInliner = new Int16ValueInliner();
_uint16ValueInliner = new UInt16ValueInliner();
_int32ValueInliner = new Int32ValueInliner();
_uint32ValueInliner = new UInt32ValueInliner();
_int64ValueInliner = new Int64ValueInliner();
_uint64ValueInliner = new UInt64ValueInliner();
_singleValueInliner = new SingleValueInliner();
_doubleValueInliner = new DoubleValueInliner();
_arrayValueInliner = new ArrayValueInliner(initializedDataCreator);
foreach (var info in _constantDecrypter.Decrypters)
{
staticStringInliner.Add(info.Method,
(method, gim, args) => _constantDecrypter.DecryptString(info, gim, (uint)args[0]));
_sbyteValueInliner.Add(info.Method,
(method, gim, args) => _constantDecrypter.DecryptSByte(info, gim, (uint)args[0]));
_byteValueInliner.Add(info.Method,
(method, gim, args) => _constantDecrypter.DecryptByte(info, gim, (uint)args[0]));
_int16ValueInliner.Add(info.Method,
(method, gim, args) => _constantDecrypter.DecryptInt16(info, gim, (uint)args[0]));
_uint16ValueInliner.Add(info.Method,
(method, gim, args) => _constantDecrypter.DecryptUInt16(info, gim, (uint)args[0]));
_int32ValueInliner.Add(info.Method,
(method, gim, args) => _constantDecrypter.DecryptInt32(info, gim, (uint)args[0]));
_uint32ValueInliner.Add(info.Method,
(method, gim, args) => _constantDecrypter.DecryptUInt32(info, gim, (uint)args[0]));
_int64ValueInliner.Add(info.Method,
(method, gim, args) => _constantDecrypter.DecryptInt64(info, gim, (uint)args[0]));
_uint64ValueInliner.Add(info.Method,
(method, gim, args) => _constantDecrypter.DecryptUInt64(info, gim, (uint)args[0]));
_singleValueInliner.Add(info.Method,
(method, gim, args) => _constantDecrypter.DecryptSingle(info, gim, (uint)args[0]));
_doubleValueInliner.Add(info.Method,
(method, gim, args) => _constantDecrypter.DecryptDouble(info, gim, (uint)args[0]));
_arrayValueInliner.Add(info.Method,
(method, gim, args) => _constantDecrypter.DecryptArray(info, gim, (uint)args[0]));
}
_deobfuscating = true;
}
if (_resourceDecrypter.Detected)
{
_resourceDecrypter.Fix();
}
base.DeobfuscateBegin();
}
void Initialize(ConstantsDecrypterBase constDecrypter, ref bool hasInitialized)
{
if (hasInitialized || constDecrypter == null || !constDecrypter.Detected)
{
return;
}
hasInitializedConstantsDecrypter15 = true;
DecryptResources();
constDecrypter.Initialize();
int32ValueInliner = new Int32ValueInliner();
int64ValueInliner = new Int64ValueInliner();
singleValueInliner = new SingleValueInliner();
doubleValueInliner = new DoubleValueInliner();
foreach (var info in constDecrypter.DecrypterInfos)
{
staticStringInliner.Add(info.decryptMethod, (method, gim, args) => constDecrypter.DecryptString(staticStringInliner.Method, method, args));
int32ValueInliner.Add(info.decryptMethod, (method, gim, args) => constDecrypter.DecryptInt32(int32ValueInliner.Method, method, args));
int64ValueInliner.Add(info.decryptMethod, (method, gim, args) => constDecrypter.DecryptInt64(int64ValueInliner.Method, method, args));
singleValueInliner.Add(info.decryptMethod, (method, gim, args) => constDecrypter.DecryptSingle(singleValueInliner.Method, method, args));
doubleValueInliner.Add(info.decryptMethod, (method, gim, args) => constDecrypter.DecryptDouble(doubleValueInliner.Method, method, args));
}
int32ValueInliner.RemoveUnbox = true;
int64ValueInliner.RemoveUnbox = true;
singleValueInliner.RemoveUnbox = true;
doubleValueInliner.RemoveUnbox = true;
DeobfuscatedFile.StringDecryptersAdded();
AddFieldsToBeRemoved(constDecrypter.Fields, "Constants decrypter field");
var moduleType = DotNetUtils.GetModuleType(Module);
foreach (var info in constDecrypter.DecrypterInfos)
{
if (info.decryptMethod.DeclaringType == moduleType)
{
AddMethodToBeRemoved(info.decryptMethod, "Constants decrypter method");
}
else
{
AddTypeToBeRemoved(info.decryptMethod.DeclaringType, "Constants decrypter type");
}
}
AddMethodToBeRemoved(constDecrypter.NativeMethod, "Constants decrypter native method");
AddResourceToBeRemoved(constDecrypter.Resource, "Encrypted constants");
}
public ConstantsInliner(SByteValueInliner sbyteValueInliner, ByteValueInliner byteValueInliner,
Int16ValueInliner int16ValueInliner, UInt16ValueInliner uint16ValueInliner,
Int32ValueInliner int32ValueInliner,
UInt32ValueInliner uint32ValueInliner, Int64ValueInliner int64ValueInliner,
UInt64ValueInliner uint64ValueInliner,
SingleValueInliner singleValueInliner, DoubleValueInliner doubleValueInliner,
ArrayValueInliner arrayValueInliner)
{
_sbyteValueInliner = sbyteValueInliner;
_byteValueInliner = byteValueInliner;
_int16ValueInliner = int16ValueInliner;
_uint16ValueInliner = uint16ValueInliner;
_int32ValueInliner = int32ValueInliner;
_uint32ValueInliner = uint32ValueInliner;
_int64ValueInliner = int64ValueInliner;
_uint64ValueInliner = uint64ValueInliner;
_singleValueInliner = singleValueInliner;
_doubleValueInliner = doubleValueInliner;
_arrayValueInliner = arrayValueInliner;
}
public override void deobfuscateBegin()
{
base.deobfuscateBegin();
resourceDecrypter = new ResourceDecrypter(module, DeobfuscatedFile);
resourceResolver = new ResourceResolver(module, resourceDecrypter);
assemblyResolver = new AssemblyResolver(module);
resourceResolver.find();
assemblyResolver.find();
decryptResources();
stringDecrypter.init(resourceDecrypter);
if (stringDecrypter.Method != null) {
staticStringInliner.add(stringDecrypter.Method, (method, gim, args) => {
return stringDecrypter.decrypt((int)args[0]);
});
DeobfuscatedFile.stringDecryptersAdded();
}
methodsDecrypter.decrypt(resourceDecrypter);
if (methodsDecrypter.Detected) {
if (!assemblyResolver.Detected)
assemblyResolver.find();
if (!tamperDetection.Detected)
tamperDetection.find();
}
antiDebugger = new AntiDebugger(module, DeobfuscatedFile, this);
antiDebugger.find();
if (options.DecryptConstants) {
constantsDecrypter.init(resourceDecrypter);
int32ValueInliner = new Int32ValueInliner();
int32ValueInliner.add(constantsDecrypter.Int32Decrypter, (method, gim, args) => constantsDecrypter.decryptInt32((int)args[0]));
int64ValueInliner = new Int64ValueInliner();
int64ValueInliner.add(constantsDecrypter.Int64Decrypter, (method, gim, args) => constantsDecrypter.decryptInt64((int)args[0]));
singleValueInliner = new SingleValueInliner();
singleValueInliner.add(constantsDecrypter.SingleDecrypter, (method, gim, args) => constantsDecrypter.decryptSingle((int)args[0]));
doubleValueInliner = new DoubleValueInliner();
doubleValueInliner.add(constantsDecrypter.DoubleDecrypter, (method, gim, args) => constantsDecrypter.decryptDouble((int)args[0]));
addTypeToBeRemoved(constantsDecrypter.Type, "Constants decrypter type");
addResourceToBeRemoved(constantsDecrypter.Resource, "Encrypted constants");
}
addModuleCctorInitCallToBeRemoved(resourceResolver.Method);
addModuleCctorInitCallToBeRemoved(assemblyResolver.Method);
addCallToBeRemoved(module.EntryPoint, tamperDetection.Method);
addModuleCctorInitCallToBeRemoved(tamperDetection.Method);
addCallToBeRemoved(module.EntryPoint, antiDebugger.Method);
addModuleCctorInitCallToBeRemoved(antiDebugger.Method);
addTypeToBeRemoved(resourceResolver.Type, "Resource resolver type");
addTypeToBeRemoved(assemblyResolver.Type, "Assembly resolver type");
addTypeToBeRemoved(tamperDetection.Type, "Tamper detection type");
addTypeToBeRemoved(antiDebugger.Type, "Anti-debugger type");
addTypeToBeRemoved(methodsDecrypter.Type, "Methods decrypter type");
addTypesToBeRemoved(methodsDecrypter.DelegateTypes, "Methods decrypter delegate type");
addResourceToBeRemoved(methodsDecrypter.Resource, "Encrypted methods");
proxyCallFixer.find();
dumpEmbeddedAssemblies();
}
public override void DeobfuscateBegin()
{
base.DeobfuscateBegin();
if (options.DecryptResources) {
AddCctorInitCallToBeRemoved(resourceResolver.InitMethod);
AddTypeToBeRemoved(resourceResolver.Type, "Resource resolver type");
}
DecryptResources();
stringDecrypter.Initialize();
if (Operations.DecryptStrings != OpDecryptString.None) {
if (stringDecrypter.Resource != null)
Logger.v("Adding string decrypter. Resource: {0}", Utils.ToCsharpString(stringDecrypter.Resource.Name));
staticStringInliner.Add(stringDecrypter.DecryptMethod, (method, gim, args) => {
return stringDecrypter.Decrypt(args);
});
DeobfuscatedFile.StringDecryptersAdded();
}
if (options.DumpEmbeddedAssemblies) {
assemblyResolver.Initialize(DeobfuscatedFile, this);
// Need to dump the assemblies before decrypting methods in case there's a reference
// in the encrypted code to one of these assemblies.
DumpEmbeddedAssemblies();
}
if (options.DecryptMethods) {
methodsDecrypter.Initialize(DeobfuscatedFile, this);
methodsDecrypter.decrypt();
}
if (options.DecryptConstants) {
constantsDecrypter.Initialize(DeobfuscatedFile, this);
AddTypeToBeRemoved(constantsDecrypter.Type, "Constants decrypter type");
AddResourceToBeRemoved(constantsDecrypter.Resource, "Encrypted constants");
int32ValueInliner = new Int32ValueInliner();
int32ValueInliner.Add(constantsDecrypter.Int32Decrypter, (method, gim, args) => constantsDecrypter.DecryptInt32((int)args[0]));
int64ValueInliner = new Int64ValueInliner();
int64ValueInliner.Add(constantsDecrypter.Int64Decrypter, (method, gim, args) => constantsDecrypter.DecryptInt64((int)args[0]));
singleValueInliner = new SingleValueInliner();
singleValueInliner.Add(constantsDecrypter.SingleDecrypter, (method, gim, args) => constantsDecrypter.DecryptSingle((int)args[0]));
doubleValueInliner = new DoubleValueInliner();
doubleValueInliner.Add(constantsDecrypter.DoubleDecrypter, (method, gim, args) => constantsDecrypter.DecryptDouble((int)args[0]));
}
proxyCallFixer.Find();
startedDeobfuscating = true;
}
public override void DeobfuscateBegin()
{
base.DeobfuscateBegin();
resourceDecrypter = new ResourceDecrypter(module, DeobfuscatedFile);
resourceResolver = new ResourceResolver(module, resourceDecrypter);
assemblyResolver = new AssemblyResolver(module);
resourceResolver.Find();
assemblyResolver.Find(DeobfuscatedFile);
DecryptResources();
stringDecrypter.Initialize(resourceDecrypter);
if (stringDecrypter.Method != null)
{
staticStringInliner.Add(stringDecrypter.Method, (method, gim, args) => {
return(stringDecrypter.Decrypt((int)args[0]));
});
DeobfuscatedFile.StringDecryptersAdded();
}
methodsDecrypter.Decrypt(resourceDecrypter, DeobfuscatedFile);
if (methodsDecrypter.Detected)
{
if (!assemblyResolver.Detected)
{
assemblyResolver.Find(DeobfuscatedFile);
}
if (!tamperDetection.Detected)
{
tamperDetection.Find();
}
}
antiDebugger = new AntiDebugger(module, DeobfuscatedFile, this);
antiDebugger.Find();
if (options.DecryptConstants)
{
constantsDecrypter.Initialize(resourceDecrypter);
int32ValueInliner = new Int32ValueInliner();
int32ValueInliner.Add(constantsDecrypter.Int32Decrypter, (method, gim, args) => constantsDecrypter.DecryptInt32((int)args[0]));
int64ValueInliner = new Int64ValueInliner();
int64ValueInliner.Add(constantsDecrypter.Int64Decrypter, (method, gim, args) => constantsDecrypter.DecryptInt64((int)args[0]));
singleValueInliner = new SingleValueInliner();
singleValueInliner.Add(constantsDecrypter.SingleDecrypter, (method, gim, args) => constantsDecrypter.DecryptSingle((int)args[0]));
doubleValueInliner = new DoubleValueInliner();
doubleValueInliner.Add(constantsDecrypter.DoubleDecrypter, (method, gim, args) => constantsDecrypter.DecryptDouble((int)args[0]));
AddTypeToBeRemoved(constantsDecrypter.Type, "Constants decrypter type");
AddResourceToBeRemoved(constantsDecrypter.Resource, "Encrypted constants");
}
AddModuleCctorInitCallToBeRemoved(resourceResolver.Method);
AddModuleCctorInitCallToBeRemoved(assemblyResolver.Method);
AddCallToBeRemoved(module.EntryPoint, tamperDetection.Method);
AddModuleCctorInitCallToBeRemoved(tamperDetection.Method);
AddCallToBeRemoved(module.EntryPoint, antiDebugger.Method);
AddModuleCctorInitCallToBeRemoved(antiDebugger.Method);
AddTypeToBeRemoved(resourceResolver.Type, "Resource resolver type");
AddTypeToBeRemoved(assemblyResolver.Type, "Assembly resolver type");
AddTypeToBeRemoved(tamperDetection.Type, "Tamper detection type");
AddTypeToBeRemoved(antiDebugger.Type, "Anti-debugger type");
AddTypeToBeRemoved(methodsDecrypter.Type, "Methods decrypter type");
AddTypesToBeRemoved(methodsDecrypter.DelegateTypes, "Methods decrypter delegate type");
AddResourceToBeRemoved(methodsDecrypter.Resource, "Encrypted methods");
proxyCallFixer.Find();
DumpEmbeddedAssemblies();
startedDeobfuscating = true;
}
void Initialize(ConstantsDecrypterBase constDecrypter, ref bool hasInitialized) {
if (hasInitialized || (constDecrypter == null || !constDecrypter.Detected))
return;
hasInitializedConstantsDecrypter15 = true;
DecryptResources();
constDecrypter.Initialize();
int32ValueInliner = new Int32ValueInliner();
int64ValueInliner = new Int64ValueInliner();
singleValueInliner = new SingleValueInliner();
doubleValueInliner = new DoubleValueInliner();
foreach (var info in constDecrypter.DecrypterInfos) {
staticStringInliner.Add(info.decryptMethod, (method, gim, args) => constDecrypter.DecryptString(staticStringInliner.Method, method, args));
int32ValueInliner.Add(info.decryptMethod, (method, gim, args) => constDecrypter.DecryptInt32(int32ValueInliner.Method, method, args));
int64ValueInliner.Add(info.decryptMethod, (method, gim, args) => constDecrypter.DecryptInt64(int64ValueInliner.Method, method, args));
singleValueInliner.Add(info.decryptMethod, (method, gim, args) => constDecrypter.DecryptSingle(singleValueInliner.Method, method, args));
doubleValueInliner.Add(info.decryptMethod, (method, gim, args) => constDecrypter.DecryptDouble(doubleValueInliner.Method, method, args));
}
int32ValueInliner.RemoveUnbox = true;
int64ValueInliner.RemoveUnbox = true;
singleValueInliner.RemoveUnbox = true;
doubleValueInliner.RemoveUnbox = true;
DeobfuscatedFile.StringDecryptersAdded();
AddFieldsToBeRemoved(constDecrypter.Fields, "Constants decrypter field");
var moduleType = DotNetUtils.GetModuleType(module);
foreach (var info in constDecrypter.DecrypterInfos) {
if (info.decryptMethod.DeclaringType == moduleType)
AddMethodToBeRemoved(info.decryptMethod, "Constants decrypter method");
else
AddTypeToBeRemoved(info.decryptMethod.DeclaringType, "Constants decrypter type");
}
AddMethodToBeRemoved(constDecrypter.NativeMethod, "Constants decrypter native method");
AddResourceToBeRemoved(constDecrypter.Resource, "Encrypted constants");
}
void InitializeConstantsDecrypterV18() {
if (hasInitializedConstantsDecrypter || (constantsDecrypterV18 == null || !constantsDecrypterV18.Detected))
return;
hasInitializedConstantsDecrypter = true;
DecryptResources();
constantsDecrypterV18.Initialize();
int32ValueInliner = new Int32ValueInliner();
int64ValueInliner = new Int64ValueInliner();
singleValueInliner = new SingleValueInliner();
doubleValueInliner = new DoubleValueInliner();
foreach (var info in constantsDecrypterV18.Decrypters) {
staticStringInliner.Add(info.method, (method, gim, args) => constantsDecrypterV18.DecryptString(method, gim, (uint)args[0], (ulong)args[1]));
int32ValueInliner.Add(info.method, (method, gim, args) => constantsDecrypterV18.DecryptInt32(method, gim, (uint)args[0], (ulong)args[1]));
int64ValueInliner.Add(info.method, (method, gim, args) => constantsDecrypterV18.DecryptInt64(method, gim, (uint)args[0], (ulong)args[1]));
singleValueInliner.Add(info.method, (method, gim, args) => constantsDecrypterV18.DecryptSingle(method, gim, (uint)args[0], (ulong)args[1]));
doubleValueInliner.Add(info.method, (method, gim, args) => constantsDecrypterV18.DecryptDouble(method, gim, (uint)args[0], (ulong)args[1]));
}
DeobfuscatedFile.StringDecryptersAdded();
AddTypesToBeRemoved(constantsDecrypterV18.Types, "Constants decrypter type");
AddFieldsToBeRemoved(constantsDecrypterV18.Fields, "Constants decrypter field");
AddMethodToBeRemoved(constantsDecrypterV18.NativeMethod, "Constants decrypter native method");
AddTypeToBeRemoved(constantsDecrypterV18.LzmaType, "LZMA type");
AddResourceToBeRemoved(constantsDecrypterV18.Resource, "Encrypted constants");
}
public ConstantsInliner(Int32ValueInliner int32ValueInliner, Int64ValueInliner int64ValueInliner, SingleValueInliner singleValueInliner, DoubleValueInliner doubleValueInliner) {
this.int32ValueInliner = int32ValueInliner;
this.int64ValueInliner = int64ValueInliner;
this.singleValueInliner = singleValueInliner;
this.doubleValueInliner = doubleValueInliner;
}