protected override void scanForObfuscator() { findCliSecureAttribute(); cliSecureRtType = new CliSecureRtType(module); cliSecureRtType.find(ModuleBytes); stringDecrypter = new StringDecrypter(module, cliSecureRtType.StringDecrypterMethod); stringDecrypter.find(); resourceDecrypter = new ResourceDecrypter(module); resourceDecrypter.find(); proxyCallFixer = new ProxyCallFixer(module); proxyCallFixer.findDelegateCreator(); csvm = new vm.Csvm(DeobfuscatedFile.DeobfuscatorContext, module); csvm.find(); }
public CliSecureRtType(ModuleDefMD module, CliSecureRtType oldOne) { this.module = module; cliSecureRtType = Lookup(oldOne.cliSecureRtType, "Could not find CliSecureRt type"); postInitializeMethod = Lookup(oldOne.postInitializeMethod, "Could not find postInitializeMethod method"); initializeMethod = Lookup(oldOne.initializeMethod, "Could not find initializeMethod method"); foreach (var info in oldOne.stringDecrypterInfos.Keys) { var m = Lookup(info.Method, "Could not find string decrypter method"); var f = Lookup(info.Field, "Could not find string decrypter field"); stringDecrypterInfos[new StringDecrypterInfo(m, f)] = true; } loadMethod = Lookup(oldOne.loadMethod, "Could not find loadMethod method"); foundSig = oldOne.foundSig; }
protected override void ScanForObfuscator() { FindCliSecureAttribute(); cliSecureRtType = new CliSecureRtType(Module); cliSecureRtType.Find(ModuleBytes); stringDecrypter = new StringDecrypter(Module, cliSecureRtType.StringDecrypterInfos); stringDecrypter.Find(); resourceDecrypter = new ResourceDecrypter(Module); resourceDecrypter.Find(); proxyCallFixer = new ProxyCallFixer(Module); proxyCallFixer.FindDelegateCreator(); csvmV1 = new vm.v1.Csvm(DeobfuscatedFile.DeobfuscatorContext, Module); csvmV1.Find(); csvmV2 = new vm.v2.Csvm(DeobfuscatedFile.DeobfuscatorContext, Module); csvmV2.Find(); }
static byte[] GetModuleCctorBytes(CliSecureRtType csRtType) { var initMethod = csRtType.InitializeMethod; if (initMethod == null) { return(null); } uint initToken = initMethod.MDToken.ToUInt32(); var moduleCctorBytes = new byte[6]; moduleCctorBytes[0] = 0x28; // call moduleCctorBytes[1] = (byte)initToken; moduleCctorBytes[2] = (byte)(initToken >> 8); moduleCctorBytes[3] = (byte)(initToken >> 16); moduleCctorBytes[4] = (byte)(initToken >> 24); moduleCctorBytes[5] = 0x2A; // ret return(moduleCctorBytes); }
public bool Decrypt(MyPEImage peImage, ModuleDefMD module, CliSecureRtType csRtType, ref DumpedMethods dumpedMethods) { this.peImage = peImage; this.csRtType = csRtType; this.module = module; switch (Decrypt2(ref dumpedMethods)) { case DecryptResult.Decrypted: return(true); case DecryptResult.NotEncrypted: return(false); case DecryptResult.Error: Logger.n("Using dynamic method decryption"); byte[] moduleCctorBytes = GetModuleCctorBytes(csRtType); dumpedMethods = de4dot.code.deobfuscators.MethodsDecrypter.Decrypt(module, moduleCctorBytes); return(true); default: throw new ApplicationException("Invalid DecryptResult"); } }