public List <AssemblyInfo> GetAssemblyInfos(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) { var infos = new List <AssemblyInfo>(); if (embedResolverMethod != null) { simpleDeobfuscator.Deobfuscate(embedResolverMethod); simpleDeobfuscator.DecryptStrings(embedResolverMethod, deob); embedPassword = GetEmbedPassword(embedResolverMethod); } if (embedPassword == null) { return(infos); } foreach (var rsrc in module.Resources) { var resource = rsrc as EmbeddedResource; if (resource == null) { continue; } if (!Regex.IsMatch(resource.Name.String, "^cfd_([0-9a-f]{2})+_$")) { continue; } var asmData = Decrypt(embedPassword, Gunzip(resource.Data.ReadAllBytes())); var mod = ModuleDefMD.Load(asmData); infos.Add(new AssemblyInfo(asmData, resource, mod.Assembly.FullName, mod.Assembly.Name.String, DeobUtils.GetExtension(mod.Kind))); } return(infos); }
public List <AssemblyInfo> getAssemblyInfos(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) { var infos = new List <AssemblyInfo>(); if (embedResolverMethod != null) { simpleDeobfuscator.deobfuscate(embedResolverMethod); simpleDeobfuscator.decryptStrings(embedResolverMethod, deob); embedPassword = getEmbedPassword(embedResolverMethod); } if (embedPassword == null) { return(infos); } foreach (var rsrc in module.Resources) { var resource = rsrc as EmbeddedResource; if (resource == null) { continue; } if (!Regex.IsMatch(resource.Name, "^cfd_([0-9a-f]{2})+_$")) { continue; } var asmData = decrypt(embedPassword, gunzip(resource.GetResourceData())); var mod = ModuleDefinition.ReadModule(new MemoryStream(asmData)); infos.Add(new AssemblyInfo(asmData, resource, mod.Assembly.FullName, mod.Assembly.Name.Name, DeobUtils.getExtension(mod.Kind))); } return(infos); }
static byte[] Decrypt(PasswordInfo password, byte[] data) { const int iterations = 2; const int numBits = 0x100; var key = new Rfc2898DeriveBytes(password.passphrase, Encoding.UTF8.GetBytes(password.salt), iterations).GetBytes(numBits / 8); return(DeobUtils.AesDecrypt(data, key, Encoding.UTF8.GetBytes(password.iv))); }
public void find(out PasswordInfo mainAsmPassword, out PasswordInfo embedPassword) { var asmBuilder = AppDomain.CurrentDomain.DefineDynamicAssembly(new AssemblyName("asm"), AssemblyBuilderAccess.Run); var moduleBuilder = asmBuilder.DefineDynamicModule("mod"); var serializedTypes = new SerializedTypes(moduleBuilder); var allTypes = serializedTypes.deserialize(serializedData); asmTypes = toList(readField(allTypes, "Types")); mainAsmPassword = findMainAssemblyPassword(); embedPassword = findEmbedPassword(); }
public void Find(out PasswordInfo mainAsmPassword, out PasswordInfo embedPassword) { var asmBuilder = AppDomain.CurrentDomain.DefineDynamicAssembly(new AssemblyName("asm"), AssemblyBuilderAccess.Run); var moduleBuilder = asmBuilder.DefineDynamicModule("mod"); var serializedTypes = new SerializedTypes(moduleBuilder); var allTypes = serializedTypes.Deserialize(serializedData); asmTypes = ToList(ReadField(allTypes, "Types")); mainAsmPassword = FindMainAssemblyPassword(); embedPassword = FindEmbedPassword(); }
public AssemblyDecrypter(ModuleDefMD module, AssemblyDecrypter oldOne) { this.module = module; this.embedPassword = oldOne.embedPassword; }
public List<AssemblyInfo> GetAssemblyInfos(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) { var infos = new List<AssemblyInfo>(); if (embedResolverMethod != null) { simpleDeobfuscator.Deobfuscate(embedResolverMethod); simpleDeobfuscator.DecryptStrings(embedResolverMethod, deob); embedPassword = GetEmbedPassword(embedResolverMethod); } if (embedPassword == null) return infos; foreach (var rsrc in module.Resources) { var resource = rsrc as EmbeddedResource; if (resource == null) continue; if (!Regex.IsMatch(resource.Name.String, "^cfd_([0-9a-f]{2})+_$")) continue; var asmData = Decrypt(embedPassword, Gunzip(resource.Data.ReadAllBytes())); var mod = ModuleDefMD.Load(asmData); infos.Add(new AssemblyInfo(asmData, resource, mod.Assembly.FullName, mod.Assembly.Name.String, DeobUtils.GetExtension(mod.Kind))); } return infos; }
static byte[] Decrypt(PasswordInfo password, byte[] data) { const int iterations = 2; const int numBits = 0x100; var key = new Rfc2898DeriveBytes(password.passphrase, Encoding.UTF8.GetBytes(password.salt), iterations).GetBytes(numBits / 8); return DeobUtils.AesDecrypt(data, key, Encoding.UTF8.GetBytes(password.iv)); }
public List<AssemblyInfo> getAssemblyInfos(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) { var infos = new List<AssemblyInfo>(); if (embedResolverMethod != null) { simpleDeobfuscator.deobfuscate(embedResolverMethod); simpleDeobfuscator.decryptStrings(embedResolverMethod, deob); embedPassword = getEmbedPassword(embedResolverMethod); } if (embedPassword == null) return infos; foreach (var rsrc in module.Resources) { var resource = rsrc as EmbeddedResource; if (resource == null) continue; if (!Regex.IsMatch(resource.Name, "^cfd_([0-9a-f]{2})+_$")) continue; var asmData = decrypt(embedPassword, gunzip(resource.GetResourceData())); var mod = ModuleDefinition.ReadModule(new MemoryStream(asmData)); infos.Add(new AssemblyInfo(asmData, resource, mod.Assembly.FullName, mod.Assembly.Name.Name, DeobUtils.getExtension(mod.Kind))); } return infos; }