Local GetDynamicLocal(out int instrIndex) { var instrs = installMethod.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { i = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Void System.IO.BinaryWriter::Write(System.Byte)"); if (i < 0) { break; } int index = i - 2; if (index < 0) { continue; } var ldloc = instrs[index]; if (!ldloc.IsLdloc()) { continue; } if (instrs[index + 1].OpCode.Code != Code.Conv_U1) { continue; } instrIndex = index; return(ldloc.GetLocal(installMethod.Body.Variables)); } instrIndex = 0; return(null); }
static bool FindKey4(MethodDef method, out uint key) { var instrs = method.Body.Instructions; for (int index = 0; index < instrs.Count; index++) { index = ConfuserUtils.FindCallMethod(instrs, index, Code.Call, "System.Void System.Runtime.InteropServices.Marshal::Copy(System.Byte[],System.Int32,System.IntPtr,System.Int32)"); if (index < 0) { break; } if (index + 2 >= instrs.Count) { continue; } if (!instrs[index + 1].IsLdloc()) { continue; } var ldci4 = instrs[index + 2]; if (!ldci4.IsLdcI4()) { continue; } key = (uint)ldci4.GetLdcI4Value(); return(true); } key = 0; return(false); }
static bool FindKey0(MethodDef method, out uint key) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { int index = ConfuserUtils.FindCallMethod(instrs, i, Code.Call, "System.Text.Encoding System.Text.Encoding::get_UTF8()"); if (index < 0) { break; } int index2 = ConfuserUtils.FindCallMethod(instrs, i, Code.Call, "System.Byte[] System.BitConverter::GetBytes(System.Int32)"); if (index2 - index != 2) { continue; } var ldci4 = instrs[index + 1]; if (!ldci4.IsLdcI4()) { continue; } key = (uint)ldci4.GetLdcI4Value(); return(true); } key = 0; return(false); }
static bool FindKey4_other(MethodDef method, out uint key) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { int index = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Int32 System.IO.BinaryReader::ReadInt32()"); if (index < 0) { break; } if (index + 1 >= instrs.Count) { break; } var ldci4 = instrs[index + 1]; if (!ldci4.IsLdcI4()) { continue; } key = (uint)ldci4.GetLdcI4Value(); return(true); } key = 0; return(false); }
static bool FindKey1(MethodDef method, out uint key) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { int index = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Int32 System.Reflection.MemberInfo::get_MetadataToken()"); if (index < 0) { break; } if (index + 2 > instrs.Count) { break; } if (!instrs[index + 1].IsStloc()) { continue; } var ldci4 = instrs[index + 2]; if (!ldci4.IsLdcI4()) { continue; } key = (uint)ldci4.GetLdcI4Value(); return(true); } key = 0; return(false); }
static bool FindSafeKey1(MethodDef method, out uint key) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { int index = ConfuserUtils.FindCallMethod(instrs, i, Code.Newobj, "System.Void System.Random::.ctor(System.Int32)"); if (index < 0) { break; } if (index == 0) { continue; } var ldci4 = instrs[index - 1]; if (!ldci4.IsLdcI4()) { continue; } key = (uint)ldci4.GetLdcI4Value(); return(true); } key = 0; return(false); }
public override string Decrypt(MethodDef caller, int magic) { var reader = stringDecrypter.reader; reader.Position = (caller.MDToken.ToInt32() ^ magic) - stringDecrypter.magic1; int len = reader.ReadInt32() ^ (int)~stringDecrypter.magic2; var rand = new Random(caller.MDToken.ToInt32()); var instrs = stringDecrypter.decryptMethod.Body.Instructions; constReader = new PolyConstantsReader(instrs, false); int polyIndex = ConfuserUtils.FindCallMethod(instrs, 0, Code.Callvirt, "System.Int64 System.IO.BinaryReader::ReadInt64()"); if (polyIndex < 0) { throw new ApplicationException("Could not find start of decrypt code"); } var decrypted = new byte[len]; for (int i = 0; i < len; i += 8) { constReader.Arg = reader.ReadInt64(); int index = polyIndex; long val; if (!constReader.GetInt64(ref index, out val) || instrs[index].OpCode.Code != Code.Conv_I8) { throw new ApplicationException("Could not get string int64 value"); } Array.Copy(BitConverter.GetBytes(val ^ rand.Next()), 0, decrypted, i, Math.Min(8, len - i)); } return(Encoding.Unicode.GetString(decrypted)); }
static bool FindKey5_v17_r74788(MethodDef method, out uint key) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { i = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Reflection.Module System.Reflection.Assembly::GetModule(System.String)"); if (i < 0) { break; } if (i + 1 >= instrs.Count) { break; } var ldci4 = instrs[i + 1]; if (!ldci4.IsLdcI4()) { continue; } key = (uint)ldci4.GetLdcI4Value(); return(true); } key = 0; return(false); }
static bool FindKey0d_v18_r75367(DecrypterInfo info) { var instrs = info.method.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { int index = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Int32 System.Reflection.MemberInfo::get_MetadataToken()"); if (index < 0) { break; } int index2 = ConfuserUtils.FindCallMethod(instrs, index, Code.Call, "System.Byte[] System.BitConverter::GetBytes(System.Int32)"); if (index2 < 0) { break; } if (index2 - index != 3) { continue; } var ldci4 = instrs[index + 1]; if (!ldci4.IsLdcI4()) { continue; } if (instrs[index + 2].OpCode.Code != Code.Xor) { continue; } info.key0d = (uint)ldci4.GetLdcI4Value(); return(true); } return(false); }
static bool FindKey5(MethodDef method, out uint key) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { i = FindCallvirtReadUInt32(instrs, i); if (i < 0) { break; } int index2 = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Int32 System.IO.BinaryReader::ReadInt32()"); if (index2 < 0) { break; } if (index2 - i != 6) { continue; } var ldci4 = instrs[i + 1]; if (!ldci4.IsLdcI4()) { continue; } if (instrs[i + 2].OpCode.Code != Code.Xor) { continue; } var stloc = instrs[i + 3]; if (!stloc.IsStloc()) { continue; } var ldloc = instrs[i + 4]; if (!ldloc.IsLdloc()) { continue; } if (ldloc.GetLocal(method.Body.Variables) == stloc.GetLocal(method.Body.Variables)) { continue; } if (!instrs[i + 5].IsLdloc()) { continue; } key = (uint)ldci4.GetLdcI4Value(); return(true); } key = 0; return(false); }
static int GetFieldNameIndex(MethodDef method) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { i = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Byte[] System.Text.Encoding::GetBytes(System.Char[],System.Int32,System.Int32)"); if (i < 0) break; if (i < 2) continue; var ldci4 = instrs[i - 2]; if (!ldci4.IsLdcI4()) continue; return ldci4.GetLdcI4Value(); } return -1; }
protected static bool FindKey0_v14_r58564(MethodDef method, out uint key) { var instrs = method.Body.Instructions; for (int i = 0; i + 5 < instrs.Count; i++) { i = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Int32 System.IO.BinaryReader::ReadInt32()"); if (i < 0) { break; } int index = i + 1; var ldci4_1 = instrs[index++]; if (!ldci4_1.IsLdcI4()) { continue; } if (instrs[index++].OpCode.Code != Code.Xor) { continue; } if (!instrs[index++].IsStloc()) { continue; } if (!instrs[index++].IsLdloc()) { continue; } var ldci4_2 = instrs[index++]; if (!ldci4_2.IsLdcI4()) { continue; } if (ldci4_2.GetLdcI4Value() != 0 && ldci4_1.GetLdcI4Value() != ldci4_2.GetLdcI4Value()) { continue; } key = (uint)ldci4_1.GetLdcI4Value(); return(true); } key = 0; return(false); }
static bool FindKey0d(MethodDef method, out uint key) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { int index = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Reflection.Module System.Reflection.MemberInfo::get_Module()"); if (index < 0) { break; } int index2 = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Int32 System.Reflection.MemberInfo::get_MetadataToken()"); int ldci4Index; switch (index2 - index) { case 3: // rev <= r79440 ldci4Index = index + 1; break; case -4: // rev >= r79630 ldci4Index = index2 - 2; break; default: continue; } var ldci4 = instrs[ldci4Index]; if (!ldci4.IsLdcI4()) { continue; } if (!instrs[ldci4Index + 1].IsLdloc()) { continue; } key = (uint)ldci4.GetLdcI4Value(); return(true); } key = 0; return(false); }
public void Find() { var cctor = DotNetUtils.GetModuleTypeCctor(module); if (cctor == null) return; simpleDeobfuscator.Deobfuscate(cctor, SimpleDeobfuscatorFlags.Force | SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs); if ((dictField = ConstantsDecrypterUtils.FindDictField(cctor, cctor.DeclaringType)) == null) return; if ((dataField = ConstantsDecrypterUtils.FindDataField_v18_r75367(cctor, cctor.DeclaringType)) == null && (dataField = ConstantsDecrypterUtils.FindDataField_v19_r77172(cctor, cctor.DeclaringType)) == null) return; nativeMethod = FindNativeMethod(cctor, cctor.DeclaringType); var method = GetDecryptMethod(); if (method == null) return; simpleDeobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs); var info = new DecrypterInfo(this, method, ConfuserVersion.Unknown); if (FindKeys_v18_r75367(info)) InitVersion(cctor, ConfuserVersion.v18_r75367_normal, ConfuserVersion.v18_r75367_dynamic, ConfuserVersion.v18_r75367_native); else if (FindKeys_v18_r75369(info)) { lzmaType = ConfuserUtils.FindLzmaType(cctor); if (lzmaType == null) InitVersion(cctor, ConfuserVersion.v18_r75369_normal, ConfuserVersion.v18_r75369_dynamic, ConfuserVersion.v18_r75369_native); else if (!DotNetUtils.CallsMethod(method, "System.Void System.Threading.Monitor::Exit(System.Object)")) InitVersion(cctor, ConfuserVersion.v19_r77172_normal, ConfuserVersion.v19_r77172_dynamic, ConfuserVersion.v19_r77172_native); else if (DotNetUtils.CallsMethod(method, "System.Void System.Diagnostics.StackFrame::.ctor(System.Int32)")) InitVersion(cctor, ConfuserVersion.v19_r78363_normal, ConfuserVersion.v19_r78363_dynamic, ConfuserVersion.v19_r78363_native); else { int index1 = ConfuserUtils.FindCallMethod(cctor.Body.Instructions, 0, Code.Callvirt, "System.Reflection.Module System.Reflection.MemberInfo::get_Module()"); int index2 = ConfuserUtils.FindCallMethod(cctor.Body.Instructions, 0, Code.Callvirt, "System.Int32 System.Reflection.MemberInfo::get_MetadataToken()"); if (index1 < 0 || index2 < 0) { } if (index2 - index1 == 3) InitVersion(cctor, ConfuserVersion.v19_r78056_normal, ConfuserVersion.v19_r78056_dynamic, ConfuserVersion.v19_r78056_native); else if (index2 - index1 == -4) InitVersion(cctor, ConfuserVersion.v19_r79630_normal, ConfuserVersion.v19_r79630_dynamic, ConfuserVersion.v19_r79630_native); } } else return; installMethod = cctor; }
static bool FindKey0_v18_r75369(MethodDef method, out byte key0) { var instrs = method.Body.Instructions; for (int index = 0; index < instrs.Count; index++) { index = ConfuserUtils.FindCallMethod(instrs, index, Code.Callvirt, "System.Int32 System.IO.Stream::Read(System.Byte[],System.Int32,System.Int32)"); if (index < 0) { break; } if (index + 4 >= instrs.Count) { break; } index++; if (instrs[index++].OpCode.Code != Code.Pop) { continue; } var ldci4 = instrs[index++]; if (!ldci4.IsLdcI4()) { continue; } if (instrs[index++].OpCode.Code != Code.Conv_U1) { continue; } if (!instrs[index++].IsStloc()) { continue; } key0 = (byte)ldci4.GetLdcI4Value(); return(true); } key0 = 0; return(false); }
static bool FindCallvirtChar(MethodDef method, out ushort callvirtChar) { var instrs = method.Body.Instructions; for (int index = 0; index < instrs.Count; index++) { index = ConfuserUtils.FindCallMethod(instrs, index, Code.Callvirt, "System.Char System.String::get_Chars(System.Int32)"); if (index < 0) break; index++; if (index >= instrs.Count) break; var ldci4 = instrs[index]; if (!ldci4.IsLdcI4()) continue; callvirtChar = (ushort)ldci4.GetLdcI4Value(); return true; } callvirtChar = 0; return false; }
static bool FindMagic1(MethodDef method, out uint magic) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { int index = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Byte[] System.IO.BinaryReader::ReadBytes(System.Int32)"); if (index < 0) { break; } if (index < 4) { continue; } index -= 4; if (!instrs[index].IsLdarg()) { continue; } if (instrs[index + 1].OpCode.Code != Code.Xor) { continue; } var ldci4 = instrs[index + 2]; if (!ldci4.IsLdcI4()) { continue; } if (instrs[index + 3].OpCode.Code != Code.Sub) { continue; } magic = (uint)ldci4.GetLdcI4Value(); return(true); } magic = 0; return(false); }
static bool FindMagic_v18_r75367(MethodDef method, out uint magic) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { i = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Reflection.Module System.Reflection.MemberInfo::get_Module()"); if (i < 0 || i + 3 >= instrs.Count) break; if (!instrs[i + 1].IsLdloc()) continue; var ldci4 = instrs[i + 2]; if (!ldci4.IsLdcI4()) continue; if (instrs[i+3].OpCode.Code != Code.Xor) continue; magic = (uint)ldci4.GetLdcI4Value(); return true; } magic = 0; return false; }
static MethodDef FindNativeMethod_v18_r75367(MethodDef method) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { i = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Reflection.Module System.Reflection.MemberInfo::get_Module()"); if (i < 0 || i + 2 >= instrs.Count) break; if (!instrs[i + 1].IsLdloc()) continue; var call = instrs[i + 2]; if (call.OpCode.Code != Code.Call) continue; var calledMethod = call.Operand as MethodDef; if (calledMethod == null || calledMethod.Body != null || !calledMethod.IsNative) continue; return calledMethod; } return null; }
static bool FindMagic_v14_r58564(MethodDef method, out uint magic) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { int index = ConfuserUtils.FindCallMethod(instrs, i, Code.Call, "System.Int32 System.BitConverter::ToInt32(System.Byte[],System.Int32)"); if (index < 0) break; int index2 = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Reflection.MethodBase System.Reflection.Module::ResolveMethod(System.Int32)"); if (index2 < 0 || index2 - index != 3) continue; var ldci4 = instrs[index + 1]; if (!ldci4.IsLdcI4()) continue; if (instrs[index + 2].OpCode.Code != Code.Xor) continue; magic = (uint)ldci4.GetLdcI4Value(); return true; } magic = 0; return false; }
static bool Is_v17_r73740(MethodDef method) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { int index = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Reflection.MethodBase System.Reflection.Module::ResolveMethod(System.Int32)"); if (index < 0) break; if (index < 3) continue; index -= 3; var ldci4 = instrs[index]; if (!ldci4.IsLdcI4() || ldci4.GetLdcI4Value() != 24) continue; if (instrs[index + 1].OpCode.Code != Code.Shl) continue; if (instrs[index + 2].OpCode.Code != Code.Or) continue; return true; } return false; }
static MethodDef FindNativeMethod_v17_r73740(MethodDef method) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { int index = ConfuserUtils.FindCallMethod(instrs, i, Code.Call, "System.Int32 System.BitConverter::ToInt32(System.Byte[],System.Int32)"); if (index < 0) break; if (index < 1 || index + 1 >= instrs.Count) continue; if (!instrs[index - 1].IsLdcI4()) continue; var call = instrs[index + 1]; if (call.OpCode.Code != Code.Call) continue; var calledMethod = call.Operand as MethodDef; if (calledMethod == null || calledMethod.Body != null || !calledMethod.IsNative) continue; return calledMethod; } return null; }
static Local GetDynamicLocal_v17_r73740(MethodDef method) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { i = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Byte System.IO.BinaryReader::ReadByte()"); if (i < 0 || i + 5 >= instrs.Count) { break; } if (!instrs[i + 1].IsStloc()) { continue; } var ldloc = instrs[i + 2]; if (!ldloc.IsLdloc()) { continue; } if (!instrs[i + 3].IsLdloc()) { continue; } var ldci4 = instrs[i + 4]; if (!ldci4.IsLdcI4() || ldci4.GetLdcI4Value() != 0x7F) { continue; } if (instrs[i + 5].OpCode.Code != Code.And) { continue; } return(ldloc.GetLocal(method.Body.Variables)); } return(null); }
static bool FindMagic_v17_r73740(MethodDef method, out uint magic) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { int index = ConfuserUtils.FindCallMethod(instrs, i, Code.Call, "System.Int32 System.BitConverter::ToInt32(System.Byte[],System.Int32)"); if (index < 0) break; if (index < 1 || index + 2 >= instrs.Count) continue; if (!instrs[index - 1].IsLdcI4()) continue; var ldci4 = instrs[index + 1]; if (!ldci4.IsLdcI4()) continue; if (instrs[index + 2].OpCode.Code != Code.Xor) continue; magic = (uint)ldci4.GetLdcI4Value(); return true; } magic = 0; return false; }
static bool FindTypeCode(IList <Block> allBlocks, out byte typeCode, Code callCode, string bitConverterMethod) { foreach (var block in allBlocks) { if (block.Sources.Count != 1) { continue; } int index = ConfuserUtils.FindCallMethod(block.Instructions, 0, callCode, bitConverterMethod); if (index < 0) { continue; } if (!FindTypeCode(block.Sources[0], out typeCode)) { continue; } return(true); } typeCode = 0; return(false); }
static bool FindKey0_v17_r73404(MethodDef method, out byte key) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count - 3; i++) { int index = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Byte[] System.IO.BinaryReader::ReadBytes(System.Int32)"); if (index < 0) { break; } if (index + 3 >= instrs.Count) { break; } if (!instrs[index + 1].IsStloc()) { continue; } var ldci4 = instrs[index + 2]; if (!ldci4.IsLdcI4()) { continue; } if (!instrs[index + 3].IsStloc()) { continue; } key = (byte)ldci4.GetLdcI4Value(); return(true); } key = 0; return(false); }
static string GetResourceName(MethodDef method) { var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { i = ConfuserUtils.FindCallMethod(instrs, i, Code.Call, "System.Byte[] System.BitConverter::GetBytes(System.Int32)"); if (i < 0) { break; } if (i == 0) { continue; } var ldci4 = instrs[i - 1]; if (!ldci4.IsLdcI4()) { continue; } return(Encoding.UTF8.GetString(BitConverter.GetBytes(ldci4.GetLdcI4Value()))); } return(null); }
protected static int FindCallvirtReadUInt32(IList <Instruction> instrs, int index) { return(ConfuserUtils.FindCallMethod(instrs, index, Code.Callvirt, "System.UInt32 System.IO.BinaryReader::ReadUInt32()")); }
static int FindCallvirtReadUInt64(IList <Instruction> instrs, int index) => ConfuserUtils.FindCallMethod(instrs, index, Code.Callvirt, "System.UInt64 System.IO.BinaryReader::ReadUInt64()");