TypeDef FindMethodsDecrypterType(TypeDef type)
{
foreach (var field in type.Fields)
{
var fieldType = DotNetUtils.GetType(module, field.FieldSig.GetFieldType());
if (fieldType == null)
{
continue;
}
if (fieldType.FindMethod("Finalize") == null)
{
continue;
}
if (!new FieldTypes(fieldType).Exists("System.Collections.Hashtable"))
{
continue;
}
if (DotNetUtils.GetMethod(fieldType, "System.String", "()") == null)
{
continue;
}
return(fieldType);
}
return(null);
}
void Find()
{
foreach (var type in module.Types)
{
if (type.HasEvents || type.HasProperties)
{
continue;
}
if (type.Methods.Count != 1)
{
continue;
}
if (type.Fields.Count != 1)
{
continue;
}
var method = type.Methods[0];
if (method.Name != ".ctor")
{
continue;
}
var field = type.Fields[0];
var fieldType = DotNetUtils.GetType(module, field.FieldSig.GetFieldType());
if (fieldType == null)
{
continue;
}
if (!fieldType.IsEnum)
{
continue;
}
enumField = field;
return;
}
}
bool CheckProxyType(Info infoTmp, TypeDef type)
{
if (type.NestedTypes.Count != 1)
{
return(false);
}
if (!new FieldTypes(type).All(requiredFields))
{
return(false);
}
var fields = GetRvaFields(type);
if (fields.Count != 1)
{
return(false);
}
var field = fields[0];
var fieldType = DotNetUtils.GetType(module, field.FieldSig.GetFieldType());
if (type.NestedTypes.IndexOf(fieldType) < 0)
{
return(false);
}
if (field.InitialValue == null || field.InitialValue.Length == 0)
{
return(false);
}
infoTmp.dataField = field;
return(true);
}
public void Initialize()
{
foreach (var kv in GetMovedTypes())
{
var structType = kv.Key;
structToOwners.Add(structType, kv.Value);
foreach (var ownerType in kv.Value)
{
foreach (var ownerField in ownerType.Fields)
{
if (DotNetUtils.GetType(module, ownerField.FieldSig.GetFieldType()) != structType)
{
continue;
}
structFieldsToFix.Add(ownerField, true);
break;
}
var fieldsDict = new FieldDefAndDeclaringTypeDict <FieldDef>();
typeToFieldsDict.Add(ownerType, fieldsDict);
foreach (var structField in structType.Fields)
{
var newField = module.UpdateRowId(new FieldDefUser(structField.Name, structField.FieldSig.Clone(), structField.Attributes));
ownerType.Fields.Add(newField);
fieldsDict.Add(structField, newField);
}
}
}
}
bool CheckType(TypeDef type)
{
if (!type.HasNestedTypes)
{
return(false);
}
var stringDataFieldTmp = CheckFields(type);
if (stringDataFieldTmp == null)
{
return(false);
}
var fieldType = DotNetUtils.GetType(module, stringDataFieldTmp.FieldSig.GetFieldType());
if (fieldType == null || type.NestedTypes.IndexOf(fieldType) < 0)
{
return(false);
}
var decrypterMethodTmp = GetDecrypterMethod(type);
if (decrypterMethodTmp == null)
{
return(false);
}
stringDataField = stringDataFieldTmp;
decrypterMethod = decrypterMethodTmp;
return(true);
}
IEnumerable <FieldDef> GetPossibleFields(TypeDef type)
{
var typeToFields = new TypeDefDict <List <FieldDef> >();
foreach (var field in type.Fields)
{
if (field.Attributes != FieldAttributes.Private)
{
continue;
}
var fieldType = DotNetUtils.GetType(module, field.FieldSig.GetFieldType());
if (fieldType == null)
{
continue;
}
if (!CheckBaseType(fieldType))
{
continue;
}
var list = typeToFields.Find(fieldType);
if (list == null)
{
typeToFields.Add(fieldType, list = new List <FieldDef>());
}
list.Add(field);
}
foreach (var list in typeToFields.GetValues())
{
if (list.Count == 1)
{
yield return(list[0]);
}
}
}
bool CheckMemoryManagerType(TypeDef type, MethodDef method)
{
// Only two fields: itself and a long
int fields = 0;
foreach (var field in type.Fields)
{
if (new SigComparer().Equals(field.FieldType, type) ||
field.FieldType.FullName == "System.Int64")
{
fields++;
continue;
}
if (DotNetUtils.DerivesFromDelegate(DotNetUtils.GetType(module, field.FieldType)))
{
continue;
}
return(false);
}
if (fields != 2)
{
return(false);
}
if (DotNetUtils.GetPInvokeMethod(type, "kernel32", "SetProcessWorkingSetSize") == null)
{
return(false);
}
return(true);
}
void RemoveType(Dictionary <TypeDef, List <TypeDef> > candidates, TypeSig type)
{
var typeDef = DotNetUtils.GetType(module, type);
if (typeDef == null)
{
return;
}
candidates.Remove(typeDef);
}
public void Find()
{
var moduleCctor = DotNetUtils.GetModuleTypeCctor(_module);
if (moduleCctor == null)
{
return;
}
foreach (var inst in moduleCctor.Body.Instructions)
{
if (inst.OpCode != OpCodes.Call)
{
continue;
}
if (!(inst.Operand is MethodDef))
{
continue;
}
var method = inst.Operand as MethodDef;
if (!method.HasBody || !method.IsStatic)
{
continue;
}
if (!DotNetUtils.IsMethod(method, "System.Void", "()"))
{
continue;
}
_deobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.Force);
if (!IsResDecryptInit(method, out FieldDef aField, out FieldDef asmField, out MethodDef mtd))
{
continue;
}
try
{
_decryptedBytes = DecryptArray(method, aField.InitialValue);
}
catch (Exception e)
{
Console.WriteLine(e.Message);
return;
}
_arrayField = aField;
Type = DotNetUtils.GetType(_module, aField.FieldSig.Type);
_asmField = asmField;
AssembyResolveMethod = mtd;
Method = method;
CanRemoveLzma = true;
}
}
public void Find()
{
var moduleCctor = DotNetUtils.GetModuleTypeCctor(_module);
if (moduleCctor == null)
{
return;
}
foreach (var inst in moduleCctor.Body.Instructions)
{
if (inst.OpCode != OpCodes.Call)
{
continue;
}
if (!(inst.Operand is MethodDef))
{
continue;
}
var method = (MethodDef)inst.Operand;
if (!method.HasBody || !method.IsStatic)
{
continue;
}
if (!DotNetUtils.IsMethod(method, "System.Void", "()"))
{
continue;
}
_deobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.Force);
if (!IsStringDecrypterInit(method, out FieldDef aField, out FieldDef dField))
{
continue;
}
try
{
_decryptedBytes = DecryptArray(method, aField.InitialValue);
}
catch (Exception e)
{
Console.WriteLine(e.Message);
return;
}
_arrayField = aField;
_decryptedField = dField;
ArrayType = DotNetUtils.GetType(_module, _arrayField.FieldSig.Type);
Method = method;
Decrypters.AddRange(FindStringDecrypters(moduleCctor.DeclaringType));
CanRemoveLzma = true;
}
}
public IMethod TryGetMethodDef(IMethod methodRef)
{
var methodDef = methodRef as MethodDef;
if (methodDef != null)
{
return(methodDef);
}
var declaringType = DotNetUtils.GetType(module, methodRef.DeclaringType);
if (declaringType == null)
{
return(methodRef);
}
return(DotNetUtils.GetMethod(declaringType, methodRef));
}
public IField TryGetFieldDef(IField fieldRef)
{
var fieldDef = fieldRef as FieldDef;
if (fieldDef != null)
{
return(fieldDef);
}
var declaringType = DotNetUtils.GetType(module, fieldRef.DeclaringType);
if (declaringType == null)
{
return(fieldRef);
}
return(DotNetUtils.GetField(declaringType, fieldRef));
}
public static bool IsSimpleZipDecryptMethod_QuickCheck(ModuleDefMD module, IMethod method, out MethodDef simpleZipTypeMethod)
{
simpleZipTypeMethod = null;
if (!DotNetUtils.IsMethod(method, "System.Byte[]", "(System.Byte[])"))
{
return(false);
}
var methodDef = DotNetUtils.GetMethod(DotNetUtils.GetType(module, method.DeclaringType), method);
if (methodDef == null)
{
return(false);
}
simpleZipTypeMethod = methodDef;
return(true);
}
protected override bool CheckResolverType(TypeDef type)
{
if (DotNetUtils.FindFieldType(type, "System.Collections.Hashtable", true) != null ||
DotNetUtils.FindFieldType(type, "System.Collections.Generic.Dictionary`2<System.String,System.Reflection.Assembly>", true) != null)
{
return(true);
}
foreach (var field in type.Fields)
{
if (DotNetUtils.DerivesFromDelegate(DotNetUtils.GetType(module, field.FieldType)))
{
continue;
}
if (field.IsLiteral && field.FieldType.ToString() == "System.String")
{
continue;
}
return(false);
}
return(true);
}
TypeDef GetType(ITypeDefOrRef typeRef) => DotNetUtils.GetType(module, typeRef);
TypeDef GetType(ITypeDefOrRef typeRef)
{
return(DotNetUtils.GetType(module, typeRef));
}
public void Initialize()
{
if (encryptedResource == null)
{
return;
}
decryptedReader = new BinaryReader(new MemoryStream(Decrypt(encryptedResource.GetResourceData())));
delegateType = null;
foreach (var type in module.GetTypes())
{
var cctor = type.FindStaticConstructor();
if (cctor == null)
{
continue;
}
if (type.Fields.Count != 1)
{
continue;
}
var field = type.Fields[0];
var tmpDelegateType = DotNetUtils.GetType(module, field.FieldType);
if (tmpDelegateType == null)
{
continue;
}
if (!CheckDelegateType(tmpDelegateType))
{
continue;
}
if (delegateType != null && delegateType != tmpDelegateType)
{
continue;
}
if (!CheckCctor(cctor))
{
continue;
}
delegateType = tmpDelegateType;
foreach (var method in type.Methods)
{
if (method.Name == ".cctor")
{
continue;
}
if (!method.IsStatic || method.Body == null)
{
continue;
}
var sig = method.MethodSig;
if (sig == null || sig.Params.Count != 0)
{
continue;
}
if (sig.RetType.GetElementType() == ElementType.Void)
{
continue;
}
var info = GetDecrypterInfo(method, field);
if (info == null)
{
continue;
}
decrypterMethods.Add(info.method, info);
}
}
}
Dictionary <TypeDef, List <TypeDef> > GetMovedTypes()
{
var candidates = new Dictionary <TypeDef, List <TypeDef> >();
var typeToStruct = new Dictionary <TypeDef, TypeDef>();
foreach (var type in module.GetTypes())
{
foreach (var field in GetPossibleFields(type))
{
var fieldType = DotNetUtils.GetType(module, field.FieldSig.GetFieldType());
if (fieldType == null)
{
continue;
}
if (!CheckBaseType(fieldType))
{
continue;
}
if ((fieldType.Attributes & ~TypeAttributes.Sealed) != TypeAttributes.NestedAssembly)
{
continue;
}
if (fieldType.NestedTypes.Count > 0)
{
continue;
}
if (fieldType.GenericParameters.Count > 0)
{
continue;
}
if (fieldType.Fields.Count == 0)
{
continue;
}
if (fieldType.HasEvents || fieldType.HasProperties || fieldType.HasInterfaces)
{
continue;
}
if (CheckMethods(fieldType))
{
continue;
}
if (!CheckFields(fieldType))
{
continue;
}
List <TypeDef> list;
if (!candidates.TryGetValue(fieldType, out list))
{
candidates[fieldType] = list = new List <TypeDef>();
}
list.Add(type);
typeToStruct[type] = fieldType;
break;
}
}
foreach (var type in module.GetTypes())
{
TypeDef structType;
typeToStruct.TryGetValue(type, out structType);
foreach (var field in type.Fields)
{
if (field.IsStatic || field.FieldSig.GetFieldType().TryGetTypeDef() != structType)
{
RemoveType(candidates, field.FieldSig.GetFieldType());
}
}
foreach (var method in type.Methods)
{
RemoveType(candidates, method.MethodSig.GetRetType());
foreach (var parameter in method.MethodSig.GetParams())
{
RemoveType(candidates, parameter);
}
if (method.Body != null)
{
foreach (var local in method.Body.Variables)
{
RemoveType(candidates, local.Type);
}
}
}
}
return(candidates);
}
/*static string[] requiredFields = new string[] {
* "System.Byte[]",
* "System.Collections.Generic.Dictionary`2<System.Int32,System.String>",
* };*/
protected override bool CheckDecrypterType(TypeDef type)
{
var fields = type.Fields;
if (fields.Count != 2)
{
return(false);
}
if (fields[0].FieldType.FullName != "System.Byte[]")
{
return(false);
}
var dict = fields[1].FieldType.ToGenericInstSig();
if (dict == null || dict.GenericArguments.Count != 2)
{
return(false);
}
if (dict.GenericType.GetFullName() != "System.Collections.Generic.Dictionary`2")
{
return(false);
}
if (dict.GenericArguments[0].FullName != "System.Int32")
{
return(false);
}
var garg = dict.GenericArguments[1];
if (garg.FullName != "System.String")
{
if (!garg.IsValueType)
{
return(false);
}
var gargType = DotNetUtils.GetType(module, garg);
if (gargType == null || !gargType.IsClass)
{
return(false);
}
if (gargType.Fields.Count != 1)
{
return(false);
}
var field = gargType.Fields[0];
if (field.FieldType.FullName != "System.String")
{
return(false);
}
delegateReturnType = gargType;
stringStructField = field;
}
else
{
delegateReturnType = garg;
stringStructField = null;
}
return(true);
}
