bool checkType(TypeDefinition type, MethodDefinition initMethod)
{
if (DotNetUtils.findFieldType(type, "System.Collections.Hashtable", true) == null)
{
return(false);
}
if (!checkInitMethod(initMethod))
{
return(false);
}
List <AssemblyInfo> newAssemblyInfos = null;
foreach (var s in DotNetUtils.getCodeStrings(initMethod))
{
newAssemblyInfos = initializeEmbeddedAssemblies(s);
if (newAssemblyInfos != null)
{
break;
}
}
if (newAssemblyInfos == null)
{
return(false);
}
resolverType = type;
resolverMethod = initMethod;
assemblyInfos = newAssemblyInfos;
return(true);
}
protected override bool checkHandlerMethod(MethodDef method)
{
if (!method.IsStatic || !method.HasBody)
{
return(false);
}
var infos = new List <EmbeddedAssemblyInfo>();
foreach (var s in DotNetUtils.getCodeStrings(method))
{
if (string.IsNullOrEmpty(s))
{
continue;
}
if (!initInfos(infos, s.Split(',')))
{
continue;
}
embeddedAssemblyInfos = infos;
findSimpleZipType(method);
return(true);
}
return(false);
}
string getResourceName()
{
var defaultName = module.Assembly.Name.Name + module.Assembly.Name.Name;
var cctor = DotNetUtils.getMethod(stringDecrypterType, ".cctor");
if (cctor == null)
{
return(defaultName);
}
foreach (var s in DotNetUtils.getCodeStrings(cctor))
{
if (DotNetUtils.getResource(module, s) != null)
{
return(s);
}
try {
return(Encoding.UTF8.GetString(Convert.FromBase64String(s)));
}
catch {
}
}
return(defaultName);
}
bool checkEncryptedMethod(MethodDefinition method, out EncryptInfo info)
{
info = null;
if (method.Body == null)
{
return(false);
}
if (!callsExecuteMethod(method))
{
return(false);
}
var strings = DotNetUtils.getCodeStrings(method);
if (strings.Count != 1)
{
throw new ApplicationException(string.Format("Could not find name of encrypted method"));
}
string feature = "";
string name = strings[0];
int index = name.IndexOf(':');
if (index >= 0)
{
feature = name.Substring(0, index);
name = name.Substring(index + 1);
}
info = new EncryptInfo(name, feature, method);
return(true);
}
EmbeddedResource findGetManifestResourceStreamTypeResource(TypeDefinition type, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
{
foreach (var method in type.Methods)
{
if (!method.IsPrivate || !method.IsStatic || method.Body == null)
{
continue;
}
if (!DotNetUtils.isMethod(method, "System.String", "(System.Reflection.Assembly,System.Type,System.String)"))
{
continue;
}
simpleDeobfuscator.deobfuscate(method);
simpleDeobfuscator.decryptStrings(method, deob);
foreach (var s in DotNetUtils.getCodeStrings(method))
{
var resource = DotNetUtils.getResource(module, s) as EmbeddedResource;
if (resource != null)
{
return(resource);
}
}
}
return(null);
}
static EmbeddedResource findEmbeddedResource2(ModuleDefinition module, MethodDefinition method)
{
var strings = new List <string>(DotNetUtils.getCodeStrings(method));
if (strings.Count != 1)
{
return(null);
}
var encryptedString = strings[0];
int xorKey;
if (!getXorKey2(method, out xorKey))
{
return(null);
}
var sb = new StringBuilder(encryptedString.Length);
foreach (var c in encryptedString)
{
sb.Append((char)(c ^ xorKey));
}
return(DotNetUtils.getResource(module, sb.ToString()) as EmbeddedResource);
}
public void find()
{
foreach (var calledMethod in DotNetUtils.getCalledMethods(module, DotNetUtils.getModuleTypeCctor(module)))
{
if (!DotNetUtils.isMethod(calledMethod, "System.Void", "()"))
{
continue;
}
if (calledMethod.DeclaringType.FullName != "<PrivateImplementationDetails>{F1C5056B-0AFC-4423-9B83-D13A26B48869}")
{
continue;
}
nativeLibCallerType = calledMethod.DeclaringType;
initMethod = calledMethod;
foreach (var s in DotNetUtils.getCodeStrings(initMethod))
{
nativeFileResource = DotNetUtils.getResource(module, s);
if (nativeFileResource != null)
{
break;
}
}
return;
}
}
public static EmbeddedResource getResource(ModuleDefinition module, MethodDefinition method)
{
if (method == null || method.Body == null)
{
return(null);
}
return(getResource(module, DotNetUtils.getCodeStrings(method)));
}
public void find(ISimpleDeobfuscator simpleDeobfuscator)
{
var additionalTypes = new string[] {
"System.String",
};
EmbeddedResource stringsResource = null;
foreach (var type in module.Types)
{
if (decrypterInfos.Count > 0)
{
break;
}
if (type.BaseType == null || type.BaseType.FullName != "System.Object")
{
continue;
}
foreach (var method in type.Methods)
{
if (!method.IsStatic || !method.HasBody)
{
continue;
}
if (!DotNetUtils.isMethod(method, "System.String", "(System.Int32)"))
{
continue;
}
if (!encryptedResource.couldBeResourceDecrypter(method, additionalTypes))
{
continue;
}
var resource = DotNetUtils.getResource(module, DotNetUtils.getCodeStrings(method)) as EmbeddedResource;
if (resource == null)
{
throw new ApplicationException("Could not find strings resource");
}
if (stringsResource != null && stringsResource != resource)
{
throw new ApplicationException("Two different string resources found");
}
stringsResource = resource;
encryptedResource.Method = method;
var info = new DecrypterInfo(method, null, null);
simpleDeobfuscator.deobfuscate(info.method);
findKeyIv(info.method, out info.key, out info.iv);
decrypterInfos.Add(info);
}
}
if (decrypterInfos.Count > 0)
{
findOtherStringDecrypter(decrypterInfos[0].method.DeclaringType);
}
}
public void init(ResourceDecrypter resourceDecrypter)
{
if (decrypterType == null)
{
return;
}
encryptedResource = CoUtils.getResource(module, DotNetUtils.getCodeStrings(DotNetUtils.getMethod(decrypterType, ".cctor")));
constantsData = resourceDecrypter.decrypt(encryptedResource.GetResourceStream());
}
static bool hasCodeString(MethodDef method, string str)
{
foreach (var s in DotNetUtils.getCodeStrings(method))
{
if (s == str)
{
return(true);
}
}
return(false);
}
bool containsString(MethodDef method, string part)
{
foreach (var s in DotNetUtils.getCodeStrings(method))
{
if (s.Contains(part))
{
return(true);
}
}
return(false);
}
static bool findString(MethodDefinition method, string s)
{
foreach (var cs in DotNetUtils.getCodeStrings(method))
{
if (cs == s)
{
return(true);
}
}
return(false);
}
public void init(ResourceDecrypter resourceDecrypter)
{
if (decrypterType == null)
{
return;
}
encryptedResource = CoUtils.getResource(module, DotNetUtils.getCodeStrings(decrypterType.FindStaticConstructor()));
encryptedResource.Data.Position = 0;
constantsData = resourceDecrypter.decrypt(encryptedResource.Data.CreateStream());
}
string getResourcePrefix(MethodDefinition handler)
{
foreach (var s in DotNetUtils.getCodeStrings(handler))
{
var resource = DotNetUtils.getResource(module, s + "00000") as EmbeddedResource;
if (resource != null)
{
return(s);
}
}
return(null);
}
public static EmbeddedResource getEmbeddedResourceFromCodeStrings(ModuleDef module, MethodDef method)
{
foreach (var s in DotNetUtils.getCodeStrings(method))
{
var resource = DotNetUtils.getResource(module, s) as EmbeddedResource;
if (resource != null)
{
return(resource);
}
}
return(null);
}
EmbeddedResource findMethodsDecrypterResource(MethodDefinition method)
{
foreach (var s in DotNetUtils.getCodeStrings(method))
{
var resource = DotNetUtils.getResource(module, s) as EmbeddedResource;
if (resource != null)
{
return(resource);
}
}
return(null);
}
static EmbeddedResource findEmbeddedResource1(ModuleDefinition module, MethodDefinition method)
{
foreach (var s in DotNetUtils.getCodeStrings(method))
{
var resource = DotNetUtils.getResource(module, s) as EmbeddedResource;
if (resource != null)
{
return(resource);
}
}
return(null);
}
static byte[] getSalt(MethodDef method)
{
foreach (var s in DotNetUtils.getCodeStrings(method))
{
var saltAry = fixSalt(s);
if (saltAry != null)
{
return(saltAry);
}
}
return(null);
}
bool initializeInfos(MethodDefinition method) {
foreach (var s in DotNetUtils.getCodeStrings(method)) {
if (string.IsNullOrEmpty(s))
continue;
var ary = s.Split(':');
foreach (var asmInfo in ary)
resourceInfos.Add(asmInfo.Split('|')[0]);
return true;
}
return false;
}
public EmbeddedResource mergeResources()
{
if (rsrcDecryptMethod == null)
{
return(null);
}
var resource = DotNetUtils.getResource(module, DotNetUtils.getCodeStrings(rsrcDecryptMethod)) as EmbeddedResource;
if (resource == null)
{
return(null);
}
DeobUtils.decryptAndAddResources(module, resource.Name, () => decryptResource(resource));
return(resource);
}
// Find the embedded resource where all the strings are encrypted
EmbeddedResource findStringResource(MethodDef method)
{
foreach (var s in DotNetUtils.getCodeStrings(method))
{
if (s == null)
{
continue;
}
var resource = DotNetUtils.getResource(module, s) as EmbeddedResource;
if (resource != null)
{
return(resource);
}
}
return(null);
}
string getPassword3(MethodDef method)
{
var strings = new List <string>(DotNetUtils.getCodeStrings(method));
if (strings.Count != 1)
{
return(null);
}
var s = strings[0];
if (!Regex.IsMatch(s, @"^[a-fA-F0-9]{2} $"))
{
return(null);
}
return(s);
}
bool createAssemblyInfos()
{
int numElements = DeobUtils.hasInteger(handlerMethod, 3) ? 3 : 2;
foreach (var s in DotNetUtils.getCodeStrings(handlerMethod))
{
var infos = createAssemblyInfos(s, numElements);
if (infos == null)
{
continue;
}
assemblyInfos = infos;
return(true);
}
return(false);
}
public List <ResourceInfo> getEmbeddedAssemblies(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
{
var infos = new List <ResourceInfo>();
if (assemblyResolverMethod == null)
{
return(infos);
}
simpleDeobfuscator.deobfuscate(assemblyResolverMethod);
simpleDeobfuscator.decryptStrings(assemblyResolverMethod, deob);
foreach (var resourcePrefix in DotNetUtils.getCodeStrings(assemblyResolverMethod))
{
infos.AddRange(getResourceInfos(resourcePrefix));
}
return(infos);
}
EmbeddedResource getResource(MethodDef method, out ModuleDefMD theResourceModule)
{
string resourceDllFileName = null;
theResourceModule = module;
foreach (var s in DotNetUtils.getCodeStrings(method))
{
if (s.Length > 0 && s[0] == '\\')
{
resourceDllFileName = s;
}
var resource = DotNetUtils.getResource(theResourceModule, s + ".resources") as EmbeddedResource;
if (resource != null)
{
return(resource);
}
}
if (resourceDllFileName == null)
{
return(null);
}
// Here if CW 2.x
theResourceModule = getResourceModule(resourceDllFileName);
if (theResourceModule == null)
{
return(null);
}
foreach (var s in DotNetUtils.getCodeStrings(method))
{
var resource = DotNetUtils.getResource(theResourceModule, s + ".resources") as EmbeddedResource;
if (resource != null)
{
return(resource);
}
}
theResourceModule = null;
return(null);
}
bool createDecryptKey()
{
if (decryptMethod == null)
{
return(false);
}
foreach (var s in DotNetUtils.getCodeStrings(decryptMethod))
{
decryptKey = decodeBase64(s);
if (decryptKey == null || decryptKey.Length == 0)
{
continue;
}
if (decrypterType.Detected)
{
var data = new byte[8];
ulong magic = decrypterType.getMagic();
data[0] = (byte)magic;
data[7] = (byte)(magic >> 8);
data[6] = (byte)(magic >> 16);
data[5] = (byte)(magic >> 24);
data[4] = (byte)(magic >> 32);
data[1] = (byte)(magic >> 40);
data[3] = (byte)(magic >> 48);
data[2] = (byte)(magic >> 56);
for (int i = 0; i < decryptKey.Length; i++)
{
decryptKey[i] ^= (byte)(i + data[i % data.Length]);
}
}
return(true);
}
return(false);
}
public static EmbeddedResource findEmbeddedResource(ModuleDefinition module, TypeDefinition decrypterType, Action <MethodDefinition> fixMethod)
{
foreach (var method in decrypterType.Methods)
{
if (!DotNetUtils.isMethod(method, "System.String", "()"))
{
continue;
}
if (!method.IsStatic)
{
continue;
}
fixMethod(method);
foreach (var s in DotNetUtils.getCodeStrings(method))
{
var resource = DotNetUtils.getResource(module, s) as EmbeddedResource;
if (resource != null)
{
return(resource);
}
}
}
return(null);
}
EmbeddedResource findResource(MethodDefinition method)
{
return(DotNetUtils.getResource(module, DotNetUtils.getCodeStrings(method)) as EmbeddedResource);
}
