bool CheckMethod(MethodDef cctor) {
if (cctor == null || cctor.Body == null)
return false;
var localTypes = new LocalTypes(cctor);
if (!localTypes.Exactly(ilpLocalsV1x) &&
!localTypes.Exactly(ilpLocalsV2x))
return false;
var type = cctor.DeclaringType;
var methods = GetPinvokeMethods(type, "Protect");
if (methods.Count == 0)
methods = GetPinvokeMethods(type, "P0");
if (methods.Count != 2)
return false;
if (type.Fields.Count < 1 || type.Fields.Count > 2)
return false;
if (!GetDelegate(type, out invokerInstanceField, out invokerDelegate))
return false;
runtimeFileInfos = new List<RuntimeFileInfo>(methods.Count);
foreach (var method in methods)
runtimeFileInfos.Add(new RuntimeFileInfo(method));
return true;
}
bool CheckType(TypeDef type) {
var requiredTypes = new string[] {
"System.Byte[]",
"System.IO.MemoryStream",
"System.Security.Cryptography.CryptoStream",
"System.Security.Cryptography.MD5",
"System.Security.Cryptography.Rijndael",
};
foreach (var method in type.Methods) {
if (!method.IsStatic || method.Body == null)
continue;
var sig = method.MethodSig;
if (sig == null || sig.Params.Count != 2)
continue;
if (!CheckType(sig.RetType, ElementType.String))
continue;
if (!CheckType(sig.Params[0], ElementType.String))
continue;
if (!CheckType(sig.Params[1], ElementType.String))
continue;
var localTypes = new LocalTypes(method);
if (!localTypes.All(requiredTypes))
continue;
antiStrongNameMethod = method;
return true;
}
return false;
}
public static bool couldBeDecryptMethod(MethodDefinition method, IEnumerable <string> additionalTypes)
{
if (method.Body == null)
{
return(false);
}
var localTypes = new LocalTypes(method);
var requiredTypes = new List <string> {
"System.Byte[]",
"System.IO.MemoryStream",
"System.Security.Cryptography.CryptoStream",
"System.Security.Cryptography.ICryptoTransform",
};
requiredTypes.AddRange(additionalTypes);
if (!localTypes.all(requiredTypes))
{
return(false);
}
if (!localTypes.exists("System.Security.Cryptography.RijndaelManaged") &&
!localTypes.exists("System.Security.Cryptography.AesManaged"))
{
return(false);
}
return(true);
}
public static bool CouldBeResourceDecrypter(MethodDef method, LocalTypes localTypes, IList <string> additionalTypes)
{
var requiredTypes = new List <string> {
"System.Byte[]",
"System.IO.BinaryReader",
"System.IO.MemoryStream",
"System.Security.Cryptography.CryptoStream",
"System.Security.Cryptography.ICryptoTransform",
};
requiredTypes.AddRange(additionalTypes);
if (!localTypes.All(requiredTypes))
{
return(false);
}
if (DotNetUtils.GetMethod(method.DeclaringType, "System.Security.Cryptography.SymmetricAlgorithm", "()") != null)
{
if (localTypes.Exists("System.UInt64") || (localTypes.Exists("System.UInt32") && !localTypes.Exists("System.Reflection.Assembly")))
{
return(false);
}
}
if (!localTypes.Exists("System.Security.Cryptography.RijndaelManaged") &&
!localTypes.Exists("System.Security.Cryptography.AesManaged") &&
!localTypes.Exists("System.Security.Cryptography.SymmetricAlgorithm"))
{
return(false);
}
return(true);
}
/// <summary>
/// コンストラクタ
/// </summary>
/// <param name="node">対象Node</param>
/// <param name="semanticModel">対象ソースのsemanticModel</param>
/// <param name="parent">親IAnalyzeItem</param>
/// <param name="container">イベントコンテナ</param>
public ItemForEach(ForEachStatementSyntax node, SemanticModel semanticModel, IAnalyzeItem parent, EventContainer container) : base(parent, node, semanticModel, container)
{
ItemType = ItemTypes.MethodStatement;
var oparetion = semanticModel.GetOperation(node) as IForEachLoopOperation;
var localSymbol = oparetion.Locals.First();
// ローカルの型設定
IsVar = node.Type.IsVar;
LocalTypes.AddRange(GetTypes(localSymbol.Type, semanticModel, node));
// ローカル設定
Local.Add(new Expression(localSymbol.Name, Expression.GetSymbolTypeName(localSymbol)));
// コレクションの型設定
var conversionOperation = oparetion.Collection as IConversionOperation;
if (!(conversionOperation is null))
{
CollectionTypes.AddRange(GetTypes(conversionOperation.Operand.Type, semanticModel, node));
}
//コレクション
Collection.AddRange(OperationFactory.GetExpressionList(oparetion.Collection.Children.First(), container));
// 内部処理設定
var block = node.Statement as BlockSyntax;
foreach (var statement in block.Statements)
{
Members.Add(ItemFactory.Create(statement, semanticModel, container, this));
}
}
protected override void OnNodeSet()
{
if (LocalTypes == null)
{
var domNode =
new DomNode(SledLuaSchema.SledLuaVarFilterTypesType.Type);
var localTypes =
domNode.As <SledLuaVarFilterTypesType>();
SetChild(SledLuaSchema.SledLuaVarFilterType.LocalTypesChild, localTypes);
if (LocalTypes != null)
{
LocalTypes.SetAll(false);
}
}
if (LocalNames == null)
{
var domNode =
new DomNode(SledLuaSchema.SledLuaVarFilterNamesType.Type);
var localNames =
domNode.As <SledLuaVarFilterNamesType>();
SetChild(SledLuaSchema.SledLuaVarFilterType.LocalNamesChild, localNames);
}
if (TargetTypes == null)
{
var domNode =
new DomNode(SledLuaSchema.SledLuaVarFilterTypesType.Type);
var targetTypes =
domNode.As <SledLuaVarFilterTypesType>();
SetChild(SledLuaSchema.SledLuaVarFilterType.TargetTypesChild, targetTypes);
if (TargetTypes != null)
{
TargetTypes.SetAll(false);
}
}
if (TargetNames == null)
{
var domNode =
new DomNode(SledLuaSchema.SledLuaVarFilterNamesType.Type);
var targetNames =
domNode.As <SledLuaVarFilterNamesType>();
SetChild(SledLuaSchema.SledLuaVarFilterType.TargetNamesChild, targetNames);
}
base.OnNodeSet();
}
void InitializeStringDecrypterVersion(MethodDef method)
{
var localTypes = new LocalTypes(method);
if (localTypes.Exists("System.IntPtr"))
{
stringDecrypterVersion = StringDecrypterVersion.VER_38;
}
else
{
stringDecrypterVersion = StringDecrypterVersion.VER_37;
}
}
public MethodInfo Compile()
{
var locals = LocalTypes.ToList();
var instructions = Instructions.ToList();
var tokenResolver = new ILInstructionResolver(Module);
Dictionary <int, Label> labels = null;
return(DynamicCompiler.CompileMethod(Name, ReturnType, ParameterTypes, (gen) =>
{
locals.ForEach(x => gen.DeclareLocal(x));
labels = instructions.Where(x => x.Label.HasValue).ToDictionary(x => (int)x.Label, x => gen.DefineLabel());
instructions.ToList().ForEach(x => x.Emit(gen, tokenResolver, labels));
}));
}
bool CheckType(TypeDef type)
{
var requiredTypes = new string[] {
"System.Byte[]",
"System.IO.MemoryStream",
"System.Security.Cryptography.CryptoStream",
"System.Security.Cryptography.MD5",
"System.Security.Cryptography.Rijndael",
};
foreach (var method in type.Methods)
{
if (!method.IsStatic || method.Body == null)
{
continue;
}
var sig = method.MethodSig;
if (sig == null || sig.Params.Count != 2)
{
continue;
}
if (!CheckType(sig.RetType, ElementType.String))
{
continue;
}
if (!CheckType(sig.Params[0], ElementType.String))
{
continue;
}
if (!CheckType(sig.Params[1], ElementType.String))
{
continue;
}
var localTypes = new LocalTypes(method);
if (!localTypes.All(requiredTypes))
{
continue;
}
antiStrongNameMethod = method;
return(true);
}
return(false);
}
bool checkType(TypeDefinition type)
{
var requiredTypes = new string[] {
"System.Byte[]",
"System.IO.MemoryStream",
"System.Security.Cryptography.CryptoStream",
"System.Security.Cryptography.MD5",
"System.Security.Cryptography.Rijndael",
};
foreach (var method in type.Methods)
{
if (!method.IsStatic || method.Body == null)
{
continue;
}
if (method.Parameters.Count != 2)
{
continue;
}
if (!checkType(method.MethodReturnType.ReturnType.FullName, "System.String"))
{
continue;
}
if (!checkType(method.Parameters[0].ParameterType.FullName, "System.String"))
{
continue;
}
if (!checkType(method.Parameters[1].ParameterType.FullName, "System.String"))
{
continue;
}
var localTypes = new LocalTypes(method);
if (!localTypes.all(requiredTypes))
{
continue;
}
antiStrongNameMethod = method;
return(true);
}
return(false);
}
public static bool CouldBeResourceDecrypter(MethodDef method, LocalTypes localTypes, IList <string> additionalTypes)
{
var requiredTypes = new List <string> {
"System.UInt32",
"System.String",
"System.Int32",
"System.Byte[]",
"System.IO.BinaryReader",
};
requiredTypes.AddRange(additionalTypes);
if (!localTypes.All(requiredTypes))
{
return(false);
}
return(true);
}
bool CheckMethod(MethodDef cctor)
{
if (cctor == null || cctor.Body == null)
{
return(false);
}
var localTypes = new LocalTypes(cctor);
if (!localTypes.Exactly(ilpLocalsV1x) &&
!localTypes.Exactly(ilpLocalsV2x))
{
return(false);
}
var type = cctor.DeclaringType;
var methods = GetPinvokeMethods(type, "Protect");
if (methods.Count == 0)
{
methods = GetPinvokeMethods(type, "P0");
}
if (methods.Count != 2)
{
return(false);
}
if (type.Fields.Count < 1 || type.Fields.Count > 2)
{
return(false);
}
if (!GetDelegate(type, out invokerInstanceField, out invokerDelegate))
{
return(false);
}
runtimeFileInfos = new List <RuntimeFileInfo>(methods.Count);
foreach (var method in methods)
{
runtimeFileInfos.Add(new RuntimeFileInfo(method));
}
return(true);
}
public static bool CouldBeDecryptMethod(MethodDef method, IEnumerable<string> additionalTypes) {
if (method.Body == null)
return false;
var localTypes = new LocalTypes(method);
var requiredTypes = new List<string> {
"System.Byte[]",
"System.IO.MemoryStream",
"System.Security.Cryptography.CryptoStream",
"System.Security.Cryptography.ICryptoTransform",
};
requiredTypes.AddRange(additionalTypes);
if (!localTypes.All(requiredTypes))
return false;
if (!localTypes.Exists("System.Security.Cryptography.RijndaelManaged") &&
!localTypes.Exists("System.Security.Cryptography.AesManaged"))
return false;
return true;
}
public bool CouldBeResourceDecrypter(MethodDef method, IEnumerable <string> additionalTypes, bool checkResource)
{
if (!method.IsStatic)
{
return(false);
}
if (method.Body == null)
{
return(false);
}
var localTypes = new LocalTypes(method);
var requiredTypes = new List <string> {
"System.Byte[]",
"System.IO.BinaryReader",
"System.IO.MemoryStream",
"System.Security.Cryptography.CryptoStream",
"System.Security.Cryptography.ICryptoTransform",
};
requiredTypes.AddRange(additionalTypes);
if (!localTypes.All(requiredTypes))
{
return(false);
}
if (!localTypes.Exists("System.Security.Cryptography.RijndaelManaged") &&
!localTypes.Exists("System.Security.Cryptography.AesManaged") &&
!localTypes.Exists("System.Security.Cryptography.SymmetricAlgorithm"))
{
return(false);
}
if (checkResource && FindMethodsDecrypterResource(method) == null)
{
return(false);
}
return(true);
}
static DnrDecrypterType GetDecrypterType(MethodDef method, IList <string> additionalTypes)
{
if (method == null || !method.IsStatic || method.Body == null)
{
return(DnrDecrypterType.Unknown);
}
if (additionalTypes == null)
{
additionalTypes = new string[0];
}
var localTypes = new LocalTypes(method);
if (DecrypterV1.CouldBeResourceDecrypter(method, localTypes, additionalTypes))
{
return(DnrDecrypterType.V1);
}
else if (DecrypterV2.CouldBeResourceDecrypter(method, localTypes, additionalTypes))
{
return(DnrDecrypterType.V2);
}
return(DnrDecrypterType.Unknown);
}
public static bool CouldBeResourceDecrypter(MethodDef method, LocalTypes localTypes, IList <string> additionalTypes)
{
var requiredTypes = new List <string> {
"System.Byte[]",
"System.IO.BinaryReader",
"System.IO.MemoryStream",
"System.Security.Cryptography.CryptoStream",
"System.Security.Cryptography.ICryptoTransform",
};
requiredTypes.AddRange(additionalTypes);
if (!localTypes.All(requiredTypes))
{
return(false);
}
if (!localTypes.Exists("System.Security.Cryptography.RijndaelManaged") &&
!localTypes.Exists("System.Security.Cryptography.AesManaged") &&
!localTypes.Exists("System.Security.Cryptography.SymmetricAlgorithm"))
{
return(false);
}
return(true);
}
bool CheckMethod(ISimpleDeobfuscator simpleDeobfuscator, MethodDef methodToCheck)
{
if (methodToCheck == null)
{
return(false);
}
var resolverLocals = new string[] {
"System.Byte[]",
"System.Reflection.Assembly",
"System.String",
"System.IO.BinaryReader",
"System.IO.Stream",
};
var resolverLocals2 = new string[] {
"System.Reflection.Assembly",
"System.IO.BinaryReader",
"System.IO.Stream",
};
simpleDeobfuscator.Deobfuscate(methodToCheck);
foreach (var method in DotNetUtils.GetCalledMethods(module, methodToCheck))
{
var type = method.DeclaringType;
if (!DotNetUtils.IsMethod(method, "System.Void", "()"))
{
continue;
}
if (!method.IsStatic)
{
continue;
}
if (type.Fields.Count != 2 && type.Fields.Count != 3)
{
continue;
}
if (type.HasNestedTypes)
{
continue;
}
if (type.HasEvents || type.HasProperties)
{
continue;
}
if (!CheckFields(type.Fields))
{
continue;
}
var resolverMethod = FindAssemblyResolveMethod(type);
if (resolverMethod == null)
{
continue;
}
var localTypes = new LocalTypes(resolverMethod);
if (!localTypes.All(resolverLocals) && !localTypes.All(resolverLocals2))
{
continue;
}
assemblyResolverType = type;
assemblyResolverMethod = resolverMethod;
assemblyResolverInitMethod = method;
return(true);
}
return(false);
}
static ITypeDefinition LoadLocalType(string name)
{
var types = LocalTypes.ToArray();
return(types.Where(t => t.ReflectionName.EndsWith(name)).First());
}
void FindKeyIv(MethodDef method, out byte[] key, out byte[] iv)
{
key = null;
iv = null;
var requiredTypes = new string[] {
"System.Byte[]",
"System.IO.MemoryStream",
"System.Security.Cryptography.CryptoStream",
"System.Security.Cryptography.Rijndael",
};
foreach (var calledMethod in DotNetUtils.GetCalledMethods(module, method))
{
if (calledMethod.DeclaringType != method.DeclaringType)
{
continue;
}
if (calledMethod.MethodSig.GetRetType().GetFullName() != "System.Byte[]")
{
continue;
}
var localTypes = new LocalTypes(calledMethod);
if (!localTypes.All(requiredTypes))
{
continue;
}
var instructions = calledMethod.Body.Instructions;
byte[] newKey = null, newIv = null;
for (int i = 0; i < instructions.Count && (newKey == null || newIv == null); i++)
{
var instr = instructions[i];
if (instr.OpCode.Code != Code.Ldtoken)
{
continue;
}
var field = instr.Operand as FieldDef;
if (field == null)
{
continue;
}
if (field.InitialValue == null)
{
continue;
}
if (field.InitialValue.Length == 32)
{
newKey = field.InitialValue;
}
else if (field.InitialValue.Length == 16)
{
newIv = field.InitialValue;
}
}
if (newKey == null || newIv == null)
{
continue;
}
InitializeStringDecrypterVersion(method);
key = newKey;
iv = newIv;
return;
}
}
public void AddLocals(params Type[] types)
{
LocalTypes = LocalTypes.Concat(types).ToArray();
}
public void Find()
{
var type = DotNetUtils.GetModuleType(module);
if (type == null)
{
return;
}
foreach (var method in type.Methods)
{
if (!method.IsStatic || method.Body == null)
{
continue;
}
if (!DotNetUtils.IsMethod(method, "System.Object", "(System.UInt32)"))
{
continue;
}
var info = new DecrypterInfo();
var localTypes = new LocalTypes(method);
if (localTypes.All(requiredLocals1))
{
if (localTypes.Exists("System.Collections.BitArray")) // or System.Random
{
version = ConfuserVersion.v15_r60785_normal;
}
else if (DeobUtils.HasInteger(method, 0x100) &&
DeobUtils.HasInteger(method, 0x10000) &&
DeobUtils.HasInteger(method, 0xFFFF))
{
version = ConfuserVersion.v17_r73404_normal;
}
else if (DotNetUtils.CallsMethod(method, "System.String System.Text.Encoding::GetString(System.Byte[])"))
{
if (FindInstruction(method.Body.Instructions, 0, Code.Conv_I8) >= 0)
{
if (DotNetUtils.CallsMethod(method, "System.Void System.Console::WriteLine()"))
{
version = ConfuserVersion.v15_r60785_dynamic;
}
else
{
version = ConfuserVersion.v17_r72989_dynamic;
}
}
else
{
version = ConfuserVersion.v17_r73740_dynamic;
}
}
else if (DotNetUtils.CallsMethod(method, "System.String System.Text.Encoding::GetString(System.Byte[],System.Int32,System.Int32)"))
{
if ((nativeMethod = FindNativeMethod(method)) == null)
{
version = ConfuserVersion.v17_r73764_dynamic;
}
else
{
version = ConfuserVersion.v17_r73764_native;
}
}
else
{
continue;
}
}
else if (localTypes.All(requiredLocals2))
{
if (DeobUtils.HasInteger(method, 0x100) &&
DeobUtils.HasInteger(method, 0x10000) &&
DeobUtils.HasInteger(method, 0xFFFF))
{
version = ConfuserVersion.v17_r73822_normal;
}
else if (DotNetUtils.CallsMethod(method, "System.Int32 System.Object::GetHashCode()"))
{
if ((nativeMethod = FindNativeMethod(method)) == null)
{
version = ConfuserVersion.v17_r74021_dynamic;
}
else
{
version = ConfuserVersion.v17_r74021_native;
}
}
else if ((nativeMethod = FindNativeMethod(method)) == null)
{
version = ConfuserVersion.v17_r73822_dynamic;
}
else
{
version = ConfuserVersion.v17_r73822_native;
}
}
else
{
continue;
}
info.decryptMethod = method;
theDecrypterInfo = info;
Add(info);
break;
}
}
public void Find(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
{
var entryPoint = module.EntryPoint;
if (entryPoint == null)
return;
if (!new LocalTypes(entryPoint).All(requiredEntryPointLocals))
return;
var type = entryPoint.DeclaringType;
if (!new FieldTypes(type).All(requiredFields))
return;
bool use7zip = type.NestedTypes.Count == 6;
MethodDef decyptMethod;
if (use7zip)
decyptMethod = FindDecryptMethod_7zip(type);
else
decyptMethod = FindDecryptMethod_inflate(type);
if (decyptMethod == null)
return;
ConfuserVersion theVersion = ConfuserVersion.Unknown;
var decryptLocals = new LocalTypes(decyptMethod);
if (decryptLocals.Exists("System.IO.MemoryStream")) {
if (DotNetUtils.CallsMethod(entryPoint, "System.Void", "(System.String,System.Byte[])"))
theVersion = ConfuserVersion.v10_r42915;
else if (DotNetUtils.CallsMethod(entryPoint, "System.Void", "(System.Security.Permissions.PermissionState)"))
theVersion = ConfuserVersion.v10_r48717;
else
theVersion = ConfuserVersion.v14_r57778;
}
else
theVersion = ConfuserVersion.v14_r58564;
var cctor = type.FindStaticConstructor();
if (cctor == null)
return;
if ((asmResolverMethod = FindAssemblyResolverMethod(entryPoint.DeclaringType)) != null) {
theVersion = ConfuserVersion.v14_r58802;
simpleDeobfuscator.Deobfuscate(asmResolverMethod);
if (!FindKey1(asmResolverMethod, out key1))
return;
}
switch (theVersion) {
case ConfuserVersion.v10_r42915:
case ConfuserVersion.v10_r48717:
case ConfuserVersion.v14_r57778:
break;
case ConfuserVersion.v14_r58564:
case ConfuserVersion.v14_r58802:
simpleDeobfuscator.Deobfuscate(decyptMethod);
if (FindKey0_v14_r58564(decyptMethod, out key0))
break;
if (FindKey0_v14_r58852(decyptMethod, out key0)) {
if (!decryptLocals.Exists("System.Security.Cryptography.RijndaelManaged")) {
theVersion = ConfuserVersion.v14_r58852;
break;
}
if (use7zip) {
if (new LocalTypes(decyptMethod).Exists("System.IO.MemoryStream"))
theVersion = ConfuserVersion.v17_r75076;
else if (module.Name == "Stub.exe")
theVersion = ConfuserVersion.v18_r75184;
else if (!IsGetLenToPosStateMethodPrivate(type))
theVersion = ConfuserVersion.v18_r75367;
else
theVersion = ConfuserVersion.v19_r77172;
}
else if (IsDecryptMethod_v17_r73404(decyptMethod))
theVersion = ConfuserVersion.v17_r73404;
else
theVersion = ConfuserVersion.v15_r60785;
break;
}
throw new ApplicationException("Could not find magic");
default:
throw new ApplicationException("Invalid version");
}
simpleDeobfuscator.Deobfuscate(cctor);
simpleDeobfuscator.DecryptStrings(cctor, deob);
if (FindEntryPointToken(simpleDeobfuscator, cctor, entryPoint, out entryPointToken) && !use7zip) {
if (DotNetUtils.CallsMethod(asmResolverMethod, "System.Void", "(System.String)"))
theVersion = ConfuserVersion.v17_r73477;
else
theVersion = ConfuserVersion.v17_r73566;
}
mainAsmResource = FindResource(cctor);
if (mainAsmResource == null)
throw new ApplicationException("Could not find main assembly resource");
version = theVersion;
}
public void Find(ISimpleDeobfuscator simpleDeobfuscator)
{
var type = DotNetUtils.GetModuleType(module);
if (type == null)
{
return;
}
foreach (var method in type.Methods)
{
if (!method.IsStatic || method.Body == null)
{
continue;
}
if (!DotNetUtils.IsMethod(method, "System.String", "(System.Int32)"))
{
continue;
}
var localTypes = new LocalTypes(method);
if (!localTypes.All(requiredLocals))
{
continue;
}
simpleDeobfuscator.Deobfuscate(method);
bool foundOldMagic1;
if (FindMagic1(method, out magic1))
{
foundOldMagic1 = true;
}
else if (FindNewMagic1(method, out magic1))
{
foundOldMagic1 = false;
}
else
{
continue;
}
if (!FindMagic2(method, out magic2))
{
continue;
}
version = ConfuserVersion.Unknown;
if (DotNetUtils.CallsMethod(method, "System.Text.Encoding System.Text.Encoding::get_UTF8()"))
{
if (foundOldMagic1)
{
if (DotNetUtils.CallsMethod(method, "System.Object System.AppDomain::GetData(System.String)"))
{
version = ConfuserVersion.v13_r55604_safe;
}
else
{
version = ConfuserVersion.v10_r42915;
}
}
else
{
if (!FindSafeKey1(method, out key1))
{
continue;
}
version = ConfuserVersion.v14_r58802_safe;
}
}
else if (!localTypes.Exists("System.Random"))
{
if (foundOldMagic1)
{
version = ConfuserVersion.v11_r49299;
}
else
{
version = ConfuserVersion.v14_r58802_dynamic;
}
}
else if (localTypes.Exists("System.Collections.Generic.Dictionary`2<System.Int32,System.String>"))
{
version = ConfuserVersion.v10_r48832;
}
if (version == ConfuserVersion.Unknown)
{
continue;
}
decryptMethod = method;
break;
}
}
public void Find(ISimpleDeobfuscator simpleDeobfuscator) {
var type = DotNetUtils.GetModuleType(module);
if (type == null)
return;
foreach (var method in type.Methods) {
if (!method.IsStatic || method.Body == null)
continue;
if (!DotNetUtils.IsMethod(method, "System.String", "(System.Int32)"))
continue;
var localTypes = new LocalTypes(method);
if (!localTypes.All(requiredLocals))
continue;
simpleDeobfuscator.Deobfuscate(method);
bool foundOldMagic1;
if (FindMagic1(method, out magic1))
foundOldMagic1 = true;
else if (FindNewMagic1(method, out magic1))
foundOldMagic1 = false;
else
continue;
if (!FindMagic2(method, out magic2))
continue;
version = ConfuserVersion.Unknown;
if (DotNetUtils.CallsMethod(method, "System.Text.Encoding System.Text.Encoding::get_UTF8()")) {
if (foundOldMagic1) {
if (DotNetUtils.CallsMethod(method, "System.Object System.AppDomain::GetData(System.String)"))
version = ConfuserVersion.v13_r55604_safe;
else
version = ConfuserVersion.v10_r42915;
}
else {
if (!FindSafeKey1(method, out key1))
continue;
version = ConfuserVersion.v14_r58802_safe;
}
}
else if (!localTypes.Exists("System.Random")) {
if (foundOldMagic1)
version = ConfuserVersion.v11_r49299;
else
version = ConfuserVersion.v14_r58802_dynamic;
}
else if (localTypes.Exists("System.Collections.Generic.Dictionary`2<System.Int32,System.String>"))
version = ConfuserVersion.v10_r48832;
if (version == ConfuserVersion.Unknown)
continue;
decryptMethod = method;
break;
}
}
string detectVersion()
{
/*
* Methods decrypter locals (not showing its own types):
* 3.7.0.3:
* "System.Byte[]"
* "System.Int32"
* "System.Int32[]"
* "System.IntPtr"
* "System.IO.BinaryReader"
* "System.IO.MemoryStream"
* "System.Object"
* "System.Reflection.Assembly"
* "System.Security.Cryptography.CryptoStream"
* "System.Security.Cryptography.ICryptoTransform"
* "System.Security.Cryptography.RijndaelManaged"
* "System.String"
*
* 3.9.8.0:
* - "System.Int32[]"
+ "System.Diagnostics.StackFrame"
+
+ 4.0.0.0: (jitter)
+ - "System.Diagnostics.StackFrame"
+ - "System.Object"
+ "System.Boolean"
+ "System.Collections.IEnumerator"
+ "System.Delegate"
+ "System.Diagnostics.Process"
+ "System.Diagnostics.ProcessModule"
+ "System.Diagnostics.ProcessModuleCollection"
+ "System.IDisposable"
+ "System.Int64"
+ "System.UInt32"
+ "System.UInt64"
+
+ 4.1.0.0: (jitter)
+ "System.Reflection.Assembly"
+
+ 4.3.1.0: (jitter)
+ "System.Byte&"
*/
LocalTypes localTypes;
int minVer = -1;
foreach (var info in stringDecrypter.DecrypterInfos)
{
if (info.key == null)
{
continue;
}
localTypes = new LocalTypes(info.method);
if (!localTypes.exists("System.IntPtr"))
{
return(DeobfuscatorInfo.THE_NAME + " <= 3.7");
}
minVer = 3800;
break;
}
if (methodsDecrypter.Method == null)
{
if (minVer >= 3800)
{
return(DeobfuscatorInfo.THE_NAME + " >= 3.8");
}
return(DeobfuscatorInfo.THE_NAME);
}
localTypes = new LocalTypes(methodsDecrypter.Method);
if (localTypes.exists("System.Int32[]"))
{
if (minVer >= 3800)
{
return(DeobfuscatorInfo.THE_NAME + " 3.8.4.1 - 3.9.0.1");
}
return(DeobfuscatorInfo.THE_NAME + " <= 3.9.0.1");
}
if (!localTypes.exists("System.Diagnostics.Process")) // If < 4.0
{
if (localTypes.exists("System.Diagnostics.StackFrame"))
{
return(DeobfuscatorInfo.THE_NAME + " 3.9.8.0");
}
}
var compileMethod = MethodsDecrypter.findDnrCompileMethod(methodsDecrypter.Method.DeclaringType);
if (compileMethod == null)
{
return(DeobfuscatorInfo.THE_NAME + " < 4.0");
}
DeobfuscatedFile.deobfuscate(compileMethod);
bool compileMethodHasConstant_0x70000000 = DeobUtils.hasInteger(compileMethod, 0x70000000); // 4.0-4.1
DeobfuscatedFile.deobfuscate(methodsDecrypter.Method);
bool hasCorEnableProfilingString = findString(methodsDecrypter.Method, "Cor_Enable_Profiling"); // 4.1-4.4
if (compileMethodHasConstant_0x70000000)
{
if (hasCorEnableProfilingString)
{
return(DeobfuscatorInfo.THE_NAME + " 4.1");
}
return(DeobfuscatorInfo.THE_NAME + " 4.0");
}
if (!hasCorEnableProfilingString)
{
return(DeobfuscatorInfo.THE_NAME);
}
// 4.2-4.4
if (!localTypes.exists("System.Byte&"))
{
return(DeobfuscatorInfo.THE_NAME + " 4.2");
}
localTypes = new LocalTypes(compileMethod);
if (localTypes.exists("System.Object"))
{
return(DeobfuscatorInfo.THE_NAME + " 4.4");
}
return(DeobfuscatorInfo.THE_NAME + " 4.3");
}
public void Find() {
var type = DotNetUtils.GetModuleType(module);
if (type == null)
return;
foreach (var method in type.Methods) {
if (!method.IsStatic || method.Body == null)
continue;
if (!DotNetUtils.IsMethod(method, "System.Object", "(System.UInt32)"))
continue;
DecrypterInfo info = new DecrypterInfo();
var localTypes = new LocalTypes(method);
if (localTypes.All(requiredLocals1)) {
if (localTypes.Exists("System.Collections.BitArray")) // or System.Random
version = ConfuserVersion.v15_r60785_normal;
else if (DeobUtils.HasInteger(method, 0x100) &&
DeobUtils.HasInteger(method, 0x10000) &&
DeobUtils.HasInteger(method, 0xFFFF))
version = ConfuserVersion.v17_r73404_normal;
else if (DotNetUtils.CallsMethod(method, "System.String System.Text.Encoding::GetString(System.Byte[])")) {
if (FindInstruction(method.Body.Instructions, 0, Code.Conv_I8) >= 0) {
if (DotNetUtils.CallsMethod(method, "System.Void System.Console::WriteLine()"))
version = ConfuserVersion.v15_r60785_dynamic;
else
version = ConfuserVersion.v17_r72989_dynamic;
}
else
version = ConfuserVersion.v17_r73740_dynamic;
}
else if (DotNetUtils.CallsMethod(method, "System.String System.Text.Encoding::GetString(System.Byte[],System.Int32,System.Int32)")) {
if ((nativeMethod = FindNativeMethod(method)) == null)
version = ConfuserVersion.v17_r73764_dynamic;
else
version = ConfuserVersion.v17_r73764_native;
}
else
continue;
}
else if (localTypes.All(requiredLocals2)) {
if (DeobUtils.HasInteger(method, 0x100) &&
DeobUtils.HasInteger(method, 0x10000) &&
DeobUtils.HasInteger(method, 0xFFFF))
version = ConfuserVersion.v17_r73822_normal;
else if (DotNetUtils.CallsMethod(method, "System.Int32 System.Object::GetHashCode()")) {
if ((nativeMethod = FindNativeMethod(method)) == null)
version = ConfuserVersion.v17_r74021_dynamic;
else
version = ConfuserVersion.v17_r74021_native;
}
else if ((nativeMethod = FindNativeMethod(method)) == null)
version = ConfuserVersion.v17_r73822_dynamic;
else
version = ConfuserVersion.v17_r73822_native;
}
else
continue;
info.decryptMethod = method;
theDecrypterInfo = info;
Add(info);
break;
}
}
string DetectVersion()
{
/*
* Methods decrypter locals (not showing its own types):
* 3.7.0.3:
* "System.Byte[]"
* "System.Int32"
* "System.Int32[]"
* "System.IntPtr"
* "System.IO.BinaryReader"
* "System.IO.MemoryStream"
* "System.Object"
* "System.Reflection.Assembly"
* "System.Security.Cryptography.CryptoStream"
* "System.Security.Cryptography.ICryptoTransform"
* "System.Security.Cryptography.RijndaelManaged"
* "System.String"
*
* 3.9.8.0:
* - "System.Int32[]"
+ "System.Diagnostics.StackFrame"
+
+ 4.0.0.0: (jitter)
+ - "System.Diagnostics.StackFrame"
+ - "System.Object"
+ "System.Boolean"
+ "System.Collections.IEnumerator"
+ "System.Delegate"
+ "System.Diagnostics.Process"
+ "System.Diagnostics.ProcessModule"
+ "System.Diagnostics.ProcessModuleCollection"
+ "System.IDisposable"
+ "System.Int64"
+ "System.UInt32"
+ "System.UInt64"
+
+ 4.1.0.0: (jitter)
+ "System.Reflection.Assembly"
+
+ 4.3.1.0: (jitter)
+ "System.Byte&"
*/
LocalTypes localTypes;
int minVer = -1;
foreach (var info in stringDecrypter.DecrypterInfos)
{
if (info.key == null)
{
continue;
}
localTypes = new LocalTypes(info.method);
if (!localTypes.Exists("System.IntPtr"))
{
return(DeobfuscatorInfo.THE_NAME + " <= 3.7");
}
minVer = 3800;
break;
}
if (methodsDecrypter.DecrypterTypeVersion != DnrDecrypterType.V1)
{
return(DeobfuscatorInfo.THE_NAME);
}
if (methodsDecrypter.Method == null)
{
if (minVer >= 3800)
{
return(DeobfuscatorInfo.THE_NAME + " >= 3.8");
}
return(DeobfuscatorInfo.THE_NAME);
}
localTypes = new LocalTypes(methodsDecrypter.Method);
if (localTypes.Exists("System.Int32[]"))
{
if (minVer >= 3800)
{
return(DeobfuscatorInfo.THE_NAME + " 3.8.4.1 - 3.9.0.1");
}
return(DeobfuscatorInfo.THE_NAME + " <= 3.9.0.1");
}
if (!localTypes.Exists("System.Diagnostics.Process")) // If < 4.0
{
if (localTypes.Exists("System.Diagnostics.StackFrame"))
{
return(DeobfuscatorInfo.THE_NAME + " 3.9.8.0");
}
}
var compileMethod = MethodsDecrypter.FindDnrCompileMethod(methodsDecrypter.Method.DeclaringType);
if (compileMethod == null)
{
DeobfuscatedFile.Deobfuscate(methodsDecrypter.Method);
if (!MethodsDecrypter.IsNewer45Decryption(methodsDecrypter.Method))
{
return(DeobfuscatorInfo.THE_NAME + " < 4.0");
}
return(DeobfuscatorInfo.THE_NAME + " 4.5+");
}
DeobfuscatedFile.Deobfuscate(compileMethod);
bool compileMethodHasConstant_0x70000000 = DeobUtils.HasInteger(compileMethod, 0x70000000); // 4.0-4.1
DeobfuscatedFile.Deobfuscate(methodsDecrypter.Method);
bool hasCorEnableProfilingString = FindString(methodsDecrypter.Method, "Cor_Enable_Profiling"); // 4.1-4.4
bool hasCatchString = FindString(methodsDecrypter.Method, "catch: "); // <= 4.7
if (compileMethodHasConstant_0x70000000)
{
if (hasCorEnableProfilingString)
{
return(DeobfuscatorInfo.THE_NAME + " 4.1");
}
return(DeobfuscatorInfo.THE_NAME + " 4.0");
}
if (!hasCorEnableProfilingString)
{
bool callsReverse = DotNetUtils.CallsMethod(methodsDecrypter.Method, "System.Void System.Array::Reverse(System.Array)");
if (!callsReverse)
{
return(DeobfuscatorInfo.THE_NAME + " 4.0 - 4.4");
}
int numIntPtrSizeCompares = CountCompareSystemIntPtrSize(methodsDecrypter.Method);
bool hasSymmetricAlgorithm = new LocalTypes(methodsDecrypter.Method).Exists("System.Security.Cryptography.SymmetricAlgorithm");
if (Module.IsClr40)
{
switch (numIntPtrSizeCompares)
{
case 7:
case 9: return(DeobfuscatorInfo.THE_NAME + " 4.5");
case 10:
if (!hasSymmetricAlgorithm)
{
return(DeobfuscatorInfo.THE_NAME + " 4.6");
}
if (hasCatchString)
{
return(DeobfuscatorInfo.THE_NAME + " 4.7");
}
return(DeobfuscatorInfo.THE_NAME + " 4.8");
}
}
else
{
switch (numIntPtrSizeCompares)
{
case 6:
case 8: return(DeobfuscatorInfo.THE_NAME + " 4.5");
case 9:
if (!hasSymmetricAlgorithm)
{
return(DeobfuscatorInfo.THE_NAME + " 4.6");
}
if (hasCatchString)
{
return(DeobfuscatorInfo.THE_NAME + " 4.7");
}
return(DeobfuscatorInfo.THE_NAME + " 4.8");
}
}
// Should never be reached unless it's a new version
return(DeobfuscatorInfo.THE_NAME + " 4.5+");
}
// 4.2-4.4
if (!localTypes.Exists("System.Byte&"))
{
return(DeobfuscatorInfo.THE_NAME + " 4.2");
}
localTypes = new LocalTypes(compileMethod);
if (localTypes.Exists("System.Object"))
{
return(DeobfuscatorInfo.THE_NAME + " 4.4");
}
return(DeobfuscatorInfo.THE_NAME + " 4.3");
}
bool checkType(TypeDefinition type)
{
var requiredTypes = new string[] {
"System.Byte[]",
"System.IO.MemoryStream",
"System.Security.Cryptography.CryptoStream",
"System.Security.Cryptography.MD5",
"System.Security.Cryptography.Rijndael",
};
foreach (var method in type.Methods) {
if (!method.IsStatic || method.Body == null)
continue;
if (method.Parameters.Count != 2)
continue;
if (!checkType(method.MethodReturnType.ReturnType.FullName, "System.String"))
continue;
if (!checkType(method.Parameters[0].ParameterType.FullName, "System.String"))
continue;
if (!checkType(method.Parameters[1].ParameterType.FullName, "System.String"))
continue;
var localTypes = new LocalTypes(method);
if (!localTypes.all(requiredTypes))
continue;
antiStrongNameMethod = method;
return true;
}
return false;
}
string detectVersion()
{
/*
Methods decrypter locals (not showing its own types):
3.7.0.3:
"System.Byte[]"
"System.Int32"
"System.Int32[]"
"System.IntPtr"
"System.IO.BinaryReader"
"System.IO.MemoryStream"
"System.Object"
"System.Reflection.Assembly"
"System.Security.Cryptography.CryptoStream"
"System.Security.Cryptography.ICryptoTransform"
"System.Security.Cryptography.RijndaelManaged"
"System.String"
3.9.8.0:
- "System.Int32[]"
+ "System.Diagnostics.StackFrame"
4.0.0.0: (jitter)
- "System.Diagnostics.StackFrame"
- "System.Object"
+ "System.Boolean"
+ "System.Collections.IEnumerator"
+ "System.Delegate"
+ "System.Diagnostics.Process"
+ "System.Diagnostics.ProcessModule"
+ "System.Diagnostics.ProcessModuleCollection"
+ "System.IDisposable"
+ "System.Int64"
+ "System.UInt32"
+ "System.UInt64"
4.1.0.0: (jitter)
+ "System.Reflection.Assembly"
4.3.1.0: (jitter)
+ "System.Byte&"
*/
LocalTypes localTypes;
int minVer = -1;
foreach (var info in stringDecrypter.DecrypterInfos) {
if (info.key == null)
continue;
localTypes = new LocalTypes(info.method);
if (!localTypes.exists("System.IntPtr"))
return ".NET Reactor <= 3.7";
minVer = 3800;
break;
}
if (methodsDecrypter.Method == null) {
if (minVer >= 3800)
return ".NET Reactor >= 3.8";
return ".NET Reactor";
}
localTypes = new LocalTypes(methodsDecrypter.Method);
if (localTypes.exists("System.Int32[]")) {
if (minVer >= 3800)
return ".NET Reactor 3.8.4.1 - 3.9.0.1";
return ".NET Reactor <= 3.9.0.1";
}
if (!localTypes.exists("System.Diagnostics.Process")) { // If < 4.0
if (localTypes.exists("System.Diagnostics.StackFrame"))
return ".NET Reactor 3.9.8.0";
}
var compileMethod = MethodsDecrypter.findDnrCompileMethod(methodsDecrypter.Method.DeclaringType);
if (compileMethod == null)
return ".NET Reactor < 4.0";
DeobfuscatedFile.deobfuscate(compileMethod);
bool compileMethodHasConstant_0x70000000 = findConstant(compileMethod, 0x70000000); // 4.0-4.1
DeobfuscatedFile.deobfuscate(methodsDecrypter.Method);
bool hasCorEnableProfilingString = findString(methodsDecrypter.Method, "Cor_Enable_Profiling"); // 4.1-4.4
if (compileMethodHasConstant_0x70000000) {
if (hasCorEnableProfilingString)
return ".NET Reactor 4.1";
return ".NET Reactor 4.0";
}
if (!hasCorEnableProfilingString)
return ".NET Reactor";
// 4.2-4.4
if (!localTypes.exists("System.Byte&"))
return ".NET Reactor 4.2";
localTypes = new LocalTypes(compileMethod);
if (localTypes.exists("System.Object"))
return ".NET Reactor 4.4";
return ".NET Reactor 4.3";
}
public void Find(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
{
var entryPoint = module.EntryPoint;
if (entryPoint == null)
{
return;
}
if (!new LocalTypes(entryPoint).All(requiredEntryPointLocals))
{
return;
}
var type = entryPoint.DeclaringType;
if (!new FieldTypes(type).All(requiredFields))
{
return;
}
bool use7zip = type.NestedTypes.Count == 6;
MethodDef decyptMethod;
if (use7zip)
{
decyptMethod = FindDecryptMethod_7zip(type);
}
else
{
decyptMethod = FindDecryptMethod_inflate(type);
}
if (decyptMethod == null)
{
return;
}
var theVersion = ConfuserVersion.Unknown;
var decryptLocals = new LocalTypes(decyptMethod);
if (decryptLocals.Exists("System.IO.MemoryStream"))
{
if (DotNetUtils.CallsMethod(entryPoint, "System.Void", "(System.String,System.Byte[])"))
{
theVersion = ConfuserVersion.v10_r42915;
}
else if (DotNetUtils.CallsMethod(entryPoint, "System.Void", "(System.Security.Permissions.PermissionState)"))
{
theVersion = ConfuserVersion.v10_r48717;
}
else
{
theVersion = ConfuserVersion.v14_r57778;
}
}
else
{
theVersion = ConfuserVersion.v14_r58564;
}
var cctor = type.FindStaticConstructor();
if (cctor == null)
{
return;
}
if ((asmResolverMethod = FindAssemblyResolverMethod(entryPoint.DeclaringType)) != null)
{
theVersion = ConfuserVersion.v14_r58802;
simpleDeobfuscator.Deobfuscate(asmResolverMethod);
if (!FindKey1(asmResolverMethod, out uint key1))
{
return;
}
}
switch (theVersion)
{
case ConfuserVersion.v10_r42915:
case ConfuserVersion.v10_r48717:
case ConfuserVersion.v14_r57778:
break;
case ConfuserVersion.v14_r58564:
case ConfuserVersion.v14_r58802:
simpleDeobfuscator.Deobfuscate(decyptMethod);
if (FindKey0_v14_r58564(decyptMethod, out key0))
{
break;
}
if (FindKey0_v14_r58852(decyptMethod, out key0))
{
if (!decryptLocals.Exists("System.Security.Cryptography.RijndaelManaged"))
{
theVersion = ConfuserVersion.v14_r58852;
break;
}
if (use7zip)
{
if (new LocalTypes(decyptMethod).Exists("System.IO.MemoryStream"))
{
theVersion = ConfuserVersion.v17_r75076;
}
else if (module.Name == "Stub.exe")
{
theVersion = ConfuserVersion.v18_r75184;
}
else if (!IsGetLenToPosStateMethodPrivate(type))
{
theVersion = ConfuserVersion.v18_r75367;
}
else
{
theVersion = ConfuserVersion.v19_r77172;
}
}
else if (IsDecryptMethod_v17_r73404(decyptMethod))
{
theVersion = ConfuserVersion.v17_r73404;
}
else
{
theVersion = ConfuserVersion.v15_r60785;
}
break;
}
throw new ApplicationException("Could not find magic");
default:
throw new ApplicationException("Invalid version");
}
simpleDeobfuscator.Deobfuscate(cctor);
simpleDeobfuscator.DecryptStrings(cctor, deob);
if (FindEntryPointToken(simpleDeobfuscator, cctor, entryPoint, out entryPointToken) && !use7zip)
{
if (DotNetUtils.CallsMethod(asmResolverMethod, "System.Void", "(System.String)"))
{
theVersion = ConfuserVersion.v17_r73477;
}
else
{
theVersion = ConfuserVersion.v17_r73566;
}
}
mainAsmResource = FindResource(cctor);
if (mainAsmResource == null)
{
throw new ApplicationException("Could not find main assembly resource");
}
version = theVersion;
}
string DetectVersion() {
/*
Methods decrypter locals (not showing its own types):
3.7.0.3:
"System.Byte[]"
"System.Int32"
"System.Int32[]"
"System.IntPtr"
"System.IO.BinaryReader"
"System.IO.MemoryStream"
"System.Object"
"System.Reflection.Assembly"
"System.Security.Cryptography.CryptoStream"
"System.Security.Cryptography.ICryptoTransform"
"System.Security.Cryptography.RijndaelManaged"
"System.String"
3.9.8.0:
- "System.Int32[]"
+ "System.Diagnostics.StackFrame"
4.0.0.0: (jitter)
- "System.Diagnostics.StackFrame"
- "System.Object"
+ "System.Boolean"
+ "System.Collections.IEnumerator"
+ "System.Delegate"
+ "System.Diagnostics.Process"
+ "System.Diagnostics.ProcessModule"
+ "System.Diagnostics.ProcessModuleCollection"
+ "System.IDisposable"
+ "System.Int64"
+ "System.UInt32"
+ "System.UInt64"
4.1.0.0: (jitter)
+ "System.Reflection.Assembly"
4.3.1.0: (jitter)
+ "System.Byte&"
*/
LocalTypes localTypes;
int minVer = -1;
foreach (var info in stringDecrypter.DecrypterInfos) {
if (info.key == null)
continue;
localTypes = new LocalTypes(info.method);
if (!localTypes.Exists("System.IntPtr"))
return DeobfuscatorInfo.THE_NAME + " <= 3.7";
minVer = 3800;
break;
}
if (methodsDecrypter.Method == null) {
if (minVer >= 3800)
return DeobfuscatorInfo.THE_NAME + " >= 3.8";
return DeobfuscatorInfo.THE_NAME;
}
localTypes = new LocalTypes(methodsDecrypter.Method);
if (localTypes.Exists("System.Int32[]")) {
if (minVer >= 3800)
return DeobfuscatorInfo.THE_NAME + " 3.8.4.1 - 3.9.0.1";
return DeobfuscatorInfo.THE_NAME + " <= 3.9.0.1";
}
if (!localTypes.Exists("System.Diagnostics.Process")) { // If < 4.0
if (localTypes.Exists("System.Diagnostics.StackFrame"))
return DeobfuscatorInfo.THE_NAME + " 3.9.8.0";
}
var compileMethod = MethodsDecrypter.FindDnrCompileMethod(methodsDecrypter.Method.DeclaringType);
if (compileMethod == null) {
DeobfuscatedFile.Deobfuscate(methodsDecrypter.Method);
if (!MethodsDecrypter.IsNewer45Decryption(methodsDecrypter.Method))
return DeobfuscatorInfo.THE_NAME + " < 4.0";
return DeobfuscatorInfo.THE_NAME + " 4.5+";
}
DeobfuscatedFile.Deobfuscate(compileMethod);
bool compileMethodHasConstant_0x70000000 = DeobUtils.HasInteger(compileMethod, 0x70000000); // 4.0-4.1
DeobfuscatedFile.Deobfuscate(methodsDecrypter.Method);
bool hasCorEnableProfilingString = FindString(methodsDecrypter.Method, "Cor_Enable_Profiling"); // 4.1-4.4
bool hasCatchString = FindString(methodsDecrypter.Method, "catch: "); // <= 4.7
if (compileMethodHasConstant_0x70000000) {
if (hasCorEnableProfilingString)
return DeobfuscatorInfo.THE_NAME + " 4.1";
return DeobfuscatorInfo.THE_NAME + " 4.0";
}
if (!hasCorEnableProfilingString) {
bool callsReverse = DotNetUtils.CallsMethod(methodsDecrypter.Method, "System.Void System.Array::Reverse(System.Array)");
if (!callsReverse)
return DeobfuscatorInfo.THE_NAME + " 4.0 - 4.4";
int numIntPtrSizeCompares = CountCompareSystemIntPtrSize(methodsDecrypter.Method);
bool hasSymmetricAlgorithm = new LocalTypes(methodsDecrypter.Method).Exists("System.Security.Cryptography.SymmetricAlgorithm");
if (module.IsClr40) {
switch (numIntPtrSizeCompares) {
case 7:
case 9: return DeobfuscatorInfo.THE_NAME + " 4.5";
case 10:
if (!hasSymmetricAlgorithm)
return DeobfuscatorInfo.THE_NAME + " 4.6";
if (hasCatchString)
return DeobfuscatorInfo.THE_NAME + " 4.7";
return DeobfuscatorInfo.THE_NAME + " 4.8";
}
}
else {
switch (numIntPtrSizeCompares) {
case 6:
case 8: return DeobfuscatorInfo.THE_NAME + " 4.5";
case 9:
if (!hasSymmetricAlgorithm)
return DeobfuscatorInfo.THE_NAME + " 4.6";
if (hasCatchString)
return DeobfuscatorInfo.THE_NAME + " 4.7";
return DeobfuscatorInfo.THE_NAME + " 4.8";
}
}
// Should never be reached unless it's a new version
return DeobfuscatorInfo.THE_NAME + " 4.5+";
}
// 4.2-4.4
if (!localTypes.Exists("System.Byte&"))
return DeobfuscatorInfo.THE_NAME + " 4.2";
localTypes = new LocalTypes(compileMethod);
if (localTypes.Exists("System.Object"))
return DeobfuscatorInfo.THE_NAME + " 4.4";
return DeobfuscatorInfo.THE_NAME + " 4.3";
}