/// <summary>
/// Heuristic pre-filter: reports whether a method has the local-variable
/// profile of a resource decrypter built on a CryptoStream. A <c>true</c>
/// result only marks a candidate; it is a type-name match, not proof.
/// </summary>
/// <param name="method">Candidate method; only its declaring type is read here.</param>
/// <param name="localTypes">Local-variable type summary to test (presumably built from <paramref name="method"/>; verify against the caller).</param>
/// <param name="additionalTypes">Extra type names that must also be present. Passed straight to <c>AddRange</c>, so it must not be null.</param>
/// <returns><c>true</c> when every required local type is present and no exclusion rule fires.</returns>
public static bool CouldBeResourceDecrypter(MethodDef method, LocalTypes localTypes, IList<string> additionalTypes)
{
    // Baseline locals of a "read bytes, wrap in CryptoStream, decrypt" routine.
    var wanted = new List<string>();
    wanted.Add("System.Byte[]");
    wanted.Add("System.IO.BinaryReader");
    wanted.Add("System.IO.MemoryStream");
    wanted.Add("System.Security.Cryptography.CryptoStream");
    wanted.Add("System.Security.Cryptography.ICryptoTransform");
    wanted.AddRange(additionalTypes);

    if (!localTypes.All(wanted))
    {
        return false;
    }

    // Exclusion rule: only applies when the declaring type also has a method matching
    // ("System.Security.Cryptography.SymmetricAlgorithm", "()") - presumably a
    // parameterless factory returning SymmetricAlgorithm; confirm in DotNetUtils.GetMethod.
    var algorithmFactory = DotNetUtils.GetMethod(method.DeclaringType, "System.Security.Cryptography.SymmetricAlgorithm", "()");
    if (algorithmFactory != null)
    {
        if (localTypes.Exists("System.UInt64"))
        {
            return false;
        }
        if (localTypes.Exists("System.UInt32") && !localTypes.Exists("System.Reflection.Assembly"))
        {
            return false;
        }
    }

    // At least one symmetric-cipher type has to appear among the locals.
    return localTypes.Exists("System.Security.Cryptography.RijndaelManaged")
        || localTypes.Exists("System.Security.Cryptography.AesManaged")
        || localTypes.Exists("System.Security.Cryptography.SymmetricAlgorithm");
}
/// <summary>
/// Heuristic check for a decrypt routine: the method must have a body, declare
/// all of the stream/crypto local types listed below plus any caller-supplied
/// ones, and use either RijndaelManaged or AesManaged as a local.
/// The match is on local-variable type names only, so treat a hit as a candidate.
/// </summary>
/// <param name="method">Method to inspect.</param>
/// <param name="additionalTypes">Extra required local type names; must not be null because it is handed to <c>AddRange</c>.</param>
/// <returns><c>true</c> if the local-variable profile matches.</returns>
public static bool CouldBeDecryptMethod(MethodDef method, IEnumerable<string> additionalTypes)
{
    // Abstract/extern methods have no locals to profile.
    if (method.Body == null)
    {
        return false;
    }

    var localTypes = new LocalTypes(method);

    var wanted = new List<string>();
    wanted.Add("System.Byte[]");
    wanted.Add("System.IO.MemoryStream");
    wanted.Add("System.Security.Cryptography.CryptoStream");
    wanted.Add("System.Security.Cryptography.ICryptoTransform");
    wanted.AddRange(additionalTypes);

    if (!localTypes.All(wanted))
    {
        return false;
    }

    // Unlike the resource-decrypter variants, the abstract SymmetricAlgorithm
    // type alone is not accepted here; a concrete cipher local is required.
    return localTypes.Exists("System.Security.Cryptography.RijndaelManaged")
        || localTypes.Exists("System.Security.Cryptography.AesManaged");
}
/// <summary>
/// Scans <paramref name="type"/> for the first static method with signature
/// <c>string (string, string)</c> whose locals include MD5, Rijndael,
/// CryptoStream, MemoryStream and a byte array. On a hit the method is stored
/// in <c>antiStrongNameMethod</c>.
/// </summary>
/// <param name="type">Type whose methods are examined.</param>
/// <returns><c>true</c> if a matching method was found and recorded; otherwise <c>false</c>.</returns>
bool CheckType(TypeDef type)
{
    string[] wantedLocals =
    {
        "System.Byte[]",
        "System.IO.MemoryStream",
        "System.Security.Cryptography.CryptoStream",
        "System.Security.Cryptography.MD5",
        "System.Security.Cryptography.Rijndael",
    };

    foreach (var candidate in type.Methods)
    {
        if (!candidate.IsStatic || candidate.Body == null)
            continue;

        var signature = candidate.MethodSig;
        if (signature == null || signature.Params.Count != 2)
            continue;

        // Return type and both parameters must be System.String; the checks
        // short-circuit in the same order as three separate guards would.
        bool allStrings = CheckType(signature.RetType, ElementType.String)
            && CheckType(signature.Params[0], ElementType.String)
            && CheckType(signature.Params[1], ElementType.String);
        if (!allStrings)
            continue;

        if (!new LocalTypes(candidate).All(wantedLocals))
            continue;

        // First match wins; later methods are not examined.
        antiStrongNameMethod = candidate;
        return true;
    }

    return false;
}
/// <summary>
/// Looks through the methods of <paramref name="type"/> for a static
/// <c>string (string, string)</c> method whose local variables cover the
/// hashing and cipher types listed below, and remembers the first one found
/// in <c>antiStrongNameMethod</c>.
/// </summary>
/// <param name="type">Type to search.</param>
/// <returns><c>true</c> when a method matched; <c>false</c> when none did.</returns>
bool CheckType(TypeDef type)
{
    var neededLocals = new[]
    {
        "System.Byte[]",
        "System.IO.MemoryStream",
        "System.Security.Cryptography.CryptoStream",
        "System.Security.Cryptography.MD5",
        "System.Security.Cryptography.Rijndael",
    };

    foreach (var m in type.Methods)
    {
        // Only static methods with IL bodies can be profiled.
        if (!m.IsStatic || m.Body == null)
        {
            continue;
        }

        var sig = m.MethodSig;
        if (sig == null || sig.Params.Count != 2)
        {
            continue;
        }

        // Signature shape: string f(string, string).
        if (!CheckType(sig.RetType, ElementType.String)
            || !CheckType(sig.Params[0], ElementType.String)
            || !CheckType(sig.Params[1], ElementType.String))
        {
            continue;
        }

        var locals = new LocalTypes(m);
        if (locals.All(neededLocals))
        {
            antiStrongNameMethod = m;
            return true;
        }
    }

    return false;
}
/// <summary>
/// Heuristic check that the supplied local-variable summary contains the
/// integer, string, byte-array and BinaryReader types expected of this
/// resource-decrypter variant, plus any caller-supplied types.
/// No cipher type is required here, so the profile is broad; treat a hit as
/// a candidate only.
/// </summary>
/// <param name="method">Not read by this overload.</param>
/// <param name="localTypes">Local-variable type summary to test.</param>
/// <param name="additionalTypes">Extra required type names; must not be null because it is handed to <c>AddRange</c>.</param>
/// <returns><c>true</c> if every required type is present among the locals.</returns>
public static bool CouldBeResourceDecrypter(MethodDef method, LocalTypes localTypes, IList<string> additionalTypes)
{
    var wanted = new List<string>();
    wanted.Add("System.UInt32");
    wanted.Add("System.String");
    wanted.Add("System.Int32");
    wanted.Add("System.Byte[]");
    wanted.Add("System.IO.BinaryReader");
    wanted.AddRange(additionalTypes);

    return localTypes.All(wanted);
}
/// <summary>
/// Reports whether <paramref name="method"/> looks like a CryptoStream-based
/// decrypt routine, judged purely by the types of its local variables.
/// </summary>
/// <param name="method">Method to inspect; a method without a body never matches.</param>
/// <param name="additionalTypes">Further local type names that must be present; must not be null because it is handed to <c>AddRange</c>.</param>
/// <returns><c>true</c> when all required locals exist and a RijndaelManaged or AesManaged local is present.</returns>
public static bool CouldBeDecryptMethod(MethodDef method, IEnumerable<string> additionalTypes)
{
    if (method.Body == null)
    {
        return false;
    }

    var localTypes = new LocalTypes(method);

    var mandatory = new List<string>(new string[]
    {
        "System.Byte[]",
        "System.IO.MemoryStream",
        "System.Security.Cryptography.CryptoStream",
        "System.Security.Cryptography.ICryptoTransform",
    });
    mandatory.AddRange(additionalTypes);

    if (!localTypes.All(mandatory))
    {
        return false;
    }

    // A concrete cipher local is required; the order of the two lookups is kept.
    bool hasRijndael = localTypes.Exists("System.Security.Cryptography.RijndaelManaged");
    return hasRijndael || localTypes.Exists("System.Security.Cryptography.AesManaged");
}
/// <summary>
/// Heuristic check for a static resource-decrypter method: it needs a body,
/// the stream/crypto locals listed below (plus caller-supplied ones), a
/// symmetric-cipher local, and - when <paramref name="checkResource"/> is set -
/// a non-null result from <c>FindMethodsDecrypterResource</c>.
/// </summary>
/// <param name="method">Method to inspect.</param>
/// <param name="additionalTypes">Extra required local type names; must not be null because it is handed to <c>AddRange</c>.</param>
/// <param name="checkResource">When <c>true</c>, also require that a resource can be located for the method.</param>
/// <returns><c>true</c> if every enabled check passes.</returns>
public bool CouldBeResourceDecrypter(MethodDef method, IEnumerable<string> additionalTypes, bool checkResource)
{
    if (!method.IsStatic || method.Body == null)
    {
        return false;
    }

    var localTypes = new LocalTypes(method);

    var wanted = new List<string>();
    wanted.Add("System.Byte[]");
    wanted.Add("System.IO.BinaryReader");
    wanted.Add("System.IO.MemoryStream");
    wanted.Add("System.Security.Cryptography.CryptoStream");
    wanted.Add("System.Security.Cryptography.ICryptoTransform");
    wanted.AddRange(additionalTypes);

    if (!localTypes.All(wanted))
    {
        return false;
    }

    bool usesSymmetricCipher =
        localTypes.Exists("System.Security.Cryptography.RijndaelManaged")
        || localTypes.Exists("System.Security.Cryptography.AesManaged")
        || localTypes.Exists("System.Security.Cryptography.SymmetricAlgorithm");
    if (!usesSymmetricCipher)
    {
        return false;
    }

    // The resource lookup runs only when requested, and only after the
    // cheaper local-type checks have passed.
    return !checkResource || FindMethodsDecrypterResource(method) != null;
}
/// <summary>
/// Heuristic check that a local-variable summary matches a CryptoStream-based
/// resource decrypter: all stream/crypto types below (plus caller-supplied
/// ones) and at least one symmetric-cipher type must be present.
/// The test is a type-name match only, so a hit is a candidate, not a proof.
/// </summary>
/// <param name="method">Not read by this overload.</param>
/// <param name="localTypes">Local-variable type summary to test.</param>
/// <param name="additionalTypes">Extra required type names; must not be null because it is handed to <c>AddRange</c>.</param>
/// <returns><c>true</c> if the profile matches.</returns>
public static bool CouldBeResourceDecrypter(MethodDef method, LocalTypes localTypes, IList<string> additionalTypes)
{
    var mandatory = new List<string>(new string[]
    {
        "System.Byte[]",
        "System.IO.BinaryReader",
        "System.IO.MemoryStream",
        "System.Security.Cryptography.CryptoStream",
        "System.Security.Cryptography.ICryptoTransform",
    });
    mandatory.AddRange(additionalTypes);

    if (!localTypes.All(mandatory))
    {
        return false;
    }

    // Accept a concrete cipher or the abstract SymmetricAlgorithm base type.
    if (localTypes.Exists("System.Security.Cryptography.RijndaelManaged"))
    {
        return true;
    }
    if (localTypes.Exists("System.Security.Cryptography.AesManaged"))
    {
        return true;
    }
    return localTypes.Exists("System.Security.Cryptography.SymmetricAlgorithm");
}
/// <summary>
/// Searches the methods called by <paramref name="methodToCheck"/> for the
/// initializer of an embedded assembly resolver. On success the resolver's
/// declaring type, its resolve method and the initializer are stored in
/// <c>assemblyResolverType</c>, <c>assemblyResolverMethod</c> and
/// <c>assemblyResolverInitMethod</c>.
/// </summary>
/// <param name="simpleDeobfuscator">Used to deobfuscate <paramref name="methodToCheck"/> before its calls are enumerated.</param>
/// <param name="methodToCheck">Method whose callees are examined; <c>null</c> yields <c>false</c>.</param>
/// <returns><c>true</c> if a resolver was identified and recorded.</returns>
bool CheckMethod(ISimpleDeobfuscator simpleDeobfuscator, MethodDef methodToCheck)
{
    if (methodToCheck == null)
    {
        return false;
    }

    // Two accepted local-variable profiles for the resolve method; the second
    // is the first without the byte[] and string locals.
    string[] fullProfile =
    {
        "System.Byte[]",
        "System.Reflection.Assembly",
        "System.String",
        "System.IO.BinaryReader",
        "System.IO.Stream",
    };
    string[] reducedProfile =
    {
        "System.Reflection.Assembly",
        "System.IO.BinaryReader",
        "System.IO.Stream",
    };

    simpleDeobfuscator.Deobfuscate(methodToCheck);

    foreach (var callee in DotNetUtils.GetCalledMethods(module, methodToCheck))
    {
        var owner = callee.DeclaringType;

        // The initializer must be a static method matching ("System.Void", "()").
        if (!DotNetUtils.IsMethod(callee, "System.Void", "()") || !callee.IsStatic)
        {
            continue;
        }

        // Shape of the resolver type: 2 or 3 fields, nothing nested,
        // no events, no properties.
        if (owner.Fields.Count != 2 && owner.Fields.Count != 3)
        {
            continue;
        }
        if (owner.HasNestedTypes || owner.HasEvents || owner.HasProperties)
        {
            continue;
        }
        if (!CheckFields(owner.Fields))
        {
            continue;
        }

        var resolveHandler = FindAssemblyResolveMethod(owner);
        if (resolveHandler == null)
        {
            continue;
        }

        var handlerLocals = new LocalTypes(resolveHandler);
        bool profileMatches = handlerLocals.All(fullProfile) || handlerLocals.All(reducedProfile);
        if (!profileMatches)
        {
            continue;
        }

        // First match wins.
        assemblyResolverType = owner;
        assemblyResolverMethod = resolveHandler;
        assemblyResolverInitMethod = callee;
        return true;
    }

    return false;
}
/// <summary>
/// Recovers an embedded key and IV by inspecting the methods that
/// <paramref name="method"/> calls on its own declaring type. A callee
/// qualifies when it returns <c>System.Byte[]</c> and its locals include the
/// Rijndael/CryptoStream types below; its <c>ldtoken</c> operands are then
/// scanned for fields with initial data of 32 bytes (taken as the key) and
/// 16 bytes (taken as the IV).
/// </summary>
/// <param name="method">Method whose callees are searched.</param>
/// <param name="key">Receives the 32-byte field data, or <c>null</c> if nothing was found.</param>
/// <param name="iv">Receives the 16-byte field data, or <c>null</c> if nothing was found.</param>
void FindKeyIv(MethodDef method, out byte[] key, out byte[] iv)
{
    key = null;
    iv = null;

    string[] wantedLocals =
    {
        "System.Byte[]",
        "System.IO.MemoryStream",
        "System.Security.Cryptography.CryptoStream",
        "System.Security.Cryptography.Rijndael",
    };

    foreach (var callee in DotNetUtils.GetCalledMethods(module, method))
    {
        if (callee.DeclaringType != method.DeclaringType)
        {
            continue;
        }
        if (callee.MethodSig.GetRetType().GetFullName() != "System.Byte[]")
        {
            continue;
        }
        if (!new LocalTypes(callee).All(wantedLocals))
        {
            continue;
        }

        byte[] candidateKey = null;
        byte[] candidateIv = null;

        foreach (var instr in callee.Body.Instructions)
        {
            // Stop scanning once both values have been captured.
            if (candidateKey != null && candidateIv != null)
            {
                break;
            }
            if (instr.OpCode.Code != Code.Ldtoken)
            {
                continue;
            }

            var field = instr.Operand as FieldDef;
            if (field == null || field.InitialValue == null)
            {
                continue;
            }

            // Classification is by length alone: 32 bytes -> key, 16 bytes -> IV
            // (presumably a 256-bit key and a 128-bit block-sized IV).
            // Any other length is ignored.
            byte[] blob = field.InitialValue;
            switch (blob.Length)
            {
                case 32:
                    candidateKey = blob;
                    break;
                case 16:
                    candidateIv = blob;
                    break;
            }
        }

        // Both halves are required; a partial find is discarded.
        if (candidateKey == null || candidateIv == null)
        {
            continue;
        }

        InitializeStringDecrypterVersion(method);
        key = candidateKey;
        iv = candidateIv;
        return;
    }
}
/// <summary>
/// Locates the decrypter method on the module type and fingerprints which
/// Confuser variant produced it. Candidates are static methods matching
/// ("System.Object", "(System.UInt32)"); the variant is chosen from the
/// locals profile, embedded integer constants and called framework methods.
/// The first method that can be classified is recorded via
/// <c>theDecrypterInfo</c> and <c>Add</c>, and the search stops.
/// </summary>
/// <remarks>
/// Side effects: assigns the <c>version</c> field, and on the branches that
/// call <c>FindNativeMethod</c> also the <c>nativeMethod</c> field.
/// Classification is heuristic; every signal is a structural match.
/// </remarks>
public void Find()
{
    var moduleType = DotNetUtils.GetModuleType(module);
    if (moduleType == null)
    {
        return;
    }

    foreach (var method in moduleType.Methods)
    {
        if (!method.IsStatic || method.Body == null)
        {
            continue;
        }
        if (!DotNetUtils.IsMethod(method, "System.Object", "(System.UInt32)"))
        {
            continue;
        }

        var info = new DecrypterInfo();
        var localTypes = new LocalTypes(method);

        // Two known local-variable layouts; anything else is not a decrypter.
        bool firstLayout = localTypes.All(requiredLocals1);
        if (!firstLayout && !localTypes.All(requiredLocals2))
        {
            continue;
        }

        if (firstLayout)
        {
            if (localTypes.Exists("System.Collections.BitArray")) // or System.Random
            {
                version = ConfuserVersion.v15_r60785_normal;
            }
            else if (DeobUtils.HasInteger(method, 0x100) && DeobUtils.HasInteger(method, 0x10000) && DeobUtils.HasInteger(method, 0xFFFF))
            {
                version = ConfuserVersion.v17_r73404_normal;
            }
            else if (DotNetUtils.CallsMethod(method, "System.String System.Text.Encoding::GetString(System.Byte[])"))
            {
                // Presence of conv.i8 separates the older dynamic variants from r73740.
                if (FindInstruction(method.Body.Instructions, 0, Code.Conv_I8) < 0)
                {
                    version = ConfuserVersion.v17_r73740_dynamic;
                }
                else
                {
                    version = DotNetUtils.CallsMethod(method, "System.Void System.Console::WriteLine()")
                        ? ConfuserVersion.v15_r60785_dynamic
                        : ConfuserVersion.v17_r72989_dynamic;
                }
            }
            else if (DotNetUtils.CallsMethod(method, "System.String System.Text.Encoding::GetString(System.Byte[],System.Int32,System.Int32)"))
            {
                nativeMethod = FindNativeMethod(method);
                version = nativeMethod == null
                    ? ConfuserVersion.v17_r73764_dynamic
                    : ConfuserVersion.v17_r73764_native;
            }
            else
            {
                continue;
            }
        }
        else
        {
            if (DeobUtils.HasInteger(method, 0x100) && DeobUtils.HasInteger(method, 0x10000) && DeobUtils.HasInteger(method, 0xFFFF))
            {
                version = ConfuserVersion.v17_r73822_normal;
            }
            else if (DotNetUtils.CallsMethod(method, "System.Int32 System.Object::GetHashCode()"))
            {
                nativeMethod = FindNativeMethod(method);
                version = nativeMethod == null
                    ? ConfuserVersion.v17_r74021_dynamic
                    : ConfuserVersion.v17_r74021_native;
            }
            else
            {
                // Fallback for the second layout: native vs. dynamic only.
                nativeMethod = FindNativeMethod(method);
                version = nativeMethod == null
                    ? ConfuserVersion.v17_r73822_dynamic
                    : ConfuserVersion.v17_r73822_native;
            }
        }

        info.decryptMethod = method;
        theDecrypterInfo = info;
        Add(info);
        break;
    }
}
/// <summary>
/// Locates the string decrypter on the module type and fingerprints the
/// Confuser variant. Candidates are static methods matching
/// ("System.String", "(System.Int32)") whose locals cover
/// <c>requiredLocals</c>. The first candidate that yields both magic values
/// and a known version is stored in <c>decryptMethod</c>.
/// </summary>
/// <param name="simpleDeobfuscator">Used to deobfuscate each candidate before constants are extracted.</param>
/// <remarks>
/// Side effects: <c>magic1</c>, <c>magic2</c>, <c>key1</c> and <c>version</c>
/// are written while candidates are evaluated, including candidates that are
/// later rejected, so they are only meaningful once <c>decryptMethod</c> is set.
/// </remarks>
public void Find(ISimpleDeobfuscator simpleDeobfuscator)
{
    var moduleType = DotNetUtils.GetModuleType(module);
    if (moduleType == null)
    {
        return;
    }

    foreach (var method in moduleType.Methods)
    {
        if (!method.IsStatic || method.Body == null)
        {
            continue;
        }
        if (!DotNetUtils.IsMethod(method, "System.String", "(System.Int32)"))
        {
            continue;
        }

        var localTypes = new LocalTypes(method);
        if (!localTypes.All(requiredLocals))
        {
            continue;
        }

        simpleDeobfuscator.Deobfuscate(method);

        // Try the old magic1 pattern first; the new pattern is only probed
        // when the old one is absent.
        bool usesOldMagic = FindMagic1(method, out magic1);
        if (!usesOldMagic && !FindNewMagic1(method, out magic1))
        {
            continue;
        }
        if (!FindMagic2(method, out magic2))
        {
            continue;
        }

        version = ConfuserVersion.Unknown;

        if (DotNetUtils.CallsMethod(method, "System.Text.Encoding System.Text.Encoding::get_UTF8()"))
        {
            if (usesOldMagic)
            {
                version = DotNetUtils.CallsMethod(method, "System.Object System.AppDomain::GetData(System.String)")
                    ? ConfuserVersion.v13_r55604_safe
                    : ConfuserVersion.v10_r42915;
            }
            else
            {
                if (!FindSafeKey1(method, out key1))
                {
                    continue;
                }
                version = ConfuserVersion.v14_r58802_safe;
            }
        }
        else if (!localTypes.Exists("System.Random"))
        {
            version = usesOldMagic
                ? ConfuserVersion.v11_r49299
                : ConfuserVersion.v14_r58802_dynamic;
        }
        else if (localTypes.Exists("System.Collections.Generic.Dictionary`2<System.Int32,System.String>"))
        {
            version = ConfuserVersion.v10_r48832;
        }

        // No branch recognised this candidate; keep looking.
        if (version == ConfuserVersion.Unknown)
        {
            continue;
        }

        decryptMethod = method;
        break;
    }
}
/// <summary>
/// Finds the string decrypter among the module type's static
/// <c>string (int)</c> methods and works out which Confuser variant it
/// belongs to from the magic-constant pattern, called framework methods and
/// local-variable types. Stops at the first classifiable method and stores it
/// in <c>decryptMethod</c>.
/// </summary>
/// <param name="simpleDeobfuscator">Deobfuscates each candidate before it is analysed.</param>
/// <remarks>
/// The fields <c>magic1</c>, <c>magic2</c>, <c>key1</c> and <c>version</c> are
/// overwritten during the scan even for candidates that end up rejected.
/// </remarks>
public void Find(ISimpleDeobfuscator simpleDeobfuscator)
{
    var globalType = DotNetUtils.GetModuleType(module);
    if (globalType == null)
    {
        return;
    }

    foreach (var method in globalType.Methods)
    {
        bool hasStaticBody = method.IsStatic && method.Body != null;
        if (!hasStaticBody || !DotNetUtils.IsMethod(method, "System.String", "(System.Int32)"))
        {
            continue;
        }

        var localTypes = new LocalTypes(method);
        if (!localTypes.All(requiredLocals))
        {
            continue;
        }

        simpleDeobfuscator.Deobfuscate(method);

        // Old pattern takes precedence; fall back to the new one.
        bool oldMagicPattern;
        if (FindMagic1(method, out magic1))
        {
            oldMagicPattern = true;
        }
        else
        {
            if (!FindNewMagic1(method, out magic1))
            {
                continue;
            }
            oldMagicPattern = false;
        }

        if (!FindMagic2(method, out magic2))
        {
            continue;
        }

        version = ConfuserVersion.Unknown;

        bool usesUtf8 = DotNetUtils.CallsMethod(method, "System.Text.Encoding System.Text.Encoding::get_UTF8()");
        if (usesUtf8)
        {
            if (!oldMagicPattern)
            {
                // The "safe" r58802 variant additionally needs its key constant.
                if (!FindSafeKey1(method, out key1))
                {
                    continue;
                }
                version = ConfuserVersion.v14_r58802_safe;
            }
            else if (DotNetUtils.CallsMethod(method, "System.Object System.AppDomain::GetData(System.String)"))
            {
                version = ConfuserVersion.v13_r55604_safe;
            }
            else
            {
                version = ConfuserVersion.v10_r42915;
            }
        }
        else if (!localTypes.Exists("System.Random"))
        {
            if (oldMagicPattern)
            {
                version = ConfuserVersion.v11_r49299;
            }
            else
            {
                version = ConfuserVersion.v14_r58802_dynamic;
            }
        }
        else if (localTypes.Exists("System.Collections.Generic.Dictionary`2<System.Int32,System.String>"))
        {
            version = ConfuserVersion.v10_r48832;
        }

        // Unclassified candidates are skipped rather than guessed at.
        if (version == ConfuserVersion.Unknown)
        {
            continue;
        }

        decryptMethod = method;
        break;
    }
}
/// <summary>
/// Finds the decrypter among the module type's static methods matching
/// ("System.Object", "(System.UInt32)") and determines the Confuser variant
/// from its locals layout, integer constants and called framework methods.
/// The first classifiable method is stored through <c>theDecrypterInfo</c>
/// and <c>Add</c>; later methods are not examined.
/// </summary>
/// <remarks>
/// Writes the <c>version</c> field, and the <c>nativeMethod</c> field on the
/// branches that probe for a native helper. All signals are structural
/// matches, so the resulting version is a best-effort fingerprint.
/// </remarks>
public void Find()
{
    var globalType = DotNetUtils.GetModuleType(module);
    if (globalType == null)
    {
        return;
    }

    foreach (var method in globalType.Methods)
    {
        bool hasStaticBody = method.IsStatic && method.Body != null;
        if (!hasStaticBody || !DotNetUtils.IsMethod(method, "System.Object", "(System.UInt32)"))
        {
            continue;
        }

        DecrypterInfo info = new DecrypterInfo();
        var localTypes = new LocalTypes(method);

        if (localTypes.All(requiredLocals1))
        {
            if (localTypes.Exists("System.Collections.BitArray")) // or System.Random
            {
                version = ConfuserVersion.v15_r60785_normal;
            }
            else if (DeobUtils.HasInteger(method, 0x100) && DeobUtils.HasInteger(method, 0x10000) && DeobUtils.HasInteger(method, 0xFFFF))
            {
                version = ConfuserVersion.v17_r73404_normal;
            }
            else if (DotNetUtils.CallsMethod(method, "System.String System.Text.Encoding::GetString(System.Byte[])"))
            {
                bool hasConvI8 = FindInstruction(method.Body.Instructions, 0, Code.Conv_I8) >= 0;
                if (!hasConvI8)
                {
                    version = ConfuserVersion.v17_r73740_dynamic;
                }
                else if (DotNetUtils.CallsMethod(method, "System.Void System.Console::WriteLine()"))
                {
                    version = ConfuserVersion.v15_r60785_dynamic;
                }
                else
                {
                    version = ConfuserVersion.v17_r72989_dynamic;
                }
            }
            else if (DotNetUtils.CallsMethod(method, "System.String System.Text.Encoding::GetString(System.Byte[],System.Int32,System.Int32)"))
            {
                // A native helper distinguishes the "native" from the "dynamic" flavour.
                nativeMethod = FindNativeMethod(method);
                if (nativeMethod == null)
                {
                    version = ConfuserVersion.v17_r73764_dynamic;
                }
                else
                {
                    version = ConfuserVersion.v17_r73764_native;
                }
            }
            else
            {
                continue;
            }
        }
        else if (localTypes.All(requiredLocals2))
        {
            if (DeobUtils.HasInteger(method, 0x100) && DeobUtils.HasInteger(method, 0x10000) && DeobUtils.HasInteger(method, 0xFFFF))
            {
                version = ConfuserVersion.v17_r73822_normal;
            }
            else
            {
                // Both remaining variants probe for the native helper; the
                // GetHashCode call is tested first, as in the original chain.
                bool callsGetHashCode = DotNetUtils.CallsMethod(method, "System.Int32 System.Object::GetHashCode()");
                nativeMethod = FindNativeMethod(method);
                bool isDynamic = nativeMethod == null;
                if (callsGetHashCode)
                {
                    version = isDynamic ? ConfuserVersion.v17_r74021_dynamic : ConfuserVersion.v17_r74021_native;
                }
                else
                {
                    version = isDynamic ? ConfuserVersion.v17_r73822_dynamic : ConfuserVersion.v17_r73822_native;
                }
            }
        }
        else
        {
            continue;
        }

        info.decryptMethod = method;
        theDecrypterInfo = info;
        Add(info);
        break;
    }
}