public static bool CouldBeResourceDecrypter(MethodDef method, LocalTypes localTypes, IList <string> additionalTypes)
{
var requiredTypes = new List <string> {
"System.Byte[]",
"System.IO.BinaryReader",
"System.IO.MemoryStream",
"System.Security.Cryptography.CryptoStream",
"System.Security.Cryptography.ICryptoTransform",
};
requiredTypes.AddRange(additionalTypes);
if (!localTypes.All(requiredTypes))
{
return(false);
}
if (DotNetUtils.GetMethod(method.DeclaringType, "System.Security.Cryptography.SymmetricAlgorithm", "()") != null)
{
if (localTypes.Exists("System.UInt64") || (localTypes.Exists("System.UInt32") && !localTypes.Exists("System.Reflection.Assembly")))
{
return(false);
}
}
if (!localTypes.Exists("System.Security.Cryptography.RijndaelManaged") &&
!localTypes.Exists("System.Security.Cryptography.AesManaged") &&
!localTypes.Exists("System.Security.Cryptography.SymmetricAlgorithm"))
{
return(false);
}
return(true);
}
public static bool CouldBeDecryptMethod(MethodDef method, IEnumerable <string> additionalTypes)
{
if (method.Body == null)
{
return(false);
}
var localTypes = new LocalTypes(method);
var requiredTypes = new List <string> {
"System.Byte[]",
"System.IO.MemoryStream",
"System.Security.Cryptography.CryptoStream",
"System.Security.Cryptography.ICryptoTransform",
};
requiredTypes.AddRange(additionalTypes);
if (!localTypes.All(requiredTypes))
{
return(false);
}
if (!localTypes.Exists("System.Security.Cryptography.RijndaelManaged") &&
!localTypes.Exists("System.Security.Cryptography.AesManaged"))
{
return(false);
}
return(true);
}
public static bool CouldBeDecryptMethod(MethodDef method, IEnumerable<string> additionalTypes) {
if (method.Body == null)
return false;
var localTypes = new LocalTypes(method);
var requiredTypes = new List<string> {
"System.Byte[]",
"System.IO.MemoryStream",
"System.Security.Cryptography.CryptoStream",
"System.Security.Cryptography.ICryptoTransform",
};
requiredTypes.AddRange(additionalTypes);
if (!localTypes.All(requiredTypes))
return false;
if (!localTypes.Exists("System.Security.Cryptography.RijndaelManaged") &&
!localTypes.Exists("System.Security.Cryptography.AesManaged"))
return false;
return true;
}
void InitializeStringDecrypterVersion(MethodDef method)
{
var localTypes = new LocalTypes(method);
if (localTypes.Exists("System.IntPtr"))
{
stringDecrypterVersion = StringDecrypterVersion.VER_38;
}
else
{
stringDecrypterVersion = StringDecrypterVersion.VER_37;
}
}
public bool CouldBeResourceDecrypter(MethodDef method, IEnumerable <string> additionalTypes, bool checkResource)
{
if (!method.IsStatic)
{
return(false);
}
if (method.Body == null)
{
return(false);
}
var localTypes = new LocalTypes(method);
var requiredTypes = new List <string> {
"System.Byte[]",
"System.IO.BinaryReader",
"System.IO.MemoryStream",
"System.Security.Cryptography.CryptoStream",
"System.Security.Cryptography.ICryptoTransform",
};
requiredTypes.AddRange(additionalTypes);
if (!localTypes.All(requiredTypes))
{
return(false);
}
if (!localTypes.Exists("System.Security.Cryptography.RijndaelManaged") &&
!localTypes.Exists("System.Security.Cryptography.AesManaged") &&
!localTypes.Exists("System.Security.Cryptography.SymmetricAlgorithm"))
{
return(false);
}
if (checkResource && FindMethodsDecrypterResource(method) == null)
{
return(false);
}
return(true);
}
public static bool CouldBeResourceDecrypter(MethodDef method, LocalTypes localTypes, IList <string> additionalTypes)
{
var requiredTypes = new List <string> {
"System.Byte[]",
"System.IO.BinaryReader",
"System.IO.MemoryStream",
"System.Security.Cryptography.CryptoStream",
"System.Security.Cryptography.ICryptoTransform",
};
requiredTypes.AddRange(additionalTypes);
if (!localTypes.All(requiredTypes))
{
return(false);
}
if (!localTypes.Exists("System.Security.Cryptography.RijndaelManaged") &&
!localTypes.Exists("System.Security.Cryptography.AesManaged") &&
!localTypes.Exists("System.Security.Cryptography.SymmetricAlgorithm"))
{
return(false);
}
return(true);
}
string DetectVersion()
{
/*
* Methods decrypter locals (not showing its own types):
* 3.7.0.3:
* "System.Byte[]"
* "System.Int32"
* "System.Int32[]"
* "System.IntPtr"
* "System.IO.BinaryReader"
* "System.IO.MemoryStream"
* "System.Object"
* "System.Reflection.Assembly"
* "System.Security.Cryptography.CryptoStream"
* "System.Security.Cryptography.ICryptoTransform"
* "System.Security.Cryptography.RijndaelManaged"
* "System.String"
*
* 3.9.8.0:
* - "System.Int32[]"
+ "System.Diagnostics.StackFrame"
+
+ 4.0.0.0: (jitter)
+ - "System.Diagnostics.StackFrame"
+ - "System.Object"
+ "System.Boolean"
+ "System.Collections.IEnumerator"
+ "System.Delegate"
+ "System.Diagnostics.Process"
+ "System.Diagnostics.ProcessModule"
+ "System.Diagnostics.ProcessModuleCollection"
+ "System.IDisposable"
+ "System.Int64"
+ "System.UInt32"
+ "System.UInt64"
+
+ 4.1.0.0: (jitter)
+ "System.Reflection.Assembly"
+
+ 4.3.1.0: (jitter)
+ "System.Byte&"
*/
LocalTypes localTypes;
int minVer = -1;
foreach (var info in stringDecrypter.DecrypterInfos)
{
if (info.key == null)
{
continue;
}
localTypes = new LocalTypes(info.method);
if (!localTypes.Exists("System.IntPtr"))
{
return(DeobfuscatorInfo.THE_NAME + " <= 3.7");
}
minVer = 3800;
break;
}
if (methodsDecrypter.DecrypterTypeVersion != DnrDecrypterType.V1)
{
return(DeobfuscatorInfo.THE_NAME);
}
if (methodsDecrypter.Method == null)
{
if (minVer >= 3800)
{
return(DeobfuscatorInfo.THE_NAME + " >= 3.8");
}
return(DeobfuscatorInfo.THE_NAME);
}
localTypes = new LocalTypes(methodsDecrypter.Method);
if (localTypes.Exists("System.Int32[]"))
{
if (minVer >= 3800)
{
return(DeobfuscatorInfo.THE_NAME + " 3.8.4.1 - 3.9.0.1");
}
return(DeobfuscatorInfo.THE_NAME + " <= 3.9.0.1");
}
if (!localTypes.Exists("System.Diagnostics.Process")) // If < 4.0
{
if (localTypes.Exists("System.Diagnostics.StackFrame"))
{
return(DeobfuscatorInfo.THE_NAME + " 3.9.8.0");
}
}
var compileMethod = MethodsDecrypter.FindDnrCompileMethod(methodsDecrypter.Method.DeclaringType);
if (compileMethod == null)
{
DeobfuscatedFile.Deobfuscate(methodsDecrypter.Method);
if (!MethodsDecrypter.IsNewer45Decryption(methodsDecrypter.Method))
{
return(DeobfuscatorInfo.THE_NAME + " < 4.0");
}
return(DeobfuscatorInfo.THE_NAME + " 4.5+");
}
DeobfuscatedFile.Deobfuscate(compileMethod);
bool compileMethodHasConstant_0x70000000 = DeobUtils.HasInteger(compileMethod, 0x70000000); // 4.0-4.1
DeobfuscatedFile.Deobfuscate(methodsDecrypter.Method);
bool hasCorEnableProfilingString = FindString(methodsDecrypter.Method, "Cor_Enable_Profiling"); // 4.1-4.4
bool hasCatchString = FindString(methodsDecrypter.Method, "catch: "); // <= 4.7
if (compileMethodHasConstant_0x70000000)
{
if (hasCorEnableProfilingString)
{
return(DeobfuscatorInfo.THE_NAME + " 4.1");
}
return(DeobfuscatorInfo.THE_NAME + " 4.0");
}
if (!hasCorEnableProfilingString)
{
bool callsReverse = DotNetUtils.CallsMethod(methodsDecrypter.Method, "System.Void System.Array::Reverse(System.Array)");
if (!callsReverse)
{
return(DeobfuscatorInfo.THE_NAME + " 4.0 - 4.4");
}
int numIntPtrSizeCompares = CountCompareSystemIntPtrSize(methodsDecrypter.Method);
bool hasSymmetricAlgorithm = new LocalTypes(methodsDecrypter.Method).Exists("System.Security.Cryptography.SymmetricAlgorithm");
if (Module.IsClr40)
{
switch (numIntPtrSizeCompares)
{
case 7:
case 9: return(DeobfuscatorInfo.THE_NAME + " 4.5");
case 10:
if (!hasSymmetricAlgorithm)
{
return(DeobfuscatorInfo.THE_NAME + " 4.6");
}
if (hasCatchString)
{
return(DeobfuscatorInfo.THE_NAME + " 4.7");
}
return(DeobfuscatorInfo.THE_NAME + " 4.8");
}
}
else
{
switch (numIntPtrSizeCompares)
{
case 6:
case 8: return(DeobfuscatorInfo.THE_NAME + " 4.5");
case 9:
if (!hasSymmetricAlgorithm)
{
return(DeobfuscatorInfo.THE_NAME + " 4.6");
}
if (hasCatchString)
{
return(DeobfuscatorInfo.THE_NAME + " 4.7");
}
return(DeobfuscatorInfo.THE_NAME + " 4.8");
}
}
// Should never be reached unless it's a new version
return(DeobfuscatorInfo.THE_NAME + " 4.5+");
}
// 4.2-4.4
if (!localTypes.Exists("System.Byte&"))
{
return(DeobfuscatorInfo.THE_NAME + " 4.2");
}
localTypes = new LocalTypes(compileMethod);
if (localTypes.Exists("System.Object"))
{
return(DeobfuscatorInfo.THE_NAME + " 4.4");
}
return(DeobfuscatorInfo.THE_NAME + " 4.3");
}
public void Find()
{
var type = DotNetUtils.GetModuleType(module);
if (type == null)
{
return;
}
foreach (var method in type.Methods)
{
if (!method.IsStatic || method.Body == null)
{
continue;
}
if (!DotNetUtils.IsMethod(method, "System.Object", "(System.UInt32)"))
{
continue;
}
var info = new DecrypterInfo();
var localTypes = new LocalTypes(method);
if (localTypes.All(requiredLocals1))
{
if (localTypes.Exists("System.Collections.BitArray")) // or System.Random
{
version = ConfuserVersion.v15_r60785_normal;
}
else if (DeobUtils.HasInteger(method, 0x100) &&
DeobUtils.HasInteger(method, 0x10000) &&
DeobUtils.HasInteger(method, 0xFFFF))
{
version = ConfuserVersion.v17_r73404_normal;
}
else if (DotNetUtils.CallsMethod(method, "System.String System.Text.Encoding::GetString(System.Byte[])"))
{
if (FindInstruction(method.Body.Instructions, 0, Code.Conv_I8) >= 0)
{
if (DotNetUtils.CallsMethod(method, "System.Void System.Console::WriteLine()"))
{
version = ConfuserVersion.v15_r60785_dynamic;
}
else
{
version = ConfuserVersion.v17_r72989_dynamic;
}
}
else
{
version = ConfuserVersion.v17_r73740_dynamic;
}
}
else if (DotNetUtils.CallsMethod(method, "System.String System.Text.Encoding::GetString(System.Byte[],System.Int32,System.Int32)"))
{
if ((nativeMethod = FindNativeMethod(method)) == null)
{
version = ConfuserVersion.v17_r73764_dynamic;
}
else
{
version = ConfuserVersion.v17_r73764_native;
}
}
else
{
continue;
}
}
else if (localTypes.All(requiredLocals2))
{
if (DeobUtils.HasInteger(method, 0x100) &&
DeobUtils.HasInteger(method, 0x10000) &&
DeobUtils.HasInteger(method, 0xFFFF))
{
version = ConfuserVersion.v17_r73822_normal;
}
else if (DotNetUtils.CallsMethod(method, "System.Int32 System.Object::GetHashCode()"))
{
if ((nativeMethod = FindNativeMethod(method)) == null)
{
version = ConfuserVersion.v17_r74021_dynamic;
}
else
{
version = ConfuserVersion.v17_r74021_native;
}
}
else if ((nativeMethod = FindNativeMethod(method)) == null)
{
version = ConfuserVersion.v17_r73822_dynamic;
}
else
{
version = ConfuserVersion.v17_r73822_native;
}
}
else
{
continue;
}
info.decryptMethod = method;
theDecrypterInfo = info;
Add(info);
break;
}
}
public void Find(ISimpleDeobfuscator simpleDeobfuscator)
{
var type = DotNetUtils.GetModuleType(module);
if (type == null)
{
return;
}
foreach (var method in type.Methods)
{
if (!method.IsStatic || method.Body == null)
{
continue;
}
if (!DotNetUtils.IsMethod(method, "System.String", "(System.Int32)"))
{
continue;
}
var localTypes = new LocalTypes(method);
if (!localTypes.All(requiredLocals))
{
continue;
}
simpleDeobfuscator.Deobfuscate(method);
bool foundOldMagic1;
if (FindMagic1(method, out magic1))
{
foundOldMagic1 = true;
}
else if (FindNewMagic1(method, out magic1))
{
foundOldMagic1 = false;
}
else
{
continue;
}
if (!FindMagic2(method, out magic2))
{
continue;
}
version = ConfuserVersion.Unknown;
if (DotNetUtils.CallsMethod(method, "System.Text.Encoding System.Text.Encoding::get_UTF8()"))
{
if (foundOldMagic1)
{
if (DotNetUtils.CallsMethod(method, "System.Object System.AppDomain::GetData(System.String)"))
{
version = ConfuserVersion.v13_r55604_safe;
}
else
{
version = ConfuserVersion.v10_r42915;
}
}
else
{
if (!FindSafeKey1(method, out key1))
{
continue;
}
version = ConfuserVersion.v14_r58802_safe;
}
}
else if (!localTypes.Exists("System.Random"))
{
if (foundOldMagic1)
{
version = ConfuserVersion.v11_r49299;
}
else
{
version = ConfuserVersion.v14_r58802_dynamic;
}
}
else if (localTypes.Exists("System.Collections.Generic.Dictionary`2<System.Int32,System.String>"))
{
version = ConfuserVersion.v10_r48832;
}
if (version == ConfuserVersion.Unknown)
{
continue;
}
decryptMethod = method;
break;
}
}
public void Find(ISimpleDeobfuscator simpleDeobfuscator) {
var type = DotNetUtils.GetModuleType(module);
if (type == null)
return;
foreach (var method in type.Methods) {
if (!method.IsStatic || method.Body == null)
continue;
if (!DotNetUtils.IsMethod(method, "System.String", "(System.Int32)"))
continue;
var localTypes = new LocalTypes(method);
if (!localTypes.All(requiredLocals))
continue;
simpleDeobfuscator.Deobfuscate(method);
bool foundOldMagic1;
if (FindMagic1(method, out magic1))
foundOldMagic1 = true;
else if (FindNewMagic1(method, out magic1))
foundOldMagic1 = false;
else
continue;
if (!FindMagic2(method, out magic2))
continue;
version = ConfuserVersion.Unknown;
if (DotNetUtils.CallsMethod(method, "System.Text.Encoding System.Text.Encoding::get_UTF8()")) {
if (foundOldMagic1) {
if (DotNetUtils.CallsMethod(method, "System.Object System.AppDomain::GetData(System.String)"))
version = ConfuserVersion.v13_r55604_safe;
else
version = ConfuserVersion.v10_r42915;
}
else {
if (!FindSafeKey1(method, out key1))
continue;
version = ConfuserVersion.v14_r58802_safe;
}
}
else if (!localTypes.Exists("System.Random")) {
if (foundOldMagic1)
version = ConfuserVersion.v11_r49299;
else
version = ConfuserVersion.v14_r58802_dynamic;
}
else if (localTypes.Exists("System.Collections.Generic.Dictionary`2<System.Int32,System.String>"))
version = ConfuserVersion.v10_r48832;
if (version == ConfuserVersion.Unknown)
continue;
decryptMethod = method;
break;
}
}
string DetectVersion() {
/*
Methods decrypter locals (not showing its own types):
3.7.0.3:
"System.Byte[]"
"System.Int32"
"System.Int32[]"
"System.IntPtr"
"System.IO.BinaryReader"
"System.IO.MemoryStream"
"System.Object"
"System.Reflection.Assembly"
"System.Security.Cryptography.CryptoStream"
"System.Security.Cryptography.ICryptoTransform"
"System.Security.Cryptography.RijndaelManaged"
"System.String"
3.9.8.0:
- "System.Int32[]"
+ "System.Diagnostics.StackFrame"
4.0.0.0: (jitter)
- "System.Diagnostics.StackFrame"
- "System.Object"
+ "System.Boolean"
+ "System.Collections.IEnumerator"
+ "System.Delegate"
+ "System.Diagnostics.Process"
+ "System.Diagnostics.ProcessModule"
+ "System.Diagnostics.ProcessModuleCollection"
+ "System.IDisposable"
+ "System.Int64"
+ "System.UInt32"
+ "System.UInt64"
4.1.0.0: (jitter)
+ "System.Reflection.Assembly"
4.3.1.0: (jitter)
+ "System.Byte&"
*/
LocalTypes localTypes;
int minVer = -1;
foreach (var info in stringDecrypter.DecrypterInfos) {
if (info.key == null)
continue;
localTypes = new LocalTypes(info.method);
if (!localTypes.Exists("System.IntPtr"))
return DeobfuscatorInfo.THE_NAME + " <= 3.7";
minVer = 3800;
break;
}
if (methodsDecrypter.Method == null) {
if (minVer >= 3800)
return DeobfuscatorInfo.THE_NAME + " >= 3.8";
return DeobfuscatorInfo.THE_NAME;
}
localTypes = new LocalTypes(methodsDecrypter.Method);
if (localTypes.Exists("System.Int32[]")) {
if (minVer >= 3800)
return DeobfuscatorInfo.THE_NAME + " 3.8.4.1 - 3.9.0.1";
return DeobfuscatorInfo.THE_NAME + " <= 3.9.0.1";
}
if (!localTypes.Exists("System.Diagnostics.Process")) { // If < 4.0
if (localTypes.Exists("System.Diagnostics.StackFrame"))
return DeobfuscatorInfo.THE_NAME + " 3.9.8.0";
}
var compileMethod = MethodsDecrypter.FindDnrCompileMethod(methodsDecrypter.Method.DeclaringType);
if (compileMethod == null) {
DeobfuscatedFile.Deobfuscate(methodsDecrypter.Method);
if (!MethodsDecrypter.IsNewer45Decryption(methodsDecrypter.Method))
return DeobfuscatorInfo.THE_NAME + " < 4.0";
return DeobfuscatorInfo.THE_NAME + " 4.5+";
}
DeobfuscatedFile.Deobfuscate(compileMethod);
bool compileMethodHasConstant_0x70000000 = DeobUtils.HasInteger(compileMethod, 0x70000000); // 4.0-4.1
DeobfuscatedFile.Deobfuscate(methodsDecrypter.Method);
bool hasCorEnableProfilingString = FindString(methodsDecrypter.Method, "Cor_Enable_Profiling"); // 4.1-4.4
bool hasCatchString = FindString(methodsDecrypter.Method, "catch: "); // <= 4.7
if (compileMethodHasConstant_0x70000000) {
if (hasCorEnableProfilingString)
return DeobfuscatorInfo.THE_NAME + " 4.1";
return DeobfuscatorInfo.THE_NAME + " 4.0";
}
if (!hasCorEnableProfilingString) {
bool callsReverse = DotNetUtils.CallsMethod(methodsDecrypter.Method, "System.Void System.Array::Reverse(System.Array)");
if (!callsReverse)
return DeobfuscatorInfo.THE_NAME + " 4.0 - 4.4";
int numIntPtrSizeCompares = CountCompareSystemIntPtrSize(methodsDecrypter.Method);
bool hasSymmetricAlgorithm = new LocalTypes(methodsDecrypter.Method).Exists("System.Security.Cryptography.SymmetricAlgorithm");
if (module.IsClr40) {
switch (numIntPtrSizeCompares) {
case 7:
case 9: return DeobfuscatorInfo.THE_NAME + " 4.5";
case 10:
if (!hasSymmetricAlgorithm)
return DeobfuscatorInfo.THE_NAME + " 4.6";
if (hasCatchString)
return DeobfuscatorInfo.THE_NAME + " 4.7";
return DeobfuscatorInfo.THE_NAME + " 4.8";
}
}
else {
switch (numIntPtrSizeCompares) {
case 6:
case 8: return DeobfuscatorInfo.THE_NAME + " 4.5";
case 9:
if (!hasSymmetricAlgorithm)
return DeobfuscatorInfo.THE_NAME + " 4.6";
if (hasCatchString)
return DeobfuscatorInfo.THE_NAME + " 4.7";
return DeobfuscatorInfo.THE_NAME + " 4.8";
}
}
// Should never be reached unless it's a new version
return DeobfuscatorInfo.THE_NAME + " 4.5+";
}
// 4.2-4.4
if (!localTypes.Exists("System.Byte&"))
return DeobfuscatorInfo.THE_NAME + " 4.2";
localTypes = new LocalTypes(compileMethod);
if (localTypes.Exists("System.Object"))
return DeobfuscatorInfo.THE_NAME + " 4.4";
return DeobfuscatorInfo.THE_NAME + " 4.3";
}
public void Find(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
{
var entryPoint = module.EntryPoint;
if (entryPoint == null)
{
return;
}
if (!new LocalTypes(entryPoint).All(requiredEntryPointLocals))
{
return;
}
var type = entryPoint.DeclaringType;
if (!new FieldTypes(type).All(requiredFields))
{
return;
}
bool use7zip = type.NestedTypes.Count == 6;
MethodDef decyptMethod;
if (use7zip)
{
decyptMethod = FindDecryptMethod_7zip(type);
}
else
{
decyptMethod = FindDecryptMethod_inflate(type);
}
if (decyptMethod == null)
{
return;
}
var theVersion = ConfuserVersion.Unknown;
var decryptLocals = new LocalTypes(decyptMethod);
if (decryptLocals.Exists("System.IO.MemoryStream"))
{
if (DotNetUtils.CallsMethod(entryPoint, "System.Void", "(System.String,System.Byte[])"))
{
theVersion = ConfuserVersion.v10_r42915;
}
else if (DotNetUtils.CallsMethod(entryPoint, "System.Void", "(System.Security.Permissions.PermissionState)"))
{
theVersion = ConfuserVersion.v10_r48717;
}
else
{
theVersion = ConfuserVersion.v14_r57778;
}
}
else
{
theVersion = ConfuserVersion.v14_r58564;
}
var cctor = type.FindStaticConstructor();
if (cctor == null)
{
return;
}
if ((asmResolverMethod = FindAssemblyResolverMethod(entryPoint.DeclaringType)) != null)
{
theVersion = ConfuserVersion.v14_r58802;
simpleDeobfuscator.Deobfuscate(asmResolverMethod);
if (!FindKey1(asmResolverMethod, out uint key1))
{
return;
}
}
switch (theVersion)
{
case ConfuserVersion.v10_r42915:
case ConfuserVersion.v10_r48717:
case ConfuserVersion.v14_r57778:
break;
case ConfuserVersion.v14_r58564:
case ConfuserVersion.v14_r58802:
simpleDeobfuscator.Deobfuscate(decyptMethod);
if (FindKey0_v14_r58564(decyptMethod, out key0))
{
break;
}
if (FindKey0_v14_r58852(decyptMethod, out key0))
{
if (!decryptLocals.Exists("System.Security.Cryptography.RijndaelManaged"))
{
theVersion = ConfuserVersion.v14_r58852;
break;
}
if (use7zip)
{
if (new LocalTypes(decyptMethod).Exists("System.IO.MemoryStream"))
{
theVersion = ConfuserVersion.v17_r75076;
}
else if (module.Name == "Stub.exe")
{
theVersion = ConfuserVersion.v18_r75184;
}
else if (!IsGetLenToPosStateMethodPrivate(type))
{
theVersion = ConfuserVersion.v18_r75367;
}
else
{
theVersion = ConfuserVersion.v19_r77172;
}
}
else if (IsDecryptMethod_v17_r73404(decyptMethod))
{
theVersion = ConfuserVersion.v17_r73404;
}
else
{
theVersion = ConfuserVersion.v15_r60785;
}
break;
}
throw new ApplicationException("Could not find magic");
default:
throw new ApplicationException("Invalid version");
}
simpleDeobfuscator.Deobfuscate(cctor);
simpleDeobfuscator.DecryptStrings(cctor, deob);
if (FindEntryPointToken(simpleDeobfuscator, cctor, entryPoint, out entryPointToken) && !use7zip)
{
if (DotNetUtils.CallsMethod(asmResolverMethod, "System.Void", "(System.String)"))
{
theVersion = ConfuserVersion.v17_r73477;
}
else
{
theVersion = ConfuserVersion.v17_r73566;
}
}
mainAsmResource = FindResource(cctor);
if (mainAsmResource == null)
{
throw new ApplicationException("Could not find main assembly resource");
}
version = theVersion;
}
public void Find() {
var type = DotNetUtils.GetModuleType(module);
if (type == null)
return;
foreach (var method in type.Methods) {
if (!method.IsStatic || method.Body == null)
continue;
if (!DotNetUtils.IsMethod(method, "System.Object", "(System.UInt32)"))
continue;
DecrypterInfo info = new DecrypterInfo();
var localTypes = new LocalTypes(method);
if (localTypes.All(requiredLocals1)) {
if (localTypes.Exists("System.Collections.BitArray")) // or System.Random
version = ConfuserVersion.v15_r60785_normal;
else if (DeobUtils.HasInteger(method, 0x100) &&
DeobUtils.HasInteger(method, 0x10000) &&
DeobUtils.HasInteger(method, 0xFFFF))
version = ConfuserVersion.v17_r73404_normal;
else if (DotNetUtils.CallsMethod(method, "System.String System.Text.Encoding::GetString(System.Byte[])")) {
if (FindInstruction(method.Body.Instructions, 0, Code.Conv_I8) >= 0) {
if (DotNetUtils.CallsMethod(method, "System.Void System.Console::WriteLine()"))
version = ConfuserVersion.v15_r60785_dynamic;
else
version = ConfuserVersion.v17_r72989_dynamic;
}
else
version = ConfuserVersion.v17_r73740_dynamic;
}
else if (DotNetUtils.CallsMethod(method, "System.String System.Text.Encoding::GetString(System.Byte[],System.Int32,System.Int32)")) {
if ((nativeMethod = FindNativeMethod(method)) == null)
version = ConfuserVersion.v17_r73764_dynamic;
else
version = ConfuserVersion.v17_r73764_native;
}
else
continue;
}
else if (localTypes.All(requiredLocals2)) {
if (DeobUtils.HasInteger(method, 0x100) &&
DeobUtils.HasInteger(method, 0x10000) &&
DeobUtils.HasInteger(method, 0xFFFF))
version = ConfuserVersion.v17_r73822_normal;
else if (DotNetUtils.CallsMethod(method, "System.Int32 System.Object::GetHashCode()")) {
if ((nativeMethod = FindNativeMethod(method)) == null)
version = ConfuserVersion.v17_r74021_dynamic;
else
version = ConfuserVersion.v17_r74021_native;
}
else if ((nativeMethod = FindNativeMethod(method)) == null)
version = ConfuserVersion.v17_r73822_dynamic;
else
version = ConfuserVersion.v17_r73822_native;
}
else
continue;
info.decryptMethod = method;
theDecrypterInfo = info;
Add(info);
break;
}
}
public void Find(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
{
var entryPoint = module.EntryPoint;
if (entryPoint == null)
return;
if (!new LocalTypes(entryPoint).All(requiredEntryPointLocals))
return;
var type = entryPoint.DeclaringType;
if (!new FieldTypes(type).All(requiredFields))
return;
bool use7zip = type.NestedTypes.Count == 6;
MethodDef decyptMethod;
if (use7zip)
decyptMethod = FindDecryptMethod_7zip(type);
else
decyptMethod = FindDecryptMethod_inflate(type);
if (decyptMethod == null)
return;
ConfuserVersion theVersion = ConfuserVersion.Unknown;
var decryptLocals = new LocalTypes(decyptMethod);
if (decryptLocals.Exists("System.IO.MemoryStream")) {
if (DotNetUtils.CallsMethod(entryPoint, "System.Void", "(System.String,System.Byte[])"))
theVersion = ConfuserVersion.v10_r42915;
else if (DotNetUtils.CallsMethod(entryPoint, "System.Void", "(System.Security.Permissions.PermissionState)"))
theVersion = ConfuserVersion.v10_r48717;
else
theVersion = ConfuserVersion.v14_r57778;
}
else
theVersion = ConfuserVersion.v14_r58564;
var cctor = type.FindStaticConstructor();
if (cctor == null)
return;
if ((asmResolverMethod = FindAssemblyResolverMethod(entryPoint.DeclaringType)) != null) {
theVersion = ConfuserVersion.v14_r58802;
simpleDeobfuscator.Deobfuscate(asmResolverMethod);
if (!FindKey1(asmResolverMethod, out key1))
return;
}
switch (theVersion) {
case ConfuserVersion.v10_r42915:
case ConfuserVersion.v10_r48717:
case ConfuserVersion.v14_r57778:
break;
case ConfuserVersion.v14_r58564:
case ConfuserVersion.v14_r58802:
simpleDeobfuscator.Deobfuscate(decyptMethod);
if (FindKey0_v14_r58564(decyptMethod, out key0))
break;
if (FindKey0_v14_r58852(decyptMethod, out key0)) {
if (!decryptLocals.Exists("System.Security.Cryptography.RijndaelManaged")) {
theVersion = ConfuserVersion.v14_r58852;
break;
}
if (use7zip) {
if (new LocalTypes(decyptMethod).Exists("System.IO.MemoryStream"))
theVersion = ConfuserVersion.v17_r75076;
else if (module.Name == "Stub.exe")
theVersion = ConfuserVersion.v18_r75184;
else if (!IsGetLenToPosStateMethodPrivate(type))
theVersion = ConfuserVersion.v18_r75367;
else
theVersion = ConfuserVersion.v19_r77172;
}
else if (IsDecryptMethod_v17_r73404(decyptMethod))
theVersion = ConfuserVersion.v17_r73404;
else
theVersion = ConfuserVersion.v15_r60785;
break;
}
throw new ApplicationException("Could not find magic");
default:
throw new ApplicationException("Invalid version");
}
simpleDeobfuscator.Deobfuscate(cctor);
simpleDeobfuscator.DecryptStrings(cctor, deob);
if (FindEntryPointToken(simpleDeobfuscator, cctor, entryPoint, out entryPointToken) && !use7zip) {
if (DotNetUtils.CallsMethod(asmResolverMethod, "System.Void", "(System.String)"))
theVersion = ConfuserVersion.v17_r73477;
else
theVersion = ConfuserVersion.v17_r73566;
}
mainAsmResource = FindResource(cctor);
if (mainAsmResource == null)
throw new ApplicationException("Could not find main assembly resource");
version = theVersion;
}
