/// <summary>
/// Starts deobfuscation: locates the string decrypter, registers it with the
/// static string inliner when one is detected, and queues the obfuscator's
/// init calls, main type and bad resources for removal.
/// </summary>
public override void DeobfuscateBegin()
{
    base.DeobfuscateBegin();

    stringDecrypter = new StringDecrypter(decrypterInfo);
    stringDecrypter.Find();

    if (!stringDecrypter.Detected)
    {
        // No decrypter was detected, so the PE image is released here
        // (presumably it is only needed for string decryption; confirm).
        FreePEImage();
    }
    else
    {
        stringDecrypter.Initialize(GetEncoding(options.StringCodePage));

        // The callback casts the first call argument to uint and passes it to Decrypt.
        // NOTE(review): if args is object[], the unboxing cast throws
        // InvalidCastException when the argument is not a boxed uint. Confirm
        // that the inliner only supplies that type, since the input is an
        // obfuscated, possibly malformed assembly.
        staticStringInliner.Add(
            stringDecrypter.Method,
            (m, gim, callArgs) => stringDecrypter.Decrypt((uint)callArgs[0]));

        DeobfuscatedFile.StringDecryptersAdded();
    }

    // Queue every init method of the obfuscator's main type for removal from the .cctor calls.
    foreach (var initMethod in mainType.InitMethods)
    {
        AddCctorInitCallToBeRemoved(initMethod);
    }

    AddTypeToBeRemoved(mainType.Type, "Obfuscator type");
    RemoveDuplicateEmbeddedResources();
    RemoveInvalidResources();
}
/// <summary>
/// Builds the deobfuscator for <paramref name="module"/>: finds the CliSecure
/// runtime type, resolves the string decrypter method and registers it with
/// the static string inliner.
/// </summary>
/// <param name="module">Module to analyse.</param>
public MyDeobfuscator(ModuleDefMD module)
{
    cliSecureRtType = new CliSecureRtType(module);
    cliSecureRtType.Find(null);

    // The decrypter is created with whatever StringDecrypterMethod holds after
    // Find(null); it is assigned again below, after the explicit lookup.
    stringDecrypter = new StringDecrypter(module, cliSecureRtType.StringDecrypterMethod);
    stringDecrypter.Find();

    cliSecureRtType.FindStringDecrypterMethod();
    stringDecrypter.Method = cliSecureRtType.StringDecrypterMethod;

    // NOTE(review): nothing here checks that a decrypter method was actually
    // found before it is registered; confirm that Add tolerates a null method.
    staticStringInliner.Add(
        stringDecrypter.Method,
        (m, gim, callArgs) => stringDecrypter.Decrypt((string)callArgs[0]));
}
/// <summary>
/// Builds the deobfuscator for <paramref name="module"/>: finds the CliSecure
/// runtime type, collects its string decrypter infos and registers every
/// decrypter method with the static string inliner.
/// </summary>
/// <param name="module">Module to analyse.</param>
public MyDeobfuscator(ModuleDefMD module)
{
    cliSecureRtType = new CliSecureRtType(module);
    cliSecureRtType.Find(null);

    stringDecrypter = new StringDecrypter(module, cliSecureRtType.StringDecrypterInfos);
    stringDecrypter.Find();

    // Run the explicit lookup on the runtime type, then hand its infos to the decrypter.
    cliSecureRtType.FindStringDecrypterMethod();
    stringDecrypter.AddDecrypterInfos(cliSecureRtType.StringDecrypterInfos);
    stringDecrypter.Initialize();

    // One inliner registration per decrypter method; all share the same Decrypt callback,
    // which casts the first call argument to string.
    foreach (var decrypterInfo in stringDecrypter.StringDecrypterInfos)
    {
        staticStringInliner.Add(
            decrypterInfo.Method,
            (m, gim, callArgs) => stringDecrypter.Decrypt((string)callArgs[0]));
    }
}
/// <summary>
/// Sets up string decryption for <paramref name="module"/>. Every decrypter
/// method reported by the string decrypter is registered with the static
/// string inliner.
/// </summary>
/// <param name="module">Module to analyse.</param>
public MyDeobfuscator(ModuleDefMD module)
{
    // Locate the CliSecure runtime type first; the decrypter is seeded from its infos.
    cliSecureRtType = new CliSecureRtType(module);
    cliSecureRtType.Find(null);

    stringDecrypter = new StringDecrypter(module, cliSecureRtType.StringDecrypterInfos);
    stringDecrypter.Find();

    cliSecureRtType.FindStringDecrypterMethod();
    stringDecrypter.AddDecrypterInfos(cliSecureRtType.StringDecrypterInfos);
    stringDecrypter.Initialize();

    foreach (var entry in stringDecrypter.StringDecrypterInfos)
    {
        // The callback forwards the first call argument, cast to string, to Decrypt.
        staticStringInliner.Add(
            entry.Method,
            (m, gim, a) => stringDecrypter.Decrypt((string)a[0]));
    }
}
/// <summary>
/// Creates each finder/helper for the module and runs its lookup step, storing
/// the helpers in fields. Statement order is kept as written because later
/// helpers are constructed from earlier results.
/// </summary>
protected override void ScanForObfuscator()
{
    FindCliSecureAttribute();

    // Runtime type lookup receives the raw module bytes.
    cliSecureRtType = new CliSecureRtType(module);
    cliSecureRtType.Find(ModuleBytes);

    // The string decrypter is seeded with the infos found on the runtime type.
    stringDecrypter = new StringDecrypter(module, cliSecureRtType.StringDecrypterInfos);
    stringDecrypter.Find();

    resourceDecrypter = new ResourceDecrypter(module);
    resourceDecrypter.Find();

    proxyCallFixer = new ProxyCallFixer(module);
    proxyCallFixer.FindDelegateCreator();

    // Both Csvm versions (vm.v1 and vm.v2) are probed.
    csvmV1 = new vm.v1.Csvm(DeobfuscatedFile.DeobfuscatorContext, module);
    csvmV1.Find();
    csvmV2 = new vm.v2.Csvm(DeobfuscatedFile.DeobfuscatorContext, module);
    csvmV2.Find();
}
/// <summary>
/// Creates the methods, string and boolean decrypters plus the assembly and
/// resource resolvers for the module, runs each one's find step, and sets
/// obfuscatorName from detectVersion().
/// </summary>
protected override void scanForObfuscator()
{
    methodsDecrypter = new MethodsDecrypter(module);
    methodsDecrypter.find();

    // The string decrypter's find step is given DeobfuscatedFile.
    stringDecrypter = new StringDecrypter(module);
    stringDecrypter.find(DeobfuscatedFile);

    booleanDecrypter = new BooleanDecrypter(module);
    booleanDecrypter.find();

    assemblyResolver = new AssemblyResolver(module);
    assemblyResolver.find(DeobfuscatedFile);

    // Version detection runs after the finders above and before the resource resolver.
    obfuscatorName = detectVersion();

    resourceResolver = new ResourceResolver(module);
    resourceResolver.find(DeobfuscatedFile);
}
/// <summary>
/// Locates the obfuscator's main type and the helpers built on it (proxy call
/// fixer, methods decrypter, string decrypter), then appends the detected
/// version, if any, to obfuscatorName.
/// </summary>
protected override void ScanForObfuscator()
{
    FindKillType();

    mainType = new MainType(module);
    mainType.Find();

    // The helpers below are constructed from mainType, so it must be found first.
    proxyCallFixer = new ProxyCallFixer(module, mainType);
    proxyCallFixer.FindDelegateCreator();

    methodsDecrypter = new MethodsDecrypter(mainType);
    methodsDecrypter.Find();

    stringDecrypter = new StringDecrypter(module, mainType);
    stringDecrypter.Find();

    var detectedVersion = DetectVersion();
    if (string.IsNullOrEmpty(detectedVersion))
    {
        // No version detected: leave obfuscatorName unchanged.
        return;
    }

    obfuscatorName += " " + detectedVersion;
}
/// <summary>
/// Creates each finder/helper for the module and runs its lookup step, storing
/// the helpers in fields. Statement order is kept as written because the
/// string decrypter is constructed from the runtime type's result.
/// </summary>
protected override void scanForObfuscator()
{
    findCliSecureAttribute();

    // Runtime type lookup receives the raw module bytes.
    cliSecureRtType = new CliSecureRtType(module);
    cliSecureRtType.find(ModuleBytes);

    // Seeded with the decrypter method found on the runtime type.
    stringDecrypter = new StringDecrypter(module, cliSecureRtType.StringDecrypterMethod);
    stringDecrypter.find();

    resourceDecrypter = new ResourceDecrypter(module);
    resourceDecrypter.find();

    proxyCallFixer = new ProxyCallFixer(module);
    proxyCallFixer.findDelegateCreator();

    csvm = new vm.Csvm(DeobfuscatedFile.DeobfuscatorContext, module);
    csvm.find();
}
/// <summary>
/// Creates the decrypters and resolvers for the module, runs each one's find
/// step, and derives obfuscatorName from DetectVersion(), tagging it when the
/// file was unpacked from a native image.
/// </summary>
protected override void ScanForObfuscator()
{
    methodsDecrypter = new MethodsDecrypter(module);
    methodsDecrypter.Find();

    stringDecrypter = new StringDecrypter(module);
    stringDecrypter.Find(DeobfuscatedFile);

    booleanDecrypter = new BooleanDecrypter(module);
    booleanDecrypter.Find();

    assemblyResolver = new AssemblyResolver(module);
    assemblyResolver.Find(DeobfuscatedFile);

    // Version detection runs after the finders above.
    obfuscatorName = DetectVersion();
    if (unpackedNativeFile)
    {
        obfuscatorName += " (native)";
    }

    resourceResolver = new ResourceResolver(module);
    resourceResolver.Find(DeobfuscatedFile);
}
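/// <summary>
/// Entry point. Loads an assembly with Mono.Cecil, strips the anti-debug and
/// anti-dump stubs, decrypts strings and resources where the matching
/// protection is detected, and saves the cleaned assembly to a second path.
/// </summary>
/// <param name="args">
/// Optional: <c>args[0]</c> is the input assembly and <c>args[1]</c> the output
/// path. With fewer than two arguments the built-in development paths are used.
/// </param>
static void Main(string[] args)
{
    Console.Title = "DeConfuser - The De-Obfuscator for confuser v1.6";
    Console.WriteLine("Copyright © DragonHunter - 2012");
    Console.WriteLine("This deobfuscator might not work at every confused assembly, still BETA");
    Console.WriteLine("Checkout this project at http://deconfuser.codeplex.com");
    Console.WriteLine("Thanks also to Mono.Cecil there was no DeConfuser without Mono.Cecil");
    Console.WriteLine("This version of Mono.Cecil is modded by DragonHunter to do some evil shit");

    // Default development paths, used unless both paths are supplied on the command line.
    string inputPath = @"H:\DeConfuser\ConfuseMe\bin\Debug\confused\ConfuseMe.exe";
    string outputPath = @"H:\DeConfuser\ConfuseMe\bin\Debug\confused\ConfuseMe_cleaned.exe";
    if (args.Length >= 2)
    {
        inputPath = args[0];
        outputPath = args[1];
    }

    // Keep the original sample intact: never write the cleaned file over the input.
    if (string.Equals(inputPath, outputPath, StringComparison.OrdinalIgnoreCase))
    {
        Console.WriteLine("Output path must differ from input path; refusing to overwrite the input assembly");
        return;
    }

    // Load the assembly.
    AssemblyDefinition asm = AssemblyFactory.GetAssembly(inputPath);

    #region Anti-Debug remover
    AntiDebug debug = new AntiDebug();
    TypeDefinition antiType = null;
    MethodDefinition antiMethod = null;
    Console.WriteLine("-------------------------------------------------------");
    if (debug.FindAntiDebug(asm, ref antiType, ref antiMethod))
    {
        Console.WriteLine("[Anti-Debugger] Anti-Debugger detected, removing...");
        debug.RemoveAntiDebug(asm, antiType, antiMethod);
        Console.WriteLine("[Anti-Debugger] Removed anti-debugger");
    }
    else
    {
        Console.WriteLine("This assembly is not protected with anti-debugging");
    }
    Console.WriteLine("-------------------------------------------------------");
    #endregion

    #region String Decryptor
    StringDecrypter decrypter = new StringDecrypter();
    TypeDefinition decryptType = null;
    MethodDefinition decryptMethod = null;
    if (decrypter.FindMethod(asm, ref decryptType, ref decryptMethod))
    {
        Console.WriteLine("[String Decryptor] Found string decryptor, decrypting strings...");
        // NOTE(review): GetStringResource is given the on-disk path as well as the
        // Cecil model. If it loads that file through reflection and invokes code
        // from it, the sample runs inside this process. Confirm, and process
        // untrusted samples only in an isolated analysis environment.
        byte[] stringData = decrypter.GetStringResource(asm, inputPath, decryptMethod);
        decrypter.DecryptAllStrings(asm, decryptMethod, stringData);
        decrypter.RemoveDecryptMethod(asm, decryptType, decryptMethod);
        Console.WriteLine("[String Decryptor] Removed the decrypt method");
    }
    else
    {
        Console.WriteLine("This assembly is not protected with encrypted strings");
    }
    Console.WriteLine("-------------------------------------------------------");
    #endregion

    #region Anti-Dump remover
    AntiDump dump = new AntiDump();
    TypeDefinition antiDumpType = null;
    MethodDefinition antiDumpMethod = null;
    if (dump.FindAntiDump(asm, ref antiDumpType, ref antiDumpMethod))
    {
        Console.WriteLine("[Anti-Dump] Anti-Dump detected, removing...");
        dump.RemoveAntiDump(asm, antiDumpType, antiDumpMethod);
        Console.WriteLine("[Anti-Dump] Removed anti-dump");
    }
    else
    {
        Console.WriteLine("This assembly is not protected with anti-dump");
    }
    Console.WriteLine("-------------------------------------------------------");
    #endregion

    #region Resource Decryptor
    ResourceDecrypter resourceDecrypter = new ResourceDecrypter();
    TypeDefinition resourceType = null;
    MethodDefinition resourceMethod = null;
    if (resourceDecrypter.FindMethod(asm, ref resourceType, ref resourceMethod))
    {
        Console.WriteLine("[Resource-Decrypter] Resource-Decrypter, decrypting");
        // NOTE(review): DecryptAllResources also receives inputPath; the same
        // isolation caveat as for GetStringResource applies if it loads the file.
        resourceDecrypter.DecryptAllResources(asm, inputPath, resourceType, resourceMethod);
    }
    else
    {
        Console.WriteLine("This assembly is not protected with encrypted resources");
    }
    Console.WriteLine("-------------------------------------------------------");
    #endregion

    AssemblyFactory.SaveAssembly(asm, outputPath);
    Console.WriteLine("File dumped to \"" + outputPath + "\"");
    Console.WriteLine("Thanks for using DeConfuser :)");

    // Waits on the current process itself, so this effectively blocks until the
    // process is closed; it keeps the console window open. Automated runs have to
    // terminate the process externally.
    Process.GetCurrentProcess().WaitForExit();
}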
/// <summary>
/// Looks for the CliSecure attribute, then creates the runtime-type finder, the
/// string decrypter and the proxy delegate finder for the module and runs each
/// one's find step.
/// </summary>
protected override void scanForObfuscator()
{
    findCliSecureAttribute();

    cliSecureRtType = new CliSecureRtType(module);
    cliSecureRtType.find();

    // Seeded with the decrypter method found on the runtime type, so the
    // runtime-type lookup has to run first.
    stringDecrypter = new StringDecrypter(module, cliSecureRtType.StringDecrypterMethod);
    stringDecrypter.find();

    proxyDelegateFinder = new ProxyDelegateFinder(module);
    proxyDelegateFinder.findDelegateCreator();
}