예제 #1
        /// <summary>
        /// Runs the base preparation step, sets up string decryption when a string
        /// decrypter is detected, and queues the obfuscator's init calls, main type
        /// and resources for clean-up.
        /// </summary>
        public override void DeobfuscateBegin()
        {
            base.DeobfuscateBegin();

            stringDecrypter = new StringDecrypter(decrypterInfo);
            stringDecrypter.Find();
            if (!stringDecrypter.Detected)
            {
                // Nothing to decrypt: FreePEImage() is called instead of wiring the inliner.
                FreePEImage();
            }
            else
            {
                stringDecrypter.Initialize(GetEncoding(options.StringCodePage));

                // Register the decrypter method with staticStringInliner; the handler
                // unboxes the first call argument as uint and hands it to Decrypt.
                staticStringInliner.Add(
                    stringDecrypter.Method,
                    (calledMethod, gim, callArgs) => stringDecrypter.Decrypt((uint)callArgs[0]));
                DeobfuscatedFile.StringDecryptersAdded();
            }

            // Every init method of the main type gets its static-constructor call queued for removal.
            foreach (var initMethod in mainType.InitMethods)
            {
                AddCctorInitCallToBeRemoved(initMethod);
            }

            AddTypeToBeRemoved(mainType.Type, "Obfuscator type");
            RemoveDuplicateEmbeddedResources();
            RemoveInvalidResources();
        }
		/// <summary>
		/// Creates the CliSecure runtime-type finder and the string decrypter for
		/// <paramref name="module"/> and registers the decrypter method with
		/// <c>staticStringInliner</c>.
		/// </summary>
		/// <param name="module">Module passed to both helper objects.</param>
		public MyDeobfuscator(ModuleDefMD module) {
			cliSecureRtType = new CliSecureRtType(module);
			// NOTE(review): Find is given null here; what the argument represents is not visible in this snippet — confirm against CliSecureRtType.Find.
			cliSecureRtType.Find(null);
			// StringDecrypterMethod is read before FindStringDecrypterMethod() runs below; whether Find(null) has already populated it is not visible here.
			stringDecrypter = new StringDecrypter(module, cliSecureRtType.StringDecrypterMethod);
			stringDecrypter.Find();
			cliSecureRtType.FindStringDecrypterMethod();
			// Overwrite the decrypter's method with the value available after the second lookup.
			stringDecrypter.Method = cliSecureRtType.StringDecrypterMethod;
			// NOTE(review): Method is registered without a null check — TODO confirm Add tolerates a module with no decrypter.
			// The handler casts the first call argument to string and passes it to Decrypt.
			staticStringInliner.Add(stringDecrypter.Method, (method, gim, args) => stringDecrypter.Decrypt((string)args[0]));
		}
예제 #3
 /// <summary>
 /// Sets up the CliSecure runtime-type finder and a single-method string
 /// decrypter for <paramref name="module"/>, then hooks the decrypter into
 /// <c>staticStringInliner</c>.
 /// </summary>
 /// <param name="module">Module passed to both helper objects.</param>
 public MyDeobfuscator(ModuleDefMD module)
 {
     cliSecureRtType = new CliSecureRtType(module);
     // NOTE(review): null is passed to Find; the meaning of the argument is not shown here — confirm.
     cliSecureRtType.Find(null);
     // The decrypter is constructed with StringDecrypterMethod as it stands before FindStringDecrypterMethod() is called.
     stringDecrypter = new StringDecrypter(module, cliSecureRtType.StringDecrypterMethod);
     stringDecrypter.Find();
     cliSecureRtType.FindStringDecrypterMethod();
     // Method is reassigned from the finder once the dedicated lookup has run.
     stringDecrypter.Method = cliSecureRtType.StringDecrypterMethod;
     // NOTE(review): no guard for a null Method before registration — verify Add's behaviour when nothing was found.
     // Each registered call is resolved by casting args[0] to string and calling Decrypt.
     staticStringInliner.Add(stringDecrypter.Method, (method, gim, args) => stringDecrypter.Decrypt((string)args[0]));
 }
		/// <summary>
		/// Creates the CliSecure runtime-type finder and a string decrypter that
		/// works from a collection of decrypter infos, then registers every info's
		/// method with <c>staticStringInliner</c>.
		/// </summary>
		/// <param name="module">Module passed to both helper objects.</param>
		public MyDeobfuscator(ModuleDefMD module) {
			cliSecureRtType = new CliSecureRtType(module);
			// NOTE(review): Find is given null here; what the argument represents is not visible in this snippet — confirm.
			cliSecureRtType.Find(null);
			// StringDecrypterInfos is passed as it stands before FindStringDecrypterMethod() runs.
			stringDecrypter = new StringDecrypter(module, cliSecureRtType.StringDecrypterInfos);
			stringDecrypter.Find();
			cliSecureRtType.FindStringDecrypterMethod();
			// Infos available after the second lookup are added on top of what the constructor received.
			stringDecrypter.AddDecrypterInfos(cliSecureRtType.StringDecrypterInfos);
			stringDecrypter.Initialize();
			// One inliner registration per decrypter info; all share the same handler, which casts args[0] to string.
			foreach (var info in stringDecrypter.StringDecrypterInfos)
				staticStringInliner.Add(info.Method, (method, gim, args) => stringDecrypter.Decrypt((string)args[0]));
		}
예제 #5
 /// <summary>
 /// Sets up the CliSecure runtime-type finder and a multi-info string
 /// decrypter for <paramref name="module"/>, then registers each decrypter
 /// method with <c>staticStringInliner</c>.
 /// </summary>
 /// <param name="module">Module passed to both helper objects.</param>
 public MyDeobfuscator(ModuleDefMD module)
 {
     cliSecureRtType = new CliSecureRtType(module);
     // NOTE(review): null is passed to Find; the meaning of the argument is not shown here — confirm.
     cliSecureRtType.Find(null);
     // The decrypter starts from the infos known before FindStringDecrypterMethod() is called.
     stringDecrypter = new StringDecrypter(module, cliSecureRtType.StringDecrypterInfos);
     stringDecrypter.Find();
     cliSecureRtType.FindStringDecrypterMethod();
     // Infos present after the dedicated lookup are merged in before Initialize().
     stringDecrypter.AddDecrypterInfos(cliSecureRtType.StringDecrypterInfos);
     stringDecrypter.Initialize();
     // Every info's method is registered with the same handler: args[0] cast to string, passed to Decrypt.
     foreach (var info in stringDecrypter.StringDecrypterInfos)
     {
         staticStringInliner.Add(info.Method, (method, gim, args) => stringDecrypter.Decrypt((string)args[0]));
     }
 }
예제 #6
		/// <summary>
		/// Detection pass: creates each finder/decrypter for the module and runs
		/// its lookup so later stages can see what was detected.
		/// </summary>
		protected override void ScanForObfuscator() {
			FindCliSecureAttribute();
			cliSecureRtType = new CliSecureRtType(module);
			// The runtime-type lookup is given ModuleBytes in addition to the module passed to the constructor.
			cliSecureRtType.Find(ModuleBytes);
			// Must follow cliSecureRtType.Find: the decrypter is seeded from its StringDecrypterInfos.
			stringDecrypter = new StringDecrypter(module, cliSecureRtType.StringDecrypterInfos);
			stringDecrypter.Find();
			resourceDecrypter = new ResourceDecrypter(module);
			resourceDecrypter.Find();
			proxyCallFixer = new ProxyCallFixer(module);
			proxyCallFixer.FindDelegateCreator();
			// Both Csvm variants (vm.v1 and vm.v2) are probed; which one applies is decided elsewhere.
			csvmV1 = new vm.v1.Csvm(DeobfuscatedFile.DeobfuscatorContext, module);
			csvmV1.Find();
			csvmV2 = new vm.v2.Csvm(DeobfuscatedFile.DeobfuscatorContext, module);
			csvmV2.Find();
		}
예제 #7
 /// <summary>
 /// Detection pass: creates the method, string and boolean decrypters plus the
 /// assembly and resource resolvers, runs each lookup, and records the
 /// detected obfuscator name.
 /// </summary>
 protected override void scanForObfuscator()
 {
     methodsDecrypter = new MethodsDecrypter(module);
     methodsDecrypter.find();
     stringDecrypter = new StringDecrypter(module);
     // This lookup, like the two resolver lookups below, also receives DeobfuscatedFile.
     stringDecrypter.find(DeobfuscatedFile);
     booleanDecrypter = new BooleanDecrypter(module);
     booleanDecrypter.find();
     assemblyResolver = new AssemblyResolver(module);
     assemblyResolver.find(DeobfuscatedFile);
     // NOTE(review): detectVersion() runs after the first four lookups — presumably it reads their results; confirm before reordering.
     obfuscatorName = detectVersion();
     resourceResolver = new ResourceResolver(module);
     resourceResolver.find(DeobfuscatedFile);
 }
예제 #8
		/// <summary>
		/// Detection pass: locates the kill type and the obfuscator's main type,
		/// runs the proxy-call, method and string decrypter lookups, and appends
		/// the detected version (if any) to <c>obfuscatorName</c>.
		/// </summary>
		protected override void ScanForObfuscator() {
			FindKillType();

			mainType = new MainType(module);
			mainType.Find();

			// The helpers below are all constructed from the main type found above.
			proxyCallFixer = new ProxyCallFixer(module, mainType);
			proxyCallFixer.FindDelegateCreator();

			methodsDecrypter = new MethodsDecrypter(mainType);
			methodsDecrypter.Find();

			stringDecrypter = new StringDecrypter(module, mainType);
			stringDecrypter.Find();

			// Leave the name untouched when no version string was detected.
			var detectedVersion = DetectVersion();
			if (string.IsNullOrEmpty(detectedVersion))
				return;
			obfuscatorName += " " + detectedVersion;
		}
예제 #9
 /// <summary>
 /// Detection pass: creates the runtime-type finder, string and resource
 /// decrypters, proxy-call fixer and Csvm helper for the module and runs each
 /// lookup.
 /// </summary>
 protected override void scanForObfuscator()
 {
     findCliSecureAttribute();
     cliSecureRtType = new CliSecureRtType(module);
     // The runtime-type lookup is given ModuleBytes in addition to the module passed to the constructor.
     cliSecureRtType.find(ModuleBytes);
     // Must follow cliSecureRtType.find: the decrypter is constructed from its StringDecrypterMethod.
     stringDecrypter = new StringDecrypter(module, cliSecureRtType.StringDecrypterMethod);
     stringDecrypter.find();
     resourceDecrypter = new ResourceDecrypter(module);
     resourceDecrypter.find();
     proxyCallFixer = new ProxyCallFixer(module);
     proxyCallFixer.findDelegateCreator();
     // The Csvm helper takes the deobfuscator context as well as the module.
     csvm = new vm.Csvm(DeobfuscatedFile.DeobfuscatorContext, module);
     csvm.find();
 }
예제 #10
		/// <summary>
		/// Detection pass: creates the method, string and boolean decrypters plus
		/// the assembly and resource resolvers, runs each lookup, and records the
		/// detected obfuscator name.
		/// </summary>
		protected override void ScanForObfuscator() {
			methodsDecrypter = new MethodsDecrypter(module);
			methodsDecrypter.Find();
			stringDecrypter = new StringDecrypter(module);
			// This lookup, like the two resolver lookups below, also receives DeobfuscatedFile.
			stringDecrypter.Find(DeobfuscatedFile);
			booleanDecrypter = new BooleanDecrypter(module);
			booleanDecrypter.Find();
			assemblyResolver = new AssemblyResolver(module);
			assemblyResolver.Find(DeobfuscatedFile);
			// NOTE(review): DetectVersion() runs after the first four lookups — presumably it reads their results; confirm before reordering.
			obfuscatorName = DetectVersion();
			// Tag the name when unpackedNativeFile is set (the flag is assigned outside this method).
			if (unpackedNativeFile)
				obfuscatorName += " (native)";
			resourceResolver = new ResourceResolver(module);
			resourceResolver.Find(DeobfuscatedFile);
		}
예제 #11
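        /// <summary>
        /// Entry point: loads a Confuser-protected assembly, removes the anti-debug,
        /// string-encryption, anti-dump and resource-encryption layers that are
        /// detected, and saves the cleaned assembly to a separate file.
        /// </summary>
        /// <param name="args">
        /// Optional. <c>args[0]</c> is the input assembly and <c>args[1]</c> the output
        /// path; with only <c>args[0]</c> the output is written next to the input with a
        /// <c>_cleaned</c> suffix. With no arguments the original hard-coded paths are used.
        /// </param>
        static void Main(string[] args)
        {
            Console.Title = "DeConfuser - The De-Obfuscator for confuser v1.6";
            Console.WriteLine("Copyright © DragonHunter - 2012");
            Console.WriteLine("This deobfuscator might not work at every confused assembly, still BETA");
            Console.WriteLine("Checkout this project at http://deconfuser.codeplex.com");
            Console.WriteLine("Thanks also to Mono.Cecil there was no DeConfuser without Mono.Cecil");
            Console.WriteLine("This version of Mono.Cecil is modded by DragonHunter to do some evil shit");

            // Defaults are the original hard-coded development paths; command-line
            // arguments override them so the tool also works on other machines.
            string inputPath  = @"H:\DeConfuser\ConfuseMe\bin\Debug\confused\ConfuseMe.exe";
            string outputPath = @"H:\DeConfuser\ConfuseMe\bin\Debug\confused\ConfuseMe_cleaned.exe";
            if (args != null && args.Length > 0)
            {
                inputPath  = args[0];
                outputPath = args.Length > 1 ? args[1] : null;
            }

            // Fail with a clear message instead of an exception from the assembly loader.
            if (!System.IO.File.Exists(inputPath))
            {
                Console.Error.WriteLine("Input assembly not found: \"" + inputPath + "\"");
                return;
            }

            if (outputPath == null)
            {
                // The input exists, so its full path always has a directory component.
                string fullInput = System.IO.Path.GetFullPath(inputPath);
                outputPath = System.IO.Path.Combine(
                    System.IO.Path.GetDirectoryName(fullInput),
                    System.IO.Path.GetFileNameWithoutExtension(fullInput) + "_cleaned" + System.IO.Path.GetExtension(fullInput));
            }

            // Keep the protected original intact: it is the reference sample for any later analysis.
            if (string.Equals(System.IO.Path.GetFullPath(inputPath), System.IO.Path.GetFullPath(outputPath), StringComparison.OrdinalIgnoreCase))
            {
                Console.Error.WriteLine("Output path must differ from the input path: \"" + inputPath + "\"");
                return;
            }

            // NOTE(review): the input is protected, untrusted code. Nothing visible in this
            // method executes it, but what AntiDebug, StringDecrypter, AntiDump and
            // ResourceDecrypter do with it is not shown here — confirm before running
            // this outside an isolated analysis environment.

            //load assembly
            AssemblyDefinition asm = AssemblyFactory.GetAssembly(inputPath);

            #region Anti-Debug remover
            AntiDebug        debug          = new AntiDebug();
            TypeDefinition   antiDebugType  = null;
            MethodDefinition antiDebugMeth  = null;
            Console.WriteLine("-------------------------------------------------------");
            if (debug.FindAntiDebug(asm, ref antiDebugType, ref antiDebugMeth))
            {
                Console.WriteLine("[Anti-Debugger] Anti-Debugger detected, removing...");
                debug.RemoveAntiDebug(asm, antiDebugType, antiDebugMeth);
                Console.WriteLine("[Anti-Debugger] Removed anti-debugger");
            }
            else
            {
                Console.WriteLine("This assembly is not protected with anti-debugging");
            }
            Console.WriteLine("-------------------------------------------------------");
            #endregion
            #region String Decryptor
            StringDecrypter  decrypter     = new StringDecrypter();
            TypeDefinition   decryptType   = null;
            MethodDefinition decryptMethod = null;
            if (decrypter.FindMethod(asm, ref decryptType, ref decryptMethod))
            {
                Console.WriteLine("[String Decryptor] Found string decryptor, decrypting strings...");
                // The encrypted string blob is fetched first, then every string is
                // decrypted before the decrypt method itself is removed.
                byte[] stringData = decrypter.GetStringResource(asm, inputPath, decryptMethod);
                decrypter.DecryptAllStrings(asm, decryptMethod, stringData);
                decrypter.RemoveDecryptMethod(asm, decryptType, decryptMethod);
                Console.WriteLine("[String Decryptor] Removed the decrypt method");
            }
            else
            {
                Console.WriteLine("This assembly is not protected with encrypted strings");
            }
            Console.WriteLine("-------------------------------------------------------");
            #endregion
            #region Anti-Dump remover
            AntiDump         dump           = new AntiDump();
            TypeDefinition   antiDumpType   = null;
            MethodDefinition antiDumpMethod = null;
            if (dump.FindAntiDump(asm, ref antiDumpType, ref antiDumpMethod))
            {
                Console.WriteLine("[Anti-Dump] Anti-Dump detected, removing...");
                dump.RemoveAntiDump(asm, antiDumpType, antiDumpMethod);
                Console.WriteLine("[Anti-Dump] Removed anti-dump");
            }
            else
            {
                Console.WriteLine("This assembly is not protected with anti-dump");
            }
            Console.WriteLine("-------------------------------------------------------");
            #endregion
            #region Resource Decryptor
            ResourceDecrypter resourceDecrypter = new ResourceDecrypter();
            TypeDefinition    resourceType      = null;
            MethodDefinition  resourceMethod    = null;
            if (resourceDecrypter.FindMethod(asm, ref resourceType, ref resourceMethod))
            {
                Console.WriteLine("[Resource-Decrypter] Resource-Decrypter, decrypting");
                resourceDecrypter.DecryptAllResources(asm, inputPath, resourceType, resourceMethod);
            }
            else
            {
                Console.WriteLine("This assembly is not protected with encrypted resources");
            }
            Console.WriteLine("-------------------------------------------------------");
            #endregion


            AssemblyFactory.SaveAssembly(asm, outputPath);
            Console.WriteLine("File dumped to \"" + outputPath + "\"");
            Console.WriteLine("Thanks for using DeConfuser :)");
            // Kept from the original: waiting on the current process does not return on
            // its own, so the console stays open until the user closes it.
            Process.GetCurrentProcess().WaitForExit();
        }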
예제 #12
 /// <summary>
 /// Detection pass: creates the runtime-type finder, the string decrypter and
 /// the proxy-delegate finder for the module and runs each lookup.
 /// </summary>
 protected override void scanForObfuscator()
 {
     findCliSecureAttribute();
     cliSecureRtType = new CliSecureRtType(module);
     cliSecureRtType.find();
     // Must follow cliSecureRtType.find(): the decrypter is constructed from its StringDecrypterMethod.
     stringDecrypter = new StringDecrypter(module, cliSecureRtType.StringDecrypterMethod);
     stringDecrypter.find();
     proxyDelegateFinder = new ProxyDelegateFinder(module);
     proxyDelegateFinder.findDelegateCreator();
 }