public void decrypt(ResourceDecrypter resourceDecrypter) { if (decryptMethod == null) { return; } resource = CoUtils.getResource(module, decrypterCctor); if (resource == null) { return; } var decrypted = resourceDecrypter.decrypt(resource.GetResourceStream()); var reader = new BinaryReader(new MemoryStream(decrypted)); int numEncrypted = reader.ReadInt32(); Log.v("Restoring {0} encrypted methods", numEncrypted); Log.indent(); for (int i = 0; i < numEncrypted; i++) { int delegateTypeToken = reader.ReadInt32(); uint codeOffset = reader.ReadUInt32(); var origOffset = reader.BaseStream.Position; reader.BaseStream.Position = codeOffset; decrypt(reader, delegateTypeToken); reader.BaseStream.Position = origOffset; } Log.deIndent(); }
public void Decrypt(ResourceDecrypter resourceDecrypter, ISimpleDeobfuscator simpleDeobfuscator) { if (decryptMethod == null) { return; } resource = CoUtils.GetResource(module, decrypterCctor); if (resource == null) { return; } var decrypted = resourceDecrypter.Decrypt(resource.GetResourceStream()); var reader = MemoryImageStream.Create(decrypted); int numEncrypted = reader.ReadInt32(); Logger.v("Restoring {0} encrypted methods", numEncrypted); Logger.Instance.Indent(); for (int i = 0; i < numEncrypted; i++) { int delegateTypeToken = reader.ReadInt32(); uint codeOffset = reader.ReadUInt32(); var origOffset = reader.Position; reader.Position = codeOffset; Decrypt(reader, delegateTypeToken, simpleDeobfuscator); reader.Position = origOffset; } Logger.Instance.DeIndent(); }
public void init(ResourceDecrypter resourceDecrypter) { if (decrypterType == null) { return; } encryptedResource = CoUtils.getResource(module, DotNetUtils.getCodeStrings(DotNetUtils.getMethod(decrypterType, ".cctor"))); constantsData = resourceDecrypter.decrypt(encryptedResource.GetResourceStream()); }
public void init(ResourceDecrypter resourceDecrypter) { if (decrypterType == null) { return; } encryptedResource = CoUtils.getResource(module, DotNetUtils.getCodeStrings(decrypterType.FindStaticConstructor())); encryptedResource.Data.Position = 0; constantsData = resourceDecrypter.decrypt(encryptedResource.Data.CreateStream()); }
public void Initialize(ResourceDecrypter resourceDecrypter) { if (decryptedData != null || stringDecrypterType == null) return; var resourceName = GetResourceName(); stringResource = DotNetUtils.GetResource(module, resourceName) as EmbeddedResource; if (stringResource == null) return; Logger.v("Adding string decrypter. Resource: {0}", Utils.ToCsharpString(stringResource.Name)); decryptedData = resourceDecrypter.Decrypt(stringResource.GetResourceStream()); }
public void Initialize(ResourceDecrypter resourceDecrypter) { if (decryptedData != null || stringDecrypterType == null) { return; } var resourceName = GetResourceName(); stringResource = DotNetUtils.GetResource(module, resourceName) as EmbeddedResource; if (stringResource == null) { return; } Logger.v("Adding string decrypter. Resource: {0}", Utils.ToCsharpString(stringResource.Name)); decryptedData = resourceDecrypter.Decrypt(stringResource.GetResourceStream()); }
public void init(ResourceDecrypter resourceDecrypter) { if (decryptedData != null) { return; } var resourceName = getResourceName(); stringResource = DotNetUtils.getResource(module, resourceName) as EmbeddedResource; if (stringResource == null) { return; } Log.v("Adding string decrypter. Resource: {0}", Utils.toCsharpString(stringResource.Name)); decryptedData = resourceDecrypter.decrypt(stringResource.GetResourceStream()); }
public void Initialize(ResourceDecrypter resourceDecrypter) { if (decrypterType == null) { return; } var cctor = decrypterType.FindStaticConstructor(); encryptedResource = CoUtils.GetResource(module, DotNetUtils.GetCodeStrings(cctor)); //if the return value is null, it is possible that resource name is encrypted if (encryptedResource == null) { var Resources = new string[] { CoUtils.DecryptResourceName(module, cctor) }; encryptedResource = CoUtils.GetResource(module, Resources); } constantsData = resourceDecrypter.Decrypt(encryptedResource.GetReader().AsStream()); }
public override void deobfuscateBegin() { base.deobfuscateBegin(); resourceDecrypter = new ResourceDecrypter(module, DeobfuscatedFile); resourceResolver = new ResourceResolver(module, resourceDecrypter); assemblyResolver = new AssemblyResolver(module); resourceResolver.find(); assemblyResolver.find(); decryptResources(); stringDecrypter.init(resourceDecrypter); if (stringDecrypter.Method != null) { staticStringInliner.add(stringDecrypter.Method, (method, args) => { return(stringDecrypter.decrypt((int)args[0])); }); DeobfuscatedFile.stringDecryptersAdded(); } antiDebugger = new AntiDebugger(module, DeobfuscatedFile, this); antiDebugger.find(); addModuleCctorInitCallToBeRemoved(resourceResolver.Method); addModuleCctorInitCallToBeRemoved(assemblyResolver.Method); addCallToBeRemoved(module.EntryPoint, tamperDetection.Method); addModuleCctorInitCallToBeRemoved(tamperDetection.Method); addCallToBeRemoved(module.EntryPoint, antiDebugger.Method); addModuleCctorInitCallToBeRemoved(antiDebugger.Method); addTypeToBeRemoved(resourceResolver.Type, "Resource resolver type"); addTypeToBeRemoved(assemblyResolver.Type, "Assembly resolver type"); addTypeToBeRemoved(tamperDetection.Type, "Tamper detection type"); addTypeToBeRemoved(antiDebugger.Type, "Anti-debugger type"); proxyDelegateFinder.find(); dumpEmbeddedAssemblies(); }
public override void deobfuscateBegin() { base.deobfuscateBegin(); resourceDecrypter = new ResourceDecrypter(module, DeobfuscatedFile); resourceResolver = new ResourceResolver(module, resourceDecrypter); assemblyResolver = new AssemblyResolver(module); resourceResolver.find(); assemblyResolver.find(); decryptResources(); stringDecrypter.init(resourceDecrypter); if (stringDecrypter.Method != null) { staticStringInliner.add(stringDecrypter.Method, (method, gim, args) => { return stringDecrypter.decrypt((int)args[0]); }); DeobfuscatedFile.stringDecryptersAdded(); } methodsDecrypter.decrypt(resourceDecrypter); if (methodsDecrypter.Detected) { if (!assemblyResolver.Detected) assemblyResolver.find(); if (!tamperDetection.Detected) tamperDetection.find(); } antiDebugger = new AntiDebugger(module, DeobfuscatedFile, this); antiDebugger.find(); if (options.DecryptConstants) { constantsDecrypter.init(resourceDecrypter); int32ValueInliner = new Int32ValueInliner(); int32ValueInliner.add(constantsDecrypter.Int32Decrypter, (method, gim, args) => constantsDecrypter.decryptInt32((int)args[0])); int64ValueInliner = new Int64ValueInliner(); int64ValueInliner.add(constantsDecrypter.Int64Decrypter, (method, gim, args) => constantsDecrypter.decryptInt64((int)args[0])); singleValueInliner = new SingleValueInliner(); singleValueInliner.add(constantsDecrypter.SingleDecrypter, (method, gim, args) => constantsDecrypter.decryptSingle((int)args[0])); doubleValueInliner = new DoubleValueInliner(); doubleValueInliner.add(constantsDecrypter.DoubleDecrypter, (method, gim, args) => constantsDecrypter.decryptDouble((int)args[0])); addTypeToBeRemoved(constantsDecrypter.Type, "Constants decrypter type"); addResourceToBeRemoved(constantsDecrypter.Resource, "Encrypted constants"); } addModuleCctorInitCallToBeRemoved(resourceResolver.Method); addModuleCctorInitCallToBeRemoved(assemblyResolver.Method); addCallToBeRemoved(module.EntryPoint, tamperDetection.Method); addModuleCctorInitCallToBeRemoved(tamperDetection.Method); addCallToBeRemoved(module.EntryPoint, antiDebugger.Method); addModuleCctorInitCallToBeRemoved(antiDebugger.Method); addTypeToBeRemoved(resourceResolver.Type, "Resource resolver type"); addTypeToBeRemoved(assemblyResolver.Type, "Assembly resolver type"); addTypeToBeRemoved(tamperDetection.Type, "Tamper detection type"); addTypeToBeRemoved(antiDebugger.Type, "Anti-debugger type"); addTypeToBeRemoved(methodsDecrypter.Type, "Methods decrypter type"); addTypesToBeRemoved(methodsDecrypter.DelegateTypes, "Methods decrypter delegate type"); addResourceToBeRemoved(methodsDecrypter.Resource, "Encrypted methods"); proxyCallFixer.find(); dumpEmbeddedAssemblies(); }
public override void deobfuscateBegin() { base.deobfuscateBegin(); resourceDecrypter = new ResourceDecrypter(module, DeobfuscatedFile); resourceResolver = new ResourceResolver(module, resourceDecrypter); assemblyResolver = new AssemblyResolver(module); resourceResolver.find(); assemblyResolver.find(); decryptResources(); stringDecrypter.init(resourceDecrypter); if (stringDecrypter.Method != null) { staticStringInliner.add(stringDecrypter.Method, (method, args) => { return stringDecrypter.decrypt((int)args[0]); }); DeobfuscatedFile.stringDecryptersAdded(); } antiDebugger = new AntiDebugger(module, DeobfuscatedFile, this); antiDebugger.find(); addModuleCctorInitCallToBeRemoved(resourceResolver.Method); addModuleCctorInitCallToBeRemoved(assemblyResolver.Method); addCallToBeRemoved(module.EntryPoint, tamperDetection.Method); addModuleCctorInitCallToBeRemoved(tamperDetection.Method); addCallToBeRemoved(module.EntryPoint, antiDebugger.Method); addModuleCctorInitCallToBeRemoved(antiDebugger.Method); addTypeToBeRemoved(resourceResolver.Type, "Resource resolver type"); addTypeToBeRemoved(assemblyResolver.Type, "Assembly resolver type"); addTypeToBeRemoved(tamperDetection.Type, "Tamper detection type"); addTypeToBeRemoved(antiDebugger.Type, "Anti-debugger type"); proxyDelegateFinder.find(); dumpEmbeddedAssemblies(); }
public void Initialize(ResourceDecrypter resourceDecrypter) { if (decrypterType == null) return; encryptedResource = CoUtils.GetResource(module, DotNetUtils.GetCodeStrings(decrypterType.FindStaticConstructor())); encryptedResource.Data.Position = 0; constantsData = resourceDecrypter.Decrypt(encryptedResource.Data.CreateStream()); }
public override void DeobfuscateBegin() { base.DeobfuscateBegin(); resourceDecrypter = new ResourceDecrypter(module, DeobfuscatedFile); resourceResolver = new ResourceResolver(module, resourceDecrypter); assemblyResolver = new AssemblyResolver(module); resourceResolver.Find(); assemblyResolver.Find(DeobfuscatedFile); DecryptResources(); stringDecrypter.Initialize(resourceDecrypter); if (stringDecrypter.Method != null) { staticStringInliner.Add(stringDecrypter.Method, (method, gim, args) => { return(stringDecrypter.Decrypt((int)args[0])); }); DeobfuscatedFile.StringDecryptersAdded(); } methodsDecrypter.Decrypt(resourceDecrypter, DeobfuscatedFile); if (methodsDecrypter.Detected) { if (!assemblyResolver.Detected) { assemblyResolver.Find(DeobfuscatedFile); } if (!tamperDetection.Detected) { tamperDetection.Find(); } } antiDebugger = new AntiDebugger(module, DeobfuscatedFile, this); antiDebugger.Find(); if (options.DecryptConstants) { constantsDecrypter.Initialize(resourceDecrypter); int32ValueInliner = new Int32ValueInliner(); int32ValueInliner.Add(constantsDecrypter.Int32Decrypter, (method, gim, args) => constantsDecrypter.DecryptInt32((int)args[0])); int64ValueInliner = new Int64ValueInliner(); int64ValueInliner.Add(constantsDecrypter.Int64Decrypter, (method, gim, args) => constantsDecrypter.DecryptInt64((int)args[0])); singleValueInliner = new SingleValueInliner(); singleValueInliner.Add(constantsDecrypter.SingleDecrypter, (method, gim, args) => constantsDecrypter.DecryptSingle((int)args[0])); doubleValueInliner = new DoubleValueInliner(); doubleValueInliner.Add(constantsDecrypter.DoubleDecrypter, (method, gim, args) => constantsDecrypter.DecryptDouble((int)args[0])); AddTypeToBeRemoved(constantsDecrypter.Type, "Constants decrypter type"); AddResourceToBeRemoved(constantsDecrypter.Resource, "Encrypted constants"); } AddModuleCctorInitCallToBeRemoved(resourceResolver.Method); AddModuleCctorInitCallToBeRemoved(assemblyResolver.Method); AddCallToBeRemoved(module.EntryPoint, tamperDetection.Method); AddModuleCctorInitCallToBeRemoved(tamperDetection.Method); AddCallToBeRemoved(module.EntryPoint, antiDebugger.Method); AddModuleCctorInitCallToBeRemoved(antiDebugger.Method); AddTypeToBeRemoved(resourceResolver.Type, "Resource resolver type"); AddTypeToBeRemoved(assemblyResolver.Type, "Assembly resolver type"); AddTypeToBeRemoved(tamperDetection.Type, "Tamper detection type"); AddTypeToBeRemoved(antiDebugger.Type, "Anti-debugger type"); AddTypeToBeRemoved(methodsDecrypter.Type, "Methods decrypter type"); AddTypesToBeRemoved(methodsDecrypter.DelegateTypes, "Methods decrypter delegate type"); AddResourceToBeRemoved(methodsDecrypter.Resource, "Encrypted methods"); proxyCallFixer.Find(); DumpEmbeddedAssemblies(); startedDeobfuscating = true; }
public void init(ResourceDecrypter resourceDecrypter) { if (decryptedData != null) return; var resourceName = getResourceName(); stringResource = DotNetUtils.getResource(module, resourceName) as EmbeddedResource; if (stringResource == null) return; Log.v("Adding string decrypter. Resource: {0}", Utils.toCsharpString(stringResource.Name)); decryptedData = resourceDecrypter.decrypt(stringResource.GetResourceStream()); }
public ResourceResolver(ModuleDefMD module, ResourceDecrypter resourceDecrypter) { this.module = module; this.resourceDecrypter = resourceDecrypter; }
public void decrypt(ResourceDecrypter resourceDecrypter) { if (decryptMethod == null) return; resource = CoUtils.getResource(module, decrypterCctor); if (resource == null) return; var decrypted = resourceDecrypter.decrypt(resource.GetResourceStream()); var reader = new BinaryReader(new MemoryStream(decrypted)); int numEncrypted = reader.ReadInt32(); Log.v("Restoring {0} encrypted methods", numEncrypted); Log.indent(); for (int i = 0; i < numEncrypted; i++) { int delegateTypeToken = reader.ReadInt32(); uint codeOffset = reader.ReadUInt32(); var origOffset = reader.BaseStream.Position; reader.BaseStream.Position = codeOffset; decrypt(reader, delegateTypeToken); reader.BaseStream.Position = origOffset; } Log.deIndent(); }
public void Decrypt(ResourceDecrypter resourceDecrypter, ISimpleDeobfuscator simpleDeobfuscator) { if (decryptMethod == null) return; resource = CoUtils.GetResource(module, decrypterCctor); if (resource == null) return; var decrypted = resourceDecrypter.Decrypt(resource.GetResourceStream()); var reader = MemoryImageStream.Create(decrypted); int numEncrypted = reader.ReadInt32(); Logger.v("Restoring {0} encrypted methods", numEncrypted); Logger.Instance.Indent(); for (int i = 0; i < numEncrypted; i++) { int delegateTypeToken = reader.ReadInt32(); uint codeOffset = reader.ReadUInt32(); var origOffset = reader.Position; reader.Position = codeOffset; Decrypt(reader, delegateTypeToken, simpleDeobfuscator); reader.Position = origOffset; } Logger.Instance.DeIndent(); }
public void Initialize(ResourceDecrypter resourceDecrypter) { if (decrypterType == null) return; MethodDef cctor = decrypterType.FindStaticConstructor(); encryptedResource = CoUtils.GetResource(module, DotNetUtils.GetCodeStrings(cctor)); //if the return value is null, it is possible that resource name is encrypted if (encryptedResource == null) { var Resources = new string[] { CoUtils.DecryptResourceName(module, cctor) }; encryptedResource = CoUtils.GetResource(module, Resources); } encryptedResource.Data.Position = 0; constantsData = resourceDecrypter.Decrypt(encryptedResource.Data.CreateStream()); }
public ResourceResolver(ModuleDefinition module, ResourceDecrypter resourceDecrypter) { this.module = module; this.resourceDecrypter = resourceDecrypter; }
public void init(ResourceDecrypter resourceDecrypter) { if (decrypterType == null) return; encryptedResource = CoUtils.getResource(module, DotNetUtils.getCodeStrings(DotNetUtils.getMethod(decrypterType, ".cctor"))); constantsData = resourceDecrypter.decrypt(encryptedResource.GetResourceStream()); }