예제 #1
        /// <summary>
        /// Setup phase of deobfuscation for this module: builds the resource decrypter,
        /// locates the resource/assembly resolvers and the anti-debugger, decrypts resources,
        /// registers the string decrypter for static inlining, and queues the obfuscator's
        /// protection stubs (resolvers, tamper detection, anti-debugger) for removal.
        /// </summary>
        /// <remarks>
        /// Statement order matters: every helper created here has find() called before its
        /// Method/Type members are read in the removal section. tamperDetection,
        /// stringDecrypter, staticStringInliner and proxyDelegateFinder are not created in
        /// this method; presumably they are initialized earlier in the class (confirm).
        /// </remarks>
        public override void deobfuscateBegin()
        {
            // Let the base deobfuscator do its own setup first.
            base.deobfuscateBegin();

            // The resource resolver is given the decrypter; the assembly resolver only needs the module.
            resourceDecrypter = new ResourceDecrypter(module, DeobfuscatedFile);
            resourceResolver  = new ResourceResolver(module, resourceDecrypter);
            assemblyResolver  = new AssemblyResolver(module);
            resourceResolver.find();
            assemblyResolver.find();

            // decryptResources() is defined outside this view; it runs before the string
            // decrypter is initialized with the same resourceDecrypter.
            decryptResources();
            stringDecrypter.init(resourceDecrypter);
            // Register the inliner only when a decrypter method is present
            // (presumably Method stays null when none was identified; confirm).
            if (stringDecrypter.Method != null)
            {
                // Calls to stringDecrypter.Method are handled by decrypting the first argument.
                // Assumes args[0] is an Int32; the (int) cast fails for any other type (TODO confirm).
                staticStringInliner.add(stringDecrypter.Method, (method, args) => {
                    return(stringDecrypter.decrypt((int)args[0]));
                });
                DeobfuscatedFile.stringDecryptersAdded();
            }

            // The anti-debugger finder also receives this deobfuscator instance.
            antiDebugger = new AntiDebugger(module, DeobfuscatedFile, this);
            antiDebugger.find();

            // Queue the protection stubs for removal. Tamper detection and the anti-debugger
            // are queued twice each: once for a call from module.EntryPoint and once via
            // addModuleCctorInitCallToBeRemoved (by its name, the module static constructor).
            addModuleCctorInitCallToBeRemoved(resourceResolver.Method);
            addModuleCctorInitCallToBeRemoved(assemblyResolver.Method);
            addCallToBeRemoved(module.EntryPoint, tamperDetection.Method);
            addModuleCctorInitCallToBeRemoved(tamperDetection.Method);
            addCallToBeRemoved(module.EntryPoint, antiDebugger.Method);
            addModuleCctorInitCallToBeRemoved(antiDebugger.Method);
            // The string argument labels each removed type; presumably it appears in the
            // tool's log, which lets an analyst audit what was stripped (confirm).
            addTypeToBeRemoved(resourceResolver.Type, "Resource resolver type");
            addTypeToBeRemoved(assemblyResolver.Type, "Assembly resolver type");
            addTypeToBeRemoved(tamperDetection.Type, "Tamper detection type");
            addTypeToBeRemoved(antiDebugger.Type, "Anti-debugger type");

            proxyDelegateFinder.find();

            // NOTE(review): body not shown. If this writes the embedded assemblies to disk,
            // those files originate from the analyzed sample and should be handled as
            // untrusted content.
            dumpEmbeddedAssemblies();
        }
예제 #2
        /// <summary>
        /// Setup phase of deobfuscation for this module: builds the resource decrypter,
        /// locates the resolvers and anti-debugger, decrypts resources and method bodies,
        /// registers string and (optionally) constant decrypters for inlining, and queues
        /// the obfuscator's protection stubs and encrypted resources for removal.
        /// </summary>
        /// <remarks>
        /// Statement order matters: find()/init()/decrypt() calls precede the reads of
        /// Method/Type/Resource in the removal section. tamperDetection, stringDecrypter,
        /// methodsDecrypter, constantsDecrypter, staticStringInliner, proxyCallFixer and
        /// options are not created in this method; presumably they are set up earlier in
        /// the class (confirm).
        /// </remarks>
        public override void deobfuscateBegin()
        {
            // Let the base deobfuscator do its own setup first.
            base.deobfuscateBegin();

            // The resource resolver is given the decrypter; the assembly resolver only needs the module.
            resourceDecrypter = new ResourceDecrypter(module, DeobfuscatedFile);
            resourceResolver  = new ResourceResolver(module, resourceDecrypter);
            assemblyResolver  = new AssemblyResolver(module);
            resourceResolver.find();
            assemblyResolver.find();

            // decryptResources() is defined outside this view; it runs before the string
            // decrypter is initialized with the same resourceDecrypter.
            decryptResources();
            stringDecrypter.init(resourceDecrypter);
            // Register the inliner only when a decrypter method is present
            // (presumably Method stays null when none was identified; confirm).
            if (stringDecrypter.Method != null)
            {
                // Only args[0] is used; method and gim are ignored by this callback.
                // Assumes args[0] is an Int32; the (int) cast fails for any other type (TODO confirm).
                staticStringInliner.add(stringDecrypter.Method, (method, gim, args) => {
                    return(stringDecrypter.decrypt((int)args[0]));
                });
                DeobfuscatedFile.stringDecryptersAdded();
            }

            methodsDecrypter.decrypt(resourceDecrypter);

            // When encrypted methods were detected, re-run the finders that have not
            // detected anything yet. Presumably their targets were not visible while the
            // method bodies were still encrypted (confirm against the finder classes).
            if (methodsDecrypter.Detected)
            {
                if (!assemblyResolver.Detected)
                {
                    assemblyResolver.find();
                }
                if (!tamperDetection.Detected)
                {
                    tamperDetection.find();
                }
            }
            // The anti-debugger is searched for after method decryption, so it sees the
            // state left by methodsDecrypter.decrypt().
            antiDebugger = new AntiDebugger(module, DeobfuscatedFile, this);
            antiDebugger.find();

            // Constant decryption is opt-in through options.DecryptConstants.
            if (options.DecryptConstants)
            {
                constantsDecrypter.init(resourceDecrypter);
                // One inliner per constant kind (Int32, Int64, Single, Double). Each callback
                // decrypts from the first call argument, cast to int; the same Int32
                // assumption as for the string decrypter applies.
                int32ValueInliner = new Int32ValueInliner();
                int32ValueInliner.add(constantsDecrypter.Int32Decrypter, (method, gim, args) => constantsDecrypter.decryptInt32((int)args[0]));
                int64ValueInliner = new Int64ValueInliner();
                int64ValueInliner.add(constantsDecrypter.Int64Decrypter, (method, gim, args) => constantsDecrypter.decryptInt64((int)args[0]));
                singleValueInliner = new SingleValueInliner();
                singleValueInliner.add(constantsDecrypter.SingleDecrypter, (method, gim, args) => constantsDecrypter.decryptSingle((int)args[0]));
                doubleValueInliner = new DoubleValueInliner();
                doubleValueInliner.add(constantsDecrypter.DoubleDecrypter, (method, gim, args) => constantsDecrypter.decryptDouble((int)args[0]));
                // The decrypter type and its encrypted resource are queued for removal only on this path.
                addTypeToBeRemoved(constantsDecrypter.Type, "Constants decrypter type");
                addResourceToBeRemoved(constantsDecrypter.Resource, "Encrypted constants");
            }

            // Queue the protection stubs for removal. Tamper detection and the anti-debugger
            // are queued twice each: once for a call from module.EntryPoint and once via
            // addModuleCctorInitCallToBeRemoved (by its name, the module static constructor).
            addModuleCctorInitCallToBeRemoved(resourceResolver.Method);
            addModuleCctorInitCallToBeRemoved(assemblyResolver.Method);
            addCallToBeRemoved(module.EntryPoint, tamperDetection.Method);
            addModuleCctorInitCallToBeRemoved(tamperDetection.Method);
            addCallToBeRemoved(module.EntryPoint, antiDebugger.Method);
            addModuleCctorInitCallToBeRemoved(antiDebugger.Method);
            // The string argument labels each removed item; presumably it appears in the
            // tool's log, which lets an analyst audit what was stripped (confirm).
            addTypeToBeRemoved(resourceResolver.Type, "Resource resolver type");
            addTypeToBeRemoved(assemblyResolver.Type, "Assembly resolver type");
            addTypeToBeRemoved(tamperDetection.Type, "Tamper detection type");
            addTypeToBeRemoved(antiDebugger.Type, "Anti-debugger type");
            // The methods-decrypter artifacts are queued unconditionally, not only when
            // methodsDecrypter.Detected is true.
            // NOTE(review): confirm the add* helpers tolerate null Type/Resource values.
            addTypeToBeRemoved(methodsDecrypter.Type, "Methods decrypter type");
            addTypesToBeRemoved(methodsDecrypter.DelegateTypes, "Methods decrypter delegate type");
            addResourceToBeRemoved(methodsDecrypter.Resource, "Encrypted methods");

            proxyCallFixer.find();

            // NOTE(review): body not shown. If this writes the embedded assemblies to disk,
            // those files originate from the analyzed sample and should be handled as
            // untrusted content.
            dumpEmbeddedAssemblies();
        }