예제 #1
        /// <summary>
        /// Gathers the static indicators used to recognise a Crypto Obfuscator
        /// protected module and creates the helper objects that locate its
        /// protection stubs.
        /// </summary>
        /// <remarks>
        /// Three flags are set here: <c>foundCryptoObfuscatorAttribute</c> (a type with
        /// the marker attribute's full name exists), <c>foundObfuscatedSymbols</c>
        /// (<c>CheckCryptoObfuscator()</c> returned true) and
        /// <c>foundObfuscatorUserString</c> (a fixed marker prefix in a user string).
        /// The attribute name and the user string are plain name/string matches, so a
        /// sample can strip or forge them; how the flags are weighed is decided
        /// outside this method.
        /// </remarks>
        protected override void ScanForObfuscator()
        {
            const string markerAttributeName = "CryptoObfuscator.ProtectedWithCryptoObfuscatorAttribute";

            foreach (var candidate in module.Types)
            {
                // Only the marker attribute type is of interest; skip everything else.
                if (candidate.FullName != markerAttributeName)
                {
                    continue;
                }

                foundCryptoObfuscatorAttribute = true;
                AddAttributeToBeRemoved(candidate, "Obfuscator attribute");
                InitializeVersion(candidate);
            }

            // Second, independent indicator: set only on a positive result, never cleared here.
            if (CheckCryptoObfuscator())
            {
                foundObfuscatedSymbols = true;
            }

            // Build each locator and run its search pass right away, in the original order.
            inlinedMethodTypes = new InlinedMethodTypes();

            methodsDecrypter = new MethodsDecrypter(module);
            methodsDecrypter.Find();

            proxyCallFixer = new ProxyCallFixer(module);
            proxyCallFixer.FindDelegateCreator();

            stringDecrypter = new StringDecrypter(module);
            stringDecrypter.Find();

            tamperDetection = new TamperDetection(module);
            tamperDetection.Find();

            constantsDecrypter = new ConstantsDecrypter(module, initializedDataCreator);
            constantsDecrypter.Find();

            // 0x70000001: token type 0x70 is the user-string (#US) heap, offset 1.
            // The prefix is compared ordinally; presumably it is a marker the
            // obfuscator emits - confirm against known samples.
            var firstUserString = module.ReadUserString(0x70000001);
            foundObfuscatorUserString = Utils.StartsWith(firstUserString, "\u0011\"3D9B94A98B-76A8-4810-B1A0-4BE7C4F9C98D", StringComparison.Ordinal);
        }
예제 #2
        /// <summary>
        /// Prepares deobfuscation of the module: locates and wires up the resource,
        /// assembly, string, method and constant decrypters, then queues the
        /// protection stubs (calls, types, resources) for removal.
        /// </summary>
        /// <remarks>
        /// Statement order matters: later steps consume state produced by earlier
        /// ones (for example, <c>stringDecrypter.Initialize</c> and
        /// <c>methodsDecrypter.Decrypt</c> both take <c>resourceDecrypter</c>).
        /// The module being processed is untrusted input; everything read from it
        /// here should be treated accordingly.
        /// </remarks>
        public override void DeobfuscateBegin()
        {
            base.DeobfuscateBegin();

            // Resource/assembly resolution helpers; both resolvers run a first search pass now.
            resourceDecrypter = new ResourceDecrypter(module, DeobfuscatedFile);
            resourceResolver  = new ResourceResolver(module, resourceDecrypter);
            assemblyResolver  = new AssemblyResolver(module);
            resourceResolver.Find();
            assemblyResolver.Find(DeobfuscatedFile);

            DecryptResources();
            stringDecrypter.Initialize(resourceDecrypter);
            // Register a string-inlining callback only when a decrypter method was located.
            if (stringDecrypter.Method != null)
            {
                // The callback hands the first call argument, cast to int, to stringDecrypter.Decrypt.
                // NOTE(review): the cast assumes args[0] is a boxed int; whether the inliner
                // guarantees that for malformed call sites is not visible here - confirm.
                staticStringInliner.Add(stringDecrypter.Method, (method, gim, args) => {
                    return(stringDecrypter.Decrypt((int)args[0]));
                });
                DeobfuscatedFile.StringDecryptersAdded();
            }

            methodsDecrypter.Decrypt(resourceDecrypter, DeobfuscatedFile);

            // When encrypted methods were detected, repeat the searches that have not hit yet.
            // Presumably the stubs only become visible once method bodies are decrypted - TODO confirm.
            if (methodsDecrypter.Detected)
            {
                if (!assemblyResolver.Detected)
                {
                    assemblyResolver.Find(DeobfuscatedFile);
                }
                if (!tamperDetection.Detected)
                {
                    tamperDetection.Find();
                }
            }
            antiDebugger = new AntiDebugger(module, DeobfuscatedFile, this);
            antiDebugger.Find();

            // Constant decryption is opt-in via options.DecryptConstants.
            if (options.DecryptConstants)
            {
                constantsDecrypter.Initialize(resourceDecrypter);
                // One inliner per constant kind; each callback passes the first call
                // argument, cast to int, to the matching Decrypt* method.
                int32ValueInliner = new Int32ValueInliner();
                int32ValueInliner.Add(constantsDecrypter.Int32Decrypter, (method, gim, args) => constantsDecrypter.DecryptInt32((int)args[0]));
                int64ValueInliner = new Int64ValueInliner();
                int64ValueInliner.Add(constantsDecrypter.Int64Decrypter, (method, gim, args) => constantsDecrypter.DecryptInt64((int)args[0]));
                singleValueInliner = new SingleValueInliner();
                singleValueInliner.Add(constantsDecrypter.SingleDecrypter, (method, gim, args) => constantsDecrypter.DecryptSingle((int)args[0]));
                doubleValueInliner = new DoubleValueInliner();
                doubleValueInliner.Add(constantsDecrypter.DoubleDecrypter, (method, gim, args) => constantsDecrypter.DecryptDouble((int)args[0]));
                AddTypeToBeRemoved(constantsDecrypter.Type, "Constants decrypter type");
                AddResourceToBeRemoved(constantsDecrypter.Resource, "Encrypted constants");
            }

            // Queue the located protection stubs for removal. Tamper-detection and
            // anti-debugger calls are queued both for the entry point and via
            // AddModuleCctorInitCallToBeRemoved.
            AddModuleCctorInitCallToBeRemoved(resourceResolver.Method);
            AddModuleCctorInitCallToBeRemoved(assemblyResolver.Method);
            AddCallToBeRemoved(module.EntryPoint, tamperDetection.Method);
            AddModuleCctorInitCallToBeRemoved(tamperDetection.Method);
            AddCallToBeRemoved(module.EntryPoint, antiDebugger.Method);
            AddModuleCctorInitCallToBeRemoved(antiDebugger.Method);
            AddTypeToBeRemoved(resourceResolver.Type, "Resource resolver type");
            AddTypeToBeRemoved(assemblyResolver.Type, "Assembly resolver type");
            AddTypeToBeRemoved(tamperDetection.Type, "Tamper detection type");
            AddTypeToBeRemoved(antiDebugger.Type, "Anti-debugger type");
            AddTypeToBeRemoved(methodsDecrypter.Type, "Methods decrypter type");
            AddTypesToBeRemoved(methodsDecrypter.DelegateTypes, "Methods decrypter delegate type");
            AddResourceToBeRemoved(methodsDecrypter.Resource, "Encrypted methods");

            // Runs after method decryption and after the stub removals were queued.
            proxyCallFixer.Find();

            // NOTE(review): the name suggests embedded assemblies are written out; if so,
            // the output is sample-controlled content and should be handled as untrusted - confirm.
            DumpEmbeddedAssemblies();

            startedDeobfuscating = true;
        }
예제 #3
		/// <summary>
		/// Records the static indicators of a Crypto Obfuscator protected module and
		/// instantiates the locators for its protection stubs.
		/// </summary>
		/// <remarks>
		/// Sets <c>foundCryptoObfuscatorAttribute</c>, <c>foundObfuscatedSymbols</c> and
		/// <c>foundObfuscatorUserString</c>. The attribute and user-string checks are
		/// exact name/prefix matches, which a sample can remove or imitate; the way
		/// these flags are combined into a verdict is not part of this method.
		/// </remarks>
		protected override void ScanForObfuscator() {
			foreach (var t in module.Types) {
				bool isMarkerAttribute = t.FullName == "CryptoObfuscator.ProtectedWithCryptoObfuscatorAttribute";
				if (!isMarkerAttribute)
					continue;

				// Marker attribute present: flag it, queue it for removal, pass it to InitializeVersion.
				foundCryptoObfuscatorAttribute = true;
				AddAttributeToBeRemoved(t, "Obfuscator attribute");
				InitializeVersion(t);
			}

			// Independent indicator; only ever raised here, never reset.
			bool symbolsLookObfuscated = CheckCryptoObfuscator();
			if (symbolsLookObfuscated)
				foundObfuscatedSymbols = true;

			// Each locator is constructed and searched immediately, in the original order.
			inlinedMethodTypes = new InlinedMethodTypes();

			methodsDecrypter = new MethodsDecrypter(module);
			methodsDecrypter.Find();

			proxyCallFixer = new ProxyCallFixer(module);
			proxyCallFixer.FindDelegateCreator();

			stringDecrypter = new StringDecrypter(module);
			stringDecrypter.Find();

			tamperDetection = new TamperDetection(module);
			tamperDetection.Find();

			constantsDecrypter = new ConstantsDecrypter(module, initializedDataCreator);
			constantsDecrypter.Find();

			// Token 0x70000001 addresses the user-string (#US) heap at offset 1; the
			// prefix test is ordinal. Presumably an obfuscator-emitted marker - verify.
			var userString = module.ReadUserString(0x70000001);
			foundObfuscatorUserString = Utils.StartsWith(userString, "\u0011\"3D9B94A98B-76A8-4810-B1A0-4BE7C4F9C98D", StringComparison.Ordinal);
		}