protected override void ScanForObfuscator() { foreach (var type in module.Types) { if (type.FullName == "CryptoObfuscator.ProtectedWithCryptoObfuscatorAttribute") { foundCryptoObfuscatorAttribute = true; AddAttributeToBeRemoved(type, "Obfuscator attribute"); InitializeVersion(type); } } if (CheckCryptoObfuscator()) { foundObfuscatedSymbols = true; } inlinedMethodTypes = new InlinedMethodTypes(); methodsDecrypter = new MethodsDecrypter(module); methodsDecrypter.Find(); proxyCallFixer = new ProxyCallFixer(module); proxyCallFixer.FindDelegateCreator(); stringDecrypter = new StringDecrypter(module); stringDecrypter.Find(); tamperDetection = new TamperDetection(module); tamperDetection.Find(); constantsDecrypter = new ConstantsDecrypter(module, initializedDataCreator); constantsDecrypter.Find(); foundObfuscatorUserString = Utils.StartsWith(module.ReadUserString(0x70000001), "\u0011\"3D9B94A98B-76A8-4810-B1A0-4BE7C4F9C98D", StringComparison.Ordinal); }
public override void DeobfuscateBegin() { base.DeobfuscateBegin(); resourceDecrypter = new ResourceDecrypter(module, DeobfuscatedFile); resourceResolver = new ResourceResolver(module, resourceDecrypter); assemblyResolver = new AssemblyResolver(module); resourceResolver.Find(); assemblyResolver.Find(DeobfuscatedFile); DecryptResources(); stringDecrypter.Initialize(resourceDecrypter); if (stringDecrypter.Method != null) { staticStringInliner.Add(stringDecrypter.Method, (method, gim, args) => { return(stringDecrypter.Decrypt((int)args[0])); }); DeobfuscatedFile.StringDecryptersAdded(); } methodsDecrypter.Decrypt(resourceDecrypter, DeobfuscatedFile); if (methodsDecrypter.Detected) { if (!assemblyResolver.Detected) { assemblyResolver.Find(DeobfuscatedFile); } if (!tamperDetection.Detected) { tamperDetection.Find(); } } antiDebugger = new AntiDebugger(module, DeobfuscatedFile, this); antiDebugger.Find(); if (options.DecryptConstants) { constantsDecrypter.Initialize(resourceDecrypter); int32ValueInliner = new Int32ValueInliner(); int32ValueInliner.Add(constantsDecrypter.Int32Decrypter, (method, gim, args) => constantsDecrypter.DecryptInt32((int)args[0])); int64ValueInliner = new Int64ValueInliner(); int64ValueInliner.Add(constantsDecrypter.Int64Decrypter, (method, gim, args) => constantsDecrypter.DecryptInt64((int)args[0])); singleValueInliner = new SingleValueInliner(); singleValueInliner.Add(constantsDecrypter.SingleDecrypter, (method, gim, args) => constantsDecrypter.DecryptSingle((int)args[0])); doubleValueInliner = new DoubleValueInliner(); doubleValueInliner.Add(constantsDecrypter.DoubleDecrypter, (method, gim, args) => constantsDecrypter.DecryptDouble((int)args[0])); AddTypeToBeRemoved(constantsDecrypter.Type, "Constants decrypter type"); AddResourceToBeRemoved(constantsDecrypter.Resource, "Encrypted constants"); } AddModuleCctorInitCallToBeRemoved(resourceResolver.Method); AddModuleCctorInitCallToBeRemoved(assemblyResolver.Method); AddCallToBeRemoved(module.EntryPoint, tamperDetection.Method); AddModuleCctorInitCallToBeRemoved(tamperDetection.Method); AddCallToBeRemoved(module.EntryPoint, antiDebugger.Method); AddModuleCctorInitCallToBeRemoved(antiDebugger.Method); AddTypeToBeRemoved(resourceResolver.Type, "Resource resolver type"); AddTypeToBeRemoved(assemblyResolver.Type, "Assembly resolver type"); AddTypeToBeRemoved(tamperDetection.Type, "Tamper detection type"); AddTypeToBeRemoved(antiDebugger.Type, "Anti-debugger type"); AddTypeToBeRemoved(methodsDecrypter.Type, "Methods decrypter type"); AddTypesToBeRemoved(methodsDecrypter.DelegateTypes, "Methods decrypter delegate type"); AddResourceToBeRemoved(methodsDecrypter.Resource, "Encrypted methods"); proxyCallFixer.Find(); DumpEmbeddedAssemblies(); startedDeobfuscating = true; }
protected override void ScanForObfuscator() { foreach (var type in module.Types) { if (type.FullName == "CryptoObfuscator.ProtectedWithCryptoObfuscatorAttribute") { foundCryptoObfuscatorAttribute = true; AddAttributeToBeRemoved(type, "Obfuscator attribute"); InitializeVersion(type); } } if (CheckCryptoObfuscator()) foundObfuscatedSymbols = true; inlinedMethodTypes = new InlinedMethodTypes(); methodsDecrypter = new MethodsDecrypter(module); methodsDecrypter.Find(); proxyCallFixer = new ProxyCallFixer(module); proxyCallFixer.FindDelegateCreator(); stringDecrypter = new StringDecrypter(module); stringDecrypter.Find(); tamperDetection = new TamperDetection(module); tamperDetection.Find(); constantsDecrypter = new ConstantsDecrypter(module, initializedDataCreator); constantsDecrypter.Find(); foundObfuscatorUserString = Utils.StartsWith(module.ReadUserString(0x70000001), "\u0011\"3D9B94A98B-76A8-4810-B1A0-4BE7C4F9C98D", StringComparison.Ordinal); }