protected override void ScanForObfuscator()
{
methodsDecrypter = new MethodsDecrypter(module);
methodsDecrypter.Find();
proxyCallFixer = new ProxyCallFixer(module, DeobfuscatedFile);
proxyCallFixer.FindDelegateCreator(module);
stringDecrypter = new StringDecrypter(module);
stringDecrypter.Find(DeobfuscatedFile);
booleanDecrypter = new BooleanDecrypter(module);
booleanDecrypter.Find();
assemblyResolver = new AssemblyResolver(module);
assemblyResolver.Find(DeobfuscatedFile);
obfuscatorName = DetectVersion();
if (unpackedNativeFile)
{
obfuscatorName += " (native)";
}
resourceResolver = new ResourceResolver(module);
resourceResolver.Find(DeobfuscatedFile);
}
public override void DeobfuscateBegin()
{
base.DeobfuscateBegin();
proxyCallFixer = new ProxyCallFixer(Module, DeobfuscatedFile);
proxyCallFixer.FindDelegateCreator();
proxyCallFixer.Find();
stringDecrypter.Initialize(peImage, fileData, DeobfuscatedFile);
if (!stringDecrypter.Detected)
{
FreePEImage();
}
booleanDecrypter.Initialize(fileData, DeobfuscatedFile);
booleanValueInliner = new BooleanValueInliner();
emptyClass = new EmptyClass(Module);
if (options.DecryptBools)
{
booleanValueInliner.Add(booleanDecrypter.Method, (method, gim, args) => {
return(booleanDecrypter.Decrypt((int)args[0]));
});
}
foreach (var info in stringDecrypter.DecrypterInfos)
{
staticStringInliner.Add(info.method, (method2, gim, args) => {
return(stringDecrypter.Decrypt(method2, (int)args[0]));
});
}
if (stringDecrypter.OtherStringDecrypter != null)
{
staticStringInliner.Add(stringDecrypter.OtherStringDecrypter, (method2, gim, args) => {
return(stringDecrypter.Decrypt((string)args[0]));
});
}
DeobfuscatedFile.StringDecryptersAdded();
metadataTokenObfuscator = new MetadataTokenObfuscator(Module);
antiStrongname = new AntiStrongName(GetDecrypterType());
bool removeResourceResolver = false;
if (options.DecryptResources)
{
resourceResolver.Initialize(DeobfuscatedFile, this);
DecryptResources();
if (options.InlineMethods)
{
AddTypeToBeRemoved(resourceResolver.Type, "Resource decrypter type");
removeResourceResolver = true;
}
AddEntryPointCallToBeRemoved(resourceResolver.InitMethod);
AddCctorInitCallToBeRemoved(resourceResolver.InitMethod);
}
if (resourceResolver.Detected && !removeResourceResolver && !resourceResolver.FoundResource)
{
canRemoveDecrypterType = false; // There may be calls to its .ctor
}
if (Operations.DecryptStrings != OpDecryptString.None)
{
AddResourceToBeRemoved(stringDecrypter.Resource, "Encrypted strings");
}
else
{
canRemoveDecrypterType = false;
}
if (options.DecryptMethods && !methodsDecrypter.HasNativeMethods)
{
AddResourceToBeRemoved(methodsDecrypter.Resource, "Encrypted methods");
AddCctorInitCallToBeRemoved(methodsDecrypter.Method);
}
else
{
canRemoveDecrypterType = false;
}
if (options.DecryptBools)
{
AddResourceToBeRemoved(booleanDecrypter.Resource, "Encrypted booleans");
}
else
{
canRemoveDecrypterType = false;
}
if (!options.RemoveAntiStrongName)
{
canRemoveDecrypterType = false;
}
// The inlined methods may contain calls to the decrypter class
if (!options.InlineMethods)
{
canRemoveDecrypterType = false;
}
if (options.DumpEmbeddedAssemblies)
{
if (options.InlineMethods)
{
AddTypeToBeRemoved(assemblyResolver.Type, "Assembly resolver");
}
AddEntryPointCallToBeRemoved(assemblyResolver.InitMethod);
AddCctorInitCallToBeRemoved(assemblyResolver.InitMethod);
DumpEmbeddedAssemblies();
}
if (options.InlineMethods)
{
AddTypeToBeRemoved(metadataTokenObfuscator.Type, "Metadata token obfuscator");
}
AddCctorInitCallToBeRemoved(emptyClass.Method);
AddCtorInitCallToBeRemoved(emptyClass.Method);
AddEntryPointCallToBeRemoved(emptyClass.Method);
if (options.InlineMethods)
{
AddTypeToBeRemoved(emptyClass.Type, "Empty class");
}
startedDeobfuscating = true;
}
public override void DeobfuscateBegin() {
base.DeobfuscateBegin();
proxyCallFixer = new ProxyCallFixer(module, DeobfuscatedFile);
proxyCallFixer.FindDelegateCreator();
proxyCallFixer.Find();
stringDecrypter.Initialize(peImage, fileData, DeobfuscatedFile);
if (!stringDecrypter.Detected)
FreePEImage();
booleanDecrypter.Initialize(fileData, DeobfuscatedFile);
booleanValueInliner = new BooleanValueInliner();
emptyClass = new EmptyClass(module);
if (options.DecryptBools) {
booleanValueInliner.Add(booleanDecrypter.Method, (method, gim, args) => {
return booleanDecrypter.Decrypt((int)args[0]);
});
}
foreach (var info in stringDecrypter.DecrypterInfos) {
staticStringInliner.Add(info.method, (method2, gim, args) => {
return stringDecrypter.Decrypt(method2, (int)args[0]);
});
}
if (stringDecrypter.OtherStringDecrypter != null) {
staticStringInliner.Add(stringDecrypter.OtherStringDecrypter, (method2, gim, args) => {
return stringDecrypter.Decrypt((string)args[0]);
});
}
DeobfuscatedFile.StringDecryptersAdded();
metadataTokenObfuscator = new MetadataTokenObfuscator(module);
antiStrongname = new AntiStrongName(GetDecrypterType());
bool removeResourceResolver = false;
if (options.DecryptResources) {
resourceResolver.Initialize(DeobfuscatedFile, this);
DecryptResources();
if (options.InlineMethods) {
AddTypeToBeRemoved(resourceResolver.Type, "Resource decrypter type");
removeResourceResolver = true;
}
AddEntryPointCallToBeRemoved(resourceResolver.InitMethod);
AddCctorInitCallToBeRemoved(resourceResolver.InitMethod);
}
if (resourceResolver.Detected && !removeResourceResolver && !resourceResolver.FoundResource)
canRemoveDecrypterType = false; // There may be calls to its .ctor
if (Operations.DecryptStrings != OpDecryptString.None)
AddResourceToBeRemoved(stringDecrypter.Resource, "Encrypted strings");
else
canRemoveDecrypterType = false;
if (options.DecryptMethods && !methodsDecrypter.HasNativeMethods) {
AddResourceToBeRemoved(methodsDecrypter.Resource, "Encrypted methods");
AddCctorInitCallToBeRemoved(methodsDecrypter.Method);
}
else
canRemoveDecrypterType = false;
if (options.DecryptBools)
AddResourceToBeRemoved(booleanDecrypter.Resource, "Encrypted booleans");
else
canRemoveDecrypterType = false;
if (!options.RemoveAntiStrongName)
canRemoveDecrypterType = false;
// The inlined methods may contain calls to the decrypter class
if (!options.InlineMethods)
canRemoveDecrypterType = false;
if (options.DumpEmbeddedAssemblies) {
if (options.InlineMethods)
AddTypeToBeRemoved(assemblyResolver.Type, "Assembly resolver");
AddEntryPointCallToBeRemoved(assemblyResolver.InitMethod);
AddCctorInitCallToBeRemoved(assemblyResolver.InitMethod);
DumpEmbeddedAssemblies();
}
if (options.InlineMethods)
AddTypeToBeRemoved(metadataTokenObfuscator.Type, "Metadata token obfuscator");
AddCctorInitCallToBeRemoved(emptyClass.Method);
AddCtorInitCallToBeRemoved(emptyClass.Method);
AddEntryPointCallToBeRemoved(emptyClass.Method);
if (options.InlineMethods)
AddTypeToBeRemoved(emptyClass.Type, "Empty class");
startedDeobfuscating = true;
}