static uint[] getKey(MethodDef method)
{
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count - 1; i++)
{
var ldci4 = instrs[i];
if (!ldci4.IsLdcI4())
{
continue;
}
if (ldci4.GetLdcI4Value() != 4)
{
continue;
}
if (instrs[i + 1].OpCode.Code != Code.Newarr)
{
continue;
}
i++;
var key = ArrayFinder.getInitializedUInt32Array(4, method, ref i);
if (key == null)
{
continue;
}
return(key);
}
return(null);
}
bool Get3DesKeyIv(MethodDef method, ref byte[] key, ref byte[] iv)
{
if (!new LocalTypes(method).Exists("System.Security.Cryptography.TripleDESCryptoServiceProvider"))
{
return(false);
}
var instrs = method.Body.Instructions;
var arrays = ArrayFinder.GetArrays(method, module.CorLibTypes.Byte);
if (arrays.Count != 1 && arrays.Count != 2)
{
return(false);
}
key = arrays[0];
if (arrays.Count == 1)
{
var pkt = PublicKeyBase.ToPublicKeyToken(module.Assembly.PublicKey);
iv = pkt == null ? null : pkt.Data;
}
else
{
iv = arrays[1];
}
return(true);
}
bool get3DesKeyIv(MethodDefinition method, ref byte[] key, ref byte[] iv)
{
if (!new LocalTypes(method).exists("System.Security.Cryptography.TripleDESCryptoServiceProvider"))
{
return(false);
}
var instrs = method.Body.Instructions;
var arrays = ArrayFinder.getArrays(method, module.TypeSystem.Byte);
if (arrays.Count != 1 && arrays.Count != 2)
{
return(false);
}
key = arrays[0];
if (arrays.Count == 1)
{
iv = module.Assembly.Name.PublicKeyToken;
}
else
{
iv = arrays[1];
}
return(true);
}
public void Initialize(ISimpleDeobfuscator simpleDeobfuscator)
{
if (resourceDecrypterMethod == null)
{
return;
}
simpleDeobfuscator.Deobfuscate(resourceDecrypterMethod);
encryptedDataResource = FindMethodsDecrypterResource(resourceDecrypterMethod);
if (encryptedDataResource == null)
{
return;
}
var key = ArrayFinder.GetInitializedByteArray(resourceDecrypterMethod, 32);
if (key == null)
{
throw new ApplicationException("Could not find resource decrypter key");
}
var iv = ArrayFinder.GetInitializedByteArray(resourceDecrypterMethod, 16);
if (iv == null)
{
throw new ApplicationException("Could not find resource decrypter IV");
}
if (NeedReverse())
{
Array.Reverse(iv); // DNR 4.5.0.0
}
if (UsesPublicKeyToken())
{
var publicKeyToken = module.Assembly.PublicKeyToken;
if (publicKeyToken != null && publicKeyToken.Data.Length > 0)
{
for (int i = 0; i < 8; i++)
{
iv[i * 2 + 1] = publicKeyToken.Data[i];
}
}
}
var decrypterType = GetDecrypterType(resourceDecrypterMethod, new string[0]);
switch (decrypterType)
{
case DnrDecrypterType.V1: decrypter = new DecrypterV1(iv, key); break;
case DnrDecrypterType.V2: decrypter = new DecrypterV2(iv, key, resourceDecrypterMethod); break;
default: throw new ApplicationException("Unknown decrypter type");
}
}
static short[] FindKey(MethodDef initMethod, FieldDefAndDeclaringTypeDict <bool> fields)
{
var instrs = initMethod.Body.Instructions;
for (int i = 0; i < instrs.Count - 2; i++)
{
var ldci4 = instrs[i];
if (!ldci4.IsLdcI4())
{
continue;
}
var newarr = instrs[i + 1];
if (newarr.OpCode.Code != Code.Newarr)
{
continue;
}
if (newarr.Operand.ToString() != "System.Char")
{
continue;
}
var stloc = instrs[i + 2];
if (!stloc.IsStloc())
{
continue;
}
var local = stloc.GetLocal(initMethod.Body.Variables);
int startInitIndex = i;
i++;
var array = ArrayFinder.GetInitializedInt16Array(ldci4.GetLdcI4Value(), initMethod, ref i);
if (array == null)
{
continue;
}
var field = GetStoreField(initMethod, startInitIndex, local);
if (field == null)
{
continue;
}
if (fields.Find(field))
{
return(array);
}
}
return(null);
}
static short[] findKey(MethodDefinition initMethod, FieldDefinition keyField)
{
var instrs = initMethod.Body.Instructions;
for (int i = 0; i < instrs.Count - 2; i++)
{
var ldci4 = instrs[i];
if (!DotNetUtils.isLdcI4(ldci4))
{
continue;
}
var newarr = instrs[i + 1];
if (newarr.OpCode.Code != Code.Newarr)
{
continue;
}
if (newarr.Operand.ToString() != "System.Char")
{
continue;
}
var stloc = instrs[i + 2];
if (!DotNetUtils.isStloc(stloc))
{
continue;
}
var local = DotNetUtils.getLocalVar(initMethod.Body.Variables, stloc);
int startInitIndex = i;
i++;
var array = ArrayFinder.getInitializedInt16Array(DotNetUtils.getLdcI4Value(ldci4), initMethod, ref i);
if (array == null)
{
continue;
}
var field = getStoreField(initMethod, startInitIndex, local);
if (field == null)
{
continue;
}
if (keyField == field)
{
return(array);
}
}
return(null);
}
PatchInfo GetPatchInfo(MethodDef method)
{
int index1 = 0, index2, index3;
if (!ArrayFinder.FindNewarr(method, ref index1, out int size1))
{
return(null);
}
index2 = index1 + 1;
if (!ArrayFinder.FindNewarr(method, ref index2, out int size2))
{
return(null);
}
index3 = index2 + 1;
if (ArrayFinder.FindNewarr(method, ref index3, out int size3))
{
return(null);
}
if (size1 <= 0 || size1 > 35)
{
return(null);
}
var ary1 = ArrayFinder.GetInitializedInt32Array(size1, method, ref index1);
var ary2 = ArrayFinder.GetInitializedInt32Array(size2, method, ref index2);
if (ary1 == null || ary2 == null)
{
return(null);
}
ary2 = Decrypt(ary2);
if (ary2 == null || ary1.Length != ary2.Length)
{
return(null);
}
for (int i = 0; i < ary1.Length; i++)
{
ary1[i] = -ary1[i];
}
return(new PatchInfo(ary1, ary2));
}
public bool getKey(MethodDefinition method)
{
var tmpKey = ArrayFinder.getInitializedByteArray(method, 32);
if (tmpKey == null)
{
return(false);
}
var tmpIv = ArrayFinder.getInitializedByteArray(method, 16);
if (tmpIv == null)
{
return(false);
}
decryptionMethod = method;
key = tmpKey;
iv = tmpIv;
return(true);
}
public void init(ISimpleDeobfuscator simpleDeobfuscator)
{
if (resourceDecrypterMethod == null)
{
return;
}
simpleDeobfuscator.deobfuscate(resourceDecrypterMethod);
encryptedDataResource = findMethodsDecrypterResource(resourceDecrypterMethod);
if (encryptedDataResource == null)
{
return;
}
key = ArrayFinder.getInitializedByteArray(resourceDecrypterMethod, 32);
if (key == null)
{
throw new ApplicationException("Could not find resource decrypter key");
}
iv = ArrayFinder.getInitializedByteArray(resourceDecrypterMethod, 16);
if (iv == null)
{
throw new ApplicationException("Could not find resource decrypter IV");
}
if (needReverse())
{
Array.Reverse(iv); // DNR 4.5.0.0
}
if (usesPublicKeyToken())
{
var publicKeyToken = module.Assembly.PublicKeyToken;
if (publicKeyToken != null && publicKeyToken.Data.Length > 0)
{
for (int i = 0; i < 8; i++)
{
iv[i * 2 + 1] = publicKeyToken.Data[i];
}
}
}
}
