Exemplo n.º 1
        /// <summary>
        /// Assigns the corlib <c>Object</c> type as base type to every type in the module that
        /// <c>IsTypeWithInvalidBaseType</c> flags, skipping any type whose corlib signature is
        /// <c>ElementType.Object</c>.
        /// </summary>
        void RestoreBaseType()
        {
            var globalType = DotNetUtils.GetModuleType(module);

            foreach (var candidate in module.GetTypes())
            {
                if (IsTypeWithInvalidBaseType(globalType, candidate))
                {
                    // A type that resolves to the corlib Object signature is left without a base type.
                    var sig = module.CorLibTypes.GetCorLibTypeSig(candidate);
                    bool isCorLibObject = sig != null && sig.ElementType == ElementType.Object;

                    if (!isCorLibObject)
                    {
                        Logger.v("Adding System.Object as base type: {0} ({1:X8})",
                                 Utils.RemoveNewlines(candidate),
                                 candidate.MDToken.ToInt32());
                        candidate.BaseType = module.CorLibTypes.Object.TypeDefOrRef;
                    }
                }
            }
        }
Exemplo n.º 2
        /// <summary>
        /// Collects every method of the module type for which <c>IsDelegateMethod</c> returns true
        /// and stores the list in <c>Methods</c>. When the module has no module type,
        /// <c>Methods</c> is left unchanged.
        /// </summary>
        public void FindMethods()
        {
            var globalType = DotNetUtils.GetModuleType(Module);
            if (globalType == null)
            {
                return;
            }

            var found = new List<MethodDef>();
            foreach (var candidate in globalType.Methods)
            {
                if (IsDelegateMethod(candidate))
                {
                    found.Add(candidate);
                }
            }

            Methods = found;
        }
Exemplo n.º 3
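        /// <summary>
        /// Removes every type queued in <c>typesToRemove</c> from the module, logging each
        /// successful removal together with the recorded reason.
        /// </summary>
        /// <remarks>
        /// The module type itself is never removed, and null entries are skipped. Nested types are
        /// removed from their declaring type's <c>NestedTypes</c>; all others from <c>module.Types</c>.
        /// </remarks>
        void DeleteTypes()
        {
            var types = module.Types;

            if (types == null || typesToRemove.Count == 0)
            {
                return;
            }

            Logger.v("Removing types");
            Logger.Instance.Indent();
            try
            {
                var moduleType = DotNetUtils.GetModuleType(module);

                foreach (var info in typesToRemove)
                {
                    var typeDef = info.obj;
                    if (typeDef == null || typeDef == moduleType)
                    {
                        continue;
                    }

                    var declaringType = typeDef.DeclaringType;
                    bool removed = declaringType != null
                        ? declaringType.NestedTypes.Remove(typeDef)
                        : types.Remove(typeDef);

                    if (removed)
                    {
                        Logger.v("Removed type {0} ({1:X8}) (reason: {2})",
                                 Utils.RemoveNewlines(typeDef),
                                 typeDef.MDToken.ToUInt32(),
                                 info.reason);
                    }
                }
            }
            finally
            {
                // Undo the indent even if a removal throws, so later log output
                // is not left shifted by one level.
                Logger.Instance.DeIndent();
            }
        }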
Exemplo n.º 4
        /// <summary>
        /// Gathers the results of <c>FindFieldInitializations</c> for every method of the module
        /// type and for the static constructor of every type that derives from a delegate, and
        /// stores the combined list in <c>Initializations</c>.
        /// </summary>
        /// <remarks>
        /// Does nothing when <c>Methods</c> is null or empty.
        /// </remarks>
        public void FindFields()
        {
            if (Methods == null || Methods.Count == 0)
            {
                return;
            }

            var collected  = new List<DelegateInitInfo>();
            var globalType = DotNetUtils.GetModuleType(Module);

            // Pass 1: methods declared on the module type, if the module has one.
            if (globalType != null)
            {
                foreach (var method in globalType.Methods)
                {
                    var found = FindFieldInitializations(method);
                    if (found != null && found.Count != 0)
                    {
                        collected.AddRange(found);
                    }
                }
            }

            // Pass 2: the static constructor of each delegate-derived type.
            foreach (var type in Module.GetTypes())
            {
                if (DotNetUtils.DerivesFromDelegate(type))
                {
                    var found = FindFieldInitializations(type.FindStaticConstructor());
                    if (found != null && found.Count != 0)
                    {
                        collected.AddRange(found);
                    }
                }
            }

            Initializations = collected;
        }
Exemplo n.º 5
        /// <summary>
        /// Searches the module type for the first static method with signature
        /// <c>System.Object (System.UInt32)</c> whose locals, constants and calls match one of the
        /// known <c>ConfuserVersion</c> fingerprints. The match is stored as the
        /// <c>decryptMethod</c> of a new <c>DecrypterInfo</c>, which is registered via <c>Add</c>.
        /// </summary>
        /// <remarks>
        /// Sets <c>version</c>, and on some paths <c>nativeMethod</c>, as a side effect.
        /// Returns without changes when the module has no module type or nothing matches.
        /// </remarks>
        public void Find()
        {
            var globalType = DotNetUtils.GetModuleType(module);
            if (globalType == null)
            {
                return;
            }

            foreach (var candidate in globalType.Methods)
            {
                bool isStaticWithBody = candidate.IsStatic && candidate.Body != null;
                if (!isStaticWithBody || !DotNetUtils.IsMethod(candidate, "System.Object", "(System.UInt32)"))
                {
                    continue;
                }

                var info   = new DecrypterInfo();
                var locals = new LocalTypes(candidate);

                if (locals.All(requiredLocals1))
                {
                    // Original author's note on the BitArray check: "or System.Random".
                    if (locals.Exists("System.Collections.BitArray"))
                    {
                        version = ConfuserVersion.v15_r60785_normal;
                    }
                    else if (DeobUtils.HasInteger(candidate, 0x100) &&
                             DeobUtils.HasInteger(candidate, 0x10000) &&
                             DeobUtils.HasInteger(candidate, 0xFFFF))
                    {
                        version = ConfuserVersion.v17_r73404_normal;
                    }
                    else if (DotNetUtils.CallsMethod(candidate, "System.String System.Text.Encoding::GetString(System.Byte[])"))
                    {
                        if (FindInstruction(candidate.Body.Instructions, 0, Code.Conv_I8) < 0)
                        {
                            version = ConfuserVersion.v17_r73740_dynamic;
                        }
                        else
                        {
                            version = DotNetUtils.CallsMethod(candidate, "System.Void System.Console::WriteLine()")
                                ? ConfuserVersion.v15_r60785_dynamic
                                : ConfuserVersion.v17_r72989_dynamic;
                        }
                    }
                    else if (DotNetUtils.CallsMethod(candidate, "System.String System.Text.Encoding::GetString(System.Byte[],System.Int32,System.Int32)"))
                    {
                        // A native helper distinguishes the "native" from the "dynamic" variant.
                        version = (nativeMethod = FindNativeMethod(candidate)) == null
                            ? ConfuserVersion.v17_r73764_dynamic
                            : ConfuserVersion.v17_r73764_native;
                    }
                    else
                    {
                        continue;
                    }
                }
                else if (locals.All(requiredLocals2))
                {
                    if (DeobUtils.HasInteger(candidate, 0x100) &&
                        DeobUtils.HasInteger(candidate, 0x10000) &&
                        DeobUtils.HasInteger(candidate, 0xFFFF))
                    {
                        version = ConfuserVersion.v17_r73822_normal;
                    }
                    else if (DotNetUtils.CallsMethod(candidate, "System.Int32 System.Object::GetHashCode()"))
                    {
                        version = (nativeMethod = FindNativeMethod(candidate)) == null
                            ? ConfuserVersion.v17_r74021_dynamic
                            : ConfuserVersion.v17_r74021_native;
                    }
                    else
                    {
                        version = (nativeMethod = FindNativeMethod(candidate)) == null
                            ? ConfuserVersion.v17_r73822_dynamic
                            : ConfuserVersion.v17_r73822_native;
                    }
                }
                else
                {
                    continue;
                }

                // First fingerprint match wins; stop scanning.
                info.decryptMethod = candidate;
                theDecrypterInfo   = info;
                Add(info);
                break;
            }
        }
Exemplo n.º 6
        /// <summary>
        /// Searches the module type for the first static method with signature
        /// <c>System.String (System.Int32)</c> that has the required locals and both magic
        /// values, classifies it as a <c>ConfuserVersion</c>, and stores it in <c>decryptMethod</c>.
        /// </summary>
        /// <param name="simpleDeobfuscator">Deobfuscator run on each candidate before its magic values are searched.</param>
        /// <remarks>
        /// Writes <c>magic1</c>, <c>magic2</c>, <c>version</c> and, on one path, <c>key1</c> while
        /// scanning; these may have been overwritten by rejected candidates when no method matches.
        /// </remarks>
        public void Find(ISimpleDeobfuscator simpleDeobfuscator)
        {
            var globalType = DotNetUtils.GetModuleType(module);
            if (globalType == null)
            {
                return;
            }

            foreach (var candidate in globalType.Methods)
            {
                bool isStaticWithBody = candidate.IsStatic && candidate.Body != null;
                if (!isStaticWithBody || !DotNetUtils.IsMethod(candidate, "System.String", "(System.Int32)"))
                {
                    continue;
                }

                var locals = new LocalTypes(candidate);
                if (!locals.All(requiredLocals))
                {
                    continue;
                }

                simpleDeobfuscator.Deobfuscate(candidate);

                // Try the old magic1 pattern first, then the new one; remember which matched.
                bool foundOldMagic1 = FindMagic1(candidate, out magic1);
                if (!foundOldMagic1 && !FindNewMagic1(candidate, out magic1))
                {
                    continue;
                }
                if (!FindMagic2(candidate, out magic2))
                {
                    continue;
                }

                version = ConfuserVersion.Unknown;
                if (DotNetUtils.CallsMethod(candidate, "System.Text.Encoding System.Text.Encoding::get_UTF8()"))
                {
                    if (foundOldMagic1)
                    {
                        version = DotNetUtils.CallsMethod(candidate, "System.Object System.AppDomain::GetData(System.String)")
                            ? ConfuserVersion.v13_r55604_safe
                            : ConfuserVersion.v10_r42915;
                    }
                    else
                    {
                        if (!FindSafeKey1(candidate, out key1))
                        {
                            continue;
                        }
                        version = ConfuserVersion.v14_r58802_safe;
                    }
                }
                else if (!locals.Exists("System.Random"))
                {
                    version = foundOldMagic1
                        ? ConfuserVersion.v11_r49299
                        : ConfuserVersion.v14_r58802_dynamic;
                }
                else if (locals.Exists("System.Collections.Generic.Dictionary`2<System.Int32,System.String>"))
                {
                    version = ConfuserVersion.v10_r48832;
                }

                // No branch recognised this candidate; keep looking.
                if (version == ConfuserVersion.Unknown)
                {
                    continue;
                }

                decryptMethod = candidate;
                break;
            }
        }
Exemplo n.º 7
		/// <summary>
		/// Scans the module type for proxy delegate creator methods, classifies each one as a
		/// <c>ConfuserVersion</c>, records it in <c>methodToInfo</c>, and raises <c>version</c>
		/// to the highest version seen.
		/// </summary>
		/// <param name="simpleDeobfuscator">Passed to <c>GetProxyCreatorType</c> and used to deobfuscate each candidate before it is fingerprinted.</param>
		public void FindDelegateCreator(ISimpleDeobfuscator simpleDeobfuscator) {
			var type = DotNetUtils.GetModuleType(module);
			if (type == null)
				return;
			foreach (var method in type.Methods) {
				// Candidates must have a body and have both IsStatic and IsAssembly set.
				if (method.Body == null || !method.IsStatic || !method.IsAssembly)
					continue;
				var theVersion = ConfuserVersion.Unknown;

				// The parameter list gives a first version guess; the checks below may refine it.
				if (DotNetUtils.IsMethod(method, "System.Void", "(System.String,System.RuntimeFieldHandle)"))
					theVersion = ConfuserVersion.v10_r42915;
				else if (DotNetUtils.IsMethod(method, "System.Void", "(System.RuntimeFieldHandle)"))
					theVersion = ConfuserVersion.v10_r48717;
				else
					continue;

				// tmpVer is only consumed by the CommonCheckVersion19 calls further down.
				var proxyType = GetProxyCreatorType(method, simpleDeobfuscator, out int tmpVer);
				if (proxyType == ProxyCreatorType.None)
					continue;
				if (proxyType == ProxyCreatorType.Newobj)
					foundNewobjProxy = true;

				simpleDeobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
				MethodDef nativeMethod = null;
				// 'magic' is declared by this out argument and stays in scope until the end of the
				// loop body, where it is passed to ProxyCreatorInfo whichever branch was taken.
				if (FindMagic_v14_r58564(method, out uint magic)) {
					if (!DotNetUtils.CallsMethod(method, "System.Byte[] System.Convert::FromBase64String(System.String)")) {
						if (!IsMethodCreator_v14_r58802(method, proxyType))
							theVersion = ConfuserVersion.v14_r58564;
						else
							theVersion = ConfuserVersion.v14_r58802;
					}
					else if (DotNetUtils.CallsMethod(method, "System.Reflection.Module System.Reflection.MemberInfo::get_Module()"))
						theVersion = ConfuserVersion.v17_r73479;
					else if (proxyType != ProxyCreatorType.CallOrCallvirt || !HasFieldReference(method, "System.Reflection.Emit.OpCode System.Reflection.Emit.OpCodes::Castclass"))
						theVersion = ConfuserVersion.v14_r58857;
					else if (proxyType == ProxyCreatorType.CallOrCallvirt && DotNetUtils.CallsMethod(method, "System.Void System.Reflection.Emit.DynamicMethod::.ctor(System.String,System.Type,System.Type[],System.Boolean)"))
						theVersion = ConfuserVersion.v16_r66631;
					else if (proxyType == ProxyCreatorType.CallOrCallvirt)
						theVersion = ConfuserVersion.v16_r70489;
				}
				else if (!DotNetUtils.CallsMethod(method, "System.Byte[] System.Convert::FromBase64String(System.String)") &&
					DotNetUtils.CallsMethod(method, "System.Reflection.MethodBase System.Reflection.Module::ResolveMethod(System.Int32)")) {
					// NOTE(review): callvirtChar is not declared in this method (presumably a field).
					// It is only written here, and only for CallOrCallvirt proxies, yet it is passed to
					// ProxyCreatorInfo for every recorded method, so a value from an earlier
					// iteration may be carried over; confirm that this is intended.
					if (proxyType == ProxyCreatorType.CallOrCallvirt && !FindCallvirtChar(method, out callvirtChar))
						continue;
					if ((nativeMethod = FindNativeMethod_v18_r75367(method)) != null)
						theVersion = proxyType != ProxyCreatorType.CallOrCallvirt || callvirtChar == 9 ? ConfuserVersion.v18_r75367_native : ConfuserVersion.v18_r75369_native;
					else if (FindMagic_v18_r75367(method, out magic))
						theVersion = proxyType != ProxyCreatorType.CallOrCallvirt || callvirtChar == 9 ? ConfuserVersion.v18_r75367_normal : ConfuserVersion.v18_r75369_normal;
					else if (FindMagic_v19_r76101(method, out magic))
						CommonCheckVersion19(method, true, tmpVer, ref theVersion);
					else if ((nativeMethod = FindNativeMethod_v19_r76101(method)) != null)
						CommonCheckVersion19(method, false, tmpVer, ref theVersion);
					else {
						// These four checks are independent ifs, not an else-if chain: each one that
						// matches overwrites theVersion, so the last matching check decides the
						// result and their order matters.
						if (proxyType == ProxyCreatorType.CallOrCallvirt && !DotNetUtils.CallsMethod(method, "System.Int32 System.String::get_Length()"))
							theVersion = ConfuserVersion.v11_r50378;
						int numCalls = ConfuserUtils.CountCalls(method, "System.Byte[] System.Text.Encoding::GetBytes(System.Char[],System.Int32,System.Int32)");
						if (numCalls == 2)
							theVersion = ConfuserVersion.v12_r54564;
						if (!DotNetUtils.CallsMethod(method, "System.Reflection.Assembly System.Reflection.Assembly::Load(System.Reflection.AssemblyName)"))
							theVersion = ConfuserVersion.v13_r55346;
						if (DotNetUtils.CallsMethod(method, "System.Void System.Runtime.CompilerServices.RuntimeHelpers::RunClassConstructor(System.RuntimeTypeHandle)"))
							theVersion = ConfuserVersion.v13_r55604;
					}
				}
				else if (Is_v17_r73740(method)) {
					// Both arms run the same native-method / magic lookup; the get_IsArray call
					// only selects between the r74708 and r73740 version values.
					if (DotNetUtils.CallsMethod(method, "System.Boolean System.Type::get_IsArray()")) {
						if ((nativeMethod = FindNativeMethod_v17_r73740(method)) != null)
							theVersion = ConfuserVersion.v17_r74708_native;
						else if (FindMagic_v17_r73740(method, out magic))
							theVersion = ConfuserVersion.v17_r74708_normal;
						else
							continue;
					}
					else {
						if ((nativeMethod = FindNativeMethod_v17_r73740(method)) != null)
							theVersion = ConfuserVersion.v17_r73740_native;
						else if (FindMagic_v17_r73740(method, out magic))
							theVersion = ConfuserVersion.v17_r73740_normal;
						else
							continue;
					}
				}
				else if (theVersion == ConfuserVersion.v10_r42915) {
					if (DeobUtils.HasInteger(method, 0x06000000))
						theVersion = ConfuserVersion.v10_r42919;
				}

				// Unlike the other Find* methods shown here, this loop does not stop at the first
				// match: every method that reaches this point is recorded, and 'version' becomes
				// the numerically largest ConfuserVersion among them.
				SetDelegateCreatorMethod(method);
				methodToInfo.Add(method, new ProxyCreatorInfo(method, proxyType, theVersion, magic, nativeMethod, callvirtChar));
				version = (ConfuserVersion)Math.Max((int)version, (int)theVersion);
			}
		}
Exemplo n.º 8
        /// <summary>
        /// Checks whether <paramref name="initMethod"/> on <paramref name="type"/> matches one of
        /// the "safe" anti-debug fingerprints and, if so, sets <c>version</c> accordingly.
        /// </summary>
        /// <param name="type">Type that declares the anti-debug code; compared against the module type.</param>
        /// <param name="initMethod">Initialisation method whose strings and calls are inspected.</param>
        /// <returns><c>true</c> when a fingerprint matched and <c>version</c> was set; otherwise <c>false</c>.</returns>
        bool CheckMethod_safe(TypeDef type, MethodDef initMethod)
        {
            const string threadCtor = "System.Void System.Threading.Thread::.ctor(System.Threading.ParameterizedThreadStart)";

            // Variant 1: the anti-debug code sits directly on the module type.
            if (type == DotNetUtils.GetModuleType(module))
            {
                if (!DotNetUtils.HasString(initMethod, "Debugger detected (Managed)") ||
                    !CheckProfilerStrings1(initMethod))
                {
                    return false;
                }

                version = ConfuserVersion.v14_r57588_safe;
                return true;
            }

            // Variant 2: a separate type that must declare all three P/Invoke imports.
            var ntQueryInformationProcess = DotNetUtils.GetPInvokeMethod(type, "ntdll", "NtQueryInformationProcess");
            if (ntQueryInformationProcess == null ||
                DotNetUtils.GetPInvokeMethod(type, "ntdll", "NtSetInformationProcess") == null ||
                DotNetUtils.GetPInvokeMethod(type, "kernel32", "CloseHandle") == null)
            {
                return false;
            }

            var antiDebugMethod = GetAntiDebugMethod(type, initMethod);
            if (antiDebugMethod == null)
            {
                return false;
            }

            bool hasDebuggerStrings = DotNetUtils.HasString(antiDebugMethod, "Debugger detected (Managed)") ||
                                      DotNetUtils.HasString(antiDebugMethod, "Debugger is detected (Managed)");

            if (!DotNetUtils.CallsMethod(initMethod, threadCtor))
            {
                return false;
            }
            // The "safe" variant imports NtQueryInformationProcess but the anti-debug method must not call it.
            if (ConfuserUtils.CountCalls(antiDebugMethod, ntQueryInformationProcess) != 0)
            {
                return false;
            }
            if (!CheckProfilerStrings1(initMethod) && !CheckProfilerStrings2(initMethod))
            {
                return false;
            }
            // Exactly two Environment.FailFast(string) calls are required.
            if (ConfuserUtils.CountCalls(antiDebugMethod, "System.Void System.Environment::FailFast(System.String)") != 2)
            {
                return false;
            }

            if (!hasDebuggerStrings)
            {
                version = ConfuserVersion.v19_r78363_safe;
            }
            else if (!DotNetUtils.CallsMethod(antiDebugMethod, threadCtor))
            {
                version = ConfuserVersion.v16_r61954_safe;
            }
            else if (DotNetUtils.GetPInvokeMethod(type, "IsDebuggerPresent") == null)
            {
                version = ConfuserVersion.v17_r73822_safe;
            }
            else
            {
                version = CheckProfilerStrings1(initMethod)
                    ? ConfuserVersion.v17_r74021_safe
                    : ConfuserVersion.v19_r76119_safe;
            }

            return true;
        }