Exemplo n.º 1
        /// <summary>
        /// Heuristic filter for methods that may be an AES/Rijndael decrypt routine,
        /// judged only by the types that <c>LocalTypes</c> reports for the method.
        /// </summary>
        /// <param name="method">Candidate method; one without a body is rejected.</param>
        /// <param name="additionalTypes">Extra type names that must also be present, appended to the built-in list.</param>
        /// <returns>
        /// <c>true</c> when <c>LocalTypes.all</c> accepts the combined type list and either
        /// RijndaelManaged or AesManaged is present; otherwise <c>false</c>.
        /// </returns>
        /// <remarks>
        /// A <c>true</c> result only marks a candidate: ordinary code that decrypts a buffer
        /// through CryptoStream has the same type footprint.
        /// </remarks>
        public static bool couldBeDecryptMethod(MethodDefinition method, IEnumerable <string> additionalTypes)
        {
            // Abstract/extern methods have no locals to inspect.
            if (method.Body == null)
                return false;

            var locals = new LocalTypes(method);

            // Baseline footprint of a stream-based symmetric decrypt.
            var wanted = new List<string>();
            wanted.Add("System.Byte[]");
            wanted.Add("System.IO.MemoryStream");
            wanted.Add("System.Security.Cryptography.CryptoStream");
            wanted.Add("System.Security.Cryptography.ICryptoTransform");
            wanted.AddRange(additionalTypes);

            if (!locals.all(wanted))
                return false;

            // Either managed AES implementation qualifies.
            return locals.exists("System.Security.Cryptography.RijndaelManaged") ||
                   locals.exists("System.Security.Cryptography.AesManaged");
        }
Exemplo n.º 2
        /// <summary>
        /// Decides whether <paramref name="method"/> looks like a Rijndael/AES decrypt routine
        /// by checking the type names reported by <c>LocalTypes</c>.
        /// </summary>
        /// <param name="method">Method to inspect; rejected when it has no body.</param>
        /// <param name="additionalTypes">Caller-supplied type names required on top of the fixed set.</param>
        /// <returns><c>true</c> for a plausible candidate, <c>false</c> otherwise.</returns>
        /// <remarks>
        /// This is a type-footprint heuristic, so a match should be confirmed by the caller
        /// before the method is treated as the protector's decrypter.
        /// </remarks>
        public static bool couldBeDecryptMethod(MethodDefinition method, IEnumerable<string> additionalTypes)
        {
            if (method.Body == null)
            {
                return false;
            }

            var methodLocals = new LocalTypes(method);

            // Fixed set first, then whatever the caller needs for its specific variant.
            var mustHave = new List<string>(new string[] {
                "System.Byte[]",
                "System.IO.MemoryStream",
                "System.Security.Cryptography.CryptoStream",
                "System.Security.Cryptography.ICryptoTransform",
            });
            mustHave.AddRange(additionalTypes);

            bool isCandidate = false;
            if (methodLocals.all(mustHave))
            {
                // One of the two managed AES classes has to be present as well.
                isCandidate = methodLocals.exists("System.Security.Cryptography.RijndaelManaged") ||
                              methodLocals.exists("System.Security.Cryptography.AesManaged");
            }

            return isCandidate;
        }
Exemplo n.º 3
        /// <summary>
        /// Sets <c>stringDecrypterVersion</c> from the types <c>LocalTypes</c> reports for
        /// <paramref name="method"/>: VER_38 when <c>System.IntPtr</c> is present, VER_37 otherwise.
        /// </summary>
        /// <param name="method">The string decrypter method to fingerprint.</param>
        void initializeStringDecrypterVersion(MethodDef method)
        {
            // The presence of an IntPtr is the only discriminator used here.
            bool usesIntPtr = new LocalTypes(method).exists("System.IntPtr");

            stringDecrypterVersion = usesIntPtr
                ? StringDecrypterVersion.VER_38
                : StringDecrypterVersion.VER_37;
        }
Exemplo n.º 4
        /// <summary>
        /// Heuristic filter for a static method that may decrypt an embedded resource with
        /// AES/Rijndael, judged by the types <c>LocalTypes</c> reports for it.
        /// </summary>
        /// <param name="method">Candidate method; must be static and have a body.</param>
        /// <param name="additionalTypes">Extra type names required on top of the built-in list.</param>
        /// <param name="checkResource">
        /// When <c>true</c>, the method is accepted only if
        /// <c>findMethodsDecrypterResource(method)</c> returns a non-null value.
        /// </param>
        /// <returns><c>true</c> when every check passes; otherwise <c>false</c>.</returns>
        /// <remarks>
        /// Passing <c>checkResource</c> narrows the match; without it the result rests on the
        /// type footprint alone and should be treated as a candidate, not a confirmation.
        /// </remarks>
        public bool couldBeResourceDecrypter(MethodDefinition method, IEnumerable <string> additionalTypes, bool checkResource)
        {
            if (!method.IsStatic || method.Body == null)
                return false;

            var locals = new LocalTypes(method);

            // Same footprint as the plain decrypt check, plus BinaryReader.
            var wanted = new List<string>();
            wanted.Add("System.Byte[]");
            wanted.Add("System.IO.BinaryReader");
            wanted.Add("System.IO.MemoryStream");
            wanted.Add("System.Security.Cryptography.CryptoStream");
            wanted.Add("System.Security.Cryptography.ICryptoTransform");
            wanted.AddRange(additionalTypes);

            if (!locals.all(wanted))
                return false;

            bool usesRijndaelOrAes =
                locals.exists("System.Security.Cryptography.RijndaelManaged") ||
                locals.exists("System.Security.Cryptography.AesManaged");
            if (!usesRijndaelOrAes)
                return false;

            // The resource lookup runs only when the caller asked for it.
            return !checkResource || findMethodsDecrypterResource(method) != null;
        }
Exemplo n.º 5
        /// <summary>
        /// Produces a best-guess .NET Reactor version label by fingerprinting the string
        /// decrypter, the methods decrypter and the compile method found on its declaring type.
        /// </summary>
        /// <returns>
        /// A display string such as ".NET Reactor 4.2" or a range such as ".NET Reactor &lt;= 3.7";
        /// plain ".NET Reactor" when the checks cannot narrow the version.
        /// </returns>
        /// <remarks>
        /// The label is inferred from type names, one integer constant and one string, so it
        /// is an estimate rather than an authoritative version.
        /// </remarks>
        string detectVersion()
        {
            /*
            Methods decrypter locals (not showing its own types):
            3.7.0.3:
                    "System.Byte[]"
                    "System.Int32"
                    "System.Int32[]"
                    "System.IntPtr"
                    "System.IO.BinaryReader"
                    "System.IO.MemoryStream"
                    "System.Object"
                    "System.Reflection.Assembly"
                    "System.Security.Cryptography.CryptoStream"
                    "System.Security.Cryptography.ICryptoTransform"
                    "System.Security.Cryptography.RijndaelManaged"
                    "System.String"

            3.9.8.0:
            -		"System.Int32[]"
            +		"System.Diagnostics.StackFrame"

            4.0.0.0: (jitter)
            -		"System.Diagnostics.StackFrame"
            -		"System.Object"
            +		"System.Boolean"
            +		"System.Collections.IEnumerator"
            +		"System.Delegate"
            +		"System.Diagnostics.Process"
            +		"System.Diagnostics.ProcessModule"
            +		"System.Diagnostics.ProcessModuleCollection"
            +		"System.IDisposable"
            +		"System.Int64"
            +		"System.UInt32"
            +		"System.UInt64"

            4.1.0.0: (jitter)
            +		"System.Reflection.Assembly"

            4.3.1.0: (jitter)
            +		"System.Byte&"
            */

            // Only the first string decrypter that carries a key is examined.
            bool stringDecrypterIs38OrLater = false;
            foreach (var decrypterInfo in stringDecrypter.DecrypterInfos)
            {
                if (decrypterInfo.key != null)
                {
                    if (!new LocalTypes(decrypterInfo.method).exists("System.IntPtr"))
                    {
                        return ".NET Reactor <= 3.7";
                    }
                    stringDecrypterIs38OrLater = true;
                    break;
                }
            }

            // No methods decrypter: the string decrypter result is all there is.
            if (methodsDecrypter.Method == null)
            {
                return stringDecrypterIs38OrLater ? ".NET Reactor >= 3.8" : ".NET Reactor";
            }

            // Built before the deobfuscate() calls below and reused after them.
            var decrypterLocals = new LocalTypes(methodsDecrypter.Method);

            if (decrypterLocals.exists("System.Int32[]"))
            {
                return stringDecrypterIs38OrLater
                    ? ".NET Reactor 3.8.4.1 - 3.9.0.1"
                    : ".NET Reactor <= 3.9.0.1";
            }

            // If < 4.0
            if (!decrypterLocals.exists("System.Diagnostics.Process") &&
                decrypterLocals.exists("System.Diagnostics.StackFrame"))
            {
                return ".NET Reactor 3.9.8.0";
            }

            var compileMethod = MethodsDecrypter.findDnrCompileMethod(methodsDecrypter.Method.DeclaringType);
            if (compileMethod == null)
            {
                return ".NET Reactor < 4.0";
            }

            // Each method is deobfuscated immediately before it is searched.
            DeobfuscatedFile.deobfuscate(compileMethod);
            bool compileMethodHasMarkerConstant = findConstant(compileMethod, 0x70000000);	// 4.0-4.1
            DeobfuscatedFile.deobfuscate(methodsDecrypter.Method);
            bool mentionsCorEnableProfiling = findString(methodsDecrypter.Method, "Cor_Enable_Profiling");	// 4.1-4.4

            if (compileMethodHasMarkerConstant)
            {
                return mentionsCorEnableProfiling ? ".NET Reactor 4.1" : ".NET Reactor 4.0";
            }
            if (!mentionsCorEnableProfiling)
            {
                return ".NET Reactor";
            }

            // 4.2-4.4
            if (!decrypterLocals.exists("System.Byte&"))
            {
                return ".NET Reactor 4.2";
            }

            return new LocalTypes(compileMethod).exists("System.Object")
                ? ".NET Reactor 4.4"
                : ".NET Reactor 4.3";
        }
Exemplo n.º 6
        /// <summary>
        /// Estimates the protector version and returns it as <c>DeobfuscatorInfo.THE_NAME</c>
        /// followed by a version or version range.
        /// </summary>
        /// <returns>
        /// The name plus a suffix such as " 4.2" or " &lt;= 3.7"; the bare name when the
        /// fingerprints do not narrow the version.
        /// </returns>
        /// <remarks>
        /// Every decision rests on type names, one integer constant and one string found in
        /// the decrypter code, so the result is a fingerprint-based estimate.
        /// </remarks>
        string detectVersion()
        {
            /*
             * Methods decrypter locals (not showing its own types):
             * 3.7.0.3:
             *		"System.Byte[]"
             *		"System.Int32"
             *		"System.Int32[]"
             *		"System.IntPtr"
             *		"System.IO.BinaryReader"
             *		"System.IO.MemoryStream"
             *		"System.Object"
             *		"System.Reflection.Assembly"
             *		"System.Security.Cryptography.CryptoStream"
             *		"System.Security.Cryptography.ICryptoTransform"
             *		"System.Security.Cryptography.RijndaelManaged"
             *		"System.String"
             *
             * 3.9.8.0:
             * -	"System.Int32[]"
             * +	"System.Diagnostics.StackFrame"
             *
             * 4.0.0.0: (jitter)
             * -	"System.Diagnostics.StackFrame"
             * -	"System.Object"
             * +	"System.Boolean"
             * +	"System.Collections.IEnumerator"
             * +	"System.Delegate"
             * +	"System.Diagnostics.Process"
             * +	"System.Diagnostics.ProcessModule"
             * +	"System.Diagnostics.ProcessModuleCollection"
             * +	"System.IDisposable"
             * +	"System.Int64"
             * +	"System.UInt32"
             * +	"System.UInt64"
             *
             * 4.1.0.0: (jitter)
             * +	"System.Reflection.Assembly"
             *
             * 4.3.1.0: (jitter)
             * +	"System.Byte&"
             */

            // Fingerprint the first string decrypter that has a key; later ones are ignored.
            bool atLeast38 = false;
            foreach (var info in stringDecrypter.DecrypterInfos)
            {
                if (info.key != null)
                {
                    var stringDecrypterLocals = new LocalTypes(info.method);
                    if (!stringDecrypterLocals.exists("System.IntPtr"))
                        return DeobfuscatorInfo.THE_NAME + " <= 3.7";
                    atLeast38 = true;
                    break;
                }
            }

            if (methodsDecrypter.Method == null)
            {
                if (atLeast38)
                    return DeobfuscatorInfo.THE_NAME + " >= 3.8";
                return DeobfuscatorInfo.THE_NAME;
            }

            // Captured here, ahead of the deobfuscate() calls, and consulted again afterwards.
            var methodsDecrypterLocals = new LocalTypes(methodsDecrypter.Method);

            if (methodsDecrypterLocals.exists("System.Int32[]"))
            {
                if (atLeast38)
                    return DeobfuscatorInfo.THE_NAME + " 3.8.4.1 - 3.9.0.1";
                return DeobfuscatorInfo.THE_NAME + " <= 3.9.0.1";
            }

            // If < 4.0
            if (!methodsDecrypterLocals.exists("System.Diagnostics.Process") &&
                methodsDecrypterLocals.exists("System.Diagnostics.StackFrame"))
                return DeobfuscatorInfo.THE_NAME + " 3.9.8.0";

            var compileMethod = MethodsDecrypter.findDnrCompileMethod(methodsDecrypter.Method.DeclaringType);
            if (compileMethod == null)
                return DeobfuscatorInfo.THE_NAME + " < 4.0";

            // Deobfuscate each method right before searching it for its marker.
            DeobfuscatedFile.deobfuscate(compileMethod);
            bool hasMarkerConstant = DeobUtils.hasInteger(compileMethod, 0x70000000);	// 4.0-4.1

            DeobfuscatedFile.deobfuscate(methodsDecrypter.Method);
            bool hasProfilingString = findString(methodsDecrypter.Method, "Cor_Enable_Profiling");	// 4.1-4.4

            if (hasMarkerConstant)
            {
                if (hasProfilingString)
                    return DeobfuscatorInfo.THE_NAME + " 4.1";
                return DeobfuscatorInfo.THE_NAME + " 4.0";
            }
            if (!hasProfilingString)
                return DeobfuscatorInfo.THE_NAME;

            // 4.2-4.4
            if (!methodsDecrypterLocals.exists("System.Byte&"))
                return DeobfuscatorInfo.THE_NAME + " 4.2";

            var compileMethodLocals = new LocalTypes(compileMethod);
            if (compileMethodLocals.exists("System.Object"))
                return DeobfuscatorInfo.THE_NAME + " 4.4";
            return DeobfuscatorInfo.THE_NAME + " 4.3";
        }