        /// <summary>
        /// Fingerprints the Confuser 1.4 r58564 layout of the native-method protector's
        /// runtime type. On a match the <c>version</c> field is set to
        /// <see cref="ConfuserVersion.v14_r58564"/>; on a miss nothing is written.
        /// </summary>
        /// <param name="type">Candidate runtime type emitted by the protector.</param>
        /// <param name="initMethod">Its initialiser, whose IL is scanned for calls and immediates.</param>
        /// <returns><c>true</c> when every check passes; otherwise <c>false</c>.</returns>
        bool CheckType_v14_r58564(TypeDef type, MethodDef initMethod)
        {
            // The protector must import VirtualProtect — it patches code in the loaded image,
            // which requires flipping page protection first (inferred from the API, not this code).
            var virtualProtect = DotNetUtils.GetPInvokeMethod(type, "VirtualProtect");
            if (virtualProtect is null)
                return false;

            // Marshal.GetHINSTANCE(Module) is the managed way to get the module's load address;
            // presumably that is the base the patcher walks.
            const string getHInstance = "System.IntPtr System.Runtime.InteropServices.Marshal::GetHINSTANCE(System.Reflection.Module)";

            // Checks are ordered as in the original signature; `&&` short-circuits on the first miss.
            // 224 (0xE0) / 240 (0xF0) are the PE32 / PE32+ optional-header sizes and 267 (0x10B)
            // the PE32 optional-header magic — consistent with the initialiser parsing a PE header,
            // but this is only a fingerprint, not a semantic check.
            bool matches =
                DotNetUtils.CallsMethod(initMethod, getHInstance)
                && ConfuserUtils.CountCalls(initMethod, virtualProtect) == 3
                && DeobUtils.HasInteger(initMethod, 224)
                && DeobUtils.HasInteger(initMethod, 240)
                && DeobUtils.HasInteger(initMethod, 267);

            if (!matches)
                return false;

            version = ConfuserVersion.v14_r58564;
            return true;
        }
        /// <summary>
        /// Recognises the Confuser 1.4–1.9 decrypter runtime type and pins <c>version</c> to the
        /// revision whose initialiser IL matches. Side effects: <c>decryptMethod</c> is assigned
        /// as soon as it is found, and stays assigned even if a later revision check fails.
        /// </summary>
        /// <param name="type">Candidate runtime type; <c>null</c> is rejected.</param>
        /// <param name="initMethod">The type's initialiser whose strings and calls are fingerprinted.</param>
        /// <returns><c>true</c> for a recognised layout; <c>false</c> otherwise.</returns>
        protected override bool CheckType(TypeDef type, MethodDef initMethod)
        {
            // Shape check: exactly three methods and a kernel32!VirtualProtect import.
            if (type is null || type.Methods.Count != 3)
                return false;

            var virtProtect = DotNetUtils.GetPInvokeMethod(type, "kernel32", "VirtualProtect");
            if (virtProtect is null || !DotNetUtils.HasString(initMethod, "Broken file"))
                return false;

            decryptMethod = FindDecryptMethod(type);
            if (decryptMethod is null)
                return false;

            const string fileStreamCtor = "System.Void System.IO.FileStream::.ctor(System.String,System.IO.FileMode,System.IO.FileAccess,System.IO.FileShare)";
            bool opensFileStream = DotNetUtils.CallsMethod(initMethod, fileStreamCtor);

            if (!DotNetUtils.HasString(initMethod, "Module error"))
            {
                version = ConfuserVersion.v14_r57884;
            }
            else if (virtProtect.IsPrivate && opensFileStream)
            {
                // r58564 / r58852 / r59014 differ only in how many Buffer.BlockCopy calls
                // the initialiser makes; 3 or more than 4 is not a known layout.
                int blockCopies = ConfuserUtils.CountCalls(initMethod, "System.Void System.Buffer::BlockCopy(System.Array,System.Int32,System.Array,System.Int32,System.Int32)");
                switch (blockCopies)
                {
                    case int n when n <= 1:
                        version = ConfuserVersion.v14_r58564;
                        break;
                    case 2:
                        version = ConfuserVersion.v14_r58852;
                        break;
                    case 4:
                        version = ConfuserVersion.v15_r59014;
                        break;
                    default:
                        return false;
                }
            }
            else if (opensFileStream)
            {
                version = ConfuserVersion.v14_r58004;
            }
            else if (DotNetUtils.CallsMethod(initMethod, "System.Int32 System.Object::GetHashCode()"))
            {
                version = DotNetUtils.HasString(initMethod, "<Unknown>")
                    ? ConfuserVersion.v17_r72989
                    : ConfuserVersion.v16_r71742;
            }
            else if (DotNetUtils.CallsMethod(decryptMethod, "System.Security.Cryptography.Rijndael System.Security.Cryptography.Rijndael::Create()"))
            {
                // r73605 is the only revision here whose decrypter instantiates Rijndael directly.
                version = ConfuserVersion.v17_r73605;
            }
            else if (DotNetUtils.HasString(initMethod, "<Unknown>"))
            {
                version = ConfuserVersion.v18_r75288;
            }
            else
            {
                version = ConfuserVersion.v19_r75725;
            }

            return true;
        }
		/// <summary>
		/// Finds the Confuser proxy (delegate) creator methods on the module's global type,
		/// classifies each by proxy kind and Confuser revision, records a <c>ProxyCreatorInfo</c>
		/// for it, and raises <c>version</c> to the newest revision seen.
		/// Returns nothing; results go to <c>methodToInfo</c>, <c>foundNewobjProxy</c>,
		/// <c>callvirtChar</c> and <c>version</c>.
		/// </summary>
		/// <param name="simpleDeobfuscator">Used to normalise each candidate's IL before the pattern scans.</param>
		public void FindDelegateCreator(ISimpleDeobfuscator simpleDeobfuscator) {
			var type = DotNetUtils.GetModuleType(module);
			if (type == null)
				return;
			foreach (var method in type.Methods) {
				// Only bodied, static, assembly-visible (internal) methods are candidates.
				if (method.Body == null || !method.IsStatic || !method.IsAssembly)
					continue;
				var theVersion = ConfuserVersion.Unknown;

				// Two creator signatures exist; anything else on the global type is skipped.
				if (DotNetUtils.IsMethod(method, "System.Void", "(System.String,System.RuntimeFieldHandle)"))
					theVersion = ConfuserVersion.v10_r42915;
				else if (DotNetUtils.IsMethod(method, "System.Void", "(System.RuntimeFieldHandle)"))
					theVersion = ConfuserVersion.v10_r48717;
				else
					continue;

				var proxyType = GetProxyCreatorType(method, simpleDeobfuscator, out int tmpVer);
				if (proxyType == ProxyCreatorType.None)
					continue;
				if (proxyType == ProxyCreatorType.Newobj)
					foundNewobjProxy = true;

				// Normalise the IL so the CallsMethod / HasFieldReference / FindMagic_* scans below
				// see a predictable shape; the constants folder's extra instructions are kept.
				simpleDeobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
				MethodDef nativeMethod = null;
				// `magic` is an out-var declared in the condition; with C# 7 scoping it remains
				// in scope for the whole loop body and is stored at the bottom regardless of
				// which branch (if any) assigned a meaningful value.
				if (FindMagic_v14_r58564(method, out uint magic)) {
					if (!DotNetUtils.CallsMethod(method, "System.Byte[] System.Convert::FromBase64String(System.String)")) {
						if (!IsMethodCreator_v14_r58802(method, proxyType))
							theVersion = ConfuserVersion.v14_r58564;
						else
							theVersion = ConfuserVersion.v14_r58802;
					}
					else if (DotNetUtils.CallsMethod(method, "System.Reflection.Module System.Reflection.MemberInfo::get_Module()"))
						theVersion = ConfuserVersion.v17_r73479;
					else if (proxyType != ProxyCreatorType.CallOrCallvirt || !HasFieldReference(method, "System.Reflection.Emit.OpCode System.Reflection.Emit.OpCodes::Castclass"))
						theVersion = ConfuserVersion.v14_r58857;
					// Past the previous test proxyType is necessarily CallOrCallvirt, so the
					// explicit == checks in the next two branches are redundant but harmless.
					else if (proxyType == ProxyCreatorType.CallOrCallvirt && DotNetUtils.CallsMethod(method, "System.Void System.Reflection.Emit.DynamicMethod::.ctor(System.String,System.Type,System.Type[],System.Boolean)"))
						theVersion = ConfuserVersion.v16_r66631;
					else if (proxyType == ProxyCreatorType.CallOrCallvirt)
						theVersion = ConfuserVersion.v16_r70489;
				}
				else if (!DotNetUtils.CallsMethod(method, "System.Byte[] System.Convert::FromBase64String(System.String)") &&
					DotNetUtils.CallsMethod(method, "System.Reflection.MethodBase System.Reflection.Module::ResolveMethod(System.Int32)")) {
					// callvirtChar is an instance field: the value found here is what the
					// ProxyCreatorInfo below records, and a miss skips the candidate entirely.
					if (proxyType == ProxyCreatorType.CallOrCallvirt && !FindCallvirtChar(method, out callvirtChar))
						continue;
					// Precedence note: `a || b ? x : y` parses as `(a || b) ? x : y`.
					if ((nativeMethod = FindNativeMethod_v18_r75367(method)) != null)
						theVersion = proxyType != ProxyCreatorType.CallOrCallvirt || callvirtChar == 9 ? ConfuserVersion.v18_r75367_native : ConfuserVersion.v18_r75369_native;
					else if (FindMagic_v18_r75367(method, out magic))
						theVersion = proxyType != ProxyCreatorType.CallOrCallvirt || callvirtChar == 9 ? ConfuserVersion.v18_r75367_normal : ConfuserVersion.v18_r75369_normal;
					else if (FindMagic_v19_r76101(method, out magic))
						CommonCheckVersion19(method, true, tmpVer, ref theVersion);
					else if ((nativeMethod = FindNativeMethod_v19_r76101(method)) != null)
						CommonCheckVersion19(method, false, tmpVer, ref theVersion);
					else {
						// 1.1–1.3 revisions: these tests are cumulative, not exclusive — each later
						// match overwrites the earlier assignment, so the last matching test wins.
						if (proxyType == ProxyCreatorType.CallOrCallvirt && !DotNetUtils.CallsMethod(method, "System.Int32 System.String::get_Length()"))
							theVersion = ConfuserVersion.v11_r50378;
						int numCalls = ConfuserUtils.CountCalls(method, "System.Byte[] System.Text.Encoding::GetBytes(System.Char[],System.Int32,System.Int32)");
						if (numCalls == 2)
							theVersion = ConfuserVersion.v12_r54564;
						if (!DotNetUtils.CallsMethod(method, "System.Reflection.Assembly System.Reflection.Assembly::Load(System.Reflection.AssemblyName)"))
							theVersion = ConfuserVersion.v13_r55346;
						if (DotNetUtils.CallsMethod(method, "System.Void System.Runtime.CompilerServices.RuntimeHelpers::RunClassConstructor(System.RuntimeTypeHandle)"))
							theVersion = ConfuserVersion.v13_r55604;
					}
				}
				else if (Is_v17_r73740(method)) {
					// 1.7 family: each of r73740 and r74708 has a "native" and a "normal" variant;
					// a Type.get_IsArray call marks the later revision. No match at all → skip.
					if (DotNetUtils.CallsMethod(method, "System.Boolean System.Type::get_IsArray()")) {
						if ((nativeMethod = FindNativeMethod_v17_r73740(method)) != null)
							theVersion = ConfuserVersion.v17_r74708_native;
						else if (FindMagic_v17_r73740(method, out magic))
							theVersion = ConfuserVersion.v17_r74708_normal;
						else
							continue;
					}
					else {
						if ((nativeMethod = FindNativeMethod_v17_r73740(method)) != null)
							theVersion = ConfuserVersion.v17_r73740_native;
						else if (FindMagic_v17_r73740(method, out magic))
							theVersion = ConfuserVersion.v17_r73740_normal;
						else
							continue;
					}
				}
				else if (theVersion == ConfuserVersion.v10_r42915) {
					// 0x06000000 is presumably the MethodDef metadata-token base (table 0x06);
					// its presence as an immediate distinguishes r42919 from r42915.
					if (DeobUtils.HasInteger(method, 0x06000000))
						theVersion = ConfuserVersion.v10_r42919;
				}

				SetDelegateCreatorMethod(method);
				methodToInfo.Add(method, new ProxyCreatorInfo(method, proxyType, theVersion, magic, nativeMethod, callvirtChar));
				// Keep the overall version at the newest revision seen; this relies on the
				// ConfuserVersion members being declared in chronological order.
				version = (ConfuserVersion)Math.Max((int)version, (int)theVersion);
			}
		}
        /// <summary>
        /// Fingerprints the r58852-and-later layouts of the native-method protector's runtime
        /// type (1.4 r58852 through 1.9 r76186) and pins <c>version</c> to the matching revision.
        /// </summary>
        /// <param name="type">Candidate runtime type emitted by the protector.</param>
        /// <param name="initMethod">Its initialiser, scanned for calls, immediates and opcodes.</param>
        /// <returns><c>true</c> on a recognised layout; <c>false</c> otherwise (<c>version</c> untouched).</returns>
        bool CheckType_v14_r58852(TypeDef type, MethodDef initMethod)
        {
            var virtualProtect = DotNetUtils.GetPInvokeMethod(type, "VirtualProtect");
            if (virtualProtect is null)
                return false;
            if (!DotNetUtils.CallsMethod(initMethod, "System.IntPtr System.Runtime.InteropServices.Marshal::GetHINSTANCE(System.Reflection.Module)"))
                return false;

            // Only two call counts are known layouts; everything downstream branches on this.
            int protectCalls = ConfuserUtils.CountCalls(initMethod, virtualProtect);
            if (protectCalls != 14 && protectCalls != 16)
                return false;

            // Required immediates, checked in the original order. 0x3C is presumably e_lfanew
            // (the DOS-header field holding the PE-signature offset). The four dwords are
            // little-endian ASCII: 0x6c64746e "ntdl", 0x6c642e6c "l.dl", 0x6f43744e "NtCo",
            // 0x6e69746e "ntin" — i.e. "ntdll.dll" and "NtContinue" assembled from integer
            // constants, presumably so the strings never appear in the user-string heap.
            int[] requiredImmediates = { 0x3C, 0x6c64746e, 0x6c642e6c, 0x6f43744e, 0x6e69746e };
            foreach (int immediate in requiredImmediates)
            {
                if (!DeobUtils.HasInteger(initMethod, immediate))
                    return false;
            }

            int locallocCount = ConfuserUtils.CountOpCode(initMethod, Code.Localloc);

            // Revision selection: the 0x18 immediate wins outright, then the VirtualProtect
            // call count, then (for 14 calls) the number of localloc opcodes.
            if (DeobUtils.HasInteger(initMethod, 0x18))
            {
                version = ConfuserVersion.v14_r58852;
                return true;
            }
            if (protectCalls == 16)
            {
                version = ConfuserVersion.v16_r69339;
                return true;
            }

            // protectCalls == 14 here — the only other value that passed the guard above.
            switch (locallocCount)
            {
                case 2:
                    version = ConfuserVersion.v17_r74708;
                    return true;
                case 1:
                    if (DotNetUtils.HasString(initMethod, "<Unknown>"))
                        version = ConfuserVersion.v18_r75257;
                    else if (IsRev75725(initMethod))
                        version = ConfuserVersion.v19_r75725;
                    else
                        version = ConfuserVersion.v19_r76186;
                    return true;
                default:
                    return false;
            }
        }
        /// <summary>
        /// Recognises the "safe" variant of Confuser's anti-debug/anti-profiler runtime and pins
        /// <c>version</c> to the matching revision. Two layouts exist: the guard embedded in the
        /// module's global type (r57588), and a dedicated type that imports the NT
        /// process-information APIs (r61954 and later).
        /// </summary>
        /// <param name="type">Type holding the anti-debug code.</param>
        /// <param name="initMethod">Its initialiser, used both for string scans and to locate the worker.</param>
        /// <returns><c>true</c> on a recognised layout; <c>false</c> otherwise.</returns>
        bool CheckMethod_safe(TypeDef type, MethodDef initMethod)
        {
            // Layout 1: the guard lives directly on the global type.
            if (type == DotNetUtils.GetModuleType(module))
            {
                bool isModuleGuard =
                    DotNetUtils.HasString(initMethod, "Debugger detected (Managed)")
                    && CheckProfilerStrings1(initMethod);
                if (!isModuleGuard)
                    return false;

                version = ConfuserVersion.v14_r57588_safe;
                return true;
            }

            // Layout 2: a dedicated type. NtQueryInformationProcess / NtSetInformationProcess
            // are the usual user-mode debugger-detection primitives; all three imports must exist.
            var ntQueryInformationProcess = DotNetUtils.GetPInvokeMethod(type, "ntdll", "NtQueryInformationProcess");
            if (ntQueryInformationProcess is null
                || DotNetUtils.GetPInvokeMethod(type, "ntdll", "NtSetInformationProcess") is null
                || DotNetUtils.GetPInvokeMethod(type, "kernel32", "CloseHandle") is null)
                return false;

            var antiDebugMethod = GetAntiDebugMethod(type, initMethod);
            if (antiDebugMethod is null)
                return false;

            const string parameterizedThreadCtor = "System.Void System.Threading.Thread::.ctor(System.Threading.ParameterizedThreadStart)";
            bool hasDebuggerStrings =
                DotNetUtils.HasString(antiDebugMethod, "Debugger detected (Managed)")
                || DotNetUtils.HasString(antiDebugMethod, "Debugger is detected (Managed)");

            // Common shape of every "safe" revision: the initialiser spawns a worker thread,
            // the worker never calls NtQueryInformationProcess, one of the two profiler
            // string sets is present, and the worker calls Environment.FailFast exactly twice.
            if (!DotNetUtils.CallsMethod(initMethod, parameterizedThreadCtor))
                return false;
            if (ConfuserUtils.CountCalls(antiDebugMethod, ntQueryInformationProcess) != 0)
                return false;
            if (!CheckProfilerStrings1(initMethod) && !CheckProfilerStrings2(initMethod))
                return false;
            if (ConfuserUtils.CountCalls(antiDebugMethod, "System.Void System.Environment::FailFast(System.String)") != 2)
                return false;

            // r78363 dropped the "Debugger detected" strings altogether.
            if (!hasDebuggerStrings)
            {
                version = ConfuserVersion.v19_r78363_safe;
                return true;
            }

            if (!DotNetUtils.CallsMethod(antiDebugMethod, parameterizedThreadCtor))
                version = ConfuserVersion.v16_r61954_safe;
            else if (DotNetUtils.GetPInvokeMethod(type, "IsDebuggerPresent") is null)
                version = ConfuserVersion.v17_r73822_safe;
            else if (CheckProfilerStrings1(initMethod))
                version = ConfuserVersion.v17_r74021_safe;
            else
                version = ConfuserVersion.v19_r76119_safe;

            return true;
        }
        /// <summary>
        /// Recognises the "normal" variant of Confuser's anti-debug/anti-profiler runtime and pins
        /// <c>version</c> to the matching revision (1.4 r57588 through 1.9 r78363).
        /// </summary>
        /// <param name="type">Type holding the anti-debug code; must import the NT process APIs and CloseHandle.</param>
        /// <param name="initMethod">Its initialiser, used for call/string scans and to locate the worker method.</param>
        /// <returns><c>true</c> on a recognised layout; <c>false</c> otherwise (<c>version</c> untouched).</returns>
        bool CheckMethod_normal(TypeDef type, MethodDef initMethod)
        {
            // All revisions import NtQueryInformationProcess / NtSetInformationProcess (the usual
            // user-mode debugger-detection primitives) plus CloseHandle.
            var ntQueryInformationProcess = DotNetUtils.GetPInvokeMethod(type, "ntdll", "NtQueryInformationProcess");
            if (ntQueryInformationProcess is null
                || DotNetUtils.GetPInvokeMethod(type, "ntdll", "NtSetInformationProcess") is null
                || DotNetUtils.GetPInvokeMethod(type, "kernel32", "CloseHandle") is null)
                return false;

            var antiDebugMethod = GetAntiDebugMethod(type, initMethod);
            if (antiDebugMethod is null)
                return false;

            bool hasDebuggerStrings = DotNetUtils.HasString(antiDebugMethod, "Debugger detected (Managed)");
            const string parameterizedThreadCtor = "System.Void System.Threading.Thread::.ctor(System.Threading.ParameterizedThreadStart)";

            if (!DotNetUtils.CallsMethod(initMethod, parameterizedThreadCtor))
            {
                // 1.4 layouts: no ParameterizedThreadStart thread in the initialiser. r60785 is told
                // apart from r57588 by a ThreadStart(object, IntPtr) delegate construction —
                // the constructor `new ThreadStart(m)` compiles to. Both share the same checks.
                bool usesThreadStartDelegate = DotNetUtils.CallsMethod(initMethod, "System.Void System.Threading.ThreadStart::.ctor(System.Object,System.IntPtr)");
                if (!hasDebuggerStrings
                    || !DotNetUtils.CallsMethod(initMethod, "System.Void System.Diagnostics.Process::EnterDebugMode()")
                    || !CheckProfilerStrings1(antiDebugMethod))
                    return false;

                version = usesThreadStartDelegate
                    ? ConfuserVersion.v14_r60785_normal
                    : ConfuserVersion.v14_r57588_normal;
                return true;
            }

            // 1.6+ layouts: the worker is started on a ParameterizedThreadStart thread and calls
            // Environment.FailFast six or eight times; the profiler strings sit in the initialiser.
            int failFastCalls = ConfuserUtils.CountCalls(antiDebugMethod, "System.Void System.Environment::FailFast(System.String)");
            if ((failFastCalls != 6 && failFastCalls != 8) || !CheckProfilerStrings1(initMethod))
                return false;

            // NtQueryInformationProcess call count is a pure IL scan; compute it once.
            int ntQueryCalls = ConfuserUtils.CountCalls(antiDebugMethod, ntQueryInformationProcess);

            if (!DotNetUtils.CallsMethod(antiDebugMethod, parameterizedThreadCtor))
            {
                // r61954: the worker itself does not spawn a thread and polls
                // NtQueryInformationProcess twice.
                if (!hasDebuggerStrings || ntQueryCalls != 2)
                    return false;
                version = ConfuserVersion.v16_r61954_normal;
                return true;
            }

            switch (failFastCalls)
            {
                case 8:
                    if (!hasDebuggerStrings || ntQueryCalls != 2)
                        return false;
                    version = ConfuserVersion.v17_r73822_normal;
                    return true;
                case 6:
                    // From r74021 the worker no longer calls NtQueryInformationProcess and the
                    // type P/Invokes IsDebuggerPresent instead; r78363 additionally drops the
                    // "Debugger detected" string.
                    if (DotNetUtils.GetPInvokeMethod(type, "IsDebuggerPresent") is null || ntQueryCalls != 0)
                        return false;
                    version = hasDebuggerStrings
                        ? ConfuserVersion.v17_r74021_normal
                        : ConfuserVersion.v19_r78363_normal;
                    return true;
                default:
                    // Unreachable: the guard above already restricted failFastCalls to 6 or 8.
                    return false;
            }
        }