static bool FindKey0_v18_r75369(DecrypterInfo info) { var instrs = info.method.Body.Instructions; for (int i = 0; i < instrs.Count - 4; i++) { if (!instrs[i].IsLdloc()) { continue; } if (instrs[i + 1].OpCode.Code != Code.Xor) { continue; } var ldci4 = instrs[i + 2]; if (!ldci4.IsLdcI4()) { continue; } if (instrs[i + 3].OpCode.Code != Code.Conv_U8) { continue; } if (instrs[i + 4].OpCode.Code != Code.Mul) { continue; } info.key0 = (uint)ldci4.GetLdcI4Value(); return(true); } return(false); }
bool FindKeys(DecrypterInfo info) { switch (version) { case ConfuserVersion.v18_r75367_normal: case ConfuserVersion.v18_r75367_dynamic: case ConfuserVersion.v18_r75367_native: return(FindKeys_v18_r75367(info)); case ConfuserVersion.v18_r75369_normal: case ConfuserVersion.v18_r75369_dynamic: case ConfuserVersion.v18_r75369_native: case ConfuserVersion.v19_r77172_normal: case ConfuserVersion.v19_r77172_dynamic: case ConfuserVersion.v19_r77172_native: case ConfuserVersion.v19_r78056_normal: case ConfuserVersion.v19_r78056_dynamic: case ConfuserVersion.v19_r78056_native: case ConfuserVersion.v19_r78363_normal: case ConfuserVersion.v19_r78363_dynamic: case ConfuserVersion.v19_r78363_native: case ConfuserVersion.v19_r79630_normal: case ConfuserVersion.v19_r79630_dynamic: case ConfuserVersion.v19_r79630_native: return(FindKeys_v18_r75369(info)); default: throw new ApplicationException("Invalid version"); } }
protected byte[] DecryptConstant_v17_r73740_dynamic(DecrypterInfo info, byte[] encrypted, uint offs, uint key1, byte[] key2) { var local = GetDynamicLocal_v17_r73740(info.decryptMethod); if (local == null) { throw new ApplicationException("Could not find local"); } int endIndex = GetDynamicEndIndex_v17_r73740(info.decryptMethod, local); if (endIndex < 0) { endIndex = GetDynamicEndIndex_v17_r74788(info.decryptMethod, local); } int startIndex = GetDynamicStartIndex_v17_r73740(info.decryptMethod, endIndex); if (startIndex < 0) { throw new ApplicationException("Could not find start/end index"); } var constReader = new ConstantsReader(info.decryptMethod); return(Decrypt(encrypted, key1, (magic, i) => { constReader.SetConstantInt32(local, magic); int index = startIndex, result; if (!constReader.GetNextInt32(ref index, out result) || index != endIndex) { throw new ApplicationException("Could not decrypt integer"); } return (byte)(result ^ key2[i % key2.Length]); })); }
static bool FindLKeys_v18_r75369(DecrypterInfo info) { var instrs = info.method.Body.Instructions; for (int i = 0; i < instrs.Count - 8; i++) { var ldci8_1 = instrs[i]; if (ldci8_1.OpCode.Code != Code.Ldc_I8) continue; if (!instrs[i + 1].IsLdloc()) continue; if (instrs[i + 2].OpCode.Code != Code.Conv_U8) continue; if (instrs[i + 3].OpCode.Code != Code.Mul) continue; if (!instrs[i + 4].IsStloc()) continue; var ldci8_2 = instrs[i + 5]; if (ldci8_2.OpCode.Code != Code.Ldc_I8) continue; if (!instrs[i + 6].IsStloc()) continue; var ldci8_3 = instrs[i + 7]; if (ldci8_3.OpCode.Code != Code.Ldc_I8) continue; if (!instrs[i + 8].IsStloc()) continue; info.key0l = (ulong)(long)ldci8_1.Operand; info.key1l = (ulong)(long)ldci8_2.Operand; info.key2l = (ulong)(long)ldci8_3.Operand; return true; } return false; }
static bool FindKey0d_v18_r75367(DecrypterInfo info) { var instrs = info.method.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { int index = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Int32 System.Reflection.MemberInfo::get_MetadataToken()"); if (index < 0) { break; } int index2 = ConfuserUtils.FindCallMethod(instrs, index, Code.Call, "System.Byte[] System.BitConverter::GetBytes(System.Int32)"); if (index2 < 0) { break; } if (index2 - index != 3) { continue; } var ldci4 = instrs[index + 1]; if (!ldci4.IsLdcI4()) { continue; } if (instrs[index + 2].OpCode.Code != Code.Xor) { continue; } info.key0d = (uint)ldci4.GetLdcI4Value(); return(true); } return(false); }
bool InitializeFields(DecrypterInfo info) { switch (version) { case ConfuserVersion.v17_r73822_normal: case ConfuserVersion.v17_r73822_dynamic: case ConfuserVersion.v17_r73822_native: case ConfuserVersion.v17_r74021_dynamic: case ConfuserVersion.v17_r74021_native: if (!Add(ConstantsDecrypterUtils.FindDictField(info.decryptMethod, info.decryptMethod.DeclaringType))) { return(false); } if (!Add(ConstantsDecrypterUtils.FindMemoryStreamField(info.decryptMethod, info.decryptMethod.DeclaringType))) { return(false); } break; default: break; } return(true); }
byte[] DecryptConstant(DecrypterInfo info, byte[] encrypted, uint offs) { switch (version) { case ConfuserVersion.v15_r60785_normal: return(DecryptConstant_v15_r60785_normal(info, encrypted, offs)); case ConfuserVersion.v15_r60785_dynamic: return(DecryptConstant_v15_r60785_dynamic(info, encrypted, offs)); case ConfuserVersion.v17_r72989_dynamic: return(DecryptConstant_v15_r60785_dynamic(info, encrypted, offs)); case ConfuserVersion.v17_r73404_normal: return(DecryptConstant_v17_r73404_normal(info, encrypted, offs)); case ConfuserVersion.v17_r73740_dynamic: return(DecryptConstant_v17_r73740_dynamic(info, encrypted, offs, 0)); case ConfuserVersion.v17_r73764_dynamic: return(DecryptConstant_v17_r73740_dynamic(info, encrypted, offs, 0)); case ConfuserVersion.v17_r73764_native: return(DecryptConstant_v17_r73764_native(info, encrypted, offs, 0)); case ConfuserVersion.v17_r73822_normal: return(DecryptConstant_v17_r73404_normal(info, encrypted, offs)); case ConfuserVersion.v17_r73822_dynamic: return(DecryptConstant_v17_r73740_dynamic(info, encrypted, offs, 0)); case ConfuserVersion.v17_r73822_native: return(DecryptConstant_v17_r73764_native(info, encrypted, offs, 0)); case ConfuserVersion.v17_r74021_dynamic: return(DecryptConstant_v17_r73740_dynamic(info, encrypted, offs, 0)); case ConfuserVersion.v17_r74021_native: return(DecryptConstant_v17_r73764_native(info, encrypted, offs, 0)); default: throw new ApplicationException("Invalid version"); } }
void FreePEImage() { if (decrypterInfo != null) { decrypterInfo.Dispose(); } decrypterInfo = null; }
public void Find(ISimpleDeobfuscator simpleDeobfuscator) { var additionalTypes = new string[] { "System.String", }; EmbeddedResource stringsResource = null; foreach (var type in module.Types) { if (decrypterInfos.Count > 0) { break; } if (type.BaseType == null || type.BaseType.FullName != "System.Object") { continue; } foreach (var method in type.Methods) { if (!method.IsStatic || !method.HasBody) { continue; } if (!DotNetUtils.IsMethod(method, "System.String", "(System.Int32)")) { continue; } if (!encryptedResource.CouldBeResourceDecrypter(method, additionalTypes)) { continue; } var resource = DotNetUtils.GetResource(module, DotNetUtils.GetCodeStrings(method)) as EmbeddedResource; if (resource == null) { throw new ApplicationException("Could not find strings resource"); } if (stringsResource != null && stringsResource != resource) { throw new ApplicationException("Two different string resources found"); } stringsResource = resource; encryptedResource.Method = method; var info = new DecrypterInfo(method, null, null); simpleDeobfuscator.Deobfuscate(info.method); FindKeyIv(info.method, out info.key, out info.iv); decrypterInfos.Add(info); } } if (decrypterInfos.Count > 0) { FindOtherStringDecrypter(decrypterInfos[0].method.DeclaringType); } }
static bool FindKeys_v18_r75369(DecrypterInfo info) { if (!FindLKeys_v18_r75369(info)) return false; if (!FindKey0_v18_r75369(info)) return false; if (!FindKey0d_v18_r75367(info)) return false; return true; }
DecrypterInfo CreateDecrypterInfo(MethodDef method) { if (!IsDecryptMethodSignature(method)) return null; simpleDeobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs); var info = new DecrypterInfo(this, method, version); if (!FindKeys(info)) return null; return info; }
byte[] DecryptConstant_v15_r60785_normal(DecrypterInfo info, byte[] encrypted, uint offs) { var rand = new Random((int)(info.key0 ^ offs)); var decrypted = new byte[encrypted.Length]; rand.NextBytes(decrypted); for (int i = 0; i < decrypted.Length; i++) { decrypted[i] ^= encrypted[i]; } return(decrypted); }
public override IDeobfuscator ModuleReloaded(ModuleDefMD module) { var newOne = new Deobfuscator(options); newOne.SetModule(module); newOne.mainType = new MainType(module, mainType); newOne.decrypterInfo = decrypterInfo; decrypterInfo = null; if (newOne.decrypterInfo != null) { newOne.decrypterInfo.mainType = newOne.mainType; } return(newOne); }
static bool FindKeys_v18_r75369(DecrypterInfo info) { if (!FindLKeys_v18_r75369(info)) { return(false); } if (!FindKey0_v18_r75369(info)) { return(false); } if (!FindKey0d_v18_r75367(info)) { return(false); } return(true); }
public void Find() { var cctor = DotNetUtils.GetModuleTypeCctor(module); if (cctor == null) return; simpleDeobfuscator.Deobfuscate(cctor, SimpleDeobfuscatorFlags.Force | SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs); if ((dictField = ConstantsDecrypterUtils.FindDictField(cctor, cctor.DeclaringType)) == null) return; if ((dataField = ConstantsDecrypterUtils.FindDataField_v18_r75367(cctor, cctor.DeclaringType)) == null && (dataField = ConstantsDecrypterUtils.FindDataField_v19_r77172(cctor, cctor.DeclaringType)) == null) return; nativeMethod = FindNativeMethod(cctor, cctor.DeclaringType); var method = GetDecryptMethod(); if (method == null) return; simpleDeobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs); var info = new DecrypterInfo(this, method, ConfuserVersion.Unknown); if (FindKeys_v18_r75367(info)) InitVersion(cctor, ConfuserVersion.v18_r75367_normal, ConfuserVersion.v18_r75367_dynamic, ConfuserVersion.v18_r75367_native); else if (FindKeys_v18_r75369(info)) { lzmaType = ConfuserUtils.FindLzmaType(cctor); if (lzmaType == null) InitVersion(cctor, ConfuserVersion.v18_r75369_normal, ConfuserVersion.v18_r75369_dynamic, ConfuserVersion.v18_r75369_native); else if (!DotNetUtils.CallsMethod(method, "System.Void System.Threading.Monitor::Exit(System.Object)")) InitVersion(cctor, ConfuserVersion.v19_r77172_normal, ConfuserVersion.v19_r77172_dynamic, ConfuserVersion.v19_r77172_native); else if (DotNetUtils.CallsMethod(method, "System.Void System.Diagnostics.StackFrame::.ctor(System.Int32)")) InitVersion(cctor, ConfuserVersion.v19_r78363_normal, ConfuserVersion.v19_r78363_dynamic, ConfuserVersion.v19_r78363_native); else { int index1 = ConfuserUtils.FindCallMethod(cctor.Body.Instructions, 0, Code.Callvirt, "System.Reflection.Module System.Reflection.MemberInfo::get_Module()"); int index2 = ConfuserUtils.FindCallMethod(cctor.Body.Instructions, 0, Code.Callvirt, "System.Int32 System.Reflection.MemberInfo::get_MetadataToken()"); if (index1 < 0 || index2 < 0) { } if (index2 - index1 == 3) InitVersion(cctor, ConfuserVersion.v19_r78056_normal, ConfuserVersion.v19_r78056_dynamic, ConfuserVersion.v19_r78056_native); else if (index2 - index1 == -4) InitVersion(cctor, ConfuserVersion.v19_r79630_normal, ConfuserVersion.v19_r79630_dynamic, ConfuserVersion.v19_r79630_native); } } else return; installMethod = cctor; }
protected override byte[] DecryptData(DecrypterInfo info, MethodDef caller, object[] args, out byte typeCode) { uint offs = info.CalcHash(caller.MDToken.ToUInt32()) ^ (uint)args[0]; reader.Position = offs; typeCode = reader.ReadByte(); if (typeCode != info.int32Type && typeCode != info.int64Type && typeCode != info.singleType && typeCode != info.doubleType && typeCode != info.stringType) { throw new ApplicationException("Invalid type code"); } var encrypted = reader.ReadBytes(reader.ReadInt32()); return(DecryptConstant(info, encrypted, offs)); }
byte[] DecryptConstant_v15_r60785_dynamic(DecrypterInfo info, byte[] encrypted, uint offs) { var instrs = info.decryptMethod.Body.Instructions; int startIndex = GetDynamicStartIndex_v15_r60785(instrs); int endIndex = GetDynamicEndIndex_v15_r60785(instrs, startIndex); if (endIndex < 0) { throw new ApplicationException("Could not find start/endIndex"); } var dataReader = ByteArrayDataReaderFactory.CreateReader(encrypted); var decrypted = new byte[dataReader.ReadInt32()]; var constReader = new Arg64ConstantsReader(instrs, false); ConfuserUtils.DecryptCompressedInt32Data(constReader, startIndex, endIndex, ref dataReader, decrypted); return(decrypted); }
static bool FindKey0_v18_r75367(DecrypterInfo info) { var instrs = info.method.Body.Instructions; for (int i = 0; i < instrs.Count - 4; i++) { if (instrs[i].OpCode.Code != Code.Xor) continue; var ldci4 = instrs[i + 1]; if (!ldci4.IsLdcI4()) continue; if (instrs[i + 2].OpCode.Code != Code.Conv_I8) continue; if (instrs[i + 3].OpCode.Code != Code.Mul) continue; if (instrs[i + 4].OpCode.Code != Code.Add) continue; info.key0 = (uint)ldci4.GetLdcI4Value(); return true; } return false; }
public override bool GetDecryptedModule(int count, ref byte[] newFileData, ref DumpedMethods dumpedMethods) { if (count != 0 || !mainType.Detected) { return(false); } var fileData = DeobUtils.ReadModule(module); decrypterInfo = new DecrypterInfo(mainType, fileData); var methodsDecrypter = new MethodsDecrypter(module, decrypterInfo); if (!methodsDecrypter.Decrypt(ref dumpedMethods)) { return(false); } newFileData = fileData; return(true); }
static bool FindLKeys_v18_r75367(DecrypterInfo info) { var instrs = info.method.Body.Instructions; for (int i = 0; i < instrs.Count - 10; i++) { var ldci4_1 = instrs[i]; if (!ldci4_1.IsLdcI4()) continue; if (!instrs[i + 1].IsLdloc()) continue; if (instrs[i + 2].OpCode.Code != Code.Xor) continue; if (instrs[i + 3].OpCode.Code != Code.Conv_U8) continue; if (!instrs[i + 4].IsStloc()) continue; var ldci4_2 = instrs[i + 5]; if (!ldci4_2.IsLdcI4()) continue; if (instrs[i + 6].OpCode.Code != Code.Conv_I8) continue; if (!instrs[i + 7].IsStloc()) continue; var ldci4_3 = instrs[i + 8]; if (!ldci4_3.IsLdcI4()) continue; if (instrs[i + 9].OpCode.Code != Code.Conv_I8) continue; if (!instrs[i + 10].IsStloc()) continue; info.key0l = (uint)ldci4_1.GetLdcI4Value(); info.key1l = (uint)ldci4_2.GetLdcI4Value(); info.key2l = (uint)ldci4_3.GetLdcI4Value(); return true; } return false; }
public void Find() { var type = DotNetUtils.GetModuleType(module); if (type == null) { return; } foreach (var method in type.Methods) { if (!method.IsStatic || method.Body == null) { continue; } if (!DotNetUtils.IsMethod(method, "System.Object", "(System.UInt32)")) { continue; } var info = new DecrypterInfo(); var localTypes = new LocalTypes(method); if (localTypes.All(requiredLocals1)) { if (localTypes.Exists("System.Collections.BitArray")) // or System.Random { version = ConfuserVersion.v15_r60785_normal; } else if (DeobUtils.HasInteger(method, 0x100) && DeobUtils.HasInteger(method, 0x10000) && DeobUtils.HasInteger(method, 0xFFFF)) { version = ConfuserVersion.v17_r73404_normal; } else if (DotNetUtils.CallsMethod(method, "System.String System.Text.Encoding::GetString(System.Byte[])")) { if (FindInstruction(method.Body.Instructions, 0, Code.Conv_I8) >= 0) { if (DotNetUtils.CallsMethod(method, "System.Void System.Console::WriteLine()")) { version = ConfuserVersion.v15_r60785_dynamic; } else { version = ConfuserVersion.v17_r72989_dynamic; } } else { version = ConfuserVersion.v17_r73740_dynamic; } } else if (DotNetUtils.CallsMethod(method, "System.String System.Text.Encoding::GetString(System.Byte[],System.Int32,System.Int32)")) { if ((nativeMethod = FindNativeMethod(method)) == null) { version = ConfuserVersion.v17_r73764_dynamic; } else { version = ConfuserVersion.v17_r73764_native; } } else { continue; } } else if (localTypes.All(requiredLocals2)) { if (DeobUtils.HasInteger(method, 0x100) && DeobUtils.HasInteger(method, 0x10000) && DeobUtils.HasInteger(method, 0xFFFF)) { version = ConfuserVersion.v17_r73822_normal; } else if (DotNetUtils.CallsMethod(method, "System.Int32 System.Object::GetHashCode()")) { if ((nativeMethod = FindNativeMethod(method)) == null) { version = ConfuserVersion.v17_r74021_dynamic; } else { version = ConfuserVersion.v17_r74021_native; } } else if ((nativeMethod = FindNativeMethod(method)) == null) { version = ConfuserVersion.v17_r73822_dynamic; } else { version = ConfuserVersion.v17_r73822_native; } } else { continue; } info.decryptMethod = method; theDecrypterInfo = info; Add(info); break; } }
byte[] DecryptConstant_v17_r73404_normal(DecrypterInfo info, byte[] encrypted, uint offs) => ConfuserUtils.Decrypt(info.key0 ^ offs, encrypted);
protected byte[] DecryptConstant_v17_r73764_native(DecrypterInfo info, byte[] encrypted, uint offs, uint key) { return DecryptConstant_v17_r73764_native(info, encrypted, offs, key, defaultDecryptKey_v17); }
protected byte[] DecryptConstant_v17_r73764_native(DecrypterInfo info, byte[] encrypted, uint offs, uint key1, byte[] key2) { using (var x86Emu = new x86Emulator(fileData)) return Decrypt(encrypted, key1, (magic, i) => (byte)(x86Emu.Emulate((uint)nativeMethod.RVA, magic) ^ key2[i % key2.Length])); }
protected abstract byte[] DecryptData(DecrypterInfo info, MethodDef caller, object[] args, out byte typeCode);
protected void Add(DecrypterInfo info) { methodToDecrypterInfo.Add(info.decryptMethod, info); }
bool FindKeys(DecrypterInfo info) { switch (version) { case ConfuserVersion.v18_r75367_normal: case ConfuserVersion.v18_r75367_dynamic: case ConfuserVersion.v18_r75367_native: return FindKeys_v18_r75367(info); case ConfuserVersion.v18_r75369_normal: case ConfuserVersion.v18_r75369_dynamic: case ConfuserVersion.v18_r75369_native: case ConfuserVersion.v19_r77172_normal: case ConfuserVersion.v19_r77172_dynamic: case ConfuserVersion.v19_r77172_native: case ConfuserVersion.v19_r78056_normal: case ConfuserVersion.v19_r78056_dynamic: case ConfuserVersion.v19_r78056_native: case ConfuserVersion.v19_r78363_normal: case ConfuserVersion.v19_r78363_dynamic: case ConfuserVersion.v19_r78363_native: case ConfuserVersion.v19_r79630_normal: case ConfuserVersion.v19_r79630_dynamic: case ConfuserVersion.v19_r79630_native: return FindKeys_v18_r75369(info); default: throw new ApplicationException("Invalid version"); } }
protected byte[] DecryptConstant_v17_r73764_native(DecrypterInfo info, byte[] encrypted, uint offs, uint key1, byte[] key2) { using (var x86Emu = new x86Emulator(fileData)) return(Decrypt(encrypted, key1, (magic, i) => (byte)(x86Emu.Emulate((uint)nativeMethod.RVA, magic) ^ key2[i % key2.Length]))); }
bool InitializeFields(DecrypterInfo info) { switch (version) { case ConfuserVersion.v17_r73822_normal: case ConfuserVersion.v17_r73822_dynamic: case ConfuserVersion.v17_r73822_native: case ConfuserVersion.v17_r74021_dynamic: case ConfuserVersion.v17_r74021_native: if (!Add(ConstantsDecrypterUtils.FindDictField(info.decryptMethod, info.decryptMethod.DeclaringType))) return false; if (!Add(ConstantsDecrypterUtils.FindMemoryStreamField(info.decryptMethod, info.decryptMethod.DeclaringType))) return false; break; default: break; } return true; }
protected byte[] DecryptConstant_v17_r73740_dynamic(DecrypterInfo info, byte[] encrypted, uint offs, uint key1, byte[] key2) { var local = GetDynamicLocal_v17_r73740(info.decryptMethod); if (local == null) throw new ApplicationException("Could not find local"); int endIndex = GetDynamicEndIndex_v17_r73740(info.decryptMethod, local); if (endIndex < 0) endIndex = GetDynamicEndIndex_v17_r74788(info.decryptMethod, local); int startIndex = GetDynamicStartIndex_v17_r73740(info.decryptMethod, endIndex); if (startIndex < 0) throw new ApplicationException("Could not find start/end index"); var constReader = new ConstantsReader(info.decryptMethod); return Decrypt(encrypted, key1, (magic, i) => { constReader.SetConstantInt32(local, magic); int index = startIndex, result; if (!constReader.GetNextInt32(ref index, out result) || index != endIndex) throw new ApplicationException("Could not decrypt integer"); return (byte)(result ^ key2[i % key2.Length]); }); }
protected byte[] DecryptConstant_v17_r73764_native(DecrypterInfo info, byte[] encrypted, uint offs, uint key) { return(DecryptConstant_v17_r73764_native(info, encrypted, offs, key, defaultDecryptKey_v17)); }
protected override byte[] DecryptData(DecrypterInfo info, MethodDef caller, object[] args, out byte typeCode) { uint offs = info.CalcHash(caller.MDToken.ToUInt32()) ^ (uint)args[0]; reader.Position = offs; typeCode = reader.ReadByte(); if (typeCode != info.int32Type && typeCode != info.int64Type && typeCode != info.singleType && typeCode != info.doubleType && typeCode != info.stringType) throw new ApplicationException("Invalid type code"); var encrypted = reader.ReadBytes(reader.ReadInt32()); return DecryptConstant(info, encrypted, offs); }
byte[] DecryptConstant(DecrypterInfo info, byte[] encrypted, uint offs) { switch (version) { case ConfuserVersion.v15_r60785_normal: return DecryptConstant_v15_r60785_normal(info, encrypted, offs); case ConfuserVersion.v15_r60785_dynamic: return DecryptConstant_v15_r60785_dynamic(info, encrypted, offs); case ConfuserVersion.v17_r72989_dynamic: return DecryptConstant_v15_r60785_dynamic(info, encrypted, offs); case ConfuserVersion.v17_r73404_normal: return DecryptConstant_v17_r73404_normal(info, encrypted, offs); case ConfuserVersion.v17_r73740_dynamic: return DecryptConstant_v17_r73740_dynamic(info, encrypted, offs, 0); case ConfuserVersion.v17_r73764_dynamic: return DecryptConstant_v17_r73740_dynamic(info, encrypted, offs, 0); case ConfuserVersion.v17_r73764_native: return DecryptConstant_v17_r73764_native(info, encrypted, offs, 0); case ConfuserVersion.v17_r73822_normal: return DecryptConstant_v17_r73404_normal(info, encrypted, offs); case ConfuserVersion.v17_r73822_dynamic: return DecryptConstant_v17_r73740_dynamic(info, encrypted, offs, 0); case ConfuserVersion.v17_r73822_native: return DecryptConstant_v17_r73764_native(info, encrypted, offs, 0); case ConfuserVersion.v17_r74021_dynamic: return DecryptConstant_v17_r73740_dynamic(info, encrypted, offs, 0); case ConfuserVersion.v17_r74021_native: return DecryptConstant_v17_r73764_native(info, encrypted, offs, 0); default: throw new ApplicationException("Invalid version"); } }
byte[] DecryptConstant_v15_r60785_normal(DecrypterInfo info, byte[] encrypted, uint offs) { var rand = new Random((int)(info.key0 ^ offs)); var decrypted = new byte[encrypted.Length]; rand.NextBytes(decrypted); for (int i = 0; i < decrypted.Length; i++) decrypted[i] ^= encrypted[i]; return decrypted; }
byte[] DecryptConstant_v15_r60785_dynamic(DecrypterInfo info, byte[] encrypted, uint offs) { var instrs = info.decryptMethod.Body.Instructions; int startIndex = GetDynamicStartIndex_v15_r60785(instrs); int endIndex = GetDynamicEndIndex_v15_r60785(instrs, startIndex); if (endIndex < 0) throw new ApplicationException("Could not find start/endIndex"); var dataReader = MemoryImageStream.Create(encrypted); var decrypted = new byte[dataReader.ReadInt32()]; var constReader = new Arg64ConstantsReader(instrs, false); ConfuserUtils.DecryptCompressedInt32Data(constReader, startIndex, endIndex, dataReader, decrypted); return decrypted; }
byte[] DecryptConstant_v17_r73404_normal(DecrypterInfo info, byte[] encrypted, uint offs) { return ConfuserUtils.Decrypt(info.key0 ^ offs, encrypted); }
static bool FindKey0d_v18_r75367(DecrypterInfo info) { var instrs = info.method.Body.Instructions; for (int i = 0; i < instrs.Count; i++) { int index = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Int32 System.Reflection.MemberInfo::get_MetadataToken()"); if (index < 0) break; int index2 = ConfuserUtils.FindCallMethod(instrs, index, Code.Call, "System.Byte[] System.BitConverter::GetBytes(System.Int32)"); if (index2 < 0) break; if (index2 - index != 3) continue; var ldci4 = instrs[index + 1]; if (!ldci4.IsLdcI4()) continue; if (instrs[index + 2].OpCode.Code != Code.Xor) continue; info.key0d = (uint)ldci4.GetLdcI4Value(); return true; } return false; }
public void Find() { var type = DotNetUtils.GetModuleType(module); if (type == null) return; foreach (var method in type.Methods) { if (!method.IsStatic || method.Body == null) continue; if (!DotNetUtils.IsMethod(method, "System.Object", "(System.UInt32)")) continue; DecrypterInfo info = new DecrypterInfo(); var localTypes = new LocalTypes(method); if (localTypes.All(requiredLocals1)) { if (localTypes.Exists("System.Collections.BitArray")) // or System.Random version = ConfuserVersion.v15_r60785_normal; else if (DeobUtils.HasInteger(method, 0x100) && DeobUtils.HasInteger(method, 0x10000) && DeobUtils.HasInteger(method, 0xFFFF)) version = ConfuserVersion.v17_r73404_normal; else if (DotNetUtils.CallsMethod(method, "System.String System.Text.Encoding::GetString(System.Byte[])")) { if (FindInstruction(method.Body.Instructions, 0, Code.Conv_I8) >= 0) { if (DotNetUtils.CallsMethod(method, "System.Void System.Console::WriteLine()")) version = ConfuserVersion.v15_r60785_dynamic; else version = ConfuserVersion.v17_r72989_dynamic; } else version = ConfuserVersion.v17_r73740_dynamic; } else if (DotNetUtils.CallsMethod(method, "System.String System.Text.Encoding::GetString(System.Byte[],System.Int32,System.Int32)")) { if ((nativeMethod = FindNativeMethod(method)) == null) version = ConfuserVersion.v17_r73764_dynamic; else version = ConfuserVersion.v17_r73764_native; } else continue; } else if (localTypes.All(requiredLocals2)) { if (DeobUtils.HasInteger(method, 0x100) && DeobUtils.HasInteger(method, 0x10000) && DeobUtils.HasInteger(method, 0xFFFF)) version = ConfuserVersion.v17_r73822_normal; else if (DotNetUtils.CallsMethod(method, "System.Int32 System.Object::GetHashCode()")) { if ((nativeMethod = FindNativeMethod(method)) == null) version = ConfuserVersion.v17_r74021_dynamic; else version = ConfuserVersion.v17_r74021_native; } else if ((nativeMethod = FindNativeMethod(method)) == null) version = ConfuserVersion.v17_r73822_dynamic; else version = ConfuserVersion.v17_r73822_native; } else continue; info.decryptMethod = method; theDecrypterInfo = info; Add(info); break; } }
static bool FindKey0_v18_r75369(DecrypterInfo info) { var instrs = info.method.Body.Instructions; for (int i = 0; i < instrs.Count - 4; i++) { if (!instrs[i].IsLdloc()) continue; if (instrs[i + 1].OpCode.Code != Code.Xor) continue; var ldci4 = instrs[i + 2]; if (!ldci4.IsLdcI4()) continue; if (instrs[i + 3].OpCode.Code != Code.Conv_U8) continue; if (instrs[i + 4].OpCode.Code != Code.Mul) continue; info.key0 = (uint)ldci4.GetLdcI4Value(); return true; } return false; }
protected byte[] DecryptConstant_v17_r73740_dynamic(DecrypterInfo info, byte[] encrypted, uint offs, uint key) => DecryptConstant_v17_r73740_dynamic(info, encrypted, offs, key, defaultDecryptKey_v17);