bool CheckInitMethod(MethodDef method)
{
var type = method.DeclaringType;
if (type.NestedTypes.Count < 2 || type.NestedTypes.Count > 6)
{
return(false);
}
if (DotNetUtils.GetPInvokeMethod(type, "kernel32", "MoveFileEx") == null)
{
return(false);
}
var resolveHandler = DeobUtils.GetResolveMethod(method);
if (resolveHandler == null)
{
return(false);
}
if (!DeobUtils.HasInteger(resolveHandler, ',') ||
!DeobUtils.HasInteger(resolveHandler, '|'))
{
return(false);
}
initMethod = method;
resolverType = type;
handlerMethod = resolveHandler;
return(true);
}
static TypeDef FindInflaterType(MethodDef method)
{
if (method == null || method.Body == null)
{
return(null);
}
foreach (var instr in method.Body.Instructions)
{
if (instr.OpCode.Code != Code.Call)
{
continue;
}
var calledMethod = instr.Operand as MethodDef;
if (calledMethod == null || !calledMethod.IsStatic)
{
continue;
}
var type = calledMethod.DeclaringType;
foreach (var nested in type.NestedTypes)
{
if (DeobUtils.HasInteger(nested.FindMethod(".ctor"), 0x8001))
{
return(type);
}
}
}
return(null);
}
bool InitializeInfos(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
{
if (handlerMethod == null)
{
return(true);
}
foreach (var method in resolverType.Methods)
{
if (!method.IsStatic || method.Body == null)
{
continue;
}
if (!DotNetUtils.IsMethod(method, "System.Void", "()"))
{
continue;
}
if (!DeobUtils.HasInteger(method, ':') || !DeobUtils.HasInteger(method, '|'))
{
continue;
}
simpleDeobfuscator.Deobfuscate(method);
simpleDeobfuscator.DecryptStrings(method, deob);
if (!InitializeInfos(method))
{
continue;
}
return(true);
}
return(false);
}
bool CheckType_v14_r58564(TypeDef type, MethodDef initMethod)
{
var virtualProtect = DotNetUtils.GetPInvokeMethod(type, "VirtualProtect");
if (virtualProtect == null)
{
return(false);
}
if (!DotNetUtils.CallsMethod(initMethod, "System.IntPtr System.Runtime.InteropServices.Marshal::GetHINSTANCE(System.Reflection.Module)"))
{
return(false);
}
if (ConfuserUtils.CountCalls(initMethod, virtualProtect) != 3)
{
return(false);
}
if (!DeobUtils.HasInteger(initMethod, 224))
{
return(false);
}
if (!DeobUtils.HasInteger(initMethod, 240))
{
return(false);
}
if (!DeobUtils.HasInteger(initMethod, 267))
{
return(false);
}
version = ConfuserVersion.v14_r58564;
return(true);
}
static MethodDef GetResolveMethodSilverlight(MethodDef initMethod)
{
foreach (var instr in initMethod.Body.Instructions)
{
if (instr.OpCode.Code != Code.Call)
{
continue;
}
var calledMethod = instr.Operand as MethodDef;
if (calledMethod == null)
{
continue;
}
if (!DotNetUtils.IsMethod(calledMethod, "System.Void", "()"))
{
continue;
}
if (!DeobUtils.HasInteger(calledMethod, ',') ||
!DeobUtils.HasInteger(calledMethod, '|'))
{
continue;
}
return(calledMethod);
}
return(null);
}
static MethodDef CheckMethods(TypeDef type)
{
MethodDef creatorMethod = null;
foreach (var method in type.Methods)
{
if (method.Body == null)
{
return(null);
}
if (method.Name == ".cctor" || method.Name == ".ctor")
{
continue;
}
if (!DotNetUtils.IsMethod(method, "System.Void", "(System.Int32)"))
{
return(null);
}
if (!DeobUtils.HasInteger(method, 0x02000000))
{
return(null);
}
if (!DeobUtils.HasInteger(method, 0x06000000))
{
return(null);
}
creatorMethod = method;
}
return(creatorMethod);
}
static MethodDef FindXxteaMethod(TypeDef type)
{
foreach (var method in type.Methods)
{
if (!method.IsPrivate || method.IsStatic || method.Body == null)
{
continue;
}
if (DotNetUtils.IsMethod(method, "System.Void", "(System.UInt32[],System.UInt32[])"))
{
if (!DeobUtils.HasInteger(method, 0x9E3779B9))
{
continue;
}
}
else if (DotNetUtils.IsMethod(method, "System.Void", "(System.UInt32[],System.UInt32[],System.UInt32,System.UInt32,System.UInt32,System.UInt32,System.UInt32,System.UInt32,System.UInt32,System.UInt32,System.UInt32)"))
{
// Here if 5.0. 0x9E3779B9 is passed to it as the last arg.
}
else
{
continue;
}
if (!DeobUtils.HasInteger(method, 52))
{
continue;
}
return(method);
}
return(null);
}
void InitVersion(MethodDef installMethod, ConfuserVersion normal, ConfuserVersion dynamic, ConfuserVersion native) {
if (nativeMethod != null)
version = native;
else if (DeobUtils.HasInteger(installMethod, 0x10000))
version = normal;
else
version = dynamic;
}
// >= 1.9 r78363 (no refs to System.Reflection.Emit.OpCodes)
static ProxyCreatorType GetProxyCreatorTypeV2(MethodDef method) {
if (!DeobUtils.HasInteger(method, 0x2A))
return ProxyCreatorType.None;
if (CheckCtorProxyTypeV2(method))
return ProxyCreatorType.Newobj;
if (CheckCallProxyTypeV2(method))
return ProxyCreatorType.CallOrCallvirt;
return ProxyCreatorType.None;
}
static DecryptType GetDecryptType(MethodDef method)
{
if (DeobUtils.HasInteger(method, 0xFFF0))
{
return(DecryptType.Type2);
}
if (DeobUtils.HasInteger(method, 0xFFC0))
{
return(DecryptType.Type3);
}
return(DecryptType.Type1); // trial
}
IDecrypter CreateDecrypter(byte[] encryptedData)
{
if (decryptMethod != null && DeobUtils.HasInteger(decryptMethod, 6))
{
return(new Decrypter3(module, decryptMethod));
}
if (IsV30(encryptedData))
{
return(new Decrypter1(module));
}
return(new Decrypter2(module));
}
Version DetectVersion()
{
var ep = Module.EntryPoint;
if (ep == null || ep.Body == null)
{
return(Version.Unknown);
}
var type = ep.DeclaringType;
if (type == null)
{
return(Version.Unknown);
}
if (!new FieldTypes(type).Exactly(requiredFields))
{
return(Version.Unknown);
}
if (Module.Types.Count != 2)
{
return(Version.Unknown);
}
if (Module.Types[1] != type)
{
return(Version.Unknown);
}
if (Module.Types[0].Methods.Count != 0)
{
return(Version.Unknown);
}
if (CheckMethods(type, methods_v0x))
{
return(Version.V0x);
}
if (CheckMethods(type, methods_v1x))
{
var lfMethod = DotNetUtils.GetMethod(type, "System.Boolean", "(System.String,System.Byte[]&)");
if (lfMethod != null)
{
if (DeobUtils.HasInteger(lfMethod, (int)Machine.AMD64))
{
return(Version.V218);
}
return(Version.V1x_217);
}
}
return(Version.Unknown);
}
bool CheckMethodV2(MethodDef method)
{
if (!DeobUtils.HasInteger(method, ' '))
{
return(false);
}
foreach (var calledMethodName in callsMethodsV2)
{
if (!DotNetUtils.CallsMethod(method, calledMethodName))
{
return(false);
}
}
decrypter = new DecrypterV2();
return(true);
}
static bool IsOldStringDecrypterMethod(MethodDef method)
{
if (method == null || method.Body == null || !method.IsStatic)
{
return(false);
}
if (!DotNetUtils.IsMethod(method, "System.String", "(System.String)"))
{
return(false);
}
if (!DeobUtils.HasInteger(method, 0xFF))
{
return(false);
}
return(true);
}
void InitVersion(MethodDef method, ConfuserVersion normal, ConfuserVersion dynamic, ConfuserVersion native)
{
if (DeobUtils.HasInteger(method, 0x100) &&
DeobUtils.HasInteger(method, 0x10000) &&
DeobUtils.HasInteger(method, 0xFFFF))
{
version = normal;
}
else if ((nativeMethod = FindNativeMethod(method)) == null)
{
version = dynamic;
}
else
{
version = native;
}
}
bool CreateAssemblyInfos()
{
int numElements = DeobUtils.HasInteger(handlerMethod, 3) ? 3 : 2;
foreach (var s in DotNetUtils.GetCodeStrings(handlerMethod))
{
var infos = CreateAssemblyInfos(s, numElements);
if (infos == null)
{
continue;
}
assemblyInfos = infos;
return(true);
}
return(false);
}
MethodDef GetProxyCreateMethod(TypeDef type)
{
if (DotNetUtils.FindFieldType(type, "System.ModuleHandle", true) == null)
{
return(null);
}
if (!type.HasFields)
{
return(null);
}
if (type.Fields.Count > 25)
{
return(null);
}
MethodDef createMethod = null;
foreach (var m in type.Methods)
{
if (m.Name == ".ctor" || m.Name == ".cctor")
{
continue;
}
if (createMethod == null && DotNetUtils.IsMethod(m, "System.Void", "(System.Int32,System.Int32,System.Int32)"))
{
createMethod = m;
}
}
if (createMethod == null || !createMethod.HasBody)
{
return(null);
}
if (!DeobUtils.HasInteger(createMethod, 0xFFFFFF))
{
return(null);
}
return(createMethod);
}
MethodDef GetDecryptMethod()
{
foreach (var method in resolverType.Methods)
{
if (!method.IsStatic || method.Body == null)
{
continue;
}
if (!DotNetUtils.IsMethod(method, "System.Byte[]", "(System.Byte[])"))
{
continue;
}
if (!DeobUtils.HasInteger(method, 32) ||
!DeobUtils.HasInteger(method, 121))
{
continue;
}
return(method);
}
throw new ApplicationException("Could not find decrypt method");
}
MethodDef GetDecryptMethod()
{
foreach (var method in resolverType.Methods)
{
if (!method.IsStatic || method.Body == null)
{
continue;
}
if (!DotNetUtils.IsMethod(method, "System.Byte[]", "(System.Byte[])"))
{
continue;
}
if (!DeobUtils.HasInteger(method, 32) ||
!DeobUtils.HasInteger(method, 121))
{
continue;
}
return(method);
}
return(null);
}
bool CheckType_v14_r58852(TypeDef type, MethodDef initMethod)
{
var virtualProtect = DotNetUtils.GetPInvokeMethod(type, "VirtualProtect");
if (virtualProtect == null)
{
return(false);
}
if (!DotNetUtils.CallsMethod(initMethod, "System.IntPtr System.Runtime.InteropServices.Marshal::GetHINSTANCE(System.Reflection.Module)"))
{
return(false);
}
int virtualProtectCalls = ConfuserUtils.CountCalls(initMethod, virtualProtect);
if (virtualProtectCalls != 14 && virtualProtectCalls != 16)
{
return(false);
}
if (!DeobUtils.HasInteger(initMethod, 0x3C))
{
return(false);
}
if (!DeobUtils.HasInteger(initMethod, 0x6c64746e))
{
return(false);
}
if (!DeobUtils.HasInteger(initMethod, 0x6c642e6c))
{
return(false);
}
if (!DeobUtils.HasInteger(initMethod, 0x6f43744e))
{
return(false);
}
if (!DeobUtils.HasInteger(initMethod, 0x6e69746e))
{
return(false);
}
int locallocs = ConfuserUtils.CountOpCode(initMethod, Code.Localloc);
if (DeobUtils.HasInteger(initMethod, 0x18))
{
version = ConfuserVersion.v14_r58852;
}
else if (virtualProtectCalls == 16)
{
version = ConfuserVersion.v16_r69339;
}
else if (virtualProtectCalls == 14)
{
if (locallocs == 2)
{
version = ConfuserVersion.v17_r74708;
}
else if (locallocs == 1)
{
if (DotNetUtils.HasString(initMethod, "<Unknown>"))
{
version = ConfuserVersion.v18_r75257;
}
else if (IsRev75725(initMethod))
{
version = ConfuserVersion.v19_r75725;
}
else
{
version = ConfuserVersion.v19_r76186;
}
}
else
{
return(false);
}
}
else
{
return(false);
}
return(true);
}
public bool Initialize(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator)
{
var cctor = stringsEncodingClass.FindStaticConstructor();
if (cctor != null)
{
simpleDeobfuscator.Deobfuscate(cctor);
}
decrypterVersion = GuessVersion(cctor);
if (!FindDecrypterMethod())
{
throw new ApplicationException("Could not find string decrypter method");
}
if (!FindStringsResource(deob, simpleDeobfuscator, cctor))
{
return(false);
}
if (decrypterVersion <= StringDecrypterVersion.V3)
{
MethodDef initMethod;
if (decrypterVersion == StringDecrypterVersion.V3)
{
initMethod = cctor;
}
else if (decrypterVersion == StringDecrypterVersion.V2)
{
initMethod = stringDecrypterMethod;
}
else
{
initMethod = stringDecrypterMethod;
}
stringOffset = 0;
if (decrypterVersion != StringDecrypterVersion.V1)
{
if (CallsGetPublicKeyToken(initMethod))
{
var pkt = PublicKeyBase.ToPublicKeyToken(module.Assembly.PublicKeyToken);
if (!PublicKeyBase.IsNullOrEmpty2(pkt))
{
for (int i = 0; i < pkt.Data.Length - 1; i += 2)
{
stringOffset ^= ((int)pkt.Data[i] << 8) + pkt.Data[i + 1];
}
}
}
if (DeobUtils.HasInteger(initMethod, 0xFFFFFF) &&
DeobUtils.HasInteger(initMethod, 0xFFFF))
{
stringOffset ^= ((stringDecrypterMethod.MDToken.ToInt32() & 0xFFFFFF) - 1) % 0xFFFF;
}
}
}
else
{
var offsetVal = FindOffsetValue(cctor);
if (offsetVal == null)
{
throw new ApplicationException("Could not find string offset");
}
stringOffset = offsetVal.Value;
decrypterVersion = StringDecrypterVersion.V4;
}
simpleZipTypeMethod = FindSimpleZipTypeMethod(cctor) ?? FindSimpleZipTypeMethod(stringDecrypterMethod);
if (simpleZipTypeMethod != null)
{
resourceDecrypter = new ResourceDecrypter(new ResourceDecrypterInfo(module, simpleZipTypeMethod, simpleDeobfuscator));
}
return(true);
}
public string Detect()
{
var decryptStringType = stringDecrypter.Type;
var decryptStringMethod = stringDecrypter.Method;
if (decryptStringType == null || decryptStringMethod == null)
{
return(null);
}
var otherMethods = new List <MethodDef>();
MethodDef cctor = null;
foreach (var method in decryptStringType.Methods)
{
if (method == decryptStringMethod)
{
continue;
}
if (method.Name == ".cctor")
{
cctor = method;
}
else
{
otherMethods.Add(method);
}
}
if (cctor == null)
{
return(null);
}
bool hasConstantM2 = DeobUtils.HasInteger(decryptStringMethod, -2);
/////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////
var fields11 = new string[] {
"System.Collections.Generic.Dictionary`2<System.Int32,System.String>",
"System.IO.BinaryReader",
"System.Byte[]",
"System.Int16",
"System.Boolean",
};
var locals11 = CreateLocalsArray(
"System.Boolean",
"System.Byte[]",
"System.Char[]",
"System.Int16",
"System.Int32",
"System.Reflection.Assembly",
"System.String"
);
if (otherMethods.Count == 0 &&
decryptStringType.NestedTypes.Count == 0 &&
!hasConstantM2 &&
!decryptStringMethod.IsNoInlining &&
decryptStringMethod.IsPublic &&
decryptStringMethod.IsSynchronized &&
decryptStringMethod.Body.MaxStack >= 35 &&
decryptStringMethod.Body.MaxStack <= 50 &&
decryptStringMethod.Body.ExceptionHandlers.Count == 0 &&
new LocalTypes(decryptStringMethod).Exactly(locals11) &&
CheckTypeFields(fields11))
{
return("1.1 - 1.2");
}
/////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////
var fields13 = new string[] {
"System.Collections.Generic.Dictionary`2<System.Int32,System.String>",
"System.IO.BinaryReader",
"System.Byte[]",
"System.Int16",
"System.Boolean",
"System.Byte[]",
};
var locals13 = CreateLocalsArray(
"System.Boolean",
"System.Byte",
"System.Byte[]",
"System.Char[]",
"System.Int16",
"System.Int32",
"System.Reflection.Assembly",
"System.String"
);
if (otherMethods.Count == 0 &&
decryptStringType.NestedTypes.Count == 0 &&
!hasConstantM2 &&
!decryptStringMethod.IsNoInlining &&
decryptStringMethod.IsPublic &&
decryptStringMethod.IsSynchronized &&
decryptStringMethod.Body.MaxStack >= 35 &&
decryptStringMethod.Body.MaxStack <= 50 &&
decryptStringMethod.Body.ExceptionHandlers.Count == 0 &&
new LocalTypes(decryptStringMethod).Exactly(locals13) &&
CheckTypeFields(fields13))
{
return("1.3");
}
/////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////
var fields14 = new string[] {
"System.Collections.Generic.Dictionary`2<System.Int32,System.String>",
"System.IO.BinaryReader",
"System.Byte[]",
"System.Int16",
"System.Boolean",
"System.Byte[]",
};
var locals14 = CreateLocalsArray(
"System.Boolean",
"System.Byte",
"System.Byte[]",
"System.Char[]",
"System.Int16",
"System.Int32",
"System.Reflection.Assembly",
"System.String"
);
if (otherMethods.Count == 0 &&
decryptStringType.NestedTypes.Count == 0 &&
!hasConstantM2 &&
!decryptStringMethod.IsNoInlining &&
decryptStringMethod.IsPublic &&
decryptStringMethod.IsSynchronized &&
decryptStringMethod.Body.MaxStack >= 150 &&
decryptStringMethod.Body.MaxStack <= 200 &&
decryptStringMethod.Body.ExceptionHandlers.Count == 0 &&
new LocalTypes(decryptStringMethod).Exactly(locals14) &&
CheckTypeFields(fields14))
{
return("1.4 - 2.3");
}
/////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////
var fields24 = new string[] {
"System.Collections.Generic.Dictionary`2<System.Int32,System.String>",
"System.IO.BinaryReader",
"System.Byte[]",
"System.Int16",
"System.Boolean",
"System.Byte[]",
};
var locals24 = CreateLocalsArray(
"System.Boolean",
"System.Byte",
"System.Byte[]",
"System.Char[]",
"System.Int16",
"System.Int32",
"System.Reflection.Assembly",
"System.Reflection.AssemblyName",
"System.String"
);
if (otherMethods.Count == 0 &&
decryptStringType.NestedTypes.Count == 0 &&
!hasConstantM2 &&
!decryptStringMethod.IsNoInlining &&
decryptStringMethod.IsPublic &&
decryptStringMethod.IsSynchronized &&
decryptStringMethod.Body.MaxStack >= 1 &&
decryptStringMethod.Body.MaxStack <= 8 &&
decryptStringMethod.Body.ExceptionHandlers.Count == 0 &&
new LocalTypes(decryptStringMethod).Exactly(locals24) &&
CheckTypeFields(fields24))
{
return("2.4 - 2.5");
}
/////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////
var fields26 = new string[] {
"System.Collections.Generic.Dictionary`2<System.Int32,System.String>",
"System.IO.BinaryReader",
"System.Byte[]",
"System.Int16",
"System.Boolean",
"System.Byte[]",
};
var locals26 = CreateLocalsArray(
"System.Boolean",
"System.Byte",
"System.Byte[]",
"System.Char[]",
"System.Collections.Generic.Dictionary`2<System.Int32,System.String>",
"System.Int16",
"System.Int32",
"System.Reflection.Assembly",
"System.Reflection.AssemblyName",
"System.String"
);
if (otherMethods.Count == 0 &&
decryptStringType.NestedTypes.Count == 0 &&
!hasConstantM2 &&
!decryptStringMethod.IsNoInlining &&
decryptStringMethod.IsPublic &&
!decryptStringMethod.IsSynchronized &&
decryptStringMethod.Body.MaxStack >= 1 &&
decryptStringMethod.Body.MaxStack <= 8 &&
decryptStringMethod.Body.ExceptionHandlers.Count == 1 &&
new LocalTypes(decryptStringMethod).Exactly(locals26) &&
CheckTypeFields(fields26))
{
return("2.6");
}
/////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////
var fields27 = new string[] {
"System.Collections.Generic.Dictionary`2<System.Int32,System.String>",
"System.IO.BinaryReader",
"System.Byte[]",
"System.Int16",
"System.Boolean",
"System.Byte[]",
};
var locals27 = CreateLocalsArray(
"System.Boolean",
"System.Byte",
"System.Byte[]",
"System.Char[]",
"System.Collections.Generic.Dictionary`2<System.Int32,System.String>",
"System.Int16",
"System.Int32",
"System.Reflection.Assembly",
"System.Reflection.AssemblyName",
"System.String"
);
if (otherMethods.Count == 0 &&
decryptStringType.NestedTypes.Count == 0 &&
!hasConstantM2 &&
decryptStringMethod.IsNoInlining &&
decryptStringMethod.IsPublic &&
!decryptStringMethod.IsSynchronized &&
decryptStringMethod.Body.MaxStack >= 1 &&
decryptStringMethod.Body.MaxStack <= 8 &&
decryptStringMethod.Body.ExceptionHandlers.Count == 1 &&
new LocalTypes(decryptStringMethod).Exactly(locals27) &&
CheckTypeFields(fields27))
{
return("2.7");
}
/////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////
var fields28 = new string[] {
"System.Collections.Generic.Dictionary`2<System.Int32,System.String>",
"System.IO.BinaryReader",
"System.Byte[]",
"System.Int16",
"System.Boolean",
"System.Byte[]",
"System.Boolean",
};
var locals28 = CreateLocalsArray(
"System.Boolean",
"System.Byte",
"System.Byte[]",
"System.Char[]",
"System.Collections.Generic.Dictionary`2<System.Int32,System.String>",
"System.Int16",
"System.Int32",
"System.Reflection.Assembly",
"System.Reflection.AssemblyName",
"System.String"
);
if (otherMethods.Count == 0 &&
decryptStringType.NestedTypes.Count == 0 &&
!hasConstantM2 &&
decryptStringMethod.IsNoInlining &&
decryptStringMethod.IsAssembly &&
!decryptStringMethod.IsSynchronized &&
decryptStringMethod.Body.MaxStack >= 1 &&
decryptStringMethod.Body.MaxStack <= 8 &&
decryptStringMethod.Body.ExceptionHandlers.Count == 1 &&
new LocalTypes(decryptStringMethod).Exactly(locals28) &&
CheckTypeFields(fields28))
{
return("2.8");
}
/////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////
var fields29 = new string[] {
"System.Collections.Generic.Dictionary`2<System.Int32,System.String>",
"System.IO.BinaryReader",
"System.Byte[]",
"System.Int16",
"System.Int32",
"System.Byte[]",
};
var locals29 = CreateLocalsArray(
"System.Boolean",
"System.Byte",
"System.Byte[]",
"System.Char[]",
"System.Collections.Generic.Dictionary`2<System.Int32,System.String>",
"System.Diagnostics.StackFrame",
"System.Diagnostics.StackTrace",
"System.Int16",
"System.Int32",
"System.IO.Stream",
"System.Reflection.Assembly",
"System.Reflection.AssemblyName",
"System.Reflection.MethodBase",
"System.String",
"System.Type"
);
if (otherMethods.Count == 0 &&
decryptStringType.NestedTypes.Count == 0 &&
!hasConstantM2 &&
decryptStringMethod.IsNoInlining &&
decryptStringMethod.IsAssembly &&
!decryptStringMethod.IsSynchronized &&
decryptStringMethod.Body.MaxStack >= 1 &&
decryptStringMethod.Body.MaxStack <= 8 &&
(decryptStringMethod.Body.ExceptionHandlers.Count == 1 || decryptStringMethod.Body.ExceptionHandlers.Count == 2) &&
new LocalTypes(decryptStringMethod).Exactly(locals29) &&
CheckTypeFields(fields29))
{
return("2.9");
}
/////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////
var fields30 = new string[] {
"System.Collections.Generic.Dictionary`2<System.Int32,System.String>",
"System.IO.BinaryReader",
"System.Byte[]",
"System.Int16",
"System.Int32",
"System.Byte[]",
};
var locals30 = CreateLocalsArray(
"System.Boolean",
"System.Byte",
"System.Byte[]",
"System.Char[]",
"System.Collections.Generic.Dictionary`2<System.Int32,System.String>",
"System.Diagnostics.StackFrame",
"System.Diagnostics.StackTrace",
"System.Int16",
"System.Int32",
"System.IO.Stream",
"System.Reflection.Assembly",
"System.Reflection.AssemblyName",
"System.Reflection.MethodBase",
"System.String",
"System.Type"
);
var olocals30 = CreateLocalsArray(
"System.Int32"
);
if (otherMethods.Count == 1 &&
decryptStringType.NestedTypes.Count == 0 &&
DotNetUtils.IsMethod(otherMethods[0], "System.Int32", "(System.Byte[],System.Int32,System.Byte[])") &&
otherMethods[0].IsPrivate &&
otherMethods[0].IsStatic &&
new LocalTypes(otherMethods[0]).Exactly(olocals30) &&
!hasConstantM2 &&
decryptStringMethod.IsNoInlining &&
decryptStringMethod.IsAssembly &&
!decryptStringMethod.IsSynchronized &&
decryptStringMethod.Body.MaxStack >= 1 &&
decryptStringMethod.Body.MaxStack <= 8 &&
(decryptStringMethod.Body.ExceptionHandlers.Count == 1 || decryptStringMethod.Body.ExceptionHandlers.Count == 2) &&
new LocalTypes(decryptStringMethod).Exactly(locals30) &&
CheckTypeFields(fields30))
{
return("3.0");
}
/////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////
var fields31 = new string[] {
"System.Collections.Generic.Dictionary`2<System.Int32,System.String>",
"System.IO.BinaryReader",
"System.Byte[]",
"System.Int16",
"System.Int32",
"System.Byte[]",
};
var locals31 = CreateLocalsArray(
"System.Boolean",
"System.Byte",
"System.Byte[]",
"System.Char[]",
"System.Collections.Generic.Dictionary`2<System.Int32,System.String>",
"System.Diagnostics.StackFrame",
"System.Diagnostics.StackTrace",
"System.Int16",
"System.Int32",
"System.IO.Stream",
"System.Reflection.Assembly",
"System.Reflection.AssemblyName",
"System.Reflection.MethodBase",
"System.String",
"System.Type"
);
var olocals31 = CreateLocalsArray(
"System.Int32"
);
if (otherMethods.Count == 1 &&
decryptStringType.NestedTypes.Count == 0 &&
DotNetUtils.IsMethod(otherMethods[0], "System.Int32", "(System.Byte[],System.Int32,System.Byte[])") &&
otherMethods[0].IsPrivate &&
otherMethods[0].IsStatic &&
new LocalTypes(otherMethods[0]).Exactly(olocals31) &&
hasConstantM2 &&
decryptStringMethod.IsNoInlining &&
decryptStringMethod.IsAssembly &&
!decryptStringMethod.IsSynchronized &&
decryptStringMethod.Body.MaxStack >= 1 &&
decryptStringMethod.Body.MaxStack <= 8 &&
(decryptStringMethod.Body.ExceptionHandlers.Count == 1 || decryptStringMethod.Body.ExceptionHandlers.Count == 2) &&
new LocalTypes(decryptStringMethod).Exactly(locals31) &&
CheckTypeFields(fields31))
{
return("3.1");
}
/////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////
var fields32 = new string[] {
"System.Collections.Generic.Dictionary`2<System.Int32,System.String>",
"System.IO.BinaryReader",
"System.Byte[]",
"System.Int16",
"System.Int32",
"System.Byte[]",
"System.Int32",
};
var locals32 = CreateLocalsArray(
"System.Boolean",
"System.Byte",
"System.Byte[]",
"System.Char[]",
"System.Collections.Generic.Dictionary`2<System.Int32,System.String>",
"System.Diagnostics.StackFrame",
"System.Diagnostics.StackTrace",
"System.Int16",
"System.Int32",
"System.Int64",
"System.IO.Stream",
"System.Reflection.Assembly",
"System.Reflection.AssemblyName",
"System.Reflection.MethodBase",
"System.String",
"System.Type"
);
var olocals32 = CreateLocalsArray(
"System.Int32"
);
if (otherMethods.Count == 1 &&
decryptStringType.NestedTypes.Count == 0 &&
DotNetUtils.IsMethod(otherMethods[0], "System.Void", "(System.Byte[],System.Int32,System.Byte[])") &&
otherMethods[0].IsPrivate &&
otherMethods[0].IsStatic &&
new LocalTypes(otherMethods[0]).Exactly(olocals32) &&
hasConstantM2 &&
decryptStringMethod.IsNoInlining &&
decryptStringMethod.IsAssembly &&
!decryptStringMethod.IsSynchronized &&
decryptStringMethod.Body.MaxStack >= 1 &&
decryptStringMethod.Body.MaxStack <= 8 &&
(decryptStringMethod.Body.ExceptionHandlers.Count == 1 || decryptStringMethod.Body.ExceptionHandlers.Count == 2) &&
new LocalTypes(decryptStringMethod).Exactly(locals32) &&
CheckTypeFields(fields32))
{
return("3.2");
}
/////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////
if (decryptStringType.NestedTypes.Count == 1)
{
var fields33 = new string[] {
"System.Collections.Generic.Dictionary`2<System.Int32,System.String>",
"System.IO.BinaryReader",
"System.Byte[]",
"System.Int16",
"System.Int32",
"System.Byte[]",
"System.Int32",
"System.Int32",
decryptStringType.NestedTypes[0].FullName,
};
var locals33 = CreateLocalsArray(
"System.Boolean",
"System.Byte",
"System.Byte[]",
"System.Char[]",
"System.Collections.Generic.Dictionary`2<System.Int32,System.String>",
"System.Diagnostics.StackFrame",
"System.Diagnostics.StackTrace",
"System.Int16",
"System.Int32",
"System.Int64",
"System.IO.Stream",
"System.Reflection.Assembly",
"System.Reflection.AssemblyName",
"System.Reflection.MethodBase",
"System.String",
"System.Type"
);
var olocals33 = CreateLocalsArray(
"System.Int32"
);
if (otherMethods.Count == 1 &&
decryptStringType.NestedTypes.Count == 1 &&
DotNetUtils.IsMethod(otherMethods[0], "System.Void", "(System.Byte[],System.Int32,System.Byte[])") &&
otherMethods[0].IsPrivate &&
otherMethods[0].IsStatic &&
new LocalTypes(otherMethods[0]).Exactly(olocals33) &&
hasConstantM2 &&
decryptStringMethod.IsNoInlining &&
decryptStringMethod.IsAssembly &&
!decryptStringMethod.IsSynchronized &&
decryptStringMethod.Body.MaxStack >= 1 &&
decryptStringMethod.Body.MaxStack <= 8 &&
(decryptStringMethod.Body.ExceptionHandlers.Count == 1 || decryptStringMethod.Body.ExceptionHandlers.Count == 2) &&
new LocalTypes(decryptStringMethod).Exactly(locals33) &&
CheckTypeFields(fields33))
{
return("3.3.29 - 3.3.57 (BETA)");
}
}
/////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////
if (decryptStringType.NestedTypes.Count == 3)
{
var fields33 = new string[] {
GetNestedTypeName(0),
GetNestedTypeName(1),
"System.Byte[]",
"System.Int16",
"System.Int32",
"System.Byte[]",
"System.Int32",
"System.Int32",
GetNestedTypeName(2),
};
var locals33 = CreateLocalsArray(
"System.Boolean",
"System.Byte",
"System.Byte[]",
"System.Char[]",
GetNestedTypeName(0),
"System.Diagnostics.StackFrame",
"System.Diagnostics.StackTrace",
"System.Int16",
"System.Int32",
"System.Int64",
"System.IO.Stream",
"System.Reflection.Assembly",
"System.Reflection.AssemblyName",
"System.Reflection.MethodBase",
"System.String",
"System.Type"
);
var olocals33 = CreateLocalsArray(
"System.Int32"
);
if (otherMethods.Count == 1 &&
decryptStringType.NestedTypes.Count == 3 &&
DotNetUtils.IsMethod(otherMethods[0], "System.Void", "(System.Byte[],System.Int32,System.Byte[])") &&
otherMethods[0].IsPrivate &&
otherMethods[0].IsStatic &&
new LocalTypes(otherMethods[0]).Exactly(olocals33) &&
decryptStringMethod.IsNoInlining &&
decryptStringMethod.IsAssembly &&
!decryptStringMethod.IsSynchronized &&
decryptStringMethod.Body.MaxStack >= 1 &&
decryptStringMethod.Body.MaxStack <= 8 &&
(decryptStringMethod.Body.ExceptionHandlers.Count == 1 || decryptStringMethod.Body.ExceptionHandlers.Count == 2) &&
new LocalTypes(decryptStringMethod).Exactly(locals33) &&
CheckTypeFields(fields33))
{
return("3.3");
}
/////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////
var fields33_149 = new string[] {
GetNestedTypeName(0),
GetNestedTypeName(1),
"System.Byte[]",
"System.Int16",
"System.Int32",
"System.Byte[]",
"System.Int32",
"System.Int32",
GetNestedTypeName(2),
};
var locals33_149 = CreateLocalsArray(
"System.Boolean",
"System.Byte",
"System.Byte[]",
"System.Char[]",
GetNestedTypeName(0),
"System.Diagnostics.StackFrame",
"System.Diagnostics.StackTrace",
"System.Int16",
"System.Int32",
"System.Int64",
"System.IO.Stream",
"System.Reflection.Assembly",
"System.Reflection.AssemblyName",
"System.Reflection.MethodBase",
"System.String",
"System.Text.StringBuilder",
"System.Type"
);
var olocals33_149 = CreateLocalsArray(
"System.Int32"
);
if (otherMethods.Count == 1 &&
decryptStringType.NestedTypes.Count == 3 &&
DotNetUtils.IsMethod(otherMethods[0], "System.Void", "(System.Byte[],System.Int32,System.Byte[])") &&
otherMethods[0].IsPrivate &&
otherMethods[0].IsStatic &&
new LocalTypes(otherMethods[0]).Exactly(olocals33_149) &&
decryptStringMethod.IsNoInlining &&
decryptStringMethod.IsAssembly &&
!decryptStringMethod.IsSynchronized &&
decryptStringMethod.Body.MaxStack >= 1 &&
decryptStringMethod.Body.MaxStack <= 8 &&
(decryptStringMethod.Body.ExceptionHandlers.Count == 1 || decryptStringMethod.Body.ExceptionHandlers.Count == 2) &&
new LocalTypes(decryptStringMethod).Exactly(locals33_149) &&
CheckTypeFields2(fields33_149))
{
return("3.3.149 - 3.4"); // 3.3.149+ (but not SL or CF)
}
/////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////
var fields35 = new string[] {
GetNestedTypeName(0),
GetNestedTypeName(1),
"System.Byte[]",
"System.Int16",
"System.Int32",
"System.Byte[]",
"System.Int32",
"System.Int32",
GetNestedTypeName(2),
};
var locals35 = CreateLocalsArray(
"System.Boolean",
"System.Byte",
"System.Byte[]",
"System.Char[]",
"System.Collections.Generic.IEnumerator`1<System.Int32>",
GetNestedTypeName(0),
"System.Diagnostics.StackFrame",
"System.Diagnostics.StackTrace",
"System.Int16",
"System.Int32",
"System.Int64",
"System.IO.Stream",
"System.Reflection.Assembly",
"System.Reflection.AssemblyName",
"System.Reflection.MethodBase",
"System.String",
"System.Text.StringBuilder",
"System.Type"
);
var olocals35 = CreateLocalsArray(
"System.Int32"
);
if (otherMethods.Count == 1 &&
decryptStringType.NestedTypes.Count == 3 &&
DotNetUtils.IsMethod(otherMethods[0], "System.Void", "(System.Byte[],System.Int32,System.Byte[])") &&
otherMethods[0].IsPrivate &&
otherMethods[0].IsStatic &&
new LocalTypes(otherMethods[0]).Exactly(olocals35) &&
decryptStringMethod.IsNoInlining &&
decryptStringMethod.IsAssembly &&
!decryptStringMethod.IsSynchronized &&
decryptStringMethod.Body.MaxStack >= 1 &&
decryptStringMethod.Body.MaxStack <= 8 &&
decryptStringMethod.Body.ExceptionHandlers.Count >= 2 &&
new LocalTypes(decryptStringMethod).All(locals35) &&
CheckTypeFields2(fields35))
{
return("3.5 - 4.2");
}
/////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////
var fields43 = new string[] {
GetNestedTypeName(0),
GetNestedTypeName(1),
"System.Byte[]",
"System.Int16",
"System.Int32",
"System.Byte[]",
"System.Int32",
"System.Int32",
GetNestedTypeName(2),
};
var locals43 = CreateLocalsArray(
"System.Boolean",
"System.Byte",
"System.Byte[]",
"System.Char[]",
FindEnumeratorName(decryptStringMethod),
GetNestedTypeName(0),
"System.Diagnostics.StackFrame",
"System.Diagnostics.StackTrace",
"System.Int16",
"System.Int32",
"System.Int64",
"System.IO.Stream",
"System.Reflection.Assembly",
"System.Reflection.AssemblyName",
"System.Reflection.MethodBase",
"System.String",
"System.Text.StringBuilder",
"System.Type"
);
var olocals43 = CreateLocalsArray(
"System.Int32"
);
if (otherMethods.Count == 1 &&
decryptStringType.NestedTypes.Count == 3 &&
DotNetUtils.IsMethod(otherMethods[0], "System.Void", "(System.Byte[],System.Int32,System.Byte[])") &&
otherMethods[0].IsPrivate &&
otherMethods[0].IsStatic &&
new LocalTypes(otherMethods[0]).Exactly(olocals43) &&
decryptStringMethod.IsNoInlining &&
decryptStringMethod.IsAssembly &&
!decryptStringMethod.IsSynchronized &&
decryptStringMethod.Body.MaxStack >= 1 &&
decryptStringMethod.Body.MaxStack <= 8 &&
decryptStringMethod.Body.ExceptionHandlers.Count >= 2 &&
new LocalTypes(decryptStringMethod).All(locals43) &&
CheckTypeFields2(fields43))
{
return("4.3 - 4.9");
}
/////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////
var fields50 = new string[] {
GetNestedTypeName(0),
GetNestedTypeName(1),
"System.Byte[]",
"System.Int16",
"System.Int32",
"System.Byte[]",
"System.Int32",
"System.Int32",
GetNestedTypeName(2),
};
var locals50 = CreateLocalsArray(
// GetNestedTypeName(2) // One of the nested types is the first local (non-enum type)
"System.String",
"System.String"
);
var otherMethod50 = otherMethods.Find((m) => {
return(DotNetUtils.IsMethod(m, "System.Void", "(System.Byte[],System.Int32,System.Byte[])"));
});
decryptStringMethod = stringDecrypter.RealMethod;
if (stringDecrypter.HasRealMethod &&
otherMethods.Count == 2 &&
otherMethod50 != null &&
decryptStringType.NestedTypes.Count == 3 &&
otherMethod50.IsPrivate &&
otherMethod50.IsStatic &&
decryptStringMethod.IsNoInlining &&
decryptStringMethod.IsAssembly &&
!decryptStringMethod.IsSynchronized &&
decryptStringMethod.Body.MaxStack >= 1 &&
decryptStringMethod.Body.MaxStack <= 8 &&
decryptStringMethod.Body.ExceptionHandlers.Count == 1 &&
new LocalTypes(decryptStringMethod).All(locals50) &&
CheckTypeFields2(fields50))
{
foreach (var inst in stringDecrypter.Method.Body.Instructions)
{
if (inst.OpCode.Code == Code.Cgt_Un)
{
return("5.1");
}
}
return("5.0");
}
if (stringDecrypter.HasRealMethod &&
otherMethods.Count == 5 &&
otherMethod50 != null &&
decryptStringType.NestedTypes.Count == 3 &&
otherMethod50.IsPrivate &&
otherMethod50.IsStatic &&
decryptStringMethod.IsNoInlining &&
decryptStringMethod.IsAssembly &&
!decryptStringMethod.IsSynchronized &&
decryptStringMethod.Body.MaxStack >= 1 &&
decryptStringMethod.Body.MaxStack <= 8 &&
decryptStringMethod.Body.ExceptionHandlers.Count == 1)
{
return("5.2-5.8");
}
}
return(null);
}
public void FindDelegateCreator(ISimpleDeobfuscator simpleDeobfuscator) {
var type = DotNetUtils.GetModuleType(module);
if (type == null)
return;
foreach (var method in type.Methods) {
if (method.Body == null || !method.IsStatic || !method.IsAssembly)
continue;
var theVersion = ConfuserVersion.Unknown;
if (DotNetUtils.IsMethod(method, "System.Void", "(System.String,System.RuntimeFieldHandle)"))
theVersion = ConfuserVersion.v10_r42915;
else if (DotNetUtils.IsMethod(method, "System.Void", "(System.RuntimeFieldHandle)"))
theVersion = ConfuserVersion.v10_r48717;
else
continue;
var proxyType = GetProxyCreatorType(method, simpleDeobfuscator, out int tmpVer);
if (proxyType == ProxyCreatorType.None)
continue;
if (proxyType == ProxyCreatorType.Newobj)
foundNewobjProxy = true;
simpleDeobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
MethodDef nativeMethod = null;
if (FindMagic_v14_r58564(method, out uint magic)) {
if (!DotNetUtils.CallsMethod(method, "System.Byte[] System.Convert::FromBase64String(System.String)")) {
if (!IsMethodCreator_v14_r58802(method, proxyType))
theVersion = ConfuserVersion.v14_r58564;
else
theVersion = ConfuserVersion.v14_r58802;
}
else if (DotNetUtils.CallsMethod(method, "System.Reflection.Module System.Reflection.MemberInfo::get_Module()"))
theVersion = ConfuserVersion.v17_r73479;
else if (proxyType != ProxyCreatorType.CallOrCallvirt || !HasFieldReference(method, "System.Reflection.Emit.OpCode System.Reflection.Emit.OpCodes::Castclass"))
theVersion = ConfuserVersion.v14_r58857;
else if (proxyType == ProxyCreatorType.CallOrCallvirt && DotNetUtils.CallsMethod(method, "System.Void System.Reflection.Emit.DynamicMethod::.ctor(System.String,System.Type,System.Type[],System.Boolean)"))
theVersion = ConfuserVersion.v16_r66631;
else if (proxyType == ProxyCreatorType.CallOrCallvirt)
theVersion = ConfuserVersion.v16_r70489;
}
else if (!DotNetUtils.CallsMethod(method, "System.Byte[] System.Convert::FromBase64String(System.String)") &&
DotNetUtils.CallsMethod(method, "System.Reflection.MethodBase System.Reflection.Module::ResolveMethod(System.Int32)")) {
if (proxyType == ProxyCreatorType.CallOrCallvirt && !FindCallvirtChar(method, out callvirtChar))
continue;
if ((nativeMethod = FindNativeMethod_v18_r75367(method)) != null)
theVersion = proxyType != ProxyCreatorType.CallOrCallvirt || callvirtChar == 9 ? ConfuserVersion.v18_r75367_native : ConfuserVersion.v18_r75369_native;
else if (FindMagic_v18_r75367(method, out magic))
theVersion = proxyType != ProxyCreatorType.CallOrCallvirt || callvirtChar == 9 ? ConfuserVersion.v18_r75367_normal : ConfuserVersion.v18_r75369_normal;
else if (FindMagic_v19_r76101(method, out magic))
CommonCheckVersion19(method, true, tmpVer, ref theVersion);
else if ((nativeMethod = FindNativeMethod_v19_r76101(method)) != null)
CommonCheckVersion19(method, false, tmpVer, ref theVersion);
else {
if (proxyType == ProxyCreatorType.CallOrCallvirt && !DotNetUtils.CallsMethod(method, "System.Int32 System.String::get_Length()"))
theVersion = ConfuserVersion.v11_r50378;
int numCalls = ConfuserUtils.CountCalls(method, "System.Byte[] System.Text.Encoding::GetBytes(System.Char[],System.Int32,System.Int32)");
if (numCalls == 2)
theVersion = ConfuserVersion.v12_r54564;
if (!DotNetUtils.CallsMethod(method, "System.Reflection.Assembly System.Reflection.Assembly::Load(System.Reflection.AssemblyName)"))
theVersion = ConfuserVersion.v13_r55346;
if (DotNetUtils.CallsMethod(method, "System.Void System.Runtime.CompilerServices.RuntimeHelpers::RunClassConstructor(System.RuntimeTypeHandle)"))
theVersion = ConfuserVersion.v13_r55604;
}
}
else if (Is_v17_r73740(method)) {
if (DotNetUtils.CallsMethod(method, "System.Boolean System.Type::get_IsArray()")) {
if ((nativeMethod = FindNativeMethod_v17_r73740(method)) != null)
theVersion = ConfuserVersion.v17_r74708_native;
else if (FindMagic_v17_r73740(method, out magic))
theVersion = ConfuserVersion.v17_r74708_normal;
else
continue;
}
else {
if ((nativeMethod = FindNativeMethod_v17_r73740(method)) != null)
theVersion = ConfuserVersion.v17_r73740_native;
else if (FindMagic_v17_r73740(method, out magic))
theVersion = ConfuserVersion.v17_r73740_normal;
else
continue;
}
}
else if (theVersion == ConfuserVersion.v10_r42915) {
if (DeobUtils.HasInteger(method, 0x06000000))
theVersion = ConfuserVersion.v10_r42919;
}
SetDelegateCreatorMethod(method);
methodToInfo.Add(method, new ProxyCreatorInfo(method, proxyType, theVersion, magic, nativeMethod, callvirtChar));
version = (ConfuserVersion)Math.Max((int)version, (int)theVersion);
}
}
string DetectVersion()
{
/*
* Methods decrypter locals (not showing its own types):
* 3.7.0.3:
* "System.Byte[]"
* "System.Int32"
* "System.Int32[]"
* "System.IntPtr"
* "System.IO.BinaryReader"
* "System.IO.MemoryStream"
* "System.Object"
* "System.Reflection.Assembly"
* "System.Security.Cryptography.CryptoStream"
* "System.Security.Cryptography.ICryptoTransform"
* "System.Security.Cryptography.RijndaelManaged"
* "System.String"
*
* 3.9.8.0:
* - "System.Int32[]"
+ "System.Diagnostics.StackFrame"
+
+ 4.0.0.0: (jitter)
+ - "System.Diagnostics.StackFrame"
+ - "System.Object"
+ "System.Boolean"
+ "System.Collections.IEnumerator"
+ "System.Delegate"
+ "System.Diagnostics.Process"
+ "System.Diagnostics.ProcessModule"
+ "System.Diagnostics.ProcessModuleCollection"
+ "System.IDisposable"
+ "System.Int64"
+ "System.UInt32"
+ "System.UInt64"
+
+ 4.1.0.0: (jitter)
+ "System.Reflection.Assembly"
+
+ 4.3.1.0: (jitter)
+ "System.Byte&"
*/
LocalTypes localTypes;
int minVer = -1;
foreach (var info in stringDecrypter.DecrypterInfos)
{
if (info.key == null)
{
continue;
}
localTypes = new LocalTypes(info.method);
if (!localTypes.Exists("System.IntPtr"))
{
return(DeobfuscatorInfo.THE_NAME + " <= 3.7");
}
minVer = 3800;
break;
}
if (methodsDecrypter.DecrypterTypeVersion != DnrDecrypterType.V1)
{
return(DeobfuscatorInfo.THE_NAME);
}
if (methodsDecrypter.Method == null)
{
if (minVer >= 3800)
{
return(DeobfuscatorInfo.THE_NAME + " >= 3.8");
}
return(DeobfuscatorInfo.THE_NAME);
}
localTypes = new LocalTypes(methodsDecrypter.Method);
if (localTypes.Exists("System.Int32[]"))
{
if (minVer >= 3800)
{
return(DeobfuscatorInfo.THE_NAME + " 3.8.4.1 - 3.9.0.1");
}
return(DeobfuscatorInfo.THE_NAME + " <= 3.9.0.1");
}
if (!localTypes.Exists("System.Diagnostics.Process")) // If < 4.0
{
if (localTypes.Exists("System.Diagnostics.StackFrame"))
{
return(DeobfuscatorInfo.THE_NAME + " 3.9.8.0");
}
}
var compileMethod = MethodsDecrypter.FindDnrCompileMethod(methodsDecrypter.Method.DeclaringType);
if (compileMethod == null)
{
DeobfuscatedFile.Deobfuscate(methodsDecrypter.Method);
if (!MethodsDecrypter.IsNewer45Decryption(methodsDecrypter.Method))
{
return(DeobfuscatorInfo.THE_NAME + " < 4.0");
}
return(DeobfuscatorInfo.THE_NAME + " 4.5+");
}
DeobfuscatedFile.Deobfuscate(compileMethod);
bool compileMethodHasConstant_0x70000000 = DeobUtils.HasInteger(compileMethod, 0x70000000); // 4.0-4.1
DeobfuscatedFile.Deobfuscate(methodsDecrypter.Method);
bool hasCorEnableProfilingString = FindString(methodsDecrypter.Method, "Cor_Enable_Profiling"); // 4.1-4.4
bool hasCatchString = FindString(methodsDecrypter.Method, "catch: "); // <= 4.7
if (compileMethodHasConstant_0x70000000)
{
if (hasCorEnableProfilingString)
{
return(DeobfuscatorInfo.THE_NAME + " 4.1");
}
return(DeobfuscatorInfo.THE_NAME + " 4.0");
}
if (!hasCorEnableProfilingString)
{
bool callsReverse = DotNetUtils.CallsMethod(methodsDecrypter.Method, "System.Void System.Array::Reverse(System.Array)");
if (!callsReverse)
{
return(DeobfuscatorInfo.THE_NAME + " 4.0 - 4.4");
}
int numIntPtrSizeCompares = CountCompareSystemIntPtrSize(methodsDecrypter.Method);
bool hasSymmetricAlgorithm = new LocalTypes(methodsDecrypter.Method).Exists("System.Security.Cryptography.SymmetricAlgorithm");
if (Module.IsClr40)
{
switch (numIntPtrSizeCompares)
{
case 7:
case 9: return(DeobfuscatorInfo.THE_NAME + " 4.5");
case 10:
if (!hasSymmetricAlgorithm)
{
return(DeobfuscatorInfo.THE_NAME + " 4.6");
}
if (hasCatchString)
{
return(DeobfuscatorInfo.THE_NAME + " 4.7");
}
return(DeobfuscatorInfo.THE_NAME + " 4.8");
}
}
else
{
switch (numIntPtrSizeCompares)
{
case 6:
case 8: return(DeobfuscatorInfo.THE_NAME + " 4.5");
case 9:
if (!hasSymmetricAlgorithm)
{
return(DeobfuscatorInfo.THE_NAME + " 4.6");
}
if (hasCatchString)
{
return(DeobfuscatorInfo.THE_NAME + " 4.7");
}
return(DeobfuscatorInfo.THE_NAME + " 4.8");
}
}
// Should never be reached unless it's a new version
return(DeobfuscatorInfo.THE_NAME + " 4.5+");
}
// 4.2-4.4
if (!localTypes.Exists("System.Byte&"))
{
return(DeobfuscatorInfo.THE_NAME + " 4.2");
}
localTypes = new LocalTypes(compileMethod);
if (localTypes.Exists("System.Object"))
{
return(DeobfuscatorInfo.THE_NAME + " 4.4");
}
return(DeobfuscatorInfo.THE_NAME + " 4.3");
}
static bool CheckCallProxyTypeV2(MethodDef method) => DeobUtils.HasInteger(method, 0x28) && DeobUtils.HasInteger(method, 0x6F);
bool FindConstants(ISimpleDeobfuscator simpleDeobfuscator)
{
dynocode = new DynamicDynocodeIterator();
simpleDeobfuscator.Deobfuscate(stringMethod);
stringMethodConsts = new EfConstantsReader(stringMethod);
if (!FindResource(stringMethod))
{
return(false);
}
checkMinus2 = isV32OrLater || DeobUtils.HasInteger(stringMethod, -2);
usePublicKeyToken = CallsGetPublicKeyToken(stringMethod);
var int64Method = FindInt64Method(stringMethod);
if (int64Method != null)
{
decrypterType.Type = int64Method.DeclaringType;
}
if (!FindShorts())
{
return(false);
}
if (!FindInt3())
{
return(false);
}
if (!FindInt4())
{
return(false);
}
if (checkMinus2 && !FindInt5())
{
return(false);
}
dataDecrypterType = FindDataDecrypterType(stringMethod);
if (dataDecrypterType == null)
{
return(false);
}
if (isV32OrLater)
{
bool initializedAll;
int index = FindInitIntsIndex(stringMethod, out initializedAll);
var cctor = stringType.FindStaticConstructor();
if (!initializedAll && cctor != null)
{
simpleDeobfuscator.Deobfuscate(cctor);
if (!FindIntsCctor(cctor))
{
return(false);
}
}
if (decrypterType.Detected && !decrypterType.Initialize())
{
return(false);
}
if (!FindInts(index))
{
return(false);
}
}
InitializeFlags();
Initialize();
return(true);
}
public void Find()
{
var type = DotNetUtils.GetModuleType(module);
if (type == null)
{
return;
}
foreach (var method in type.Methods)
{
if (!method.IsStatic || method.Body == null)
{
continue;
}
if (!DotNetUtils.IsMethod(method, "System.Object", "(System.UInt32)"))
{
continue;
}
var info = new DecrypterInfo();
var localTypes = new LocalTypes(method);
if (localTypes.All(requiredLocals1))
{
if (localTypes.Exists("System.Collections.BitArray")) // or System.Random
{
version = ConfuserVersion.v15_r60785_normal;
}
else if (DeobUtils.HasInteger(method, 0x100) &&
DeobUtils.HasInteger(method, 0x10000) &&
DeobUtils.HasInteger(method, 0xFFFF))
{
version = ConfuserVersion.v17_r73404_normal;
}
else if (DotNetUtils.CallsMethod(method, "System.String System.Text.Encoding::GetString(System.Byte[])"))
{
if (FindInstruction(method.Body.Instructions, 0, Code.Conv_I8) >= 0)
{
if (DotNetUtils.CallsMethod(method, "System.Void System.Console::WriteLine()"))
{
version = ConfuserVersion.v15_r60785_dynamic;
}
else
{
version = ConfuserVersion.v17_r72989_dynamic;
}
}
else
{
version = ConfuserVersion.v17_r73740_dynamic;
}
}
else if (DotNetUtils.CallsMethod(method, "System.String System.Text.Encoding::GetString(System.Byte[],System.Int32,System.Int32)"))
{
if ((nativeMethod = FindNativeMethod(method)) == null)
{
version = ConfuserVersion.v17_r73764_dynamic;
}
else
{
version = ConfuserVersion.v17_r73764_native;
}
}
else
{
continue;
}
}
else if (localTypes.All(requiredLocals2))
{
if (DeobUtils.HasInteger(method, 0x100) &&
DeobUtils.HasInteger(method, 0x10000) &&
DeobUtils.HasInteger(method, 0xFFFF))
{
version = ConfuserVersion.v17_r73822_normal;
}
else if (DotNetUtils.CallsMethod(method, "System.Int32 System.Object::GetHashCode()"))
{
if ((nativeMethod = FindNativeMethod(method)) == null)
{
version = ConfuserVersion.v17_r74021_dynamic;
}
else
{
version = ConfuserVersion.v17_r74021_native;
}
}
else if ((nativeMethod = FindNativeMethod(method)) == null)
{
version = ConfuserVersion.v17_r73822_dynamic;
}
else
{
version = ConfuserVersion.v17_r73822_native;
}
}
else
{
continue;
}
info.decryptMethod = method;
theDecrypterInfo = info;
Add(info);
break;
}
}