Пример #1
        /// <summary>
        /// Recognises the obfuscator's runtime initializer by the shape of its declaring type:
        /// between two and six nested types, a kernel32!MoveFileEx P/Invoke, and a resolve handler
        /// (as returned by DeobUtils.GetResolveMethod) whose body contains both the ',' and '|'
        /// integer constants. On success the initMethod, resolverType and handlerMethod fields are set.
        /// </summary>
        /// <param name="method">Candidate initializer; its declaring type is inspected.</param>
        /// <returns>true when every check passed and the three fields were recorded.</returns>
        bool CheckInitMethod(MethodDef method)
        {
            var declaringType = method.DeclaringType;
            int nestedCount = declaringType.NestedTypes.Count;

            // Type-level signature: a small fixed number of nested helpers plus the MoveFileEx import.
            bool typeMatches = nestedCount >= 2 && nestedCount <= 6 &&
                               DotNetUtils.GetPInvokeMethod(declaringType, "kernel32", "MoveFileEx") != null;
            if (!typeMatches)
            {
                return false;
            }

            // Handler-level signature: both separator constants must appear in the handler body
            // (presumably char literals used to split a packed string — confirm against samples).
            var handler = DeobUtils.GetResolveMethod(method);
            bool handlerMatches = handler != null &&
                                  DeobUtils.HasInteger(handler, ',') &&
                                  DeobUtils.HasInteger(handler, '|');
            if (!handlerMatches)
            {
                return false;
            }

            initMethod    = method;
            resolverType  = declaringType;
            handlerMethod = handler;
            return true;
        }
Пример #2
        /// <summary>
        /// Scans every type in the module for the obfuscator runtime type: it must P/Invoke
        /// kernel32!CloseHandle, and both an AssemblyResolver and a MemoryPatcher built on it must
        /// report Detected. The first match is stored in assemblyResolver / memoryPatcher and the
        /// scan stops; when nothing matches both fields are left untouched.
        /// </summary>
        void Find()
        {
            var inliner = new MethodCallInliner(true);
            var cflow = new CflowDeobfuscator(inliner);

            foreach (var candidate in module.Types)
            {
                // Cheap import check first; the detectors below are only built for plausible types.
                if (DotNetUtils.GetPInvokeMethod(candidate, "kernel32", "CloseHandle") == null)
                {
                    continue;
                }

                var resolverCandidate = new AssemblyResolver(candidate, cflow);
                if (!resolverCandidate.Detected)
                {
                    continue;
                }

                var patcherCandidate = new MemoryPatcher(candidate, cflow);
                if (patcherCandidate.Detected)
                {
                    assemblyResolver = resolverCandidate;
                    memoryPatcher    = patcherCandidate;
                    return;
                }
            }
        }
Пример #3
        /// <summary>
        /// Checks whether <paramref name="method"/> is the desktop runtime's entry stub: a static
        /// void() method on a type with 3–31 methods that either (a) imports
        /// mscoree!StrongNameSignatureVerificationEx, (b) imports all of kernel32.dll!SetLastError,
        /// CloseHandle and OpenProcess, or (c) imports mscoree!CLRCreateInstance and declares exactly
        /// three nested interface types.
        /// </summary>
        /// <param name="method">Candidate method; its declaring type is inspected.</param>
        /// <returns>true when one of the three import patterns matches.</returns>
        bool FindDesktop(MethodDef method)
        {
            var owner = method.DeclaringType;

            bool isStaticVoid = method.IsStatic && DotNetUtils.IsMethod(method, "System.Void", "()");
            if (!isStaticVoid)
            {
                return false;
            }
            int methodCount = owner.Methods.Count;
            if (methodCount < 3 || methodCount > 31)
            {
                return false;
            }

            // Pattern (a): the strong-name verification import alone is enough.
            if (DotNetUtils.GetPInvokeMethod(owner, "mscoree", "StrongNameSignatureVerificationEx") != null)
            {
                return true;
            }
            // Pattern (b): the full process-handle trio, all three required.
            bool hasProcessHandleImports = DotNetUtils.GetPInvokeMethod(owner, "kernel32.dll", "SetLastError") != null &&
                                           DotNetUtils.GetPInvokeMethod(owner, "kernel32.dll", "CloseHandle") != null &&
                                           DotNetUtils.GetPInvokeMethod(owner, "kernel32.dll", "OpenProcess") != null;
            if (hasProcessHandleImports)
            {
                return true;
            }

            // Pattern (c): CLRCreateInstance plus exactly three nested interfaces.
            if (DotNetUtils.GetPInvokeMethod(owner, "mscoree", "CLRCreateInstance") == null)
            {
                return false;
            }
            var nested = owner.NestedTypes;
            if (nested.Count != 3)
            {
                return false;
            }
            return nested[0].IsInterface && nested[1].IsInterface && nested[2].IsInterface;
        }
Пример #4
		/// <summary>
		/// Searches the methods called by <paramref name="methodToCheck"/> for the anti-debugger
		/// routine: a static void() callee whose declaring type P/Invokes kernel32!LoadLibrary and
		/// kernel32!GetProcAddress and whose body, after Deobfuscate() has run on it, contains one of
		/// the known "debugger detected" message fragments. The first match is recorded in
		/// antiDebuggerType / antiDebuggerMethod.
		/// </summary>
		/// <param name="methodToCheck">Method whose callees are scanned; null yields false.</param>
		/// <returns>true when a matching callee was found and recorded.</returns>
		bool Find(MethodDef methodToCheck) {
			if (methodToCheck == null)
				return false;

			// Message fragments the anti-debugger stub emits; one hit is enough. Checked in this order.
			string[] debuggerMessages = {
				"debugger is activ",
				"debugger is running",
				"Debugger detected",
				"Debugger was detected",
				"{0} was detected",
				"run under",
				"run with",
				"started under",
				"{0} detected",
				"{0} found",
			};

			foreach (var callee in DotNetUtils.GetCalledMethods(module, methodToCheck)) {
				var owner = callee.DeclaringType;

				bool isStaticVoid = callee.IsStatic && DotNetUtils.IsMethod(callee, "System.Void", "()");
				if (!isStaticVoid)
					continue;
				bool hasLoaderImports = DotNetUtils.GetPInvokeMethod(owner, "kernel32", "LoadLibrary") != null &&
					DotNetUtils.GetPInvokeMethod(owner, "kernel32", "GetProcAddress") != null;
				if (!hasLoaderImports)
					continue;

				// Deobfuscate runs before the string search (presumably so the literals become
				// visible to ContainsString — confirm); keep this ordering.
				Deobfuscate(callee);
				bool mentionsDebugger = false;
				foreach (var fragment in debuggerMessages) {
					if (ContainsString(callee, fragment)) {
						mentionsDebugger = true;
						break;
					}
				}
				if (!mentionsDebugger)
					continue;

				antiDebuggerType = owner;
				antiDebuggerMethod = callee;
				return true;
			}

			return false;
		}
Пример #5
        /// <summary>
        /// True when <paramref name="type"/> declares a P/Invoke method named <paramref name="name"/>
        /// taking a single native-int (ElementType.I) parameter and returning void or int32.
        /// </summary>
        /// <param name="type">Type whose P/Invoke methods are searched.</param>
        /// <param name="name">Name of the P/Invoke method to look for.</param>
        /// <returns>true when such a method exists with the expected signature.</returns>
        static bool HasInitializeMethod(TypeDef type, string name)
        {
            var pinvoke = DotNetUtils.GetPInvokeMethod(type, name);
            if (pinvoke == null)
            {
                return false;
            }

            var signature = pinvoke.MethodSig;
            bool singleNativeIntParam = signature.Params.Count == 1 &&
                                        signature.Params[0].GetElementType() == ElementType.I;
            if (!singleNativeIntParam)
            {
                return false;
            }

            // Either return shape is accepted.
            var returnType = signature.RetType.GetElementType();
            return returnType == ElementType.Void || returnType == ElementType.I4;
        }
Пример #6
        /// <summary>
        /// Matches the v14_r58564 runtime signature: the type imports VirtualProtect, the initializer
        /// calls Marshal.GetHINSTANCE(Module), calls VirtualProtect exactly three times and contains
        /// the integer constants 224, 240 and 267. On a match <c>version</c> is set to
        /// ConfuserVersion.v14_r58564.
        /// </summary>
        /// <param name="type">Candidate runtime type.</param>
        /// <param name="initMethod">Its initializer method.</param>
        /// <returns>true when every check passed and <c>version</c> was assigned.</returns>
        bool CheckType_v14_r58564(TypeDef type, MethodDef initMethod)
        {
            var virtualProtect = DotNetUtils.GetPInvokeMethod(type, "VirtualProtect");
            if (virtualProtect == null)
            {
                return false;
            }
            if (!DotNetUtils.CallsMethod(initMethod, "System.IntPtr System.Runtime.InteropServices.Marshal::GetHINSTANCE(System.Reflection.Module)"))
            {
                return false;
            }
            // This revision's signature is exactly three VirtualProtect calls.
            if (ConfuserUtils.CountCalls(initMethod, virtualProtect) != 3)
            {
                return false;
            }

            // All three constants must be present in the initializer body, checked in this order.
            int[] expectedConstants = { 224, 240, 267 };
            foreach (int constant in expectedConstants)
            {
                if (!DeobUtils.HasInteger(initMethod, constant))
                {
                    return false;
                }
            }

            version = ConfuserVersion.v14_r58564;
            return true;
        }
Пример #7
        /// <summary>
        /// Checks whether <paramref name="method"/> is the desktop runtime's entry stub: a static
        /// void() method on a type with 3–31 methods that either imports
        /// mscoree!StrongNameSignatureVerificationEx, or imports mscoree!CLRCreateInstance and
        /// declares exactly three nested interface types.
        /// </summary>
        /// <param name="method">Candidate method; its declaring type is inspected.</param>
        /// <returns>true when one of the two import patterns matches.</returns>
        bool FindDesktop(MethodDef method)
        {
            var owner = method.DeclaringType;

            bool isStaticVoid = method.IsStatic && DotNetUtils.IsMethod(method, "System.Void", "()");
            if (!isStaticVoid)
            {
                return false;
            }
            int methodCount = owner.Methods.Count;
            if (methodCount < 3 || methodCount > 31)
            {
                return false;
            }

            // Variant 1: the strong-name verification import is sufficient on its own.
            if (DotNetUtils.GetPInvokeMethod(owner, "mscoree", "StrongNameSignatureVerificationEx") != null)
            {
                return true;
            }
            // Variant 2: CLRCreateInstance plus exactly three nested interfaces.
            if (DotNetUtils.GetPInvokeMethod(owner, "mscoree", "CLRCreateInstance") == null)
            {
                return false;
            }
            var nested = owner.NestedTypes;
            return nested.Count == 3 &&
                   nested[0].IsInterface && nested[1].IsInterface && nested[2].IsInterface;
        }
        /// <summary>
        /// Recognises the memory-manager runtime type by its field layout: exactly two fields that are
        /// either the type itself or System.Int64, any number of delegate-typed fields, nothing else;
        /// plus a kernel32!SetProcessWorkingSetSize P/Invoke.
        /// </summary>
        /// <param name="type">Candidate type whose fields and P/Invokes are inspected.</param>
        /// <param name="method">Unused by this check; kept for signature compatibility.</param>
        /// <returns>true when the layout and the import both match.</returns>
        bool CheckMemoryManagerType(TypeDef type, MethodDef method)
        {
            int matchedFields = 0;
            foreach (var field in type.Fields)
            {
                var fieldType = field.FieldType;
                bool isSelfOrLong = new SigComparer().Equals(fieldType, type) ||
                                    fieldType.FullName == "System.Int64";
                if (isSelfOrLong)
                {
                    matchedFields++;
                }
                else if (!DotNetUtils.DerivesFromDelegate(DotNetUtils.GetType(module, fieldType)))
                {
                    // Any field that is neither counted nor a delegate disqualifies the type at once.
                    return false;
                }
            }
            if (matchedFields != 2)
            {
                return false;
            }

            return DotNetUtils.GetPInvokeMethod(type, "kernel32", "SetProcessWorkingSetSize") != null;
        }
Пример #9
        /// <summary>
        /// Validates the obfuscator initializer (a static void(bool, bool) method with a body) and
        /// derives the obfuscator version from its contents: "E_FullTrust" → V4_1 when the declaring
        /// type imports user32!CallWindowProcW, else V4_0; "Full Trust Required" → V3; nested types
        /// plus the fieldTypesV5 field layout → V5_0.
        /// </summary>
        /// <param name="initMethod">Candidate initializer; null is rejected.</param>
        /// <param name="obfuscatorVersionTmp">Receives the detected version, or Unknown on failure.</param>
        /// <returns>true when the initializer matched one of the version patterns.</returns>
        bool CheckInitMethod(MethodDef initMethod, out ObfuscatorVersion obfuscatorVersionTmp)
        {
            obfuscatorVersionTmp = ObfuscatorVersion.Unknown;

            bool wellFormed = initMethod != null &&
                              initMethod.Body != null &&
                              initMethod.IsStatic &&
                              DotNetUtils.IsMethod(initMethod, "System.Void", "(System.Boolean,System.Boolean)");
            if (!wellFormed)
            {
                return false;
            }

            var owner = initMethod.DeclaringType;
            if (HasCodeString(initMethod, "E_FullTrust"))
            {
                // The user32!CallWindowProcW import is what separates 4.1 from 4.0.
                bool hasCallWindowProc = DotNetUtils.GetPInvokeMethod(owner, "user32", "CallWindowProcW") != null;
                obfuscatorVersionTmp = hasCallWindowProc ? ObfuscatorVersion.V4_1 : ObfuscatorVersion.V4_0;
                return true;
            }
            if (HasCodeString(initMethod, "Full Trust Required"))
            {
                obfuscatorVersionTmp = ObfuscatorVersion.V3;
                return true;
            }
            if (owner.HasNestedTypes && new FieldTypes(owner).All(fieldTypesV5))
            {
                obfuscatorVersionTmp = ObfuscatorVersion.V5_0;
                return true;
            }

            return false;
        }
Пример #10
        /// <summary>
        /// Recognises the runtime type (exactly three methods, a kernel32!VirtualProtect import,
        /// "Broken file" string in the initializer), records its decrypt method in
        /// <c>decryptMethod</c>, and then assigns <c>version</c> by walking a ladder of strings and
        /// calls found in the initializer and decrypt method.
        /// </summary>
        /// <param name="type">Candidate runtime type; null yields false.</param>
        /// <param name="initMethod">Its initializer, searched for marker strings and calls.</param>
        /// <returns>true when the type matched and <c>version</c> was assigned.</returns>
        protected override bool CheckType(TypeDef type, MethodDef initMethod)
        {
            if (type == null)
            {
                return(false);
            }
            if (type.Methods.Count != 3)
            {
                return(false);
            }
            var virtProtect = DotNetUtils.GetPInvokeMethod(type, "kernel32", "VirtualProtect");

            if (virtProtect == null)
            {
                return(false);
            }
            if (!DotNetUtils.HasString(initMethod, "Broken file"))
            {
                return(false);
            }

            // Side effect: decryptMethod is assigned here, before the version ladder below, so it
            // stays set even if the BlockCopy-count branch later returns false.
            if ((decryptMethod = FindDecryptMethod(type)) == null)
            {
                return(false);
            }

            bool callsFileStreamCtor = DotNetUtils.CallsMethod(initMethod, "System.Void System.IO.FileStream::.ctor(System.String,System.IO.FileMode,System.IO.FileAccess,System.IO.FileShare)");

            // Version ladder: the first matching branch wins, so the order below is significant.
            if (!DotNetUtils.HasString(initMethod, "Module error"))
            {
                // No "Module error" string at all: the earliest revision recognised here.
                version = ConfuserVersion.v14_r57884;
            }
            else if (virtProtect.IsPrivate && callsFileStreamCtor)
            {
                // Private VirtualProtect + FileStream ctor: the number of Buffer.BlockCopy calls
                // distinguishes three consecutive revisions; 3 or 5+ calls is not a known layout.
                int calls = ConfuserUtils.CountCalls(initMethod, "System.Void System.Buffer::BlockCopy(System.Array,System.Int32,System.Array,System.Int32,System.Int32)");
                if (calls <= 1)
                {
                    version = ConfuserVersion.v14_r58564;
                }
                else if (calls == 2)
                {
                    version = ConfuserVersion.v14_r58852;
                }
                else if (calls == 4)
                {
                    version = ConfuserVersion.v15_r59014;
                }
                else
                {
                    return(false);
                }
            }
            else if (callsFileStreamCtor)
            {
                // FileStream ctor with a non-private VirtualProtect.
                version = ConfuserVersion.v14_r58004;
            }
            else if (DotNetUtils.CallsMethod(initMethod, "System.Int32 System.Object::GetHashCode()"))
            {
                // GetHashCode call marks v16/v17; the "<Unknown>" string separates the two.
                if (DotNetUtils.HasString(initMethod, "<Unknown>"))
                {
                    version = ConfuserVersion.v17_r72989;
                }
                else
                {
                    version = ConfuserVersion.v16_r71742;
                }
            }
            else if (DotNetUtils.CallsMethod(decryptMethod, "System.Security.Cryptography.Rijndael System.Security.Cryptography.Rijndael::Create()"))
            {
                // Only this branch inspects the decrypt method rather than the initializer.
                version = ConfuserVersion.v17_r73605;
            }
            else if (DotNetUtils.HasString(initMethod, "<Unknown>"))
            {
                version = ConfuserVersion.v18_r75288;
            }
            else
            {
                // Fallback: anything that passed the guards above but matched no earlier branch.
                version = ConfuserVersion.v19_r75725;
            }

            return(true);
        }
Пример #11
        /// <summary>
        /// Matches the v14_r58852-and-later runtime signature: a VirtualProtect import, a
        /// Marshal.GetHINSTANCE(Module) call, 14 or 16 VirtualProtect calls, and five packed integer
        /// constants in the initializer. The exact <c>version</c> is then chosen from the
        /// VirtualProtect call count, the number of localloc opcodes and a few further markers.
        /// </summary>
        /// <param name="type">Candidate runtime type.</param>
        /// <param name="initMethod">Its initializer, searched for calls, constants and opcodes.</param>
        /// <returns>true when the signature matched and <c>version</c> was assigned.</returns>
        bool CheckType_v14_r58852(TypeDef type, MethodDef initMethod)
        {
            var virtualProtect = DotNetUtils.GetPInvokeMethod(type, "VirtualProtect");

            if (virtualProtect == null)
            {
                return(false);
            }
            if (!DotNetUtils.CallsMethod(initMethod, "System.IntPtr System.Runtime.InteropServices.Marshal::GetHINSTANCE(System.Reflection.Module)"))
            {
                return(false);
            }
            int virtualProtectCalls = ConfuserUtils.CountCalls(initMethod, virtualProtect);

            // Only two call counts are known; the count is reused below to pick the version.
            if (virtualProtectCalls != 14 && virtualProtectCalls != 16)
            {
                return(false);
            }
            // 0x3C: presumably the PE header's e_lfanew offset — confirm against the runtime stub.
            if (!DeobUtils.HasInteger(initMethod, 0x3C))
            {
                return(false);
            }
            // The next four constants are ASCII packed little-endian into 32-bit ints:
            // 0x6c64746e = "ntdl", 0x6c642e6c = "l.dl", 0x6f43744e = "NtCo", 0x6e69746e = "ntin",
            // i.e. the stub carries "ntdll.dl…" and "NtContin…" as integer literals rather than strings.
            if (!DeobUtils.HasInteger(initMethod, 0x6c64746e))
            {
                return(false);
            }
            if (!DeobUtils.HasInteger(initMethod, 0x6c642e6c))
            {
                return(false);
            }
            if (!DeobUtils.HasInteger(initMethod, 0x6f43744e))
            {
                return(false);
            }
            if (!DeobUtils.HasInteger(initMethod, 0x6e69746e))
            {
                return(false);
            }
            int locallocs = ConfuserUtils.CountOpCode(initMethod, Code.Localloc);

            // Version ladder; first matching branch wins.
            if (DeobUtils.HasInteger(initMethod, 0x18))
            {
                // The 0x18 constant alone identifies the base revision, regardless of call count.
                version = ConfuserVersion.v14_r58852;
            }
            else if (virtualProtectCalls == 16)
            {
                version = ConfuserVersion.v16_r69339;
            }
            else if (virtualProtectCalls == 14)
            {
                // With 14 calls the localloc count splits v17 (2) from the v18/v19 family (1).
                if (locallocs == 2)
                {
                    version = ConfuserVersion.v17_r74708;
                }
                else if (locallocs == 1)
                {
                    if (DotNetUtils.HasString(initMethod, "<Unknown>"))
                    {
                        version = ConfuserVersion.v18_r75257;
                    }
                    else if (IsRev75725(initMethod))
                    {
                        version = ConfuserVersion.v19_r75725;
                    }
                    else
                    {
                        version = ConfuserVersion.v19_r76186;
                    }
                }
                else
                {
                    return(false);
                }
            }
            else
            {
                // Unreachable given the 14/16 guard above; kept as a defensive fallthrough.
                return(false);
            }

            return(true);
        }
Пример #12
        /// <summary>
        /// Recognises the "safe" anti-debugger variant and assigns <c>version</c>. When
        /// <paramref name="type"/> is the module type only the managed-debugger string and the
        /// profiler strings are required (v14_r57588_safe); otherwise the type must import
        /// ntdll!NtQueryInformationProcess, ntdll!NtSetInformationProcess and kernel32!CloseHandle,
        /// expose an anti-debug method with exactly two Environment.FailFast calls and no direct
        /// NtQueryInformationProcess calls, and the version is then picked from thread-ctor,
        /// IsDebuggerPresent and profiler-string markers.
        /// </summary>
        /// <param name="type">Candidate anti-debugger type.</param>
        /// <param name="initMethod">Its initializer.</param>
        /// <returns>true when the variant matched and <c>version</c> was assigned.</returns>
        bool CheckMethod_safe(TypeDef type, MethodDef initMethod)
        {
            if (type == DotNetUtils.GetModuleType(module))
            {
                // Module-type layout: no native imports to check, strings only.
                if (!DotNetUtils.HasString(initMethod, "Debugger detected (Managed)"))
                {
                    return(false);
                }
                if (!CheckProfilerStrings1(initMethod))
                {
                    return(false);
                }

                version = ConfuserVersion.v14_r57588_safe;
            }
            else
            {
                var ntQueryInformationProcess = DotNetUtils.GetPInvokeMethod(type, "ntdll", "NtQueryInformationProcess");
                if (ntQueryInformationProcess == null)
                {
                    return(false);
                }
                if (DotNetUtils.GetPInvokeMethod(type, "ntdll", "NtSetInformationProcess") == null)
                {
                    return(false);
                }
                if (DotNetUtils.GetPInvokeMethod(type, "kernel32", "CloseHandle") == null)
                {
                    return(false);
                }
                var antiDebugMethod = GetAntiDebugMethod(type, initMethod);
                if (antiDebugMethod == null)
                {
                    return(false);
                }
                // Either spelling of the managed-debugger message counts; evaluated up front so the
                // result is available to the version ladder after the remaining guards.
                bool hasDebuggerStrings = DotNetUtils.HasString(antiDebugMethod, "Debugger detected (Managed)") ||
                                          DotNetUtils.HasString(antiDebugMethod, "Debugger is detected (Managed)");
                if (!DotNetUtils.CallsMethod(initMethod, "System.Void System.Threading.Thread::.ctor(System.Threading.ParameterizedThreadStart)"))
                {
                    return(false);
                }
                // "Safe" variant: the anti-debug method never calls NtQueryInformationProcess itself.
                if (ConfuserUtils.CountCalls(antiDebugMethod, ntQueryInformationProcess) != 0)
                {
                    return(false);
                }
                if (!CheckProfilerStrings1(initMethod) && !CheckProfilerStrings2(initMethod))
                {
                    return(false);
                }

                // Exactly two FailFast calls, as opposed to 6 or 8 in the "normal" variant.
                int failFastCalls = ConfuserUtils.CountCalls(antiDebugMethod, "System.Void System.Environment::FailFast(System.String)");
                if (failFastCalls != 2)
                {
                    return(false);
                }

                if (hasDebuggerStrings)
                {
                    // Ladder for the revisions that still carry the debugger message; first match wins.
                    if (!DotNetUtils.CallsMethod(antiDebugMethod, "System.Void System.Threading.Thread::.ctor(System.Threading.ParameterizedThreadStart)"))
                    {
                        version = ConfuserVersion.v16_r61954_safe;
                    }
                    else if (DotNetUtils.GetPInvokeMethod(type, "IsDebuggerPresent") == null)
                    {
                        version = ConfuserVersion.v17_r73822_safe;
                    }
                    else if (CheckProfilerStrings1(initMethod))
                    {
                        version = ConfuserVersion.v17_r74021_safe;
                    }
                    else
                    {
                        version = ConfuserVersion.v19_r76119_safe;
                    }
                }
                else
                {
                    // The message string is gone in the latest safe revision.
                    version = ConfuserVersion.v19_r78363_safe;
                }
            }

            return(true);
        }
Пример #13
        /// <summary>
        /// Recognises the "normal" anti-debugger variant and assigns <c>version</c>. The type must
        /// import ntdll!NtQueryInformationProcess, ntdll!NtSetInformationProcess and
        /// kernel32!CloseHandle and expose an anti-debug method; the version is then derived from
        /// which thread constructor the initializer calls, the Environment.FailFast call count (6 or
        /// 8), the NtQueryInformationProcess call count (0 or 2) and a few string markers.
        /// </summary>
        /// <param name="type">Candidate anti-debugger type.</param>
        /// <param name="initMethod">Its initializer.</param>
        /// <returns>true when the variant matched and <c>version</c> was assigned.</returns>
        bool CheckMethod_normal(TypeDef type, MethodDef initMethod)
        {
            var ntQueryInformationProcess = DotNetUtils.GetPInvokeMethod(type, "ntdll", "NtQueryInformationProcess");

            if (ntQueryInformationProcess == null)
            {
                return(false);
            }
            if (DotNetUtils.GetPInvokeMethod(type, "ntdll", "NtSetInformationProcess") == null)
            {
                return(false);
            }
            if (DotNetUtils.GetPInvokeMethod(type, "kernel32", "CloseHandle") == null)
            {
                return(false);
            }
            var antiDebugMethod = GetAntiDebugMethod(type, initMethod);

            if (antiDebugMethod == null)
            {
                return(false);
            }
            // Unlike the safe variant, only this one spelling of the message is recognised here.
            bool hasDebuggerStrings = DotNetUtils.HasString(antiDebugMethod, "Debugger detected (Managed)");

            // Three top-level families, keyed on which thread constructor the initializer uses.
            if (DotNetUtils.CallsMethod(initMethod, "System.Void System.Threading.Thread::.ctor(System.Threading.ParameterizedThreadStart)"))
            {
                // Family 1 (v16+): 6 or 8 FailFast calls, profiler strings in the initializer.
                int failFastCalls = ConfuserUtils.CountCalls(antiDebugMethod, "System.Void System.Environment::FailFast(System.String)");
                if (failFastCalls != 6 && failFastCalls != 8)
                {
                    return(false);
                }

                if (!CheckProfilerStrings1(initMethod))
                {
                    return(false);
                }

                if (!DotNetUtils.CallsMethod(antiDebugMethod, "System.Void System.Threading.Thread::.ctor(System.Threading.ParameterizedThreadStart)"))
                {
                    // Anti-debug method does not spawn its own thread: v16; needs the message and
                    // exactly two NtQueryInformationProcess calls.
                    if (!hasDebuggerStrings)
                    {
                        return(false);
                    }
                    if (ConfuserUtils.CountCalls(antiDebugMethod, ntQueryInformationProcess) != 2)
                    {
                        return(false);
                    }
                    version = ConfuserVersion.v16_r61954_normal;
                }
                else if (failFastCalls == 8)
                {
                    if (!hasDebuggerStrings)
                    {
                        return(false);
                    }
                    if (ConfuserUtils.CountCalls(antiDebugMethod, ntQueryInformationProcess) != 2)
                    {
                        return(false);
                    }
                    version = ConfuserVersion.v17_r73822_normal;
                }
                else if (failFastCalls == 6)
                {
                    // Later revisions add an IsDebuggerPresent import and stop calling
                    // NtQueryInformationProcess from the anti-debug method; the message string
                    // separates v17 from v19.
                    if (DotNetUtils.GetPInvokeMethod(type, "IsDebuggerPresent") == null)
                    {
                        return(false);
                    }
                    if (ConfuserUtils.CountCalls(antiDebugMethod, ntQueryInformationProcess) != 0)
                    {
                        return(false);
                    }
                    if (hasDebuggerStrings)
                    {
                        version = ConfuserVersion.v17_r74021_normal;
                    }
                    else
                    {
                        version = ConfuserVersion.v19_r78363_normal;
                    }
                }
                else
                {
                    // Unreachable given the 6/8 guard above; kept as a defensive fallthrough.
                    return(false);
                }
            }
            else if (!DotNetUtils.CallsMethod(initMethod, "System.Void System.Threading.ThreadStart::.ctor(System.Object,System.IntPtr)"))
            {
                // Family 2 (v14_r57588): neither thread constructor; requires the message,
                // Process.EnterDebugMode() and profiler strings in the anti-debug method.
                if (!hasDebuggerStrings)
                {
                    return(false);
                }
                if (!DotNetUtils.CallsMethod(initMethod, "System.Void System.Diagnostics.Process::EnterDebugMode()"))
                {
                    return(false);
                }
                if (!CheckProfilerStrings1(antiDebugMethod))
                {
                    return(false);
                }
                version = ConfuserVersion.v14_r57588_normal;
            }
            else
            {
                // Family 3 (v14_r60785): ThreadStart(object, IntPtr) ctor; same three checks as
                // family 2, only the resulting version differs.
                if (!hasDebuggerStrings)
                {
                    return(false);
                }
                if (!DotNetUtils.CallsMethod(initMethod, "System.Void System.Diagnostics.Process::EnterDebugMode()"))
                {
                    return(false);
                }
                if (!CheckProfilerStrings1(antiDebugMethod))
                {
                    return(false);
                }
                version = ConfuserVersion.v14_r60785_normal;
            }

            return(true);
        }