EmbeddedResource FindGetManifestResourceStreamTypeResource(TypeDef type, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
{
foreach (var method in type.Methods)
{
if (!method.IsPrivate || !method.IsStatic || method.Body == null)
{
continue;
}
if (!DotNetUtils.IsMethod(method, "System.String", "(System.Reflection.Assembly,System.Type,System.String)"))
{
continue;
}
simpleDeobfuscator.Deobfuscate(method);
simpleDeobfuscator.DecryptStrings(method, deob);
foreach (var s in DotNetUtils.GetCodeStrings(method))
{
var resource = DotNetUtils.GetResource(module, s) as EmbeddedResource;
if (resource != null)
{
return(resource);
}
}
}
return(null);
}
List <AssemblyInfo> InitializeEmbeddedAssemblies(string s)
{
var sb = new StringBuilder(s.Length);
foreach (var c in s)
{
sb.Append((char)~c);
}
var tmpAssemblyInfos = sb.ToString().Split(new string[] { asmSeparator }, StringSplitOptions.RemoveEmptyEntries);
if (tmpAssemblyInfos.Length == 0 || (tmpAssemblyInfos.Length & 1) == 1)
{
return(null);
}
var newAssemblyInfos = new List <AssemblyInfo>(tmpAssemblyInfos.Length / 2);
for (int i = 0; i < tmpAssemblyInfos.Length; i += 2)
{
var assemblyName = tmpAssemblyInfos[i];
var resourceName = tmpAssemblyInfos[i + 1];
var resource = DotNetUtils.GetResource(module, resourceName) as EmbeddedResource;
var symbolsResource = DotNetUtils.GetResource(module, resourceName + "#") as EmbeddedResource;
if (resource == null)
{
return(null);
}
newAssemblyInfos.Add(new AssemblyInfo(assemblyName, resource, symbolsResource));
}
return(newAssemblyInfos);
}
static EmbeddedResource FindEmbeddedResource2(ModuleDefMD module, MethodDef method)
{
var strings = new List <string>(DotNetUtils.GetCodeStrings(method));
if (strings.Count != 1)
{
return(null);
}
var encryptedString = strings[0];
int xorKey;
if (!GetXorKey2(method, out xorKey))
{
return(null);
}
var sb = new StringBuilder(encryptedString.Length);
foreach (var c in encryptedString)
{
sb.Append((char)(c ^ xorKey));
}
return(DotNetUtils.GetResource(module, sb.ToString()) as EmbeddedResource);
}
public void Find()
{
foreach (var calledMethod in DotNetUtils.GetCalledMethods(module, DotNetUtils.GetModuleTypeCctor(module)))
{
if (!DotNetUtils.IsMethod(calledMethod, "System.Void", "()"))
{
continue;
}
if (calledMethod.DeclaringType.FullName != "<PrivateImplementationDetails>{F1C5056B-0AFC-4423-9B83-D13A26B48869}")
{
continue;
}
nativeLibCallerType = calledMethod.DeclaringType;
initMethod = calledMethod;
foreach (var s in DotNetUtils.GetCodeStrings(initMethod))
{
nativeFileResource = DotNetUtils.GetResource(module, s);
if (nativeFileResource != null)
{
break;
}
}
return;
}
}
bool FindStringsResource(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator, MethodDef cctor)
{
if (stringsResource != null)
{
return(true);
}
if (decrypterVersion <= StringDecrypterVersion.V3)
{
stringsResource = DotNetUtils.GetResource(module, (module.Mvid ?? Guid.NewGuid()).ToString("B")) as EmbeddedResource;
if (stringsResource != null)
{
return(true);
}
}
if (FindStringsResource2(deob, simpleDeobfuscator, cctor))
{
return(true);
}
if (FindStringsResource2(deob, simpleDeobfuscator, stringDecrypterMethod))
{
return(true);
}
return(false);
}
bool CheckInitMethod(MethodDef checkMethod, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
{
var requiredFields = new string[] {
"System.Collections.Hashtable",
"System.Boolean",
};
foreach (var method in DotNetUtils.GetCalledMethods(module, checkMethod))
{
if (method.Body == null)
{
continue;
}
if (!method.IsStatic)
{
continue;
}
if (!DotNetUtils.IsMethod(method, "System.Void", "()"))
{
continue;
}
var type = method.DeclaringType;
if (!new FieldTypes(type).Exactly(requiredFields))
{
continue;
}
var ctor = type.FindMethod(".ctor");
if (ctor == null)
{
continue;
}
var handler = DeobUtils.GetResolveMethod(ctor);
if (handler == null)
{
continue;
}
simpleDeobfuscator.DecryptStrings(handler, deob);
var resourcePrefix = GetResourcePrefix(handler);
if (resourcePrefix == null)
{
continue;
}
for (int i = 0; ; i++)
{
var resource = DotNetUtils.GetResource(module, resourcePrefix + i.ToString("D5")) as EmbeddedResource;
if (resource == null)
{
break;
}
resources.Add(resource);
}
initMethod = method;
return(true);
}
return(false);
}
string GetResourceName()
{
var defaultName = module.Assembly.Name.String + module.Assembly.Name.String;
var cctor = stringDecrypterType.FindStaticConstructor();
if (cctor == null)
{
return(defaultName);
}
foreach (var s in DotNetUtils.GetCodeStrings(cctor))
{
if (DotNetUtils.GetResource(module, s) != null)
{
return(s);
}
try {
return(Encoding.UTF8.GetString(Convert.FromBase64String(s)));
}
catch {
}
}
return(defaultName);
}
public void Find(ISimpleDeobfuscator simpleDeobfuscator)
{
var additionalTypes = new string[] {
"System.String",
};
EmbeddedResource stringsResource = null;
foreach (var type in module.Types)
{
if (decrypterInfos.Count > 0)
{
break;
}
if (type.BaseType == null || type.BaseType.FullName != "System.Object")
{
continue;
}
foreach (var method in type.Methods)
{
if (!method.IsStatic || !method.HasBody)
{
continue;
}
if (!DotNetUtils.IsMethod(method, "System.String", "(System.Int32)"))
{
continue;
}
if (!encryptedResource.CouldBeResourceDecrypter(method, additionalTypes))
{
continue;
}
var resource = DotNetUtils.GetResource(module, DotNetUtils.GetCodeStrings(method)) as EmbeddedResource;
if (resource == null)
{
throw new ApplicationException("Could not find strings resource");
}
if (stringsResource != null && stringsResource != resource)
{
throw new ApplicationException("Two different string resources found");
}
stringsResource = resource;
encryptedResource.Method = method;
var info = new DecrypterInfo(method, null, null);
simpleDeobfuscator.Deobfuscate(info.method);
FindKeyIv(info.method, out info.key, out info.iv);
decrypterInfos.Add(info);
}
}
if (decrypterInfos.Count > 0)
{
FindOtherStringDecrypter(decrypterInfos[0].method.DeclaringType);
}
}
EmbeddedResource FindResourceFromStringBuilder(MethodDef method)
{
int startIndex = EfUtils.FindOpCodeIndex(method, 0, Code.Newobj, "System.Void System.Text.StringBuilder::.ctor()");
if (startIndex < 0)
{
return(null);
}
int endIndex = EfUtils.FindOpCodeIndex(method, startIndex, Code.Call, "System.String System.Text.StringBuilder::ToString()");
if (endIndex < 0)
{
return(null);
}
var sb = new StringBuilder();
var instrs = method.Body.Instructions;
int val = 0, shift = 0;
for (int i = startIndex; i < endIndex; i++)
{
var instr = instrs[i];
if (instr.OpCode.Code == Code.Call && instr.Operand.ToString() == "System.Text.StringBuilder System.Text.StringBuilder::Append(System.Char)")
{
sb.Append((char)(val >> shift));
shift = 0;
}
if (stringMethodConsts.IsLoadConstantInt32(instr))
{
int tmp;
if (!stringMethodConsts.GetInt32(ref i, out tmp))
{
break;
}
if (i >= endIndex)
{
break;
}
var next = instrs[i];
if (next.OpCode.Code == Code.Shr)
{
shift = tmp;
}
else
{
val = tmp;
shift = 0;
}
}
}
return(DotNetUtils.GetResource(module, sb.ToString()) as EmbeddedResource);
}
static EmbeddedResource FindEmbeddedResource1(ModuleDefMD module, MethodDef method)
{
foreach (var s in DotNetUtils.GetCodeStrings(method))
{
if (DotNetUtils.GetResource(module, s) is EmbeddedResource resource)
{
return(resource);
}
}
return(null);
}
string GetResourcePrefix(MethodDef handler)
{
foreach (var s in DotNetUtils.GetCodeStrings(handler))
{
var resource = DotNetUtils.GetResource(module, s + "00000") as EmbeddedResource;
if (resource != null)
{
return(s);
}
}
return(null);
}
public static EmbeddedResource GetEmbeddedResourceFromCodeStrings(ModuleDef module, MethodDef method)
{
foreach (var s in DotNetUtils.GetCodeStrings(method))
{
var resource = DotNetUtils.GetResource(module, s) as EmbeddedResource;
if (resource != null)
{
return(resource);
}
}
return(null);
}
EmbeddedResource FindMethodsDecrypterResource(MethodDef method)
{
foreach (var s in DotNetUtils.GetCodeStrings(method))
{
var resource = DotNetUtils.GetResource(module, s) as EmbeddedResource;
if (resource != null)
{
return(resource);
}
}
return(null);
}
public NativeLibSaver(ModuleDefMD module, NativeLibSaver oldOne)
{
this.module = module;
this.nativeLibCallerType = Lookup(oldOne.nativeLibCallerType, "Could not find nativeLibCallerType");
this.initMethod = Lookup(oldOne.initMethod, "Could not find initMethod");
if (oldOne.nativeFileResource != null)
{
this.nativeFileResource = DotNetUtils.GetResource(module, oldOne.nativeFileResource.Name.String);
if (this.nativeFileResource == null)
{
throw new ApplicationException("Could not find nativeFileResource");
}
}
}
void UpdateLinkedResource()
{
foreach (var modref in moduleRefs)
{
var resource = DotNetUtils.GetResource(module, modref.Name.String) as LinkedResource;
if (resource == null)
{
continue;
}
linkedResource = resource;
return;
}
}
public EncryptedResource(ModuleDefMD module, EncryptedResource oldOne)
{
this.module = module;
resourceDecrypterMethod = Lookup(oldOne.resourceDecrypterMethod, "Could not find resource decrypter method");
if (oldOne.encryptedDataResource != null)
{
encryptedDataResource = DotNetUtils.GetResource(module, oldOne.encryptedDataResource.Name.String) as EmbeddedResource;
}
this.decrypter = oldOne.decrypter;
if (encryptedDataResource == null && oldOne.encryptedDataResource != null)
{
throw new ApplicationException("Could not initialize EncryptedResource");
}
}
// Find the embedded resource where all the strings are encrypted
EmbeddedResource FindStringResource(MethodDef method)
{
foreach (var s in DotNetUtils.GetCodeStrings(method))
{
if (s == null)
{
continue;
}
if (DotNetUtils.GetResource(module, s) is EmbeddedResource resource)
{
return(resource);
}
}
return(null);
}
public EmbeddedResource MergeResources()
{
if (rsrcResolveMethod == null)
{
return(null);
}
var resource = DotNetUtils.GetResource(module, DotNetUtils.GetCodeStrings(rsrcResolveMethod)) as EmbeddedResource;
if (resource == null)
{
return(null);
}
DeobUtils.DecryptAndAddResources(module, resource.Name.String, () => DecryptResource(resource));
return(resource);
}
public void Initialize(ResourceDecrypter resourceDecrypter)
{
if (decryptedData != null || stringDecrypterType == null)
{
return;
}
var resourceName = GetResourceName();
stringResource = DotNetUtils.GetResource(module, resourceName) as EmbeddedResource;
if (stringResource == null)
{
return;
}
Logger.v("Adding string decrypter. Resource: {0}", Utils.ToCsharpString(stringResource.Name));
decryptedData = resourceDecrypter.Decrypt(stringResource.GetResourceStream());
}
public EmbeddedResource MergeResources()
{
if (mergedIt)
{
return(null);
}
var resource = DotNetUtils.GetResource(module, GetResourceNames()) as EmbeddedResource;
if (resource == null)
{
return(null);
}
DeobUtils.DecryptAndAddResources(module, resource.Name.String, () => resourceDecrypter.Decrypt(resource.CreateReader().AsStream()));
mergedIt = true;
return(resource);
}
public bool ResolveResources()
{
bool ok = true;
foreach (var info in embeddedAssemblyInfos)
{
if (info.resource != null)
{
continue;
}
info.resource = DotNetUtils.GetResource(module, info.resourceName) as EmbeddedResource;
if (info.resource == null)
{
ok = false;
}
}
return(ok);
}
public override void Initialize()
{
if (resourceName != null)
{
resource = DotNetUtils.GetResource(module, resourceName) as EmbeddedResource;
}
else
{
resource = FindResource(initMethod);
}
if (resource == null)
{
throw new ApplicationException("Could not find encrypted consts resource");
}
FindDecrypterInfos();
InitializeDecrypterInfos();
SetConstantsData(DeobUtils.Inflate(resource.CreateReader().ToArray(), true));
}
public static EmbeddedResource GetResource(ModuleDefMD module, IEnumerable <string> names)
{
foreach (var name in names)
{
if (DotNetUtils.GetResource(module, name) is EmbeddedResource resource)
{
return(resource);
}
try {
resource = DotNetUtils.GetResource(module, Encoding.UTF8.GetString(Convert.FromBase64String(name))) as EmbeddedResource;
if (resource != null)
{
return(resource);
}
}
catch {
}
}
return(null);
}
EmbeddedResource GetResource(MethodDef method, out ModuleDefMD theResourceModule)
{
string resourceDllFileName = null;
theResourceModule = module;
foreach (var s in DotNetUtils.GetCodeStrings(method))
{
if (s.Length > 0 && s[0] == '\\')
{
resourceDllFileName = s;
}
var resource = DotNetUtils.GetResource(theResourceModule, s + ".resources") as EmbeddedResource;
if (resource != null)
{
return(resource);
}
}
if (resourceDllFileName == null)
{
return(null);
}
// Here if CW 2.x
theResourceModule = GetResourceModule(resourceDllFileName);
if (theResourceModule == null)
{
return(null);
}
foreach (var s in DotNetUtils.GetCodeStrings(method))
{
var resource = DotNetUtils.GetResource(theResourceModule, s + ".resources") as EmbeddedResource;
if (resource != null)
{
return(resource);
}
}
theResourceModule = null;
return(null);
}
EmbeddedResource GetResource(string resourceName)
{
if (DotNetUtils.GetResource(module, resourceName + ".resources") is EmbeddedResource resource)
{
return(resource);
}
string name = "";
var pieces = resourceName.Split('.');
Array.Reverse(pieces);
foreach (var piece in pieces)
{
name = piece + name;
resource = DotNetUtils.GetResource(module, name + ".resources") as EmbeddedResource;
if (resource != null)
{
return(resource);
}
}
return(null);
}
public static EmbeddedAssemblyInfo Create(ModuleDefMD module, string encName, string rsrcName)
{
var info = new EmbeddedAssemblyInfo();
try {
if (encName == "" || Convert.ToBase64String(Convert.FromBase64String(encName)) != encName)
{
return(null);
}
}
catch (FormatException) {
return(null);
}
if (rsrcName.Length > 0 && rsrcName[0] == '[')
{
int i = rsrcName.IndexOf(']');
if (i < 0)
{
return(null);
}
info.flags = rsrcName.Substring(1, i - 1);
info.isTempFile = info.flags.IndexOf('t') >= 0;
info.isCompressed = info.flags.IndexOf('z') >= 0;
rsrcName = rsrcName.Substring(i + 1);
}
if (rsrcName == "")
{
return(null);
}
info.assemblyName = Encoding.UTF8.GetString(Convert.FromBase64String(encName));
info.resourceName = rsrcName;
info.resource = DotNetUtils.GetResource(module, rsrcName) as EmbeddedResource;
info.simpleName = Utils.GetAssemblySimpleName(info.assemblyName);
return(info);
}
public void InitializeEmbeddedFiles()
{
foreach (var info in assemblyInfos)
{
info.Resource = DotNetUtils.GetResource(module, info.ResourceName) as EmbeddedResource;
if (info.Resource == null)
{
throw new ApplicationException($"Could not find resource {Utils.ToCsharpString(info.ResourceName)}");
}
info.Data = info.Resource.GetReader().ToArray();
if (info.IsEncrypted)
{
Decrypt(info.Data);
}
if (info.IsCompressed)
{
info.Data = Decompress(info.Data);
}
InitializeNameAndExtension(info);
}
}
bool FindTypeAndResources()
{
var bundleDataTmp = DotNetUtils.GetResource(module, ".bundle.dat") as EmbeddedResource;
var bundleXmlFileTmp = DotNetUtils.GetResource(module, ".bundle.manifest") as EmbeddedResource;
if (bundleDataTmp == null || bundleXmlFileTmp == null)
{
return(false);
}
var bundleTypeTmp = FindBundleType();
if (bundleTypeTmp == null)
{
return(false);
}
bundleData = bundleDataTmp;
bundleXmlFile = bundleXmlFileTmp;
bundleType = bundleTypeTmp;
FindOtherTypes();
return(true);
}
EmbeddedResource FindCsvmResource() => DotNetUtils.GetResource(module, "_CSVM") as EmbeddedResource;
EmbeddedResource FindResourceFromCodeString(MethodDef method)
{
return(DotNetUtils.GetResource(module, DotNetUtils.GetCodeStrings(method)) as EmbeddedResource);
}