Пример #1
 // Call-signature fingerprint: true when `method` calls Stream.Read(byte[], int, int)
 // but neither Stream.ReadByte() nor a callee shaped like
 // System.Int32 (System.IO.Stream, System.Int32, System.Int32).
 // All three checks look only at which calls appear in the method, so the result is a
 // heuristic classification, not proof of a particular protector version.
 static bool isV3Old(MethodDef method)
 {
     if (!DotNetUtils.callsMethod(method, "System.Int32 System.IO.Stream::Read(System.Byte[],System.Int32,System.Int32)"))
     {
         return false;
     }
     if (DotNetUtils.callsMethod(method, "System.Int32 System.IO.Stream::ReadByte()"))
     {
         return false;
     }

     // The original author labels this signature-only match as the obfuscated form of
     // System.Int32 System.IO.Stream::ReadByte().
     // NOTE(review): presumably the two-string overload matches any callee by return
     // type and parameter list - confirm against DotNetUtils.
     bool callsWrappedReadByte = DotNetUtils.callsMethod(method, "System.Int32", "(System.IO.Stream,System.Int32,System.Int32)");
     return !callsWrappedReadByte;
 }
Пример #2
        // Decides whether `method` matches the call/local-variable fingerprint checked here.
        // Required: locals exactly equal to requiredLocals_cf, plus calls to String.get_Length,
        // Convert.FromBase64String and Assembly.GetExecutingAssembly.
        // In addition one of two alternatives must hold:
        //   (a) calls to callees shaped like Byte[] (Assembly) and String (Assembly), or
        //   (b) direct calls to Assembly.GetName and AssemblyName.GetPublicKeyToken.
        // NOTE(review): (a) looks like the renamed-wrapper form of (b) - confirm.
        bool findCompactFramework(MethodDefinition method)
        {
            bool hasRequiredShape =
                new LocalTypes(method).exactly(requiredLocals_cf) &&
                DotNetUtils.callsMethod(method, "System.Int32 System.String::get_Length()") &&
                DotNetUtils.callsMethod(method, "System.Byte[] System.Convert::FromBase64String(System.String)") &&
                DotNetUtils.callsMethod(method, "System.Reflection.Assembly System.Reflection.Assembly::GetExecutingAssembly()");
            if (!hasRequiredShape)
            {
                return false;
            }

            // Alternative (a): signature-only matches.
            if (DotNetUtils.callsMethod(method, "System.Byte[]", "(System.Reflection.Assembly)") &&
                DotNetUtils.callsMethod(method, "System.String", "(System.Reflection.Assembly)"))
            {
                return true;
            }

            // Alternative (b): the framework methods are called by their real names.
            return DotNetUtils.callsMethod(method, "System.Reflection.AssemblyName System.Reflection.Assembly::GetName()") &&
                   DotNetUtils.callsMethod(method, "System.Byte[] System.Reflection.AssemblyName::GetPublicKeyToken()");
        }
Пример #3
        // Returns the first method of `type` that is static, non-private, has a body,
        // has the signature System.String (System.UInt32) and calls Marshal.PtrToStringAnsi.
        // Returns null when `type` is null or no method qualifies.
        static MethodDefinition findDecryptMethod(TypeDefinition type)
        {
            if (type == null)
            {
                return null;
            }

            foreach (var candidate in type.Methods)
            {
                // Cheap metadata checks first; the call scan only runs for plausible candidates.
                bool eligible = candidate.Body != null && candidate.IsStatic && !candidate.IsPrivate;
                if (eligible &&
                    DotNetUtils.isMethod(candidate, "System.String", "(System.UInt32)") &&
                    DotNetUtils.callsMethod(candidate, "System.String System.Runtime.InteropServices.Marshal::PtrToStringAnsi(System.IntPtr)"))
                {
                    return candidate;
                }
            }

            return null;
        }
Пример #4
        // Looks for exactly one static, non-private, non-generic method with a body in `type`
        // whose signature is `returnType (typeName,parameters)` and which calls
        // `returnType typeName::methodName(parameters)`.
        // Returns that method, or null when there is no match or more than one match;
        // an ambiguous result is rejected rather than guessed.
        static MethodDefinition getTheOnlyMethod(TypeDefinition type, string typeName, string methodName, string returnType, string parameters)
        {
            // Both strings are loop-invariant, so build them once.
            string wrapperParameters = "(" + typeName + "," + parameters + ")";
            string wrappedCall = returnType + " " + typeName + "::" + methodName + "(" + parameters + ")";

            MethodDefinition uniqueMatch = null;
            foreach (var candidate in type.Methods)
            {
                bool eligible = candidate.IsStatic &&
                                candidate.Body != null &&
                                !candidate.HasGenericParameters &&
                                !candidate.IsPrivate;
                if (!eligible ||
                    !DotNetUtils.isMethod(candidate, returnType, wrapperParameters) ||
                    !DotNetUtils.callsMethod(candidate, wrappedCall))
                {
                    continue;
                }

                if (uniqueMatch != null)
                {
                    // Second match: the result is ambiguous.
                    return null;
                }
                uniqueMatch = candidate;
            }

            return uniqueMatch;
        }
Пример #5
        // Scans module.Types for a field-less type owning a method that matches the V1
        // fingerprint: locals exactly equal to requiredLocals_v1 and calls to callees with
        // the five return-type/parameter shapes listed below.
        // On the first match, stores the type in resourceDecrypterType and returns true.
        // Otherwise resourceDecrypterType stays null and the result is false.
        bool findDesktopOrCompactFrameworkV1()
        {
            resourceDecrypterType = null;

            foreach (var candidateType in module.Types)
            {
                // Only types without any fields are considered.
                if (candidateType.Fields.Count != 0)
                {
                    continue;
                }

                foreach (var candidate in getDecrypterMethods(candidateType))
                {
                    // Checks are signature-only, so they still apply when callee names are renamed.
                    bool matchesV1 =
                        candidate != null &&
                        new LocalTypes(candidate).exactly(requiredLocals_v1) &&
                        DotNetUtils.callsMethod(candidate, "System.Int64", "()") &&
                        DotNetUtils.callsMethod(candidate, "System.Int32", "(System.Byte[],System.Int32,System.Int32)") &&
                        DotNetUtils.callsMethod(candidate, "System.Void", "(System.Array,System.Int32,System.Array,System.Int32,System.Int32)") &&
                        DotNetUtils.callsMethod(candidate, "System.Security.Cryptography.ICryptoTransform", "()") &&
                        DotNetUtils.callsMethod(candidate, "System.Byte[]", "(System.Byte[],System.Int32,System.Int32)");
                    if (!matchesV1)
                    {
                        continue;
                    }

                    resourceDecrypterType = candidateType;
                    return true;
                }
            }

            return false;
        }
Пример #6
        // Returns true, and sets `decrypter` to a new DecrypterV2, when `method` contains the
        // integer constant passed to hasInteger and calls every method named in callsMethodsV2.
        // `decrypter` is left untouched when any check fails.
        bool checkMethodV2(MethodDef method)
        {
            // The constant is written as the char literal ' ' (U+0020, i.e. 32).
            // NOTE(review): presumably converted implicitly to an integer parameter - confirm.
            bool hasMarkerConstant = DeobUtils.hasInteger(method, ' ');
            if (!hasMarkerConstant)
            {
                return false;
            }

            foreach (var requiredCall in callsMethodsV2)
            {
                bool present = DotNetUtils.callsMethod(method, requiredCall);
                if (!present)
                {
                    return false;
                }
            }

            decrypter = new DecrypterV2();
            return true;
        }
        // Decides whether `method` matches the call/local-variable fingerprint checked here.
        // Required: locals exactly equal to requiredLocals_sl, plus calls to String.get_Length,
        // Convert.FromBase64String, Assembly.GetExecutingAssembly, Assembly.get_FullName and
        // AssemblyName.GetPublicKeyToken.
        // In addition the method must call either a callee shaped like String (Assembly)
        // or AssemblyName.get_Name directly.
        bool findSilverlight(MethodDef method)
        {
            bool hasRequiredShape =
                new LocalTypes(method).exactly(requiredLocals_sl) &&
                DotNetUtils.callsMethod(method, "System.Int32 System.String::get_Length()") &&
                DotNetUtils.callsMethod(method, "System.Byte[] System.Convert::FromBase64String(System.String)") &&
                DotNetUtils.callsMethod(method, "System.Reflection.Assembly System.Reflection.Assembly::GetExecutingAssembly()") &&
                DotNetUtils.callsMethod(method, "System.String System.Reflection.Assembly::get_FullName()") &&
                DotNetUtils.callsMethod(method, "System.Byte[] System.Reflection.AssemblyName::GetPublicKeyToken()");
            if (!hasRequiredShape)
            {
                return false;
            }

            // Signature-only match first, then the call by its real name.
            return DotNetUtils.callsMethod(method, "System.String", "(System.Reflection.Assembly)") ||
                   DotNetUtils.callsMethod(method, "System.String System.Reflection.AssemblyName::get_Name()");
        }
Пример #8
 // Accepts `resolverInitMethod` when it subscribes a handler to AppDomain.AssemblyResolve,
 // i.e. when it calls AppDomain.add_AssemblyResolve(ResolveEventHandler).
 protected override bool checkResolverInitMethodInternal(MethodDef resolverInitMethod)
 {
     bool hooksAssemblyResolve = DotNetUtils.callsMethod(
         resolverInitMethod,
         "System.Void System.AppDomain::add_AssemblyResolve(System.ResolveEventHandler)");
     return hooksAssemblyResolve;
 }
Пример #9
 // True when info.ExecuteMethod does NOT call Type.GetMethod(string, BindingFlags).
 static bool throw_check(UnknownHandlerInfo info)
 {
     bool callsGetMethod = DotNetUtils.callsMethod(
         info.ExecuteMethod,
         "System.Reflection.MethodInfo System.Type::GetMethod(System.String,System.Reflection.BindingFlags)");
     return !callsGetMethod;
 }
Пример #10
 // True when info.ExecuteMethod calls Module.ResolveMethod(int).
 static bool ret_check(UnknownHandlerInfo info)
 {
     bool callsResolveMethod = DotNetUtils.callsMethod(
         info.ExecuteMethod,
         "System.Reflection.MethodBase System.Reflection.Module::ResolveMethod(System.Int32)");
     return callsResolveMethod;
 }
Пример #11
 // True when info.ExecuteMethod calls none of Module.ResolveMethod(int),
 // Module.ResolveType(int) and Module.ResolveMember(int).
 static bool leave_check(UnknownHandlerInfo info)
 {
     if (DotNetUtils.callsMethod(info.ExecuteMethod, "System.Reflection.MethodBase System.Reflection.Module::ResolveMethod(System.Int32)"))
     {
         return false;
     }
     if (DotNetUtils.callsMethod(info.ExecuteMethod, "System.Type System.Reflection.Module::ResolveType(System.Int32)"))
     {
         return false;
     }
     bool callsResolveMember = DotNetUtils.callsMethod(info.ExecuteMethod, "System.Reflection.MemberInfo System.Reflection.Module::ResolveMember(System.Int32)");
     return !callsResolveMember;
 }
 // True when resourceDecrypterMethod calls Array.Reverse(Array).
 bool needReverse()
 {
     bool callsArrayReverse = DotNetUtils.callsMethod(
         resourceDecrypterMethod,
         "System.Void System.Array::Reverse(System.Array)");
     return callsArrayReverse;
 }
Пример #13
 // Detects this handler kind by a call to Type.GetMethod(string, BindingFlags)
 // inside info.ExecuteMethod.
 protected override bool detectInternal(UnknownHandlerInfo info)
 {
     bool callsGetMethod = DotNetUtils.callsMethod(
         info.ExecuteMethod,
         "System.Reflection.MethodInfo System.Type::GetMethod(System.String,System.Reflection.BindingFlags)");
     return callsGetMethod;
 }
Пример #14
 // Detects this handler kind by a call to Module.ResolveType(int)
 // inside info.ExecuteMethod.
 protected override bool detectInternal(UnknownHandlerInfo info)
 {
     bool callsResolveType = DotNetUtils.callsMethod(
         info.ExecuteMethod,
         "System.Type System.Reflection.Module::ResolveType(System.Int32)");
     return callsResolveType;
 }
Пример #15
        // Builds a human-readable version label (DeobfuscatorInfo.THE_NAME plus a version or
        // version range) from fingerprints of the string decrypter and the methods decrypter:
        // which local-variable types they declare, which constants/strings they contain and
        // which methods they call. Every return value is a best-effort estimate derived from
        // these heuristics; the statement order matters because some checks run before and
        // some after DeobfuscatedFile.deobfuscate() is applied to the inspected methods.
        string detectVersion()
        {
            /*
             * Methods decrypter locals (not showing its own types):
             * 3.7.0.3:
             *      "System.Byte[]"
             *      "System.Int32"
             *      "System.Int32[]"
             *      "System.IntPtr"
             *      "System.IO.BinaryReader"
             *      "System.IO.MemoryStream"
             *      "System.Object"
             *      "System.Reflection.Assembly"
             *      "System.Security.Cryptography.CryptoStream"
             *      "System.Security.Cryptography.ICryptoTransform"
             *      "System.Security.Cryptography.RijndaelManaged"
             *      "System.String"
             *
             * Each later entry lists only the difference from the previous one
             * ("-" = local removed, "+" = local added).
             *
             * 3.9.8.0:
             * -    "System.Int32[]"
             * +    "System.Diagnostics.StackFrame"
             *
             * 4.0.0.0: (jitter)
             * -    "System.Diagnostics.StackFrame"
             * -    "System.Object"
             * +    "System.Boolean"
             * +    "System.Collections.IEnumerator"
             * +    "System.Delegate"
             * +    "System.Diagnostics.Process"
             * +    "System.Diagnostics.ProcessModule"
             * +    "System.Diagnostics.ProcessModuleCollection"
             * +    "System.IDisposable"
             * +    "System.Int64"
             * +    "System.UInt32"
             * +    "System.UInt64"
             *
             * 4.1.0.0: (jitter)
             * +    "System.Reflection.Assembly"
             *
             * 4.3.1.0: (jitter)
             * +    "System.Byte&"
             */

            LocalTypes localTypes;
            int        minVer = -1;

            // Step 1: look at the first string decrypter that has a key. Without a
            // System.IntPtr local it is reported as <= 3.7; otherwise the lower bound
            // becomes 3.8 (minVer = 3800). Only that first keyed entry is examined.
            foreach (var info in stringDecrypter.DecrypterInfos)
            {
                if (info.key == null)
                {
                    continue;
                }
                localTypes = new LocalTypes(info.method);
                if (!localTypes.exists("System.IntPtr"))
                {
                    return(DeobfuscatorInfo.THE_NAME + " <= 3.7");
                }
                minVer = 3800;
                break;
            }

            // Step 2: with no methods decrypter there is nothing more to fingerprint;
            // report the lower bound from step 1, or just the name.
            if (methodsDecrypter.Method == null)
            {
                if (minVer >= 3800)
                {
                    return(DeobfuscatorInfo.THE_NAME + " >= 3.8");
                }
                return(DeobfuscatorInfo.THE_NAME);
            }
            // Locals are captured here, before methodsDecrypter.Method is passed to
            // DeobfuscatedFile.deobfuscate() further down; the "System.Byte&" check near
            // the end still uses this snapshot.
            localTypes = new LocalTypes(methodsDecrypter.Method);

            // Per the table above, System.Int32[] is dropped from the locals in 3.9.8.0.
            if (localTypes.exists("System.Int32[]"))
            {
                if (minVer >= 3800)
                {
                    return(DeobfuscatorInfo.THE_NAME + " 3.8.4.1 - 3.9.0.1");
                }
                return(DeobfuscatorInfo.THE_NAME + " <= 3.9.0.1");
            }
            // When neither System.Diagnostics.Process nor System.Diagnostics.StackFrame is
            // present, nothing is returned here and execution falls through to the
            // compile-method checks below.
            if (!localTypes.exists("System.Diagnostics.Process"))               // If < 4.0
            {
                if (localTypes.exists("System.Diagnostics.StackFrame"))
                {
                    return(DeobfuscatorInfo.THE_NAME + " 3.9.8.0");
                }
            }

            // Step 3: the remaining checks need the compile method found on the methods
            // decrypter's declaring type; without one the result is "< 4.0".
            var compileMethod = MethodsDecrypter.findDnrCompileMethod(methodsDecrypter.Method.DeclaringType);

            if (compileMethod == null)
            {
                return(DeobfuscatorInfo.THE_NAME + " < 4.0");
            }
            // Both methods are deobfuscated before their constants/strings are searched.
            // NOTE(review): presumably so that obfuscated constants and strings become
            // visible to hasInteger/findString - confirm against DeobfuscatedFile.
            DeobfuscatedFile.deobfuscate(compileMethod);
            bool compileMethodHasConstant_0x70000000 = DeobUtils.hasInteger(compileMethod, 0x70000000);                 // 4.0-4.1

            DeobfuscatedFile.deobfuscate(methodsDecrypter.Method);
            bool hasCorEnableProfilingString = findString(methodsDecrypter.Method, "Cor_Enable_Profiling");             // 4.1-4.4

            // Constant present: 4.0 or 4.1, told apart by the profiling string.
            if (compileMethodHasConstant_0x70000000)
            {
                if (hasCorEnableProfilingString)
                {
                    return(DeobfuscatorInfo.THE_NAME + " 4.1");
                }
                return(DeobfuscatorInfo.THE_NAME + " 4.0");
            }
            // Neither marker present: told apart by a call to Array.Reverse.
            if (!hasCorEnableProfilingString)
            {
                // 4.x or 4.5
                bool callsReverse = DotNetUtils.callsMethod(methodsDecrypter.Method, "System.Void System.Array::Reverse(System.Array)");
                if (!callsReverse)
                {
                    return(DeobfuscatorInfo.THE_NAME + " 4.x");
                }
                return(DeobfuscatorInfo.THE_NAME + " 4.5");
            }

            // 4.2-4.4

            // Per the table above, the System.Byte& local appears in 4.3.1.0.
            if (!localTypes.exists("System.Byte&"))
            {
                return(DeobfuscatorInfo.THE_NAME + " 4.2");
            }

            // 4.3 vs 4.4 is decided by a System.Object local in the compile method
            // (read after it was deobfuscated above).
            localTypes = new LocalTypes(compileMethod);
            if (localTypes.exists("System.Object"))
            {
                return(DeobfuscatorInfo.THE_NAME + " 4.4");
            }
            return(DeobfuscatorInfo.THE_NAME + " 4.3");
        }