// Heuristic: true when `method` calls Stream.Read(byte[], int, int) but does not call
// Stream.ReadByte(), either directly or through the obfuscated wrapper signature checked last.
// The match is on call presence only, so it identifies a code shape rather than proving
// what the method does.
static bool isV3Old(MethodDef method) {
    const string streamRead = "System.Int32 System.IO.Stream::Read(System.Byte[],System.Int32,System.Int32)";
    const string streamReadByte = "System.Int32 System.IO.Stream::ReadByte()";

    if (!DotNetUtils.callsMethod(method, streamRead))
        return false;
    if (DotNetUtils.callsMethod(method, streamReadByte))
        return false;

    // Obfuscated System.Int32 System.IO.Stream::ReadByte()
    // (matched by return type and parameter list instead of by full name)
    bool callsObfuscatedReadByte = DotNetUtils.callsMethod(method, "System.Int32", "(System.IO.Stream,System.Int32,System.Int32)");
    return !callsObfuscatedReadByte;
}
// Returns true when `method` has the Compact Framework shape this detector looks for:
//   * its locals are exactly requiredLocals_cf,
//   * it calls String.get_Length, Convert.FromBase64String and Assembly.GetExecutingAssembly,
//   * and it either calls two callees taking an Assembly (one returning System.Byte[], one
//     returning System.String) or calls Assembly.GetName plus AssemblyName.GetPublicKeyToken.
// The checks run in the same order as listed and stop at the first one that fails.
bool findCompactFramework(MethodDefinition method) {
    if (!new LocalTypes(method).exactly(requiredLocals_cf))
        return false;

    string[] mandatoryCalls = {
        "System.Int32 System.String::get_Length()",
        "System.Byte[] System.Convert::FromBase64String(System.String)",
        "System.Reflection.Assembly System.Reflection.Assembly::GetExecutingAssembly()",
    };
    foreach (var signature in mandatoryCalls) {
        if (!DotNetUtils.callsMethod(method, signature))
            return false;
    }

    // Variant 1: the assembly is handed to helper callees matched only by signature shape.
    bool usesAssemblyHelpers =
        DotNetUtils.callsMethod(method, "System.Byte[]", "(System.Reflection.Assembly)") &&
        DotNetUtils.callsMethod(method, "System.String", "(System.Reflection.Assembly)");
    if (usesAssemblyHelpers)
        return true;

    // Variant 2: the public key token is read directly through the framework API.
    return DotNetUtils.callsMethod(method, "System.Reflection.AssemblyName System.Reflection.Assembly::GetName()") &&
           DotNetUtils.callsMethod(method, "System.Byte[] System.Reflection.AssemblyName::GetPublicKeyToken()");
}
// Returns the first method of `type` that looks like the string decrypt method, or null when
// `type` is null or nothing matches. A candidate must be static, non-private, have a body,
// have the signature System.String(System.UInt32) and call Marshal.PtrToStringAnsi(IntPtr).
// Only the first match in type.Methods order is returned; later matches are not examined.
static MethodDefinition findDecryptMethod(TypeDefinition type) {
    if (type == null)
        return null;

    foreach (var candidate in type.Methods) {
        bool eligible = candidate.Body != null && candidate.IsStatic && !candidate.IsPrivate;
        if (!eligible)
            continue;

        bool matches =
            DotNetUtils.isMethod(candidate, "System.String", "(System.UInt32)") &&
            DotNetUtils.callsMethod(candidate, "System.String System.Runtime.InteropServices.Marshal::PtrToStringAnsi(System.IntPtr)");
        if (matches)
            return candidate;
    }

    return null;
}
// Finds the single wrapper method in `type` around typeName::methodName(parameters).
// A wrapper is a static, non-private, non-generic method with a body whose own signature is
// returnType(typeName,parameters) and which calls "returnType typeName::methodName(parameters)".
// Returns that method when exactly one exists; returns null when there is none or when a
// second match is found, so an ambiguous type never yields a guess.
static MethodDefinition getTheOnlyMethod(TypeDefinition type, string typeName, string methodName, string returnType, string parameters) {
    // Both signature strings depend only on the arguments, so build them once.
    string wrapperParameters = "(" + typeName + "," + parameters + ")";
    string wrappedCall = returnType + " " + typeName + "::" + methodName + "(" + parameters + ")";

    MethodDefinition onlyMatch = null;
    foreach (var candidate in type.Methods) {
        bool eligible = candidate.IsStatic && candidate.Body != null &&
                        !candidate.HasGenericParameters && !candidate.IsPrivate;
        if (!eligible)
            continue;
        if (!DotNetUtils.isMethod(candidate, returnType, wrapperParameters))
            continue;
        if (!DotNetUtils.callsMethod(candidate, wrappedCall))
            continue;

        // A second match makes the result ambiguous.
        if (onlyMatch != null)
            return null;
        onlyMatch = candidate;
    }

    return onlyMatch;
}
// Scans module.Types for the V1 resource decrypter type and stores it in resourceDecrypterType.
// resourceDecrypterType is reset to null first, so a failed scan leaves it null.
// A type qualifies when it has no fields and one of its getDecrypterMethods(type) methods has
// exactly the requiredLocals_v1 locals and calls callees with all five signature shapes below.
// Callees are matched by return type and parameter list only, not by name.
// Returns true on the first qualifying type, false when none is found.
bool findDesktopOrCompactFrameworkV1() {
    resourceDecrypterType = null;

    foreach (var type in module.Types) {
        if (type.Fields.Count != 0)
            continue;

        foreach (var candidate in getDecrypterMethods(type)) {
            if (candidate == null)
                continue;
            if (!new LocalTypes(candidate).exactly(requiredLocals_v1))
                continue;

            // Evaluated left to right; the first missing callee shape rejects the candidate.
            bool hasAllCallees =
                DotNetUtils.callsMethod(candidate, "System.Int64", "()") &&
                DotNetUtils.callsMethod(candidate, "System.Int32", "(System.Byte[],System.Int32,System.Int32)") &&
                DotNetUtils.callsMethod(candidate, "System.Void", "(System.Array,System.Int32,System.Array,System.Int32,System.Int32)") &&
                DotNetUtils.callsMethod(candidate, "System.Security.Cryptography.ICryptoTransform", "()") &&
                DotNetUtils.callsMethod(candidate, "System.Byte[]", "(System.Byte[],System.Int32,System.Int32)");
            if (!hasAllCallees)
                continue;

            resourceDecrypterType = type;
            return true;
        }
    }

    return false;
}
// Returns true, and sets `decrypter` to a new DecrypterV2, when `method` matches the V2 shape:
// DeobUtils.hasInteger(method, ' ') holds and the method calls every name in callsMethodsV2.
// `decrypter` is left untouched when the method does not match.
bool checkMethodV2(MethodDef method) {
    // The character literal ' ' is passed as the integer to look for (its code is 0x20).
    bool hasMarkerConstant = DeobUtils.hasInteger(method, ' ');
    if (!hasMarkerConstant)
        return false;

    foreach (var requiredCall in callsMethodsV2) {
        bool isCalled = DotNetUtils.callsMethod(method, requiredCall);
        if (!isCalled)
            return false;
    }

    decrypter = new DecrypterV2();
    return true;
}
// Returns true when `method` has the Silverlight shape this detector looks for:
//   * its locals are exactly requiredLocals_sl,
//   * it calls String.get_Length, Convert.FromBase64String, Assembly.GetExecutingAssembly,
//     Assembly.get_FullName and AssemblyName.GetPublicKeyToken,
//   * and it either calls a callee shaped System.String(System.Reflection.Assembly) or calls
//     AssemblyName.get_Name.
// The checks run in the same order as listed and stop at the first one that fails.
bool findSilverlight(MethodDef method) {
    if (!new LocalTypes(method).exactly(requiredLocals_sl))
        return false;

    string[] mandatoryCalls = {
        "System.Int32 System.String::get_Length()",
        "System.Byte[] System.Convert::FromBase64String(System.String)",
        "System.Reflection.Assembly System.Reflection.Assembly::GetExecutingAssembly()",
        "System.String System.Reflection.Assembly::get_FullName()",
        "System.Byte[] System.Reflection.AssemblyName::GetPublicKeyToken()",
    };
    foreach (var signature in mandatoryCalls) {
        if (!DotNetUtils.callsMethod(method, signature))
            return false;
    }

    // The assembly name comes either from a helper matched by shape or from the framework getter.
    return DotNetUtils.callsMethod(method, "System.String", "(System.Reflection.Assembly)") ||
           DotNetUtils.callsMethod(method, "System.String System.Reflection.AssemblyName::get_Name()");
}
// Accepts `resolverInitMethod` as a resolver initializer when it subscribes a handler to
// AppDomain.AssemblyResolve, i.e. it calls AppDomain.add_AssemblyResolve(ResolveEventHandler).
protected override bool checkResolverInitMethodInternal(MethodDef resolverInitMethod) {
    const string addAssemblyResolve = "System.Void System.AppDomain::add_AssemblyResolve(System.ResolveEventHandler)";
    return DotNetUtils.callsMethod(resolverInitMethod, addAssemblyResolve);
}
// True when info.ExecuteMethod does NOT call Type.GetMethod(String, BindingFlags).
// This is a negative match: any handler lacking that call passes this check.
static bool throw_check(UnknownHandlerInfo info) {
    const string typeGetMethod = "System.Reflection.MethodInfo System.Type::GetMethod(System.String,System.Reflection.BindingFlags)";
    bool callsGetMethod = DotNetUtils.callsMethod(info.ExecuteMethod, typeGetMethod);
    return !callsGetMethod;
}
// True when info.ExecuteMethod calls Module.ResolveMethod(Int32).
static bool ret_check(UnknownHandlerInfo info) {
    const string resolveMethod = "System.Reflection.MethodBase System.Reflection.Module::ResolveMethod(System.Int32)";
    return DotNetUtils.callsMethod(info.ExecuteMethod, resolveMethod);
}
// True when info.ExecuteMethod calls none of Module.ResolveMethod(Int32),
// Module.ResolveType(Int32) and Module.ResolveMember(Int32).
// This is a negative match: it holds for any handler that resolves no metadata token
// through these three calls.
static bool leave_check(UnknownHandlerInfo info) {
    string[] tokenResolvers = {
        "System.Reflection.MethodBase System.Reflection.Module::ResolveMethod(System.Int32)",
        "System.Type System.Reflection.Module::ResolveType(System.Int32)",
        "System.Reflection.MemberInfo System.Reflection.Module::ResolveMember(System.Int32)",
    };

    foreach (var resolver in tokenResolvers) {
        if (DotNetUtils.callsMethod(info.ExecuteMethod, resolver))
            return false;
    }
    return true;
}
// True when resourceDecrypterMethod calls Array.Reverse(Array).
// NOTE(review): the name suggests callers reverse the data themselves in that case; that use
// is not visible here, so confirm against the caller.
bool needReverse() {
    const string arrayReverse = "System.Void System.Array::Reverse(System.Array)";
    return DotNetUtils.callsMethod(resourceDecrypterMethod, arrayReverse);
}
// Detects this handler kind by call presence: true when info.ExecuteMethod calls
// Type.GetMethod(String, BindingFlags).
protected override bool detectInternal(UnknownHandlerInfo info) {
    const string typeGetMethod = "System.Reflection.MethodInfo System.Type::GetMethod(System.String,System.Reflection.BindingFlags)";
    return DotNetUtils.callsMethod(info.ExecuteMethod, typeGetMethod);
}
// Detects this handler kind by call presence: true when info.ExecuteMethod calls
// Module.ResolveType(Int32).
protected override bool detectInternal(UnknownHandlerInfo info) {
    const string resolveType = "System.Type System.Reflection.Module::ResolveType(System.Int32)";
    return DotNetUtils.callsMethod(info.ExecuteMethod, resolveType);
}
// Builds a display string naming the obfuscator version (or version range) that produced the
// file: DeobfuscatorInfo.THE_NAME followed by a suffix such as " <= 3.7" or " 4.3".
// The answer is a fingerprint derived from local variable types, one integer constant, one
// string and one call; it narrows the range step by step and is not an exact identification.
string detectVersion() {
    /*
     * Methods decrypter locals (not showing its own types).
     * '-' / '+' presumably mean the local is gone / new compared with the previous entry.
     * NOTE(review): the markers were partly garbled in this copy of the note; the 4.1.0.0
     * marker could not be recovered ('?'). Confirm against the upstream comment.
     *
     * 3.7.0.3:
     *      "System.Byte[]"
     *      "System.Int32"
     *      "System.Int32[]"
     *      "System.IntPtr"
     *      "System.IO.BinaryReader"
     *      "System.IO.MemoryStream"
     *      "System.Object"
     *      "System.Reflection.Assembly"
     *      "System.Security.Cryptography.CryptoStream"
     *      "System.Security.Cryptography.ICryptoTransform"
     *      "System.Security.Cryptography.RijndaelManaged"
     *      "System.String"
     *
     * 3.9.8.0:
     *  -   "System.Int32[]"
     *  +   "System.Diagnostics.StackFrame"
     *
     * 4.0.0.0: (jitter)
     *  -   "System.Diagnostics.StackFrame"
     *  -   "System.Object"
     *  +   "System.Boolean"
     *  +   "System.Collections.IEnumerator"
     *  +   "System.Delegate"
     *  +   "System.Diagnostics.Process"
     *  +   "System.Diagnostics.ProcessModule"
     *  +   "System.Diagnostics.ProcessModuleCollection"
     *  +   "System.IDisposable"
     *  +   "System.Int64"
     *  +   "System.UInt32"
     *  +   "System.UInt64"
     *
     * 4.1.0.0: (jitter)
     *  ?   "System.Reflection.Assembly"
     *
     * 4.3.1.0: (jitter)
     *  +   "System.Byte&"
     */

    // Step 1: the first string decrypter that has a key settles "<= 3.7" versus ">= 3.8".
    bool atLeast38 = false;
    foreach (var info in stringDecrypter.DecrypterInfos) {
        if (info.key == null)
            continue;

        var stringDecrypterLocals = new LocalTypes(info.method);
        if (!stringDecrypterLocals.exists("System.IntPtr"))
            return DeobfuscatorInfo.THE_NAME + " <= 3.7";

        atLeast38 = true;
        break;
    }

    // Step 2: without a methods decrypter nothing more can be told apart.
    if (methodsDecrypter.Method == null)
        return atLeast38 ? DeobfuscatorInfo.THE_NAME + " >= 3.8" : DeobfuscatorInfo.THE_NAME;

    // Step 3: pre-4.0 versions, distinguished by the methods decrypter's locals.
    var methodsDecrypterLocals = new LocalTypes(methodsDecrypter.Method);
    if (methodsDecrypterLocals.exists("System.Int32[]"))
        return DeobfuscatorInfo.THE_NAME + (atLeast38 ? " 3.8.4.1 - 3.9.0.1" : " <= 3.9.0.1");

    // If < 4.0
    if (!methodsDecrypterLocals.exists("System.Diagnostics.Process") &&
        methodsDecrypterLocals.exists("System.Diagnostics.StackFrame"))
        return DeobfuscatorInfo.THE_NAME + " 3.9.8.0";

    var compileMethod = MethodsDecrypter.findDnrCompileMethod(methodsDecrypter.Method.DeclaringType);
    if (compileMethod == null)
        return DeobfuscatorInfo.THE_NAME + " < 4.0";

    // Step 4: 4.x versions. Each method is deobfuscated before it is searched for the
    // constant or the string; the order of these four calls is kept as in the original.
    DeobfuscatedFile.deobfuscate(compileMethod);
    bool compileHasMarkerConstant = DeobUtils.hasInteger(compileMethod, 0x70000000);   // 4.0-4.1
    DeobfuscatedFile.deobfuscate(methodsDecrypter.Method);
    bool mentionsProfiling = findString(methodsDecrypter.Method, "Cor_Enable_Profiling");   // 4.1-4.4

    if (compileHasMarkerConstant)
        return DeobfuscatorInfo.THE_NAME + (mentionsProfiling ? " 4.1" : " 4.0");

    if (!mentionsProfiling) {
        // 4.x or 4.5
        bool callsReverse = DotNetUtils.callsMethod(methodsDecrypter.Method, "System.Void System.Array::Reverse(System.Array)");
        return DeobfuscatorInfo.THE_NAME + (callsReverse ? " 4.5" : " 4.x");
    }

    // 4.2-4.4
    // NOTE(review): methodsDecrypterLocals was collected before methodsDecrypter.Method was
    // deobfuscated above; presumably deobfuscation leaves the locals unchanged - confirm.
    if (!methodsDecrypterLocals.exists("System.Byte&"))
        return DeobfuscatorInfo.THE_NAME + " 4.2";

    var compileLocals = new LocalTypes(compileMethod);
    return DeobfuscatorInfo.THE_NAME + (compileLocals.exists("System.Object") ? " 4.4" : " 4.3");
}