public override void deobfuscateBegin() { base.deobfuscateBegin(); if (options.DecryptResources) { addCctorInitCallToBeRemoved(resourceResolver.InitMethod); addTypeToBeRemoved(resourceResolver.Type, "Resource resolver type"); } decryptResources(); stringDecrypter.initialize(); if (Operations.DecryptStrings != OpDecryptString.None) { if (stringDecrypter.Resource != null) { Log.v("Adding string decrypter. Resource: {0}", Utils.toCsharpString(stringDecrypter.Resource.Name)); } staticStringInliner.add(stringDecrypter.DecryptMethod, (method, gim, args) => { return(stringDecrypter.decrypt(args)); }); DeobfuscatedFile.stringDecryptersAdded(); } if (options.DumpEmbeddedAssemblies) { assemblyResolver.initialize(DeobfuscatedFile, this); // Need to dump the assemblies before decrypting methods in case there's a reference // in the encrypted code to one of these assemblies. dumpEmbeddedAssemblies(); } if (options.DecryptMethods) { methodsDecrypter.initialize(DeobfuscatedFile, this); methodsDecrypter.decrypt(); } if (options.DecryptConstants) { constantsDecrypter.initialize(DeobfuscatedFile, this); addTypeToBeRemoved(constantsDecrypter.Type, "Constants decrypter type"); addResourceToBeRemoved(constantsDecrypter.Resource, "Encrypted constants"); int32ValueInliner = new Int32ValueInliner(); int32ValueInliner.add(constantsDecrypter.Int32Decrypter, (method, gim, args) => constantsDecrypter.decryptInt32((int)args[0])); int64ValueInliner = new Int64ValueInliner(); int64ValueInliner.add(constantsDecrypter.Int64Decrypter, (method, gim, args) => constantsDecrypter.decryptInt64((int)args[0])); singleValueInliner = new SingleValueInliner(); singleValueInliner.add(constantsDecrypter.SingleDecrypter, (method, gim, args) => constantsDecrypter.decryptSingle((int)args[0])); doubleValueInliner = new DoubleValueInliner(); doubleValueInliner.add(constantsDecrypter.DoubleDecrypter, (method, gim, args) => constantsDecrypter.decryptDouble((int)args[0])); } proxyCallFixer.find(); startedDeobfuscating = true; }
public override void deobfuscateBegin() { base.deobfuscateBegin(); proxyDelegateFinder = new ProxyDelegateFinder(module); proxyDelegateFinder.find(); localsRestorer = new LocalsRestorer(module); if (options.RestoreLocals) { localsRestorer.find(); } logicalExpressionFixer = new LogicalExpressionFixer(); stringDecrypter.initialize(); integerDecrypter.initialize(); arrayDecrypter.initialize(); if (options.DecryptIntegers) { int32ValueInliner = new Int32ValueInliner(); foreach (var method in integerDecrypter.getMethods()) { int32ValueInliner.add(method, (method2, args) => { return(integerDecrypter.decrypt(method2)); }); } } if (options.DecryptArrays) { arrayValueInliner = new ArrayValueInliner(module, initializedDataCreator); foreach (var method in arrayDecrypter.getMethods()) { arrayValueInliner.add(method, (method2, args) => { return(arrayDecrypter.decrypt(method2)); }); } } foreach (var method in stringDecrypter.getMethods()) { staticStringInliner.add(method, (method2, args) => { return(stringDecrypter.decrypt(method2)); }); DeobfuscatedFile.stringDecryptersAdded(); } if (options.RemoveAntiStrongName) { addTypeToBeRemoved(strongNameChecker.Type, "Strong name checker type"); } startedDeobfuscating = true; }
public override void deobfuscateBegin() { base.deobfuscateBegin(); resourceDecrypter = new ResourceDecrypter(module, DeobfuscatedFile); resourceResolver = new ResourceResolver(module, resourceDecrypter); assemblyResolver = new AssemblyResolver(module); resourceResolver.find(); assemblyResolver.find(); decryptResources(); stringDecrypter.init(resourceDecrypter); if (stringDecrypter.Method != null) { staticStringInliner.add(stringDecrypter.Method, (method, gim, args) => { return stringDecrypter.decrypt((int)args[0]); }); DeobfuscatedFile.stringDecryptersAdded(); } methodsDecrypter.decrypt(resourceDecrypter); if (methodsDecrypter.Detected) { if (!assemblyResolver.Detected) assemblyResolver.find(); if (!tamperDetection.Detected) tamperDetection.find(); } antiDebugger = new AntiDebugger(module, DeobfuscatedFile, this); antiDebugger.find(); if (options.DecryptConstants) { constantsDecrypter.init(resourceDecrypter); int32ValueInliner = new Int32ValueInliner(); int32ValueInliner.add(constantsDecrypter.Int32Decrypter, (method, gim, args) => constantsDecrypter.decryptInt32((int)args[0])); int64ValueInliner = new Int64ValueInliner(); int64ValueInliner.add(constantsDecrypter.Int64Decrypter, (method, gim, args) => constantsDecrypter.decryptInt64((int)args[0])); singleValueInliner = new SingleValueInliner(); singleValueInliner.add(constantsDecrypter.SingleDecrypter, (method, gim, args) => constantsDecrypter.decryptSingle((int)args[0])); doubleValueInliner = new DoubleValueInliner(); doubleValueInliner.add(constantsDecrypter.DoubleDecrypter, (method, gim, args) => constantsDecrypter.decryptDouble((int)args[0])); addTypeToBeRemoved(constantsDecrypter.Type, "Constants decrypter type"); addResourceToBeRemoved(constantsDecrypter.Resource, "Encrypted constants"); } addModuleCctorInitCallToBeRemoved(resourceResolver.Method); addModuleCctorInitCallToBeRemoved(assemblyResolver.Method); addCallToBeRemoved(module.EntryPoint, tamperDetection.Method); addModuleCctorInitCallToBeRemoved(tamperDetection.Method); addCallToBeRemoved(module.EntryPoint, antiDebugger.Method); addModuleCctorInitCallToBeRemoved(antiDebugger.Method); addTypeToBeRemoved(resourceResolver.Type, "Resource resolver type"); addTypeToBeRemoved(assemblyResolver.Type, "Assembly resolver type"); addTypeToBeRemoved(tamperDetection.Type, "Tamper detection type"); addTypeToBeRemoved(antiDebugger.Type, "Anti-debugger type"); addTypeToBeRemoved(methodsDecrypter.Type, "Methods decrypter type"); addTypesToBeRemoved(methodsDecrypter.DelegateTypes, "Methods decrypter delegate type"); addResourceToBeRemoved(methodsDecrypter.Resource, "Encrypted methods"); proxyCallFixer.find(); dumpEmbeddedAssemblies(); }
public override void deobfuscateBegin() { base.deobfuscateBegin(); proxyCallFixer = new ProxyCallFixer(module); proxyCallFixer.find(); localsRestorer = new LocalsRestorer(module); if (options.RestoreLocals) localsRestorer.find(); logicalExpressionFixer = new LogicalExpressionFixer(); stringDecrypter.initialize(); integerDecrypter.initialize(); arrayDecrypter.initialize(); if (options.DecryptIntegers) { int32ValueInliner = new Int32ValueInliner(); foreach (var method in integerDecrypter.getMethods()) { int32ValueInliner.add(method, (method2, args) => { return integerDecrypter.decrypt(method2); }); } } if (options.DecryptArrays) { arrayValueInliner = new ArrayValueInliner(module, initializedDataCreator); foreach (var method in arrayDecrypter.getMethods()) { arrayValueInliner.add(method, (method2, args) => { return arrayDecrypter.decrypt(method2); }); } } foreach (var method in stringDecrypter.getMethods()) { staticStringInliner.add(method, (method2, args) => { return stringDecrypter.decrypt(method2); }); DeobfuscatedFile.stringDecryptersAdded(); } if (options.RemoveAntiStrongName) addTypeToBeRemoved(strongNameChecker.Type, "Strong name checker type"); startedDeobfuscating = true; }
public override void deobfuscateBegin() { base.deobfuscateBegin(); if (options.DecryptResources) { addCctorInitCallToBeRemoved(resourceResolver.InitMethod); addTypeToBeRemoved(resourceResolver.Type, "Resource resolver type"); } decryptResources(); stringDecrypter.initialize(); if (Operations.DecryptStrings != OpDecryptString.None) { if (stringDecrypter.Resource != null) Log.v("Adding string decrypter. Resource: {0}", Utils.toCsharpString(stringDecrypter.Resource.Name)); staticStringInliner.add(stringDecrypter.DecryptMethod, (method, args) => { return stringDecrypter.decrypt(args); }); DeobfuscatedFile.stringDecryptersAdded(); } if (options.DumpEmbeddedAssemblies) { assemblyResolver.initialize(DeobfuscatedFile, this); // Need to dump the assemblies before decrypting methods in case there's a reference // in the encrypted code to one of these assemblies. dumpEmbeddedAssemblies(); } if (options.DecryptMethods) { methodsDecrypter.initialize(DeobfuscatedFile, this); methodsDecrypter.decrypt(); } if (options.DecryptConstants) { constantsDecrypter.initialize(DeobfuscatedFile, this); addTypeToBeRemoved(constantsDecrypter.Type, "Constants decrypter type"); addResourceToBeRemoved(constantsDecrypter.Resource, "Encrypted constants"); int32ValueInliner = new Int32ValueInliner(); int32ValueInliner.add(constantsDecrypter.Int32Decrypter, (method, args) => constantsDecrypter.decryptInt32((int)args[0])); int64ValueInliner = new Int64ValueInliner(); int64ValueInliner.add(constantsDecrypter.Int64Decrypter, (method, args) => constantsDecrypter.decryptInt64((int)args[0])); singleValueInliner = new SingleValueInliner(); singleValueInliner.add(constantsDecrypter.SingleDecrypter, (method, args) => constantsDecrypter.decryptSingle((int)args[0])); doubleValueInliner = new DoubleValueInliner(); doubleValueInliner.add(constantsDecrypter.DoubleDecrypter, (method, args) => constantsDecrypter.decryptDouble((int)args[0])); } proxyDelegateFinder.find(); }
public override void deobfuscateBegin() { base.deobfuscateBegin(); resourceDecrypter = new ResourceDecrypter(module, DeobfuscatedFile); resourceResolver = new ResourceResolver(module, resourceDecrypter); assemblyResolver = new AssemblyResolver(module); resourceResolver.find(); assemblyResolver.find(); decryptResources(); stringDecrypter.init(resourceDecrypter); if (stringDecrypter.Method != null) { staticStringInliner.add(stringDecrypter.Method, (method, gim, args) => { return(stringDecrypter.decrypt((int)args[0])); }); DeobfuscatedFile.stringDecryptersAdded(); } methodsDecrypter.decrypt(resourceDecrypter); if (methodsDecrypter.Detected) { if (!assemblyResolver.Detected) { assemblyResolver.find(); } if (!tamperDetection.Detected) { tamperDetection.find(); } } antiDebugger = new AntiDebugger(module, DeobfuscatedFile, this); antiDebugger.find(); if (options.DecryptConstants) { constantsDecrypter.init(resourceDecrypter); int32ValueInliner = new Int32ValueInliner(); int32ValueInliner.add(constantsDecrypter.Int32Decrypter, (method, gim, args) => constantsDecrypter.decryptInt32((int)args[0])); int64ValueInliner = new Int64ValueInliner(); int64ValueInliner.add(constantsDecrypter.Int64Decrypter, (method, gim, args) => constantsDecrypter.decryptInt64((int)args[0])); singleValueInliner = new SingleValueInliner(); singleValueInliner.add(constantsDecrypter.SingleDecrypter, (method, gim, args) => constantsDecrypter.decryptSingle((int)args[0])); doubleValueInliner = new DoubleValueInliner(); doubleValueInliner.add(constantsDecrypter.DoubleDecrypter, (method, gim, args) => constantsDecrypter.decryptDouble((int)args[0])); addTypeToBeRemoved(constantsDecrypter.Type, "Constants decrypter type"); addResourceToBeRemoved(constantsDecrypter.Resource, "Encrypted constants"); } addModuleCctorInitCallToBeRemoved(resourceResolver.Method); addModuleCctorInitCallToBeRemoved(assemblyResolver.Method); addCallToBeRemoved(module.EntryPoint, tamperDetection.Method); addModuleCctorInitCallToBeRemoved(tamperDetection.Method); addCallToBeRemoved(module.EntryPoint, antiDebugger.Method); addModuleCctorInitCallToBeRemoved(antiDebugger.Method); addTypeToBeRemoved(resourceResolver.Type, "Resource resolver type"); addTypeToBeRemoved(assemblyResolver.Type, "Assembly resolver type"); addTypeToBeRemoved(tamperDetection.Type, "Tamper detection type"); addTypeToBeRemoved(antiDebugger.Type, "Anti-debugger type"); addTypeToBeRemoved(methodsDecrypter.Type, "Methods decrypter type"); addTypesToBeRemoved(methodsDecrypter.DelegateTypes, "Methods decrypter delegate type"); addResourceToBeRemoved(methodsDecrypter.Resource, "Encrypted methods"); proxyCallFixer.find(); dumpEmbeddedAssemblies(); }