Пример #1
		/// <summary>
		/// Merges the resources handled by <paramref name="resourceDecrypter"/> and, when
		/// the merge yields a resource, queues that resource and the decrypter's type for
		/// removal from the output.
		/// </summary>
		/// <param name="resourceDecrypter">Decrypter whose resources are merged.</param>
		void DecryptResources(ResourceDecrypter resourceDecrypter) {
			var mergedResource = resourceDecrypter.MergeResources();
			if (mergedResource == null) {
				// Nothing was merged, so there is nothing to schedule for removal.
				return;
			}

			// The encrypted container is queued for removal together with the
			// type that decrypted it.
			AddResourceToBeRemoved(mergedResource, "Encrypted resources");
			AddTypeToBeRemoved(resourceDecrypter.Type, "Resource decrypter type");
		}
Пример #2
 /// <summary>
 /// Runs every CliSecure detector against <c>module</c> and stores each detector in
 /// its field. This method only constructs the helpers and calls their find methods;
 /// it does not itself decide whether the module is protected.
 /// </summary>
 /// <remarks>
 /// Statement order matters: the string decrypter is constructed from a value read
 /// off <c>cliSecureRtType</c> after its <c>find</c> call.
 /// </remarks>
 protected override void scanForObfuscator()
 {
     // Presumably looks for the attribute CliSecure stamps on protected assemblies - confirm in findCliSecureAttribute().
     findCliSecureAttribute();
     // The runtime-type finder is the only helper here that is handed the raw
     // module bytes (ModuleBytes) in addition to the parsed module.
     cliSecureRtType = new CliSecureRtType(module);
     cliSecureRtType.find(ModuleBytes);
     // Reads cliSecureRtType.StringDecrypterMethod, so it must run after the find() above
     // (presumably that call is what populates the property - confirm).
     stringDecrypter = new StringDecrypter(module, cliSecureRtType.StringDecrypterMethod);
     stringDecrypter.find();
     // The remaining detectors take only the module (and, for Csvm, the deobfuscator context).
     resourceDecrypter = new ResourceDecrypter(module);
     resourceDecrypter.find();
     proxyCallFixer = new ProxyCallFixer(module);
     proxyCallFixer.findDelegateCreator();
     // NOTE(review): Csvm looks like the detector for CliSecure's virtual-machine protection - confirm.
     csvm = new vm.Csvm(DeobfuscatedFile.DeobfuscatorContext, module);
     csvm.find();
 }
Пример #3
		/// <summary>
		/// Runs every CliSecure detector against <c>module</c> and stores each detector in
		/// its field. This method only constructs the helpers and calls their Find methods;
		/// it does not itself decide whether the module is protected.
		/// </summary>
		/// <remarks>
		/// Statement order matters: the string decrypter is constructed from a value read
		/// off <c>cliSecureRtType</c> after its <c>Find</c> call.
		/// </remarks>
		protected override void ScanForObfuscator() {
			// Presumably looks for the attribute CliSecure stamps on protected assemblies - confirm in FindCliSecureAttribute().
			FindCliSecureAttribute();
			// The runtime-type finder is the only helper here that is handed the raw
			// module bytes (ModuleBytes) in addition to the parsed module.
			cliSecureRtType = new CliSecureRtType(module);
			cliSecureRtType.Find(ModuleBytes);
			// Reads cliSecureRtType.StringDecrypterInfos, so it must run after the Find() above
			// (presumably that call is what populates the property - confirm).
			stringDecrypter = new StringDecrypter(module, cliSecureRtType.StringDecrypterInfos);
			stringDecrypter.Find();
			resourceDecrypter = new ResourceDecrypter(module);
			resourceDecrypter.Find();
			proxyCallFixer = new ProxyCallFixer(module);
			proxyCallFixer.FindDelegateCreator();
			// Both VM detector versions (vm.v1 and vm.v2) are always run; choosing between
			// their results is left to code outside this method.
			csvmV1 = new vm.v1.Csvm(DeobfuscatedFile.DeobfuscatorContext, module);
			csvmV1.Find();
			csvmV2 = new vm.v2.Csvm(DeobfuscatedFile.DeobfuscatorContext, module);
			csvmV2.Find();
		}
Пример #4
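        /// <summary>
        /// Entry point: loads a Confuser-protected assembly, removes any detected
        /// anti-debug and anti-dump code, decrypts strings and resources, and saves the
        /// result as a separate file.
        /// </summary>
        /// <param name="args">
        /// Optional. <c>args[0]</c> is the assembly to clean and <c>args[1]</c> the output
        /// path. With only <c>args[0]</c>, the output is written next to the input with a
        /// <c>_cleaned</c> suffix. With no arguments the original hard-coded development
        /// paths are used.
        /// </param>
        static void Main(string[] args)
        {
            Console.Title = "DeConfuser - The De-Obfuscator for confuser v1.6";
            Console.WriteLine("Copyright © DragonHunter - 2012");
            Console.WriteLine("This deobfuscator might not work at every confused assembly, still BETA");
            Console.WriteLine("Checkout this project at http://deconfuser.codeplex.com");
            Console.WriteLine("Thanks also to Mono.Cecil there was no DeConfuser without Mono.Cecil");
            Console.WriteLine("This version of Mono.Cecil is modded by DragonHunter to do some evil shit");

            // Paths come from the command line when supplied; the former hard-coded
            // paths remain the fallback so running without arguments behaves as before.
            bool pathsFromArgs = args != null && args.Length >= 1;
            string inputPath;
            string outputPath;
            if (pathsFromArgs)
            {
                inputPath = args[0];
                if (args.Length >= 2)
                {
                    outputPath = args[1];
                }
                else
                {
                    // Same naming scheme as the defaults: Foo.exe -> Foo_cleaned.exe
                    string fullInput = System.IO.Path.GetFullPath(inputPath);
                    outputPath = System.IO.Path.Combine(
                        System.IO.Path.GetDirectoryName(fullInput),
                        System.IO.Path.GetFileNameWithoutExtension(fullInput) + "_cleaned" + System.IO.Path.GetExtension(fullInput));
                }
            }
            else
            {
                inputPath  = @"H:\DeConfuser\ConfuseMe\bin\Debug\confused\ConfuseMe.exe";
                outputPath = @"H:\DeConfuser\ConfuseMe\bin\Debug\confused\ConfuseMe_cleaned.exe";
            }

            if (!System.IO.File.Exists(inputPath))
            {
                Console.WriteLine("Input assembly not found: \"" + inputPath + "\"");
                Environment.ExitCode = 1;
                return;
            }

            // Never write over the sample being analysed: the original file has to stay
            // intact so it can still be hashed and compared with the cleaned copy.
            if (string.Equals(System.IO.Path.GetFullPath(inputPath),
                              System.IO.Path.GetFullPath(outputPath),
                              StringComparison.OrdinalIgnoreCase))
            {
                Console.WriteLine("Output path must differ from the input path: \"" + outputPath + "\"");
                Environment.ExitCode = 1;
                return;
            }

            //load assembly
            AssemblyDefinition asm = AssemblyFactory.GetAssembly(inputPath);

            #region Anti-Debug remover
            AntiDebug        debug      = new AntiDebug();
            TypeDefinition   AntiType   = null;
            MethodDefinition AntiMethod = null;
            Console.WriteLine("-------------------------------------------------------");
            if (debug.FindAntiDebug(asm, ref AntiType, ref AntiMethod))
            {
                Console.WriteLine("[Anti-Debugger] Anti-Debugger detected, removing...");
                debug.RemoveAntiDebug(asm, AntiType, AntiMethod);
                Console.WriteLine("[Anti-Debugger] Removed anti-debugger");
            }
            else
            {
                Console.WriteLine("This assembly is not protected with anti-debugging");
            }
            Console.WriteLine("-------------------------------------------------------");
            #endregion
            #region String Decryptor
            StringDecrypter  decrypter     = new StringDecrypter();
            TypeDefinition   DecryptType   = null;
            MethodDefinition DecryptMethod = null;
            if (decrypter.FindMethod(asm, ref DecryptType, ref DecryptMethod))
            {
                Console.WriteLine("[String Decryptor] Found string decryptor, decrypting strings...");
                // NOTE(review): GetStringResource receives the on-disk path as well as the
                // Cecil model. If it loads the sample through reflection and invokes the
                // sample's own decryptor (not visible here - confirm), code from the sample
                // runs inside this process; analyse untrusted binaries only in an isolated VM.
                byte[] StringData = decrypter.GetStringResource(asm, inputPath, DecryptMethod);
                decrypter.DecryptAllStrings(asm, DecryptMethod, StringData);
                decrypter.RemoveDecryptMethod(asm, DecryptType, DecryptMethod);
                Console.WriteLine("[String Decryptor] Removed the decrypt method");
            }
            else
            {
                Console.WriteLine("This assembly is not protected with encrypted strings");
            }
            Console.WriteLine("-------------------------------------------------------");
            #endregion
            #region Anti-Dump remover
            AntiDump         dump           = new AntiDump();
            TypeDefinition   AntiDumpType   = null;
            MethodDefinition AntiDumpMethod = null;
            if (dump.FindAntiDump(asm, ref AntiDumpType, ref AntiDumpMethod))
            {
                Console.WriteLine("[Anti-Dump] Anti-Dump detected, removing...");
                dump.RemoveAntiDump(asm, AntiDumpType, AntiDumpMethod);
                Console.WriteLine("[Anti-Dump] Removed anti-dump");
            }
            else
            {
                Console.WriteLine("This assembly is not protected with anti-dump");
            }
            Console.WriteLine("-------------------------------------------------------");
            #endregion
            #region Resource Decryptor
            ResourceDecrypter resourceDecrypter = new ResourceDecrypter();
            TypeDefinition    ResourceType      = null;
            MethodDefinition  ResourceMethod    = null;
            if (resourceDecrypter.FindMethod(asm, ref ResourceType, ref ResourceMethod))
            {
                Console.WriteLine("[Resource-Decrypter] Resource-Decrypter, decrypting");
                // NOTE(review): also takes inputPath - the same isolation caveat as for
                // GetStringResource applies if the sample is loaded for execution.
                resourceDecrypter.DecryptAllResources(asm, inputPath, ResourceType, ResourceMethod);
            }
            else
            {
                Console.WriteLine("This assembly is not protected with encrypted resources");
            }
            Console.WriteLine("-------------------------------------------------------");
            #endregion


            AssemblyFactory.SaveAssembly(asm, outputPath);
            Console.WriteLine("File dumped to \"" + outputPath + "\"");
            Console.WriteLine("Thanks for using DeConfuser :)");

            // Waiting on the current process never returns; it only keeps the console
            // window open. Kept for the no-argument run, skipped when paths were passed
            // on the command line so the tool can finish inside a scripted pipeline.
            if (!pathsFromArgs)
            {
                Process.GetCurrentProcess().WaitForExit();
            }
        }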