Пример #1
0
        public void Find()
        {
            foreach (var type in module.Types)
            {
                if (type.HasNestedTypes || type.HasInterfaces)
                {
                    continue;
                }
                if (type.HasEvents || type.HasProperties)
                {
                    continue;
                }
                if (type.Fields.Count < 2 || type.Fields.Count > 3)
                {
                    continue;
                }
                if ((type.Attributes & ~TypeAttributes.Sealed) != 0)
                {
                    continue;
                }
                if (type.BaseType == null || type.BaseType.FullName != "System.Object")
                {
                    continue;
                }
                if (HasInstanceMethods(type))
                {
                    continue;
                }
                var cctor = type.FindStaticConstructor();
                if (cctor == null)
                {
                    continue;
                }

                FieldDef        encryptedDataFieldTmp;
                StringDataFlags stringDataFlagsTmp;
                if (!CheckCctor(cctor, out encryptedDataFieldTmp, out stringDataFlagsTmp))
                {
                    continue;
                }

                if (!InitializeDecrypterInfos(type))
                {
                    continue;
                }

                encryptedDataField = encryptedDataFieldTmp;
                stringDataFlags    = stringDataFlagsTmp;
                decrypterType      = type;
                return;
            }
        }
Пример #2
0
        public void find()
        {
            foreach (var type in module.Types)
            {
                if (type.HasNestedTypes || type.HasInterfaces)
                {
                    continue;
                }
                if (type.HasEvents || type.HasProperties)
                {
                    continue;
                }
                if (type.Fields.Count != 2)
                {
                    continue;
                }
                if ((type.Attributes & ~TypeAttributes.Sealed) != 0)
                {
                    continue;
                }
                if (type.BaseType == null || type.BaseType.FullName != "System.Object")
                {
                    continue;
                }
                if (hasInstanceMethods(type))
                {
                    continue;
                }
                var cctor = DotNetUtils.getMethod(type, ".cctor");
                if (cctor == null)
                {
                    continue;
                }

                FieldDefinition encryptedDataFieldTmp;
                StringDataFlags stringDataFlagsTmp;
                if (!checkCctor(cctor, out encryptedDataFieldTmp, out stringDataFlagsTmp))
                {
                    continue;
                }

                if (!initializeDecrypterInfos(type))
                {
                    continue;
                }

                encryptedDataField = encryptedDataFieldTmp;
                stringDataFlags    = stringDataFlagsTmp;
                decrypterType      = type;
                return;
            }
        }
Пример #3
0
        bool CheckCctor(MethodDef cctor, out FieldDef compressedDataField, out StringDataFlags flags)
        {
            flags = 0;
            var instructions = cctor.Body.Instructions;

            for (int i = 0; i < instructions.Count; i++)
            {
                var ldci4 = instructions[i];
                if (!ldci4.IsLdcI4())
                {
                    continue;
                }

                var instrs = DotNetUtils.GetInstructions(instructions, i + 1, OpCodes.Newarr, OpCodes.Dup, OpCodes.Ldtoken, OpCodes.Call);
                if (instrs == null)
                {
                    continue;
                }

                var newarr = instrs[0];
                if (newarr.Operand.ToString() != "System.Byte")
                {
                    continue;
                }

                var field = instrs[2].Operand as FieldDef;
                if (field == null || field.InitialValue == null || field.InitialValue.Length == 0)
                {
                    continue;
                }

                int index = i + 1 + instrs.Count;
                if (index < instructions.Count && instructions[index].OpCode.Code == Code.Call)
                {
                    flags = GetStringDataFlags(instructions[index].Operand as MethodDef);
                }

                compressedDataField = field;
                return(true);
            }

            compressedDataField = null;
            return(false);
        }
Пример #4
0
        StringDataFlags GetStringDataFlags(MethodDef method)
        {
            if (method == null || method.Body == null)
            {
                return(0);
            }
            var sig = method.MethodSig;

            if (sig == null || sig.Params.Count != 1)
            {
                return(0);
            }
            if (!CheckClass(sig.Params[0], "System.Byte[]"))
            {
                return(0);
            }
            if (!CheckClass(sig.RetType, "System.Byte[]"))
            {
                return(0);
            }

            StringDataFlags flags = 0;

            if (HasInstruction(method, Code.Not))
            {
                flags |= StringDataFlags.Encrypted2;
            }
            else if (HasInstruction(method, Code.Xor))
            {
                flags |= StringDataFlags.Encrypted1;
            }
            else if (Check3DesCreator(method))
            {
                flags |= StringDataFlags.Encrypted3DES;
            }
            if (CallsDecompressor(method))
            {
                flags |= StringDataFlags.Compressed;
            }

            return(flags);
        }
Пример #5
0
        StringDataFlags getStringDataFlags(MethodDefinition method)
        {
            if (method == null || method.Body == null)
            {
                return(0);
            }
            if (method.Parameters.Count != 1)
            {
                return(0);
            }
            if (!checkClass(method.Parameters[0].ParameterType, "System.Byte[]"))
            {
                return(0);
            }
            if (!checkClass(method.MethodReturnType.ReturnType, "System.Byte[]"))
            {
                return(0);
            }

            StringDataFlags flags = 0;

            if (hasInstruction(method, Code.Not))
            {
                flags |= StringDataFlags.Encrypted2;
            }
            else if (hasInstruction(method, Code.Xor))
            {
                flags |= StringDataFlags.Encrypted1;
            }
            else if (check3DesCreator(method))
            {
                flags |= StringDataFlags.Encrypted3DES;
            }
            if (callsDecompressor(method))
            {
                flags |= StringDataFlags.Compressed;
            }

            return(flags);
        }
Пример #6
0
        bool checkCctor(MethodDefinition cctor, out FieldDefinition compressedDataField, out StringDataFlags flags)
        {
            flags = 0;
            var instructions = cctor.Body.Instructions;
            for (int i = 0; i < instructions.Count; i++) {
                var ldci4 = instructions[i];
                if (!DotNetUtils.isLdcI4(ldci4))
                    continue;

                var instrs = DotNetUtils.getInstructions(instructions, i + 1, OpCodes.Newarr, OpCodes.Dup, OpCodes.Ldtoken, OpCodes.Call);
                if (instrs == null)
                    continue;

                var newarr = instrs[0];
                if (newarr.Operand.ToString() != "System.Byte")
                    continue;

                var field = instrs[2].Operand as FieldDefinition;
                if (field == null || field.InitialValue == null || field.InitialValue.Length == 0)
                    continue;

                int index = i + 1 + instrs.Count;
                if (index < instructions.Count && instructions[index].OpCode.Code == Code.Call)
                    flags = getStringDataFlags(instructions[index].Operand as MethodDefinition);

                compressedDataField = field;
                return true;
            }

            compressedDataField = null;
            return false;
        }
Пример #7
0
        public void find()
        {
            foreach (var type in module.Types) {
                if (type.HasNestedTypes || type.HasInterfaces)
                    continue;
                if (type.HasEvents || type.HasProperties)
                    continue;
                if (type.Fields.Count != 2)
                    continue;
                if ((type.Attributes & ~TypeAttributes.Sealed) != 0)
                    continue;
                if (type.BaseType == null || type.BaseType.FullName != "System.Object")
                    continue;
                if (hasInstanceMethods(type))
                    continue;
                var cctor = DotNetUtils.getMethod(type, ".cctor");
                if (cctor == null)
                    continue;

                FieldDefinition encryptedDataFieldTmp;
                StringDataFlags stringDataFlagsTmp;
                if (!checkCctor(cctor, out encryptedDataFieldTmp, out stringDataFlagsTmp))
                    continue;

                if (!initializeDecrypterInfos(type))
                    continue;

                encryptedDataField = encryptedDataFieldTmp;
                stringDataFlags = stringDataFlagsTmp;
                decrypterType = type;
                return;
            }
        }
Пример #8
0
        public void Find()
        {
            foreach (var type in module.Types) {
                if (type.HasNestedTypes || type.HasInterfaces)
                    continue;
                if (type.HasEvents || type.HasProperties)
                    continue;
                if (type.Fields.Count < 2 || type.Fields.Count > 3)
                    continue;
                if ((type.Attributes & ~TypeAttributes.Sealed) != 0)
                    continue;
                if (type.BaseType == null || type.BaseType.FullName != "System.Object")
                    continue;
                if (HasInstanceMethods(type))
                    continue;
                var cctor = type.FindStaticConstructor();
                if (cctor == null)
                    continue;

                FieldDef encryptedDataFieldTmp;
                StringDataFlags stringDataFlagsTmp;
                if (!CheckCctor(cctor, out encryptedDataFieldTmp, out stringDataFlagsTmp))
                    continue;

                if (!InitializeDecrypterInfos(type))
                    continue;

                encryptedDataField = encryptedDataFieldTmp;
                stringDataFlags = stringDataFlagsTmp;
                decrypterType = type;
                return;
            }
        }