public void Find()
{
foreach (var type in module.Types)
{
if (type.HasNestedTypes || type.HasInterfaces)
{
continue;
}
if (type.HasEvents || type.HasProperties)
{
continue;
}
if (type.Fields.Count < 2 || type.Fields.Count > 3)
{
continue;
}
if ((type.Attributes & ~TypeAttributes.Sealed) != 0)
{
continue;
}
if (type.BaseType == null || type.BaseType.FullName != "System.Object")
{
continue;
}
if (HasInstanceMethods(type))
{
continue;
}
var cctor = type.FindStaticConstructor();
if (cctor == null)
{
continue;
}
FieldDef encryptedDataFieldTmp;
StringDataFlags stringDataFlagsTmp;
if (!CheckCctor(cctor, out encryptedDataFieldTmp, out stringDataFlagsTmp))
{
continue;
}
if (!InitializeDecrypterInfos(type))
{
continue;
}
encryptedDataField = encryptedDataFieldTmp;
stringDataFlags = stringDataFlagsTmp;
decrypterType = type;
return;
}
}
public void find()
{
foreach (var type in module.Types)
{
if (type.HasNestedTypes || type.HasInterfaces)
{
continue;
}
if (type.HasEvents || type.HasProperties)
{
continue;
}
if (type.Fields.Count != 2)
{
continue;
}
if ((type.Attributes & ~TypeAttributes.Sealed) != 0)
{
continue;
}
if (type.BaseType == null || type.BaseType.FullName != "System.Object")
{
continue;
}
if (hasInstanceMethods(type))
{
continue;
}
var cctor = DotNetUtils.getMethod(type, ".cctor");
if (cctor == null)
{
continue;
}
FieldDefinition encryptedDataFieldTmp;
StringDataFlags stringDataFlagsTmp;
if (!checkCctor(cctor, out encryptedDataFieldTmp, out stringDataFlagsTmp))
{
continue;
}
if (!initializeDecrypterInfos(type))
{
continue;
}
encryptedDataField = encryptedDataFieldTmp;
stringDataFlags = stringDataFlagsTmp;
decrypterType = type;
return;
}
}
bool CheckCctor(MethodDef cctor, out FieldDef compressedDataField, out StringDataFlags flags)
{
flags = 0;
var instructions = cctor.Body.Instructions;
for (int i = 0; i < instructions.Count; i++)
{
var ldci4 = instructions[i];
if (!ldci4.IsLdcI4())
{
continue;
}
var instrs = DotNetUtils.GetInstructions(instructions, i + 1, OpCodes.Newarr, OpCodes.Dup, OpCodes.Ldtoken, OpCodes.Call);
if (instrs == null)
{
continue;
}
var newarr = instrs[0];
if (newarr.Operand.ToString() != "System.Byte")
{
continue;
}
var field = instrs[2].Operand as FieldDef;
if (field == null || field.InitialValue == null || field.InitialValue.Length == 0)
{
continue;
}
int index = i + 1 + instrs.Count;
if (index < instructions.Count && instructions[index].OpCode.Code == Code.Call)
{
flags = GetStringDataFlags(instructions[index].Operand as MethodDef);
}
compressedDataField = field;
return(true);
}
compressedDataField = null;
return(false);
}
StringDataFlags GetStringDataFlags(MethodDef method)
{
if (method == null || method.Body == null)
{
return(0);
}
var sig = method.MethodSig;
if (sig == null || sig.Params.Count != 1)
{
return(0);
}
if (!CheckClass(sig.Params[0], "System.Byte[]"))
{
return(0);
}
if (!CheckClass(sig.RetType, "System.Byte[]"))
{
return(0);
}
StringDataFlags flags = 0;
if (HasInstruction(method, Code.Not))
{
flags |= StringDataFlags.Encrypted2;
}
else if (HasInstruction(method, Code.Xor))
{
flags |= StringDataFlags.Encrypted1;
}
else if (Check3DesCreator(method))
{
flags |= StringDataFlags.Encrypted3DES;
}
if (CallsDecompressor(method))
{
flags |= StringDataFlags.Compressed;
}
return(flags);
}
StringDataFlags getStringDataFlags(MethodDefinition method)
{
if (method == null || method.Body == null)
{
return(0);
}
if (method.Parameters.Count != 1)
{
return(0);
}
if (!checkClass(method.Parameters[0].ParameterType, "System.Byte[]"))
{
return(0);
}
if (!checkClass(method.MethodReturnType.ReturnType, "System.Byte[]"))
{
return(0);
}
StringDataFlags flags = 0;
if (hasInstruction(method, Code.Not))
{
flags |= StringDataFlags.Encrypted2;
}
else if (hasInstruction(method, Code.Xor))
{
flags |= StringDataFlags.Encrypted1;
}
else if (check3DesCreator(method))
{
flags |= StringDataFlags.Encrypted3DES;
}
if (callsDecompressor(method))
{
flags |= StringDataFlags.Compressed;
}
return(flags);
}
bool checkCctor(MethodDefinition cctor, out FieldDefinition compressedDataField, out StringDataFlags flags)
{
flags = 0;
var instructions = cctor.Body.Instructions;
for (int i = 0; i < instructions.Count; i++) {
var ldci4 = instructions[i];
if (!DotNetUtils.isLdcI4(ldci4))
continue;
var instrs = DotNetUtils.getInstructions(instructions, i + 1, OpCodes.Newarr, OpCodes.Dup, OpCodes.Ldtoken, OpCodes.Call);
if (instrs == null)
continue;
var newarr = instrs[0];
if (newarr.Operand.ToString() != "System.Byte")
continue;
var field = instrs[2].Operand as FieldDefinition;
if (field == null || field.InitialValue == null || field.InitialValue.Length == 0)
continue;
int index = i + 1 + instrs.Count;
if (index < instructions.Count && instructions[index].OpCode.Code == Code.Call)
flags = getStringDataFlags(instructions[index].Operand as MethodDefinition);
compressedDataField = field;
return true;
}
compressedDataField = null;
return false;
}
public void find()
{
foreach (var type in module.Types) {
if (type.HasNestedTypes || type.HasInterfaces)
continue;
if (type.HasEvents || type.HasProperties)
continue;
if (type.Fields.Count != 2)
continue;
if ((type.Attributes & ~TypeAttributes.Sealed) != 0)
continue;
if (type.BaseType == null || type.BaseType.FullName != "System.Object")
continue;
if (hasInstanceMethods(type))
continue;
var cctor = DotNetUtils.getMethod(type, ".cctor");
if (cctor == null)
continue;
FieldDefinition encryptedDataFieldTmp;
StringDataFlags stringDataFlagsTmp;
if (!checkCctor(cctor, out encryptedDataFieldTmp, out stringDataFlagsTmp))
continue;
if (!initializeDecrypterInfos(type))
continue;
encryptedDataField = encryptedDataFieldTmp;
stringDataFlags = stringDataFlagsTmp;
decrypterType = type;
return;
}
}
public void Find()
{
foreach (var type in module.Types) {
if (type.HasNestedTypes || type.HasInterfaces)
continue;
if (type.HasEvents || type.HasProperties)
continue;
if (type.Fields.Count < 2 || type.Fields.Count > 3)
continue;
if ((type.Attributes & ~TypeAttributes.Sealed) != 0)
continue;
if (type.BaseType == null || type.BaseType.FullName != "System.Object")
continue;
if (HasInstanceMethods(type))
continue;
var cctor = type.FindStaticConstructor();
if (cctor == null)
continue;
FieldDef encryptedDataFieldTmp;
StringDataFlags stringDataFlagsTmp;
if (!CheckCctor(cctor, out encryptedDataFieldTmp, out stringDataFlagsTmp))
continue;
if (!InitializeDecrypterInfos(type))
continue;
encryptedDataField = encryptedDataFieldTmp;
stringDataFlags = stringDataFlagsTmp;
decrypterType = type;
return;
}
}