protected override void scanForObfuscator()
{
findCliSecureAttribute();
cliSecureRtType = new CliSecureRtType(module);
cliSecureRtType.find(ModuleBytes);
stringDecrypter = new StringDecrypter(module, cliSecureRtType.StringDecrypterMethod);
stringDecrypter.find();
resourceDecrypter = new ResourceDecrypter(module);
resourceDecrypter.find();
proxyCallFixer = new ProxyCallFixer(module);
proxyCallFixer.findDelegateCreator();
csvm = new vm.Csvm(DeobfuscatedFile.DeobfuscatorContext, module);
csvm.find();
}
public CliSecureRtType(ModuleDefMD module, CliSecureRtType oldOne)
{
this.module = module;
cliSecureRtType = Lookup(oldOne.cliSecureRtType, "Could not find CliSecureRt type");
postInitializeMethod = Lookup(oldOne.postInitializeMethod, "Could not find postInitializeMethod method");
initializeMethod = Lookup(oldOne.initializeMethod, "Could not find initializeMethod method");
foreach (var info in oldOne.stringDecrypterInfos.Keys)
{
var m = Lookup(info.Method, "Could not find string decrypter method");
var f = Lookup(info.Field, "Could not find string decrypter field");
stringDecrypterInfos[new StringDecrypterInfo(m, f)] = true;
}
loadMethod = Lookup(oldOne.loadMethod, "Could not find loadMethod method");
foundSig = oldOne.foundSig;
}
protected override void ScanForObfuscator()
{
FindCliSecureAttribute();
cliSecureRtType = new CliSecureRtType(Module);
cliSecureRtType.Find(ModuleBytes);
stringDecrypter = new StringDecrypter(Module, cliSecureRtType.StringDecrypterInfos);
stringDecrypter.Find();
resourceDecrypter = new ResourceDecrypter(Module);
resourceDecrypter.Find();
proxyCallFixer = new ProxyCallFixer(Module);
proxyCallFixer.FindDelegateCreator();
csvmV1 = new vm.v1.Csvm(DeobfuscatedFile.DeobfuscatorContext, Module);
csvmV1.Find();
csvmV2 = new vm.v2.Csvm(DeobfuscatedFile.DeobfuscatorContext, Module);
csvmV2.Find();
}
static byte[] GetModuleCctorBytes(CliSecureRtType csRtType)
{
var initMethod = csRtType.InitializeMethod;
if (initMethod == null)
{
return(null);
}
uint initToken = initMethod.MDToken.ToUInt32();
var moduleCctorBytes = new byte[6];
moduleCctorBytes[0] = 0x28; // call
moduleCctorBytes[1] = (byte)initToken;
moduleCctorBytes[2] = (byte)(initToken >> 8);
moduleCctorBytes[3] = (byte)(initToken >> 16);
moduleCctorBytes[4] = (byte)(initToken >> 24);
moduleCctorBytes[5] = 0x2A; // ret
return(moduleCctorBytes);
}
public bool Decrypt(MyPEImage peImage, ModuleDefMD module, CliSecureRtType csRtType, ref DumpedMethods dumpedMethods)
{
this.peImage = peImage;
this.csRtType = csRtType;
this.module = module;
switch (Decrypt2(ref dumpedMethods))
{
case DecryptResult.Decrypted: return(true);
case DecryptResult.NotEncrypted: return(false);
case DecryptResult.Error:
Logger.n("Using dynamic method decryption");
byte[] moduleCctorBytes = GetModuleCctorBytes(csRtType);
dumpedMethods = de4dot.code.deobfuscators.MethodsDecrypter.Decrypt(module, moduleCctorBytes);
return(true);
default:
throw new ApplicationException("Invalid DecryptResult");
}
}