Пример #1
 /// <summary>
 /// Creates one finder object per CliSecure component (attribute, runtime type, string
 /// decrypter, resource decrypter, proxy-call fixer, CSVM) and runs its search on the module.
 /// </summary>
 /// <remarks>
 /// Only the calls are visible here; what each <c>find</c> method matches on is defined elsewhere.
 /// Statement order matters: the string decrypter is built from a property of the runtime type.
 /// </remarks>
 protected override void scanForObfuscator()
 {
     findCliSecureAttribute();
     // The runtime-type search is the only one given the raw module bytes in addition to the parsed module.
     cliSecureRtType = new CliSecureRtType(module);
     cliSecureRtType.find(ModuleBytes);
     // StringDecrypterMethod is read after find() has run - presumably find() populates it; confirm in CliSecureRtType.
     stringDecrypter = new StringDecrypter(module, cliSecureRtType.StringDecrypterMethod);
     stringDecrypter.find();
     resourceDecrypter = new ResourceDecrypter(module);
     resourceDecrypter.find();
     proxyCallFixer = new ProxyCallFixer(module);
     proxyCallFixer.findDelegateCreator();
     // The CSVM finder also receives the deobfuscator context of the file being processed.
     csvm = new vm.Csvm(DeobfuscatedFile.DeobfuscatorContext, module);
     csvm.find();
 }
Пример #2
 /// <summary>
 /// Builds a new instance from an existing one by passing every type, method and field the
 /// old instance recorded through <c>Lookup</c> and storing the results.
 /// </summary>
 /// <param name="module">Module this instance is bound to.</param>
 /// <param name="oldOne">Instance whose findings are carried over; it is dereferenced without a null check.</param>
 /// <remarks>
 /// <c>Lookup</c> is defined outside this snippet. Its second argument is presumably the
 /// message used when an item cannot be resolved - confirm against its definition.
 /// </remarks>
 public CliSecureRtType(ModuleDefMD module, CliSecureRtType oldOne)
 {
     this.module = module;

     cliSecureRtType = Lookup(oldOne.cliSecureRtType, "Could not find CliSecureRt type");
     postInitializeMethod = Lookup(oldOne.postInitializeMethod, "Could not find postInitializeMethod method");
     initializeMethod = Lookup(oldOne.initializeMethod, "Could not find initializeMethod method");

     // Re-create every string decrypter entry from its looked-up method/field pair.
     foreach (var oldInfo in oldOne.stringDecrypterInfos.Keys)
     {
         var decrypterMethod = Lookup(oldInfo.Method, "Could not find string decrypter method");
         var decrypterField = Lookup(oldInfo.Field, "Could not find string decrypter field");
         var rebuiltInfo = new StringDecrypterInfo(decrypterMethod, decrypterField);
         stringDecrypterInfos[rebuiltInfo] = true;
     }

     loadMethod = Lookup(oldOne.loadMethod, "Could not find loadMethod method");

     // Copied as-is: the signature flag is not passed through Lookup.
     foundSig = oldOne.foundSig;
 }
Пример #3
 /// <summary>
 /// Creates one finder object per CliSecure component (attribute, runtime type, string
 /// decrypter, resource decrypter, proxy-call fixer, and two CSVM variants) and runs its
 /// search on the module.
 /// </summary>
 /// <remarks>
 /// Only the calls are visible here; what each <c>Find</c> method matches on is defined elsewhere.
 /// Statement order matters: the string decrypter is built from a property of the runtime type.
 /// </remarks>
 protected override void ScanForObfuscator()
 {
     FindCliSecureAttribute();
     // The runtime-type search is the only one given the raw module bytes in addition to the parsed module.
     cliSecureRtType = new CliSecureRtType(Module);
     cliSecureRtType.Find(ModuleBytes);
     // StringDecrypterInfos is read after Find() has run - presumably Find() populates it; confirm in CliSecureRtType.
     stringDecrypter = new StringDecrypter(Module, cliSecureRtType.StringDecrypterInfos);
     stringDecrypter.Find();
     resourceDecrypter = new ResourceDecrypter(Module);
     resourceDecrypter.Find();
     proxyCallFixer = new ProxyCallFixer(Module);
     proxyCallFixer.FindDelegateCreator();
     // Both CSVM finders (vm.v1 and vm.v2) are always run; neither result is inspected here.
     csvmV1 = new vm.v1.Csvm(DeobfuscatedFile.DeobfuscatorContext, Module);
     csvmV1.Find();
     csvmV2 = new vm.v2.Csvm(DeobfuscatedFile.DeobfuscatorContext, Module);
     csvmV2.Find();
 }
Пример #4
        /// <summary>
        /// Builds a six-byte IL sequence consisting of a <c>call</c> to the runtime type's
        /// initialize method followed by <c>ret</c>.
        /// </summary>
        /// <param name="csRtType">Runtime type whose <c>InitializeMethod</c> supplies the call target.</param>
        /// <returns>
        /// The six bytes, or <c>null</c> when <c>InitializeMethod</c> is null. Callers must be
        /// prepared for the null result.
        /// </returns>
        /// <remarks>
        /// Judging by the name, the bytes stand in for the body of the module's static
        /// constructor - confirm against the caller.
        /// </remarks>
        static byte[] GetModuleCctorBytes(CliSecureRtType csRtType)
        {
            var initializer = csRtType.InitializeMethod;
            if (initializer == null)
            {
                return null;
            }

            uint token = initializer.MDToken.ToUInt32();

            // The 32-bit metadata token follows the opcode in little-endian byte order.
            return new byte[]
            {
                0x28,                   // call
                (byte)token,
                (byte)(token >> 8),
                (byte)(token >> 16),
                (byte)(token >> 24),
                0x2A,                   // ret
            };
        }
Пример #5
        /// <summary>
        /// Stores the supplied image, module and runtime type on this instance, attempts
        /// decryption through <c>Decrypt2</c>, and falls back to
        /// <c>MethodsDecrypter.Decrypt</c> when <c>Decrypt2</c> reports an error.
        /// </summary>
        /// <param name="peImage">PE image stored on the instance before decryption is attempted.</param>
        /// <param name="module">Module stored on the instance and handed to the fallback decrypter.</param>
        /// <param name="csRtType">Runtime type stored on the instance and used to build the fallback's IL bytes.</param>
        /// <param name="dumpedMethods">Passed by reference to <c>Decrypt2</c>; replaced with the fallback's result on the error path.</param>
        /// <returns>
        /// <c>true</c> for <c>Decrypted</c> and for the fallback path (unconditionally);
        /// <c>false</c> for <c>NotEncrypted</c>.
        /// </returns>
        /// <exception cref="ApplicationException">Decrypt2 returned a value outside the three handled results.</exception>
        public bool Decrypt(MyPEImage peImage, ModuleDefMD module, CliSecureRtType csRtType, ref DumpedMethods dumpedMethods)
        {
            this.peImage = peImage;
            this.csRtType = csRtType;
            this.module = module;

            var outcome = Decrypt2(ref dumpedMethods);
            if (outcome == DecryptResult.Decrypted)
            {
                return true;
            }
            if (outcome == DecryptResult.NotEncrypted)
            {
                return false;
            }
            if (outcome != DecryptResult.Error)
            {
                throw new ApplicationException("Invalid DecryptResult");
            }

            // NOTE(review): the log text calls this a "dynamic" fallback. If it executes code taken
            // from the analysed module (not visible here), this path belongs in an isolated
            // analysis environment, since the sample's own initializer would run - confirm.
            Logger.n("Using dynamic method decryption");

            // NOTE(review): the bytes are forwarded without a null check - confirm that
            // MethodsDecrypter.Decrypt accepts null.
            byte[] cctorBody = GetModuleCctorBytes(csRtType);
            dumpedMethods = de4dot.code.deobfuscators.MethodsDecrypter.Decrypt(module, cctorBody);
            return true;
        }