/// <summary>
/// Decrypts <paramref name="resource"/> and records every string stored in it, keyed by the
/// byte offset at which that string starts inside the decrypted blob.
/// </summary>
/// <param name="module">Module handed to the <c>ResourceDecrypter</c> constructor.</param>
/// <param name="resource">Embedded resource whose data is decrypted and parsed.</param>
public void initialize(ModuleDefinition module, EmbeddedResource resource)
{
    var plain = new ResourceDecrypter(module).decrypt(resource.GetResourceData());
    var input = new BinaryReader(new MemoryStream(plain));
    var stream = input.BaseStream;

    // The blob is parsed as back-to-back BinaryReader strings until the stream is exhausted.
    // NOTE(review): the bytes come from a resource of the module being processed, so a
    // malformed blob surfaces here as an exception from ReadString.
    while (stream.Position < stream.Length)
    {
        // Capture the offset before reading: the key is where the string begins.
        int startOffset = (int)stream.Position;
        offsetToString[startOffset] = input.ReadString();
    }
}
/// <summary>
/// Decrypts the encrypted resource, skips its string table and returns all remaining bytes.
/// </summary>
/// <returns>Every byte that follows the string table in the decrypted blob.</returns>
byte[] decryptResourceAssembly()
{
    var plain = new ResourceDecrypter(module).decrypt(encryptedResource.GetResourceData());
    var input = new BinaryReader(new MemoryStream(plain));

    // Header layout as read here: an Int32 count followed by that many strings.
    // The strings are read only to advance the stream; their values are discarded.
    int stringCount = input.ReadInt32();
    for (int left = stringCount; left > 0; left--)
    {
        input.ReadString();
    }

    var stream = input.BaseStream;
    int tailLength = (int)(stream.Length - stream.Position);
    return input.ReadBytes(tailLength);
}
/// <summary>
/// Scans the methods of <paramref name="type"/> and returns the first non-null result of
/// <c>ResourceDecrypter.FindDecrypterMethod</c>.
/// </summary>
/// <param name="type">Type whose methods are inspected in declaration order.</param>
/// <returns>The first decrypter method found, or <c>null</c> when no method yields one.</returns>
static MethodDef FindDecryptMethod(TypeDef type)
{
    MethodDef found = null;
    foreach (var candidate in type.Methods)
    {
        found = ResourceDecrypter.FindDecrypterMethod(candidate);
        if (found != null)
        {
            break;
        }
    }

    // Still null here when the loop ran to completion without a hit.
    return found;
}
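/// <summary>
/// Decrypts <paramref name="encryptedData"/>, deserializes the result as an array and returns
/// its contents as raw bytes.
/// </summary>
/// <param name="encryptedData">Encrypted, serialized array.</param>
/// <param name="elemSize">Size in bytes of one element of the deserialized array.</param>
/// <returns>
/// The deserialized array itself when it is a <c>byte[]</c>; otherwise a new byte array holding a
/// block copy of its elements.
/// </returns>
/// <exception cref="OverflowException">
/// The element count multiplied by <paramref name="elemSize"/> does not fit in an <c>int</c>.
/// </exception>
byte[] decryptArray(byte[] encryptedData, int elemSize)
{
    var decrypted = new ResourceDecrypter(module).decrypt(encryptedData);

    // SECURITY(review): BinaryFormatter.Deserialize instantiates whatever types the payload
    // names, and the payload here is derived from the data being processed rather than from
    // this program. Deserializing untrusted input this way is unsafe. Restrict the formatter
    // with a SerializationBinder that admits only the primitive array types expected here,
    // or parse the array format by hand, and run the tool on untrusted files only in an
    // isolated environment. Left in place because replacing it changes what inputs are accepted.
    Array ary;
    using (var stream = new MemoryStream(decrypted))
    {
        ary = (Array)new BinaryFormatter().Deserialize(stream);
    }

    var bytes = ary as byte[];
    if (bytes != null)
    {
        return bytes;
    }

    // checked: an unchecked overflow would wrap to a smaller length and silently truncate the copy.
    var newAry = new byte[checked(ary.Length * elemSize)];
    Buffer.BlockCopy(ary, 0, newAry, 0, newAry.Length);
    return newAry;
}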
/// <summary>
/// Searches the module's types for the resolver type and, on the first match, records the type,
/// its register method and its embedded resource, and configures the resource decrypter.
/// </summary>
/// <exception cref="ApplicationException">
/// A type passed every filter but no decrypt method could be found on it.
/// </exception>
public void find()
{
    string[] wantedFieldTypes =
    {
        "System.Reflection.Assembly",
        "System.Object",
        "System.Int32",
        "System.String[]",
    };

    foreach (var candidate in module.Types)
    {
        // Structural filters: no events, and the field types must satisfy FieldTypes.all.
        if (candidate.HasEvents || !new FieldTypes(candidate).all(wantedFieldTypes))
        {
            continue;
        }

        MethodDefinition register, handlerMethod;
        bool hasRegisterMethod = BabelUtils.findRegisterMethod(candidate, out register, out handlerMethod);
        if (!hasRegisterMethod)
        {
            continue;
        }

        var embedded = BabelUtils.findEmbeddedResource(module, candidate);
        if (embedded == null)
        {
            continue;
        }

        // From here on the type is treated as the match; a missing decrypt method is an error,
        // not a reason to try the next type.
        var typeDecryptMethod = findDecryptMethod(candidate);
        if (typeDecryptMethod == null)
        {
            throw new ApplicationException("Couldn't find resource type decrypt method");
        }

        resourceDecrypter.DecryptMethod = ResourceDecrypter.findDecrypterMethod(typeDecryptMethod);
        initXorKeys(typeDecryptMethod);

        resolverType = candidate;
        registerMethod = register;
        encryptedResource = embedded;
        return;
    }
}
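/// <summary>
/// Locates and decrypts the constants resource, then loads the int, long, float and double
/// tables from it. Does nothing when no decrypter type was found.
/// </summary>
/// <param name="simpleDeobfuscator">Forwarded to <c>BabelUtils.findEmbeddedResource</c>.</param>
/// <param name="deob">Forwarded to <c>BabelUtils.findEmbeddedResource</c>.</param>
/// <exception cref="ApplicationException">
/// A table declares a negative element count or more elements than the remaining data can hold.
/// </exception>
public void initialize(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
{
    if (decrypterType == null)
    {
        return;
    }

    encryptedResource = BabelUtils.findEmbeddedResource(module, decrypterType, simpleDeobfuscator, deob);
    if (encryptedResource == null)
    {
        Log.w("Could not find encrypted constants resource");
        return;
    }

    var decrypted = new ResourceDecrypter(module).decrypt(encryptedResource.GetResourceData());
    using (var reader = new BinaryReader(new MemoryStream(decrypted)))
    {
        // Each table is an Int32 count followed by that many fixed-size values. The counts come
        // from the resource itself, so they are checked against the bytes actually left before
        // any array is allocated. Values are stored into the arrays from the last index down.
        int count;

        count = readCheckedCount(reader, sizeof(int));
        decryptedInts = new int[count];
        while (count-- > 0)
        {
            decryptedInts[count] = reader.ReadInt32();
        }

        count = readCheckedCount(reader, sizeof(long));
        decryptedLongs = new long[count];
        while (count-- > 0)
        {
            decryptedLongs[count] = reader.ReadInt64();
        }

        count = readCheckedCount(reader, sizeof(float));
        decryptedFloats = new float[count];
        while (count-- > 0)
        {
            decryptedFloats[count] = reader.ReadSingle();
        }

        count = readCheckedCount(reader, sizeof(double));
        decryptedDoubles = new double[count];
        while (count-- > 0)
        {
            decryptedDoubles[count] = reader.ReadDouble();
        }
    }
}

// Reads an Int32 element count and rejects it unless count * elemSize bytes remain in the stream.
static int readCheckedCount(BinaryReader reader, int elemSize)
{
    int count = reader.ReadInt32();
    long remaining = reader.BaseStream.Length - reader.BaseStream.Position;
    if (count < 0 || count > remaining / elemSize)
    {
        throw new ApplicationException("Invalid element count in encrypted constants resource");
    }
    return count;
}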
/// <summary>
/// Checks whether <paramref name="type"/> has the shape expected of the constants decrypter:
/// no events, exactly one nested type with the expected fields, and one method for each of
/// the five required signatures.
/// </summary>
/// <param name="type">Candidate type.</param>
/// <returns><c>true</c> when every check passes; otherwise <c>false</c>.</returns>
bool isConstantDecrypter(TypeDefinition type)
{
    if (type.HasEvents || type.NestedTypes.Count != 1)
    {
        return false;
    }

    var inner = type.NestedTypes[0];
    if (!checkNestedFields(inner))
    {
        return false;
    }

    // Side effect: the decrypt method is assigned before the signature checks below, so it
    // stays assigned even when one of those checks makes this method return false.
    resourceDecrypter.DecryptMethod = ResourceDecrypter.findDecrypterMethod(DotNetUtils.getMethod(inner, ".ctor"));

    // { return type, parameter list } of every method the type must declare, checked in order.
    string[][] requiredSignatures =
    {
        new[] { "System.Int32", "(System.Int32)" },
        new[] { "System.Int64", "(System.Int32)" },
        new[] { "System.Single", "(System.Int32)" },
        new[] { "System.Double", "(System.Int32)" },
        new[] { "System.Array", "(System.Byte[])" },
    };

    foreach (var signature in requiredSignatures)
    {
        if (DotNetUtils.getMethod(type, signature[0], signature[1]) == null)
        {
            return false;
        }
    }

    return true;
}
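/// <summary>
/// Locates and decrypts the embedded-assemblies resource and builds one
/// <c>EmbeddedAssemblyInfo</c> per assembly stored in it. Does nothing when no resolver type
/// was found.
/// </summary>
/// <param name="simpleDeobfuscator">Forwarded to <c>BabelUtils.findEmbeddedResource</c>.</param>
/// <param name="deob">Forwarded to <c>BabelUtils.findEmbeddedResource</c>.</param>
/// <exception cref="ApplicationException">
/// The resource declares an assembly count or an assembly size that the remaining data cannot hold.
/// </exception>
public void initialize(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
{
    if (resolverType == null)
    {
        return;
    }

    encryptedResource = BabelUtils.findEmbeddedResource(module, resolverType, simpleDeobfuscator, deob);
    if (encryptedResource == null)
    {
        Log.w("Could not find embedded assemblies resource");
        return;
    }

    var decrypted = new ResourceDecrypter(module).decrypt(encryptedResource.GetResourceData());
    using (var reader = new BinaryReader(new MemoryStream(decrypted)))
    {
        var stream = reader.BaseStream;

        // Both the entry count and every per-entry size are read from the resource, so each is
        // checked against the bytes actually left before it is used to size an allocation.
        // An entry needs at least a 1-byte string length prefix plus a 4-byte data length.
        const int MinEntrySize = 5;
        int numAssemblies = reader.ReadInt32();
        if (numAssemblies < 0 || numAssemblies > (stream.Length - stream.Position) / MinEntrySize)
        {
            throw new ApplicationException("Invalid assembly count in embedded assemblies resource");
        }

        embeddedAssemblyInfos = new EmbeddedAssemblyInfo[numAssemblies];
        for (int i = 0; i < numAssemblies; i++)
        {
            string name = reader.ReadString();

            int size = reader.ReadInt32();
            if (size < 0 || size > stream.Length - stream.Position)
            {
                throw new ApplicationException("Invalid assembly size in embedded assemblies resource");
            }
            var data = reader.ReadBytes(size);

            // The embedded image is parsed only to learn its kind, which selects the extension.
            var mod = ModuleDefinition.ReadModule(new MemoryStream(data));
            embeddedAssemblyInfos[i] = new EmbeddedAssemblyInfo(name, DeobUtils.getExtension(mod.Kind), data);
        }
    }
}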
/// <summary>
/// Searches the module's types for the resolver type and, on the first match, records the type
/// and its register method and configures the resource decrypter.
/// </summary>
/// <exception cref="ApplicationException">
/// A type passed every filter but no decrypt method could be found on it.
/// </exception>
public void find()
{
    string[] wantedFieldTypes =
    {
        "System.Object",
        "System.Int32",
        "System.Collections.Hashtable",
    };

    foreach (var candidate in module.Types)
    {
        // Structural filters: no events, and the field types must satisfy FieldTypes.exactly.
        if (candidate.HasEvents || !new FieldTypes(candidate).exactly(wantedFieldTypes))
        {
            continue;
        }

        MethodDef register, handlerMethod;
        bool hasRegisterMethod = BabelUtils.findRegisterMethod(candidate, out register, out handlerMethod);
        if (!hasRegisterMethod)
        {
            continue;
        }

        // From here on the type is treated as the match; a missing decrypt method is an error,
        // not a reason to try the next type.
        var typeDecryptMethod = findDecryptMethod(candidate);
        if (typeDecryptMethod == null)
        {
            throw new ApplicationException("Couldn't find resource type decrypt method");
        }

        resourceDecrypter.DecryptMethod = ResourceDecrypter.findDecrypterMethod(typeDecryptMethod);
        resolverType = candidate;
        registerMethod = register;
        return;
    }
}
/// <summary>
/// Inspects a type and one of its nested types and, when their shape matches one of the known
/// string-decrypter layouts, returns a decrypter description for it.
/// </summary>
/// <param name="type">Outer type; must declare the static decrypter method.</param>
/// <param name="nested">Nested type; must declare a constructor and the instance decrypter method.</param>
/// <returns>
/// A <c>DecrypterInfoV3</c> or <c>DecrypterInfoV2</c> describing the decrypter, or <c>null</c>
/// when no layout matches.
/// </returns>
/// <remarks>
/// Side effect: <c>resourceDecrypter.DecryptMethod</c> is assigned in the 1/3-field branch and in
/// the Hashtable branch. In the 1/3-field branch the assignment happens before the remaining
/// checks, so it can be left set even when this method returns <c>null</c>.
/// </remarks>
IDecrypterInfo CheckNested(TypeDef type, TypeDef nested) {
    // The nested type must have no properties or events and must have a constructor.
    if (nested.HasProperties || nested.HasEvents) { return(null); }
    if (nested.FindMethod(".ctor") == null) { return(null); }

    // The field count of the nested type selects which layout is tried.
    if (nested.Fields.Count == 1 || nested.Fields.Count == 3) {
        // 4.0+ (version label kept from the original; presumably the obfuscator release - confirm)
        if (!HasFieldType(nested.Fields, nested)) { return(null); }

        // Method on the nested type that takes a TypeBuilder and returns a MethodBuilder.
        var decrypterBuilderMethod = DotNetUtils.GetMethod(nested, "System.Reflection.Emit.MethodBuilder", "(System.Reflection.Emit.TypeBuilder)");
        if (decrypterBuilderMethod == null) { return(null); }

        // Assigned before the checks below; not rolled back if one of them returns null.
        resourceDecrypter.DecryptMethod = ResourceDecrypter.FindDecrypterMethod(nested.FindMethod(".ctor"));

        // Instance String(Int32) on the nested type, static String(Int32) on the outer type.
        var nestedDecrypter = DotNetUtils.GetMethod(nested, "System.String", "(System.Int32)");
        if (nestedDecrypter == null || nestedDecrypter.IsStatic) { return(null); }
        var decrypter = DotNetUtils.GetMethod(type, "System.String", "(System.Int32)");
        if (decrypter == null || !decrypter.IsStatic) { return(null); }

        // The builder method is deobfuscated before its offset-calculation instructions are extracted.
        simpleDeobfuscator.Deobfuscate(decrypterBuilderMethod);
        return(new DecrypterInfoV3(resourceDecrypter) { Decrypter = decrypter, OffsetCalcInstructions = GetOffsetCalcInstructions(decrypterBuilderMethod), });
    } else if (nested.Fields.Count == 2) {
        // 3.0 - 3.5 (version label kept from the original)
        if (CheckFields(nested, "System.Collections.Hashtable", nested)) {
            // 3.0 - 3.5: Hashtable-based layout, decrypter signature String(Int32).
            var nestedDecrypter = DotNetUtils.GetMethod(nested, "System.String", "(System.Int32)");
            if (nestedDecrypter == null || nestedDecrypter.IsStatic) { return(null); }
            var decrypter = DotNetUtils.GetMethod(type, "System.String", "(System.Int32)");
            if (decrypter == null || !decrypter.IsStatic) { return(null); }

            // Here the decrypt method is assigned only after both method checks have passed.
            resourceDecrypter.DecryptMethod = ResourceDecrypter.FindDecrypterMethod(nested.FindMethod(".ctor"));
            return(new DecrypterInfoV3(resourceDecrypter) { Decrypter = decrypter });
        } else if (CheckFields(nested, "System.Byte[]", nested)) {
            // 3.0: byte-array layout, decrypter signature String(String, Int32).
            // This branch does not touch resourceDecrypter.
            var nestedDecrypter = DotNetUtils.GetMethod(nested, "System.String", "(System.String,System.Int32)");
            if (nestedDecrypter == null || nestedDecrypter.IsStatic) { return(null); }
            var decrypter = DotNetUtils.GetMethod(type, "System.String", "(System.String,System.Int32)");
            if (decrypter == null || !decrypter.IsStatic) { return(null); }
            return(new DecrypterInfoV2 { Decrypter = decrypter });
        } else { return(null); }
    }
    // Any other field count is not a recognised layout.
    return(null);
}
/// <summary>Creates a string decrypter for <paramref name="module"/>.</summary>
/// <param name="module">Module stored for later use.</param>
/// <param name="resourceDecrypter">Resource decrypter stored for later use.</param>
public StringDecrypter(ModuleDefMD module, ResourceDecrypter resourceDecrypter)
{
    // Construction only captures the two collaborators; nothing is validated or decrypted here.
    this.resourceDecrypter = resourceDecrypter;
    this.module = module;
}
/// <summary>Creates a V3 decrypter description that uses the given resource decrypter.</summary>
/// <param name="resourceDecrypter">Resource decrypter stored for later use; not validated here.</param>
public DecrypterInfoV3(ResourceDecrypter resourceDecrypter)
{
    this.resourceDecrypter = resourceDecrypter;
}
/// <summary>Creates an assembly resolver for <paramref name="module"/>.</summary>
/// <param name="module">Module stored for later use.</param>
/// <param name="resourceDecrypter">Resource decrypter stored for later use.</param>
public AssemblyResolver(ModuleDefMD module, ResourceDecrypter resourceDecrypter)
{
    // Construction only captures the two collaborators; no lookup or decryption happens here.
    this.resourceDecrypter = resourceDecrypter;
    this.module = module;
}
/// <summary>Initializes the string decrypter with the module it works on.</summary>
/// <param name="module">Module kept in the instance.</param>
/// <param name="resourceDecrypter">Resource decrypter kept in the instance.</param>
public StringDecrypter(ModuleDefMD module, ResourceDecrypter resourceDecrypter)
{
    // Arguments are stored as given; neither is checked for null.
    this.resourceDecrypter = resourceDecrypter;
    this.module = module;
}
/// <summary>Initializes the V3 decrypter description.</summary>
/// <param name="resourceDecrypter">Resource decrypter kept in the instance, stored as given.</param>
public DecrypterInfoV3(ResourceDecrypter resourceDecrypter)
{
    this.resourceDecrypter = resourceDecrypter;
}
/// <summary>
/// Decrypts the encrypted resource and returns the payload that follows its string table.
/// </summary>
/// <returns>All bytes between the end of the string table and the end of the decrypted blob.</returns>
byte[] decryptResourceAssembly()
{
    var plain = new ResourceDecrypter(module).decrypt(encryptedResource.GetResourceData());
    var input = new BinaryReader(new MemoryStream(plain));
    var stream = input.BaseStream;

    // Skip the table: an Int32 entry count, then one string per entry. Values are not kept.
    int entries = input.ReadInt32();
    int skipped = 0;
    while (skipped < entries)
    {
        input.ReadString();
        skipped++;
    }

    long payloadLength = stream.Length - stream.Position;
    return input.ReadBytes((int)payloadLength);
}
/// <summary>
/// Decrypts <paramref name="resource"/> and fills the offset-to-string table from it.
/// </summary>
/// <param name="module">Module handed to the <c>ResourceDecrypter</c> constructor.</param>
/// <param name="resource">Embedded resource holding the encrypted strings.</param>
public void initialize(ModuleDefinition module, EmbeddedResource resource)
{
    var plain = new ResourceDecrypter(module).decrypt(resource.GetResourceData());
    var input = new BinaryReader(new MemoryStream(plain));

    // Every string is keyed by the stream position at which it begins, so the position is
    // taken before the read advances the stream.
    for (var stream = input.BaseStream; stream.Position < stream.Length; )
    {
        int key = (int)stream.Position;
        string value = input.ReadString();
        offsetToString[key] = value;
    }
}
/// <summary>Creates a methods decrypter for <paramref name="module"/>.</summary>
/// <param name="module">Module stored for later use.</param>
/// <param name="resourceDecrypter">Resource decrypter stored for later use.</param>
/// <param name="deobfuscatorContext">Deobfuscator context stored for later use.</param>
public MethodsDecrypter(ModuleDefMD module, ResourceDecrypter resourceDecrypter, IDeobfuscatorContext deobfuscatorContext)
{
    // Construction only captures the collaborators; no method bodies are touched here.
    this.deobfuscatorContext = deobfuscatorContext;
    this.resourceDecrypter = resourceDecrypter;
    this.module = module;
}
/// <summary>Creates a resource resolver for <paramref name="module"/>.</summary>
/// <param name="module">Module stored for later use.</param>
/// <param name="resourceDecrypter">Resource decrypter stored for later use.</param>
/// <param name="simpleDeobfuscator">Simple deobfuscator stored for later use.</param>
public ResourceResolver(ModuleDefMD module, ResourceDecrypter resourceDecrypter, ISimpleDeobfuscator simpleDeobfuscator)
{
    // Construction only captures the collaborators; no resource is located or decrypted here.
    this.simpleDeobfuscator = simpleDeobfuscator;
    this.resourceDecrypter = resourceDecrypter;
    this.module = module;
}
/// <summary>Initializes the resource resolver with the module it works on.</summary>
/// <param name="module">Module kept in the instance.</param>
/// <param name="resourceDecrypter">Resource decrypter kept in the instance.</param>
/// <param name="simpleDeobfuscator">Simple deobfuscator kept in the instance.</param>
public ResourceResolver(ModuleDefinition module, ResourceDecrypter resourceDecrypter, ISimpleDeobfuscator simpleDeobfuscator)
{
    // Arguments are stored as given; none is checked for null.
    this.simpleDeobfuscator = simpleDeobfuscator;
    this.resourceDecrypter = resourceDecrypter;
    this.module = module;
}
/// <summary>Creates a constants decrypter for <paramref name="module"/>.</summary>
/// <param name="module">Module stored for later use.</param>
/// <param name="resourceDecrypter">Resource decrypter stored for later use.</param>
/// <param name="initializedDataCreator">Initialized-data creator stored for later use.</param>
public ConstantsDecrypter(ModuleDefMD module, ResourceDecrypter resourceDecrypter, InitializedDataCreator initializedDataCreator)
{
    // Construction only captures the collaborators; no constants are read here.
    this.initializedDataCreator = initializedDataCreator;
    this.resourceDecrypter = resourceDecrypter;
    this.module = module;
}
/// <summary>Initializes the methods decrypter with the module it works on.</summary>
/// <param name="module">Module kept in the instance.</param>
/// <param name="resourceDecrypter">Resource decrypter kept in the instance.</param>
/// <param name="deobfuscatorContext">Deobfuscator context kept in the instance.</param>
public MethodsDecrypter(ModuleDefMD module, ResourceDecrypter resourceDecrypter, IDeobfuscatorContext deobfuscatorContext)
{
    // Arguments are stored as given; none is checked for null.
    this.deobfuscatorContext = deobfuscatorContext;
    this.resourceDecrypter = resourceDecrypter;
    this.module = module;
}
/// <summary>Initializes the assembly resolver with the module it works on.</summary>
/// <param name="module">Module kept in the instance.</param>
/// <param name="resourceDecrypter">Resource decrypter kept in the instance.</param>
public AssemblyResolver(ModuleDefMD module, ResourceDecrypter resourceDecrypter)
{
    // Arguments are stored as given; neither is checked for null.
    this.resourceDecrypter = resourceDecrypter;
    this.module = module;
}
/// <summary>Initializes the constants decrypter with the module it works on.</summary>
/// <param name="module">Module kept in the instance.</param>
/// <param name="resourceDecrypter">Resource decrypter kept in the instance.</param>
/// <param name="initializedDataCreator">Initialized-data creator kept in the instance.</param>
public ConstantsDecrypter(ModuleDefinition module, ResourceDecrypter resourceDecrypter, InitializedDataCreator initializedDataCreator)
{
    // Arguments are stored as given; none is checked for null.
    this.initializedDataCreator = initializedDataCreator;
    this.resourceDecrypter = resourceDecrypter;
    this.module = module;
}
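/// <summary>
/// Locates and decrypts the embedded-assemblies resource and builds one
/// <c>EmbeddedAssemblyInfo</c> per assembly stored in it. Does nothing when no resolver type
/// was found.
/// </summary>
/// <param name="simpleDeobfuscator">Forwarded to <c>BabelUtils.findEmbeddedResource</c>.</param>
/// <param name="deob">Forwarded to <c>BabelUtils.findEmbeddedResource</c>.</param>
/// <exception cref="ApplicationException">
/// The resource declares an assembly count or an assembly size that the remaining data cannot hold.
/// </exception>
public void initialize(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
{
    if (resolverType == null)
    {
        return;
    }

    encryptedResource = BabelUtils.findEmbeddedResource(module, resolverType, simpleDeobfuscator, deob);
    if (encryptedResource == null)
    {
        Log.w("Could not find embedded assemblies resource");
        return;
    }

    var decrypted = new ResourceDecrypter(module).decrypt(encryptedResource.GetResourceData());
    using (var reader = new BinaryReader(new MemoryStream(decrypted)))
    {
        var stream = reader.BaseStream;

        // The entry count and each entry's size are fields of the resource being parsed, so they
        // are validated against the remaining stream length before driving any allocation.
        // Smallest possible entry: 1-byte string length prefix + 4-byte data length.
        const int MinEntrySize = 5;
        int numAssemblies = reader.ReadInt32();
        if (numAssemblies < 0 || numAssemblies > (stream.Length - stream.Position) / MinEntrySize)
        {
            throw new ApplicationException("Invalid assembly count in embedded assemblies resource");
        }

        embeddedAssemblyInfos = new EmbeddedAssemblyInfo[numAssemblies];
        for (int i = 0; i < numAssemblies; i++)
        {
            string name = reader.ReadString();

            int size = reader.ReadInt32();
            if (size < 0 || size > stream.Length - stream.Position)
            {
                throw new ApplicationException("Invalid assembly size in embedded assemblies resource");
            }
            var data = reader.ReadBytes(size);

            // The embedded image is loaded only so its Kind can select the file extension.
            var mod = ModuleDefinition.ReadModule(new MemoryStream(data));
            embeddedAssemblyInfos[i] = new EmbeddedAssemblyInfo(name, DeobUtils.getExtension(mod.Kind), data);
        }
    }
}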