void InitDecrypters()
{
assemblyResolverInfo = new AssemblyResolverInfo(module, DeobfuscatedFile, this);
assemblyResolverInfo.FindTypes();
resourceDecrypterInfo = new ResourceDecrypterInfo(module, assemblyResolverInfo.SimpleZipTypeMethod, DeobfuscatedFile);
resourceResolverInfo = new ResourceResolverInfo(module, DeobfuscatedFile, this, assemblyResolverInfo);
resourceResolverInfo.FindTypes();
resourceDecrypter = new ResourceDecrypter(resourceDecrypterInfo);
assemblyResolver = new AssemblyResolver(resourceDecrypter, assemblyResolverInfo);
resourceResolver = new ResourceResolver(module, assemblyResolver, resourceResolverInfo);
InitStringDecrypterInfos();
assemblyResolverInfo.FindTypes();
resourceResolverInfo.FindTypes();
AddModuleCctorInitCallToBeRemoved(assemblyResolverInfo.CallResolverMethod);
AddCallToBeRemoved(module.EntryPoint, assemblyResolverInfo.CallResolverMethod);
AddModuleCctorInitCallToBeRemoved(resourceResolverInfo.CallResolverMethod);
AddCallToBeRemoved(module.EntryPoint, resourceResolverInfo.CallResolverMethod);
resourceDecrypterInfo.SetSimpleZipType(GetGlobalSimpleZipTypeMethod(), DeobfuscatedFile);
if (!DecryptResources())
{
throw new ApplicationException("Could not decrypt resources");
}
DumpEmbeddedAssemblies();
}
void InitDecrypters()
{
assemblyResolverInfo = new AssemblyResolverInfo(module, DeobfuscatedFile, this);
assemblyResolverInfo.FindTypes();
resourceDecrypterInfo = new ResourceDecrypterInfo(module, assemblyResolverInfo.SimpleZipTypeMethod, DeobfuscatedFile);
resourceResolverInfo = new ResourceResolverInfo(module, DeobfuscatedFile, this, assemblyResolverInfo);
resourceResolverInfo.FindTypes();
resourceDecrypter = new ResourceDecrypter(resourceDecrypterInfo);
assemblyResolver = new AssemblyResolver(resourceDecrypter, assemblyResolverInfo);
resourceResolver = new ResourceResolver(module, assemblyResolver, resourceResolverInfo);
InitStringDecrypterInfos();
assemblyResolverInfo.FindTypes();
resourceResolverInfo.FindTypes();
AddModuleCctorInitCallToBeRemoved(assemblyResolverInfo.CallResolverMethod);
AddCallToBeRemoved(module.EntryPoint, assemblyResolverInfo.CallResolverMethod);
AddModuleCctorInitCallToBeRemoved(resourceResolverInfo.CallResolverMethod);
AddCallToBeRemoved(module.EntryPoint, resourceResolverInfo.CallResolverMethod);
resourceDecrypterInfo.SetSimpleZipType(GetGlobalSimpleZipTypeMethod(), DeobfuscatedFile);
if (!DecryptResources())
{
throw new ApplicationException("Could not decrypt resources");
}
var bt = FindBigType();
var candidateMthods = bt.Methods.Where(m => DotNetUtils.IsMethod(m, "System.String", "(System.Int32)"));
//foreach (var cm in candidateMthods) {
// staticStringInliner.Add(cm, (method, gim, args) => {
//
// var instrs = method.Body.Instructions;
// return args[0].ToString();
// });
//}
DumpEmbeddedAssemblies();
}
void InitDecrypters() {
assemblyResolverInfo = new AssemblyResolverInfo(module, DeobfuscatedFile, this);
assemblyResolverInfo.FindTypes();
resourceDecrypterInfo = new ResourceDecrypterInfo(module, assemblyResolverInfo.SimpleZipTypeMethod, DeobfuscatedFile);
resourceResolverInfo = new ResourceResolverInfo(module, DeobfuscatedFile, this, assemblyResolverInfo);
resourceResolverInfo.FindTypes();
resourceDecrypter = new ResourceDecrypter(resourceDecrypterInfo);
assemblyResolver = new AssemblyResolver(resourceDecrypter, assemblyResolverInfo);
resourceResolver = new ResourceResolver(module, assemblyResolver, resourceResolverInfo);
InitStringDecrypterInfos();
assemblyResolverInfo.FindTypes();
resourceResolverInfo.FindTypes();
AddModuleCctorInitCallToBeRemoved(assemblyResolverInfo.CallResolverMethod);
AddCallToBeRemoved(module.EntryPoint, assemblyResolverInfo.CallResolverMethod);
AddModuleCctorInitCallToBeRemoved(resourceResolverInfo.CallResolverMethod);
AddCallToBeRemoved(module.EntryPoint, resourceResolverInfo.CallResolverMethod);
resourceDecrypterInfo.SetSimpleZipType(GetGlobalSimpleZipTypeMethod(), DeobfuscatedFile);
if (!DecryptResources())
throw new ApplicationException("Could not decrypt resources");
DumpEmbeddedAssemblies();
}
public bool Initialize(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator)
{
var cctor = stringsEncodingClass.FindStaticConstructor();
if (cctor != null)
{
simpleDeobfuscator.Deobfuscate(cctor);
}
decrypterVersion = GuessVersion(cctor);
if (!FindDecrypterMethod())
{
throw new ApplicationException("Could not find string decrypter method");
}
if (!FindStringsResource(deob, simpleDeobfuscator, cctor))
{
return(false);
}
if (decrypterVersion <= StringDecrypterVersion.V3)
{
MethodDef initMethod;
if (decrypterVersion == StringDecrypterVersion.V3)
{
initMethod = cctor;
}
else if (decrypterVersion == StringDecrypterVersion.V2)
{
initMethod = stringDecrypterMethod;
}
else
{
initMethod = stringDecrypterMethod;
}
stringOffset = 0;
if (decrypterVersion != StringDecrypterVersion.V1)
{
if (CallsGetPublicKeyToken(initMethod))
{
var pkt = PublicKeyBase.ToPublicKeyToken(module.Assembly.PublicKeyToken);
if (!PublicKeyBase.IsNullOrEmpty2(pkt))
{
for (int i = 0; i < pkt.Data.Length - 1; i += 2)
{
stringOffset ^= ((int)pkt.Data[i] << 8) + pkt.Data[i + 1];
}
}
}
if (DeobUtils.HasInteger(initMethod, 0xFFFFFF) &&
DeobUtils.HasInteger(initMethod, 0xFFFF))
{
stringOffset ^= ((stringDecrypterMethod.MDToken.ToInt32() & 0xFFFFFF) - 1) % 0xFFFF;
}
}
}
else
{
var offsetVal = FindOffsetValue(cctor);
if (offsetVal == null)
{
throw new ApplicationException("Could not find string offset");
}
stringOffset = offsetVal.Value;
decrypterVersion = StringDecrypterVersion.V4;
}
simpleZipTypeMethod = FindSimpleZipTypeMethod(cctor) ?? FindSimpleZipTypeMethod(stringDecrypterMethod);
if (simpleZipTypeMethod != null)
{
resourceDecrypter = new ResourceDecrypter(new ResourceDecrypterInfo(module, simpleZipTypeMethod, simpleDeobfuscator));
}
return(true);
}
public bool Initialize(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator) {
var cctor = stringsEncodingClass.FindStaticConstructor();
if (cctor != null)
simpleDeobfuscator.Deobfuscate(cctor);
decrypterVersion = GuessVersion(cctor);
if (!FindDecrypterMethod())
throw new ApplicationException("Could not find string decrypter method");
if (!FindStringsResource(deob, simpleDeobfuscator, cctor))
return false;
if (decrypterVersion <= StringDecrypterVersion.V3) {
MethodDef initMethod;
if (decrypterVersion == StringDecrypterVersion.V3)
initMethod = cctor;
else if (decrypterVersion == StringDecrypterVersion.V2)
initMethod = stringDecrypterMethod;
else
initMethod = stringDecrypterMethod;
stringOffset = 0;
if (decrypterVersion != StringDecrypterVersion.V1) {
if (CallsGetPublicKeyToken(initMethod)) {
var pkt = PublicKeyBase.ToPublicKeyToken(module.Assembly.PublicKeyToken);
if (!PublicKeyBase.IsNullOrEmpty2(pkt)) {
for (int i = 0; i < pkt.Data.Length - 1; i += 2)
stringOffset ^= ((int)pkt.Data[i] << 8) + pkt.Data[i + 1];
}
}
if (DeobUtils.HasInteger(initMethod, 0xFFFFFF) &&
DeobUtils.HasInteger(initMethod, 0xFFFF)) {
stringOffset ^= ((stringDecrypterMethod.MDToken.ToInt32() & 0xFFFFFF) - 1) % 0xFFFF;
}
}
}
else {
var offsetVal = FindOffsetValue(cctor);
if (offsetVal == null)
throw new ApplicationException("Could not find string offset");
stringOffset = offsetVal.Value;
decrypterVersion = StringDecrypterVersion.V4;
}
simpleZipTypeMethod = FindSimpleZipTypeMethod(cctor) ?? FindSimpleZipTypeMethod(stringDecrypterMethod);
if (simpleZipTypeMethod != null)
resourceDecrypter = new ResourceDecrypter(new ResourceDecrypterInfo(module, simpleZipTypeMethod, simpleDeobfuscator));
return true;
}
public AssemblyResolver(ResourceDecrypter resourceDecrypter, AssemblyResolverInfo assemblyResolverInfo)
{
this.resourceDecrypter = resourceDecrypter;
this.assemblyResolverInfo = assemblyResolverInfo;
}
public AssemblyResolver(ResourceDecrypter resourceDecrypter, AssemblyResolverInfo assemblyResolverInfo)
{
this.resourceDecrypter = resourceDecrypter;
this.assemblyResolverInfo = assemblyResolverInfo;
}
public bool init(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator)
{
var cctor = DotNetUtils.getMethod(stringsEncodingClass, ".cctor");
if (cctor != null)
simpleDeobfuscator.deobfuscate(cctor);
decrypterVersion = guessVersion(cctor);
if (!findDecrypterMethod())
throw new ApplicationException("Could not find string decrypter method");
if (!findStringsResource(deob, simpleDeobfuscator, cctor))
return false;
if (decrypterVersion <= StringDecrypterVersion.V3) {
MethodDefinition initMethod;
if (decrypterVersion == StringDecrypterVersion.V3)
initMethod = cctor;
else if (decrypterVersion == StringDecrypterVersion.V2)
initMethod = stringDecrypterMethod;
else
initMethod = stringDecrypterMethod;
stringOffset = 0;
if (decrypterVersion != StringDecrypterVersion.V1) {
if (callsGetPublicKeyToken(initMethod)) {
var pkt = module.Assembly.Name.PublicKeyToken;
if (pkt != null) {
for (int i = 0; i < pkt.Length - 1; i += 2)
stringOffset ^= ((int)pkt[i] << 8) + pkt[i + 1];
}
}
if (DotNetUtils.findLdcI4Constant(initMethod, 0xFFFFFF) &&
DotNetUtils.findLdcI4Constant(initMethod, 0xFFFF)) {
stringOffset ^= ((stringDecrypterMethod.MetadataToken.ToInt32() & 0xFFFFFF) - 1) % 0xFFFF;
}
}
}
else {
var offsetVal = findOffsetValue(cctor);
if (offsetVal == null)
throw new ApplicationException("Could not find string offset");
stringOffset = offsetVal.Value;
decrypterVersion = StringDecrypterVersion.V4;
}
simpleZipTypeMethod = findSimpleZipTypeMethod(cctor) ?? findSimpleZipTypeMethod(stringDecrypterMethod);
if (simpleZipTypeMethod != null)
resourceDecrypter = new ResourceDecrypter(new ResourceDecrypterInfo(module, simpleZipTypeMethod, simpleDeobfuscator));
return true;
}
public bool init(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator)
{
var cctor = DotNetUtils.getMethod(stringsEncodingClass, ".cctor");
if (cctor != null)
{
simpleDeobfuscator.deobfuscate(cctor);
}
decrypterVersion = guessVersion(cctor);
if (!findDecrypterMethod())
{
throw new ApplicationException("Could not find string decrypter method");
}
if (!findStringsResource(deob, simpleDeobfuscator, cctor))
{
return(false);
}
if (decrypterVersion <= StringDecrypterVersion.V3)
{
MethodDefinition initMethod;
if (decrypterVersion == StringDecrypterVersion.V3)
{
initMethod = cctor;
}
else if (decrypterVersion == StringDecrypterVersion.V2)
{
initMethod = stringDecrypterMethod;
}
else
{
initMethod = stringDecrypterMethod;
}
stringOffset = 0;
if (decrypterVersion != StringDecrypterVersion.V1)
{
if (callsGetPublicKeyToken(initMethod))
{
var pkt = module.Assembly.Name.PublicKeyToken;
if (pkt != null)
{
for (int i = 0; i < pkt.Length - 1; i += 2)
{
stringOffset ^= ((int)pkt[i] << 8) + pkt[i + 1];
}
}
}
if (DeobUtils.hasInteger(initMethod, 0xFFFFFF) &&
DeobUtils.hasInteger(initMethod, 0xFFFF))
{
stringOffset ^= ((stringDecrypterMethod.MetadataToken.ToInt32() & 0xFFFFFF) - 1) % 0xFFFF;
}
}
}
else
{
var offsetVal = findOffsetValue(cctor);
if (offsetVal == null)
{
throw new ApplicationException("Could not find string offset");
}
stringOffset = offsetVal.Value;
decrypterVersion = StringDecrypterVersion.V4;
}
simpleZipTypeMethod = findSimpleZipTypeMethod(cctor) ?? findSimpleZipTypeMethod(stringDecrypterMethod);
if (simpleZipTypeMethod != null)
{
resourceDecrypter = new ResourceDecrypter(new ResourceDecrypterInfo(module, simpleZipTypeMethod, simpleDeobfuscator));
}
return(true);
}
