/// <summary>
/// Builds the assembly/resource resolver helpers for <c>module</c>, registers the resolver
/// calls for removal, decrypts the resources and finally calls DumpEmbeddedAssemblies().
/// </summary>
/// <remarks>
/// Statement order is significant. FindTypes() runs once on each info object before the
/// decrypters are built and once more after InitStringDecrypterInfos().
/// </remarks>
/// <exception cref="ApplicationException">DecryptResources() returned <c>false</c>.</exception>
void InitDecrypters() {
    // The assembly resolver info is needed first: its SimpleZipTypeMethod feeds the
    // resource decrypter info created right after it.
    assemblyResolverInfo = new AssemblyResolverInfo(module, DeobfuscatedFile, this);
    assemblyResolverInfo.FindTypes();

    resourceDecrypterInfo = new ResourceDecrypterInfo(module, assemblyResolverInfo.SimpleZipTypeMethod, DeobfuscatedFile);

    resourceResolverInfo = new ResourceResolverInfo(module, DeobfuscatedFile, this, assemblyResolverInfo);
    resourceResolverInfo.FindTypes();

    // Wire the runtime helpers on top of the info objects.
    resourceDecrypter = new ResourceDecrypter(resourceDecrypterInfo);
    assemblyResolver = new AssemblyResolver(resourceDecrypter, assemblyResolverInfo);
    resourceResolver = new ResourceResolver(module, assemblyResolver, resourceResolverInfo);

    InitStringDecrypterInfos();

    // Second detection pass.
    // NOTE(review): presumably InitStringDecrypterInfos() makes more types detectable - confirm.
    assemblyResolverInfo.FindTypes();
    resourceResolverInfo.FindTypes();

    // Register the resolver calls in the module initializer and the entry point for removal.
    AddModuleCctorInitCallToBeRemoved(assemblyResolverInfo.CallResolverMethod);
    AddCallToBeRemoved(module.EntryPoint, assemblyResolverInfo.CallResolverMethod);
    AddModuleCctorInitCallToBeRemoved(resourceResolverInfo.CallResolverMethod);
    AddCallToBeRemoved(module.EntryPoint, resourceResolverInfo.CallResolverMethod);

    resourceDecrypterInfo.SetSimpleZipType(GetGlobalSimpleZipTypeMethod(), DeobfuscatedFile);

    bool resourcesDecrypted = DecryptResources();
    if (!resourcesDecrypted) {
        throw new ApplicationException("Could not decrypt resources");
    }

    // NOTE(review): the embedded assemblies come from the input module, which is untrusted;
    // whatever DumpEmbeddedAssemblies() emits should be handled as untrusted data too.
    DumpEmbeddedAssemblies();
}
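/// <summary>
/// Builds the assembly/resource resolver helpers for <c>module</c>, registers the resolver
/// calls for removal, decrypts the resources and finally calls DumpEmbeddedAssemblies().
/// </summary>
/// <remarks>
/// Statement order is significant. FindTypes() runs once on each info object before the
/// decrypters are built and once more after InitStringDecrypterInfos().
/// The unused FindBigType() lookup and its never-enumerated LINQ query are not part of this
/// method: they fed only commented-out code, and dereferencing the lookup result without a
/// null check could abort initialization before DumpEmbeddedAssemblies() ran.
/// </remarks>
/// <exception cref="ApplicationException">DecryptResources() returned <c>false</c>.</exception>
void InitDecrypters() {
    // The assembly resolver info is needed first: its SimpleZipTypeMethod feeds the
    // resource decrypter info created right after it.
    assemblyResolverInfo = new AssemblyResolverInfo(module, DeobfuscatedFile, this);
    assemblyResolverInfo.FindTypes();
    resourceDecrypterInfo = new ResourceDecrypterInfo(module, assemblyResolverInfo.SimpleZipTypeMethod, DeobfuscatedFile);
    resourceResolverInfo = new ResourceResolverInfo(module, DeobfuscatedFile, this, assemblyResolverInfo);
    resourceResolverInfo.FindTypes();

    // Wire the runtime helpers on top of the info objects.
    resourceDecrypter = new ResourceDecrypter(resourceDecrypterInfo);
    assemblyResolver = new AssemblyResolver(resourceDecrypter, assemblyResolverInfo);
    resourceResolver = new ResourceResolver(module, assemblyResolver, resourceResolverInfo);

    InitStringDecrypterInfos();

    // Second detection pass.
    // NOTE(review): presumably InitStringDecrypterInfos() makes more types detectable - confirm.
    assemblyResolverInfo.FindTypes();
    resourceResolverInfo.FindTypes();

    // Register the resolver calls in the module initializer and the entry point for removal.
    AddModuleCctorInitCallToBeRemoved(assemblyResolverInfo.CallResolverMethod);
    AddCallToBeRemoved(module.EntryPoint, assemblyResolverInfo.CallResolverMethod);
    AddModuleCctorInitCallToBeRemoved(resourceResolverInfo.CallResolverMethod);
    AddCallToBeRemoved(module.EntryPoint, resourceResolverInfo.CallResolverMethod);

    resourceDecrypterInfo.SetSimpleZipType(GetGlobalSimpleZipTypeMethod(), DeobfuscatedFile);

    if (!DecryptResources()) {
        throw new ApplicationException("Could not decrypt resources");
    }

    // NOTE(review): the embedded assemblies come from the input module, which is untrusted;
    // whatever DumpEmbeddedAssemblies() emits should be handled as untrusted data too.
    DumpEmbeddedAssemblies();
}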
/// <summary>
/// Sets up the resolver and decrypter objects for <c>module</c>, marks the resolver calls for
/// removal, then decrypts resources and calls DumpEmbeddedAssemblies().
/// </summary>
/// <remarks>
/// The steps depend on each other and must stay in this order; both FindTypes() calls are
/// issued a second time once InitStringDecrypterInfos() has run.
/// </remarks>
/// <exception cref="ApplicationException">DecryptResources() returned <c>false</c>.</exception>
void InitDecrypters() {
    // Step 1: info objects. The resource decrypter info needs the SimpleZip method that the
    // assembly resolver info discovers, so that one is created and scanned first.
    assemblyResolverInfo = new AssemblyResolverInfo(module, DeobfuscatedFile, this);
    assemblyResolverInfo.FindTypes();
    resourceDecrypterInfo = new ResourceDecrypterInfo(
        module,
        assemblyResolverInfo.SimpleZipTypeMethod,
        DeobfuscatedFile);
    resourceResolverInfo = new ResourceResolverInfo(
        module,
        DeobfuscatedFile,
        this,
        assemblyResolverInfo);
    resourceResolverInfo.FindTypes();

    // Step 2: the decrypter and the two resolvers built from those info objects.
    resourceDecrypter = new ResourceDecrypter(resourceDecrypterInfo);
    assemblyResolver = new AssemblyResolver(resourceDecrypter, assemblyResolverInfo);
    resourceResolver = new ResourceResolver(module, assemblyResolver, resourceResolverInfo);

    // Step 3: string decrypter infos, followed by a second FindTypes() pass on both infos.
    InitStringDecrypterInfos();
    assemblyResolverInfo.FindTypes();
    resourceResolverInfo.FindTypes();

    // Step 4: schedule the resolver calls (module initializer and entry point) for removal.
    AddModuleCctorInitCallToBeRemoved(assemblyResolverInfo.CallResolverMethod);
    AddCallToBeRemoved(module.EntryPoint, assemblyResolverInfo.CallResolverMethod);
    AddModuleCctorInitCallToBeRemoved(resourceResolverInfo.CallResolverMethod);
    AddCallToBeRemoved(module.EntryPoint, resourceResolverInfo.CallResolverMethod);

    // Step 5: decrypt; a failure is fatal for this module.
    resourceDecrypterInfo.SetSimpleZipType(GetGlobalSimpleZipTypeMethod(), DeobfuscatedFile);
    if (!DecryptResources()) {
        throw new ApplicationException("Could not decrypt resources");
    }

    // NOTE(review): output derives from an untrusted input module - treat it as untrusted.
    DumpEmbeddedAssemblies();
}
/// <summary>
/// Finds the string decrypter method and strings resource of <c>stringsEncodingClass</c> and
/// computes <c>stringOffset</c> for the detected decrypter version.
/// </summary>
/// <param name="deob">Deobfuscator forwarded to FindStringsResource().</param>
/// <param name="simpleDeobfuscator">Deobfuscates the static constructor and is handed to the
/// resource decrypter info.</param>
/// <returns><c>false</c> when FindStringsResource() fails, otherwise <c>true</c>.</returns>
/// <exception cref="ApplicationException">No decrypter method was found, or no string offset
/// was found on the path taken for versions above V3.</exception>
public bool Initialize(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator) {
    var cctor = stringsEncodingClass.FindStaticConstructor();
    if (cctor != null) {
        simpleDeobfuscator.Deobfuscate(cctor);
    }

    // NOTE(review): cctor may be null and is passed on unchanged to GuessVersion(),
    // FindStringsResource(), FindOffsetValue() and FindSimpleZipTypeMethod() - confirm they
    // tolerate null, since the input module is untrusted.
    decrypterVersion = GuessVersion(cctor);

    if (!FindDecrypterMethod()) {
        throw new ApplicationException("Could not find string decrypter method");
    }
    if (!FindStringsResource(deob, simpleDeobfuscator, cctor)) {
        return false;
    }

    if (decrypterVersion > StringDecrypterVersion.V3) {
        // Newer layout: the offset is read from the static constructor.
        var offsetVal = FindOffsetValue(cctor);
        if (offsetVal == null) {
            throw new ApplicationException("Could not find string offset");
        }
        stringOffset = offsetVal.Value;
        decrypterVersion = StringDecrypterVersion.V4;
    }
    else {
        // V3 inspects the static constructor; V1 and V2 inspect the decrypter method itself.
        MethodDef initMethod = decrypterVersion == StringDecrypterVersion.V3
            ? cctor
            : stringDecrypterMethod;

        stringOffset = 0;
        if (decrypterVersion != StringDecrypterVersion.V1) {
            // The offset is derived from the assembly's public key token and the decrypter's
            // metadata token, so it is only valid for the module exactly as it was loaded.
            if (CallsGetPublicKeyToken(initMethod)) {
                var pkt = PublicKeyBase.ToPublicKeyToken(module.Assembly.PublicKeyToken);
                if (!PublicKeyBase.IsNullOrEmpty2(pkt)) {
                    // Fold the token in as big-endian 16-bit pairs; a trailing odd byte is skipped.
                    for (int i = 0; i < pkt.Data.Length - 1; i += 2) {
                        int pair = ((int)pkt.Data[i] << 8) + pkt.Data[i + 1];
                        stringOffset ^= pair;
                    }
                }
            }

            bool usesTokenMasks = DeobUtils.HasInteger(initMethod, 0xFFFFFF)
                && DeobUtils.HasInteger(initMethod, 0xFFFF);
            if (usesTokenMasks) {
                int rowId = stringDecrypterMethod.MDToken.ToInt32() & 0xFFFFFF;
                stringOffset ^= (rowId - 1) % 0xFFFF;
            }
        }
    }

    // Prefer a SimpleZip method referenced by the static constructor, else by the decrypter.
    var zipMethod = FindSimpleZipTypeMethod(cctor) ?? FindSimpleZipTypeMethod(stringDecrypterMethod);
    simpleZipTypeMethod = zipMethod;
    if (zipMethod != null) {
        var decrypterInfo = new ResourceDecrypterInfo(module, zipMethod, simpleDeobfuscator);
        resourceDecrypter = new ResourceDecrypter(decrypterInfo);
    }

    return true;
}
/// <summary>
/// Prepares string decryption: deobfuscates the static constructor of
/// <c>stringsEncodingClass</c>, detects the decrypter version, and derives <c>stringOffset</c>.
/// </summary>
/// <param name="deob">Deobfuscator forwarded to FindStringsResource().</param>
/// <param name="simpleDeobfuscator">Deobfuscates the static constructor and is handed to the
/// resource decrypter info.</param>
/// <returns><c>false</c> when FindStringsResource() fails, otherwise <c>true</c>.</returns>
/// <exception cref="ApplicationException">No decrypter method was found, or no string offset
/// was found on the path taken for versions above V3.</exception>
public bool Initialize(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator) {
    var cctor = stringsEncodingClass.FindStaticConstructor();
    if (cctor != null) {
        simpleDeobfuscator.Deobfuscate(cctor);
    }
    // NOTE(review): a null cctor is forwarded to the helpers below as-is - confirm each one
    // handles null, because the module under analysis is untrusted input.
    decrypterVersion = GuessVersion(cctor);

    bool foundDecrypter = FindDecrypterMethod();
    if (!foundDecrypter) {
        throw new ApplicationException("Could not find string decrypter method");
    }

    bool foundResource = FindStringsResource(deob, simpleDeobfuscator, cctor);
    if (!foundResource) {
        return false;
    }

    if (decrypterVersion <= StringDecrypterVersion.V3) {
        // Only V3 reads its setup from the static constructor; V1/V2 use the decrypter method.
        MethodDef initMethod;
        switch (decrypterVersion) {
        case StringDecrypterVersion.V3:
            initMethod = cctor;
            break;
        default:
            initMethod = stringDecrypterMethod;
            break;
        }

        stringOffset = 0;
        if (decrypterVersion != StringDecrypterVersion.V1) {
            // Offset inputs: public key token bytes, then the decrypter's metadata token.
            // Both come from the loaded module, so the result is tied to that exact module.
            if (CallsGetPublicKeyToken(initMethod)) {
                var pkt = PublicKeyBase.ToPublicKeyToken(module.Assembly.PublicKeyToken);
                if (!PublicKeyBase.IsNullOrEmpty2(pkt)) {
                    // Big-endian 16-bit pairs; an odd trailing byte is not consumed.
                    for (int i = 0; i < pkt.Data.Length - 1; i += 2) {
                        stringOffset ^= ((int)pkt.Data[i] << 8) + pkt.Data[i + 1];
                    }
                }
            }

            if (DeobUtils.HasInteger(initMethod, 0xFFFFFF)) {
                if (DeobUtils.HasInteger(initMethod, 0xFFFF)) {
                    int maskedToken = stringDecrypterMethod.MDToken.ToInt32() & 0xFFFFFF;
                    stringOffset ^= (maskedToken - 1) % 0xFFFF;
                }
            }
        }
    }
    else {
        var offsetVal = FindOffsetValue(cctor);
        if (offsetVal == null) {
            throw new ApplicationException("Could not find string offset");
        }
        stringOffset = offsetVal.Value;
        decrypterVersion = StringDecrypterVersion.V4;
    }

    // The static constructor is searched first; the decrypter method is the fallback.
    simpleZipTypeMethod = FindSimpleZipTypeMethod(cctor) ?? FindSimpleZipTypeMethod(stringDecrypterMethod);
    if (simpleZipTypeMethod != null) {
        resourceDecrypter = new ResourceDecrypter(
            new ResourceDecrypterInfo(module, simpleZipTypeMethod, simpleDeobfuscator));
    }
    return true;
}
/// <summary>
/// Creates a resolver that keeps references to the given decrypter and resolver info.
/// </summary>
/// <param name="resourceDecrypter">Stored in the <c>resourceDecrypter</c> field.</param>
/// <param name="assemblyResolverInfo">Stored in the <c>assemblyResolverInfo</c> field.</param>
public AssemblyResolver(ResourceDecrypter resourceDecrypter, AssemblyResolverInfo assemblyResolverInfo) {
    // Plain field capture; neither argument is validated or copied here.
    this.assemblyResolverInfo = assemblyResolverInfo;
    this.resourceDecrypter = resourceDecrypter;
}
/// <summary>
/// Initializes the resolver with the resource decrypter and the assembly resolver info it
/// will use.
/// </summary>
/// <param name="resourceDecrypter">Decrypter instance kept by reference.</param>
/// <param name="assemblyResolverInfo">Resolver info instance kept by reference.</param>
public AssemblyResolver(
    ResourceDecrypter resourceDecrypter,
    AssemblyResolverInfo assemblyResolverInfo)
{
    // No null checks are performed; the values are stored exactly as passed.
    this.assemblyResolverInfo = assemblyResolverInfo;
    this.resourceDecrypter = resourceDecrypter;
}
/// <summary>
/// Finds the string decrypter method and strings resource of <c>stringsEncodingClass</c> and
/// computes <c>stringOffset</c> for the detected decrypter version.
/// </summary>
/// <param name="deob">Deobfuscator forwarded to findStringsResource().</param>
/// <param name="simpleDeobfuscator">Deobfuscates the static constructor and is handed to the
/// resource decrypter info.</param>
/// <returns><c>false</c> when findStringsResource() fails, otherwise <c>true</c>.</returns>
/// <exception cref="ApplicationException">No decrypter method was found, or no string offset
/// was found on the path taken for versions above V3.</exception>
public bool init(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator) {
    var cctor = DotNetUtils.getMethod(stringsEncodingClass, ".cctor");
    if (cctor != null) {
        simpleDeobfuscator.deobfuscate(cctor);
    }

    // NOTE(review): cctor may be null and is passed on unchanged to guessVersion(),
    // findStringsResource(), findOffsetValue() and findSimpleZipTypeMethod() - confirm they
    // tolerate null, since the input module is untrusted.
    decrypterVersion = guessVersion(cctor);

    if (!findDecrypterMethod()) {
        throw new ApplicationException("Could not find string decrypter method");
    }
    if (!findStringsResource(deob, simpleDeobfuscator, cctor)) {
        return false;
    }

    if (decrypterVersion > StringDecrypterVersion.V3) {
        // Newer layout: the offset is read from the static constructor.
        var offsetVal = findOffsetValue(cctor);
        if (offsetVal == null) {
            throw new ApplicationException("Could not find string offset");
        }
        stringOffset = offsetVal.Value;
        decrypterVersion = StringDecrypterVersion.V4;
    }
    else {
        // V3 inspects the static constructor; V1 and V2 inspect the decrypter method itself.
        MethodDefinition initMethod = decrypterVersion == StringDecrypterVersion.V3
            ? cctor
            : stringDecrypterMethod;

        stringOffset = 0;
        if (decrypterVersion != StringDecrypterVersion.V1) {
            // The offset is derived from the assembly's public key token and the decrypter's
            // metadata token, so it is only valid for the module exactly as it was loaded.
            if (callsGetPublicKeyToken(initMethod)) {
                var pkt = module.Assembly.Name.PublicKeyToken;
                if (pkt != null) {
                    // Fold the token in as big-endian 16-bit pairs; a trailing odd byte is skipped.
                    for (int i = 0; i < pkt.Length - 1; i += 2) {
                        int pair = ((int)pkt[i] << 8) + pkt[i + 1];
                        stringOffset ^= pair;
                    }
                }
            }

            bool usesTokenMasks = DotNetUtils.findLdcI4Constant(initMethod, 0xFFFFFF)
                && DotNetUtils.findLdcI4Constant(initMethod, 0xFFFF);
            if (usesTokenMasks) {
                int rowId = stringDecrypterMethod.MetadataToken.ToInt32() & 0xFFFFFF;
                stringOffset ^= (rowId - 1) % 0xFFFF;
            }
        }
    }

    // Prefer a SimpleZip method referenced by the static constructor, else by the decrypter.
    var zipMethod = findSimpleZipTypeMethod(cctor) ?? findSimpleZipTypeMethod(stringDecrypterMethod);
    simpleZipTypeMethod = zipMethod;
    if (zipMethod != null) {
        var decrypterInfo = new ResourceDecrypterInfo(module, zipMethod, simpleDeobfuscator);
        resourceDecrypter = new ResourceDecrypter(decrypterInfo);
    }

    return true;
}
/// <summary>
/// Prepares string decryption: deobfuscates the static constructor of
/// <c>stringsEncodingClass</c>, detects the decrypter version, and derives <c>stringOffset</c>.
/// </summary>
/// <param name="deob">Deobfuscator forwarded to findStringsResource().</param>
/// <param name="simpleDeobfuscator">Deobfuscates the static constructor and is handed to the
/// resource decrypter info.</param>
/// <returns><c>false</c> when findStringsResource() fails, otherwise <c>true</c>.</returns>
/// <exception cref="ApplicationException">No decrypter method was found, or no string offset
/// was found on the path taken for versions above V3.</exception>
public bool init(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator) {
    var cctor = DotNetUtils.getMethod(stringsEncodingClass, ".cctor");
    if (cctor != null)
        simpleDeobfuscator.deobfuscate(cctor);
    // NOTE(review): a null cctor is forwarded to the helpers below as-is - confirm each one
    // handles null, because the module under analysis is untrusted input.
    decrypterVersion = guessVersion(cctor);

    bool foundDecrypter = findDecrypterMethod();
    if (!foundDecrypter)
        throw new ApplicationException("Could not find string decrypter method");

    bool foundResource = findStringsResource(deob, simpleDeobfuscator, cctor);
    if (!foundResource)
        return false;

    if (decrypterVersion <= StringDecrypterVersion.V3) {
        // Only V3 reads its setup from the static constructor; V1/V2 use the decrypter method.
        MethodDefinition initMethod;
        switch (decrypterVersion) {
        case StringDecrypterVersion.V3:
            initMethod = cctor;
            break;
        default:
            initMethod = stringDecrypterMethod;
            break;
        }

        stringOffset = 0;
        if (decrypterVersion != StringDecrypterVersion.V1) {
            // Offset inputs: public key token bytes, then the decrypter's metadata token.
            // Both come from the loaded module, so the result is tied to that exact module.
            if (callsGetPublicKeyToken(initMethod)) {
                var pkt = module.Assembly.Name.PublicKeyToken;
                if (pkt != null) {
                    // Big-endian 16-bit pairs; an odd trailing byte is not consumed.
                    for (int i = 0; i < pkt.Length - 1; i += 2)
                        stringOffset ^= ((int)pkt[i] << 8) + pkt[i + 1];
                }
            }

            if (DeobUtils.hasInteger(initMethod, 0xFFFFFF)) {
                if (DeobUtils.hasInteger(initMethod, 0xFFFF)) {
                    int maskedToken = stringDecrypterMethod.MetadataToken.ToInt32() & 0xFFFFFF;
                    stringOffset ^= (maskedToken - 1) % 0xFFFF;
                }
            }
        }
    }
    else {
        var offsetVal = findOffsetValue(cctor);
        if (offsetVal == null)
            throw new ApplicationException("Could not find string offset");
        stringOffset = offsetVal.Value;
        decrypterVersion = StringDecrypterVersion.V4;
    }

    // The static constructor is searched first; the decrypter method is the fallback.
    simpleZipTypeMethod = findSimpleZipTypeMethod(cctor) ?? findSimpleZipTypeMethod(stringDecrypterMethod);
    if (simpleZipTypeMethod != null)
        resourceDecrypter = new ResourceDecrypter(
            new ResourceDecrypterInfo(module, simpleZipTypeMethod, simpleDeobfuscator));
    return true;
}