// Finds the SmartAssembly.Delegates.GetString delegate TypeDef FindGetStringDelegate(MethodDef stringsCreateDelegateMethod) { if (!stringsCreateDelegateMethod.HasBody) { return(null); } foreach (var ldtoken in stringsCreateDelegateMethod.Body.Instructions) { if (ldtoken.OpCode.Code != Code.Ldtoken) { continue; } var typeToken = ldtoken.Operand as ITypeDefOrRef; if (typeToken == null) { continue; } var delegateType = GetType(typeToken); if (!DotNetUtils.DerivesFromDelegate(delegateType)) { continue; } var invoke = delegateType.FindMethod("Invoke"); if (invoke == null || !DotNetUtils.IsMethod(invoke, "System.String", "(System.Int32)")) { continue; } return(delegateType); } return(null); }
// Finds the SmartAssembly.StringsEncoding.Strings class. This class decrypts the // strings in the resources. It gets called by the SmartAssembly.Delegates.GetString // delegate instances which were created by SmartAssembly.HouseOfCards.Strings. TypeDef FindStringDecrypterClass(MethodDef stringsCreateDelegateMethod) { if (!stringsCreateDelegateMethod.HasBody) { return(null); } foreach (var ldtoken in stringsCreateDelegateMethod.Body.Instructions) { if (ldtoken.OpCode.Code != Code.Ldtoken) { continue; } var typeToken = ldtoken.Operand as ITypeDefOrRef; if (typeToken == null) { continue; } var type = GetType(typeToken); if (type == null || DotNetUtils.DerivesFromDelegate(type)) { continue; } if (!CouldBeStringDecrypterClass(type)) { continue; } return(type); } return(null); }
bool CanRenameMethod(MMethodDef methodDef) { var methodInfo = Method(methodDef); if (methodDef.IsStatic()) { if (methodInfo.oldName == ".cctor") { return(false); } } else if (methodDef.IsVirtual()) { if (DotNetUtils.DerivesFromDelegate(type.TypeDef)) { switch (methodInfo.oldName) { case "BeginInvoke": case "EndInvoke": case "Invoke": return(false); } } } else { if (methodInfo.oldName == ".ctor") { return(false); } } return(true); }
public void Read(MethodDef method) { gpContext = GenericParamContext.Create(method); flags = (MethodFlags)reader.ReadByte(); if (HasDelegateType) { delegateType = Resolve <TypeDef>(ReadTypeToken()); if (!DotNetUtils.DerivesFromDelegate(delegateType)) { throw new ApplicationException("Invalid delegate type"); } } if (HasLocals) { ReadLocals((int)reader.Read7BitEncodedUInt32()); } if (HasInstructions) { ReadInstructions((int)reader.Read7BitEncodedUInt32()); } if (HasExceptionHandlers) { ReadExceptionHandlers((int)reader.Read7BitEncodedUInt32()); } }
public void FindDelegateCreator(ModuleDefMD module) { var callCounter = new CallCounter(); foreach (var type in module.Types) { if (type.Namespace != "" || !DotNetUtils.DerivesFromDelegate(type)) { continue; } var cctor = type.FindStaticConstructor(); if (cctor == null) { continue; } foreach (var method in DotNetUtils.GetMethodCalls(cctor)) { callCounter.Add(method); } } var mostCalls = callCounter.Most(); if (mostCalls == null) { return; } SetDelegateCreatorMethod(DotNetUtils.GetMethod(module, mostCalls)); }
FieldDefAndDeclaringTypeDict<DelegateInitInfo> CreateDelegateInitInfos_v10_r42915(MethodDef method) { var infos = new FieldDefAndDeclaringTypeDict<DelegateInitInfo>(); var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count - 2; i++) { var ldstr = instrs[i]; if (ldstr.OpCode.Code != Code.Ldstr) continue; var info = ldstr.Operand as string; if (info == null) continue; var ldtoken = instrs[i + 1]; if (ldtoken.OpCode.Code != Code.Ldtoken) continue; var delegateField = ldtoken.Operand as FieldDef; if (delegateField == null) continue; var delegateType = delegateField.FieldType.TryGetTypeDef(); if (!DotNetUtils.DerivesFromDelegate(delegateType)) continue; var call = instrs[i + 2]; if (call.OpCode.Code != Code.Call) continue; var delegateCreatorMethod = call.Operand as MethodDef; if (delegateCreatorMethod == null || !IsDelegateCreatorMethod(delegateCreatorMethod)) continue; infos.Add(delegateField, new DelegateInitInfo(info, delegateField, delegateCreatorMethod)); i += 2; } return infos; }
bool CheckMemoryManagerType(TypeDef type, MethodDef method) { // Only two fields: itself and a long int fields = 0; foreach (var field in type.Fields) { if (new SigComparer().Equals(field.FieldType, type) || field.FieldType.FullName == "System.Int64") { fields++; continue; } if (DotNetUtils.DerivesFromDelegate(DotNetUtils.GetType(module, field.FieldType))) { continue; } return(false); } if (fields != 2) { return(false); } if (DotNetUtils.GetPInvokeMethod(type, "kernel32", "SetProcessWorkingSetSize") == null) { return(false); } return(true); }
public override void DeobfuscateBegin() { base.DeobfuscateBegin(); cliSecureRtType.FindStringDecrypterMethod(); stringDecrypter.AddDecrypterInfos(cliSecureRtType.StringDecrypterInfos); stringDecrypter.Initialize(); AddAttributesToBeRemoved(cliSecureAttributes, "Obfuscator attribute"); if (options.DecryptResources) { DecryptResources(resourceDecrypter); AddCctorInitCallToBeRemoved(resourceDecrypter.RsrcRrrMethod); } stackFrameHelper = new StackFrameHelper(Module); stackFrameHelper.Find(); foreach (var type in Module.Types) { if (type.FullName == "InitializeDelegate" && DotNetUtils.DerivesFromDelegate(type)) { this.AddTypeToBeRemoved(type, "Obfuscator type"); } } proxyCallFixer.Find(); foreach (var info in stringDecrypter.StringDecrypterInfos) { staticStringInliner.Add(info.Method, (method, gim, args) => stringDecrypter.Decrypt((string)args[0])); } DeobfuscatedFile.StringDecryptersAdded(); if (options.DecryptMethods) { AddCctorInitCallToBeRemoved(cliSecureRtType.InitializeMethod); AddCctorInitCallToBeRemoved(cliSecureRtType.PostInitializeMethod); FindPossibleNamesToRemove(cliSecureRtType.LoadMethod); } if (options.RestoreVmCode && (csvmV1.Detected || csvmV2.Detected)) { if (csvmV1.Detected && csvmV1.Restore()) { AddResourceToBeRemoved(csvmV1.Resource, "CSVM data resource"); } else if (csvmV2.Detected && csvmV2.Restore()) { AddResourceToBeRemoved(csvmV2.Resource, "CSVM data resource"); } else { Logger.e("Couldn't restore VM methods. Use --dont-rename or it will not run"); PreserveTokensAndTypes(); } } }
static TypeSig GetCommonBaseClass(ModuleDef module, TypeSig a, TypeSig b) { if (DotNetUtils.IsDelegate(a) && DotNetUtils.DerivesFromDelegate(module.Find(b.ToTypeDefOrRef()))) { return(b); } if (DotNetUtils.IsDelegate(b) && DotNetUtils.DerivesFromDelegate(module.Find(a.ToTypeDefOrRef()))) { return(a); } return(null); //TODO: }
static MethodDef FindStringDecrypters(TypeDef type, FieldDef keyArrayField, out FieldDef field) { FieldDef foundField = null; foreach (var method in type.Methods) { if (!method.IsAssembly || !method.IsStatic) { continue; } if (!DotNetUtils.IsMethod(method, "System.String", "(System.String)")) { continue; } if (!method.HasBody) { continue; } bool accessedArrayField = false; foreach (var instr in method.Body.Instructions) { var f = instr.Operand as FieldDef; accessedArrayField |= f == keyArrayField; if (f == null || f == keyArrayField || f == foundField) { continue; } if (DotNetUtils.DerivesFromDelegate(f.DeclaringType)) { continue; } if (f.FieldSig.GetFieldType().GetFullName() != "System.Collections.Hashtable" || foundField != null) { goto exit; } foundField = f; } if (!accessedArrayField) { continue; } field = foundField; return(method); } exit :; field = null; return(null); }
bool CheckDelegateType(TypeDef type) { if (!DotNetUtils.DerivesFromDelegate(type)) { return(false); } var invoke = type.FindMethod("Invoke"); if (invoke == null) { return(false); } return(CheckDelegateInvokeMethod(invoke)); }
bool GetDelegate(TypeDef type, out FieldDef field, out TypeDef del) { foreach (var fld in type.Fields) { var theDelegate = fld.FieldType.TryGetTypeDef(); if (theDelegate != null && DotNetUtils.DerivesFromDelegate(theDelegate)) { field = fld; del = theDelegate; return(true); } } field = null; del = null; return(false); }
protected override bool CheckResolverType(TypeDef type) { if (DotNetUtils.FindFieldType(type, "System.Collections.Hashtable", true) != null || DotNetUtils.FindFieldType(type, "System.Collections.Generic.Dictionary`2<System.String,System.Reflection.Assembly>", true) != null) { return(true); } foreach (var field in type.Fields) { if (DotNetUtils.DerivesFromDelegate(DotNetUtils.GetType(module, field.FieldType))) { continue; } if (field.IsLiteral && field.FieldType.ToString() == "System.String") { continue; } return(false); } return(true); }
public void FindFields() { if (Methods == null || Methods.Count == 0) { return; } var initializations = new List <DelegateInitInfo>(); var mnoduleType = DotNetUtils.GetModuleType(Module); if (mnoduleType != null) { foreach (var method in mnoduleType.Methods) { var inits = FindFieldInitializations(method); if (inits == null || inits.Count == 0) { continue; } initializations.AddRange(inits); } } foreach (var type in Module.GetTypes()) { if (!DotNetUtils.DerivesFromDelegate(type)) { continue; } var inits = FindFieldInitializations(type.FindStaticConstructor()); if (inits == null || inits.Count == 0) { continue; } initializations.AddRange(inits); } Initializations = initializations; }
static FieldDef GetDelegateField(MethodDef method) { if (method == null || method.Body == null) return null; FieldDef field = null; bool foundInvoke = false; foreach (var instr in method.Body.Instructions) { if (instr.OpCode.Code == Code.Ldsfld) { var field2 = instr.Operand as FieldDef; if (field2 == null || field2.DeclaringType != method.DeclaringType) continue; if (field != null) return null; if (!DotNetUtils.DerivesFromDelegate(field2.FieldType.TryGetTypeDef())) continue; field = field2; } else if (instr.OpCode.Code == Code.Call || instr.OpCode.Code == Code.Callvirt) { var calledMethod = instr.Operand as IMethod; foundInvoke |= calledMethod != null && calledMethod.Name == "Invoke"; } } return foundInvoke ? field : null; }