bool findEmbedded(MethodDef method) { if (method == null || method.Body == null) { return(false); } foreach (var calledMethod in DotNetUtils.getCalledMethods(module, method)) { var resolver = checkInitMethod(calledMethod); if (resolver == null) { continue; } if (!checkType(calledMethod.DeclaringType)) { continue; } embedInitMethod = calledMethod; embedResolverMethod = resolver; return(true); } return(false); }
MethodDef checkCalledMethods(MethodDef method) { int calls = 0; TypeDef type = null; MethodDef initMethod = null; foreach (var calledMethod in DotNetUtils.getCalledMethods(module, method)) { calls++; if (type != null && calledMethod.DeclaringType != type) { return(null); } type = calledMethod.DeclaringType; if (initMethod == null) { initMethod = calledMethod; } } if (calls != 2) { return(null); } return(initMethod); }
public void find() { var additionalTypes = new string[] { "System.IntPtr", // "System.Reflection.Assembly", //TODO: Not in unknown DNR version with jitter support }; var checkedMethods = new Dictionary<IMethod, bool>(MethodEqualityComparer.CompareDeclaringTypes); var callCounter = new CallCounter(); int typesLeft = 30; foreach (var type in module.GetTypes()) { var cctor = type.FindStaticConstructor(); if (cctor == null || cctor.Body == null) continue; if (typesLeft-- <= 0) break; foreach (var method in DotNetUtils.getCalledMethods(module, cctor)) { if (!checkedMethods.ContainsKey(method)) { checkedMethods[method] = false; if (method.DeclaringType.BaseType == null || method.DeclaringType.BaseType.FullName != "System.Object") continue; if (!DotNetUtils.isMethod(method, "System.Void", "()")) continue; if (!encryptedResource.couldBeResourceDecrypter(method, additionalTypes)) continue; checkedMethods[method] = true; } else if (!checkedMethods[method]) continue; callCounter.add(method); } } encryptedResource.Method = (MethodDef)callCounter.most(); }
protected override bool checkResolverInitMethodSilverlight(MethodDef resolverInitMethod) { if (resolverInitMethod.Body.ExceptionHandlers.Count != 1) { return(false); } foreach (var method in DotNetUtils.getCalledMethods(module, resolverInitMethod)) { if (!method.IsStatic || method.Body == null) { continue; } if (!method.IsPublic || method.HasGenericParameters) { continue; } if (!DotNetUtils.isMethod(method, "System.Void", "(System.String)")) { continue; } simpleDeobfuscator.deobfuscate(method); if (!new LocalTypes(method).all(requiredLocals_sl)) { continue; } initMethod = resolverInitMethod; resolveHandler = method; updateVersion(resolveHandler); return(true); } return(false); }
public void find() { var cctor = DotNetUtils.getModuleTypeCctor(module); if (cctor == null) { return; } foreach (var method in DotNetUtils.getCalledMethods(module, cctor)) { if (method.Name == ".cctor" || method.Name == ".ctor") { continue; } if (!method.IsStatic || !DotNetUtils.isMethod(method, "System.Void", "()")) { continue; } if (checkType(method)) { break; } } }
bool checkCctor(MethodDef cctor) { var ldtokenType = getLdtokenType(cctor); if (!new SigComparer().Equals(ldtokenType, cctor.DeclaringType)) { return(false); } MethodDef initMethod = null; foreach (var method in DotNetUtils.getCalledMethods(module, cctor)) { if (DotNetUtils.isMethod(method, "System.Void", "(System.Type)")) { initMethod = method; break; } } if (initMethod == null || initMethod.Body == null) { return(false); } return(true); }
string getPassword(MethodDef decryptMethod) { foreach (var method in DotNetUtils.getCalledMethods(module, decryptMethod)) { if (!method.IsStatic || method.Body == null) { continue; } if (!new SigComparer().Equals(method.DeclaringType, decryptMethod.DeclaringType)) { continue; } if (!DotNetUtils.isMethod(method, "System.String", "()")) { continue; } var hexChars = getPassword2(method); if (string.IsNullOrEmpty(hexChars)) { continue; } var password = fixPassword(hexChars); if (string.IsNullOrEmpty(password)) { continue; } return(password); } return(null); }
bool checkCalledMethods(MethodDefinition checkMethod) { if (checkMethod == null || checkMethod.Body == null) { return(false); } foreach (var method in DotNetUtils.getCalledMethods(module, checkMethod)) { if (method.Name == ".cctor" || method.Name == ".ctor") { continue; } if (!method.IsStatic || !DotNetUtils.isMethod(method, "System.Void", "()")) { continue; } if (checkResolverInitMethod(method)) { return(true); } } return(false); }
bool checkCalledMethods(MethodDefinition checkMethod) { if (checkMethod == null) { return(false); } foreach (var method in DotNetUtils.getCalledMethods(module, checkMethod)) { if (method.Name == ".cctor" || method.Name == ".ctor") { continue; } if (!method.IsStatic || !DotNetUtils.isMethod(method, "System.Void", "()")) { continue; } if (checkMemoryManagerType(method.DeclaringType, method)) { memoryManagerType = method.DeclaringType; attachAppMethod = method; return(true); } } return(false); }
string getPassword(MethodDefinition decryptMethod) { foreach (var method in DotNetUtils.getCalledMethods(module, decryptMethod)) { if (!method.IsStatic || method.Body == null) { continue; } if (!MemberReferenceHelper.compareTypes(method.DeclaringType, decryptMethod.DeclaringType)) { continue; } if (!DotNetUtils.isMethod(method, "System.String", "()")) { continue; } var hexChars = getPassword2(method); if (string.IsNullOrEmpty(hexChars)) { continue; } var password = fixPassword(hexChars); if (string.IsNullOrEmpty(password)) { continue; } return(password); } return(null); }
bool checkCctor(MethodDefinition cctor) { var ldtokenType = getLdtokenType(cctor); if (!MemberReferenceHelper.compareTypes(ldtokenType, cctor.DeclaringType)) { return(false); } MethodDefinition initMethod = null; foreach (var method in DotNetUtils.getCalledMethods(module, cctor)) { if (DotNetUtils.isMethod(method, "System.Void", "(System.Type)")) { initMethod = method; break; } } if (initMethod == null || initMethod.Body == null) { return(false); } return(true); }
public void find() { foreach (var calledMethod in DotNetUtils.getCalledMethods(module, DotNetUtils.getModuleTypeCctor(module))) { if (!DotNetUtils.isMethod(calledMethod, "System.Void", "()")) { continue; } if (calledMethod.DeclaringType.FullName != "<PrivateImplementationDetails>{F1C5056B-0AFC-4423-9B83-D13A26B48869}") { continue; } nativeLibCallerType = calledMethod.DeclaringType; initMethod = calledMethod; foreach (var s in DotNetUtils.getCodeStrings(initMethod)) { nativeFileResource = DotNetUtils.getResource(module, s); if (nativeFileResource != null) { break; } } return; } }
bool checkCctor(MethodDefinition cctor) { foreach (var method in DotNetUtils.getCalledMethods(module, cctor)) { if (method.Name != "Startup") { continue; } if (!DotNetUtils.isMethod(method, "System.Void", "()")) { continue; } ModuleReference module1, module2; bool isOldTmp; if (!checkType(method.DeclaringType, out module1, out module2, out isOldTmp)) { continue; } mcType = method.DeclaringType; mcModule1 = module1; mcModule2 = module2; isOld = isOldTmp; return(true); } return(false); }
bool checkInitMethod(MethodDefinition checkMethod, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) { var requiredFields = new string[] { "System.Collections.Hashtable", "System.Boolean", }; foreach (var method in DotNetUtils.getCalledMethods(module, checkMethod)) { if (method.Body == null) { continue; } if (!method.IsStatic) { continue; } if (!DotNetUtils.isMethod(method, "System.Void", "()")) { continue; } var type = method.DeclaringType; if (!new FieldTypes(type).exactly(requiredFields)) { continue; } var ctor = DotNetUtils.getMethod(type, ".ctor"); if (ctor == null) { continue; } var handler = getHandler(ctor); if (handler == null) { continue; } simpleDeobfuscator.decryptStrings(handler, deob); var resourcePrefix = getResourcePrefix(handler); if (resourcePrefix == null) { continue; } for (int i = 0; ; i++) { var resource = DotNetUtils.getResource(module, resourcePrefix + i.ToString("D5")) as EmbeddedResource; if (resource == null) { break; } resources.Add(resource); } initMethod = method; return(true); } return(false); }
bool find2() { foreach (var cctor in DeobUtils.getInitCctors(module, 3)) { foreach (var calledMethod in DotNetUtils.getCalledMethods(module, cctor)) { var type = calledMethod.DeclaringType; if (type.IsPublic) { continue; } var fieldTypes = new FieldTypes(type); if (!fieldTypes.exactly(requiredFields1) && !fieldTypes.exactly(requiredFields2) && !fieldTypes.exactly(requiredFields3) && !fieldTypes.exactly(requiredFields4)) { continue; } if (!hasInitializeMethod(type, "_Initialize") && !hasInitializeMethod(type, "_Initialize64")) { continue; } stringDecrypterMethod = findStringDecrypterMethod(type); initializeMethod = calledMethod; postInitializeMethod = findMethod(type, "System.Void", "PostInitialize", "()"); loadMethod = findMethod(type, "System.IntPtr", "Load", "()"); cliSecureRtType = type; return(true); } } return(false); }
string getMainResourceKey(MethodDef method, out MethodDef decryptAssemblyMethod) { foreach (var calledMethod in DotNetUtils.getCalledMethods(module, method)) { if (!calledMethod.IsStatic || calledMethod.Body == null) { continue; } if (!DotNetUtils.isMethod(calledMethod, "System.Void", "(System.String[])")) { continue; } deobfuscateAll(calledMethod); string keyInfo = getMainResourceKeyInfo(calledMethod, out decryptAssemblyMethod); if (keyInfo == null) { continue; } return(BitConverter.ToString(new MD5CryptoServiceProvider().ComputeHash(new ASCIIEncoding().GetBytes(keyInfo))).Replace("-", "")); } decryptAssemblyMethod = null; return(null); }
bool find(MethodDefinition methodToCheck) { if (methodToCheck == null) { return(false); } foreach (var method in DotNetUtils.getCalledMethods(module, methodToCheck)) { var type = method.DeclaringType; if (!method.IsStatic || !DotNetUtils.isMethod(method, "System.Void", "()")) { continue; } if (DotNetUtils.getPInvokeMethod(type, "kernel32", "LoadLibrary") == null) { continue; } if (DotNetUtils.getPInvokeMethod(type, "kernel32", "GetProcAddress") == null) { continue; } deobfuscate(method); if (!containsString(method, "debugger is active")) { continue; } antiDebuggerType = type; antiDebuggerMethod = method; return(true); } return(false); }
bool checkAttachAppMethod(MethodDefinition attachAppMethod) { callResolverMethod = null; if (!attachAppMethod.HasBody) { return(false); } foreach (var method in DotNetUtils.getCalledMethods(module, attachAppMethod)) { if (attachAppMethod == method) { continue; } if (method.Name == ".cctor" || method.Name == ".ctor") { continue; } if (!method.IsStatic || !DotNetUtils.isMethod(method, "System.Void", "()")) { continue; } if (!checkResolverInitMethod(method)) { continue; } callResolverMethod = attachAppMethod; return(true); } if (hasLdftn(attachAppMethod)) { simpleDeobfuscator.deobfuscate(attachAppMethod); foreach (var resolverHandler in getResolverHandlers(attachAppMethod)) { if (!resolverHandler.HasBody) { continue; } var resolverTypeTmp = getResolverType(resolverHandler); if (resolverTypeTmp == null) { continue; } deobfuscate(resolverHandler); if (checkHandlerMethod(resolverHandler)) { callResolverMethod = attachAppMethod; resolverType = resolverTypeTmp; return(true); } } } return(false); }
void addEntryPointCallToBeRemoved(MethodDefinition methodToBeRemoved) { var entryPoint = module.EntryPoint; addCallToBeRemoved(entryPoint, methodToBeRemoved); foreach (var calledMethod in DotNetUtils.getCalledMethods(module, entryPoint)) { addCallToBeRemoved(calledMethod, methodToBeRemoved); } }
bool callsMethod(MethodDef methodToCheck, MethodDef calledMethod) { foreach (var method in DotNetUtils.getCalledMethods(module, methodToCheck)) { if (method == calledMethod) { return(true); } } return(false); }
public void find() { var additionalTypes = new string[] { "System.IntPtr", // "System.Reflection.Assembly", //TODO: Not in unknown DNR version with jitter support }; var checkedMethods = new Dictionary <MethodReferenceAndDeclaringTypeKey, bool>(); var callCounter = new CallCounter(); int typesLeft = 30; foreach (var type in module.GetTypes()) { var cctor = DotNetUtils.getMethod(type, ".cctor"); if (cctor == null || cctor.Body == null) { continue; } if (typesLeft-- <= 0) { break; } foreach (var method in DotNetUtils.getCalledMethods(module, cctor)) { var key = new MethodReferenceAndDeclaringTypeKey(method); if (!checkedMethods.ContainsKey(key)) { checkedMethods[key] = false; if (method.DeclaringType.BaseType == null || method.DeclaringType.BaseType.FullName != "System.Object") { continue; } if (!DotNetUtils.isMethod(method, "System.Void", "()")) { continue; } if (!encryptedResource.couldBeResourceDecrypter(method, additionalTypes)) { continue; } checkedMethods[key] = true; } else if (!checkedMethods[key]) { continue; } callCounter.add(method); } } encryptedResource.Method = (MethodDefinition)callCounter.most(); }
// The main decrypter type calls the string decrypter init method inside its init method void findV5(MethodDef method) { if (!mainType.Detected) { return; } foreach (var calledMethod in DotNetUtils.getCalledMethods(module, mainType.InitMethod)) { if (find(calledMethod)) { return; } } }
string getPassword2(MethodDef method) { string password = ""; foreach (var calledMethod in DotNetUtils.getCalledMethods(module, method)) { var s = getPassword3(calledMethod); if (string.IsNullOrEmpty(s)) { return(null); } password += s; } return(password); }
void init() { var callCounter = new CallCounter(); int count = 0; foreach (var type in module.GetTypes()) { if (count >= 40) { break; } foreach (var method in type.Methods) { if (method.Name != ".ctor" && method.Name != ".cctor" && module.EntryPoint != method) { continue; } foreach (var calledMethod in DotNetUtils.getCalledMethods(module, method)) { if (!calledMethod.IsStatic || calledMethod.Body == null) { continue; } if (!DotNetUtils.isMethod(calledMethod, "System.Void", "()")) { continue; } if (isEmptyClass(calledMethod)) { callCounter.add(calledMethod); count++; } } } } int numCalls; var theMethod = (MethodDef)callCounter.most(out numCalls); if (numCalls >= 10) { emptyMethod = theMethod; } }
void findResourceType() { var cctor = DotNetUtils.getModuleTypeCctor(module); if (cctor == null) { return; } foreach (var calledMethod in DotNetUtils.getCalledMethods(module, cctor)) { if (!calledMethod.IsStatic || calledMethod.Body == null) { continue; } if (!DotNetUtils.isMethod(calledMethod, "System.Void", "()")) { continue; } var type = calledMethod.DeclaringType; if (!new FieldTypes(type).exactly(requiredFields)) { continue; } var resolveHandler = DotNetUtils.getMethod(type, "System.Reflection.Assembly", "(System.Object,System.ResolveEventArgs)"); var decryptMethod = DotNetUtils.getMethod(type, "System.Byte[]", "(System.IO.Stream)"); if (resolveHandler == null || !resolveHandler.IsStatic) { continue; } if (decryptMethod == null || !decryptMethod.IsStatic) { continue; } rsrcType = type; rsrcRrrMethod = calledMethod; rsrcResolveMethod = resolveHandler; return; } }
bool callsMainTypeTamperCheckMethod(MethodDef method) { foreach (var calledMethod in DotNetUtils.getCalledMethods(module, method)) { if (calledMethod == mainType.TamperCheckMethod) { return(true); } } var instructions = method.Body.Instructions; for (int i = 0; i < instructions.Count; i++) { var instrs = DotNetUtils.getInstructions(instructions, i, OpCodes.Ldtoken, OpCodes.Call, OpCodes.Call, OpCodes.Ldc_I8, OpCodes.Call); if (instrs == null) { continue; } if (!checkInvokeCall(instrs[1], "System.Type", "(System.RuntimeTypeHandle)")) { continue; } if (!checkInvokeCall(instrs[2], "System.Reflection.Assembly", "(System.Object)")) { continue; } if (!checkInvokeCall(instrs[4], "System.Void", "(System.Reflection.Assembly,System.UInt64)")) { continue; } return(true); } return(false); }
ProxyCreatorType getProxyCreatorType(MethodDefinition methodToCheck) { foreach (var calledMethod in DotNetUtils.getCalledMethods(module, methodToCheck)) { if (!calledMethod.IsStatic || calledMethod.Body == null) { continue; } if (!MemberReferenceHelper.compareTypes(methodToCheck.DeclaringType, calledMethod.DeclaringType)) { continue; } if (DotNetUtils.isMethod(calledMethod, "System.Void", "(System.Reflection.FieldInfo,System.Type,System.Reflection.MethodInfo)")) { return(ProxyCreatorType.CallOrCallvirt); } if (DotNetUtils.isMethod(calledMethod, "System.Void", "(System.Reflection.FieldInfo,System.Type,System.Reflection.ConstructorInfo)")) { return(ProxyCreatorType.Newobj); } } return(ProxyCreatorType.None); }
bool initProxyType(Info infoTmp, MethodDefinition method) { foreach (var calledMethod in DotNetUtils.getCalledMethods(module, method)) { if (!calledMethod.IsStatic) { continue; } if (!DotNetUtils.isMethod(calledMethod, "System.Void", "(System.Int32)")) { continue; } if (!checkProxyType(infoTmp, calledMethod.DeclaringType)) { continue; } infoTmp.proxyType = calledMethod.DeclaringType; infoTmp.initMethod = calledMethod; return(true); } return(false); }
bool find(MethodDefinition methodToCheck) { if (methodToCheck == null) { return(false); } foreach (var method in DotNetUtils.getCalledMethods(module, methodToCheck)) { bool result = false; switch (frameworkType) { case FrameworkType.Desktop: result = findDesktop(method); break; case FrameworkType.Silverlight: result = findSilverlight(method); break; case FrameworkType.CompactFramework: result = findCompactFramework(method); break; } if (!result) { continue; } tamperType = method.DeclaringType; tamperMethod = method; return(true); } return(false); }
bool findTypes(MethodDefinition initMethod) { if (initMethod == null) { return(false); } foreach (var method in DotNetUtils.getCalledMethods(module, initMethod)) { if (method.Name == ".cctor" || method.Name == ".ctor") { continue; } if (!method.IsStatic || !DotNetUtils.isMethod(method, "System.Void", "()")) { continue; } if (checkAttachAppMethod(method)) { return(true); } } return(false); }