bool CheckMethod(ISimpleDeobfuscator simpleDeobfuscator, MethodDef method) { if (method == null || method.Body == null) return false; foreach (var instr in method.Body.Instructions) { if (instr.OpCode.Code != Code.Call) continue; var calledMethod = instr.Operand as MethodDef; if (calledMethod == null) continue; if (calledMethod == null || !calledMethod.IsStatic) continue; if (!DotNetUtils.IsMethod(calledMethod, "System.Void", "()")) continue; var type = calledMethod.DeclaringType; if (type.NestedTypes.Count > 0) continue; simpleDeobfuscator.Deobfuscate(calledMethod, SimpleDeobfuscatorFlags.Force | SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs); if (CheckType(type, calledMethod)) { initMethod = calledMethod; return true; } } return false; }
EmbeddedResource FindGetManifestResourceStreamTypeResource(TypeDef type, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) { foreach (var method in type.Methods) { if (!method.IsPrivate || !method.IsStatic || method.Body == null) continue; if (!DotNetUtils.IsMethod(method, "System.String", "(System.Reflection.Assembly,System.Type,System.String)")) continue; simpleDeobfuscator.Deobfuscate(method); simpleDeobfuscator.DecryptStrings(method, deob); foreach (var s in DotNetUtils.GetCodeStrings(method)) { var resource = DotNetUtils.GetResource(module, s) as EmbeddedResource; if (resource != null) return resource; } } return null; }
void Initialize(ISimpleDeobfuscator simpleDeobfuscator, MethodDef method) { var desList = new List<byte[]>(2); var aesList = new List<byte[]>(2); var instructions = method.Body.Instructions; simpleDeobfuscator.Deobfuscate(method); for (int i = 0; i <= instructions.Count - 2; i++) { var ldtoken = instructions[i]; if (ldtoken.OpCode.Code != Code.Ldtoken) continue; var field = DotNetUtils.GetField(module, ldtoken.Operand as IField); if (field == null) continue; if (field.InitialValue == null) continue; var call = instructions[i + 1]; if (call.OpCode.Code != Code.Call) continue; var calledMethod = call.Operand as IMethod; if (!DotNetUtils.IsMethod(calledMethod, "System.Void", "(System.Array,System.RuntimeFieldHandle)")) continue; if (field.InitialValue.Length == 8) desList.Add(field.InitialValue); else if (field.InitialValue.Length == 16) aesList.Add(field.InitialValue); } if (desList.Count >= 2) { DES_Key = desList[desList.Count - 2]; DES_IV = desList[desList.Count - 1]; } if (aesList.Count >= 2) { AES_Key = aesList[aesList.Count - 2]; AES_IV = aesList[aesList.Count - 1]; } }
void FindStringDecrypterMethods(TypeDef type, ISimpleDeobfuscator simpleDeobfuscator) { foreach (var method in DotNetUtils.FindMethods(type.Methods, "System.String", new string[] { "System.String", "System.Int32" })) { if (method.Body.HasExceptionHandlers) continue; if (DotNetUtils.GetMethodCalls(method, "System.Char[] System.String::ToCharArray()") != 1) continue; if (DotNetUtils.GetMethodCalls(method, "System.String System.String::Intern(System.String)") != 1) continue; simpleDeobfuscator.Deobfuscate(method); var instrs = method.Body.Instructions; for (int i = 0; i < instrs.Count - 3; i++) { var ldarg = instrs[i]; if (!ldarg.IsLdarg() || ldarg.GetParameterIndex() != 0) continue; var callvirt = instrs[i + 1]; if (callvirt.OpCode.Code != Code.Callvirt) continue; var calledMethod = callvirt.Operand as MemberRef; if (calledMethod == null || calledMethod.FullName != "System.Char[] System.String::ToCharArray()") continue; var stloc = instrs[i + 2]; if (!stloc.IsStloc()) continue; var ldci4 = instrs[i + 3]; if (!ldci4.IsLdcI4()) continue; var info = new StringDecrypterInfo(method, ldci4.GetLdcI4Value()); stringDecrypterMethods.Add(info.method, info); Logger.v("Found string decrypter method: {0}, magic: 0x{1:X8}", Utils.RemoveNewlines(info.method), info.magic); break; } } }
static ProxyCreatorType GetProxyCreatorType(MethodDef method, ISimpleDeobfuscator simpleDeobfuscator, out int version) { var type = GetProxyCreatorTypeV1(method); if (type != ProxyCreatorType.None) { version = 1; return type; } simpleDeobfuscator.Deobfuscate(method); type = GetProxyCreatorTypeV2(method); if (type != ProxyCreatorType.None) { version = 2; return type; } version = 0; return ProxyCreatorType.None; }
MethodDef FindInitMethod(ISimpleDeobfuscator simpleDeobfuscator) { var ctor = Type.FindMethod(".ctor"); foreach (var method in Type.Methods) { if (!method.IsStatic || method.Body == null) continue; if (!DotNetUtils.IsMethod(method, "System.Void", "()")) continue; if (method.Body.Variables.Count > 1) continue; simpleDeobfuscator.Deobfuscate(method); bool stsfldUsed = false, newobjUsed = false; foreach (var instr in method.Body.Instructions) { if (instr.OpCode.Code == Code.Stsfld) { var field = instr.Operand as IField; if (field == null || field.FieldSig.GetFieldType().GetElementType() != ElementType.Boolean) continue; if (!new SigComparer().Equals(Type, field.DeclaringType)) continue; stsfldUsed = true; } else if (instr.OpCode.Code == Code.Newobj) { var calledCtor = instr.Operand as IMethod; if (calledCtor == null) continue; if (!MethodEqualityComparer.CompareDeclaringTypes.Equals(calledCtor, ctor)) continue; newobjUsed = true; } } if (!stsfldUsed || !newobjUsed) continue; return method; } return null; }
bool FindConstants(ISimpleDeobfuscator simpleDeobfuscator) { dynocode = new DynamicDynocodeIterator(); simpleDeobfuscator.Deobfuscate(stringMethod); stringMethodConsts = new EfConstantsReader(stringMethod); if (!FindResource(stringMethod)) return false; checkMinus2 = isV32OrLater || DeobUtils.HasInteger(stringMethod, -2); usePublicKeyToken = CallsGetPublicKeyToken(stringMethod); var int64Method = FindInt64Method(stringMethod); if (int64Method != null) decrypterType.Type = int64Method.DeclaringType; if (!FindShorts()) return false; if (!FindInt3()) return false; if (!FindInt4()) return false; if (checkMinus2 && !FindInt5()) return false; // The method body of the data decrypter method has been moved into // the string decrypter helper method in 5.0 if (!isV50OrLater) { dataDecrypterType = FindDataDecrypterType(stringMethod); if (dataDecrypterType == null) return false; } if (isV32OrLater) { bool initializedAll; int index = FindInitIntsIndex(stringMethod, out initializedAll); var cctor = stringType.FindStaticConstructor(); if (!initializedAll && cctor != null) { simpleDeobfuscator.Deobfuscate(cctor); if (!FindIntsCctor(cctor)) return false; } if (decrypterType.Detected && !decrypterType.Initialize()) return false; if (!isV50OrLater) { decrypterType.ShiftConsts = new List<int> { 24, 16, 8, 0, 16, 8, 0, 24 }; } else { List<int> shiftConsts; if (!FindShiftInts(decrypterType.Int64Method, out shiftConsts)) return false; decrypterType.ShiftConsts = shiftConsts; } if (!FindInts(index)) return false; } InitializeFlags(); Initialize(); return true; }
public void Find(ISimpleDeobfuscator simpleDeobfuscator) { if (module.Assembly == null) return; var pkt = module.Assembly.PublicKeyToken; bool hasPublicKeyToken = !PublicKeyBase.IsNullOrEmpty2(pkt); foreach (var type in module.GetTypes()) { var cctor = type.FindStaticConstructor(); if (cctor == null) continue; bool deobfuscatedCctor = false; bool? v13State = null, v40State = null, v41State = null; foreach (var method in type.Methods) { if (!method.IsStatic || method.Body == null) continue; IDecrypterInfo info = null; if (DecrypterInfo13.IsPossibleDecrypterMethod(method, ref v13State)) { DeobfuscateCctor(simpleDeobfuscator, cctor, ref deobfuscatedCctor, hasPublicKeyToken); simpleDeobfuscator.Deobfuscate(method); info = GetInfoV13(cctor, method); } else if (DecrypterInfo40.IsPossibleDecrypterMethod(method, ref v40State)) { DeobfuscateCctor(simpleDeobfuscator, cctor, ref deobfuscatedCctor, hasPublicKeyToken); simpleDeobfuscator.Deobfuscate(method); info = GetInfoV40(cctor, method); } else if (DecrypterInfo41.IsPossibleDecrypterMethod(method, ref v41State)) { DeobfuscateCctor(simpleDeobfuscator, cctor, ref deobfuscatedCctor, hasPublicKeyToken); simpleDeobfuscator.Deobfuscate(method); info = GetInfoV41(cctor, method); } if (info == null) continue; methodToInfo.Add(method, info); version = info.Version; } } }
bool CheckType(TypeDef type, MethodDef initMethod, ISimpleDeobfuscator simpleDeobfuscator) { if (DotNetUtils.FindFieldType(type, "System.Collections.Hashtable", true) == null) return false; simpleDeobfuscator.Deobfuscate(initMethod); if (!CheckInitMethod(initMethod)) return false; if ((asmSeparator = FindAssemblySeparator(initMethod)) == null) return false; List<AssemblyInfo> newAssemblyInfos = null; foreach (var s in DotNetUtils.GetCodeStrings(initMethod)) { newAssemblyInfos = InitializeEmbeddedAssemblies(s); if (newAssemblyInfos != null) break; } if (newAssemblyInfos == null) return false; resolverType = type; resolverMethod = initMethod; assemblyInfos = newAssemblyInfos; return true; }
public void Initialize(ISimpleDeobfuscator deobfuscator) { if (decrypterCctor == null) return; deobfuscator.Deobfuscate(decrypterCctor); var instrs = decrypterCctor.Body.Instructions; for (int i = 0; i < instrs.Count - 4; i++) { var ldstr = instrs[i]; if (ldstr.OpCode.Code != Code.Ldstr) continue; var encryptedString = ldstr.Operand as string; if (encryptedString == null) continue; if (instrs[i + 1].OpCode.Code != Code.Stsfld) continue; if (instrs[i + 2].OpCode.Code != Code.Ldsfld) continue; if (instrs[i + 3].OpCode.Code != Code.Call) continue; if (instrs[i + 4].OpCode.Code != Code.Stsfld) continue; var field = instrs[i + 4].Operand as FieldDef; if (field == null) continue; if (!new SigComparer().Equals(field.DeclaringType, decrypterType)) continue; fieldToDecryptedString.Add(field, decrypter.Decrypt(encryptedString)); } }
bool FindConstants(ISimpleDeobfuscator simpleDeobfuscator) { dynocode = new DynamicDynocodeIterator(); simpleDeobfuscator.Deobfuscate(stringMethod); stringMethodConsts = new EfConstantsReader(stringMethod); if (!FindResource(stringMethod)) { return(false); } checkMinus2 = isV32OrLater || DeobUtils.HasInteger(stringMethod, -2); usePublicKeyToken = CallsGetPublicKeyToken(stringMethod); var int64Method = FindInt64Method(stringMethod); if (int64Method != null) { decrypterType.Type = int64Method.DeclaringType; } if (!FindShorts()) { return(false); } if (!FindInt3()) { return(false); } if (!FindInt4()) { return(false); } if (checkMinus2 && !FindInt5()) { return(false); } // The method body of the data decrypter method has been moved into // the string decrypter helper method in 5.0 if (!isV50OrLater) { dataDecrypterType = FindDataDecrypterType(stringMethod); if (dataDecrypterType == null) { return(false); } } if (isV32OrLater) { bool initializedAll; int index = FindInitIntsIndex(stringMethod, out initializedAll); var cctor = stringType.FindStaticConstructor(); if (!initializedAll && cctor != null) { simpleDeobfuscator.Deobfuscate(cctor); if (!FindIntsCctor(cctor)) { return(false); } } if (decrypterType.Detected && !decrypterType.Initialize()) { return(false); } if (!FindInts(index)) { return(false); } } InitializeFlags(); Initialize(); return(true); }
bool InitializeInfos(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) { if (handlerMethod == null) return true; foreach (var method in resolverType.Methods) { if (!method.IsStatic || method.Body == null) continue; if (!DotNetUtils.IsMethod(method, "System.Void", "()")) continue; if (!DeobUtils.HasInteger(method, ':') || !DeobUtils.HasInteger(method, '|')) continue; simpleDeobfuscator.Deobfuscate(method); simpleDeobfuscator.DecryptStrings(method, deob); if (!InitializeInfos(method)) continue; return true; } return false; }
public void FindDelegateCreator(ISimpleDeobfuscator simpleDeobfuscator) { var type = DotNetUtils.GetModuleType(module); if (type == null) return; foreach (var method in type.Methods) { if (method.Body == null || !method.IsStatic || !method.IsAssembly) continue; ConfuserVersion theVersion = ConfuserVersion.Unknown; if (DotNetUtils.IsMethod(method, "System.Void", "(System.String,System.RuntimeFieldHandle)")) theVersion = ConfuserVersion.v10_r42915; else if (DotNetUtils.IsMethod(method, "System.Void", "(System.RuntimeFieldHandle)")) theVersion = ConfuserVersion.v10_r48717; else continue; int tmpVer; var proxyType = GetProxyCreatorType(method, simpleDeobfuscator, out tmpVer); if (proxyType == ProxyCreatorType.None) continue; if (proxyType == ProxyCreatorType.Newobj) foundNewobjProxy = true; simpleDeobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs); MethodDef nativeMethod = null; uint magic; if (FindMagic_v14_r58564(method, out magic)) { if (!DotNetUtils.CallsMethod(method, "System.Byte[] System.Convert::FromBase64String(System.String)")) { if (!IsMethodCreator_v14_r58802(method, proxyType)) theVersion = ConfuserVersion.v14_r58564; else theVersion = ConfuserVersion.v14_r58802; } else if (DotNetUtils.CallsMethod(method, "System.Reflection.Module System.Reflection.MemberInfo::get_Module()")) theVersion = ConfuserVersion.v17_r73479; else if (proxyType != ProxyCreatorType.CallOrCallvirt || !HasFieldReference(method, "System.Reflection.Emit.OpCode System.Reflection.Emit.OpCodes::Castclass")) theVersion = ConfuserVersion.v14_r58857; else if (proxyType == ProxyCreatorType.CallOrCallvirt && DotNetUtils.CallsMethod(method, "System.Void System.Reflection.Emit.DynamicMethod::.ctor(System.String,System.Type,System.Type[],System.Boolean)")) theVersion = ConfuserVersion.v16_r66631; else if (proxyType == ProxyCreatorType.CallOrCallvirt) theVersion = ConfuserVersion.v16_r70489; } else if (!DotNetUtils.CallsMethod(method, "System.Byte[] System.Convert::FromBase64String(System.String)") && DotNetUtils.CallsMethod(method, "System.Reflection.MethodBase System.Reflection.Module::ResolveMethod(System.Int32)")) { if (proxyType == ProxyCreatorType.CallOrCallvirt && !FindCallvirtChar(method, out callvirtChar)) continue; if ((nativeMethod = FindNativeMethod_v18_r75367(method)) != null) theVersion = proxyType != ProxyCreatorType.CallOrCallvirt || callvirtChar == 9 ? ConfuserVersion.v18_r75367_native : ConfuserVersion.v18_r75369_native; else if (FindMagic_v18_r75367(method, out magic)) theVersion = proxyType != ProxyCreatorType.CallOrCallvirt || callvirtChar == 9 ? ConfuserVersion.v18_r75367_normal : ConfuserVersion.v18_r75369_normal; else if (FindMagic_v19_r76101(method, out magic)) CommonCheckVersion19(method, true, tmpVer, ref theVersion); else if ((nativeMethod = FindNativeMethod_v19_r76101(method)) != null) CommonCheckVersion19(method, false, tmpVer, ref theVersion); else { if (proxyType == ProxyCreatorType.CallOrCallvirt && !DotNetUtils.CallsMethod(method, "System.Int32 System.String::get_Length()")) theVersion = ConfuserVersion.v11_r50378; int numCalls = ConfuserUtils.CountCalls(method, "System.Byte[] System.Text.Encoding::GetBytes(System.Char[],System.Int32,System.Int32)"); if (numCalls == 2) theVersion = ConfuserVersion.v12_r54564; if (!DotNetUtils.CallsMethod(method, "System.Reflection.Assembly System.Reflection.Assembly::Load(System.Reflection.AssemblyName)")) theVersion = ConfuserVersion.v13_r55346; if (DotNetUtils.CallsMethod(method, "System.Void System.Runtime.CompilerServices.RuntimeHelpers::RunClassConstructor(System.RuntimeTypeHandle)")) theVersion = ConfuserVersion.v13_r55604; } } else if (Is_v17_r73740(method)) { if (DotNetUtils.CallsMethod(method, "System.Boolean System.Type::get_IsArray()")) { if ((nativeMethod = FindNativeMethod_v17_r73740(method)) != null) theVersion = ConfuserVersion.v17_r74708_native; else if (FindMagic_v17_r73740(method, out magic)) theVersion = ConfuserVersion.v17_r74708_normal; else continue; } else { if ((nativeMethod = FindNativeMethod_v17_r73740(method)) != null) theVersion = ConfuserVersion.v17_r73740_native; else if (FindMagic_v17_r73740(method, out magic)) theVersion = ConfuserVersion.v17_r73740_normal; else continue; } } else if (theVersion == ConfuserVersion.v10_r42915) { if (DeobUtils.HasInteger(method, 0x06000000)) theVersion = ConfuserVersion.v10_r42919; } SetDelegateCreatorMethod(method); methodToInfo.Add(method, new ProxyCreatorInfo(method, proxyType, theVersion, magic, nativeMethod, callvirtChar)); version = (ConfuserVersion)Math.Max((int)version, (int)theVersion); } }
public static EmbeddedResource FindEmbeddedResource(ModuleDefMD module, TypeDef decrypterType, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) => FindEmbeddedResource(module, decrypterType, (method) => { simpleDeobfuscator.Deobfuscate(method); simpleDeobfuscator.DecryptStrings(method, deob); });
bool CheckMethod(ISimpleDeobfuscator simpleDeobfuscator, MethodDef methodToCheck) { if (methodToCheck == null) { return(false); } var resolverLocals = new string[] { "System.Byte[]", "System.Reflection.Assembly", "System.String", "System.IO.BinaryReader", "System.IO.Stream", }; simpleDeobfuscator.Deobfuscate(methodToCheck); foreach (var method in DotNetUtils.GetCalledMethods(module, methodToCheck)) { var type = method.DeclaringType; if (!DotNetUtils.IsMethod(method, "System.Void", "()")) { continue; } if (!method.IsStatic) { continue; } if (type.Fields.Count != 2) { continue; } if (type.HasNestedTypes) { continue; } if (type.HasEvents || type.HasProperties) { continue; } if (!CheckFields(type.Fields)) { continue; } var resolverMethod = FindAssemblyResolveMethod(type); if (resolverMethod == null) { continue; } var localTypes = new LocalTypes(resolverMethod); if (!localTypes.All(resolverLocals)) { continue; } assemblyResolverType = type; assemblyResolverMethod = resolverMethod; assemblyResolverInitMethod = method; return(true); } return(false); }
bool FindEntryPointToken(ISimpleDeobfuscator simpleDeobfuscator, MethodDef cctor, MethodDef entryPoint, out uint token) { token = 0; ulong @base; if (!FindBase(cctor, out @base)) return false; var modPowMethod = DotNetUtils.GetMethod(cctor.DeclaringType, "System.UInt64", "(System.UInt64,System.UInt64,System.UInt64)"); if (modPowMethod == null) throw new ApplicationException("Could not find modPow()"); simpleDeobfuscator.Deobfuscate(entryPoint); ulong mod; if (!FindMod(entryPoint, out mod)) throw new ApplicationException("Could not find modulus"); token = 0x06000000 | (uint)ModPow(@base, 0x47, mod); if (token >> 24 != 0x06) throw new ApplicationException("Illegal entry point token"); return true; }
public void Find(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) { var entryPoint = module.EntryPoint; if (entryPoint == null) return; if (!new LocalTypes(entryPoint).All(requiredEntryPointLocals)) return; var type = entryPoint.DeclaringType; if (!new FieldTypes(type).All(requiredFields)) return; bool use7zip = type.NestedTypes.Count == 6; MethodDef decyptMethod; if (use7zip) decyptMethod = FindDecryptMethod_7zip(type); else decyptMethod = FindDecryptMethod_inflate(type); if (decyptMethod == null) return; ConfuserVersion theVersion = ConfuserVersion.Unknown; var decryptLocals = new LocalTypes(decyptMethod); if (decryptLocals.Exists("System.IO.MemoryStream")) { if (DotNetUtils.CallsMethod(entryPoint, "System.Void", "(System.String,System.Byte[])")) theVersion = ConfuserVersion.v10_r42915; else if (DotNetUtils.CallsMethod(entryPoint, "System.Void", "(System.Security.Permissions.PermissionState)")) theVersion = ConfuserVersion.v10_r48717; else theVersion = ConfuserVersion.v14_r57778; } else theVersion = ConfuserVersion.v14_r58564; var cctor = type.FindStaticConstructor(); if (cctor == null) return; if ((asmResolverMethod = FindAssemblyResolverMethod(entryPoint.DeclaringType)) != null) { theVersion = ConfuserVersion.v14_r58802; simpleDeobfuscator.Deobfuscate(asmResolverMethod); if (!FindKey1(asmResolverMethod, out key1)) return; } switch (theVersion) { case ConfuserVersion.v10_r42915: case ConfuserVersion.v10_r48717: case ConfuserVersion.v14_r57778: break; case ConfuserVersion.v14_r58564: case ConfuserVersion.v14_r58802: simpleDeobfuscator.Deobfuscate(decyptMethod); if (FindKey0_v14_r58564(decyptMethod, out key0)) break; if (FindKey0_v14_r58852(decyptMethod, out key0)) { if (!decryptLocals.Exists("System.Security.Cryptography.RijndaelManaged")) { theVersion = ConfuserVersion.v14_r58852; break; } if (use7zip) { if (new LocalTypes(decyptMethod).Exists("System.IO.MemoryStream")) theVersion = ConfuserVersion.v17_r75076; else if (module.Name == "Stub.exe") theVersion = ConfuserVersion.v18_r75184; else if (!IsGetLenToPosStateMethodPrivate(type)) theVersion = ConfuserVersion.v18_r75367; else theVersion = ConfuserVersion.v19_r77172; } else if (IsDecryptMethod_v17_r73404(decyptMethod)) theVersion = ConfuserVersion.v17_r73404; else theVersion = ConfuserVersion.v15_r60785; break; } throw new ApplicationException("Could not find magic"); default: throw new ApplicationException("Invalid version"); } simpleDeobfuscator.Deobfuscate(cctor); simpleDeobfuscator.DecryptStrings(cctor, deob); if (FindEntryPointToken(simpleDeobfuscator, cctor, entryPoint, out entryPointToken) && !use7zip) { if (DotNetUtils.CallsMethod(asmResolverMethod, "System.Void", "(System.String)")) theVersion = ConfuserVersion.v17_r73477; else theVersion = ConfuserVersion.v17_r73566; } mainAsmResource = FindResource(cctor); if (mainAsmResource == null) throw new ApplicationException("Could not find main assembly resource"); version = theVersion; }
IDecrypterInfo CheckNested(TypeDef type, TypeDef nested) { if (nested.HasProperties || nested.HasEvents) { return(null); } if (nested.FindMethod(".ctor") == null) { return(null); } if (nested.Fields.Count == 1 || nested.Fields.Count == 3) { // 4.0+ if (!HasFieldType(nested.Fields, nested)) { return(null); } var decrypterBuilderMethod = DotNetUtils.GetMethod(nested, "System.Reflection.Emit.MethodBuilder", "(System.Reflection.Emit.TypeBuilder)"); if (decrypterBuilderMethod == null) { return(null); } resourceDecrypter.DecryptMethod = ResourceDecrypter.FindDecrypterMethod(nested.FindMethod(".ctor")); var nestedDecrypter = DotNetUtils.GetMethod(nested, "System.String", "(System.Int32)"); if (nestedDecrypter == null || nestedDecrypter.IsStatic) { return(null); } var decrypter = DotNetUtils.GetMethod(type, "System.String", "(System.Int32)"); if (decrypter == null || !decrypter.IsStatic) { return(null); } simpleDeobfuscator.Deobfuscate(decrypterBuilderMethod); return(new DecrypterInfoV3(resourceDecrypter) { Decrypter = decrypter, OffsetCalcInstructions = GetOffsetCalcInstructions(decrypterBuilderMethod), }); } else if (nested.Fields.Count == 2) { // 3.0 - 3.5 if (CheckFields(nested, "System.Collections.Hashtable", nested)) { // 3.0 - 3.5 var nestedDecrypter = DotNetUtils.GetMethod(nested, "System.String", "(System.Int32)"); if (nestedDecrypter == null || nestedDecrypter.IsStatic) { return(null); } var decrypter = DotNetUtils.GetMethod(type, "System.String", "(System.Int32)"); if (decrypter == null || !decrypter.IsStatic) { return(null); } resourceDecrypter.DecryptMethod = ResourceDecrypter.FindDecrypterMethod(nested.FindMethod(".ctor")); return(new DecrypterInfoV3(resourceDecrypter) { Decrypter = decrypter }); } else if (CheckFields(nested, "System.Byte[]", nested)) { // 3.0 var nestedDecrypter = DotNetUtils.GetMethod(nested, "System.String", "(System.String,System.Int32)"); if (nestedDecrypter == null || nestedDecrypter.IsStatic) { return(null); } var decrypter = DotNetUtils.GetMethod(type, "System.String", "(System.String,System.Int32)"); if (decrypter == null || !decrypter.IsStatic) { return(null); } return(new DecrypterInfoV2 { Decrypter = decrypter }); } else { return(null); } } return(null); }
bool InitializeArrays2(ISimpleDeobfuscator simpleDeobfuscator, MethodDef method) { bool foundField = false; simpleDeobfuscator.Deobfuscate(method, true); var instructions = method.Body.Instructions; for (int i = 0; i < instructions.Count; i++) { var ldci4 = instructions[i]; if (!ldci4.IsLdcI4()) continue; i++; var instrs = DotNetUtils.GetInstructions(instructions, i, OpCodes.Newarr, OpCodes.Dup, OpCodes.Ldtoken, OpCodes.Call, OpCodes.Stsfld); if (instrs == null) continue; var arrayInitField = instrs[2].Operand as FieldDef; if (arrayInitField == null || arrayInitField.InitialValue == null || arrayInitField.InitialValue.Length == 0) continue; var calledMethod = instrs[3].Operand as IMethod; if (calledMethod == null || calledMethod.FullName != "System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle)") continue; var targetField = instrs[4].Operand as FieldDef; if (targetField == null || targetField.FieldType.GetElementType() != ElementType.SZArray) continue; var etype = ((SZArraySig)targetField.FieldType).Next.GetElementType(); if (etype < ElementType.Boolean || etype > ElementType.U4) continue; if (fieldToInfo.Find(targetField) == null) { fieldToInfo.Add(targetField, new FieldInfo(targetField, arrayInitField)); foundField = true; } } return foundField; }
bool UpdateFlags(MethodDef method, ISimpleDeobfuscator simpleDeobfuscator) { if (method == null || method.Body == null || method.Body.Variables.Count < 3) { return(false); } var constants = new List <int>(); simpleDeobfuscator.Deobfuscate(method); var instructions = method.Body.Instructions; for (int i = 2; i < instructions.Count; i++) { var and = instructions[i]; if (and.OpCode.Code != Code.And) { continue; } var ldci4 = instructions[i - 1]; if (!ldci4.IsLdcI4()) { continue; } int flagValue = ldci4.GetLdcI4Value(); if (!IsFlag(flagValue)) { continue; } var ldloc = instructions[i - 2]; if (!ldloc.IsLdloc()) { continue; } var local = ldloc.GetLocal(method.Body.Variables); if (local.Type.GetElementType().GetPrimitiveSize() < 0) { continue; } constants.Add(flagValue); } flipFlagsBits = CheckFlipBits(method); skipBytes = GetHeaderSkipBytes(method); switch (frameworkType) { case FrameworkType.Desktop: if (!module.IsClr1x) { if (constants.Count == 2) { desEncryptedFlag = (byte)constants[0]; deflatedFlag = (byte)constants[1]; return(true); } } if (constants.Count == 1) { desEncryptedFlag = (byte)constants[0]; return(true); } break; case FrameworkType.Silverlight: if (constants.Count == 1) { bitwiseNotEncryptedFlag = (byte)constants[0]; return(true); } break; case FrameworkType.CompactFramework: if (constants.Count == 1) { desEncryptedFlag = (byte)constants[0]; return(true); } break; } return(false); }
bool CheckMethod(MethodDef method) { if (method == null || method.Body == null) { return(false); } if (!DotNetUtils.CallsMethod(method, "System.Void System.AppDomain::add_ResourceResolve(System.ResolveEventHandler)")) { return(false); } simpleDeobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.Force | SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs); fields.Clear(); var tmpHandler = GetHandler(method); if (tmpHandler == null || tmpHandler.DeclaringType != method.DeclaringType) { return(false); } var tmpResource = FindResource(tmpHandler); if (tmpResource == null) { return(false); } simpleDeobfuscator.Deobfuscate(tmpHandler, SimpleDeobfuscatorFlags.Force | SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs); var tmpVersion = ConfuserVersion.Unknown; if (DotNetUtils.CallsMethod(tmpHandler, "System.Object System.AppDomain::GetData(System.String)")) { if (!DotNetUtils.CallsMethod(tmpHandler, "System.Void System.Buffer::BlockCopy(System.Array,System.Int32,System.Array,System.Int32,System.Int32)")) { if (!FindKey0Key1_v14_r55802(tmpHandler, out key0, out key1)) { return(false); } tmpVersion = ConfuserVersion.v14_r55802; } else if (FindKey0_v17_r73404(tmpHandler, out key0) && FindKey1_v17_r73404(tmpHandler, out key1)) { tmpVersion = ConfuserVersion.v17_r73404; } else { return(false); } } else { if (AddFields(FindFields(tmpHandler, method.DeclaringType)) != 1) { return(false); } if (FindKey0_v17_r73404(tmpHandler, out key0) && FindKey1_v17_r73404(tmpHandler, out key1)) { tmpVersion = ConfuserVersion.v17_r73822; } else if (FindKey0_v18_r75367(tmpHandler, out key0) && FindKey1_v17_r73404(tmpHandler, out key1)) { tmpVersion = ConfuserVersion.v18_r75367; } else if (FindKey0_v18_r75369(tmpHandler, out key0) && FindKey1_v18_r75369(tmpHandler, out key1)) { lzmaType = ConfuserUtils.FindLzmaType(tmpHandler); if (lzmaType == null) { tmpVersion = ConfuserVersion.v18_r75369; } else { tmpVersion = ConfuserVersion.v19_r77172; } } else { return(false); } } handler = tmpHandler; resource = tmpResource; installMethod = method; version = tmpVersion; return(true); }
public static EmbeddedResource FindEmbeddedResource(ModuleDefMD module, TypeDef decrypterType, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) { return FindEmbeddedResource(module, decrypterType, (method) => { simpleDeobfuscator.Deobfuscate(method); simpleDeobfuscator.DecryptStrings(method, deob); }); }
public void Find(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) { var entryPoint = module.EntryPoint; if (entryPoint == null) { return; } if (!new LocalTypes(entryPoint).All(requiredEntryPointLocals)) { return; } var type = entryPoint.DeclaringType; if (!new FieldTypes(type).All(requiredFields)) { return; } bool use7zip = type.NestedTypes.Count == 6; MethodDef decyptMethod; if (use7zip) { decyptMethod = FindDecryptMethod_7zip(type); } else { decyptMethod = FindDecryptMethod_inflate(type); } if (decyptMethod == null) { return; } var theVersion = ConfuserVersion.Unknown; var decryptLocals = new LocalTypes(decyptMethod); if (decryptLocals.Exists("System.IO.MemoryStream")) { if (DotNetUtils.CallsMethod(entryPoint, "System.Void", "(System.String,System.Byte[])")) { theVersion = ConfuserVersion.v10_r42915; } else if (DotNetUtils.CallsMethod(entryPoint, "System.Void", "(System.Security.Permissions.PermissionState)")) { theVersion = ConfuserVersion.v10_r48717; } else { theVersion = ConfuserVersion.v14_r57778; } } else { theVersion = ConfuserVersion.v14_r58564; } var cctor = type.FindStaticConstructor(); if (cctor == null) { return; } if ((asmResolverMethod = FindAssemblyResolverMethod(entryPoint.DeclaringType)) != null) { theVersion = ConfuserVersion.v14_r58802; simpleDeobfuscator.Deobfuscate(asmResolverMethod); if (!FindKey1(asmResolverMethod, out uint key1)) { return; } } switch (theVersion) { case ConfuserVersion.v10_r42915: case ConfuserVersion.v10_r48717: case ConfuserVersion.v14_r57778: break; case ConfuserVersion.v14_r58564: case ConfuserVersion.v14_r58802: simpleDeobfuscator.Deobfuscate(decyptMethod); if (FindKey0_v14_r58564(decyptMethod, out key0)) { break; } if (FindKey0_v14_r58852(decyptMethod, out key0)) { if (!decryptLocals.Exists("System.Security.Cryptography.RijndaelManaged")) { theVersion = ConfuserVersion.v14_r58852; break; } if (use7zip) { if (new LocalTypes(decyptMethod).Exists("System.IO.MemoryStream")) { theVersion = ConfuserVersion.v17_r75076; } else if (module.Name == "Stub.exe") { theVersion = ConfuserVersion.v18_r75184; } else if (!IsGetLenToPosStateMethodPrivate(type)) { theVersion = ConfuserVersion.v18_r75367; } else { theVersion = ConfuserVersion.v19_r77172; } } else if (IsDecryptMethod_v17_r73404(decyptMethod)) { theVersion = ConfuserVersion.v17_r73404; } else { theVersion = ConfuserVersion.v15_r60785; } break; } throw new ApplicationException("Could not find magic"); default: throw new ApplicationException("Invalid version"); } simpleDeobfuscator.Deobfuscate(cctor); simpleDeobfuscator.DecryptStrings(cctor, deob); if (FindEntryPointToken(simpleDeobfuscator, cctor, entryPoint, out entryPointToken) && !use7zip) { if (DotNetUtils.CallsMethod(asmResolverMethod, "System.Void", "(System.String)")) { theVersion = ConfuserVersion.v17_r73477; } else { theVersion = ConfuserVersion.v17_r73566; } } mainAsmResource = FindResource(cctor); if (mainAsmResource == null) { throw new ApplicationException("Could not find main assembly resource"); } version = theVersion; }
public void Find(ISimpleDeobfuscator simpleDeobfuscator) { var type = DotNetUtils.GetModuleType(module); if (type == null) return; foreach (var method in type.Methods) { if (!method.IsStatic || method.Body == null) continue; if (!DotNetUtils.IsMethod(method, "System.String", "(System.Int32)")) continue; var localTypes = new LocalTypes(method); if (!localTypes.All(requiredLocals)) continue; simpleDeobfuscator.Deobfuscate(method); bool foundOldMagic1; if (FindMagic1(method, out magic1)) foundOldMagic1 = true; else if (FindNewMagic1(method, out magic1)) foundOldMagic1 = false; else continue; if (!FindMagic2(method, out magic2)) continue; version = ConfuserVersion.Unknown; if (DotNetUtils.CallsMethod(method, "System.Text.Encoding System.Text.Encoding::get_UTF8()")) { if (foundOldMagic1) { if (DotNetUtils.CallsMethod(method, "System.Object System.AppDomain::GetData(System.String)")) version = ConfuserVersion.v13_r55604_safe; else version = ConfuserVersion.v10_r42915; } else { if (!FindSafeKey1(method, out key1)) continue; version = ConfuserVersion.v14_r58802_safe; } } else if (!localTypes.Exists("System.Random")) { if (foundOldMagic1) version = ConfuserVersion.v11_r49299; else version = ConfuserVersion.v14_r58802_dynamic; } else if (localTypes.Exists("System.Collections.Generic.Dictionary`2<System.Int32,System.String>")) version = ConfuserVersion.v10_r48832; if (version == ConfuserVersion.Unknown) continue; decryptMethod = method; break; } }
MethodDef FindInitMethod(ISimpleDeobfuscator simpleDeobfuscator) { var ctor = Type.FindMethod(".ctor"); foreach (var method in Type.Methods) { if (!method.IsStatic || method.Body == null) { continue; } if (!DotNetUtils.IsMethod(method, "System.Void", "()")) { continue; } if (method.Body.Variables.Count > 1) { continue; } simpleDeobfuscator.Deobfuscate(method); bool stsfldUsed = false, newobjUsed = false; foreach (var instr in method.Body.Instructions) { if (instr.OpCode.Code == Code.Stsfld) { var field = instr.Operand as IField; if (field == null || field.FieldSig.GetFieldType().GetElementType() != ElementType.Boolean) { continue; } if (!new SigComparer().Equals(Type, field.DeclaringType)) { continue; } stsfldUsed = true; } else if (instr.OpCode.Code == Code.Newobj) { var calledCtor = instr.Operand as IMethod; if (calledCtor == null) { continue; } if (!MethodEqualityComparer.CompareDeclaringTypes.Equals(calledCtor, ctor)) { if (calledCtor.DeclaringType.FullName != "System.ResolveEventHandler") { continue; } } newobjUsed = true; } } if (!stsfldUsed || !newobjUsed) { continue; } return(method); } return(null); }
bool FindConstants(ISimpleDeobfuscator simpleDeobfuscator) { dynocode = new DynamicDynocodeIterator(); simpleDeobfuscator.Deobfuscate(stringMethod); stringMethodConsts = new EfConstantsReader(stringMethod); if (!FindResource(stringMethod)) return false; checkMinus2 = isV32OrLater || DeobUtils.HasInteger(stringMethod, -2); usePublicKeyToken = CallsGetPublicKeyToken(stringMethod); var int64Method = FindInt64Method(stringMethod); if (int64Method != null) decrypterType.Type = int64Method.DeclaringType; if (!FindShorts()) return false; if (!FindInt3()) return false; if (!FindInt4()) return false; if (checkMinus2 && !FindInt5()) return false; dataDecrypterType = FindDataDecrypterType(stringMethod); if (dataDecrypterType == null) return false; if (isV32OrLater) { bool initializedAll; int index = FindInitIntsIndex(stringMethod, out initializedAll); var cctor = stringType.FindStaticConstructor(); if (!initializedAll && cctor != null) { simpleDeobfuscator.Deobfuscate(cctor); if (!FindIntsCctor(cctor)) return false; } if (decrypterType.Detected && !decrypterType.Initialize()) return false; if (!FindInts(index)) return false; } InitializeFlags(); Initialize(); return true; }
void DeobfuscateAll(MethodDef method) { simpleDeobfuscator.Deobfuscate(method); simpleDeobfuscator.DecryptStrings(method, deob); }
static void DeobfuscateCctor(ISimpleDeobfuscator simpleDeobfuscator, MethodDef cctor, ref bool deobfuscatedCctor, bool hasPublicKeyToken) { if (deobfuscatedCctor || hasPublicKeyToken) return; simpleDeobfuscator.Deobfuscate(cctor); deobfuscatedCctor = true; }
public List<AssemblyInfo> GetAssemblyInfos(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) { var infos = new List<AssemblyInfo>(); if (embedResolverMethod != null) { simpleDeobfuscator.Deobfuscate(embedResolverMethod); simpleDeobfuscator.DecryptStrings(embedResolverMethod, deob); embedPassword = GetEmbedPassword(embedResolverMethod); } if (embedPassword == null) return infos; foreach (var rsrc in module.Resources) { var resource = rsrc as EmbeddedResource; if (resource == null) continue; if (!Regex.IsMatch(resource.Name.String, "^cfd_([0-9a-f]{2})+_$")) continue; var asmData = Decrypt(embedPassword, Gunzip(resource.Data.ReadAllBytes())); var mod = ModuleDefMD.Load(asmData); infos.Add(new AssemblyInfo(asmData, resource, mod.Assembly.FullName, mod.Assembly.Name.String, DeobUtils.GetExtension(mod.Kind))); } return infos; }
public void Initialize(ISimpleDeobfuscator simpleDeobfuscator) { foreach (var info in stringEncrypterInfos.GetValues()) { simpleDeobfuscator.Deobfuscate(info.Method); info.Resource = FindResource(info.Method); if (info.Resource == null) { Logger.w("Could not find encrypted strings resource (Method {0:X8})", info.Method.MDToken.ToInt32()); continue; } info.Magic1 = FindMagic1(info.Method); info.Magic2 = FindMagic2(info.Method); info.Magic3 = FindMagic3(info.Method); info.Reader = info.Resource.Data; info.Reader.Position = 0; } }
void Find() { foreach (var type in module.GetTypes()) { if (type.IsSealed && type.HasFields) { if (type.Fields.Count < 100) { continue; } foreach (var method in type.Methods) { if (!method.IsStatic) { continue; } if (!method.IsAssembly) { continue; } simpleDeobfuscator.Deobfuscate(method); var instrs = method.Body.Instructions; for (var i = 0; i < instrs.Count; i++) { var ldcI4 = instrs[i]; if (!ldcI4.IsLdcI4()) { continue; } if (i + 1 >= instrs.Count) { continue; } var stsfld = instrs[i + 1]; if (stsfld.OpCode.Code != Code.Stsfld) { continue; } var key = stsfld.Operand as FieldDef; if (key == null) { continue; } var value = ldcI4.GetLdcI4Value(); if (!dictionary.ContainsKey(key)) { dictionary.Add(key, value); } else { dictionary[key] = value; } } if (dictionary.Count < 100) { dictionary.Clear(); continue; } Type = type; return; } } } }
public void Initialize(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) { if (encryptedResource.Method == null) return; initMethod = FindInitMethod(simpleDeobfuscator); if (initMethod == null) throw new ApplicationException("Could not find resource resolver init method"); simpleDeobfuscator.Deobfuscate(encryptedResource.Method); simpleDeobfuscator.DecryptStrings(encryptedResource.Method, deob); encryptedResource.Initialize(simpleDeobfuscator); }
public void Initialize(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) { if (handlerMethod == null) return; FindOtherType(); simpleDeobfuscator.Deobfuscate(handlerMethod); simpleDeobfuscator.DecryptStrings(handlerMethod, deob); if (!CreateAssemblyInfos()) throw new ApplicationException("Could not initialize assembly infos"); if (decryptMethod != null) { simpleDeobfuscator.Deobfuscate(decryptMethod); simpleDeobfuscator.DecryptStrings(decryptMethod, deob); if (!CreateDecryptKey()) throw new ApplicationException("Could not initialize decryption key"); } }
public bool Initialize(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator) { var cctor = stringsEncodingClass.FindStaticConstructor(); if (cctor != null) simpleDeobfuscator.Deobfuscate(cctor); decrypterVersion = GuessVersion(cctor); if (!FindDecrypterMethod()) throw new ApplicationException("Could not find string decrypter method"); if (!FindStringsResource(deob, simpleDeobfuscator, cctor)) return false; if (decrypterVersion <= StringDecrypterVersion.V3) { MethodDef initMethod; if (decrypterVersion == StringDecrypterVersion.V3) initMethod = cctor; else if (decrypterVersion == StringDecrypterVersion.V2) initMethod = stringDecrypterMethod; else initMethod = stringDecrypterMethod; stringOffset = 0; if (decrypterVersion != StringDecrypterVersion.V1) { if (CallsGetPublicKeyToken(initMethod)) { var pkt = PublicKeyBase.ToPublicKeyToken(module.Assembly.PublicKeyToken); if (!PublicKeyBase.IsNullOrEmpty2(pkt)) { for (int i = 0; i < pkt.Data.Length - 1; i += 2) stringOffset ^= ((int)pkt.Data[i] << 8) + pkt.Data[i + 1]; } } if (DeobUtils.HasInteger(initMethod, 0xFFFFFF) && DeobUtils.HasInteger(initMethod, 0xFFFF)) { stringOffset ^= ((stringDecrypterMethod.MDToken.ToInt32() & 0xFFFFFF) - 1) % 0xFFFF; } } } else { var offsetVal = FindOffsetValue(cctor); if (offsetVal == null) throw new ApplicationException("Could not find string offset"); stringOffset = offsetVal.Value; decrypterVersion = StringDecrypterVersion.V4; } simpleZipTypeMethod = FindSimpleZipTypeMethod(cctor) ?? FindSimpleZipTypeMethod(stringDecrypterMethod); if (simpleZipTypeMethod != null) resourceDecrypter = new ResourceDecrypter(new ResourceDecrypterInfo(module, simpleZipTypeMethod, simpleDeobfuscator)); return true; }
public bool Initialize(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator) { var cctor = stringsEncodingClass.FindStaticConstructor(); if (cctor != null) { simpleDeobfuscator.Deobfuscate(cctor); } decrypterVersion = GuessVersion(cctor); if (!FindDecrypterMethod()) { throw new ApplicationException("Could not find string decrypter method"); } if (!FindStringsResource(deob, simpleDeobfuscator, cctor)) { return(false); } if (decrypterVersion <= StringDecrypterVersion.V3) { MethodDef initMethod; if (decrypterVersion == StringDecrypterVersion.V3) { initMethod = cctor; } else if (decrypterVersion == StringDecrypterVersion.V2) { initMethod = stringDecrypterMethod; } else { initMethod = stringDecrypterMethod; } stringOffset = 0; if (decrypterVersion != StringDecrypterVersion.V1) { if (CallsGetPublicKeyToken(initMethod)) { var pkt = PublicKeyBase.ToPublicKeyToken(module.Assembly.PublicKeyToken); if (!PublicKeyBase.IsNullOrEmpty2(pkt)) { for (int i = 0; i < pkt.Data.Length - 1; i += 2) { stringOffset ^= ((int)pkt.Data[i] << 8) + pkt.Data[i + 1]; } } } if (DeobUtils.HasInteger(initMethod, 0xFFFFFF) && DeobUtils.HasInteger(initMethod, 0xFFFF)) { stringOffset ^= ((stringDecrypterMethod.MDToken.ToInt32() & 0xFFFFFF) - 1) % 0xFFFF; } } } else { var offsetVal = FindOffsetValue(cctor); if (offsetVal == null) { throw new ApplicationException("Could not find string offset"); } stringOffset = offsetVal.Value; var xorVal = FindXorValue(stringDecrypterMethod, stringsEncodingClass.HasNestedTypes, simpleDeobfuscator); if (xorVal != null) { decrypterVersion = StringDecrypterVersion.V5; xorValue = (int)xorVal; } else { decrypterVersion = StringDecrypterVersion.V4; } } simpleZipTypeMethod = FindSimpleZipTypeMethod(cctor) ?? FindSimpleZipTypeMethod(stringDecrypterMethod); if (simpleZipTypeMethod != null) { resourceDecrypter = new ResourceDecrypter(new ResourceDecrypterInfo(module, simpleZipTypeMethod, simpleDeobfuscator)); } return(true); }
bool UpdateFlags(MethodDef method, ISimpleDeobfuscator simpleDeobfuscator) { if (method == null || method.Body == null || method.Body.Variables.Count < 3) return false; var constants = new List<int>(); simpleDeobfuscator.Deobfuscate(method); var instructions = method.Body.Instructions; for (int i = 2; i < instructions.Count; i++) { var and = instructions[i]; if (and.OpCode.Code != Code.And) continue; var ldci4 = instructions[i - 1]; if (!ldci4.IsLdcI4()) continue; int flagValue = ldci4.GetLdcI4Value(); if (!IsFlag(flagValue)) continue; var ldloc = instructions[i - 2]; if (!ldloc.IsLdloc()) continue; var local = ldloc.GetLocal(method.Body.Variables); if (local.Type.GetElementType().GetPrimitiveSize() < 0) continue; constants.Add(flagValue); } int notIndex, skipIndex; flipFlagsBits = CheckFlipBits(method, out notIndex); skipBytes = GetHeaderSkipBytes(method, out skipIndex); skipBeforeFlag = skipIndex < notIndex; switch (frameworkType) { case FrameworkType.Desktop: if (!module.IsClr1x) { if (constants.Count == 2) { desEncryptedFlag = (byte)constants[0]; deflatedFlag = (byte)constants[1]; return true; } } if (constants.Count == 1) { desEncryptedFlag = (byte)constants[0]; return true; } break; case FrameworkType.Silverlight: if (constants.Count == 1) { bitwiseNotEncryptedFlag = (byte)constants[0]; return true; } break; case FrameworkType.CompactFramework: if (constants.Count == 1) { desEncryptedFlag = (byte)constants[0]; return true; } break; } return false; }
public void Find() { var cctor = DotNetUtils.GetModuleTypeCctor(module); if (cctor == null) { return; } simpleDeobfuscator.Deobfuscate(cctor, SimpleDeobfuscatorFlags.Force | SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs); if ((dictField = ConstantsDecrypterUtils.FindDictField(cctor, cctor.DeclaringType)) == null) { return; } if ((dataField = ConstantsDecrypterUtils.FindDataField_v18_r75367(cctor, cctor.DeclaringType)) == null && (dataField = ConstantsDecrypterUtils.FindDataField_v19_r77172(cctor, cctor.DeclaringType)) == null) { return; } nativeMethod = FindNativeMethod(cctor, cctor.DeclaringType); var method = GetDecryptMethod(); if (method == null) { return; } simpleDeobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs); var info = new DecrypterInfo(this, method, ConfuserVersion.Unknown); if (FindKeys_v18_r75367(info)) { InitVersion(cctor, ConfuserVersion.v18_r75367_normal, ConfuserVersion.v18_r75367_dynamic, ConfuserVersion.v18_r75367_native); } else if (FindKeys_v18_r75369(info)) { lzmaType = ConfuserUtils.FindLzmaType(cctor); if (lzmaType == null) { InitVersion(cctor, ConfuserVersion.v18_r75369_normal, ConfuserVersion.v18_r75369_dynamic, ConfuserVersion.v18_r75369_native); } else if (!DotNetUtils.CallsMethod(method, "System.Void System.Threading.Monitor::Exit(System.Object)")) { InitVersion(cctor, ConfuserVersion.v19_r77172_normal, ConfuserVersion.v19_r77172_dynamic, ConfuserVersion.v19_r77172_native); } else if (DotNetUtils.CallsMethod(method, "System.Void System.Diagnostics.StackFrame::.ctor(System.Int32)")) { InitVersion(cctor, ConfuserVersion.v19_r78363_normal, ConfuserVersion.v19_r78363_dynamic, ConfuserVersion.v19_r78363_native); } else { int index1 = ConfuserUtils.FindCallMethod(cctor.Body.Instructions, 0, Code.Callvirt, "System.Reflection.Module System.Reflection.MemberInfo::get_Module()"); int index2 = ConfuserUtils.FindCallMethod(cctor.Body.Instructions, 0, Code.Callvirt, "System.Int32 System.Reflection.MemberInfo::get_MetadataToken()"); if (index1 < 0 || index2 < 0) { } if (index2 - index1 == 3) { InitVersion(cctor, ConfuserVersion.v19_r78056_normal, ConfuserVersion.v19_r78056_dynamic, ConfuserVersion.v19_r78056_native); } else if (index2 - index1 == -4) { InitVersion(cctor, ConfuserVersion.v19_r79630_normal, ConfuserVersion.v19_r79630_dynamic, ConfuserVersion.v19_r79630_native); } } } else { return; } installMethod = cctor; }