void DecryptResources(ResourceDecrypter resourceDecrypter) { var rsrc = resourceDecrypter.MergeResources(); if (rsrc == null) return; AddResourceToBeRemoved(rsrc, "Encrypted resources"); AddTypeToBeRemoved(resourceDecrypter.Type, "Resource decrypter type"); }
protected override void scanForObfuscator() { findCliSecureAttribute(); cliSecureRtType = new CliSecureRtType(module); cliSecureRtType.find(ModuleBytes); stringDecrypter = new StringDecrypter(module, cliSecureRtType.StringDecrypterMethod); stringDecrypter.find(); resourceDecrypter = new ResourceDecrypter(module); resourceDecrypter.find(); proxyCallFixer = new ProxyCallFixer(module); proxyCallFixer.findDelegateCreator(); csvm = new vm.Csvm(DeobfuscatedFile.DeobfuscatorContext, module); csvm.find(); }
protected override void ScanForObfuscator() { FindCliSecureAttribute(); cliSecureRtType = new CliSecureRtType(module); cliSecureRtType.Find(ModuleBytes); stringDecrypter = new StringDecrypter(module, cliSecureRtType.StringDecrypterInfos); stringDecrypter.Find(); resourceDecrypter = new ResourceDecrypter(module); resourceDecrypter.Find(); proxyCallFixer = new ProxyCallFixer(module); proxyCallFixer.FindDelegateCreator(); csvmV1 = new vm.v1.Csvm(DeobfuscatedFile.DeobfuscatorContext, module); csvmV1.Find(); csvmV2 = new vm.v2.Csvm(DeobfuscatedFile.DeobfuscatorContext, module); csvmV2.Find(); }
static void Main(string[] args) { Console.Title = "DeConfuser - The De-Obfuscator for confuser v1.6"; Console.WriteLine("Copyright © DragonHunter - 2012"); Console.WriteLine("This deobfuscator might not work at every confused assembly, still BETA"); Console.WriteLine("Checkout this project at http://deconfuser.codeplex.com"); Console.WriteLine("Thanks also to Mono.Cecil there was no DeConfuser without Mono.Cecil"); Console.WriteLine("This version of Mono.Cecil is modded by DragonHunter to do some evil shit"); //hardcoded path atm... string inputPath = @"H:\DeConfuser\ConfuseMe\bin\Debug\confused\ConfuseMe.exe"; string outputPath = @"H:\DeConfuser\ConfuseMe\bin\Debug\confused\ConfuseMe_cleaned.exe"; //load assembly AssemblyDefinition asm = AssemblyFactory.GetAssembly(inputPath); #region Anti-Debug remover AntiDebug debug = new AntiDebug(); TypeDefinition AntiType = null; MethodDefinition AntiMethod = null; Console.WriteLine("-------------------------------------------------------"); if (debug.FindAntiDebug(asm, ref AntiType, ref AntiMethod)) { Console.WriteLine("[Anti-Debugger] Anti-Debugger detected, removing..."); debug.RemoveAntiDebug(asm, AntiType, AntiMethod); Console.WriteLine("[Anti-Debugger] Removed anti-debugger"); } else { Console.WriteLine("This assembly is not protected with anti-debugging"); } Console.WriteLine("-------------------------------------------------------"); #endregion #region String Decryptor StringDecrypter decrypter = new StringDecrypter(); TypeDefinition DecryptType = null; MethodDefinition DecryptMethod = null; if (decrypter.FindMethod(asm, ref DecryptType, ref DecryptMethod)) { Console.WriteLine("[String Decryptor] Found string decryptor, decrypting strings..."); byte[] StringData = decrypter.GetStringResource(asm, inputPath, DecryptMethod); decrypter.DecryptAllStrings(asm, DecryptMethod, StringData); decrypter.RemoveDecryptMethod(asm, DecryptType, DecryptMethod); Console.WriteLine("[String Decryptor] Removed the decrypt method"); } else { Console.WriteLine("This assembly is not protected with encrypted strings"); } Console.WriteLine("-------------------------------------------------------"); #endregion #region Anti-Dump remover AntiDump dump = new AntiDump(); TypeDefinition AntiDumpType = null; MethodDefinition AntiDumpMethod = null; if (dump.FindAntiDump(asm, ref AntiDumpType, ref AntiDumpMethod)) { Console.WriteLine("[Anti-Dump] Anti-Dump detected, removing..."); dump.RemoveAntiDump(asm, AntiDumpType, AntiDumpMethod); Console.WriteLine("[Anti-Dump] Removed anti-dump"); } else { Console.WriteLine("This assembly is not protected with anti-dump"); } Console.WriteLine("-------------------------------------------------------"); #endregion #region Resource Decryptor ResourceDecrypter resourceDecrypter = new ResourceDecrypter(); TypeDefinition ResourceType = null; MethodDefinition ResourceMethod = null; if (resourceDecrypter.FindMethod(asm, ref ResourceType, ref ResourceMethod)) { Console.WriteLine("[Resource-Decrypter] Resource-Decrypter, decrypting"); resourceDecrypter.DecryptAllResources(asm, inputPath, ResourceType, ResourceMethod); } else { Console.WriteLine("This assembly is not protected with encrypted resources"); } Console.WriteLine("-------------------------------------------------------"); #endregion AssemblyFactory.SaveAssembly(asm, outputPath); Console.WriteLine("File dumped to \"" + outputPath + "\""); Console.WriteLine("Thanks for using DeConfuser :)"); Process.GetCurrentProcess().WaitForExit(); }