void deobfuscateMethods()
{
if (savedMethodBodies != null)
{
savedMethodBodies.restoreAll();
savedMethodBodies = null;
}
deob.DeobfuscatedFile = null;
if (!options.ControlFlowDeobfuscation)
{
// If it's the unknown type, we don't remove any types that could cause Mono.Cecil
// to throw an exception.
if (deob.Type == "un" || options.KeepObfuscatorTypes)
{
return;
}
}
Log.v("Deobfuscating methods");
var methodPrinter = new MethodPrinter();
var cflowDeobfuscator = new BlocksCflowDeobfuscator(deob.BlocksDeobfuscators);
foreach (var method in getAllMethods())
{
Log.v("Deobfuscating {0} ({1:X8})", Utils.removeNewlines(method), method.MetadataToken.ToUInt32());
Log.indent();
int oldIndentLevel = Log.indentLevel;
try {
deobfuscate(method, cflowDeobfuscator, methodPrinter);
}
catch (ApplicationException) {
throw;
}
catch (Exception ex) {
if (!canLoadMethodBody(method))
{
Log.v("Invalid method body. {0:X8}", method.MetadataToken.ToInt32());
method.Body = new MethodBody(method);
}
else
{
Log.w("Could not deobfuscate method {0:X8}. Hello, E.T.: {1}", // E.T. = exception type
method.MetadataToken.ToInt32(),
ex.GetType());
}
}
finally {
Log.indentLevel = oldIndentLevel;
}
removeNoInliningAttribute(method);
Log.deIndent();
}
}
void detectObfuscator(IEnumerable <IDeobfuscator> deobfuscators)
{
// The deobfuscators may call methods to deobfuscate control flow and decrypt
// strings (statically) in order to detect the obfuscator.
if (!options.ControlFlowDeobfuscation || options.StringDecrypterType == DecrypterType.None)
{
savedMethodBodies = new SavedMethodBodies();
}
// It's not null if it unpacked a native file
if (this.deob != null)
{
deob.init(module);
deob.DeobfuscatedFile = this;
deob.earlyDetect();
deob.detect();
return;
}
foreach (var deob in deobfuscators)
{
deob.init(module);
deob.DeobfuscatedFile = this;
}
if (options.ForcedObfuscatorType != null)
{
foreach (var deob in deobfuscators)
{
if (string.Equals(options.ForcedObfuscatorType, deob.Type, StringComparison.OrdinalIgnoreCase))
{
deob.earlyDetect();
this.deob = deob;
deob.detect();
return;
}
}
}
else
{
this.deob = earlyDetectObfuscator(deobfuscators);
if (this.deob == null)
{
this.deob = detectObfuscator2(deobfuscators);
}
else
{
this.deob.detect();
}
}
}
void detectObfuscator(IEnumerable<IDeobfuscator> deobfuscators)
{
// The deobfuscators may call methods to deobfuscate control flow and decrypt
// strings (statically) in order to detect the obfuscator.
if (!options.ControlFlowDeobfuscation || options.StringDecrypterType == DecrypterType.None)
savedMethodBodies = new SavedMethodBodies();
// It's not null if it unpacked a native file
if (this.deob != null) {
deob.init(module);
deob.DeobfuscatedFile = this;
deob.earlyDetect();
deob.detect();
return;
}
foreach (var deob in deobfuscators) {
deob.init(module);
deob.DeobfuscatedFile = this;
}
if (options.ForcedObfuscatorType != null) {
foreach (var deob in deobfuscators) {
if (string.Equals(options.ForcedObfuscatorType, deob.Type, StringComparison.OrdinalIgnoreCase)) {
deob.earlyDetect();
this.deob = deob;
deob.detect();
return;
}
}
}
else {
this.deob = earlyDetectObfuscator(deobfuscators);
if (this.deob == null)
this.deob = detectObfuscator2(deobfuscators);
else
this.deob.detect();
}
}
void deobfuscateMethods()
{
if (savedMethodBodies != null) {
savedMethodBodies.restoreAll();
savedMethodBodies = null;
}
deob.DeobfuscatedFile = null;
if (!options.ControlFlowDeobfuscation) {
// If it's the unknown type, we don't remove any types that could cause Mono.Cecil
// to throw an exception.
if (deob.Type == "un" || options.KeepObfuscatorTypes)
return;
}
Log.v("Deobfuscating methods");
var methodPrinter = new MethodPrinter();
var cflowDeobfuscator = new BlocksCflowDeobfuscator(deob.BlocksDeobfuscators);
foreach (var method in allMethods) {
Log.v("Deobfuscating {0} ({1:X8})", Utils.removeNewlines(method), method.MetadataToken.ToUInt32());
Log.indent();
int oldIndentLevel = Log.indentLevel;
try {
deobfuscate(method, cflowDeobfuscator, methodPrinter);
}
catch (ApplicationException) {
throw;
}
catch (Exception ex) {
if (!canLoadMethodBody(method)) {
Log.v("Invalid method body. {0:X8}", method.MetadataToken.ToInt32());
method.Body = new MethodBody(method);
}
else {
Log.w("Could not deobfuscate method {0:X8}. Hello, E.T.: {1}", // E.T. = exception type
method.MetadataToken.ToInt32(),
ex.GetType());
}
}
finally {
Log.indentLevel = oldIndentLevel;
}
removeNoInliningAttribute(method);
Log.deIndent();
}
}
void DeobfuscateMethods() {
if (savedMethodBodies != null) {
savedMethodBodies.RestoreAll();
savedMethodBodies = null;
}
deob.DeobfuscatedFile = null;
if (!options.ControlFlowDeobfuscation) {
if (options.KeepObfuscatorTypes || deob.Type == "un")
return;
}
bool isVerbose = !Logger.Instance.IgnoresEvent(LoggerEvent.Verbose);
bool isVV = !Logger.Instance.IgnoresEvent(LoggerEvent.VeryVerbose);
if (isVerbose)
Logger.v("Deobfuscating methods");
var methodPrinter = new MethodPrinter();
var cflowDeobfuscator = new BlocksCflowDeobfuscator(deob.BlocksDeobfuscators);
foreach (var method in GetAllMethods()) {
if (isVerbose) {
Logger.v("Deobfuscating {0} ({1:X8})", Utils.RemoveNewlines(method), method.MDToken.ToUInt32());
Logger.Instance.Indent();
}
int oldIndentLevel = Logger.Instance.IndentLevel;
try {
Deobfuscate(method, cflowDeobfuscator, methodPrinter, isVerbose, isVV);
}
catch (Exception ex) {
if (!CanLoadMethodBody(method)) {
if (isVerbose)
Logger.v("Invalid method body. {0:X8}", method.MDToken.ToInt32());
method.Body = new CilBody();
}
else {
Logger.w("Could not deobfuscate method {0:X8}. Hello, E.T.: {1}", // E.T. = exception type
method.MDToken.ToInt32(),
ex.GetType());
}
}
finally {
Logger.Instance.IndentLevel = oldIndentLevel;
}
RemoveNoInliningAttribute(method);
if (isVerbose)
Logger.Instance.DeIndent();
}
}
void DeobfuscateMethods()
{
if (savedMethodBodies != null)
{
savedMethodBodies.RestoreAll();
savedMethodBodies = null;
}
deob.DeobfuscatedFile = null;
if (!options.ControlFlowDeobfuscation)
{
if (options.KeepObfuscatorTypes || deob.Type == "un")
{
return;
}
}
bool isVerbose = !Logger.Instance.IgnoresEvent(LoggerEvent.Verbose);
bool isVV = !Logger.Instance.IgnoresEvent(LoggerEvent.VeryVerbose);
if (isVerbose)
{
Logger.v("Deobfuscating methods");
}
var methodPrinter = new MethodPrinter();
var cflowDeobfuscator = new BlocksCflowDeobfuscator(deob.BlocksDeobfuscators);
foreach (var method in GetAllMethods())
{
if (isVerbose)
{
Logger.v("Deobfuscating {0} ({1:X8})", Utils.RemoveNewlines(method), method.MDToken.ToUInt32());
Logger.Instance.Indent();
}
int oldIndentLevel = Logger.Instance.IndentLevel;
try {
Deobfuscate(method, cflowDeobfuscator, methodPrinter, isVerbose, isVV);
}
catch (Exception ex) {
if (!CanLoadMethodBody(method))
{
if (isVerbose)
{
Logger.v("Invalid method body. {0:X8}", method.MDToken.ToInt32());
}
method.Body = new CilBody();
}
else
{
Logger.w("Could not deobfuscate method {0:X8}. Hello, E.T.: {1}", // E.T. = exception type
method.MDToken.ToInt32(),
ex.GetType());
}
}
finally {
Logger.Instance.IndentLevel = oldIndentLevel;
}
RemoveNoInliningAttribute(method);
if (isVerbose)
{
Logger.Instance.DeIndent();
}
}
}
void deobfuscateMethods()
{
if (savedMethodBodies != null) {
savedMethodBodies.restoreAll();
savedMethodBodies = null;
}
deob.DeobfuscatedFile = null;
Log.v("Deobfuscating methods");
foreach (var method in allMethods) {
Log.v("Deobfuscating {0} ({1:X8})", method, method.MetadataToken.ToUInt32());
Log.indent();
if (hasNonEmptyBody(method)) {
var blocks = new Blocks(method);
deob.deobfuscateMethodBegin(blocks);
if (options.ControlFlowDeobfuscation) {
int numDeadBlocks = blocks.deobfuscate();
if (numDeadBlocks > 0)
Log.v("Removed {0} dead block(s)", numDeadBlocks);
}
deobfuscateStrings(blocks);
deob.deobfuscateMethodEnd(blocks);
if (options.ControlFlowDeobfuscation)
blocks.deobfuscateLeaveObfuscation();
IList<Instruction> allInstructions;
IList<ExceptionHandler> allExceptionHandlers;
blocks.getCode(out allInstructions, out allExceptionHandlers);
DotNetUtils.restoreBody(method, allInstructions, allExceptionHandlers);
}
removeNoInliningAttribute(method);
Log.deIndent();
}
}
void deobfuscateMethods()
{
if (savedMethodBodies != null) {
savedMethodBodies.restoreAll();
savedMethodBodies = null;
}
deob.DeobfuscatedFile = null;
Log.v("Deobfuscating methods");
var methodPrinter = new MethodPrinter();
var cflowDeobfuscator = new BlocksCflowDeobfuscator { InlineMethods = deob.CanInlineMethods };
foreach (var method in allMethods) {
Log.v("Deobfuscating {0} ({1:X8})", method, method.MetadataToken.ToUInt32());
Log.indent();
if (hasNonEmptyBody(method)) {
var blocks = new Blocks(method);
int numRemovedLocals = 0;
int oldNumInstructions = method.Body.Instructions.Count;
deob.deobfuscateMethodBegin(blocks);
if (options.ControlFlowDeobfuscation) {
cflowDeobfuscator.init(blocks);
cflowDeobfuscator.deobfuscate();
}
if (deob.deobfuscateOther(blocks) && options.ControlFlowDeobfuscation)
cflowDeobfuscator.deobfuscate();
if (options.ControlFlowDeobfuscation) {
numRemovedLocals = blocks.optimizeLocals();
blocks.repartitionBlocks();
}
deobfuscateStrings(blocks);
deob.deobfuscateMethodEnd(blocks);
IList<Instruction> allInstructions;
IList<ExceptionHandler> allExceptionHandlers;
blocks.getCode(out allInstructions, out allExceptionHandlers);
DotNetUtils.restoreBody(method, allInstructions, allExceptionHandlers);
if (numRemovedLocals > 0)
Log.v("Removed {0} unused local(s)", numRemovedLocals);
int numRemovedInstructions = oldNumInstructions - method.Body.Instructions.Count;
if (numRemovedInstructions > 0)
Log.v("Removed {0} dead instruction(s)", numRemovedInstructions);
const Log.LogLevel dumpLogLevel = Log.LogLevel.veryverbose;
if (Log.isAtLeast(dumpLogLevel)) {
Log.log(dumpLogLevel, "Deobfuscated code:");
Log.indent();
methodPrinter.print(dumpLogLevel, method, allInstructions, allExceptionHandlers);
Log.deIndent();
}
}
removeNoInliningAttribute(method);
Log.deIndent();
}
}
