/// <summary>
/// First deobfuscation pass: runs a control-flow cleaner over every method
/// returned by <c>AsmDef.FindMethods</c> (the predicate accepts all of them)
/// and reports how many were processed through the logger.
/// </summary>
/// <returns>Always <c>true</c>; this pass has no failure path of its own.</returns>
public static bool Phase1()
{
    var cleaner = new CflowDeobfuscator();
    var cleanedCount = 0;

    foreach (var method in AsmDef.FindMethods(_ => true))
    {
        cleaner.deobfuscate(method);
        cleanedCount++;
        Logger.VLog("Cleaned method: " + method.Name);
    }

    // Summary line goes through VSLog (not VLog), matching the per-method detail above.
    Logger.VSLog(cleanedCount + " methods cleaned...");
    return true;
}
/// <summary>
/// Scans <c>module.Types</c> for the type that hosts both the assembly
/// resolver and the memory patcher. Only types carrying a
/// <c>kernel32!CloseHandle</c> P/Invoke are probed; the first type for which
/// both <c>AssemblyResolver</c> and <c>MemoryPatcher</c> report
/// <c>Detected</c> is stored in <c>assemblyResolver</c> / <c>memoryPatcher</c>.
/// When no type qualifies, both fields are left as they were.
/// </summary>
void Find()
{
    var cleaner = new CflowDeobfuscator(new MethodCallInliner(true));

    foreach (var candidate in module.Types)
    {
        // P/Invoke check first, so the detectors are only built for plausible types.
        if (DotNetUtils.GetPInvokeMethod(candidate, "kernel32", "CloseHandle") != null)
        {
            // The resolver is probed first; the patcher is built only when the resolver matched.
            var resolver = new AssemblyResolver(candidate, cleaner);
            if (resolver.Detected)
            {
                var patcher = new MemoryPatcher(candidate, cleaner);
                if (patcher.Detected)
                {
                    assemblyResolver = resolver;
                    memoryPatcher = patcher;
                    return;
                }
            }
        }
    }
}
/// <summary>
/// Locates the type whose static constructor registers the VM handlers.
/// A candidate must have a <c>.cctor</c> and its field types must satisfy
/// <c>FieldTypes.exactly</c> for the signature (own type,
/// <c>Dictionary&lt;ushort, Type&gt;</c>, <c>ushort</c>). The <c>.cctor</c> is
/// control-flow-deobfuscated without method inlining and handed to the
/// <c>findVmHandlerTypes(cctor)</c> overload; the result is accepted only when
/// it holds exactly 31 entries.
/// </summary>
/// <returns>The handler types, or <c>null</c> when no type matches.</returns>
List<TypeDefinition> findVmHandlerTypes()
{
    const int expectedHandlerCount = 31;
    var cleaner = new CflowDeobfuscator(new NoMethodInliner());

    foreach (var candidate in module.Types)
    {
        var cctor = DotNetUtils.getMethod(candidate, ".cctor");
        if (cctor == null)
            continue;

        // The first entry is the candidate's own full name, so the signature is rebuilt per type.
        var expectedFieldTypes = new string[] {
            candidate.FullName,
            "System.Collections.Generic.Dictionary`2<System.UInt16,System.Type>",
            "System.UInt16",
        };
        if (!new FieldTypes(candidate).exactly(expectedFieldTypes))
            continue;

        cleaner.deobfuscate(cctor);
        // NOTE(review): assumes the overload never returns null — confirm before relying on .Count.
        var handlers = findVmHandlerTypes(cctor);
        if (handlers.Count == expectedHandlerCount)
            return handlers;
    }

    return null;
}
/// <summary>
/// Locates the type whose static constructor registers the VM handlers.
/// A candidate must have a static constructor and its field types must
/// satisfy <c>FieldTypes.All</c> for the signature (own type,
/// <c>Dictionary&lt;ushort, Type&gt;</c>, <c>ushort</c>). The constructor is
/// control-flow-deobfuscated and handed to the <c>FindVmHandlerTypes(cctor)</c>
/// overload; the result is accepted only when it holds at least
/// <c>NUM_HANDLERS</c> entries.
/// </summary>
/// <returns>The handler types, or <c>null</c> when no type matches.</returns>
List<TypeDef> FindVmHandlerTypes()
{
    var cleaner = new CflowDeobfuscator();

    foreach (var candidate in module.Types)
    {
        var cctor = candidate.FindStaticConstructor();
        if (cctor == null)
            continue;

        // The first entry is the candidate's own full name, so the signature is rebuilt per type.
        var expectedFieldTypes = new string[] {
            candidate.FullName,
            "System.Collections.Generic.Dictionary`2<System.UInt16,System.Type>",
            "System.UInt16",
        };
        if (!new FieldTypes(candidate).All(expectedFieldTypes))
            continue;

        cleaner.Deobfuscate(cctor);
        // NOTE(review): assumes the overload never returns null — confirm before relying on .Count.
        var handlers = FindVmHandlerTypes(cctor);
        if (handlers.Count >= NUM_HANDLERS)
            return handlers;
    }

    return null;
}