static MethodDef FindDecryptMethod(TypeDef type)
{
foreach (var method in type.Methods)
{
var decryptMethod = ResourceDecrypter.FindDecrypterMethod(method);
if (decryptMethod != null)
{
return(decryptMethod);
}
}
return(null);
}
public void Find()
{
var requiredTypes = new string[] {
"System.Reflection.Assembly",
"System.Object",
"System.Int32",
"System.String[]",
};
foreach (var type in module.Types)
{
if (type.HasEvents)
{
continue;
}
if (!new FieldTypes(type).All(requiredTypes))
{
continue;
}
MethodDef regMethod, handler;
if (!BabelUtils.FindRegisterMethod(type, out regMethod, out handler))
{
continue;
}
var resource = BabelUtils.FindEmbeddedResource(module, type);
if (resource == null)
{
continue;
}
var decryptMethod = FindDecryptMethod(type);
if (decryptMethod == null)
{
throw new ApplicationException("Couldn't find resource type decrypt method");
}
resourceDecrypter.DecryptMethod = ResourceDecrypter.FindDecrypterMethod(decryptMethod);
InitXorKeys(decryptMethod);
resolverType = type;
registerMethod = regMethod;
encryptedResource = resource;
return;
}
}
bool IsConstantDecrypter(TypeDef type)
{
if (type.HasEvents)
{
return(false);
}
if (type.NestedTypes.Count != 1)
{
return(false);
}
var nested = type.NestedTypes[0];
if (!CheckNestedFields(nested))
{
return(false);
}
resourceDecrypter.DecryptMethod = ResourceDecrypter.FindDecrypterMethod(nested.FindMethod(".ctor"));
if (DotNetUtils.GetMethod(type, "System.Int32", "(System.Int32)") == null)
{
return(false);
}
if (DotNetUtils.GetMethod(type, "System.Int64", "(System.Int32)") == null)
{
return(false);
}
if (DotNetUtils.GetMethod(type, "System.Single", "(System.Int32)") == null)
{
return(false);
}
if (DotNetUtils.GetMethod(type, "System.Double", "(System.Int32)") == null)
{
return(false);
}
if (DotNetUtils.GetMethod(type, "System.Array", "(System.Byte[])") == null)
{
return(false);
}
return(true);
}
public void Find()
{
var requiredTypes = new string[] {
"System.Object",
"System.Int32",
"System.Collections.Hashtable",
};
foreach (var type in module.Types)
{
if (type.HasEvents)
{
continue;
}
if (!new FieldTypes(type).Exactly(requiredTypes))
{
continue;
}
MethodDef regMethod, handler;
if (!BabelUtils.FindRegisterMethod(type, out regMethod, out handler))
{
continue;
}
var decryptMethod = FindDecryptMethod(type);
if (decryptMethod == null)
{
throw new ApplicationException("Couldn't find resource type decrypt method");
}
resourceDecrypter.DecryptMethod = ResourceDecrypter.FindDecrypterMethod(decryptMethod);
resolverType = type;
registerMethod = regMethod;
return;
}
}
IDecrypterInfo CheckNested(TypeDef type, TypeDef nested)
{
if (nested.HasProperties || nested.HasEvents)
{
return(null);
}
if (nested.FindMethod(".ctor") == null)
{
return(null);
}
if (nested.Fields.Count == 1 || nested.Fields.Count == 3)
{
// 4.0+
if (!HasFieldType(nested.Fields, nested))
{
return(null);
}
var decrypterBuilderMethod = DotNetUtils.GetMethod(nested, "System.Reflection.Emit.MethodBuilder", "(System.Reflection.Emit.TypeBuilder)");
if (decrypterBuilderMethod == null)
{
return(null);
}
resourceDecrypter.DecryptMethod = ResourceDecrypter.FindDecrypterMethod(nested.FindMethod(".ctor"));
var nestedDecrypter = DotNetUtils.GetMethod(nested, "System.String", "(System.Int32)");
if (nestedDecrypter == null || nestedDecrypter.IsStatic)
{
return(null);
}
var decrypter = DotNetUtils.GetMethod(type, "System.String", "(System.Int32)");
if (decrypter == null || !decrypter.IsStatic)
{
return(null);
}
simpleDeobfuscator.Deobfuscate(decrypterBuilderMethod);
return(new DecrypterInfoV3(resourceDecrypter)
{
Decrypter = decrypter,
OffsetCalcInstructions = GetOffsetCalcInstructions(decrypterBuilderMethod),
});
}
else if (nested.Fields.Count == 2)
{
// 3.0 - 3.5
if (CheckFields(nested, "System.Collections.Hashtable", nested))
{
// 3.0 - 3.5
var nestedDecrypter = DotNetUtils.GetMethod(nested, "System.String", "(System.Int32)");
if (nestedDecrypter == null || nestedDecrypter.IsStatic)
{
return(null);
}
var decrypter = DotNetUtils.GetMethod(type, "System.String", "(System.Int32)");
if (decrypter == null || !decrypter.IsStatic)
{
return(null);
}
resourceDecrypter.DecryptMethod = ResourceDecrypter.FindDecrypterMethod(nested.FindMethod(".ctor"));
return(new DecrypterInfoV3(resourceDecrypter)
{
Decrypter = decrypter
});
}
else if (CheckFields(nested, "System.Byte[]", nested))
{
// 3.0
var nestedDecrypter = DotNetUtils.GetMethod(nested, "System.String", "(System.String,System.Int32)");
if (nestedDecrypter == null || nestedDecrypter.IsStatic)
{
return(null);
}
var decrypter = DotNetUtils.GetMethod(type, "System.String", "(System.String,System.Int32)");
if (decrypter == null || !decrypter.IsStatic)
{
return(null);
}
return(new DecrypterInfoV2 {
Decrypter = decrypter
});
}
else
{
return(null);
}
}
return(null);
}