示例#1
0
 protected override void scanForObfuscator()
 {
     findCliSecureAttribute();
     cliSecureRtType = new CliSecureRtType(module);
     cliSecureRtType.find(ModuleBytes);
     stringDecrypter = new StringDecrypter(module, cliSecureRtType.StringDecrypterMethod);
     stringDecrypter.find();
     resourceDecrypter = new ResourceDecrypter(module);
     resourceDecrypter.find();
     proxyCallFixer = new ProxyCallFixer(module);
     proxyCallFixer.findDelegateCreator();
     csvm = new vm.Csvm(DeobfuscatedFile.DeobfuscatorContext, module);
     csvm.find();
 }
示例#2
0
        static byte[] getModuleCctorBytes(CliSecureRtType csRtType)
        {
            var initMethod = csRtType.InitializeMethod;

            if (initMethod == null)
            {
                return(null);
            }
            uint initToken        = initMethod.MetadataToken.ToUInt32();
            var  moduleCctorBytes = new byte[6];

            moduleCctorBytes[0] = 0x28;                 // call
            moduleCctorBytes[1] = (byte)initToken;
            moduleCctorBytes[2] = (byte)(initToken >> 8);
            moduleCctorBytes[3] = (byte)(initToken >> 16);
            moduleCctorBytes[4] = (byte)(initToken >> 24);
            moduleCctorBytes[5] = 0x2A;                 // ret
            return(moduleCctorBytes);
        }
示例#3
0
        public bool decrypt(PeImage peImage, Mono.Cecil.ModuleDefinition module, CliSecureRtType csRtType, ref DumpedMethods dumpedMethods)
        {
            this.peImage  = peImage;
            this.csRtType = csRtType;
            this.module   = module;

            switch (decrypt2(ref dumpedMethods))
            {
            case DecryptResult.Decrypted: return(true);

            case DecryptResult.NotEncrypted: return(false);

            case DecryptResult.Error:
                Log.w("Using dynamic method decryption");
                byte[] moduleCctorBytes = getModuleCctorBytes(csRtType);
                dumpedMethods = de4dot.code.deobfuscators.MethodsDecrypter.decrypt(module.FullyQualifiedName, moduleCctorBytes);
                return(true);

            default:
                throw new ApplicationException("Invalid DecryptResult");
            }
        }