static List <int> GetConstants(MethodDef method)
{
var list = new List <int>();
if (method == null)
{
return(list);
}
int index = 0;
var instrs = method.Body.Instructions;
var constantsReader = new EfConstantsReader(method);
while (true)
{
int val;
if (!constantsReader.GetNextInt32(ref index, out val))
{
break;
}
if (index < instrs.Count && instrs[index].OpCode.Code != Code.Ret)
{
list.Add(val);
}
}
return(list);
}
bool FindIntsCctor(MethodDef cctor)
{
int index = 0;
if (!FindCallGetFrame(cctor, ref index))
{
return(FindIntsCctor2(cctor));
}
int tmp1, tmp2, tmp3 = 0;
var constantsReader = new EfConstantsReader(cctor);
if (!constantsReader.GetNextInt32(ref index, out tmp1))
{
return(false);
}
if (tmp1 == 0 && !constantsReader.GetNextInt32(ref index, out tmp1))
{
return(false);
}
if (!constantsReader.GetNextInt32(ref index, out tmp2))
{
return(false);
}
if (tmp2 == 0 && !constantsReader.GetNextInt32(ref index, out tmp2))
{
return(false);
}
index = 0;
var instrs = cctor.Body.Instructions;
while (index < instrs.Count)
{
int tmp4;
if (!constantsReader.GetNextInt32(ref index, out tmp4))
{
break;
}
if (index < instrs.Count && instrs[index].IsLdloc())
{
tmp3 = tmp4;
}
}
i1 = tmp1 ^ tmp2 ^ tmp3;
return(true);
}
// Compact Framework doesn't have StackFrame
bool FindIntsCctor2(MethodDef cctor)
{
int index = 0;
var instrs = cctor.Body.Instructions;
var constantsReader = new EfConstantsReader(cctor);
while (index >= 0)
{
int val;
if (!constantsReader.GetNextInt32(ref index, out val))
{
break;
}
if (index < instrs.Count && instrs[index].OpCode.Code == Code.Add)
{
i1 = val;
return(true);
}
}
return(false);
}
bool FindConstants(ISimpleDeobfuscator simpleDeobfuscator)
{
dynocode = new DynamicDynocodeIterator();
simpleDeobfuscator.Deobfuscate(stringMethod);
stringMethodConsts = new EfConstantsReader(stringMethod);
if (!FindResource(stringMethod))
{
return(false);
}
checkMinus2 = isV32OrLater || DeobUtils.HasInteger(stringMethod, -2);
usePublicKeyToken = CallsGetPublicKeyToken(stringMethod);
var int64Method = FindInt64Method(stringMethod);
if (int64Method != null)
{
decrypterType.Type = int64Method.DeclaringType;
}
if (!FindShorts())
{
return(false);
}
if (!FindInt3())
{
return(false);
}
if (!FindInt4())
{
return(false);
}
if (checkMinus2 && !FindInt5())
{
return(false);
}
dataDecrypterType = FindDataDecrypterType(stringMethod);
if (dataDecrypterType == null)
{
return(false);
}
if (isV32OrLater)
{
bool initializedAll;
int index = FindInitIntsIndex(stringMethod, out initializedAll);
var cctor = stringType.FindStaticConstructor();
if (!initializedAll && cctor != null)
{
simpleDeobfuscator.Deobfuscate(cctor);
if (!FindIntsCctor(cctor))
{
return(false);
}
}
if (decrypterType.Detected && !decrypterType.Initialize())
{
return(false);
}
if (!FindInts(index))
{
return(false);
}
}
InitializeFlags();
Initialize();
return(true);
}
bool FindShiftInts(MethodDef method, out List<int> bytes) {
var instrs = method.Body.Instructions;
var constantsReader = new EfConstantsReader(method);
bytes = new List<int>(8);
for (int i = 0; i < instrs.Count - 4; i++) {
if (bytes.Count >= 8)
return true;
var ldloc1 = instrs[i];
if (ldloc1.OpCode.Code != Code.Ldloc_1)
continue;
var ldlocs = instrs[i + 1];
if (ldlocs.OpCode.Code != Code.Ldloc_S)
continue;
var maybe = instrs[i + 2];
if (maybe.OpCode.Code == Code.Conv_U1) {
var callvirt = instrs[i + 3];
if (callvirt.OpCode.Code != Code.Callvirt)
return false;
bytes.Add(0);
continue;
}
var shr = instrs[i + 3];
if (shr.OpCode.Code != Code.Shr)
return false;
var convu1 = instrs[i + 4];
if (convu1.OpCode.Code != Code.Conv_U1)
return false;
int constant;
int index = i + 2;
if (!constantsReader.GetInt32(ref index, out constant))
return false;
bytes.Add(constant);
}
return false;
}
bool FindConstants(ISimpleDeobfuscator simpleDeobfuscator) {
dynocode = new DynamicDynocodeIterator();
simpleDeobfuscator.Deobfuscate(stringMethod);
stringMethodConsts = new EfConstantsReader(stringMethod);
if (!FindResource(stringMethod))
return false;
checkMinus2 = isV32OrLater || DeobUtils.HasInteger(stringMethod, -2);
usePublicKeyToken = CallsGetPublicKeyToken(stringMethod);
var int64Method = FindInt64Method(stringMethod);
if (int64Method != null)
decrypterType.Type = int64Method.DeclaringType;
if (!FindShorts())
return false;
if (!FindInt3())
return false;
if (!FindInt4())
return false;
if (checkMinus2 && !FindInt5())
return false;
// The method body of the data decrypter method has been moved into
// the string decrypter helper method in 5.0
if (!isV50OrLater) {
dataDecrypterType = FindDataDecrypterType(stringMethod);
if (dataDecrypterType == null)
return false;
}
if (isV32OrLater) {
bool initializedAll;
int index = FindInitIntsIndex(stringMethod, out initializedAll);
var cctor = stringType.FindStaticConstructor();
if (!initializedAll && cctor != null) {
simpleDeobfuscator.Deobfuscate(cctor);
if (!FindIntsCctor(cctor))
return false;
}
if (decrypterType.Detected && !decrypterType.Initialize())
return false;
if (!isV50OrLater) {
decrypterType.ShiftConsts = new List<int> { 24, 16, 8, 0, 16, 8, 0, 24 };
}
else {
List<int> shiftConsts;
if (!FindShiftInts(decrypterType.Int64Method, out shiftConsts))
return false;
decrypterType.ShiftConsts = shiftConsts;
}
if (!FindInts(index))
return false;
}
InitializeFlags();
Initialize();
return true;
}
// Compact Framework doesn't have StackFrame
bool FindIntsCctor2(MethodDef cctor) {
int index = 0;
var instrs = cctor.Body.Instructions;
var constantsReader = new EfConstantsReader(cctor);
while (index >= 0) {
int val;
if (!constantsReader.GetNextInt32(ref index, out val))
break;
if (index < instrs.Count && instrs[index].OpCode.Code == Code.Add) {
i1 = val;
return true;
}
}
return false;
}
bool FindIntsCctor(MethodDef cctor) {
int index = 0;
if (!FindCallGetFrame(cctor, ref index))
return FindIntsCctor2(cctor);
int tmp1, tmp2, tmp3 = 0;
var constantsReader = new EfConstantsReader(cctor);
if (!constantsReader.GetNextInt32(ref index, out tmp1))
return false;
if (tmp1 == 0 && !constantsReader.GetNextInt32(ref index, out tmp1))
return false;
if (!constantsReader.GetNextInt32(ref index, out tmp2))
return false;
if (tmp2 == 0 && !constantsReader.GetNextInt32(ref index, out tmp2))
return false;
index = 0;
var instrs = cctor.Body.Instructions;
while (index < instrs.Count) {
int tmp4;
if (!constantsReader.GetNextInt32(ref index, out tmp4))
break;
if (index < instrs.Count && instrs[index].IsLdloc())
tmp3 = tmp4;
}
i1 = tmp1 ^ tmp2 ^ tmp3;
return true;
}
bool FindConstants(ISimpleDeobfuscator simpleDeobfuscator) {
dynocode = new DynamicDynocodeIterator();
simpleDeobfuscator.Deobfuscate(stringMethod);
stringMethodConsts = new EfConstantsReader(stringMethod);
if (!FindResource(stringMethod))
return false;
checkMinus2 = isV32OrLater || DeobUtils.HasInteger(stringMethod, -2);
usePublicKeyToken = CallsGetPublicKeyToken(stringMethod);
var int64Method = FindInt64Method(stringMethod);
if (int64Method != null)
decrypterType.Type = int64Method.DeclaringType;
if (!FindShorts())
return false;
if (!FindInt3())
return false;
if (!FindInt4())
return false;
if (checkMinus2 && !FindInt5())
return false;
dataDecrypterType = FindDataDecrypterType(stringMethod);
if (dataDecrypterType == null)
return false;
if (isV32OrLater) {
bool initializedAll;
int index = FindInitIntsIndex(stringMethod, out initializedAll);
var cctor = stringType.FindStaticConstructor();
if (!initializedAll && cctor != null) {
simpleDeobfuscator.Deobfuscate(cctor);
if (!FindIntsCctor(cctor))
return false;
}
if (decrypterType.Detected && !decrypterType.Initialize())
return false;
if (!FindInts(index))
return false;
}
InitializeFlags();
Initialize();
return true;
}
bool findConstants(ISimpleDeobfuscator simpleDeobfuscator)
{
simpleDeobfuscator.deobfuscate(stringMethod);
stringMethodConsts = new EfConstantsReader(stringMethod);
if (!findResource(stringMethod))
{
return(false);
}
checkMinus2 = isV32OrLater || DeobUtils.hasInteger(stringMethod, -2);
usePublicKeyToken = callsGetPublicKeyToken(stringMethod);
var int64Method = findInt64Method(stringMethod);
if (int64Method != null)
{
decrypterType.Type = int64Method.DeclaringType;
}
if (!findShorts())
{
return(false);
}
if (!findInt3())
{
return(false);
}
if (!findInt4())
{
return(false);
}
if (checkMinus2 && !findInt5())
{
return(false);
}
dataDecrypterType = findDataDecrypterType(stringMethod);
if (dataDecrypterType == null)
{
return(false);
}
if (isV32OrLater)
{
bool initializedAll;
if (!findInts(out initializedAll))
{
return(false);
}
var cctor = DotNetUtils.getMethod(stringType, ".cctor");
if (!initializedAll && cctor != null)
{
simpleDeobfuscator.deobfuscate(cctor);
if (!findIntsCctor(cctor))
{
return(false);
}
}
if (decrypterType.Detected && !decrypterType.initialize())
{
return(false);
}
}
initializeFlags();
initialize();
return(true);
}
static List<int> GetConstants(MethodDef method) {
var list = new List<int>();
if (method == null)
return list;
int index = 0;
var instrs = method.Body.Instructions;
var constantsReader = new EfConstantsReader(method);
while (true) {
int val;
if (!constantsReader.GetNextInt32(ref index, out val))
break;
if (index < instrs.Count && instrs[index].OpCode.Code != Code.Ret)
list.Add(val);
}
return list;
}
bool findConstants(ISimpleDeobfuscator simpleDeobfuscator)
{
simpleDeobfuscator.deobfuscate(stringMethod);
stringMethodConsts = new EfConstantsReader(stringMethod);
if (!findResource(stringMethod))
return false;
checkMinus2 = isV32OrLater || DeobUtils.hasInteger(stringMethod, -2);
usePublicKeyToken = callsGetPublicKeyToken(stringMethod);
var int64Method = findInt64Method(stringMethod);
if (int64Method != null)
decrypterType.Type = int64Method.DeclaringType;
if (!findShorts())
return false;
if (!findInt3())
return false;
if (!findInt4())
return false;
if (checkMinus2 && !findInt5())
return false;
dataDecrypterType = findDataDecrypterType(stringMethod);
if (dataDecrypterType == null)
return false;
if (isV32OrLater) {
bool initializedAll;
if (!findInts(out initializedAll))
return false;
var cctor = DotNetUtils.getMethod(stringType, ".cctor");
if (!initializedAll && cctor != null) {
simpleDeobfuscator.deobfuscate(cctor);
if (!findIntsCctor(cctor))
return false;
}
if (decrypterType.Detected && !decrypterType.initialize())
return false;
}
initializeFlags();
initialize();
return true;
}
