static List <int> GetConstants(MethodDef method) { var list = new List <int>(); if (method == null) { return(list); } int index = 0; var instrs = method.Body.Instructions; var constantsReader = new EfConstantsReader(method); while (true) { int val; if (!constantsReader.GetNextInt32(ref index, out val)) { break; } if (index < instrs.Count && instrs[index].OpCode.Code != Code.Ret) { list.Add(val); } } return(list); }
bool FindIntsCctor(MethodDef cctor) { int index = 0; if (!FindCallGetFrame(cctor, ref index)) { return(FindIntsCctor2(cctor)); } int tmp1, tmp2, tmp3 = 0; var constantsReader = new EfConstantsReader(cctor); if (!constantsReader.GetNextInt32(ref index, out tmp1)) { return(false); } if (tmp1 == 0 && !constantsReader.GetNextInt32(ref index, out tmp1)) { return(false); } if (!constantsReader.GetNextInt32(ref index, out tmp2)) { return(false); } if (tmp2 == 0 && !constantsReader.GetNextInt32(ref index, out tmp2)) { return(false); } index = 0; var instrs = cctor.Body.Instructions; while (index < instrs.Count) { int tmp4; if (!constantsReader.GetNextInt32(ref index, out tmp4)) { break; } if (index < instrs.Count && instrs[index].IsLdloc()) { tmp3 = tmp4; } } i1 = tmp1 ^ tmp2 ^ tmp3; return(true); }
// Compact Framework doesn't have StackFrame bool FindIntsCctor2(MethodDef cctor) { int index = 0; var instrs = cctor.Body.Instructions; var constantsReader = new EfConstantsReader(cctor); while (index >= 0) { int val; if (!constantsReader.GetNextInt32(ref index, out val)) { break; } if (index < instrs.Count && instrs[index].OpCode.Code == Code.Add) { i1 = val; return(true); } } return(false); }
bool FindConstants(ISimpleDeobfuscator simpleDeobfuscator) { dynocode = new DynamicDynocodeIterator(); simpleDeobfuscator.Deobfuscate(stringMethod); stringMethodConsts = new EfConstantsReader(stringMethod); if (!FindResource(stringMethod)) { return(false); } checkMinus2 = isV32OrLater || DeobUtils.HasInteger(stringMethod, -2); usePublicKeyToken = CallsGetPublicKeyToken(stringMethod); var int64Method = FindInt64Method(stringMethod); if (int64Method != null) { decrypterType.Type = int64Method.DeclaringType; } if (!FindShorts()) { return(false); } if (!FindInt3()) { return(false); } if (!FindInt4()) { return(false); } if (checkMinus2 && !FindInt5()) { return(false); } dataDecrypterType = FindDataDecrypterType(stringMethod); if (dataDecrypterType == null) { return(false); } if (isV32OrLater) { bool initializedAll; int index = FindInitIntsIndex(stringMethod, out initializedAll); var cctor = stringType.FindStaticConstructor(); if (!initializedAll && cctor != null) { simpleDeobfuscator.Deobfuscate(cctor); if (!FindIntsCctor(cctor)) { return(false); } } if (decrypterType.Detected && !decrypterType.Initialize()) { return(false); } if (!FindInts(index)) { return(false); } } InitializeFlags(); Initialize(); return(true); }
bool FindShiftInts(MethodDef method, out List<int> bytes) { var instrs = method.Body.Instructions; var constantsReader = new EfConstantsReader(method); bytes = new List<int>(8); for (int i = 0; i < instrs.Count - 4; i++) { if (bytes.Count >= 8) return true; var ldloc1 = instrs[i]; if (ldloc1.OpCode.Code != Code.Ldloc_1) continue; var ldlocs = instrs[i + 1]; if (ldlocs.OpCode.Code != Code.Ldloc_S) continue; var maybe = instrs[i + 2]; if (maybe.OpCode.Code == Code.Conv_U1) { var callvirt = instrs[i + 3]; if (callvirt.OpCode.Code != Code.Callvirt) return false; bytes.Add(0); continue; } var shr = instrs[i + 3]; if (shr.OpCode.Code != Code.Shr) return false; var convu1 = instrs[i + 4]; if (convu1.OpCode.Code != Code.Conv_U1) return false; int constant; int index = i + 2; if (!constantsReader.GetInt32(ref index, out constant)) return false; bytes.Add(constant); } return false; }
bool FindConstants(ISimpleDeobfuscator simpleDeobfuscator) { dynocode = new DynamicDynocodeIterator(); simpleDeobfuscator.Deobfuscate(stringMethod); stringMethodConsts = new EfConstantsReader(stringMethod); if (!FindResource(stringMethod)) return false; checkMinus2 = isV32OrLater || DeobUtils.HasInteger(stringMethod, -2); usePublicKeyToken = CallsGetPublicKeyToken(stringMethod); var int64Method = FindInt64Method(stringMethod); if (int64Method != null) decrypterType.Type = int64Method.DeclaringType; if (!FindShorts()) return false; if (!FindInt3()) return false; if (!FindInt4()) return false; if (checkMinus2 && !FindInt5()) return false; // The method body of the data decrypter method has been moved into // the string decrypter helper method in 5.0 if (!isV50OrLater) { dataDecrypterType = FindDataDecrypterType(stringMethod); if (dataDecrypterType == null) return false; } if (isV32OrLater) { bool initializedAll; int index = FindInitIntsIndex(stringMethod, out initializedAll); var cctor = stringType.FindStaticConstructor(); if (!initializedAll && cctor != null) { simpleDeobfuscator.Deobfuscate(cctor); if (!FindIntsCctor(cctor)) return false; } if (decrypterType.Detected && !decrypterType.Initialize()) return false; if (!isV50OrLater) { decrypterType.ShiftConsts = new List<int> { 24, 16, 8, 0, 16, 8, 0, 24 }; } else { List<int> shiftConsts; if (!FindShiftInts(decrypterType.Int64Method, out shiftConsts)) return false; decrypterType.ShiftConsts = shiftConsts; } if (!FindInts(index)) return false; } InitializeFlags(); Initialize(); return true; }
// Compact Framework doesn't have StackFrame bool FindIntsCctor2(MethodDef cctor) { int index = 0; var instrs = cctor.Body.Instructions; var constantsReader = new EfConstantsReader(cctor); while (index >= 0) { int val; if (!constantsReader.GetNextInt32(ref index, out val)) break; if (index < instrs.Count && instrs[index].OpCode.Code == Code.Add) { i1 = val; return true; } } return false; }
bool FindIntsCctor(MethodDef cctor) { int index = 0; if (!FindCallGetFrame(cctor, ref index)) return FindIntsCctor2(cctor); int tmp1, tmp2, tmp3 = 0; var constantsReader = new EfConstantsReader(cctor); if (!constantsReader.GetNextInt32(ref index, out tmp1)) return false; if (tmp1 == 0 && !constantsReader.GetNextInt32(ref index, out tmp1)) return false; if (!constantsReader.GetNextInt32(ref index, out tmp2)) return false; if (tmp2 == 0 && !constantsReader.GetNextInt32(ref index, out tmp2)) return false; index = 0; var instrs = cctor.Body.Instructions; while (index < instrs.Count) { int tmp4; if (!constantsReader.GetNextInt32(ref index, out tmp4)) break; if (index < instrs.Count && instrs[index].IsLdloc()) tmp3 = tmp4; } i1 = tmp1 ^ tmp2 ^ tmp3; return true; }
bool FindConstants(ISimpleDeobfuscator simpleDeobfuscator) { dynocode = new DynamicDynocodeIterator(); simpleDeobfuscator.Deobfuscate(stringMethod); stringMethodConsts = new EfConstantsReader(stringMethod); if (!FindResource(stringMethod)) return false; checkMinus2 = isV32OrLater || DeobUtils.HasInteger(stringMethod, -2); usePublicKeyToken = CallsGetPublicKeyToken(stringMethod); var int64Method = FindInt64Method(stringMethod); if (int64Method != null) decrypterType.Type = int64Method.DeclaringType; if (!FindShorts()) return false; if (!FindInt3()) return false; if (!FindInt4()) return false; if (checkMinus2 && !FindInt5()) return false; dataDecrypterType = FindDataDecrypterType(stringMethod); if (dataDecrypterType == null) return false; if (isV32OrLater) { bool initializedAll; int index = FindInitIntsIndex(stringMethod, out initializedAll); var cctor = stringType.FindStaticConstructor(); if (!initializedAll && cctor != null) { simpleDeobfuscator.Deobfuscate(cctor); if (!FindIntsCctor(cctor)) return false; } if (decrypterType.Detected && !decrypterType.Initialize()) return false; if (!FindInts(index)) return false; } InitializeFlags(); Initialize(); return true; }
bool findConstants(ISimpleDeobfuscator simpleDeobfuscator) { simpleDeobfuscator.deobfuscate(stringMethod); stringMethodConsts = new EfConstantsReader(stringMethod); if (!findResource(stringMethod)) { return(false); } checkMinus2 = isV32OrLater || DeobUtils.hasInteger(stringMethod, -2); usePublicKeyToken = callsGetPublicKeyToken(stringMethod); var int64Method = findInt64Method(stringMethod); if (int64Method != null) { decrypterType.Type = int64Method.DeclaringType; } if (!findShorts()) { return(false); } if (!findInt3()) { return(false); } if (!findInt4()) { return(false); } if (checkMinus2 && !findInt5()) { return(false); } dataDecrypterType = findDataDecrypterType(stringMethod); if (dataDecrypterType == null) { return(false); } if (isV32OrLater) { bool initializedAll; if (!findInts(out initializedAll)) { return(false); } var cctor = DotNetUtils.getMethod(stringType, ".cctor"); if (!initializedAll && cctor != null) { simpleDeobfuscator.deobfuscate(cctor); if (!findIntsCctor(cctor)) { return(false); } } if (decrypterType.Detected && !decrypterType.initialize()) { return(false); } } initializeFlags(); initialize(); return(true); }
static List<int> GetConstants(MethodDef method) { var list = new List<int>(); if (method == null) return list; int index = 0; var instrs = method.Body.Instructions; var constantsReader = new EfConstantsReader(method); while (true) { int val; if (!constantsReader.GetNextInt32(ref index, out val)) break; if (index < instrs.Count && instrs[index].OpCode.Code != Code.Ret) list.Add(val); } return list; }
bool findConstants(ISimpleDeobfuscator simpleDeobfuscator) { simpleDeobfuscator.deobfuscate(stringMethod); stringMethodConsts = new EfConstantsReader(stringMethod); if (!findResource(stringMethod)) return false; checkMinus2 = isV32OrLater || DeobUtils.hasInteger(stringMethod, -2); usePublicKeyToken = callsGetPublicKeyToken(stringMethod); var int64Method = findInt64Method(stringMethod); if (int64Method != null) decrypterType.Type = int64Method.DeclaringType; if (!findShorts()) return false; if (!findInt3()) return false; if (!findInt4()) return false; if (checkMinus2 && !findInt5()) return false; dataDecrypterType = findDataDecrypterType(stringMethod); if (dataDecrypterType == null) return false; if (isV32OrLater) { bool initializedAll; if (!findInts(out initializedAll)) return false; var cctor = DotNetUtils.getMethod(stringType, ".cctor"); if (!initializedAll && cctor != null) { simpleDeobfuscator.deobfuscate(cctor); if (!findIntsCctor(cctor)) return false; } if (decrypterType.Detected && !decrypterType.initialize()) return false; } initializeFlags(); initialize(); return true; }