void InitDecrypters() { assemblyResolverInfo = new AssemblyResolverInfo(module, DeobfuscatedFile, this); assemblyResolverInfo.FindTypes(); resourceDecrypterInfo = new ResourceDecrypterInfo(module, assemblyResolverInfo.SimpleZipTypeMethod, DeobfuscatedFile); resourceResolverInfo = new ResourceResolverInfo(module, DeobfuscatedFile, this, assemblyResolverInfo); resourceResolverInfo.FindTypes(); resourceDecrypter = new ResourceDecrypter(resourceDecrypterInfo); assemblyResolver = new AssemblyResolver(resourceDecrypter, assemblyResolverInfo); resourceResolver = new ResourceResolver(module, assemblyResolver, resourceResolverInfo); InitStringDecrypterInfos(); assemblyResolverInfo.FindTypes(); resourceResolverInfo.FindTypes(); AddModuleCctorInitCallToBeRemoved(assemblyResolverInfo.CallResolverMethod); AddCallToBeRemoved(module.EntryPoint, assemblyResolverInfo.CallResolverMethod); AddModuleCctorInitCallToBeRemoved(resourceResolverInfo.CallResolverMethod); AddCallToBeRemoved(module.EntryPoint, resourceResolverInfo.CallResolverMethod); resourceDecrypterInfo.SetSimpleZipType(GetGlobalSimpleZipTypeMethod(), DeobfuscatedFile); if (!DecryptResources()) { throw new ApplicationException("Could not decrypt resources"); } DumpEmbeddedAssemblies(); }
void InitDecrypters() { assemblyResolverInfo = new AssemblyResolverInfo(module, DeobfuscatedFile, this); assemblyResolverInfo.FindTypes(); resourceDecrypterInfo = new ResourceDecrypterInfo(module, assemblyResolverInfo.SimpleZipTypeMethod, DeobfuscatedFile); resourceResolverInfo = new ResourceResolverInfo(module, DeobfuscatedFile, this, assemblyResolverInfo); resourceResolverInfo.FindTypes(); resourceDecrypter = new ResourceDecrypter(resourceDecrypterInfo); assemblyResolver = new AssemblyResolver(resourceDecrypter, assemblyResolverInfo); resourceResolver = new ResourceResolver(module, assemblyResolver, resourceResolverInfo); InitStringDecrypterInfos(); assemblyResolverInfo.FindTypes(); resourceResolverInfo.FindTypes(); AddModuleCctorInitCallToBeRemoved(assemblyResolverInfo.CallResolverMethod); AddCallToBeRemoved(module.EntryPoint, assemblyResolverInfo.CallResolverMethod); AddModuleCctorInitCallToBeRemoved(resourceResolverInfo.CallResolverMethod); AddCallToBeRemoved(module.EntryPoint, resourceResolverInfo.CallResolverMethod); resourceDecrypterInfo.SetSimpleZipType(GetGlobalSimpleZipTypeMethod(), DeobfuscatedFile); if (!DecryptResources()) { throw new ApplicationException("Could not decrypt resources"); } var bt = FindBigType(); var candidateMthods = bt.Methods.Where(m => DotNetUtils.IsMethod(m, "System.String", "(System.Int32)")); //foreach (var cm in candidateMthods) { // staticStringInliner.Add(cm, (method, gim, args) => { // // var instrs = method.Body.Instructions; // return args[0].ToString(); // }); //} DumpEmbeddedAssemblies(); }
void InitDecrypters() { assemblyResolverInfo = new AssemblyResolverInfo(module, DeobfuscatedFile, this); assemblyResolverInfo.FindTypes(); resourceDecrypterInfo = new ResourceDecrypterInfo(module, assemblyResolverInfo.SimpleZipTypeMethod, DeobfuscatedFile); resourceResolverInfo = new ResourceResolverInfo(module, DeobfuscatedFile, this, assemblyResolverInfo); resourceResolverInfo.FindTypes(); resourceDecrypter = new ResourceDecrypter(resourceDecrypterInfo); assemblyResolver = new AssemblyResolver(resourceDecrypter, assemblyResolverInfo); resourceResolver = new ResourceResolver(module, assemblyResolver, resourceResolverInfo); InitStringDecrypterInfos(); assemblyResolverInfo.FindTypes(); resourceResolverInfo.FindTypes(); AddModuleCctorInitCallToBeRemoved(assemblyResolverInfo.CallResolverMethod); AddCallToBeRemoved(module.EntryPoint, assemblyResolverInfo.CallResolverMethod); AddModuleCctorInitCallToBeRemoved(resourceResolverInfo.CallResolverMethod); AddCallToBeRemoved(module.EntryPoint, resourceResolverInfo.CallResolverMethod); resourceDecrypterInfo.SetSimpleZipType(GetGlobalSimpleZipTypeMethod(), DeobfuscatedFile); if (!DecryptResources()) throw new ApplicationException("Could not decrypt resources"); DumpEmbeddedAssemblies(); }
void InitStringDecrypterInfos() { var stringEncoderClassFinder = new StringEncoderClassFinder(module, DeobfuscatedFile); stringEncoderClassFinder.Find(); foreach (var info in stringEncoderClassFinder.StringsEncoderInfos) { var sinfo = new StringDecrypterInfo(module, info.StringDecrypterClass) { GetStringDelegate = info.GetStringDelegate, StringsType = info.StringsType, CreateStringDelegateMethod = info.CreateStringDelegateMethod, }; stringDecrypterInfos.Add(sinfo); } // There may be more than one string decrypter. The strings in the first one's // methods may be decrypted by the other string decrypter. var initd = new Dictionary <StringDecrypterInfo, bool>(stringDecrypterInfos.Count); while (initd.Count != stringDecrypterInfos.Count) { StringDecrypterInfo initdInfo = null; for (int i = 0; i < 2; i++) { foreach (var info in stringDecrypterInfos) { if (initd.ContainsKey(info)) { continue; } if (info.Initialize(this, DeobfuscatedFile)) { resourceDecrypterInfo.SetSimpleZipType(info.SimpleZipTypeMethod, DeobfuscatedFile); initdInfo = info; break; } } if (initdInfo != null) { break; } assemblyResolverInfo.FindTypes(); resourceResolverInfo.FindTypes(); DecryptResources(); } if (initdInfo == null) { break; } initd[initdInfo] = true; InitStringDecrypter(initdInfo); } // Sometimes there could be a string decrypter present that isn't called by anyone. foreach (var info in stringDecrypterInfos) { if (initd.ContainsKey(info)) { continue; } Logger.v("String decrypter not initialized. Token {0:X8}", info.StringsEncodingClass.MDToken.ToInt32()); } }