public void Find() { var additionalTypes = new string[] { "System.Boolean", }; foreach (var type in module.Types) { if (type.BaseType == null || type.BaseType.FullName != "System.Object") { continue; } foreach (var method in type.Methods) { if (!method.IsStatic || !method.HasBody) { continue; } if (!DotNetUtils.IsMethod(method, "System.Boolean", "(System.Int32)")) { continue; } if (!encryptedResource.CouldBeResourceDecrypter(method, additionalTypes)) { continue; } encryptedResource.Method = method; return; } } }
public void Find(ISimpleDeobfuscator simpleDeobfuscator) { var additionalTypes = new string[] { "System.String", }; EmbeddedResource stringsResource = null; foreach (var type in module.Types) { if (decrypterInfos.Count > 0) { break; } if (type.BaseType == null || type.BaseType.FullName != "System.Object") { continue; } foreach (var method in type.Methods) { if (!method.IsStatic || !method.HasBody) { continue; } if (!DotNetUtils.IsMethod(method, "System.String", "(System.Int32)")) { continue; } if (!encryptedResource.CouldBeResourceDecrypter(method, additionalTypes)) { continue; } var resource = DotNetUtils.GetResource(module, DotNetUtils.GetCodeStrings(method)) as EmbeddedResource; if (resource == null) { throw new ApplicationException("Could not find strings resource"); } if (stringsResource != null && stringsResource != resource) { throw new ApplicationException("Two different string resources found"); } stringsResource = resource; encryptedResource.Method = method; var info = new DecrypterInfo(method, null, null); simpleDeobfuscator.Deobfuscate(info.method); FindKeyIv(info.method, out info.key, out info.iv); decrypterInfos.Add(info); } } if (decrypterInfos.Count > 0) { FindOtherStringDecrypter(decrypterInfos[0].method.DeclaringType); } }
MethodDef GetResourceDecrypterInitMethod(MethodDef method, string[] additionalTypes, bool checkResource) { if (encryptedResource.CouldBeResourceDecrypter(method, additionalTypes, checkResource)) { return(method); } foreach (var calledMethod in DotNetUtils.GetCalledMethods(module, method)) { if (!DotNetUtils.IsMethod(calledMethod, "System.Void", "()")) { continue; } if (encryptedResource.CouldBeResourceDecrypter(calledMethod, additionalTypes, checkResource)) { return(calledMethod); } } return(null); }
public void Find() { var additionalTypes = new string[] { "System.IntPtr", // "System.Reflection.Assembly", //TODO: Not in unknown DNR version with jitter support }; var checkedMethods = new Dictionary <IMethod, bool>(MethodEqualityComparer.CompareDeclaringTypes); var callCounter = new CallCounter(); int typesLeft = 30; foreach (var type in module.GetTypes()) { var cctor = type.FindStaticConstructor(); if (cctor == null || cctor.Body == null) { continue; } if (typesLeft-- <= 0) { break; } foreach (var method in DotNetUtils.GetCalledMethods(module, cctor)) { if (!checkedMethods.ContainsKey(method)) { checkedMethods[method] = false; if (method.DeclaringType.BaseType == null || method.DeclaringType.BaseType.FullName != "System.Object") { continue; } if (!DotNetUtils.IsMethod(method, "System.Void", "()")) { continue; } if (!encryptedResource.CouldBeResourceDecrypter(method, additionalTypes)) { continue; } checkedMethods[method] = true; } else if (!checkedMethods[method]) { continue; } callCounter.Add(method); } } encryptedResource.Method = (MethodDef)callCounter.Most(); }
public void Find(ISimpleDeobfuscator simpleDeobfuscator) { var additionalTypes = new string[] { "System.String", }; foreach (var type in module.Types) { if (type.BaseType == null || type.BaseType.FullName != "System.Object") { continue; } if (!CheckFields(type.Fields)) { continue; } foreach (var method in type.Methods) { if (!method.IsStatic || !method.HasBody) { continue; } if (!DotNetUtils.IsMethod(method, "System.Reflection.Assembly", "(System.Object,System.ResolveEventArgs)") && !DotNetUtils.IsMethod(method, "System.Reflection.Assembly", "(System.Object,System.Object)")) { continue; } if (!encryptedResource.CouldBeResourceDecrypter(method, additionalTypes, false)) { continue; } encryptedResource.Method = method; return; } } }