2012-02-27 05:48:43 +08:00
|
|
|
|
/*
|
|
|
|
|
|
Copyright (C) 2011-2012 de4dot@gmail.com
|
|
|
|
|
|
|
|
|
|
|
|
This file is part of de4dot.
|
|
|
|
|
|
|
|
|
|
|
|
de4dot is free software: you can redistribute it and/or modify
|
|
|
|
|
|
it under the terms of the GNU General Public License as published by
|
|
|
|
|
|
the Free Software Foundation, either version 3 of the License, or
|
|
|
|
|
|
(at your option) any later version.
|
|
|
|
|
|
|
|
|
|
|
|
de4dot is distributed in the hope that it will be useful,
|
|
|
|
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
|
GNU General Public License for more details.
|
|
|
|
|
|
|
|
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
|
|
|
|
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
|
*/
|
|
|
|
|
|
|
2012-03-13 16:26:40 +08:00
|
|
|
|
using System;
|
2012-02-27 05:48:43 +08:00
|
|
|
|
using System.Collections.Generic;
|
|
|
|
|
|
using System.IO;
|
|
|
|
|
|
using System.Text;
|
2012-11-02 22:57:11 +08:00
|
|
|
|
using dot10.DotNet;
|
|
|
|
|
|
using dot10.DotNet.Emit;
|
2012-02-27 05:48:43 +08:00
|
|
|
|
using de4dot.blocks;
|
2012-12-11 04:43:56 +08:00
|
|
|
|
using de4dot.blocks.cflow;
|
2012-02-27 05:48:43 +08:00
|
|
|
|
|
|
|
|
|
|
namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
|
|
|
|
|
class StringDecrypter {
|
2012-11-18 08:09:07 +08:00
|
|
|
|
ModuleDefMD module;
|
2012-11-02 22:57:11 +08:00
|
|
|
|
TypeDef stringType;
|
|
|
|
|
|
MethodDef stringMethod;
|
|
|
|
|
|
TypeDef dataDecrypterType;
|
2012-02-27 05:48:43 +08:00
|
|
|
|
short s1, s2, s3;
|
2012-03-11 22:34:53 +08:00
|
|
|
|
int i1, i2, i3, i4, i5, i6;
|
2012-02-27 05:48:43 +08:00
|
|
|
|
bool checkMinus2;
|
|
|
|
|
|
bool usePublicKeyToken;
|
|
|
|
|
|
int keyLen;
|
|
|
|
|
|
byte[] theKey;
|
|
|
|
|
|
int magic1;
|
2012-03-13 16:26:40 +08:00
|
|
|
|
uint rldFlag, bytesFlag;
|
2012-02-27 05:48:43 +08:00
|
|
|
|
EmbeddedResource encryptedResource;
|
|
|
|
|
|
BinaryReader reader;
|
2012-02-27 19:55:37 +08:00
|
|
|
|
DecrypterType decrypterType;
|
2012-03-06 15:17:55 +08:00
|
|
|
|
StreamHelperType streamHelperType;
|
2012-04-30 07:26:10 +08:00
|
|
|
|
EfConstantsReader stringMethodConsts;
|
2012-03-17 06:22:24 +08:00
|
|
|
|
bool isV32OrLater;
|
2012-12-08 08:12:20 +08:00
|
|
|
|
int? validStringDecrypterValue;
|
2012-12-11 07:23:16 +08:00
|
|
|
|
Dynocode dynocode;
|
2012-03-06 15:17:55 +08:00
|
|
|
|
|
|
|
|
|
|
class StreamHelperType {
|
2012-11-02 22:57:11 +08:00
|
|
|
|
public TypeDef type;
|
|
|
|
|
|
public MethodDef readInt16Method;
|
|
|
|
|
|
public MethodDef readInt32Method;
|
|
|
|
|
|
public MethodDef readBytesMethod;
|
2012-03-06 15:17:55 +08:00
|
|
|
|
|
|
|
|
|
|
public bool Detected {
|
|
|
|
|
|
get {
|
|
|
|
|
|
return readInt16Method != null &&
|
|
|
|
|
|
readInt32Method != null &&
|
|
|
|
|
|
readBytesMethod != null;
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-11-02 22:57:11 +08:00
|
|
|
|
public StreamHelperType(TypeDef type) {
|
2012-03-06 15:17:55 +08:00
|
|
|
|
this.type = type;
|
|
|
|
|
|
|
|
|
|
|
|
foreach (var method in type.Methods) {
|
|
|
|
|
|
if (method.IsStatic || method.Body == null || method.IsPrivate || method.GenericParameters.Count > 0)
|
|
|
|
|
|
continue;
|
|
|
|
|
|
if (DotNetUtils.isMethod(method, "System.Int16", "()"))
|
|
|
|
|
|
readInt16Method = method;
|
|
|
|
|
|
else if (DotNetUtils.isMethod(method, "System.Int32", "()"))
|
|
|
|
|
|
readInt32Method = method;
|
|
|
|
|
|
else if (DotNetUtils.isMethod(method, "System.Byte[]", "(System.Int32)"))
|
|
|
|
|
|
readBytesMethod = method;
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
2012-02-27 05:48:43 +08:00
|
|
|
|
|
2012-12-08 08:12:20 +08:00
|
|
|
|
public int? ValidStringDecrypterValue {
|
|
|
|
|
|
get { return validStringDecrypterValue;}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-11-02 22:57:11 +08:00
|
|
|
|
public TypeDef Type {
|
2012-02-27 19:55:37 +08:00
|
|
|
|
get { return stringType; }
|
2012-02-27 05:48:43 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public EmbeddedResource Resource {
|
|
|
|
|
|
get { return encryptedResource; }
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-11-02 22:57:11 +08:00
|
|
|
|
public IEnumerable<TypeDef> Types {
|
2012-02-27 05:48:43 +08:00
|
|
|
|
get {
|
2012-11-02 22:57:11 +08:00
|
|
|
|
return new List<TypeDef> {
|
2012-02-27 19:55:37 +08:00
|
|
|
|
stringType,
|
|
|
|
|
|
dataDecrypterType,
|
|
|
|
|
|
};
|
2012-02-27 05:48:43 +08:00
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-12-11 07:23:16 +08:00
|
|
|
|
public IEnumerable<TypeDef> DynocodeTypes {
|
|
|
|
|
|
get { return dynocode.Types; }
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-11-02 22:57:11 +08:00
|
|
|
|
public MethodDef Method {
|
2012-02-27 19:55:37 +08:00
|
|
|
|
get { return stringMethod; }
|
2012-02-27 05:48:43 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public bool Detected {
|
2012-02-27 19:55:37 +08:00
|
|
|
|
get { return stringType != null; }
|
2012-02-27 05:48:43 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2012-11-18 08:09:07 +08:00
|
|
|
|
public StringDecrypter(ModuleDefMD module, DecrypterType decrypterType) {
|
2012-02-27 05:48:43 +08:00
|
|
|
|
this.module = module;
|
2012-02-27 19:55:37 +08:00
|
|
|
|
this.decrypterType = decrypterType;
|
2012-02-27 05:48:43 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2012-11-02 22:57:11 +08:00
|
|
|
|
static bool checkIfV32OrLater(TypeDef type) {
|
2012-03-17 06:22:24 +08:00
|
|
|
|
int numInts = 0;
|
|
|
|
|
|
foreach (var field in type.Fields) {
|
2012-11-18 08:09:07 +08:00
|
|
|
|
if (field.FieldSig.GetFieldType().GetElementType() == ElementType.I4)
|
2012-03-17 06:22:24 +08:00
|
|
|
|
numInts++;
|
|
|
|
|
|
}
|
|
|
|
|
|
return numInts >= 2;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-02-27 19:55:37 +08:00
|
|
|
|
public void find() {
|
2012-02-27 05:48:43 +08:00
|
|
|
|
foreach (var type in module.Types) {
|
2012-03-06 15:17:55 +08:00
|
|
|
|
if (!checkType(type))
|
2012-02-27 05:48:43 +08:00
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
|
|
foreach (var method in type.Methods) {
|
|
|
|
|
|
if (!checkDecrypterMethod(method))
|
|
|
|
|
|
continue;
|
|
|
|
|
|
|
2012-02-27 19:55:37 +08:00
|
|
|
|
stringType = type;
|
|
|
|
|
|
stringMethod = method;
|
2012-03-17 06:22:24 +08:00
|
|
|
|
isV32OrLater = checkIfV32OrLater(stringType);
|
2012-02-27 05:48:43 +08:00
|
|
|
|
return;
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-03-09 02:21:54 +08:00
|
|
|
|
static string[] requiredFieldTypes = new string[] {
|
|
|
|
|
|
"System.Byte[]",
|
|
|
|
|
|
"System.Int16",
|
|
|
|
|
|
};
|
2012-11-02 22:57:11 +08:00
|
|
|
|
bool checkType(TypeDef type) {
|
2012-03-09 02:21:54 +08:00
|
|
|
|
if (!new FieldTypes(type).all(requiredFieldTypes))
|
|
|
|
|
|
return false;
|
2012-03-06 15:17:55 +08:00
|
|
|
|
if (type.NestedTypes.Count == 0) {
|
|
|
|
|
|
return DotNetUtils.findFieldType(type, "System.IO.BinaryReader", true) != null &&
|
|
|
|
|
|
DotNetUtils.findFieldType(type, "System.Collections.Generic.Dictionary`2<System.Int32,System.String>", true) != null;
|
|
|
|
|
|
}
|
|
|
|
|
|
else if (type.NestedTypes.Count == 3) {
|
|
|
|
|
|
streamHelperType = findStreamHelperType(type);
|
|
|
|
|
|
return streamHelperType != null;
|
|
|
|
|
|
}
|
|
|
|
|
|
else if (type.NestedTypes.Count == 1) {
|
|
|
|
|
|
return type.NestedTypes[0].IsEnum;
|
|
|
|
|
|
}
|
|
|
|
|
|
else
|
|
|
|
|
|
return false;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static string[] streamHelperTypeFields = new string[] {
|
|
|
|
|
|
"System.IO.Stream",
|
|
|
|
|
|
"System.Byte[]",
|
|
|
|
|
|
};
|
2012-11-02 22:57:11 +08:00
|
|
|
|
static StreamHelperType findStreamHelperType(TypeDef type) {
|
2012-03-06 15:17:55 +08:00
|
|
|
|
foreach (var field in type.Fields) {
|
2012-11-18 08:09:07 +08:00
|
|
|
|
var nested = field.FieldSig.GetFieldType().TryGetTypeDef();
|
2012-03-06 15:17:55 +08:00
|
|
|
|
if (nested == null)
|
|
|
|
|
|
continue;
|
|
|
|
|
|
if (nested.DeclaringType != type)
|
|
|
|
|
|
continue;
|
|
|
|
|
|
if (!new FieldTypes(nested).exactly(streamHelperTypeFields))
|
|
|
|
|
|
continue;
|
|
|
|
|
|
var streamHelperType = new StreamHelperType(nested);
|
|
|
|
|
|
if (!streamHelperType.Detected)
|
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
|
|
return streamHelperType;
|
|
|
|
|
|
}
|
|
|
|
|
|
return null;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-03-09 02:21:54 +08:00
|
|
|
|
static string[] requiredLocalTypes = new string[] {
|
|
|
|
|
|
"System.Boolean",
|
|
|
|
|
|
"System.Byte[]",
|
|
|
|
|
|
"System.Char[]",
|
|
|
|
|
|
"System.Int16",
|
|
|
|
|
|
"System.Int32",
|
|
|
|
|
|
"System.Reflection.Assembly",
|
|
|
|
|
|
"System.String",
|
|
|
|
|
|
};
|
2012-11-02 22:57:11 +08:00
|
|
|
|
static bool checkDecrypterMethod(MethodDef method) {
|
2012-02-27 05:48:43 +08:00
|
|
|
|
if (method == null || !method.IsStatic || method.Body == null)
|
|
|
|
|
|
return false;
|
|
|
|
|
|
if (!DotNetUtils.isMethod(method, "System.String", "(System.Int32)"))
|
|
|
|
|
|
return false;
|
2012-03-09 02:21:54 +08:00
|
|
|
|
if (!new LocalTypes(method).all(requiredLocalTypes))
|
|
|
|
|
|
return false;
|
2012-02-27 05:48:43 +08:00
|
|
|
|
|
|
|
|
|
|
foreach (var instr in method.Body.Instructions) {
|
|
|
|
|
|
if (instr.OpCode != OpCodes.Callvirt)
|
|
|
|
|
|
continue;
|
2012-11-18 08:09:07 +08:00
|
|
|
|
var calledMethod = instr.Operand as IMethod;
|
2012-02-27 05:48:43 +08:00
|
|
|
|
if (calledMethod != null && calledMethod.FullName == "System.IO.Stream System.Reflection.Assembly::GetManifestResourceStream(System.String)")
|
|
|
|
|
|
return true;
|
|
|
|
|
|
}
|
|
|
|
|
|
return false;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-02-27 19:55:37 +08:00
|
|
|
|
public void initialize(ISimpleDeobfuscator simpleDeobfuscator) {
|
|
|
|
|
|
if (stringType == null)
|
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
|
|
if (!findConstants(simpleDeobfuscator)) {
|
|
|
|
|
|
if (encryptedResource == null)
|
2012-11-11 12:31:11 +08:00
|
|
|
|
Logger.w("Could not find encrypted resource. Strings cannot be decrypted.");
|
2012-02-27 19:55:37 +08:00
|
|
|
|
else
|
2012-11-11 12:31:11 +08:00
|
|
|
|
Logger.w("Can't decrypt strings. Possibly a new Eazfuscator.NET version.");
|
2012-02-27 19:55:37 +08:00
|
|
|
|
return;
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-02-29 10:45:43 +08:00
|
|
|
|
bool findConstants(ISimpleDeobfuscator simpleDeobfuscator) {
|
2012-12-11 07:23:16 +08:00
|
|
|
|
dynocode = new Dynocode(simpleDeobfuscator);
|
2012-04-10 09:52:18 +08:00
|
|
|
|
simpleDeobfuscator.deobfuscate(stringMethod);
|
2012-04-30 07:26:10 +08:00
|
|
|
|
stringMethodConsts = new EfConstantsReader(stringMethod);
|
2012-04-10 09:52:18 +08:00
|
|
|
|
|
2012-02-27 19:55:37 +08:00
|
|
|
|
if (!findResource(stringMethod))
|
2012-02-27 05:48:43 +08:00
|
|
|
|
return false;
|
|
|
|
|
|
|
2012-04-10 09:52:18 +08:00
|
|
|
|
checkMinus2 = isV32OrLater || DeobUtils.hasInteger(stringMethod, -2);
|
2012-02-27 19:55:37 +08:00
|
|
|
|
usePublicKeyToken = callsGetPublicKeyToken(stringMethod);
|
2012-02-27 05:48:43 +08:00
|
|
|
|
|
2012-02-27 19:55:37 +08:00
|
|
|
|
var int64Method = findInt64Method(stringMethod);
|
|
|
|
|
|
if (int64Method != null)
|
|
|
|
|
|
decrypterType.Type = int64Method.DeclaringType;
|
2012-02-27 05:48:43 +08:00
|
|
|
|
|
2012-04-10 09:52:18 +08:00
|
|
|
|
if (!findShorts())
|
2012-02-27 05:48:43 +08:00
|
|
|
|
return false;
|
2012-04-10 09:52:18 +08:00
|
|
|
|
if (!findInt3())
|
2012-02-27 05:48:43 +08:00
|
|
|
|
return false;
|
2012-04-10 09:52:18 +08:00
|
|
|
|
if (!findInt4())
|
2012-02-27 05:48:43 +08:00
|
|
|
|
return false;
|
2012-04-10 09:52:18 +08:00
|
|
|
|
if (checkMinus2 && !findInt5())
|
2012-02-27 05:48:43 +08:00
|
|
|
|
return false;
|
2012-02-27 19:55:37 +08:00
|
|
|
|
dataDecrypterType = findDataDecrypterType(stringMethod);
|
2012-02-27 05:48:43 +08:00
|
|
|
|
if (dataDecrypterType == null)
|
|
|
|
|
|
return false;
|
|
|
|
|
|
|
2012-03-17 06:22:24 +08:00
|
|
|
|
if (isV32OrLater) {
|
2012-03-06 15:17:55 +08:00
|
|
|
|
bool initializedAll;
|
2012-12-11 04:43:56 +08:00
|
|
|
|
int index = findInitIntsIndex(stringMethod, out initializedAll);
|
2012-03-06 15:17:55 +08:00
|
|
|
|
|
2012-11-18 08:09:07 +08:00
|
|
|
|
var cctor = stringType.FindStaticConstructor();
|
2012-03-06 15:17:55 +08:00
|
|
|
|
if (!initializedAll && cctor != null) {
|
|
|
|
|
|
simpleDeobfuscator.deobfuscate(cctor);
|
|
|
|
|
|
if (!findIntsCctor(cctor))
|
|
|
|
|
|
return false;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-03-17 06:22:24 +08:00
|
|
|
|
if (decrypterType.Detected && !decrypterType.initialize())
|
2012-02-27 05:48:43 +08:00
|
|
|
|
return false;
|
2012-12-11 04:43:56 +08:00
|
|
|
|
|
|
|
|
|
|
if (!findInts(index))
|
|
|
|
|
|
return false;
|
2012-02-27 05:48:43 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2012-03-13 16:26:40 +08:00
|
|
|
|
initializeFlags();
|
2012-02-27 05:48:43 +08:00
|
|
|
|
initialize();
|
|
|
|
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-03-13 16:26:40 +08:00
|
|
|
|
void initializeFlags() {
|
2012-04-10 09:52:18 +08:00
|
|
|
|
if (!isV32OrLater) {
|
2012-03-13 16:26:40 +08:00
|
|
|
|
rldFlag = 0x40000000;
|
|
|
|
|
|
bytesFlag = 0x80000000;
|
|
|
|
|
|
return;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
var instrs = stringMethod.Body.Instructions;
|
|
|
|
|
|
for (int i = 0; i < instrs.Count; i++) {
|
|
|
|
|
|
var ldci4 = instrs[i];
|
2012-07-31 01:07:25 +08:00
|
|
|
|
if (!stringMethodConsts.isLoadConstantInt32(ldci4))
|
2012-03-13 16:26:40 +08:00
|
|
|
|
continue;
|
2012-04-10 09:52:18 +08:00
|
|
|
|
int index = i, tmp;
|
|
|
|
|
|
if (!stringMethodConsts.getInt32(ref index, out tmp) || !isFlagsMask(tmp))
|
2012-03-13 16:26:40 +08:00
|
|
|
|
continue;
|
2012-04-10 09:52:18 +08:00
|
|
|
|
if (findFlags(i))
|
2012-03-13 16:26:40 +08:00
|
|
|
|
return;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
throw new ApplicationException("Could not find string decrypter flags");
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-04-10 09:52:18 +08:00
|
|
|
|
static bool isFlagsMask(int value) {
|
|
|
|
|
|
return value == 0x1FFFFFFF || value == 0x0FFFFFFF;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
class FlagsInfo {
|
2012-11-18 08:09:07 +08:00
|
|
|
|
public Local Local { get; set; }
|
2012-04-10 09:52:18 +08:00
|
|
|
|
public uint Value { get; set; }
|
|
|
|
|
|
public int Offset { get; set; }
|
2012-11-18 08:09:07 +08:00
|
|
|
|
public FlagsInfo(Local local, uint value, int offset) {
|
2012-04-10 09:52:18 +08:00
|
|
|
|
Local = local;
|
|
|
|
|
|
Value = value;
|
|
|
|
|
|
Offset = offset;
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
bool findFlags(int index) {
|
|
|
|
|
|
var flags = findFlags2(index);
|
|
|
|
|
|
if (flags == null)
|
|
|
|
|
|
return false;
|
|
|
|
|
|
|
2012-11-18 08:09:07 +08:00
|
|
|
|
flags.Sort((a, b) => a.Offset.CompareTo(b.Offset));
|
2012-04-10 09:52:18 +08:00
|
|
|
|
|
|
|
|
|
|
rldFlag = flags[0].Value;
|
|
|
|
|
|
bytesFlag = flags[1].Value;
|
|
|
|
|
|
return true;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
List<FlagsInfo> findFlags2(int index) {
|
|
|
|
|
|
var flags = new List<FlagsInfo>(3);
|
2012-03-13 16:26:40 +08:00
|
|
|
|
for (int i = index - 1; i >= 0; i--) {
|
2012-04-10 09:52:18 +08:00
|
|
|
|
var instr = stringMethod.Body.Instructions[i];
|
2012-03-13 16:26:40 +08:00
|
|
|
|
if (instr.OpCode.FlowControl != FlowControl.Next)
|
|
|
|
|
|
break;
|
2012-07-31 01:07:25 +08:00
|
|
|
|
if (!stringMethodConsts.isLoadConstantInt32(instr))
|
2012-04-10 09:52:18 +08:00
|
|
|
|
continue;
|
|
|
|
|
|
int index2 = i, value;
|
|
|
|
|
|
if (!stringMethodConsts.getInt32(ref index2, out value))
|
|
|
|
|
|
continue;
|
|
|
|
|
|
if ((uint)value != 0x80000000 && value != 0x40000000 && value != 0x20000000)
|
2012-03-13 16:26:40 +08:00
|
|
|
|
continue;
|
2012-04-10 09:52:18 +08:00
|
|
|
|
var local = getFlagsLocal(stringMethod, index2);
|
|
|
|
|
|
if (local == null)
|
2012-03-13 16:26:40 +08:00
|
|
|
|
continue;
|
2012-04-10 09:52:18 +08:00
|
|
|
|
int offset = getFlagsOffset(stringMethod, index2, local);
|
|
|
|
|
|
if (offset < 0)
|
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
|
|
flags.Add(new FlagsInfo(local, (uint)value, offset));
|
2012-03-13 16:26:40 +08:00
|
|
|
|
if (flags.Count != 3)
|
|
|
|
|
|
continue;
|
|
|
|
|
|
|
2012-04-10 09:52:18 +08:00
|
|
|
|
return flags;
|
2012-03-13 16:26:40 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2012-04-10 09:52:18 +08:00
|
|
|
|
return null;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-11-18 08:09:07 +08:00
|
|
|
|
static int getFlagsOffset(MethodDef method, int index, Local local) {
|
2012-04-10 09:52:18 +08:00
|
|
|
|
var instrs = method.Body.Instructions;
|
|
|
|
|
|
for (; index < instrs.Count; index++) {
|
|
|
|
|
|
var ldloc = instrs[index];
|
2012-11-18 08:09:07 +08:00
|
|
|
|
if (!ldloc.IsLdloc())
|
2012-04-10 09:52:18 +08:00
|
|
|
|
continue;
|
2012-11-20 00:58:34 +08:00
|
|
|
|
if (ldloc.GetLocal(method.Body.Variables) != local)
|
2012-04-10 09:52:18 +08:00
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
|
|
return index;
|
|
|
|
|
|
}
|
|
|
|
|
|
return -1;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-11-18 08:09:07 +08:00
|
|
|
|
static Local getFlagsLocal(MethodDef method, int index) {
|
2012-04-10 09:52:18 +08:00
|
|
|
|
var instrs = method.Body.Instructions;
|
|
|
|
|
|
if (index + 5 >= instrs.Count)
|
|
|
|
|
|
return null;
|
|
|
|
|
|
if (instrs[index++].OpCode.Code != Code.And)
|
|
|
|
|
|
return null;
|
|
|
|
|
|
if (instrs[index++].OpCode.Code != Code.Ldc_I4_0)
|
|
|
|
|
|
return null;
|
|
|
|
|
|
if (instrs[index++].OpCode.Code != Code.Ceq)
|
|
|
|
|
|
return null;
|
|
|
|
|
|
if (instrs[index++].OpCode.Code != Code.Ldc_I4_0)
|
|
|
|
|
|
return null;
|
|
|
|
|
|
if (instrs[index++].OpCode.Code != Code.Ceq)
|
|
|
|
|
|
return null;
|
|
|
|
|
|
var stloc = instrs[index++];
|
2012-11-18 08:09:07 +08:00
|
|
|
|
if (!stloc.IsStloc())
|
2012-04-10 09:52:18 +08:00
|
|
|
|
return null;
|
2012-11-20 00:58:34 +08:00
|
|
|
|
return stloc.GetLocal(method.Body.Variables);
|
2012-03-13 16:26:40 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2012-02-27 05:48:43 +08:00
|
|
|
|
void initialize() {
|
|
|
|
|
|
reader = new BinaryReader(encryptedResource.GetResourceStream());
|
|
|
|
|
|
short len = (short)(reader.ReadInt16() ^ s1);
|
|
|
|
|
|
if (len != 0)
|
|
|
|
|
|
theKey = reader.ReadBytes(len);
|
|
|
|
|
|
else
|
|
|
|
|
|
keyLen = reader.ReadInt16() ^ s2;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public string decrypt(int val) {
|
2012-12-08 08:12:20 +08:00
|
|
|
|
validStringDecrypterValue = val;
|
2012-02-27 05:48:43 +08:00
|
|
|
|
while (true) {
|
2012-03-11 22:34:53 +08:00
|
|
|
|
int offset = magic1 ^ i3 ^ val ^ i6;
|
2012-02-27 05:48:43 +08:00
|
|
|
|
reader.BaseStream.Position = offset;
|
|
|
|
|
|
byte[] tmpKey;
|
|
|
|
|
|
if (theKey == null) {
|
|
|
|
|
|
tmpKey = reader.ReadBytes(keyLen == -1 ? (short)(reader.ReadInt16() ^ s3 ^ offset) : keyLen);
|
2012-03-17 06:22:24 +08:00
|
|
|
|
if (isV32OrLater) {
|
2012-02-27 05:48:43 +08:00
|
|
|
|
for (int i = 0; i < tmpKey.Length; i++)
|
|
|
|
|
|
tmpKey[i] ^= (byte)(magic1 >> ((i & 3) << 3));
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
else
|
|
|
|
|
|
tmpKey = theKey;
|
|
|
|
|
|
|
|
|
|
|
|
int flags = i4 ^ magic1 ^ offset ^ reader.ReadInt32();
|
|
|
|
|
|
if (checkMinus2 && flags == -2) {
|
|
|
|
|
|
var ary2 = reader.ReadBytes(4);
|
2012-02-27 19:55:37 +08:00
|
|
|
|
val = -(magic1 ^ i5) ^ (ary2[2] | (ary2[0] << 8) | (ary2[3] << 16) | (ary2[1] << 24));
|
2012-02-27 05:48:43 +08:00
|
|
|
|
continue;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
var bytes = reader.ReadBytes(flags & 0x1FFFFFFF);
|
|
|
|
|
|
decrypt1(bytes, tmpKey);
|
2012-11-18 08:09:07 +08:00
|
|
|
|
var pkt = PublicKeyBase.ToPublicKeyToken(module.Assembly.PublicKey);
|
|
|
|
|
|
if (usePublicKeyToken && !PublicKeyBase.IsNullOrEmpty2(pkt)) {
|
2012-02-27 05:48:43 +08:00
|
|
|
|
for (int i = 0; i < bytes.Length; i++)
|
2012-11-18 08:09:07 +08:00
|
|
|
|
bytes[i] ^= (byte)((pkt.Data[i & 7] >> 5) + (pkt.Data[i & 7] << 3));
|
2012-02-27 05:48:43 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2012-03-13 16:26:40 +08:00
|
|
|
|
if ((flags & rldFlag) != 0)
|
2012-02-27 05:48:43 +08:00
|
|
|
|
bytes = rld(bytes);
|
2012-03-13 16:26:40 +08:00
|
|
|
|
if ((flags & bytesFlag) != 0) {
|
2012-02-27 05:48:43 +08:00
|
|
|
|
var sb = new StringBuilder(bytes.Length);
|
|
|
|
|
|
foreach (var b in bytes)
|
|
|
|
|
|
sb.Append((char)b);
|
|
|
|
|
|
return sb.ToString();
|
|
|
|
|
|
}
|
|
|
|
|
|
else
|
|
|
|
|
|
return Encoding.Unicode.GetString(bytes);
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static byte[] rld(byte[] src) {
|
|
|
|
|
|
var dst = new byte[src[2] + (src[3] << 8) + (src[0] << 16) + (src[1] << 24)];
|
|
|
|
|
|
int srcIndex = 4;
|
|
|
|
|
|
int dstIndex = 0;
|
|
|
|
|
|
int flags = 0;
|
|
|
|
|
|
int bit = 128;
|
|
|
|
|
|
while (dstIndex < dst.Length) {
|
|
|
|
|
|
bit <<= 1;
|
|
|
|
|
|
if (bit == 256) {
|
|
|
|
|
|
bit = 1;
|
|
|
|
|
|
flags = src[srcIndex++];
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if ((flags & bit) == 0) {
|
|
|
|
|
|
dst[dstIndex++] = src[srcIndex++];
|
|
|
|
|
|
continue;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int numBytes = (src[srcIndex] >> 2) + 3;
|
|
|
|
|
|
int copyIndex = dstIndex - ((src[srcIndex + 1] + (src[srcIndex] << 8)) & 0x3FF);
|
|
|
|
|
|
if (copyIndex < 0)
|
|
|
|
|
|
break;
|
|
|
|
|
|
while (dstIndex < dst.Length && numBytes-- > 0)
|
|
|
|
|
|
dst[dstIndex++] = dst[copyIndex++];
|
|
|
|
|
|
srcIndex += 2;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return dst;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static void decrypt1(byte[] dest, byte[] key) {
|
|
|
|
|
|
byte b = (byte)((key[1] + 7) ^ (dest.Length + 11));
|
2012-03-10 12:30:57 +08:00
|
|
|
|
uint lcg = (uint)((key[0] | (key[2] << 8)) + (b << 3));
|
2012-02-27 05:48:43 +08:00
|
|
|
|
b += 3;
|
|
|
|
|
|
ushort xn = 0;
|
|
|
|
|
|
for (int i = 0; i < dest.Length; i++) {
|
|
|
|
|
|
if ((i & 1) == 0) {
|
|
|
|
|
|
lcg = lcgNext(lcg);
|
|
|
|
|
|
xn = (ushort)(lcg >> 16);
|
|
|
|
|
|
}
|
|
|
|
|
|
byte tmp = dest[i];
|
2012-03-10 12:30:57 +08:00
|
|
|
|
dest[i] ^= (byte)(key[1] ^ xn ^ b);
|
2012-02-27 05:48:43 +08:00
|
|
|
|
b = (byte)(tmp + 3);
|
|
|
|
|
|
xn >>= 8;
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static uint lcgNext(uint lcg) {
|
|
|
|
|
|
return lcg * 214013 + 2531011;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-11-02 22:57:11 +08:00
|
|
|
|
bool findResource(MethodDef method) {
|
2012-04-10 09:52:18 +08:00
|
|
|
|
encryptedResource = findResourceFromCodeString(method) ??
|
|
|
|
|
|
findResourceFromStringBuilder(method);
|
2012-02-27 05:48:43 +08:00
|
|
|
|
return encryptedResource != null;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-11-02 22:57:11 +08:00
|
|
|
|
EmbeddedResource findResourceFromCodeString(MethodDef method) {
|
2012-04-10 09:52:18 +08:00
|
|
|
|
return DotNetUtils.getResource(module, DotNetUtils.getCodeStrings(method)) as EmbeddedResource;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-11-02 22:57:11 +08:00
|
|
|
|
EmbeddedResource findResourceFromStringBuilder(MethodDef method) {
|
2012-04-10 09:52:18 +08:00
|
|
|
|
int startIndex = EfUtils.findOpCodeIndex(method, 0, Code.Newobj, "System.Void System.Text.StringBuilder::.ctor()");
|
|
|
|
|
|
if (startIndex < 0)
|
|
|
|
|
|
return null;
|
|
|
|
|
|
int endIndex = EfUtils.findOpCodeIndex(method, startIndex, Code.Call, "System.String System.Text.StringBuilder::ToString()");
|
|
|
|
|
|
if (endIndex < 0)
|
|
|
|
|
|
return null;
|
|
|
|
|
|
|
|
|
|
|
|
var sb = new StringBuilder();
|
|
|
|
|
|
var instrs = method.Body.Instructions;
|
|
|
|
|
|
int val = 0, shift = 0;
|
|
|
|
|
|
for (int i = startIndex; i < endIndex; i++) {
|
|
|
|
|
|
var instr = instrs[i];
|
|
|
|
|
|
if (instr.OpCode.Code == Code.Call && instr.Operand.ToString() == "System.Text.StringBuilder System.Text.StringBuilder::Append(System.Char)") {
|
|
|
|
|
|
sb.Append((char)(val >> shift));
|
|
|
|
|
|
shift = 0;
|
|
|
|
|
|
}
|
2012-07-31 01:07:25 +08:00
|
|
|
|
if (stringMethodConsts.isLoadConstantInt32(instr)) {
|
2012-04-10 09:52:18 +08:00
|
|
|
|
int tmp;
|
|
|
|
|
|
if (!stringMethodConsts.getInt32(ref i, out tmp))
|
|
|
|
|
|
break;
|
|
|
|
|
|
if (i >= endIndex)
|
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
|
|
var next = instrs[i];
|
|
|
|
|
|
if (next.OpCode.Code == Code.Shr)
|
|
|
|
|
|
shift = tmp;
|
|
|
|
|
|
else {
|
|
|
|
|
|
val = tmp;
|
|
|
|
|
|
shift = 0;
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return DotNetUtils.getResource(module, sb.ToString()) as EmbeddedResource;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-11-02 22:57:11 +08:00
|
|
|
|
static MethodDef findInt64Method(MethodDef method) {
|
2012-02-27 05:48:43 +08:00
|
|
|
|
foreach (var instr in method.Body.Instructions) {
|
|
|
|
|
|
if (instr.OpCode.Code != Code.Call)
|
|
|
|
|
|
continue;
|
2012-11-02 22:57:11 +08:00
|
|
|
|
var calledMethod = instr.Operand as MethodDef;
|
2012-02-27 05:48:43 +08:00
|
|
|
|
if (calledMethod == null)
|
|
|
|
|
|
continue;
|
|
|
|
|
|
if (!DotNetUtils.isMethod(calledMethod, "System.Int64", "()"))
|
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
|
|
return calledMethod;
|
|
|
|
|
|
}
|
|
|
|
|
|
return null;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-11-02 22:57:11 +08:00
|
|
|
|
static TypeDef findDataDecrypterType(MethodDef method) {
|
2012-02-27 05:48:43 +08:00
|
|
|
|
foreach (var instr in method.Body.Instructions) {
|
|
|
|
|
|
if (instr.OpCode.Code != Code.Call)
|
|
|
|
|
|
continue;
|
2012-11-02 22:57:11 +08:00
|
|
|
|
var calledMethod = instr.Operand as MethodDef;
|
2012-02-27 05:48:43 +08:00
|
|
|
|
if (calledMethod == null)
|
|
|
|
|
|
continue;
|
|
|
|
|
|
if (!DotNetUtils.isMethod(calledMethod, "System.Byte[]", "(System.Byte[],System.Byte[])"))
|
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
|
|
return calledMethod.DeclaringType;
|
|
|
|
|
|
}
|
|
|
|
|
|
return null;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-04-10 09:52:18 +08:00
|
|
|
|
bool findShorts() {
|
2012-02-27 05:48:43 +08:00
|
|
|
|
int index = 0;
|
2012-04-10 09:52:18 +08:00
|
|
|
|
if (!findShort(ref index, ref s1))
|
2012-02-27 05:48:43 +08:00
|
|
|
|
return false;
|
2012-04-10 09:52:18 +08:00
|
|
|
|
if (!findShort(ref index, ref s2))
|
2012-02-27 05:48:43 +08:00
|
|
|
|
return false;
|
2012-04-10 09:52:18 +08:00
|
|
|
|
if (!findShort(ref index, ref s3))
|
2012-02-27 05:48:43 +08:00
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-04-10 09:52:18 +08:00
|
|
|
|
bool findShort(ref int index, ref short s) {
|
|
|
|
|
|
if (!findCallReadInt16(ref index))
|
2012-02-27 05:48:43 +08:00
|
|
|
|
return false;
|
|
|
|
|
|
index++;
|
2012-04-10 09:52:18 +08:00
|
|
|
|
return stringMethodConsts.getInt16(ref index, out s);
|
2012-02-27 05:48:43 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2012-12-11 04:43:56 +08:00
|
|
|
|
bool findInts(int index) {
|
2012-04-10 09:52:18 +08:00
|
|
|
|
if (index < 0)
|
|
|
|
|
|
return false;
|
2012-03-06 15:17:55 +08:00
|
|
|
|
|
2012-04-10 09:52:18 +08:00
|
|
|
|
i2 = 0;
|
|
|
|
|
|
var instrs = stringMethod.Body.Instructions;
|
2012-12-11 04:43:56 +08:00
|
|
|
|
|
|
|
|
|
|
var emu = new InstructionEmulator(stringMethod);
|
|
|
|
|
|
foreach (var kv in stringMethodConsts.Locals32)
|
|
|
|
|
|
emu.setLocal(kv.Key, new Int32Value(kv.Value));
|
|
|
|
|
|
|
|
|
|
|
|
var fields = new Dictionary<FieldDef, int?>();
|
2012-04-10 09:52:18 +08:00
|
|
|
|
for (int i = index; i < instrs.Count - 2; i++) {
|
|
|
|
|
|
var instr = instrs[i];
|
2012-02-27 05:48:43 +08:00
|
|
|
|
|
2012-12-11 04:43:56 +08:00
|
|
|
|
FieldDef field;
|
|
|
|
|
|
switch (instr.OpCode.Code) {
|
|
|
|
|
|
case Code.Ldsfld:
|
|
|
|
|
|
field = instr.Operand as FieldDef;
|
|
|
|
|
|
if (field == null || field.DeclaringType != stringMethod.DeclaringType || field.FieldType.GetElementType() != ElementType.I4)
|
|
|
|
|
|
goto default;
|
|
|
|
|
|
fields[field] = null;
|
|
|
|
|
|
emu.push(new Int32Value(i1));
|
2012-04-10 09:52:18 +08:00
|
|
|
|
break;
|
2012-12-11 04:43:56 +08:00
|
|
|
|
|
|
|
|
|
|
case Code.Stsfld:
|
|
|
|
|
|
field = instr.Operand as FieldDef;
|
|
|
|
|
|
if (field == null || field.DeclaringType != stringMethod.DeclaringType || field.FieldType.GetElementType() != ElementType.I4)
|
|
|
|
|
|
goto default;
|
|
|
|
|
|
if (fields.ContainsKey(field) && fields[field] == null)
|
|
|
|
|
|
goto default;
|
|
|
|
|
|
var val = emu.pop() as Int32Value;
|
|
|
|
|
|
if (val == null || !val.allBitsValid())
|
|
|
|
|
|
fields[field] = null;
|
|
|
|
|
|
else
|
|
|
|
|
|
fields[field] = val.value;
|
2012-04-10 09:52:18 +08:00
|
|
|
|
break;
|
2012-03-06 15:17:55 +08:00
|
|
|
|
|
2012-12-11 04:43:56 +08:00
|
|
|
|
case Code.Call:
|
|
|
|
|
|
var method = instr.Operand as MethodDef;
|
|
|
|
|
|
if (!decrypterType.Detected || method != decrypterType.Int64Method)
|
|
|
|
|
|
goto done;
|
|
|
|
|
|
emu.push(new Int64Value((long)decrypterType.getMagic()));
|
|
|
|
|
|
break;
|
2012-03-06 15:17:55 +08:00
|
|
|
|
|
2012-12-11 07:23:16 +08:00
|
|
|
|
case Code.Newobj:
|
|
|
|
|
|
if (!emulateDynocode(emu, ref i))
|
|
|
|
|
|
goto default;
|
|
|
|
|
|
break;
|
|
|
|
|
|
|
2012-12-11 04:43:56 +08:00
|
|
|
|
default:
|
|
|
|
|
|
if (instr.OpCode.FlowControl != FlowControl.Next)
|
|
|
|
|
|
goto done;
|
|
|
|
|
|
emu.emulate(instr);
|
|
|
|
|
|
break;
|
2012-04-10 09:52:18 +08:00
|
|
|
|
}
|
2012-03-06 15:17:55 +08:00
|
|
|
|
}
|
2012-12-11 04:43:56 +08:00
|
|
|
|
done: ;
|
2012-03-06 15:17:55 +08:00
|
|
|
|
|
2012-12-11 04:43:56 +08:00
|
|
|
|
foreach (var val in fields.Values) {
|
|
|
|
|
|
if (val == null)
|
|
|
|
|
|
continue;
|
|
|
|
|
|
magic1 = i2 = val.Value;
|
|
|
|
|
|
return true;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return false;
|
2012-04-10 09:52:18 +08:00
|
|
|
|
}
|
2012-03-06 15:17:55 +08:00
|
|
|
|
|
2012-12-11 07:23:16 +08:00
|
|
|
|
bool emulateDynocode(InstructionEmulator emu, ref int index) {
|
|
|
|
|
|
var instrs = stringMethod.Body.Instructions;
|
|
|
|
|
|
var instr = instrs[index];
|
|
|
|
|
|
|
|
|
|
|
|
var ctor = instr.Operand as MethodDef;
|
|
|
|
|
|
if (ctor == null || ctor.MethodSig.GetParamCount() != 1 || ctor.MethodSig.Params[0].ElementType != ElementType.I4)
|
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
|
|
if (index + 4 >= instrs.Count)
|
|
|
|
|
|
return false;
|
|
|
|
|
|
var ldloc = instrs[index + 3];
|
|
|
|
|
|
if (!ldloc.IsLdloc() || instrs[index + 4].OpCode.Code != Code.Stfld)
|
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
|
|
var initValue = emu.getLocal(ldloc.GetLocal(stringMethod.Body.Variables)) as Int32Value;
|
|
|
|
|
|
if (initValue == null || !initValue.allBitsValid())
|
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
|
|
int leaveIndex = findLeave(instrs, index);
|
|
|
|
|
|
if (leaveIndex < 0)
|
|
|
|
|
|
return false;
|
|
|
|
|
|
var afterLoop = instrs[leaveIndex].Operand as Instruction;
|
|
|
|
|
|
if (afterLoop == null)
|
|
|
|
|
|
return false;
|
|
|
|
|
|
int newIndex = instrs.IndexOf(afterLoop);
|
|
|
|
|
|
var loopLocal = getDCLoopLocal(index, newIndex);
|
|
|
|
|
|
if (loopLocal == null)
|
|
|
|
|
|
return false;
|
|
|
|
|
|
var initValue2 = emu.getLocal(loopLocal) as Int32Value;
|
|
|
|
|
|
if (initValue2 == null || !initValue2.allBitsValid())
|
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
|
|
var dcGen = dynocode.getDynocodeGenerator(ctor.DeclaringType);
|
|
|
|
|
|
if (dcGen == null)
|
|
|
|
|
|
return false;
|
|
|
|
|
|
int loopLocalValue = initValue2.value;
|
|
|
|
|
|
foreach (var val in dcGen.getValues(initValue.value))
|
|
|
|
|
|
loopLocalValue ^= val;
|
|
|
|
|
|
|
|
|
|
|
|
emu.setLocal(loopLocal, new Int32Value(loopLocalValue));
|
|
|
|
|
|
emu.emulate(instr);
|
|
|
|
|
|
index = newIndex - 1;
|
|
|
|
|
|
return true;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
Local getDCLoopLocal(int start, int end) {
|
|
|
|
|
|
var instrs = stringMethod.Body.Instructions;
|
|
|
|
|
|
for (int i = start; i < end - 1; i++) {
|
|
|
|
|
|
if (instrs[i].OpCode.Code != Code.Xor)
|
|
|
|
|
|
continue;
|
|
|
|
|
|
var stloc = instrs[i + 1];
|
|
|
|
|
|
if (!stloc.IsStloc())
|
|
|
|
|
|
continue;
|
|
|
|
|
|
return stloc.GetLocal(stringMethod.Body.Variables);
|
|
|
|
|
|
}
|
|
|
|
|
|
return null;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int findLeave(IList<Instruction> instrs, int index) {
|
|
|
|
|
|
for (int i = index; i < instrs.Count; i++) {
|
|
|
|
|
|
if (instrs[i].OpCode.Code == Code.Leave_S || instrs[i].OpCode.Code == Code.Leave)
|
|
|
|
|
|
return i;
|
|
|
|
|
|
}
|
|
|
|
|
|
return -1;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-11-02 22:57:11 +08:00
|
|
|
|
static int findInitIntsIndex(MethodDef method, out bool initializedAll) {
|
2012-04-10 09:52:18 +08:00
|
|
|
|
initializedAll = false;
|
2012-03-17 06:22:24 +08:00
|
|
|
|
|
2012-04-10 09:52:18 +08:00
|
|
|
|
var instrs = method.Body.Instructions;
|
|
|
|
|
|
for (int i = 0; i < instrs.Count; i++) {
|
|
|
|
|
|
var ldnull = instrs[i];
|
|
|
|
|
|
if (ldnull.OpCode.Code != Code.Ldnull)
|
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
|
|
var stsfld = instrs[i + 1];
|
|
|
|
|
|
if (stsfld.OpCode.Code != Code.Stsfld)
|
|
|
|
|
|
continue;
|
|
|
|
|
|
|
2012-11-02 22:57:11 +08:00
|
|
|
|
var storeField = stsfld.Operand as FieldDef;
|
2012-04-10 09:52:18 +08:00
|
|
|
|
if (storeField == null || storeField.FieldType.FullName != "System.Byte[]")
|
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
|
|
var instr = instrs[i + 2];
|
|
|
|
|
|
if (instr.OpCode.Code == Code.Ldsfld) {
|
2012-11-02 22:57:11 +08:00
|
|
|
|
var loadField = instr.Operand as FieldDef;
|
2012-11-18 08:09:07 +08:00
|
|
|
|
if (loadField == null || loadField.FieldType.GetElementType() != ElementType.I4)
|
2012-04-10 09:52:18 +08:00
|
|
|
|
continue;
|
|
|
|
|
|
}
|
2012-11-18 08:09:07 +08:00
|
|
|
|
else if (instr.IsLdcI4()) {
|
2012-04-10 09:52:18 +08:00
|
|
|
|
initializedAll = true;
|
|
|
|
|
|
}
|
|
|
|
|
|
else
|
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
|
|
return i;
|
2012-03-17 18:19:03 +08:00
|
|
|
|
}
|
2012-03-17 06:22:24 +08:00
|
|
|
|
|
2012-04-10 09:52:18 +08:00
|
|
|
|
return -1;
|
2012-03-17 06:22:24 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2012-11-02 22:57:11 +08:00
|
|
|
|
bool findIntsCctor(MethodDef cctor) {
|
2012-03-06 15:17:55 +08:00
|
|
|
|
int index = 0;
|
|
|
|
|
|
if (!findCallGetFrame(cctor, ref index))
|
2012-03-19 05:59:34 +08:00
|
|
|
|
return findIntsCctor2(cctor);
|
2012-03-06 15:17:55 +08:00
|
|
|
|
|
2012-04-10 09:52:18 +08:00
|
|
|
|
int tmp1, tmp2, tmp3 = 0;
|
2012-04-30 07:26:10 +08:00
|
|
|
|
var constantsReader = new EfConstantsReader(cctor);
|
2012-04-10 09:52:18 +08:00
|
|
|
|
if (!constantsReader.getNextInt32(ref index, out tmp1))
|
|
|
|
|
|
return false;
|
|
|
|
|
|
if (tmp1 == 0 && !constantsReader.getNextInt32(ref index, out tmp1))
|
2012-02-27 05:48:43 +08:00
|
|
|
|
return false;
|
2012-04-10 09:52:18 +08:00
|
|
|
|
if (!constantsReader.getNextInt32(ref index, out tmp2))
|
2012-06-25 07:14:26 +08:00
|
|
|
|
return false;
|
|
|
|
|
|
if (tmp2 == 0 && !constantsReader.getNextInt32(ref index, out tmp2))
|
2012-02-27 05:48:43 +08:00
|
|
|
|
return false;
|
|
|
|
|
|
|
2012-03-06 15:17:55 +08:00
|
|
|
|
index = 0;
|
2012-04-10 09:52:18 +08:00
|
|
|
|
var instrs = cctor.Body.Instructions;
|
|
|
|
|
|
while (index < instrs.Count) {
|
2012-03-06 15:17:55 +08:00
|
|
|
|
int tmp4;
|
2012-04-10 09:52:18 +08:00
|
|
|
|
if (!constantsReader.getNextInt32(ref index, out tmp4))
|
2012-03-06 15:17:55 +08:00
|
|
|
|
break;
|
2012-11-18 08:09:07 +08:00
|
|
|
|
if (index < instrs.Count && instrs[index].IsLdloc())
|
2012-04-10 09:52:18 +08:00
|
|
|
|
tmp3 = tmp4;
|
2012-03-06 15:17:55 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
i1 = tmp1 ^ tmp2 ^ tmp3;
|
2012-02-27 05:48:43 +08:00
|
|
|
|
return true;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-03-19 05:59:34 +08:00
|
|
|
|
// Compact Framework doesn't have StackFrame
|
2012-11-02 22:57:11 +08:00
|
|
|
|
bool findIntsCctor2(MethodDef cctor) {
|
2012-03-19 05:59:34 +08:00
|
|
|
|
int index = 0;
|
|
|
|
|
|
var instrs = cctor.Body.Instructions;
|
2012-04-30 07:26:10 +08:00
|
|
|
|
var constantsReader = new EfConstantsReader(cctor);
|
2012-03-19 05:59:34 +08:00
|
|
|
|
while (index >= 0) {
|
|
|
|
|
|
int val;
|
2012-04-10 09:52:18 +08:00
|
|
|
|
if (!constantsReader.getNextInt32(ref index, out val))
|
2012-03-19 05:59:34 +08:00
|
|
|
|
break;
|
|
|
|
|
|
if (index < instrs.Count && instrs[index].OpCode.Code == Code.Add) {
|
|
|
|
|
|
i1 = val;
|
|
|
|
|
|
return true;
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return false;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-04-10 09:52:18 +08:00
|
|
|
|
bool findInt3() {
|
2012-03-17 06:22:24 +08:00
|
|
|
|
if (!isV32OrLater)
|
2012-04-10 09:52:18 +08:00
|
|
|
|
return findInt3Old();
|
|
|
|
|
|
return findInt3New();
|
2012-02-27 05:48:43 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// <= 3.1
|
2012-04-10 09:52:18 +08:00
|
|
|
|
bool findInt3Old() {
|
|
|
|
|
|
var instrs = stringMethod.Body.Instructions;
|
2012-02-27 05:48:43 +08:00
|
|
|
|
for (int i = 0; i < instrs.Count - 4; i++) {
|
|
|
|
|
|
var ldarg0 = instrs[i];
|
|
|
|
|
|
if (ldarg0.OpCode.Code != Code.Ldarg_0)
|
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
|
|
var ldci4 = instrs[i + 1];
|
2012-11-18 08:09:07 +08:00
|
|
|
|
if (!ldci4.IsLdcI4())
|
2012-02-27 05:48:43 +08:00
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
|
|
int index = i + 1;
|
|
|
|
|
|
int value;
|
2012-04-10 09:52:18 +08:00
|
|
|
|
if (!stringMethodConsts.getInt32(ref index, out value))
|
2012-02-27 05:48:43 +08:00
|
|
|
|
continue;
|
|
|
|
|
|
if (index >= instrs.Count)
|
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
|
|
if (instrs[index].OpCode.Code != Code.Xor)
|
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
|
|
i3 = value;
|
|
|
|
|
|
return true;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return false;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 3.2+
|
2012-04-10 09:52:18 +08:00
|
|
|
|
bool findInt3New() {
|
|
|
|
|
|
var instrs = stringMethod.Body.Instructions;
|
|
|
|
|
|
for (int i = 0; i < instrs.Count; i++) {
|
|
|
|
|
|
int index = i;
|
|
|
|
|
|
|
|
|
|
|
|
var ldarg0 = instrs[index++];
|
2012-02-27 05:48:43 +08:00
|
|
|
|
if (ldarg0.OpCode.Code != Code.Ldarg_0)
|
|
|
|
|
|
continue;
|
|
|
|
|
|
|
2012-04-10 09:52:18 +08:00
|
|
|
|
int value;
|
|
|
|
|
|
if (!stringMethodConsts.getInt32(ref index, out value))
|
2012-02-27 05:48:43 +08:00
|
|
|
|
continue;
|
|
|
|
|
|
|
2012-04-10 09:52:18 +08:00
|
|
|
|
if (index + 3 >= instrs.Count)
|
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
|
|
if (instrs[index++].OpCode.Code != Code.Xor)
|
2012-02-27 05:48:43 +08:00
|
|
|
|
continue;
|
|
|
|
|
|
|
2012-11-18 08:09:07 +08:00
|
|
|
|
if (!instrs[index++].IsLdloc())
|
2012-02-27 05:48:43 +08:00
|
|
|
|
continue;
|
|
|
|
|
|
|
2012-04-10 09:52:18 +08:00
|
|
|
|
if (instrs[index++].OpCode.Code != Code.Xor)
|
2012-02-27 05:48:43 +08:00
|
|
|
|
continue;
|
|
|
|
|
|
|
2012-04-10 09:52:18 +08:00
|
|
|
|
i3 = value;
|
|
|
|
|
|
if (!findInt6(index++))
|
2012-03-11 22:34:53 +08:00
|
|
|
|
return false;
|
2012-02-27 05:48:43 +08:00
|
|
|
|
return true;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return false;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-04-10 09:52:18 +08:00
|
|
|
|
// v3.3.134+
|
|
|
|
|
|
bool findInt6(int index) {
|
|
|
|
|
|
index = getNextLdci4InSameBlock(index);
|
2012-03-11 22:34:53 +08:00
|
|
|
|
if (index < 0)
|
|
|
|
|
|
return true;
|
|
|
|
|
|
|
2012-04-10 09:52:18 +08:00
|
|
|
|
return stringMethodConsts.getNextInt32(ref index, out i6);
|
2012-03-11 22:34:53 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2012-04-10 09:52:18 +08:00
|
|
|
|
bool findInt4() {
|
2012-02-27 05:48:43 +08:00
|
|
|
|
int index = 0;
|
2012-04-10 09:52:18 +08:00
|
|
|
|
if (!findCallReadInt32(ref index))
|
2012-02-27 05:48:43 +08:00
|
|
|
|
return false;
|
2012-04-10 09:52:18 +08:00
|
|
|
|
if (!stringMethodConsts.getNextInt32(ref index, out i4))
|
2012-02-27 05:48:43 +08:00
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-04-10 09:52:18 +08:00
|
|
|
|
int getNextLdci4InSameBlock(int index) {
|
|
|
|
|
|
var instrs = stringMethod.Body.Instructions;
|
2012-03-11 22:34:53 +08:00
|
|
|
|
for (int i = index; i < instrs.Count; i++) {
|
|
|
|
|
|
var instr = instrs[i];
|
|
|
|
|
|
if (instr.OpCode.FlowControl != FlowControl.Next)
|
|
|
|
|
|
return -1;
|
2012-07-31 01:07:25 +08:00
|
|
|
|
if (stringMethodConsts.isLoadConstantInt32(instr))
|
2012-03-11 22:34:53 +08:00
|
|
|
|
return i;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return -1;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-04-10 09:52:18 +08:00
|
|
|
|
bool findInt5() {
|
2012-02-27 05:48:43 +08:00
|
|
|
|
int index = -1;
|
|
|
|
|
|
while (true) {
|
|
|
|
|
|
index++;
|
2012-04-10 09:52:18 +08:00
|
|
|
|
if (!findCallReadBytes(ref index))
|
2012-02-27 05:48:43 +08:00
|
|
|
|
return false;
|
|
|
|
|
|
if (index <= 0)
|
|
|
|
|
|
continue;
|
2012-04-10 09:52:18 +08:00
|
|
|
|
var ldci4 = stringMethod.Body.Instructions[index - 1];
|
2012-11-18 08:09:07 +08:00
|
|
|
|
if (!ldci4.IsLdcI4())
|
2012-02-27 05:48:43 +08:00
|
|
|
|
continue;
|
2012-11-18 08:09:07 +08:00
|
|
|
|
if (ldci4.GetLdcI4Value() != 4)
|
2012-02-27 05:48:43 +08:00
|
|
|
|
continue;
|
2012-04-10 09:52:18 +08:00
|
|
|
|
if (!stringMethodConsts.getNextInt32(ref index, out i5))
|
2012-02-27 05:48:43 +08:00
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-11-02 22:57:11 +08:00
|
|
|
|
static bool callsGetPublicKeyToken(MethodDef method) {
|
2012-02-27 05:48:43 +08:00
|
|
|
|
int index = 0;
|
|
|
|
|
|
return findCall(method, ref index, "System.Byte[] System.Reflection.AssemblyName::GetPublicKeyToken()");
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-04-10 09:52:18 +08:00
|
|
|
|
bool findCallReadInt16(ref int index) {
|
|
|
|
|
|
return findCall(stringMethod, ref index, streamHelperType == null ? "System.Int16 System.IO.BinaryReader::ReadInt16()" : streamHelperType.readInt16Method.FullName);
|
2012-03-06 15:17:55 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2012-04-10 09:52:18 +08:00
|
|
|
|
bool findCallReadInt32(ref int index) {
|
|
|
|
|
|
return findCall(stringMethod, ref index, streamHelperType == null ? "System.Int32 System.IO.BinaryReader::ReadInt32()" : streamHelperType.readInt32Method.FullName);
|
2012-02-27 05:48:43 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2012-04-10 09:52:18 +08:00
|
|
|
|
bool findCallReadBytes(ref int index) {
|
|
|
|
|
|
return findCall(stringMethod, ref index, streamHelperType == null ? "System.Byte[] System.IO.BinaryReader::ReadBytes(System.Int32)" : streamHelperType.readBytesMethod.FullName);
|
2012-02-27 05:48:43 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2012-11-02 22:57:11 +08:00
|
|
|
|
static bool findCallGetFrame(MethodDef method, ref int index) {
|
2012-03-06 15:17:55 +08:00
|
|
|
|
return findCall(method, ref index, "System.Diagnostics.StackFrame System.Diagnostics.StackTrace::GetFrame(System.Int32)");
|
2012-02-27 05:48:43 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2012-11-02 22:57:11 +08:00
|
|
|
|
static bool findCall(MethodDef method, ref int index, string methodFullName) {
|
2012-02-27 05:48:43 +08:00
|
|
|
|
for (; index < method.Body.Instructions.Count; index++) {
|
|
|
|
|
|
if (!findCallvirt(method, ref index))
|
|
|
|
|
|
return false;
|
|
|
|
|
|
|
2012-11-18 08:09:07 +08:00
|
|
|
|
var calledMethod = method.Body.Instructions[index].Operand as IMethod;
|
2012-02-27 05:48:43 +08:00
|
|
|
|
if (calledMethod == null)
|
|
|
|
|
|
continue;
|
|
|
|
|
|
if (calledMethod.ToString() != methodFullName)
|
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
|
}
|
|
|
|
|
|
return false;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-11-02 22:57:11 +08:00
|
|
|
|
static bool findCallvirt(MethodDef method, ref int index) {
|
2012-02-27 05:48:43 +08:00
|
|
|
|
var instrs = method.Body.Instructions;
|
|
|
|
|
|
for (; index < instrs.Count; index++) {
|
|
|
|
|
|
var instr = instrs[index];
|
|
|
|
|
|
if (instr.OpCode.Code != Code.Callvirt)
|
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return false;
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
