Update detection of resource resolver type

de4dot.code/deobfuscators/CliSecure/Deobfuscator.cs

@@ -78,6 +78,7 @@ namespace de4dot.code.deobfuscators.CliSecure {
 		ProxyDelegateFinder proxyDelegateFinder;
 		CliSecureRtType cliSecureRtType;
 		StringDecrypter stringDecrypter;
+		ResourceDecrypter resourceDecrypter;
 
 		StackFrameHelper stackFrameHelper;
 		vm.Csvm csvm;
@@ -143,6 +144,7 @@ namespace de4dot.code.deobfuscators.CliSecure {
 			int sum = toInt32(cliSecureRtType.Detected) +
 					toInt32(stringDecrypter.Detected) +
 					toInt32(proxyDelegateFinder.Detected) +
+					toInt32(resourceDecrypter.Detected) +
 					toInt32(csvm.Detected);
 			if (sum > 0)
 				val += 100 + 10 * (sum - 1);
@@ -158,6 +160,8 @@ namespace de4dot.code.deobfuscators.CliSecure {
 			cliSecureRtType.find();
 			stringDecrypter = new StringDecrypter(module, cliSecureRtType.StringDecrypterMethod);
 			stringDecrypter.find();
+			resourceDecrypter = new ResourceDecrypter(module);
+			resourceDecrypter.find();
 			proxyDelegateFinder = new ProxyDelegateFinder(module);
 			proxyDelegateFinder.findDelegateCreator();
 			csvm = new vm.Csvm(DeobfuscatedFile.DeobfuscatorContext, module);
@@ -199,6 +203,7 @@ namespace de4dot.code.deobfuscators.CliSecure {
 			newOne.cliSecureAttributes = lookup(module, cliSecureAttributes, "Could not find CliSecure attribute");
 			newOne.cliSecureRtType = new CliSecureRtType(module, cliSecureRtType);
 			newOne.stringDecrypter = new StringDecrypter(module, stringDecrypter);
+			newOne.resourceDecrypter = new ResourceDecrypter(module, resourceDecrypter);
 			newOne.proxyDelegateFinder = new ProxyDelegateFinder(module, proxyDelegateFinder);
 			newOne.csvm = new vm.Csvm(DeobfuscatedFile.DeobfuscatorContext, module, csvm);
 			return newOne;
@@ -220,8 +225,6 @@ namespace de4dot.code.deobfuscators.CliSecure {
 			addAttributesToBeRemoved(cliSecureAttributes, "Obfuscator attribute");
 
 			if (options.DecryptResources) {
-				var resourceDecrypter = new ResourceDecrypter(module);
-				resourceDecrypter.find();
 				decryptResources(resourceDecrypter);
 				addCctorInitCallToBeRemoved(resourceDecrypter.RsrcRrrMethod);
 			}

de4dot.code/deobfuscators/CliSecure/ResourceDecrypter.cs

@@ -28,7 +28,11 @@ namespace de4dot.code.deobfuscators.CliSecure {
 		ModuleDefinition module;
 		TypeDefinition rsrcType;
 		MethodDefinition rsrcRrrMethod;
-		MethodDefinition rsrcDecryptMethod;
+		MethodDefinition rsrcResolveMethod;
+
+		public bool Detected {
+			get { return rsrcType != null; }
+		}
 
 		public TypeDefinition Type {
 			get { return rsrcType; }
@@ -42,39 +46,57 @@ namespace de4dot.code.deobfuscators.CliSecure {
 			this.module = module;
 		}
 
+		public ResourceDecrypter(ModuleDefinition module, ResourceDecrypter oldOne) {
+			this.module = module;
+			rsrcType = lookup(oldOne.rsrcType, "Could not find rsrcType");
+			rsrcRrrMethod = lookup(oldOne.rsrcRrrMethod, "Could not find rsrcRrrMethod");
+			rsrcResolveMethod = lookup(oldOne.rsrcResolveMethod, "Could not find rsrcResolveMethod");
+		}
+
+		T lookup<T>(T def, string errorMessage) where T : MemberReference {
+			return DeobUtils.lookup(module, def, errorMessage);
+		}
+
 		public void find() {
 			findResourceType();
 		}
 
+		static readonly string[] requiredFields = new string[] {
+			"System.Reflection.Assembly",
+			"System.String[]",
+		};
 		void findResourceType() {
-			foreach (var type in module.Types) {
-				MethodDefinition rrrMethod = null;
-				MethodDefinition decryptMethod = null;
+			var cctor = DotNetUtils.getModuleTypeCctor(module);
+			if (cctor == null)
+				return;
 
-				foreach (var method in type.Methods) {
-					if (method.Name == "rrr" && DotNetUtils.isMethod(method, "System.Void", "()"))
-						rrrMethod = method;
-					else if (DotNetUtils.isMethod(method, "System.Reflection.Assembly", "(System.Object,System.ResolveEventArgs)"))
-						decryptMethod = method;
-				}
-				if (rrrMethod == null || decryptMethod == null)
+			foreach (var calledMethod in DotNetUtils.getCalledMethods(module, cctor)) {
+				if (!calledMethod.IsStatic || calledMethod.Body == null)
+					continue;
+				if (!DotNetUtils.isMethod(calledMethod, "System.Void", "()"))
+					continue;
+				var type = calledMethod.DeclaringType;
+				if (!new FieldTypes(type).exactly(requiredFields))
 					continue;
 
-				var methodCalls = DotNetUtils.getMethodCallCounts(rrrMethod);
-				if (methodCalls.count("System.Void System.ResolveEventHandler::.ctor(System.Object,System.IntPtr)") != 1)
+				var resolveHandler = DotNetUtils.getMethod(type, "System.Reflection.Assembly", "(System.Object,System.ResolveEventArgs)");
+				var decryptMethod = DotNetUtils.getMethod(type, "System.Byte[]", "(System.IO.Stream)");
+				if (resolveHandler == null || !resolveHandler.IsStatic)
+					continue;
+				if (decryptMethod == null || !decryptMethod.IsStatic)
 					continue;
 
 				rsrcType = type;
-				rsrcRrrMethod = rrrMethod;
-				rsrcDecryptMethod = decryptMethod;
+				rsrcRrrMethod = calledMethod;
+				rsrcResolveMethod = resolveHandler;
 				return;
 			}
 		}
 
 		public EmbeddedResource mergeResources() {
-			if (rsrcDecryptMethod == null)
+			if (rsrcResolveMethod == null)
 				return null;
-			var resource = DotNetUtils.getResource(module, DotNetUtils.getCodeStrings(rsrcDecryptMethod)) as EmbeddedResource;
+			var resource = DotNetUtils.getResource(module, DotNetUtils.getCodeStrings(rsrcResolveMethod)) as EmbeddedResource;
 			if (resource == null)
 				return null;
 			DeobUtils.decryptAndAddResources(module, resource.Name, () => decryptResource(resource));