本文整理汇总了C#中ISimpleDeobfuscator.Deobfuscate方法的典型用法代码示例。如果您正苦于以下问题:C# ISimpleDeobfuscator.Deobfuscate方法的具体用法?C# ISimpleDeobfuscator.Deobfuscate怎么用?C# ISimpleDeobfuscator.Deobfuscate使用的例子?那么, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类ISimpleDeobfuscator的用法示例。
在下文中一共展示了ISimpleDeobfuscator.Deobfuscate方法的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的C#代码示例。
示例1: CheckMethod
bool CheckMethod(ISimpleDeobfuscator simpleDeobfuscator, MethodDef method) {
if (method == null || method.Body == null)
return false;
foreach (var instr in method.Body.Instructions) {
if (instr.OpCode.Code != Code.Call)
continue;
var calledMethod = instr.Operand as MethodDef;
if (calledMethod == null)
continue;
if (calledMethod == null || !calledMethod.IsStatic)
continue;
if (!DotNetUtils.IsMethod(calledMethod, "System.Void", "()"))
continue;
var type = calledMethod.DeclaringType;
if (type.NestedTypes.Count > 0)
continue;
simpleDeobfuscator.Deobfuscate(calledMethod, SimpleDeobfuscatorFlags.Force | SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
if (CheckType(type, calledMethod)) {
initMethod = calledMethod;
return true;
}
}
return false;
}示例2: FindGetManifestResourceStreamTypeResource
EmbeddedResource FindGetManifestResourceStreamTypeResource(TypeDef type, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
foreach (var method in type.Methods) {
if (!method.IsPrivate || !method.IsStatic || method.Body == null)
continue;
if (!DotNetUtils.IsMethod(method, "System.String", "(System.Reflection.Assembly,System.Type,System.String)"))
continue;
simpleDeobfuscator.Deobfuscate(method);
simpleDeobfuscator.DecryptStrings(method, deob);
foreach (var s in DotNetUtils.GetCodeStrings(method)) {
var resource = DotNetUtils.GetResource(module, s) as EmbeddedResource;
if (resource != null)
return resource;
}
}
return null;
}示例3: Initialize
void Initialize(ISimpleDeobfuscator simpleDeobfuscator, MethodDef method) {
var desList = new List<byte[]>(2);
var aesList = new List<byte[]>(2);
var instructions = method.Body.Instructions;
simpleDeobfuscator.Deobfuscate(method);
for (int i = 0; i <= instructions.Count - 2; i++) {
var ldtoken = instructions[i];
if (ldtoken.OpCode.Code != Code.Ldtoken)
continue;
var field = DotNetUtils.GetField(module, ldtoken.Operand as IField);
if (field == null)
continue;
if (field.InitialValue == null)
continue;
var call = instructions[i + 1];
if (call.OpCode.Code != Code.Call)
continue;
var calledMethod = call.Operand as IMethod;
if (!DotNetUtils.IsMethod(calledMethod, "System.Void", "(System.Array,System.RuntimeFieldHandle)"))
continue;
if (field.InitialValue.Length == 8)
desList.Add(field.InitialValue);
else if (field.InitialValue.Length == 16)
aesList.Add(field.InitialValue);
}
if (desList.Count >= 2) {
DES_Key = desList[desList.Count - 2];
DES_IV = desList[desList.Count - 1];
}
if (aesList.Count >= 2) {
AES_Key = aesList[aesList.Count - 2];
AES_IV = aesList[aesList.Count - 1];
}
}示例4: FindStringDecrypterMethods
void FindStringDecrypterMethods(TypeDef type, ISimpleDeobfuscator simpleDeobfuscator) {
foreach (var method in DotNetUtils.FindMethods(type.Methods, "System.String", new string[] { "System.String", "System.Int32" })) {
if (method.Body.HasExceptionHandlers)
continue;
if (DotNetUtils.GetMethodCalls(method, "System.Char[] System.String::ToCharArray()") != 1)
continue;
if (DotNetUtils.GetMethodCalls(method, "System.String System.String::Intern(System.String)") != 1)
continue;
simpleDeobfuscator.Deobfuscate(method);
var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count - 3; i++) {
var ldarg = instrs[i];
if (!ldarg.IsLdarg() || ldarg.GetParameterIndex() != 0)
continue;
var callvirt = instrs[i + 1];
if (callvirt.OpCode.Code != Code.Callvirt)
continue;
var calledMethod = callvirt.Operand as MemberRef;
if (calledMethod == null || calledMethod.FullName != "System.Char[] System.String::ToCharArray()")
continue;
var stloc = instrs[i + 2];
if (!stloc.IsStloc())
continue;
var ldci4 = instrs[i + 3];
if (!ldci4.IsLdcI4())
continue;
var info = new StringDecrypterInfo(method, ldci4.GetLdcI4Value());
stringDecrypterMethods.Add(info.method, info);
Logger.v("Found string decrypter method: {0}, magic: 0x{1:X8}", Utils.RemoveNewlines(info.method), info.magic);
break;
}
}
}示例5: FindConstants
bool FindConstants(ISimpleDeobfuscator simpleDeobfuscator) {
dynocode = new DynamicDynocodeIterator();
simpleDeobfuscator.Deobfuscate(stringMethod);
stringMethodConsts = new EfConstantsReader(stringMethod);
if (!FindResource(stringMethod))
return false;
checkMinus2 = isV32OrLater || DeobUtils.HasInteger(stringMethod, -2);
usePublicKeyToken = CallsGetPublicKeyToken(stringMethod);
var int64Method = FindInt64Method(stringMethod);
if (int64Method != null)
decrypterType.Type = int64Method.DeclaringType;
if (!FindShorts())
return false;
if (!FindInt3())
return false;
if (!FindInt4())
return false;
if (checkMinus2 && !FindInt5())
return false;
dataDecrypterType = FindDataDecrypterType(stringMethod);
if (dataDecrypterType == null)
return false;
if (isV32OrLater) {
bool initializedAll;
int index = FindInitIntsIndex(stringMethod, out initializedAll);
var cctor = stringType.FindStaticConstructor();
if (!initializedAll && cctor != null) {
simpleDeobfuscator.Deobfuscate(cctor);
if (!FindIntsCctor(cctor))
return false;
}
if (decrypterType.Detected && !decrypterType.Initialize())
return false;
if (!FindInts(index))
return false;
}
InitializeFlags();
Initialize();
return true;
}示例6: CheckType
bool CheckType(TypeDef type, MethodDef initMethod, ISimpleDeobfuscator simpleDeobfuscator) {
if (DotNetUtils.FindFieldType(type, "System.Collections.Hashtable", true) == null)
return false;
simpleDeobfuscator.Deobfuscate(initMethod);
if (!CheckInitMethod(initMethod))
return false;
if ((asmSeparator = FindAssemblySeparator(initMethod)) == null)
return false;
List<AssemblyInfo> newAssemblyInfos = null;
foreach (var s in DotNetUtils.GetCodeStrings(initMethod)) {
newAssemblyInfos = InitializeEmbeddedAssemblies(s);
if (newAssemblyInfos != null)
break;
}
if (newAssemblyInfos == null)
return false;
resolverType = type;
resolverMethod = initMethod;
assemblyInfos = newAssemblyInfos;
return true;
}示例7: FindEntryPointToken
bool FindEntryPointToken(ISimpleDeobfuscator simpleDeobfuscator, MethodDef cctor, MethodDef entryPoint, out uint token)
{
token = 0;
ulong @base;
if (!FindBase(cctor, out @base))
return false;
var modPowMethod = DotNetUtils.GetMethod(cctor.DeclaringType, "System.UInt64", "(System.UInt64,System.UInt64,System.UInt64)");
if (modPowMethod == null)
throw new ApplicationException("Could not find modPow()");
simpleDeobfuscator.Deobfuscate(entryPoint);
ulong mod;
if (!FindMod(entryPoint, out mod))
throw new ApplicationException("Could not find modulus");
token = 0x06000000 | (uint)ModPow(@base, 0x47, mod);
if (token >> 24 != 0x06)
throw new ApplicationException("Illegal entry point token");
return true;
}示例8: FindInitMethod
MethodDef FindInitMethod(ISimpleDeobfuscator simpleDeobfuscator) {
var ctor = Type.FindMethod(".ctor");
foreach (var method in Type.Methods) {
if (!method.IsStatic || method.Body == null)
continue;
if (!DotNetUtils.IsMethod(method, "System.Void", "()"))
continue;
if (method.Body.Variables.Count > 1)
continue;
simpleDeobfuscator.Deobfuscate(method);
bool stsfldUsed = false, newobjUsed = false;
foreach (var instr in method.Body.Instructions) {
if (instr.OpCode.Code == Code.Stsfld) {
var field = instr.Operand as IField;
if (field == null || field.FieldSig.GetFieldType().GetElementType() != ElementType.Boolean)
continue;
if (!new SigComparer().Equals(Type, field.DeclaringType))
continue;
stsfldUsed = true;
}
else if (instr.OpCode.Code == Code.Newobj) {
var calledCtor = instr.Operand as IMethod;
if (calledCtor == null)
continue;
if (!MethodEqualityComparer.CompareDeclaringTypes.Equals(calledCtor, ctor))
continue;
newobjUsed = true;
}
}
if (!stsfldUsed || !newobjUsed)
continue;
return method;
}
return null;
}示例9: FindConstants
bool FindConstants(ISimpleDeobfuscator simpleDeobfuscator) {
dynocode = new DynamicDynocodeIterator();
simpleDeobfuscator.Deobfuscate(stringMethod);
stringMethodConsts = new EfConstantsReader(stringMethod);
if (!FindResource(stringMethod))
return false;
checkMinus2 = isV32OrLater || DeobUtils.HasInteger(stringMethod, -2);
usePublicKeyToken = CallsGetPublicKeyToken(stringMethod);
var int64Method = FindInt64Method(stringMethod);
if (int64Method != null)
decrypterType.Type = int64Method.DeclaringType;
if (!FindShorts())
return false;
if (!FindInt3())
return false;
if (!FindInt4())
return false;
if (checkMinus2 && !FindInt5())
return false;
// The method body of the data decrypter method has been moved into
// the string decrypter helper method in 5.0
if (!isV50OrLater) {
dataDecrypterType = FindDataDecrypterType(stringMethod);
if (dataDecrypterType == null)
return false;
}
if (isV32OrLater) {
bool initializedAll;
int index = FindInitIntsIndex(stringMethod, out initializedAll);
var cctor = stringType.FindStaticConstructor();
if (!initializedAll && cctor != null) {
simpleDeobfuscator.Deobfuscate(cctor);
if (!FindIntsCctor(cctor))
return false;
}
if (decrypterType.Detected && !decrypterType.Initialize())
return false;
if (!isV50OrLater) {
decrypterType.ShiftConsts = new List<int> { 24, 16, 8, 0, 16, 8, 0, 24 };
}
else {
List<int> shiftConsts;
if (!FindShiftInts(decrypterType.Int64Method, out shiftConsts))
return false;
decrypterType.ShiftConsts = shiftConsts;
}
if (!FindInts(index))
return false;
}
InitializeFlags();
Initialize();
return true;
}示例10: Initialize
public void Initialize(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
if (handlerMethod == null)
return;
FindOtherType();
simpleDeobfuscator.Deobfuscate(handlerMethod);
simpleDeobfuscator.DecryptStrings(handlerMethod, deob);
if (!CreateAssemblyInfos())
throw new ApplicationException("Could not initialize assembly infos");
if (decryptMethod != null) {
simpleDeobfuscator.Deobfuscate(decryptMethod);
simpleDeobfuscator.DecryptStrings(decryptMethod, deob);
if (!CreateDecryptKey())
throw new ApplicationException("Could not initialize decryption key");
}
}示例11: GetAssemblyInfos
public List<AssemblyInfo> GetAssemblyInfos(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
var infos = new List<AssemblyInfo>();
if (embedResolverMethod != null) {
simpleDeobfuscator.Deobfuscate(embedResolverMethod);
simpleDeobfuscator.DecryptStrings(embedResolverMethod, deob);
embedPassword = GetEmbedPassword(embedResolverMethod);
}
if (embedPassword == null)
return infos;
foreach (var rsrc in module.Resources) {
var resource = rsrc as EmbeddedResource;
if (resource == null)
continue;
if (!Regex.IsMatch(resource.Name.String, "^cfd_([0-9a-f]{2})+_$"))
continue;
var asmData = Decrypt(embedPassword, Gunzip(resource.Data.ReadAllBytes()));
var mod = ModuleDefMD.Load(asmData);
infos.Add(new AssemblyInfo(asmData, resource, mod.Assembly.FullName, mod.Assembly.Name.String, DeobUtils.GetExtension(mod.Kind)));
}
return infos;
}示例12: InitializeArrays2
bool InitializeArrays2(ISimpleDeobfuscator simpleDeobfuscator, MethodDef method) {
bool foundField = false;
simpleDeobfuscator.Deobfuscate(method, true);
var instructions = method.Body.Instructions;
for (int i = 0; i < instructions.Count; i++) {
var ldci4 = instructions[i];
if (!ldci4.IsLdcI4())
continue;
i++;
var instrs = DotNetUtils.GetInstructions(instructions, i, OpCodes.Newarr, OpCodes.Dup, OpCodes.Ldtoken, OpCodes.Call, OpCodes.Stsfld);
if (instrs == null)
continue;
var arrayInitField = instrs[2].Operand as FieldDef;
if (arrayInitField == null || arrayInitField.InitialValue == null || arrayInitField.InitialValue.Length == 0)
continue;
var calledMethod = instrs[3].Operand as IMethod;
if (calledMethod == null || calledMethod.FullName != "System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle)")
continue;
var targetField = instrs[4].Operand as FieldDef;
if (targetField == null || targetField.FieldType.GetElementType() != ElementType.SZArray)
continue;
var etype = ((SZArraySig)targetField.FieldType).Next.GetElementType();
if (etype < ElementType.Boolean || etype > ElementType.U4)
continue;
if (fieldToInfo.Find(targetField) == null) {
fieldToInfo.Add(targetField, new FieldInfo(targetField, arrayInitField));
foundField = true;
}
}
return foundField;
}示例13: GetProxyCreatorType
static ProxyCreatorType GetProxyCreatorType(MethodDef method, ISimpleDeobfuscator simpleDeobfuscator, out int version) {
var type = GetProxyCreatorTypeV1(method);
if (type != ProxyCreatorType.None) {
version = 1;
return type;
}
simpleDeobfuscator.Deobfuscate(method);
type = GetProxyCreatorTypeV2(method);
if (type != ProxyCreatorType.None) {
version = 2;
return type;
}
version = 0;
return ProxyCreatorType.None;
}示例14: FindDelegateCreator
public void FindDelegateCreator(ISimpleDeobfuscator simpleDeobfuscator) {
var type = DotNetUtils.GetModuleType(module);
if (type == null)
return;
foreach (var method in type.Methods) {
if (method.Body == null || !method.IsStatic || !method.IsAssembly)
continue;
ConfuserVersion theVersion = ConfuserVersion.Unknown;
if (DotNetUtils.IsMethod(method, "System.Void", "(System.String,System.RuntimeFieldHandle)"))
theVersion = ConfuserVersion.v10_r42915;
else if (DotNetUtils.IsMethod(method, "System.Void", "(System.RuntimeFieldHandle)"))
theVersion = ConfuserVersion.v10_r48717;
else
continue;
int tmpVer;
var proxyType = GetProxyCreatorType(method, simpleDeobfuscator, out tmpVer);
if (proxyType == ProxyCreatorType.None)
continue;
if (proxyType == ProxyCreatorType.Newobj)
foundNewobjProxy = true;
simpleDeobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
MethodDef nativeMethod = null;
uint magic;
if (FindMagic_v14_r58564(method, out magic)) {
if (!DotNetUtils.CallsMethod(method, "System.Byte[] System.Convert::FromBase64String(System.String)")) {
if (!IsMethodCreator_v14_r58802(method, proxyType))
theVersion = ConfuserVersion.v14_r58564;
else
theVersion = ConfuserVersion.v14_r58802;
}
else if (DotNetUtils.CallsMethod(method, "System.Reflection.Module System.Reflection.MemberInfo::get_Module()"))
theVersion = ConfuserVersion.v17_r73479;
else if (proxyType != ProxyCreatorType.CallOrCallvirt || !HasFieldReference(method, "System.Reflection.Emit.OpCode System.Reflection.Emit.OpCodes::Castclass"))
theVersion = ConfuserVersion.v14_r58857;
else if (proxyType == ProxyCreatorType.CallOrCallvirt && DotNetUtils.CallsMethod(method, "System.Void System.Reflection.Emit.DynamicMethod::.ctor(System.String,System.Type,System.Type[],System.Boolean)"))
theVersion = ConfuserVersion.v16_r66631;
else if (proxyType == ProxyCreatorType.CallOrCallvirt)
theVersion = ConfuserVersion.v16_r70489;
}
else if (!DotNetUtils.CallsMethod(method, "System.Byte[] System.Convert::FromBase64String(System.String)") &&
DotNetUtils.CallsMethod(method, "System.Reflection.MethodBase System.Reflection.Module::ResolveMethod(System.Int32)")) {
if (proxyType == ProxyCreatorType.CallOrCallvirt && !FindCallvirtChar(method, out callvirtChar))
continue;
if ((nativeMethod = FindNativeMethod_v18_r75367(method)) != null)
theVersion = proxyType != ProxyCreatorType.CallOrCallvirt || callvirtChar == 9 ? ConfuserVersion.v18_r75367_native : ConfuserVersion.v18_r75369_native;
else if (FindMagic_v18_r75367(method, out magic))
theVersion = proxyType != ProxyCreatorType.CallOrCallvirt || callvirtChar == 9 ? ConfuserVersion.v18_r75367_normal : ConfuserVersion.v18_r75369_normal;
else if (FindMagic_v19_r76101(method, out magic))
CommonCheckVersion19(method, true, tmpVer, ref theVersion);
else if ((nativeMethod = FindNativeMethod_v19_r76101(method)) != null)
CommonCheckVersion19(method, false, tmpVer, ref theVersion);
else {
if (proxyType == ProxyCreatorType.CallOrCallvirt && !DotNetUtils.CallsMethod(method, "System.Int32 System.String::get_Length()"))
theVersion = ConfuserVersion.v11_r50378;
int numCalls = ConfuserUtils.CountCalls(method, "System.Byte[] System.Text.Encoding::GetBytes(System.Char[],System.Int32,System.Int32)");
if (numCalls == 2)
theVersion = ConfuserVersion.v12_r54564;
if (!DotNetUtils.CallsMethod(method, "System.Reflection.Assembly System.Reflection.Assembly::Load(System.Reflection.AssemblyName)"))
theVersion = ConfuserVersion.v13_r55346;
if (DotNetUtils.CallsMethod(method, "System.Void System.Runtime.CompilerServices.RuntimeHelpers::RunClassConstructor(System.RuntimeTypeHandle)"))
theVersion = ConfuserVersion.v13_r55604;
}
}
else if (Is_v17_r73740(method)) {
if (DotNetUtils.CallsMethod(method, "System.Boolean System.Type::get_IsArray()")) {
if ((nativeMethod = FindNativeMethod_v17_r73740(method)) != null)
theVersion = ConfuserVersion.v17_r74708_native;
else if (FindMagic_v17_r73740(method, out magic))
theVersion = ConfuserVersion.v17_r74708_normal;
else
continue;
}
else {
if ((nativeMethod = FindNativeMethod_v17_r73740(method)) != null)
theVersion = ConfuserVersion.v17_r73740_native;
else if (FindMagic_v17_r73740(method, out magic))
theVersion = ConfuserVersion.v17_r73740_normal;
else
continue;
}
}
else if (theVersion == ConfuserVersion.v10_r42915) {
if (DeobUtils.HasInteger(method, 0x06000000))
theVersion = ConfuserVersion.v10_r42919;
}
SetDelegateCreatorMethod(method);
methodToInfo.Add(method, new ProxyCreatorInfo(method, proxyType, theVersion, magic, nativeMethod, callvirtChar));
version = (ConfuserVersion)Math.Max((int)version, (int)theVersion);
}
}示例15: Find
public void Find(ISimpleDeobfuscator simpleDeobfuscator) {
if (module.Assembly == null)
return;
var pkt = module.Assembly.PublicKeyToken;
bool hasPublicKeyToken = !PublicKeyBase.IsNullOrEmpty2(pkt);
foreach (var type in module.GetTypes()) {
var cctor = type.FindStaticConstructor();
if (cctor == null)
continue;
bool deobfuscatedCctor = false;
bool? v13State = null, v40State = null, v41State = null;
foreach (var method in type.Methods) {
if (!method.IsStatic || method.Body == null)
continue;
IDecrypterInfo info = null;
if (DecrypterInfo13.IsPossibleDecrypterMethod(method, ref v13State)) {
DeobfuscateCctor(simpleDeobfuscator, cctor, ref deobfuscatedCctor, hasPublicKeyToken);
simpleDeobfuscator.Deobfuscate(method);
info = GetInfoV13(cctor, method);
}
else if (DecrypterInfo40.IsPossibleDecrypterMethod(method, ref v40State)) {
DeobfuscateCctor(simpleDeobfuscator, cctor, ref deobfuscatedCctor, hasPublicKeyToken);
simpleDeobfuscator.Deobfuscate(method);
info = GetInfoV40(cctor, method);
}
else if (DecrypterInfo41.IsPossibleDecrypterMethod(method, ref v41State)) {
DeobfuscateCctor(simpleDeobfuscator, cctor, ref deobfuscatedCctor, hasPublicKeyToken);
simpleDeobfuscator.Deobfuscate(method);
info = GetInfoV41(cctor, method);
}
if (info == null)
continue;
methodToInfo.Add(method, info);
version = info.Version;
}
}
}