本文整理汇总了C#中ISimpleDeobfuscator.deobfuscate方法的典型用法代码示例。如果您正苦于以下问题:C# ISimpleDeobfuscator.deobfuscate方法的具体用法?C# ISimpleDeobfuscator.deobfuscate怎么用?C# ISimpleDeobfuscator.deobfuscate使用的例子?那么恭喜您, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类ISimpleDeobfuscator的用法示例。
在下文中一共展示了ISimpleDeobfuscator.deobfuscate方法的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的C#代码示例。
示例1: findEmbeddedResource
public static EmbeddedResource findEmbeddedResource(ModuleDefinition module, TypeDefinition decrypterType, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
{
return findEmbeddedResource(module, decrypterType, (method) => {
simpleDeobfuscator.deobfuscate(method);
simpleDeobfuscator.decryptStrings(method, deob);
});
}示例2: updateFlags
bool updateFlags(MethodDefinition method, ISimpleDeobfuscator simpleDeobfuscator)
{
if (method == null || method.Body == null)
return false;
var constants = new List<int>();
simpleDeobfuscator.deobfuscate(method);
var instructions = method.Body.Instructions;
for (int i = 2; i < instructions.Count; i++) {
var and = instructions[i];
if (and.OpCode.Code != Code.And)
continue;
var ldci4 = instructions[i - 1];
if (!DotNetUtils.isLdcI4(ldci4))
continue;
var ldloc = instructions[i - 2];
if (!DotNetUtils.isLdloc(ldloc))
continue;
var local = DotNetUtils.getLocalVar(method.Body.Variables, ldloc);
if (local.VariableType.ToString() != "System.Byte")
continue;
constants.Add(DotNetUtils.getLdcI4Value(ldci4));
}
if (constants.Count == 2) {
desEncryptedFlag = (byte)constants[0];
deflatedFlag = (byte)constants[1];
return true;
}
return false;
}示例3: find
public void find(ISimpleDeobfuscator simpleDeobfuscator)
{
if (module.Assembly == null)
return;
var pkt = module.Assembly.PublicKeyToken;
bool hasPublicKeyToken = !PublicKeyBase.IsNullOrEmpty2(pkt);
foreach (var type in module.GetTypes()) {
var cctor = type.FindStaticConstructor();
if (cctor == null)
continue;
bool deobfuscatedCctor = false;
bool? v13State = null, v40State = null, v41State = null;
foreach (var method in type.Methods) {
if (!method.IsStatic || method.Body == null)
continue;
IDecrypterInfo info = null;
if (DecrypterInfo13.isPossibleDecrypterMethod(method, ref v13State)) {
deobfuscateCctor(simpleDeobfuscator, cctor, ref deobfuscatedCctor, hasPublicKeyToken);
simpleDeobfuscator.deobfuscate(method);
info = getInfoV13(cctor, method);
}
else if (DecrypterInfo40.isPossibleDecrypterMethod(method, ref v40State)) {
deobfuscateCctor(simpleDeobfuscator, cctor, ref deobfuscatedCctor, hasPublicKeyToken);
simpleDeobfuscator.deobfuscate(method);
info = getInfoV40(cctor, method);
}
else if (DecrypterInfo41.isPossibleDecrypterMethod(method, ref v41State)) {
deobfuscateCctor(simpleDeobfuscator, cctor, ref deobfuscatedCctor, hasPublicKeyToken);
simpleDeobfuscator.deobfuscate(method);
info = getInfoV41(cctor, method);
}
if (info == null)
continue;
methodToInfo.add(method, info);
version = info.Version;
}
}
}示例4: initialize
public void initialize(ISimpleDeobfuscator simpleDeobfuscator)
{
foreach (var info in stringEncrypterInfos.getValues()) {
simpleDeobfuscator.deobfuscate(info.Method);
info.Resource = findResource(info.Method);
if (info.Resource == null) {
Logger.w("Could not find encrypted strings resource (Method {0:X8})", info.Method.MDToken.ToInt32());
continue;
}
info.Magic1 = findMagic1(info.Method);
info.Magic2 = findMagic2(info.Method);
info.Magic3 = findMagic3(info.Method);
info.Reader = info.Resource.Data;
info.Reader.Position = 0;
}
}示例5: initializeArrays2
bool initializeArrays2(ISimpleDeobfuscator simpleDeobfuscator, MethodDef method)
{
bool foundField = false;
simpleDeobfuscator.deobfuscate(method, true);
var instructions = method.Body.Instructions;
for (int i = 0; i < instructions.Count; i++) {
var ldci4 = instructions[i];
if (!ldci4.IsLdcI4())
continue;
i++;
var instrs = DotNetUtils.getInstructions(instructions, i, OpCodes.Newarr, OpCodes.Dup, OpCodes.Ldtoken, OpCodes.Call, OpCodes.Stsfld);
if (instrs == null)
continue;
var arrayInitField = instrs[2].Operand as FieldDef;
if (arrayInitField == null || arrayInitField.InitialValue == null || arrayInitField.InitialValue.Length == 0)
continue;
var calledMethod = instrs[3].Operand as IMethod;
if (calledMethod == null || calledMethod.FullName != "System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle)")
continue;
var targetField = instrs[4].Operand as FieldDef;
if (targetField == null || targetField.FieldType.GetElementType() != ElementType.SZArray)
continue;
var etype = ((SZArraySig)targetField.FieldType).Next.GetElementType();
if (etype < ElementType.Boolean || etype > ElementType.U4)
continue;
if (fieldToInfo.find(targetField) == null) {
fieldToInfo.add(targetField, new FieldInfo(targetField, arrayInitField));
foundField = true;
}
}
return foundField;
}示例6: findStringDecrypterMethods
void findStringDecrypterMethods(TypeDef type, ISimpleDeobfuscator simpleDeobfuscator)
{
foreach (var method in DotNetUtils.findMethods(type.Methods, "System.String", new string[] { "System.String", "System.Int32" })) {
if (method.Body.HasExceptionHandlers)
continue;
if (DotNetUtils.getMethodCalls(method, "System.Char[] System.String::ToCharArray()") != 1)
continue;
if (DotNetUtils.getMethodCalls(method, "System.String System.String::Intern(System.String)") != 1)
continue;
simpleDeobfuscator.deobfuscate(method);
var instructions = method.Body.Instructions;
for (int i = 0; i <= instructions.Count - 3; i++) {
var ldci4 = method.Body.Instructions[i];
if (!ldci4.IsLdcI4())
continue;
if (instructions[i + 1].OpCode.Code != Code.Ldarg_1)
continue;
if (instructions[i + 2].OpCode.Code != Code.Add)
continue;
var info = new StringDecrypterInfo(method, ldci4.GetLdcI4Value());
stringDecrypterMethods.add(info.method, info);
Logger.v("Found string decrypter method: {0}, magic: 0x{1:X8}", Utils.removeNewlines(info.method), info.magic);
break;
}
}
}示例7: init
void init(ISimpleDeobfuscator simpleDeobfuscator, MethodDefinition method)
{
var desList = new List<byte[]>(2);
var aesList = new List<byte[]>(2);
var instructions = method.Body.Instructions;
simpleDeobfuscator.deobfuscate(method);
for (int i = 0; i <= instructions.Count - 2; i++) {
var ldtoken = instructions[i];
if (ldtoken.OpCode.Code != Code.Ldtoken)
continue;
var field = DotNetUtils.getField(module, ldtoken.Operand as FieldReference);
if (field == null)
continue;
if (field.InitialValue == null)
continue;
var call = instructions[i + 1];
if (call.OpCode.Code != Code.Call)
continue;
var calledMethod = call.Operand as MethodReference;
if (!DotNetUtils.isMethod(calledMethod, "System.Void", "(System.Array,System.RuntimeFieldHandle)"))
continue;
if (field.InitialValue.Length == 8)
desList.Add(field.InitialValue);
else if (field.InitialValue.Length == 16)
aesList.Add(field.InitialValue);
}
if (desList.Count >= 2) {
DES_Key = desList[desList.Count - 2];
DES_IV = desList[desList.Count - 1];
}
if (aesList.Count >= 2) {
AES_Key = aesList[aesList.Count - 2];
AES_IV = aesList[aesList.Count - 1];
}
}示例8: initialize
public void initialize(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
{
if (handlerMethod == null)
return;
findOtherType();
simpleDeobfuscator.deobfuscate(handlerMethod);
simpleDeobfuscator.decryptStrings(handlerMethod, deob);
if (!createAssemblyInfos())
throw new ApplicationException("Could not initialize assembly infos");
simpleDeobfuscator.deobfuscate(decryptMethod);
simpleDeobfuscator.decryptStrings(decryptMethod, deob);
if (!createDecryptKey())
throw new ApplicationException("Could not initialize decryption key");
}示例9: init
public bool init(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator)
{
var cctor = stringsEncodingClass.FindStaticConstructor();
if (cctor != null)
simpleDeobfuscator.deobfuscate(cctor);
decrypterVersion = guessVersion(cctor);
if (!findDecrypterMethod())
throw new ApplicationException("Could not find string decrypter method");
if (!findStringsResource(deob, simpleDeobfuscator, cctor))
return false;
if (decrypterVersion <= StringDecrypterVersion.V3) {
MethodDef initMethod;
if (decrypterVersion == StringDecrypterVersion.V3)
initMethod = cctor;
else if (decrypterVersion == StringDecrypterVersion.V2)
initMethod = stringDecrypterMethod;
else
initMethod = stringDecrypterMethod;
stringOffset = 0;
if (decrypterVersion != StringDecrypterVersion.V1) {
if (callsGetPublicKeyToken(initMethod)) {
var pkt = PublicKeyBase.ToPublicKeyToken(module.Assembly.PublicKeyToken);
if (!PublicKeyBase.IsNullOrEmpty2(pkt)) {
for (int i = 0; i < pkt.Data.Length - 1; i += 2)
stringOffset ^= ((int)pkt.Data[i] << 8) + pkt.Data[i + 1];
}
}
if (DeobUtils.hasInteger(initMethod, 0xFFFFFF) &&
DeobUtils.hasInteger(initMethod, 0xFFFF)) {
stringOffset ^= ((stringDecrypterMethod.MDToken.ToInt32() & 0xFFFFFF) - 1) % 0xFFFF;
}
}
}
else {
var offsetVal = findOffsetValue(cctor);
if (offsetVal == null)
throw new ApplicationException("Could not find string offset");
stringOffset = offsetVal.Value;
decrypterVersion = StringDecrypterVersion.V4;
}
simpleZipTypeMethod = findSimpleZipTypeMethod(cctor) ?? findSimpleZipTypeMethod(stringDecrypterMethod);
if (simpleZipTypeMethod != null)
resourceDecrypter = new ResourceDecrypter(new ResourceDecrypterInfo(module, simpleZipTypeMethod, simpleDeobfuscator));
return true;
}示例10: init
public bool init(IDeobfuscator deob, ISimpleDeobfuscator simpleDeobfuscator)
{
var cctor = DotNetUtils.getMethod(stringsEncodingClass, ".cctor");
if (cctor != null)
simpleDeobfuscator.deobfuscate(cctor);
decrypterVersion = guessVersion(cctor);
if (!findDecrypterMethod())
throw new ApplicationException("Could not find string decrypter method");
if (!findStringsResource(deob, simpleDeobfuscator, cctor))
return false;
if (decrypterVersion <= StringDecrypterVersion.V3) {
MethodDefinition initMethod;
if (decrypterVersion == StringDecrypterVersion.V3)
initMethod = cctor;
else if (decrypterVersion == StringDecrypterVersion.V2)
initMethod = stringDecrypterMethod;
else
initMethod = stringDecrypterMethod;
stringOffset = 0;
if (decrypterVersion != StringDecrypterVersion.V1) {
if (callsGetPublicKeyToken(initMethod)) {
var pkt = module.Assembly.Name.PublicKeyToken;
if (pkt != null) {
for (int i = 0; i < pkt.Length - 1; i += 2)
stringOffset ^= ((int)pkt[i] << 8) + pkt[i + 1];
}
}
if (DotNetUtils.findLdcI4Constant(initMethod, 0xFFFFFF) &&
DotNetUtils.findLdcI4Constant(initMethod, 0xFFFF)) {
stringOffset ^= ((stringDecrypterMethod.MetadataToken.ToInt32() & 0xFFFFFF) - 1) % 0xFFFF;
}
}
}
else {
var offsetVal = findOffsetValue(cctor);
if (offsetVal == null)
throw new ApplicationException("Could not find string offset");
stringOffset = offsetVal.Value;
decrypterVersion = StringDecrypterVersion.V4;
}
simpleZipTypeMethod = findSimpleZipTypeMethod(cctor) ?? findSimpleZipTypeMethod(stringDecrypterMethod);
if (simpleZipTypeMethod != null)
resourceDecrypter = new ResourceDecrypter(new ResourceDecrypterInfo(module, simpleZipTypeMethod, simpleDeobfuscator));
return true;
}示例11: find
public void find(ISimpleDeobfuscator simpleDeobfuscator)
{
if (module.Assembly == null)
return;
bool hasPublicKeyToken = module.Assembly.Name.PublicKeyToken != null && module.Assembly.Name.PublicKeyToken.Length != 0;
foreach (var type in module.GetTypes()) {
if (!checkFields(type.Fields))
continue;
var cctor = DotNetUtils.getMethod(type, ".cctor");
if (cctor == null)
continue;
if (!hasPublicKeyToken)
simpleDeobfuscator.deobfuscate(cctor);
foreach (var method in type.Methods) {
if (method.Body == null)
continue;
IDecrypterInfo info = null;
if (DotNetUtils.isMethod(method, "System.String", "(System.Int32)")) {
simpleDeobfuscator.deobfuscate(method);
info = getInfoV3(cctor, method);
}
else if (DotNetUtils.isMethod(method, "System.String", "(System.Int32,System.Int32)")) {
simpleDeobfuscator.deobfuscate(method);
info = getInfoV4(cctor, method);
}
if (info == null)
continue;
methodToInfo.add(method, info);
version = info.Version;
}
}
}示例12: findConstants
bool findConstants(ISimpleDeobfuscator simpleDeobfuscator)
{
simpleDeobfuscator.deobfuscate(stringMethod);
stringMethodConsts = new EfConstantsReader(stringMethod);
if (!findResource(stringMethod))
return false;
checkMinus2 = isV32OrLater || DeobUtils.hasInteger(stringMethod, -2);
usePublicKeyToken = callsGetPublicKeyToken(stringMethod);
var int64Method = findInt64Method(stringMethod);
if (int64Method != null)
decrypterType.Type = int64Method.DeclaringType;
if (!findShorts())
return false;
if (!findInt3())
return false;
if (!findInt4())
return false;
if (checkMinus2 && !findInt5())
return false;
dataDecrypterType = findDataDecrypterType(stringMethod);
if (dataDecrypterType == null)
return false;
if (isV32OrLater) {
bool initializedAll;
if (!findInts(out initializedAll))
return false;
var cctor = DotNetUtils.getMethod(stringType, ".cctor");
if (!initializedAll && cctor != null) {
simpleDeobfuscator.deobfuscate(cctor);
if (!findIntsCctor(cctor))
return false;
}
if (decrypterType.Detected && !decrypterType.initialize())
return false;
}
initializeFlags();
initialize();
return true;
}示例13: getAssemblyInfos
public List<AssemblyInfo> getAssemblyInfos(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob)
{
var infos = new List<AssemblyInfo>();
if (embedResolverMethod != null) {
simpleDeobfuscator.deobfuscate(embedResolverMethod);
simpleDeobfuscator.decryptStrings(embedResolverMethod, deob);
embedPassword = getEmbedPassword(embedResolverMethod);
}
if (embedPassword == null)
return infos;
foreach (var rsrc in module.Resources) {
var resource = rsrc as EmbeddedResource;
if (resource == null)
continue;
if (!Regex.IsMatch(resource.Name.String, "^cfd_([0-9a-f]{2})+_$"))
continue;
var asmData = decrypt(embedPassword, gunzip(resource.Data.ReadAllBytes()));
var mod = ModuleDefMD.Load(asmData);
infos.Add(new AssemblyInfo(asmData, resource, mod.Assembly.FullName, mod.Assembly.Name.String, DeobUtils.getExtension(mod.Kind)));
}
return infos;
}示例14: initializeArrays2
bool initializeArrays2(ISimpleDeobfuscator simpleDeobfuscator, MethodDefinition method)
{
bool foundField = false;
simpleDeobfuscator.deobfuscate(method, true);
var instructions = method.Body.Instructions;
for (int i = 0; i < instructions.Count; i++) {
var ldci4 = instructions[i];
if (!DotNetUtils.isLdcI4(ldci4))
continue;
i++;
var instrs = DotNetUtils.getInstructions(instructions, i, OpCodes.Newarr, OpCodes.Dup, OpCodes.Ldtoken, OpCodes.Call, OpCodes.Stsfld);
if (instrs == null)
continue;
var arrayType = instrs[0].Operand as TypeReference;
if (arrayType == null || arrayType.EType != ElementType.U1)
continue;
var arrayInitField = instrs[2].Operand as FieldDefinition;
if (arrayInitField == null || arrayInitField.InitialValue == null || arrayInitField.InitialValue.Length == 0)
continue;
var calledMethod = instrs[3].Operand as MethodReference;
if (calledMethod == null || calledMethod.FullName != "System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle)")
continue;
var targetField = instrs[4].Operand as FieldDefinition;
if (targetField == null)
continue;
if (fieldToInfo.find(targetField) == null) {
fieldToInfo.add(targetField, new FieldInfo(targetField, arrayInitField));
foundField = true;
}
}
return foundField;
}示例15: find
public void find(ISimpleDeobfuscator simpleDeobfuscator)
{
if (module.Assembly == null)
return;
bool hasPublicKeyToken = module.Assembly.Name.PublicKeyToken != null && module.Assembly.Name.PublicKeyToken.Length != 0;
foreach (var type in module.GetTypes()) {
var cctor = DotNetUtils.getMethod(type, ".cctor");
if (cctor == null)
continue;
bool deobfuscatedCctor = false;
foreach (var method in type.Methods) {
if (!method.IsStatic || method.Body == null)
continue;
IDecrypterInfo info = null;
if (DecrypterInfo13.isPossibleDecrypterMethod(method)) {
deobfuscateCctor(simpleDeobfuscator, cctor, ref deobfuscatedCctor, hasPublicKeyToken);
simpleDeobfuscator.deobfuscate(method);
info = getInfoV13(cctor, method);
}
else if (DecrypterInfo40.isPossibleDecrypterMethod(method)) {
deobfuscateCctor(simpleDeobfuscator, cctor, ref deobfuscatedCctor, hasPublicKeyToken);
simpleDeobfuscator.deobfuscate(method);
info = getInfoV40(cctor, method);
}
else if (DecrypterInfo41.isPossibleDecrypterMethod(method)) {
deobfuscateCctor(simpleDeobfuscator, cctor, ref deobfuscatedCctor, hasPublicKeyToken);
simpleDeobfuscator.deobfuscate(method);
info = getInfoV41(cctor, method);
}
if (info == null)
continue;
methodToInfo.add(method, info);
version = info.Version;
}
}
}