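// TheProxy -- posted May 11, 2015 (edited)
//
// Hi, I'm new to de4dot modding, so when I finally got this to work I wanted to
// share it with everyone.
//
// Open the de4dot source (be sure that you can compile it; video credit to
// @li0nsar3c00l). Then go to de4dot.code/deobfuscators, create a new folder
// (Phoneix_Protector), create two classes in it, Deobfuscator.cs and
// StringDecrypter.cs, and paste in this code.

// ===== Deobfuscator.cs =====
using System.Collections.Generic;
using dnlib.DotNet;
using de4dot.blocks;

namespace de4dot.code.deobfuscators.Phoneix_Protector
{
    /// <summary>
    /// Describes the Phoneix Protector deobfuscator to de4dot: its display name,
    /// its short type code and how to create the deobfuscator itself.
    /// </summary>
    public class DeobfuscatorInfo : DeobfuscatorInfoBase
    {
        public const string THE_NAME = "Phoneix Protector";
        public const string THE_TYPE = "pp";
        const string DEFAULT_REGEX = DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX;

        public DeobfuscatorInfo()
            : base(DEFAULT_REGEX)
        {
        }

        public override string Name
        {
            get { return THE_NAME; }
        }

        public override string Type
        {
            get { return THE_TYPE; }
        }

        /// <summary>Creates a deobfuscator that uses the configured valid-name regex.</summary>
        public override IDeobfuscator CreateDeobfuscator()
        {
            return new Deobfuscator(new Deobfuscator.Options
            {
                RenameResourcesInCode = false,
                ValidNameRegex = validNameRegex.Get(),
            });
        }
    }

    /// <summary>
    /// Detects the protector and statically inlines its encrypted strings.
    /// Strings are decoded by <see cref="StringDecrypter.Decrypt"/>, a managed
    /// re-implementation of the routine, not by invoking the target's own method.
    /// </summary>
    class Deobfuscator : DeobfuscatorBase
    {
        Options options;
        string obfuscatorName = "Phoneix Protector";
        StringDecrypter stringDecrypter;
        bool foundPhoneixAttribute = false;

        internal class Options : OptionsBase
        {
        }

        public override string Type
        {
            get { return DeobfuscatorInfo.THE_TYPE; }
        }

        public override string TypeLong
        {
            get { return DeobfuscatorInfo.THE_NAME; }
        }

        public override string Name
        {
            get { return obfuscatorName; }
        }

        public Deobfuscator(Options options)
            : base(options)
        {
            this.options = options;
        }

        /// <summary>
        /// Main detect function. Scores the module: 100 when a string decrypter
        /// method was found, plus 10 when the namespace marker was seen.
        /// </summary>
        protected override int DetectInternal()
        {
            int val = 0;
            if (stringDecrypter.Detected)
                val += 100;
            if (foundPhoneixAttribute)
                val += 10;
            return val;
        }

        /// <summary>Main scan function: looks for the string decrypter and the namespace marker.</summary>
        protected override void ScanForObfuscator()
        {
            stringDecrypter = new StringDecrypter(module);
            stringDecrypter.Find(DeobfuscatedFile);
            FindPhoneixAttribute();
        }

        /// <summary>
        /// Sets <c>foundPhoneixAttribute</c> when any top-level type has a
        /// namespace that both starts and ends with "?".
        /// </summary>
        void FindPhoneixAttribute()
        {
            // NOTE(review): the "?" literals may be non-ASCII characters that were
            // lost when the post was encoded -- confirm against a protected sample.
            // As written this is a weak signal, which is why it only adds 10 points.
            foreach (var type in module.Types)
            {
                if (type.Namespace.StartsWith("?") && type.Namespace.EndsWith("?"))
                {
                    foundPhoneixAttribute = true;
                    return;
                }
            }
        }

        /// <summary>Registers every detected decrypter method with the static string inliner.</summary>
        public override void DeobfuscateBegin()
        {
            base.DeobfuscateBegin();

            // Decrypt all strings: each call to a decrypter method is resolved by
            // passing its single string argument to StringDecrypter.Decrypt.
            foreach (var info in stringDecrypter.StringDecrypterInfos)
            {
                staticStringInliner.Add(info.method, (method, gim, args) => stringDecrypter.Decrypt((string)args[0]));
            }

            DeobfuscatedFile.StringDecryptersAdded();
        }

        /// <summary>Queues the decrypter methods and their declaring type for removal when allowed.</summary>
        public override void DeobfuscateEnd()
        {
            if (CanRemoveStringDecrypterType)
            {
                // Remove the string decrypter methods (for example class1.decriptstring()).
                AddMethodsToBeRemoved(stringDecrypter.StringDecrypters, "String Decrypter Method");

                // Remove the class that holds the decrypter.
                // NOTE(review): this is the declaring type of the last decrypter method
                // found; check that it holds nothing else before trusting the cleaned output.
                AddTypeToBeRemoved(stringDecrypter.Type, "String Derypter Type");
            }

            base.DeobfuscateEnd();
        }

        /// <summary>Returns the metadata tokens of all detected decrypter methods.</summary>
        public override IEnumerable<int> GetStringDecrypterMethods()
        {
            var list = new List<int>();
            foreach (var method in stringDecrypter.StringDecrypters)
                list.Add(method.MDToken.ToInt32());
            return list;
        }
    }
}

// ===== StringDecrypter.cs (labelled "StringDecrypt.cs" in the post) =====
using System.Collections.Generic;
using dnlib.DotNet;
using dnlib.DotNet.Emit;
using de4dot.blocks;

namespace de4dot.code.deobfuscators.Phoneix_Protector
{
    /// <summary>
    /// Finds the protector's string decrypter methods by IL shape and decodes
    /// encrypted strings without running any code from the analysed module.
    /// </summary>
    class StringDecrypter
    {
        // Number of consecutive instructions the detection pattern inspects
        // (offsets i + 0 through i + 11).
        const int PatternLength = 12;

        ModuleDefMD module;
        MethodDefAndDeclaringTypeDict<StringDecrypterInfo> stringDecrypterMethods = new MethodDefAndDeclaringTypeDict<StringDecrypterInfo>();
        TypeDef stringDecrypterType;

        /// <summary>The class that declares the string decrypter function.</summary>
        public TypeDef Type
        {
            get { return stringDecrypterType; }
        }

        /// <summary>Wraps one detected decrypter method.</summary>
        public class StringDecrypterInfo
        {
            public MethodDef method;

            public StringDecrypterInfo(MethodDef method)
            {
                this.method = method;
            }
        }

        /// <summary>True when at least one decrypter method was found.</summary>
        public bool Detected
        {
            get { return stringDecrypterMethods.Count > 0; }
        }

        /// <summary>All detected decrypter methods.</summary>
        public IEnumerable<MethodDef> StringDecrypters
        {
            get
            {
                var list = new List<MethodDef>(stringDecrypterMethods.Count);
                foreach (var info in stringDecrypterMethods.GetValues())
                    list.Add(info.method);
                return list;
            }
        }

        public IEnumerable<StringDecrypterInfo> StringDecrypterInfos
        {
            get { return stringDecrypterMethods.GetValues(); }
        }

        public StringDecrypter(ModuleDefMD module)
        {
            this.module = module;
        }

        /// <summary>Scans every type in the module for decrypter methods.</summary>
        public void Find(ISimpleDeobfuscator simpleDeobfuscator)
        {
            foreach (var type in module.GetTypes())
            {
                FindStringDecrypterMethods(type, simpleDeobfuscator);
            }
        }

        /// <summary>
        /// Searches <paramref name="type"/> for the decrypt function: a
        /// string-to-string method without exception handlers that calls
        /// String.Intern exactly once and contains the IL sequence checked below.
        /// </summary>
        void FindStringDecrypterMethods(TypeDef type, ISimpleDeobfuscator simpleDeobfuscator)
        {
            foreach (var method in DotNetUtils.FindMethods(type.Methods, "System.String", new string[] { "System.String" }))
            {
                if (method.Body.HasExceptionHandlers)
                    continue;
                if (DotNetUtils.GetMethodCalls(method, "System.String System.String::Intern(System.String)") != 1)
                    continue;

                simpleDeobfuscator.Deobfuscate(method);
                var instrs = method.Body.Instructions;

                // The pattern reads instrs[i] through instrs[i + 11], so the window must
                // fit inside the body. The posted bound (instrs.Count - 3) let the later
                // checks index past the end of a short method and throw.
                for (int i = 0; i + PatternLength <= instrs.Count; i++)
                {
                    // Start of the decrypt function's MSIL (not all of it).
                    if (!instrs[i].IsLdarg() || instrs[i].GetParameterIndex() != 0)
                        continue;
                    if (instrs[i + 1].OpCode.Code != Code.Callvirt)
                        continue;
                    if (!instrs[i + 2].IsStloc())
                        continue;
                    if (!instrs[i + 3].IsLdloc())
                        continue;
                    if (instrs[i + 4].OpCode.Code != Code.Newarr)
                        continue;
                    if (!instrs[i + 5].IsStloc())
                        continue;
                    if (!instrs[i + 6].IsLdcI4())
                        continue;
                    if (!instrs[i + 7].IsStloc())
                        continue;
                    if (instrs[i + 8].OpCode.Code != Code.Br_S)
                        continue;
                    if (!instrs[i + 9].IsLdarg())
                        continue;
                    if (!instrs[i + 10].IsLdloc())
                        continue;
                    if (instrs[i + 11].OpCode.Code != Code.Callvirt)
                        continue;
                    // You can continue matching more IL here, but this is enough.

                    var info = new StringDecrypterInfo(method);
                    stringDecrypterMethods.Add(info.method, info);
                    stringDecrypterType = method.DeclaringType; // class of the string decrypt function

                    // NOTE(review): the message has no "{0}" placeholder, so the method passed
                    // as the second argument is probably never printed -- confirm against Logger.v.
                    Logger.v("Found string decrypter method", Utils.RemoveNewlines(info.method));
                    break;
                }
            }
        }

        /// <summary>
        /// Decodes one encrypted string. For each character at index i, the high
        /// byte is XORed with i and the low byte with (length - i), both truncated
        /// to 8 bits; the decoded string is interned before it is returned.
        /// </summary>
        /// <param name="str">The encrypted string taken from the call site.</param>
        /// <returns>The decoded, interned string.</returns>
        public string Decrypt(string str)
        {
            int length = str.Length;
            var chrArr = new char[length];

            for (int i = 0; i < length; i++)
            {
                char c = str[i];
                byte high = (byte)((c >> 8) ^ i);
                byte low = (byte)(c ^ (length - i));

                // A plain cast keeps any 16-bit result. The posted code went through
                // char.ConvertFromUtf32, which throws ArgumentOutOfRangeException when
                // the decoded value falls in the surrogate range 0xD800-0xDFFF.
                chrArr[i] = (char)((high << 8) | low);
            }

            return string.Intern(new string(chrArr));
        }
    }
}

// Finally, don't forget to add
//     new de4dot.code.deobfuscators.Phoneix_Protector.DeobfuscatorInfo()
// in de4dot.cui/program.cs.
//
// I also added comments for better understanding; I hope it is useful.
// Credit goes to 0xd4d -- this is mostly a copy of his XenoCode decrypter.
// Happy de4dot modding!
//
// TheProxy (edited May 11, 2015 by TheProxy)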
heartcoffee Posted May 12, 2015 Posted May 12, 2015 it's very useful,thank,thank .... you very much...