Jump to content
View in the app

A better way to browse. Learn more.

Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

[C#] Phoneix Protector de4dot code

Featured Replies

Posted

Hi im new to de4dot midding so when i finaly made this to work i wanted to share with ewryone
 

Open De4Dot source (be shure that you can compile it Video  //Credit to @li0nsar3c00l)


Then go to de4dot.code/deobfuscators and create New Folder (Phoneix_Protector)
and create 2 classes Deobfuscator.cs and StringDecrypter.cse8QRmk0.pngand paste this codeDeobfuscator.cs

using System.Collections.Generic;using dnlib.DotNet;using de4dot.blocks;namespace de4dot.code.deobfuscators.Phoneix_Protector{   public class DeobfuscatorInfo:DeobfuscatorInfoBase    {        public const string THE_NAME = "Phoneix Protector";        public const string THE_TYPE = "pp";        const string DEFAULT_REGEX =  DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX;        public DeobfuscatorInfo()            : base(DEFAULT_REGEX)        {        }        public override string Name {			get { return THE_NAME; }		}		public override string Type {			get { return THE_TYPE; }		}		public override IDeobfuscator CreateDeobfuscator() {			return new Deobfuscator(new Deobfuscator.Options {                RenameResourcesInCode = false,				ValidNameRegex = validNameRegex.Get(),			});		}	}    class Deobfuscator : DeobfuscatorBase    {        Options options;        string obfuscatorName = "Phoneix Protector";        StringDecrypter stringDecrypter;        bool foundPhoneixAttribute = false;        internal class Options : OptionsBase        {        }        public override string Type        {            get { return DeobfuscatorInfo.THE_TYPE; }        }        public override string TypeLong        {            get { return DeobfuscatorInfo.THE_NAME; }        }        public override string Name        {            get { return obfuscatorName; }        }        public Deobfuscator(Options options)            : base(options)        {            this.options = options;        }        protected override int DetectInternal()  //Main Detect Function        {                        int val = 0;            if (stringDecrypter.Detected)                val += 100;            if (foundPhoneixAttribute)                val += 10;            return val;        }                protected override void ScanForObfuscator() //Main Scann Function        {            stringDecrypter = new StringDecrypter(module);            stringDecrypter.Find(DeobfuscatedFile);            FindPhoneixAttribute();        }        void FindPhoneixAttribute()        {            foreach (var type in module.Types)            {                if (type.Namespace.StartsWith("?") && type.Namespace.EndsWith("?"))                {                    foundPhoneixAttribute = true;                    return;                }            }        }        public override void DeobfuscateBegin() {  			base.DeobfuscateBegin();			foreach (var info in stringDecrypter.StringDecrypterInfos)				staticStringInliner.Add(info.method, (method, gim, args) => stringDecrypter.Decrypt( (string)args[0]));  //Decrypting all Strings			DeobfuscatedFile.StringDecryptersAdded();		}		public override void DeobfuscateEnd() {			if (CanRemoveStringDecrypterType)            {				AddMethodsToBeRemoved(stringDecrypter.StringDecrypters, "String Decrypter Method"); //Removing All Calls for String Decrypt example: class1.decriptstring()                AddTypeToBeRemoved(stringDecrypter.Type, "String Derypter Type");  //Removing Phoneix Class               }			base.DeobfuscateEnd();		}		public override IEnumerable<int> GetStringDecrypterMethods() {			var list = new List<int>();			foreach (var method in stringDecrypter.StringDecrypters)				list.Add(method.MDToken.ToInt32());			return list;		}	}    }     

StringDecrypt.cs
 

using System.Collections.Generic;using dnlib.DotNet;using dnlib.DotNet.Emit;using de4dot.blocks;namespace de4dot.code.deobfuscators.Phoneix_Protector{    class StringDecrypter    {        ModuleDefMD module;        MethodDefAndDeclaringTypeDict<StringDecrypterInfo> stringDecrypterMethods = new MethodDefAndDeclaringTypeDict<StringDecrypterInfo>();        TypeDef stringDecrypterType;        public TypeDef Type //Returning Class Of String Decryptor Function        {            get { return stringDecrypterType; }        }        public class StringDecrypterInfo        {            public MethodDef method;                                    public StringDecrypterInfo(MethodDef method)            {                this.method = method;            }                   }        public bool Detected        {            get { return stringDecrypterMethods.Count > 0; }        }        public IEnumerable<MethodDef> StringDecrypters        {            get            {                var list = new List<MethodDef>(stringDecrypterMethods.Count);                foreach (var info in stringDecrypterMethods.GetValues())                    list.Add(info.method); //adding all calls for string decryptor                return list;            }        }                public IEnumerable<StringDecrypterInfo> StringDecrypterInfos        {            get { return stringDecrypterMethods.GetValues(); }        }               public void Find(ISimpleDeobfuscator simpleDeobfuscator)        {            foreach (var type in module.GetTypes())            {                FindStringDecrypterMethods(type, simpleDeobfuscator);                            }        }        void FindStringDecrypterMethods(TypeDef type, ISimpleDeobfuscator simpleDeobfuscator)  //Seartching for Decrypt Function        {            foreach (var method in DotNetUtils.FindMethods(type.Methods, "System.String", new string[] { "System.String"}))            {                if (method.Body.HasExceptionHandlers)                    continue;                      if (DotNetUtils.GetMethodCalls(method, "System.String System.String::Intern(System.String)") != 1)                    continue;                simpleDeobfuscator.Deobfuscate(method);                var instrs = method.Body.Instructions;                for (int i = 0; i < instrs.Count - 3; i++)  //Seartching For String Decrypt Function (that is MsIl code of function (not all))                {                    if (!instrs[i].IsLdarg() || instrs[i].GetParameterIndex() != 0)                        continue;                    if (instrs[i + 1].OpCode.Code != Code.Callvirt)                        continue;                    if (!instrs[i + 2].IsStloc())                        continue;                    if (!instrs[i + 3].IsLdloc())                        continue;                    if (instrs[i + 4].OpCode.Code != Code.Newarr)                        continue;                    if (!instrs[i + 5].IsStloc())                        continue;                    if (!instrs[i + 6].IsLdcI4())                        continue;                    if (!instrs[i + 7].IsStloc())                        continue;                    if (instrs[i + 8].OpCode.Code != Code.Br_S)                        continue;                    if (!instrs[i + 9].IsLdarg())                        continue;                    if (!instrs[i + 10].IsLdloc())                        continue;                    if (instrs[i + 11].OpCode.Code != Code.Callvirt)                        continue;  //if you want you can continue with Il code but i think its enough                    var info = new StringDecrypterInfo(method);                    stringDecrypterMethods.Add(info.method, info);                    stringDecrypterType = method.DeclaringType;  // Class Of String Decrypt function                    Logger.v("Found string decrypter method", Utils.RemoveNewlines(info.method));                    break;                }            }        }        public StringDecrypter(ModuleDefMD module)        {            this.module = module;        }        public string  Decrypt(string str)        {            var chrArr = new char[str.Length];            var i = 0;            foreach (char c in str)                chrArr[i] =                    char.ConvertFromUtf32((((byte)((c >> 8) ^ i) << 8) | (byte)(c ^ (chrArr.Length - i++))))[0];            return string.Intern(new string(chrArr));        }    }}

and in  the end dont forget to add new de4dot.code.deobfuscators.Phoneix_Protector.DeobfuscatorInfo()  in de4dot.cui/program.cs
KlJ8Toe.png
i also added comments for better understanding hope it was usefoul Credit goes to 0xd4d //His XenoCode decrypt because its mostly copy of itHappy De4Dot Modding TheProxy grin.png

Edited by TheProxy

it's very useful,thank,thank .... you very much...


thanks you :D 


  • 3 weeks later...

Thank You  :smartass:


Create an account or sign in to comment

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.