2011-09-22 10:55:30 +08:00
|
|
|
|
/*
|
|
|
|
|
|
Copyright (C) 2011 de4dot@gmail.com
|
|
|
|
|
|
|
|
|
|
|
|
This file is part of de4dot.
|
|
|
|
|
|
|
|
|
|
|
|
de4dot is free software: you can redistribute it and/or modify
|
|
|
|
|
|
it under the terms of the GNU General Public License as published by
|
|
|
|
|
|
the Free Software Foundation, either version 3 of the License, or
|
|
|
|
|
|
(at your option) any later version.
|
|
|
|
|
|
|
|
|
|
|
|
de4dot is distributed in the hope that it will be useful,
|
|
|
|
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
|
GNU General Public License for more details.
|
|
|
|
|
|
|
|
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
|
|
|
|
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
|
|
using System;
|
|
|
|
|
|
using System.Collections.Generic;
|
|
|
|
|
|
using System.Globalization;
|
|
|
|
|
|
using System.IO;
|
2011-10-13 01:47:51 +08:00
|
|
|
|
using System.Text;
|
2011-09-22 10:55:30 +08:00
|
|
|
|
using Mono.Cecil;
|
|
|
|
|
|
using Mono.Cecil.Cil;
|
2011-10-29 08:23:48 +08:00
|
|
|
|
using Mono.MyStuff;
|
2011-12-09 16:02:06 +08:00
|
|
|
|
using de4dot.code.deobfuscators;
|
2011-09-22 10:55:30 +08:00
|
|
|
|
using de4dot.blocks;
|
2011-10-17 06:22:22 +08:00
|
|
|
|
using de4dot.blocks.cflow;
|
2011-12-09 16:02:06 +08:00
|
|
|
|
using de4dot.code.AssemblyClient;
|
|
|
|
|
|
using de4dot.code.renamer;
|
|
|
|
|
|
using de4dot.code.PE;
|
2011-09-22 10:55:30 +08:00
|
|
|
|
|
2011-12-09 16:02:06 +08:00
|
|
|
|
namespace de4dot.code {
|
|
|
|
|
|
public class ObfuscatedFile : IObfuscatedFile, IDeobfuscatedFile {
|
2011-09-22 10:55:30 +08:00
|
|
|
|
Options options;
|
|
|
|
|
|
ModuleDefinition module;
|
|
|
|
|
|
IList<MethodDefinition> allMethods;
|
|
|
|
|
|
IDeobfuscator deob;
|
|
|
|
|
|
AssemblyModule assemblyModule;
|
|
|
|
|
|
IAssemblyClient assemblyClient;
|
|
|
|
|
|
DynamicStringDecrypter dynamicStringDecrypter;
|
|
|
|
|
|
IAssemblyClientFactory assemblyClientFactory;
|
|
|
|
|
|
SavedMethodBodies savedMethodBodies;
|
|
|
|
|
|
bool userStringDecrypterMethods = false;
|
|
|
|
|
|
|
|
|
|
|
|
class SavedMethodBodies {
|
|
|
|
|
|
Dictionary<MethodDefinition, SavedMethodBody> savedMethodBodies = new Dictionary<MethodDefinition, SavedMethodBody>();
|
|
|
|
|
|
|
|
|
|
|
|
class SavedMethodBody {
|
|
|
|
|
|
MethodDefinition method;
|
|
|
|
|
|
IList<Instruction> instructions;
|
|
|
|
|
|
IList<ExceptionHandler> exceptionHandlers;
|
|
|
|
|
|
|
|
|
|
|
|
public SavedMethodBody(MethodDefinition method) {
|
|
|
|
|
|
this.method = method;
|
|
|
|
|
|
DotNetUtils.copyBody(method, out instructions, out exceptionHandlers);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public void restore() {
|
|
|
|
|
|
DotNetUtils.restoreBody(method, instructions, exceptionHandlers);
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public void save(MethodDefinition method) {
|
|
|
|
|
|
if (isSaved(method))
|
|
|
|
|
|
return;
|
|
|
|
|
|
savedMethodBodies[method] = new SavedMethodBody(method);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public void restoreAll() {
|
|
|
|
|
|
foreach (var smb in savedMethodBodies.Values)
|
|
|
|
|
|
smb.restore();
|
|
|
|
|
|
savedMethodBodies.Clear();
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public bool isSaved(MethodDefinition method) {
|
|
|
|
|
|
return savedMethodBodies.ContainsKey(method);
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public class Options {
|
|
|
|
|
|
public string Filename { get; set; }
|
|
|
|
|
|
public string NewFilename { get; set; }
|
|
|
|
|
|
public string ForcedObfuscatorType { get; set; }
|
|
|
|
|
|
public DecrypterType StringDecrypterType { get; set; }
|
|
|
|
|
|
public List<string> StringDecrypterMethods { get; private set; }
|
|
|
|
|
|
public bool ControlFlowDeobfuscation { get; set; }
|
|
|
|
|
|
public bool KeepObfuscatorTypes { get; set; }
|
|
|
|
|
|
|
|
|
|
|
|
public Options() {
|
2011-09-28 22:06:10 +08:00
|
|
|
|
StringDecrypterType = DecrypterType.Default;
|
2011-09-22 10:55:30 +08:00
|
|
|
|
StringDecrypterMethods = new List<string>();
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public string Filename {
|
|
|
|
|
|
get { return options.Filename; }
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public string NewFilename {
|
|
|
|
|
|
get { return options.NewFilename; }
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public ModuleDefinition ModuleDefinition {
|
|
|
|
|
|
get { return module; }
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2011-11-17 11:17:03 +08:00
|
|
|
|
public INameChecker NameChecker {
|
|
|
|
|
|
get { return deob; }
|
2011-09-22 10:55:30 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public bool RenameResourcesInCode {
|
|
|
|
|
|
get { return deob.TheOptions.RenameResourcesInCode; }
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2011-11-09 19:08:48 +08:00
|
|
|
|
public bool RemoveNamespaceWithOneType {
|
|
|
|
|
|
get { return (deob.RenamingOptions & RenamingOptions.RemoveNamespaceIfOneType) != 0; }
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2011-09-22 10:55:30 +08:00
|
|
|
|
public IDeobfuscator Deobfuscator {
|
|
|
|
|
|
get { return deob; }
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public ObfuscatedFile(Options options, IAssemblyClientFactory assemblyClientFactory) {
|
|
|
|
|
|
this.assemblyClientFactory = assemblyClientFactory;
|
|
|
|
|
|
this.options = options;
|
|
|
|
|
|
userStringDecrypterMethods = options.StringDecrypterMethods.Count > 0;
|
|
|
|
|
|
options.Filename = Utils.getFullPath(options.Filename);
|
2011-11-06 19:26:41 +08:00
|
|
|
|
assemblyModule = new AssemblyModule(options.Filename);
|
2011-09-22 10:55:30 +08:00
|
|
|
|
|
|
|
|
|
|
if (options.NewFilename == null)
|
|
|
|
|
|
options.NewFilename = getDefaultNewFilename();
|
|
|
|
|
|
|
|
|
|
|
|
if (string.Equals(options.Filename, options.NewFilename, StringComparison.OrdinalIgnoreCase))
|
|
|
|
|
|
throw new UserException(string.Format("filename is same as new filename! ({0})", options.Filename));
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
string getDefaultNewFilename() {
|
|
|
|
|
|
int dotIndex = options.Filename.LastIndexOf('.');
|
|
|
|
|
|
string noExt, ext;
|
|
|
|
|
|
if (dotIndex != -1) {
|
|
|
|
|
|
noExt = options.Filename.Substring(0, dotIndex);
|
|
|
|
|
|
ext = options.Filename.Substring(dotIndex);
|
|
|
|
|
|
}
|
|
|
|
|
|
else {
|
|
|
|
|
|
noExt = options.Filename;
|
|
|
|
|
|
ext = "";
|
|
|
|
|
|
}
|
2011-11-04 03:07:50 +08:00
|
|
|
|
return noExt + "-cleaned" + ext;
|
2011-09-22 10:55:30 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public void load(IEnumerable<IDeobfuscator> deobfuscators) {
|
2011-12-01 01:26:36 +08:00
|
|
|
|
loadModule(deobfuscators);
|
2011-09-22 10:55:30 +08:00
|
|
|
|
AssemblyResolver.Instance.addSearchDirectory(Utils.getDirName(Filename));
|
|
|
|
|
|
AssemblyResolver.Instance.addSearchDirectory(Utils.getDirName(NewFilename));
|
|
|
|
|
|
|
|
|
|
|
|
allMethods = getAllMethods();
|
|
|
|
|
|
|
|
|
|
|
|
detectObfuscator(deobfuscators);
|
|
|
|
|
|
if (deob == null)
|
|
|
|
|
|
throw new ApplicationException("Could not detect obfuscator!");
|
2011-10-26 20:32:50 +08:00
|
|
|
|
initializeDeobfuscator();
|
|
|
|
|
|
}
|
2011-09-22 10:55:30 +08:00
|
|
|
|
|
2011-12-01 01:26:36 +08:00
|
|
|
|
void loadModule(IEnumerable<IDeobfuscator> deobfuscators) {
|
|
|
|
|
|
try {
|
|
|
|
|
|
module = assemblyModule.load();
|
|
|
|
|
|
}
|
|
|
|
|
|
catch (BadImageFormatException) {
|
|
|
|
|
|
if (!unpackNativeImage(deobfuscators))
|
|
|
|
|
|
throw new BadImageFormatException();
|
2011-12-01 03:22:52 +08:00
|
|
|
|
Log.v("Unpacked native file");
|
2011-12-01 01:26:36 +08:00
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
bool unpackNativeImage(IEnumerable<IDeobfuscator> deobfuscators) {
|
|
|
|
|
|
var peImage = new PeImage(Utils.readFile(Filename));
|
|
|
|
|
|
|
|
|
|
|
|
foreach (var deob in deobfuscators) {
|
2011-12-01 03:27:49 +08:00
|
|
|
|
byte[] unpackedData = null;
|
2011-12-01 01:26:36 +08:00
|
|
|
|
try {
|
2011-12-01 02:05:20 +08:00
|
|
|
|
unpackedData = deob.unpackNativeFile(peImage);
|
|
|
|
|
|
}
|
|
|
|
|
|
catch {
|
|
|
|
|
|
}
|
2011-12-01 03:27:49 +08:00
|
|
|
|
if (unpackedData == null)
|
|
|
|
|
|
continue;
|
|
|
|
|
|
|
2011-12-01 02:05:20 +08:00
|
|
|
|
try {
|
2011-12-01 01:26:36 +08:00
|
|
|
|
module = assemblyModule.load(unpackedData);
|
|
|
|
|
|
}
|
|
|
|
|
|
catch {
|
2011-12-01 03:27:49 +08:00
|
|
|
|
Log.w("Could not load unpacked data. Deobfuscator: {0}", deob.TypeLong);
|
2011-12-01 01:26:36 +08:00
|
|
|
|
continue;
|
|
|
|
|
|
}
|
2011-12-01 03:27:49 +08:00
|
|
|
|
this.deob = deob;
|
|
|
|
|
|
return true;
|
2011-12-01 01:26:36 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return false;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2011-10-26 20:32:50 +08:00
|
|
|
|
void initializeDeobfuscator() {
|
2011-09-28 22:06:10 +08:00
|
|
|
|
if (options.StringDecrypterType == DecrypterType.Default)
|
|
|
|
|
|
options.StringDecrypterType = deob.DefaultDecrypterType;
|
|
|
|
|
|
if (options.StringDecrypterType == DecrypterType.Default)
|
|
|
|
|
|
options.StringDecrypterType = DecrypterType.Static;
|
|
|
|
|
|
|
2011-09-22 10:55:30 +08:00
|
|
|
|
deob.Operations = createOperations();
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
IOperations createOperations() {
|
|
|
|
|
|
var op = new Operations();
|
|
|
|
|
|
|
2011-09-28 22:06:10 +08:00
|
|
|
|
switch (options.StringDecrypterType) {
|
|
|
|
|
|
case DecrypterType.None:
|
2011-09-22 10:55:30 +08:00
|
|
|
|
op.DecryptStrings = OpDecryptString.None;
|
2011-09-28 22:06:10 +08:00
|
|
|
|
break;
|
|
|
|
|
|
case DecrypterType.Static:
|
2011-09-22 10:55:30 +08:00
|
|
|
|
op.DecryptStrings = OpDecryptString.Static;
|
2011-09-28 22:06:10 +08:00
|
|
|
|
break;
|
|
|
|
|
|
default:
|
2011-09-22 10:55:30 +08:00
|
|
|
|
op.DecryptStrings = OpDecryptString.Dynamic;
|
2011-09-28 22:06:10 +08:00
|
|
|
|
break;
|
|
|
|
|
|
}
|
2011-09-22 10:55:30 +08:00
|
|
|
|
|
|
|
|
|
|
op.KeepObfuscatorTypes = options.KeepObfuscatorTypes;
|
|
|
|
|
|
|
|
|
|
|
|
return op;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void detectObfuscator(IEnumerable<IDeobfuscator> deobfuscators) {
|
|
|
|
|
|
|
|
|
|
|
|
// The deobfuscators may call methods to deobfuscate control flow and decrypt
|
|
|
|
|
|
// strings (statically) in order to detect the obfuscator.
|
|
|
|
|
|
if (!options.ControlFlowDeobfuscation || options.StringDecrypterType == DecrypterType.None)
|
|
|
|
|
|
savedMethodBodies = new SavedMethodBodies();
|
|
|
|
|
|
|
2011-12-01 01:26:36 +08:00
|
|
|
|
// It's not null if it unpacked a native file
|
|
|
|
|
|
if (this.deob != null) {
|
|
|
|
|
|
deob.init(module);
|
|
|
|
|
|
deob.DeobfuscatedFile = this;
|
|
|
|
|
|
deob.earlyDetect();
|
|
|
|
|
|
deob.detect();
|
|
|
|
|
|
return;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2011-09-22 10:55:30 +08:00
|
|
|
|
foreach (var deob in deobfuscators) {
|
2011-10-09 01:33:12 +08:00
|
|
|
|
deob.init(module);
|
2011-09-22 10:55:30 +08:00
|
|
|
|
deob.DeobfuscatedFile = this;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if (options.ForcedObfuscatorType != null) {
|
|
|
|
|
|
foreach (var deob in deobfuscators) {
|
|
|
|
|
|
if (string.Equals(options.ForcedObfuscatorType, deob.Type, StringComparison.OrdinalIgnoreCase)) {
|
2011-10-26 20:32:50 +08:00
|
|
|
|
deob.earlyDetect();
|
2011-09-22 10:55:30 +08:00
|
|
|
|
this.deob = deob;
|
2011-11-01 21:19:53 +08:00
|
|
|
|
deob.detect();
|
2011-09-22 10:55:30 +08:00
|
|
|
|
return;
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
2011-10-26 20:32:50 +08:00
|
|
|
|
else {
|
|
|
|
|
|
this.deob = earlyDetectObfuscator(deobfuscators);
|
|
|
|
|
|
if (this.deob == null)
|
|
|
|
|
|
this.deob = detectObfuscator2(deobfuscators);
|
|
|
|
|
|
else
|
|
|
|
|
|
this.deob.detect();
|
|
|
|
|
|
}
|
2011-10-09 01:33:12 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
IDeobfuscator earlyDetectObfuscator(IEnumerable<IDeobfuscator> deobfuscators) {
|
|
|
|
|
|
IDeobfuscator detected = null;
|
|
|
|
|
|
int detectVal = 0;
|
|
|
|
|
|
foreach (var deob in deobfuscators) {
|
|
|
|
|
|
int val = deob.earlyDetect();
|
|
|
|
|
|
if (val > 0)
|
2011-11-12 18:31:07 +08:00
|
|
|
|
Log.v("{0,3}: {1}", val, deob.TypeLong);
|
2011-10-09 01:33:12 +08:00
|
|
|
|
if (val > detectVal) {
|
|
|
|
|
|
detectVal = val;
|
|
|
|
|
|
detected = deob;
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
return detected;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
IDeobfuscator detectObfuscator2(IEnumerable<IDeobfuscator> deobfuscators) {
|
|
|
|
|
|
IDeobfuscator detected = null;
|
|
|
|
|
|
int detectVal = 0;
|
|
|
|
|
|
foreach (var deob in deobfuscators) {
|
2011-11-01 21:19:53 +08:00
|
|
|
|
this.deob = deob; // So we can call deob.CanInlineMethods in deobfuscate()
|
2011-10-09 01:33:12 +08:00
|
|
|
|
int val = deob.detect();
|
2011-11-12 18:31:07 +08:00
|
|
|
|
Log.v("{0,3}: {1}", val, deob.TypeLong);
|
2011-10-09 01:33:12 +08:00
|
|
|
|
if (val > detectVal) {
|
|
|
|
|
|
detectVal = val;
|
|
|
|
|
|
detected = deob;
|
2011-09-22 10:55:30 +08:00
|
|
|
|
}
|
|
|
|
|
|
}
|
2011-11-01 21:19:53 +08:00
|
|
|
|
this.deob = null;
|
2011-10-09 01:33:12 +08:00
|
|
|
|
return detected;
|
2011-09-22 10:55:30 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public void save() {
|
|
|
|
|
|
Log.n("Saving {0}", options.NewFilename);
|
2011-11-25 22:19:56 +08:00
|
|
|
|
assemblyModule.save(options.NewFilename, options.ControlFlowDeobfuscation, deob as IWriterListener);
|
2011-09-22 10:55:30 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
IList<MethodDefinition> getAllMethods() {
|
|
|
|
|
|
var list = new List<MethodDefinition>();
|
|
|
|
|
|
|
|
|
|
|
|
foreach (var type in module.GetTypes()) {
|
|
|
|
|
|
foreach (var method in type.Methods)
|
|
|
|
|
|
list.Add(method);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return list;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public void deobfuscateBegin() {
|
|
|
|
|
|
switch (options.StringDecrypterType) {
|
|
|
|
|
|
case DecrypterType.None:
|
|
|
|
|
|
checkSupportedStringDecrypter(StringFeatures.AllowNoDecryption);
|
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
|
|
case DecrypterType.Static:
|
|
|
|
|
|
checkSupportedStringDecrypter(StringFeatures.AllowStaticDecryption);
|
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
|
|
case DecrypterType.Delegate:
|
2011-09-24 16:26:29 +08:00
|
|
|
|
case DecrypterType.Emulate:
|
2011-09-22 10:55:30 +08:00
|
|
|
|
checkSupportedStringDecrypter(StringFeatures.AllowDynamicDecryption);
|
|
|
|
|
|
assemblyClient = assemblyClientFactory.create();
|
|
|
|
|
|
assemblyClient.connect();
|
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
|
throw new ApplicationException(string.Format("Invalid string decrypter type '{0}'", options.StringDecrypterType));
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public void checkSupportedStringDecrypter(StringFeatures feature) {
|
|
|
|
|
|
if ((deob.StringFeatures & feature) == feature)
|
|
|
|
|
|
return;
|
2011-11-12 18:31:07 +08:00
|
|
|
|
throw new UserException(string.Format("Deobfuscator {0} does not support this string decryption type", deob.TypeLong));
|
2011-09-22 10:55:30 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public void deobfuscate() {
|
|
|
|
|
|
Log.n("Cleaning {0}", options.Filename);
|
|
|
|
|
|
initAssemblyClient();
|
2011-10-26 20:32:50 +08:00
|
|
|
|
|
2011-10-29 08:23:48 +08:00
|
|
|
|
byte[] fileData = null;
|
|
|
|
|
|
Dictionary<uint, DumpedMethod> dumpedMethods = null;
|
|
|
|
|
|
if (deob.getDecryptedModule(ref fileData, ref dumpedMethods))
|
|
|
|
|
|
reloadModule(fileData, dumpedMethods);
|
2011-10-26 20:32:50 +08:00
|
|
|
|
|
2011-09-22 10:55:30 +08:00
|
|
|
|
deob.deobfuscateBegin();
|
|
|
|
|
|
deobfuscateMethods();
|
|
|
|
|
|
deob.deobfuscateEnd();
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2011-10-29 08:23:48 +08:00
|
|
|
|
void reloadModule(byte[] newModuleData, Dictionary<uint, DumpedMethod> dumpedMethods) {
|
2011-11-06 19:34:09 +08:00
|
|
|
|
Log.v("Reloading decrypted assembly (original filename: {0})", Filename);
|
2011-10-30 13:14:22 +08:00
|
|
|
|
simpleDeobfuscatorFlags.Clear();
|
2011-10-29 08:23:48 +08:00
|
|
|
|
module = assemblyModule.reload(newModuleData, dumpedMethods);
|
2011-10-26 20:32:50 +08:00
|
|
|
|
allMethods = getAllMethods();
|
|
|
|
|
|
deob = deob.moduleReloaded(module);
|
|
|
|
|
|
initializeDeobfuscator();
|
|
|
|
|
|
deob.DeobfuscatedFile = this;
|
|
|
|
|
|
updateDynamicStringDecrypter();
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2011-09-22 10:55:30 +08:00
|
|
|
|
void initAssemblyClient() {
|
|
|
|
|
|
if (assemblyClient == null)
|
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
|
|
assemblyClient.waitConnected();
|
|
|
|
|
|
assemblyClient.Service.loadAssembly(options.Filename);
|
|
|
|
|
|
|
|
|
|
|
|
if (options.StringDecrypterType == DecrypterType.Delegate)
|
|
|
|
|
|
assemblyClient.Service.setStringDecrypterType(AssemblyData.StringDecrypterType.Delegate);
|
2011-09-24 16:26:29 +08:00
|
|
|
|
else if (options.StringDecrypterType == DecrypterType.Emulate)
|
|
|
|
|
|
assemblyClient.Service.setStringDecrypterType(AssemblyData.StringDecrypterType.Emulate);
|
2011-09-22 10:55:30 +08:00
|
|
|
|
else
|
|
|
|
|
|
throw new ApplicationException(string.Format("Invalid string decrypter type '{0}'", options.StringDecrypterType));
|
|
|
|
|
|
|
|
|
|
|
|
dynamicStringDecrypter = new DynamicStringDecrypter(assemblyClient);
|
|
|
|
|
|
updateDynamicStringDecrypter();
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void updateDynamicStringDecrypter() {
|
|
|
|
|
|
if (dynamicStringDecrypter != null)
|
|
|
|
|
|
dynamicStringDecrypter.init(getMethodTokens());
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
IEnumerable<int> getMethodTokens() {
|
|
|
|
|
|
var tokens = new List<int>();
|
|
|
|
|
|
|
|
|
|
|
|
if (!userStringDecrypterMethods) {
|
|
|
|
|
|
options.StringDecrypterMethods.Clear();
|
|
|
|
|
|
options.StringDecrypterMethods.AddRange(deob.getStringDecrypterMethods());
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
foreach (var val in options.StringDecrypterMethods) {
|
|
|
|
|
|
var tokenStr = val.Trim();
|
2011-10-09 19:19:26 +08:00
|
|
|
|
if (Utils.StartsWith(tokenStr, "0x", StringComparison.OrdinalIgnoreCase))
|
2011-09-22 10:55:30 +08:00
|
|
|
|
tokenStr = tokenStr.Substring(2);
|
|
|
|
|
|
int methodToken;
|
|
|
|
|
|
if (int.TryParse(tokenStr, NumberStyles.HexNumber, null, out methodToken))
|
|
|
|
|
|
tokens.Add(methodToken);
|
|
|
|
|
|
else
|
|
|
|
|
|
tokens.AddRange(findMethodTokens(val));
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return tokens;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
IEnumerable<int> findMethodTokens(string methodDesc) {
|
|
|
|
|
|
var tokens = new List<int>();
|
|
|
|
|
|
|
|
|
|
|
|
string typeString, methodName;
|
|
|
|
|
|
string[] argsStrings;
|
|
|
|
|
|
splitMethodDesc(methodDesc, out typeString, out methodName, out argsStrings);
|
|
|
|
|
|
|
|
|
|
|
|
foreach (var type in module.GetTypes()) {
|
|
|
|
|
|
if (typeString != null && typeString != type.FullName)
|
|
|
|
|
|
continue;
|
|
|
|
|
|
foreach (var method in type.Methods) {
|
|
|
|
|
|
if (!method.IsStatic || method.MethodReturnType.ReturnType.FullName != "System.String")
|
|
|
|
|
|
continue;
|
|
|
|
|
|
if (methodName != null && methodName != method.Name)
|
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
|
|
if (argsStrings == null) {
|
|
|
|
|
|
if (method.Parameters.Count == 0)
|
|
|
|
|
|
continue;
|
|
|
|
|
|
}
|
|
|
|
|
|
else {
|
|
|
|
|
|
if (argsStrings.Length != method.Parameters.Count)
|
|
|
|
|
|
continue;
|
|
|
|
|
|
for (int i = 0; i < argsStrings.Length; i++) {
|
|
|
|
|
|
if (argsStrings[i] != method.Parameters[i].ParameterType.FullName)
|
|
|
|
|
|
continue;
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
Log.v("Adding string decrypter; token: {0:X8}, method: {1}", method.MetadataToken.ToInt32(), method.FullName);
|
|
|
|
|
|
tokens.Add(method.MetadataToken.ToInt32());
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return tokens;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static void splitMethodDesc(string methodDesc, out string type, out string name, out string[] args) {
|
|
|
|
|
|
string stringArgs = null;
|
|
|
|
|
|
args = null;
|
|
|
|
|
|
type = null;
|
|
|
|
|
|
name = null;
|
|
|
|
|
|
|
|
|
|
|
|
var remaining = methodDesc;
|
|
|
|
|
|
int index = remaining.LastIndexOf("::");
|
|
|
|
|
|
if (index >= 0) {
|
|
|
|
|
|
type = remaining.Substring(0, index);
|
|
|
|
|
|
remaining = remaining.Substring(index + 2);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
index = remaining.IndexOf('(');
|
|
|
|
|
|
if (index >= 0) {
|
|
|
|
|
|
name = remaining.Substring(0, index);
|
|
|
|
|
|
remaining = remaining.Substring(index);
|
|
|
|
|
|
}
|
|
|
|
|
|
else {
|
|
|
|
|
|
name = remaining;
|
|
|
|
|
|
remaining = "";
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2011-10-09 19:19:26 +08:00
|
|
|
|
if (Utils.StartsWith(remaining, "(", StringComparison.Ordinal)) {
|
2011-09-22 10:55:30 +08:00
|
|
|
|
stringArgs = remaining;
|
|
|
|
|
|
}
|
|
|
|
|
|
else if (remaining.Length > 0)
|
|
|
|
|
|
throw new UserException(string.Format("Invalid method desc: '{0}'", methodDesc));
|
|
|
|
|
|
|
|
|
|
|
|
if (stringArgs != null) {
|
2011-10-09 19:19:26 +08:00
|
|
|
|
if (Utils.StartsWith(stringArgs, "(", StringComparison.Ordinal))
|
2011-09-22 10:55:30 +08:00
|
|
|
|
stringArgs = stringArgs.Substring(1);
|
|
|
|
|
|
if (stringArgs.EndsWith(")", StringComparison.Ordinal))
|
|
|
|
|
|
stringArgs = stringArgs.Substring(0, stringArgs.Length - 1);
|
|
|
|
|
|
args = stringArgs.Split(',');
|
|
|
|
|
|
for (int i = 0; i < args.Length; i++)
|
|
|
|
|
|
args[i] = args[i].Trim();
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if (type == "")
|
|
|
|
|
|
type = null;
|
|
|
|
|
|
if (name == "")
|
|
|
|
|
|
name = null;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public void deobfuscateEnd() {
|
|
|
|
|
|
deobfuscateCleanUp();
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public void deobfuscateCleanUp() {
|
|
|
|
|
|
if (assemblyClient != null) {
|
|
|
|
|
|
assemblyClient.Dispose();
|
|
|
|
|
|
assemblyClient = null;
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void deobfuscateMethods() {
|
|
|
|
|
|
if (savedMethodBodies != null) {
|
|
|
|
|
|
savedMethodBodies.restoreAll();
|
|
|
|
|
|
savedMethodBodies = null;
|
|
|
|
|
|
}
|
|
|
|
|
|
deob.DeobfuscatedFile = null;
|
|
|
|
|
|
|
|
|
|
|
|
Log.v("Deobfuscating methods");
|
2011-10-13 01:47:51 +08:00
|
|
|
|
var methodPrinter = new MethodPrinter();
|
2011-11-01 21:19:53 +08:00
|
|
|
|
var cflowDeobfuscator = new BlocksCflowDeobfuscator { InlineMethods = deob.CanInlineMethods };
|
2011-09-22 10:55:30 +08:00
|
|
|
|
foreach (var method in allMethods) {
|
|
|
|
|
|
Log.v("Deobfuscating {0} ({1:X8})", method, method.MetadataToken.ToUInt32());
|
|
|
|
|
|
Log.indent();
|
|
|
|
|
|
|
2011-12-24 00:28:20 +08:00
|
|
|
|
try {
|
|
|
|
|
|
deobfuscate(method, cflowDeobfuscator, methodPrinter);
|
|
|
|
|
|
}
|
2011-12-26 06:06:37 +08:00
|
|
|
|
catch (ApplicationException) {
|
|
|
|
|
|
throw;
|
|
|
|
|
|
}
|
|
|
|
|
|
catch (Exception ex) {
|
|
|
|
|
|
Log.w("Could not deobfuscate method {0:X8}. Hello, E.T.: {1}", // E.T. = exception type
|
|
|
|
|
|
method.MetadataToken.ToInt32(),
|
|
|
|
|
|
ex.GetType());
|
2011-12-24 00:28:20 +08:00
|
|
|
|
}
|
|
|
|
|
|
removeNoInliningAttribute(method);
|
2011-10-27 04:16:51 +08:00
|
|
|
|
|
2011-12-24 00:28:20 +08:00
|
|
|
|
Log.deIndent();
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
2011-10-27 04:16:51 +08:00
|
|
|
|
|
2011-12-24 00:28:20 +08:00
|
|
|
|
void deobfuscate(MethodDefinition method, BlocksCflowDeobfuscator cflowDeobfuscator, MethodPrinter methodPrinter) {
|
|
|
|
|
|
if (!hasNonEmptyBody(method))
|
|
|
|
|
|
return;
|
2011-10-27 04:16:51 +08:00
|
|
|
|
|
2011-12-24 00:28:20 +08:00
|
|
|
|
var blocks = new Blocks(method);
|
|
|
|
|
|
int numRemovedLocals = 0;
|
|
|
|
|
|
int oldNumInstructions = method.Body.Instructions.Count;
|
2011-09-22 10:55:30 +08:00
|
|
|
|
|
2011-12-24 00:28:20 +08:00
|
|
|
|
deob.deobfuscateMethodBegin(blocks);
|
|
|
|
|
|
if (options.ControlFlowDeobfuscation) {
|
|
|
|
|
|
cflowDeobfuscator.init(blocks);
|
|
|
|
|
|
cflowDeobfuscator.deobfuscate();
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if (deob.deobfuscateOther(blocks) && options.ControlFlowDeobfuscation)
|
|
|
|
|
|
cflowDeobfuscator.deobfuscate();
|
2011-09-22 10:55:30 +08:00
|
|
|
|
|
2011-12-24 00:28:20 +08:00
|
|
|
|
if (options.ControlFlowDeobfuscation) {
|
|
|
|
|
|
numRemovedLocals = blocks.optimizeLocals();
|
|
|
|
|
|
blocks.repartitionBlocks();
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
deobfuscateStrings(blocks);
|
|
|
|
|
|
deob.deobfuscateMethodEnd(blocks);
|
|
|
|
|
|
|
|
|
|
|
|
IList<Instruction> allInstructions;
|
|
|
|
|
|
IList<ExceptionHandler> allExceptionHandlers;
|
|
|
|
|
|
blocks.getCode(out allInstructions, out allExceptionHandlers);
|
|
|
|
|
|
DotNetUtils.restoreBody(method, allInstructions, allExceptionHandlers);
|
|
|
|
|
|
|
|
|
|
|
|
if (numRemovedLocals > 0)
|
|
|
|
|
|
Log.v("Removed {0} unused local(s)", numRemovedLocals);
|
|
|
|
|
|
int numRemovedInstructions = oldNumInstructions - method.Body.Instructions.Count;
|
|
|
|
|
|
if (numRemovedInstructions > 0)
|
|
|
|
|
|
Log.v("Removed {0} dead instruction(s)", numRemovedInstructions);
|
|
|
|
|
|
|
|
|
|
|
|
const Log.LogLevel dumpLogLevel = Log.LogLevel.veryverbose;
|
|
|
|
|
|
if (Log.isAtLeast(dumpLogLevel)) {
|
|
|
|
|
|
Log.log(dumpLogLevel, "Deobfuscated code:");
|
|
|
|
|
|
Log.indent();
|
|
|
|
|
|
methodPrinter.print(dumpLogLevel, method, allInstructions, allExceptionHandlers);
|
2011-09-22 10:55:30 +08:00
|
|
|
|
Log.deIndent();
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2011-10-13 01:47:51 +08:00
|
|
|
|
class MethodPrinter {
|
|
|
|
|
|
Log.LogLevel logLevel;
|
2011-11-04 06:32:33 +08:00
|
|
|
|
MethodReference method;
|
2011-10-13 01:47:51 +08:00
|
|
|
|
IList<Instruction> allInstructions;
|
|
|
|
|
|
IList<ExceptionHandler> allExceptionHandlers;
|
|
|
|
|
|
Dictionary<Instruction, bool> targets = new Dictionary<Instruction, bool>();
|
2011-10-21 16:32:43 +08:00
|
|
|
|
Dictionary<Instruction, string> labels = new Dictionary<Instruction, string>();
|
2011-10-13 01:47:51 +08:00
|
|
|
|
|
|
|
|
|
|
class ExInfo {
|
|
|
|
|
|
public List<ExceptionHandler> tryStarts = new List<ExceptionHandler>();
|
|
|
|
|
|
public List<ExceptionHandler> tryEnds = new List<ExceptionHandler>();
|
|
|
|
|
|
public List<ExceptionHandler> filterStarts = new List<ExceptionHandler>();
|
|
|
|
|
|
public List<ExceptionHandler> handlerStarts = new List<ExceptionHandler>();
|
|
|
|
|
|
public List<ExceptionHandler> handlerEnds = new List<ExceptionHandler>();
|
|
|
|
|
|
}
|
|
|
|
|
|
Dictionary<Instruction, ExInfo> exInfos = new Dictionary<Instruction, ExInfo>();
|
|
|
|
|
|
ExInfo lastExInfo;
|
|
|
|
|
|
|
2011-11-04 06:32:33 +08:00
|
|
|
|
public void print(Log.LogLevel logLevel, MethodReference method, IList<Instruction> allInstructions, IList<ExceptionHandler> allExceptionHandlers) {
|
2011-10-13 01:47:51 +08:00
|
|
|
|
try {
|
|
|
|
|
|
this.logLevel = logLevel;
|
2011-11-04 06:32:33 +08:00
|
|
|
|
this.method = method;
|
2011-10-13 01:47:51 +08:00
|
|
|
|
this.allInstructions = allInstructions;
|
|
|
|
|
|
this.allExceptionHandlers = allExceptionHandlers;
|
|
|
|
|
|
lastExInfo = new ExInfo();
|
|
|
|
|
|
print();
|
|
|
|
|
|
}
|
|
|
|
|
|
finally {
|
2011-11-04 06:32:33 +08:00
|
|
|
|
this.method = null;
|
2011-10-13 01:47:51 +08:00
|
|
|
|
this.allInstructions = null;
|
|
|
|
|
|
this.allExceptionHandlers = null;
|
|
|
|
|
|
targets.Clear();
|
2011-10-21 16:32:43 +08:00
|
|
|
|
labels.Clear();
|
2011-10-13 01:47:51 +08:00
|
|
|
|
exInfos.Clear();
|
|
|
|
|
|
lastExInfo = null;
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void initTargets() {
|
|
|
|
|
|
foreach (var instr in allInstructions) {
|
|
|
|
|
|
switch (instr.OpCode.OperandType) {
|
|
|
|
|
|
case OperandType.ShortInlineBrTarget:
|
|
|
|
|
|
case OperandType.InlineBrTarget:
|
2011-10-21 16:32:43 +08:00
|
|
|
|
setTarget(instr.Operand as Instruction);
|
2011-10-13 01:47:51 +08:00
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
|
|
case OperandType.InlineSwitch:
|
2011-10-21 16:32:43 +08:00
|
|
|
|
foreach (var targetInstr in (Instruction[])instr.Operand)
|
|
|
|
|
|
setTarget(targetInstr);
|
2011-10-13 01:47:51 +08:00
|
|
|
|
break;
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
2011-10-21 16:32:43 +08:00
|
|
|
|
|
|
|
|
|
|
foreach (var ex in allExceptionHandlers) {
|
|
|
|
|
|
setTarget(ex.TryStart);
|
|
|
|
|
|
setTarget(ex.TryEnd);
|
|
|
|
|
|
setTarget(ex.FilterStart);
|
|
|
|
|
|
setTarget(ex.HandlerStart);
|
|
|
|
|
|
setTarget(ex.HandlerEnd);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
var sortedTargets = new List<Instruction>(targets.Keys);
|
2011-11-21 17:32:36 +08:00
|
|
|
|
sortedTargets.Sort((a, b) => Utils.compareInt32(a.Offset, b.Offset));
|
2011-10-21 16:32:43 +08:00
|
|
|
|
for (int i = 0; i < sortedTargets.Count; i++)
|
|
|
|
|
|
labels[sortedTargets[i]] = string.Format("label_{0}", i);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void setTarget(Instruction instr) {
|
|
|
|
|
|
if (instr != null)
|
|
|
|
|
|
targets[instr] = true;
|
2011-10-13 01:47:51 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void initExHandlers() {
|
|
|
|
|
|
foreach (var ex in allExceptionHandlers) {
|
|
|
|
|
|
if (ex.TryStart != null) {
|
|
|
|
|
|
getExInfo(ex.TryStart).tryStarts.Add(ex);
|
|
|
|
|
|
getExInfo(ex.TryEnd).tryEnds.Add(ex);
|
|
|
|
|
|
}
|
|
|
|
|
|
if (ex.FilterStart != null)
|
|
|
|
|
|
getExInfo(ex.FilterStart).filterStarts.Add(ex);
|
|
|
|
|
|
if (ex.HandlerStart != null) {
|
|
|
|
|
|
getExInfo(ex.HandlerStart).handlerStarts.Add(ex);
|
|
|
|
|
|
getExInfo(ex.HandlerEnd).handlerEnds.Add(ex);
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
ExInfo getExInfo(Instruction instruction) {
|
|
|
|
|
|
if (instruction == null)
|
|
|
|
|
|
return lastExInfo;
|
|
|
|
|
|
ExInfo exInfo;
|
|
|
|
|
|
if (!exInfos.TryGetValue(instruction, out exInfo))
|
|
|
|
|
|
exInfos[instruction] = exInfo = new ExInfo();
|
|
|
|
|
|
return exInfo;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void print() {
|
|
|
|
|
|
initTargets();
|
|
|
|
|
|
initExHandlers();
|
|
|
|
|
|
|
|
|
|
|
|
Log.indent();
|
|
|
|
|
|
foreach (var instr in allInstructions) {
|
|
|
|
|
|
if (targets.ContainsKey(instr)) {
|
|
|
|
|
|
Log.deIndent();
|
2011-10-21 16:32:43 +08:00
|
|
|
|
Log.log(logLevel, "{0}:", getLabel(instr));
|
2011-10-13 01:47:51 +08:00
|
|
|
|
Log.indent();
|
|
|
|
|
|
}
|
2011-10-21 16:32:43 +08:00
|
|
|
|
ExInfo exInfo;
|
|
|
|
|
|
if (exInfos.TryGetValue(instr, out exInfo))
|
|
|
|
|
|
printExInfo(exInfo);
|
2011-10-13 01:47:51 +08:00
|
|
|
|
var instrString = instr.GetOpCodeString();
|
2011-10-21 16:32:43 +08:00
|
|
|
|
var operandString = getOperandString(instr);
|
2011-10-13 01:47:51 +08:00
|
|
|
|
var memberReference = instr.Operand as MemberReference;
|
|
|
|
|
|
if (operandString == "")
|
|
|
|
|
|
Log.log(logLevel, "{0}", instrString);
|
|
|
|
|
|
else if (memberReference != null)
|
|
|
|
|
|
Log.log(logLevel, "{0,-9} {1} // {2:X8}", instrString, operandString, memberReference.MetadataToken.ToUInt32());
|
|
|
|
|
|
else
|
|
|
|
|
|
Log.log(logLevel, "{0,-9} {1}", instrString, operandString);
|
|
|
|
|
|
}
|
|
|
|
|
|
printExInfo(lastExInfo);
|
|
|
|
|
|
Log.deIndent();
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2011-10-21 16:32:43 +08:00
|
|
|
|
string getOperandString(Instruction instr) {
|
|
|
|
|
|
if (instr.Operand is Instruction)
|
|
|
|
|
|
return getLabel((Instruction)instr.Operand);
|
|
|
|
|
|
else if (instr.Operand is Instruction[]) {
|
|
|
|
|
|
var sb = new StringBuilder();
|
|
|
|
|
|
var targets = (Instruction[])instr.Operand;
|
|
|
|
|
|
for (int i = 0; i < targets.Length; i++) {
|
|
|
|
|
|
if (i > 0)
|
|
|
|
|
|
sb.Append(',');
|
|
|
|
|
|
sb.Append(getLabel(targets[i]));
|
|
|
|
|
|
}
|
|
|
|
|
|
return sb.ToString();
|
|
|
|
|
|
}
|
|
|
|
|
|
else if (instr.Operand is string)
|
|
|
|
|
|
return Utils.toCsharpString((string)instr.Operand);
|
2011-11-04 06:32:33 +08:00
|
|
|
|
else if (instr.Operand is ParameterDefinition) {
|
|
|
|
|
|
var arg = (ParameterDefinition)instr.Operand;
|
|
|
|
|
|
var s = instr.GetOperandString();
|
|
|
|
|
|
if (s != "")
|
|
|
|
|
|
return s;
|
|
|
|
|
|
return string.Format("<arg_{0}>", DotNetUtils.getArgIndex(method, arg));
|
|
|
|
|
|
}
|
2011-10-21 16:32:43 +08:00
|
|
|
|
else
|
|
|
|
|
|
return instr.GetOperandString();
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2011-10-13 01:47:51 +08:00
|
|
|
|
void printExInfo(ExInfo exInfo) {
|
|
|
|
|
|
Log.deIndent();
|
|
|
|
|
|
foreach (var ex in exInfo.tryStarts)
|
|
|
|
|
|
Log.log(logLevel, "// try start: {0}", getExceptionString(ex));
|
|
|
|
|
|
foreach (var ex in exInfo.tryEnds)
|
|
|
|
|
|
Log.log(logLevel, "// try end: {0}", getExceptionString(ex));
|
|
|
|
|
|
foreach (var ex in exInfo.filterStarts)
|
|
|
|
|
|
Log.log(logLevel, "// filter start: {0}", getExceptionString(ex));
|
|
|
|
|
|
foreach (var ex in exInfo.handlerStarts)
|
|
|
|
|
|
Log.log(logLevel, "// handler start: {0}", getExceptionString(ex));
|
|
|
|
|
|
foreach (var ex in exInfo.handlerEnds)
|
|
|
|
|
|
Log.log(logLevel, "// handler end: {0}", getExceptionString(ex));
|
|
|
|
|
|
Log.indent();
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
string getExceptionString(ExceptionHandler ex) {
|
|
|
|
|
|
var sb = new StringBuilder();
|
|
|
|
|
|
if (ex.TryStart != null)
|
2011-10-21 16:32:43 +08:00
|
|
|
|
sb.Append(string.Format("TRY: {0}-{1}", getLabel(ex.TryStart), getLabel(ex.TryEnd)));
|
2011-10-13 01:47:51 +08:00
|
|
|
|
if (ex.FilterStart != null)
|
2011-10-21 16:32:43 +08:00
|
|
|
|
sb.Append(string.Format(", FILTER: {0}", getLabel(ex.FilterStart)));
|
2011-10-13 01:47:51 +08:00
|
|
|
|
if (ex.HandlerStart != null)
|
2011-10-21 16:32:43 +08:00
|
|
|
|
sb.Append(string.Format(", HANDLER: {0}-{1}", getLabel(ex.HandlerStart), getLabel(ex.HandlerEnd)));
|
2011-10-13 01:47:51 +08:00
|
|
|
|
sb.Append(string.Format(", TYPE: {0}", ex.HandlerType));
|
|
|
|
|
|
if (ex.CatchType != null)
|
|
|
|
|
|
sb.Append(string.Format(", CATCH: {0}", ex.CatchType));
|
|
|
|
|
|
return sb.ToString();
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2011-10-21 16:32:43 +08:00
|
|
|
|
string getLabel(Instruction instr) {
|
2011-10-13 01:47:51 +08:00
|
|
|
|
if (instr == null)
|
2011-10-21 16:32:43 +08:00
|
|
|
|
return "<end>";
|
|
|
|
|
|
return labels[instr];
|
2011-10-13 01:47:51 +08:00
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2011-09-25 00:48:15 +08:00
|
|
|
|
bool hasNonEmptyBody(MethodDefinition method) {
|
|
|
|
|
|
return method.HasBody && method.Body.Instructions.Count > 0;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2011-09-22 10:55:30 +08:00
|
|
|
|
void deobfuscateStrings(Blocks blocks) {
|
|
|
|
|
|
switch (options.StringDecrypterType) {
|
|
|
|
|
|
case DecrypterType.None:
|
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
|
|
case DecrypterType.Static:
|
|
|
|
|
|
deob.deobfuscateStrings(blocks);
|
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
|
|
case DecrypterType.Delegate:
|
2011-09-24 16:26:29 +08:00
|
|
|
|
case DecrypterType.Emulate:
|
2011-09-22 10:55:30 +08:00
|
|
|
|
dynamicStringDecrypter.decrypt(blocks);
|
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
|
throw new ApplicationException(string.Format("Invalid string decrypter type '{0}'", options.StringDecrypterType));
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void removeNoInliningAttribute(MethodDefinition method) {
|
|
|
|
|
|
method.ImplAttributes = method.ImplAttributes & ~MethodImplAttributes.NoInlining;
|
2011-12-26 06:06:37 +08:00
|
|
|
|
for (int i = 0; i < method.CustomAttributes.Count; i++) {
|
|
|
|
|
|
var cattr = method.CustomAttributes[i];
|
|
|
|
|
|
if (cattr.AttributeType.FullName != "System.Runtime.CompilerServices.MethodImplAttribute")
|
|
|
|
|
|
continue;
|
|
|
|
|
|
int options = 0;
|
|
|
|
|
|
if (!getMethodImplOptions(cattr, ref options))
|
|
|
|
|
|
continue;
|
|
|
|
|
|
if (options != 0 && options != (int)MethodImplAttributes.NoInlining)
|
|
|
|
|
|
continue;
|
|
|
|
|
|
method.CustomAttributes.RemoveAt(i);
|
|
|
|
|
|
i--;
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static bool getMethodImplOptions(CustomAttribute cattr, ref int value) {
|
|
|
|
|
|
if (cattr.ConstructorArguments.Count != 1)
|
|
|
|
|
|
return false;
|
|
|
|
|
|
if (cattr.ConstructorArguments[0].Type.FullName != "System.Int16" &&
|
|
|
|
|
|
cattr.ConstructorArguments[0].Type.FullName != "System.Runtime.CompilerServices.MethodImplOptions")
|
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
|
|
var arg = cattr.ConstructorArguments[0].Value;
|
|
|
|
|
|
if (arg is short) {
|
|
|
|
|
|
value = (short)arg;
|
|
|
|
|
|
return true;
|
|
|
|
|
|
}
|
|
|
|
|
|
if (arg is int) {
|
|
|
|
|
|
value = (int)arg;
|
|
|
|
|
|
return true;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return false;
|
2011-09-22 10:55:30 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public override string ToString() {
|
|
|
|
|
|
if (options == null || options.Filename == null)
|
|
|
|
|
|
return base.ToString();
|
|
|
|
|
|
return options.Filename;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
[Flags]
|
|
|
|
|
|
enum SimpleDeobFlags {
|
|
|
|
|
|
HasDeobfuscated = 0x1,
|
|
|
|
|
|
}
|
|
|
|
|
|
Dictionary<MethodDefinition, SimpleDeobFlags> simpleDeobfuscatorFlags = new Dictionary<MethodDefinition, SimpleDeobFlags>();
|
|
|
|
|
|
bool check(MethodDefinition method, SimpleDeobFlags flag) {
|
|
|
|
|
|
SimpleDeobFlags oldFlags;
|
|
|
|
|
|
simpleDeobfuscatorFlags.TryGetValue(method, out oldFlags);
|
|
|
|
|
|
simpleDeobfuscatorFlags[method] = oldFlags | flag;
|
|
|
|
|
|
return (oldFlags & flag) == flag;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void deobfuscate(MethodDefinition method, string msg, Action<Blocks> handler) {
|
|
|
|
|
|
if (savedMethodBodies != null)
|
|
|
|
|
|
savedMethodBodies.save(method);
|
|
|
|
|
|
|
|
|
|
|
|
Log.v("{0}: {1} ({2:X8})", msg, method, method.MetadataToken.ToUInt32());
|
|
|
|
|
|
Log.indent();
|
|
|
|
|
|
|
2011-09-25 00:48:15 +08:00
|
|
|
|
if (hasNonEmptyBody(method)) {
|
2011-09-22 10:55:30 +08:00
|
|
|
|
var blocks = new Blocks(method);
|
|
|
|
|
|
|
|
|
|
|
|
handler(blocks);
|
|
|
|
|
|
|
|
|
|
|
|
IList<Instruction> allInstructions;
|
|
|
|
|
|
IList<ExceptionHandler> allExceptionHandlers;
|
|
|
|
|
|
blocks.getCode(out allInstructions, out allExceptionHandlers);
|
|
|
|
|
|
DotNetUtils.restoreBody(method, allInstructions, allExceptionHandlers);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
Log.deIndent();
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void ISimpleDeobfuscator.deobfuscate(MethodDefinition method) {
|
|
|
|
|
|
if (check(method, SimpleDeobFlags.HasDeobfuscated))
|
|
|
|
|
|
return;
|
|
|
|
|
|
|
2011-10-22 02:35:13 +08:00
|
|
|
|
deobfuscate(method, "Deobfuscating control flow", (blocks) => {
|
|
|
|
|
|
var cflowDeobfuscator = new BlocksCflowDeobfuscator();
|
2011-11-01 21:19:53 +08:00
|
|
|
|
cflowDeobfuscator.InlineMethods = deob.CanInlineMethods;
|
2011-10-22 02:35:13 +08:00
|
|
|
|
cflowDeobfuscator.init(blocks);
|
|
|
|
|
|
cflowDeobfuscator.deobfuscate();
|
|
|
|
|
|
});
|
2011-09-22 10:55:30 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void ISimpleDeobfuscator.decryptStrings(MethodDefinition method, IDeobfuscator theDeob) {
|
|
|
|
|
|
deobfuscate(method, "Static string decryption", (blocks) => theDeob.deobfuscateStrings(blocks));
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2011-10-22 20:31:38 +08:00
|
|
|
|
void IDeobfuscatedFile.createAssemblyFile(byte[] data, string assemblyName, string extension) {
|
|
|
|
|
|
if (extension == null)
|
|
|
|
|
|
extension = ".dll";
|
2011-09-22 10:55:30 +08:00
|
|
|
|
var baseDir = Utils.getDirName(options.NewFilename);
|
2011-10-22 20:31:38 +08:00
|
|
|
|
var newName = Path.Combine(baseDir, assemblyName + extension);
|
2011-09-22 10:55:30 +08:00
|
|
|
|
Log.n("Creating file {0}", newName);
|
|
|
|
|
|
using (var writer = new BinaryWriter(new FileStream(newName, FileMode.Create))) {
|
|
|
|
|
|
writer.Write(data);
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void IDeobfuscatedFile.stringDecryptersAdded() {
|
|
|
|
|
|
updateDynamicStringDecrypter();
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
