2012-07-30 20:11:04 +08:00
|
|
|
|
/*
|
|
|
|
|
Copyright (C) 2011-2012 de4dot@gmail.com
|
|
|
|
|
|
|
|
|
|
This file is part of de4dot.
|
|
|
|
|
|
|
|
|
|
de4dot is free software: you can redistribute it and/or modify
|
|
|
|
|
it under the terms of the GNU General Public License as published by
|
|
|
|
|
the Free Software Foundation, either version 3 of the License, or
|
|
|
|
|
(at your option) any later version.
|
|
|
|
|
|
|
|
|
|
de4dot is distributed in the hope that it will be useful,
|
|
|
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
GNU General Public License for more details.
|
|
|
|
|
|
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
|
|
|
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
*/
|
|
|
|
|
|
2012-08-01 01:56:10 +08:00
|
|
|
|
using System;
|
2012-08-01 17:41:31 +08:00
|
|
|
|
using System.Collections.Generic;
|
2012-08-01 01:56:10 +08:00
|
|
|
|
using System.IO;
|
2012-07-30 20:11:04 +08:00
|
|
|
|
using Mono.Cecil;
|
|
|
|
|
using Mono.Cecil.Cil;
|
2012-08-04 04:36:40 +08:00
|
|
|
|
using Mono.Cecil.Metadata;
|
2012-07-30 20:11:04 +08:00
|
|
|
|
using de4dot.blocks;
|
2012-08-08 01:35:12 +08:00
|
|
|
|
using SevenZip.Compression.LZMA;
|
2012-07-30 20:11:04 +08:00
|
|
|
|
|
|
|
|
|
namespace de4dot.code.deobfuscators.Confuser {
|
2012-08-04 04:36:40 +08:00
|
|
|
|
class RealAssemblyInfo {
|
|
|
|
|
public AssemblyDefinition realAssembly;
|
|
|
|
|
public uint entryPointToken;
|
|
|
|
|
public ModuleKind kind;
|
|
|
|
|
public string moduleName;
|
|
|
|
|
|
|
|
|
|
public RealAssemblyInfo(AssemblyDefinition realAssembly, uint entryPointToken, ModuleKind kind) {
|
|
|
|
|
this.realAssembly = realAssembly;
|
|
|
|
|
this.entryPointToken = entryPointToken;
|
|
|
|
|
this.kind = kind;
|
|
|
|
|
this.moduleName = realAssembly.Name.Name + DeobUtils.getExtension(kind);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2012-08-01 17:41:31 +08:00
|
|
|
|
class EmbeddedAssemblyInfo {
|
|
|
|
|
public readonly byte[] data;
|
2012-08-04 04:36:40 +08:00
|
|
|
|
public string asmFullName;
|
|
|
|
|
public string asmSimpleName;
|
|
|
|
|
public string extension;
|
|
|
|
|
public ModuleKind kind;
|
2012-08-01 17:41:31 +08:00
|
|
|
|
public readonly EmbeddedResource resource;
|
2012-08-04 04:36:40 +08:00
|
|
|
|
public RealAssemblyInfo realAssemblyInfo;
|
2012-08-01 17:41:31 +08:00
|
|
|
|
|
2012-08-04 04:36:40 +08:00
|
|
|
|
public EmbeddedAssemblyInfo(EmbeddedResource resource, byte[] data, string asmFullName, ModuleKind kind) {
|
2012-08-01 17:41:31 +08:00
|
|
|
|
this.resource = resource;
|
|
|
|
|
this.data = data;
|
|
|
|
|
this.asmFullName = asmFullName;
|
|
|
|
|
this.asmSimpleName = Utils.getAssemblySimpleName(asmFullName);
|
2012-08-04 04:36:40 +08:00
|
|
|
|
this.kind = kind;
|
|
|
|
|
this.extension = DeobUtils.getExtension(kind);
|
2012-08-01 17:41:31 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public override string ToString() {
|
|
|
|
|
return asmFullName;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2012-08-09 17:47:18 +08:00
|
|
|
|
class Unpacker : IVersionProvider {
|
2012-07-30 20:11:04 +08:00
|
|
|
|
ModuleDefinition module;
|
2012-08-01 17:41:31 +08:00
|
|
|
|
EmbeddedResource mainAsmResource;
|
|
|
|
|
uint key0, key1;
|
2012-08-04 04:36:40 +08:00
|
|
|
|
uint entryPointToken;
|
2012-08-01 01:56:10 +08:00
|
|
|
|
ConfuserVersion version = ConfuserVersion.Unknown;
|
2012-08-01 17:41:31 +08:00
|
|
|
|
MethodDefinition asmResolverMethod;
|
2012-08-01 01:56:10 +08:00
|
|
|
|
|
|
|
|
|
enum ConfuserVersion {
|
|
|
|
|
Unknown,
|
|
|
|
|
v10_r42915,
|
2012-08-10 23:14:06 +08:00
|
|
|
|
v10_r48717,
|
2012-08-10 23:25:04 +08:00
|
|
|
|
v14_r57778,
|
2012-08-01 01:56:10 +08:00
|
|
|
|
v14_r58564,
|
2012-08-01 17:41:31 +08:00
|
|
|
|
v14_r58802,
|
2012-08-01 20:05:29 +08:00
|
|
|
|
v14_r58852,
|
2012-08-02 14:40:52 +08:00
|
|
|
|
v15_r60785,
|
2012-08-03 01:53:15 +08:00
|
|
|
|
v17_r73404,
|
2012-08-04 04:36:40 +08:00
|
|
|
|
v17_r73477,
|
2012-08-10 23:47:59 +08:00
|
|
|
|
v17_r73566,
|
2012-08-08 01:35:12 +08:00
|
|
|
|
v17_r75076,
|
2012-08-08 01:52:53 +08:00
|
|
|
|
v18_r75184,
|
2012-08-08 20:44:01 +08:00
|
|
|
|
v18_r75367,
|
2012-08-01 01:56:10 +08:00
|
|
|
|
}
|
2012-07-30 20:11:04 +08:00
|
|
|
|
|
|
|
|
|
public bool Detected {
|
2012-08-01 17:41:31 +08:00
|
|
|
|
get { return mainAsmResource != null; }
|
2012-07-30 20:11:04 +08:00
|
|
|
|
}
|
|
|
|
|
|
2012-08-11 07:15:25 +08:00
|
|
|
|
public Unpacker(ModuleDefinition module, Unpacker other) {
|
2012-07-30 20:11:04 +08:00
|
|
|
|
this.module = module;
|
2012-08-11 07:15:25 +08:00
|
|
|
|
if (other != null)
|
|
|
|
|
this.version = other.version;
|
2012-07-30 20:11:04 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static string[] requiredFields = new string[] {
|
|
|
|
|
"System.String",
|
|
|
|
|
};
|
|
|
|
|
static string[] requiredEntryPointLocals = new string[] {
|
|
|
|
|
"System.Byte[]",
|
|
|
|
|
"System.IO.BinaryReader",
|
|
|
|
|
"System.IO.Stream",
|
|
|
|
|
};
|
|
|
|
|
public void find(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
|
|
|
|
|
var entryPoint = module.EntryPoint;
|
|
|
|
|
if (entryPoint == null)
|
|
|
|
|
return;
|
|
|
|
|
if (!new LocalTypes(entryPoint).all(requiredEntryPointLocals))
|
|
|
|
|
return;
|
|
|
|
|
var type = entryPoint.DeclaringType;
|
|
|
|
|
if (!new FieldTypes(type).all(requiredFields))
|
|
|
|
|
return;
|
2012-08-11 07:15:25 +08:00
|
|
|
|
|
2012-08-08 01:35:12 +08:00
|
|
|
|
bool use7zip = type.NestedTypes.Count == 6;
|
|
|
|
|
MethodDefinition decyptMethod;
|
|
|
|
|
if (use7zip)
|
|
|
|
|
decyptMethod = findDecryptMethod_7zip(type);
|
|
|
|
|
else
|
|
|
|
|
decyptMethod = findDecryptMethod_inflate(type);
|
2012-08-01 01:56:10 +08:00
|
|
|
|
if (decyptMethod == null)
|
2012-07-30 20:11:04 +08:00
|
|
|
|
return;
|
2012-08-11 07:15:25 +08:00
|
|
|
|
|
|
|
|
|
ConfuserVersion theVersion = ConfuserVersion.Unknown;
|
2012-08-02 14:40:52 +08:00
|
|
|
|
var decryptLocals = new LocalTypes(decyptMethod);
|
2012-08-10 23:14:06 +08:00
|
|
|
|
if (decryptLocals.exists("System.IO.MemoryStream")) {
|
2012-08-11 06:37:19 +08:00
|
|
|
|
if (DotNetUtils.callsMethod(entryPoint, "System.Void", "(System.String,System.Byte[])"))
|
2012-08-11 07:15:25 +08:00
|
|
|
|
theVersion = ConfuserVersion.v10_r42915;
|
2012-08-11 06:37:19 +08:00
|
|
|
|
else if (DotNetUtils.callsMethod(entryPoint, "System.Void", "(System.Security.Permissions.PermissionState)"))
|
2012-08-11 07:15:25 +08:00
|
|
|
|
theVersion = ConfuserVersion.v10_r48717;
|
2012-08-10 23:25:04 +08:00
|
|
|
|
else
|
2012-08-11 07:15:25 +08:00
|
|
|
|
theVersion = ConfuserVersion.v14_r57778;
|
2012-08-10 23:14:06 +08:00
|
|
|
|
}
|
2012-08-01 01:56:10 +08:00
|
|
|
|
else
|
2012-08-11 07:15:25 +08:00
|
|
|
|
theVersion = ConfuserVersion.v14_r58564;
|
2012-07-30 20:11:04 +08:00
|
|
|
|
|
|
|
|
|
var cctor = DotNetUtils.getMethod(type, ".cctor");
|
|
|
|
|
if (cctor == null)
|
|
|
|
|
return;
|
|
|
|
|
|
2012-08-01 17:41:31 +08:00
|
|
|
|
if ((asmResolverMethod = findAssemblyResolverMethod(entryPoint.DeclaringType)) != null) {
|
2012-08-11 07:15:25 +08:00
|
|
|
|
theVersion = ConfuserVersion.v14_r58802;
|
2012-08-01 17:41:31 +08:00
|
|
|
|
simpleDeobfuscator.deobfuscate(asmResolverMethod);
|
|
|
|
|
if (!findKey1(asmResolverMethod, out key1))
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2012-08-11 07:15:25 +08:00
|
|
|
|
switch (theVersion) {
|
2012-08-01 17:41:31 +08:00
|
|
|
|
case ConfuserVersion.v10_r42915:
|
2012-08-10 23:14:06 +08:00
|
|
|
|
case ConfuserVersion.v10_r48717:
|
2012-08-10 23:25:04 +08:00
|
|
|
|
case ConfuserVersion.v14_r57778:
|
2012-08-01 17:41:31 +08:00
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case ConfuserVersion.v14_r58564:
|
|
|
|
|
case ConfuserVersion.v14_r58802:
|
2012-08-01 01:56:10 +08:00
|
|
|
|
simpleDeobfuscator.deobfuscate(decyptMethod);
|
2012-08-01 20:05:29 +08:00
|
|
|
|
if (findKey0_v14_r58564(decyptMethod, out key0))
|
|
|
|
|
break;
|
|
|
|
|
if (findKey0_v14_r58852(decyptMethod, out key0)) {
|
2012-08-02 14:40:52 +08:00
|
|
|
|
if (!decryptLocals.exists("System.Security.Cryptography.RijndaelManaged")) {
|
2012-08-11 07:15:25 +08:00
|
|
|
|
theVersion = ConfuserVersion.v14_r58852;
|
2012-08-02 14:40:52 +08:00
|
|
|
|
break;
|
|
|
|
|
}
|
2012-08-08 01:52:53 +08:00
|
|
|
|
if (use7zip) {
|
|
|
|
|
if (new LocalTypes(decyptMethod).exists("System.IO.MemoryStream"))
|
2012-08-11 07:15:25 +08:00
|
|
|
|
theVersion = ConfuserVersion.v17_r75076;
|
2012-08-08 20:44:01 +08:00
|
|
|
|
else if (module.Name == "Stub.exe")
|
2012-08-11 07:15:25 +08:00
|
|
|
|
theVersion = ConfuserVersion.v18_r75184;
|
2012-08-08 20:44:01 +08:00
|
|
|
|
else
|
2012-08-11 07:15:25 +08:00
|
|
|
|
theVersion = ConfuserVersion.v18_r75367;
|
2012-08-08 01:52:53 +08:00
|
|
|
|
}
|
2012-08-08 01:35:12 +08:00
|
|
|
|
else if (isDecryptMethod_v17_r73404(decyptMethod))
|
2012-08-11 07:15:25 +08:00
|
|
|
|
theVersion = ConfuserVersion.v17_r73404;
|
2012-08-03 01:53:15 +08:00
|
|
|
|
else
|
2012-08-11 07:15:25 +08:00
|
|
|
|
theVersion = ConfuserVersion.v15_r60785;
|
2012-08-01 20:05:29 +08:00
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
throw new ApplicationException("Could not find magic");
|
2012-08-01 17:41:31 +08:00
|
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
throw new ApplicationException("Invalid version");
|
2012-08-01 01:56:10 +08:00
|
|
|
|
}
|
|
|
|
|
|
2012-07-30 20:11:04 +08:00
|
|
|
|
simpleDeobfuscator.deobfuscate(cctor);
|
|
|
|
|
simpleDeobfuscator.decryptStrings(cctor, deob);
|
|
|
|
|
|
2012-08-10 23:47:59 +08:00
|
|
|
|
if (findEntryPointToken(simpleDeobfuscator, cctor, entryPoint, out entryPointToken) && !use7zip) {
|
|
|
|
|
if (DotNetUtils.callsMethod(asmResolverMethod, "System.Void", "(System.String)"))
|
2012-08-11 07:15:25 +08:00
|
|
|
|
theVersion = ConfuserVersion.v17_r73477;
|
2012-08-10 23:47:59 +08:00
|
|
|
|
else
|
2012-08-11 07:15:25 +08:00
|
|
|
|
theVersion = ConfuserVersion.v17_r73566;
|
2012-08-10 23:47:59 +08:00
|
|
|
|
}
|
2012-08-04 04:36:40 +08:00
|
|
|
|
|
2012-08-01 17:41:31 +08:00
|
|
|
|
mainAsmResource = findResource(cctor);
|
|
|
|
|
if (mainAsmResource == null)
|
|
|
|
|
throw new ApplicationException("Could not find main assembly resource");
|
2012-08-11 07:15:25 +08:00
|
|
|
|
version = theVersion;
|
2012-07-30 20:11:04 +08:00
|
|
|
|
}
|
|
|
|
|
|
2012-08-04 04:36:40 +08:00
|
|
|
|
bool findEntryPointToken(ISimpleDeobfuscator simpleDeobfuscator, MethodDefinition cctor, MethodDefinition entryPoint, out uint token) {
|
|
|
|
|
token = 0;
|
|
|
|
|
ulong @base;
|
|
|
|
|
if (!findBase(cctor, out @base))
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
var modPowMethod = DotNetUtils.getMethod(cctor.DeclaringType, "System.UInt64", "(System.UInt64,System.UInt64,System.UInt64)");
|
|
|
|
|
if (modPowMethod == null)
|
|
|
|
|
throw new ApplicationException("Could not find modPow()");
|
|
|
|
|
|
|
|
|
|
simpleDeobfuscator.deobfuscate(entryPoint);
|
|
|
|
|
ulong mod;
|
|
|
|
|
if (!findMod(entryPoint, out mod))
|
|
|
|
|
throw new ApplicationException("Could not find modulus");
|
|
|
|
|
|
|
|
|
|
token = 0x06000000 | (uint)modPow(@base, 0x47, mod);
|
|
|
|
|
if ((token >> 24) != 0x06)
|
|
|
|
|
throw new ApplicationException("Illegal entry point token");
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static ulong modPow(ulong @base, ulong pow, ulong mod) {
|
|
|
|
|
ulong m = 1;
|
|
|
|
|
while (pow > 0) {
|
|
|
|
|
if ((pow & 1) != 0)
|
|
|
|
|
m = (m * @base) % mod;
|
|
|
|
|
pow = pow >> 1;
|
|
|
|
|
@base = (@base * @base) % mod;
|
|
|
|
|
}
|
|
|
|
|
return m;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static bool findMod(MethodDefinition method, out ulong mod) {
|
|
|
|
|
var instrs = method.Body.Instructions;
|
2012-08-08 20:31:13 +08:00
|
|
|
|
for (int i = 0; i < instrs.Count - 1; i++) {
|
2012-08-04 04:36:40 +08:00
|
|
|
|
var ldci8 = instrs[i];
|
|
|
|
|
if (ldci8.OpCode.Code != Code.Ldc_I8)
|
|
|
|
|
continue;
|
|
|
|
|
|
2012-08-08 20:31:13 +08:00
|
|
|
|
var call = instrs[i + 1];
|
|
|
|
|
if (call.OpCode.Code != Code.Call)
|
|
|
|
|
continue;
|
|
|
|
|
var calledMethod = call.Operand as MethodReference;
|
|
|
|
|
if (calledMethod == null)
|
|
|
|
|
continue;
|
|
|
|
|
if (!DotNetUtils.isMethod(calledMethod, "System.UInt64", "(System.UInt64,System.UInt64,System.UInt64)"))
|
|
|
|
|
continue;
|
|
|
|
|
|
2012-08-04 04:36:40 +08:00
|
|
|
|
mod = (ulong)(long)ldci8.Operand;
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
mod = 0;
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static bool findBase(MethodDefinition method, out ulong @base) {
|
|
|
|
|
var instrs = method.Body.Instructions;
|
|
|
|
|
for (int i = 0; i < instrs.Count - 2; i++) {
|
|
|
|
|
var ldci8 = instrs[i];
|
|
|
|
|
if (ldci8.OpCode.Code != Code.Ldc_I8)
|
|
|
|
|
continue;
|
|
|
|
|
var stsfld = instrs[i + 1];
|
|
|
|
|
if (stsfld.OpCode.Code != Code.Stsfld)
|
|
|
|
|
continue;
|
|
|
|
|
var field = stsfld.Operand as FieldDefinition;
|
|
|
|
|
if (field == null || field.DeclaringType != method.DeclaringType)
|
|
|
|
|
continue;
|
|
|
|
|
if (field.FieldType.EType != ElementType.U8)
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
@base = (ulong)(long)ldci8.Operand;
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
@base = 0;
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2012-08-03 01:53:15 +08:00
|
|
|
|
static bool isDecryptMethod_v17_r73404(MethodDefinition method) {
|
|
|
|
|
var instrs = method.Body.Instructions;
|
|
|
|
|
if (instrs.Count < 4)
|
|
|
|
|
return false;
|
|
|
|
|
if (!DotNetUtils.isLdarg(instrs[0]))
|
|
|
|
|
return false;
|
|
|
|
|
if (!isCallorNewobj(instrs[1]) && !isCallorNewobj(instrs[2]))
|
|
|
|
|
return false;
|
|
|
|
|
var stloc = instrs[3];
|
|
|
|
|
if (!DotNetUtils.isStloc(stloc))
|
|
|
|
|
return false;
|
|
|
|
|
var local = DotNetUtils.getLocalVar(method.Body.Variables, stloc);
|
|
|
|
|
if (local == null || local.VariableType.FullName != "System.IO.BinaryReader")
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static bool isCallorNewobj(Instruction instr) {
|
|
|
|
|
return instr.OpCode.Code == Code.Call || instr.OpCode.Code == Code.Newobj;
|
|
|
|
|
}
|
|
|
|
|
|
2012-08-01 17:41:31 +08:00
|
|
|
|
static MethodDefinition findAssemblyResolverMethod(TypeDefinition type) {
|
|
|
|
|
foreach (var method in type.Methods) {
|
|
|
|
|
if (!method.IsStatic || method.Body == null)
|
|
|
|
|
continue;
|
|
|
|
|
if (!DotNetUtils.isMethod(method, "System.Reflection.Assembly", "(System.Object,System.ResolveEventArgs)"))
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
return method;
|
|
|
|
|
}
|
|
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
|
2012-08-01 20:05:29 +08:00
|
|
|
|
static bool findKey0_v14_r58564(MethodDefinition method, out uint key) {
|
2012-08-01 01:56:10 +08:00
|
|
|
|
var instrs = method.Body.Instructions;
|
|
|
|
|
for (int i = 0; i < instrs.Count - 2; i++) {
|
|
|
|
|
if (instrs[i].OpCode.Code != Code.Xor)
|
|
|
|
|
continue;
|
|
|
|
|
var ldci4 = instrs[i + 1];
|
|
|
|
|
if (!DotNetUtils.isLdcI4(ldci4))
|
|
|
|
|
continue;
|
|
|
|
|
if (instrs[i + 2].OpCode.Code != Code.Xor)
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
key = (uint)DotNetUtils.getLdcI4Value(ldci4);
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
key = 0;
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2012-08-01 20:05:29 +08:00
|
|
|
|
static bool findKey0_v14_r58852(MethodDefinition method, out uint key) {
|
|
|
|
|
var instrs = method.Body.Instructions;
|
|
|
|
|
for (int i = 0; i < instrs.Count - 3; i++) {
|
|
|
|
|
var ldci4_1 = instrs[i];
|
|
|
|
|
if (!DotNetUtils.isLdcI4(ldci4_1))
|
|
|
|
|
continue;
|
|
|
|
|
if (!DotNetUtils.isStloc(instrs[i + 1]))
|
|
|
|
|
continue;
|
|
|
|
|
var ldci4_2 = instrs[i + 2];
|
|
|
|
|
if (!DotNetUtils.isLdcI4(ldci4_2) && DotNetUtils.getLdcI4Value(ldci4_2) != 0)
|
|
|
|
|
continue;
|
|
|
|
|
if (!DotNetUtils.isStloc(instrs[i + 3]))
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
key = (uint)DotNetUtils.getLdcI4Value(ldci4_1);
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
key = 0;
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2012-08-01 17:41:31 +08:00
|
|
|
|
static bool findKey1(MethodDefinition method, out uint key) {
|
|
|
|
|
var instrs = method.Body.Instructions;
|
|
|
|
|
for (int i = 0; i < instrs.Count - 4; i++) {
|
|
|
|
|
if (instrs[i].OpCode.Code != Code.Ldelem_U1)
|
|
|
|
|
continue;
|
|
|
|
|
var ldci4 = instrs[i + 1];
|
|
|
|
|
if (!DotNetUtils.isLdcI4(ldci4))
|
|
|
|
|
continue;
|
|
|
|
|
if (instrs[i + 2].OpCode.Code != Code.Xor)
|
|
|
|
|
continue;
|
|
|
|
|
if (!DotNetUtils.isLdloc(instrs[i + 3]))
|
|
|
|
|
continue;
|
|
|
|
|
if (instrs[i + 4].OpCode.Code != Code.Xor)
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
key = (uint)DotNetUtils.getLdcI4Value(ldci4);
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
key = 0;
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2012-07-30 20:11:04 +08:00
|
|
|
|
EmbeddedResource findResource(MethodDefinition method) {
|
|
|
|
|
return DotNetUtils.getResource(module, DotNetUtils.getCodeStrings(method)) as EmbeddedResource;
|
|
|
|
|
}
|
|
|
|
|
|
2012-08-08 01:35:12 +08:00
|
|
|
|
static string[] requiredDecryptLocals_inflate = new string[] {
|
2012-07-30 20:11:04 +08:00
|
|
|
|
"System.Byte[]",
|
|
|
|
|
"System.IO.Compression.DeflateStream",
|
|
|
|
|
};
|
2012-08-08 01:35:12 +08:00
|
|
|
|
static MethodDefinition findDecryptMethod_inflate(TypeDefinition type) {
|
|
|
|
|
foreach (var method in type.Methods) {
|
|
|
|
|
if (!method.IsStatic || method.Body == null)
|
|
|
|
|
continue;
|
|
|
|
|
if (!DotNetUtils.isMethod(method, "System.Byte[]", "(System.Byte[])"))
|
|
|
|
|
continue;
|
|
|
|
|
if (!new LocalTypes(method).all(requiredDecryptLocals_inflate))
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
return method;
|
|
|
|
|
}
|
|
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static string[] requiredDecryptLocals_7zip = new string[] {
|
|
|
|
|
"System.Byte[]",
|
|
|
|
|
"System.Int64",
|
|
|
|
|
"System.IO.BinaryReader",
|
|
|
|
|
"System.Security.Cryptography.CryptoStream",
|
|
|
|
|
"System.Security.Cryptography.RijndaelManaged",
|
|
|
|
|
};
|
|
|
|
|
static MethodDefinition findDecryptMethod_7zip(TypeDefinition type) {
|
2012-07-30 20:11:04 +08:00
|
|
|
|
foreach (var method in type.Methods) {
|
|
|
|
|
if (!method.IsStatic || method.Body == null)
|
|
|
|
|
continue;
|
|
|
|
|
if (!DotNetUtils.isMethod(method, "System.Byte[]", "(System.Byte[])"))
|
|
|
|
|
continue;
|
2012-08-08 01:35:12 +08:00
|
|
|
|
if (!new LocalTypes(method).all(requiredDecryptLocals_7zip))
|
2012-07-30 20:11:04 +08:00
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
return method;
|
|
|
|
|
}
|
|
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
|
2012-08-09 20:14:15 +08:00
|
|
|
|
public EmbeddedAssemblyInfo unpackMainAssembly(bool createAssembly) {
|
2012-08-01 17:41:31 +08:00
|
|
|
|
if (mainAsmResource == null)
|
2012-07-30 20:11:04 +08:00
|
|
|
|
return null;
|
2012-08-04 04:36:40 +08:00
|
|
|
|
var info = createEmbeddedAssemblyInfo(mainAsmResource, decrypt(mainAsmResource));
|
|
|
|
|
|
|
|
|
|
var asm = module.Assembly;
|
2012-08-09 20:14:15 +08:00
|
|
|
|
if (createAssembly && asm != null && entryPointToken != 0 && info.kind == ModuleKind.NetModule) {
|
2012-08-04 04:36:40 +08:00
|
|
|
|
info.extension = DeobUtils.getExtension(module.Kind);
|
|
|
|
|
info.kind = module.Kind;
|
|
|
|
|
|
|
|
|
|
var realAsm = new AssemblyDefinition { Name = asm.Name };
|
|
|
|
|
info.realAssemblyInfo = new RealAssemblyInfo(realAsm, entryPointToken, info.kind);
|
2012-08-08 20:41:16 +08:00
|
|
|
|
if (module.Name != "Stub.exe")
|
|
|
|
|
info.realAssemblyInfo.moduleName = module.Name;
|
2012-08-04 04:36:40 +08:00
|
|
|
|
info.asmFullName = realAsm.Name.FullName;
|
|
|
|
|
info.asmSimpleName = realAsm.Name.Name;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return info;
|
2012-08-01 17:41:31 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public List<EmbeddedAssemblyInfo> getEmbeddedAssemblyInfos() {
|
|
|
|
|
var infos = new List<EmbeddedAssemblyInfo>();
|
|
|
|
|
foreach (var rsrc in module.Resources) {
|
|
|
|
|
var resource = rsrc as EmbeddedResource;
|
|
|
|
|
if (resource == null || resource == mainAsmResource)
|
|
|
|
|
continue;
|
|
|
|
|
try {
|
|
|
|
|
infos.Add(createEmbeddedAssemblyInfo(resource, decrypt(resource)));
|
|
|
|
|
}
|
|
|
|
|
catch {
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return infos;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static EmbeddedAssemblyInfo createEmbeddedAssemblyInfo(EmbeddedResource resource, byte[] data) {
|
|
|
|
|
var mod = ModuleDefinition.ReadModule(new MemoryStream(data));
|
2012-08-04 04:36:40 +08:00
|
|
|
|
var asmFullName = mod.Assembly != null ? mod.Assembly.Name.FullName : mod.Name;
|
|
|
|
|
return new EmbeddedAssemblyInfo(resource, data, asmFullName, mod.Kind);
|
2012-08-01 17:41:31 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
byte[] decrypt(EmbeddedResource resource) {
|
2012-07-30 20:11:04 +08:00
|
|
|
|
var data = resource.GetResourceData();
|
2012-08-01 20:05:29 +08:00
|
|
|
|
switch (version) {
|
|
|
|
|
case ConfuserVersion.v10_r42915: return decrypt_v10_r42915(data);
|
2012-08-10 23:14:06 +08:00
|
|
|
|
case ConfuserVersion.v10_r48717: return decrypt_v10_r42915(data);
|
2012-08-10 23:25:04 +08:00
|
|
|
|
case ConfuserVersion.v14_r57778: return decrypt_v10_r42915(data);
|
2012-08-01 20:05:29 +08:00
|
|
|
|
case ConfuserVersion.v14_r58564: return decrypt_v14_r58564(data);
|
|
|
|
|
case ConfuserVersion.v14_r58802: return decrypt_v14_r58564(data);
|
|
|
|
|
case ConfuserVersion.v14_r58852: return decrypt_v14_r58852(data);
|
2012-08-02 14:40:52 +08:00
|
|
|
|
case ConfuserVersion.v15_r60785: return decrypt_v15_r60785(data);
|
2012-08-03 01:53:15 +08:00
|
|
|
|
case ConfuserVersion.v17_r73404: return decrypt_v17_r73404(data);
|
2012-08-04 04:36:40 +08:00
|
|
|
|
case ConfuserVersion.v17_r73477: return decrypt_v17_r73404(data);
|
2012-08-10 23:47:59 +08:00
|
|
|
|
case ConfuserVersion.v17_r73566: return decrypt_v17_r73404(data);
|
2012-08-08 01:35:12 +08:00
|
|
|
|
case ConfuserVersion.v17_r75076: return decrypt_v17_r75076(data);
|
2012-08-08 01:52:53 +08:00
|
|
|
|
case ConfuserVersion.v18_r75184: return decrypt_v17_r75076(data);
|
2012-08-08 20:44:01 +08:00
|
|
|
|
case ConfuserVersion.v18_r75367: return decrypt_v17_r75076(data);
|
2012-08-01 20:05:29 +08:00
|
|
|
|
default: throw new ApplicationException("Unknown version");
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
byte[] decrypt_v10_r42915(byte[] data) {
|
2012-07-30 20:11:04 +08:00
|
|
|
|
for (int i = 0; i < data.Length; i++)
|
2012-08-01 17:41:31 +08:00
|
|
|
|
data[i] ^= (byte)(i ^ key0);
|
2012-08-01 20:05:29 +08:00
|
|
|
|
return DeobUtils.inflate(data, true);
|
|
|
|
|
}
|
2012-08-01 01:56:10 +08:00
|
|
|
|
|
2012-08-01 20:05:29 +08:00
|
|
|
|
byte[] decrypt_v14_r58564(byte[] data) {
|
|
|
|
|
var reader = new BinaryReader(new MemoryStream(decrypt_v10_r42915(data)));
|
|
|
|
|
return reader.ReadBytes(reader.ReadInt32());
|
|
|
|
|
}
|
2012-08-01 01:56:10 +08:00
|
|
|
|
|
2012-08-01 20:05:29 +08:00
|
|
|
|
byte[] decrypt_v14_r58852(byte[] data) {
|
|
|
|
|
var reader = new BinaryReader(new MemoryStream(DeobUtils.inflate(data, true)));
|
|
|
|
|
data = reader.ReadBytes(reader.ReadInt32());
|
|
|
|
|
for (int i = 0; i < data.Length; i++) {
|
|
|
|
|
if ((i & 1) == 0)
|
|
|
|
|
data[i] ^= (byte)((key0 & 0xF) - i);
|
|
|
|
|
else
|
|
|
|
|
data[i] ^= (byte)((key0 >> 4) + i);
|
|
|
|
|
data[i] -= (byte)i;
|
|
|
|
|
}
|
2012-07-30 20:11:04 +08:00
|
|
|
|
return data;
|
|
|
|
|
}
|
2012-08-01 17:41:31 +08:00
|
|
|
|
|
2012-08-02 14:40:52 +08:00
|
|
|
|
byte[] decrypt_v15_r60785(byte[] data) {
|
|
|
|
|
var reader = new BinaryReader(new MemoryStream(DeobUtils.inflate(data, true)));
|
2012-08-03 01:53:15 +08:00
|
|
|
|
byte[] key, iv;
|
|
|
|
|
data = decrypt_v15_r60785(reader, out key, out iv);
|
|
|
|
|
reader = new BinaryReader(new MemoryStream(DeobUtils.aesDecrypt(data, key, iv)));
|
|
|
|
|
return reader.ReadBytes(reader.ReadInt32());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
byte[] decrypt_v15_r60785(BinaryReader reader, out byte[] key, out byte[] iv) {
|
2012-08-02 14:40:52 +08:00
|
|
|
|
var encrypted = reader.ReadBytes(reader.ReadInt32());
|
2012-08-03 01:53:15 +08:00
|
|
|
|
iv = reader.ReadBytes(reader.ReadInt32());
|
|
|
|
|
key = reader.ReadBytes(reader.ReadInt32());
|
2012-08-02 14:40:52 +08:00
|
|
|
|
for (int i = 0; i < key.Length; i += 4) {
|
|
|
|
|
key[i] ^= (byte)key0;
|
|
|
|
|
key[i + 1] ^= (byte)(key0 >> 8);
|
|
|
|
|
key[i + 2] ^= (byte)(key0 >> 16);
|
|
|
|
|
key[i + 3] ^= (byte)(key0 >> 24);
|
|
|
|
|
}
|
2012-08-03 01:53:15 +08:00
|
|
|
|
return encrypted;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
byte[] decrypt_v17_r73404(byte[] data) {
|
|
|
|
|
var reader = new BinaryReader(new MemoryStream(data));
|
|
|
|
|
byte[] key, iv;
|
|
|
|
|
data = decrypt_v15_r60785(reader, out key, out iv);
|
|
|
|
|
reader = new BinaryReader(new MemoryStream(DeobUtils.inflate(DeobUtils.aesDecrypt(data, key, iv), true)));
|
2012-08-02 14:40:52 +08:00
|
|
|
|
return reader.ReadBytes(reader.ReadInt32());
|
|
|
|
|
}
|
|
|
|
|
|
2012-08-08 01:35:12 +08:00
|
|
|
|
byte[] decrypt_v17_r75076(byte[] data) {
|
|
|
|
|
var reader = new BinaryReader(new MemoryStream(data));
|
|
|
|
|
byte[] key, iv;
|
|
|
|
|
data = decrypt_v15_r60785(reader, out key, out iv);
|
|
|
|
|
return sevenzipDecompress(DeobUtils.aesDecrypt(data, key, iv));
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static byte[] sevenzipDecompress(byte[] data) {
|
|
|
|
|
var reader = new BinaryReader(new MemoryStream(data));
|
|
|
|
|
int totalSize = reader.ReadInt32();
|
|
|
|
|
var props = reader.ReadBytes(5);
|
|
|
|
|
var decoder = new Decoder();
|
|
|
|
|
decoder.SetDecoderProperties(props);
|
|
|
|
|
if ((long)totalSize != reader.ReadInt64())
|
|
|
|
|
throw new ApplicationException("Invalid total size");
|
|
|
|
|
long compressedSize = data.Length - props.Length - 8;
|
|
|
|
|
var decompressed = new byte[totalSize];
|
|
|
|
|
decoder.Code(reader.BaseStream, new MemoryStream(decompressed, true), compressedSize, totalSize, null);
|
|
|
|
|
return decompressed;
|
|
|
|
|
}
|
|
|
|
|
|
2012-08-01 17:41:31 +08:00
|
|
|
|
public void deobfuscate(Blocks blocks) {
|
|
|
|
|
if (asmResolverMethod == null)
|
|
|
|
|
return;
|
|
|
|
|
if (blocks.Method != DotNetUtils.getModuleTypeCctor(module))
|
|
|
|
|
return;
|
|
|
|
|
ConfuserUtils.removeResourceHookCode(blocks, asmResolverMethod);
|
|
|
|
|
}
|
2012-08-09 17:47:18 +08:00
|
|
|
|
|
|
|
|
|
public bool getRevisionRange(out int minRev, out int maxRev) {
|
|
|
|
|
switch (version) {
|
|
|
|
|
case ConfuserVersion.Unknown:
|
|
|
|
|
minRev = maxRev = 0;
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
case ConfuserVersion.v10_r42915:
|
|
|
|
|
minRev = 42915;
|
2012-08-10 23:14:06 +08:00
|
|
|
|
maxRev = 48509;
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
case ConfuserVersion.v10_r48717:
|
|
|
|
|
minRev = 48717;
|
2012-08-10 23:25:04 +08:00
|
|
|
|
maxRev = 57699;
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
case ConfuserVersion.v14_r57778:
|
|
|
|
|
minRev = 57778;
|
2012-08-09 17:47:18 +08:00
|
|
|
|
maxRev = 58446;
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
case ConfuserVersion.v14_r58564:
|
|
|
|
|
minRev = 58564;
|
|
|
|
|
maxRev = 58741;
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
case ConfuserVersion.v14_r58802:
|
|
|
|
|
minRev = 58802;
|
|
|
|
|
maxRev = 58817;
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
case ConfuserVersion.v14_r58852:
|
|
|
|
|
minRev = 58852;
|
|
|
|
|
maxRev = 60408;
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
case ConfuserVersion.v15_r60785:
|
|
|
|
|
minRev = 60785;
|
|
|
|
|
maxRev = 72989;
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
case ConfuserVersion.v17_r73404:
|
|
|
|
|
minRev = 73404;
|
|
|
|
|
maxRev = 73430;
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
case ConfuserVersion.v17_r73477:
|
|
|
|
|
minRev = 73477;
|
2012-08-10 23:47:59 +08:00
|
|
|
|
maxRev = 73479;
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
case ConfuserVersion.v17_r73566:
|
|
|
|
|
minRev = 73566;
|
2012-08-09 17:47:18 +08:00
|
|
|
|
maxRev = 75056;
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
case ConfuserVersion.v17_r75076:
|
|
|
|
|
minRev = 75076;
|
|
|
|
|
maxRev = 75158;
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
case ConfuserVersion.v18_r75184:
|
|
|
|
|
minRev = 75184;
|
2012-08-10 05:32:11 +08:00
|
|
|
|
maxRev = int.MaxValue;
|
2012-08-09 17:47:18 +08:00
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
case ConfuserVersion.v18_r75367:
|
|
|
|
|
minRev = 75367;
|
|
|
|
|
maxRev = int.MaxValue;
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
default: throw new ApplicationException("Invalid version");
|
|
|
|
|
}
|
|
|
|
|
}
|
2012-07-30 20:11:04 +08:00
|
|
|
|
}
|
|
|
|
|
}
|