2011-09-22 10:55:30 +08:00
|
|
|
|
/*
|
2014-03-12 05:15:43 +08:00
|
|
|
|
Copyright (C) 2011-2014 de4dot@gmail.com
|
2011-09-22 10:55:30 +08:00
|
|
|
|
|
|
|
|
|
|
This file is part of de4dot.
|
|
|
|
|
|
|
|
|
|
|
|
de4dot is free software: you can redistribute it and/or modify
|
|
|
|
|
|
it under the terms of the GNU General Public License as published by
|
|
|
|
|
|
the Free Software Foundation, either version 3 of the License, or
|
|
|
|
|
|
(at your option) any later version.
|
|
|
|
|
|
|
|
|
|
|
|
de4dot is distributed in the hope that it will be useful,
|
|
|
|
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
|
GNU General Public License for more details.
|
|
|
|
|
|
|
|
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
|
|
|
|
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
|
*/
|
|
|
|
|
|
|
2012-02-25 13:25:40 +08:00
|
|
|
|
using System.Collections.Generic;
|
2011-10-05 23:22:56 +08:00
|
|
|
|
using System.Text.RegularExpressions;
|
2012-06-03 01:48:23 +08:00
|
|
|
|
using de4dot.blocks;
|
2011-10-05 23:22:56 +08:00
|
|
|
|
|
2011-12-09 16:02:06 +08:00
|
|
|
|
namespace de4dot.code.deobfuscators.Unknown {
|
|
|
|
|
|
public class DeobfuscatorInfo : DeobfuscatorInfoBase {
|
2011-11-04 03:03:32 +08:00
|
|
|
|
public const string THE_NAME = "Unknown";
|
2011-11-12 18:31:07 +08:00
|
|
|
|
public const string THE_TYPE = "un";
|
2013-11-18 22:43:08 +08:00
|
|
|
|
const string DEFAULT_REGEX = DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
|
|
|
|
|
|
|
2011-09-22 10:55:30 +08:00
|
|
|
|
public DeobfuscatorInfo()
|
2013-11-18 22:43:08 +08:00
|
|
|
|
: base(DEFAULT_REGEX) {
|
2011-09-22 10:55:30 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2011-11-04 03:03:32 +08:00
|
|
|
|
public override string Name {
|
|
|
|
|
|
get { return THE_NAME; }
|
2011-09-22 10:55:30 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public override string Type {
|
2011-11-12 18:31:07 +08:00
|
|
|
|
get { return THE_TYPE; }
|
2011-09-22 10:55:30 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
public override IDeobfuscator CreateDeobfuscator() {
|
2011-09-22 10:55:30 +08:00
|
|
|
|
return new Deobfuscator(new Deobfuscator.Options {
|
|
|
|
|
|
RenameResourcesInCode = false,
|
2013-11-18 23:28:44 +08:00
|
|
|
|
ValidNameRegex = validNameRegex.Get(),
|
2011-09-22 10:55:30 +08:00
|
|
|
|
});
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
class Deobfuscator : DeobfuscatorBase {
|
2011-10-09 01:33:12 +08:00
|
|
|
|
string obfuscatorName;
|
2011-10-05 23:22:56 +08:00
|
|
|
|
|
2011-09-22 10:55:30 +08:00
|
|
|
|
internal class Options : OptionsBase {
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public override string Type {
|
2011-11-12 18:31:07 +08:00
|
|
|
|
get { return DeobfuscatorInfo.THE_TYPE; }
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public override string TypeLong {
|
2011-11-04 03:03:32 +08:00
|
|
|
|
get { return DeobfuscatorInfo.THE_NAME; }
|
2011-09-22 10:55:30 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public override string Name {
|
2011-10-09 01:33:12 +08:00
|
|
|
|
get { return obfuscatorName ?? "Unknown Obfuscator"; }
|
2011-09-22 10:55:30 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2011-12-09 16:02:06 +08:00
|
|
|
|
internal Deobfuscator(Options options)
|
2011-09-22 10:55:30 +08:00
|
|
|
|
: base(options) {
|
2012-12-14 23:50:06 +08:00
|
|
|
|
KeepTypes = true;
|
2011-09-22 10:55:30 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
void SetName(string name) {
|
2011-10-09 01:33:12 +08:00
|
|
|
|
if (obfuscatorName == null && name != null)
|
2012-06-03 01:48:23 +08:00
|
|
|
|
obfuscatorName = string.Format("{0} (not supported)", name);
|
2011-09-22 10:55:30 +08:00
|
|
|
|
}
|
2011-10-05 23:22:56 +08:00
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
protected override int DetectInternal() {
|
|
|
|
|
|
SetName(ScanTypes());
|
2011-10-09 01:33:12 +08:00
|
|
|
|
return 1;
|
2011-10-05 23:22:56 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
protected override void ScanForObfuscator() {
|
2011-10-26 20:29:12 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
string ScanTypes() {
|
2011-10-05 23:22:56 +08:00
|
|
|
|
foreach (var type in module.Types) {
|
2012-11-02 04:09:09 +08:00
|
|
|
|
var fn = type.FullName;
|
|
|
|
|
|
if (fn == "ConfusedByAttribute")
|
2012-08-13 06:54:46 +08:00
|
|
|
|
return "Confuser";
|
2012-11-02 04:09:09 +08:00
|
|
|
|
if (fn == "ZYXDNGuarder")
|
2011-10-05 23:22:56 +08:00
|
|
|
|
return "DNGuard HVM";
|
2012-11-02 04:09:09 +08:00
|
|
|
|
if (type.Name.String.Contains("();\t"))
|
2011-10-06 16:33:13 +08:00
|
|
|
|
return "Manco .NET Obfuscator";
|
2012-11-02 04:09:09 +08:00
|
|
|
|
if (Regex.IsMatch(fn, @"^EMyPID_\d+_$"))
|
2011-10-07 23:30:41 +08:00
|
|
|
|
return "BitHelmet Obfuscator";
|
2012-11-02 04:09:09 +08:00
|
|
|
|
if (fn == "YanoAttribute")
|
2011-10-07 14:45:40 +08:00
|
|
|
|
return "Yano Obfuscator";
|
2011-10-05 23:22:56 +08:00
|
|
|
|
}
|
|
|
|
|
|
return null;
|
|
|
|
|
|
}
|
2012-02-25 13:25:40 +08:00
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
public override IEnumerable<int> GetStringDecrypterMethods() {
|
2012-02-25 13:25:40 +08:00
|
|
|
|
return new List<int>();
|
|
|
|
|
|
}
|
2011-09-22 10:55:30 +08:00
|
|
|
|
}
|
|
|
|
|
|
}
|
