298 lines
9.1 KiB
C#
298 lines
9.1 KiB
C#
|
/*
|
|||
|
Copyright (C) 2011-2013 de4dot@gmail.com
|
|||
|
|
|||
|
This file is part of de4dot.
|
|||
|
|
|||
|
de4dot is free software: you can redistribute it and/or modify
|
|||
|
it under the terms of the GNU General Public License as published by
|
|||
|
the Free Software Foundation, either version 3 of the License, or
|
|||
|
(at your option) any later version.
|
|||
|
|
|||
|
de4dot is distributed in the hope that it will be useful,
|
|||
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|||
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|||
|
GNU General Public License for more details.
|
|||
|
|
|||
|
You should have received a copy of the GNU General Public License
|
|||
|
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
|||
|
*/
|
|||
|
|
|||
|
using System;
|
|||
|
using System.Collections.Generic;
|
|||
|
using dnlib.DotNet;
|
|||
|
using dnlib.DotNet.Emit;
|
|||
|
using de4dot.blocks;
|
|||
|
using de4dot.blocks.cflow;
|
|||
|
|
|||
|
namespace de4dot.code.deobfuscators.Agile_NET.vm.v2 {
|
|||
|
class MyDeobfuscator {
|
|||
|
CliSecureRtType cliSecureRtType;
|
|||
|
StringDecrypter stringDecrypter;
|
|||
|
StaticStringInliner staticStringInliner = new StaticStringInliner();
|
|||
|
|
|||
|
public MyDeobfuscator(ModuleDefMD module) {
|
|||
|
cliSecureRtType = new CliSecureRtType(module);
|
|||
|
cliSecureRtType.Find(null);
|
|||
|
stringDecrypter = new StringDecrypter(module, cliSecureRtType.StringDecrypterMethod);
|
|||
|
stringDecrypter.Find();
|
|||
|
cliSecureRtType.FindStringDecrypterMethod();
|
|||
|
stringDecrypter.Method = cliSecureRtType.StringDecrypterMethod;
|
|||
|
staticStringInliner.Add(stringDecrypter.Method, (method, gim, args) => stringDecrypter.Decrypt((string)args[0]));
|
|||
|
}
|
|||
|
|
|||
|
void RestoreMethod(Blocks blocks) {
|
|||
|
IList<Instruction> allInstructions;
|
|||
|
IList<ExceptionHandler> allExceptionHandlers;
|
|||
|
blocks.GetCode(out allInstructions, out allExceptionHandlers);
|
|||
|
DotNetUtils.RestoreBody(blocks.Method, allInstructions, allExceptionHandlers);
|
|||
|
}
|
|||
|
|
|||
|
public void DecryptStrings(MethodDef method) {
|
|||
|
var blocks = new Blocks(method);
|
|||
|
DecryptStrings(blocks);
|
|||
|
RestoreMethod(blocks);
|
|||
|
}
|
|||
|
|
|||
|
public void DecryptStrings(Blocks blocks) {
|
|||
|
staticStringInliner.Decrypt(blocks);
|
|||
|
}
|
|||
|
|
|||
|
public void Deobfuscate(MethodDef method) {
|
|||
|
DecryptStrings(method);
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
class VmOpCodeHandlerDetector {
|
|||
|
const int NUM_HANDLERS = 78;
|
|||
|
ModuleDefMD module;
|
|||
|
List<VmOpCode> vmOpCodes;
|
|||
|
MyDeobfuscator deobfuscator;
|
|||
|
|
|||
|
public IList<VmOpCode> Handlers {
|
|||
|
get { return vmOpCodes; }
|
|||
|
}
|
|||
|
|
|||
|
public VmOpCodeHandlerDetector(ModuleDefMD module) {
|
|||
|
this.module = module;
|
|||
|
}
|
|||
|
|
|||
|
public void FindHandlers() {
|
|||
|
if (vmOpCodes != null)
|
|||
|
return;
|
|||
|
|
|||
|
deobfuscator = new MyDeobfuscator(module);
|
|||
|
|
|||
|
var csvmInfo = new CsvmInfo(module);
|
|||
|
csvmInfo.Initialize();
|
|||
|
var vmHandlerTypes = FindVmHandlerTypes();
|
|||
|
if (vmHandlerTypes == null)
|
|||
|
throw new ApplicationException("Could not find CSVM opcode handler types");
|
|||
|
|
|||
|
var composites = CreateCompositeOpCodeHandlers(csvmInfo, vmHandlerTypes);
|
|||
|
foreach (var handlerInfos in OpCodeHandlerInfos.HandlerInfos) {
|
|||
|
var otherHandlers = CreateOtherHandlers(csvmInfo, handlerInfos);
|
|||
|
|
|||
|
if (!DetectCompositeHandlers(composites, otherHandlers))
|
|||
|
continue;
|
|||
|
|
|||
|
vmOpCodes = CreateVmOpCodes(composites);
|
|||
|
break;
|
|||
|
}
|
|||
|
if (vmOpCodes == null)
|
|||
|
throw new ApplicationException("Could not find any/all CSVM handlers");
|
|||
|
}
|
|||
|
|
|||
|
static List<VmOpCode> CreateVmOpCodes(IList<CompositeOpCodeHandler> composites) {
|
|||
|
var list = new List<VmOpCode>(composites.Count);
|
|||
|
foreach (var composite in composites)
|
|||
|
list.Add(new VmOpCode(composite.OpCodeHandlerInfos));
|
|||
|
return list;
|
|||
|
}
|
|||
|
|
|||
|
bool DetectCompositeHandlers(IEnumerable<CompositeOpCodeHandler> composites, List<OpCodeHandler> otherHandlers) {
|
|||
|
var detector = new CompositeHandlerDetector(otherHandlers);
|
|||
|
foreach (var composite in composites) {
|
|||
|
if (!detector.FindHandlers(composite))
|
|||
|
return false;
|
|||
|
}
|
|||
|
return true;
|
|||
|
}
|
|||
|
|
|||
|
static MethodDef SimplifyInstructions(MethodDef method) {
|
|||
|
if (method.Body == null)
|
|||
|
return method;
|
|||
|
method.Body.SimplifyMacros(method.Parameters);
|
|||
|
return method;
|
|||
|
}
|
|||
|
|
|||
|
List<CompositeOpCodeHandler> CreateCompositeOpCodeHandlers(CsvmInfo csvmInfo, List<TypeDef> handlers) {
|
|||
|
var list = new List<CompositeOpCodeHandler>(handlers.Count);
|
|||
|
|
|||
|
foreach (var handler in handlers) {
|
|||
|
var execHandler = new HandlerMethod(GetExecMethod(handler));
|
|||
|
list.Add(new CompositeOpCodeHandler(handler, execHandler));
|
|||
|
}
|
|||
|
|
|||
|
return list;
|
|||
|
}
|
|||
|
|
|||
|
MethodDef GetExecMethod(TypeDef type) {
|
|||
|
MethodDef readMethod, execMethod;
|
|||
|
GetReadAndExecMethods(type, out readMethod, out execMethod);
|
|||
|
deobfuscator.Deobfuscate(execMethod);
|
|||
|
SimplifyInstructions(execMethod);
|
|||
|
return execMethod;
|
|||
|
}
|
|||
|
|
|||
|
static MethodSigInfoCreator CreateMethodSigInfoCreator(CsvmInfo csvmInfo) {
|
|||
|
var creator = new MethodSigInfoCreator();
|
|||
|
|
|||
|
creator.AddId(csvmInfo.LogicalOpShrUn, 1);
|
|||
|
creator.AddId(csvmInfo.LogicalOpShl, 2);
|
|||
|
creator.AddId(csvmInfo.LogicalOpShr, 3);
|
|||
|
creator.AddId(csvmInfo.LogicalOpAnd, 4);
|
|||
|
creator.AddId(csvmInfo.LogicalOpXor, 5);
|
|||
|
creator.AddId(csvmInfo.LogicalOpOr, 6);
|
|||
|
|
|||
|
creator.AddId(csvmInfo.CompareLt, 7);
|
|||
|
creator.AddId(csvmInfo.CompareLte, 8);
|
|||
|
creator.AddId(csvmInfo.CompareGt, 9);
|
|||
|
creator.AddId(csvmInfo.CompareGte, 10);
|
|||
|
creator.AddId(csvmInfo.CompareEq, 11);
|
|||
|
creator.AddId(csvmInfo.CompareEqz, 12);
|
|||
|
|
|||
|
creator.AddId(csvmInfo.ArithmeticSubOvfUn, 13);
|
|||
|
creator.AddId(csvmInfo.ArithmeticMulOvfUn, 14);
|
|||
|
creator.AddId(csvmInfo.ArithmeticRemUn, 15);
|
|||
|
creator.AddId(csvmInfo.ArithmeticRem, 16);
|
|||
|
creator.AddId(csvmInfo.ArithmeticDivUn, 17);
|
|||
|
creator.AddId(csvmInfo.ArithmeticDiv, 18);
|
|||
|
creator.AddId(csvmInfo.ArithmeticMul, 19);
|
|||
|
creator.AddId(csvmInfo.ArithmeticMulOvf, 20);
|
|||
|
creator.AddId(csvmInfo.ArithmeticSub, 21);
|
|||
|
creator.AddId(csvmInfo.ArithmeticSubOvf, 22);
|
|||
|
creator.AddId(csvmInfo.ArithmeticAddOvfUn, 23);
|
|||
|
creator.AddId(csvmInfo.ArithmeticAddOvf, 24);
|
|||
|
creator.AddId(csvmInfo.ArithmeticAdd, 25);
|
|||
|
|
|||
|
creator.AddId(csvmInfo.UnaryNot, 26);
|
|||
|
creator.AddId(csvmInfo.UnaryNeg, 27);
|
|||
|
|
|||
|
creator.AddId(csvmInfo.ArgsGet, 28);
|
|||
|
creator.AddId(csvmInfo.ArgsSet, 29);
|
|||
|
creator.AddId(csvmInfo.LocalsGet, 30);
|
|||
|
creator.AddId(csvmInfo.LocalsSet, 31);
|
|||
|
|
|||
|
return creator;
|
|||
|
}
|
|||
|
|
|||
|
static void GetReadAndExecMethods(TypeDef handler, out MethodDef readMethod, out MethodDef execMethod) {
|
|||
|
readMethod = execMethod = null;
|
|||
|
foreach (var method in handler.Methods) {
|
|||
|
if (!method.IsVirtual)
|
|||
|
continue;
|
|||
|
if (DotNetUtils.IsMethod(method, "System.Void", "(System.IO.BinaryReader)")) {
|
|||
|
if (readMethod != null)
|
|||
|
throw new ApplicationException("Found another read method");
|
|||
|
readMethod = method;
|
|||
|
}
|
|||
|
else if (!DotNetUtils.HasReturnValue(method) && method.MethodSig.GetParamCount() == 1) {
|
|||
|
if (execMethod != null)
|
|||
|
throw new ApplicationException("Found another execute method");
|
|||
|
execMethod = method;
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
if (readMethod == null)
|
|||
|
throw new ApplicationException("Could not find read method");
|
|||
|
if (execMethod == null)
|
|||
|
throw new ApplicationException("Could not find execute method");
|
|||
|
}
|
|||
|
|
|||
|
IEnumerable<TypeDef> GetVmHandlerTypes(TypeDef baseType) {
|
|||
|
foreach (var type in module.Types) {
|
|||
|
if (type.BaseType == baseType)
|
|||
|
yield return type;
|
|||
|
}
|
|||
|
}
|
|||
|
|
|||
|
List<TypeDef> FindBasicVmHandlerTypes(CsvmInfo csvmInfo) {
|
|||
|
var list = new List<TypeDef>();
|
|||
|
if (csvmInfo.VmHandlerBaseType == null)
|
|||
|
return list;
|
|||
|
foreach (var type in module.Types) {
|
|||
|
if (list.Count == NUM_HANDLERS)
|
|||
|
break;
|
|||
|
if (type.BaseType == csvmInfo.VmHandlerBaseType)
|
|||
|
list.Add(type);
|
|||
|
}
|
|||
|
return list;
|
|||
|
}
|
|||
|
|
|||
|
List<TypeDef> FindVmHandlerTypes() {
|
|||
|
var requiredFields = new string[] {
|
|||
|
null,
|
|||
|
"System.Collections.Generic.Dictionary`2<System.UInt16,System.Type>",
|
|||
|
"System.UInt16",
|
|||
|
};
|
|||
|
var cflowDeobfuscator = new CflowDeobfuscator();
|
|||
|
foreach (var type in module.Types) {
|
|||
|
var cctor = type.FindStaticConstructor();
|
|||
|
if (cctor == null)
|
|||
|
continue;
|
|||
|
requiredFields[0] = type.FullName;
|
|||
|
if (!new FieldTypes(type).Exactly(requiredFields))
|
|||
|
continue;
|
|||
|
|
|||
|
cflowDeobfuscator.Deobfuscate(cctor);
|
|||
|
var handlers = FindVmHandlerTypes(cctor);
|
|||
|
if (handlers.Count < NUM_HANDLERS)
|
|||
|
continue;
|
|||
|
|
|||
|
return handlers;
|
|||
|
}
|
|||
|
|
|||
|
return null;
|
|||
|
}
|
|||
|
|
|||
|
static List<TypeDef> FindVmHandlerTypes(MethodDef method) {
|
|||
|
var list = new List<TypeDef>();
|
|||
|
|
|||
|
foreach (var instr in method.Body.Instructions) {
|
|||
|
if (instr.OpCode.Code != Code.Ldtoken)
|
|||
|
continue;
|
|||
|
var type = instr.Operand as TypeDef;
|
|||
|
if (type == null)
|
|||
|
continue;
|
|||
|
|
|||
|
list.Add(type);
|
|||
|
}
|
|||
|
|
|||
|
return list;
|
|||
|
}
|
|||
|
|
|||
|
List<OpCodeHandler> CreateOtherHandlers(CsvmInfo csvmInfo, IList<OpCodeHandlerInfo> handlerInfos) {
|
|||
|
var list = new List<OpCodeHandler>(NUM_HANDLERS);
|
|||
|
|
|||
|
foreach (var type in GetVmHandlerTypes(csvmInfo.VmHandlerBaseType)) {
|
|||
|
if (list.Count == NUM_HANDLERS)
|
|||
|
break;
|
|||
|
|
|||
|
var execHandler = new PrimitiveHandlerMethod(GetExecMethod(type));
|
|||
|
execHandler.Sig = CreateMethodSigInfoCreator(csvmInfo).Create(execHandler.Blocks);
|
|||
|
|
|||
|
var finder = new MethodFinder(handlerInfos, execHandler);
|
|||
|
var handler = finder.FindHandler();
|
|||
|
if (handler == null)
|
|||
|
continue;
|
|||
|
|
|||
|
list.Add(handler);
|
|||
|
}
|
|||
|
|
|||
|
list.Sort((a, b) => a.OpCodeHandlerInfo.Name.ToUpperInvariant().CompareTo(b.OpCodeHandlerInfo.Name.ToUpperInvariant()));
|
|||
|
|
|||
|
return list;
|
|||
|
}
|
|||
|
}
|
|||
|
}
|