2011-11-06 19:19:26 +08:00
|
|
|
|
/*
|
2015-10-30 05:45:26 +08:00
|
|
|
|
Copyright (C) 2011-2015 de4dot@gmail.com
|
2011-11-06 19:19:26 +08:00
|
|
|
|
|
|
|
|
|
This file is part of de4dot.
|
|
|
|
|
|
|
|
|
|
de4dot is free software: you can redistribute it and/or modify
|
|
|
|
|
it under the terms of the GNU General Public License as published by
|
|
|
|
|
the Free Software Foundation, either version 3 of the License, or
|
|
|
|
|
(at your option) any later version.
|
|
|
|
|
|
|
|
|
|
de4dot is distributed in the hope that it will be useful,
|
|
|
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
GNU General Public License for more details.
|
|
|
|
|
|
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
|
|
|
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
using System;
|
2014-03-27 18:28:52 +08:00
|
|
|
|
using System.Collections.Generic;
|
2011-11-06 19:19:26 +08:00
|
|
|
|
using System.Text;
|
2012-12-20 09:06:09 +08:00
|
|
|
|
using dnlib.DotNet;
|
2014-03-27 18:28:52 +08:00
|
|
|
|
using dnlib.DotNet.Emit;
|
|
|
|
|
using de4dot.blocks;
|
2011-11-06 19:19:26 +08:00
|
|
|
|
|
2012-11-06 23:38:39 +08:00
|
|
|
|
namespace de4dot.code.deobfuscators.Agile_NET {
|
2011-11-06 19:19:26 +08:00
|
|
|
|
class StringDecrypter {
|
2012-11-07 12:17:45 +08:00
|
|
|
|
ModuleDefMD module;
|
2012-11-02 22:57:11 +08:00
|
|
|
|
TypeDef stringDecrypterType;
|
2014-03-27 18:28:52 +08:00
|
|
|
|
FieldDef keyInitField;
|
|
|
|
|
FieldDef keyArrayField;
|
|
|
|
|
Dictionary<StringDecrypterInfo, bool> stringDecrypterInfos = new Dictionary<StringDecrypterInfo, bool>();
|
2011-11-06 19:19:26 +08:00
|
|
|
|
byte[] stringDecrypterKey;
|
|
|
|
|
|
|
|
|
|
public bool Detected {
|
2014-03-27 18:28:52 +08:00
|
|
|
|
get { return stringDecrypterInfos.Count != 0; }
|
2011-11-06 19:19:26 +08:00
|
|
|
|
}
|
|
|
|
|
|
2012-11-02 22:57:11 +08:00
|
|
|
|
public TypeDef Type {
|
2011-11-06 19:19:26 +08:00
|
|
|
|
get { return stringDecrypterType; }
|
|
|
|
|
}
|
|
|
|
|
|
2014-03-27 18:28:52 +08:00
|
|
|
|
public TypeDef KeyArrayFieldType {
|
|
|
|
|
get { return keyArrayField == null ? null : keyArrayField.DeclaringType; }
|
2011-11-06 19:19:26 +08:00
|
|
|
|
}
|
|
|
|
|
|
2014-03-27 18:28:52 +08:00
|
|
|
|
public IEnumerable<StringDecrypterInfo> StringDecrypterInfos {
|
|
|
|
|
get { return stringDecrypterInfos.Keys; }
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public StringDecrypter(ModuleDefMD module, IEnumerable<StringDecrypterInfo> stringDecrypterMethods) {
|
2011-11-06 19:19:26 +08:00
|
|
|
|
this.module = module;
|
2014-03-27 18:28:52 +08:00
|
|
|
|
foreach (var sdm in stringDecrypterMethods)
|
|
|
|
|
this.stringDecrypterInfos[sdm] = true;
|
2011-11-06 19:19:26 +08:00
|
|
|
|
}
|
|
|
|
|
|
2012-11-07 12:17:45 +08:00
|
|
|
|
public StringDecrypter(ModuleDefMD module, StringDecrypter oldOne) {
|
2011-11-06 19:19:26 +08:00
|
|
|
|
this.module = module;
|
2013-01-19 20:03:57 +08:00
|
|
|
|
stringDecrypterType = Lookup(oldOne.stringDecrypterType, "Could not find stringDecrypterType");
|
2014-03-27 18:28:52 +08:00
|
|
|
|
keyInitField = Lookup(oldOne.keyInitField, "Could not find key init field");
|
|
|
|
|
keyArrayField = Lookup(oldOne.keyArrayField, "Could not find key array field");
|
|
|
|
|
foreach (var info in oldOne.stringDecrypterInfos.Keys) {
|
|
|
|
|
var m = Lookup(info.Method, "Could not find string decrypter method");
|
|
|
|
|
var f = Lookup(info.Field, "Could not find string decrypter field");
|
|
|
|
|
stringDecrypterInfos[new StringDecrypterInfo(m, f)] = true;
|
|
|
|
|
}
|
2011-11-06 19:19:26 +08:00
|
|
|
|
stringDecrypterKey = oldOne.stringDecrypterKey;
|
|
|
|
|
}
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
T Lookup<T>(T def, string errorMessage) where T : class, ICodedToken {
|
|
|
|
|
return DeobUtils.Lookup(module, def, errorMessage);
|
2011-11-06 19:19:26 +08:00
|
|
|
|
}
|
|
|
|
|
|
2014-03-27 18:28:52 +08:00
|
|
|
|
public void AddDecrypterInfos(IEnumerable<StringDecrypterInfo> infos) {
|
|
|
|
|
foreach (var info in infos)
|
|
|
|
|
stringDecrypterInfos[info] = true;
|
|
|
|
|
}
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
public void Find() {
|
2012-04-26 07:16:08 +08:00
|
|
|
|
stringDecrypterKey = new byte[1] { 0xFF };
|
2011-11-06 19:19:26 +08:00
|
|
|
|
foreach (var type in module.Types) {
|
|
|
|
|
if (type.FullName == "<D234>" || type.FullName == "<ClassD234>") {
|
|
|
|
|
stringDecrypterType = type;
|
|
|
|
|
foreach (var field in type.Fields) {
|
|
|
|
|
if (field.FullName == "<D234> <D234>::345" || field.FullName == "<ClassD234>/D234 <ClassD234>::345") {
|
2014-03-27 18:28:52 +08:00
|
|
|
|
keyInitField = field;
|
2011-11-06 19:19:26 +08:00
|
|
|
|
stringDecrypterKey = field.InitialValue;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2014-03-27 18:28:52 +08:00
|
|
|
|
public void Initialize() {
|
|
|
|
|
if (keyInitField == null)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
foreach (var type in module.Types) {
|
|
|
|
|
var cctor = type.FindStaticConstructor();
|
|
|
|
|
if (cctor == null)
|
|
|
|
|
continue;
|
|
|
|
|
keyArrayField = GetKeyArrayField(cctor, keyInitField);
|
|
|
|
|
if (keyArrayField != null)
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
if (keyArrayField == null)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
foreach (var type in module.GetTypes()) {
|
|
|
|
|
FieldDef field;
|
|
|
|
|
var method = FindStringDecrypters(type, keyArrayField, out field);
|
|
|
|
|
if (method == null)
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
stringDecrypterInfos[new StringDecrypterInfo(method, field)] = true;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static FieldDef GetKeyArrayField(MethodDef method, FieldDef keyInitField) {
|
|
|
|
|
if (method == null || method.Body == null)
|
|
|
|
|
return null;
|
|
|
|
|
var instrs = method.Body.Instructions;
|
|
|
|
|
for (int i = 0; i < instrs.Count; i++) {
|
|
|
|
|
if (instrs[i].OpCode.Code != Code.Ldtoken)
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
i++;
|
|
|
|
|
for (; i < instrs.Count; i++) {
|
|
|
|
|
var instr = instrs[i];
|
|
|
|
|
if (instr.OpCode.Code != Code.Stsfld)
|
|
|
|
|
continue;
|
|
|
|
|
var field = instr.Operand as FieldDef;
|
|
|
|
|
if (field == null || !field.IsStatic || field.DeclaringType != method.DeclaringType)
|
|
|
|
|
continue;
|
|
|
|
|
if (field.FieldSig.GetFieldType().GetFullName() != "System.Byte[]")
|
|
|
|
|
continue;
|
|
|
|
|
return field;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static MethodDef FindStringDecrypters(TypeDef type, FieldDef keyArrayField, out FieldDef field) {
|
|
|
|
|
FieldDef foundField = null;
|
|
|
|
|
foreach (var method in type.Methods) {
|
|
|
|
|
if (!method.IsAssembly || !method.IsStatic)
|
|
|
|
|
continue;
|
|
|
|
|
if (!DotNetUtils.IsMethod(method, "System.String", "(System.String)"))
|
|
|
|
|
continue;
|
|
|
|
|
if (!method.HasBody)
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
bool accessedArrayField = false;
|
|
|
|
|
foreach (var instr in method.Body.Instructions) {
|
|
|
|
|
var f = instr.Operand as FieldDef;
|
|
|
|
|
accessedArrayField |= f == keyArrayField;
|
|
|
|
|
if (f == null || f == keyArrayField || f == foundField)
|
|
|
|
|
continue;
|
2014-04-15 00:26:59 +08:00
|
|
|
|
if (DotNetUtils.DerivesFromDelegate(f.DeclaringType))
|
|
|
|
|
continue;
|
2014-03-27 18:28:52 +08:00
|
|
|
|
if (f.FieldSig.GetFieldType().GetFullName() != "System.Collections.Hashtable" ||
|
|
|
|
|
foundField != null)
|
|
|
|
|
goto exit;
|
|
|
|
|
foundField = f;
|
|
|
|
|
}
|
|
|
|
|
if (!accessedArrayField)
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
field = foundField;
|
|
|
|
|
return method;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
exit: ;
|
|
|
|
|
field = null;
|
|
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public void Deobfuscate(Blocks blocks) {
|
|
|
|
|
if (!blocks.Method.IsStaticConstructor)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
var decrypterFields = new Dictionary<FieldDef, bool>(stringDecrypterInfos.Count);
|
|
|
|
|
foreach (var info in stringDecrypterInfos.Keys) {
|
|
|
|
|
if (info.Field != null)
|
|
|
|
|
decrypterFields[info.Field] = true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
foreach (var block in blocks.MethodBlocks.GetAllBlocks()) {
|
|
|
|
|
var instrs = block.Instructions;
|
|
|
|
|
for (int i = instrs.Count - 2; i >= 0; i--) {
|
|
|
|
|
var newobj = instrs[i];
|
|
|
|
|
if (newobj.OpCode.Code != Code.Newobj)
|
|
|
|
|
continue;
|
|
|
|
|
var ctor = newobj.Operand as IMethod;
|
|
|
|
|
if (ctor == null || ctor.FullName != "System.Void System.Collections.Hashtable::.ctor()")
|
|
|
|
|
continue;
|
|
|
|
|
var stsfld = instrs[i + 1];
|
|
|
|
|
if (stsfld.OpCode.Code != Code.Stsfld)
|
|
|
|
|
continue;
|
|
|
|
|
var field = stsfld.Operand as FieldDef;
|
|
|
|
|
if (field == null || !decrypterFields.ContainsKey(field))
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
block.Remove(i, 2);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
public string Decrypt(string es) {
|
2011-11-06 19:19:26 +08:00
|
|
|
|
if (stringDecrypterKey == null)
|
|
|
|
|
throw new ApplicationException("Trying to decrypt strings when stringDecrypterKey is null (could not find it!)");
|
2012-12-03 08:22:14 +08:00
|
|
|
|
char[] buf = new char[es.Length];
|
2011-11-06 19:19:26 +08:00
|
|
|
|
for (int i = 0; i < es.Length; i++)
|
2012-12-03 08:22:14 +08:00
|
|
|
|
buf[i] = (char)(es[i] ^ stringDecrypterKey[i % stringDecrypterKey.Length]);
|
|
|
|
|
return new string(buf);
|
2011-11-06 19:19:26 +08:00
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|