2012-07-17 00:04:20 +08:00
|
|
|
|
/*
|
2015-10-30 05:45:26 +08:00
|
|
|
|
Copyright (C) 2011-2015 de4dot@gmail.com
|
2012-07-17 00:04:20 +08:00
|
|
|
|
|
|
|
|
|
This file is part of de4dot.
|
|
|
|
|
|
|
|
|
|
de4dot is free software: you can redistribute it and/or modify
|
|
|
|
|
it under the terms of the GNU General Public License as published by
|
|
|
|
|
the Free Software Foundation, either version 3 of the License, or
|
|
|
|
|
(at your option) any later version.
|
|
|
|
|
|
|
|
|
|
de4dot is distributed in the hope that it will be useful,
|
|
|
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
GNU General Public License for more details.
|
|
|
|
|
|
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
|
|
|
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
*/
|
|
|
|
|
|
2012-12-14 16:18:14 +08:00
|
|
|
|
using System;
|
2012-07-17 00:04:20 +08:00
|
|
|
|
using System.Collections.Generic;
|
2012-12-20 09:06:09 +08:00
|
|
|
|
using dnlib.DotNet;
|
|
|
|
|
using dnlib.DotNet.Emit;
|
2012-07-17 00:04:20 +08:00
|
|
|
|
using de4dot.blocks;
|
|
|
|
|
|
|
|
|
|
namespace de4dot.code.deobfuscators.DeepSea {
|
|
|
|
|
class ArrayBlockState {
|
2012-11-09 07:21:45 +08:00
|
|
|
|
ModuleDefMD module;
|
2012-11-22 16:14:51 +08:00
|
|
|
|
FieldDefAndDeclaringTypeDict<FieldInfo> fieldToInfo = new FieldDefAndDeclaringTypeDict<FieldInfo>();
|
2012-07-17 00:04:20 +08:00
|
|
|
|
|
|
|
|
|
public class FieldInfo {
|
2012-12-14 16:18:14 +08:00
|
|
|
|
public readonly ElementType elementType;
|
2012-11-02 22:57:11 +08:00
|
|
|
|
public readonly FieldDef field;
|
|
|
|
|
public readonly FieldDef arrayInitField;
|
2012-12-14 16:18:14 +08:00
|
|
|
|
public readonly Array array;
|
2012-07-17 00:04:20 +08:00
|
|
|
|
|
2012-11-02 22:57:11 +08:00
|
|
|
|
public FieldInfo(FieldDef field, FieldDef arrayInitField) {
|
2012-07-17 00:04:20 +08:00
|
|
|
|
this.field = field;
|
2012-12-14 16:18:14 +08:00
|
|
|
|
this.elementType = ((SZArraySig)field.FieldType).Next.GetElementType();
|
2012-07-17 00:04:20 +08:00
|
|
|
|
this.arrayInitField = arrayInitField;
|
2013-01-19 20:03:57 +08:00
|
|
|
|
this.array = CreateArray(elementType, arrayInitField.InitialValue);
|
2012-12-14 16:18:14 +08:00
|
|
|
|
}
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
static Array CreateArray(ElementType etype, byte[] data) {
|
2012-12-14 16:18:14 +08:00
|
|
|
|
switch (etype) {
|
|
|
|
|
case ElementType.Boolean:
|
|
|
|
|
case ElementType.I1:
|
|
|
|
|
case ElementType.U1:
|
|
|
|
|
return (byte[])data.Clone();
|
|
|
|
|
|
|
|
|
|
case ElementType.Char:
|
|
|
|
|
case ElementType.I2:
|
|
|
|
|
case ElementType.U2:
|
|
|
|
|
var ary2 = new ushort[data.Length / 2];
|
|
|
|
|
Buffer.BlockCopy(data, 0, ary2, 0, ary2.Length * 2);
|
|
|
|
|
return ary2;
|
|
|
|
|
|
|
|
|
|
case ElementType.I4:
|
|
|
|
|
case ElementType.U4:
|
|
|
|
|
var ary4 = new uint[data.Length / 4];
|
|
|
|
|
Buffer.BlockCopy(data, 0, ary4, 0, ary4.Length * 4);
|
|
|
|
|
return ary4;
|
|
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
throw new ApplicationException("Invalid etype");
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
public uint ReadArrayElement(int index) {
|
2012-12-14 16:18:14 +08:00
|
|
|
|
switch (elementType) {
|
|
|
|
|
case ElementType.Boolean:
|
|
|
|
|
case ElementType.I1:
|
|
|
|
|
case ElementType.U1:
|
|
|
|
|
return ((byte[])array)[index];
|
|
|
|
|
|
|
|
|
|
case ElementType.Char:
|
|
|
|
|
case ElementType.I2:
|
|
|
|
|
case ElementType.U2:
|
|
|
|
|
return ((ushort[])array)[index];
|
|
|
|
|
|
|
|
|
|
case ElementType.I4:
|
|
|
|
|
case ElementType.U4:
|
|
|
|
|
return ((uint[])array)[index];
|
|
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
throw new ApplicationException("Invalid etype");
|
|
|
|
|
}
|
2012-07-17 00:04:20 +08:00
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public bool Detected {
|
|
|
|
|
get { return fieldToInfo.Count != 0; }
|
|
|
|
|
}
|
|
|
|
|
|
2012-11-09 07:21:45 +08:00
|
|
|
|
public ArrayBlockState(ModuleDefMD module) {
|
2012-07-17 00:04:20 +08:00
|
|
|
|
this.module = module;
|
|
|
|
|
}
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
public void Initialize(ISimpleDeobfuscator simpleDeobfuscator) {
|
|
|
|
|
InitializeArrays(simpleDeobfuscator, DotNetUtils.GetModuleTypeCctor(module));
|
2012-07-17 00:04:20 +08:00
|
|
|
|
}
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
void InitializeArrays(ISimpleDeobfuscator simpleDeobfuscator, MethodDef method) {
|
2012-07-17 00:04:20 +08:00
|
|
|
|
if (method == null || method.Body == null)
|
|
|
|
|
return;
|
2013-01-19 20:03:57 +08:00
|
|
|
|
while (InitializeArrays2(simpleDeobfuscator, method)) {
|
2012-07-17 00:04:20 +08:00
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
bool InitializeArrays2(ISimpleDeobfuscator simpleDeobfuscator, MethodDef method) {
|
2012-07-17 00:04:20 +08:00
|
|
|
|
bool foundField = false;
|
2015-10-30 05:36:17 +08:00
|
|
|
|
simpleDeobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.Force);
|
2012-07-17 00:04:20 +08:00
|
|
|
|
var instructions = method.Body.Instructions;
|
|
|
|
|
for (int i = 0; i < instructions.Count; i++) {
|
|
|
|
|
var ldci4 = instructions[i];
|
2012-11-09 07:21:45 +08:00
|
|
|
|
if (!ldci4.IsLdcI4())
|
2012-07-17 00:04:20 +08:00
|
|
|
|
continue;
|
|
|
|
|
i++;
|
2013-01-19 20:03:57 +08:00
|
|
|
|
var instrs = DotNetUtils.GetInstructions(instructions, i, OpCodes.Newarr, OpCodes.Dup, OpCodes.Ldtoken, OpCodes.Call, OpCodes.Stsfld);
|
2012-07-17 00:04:20 +08:00
|
|
|
|
if (instrs == null)
|
|
|
|
|
continue;
|
|
|
|
|
|
2012-11-02 22:57:11 +08:00
|
|
|
|
var arrayInitField = instrs[2].Operand as FieldDef;
|
2012-07-17 00:04:20 +08:00
|
|
|
|
if (arrayInitField == null || arrayInitField.InitialValue == null || arrayInitField.InitialValue.Length == 0)
|
|
|
|
|
continue;
|
|
|
|
|
|
2012-11-09 07:21:45 +08:00
|
|
|
|
var calledMethod = instrs[3].Operand as IMethod;
|
2012-07-17 00:04:20 +08:00
|
|
|
|
if (calledMethod == null || calledMethod.FullName != "System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle)")
|
|
|
|
|
continue;
|
|
|
|
|
|
2012-11-02 22:57:11 +08:00
|
|
|
|
var targetField = instrs[4].Operand as FieldDef;
|
2012-12-14 16:18:14 +08:00
|
|
|
|
if (targetField == null || targetField.FieldType.GetElementType() != ElementType.SZArray)
|
|
|
|
|
continue;
|
|
|
|
|
var etype = ((SZArraySig)targetField.FieldType).Next.GetElementType();
|
|
|
|
|
if (etype < ElementType.Boolean || etype > ElementType.U4)
|
2012-07-17 00:04:20 +08:00
|
|
|
|
continue;
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
if (fieldToInfo.Find(targetField) == null) {
|
|
|
|
|
fieldToInfo.Add(targetField, new FieldInfo(targetField, arrayInitField));
|
2012-07-17 00:04:20 +08:00
|
|
|
|
foundField = true;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return foundField;
|
|
|
|
|
}
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
public FieldInfo GetFieldInfo(IField fieldRef) {
|
2012-07-17 00:04:20 +08:00
|
|
|
|
if (fieldRef == null)
|
|
|
|
|
return null;
|
2013-01-19 20:03:57 +08:00
|
|
|
|
return fieldToInfo.Find(fieldRef);
|
2012-07-17 00:04:20 +08:00
|
|
|
|
}
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
public IEnumerable<FieldDef> CleanUp() {
|
2012-11-02 22:57:11 +08:00
|
|
|
|
var removedFields = new List<FieldDef>();
|
2013-01-19 20:03:57 +08:00
|
|
|
|
var moduleCctor = DotNetUtils.GetModuleTypeCctor(module);
|
2012-07-17 00:04:20 +08:00
|
|
|
|
if (moduleCctor == null)
|
|
|
|
|
return removedFields;
|
|
|
|
|
var moduleCctorBlocks = new Blocks(moduleCctor);
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
var keep = FindFieldsToKeep();
|
|
|
|
|
foreach (var fieldInfo in fieldToInfo.GetValues()) {
|
2012-07-17 00:04:20 +08:00
|
|
|
|
if (keep.ContainsKey(fieldInfo))
|
|
|
|
|
continue;
|
2013-01-19 20:03:57 +08:00
|
|
|
|
if (RemoveInitCode(moduleCctorBlocks, fieldInfo)) {
|
2012-07-17 00:04:20 +08:00
|
|
|
|
removedFields.Add(fieldInfo.field);
|
|
|
|
|
removedFields.Add(fieldInfo.arrayInitField);
|
|
|
|
|
}
|
|
|
|
|
fieldInfo.arrayInitField.InitialValue = new byte[1];
|
2012-11-09 07:21:45 +08:00
|
|
|
|
fieldInfo.arrayInitField.FieldSig.Type = module.CorLibTypes.Byte;
|
2012-11-17 18:45:24 +08:00
|
|
|
|
fieldInfo.arrayInitField.RVA = 0;
|
2012-07-17 00:04:20 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
IList<Instruction> allInstructions;
|
|
|
|
|
IList<ExceptionHandler> allExceptionHandlers;
|
2013-01-19 20:03:57 +08:00
|
|
|
|
moduleCctorBlocks.GetCode(out allInstructions, out allExceptionHandlers);
|
|
|
|
|
DotNetUtils.RestoreBody(moduleCctorBlocks.Method, allInstructions, allExceptionHandlers);
|
2012-07-17 00:04:20 +08:00
|
|
|
|
return removedFields;
|
|
|
|
|
}
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
bool RemoveInitCode(Blocks blocks, FieldInfo info) {
|
2012-07-17 00:04:20 +08:00
|
|
|
|
bool removedSomething = false;
|
2013-01-19 20:03:57 +08:00
|
|
|
|
foreach (var block in blocks.MethodBlocks.GetAllBlocks()) {
|
2012-07-17 00:04:20 +08:00
|
|
|
|
var instrs = block.Instructions;
|
|
|
|
|
for (int i = 0; i < instrs.Count - 5; i++) {
|
|
|
|
|
var ldci4 = instrs[i];
|
2013-01-19 20:03:57 +08:00
|
|
|
|
if (!ldci4.IsLdcI4())
|
2012-07-17 00:04:20 +08:00
|
|
|
|
continue;
|
|
|
|
|
if (instrs[i + 1].OpCode.Code != Code.Newarr)
|
|
|
|
|
continue;
|
|
|
|
|
if (instrs[i + 2].OpCode.Code != Code.Dup)
|
|
|
|
|
continue;
|
|
|
|
|
var ldtoken = instrs[i + 3];
|
|
|
|
|
if (ldtoken.OpCode.Code != Code.Ldtoken)
|
|
|
|
|
continue;
|
|
|
|
|
if (ldtoken.Operand != info.arrayInitField)
|
|
|
|
|
continue;
|
|
|
|
|
var call = instrs[i + 4];
|
|
|
|
|
if (call.OpCode.Code != Code.Call)
|
|
|
|
|
continue;
|
2012-11-09 07:21:45 +08:00
|
|
|
|
var calledMethod = call.Operand as IMethod;
|
2012-07-17 00:04:20 +08:00
|
|
|
|
if (calledMethod == null || calledMethod.FullName != "System.Void System.Runtime.CompilerServices.RuntimeHelpers::InitializeArray(System.Array,System.RuntimeFieldHandle)")
|
|
|
|
|
continue;
|
|
|
|
|
var stsfld = instrs[i + 5];
|
|
|
|
|
if (stsfld.OpCode.Code != Code.Stsfld)
|
|
|
|
|
continue;
|
|
|
|
|
if (stsfld.Operand != info.field)
|
|
|
|
|
continue;
|
2013-01-19 20:03:57 +08:00
|
|
|
|
block.Remove(i, 6);
|
2012-07-17 00:04:20 +08:00
|
|
|
|
i--;
|
|
|
|
|
removedSomething = true;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return removedSomething;
|
|
|
|
|
}
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
Dictionary<FieldInfo, bool> FindFieldsToKeep() {
|
2012-07-17 00:04:20 +08:00
|
|
|
|
var keep = new Dictionary<FieldInfo, bool>();
|
|
|
|
|
foreach (var type in module.GetTypes()) {
|
|
|
|
|
foreach (var method in type.Methods) {
|
2013-01-19 20:03:57 +08:00
|
|
|
|
if (type == DotNetUtils.GetModuleType(module) && method.Name == ".cctor")
|
2012-07-17 00:04:20 +08:00
|
|
|
|
continue;
|
|
|
|
|
if (method.Body == null)
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
foreach (var instr in method.Body.Instructions) {
|
2012-11-09 07:21:45 +08:00
|
|
|
|
var field = instr.Operand as IField;
|
2012-07-17 00:04:20 +08:00
|
|
|
|
if (field == null)
|
|
|
|
|
continue;
|
2013-01-19 20:03:57 +08:00
|
|
|
|
var fieldInfo = fieldToInfo.Find(field);
|
2012-07-17 00:04:20 +08:00
|
|
|
|
if (fieldInfo == null)
|
|
|
|
|
continue;
|
|
|
|
|
keep[fieldInfo] = true;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return keep;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|