2012-01-08 03:27:07 +08:00
|
|
|
|
/*
|
2012-01-10 06:04:52 +08:00
|
|
|
|
Copyright (C) 2011-2012 de4dot@gmail.com
|
2012-01-08 03:27:07 +08:00
|
|
|
|
|
|
|
|
|
This file is part of de4dot.
|
|
|
|
|
|
|
|
|
|
de4dot is free software: you can redistribute it and/or modify
|
|
|
|
|
it under the terms of the GNU General Public License as published by
|
|
|
|
|
the Free Software Foundation, either version 3 of the License, or
|
|
|
|
|
(at your option) any later version.
|
|
|
|
|
|
|
|
|
|
de4dot is distributed in the hope that it will be useful,
|
|
|
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
GNU General Public License for more details.
|
|
|
|
|
|
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
|
|
|
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
using System;
|
|
|
|
|
using System.Collections.Generic;
|
|
|
|
|
using System.IO;
|
2012-11-02 22:57:11 +08:00
|
|
|
|
using dot10.DotNet;
|
|
|
|
|
using dot10.DotNet.Emit;
|
2012-01-08 03:27:07 +08:00
|
|
|
|
using de4dot.blocks;
|
|
|
|
|
|
|
|
|
|
namespace de4dot.code.deobfuscators.Babel_NET {
|
2012-04-05 03:06:10 +08:00
|
|
|
|
class MethodsDecrypter {
|
2012-01-08 03:27:07 +08:00
|
|
|
|
ModuleDefinition module;
|
2012-06-12 16:37:51 +08:00
|
|
|
|
ResourceDecrypter resourceDecrypter;
|
2012-04-05 03:06:10 +08:00
|
|
|
|
IDeobfuscatorContext deobfuscatorContext;
|
2012-01-08 03:27:07 +08:00
|
|
|
|
Dictionary<string, ImageReader> imageReaders = new Dictionary<string, ImageReader>(StringComparer.Ordinal);
|
2012-11-02 22:57:11 +08:00
|
|
|
|
TypeDef methodsDecrypterCreator;
|
|
|
|
|
TypeDef methodsDecrypter;
|
|
|
|
|
MethodDef decryptExecuteMethod;
|
2012-01-08 03:27:07 +08:00
|
|
|
|
EmbeddedResource encryptedResource;
|
|
|
|
|
|
|
|
|
|
public bool Detected {
|
|
|
|
|
get { return methodsDecrypterCreator != null; }
|
|
|
|
|
}
|
|
|
|
|
|
2012-06-12 16:37:51 +08:00
|
|
|
|
public MethodsDecrypter(ModuleDefinition module, ResourceDecrypter resourceDecrypter, IDeobfuscatorContext deobfuscatorContext) {
|
2012-01-08 03:27:07 +08:00
|
|
|
|
this.module = module;
|
2012-06-12 16:37:51 +08:00
|
|
|
|
this.resourceDecrypter = resourceDecrypter;
|
2012-04-05 03:06:10 +08:00
|
|
|
|
this.deobfuscatorContext = deobfuscatorContext;
|
2012-01-08 03:27:07 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public void find() {
|
|
|
|
|
var requiredFields = new string[] {
|
|
|
|
|
"System.Threading.ReaderWriterLock",
|
|
|
|
|
"System.Collections.Hashtable",
|
|
|
|
|
};
|
|
|
|
|
foreach (var type in module.GetTypes()) {
|
|
|
|
|
var fieldTypes = new FieldTypes(type);
|
|
|
|
|
if (!fieldTypes.all(requiredFields))
|
|
|
|
|
continue;
|
|
|
|
|
if (DotNetUtils.getMethod(type, "Finalize") == null)
|
|
|
|
|
continue;
|
|
|
|
|
var executeMethod = DotNetUtils.getMethod(type, "System.Object", "(System.String,System.Object[])");
|
|
|
|
|
if (executeMethod == null || !executeMethod.IsStatic || executeMethod.Body == null)
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
var decrypterType = findMethodsDecrypterType(type);
|
|
|
|
|
if (decrypterType == null)
|
|
|
|
|
continue;
|
|
|
|
|
|
2012-06-12 16:37:51 +08:00
|
|
|
|
resourceDecrypter.DecryptMethod = findDecryptMethod(decrypterType);
|
|
|
|
|
|
2012-01-08 03:27:07 +08:00
|
|
|
|
methodsDecrypterCreator = type;
|
|
|
|
|
methodsDecrypter = decrypterType;
|
|
|
|
|
decryptExecuteMethod = executeMethod;
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2012-11-02 22:57:11 +08:00
|
|
|
|
static MethodDef findDecryptMethod(TypeDef type) {
|
2012-06-12 16:37:51 +08:00
|
|
|
|
foreach (var method in type.Methods) {
|
|
|
|
|
var decryptMethod = ResourceDecrypter.findDecrypterMethod(method);
|
|
|
|
|
if (decryptMethod != null)
|
|
|
|
|
return decryptMethod;
|
|
|
|
|
}
|
|
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
|
2012-11-02 22:57:11 +08:00
|
|
|
|
TypeDef findMethodsDecrypterType(TypeDef type) {
|
2012-01-08 03:27:07 +08:00
|
|
|
|
foreach (var field in type.Fields) {
|
|
|
|
|
var fieldType = DotNetUtils.getType(module, field.FieldType);
|
|
|
|
|
if (fieldType == null)
|
|
|
|
|
continue;
|
|
|
|
|
if (DotNetUtils.getMethod(fieldType, "Finalize") == null)
|
|
|
|
|
continue;
|
|
|
|
|
if (!new FieldTypes(fieldType).exists("System.Collections.Hashtable"))
|
|
|
|
|
continue;
|
|
|
|
|
if (DotNetUtils.getMethod(fieldType, "System.String", "()") == null)
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
return fieldType;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public void initialize(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
|
|
|
|
|
if (methodsDecrypter == null)
|
|
|
|
|
return;
|
|
|
|
|
|
2012-01-18 14:38:35 +08:00
|
|
|
|
encryptedResource = BabelUtils.findEmbeddedResource(module, methodsDecrypter, simpleDeobfuscator, deob);
|
2012-06-12 16:37:51 +08:00
|
|
|
|
if (encryptedResource != null)
|
|
|
|
|
addImageReader("", resourceDecrypter.decrypt(encryptedResource.GetResourceData()));
|
2012-01-08 03:27:07 +08:00
|
|
|
|
}
|
|
|
|
|
|
2012-06-12 16:37:51 +08:00
|
|
|
|
ImageReader addImageReader(string name, byte[] data) {
|
2012-04-05 03:06:10 +08:00
|
|
|
|
var imageReader = new ImageReader(deobfuscatorContext, module, data);
|
2012-01-08 03:27:07 +08:00
|
|
|
|
if (!imageReader.initialize()) {
|
|
|
|
|
Log.w("Could not read encrypted methods");
|
2012-06-12 16:37:51 +08:00
|
|
|
|
return null;
|
2012-01-08 03:27:07 +08:00
|
|
|
|
}
|
|
|
|
|
if (imageReaders.ContainsKey(name))
|
|
|
|
|
throw new ApplicationException(string.Format("ImageReader for name '{0}' already exists", name));
|
|
|
|
|
imageReaders[name] = imageReader;
|
2012-06-12 16:37:51 +08:00
|
|
|
|
return imageReader;
|
2012-01-08 03:27:07 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
class EncryptInfo {
|
|
|
|
|
public string encryptedMethodName;
|
|
|
|
|
public string feature;
|
2012-11-02 22:57:11 +08:00
|
|
|
|
public MethodDef method;
|
2012-06-12 16:37:51 +08:00
|
|
|
|
|
|
|
|
|
public string FullName {
|
|
|
|
|
get {
|
|
|
|
|
if (string.IsNullOrEmpty(feature))
|
|
|
|
|
return encryptedMethodName;
|
|
|
|
|
return string.Format("{0}:{1}", feature, encryptedMethodName);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2012-11-02 22:57:11 +08:00
|
|
|
|
public EncryptInfo(string encryptedMethodName, string feature, MethodDef method) {
|
2012-01-08 03:27:07 +08:00
|
|
|
|
this.encryptedMethodName = encryptedMethodName;
|
|
|
|
|
this.feature = feature;
|
|
|
|
|
this.method = method;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public override string ToString() {
|
|
|
|
|
if (feature != "")
|
2012-11-02 22:57:11 +08:00
|
|
|
|
return string.Format("{0}:{1} {2:X8}", feature, encryptedMethodName, method.MDToken.ToInt32());
|
2012-01-08 03:27:07 +08:00
|
|
|
|
else
|
2012-11-02 22:57:11 +08:00
|
|
|
|
return string.Format("{0} {1:X8}", encryptedMethodName, method.MDToken.ToInt32());
|
2012-01-08 03:27:07 +08:00
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public void decrypt() {
|
|
|
|
|
int numNonDecryptedMethods = 0;
|
|
|
|
|
int totalEncryptedMethods = 0;
|
|
|
|
|
foreach (var info in getEncryptedMethods()) {
|
|
|
|
|
totalEncryptedMethods++;
|
2012-06-12 16:37:51 +08:00
|
|
|
|
var imageReader = getImageReader(info.feature);
|
|
|
|
|
if (imageReader == null) {
|
2012-01-08 03:27:07 +08:00
|
|
|
|
numNonDecryptedMethods++;
|
|
|
|
|
continue;
|
|
|
|
|
}
|
2012-11-02 22:57:11 +08:00
|
|
|
|
Log.v("Decrypting method {0:X8}", info.method.MDToken.ToInt32());
|
2012-06-12 16:37:51 +08:00
|
|
|
|
imageReader.restore(info.FullName, info.method);
|
2012-01-08 03:27:07 +08:00
|
|
|
|
}
|
|
|
|
|
if (numNonDecryptedMethods > 0)
|
|
|
|
|
Log.w("{0}/{1} methods not decrypted", numNonDecryptedMethods, totalEncryptedMethods);
|
|
|
|
|
}
|
|
|
|
|
|
2012-06-12 16:37:51 +08:00
|
|
|
|
ImageReader getImageReader(string feature) {
|
|
|
|
|
ImageReader imageReader;
|
|
|
|
|
if (imageReaders.TryGetValue(feature, out imageReader))
|
|
|
|
|
return imageReader;
|
|
|
|
|
|
|
|
|
|
return createImageReader(feature);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ImageReader createImageReader(string feature) {
|
|
|
|
|
if (string.IsNullOrEmpty(feature))
|
|
|
|
|
return null;
|
|
|
|
|
|
|
|
|
|
try {
|
|
|
|
|
var encrypted = File.ReadAllBytes(getFile(Path.GetDirectoryName(module.FullyQualifiedName), feature));
|
|
|
|
|
var decrypted = resourceDecrypter.decrypt(encrypted);
|
|
|
|
|
return addImageReader(feature, decrypted);
|
|
|
|
|
}
|
|
|
|
|
catch {
|
|
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static string getFile(string dir, string name) {
|
|
|
|
|
try {
|
|
|
|
|
var di = new DirectoryInfo(dir);
|
|
|
|
|
foreach (var file in di.GetFiles()) {
|
|
|
|
|
if (Utils.StartsWith(file.Name, name, StringComparison.OrdinalIgnoreCase))
|
|
|
|
|
return file.FullName;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
catch {
|
|
|
|
|
}
|
|
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
|
2012-01-08 03:27:07 +08:00
|
|
|
|
List<EncryptInfo> getEncryptedMethods() {
|
|
|
|
|
var infos = new List<EncryptInfo>();
|
|
|
|
|
|
|
|
|
|
foreach (var type in module.GetTypes()) {
|
|
|
|
|
foreach (var method in type.Methods) {
|
|
|
|
|
EncryptInfo info;
|
|
|
|
|
if (checkEncryptedMethod(method, out info))
|
|
|
|
|
infos.Add(info);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return infos;
|
|
|
|
|
}
|
|
|
|
|
|
2012-11-02 22:57:11 +08:00
|
|
|
|
bool checkEncryptedMethod(MethodDef method, out EncryptInfo info) {
|
2012-01-08 03:27:07 +08:00
|
|
|
|
info = null;
|
|
|
|
|
if (method.Body == null)
|
|
|
|
|
return false;
|
|
|
|
|
if (!callsExecuteMethod(method))
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
var strings = DotNetUtils.getCodeStrings(method);
|
|
|
|
|
if (strings.Count != 1)
|
|
|
|
|
throw new ApplicationException(string.Format("Could not find name of encrypted method"));
|
|
|
|
|
|
|
|
|
|
string feature = "";
|
|
|
|
|
string name = strings[0];
|
|
|
|
|
int index = name.IndexOf(':');
|
|
|
|
|
if (index >= 0) {
|
|
|
|
|
feature = name.Substring(0, index);
|
|
|
|
|
name = name.Substring(index + 1);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
info = new EncryptInfo(name, feature, method);
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
2012-11-02 22:57:11 +08:00
|
|
|
|
bool callsExecuteMethod(MethodDef method) {
|
2012-01-08 03:27:07 +08:00
|
|
|
|
foreach (var instr in method.Body.Instructions) {
|
|
|
|
|
if (instr.OpCode.Code != Code.Call && instr.OpCode.Code != Code.Callvirt)
|
|
|
|
|
continue;
|
|
|
|
|
if (MemberReferenceHelper.compareMethodReferenceAndDeclaringType(decryptExecuteMethod, instr.Operand as MethodReference))
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|