2012-07-27 18:17:40 +08:00
|
|
|
|
/*
|
2015-10-30 05:45:26 +08:00
|
|
|
|
Copyright (C) 2011-2015 de4dot@gmail.com
|
2012-07-27 18:17:40 +08:00
|
|
|
|
|
|
|
|
|
|
This file is part of de4dot.
|
|
|
|
|
|
|
|
|
|
|
|
de4dot is free software: you can redistribute it and/or modify
|
|
|
|
|
|
it under the terms of the GNU General Public License as published by
|
|
|
|
|
|
the Free Software Foundation, either version 3 of the License, or
|
|
|
|
|
|
(at your option) any later version.
|
|
|
|
|
|
|
|
|
|
|
|
de4dot is distributed in the hope that it will be useful,
|
|
|
|
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
|
GNU General Public License for more details.
|
|
|
|
|
|
|
|
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
|
|
|
|
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
|
*/
|
|
|
|
|
|
|
2012-07-31 16:00:46 +08:00
|
|
|
|
using System;
|
2012-07-27 18:17:40 +08:00
|
|
|
|
using System.Collections.Generic;
|
|
|
|
|
|
using System.IO;
|
2012-12-23 04:08:29 +08:00
|
|
|
|
using dnlib.DotNet;
|
|
|
|
|
|
using dnlib.DotNet.Emit;
|
2012-07-27 18:17:40 +08:00
|
|
|
|
using de4dot.blocks;
|
|
|
|
|
|
|
|
|
|
|
|
namespace de4dot.code.deobfuscators.Confuser {
|
2012-08-09 17:47:18 +08:00
|
|
|
|
class ResourceDecrypter : IVersionProvider {
|
2012-11-19 06:42:43 +08:00
|
|
|
|
ModuleDefMD module;
|
2012-07-27 18:17:40 +08:00
|
|
|
|
ISimpleDeobfuscator simpleDeobfuscator;
|
2012-11-19 06:42:43 +08:00
|
|
|
|
MethodDef handler;
|
|
|
|
|
|
MethodDef installMethod;
|
2013-01-20 22:59:30 +08:00
|
|
|
|
TypeDef lzmaType;
|
2012-07-27 18:17:40 +08:00
|
|
|
|
EmbeddedResource resource;
|
2012-11-19 06:42:43 +08:00
|
|
|
|
Dictionary<FieldDef, bool> fields = new Dictionary<FieldDef, bool>();
|
2012-07-27 18:17:40 +08:00
|
|
|
|
byte key0, key1;
|
2012-07-31 16:00:46 +08:00
|
|
|
|
ConfuserVersion version = ConfuserVersion.Unknown;
|
|
|
|
|
|
|
|
|
|
|
|
enum ConfuserVersion {
|
|
|
|
|
|
Unknown,
|
2012-07-31 18:42:41 +08:00
|
|
|
|
v14_r55802,
|
2012-08-03 00:26:01 +08:00
|
|
|
|
v17_r73404,
|
2012-08-05 07:57:36 +08:00
|
|
|
|
v17_r73822,
|
2012-08-08 18:14:54 +08:00
|
|
|
|
v18_r75367,
|
2012-08-09 00:34:37 +08:00
|
|
|
|
v18_r75369,
|
2013-01-20 22:59:30 +08:00
|
|
|
|
v19_r77172,
|
2012-07-31 16:00:46 +08:00
|
|
|
|
}
|
2012-07-27 18:17:40 +08:00
|
|
|
|
|
2012-11-19 06:42:43 +08:00
|
|
|
|
public IEnumerable<FieldDef> Fields {
|
2012-07-27 18:17:40 +08:00
|
|
|
|
get { return fields.Keys; }
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-11-19 06:42:43 +08:00
|
|
|
|
public MethodDef Handler {
|
2012-07-27 18:17:40 +08:00
|
|
|
|
get { return handler; }
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2013-01-20 22:59:30 +08:00
|
|
|
|
public TypeDef LzmaType {
|
|
|
|
|
|
get { return lzmaType; }
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-07-27 18:17:40 +08:00
|
|
|
|
public bool Detected {
|
|
|
|
|
|
get { return handler != null; }
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-11-19 06:42:43 +08:00
|
|
|
|
public ResourceDecrypter(ModuleDefMD module, ISimpleDeobfuscator simpleDeobfuscator) {
|
2012-07-27 18:17:40 +08:00
|
|
|
|
this.module = module;
|
|
|
|
|
|
this.simpleDeobfuscator = simpleDeobfuscator;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2013-01-19 20:09:49 +08:00
|
|
|
|
public void Find() {
|
|
|
|
|
|
if (CheckMethod(DotNetUtils.GetModuleTypeCctor(module)))
|
2012-07-27 18:17:40 +08:00
|
|
|
|
return;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2013-01-19 20:09:49 +08:00
|
|
|
|
bool CheckMethod(MethodDef method) {
|
2012-07-27 18:17:40 +08:00
|
|
|
|
if (method == null || method.Body == null)
|
|
|
|
|
|
return false;
|
2013-01-19 20:09:49 +08:00
|
|
|
|
if (!DotNetUtils.CallsMethod(method, "System.Void System.AppDomain::add_ResourceResolve(System.ResolveEventHandler)"))
|
2012-07-27 18:17:40 +08:00
|
|
|
|
return false;
|
2015-10-30 05:36:17 +08:00
|
|
|
|
simpleDeobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.Force | SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
|
2012-07-27 18:17:40 +08:00
|
|
|
|
fields.Clear();
|
|
|
|
|
|
|
2013-01-19 20:09:49 +08:00
|
|
|
|
var tmpHandler = GetHandler(method);
|
2012-07-27 18:17:40 +08:00
|
|
|
|
if (tmpHandler == null || tmpHandler.DeclaringType != method.DeclaringType)
|
|
|
|
|
|
return false;
|
|
|
|
|
|
|
2013-01-19 20:09:49 +08:00
|
|
|
|
var tmpResource = FindResource(tmpHandler);
|
2012-07-27 18:17:40 +08:00
|
|
|
|
if (tmpResource == null)
|
|
|
|
|
|
return false;
|
|
|
|
|
|
|
2015-10-30 05:36:17 +08:00
|
|
|
|
simpleDeobfuscator.Deobfuscate(tmpHandler, SimpleDeobfuscatorFlags.Force | SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
|
2012-07-31 16:00:46 +08:00
|
|
|
|
ConfuserVersion tmpVersion = ConfuserVersion.Unknown;
|
2013-01-19 20:09:49 +08:00
|
|
|
|
if (DotNetUtils.CallsMethod(tmpHandler, "System.Object System.AppDomain::GetData(System.String)")) {
|
|
|
|
|
|
if (!DotNetUtils.CallsMethod(tmpHandler, "System.Void System.Buffer::BlockCopy(System.Array,System.Int32,System.Array,System.Int32,System.Int32)")) {
|
|
|
|
|
|
if (!FindKey0Key1_v14_r55802(tmpHandler, out key0, out key1))
|
2012-08-03 00:26:01 +08:00
|
|
|
|
return false;
|
|
|
|
|
|
tmpVersion = ConfuserVersion.v14_r55802;
|
|
|
|
|
|
}
|
2013-01-19 20:09:49 +08:00
|
|
|
|
else if (FindKey0_v17_r73404(tmpHandler, out key0) && FindKey1_v17_r73404(tmpHandler, out key1))
|
2012-08-03 00:26:01 +08:00
|
|
|
|
tmpVersion = ConfuserVersion.v17_r73404;
|
|
|
|
|
|
else
|
2012-07-31 16:00:46 +08:00
|
|
|
|
return false;
|
|
|
|
|
|
}
|
|
|
|
|
|
else {
|
2013-01-19 20:09:49 +08:00
|
|
|
|
if (AddFields(FindFields(tmpHandler, method.DeclaringType)) != 1)
|
2012-07-31 16:00:46 +08:00
|
|
|
|
return false;
|
|
|
|
|
|
|
2013-01-19 20:09:49 +08:00
|
|
|
|
if (FindKey0_v17_r73404(tmpHandler, out key0) && FindKey1_v17_r73404(tmpHandler, out key1))
|
2012-08-05 07:57:36 +08:00
|
|
|
|
tmpVersion = ConfuserVersion.v17_r73822;
|
2013-01-19 20:09:49 +08:00
|
|
|
|
else if (FindKey0_v18_r75367(tmpHandler, out key0) && FindKey1_v17_r73404(tmpHandler, out key1))
|
2012-08-08 18:14:54 +08:00
|
|
|
|
tmpVersion = ConfuserVersion.v18_r75367;
|
2013-01-20 22:59:30 +08:00
|
|
|
|
else if (FindKey0_v18_r75369(tmpHandler, out key0) && FindKey1_v18_r75369(tmpHandler, out key1)) {
|
|
|
|
|
|
lzmaType = ConfuserUtils.FindLzmaType(tmpHandler);
|
|
|
|
|
|
if (lzmaType == null)
|
|
|
|
|
|
tmpVersion = ConfuserVersion.v18_r75369;
|
|
|
|
|
|
else
|
|
|
|
|
|
tmpVersion = ConfuserVersion.v19_r77172;
|
|
|
|
|
|
}
|
2012-08-05 07:57:36 +08:00
|
|
|
|
else
|
2012-07-31 16:00:46 +08:00
|
|
|
|
return false;
|
|
|
|
|
|
}
|
2012-07-27 18:17:40 +08:00
|
|
|
|
|
|
|
|
|
|
handler = tmpHandler;
|
|
|
|
|
|
resource = tmpResource;
|
|
|
|
|
|
installMethod = method;
|
2012-07-31 16:00:46 +08:00
|
|
|
|
version = tmpVersion;
|
2012-07-27 18:17:40 +08:00
|
|
|
|
return true;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2013-01-19 20:09:49 +08:00
|
|
|
|
static MethodDef GetHandler(MethodDef method) {
|
2012-07-27 18:17:40 +08:00
|
|
|
|
var instrs = method.Body.Instructions;
|
|
|
|
|
|
for (int i = 0; i < instrs.Count - 2; i++) {
|
|
|
|
|
|
var ldftn = instrs[i];
|
|
|
|
|
|
if (ldftn.OpCode.Code != Code.Ldftn)
|
|
|
|
|
|
continue;
|
2012-11-19 06:42:43 +08:00
|
|
|
|
var handler = ldftn.Operand as MethodDef;
|
2012-07-27 18:17:40 +08:00
|
|
|
|
if (handler == null)
|
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
|
|
var newobj = instrs[i + 1];
|
|
|
|
|
|
if (newobj.OpCode.Code != Code.Newobj)
|
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
|
|
var callvirt = instrs[i + 2];
|
|
|
|
|
|
if (callvirt.OpCode.Code != Code.Callvirt)
|
|
|
|
|
|
continue;
|
2012-11-19 06:42:43 +08:00
|
|
|
|
var calledMethod = callvirt.Operand as IMethod;
|
2012-07-27 18:17:40 +08:00
|
|
|
|
if (calledMethod == null)
|
|
|
|
|
|
continue;
|
|
|
|
|
|
if (calledMethod.FullName != "System.Void System.AppDomain::add_ResourceResolve(System.ResolveEventHandler)")
|
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
|
|
return handler;
|
|
|
|
|
|
}
|
|
|
|
|
|
return null;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2013-01-19 20:09:49 +08:00
|
|
|
|
int AddFields(IEnumerable<FieldDef> moreFields) {
|
2012-07-27 18:17:40 +08:00
|
|
|
|
int count = 0;
|
|
|
|
|
|
foreach (var field in moreFields) {
|
2013-01-19 20:09:49 +08:00
|
|
|
|
if (AddField(field))
|
2012-07-27 18:17:40 +08:00
|
|
|
|
count++;
|
|
|
|
|
|
}
|
|
|
|
|
|
return count;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2013-01-19 20:09:49 +08:00
|
|
|
|
bool AddField(FieldDef field) {
|
2012-07-27 18:17:40 +08:00
|
|
|
|
if (field == null)
|
|
|
|
|
|
return false;
|
|
|
|
|
|
if (fields.ContainsKey(field))
|
|
|
|
|
|
return false;
|
|
|
|
|
|
fields[field] = true;
|
|
|
|
|
|
return true;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2013-01-19 20:09:49 +08:00
|
|
|
|
static IEnumerable<FieldDef> FindFields(MethodDef method, TypeDef declaringType) {
|
2012-11-19 06:42:43 +08:00
|
|
|
|
var fields = new List<FieldDef>();
|
2012-07-27 18:17:40 +08:00
|
|
|
|
foreach (var instr in method.Body.Instructions) {
|
2012-11-19 06:42:43 +08:00
|
|
|
|
var field = instr.Operand as FieldDef;
|
2012-07-27 18:17:40 +08:00
|
|
|
|
if (field != null && field.DeclaringType == declaringType)
|
|
|
|
|
|
fields.Add(field);
|
|
|
|
|
|
}
|
|
|
|
|
|
return fields;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2013-01-19 20:09:49 +08:00
|
|
|
|
EmbeddedResource FindResource(MethodDef method) {
|
|
|
|
|
|
return DotNetUtils.GetResource(module, DotNetUtils.GetCodeStrings(method)) as EmbeddedResource;
|
2012-07-27 18:17:40 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2013-01-19 20:09:49 +08:00
|
|
|
|
static bool FindKey0_v18_r75367(MethodDef method, out byte key0) {
|
2012-08-08 18:14:54 +08:00
|
|
|
|
var instrs = method.Body.Instructions;
|
|
|
|
|
|
for (int i = 0; i < instrs.Count; i++) {
|
2013-01-19 20:09:49 +08:00
|
|
|
|
i = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Int32 System.IO.Stream::Read(System.Byte[],System.Int32,System.Int32)");
|
2012-08-08 18:14:54 +08:00
|
|
|
|
if (i < 0)
|
|
|
|
|
|
break;
|
|
|
|
|
|
if (i + 3 >= instrs.Count)
|
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
|
|
if (instrs[i + 1].OpCode.Code != Code.Pop)
|
|
|
|
|
|
continue;
|
|
|
|
|
|
var ldci4 = instrs[i + 2];
|
2012-11-19 06:42:43 +08:00
|
|
|
|
if (!ldci4.IsLdcI4())
|
2012-08-08 18:14:54 +08:00
|
|
|
|
continue;
|
2012-11-19 06:42:43 +08:00
|
|
|
|
if (!instrs[i + 3].IsStloc())
|
2012-08-08 18:14:54 +08:00
|
|
|
|
continue;
|
|
|
|
|
|
|
2012-11-19 06:42:43 +08:00
|
|
|
|
key0 = (byte)ldci4.GetLdcI4Value();
|
2012-08-08 18:14:54 +08:00
|
|
|
|
return true;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
key0 = 0;
|
|
|
|
|
|
return false;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2013-01-19 20:09:49 +08:00
|
|
|
|
static bool FindKey0_v18_r75369(MethodDef method, out byte key0) {
|
2012-07-27 18:17:40 +08:00
|
|
|
|
var instrs = method.Body.Instructions;
|
|
|
|
|
|
for (int index = 0; index < instrs.Count; index++) {
|
2013-01-19 20:09:49 +08:00
|
|
|
|
index = ConfuserUtils.FindCallMethod(instrs, index, Code.Callvirt, "System.Int32 System.IO.Stream::Read(System.Byte[],System.Int32,System.Int32)");
|
2012-07-27 18:17:40 +08:00
|
|
|
|
if (index < 0)
|
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
|
|
if (index + 4 >= instrs.Count)
|
|
|
|
|
|
break;
|
|
|
|
|
|
index++;
|
|
|
|
|
|
|
|
|
|
|
|
if (instrs[index++].OpCode.Code != Code.Pop)
|
|
|
|
|
|
continue;
|
|
|
|
|
|
var ldci4 = instrs[index++];
|
2012-11-19 06:42:43 +08:00
|
|
|
|
if (!ldci4.IsLdcI4())
|
2012-07-27 18:17:40 +08:00
|
|
|
|
continue;
|
|
|
|
|
|
if (instrs[index++].OpCode.Code != Code.Conv_U1)
|
|
|
|
|
|
continue;
|
2012-11-19 06:42:43 +08:00
|
|
|
|
if (!instrs[index++].IsStloc())
|
2012-07-27 18:17:40 +08:00
|
|
|
|
continue;
|
|
|
|
|
|
|
2012-11-19 06:42:43 +08:00
|
|
|
|
key0 = (byte)ldci4.GetLdcI4Value();
|
2012-07-27 18:17:40 +08:00
|
|
|
|
return true;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
key0 = 0;
|
|
|
|
|
|
return false;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2013-01-19 20:09:49 +08:00
|
|
|
|
static bool FindKey1_v18_r75369(MethodDef method, out byte key1) {
|
2012-07-27 18:17:40 +08:00
|
|
|
|
var instrs = method.Body.Instructions;
|
|
|
|
|
|
for (int i = 0; i < instrs.Count - 4; i++) {
|
|
|
|
|
|
int index = i;
|
2012-11-19 06:42:43 +08:00
|
|
|
|
if (!instrs[index++].IsLdloc())
|
2012-07-27 18:17:40 +08:00
|
|
|
|
continue;
|
|
|
|
|
|
var ldci4_1 = instrs[index++];
|
2012-11-19 06:42:43 +08:00
|
|
|
|
if (!ldci4_1.IsLdcI4())
|
2012-07-27 18:17:40 +08:00
|
|
|
|
continue;
|
|
|
|
|
|
if (instrs[index++].OpCode.Code != Code.Mul)
|
|
|
|
|
|
continue;
|
|
|
|
|
|
var ldci4_2 = instrs[index++];
|
2012-11-19 06:42:43 +08:00
|
|
|
|
if (!ldci4_2.IsLdcI4() || ldci4_2.GetLdcI4Value() != 0x100)
|
2012-07-27 18:17:40 +08:00
|
|
|
|
continue;
|
|
|
|
|
|
if (instrs[index++].OpCode.Code != Code.Rem)
|
|
|
|
|
|
continue;
|
|
|
|
|
|
|
2012-11-19 06:42:43 +08:00
|
|
|
|
key1 = (byte)ldci4_1.GetLdcI4Value();
|
2012-07-27 18:17:40 +08:00
|
|
|
|
return true;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
key1 = 0;
|
|
|
|
|
|
return false;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2013-01-19 20:09:49 +08:00
|
|
|
|
static bool FindKey0Key1_v14_r55802(MethodDef method, out byte key0, out byte key1) {
|
2012-07-31 16:00:46 +08:00
|
|
|
|
var instrs = method.Body.Instructions;
|
|
|
|
|
|
for (int i = 0; i < instrs.Count - 5; i++) {
|
2012-11-19 06:42:43 +08:00
|
|
|
|
if (!instrs[i].IsLdcI4())
|
2012-07-31 16:00:46 +08:00
|
|
|
|
continue;
|
|
|
|
|
|
if (instrs[i + 1].OpCode.Code != Code.Add)
|
|
|
|
|
|
continue;
|
|
|
|
|
|
if (instrs[i + 2].OpCode.Code != Code.Ldelem_U1)
|
|
|
|
|
|
continue;
|
|
|
|
|
|
var ldci4_1 = instrs[i + 3];
|
2012-11-19 06:42:43 +08:00
|
|
|
|
if (!ldci4_1.IsLdcI4())
|
2012-07-31 16:00:46 +08:00
|
|
|
|
continue;
|
|
|
|
|
|
if (instrs[i + 4].OpCode.Code != Code.Xor)
|
|
|
|
|
|
continue;
|
|
|
|
|
|
var ldci4_2 = instrs[i + 5];
|
2012-11-19 06:42:43 +08:00
|
|
|
|
if (!ldci4_2.IsLdcI4())
|
2012-07-31 16:00:46 +08:00
|
|
|
|
continue;
|
|
|
|
|
|
|
2012-11-19 06:42:43 +08:00
|
|
|
|
key0 = (byte)ldci4_1.GetLdcI4Value();
|
|
|
|
|
|
key1 = (byte)ldci4_2.GetLdcI4Value();
|
2012-07-31 16:00:46 +08:00
|
|
|
|
return true;
|
|
|
|
|
|
}
|
|
|
|
|
|
key0 = 0;
|
|
|
|
|
|
key1 = 0;
|
|
|
|
|
|
return false;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2013-01-19 20:09:49 +08:00
|
|
|
|
static bool FindKey0_v17_r73404(MethodDef method, out byte key) {
|
2012-08-03 00:26:01 +08:00
|
|
|
|
var instrs = method.Body.Instructions;
|
|
|
|
|
|
for (int i = 0; i < instrs.Count - 3; i++) {
|
2013-01-19 20:09:49 +08:00
|
|
|
|
int index = ConfuserUtils.FindCallMethod(instrs, i, Code.Callvirt, "System.Byte[] System.IO.BinaryReader::ReadBytes(System.Int32)");
|
2012-08-03 00:26:01 +08:00
|
|
|
|
if (index < 0)
|
|
|
|
|
|
break;
|
|
|
|
|
|
if (index + 3 >= instrs.Count)
|
|
|
|
|
|
break;
|
|
|
|
|
|
|
2012-11-19 06:42:43 +08:00
|
|
|
|
if (!instrs[index + 1].IsStloc())
|
2012-08-03 00:26:01 +08:00
|
|
|
|
continue;
|
|
|
|
|
|
var ldci4 = instrs[index + 2];
|
2012-11-19 06:42:43 +08:00
|
|
|
|
if (!ldci4.IsLdcI4())
|
2012-08-03 00:26:01 +08:00
|
|
|
|
continue;
|
2012-11-19 06:42:43 +08:00
|
|
|
|
if (!instrs[index + 3].IsStloc())
|
2012-08-03 00:26:01 +08:00
|
|
|
|
continue;
|
|
|
|
|
|
|
2012-11-19 06:42:43 +08:00
|
|
|
|
key = (byte)ldci4.GetLdcI4Value();
|
2012-08-03 00:26:01 +08:00
|
|
|
|
return true;
|
|
|
|
|
|
}
|
|
|
|
|
|
key = 0;
|
|
|
|
|
|
return false;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2013-01-19 20:09:49 +08:00
|
|
|
|
static bool FindKey1_v17_r73404(MethodDef method, out byte key) {
|
2012-08-03 00:26:01 +08:00
|
|
|
|
var instrs = method.Body.Instructions;
|
|
|
|
|
|
for (int i = 0; i < instrs.Count - 3; i++) {
|
|
|
|
|
|
var ldci4_1 = instrs[i];
|
2012-11-19 06:42:43 +08:00
|
|
|
|
if (!ldci4_1.IsLdcI4())
|
2012-08-03 00:26:01 +08:00
|
|
|
|
continue;
|
|
|
|
|
|
if (instrs[i + 1].OpCode.Code != Code.Mul)
|
|
|
|
|
|
continue;
|
|
|
|
|
|
var ldci4_2 = instrs[i + 2];
|
2012-11-19 06:42:43 +08:00
|
|
|
|
if (!ldci4_2.IsLdcI4() || ldci4_2.GetLdcI4Value() != 0x100)
|
2012-08-03 00:26:01 +08:00
|
|
|
|
continue;
|
|
|
|
|
|
if (instrs[i + 3].OpCode.Code != Code.Rem)
|
|
|
|
|
|
continue;
|
|
|
|
|
|
|
2012-11-19 06:42:43 +08:00
|
|
|
|
key = (byte)ldci4_1.GetLdcI4Value();
|
2012-08-03 00:26:01 +08:00
|
|
|
|
return true;
|
|
|
|
|
|
}
|
|
|
|
|
|
key = 0;
|
|
|
|
|
|
return false;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2013-01-19 20:09:49 +08:00
|
|
|
|
public EmbeddedResource MergeResources() {
|
2012-07-27 18:17:40 +08:00
|
|
|
|
if (resource == null)
|
|
|
|
|
|
return null;
|
2013-01-19 20:09:49 +08:00
|
|
|
|
DeobUtils.DecryptAndAddResources(module, resource.Name.String, () => DecryptResource());
|
2012-07-31 16:08:46 +08:00
|
|
|
|
var tmpResource = resource;
|
|
|
|
|
|
resource = null;
|
|
|
|
|
|
return tmpResource;
|
2012-07-27 18:17:40 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2013-01-21 01:41:58 +08:00
|
|
|
|
byte[] Decompress(byte[] compressed) {
|
|
|
|
|
|
if (lzmaType != null)
|
|
|
|
|
|
return ConfuserUtils.SevenZipDecompress(compressed);
|
|
|
|
|
|
return DeobUtils.Inflate(compressed, true);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
byte[] DecryptXor(byte[] data) {
|
|
|
|
|
|
byte k = key0;
|
|
|
|
|
|
for (int i = 0; i < data.Length; i++) {
|
|
|
|
|
|
data[i] ^= k;
|
|
|
|
|
|
k *= key1;
|
|
|
|
|
|
}
|
|
|
|
|
|
return data;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2013-01-19 20:09:49 +08:00
|
|
|
|
byte[] DecryptResource() {
|
2012-07-31 16:00:46 +08:00
|
|
|
|
switch (version) {
|
2013-01-19 20:09:49 +08:00
|
|
|
|
case ConfuserVersion.v14_r55802: return Decrypt_v14_r55802();
|
|
|
|
|
|
case ConfuserVersion.v17_r73404: return Decrypt_v17_r73404();
|
|
|
|
|
|
case ConfuserVersion.v17_r73822: return Decrypt_v17_r73404();
|
|
|
|
|
|
case ConfuserVersion.v18_r75367: return Decrypt_v18_r75367();
|
|
|
|
|
|
case ConfuserVersion.v18_r75369: return Decrypt_v18_r75367();
|
2013-01-21 01:41:58 +08:00
|
|
|
|
case ConfuserVersion.v19_r77172: return Decrypt_v18_r75367();
|
2012-07-31 16:00:46 +08:00
|
|
|
|
default: throw new ApplicationException("Unknown version");
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2013-01-19 20:09:49 +08:00
|
|
|
|
byte[] Decrypt_v14_r55802() {
|
2013-01-21 01:41:58 +08:00
|
|
|
|
var reader = new BinaryReader(new MemoryStream(Decompress(resource.GetResourceData())));
|
2012-07-31 16:00:46 +08:00
|
|
|
|
var encypted = reader.ReadBytes(reader.ReadInt32());
|
|
|
|
|
|
if ((encypted.Length & 1) != 0)
|
|
|
|
|
|
throw new ApplicationException("Invalid resource data length");
|
|
|
|
|
|
var decrypted = new byte[encypted.Length / 2];
|
|
|
|
|
|
for (int i = 0; i < decrypted.Length; i++)
|
|
|
|
|
|
decrypted[i] = (byte)((encypted[i * 2 + 1] ^ key0) * key1 + (encypted[i * 2] ^ key0));
|
2013-01-21 01:41:58 +08:00
|
|
|
|
reader = new BinaryReader(new MemoryStream(Decompress(decrypted)));
|
2012-07-31 16:00:46 +08:00
|
|
|
|
return reader.ReadBytes(reader.ReadInt32());
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2013-01-19 20:09:49 +08:00
|
|
|
|
byte[] Decrypt_v17_r73404() {
|
2013-01-21 01:41:58 +08:00
|
|
|
|
var reader = new BinaryReader(new MemoryStream(Decompress(resource.GetResourceData())));
|
|
|
|
|
|
return DecryptXor(reader.ReadBytes(reader.ReadInt32()));
|
2012-08-03 00:26:01 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2013-01-19 20:09:49 +08:00
|
|
|
|
byte[] Decrypt_v18_r75367() {
|
2013-01-21 01:41:58 +08:00
|
|
|
|
var encrypted = DecryptXor(resource.GetResourceData());
|
|
|
|
|
|
var reader = new BinaryReader(new MemoryStream(Decompress(encrypted)));
|
2013-01-20 22:59:30 +08:00
|
|
|
|
return reader.ReadBytes(reader.ReadInt32());
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2013-01-19 20:09:49 +08:00
|
|
|
|
public void Deobfuscate(Blocks blocks) {
|
2012-07-27 18:17:40 +08:00
|
|
|
|
if (blocks.Method != installMethod)
|
|
|
|
|
|
return;
|
2013-01-19 20:09:49 +08:00
|
|
|
|
ConfuserUtils.RemoveResourceHookCode(blocks, handler);
|
2012-07-27 18:17:40 +08:00
|
|
|
|
}
|
2012-08-09 17:47:18 +08:00
|
|
|
|
|
2013-01-19 20:09:49 +08:00
|
|
|
|
public bool GetRevisionRange(out int minRev, out int maxRev) {
|
2012-08-09 17:47:18 +08:00
|
|
|
|
switch (version) {
|
|
|
|
|
|
case ConfuserVersion.Unknown:
|
|
|
|
|
|
minRev = maxRev = 0;
|
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
|
|
case ConfuserVersion.v14_r55802:
|
|
|
|
|
|
minRev = 55802;
|
|
|
|
|
|
maxRev = 72989;
|
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
|
|
case ConfuserVersion.v17_r73404:
|
|
|
|
|
|
minRev = 73404;
|
|
|
|
|
|
maxRev = 73791;
|
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
|
|
case ConfuserVersion.v17_r73822:
|
|
|
|
|
|
minRev = 73822;
|
|
|
|
|
|
maxRev = 75349;
|
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
|
|
case ConfuserVersion.v18_r75367:
|
|
|
|
|
|
minRev = 75367;
|
|
|
|
|
|
maxRev = 75367;
|
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
|
|
case ConfuserVersion.v18_r75369:
|
|
|
|
|
|
minRev = 75369;
|
2013-01-20 22:59:30 +08:00
|
|
|
|
maxRev = 77124;
|
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
|
|
case ConfuserVersion.v19_r77172:
|
|
|
|
|
|
minRev = 77172;
|
2012-08-09 17:47:18 +08:00
|
|
|
|
maxRev = int.MaxValue;
|
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
|
|
default: throw new ApplicationException("Invalid version");
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
2012-07-27 18:17:40 +08:00
|
|
|
|
}
|
|
|
|
|
|
}
|
