2012-07-27 02:12:12 +08:00
|
|
|
|
/*
|
|
|
|
|
|
Copyright (C) 2011-2012 de4dot@gmail.com
|
|
|
|
|
|
|
|
|
|
|
|
This file is part of de4dot.
|
|
|
|
|
|
|
|
|
|
|
|
de4dot is free software: you can redistribute it and/or modify
|
|
|
|
|
|
it under the terms of the GNU General Public License as published by
|
|
|
|
|
|
the Free Software Foundation, either version 3 of the License, or
|
|
|
|
|
|
(at your option) any later version.
|
|
|
|
|
|
|
|
|
|
|
|
de4dot is distributed in the hope that it will be useful,
|
|
|
|
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
|
GNU General Public License for more details.
|
|
|
|
|
|
|
|
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
|
|
|
|
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
|
|
using System;
|
|
|
|
|
|
using System.Collections.Generic;
|
|
|
|
|
|
using Mono.Cecil;
|
|
|
|
|
|
using Mono.MyStuff;
|
|
|
|
|
|
using de4dot.blocks;
|
|
|
|
|
|
using de4dot.blocks.cflow;
|
|
|
|
|
|
using de4dot.PE;
|
|
|
|
|
|
|
|
|
|
|
|
namespace de4dot.code.deobfuscators.Confuser {
|
|
|
|
|
|
public class DeobfuscatorInfo : DeobfuscatorInfoBase {
|
|
|
|
|
|
public const string THE_NAME = "Confuser";
|
|
|
|
|
|
public const string THE_TYPE = "cn";
|
2012-07-27 14:38:18 +08:00
|
|
|
|
BoolOption removeAntiDebug;
|
2012-07-27 14:47:37 +08:00
|
|
|
|
BoolOption removeAntiDump;
|
2012-07-27 02:12:12 +08:00
|
|
|
|
|
|
|
|
|
|
public DeobfuscatorInfo()
|
|
|
|
|
|
: base() {
|
2012-07-27 14:38:18 +08:00
|
|
|
|
removeAntiDebug = new BoolOption(null, makeArgName("antidb"), "Remove anti debug code", true);
|
2012-07-27 14:47:37 +08:00
|
|
|
|
removeAntiDump = new BoolOption(null, makeArgName("antidump"), "Remove anti dump code", true);
|
2012-07-27 02:12:12 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public override string Name {
|
|
|
|
|
|
get { return THE_NAME; }
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public override string Type {
|
|
|
|
|
|
get { return THE_TYPE; }
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public override IDeobfuscator createDeobfuscator() {
|
|
|
|
|
|
return new Deobfuscator(new Deobfuscator.Options {
|
|
|
|
|
|
ValidNameRegex = validNameRegex.get(),
|
2012-07-27 14:38:18 +08:00
|
|
|
|
RemoveAntiDebug = removeAntiDebug.get(),
|
2012-07-27 14:47:37 +08:00
|
|
|
|
RemoveAntiDump = removeAntiDump.get(),
|
2012-07-27 02:12:12 +08:00
|
|
|
|
});
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
protected override IEnumerable<Option> getOptionsInternal() {
|
|
|
|
|
|
return new List<Option>() {
|
2012-07-27 14:38:18 +08:00
|
|
|
|
removeAntiDebug,
|
2012-07-27 14:47:37 +08:00
|
|
|
|
removeAntiDump,
|
2012-07-27 02:12:12 +08:00
|
|
|
|
};
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
class Deobfuscator : DeobfuscatorBase {
|
|
|
|
|
|
Options options;
|
|
|
|
|
|
string obfuscatorName = DeobfuscatorInfo.THE_NAME;
|
|
|
|
|
|
|
|
|
|
|
|
JitMethodsDecrypter jitMethodsDecrypter;
|
2012-07-27 14:11:23 +08:00
|
|
|
|
ProxyCallFixer proxyCallFixer;
|
2012-07-27 14:38:18 +08:00
|
|
|
|
AntiDebugger antiDebugger;
|
2012-07-27 14:47:37 +08:00
|
|
|
|
AntiDumping antiDumping;
|
2012-07-27 18:17:40 +08:00
|
|
|
|
ResourceDecrypter resourceDecrypter;
|
2012-07-28 10:45:27 +08:00
|
|
|
|
ConstantsDecrypter constantsDecrypter;
|
|
|
|
|
|
Int32ValueInliner int32ValueInliner;
|
|
|
|
|
|
Int64ValueInliner int64ValueInliner;
|
|
|
|
|
|
SingleValueInliner singleValueInliner;
|
|
|
|
|
|
DoubleValueInliner doubleValueInliner;
|
2012-07-27 02:12:12 +08:00
|
|
|
|
|
|
|
|
|
|
internal class Options : OptionsBase {
|
2012-07-27 14:38:18 +08:00
|
|
|
|
public bool RemoveAntiDebug { get; set; }
|
2012-07-27 14:47:37 +08:00
|
|
|
|
public bool RemoveAntiDump { get; set; }
|
2012-07-27 02:12:12 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public override string Type {
|
|
|
|
|
|
get { return DeobfuscatorInfo.THE_TYPE; }
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public override string TypeLong {
|
|
|
|
|
|
get { return DeobfuscatorInfo.THE_NAME; }
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public override string Name {
|
|
|
|
|
|
get { return obfuscatorName; }
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public override IEnumerable<IBlocksDeobfuscator> BlocksDeobfuscators {
|
|
|
|
|
|
get {
|
|
|
|
|
|
var list = new List<IBlocksDeobfuscator>();
|
|
|
|
|
|
list.Add(new ConstantsFolder { ExecuteOnNoChange = true });
|
|
|
|
|
|
return list;
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public Deobfuscator(Options options)
|
|
|
|
|
|
: base(options) {
|
|
|
|
|
|
this.options = options;
|
2012-07-28 10:45:27 +08:00
|
|
|
|
StringFeatures = StringFeatures.AllowStaticDecryption | StringFeatures.AllowDynamicDecryption;
|
2012-07-27 02:12:12 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
protected override int detectInternal() {
|
|
|
|
|
|
int val = 0;
|
|
|
|
|
|
|
2012-07-27 14:11:23 +08:00
|
|
|
|
int sum = toInt32(jitMethodsDecrypter.Detected) +
|
2012-07-27 14:38:18 +08:00
|
|
|
|
toInt32(proxyCallFixer != null ? proxyCallFixer.Detected : false) +
|
2012-07-27 14:47:37 +08:00
|
|
|
|
toInt32(antiDebugger != null ? antiDebugger.Detected : false) +
|
2012-07-27 18:17:40 +08:00
|
|
|
|
toInt32(antiDumping != null ? antiDumping.Detected : false) +
|
2012-07-28 10:45:27 +08:00
|
|
|
|
toInt32(resourceDecrypter != null ? resourceDecrypter.Detected : false) +
|
|
|
|
|
|
toInt32(constantsDecrypter != null ? constantsDecrypter.Detected : false);
|
2012-07-27 02:12:12 +08:00
|
|
|
|
if (sum > 0)
|
|
|
|
|
|
val += 100 + 10 * (sum - 1);
|
|
|
|
|
|
|
|
|
|
|
|
return val;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
protected override void scanForObfuscator() {
|
|
|
|
|
|
jitMethodsDecrypter = new JitMethodsDecrypter(module, DeobfuscatedFile);
|
|
|
|
|
|
jitMethodsDecrypter.find();
|
2012-07-27 14:11:23 +08:00
|
|
|
|
if (jitMethodsDecrypter.Detected)
|
|
|
|
|
|
return;
|
|
|
|
|
|
initTheRest();
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void initTheRest() {
|
|
|
|
|
|
proxyCallFixer = new ProxyCallFixer(module, getFileData(), DeobfuscatedFile);
|
|
|
|
|
|
proxyCallFixer.findDelegateCreator();
|
2012-07-27 14:38:18 +08:00
|
|
|
|
antiDebugger = new AntiDebugger(module);
|
|
|
|
|
|
antiDebugger.find();
|
2012-07-27 14:47:37 +08:00
|
|
|
|
antiDumping = new AntiDumping(module);
|
|
|
|
|
|
antiDumping.find();
|
2012-07-27 18:17:40 +08:00
|
|
|
|
resourceDecrypter = new ResourceDecrypter(module, DeobfuscatedFile);
|
|
|
|
|
|
resourceDecrypter.find();
|
2012-07-28 10:45:27 +08:00
|
|
|
|
constantsDecrypter = new ConstantsDecrypter(module, getFileData(), DeobfuscatedFile);
|
|
|
|
|
|
constantsDecrypter.find();
|
2012-07-27 14:11:23 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
byte[] getFileData() {
|
|
|
|
|
|
if (ModuleBytes != null)
|
|
|
|
|
|
return ModuleBytes;
|
|
|
|
|
|
return ModuleBytes = DeobUtils.readModule(module);
|
2012-07-27 02:12:12 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public override bool getDecryptedModule(int count, ref byte[] newFileData, ref DumpedMethods dumpedMethods) {
|
|
|
|
|
|
if (count != 0 || !jitMethodsDecrypter.Detected)
|
|
|
|
|
|
return false;
|
|
|
|
|
|
|
2012-07-27 14:11:23 +08:00
|
|
|
|
byte[] fileData = getFileData();
|
2012-07-27 02:12:12 +08:00
|
|
|
|
var peImage = new PeImage(fileData);
|
|
|
|
|
|
|
|
|
|
|
|
if (jitMethodsDecrypter.Detected) {
|
|
|
|
|
|
jitMethodsDecrypter.initialize();
|
|
|
|
|
|
if (!jitMethodsDecrypter.decrypt(peImage, fileData, ref dumpedMethods))
|
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
|
|
newFileData = fileData;
|
|
|
|
|
|
return true;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return false;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public override IDeobfuscator moduleReloaded(ModuleDefinition module) {
|
|
|
|
|
|
var newOne = new Deobfuscator(options);
|
2012-07-27 14:11:23 +08:00
|
|
|
|
newOne.DeobfuscatedFile = DeobfuscatedFile;
|
2012-07-27 14:38:18 +08:00
|
|
|
|
newOne.ModuleBytes = ModuleBytes;
|
2012-07-27 02:12:12 +08:00
|
|
|
|
newOne.setModule(module);
|
|
|
|
|
|
newOne.jitMethodsDecrypter = new JitMethodsDecrypter(module, jitMethodsDecrypter);
|
2012-07-27 14:11:23 +08:00
|
|
|
|
newOne.initTheRest();
|
2012-07-27 02:12:12 +08:00
|
|
|
|
return newOne;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public override void deobfuscateBegin() {
|
|
|
|
|
|
base.deobfuscateBegin();
|
2012-07-27 14:11:23 +08:00
|
|
|
|
|
2012-07-27 14:50:53 +08:00
|
|
|
|
removeObfuscatorAttribute();
|
|
|
|
|
|
|
2012-07-27 18:17:40 +08:00
|
|
|
|
decryptResources();
|
|
|
|
|
|
|
2012-07-27 14:23:55 +08:00
|
|
|
|
if (jitMethodsDecrypter != null) {
|
|
|
|
|
|
addModuleCctorInitCallToBeRemoved(jitMethodsDecrypter.InitMethod);
|
|
|
|
|
|
addTypeToBeRemoved(jitMethodsDecrypter.Type, "Method decrypter (JIT) type");
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-07-27 14:38:18 +08:00
|
|
|
|
if (options.RemoveAntiDebug) {
|
|
|
|
|
|
addModuleCctorInitCallToBeRemoved(antiDebugger.InitMethod);
|
|
|
|
|
|
addTypeToBeRemoved(antiDebugger.Type, "Anti debugger type");
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-07-27 14:47:37 +08:00
|
|
|
|
if (options.RemoveAntiDump) {
|
|
|
|
|
|
addModuleCctorInitCallToBeRemoved(antiDumping.InitMethod);
|
|
|
|
|
|
addTypeToBeRemoved(antiDumping.Type, "Anti dumping type");
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-07-28 10:45:27 +08:00
|
|
|
|
constantsDecrypter.initialize();
|
|
|
|
|
|
int32ValueInliner = new Int32ValueInliner();
|
|
|
|
|
|
int64ValueInliner = new Int64ValueInliner();
|
|
|
|
|
|
singleValueInliner = new SingleValueInliner();
|
|
|
|
|
|
doubleValueInliner = new DoubleValueInliner();
|
|
|
|
|
|
foreach (var info in constantsDecrypter.Decrypters) {
|
|
|
|
|
|
staticStringInliner.add(info.method, (method, gim, args) => constantsDecrypter.decryptString(method, gim, (uint)args[0], (ulong)args[1]));
|
|
|
|
|
|
int32ValueInliner.add(info.method, (method, gim, args) => constantsDecrypter.decryptInt32(method, gim, (uint)args[0], (ulong)args[1]));
|
|
|
|
|
|
int64ValueInliner.add(info.method, (method, gim, args) => constantsDecrypter.decryptInt64(method, gim, (uint)args[0], (ulong)args[1]));
|
|
|
|
|
|
singleValueInliner.add(info.method, (method, gim, args) => constantsDecrypter.decryptSingle(method, gim, (uint)args[0], (ulong)args[1]));
|
|
|
|
|
|
doubleValueInliner.add(info.method, (method, gim, args) => constantsDecrypter.decryptDouble(method, gim, (uint)args[0], (ulong)args[1]));
|
|
|
|
|
|
}
|
|
|
|
|
|
DeobfuscatedFile.stringDecryptersAdded();
|
|
|
|
|
|
addTypesToBeRemoved(constantsDecrypter.Types, "Constants decrypter type");
|
|
|
|
|
|
addFieldsToBeRemoved(constantsDecrypter.Fields, "Constants decrypter field");
|
|
|
|
|
|
addMethodToBeRemoved(constantsDecrypter.NativeMethod, "Constants decrypter native method");
|
|
|
|
|
|
addResourceToBeRemoved(constantsDecrypter.Resource, "Encrypted constants");
|
|
|
|
|
|
|
2012-07-27 14:11:23 +08:00
|
|
|
|
proxyCallFixer.find();
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-07-27 18:17:40 +08:00
|
|
|
|
void decryptResources() {
|
|
|
|
|
|
var rsrc = resourceDecrypter.mergeResources();
|
|
|
|
|
|
if (rsrc == null)
|
|
|
|
|
|
return;
|
|
|
|
|
|
addResourceToBeRemoved(rsrc, "Encrypted resources");
|
|
|
|
|
|
addMethodToBeRemoved(resourceDecrypter.Handler, "Resource decrypter handler");
|
|
|
|
|
|
addFieldsToBeRemoved(resourceDecrypter.Fields, "Resource decrypter field");
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-07-27 14:50:53 +08:00
|
|
|
|
void removeObfuscatorAttribute() {
|
|
|
|
|
|
foreach (var type in module.Types) {
|
|
|
|
|
|
if (type.FullName == "ConfusedByAttribute")
|
|
|
|
|
|
addAttributeToBeRemoved(type, "Obfuscator attribute");
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-07-27 14:11:23 +08:00
|
|
|
|
public override void deobfuscateMethodEnd(Blocks blocks) {
|
|
|
|
|
|
proxyCallFixer.deobfuscate(blocks);
|
2012-07-27 18:17:40 +08:00
|
|
|
|
resourceDecrypter.deobfuscate(blocks);
|
2012-07-28 10:45:27 +08:00
|
|
|
|
int32ValueInliner.decrypt(blocks);
|
|
|
|
|
|
int64ValueInliner.decrypt(blocks);
|
|
|
|
|
|
singleValueInliner.decrypt(blocks);
|
|
|
|
|
|
doubleValueInliner.decrypt(blocks);
|
2012-07-27 14:11:23 +08:00
|
|
|
|
base.deobfuscateMethodEnd(blocks);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public override void deobfuscateEnd() {
|
|
|
|
|
|
removeProxyDelegates(proxyCallFixer);
|
2012-07-28 10:45:27 +08:00
|
|
|
|
constantsDecrypter.cleanUp();
|
2012-07-27 14:11:23 +08:00
|
|
|
|
|
|
|
|
|
|
base.deobfuscateEnd();
|
2012-07-27 02:12:12 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public override IEnumerable<int> getStringDecrypterMethods() {
|
|
|
|
|
|
var list = new List<int>();
|
|
|
|
|
|
return list;
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
