/*
Copyright (C) 2011-2013 de4dot@gmail.com
This file is part of de4dot.
de4dot is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
de4dot is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
*/
using System;
using System.Collections.Generic;
using dnlib.IO;
using dnlib.DotNet;
using dnlib.DotNet.Emit;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.CodeVeil {
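class MethodsDecrypter {
	MainType mainType;
	IDecrypter decrypter;	// null until find() picks one for the detected version

	// Version-specific strategy for recovering a method body from the obfuscator's
	// methods blob. initialize() must be called with the blob before decrypt().
	interface IDecrypter {
		// methodsData: the raw blob returned by findMethodsData()
		void initialize(byte[] methodsData);
		// fileDataReader is positioned at the start of the stub method's IL and
		// dm.mhFlags is already filled in by the caller. Returns false if dm is not
		// an encrypted method and should be skipped.
		bool decrypt(IBinaryReader fileDataReader, DumpedMethod dm);
	}

	// V3 / V4.x: the blob is used as-is. Each stub body is a single 'ret' followed
	// by a compressed uint giving the method's offset inside the blob.
	class Decrypter : IDecrypter {
		IBinaryReader methodsDataReader;

		public virtual void initialize(byte[] methodsData) {
			methodsDataReader = MemoryImageStream.Create(methodsData);
		}

		public virtual bool decrypt(IBinaryReader fileDataReader, DumpedMethod dm) {
			if (fileDataReader.ReadByte() != 0x2A)
				return false; // Not a RET
			// The compressed uint right after the 'ret' is the offset of this
			// method's entry in the methods blob
			methodsDataReader.Position = fileDataReader.ReadCompressedUInt32();

			dm.mhCodeSize = methodsDataReader.ReadCompressedUInt32();
			dm.code = methodsDataReader.ReadBytes((int)dm.mhCodeSize);
			// Flag 8 == CorILMethod_MoreSects: extra sections (EH clauses) follow the code
			if ((dm.mhFlags & 8) != 0)
				dm.extraSections = MethodBodyParser.readExtraSections(methodsDataReader);

			// Subclasses get a chance to undo any per-method encryption of the IL bytes
			return decryptCode(dm);
		}

		// Hook for versions that also encrypt the IL bytes. In the base version the
		// IL is stored in the clear, so there is nothing to do.
		protected virtual bool decryptCode(DumpedMethod dm) {
			return true;
		}
	}

	// V5.0: the blob is deflate-compressed. The first 4 bytes of the inflated data
	// are the XOR key; everything after that is the blob the base class expects.
	class DecrypterV5 : Decrypter {
		byte[] decryptKey;

		public override void initialize(byte[] methodsData) {
			var data = DeobUtils.inflate(methodsData, true);
			// A truncated blob would otherwise blow up inside BitConverter with an
			// argument exception; fail with the same exception type find() uses
			if (data.Length < 4)
				throw new ApplicationException("Methods data is too short to hold the decryption key");
			decryptKey = BitConverter.GetBytes(BitConverter.ToUInt32(data, 0));

			var newMethodsData = new byte[data.Length - 4];
			Array.Copy(data, 4, newMethodsData, 0, newMethodsData.Length);
			base.initialize(newMethodsData);
		}

		protected override bool decryptCode(DumpedMethod dm) {
			var code = dm.code;
			// For every position i the 4 key bytes are XORed over code[i..i+3], so a
			// byte at index k >= 3 ends up XORed with all four key bytes. Presumably
			// this mirrors the obfuscator's runtime routine; keep the pattern exactly.
			for (int i = 0; i < code.Length; i++) {
				for (int j = 0; j < 4 && i + j < code.Length; j++)
					code[i + j] ^= decryptKey[j];
			}

			return true;
		}
	}

	// true once find() has picked a decrypter for the detected version
	public bool Detected {
		get { return decrypter != null; }
	}

	public MethodsDecrypter(MainType mainType) {
		this.mainType = mainType;
	}

	// oldOne is not used here: the decrypter is always (re)created by find()
	public MethodsDecrypter(MainType mainType, MethodsDecrypter oldOne) {
		this.mainType = mainType;
	}

	// Picks the decrypter matching mainType.Version. Does nothing when the main
	// type wasn't detected; throws on a version this class doesn't know about.
	public void find() {
		if (!mainType.Detected)
			return;

		switch (mainType.Version) {
		case ObfuscatorVersion.Unknown:
			break;

		case ObfuscatorVersion.V3:
		case ObfuscatorVersion.V4_0:
		case ObfuscatorVersion.V4_1:
			decrypter = new Decrypter();
			break;

		case ObfuscatorVersion.V5_0:
			decrypter = new DecrypterV5();
			break;

		default:
			throw new ApplicationException("Unknown version");
		}
	}

	// Locates the encrypted methods blob in fileData and rebuilds every method
	// body it covers. dumpedMethods is only assigned once the blob has been found.
	// Returns false if nothing was decrypted (no decrypter, no sections, no blob).
	public bool decrypt(byte[] fileData, ref DumpedMethods dumpedMethods) {
		if (decrypter == null)
			return false;

		using (var peImage = new MyPEImage(fileData)) {
			if (peImage.Sections.Count <= 0)
				return false;

			var methodsData = findMethodsData(peImage, fileData);
			if (methodsData == null)
				return false;

			decrypter.initialize(methodsData);
			dumpedMethods = createDumpedMethods(peImage, fileData, methodsData);
			if (dumpedMethods == null)
				return false;
		}

		return true;
	}

	// Walks the MethodDef table and, for every method whose body is an empty stub
	// (zero IL bytes), asks the decrypter for the real body. methodsData is not
	// read here; the decrypter was already initialized with it by decrypt().
	DumpedMethods createDumpedMethods(MyPEImage peImage, byte[] fileData, byte[] methodsData) {
		var dumpedMethods = new DumpedMethods();
		var fileDataReader = MemoryImageStream.Create(fileData);

		var methodDef = peImage.DotNetFile.MetaData.TablesStream.MethodTable;
		for (uint rid = 1; rid <= methodDef.Rows; rid++) {
			var dm = new DumpedMethod();
			peImage.readMethodTableRowTo(dm, rid);
			if (dm.mdRVA == 0)
				continue;	// no method body
			uint bodyOffset = peImage.rvaToOffset(dm.mdRVA);

			byte b = peImage.offsetReadByte(bodyOffset);
			uint codeOffset;
			if ((b & 3) == 2) {
				// Tiny header: the code size is in the upper 6 bits, so 0x02 is an empty body
				if (b != 2)
					continue; // not zero byte code size

				dm.mhFlags = 2;
				dm.mhMaxStack = 8;
				dm.mhLocalVarSigTok = 0;
				codeOffset = bodyOffset + 1;
			}
			else {
				// Fat header: flags/size, max stack, code size, local var sig token
				if (peImage.offsetReadUInt32(bodyOffset + 4) != 0)
					continue; // not zero byte code size

				dm.mhFlags = peImage.offsetReadUInt16(bodyOffset);
				dm.mhMaxStack = peImage.offsetReadUInt16(bodyOffset + 2);
				dm.mhLocalVarSigTok = peImage.offsetReadUInt32(bodyOffset + 8);
				// The header size in dwords lives in the top 4 bits of the flags word
				codeOffset = bodyOffset + (uint)(dm.mhFlags >> 12) * 4;
			}
			fileDataReader.Position = codeOffset;

			if (!decrypter.decrypt(fileDataReader, dm))
				continue;

			dumpedMethods.add(dm);
		}

		return dumpedMethods;
	}

	// xor eax, eax / inc eax / pop esi edi edx ecx ebx / leave / ret 0Ch or 10h
	// Tail of the native initialize method; the data we need follows its 'ret imm16'.
	static byte[] initializeMethodEnd = new byte[] {
		0x33, 0xC0, 0x40, 0x5E, 0x5F, 0x5A, 0x59, 0x5B, 0xC9, 0xC2,
	};
	// Scans the first section for the initialize method's epilog and returns the
	// methods blob it points to, or null if no candidate survives the checks.
	// Every read is bounds-checked against the file: the input is an untrusted
	// binary and the section header may claim more raw data than the file holds.
	byte[] findMethodsData(MyPEImage peImage, byte[] fileData) {
		var section = peImage.Sections[0];
		var reader = MemoryImageStream.Create(fileData);

		// Offsets (relative to the byte after 'ret imm16') of the two fields we
		// read from the native data that follows the initialize method
		const int RVA_EXECUTIVE_OFFSET = 1 * 4;
		const int ENC_CODE_OFFSET = 6 * 4;
		int lastOffset = Math.Min(fileData.Length, (int)(section.PointerToRawData + section.SizeOfRawData));
		for (int offset = getStartOffset(peImage); offset < lastOffset; ) {
			offset = findSig(fileData, offset, lastOffset, initializeMethodEnd);
			if (offset < 0)
				return null;
			offset += initializeMethodEnd.Length;

			// findSig() only guarantees the signature itself fits; the imm16 of the
			// 'ret' may not, and BitConverter throws rather than returning short
			if (offset + 2 > lastOffset)
				return null;
			short retImm16 = BitConverter.ToInt16(fileData, offset);
			if (retImm16 != 0x0C && retImm16 != 0x10)
				continue;
			offset += 2;
			if (offset + ENC_CODE_OFFSET + 4 > lastOffset)
				return null;

			// rva is 0 when the assembly has been embedded
			uint rva = BitConverter.ToUInt32(fileData, offset + RVA_EXECUTIVE_OFFSET);
			if (rva != 0 && mainType.Rvas.IndexOf(rva) < 0)
				continue;

			int relOffs = BitConverter.ToInt32(fileData, offset + ENC_CODE_OFFSET);
			if (relOffs <= 0 || relOffs >= section.SizeOfRawData)
				continue;
			// relOffs is inside the declared section, but the section may extend past EOF
			if (section.PointerToRawData + relOffs >= fileData.Length)
				continue;
			reader.Position = section.PointerToRawData + relOffs;

			int size = (int)reader.ReadCompressedUInt32();
			int endOffset = relOffs + size;
			// endOffset < relOffs catches a size that wrapped negative in the int cast
			if (endOffset < relOffs || endOffset > section.SizeOfRawData)
				continue;
			if (section.PointerToRawData + endOffset > fileData.Length)
				continue;

			return reader.ReadBytes(size);
		}

		return null;
	}

	// Lowest file offset among the main type's RVAs; findMethodsData() starts its
	// scan there. Returns 0 when there are no RVAs.
	int getStartOffset(MyPEImage peImage) {
		int minOffset = int.MaxValue;
		foreach (var rva in mainType.Rvas) {
			int rvaOffs = (int)peImage.rvaToOffset((uint)rva);
			if (rvaOffs < minOffset)
				minOffset = rvaOffs;
		}
		return minOffset == int.MaxValue ? 0 : minOffset;
	}

	// Returns the first index in [offset, lastOffset) where sig occurs in full, or -1.
	// A hit at i guarantees i + sig.Length <= lastOffset.
	static int findSig(byte[] fileData, int offset, int lastOffset, byte[] sig) {
		for (int i = offset; i < lastOffset - sig.Length + 1; i++) {
			if (fileData[i] != sig[0])
				continue;
			if (compare(fileData, i + 1, sig, 1, sig.Length - 1))
				return i;
		}
		return -1;
	}

	// true if a1[i1..i1+len) equals a2[i2..i2+len); the caller ensures both ranges fit
	static bool compare(byte[] a1, int i1, byte[] a2, int i2, int len) {
		for (int i = 0; i < len; i++) {
			if (a1[i1++] != a2[i2++])
				return false;
		}
		return true;
	}
}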
}