2012-02-02 13:56:14 +08:00
|
|
|
|
/*
|
2015-10-30 05:45:26 +08:00
|
|
|
|
Copyright (C) 2011-2015 de4dot@gmail.com
|
2012-02-02 13:56:14 +08:00
|
|
|
|
|
|
|
|
|
This file is part of de4dot.
|
|
|
|
|
|
|
|
|
|
de4dot is free software: you can redistribute it and/or modify
|
|
|
|
|
it under the terms of the GNU General Public License as published by
|
|
|
|
|
the Free Software Foundation, either version 3 of the License, or
|
|
|
|
|
(at your option) any later version.
|
|
|
|
|
|
|
|
|
|
de4dot is distributed in the hope that it will be useful,
|
|
|
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
GNU General Public License for more details.
|
|
|
|
|
|
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
|
|
|
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
using System;
|
|
|
|
|
using System.Collections.Generic;
|
|
|
|
|
using System.Text;
|
2012-12-20 09:06:09 +08:00
|
|
|
|
using dnlib.DotNet;
|
|
|
|
|
using dnlib.DotNet.Emit;
|
2012-02-02 13:56:14 +08:00
|
|
|
|
using de4dot.blocks;
|
|
|
|
|
|
|
|
|
|
namespace de4dot.code.deobfuscators.Spices_Net {
|
|
|
|
|
class StringDecrypter {
|
2012-11-15 02:29:29 +08:00
|
|
|
|
ModuleDefMD module;
|
2012-11-02 22:57:11 +08:00
|
|
|
|
TypeDef decrypterType;
|
|
|
|
|
FieldDef encryptedDataField;
|
2012-02-02 13:56:14 +08:00
|
|
|
|
StringDataFlags stringDataFlags;
|
2012-11-22 16:14:51 +08:00
|
|
|
|
MethodDefAndDeclaringTypeDict<DecrypterInfo> methodToInfo = new MethodDefAndDeclaringTypeDict<DecrypterInfo>();
|
2012-02-02 13:56:14 +08:00
|
|
|
|
byte[] decryptedData;
|
|
|
|
|
byte[] key;
|
|
|
|
|
byte[] iv;
|
|
|
|
|
|
|
|
|
|
[Flags]
|
|
|
|
|
enum StringDataFlags {
|
|
|
|
|
Compressed = 0x1,
|
|
|
|
|
Encrypted1 = 0x2,
|
|
|
|
|
Encrypted2 = 0x4,
|
|
|
|
|
Encrypted3DES = 0x8,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public class DecrypterInfo {
|
2012-11-02 22:57:11 +08:00
|
|
|
|
public MethodDef method;
|
2012-02-02 13:56:14 +08:00
|
|
|
|
public int offset;
|
|
|
|
|
public int length;
|
|
|
|
|
|
2012-11-02 22:57:11 +08:00
|
|
|
|
public DecrypterInfo(MethodDef method, int offset, int length) {
|
2012-02-02 13:56:14 +08:00
|
|
|
|
this.method = method;
|
|
|
|
|
this.offset = offset;
|
|
|
|
|
this.length = length;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2012-11-02 22:57:11 +08:00
|
|
|
|
public TypeDef EncryptedStringsType {
|
2012-02-03 17:13:41 +08:00
|
|
|
|
get {
|
|
|
|
|
if (encryptedDataField == null)
|
|
|
|
|
return null;
|
2012-11-15 02:29:29 +08:00
|
|
|
|
var type = encryptedDataField.FieldSig.GetFieldType().TryGetTypeDef();
|
2012-02-03 17:13:41 +08:00
|
|
|
|
if (type == null || type.Fields.Count != 1 || type.Fields[0] != encryptedDataField)
|
|
|
|
|
return null;
|
|
|
|
|
if (type.HasMethods || type.HasEvents || type.HasProperties || type.HasNestedTypes)
|
|
|
|
|
return null;
|
2012-11-17 06:50:52 +08:00
|
|
|
|
if (type.Interfaces.Count > 0)
|
2012-02-03 17:13:41 +08:00
|
|
|
|
return null;
|
|
|
|
|
|
|
|
|
|
return type;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2012-11-02 22:57:11 +08:00
|
|
|
|
public TypeDef Type {
|
2012-02-02 13:56:14 +08:00
|
|
|
|
get { return decrypterType; }
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public bool Detected {
|
|
|
|
|
get { return decrypterType != null; }
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public IEnumerable<DecrypterInfo> DecrypterInfos {
|
2013-01-19 20:03:57 +08:00
|
|
|
|
get { return methodToInfo.GetValues(); }
|
2012-02-02 13:56:14 +08:00
|
|
|
|
}
|
|
|
|
|
|
2012-11-15 02:29:29 +08:00
|
|
|
|
public StringDecrypter(ModuleDefMD module) {
|
2012-02-02 13:56:14 +08:00
|
|
|
|
this.module = module;
|
|
|
|
|
}
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
public void Find() {
|
2012-02-02 13:56:14 +08:00
|
|
|
|
foreach (var type in module.Types) {
|
|
|
|
|
if (type.HasNestedTypes || type.HasInterfaces)
|
|
|
|
|
continue;
|
|
|
|
|
if (type.HasEvents || type.HasProperties)
|
|
|
|
|
continue;
|
2012-12-03 06:24:00 +08:00
|
|
|
|
if (type.Fields.Count < 2 || type.Fields.Count > 3)
|
2012-02-02 13:56:14 +08:00
|
|
|
|
continue;
|
2012-11-17 06:50:52 +08:00
|
|
|
|
if ((type.Attributes & ~TypeAttributes.Sealed) != 0)
|
2012-02-02 13:56:14 +08:00
|
|
|
|
continue;
|
|
|
|
|
if (type.BaseType == null || type.BaseType.FullName != "System.Object")
|
|
|
|
|
continue;
|
2013-01-19 20:03:57 +08:00
|
|
|
|
if (HasInstanceMethods(type))
|
2012-02-02 13:56:14 +08:00
|
|
|
|
continue;
|
2012-11-17 06:50:52 +08:00
|
|
|
|
var cctor = type.FindStaticConstructor();
|
2012-02-02 13:56:14 +08:00
|
|
|
|
if (cctor == null)
|
|
|
|
|
continue;
|
|
|
|
|
|
2012-11-02 22:57:11 +08:00
|
|
|
|
FieldDef encryptedDataFieldTmp;
|
2012-02-02 13:56:14 +08:00
|
|
|
|
StringDataFlags stringDataFlagsTmp;
|
2013-01-19 20:03:57 +08:00
|
|
|
|
if (!CheckCctor(cctor, out encryptedDataFieldTmp, out stringDataFlagsTmp))
|
2012-02-02 13:56:14 +08:00
|
|
|
|
continue;
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
if (!InitializeDecrypterInfos(type))
|
2012-02-02 13:56:14 +08:00
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
encryptedDataField = encryptedDataFieldTmp;
|
|
|
|
|
stringDataFlags = stringDataFlagsTmp;
|
|
|
|
|
decrypterType = type;
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
static bool HasInstanceMethods(TypeDef type) {
|
2012-02-02 13:56:14 +08:00
|
|
|
|
foreach (var method in type.Methods) {
|
|
|
|
|
if (!method.IsStatic)
|
|
|
|
|
return true;
|
2012-11-15 02:29:29 +08:00
|
|
|
|
if (method.ImplMap != null)
|
2012-02-02 13:56:14 +08:00
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
bool CheckCctor(MethodDef cctor, out FieldDef compressedDataField, out StringDataFlags flags) {
|
2012-02-02 13:56:14 +08:00
|
|
|
|
flags = 0;
|
|
|
|
|
var instructions = cctor.Body.Instructions;
|
|
|
|
|
for (int i = 0; i < instructions.Count; i++) {
|
|
|
|
|
var ldci4 = instructions[i];
|
2012-11-15 02:29:29 +08:00
|
|
|
|
if (!ldci4.IsLdcI4())
|
2012-02-02 13:56:14 +08:00
|
|
|
|
continue;
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
var instrs = DotNetUtils.GetInstructions(instructions, i + 1, OpCodes.Newarr, OpCodes.Dup, OpCodes.Ldtoken, OpCodes.Call);
|
2012-02-02 13:56:14 +08:00
|
|
|
|
if (instrs == null)
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
var newarr = instrs[0];
|
|
|
|
|
if (newarr.Operand.ToString() != "System.Byte")
|
|
|
|
|
continue;
|
|
|
|
|
|
2012-11-02 22:57:11 +08:00
|
|
|
|
var field = instrs[2].Operand as FieldDef;
|
2012-02-02 13:56:14 +08:00
|
|
|
|
if (field == null || field.InitialValue == null || field.InitialValue.Length == 0)
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
int index = i + 1 + instrs.Count;
|
|
|
|
|
if (index < instructions.Count && instructions[index].OpCode.Code == Code.Call)
|
2013-01-19 20:03:57 +08:00
|
|
|
|
flags = GetStringDataFlags(instructions[index].Operand as MethodDef);
|
2012-02-02 13:56:14 +08:00
|
|
|
|
|
|
|
|
|
compressedDataField = field;
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
compressedDataField = null;
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
StringDataFlags GetStringDataFlags(MethodDef method) {
|
2012-02-02 13:56:14 +08:00
|
|
|
|
if (method == null || method.Body == null)
|
|
|
|
|
return 0;
|
2012-11-15 02:29:29 +08:00
|
|
|
|
var sig = method.MethodSig;
|
|
|
|
|
if (sig == null || sig.Params.Count != 1)
|
2012-02-02 13:56:14 +08:00
|
|
|
|
return 0;
|
2013-01-19 20:03:57 +08:00
|
|
|
|
if (!CheckClass(sig.Params[0], "System.Byte[]"))
|
2012-02-02 13:56:14 +08:00
|
|
|
|
return 0;
|
2013-01-19 20:03:57 +08:00
|
|
|
|
if (!CheckClass(sig.RetType, "System.Byte[]"))
|
2012-02-02 13:56:14 +08:00
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
StringDataFlags flags = 0;
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
if (HasInstruction(method, Code.Not))
|
2012-02-02 13:56:14 +08:00
|
|
|
|
flags |= StringDataFlags.Encrypted2;
|
2013-01-19 20:03:57 +08:00
|
|
|
|
else if (HasInstruction(method, Code.Xor))
|
2012-02-02 13:56:14 +08:00
|
|
|
|
flags |= StringDataFlags.Encrypted1;
|
2013-01-19 20:03:57 +08:00
|
|
|
|
else if (Check3DesCreator(method))
|
2012-02-02 13:56:14 +08:00
|
|
|
|
flags |= StringDataFlags.Encrypted3DES;
|
2013-01-19 20:03:57 +08:00
|
|
|
|
if (CallsDecompressor(method))
|
2012-02-02 13:56:14 +08:00
|
|
|
|
flags |= StringDataFlags.Compressed;
|
|
|
|
|
|
|
|
|
|
return flags;
|
|
|
|
|
}
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
bool Check3DesCreator(MethodDef method) {
|
2012-02-02 13:56:14 +08:00
|
|
|
|
foreach (var instr in method.Body.Instructions) {
|
|
|
|
|
if (instr.OpCode.Code != Code.Call)
|
|
|
|
|
continue;
|
2012-11-02 22:57:11 +08:00
|
|
|
|
var calledMethod = instr.Operand as MethodDef;
|
2012-02-02 13:56:14 +08:00
|
|
|
|
if (calledMethod == null)
|
|
|
|
|
continue;
|
2012-11-15 02:29:29 +08:00
|
|
|
|
var sig = calledMethod.MethodSig;
|
|
|
|
|
if (sig == null || sig.RetType.GetElementType() == ElementType.Void)
|
2012-02-02 13:56:14 +08:00
|
|
|
|
continue;
|
2012-11-15 02:29:29 +08:00
|
|
|
|
if (sig.Params.Count != 0)
|
2012-02-02 13:56:14 +08:00
|
|
|
|
continue;
|
2013-01-19 20:03:57 +08:00
|
|
|
|
if (!Get3DesKeyIv(calledMethod, ref key, ref iv))
|
2012-02-02 13:56:14 +08:00
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
bool Get3DesKeyIv(MethodDef method, ref byte[] key, ref byte[] iv) {
|
|
|
|
|
if (!new LocalTypes(method).Exists("System.Security.Cryptography.TripleDESCryptoServiceProvider"))
|
2012-02-02 13:56:14 +08:00
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
var instrs = method.Body.Instructions;
|
2013-01-19 20:03:57 +08:00
|
|
|
|
var arrays = ArrayFinder.GetArrays(method, module.CorLibTypes.Byte);
|
2012-02-02 13:56:14 +08:00
|
|
|
|
if (arrays.Count != 1 && arrays.Count != 2)
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
key = arrays[0];
|
2012-11-15 02:29:29 +08:00
|
|
|
|
if (arrays.Count == 1) {
|
|
|
|
|
var pkt = PublicKeyBase.ToPublicKeyToken(module.Assembly.PublicKey);
|
|
|
|
|
iv = pkt == null ? null : pkt.Data;
|
|
|
|
|
}
|
2012-02-02 13:56:14 +08:00
|
|
|
|
else
|
|
|
|
|
iv = arrays[1];
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
static bool CallsDecompressor(MethodDef method) {
|
2012-02-02 13:56:14 +08:00
|
|
|
|
foreach (var instr in method.Body.Instructions) {
|
|
|
|
|
if (instr.OpCode.Code != Code.Call)
|
|
|
|
|
continue;
|
2012-11-02 22:57:11 +08:00
|
|
|
|
var called = instr.Operand as MethodDef;
|
2012-02-02 13:56:14 +08:00
|
|
|
|
if (called == null)
|
|
|
|
|
continue;
|
2012-11-15 02:29:29 +08:00
|
|
|
|
var sig = called.MethodSig;
|
|
|
|
|
if (sig == null)
|
|
|
|
|
continue;
|
|
|
|
|
if (sig.RetType.GetElementType() != ElementType.I4)
|
2012-02-02 13:56:14 +08:00
|
|
|
|
continue;
|
2012-11-15 02:29:29 +08:00
|
|
|
|
var parameters = sig.Params;
|
2012-02-02 13:56:14 +08:00
|
|
|
|
if (parameters.Count != 4)
|
|
|
|
|
continue;
|
2013-01-19 20:03:57 +08:00
|
|
|
|
if (!CheckClass(parameters[0], "System.Byte[]"))
|
2012-02-02 13:56:14 +08:00
|
|
|
|
continue;
|
2012-11-15 02:29:29 +08:00
|
|
|
|
if (parameters[1].GetElementType() != ElementType.I4)
|
2012-02-02 13:56:14 +08:00
|
|
|
|
continue;
|
2013-01-19 20:03:57 +08:00
|
|
|
|
if (!CheckClass(parameters[2], "System.Byte[]"))
|
2012-02-02 13:56:14 +08:00
|
|
|
|
continue;
|
2012-11-15 02:29:29 +08:00
|
|
|
|
if (parameters[3].GetElementType() != ElementType.I4)
|
2012-02-02 13:56:14 +08:00
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
static bool HasInstruction(MethodDef method, Code code) {
|
2012-02-02 13:56:14 +08:00
|
|
|
|
foreach (var instr in method.Body.Instructions) {
|
|
|
|
|
if (instr.OpCode.Code == code)
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
static bool CheckClass(TypeSig type, string fullName) {
|
2012-11-15 02:29:29 +08:00
|
|
|
|
return type != null && (type.ElementType == ElementType.Object || type.FullName == fullName);
|
2012-02-02 13:56:14 +08:00
|
|
|
|
}
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
static bool IsStringType(TypeSig type) {
|
2012-11-15 02:29:29 +08:00
|
|
|
|
return type != null && (type.ElementType == ElementType.Object || type.ElementType == ElementType.String);
|
2012-02-02 13:56:14 +08:00
|
|
|
|
}
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
bool InitializeDecrypterInfos(TypeDef type) {
|
2012-02-02 13:56:14 +08:00
|
|
|
|
foreach (var method in type.Methods) {
|
|
|
|
|
if (!method.IsStatic || method.Body == null)
|
|
|
|
|
continue;
|
2012-11-15 02:29:29 +08:00
|
|
|
|
var sig = method.MethodSig;
|
|
|
|
|
if (sig == null)
|
|
|
|
|
continue;
|
|
|
|
|
if (sig.Params.Count != 0)
|
2012-02-02 13:56:14 +08:00
|
|
|
|
continue;
|
2013-01-19 20:03:57 +08:00
|
|
|
|
if (!IsStringType(sig.RetType))
|
2012-02-02 13:56:14 +08:00
|
|
|
|
continue;
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
var info = CreateInfo(method);
|
2012-02-02 13:56:14 +08:00
|
|
|
|
if (info == null)
|
|
|
|
|
continue;
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
methodToInfo.Add(method, info);
|
2012-02-02 13:56:14 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return methodToInfo.Count != 0;
|
|
|
|
|
}
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
DecrypterInfo CreateInfo(MethodDef method) {
|
2012-02-02 13:56:14 +08:00
|
|
|
|
var instrs = method.Body.Instructions;
|
|
|
|
|
for (int i = 0; i < instrs.Count - 1; i++) {
|
|
|
|
|
var ldci4_1 = instrs[i];
|
|
|
|
|
var ldci4_2 = instrs[i + 1];
|
2012-11-15 02:29:29 +08:00
|
|
|
|
if (!ldci4_1.IsLdcI4() || !ldci4_2.IsLdcI4())
|
2012-02-02 13:56:14 +08:00
|
|
|
|
continue;
|
|
|
|
|
|
2012-11-15 02:29:29 +08:00
|
|
|
|
int offset = ldci4_1.GetLdcI4Value();
|
|
|
|
|
int length = ldci4_2.GetLdcI4Value();
|
2012-02-02 13:56:14 +08:00
|
|
|
|
return new DecrypterInfo(method, offset, length);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
public void Initialize() {
|
2012-02-02 13:56:14 +08:00
|
|
|
|
if (decrypterType == null)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
decryptedData = new byte[encryptedDataField.InitialValue.Length];
|
|
|
|
|
Array.Copy(encryptedDataField.InitialValue, 0, decryptedData, 0, decryptedData.Length);
|
|
|
|
|
|
|
|
|
|
if ((stringDataFlags & StringDataFlags.Encrypted1) != 0) {
|
|
|
|
|
for (int i = 0; i < decryptedData.Length; i++)
|
|
|
|
|
decryptedData[i] ^= (byte)i;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if ((stringDataFlags & StringDataFlags.Encrypted2) != 0) {
|
2012-11-15 02:29:29 +08:00
|
|
|
|
var k = module.Assembly.PublicKey.Data;
|
2012-02-02 13:56:14 +08:00
|
|
|
|
int mask = (byte)(~k.Length);
|
|
|
|
|
for (int i = 0; i < decryptedData.Length; i++)
|
|
|
|
|
decryptedData[i] ^= k[i & mask];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if ((stringDataFlags & StringDataFlags.Encrypted3DES) != 0)
|
2013-01-19 20:03:57 +08:00
|
|
|
|
decryptedData = DeobUtils.Des3Decrypt(decryptedData, key, iv);
|
2012-02-02 13:56:14 +08:00
|
|
|
|
|
|
|
|
|
if ((stringDataFlags & StringDataFlags.Compressed) != 0)
|
2013-01-19 20:03:57 +08:00
|
|
|
|
decryptedData = QclzDecompressor.Decompress(decryptedData);
|
2012-02-02 13:56:14 +08:00
|
|
|
|
}
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
public void CleanUp() {
|
2012-02-02 13:56:14 +08:00
|
|
|
|
if (decrypterType == null)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
encryptedDataField.InitialValue = new byte[1];
|
2012-11-15 02:29:29 +08:00
|
|
|
|
encryptedDataField.FieldSig.Type = module.CorLibTypes.Byte;
|
2012-11-17 18:45:24 +08:00
|
|
|
|
encryptedDataField.RVA = 0;
|
2012-02-02 13:56:14 +08:00
|
|
|
|
}
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
public string Decrypt(MethodDef method) {
|
|
|
|
|
var info = methodToInfo.Find(method);
|
2012-02-02 13:56:14 +08:00
|
|
|
|
return Encoding.Unicode.GetString(decryptedData, info.offset, info.length);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|