2012-05-31 21:38:51 +08:00
|
|
|
|
/*
|
2015-10-30 05:45:26 +08:00
|
|
|
|
Copyright (C) 2011-2015 de4dot@gmail.com
|
2012-05-31 21:38:51 +08:00
|
|
|
|
|
|
|
|
|
This file is part of de4dot.
|
|
|
|
|
|
|
|
|
|
de4dot is free software: you can redistribute it and/or modify
|
|
|
|
|
it under the terms of the GNU General Public License as published by
|
|
|
|
|
the Free Software Foundation, either version 3 of the License, or
|
|
|
|
|
(at your option) any later version.
|
|
|
|
|
|
|
|
|
|
de4dot is distributed in the hope that it will be useful,
|
|
|
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
GNU General Public License for more details.
|
|
|
|
|
|
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
|
|
|
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
using System;
|
|
|
|
|
using System.Collections.Generic;
|
|
|
|
|
using System.IO;
|
|
|
|
|
using System.Reflection;
|
|
|
|
|
using System.Reflection.Emit;
|
2012-12-20 09:06:09 +08:00
|
|
|
|
using dnlib.DotNet;
|
2012-05-31 21:38:51 +08:00
|
|
|
|
|
|
|
|
|
namespace de4dot.code.deobfuscators.CodeFort {
|
|
|
|
|
class PasswordInfo {
|
|
|
|
|
public string passphrase;
|
|
|
|
|
public string salt;
|
|
|
|
|
public string iv;
|
|
|
|
|
|
|
|
|
|
public PasswordInfo(string passphrase, string salt, string iv) {
|
|
|
|
|
this.passphrase = passphrase;
|
|
|
|
|
this.salt = salt;
|
|
|
|
|
this.iv = iv;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public override string ToString() {
|
|
|
|
|
return string.Format("P:{0}, S:{1}, I:{2}", passphrase, salt, iv);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
class PasswordFinder {
|
|
|
|
|
byte[] serializedData;
|
|
|
|
|
System.Collections.IList asmTypes;
|
|
|
|
|
|
|
|
|
|
class Obj {
|
|
|
|
|
object obj;
|
|
|
|
|
|
|
|
|
|
public Obj(object obj) {
|
|
|
|
|
this.obj = obj;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public string Name {
|
2013-01-19 20:03:57 +08:00
|
|
|
|
get { return (string)ReadField("Name"); }
|
2012-05-31 21:38:51 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public List<Obj> Members {
|
2013-01-19 20:03:57 +08:00
|
|
|
|
get { return GetList("Members"); }
|
2012-05-31 21:38:51 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public List<Obj> Instructions {
|
2013-01-19 20:03:57 +08:00
|
|
|
|
get { return GetList("Instructions"); }
|
2012-05-31 21:38:51 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public object Operand {
|
2013-01-19 20:03:57 +08:00
|
|
|
|
get { return ReadField("Operand"); }
|
2012-05-31 21:38:51 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public string OpCode {
|
2013-01-19 20:03:57 +08:00
|
|
|
|
get { return (string)ReadField("OpCode"); }
|
2012-05-31 21:38:51 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public Obj MemberDef {
|
2013-01-19 20:03:57 +08:00
|
|
|
|
get { return new Obj(ReadField("MemberDef")); }
|
2012-05-31 21:38:51 +08:00
|
|
|
|
}
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
protected object ReadField(string name) {
|
|
|
|
|
return PasswordFinder.ReadField(obj, name);
|
2012-05-31 21:38:51 +08:00
|
|
|
|
}
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
public Obj FindMethod(string name) {
|
2012-05-31 21:38:51 +08:00
|
|
|
|
foreach (var member in Members) {
|
|
|
|
|
if (member.obj.GetType().ToString() != "MethodDef")
|
|
|
|
|
continue;
|
|
|
|
|
if (member.Name != name)
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
return member;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
throw new ApplicationException(string.Format("Could not find method {0}", name));
|
|
|
|
|
}
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
List<Obj> GetList(string name) {
|
|
|
|
|
return ConvertList((System.Collections.IList)ReadField(name));
|
2012-05-31 21:38:51 +08:00
|
|
|
|
}
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
static List<Obj> ConvertList(System.Collections.IList inList) {
|
2012-05-31 21:38:51 +08:00
|
|
|
|
var outList = new List<Obj>(inList.Count);
|
|
|
|
|
foreach (var e in inList)
|
|
|
|
|
outList.Add(new Obj(e));
|
|
|
|
|
return outList;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public override string ToString() {
|
|
|
|
|
return Name;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public PasswordFinder(byte[] serializedData) {
|
|
|
|
|
this.serializedData = serializedData;
|
|
|
|
|
}
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
static object ReadField(object instance, string name) {
|
2012-05-31 21:38:51 +08:00
|
|
|
|
return instance.GetType().GetField(name).GetValue(instance);
|
|
|
|
|
}
|
|
|
|
|
|
2013-11-21 23:50:25 +08:00
|
|
|
|
static System.Collections.IList ToList(object obj) {
|
2012-05-31 21:38:51 +08:00
|
|
|
|
return (System.Collections.IList)obj;
|
|
|
|
|
}
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
public void Find(out PasswordInfo mainAsmPassword, out PasswordInfo embedPassword) {
|
2012-05-31 21:38:51 +08:00
|
|
|
|
var asmBuilder = AppDomain.CurrentDomain.DefineDynamicAssembly(new AssemblyName("asm"), AssemblyBuilderAccess.Run);
|
|
|
|
|
var moduleBuilder = asmBuilder.DefineDynamicModule("mod");
|
|
|
|
|
var serializedTypes = new SerializedTypes(moduleBuilder);
|
2013-01-19 20:03:57 +08:00
|
|
|
|
var allTypes = serializedTypes.Deserialize(serializedData);
|
2013-11-21 23:50:25 +08:00
|
|
|
|
asmTypes = ToList(ReadField(allTypes, "Types"));
|
2012-05-31 21:38:51 +08:00
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
mainAsmPassword = FindMainAssemblyPassword();
|
|
|
|
|
embedPassword = FindEmbedPassword();
|
2012-05-31 21:38:51 +08:00
|
|
|
|
}
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
Obj FindType(string name) {
|
2012-05-31 21:38:51 +08:00
|
|
|
|
foreach (var tmp in asmTypes) {
|
|
|
|
|
var type = new Obj(tmp);
|
|
|
|
|
if (type.Name == name)
|
|
|
|
|
return type;
|
|
|
|
|
}
|
|
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
PasswordInfo FindMainAssemblyPassword() {
|
|
|
|
|
var type = FindType("BootstrapDynArguments");
|
|
|
|
|
var cctor = type.FindMethod(".cctor");
|
2012-05-31 21:38:51 +08:00
|
|
|
|
var instrs = cctor.Instructions;
|
2013-01-19 20:03:57 +08:00
|
|
|
|
var passphrase = FindStringStoreValue(instrs, "KeyPassphrase");
|
|
|
|
|
var salt = FindStringStoreValue(instrs, "KeySaltValue");
|
|
|
|
|
var iv = FindStringStoreValue(instrs, "KeyIV");
|
2012-05-31 21:38:51 +08:00
|
|
|
|
return new PasswordInfo(passphrase, salt, iv);
|
|
|
|
|
}
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
static string FindStringStoreValue(List<Obj> instrs, string fieldName) {
|
2012-05-31 21:38:51 +08:00
|
|
|
|
for (int i = 0; i < instrs.Count - 1; i++) {
|
|
|
|
|
var ldstr = instrs[i];
|
|
|
|
|
if (ldstr.OpCode != "ldstr")
|
|
|
|
|
continue;
|
|
|
|
|
var stsfld = instrs[i + 1];
|
|
|
|
|
if (stsfld.OpCode != "stsfld")
|
|
|
|
|
continue;
|
|
|
|
|
var memberRef = new Obj(stsfld.Operand);
|
|
|
|
|
if (memberRef.MemberDef == null)
|
|
|
|
|
continue;
|
|
|
|
|
if (memberRef.MemberDef.Name != fieldName)
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
return (string)ldstr.Operand;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
PasswordInfo FindEmbedPassword() {
|
|
|
|
|
var type = FindType("CilEmbeddingHelper");
|
2012-05-31 21:38:51 +08:00
|
|
|
|
if (type == null)
|
|
|
|
|
return null;
|
2013-01-19 20:03:57 +08:00
|
|
|
|
var method = type.FindMethod("CurrentDomain_AssemblyResolve");
|
2012-05-31 21:38:51 +08:00
|
|
|
|
var instrs = method.Instructions;
|
|
|
|
|
for (int i = 0; i < instrs.Count - 3; i++) {
|
|
|
|
|
int index = i;
|
|
|
|
|
|
|
|
|
|
var ldstr1 = instrs[index++];
|
|
|
|
|
if (ldstr1.OpCode != "ldstr")
|
|
|
|
|
continue;
|
2013-01-19 20:03:57 +08:00
|
|
|
|
var passphrase = GetString(ldstr1, instrs, ref index);
|
2012-05-31 21:38:51 +08:00
|
|
|
|
|
|
|
|
|
var ldstr2 = instrs[index++];
|
|
|
|
|
if (ldstr2.OpCode != "ldstr")
|
|
|
|
|
continue;
|
2013-01-19 20:03:57 +08:00
|
|
|
|
var salt = GetString(ldstr2, instrs, ref index);
|
2012-05-31 21:38:51 +08:00
|
|
|
|
|
|
|
|
|
var ldc = instrs[index++];
|
|
|
|
|
if (!ldc.OpCode.StartsWith("ldc.i4"))
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
var ldstr3 = instrs[index++];
|
|
|
|
|
if (ldstr3.OpCode != "ldstr")
|
|
|
|
|
continue;
|
2013-01-19 20:03:57 +08:00
|
|
|
|
var iv = GetString(ldstr3, instrs, ref index);
|
2012-05-31 21:38:51 +08:00
|
|
|
|
|
|
|
|
|
return new PasswordInfo(passphrase, salt, iv);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
static string GetString(Obj ldstr, List<Obj> instrs, ref int index) {
|
2012-05-31 21:38:51 +08:00
|
|
|
|
var s = (string)ldstr.Operand;
|
|
|
|
|
if (index >= instrs.Count)
|
|
|
|
|
return s;
|
|
|
|
|
var call = instrs[index];
|
|
|
|
|
if (call.OpCode != "call" && call.OpCode != "callvirt")
|
|
|
|
|
return s;
|
|
|
|
|
index++;
|
|
|
|
|
var op = new Obj(call.Operand);
|
|
|
|
|
if (op.Name == "ToUpper")
|
|
|
|
|
return s.ToUpper();
|
|
|
|
|
if (op.Name == "ToLower")
|
|
|
|
|
return s.ToLower();
|
|
|
|
|
throw new ApplicationException(string.Format("Unknown method {0}", op.Name));
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|