2011-10-17 06:22:22 +08:00
|
|
|
|
/*
|
2013-01-02 00:03:16 +08:00
|
|
|
|
Copyright (C) 2011-2013 de4dot@gmail.com
|
2011-10-17 06:22:22 +08:00
|
|
|
|
|
|
|
|
|
This file is part of de4dot.
|
|
|
|
|
|
|
|
|
|
de4dot is free software: you can redistribute it and/or modify
|
|
|
|
|
it under the terms of the GNU General Public License as published by
|
|
|
|
|
the Free Software Foundation, either version 3 of the License, or
|
|
|
|
|
(at your option) any later version.
|
|
|
|
|
|
|
|
|
|
de4dot is distributed in the hope that it will be useful,
|
|
|
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
GNU General Public License for more details.
|
|
|
|
|
|
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
|
|
|
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
using System.Collections.Generic;
|
2012-12-20 09:06:09 +08:00
|
|
|
|
using dnlib.DotNet.Emit;
|
2011-10-17 06:22:22 +08:00
|
|
|
|
|
|
|
|
|
namespace de4dot.blocks.cflow {
|
2011-10-19 05:31:50 +08:00
|
|
|
|
public class BlocksCflowDeobfuscator {
|
2011-10-17 06:22:22 +08:00
|
|
|
|
Blocks blocks;
|
2011-10-22 00:05:24 +08:00
|
|
|
|
List<Block> allBlocks = new List<Block>();
|
2012-04-30 04:22:43 +08:00
|
|
|
|
List<IBlocksDeobfuscator> userBlocksDeobfuscators = new List<IBlocksDeobfuscator>();
|
2012-05-03 11:34:12 +08:00
|
|
|
|
List<IBlocksDeobfuscator> ourBlocksDeobfuscators = new List<IBlocksDeobfuscator>();
|
2011-10-17 06:22:22 +08:00
|
|
|
|
|
2012-04-30 04:22:43 +08:00
|
|
|
|
public BlocksCflowDeobfuscator() {
|
|
|
|
|
init();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public BlocksCflowDeobfuscator(IEnumerable<IBlocksDeobfuscator> blocksDeobfuscator) {
|
|
|
|
|
init();
|
|
|
|
|
add(blocksDeobfuscator);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void init() {
|
2012-05-03 11:34:12 +08:00
|
|
|
|
ourBlocksDeobfuscators.Add(new BlockCflowDeobfuscator { ExecuteOnNoChange = false });
|
|
|
|
|
ourBlocksDeobfuscators.Add(new SwitchCflowDeobfuscator { ExecuteOnNoChange = false });
|
|
|
|
|
ourBlocksDeobfuscators.Add(new DeadStoreRemover { ExecuteOnNoChange = false });
|
|
|
|
|
ourBlocksDeobfuscators.Add(new DeadCodeRemover { ExecuteOnNoChange = false });
|
|
|
|
|
ourBlocksDeobfuscators.Add(new ConstantsFolder { ExecuteOnNoChange = true });
|
|
|
|
|
ourBlocksDeobfuscators.Add(new StLdlocFixer { ExecuteOnNoChange = true });
|
2012-12-21 20:55:57 +08:00
|
|
|
|
ourBlocksDeobfuscators.Add(new DupBlockCflowDeobfuscator { ExecuteOnNoChange = true });
|
2012-04-30 04:22:43 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public void add(IEnumerable<IBlocksDeobfuscator> blocksDeobfuscators) {
|
|
|
|
|
foreach (var bd in blocksDeobfuscators)
|
|
|
|
|
add(bd);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public void add(IBlocksDeobfuscator blocksDeobfuscator) {
|
|
|
|
|
if (blocksDeobfuscator != null)
|
|
|
|
|
userBlocksDeobfuscators.Add(blocksDeobfuscator);
|
|
|
|
|
}
|
2012-01-11 13:44:44 +08:00
|
|
|
|
|
|
|
|
|
public void init(Blocks blocks) {
|
2011-10-17 06:22:22 +08:00
|
|
|
|
this.blocks = blocks;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public void deobfuscate() {
|
|
|
|
|
bool changed;
|
2011-10-22 02:14:25 +08:00
|
|
|
|
int iterations = -1;
|
2012-04-30 04:22:43 +08:00
|
|
|
|
|
|
|
|
|
deobfuscateBegin(userBlocksDeobfuscators);
|
2012-05-03 11:34:12 +08:00
|
|
|
|
deobfuscateBegin(ourBlocksDeobfuscators);
|
2012-04-30 04:22:43 +08:00
|
|
|
|
|
2011-10-17 06:22:22 +08:00
|
|
|
|
do {
|
2011-10-22 02:14:25 +08:00
|
|
|
|
iterations++;
|
2011-10-17 06:22:22 +08:00
|
|
|
|
changed = false;
|
2011-10-19 07:53:42 +08:00
|
|
|
|
removeDeadBlocks();
|
|
|
|
|
mergeBlocks();
|
2011-10-19 05:31:50 +08:00
|
|
|
|
|
2011-10-22 00:02:58 +08:00
|
|
|
|
blocks.MethodBlocks.getAllBlocks(allBlocks);
|
2011-10-19 05:31:50 +08:00
|
|
|
|
|
2011-10-22 02:14:25 +08:00
|
|
|
|
if (iterations == 0)
|
|
|
|
|
changed |= fixDotfuscatorLoop();
|
|
|
|
|
|
2012-04-30 04:22:43 +08:00
|
|
|
|
changed |= deobfuscate(userBlocksDeobfuscators, allBlocks);
|
2012-05-03 11:34:12 +08:00
|
|
|
|
changed |= deobfuscate(ourBlocksDeobfuscators, allBlocks);
|
|
|
|
|
changed |= deobfuscateNoChange(changed, userBlocksDeobfuscators, allBlocks);
|
|
|
|
|
changed |= deobfuscateNoChange(changed, ourBlocksDeobfuscators, allBlocks);
|
2012-04-30 04:22:43 +08:00
|
|
|
|
} while (changed);
|
|
|
|
|
}
|
2011-10-19 05:31:50 +08:00
|
|
|
|
|
2012-04-30 04:22:43 +08:00
|
|
|
|
void deobfuscateBegin(IEnumerable<IBlocksDeobfuscator> bds) {
|
|
|
|
|
foreach (var bd in bds)
|
|
|
|
|
bd.deobfuscateBegin(blocks);
|
|
|
|
|
}
|
2012-01-09 08:25:25 +08:00
|
|
|
|
|
2012-04-30 04:22:43 +08:00
|
|
|
|
bool deobfuscate(IEnumerable<IBlocksDeobfuscator> bds, List<Block> allBlocks) {
|
|
|
|
|
bool changed = false;
|
2012-05-03 11:34:12 +08:00
|
|
|
|
foreach (var bd in bds) {
|
|
|
|
|
if (bd.ExecuteOnNoChange)
|
|
|
|
|
continue;
|
|
|
|
|
changed |= bd.deobfuscate(allBlocks);
|
|
|
|
|
}
|
|
|
|
|
return changed;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
bool deobfuscateNoChange(bool changed, IEnumerable<IBlocksDeobfuscator> bds, List<Block> allBlocks) {
|
|
|
|
|
foreach (var bd in bds) {
|
|
|
|
|
if (changed)
|
|
|
|
|
break;
|
|
|
|
|
if (!bd.ExecuteOnNoChange)
|
|
|
|
|
continue;
|
2012-04-30 04:22:43 +08:00
|
|
|
|
changed |= bd.deobfuscate(allBlocks);
|
2012-05-03 11:34:12 +08:00
|
|
|
|
}
|
2012-04-30 04:22:43 +08:00
|
|
|
|
return changed;
|
2011-10-17 06:22:22 +08:00
|
|
|
|
}
|
|
|
|
|
|
2011-10-22 02:14:25 +08:00
|
|
|
|
// Hack for old Dotfuscator
|
|
|
|
|
bool fixDotfuscatorLoop() {
|
|
|
|
|
/*
|
|
|
|
|
blk1:
|
|
|
|
|
...
|
|
|
|
|
ldc.i4.x
|
|
|
|
|
blk2:
|
|
|
|
|
dup
|
|
|
|
|
dup
|
|
|
|
|
ldc.i4.y
|
|
|
|
|
some_op
|
|
|
|
|
bcc blk2
|
|
|
|
|
blk3:
|
|
|
|
|
pop
|
|
|
|
|
...
|
|
|
|
|
*/
|
|
|
|
|
bool changed = false;
|
|
|
|
|
foreach (var block in allBlocks) {
|
|
|
|
|
if (block.Instructions.Count != 5)
|
|
|
|
|
continue;
|
|
|
|
|
var instructions = block.Instructions;
|
|
|
|
|
if (instructions[0].OpCode.Code != Code.Dup)
|
|
|
|
|
continue;
|
|
|
|
|
if (instructions[1].OpCode.Code != Code.Dup)
|
|
|
|
|
continue;
|
|
|
|
|
if (!instructions[2].isLdcI4())
|
|
|
|
|
continue;
|
|
|
|
|
if (instructions[3].OpCode.Code != Code.Sub && instructions[3].OpCode.Code != Code.Add)
|
|
|
|
|
continue;
|
|
|
|
|
if (instructions[4].OpCode.Code != Code.Blt && instructions[4].OpCode.Code != Code.Blt_S &&
|
|
|
|
|
instructions[4].OpCode.Code != Code.Bgt && instructions[4].OpCode.Code != Code.Bgt_S)
|
|
|
|
|
continue;
|
|
|
|
|
if (block.Sources.Count != 2)
|
|
|
|
|
continue;
|
|
|
|
|
var prev = block.Sources[0];
|
|
|
|
|
if (prev == block)
|
|
|
|
|
prev = block.Sources[1];
|
|
|
|
|
if (prev == null || !prev.LastInstr.isLdcI4())
|
|
|
|
|
continue;
|
|
|
|
|
var next = block.FallThrough;
|
|
|
|
|
if (next.FirstInstr.OpCode.Code != Code.Pop)
|
|
|
|
|
continue;
|
|
|
|
|
block.replaceLastInstrsWithBranch(5, next);
|
|
|
|
|
changed = true;
|
|
|
|
|
}
|
|
|
|
|
return changed;
|
|
|
|
|
}
|
|
|
|
|
|
2011-10-19 05:31:50 +08:00
|
|
|
|
bool removeDeadBlocks() {
|
2011-10-22 03:35:35 +08:00
|
|
|
|
return new DeadBlocksRemover(blocks.MethodBlocks).remove() > 0;
|
2011-10-17 06:22:22 +08:00
|
|
|
|
}
|
|
|
|
|
|
2011-10-19 05:31:50 +08:00
|
|
|
|
bool mergeBlocks() {
|
|
|
|
|
bool changed = false;
|
2011-10-17 06:22:22 +08:00
|
|
|
|
foreach (var scopeBlock in getAllScopeBlocks(blocks.MethodBlocks))
|
2011-10-19 05:31:50 +08:00
|
|
|
|
changed |= scopeBlock.mergeBlocks() > 0;
|
|
|
|
|
return changed;
|
2011-10-17 06:22:22 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
IEnumerable<ScopeBlock> getAllScopeBlocks(ScopeBlock scopeBlock) {
|
|
|
|
|
var list = new List<ScopeBlock>();
|
|
|
|
|
list.Add(scopeBlock);
|
|
|
|
|
list.AddRange(scopeBlock.getAllScopeBlocks());
|
|
|
|
|
return list;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|