2012-06-04 10:20:43 +08:00
|
|
|
|
/*
|
2014-03-12 05:15:43 +08:00
|
|
|
|
Copyright (C) 2011-2014 de4dot@gmail.com
|
2012-06-04 10:20:43 +08:00
|
|
|
|
|
|
|
|
|
|
This file is part of de4dot.
|
|
|
|
|
|
|
|
|
|
|
|
de4dot is free software: you can redistribute it and/or modify
|
|
|
|
|
|
it under the terms of the GNU General Public License as published by
|
|
|
|
|
|
the Free Software Foundation, either version 3 of the License, or
|
|
|
|
|
|
(at your option) any later version.
|
|
|
|
|
|
|
|
|
|
|
|
de4dot is distributed in the hope that it will be useful,
|
|
|
|
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
|
GNU General Public License for more details.
|
|
|
|
|
|
|
|
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
|
|
|
|
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
|
|
using System;
|
|
|
|
|
|
using System.Collections.Generic;
|
2012-12-20 09:06:09 +08:00
|
|
|
|
using dnlib.DotNet;
|
2012-06-04 10:20:43 +08:00
|
|
|
|
using de4dot.blocks;
|
|
|
|
|
|
|
|
|
|
|
|
namespace de4dot.code.deobfuscators.ILProtector {
|
|
|
|
|
|
public class DeobfuscatorInfo : DeobfuscatorInfoBase {
|
|
|
|
|
|
public const string THE_NAME = "ILProtector";
|
|
|
|
|
|
public const string THE_TYPE = "il";
|
2013-11-18 22:43:08 +08:00
|
|
|
|
const string DEFAULT_REGEX = DeobfuscatorBase.DEFAULT_ASIAN_VALID_NAME_REGEX;
|
2012-06-04 10:20:43 +08:00
|
|
|
|
|
|
|
|
|
|
public DeobfuscatorInfo()
|
2013-11-18 22:43:08 +08:00
|
|
|
|
: base(DEFAULT_REGEX) {
|
2012-06-04 10:20:43 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public override string Name {
|
|
|
|
|
|
get { return THE_NAME; }
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public override string Type {
|
|
|
|
|
|
get { return THE_TYPE; }
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
public override IDeobfuscator CreateDeobfuscator() {
|
2012-06-04 10:20:43 +08:00
|
|
|
|
return new Deobfuscator(new Deobfuscator.Options {
|
2013-11-18 23:28:44 +08:00
|
|
|
|
ValidNameRegex = validNameRegex.Get(),
|
2012-06-04 10:20:43 +08:00
|
|
|
|
});
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
protected override IEnumerable<Option> GetOptionsInternal() {
|
2012-06-04 10:20:43 +08:00
|
|
|
|
return new List<Option>() {
|
|
|
|
|
|
};
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
class Deobfuscator : DeobfuscatorBase {
|
|
|
|
|
|
Options options;
|
|
|
|
|
|
string obfuscatorName = DeobfuscatorInfo.THE_NAME;
|
|
|
|
|
|
|
|
|
|
|
|
MainType mainType;
|
2013-10-26 23:25:58 +08:00
|
|
|
|
StaticMethodsDecrypter staticMethodsDecrypter;
|
|
|
|
|
|
DynamicMethodsRestorer dynamicMethodsRestorer;
|
2012-06-04 10:20:43 +08:00
|
|
|
|
|
|
|
|
|
|
internal class Options : OptionsBase {
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public override string Type {
|
|
|
|
|
|
get { return DeobfuscatorInfo.THE_TYPE; }
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public override string TypeLong {
|
|
|
|
|
|
get { return DeobfuscatorInfo.THE_NAME; }
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public override string Name {
|
|
|
|
|
|
get { return obfuscatorName; }
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public Deobfuscator(Options options)
|
|
|
|
|
|
: base(options) {
|
|
|
|
|
|
this.options = options;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
protected override int DetectInternal() {
|
2012-06-04 10:20:43 +08:00
|
|
|
|
return mainType.Detected ? 150 : 0;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
protected override void ScanForObfuscator() {
|
2012-06-04 10:20:43 +08:00
|
|
|
|
mainType = new MainType(module);
|
2013-01-19 20:03:57 +08:00
|
|
|
|
mainType.Find();
|
2013-10-26 23:25:58 +08:00
|
|
|
|
|
|
|
|
|
|
staticMethodsDecrypter = new StaticMethodsDecrypter(module, mainType);
|
2012-12-13 19:03:25 +08:00
|
|
|
|
if (mainType.Detected)
|
2013-10-26 23:25:58 +08:00
|
|
|
|
staticMethodsDecrypter.Find();
|
|
|
|
|
|
|
|
|
|
|
|
if (mainType.Detected && !staticMethodsDecrypter.Detected)
|
|
|
|
|
|
dynamicMethodsRestorer = new DynamicMethodsRestorer(module, mainType);
|
2012-06-04 10:20:43 +08:00
|
|
|
|
|
2013-11-17 03:04:23 +08:00
|
|
|
|
if (mainType.Detected) {
|
|
|
|
|
|
if (staticMethodsDecrypter.Detected)
|
|
|
|
|
|
UpdateObfuscatorNameWith(staticMethodsDecrypter.Version);
|
|
|
|
|
|
else
|
|
|
|
|
|
UpdateObfuscatorNameWith(mainType.GetRuntimeVersionString());
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void UpdateObfuscatorNameWith(string version) {
|
|
|
|
|
|
if (!string.IsNullOrEmpty(version))
|
|
|
|
|
|
obfuscatorName += " " + version;
|
2012-06-04 10:20:43 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
public override void DeobfuscateBegin() {
|
|
|
|
|
|
base.DeobfuscateBegin();
|
2012-06-04 10:20:43 +08:00
|
|
|
|
|
2012-12-13 19:03:25 +08:00
|
|
|
|
if (mainType.Detected) {
|
2013-10-26 23:25:58 +08:00
|
|
|
|
if (staticMethodsDecrypter.Detected) {
|
|
|
|
|
|
staticMethodsDecrypter.Decrypt();
|
|
|
|
|
|
RemoveObfuscatorJunk(staticMethodsDecrypter);
|
|
|
|
|
|
}
|
|
|
|
|
|
else if (dynamicMethodsRestorer != null) {
|
2013-11-17 03:04:23 +08:00
|
|
|
|
Logger.v("Runtime file versions:");
|
|
|
|
|
|
Logger.Instance.Indent();
|
2013-11-17 09:04:11 +08:00
|
|
|
|
bool emailMe = false;
|
2013-11-17 03:04:23 +08:00
|
|
|
|
foreach (var info in mainType.RuntimeFileInfos) {
|
|
|
|
|
|
var version = info.GetVersion();
|
2013-11-17 09:04:11 +08:00
|
|
|
|
emailMe |= version != null && version == new Version(1, 0, 7, 0);
|
2013-11-17 03:04:23 +08:00
|
|
|
|
Logger.v("Version: {0} ({1})", version == null ? "UNKNOWN" : version.ToString(), info.PathName);
|
|
|
|
|
|
}
|
|
|
|
|
|
Logger.Instance.DeIndent();
|
2013-11-17 09:04:11 +08:00
|
|
|
|
if (emailMe)
|
|
|
|
|
|
Logger.n("**** Email me this program! de4dot@gmail.com");
|
2013-11-17 03:04:23 +08:00
|
|
|
|
|
2013-10-26 23:25:58 +08:00
|
|
|
|
dynamicMethodsRestorer.Decrypt();
|
|
|
|
|
|
RemoveObfuscatorJunk(dynamicMethodsRestorer);
|
2012-12-13 19:03:25 +08:00
|
|
|
|
}
|
|
|
|
|
|
else
|
|
|
|
|
|
Logger.w("New ILProtector version. Can't decrypt methods (yet)");
|
2012-06-04 10:20:43 +08:00
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2013-10-26 23:25:58 +08:00
|
|
|
|
void RemoveObfuscatorJunk(MethodsDecrypterBase methodsDecrypter) {
|
|
|
|
|
|
AddTypesToBeRemoved(methodsDecrypter.DelegateTypes, "Obfuscator method delegate type");
|
|
|
|
|
|
AddResourceToBeRemoved(methodsDecrypter.Resource, "Encrypted methods resource");
|
|
|
|
|
|
AddTypeToBeRemoved(mainType.InvokerDelegate, "Invoker delegate type");
|
|
|
|
|
|
AddFieldToBeRemoved(mainType.InvokerInstanceField, "Invoker delegate instance field");
|
2013-11-17 03:04:23 +08:00
|
|
|
|
foreach (var info in mainType.RuntimeFileInfos)
|
|
|
|
|
|
AddMethodToBeRemoved(info.ProtectMethod, "Obfuscator 'Protect' init method");
|
2013-10-26 23:25:58 +08:00
|
|
|
|
mainType.CleanUp();
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2013-01-19 20:03:57 +08:00
|
|
|
|
public override IEnumerable<int> GetStringDecrypterMethods() {
|
2012-06-04 10:20:43 +08:00
|
|
|
|
return new List<int>();
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
