Fix old Confuser deobfuscator code

2015-10-29 22:36:17 +01:00 · 2015-10-29 22:36:17 +01:00 · 02d6de8f39
parent a0f12c4ad0
commit 02d6de8f39
10 changed files with 43 additions and 19 deletions
--- a/de4dot.blocks/cflow/BlocksCflowDeobfuscator.cs
+++ b/de4dot.blocks/cflow/BlocksCflowDeobfuscator.cs
@ -27,21 +27,29 @@ namespace de4dot.blocks.cflow {
 		List<IBlocksDeobfuscator> userBlocksDeobfuscators = new List<IBlocksDeobfuscator>();
 		List<IBlocksDeobfuscator> ourBlocksDeobfuscators = new List<IBlocksDeobfuscator>();
-		public BlocksCflowDeobfuscator() {
+		public BlocksCflowDeobfuscator()
-			Initialize();
+			: this(false) {
 		}
-		public BlocksCflowDeobfuscator(IEnumerable<IBlocksDeobfuscator> blocksDeobfuscator) {
+		public BlocksCflowDeobfuscator(bool disableNewCFCode) {
-			Initialize();
+			Initialize(disableNewCFCode);
 		}
 		public BlocksCflowDeobfuscator(IEnumerable<IBlocksDeobfuscator> blocksDeobfuscator)
 			: this(blocksDeobfuscator, false) {
 		}
 		public BlocksCflowDeobfuscator(IEnumerable<IBlocksDeobfuscator> blocksDeobfuscator, bool disableNewCFCode) {
 			Initialize(disableNewCFCode);
 			Add(blocksDeobfuscator);
 		}
-		void Initialize() {
+		void Initialize(bool disableNewCFCode) {
 			ourBlocksDeobfuscators.Add(new BlockCflowDeobfuscator { ExecuteIfNotModified = false });
 			ourBlocksDeobfuscators.Add(new SwitchCflowDeobfuscator { ExecuteIfNotModified = false });
 			ourBlocksDeobfuscators.Add(new DeadStoreRemover { ExecuteIfNotModified = false });
 			ourBlocksDeobfuscators.Add(new DeadCodeRemover { ExecuteIfNotModified = false });
-			ourBlocksDeobfuscators.Add(new ConstantsFolder { ExecuteIfNotModified = true });
+			ourBlocksDeobfuscators.Add(new ConstantsFolder { ExecuteIfNotModified = true, DisableNewCode = disableNewCFCode });
 			ourBlocksDeobfuscators.Add(new StLdlocFixer { ExecuteIfNotModified = true });
 			ourBlocksDeobfuscators.Add(new DupBlockCflowDeobfuscator { ExecuteIfNotModified = true });
 		}
--- a/de4dot.blocks/cflow/ConstantsFolder.cs
+++ b/de4dot.blocks/cflow/ConstantsFolder.cs
@ -29,6 +29,8 @@ namespace de4dot.blocks.cflow {
 		InstructionEmulator instructionEmulator = new InstructionEmulator();
 		IList<Parameter> args;
 		public bool DisableNewCode { get; set; }
 		protected override void Initialize(List<Block> allBlocks) {
 			base.Initialize(allBlocks);
 			args = blocks.Method.Parameters;
@ -131,6 +133,8 @@ namespace de4dot.blocks.cflow {
 				case Code.Sub_Ovf:
 				case Code.Sub_Ovf_Un:
 				case Code.Xor:
 					if (DisableNewCode)
 						break;
 					if (i + 1 < instrs.Count && instrs[i + 1].OpCode.Code == Code.Pop)
 						break;
 					if (!VerifyValidArgs(instr.Instruction))
--- a/de4dot.code/ObfuscatedFile.cs
+++ b/de4dot.code/ObfuscatedFile.cs
@ -789,15 +789,17 @@ namespace de4dot.code {
 		}
 		void ISimpleDeobfuscator.Deobfuscate(MethodDef method) {
-			((ISimpleDeobfuscator)this).Deobfuscate(method, false);
+			((ISimpleDeobfuscator)this).Deobfuscate(method, 0);
 		}
-		void ISimpleDeobfuscator.Deobfuscate(MethodDef method, bool force) {
+		void ISimpleDeobfuscator.Deobfuscate(MethodDef method, SimpleDeobfuscatorFlags flags) {
 			bool force = (flags & SimpleDeobfuscatorFlags.Force) != 0;
 			if (method == null || (!force && Check(method, SimpleDeobFlags.HasDeobfuscated)))
 				return;
 			Deobfuscate(method, "Deobfuscating control flow", (blocks) => {
-				var cflowDeobfuscator = new BlocksCflowDeobfuscator(deob.BlocksDeobfuscators);
+				bool disableNewCFCode = (flags & SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs) != 0;
 				var cflowDeobfuscator = new BlocksCflowDeobfuscator(deob.BlocksDeobfuscators, disableNewCFCode);
 				cflowDeobfuscator.Initialize(blocks);
 				cflowDeobfuscator.Deobfuscate();
 			});
--- a/de4dot.code/deobfuscators/Confuser/AntiDumping.cs
+++ b/de4dot.code/deobfuscators/Confuser/AntiDumping.cs
@ -78,7 +78,7 @@ namespace de4dot.code.deobfuscators.Confuser {
 				if (type.NestedTypes.Count > 0)
 					continue;
-				simpleDeobfuscator.Deobfuscate(calledMethod, true);
+				simpleDeobfuscator.Deobfuscate(calledMethod, SimpleDeobfuscatorFlags.Force | SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
 				if (CheckType(type, calledMethod)) {
 					initMethod = calledMethod;
 					return true;
--- a/de4dot.code/deobfuscators/Confuser/ConstantsDecrypterV17.cs
+++ b/de4dot.code/deobfuscators/Confuser/ConstantsDecrypterV17.cs
@ -232,7 +232,7 @@ namespace de4dot.code.deobfuscators.Confuser {
 			if (!new LocalTypes(cctor).All(requiredLocalsCctor))
 				return;
-			simpleDeobfuscator.Deobfuscate(cctor, true);
+			simpleDeobfuscator.Deobfuscate(cctor, SimpleDeobfuscatorFlags.Force | SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
 			if (!Add(ConstantsDecrypterUtils.FindDictField(cctor, cctor.DeclaringType)))
 				return;
 			if (!Add(ConstantsDecrypterUtils.FindStreamField(cctor, cctor.DeclaringType)))
--- a/de4dot.code/deobfuscators/Confuser/ConstantsDecrypterV18.cs
+++ b/de4dot.code/deobfuscators/Confuser/ConstantsDecrypterV18.cs
@ -202,7 +202,7 @@ namespace de4dot.code.deobfuscators.Confuser {
 			var cctor = DotNetUtils.GetModuleTypeCctor(module);
 			if (cctor == null)
 				return;
-			simpleDeobfuscator.Deobfuscate(cctor, true);
+			simpleDeobfuscator.Deobfuscate(cctor, SimpleDeobfuscatorFlags.Force | SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
 			if ((dictField = ConstantsDecrypterUtils.FindDictField(cctor, cctor.DeclaringType)) == null)
 				return;
@ -216,7 +216,7 @@ namespace de4dot.code.deobfuscators.Confuser {
 			var method = GetDecryptMethod();
 			if (method == null)
 				return;
-			simpleDeobfuscator.Deobfuscate(method);
+			simpleDeobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
 			var info = new DecrypterInfo(this, method, ConfuserVersion.Unknown);
 			if (FindKeys_v18_r75367(info))
 				InitVersion(cctor, ConfuserVersion.v18_r75367_normal, ConfuserVersion.v18_r75367_dynamic, ConfuserVersion.v18_r75367_native);
@ -425,7 +425,7 @@ namespace de4dot.code.deobfuscators.Confuser {
 			if (!IsDecryptMethodSignature(method))
 				return null;
-			simpleDeobfuscator.Deobfuscate(method);
+			simpleDeobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
 			var info = new DecrypterInfo(this, method, version);
 			if (!FindKeys(info))
 				return null;
--- a/de4dot.code/deobfuscators/Confuser/ProxyCallFixer.cs
+++ b/de4dot.code/deobfuscators/Confuser/ProxyCallFixer.cs
@ -492,7 +492,7 @@ namespace de4dot.code.deobfuscators.Confuser {
 				if (proxyType == ProxyCreatorType.Newobj)
 					foundNewobjProxy = true;
-				simpleDeobfuscator.Deobfuscate(method);
+				simpleDeobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
 				MethodDef nativeMethod = null;
 				uint magic;
 				if (FindMagic_v14_r58564(method, out magic)) {
--- a/de4dot.code/deobfuscators/Confuser/ResourceDecrypter.cs
+++ b/de4dot.code/deobfuscators/Confuser/ResourceDecrypter.cs
@ -77,7 +77,7 @@ namespace de4dot.code.deobfuscators.Confuser {
 				return false;
 			if (!DotNetUtils.CallsMethod(method, "System.Void System.AppDomain::add_ResourceResolve(System.ResolveEventHandler)"))
 				return false;
-			simpleDeobfuscator.Deobfuscate(method, true);
+			simpleDeobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.Force | SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
 			fields.Clear();
 			var tmpHandler = GetHandler(method);
@ -88,7 +88,7 @@ namespace de4dot.code.deobfuscators.Confuser {
 			if (tmpResource == null)
 				return false;
-			simpleDeobfuscator.Deobfuscate(tmpHandler, true);
+			simpleDeobfuscator.Deobfuscate(tmpHandler, SimpleDeobfuscatorFlags.Force | SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
 			ConfuserVersion tmpVersion = ConfuserVersion.Unknown;
 			if (DotNetUtils.CallsMethod(tmpHandler, "System.Object System.AppDomain::GetData(System.String)")) {
 				if (!DotNetUtils.CallsMethod(tmpHandler, "System.Void System.Buffer::BlockCopy(System.Array,System.Int32,System.Array,System.Int32,System.Int32)")) {
--- a/de4dot.code/deobfuscators/DeepSea/ArrayBlockState.cs
+++ b/de4dot.code/deobfuscators/DeepSea/ArrayBlockState.cs
@ -109,7 +109,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
 		bool InitializeArrays2(ISimpleDeobfuscator simpleDeobfuscator, MethodDef method) {
 			bool foundField = false;
-			simpleDeobfuscator.Deobfuscate(method, true);
+			simpleDeobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.Force);
 			var instructions = method.Body.Instructions;
 			for (int i = 0; i < instructions.Count; i++) {
 				var ldci4 = instructions[i];
--- a/de4dot.code/deobfuscators/ISimpleDeobfuscator.cs
+++ b/de4dot.code/deobfuscators/ISimpleDeobfuscator.cs
@ -17,13 +17,23 @@
    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
 */
 using System;
 using dnlib.DotNet;
 namespace de4dot.code.deobfuscators {
 	[Flags]
 	public enum SimpleDeobfuscatorFlags : uint {
 		Force											= 0x00000001,
 		// Hack for Confuser deobfuscator code. That code was written before the
 		// constants folder was updated and it now breaks the old Confuser code.
 		DisableConstantsFolderExtraInstrs				= 0x00000002,
 	}
 	public interface ISimpleDeobfuscator {
 		void MethodModified(MethodDef method);
 		void Deobfuscate(MethodDef method);
-		void Deobfuscate(MethodDef method, bool force);
+		void Deobfuscate(MethodDef method, SimpleDeobfuscatorFlags flags);
 		void DecryptStrings(MethodDef method, IDeobfuscator deob);
 	}
 }