Fix old Confuser deobfuscator code
This commit is contained in:
parent
a0f12c4ad0
commit
02d6de8f39
@ -27,21 +27,29 @@ namespace de4dot.blocks.cflow {
List<IBlocksDeobfuscator> userBlocksDeobfuscators = new List<IBlocksDeobfuscator>();
List<IBlocksDeobfuscator> userBlocksDeobfuscators = new List<IBlocksDeobfuscator>();
List<IBlocksDeobfuscator> ourBlocksDeobfuscators = new List<IBlocksDeobfuscator>();
List<IBlocksDeobfuscator> ourBlocksDeobfuscators = new List<IBlocksDeobfuscator>();
public BlocksCflowDeobfuscator() {
public BlocksCflowDeobfuscator()
Initialize();
: this(false) {
}
}
public BlocksCflowDeobfuscator(IEnumerable<IBlocksDeobfuscator> blocksDeobfuscator) {
public BlocksCflowDeobfuscator(bool disableNewCFCode) {
Initialize();
Initialize(disableNewCFCode);
}
public BlocksCflowDeobfuscator(IEnumerable<IBlocksDeobfuscator> blocksDeobfuscator)
: this(blocksDeobfuscator, false) {
}
public BlocksCflowDeobfuscator(IEnumerable<IBlocksDeobfuscator> blocksDeobfuscator, bool disableNewCFCode) {
Initialize(disableNewCFCode);
Add(blocksDeobfuscator);
Add(blocksDeobfuscator);
}
}
void Initialize() {
void Initialize(bool disableNewCFCode) {
ourBlocksDeobfuscators.Add(new BlockCflowDeobfuscator { ExecuteIfNotModified = false });
ourBlocksDeobfuscators.Add(new BlockCflowDeobfuscator { ExecuteIfNotModified = false });
ourBlocksDeobfuscators.Add(new SwitchCflowDeobfuscator { ExecuteIfNotModified = false });
ourBlocksDeobfuscators.Add(new SwitchCflowDeobfuscator { ExecuteIfNotModified = false });
ourBlocksDeobfuscators.Add(new DeadStoreRemover { ExecuteIfNotModified = false });
ourBlocksDeobfuscators.Add(new DeadStoreRemover { ExecuteIfNotModified = false });
ourBlocksDeobfuscators.Add(new DeadCodeRemover { ExecuteIfNotModified = false });
ourBlocksDeobfuscators.Add(new DeadCodeRemover { ExecuteIfNotModified = false });
ourBlocksDeobfuscators.Add(new ConstantsFolder { ExecuteIfNotModified = true });
ourBlocksDeobfuscators.Add(new ConstantsFolder { ExecuteIfNotModified = true, DisableNewCode = disableNewCFCode });
ourBlocksDeobfuscators.Add(new StLdlocFixer { ExecuteIfNotModified = true });
ourBlocksDeobfuscators.Add(new StLdlocFixer { ExecuteIfNotModified = true });
ourBlocksDeobfuscators.Add(new DupBlockCflowDeobfuscator { ExecuteIfNotModified = true });
ourBlocksDeobfuscators.Add(new DupBlockCflowDeobfuscator { ExecuteIfNotModified = true });
}
}
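Review bot: The new `disableNewCFCode` parameter on the constructors and on `Initialize` is undocumented, and its name promises more than `Initialize` delivers: the flag is only forwarded as `DisableNewCode` on the `ConstantsFolder`, while the other six block deobfuscators are added exactly as before. A doc comment on the `(IEnumerable<IBlocksDeobfuscator>, bool)` constructor would make that explicit, e.g. `/// <param name="disableNewCFCode">When true, only the ConstantsFolder's newer folding path is switched off (see SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs); no other block deobfuscator is affected.</param>`. Since `Initialize` is private and now carries the flag too, naming the parameter after what it controls (e.g. `disableConstantsFolderExtraInstrs`) would keep the name consistent along the whole call chain from the enum member down to the property. The class continues outside this hunk.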
@ -29,6 +29,8 @@ namespace de4dot.blocks.cflow {
InstructionEmulator instructionEmulator = new InstructionEmulator();
InstructionEmulator instructionEmulator = new InstructionEmulator();
IList<Parameter> args;
IList<Parameter> args;
public bool DisableNewCode { get; set; }
protected override void Initialize(List<Block> allBlocks) {
protected override void Initialize(List<Block> allBlocks) {
base.Initialize(allBlocks);
base.Initialize(allBlocks);
args = blocks.Method.Parameters;
args = blocks.Method.Parameters;
@ -131,6 +133,8 @@ namespace de4dot.blocks.cflow {
case Code.Sub_Ovf:
case Code.Sub_Ovf:
case Code.Sub_Ovf_Un:
case Code.Sub_Ovf_Un:
case Code.Xor:
case Code.Xor:
if (DisableNewCode)
break;
if (i + 1 < instrs.Count && instrs[i + 1].OpCode.Code == Code.Pop)
if (i + 1 < instrs.Count && instrs[i + 1].OpCode.Code == Code.Pop)
break;
break;
if (!VerifyValidArgs(instr.Instruction))
if (!VerifyValidArgs(instr.Instruction))
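Review bot: `public bool DisableNewCode { get; set; }` and the `if (DisableNewCode) break;` guard carry no comment saying what the "new code" is, and the run of case labels the guard covers starts above the second hunk — only `Sub_Ovf`, `Sub_Ovf_Un` and `Xor` are visible here. Because the `break` sits directly under the case labels, those opcodes are skipped entirely when the flag is set, before the `Pop` lookahead and `VerifyValidArgs` run; that appears to be the intended fallback to the pre-update behaviour, but it should be stated at the property. Suggested comment: `/// When true, the arithmetic/bitwise opcodes handled by the switch below are left unfolded; compatibility switch for the Confuser deobfuscators (driven by SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs).` The enclosing switch and method begin and end outside the hunk.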
@ -789,15 +789,17 @@ namespace de4dot.code {
}
}
void ISimpleDeobfuscator.Deobfuscate(MethodDef method) {
void ISimpleDeobfuscator.Deobfuscate(MethodDef method) {
((ISimpleDeobfuscator)this).Deobfuscate(method, false);
((ISimpleDeobfuscator)this).Deobfuscate(method, 0);
}
}
void ISimpleDeobfuscator.Deobfuscate(MethodDef method, bool force) {
void ISimpleDeobfuscator.Deobfuscate(MethodDef method, SimpleDeobfuscatorFlags flags) {
bool force = (flags & SimpleDeobfuscatorFlags.Force) != 0;
if (method == null || (!force && Check(method, SimpleDeobFlags.HasDeobfuscated)))
if (method == null || (!force && Check(method, SimpleDeobFlags.HasDeobfuscated)))
return;
return;
Deobfuscate(method, "Deobfuscating control flow", (blocks) => {
Deobfuscate(method, "Deobfuscating control flow", (blocks) => {
var cflowDeobfuscator = new BlocksCflowDeobfuscator(deob.BlocksDeobfuscators);
bool disableNewCFCode = (flags & SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs) != 0;
var cflowDeobfuscator = new BlocksCflowDeobfuscator(deob.BlocksDeobfuscators, disableNewCFCode);
cflowDeobfuscator.Initialize(blocks);
cflowDeobfuscator.Initialize(blocks);
cflowDeobfuscator.Deobfuscate();
cflowDeobfuscator.Deobfuscate();
});
});
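Review bot: `((ISimpleDeobfuscator)this).Deobfuscate(method, 0);` passes a bare literal to a `[Flags]` enum parameter; it compiles only because the constant `0` converts implicitly, and it is the one place where "no options" is spelled. Declaring `None = 0` on `SimpleDeobfuscatorFlags` and writing `((ISimpleDeobfuscator)this).Deobfuscate(method, SimpleDeobfuscatorFlags.None);` keeps the call self-describing. The two-argument overload now reads from two similarly named enums, `SimpleDeobfuscatorFlags.Force` from the caller and `SimpleDeobFlags.HasDeobfuscated` via `Check(method, …)`; a one-line comment above `bool force = …`, e.g. `// flags: caller-supplied options; SimpleDeobFlags: per-method state queried through Check()`, would stop the next reader from conflating them. The two-argument overload continues past the end of the hunk.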
@ -78,7 +78,7 @@ namespace de4dot.code.deobfuscators.Confuser {
if (type.NestedTypes.Count > 0)
if (type.NestedTypes.Count > 0)
continue;
continue;
simpleDeobfuscator.Deobfuscate(calledMethod, true);
simpleDeobfuscator.Deobfuscate(calledMethod, SimpleDeobfuscatorFlags.Force | SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
if (CheckType(type, calledMethod)) {
if (CheckType(type, calledMethod)) {
initMethod = calledMethod;
initMethod = calledMethod;
return true;
return true;
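Review bot: `SimpleDeobfuscatorFlags.Force | SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs` is written out verbatim here and again in the `@ -232`, `@ -202`, `@ -77` and `@ -88` Confuser hunks, with the non-forcing `DisableConstantsFolderExtraInstrs` repeated three more times. The enum's own comment describes that flag as a hack to be outgrown, so one named combination declared once in the Confuser deobfuscator code, e.g. `const SimpleDeobfuscatorFlags ForceNoExtraFolding = SimpleDeobfuscatorFlags.Force | SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs;` (name is a proposal), would let the workaround be located and removed from a single place rather than by grepping nine call sites. The enclosing method starts and ends outside the hunk.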
@ -232,7 +232,7 @@ namespace de4dot.code.deobfuscators.Confuser {
if (!new LocalTypes(cctor).All(requiredLocalsCctor))
if (!new LocalTypes(cctor).All(requiredLocalsCctor))
return;
return;
simpleDeobfuscator.Deobfuscate(cctor, true);
simpleDeobfuscator.Deobfuscate(cctor, SimpleDeobfuscatorFlags.Force | SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
if (!Add(ConstantsDecrypterUtils.FindDictField(cctor, cctor.DeclaringType)))
if (!Add(ConstantsDecrypterUtils.FindDictField(cctor, cctor.DeclaringType)))
return;
return;
if (!Add(ConstantsDecrypterUtils.FindStreamField(cctor, cctor.DeclaringType)))
if (!Add(ConstantsDecrypterUtils.FindStreamField(cctor, cctor.DeclaringType)))
@ -202,7 +202,7 @@ namespace de4dot.code.deobfuscators.Confuser {
var cctor = DotNetUtils.GetModuleTypeCctor(module);
var cctor = DotNetUtils.GetModuleTypeCctor(module);
if (cctor == null)
if (cctor == null)
return;
return;
simpleDeobfuscator.Deobfuscate(cctor, true);
simpleDeobfuscator.Deobfuscate(cctor, SimpleDeobfuscatorFlags.Force | SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
if ((dictField = ConstantsDecrypterUtils.FindDictField(cctor, cctor.DeclaringType)) == null)
if ((dictField = ConstantsDecrypterUtils.FindDictField(cctor, cctor.DeclaringType)) == null)
return;
return;
@ -216,7 +216,7 @@ namespace de4dot.code.deobfuscators.Confuser {
var method = GetDecryptMethod();
var method = GetDecryptMethod();
if (method == null)
if (method == null)
return;
return;
simpleDeobfuscator.Deobfuscate(method);
simpleDeobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
var info = new DecrypterInfo(this, method, ConfuserVersion.Unknown);
var info = new DecrypterInfo(this, method, ConfuserVersion.Unknown);
if (FindKeys_v18_r75367(info))
if (FindKeys_v18_r75367(info))
InitVersion(cctor, ConfuserVersion.v18_r75367_normal, ConfuserVersion.v18_r75367_dynamic, ConfuserVersion.v18_r75367_native);
InitVersion(cctor, ConfuserVersion.v18_r75367_normal, ConfuserVersion.v18_r75367_dynamic, ConfuserVersion.v18_r75367_native);
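Review bot: `simpleDeobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs)` in the second hunk (and the same call in the `@ -425` and `@ -492` hunks) omits `Force`, so under the implementation in this commit the call returns early whenever the method is already marked `HasDeobfuscated`; if an earlier pass folded `method` with the newer constants-folder code still enabled, the flag arrives too late and changes nothing. Whether that ordering can occur depends on what runs before these finders, which is outside the hunk, so either confirm it or add `Force` here as the `cctor` call in the first hunk already does. A comment would record the decision either way, e.g. `// no Force: the decrypt method is deobfuscated here for the first time, so the flag takes effect`. Both enclosing methods start and end outside the hunks.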
@ -425,7 +425,7 @@ namespace de4dot.code.deobfuscators.Confuser {
if (!IsDecryptMethodSignature(method))
if (!IsDecryptMethodSignature(method))
return null;
return null;
simpleDeobfuscator.Deobfuscate(method);
simpleDeobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
var info = new DecrypterInfo(this, method, version);
var info = new DecrypterInfo(this, method, version);
if (!FindKeys(info))
if (!FindKeys(info))
return null;
return null;
@ -492,7 +492,7 @@ namespace de4dot.code.deobfuscators.Confuser {
if (proxyType == ProxyCreatorType.Newobj)
if (proxyType == ProxyCreatorType.Newobj)
foundNewobjProxy = true;
foundNewobjProxy = true;
simpleDeobfuscator.Deobfuscate(method);
simpleDeobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
MethodDef nativeMethod = null;
MethodDef nativeMethod = null;
uint magic;
uint magic;
if (FindMagic_v14_r58564(method, out magic)) {
if (FindMagic_v14_r58564(method, out magic)) {
@ -77,7 +77,7 @@ namespace de4dot.code.deobfuscators.Confuser {
return false;
return false;
if (!DotNetUtils.CallsMethod(method, "System.Void System.AppDomain::add_ResourceResolve(System.ResolveEventHandler)"))
if (!DotNetUtils.CallsMethod(method, "System.Void System.AppDomain::add_ResourceResolve(System.ResolveEventHandler)"))
return false;
return false;
simpleDeobfuscator.Deobfuscate(method, true);
simpleDeobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.Force | SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
fields.Clear();
fields.Clear();
var tmpHandler = GetHandler(method);
var tmpHandler = GetHandler(method);
@ -88,7 +88,7 @@ namespace de4dot.code.deobfuscators.Confuser {
if (tmpResource == null)
if (tmpResource == null)
return false;
return false;
simpleDeobfuscator.Deobfuscate(tmpHandler, true);
simpleDeobfuscator.Deobfuscate(tmpHandler, SimpleDeobfuscatorFlags.Force | SimpleDeobfuscatorFlags.DisableConstantsFolderExtraInstrs);
ConfuserVersion tmpVersion = ConfuserVersion.Unknown;
ConfuserVersion tmpVersion = ConfuserVersion.Unknown;
if (DotNetUtils.CallsMethod(tmpHandler, "System.Object System.AppDomain::GetData(System.String)")) {
if (DotNetUtils.CallsMethod(tmpHandler, "System.Object System.AppDomain::GetData(System.String)")) {
if (!DotNetUtils.CallsMethod(tmpHandler, "System.Void System.Buffer::BlockCopy(System.Array,System.Int32,System.Array,System.Int32,System.Int32)")) {
if (!DotNetUtils.CallsMethod(tmpHandler, "System.Void System.Buffer::BlockCopy(System.Array,System.Int32,System.Array,System.Int32,System.Int32)")) {
@ -109,7 +109,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
bool InitializeArrays2(ISimpleDeobfuscator simpleDeobfuscator, MethodDef method) {
bool InitializeArrays2(ISimpleDeobfuscator simpleDeobfuscator, MethodDef method) {
bool foundField = false;
bool foundField = false;
simpleDeobfuscator.Deobfuscate(method, true);
simpleDeobfuscator.Deobfuscate(method, SimpleDeobfuscatorFlags.Force);
var instructions = method.Body.Instructions;
var instructions = method.Body.Instructions;
for (int i = 0; i < instructions.Count; i++) {
for (int i = 0; i < instructions.Count; i++) {
var ldci4 = instructions[i];
var ldci4 = instructions[i];
@ -17,13 +17,23 @@
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
*/
*/
using System;
using dnlib.DotNet;
using dnlib.DotNet;
namespace de4dot.code.deobfuscators {
namespace de4dot.code.deobfuscators {
[Flags]
public enum SimpleDeobfuscatorFlags : uint {
Force = 0x00000001,
// Hack for Confuser deobfuscator code. That code was written before the
// constants folder was updated and it now breaks the old Confuser code.
DisableConstantsFolderExtraInstrs = 0x00000002,
}
public interface ISimpleDeobfuscator {
public interface ISimpleDeobfuscator {
void MethodModified(MethodDef method);
void MethodModified(MethodDef method);
void Deobfuscate(MethodDef method);
void Deobfuscate(MethodDef method);
void Deobfuscate(MethodDef method, bool force);
void Deobfuscate(MethodDef method, SimpleDeobfuscatorFlags flags);
void DecryptStrings(MethodDef method, IDeobfuscator deob);
void DecryptStrings(MethodDef method, IDeobfuscator deob);
}
}
}
}
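Review bot: `[Flags] public enum SimpleDeobfuscatorFlags : uint` declares no zero member, although the implementation in this same commit already needs one (`Deobfuscate(method, 0)` in the `de4dot.code` hunk); add `None = 0,` as the first member so callers can name the empty option set, as the `[Flags]` convention expects. `Force` also deserves the one-line comment its sibling gets, e.g. `/// Deobfuscate even if the method has already been processed.`, which is what the `!force && Check(method, SimpleDeobFlags.HasDeobfuscated)` guard in the implementation does. The existing comment on `DisableConstantsFolderExtraInstrs` could name the `ConstantsFolder.DisableNewCode` property it ends up driving, so the hack is traceable end to end when the old Confuser code is eventually updated and the flag removed. The enum and the interface are complete within the hunk.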