Update methods decrypter and string decrypter
This commit is contained in:
parent
39dbf5d9b2
commit
09178a6e95
|
@ -162,6 +162,11 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
|
||||||
return stringDecrypter.decrypt(method2, (int)args[0]);
|
return stringDecrypter.decrypt(method2, (int)args[0]);
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
if (stringDecrypter.OtherStringDecrypter != null) {
|
||||||
|
staticStringDecrypter.add(stringDecrypter.OtherStringDecrypter, (method2, args) => {
|
||||||
|
return stringDecrypter.decrypt((string)args[0]);
|
||||||
|
});
|
||||||
|
}
|
||||||
DeobfuscatedFile.stringDecryptersAdded();
|
DeobfuscatedFile.stringDecryptersAdded();
|
||||||
|
|
||||||
if (Operations.DecryptStrings != OpDecryptString.None)
|
if (Operations.DecryptStrings != OpDecryptString.None)
|
||||||
|
|
|
@ -112,40 +112,45 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
|
||||||
var methodsDataReader = new BinaryReader(new MemoryStream(methodsData));
|
var methodsDataReader = new BinaryReader(new MemoryStream(methodsData));
|
||||||
int patchCount = methodsDataReader.ReadInt32();
|
int patchCount = methodsDataReader.ReadInt32();
|
||||||
int mode = methodsDataReader.ReadInt32();
|
int mode = methodsDataReader.ReadInt32();
|
||||||
if (!useXorKey || mode == 1) {
|
|
||||||
// Here if DNR 4.0, 4.1
|
int tmp = methodsDataReader.ReadInt32();
|
||||||
for (int i = 0; i < patchCount; i++) {
|
methodsDataReader.BaseStream.Position -= 4;
|
||||||
uint rva = methodsDataReader.ReadUInt32();
|
if ((tmp & 0xFF000000) == 0x06000000) {
|
||||||
uint data = methodsDataReader.ReadUInt32();
|
// It's method token + rva. DNR <= 3.9.0.1 ???
|
||||||
peImage.write(rva, BitConverter.GetBytes(data));
|
methodsDataReader.BaseStream.Position += 8 * patchCount;
|
||||||
}
|
patchCount = methodsDataReader.ReadInt32();
|
||||||
|
mode = methodsDataReader.ReadInt32();
|
||||||
|
|
||||||
|
patchDwords(peImage, methodsDataReader, patchCount);
|
||||||
while (methodsDataReader.BaseStream.Position < methodsData.Length - 1) {
|
while (methodsDataReader.BaseStream.Position < methodsData.Length - 1) {
|
||||||
uint rva = methodsDataReader.ReadUInt32();
|
|
||||||
uint token = methodsDataReader.ReadUInt32();
|
uint token = methodsDataReader.ReadUInt32();
|
||||||
int size = methodsDataReader.ReadInt32();
|
int numDwords = methodsDataReader.ReadInt32();
|
||||||
if (size > 0)
|
patchDwords(peImage, methodsDataReader, numDwords / 2);
|
||||||
peImage.write(rva, methodsDataReader.ReadBytes(size));
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
for (int i = 0; i < patchCount; i++) {
|
// DNR 3.9.8.0, 4.0, 4.1, 4.2
|
||||||
uint rva = methodsDataReader.ReadUInt32();
|
patchDwords(peImage, methodsDataReader, patchCount);
|
||||||
uint data = methodsDataReader.ReadUInt32();
|
|
||||||
peImage.write(rva, BitConverter.GetBytes(data));
|
|
||||||
}
|
|
||||||
int count = methodsDataReader.ReadInt32();
|
|
||||||
while (methodsDataReader.BaseStream.Position < methodsData.Length - 1) {
|
while (methodsDataReader.BaseStream.Position < methodsData.Length - 1) {
|
||||||
uint rva = methodsDataReader.ReadUInt32();
|
uint rva = methodsDataReader.ReadUInt32();
|
||||||
uint token = methodsDataReader.ReadUInt32();
|
uint token = methodsDataReader.ReadUInt32();
|
||||||
int size = methodsDataReader.ReadInt32();
|
int size = methodsDataReader.ReadInt32();
|
||||||
if (size > 0)
|
if (size > 0)
|
||||||
peImage.write(rva, methodsDataReader.ReadBytes(size));
|
peImage.dotNetSafeWrite(rva, methodsDataReader.ReadBytes(size));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static void patchDwords(PE.PeImage peImage, BinaryReader reader, int count) {
|
||||||
|
for (int i = 0; i < count; i++) {
|
||||||
|
uint rva = reader.ReadUInt32();
|
||||||
|
uint data = reader.ReadUInt32();
|
||||||
|
peImage.dotNetSafeWrite(rva, BitConverter.GetBytes(data));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
void initXorKey() {
|
void initXorKey() {
|
||||||
useXorKey = false;
|
useXorKey = false;
|
||||||
|
|
||||||
|
|
|
@ -30,6 +30,7 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
|
||||||
ModuleDefinition module;
|
ModuleDefinition module;
|
||||||
EncryptedResource encryptedResource;
|
EncryptedResource encryptedResource;
|
||||||
List<DecrypterInfo> decrypterInfos = new List<DecrypterInfo>();
|
List<DecrypterInfo> decrypterInfos = new List<DecrypterInfo>();
|
||||||
|
MethodDefinition otherStringDecrypter;
|
||||||
byte[] decryptedData;
|
byte[] decryptedData;
|
||||||
PE.PeImage peImage;
|
PE.PeImage peImage;
|
||||||
|
|
||||||
|
@ -57,6 +58,10 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
|
||||||
get { return decrypterInfos; }
|
get { return decrypterInfos; }
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public MethodDefinition OtherStringDecrypter {
|
||||||
|
get { return otherStringDecrypter; }
|
||||||
|
}
|
||||||
|
|
||||||
public StringDecrypter(ModuleDefinition module) {
|
public StringDecrypter(ModuleDefinition module) {
|
||||||
this.module = module;
|
this.module = module;
|
||||||
this.encryptedResource = new EncryptedResource(module);
|
this.encryptedResource = new EncryptedResource(module);
|
||||||
|
@ -71,6 +76,11 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
|
||||||
throw new ApplicationException("Could not find string decrypter method");
|
throw new ApplicationException("Could not find string decrypter method");
|
||||||
decrypterInfos.Add(new DecrypterInfo(method, oldInfo.key, oldInfo.iv));
|
decrypterInfos.Add(new DecrypterInfo(method, oldInfo.key, oldInfo.iv));
|
||||||
}
|
}
|
||||||
|
if (oldOne.otherStringDecrypter != null) {
|
||||||
|
otherStringDecrypter = module.LookupToken(oldOne.otherStringDecrypter.MetadataToken.ToInt32()) as MethodDefinition;
|
||||||
|
if (otherStringDecrypter == null)
|
||||||
|
throw new ApplicationException("Could not find string decrypter method");
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public void find() {
|
public void find() {
|
||||||
|
@ -79,6 +89,8 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
|
||||||
};
|
};
|
||||||
EmbeddedResource stringsResource = null;
|
EmbeddedResource stringsResource = null;
|
||||||
foreach (var type in module.Types) {
|
foreach (var type in module.Types) {
|
||||||
|
if (decrypterInfos.Count > 0)
|
||||||
|
break;
|
||||||
if (type.BaseType == null || type.BaseType.FullName != "System.Object")
|
if (type.BaseType == null || type.BaseType.FullName != "System.Object")
|
||||||
continue;
|
continue;
|
||||||
foreach (var method in type.Methods) {
|
foreach (var method in type.Methods) {
|
||||||
|
@ -100,6 +112,26 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
|
||||||
decrypterInfos.Add(new DecrypterInfo(method, null, null));
|
decrypterInfos.Add(new DecrypterInfo(method, null, null));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (decrypterInfos.Count > 0)
|
||||||
|
findOtherStringDecrypter(decrypterInfos[0].method.DeclaringType);
|
||||||
|
}
|
||||||
|
|
||||||
|
void findOtherStringDecrypter(TypeDefinition type) {
|
||||||
|
foreach (var method in type.Methods) {
|
||||||
|
if (!method.IsStatic || !method.HasBody)
|
||||||
|
continue;
|
||||||
|
if (method.MethodReturnType.ReturnType.FullName != "System.String")
|
||||||
|
continue;
|
||||||
|
if (method.Parameters.Count != 1)
|
||||||
|
continue;
|
||||||
|
if (method.Parameters[0].ParameterType.FullName != "System.Object" &&
|
||||||
|
method.Parameters[0].ParameterType.FullName != "System.String")
|
||||||
|
continue;
|
||||||
|
|
||||||
|
otherStringDecrypter = method;
|
||||||
|
return;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public void init(PE.PeImage peImage, ISimpleDeobfuscator simpleDeobfuscator) {
|
public void init(PE.PeImage peImage, ISimpleDeobfuscator simpleDeobfuscator) {
|
||||||
|
@ -190,5 +222,10 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
|
||||||
return Encoding.Unicode.GetString(decryptedStringData, 0, decryptedStringData.Length);
|
return Encoding.Unicode.GetString(decryptedStringData, 0, decryptedStringData.Length);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public string decrypt(string s) {
|
||||||
|
var data = Convert.FromBase64String(s);
|
||||||
|
return Encoding.Unicode.GetString(data, 0, data.Length);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue
Block a user