Support DS obfuscated SL assemblies

de4dot 2012-03-17 14:50:56 +01:00
parent 37450a1515
commit 0b858c47ed
3 changed files with 73 additions and 15 deletions


@ -71,16 +71,58 @@ namespace de4dot.code.deobfuscators.DeepSea {
: base(module, simpleDeobfuscator, deob) { : base(module, simpleDeobfuscator, deob) {
} }
static string[] requiredLocals_sl = new string[] {
"System.Byte[]",
"System.IO.Stream",
"System.Reflection.Assembly",
"System.Security.Cryptography.SHA1Managed",
"System.Windows.AssemblyPart",
};
protected override bool checkResolverInitMethodSilverlight(MethodDefinition resolverInitMethod) {
if (resolverInitMethod.Body.ExceptionHandlers.Count != 1)
return false;
foreach (var info in DotNetUtils.getCalledMethods(module, resolverInitMethod)) {
var method = info.Item2;
if (!method.IsStatic || method.Body == null)
continue;
if (!method.IsPublic || method.HasGenericParameters)
continue;
if (!DotNetUtils.isMethod(method, "System.Void", "(System.String)"))
continue;
if (!new LocalTypes(method).all(requiredLocals_sl))
continue;
initMethod = resolverInitMethod;
resolveHandler = method;
updateVersion(resolveHandler);
return true;
}
return false;
}
void updateVersion(MethodDefinition handler) {
if (isV3Old(handler))
version = Version.V3Old;
else
version = Version.V3;
}
static bool isV3Old(MethodDefinition method) {
return DotNetUtils.callsMethod(method, "System.Int32 System.IO.Stream::Read(System.Byte[],System.Int32,System.Int32)") &&
!DotNetUtils.callsMethod(method, "System.Int32 System.IO.Stream::ReadByte()") &&
// Obfuscated System.Int32 System.IO.Stream::ReadByte()
!DotNetUtils.callsMethod(method, "System.Int32", "(System.IO.Stream,System.Int32,System.Int32)");
}
protected override bool checkResolverInitMethodInternal(MethodDefinition resolverInitMethod) { protected override bool checkResolverInitMethodInternal(MethodDefinition resolverInitMethod) {
return checkIfCalled(resolverInitMethod, "System.Void System.AppDomain::add_AssemblyResolve(System.ResolveEventHandler)"); return checkIfCalled(resolverInitMethod, "System.Void System.AppDomain::add_AssemblyResolve(System.ResolveEventHandler)");
} }
protected override bool checkHandlerMethodInternal(MethodDefinition handler) { protected override bool checkHandlerMethodDesktopInternal(MethodDefinition handler) {
if (checkHandlerV3(handler) || checkHandlerSL(handler)) { if (checkHandlerV3(handler) || checkHandlerSL(handler)) {
if (isV3Old(handler)) updateVersion(handler);
version = Version.V3Old;
else
version = Version.V3;
return true; return true;
} }
@ -96,11 +138,6 @@ namespace de4dot.code.deobfuscators.DeepSea {
return false; return false;
} }
static bool isV3Old(MethodDefinition method) {
return DotNetUtils.callsMethod(method, "System.Int32 System.IO.Stream::Read(System.Byte[],System.Int32,System.Int32)") &&
!DotNetUtils.callsMethod(method, "System.Int32 System.IO.Stream::ReadByte()");
}
static string[] handlerLocalTypes_NET = new string[] { static string[] handlerLocalTypes_NET = new string[] {
"System.Byte[]", "System.Byte[]",
"System.IO.Compression.DeflateStream", "System.IO.Compression.DeflateStream",
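Review bot: The third clause added to `isV3Old` matches any callee that returns `System.Int32` and takes `(System.IO.Stream,System.Int32,System.Int32)`, by signature alone, so an unrelated helper of that shape called from the handler would make `updateVersion` select `Version.V3` for a V3Old sample. The comment calls it an obfuscated `Stream::ReadByte()` but does not say why the stand-in carries two extra `Int32` arguments. I would expand it to something like `// DS replaces Stream::ReadByte() with a proxy taking the stream plus two Int32 args; matched by signature only, so it can false-positive` (wording for the author to confirm). Separately, `checkResolverInitMethodSilverlight` repeats the `ExceptionHandlers.Count != 1` test that the base `checkResolverInitMethod` appears to run before dispatching, so one of the two can go.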


@ -30,6 +30,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
protected IDeobfuscator deob; protected IDeobfuscator deob;
protected MethodDefinition initMethod; protected MethodDefinition initMethod;
protected MethodDefinition resolveHandler; protected MethodDefinition resolveHandler;
protected FrameworkType frameworkType;
public MethodDefinition InitMethod { public MethodDefinition InitMethod {
get { return initMethod; } get { return initMethod; }
@ -45,6 +46,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
public ResolverBase(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) { public ResolverBase(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
this.module = module; this.module = module;
this.frameworkType = DotNetUtils.getFrameworkType(module);
this.simpleDeobfuscator = simpleDeobfuscator; this.simpleDeobfuscator = simpleDeobfuscator;
this.deob = deob; this.deob = deob;
} }
@ -77,12 +79,27 @@ namespace de4dot.code.deobfuscators.DeepSea {
bool checkResolverInitMethod(MethodDefinition resolverInitMethod) { bool checkResolverInitMethod(MethodDefinition resolverInitMethod) {
if (resolverInitMethod == null || resolverInitMethod.Body == null) if (resolverInitMethod == null || resolverInitMethod.Body == null)
return false; return false;
if (resolverInitMethod.Body.ExceptionHandlers.Count != 1)
return false;
switch (frameworkType) {
case FrameworkType.Silverlight:
return checkResolverInitMethodSilverlight(resolverInitMethod);
case FrameworkType.Unknown:
case FrameworkType.Desktop:
case FrameworkType.CompactFramework:
case FrameworkType.Zune:
default:
return checkResolverInitMethodDesktop(resolverInitMethod);
}
}
bool checkResolverInitMethodDesktop(MethodDefinition resolverInitMethod) {
if (!checkResolverInitMethodInternal(resolverInitMethod)) if (!checkResolverInitMethodInternal(resolverInitMethod))
return false; return false;
foreach (var resolveHandlerMethod in getLdftnMethods(resolverInitMethod)) { foreach (var resolveHandlerMethod in getLdftnMethods(resolverInitMethod)) {
if (!checkHandlerMethod(resolveHandlerMethod)) if (!checkHandlerMethodDesktop(resolveHandlerMethod))
continue; continue;
initMethod = resolverInitMethod; initMethod = resolverInitMethod;
@ -93,6 +110,10 @@ namespace de4dot.code.deobfuscators.DeepSea {
return false; return false;
} }
protected virtual bool checkResolverInitMethodSilverlight(MethodDefinition resolverInitMethod) {
return false;
}
protected abstract bool checkResolverInitMethodInternal(MethodDefinition resolverInitMethod); protected abstract bool checkResolverInitMethodInternal(MethodDefinition resolverInitMethod);
protected static bool checkIfCalled(MethodDefinition method, string fullName) { protected static bool checkIfCalled(MethodDefinition method, string fullName) {
@ -120,15 +141,15 @@ namespace de4dot.code.deobfuscators.DeepSea {
return list; return list;
} }
bool checkHandlerMethod(MethodDefinition handler) { bool checkHandlerMethodDesktop(MethodDefinition handler) {
if (handler == null || handler.Body == null || !handler.IsStatic) if (handler == null || handler.Body == null || !handler.IsStatic)
return false; return false;
if (!DotNetUtils.isMethod(handler, "System.Reflection.Assembly", "(System.Object,System.ResolveEventArgs)")) if (!DotNetUtils.isMethod(handler, "System.Reflection.Assembly", "(System.Object,System.ResolveEventArgs)"))
return false; return false;
return checkHandlerMethodInternal(handler); return checkHandlerMethodDesktopInternal(handler);
} }
protected abstract bool checkHandlerMethodInternal(MethodDefinition handler); protected abstract bool checkHandlerMethodDesktopInternal(MethodDefinition handler);
// 3.0.3.41 - 3.0.4.44 // 3.0.3.41 - 3.0.4.44
protected static byte[] decryptResourceV3Old(EmbeddedResource resource) { protected static byte[] decryptResourceV3Old(EmbeddedResource resource) {
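Review bot: The new virtual `checkResolverInitMethodSilverlight` has a different contract from the desktop path, and nothing documents it. On the desktop path the base class assigns `initMethod` (and presumably `resolveHandler`) itself inside `checkResolverInitMethodDesktop`, whereas the only Silverlight override visible on this page assigns both fields before returning true. An override that returns true without setting them would leave `resolveHandler` unset with no error. I would put a comment on the virtual, e.g. `// Overrides must set initMethod and resolveHandler before returning true; the base returns false, so resolvers without a Silverlight variant are skipped on Silverlight modules.` The `switch` in `checkResolverInitMethod` could also shrink to a single `if (frameworkType == FrameworkType.Silverlight)`, since every other label falls through to `default`.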


@ -45,7 +45,7 @@ namespace de4dot.code.deobfuscators.DeepSea {
return checkIfCalled(resolverInitMethod, "System.Void System.AppDomain::add_ResourceResolve(System.ResolveEventHandler)"); return checkIfCalled(resolverInitMethod, "System.Void System.AppDomain::add_ResourceResolve(System.ResolveEventHandler)");
} }
protected override bool checkHandlerMethodInternal(MethodDefinition handler) { protected override bool checkHandlerMethodDesktopInternal(MethodDefinition handler) {
if (checkHandlerV3(handler)) { if (checkHandlerV3(handler)) {
isV3 = true; isV3 = true;
return true; return true;