Port CodeFort deobfuscator
This commit is contained in:
de4dot
parent
4393df31d9
commit
10e83acebc
|
|
@ -309,21 +309,25 @@ namespace de4dot.blocks {
|
|||
return null;
|
||||
return getMethod(module, method, method.DeclaringType);
|
||||
}
|
||||
#endif
|
||||
|
||||
public static MethodDef getMethod2(ModuleDefinition module, MethodReference method) {
|
||||
public static MethodDef getMethod2(ModuleDefMD module, IMethod method) {
|
||||
if (method == null)
|
||||
return null;
|
||||
return getMethod(module, method, method.DeclaringType.GetElementType());
|
||||
if (method is MethodDef)
|
||||
return (MethodDef)method;
|
||||
var git = method.DeclaringType.ToGenericInstSig();
|
||||
var dt = git == null ? method.DeclaringType : git.GenericType.TypeDefOrRef;
|
||||
return getMethod(module, method, dt);
|
||||
}
|
||||
|
||||
static MethodDef getMethod(ModuleDefinition module, MethodReference method, TypeReference declaringType) {
|
||||
static MethodDef getMethod(ModuleDefMD module, IMethod method, ITypeDefOrRef declaringType) {
|
||||
if (method == null)
|
||||
return null;
|
||||
if (method is MethodDef)
|
||||
return (MethodDef)method;
|
||||
return getMethod(getType(module, declaringType), method);
|
||||
}
|
||||
#endif
|
||||
|
||||
public static MethodDef getMethod(TypeDef type, string returnType, string parameters) {
|
||||
foreach (var method in type.Methods) {
|
||||
|
|
|
|||
|
|
@ -93,13 +93,13 @@
|
|||
<Compile Include="deobfuscators\Babel_NET\ResourceResolver.cs" />
|
||||
<Compile Include="deobfuscators\Babel_NET\StringDecrypter.cs" />
|
||||
<Compile Include="deobfuscators\Blowfish.cs" />
|
||||
<None Include="deobfuscators\CodeFort\AssemblyData.cs" />
|
||||
<None Include="deobfuscators\CodeFort\AssemblyDecrypter.cs" />
|
||||
<None Include="deobfuscators\CodeFort\CfMethodCallInliner.cs" />
|
||||
<None Include="deobfuscators\CodeFort\Deobfuscator.cs" />
|
||||
<None Include="deobfuscators\CodeFort\PasswordFinder.cs" />
|
||||
<None Include="deobfuscators\CodeFort\ProxyCallFixer.cs" />
|
||||
<None Include="deobfuscators\CodeFort\StringDecrypter.cs" />
|
||||
<Compile Include="deobfuscators\CodeFort\AssemblyData.cs" />
|
||||
<Compile Include="deobfuscators\CodeFort\AssemblyDecrypter.cs" />
|
||||
<Compile Include="deobfuscators\CodeFort\CfMethodCallInliner.cs" />
|
||||
<Compile Include="deobfuscators\CodeFort\Deobfuscator.cs" />
|
||||
<Compile Include="deobfuscators\CodeFort\PasswordFinder.cs" />
|
||||
<Compile Include="deobfuscators\CodeFort\ProxyCallFixer.cs" />
|
||||
<Compile Include="deobfuscators\CodeFort\StringDecrypter.cs" />
|
||||
<None Include="deobfuscators\CodeVeil\AssemblyResolver.cs" />
|
||||
<None Include="deobfuscators\CodeVeil\Deobfuscator.cs" />
|
||||
<None Include="deobfuscators\CodeVeil\ErexResourceReader.cs" />
|
||||
|
|
|
|||
|
|
@ -25,21 +25,21 @@ using System.Reflection.Emit;
|
|||
using System.Text;
|
||||
|
||||
namespace de4dot.code.deobfuscators.CodeFort {
|
||||
interface IType {
|
||||
interface ICFType {
|
||||
Type get(SerializedTypes serializedTypes);
|
||||
}
|
||||
|
||||
static class ITypeCreator {
|
||||
public static IType create(string name) {
|
||||
public static ICFType create(string name) {
|
||||
return new StringType(name);
|
||||
}
|
||||
|
||||
public static IType create(Type type) {
|
||||
public static ICFType create(Type type) {
|
||||
return new ExistingType(type);
|
||||
}
|
||||
}
|
||||
|
||||
class StringType : IType {
|
||||
class StringType : ICFType {
|
||||
readonly string name;
|
||||
|
||||
public StringType(string name) {
|
||||
|
|
@ -55,7 +55,7 @@ namespace de4dot.code.deobfuscators.CodeFort {
|
|||
}
|
||||
}
|
||||
|
||||
class ExistingType : IType {
|
||||
class ExistingType : ICFType {
|
||||
readonly Type type;
|
||||
|
||||
public ExistingType(Type type) {
|
||||
|
|
@ -71,19 +71,19 @@ namespace de4dot.code.deobfuscators.CodeFort {
|
|||
}
|
||||
}
|
||||
|
||||
class GenericType : IType {
|
||||
IType type;
|
||||
IType[] genericArgs;
|
||||
class GenericType : ICFType {
|
||||
ICFType type;
|
||||
ICFType[] genericArgs;
|
||||
|
||||
public GenericType(string type, IType[] genericArgs)
|
||||
public GenericType(string type, ICFType[] genericArgs)
|
||||
: this(ITypeCreator.create(type), genericArgs) {
|
||||
}
|
||||
|
||||
public GenericType(Type type, IType[] genericArgs)
|
||||
public GenericType(Type type, ICFType[] genericArgs)
|
||||
: this(ITypeCreator.create(type), genericArgs) {
|
||||
}
|
||||
|
||||
public GenericType(IType type, IType[] genericArgs) {
|
||||
public GenericType(ICFType type, ICFType[] genericArgs) {
|
||||
this.type = type;
|
||||
this.genericArgs = genericArgs;
|
||||
}
|
||||
|
|
@ -129,8 +129,8 @@ namespace de4dot.code.deobfuscators.CodeFort {
|
|||
: this(ITypeCreator.create(type)) {
|
||||
}
|
||||
|
||||
public ListType(IType type)
|
||||
: base(typeof(List<>), new IType[] { type }) {
|
||||
public ListType(ICFType type)
|
||||
: base(typeof(List<>), new ICFType[] { type }) {
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -153,7 +153,7 @@ namespace de4dot.code.deobfuscators.CodeFort {
|
|||
}
|
||||
|
||||
class TypeInfo : TypeInfoBase {
|
||||
public readonly IType baseType;
|
||||
public readonly ICFType baseType;
|
||||
public readonly TypeFieldInfo[] fieldInfos;
|
||||
|
||||
public TypeInfo(string name, string dcName, TypeFieldInfo[] fieldInfos)
|
||||
|
|
@ -164,11 +164,11 @@ namespace de4dot.code.deobfuscators.CodeFort {
|
|||
: this(ITypeCreator.create(typeof(object)), name, dcNamespace, dcName, fieldInfos) {
|
||||
}
|
||||
|
||||
public TypeInfo(IType baseType, string name, string dcName, TypeFieldInfo[] fieldInfos)
|
||||
public TypeInfo(ICFType baseType, string name, string dcName, TypeFieldInfo[] fieldInfos)
|
||||
: this(baseType, name, "", dcName, fieldInfos) {
|
||||
}
|
||||
|
||||
public TypeInfo(IType baseType, string name, string dcNamespace, string dcName, TypeFieldInfo[] fieldInfos)
|
||||
public TypeInfo(ICFType baseType, string name, string dcNamespace, string dcName, TypeFieldInfo[] fieldInfos)
|
||||
: base(name, dcNamespace, dcName) {
|
||||
this.baseType = baseType;
|
||||
this.fieldInfos = fieldInfos;
|
||||
|
|
@ -176,7 +176,7 @@ namespace de4dot.code.deobfuscators.CodeFort {
|
|||
}
|
||||
|
||||
class TypeFieldInfo {
|
||||
public readonly IType type;
|
||||
public readonly ICFType type;
|
||||
public readonly string name;
|
||||
public readonly string dmName;
|
||||
|
||||
|
|
@ -188,7 +188,7 @@ namespace de4dot.code.deobfuscators.CodeFort {
|
|||
: this(ITypeCreator.create(type), name, dmName) {
|
||||
}
|
||||
|
||||
public TypeFieldInfo(IType type, string name, string dmName) {
|
||||
public TypeFieldInfo(ICFType type, string name, string dmName) {
|
||||
this.type = type;
|
||||
this.name = name;
|
||||
this.dmName = dmName;
|
||||
|
|
|
|||
|
|
@ -23,13 +23,14 @@ using System.IO;
|
|||
using System.Security.Cryptography;
|
||||
using System.Text;
|
||||
using System.Text.RegularExpressions;
|
||||
using dot10.IO;
|
||||
using dot10.DotNet;
|
||||
using dot10.DotNet.Emit;
|
||||
using de4dot.blocks;
|
||||
|
||||
namespace de4dot.code.deobfuscators.CodeFort {
|
||||
class AssemblyDecrypter {
|
||||
ModuleDefinition module;
|
||||
ModuleDefMD module;
|
||||
EmbeddedResource assemblyEncryptedResource;
|
||||
PasswordInfo embedPassword;
|
||||
MethodDef embedInitMethod;
|
||||
|
|
@ -75,11 +76,11 @@ namespace de4dot.code.deobfuscators.CodeFort {
|
|||
get { return embedInitMethod; }
|
||||
}
|
||||
|
||||
public AssemblyDecrypter(ModuleDefinition module) {
|
||||
public AssemblyDecrypter(ModuleDefMD module) {
|
||||
this.module = module;
|
||||
}
|
||||
|
||||
public AssemblyDecrypter(ModuleDefinition module, AssemblyDecrypter oldOne) {
|
||||
public AssemblyDecrypter(ModuleDefMD module, AssemblyDecrypter oldOne) {
|
||||
this.module = module;
|
||||
this.embedPassword = oldOne.embedPassword;
|
||||
}
|
||||
|
|
@ -192,7 +193,7 @@ namespace de4dot.code.deobfuscators.CodeFort {
|
|||
if (assemblyEncryptedResource == null)
|
||||
return null;
|
||||
|
||||
var reader = new BinaryReader(assemblyEncryptedResource.GetResourceStream());
|
||||
var reader = new BinaryReader(new MemoryStream(assemblyEncryptedResource.Data.ReadAllBytes()));
|
||||
var encryptedData = DeobUtils.gunzip(reader.BaseStream, reader.ReadInt32());
|
||||
reader = new BinaryReader(new MemoryStream(encryptedData));
|
||||
var serializedData = reader.ReadBytes(reader.ReadInt32());
|
||||
|
|
@ -235,12 +236,12 @@ namespace de4dot.code.deobfuscators.CodeFort {
|
|||
var resource = rsrc as EmbeddedResource;
|
||||
if (resource == null)
|
||||
continue;
|
||||
if (!Regex.IsMatch(resource.Name, "^cfd_([0-9a-f]{2})+_$"))
|
||||
if (!Regex.IsMatch(resource.Name.String, "^cfd_([0-9a-f]{2})+_$"))
|
||||
continue;
|
||||
|
||||
var asmData = decrypt(embedPassword, gunzip(resource.GetResourceData()));
|
||||
var mod = ModuleDefinition.ReadModule(new MemoryStream(asmData));
|
||||
infos.Add(new AssemblyInfo(asmData, resource, mod.Assembly.FullName, mod.Assembly.Name.Name, DeobUtils.getExtension(mod.Kind)));
|
||||
var asmData = decrypt(embedPassword, gunzip(resource.Data.ReadAllBytes()));
|
||||
var mod = ModuleDefMD.Load(asmData);
|
||||
infos.Add(new AssemblyInfo(asmData, resource, mod.Assembly.FullName, mod.Assembly.Name.String, DeobUtils.getExtension(mod.Kind)));
|
||||
}
|
||||
|
||||
return infos;
|
||||
|
|
@ -262,7 +263,7 @@ namespace de4dot.code.deobfuscators.CodeFort {
|
|||
var salt = getString(ldstr2, instrs, ref index);
|
||||
|
||||
var ldci4 = instrs[index++];
|
||||
if (!DotNetUtils.isLdcI4(ldci4))
|
||||
if (!ldci4.IsLdcI4())
|
||||
continue;
|
||||
|
||||
var ldstr3 = instrs[index++];
|
||||
|
|
@ -284,10 +285,10 @@ namespace de4dot.code.deobfuscators.CodeFort {
|
|||
if (call.OpCode.Code != Code.Call && call.OpCode.Code != Code.Callvirt)
|
||||
return s;
|
||||
index++;
|
||||
var calledMethod = call.Operand as MethodReference;
|
||||
if (calledMethod.Name == "ToUpper")
|
||||
var calledMethod = call.Operand as IMethod;
|
||||
if (calledMethod.Name.String == "ToUpper")
|
||||
return s.ToUpper();
|
||||
if (calledMethod.Name == "ToLower")
|
||||
if (calledMethod.Name.String == "ToLower")
|
||||
return s.ToLower();
|
||||
throw new ApplicationException(string.Format("Unknown method {0}", calledMethod));
|
||||
}
|
||||
|
|
|
|||
|
|
@ -34,7 +34,7 @@ namespace de4dot.code.deobfuscators.CodeFort {
|
|||
return proxyCallFixer.isProxyTargetMethod(method);
|
||||
}
|
||||
|
||||
protected override bool isCompatibleType(int paramIndex, TypeReference origType, TypeReference newType) {
|
||||
protected override bool isCompatibleType(int paramIndex, IType origType, IType newType) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -20,7 +20,6 @@
|
|||
using System;
|
||||
using System.Collections.Generic;
|
||||
using dot10.DotNet;
|
||||
using Mono.MyStuff;
|
||||
using de4dot.blocks;
|
||||
using de4dot.PE;
|
||||
|
||||
|
|
@ -115,7 +114,7 @@ namespace de4dot.code.deobfuscators.CodeFort {
|
|||
return newFileData != null;
|
||||
}
|
||||
|
||||
public override IDeobfuscator moduleReloaded(ModuleDefinition module) {
|
||||
public override IDeobfuscator moduleReloaded(ModuleDefMD module) {
|
||||
var newOne = new Deobfuscator(options);
|
||||
newOne.setModule(module);
|
||||
newOne.proxyCallFixer = new ProxyCallFixer(module);
|
||||
|
|
|
|||
|
|
@ -25,7 +25,6 @@ using de4dot.blocks;
|
|||
|
||||
namespace de4dot.code.deobfuscators.CodeFort {
|
||||
class ProxyCallFixer : ProxyCallFixer3 {
|
||||
IList<MemberReference> memberReferences;
|
||||
MethodDefinitionAndDeclaringTypeDict<bool> proxyTargetMethods = new MethodDefinitionAndDeclaringTypeDict<bool>();
|
||||
TypeDef proxyMethodsType;
|
||||
|
||||
|
|
@ -33,11 +32,11 @@ namespace de4dot.code.deobfuscators.CodeFort {
|
|||
get { return proxyMethodsType; }
|
||||
}
|
||||
|
||||
public ProxyCallFixer(ModuleDefinition module)
|
||||
public ProxyCallFixer(ModuleDefMD module)
|
||||
: base(module) {
|
||||
}
|
||||
|
||||
public bool isProxyTargetMethod(MethodReference method) {
|
||||
public bool isProxyTargetMethod(IMethod method) {
|
||||
return proxyTargetMethods.find(method);
|
||||
}
|
||||
|
||||
|
|
@ -55,7 +54,7 @@ namespace de4dot.code.deobfuscators.CodeFort {
|
|||
static MethodDef checkType(TypeDef type) {
|
||||
if (type.Fields.Count != 1)
|
||||
return null;
|
||||
if (type.Fields[0].FieldType.FullName != "System.Reflection.Module")
|
||||
if (type.Fields[0].FieldSig.GetFieldType().GetFullName() != "System.Reflection.Module")
|
||||
return null;
|
||||
return checkMethods(type);
|
||||
}
|
||||
|
|
@ -85,29 +84,26 @@ namespace de4dot.code.deobfuscators.CodeFort {
|
|||
if (instrs.Count != 3)
|
||||
return null;
|
||||
var ldci4 = instrs[0];
|
||||
if (!DotNetUtils.isLdcI4(ldci4))
|
||||
if (!ldci4.IsLdcI4())
|
||||
return null;
|
||||
var call = instrs[1];
|
||||
if (call.OpCode.Code != Code.Call)
|
||||
return null;
|
||||
if (!isDelegateCreatorMethod(call.Operand as MethodDef))
|
||||
return null;
|
||||
int rid = DotNetUtils.getLdcI4Value(ldci4);
|
||||
if (cctor.DeclaringType.MDToken.RID != rid)
|
||||
int rid = ldci4.GetLdcI4Value();
|
||||
if (cctor.DeclaringType.Rid != rid)
|
||||
throw new ApplicationException("Invalid rid");
|
||||
return rid;
|
||||
}
|
||||
|
||||
protected override void getCallInfo(object context, FieldDef field, out MethodReference calledMethod, out OpCode callOpcode) {
|
||||
if (memberReferences == null)
|
||||
memberReferences = new List<MemberReference>(module.GetMemberReferences());
|
||||
|
||||
int rid = 0;
|
||||
foreach (var c in field.Name)
|
||||
rid = (rid << 4) + hexToInt((char)((byte)c + 0x2F));
|
||||
protected override void getCallInfo(object context, FieldDef field, out IMethod calledMethod, out OpCode callOpcode) {
|
||||
uint rid = 0;
|
||||
foreach (var c in field.Name.String)
|
||||
rid = (rid << 4) + (uint)hexToInt((char)((byte)c + 0x2F));
|
||||
rid &= 0x00FFFFFF;
|
||||
calledMethod = (MethodReference)memberReferences[rid - 1];
|
||||
var calledMethodDef = DotNetUtils.getMethod(module, calledMethod);
|
||||
calledMethod = module.ResolveMemberRef(rid);
|
||||
var calledMethodDef = DotNetUtils.getMethod2(module, calledMethod);
|
||||
if (calledMethodDef != null) {
|
||||
proxyMethodsType = calledMethodDef.DeclaringType;
|
||||
proxyTargetMethods.add(calledMethodDef, true);
|
||||
|
|
|
|||
|
|
@ -24,7 +24,7 @@ using de4dot.blocks;
|
|||
|
||||
namespace de4dot.code.deobfuscators.CodeFort {
|
||||
class StringDecrypter {
|
||||
ModuleDefinition module;
|
||||
ModuleDefMD module;
|
||||
MethodDef decryptMethod;
|
||||
|
||||
public bool Detected {
|
||||
|
|
@ -39,7 +39,7 @@ namespace de4dot.code.deobfuscators.CodeFort {
|
|||
get { return decryptMethod == null ? null : decryptMethod.DeclaringType; }
|
||||
}
|
||||
|
||||
public StringDecrypter(ModuleDefinition module) {
|
||||
public StringDecrypter(ModuleDefMD module) {
|
||||
this.module = module;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -39,8 +39,8 @@ namespace de4dot.cui {
|
|||
new de4dot.code.deobfuscators.Unknown.DeobfuscatorInfo(),
|
||||
new de4dot.code.deobfuscators.Agile_NET.DeobfuscatorInfo(),
|
||||
new de4dot.code.deobfuscators.Babel_NET.DeobfuscatorInfo(),
|
||||
#if PORT
|
||||
new de4dot.code.deobfuscators.CodeFort.DeobfuscatorInfo(),
|
||||
#if PORT
|
||||
new de4dot.code.deobfuscators.CodeVeil.DeobfuscatorInfo(),
|
||||
new de4dot.code.deobfuscators.CodeWall.DeobfuscatorInfo(),
|
||||
new de4dot.code.deobfuscators.CryptoObfuscator.DeobfuscatorInfo(),
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user