From 10e83acebc8ed936834da0f59c2ee5e13f05c4fe Mon Sep 17 00:00:00 2001 From: de4dot Date: Thu, 8 Nov 2012 07:43:57 +0100 Subject: [PATCH] Port CodeFort deobfuscator --- blocks/DotNetUtils.cs | 12 ++++--- de4dot.code/de4dot.code.csproj | 14 ++++---- .../deobfuscators/CodeFort/AssemblyData.cs | 36 +++++++++---------- .../CodeFort/AssemblyDecrypter.cs | 25 ++++++------- .../CodeFort/CfMethodCallInliner.cs | 2 +- .../deobfuscators/CodeFort/Deobfuscator.cs | 3 +- .../deobfuscators/CodeFort/ProxyCallFixer.cs | 28 +++++++-------- .../deobfuscators/CodeFort/StringDecrypter.cs | 4 +-- de4dot.cui/Program.cs | 2 +- 9 files changed, 63 insertions(+), 63 deletions(-) diff --git a/blocks/DotNetUtils.cs b/blocks/DotNetUtils.cs index 490f5fed..3b00dd69 100644 --- a/blocks/DotNetUtils.cs +++ b/blocks/DotNetUtils.cs @@ -309,21 +309,25 @@ namespace de4dot.blocks { return null; return getMethod(module, method, method.DeclaringType); } +#endif - public static MethodDef getMethod2(ModuleDefinition module, MethodReference method) { + public static MethodDef getMethod2(ModuleDefMD module, IMethod method) { if (method == null) return null; - return getMethod(module, method, method.DeclaringType.GetElementType()); + if (method is MethodDef) + return (MethodDef)method; + var git = method.DeclaringType.ToGenericInstSig(); + var dt = git == null ? method.DeclaringType : git.GenericType.TypeDefOrRef; + return getMethod(module, method, dt); } - static MethodDef getMethod(ModuleDefinition module, MethodReference method, TypeReference declaringType) { + static MethodDef getMethod(ModuleDefMD module, IMethod method, ITypeDefOrRef declaringType) { if (method == null) return null; if (method is MethodDef) return (MethodDef)method; return getMethod(getType(module, declaringType), method); } -#endif public static MethodDef getMethod(TypeDef type, string returnType, string parameters) { foreach (var method in type.Methods) { diff --git a/de4dot.code/de4dot.code.csproj b/de4dot.code/de4dot.code.csproj index 26c2873a..6cf04e0f 100644 --- a/de4dot.code/de4dot.code.csproj +++ b/de4dot.code/de4dot.code.csproj @@ -93,13 +93,13 @@ - - - - - - - + + + + + + + diff --git a/de4dot.code/deobfuscators/CodeFort/AssemblyData.cs b/de4dot.code/deobfuscators/CodeFort/AssemblyData.cs index 374d65be..262bd97a 100644 --- a/de4dot.code/deobfuscators/CodeFort/AssemblyData.cs +++ b/de4dot.code/deobfuscators/CodeFort/AssemblyData.cs @@ -25,21 +25,21 @@ using System.Reflection.Emit; using System.Text; namespace de4dot.code.deobfuscators.CodeFort { - interface IType { + interface ICFType { Type get(SerializedTypes serializedTypes); } static class ITypeCreator { - public static IType create(string name) { + public static ICFType create(string name) { return new StringType(name); } - public static IType create(Type type) { + public static ICFType create(Type type) { return new ExistingType(type); } } - class StringType : IType { + class StringType : ICFType { readonly string name; public StringType(string name) { @@ -55,7 +55,7 @@ namespace de4dot.code.deobfuscators.CodeFort { } } - class ExistingType : IType { + class ExistingType : ICFType { readonly Type type; public ExistingType(Type type) { @@ -71,19 +71,19 @@ namespace de4dot.code.deobfuscators.CodeFort { } } - class GenericType : IType { - IType type; - IType[] genericArgs; + class GenericType : ICFType { + ICFType type; + ICFType[] genericArgs; - public GenericType(string type, IType[] genericArgs) + public GenericType(string type, ICFType[] genericArgs) : this(ITypeCreator.create(type), genericArgs) { } - public GenericType(Type type, IType[] genericArgs) + public GenericType(Type type, ICFType[] genericArgs) : this(ITypeCreator.create(type), genericArgs) { } - public GenericType(IType type, IType[] genericArgs) { + public GenericType(ICFType type, ICFType[] genericArgs) { this.type = type; this.genericArgs = genericArgs; } @@ -129,8 +129,8 @@ namespace de4dot.code.deobfuscators.CodeFort { : this(ITypeCreator.create(type)) { } - public ListType(IType type) - : base(typeof(List<>), new IType[] { type }) { + public ListType(ICFType type) + : base(typeof(List<>), new ICFType[] { type }) { } } @@ -153,7 +153,7 @@ namespace de4dot.code.deobfuscators.CodeFort { } class TypeInfo : TypeInfoBase { - public readonly IType baseType; + public readonly ICFType baseType; public readonly TypeFieldInfo[] fieldInfos; public TypeInfo(string name, string dcName, TypeFieldInfo[] fieldInfos) @@ -164,11 +164,11 @@ namespace de4dot.code.deobfuscators.CodeFort { : this(ITypeCreator.create(typeof(object)), name, dcNamespace, dcName, fieldInfos) { } - public TypeInfo(IType baseType, string name, string dcName, TypeFieldInfo[] fieldInfos) + public TypeInfo(ICFType baseType, string name, string dcName, TypeFieldInfo[] fieldInfos) : this(baseType, name, "", dcName, fieldInfos) { } - public TypeInfo(IType baseType, string name, string dcNamespace, string dcName, TypeFieldInfo[] fieldInfos) + public TypeInfo(ICFType baseType, string name, string dcNamespace, string dcName, TypeFieldInfo[] fieldInfos) : base(name, dcNamespace, dcName) { this.baseType = baseType; this.fieldInfos = fieldInfos; @@ -176,7 +176,7 @@ namespace de4dot.code.deobfuscators.CodeFort { } class TypeFieldInfo { - public readonly IType type; + public readonly ICFType type; public readonly string name; public readonly string dmName; @@ -188,7 +188,7 @@ namespace de4dot.code.deobfuscators.CodeFort { : this(ITypeCreator.create(type), name, dmName) { } - public TypeFieldInfo(IType type, string name, string dmName) { + public TypeFieldInfo(ICFType type, string name, string dmName) { this.type = type; this.name = name; this.dmName = dmName; diff --git a/de4dot.code/deobfuscators/CodeFort/AssemblyDecrypter.cs b/de4dot.code/deobfuscators/CodeFort/AssemblyDecrypter.cs index 5425ea44..29cd26c3 100644 --- a/de4dot.code/deobfuscators/CodeFort/AssemblyDecrypter.cs +++ b/de4dot.code/deobfuscators/CodeFort/AssemblyDecrypter.cs @@ -23,13 +23,14 @@ using System.IO; using System.Security.Cryptography; using System.Text; using System.Text.RegularExpressions; +using dot10.IO; using dot10.DotNet; using dot10.DotNet.Emit; using de4dot.blocks; namespace de4dot.code.deobfuscators.CodeFort { class AssemblyDecrypter { - ModuleDefinition module; + ModuleDefMD module; EmbeddedResource assemblyEncryptedResource; PasswordInfo embedPassword; MethodDef embedInitMethod; @@ -75,11 +76,11 @@ namespace de4dot.code.deobfuscators.CodeFort { get { return embedInitMethod; } } - public AssemblyDecrypter(ModuleDefinition module) { + public AssemblyDecrypter(ModuleDefMD module) { this.module = module; } - public AssemblyDecrypter(ModuleDefinition module, AssemblyDecrypter oldOne) { + public AssemblyDecrypter(ModuleDefMD module, AssemblyDecrypter oldOne) { this.module = module; this.embedPassword = oldOne.embedPassword; } @@ -192,7 +193,7 @@ namespace de4dot.code.deobfuscators.CodeFort { if (assemblyEncryptedResource == null) return null; - var reader = new BinaryReader(assemblyEncryptedResource.GetResourceStream()); + var reader = new BinaryReader(new MemoryStream(assemblyEncryptedResource.Data.ReadAllBytes())); var encryptedData = DeobUtils.gunzip(reader.BaseStream, reader.ReadInt32()); reader = new BinaryReader(new MemoryStream(encryptedData)); var serializedData = reader.ReadBytes(reader.ReadInt32()); @@ -235,12 +236,12 @@ namespace de4dot.code.deobfuscators.CodeFort { var resource = rsrc as EmbeddedResource; if (resource == null) continue; - if (!Regex.IsMatch(resource.Name, "^cfd_([0-9a-f]{2})+_$")) + if (!Regex.IsMatch(resource.Name.String, "^cfd_([0-9a-f]{2})+_$")) continue; - var asmData = decrypt(embedPassword, gunzip(resource.GetResourceData())); - var mod = ModuleDefinition.ReadModule(new MemoryStream(asmData)); - infos.Add(new AssemblyInfo(asmData, resource, mod.Assembly.FullName, mod.Assembly.Name.Name, DeobUtils.getExtension(mod.Kind))); + var asmData = decrypt(embedPassword, gunzip(resource.Data.ReadAllBytes())); + var mod = ModuleDefMD.Load(asmData); + infos.Add(new AssemblyInfo(asmData, resource, mod.Assembly.FullName, mod.Assembly.Name.String, DeobUtils.getExtension(mod.Kind))); } return infos; @@ -262,7 +263,7 @@ namespace de4dot.code.deobfuscators.CodeFort { var salt = getString(ldstr2, instrs, ref index); var ldci4 = instrs[index++]; - if (!DotNetUtils.isLdcI4(ldci4)) + if (!ldci4.IsLdcI4()) continue; var ldstr3 = instrs[index++]; @@ -284,10 +285,10 @@ namespace de4dot.code.deobfuscators.CodeFort { if (call.OpCode.Code != Code.Call && call.OpCode.Code != Code.Callvirt) return s; index++; - var calledMethod = call.Operand as MethodReference; - if (calledMethod.Name == "ToUpper") + var calledMethod = call.Operand as IMethod; + if (calledMethod.Name.String == "ToUpper") return s.ToUpper(); - if (calledMethod.Name == "ToLower") + if (calledMethod.Name.String == "ToLower") return s.ToLower(); throw new ApplicationException(string.Format("Unknown method {0}", calledMethod)); } diff --git a/de4dot.code/deobfuscators/CodeFort/CfMethodCallInliner.cs b/de4dot.code/deobfuscators/CodeFort/CfMethodCallInliner.cs index d06ab197..84916b3b 100644 --- a/de4dot.code/deobfuscators/CodeFort/CfMethodCallInliner.cs +++ b/de4dot.code/deobfuscators/CodeFort/CfMethodCallInliner.cs @@ -34,7 +34,7 @@ namespace de4dot.code.deobfuscators.CodeFort { return proxyCallFixer.isProxyTargetMethod(method); } - protected override bool isCompatibleType(int paramIndex, TypeReference origType, TypeReference newType) { + protected override bool isCompatibleType(int paramIndex, IType origType, IType newType) { return true; } } diff --git a/de4dot.code/deobfuscators/CodeFort/Deobfuscator.cs b/de4dot.code/deobfuscators/CodeFort/Deobfuscator.cs index 29fd1850..244749fb 100644 --- a/de4dot.code/deobfuscators/CodeFort/Deobfuscator.cs +++ b/de4dot.code/deobfuscators/CodeFort/Deobfuscator.cs @@ -20,7 +20,6 @@ using System; using System.Collections.Generic; using dot10.DotNet; -using Mono.MyStuff; using de4dot.blocks; using de4dot.PE; @@ -115,7 +114,7 @@ namespace de4dot.code.deobfuscators.CodeFort { return newFileData != null; } - public override IDeobfuscator moduleReloaded(ModuleDefinition module) { + public override IDeobfuscator moduleReloaded(ModuleDefMD module) { var newOne = new Deobfuscator(options); newOne.setModule(module); newOne.proxyCallFixer = new ProxyCallFixer(module); diff --git a/de4dot.code/deobfuscators/CodeFort/ProxyCallFixer.cs b/de4dot.code/deobfuscators/CodeFort/ProxyCallFixer.cs index aefbc0d8..605c36f8 100644 --- a/de4dot.code/deobfuscators/CodeFort/ProxyCallFixer.cs +++ b/de4dot.code/deobfuscators/CodeFort/ProxyCallFixer.cs @@ -25,7 +25,6 @@ using de4dot.blocks; namespace de4dot.code.deobfuscators.CodeFort { class ProxyCallFixer : ProxyCallFixer3 { - IList memberReferences; MethodDefinitionAndDeclaringTypeDict proxyTargetMethods = new MethodDefinitionAndDeclaringTypeDict(); TypeDef proxyMethodsType; @@ -33,11 +32,11 @@ namespace de4dot.code.deobfuscators.CodeFort { get { return proxyMethodsType; } } - public ProxyCallFixer(ModuleDefinition module) + public ProxyCallFixer(ModuleDefMD module) : base(module) { } - public bool isProxyTargetMethod(MethodReference method) { + public bool isProxyTargetMethod(IMethod method) { return proxyTargetMethods.find(method); } @@ -55,7 +54,7 @@ namespace de4dot.code.deobfuscators.CodeFort { static MethodDef checkType(TypeDef type) { if (type.Fields.Count != 1) return null; - if (type.Fields[0].FieldType.FullName != "System.Reflection.Module") + if (type.Fields[0].FieldSig.GetFieldType().GetFullName() != "System.Reflection.Module") return null; return checkMethods(type); } @@ -85,29 +84,26 @@ namespace de4dot.code.deobfuscators.CodeFort { if (instrs.Count != 3) return null; var ldci4 = instrs[0]; - if (!DotNetUtils.isLdcI4(ldci4)) + if (!ldci4.IsLdcI4()) return null; var call = instrs[1]; if (call.OpCode.Code != Code.Call) return null; if (!isDelegateCreatorMethod(call.Operand as MethodDef)) return null; - int rid = DotNetUtils.getLdcI4Value(ldci4); - if (cctor.DeclaringType.MDToken.RID != rid) + int rid = ldci4.GetLdcI4Value(); + if (cctor.DeclaringType.Rid != rid) throw new ApplicationException("Invalid rid"); return rid; } - protected override void getCallInfo(object context, FieldDef field, out MethodReference calledMethod, out OpCode callOpcode) { - if (memberReferences == null) - memberReferences = new List(module.GetMemberReferences()); - - int rid = 0; - foreach (var c in field.Name) - rid = (rid << 4) + hexToInt((char)((byte)c + 0x2F)); + protected override void getCallInfo(object context, FieldDef field, out IMethod calledMethod, out OpCode callOpcode) { + uint rid = 0; + foreach (var c in field.Name.String) + rid = (rid << 4) + (uint)hexToInt((char)((byte)c + 0x2F)); rid &= 0x00FFFFFF; - calledMethod = (MethodReference)memberReferences[rid - 1]; - var calledMethodDef = DotNetUtils.getMethod(module, calledMethod); + calledMethod = module.ResolveMemberRef(rid); + var calledMethodDef = DotNetUtils.getMethod2(module, calledMethod); if (calledMethodDef != null) { proxyMethodsType = calledMethodDef.DeclaringType; proxyTargetMethods.add(calledMethodDef, true); diff --git a/de4dot.code/deobfuscators/CodeFort/StringDecrypter.cs b/de4dot.code/deobfuscators/CodeFort/StringDecrypter.cs index cdad1a20..b38a5a0d 100644 --- a/de4dot.code/deobfuscators/CodeFort/StringDecrypter.cs +++ b/de4dot.code/deobfuscators/CodeFort/StringDecrypter.cs @@ -24,7 +24,7 @@ using de4dot.blocks; namespace de4dot.code.deobfuscators.CodeFort { class StringDecrypter { - ModuleDefinition module; + ModuleDefMD module; MethodDef decryptMethod; public bool Detected { @@ -39,7 +39,7 @@ namespace de4dot.code.deobfuscators.CodeFort { get { return decryptMethod == null ? null : decryptMethod.DeclaringType; } } - public StringDecrypter(ModuleDefinition module) { + public StringDecrypter(ModuleDefMD module) { this.module = module; } diff --git a/de4dot.cui/Program.cs b/de4dot.cui/Program.cs index 47e0bb26..93bad5f5 100644 --- a/de4dot.cui/Program.cs +++ b/de4dot.cui/Program.cs @@ -39,8 +39,8 @@ namespace de4dot.cui { new de4dot.code.deobfuscators.Unknown.DeobfuscatorInfo(), new de4dot.code.deobfuscators.Agile_NET.DeobfuscatorInfo(), new de4dot.code.deobfuscators.Babel_NET.DeobfuscatorInfo(), -#if PORT new de4dot.code.deobfuscators.CodeFort.DeobfuscatorInfo(), +#if PORT new de4dot.code.deobfuscators.CodeVeil.DeobfuscatorInfo(), new de4dot.code.deobfuscators.CodeWall.DeobfuscatorInfo(), new de4dot.code.deobfuscators.CryptoObfuscator.DeobfuscatorInfo(),