Port CodeFort deobfuscator

de4dot 2012-11-08 07:43:57 +01:00
parent 4393df31d9
commit 10e83acebc
9 changed files with 63 additions and 63 deletions


@ -309,21 +309,25 @@ namespace de4dot.blocks {
return null; return null;
return getMethod(module, method, method.DeclaringType); return getMethod(module, method, method.DeclaringType);
} }
#endif
public static MethodDef getMethod2(ModuleDefinition module, MethodReference method) { public static MethodDef getMethod2(ModuleDefMD module, IMethod method) {
if (method == null) if (method == null)
return null; return null;
return getMethod(module, method, method.DeclaringType.GetElementType()); if (method is MethodDef)
return (MethodDef)method;
var git = method.DeclaringType.ToGenericInstSig();
var dt = git == null ? method.DeclaringType : git.GenericType.TypeDefOrRef;
return getMethod(module, method, dt);
} }
static MethodDef getMethod(ModuleDefinition module, MethodReference method, TypeReference declaringType) { static MethodDef getMethod(ModuleDefMD module, IMethod method, ITypeDefOrRef declaringType) {
if (method == null) if (method == null)
return null; return null;
if (method is MethodDef) if (method is MethodDef)
return (MethodDef)method; return (MethodDef)method;
return getMethod(getType(module, declaringType), method); return getMethod(getType(module, declaringType), method);
} }
#endif
public static MethodDef getMethod(TypeDef type, string returnType, string parameters) { public static MethodDef getMethod(TypeDef type, string returnType, string parameters) {
foreach (var method in type.Methods) { foreach (var method in type.Methods) {
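Review bot: The new body of `getMethod2` does not say why the declaring type is unwrapped before the lookup, and `ToGenericInstSig()` alone does not make the reason obvious. A one-line comment above `var git = ...` would help, for example `// Look the method up on the generic type definition, not on the instantiation`. The new code also dereferences `method.DeclaringType` unconditionally; whether that can be null for a reference read from a damaged module is not visible in this hunk, so it is worth confirming before `dt` is passed to `getMethod`.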


@ -93,13 +93,13 @@
<Compile Include="deobfuscators\Babel_NET\ResourceResolver.cs" /> <Compile Include="deobfuscators\Babel_NET\ResourceResolver.cs" />
<Compile Include="deobfuscators\Babel_NET\StringDecrypter.cs" /> <Compile Include="deobfuscators\Babel_NET\StringDecrypter.cs" />
<Compile Include="deobfuscators\Blowfish.cs" /> <Compile Include="deobfuscators\Blowfish.cs" />
<None Include="deobfuscators\CodeFort\AssemblyData.cs" /> <Compile Include="deobfuscators\CodeFort\AssemblyData.cs" />
<None Include="deobfuscators\CodeFort\AssemblyDecrypter.cs" /> <Compile Include="deobfuscators\CodeFort\AssemblyDecrypter.cs" />
<None Include="deobfuscators\CodeFort\CfMethodCallInliner.cs" /> <Compile Include="deobfuscators\CodeFort\CfMethodCallInliner.cs" />
<None Include="deobfuscators\CodeFort\Deobfuscator.cs" /> <Compile Include="deobfuscators\CodeFort\Deobfuscator.cs" />
<None Include="deobfuscators\CodeFort\PasswordFinder.cs" /> <Compile Include="deobfuscators\CodeFort\PasswordFinder.cs" />
<None Include="deobfuscators\CodeFort\ProxyCallFixer.cs" /> <Compile Include="deobfuscators\CodeFort\ProxyCallFixer.cs" />
<None Include="deobfuscators\CodeFort\StringDecrypter.cs" /> <Compile Include="deobfuscators\CodeFort\StringDecrypter.cs" />
<None Include="deobfuscators\CodeVeil\AssemblyResolver.cs" /> <None Include="deobfuscators\CodeVeil\AssemblyResolver.cs" />
<None Include="deobfuscators\CodeVeil\Deobfuscator.cs" /> <None Include="deobfuscators\CodeVeil\Deobfuscator.cs" />
<None Include="deobfuscators\CodeVeil\ErexResourceReader.cs" /> <None Include="deobfuscators\CodeVeil\ErexResourceReader.cs" />


@ -25,21 +25,21 @@ using System.Reflection.Emit;
using System.Text; using System.Text;
namespace de4dot.code.deobfuscators.CodeFort { namespace de4dot.code.deobfuscators.CodeFort {
interface IType { interface ICFType {
Type get(SerializedTypes serializedTypes); Type get(SerializedTypes serializedTypes);
} }
static class ITypeCreator { static class ITypeCreator {
public static IType create(string name) { public static ICFType create(string name) {
return new StringType(name); return new StringType(name);
} }
public static IType create(Type type) { public static ICFType create(Type type) {
return new ExistingType(type); return new ExistingType(type);
} }
} }
class StringType : IType { class StringType : ICFType {
readonly string name; readonly string name;
public StringType(string name) { public StringType(string name) {
@ -55,7 +55,7 @@ namespace de4dot.code.deobfuscators.CodeFort {
} }
} }
class ExistingType : IType { class ExistingType : ICFType {
readonly Type type; readonly Type type;
public ExistingType(Type type) { public ExistingType(Type type) {
@ -71,19 +71,19 @@ namespace de4dot.code.deobfuscators.CodeFort {
} }
} }
class GenericType : IType { class GenericType : ICFType {
IType type; ICFType type;
IType[] genericArgs; ICFType[] genericArgs;
public GenericType(string type, IType[] genericArgs) public GenericType(string type, ICFType[] genericArgs)
: this(ITypeCreator.create(type), genericArgs) { : this(ITypeCreator.create(type), genericArgs) {
} }
public GenericType(Type type, IType[] genericArgs) public GenericType(Type type, ICFType[] genericArgs)
: this(ITypeCreator.create(type), genericArgs) { : this(ITypeCreator.create(type), genericArgs) {
} }
public GenericType(IType type, IType[] genericArgs) { public GenericType(ICFType type, ICFType[] genericArgs) {
this.type = type; this.type = type;
this.genericArgs = genericArgs; this.genericArgs = genericArgs;
} }
@ -129,8 +129,8 @@ namespace de4dot.code.deobfuscators.CodeFort {
: this(ITypeCreator.create(type)) { : this(ITypeCreator.create(type)) {
} }
public ListType(IType type) public ListType(ICFType type)
: base(typeof(List<>), new IType[] { type }) { : base(typeof(List<>), new ICFType[] { type }) {
} }
} }
@ -153,7 +153,7 @@ namespace de4dot.code.deobfuscators.CodeFort {
} }
class TypeInfo : TypeInfoBase { class TypeInfo : TypeInfoBase {
public readonly IType baseType; public readonly ICFType baseType;
public readonly TypeFieldInfo[] fieldInfos; public readonly TypeFieldInfo[] fieldInfos;
public TypeInfo(string name, string dcName, TypeFieldInfo[] fieldInfos) public TypeInfo(string name, string dcName, TypeFieldInfo[] fieldInfos)
@ -164,11 +164,11 @@ namespace de4dot.code.deobfuscators.CodeFort {
: this(ITypeCreator.create(typeof(object)), name, dcNamespace, dcName, fieldInfos) { : this(ITypeCreator.create(typeof(object)), name, dcNamespace, dcName, fieldInfos) {
} }
public TypeInfo(IType baseType, string name, string dcName, TypeFieldInfo[] fieldInfos) public TypeInfo(ICFType baseType, string name, string dcName, TypeFieldInfo[] fieldInfos)
: this(baseType, name, "", dcName, fieldInfos) { : this(baseType, name, "", dcName, fieldInfos) {
} }
public TypeInfo(IType baseType, string name, string dcNamespace, string dcName, TypeFieldInfo[] fieldInfos) public TypeInfo(ICFType baseType, string name, string dcNamespace, string dcName, TypeFieldInfo[] fieldInfos)
: base(name, dcNamespace, dcName) { : base(name, dcNamespace, dcName) {
this.baseType = baseType; this.baseType = baseType;
this.fieldInfos = fieldInfos; this.fieldInfos = fieldInfos;
@ -176,7 +176,7 @@ namespace de4dot.code.deobfuscators.CodeFort {
} }
class TypeFieldInfo { class TypeFieldInfo {
public readonly IType type; public readonly ICFType type;
public readonly string name; public readonly string name;
public readonly string dmName; public readonly string dmName;
@ -188,7 +188,7 @@ namespace de4dot.code.deobfuscators.CodeFort {
: this(ITypeCreator.create(type), name, dmName) { : this(ITypeCreator.create(type), name, dmName) {
} }
public TypeFieldInfo(IType type, string name, string dmName) { public TypeFieldInfo(ICFType type, string name, string dmName) {
this.type = type; this.type = type;
this.name = name; this.name = name;
this.dmName = dmName; this.dmName = dmName;


@ -23,13 +23,14 @@ using System.IO;
using System.Security.Cryptography; using System.Security.Cryptography;
using System.Text; using System.Text;
using System.Text.RegularExpressions; using System.Text.RegularExpressions;
using dot10.IO;
using dot10.DotNet; using dot10.DotNet;
using dot10.DotNet.Emit; using dot10.DotNet.Emit;
using de4dot.blocks; using de4dot.blocks;
namespace de4dot.code.deobfuscators.CodeFort { namespace de4dot.code.deobfuscators.CodeFort {
class AssemblyDecrypter { class AssemblyDecrypter {
ModuleDefinition module; ModuleDefMD module;
EmbeddedResource assemblyEncryptedResource; EmbeddedResource assemblyEncryptedResource;
PasswordInfo embedPassword; PasswordInfo embedPassword;
MethodDef embedInitMethod; MethodDef embedInitMethod;
@ -75,11 +76,11 @@ namespace de4dot.code.deobfuscators.CodeFort {
get { return embedInitMethod; } get { return embedInitMethod; }
} }
public AssemblyDecrypter(ModuleDefinition module) { public AssemblyDecrypter(ModuleDefMD module) {
this.module = module; this.module = module;
} }
public AssemblyDecrypter(ModuleDefinition module, AssemblyDecrypter oldOne) { public AssemblyDecrypter(ModuleDefMD module, AssemblyDecrypter oldOne) {
this.module = module; this.module = module;
this.embedPassword = oldOne.embedPassword; this.embedPassword = oldOne.embedPassword;
} }
@ -192,7 +193,7 @@ namespace de4dot.code.deobfuscators.CodeFort {
if (assemblyEncryptedResource == null) if (assemblyEncryptedResource == null)
return null; return null;
var reader = new BinaryReader(assemblyEncryptedResource.GetResourceStream()); var reader = new BinaryReader(new MemoryStream(assemblyEncryptedResource.Data.ReadAllBytes()));
var encryptedData = DeobUtils.gunzip(reader.BaseStream, reader.ReadInt32()); var encryptedData = DeobUtils.gunzip(reader.BaseStream, reader.ReadInt32());
reader = new BinaryReader(new MemoryStream(encryptedData)); reader = new BinaryReader(new MemoryStream(encryptedData));
var serializedData = reader.ReadBytes(reader.ReadInt32()); var serializedData = reader.ReadBytes(reader.ReadInt32());
@ -235,12 +236,12 @@ namespace de4dot.code.deobfuscators.CodeFort {
var resource = rsrc as EmbeddedResource; var resource = rsrc as EmbeddedResource;
if (resource == null) if (resource == null)
continue; continue;
if (!Regex.IsMatch(resource.Name, "^cfd_([0-9a-f]{2})+_$")) if (!Regex.IsMatch(resource.Name.String, "^cfd_([0-9a-f]{2})+_$"))
continue; continue;
var asmData = decrypt(embedPassword, gunzip(resource.GetResourceData())); var asmData = decrypt(embedPassword, gunzip(resource.Data.ReadAllBytes()));
var mod = ModuleDefinition.ReadModule(new MemoryStream(asmData)); var mod = ModuleDefMD.Load(asmData);
infos.Add(new AssemblyInfo(asmData, resource, mod.Assembly.FullName, mod.Assembly.Name.Name, DeobUtils.getExtension(mod.Kind))); infos.Add(new AssemblyInfo(asmData, resource, mod.Assembly.FullName, mod.Assembly.Name.String, DeobUtils.getExtension(mod.Kind)));
} }
return infos; return infos;
@ -262,7 +263,7 @@ namespace de4dot.code.deobfuscators.CodeFort {
var salt = getString(ldstr2, instrs, ref index); var salt = getString(ldstr2, instrs, ref index);
var ldci4 = instrs[index++]; var ldci4 = instrs[index++];
if (!DotNetUtils.isLdcI4(ldci4)) if (!ldci4.IsLdcI4())
continue; continue;
var ldstr3 = instrs[index++]; var ldstr3 = instrs[index++];
@ -284,10 +285,10 @@ namespace de4dot.code.deobfuscators.CodeFort {
if (call.OpCode.Code != Code.Call && call.OpCode.Code != Code.Callvirt) if (call.OpCode.Code != Code.Call && call.OpCode.Code != Code.Callvirt)
return s; return s;
index++; index++;
var calledMethod = call.Operand as MethodReference; var calledMethod = call.Operand as IMethod;
if (calledMethod.Name == "ToUpper") if (calledMethod.Name.String == "ToUpper")
return s.ToUpper(); return s.ToUpper();
if (calledMethod.Name == "ToLower") if (calledMethod.Name.String == "ToLower")
return s.ToLower(); return s.ToLower();
throw new ApplicationException(string.Format("Unknown method {0}", calledMethod)); throw new ApplicationException(string.Format("Unknown method {0}", calledMethod));
} }
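Review bot: In the last hunk, `call.Operand as IMethod` is dereferenced on the next line (`calledMethod.Name.String`) with no null check. A call instruction whose operand did not resolve to a method therefore ends in a NullReferenceException, not the ApplicationException this helper throws for other unexpected input. The module being read is an obfuscated, possibly hand-modified assembly, so an unresolved operand is presumably reachable. Adding `if (calledMethod == null) throw new ApplicationException("Call operand is not a method");` before the name comparisons would keep the failure in the same exception type as the `Unknown method` case. The start of this helper is outside the hunk.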


@ -34,7 +34,7 @@ namespace de4dot.code.deobfuscators.CodeFort {
return proxyCallFixer.isProxyTargetMethod(method); return proxyCallFixer.isProxyTargetMethod(method);
} }
protected override bool isCompatibleType(int paramIndex, TypeReference origType, TypeReference newType) { protected override bool isCompatibleType(int paramIndex, IType origType, IType newType) {
return true; return true;
} }
} }


@ -20,7 +20,6 @@
using System; using System;
using System.Collections.Generic; using System.Collections.Generic;
using dot10.DotNet; using dot10.DotNet;
using Mono.MyStuff;
using de4dot.blocks; using de4dot.blocks;
using de4dot.PE; using de4dot.PE;
@ -115,7 +114,7 @@ namespace de4dot.code.deobfuscators.CodeFort {
return newFileData != null; return newFileData != null;
} }
public override IDeobfuscator moduleReloaded(ModuleDefinition module) { public override IDeobfuscator moduleReloaded(ModuleDefMD module) {
var newOne = new Deobfuscator(options); var newOne = new Deobfuscator(options);
newOne.setModule(module); newOne.setModule(module);
newOne.proxyCallFixer = new ProxyCallFixer(module); newOne.proxyCallFixer = new ProxyCallFixer(module);


@ -25,7 +25,6 @@ using de4dot.blocks;
namespace de4dot.code.deobfuscators.CodeFort { namespace de4dot.code.deobfuscators.CodeFort {
class ProxyCallFixer : ProxyCallFixer3 { class ProxyCallFixer : ProxyCallFixer3 {
IList<MemberReference> memberReferences;
MethodDefinitionAndDeclaringTypeDict<bool> proxyTargetMethods = new MethodDefinitionAndDeclaringTypeDict<bool>(); MethodDefinitionAndDeclaringTypeDict<bool> proxyTargetMethods = new MethodDefinitionAndDeclaringTypeDict<bool>();
TypeDef proxyMethodsType; TypeDef proxyMethodsType;
@ -33,11 +32,11 @@ namespace de4dot.code.deobfuscators.CodeFort {
get { return proxyMethodsType; } get { return proxyMethodsType; }
} }
public ProxyCallFixer(ModuleDefinition module) public ProxyCallFixer(ModuleDefMD module)
: base(module) { : base(module) {
} }
public bool isProxyTargetMethod(MethodReference method) { public bool isProxyTargetMethod(IMethod method) {
return proxyTargetMethods.find(method); return proxyTargetMethods.find(method);
} }
@ -55,7 +54,7 @@ namespace de4dot.code.deobfuscators.CodeFort {
static MethodDef checkType(TypeDef type) { static MethodDef checkType(TypeDef type) {
if (type.Fields.Count != 1) if (type.Fields.Count != 1)
return null; return null;
if (type.Fields[0].FieldType.FullName != "System.Reflection.Module") if (type.Fields[0].FieldSig.GetFieldType().GetFullName() != "System.Reflection.Module")
return null; return null;
return checkMethods(type); return checkMethods(type);
} }
@ -85,29 +84,26 @@ namespace de4dot.code.deobfuscators.CodeFort {
if (instrs.Count != 3) if (instrs.Count != 3)
return null; return null;
var ldci4 = instrs[0]; var ldci4 = instrs[0];
if (!DotNetUtils.isLdcI4(ldci4)) if (!ldci4.IsLdcI4())
return null; return null;
var call = instrs[1]; var call = instrs[1];
if (call.OpCode.Code != Code.Call) if (call.OpCode.Code != Code.Call)
return null; return null;
if (!isDelegateCreatorMethod(call.Operand as MethodDef)) if (!isDelegateCreatorMethod(call.Operand as MethodDef))
return null; return null;
int rid = DotNetUtils.getLdcI4Value(ldci4); int rid = ldci4.GetLdcI4Value();
if (cctor.DeclaringType.MDToken.RID != rid) if (cctor.DeclaringType.Rid != rid)
throw new ApplicationException("Invalid rid"); throw new ApplicationException("Invalid rid");
return rid; return rid;
} }
protected override void getCallInfo(object context, FieldDef field, out MethodReference calledMethod, out OpCode callOpcode) { protected override void getCallInfo(object context, FieldDef field, out IMethod calledMethod, out OpCode callOpcode) {
if (memberReferences == null) uint rid = 0;
memberReferences = new List<MemberReference>(module.GetMemberReferences()); foreach (var c in field.Name.String)
rid = (rid << 4) + (uint)hexToInt((char)((byte)c + 0x2F));
int rid = 0;
foreach (var c in field.Name)
rid = (rid << 4) + hexToInt((char)((byte)c + 0x2F));
rid &= 0x00FFFFFF; rid &= 0x00FFFFFF;
calledMethod = (MethodReference)memberReferences[rid - 1]; calledMethod = module.ResolveMemberRef(rid);
var calledMethodDef = DotNetUtils.getMethod(module, calledMethod); var calledMethodDef = DotNetUtils.getMethod2(module, calledMethod);
if (calledMethodDef != null) { if (calledMethodDef != null) {
proxyMethodsType = calledMethodDef.DeclaringType; proxyMethodsType = calledMethodDef.DeclaringType;
proxyTargetMethods.add(calledMethodDef, true); proxyTargetMethods.add(calledMethodDef, true);
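Review bot: In `getCallInfo`, the result of `module.ResolveMemberRef(rid)` goes straight into the `out IMethod calledMethod` parameter unchecked, although `rid` is decoded from a field name in the file being deobfuscated. The removed code threw on an out-of-range index and on a non-method entry through the `(MethodReference)` cast. The new assignment compiles without a cast, so nothing visible here rejects an rid that resolves to nothing, or, if the resolver can return one, a member reference that names a field. Consider `if (calledMethod == null) throw new ApplicationException("Invalid rid");` right after the resolve, matching the `Invalid rid` check earlier in this hunk, plus a method-reference check if the dot10 type offers one. The rest of `getCallInfo`, including the assignment of `callOpcode`, is outside the hunk.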


@ -24,7 +24,7 @@ using de4dot.blocks;
namespace de4dot.code.deobfuscators.CodeFort { namespace de4dot.code.deobfuscators.CodeFort {
class StringDecrypter { class StringDecrypter {
ModuleDefinition module; ModuleDefMD module;
MethodDef decryptMethod; MethodDef decryptMethod;
public bool Detected { public bool Detected {
@ -39,7 +39,7 @@ namespace de4dot.code.deobfuscators.CodeFort {
get { return decryptMethod == null ? null : decryptMethod.DeclaringType; } get { return decryptMethod == null ? null : decryptMethod.DeclaringType; }
} }
public StringDecrypter(ModuleDefinition module) { public StringDecrypter(ModuleDefMD module) {
this.module = module; this.module = module;
} }


@ -39,8 +39,8 @@ namespace de4dot.cui {
new de4dot.code.deobfuscators.Unknown.DeobfuscatorInfo(), new de4dot.code.deobfuscators.Unknown.DeobfuscatorInfo(),
new de4dot.code.deobfuscators.Agile_NET.DeobfuscatorInfo(), new de4dot.code.deobfuscators.Agile_NET.DeobfuscatorInfo(),
new de4dot.code.deobfuscators.Babel_NET.DeobfuscatorInfo(), new de4dot.code.deobfuscators.Babel_NET.DeobfuscatorInfo(),
#if PORT
new de4dot.code.deobfuscators.CodeFort.DeobfuscatorInfo(), new de4dot.code.deobfuscators.CodeFort.DeobfuscatorInfo(),
#if PORT
new de4dot.code.deobfuscators.CodeVeil.DeobfuscatorInfo(), new de4dot.code.deobfuscators.CodeVeil.DeobfuscatorInfo(),
new de4dot.code.deobfuscators.CodeWall.DeobfuscatorInfo(), new de4dot.code.deobfuscators.CodeWall.DeobfuscatorInfo(),
new de4dot.code.deobfuscators.CryptoObfuscator.DeobfuscatorInfo(), new de4dot.code.deobfuscators.CryptoObfuscator.DeobfuscatorInfo(),