Use default shift constants when Eazfuscator.NET < 5.0
parent
d7c7c7ce85
commit
17c23f9ad7
|
@ -35,6 +35,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
int i1, i2, i3;
|
int i1, i2, i3;
|
||||||
int m1_i1, m2_i1, m2_i2, m3_i1;
|
int m1_i1, m2_i1, m2_i2, m3_i1;
|
||||||
MethodDef[] efConstMethods;
|
MethodDef[] efConstMethods;
|
||||||
|
List<int> shiftConsts;
|
||||||
|
|
||||||
public MethodDef Int64Method {
|
public MethodDef Int64Method {
|
||||||
get { return int64Method; }
|
get { return int64Method; }
|
||||||
|
@ -54,6 +55,16 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
get { return type != null; }
|
get { return type != null; }
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public List<int> ShiftConsts {
|
||||||
|
get { return shiftConsts; }
|
||||||
|
set {
|
||||||
|
if (shiftConsts == null)
|
||||||
|
shiftConsts = value;
|
||||||
|
else if (shiftConsts != value)
|
||||||
|
throw new ApplicationException("Found another one");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
public DecrypterType(ModuleDefMD module, ISimpleDeobfuscator simpleDeobfuscator) {
|
public DecrypterType(ModuleDefMD module, ISimpleDeobfuscator simpleDeobfuscator) {
|
||||||
this.module = module;
|
this.module = module;
|
||||||
this.simpleDeobfuscator = simpleDeobfuscator;
|
this.simpleDeobfuscator = simpleDeobfuscator;
|
||||||
|
@ -337,51 +348,6 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
return BinOp1(efConstMethods[5].DeclaringType.MDToken.ToInt32(), BinOp3(BinOp2(efConstMethods[4].DeclaringType.MDToken.ToInt32(), efConstMethods[0].DeclaringType.MDToken.ToInt32()), BinOp3(efConstMethods[2].DeclaringType.MDToken.ToInt32() ^ i3, ConstMethod5())));
|
return BinOp1(efConstMethods[5].DeclaringType.MDToken.ToInt32(), BinOp3(BinOp2(efConstMethods[4].DeclaringType.MDToken.ToInt32(), efConstMethods[0].DeclaringType.MDToken.ToInt32()), BinOp3(efConstMethods[2].DeclaringType.MDToken.ToInt32() ^ i3, ConstMethod5())));
|
||||||
}
|
}
|
||||||
|
|
||||||
bool FindShiftInts(MethodDef method, out List<int> bytes) {
|
|
||||||
var instrs = method.Body.Instructions;
|
|
||||||
var constantsReader = new EfConstantsReader(method);
|
|
||||||
bytes = new List<int>(8);
|
|
||||||
|
|
||||||
for (int i = 0; i < instrs.Count - 4; i++) {
|
|
||||||
if (bytes.Count >= 8)
|
|
||||||
return true;
|
|
||||||
|
|
||||||
var ldloc1 = instrs[i];
|
|
||||||
if (ldloc1.OpCode.Code != Code.Ldloc_1)
|
|
||||||
continue;
|
|
||||||
|
|
||||||
var ldlocs = instrs[i + 1];
|
|
||||||
if (ldlocs.OpCode.Code != Code.Ldloc_S)
|
|
||||||
continue;
|
|
||||||
|
|
||||||
var maybe = instrs[i + 2];
|
|
||||||
if (maybe.OpCode.Code == Code.Conv_U1) {
|
|
||||||
var callvirt = instrs[i + 3];
|
|
||||||
if (callvirt.OpCode.Code != Code.Callvirt)
|
|
||||||
return false;
|
|
||||||
|
|
||||||
bytes.Add(0);
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
var shr = instrs[i + 3];
|
|
||||||
if (shr.OpCode.Code != Code.Shr)
|
|
||||||
return false;
|
|
||||||
|
|
||||||
var convu1 = instrs[i + 4];
|
|
||||||
if (convu1.OpCode.Code != Code.Conv_U1)
|
|
||||||
return false;
|
|
||||||
|
|
||||||
int constant;
|
|
||||||
int index = i + 2;
|
|
||||||
if (!constantsReader.GetInt32(ref index, out constant))
|
|
||||||
return false;
|
|
||||||
|
|
||||||
bytes.Add(constant);
|
|
||||||
}
|
|
||||||
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
public ulong GetMagic() {
|
public ulong GetMagic() {
|
||||||
if (type == null)
|
if (type == null)
|
||||||
throw new ApplicationException("Can't calculate magic since type isn't initialized");
|
throw new ApplicationException("Can't calculate magic since type isn't initialized");
|
||||||
|
@ -393,10 +359,6 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
bytes.AddRange(Encoding.Unicode.GetBytes(module.Assembly.Name.String));
|
bytes.AddRange(Encoding.Unicode.GetBytes(module.Assembly.Name.String));
|
||||||
}
|
}
|
||||||
|
|
||||||
List<int> shiftConsts;
|
|
||||||
if (!FindShiftInts(int64Method, out shiftConsts))
|
|
||||||
throw new ApplicationException("Could not extract magic constants");
|
|
||||||
|
|
||||||
int num3 = ConstMethod1();
|
int num3 = ConstMethod1();
|
||||||
int num2 = type.MDToken.ToInt32();
|
int num2 = type.MDToken.ToInt32();
|
||||||
|
|
||||||
|
|
|
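Review bot: The new `ShiftConsts` setter compares lists by reference (`else if (shiftConsts != value)`), so assigning a second list with identical contents still throws "Found another one", and a null `value` is accepted silently on the first assignment. This commit also removes the `FindShiftInts` call and its "Could not extract magic constants" exception from `GetMagic()`, so `GetMagic()` presumably reads the `shiftConsts` field, which stays null if no caller sets the property; the rest of `GetMagic()` is outside the visible hunks. Consider comparing contents, e.g. `else if (!shiftConsts.SequenceEqual(value))` if System.Linq is in scope, with a message that names the shift constants. A guard in `GetMagic()` such as `if (shiftConsts == null) throw new ApplicationException("Shift constants were not initialized");` would keep the failure explicit.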
@ -325,10 +325,22 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
if (decrypterType.Detected && !decrypterType.Initialize())
|
if (decrypterType.Detected && !decrypterType.Initialize())
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
|
if (!isV50OrLater) {
|
||||||
|
decrypterType.ShiftConsts = new List<int> { 24, 16, 8, 0, 16, 8, 0, 24 };
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
List<int> shiftConsts;
|
||||||
|
if (!FindShiftInts(decrypterType.Int64Method, out shiftConsts))
|
||||||
|
return false;
|
||||||
|
|
||||||
|
decrypterType.ShiftConsts = shiftConsts;
|
||||||
|
}
|
||||||
|
|
||||||
if (!FindInts(index))
|
if (!FindInts(index))
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
InitializeFlags();
|
InitializeFlags();
|
||||||
Initialize();
|
Initialize();
|
||||||
|
|
||||||
|
@ -624,6 +636,51 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
return DotNetUtils.GetResource(module, sb.ToString()) as EmbeddedResource;
|
return DotNetUtils.GetResource(module, sb.ToString()) as EmbeddedResource;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
bool FindShiftInts(MethodDef method, out List<int> bytes) {
|
||||||
|
var instrs = method.Body.Instructions;
|
||||||
|
var constantsReader = new EfConstantsReader(method);
|
||||||
|
bytes = new List<int>(8);
|
||||||
|
|
||||||
|
for (int i = 0; i < instrs.Count - 4; i++) {
|
||||||
|
if (bytes.Count >= 8)
|
||||||
|
return true;
|
||||||
|
|
||||||
|
var ldloc1 = instrs[i];
|
||||||
|
if (ldloc1.OpCode.Code != Code.Ldloc_1)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
var ldlocs = instrs[i + 1];
|
||||||
|
if (ldlocs.OpCode.Code != Code.Ldloc_S)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
var maybe = instrs[i + 2];
|
||||||
|
if (maybe.OpCode.Code == Code.Conv_U1) {
|
||||||
|
var callvirt = instrs[i + 3];
|
||||||
|
if (callvirt.OpCode.Code != Code.Callvirt)
|
||||||
|
return false;
|
||||||
|
|
||||||
|
bytes.Add(0);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
var shr = instrs[i + 3];
|
||||||
|
if (shr.OpCode.Code != Code.Shr)
|
||||||
|
return false;
|
||||||
|
|
||||||
|
var convu1 = instrs[i + 4];
|
||||||
|
if (convu1.OpCode.Code != Code.Conv_U1)
|
||||||
|
return false;
|
||||||
|
|
||||||
|
int constant;
|
||||||
|
int index = i + 2;
|
||||||
|
if (!constantsReader.GetInt32(ref index, out constant))
|
||||||
|
return false;
|
||||||
|
|
||||||
|
bytes.Add(constant);
|
||||||
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
static MethodDef FindInt64Method(MethodDef method) {
|
static MethodDef FindInt64Method(MethodDef method) {
|
||||||
foreach (var instr in method.Body.Instructions) {
|
foreach (var instr in method.Body.Instructions) {
|
||||||
if (instr.OpCode.Code != Code.Call)
|
if (instr.OpCode.Code != Code.Call)
|
||||||
|
|
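Review bot: In the new `else` branch, `FindShiftInts(decrypterType.Int64Method, out shiftConsts)` runs whether or not `decrypterType.Detected` is true, and `FindShiftInts` dereferences `method.Body.Instructions` without a null check. If `Int64Method` is null when the decrypter type was not detected (its initialization is not visible here), a 5.0+ input would raise a NullReferenceException instead of returning false. Because this code parses obfuscated, untrusted assemblies, a handled failure is the safer outcome. A guard at the top of `FindShiftInts` such as `if (method == null || method.Body == null) { bytes = null; return false; }` would cover it, as would making the call conditional on `decrypterType.Detected`. The literal `{ 24, 16, 8, 0, 16, 8, 0, 24 }` also deserves a short comment saying these are the fixed shifts used before 5.0; the enclosing method starts outside the hunk.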