Use default shift constants when Eazfuscator.NET < 5.0

PythEch 2016-02-06 17:38:14 +02:00
parent d7c7c7ce85
commit 17c23f9ad7
2 changed files with 68 additions and 49 deletions


@ -35,6 +35,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
int i1, i2, i3; int i1, i2, i3;
int m1_i1, m2_i1, m2_i2, m3_i1; int m1_i1, m2_i1, m2_i2, m3_i1;
MethodDef[] efConstMethods; MethodDef[] efConstMethods;
List<int> shiftConsts;
public MethodDef Int64Method { public MethodDef Int64Method {
get { return int64Method; } get { return int64Method; }
@ -54,6 +55,16 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
get { return type != null; } get { return type != null; }
} }
public List<int> ShiftConsts {
get { return shiftConsts; }
set {
if (shiftConsts == null)
shiftConsts = value;
else if (shiftConsts != value)
throw new ApplicationException("Found another one");
}
}
public DecrypterType(ModuleDefMD module, ISimpleDeobfuscator simpleDeobfuscator) { public DecrypterType(ModuleDefMD module, ISimpleDeobfuscator simpleDeobfuscator) {
this.module = module; this.module = module;
this.simpleDeobfuscator = simpleDeobfuscator; this.simpleDeobfuscator = simpleDeobfuscator;
@ -337,51 +348,6 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
return BinOp1(efConstMethods[5].DeclaringType.MDToken.ToInt32(), BinOp3(BinOp2(efConstMethods[4].DeclaringType.MDToken.ToInt32(), efConstMethods[0].DeclaringType.MDToken.ToInt32()), BinOp3(efConstMethods[2].DeclaringType.MDToken.ToInt32() ^ i3, ConstMethod5()))); return BinOp1(efConstMethods[5].DeclaringType.MDToken.ToInt32(), BinOp3(BinOp2(efConstMethods[4].DeclaringType.MDToken.ToInt32(), efConstMethods[0].DeclaringType.MDToken.ToInt32()), BinOp3(efConstMethods[2].DeclaringType.MDToken.ToInt32() ^ i3, ConstMethod5())));
} }
bool FindShiftInts(MethodDef method, out List<int> bytes) {
var instrs = method.Body.Instructions;
var constantsReader = new EfConstantsReader(method);
bytes = new List<int>(8);
for (int i = 0; i < instrs.Count - 4; i++) {
if (bytes.Count >= 8)
return true;
var ldloc1 = instrs[i];
if (ldloc1.OpCode.Code != Code.Ldloc_1)
continue;
var ldlocs = instrs[i + 1];
if (ldlocs.OpCode.Code != Code.Ldloc_S)
continue;
var maybe = instrs[i + 2];
if (maybe.OpCode.Code == Code.Conv_U1) {
var callvirt = instrs[i + 3];
if (callvirt.OpCode.Code != Code.Callvirt)
return false;
bytes.Add(0);
continue;
}
var shr = instrs[i + 3];
if (shr.OpCode.Code != Code.Shr)
return false;
var convu1 = instrs[i + 4];
if (convu1.OpCode.Code != Code.Conv_U1)
return false;
int constant;
int index = i + 2;
if (!constantsReader.GetInt32(ref index, out constant))
return false;
bytes.Add(constant);
}
return false;
}
public ulong GetMagic() { public ulong GetMagic() {
if (type == null) if (type == null)
throw new ApplicationException("Can't calculate magic since type isn't initialized"); throw new ApplicationException("Can't calculate magic since type isn't initialized");
@ -393,10 +359,6 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
bytes.AddRange(Encoding.Unicode.GetBytes(module.Assembly.Name.String)); bytes.AddRange(Encoding.Unicode.GetBytes(module.Assembly.Name.String));
} }
List<int> shiftConsts;
if (!FindShiftInts(int64Method, out shiftConsts))
throw new ApplicationException("Could not extract magic constants");
int num3 = ConstMethod1(); int num3 = ConstMethod1();
int num2 = type.MDToken.ToInt32(); int num2 = type.MDToken.ToInt32();
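Review bot: `GetMagic()` now relies on the `shiftConsts` field being set from outside, and nothing in this section replaces the removed `FindShiftInts` check and its "Could not extract magic constants" error. The rest of `GetMagic()` lies outside the hunk, so this is inferred, but a call made before `ShiftConsts` is assigned would presumably fail with a NullReferenceException instead of a diagnosable message. A guard next to the existing `type == null` check would keep the old failure mode: `if (shiftConsts == null) throw new ApplicationException("Could not extract magic constants");`. Separately, the setter's `shiftConsts != value` compares `List<int>` references, so a second assignment with identical contents throws "Found another one" and a null `value` is stored silently; an element-wise comparison that rejects null looks closer to the apparent intent.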


@ -325,10 +325,22 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
if (decrypterType.Detected && !decrypterType.Initialize()) if (decrypterType.Detected && !decrypterType.Initialize())
return false; return false;
if (!isV50OrLater) {
decrypterType.ShiftConsts = new List<int> { 24, 16, 8, 0, 16, 8, 0, 24 };
}
else {
List<int> shiftConsts;
if (!FindShiftInts(decrypterType.Int64Method, out shiftConsts))
return false;
decrypterType.ShiftConsts = shiftConsts;
}
if (!FindInts(index)) if (!FindInts(index))
return false; return false;
} }
InitializeFlags(); InitializeFlags();
Initialize(); Initialize();
@ -624,6 +636,51 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
return DotNetUtils.GetResource(module, sb.ToString()) as EmbeddedResource; return DotNetUtils.GetResource(module, sb.ToString()) as EmbeddedResource;
} }
bool FindShiftInts(MethodDef method, out List<int> bytes) {
var instrs = method.Body.Instructions;
var constantsReader = new EfConstantsReader(method);
bytes = new List<int>(8);
for (int i = 0; i < instrs.Count - 4; i++) {
if (bytes.Count >= 8)
return true;
var ldloc1 = instrs[i];
if (ldloc1.OpCode.Code != Code.Ldloc_1)
continue;
var ldlocs = instrs[i + 1];
if (ldlocs.OpCode.Code != Code.Ldloc_S)
continue;
var maybe = instrs[i + 2];
if (maybe.OpCode.Code == Code.Conv_U1) {
var callvirt = instrs[i + 3];
if (callvirt.OpCode.Code != Code.Callvirt)
return false;
bytes.Add(0);
continue;
}
var shr = instrs[i + 3];
if (shr.OpCode.Code != Code.Shr)
return false;
var convu1 = instrs[i + 4];
if (convu1.OpCode.Code != Code.Conv_U1)
return false;
int constant;
int index = i + 2;
if (!constantsReader.GetInt32(ref index, out constant))
return false;
bytes.Add(constant);
}
return false;
}
static MethodDef FindInt64Method(MethodDef method) { static MethodDef FindInt64Method(MethodDef method) {
foreach (var instr in method.Body.Instructions) { foreach (var instr in method.Body.Instructions) {
if (instr.OpCode.Code != Code.Call) if (instr.OpCode.Code != Code.Call)
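Review bot: `FindShiftInts` dereferences `method.Body.Instructions` on its first line with no null check, and the new `else` branch calls it during initialization with `decrypterType.Int64Method`, with no visible test of `decrypterType.Detected`. The enclosing method starts outside the hunk, so an earlier guard may exist, but the input is an obfuscated and possibly malformed assembly, so a missing or bodiless method should produce `return false` rather than a NullReferenceException. Assigning `bytes` first and then adding `if (method == null || method.Body == null) return false;` would cover that. The `bytes.Count >= 8` test runs only at the top of an iteration, so an eighth constant found on the last iteration falls through to `return false;`; ending the method with `return bytes.Count >= 8;` closes that edge. A short comment on `{ 24, 16, 8, 0, 16, 8, 0, 24 }` saying where the pre-5.0 defaults come from would help the next maintainer.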