Support Confuser 1.4 r58802 string decrypter
This commit is contained in:
parent
c2d56bd8d1
commit
17db2d332e
|
@ -30,7 +30,7 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
ModuleDefinition module;
|
ModuleDefinition module;
|
||||||
MethodDefinition decryptMethod;
|
MethodDefinition decryptMethod;
|
||||||
EmbeddedResource resource;
|
EmbeddedResource resource;
|
||||||
uint magic1, magic2;
|
uint magic1, magic2, key1;
|
||||||
BinaryReader reader;
|
BinaryReader reader;
|
||||||
ConfuserVersion version = ConfuserVersion.Unknown;
|
ConfuserVersion version = ConfuserVersion.Unknown;
|
||||||
Decrypter decrypter;
|
Decrypter decrypter;
|
||||||
|
@ -40,6 +40,8 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
v10_r42915,
|
v10_r42915,
|
||||||
v10_r48832,
|
v10_r48832,
|
||||||
v11_r49299,
|
v11_r49299,
|
||||||
|
v14_r58802_safe, // "safe" string decrypter
|
||||||
|
v14_r58802_dynamic, // "dynamic" string decrypter
|
||||||
}
|
}
|
||||||
|
|
||||||
abstract class Decrypter {
|
abstract class Decrypter {
|
||||||
|
@ -53,8 +55,15 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
}
|
}
|
||||||
|
|
||||||
class Decrypter_v10_r42915 : Decrypter {
|
class Decrypter_v10_r42915 : Decrypter {
|
||||||
|
int? key;
|
||||||
|
|
||||||
public Decrypter_v10_r42915(StringDecrypter stringDecrypter)
|
public Decrypter_v10_r42915(StringDecrypter stringDecrypter)
|
||||||
|
: this(stringDecrypter, null) {
|
||||||
|
}
|
||||||
|
|
||||||
|
public Decrypter_v10_r42915(StringDecrypter stringDecrypter, int? key)
|
||||||
: base(stringDecrypter) {
|
: base(stringDecrypter) {
|
||||||
|
this.key = key;
|
||||||
}
|
}
|
||||||
|
|
||||||
public override string decrypt(MethodDefinition caller, int magic) {
|
public override string decrypt(MethodDefinition caller, int magic) {
|
||||||
|
@ -62,7 +71,7 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
reader.BaseStream.Position = (caller.MetadataToken.ToInt32() ^ magic) - stringDecrypter.magic1;
|
reader.BaseStream.Position = (caller.MetadataToken.ToInt32() ^ magic) - stringDecrypter.magic1;
|
||||||
int len = reader.ReadInt32() ^ (int)~stringDecrypter.magic2;
|
int len = reader.ReadInt32() ^ (int)~stringDecrypter.magic2;
|
||||||
var bytes = reader.ReadBytes(len);
|
var bytes = reader.ReadBytes(len);
|
||||||
var rand = new Random(caller.MetadataToken.ToInt32());
|
var rand = new Random(key == null ? caller.MetadataToken.ToInt32() : key.Value);
|
||||||
|
|
||||||
int mask = 0;
|
int mask = 0;
|
||||||
for (int i = 0; i < bytes.Length; i++) {
|
for (int i = 0; i < bytes.Length; i++) {
|
||||||
|
@ -301,18 +310,35 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
|
|
||||||
simpleDeobfuscator.deobfuscate(method);
|
simpleDeobfuscator.deobfuscate(method);
|
||||||
|
|
||||||
if (!findMagic1(method, out magic1))
|
bool foundOldMagic1;
|
||||||
|
if (findMagic1(method, out magic1))
|
||||||
|
foundOldMagic1 = true;
|
||||||
|
else if (findNewMagic1(method, out magic1))
|
||||||
|
foundOldMagic1 = false;
|
||||||
|
else
|
||||||
continue;
|
continue;
|
||||||
if (!findMagic2(method, out magic2))
|
if (!findMagic2(method, out magic2))
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
if (DotNetUtils.callsMethod(method, "System.Text.Encoding System.Text.Encoding::get_UTF8()"))
|
version = ConfuserVersion.Unknown;
|
||||||
version = ConfuserVersion.v10_r42915;
|
if (DotNetUtils.callsMethod(method, "System.Text.Encoding System.Text.Encoding::get_UTF8()")) {
|
||||||
else if (!localTypes.exists("System.Random"))
|
if (foundOldMagic1)
|
||||||
version = ConfuserVersion.v11_r49299;
|
version = ConfuserVersion.v10_r42915;
|
||||||
|
else {
|
||||||
|
if (!findSafeKey1(method, out key1))
|
||||||
|
continue;
|
||||||
|
version = ConfuserVersion.v14_r58802_safe;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else if (!localTypes.exists("System.Random")) {
|
||||||
|
if (foundOldMagic1)
|
||||||
|
version = ConfuserVersion.v11_r49299;
|
||||||
|
else
|
||||||
|
version = ConfuserVersion.v14_r58802_dynamic;
|
||||||
|
}
|
||||||
else if (localTypes.exists("System.Collections.Generic.Dictionary`2<System.Int32,System.String>"))
|
else if (localTypes.exists("System.Collections.Generic.Dictionary`2<System.Int32,System.String>"))
|
||||||
version = ConfuserVersion.v10_r48832;
|
version = ConfuserVersion.v10_r48832;
|
||||||
else
|
if (version == ConfuserVersion.Unknown)
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
decryptMethod = method;
|
decryptMethod = method;
|
||||||
|
@ -351,6 +377,28 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static bool findNewMagic1(MethodDefinition method, out uint magic) {
|
||||||
|
var instrs = method.Body.Instructions;
|
||||||
|
for (int i = 0; i < instrs.Count - 4; i++) {
|
||||||
|
if (instrs[i].OpCode.Code != Code.Ldarg_0)
|
||||||
|
continue;
|
||||||
|
if (instrs[i + 1].OpCode.Code != Code.Xor)
|
||||||
|
continue;
|
||||||
|
var ldci4 = instrs[i + 2];
|
||||||
|
if (!DotNetUtils.isLdcI4(ldci4))
|
||||||
|
continue;
|
||||||
|
if (instrs[i + 3].OpCode.Code != Code.Sub)
|
||||||
|
continue;
|
||||||
|
if (!DotNetUtils.isStloc(instrs[i + 4]))
|
||||||
|
continue;
|
||||||
|
|
||||||
|
magic = (uint)DotNetUtils.getLdcI4Value(ldci4);
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
magic = 0;
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
static bool findMagic2(MethodDefinition method, out uint magic) {
|
static bool findMagic2(MethodDefinition method, out uint magic) {
|
||||||
var instrs = method.Body.Instructions;
|
var instrs = method.Body.Instructions;
|
||||||
for (int i = 0; i < instrs.Count; i++) {
|
for (int i = 0; i < instrs.Count; i++) {
|
||||||
|
@ -377,6 +425,26 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static bool findSafeKey1(MethodDefinition method, out uint key) {
|
||||||
|
var instrs = method.Body.Instructions;
|
||||||
|
for (int i = 0; i < instrs.Count; i++) {
|
||||||
|
int index = ConfuserUtils.findCallMethod(instrs, i, Code.Newobj, "System.Void System.Random::.ctor(System.Int32)");
|
||||||
|
if (index < 0)
|
||||||
|
break;
|
||||||
|
if (index == 0)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
var ldci4 = instrs[index - 1];
|
||||||
|
if (!DotNetUtils.isLdcI4(ldci4))
|
||||||
|
continue;
|
||||||
|
|
||||||
|
key = (uint)DotNetUtils.getLdcI4Value(ldci4);
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
key = 0;
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
public void initialize() {
|
public void initialize() {
|
||||||
if (decryptMethod == null)
|
if (decryptMethod == null)
|
||||||
return;
|
return;
|
||||||
|
@ -396,9 +464,14 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case ConfuserVersion.v11_r49299:
|
case ConfuserVersion.v11_r49299:
|
||||||
|
case ConfuserVersion.v14_r58802_dynamic:
|
||||||
decrypter = new Decrypter_v11_r49299(this);
|
decrypter = new Decrypter_v11_r49299(this);
|
||||||
break;
|
break;
|
||||||
|
|
||||||
|
case ConfuserVersion.v14_r58802_safe:
|
||||||
|
decrypter = new Decrypter_v10_r42915(this, (int)key1);
|
||||||
|
break;
|
||||||
|
|
||||||
default:
|
default:
|
||||||
throw new ApplicationException("Invalid version");
|
throw new ApplicationException("Invalid version");
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue
Block a user