Detect some unsupported obfuscators

2011-10-05 17:22:56 +02:00 · 2011-10-05 17:22:56 +02:00 · 1c721b017e
commit 1c721b017e
parent d2b621b5b3
1 changed files with 88 additions and 1 deletions
--- a/de4dot.code/deobfuscators/Unknown/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/Unknown/Deobfuscator.cs
@ -17,6 +17,8 @@
    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
 */

+using System.Text.RegularExpressions;
+
 namespace de4dot.deobfuscators.Unknown {
 	class DeobfuscatorInfo : DeobfuscatorInfoBase {
 		public DeobfuscatorInfo()
@ -40,6 +42,8 @@ namespace de4dot.deobfuscators.Unknown {
 	}

 	class Deobfuscator : DeobfuscatorBase {
+		string obfuscatorName = "Unknown Obfuscator";
+
 		internal class Options : OptionsBase {
 		}

@ -48,7 +52,7 @@ namespace de4dot.deobfuscators.Unknown {
 		}

 		public override string Name {
-			get { return "Unknown Obfuscator"; }
+			get { return obfuscatorName; }
 		}

 		public Deobfuscator(Options options)
@ -56,7 +60,90 @@ namespace de4dot.deobfuscators.Unknown {
 		}

 		public override int detect() {
+			scanForObfuscator();
 			return 1;
 		}
+
+		protected override void scanForObfuscatorInternal() {
+			var name = scanTypes();
+			if (name != null)
+				obfuscatorName = name;
+		}
+
+		string scanTypes() {
+			foreach (var type in module.Types) {
+				if (type.FullName == "BabelAttribute")
+					return "Babel .NET";
+				if (type.Namespace == "___codefort")
+					return "CodeFort";
+				if (type.FullName == "____KILL")
+					return "DeployLX CodeVeil";
+				if (type.FullName == "CryptoObfuscator.ProtectedWithCryptoObfuscatorAttribute")
+					return "Crypto Obfuscator";
+				if (type.FullName == "AssemblyObfuscatedByGoliath" || type.FullName == "Goliath.NET.Obfuscator.Attribute.ObfuscatedByGoliath")
+					return "Goliath .NET";
+				if (type.FullName == "Xenocode.Client.Attributes.AssemblyAttributes.ProcessedByXenocode")
+					return "Xenocode";
+				if (type.FullName == "ZYXDNGuarder")
+					return "DNGuard HVM";
+				if (type.FullName == "InfaceMaxtoCode")
+					return "MaxtoCode";
+			}
+			return checkDotNetReactor() ?? checkCryptoObfuscator() ?? checkMancoObfuscator();
+		}
+
+		string checkDotNetReactor() {
+			foreach (var type in module.Types) {
+				if (Regex.IsMatch(type.Name, @"^<PrivateImplementationDetails>\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\}$")) {
+					foreach (var method in type.Methods) {
+						if (!method.IsStatic)
+							continue;
+						if (Regex.IsMatch(method.Name, @"^CS\$\d+\$[0-9A-F]{4}$"))
+							return ".NET Reactor";
+					}
+					foreach (var field in type.Fields) {
+						if (!field.IsStatic)
+							continue;
+						if (Regex.IsMatch(field.FieldType.Name, @"^__StaticArrayInitTypeSize=[1-9]\d*$") ||
+							Regex.IsMatch(field.Name, @"^fieldimpl[1-9]\d*$") ||
+							Regex.IsMatch(field.Name, @"^\$\$method0x6[0-9a-f]{6}-\d+$") ||
+							Regex.IsMatch(field.Name, @"^CS\$\d+\$[0-9A-F]{4}$"))
+							return ".NET Reactor";
+					}
+				}
+			}
+			return null;
+		}
+
+		string checkCryptoObfuscator() {
+			int matched = 0;
+			foreach (var type in module.Types) {
+				if (type.Namespace != "A")
+					continue;
+				if (Regex.IsMatch(type.Name, "^c[0-9a-f]{32}$") || Regex.IsMatch(type.Name, "^A[A-Z]*$")) {
+					if (++matched >= 20)
+						return "Crypto Obfuscator";
+				}
+			}
+			return null;
+		}
+
+		string checkMancoObfuscator() {
+			int matched = 0;
+			const string substr = "();\t";
+			foreach (var type in module.GetTypes()) {
+				if (type.Name.Contains(substr)) {
+					if (++matched >= 20)
+						return "Manco .NET Obfuscator";
+				}
+				foreach (var field in type.Fields) {
+					if (field.Name.Contains(substr)) {
+						if (++matched >= 20)
+							return "Manco .NET Obfuscator";
+					}
+				}
+			}
+			return null;
+		}
 	}
 }