Support Confuser 1.4 r58564 methods encrypter
This commit is contained in:
parent
17495e986f
commit
2a96ec9958
|
@ -33,6 +33,7 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
Unknown,
|
Unknown,
|
||||||
v14_r57884,
|
v14_r57884,
|
||||||
v14_r58004,
|
v14_r58004,
|
||||||
|
v14_r58564,
|
||||||
vXX,
|
vXX,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -49,7 +50,8 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
return false;
|
return false;
|
||||||
if (type.Methods.Count != 3)
|
if (type.Methods.Count != 3)
|
||||||
return false;
|
return false;
|
||||||
if (DotNetUtils.getPInvokeMethod(type, "kernel32", "VirtualProtect") == null)
|
var virtProtect = DotNetUtils.getPInvokeMethod(type, "kernel32", "VirtualProtect");
|
||||||
|
if (virtProtect == null)
|
||||||
return false;
|
return false;
|
||||||
if (!DotNetUtils.hasString(initMethod, "Broken file"))
|
if (!DotNetUtils.hasString(initMethod, "Broken file"))
|
||||||
return false;
|
return false;
|
||||||
|
@ -59,6 +61,8 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
|
|
||||||
if (!DotNetUtils.hasString(initMethod, "Module error"))
|
if (!DotNetUtils.hasString(initMethod, "Module error"))
|
||||||
version = ConfuserVersion.v14_r57884;
|
version = ConfuserVersion.v14_r57884;
|
||||||
|
else if (virtProtect.IsPrivate)
|
||||||
|
version = ConfuserVersion.v14_r58564;
|
||||||
else if (DotNetUtils.callsMethod(initMethod, "System.Void System.IO.FileStream::.ctor(System.String,System.IO.FileMode,System.IO.FileAccess,System.IO.FileShare)"))
|
else if (DotNetUtils.callsMethod(initMethod, "System.Void System.IO.FileStream::.ctor(System.String,System.IO.FileMode,System.IO.FileAccess,System.IO.FileShare)"))
|
||||||
version = ConfuserVersion.v14_r58004;
|
version = ConfuserVersion.v14_r58004;
|
||||||
else
|
else
|
||||||
|
@ -76,6 +80,11 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
case ConfuserVersion.v14_r58004:
|
case ConfuserVersion.v14_r58004:
|
||||||
break;
|
break;
|
||||||
|
|
||||||
|
case ConfuserVersion.v14_r58564:
|
||||||
|
if (!initializeKeys_v14_r58564())
|
||||||
|
throw new ApplicationException("Could not find all decryption keys");
|
||||||
|
break;
|
||||||
|
|
||||||
case ConfuserVersion.vXX:
|
case ConfuserVersion.vXX:
|
||||||
if (!initializeKeys_vXX())
|
if (!initializeKeys_vXX())
|
||||||
throw new ApplicationException("Could not find all decryption keys");
|
throw new ApplicationException("Could not find all decryption keys");
|
||||||
|
@ -86,6 +95,26 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
bool initializeKeys_v14_r58564() {
|
||||||
|
simpleDeobfuscator.deobfuscate(initMethod);
|
||||||
|
if (!findLKey0(initMethod, out lkey0))
|
||||||
|
return false;
|
||||||
|
if (!findKey0_v14_r58564(initMethod, out key0))
|
||||||
|
return false;
|
||||||
|
if (!findKey2Key3(initMethod, out key2, out key3))
|
||||||
|
return false;
|
||||||
|
if (!findKey4(initMethod, out key4))
|
||||||
|
return false;
|
||||||
|
if (!findKey5(initMethod, out key5))
|
||||||
|
return false;
|
||||||
|
|
||||||
|
simpleDeobfuscator.deobfuscate(decryptMethod);
|
||||||
|
if (!findKey6(decryptMethod, out key6))
|
||||||
|
return false;
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
bool initializeKeys_vXX() {
|
bool initializeKeys_vXX() {
|
||||||
simpleDeobfuscator.deobfuscate(initMethod);
|
simpleDeobfuscator.deobfuscate(initMethod);
|
||||||
if (!findLKey0(initMethod, out lkey0))
|
if (!findLKey0(initMethod, out lkey0))
|
||||||
|
@ -186,6 +215,7 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
switch (version) {
|
switch (version) {
|
||||||
case ConfuserVersion.v14_r57884: return decrypt_v14_r57884(peImage, fileData, ref dumpedMethods);
|
case ConfuserVersion.v14_r57884: return decrypt_v14_r57884(peImage, fileData, ref dumpedMethods);
|
||||||
case ConfuserVersion.v14_r58004: return decrypt_v14_r58004(peImage, fileData, ref dumpedMethods);
|
case ConfuserVersion.v14_r58004: return decrypt_v14_r58004(peImage, fileData, ref dumpedMethods);
|
||||||
|
case ConfuserVersion.v14_r58564: return decrypt_v14_r58004(peImage, fileData, ref dumpedMethods);
|
||||||
case ConfuserVersion.vXX: return decrypt_vXX(peImage, fileData, ref dumpedMethods);
|
case ConfuserVersion.vXX: return decrypt_vXX(peImage, fileData, ref dumpedMethods);
|
||||||
default: throw new ApplicationException("Unknown version");
|
default: throw new ApplicationException("Unknown version");
|
||||||
}
|
}
|
||||||
|
@ -212,7 +242,7 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
byte[] decryptMethodsData_v14_r57884(PeImage peImage) {
|
byte[] decryptMethodsData_v14_r57884(PeImage peImage) {
|
||||||
var reader = peImage.Reader;
|
var reader = peImage.Reader;
|
||||||
reader.BaseStream.Position = 0;
|
reader.BaseStream.Position = 0;
|
||||||
var md5SumData = reader.ReadBytes((int)peImage.OptionalHeader.checkSum);
|
var md5SumData = reader.ReadBytes((int)peImage.OptionalHeader.checkSum ^ (int)key0);
|
||||||
|
|
||||||
int csOffs = (int)peImage.OptionalHeader.Offset + 0x40;
|
int csOffs = (int)peImage.OptionalHeader.Offset + 0x40;
|
||||||
md5SumData[csOffs] = 0;
|
md5SumData[csOffs] = 0;
|
||||||
|
@ -220,11 +250,11 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
md5SumData[csOffs + 2] = 0;
|
md5SumData[csOffs + 2] = 0;
|
||||||
md5SumData[csOffs + 3] = 0;
|
md5SumData[csOffs + 3] = 0;
|
||||||
var md5Sum = DeobUtils.md5Sum(md5SumData);
|
var md5Sum = DeobUtils.md5Sum(md5SumData);
|
||||||
ulong checkSum = reader.ReadUInt64();
|
ulong checkSum = reader.ReadUInt64() ^ lkey0;
|
||||||
if (checkSum != calcChecksum(md5SumData))
|
if (checkSum != calcChecksum(md5SumData))
|
||||||
throw new ApplicationException("Invalid checksum. File has been modified.");
|
throw new ApplicationException("Invalid checksum. File has been modified.");
|
||||||
var iv = reader.ReadBytes(reader.ReadInt32());
|
var iv = reader.ReadBytes(reader.ReadInt32() ^ (int)key2);
|
||||||
var encrypted = reader.ReadBytes(reader.ReadInt32());
|
var encrypted = reader.ReadBytes(reader.ReadInt32() ^ (int)key3);
|
||||||
var decrypted = decrypt(encrypted, iv, md5SumData);
|
var decrypted = decrypt(encrypted, iv, md5SumData);
|
||||||
if (BitConverter.ToInt16(decrypted, 0) != 0x6FD6)
|
if (BitConverter.ToInt16(decrypted, 0) != 0x6FD6)
|
||||||
throw new ApplicationException("Invalid magic");
|
throw new ApplicationException("Invalid magic");
|
||||||
|
@ -233,16 +263,19 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
|
|
||||||
bool decrypt_v14_r58004(PeImage peImage, byte[] fileData, ref DumpedMethods dumpedMethods) {
|
bool decrypt_v14_r58004(PeImage peImage, byte[] fileData, ref DumpedMethods dumpedMethods) {
|
||||||
methodsData = decryptMethodsData_v14_r57884(peImage);
|
methodsData = decryptMethodsData_v14_r57884(peImage);
|
||||||
|
return decryptImage_v14_r58004(peImage, fileData, ref dumpedMethods);
|
||||||
|
}
|
||||||
|
|
||||||
|
bool decryptImage_v14_r58004(PeImage peImage, byte[] fileData, ref DumpedMethods dumpedMethods) {
|
||||||
var reader = new BinaryReader(new MemoryStream(methodsData));
|
var reader = new BinaryReader(new MemoryStream(methodsData));
|
||||||
reader.ReadInt16(); // sig
|
reader.ReadInt16(); // sig
|
||||||
var writer = new BinaryWriter(new MemoryStream(fileData));
|
var writer = new BinaryWriter(new MemoryStream(fileData));
|
||||||
int numInfos = reader.ReadInt32();
|
int numInfos = reader.ReadInt32();
|
||||||
for (int i = 0; i < numInfos; i++) {
|
for (int i = 0; i < numInfos; i++) {
|
||||||
uint offs = reader.ReadUInt32();
|
uint offs = reader.ReadUInt32() ^ key4;
|
||||||
if (offs == 0)
|
if (offs == 0)
|
||||||
continue;
|
continue;
|
||||||
uint rva = reader.ReadUInt32();
|
uint rva = reader.ReadUInt32() ^ key4;
|
||||||
if (peImage.rvaToOffset(rva) != offs)
|
if (peImage.rvaToOffset(rva) != offs)
|
||||||
throw new ApplicationException("Invalid offs & rva");
|
throw new ApplicationException("Invalid offs & rva");
|
||||||
writer.BaseStream.Position = peImage.rvaToOffset(rva);
|
writer.BaseStream.Position = peImage.rvaToOffset(rva);
|
||||||
|
|
|
@ -74,8 +74,14 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
if (instr.OpCode.Code != Code.Call)
|
if (instr.OpCode.Code != Code.Call)
|
||||||
continue;
|
continue;
|
||||||
var calledMethod = instr.Operand as MethodDefinition;
|
var calledMethod = instr.Operand as MethodDefinition;
|
||||||
if (calledMethod == null || calledMethod.Body == null)
|
try {
|
||||||
|
// If the body is encrypted, this could throw
|
||||||
|
if (calledMethod == null || calledMethod.Body == null)
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
catch {
|
||||||
continue;
|
continue;
|
||||||
|
}
|
||||||
if (!DotNetUtils.isMethod(calledMethod, "System.Void", "()"))
|
if (!DotNetUtils.isMethod(calledMethod, "System.Void", "()"))
|
||||||
continue;
|
continue;
|
||||||
if (!checkType(calledMethod.DeclaringType, calledMethod))
|
if (!checkType(calledMethod.DeclaringType, calledMethod))
|
||||||
|
@ -152,6 +158,37 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
protected static bool findKey0_v14_r58564(MethodDefinition method, out uint key) {
|
||||||
|
var instrs = method.Body.Instructions;
|
||||||
|
for (int i = 0; i + 5 < instrs.Count; i++) {
|
||||||
|
i = ConfuserUtils.findCallMethod(instrs, i, Code.Callvirt, "System.Int32 System.IO.BinaryReader::ReadInt32()");
|
||||||
|
if (i < 0)
|
||||||
|
break;
|
||||||
|
|
||||||
|
int index = i + 1;
|
||||||
|
var ldci4_1 = instrs[index++];
|
||||||
|
if (!DotNetUtils.isLdcI4(ldci4_1))
|
||||||
|
continue;
|
||||||
|
if (instrs[index++].OpCode.Code != Code.Xor)
|
||||||
|
continue;
|
||||||
|
if (!DotNetUtils.isStloc(instrs[index++]))
|
||||||
|
continue;
|
||||||
|
if (!DotNetUtils.isLdloc(instrs[index++]))
|
||||||
|
continue;
|
||||||
|
var ldci4_2 = instrs[index++];
|
||||||
|
if (!DotNetUtils.isLdcI4(ldci4_2))
|
||||||
|
continue;
|
||||||
|
if (DotNetUtils.getLdcI4Value(ldci4_2) != 0)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
key = (uint)DotNetUtils.getLdcI4Value(ldci4_1);
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
key = 0;
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
protected static bool findKey1(MethodDefinition method, out uint key) {
|
protected static bool findKey1(MethodDefinition method, out uint key) {
|
||||||
var instrs = method.Body.Instructions;
|
var instrs = method.Body.Instructions;
|
||||||
for (int index = 0; index < instrs.Count; index++) {
|
for (int index = 0; index < instrs.Count; index++) {
|
||||||
|
|
Loading…
Reference in New Issue
Block a user