Add constants decrypter

2012-07-11 02:18:01 +02:00 · 2012-07-11 02:18:01 +02:00 · 2aa3c8aaea
commit 2aa3c8aaea
parent 8f2f2f46ce
3 changed files with 180 additions and 1 deletions
--- a/de4dot.code/de4dot.code.csproj
+++ b/de4dot.code/de4dot.code.csproj
@ -67,6 +67,7 @@
    <Compile Include="deobfuscators\Babel_NET\MemberReferenceConverter.cs" />
    <Compile Include="deobfuscators\Babel_NET\MethodBodyReader.cs" />
    <Compile Include="deobfuscators\Babel_NET\MethodReferenceReader.cs" />
+    <Compile Include="deobfuscators\CryptoObfuscator\ConstantsDecrypter.cs" />
    <Compile Include="deobfuscators\MethodBodyReaderBase.cs" />
    <Compile Include="deobfuscators\Babel_NET\MethodsDecrypter.cs" />
    <Compile Include="deobfuscators\Babel_NET\ProxyDelegateFinder.cs" />
--- a/de4dot.code/deobfuscators/CryptoObfuscator/ConstantsDecrypter.cs
+++ b/de4dot.code/deobfuscators/CryptoObfuscator/ConstantsDecrypter.cs
@ -0,0 +1,145 @@
+/*
+    Copyright (C) 2011-2012 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System;
+using System.Collections.Generic;
+using System.Text;
+using Mono.Cecil;
+using de4dot.blocks;
+
+namespace de4dot.code.deobfuscators.CryptoObfuscator {
+	class ConstantsDecrypter {
+		ModuleDefinition module;
+		TypeDefinition decrypterType;
+		MethodDefinition methodI4;
+		MethodDefinition methodI8;
+		MethodDefinition methodR4;
+		MethodDefinition methodR8;
+		EmbeddedResource encryptedResource;
+		byte[] constantsData;
+
+		public TypeDefinition Type {
+			get { return decrypterType; }
+		}
+
+		public EmbeddedResource Resource {
+			get { return encryptedResource; }
+		}
+
+		public MethodDefinition Int32Decrypter {
+			get { return methodI4; }
+		}
+
+		public MethodDefinition Int64Decrypter {
+			get { return methodI8; }
+		}
+
+		public MethodDefinition SingleDecrypter {
+			get { return methodR4; }
+		}
+
+		public MethodDefinition DoubleDecrypter {
+			get { return methodR8; }
+		}
+
+		public bool Detected {
+			get { return decrypterType != null; }
+		}
+
+		public ConstantsDecrypter(ModuleDefinition module) {
+			this.module = module;
+		}
+
+		public void find() {
+			foreach (var type in module.Types) {
+				if (!checkType(type))
+					continue;
+
+				decrypterType = type;
+				return;
+			}
+		}
+
+		static readonly string[] requiredTypes = new string[] {
+			"System.Byte[]",
+		};
+		bool checkType(TypeDefinition type) {
+			if (type.Methods.Count != 7)
+				return false;
+			if (type.Fields.Count != 1)
+				return false;
+			if (!new FieldTypes(type).all(requiredTypes))
+				return false;
+			if (!checkMethods(type))
+				return false;
+
+			return true;
+		}
+
+		bool checkMethods(TypeDefinition type) {
+			methodI4 = DotNetUtils.getMethod(type, "System.Int32", "(System.Int32)");
+			methodI8 = DotNetUtils.getMethod(type, "System.Int64", "(System.Int32)");
+			methodR4 = DotNetUtils.getMethod(type, "System.Single", "(System.Int32)");
+			methodR8 = DotNetUtils.getMethod(type, "System.Double", "(System.Int32)");
+
+			return methodI4 != null && methodI8 != null &&
+				methodR4 != null && methodR8 != null;
+		}
+
+		public void init(ResourceDecrypter resourceDecrypter) {
+			if (decrypterType == null)
+				return;
+
+			encryptedResource = getResource(module, DotNetUtils.getCodeStrings(DotNetUtils.getMethod(decrypterType, ".cctor")));
+			constantsData = resourceDecrypter.decrypt(encryptedResource.GetResourceStream());
+		}
+
+		static EmbeddedResource getResource(ModuleDefinition module, IEnumerable<string> names) {
+			foreach (var name in names) {
+				var resource = DotNetUtils.getResource(module, name) as EmbeddedResource;
+				if (resource != null)
+					return resource;
+				try {
+					resource = DotNetUtils.getResource(module, Encoding.UTF8.GetString(Convert.FromBase64String(name))) as EmbeddedResource;
+					if (resource != null)
+						return resource;
+				}
+				catch {
+				}
+			}
+			return null;
+		}
+
+		public int decryptInt32(int index) {
+			return BitConverter.ToInt32(constantsData, index);
+		}
+
+		public long decryptInt64(int index) {
+			return BitConverter.ToInt64(constantsData, index);
+		}
+
+		public float decryptSingle(int index) {
+			return BitConverter.ToSingle(constantsData, index);
+		}
+
+		public double decryptDouble(int index) {
+			return BitConverter.ToDouble(constantsData, index);
+		}
+	}
+}
--- a/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs
@ -29,10 +29,12 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 		public const string THE_TYPE = "co";
 		const string DEFAULT_REGEX = @"!^(get_|set_|add_|remove_)?[A-Z]{1,3}(?:`\d+)?$&!^(get_|set_|add_|remove_)?c[0-9a-f]{32}(?:`\d+)?$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
 		BoolOption removeTamperProtection;
+		BoolOption decryptConstants;

 		public DeobfuscatorInfo()
 			: base(DEFAULT_REGEX) {
 			removeTamperProtection = new BoolOption(null, makeArgName("tamper"), "Remove tamper protection code", true);
+			decryptConstants = new BoolOption(null, makeArgName("consts"), "Decrypt constants", true);
 		}

 		public override string Name {
@ -47,12 +49,14 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 			return new Deobfuscator(new Deobfuscator.Options {
 				ValidNameRegex = validNameRegex.get(),
 				RemoveTamperProtection = removeTamperProtection.get(),
+				DecryptConstants = decryptConstants.get(),
 			});
 		}

 		protected override IEnumerable<Option> getOptionsInternal() {
 			return new List<Option>() {
 				removeTamperProtection,
+				decryptConstants,
 			};
 		}
 	}
@ -71,9 +75,15 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 		StringDecrypter stringDecrypter;
 		TamperDetection tamperDetection;
 		AntiDebugger antiDebugger;
+		ConstantsDecrypter constantsDecrypter;
+		Int32ValueInliner int32ValueInliner;
+		Int64ValueInliner int64ValueInliner;
+		SingleValueInliner singleValueInliner;
+		DoubleValueInliner doubleValueInliner;

 		internal class Options : OptionsBase {
 			public bool RemoveTamperProtection { get; set; }
+			public bool DecryptConstants { get; set; }
 		}

 		public override string Type {
@ -103,7 +113,8 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {

 			int sum = toInt32(stringDecrypter.Detected) +
 					toInt32(tamperDetection.Detected) +
-					toInt32(proxyDelegateFinder.Detected);
+					toInt32(proxyDelegateFinder.Detected) +
+					toInt32(constantsDecrypter.Detected);
 			if (sum > 0)
 				val += 100 + 10 * (sum - 1);
 			if (foundCryptoObfuscatorAttribute || foundObfuscatedSymbols || foundObfuscatorUserString)
@ -129,6 +140,8 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 			stringDecrypter.find();
 			tamperDetection = new TamperDetection(module);
 			tamperDetection.find();
+			constantsDecrypter = new ConstantsDecrypter(module);
+			constantsDecrypter.find();
 			foundObfuscatorUserString = Utils.StartsWith(module.GetUserString(1), "\u0011\"3D9B94A98B-76A8-4810-B1A0-4BE7C4F9C98D", StringComparison.Ordinal);
 		}

@ -180,6 +193,20 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
 			antiDebugger = new AntiDebugger(module, DeobfuscatedFile, this);
 			antiDebugger.find();

+			if (options.DecryptConstants) {
+				constantsDecrypter.init(resourceDecrypter);
+				int32ValueInliner = new Int32ValueInliner();
+				int32ValueInliner.add(constantsDecrypter.Int32Decrypter, (method, args) => constantsDecrypter.decryptInt32((int)args[0]));
+				int64ValueInliner = new Int64ValueInliner();
+				int64ValueInliner.add(constantsDecrypter.Int64Decrypter, (method, args) => constantsDecrypter.decryptInt64((int)args[0]));
+				singleValueInliner = new SingleValueInliner();
+				singleValueInliner.add(constantsDecrypter.SingleDecrypter, (method, args) => constantsDecrypter.decryptSingle((int)args[0]));
+				doubleValueInliner = new DoubleValueInliner();
+				doubleValueInliner.add(constantsDecrypter.DoubleDecrypter, (method, args) => constantsDecrypter.decryptDouble((int)args[0]));
+				addTypeToBeRemoved(constantsDecrypter.Type, "Constants decrypter type");
+				addResourceToBeRemoved(constantsDecrypter.Resource, "Encrypted constants");
+			}
+
 			addModuleCctorInitCallToBeRemoved(resourceResolver.Method);
 			addModuleCctorInitCallToBeRemoved(assemblyResolver.Method);
 			addCallToBeRemoved(module.EntryPoint, tamperDetection.Method);
@ -198,6 +225,12 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {

 		public override void deobfuscateMethodEnd(Blocks blocks) {
 			proxyDelegateFinder.deobfuscate(blocks);
+			if (options.DecryptConstants) {
+				int32ValueInliner.decrypt(blocks);
+				int64ValueInliner.decrypt(blocks);
+				singleValueInliner.decrypt(blocks);
+				doubleValueInliner.decrypt(blocks);
+			}
 			base.deobfuscateMethodEnd(blocks);
 		}