Add constants decrypter
This commit is contained in:
parent
8f2f2f46ce
commit
2aa3c8aaea
|
@ -67,6 +67,7 @@
|
|||
<Compile Include="deobfuscators\Babel_NET\MemberReferenceConverter.cs" />
|
||||
<Compile Include="deobfuscators\Babel_NET\MethodBodyReader.cs" />
|
||||
<Compile Include="deobfuscators\Babel_NET\MethodReferenceReader.cs" />
|
||||
<Compile Include="deobfuscators\CryptoObfuscator\ConstantsDecrypter.cs" />
|
||||
<Compile Include="deobfuscators\MethodBodyReaderBase.cs" />
|
||||
<Compile Include="deobfuscators\Babel_NET\MethodsDecrypter.cs" />
|
||||
<Compile Include="deobfuscators\Babel_NET\ProxyDelegateFinder.cs" />
|
||||
|
|
145
de4dot.code/deobfuscators/CryptoObfuscator/ConstantsDecrypter.cs
Normal file
145
de4dot.code/deobfuscators/CryptoObfuscator/ConstantsDecrypter.cs
Normal file
|
@ -0,0 +1,145 @@
|
|||
/*
|
||||
Copyright (C) 2011-2012 de4dot@gmail.com
|
||||
|
||||
This file is part of de4dot.
|
||||
|
||||
de4dot is free software: you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation, either version 3 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
de4dot is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.Text;
|
||||
using Mono.Cecil;
|
||||
using de4dot.blocks;
|
||||
|
||||
namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||
class ConstantsDecrypter {
|
||||
ModuleDefinition module;
|
||||
TypeDefinition decrypterType;
|
||||
MethodDefinition methodI4;
|
||||
MethodDefinition methodI8;
|
||||
MethodDefinition methodR4;
|
||||
MethodDefinition methodR8;
|
||||
EmbeddedResource encryptedResource;
|
||||
byte[] constantsData;
|
||||
|
||||
public TypeDefinition Type {
|
||||
get { return decrypterType; }
|
||||
}
|
||||
|
||||
public EmbeddedResource Resource {
|
||||
get { return encryptedResource; }
|
||||
}
|
||||
|
||||
public MethodDefinition Int32Decrypter {
|
||||
get { return methodI4; }
|
||||
}
|
||||
|
||||
public MethodDefinition Int64Decrypter {
|
||||
get { return methodI8; }
|
||||
}
|
||||
|
||||
public MethodDefinition SingleDecrypter {
|
||||
get { return methodR4; }
|
||||
}
|
||||
|
||||
public MethodDefinition DoubleDecrypter {
|
||||
get { return methodR8; }
|
||||
}
|
||||
|
||||
public bool Detected {
|
||||
get { return decrypterType != null; }
|
||||
}
|
||||
|
||||
public ConstantsDecrypter(ModuleDefinition module) {
|
||||
this.module = module;
|
||||
}
|
||||
|
||||
public void find() {
|
||||
foreach (var type in module.Types) {
|
||||
if (!checkType(type))
|
||||
continue;
|
||||
|
||||
decrypterType = type;
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
static readonly string[] requiredTypes = new string[] {
|
||||
"System.Byte[]",
|
||||
};
|
||||
bool checkType(TypeDefinition type) {
|
||||
if (type.Methods.Count != 7)
|
||||
return false;
|
||||
if (type.Fields.Count != 1)
|
||||
return false;
|
||||
if (!new FieldTypes(type).all(requiredTypes))
|
||||
return false;
|
||||
if (!checkMethods(type))
|
||||
return false;
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
bool checkMethods(TypeDefinition type) {
|
||||
methodI4 = DotNetUtils.getMethod(type, "System.Int32", "(System.Int32)");
|
||||
methodI8 = DotNetUtils.getMethod(type, "System.Int64", "(System.Int32)");
|
||||
methodR4 = DotNetUtils.getMethod(type, "System.Single", "(System.Int32)");
|
||||
methodR8 = DotNetUtils.getMethod(type, "System.Double", "(System.Int32)");
|
||||
|
||||
return methodI4 != null && methodI8 != null &&
|
||||
methodR4 != null && methodR8 != null;
|
||||
}
|
||||
|
||||
public void init(ResourceDecrypter resourceDecrypter) {
|
||||
if (decrypterType == null)
|
||||
return;
|
||||
|
||||
encryptedResource = getResource(module, DotNetUtils.getCodeStrings(DotNetUtils.getMethod(decrypterType, ".cctor")));
|
||||
constantsData = resourceDecrypter.decrypt(encryptedResource.GetResourceStream());
|
||||
}
|
||||
|
||||
static EmbeddedResource getResource(ModuleDefinition module, IEnumerable<string> names) {
|
||||
foreach (var name in names) {
|
||||
var resource = DotNetUtils.getResource(module, name) as EmbeddedResource;
|
||||
if (resource != null)
|
||||
return resource;
|
||||
try {
|
||||
resource = DotNetUtils.getResource(module, Encoding.UTF8.GetString(Convert.FromBase64String(name))) as EmbeddedResource;
|
||||
if (resource != null)
|
||||
return resource;
|
||||
}
|
||||
catch {
|
||||
}
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
public int decryptInt32(int index) {
|
||||
return BitConverter.ToInt32(constantsData, index);
|
||||
}
|
||||
|
||||
public long decryptInt64(int index) {
|
||||
return BitConverter.ToInt64(constantsData, index);
|
||||
}
|
||||
|
||||
public float decryptSingle(int index) {
|
||||
return BitConverter.ToSingle(constantsData, index);
|
||||
}
|
||||
|
||||
public double decryptDouble(int index) {
|
||||
return BitConverter.ToDouble(constantsData, index);
|
||||
}
|
||||
}
|
||||
}
|
|
@ -29,10 +29,12 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
public const string THE_TYPE = "co";
|
||||
const string DEFAULT_REGEX = @"!^(get_|set_|add_|remove_)?[A-Z]{1,3}(?:`\d+)?$&!^(get_|set_|add_|remove_)?c[0-9a-f]{32}(?:`\d+)?$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
|
||||
BoolOption removeTamperProtection;
|
||||
BoolOption decryptConstants;
|
||||
|
||||
public DeobfuscatorInfo()
|
||||
: base(DEFAULT_REGEX) {
|
||||
removeTamperProtection = new BoolOption(null, makeArgName("tamper"), "Remove tamper protection code", true);
|
||||
decryptConstants = new BoolOption(null, makeArgName("consts"), "Decrypt constants", true);
|
||||
}
|
||||
|
||||
public override string Name {
|
||||
|
@ -47,12 +49,14 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
return new Deobfuscator(new Deobfuscator.Options {
|
||||
ValidNameRegex = validNameRegex.get(),
|
||||
RemoveTamperProtection = removeTamperProtection.get(),
|
||||
DecryptConstants = decryptConstants.get(),
|
||||
});
|
||||
}
|
||||
|
||||
protected override IEnumerable<Option> getOptionsInternal() {
|
||||
return new List<Option>() {
|
||||
removeTamperProtection,
|
||||
decryptConstants,
|
||||
};
|
||||
}
|
||||
}
|
||||
|
@ -71,9 +75,15 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
StringDecrypter stringDecrypter;
|
||||
TamperDetection tamperDetection;
|
||||
AntiDebugger antiDebugger;
|
||||
ConstantsDecrypter constantsDecrypter;
|
||||
Int32ValueInliner int32ValueInliner;
|
||||
Int64ValueInliner int64ValueInliner;
|
||||
SingleValueInliner singleValueInliner;
|
||||
DoubleValueInliner doubleValueInliner;
|
||||
|
||||
internal class Options : OptionsBase {
|
||||
public bool RemoveTamperProtection { get; set; }
|
||||
public bool DecryptConstants { get; set; }
|
||||
}
|
||||
|
||||
public override string Type {
|
||||
|
@ -103,7 +113,8 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
|
||||
int sum = toInt32(stringDecrypter.Detected) +
|
||||
toInt32(tamperDetection.Detected) +
|
||||
toInt32(proxyDelegateFinder.Detected);
|
||||
toInt32(proxyDelegateFinder.Detected) +
|
||||
toInt32(constantsDecrypter.Detected);
|
||||
if (sum > 0)
|
||||
val += 100 + 10 * (sum - 1);
|
||||
if (foundCryptoObfuscatorAttribute || foundObfuscatedSymbols || foundObfuscatorUserString)
|
||||
|
@ -129,6 +140,8 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
stringDecrypter.find();
|
||||
tamperDetection = new TamperDetection(module);
|
||||
tamperDetection.find();
|
||||
constantsDecrypter = new ConstantsDecrypter(module);
|
||||
constantsDecrypter.find();
|
||||
foundObfuscatorUserString = Utils.StartsWith(module.GetUserString(1), "\u0011\"3D9B94A98B-76A8-4810-B1A0-4BE7C4F9C98D", StringComparison.Ordinal);
|
||||
}
|
||||
|
||||
|
@ -180,6 +193,20 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
antiDebugger = new AntiDebugger(module, DeobfuscatedFile, this);
|
||||
antiDebugger.find();
|
||||
|
||||
if (options.DecryptConstants) {
|
||||
constantsDecrypter.init(resourceDecrypter);
|
||||
int32ValueInliner = new Int32ValueInliner();
|
||||
int32ValueInliner.add(constantsDecrypter.Int32Decrypter, (method, args) => constantsDecrypter.decryptInt32((int)args[0]));
|
||||
int64ValueInliner = new Int64ValueInliner();
|
||||
int64ValueInliner.add(constantsDecrypter.Int64Decrypter, (method, args) => constantsDecrypter.decryptInt64((int)args[0]));
|
||||
singleValueInliner = new SingleValueInliner();
|
||||
singleValueInliner.add(constantsDecrypter.SingleDecrypter, (method, args) => constantsDecrypter.decryptSingle((int)args[0]));
|
||||
doubleValueInliner = new DoubleValueInliner();
|
||||
doubleValueInliner.add(constantsDecrypter.DoubleDecrypter, (method, args) => constantsDecrypter.decryptDouble((int)args[0]));
|
||||
addTypeToBeRemoved(constantsDecrypter.Type, "Constants decrypter type");
|
||||
addResourceToBeRemoved(constantsDecrypter.Resource, "Encrypted constants");
|
||||
}
|
||||
|
||||
addModuleCctorInitCallToBeRemoved(resourceResolver.Method);
|
||||
addModuleCctorInitCallToBeRemoved(assemblyResolver.Method);
|
||||
addCallToBeRemoved(module.EntryPoint, tamperDetection.Method);
|
||||
|
@ -198,6 +225,12 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
|
||||
public override void deobfuscateMethodEnd(Blocks blocks) {
|
||||
proxyDelegateFinder.deobfuscate(blocks);
|
||||
if (options.DecryptConstants) {
|
||||
int32ValueInliner.decrypt(blocks);
|
||||
int64ValueInliner.decrypt(blocks);
|
||||
singleValueInliner.decrypt(blocks);
|
||||
doubleValueInliner.decrypt(blocks);
|
||||
}
|
||||
base.deobfuscateMethodEnd(blocks);
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in New Issue
Block a user