From 4490c976b3c2ab46da286e4cc74a5cf357a97556 Mon Sep 17 00:00:00 2001
From: de4dot
Date: Sat, 22 Oct 2011 18:13:13 +0200
Subject: [PATCH] Find anti-debugger and tamper detection code
---
 de4dot.code/de4dot.code.csproj | 2 +
 .../CryptoObfuscator/AntiDebugger.cs | 75 +++++++++++++++++++
 .../CryptoObfuscator/Deobfuscator.cs | 18 ++++-
 .../CryptoObfuscator/StringDecrypter.cs | 2 +-
 .../CryptoObfuscator/TamperDetection.cs | 59 +++++++++++++++
 5 files changed, 154 insertions(+), 2 deletions(-)
 create mode 100644 de4dot.code/deobfuscators/CryptoObfuscator/AntiDebugger.cs
 create mode 100644 de4dot.code/deobfuscators/CryptoObfuscator/TamperDetection.cs
diff --git a/de4dot.code/de4dot.code.csproj b/de4dot.code/de4dot.code.csproj
index 796b3536..7f3850a6 100644
--- a/de4dot.code/de4dot.code.csproj
+++ b/de4dot.code/de4dot.code.csproj
@@ -57,11 +57,13 @@ + +
diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/AntiDebugger.cs b/de4dot.code/deobfuscators/CryptoObfuscator/AntiDebugger.cs
new file mode 100644
index 00000000..7c71b224
--- /dev/null
+++ b/de4dot.code/deobfuscators/CryptoObfuscator/AntiDebugger.cs
@@ -0,0 +1,75 @@
+/*
+ Copyright (C) 2011 de4dot@gmail.com
+
+ This file is part of de4dot.
+
+ de4dot is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ de4dot is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with de4dot. If not, see .
+*/
+
+using Mono.Cecil;
+using de4dot.blocks;
+
+namespace de4dot.deobfuscators.CryptoObfuscator {
+ class AntiDebugger {
+ ModuleDefinition module;
+ ISimpleDeobfuscator simpleDeobfuscator;
+ IDeobfuscator deob;
+ TypeDefinition antiDebuggerType;
+ MethodDefinition antiDebuggerMethod;
+
+ public AntiDebugger(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
+ this.module = module;
+ this.simpleDeobfuscator = simpleDeobfuscator;
+ this.deob = deob;
+ }
+
+ public void find() {
+ var mainMethod = module.EntryPoint;
+ if (mainMethod == null)
+ return;
+
+ foreach (var info in DotNetUtils.getCalledMethods(module, mainMethod)) {
+ var type = info.Item1;
+ var method = info.Item2;
+
+ if (!method.IsStatic || !DotNetUtils.isMethod(method, "System.Void", "()"))
+ continue;
+ if (DotNetUtils.getPInvokeMethod(type, "kernel32", "LoadLibrary") == null)
+ continue;
+ if (DotNetUtils.getPInvokeMethod(type, "kernel32", "GetProcAddress") == null)
+ continue;
+ deobfuscate(method);
+ if (!containsString(method, "debugger was detected"))
+ continue;
+
+ antiDebuggerType = type;
+ antiDebuggerMethod = method;
+ return;
+ }
+ }
+
+ void deobfuscate(MethodDefinition method) {
+ simpleDeobfuscator.deobfuscate(method);
+ simpleDeobfuscator.decryptStrings(method, deob);
+ }
+
+ bool containsString(MethodDefinition method, string part) {
+ foreach (var s in DotNetUtils.getCodeStrings(method)) {
+ if (s.Contains(part))
+ return true;
+ }
+ return false;
+ }
+ }
+}
diff --git a/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs b/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs
index 42ac00e3..b6694886 100644
--- a/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs
+++ b/de4dot.code/deobfuscators/CryptoObfuscator/Deobfuscator.cs
@@ -25,8 +25,11 @@ using de4dot.blocks; namespace de4dot.deobfuscators.CryptoObfuscator { class DeobfuscatorInfo : DeobfuscatorInfoBase { const string DEFAULT_REGEX = @"!^[A-Z]{1,3}(?:`\d+)?$&!^c[0-9a-f]{32}(?:`\d+)?$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX; + BoolOption removeTamperProtection; + public DeobfuscatorInfo() : base("co", DEFAULT_REGEX) { + removeTamperProtection = new BoolOption(null, makeArgName("tamper"), "Remove tamper protection code", true); } internal static string ObfuscatorType {
@@ -40,11 +43,13 @@ namespace de4dot.deobfuscators.CryptoObfuscator { public override IDeobfuscator createDeobfuscator() { return new Deobfuscator(new Deobfuscator.Options { ValidNameRegex = validNameRegex.get(), + RemoveTamperProtection = removeTamperProtection.get(), }); } protected override IEnumerable
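Review bot: AntiDebugger stores what find() located in the private fields antiDebuggerType and antiDebuggerMethod, but the class exposes no accessor and find() returns void, so no caller can act on the result; the visible Deobfuscator.cs hunks do not reference the class either, so as committed the two fields are write-only. Adding `public bool Detected { get { return antiDebuggerMethod != null; } }`, `public TypeDefinition Type { get { return antiDebuggerType; } }` and `public MethodDefinition Method { get { return antiDebuggerMethod; } }` would let the deobfuscator remove or report the check. Note also that `deobfuscate(method)` rewrites every candidate that passes the P/Invoke tests before the "debugger was detected" string test, so non-matching methods are mutated as well; since the string match needs the decrypted strings this is presumably intended, and a one-line comment at that call would make it explicit. Finally, the scan starts at module.EntryPoint and returns early when it is null, so class libraries are never searched; a class comment describing the heuristic (a static void() method reachable from the entry point, declared in a type that P/Invokes kernel32 LoadLibrary and GetProcAddress, whose decrypted strings contain "debugger was detected") and that scope limit would help the next maintainer.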