monocul.us/de4dot-cex
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'mc'

Browse Source
This commit is contained in:
de4dot 2012-03-01 22:10:36 +01:00
commit 48d6a3b6fc
8 changed files with 967 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
de4dot.code/PE/MetadataTables.cs
View File

@ -43,13 +43,14 @@ namespace de4dot.code.PE {
reader.BaseStream.Position = fileOffset;
}
// TODO: This table needs to be updated to support the other metadata tables.
static MetadataVarType[] metadataVarType = new MetadataVarType[] {
MVT.byte2, MVT.stringIndex, MVT.guidIndex, MVT.guidIndex, MVT.guidIndex, MVT.end, // 0
MVT.resolutionScope, MVT.stringIndex, MVT.stringIndex, MVT.end, // 1
MVT.byte4, MVT.stringIndex, MVT.stringIndex, MVT.typeDefOrRef, MVT.fieldIndex, MVT.methodDefIndex, MVT.end, // 2
MVT.end, // 3
MVT.byte2, MVT.stringIndex, MVT.blobIndex, MVT.end, // 4
MVT.end, // 5
MVT.methodDefIndex, MVT.end, // 5
MVT.byte4, MVT.byte2, MVT.byte2, MVT.stringIndex, MVT.blobIndex, MVT.paramIndex, MVT.end, // 6
MVT.end, // 7
MVT.byte2, MVT.byte2, MVT.stringIndex, MVT.end, // 8
@ -113,7 +114,7 @@ namespace de4dot.code.PE {
};
void init() {
var streamTable = metadata.getStream("#~");
var streamTable = metadata.getStream("#~") ?? metadata.getStream("#-");
if (streamTable == null)
throw new ApplicationException("Could not find #~ stream");

3
de4dot.code/de4dot.code.csproj
View File

@ -164,6 +164,9 @@
<Compile Include="deobfuscators\InitializedDataCreator.cs" />
<Compile Include="deobfuscators\InlinedMethodsFinder.cs" />
<Compile Include="deobfuscators\ISimpleDeobfuscator.cs" />
<Compile Include="deobfuscators\MaxtoCode\Deobfuscator.cs" />
<Compile Include="deobfuscators\MaxtoCode\FileDecrypter.cs" />
<Compile Include="deobfuscators\MaxtoCode\MainType.cs" />
<Compile Include="deobfuscators\MethodCollection.cs" />
<Compile Include="deobfuscators\QuickLZ.cs" />
<Compile Include="deobfuscators\RandomNameChecker.cs" />

10
de4dot.code/deobfuscators/DeobUtils.cs
View File

@ -50,6 +50,16 @@ namespace de4dot.code.deobfuscators {
return newDef;
}
public static ModuleReference lookup(ModuleDefinition module, ModuleReference other, string errorMessage) {
if (other == null)
return null;
foreach (var modRef in module.ModuleReferences) {
if (modRef.MetadataToken.ToInt32() == other.MetadataToken.ToInt32())
return modRef;
}
throw new ApplicationException(errorMessage);
}
public static byte[] readModule(ModuleDefinition module) {
return Utils.readFile(module.FullyQualifiedName);
}

121
de4dot.code/deobfuscators/MaxtoCode/Deobfuscator.cs Normal file
View File

@ -0,0 +1,121 @@
/*
Copyright (C) 2011-2012 de4dot@gmail.com
This file is part of de4dot.
de4dot is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
de4dot is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
*/
using System.Collections.Generic;
using Mono.Cecil;
using Mono.MyStuff;
namespace de4dot.code.deobfuscators.MaxtoCode {
public class DeobfuscatorInfo : DeobfuscatorInfoBase {
public const string THE_NAME = "MaxtoCode";
public const string THE_TYPE = "mc";
const string DEFAULT_REGEX = @"!^[oO01l]{4,}$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
public DeobfuscatorInfo()
: base(DEFAULT_REGEX) {
}
public override string Name {
get { return THE_NAME; }
}
public override string Type {
get { return THE_TYPE; }
}
public override IDeobfuscator createDeobfuscator() {
return new Deobfuscator(new Deobfuscator.Options {
RenameResourcesInCode = false,
ValidNameRegex = validNameRegex.get(),
});
}
}
class Deobfuscator : DeobfuscatorBase {
Options options;
MainType mainType;
internal class Options : OptionsBase {
}
public override string Type {
get { return DeobfuscatorInfo.THE_TYPE; }
}
public override string TypeLong {
get { return DeobfuscatorInfo.THE_NAME; }
}
public override string Name {
get { return DeobfuscatorInfo.THE_NAME; }
}
internal Deobfuscator(Options options)
: base(options) {
this.options = options;
}
protected override int detectInternal() {
int val = 0;
if (mainType.Detected)
val = 150;
return val;
}
protected override void scanForObfuscator() {
mainType = new MainType(module);
mainType.find();
}
public override bool getDecryptedModule(ref byte[] newFileData, ref DumpedMethods dumpedMethods) {
if (!mainType.Detected)
return false;
var fileDecrypter = new FileDecrypter(mainType);
var fileData = DeobUtils.readModule(module);
if (!fileDecrypter.decrypt(fileData, ref dumpedMethods))
return false;
newFileData = fileData;
return true;
}
public override IDeobfuscator moduleReloaded(ModuleDefinition module) {
var newOne = new Deobfuscator(options);
newOne.setModule(module);
newOne.mainType = new MainType(module, mainType);
return newOne;
}
public override void deobfuscateBegin() {
base.deobfuscateBegin();
foreach (var method in mainType.InitMethods)
addCctorInitCallToBeRemoved(method);
addTypeToBeRemoved(mainType.Type, "Obfuscator type");
addModuleReferencesToBeRemoved(mainType.ModuleReferences, "MC runtime module reference");
}
public override IEnumerable<int> getStringDecrypterMethods() {
return new List<int>();
}
}
}

664
de4dot.code/deobfuscators/MaxtoCode/FileDecrypter.cs Normal file
View File

@ -0,0 +1,664 @@
/*
Copyright (C) 2011-2012 de4dot@gmail.com
This file is part of de4dot.
de4dot is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
de4dot is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
*/
using System;
using System.IO;
using System.Collections.Generic;
using Mono.MyStuff;
using de4dot.code.PE;
namespace de4dot.code.deobfuscators.MaxtoCode {
// Decrypts methods and resources
class FileDecrypter {
MainType mainType;
class PeHeader {
const int XOR_KEY = 0x7ABF931;
byte[] headerData;
uint rvaDispl1;
uint rvaDispl2;
public PeHeader(MainType mainType, PeImage peImage) {
headerData = getPeHeaderData(peImage);
if (!mainType.IsOld && peImage.readUInt32(0x2008) != 0x48) {
rvaDispl1 = readUInt32(0x0FB0) ^ XOR_KEY;
rvaDispl2 = readUInt32(0x0FB4) ^ XOR_KEY;
}
}
public uint getMcHeaderRva() {
return getRva2(0x0FFC, XOR_KEY);
}
public uint getRva1(int offset, uint xorKey) {
return (readUInt32(offset) ^ xorKey) - rvaDispl1;
}
public uint getRva2(int offset, uint xorKey) {
return (readUInt32(offset) ^ xorKey) - rvaDispl2;
}
public uint readUInt32(int offset) {
return BitConverter.ToUInt32(headerData, offset);
}
static byte[] getPeHeaderData(PeImage peImage) {
var data = new byte[0x1000];
var firstSection = peImage.Sections[0];
readTo(peImage, data, 0, 0, firstSection.pointerToRawData);
foreach (var section in peImage.Sections) {
if (section.virtualAddress >= data.Length)
continue;
int offset = (int)section.virtualAddress;
readTo(peImage, data, offset, section.pointerToRawData, section.sizeOfRawData);
}
return data;
}
static void readTo(PeImage peImage, byte[] data, int destOffset, uint imageOffset, uint maxLength) {
if (destOffset > data.Length)
return;
int len = Math.Min(data.Length - destOffset, (int)maxLength);
var newData = peImage.offsetReadBytes(imageOffset, len);
Array.Copy(newData, 0, data, destOffset, newData.Length);
}
}
class McHeader {
PeHeader peHeader;
byte[] data;
public byte this[int index] {
get { return data[index]; }
}
public McHeader(PeImage peImage, PeHeader peHeader) {
this.peHeader = peHeader;
this.data = peImage.readBytes(peHeader.getMcHeaderRva(), 0x2000);
}
public byte readByte(int offset) {
return data[offset];
}
public void readBytes(int offset, Array dest, int size) {
Buffer.BlockCopy(data, offset, dest, 0, size);
}
public uint readUInt32(int offset) {
return BitConverter.ToUInt32(data, offset);
}
}
enum EncryptionVersion {
Unknown,
V1,
V2,
V3,
}
class EncryptionInfo {
public uint MagicLo { get; set; }
public uint MagicHi { get; set; }
public EncryptionVersion Version { get; set; }
}
static EncryptionInfo[] encryptionInfos_Rva900h = new EncryptionInfo[] {
// PE header timestamp
// 462FA2D2 = Wed, 25 Apr 2007 18:49:54 (3.20)
new EncryptionInfo {
MagicLo = 0xA098B387,
MagicHi = 0x1E8EBCA3,
Version = EncryptionVersion.V1,
},
// 482384FB = Thu, 08 May 2008 22:55:55 (3.36)
new EncryptionInfo {
MagicLo = 0xAA98B387,
MagicHi = 0x1E8EECA3,
Version = EncryptionVersion.V2,
},
// 4A5EEC64 = Thu, 16 Jul 2009 09:01:24
// 4C6220EC = Wed, 11 Aug 2010 04:02:52
// 4C622357 = Wed, 11 Aug 2010 04:13:11
new EncryptionInfo {
MagicLo = 0xAA98B387,
MagicHi = 0x128EECA3,
Version = EncryptionVersion.V2,
},
// 4C6E4605 = Fri, 20 Aug 2010 09:08:21
// 4D0E220D = Sun, 19 Dec 2010 15:17:33
// 4DC2FC75 = Thu, 05 May 2011 19:37:25
// 4DFA3D5D = Thu, 16 Jun 2011 17:29:01
new EncryptionInfo {
MagicLo = 0xAA98B387,
MagicHi = 0xF28EECA3,
Version = EncryptionVersion.V2,
},
// 4DC2FE0C = Thu, 05 May 2011 19:44:12
new EncryptionInfo {
MagicLo = 0xAA98B387,
MagicHi = 0xF28EEAA3,
Version = EncryptionVersion.V2,
},
// 4ED76740 = Thu, 01 Dec 2011 11:38:40
// 4EE1FAD1 = Fri, 09 Dec 2011 12:10:57
new EncryptionInfo {
MagicLo = 0xAA983B87,
MagicHi = 0xF28EECA3,
Version = EncryptionVersion.V3,
},
};
static EncryptionInfo[] encryptionInfos_McHeader8C0h = new EncryptionInfo[] {
// 462FA2D2 = Wed, 25 Apr 2007 18:49:54 (3.20)
new EncryptionInfo {
MagicLo = 0x6AA13B13,
MagicHi = 0xD72B991F,
Version = EncryptionVersion.V1,
},
// 482384FB = Thu, 08 May 2008 22:55:55 (3.36)
new EncryptionInfo {
MagicLo = 0x6A713B13,
MagicHi = 0xD72B891F,
Version = EncryptionVersion.V2,
},
// 4A5EEC64 = Thu, 16 Jul 2009 09:01:24
// 4C6220EC = Wed, 11 Aug 2010 04:02:52
// 4C622357 = Wed, 11 Aug 2010 04:13:11
// 4C6E4605 = Fri, 20 Aug 2010 09:08:21
// 4D0E220D = Sun, 19 Dec 2010 15:17:33
// 4DC2FC75 = Thu, 05 May 2011 19:37:25
// 4DC2FE0C = Thu, 05 May 2011 19:44:12
// 4DFA3D5D = Thu, 16 Jun 2011 17:29:01
new EncryptionInfo {
MagicLo = 0x6A713B13,
MagicHi = 0xD72B891F,
Version = EncryptionVersion.V2,
},
// 4ED76740 = Thu, 01 Dec 2011 11:38:40
// 4EE1FAD1 = Fri, 09 Dec 2011 12:10:57
new EncryptionInfo {
MagicLo = 0x6A731B13,
MagicHi = 0xD72B891F,
Version = EncryptionVersion.V3,
},
};
class MethodInfos {
MainType mainType;
PeImage peImage;
PeHeader peHeader;
McHeader mcHeader;
uint structSize;
uint methodInfosOffset;
uint encryptedDataOffset;
uint xorKey;
Dictionary<uint, DecryptedMethodInfo> infos = new Dictionary<uint, DecryptedMethodInfo>();
IDecrypter decrypter;
const int ENCRYPTED_DATA_INFO_SIZE = 0x13;
public class DecryptedMethodInfo {
public uint bodyRva;
public byte[] body;
public DecryptedMethodInfo(uint bodyRva, byte[] body) {
this.bodyRva = bodyRva;
this.body = body;
}
}
public MethodInfos(MainType mainType, PeImage peImage, PeHeader peHeader, McHeader mcHeader) {
this.mainType = mainType;
this.peImage = peImage;
this.peHeader = peHeader;
this.mcHeader = mcHeader;
structSize = getStructSize(mcHeader);
uint methodInfosRva = peHeader.getRva2(0x0FF8, mcHeader.readUInt32(0x005A));
uint encryptedDataRva = peHeader.getRva2(0x0FF0, mcHeader.readUInt32(0x0046));
methodInfosOffset = peImage.rvaToOffset(methodInfosRva);
encryptedDataOffset = peImage.rvaToOffset(encryptedDataRva);
}
static uint getStructSize(McHeader mcHeader) {
uint magicLo = mcHeader.readUInt32(0x8C0);
uint magicHi = mcHeader.readUInt32(0x8C4);
foreach (var info in encryptionInfos_McHeader8C0h) {
if (magicLo == info.MagicLo && magicHi == info.MagicHi)
return 0xC + 6 * ENCRYPTED_DATA_INFO_SIZE;
}
return 0xC + 3 * ENCRYPTED_DATA_INFO_SIZE;
}
EncryptionVersion getVersion() {
uint m1lo = peHeader.readUInt32(0x900);
uint m1hi = peHeader.readUInt32(0x904);
uint m2lo = mcHeader.readUInt32(0x8C0);
uint m2hi = mcHeader.readUInt32(0x8C4);
foreach (var info in encryptionInfos_McHeader8C0h) {
if (info.MagicLo == m2lo && info.MagicHi == m2hi)
return info.Version;
}
foreach (var info in encryptionInfos_Rva900h) {
if (info.MagicLo == m1lo && info.MagicHi == m1hi)
return info.Version;
}
Log.w("Could not detect MC version. Magic1: {0:X8} {1:X8}, Magic2: {2:X8} {3:X8}", m1lo, m1hi, m2lo, m2hi);
return EncryptionVersion.Unknown;
}
public DecryptedMethodInfo lookup(uint bodyRva) {
DecryptedMethodInfo info;
infos.TryGetValue(bodyRva, out info);
return info;
}
byte readByte(uint offset) {
return peImage.offsetReadByte(methodInfosOffset + offset);
}
short readInt16(uint offset) {
return (short)peImage.offsetReadUInt16(methodInfosOffset + offset);
}
uint readUInt32(uint offset) {
return peImage.offsetReadUInt32(methodInfosOffset + offset);
}
int readInt32(uint offset) {
return (int)readUInt32(offset);
}
short readEncryptedInt16(uint offset) {
return (short)(readInt16(offset) ^ xorKey);
}
int readEncryptedInt32(uint offset) {
return (int)readEncryptedUInt32(offset);
}
uint readEncryptedUInt32(uint offset) {
return readUInt32(offset) ^ xorKey;
}
interface IDecrypter {
byte[] decrypt(int type, byte[] encrypted);
}
class DecrypterV1 : IDecrypter {
MethodInfos methodInfos;
public DecrypterV1(MethodInfos methodInfos) {
this.methodInfos = methodInfos;
}
public byte[] decrypt(int type, byte[] encrypted) {
switch (type) {
case 1: return methodInfos.decrypt1(encrypted);
case 2: return methodInfos.decrypt4(encrypted);
case 3: return methodInfos.decrypt2(encrypted);
case 4: return methodInfos.decrypt3(encrypted);
case 5: return methodInfos.decrypt5(encrypted);
case 6: return methodInfos.decrypt6(encrypted);
case 7: return methodInfos.decrypt7(encrypted);
default: throw new ApplicationException(string.Format("Invalid encryption type: {0:X2}", type));
}
}
}
class DecrypterV2 : IDecrypter {
MethodInfos methodInfos;
public DecrypterV2(MethodInfos methodInfos) {
this.methodInfos = methodInfos;
}
public byte[] decrypt(int type, byte[] encrypted) {
switch (type) {
case 1: return methodInfos.decrypt3(encrypted);
case 2: return methodInfos.decrypt2(encrypted);
case 3: return methodInfos.decrypt1(encrypted);
case 4: return methodInfos.decrypt4(encrypted);
case 5: return methodInfos.decrypt5(encrypted);
case 6: return methodInfos.decrypt6(encrypted);
case 7: return methodInfos.decrypt7(encrypted);
default: throw new ApplicationException(string.Format("Invalid encryption type: {0:X2}", type));
}
}
}
class DecrypterV3 : IDecrypter {
MethodInfos methodInfos;
public DecrypterV3(MethodInfos methodInfos) {
this.methodInfos = methodInfos;
}
public byte[] decrypt(int type, byte[] encrypted) {
switch (type) {
case 1: return methodInfos.decrypt1(encrypted);
case 2: return methodInfos.decrypt2(encrypted);
case 3: return methodInfos.decrypt3(encrypted);
case 4: return methodInfos.decrypt4(encrypted);
case 5: return methodInfos.decrypt5(encrypted);
case 6: return methodInfos.decrypt6(encrypted);
case 7: return methodInfos.decrypt7(encrypted);
default: throw new ApplicationException(string.Format("Invalid encryption type: {0:X2}", type));
}
}
}
void initializeDecrypter() {
switch (getVersion()) {
case EncryptionVersion.V1:
decrypter = new DecrypterV1(this);
break;
case EncryptionVersion.V2:
decrypter = new DecrypterV2(this);
break;
case EncryptionVersion.V3:
decrypter = new DecrypterV3(this);
break;
case EncryptionVersion.Unknown:
default:
throw new ApplicationException("Unknown MC version");
}
}
public void initializeInfos() {
initializeDecrypter();
int numMethods = readInt32(0) ^ readInt32(4);
if (numMethods < 0)
throw new ApplicationException("Invalid number of encrypted methods");
xorKey = (uint)numMethods;
uint rvaDispl = !mainType.IsOld && peImage.readUInt32(0x2008) != 0x48 ? 0x1000U : 0;
int numEncryptedDataInfos = ((int)structSize - 0xC) / ENCRYPTED_DATA_INFO_SIZE;
var encryptedDataInfos = new byte[numEncryptedDataInfos][];
uint offset = 8;
for (int i = 0; i < numMethods; i++, offset += structSize) {
uint methodBodyRva = readEncryptedUInt32(offset) - rvaDispl;
uint totalSize = readEncryptedUInt32(offset + 4);
uint methodInstructionRva = readEncryptedUInt32(offset + 8) - rvaDispl;
var decryptedData = new byte[totalSize];
// Read the method body header and method body (instrs + exception handlers).
// The method body header is always in the first one. The instrs + ex handlers
// are always in the last 4, and evenly divided (each byte[] is totalLen / 4).
// The 2nd one is for the exceptions (or padding), but it may be null.
uint offset2 = offset + 0xC;
int exOffset = 0;
for (int j = 0; j < encryptedDataInfos.Length; j++, offset2 += ENCRYPTED_DATA_INFO_SIZE) {
// readByte(offset2); <-- index
int encryptionType = readEncryptedInt16(offset2 + 1);
uint dataOffset = readEncryptedUInt32(offset2 + 3);
uint encryptedSize = readEncryptedUInt32(offset2 + 7);
uint realSize = readEncryptedUInt32(offset2 + 11);
if (j == 1)
exOffset = readEncryptedInt32(offset2 + 15);
if (j == 1 && exOffset == 0)
encryptedDataInfos[j] = null;
else
encryptedDataInfos[j] = decrypt(encryptionType, dataOffset, encryptedSize, realSize);
}
int copyOffset = 0;
copyOffset = copyData(decryptedData, encryptedDataInfos[0], copyOffset);
for (int j = 2; j < encryptedDataInfos.Length; j++)
copyOffset = copyData(decryptedData, encryptedDataInfos[j], copyOffset);
copyData(decryptedData, encryptedDataInfos[1], exOffset); // Exceptions or padding
var info = new DecryptedMethodInfo(methodBodyRva, decryptedData);
infos[info.bodyRva] = info;
}
}
static int copyData(byte[] dest, byte[] source, int offset) {
if (source == null)
return offset;
Array.Copy(source, 0, dest, offset, source.Length);
return offset + source.Length;
}
byte[] readData(uint offset, int size) {
return peImage.offsetReadBytes(encryptedDataOffset + offset, size);
}
byte[] decrypt(int type, uint dataOffset, uint encryptedSize, uint realSize) {
if (realSize == 0)
return null;
if (realSize > encryptedSize)
throw new ApplicationException("Invalid realSize");
var encrypted = readData(dataOffset, (int)encryptedSize);
var decrypted = decrypter.decrypt(type, encrypted);
if (realSize > decrypted.Length)
throw new ApplicationException("Invalid decrypted length");
Array.Resize(ref decrypted, (int)realSize);
return decrypted;
}
byte[] decrypt1(byte[] encrypted) {
var decrypted = new byte[encrypted.Length];
for (int i = 0; i < decrypted.Length; i++)
decrypted[i] = (byte)(encrypted[i] ^ mcHeader.readByte(i % 0x2000));
return decrypted;
}
byte[] decrypt2(byte[] encrypted) {
if ((encrypted.Length & 7) != 0)
throw new ApplicationException("Invalid encryption #2 length");
const int offset = 0x00FA;
uint key4 = mcHeader.readUInt32(offset + 4 * 4);
uint key5 = mcHeader.readUInt32(offset + 5 * 4);
byte[] decrypted = new byte[encrypted.Length & ~7];
var writer = new BinaryWriter(new MemoryStream(decrypted));
int loopCount = encrypted.Length / 8;
for (int i = 0; i < loopCount; i++) {
uint val0 = BitConverter.ToUInt32(encrypted, i * 8);
uint val1 = BitConverter.ToUInt32(encrypted, i * 8 + 4);
uint x = (val1 >> 26) + (val0 << 6);
uint y = (val0 >> 26) + (val1 << 6);
writer.Write(x ^ key4);
writer.Write(y ^ key5);
}
return decrypted;
}
static byte[] decrypt3Shifts = new byte[16] { 5, 11, 14, 21, 6, 20, 17, 29, 4, 10, 3, 2, 7, 1, 26, 18 };
byte[] decrypt3(byte[] encrypted) {
if ((encrypted.Length & 7) != 0)
throw new ApplicationException("Invalid encryption #3 length");
const int offset = 0x015E;
uint key0 = mcHeader.readUInt32(offset + 0 * 4);
uint key3 = mcHeader.readUInt32(offset + 3 * 4);
byte[] decrypted = new byte[encrypted.Length & ~7];
var writer = new BinaryWriter(new MemoryStream(decrypted));
int loopCount = encrypted.Length / 8;
for (int i = 0; i < loopCount; i++) {
uint x = BitConverter.ToUInt32(encrypted, i * 8);
uint y = BitConverter.ToUInt32(encrypted, i * 8 + 4);
foreach (var shift in decrypt3Shifts) {
int shift1 = 32 - shift;
uint x1 = (y >> shift1) + (x << shift);
uint y1 = (x >> shift1) + (y << shift);
x = x1;
y = y1;
}
writer.Write(x ^ key0);
writer.Write(y ^ key3);
}
return decrypted;
}
byte[] decrypt4(byte[] encrypted) {
var decrypted = new byte[encrypted.Length / 3 * 2 + 1];
int count = encrypted.Length / 3;
int i = 0, j = 0, k = 0;
while (count-- > 0) {
byte k1 = mcHeader.readByte(j + 1);
byte k2 = mcHeader.readByte(j + 2);
byte k3 = mcHeader.readByte(j + 3);
decrypted[k++] = (byte)(((encrypted[i + 1] ^ k2) >> 4) | ((encrypted[i] ^ k1) & 0xF0));
decrypted[k++] = (byte)(((encrypted[i + 1] ^ k2) << 4) + ((encrypted[i + 2] ^ k3) & 0x0F));
i += 3;
j = (j + 4) % 0x2000;
}
if ((encrypted.Length % 3) != 0)
decrypted[k] = (byte)(encrypted[i] ^ mcHeader.readByte(j));
return decrypted;
}
byte[] decrypt5(byte[] encrypted) {
throw new NotImplementedException("Encryption type #5 not implemented yet");
}
byte[] decrypt6(byte[] encrypted) {
throw new NotImplementedException("Encryption type #6 not implemented yet");
}
byte[] decrypt7(byte[] encrypted) {
throw new NotImplementedException("Encryption type #7 not implemented yet");
}
}
public FileDecrypter(MainType mainType) {
this.mainType = mainType;
}
public bool decrypt(byte[] fileData, ref DumpedMethods dumpedMethods) {
var peImage = new PeImage(fileData);
var peHeader = new PeHeader(mainType, peImage);
var mcHeader = new McHeader(peImage, peHeader);
dumpedMethods = decryptMethods(peImage, peHeader, mcHeader);
if (dumpedMethods == null)
return false;
decryptResources(fileData, peImage, peHeader, mcHeader);
return true;
}
DumpedMethods decryptMethods(PeImage peImage, PeHeader peHeader, McHeader mcHeader) {
var dumpedMethods = new DumpedMethods();
var methodInfos = new MethodInfos(mainType, peImage, peHeader, mcHeader);
methodInfos.initializeInfos();
var metadataTables = peImage.Cor20Header.createMetadataTables();
var methodDef = metadataTables.getMetadataType(MetadataIndex.iMethodDef);
uint methodDefOffset = methodDef.fileOffset;
for (int i = 0; i < methodDef.rows; i++, methodDefOffset += methodDef.totalSize) {
uint bodyRva = peImage.offsetReadUInt32(methodDefOffset);
if (bodyRva == 0)
continue;
var info = methodInfos.lookup(bodyRva);
if (info == null)
continue;
uint bodyOffset = peImage.rvaToOffset(bodyRva);
ushort magic = peImage.offsetReadUInt16(bodyOffset);
if (magic != 0xFFF3)
continue;
var dm = new DumpedMethod();
dm.token = (uint)(0x06000001 + i);
dm.mdImplFlags = peImage.offsetReadUInt16(methodDefOffset + (uint)methodDef.fields[1].offset);
dm.mdFlags = peImage.offsetReadUInt16(methodDefOffset + (uint)methodDef.fields[2].offset);
dm.mdName = peImage.offsetRead(methodDefOffset + (uint)methodDef.fields[3].offset, methodDef.fields[3].size);
dm.mdSignature = peImage.offsetRead(methodDefOffset + (uint)methodDef.fields[4].offset, methodDef.fields[4].size);
dm.mdParamList = peImage.offsetRead(methodDefOffset + (uint)methodDef.fields[5].offset, methodDef.fields[5].size);
var reader = new BinaryReader(new MemoryStream(info.body));
byte b = reader.ReadByte();
if ((b & 3) == 2) {
dm.mhFlags = 2;
dm.mhMaxStack = 8;
dm.mhCodeSize = (uint)(b >> 2);
dm.mhLocalVarSigTok = 0;
}
else {
reader.BaseStream.Position--;
dm.mhFlags = reader.ReadUInt16();
dm.mhMaxStack = reader.ReadUInt16();
dm.mhCodeSize = reader.ReadUInt32();
dm.mhLocalVarSigTok = reader.ReadUInt32();
uint codeOffset = (uint)(dm.mhFlags >> 12) * 4;
reader.BaseStream.Position += codeOffset - 12;
}
dm.code = reader.ReadBytes((int)dm.mhCodeSize);
if ((dm.mhFlags & 8) != 0) {
reader.BaseStream.Position = (reader.BaseStream.Position + 3) & ~3;
dm.extraSections = reader.ReadBytes((int)(reader.BaseStream.Length - reader.BaseStream.Position));
}
dumpedMethods.add(dm);
}
return dumpedMethods;
}
void decryptResources(byte[] fileData, PeImage peImage, PeHeader peHeader, McHeader mcHeader) {
uint resourceRva = peHeader.getRva1(0x0E10, mcHeader.readUInt32(0x00A0));
uint resourceSize = peHeader.readUInt32(0x0E14) ^ mcHeader.readUInt32(0x00AA);
if (resourceRva == 0 || resourceSize == 0)
return;
if (resourceRva != peImage.Cor20Header.resources.virtualAddress ||
resourceSize != peImage.Cor20Header.resources.size) {
Log.w("Invalid resource RVA and size found");
}
Log.v("Decrypting resources @ RVA {0:X8}, {1} bytes", resourceRva, resourceSize);
int resourceOffset = (int)peImage.rvaToOffset(resourceRva);
for (int i = 0; i < resourceSize; i++)
fileData[resourceOffset + i] ^= mcHeader[i % 0x2000];
}
}
}

165
de4dot.code/deobfuscators/MaxtoCode/MainType.cs Normal file
View File

@ -0,0 +1,165 @@
/*
Copyright (C) 2011-2012 de4dot@gmail.com
This file is part of de4dot.
de4dot is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
de4dot is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
*/
using System;
using System.Collections.Generic;
using Mono.Cecil;
using de4dot.blocks;
namespace de4dot.code.deobfuscators.MaxtoCode {
class MainType {
ModuleDefinition module;
TypeDefinition mcType;
ModuleReference mcModule1, mcModule2;
bool isOld;
public bool IsOld {
get { return isOld; }
}
public TypeDefinition Type {
get { return mcType; }
}
public IEnumerable<ModuleReference> ModuleReferences {
get {
var list = new List<ModuleReference>();
if (mcModule1 != null)
list.Add(mcModule1);
if (mcModule2 != null)
list.Add(mcModule2);
return list;
}
}
public IEnumerable<MethodDefinition> InitMethods {
get {
var list = new List<MethodDefinition>();
if (mcType == null)
return list;
foreach (var method in mcType.Methods) {
if (method.IsStatic && DotNetUtils.isMethod(method, "System.Void", "()"))
list.Add(method);
}
return list;
}
}
public bool Detected {
get { return mcType != null; }
}
public MainType(ModuleDefinition module) {
this.module = module;
}
public MainType(ModuleDefinition module, MainType oldOne) {
this.module = module;
this.mcType = lookup(oldOne.mcType, "Could not find main type");
this.mcModule1 = DeobUtils.lookup(module, oldOne.mcModule1, "Could not find MC runtime module ref #1");
this.mcModule2 = DeobUtils.lookup(module, oldOne.mcModule2, "Could not find MC runtime module ref #2");
}
T lookup<T>(T def, string errorMessage) where T : MemberReference {
return DeobUtils.lookup(module, def, errorMessage);
}
public void find() {
var cctor = getCctor();
if (cctor == null)
return;
foreach (var info in DotNetUtils.getCalledMethods(module, cctor)) {
var method = info.Item2;
if (method.Name != "Startup")
continue;
if (!DotNetUtils.isMethod(method, "System.Void", "()"))
continue;
ModuleReference module1, module2;
bool isOldTmp;
if (!checkType(method.DeclaringType, out module1, out module2, out isOldTmp))
return;
mcType = method.DeclaringType;
mcModule1 = module1;
mcModule2 = module2;
isOld = isOldTmp;
break;
}
}
MethodDefinition getCctor() {
int checksLeft = 3;
foreach (var type in module.GetTypes()) {
var cctor = DotNetUtils.getMethod(type, ".cctor");
if (cctor != null)
return cctor;
if (!type.IsEnum && --checksLeft <= 0)
return null;
}
return null;
}
static bool checkType(TypeDefinition type, out ModuleReference module1, out ModuleReference module2, out bool isOld) {
module1 = module2 = null;
isOld = false;
if (DotNetUtils.getMethod(type, "Startup") == null)
return false;
var pinvokes = getPinvokes(type);
var pinvokeList = getPinvokeList(pinvokes, "CheckRuntime");
if (pinvokeList == null)
return false;
if (getPinvokeList(pinvokes, "MainDLL") == null)
return false;
// Newer versions (3.4+ ???) also have GetModuleBase()
isOld = getPinvokeList(pinvokes, "GetModuleBase") == null;
module1 = pinvokeList[0].PInvokeInfo.Module;
module2 = pinvokeList[1].PInvokeInfo.Module;
return true;
}
static Dictionary<string, List<MethodDefinition>> getPinvokes(TypeDefinition type) {
var pinvokes = new Dictionary<string, List<MethodDefinition>>(StringComparer.Ordinal);
foreach (var method in type.Methods) {
var info = method.PInvokeInfo;
if (info == null || info.EntryPoint == null)
continue;
List<MethodDefinition> list;
if (!pinvokes.TryGetValue(info.EntryPoint, out list))
pinvokes[info.EntryPoint] = list = new List<MethodDefinition>();
list.Add(method);
}
return pinvokes;
}
static List<MethodDefinition> getPinvokeList(Dictionary<string, List<MethodDefinition>> pinvokes, string methodName) {
List<MethodDefinition> list;
if (!pinvokes.TryGetValue(methodName, out list))
return null;
if (list.Count != 2)
return null;
return list;
}
}
}

2
de4dot.code/deobfuscators/Unknown/Deobfuscator.cs
View File

@ -102,8 +102,6 @@ namespace de4dot.code.deobfuscators.Unknown {
return "CodeFort";
if (type.FullName == "ZYXDNGuarder")
return "DNGuard HVM";
if (type.FullName == "InfaceMaxtoCode")
return "MaxtoCode";
if (type.Name.Contains("();\t"))
return "Manco .NET Obfuscator";
if (Regex.IsMatch(type.FullName, @"^EMyPID_\d+_$"))

1
de4dot.cui/Program.cs
View File

@ -47,6 +47,7 @@ namespace de4dot.cui {
new de4dot.code.deobfuscators.dotNET_Reactor.v4.DeobfuscatorInfo(),
new de4dot.code.deobfuscators.Eazfuscator_NET.DeobfuscatorInfo(),
new de4dot.code.deobfuscators.Goliath_NET.DeobfuscatorInfo(),
new de4dot.code.deobfuscators.MaxtoCode.DeobfuscatorInfo(),
new de4dot.code.deobfuscators.Skater_NET.DeobfuscatorInfo(),
new de4dot.code.deobfuscators.SmartAssembly.DeobfuscatorInfo(),
new de4dot.code.deobfuscators.Spices_Net.DeobfuscatorInfo(),