Dump embedded assemblies

de4dot.code/de4dot.code.csproj

@@ -58,6 +58,7 @@
     <Compile Include="AssemblyClient\SameAppDomainAssemblyServerLoader.cs" />
     <Compile Include="AssemblyResolver.cs" />
     <Compile Include="deobfuscators\ArrayFinder.cs" />
+    <Compile Include="deobfuscators\Babel_NET\AssemblyResolver.cs" />
     <Compile Include="deobfuscators\Babel_NET\BabelUtils.cs" />
     <Compile Include="deobfuscators\Babel_NET\ConstantsDecrypter.cs" />
     <Compile Include="deobfuscators\Babel_NET\Deobfuscator.cs" />

de4dot.code/deobfuscators/Babel_NET/AssemblyResolver.cs

@@ -0,0 +1,112 @@
+/*
+    Copyright (C) 2011-2012 de4dot@gmail.com
+
+    This file is part of de4dot.
+
+    de4dot is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    de4dot is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with de4dot.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System.IO;
+using Mono.Cecil;
+using de4dot.blocks;
+
+namespace de4dot.code.deobfuscators.Babel_NET {
+	class AssemblyResolver {
+		ModuleDefinition module;
+		TypeDefinition resolverType;
+		MethodDefinition registerMethod;
+		EmbeddedResource encryptedResource;
+		EmbeddedAssemblyInfo[] embeddedAssemblyInfos = new EmbeddedAssemblyInfo[0];
+
+		public class EmbeddedAssemblyInfo {
+			public string fullname;
+			public string extension;
+			public byte[] data;
+
+			public EmbeddedAssemblyInfo(string fullName, string extension, byte[] data) {
+				this.fullname = fullName;
+				this.extension = extension;
+				this.data = data;
+			}
+		}
+
+		public bool Detected {
+			get { return resolverType != null; }
+		}
+
+		public TypeDefinition Type {
+			get { return resolverType; }
+		}
+
+		public MethodDefinition InitMethod {
+			get { return registerMethod; }
+		}
+
+		public EmbeddedResource EncryptedResource {
+			get { return encryptedResource; }
+		}
+
+		public EmbeddedAssemblyInfo[] EmbeddedAssemblyInfos {
+			get { return embeddedAssemblyInfos; }
+		}
+
+		public AssemblyResolver(ModuleDefinition module) {
+			this.module = module;
+		}
+
+		public void find() {
+			var requiredTypes = new string[] {
+				"System.Object",
+				"System.Int32",
+				"System.Collections.Hashtable",
+			};
+			foreach (var type in module.Types) {
+				if (type.HasEvents)
+					continue;
+				if (!new FieldTypes(type).exactly(requiredTypes))
+					continue;
+
+				MethodDefinition regMethod, handler;
+				if (!BabelUtils.findRegisterMethod(type, out regMethod, out handler))
+					continue;
+
+				resolverType = type;
+				registerMethod = regMethod;
+				return;
+			}
+		}
+
+		public void initialize(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
+			if (resolverType == null)
+				return;
+
+			encryptedResource = BabelUtils.findEmbeddedResource(module, resolverType, simpleDeobfuscator, deob);
+			if (encryptedResource == null) {
+				Log.w("Could not find embedded assemblies resource");
+				return;
+			}
+
+			var decrypted = new ResourceDecrypter(module).decrypt(encryptedResource.GetResourceData());
+			var reader = new BinaryReader(new MemoryStream(decrypted));
+			int numAssemblies = reader.ReadInt32();
+			embeddedAssemblyInfos = new EmbeddedAssemblyInfo[numAssemblies];
+			for (int i = 0; i < numAssemblies; i++) {
+				string name = reader.ReadString();
+				var data = reader.ReadBytes(reader.ReadInt32());
+				var mod = ModuleDefinition.ReadModule(new MemoryStream(data));
+				embeddedAssemblyInfos[i] = new EmbeddedAssemblyInfo(name, DeobUtils.getExtension(mod.Kind), data);
+			}
+		}
+	}
+}

de4dot.code/deobfuscators/Babel_NET/Deobfuscator.cs

@@ -29,12 +29,14 @@ namespace de4dot.code.deobfuscators.Babel_NET {
 		BoolOption decryptMethods;
 		BoolOption decryptResources;
 		BoolOption decryptConstants;
+		BoolOption dumpEmbeddedAssemblies;
 
 		public DeobfuscatorInfo()
 			: base() {
 			decryptMethods = new BoolOption(null, makeArgName("methods"), "Decrypt methods", true);
 			decryptResources = new BoolOption(null, makeArgName("rsrc"), "Decrypt resources", true);
 			decryptConstants = new BoolOption(null, makeArgName("consts"), "Decrypt constants and arrays", true);
+			dumpEmbeddedAssemblies = new BoolOption(null, makeArgName("embedded"), "Dump embedded assemblies", true);
 		}
 
 		public override string Name {
@@ -51,6 +53,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
 				DecryptMethods = decryptMethods.get(),
 				DecryptResources = decryptResources.get(),
 				DecryptConstants = decryptConstants.get(),
+				DumpEmbeddedAssemblies = dumpEmbeddedAssemblies.get(),
 			});
 		}
 
@@ -59,6 +62,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
 				decryptMethods,
 				decryptResources,
 				decryptConstants,
+				dumpEmbeddedAssemblies,
 			};
 		}
 	}
@@ -69,6 +73,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
 		string obfuscatorName = DeobfuscatorInfo.THE_NAME;
 
 		ResourceResolver resourceResolver;
+		AssemblyResolver assemblyResolver;
 		StringDecrypter stringDecrypter;
 		ConstantsDecrypter constantsDecrypter;
 		Int32ValueInliner int32ValueInliner;
@@ -82,6 +87,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
 			public bool DecryptMethods { get; set; }
 			public bool DecryptResources { get; set; }
 			public bool DecryptConstants { get; set; }
+			public bool DumpEmbeddedAssemblies { get; set; }
 		}
 
 		public override string Type {
@@ -110,6 +116,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
 
 			int sum = toInt32(foundBabelAttribute) +
 					toInt32(resourceResolver.Detected) +
+					toInt32(assemblyResolver.Detected) +
 					toInt32(stringDecrypter.Detected) +
 					toInt32(constantsDecrypter.Detected) +
 					toInt32(proxyDelegateFinder.Detected) +
@@ -125,6 +132,8 @@ namespace de4dot.code.deobfuscators.Babel_NET {
 			findBabelAttribute();
 			resourceResolver = new ResourceResolver(module);
 			resourceResolver.find();
+			assemblyResolver = new AssemblyResolver(module);
+			assemblyResolver.find();
 			stringDecrypter = new StringDecrypter(module);
 			stringDecrypter.find();
 			constantsDecrypter = new ConstantsDecrypter(module, initializedDataCreator);
@@ -181,6 +190,9 @@ namespace de4dot.code.deobfuscators.Babel_NET {
 				}
 			}
 
+			if (options.DumpEmbeddedAssemblies)
+				assemblyResolver.initialize(DeobfuscatedFile, this);
+
 			if (options.DecryptMethods) {
 				methodsDecrypter.initialize(DeobfuscatedFile, this);
 				methodsDecrypter.decrypt();
@@ -201,9 +213,20 @@ namespace de4dot.code.deobfuscators.Babel_NET {
 				doubleValueInliner.add(constantsDecrypter.DoubleDecrypter, (method, args) => constantsDecrypter.decryptDouble((int)args[0]));
 			}
 
+			dumpEmbeddedAssemblies();
 			proxyDelegateFinder.find();
 		}
 
+		void dumpEmbeddedAssemblies() {
+			if (!options.DumpEmbeddedAssemblies)
+				return;
+			foreach (var info in assemblyResolver.EmbeddedAssemblyInfos)
+				DeobfuscatedFile.createAssemblyFile(info.data, Utils.getAssemblySimpleName(info.fullname), info.extension);
+			addTypeToBeRemoved(assemblyResolver.Type, "Assembly resolver type");
+			addCctorInitCallToBeRemoved(assemblyResolver.InitMethod);
+			addResourceToBeRemoved(assemblyResolver.EncryptedResource, "Embedded encrypted assemblies");
+		}
+
 		void decryptResources() {
 			if (!options.DecryptResources)
 				return;