Dump embedded assemblies
This commit is contained in:
parent
6ec1222657
commit
49c06dec64
|
@ -58,6 +58,7 @@
|
|||
<Compile Include="AssemblyClient\SameAppDomainAssemblyServerLoader.cs" />
|
||||
<Compile Include="AssemblyResolver.cs" />
|
||||
<Compile Include="deobfuscators\ArrayFinder.cs" />
|
||||
<Compile Include="deobfuscators\Babel_NET\AssemblyResolver.cs" />
|
||||
<Compile Include="deobfuscators\Babel_NET\BabelUtils.cs" />
|
||||
<Compile Include="deobfuscators\Babel_NET\ConstantsDecrypter.cs" />
|
||||
<Compile Include="deobfuscators\Babel_NET\Deobfuscator.cs" />
|
||||
|
|
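--- a/de4dot.code/deobfuscators/Babel_NET/AssemblyResolver.cs
+++ b/de4dot.code/deobfuscators/Babel_NET/AssemblyResolver.cs
@@ -0,0 +1,112 @@
+/*
+Copyright (C) 2011-2012 de4dot@gmail.com
+
+This file is part of de4dot.
+
+de4dot is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+de4dot is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with de4dot. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+using System.IO;
+using Mono.Cecil;
+using de4dot.blocks;
+
+namespace de4dot.code.deobfuscators.Babel_NET {
+class AssemblyResolver {
+ModuleDefinition module;
+TypeDefinition resolverType;
+MethodDefinition registerMethod;
+EmbeddedResource encryptedResource;
+EmbeddedAssemblyInfo[] embeddedAssemblyInfos = new EmbeddedAssemblyInfo[0];
+
+public class EmbeddedAssemblyInfo {
+public string fullname;
+public string extension;
+public byte[] data;
+
+public EmbeddedAssemblyInfo(string fullName, string extension, byte[] data) {
+this.fullname = fullName;
+this.extension = extension;
+this.data = data;
+}
+}
+
+public bool Detected {
+get { return resolverType != null; }
+}
+
+public TypeDefinition Type {
+get { return resolverType; }
+}
+
+public MethodDefinition InitMethod {
+get { return registerMethod; }
+}
+
+public EmbeddedResource EncryptedResource {
+get { return encryptedResource; }
+}
+
+public EmbeddedAssemblyInfo[] EmbeddedAssemblyInfos {
+get { return embeddedAssemblyInfos; }
+}
+
+public AssemblyResolver(ModuleDefinition module) {
+this.module = module;
+}
+
+public void find() {
+var requiredTypes = new string[] {
+"System.Object",
+"System.Int32",
+"System.Collections.Hashtable",
+};
+foreach (var type in module.Types) {
+if (type.HasEvents)
+continue;
+if (!new FieldTypes(type).exactly(requiredTypes))
+continue;
+
+MethodDefinition regMethod, handler;
+if (!BabelUtils.findRegisterMethod(type, out regMethod, out handler))
+continue;
+
+resolverType = type;
+registerMethod = regMethod;
+return;
+}
+}
+
+public void initialize(ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
+if (resolverType == null)
+return;
+
+encryptedResource = BabelUtils.findEmbeddedResource(module, resolverType, simpleDeobfuscator, deob);
+if (encryptedResource == null) {
+Log.w("Could not find embedded assemblies resource");
+return;
+}
+
+var decrypted = new ResourceDecrypter(module).decrypt(encryptedResource.GetResourceData());
+var reader = new BinaryReader(new MemoryStream(decrypted));
+int numAssemblies = reader.ReadInt32();
+embeddedAssemblyInfos = new EmbeddedAssemblyInfo[numAssemblies];
+for (int i = 0; i < numAssemblies; i++) {
+string name = reader.ReadString();
+var data = reader.ReadBytes(reader.ReadInt32());
+var mod = ModuleDefinition.ReadModule(new MemoryStream(data));
+embeddedAssemblyInfos[i] = new EmbeddedAssemblyInfo(name, DeobUtils.getExtension(mod.Kind), data);
+}
+}
+}
+}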
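Review bot: `initialize` trusts the length fields it reads out of the decrypted resource: `numAssemblies` goes straight into `new EmbeddedAssemblyInfo[numAssemblies]` and each entry's length straight into `reader.ReadBytes`, so a negative or oversized value in a malformed or hostile sample throws (OverflowException, ArgumentOutOfRangeException or OutOfMemoryException) and aborts the whole deobfuscation run instead of just the embedded-assembly dump. The array is also assigned to the field before the loop fills it, so a failure part-way leaves `EmbeddedAssemblyInfos` holding null entries that `dumpEmbeddedAssemblies` in Deobfuscator.cs would dereference. I would bound both counts against the bytes remaining in the stream, fill a local array and publish it only once every entry parsed, and dispose the reader with a `using`; `ModuleDefinition.ReadModule` may likewise throw on a truncated blob, which is worth catching and logging at the same place so the rest of the pipeline keeps working.
```csharp
var decrypted = new ResourceDecrypter(module).decrypt(encryptedResource.GetResourceData());
using (var reader = new BinaryReader(new MemoryStream(decrypted))) {
	int numAssemblies = reader.ReadInt32();
	// Loose sanity bound: every entry needs at least one byte of remaining input.
	if (numAssemblies < 0 || numAssemblies > reader.BaseStream.Length - reader.BaseStream.Position) {
		Log.w("Invalid embedded assemblies count in resource");
		return;
	}
	var infos = new EmbeddedAssemblyInfo[numAssemblies];
	for (int i = 0; i < numAssemblies; i++) {
		string name = reader.ReadString();
		int length = reader.ReadInt32();
		if (length < 0 || length > reader.BaseStream.Length - reader.BaseStream.Position) {
			Log.w("Invalid embedded assembly length in resource");
			return;
		}
		var data = reader.ReadBytes(length);
		var mod = ModuleDefinition.ReadModule(new MemoryStream(data));
		infos[i] = new EmbeddedAssemblyInfo(name, DeobUtils.getExtension(mod.Kind), data);
	}
	// Publish only a fully parsed table so callers never see partial results.
	embeddedAssemblyInfos = infos;
}
```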
@ -29,12 +29,14 @@ namespace de4dot.code.deobfuscators.Babel_NET {
|
|||
BoolOption decryptMethods;
|
||||
BoolOption decryptResources;
|
||||
BoolOption decryptConstants;
|
||||
BoolOption dumpEmbeddedAssemblies;
|
||||
|
||||
public DeobfuscatorInfo()
|
||||
: base() {
|
||||
decryptMethods = new BoolOption(null, makeArgName("methods"), "Decrypt methods", true);
|
||||
decryptResources = new BoolOption(null, makeArgName("rsrc"), "Decrypt resources", true);
|
||||
decryptConstants = new BoolOption(null, makeArgName("consts"), "Decrypt constants and arrays", true);
|
||||
dumpEmbeddedAssemblies = new BoolOption(null, makeArgName("embedded"), "Dump embedded assemblies", true);
|
||||
}
|
||||
|
||||
public override string Name {
|
||||
|
@ -51,6 +53,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
|
|||
DecryptMethods = decryptMethods.get(),
|
||||
DecryptResources = decryptResources.get(),
|
||||
DecryptConstants = decryptConstants.get(),
|
||||
DumpEmbeddedAssemblies = dumpEmbeddedAssemblies.get(),
|
||||
});
|
||||
}
|
||||
|
||||
|
@ -59,6 +62,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
|
|||
decryptMethods,
|
||||
decryptResources,
|
||||
decryptConstants,
|
||||
dumpEmbeddedAssemblies,
|
||||
};
|
||||
}
|
||||
}
|
||||
|
@ -69,6 +73,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
|
|||
string obfuscatorName = DeobfuscatorInfo.THE_NAME;
|
||||
|
||||
ResourceResolver resourceResolver;
|
||||
AssemblyResolver assemblyResolver;
|
||||
StringDecrypter stringDecrypter;
|
||||
ConstantsDecrypter constantsDecrypter;
|
||||
Int32ValueInliner int32ValueInliner;
|
||||
|
@ -82,6 +87,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
|
|||
public bool DecryptMethods { get; set; }
|
||||
public bool DecryptResources { get; set; }
|
||||
public bool DecryptConstants { get; set; }
|
||||
public bool DumpEmbeddedAssemblies { get; set; }
|
||||
}
|
||||
|
||||
public override string Type {
|
||||
|
@ -110,6 +116,7 @@ namespace de4dot.code.deobfuscators.Babel_NET {
|
|||
|
||||
int sum = toInt32(foundBabelAttribute) +
|
||||
toInt32(resourceResolver.Detected) +
|
||||
toInt32(assemblyResolver.Detected) +
|
||||
toInt32(stringDecrypter.Detected) +
|
||||
toInt32(constantsDecrypter.Detected) +
|
||||
toInt32(proxyDelegateFinder.Detected) +
|
||||
|
@ -125,6 +132,8 @@ namespace de4dot.code.deobfuscators.Babel_NET {
|
|||
findBabelAttribute();
|
||||
resourceResolver = new ResourceResolver(module);
|
||||
resourceResolver.find();
|
||||
assemblyResolver = new AssemblyResolver(module);
|
||||
assemblyResolver.find();
|
||||
stringDecrypter = new StringDecrypter(module);
|
||||
stringDecrypter.find();
|
||||
constantsDecrypter = new ConstantsDecrypter(module, initializedDataCreator);
|
||||
|
@ -181,6 +190,9 @@ namespace de4dot.code.deobfuscators.Babel_NET {
|
|||
}
|
||||
}
|
||||
|
||||
if (options.DumpEmbeddedAssemblies)
|
||||
assemblyResolver.initialize(DeobfuscatedFile, this);
|
||||
|
||||
if (options.DecryptMethods) {
|
||||
methodsDecrypter.initialize(DeobfuscatedFile, this);
|
||||
methodsDecrypter.decrypt();
|
||||
|
@ -201,9 +213,20 @@ namespace de4dot.code.deobfuscators.Babel_NET {
|
|||
doubleValueInliner.add(constantsDecrypter.DoubleDecrypter, (method, args) => constantsDecrypter.decryptDouble((int)args[0]));
|
||||
}
|
||||
|
||||
dumpEmbeddedAssemblies();
|
||||
proxyDelegateFinder.find();
|
||||
}
|
||||
|
||||
void dumpEmbeddedAssemblies() {
|
||||
if (!options.DumpEmbeddedAssemblies)
|
||||
return;
|
||||
foreach (var info in assemblyResolver.EmbeddedAssemblyInfos)
|
||||
DeobfuscatedFile.createAssemblyFile(info.data, Utils.getAssemblySimpleName(info.fullname), info.extension);
|
||||
addTypeToBeRemoved(assemblyResolver.Type, "Assembly resolver type");
|
||||
addCctorInitCallToBeRemoved(assemblyResolver.InitMethod);
|
||||
addResourceToBeRemoved(assemblyResolver.EncryptedResource, "Embedded encrypted assemblies");
|
||||
}
|
||||
|
||||
void decryptResources() {
|
||||
if (!options.DecryptResources)
|
||||
return;
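Review bot: In `dumpEmbeddedAssemblies` the output file name is derived from `info.fullname`, which `AssemblyResolver.initialize` reads verbatim out of the decrypted resource of the binary being processed, so it is under the control of whoever built that binary; unless `Utils.getAssemblySimpleName` or `createAssemblyFile` (neither visible here) strips directory separators and `..` segments, a crafted sample could make the dump write outside the intended output directory. I would reject or sanitize a name containing any of `Path.GetInvalidFileNameChars()` before the `createAssemblyFile` call, or confirm that the helper already does so. The three `add*ToBeRemoved` calls also run when `assemblyResolver.Detected` is false, passing `null` for the type, init method and resource; if those helpers do not tolerate null, widen the guard to `if (!options.DumpEmbeddedAssemblies || !assemblyResolver.Detected) return;`. The enclosing class continues outside the hunk.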
|
||||
|
|