Merge branch 'rummage' into new_code
Conflicts: de4dot.cui/Program.cs
This commit is contained in:
de4dot
commit
4dce00b35a
|
|
@ -29,5 +29,5 @@ using System.Runtime.InteropServices;
|
|||
[assembly: AssemblyTrademark("")]
|
||||
[assembly: AssemblyCulture("")]
|
||||
[assembly: ComVisible(false)]
|
||||
[assembly: AssemblyVersion("1.8.4.3405")]
|
||||
[assembly: AssemblyFileVersion("1.8.4.3405")]
|
||||
[assembly: AssemblyVersion("1.8.5.3405")]
|
||||
[assembly: AssemblyFileVersion("1.8.5.3405")]
|
||||
|
|
|
|||
|
|
@ -29,5 +29,5 @@ using System.Runtime.InteropServices;
|
|||
[assembly: AssemblyTrademark("")]
|
||||
[assembly: AssemblyCulture("")]
|
||||
[assembly: ComVisible(false)]
|
||||
[assembly: AssemblyVersion("1.8.4.3405")]
|
||||
[assembly: AssemblyFileVersion("1.8.4.3405")]
|
||||
[assembly: AssemblyVersion("1.8.5.3405")]
|
||||
[assembly: AssemblyFileVersion("1.8.5.3405")]
|
||||
|
|
|
|||
|
|
@ -29,5 +29,5 @@ using System.Runtime.InteropServices;
|
|||
[assembly: AssemblyTrademark("")]
|
||||
[assembly: AssemblyCulture("")]
|
||||
[assembly: ComVisible(false)]
|
||||
[assembly: AssemblyVersion("1.8.4.3405")]
|
||||
[assembly: AssemblyFileVersion("1.8.4.3405")]
|
||||
[assembly: AssemblyVersion("1.8.5.3405")]
|
||||
[assembly: AssemblyFileVersion("1.8.5.3405")]
|
||||
|
|
|
|||
|
|
@ -29,5 +29,5 @@ using System.Runtime.InteropServices;
|
|||
[assembly: AssemblyTrademark("")]
|
||||
[assembly: AssemblyCulture("")]
|
||||
[assembly: ComVisible(false)]
|
||||
[assembly: AssemblyVersion("1.8.4.3405")]
|
||||
[assembly: AssemblyFileVersion("1.8.4.3405")]
|
||||
[assembly: AssemblyVersion("1.8.5.3405")]
|
||||
[assembly: AssemblyFileVersion("1.8.5.3405")]
|
||||
|
|
|
|||
|
|
@ -29,5 +29,5 @@ using System.Runtime.InteropServices;
|
|||
[assembly: AssemblyTrademark("")]
|
||||
[assembly: AssemblyCulture("")]
|
||||
[assembly: ComVisible(false)]
|
||||
[assembly: AssemblyVersion("1.8.4.3405")]
|
||||
[assembly: AssemblyFileVersion("1.8.4.3405")]
|
||||
[assembly: AssemblyVersion("1.8.5.3405")]
|
||||
[assembly: AssemblyFileVersion("1.8.5.3405")]
|
||||
|
|
|
|||
|
|
@ -29,5 +29,5 @@ using System.Runtime.InteropServices;
|
|||
[assembly: AssemblyTrademark("")]
|
||||
[assembly: AssemblyCulture("")]
|
||||
[assembly: ComVisible(false)]
|
||||
[assembly: AssemblyVersion("1.8.4.3405")]
|
||||
[assembly: AssemblyFileVersion("1.8.4.3405")]
|
||||
[assembly: AssemblyVersion("1.8.5.3405")]
|
||||
[assembly: AssemblyFileVersion("1.8.5.3405")]
|
||||
|
|
|
|||
|
|
@ -29,5 +29,5 @@ using System.Runtime.InteropServices;
|
|||
[assembly: AssemblyTrademark("")]
|
||||
[assembly: AssemblyCulture("")]
|
||||
[assembly: ComVisible(false)]
|
||||
[assembly: AssemblyVersion("1.8.4.3405")]
|
||||
[assembly: AssemblyFileVersion("1.8.4.3405")]
|
||||
[assembly: AssemblyVersion("1.8.5.3405")]
|
||||
[assembly: AssemblyFileVersion("1.8.5.3405")]
|
||||
|
|
|
|||
|
|
@ -29,5 +29,5 @@ using System.Runtime.InteropServices;
|
|||
[assembly: AssemblyTrademark("")]
|
||||
[assembly: AssemblyCulture("")]
|
||||
[assembly: ComVisible(false)]
|
||||
[assembly: AssemblyVersion("1.8.4.3405")]
|
||||
[assembly: AssemblyFileVersion("1.8.4.3405")]
|
||||
[assembly: AssemblyVersion("1.8.5.3405")]
|
||||
[assembly: AssemblyFileVersion("1.8.5.3405")]
|
||||
|
|
|
|||
|
|
@ -232,5 +232,22 @@ namespace de4dot.code {
|
|||
return fileData;
|
||||
}
|
||||
}
|
||||
|
||||
public static uint readEncodedUInt32(BinaryReader reader) {
|
||||
uint val = 0;
|
||||
int bits = 0;
|
||||
for (int i = 0; i < 5; i++) {
|
||||
byte b = reader.ReadByte();
|
||||
val |= (uint)(b & 0x7F) << bits;
|
||||
if ((b & 0x80) == 0)
|
||||
return val;
|
||||
bits += 7;
|
||||
}
|
||||
throw new ApplicationException("Invalid encoded int32");
|
||||
}
|
||||
|
||||
public static int readEncodedInt32(BinaryReader reader) {
|
||||
return (int)readEncodedUInt32(reader);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -67,7 +67,7 @@
|
|||
<Compile Include="deobfuscators\Babel_NET\MemberReferenceConverter.cs" />
|
||||
<Compile Include="deobfuscators\Babel_NET\MethodBodyReader.cs" />
|
||||
<Compile Include="deobfuscators\Babel_NET\MethodReferenceReader.cs" />
|
||||
<Compile Include="deobfuscators\Babel_NET\MethodBodyReaderBase.cs" />
|
||||
<Compile Include="deobfuscators\MethodBodyReaderBase.cs" />
|
||||
<Compile Include="deobfuscators\Babel_NET\MethodsDecrypter.cs" />
|
||||
<Compile Include="deobfuscators\Babel_NET\ProxyCallFixer.cs" />
|
||||
<Compile Include="deobfuscators\Babel_NET\ResourceDecrypter.cs" />
|
||||
|
|
@ -89,6 +89,7 @@
|
|||
<Compile Include="deobfuscators\CliSecure\vm\CsvmToCilMethodConverter.cs" />
|
||||
<Compile Include="deobfuscators\CliSecure\vm\FieldsInfo.cs" />
|
||||
<Compile Include="deobfuscators\CliSecure\vm\OpCodeHandler.cs" />
|
||||
<Compile Include="deobfuscators\CliSecure\vm\OpCodeHandlers.cs" />
|
||||
<Compile Include="deobfuscators\CliSecure\vm\UnknownHandlerInfo.cs" />
|
||||
<Compile Include="deobfuscators\CliSecure\vm\VmOpCodeHandlerDetector.cs" />
|
||||
<Compile Include="deobfuscators\CliSecure\vm\VmOperands.cs" />
|
||||
|
|
@ -209,6 +210,8 @@
|
|||
<Compile Include="deobfuscators\MPRESS\Lzmat.cs" />
|
||||
<Compile Include="deobfuscators\QuickLZ.cs" />
|
||||
<Compile Include="deobfuscators\RandomNameChecker.cs" />
|
||||
<Compile Include="deobfuscators\Rummage\Deobfuscator.cs" />
|
||||
<Compile Include="deobfuscators\Rummage\StringDecrypter.cs" />
|
||||
<Compile Include="deobfuscators\Skater_NET\Deobfuscator.cs" />
|
||||
<Compile Include="deobfuscators\Skater_NET\EnumClassFinder.cs" />
|
||||
<Compile Include="deobfuscators\Skater_NET\StringDecrypter.cs" />
|
||||
|
|
|
|||
|
|
@ -212,7 +212,7 @@ namespace de4dot.code.deobfuscators.CliSecure.vm {
|
|||
int offset = 0;
|
||||
while (reader.BaseStream.Position < reader.BaseStream.Length) {
|
||||
int vmOpCode = reader.ReadUInt16();
|
||||
var instr = opCodeDetector.Handlers[vmOpCode].read(reader);
|
||||
var instr = opCodeDetector.Handlers[vmOpCode].Read(reader);
|
||||
instr.Offset = offset;
|
||||
offset += getInstructionSize(instr);
|
||||
instrs.Add(instr);
|
||||
|
|
|
|||
File diff suppressed because it is too large
Load Diff
1198
de4dot.code/deobfuscators/CliSecure/vm/OpCodeHandlers.cs
Normal file
1198
de4dot.code/deobfuscators/CliSecure/vm/OpCodeHandlers.cs
Normal file
File diff suppressed because it is too large
Load Diff
|
|
@ -74,7 +74,7 @@ namespace de4dot.code.deobfuscators.CliSecure.vm {
|
|||
executeMethodPops = countPops(executeMethod);
|
||||
}
|
||||
|
||||
static IEnumerable<FieldDefinition> getFields(TypeDefinition type) {
|
||||
static internal IEnumerable<FieldDefinition> getFields(TypeDefinition type) {
|
||||
var typeFields = new FieldDefinitionAndDeclaringTypeDict<FieldDefinition>();
|
||||
foreach (var field in type.Fields)
|
||||
typeFields.add(field, field);
|
||||
|
|
|
|||
|
|
@ -45,39 +45,6 @@ namespace de4dot.code.deobfuscators.CliSecure.vm {
|
|||
|
||||
class VmOpCodeHandlerDetector {
|
||||
ModuleDefinition module;
|
||||
static readonly OpCodeHandler[] opCodeHandlerDetectors = new OpCodeHandler[] {
|
||||
new ArithmeticOpCodeHandler(),
|
||||
new ArrayOpCodeHandler(),
|
||||
new BoxOpCodeHandler(),
|
||||
new CallOpCodeHandler(),
|
||||
new CastOpCodeHandler(),
|
||||
new CompareOpCodeHandler(),
|
||||
new ConvertOpCodeHandler(),
|
||||
new DupPopOpCodeHandler(),
|
||||
new ElemOpCodeHandler(),
|
||||
new EndfinallyOpCodeHandler(),
|
||||
new FieldOpCodeHandler(),
|
||||
new InitobjOpCodeHandler(),
|
||||
new LdLocalArgOpCodeHandler(),
|
||||
new LdLocalArgAddrOpCodeHandler(),
|
||||
new LdelemaOpCodeHandler(),
|
||||
new LdlenOpCodeHandler(),
|
||||
new LdobjOpCodeHandler(),
|
||||
new LdstrOpCodeHandler(),
|
||||
new LdtokenOpCodeHandler(),
|
||||
new LeaveOpCodeHandler(),
|
||||
new LoadConstantOpCodeHandler(),
|
||||
new LoadFuncOpCodeHandler(),
|
||||
new LogicalOpCodeHandler(),
|
||||
new NopOpCodeHandler(),
|
||||
new RetOpCodeHandler(),
|
||||
new RethrowOpCodeHandler(),
|
||||
new StLocalArgOpCodeHandler(),
|
||||
new StobjOpCodeHandler(),
|
||||
new SwitchOpCodeHandler(),
|
||||
new ThrowOpCodeHandler(),
|
||||
new UnaryOpCodeHandler(),
|
||||
};
|
||||
List<OpCodeHandler> opCodeHandlers;
|
||||
|
||||
public List<OpCodeHandler> Handlers {
|
||||
|
|
@ -95,12 +62,15 @@ namespace de4dot.code.deobfuscators.CliSecure.vm {
|
|||
if (vmHandlerTypes == null)
|
||||
throw new ApplicationException("Could not find CSVM opcode handler types");
|
||||
|
||||
detectHandlers(vmHandlerTypes, createCsvmInfo());
|
||||
}
|
||||
|
||||
internal CsvmInfo createCsvmInfo() {
|
||||
var csvmInfo = new CsvmInfo();
|
||||
csvmInfo.StackValue = findStackValueType();
|
||||
csvmInfo.Stack = findStackType(csvmInfo.StackValue);
|
||||
initStackTypeMethods(csvmInfo);
|
||||
|
||||
detectHandlers(vmHandlerTypes, csvmInfo);
|
||||
return csvmInfo;
|
||||
}
|
||||
|
||||
TypeDefinition findStackValueType() {
|
||||
|
|
@ -239,19 +209,26 @@ namespace de4dot.code.deobfuscators.CliSecure.vm {
|
|||
void detectHandlers(List<TypeDefinition> handlerTypes, CsvmInfo csvmInfo) {
|
||||
opCodeHandlers = new List<OpCodeHandler>();
|
||||
var detected = new List<OpCodeHandler>();
|
||||
foreach (var handlerType in handlerTypes) {
|
||||
var info = new UnknownHandlerInfo(handlerType, csvmInfo);
|
||||
detected.Clear();
|
||||
foreach (var opCodeHandler in opCodeHandlerDetectors) {
|
||||
if (opCodeHandler.detect(info))
|
||||
detected.Add(opCodeHandler);
|
||||
|
||||
foreach (var handlersList in OpCodeHandlers.opcodeHandlers) {
|
||||
opCodeHandlers.Clear();
|
||||
|
||||
foreach (var handlerType in handlerTypes) {
|
||||
var info = new UnknownHandlerInfo(handlerType, csvmInfo);
|
||||
detected.Clear();
|
||||
foreach (var opCodeHandler in handlersList) {
|
||||
if (opCodeHandler.detect(info))
|
||||
detected.Add(opCodeHandler);
|
||||
}
|
||||
if (detected.Count != 1)
|
||||
goto next;
|
||||
opCodeHandlers.Add(detected[0]);
|
||||
}
|
||||
if (detected.Count != 1)
|
||||
throw new ApplicationException("Could not detect VM opcode handler");
|
||||
opCodeHandlers.Add(detected[0]);
|
||||
if (new List<OpCodeHandler>(Utils.unique(opCodeHandlers)).Count == opCodeHandlers.Count)
|
||||
return;
|
||||
next: ;
|
||||
}
|
||||
if (new List<OpCodeHandler>(Utils.unique(opCodeHandlers)).Count != opCodeHandlers.Count)
|
||||
throw new ApplicationException("Could not detect all VM opcode handlers");
|
||||
throw new ApplicationException("Could not detect all VM opcode handlers");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -62,7 +62,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
if (DotNetUtils.getPInvokeMethod(type, "kernel32", "GetProcAddress") == null)
|
||||
continue;
|
||||
deobfuscate(method);
|
||||
if (!containsString(method, "debugger is active"))
|
||||
if (!containsString(method, "debugger is activ"))
|
||||
continue;
|
||||
|
||||
antiDebuggerType = type;
|
||||
|
|
|
|||
|
|
@ -129,7 +129,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
MethodDefinition getProxyCreateMethod(TypeDefinition type) {
|
||||
if (DotNetUtils.findFieldType(type, "System.ModuleHandle", true) == null)
|
||||
return null;
|
||||
if (type.Fields.Count < 1 || type.Fields.Count > 4)
|
||||
if (type.Fields.Count < 1 || type.Fields.Count > 5)
|
||||
return null;
|
||||
|
||||
MethodDefinition createMethod = null;
|
||||
|
|
|
|||
|
|
@ -298,6 +298,8 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
foreach (var method in type.Methods) {
|
||||
if (DotNetUtils.isMethod(method, "System.Byte[]", "(System.IO.Stream)"))
|
||||
return method;
|
||||
if (DotNetUtils.isMethod(method, "System.Byte[]", "(System.Int32,System.IO.Stream)"))
|
||||
return method;
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -84,7 +84,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
|
||||
if (!method.IsStatic || !DotNetUtils.isMethod(method, "System.Void", "()"))
|
||||
return false;
|
||||
if (type.Methods.Count < 3 || type.Methods.Count > 6)
|
||||
if (type.Methods.Count < 3 || type.Methods.Count > 7)
|
||||
return false;
|
||||
if (DotNetUtils.getPInvokeMethod(type, "mscoree", "StrongNameSignatureVerificationEx") != null) {
|
||||
}
|
||||
|
|
|
|||
|
|
@ -124,6 +124,17 @@ namespace de4dot.code.deobfuscators {
|
|||
} while ((sum -= DELTA) != 0);
|
||||
}
|
||||
|
||||
// Code converted from C implementation @ http://en.wikipedia.org/wiki/XTEA (decipher() func)
|
||||
public static void xteaDecrypt(ref uint v0, ref uint v1, uint[] key, int rounds) {
|
||||
const uint delta = 0x9E3779B9;
|
||||
uint sum = (uint)(delta * rounds);
|
||||
for (int i = 0; i < rounds; i++) {
|
||||
v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
|
||||
sum -= delta;
|
||||
v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
|
||||
}
|
||||
}
|
||||
|
||||
public static string getExtension(ModuleKind kind) {
|
||||
switch (kind) {
|
||||
case ModuleKind.Dll:
|
||||
|
|
|
|||
|
|
@ -24,13 +24,13 @@ using Mono.Cecil;
|
|||
using Mono.Cecil.Cil;
|
||||
using de4dot.blocks;
|
||||
|
||||
namespace de4dot.code.deobfuscators.Babel_NET {
|
||||
namespace de4dot.code.deobfuscators {
|
||||
abstract class MethodBodyReaderBase {
|
||||
protected BinaryReader reader;
|
||||
public List<VariableDefinition> Locals { get; set; }
|
||||
public Instruction[] Instructions { get; set; }
|
||||
public ExceptionHandler[] ExceptionHandlers { get; set; }
|
||||
protected ParameterDefinition[] parameters;
|
||||
protected IList<ParameterDefinition> parameters;
|
||||
int currentOffset;
|
||||
|
||||
public MethodBodyReaderBase(BinaryReader reader) {
|
||||
110
de4dot.code/deobfuscators/Rummage/Deobfuscator.cs
Normal file
110
de4dot.code/deobfuscators/Rummage/Deobfuscator.cs
Normal file
|
|
@ -0,0 +1,110 @@
|
|||
/*
|
||||
Copyright (C) 2011-2012 de4dot@gmail.com
|
||||
|
||||
This file is part of de4dot.
|
||||
|
||||
de4dot is free software: you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation, either version 3 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
de4dot is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
using System.Collections.Generic;
|
||||
using Mono.Cecil;
|
||||
using de4dot.blocks;
|
||||
|
||||
namespace de4dot.code.deobfuscators.Rummage {
|
||||
public class DeobfuscatorInfo : DeobfuscatorInfoBase {
|
||||
public const string THE_NAME = "Rummage";
|
||||
public const string THE_TYPE = "rm";
|
||||
const string DEFAULT_REGEX = @"!.";
|
||||
public DeobfuscatorInfo()
|
||||
: base(DEFAULT_REGEX) {
|
||||
}
|
||||
|
||||
public override string Name {
|
||||
get { return THE_NAME; }
|
||||
}
|
||||
|
||||
public override string Type {
|
||||
get { return THE_TYPE; }
|
||||
}
|
||||
|
||||
public override IDeobfuscator createDeobfuscator() {
|
||||
return new Deobfuscator(new Deobfuscator.Options {
|
||||
ValidNameRegex = validNameRegex.get(),
|
||||
});
|
||||
}
|
||||
}
|
||||
|
||||
class Deobfuscator : DeobfuscatorBase {
|
||||
StringDecrypter stringDecrypter;
|
||||
|
||||
internal class Options : OptionsBase {
|
||||
}
|
||||
|
||||
public override string Type {
|
||||
get { return DeobfuscatorInfo.THE_TYPE; }
|
||||
}
|
||||
|
||||
public override string TypeLong {
|
||||
get { return DeobfuscatorInfo.THE_NAME; }
|
||||
}
|
||||
|
||||
public override string Name {
|
||||
get { return TypeLong; }
|
||||
}
|
||||
|
||||
public Deobfuscator(Options options)
|
||||
: base(options) {
|
||||
}
|
||||
|
||||
protected override int detectInternal() {
|
||||
int val = 0;
|
||||
|
||||
int sum = toInt32(stringDecrypter.Detected);
|
||||
if (sum > 0)
|
||||
val += 100 + 10 * (sum - 1);
|
||||
|
||||
return val;
|
||||
}
|
||||
|
||||
protected override void scanForObfuscator() {
|
||||
stringDecrypter = new StringDecrypter(module);
|
||||
stringDecrypter.find();
|
||||
}
|
||||
|
||||
public override void deobfuscateBegin() {
|
||||
base.deobfuscateBegin();
|
||||
|
||||
stringDecrypter.initialize();
|
||||
}
|
||||
|
||||
|
||||
public override void deobfuscateMethodEnd(Blocks blocks) {
|
||||
if (CanRemoveStringDecrypterType)
|
||||
stringDecrypter.deobfuscate(blocks);
|
||||
base.deobfuscateMethodEnd(blocks);
|
||||
}
|
||||
|
||||
public override void deobfuscateEnd() {
|
||||
if (CanRemoveStringDecrypterType) {
|
||||
addTypeToBeRemoved(stringDecrypter.Type, "String decrypter type");
|
||||
addTypesToBeRemoved(stringDecrypter.OtherTypes, "Decrypted string type");
|
||||
}
|
||||
base.deobfuscateEnd();
|
||||
}
|
||||
|
||||
public override IEnumerable<int> getStringDecrypterMethods() {
|
||||
return new List<int>();
|
||||
}
|
||||
}
|
||||
}
|
||||
256
de4dot.code/deobfuscators/Rummage/StringDecrypter.cs
Normal file
256
de4dot.code/deobfuscators/Rummage/StringDecrypter.cs
Normal file
|
|
@ -0,0 +1,256 @@
|
|||
/*
|
||||
Copyright (C) 2011-2012 de4dot@gmail.com
|
||||
|
||||
This file is part of de4dot.
|
||||
|
||||
de4dot is free software: you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation, either version 3 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
de4dot is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.IO;
|
||||
using System.Text;
|
||||
using Mono.Cecil;
|
||||
using Mono.Cecil.Cil;
|
||||
using de4dot.blocks;
|
||||
|
||||
namespace de4dot.code.deobfuscators.Rummage {
|
||||
class StringDecrypter {
|
||||
ModuleDefinition module;
|
||||
MethodDefinition stringDecrypterMethod;
|
||||
FieldDefinitionAndDeclaringTypeDict<StringInfo> stringInfos = new FieldDefinitionAndDeclaringTypeDict<StringInfo>();
|
||||
int fileDispl;
|
||||
uint[] key;
|
||||
BinaryReader reader;
|
||||
|
||||
class StringInfo {
|
||||
public readonly FieldDefinition field;
|
||||
public readonly int stringId;
|
||||
public string decrypted;
|
||||
|
||||
public StringInfo(FieldDefinition field, int stringId) {
|
||||
this.field = field;
|
||||
this.stringId = stringId;
|
||||
}
|
||||
|
||||
public override string ToString() {
|
||||
if (decrypted != null)
|
||||
return string.Format("{0:X8} - {1}", stringId, Utils.toCsharpString(decrypted));
|
||||
return string.Format("{0:X8}", stringId);
|
||||
}
|
||||
}
|
||||
|
||||
public TypeDefinition Type {
|
||||
get { return stringDecrypterMethod != null ? stringDecrypterMethod.DeclaringType : null; }
|
||||
}
|
||||
|
||||
public IEnumerable<TypeDefinition> OtherTypes {
|
||||
get {
|
||||
var list = new List<TypeDefinition>(stringInfos.Count);
|
||||
foreach (var info in stringInfos.getValues())
|
||||
list.Add(info.field.DeclaringType);
|
||||
return list;
|
||||
}
|
||||
}
|
||||
|
||||
public bool Detected {
|
||||
get { return stringDecrypterMethod != null; }
|
||||
}
|
||||
|
||||
public StringDecrypter(ModuleDefinition module) {
|
||||
this.module = module;
|
||||
}
|
||||
|
||||
public void find() {
|
||||
foreach (var type in module.Types) {
|
||||
var method = checkType(type);
|
||||
if (method == null)
|
||||
continue;
|
||||
if (!getDispl(method, ref fileDispl))
|
||||
continue;
|
||||
|
||||
stringDecrypterMethod = method;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
static readonly string[] requiredFields = new string[] {
|
||||
"System.UInt32[]",
|
||||
};
|
||||
static readonly string[] requiredLocals = new string[] {
|
||||
"System.Byte[]",
|
||||
"System.Int32",
|
||||
"System.IO.FileStream",
|
||||
};
|
||||
static MethodDefinition checkType(TypeDefinition type) {
|
||||
if (!new FieldTypes(type).exactly(requiredFields))
|
||||
return null;
|
||||
var cctor = DotNetUtils.getMethod(type, ".cctor");
|
||||
if (cctor == null)
|
||||
return null;
|
||||
if (!new LocalTypes(cctor).all(requiredLocals))
|
||||
return null;
|
||||
|
||||
return checkMethods(type);
|
||||
}
|
||||
|
||||
static MethodDefinition checkMethods(TypeDefinition type) {
|
||||
MethodDefinition cctor = null, decrypterMethod = null;
|
||||
foreach (var method in type.Methods) {
|
||||
if (!method.IsStatic || method.Body == null)
|
||||
return null;
|
||||
if (method.Name == ".cctor")
|
||||
cctor = method;
|
||||
else if (DotNetUtils.isMethod(method, "System.String", "(System.Int32)"))
|
||||
decrypterMethod = method;
|
||||
else
|
||||
return null;
|
||||
}
|
||||
if (cctor == null || decrypterMethod == null)
|
||||
return null;
|
||||
|
||||
return decrypterMethod;
|
||||
}
|
||||
|
||||
static bool getDispl(MethodDefinition method, ref int displ) {
|
||||
var instrs = method.Body.Instructions;
|
||||
for (int i = 0; i < instrs.Count - 2; i++) {
|
||||
var mul = instrs[i];
|
||||
if (mul.OpCode.Code != Code.Mul)
|
||||
continue;
|
||||
|
||||
var ldci4 = instrs[i + 1];
|
||||
if (!DotNetUtils.isLdcI4(ldci4))
|
||||
continue;
|
||||
|
||||
var sub = instrs[i + 2];
|
||||
if (sub.OpCode.Code != Code.Sub)
|
||||
continue;
|
||||
|
||||
displ = DotNetUtils.getLdcI4Value(ldci4);
|
||||
return true;
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
public void initialize() {
|
||||
reader = new BinaryReader(new FileStream(module.FullyQualifiedName, FileMode.Open, FileAccess.Read, FileShare.Read));
|
||||
initKey();
|
||||
|
||||
foreach (var type in module.Types)
|
||||
initType(type);
|
||||
}
|
||||
|
||||
void initKey() {
|
||||
reader.BaseStream.Position = reader.BaseStream.Length - 48;
|
||||
key = new uint[4];
|
||||
for (int i = 0; i < key.Length; i++)
|
||||
key[i] = reader.ReadUInt32();
|
||||
}
|
||||
|
||||
void initType(TypeDefinition type) {
|
||||
var cctor = DotNetUtils.getMethod(type, ".cctor");
|
||||
if (cctor == null)
|
||||
return;
|
||||
var info = getStringInfo(cctor);
|
||||
if (info == null)
|
||||
return;
|
||||
|
||||
stringInfos.add(info.field, info);
|
||||
}
|
||||
|
||||
StringInfo getStringInfo(MethodDefinition method) {
|
||||
if (method == null || method.Body == null)
|
||||
return null;
|
||||
var instrs = method.Body.Instructions;
|
||||
for (int i = 0; i < instrs.Count - 2; i++) {
|
||||
var ldci4 = instrs[i];
|
||||
if (!DotNetUtils.isLdcI4(ldci4))
|
||||
continue;
|
||||
int stringId = DotNetUtils.getLdcI4Value(ldci4);
|
||||
|
||||
var call = instrs[i + 1];
|
||||
if (call.OpCode.Code != Code.Call)
|
||||
continue;
|
||||
var calledMethod = call.Operand as MethodReference;
|
||||
if (!MemberReferenceHelper.compareMethodReferenceAndDeclaringType(stringDecrypterMethod, calledMethod))
|
||||
continue;
|
||||
|
||||
var stsfld = instrs[i + 2];
|
||||
if (stsfld.OpCode.Code != Code.Stsfld)
|
||||
continue;
|
||||
var field = stsfld.Operand as FieldDefinition;
|
||||
if (field == null)
|
||||
continue;
|
||||
|
||||
return new StringInfo(field, stringId);
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
public void deobfuscate(Blocks blocks) {
|
||||
foreach (var block in blocks.MethodBlocks.getAllBlocks()) {
|
||||
var instrs = block.Instructions;
|
||||
for (int i = 0; i < instrs.Count; i++) {
|
||||
var instr = instrs[i];
|
||||
|
||||
if (instr.OpCode.Code != Code.Ldsfld)
|
||||
continue;
|
||||
|
||||
var field = instr.Operand as FieldReference;
|
||||
if (field == null)
|
||||
continue;
|
||||
var info = stringInfos.find(field);
|
||||
if (info == null)
|
||||
continue;
|
||||
var decrypted = decrypt(info);
|
||||
|
||||
instrs[i] = new Instr(Instruction.Create(OpCodes.Ldstr, decrypted));
|
||||
Log.v("Decrypted string: {0}", Utils.toCsharpString(decrypted));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
string decrypt(StringInfo info) {
|
||||
if (info.decrypted == null)
|
||||
info.decrypted = decrypt(info.stringId);
|
||||
|
||||
return info.decrypted;
|
||||
}
|
||||
|
||||
string decrypt(int stringId) {
|
||||
reader.BaseStream.Position = reader.BaseStream.Length + (stringId * 4 - fileDispl);
|
||||
|
||||
uint v0 = reader.ReadUInt32();
|
||||
uint v1 = reader.ReadUInt32();
|
||||
DeobUtils.xteaDecrypt(ref v0, ref v1, key, 32);
|
||||
int utf8Length = (int)v0;
|
||||
var decrypted = new uint[(utf8Length + 11) / 8 * 2 - 1];
|
||||
decrypted[0] = v1;
|
||||
for (int i = 1; i + 1 < decrypted.Length; i += 2) {
|
||||
v0 = reader.ReadUInt32();
|
||||
v1 = reader.ReadUInt32();
|
||||
DeobUtils.xteaDecrypt(ref v0, ref v1, key, 32);
|
||||
decrypted[i] = v0;
|
||||
decrypted[i + 1] = v1;
|
||||
}
|
||||
|
||||
var utf8 = new byte[utf8Length];
|
||||
Buffer.BlockCopy(decrypted, 0, utf8, 0, utf8.Length);
|
||||
return Encoding.UTF8.GetString(utf8);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -154,14 +154,12 @@ namespace de4dot.code.resources {
|
|||
}
|
||||
|
||||
static uint readUInt32(BinaryReader reader) {
|
||||
uint val = 0;
|
||||
for (int i = 0; i < 5; i++) {
|
||||
byte b = reader.ReadByte();
|
||||
val |= b;
|
||||
if ((b & 0x80) == 0)
|
||||
return val;
|
||||
try {
|
||||
return Utils.readEncodedUInt32(reader);
|
||||
}
|
||||
catch {
|
||||
throw new ResourceReaderException("Invalid encoded int32");
|
||||
}
|
||||
throw new ResourceReaderException("Invalid encoded int32");
|
||||
}
|
||||
|
||||
bool checkReaders() {
|
||||
|
|
|
|||
|
|
@ -51,6 +51,7 @@ namespace de4dot.cui {
|
|||
new de4dot.code.deobfuscators.Goliath_NET.DeobfuscatorInfo(),
|
||||
new de4dot.code.deobfuscators.MaxtoCode.DeobfuscatorInfo(),
|
||||
new de4dot.code.deobfuscators.MPRESS.DeobfuscatorInfo(),
|
||||
new de4dot.code.deobfuscators.Rummage.DeobfuscatorInfo(),
|
||||
new de4dot.code.deobfuscators.Skater_NET.DeobfuscatorInfo(),
|
||||
new de4dot.code.deobfuscators.SmartAssembly.DeobfuscatorInfo(),
|
||||
new de4dot.code.deobfuscators.Spices_Net.DeobfuscatorInfo(),
|
||||
|
|
|
|||
|
|
@ -30,7 +30,7 @@ using System.Runtime.InteropServices;
|
|||
[assembly: AssemblyTrademark("")]
|
||||
[assembly: AssemblyCulture("")]
|
||||
[assembly: ComVisible(false)]
|
||||
[assembly: AssemblyVersion("1.8.4.3405")]
|
||||
[assembly: AssemblyFileVersion("1.8.4.3405")]
|
||||
[assembly: AssemblyVersion("1.8.5.3405")]
|
||||
[assembly: AssemblyFileVersion("1.8.5.3405")]
|
||||
[assembly: InternalsVisibleTo("de4dot, PublicKey=00240000048000009400000006020000002400005253413100040000010001007b5ffd8f48f1397cd4e21c9e30a5cb36b2c013d6f20688c90e3f0c2d24e6d67cbeea7a6ec3faf9ba081f3d6b6fbe389677adbb8337d3a16187cd13b16a34008a22b89089da41c4a08fd35615c77de0827adcca6d49b08c0ed3e0404a1c44b7d083be614acb1779e4fb275e14427f3687f375d03f3b465c8a6cdeebd1f8c7f4ea")]
|
||||
[assembly: InternalsVisibleTo("de4dot-x64, PublicKey=00240000048000009400000006020000002400005253413100040000010001007b5ffd8f48f1397cd4e21c9e30a5cb36b2c013d6f20688c90e3f0c2d24e6d67cbeea7a6ec3faf9ba081f3d6b6fbe389677adbb8337d3a16187cd13b16a34008a22b89089da41c4a08fd35615c77de0827adcca6d49b08c0ed3e0404a1c44b7d083be614acb1779e4fb275e14427f3687f375d03f3b465c8a6cdeebd1f8c7f4ea")]
|
||||
|
|
|
|||
|
|
@ -244,7 +244,8 @@ namespace de4dot.mdecrypt {
|
|||
|
||||
uint size = pSection->VirtualSize;
|
||||
uint rva = pSection->VirtualAddress;
|
||||
return new IntPtr((byte*)hDll + rva + size);
|
||||
int displ = -4;
|
||||
return new IntPtr((byte*)hDll + rva + size + displ);
|
||||
}
|
||||
|
||||
throw new ApplicationException("Could not find .text section");
|
||||
|
|
|
|||
|
|
@ -29,5 +29,5 @@ using System.Runtime.InteropServices;
|
|||
[assembly: AssemblyTrademark("")]
|
||||
[assembly: AssemblyCulture("")]
|
||||
[assembly: ComVisible(false)]
|
||||
[assembly: AssemblyVersion("1.8.4.3405")]
|
||||
[assembly: AssemblyFileVersion("1.8.4.3405")]
|
||||
[assembly: AssemblyVersion("1.8.5.3405")]
|
||||
[assembly: AssemblyFileVersion("1.8.5.3405")]
|
||||
|
|
|
|||
|
|
@ -29,5 +29,5 @@ using System.Runtime.InteropServices;
|
|||
[assembly: AssemblyTrademark("")]
|
||||
[assembly: AssemblyCulture("")]
|
||||
[assembly: ComVisible(false)]
|
||||
[assembly: AssemblyVersion("1.8.4.3405")]
|
||||
[assembly: AssemblyFileVersion("1.8.4.3405")]
|
||||
[assembly: AssemblyVersion("1.8.5.3405")]
|
||||
[assembly: AssemblyFileVersion("1.8.5.3405")]
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user