Support newer Confuser 1.0 and 1.1 string decrypters
parent
afb205aeea
commit
4f4af7a44a
|
@ -18,6 +18,7 @@
|
|||
*/
|
||||
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.IO;
|
||||
using System.Text;
|
||||
using Mono.Cecil;
|
||||
|
@ -31,6 +32,238 @@ namespace de4dot.code.deobfuscators.Confuser {
|
|||
EmbeddedResource resource;
|
||||
uint magic1, magic2;
|
||||
BinaryReader reader;
|
||||
ConfuserVersion version = ConfuserVersion.Unknown;
|
||||
Decrypter decrypter;
|
||||
|
||||
enum ConfuserVersion {
|
||||
Unknown,
|
||||
v10_r42915,
|
||||
v10_r48832,
|
||||
v11_r49299,
|
||||
}
|
||||
|
||||
abstract class Decrypter {
|
||||
protected StringDecrypter stringDecrypter;
|
||||
|
||||
protected Decrypter(StringDecrypter stringDecrypter) {
|
||||
this.stringDecrypter = stringDecrypter;
|
||||
}
|
||||
|
||||
public abstract string decrypt(MethodDefinition caller, int magic);
|
||||
}
|
||||
|
||||
class Decrypter_v10_r42915 : Decrypter {
|
||||
public Decrypter_v10_r42915(StringDecrypter stringDecrypter)
|
||||
: base(stringDecrypter) {
|
||||
}
|
||||
|
||||
public override string decrypt(MethodDefinition caller, int magic) {
|
||||
var reader = stringDecrypter.reader;
|
||||
reader.BaseStream.Position = (caller.MetadataToken.ToInt32() ^ magic) - stringDecrypter.magic1;
|
||||
int len = reader.ReadInt32() ^ (int)~stringDecrypter.magic2;
|
||||
var bytes = reader.ReadBytes(len);
|
||||
var rand = new Random(caller.MetadataToken.ToInt32());
|
||||
|
||||
int mask = 0;
|
||||
for (int i = 0; i < bytes.Length; i++) {
|
||||
byte b = bytes[i];
|
||||
bytes[i] = (byte)(b ^ (rand.Next() & mask));
|
||||
mask += b;
|
||||
}
|
||||
return Encoding.UTF8.GetString(bytes);
|
||||
}
|
||||
}
|
||||
|
||||
class Decrypter_v10_r48832 : Decrypter {
|
||||
PolyConstantsReader constReader;
|
||||
|
||||
public Decrypter_v10_r48832(StringDecrypter stringDecrypter)
|
||||
: base(stringDecrypter) {
|
||||
}
|
||||
|
||||
public override string decrypt(MethodDefinition caller, int magic) {
|
||||
var reader = stringDecrypter.reader;
|
||||
reader.BaseStream.Position = (caller.MetadataToken.ToInt32() ^ magic) - stringDecrypter.magic1;
|
||||
int len = reader.ReadInt32() ^ (int)~stringDecrypter.magic2;
|
||||
var rand = new Random(caller.MetadataToken.ToInt32());
|
||||
|
||||
var instrs = stringDecrypter.decryptMethod.Body.Instructions;
|
||||
constReader = new PolyConstantsReader(instrs, false);
|
||||
int polyIndex = ConfuserUtils.findCallMethod(instrs, 0, Code.Callvirt, "System.Int64 System.IO.BinaryReader::ReadInt64()");
|
||||
if (polyIndex < 0)
|
||||
throw new ApplicationException("Could not find start of decrypt code");
|
||||
|
||||
var decrypted = new byte[len];
|
||||
for (int i = 0; i < len; i += 8) {
|
||||
constReader.Arg = reader.ReadInt64();
|
||||
int index = polyIndex;
|
||||
long val;
|
||||
if (!constReader.getInt64(ref index, out val) || instrs[index].OpCode.Code != Code.Conv_I8)
|
||||
throw new ApplicationException("Could not get string int64 value");
|
||||
Array.Copy(BitConverter.GetBytes(val ^ rand.Next()), 0, decrypted, i, Math.Min(8, len - i));
|
||||
}
|
||||
|
||||
return Encoding.Unicode.GetString(decrypted);
|
||||
}
|
||||
}
|
||||
|
||||
class Decrypter_v11_r49299 : Decrypter {
|
||||
MyConstantsReader constReader;
|
||||
|
||||
class MyConstantsReader : ConstantsReader {
|
||||
long arg;
|
||||
bool firstTime;
|
||||
|
||||
public long Arg {
|
||||
get { return arg; }
|
||||
set {
|
||||
arg = value;
|
||||
firstTime = true;
|
||||
}
|
||||
}
|
||||
|
||||
public MyConstantsReader(IList<Instruction> instrs, bool emulateConvInstrs)
|
||||
: base(instrs, emulateConvInstrs) {
|
||||
}
|
||||
|
||||
protected override bool processInstructionInt64(ref int index, Stack<ConstantInfo<long>> stack) {
|
||||
if (!firstTime)
|
||||
return false;
|
||||
firstTime = false;
|
||||
if (instructions[index].OpCode.Code != Code.Conv_I8)
|
||||
return false;
|
||||
|
||||
stack.Push(new ConstantInfo<long>(index, arg));
|
||||
index = index + 1;
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
public Decrypter_v11_r49299(StringDecrypter stringDecrypter)
|
||||
: base(stringDecrypter) {
|
||||
}
|
||||
|
||||
public override string decrypt(MethodDefinition caller, int magic) {
|
||||
var reader = stringDecrypter.reader;
|
||||
reader.BaseStream.Position = (caller.MetadataToken.ToInt32() ^ magic) - stringDecrypter.magic1;
|
||||
int len = reader.ReadInt32() ^ (int)~stringDecrypter.magic2;
|
||||
var decrypted = new byte[len];
|
||||
|
||||
int startIndex, endIndex;
|
||||
if (!findPolyStartEndIndexes(out startIndex, out endIndex))
|
||||
throw new ApplicationException("Could not get start/end indexes");
|
||||
|
||||
constReader = new MyConstantsReader(stringDecrypter.decryptMethod.Body.Instructions, false);
|
||||
for (int i = 0; i < len; i++) {
|
||||
constReader.Arg = Utils.readEncodedInt32(reader);
|
||||
int index = startIndex;
|
||||
long result;
|
||||
if (!constReader.getInt64(ref index, out result) || index != endIndex)
|
||||
throw new ApplicationException("Could not decrypt integer");
|
||||
decrypted[i] = (byte)result;
|
||||
}
|
||||
|
||||
return Encoding.Unicode.GetString(decrypted);
|
||||
}
|
||||
|
||||
bool findPolyStartEndIndexes(out int startIndex, out int endIndex) {
|
||||
startIndex = 0;
|
||||
endIndex = 0;
|
||||
|
||||
var local = findLocal(stringDecrypter.decryptMethod);
|
||||
if (local == null)
|
||||
return false;
|
||||
|
||||
if ((endIndex = findEndIndex(stringDecrypter.decryptMethod)) < 0)
|
||||
return false;
|
||||
|
||||
if ((startIndex = findStartIndex(stringDecrypter.decryptMethod, endIndex)) < 0)
|
||||
return false;
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
static VariableDefinition findLocal(MethodDefinition method) {
|
||||
var instrs = method.Body.Instructions;
|
||||
for (int i = 0; i < instrs.Count - 3; i++) {
|
||||
if (instrs[i].OpCode.Code != Code.And)
|
||||
continue;
|
||||
if (instrs[i + 1].OpCode.Code != Code.Shl)
|
||||
continue;
|
||||
if (instrs[i + 2].OpCode.Code != Code.Or)
|
||||
continue;
|
||||
if (!DotNetUtils.isStloc(instrs[i + 3]))
|
||||
continue;
|
||||
return DotNetUtils.getLocalVar(method.Body.Variables, instrs[i + 3]);
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
static int findEndIndex(MethodDefinition method) {
|
||||
var instrs = method.Body.Instructions;
|
||||
for (int i = 0; i < instrs.Count - 5; i++) {
|
||||
if (instrs[i].OpCode.Code != Code.Conv_U1)
|
||||
continue;
|
||||
if (instrs[i + 1].OpCode.Code != Code.Stelem_I1)
|
||||
continue;
|
||||
if (!DotNetUtils.isLdloc(instrs[i + 2]))
|
||||
continue;
|
||||
if (!DotNetUtils.isLdcI4(instrs[i + 3]))
|
||||
continue;
|
||||
if (instrs[i + 4].OpCode.Code != Code.Add)
|
||||
continue;
|
||||
if (!DotNetUtils.isStloc(instrs[i + 5]))
|
||||
continue;
|
||||
return i;
|
||||
}
|
||||
return -1;
|
||||
}
|
||||
|
||||
static int findStartIndex(MethodDefinition method, int endIndex) {
|
||||
var instrs = method.Body.Instructions;
|
||||
for (int i = endIndex; i >= 0; i--) {
|
||||
var instr = instrs[i];
|
||||
if (instr.OpCode.FlowControl != FlowControl.Next)
|
||||
break;
|
||||
if (instr.OpCode.Code == Code.Conv_I8)
|
||||
return i;
|
||||
}
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
class PolyConstantsReader : ConstantsReader {
|
||||
long arg;
|
||||
|
||||
public long Arg {
|
||||
get { return arg; }
|
||||
set { arg = value; }
|
||||
}
|
||||
|
||||
public PolyConstantsReader(IList<Instruction> instrs, bool emulateConvInstrs)
|
||||
: base(instrs, emulateConvInstrs) {
|
||||
}
|
||||
|
||||
protected override bool processInstructionInt64(ref int index, Stack<ConstantInfo<long>> stack) {
|
||||
int i = index;
|
||||
|
||||
if (DotNetUtils.isLdloc(instructions[i])) {
|
||||
i++;
|
||||
if (i >= instructions.Count)
|
||||
return false;
|
||||
}
|
||||
var callvirt = instructions[i];
|
||||
if (callvirt.OpCode.Code != Code.Callvirt)
|
||||
return false;
|
||||
var calledMethod = callvirt.Operand as MethodReference;
|
||||
if (calledMethod == null || calledMethod.FullName != "System.Int64 System.IO.BinaryReader::ReadInt64()")
|
||||
return false;
|
||||
|
||||
stack.Push(new ConstantInfo<long>(index, arg));
|
||||
index = i + 1;
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
public EmbeddedResource Resource {
|
||||
get { return resource; }
|
||||
|
@ -51,7 +284,6 @@ namespace de4dot.code.deobfuscators.Confuser {
|
|||
static string[] requiredLocals = new string[] {
|
||||
"System.Byte[]",
|
||||
"System.IO.BinaryReader",
|
||||
"System.Random",
|
||||
"System.Reflection.Assembly",
|
||||
};
|
||||
public void find(ISimpleDeobfuscator simpleDeobfuscator) {
|
||||
|
@ -63,7 +295,8 @@ namespace de4dot.code.deobfuscators.Confuser {
|
|||
continue;
|
||||
if (!DotNetUtils.isMethod(method, "System.String", "(System.Int32)"))
|
||||
continue;
|
||||
if (!new LocalTypes(method).all(requiredLocals))
|
||||
var localTypes = new LocalTypes(method);
|
||||
if (!localTypes.all(requiredLocals))
|
||||
continue;
|
||||
|
||||
simpleDeobfuscator.deobfuscate(method);
|
||||
|
@ -76,6 +309,12 @@ namespace de4dot.code.deobfuscators.Confuser {
|
|||
if (!findMagic2(method, out magic2))
|
||||
continue;
|
||||
|
||||
if (!localTypes.exists("System.Random"))
|
||||
version = ConfuserVersion.v11_r49299;
|
||||
else if (localTypes.exists("System.Collections.Generic.Dictionary`2<System.Int32,System.String>"))
|
||||
version = ConfuserVersion.v10_r48832;
|
||||
else
|
||||
version = ConfuserVersion.v10_r42915;
|
||||
resource = tmpResource;
|
||||
decryptMethod = method;
|
||||
break;
|
||||
|
@ -143,19 +382,27 @@ namespace de4dot.code.deobfuscators.Confuser {
|
|||
if (decryptMethod == null)
|
||||
return;
|
||||
reader = new BinaryReader(new MemoryStream(DeobUtils.inflate(resource.GetResourceData(), true)));
|
||||
|
||||
switch (version) {
|
||||
case ConfuserVersion.v10_r42915:
|
||||
decrypter = new Decrypter_v10_r42915(this);
|
||||
break;
|
||||
|
||||
case ConfuserVersion.v10_r48832:
|
||||
decrypter = new Decrypter_v10_r48832(this);
|
||||
break;
|
||||
|
||||
case ConfuserVersion.v11_r49299:
|
||||
decrypter = new Decrypter_v11_r49299(this);
|
||||
break;
|
||||
|
||||
default:
|
||||
throw new ApplicationException("Invalid version");
|
||||
}
|
||||
}
|
||||
|
||||
public string decrypt(MethodDefinition caller, int magic) {
|
||||
reader.BaseStream.Position = (caller.MetadataToken.ToInt32() ^ magic) - magic1;
|
||||
var bytes = reader.ReadBytes(reader.ReadInt32() ^ (int)~magic2);
|
||||
var rand = new Random(caller.MetadataToken.ToInt32());
|
||||
int mask = 0;
|
||||
for (int i = 0; i < bytes.Length; i++) {
|
||||
byte b = bytes[i];
|
||||
bytes[i] = (byte)(b ^ (rand.Next() & mask));
|
||||
mask += b;
|
||||
}
|
||||
return Encoding.UTF8.GetString(bytes);
|
||||
return decrypter.decrypt(caller, magic);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
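Review bot: The decoded `len` is used without a range check in all three new `decrypt` overrides: it goes straight into `new byte[len]` in `Decrypter_v10_r48832` and `Decrypter_v11_r49299`, and into `reader.ReadBytes(len)` in `Decrypter_v10_r42915`. The value comes from the inflated resource of the assembly being analysed, so it should be treated as untrusted input; a negative value surfaces as an unrelated runtime exception, and a very large one forces a large allocation before any string data has been read. A guard directly after each `ReadInt32()` line would bound it by what the stream can still supply: `if (len < 0 || len > reader.BaseStream.Length - reader.BaseStream.Position) throw new ApplicationException("Invalid string length");`. The computed `reader.BaseStream.Position` has the same origin and would benefit from the same kind of check. Separately, `StringDecrypter.decrypt` now dereferences `decrypter`, which appears to stay null when the initialising method returns early on `decryptMethod == null`; that method starts outside the hunk, so confirm that callers never reach `decrypt` in that state.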