Support EF 3.3.149
This commit is contained in:
parent
2d583316cf
commit
553337adb7
|
@ -140,6 +140,7 @@
|
||||||
<Compile Include="deobfuscators\dotNET_Reactor\v3\DecryptMethod.cs" />
|
<Compile Include="deobfuscators\dotNET_Reactor\v3\DecryptMethod.cs" />
|
||||||
<Compile Include="deobfuscators\dotNET_Reactor\v3\MemoryPatcher.cs" />
|
<Compile Include="deobfuscators\dotNET_Reactor\v3\MemoryPatcher.cs" />
|
||||||
<Compile Include="deobfuscators\Eazfuscator_NET\AssemblyResolver.cs" />
|
<Compile Include="deobfuscators\Eazfuscator_NET\AssemblyResolver.cs" />
|
||||||
|
<Compile Include="deobfuscators\Eazfuscator_NET\ConstantsReader.cs" />
|
||||||
<Compile Include="deobfuscators\Eazfuscator_NET\DecrypterType.cs" />
|
<Compile Include="deobfuscators\Eazfuscator_NET\DecrypterType.cs" />
|
||||||
<Compile Include="deobfuscators\Eazfuscator_NET\Deobfuscator.cs" />
|
<Compile Include="deobfuscators\Eazfuscator_NET\Deobfuscator.cs" />
|
||||||
<Compile Include="deobfuscators\Eazfuscator_NET\EfUtils.cs" />
|
<Compile Include="deobfuscators\Eazfuscator_NET\EfUtils.cs" />
|
||||||
|
|
220
de4dot.code/deobfuscators/Eazfuscator_NET/ConstantsReader.cs
Normal file
220
de4dot.code/deobfuscators/Eazfuscator_NET/ConstantsReader.cs
Normal file
|
@ -0,0 +1,220 @@
|
||||||
|
/*
|
||||||
|
Copyright (C) 2011-2012 de4dot@gmail.com
|
||||||
|
|
||||||
|
This file is part of de4dot.
|
||||||
|
|
||||||
|
de4dot is free software: you can redistribute it and/or modify
|
||||||
|
it under the terms of the GNU General Public License as published by
|
||||||
|
the Free Software Foundation, either version 3 of the License, or
|
||||||
|
(at your option) any later version.
|
||||||
|
|
||||||
|
de4dot is distributed in the hope that it will be useful,
|
||||||
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
GNU General Public License for more details.
|
||||||
|
|
||||||
|
You should have received a copy of the GNU General Public License
|
||||||
|
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*/
|
||||||
|
|
||||||
|
using System.Collections.Generic;
|
||||||
|
using Mono.Cecil;
|
||||||
|
using Mono.Cecil.Cil;
|
||||||
|
using Mono.Cecil.Metadata;
|
||||||
|
using de4dot.blocks;
|
||||||
|
|
||||||
|
namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
|
class ConstantsReader {
|
||||||
|
IList<Instruction> instructions;
|
||||||
|
IList<VariableDefinition> locals;
|
||||||
|
Dictionary<VariableDefinition, int> localsValues = new Dictionary<VariableDefinition, int>();
|
||||||
|
|
||||||
|
public ConstantsReader(MethodDefinition method) {
|
||||||
|
instructions = method.Body.Instructions;
|
||||||
|
locals = method.Body.Variables;
|
||||||
|
initialize();
|
||||||
|
}
|
||||||
|
|
||||||
|
void initialize() {
|
||||||
|
findConstants();
|
||||||
|
}
|
||||||
|
|
||||||
|
void findConstants() {
|
||||||
|
for (int index = 0; index < instructions.Count; ) {
|
||||||
|
int value;
|
||||||
|
if (!getInt32(ref index, out value))
|
||||||
|
break;
|
||||||
|
var stloc = instructions[index];
|
||||||
|
if (!DotNetUtils.isStloc(stloc))
|
||||||
|
break;
|
||||||
|
var local = DotNetUtils.getLocalVar(locals, stloc);
|
||||||
|
if (local == null || local.VariableType.EType != ElementType.I4)
|
||||||
|
break;
|
||||||
|
localsValues[local] = value;
|
||||||
|
index++;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (localsValues.Count != 2)
|
||||||
|
localsValues.Clear();
|
||||||
|
}
|
||||||
|
|
||||||
|
public bool getNextInt32(ref int index, out int val) {
|
||||||
|
for (; index < instructions.Count; index++) {
|
||||||
|
var instr = instructions[index];
|
||||||
|
if (!isLoadConstant(instr))
|
||||||
|
continue;
|
||||||
|
|
||||||
|
return getInt32(ref index, out val);
|
||||||
|
}
|
||||||
|
|
||||||
|
val = 0;
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
public bool isLoadConstant(Instruction instr) {
|
||||||
|
if (DotNetUtils.isLdcI4(instr))
|
||||||
|
return true;
|
||||||
|
if (!DotNetUtils.isLdloc(instr))
|
||||||
|
return false;
|
||||||
|
int tmp;
|
||||||
|
return getLocalConstant(instr, out tmp);
|
||||||
|
}
|
||||||
|
|
||||||
|
public bool getInt16(ref int index, out short val) {
|
||||||
|
int tmp;
|
||||||
|
if (!getInt32(ref index, out tmp)) {
|
||||||
|
val = 0;
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
val = (short)tmp;
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
public bool getInt32(ref int index, out int val) {
|
||||||
|
val = 0;
|
||||||
|
if (index >= instructions.Count)
|
||||||
|
return false;
|
||||||
|
|
||||||
|
var stack = new Stack<int>();
|
||||||
|
|
||||||
|
int op1;
|
||||||
|
for (; index < instructions.Count; index++) {
|
||||||
|
var instr = instructions[index];
|
||||||
|
switch (instr.OpCode.Code) {
|
||||||
|
case Code.Conv_I1:
|
||||||
|
if (stack.Count < 1)
|
||||||
|
goto done;
|
||||||
|
stack.Push((sbyte)stack.Pop());
|
||||||
|
break;
|
||||||
|
|
||||||
|
case Code.Conv_U1:
|
||||||
|
if (stack.Count < 1)
|
||||||
|
goto done;
|
||||||
|
stack.Push((byte)stack.Pop());
|
||||||
|
break;
|
||||||
|
|
||||||
|
case Code.Conv_I2:
|
||||||
|
if (stack.Count < 1)
|
||||||
|
goto done;
|
||||||
|
stack.Push((short)stack.Pop());
|
||||||
|
break;
|
||||||
|
|
||||||
|
case Code.Conv_U2:
|
||||||
|
if (stack.Count < 1)
|
||||||
|
goto done;
|
||||||
|
stack.Push((ushort)stack.Pop());
|
||||||
|
break;
|
||||||
|
|
||||||
|
case Code.Conv_I4:
|
||||||
|
case Code.Conv_U4:
|
||||||
|
break;
|
||||||
|
|
||||||
|
case Code.Not:
|
||||||
|
stack.Push(~stack.Pop());
|
||||||
|
break;
|
||||||
|
|
||||||
|
case Code.Neg:
|
||||||
|
stack.Push(-stack.Pop());
|
||||||
|
break;
|
||||||
|
|
||||||
|
case Code.Ldloc:
|
||||||
|
case Code.Ldloc_S:
|
||||||
|
case Code.Ldloc_0:
|
||||||
|
case Code.Ldloc_1:
|
||||||
|
case Code.Ldloc_2:
|
||||||
|
case Code.Ldloc_3:
|
||||||
|
if (!getLocalConstant(instr, out op1))
|
||||||
|
goto done;
|
||||||
|
stack.Push(op1);
|
||||||
|
break;
|
||||||
|
|
||||||
|
case Code.Ldc_I4:
|
||||||
|
case Code.Ldc_I4_S:
|
||||||
|
case Code.Ldc_I4_0:
|
||||||
|
case Code.Ldc_I4_1:
|
||||||
|
case Code.Ldc_I4_2:
|
||||||
|
case Code.Ldc_I4_3:
|
||||||
|
case Code.Ldc_I4_4:
|
||||||
|
case Code.Ldc_I4_5:
|
||||||
|
case Code.Ldc_I4_6:
|
||||||
|
case Code.Ldc_I4_7:
|
||||||
|
case Code.Ldc_I4_8:
|
||||||
|
case Code.Ldc_I4_M1:
|
||||||
|
stack.Push(DotNetUtils.getLdcI4Value(instr));
|
||||||
|
break;
|
||||||
|
|
||||||
|
case Code.Add:
|
||||||
|
if (stack.Count < 2)
|
||||||
|
goto done;
|
||||||
|
stack.Push(stack.Pop() + stack.Pop());
|
||||||
|
break;
|
||||||
|
|
||||||
|
case Code.Sub:
|
||||||
|
if (stack.Count < 2)
|
||||||
|
goto done;
|
||||||
|
stack.Push(-(stack.Pop() - stack.Pop()));
|
||||||
|
break;
|
||||||
|
|
||||||
|
case Code.Xor:
|
||||||
|
if (stack.Count < 2)
|
||||||
|
goto done;
|
||||||
|
stack.Push(stack.Pop() ^ stack.Pop());
|
||||||
|
break;
|
||||||
|
|
||||||
|
case Code.Or:
|
||||||
|
if (stack.Count < 2)
|
||||||
|
goto done;
|
||||||
|
stack.Push(stack.Pop() | stack.Pop());
|
||||||
|
break;
|
||||||
|
|
||||||
|
case Code.And:
|
||||||
|
if (stack.Count < 2)
|
||||||
|
goto done;
|
||||||
|
stack.Push(stack.Pop() & stack.Pop());
|
||||||
|
break;
|
||||||
|
|
||||||
|
default:
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
done:
|
||||||
|
if (stack.Count == 0)
|
||||||
|
return false;
|
||||||
|
while (stack.Count > 1)
|
||||||
|
stack.Pop();
|
||||||
|
val = stack.Pop();
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
bool getLocalConstant(Instruction instr, out int value) {
|
||||||
|
value = 0;
|
||||||
|
var local = DotNetUtils.getLocalVar(locals, instr);
|
||||||
|
if (local == null)
|
||||||
|
return false;
|
||||||
|
if (local.VariableType.EType != ElementType.I4)
|
||||||
|
return false;
|
||||||
|
return localsValues.TryGetValue(local, out value);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
@ -27,6 +27,7 @@ using de4dot.blocks;
|
||||||
namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
class DecrypterType {
|
class DecrypterType {
|
||||||
ModuleDefinition module;
|
ModuleDefinition module;
|
||||||
|
ISimpleDeobfuscator simpleDeobfuscator;
|
||||||
TypeDefinition type;
|
TypeDefinition type;
|
||||||
MethodDefinition int64Method;
|
MethodDefinition int64Method;
|
||||||
bool initialized;
|
bool initialized;
|
||||||
|
@ -49,8 +50,9 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
get { return type != null; }
|
get { return type != null; }
|
||||||
}
|
}
|
||||||
|
|
||||||
public DecrypterType(ModuleDefinition module) {
|
public DecrypterType(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator) {
|
||||||
this.module = module;
|
this.module = module;
|
||||||
|
this.simpleDeobfuscator = simpleDeobfuscator;
|
||||||
}
|
}
|
||||||
|
|
||||||
public bool initialize() {
|
public bool initialize() {
|
||||||
|
@ -77,7 +79,55 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
bool initializeEfConstMethods() {
|
bool initializeEfConstMethods() {
|
||||||
if (type == null)
|
if (type == null)
|
||||||
return false;
|
return false;
|
||||||
foreach (var instr in int64Method.Body.Instructions) {
|
|
||||||
|
efConstMethods = new MethodDefinition[6];
|
||||||
|
|
||||||
|
efConstMethods[0] = findEfConstMethodCall(int64Method);
|
||||||
|
efConstMethods[5] = findEfConstMethodCall(efConstMethods[0]);
|
||||||
|
efConstMethods[4] = findEfConstMethodCall(efConstMethods[5]);
|
||||||
|
var calls = findEfConstMethodCalls(efConstMethods[4]);
|
||||||
|
if (calls.Count != 2)
|
||||||
|
return false;
|
||||||
|
if (getNumberOfTypeofs(calls[0]) == 3) {
|
||||||
|
efConstMethods[2] = calls[0];
|
||||||
|
efConstMethods[1] = calls[1];
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
efConstMethods[2] = calls[0];
|
||||||
|
efConstMethods[1] = calls[1];
|
||||||
|
}
|
||||||
|
efConstMethods[3] = findEfConstMethodCall(efConstMethods[1]);
|
||||||
|
|
||||||
|
foreach (var m in efConstMethods) {
|
||||||
|
if (m == null)
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
static int getNumberOfTypeofs(MethodDefinition method) {
|
||||||
|
if (method == null)
|
||||||
|
return 0;
|
||||||
|
int count = 0;
|
||||||
|
foreach (var instr in method.Body.Instructions) {
|
||||||
|
if (instr.OpCode.Code == Code.Ldtoken)
|
||||||
|
count++;
|
||||||
|
}
|
||||||
|
return count;
|
||||||
|
}
|
||||||
|
|
||||||
|
MethodDefinition findEfConstMethodCall(MethodDefinition method) {
|
||||||
|
var list = findEfConstMethodCalls(method);
|
||||||
|
if (list == null || list.Count != 1)
|
||||||
|
return null;
|
||||||
|
return list[0];
|
||||||
|
}
|
||||||
|
|
||||||
|
List<MethodDefinition> findEfConstMethodCalls(MethodDefinition method) {
|
||||||
|
if (method == null)
|
||||||
|
return null;
|
||||||
|
var list = new List<MethodDefinition>();
|
||||||
|
foreach (var instr in method.Body.Instructions) {
|
||||||
if (instr.OpCode.Code != Code.Call)
|
if (instr.OpCode.Code != Code.Call)
|
||||||
continue;
|
continue;
|
||||||
var calledMethod = instr.Operand as MethodDefinition;
|
var calledMethod = instr.Operand as MethodDefinition;
|
||||||
|
@ -85,40 +135,12 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
continue;
|
continue;
|
||||||
if (!DotNetUtils.isMethod(calledMethod, "System.Int32", "()"))
|
if (!DotNetUtils.isMethod(calledMethod, "System.Int32", "()"))
|
||||||
continue;
|
continue;
|
||||||
int index = type.NestedTypes.IndexOf(calledMethod.DeclaringType);
|
if (type.NestedTypes.IndexOf(calledMethod.DeclaringType) < 0)
|
||||||
if (index < 0)
|
|
||||||
continue;
|
|
||||||
if (!initializeEfConstMethods(index))
|
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
return true;
|
list.Add(calledMethod);
|
||||||
}
|
}
|
||||||
|
return list;
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
bool initializeEfConstMethods(int index) {
|
|
||||||
efConstMethods = new MethodDefinition[6];
|
|
||||||
for (int i = 0; i < efConstMethods.Length; i++) {
|
|
||||||
var constMethod = getEfConstMethod(type.NestedTypes[index++]);
|
|
||||||
if (constMethod == null)
|
|
||||||
return false;
|
|
||||||
efConstMethods[i] = constMethod;
|
|
||||||
}
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
|
|
||||||
MethodDefinition getEfConstMethod(TypeDefinition nestedType) {
|
|
||||||
foreach (var method in nestedType.Methods) {
|
|
||||||
if (!method.IsStatic || method.Body == null)
|
|
||||||
continue;
|
|
||||||
if (!DotNetUtils.isMethod(method, "System.Int32", "()"))
|
|
||||||
continue;
|
|
||||||
|
|
||||||
return method;
|
|
||||||
}
|
|
||||||
|
|
||||||
return null;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
MethodDefinition findInt64Method() {
|
MethodDefinition findInt64Method() {
|
||||||
|
@ -176,6 +198,8 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
var methods = getBinaryIntMethods(nestedType);
|
var methods = getBinaryIntMethods(nestedType);
|
||||||
if (methods.Count < 3)
|
if (methods.Count < 3)
|
||||||
continue;
|
continue;
|
||||||
|
foreach (var m in methods)
|
||||||
|
simpleDeobfuscator.deobfuscate(m);
|
||||||
if (!findMethod1Int(methods))
|
if (!findMethod1Int(methods))
|
||||||
continue;
|
continue;
|
||||||
if (!findMethod2Int(methods))
|
if (!findMethod2Int(methods))
|
||||||
|
@ -259,12 +283,13 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
|
|
||||||
int index = 0;
|
int index = 0;
|
||||||
var instrs = method.Body.Instructions;
|
var instrs = method.Body.Instructions;
|
||||||
|
var constantsReader = new ConstantsReader(method);
|
||||||
while (true) {
|
while (true) {
|
||||||
int val;
|
int val;
|
||||||
if (!EfUtils.getNextInt32(method, ref index, out val))
|
if (!constantsReader.getNextInt32(ref index, out val))
|
||||||
break;
|
break;
|
||||||
|
|
||||||
if (index + 1 < instrs.Count && instrs[index].OpCode.Code != Code.Ret)
|
if (index < instrs.Count && instrs[index].OpCode.Code != Code.Ret)
|
||||||
list.Add(val);
|
list.Add(val);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -91,7 +91,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
}
|
}
|
||||||
|
|
||||||
protected override void scanForObfuscator() {
|
protected override void scanForObfuscator() {
|
||||||
decrypterType = new DecrypterType(module);
|
decrypterType = new DecrypterType(module, DeobfuscatedFile);
|
||||||
stringDecrypter = new StringDecrypter(module, decrypterType);
|
stringDecrypter = new StringDecrypter(module, decrypterType);
|
||||||
stringDecrypter.find();
|
stringDecrypter.find();
|
||||||
assemblyResolver = new AssemblyResolver(module, decrypterType);
|
assemblyResolver = new AssemblyResolver(module, decrypterType);
|
||||||
|
|
|
@ -24,105 +24,72 @@ using de4dot.blocks;
|
||||||
|
|
||||||
namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
static class EfUtils {
|
static class EfUtils {
|
||||||
public static int indexOfPreviousLdci4Instruction(MethodDefinition method, int index) {
|
public static int findOpCodeIndex(MethodDefinition method, int index, Code code) {
|
||||||
var instrs = method.Body.Instructions;
|
|
||||||
for (int i = index; i >= 0; i--) {
|
|
||||||
var instr = instrs[i];
|
|
||||||
if (DotNetUtils.isLdcI4(instr))
|
|
||||||
return i;
|
|
||||||
}
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
public static int indexOfNextLdci4Instruction(MethodDefinition method, int index) {
|
|
||||||
if (index < 0)
|
|
||||||
return -1;
|
|
||||||
var instrs = method.Body.Instructions;
|
|
||||||
for (int i = index; i < instrs.Count; i++) {
|
|
||||||
var instr = instrs[i];
|
|
||||||
if (DotNetUtils.isLdcI4(instr))
|
|
||||||
return i;
|
|
||||||
}
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
public static bool getNextInt32(MethodDefinition method, ref int index, out int val) {
|
|
||||||
for (; index < method.Body.Instructions.Count; index++) {
|
for (; index < method.Body.Instructions.Count; index++) {
|
||||||
var instr = method.Body.Instructions[index];
|
var instr = method.Body.Instructions[index];
|
||||||
if (instr.OpCode.Code != Code.Ldc_I4_S && instr.OpCode.Code != Code.Ldc_I4)
|
if (instr.OpCode.Code != code)
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
return getInt32(method, ref index, out val);
|
return index;
|
||||||
}
|
}
|
||||||
|
return -1;
|
||||||
val = 0;
|
|
||||||
return false;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public static bool getInt16(MethodDefinition method, ref int index, ref short s) {
|
public static int findOpCodeIndex(MethodDefinition method, int index, Code code, string operandString) {
|
||||||
int val;
|
while (index < method.Body.Instructions.Count) {
|
||||||
if (!getInt32(method, ref index, out val))
|
index = findOpCodeIndex(method, index, code);
|
||||||
return false;
|
if (index < 0)
|
||||||
s = (short)val;
|
break;
|
||||||
return true;
|
var instr = method.Body.Instructions[index];
|
||||||
|
if (instr.Operand.ToString() == operandString)
|
||||||
|
return index;
|
||||||
|
|
||||||
|
index++;
|
||||||
|
}
|
||||||
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
public static bool getInt32(MethodDefinition method, ref int index, out int val) {
|
public static Instruction getNextStore(MethodDefinition method, ref int index) {
|
||||||
val = 0;
|
for (; index < method.Body.Instructions.Count; index++) {
|
||||||
var instrs = method.Body.Instructions;
|
var instr = method.Body.Instructions[index];
|
||||||
if (index >= instrs.Count)
|
|
||||||
return false;
|
|
||||||
var ldci4 = instrs[index];
|
|
||||||
if (ldci4.OpCode.Code != Code.Ldc_I4_S && ldci4.OpCode.Code != Code.Ldc_I4)
|
|
||||||
return false;
|
|
||||||
|
|
||||||
var stack = new Stack<int>();
|
|
||||||
stack.Push(DotNetUtils.getLdcI4Value(ldci4));
|
|
||||||
|
|
||||||
index++;
|
|
||||||
for (; index < instrs.Count; index++) {
|
|
||||||
int l = stack.Count - 1;
|
|
||||||
|
|
||||||
var instr = instrs[index];
|
|
||||||
switch (instr.OpCode.Code) {
|
switch (instr.OpCode.Code) {
|
||||||
case Code.Not:
|
case Code.Starg:
|
||||||
stack.Push(~stack.Pop());
|
case Code.Starg_S:
|
||||||
break;
|
case Code.Stelem_Any:
|
||||||
|
case Code.Stelem_I:
|
||||||
case Code.Neg:
|
case Code.Stelem_I1:
|
||||||
stack.Push(-stack.Pop());
|
case Code.Stelem_I2:
|
||||||
break;
|
case Code.Stelem_I4:
|
||||||
|
case Code.Stelem_I8:
|
||||||
case Code.Ldc_I4:
|
case Code.Stelem_R4:
|
||||||
case Code.Ldc_I4_S:
|
case Code.Stelem_R8:
|
||||||
case Code.Ldc_I4_0:
|
case Code.Stelem_Ref:
|
||||||
case Code.Ldc_I4_1:
|
case Code.Stfld:
|
||||||
case Code.Ldc_I4_2:
|
case Code.Stind_I:
|
||||||
case Code.Ldc_I4_3:
|
case Code.Stind_I1:
|
||||||
case Code.Ldc_I4_4:
|
case Code.Stind_I2:
|
||||||
case Code.Ldc_I4_5:
|
case Code.Stind_I4:
|
||||||
case Code.Ldc_I4_6:
|
case Code.Stind_I8:
|
||||||
case Code.Ldc_I4_7:
|
case Code.Stind_R4:
|
||||||
case Code.Ldc_I4_8:
|
case Code.Stind_R8:
|
||||||
case Code.Ldc_I4_M1:
|
case Code.Stind_Ref:
|
||||||
stack.Push(DotNetUtils.getLdcI4Value(instr));
|
case Code.Stloc:
|
||||||
break;
|
case Code.Stloc_0:
|
||||||
|
case Code.Stloc_1:
|
||||||
case Code.Xor:
|
case Code.Stloc_2:
|
||||||
if (stack.Count < 2)
|
case Code.Stloc_3:
|
||||||
goto done;
|
case Code.Stloc_S:
|
||||||
stack.Push(stack.Pop() ^ stack.Pop());
|
case Code.Stobj:
|
||||||
break;
|
case Code.Stsfld:
|
||||||
|
return instr;
|
||||||
default:
|
|
||||||
goto done;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (instr.OpCode.FlowControl != FlowControl.Next)
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
done:
|
|
||||||
while (stack.Count > 1)
|
return null;
|
||||||
stack.Pop();
|
|
||||||
val = stack.Pop();
|
|
||||||
return true;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public static MethodDefinition getResolveMethod(MethodDefinition method) {
|
public static MethodDefinition getResolveMethod(MethodDefinition method) {
|
||||||
|
|
|
@ -36,6 +36,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
int i1, i2, i3, i4, i5, i6;
|
int i1, i2, i3, i4, i5, i6;
|
||||||
bool checkMinus2;
|
bool checkMinus2;
|
||||||
bool usePublicKeyToken;
|
bool usePublicKeyToken;
|
||||||
|
bool hasStringBuilder;
|
||||||
int keyLen;
|
int keyLen;
|
||||||
byte[] theKey;
|
byte[] theKey;
|
||||||
int magic1;
|
int magic1;
|
||||||
|
@ -44,6 +45,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
BinaryReader reader;
|
BinaryReader reader;
|
||||||
DecrypterType decrypterType;
|
DecrypterType decrypterType;
|
||||||
StreamHelperType streamHelperType;
|
StreamHelperType streamHelperType;
|
||||||
|
ConstantsReader stringMethodConsts;
|
||||||
bool isV32OrLater;
|
bool isV32OrLater;
|
||||||
|
|
||||||
class StreamHelperType {
|
class StreamHelperType {
|
||||||
|
@ -217,25 +219,27 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
}
|
}
|
||||||
|
|
||||||
bool findConstants(ISimpleDeobfuscator simpleDeobfuscator) {
|
bool findConstants(ISimpleDeobfuscator simpleDeobfuscator) {
|
||||||
|
simpleDeobfuscator.deobfuscate(stringMethod);
|
||||||
|
stringMethodConsts = new ConstantsReader(stringMethod);
|
||||||
|
|
||||||
if (!findResource(stringMethod))
|
if (!findResource(stringMethod))
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
simpleDeobfuscator.deobfuscate(stringMethod);
|
hasStringBuilder = new LocalTypes(stringMethod).exists("System.Text.StringBuilder");
|
||||||
|
checkMinus2 = isV32OrLater || DeobUtils.hasInteger(stringMethod, -2);
|
||||||
checkMinus2 = DeobUtils.hasInteger(stringMethod, -2);
|
|
||||||
usePublicKeyToken = callsGetPublicKeyToken(stringMethod);
|
usePublicKeyToken = callsGetPublicKeyToken(stringMethod);
|
||||||
|
|
||||||
var int64Method = findInt64Method(stringMethod);
|
var int64Method = findInt64Method(stringMethod);
|
||||||
if (int64Method != null)
|
if (int64Method != null)
|
||||||
decrypterType.Type = int64Method.DeclaringType;
|
decrypterType.Type = int64Method.DeclaringType;
|
||||||
|
|
||||||
if (!findShorts(stringMethod))
|
if (!findShorts())
|
||||||
return false;
|
return false;
|
||||||
if (!findInt3(stringMethod))
|
if (!findInt3())
|
||||||
return false;
|
return false;
|
||||||
if (!findInt4(stringMethod))
|
if (!findInt4())
|
||||||
return false;
|
return false;
|
||||||
if (checkMinus2 && !findInt5(stringMethod))
|
if (checkMinus2 && !findInt5())
|
||||||
return false;
|
return false;
|
||||||
dataDecrypterType = findDataDecrypterType(stringMethod);
|
dataDecrypterType = findDataDecrypterType(stringMethod);
|
||||||
if (dataDecrypterType == null)
|
if (dataDecrypterType == null)
|
||||||
|
@ -243,7 +247,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
|
|
||||||
if (isV32OrLater) {
|
if (isV32OrLater) {
|
||||||
bool initializedAll;
|
bool initializedAll;
|
||||||
if (!findInts(stringMethod, out initializedAll))
|
if (!findInts(out initializedAll))
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
var cctor = DotNetUtils.getMethod(stringType, ".cctor");
|
var cctor = DotNetUtils.getMethod(stringType, ".cctor");
|
||||||
|
@ -264,49 +268,116 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
}
|
}
|
||||||
|
|
||||||
void initializeFlags() {
|
void initializeFlags() {
|
||||||
if (!isV32OrLater || !DeobUtils.hasInteger(stringMethod, 0xFFFFFFF)) {
|
if (!isV32OrLater) {
|
||||||
// <= 3.3.134
|
|
||||||
rldFlag = 0x40000000;
|
rldFlag = 0x40000000;
|
||||||
bytesFlag = 0x80000000;
|
bytesFlag = 0x80000000;
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
// 3.3.136+
|
|
||||||
var instrs = stringMethod.Body.Instructions;
|
var instrs = stringMethod.Body.Instructions;
|
||||||
for (int i = 0; i < instrs.Count; i++) {
|
for (int i = 0; i < instrs.Count; i++) {
|
||||||
var ldci4 = instrs[i];
|
var ldci4 = instrs[i];
|
||||||
if (!DotNetUtils.isLdcI4(ldci4))
|
if (!stringMethodConsts.isLoadConstant(ldci4))
|
||||||
continue;
|
continue;
|
||||||
if (DotNetUtils.getLdcI4Value(ldci4) != 0xFFFFFFF)
|
int index = i, tmp;
|
||||||
|
if (!stringMethodConsts.getInt32(ref index, out tmp) || !isFlagsMask(tmp))
|
||||||
continue;
|
continue;
|
||||||
if (findFlags(stringMethod, i))
|
if (findFlags(i))
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
throw new ApplicationException("Could not find string decrypter flags");
|
throw new ApplicationException("Could not find string decrypter flags");
|
||||||
}
|
}
|
||||||
|
|
||||||
bool findFlags(MethodDefinition method, int index) {
|
static bool isFlagsMask(int value) {
|
||||||
var flags = new List<uint>(3);
|
return value == 0x1FFFFFFF || value == 0x0FFFFFFF;
|
||||||
|
}
|
||||||
|
|
||||||
|
class FlagsInfo {
|
||||||
|
public VariableDefinition Local { get; set; }
|
||||||
|
public uint Value { get; set; }
|
||||||
|
public int Offset { get; set; }
|
||||||
|
public FlagsInfo(VariableDefinition local, uint value, int offset) {
|
||||||
|
Local = local;
|
||||||
|
Value = value;
|
||||||
|
Offset = offset;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
bool findFlags(int index) {
|
||||||
|
var flags = findFlags2(index);
|
||||||
|
if (flags == null)
|
||||||
|
return false;
|
||||||
|
|
||||||
|
flags.Sort((a, b) => Utils.compareInt32(a.Offset, b.Offset));
|
||||||
|
|
||||||
|
rldFlag = flags[0].Value;
|
||||||
|
bytesFlag = flags[1].Value;
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
List<FlagsInfo> findFlags2(int index) {
|
||||||
|
var flags = new List<FlagsInfo>(3);
|
||||||
for (int i = index - 1; i >= 0; i--) {
|
for (int i = index - 1; i >= 0; i--) {
|
||||||
var instr = method.Body.Instructions[i];
|
var instr = stringMethod.Body.Instructions[i];
|
||||||
if (instr.OpCode.FlowControl != FlowControl.Next)
|
if (instr.OpCode.FlowControl != FlowControl.Next)
|
||||||
break;
|
break;
|
||||||
if (!DotNetUtils.isLdcI4(instr))
|
if (!stringMethodConsts.isLoadConstant(instr))
|
||||||
continue;
|
continue;
|
||||||
uint value = (uint)DotNetUtils.getLdcI4Value(instr);
|
int index2 = i, value;
|
||||||
if (value != 0x80000000 && value != 0x40000000 && value != 0x20000000)
|
if (!stringMethodConsts.getInt32(ref index2, out value))
|
||||||
continue;
|
continue;
|
||||||
flags.Add(value);
|
if ((uint)value != 0x80000000 && value != 0x40000000 && value != 0x20000000)
|
||||||
|
continue;
|
||||||
|
var local = getFlagsLocal(stringMethod, index2);
|
||||||
|
if (local == null)
|
||||||
|
continue;
|
||||||
|
int offset = getFlagsOffset(stringMethod, index2, local);
|
||||||
|
if (offset < 0)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
flags.Add(new FlagsInfo(local, (uint)value, offset));
|
||||||
if (flags.Count != 3)
|
if (flags.Count != 3)
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
rldFlag = flags[1];
|
return flags;
|
||||||
bytesFlag = flags[2];
|
|
||||||
return true;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return false;
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
static int getFlagsOffset(MethodDefinition method, int index, VariableDefinition local) {
|
||||||
|
var instrs = method.Body.Instructions;
|
||||||
|
for (; index < instrs.Count; index++) {
|
||||||
|
var ldloc = instrs[index];
|
||||||
|
if (!DotNetUtils.isLdloc(ldloc))
|
||||||
|
continue;
|
||||||
|
if (DotNetUtils.getLocalVar(method.Body.Variables, ldloc) != local)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
return index;
|
||||||
|
}
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
static VariableDefinition getFlagsLocal(MethodDefinition method, int index) {
|
||||||
|
var instrs = method.Body.Instructions;
|
||||||
|
if (index + 5 >= instrs.Count)
|
||||||
|
return null;
|
||||||
|
if (instrs[index++].OpCode.Code != Code.And)
|
||||||
|
return null;
|
||||||
|
if (instrs[index++].OpCode.Code != Code.Ldc_I4_0)
|
||||||
|
return null;
|
||||||
|
if (instrs[index++].OpCode.Code != Code.Ceq)
|
||||||
|
return null;
|
||||||
|
if (instrs[index++].OpCode.Code != Code.Ldc_I4_0)
|
||||||
|
return null;
|
||||||
|
if (instrs[index++].OpCode.Code != Code.Ceq)
|
||||||
|
return null;
|
||||||
|
var stloc = instrs[index++];
|
||||||
|
if (!DotNetUtils.isStloc(stloc))
|
||||||
|
return null;
|
||||||
|
return DotNetUtils.getLocalVar(method.Body.Variables, stloc);
|
||||||
}
|
}
|
||||||
|
|
||||||
void initialize() {
|
void initialize() {
|
||||||
|
@ -417,10 +488,52 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
}
|
}
|
||||||
|
|
||||||
bool findResource(MethodDefinition method) {
|
bool findResource(MethodDefinition method) {
|
||||||
encryptedResource = DotNetUtils.getResource(module, DotNetUtils.getCodeStrings(method)) as EmbeddedResource;
|
encryptedResource = findResourceFromCodeString(method) ??
|
||||||
|
findResourceFromStringBuilder(method);
|
||||||
return encryptedResource != null;
|
return encryptedResource != null;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
EmbeddedResource findResourceFromCodeString(MethodDefinition method) {
|
||||||
|
return DotNetUtils.getResource(module, DotNetUtils.getCodeStrings(method)) as EmbeddedResource;
|
||||||
|
}
|
||||||
|
|
||||||
|
EmbeddedResource findResourceFromStringBuilder(MethodDefinition method) {
|
||||||
|
int startIndex = EfUtils.findOpCodeIndex(method, 0, Code.Newobj, "System.Void System.Text.StringBuilder::.ctor()");
|
||||||
|
if (startIndex < 0)
|
||||||
|
return null;
|
||||||
|
int endIndex = EfUtils.findOpCodeIndex(method, startIndex, Code.Call, "System.String System.Text.StringBuilder::ToString()");
|
||||||
|
if (endIndex < 0)
|
||||||
|
return null;
|
||||||
|
|
||||||
|
var sb = new StringBuilder();
|
||||||
|
var instrs = method.Body.Instructions;
|
||||||
|
int val = 0, shift = 0;
|
||||||
|
for (int i = startIndex; i < endIndex; i++) {
|
||||||
|
var instr = instrs[i];
|
||||||
|
if (instr.OpCode.Code == Code.Call && instr.Operand.ToString() == "System.Text.StringBuilder System.Text.StringBuilder::Append(System.Char)") {
|
||||||
|
sb.Append((char)(val >> shift));
|
||||||
|
shift = 0;
|
||||||
|
}
|
||||||
|
if (stringMethodConsts.isLoadConstant(instr)) {
|
||||||
|
int tmp;
|
||||||
|
if (!stringMethodConsts.getInt32(ref i, out tmp))
|
||||||
|
break;
|
||||||
|
if (i >= endIndex)
|
||||||
|
break;
|
||||||
|
|
||||||
|
var next = instrs[i];
|
||||||
|
if (next.OpCode.Code == Code.Shr)
|
||||||
|
shift = tmp;
|
||||||
|
else {
|
||||||
|
val = tmp;
|
||||||
|
shift = 0;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return DotNetUtils.getResource(module, sb.ToString()) as EmbeddedResource;
|
||||||
|
}
|
||||||
|
|
||||||
static MethodDefinition findInt64Method(MethodDefinition method) {
|
static MethodDefinition findInt64Method(MethodDefinition method) {
|
||||||
foreach (var instr in method.Body.Instructions) {
|
foreach (var instr in method.Body.Instructions) {
|
||||||
if (instr.OpCode.Code != Code.Call)
|
if (instr.OpCode.Code != Code.Call)
|
||||||
|
@ -451,70 +564,94 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
bool findShorts(MethodDefinition method) {
|
bool findShorts() {
|
||||||
int index = 0;
|
int index = 0;
|
||||||
if (!findShort(method, ref index, ref s1))
|
if (!findShort(ref index, ref s1))
|
||||||
return false;
|
return false;
|
||||||
if (!findShort(method, ref index, ref s2))
|
if (!findShort(ref index, ref s2))
|
||||||
return false;
|
return false;
|
||||||
if (!findShort(method, ref index, ref s3))
|
if (!findShort(ref index, ref s3))
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
bool findShort(MethodDefinition method, ref int index, ref short s) {
|
bool findShort(ref int index, ref short s) {
|
||||||
if (!findCallReadInt16(method, ref index))
|
if (!findCallReadInt16(ref index))
|
||||||
return false;
|
return false;
|
||||||
index++;
|
index++;
|
||||||
return EfUtils.getInt16(method, ref index, ref s);
|
return stringMethodConsts.getInt16(ref index, out s);
|
||||||
}
|
}
|
||||||
|
|
||||||
bool findInts(MethodDefinition method, out bool initializedAll) {
|
bool findInts(out bool initializedAll) {
|
||||||
|
int index = findInitIntsIndex(stringMethod, out initializedAll);
|
||||||
|
if (index < 0)
|
||||||
|
return false;
|
||||||
|
|
||||||
|
i2 = 0;
|
||||||
|
bool returnValue = false;
|
||||||
|
var instrs = stringMethod.Body.Instructions;
|
||||||
|
for (int i = index; i < instrs.Count - 2; i++) {
|
||||||
|
var instr = instrs[i];
|
||||||
|
|
||||||
|
if (instr.OpCode.Code == Code.Ldsfld &&
|
||||||
|
instrs[i + 1].OpCode.Code == Code.Ldc_I4 &&
|
||||||
|
(int)instrs[i + 1].Operand == 268435314)
|
||||||
|
break;
|
||||||
|
if (instr.OpCode.Code != Code.Call && instr.OpCode.FlowControl != FlowControl.Next)
|
||||||
|
break;
|
||||||
|
|
||||||
|
if (!stringMethodConsts.isLoadConstant(instr))
|
||||||
|
continue;
|
||||||
|
|
||||||
|
int tmp;
|
||||||
|
if (!stringMethodConsts.getNextInt32(ref i, out tmp))
|
||||||
|
continue;
|
||||||
|
if ((instrs[i - 1].OpCode.Code == Code.Xor && DotNetUtils.isStloc(instrs[i])) ||
|
||||||
|
(instrs[i].OpCode.Code == Code.Xor && DotNetUtils.isStloc(instrs[i + 1])) ||
|
||||||
|
DotNetUtils.isLdloc(instrs[i])) {
|
||||||
|
i2 ^= tmp;
|
||||||
|
returnValue = true;
|
||||||
|
}
|
||||||
|
i--;
|
||||||
|
}
|
||||||
|
|
||||||
|
return returnValue;
|
||||||
|
}
|
||||||
|
|
||||||
|
static int findInitIntsIndex(MethodDefinition method, out bool initializedAll) {
|
||||||
initializedAll = false;
|
initializedAll = false;
|
||||||
|
|
||||||
// <= 3.2
|
var instrs = method.Body.Instructions;
|
||||||
int index = findIndexInt64Method_v1(method);
|
for (int i = 0; i < instrs.Count; i++) {
|
||||||
if (index >= 0) {
|
var ldnull = instrs[i];
|
||||||
if (!EfUtils.getNextInt32(method, ref index, out i1))
|
if (ldnull.OpCode.Code != Code.Ldnull)
|
||||||
return false;
|
continue;
|
||||||
int tmp;
|
|
||||||
if (!EfUtils.getNextInt32(method, ref index, out tmp))
|
|
||||||
return false;
|
|
||||||
if (!EfUtils.getNextInt32(method, ref index, out i2))
|
|
||||||
return false;
|
|
||||||
|
|
||||||
initializedAll = true;
|
var stsfld = instrs[i + 1];
|
||||||
return true;
|
if (stsfld.OpCode.Code != Code.Stsfld)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
var storeField = stsfld.Operand as FieldDefinition;
|
||||||
|
if (storeField == null || storeField.FieldType.FullName != "System.Byte[]")
|
||||||
|
continue;
|
||||||
|
|
||||||
|
var instr = instrs[i + 2];
|
||||||
|
if (instr.OpCode.Code == Code.Ldsfld) {
|
||||||
|
var loadField = instr.Operand as FieldDefinition;
|
||||||
|
if (loadField == null || loadField.FieldType.EType != ElementType.I4)
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
else if (DotNetUtils.isLdcI4(instr)) {
|
||||||
|
initializedAll = true;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
continue;
|
||||||
|
|
||||||
|
return i;
|
||||||
}
|
}
|
||||||
|
|
||||||
// 3.3
|
return -1;
|
||||||
index = findIndexInt64Method_v2(method);
|
|
||||||
if (index >= 0) {
|
|
||||||
if (!EfUtils.getNextInt32(method, ref index, out i2))
|
|
||||||
return false;
|
|
||||||
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
|
|
||||||
// 3.2+ (Silverlight)
|
|
||||||
index = DeobUtils.indexOfLdci4Instruction(method, 268435314);
|
|
||||||
if (index >= 0) {
|
|
||||||
index--;
|
|
||||||
index = EfUtils.indexOfPreviousLdci4Instruction(method, index);
|
|
||||||
if (index < 0)
|
|
||||||
return false;
|
|
||||||
|
|
||||||
i1 = 0;
|
|
||||||
if (!EfUtils.getNextInt32(method, ref index, out i2))
|
|
||||||
return false;
|
|
||||||
|
|
||||||
// 3.2: true, 3.3+: false
|
|
||||||
initializedAll = method.Body.Instructions[index].OpCode.Code == Code.Stsfld;
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
|
|
||||||
return false;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
bool findIntsCctor(MethodDefinition cctor) {
|
bool findIntsCctor(MethodDefinition cctor) {
|
||||||
|
@ -522,23 +659,23 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
if (!findCallGetFrame(cctor, ref index))
|
if (!findCallGetFrame(cctor, ref index))
|
||||||
return findIntsCctor2(cctor);
|
return findIntsCctor2(cctor);
|
||||||
|
|
||||||
int tmp1, tmp2, tmp3;
|
int tmp1, tmp2, tmp3 = 0;
|
||||||
if (!EfUtils.getNextInt32(cctor, ref index, out tmp1))
|
var constantsReader = new ConstantsReader(cctor);
|
||||||
|
if (!constantsReader.getNextInt32(ref index, out tmp1))
|
||||||
return false;
|
return false;
|
||||||
if (!EfUtils.getNextInt32(cctor, ref index, out tmp2))
|
if (tmp1 == 0 && !constantsReader.getNextInt32(ref index, out tmp1))
|
||||||
|
return false;
|
||||||
|
if (!constantsReader.getNextInt32(ref index, out tmp2))
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
index = 0;
|
index = 0;
|
||||||
while (true) {
|
var instrs = cctor.Body.Instructions;
|
||||||
if (!EfUtils.getNextInt32(cctor, ref index, out tmp3))
|
while (index < instrs.Count) {
|
||||||
return false;
|
|
||||||
int nextIndex = index;
|
|
||||||
int tmp4;
|
int tmp4;
|
||||||
if (!EfUtils.getNextInt32(cctor, ref index, out tmp4))
|
if (!constantsReader.getNextInt32(ref index, out tmp4))
|
||||||
return false;
|
|
||||||
if (tmp4 == 16)
|
|
||||||
break;
|
break;
|
||||||
index = nextIndex;
|
if (index < instrs.Count && DotNetUtils.isLdloc(instrs[index]))
|
||||||
|
tmp3 = tmp4;
|
||||||
}
|
}
|
||||||
|
|
||||||
i1 = tmp1 ^ tmp2 ^ tmp3;
|
i1 = tmp1 ^ tmp2 ^ tmp3;
|
||||||
|
@ -549,9 +686,10 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
bool findIntsCctor2(MethodDefinition cctor) {
|
bool findIntsCctor2(MethodDefinition cctor) {
|
||||||
int index = 0;
|
int index = 0;
|
||||||
var instrs = cctor.Body.Instructions;
|
var instrs = cctor.Body.Instructions;
|
||||||
|
var constantsReader = new ConstantsReader(cctor);
|
||||||
while (index >= 0) {
|
while (index >= 0) {
|
||||||
int val;
|
int val;
|
||||||
if (!EfUtils.getNextInt32(cctor, ref index, out val))
|
if (!constantsReader.getNextInt32(ref index, out val))
|
||||||
break;
|
break;
|
||||||
if (index < instrs.Count && instrs[index].OpCode.Code == Code.Add) {
|
if (index < instrs.Count && instrs[index].OpCode.Code == Code.Add) {
|
||||||
i1 = val;
|
i1 = val;
|
||||||
|
@ -562,15 +700,15 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
bool findInt3(MethodDefinition method) {
|
bool findInt3() {
|
||||||
if (!isV32OrLater)
|
if (!isV32OrLater)
|
||||||
return findInt3Old(method);
|
return findInt3Old();
|
||||||
return findInt3New(method);
|
return findInt3New();
|
||||||
}
|
}
|
||||||
|
|
||||||
// <= 3.1
|
// <= 3.1
|
||||||
bool findInt3Old(MethodDefinition method) {
|
bool findInt3Old() {
|
||||||
var instrs = method.Body.Instructions;
|
var instrs = stringMethod.Body.Instructions;
|
||||||
for (int i = 0; i < instrs.Count - 4; i++) {
|
for (int i = 0; i < instrs.Count - 4; i++) {
|
||||||
var ldarg0 = instrs[i];
|
var ldarg0 = instrs[i];
|
||||||
if (ldarg0.OpCode.Code != Code.Ldarg_0)
|
if (ldarg0.OpCode.Code != Code.Ldarg_0)
|
||||||
|
@ -582,7 +720,7 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
|
|
||||||
int index = i + 1;
|
int index = i + 1;
|
||||||
int value;
|
int value;
|
||||||
if (!EfUtils.getInt32(method, ref index, out value))
|
if (!stringMethodConsts.getInt32(ref index, out value))
|
||||||
continue;
|
continue;
|
||||||
if (index >= instrs.Count)
|
if (index >= instrs.Count)
|
||||||
continue;
|
continue;
|
||||||
|
@ -598,28 +736,33 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
}
|
}
|
||||||
|
|
||||||
// 3.2+
|
// 3.2+
|
||||||
bool findInt3New(MethodDefinition method) {
|
bool findInt3New() {
|
||||||
var instrs = method.Body.Instructions;
|
var instrs = stringMethod.Body.Instructions;
|
||||||
for (int i = 0; i < instrs.Count - 4; i++) {
|
for (int i = 0; i < instrs.Count; i++) {
|
||||||
var ldarg0 = instrs[i];
|
int index = i;
|
||||||
|
|
||||||
|
var ldarg0 = instrs[index++];
|
||||||
if (ldarg0.OpCode.Code != Code.Ldarg_0)
|
if (ldarg0.OpCode.Code != Code.Ldarg_0)
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
var ldci4 = instrs[i + 1];
|
int value;
|
||||||
if (!DotNetUtils.isLdcI4(ldci4))
|
if (!stringMethodConsts.getInt32(ref index, out value))
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
if (instrs[i + 2].OpCode.Code != Code.Xor)
|
if (index + 3 >= instrs.Count)
|
||||||
|
break;
|
||||||
|
|
||||||
|
if (instrs[index++].OpCode.Code != Code.Xor)
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
if (!DotNetUtils.isLdloc(instrs[i + 3]))
|
if (!DotNetUtils.isLdloc(instrs[index++]))
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
if (instrs[i + 4].OpCode.Code != Code.Xor)
|
if (instrs[index++].OpCode.Code != Code.Xor)
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
i3 = DotNetUtils.getLdcI4Value(ldci4);
|
i3 = value;
|
||||||
if (!findInt6(method, i + 5))
|
if (!findInt6(index++))
|
||||||
return false;
|
return false;
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
@ -627,116 +770,73 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
// v3.3.134.30672+ (not 3.3.128.10407)
|
// v3.3.134+
|
||||||
bool findInt6(MethodDefinition method, int index) {
|
bool findInt6(int index) {
|
||||||
index = getNextLdci4InSameBlock(method, index);
|
index = getNextLdci4InSameBlock(index);
|
||||||
if (index < 0)
|
if (index < 0)
|
||||||
return true;
|
return true;
|
||||||
|
|
||||||
return EfUtils.getNextInt32(method, ref index, out i6);
|
return stringMethodConsts.getNextInt32(ref index, out i6);
|
||||||
}
|
}
|
||||||
|
|
||||||
bool findInt4(MethodDefinition method) {
|
bool findInt4() {
|
||||||
int index = 0;
|
int index = 0;
|
||||||
if (!findCallReadInt32(method, ref index))
|
if (!findCallReadInt32(ref index))
|
||||||
return false;
|
return false;
|
||||||
if (!EfUtils.getNextInt32(method, ref index, out i4))
|
if (!stringMethodConsts.getNextInt32(ref index, out i4))
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int getNextLdci4InSameBlock(MethodDefinition method, int index) {
|
int getNextLdci4InSameBlock(int index) {
|
||||||
var instrs = method.Body.Instructions;
|
var instrs = stringMethod.Body.Instructions;
|
||||||
for (int i = index; i < instrs.Count; i++) {
|
for (int i = index; i < instrs.Count; i++) {
|
||||||
var instr = instrs[i];
|
var instr = instrs[i];
|
||||||
if (instr.OpCode.FlowControl != FlowControl.Next)
|
if (instr.OpCode.FlowControl != FlowControl.Next)
|
||||||
return -1;
|
return -1;
|
||||||
if (DotNetUtils.isLdcI4(instr))
|
if (stringMethodConsts.isLoadConstant(instr))
|
||||||
return i;
|
return i;
|
||||||
}
|
}
|
||||||
|
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
bool findInt5(MethodDefinition method) {
|
bool findInt5() {
|
||||||
int index = -1;
|
int index = -1;
|
||||||
while (true) {
|
while (true) {
|
||||||
index++;
|
index++;
|
||||||
if (!findCallReadBytes(method, ref index))
|
if (!findCallReadBytes(ref index))
|
||||||
return false;
|
return false;
|
||||||
if (index <= 0)
|
if (index <= 0)
|
||||||
continue;
|
continue;
|
||||||
var ldci4 = method.Body.Instructions[index - 1];
|
var ldci4 = stringMethod.Body.Instructions[index - 1];
|
||||||
if (!DotNetUtils.isLdcI4(ldci4))
|
if (!DotNetUtils.isLdcI4(ldci4))
|
||||||
continue;
|
continue;
|
||||||
if (DotNetUtils.getLdcI4Value(ldci4) != 4)
|
if (DotNetUtils.getLdcI4Value(ldci4) != 4)
|
||||||
continue;
|
continue;
|
||||||
if (!EfUtils.getNextInt32(method, ref index, out i5))
|
if (!stringMethodConsts.getNextInt32(ref index, out i5))
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
static int findIndexInt64Method_v1(MethodDefinition method) {
|
|
||||||
var instrs = method.Body.Instructions;
|
|
||||||
for (int i = 0; i < instrs.Count - 2; i++) {
|
|
||||||
var ldci4 = instrs[i];
|
|
||||||
if (!DotNetUtils.isLdcI4(ldci4))
|
|
||||||
continue;
|
|
||||||
|
|
||||||
var stloc = instrs[i + 1];
|
|
||||||
if (!DotNetUtils.isStloc(stloc))
|
|
||||||
continue;
|
|
||||||
|
|
||||||
var call = instrs[i + 2];
|
|
||||||
if (call.OpCode.Code != Code.Call)
|
|
||||||
continue;
|
|
||||||
var calledMethod = call.Operand as MethodDefinition;
|
|
||||||
if (calledMethod == null)
|
|
||||||
continue;
|
|
||||||
if (!DotNetUtils.isMethod(calledMethod, "System.Int64", "()"))
|
|
||||||
continue;
|
|
||||||
|
|
||||||
return i;
|
|
||||||
}
|
|
||||||
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
static int findIndexInt64Method_v2(MethodDefinition method) {
|
|
||||||
var instrs = method.Body.Instructions;
|
|
||||||
for (int i = 0; i < instrs.Count; i++) {
|
|
||||||
var call = instrs[i];
|
|
||||||
if (call.OpCode.Code != Code.Call)
|
|
||||||
continue;
|
|
||||||
var calledMethod = call.Operand as MethodDefinition;
|
|
||||||
if (calledMethod == null)
|
|
||||||
continue;
|
|
||||||
if (!DotNetUtils.isMethod(calledMethod, "System.Int64", "()"))
|
|
||||||
continue;
|
|
||||||
|
|
||||||
return i;
|
|
||||||
}
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
static bool callsGetPublicKeyToken(MethodDefinition method) {
|
static bool callsGetPublicKeyToken(MethodDefinition method) {
|
||||||
int index = 0;
|
int index = 0;
|
||||||
return findCall(method, ref index, "System.Byte[] System.Reflection.AssemblyName::GetPublicKeyToken()");
|
return findCall(method, ref index, "System.Byte[] System.Reflection.AssemblyName::GetPublicKeyToken()");
|
||||||
}
|
}
|
||||||
|
|
||||||
bool findCallReadInt16(MethodDefinition method, ref int index) {
|
bool findCallReadInt16(ref int index) {
|
||||||
return findCall(method, ref index, streamHelperType == null ? "System.Int16 System.IO.BinaryReader::ReadInt16()" : streamHelperType.readInt16Method.FullName);
|
return findCall(stringMethod, ref index, streamHelperType == null ? "System.Int16 System.IO.BinaryReader::ReadInt16()" : streamHelperType.readInt16Method.FullName);
|
||||||
}
|
}
|
||||||
|
|
||||||
bool findCallReadInt32(MethodDefinition method, ref int index) {
|
bool findCallReadInt32(ref int index) {
|
||||||
return findCall(method, ref index, streamHelperType == null ? "System.Int32 System.IO.BinaryReader::ReadInt32()" : streamHelperType.readInt32Method.FullName);
|
return findCall(stringMethod, ref index, streamHelperType == null ? "System.Int32 System.IO.BinaryReader::ReadInt32()" : streamHelperType.readInt32Method.FullName);
|
||||||
}
|
}
|
||||||
|
|
||||||
bool findCallReadBytes(MethodDefinition method, ref int index) {
|
bool findCallReadBytes(ref int index) {
|
||||||
return findCall(method, ref index, streamHelperType == null ? "System.Byte[] System.IO.BinaryReader::ReadBytes(System.Int32)" : streamHelperType.readBytesMethod.FullName);
|
return findCall(stringMethod, ref index, streamHelperType == null ? "System.Byte[] System.IO.BinaryReader::ReadBytes(System.Int32)" : streamHelperType.readBytesMethod.FullName);
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool findCallGetFrame(MethodDefinition method, ref int index) {
|
static bool findCallGetFrame(MethodDefinition method, ref int index) {
|
||||||
|
|
|
@ -569,22 +569,22 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
|
|
||||||
if (decryptStringType.NestedTypes.Count == 3) {
|
if (decryptStringType.NestedTypes.Count == 3) {
|
||||||
var fields33 = new string[] {
|
var fields33 = new string[] {
|
||||||
decryptStringType.NestedTypes[0].FullName,
|
getNestedTypeName(0),
|
||||||
decryptStringType.NestedTypes[1].FullName,
|
getNestedTypeName(1),
|
||||||
"System.Byte[]",
|
"System.Byte[]",
|
||||||
"System.Int16",
|
"System.Int16",
|
||||||
"System.Int32",
|
"System.Int32",
|
||||||
"System.Byte[]",
|
"System.Byte[]",
|
||||||
"System.Int32",
|
"System.Int32",
|
||||||
"System.Int32",
|
"System.Int32",
|
||||||
decryptStringType.NestedTypes[2].FullName,
|
getNestedTypeName(2),
|
||||||
};
|
};
|
||||||
var locals33 = createLocalsArray(
|
var locals33 = createLocalsArray(
|
||||||
"System.Boolean",
|
"System.Boolean",
|
||||||
"System.Byte",
|
"System.Byte",
|
||||||
"System.Byte[]",
|
"System.Byte[]",
|
||||||
"System.Char[]",
|
"System.Char[]",
|
||||||
decryptStringType.NestedTypes[0].FullName,
|
getNestedTypeName(0),
|
||||||
"System.Diagnostics.StackFrame",
|
"System.Diagnostics.StackFrame",
|
||||||
"System.Diagnostics.StackTrace",
|
"System.Diagnostics.StackTrace",
|
||||||
"System.Int16",
|
"System.Int16",
|
||||||
|
@ -606,7 +606,6 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
otherMethods[0].IsPrivate &&
|
otherMethods[0].IsPrivate &&
|
||||||
otherMethods[0].IsStatic &&
|
otherMethods[0].IsStatic &&
|
||||||
new LocalTypes(otherMethods[0]).exactly(olocals33) &&
|
new LocalTypes(otherMethods[0]).exactly(olocals33) &&
|
||||||
hasConstantM2 &&
|
|
||||||
decryptStringMethod.NoInlining &&
|
decryptStringMethod.NoInlining &&
|
||||||
decryptStringMethod.IsAssembly &&
|
decryptStringMethod.IsAssembly &&
|
||||||
!decryptStringMethod.IsSynchronized &&
|
!decryptStringMethod.IsSynchronized &&
|
||||||
|
@ -617,11 +616,86 @@ namespace de4dot.code.deobfuscators.Eazfuscator_NET {
|
||||||
checkTypeFields(fields33)) {
|
checkTypeFields(fields33)) {
|
||||||
return "3.3";
|
return "3.3";
|
||||||
}
|
}
|
||||||
|
|
||||||
|
var fields33_149 = new string[] {
|
||||||
|
getNestedTypeName(0),
|
||||||
|
getNestedTypeName(1),
|
||||||
|
"System.Byte[]",
|
||||||
|
"System.Int16",
|
||||||
|
"System.Int32",
|
||||||
|
"System.Byte[]",
|
||||||
|
"System.Int32",
|
||||||
|
"System.Int32",
|
||||||
|
getNestedTypeName(2),
|
||||||
|
};
|
||||||
|
var locals33_149 = createLocalsArray(
|
||||||
|
"System.Boolean",
|
||||||
|
"System.Byte",
|
||||||
|
"System.Byte[]",
|
||||||
|
"System.Char[]",
|
||||||
|
getNestedTypeName(0),
|
||||||
|
"System.Diagnostics.StackFrame",
|
||||||
|
"System.Diagnostics.StackTrace",
|
||||||
|
"System.Int16",
|
||||||
|
"System.Int32",
|
||||||
|
"System.Int64",
|
||||||
|
"System.IO.Stream",
|
||||||
|
"System.Reflection.Assembly",
|
||||||
|
"System.Reflection.AssemblyName",
|
||||||
|
"System.Reflection.MethodBase",
|
||||||
|
"System.String",
|
||||||
|
"System.Text.StringBuilder",
|
||||||
|
"System.Type"
|
||||||
|
);
|
||||||
|
var olocals33_149 = createLocalsArray(
|
||||||
|
"System.Int32"
|
||||||
|
);
|
||||||
|
if (otherMethods.Count == 1 &&
|
||||||
|
decryptStringType.NestedTypes.Count == 3 &&
|
||||||
|
DotNetUtils.isMethod(otherMethods[0], "System.Void", "(System.Byte[],System.Int32,System.Byte[])") &&
|
||||||
|
otherMethods[0].IsPrivate &&
|
||||||
|
otherMethods[0].IsStatic &&
|
||||||
|
new LocalTypes(otherMethods[0]).exactly(olocals33_149) &&
|
||||||
|
decryptStringMethod.NoInlining &&
|
||||||
|
decryptStringMethod.IsAssembly &&
|
||||||
|
!decryptStringMethod.IsSynchronized &&
|
||||||
|
decryptStringMethod.Body.MaxStackSize >= 1 &&
|
||||||
|
decryptStringMethod.Body.MaxStackSize <= 8 &&
|
||||||
|
(decryptStringMethod.Body.ExceptionHandlers.Count == 1 || decryptStringMethod.Body.ExceptionHandlers.Count == 2) &&
|
||||||
|
new LocalTypes(decryptStringMethod).exactly(locals33_149) &&
|
||||||
|
checkTypeFields(fields33_149)) {
|
||||||
|
return "3.3"; // 3.3.149 (but not SL or CF)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
TypeDefinition getNestedType(int n) {
|
||||||
|
var type = stringDecrypter.Type;
|
||||||
|
|
||||||
|
int fieldIndex;
|
||||||
|
switch (n) {
|
||||||
|
case 0: fieldIndex = 0; break;
|
||||||
|
case 1: fieldIndex = 1; break;
|
||||||
|
case 2: fieldIndex = 8; break;
|
||||||
|
default: throw new ApplicationException("Invalid index: " + n);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (fieldIndex >= type.Fields.Count)
|
||||||
|
return null;
|
||||||
|
var nestedType = type.Fields[fieldIndex].FieldType as TypeDefinition;
|
||||||
|
if (nestedType == null || type.NestedTypes.IndexOf(nestedType) < 0)
|
||||||
|
return null;
|
||||||
|
|
||||||
|
return nestedType;
|
||||||
|
}
|
||||||
|
|
||||||
|
string getNestedTypeName(int n) {
|
||||||
|
var nestedType = getNestedType(n);
|
||||||
|
return nestedType == null ? null : nestedType.FullName;
|
||||||
|
}
|
||||||
|
|
||||||
bool checkTypeFields(string[] fieldTypes) {
|
bool checkTypeFields(string[] fieldTypes) {
|
||||||
if (fieldTypes.Length != stringDecrypter.Type.Fields.Count)
|
if (fieldTypes.Length != stringDecrypter.Type.Fields.Count)
|
||||||
return false;
|
return false;
|
||||||
|
|
Loading…
Reference in New Issue
Block a user