Port CryptoObfuscator deobfuscator
parent
472d57ed0f
commit
5d25a499aa
|
@ -181,17 +181,15 @@ namespace de4dot.blocks {
|
|||
return true;
|
||||
}
|
||||
|
||||
#if PORT
|
||||
public static FieldDefinition findFieldType(TypeDefinition typeDefinition, string typeName, bool isStatic) {
|
||||
public static FieldDef findFieldType(TypeDef typeDefinition, string typeName, bool isStatic) {
|
||||
if (typeDefinition == null)
|
||||
return null;
|
||||
foreach (var field in typeDefinition.Fields) {
|
||||
if (field.FieldType.FullName == typeName && field.IsStatic == isStatic)
|
||||
if (field.IsStatic == isStatic && field.FieldSig.GetFieldType().GetFullName() == typeName)
|
||||
return field;
|
||||
}
|
||||
return null;
|
||||
}
|
||||
#endif
|
||||
|
||||
public static IEnumerable<MethodDef> findMethods(IEnumerable<MethodDef> methods, string returnType, string[] argsTypes) {
|
||||
return findMethods(methods, returnType, argsTypes, true);
|
||||
|
@ -1233,14 +1231,13 @@ namespace de4dot.blocks {
|
|||
return new ClassSig(typeRef);
|
||||
}
|
||||
|
||||
#if PORT
|
||||
public static FrameworkType getFrameworkType(ModuleDefinition module) {
|
||||
foreach (var modRef in module.AssemblyReferences) {
|
||||
public static FrameworkType getFrameworkType(ModuleDefMD module) {
|
||||
foreach (var modRef in module.GetAssemblyRefs()) {
|
||||
if (modRef.Name != "mscorlib")
|
||||
continue;
|
||||
if (modRef.PublicKeyToken == null || modRef.PublicKeyToken.Length == 0)
|
||||
if (PublicKeyBase.IsNullOrEmpty2(modRef.PublicKeyOrToken))
|
||||
continue;
|
||||
switch (BitConverter.ToString(modRef.PublicKeyToken).Replace("-", "").ToLowerInvariant()) {
|
||||
switch (BitConverter.ToString(modRef.PublicKeyOrToken.Data).Replace("-", "").ToLowerInvariant()) {
|
||||
case "b77a5c561934e089":
|
||||
return FrameworkType.Desktop;
|
||||
case "7cec85d7bea7798e":
|
||||
|
@ -1256,7 +1253,6 @@ namespace de4dot.blocks {
|
|||
|
||||
return FrameworkType.Unknown;
|
||||
}
|
||||
#endif
|
||||
|
||||
public static int getMethodCalls(MethodDef method, string methodFullName) {
|
||||
if (method == null || method.Body == null)
|
||||
|
@ -1293,7 +1289,6 @@ namespace de4dot.blocks {
|
|||
return false;
|
||||
}
|
||||
|
||||
#if PORT
|
||||
public static bool callsMethod(MethodDef method, string returnType, string parameters) {
|
||||
if (method == null || method.Body == null)
|
||||
return false;
|
||||
|
@ -1301,13 +1296,14 @@ namespace de4dot.blocks {
|
|||
foreach (var instr in method.Body.Instructions) {
|
||||
if (instr.OpCode.Code != Code.Call && instr.OpCode.Code != Code.Callvirt && instr.OpCode.Code != Code.Newobj)
|
||||
continue;
|
||||
if (isMethod(instr.Operand as MethodReference, returnType, parameters))
|
||||
if (isMethod(instr.Operand as IMethod, returnType, parameters))
|
||||
return true;
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
#if PORT
|
||||
public static IList<Instruction> getArgPushes(IList<Instruction> instrs, int index) {
|
||||
return getArgPushes(instrs, ref index);
|
||||
}
|
||||
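Review bot: In `getFrameworkType`, the new `switch` hex-encodes `modRef.PublicKeyOrToken.Data` and compares it with 8-byte token strings such as `"b77a5c561934e089"`, but the property name suggests the value can be a full public key as well as a token. A reference that carries the full key would presumably match no `case` and be reported as `FrameworkType.Unknown`, whereas the old `modRef.PublicKeyToken` always gave the token. Reduce the value to its token before the `switch`, or add a comment such as `// mscorlib refs always carry a token here, never a full key` if that is guaranteed. The remaining cases of the `switch` are outside the hunk, so this is inferred from the visible lines only.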
|
|
|
@ -123,18 +123,18 @@
|
|||
<Compile Include="deobfuscators\CodeWall\randomc\CRandomMother.cs" />
|
||||
<Compile Include="deobfuscators\CodeWall\StringDecrypter.cs" />
|
||||
<Compile Include="deobfuscators\ConstantsReader.cs" />
|
||||
<None Include="deobfuscators\CryptoObfuscator\AntiDebugger.cs" />
|
||||
<None Include="deobfuscators\CryptoObfuscator\AssemblyResolver.cs" />
|
||||
<None Include="deobfuscators\CryptoObfuscator\ConstantsDecrypter.cs" />
|
||||
<None Include="deobfuscators\CryptoObfuscator\CoUtils.cs" />
|
||||
<None Include="deobfuscators\CryptoObfuscator\Deobfuscator.cs" />
|
||||
<None Include="deobfuscators\CryptoObfuscator\MethodBodyReader.cs" />
|
||||
<None Include="deobfuscators\CryptoObfuscator\MethodsDecrypter.cs" />
|
||||
<None Include="deobfuscators\CryptoObfuscator\ProxyCallFixer.cs" />
|
||||
<None Include="deobfuscators\CryptoObfuscator\ResourceDecrypter.cs" />
|
||||
<None Include="deobfuscators\CryptoObfuscator\ResourceResolver.cs" />
|
||||
<None Include="deobfuscators\CryptoObfuscator\StringDecrypter.cs" />
|
||||
<None Include="deobfuscators\CryptoObfuscator\TamperDetection.cs" />
|
||||
<Compile Include="deobfuscators\CryptoObfuscator\AntiDebugger.cs" />
|
||||
<Compile Include="deobfuscators\CryptoObfuscator\AssemblyResolver.cs" />
|
||||
<Compile Include="deobfuscators\CryptoObfuscator\ConstantsDecrypter.cs" />
|
||||
<Compile Include="deobfuscators\CryptoObfuscator\CoUtils.cs" />
|
||||
<Compile Include="deobfuscators\CryptoObfuscator\Deobfuscator.cs" />
|
||||
<Compile Include="deobfuscators\CryptoObfuscator\MethodBodyReader.cs" />
|
||||
<Compile Include="deobfuscators\CryptoObfuscator\MethodsDecrypter.cs" />
|
||||
<Compile Include="deobfuscators\CryptoObfuscator\ProxyCallFixer.cs" />
|
||||
<Compile Include="deobfuscators\CryptoObfuscator\ResourceDecrypter.cs" />
|
||||
<Compile Include="deobfuscators\CryptoObfuscator\ResourceResolver.cs" />
|
||||
<Compile Include="deobfuscators\CryptoObfuscator\StringDecrypter.cs" />
|
||||
<Compile Include="deobfuscators\CryptoObfuscator\TamperDetection.cs" />
|
||||
<None Include="deobfuscators\DeepSea\ArrayBlockDeobfuscator.cs" />
|
||||
<None Include="deobfuscators\DeepSea\ArrayBlockState.cs" />
|
||||
<None Include="deobfuscators\DeepSea\AssemblyResolver.cs" />
|
||||
|
|
|
@ -22,7 +22,7 @@ using de4dot.blocks;
|
|||
|
||||
namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||
class AntiDebugger {
|
||||
ModuleDefinition module;
|
||||
ModuleDefMD module;
|
||||
ISimpleDeobfuscator simpleDeobfuscator;
|
||||
IDeobfuscator deob;
|
||||
TypeDef antiDebuggerType;
|
||||
|
@ -36,7 +36,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
get { return antiDebuggerMethod; }
|
||||
}
|
||||
|
||||
public AntiDebugger(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
|
||||
public AntiDebugger(ModuleDefMD module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
|
||||
this.module = module;
|
||||
this.simpleDeobfuscator = simpleDeobfuscator;
|
||||
this.deob = deob;
|
||||
|
|
|
@ -26,7 +26,7 @@ using de4dot.blocks;
|
|||
|
||||
namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||
class AssemblyResolver {
|
||||
ModuleDefinition module;
|
||||
ModuleDefMD module;
|
||||
TypeDef resolverType;
|
||||
MethodDef resolverMethod;
|
||||
List<AssemblyInfo> assemblyInfos = new List<AssemblyInfo>();
|
||||
|
@ -62,7 +62,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
get { return resolverMethod; }
|
||||
}
|
||||
|
||||
public AssemblyResolver(ModuleDefinition module) {
|
||||
public AssemblyResolver(ModuleDefMD module) {
|
||||
this.module = module;
|
||||
}
|
||||
|
||||
|
@ -112,15 +112,15 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
if (instrs == null)
|
||||
continue;
|
||||
|
||||
MethodReference methodRef;
|
||||
IMethod methodRef;
|
||||
var ldftn = instrs[1];
|
||||
var newobj = instrs[2];
|
||||
|
||||
methodRef = ldftn.Operand as MethodReference;
|
||||
if (methodRef == null || !MemberReferenceHelper.compareTypes(initMethod.DeclaringType, methodRef.DeclaringType))
|
||||
methodRef = ldftn.Operand as IMethod;
|
||||
if (methodRef == null || !new SigComparer().Equals(initMethod.DeclaringType, methodRef.DeclaringType))
|
||||
continue;
|
||||
|
||||
methodRef = newobj.Operand as MethodReference;
|
||||
methodRef = newobj.Operand as IMethod;
|
||||
if (methodRef == null || methodRef.FullName != "System.Void System.ResolveEventHandler::.ctor(System.Object,System.IntPtr)")
|
||||
continue;
|
||||
|
||||
|
|
|
@ -25,13 +25,13 @@ using de4dot.blocks;
|
|||
|
||||
namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||
static class CoUtils {
|
||||
public static EmbeddedResource getResource(ModuleDefinition module, MethodDef method) {
|
||||
public static EmbeddedResource getResource(ModuleDefMD module, MethodDef method) {
|
||||
if (method == null || method.Body == null)
|
||||
return null;
|
||||
return getResource(module, DotNetUtils.getCodeStrings(method));
|
||||
}
|
||||
|
||||
public static EmbeddedResource getResource(ModuleDefinition module, IEnumerable<string> names) {
|
||||
public static EmbeddedResource getResource(ModuleDefMD module, IEnumerable<string> names) {
|
||||
foreach (var name in names) {
|
||||
var resource = DotNetUtils.getResource(module, name) as EmbeddedResource;
|
||||
if (resource != null)
|
||||
|
|
|
@ -20,12 +20,13 @@
|
|||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.Text;
|
||||
using dot10.IO;
|
||||
using dot10.DotNet;
|
||||
using de4dot.blocks;
|
||||
|
||||
namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||
class ConstantsDecrypter {
|
||||
ModuleDefinition module;
|
||||
ModuleDefMD module;
|
||||
TypeDef decrypterType;
|
||||
MethodDef methodI4;
|
||||
MethodDef methodI8;
|
||||
|
@ -62,7 +63,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
get { return decrypterType != null; }
|
||||
}
|
||||
|
||||
public ConstantsDecrypter(ModuleDefinition module) {
|
||||
public ConstantsDecrypter(ModuleDefMD module) {
|
||||
this.module = module;
|
||||
}
|
||||
|
||||
|
@ -106,8 +107,8 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
if (decrypterType == null)
|
||||
return;
|
||||
|
||||
encryptedResource = CoUtils.getResource(module, DotNetUtils.getCodeStrings(DotNetUtils.getMethod(decrypterType, ".cctor")));
|
||||
constantsData = resourceDecrypter.decrypt(encryptedResource.GetResourceStream());
|
||||
encryptedResource = CoUtils.getResource(module, DotNetUtils.getCodeStrings(decrypterType.FindClassConstructor()));
|
||||
constantsData = resourceDecrypter.decrypt(encryptedResource.Data.CreateStream());
|
||||
}
|
||||
|
||||
public int decryptInt32(int index) {
|
||||
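Review bot: The ported line `constantsData = resourceDecrypter.decrypt(encryptedResource.Data.CreateStream());` dereferences `encryptedResource` without checking that `CoUtils.getResource` found anything. The resource name comes from strings in the obfuscated type's class constructor, so a stripped or renamed resource in a sample would surface as a NullReferenceException rather than a diagnosable error. MethodsDecrypter.cs in this commit guards the same lookup with `if (resource == null) return;`; doing the same here, or throwing `new ApplicationException(...)` with a message naming the missing resource, keeps failures on hostile input explicit. The enclosing method starts outside the hunk.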
|
|
|
@ -105,7 +105,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
StringFeatures = StringFeatures.AllowStaticDecryption | StringFeatures.AllowDynamicDecryption;
|
||||
}
|
||||
|
||||
public override void init(ModuleDefinition module) {
|
||||
public override void init(ModuleDefMD module) {
|
||||
base.init(module);
|
||||
}
|
||||
|
||||
|
@ -146,7 +146,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
tamperDetection.find();
|
||||
constantsDecrypter = new ConstantsDecrypter(module);
|
||||
constantsDecrypter.find();
|
||||
foundObfuscatorUserString = Utils.StartsWith(module.GetUserString(0x70000001), "\u0011\"3D9B94A98B-76A8-4810-B1A0-4BE7C4F9C98D", StringComparison.Ordinal);
|
||||
foundObfuscatorUserString = Utils.StartsWith(module.ReadUserString(0x70000001), "\u0011\"3D9B94A98B-76A8-4810-B1A0-4BE7C4F9C98D", StringComparison.Ordinal);
|
||||
}
|
||||
|
||||
void initializeVersion(TypeDef attr) {
|
||||
|
@ -166,9 +166,9 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
foreach (var type in module.Types) {
|
||||
if (type.Namespace != "A")
|
||||
continue;
|
||||
if (Regex.IsMatch(type.Name, "^c[0-9a-f]{32}$"))
|
||||
if (Regex.IsMatch(type.Name.String, "^c[0-9a-f]{32}$"))
|
||||
return true;
|
||||
else if (Regex.IsMatch(type.Name, "^A[A-Z]*$")) {
|
||||
else if (Regex.IsMatch(type.Name.String, "^A[A-Z]*$")) {
|
||||
if (++matched >= 10)
|
||||
return true;
|
||||
}
|
||||
|
|
|
@ -19,27 +19,28 @@
|
|||
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.IO;
|
||||
using dot10.IO;
|
||||
using dot10.DotNet;
|
||||
using dot10.DotNet.MD;
|
||||
using dot10.DotNet.Emit;
|
||||
using de4dot.blocks;
|
||||
|
||||
namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||
class MethodBodyReader : MethodBodyReaderBase {
|
||||
ModuleDefinition module;
|
||||
ModuleDefMD module;
|
||||
ushort maxStackSize;
|
||||
|
||||
public MethodBodyReader(ModuleDefinition module, BinaryReader reader)
|
||||
public MethodBodyReader(ModuleDefMD module, IBinaryReader reader)
|
||||
: base(reader) {
|
||||
this.module = module;
|
||||
}
|
||||
|
||||
public void read(MethodDef method) {
|
||||
this.parameters = getParameters(method);
|
||||
this.Locals = getLocals(method);
|
||||
this.parameters = method.Parameters;
|
||||
this.locals = getLocals(method);
|
||||
|
||||
maxStackSize = (ushort)reader.ReadInt32();
|
||||
readInstructionsNumBytes(reader.ReadUInt32());
|
||||
ReadInstructionsNumBytes(reader.ReadUInt32());
|
||||
readExceptionHandlers();
|
||||
}
|
||||
|
||||
|
@ -51,73 +52,76 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
readExceptionHandlers((totalSize - 4) / 24);
|
||||
}
|
||||
|
||||
static IList<ParameterDefinition> getParameters(MethodReference method) {
|
||||
return DotNetUtils.getParameters(method);
|
||||
}
|
||||
|
||||
static IList<VariableDefinition> getLocals(MethodDef method) {
|
||||
static IList<Local> getLocals(MethodDef method) {
|
||||
if (method.Body == null)
|
||||
return new List<VariableDefinition>();
|
||||
return new List<VariableDefinition>(method.Body.Variables);
|
||||
return new List<Local>();
|
||||
return method.Body.LocalList;
|
||||
}
|
||||
|
||||
protected override FieldReference readInlineField(Instruction instr) {
|
||||
return (FieldReference)module.LookupToken(reader.ReadInt32());
|
||||
protected override IField ReadInlineField(Instruction instr) {
|
||||
return module.ResolveToken(reader.ReadUInt32()) as IField;
|
||||
}
|
||||
|
||||
protected override MethodReference readInlineMethod(Instruction instr) {
|
||||
return (MethodReference)module.LookupToken(reader.ReadInt32());
|
||||
protected override IMethod ReadInlineMethod(Instruction instr) {
|
||||
return module.ResolveToken(reader.ReadUInt32()) as IMethod;
|
||||
}
|
||||
|
||||
protected override CallSite readInlineSig(Instruction instr) {
|
||||
return module.ReadCallSite(new MetadataToken(reader.ReadUInt32()));
|
||||
protected override MethodSig ReadInlineSig(Instruction instr) {
|
||||
var sas = module.ResolveStandAloneSig(MDToken.ToRID(reader.ReadUInt32()));
|
||||
return sas == null ? null : sas.MethodSig;
|
||||
}
|
||||
|
||||
protected override string readInlineString(Instruction instr) {
|
||||
return module.GetUserString(reader.ReadUInt32());
|
||||
protected override string ReadInlineString(Instruction instr) {
|
||||
return module.ReadUserString(reader.ReadUInt32());
|
||||
}
|
||||
|
||||
protected override MemberReference readInlineTok(Instruction instr) {
|
||||
return (MemberReference)module.LookupToken(reader.ReadInt32());
|
||||
protected override ITokenOperand ReadInlineTok(Instruction instr) {
|
||||
return module.ResolveToken(reader.ReadUInt32()) as ITokenOperand;
|
||||
}
|
||||
|
||||
protected override TypeReference readInlineType(Instruction instr) {
|
||||
return (TypeReference)module.LookupToken(reader.ReadInt32());
|
||||
protected override ITypeDefOrRef ReadInlineType(Instruction instr) {
|
||||
return module.ResolveToken(reader.ReadUInt32()) as ITypeDefOrRef;
|
||||
}
|
||||
|
||||
protected override ExceptionHandler readExceptionHandler() {
|
||||
var eh = new ExceptionHandler((ExceptionHandlerType)reader.ReadInt32());
|
||||
void readExceptionHandlers(int numExceptionHandlers) {
|
||||
exceptionHandlers = new ExceptionHandler[numExceptionHandlers];
|
||||
for (int i = 0; i < exceptionHandlers.Count; i++)
|
||||
exceptionHandlers[i] = readExceptionHandler();
|
||||
}
|
||||
|
||||
int tryOffset = reader.ReadInt32();
|
||||
eh.TryStart = getInstruction(tryOffset);
|
||||
eh.TryEnd = getInstructionOrNull(tryOffset + reader.ReadInt32());
|
||||
ExceptionHandler readExceptionHandler() {
|
||||
var eh = new ExceptionHandler((ExceptionHandlerType)reader.ReadUInt32());
|
||||
|
||||
int handlerOffset = reader.ReadInt32();
|
||||
eh.HandlerStart = getInstruction(handlerOffset);
|
||||
eh.HandlerEnd = getInstructionOrNull(handlerOffset + reader.ReadInt32());
|
||||
uint tryOffset = reader.ReadUInt32();
|
||||
eh.TryStart = GetInstructionThrow(tryOffset);
|
||||
eh.TryEnd = GetInstruction(tryOffset + reader.ReadUInt32());
|
||||
|
||||
uint handlerOffset = reader.ReadUInt32();
|
||||
eh.HandlerStart = GetInstructionThrow(handlerOffset);
|
||||
eh.HandlerEnd = GetInstruction(handlerOffset + reader.ReadUInt32());
|
||||
|
||||
switch (eh.HandlerType) {
|
||||
case ExceptionHandlerType.Catch:
|
||||
eh.CatchType = (TypeReference)module.LookupToken(reader.ReadInt32());
|
||||
eh.CatchType = module.ResolveToken(reader.ReadUInt32()) as ITypeDefOrRef;
|
||||
break;
|
||||
|
||||
case ExceptionHandlerType.Filter:
|
||||
eh.FilterStart = getInstruction(reader.ReadInt32());
|
||||
eh.FilterStart = GetInstructionThrow(reader.ReadUInt32());
|
||||
break;
|
||||
|
||||
case ExceptionHandlerType.Finally:
|
||||
case ExceptionHandlerType.Fault:
|
||||
default:
|
||||
reader.ReadInt32();
|
||||
reader.ReadUInt32();
|
||||
break;
|
||||
}
|
||||
|
||||
return eh;
|
||||
}
|
||||
|
||||
public override void restoreMethod(MethodDef method) {
|
||||
base.restoreMethod(method);
|
||||
method.Body.MaxStackSize = maxStackSize;
|
||||
public new void RestoreMethod(MethodDef method) {
|
||||
base.RestoreMethod(method);
|
||||
method.Body.MaxStack = maxStackSize;
|
||||
}
|
||||
}
|
||||
}
|
||||
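Review bot: `getLocals` now returns `method.Body.LocalList` itself, where the old code returned a copy (`new List<VariableDefinition>(method.Body.Variables)`), so `this.locals` aliases the method body's own list. If `base.RestoreMethod` clears the body's locals before re-adding them from `locals` (not visible here), the restored method would end up with no locals; `return new List<Local>(method.Body.LocalList);` keeps the old copy semantics. Separately, `readExceptionHandlers` allocates `new ExceptionHandler[numExceptionHandlers]` from a count the caller derives from `totalSize` in the decrypted blob, so rejecting negative or implausibly large counts before allocating would make a malformed sample fail with a clear error. `RestoreMethod` is also declared `public new`, so a call through the base type would skip the `MaxStack` assignment; a short comment saying that hiding is intended would help.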
|
|
|
@ -19,14 +19,14 @@
|
|||
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.IO;
|
||||
using dot10.IO;
|
||||
using dot10.DotNet;
|
||||
using dot10.DotNet.Emit;
|
||||
using de4dot.blocks;
|
||||
|
||||
namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||
class MethodsDecrypter {
|
||||
ModuleDefinition module;
|
||||
ModuleDefMD module;
|
||||
TypeDef decrypterType;
|
||||
MethodDef decryptMethod;
|
||||
MethodDef decrypterCctor;
|
||||
|
@ -49,7 +49,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
get { return decrypterType != null; }
|
||||
}
|
||||
|
||||
public MethodsDecrypter(ModuleDefinition module) {
|
||||
public MethodsDecrypter(ModuleDefMD module) {
|
||||
this.module = module;
|
||||
}
|
||||
|
||||
|
@ -73,7 +73,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
if (!new FieldTypes(type).all(requiredFields))
|
||||
return false;
|
||||
|
||||
var cctor = DotNetUtils.getMethod(type, ".cctor");
|
||||
var cctor = type.FindClassConstructor();
|
||||
if (cctor == null)
|
||||
return false;
|
||||
var decryptMethodTmp = findDecryptMethod(type);
|
||||
|
@ -120,23 +120,23 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
if (resource == null)
|
||||
return;
|
||||
var decrypted = resourceDecrypter.decrypt(resource.GetResourceStream());
|
||||
var reader = new BinaryReader(new MemoryStream(decrypted));
|
||||
var reader = MemoryImageStream.Create(decrypted);
|
||||
int numEncrypted = reader.ReadInt32();
|
||||
Log.v("Restoring {0} encrypted methods", numEncrypted);
|
||||
Log.indent();
|
||||
for (int i = 0; i < numEncrypted; i++) {
|
||||
int delegateTypeToken = reader.ReadInt32();
|
||||
uint codeOffset = reader.ReadUInt32();
|
||||
var origOffset = reader.BaseStream.Position;
|
||||
reader.BaseStream.Position = codeOffset;
|
||||
var origOffset = reader.Position;
|
||||
reader.Position = codeOffset;
|
||||
decrypt(reader, delegateTypeToken);
|
||||
reader.BaseStream.Position = origOffset;
|
||||
reader.Position = origOffset;
|
||||
}
|
||||
Log.deIndent();
|
||||
}
|
||||
|
||||
void decrypt(BinaryReader reader, int delegateTypeToken) {
|
||||
var delegateType = module.LookupToken(delegateTypeToken) as TypeDef;
|
||||
void decrypt(IBinaryReader reader, int delegateTypeToken) {
|
||||
var delegateType = module.ResolveToken(delegateTypeToken) as TypeDef;
|
||||
if (delegateType == null)
|
||||
throw new ApplicationException("Couldn't find delegate type");
|
||||
|
||||
|
@ -145,21 +145,21 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
throw new ApplicationException("Could not find encrypted method tokens");
|
||||
if (delToken != delegateTypeToken)
|
||||
throw new ApplicationException("Invalid delegate type token");
|
||||
var encType = module.LookupToken(encDeclToken) as TypeReference;
|
||||
var encType = module.ResolveToken(encDeclToken) as ITypeDefOrRef;
|
||||
if (encType == null)
|
||||
throw new ApplicationException("Invalid declaring type token");
|
||||
var encMethod = module.LookupToken(encMethToken) as MethodDef;
|
||||
var encMethod = module.ResolveToken(encMethToken) as MethodDef;
|
||||
if (encMethod == null)
|
||||
throw new ApplicationException("Invalid encrypted method token");
|
||||
|
||||
var bodyReader = new MethodBodyReader(module, reader);
|
||||
bodyReader.read(encMethod);
|
||||
bodyReader.restoreMethod(encMethod);
|
||||
bodyReader.RestoreMethod(encMethod);
|
||||
Log.v("Restored method {0} ({1:X8}). Instrs:{2}, Locals:{3}, Exceptions:{4}",
|
||||
Utils.removeNewlines(encMethod.FullName),
|
||||
encMethod.MDToken.ToInt32(),
|
||||
encMethod.Body.Instructions.Count,
|
||||
encMethod.Body.Variables.Count,
|
||||
encMethod.Body.LocalList.Count,
|
||||
encMethod.Body.ExceptionHandlers.Count);
|
||||
delegateTypes.Add(delegateType);
|
||||
}
|
||||
|
@ -169,20 +169,20 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
encMethodToken = 0;
|
||||
encDeclaringTypeToken = 0;
|
||||
|
||||
var cctor = DotNetUtils.getMethod(delegateType, ".cctor");
|
||||
var cctor = delegateType.FindClassConstructor();
|
||||
if (cctor == null)
|
||||
return false;
|
||||
|
||||
var instrs = cctor.Body.Instructions;
|
||||
for (int i = 0; i < instrs.Count - 3; i++) {
|
||||
var ldci4_1 = instrs[i];
|
||||
if (!DotNetUtils.isLdcI4(ldci4_1))
|
||||
if (!ldci4_1.IsLdcI4())
|
||||
continue;
|
||||
var ldci4_2 = instrs[i + 1];
|
||||
if (!DotNetUtils.isLdcI4(ldci4_2))
|
||||
if (!ldci4_2.IsLdcI4())
|
||||
continue;
|
||||
var ldci4_3 = instrs[i + 2];
|
||||
if (!DotNetUtils.isLdcI4(ldci4_3))
|
||||
if (!ldci4_3.IsLdcI4())
|
||||
continue;
|
||||
var call = instrs[i + 3];
|
||||
if (call.OpCode.Code != Code.Call)
|
||||
|
@ -193,9 +193,9 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
if (calledMethod != decryptMethod)
|
||||
continue;
|
||||
|
||||
delegateToken = DotNetUtils.getLdcI4Value(ldci4_1);
|
||||
encMethodToken = DotNetUtils.getLdcI4Value(ldci4_2);
|
||||
encDeclaringTypeToken = DotNetUtils.getLdcI4Value(ldci4_3);
|
||||
delegateToken = ldci4_1.GetLdcI4Value();
|
||||
encMethodToken = ldci4_2.GetLdcI4Value();
|
||||
encDeclaringTypeToken = ldci4_3.GetLdcI4Value();
|
||||
return true;
|
||||
}
|
||||
|
||||
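Review bot: In the hunk at -120, `resourceDecrypter.decrypt(resource.GetResourceStream())` is left unchanged while ConstantsDecrypter.cs and ResourceResolver.cs in this commit port the same call to `resource.Data.CreateStream()`. If dot10's `EmbeddedResource` has no `GetResourceStream()`, this file will not compile now that the project builds it, so the line probably wants `resourceDecrypter.decrypt(resource.Data.CreateStream())`. In the same loop, `codeOffset` is read from the decrypted blob and assigned to `reader.Position` with no check against the reader's length; validating it first would turn a corrupt or hostile offset into an explicit `ApplicationException` instead of whatever the reader does on an out-of-range seek.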
|
|
|
@ -27,7 +27,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
class ProxyCallFixer : ProxyCallFixer2 {
|
||||
Dictionary<MethodDef, ProxyCreatorType> methodToType = new Dictionary<MethodDef, ProxyCreatorType>();
|
||||
|
||||
public ProxyCallFixer(ModuleDefinition module)
|
||||
public ProxyCallFixer(ModuleDefMD module)
|
||||
: base(module) {
|
||||
}
|
||||
|
||||
|
@ -39,11 +39,11 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
}
|
||||
|
||||
class Context {
|
||||
public int typeToken;
|
||||
public int methodToken;
|
||||
public int declaringTypeToken;
|
||||
public uint typeToken;
|
||||
public uint methodToken;
|
||||
public uint declaringTypeToken;
|
||||
public ProxyCreatorType proxyCreatorType;
|
||||
public Context(int typeToken, int methodToken, int declaringTypeToken, ProxyCreatorType proxyCreatorType) {
|
||||
public Context(uint typeToken, uint methodToken, uint declaringTypeToken, ProxyCreatorType proxyCreatorType) {
|
||||
this.typeToken = typeToken;
|
||||
this.methodToken = methodToken;
|
||||
this.declaringTypeToken = declaringTypeToken;
|
||||
|
@ -58,9 +58,9 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
if (instrs == null)
|
||||
continue;
|
||||
|
||||
int typeToken = (int)instrs[0].Operand;
|
||||
int methodToken = (int)instrs[1].Operand;
|
||||
int declaringTypeToken = (int)instrs[2].Operand;
|
||||
uint typeToken = (uint)(int)instrs[0].Operand;
|
||||
uint methodToken = (uint)(int)instrs[1].Operand;
|
||||
uint declaringTypeToken = (uint)(int)instrs[2].Operand;
|
||||
var createMethod = instrs[3].Operand as MethodDef;
|
||||
|
||||
ProxyCreatorType proxyCreatorType;
|
||||
|
@ -73,12 +73,12 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
return null;
|
||||
}
|
||||
|
||||
protected override void getCallInfo(object context, FieldDef field, out MethodReference calledMethod, out OpCode callOpcode) {
|
||||
protected override void getCallInfo(object context, FieldDef field, out IMethod calledMethod, out OpCode callOpcode) {
|
||||
var ctx = (Context)context;
|
||||
|
||||
switch (ctx.proxyCreatorType) {
|
||||
case ProxyCreatorType.CallOrCallvirt:
|
||||
callOpcode = field.IsFamilyOrAssembly ? OpCodes.Callvirt : OpCodes.Call;
|
||||
callOpcode = field.IsFamORAssem ? OpCodes.Callvirt : OpCodes.Call;
|
||||
break;
|
||||
case ProxyCreatorType.CallCtor:
|
||||
callOpcode = OpCodes.Call;
|
||||
|
@ -90,7 +90,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
throw new ApplicationException(string.Format("Invalid proxy creator type: {0}", ctx.proxyCreatorType));
|
||||
}
|
||||
|
||||
calledMethod = module.LookupToken(ctx.methodToken) as MethodReference;
|
||||
calledMethod = module.ResolveToken(ctx.methodToken) as IMethod;
|
||||
}
|
||||
|
||||
public void findDelegateCreator() {
|
||||
|
@ -136,7 +136,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
foreach (var instr in createMethod.Body.Instructions) {
|
||||
if (instr.OpCode.Code != Code.Ldsfld)
|
||||
continue;
|
||||
var field = instr.Operand as FieldReference;
|
||||
var field = instr.Operand as IField;
|
||||
if (field == null)
|
||||
continue;
|
||||
switch (field.FullName) {
|
||||
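Review bot: `uint typeToken = (uint)(int)instrs[0].Operand;` and the two lines after it unbox the operand as `int`, which throws InvalidCastException for any other boxed operand type. MethodsDecrypter.cs in this commit reads the same kind of constant through `GetLdcI4Value()`, so `uint typeToken = (uint)instrs[0].GetLdcI4Value();` would be consistent and would not depend on which ldc.i4 form the obfuscator emitted; whether the pattern that yields `instrs` already restricts the opcode is outside the hunk. In `getCallInfo`, `module.ResolveToken(ctx.methodToken) as IMethod` can leave `calledMethod` null for a token that resolves to something else, and a one-line comment stating that callers must handle null would document that.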
|
|
|
@ -29,7 +29,7 @@ using de4dot.blocks;
|
|||
namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||
class ResourceDecrypter {
|
||||
const int BUFLEN = 0x8000;
|
||||
ModuleDefinition module;
|
||||
ModuleDefMD module;
|
||||
TypeDef resourceDecrypterType;
|
||||
byte[] buffer1 = new byte[BUFLEN];
|
||||
byte[] buffer2 = new byte[BUFLEN];
|
||||
|
@ -40,7 +40,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
bool flipFlagsBits;
|
||||
int skipBytes;
|
||||
|
||||
public ResourceDecrypter(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator) {
|
||||
public ResourceDecrypter(ModuleDefMD module, ISimpleDeobfuscator simpleDeobfuscator) {
|
||||
this.module = module;
|
||||
frameworkType = DotNetUtils.getFrameworkType(module);
|
||||
find(simpleDeobfuscator);
|
||||
|
@ -49,7 +49,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
void find(ISimpleDeobfuscator simpleDeobfuscator) {
|
||||
switch (frameworkType) {
|
||||
case FrameworkType.Desktop:
|
||||
if (module.Runtime >= TargetRuntime.Net_2_0)
|
||||
if (!module.IsClr1x)
|
||||
findDesktopOrCompactFramework();
|
||||
else
|
||||
findDesktopOrCompactFrameworkV1();
|
||||
|
@ -60,7 +60,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
break;
|
||||
|
||||
case FrameworkType.CompactFramework:
|
||||
if (module.Runtime >= TargetRuntime.Net_2_0) {
|
||||
if (!module.IsClr1x) {
|
||||
if (findDesktopOrCompactFramework())
|
||||
break;
|
||||
}
|
||||
|
@ -84,7 +84,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
if (!new FieldTypes(type).exactly(requiredTypes))
|
||||
continue;
|
||||
|
||||
var cctor = DotNetUtils.getMethod(type, ".cctor");
|
||||
var cctor = type.FindClassConstructor();
|
||||
if (cctor == null)
|
||||
continue;
|
||||
|
||||
|
@ -103,8 +103,8 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
int stsfldCount = 0;
|
||||
foreach (var instr in cctor.Body.Instructions) {
|
||||
if (instr.OpCode.Code == Code.Stsfld) {
|
||||
var field = instr.Operand as FieldReference;
|
||||
if (!MemberReferenceHelper.compareTypes(cctor.DeclaringType, field.DeclaringType))
|
||||
var field = instr.Operand as IField;
|
||||
if (!new SigComparer().Equals(cctor.DeclaringType, field.DeclaringType))
|
||||
return false;
|
||||
stsfldCount++;
|
||||
}
|
||||
|
@ -186,10 +186,10 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
var instrs = method.Body.Instructions;
|
||||
for (int i = 0; i < instrs.Count - 1; i++) {
|
||||
var ldloc = instrs[i];
|
||||
if (!DotNetUtils.isLdloc(ldloc))
|
||||
if (!ldloc.IsLdloc())
|
||||
continue;
|
||||
var local = DotNetUtils.getLocalVar(method.Body.Variables, ldloc);
|
||||
if (local == null || !local.VariableType.IsPrimitive)
|
||||
var local = ldloc.GetLocal(method.Body.LocalList);
|
||||
if (local == null || local.Type.GetElementType().GetPrimitiveSize() < 0)
|
||||
continue;
|
||||
|
||||
var not = instrs[i + 1];
|
||||
|
@ -214,16 +214,16 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
if (and.OpCode.Code != Code.And)
|
||||
continue;
|
||||
var ldci4 = instructions[i - 1];
|
||||
if (!DotNetUtils.isLdcI4(ldci4))
|
||||
if (!ldci4.IsLdcI4())
|
||||
continue;
|
||||
int flagValue = DotNetUtils.getLdcI4Value(ldci4);
|
||||
int flagValue = ldci4.GetLdcI4Value();
|
||||
if (!isFlag(flagValue))
|
||||
continue;
|
||||
var ldloc = instructions[i - 2];
|
||||
if (!DotNetUtils.isLdloc(ldloc))
|
||||
if (!ldloc.IsLdloc())
|
||||
continue;
|
||||
var local = DotNetUtils.getLocalVar(method.Body.Variables, ldloc);
|
||||
if (!local.VariableType.IsPrimitive)
|
||||
var local = ldloc.GetLocal(method.Body.LocalList);
|
||||
if (local.Type.GetElementType().GetPrimitiveSize() < 0)
|
||||
continue;
|
||||
constants.Add(flagValue);
|
||||
}
|
||||
|
@ -233,7 +233,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
|
||||
switch (frameworkType) {
|
||||
case FrameworkType.Desktop:
|
||||
if (module.Runtime >= TargetRuntime.Net_2_0) {
|
||||
if (!module.IsClr1x) {
|
||||
if (constants.Count == 2) {
|
||||
desEncryptedFlag = (byte)constants[0];
|
||||
deflatedFlag = (byte)constants[1];
|
||||
|
@ -270,9 +270,9 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
var instrs = method.Body.Instructions;
|
||||
for (int i = 0; i < instrs.Count - 1; i++) {
|
||||
var ldci4 = instrs[i];
|
||||
if (!DotNetUtils.isLdcI4(ldci4))
|
||||
if (!ldci4.IsLdcI4())
|
||||
continue;
|
||||
int loopCount = DotNetUtils.getLdcI4Value(ldci4);
|
||||
int loopCount = ldci4.GetLdcI4Value();
|
||||
if (loopCount < 2 || loopCount > 3)
|
||||
continue;
|
||||
var blt = instrs[i + 1];
|
||||
|
@ -402,7 +402,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
if (key[i] != 0)
|
||||
return key;
|
||||
}
|
||||
key = module.Assembly.Name.PublicKeyToken;
|
||||
key = PublicKeyBase.GetRawData(module.Assembly.PublicKeyToken);
|
||||
if (key == null)
|
||||
throw new ApplicationException("PublicKeyToken is null, can't decrypt resources");
|
||||
return key;
|
||||
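Review bot: Two ported lines dereference a value that can be null when the input assembly is malformed. In the hunk at -103, `var field = instr.Operand as IField;` is followed directly by `field.DeclaringType`; use `if (field == null || !new SigComparer().Equals(cctor.DeclaringType, field.DeclaringType)) return false;`. In the hunk at -214, `ldloc.GetLocal(method.Body.LocalList)` is used as `local.Type...` without a check, although the loop in the hunk at -186 tests `local == null ||` first; write `if (local == null || local.Type.GetElementType().GetPrimitiveSize() < 0) continue;` there too. The enclosing methods begin outside these hunks.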
|
|
|
@ -19,13 +19,14 @@
|
|||
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using dot10.IO;
|
||||
using dot10.DotNet;
|
||||
using dot10.DotNet.Emit;
|
||||
using de4dot.blocks;
|
||||
|
||||
namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||
class ResourceResolver {
|
||||
ModuleDefinition module;
|
||||
ModuleDefMD module;
|
||||
ResourceDecrypter resourceDecrypter;
|
||||
TypeDef resolverType;
|
||||
MethodDef resolverMethod;
|
||||
|
@ -46,7 +47,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
get { return resolverMethod; }
|
||||
}
|
||||
|
||||
public ResourceResolver(ModuleDefinition module, ResourceDecrypter resourceDecrypter) {
|
||||
public ResourceResolver(ModuleDefMD module, ResourceDecrypter resourceDecrypter) {
|
||||
this.module = module;
|
||||
this.resourceDecrypter = resourceDecrypter;
|
||||
}
|
||||
|
@ -74,7 +75,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
if (resource == null)
|
||||
return null;
|
||||
|
||||
DeobUtils.decryptAndAddResources(module, resource.Name, () => resourceDecrypter.decrypt(resource.GetResourceStream()));
|
||||
DeobUtils.decryptAndAddResources(module, resource.Name.String, () => resourceDecrypter.decrypt(resource.Data.CreateStream()));
|
||||
mergedIt = true;
|
||||
return resource;
|
||||
}
|
||||
|
@ -84,12 +85,12 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
|
||||
switch (resolverVersion) {
|
||||
case ResolverVersion.V1:
|
||||
names.Add(module.Assembly.Name.Name);
|
||||
names.Add(module.Assembly.Name.String);
|
||||
break;
|
||||
|
||||
case ResolverVersion.V2:
|
||||
names.Add(string.Format("{0}{0}{0}", module.Assembly.Name.Name));
|
||||
names.Add(string.Format("{0}&", module.Assembly.Name.Name));
|
||||
names.Add(string.Format("{0}{0}{0}", module.Assembly.Name.String));
|
||||
names.Add(string.Format("{0}&", module.Assembly.Name.String));
|
||||
break;
|
||||
|
||||
default:
|
||||
|
@ -107,7 +108,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
|
||||
resolverVersion = checkSetupMethod(initMethod);
|
||||
if (resolverVersion == ResolverVersion.None)
|
||||
resolverVersion = checkSetupMethod(DotNetUtils.getMethod(initMethod.DeclaringType, ".cctor"));
|
||||
resolverVersion = checkSetupMethod(initMethod.DeclaringType.FindClassConstructor());
|
||||
if (resolverVersion == ResolverVersion.None)
|
||||
return false;
|
||||
|
||||
|
@ -124,15 +125,15 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
if (instrs == null)
|
||||
continue;
|
||||
|
||||
MethodReference methodRef;
|
||||
IMethod methodRef;
|
||||
var ldftn = instrs[1];
|
||||
var newobj = instrs[2];
|
||||
|
||||
methodRef = ldftn.Operand as MethodReference;
|
||||
if (methodRef == null || !MemberReferenceHelper.compareTypes(setupMethod.DeclaringType, methodRef.DeclaringType))
|
||||
methodRef = ldftn.Operand as IMethod;
|
||||
if (methodRef == null || !new SigComparer().Equals(setupMethod.DeclaringType, methodRef.DeclaringType))
|
||||
continue;
|
||||
|
||||
methodRef = newobj.Operand as MethodReference;
|
||||
methodRef = newobj.Operand as IMethod;
|
||||
if (methodRef == null || methodRef.FullName != "System.Void System.ResolveEventHandler::.ctor(System.Object,System.IntPtr)")
|
||||
continue;
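Review bot: The new `module.Assembly.Name.String` reads in the `ResolverVersion.V1` and `V2` cases dereference the name object itself, so a module whose assembly name is missing would throw there, where the old string-typed `Name.Name` would have added a null or empty entry. This assumes dot10's name type is a reference type, which the section does not show. Because this code runs on obfuscated and possibly malformed assemblies, I would read the name once and fall back to an empty string, e.g. `var asmName = module.Assembly.Name; var name = asmName == null ? "" : asmName.String;`, then build the three candidate names from `name`. The same pattern appears in `getResourceName()` in the StringDecrypter section (`module.Assembly.Name.String + module.Assembly.Name.String`). The method enclosing the switch starts and ends outside the hunk.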
|
||||
|
||||
|
|
|
@ -24,7 +24,7 @@ using de4dot.blocks;
|
|||
|
||||
namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||
class StringDecrypter {
|
||||
ModuleDefinition module;
|
||||
ModuleDefMD module;
|
||||
EmbeddedResource stringResource;
|
||||
TypeDef stringDecrypterType;
|
||||
MethodDef stringDecrypterMethod;
|
||||
|
@ -46,7 +46,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
get { return stringResource; }
|
||||
}
|
||||
|
||||
public StringDecrypter(ModuleDefinition module) {
|
||||
public StringDecrypter(ModuleDefMD module) {
|
||||
this.module = module;
|
||||
}
|
||||
|
||||
|
@ -74,9 +74,9 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
}
|
||||
|
||||
string getResourceName() {
|
||||
var defaultName = module.Assembly.Name.Name + module.Assembly.Name.Name;
|
||||
var defaultName = module.Assembly.Name.String + module.Assembly.Name.String;
|
||||
|
||||
var cctor = DotNetUtils.getMethod(stringDecrypterType, ".cctor");
|
||||
var cctor = stringDecrypterType.FindClassConstructor();
|
||||
if (cctor == null)
|
||||
return defaultName;
|
||||
|
||||
|
|
|
@ -22,7 +22,7 @@ using de4dot.blocks;
|
|||
|
||||
namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||
class TamperDetection {
|
||||
ModuleDefinition module;
|
||||
ModuleDefMD module;
|
||||
TypeDef tamperType;
|
||||
MethodDef tamperMethod;
|
||||
FrameworkType frameworkType;
|
||||
|
@ -39,7 +39,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
get { return tamperMethod; }
|
||||
}
|
||||
|
||||
public TamperDetection(ModuleDefinition module) {
|
||||
public TamperDetection(ModuleDefMD module) {
|
||||
this.module = module;
|
||||
frameworkType = DotNetUtils.getFrameworkType(module);
|
||||
}
|
||||
|
|
|
@ -42,8 +42,8 @@ namespace de4dot.cui {
|
|||
new de4dot.code.deobfuscators.CodeFort.DeobfuscatorInfo(),
|
||||
new de4dot.code.deobfuscators.CodeVeil.DeobfuscatorInfo(),
|
||||
new de4dot.code.deobfuscators.CodeWall.DeobfuscatorInfo(),
|
||||
#if PORT
|
||||
new de4dot.code.deobfuscators.CryptoObfuscator.DeobfuscatorInfo(),
|
||||
#if PORT
|
||||
new de4dot.code.deobfuscators.DeepSea.DeobfuscatorInfo(),
|
||||
#endif
|
||||
new de4dot.code.deobfuscators.Dotfuscator.DeobfuscatorInfo(),
|
||||
|
|
2
dot10
2
dot10
|
@ -1 +1 @@
|
|||
Subproject commit da98052a05288943bcb29e813b3c3ba448ae2101
|
||||
Subproject commit ba1fa2135fec435ecee2ea041c9a7dae56e5dd47
|