Support ILProtector 2.0.12.0 - 2.0.12.3
This commit is contained in:
de4dot
parent
90c67b2fe9
commit
5d64daefb9
|
|
@ -38,6 +38,7 @@ namespace de4dot.code.deobfuscators.ILProtector {
|
|||
FieldInfo invokerFieldInfo;
|
||||
ModuleDefMD moduleProtect;
|
||||
IDecrypter decrypter;
|
||||
bool methodReaderHasDelegateTypeFlag;
|
||||
|
||||
interface IDecrypter {
|
||||
byte[] Decrypt(int methodId, uint rid);
|
||||
|
|
@ -269,7 +270,7 @@ namespace de4dot.code.deobfuscators.ILProtector {
|
|||
}
|
||||
}
|
||||
|
||||
// 2.0.9.0 - 2.0.11.0
|
||||
// 2.0.9.0 - 2.0.11.1
|
||||
class DecrypterV2_0_9_0 : DecrypterBase {
|
||||
DecryptMethod decryptMethod;
|
||||
byte[] decryptedData;
|
||||
|
|
@ -299,6 +300,112 @@ namespace de4dot.code.deobfuscators.ILProtector {
|
|||
}
|
||||
}
|
||||
|
||||
abstract class DecrypterBaseV2_0_12_x : IDecrypter {
|
||||
protected readonly DynamicMethodsDecrypter dmd;
|
||||
protected byte[] currentILBytes;
|
||||
byte[] decryptedData;
|
||||
readonly Delegate invoker;
|
||||
protected readonly IntPtr pGetILBytes;
|
||||
protected readonly IntPtr pDecryptCallback;
|
||||
|
||||
protected unsafe DecrypterBaseV2_0_12_x(DynamicMethodsDecrypter dmd) {
|
||||
this.dmd = dmd;
|
||||
this.invoker = (Delegate)dmd.invokerFieldInfo.GetValue(null);
|
||||
|
||||
byte* p = (byte*)GetStateAddr(invoker.Target);
|
||||
p += IntPtr.Size * 3;
|
||||
p = *(byte**)p;
|
||||
p += 8 + IntPtr.Size * 8;
|
||||
p = *(byte**)p;
|
||||
p += IntPtr.Size * 3;
|
||||
p = *(byte**)p;
|
||||
pGetILBytes = new IntPtr(p + IntPtr.Size * 39);
|
||||
pDecryptCallback = new IntPtr(p + IntPtr.Size * 40);
|
||||
}
|
||||
|
||||
IntPtr GetStateAddr(object obj) {
|
||||
var flags = BindingFlags.DeclaredOnly | BindingFlags.Instance | BindingFlags.Public | BindingFlags.NonPublic;
|
||||
foreach (var fi in obj.GetType().GetFields(flags)) {
|
||||
if (fi.FieldType == typeof(IntPtr))
|
||||
return (IntPtr)fi.GetValue(obj);
|
||||
}
|
||||
throw new ApplicationException("Could not find an IntPtr field");
|
||||
}
|
||||
|
||||
public byte[] Decrypt(int methodId, uint rid) {
|
||||
decryptedData = null;
|
||||
currentILBytes = dmd.reflectionModule.ResolveMethod(0x06000000 + (int)rid).GetMethodBody().GetILAsByteArray();
|
||||
|
||||
invoker.DynamicInvoke(new object[1] { methodId });
|
||||
return decryptedData;
|
||||
}
|
||||
|
||||
protected unsafe void SaveDecryptedData(byte* pMethodCode, int methodSize) {
|
||||
decryptedData = new byte[methodSize];
|
||||
Marshal.Copy(new IntPtr(pMethodCode), decryptedData, 0, decryptedData.Length);
|
||||
}
|
||||
}
|
||||
|
||||
// 2.0.12.0 - 2.0.12.2
|
||||
class DecrypterV2_0_12_0 : DecrypterBaseV2_0_12_x {
|
||||
readonly GetCallerMethodAsILByteArrayDelegate getCallerMethodAsILByteArrayDelegate;
|
||||
readonly DecryptCallbackDelegate decryptCallbackDelegate;
|
||||
|
||||
[return: MarshalAs(UnmanagedType.SafeArray)]
|
||||
delegate byte[] GetCallerMethodAsILByteArrayDelegate(IntPtr a, int skipFrames);
|
||||
unsafe delegate bool DecryptCallbackDelegate(IntPtr a, byte* pMethodCode, int methodSize, int methodId);
|
||||
|
||||
public unsafe DecrypterV2_0_12_0(DynamicMethodsDecrypter dmd)
|
||||
: base(dmd) {
|
||||
getCallerMethodAsILByteArrayDelegate = GetCallerMethodAsILByteArray;
|
||||
decryptCallbackDelegate = MyDecryptCallback;
|
||||
|
||||
*(IntPtr*)pGetILBytes = Marshal.GetFunctionPointerForDelegate(getCallerMethodAsILByteArrayDelegate);
|
||||
*(IntPtr*)pDecryptCallback = Marshal.GetFunctionPointerForDelegate(decryptCallbackDelegate);
|
||||
}
|
||||
|
||||
byte[] GetCallerMethodAsILByteArray(IntPtr a, int skipFrames) {
|
||||
return currentILBytes;
|
||||
}
|
||||
|
||||
unsafe bool MyDecryptCallback(IntPtr a, byte* pMethodCode, int methodSize, int methodId) {
|
||||
SaveDecryptedData(pMethodCode, methodSize);
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
// 2.0.12.3
|
||||
class DecrypterV2_0_12_3 : DecrypterBaseV2_0_12_x {
|
||||
readonly GetCallerMethodAsILByteArrayDelegate getCallerMethodAsILByteArrayDelegate;
|
||||
readonly DecryptCallbackDelegate decryptCallbackDelegate;
|
||||
|
||||
[return: MarshalAs(UnmanagedType.SafeArray)]
|
||||
delegate byte[] GetCallerMethodAsILByteArrayDelegate(IntPtr a, int skipFrames, IntPtr c, IntPtr d);
|
||||
unsafe delegate bool DecryptCallbackDelegate(IntPtr a, byte* pMethodCode, int methodSize, int methodId, IntPtr e);
|
||||
|
||||
public unsafe DecrypterV2_0_12_3(DynamicMethodsDecrypter dmd)
|
||||
: base(dmd) {
|
||||
getCallerMethodAsILByteArrayDelegate = GetCallerMethodAsILByteArray;
|
||||
decryptCallbackDelegate = MyDecryptCallback;
|
||||
|
||||
*(IntPtr*)pGetILBytes = Marshal.GetFunctionPointerForDelegate(getCallerMethodAsILByteArrayDelegate);
|
||||
*(IntPtr*)pDecryptCallback = Marshal.GetFunctionPointerForDelegate(decryptCallbackDelegate);
|
||||
}
|
||||
|
||||
byte[] GetCallerMethodAsILByteArray(IntPtr a, int skipFrames, IntPtr c, IntPtr d) {
|
||||
return currentILBytes;
|
||||
}
|
||||
|
||||
unsafe bool MyDecryptCallback(IntPtr a, byte* pMethodCode, int methodSize, int methodId, IntPtr e) {
|
||||
SaveDecryptedData(pMethodCode, methodSize);
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
public bool MethodReaderHasDelegateTypeFlag {
|
||||
get { return methodReaderHasDelegateTypeFlag; }
|
||||
}
|
||||
|
||||
public DynamicMethodsDecrypter(ModuleDefMD module, Module reflectionModule) {
|
||||
this.module = module;
|
||||
this.reflectionModule = reflectionModule;
|
||||
|
|
@ -338,11 +445,22 @@ namespace de4dot.code.deobfuscators.ILProtector {
|
|||
}
|
||||
|
||||
IDecrypter CreateDecrypter() {
|
||||
return CreateDecrypterV1_0_7_0() ??
|
||||
CreateDecrypterV2_0_0_0() ??
|
||||
CreateDecrypterV2_0_8_0() ??
|
||||
CreateDecrypterV2_0_8_5() ??
|
||||
CreateDecrypterV2_0_9_0();
|
||||
var version = reflectionProtectModule.Assembly.GetName().Version;
|
||||
if (reflectionProtectModule.Assembly.GetName().Version < new Version(2, 0, 12, 0)) {
|
||||
return CreateDecrypterV1_0_7_0() ??
|
||||
CreateDecrypterV2_0_0_0() ??
|
||||
CreateDecrypterV2_0_8_0() ??
|
||||
CreateDecrypterV2_0_8_5() ??
|
||||
CreateDecrypterV2_0_9_0();
|
||||
}
|
||||
|
||||
methodReaderHasDelegateTypeFlag = true;
|
||||
if (version < new Version(2, 0, 12, 3))
|
||||
return CreateDecrypterV2_0_12_0();
|
||||
if (version < new Version(2, 0, 12, 4))
|
||||
return CreateDecrypterV2_0_12_3();
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
IDecrypter CreateDecrypterV1_0_7_0() {
|
||||
|
|
@ -385,6 +503,14 @@ namespace de4dot.code.deobfuscators.ILProtector {
|
|||
return new DecrypterV2_0_9_0(this, delegateField);
|
||||
}
|
||||
|
||||
IDecrypter CreateDecrypterV2_0_12_0() {
|
||||
return new DecrypterV2_0_12_0(this);
|
||||
}
|
||||
|
||||
IDecrypter CreateDecrypterV2_0_12_3() {
|
||||
return new DecrypterV2_0_12_3(this);
|
||||
}
|
||||
|
||||
static readonly byte[] ilpPublicKeyToken = new byte[8] { 0x20, 0x12, 0xD3, 0xC0, 0x55, 0x1F, 0xE0, 0x3D };
|
||||
static Assembly GetProtectAssembly() {
|
||||
foreach (var asm in AppDomain.CurrentDomain.GetAssemblies()) {
|
||||
|
|
|
|||
|
|
@ -26,9 +26,11 @@ using AssemblyData;
|
|||
namespace de4dot.code.deobfuscators.ILProtector {
|
||||
sealed class DynamicMethodsDecrypterService : IUserGenericService {
|
||||
public const int MSG_DECRYPT_METHODS = 0;
|
||||
public const int MSG_HAS_DELEGATE_TYPE_FLAG = 1;
|
||||
|
||||
Module reflObfModule;
|
||||
ModuleDefMD obfModule;
|
||||
bool hasDelegateTypeFlag;
|
||||
|
||||
[CreateUserGenericService]
|
||||
public static IUserGenericService Create() {
|
||||
|
|
@ -51,6 +53,9 @@ namespace de4dot.code.deobfuscators.ILProtector {
|
|||
case MSG_DECRYPT_METHODS:
|
||||
return DecryptMethods(args[0] as IList<int>);
|
||||
|
||||
case MSG_HAS_DELEGATE_TYPE_FLAG:
|
||||
return hasDelegateTypeFlag;
|
||||
|
||||
default:
|
||||
throw new ApplicationException(string.Format("Invalid msg: {0:X8}", msg));
|
||||
}
|
||||
|
|
@ -65,6 +70,8 @@ namespace de4dot.code.deobfuscators.ILProtector {
|
|||
for (int i = 0; i < methodIds.Count; i += 2)
|
||||
infos.Add(decrypter.Decrypt(methodIds[i], (uint)methodIds[i + 1]));
|
||||
|
||||
hasDelegateTypeFlag = decrypter.MethodReaderHasDelegateTypeFlag;
|
||||
|
||||
return infos;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -42,6 +42,7 @@ namespace de4dot.code.deobfuscators.ILProtector {
|
|||
client.GenericService.LoadUserService(typeof(DynamicMethodsDecrypterService), null);
|
||||
client.GenericService.LoadAssembly(module.Location);
|
||||
decryptedData = client.GenericService.SendMessage(DynamicMethodsDecrypterService.MSG_DECRYPT_METHODS, new object[] { GetMethodIds() }) as IList<DecryptedMethodInfo>;
|
||||
MethodReaderHasDelegateTypeFlag = (bool)client.GenericService.SendMessage(DynamicMethodsDecrypterService.MSG_HAS_DELEGATE_TYPE_FLAG, new object[0]);
|
||||
}
|
||||
|
||||
if (decryptedData == null)
|
||||
|
|
|
|||
|
|
@ -31,6 +31,7 @@ namespace de4dot.code.deobfuscators.ILProtector {
|
|||
ModuleDefMD module;
|
||||
MethodFlags flags;
|
||||
TypeDef delegateType;
|
||||
bool hasDelegateTypeFlag;
|
||||
|
||||
[Flags]
|
||||
enum MethodFlags {
|
||||
|
|
@ -38,6 +39,7 @@ namespace de4dot.code.deobfuscators.ILProtector {
|
|||
HasLocals = 2,
|
||||
HasInstructions = 4,
|
||||
HasExceptionHandlers = 8,
|
||||
HasDelegateType = 0x10,
|
||||
}
|
||||
|
||||
public TypeDef DelegateType {
|
||||
|
|
@ -60,6 +62,15 @@ namespace de4dot.code.deobfuscators.ILProtector {
|
|||
get { return (flags & MethodFlags.HasExceptionHandlers) != 0; }
|
||||
}
|
||||
|
||||
bool HasDelegateType {
|
||||
get { return !hasDelegateTypeFlag || (flags & MethodFlags.HasDelegateType) != 0; }
|
||||
}
|
||||
|
||||
public bool HasDelegateTypeFlag {
|
||||
get { return hasDelegateTypeFlag; }
|
||||
set { hasDelegateTypeFlag = value; }
|
||||
}
|
||||
|
||||
public MethodReader(ModuleDefMD module, byte[] data, IList<Parameter> parameters)
|
||||
: base(MemoryImageStream.Create(data), parameters) {
|
||||
this.module = module;
|
||||
|
|
@ -67,9 +78,11 @@ namespace de4dot.code.deobfuscators.ILProtector {
|
|||
|
||||
public void Read() {
|
||||
flags = (MethodFlags)reader.ReadByte();
|
||||
delegateType = Resolve<TypeDef>(ReadTypeToken());
|
||||
if (!DotNetUtils.DerivesFromDelegate(delegateType))
|
||||
throw new ApplicationException("Invalid delegate type");
|
||||
if (HasDelegateType) {
|
||||
delegateType = Resolve<TypeDef>(ReadTypeToken());
|
||||
if (!DotNetUtils.DerivesFromDelegate(delegateType))
|
||||
throw new ApplicationException("Invalid delegate type");
|
||||
}
|
||||
if (HasLocals)
|
||||
ReadLocals((int)reader.Read7BitEncodedUInt32());
|
||||
if (HasInstructions)
|
||||
|
|
|
|||
|
|
@ -37,6 +37,8 @@ namespace de4dot.code.deobfuscators.ILProtector {
|
|||
get { return delegateTypes; }
|
||||
}
|
||||
|
||||
public bool MethodReaderHasDelegateTypeFlag { get; set; }
|
||||
|
||||
public MethodsDecrypterBase(ModuleDefMD module, MainType mainType) {
|
||||
this.module = module;
|
||||
this.mainType = mainType;
|
||||
|
|
@ -84,10 +86,12 @@ namespace de4dot.code.deobfuscators.ILProtector {
|
|||
var methodInfo = methodInfos[methodId.Value];
|
||||
methodInfos.Remove(methodId.Value);
|
||||
var methodReader = new MethodReader(module, methodInfo.data, parameters);
|
||||
methodReader.HasDelegateTypeFlag = MethodReaderHasDelegateTypeFlag;
|
||||
methodReader.Read();
|
||||
|
||||
RestoreMethod(method, methodReader);
|
||||
delegateTypes.Add(methodReader.DelegateType);
|
||||
if (methodReader.DelegateType != null)
|
||||
delegateTypes.Add(methodReader.DelegateType);
|
||||
|
||||
return true;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -61,6 +61,9 @@ namespace de4dot.code.deobfuscators.ILProtector {
|
|||
new VersionInfo(new Version(2, 0, 10, 0), new byte[] { 0xE5, 0x8E, 0xEB, 0x26, 0x1A, 0x1C, 0x44, 0xA8, 0xFF, 0x88, 0x14, 0xE7, 0x38, 0x13, 0xE5, 0x6D }),
|
||||
new VersionInfo(new Version(2, 0, 11, 0), new byte[] { 0x67, 0xB8, 0xF7, 0x15, 0x70, 0x1D, 0xF2, 0x57, 0x00, 0x42, 0xF3, 0xA4, 0x83, 0x07, 0x62, 0xA3 }),
|
||||
new VersionInfo(new Version(2, 0, 11, 1), new byte[] { 0x2E, 0xC9, 0x53, 0xA0, 0x3C, 0x9B, 0x08, 0xDA, 0x88, 0x84, 0x37, 0xFC, 0x07, 0xAE, 0x8B, 0xEC }),
|
||||
new VersionInfo(new Version(2, 0, 12, 0), new byte[] { 0x63, 0x8B, 0x5C, 0xE9, 0x89, 0x83, 0x57, 0x9D, 0xDC, 0xC3, 0xBD, 0xD9, 0xDB, 0x54, 0xBE, 0x66 }),
|
||||
new VersionInfo(new Version(2, 0, 12, 2), new byte[] { 0xD5, 0x46, 0x38, 0xC7, 0x48, 0xF6, 0x3C, 0x1C, 0x1E, 0x7F, 0x3B, 0x7B, 0x5B, 0xE0, 0x49, 0x46 }),
|
||||
new VersionInfo(new Version(2, 0, 12, 3), new byte[] { 0x35, 0xA3, 0x53, 0xE9, 0x9E, 0x30, 0x6E, 0x9C, 0x0F, 0x46, 0x20, 0x9A, 0x91, 0xD2, 0x95, 0x18 }),
|
||||
};
|
||||
|
||||
static readonly VersionInfo[] versionInfo64 = new VersionInfo[] {
|
||||
|
|
@ -83,6 +86,9 @@ namespace de4dot.code.deobfuscators.ILProtector {
|
|||
new VersionInfo(new Version(2, 0, 10, 0), new byte[] { 0xD8, 0x79, 0x05, 0xC9, 0x2D, 0xA6, 0x5B, 0x7D, 0xEE, 0xA6, 0x13, 0x25, 0x7D, 0x29, 0x73, 0xB4 }),
|
||||
new VersionInfo(new Version(2, 0, 11, 0), new byte[] { 0x49, 0xAD, 0x40, 0x10, 0xD4, 0x03, 0x04, 0xB4, 0x3C, 0xD2, 0x36, 0x67, 0x38, 0x62, 0x9C, 0xE8 }),
|
||||
new VersionInfo(new Version(2, 0, 11, 1), new byte[] { 0x1D, 0x6C, 0xB6, 0xC8, 0xB3, 0x07, 0x53, 0x24, 0x6F, 0xC0, 0xF3, 0x4F, 0x5E, 0x8B, 0x9F, 0xD1 }),
|
||||
new VersionInfo(new Version(2, 0, 12, 0), new byte[] { 0x5F, 0x42, 0xA5, 0x6C, 0x19, 0xC6, 0x73, 0x9E, 0xE6, 0x74, 0x62, 0x3B, 0x8A, 0x51, 0xBB, 0x93 }),
|
||||
new VersionInfo(new Version(2, 0, 12, 2), new byte[] { 0x10, 0x91, 0xED, 0x05, 0x9C, 0x31, 0x0B, 0x63, 0x76, 0xD7, 0x4A, 0xEC, 0xDE, 0x99, 0x6D, 0xD0 }),
|
||||
new VersionInfo(new Version(2, 0, 12, 3), new byte[] { 0x38, 0x86, 0xE0, 0xBF, 0xC6, 0x64, 0xB9, 0xA0, 0x07, 0xED, 0xDB, 0x02, 0x40, 0xD0, 0x57, 0xE8 }),
|
||||
};
|
||||
|
||||
public RuntimeFileInfo(MethodDef protectMethod) {
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user