diff --git a/de4dot.code/deobfuscators/ILProtector/DynamicMethodsDecrypter.cs b/de4dot.code/deobfuscators/ILProtector/DynamicMethodsDecrypter.cs
index 47975d08..1b352314 100644
--- a/de4dot.code/deobfuscators/ILProtector/DynamicMethodsDecrypter.cs
+++ b/de4dot.code/deobfuscators/ILProtector/DynamicMethodsDecrypter.cs
@@ -38,6 +38,7 @@ namespace de4dot.code.deobfuscators.ILProtector {
 FieldInfo invokerFieldInfo;
 ModuleDefMD moduleProtect;
 IDecrypter decrypter;
+ bool methodReaderHasDelegateTypeFlag;
 interface IDecrypter {
 byte[] Decrypt(int methodId, uint rid);
@@ -269,7 +270,7 @@ namespace de4dot.code.deobfuscators.ILProtector {
 }
 }
- // 2.0.9.0 - 2.0.11.0
+ // 2.0.9.0 - 2.0.11.1
 class DecrypterV2_0_9_0 : DecrypterBase {
 DecryptMethod decryptMethod;
 byte[] decryptedData;
@@ -299,6 +300,112 @@ namespace de4dot.code.deobfuscators.ILProtector {
 }
 }
+ abstract class DecrypterBaseV2_0_12_x : IDecrypter {
+ protected readonly DynamicMethodsDecrypter dmd;
+ protected byte[] currentILBytes;
+ byte[] decryptedData;
+ readonly Delegate invoker;
+ protected readonly IntPtr pGetILBytes;
+ protected readonly IntPtr pDecryptCallback;
+
+ protected unsafe DecrypterBaseV2_0_12_x(DynamicMethodsDecrypter dmd) {
+ this.dmd = dmd;
+ this.invoker = (Delegate)dmd.invokerFieldInfo.GetValue(null);
+
+ byte* p = (byte*)GetStateAddr(invoker.Target);
+ p += IntPtr.Size * 3;
+ p = *(byte**)p;
+ p += 8 + IntPtr.Size * 8;
+ p = *(byte**)p;
+ p += IntPtr.Size * 3;
+ p = *(byte**)p;
+ pGetILBytes = new IntPtr(p + IntPtr.Size * 39);
+ pDecryptCallback = new IntPtr(p + IntPtr.Size * 40);
+ }
+
+ IntPtr GetStateAddr(object obj) {
+ var flags = BindingFlags.DeclaredOnly | BindingFlags.Instance | BindingFlags.Public | BindingFlags.NonPublic;
+ foreach (var fi in obj.GetType().GetFields(flags)) {
+ if (fi.FieldType == typeof(IntPtr))
+ return (IntPtr)fi.GetValue(obj);
+ }
+ throw new ApplicationException("Could not find an IntPtr field");
+ }
+
+ public byte[] Decrypt(int methodId, uint rid) {
+ decryptedData = null;
+ currentILBytes = dmd.reflectionModule.ResolveMethod(0x06000000 + (int)rid).GetMethodBody().GetILAsByteArray();
+
+ invoker.DynamicInvoke(new object[1] { methodId });
+ return decryptedData;
+ }
+
+ protected unsafe void SaveDecryptedData(byte* pMethodCode, int methodSize) {
+ decryptedData = new byte[methodSize];
+ Marshal.Copy(new IntPtr(pMethodCode), decryptedData, 0, decryptedData.Length);
+ }
+ }
+
+ // 2.0.12.0 - 2.0.12.2
+ class DecrypterV2_0_12_0 : DecrypterBaseV2_0_12_x {
+ readonly GetCallerMethodAsILByteArrayDelegate getCallerMethodAsILByteArrayDelegate;
+ readonly DecryptCallbackDelegate decryptCallbackDelegate;
+
+ [return: MarshalAs(UnmanagedType.SafeArray)]
+ delegate byte[] GetCallerMethodAsILByteArrayDelegate(IntPtr a, int skipFrames);
+ unsafe delegate bool DecryptCallbackDelegate(IntPtr a, byte* pMethodCode, int methodSize, int methodId);
+
+ public unsafe DecrypterV2_0_12_0(DynamicMethodsDecrypter dmd)
+ : base(dmd) {
+ getCallerMethodAsILByteArrayDelegate = GetCallerMethodAsILByteArray;
+ decryptCallbackDelegate = MyDecryptCallback;
+
+ *(IntPtr*)pGetILBytes = Marshal.GetFunctionPointerForDelegate(getCallerMethodAsILByteArrayDelegate);
+ *(IntPtr*)pDecryptCallback = Marshal.GetFunctionPointerForDelegate(decryptCallbackDelegate);
+ }
+
+ byte[] GetCallerMethodAsILByteArray(IntPtr a, int skipFrames) {
+ return currentILBytes;
+ }
+
+ unsafe bool MyDecryptCallback(IntPtr a, byte* pMethodCode, int methodSize, int methodId) {
+ SaveDecryptedData(pMethodCode, methodSize);
+ return true;
+ }
+ }
+
+ // 2.0.12.3
+ class DecrypterV2_0_12_3 : DecrypterBaseV2_0_12_x {
+ readonly GetCallerMethodAsILByteArrayDelegate getCallerMethodAsILByteArrayDelegate;
+ readonly DecryptCallbackDelegate decryptCallbackDelegate;
+
+ [return: MarshalAs(UnmanagedType.SafeArray)]
+ delegate byte[] GetCallerMethodAsILByteArrayDelegate(IntPtr a, int skipFrames, IntPtr c, IntPtr d);
+ unsafe delegate bool DecryptCallbackDelegate(IntPtr a, byte* pMethodCode, int methodSize, int methodId, IntPtr e);
+
+ public unsafe DecrypterV2_0_12_3(DynamicMethodsDecrypter dmd)
+ : base(dmd) {
+ getCallerMethodAsILByteArrayDelegate = GetCallerMethodAsILByteArray;
+ decryptCallbackDelegate = MyDecryptCallback;
+
+ *(IntPtr*)pGetILBytes = Marshal.GetFunctionPointerForDelegate(getCallerMethodAsILByteArrayDelegate);
+ *(IntPtr*)pDecryptCallback = Marshal.GetFunctionPointerForDelegate(decryptCallbackDelegate);
+ }
+
+ byte[] GetCallerMethodAsILByteArray(IntPtr a, int skipFrames, IntPtr c, IntPtr d) {
+ return currentILBytes;
+ }
+
+ unsafe bool MyDecryptCallback(IntPtr a, byte* pMethodCode, int methodSize, int methodId, IntPtr e) {
+ SaveDecryptedData(pMethodCode, methodSize);
+ return true;
+ }
+ }
+
+ public bool MethodReaderHasDelegateTypeFlag {
+ get { return methodReaderHasDelegateTypeFlag; }
+ }
+
 public DynamicMethodsDecrypter(ModuleDefMD module, Module reflectionModule) {
 this.module = module;
 this.reflectionModule = reflectionModule;
@@ -338,11 +445,22 @@ namespace de4dot.code.deobfuscators.ILProtector {
 }
 IDecrypter CreateDecrypter() {
- return CreateDecrypterV1_0_7_0() ??
- CreateDecrypterV2_0_0_0() ??
- CreateDecrypterV2_0_8_0() ??
- CreateDecrypterV2_0_8_5() ??
- CreateDecrypterV2_0_9_0();
+ var version = reflectionProtectModule.Assembly.GetName().Version;
+ if (reflectionProtectModule.Assembly.GetName().Version < new Version(2, 0, 12, 0)) {
+ return CreateDecrypterV1_0_7_0() ??
+ CreateDecrypterV2_0_0_0() ??
+ CreateDecrypterV2_0_8_0() ??
+ CreateDecrypterV2_0_8_5() ??
+ CreateDecrypterV2_0_9_0();
+ }
+
+ methodReaderHasDelegateTypeFlag = true;
+ if (version < new Version(2, 0, 12, 3))
+ return CreateDecrypterV2_0_12_0();
+ if (version < new Version(2, 0, 12, 4))
+ return CreateDecrypterV2_0_12_3();
+
+ return null;
 }
 IDecrypter CreateDecrypterV1_0_7_0() {
@@ -385,6 +503,14 @@ namespace de4dot.code.deobfuscators.ILProtector {
 return new DecrypterV2_0_9_0(this, delegateField);
 }
+ IDecrypter CreateDecrypterV2_0_12_0() {
+ return new DecrypterV2_0_12_0(this);
+ }
+
+ IDecrypter CreateDecrypterV2_0_12_3() {
+ return new DecrypterV2_0_12_3(this);
+ }
+
 static readonly byte[] ilpPublicKeyToken = new byte[8] { 0x20, 0x12, 0xD3, 0xC0, 0x55, 0x1F, 0xE0, 0x3D };
 static Assembly GetProtectAssembly() {
 foreach (var asm in AppDomain.CurrentDomain.GetAssemblies()) {
diff --git a/de4dot.code/deobfuscators/ILProtector/DynamicMethodsDecrypterService.cs b/de4dot.code/deobfuscators/ILProtector/DynamicMethodsDecrypterService.cs
index ead8f085..a4895cd1 100644
--- a/de4dot.code/deobfuscators/ILProtector/DynamicMethodsDecrypterService.cs
+++ b/de4dot.code/deobfuscators/ILProtector/DynamicMethodsDecrypterService.cs
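Review bot: The `DecrypterBaseV2_0_12_x` constructor in `DynamicMethodsDecrypter.cs` follows three pointers at fixed offsets from the first `IntPtr` field of `invoker.Target` without checking any of them, and both subclasses then write function pointers into the two slots it computes. If the loaded runtime's layout differs from the one these offsets were taken from, the tool reads and writes memory it does not own, and a null `invoker` fails with a bare NullReferenceException. I would check `invoker` and every loaded pointer and throw `ApplicationException`, as `GetStateAddr` already does, and add a comment naming what each offset refers to. `SaveDecryptedData` likewise takes `pMethodCode` and `methodSize` straight from the native callback; rejecting a null pointer or a negative size there avoids an exception being thrown across the callback boundary.

```csharp
protected unsafe DecrypterBaseV2_0_12_x(DynamicMethodsDecrypter dmd) {
	this.dmd = dmd;
	this.invoker = dmd.invokerFieldInfo.GetValue(null) as Delegate;
	if (invoker == null)
		throw new ApplicationException("Invoker delegate is not initialized");

	byte* p = (byte*)GetStateAddr(invoker.Target);
	p = ReadPointer(p, IntPtr.Size * 3);
	p = ReadPointer(p, 8 + IntPtr.Size * 8);
	p = ReadPointer(p, IntPtr.Size * 3);
	// ... unchanged: pGetILBytes / pDecryptCallback assignments ...
}

// Loads the pointer stored at p + offset and rejects a null input or result.
static unsafe byte* ReadPointer(byte* p, int offset) {
	if (p == null)
		throw new ApplicationException("Unexpected null pointer in runtime state");
	byte* next = *(byte**)(p + offset);
	if (next == null)
		throw new ApplicationException("Unexpected null pointer in runtime state");
	return next;
}
```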
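Review bot: `CreateDecrypter` in `DynamicMethodsDecrypter.cs` returns null for any runtime version from 2.0.12.4 upward, after it has already set `methodReaderHasDelegateTypeFlag = true`, so an unsupported runtime looks the same as a failed signature match; how callers treat the null is outside the hunk. Throwing instead, for example `throw new ApplicationException(string.Format("Unsupported ILProtector runtime version: {0}", version));`, would make that case explicit. The `if` also calls `GetName().Version` a second time where the local should be used: `if (version < new Version(2, 0, 12, 0)) {`. Since this version is the only thing that selects the raw-pointer decrypters, a short comment stating that it comes from the protect assembly's metadata would help whoever maintains the offsets.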
@@ -26,9 +26,11 @@ using AssemblyData;
 namespace de4dot.code.deobfuscators.ILProtector {
 sealed class DynamicMethodsDecrypterService : IUserGenericService {
 public const int MSG_DECRYPT_METHODS = 0;
+ public const int MSG_HAS_DELEGATE_TYPE_FLAG = 1;
 Module reflObfModule;
 ModuleDefMD obfModule;
+ bool hasDelegateTypeFlag;
 [CreateUserGenericService]
 public static IUserGenericService Create() {
@@ -51,6 +53,9 @@ namespace de4dot.code.deobfuscators.ILProtector {
 case MSG_DECRYPT_METHODS:
 return DecryptMethods(args[0] as IList);
+ case MSG_HAS_DELEGATE_TYPE_FLAG:
+ return hasDelegateTypeFlag;
+
 default:
 throw new ApplicationException(string.Format("Invalid msg: {0:X8}", msg));
 }
@@ -65,6 +70,8 @@ namespace de4dot.code.deobfuscators.ILProtector {
 for (int i = 0; i < methodIds.Count; i += 2)
 infos.Add(decrypter.Decrypt(methodIds[i], (uint)methodIds[i + 1]));
+ hasDelegateTypeFlag = decrypter.MethodReaderHasDelegateTypeFlag;
+
 return infos;
 }
 }
diff --git a/de4dot.code/deobfuscators/ILProtector/DynamicMethodsRestorer.cs b/de4dot.code/deobfuscators/ILProtector/DynamicMethodsRestorer.cs
index c54f007e..8816eb36 100644
--- a/de4dot.code/deobfuscators/ILProtector/DynamicMethodsRestorer.cs
+++ b/de4dot.code/deobfuscators/ILProtector/DynamicMethodsRestorer.cs
@@ -42,6 +42,7 @@ namespace de4dot.code.deobfuscators.ILProtector {
 client.GenericService.LoadUserService(typeof(DynamicMethodsDecrypterService), null);
 client.GenericService.LoadAssembly(module.Location);
 decryptedData = client.GenericService.SendMessage(DynamicMethodsDecrypterService.MSG_DECRYPT_METHODS, new object[] { GetMethodIds() }) as IList;
+ MethodReaderHasDelegateTypeFlag = (bool)client.GenericService.SendMessage(DynamicMethodsDecrypterService.MSG_HAS_DELEGATE_TYPE_FLAG, new object[0]);
 }
 if (decryptedData == null)
diff --git a/de4dot.code/deobfuscators/ILProtector/MethodReader.cs b/de4dot.code/deobfuscators/ILProtector/MethodReader.cs
index 004f891a..fe404d89 100644
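Review bot: In `DynamicMethodsDecrypterService.cs`, `hasDelegateTypeFlag` is assigned only at the end of `DecryptMethods`, so `MSG_HAS_DELEGATE_TYPE_FLAG` answers false whenever it is sent before `MSG_DECRYPT_METHODS`, and the reader then treats the data as the older format. The one caller in this commit sends the messages in the right order, but nothing in the service states or enforces that order. I would document it on the constant: `// Only valid after MSG_DECRYPT_METHODS has been handled; false until then.` `DecryptMethods` begins outside the hunk.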
--- a/de4dot.code/deobfuscators/ILProtector/MethodReader.cs
+++ b/de4dot.code/deobfuscators/ILProtector/MethodReader.cs
@@ -31,6 +31,7 @@ namespace de4dot.code.deobfuscators.ILProtector {
 ModuleDefMD module;
 MethodFlags flags;
 TypeDef delegateType;
+ bool hasDelegateTypeFlag;
 [Flags]
 enum MethodFlags {
@@ -38,6 +39,7 @@ namespace de4dot.code.deobfuscators.ILProtector {
 HasLocals = 2,
 HasInstructions = 4,
 HasExceptionHandlers = 8,
+ HasDelegateType = 0x10,
 }
 public TypeDef DelegateType {
@@ -60,6 +62,15 @@ namespace de4dot.code.deobfuscators.ILProtector {
 get { return (flags & MethodFlags.HasExceptionHandlers) != 0; }
 }
+ bool HasDelegateType {
+ get { return !hasDelegateTypeFlag || (flags & MethodFlags.HasDelegateType) != 0; }
+ }
+
+ public bool HasDelegateTypeFlag {
+ get { return hasDelegateTypeFlag; }
+ set { hasDelegateTypeFlag = value; }
+ }
+
 public MethodReader(ModuleDefMD module, byte[] data, IList parameters)
 : base(MemoryImageStream.Create(data), parameters) {
 this.module = module;
@@ -67,9 +78,11 @@ namespace de4dot.code.deobfuscators.ILProtector {
 }
 public void Read() {
 flags = (MethodFlags)reader.ReadByte();
- delegateType = Resolve(ReadTypeToken());
- if (!DotNetUtils.DerivesFromDelegate(delegateType))
- throw new ApplicationException("Invalid delegate type");
+ if (HasDelegateType) {
+ delegateType = Resolve(ReadTypeToken());
+ if (!DotNetUtils.DerivesFromDelegate(delegateType))
+ throw new ApplicationException("Invalid delegate type");
+ }
 if (HasLocals)
 ReadLocals((int)reader.Read7BitEncodedUInt32());
 if (HasInstructions)
diff --git a/de4dot.code/deobfuscators/ILProtector/MethodsDecrypterBase.cs b/de4dot.code/deobfuscators/ILProtector/MethodsDecrypterBase.cs
index 2ac46930..4b4e12e3 100644
--- a/de4dot.code/deobfuscators/ILProtector/MethodsDecrypterBase.cs
+++ b/de4dot.code/deobfuscators/ILProtector/MethodsDecrypterBase.cs
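Review bot: `Read()` in `MethodReader.cs` casts the first byte of the decrypted method data to `MethodFlags` and never checks it for bits the enum does not define, while the layout that follows now depends on both that byte and `HasDelegateTypeFlag`. A format mismatch is therefore parsed as far as it will go instead of being rejected; if the format uses no bits above 0x10 and the enum member just above the hunk is bit 1 (both assumptions to confirm), a check such as `if (((int)flags & ~0x1F) != 0) throw new ApplicationException("Unknown method flags");` right after the read would fail early. The two similarly named properties also need a comment each: `HasDelegateTypeFlag` says whether the format carries the 0x10 bit at all, and `HasDelegateType` says whether this method's data includes a delegate token. `Read()` continues past the end of the hunk.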
@@ -37,6 +37,8 @@ namespace de4dot.code.deobfuscators.ILProtector {
 get { return delegateTypes; }
 }
+ public bool MethodReaderHasDelegateTypeFlag { get; set; }
+
 public MethodsDecrypterBase(ModuleDefMD module, MainType mainType) {
 this.module = module;
 this.mainType = mainType;
@@ -84,10 +86,12 @@ namespace de4dot.code.deobfuscators.ILProtector {
 var methodInfo = methodInfos[methodId.Value];
 methodInfos.Remove(methodId.Value);
 var methodReader = new MethodReader(module, methodInfo.data, parameters);
+ methodReader.HasDelegateTypeFlag = MethodReaderHasDelegateTypeFlag;
 methodReader.Read();
 RestoreMethod(method, methodReader);
- delegateTypes.Add(methodReader.DelegateType);
+ if (methodReader.DelegateType != null)
+ delegateTypes.Add(methodReader.DelegateType);
 return true;
 }
diff --git a/de4dot.code/deobfuscators/ILProtector/RuntimeFileInfo.cs b/de4dot.code/deobfuscators/ILProtector/RuntimeFileInfo.cs
index 34d5e7fb..2ed5d050 100644
--- a/de4dot.code/deobfuscators/ILProtector/RuntimeFileInfo.cs
+++ b/de4dot.code/deobfuscators/ILProtector/RuntimeFileInfo.cs
@@ -61,6 +61,9 @@ namespace de4dot.code.deobfuscators.ILProtector {
 new VersionInfo(new Version(2, 0, 10, 0), new byte[] { 0xE5, 0x8E, 0xEB, 0x26, 0x1A, 0x1C, 0x44, 0xA8, 0xFF, 0x88, 0x14, 0xE7, 0x38, 0x13, 0xE5, 0x6D }),
 new VersionInfo(new Version(2, 0, 11, 0), new byte[] { 0x67, 0xB8, 0xF7, 0x15, 0x70, 0x1D, 0xF2, 0x57, 0x00, 0x42, 0xF3, 0xA4, 0x83, 0x07, 0x62, 0xA3 }),
 new VersionInfo(new Version(2, 0, 11, 1), new byte[] { 0x2E, 0xC9, 0x53, 0xA0, 0x3C, 0x9B, 0x08, 0xDA, 0x88, 0x84, 0x37, 0xFC, 0x07, 0xAE, 0x8B, 0xEC }),
+ new VersionInfo(new Version(2, 0, 12, 0), new byte[] { 0x63, 0x8B, 0x5C, 0xE9, 0x89, 0x83, 0x57, 0x9D, 0xDC, 0xC3, 0xBD, 0xD9, 0xDB, 0x54, 0xBE, 0x66 }),
+ new VersionInfo(new Version(2, 0, 12, 2), new byte[] { 0xD5, 0x46, 0x38, 0xC7, 0x48, 0xF6, 0x3C, 0x1C, 0x1E, 0x7F, 0x3B, 0x7B, 0x5B, 0xE0, 0x49, 0x46 }),
+ new VersionInfo(new Version(2, 0, 12, 3), new byte[] { 0x35, 0xA3, 0x53, 0xE9, 0x9E, 0x30, 0x6E, 0x9C, 0x0F, 0x46, 0x20, 0x9A, 0x91, 0xD2, 0x95, 0x18 }),
 };
 static readonly VersionInfo[] versionInfo64 = new VersionInfo[] {
@@ -83,6 +86,9 @@ namespace de4dot.code.deobfuscators.ILProtector {
 new VersionInfo(new Version(2, 0, 10, 0), new byte[] { 0xD8, 0x79, 0x05, 0xC9, 0x2D, 0xA6, 0x5B, 0x7D, 0xEE, 0xA6, 0x13, 0x25, 0x7D, 0x29, 0x73, 0xB4 }),
 new VersionInfo(new Version(2, 0, 11, 0), new byte[] { 0x49, 0xAD, 0x40, 0x10, 0xD4, 0x03, 0x04, 0xB4, 0x3C, 0xD2, 0x36, 0x67, 0x38, 0x62, 0x9C, 0xE8 }),
 new VersionInfo(new Version(2, 0, 11, 1), new byte[] { 0x1D, 0x6C, 0xB6, 0xC8, 0xB3, 0x07, 0x53, 0x24, 0x6F, 0xC0, 0xF3, 0x4F, 0x5E, 0x8B, 0x9F, 0xD1 }),
+ new VersionInfo(new Version(2, 0, 12, 0), new byte[] { 0x5F, 0x42, 0xA5, 0x6C, 0x19, 0xC6, 0x73, 0x9E, 0xE6, 0x74, 0x62, 0x3B, 0x8A, 0x51, 0xBB, 0x93 }),
+ new VersionInfo(new Version(2, 0, 12, 2), new byte[] { 0x10, 0x91, 0xED, 0x05, 0x9C, 0x31, 0x0B, 0x63, 0x76, 0xD7, 0x4A, 0xEC, 0xDE, 0x99, 0x6D, 0xD0 }),
+ new VersionInfo(new Version(2, 0, 12, 3), new byte[] { 0x38, 0x86, 0xE0, 0xBF, 0xC6, 0x64, 0xB9, 0xA0, 0x07, 0xED, 0xDB, 0x02, 0x40, 0xD0, 0x57, 0xE8 }),
 };
 public RuntimeFileInfo(MethodDef protectMethod) {