Decrypt CO encrypted methods
This commit is contained in:
parent
0a5973e541
commit
64cc8e3856
|
@ -68,6 +68,8 @@
|
||||||
<Compile Include="deobfuscators\Babel_NET\MethodBodyReader.cs" />
|
<Compile Include="deobfuscators\Babel_NET\MethodBodyReader.cs" />
|
||||||
<Compile Include="deobfuscators\Babel_NET\MethodReferenceReader.cs" />
|
<Compile Include="deobfuscators\Babel_NET\MethodReferenceReader.cs" />
|
||||||
<Compile Include="deobfuscators\CryptoObfuscator\CoUtils.cs" />
|
<Compile Include="deobfuscators\CryptoObfuscator\CoUtils.cs" />
|
||||||
|
<Compile Include="deobfuscators\CryptoObfuscator\MethodBodyReader.cs" />
|
||||||
|
<Compile Include="deobfuscators\CryptoObfuscator\MethodsDecrypter.cs" />
|
||||||
<Compile Include="deobfuscators\dotNET_Reactor\v4\ProxyCallFixer.cs" />
|
<Compile Include="deobfuscators\dotNET_Reactor\v4\ProxyCallFixer.cs" />
|
||||||
<Compile Include="deobfuscators\ILProtector\MethodReader.cs" />
|
<Compile Include="deobfuscators\ILProtector\MethodReader.cs" />
|
||||||
<Compile Include="deobfuscators\ILProtector\MethodsDecrypter.cs" />
|
<Compile Include="deobfuscators\ILProtector\MethodsDecrypter.cs" />
|
||||||
|
|
|
@ -46,6 +46,10 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public bool Detected {
|
||||||
|
get { return resolverType != null; }
|
||||||
|
}
|
||||||
|
|
||||||
public List<AssemblyInfo> AssemblyInfos {
|
public List<AssemblyInfo> AssemblyInfos {
|
||||||
get { return assemblyInfos; }
|
get { return assemblyInfos; }
|
||||||
}
|
}
|
||||||
|
|
|
@ -68,6 +68,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
bool foundObfuscatedSymbols = false;
|
bool foundObfuscatedSymbols = false;
|
||||||
bool foundObfuscatorUserString = false;
|
bool foundObfuscatorUserString = false;
|
||||||
|
|
||||||
|
MethodsDecrypter methodsDecrypter;
|
||||||
ProxyCallFixer proxyCallFixer;
|
ProxyCallFixer proxyCallFixer;
|
||||||
ResourceDecrypter resourceDecrypter;
|
ResourceDecrypter resourceDecrypter;
|
||||||
ResourceResolver resourceResolver;
|
ResourceResolver resourceResolver;
|
||||||
|
@ -111,7 +112,8 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
protected override int detectInternal() {
|
protected override int detectInternal() {
|
||||||
int val = 0;
|
int val = 0;
|
||||||
|
|
||||||
int sum = toInt32(stringDecrypter.Detected) +
|
int sum = toInt32(methodsDecrypter.Detected) +
|
||||||
|
toInt32(stringDecrypter.Detected) +
|
||||||
toInt32(tamperDetection.Detected) +
|
toInt32(tamperDetection.Detected) +
|
||||||
toInt32(proxyCallFixer.Detected) +
|
toInt32(proxyCallFixer.Detected) +
|
||||||
toInt32(constantsDecrypter.Detected);
|
toInt32(constantsDecrypter.Detected);
|
||||||
|
@ -134,6 +136,8 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
if (checkCryptoObfuscator())
|
if (checkCryptoObfuscator())
|
||||||
foundObfuscatedSymbols = true;
|
foundObfuscatedSymbols = true;
|
||||||
|
|
||||||
|
methodsDecrypter = new MethodsDecrypter(module);
|
||||||
|
methodsDecrypter.find();
|
||||||
proxyCallFixer = new ProxyCallFixer(module);
|
proxyCallFixer = new ProxyCallFixer(module);
|
||||||
proxyCallFixer.findDelegateCreator();
|
proxyCallFixer.findDelegateCreator();
|
||||||
stringDecrypter = new StringDecrypter(module);
|
stringDecrypter = new StringDecrypter(module);
|
||||||
|
@ -190,6 +194,14 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
DeobfuscatedFile.stringDecryptersAdded();
|
DeobfuscatedFile.stringDecryptersAdded();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
methodsDecrypter.decrypt(resourceDecrypter);
|
||||||
|
|
||||||
|
if (methodsDecrypter.Detected) {
|
||||||
|
if (!assemblyResolver.Detected)
|
||||||
|
assemblyResolver.find();
|
||||||
|
if (!tamperDetection.Detected)
|
||||||
|
tamperDetection.find();
|
||||||
|
}
|
||||||
antiDebugger = new AntiDebugger(module, DeobfuscatedFile, this);
|
antiDebugger = new AntiDebugger(module, DeobfuscatedFile, this);
|
||||||
antiDebugger.find();
|
antiDebugger.find();
|
||||||
|
|
||||||
|
@ -217,6 +229,9 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
addTypeToBeRemoved(assemblyResolver.Type, "Assembly resolver type");
|
addTypeToBeRemoved(assemblyResolver.Type, "Assembly resolver type");
|
||||||
addTypeToBeRemoved(tamperDetection.Type, "Tamper detection type");
|
addTypeToBeRemoved(tamperDetection.Type, "Tamper detection type");
|
||||||
addTypeToBeRemoved(antiDebugger.Type, "Anti-debugger type");
|
addTypeToBeRemoved(antiDebugger.Type, "Anti-debugger type");
|
||||||
|
addTypeToBeRemoved(methodsDecrypter.Type, "Methods decrypter type");
|
||||||
|
addTypesToBeRemoved(methodsDecrypter.DelegateTypes, "Methods decrypter delegate type");
|
||||||
|
addResourceToBeRemoved(methodsDecrypter.Resource, "Encrypted methods");
|
||||||
|
|
||||||
proxyCallFixer.find();
|
proxyCallFixer.find();
|
||||||
|
|
||||||
|
|
118
de4dot.code/deobfuscators/CryptoObfuscator/MethodBodyReader.cs
Normal file
118
de4dot.code/deobfuscators/CryptoObfuscator/MethodBodyReader.cs
Normal file
|
@ -0,0 +1,118 @@
|
||||||
|
/*
|
||||||
|
Copyright (C) 2011-2012 de4dot@gmail.com
|
||||||
|
|
||||||
|
This file is part of de4dot.
|
||||||
|
|
||||||
|
de4dot is free software: you can redistribute it and/or modify
|
||||||
|
it under the terms of the GNU General Public License as published by
|
||||||
|
the Free Software Foundation, either version 3 of the License, or
|
||||||
|
(at your option) any later version.
|
||||||
|
|
||||||
|
de4dot is distributed in the hope that it will be useful,
|
||||||
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
GNU General Public License for more details.
|
||||||
|
|
||||||
|
You should have received a copy of the GNU General Public License
|
||||||
|
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*/
|
||||||
|
|
||||||
|
using System;
|
||||||
|
using System.Collections.Generic;
|
||||||
|
using System.IO;
|
||||||
|
using Mono.Cecil;
|
||||||
|
using Mono.Cecil.Cil;
|
||||||
|
using de4dot.blocks;
|
||||||
|
|
||||||
|
namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
|
class MethodBodyReader : MethodBodyReaderBase {
|
||||||
|
ModuleDefinition module;
|
||||||
|
ushort maxStackSize;
|
||||||
|
|
||||||
|
public MethodBodyReader(ModuleDefinition module, BinaryReader reader)
|
||||||
|
: base(reader) {
|
||||||
|
this.module = module;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void read(MethodDefinition method) {
|
||||||
|
this.parameters = getParameters(method);
|
||||||
|
this.Locals = getLocals(method);
|
||||||
|
|
||||||
|
maxStackSize = (ushort)reader.ReadInt32();
|
||||||
|
readInstructionsNumBytes(reader.ReadUInt32());
|
||||||
|
readExceptionHandlers();
|
||||||
|
}
|
||||||
|
|
||||||
|
void readExceptionHandlers() {
|
||||||
|
int totalSize = reader.ReadInt32();
|
||||||
|
if (totalSize == 0)
|
||||||
|
return;
|
||||||
|
reader.ReadInt32();
|
||||||
|
readExceptionHandlers((totalSize - 4) / 24);
|
||||||
|
}
|
||||||
|
|
||||||
|
static IList<ParameterDefinition> getParameters(MethodReference method) {
|
||||||
|
return DotNetUtils.getParameters(method);
|
||||||
|
}
|
||||||
|
|
||||||
|
static IList<VariableDefinition> getLocals(MethodDefinition method) {
|
||||||
|
if (method.Body == null)
|
||||||
|
return new List<VariableDefinition>();
|
||||||
|
return new List<VariableDefinition>(method.Body.Variables);
|
||||||
|
}
|
||||||
|
|
||||||
|
protected override FieldReference readInlineField(Instruction instr) {
|
||||||
|
return (FieldReference)module.LookupToken(reader.ReadInt32());
|
||||||
|
}
|
||||||
|
|
||||||
|
protected override MethodReference readInlineMethod(Instruction instr) {
|
||||||
|
return (MethodReference)module.LookupToken(reader.ReadInt32());
|
||||||
|
}
|
||||||
|
|
||||||
|
protected override CallSite readInlineSig(Instruction instr) {
|
||||||
|
return module.ReadCallSite(new MetadataToken(reader.ReadUInt32()));
|
||||||
|
}
|
||||||
|
|
||||||
|
protected override string readInlineString(Instruction instr) {
|
||||||
|
return module.GetUserString(reader.ReadUInt32());
|
||||||
|
}
|
||||||
|
|
||||||
|
protected override MemberReference readInlineTok(Instruction instr) {
|
||||||
|
return (MemberReference)module.LookupToken(reader.ReadInt32());
|
||||||
|
}
|
||||||
|
|
||||||
|
protected override TypeReference readInlineType(Instruction instr) {
|
||||||
|
return (TypeReference)module.LookupToken(reader.ReadInt32());
|
||||||
|
}
|
||||||
|
|
||||||
|
protected override ExceptionHandler readExceptionHandler() {
|
||||||
|
var eh = new ExceptionHandler((ExceptionHandlerType)reader.ReadInt32());
|
||||||
|
|
||||||
|
int tryOffset = reader.ReadInt32();
|
||||||
|
eh.TryStart = getInstruction(tryOffset);
|
||||||
|
eh.TryEnd = getInstructionOrNull(tryOffset + reader.ReadInt32());
|
||||||
|
|
||||||
|
int handlerOffset = reader.ReadInt32();
|
||||||
|
eh.HandlerStart = getInstruction(handlerOffset);
|
||||||
|
eh.HandlerEnd = getInstructionOrNull(handlerOffset + reader.ReadInt32());
|
||||||
|
|
||||||
|
switch (eh.HandlerType) {
|
||||||
|
case ExceptionHandlerType.Catch:
|
||||||
|
eh.CatchType = (TypeReference)module.LookupToken(reader.ReadInt32());
|
||||||
|
break;
|
||||||
|
|
||||||
|
case ExceptionHandlerType.Filter:
|
||||||
|
eh.FilterStart = getInstruction(reader.ReadInt32());
|
||||||
|
break;
|
||||||
|
|
||||||
|
case ExceptionHandlerType.Finally:
|
||||||
|
case ExceptionHandlerType.Fault:
|
||||||
|
default:
|
||||||
|
reader.ReadInt32();
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
return eh;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
205
de4dot.code/deobfuscators/CryptoObfuscator/MethodsDecrypter.cs
Normal file
205
de4dot.code/deobfuscators/CryptoObfuscator/MethodsDecrypter.cs
Normal file
|
@ -0,0 +1,205 @@
|
||||||
|
/*
|
||||||
|
Copyright (C) 2011-2012 de4dot@gmail.com
|
||||||
|
|
||||||
|
This file is part of de4dot.
|
||||||
|
|
||||||
|
de4dot is free software: you can redistribute it and/or modify
|
||||||
|
it under the terms of the GNU General Public License as published by
|
||||||
|
the Free Software Foundation, either version 3 of the License, or
|
||||||
|
(at your option) any later version.
|
||||||
|
|
||||||
|
de4dot is distributed in the hope that it will be useful,
|
||||||
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
GNU General Public License for more details.
|
||||||
|
|
||||||
|
You should have received a copy of the GNU General Public License
|
||||||
|
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*/
|
||||||
|
|
||||||
|
using System;
|
||||||
|
using System.Collections.Generic;
|
||||||
|
using System.IO;
|
||||||
|
using Mono.Cecil;
|
||||||
|
using Mono.Cecil.Cil;
|
||||||
|
using de4dot.blocks;
|
||||||
|
|
||||||
|
namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||||
|
class MethodsDecrypter {
|
||||||
|
ModuleDefinition module;
|
||||||
|
TypeDefinition decrypterType;
|
||||||
|
MethodDefinition decryptMethod;
|
||||||
|
MethodDefinition decrypterCctor;
|
||||||
|
EmbeddedResource resource;
|
||||||
|
List<TypeDefinition> delegateTypes = new List<TypeDefinition>();
|
||||||
|
|
||||||
|
public TypeDefinition Type {
|
||||||
|
get { return decrypterType; }
|
||||||
|
}
|
||||||
|
|
||||||
|
public IEnumerable<TypeDefinition> DelegateTypes {
|
||||||
|
get { return delegateTypes; }
|
||||||
|
}
|
||||||
|
|
||||||
|
public EmbeddedResource Resource {
|
||||||
|
get { return resource; }
|
||||||
|
}
|
||||||
|
|
||||||
|
public bool Detected {
|
||||||
|
get { return decrypterType != null; }
|
||||||
|
}
|
||||||
|
|
||||||
|
public MethodsDecrypter(ModuleDefinition module) {
|
||||||
|
this.module = module;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void find() {
|
||||||
|
foreach (var type in module.Types) {
|
||||||
|
if (check(type))
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
static readonly string[] requiredFields = new string[] {
|
||||||
|
"System.Byte[]",
|
||||||
|
"System.Collections.Generic.Dictionary`2<System.Int32,System.Int32>",
|
||||||
|
"System.ModuleHandle",
|
||||||
|
};
|
||||||
|
bool check(TypeDefinition type) {
|
||||||
|
if (type.NestedTypes.Count != 1)
|
||||||
|
return false;
|
||||||
|
if (type.Fields.Count != 3)
|
||||||
|
return false;
|
||||||
|
if (!new FieldTypes(type).all(requiredFields))
|
||||||
|
return false;
|
||||||
|
|
||||||
|
var cctor = DotNetUtils.getMethod(type, ".cctor");
|
||||||
|
if (cctor == null)
|
||||||
|
return false;
|
||||||
|
var decryptMethodTmp = findDecryptMethod(type);
|
||||||
|
if (decryptMethodTmp == null)
|
||||||
|
return false;
|
||||||
|
|
||||||
|
decryptMethod = decryptMethodTmp;
|
||||||
|
decrypterCctor = cctor;
|
||||||
|
decrypterType = type;
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
static readonly string[] requiredLocals = new string[] {
|
||||||
|
"System.Delegate",
|
||||||
|
"System.ModuleHandle",
|
||||||
|
"System.Reflection.Emit.DynamicILInfo",
|
||||||
|
"System.Reflection.Emit.DynamicMethod",
|
||||||
|
"System.Reflection.FieldInfo",
|
||||||
|
"System.Reflection.FieldInfo[]",
|
||||||
|
"System.Reflection.MethodBase",
|
||||||
|
"System.Reflection.MethodBody",
|
||||||
|
"System.Type",
|
||||||
|
"System.Type[]",
|
||||||
|
};
|
||||||
|
static MethodDefinition findDecryptMethod(TypeDefinition type) {
|
||||||
|
foreach (var method in type.Methods) {
|
||||||
|
if (!method.IsStatic || method.Body == null)
|
||||||
|
continue;
|
||||||
|
if (!new LocalTypes(method).all(requiredLocals))
|
||||||
|
continue;
|
||||||
|
if (!DotNetUtils.isMethod(method, "System.Void", "(System.Int32,System.Int32,System.Int32)"))
|
||||||
|
continue;
|
||||||
|
|
||||||
|
return method;
|
||||||
|
}
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void decrypt(ResourceDecrypter resourceDecrypter) {
|
||||||
|
if (decryptMethod == null)
|
||||||
|
return;
|
||||||
|
|
||||||
|
resource = CoUtils.getResource(module, decrypterCctor);
|
||||||
|
if (resource == null)
|
||||||
|
return;
|
||||||
|
var decrypted = resourceDecrypter.decrypt(resource.GetResourceStream());
|
||||||
|
var reader = new BinaryReader(new MemoryStream(decrypted));
|
||||||
|
int numEncrypted = reader.ReadInt32();
|
||||||
|
Log.v("Restoring {0} encrypted methods", numEncrypted);
|
||||||
|
Log.indent();
|
||||||
|
for (int i = 0; i < numEncrypted; i++) {
|
||||||
|
int delegateTypeToken = reader.ReadInt32();
|
||||||
|
uint codeOffset = reader.ReadUInt32();
|
||||||
|
var origOffset = reader.BaseStream.Position;
|
||||||
|
reader.BaseStream.Position = codeOffset;
|
||||||
|
decrypt(reader, delegateTypeToken);
|
||||||
|
reader.BaseStream.Position = origOffset;
|
||||||
|
}
|
||||||
|
Log.deIndent();
|
||||||
|
}
|
||||||
|
|
||||||
|
void decrypt(BinaryReader reader, int delegateTypeToken) {
|
||||||
|
var delegateType = module.LookupToken(delegateTypeToken) as TypeDefinition;
|
||||||
|
if (delegateType == null)
|
||||||
|
throw new ApplicationException("Couldn't find delegate type");
|
||||||
|
|
||||||
|
int delToken, encMethToken, encDeclToken;
|
||||||
|
if (!getTokens(delegateType, out delToken, out encMethToken, out encDeclToken))
|
||||||
|
throw new ApplicationException("Could not find encrypted method tokens");
|
||||||
|
if (delToken != delegateTypeToken)
|
||||||
|
throw new ApplicationException("Invalid delegate type token");
|
||||||
|
var encType = module.LookupToken(encDeclToken) as TypeReference;
|
||||||
|
if (encType == null)
|
||||||
|
throw new ApplicationException("Invalid declaring type token");
|
||||||
|
var encMethod = module.LookupToken(encMethToken) as MethodDefinition;
|
||||||
|
if (encMethod == null)
|
||||||
|
throw new ApplicationException("Invalid encrypted method token");
|
||||||
|
|
||||||
|
var bodyReader = new MethodBodyReader(module, reader);
|
||||||
|
bodyReader.read(encMethod);
|
||||||
|
bodyReader.restoreMethod(encMethod);
|
||||||
|
Log.v("Restored method {0} ({1:X8}). Instrs:{2}, Locals:{3}, Exceptions:{4}",
|
||||||
|
Utils.removeNewlines(encMethod.FullName),
|
||||||
|
encMethod.MetadataToken.ToInt32(),
|
||||||
|
encMethod.Body.Instructions.Count,
|
||||||
|
encMethod.Body.Variables.Count,
|
||||||
|
encMethod.Body.ExceptionHandlers.Count);
|
||||||
|
delegateTypes.Add(delegateType);
|
||||||
|
}
|
||||||
|
|
||||||
|
bool getTokens(TypeDefinition delegateType, out int delegateToken, out int encMethodToken, out int encDeclaringTypeToken) {
|
||||||
|
delegateToken = 0;
|
||||||
|
encMethodToken = 0;
|
||||||
|
encDeclaringTypeToken = 0;
|
||||||
|
|
||||||
|
var cctor = DotNetUtils.getMethod(delegateType, ".cctor");
|
||||||
|
if (cctor == null)
|
||||||
|
return false;
|
||||||
|
|
||||||
|
var instrs = cctor.Body.Instructions;
|
||||||
|
for (int i = 0; i < instrs.Count - 4; i++) {
|
||||||
|
var ldci4_1 = instrs[i];
|
||||||
|
if (!DotNetUtils.isLdcI4(ldci4_1))
|
||||||
|
continue;
|
||||||
|
var ldci4_2 = instrs[i + 1];
|
||||||
|
if (!DotNetUtils.isLdcI4(ldci4_2))
|
||||||
|
continue;
|
||||||
|
var ldci4_3 = instrs[i + 2];
|
||||||
|
if (!DotNetUtils.isLdcI4(ldci4_3))
|
||||||
|
continue;
|
||||||
|
var call = instrs[i + 3];
|
||||||
|
if (call.OpCode.Code != Code.Call)
|
||||||
|
continue;
|
||||||
|
var calledMethod = call.Operand as MethodDefinition;
|
||||||
|
if (calledMethod == null)
|
||||||
|
continue;
|
||||||
|
if (calledMethod != decryptMethod)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
delegateToken = DotNetUtils.getLdcI4Value(ldci4_1);
|
||||||
|
encMethodToken = DotNetUtils.getLdcI4Value(ldci4_2);
|
||||||
|
encDeclaringTypeToken = DotNetUtils.getLdcI4Value(ldci4_3);
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
Loading…
Reference in New Issue
Block a user