Decrypt CO encrypted methods
This commit is contained in:
parent
0a5973e541
commit
64cc8e3856
|
@ -68,6 +68,8 @@
|
|||
<Compile Include="deobfuscators\Babel_NET\MethodBodyReader.cs" />
|
||||
<Compile Include="deobfuscators\Babel_NET\MethodReferenceReader.cs" />
|
||||
<Compile Include="deobfuscators\CryptoObfuscator\CoUtils.cs" />
|
||||
<Compile Include="deobfuscators\CryptoObfuscator\MethodBodyReader.cs" />
|
||||
<Compile Include="deobfuscators\CryptoObfuscator\MethodsDecrypter.cs" />
|
||||
<Compile Include="deobfuscators\dotNET_Reactor\v4\ProxyCallFixer.cs" />
|
||||
<Compile Include="deobfuscators\ILProtector\MethodReader.cs" />
|
||||
<Compile Include="deobfuscators\ILProtector\MethodsDecrypter.cs" />
|
||||
|
|
|
@ -46,6 +46,10 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
}
|
||||
}
|
||||
|
||||
public bool Detected {
|
||||
get { return resolverType != null; }
|
||||
}
|
||||
|
||||
public List<AssemblyInfo> AssemblyInfos {
|
||||
get { return assemblyInfos; }
|
||||
}
|
||||
|
|
|
@ -68,6 +68,7 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
bool foundObfuscatedSymbols = false;
|
||||
bool foundObfuscatorUserString = false;
|
||||
|
||||
MethodsDecrypter methodsDecrypter;
|
||||
ProxyCallFixer proxyCallFixer;
|
||||
ResourceDecrypter resourceDecrypter;
|
||||
ResourceResolver resourceResolver;
|
||||
|
@ -111,7 +112,8 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
protected override int detectInternal() {
|
||||
int val = 0;
|
||||
|
||||
int sum = toInt32(stringDecrypter.Detected) +
|
||||
int sum = toInt32(methodsDecrypter.Detected) +
|
||||
toInt32(stringDecrypter.Detected) +
|
||||
toInt32(tamperDetection.Detected) +
|
||||
toInt32(proxyCallFixer.Detected) +
|
||||
toInt32(constantsDecrypter.Detected);
|
||||
|
@ -134,6 +136,8 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
if (checkCryptoObfuscator())
|
||||
foundObfuscatedSymbols = true;
|
||||
|
||||
methodsDecrypter = new MethodsDecrypter(module);
|
||||
methodsDecrypter.find();
|
||||
proxyCallFixer = new ProxyCallFixer(module);
|
||||
proxyCallFixer.findDelegateCreator();
|
||||
stringDecrypter = new StringDecrypter(module);
|
||||
|
@ -190,6 +194,14 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
DeobfuscatedFile.stringDecryptersAdded();
|
||||
}
|
||||
|
||||
methodsDecrypter.decrypt(resourceDecrypter);
|
||||
|
||||
if (methodsDecrypter.Detected) {
|
||||
if (!assemblyResolver.Detected)
|
||||
assemblyResolver.find();
|
||||
if (!tamperDetection.Detected)
|
||||
tamperDetection.find();
|
||||
}
|
||||
antiDebugger = new AntiDebugger(module, DeobfuscatedFile, this);
|
||||
antiDebugger.find();
|
||||
|
||||
|
@ -217,6 +229,9 @@ namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
|||
addTypeToBeRemoved(assemblyResolver.Type, "Assembly resolver type");
|
||||
addTypeToBeRemoved(tamperDetection.Type, "Tamper detection type");
|
||||
addTypeToBeRemoved(antiDebugger.Type, "Anti-debugger type");
|
||||
addTypeToBeRemoved(methodsDecrypter.Type, "Methods decrypter type");
|
||||
addTypesToBeRemoved(methodsDecrypter.DelegateTypes, "Methods decrypter delegate type");
|
||||
addResourceToBeRemoved(methodsDecrypter.Resource, "Encrypted methods");
|
||||
|
||||
proxyCallFixer.find();
|
||||
|
||||
|
|
118
de4dot.code/deobfuscators/CryptoObfuscator/MethodBodyReader.cs
Normal file
118
de4dot.code/deobfuscators/CryptoObfuscator/MethodBodyReader.cs
Normal file
|
@ -0,0 +1,118 @@
|
|||
/*
|
||||
Copyright (C) 2011-2012 de4dot@gmail.com
|
||||
|
||||
This file is part of de4dot.
|
||||
|
||||
de4dot is free software: you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation, either version 3 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
de4dot is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.IO;
|
||||
using Mono.Cecil;
|
||||
using Mono.Cecil.Cil;
|
||||
using de4dot.blocks;
|
||||
|
||||
namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||
class MethodBodyReader : MethodBodyReaderBase {
|
||||
ModuleDefinition module;
|
||||
ushort maxStackSize;
|
||||
|
||||
public MethodBodyReader(ModuleDefinition module, BinaryReader reader)
|
||||
: base(reader) {
|
||||
this.module = module;
|
||||
}
|
||||
|
||||
public void read(MethodDefinition method) {
|
||||
this.parameters = getParameters(method);
|
||||
this.Locals = getLocals(method);
|
||||
|
||||
maxStackSize = (ushort)reader.ReadInt32();
|
||||
readInstructionsNumBytes(reader.ReadUInt32());
|
||||
readExceptionHandlers();
|
||||
}
|
||||
|
||||
void readExceptionHandlers() {
|
||||
int totalSize = reader.ReadInt32();
|
||||
if (totalSize == 0)
|
||||
return;
|
||||
reader.ReadInt32();
|
||||
readExceptionHandlers((totalSize - 4) / 24);
|
||||
}
|
||||
|
||||
static IList<ParameterDefinition> getParameters(MethodReference method) {
|
||||
return DotNetUtils.getParameters(method);
|
||||
}
|
||||
|
||||
static IList<VariableDefinition> getLocals(MethodDefinition method) {
|
||||
if (method.Body == null)
|
||||
return new List<VariableDefinition>();
|
||||
return new List<VariableDefinition>(method.Body.Variables);
|
||||
}
|
||||
|
||||
protected override FieldReference readInlineField(Instruction instr) {
|
||||
return (FieldReference)module.LookupToken(reader.ReadInt32());
|
||||
}
|
||||
|
||||
protected override MethodReference readInlineMethod(Instruction instr) {
|
||||
return (MethodReference)module.LookupToken(reader.ReadInt32());
|
||||
}
|
||||
|
||||
protected override CallSite readInlineSig(Instruction instr) {
|
||||
return module.ReadCallSite(new MetadataToken(reader.ReadUInt32()));
|
||||
}
|
||||
|
||||
protected override string readInlineString(Instruction instr) {
|
||||
return module.GetUserString(reader.ReadUInt32());
|
||||
}
|
||||
|
||||
protected override MemberReference readInlineTok(Instruction instr) {
|
||||
return (MemberReference)module.LookupToken(reader.ReadInt32());
|
||||
}
|
||||
|
||||
protected override TypeReference readInlineType(Instruction instr) {
|
||||
return (TypeReference)module.LookupToken(reader.ReadInt32());
|
||||
}
|
||||
|
||||
protected override ExceptionHandler readExceptionHandler() {
|
||||
var eh = new ExceptionHandler((ExceptionHandlerType)reader.ReadInt32());
|
||||
|
||||
int tryOffset = reader.ReadInt32();
|
||||
eh.TryStart = getInstruction(tryOffset);
|
||||
eh.TryEnd = getInstructionOrNull(tryOffset + reader.ReadInt32());
|
||||
|
||||
int handlerOffset = reader.ReadInt32();
|
||||
eh.HandlerStart = getInstruction(handlerOffset);
|
||||
eh.HandlerEnd = getInstructionOrNull(handlerOffset + reader.ReadInt32());
|
||||
|
||||
switch (eh.HandlerType) {
|
||||
case ExceptionHandlerType.Catch:
|
||||
eh.CatchType = (TypeReference)module.LookupToken(reader.ReadInt32());
|
||||
break;
|
||||
|
||||
case ExceptionHandlerType.Filter:
|
||||
eh.FilterStart = getInstruction(reader.ReadInt32());
|
||||
break;
|
||||
|
||||
case ExceptionHandlerType.Finally:
|
||||
case ExceptionHandlerType.Fault:
|
||||
default:
|
||||
reader.ReadInt32();
|
||||
break;
|
||||
}
|
||||
|
||||
return eh;
|
||||
}
|
||||
}
|
||||
}
|
205
de4dot.code/deobfuscators/CryptoObfuscator/MethodsDecrypter.cs
Normal file
205
de4dot.code/deobfuscators/CryptoObfuscator/MethodsDecrypter.cs
Normal file
|
@ -0,0 +1,205 @@
|
|||
/*
|
||||
Copyright (C) 2011-2012 de4dot@gmail.com
|
||||
|
||||
This file is part of de4dot.
|
||||
|
||||
de4dot is free software: you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation, either version 3 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
de4dot is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.IO;
|
||||
using Mono.Cecil;
|
||||
using Mono.Cecil.Cil;
|
||||
using de4dot.blocks;
|
||||
|
||||
namespace de4dot.code.deobfuscators.CryptoObfuscator {
|
||||
class MethodsDecrypter {
|
||||
ModuleDefinition module;
|
||||
TypeDefinition decrypterType;
|
||||
MethodDefinition decryptMethod;
|
||||
MethodDefinition decrypterCctor;
|
||||
EmbeddedResource resource;
|
||||
List<TypeDefinition> delegateTypes = new List<TypeDefinition>();
|
||||
|
||||
public TypeDefinition Type {
|
||||
get { return decrypterType; }
|
||||
}
|
||||
|
||||
public IEnumerable<TypeDefinition> DelegateTypes {
|
||||
get { return delegateTypes; }
|
||||
}
|
||||
|
||||
public EmbeddedResource Resource {
|
||||
get { return resource; }
|
||||
}
|
||||
|
||||
public bool Detected {
|
||||
get { return decrypterType != null; }
|
||||
}
|
||||
|
||||
public MethodsDecrypter(ModuleDefinition module) {
|
||||
this.module = module;
|
||||
}
|
||||
|
||||
public void find() {
|
||||
foreach (var type in module.Types) {
|
||||
if (check(type))
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
static readonly string[] requiredFields = new string[] {
|
||||
"System.Byte[]",
|
||||
"System.Collections.Generic.Dictionary`2<System.Int32,System.Int32>",
|
||||
"System.ModuleHandle",
|
||||
};
|
||||
bool check(TypeDefinition type) {
|
||||
if (type.NestedTypes.Count != 1)
|
||||
return false;
|
||||
if (type.Fields.Count != 3)
|
||||
return false;
|
||||
if (!new FieldTypes(type).all(requiredFields))
|
||||
return false;
|
||||
|
||||
var cctor = DotNetUtils.getMethod(type, ".cctor");
|
||||
if (cctor == null)
|
||||
return false;
|
||||
var decryptMethodTmp = findDecryptMethod(type);
|
||||
if (decryptMethodTmp == null)
|
||||
return false;
|
||||
|
||||
decryptMethod = decryptMethodTmp;
|
||||
decrypterCctor = cctor;
|
||||
decrypterType = type;
|
||||
return true;
|
||||
}
|
||||
|
||||
static readonly string[] requiredLocals = new string[] {
|
||||
"System.Delegate",
|
||||
"System.ModuleHandle",
|
||||
"System.Reflection.Emit.DynamicILInfo",
|
||||
"System.Reflection.Emit.DynamicMethod",
|
||||
"System.Reflection.FieldInfo",
|
||||
"System.Reflection.FieldInfo[]",
|
||||
"System.Reflection.MethodBase",
|
||||
"System.Reflection.MethodBody",
|
||||
"System.Type",
|
||||
"System.Type[]",
|
||||
};
|
||||
static MethodDefinition findDecryptMethod(TypeDefinition type) {
|
||||
foreach (var method in type.Methods) {
|
||||
if (!method.IsStatic || method.Body == null)
|
||||
continue;
|
||||
if (!new LocalTypes(method).all(requiredLocals))
|
||||
continue;
|
||||
if (!DotNetUtils.isMethod(method, "System.Void", "(System.Int32,System.Int32,System.Int32)"))
|
||||
continue;
|
||||
|
||||
return method;
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
public void decrypt(ResourceDecrypter resourceDecrypter) {
|
||||
if (decryptMethod == null)
|
||||
return;
|
||||
|
||||
resource = CoUtils.getResource(module, decrypterCctor);
|
||||
if (resource == null)
|
||||
return;
|
||||
var decrypted = resourceDecrypter.decrypt(resource.GetResourceStream());
|
||||
var reader = new BinaryReader(new MemoryStream(decrypted));
|
||||
int numEncrypted = reader.ReadInt32();
|
||||
Log.v("Restoring {0} encrypted methods", numEncrypted);
|
||||
Log.indent();
|
||||
for (int i = 0; i < numEncrypted; i++) {
|
||||
int delegateTypeToken = reader.ReadInt32();
|
||||
uint codeOffset = reader.ReadUInt32();
|
||||
var origOffset = reader.BaseStream.Position;
|
||||
reader.BaseStream.Position = codeOffset;
|
||||
decrypt(reader, delegateTypeToken);
|
||||
reader.BaseStream.Position = origOffset;
|
||||
}
|
||||
Log.deIndent();
|
||||
}
|
||||
|
||||
void decrypt(BinaryReader reader, int delegateTypeToken) {
|
||||
var delegateType = module.LookupToken(delegateTypeToken) as TypeDefinition;
|
||||
if (delegateType == null)
|
||||
throw new ApplicationException("Couldn't find delegate type");
|
||||
|
||||
int delToken, encMethToken, encDeclToken;
|
||||
if (!getTokens(delegateType, out delToken, out encMethToken, out encDeclToken))
|
||||
throw new ApplicationException("Could not find encrypted method tokens");
|
||||
if (delToken != delegateTypeToken)
|
||||
throw new ApplicationException("Invalid delegate type token");
|
||||
var encType = module.LookupToken(encDeclToken) as TypeReference;
|
||||
if (encType == null)
|
||||
throw new ApplicationException("Invalid declaring type token");
|
||||
var encMethod = module.LookupToken(encMethToken) as MethodDefinition;
|
||||
if (encMethod == null)
|
||||
throw new ApplicationException("Invalid encrypted method token");
|
||||
|
||||
var bodyReader = new MethodBodyReader(module, reader);
|
||||
bodyReader.read(encMethod);
|
||||
bodyReader.restoreMethod(encMethod);
|
||||
Log.v("Restored method {0} ({1:X8}). Instrs:{2}, Locals:{3}, Exceptions:{4}",
|
||||
Utils.removeNewlines(encMethod.FullName),
|
||||
encMethod.MetadataToken.ToInt32(),
|
||||
encMethod.Body.Instructions.Count,
|
||||
encMethod.Body.Variables.Count,
|
||||
encMethod.Body.ExceptionHandlers.Count);
|
||||
delegateTypes.Add(delegateType);
|
||||
}
|
||||
|
||||
bool getTokens(TypeDefinition delegateType, out int delegateToken, out int encMethodToken, out int encDeclaringTypeToken) {
|
||||
delegateToken = 0;
|
||||
encMethodToken = 0;
|
||||
encDeclaringTypeToken = 0;
|
||||
|
||||
var cctor = DotNetUtils.getMethod(delegateType, ".cctor");
|
||||
if (cctor == null)
|
||||
return false;
|
||||
|
||||
var instrs = cctor.Body.Instructions;
|
||||
for (int i = 0; i < instrs.Count - 4; i++) {
|
||||
var ldci4_1 = instrs[i];
|
||||
if (!DotNetUtils.isLdcI4(ldci4_1))
|
||||
continue;
|
||||
var ldci4_2 = instrs[i + 1];
|
||||
if (!DotNetUtils.isLdcI4(ldci4_2))
|
||||
continue;
|
||||
var ldci4_3 = instrs[i + 2];
|
||||
if (!DotNetUtils.isLdcI4(ldci4_3))
|
||||
continue;
|
||||
var call = instrs[i + 3];
|
||||
if (call.OpCode.Code != Code.Call)
|
||||
continue;
|
||||
var calledMethod = call.Operand as MethodDefinition;
|
||||
if (calledMethod == null)
|
||||
continue;
|
||||
if (calledMethod != decryptMethod)
|
||||
continue;
|
||||
|
||||
delegateToken = DotNetUtils.getLdcI4Value(ldci4_1);
|
||||
encMethodToken = DotNetUtils.getLdcI4Value(ldci4_2);
|
||||
encDeclaringTypeToken = DotNetUtils.getLdcI4Value(ldci4_3);
|
||||
return true;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
}
|
||||
}
|
Loading…
Reference in New Issue
Block a user