Update decrypter and version detecter code

de4dot 2011-10-31 00:09:38 +01:00
parent 11781b2875
commit 6b04c23036
2 changed files with 23 additions and 31 deletions


@ -192,7 +192,7 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
return ".NET Reactor 3.9.8.0"; return ".NET Reactor 3.9.8.0";
} }
var compileMethod = findDnrCompileMethod(methodsDecrypter.MethodsDecrypterMethod.DeclaringType); var compileMethod = MethodsDecrypter.findDnrCompileMethod(methodsDecrypter.MethodsDecrypterMethod.DeclaringType);
if (compileMethod == null) if (compileMethod == null)
return ".NET Reactor < 4.0"; return ".NET Reactor < 4.0";
DeobfuscatedFile.deobfuscate(compileMethod); DeobfuscatedFile.deobfuscate(compileMethod);
@ -219,12 +219,8 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
} }
static bool findString(MethodDefinition method, string s) { static bool findString(MethodDefinition method, string s) {
if (method == null || method.Body == null) foreach (var cs in DotNetUtils.getCodeStrings(method)) {
return false; if (cs == s)
foreach (var instr in method.Body.Instructions) {
if (instr.OpCode.Code != Code.Ldstr)
continue;
if (s == (string)instr.Operand)
return true; return true;
} }
return false; return false;
@ -242,19 +238,6 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
return false; return false;
} }
static MethodDefinition findDnrCompileMethod(TypeDefinition type) {
foreach (var method in type.Methods) {
if (!method.IsStatic || method.Body == null)
continue;
if (method.Parameters.Count != 6)
continue;
if (!DotNetUtils.isMethod(method, "System.UInt32", "(System.UInt64&,System.IntPtr,System.IntPtr,System.UInt32,System.IntPtr&,System.UInt32&)"))
continue;
return method;
}
return null;
}
public override bool getDecryptedModule(ref byte[] newFileData, ref Dictionary<uint, DumpedMethod> dumpedMethods) { public override bool getDecryptedModule(ref byte[] newFileData, ref Dictionary<uint, DumpedMethod> dumpedMethods) {
using (var fileStream = new FileStream(module.FullyQualifiedName, FileMode.Open, FileAccess.Read, FileShare.Read)) { using (var fileStream = new FileStream(module.FullyQualifiedName, FileMode.Open, FileAccess.Read, FileShare.Read)) {
fileData = new byte[(int)fileStream.Length]; fileData = new byte[(int)fileStream.Length];
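Review bot: The rewritten findString no longer rejects a null method or a method without a body before scanning, so it now relies on DotNetUtils.getCodeStrings tolerating both; that helper is not shown on this page. Because the input is an obfuscated assembly whose methods may be missing or body-less, either keep the guard `if (method == null || method.Body == null) return false;` ahead of the loop, or add a comment stating that getCodeStrings yields nothing for those cases. Without one of the two, a lookup that used to return false quietly could instead abort version detection with a NullReferenceException.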


@ -29,8 +29,6 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
class MethodsDecrypter { class MethodsDecrypter {
ModuleDefinition module; ModuleDefinition module;
EncryptedResource encryptedResource; EncryptedResource encryptedResource;
long xorKey;
bool useXorKey;
public bool Detected { public bool Detected {
get { return encryptedResource.ResourceDecrypterMethod != null; } get { return encryptedResource.ResourceDecrypterMethod != null; }
@ -97,13 +95,12 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
return false; return false;
encryptedResource.init(simpleDeobfuscator); encryptedResource.init(simpleDeobfuscator);
initXorKey();
var methodsData = encryptedResource.decrypt(); var methodsData = encryptedResource.decrypt();
ArrayFinder arrayFinder = new ArrayFinder(encryptedResource.ResourceDecrypterMethod); bool hooksJitter = findDnrCompileMethod(encryptedResource.ResourceDecrypterMethod.DeclaringType) != null;
bool hooksJitter = arrayFinder.exists(new byte[] { (byte)'g', (byte)'e', (byte)'t', (byte)'J', (byte)'i', (byte)'t' });
if (useXorKey) { long xorKey;
if (getXorKey(out xorKey)) {
// DNR 4.3, 4.4 // DNR 4.3, 4.4
var stream = new MemoryStream(methodsData); var stream = new MemoryStream(methodsData);
var reader = new BinaryReader(stream); var reader = new BinaryReader(stream);
@ -229,9 +226,7 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
} }
} }
void initXorKey() { bool getXorKey(out long xorKey) {
useXorKey = false;
var instructions = encryptedResource.ResourceDecrypterMethod.Body.Instructions; var instructions = encryptedResource.ResourceDecrypterMethod.Body.Instructions;
for (int i = 0; i < instructions.Count - 1; i++) { for (int i = 0; i < instructions.Count - 1; i++) {
if (instructions[i].OpCode.Code != Code.Ldind_I8) if (instructions[i].OpCode.Code != Code.Ldind_I8)
@ -241,9 +236,23 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
continue; continue;
xorKey = DotNetUtils.getLdcI4Value(ldci4); xorKey = DotNetUtils.getLdcI4Value(ldci4);
useXorKey = true; return true;
return;
} }
xorKey = 0;
return false;
}
public static MethodDefinition findDnrCompileMethod(TypeDefinition type) {
foreach (var method in type.Methods) {
if (!method.IsStatic || method.Body == null)
continue;
if (method.Parameters.Count != 6)
continue;
if (!DotNetUtils.isMethod(method, "System.UInt32", "(System.UInt64&,System.IntPtr,System.IntPtr,System.UInt32,System.IntPtr&,System.UInt32&)"))
continue;
return method;
}
return null;
} }
} }
} }
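Review bot: findDnrCompileMethod is now `public static` and is also called from the version detector, but it has no comment saying what the six-parameter signature identifies or that it returns null when nothing matches. I would add above it something like `// Returns the first static method with a body whose signature matches the expected compile-method hook (presumably the JIT compileMethod callback), or null if the type has none.` It also reads `type.Methods` without checking `type`, so with two callers a guard such as `if (type == null) return null;` at the top would keep a missing decrypter method from surfacing as a NullReferenceException. The new hooksJitter test in this section depends entirely on this exact-signature match, which is worth stating in the same comment.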