Update decrypter and version detecter code
parent
11781b2875
commit
6b04c23036
|
@ -192,7 +192,7 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
|
||||||
return ".NET Reactor 3.9.8.0";
|
return ".NET Reactor 3.9.8.0";
|
||||||
}
|
}
|
||||||
|
|
||||||
var compileMethod = findDnrCompileMethod(methodsDecrypter.MethodsDecrypterMethod.DeclaringType);
|
var compileMethod = MethodsDecrypter.findDnrCompileMethod(methodsDecrypter.MethodsDecrypterMethod.DeclaringType);
|
||||||
if (compileMethod == null)
|
if (compileMethod == null)
|
||||||
return ".NET Reactor < 4.0";
|
return ".NET Reactor < 4.0";
|
||||||
DeobfuscatedFile.deobfuscate(compileMethod);
|
DeobfuscatedFile.deobfuscate(compileMethod);
|
||||||
|
@ -219,12 +219,8 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool findString(MethodDefinition method, string s) {
|
static bool findString(MethodDefinition method, string s) {
|
||||||
if (method == null || method.Body == null)
|
foreach (var cs in DotNetUtils.getCodeStrings(method)) {
|
||||||
return false;
|
if (cs == s)
|
||||||
foreach (var instr in method.Body.Instructions) {
|
|
||||||
if (instr.OpCode.Code != Code.Ldstr)
|
|
||||||
continue;
|
|
||||||
if (s == (string)instr.Operand)
|
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
return false;
|
return false;
|
||||||
|
@ -242,19 +238,6 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
static MethodDefinition findDnrCompileMethod(TypeDefinition type) {
|
|
||||||
foreach (var method in type.Methods) {
|
|
||||||
if (!method.IsStatic || method.Body == null)
|
|
||||||
continue;
|
|
||||||
if (method.Parameters.Count != 6)
|
|
||||||
continue;
|
|
||||||
if (!DotNetUtils.isMethod(method, "System.UInt32", "(System.UInt64&,System.IntPtr,System.IntPtr,System.UInt32,System.IntPtr&,System.UInt32&)"))
|
|
||||||
continue;
|
|
||||||
return method;
|
|
||||||
}
|
|
||||||
return null;
|
|
||||||
}
|
|
||||||
|
|
||||||
public override bool getDecryptedModule(ref byte[] newFileData, ref Dictionary<uint, DumpedMethod> dumpedMethods) {
|
public override bool getDecryptedModule(ref byte[] newFileData, ref Dictionary<uint, DumpedMethod> dumpedMethods) {
|
||||||
using (var fileStream = new FileStream(module.FullyQualifiedName, FileMode.Open, FileAccess.Read, FileShare.Read)) {
|
using (var fileStream = new FileStream(module.FullyQualifiedName, FileMode.Open, FileAccess.Read, FileShare.Read)) {
|
||||||
fileData = new byte[(int)fileStream.Length];
|
fileData = new byte[(int)fileStream.Length];
|
||||||
|
|
|
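Review bot: The rewritten `findString` drops the `method == null || method.Body == null` guard, so it now depends on `DotNetUtils.getCodeStrings` tolerating a null method or a method without a body; that helper is not visible in this commit. The assemblies this version detector inspects are obfuscated and untrusted, so body-less methods (abstract, P/Invoke, stripped) are ordinary input here rather than an exceptional case. Unless `getCodeStrings` is known to return an empty sequence for those inputs, keep the early return `if (method == null || method.Body == null) return false;` ahead of the `foreach`, so that a crafted sample cannot abort detection with a `NullReferenceException`.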
@ -29,8 +29,6 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
|
||||||
class MethodsDecrypter {
|
class MethodsDecrypter {
|
||||||
ModuleDefinition module;
|
ModuleDefinition module;
|
||||||
EncryptedResource encryptedResource;
|
EncryptedResource encryptedResource;
|
||||||
long xorKey;
|
|
||||||
bool useXorKey;
|
|
||||||
|
|
||||||
public bool Detected {
|
public bool Detected {
|
||||||
get { return encryptedResource.ResourceDecrypterMethod != null; }
|
get { return encryptedResource.ResourceDecrypterMethod != null; }
|
||||||
|
@ -97,13 +95,12 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
encryptedResource.init(simpleDeobfuscator);
|
encryptedResource.init(simpleDeobfuscator);
|
||||||
initXorKey();
|
|
||||||
var methodsData = encryptedResource.decrypt();
|
var methodsData = encryptedResource.decrypt();
|
||||||
|
|
||||||
ArrayFinder arrayFinder = new ArrayFinder(encryptedResource.ResourceDecrypterMethod);
|
bool hooksJitter = findDnrCompileMethod(encryptedResource.ResourceDecrypterMethod.DeclaringType) != null;
|
||||||
bool hooksJitter = arrayFinder.exists(new byte[] { (byte)'g', (byte)'e', (byte)'t', (byte)'J', (byte)'i', (byte)'t' });
|
|
||||||
|
|
||||||
if (useXorKey) {
|
long xorKey;
|
||||||
|
if (getXorKey(out xorKey)) {
|
||||||
// DNR 4.3, 4.4
|
// DNR 4.3, 4.4
|
||||||
var stream = new MemoryStream(methodsData);
|
var stream = new MemoryStream(methodsData);
|
||||||
var reader = new BinaryReader(stream);
|
var reader = new BinaryReader(stream);
|
||||||
|
@ -229,9 +226,7 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
void initXorKey() {
|
bool getXorKey(out long xorKey) {
|
||||||
useXorKey = false;
|
|
||||||
|
|
||||||
var instructions = encryptedResource.ResourceDecrypterMethod.Body.Instructions;
|
var instructions = encryptedResource.ResourceDecrypterMethod.Body.Instructions;
|
||||||
for (int i = 0; i < instructions.Count - 1; i++) {
|
for (int i = 0; i < instructions.Count - 1; i++) {
|
||||||
if (instructions[i].OpCode.Code != Code.Ldind_I8)
|
if (instructions[i].OpCode.Code != Code.Ldind_I8)
|
||||||
|
@ -241,9 +236,23 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
xorKey = DotNetUtils.getLdcI4Value(ldci4);
|
xorKey = DotNetUtils.getLdcI4Value(ldci4);
|
||||||
useXorKey = true;
|
return true;
|
||||||
return;
|
|
||||||
}
|
}
|
||||||
|
xorKey = 0;
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
public static MethodDefinition findDnrCompileMethod(TypeDefinition type) {
|
||||||
|
foreach (var method in type.Methods) {
|
||||||
|
if (!method.IsStatic || method.Body == null)
|
||||||
|
continue;
|
||||||
|
if (method.Parameters.Count != 6)
|
||||||
|
continue;
|
||||||
|
if (!DotNetUtils.isMethod(method, "System.UInt32", "(System.UInt64&,System.IntPtr,System.IntPtr,System.UInt32,System.IntPtr&,System.UInt32&)"))
|
||||||
|
continue;
|
||||||
|
return method;
|
||||||
|
}
|
||||||
|
return null;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
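Review bot: `hooksJitter` is now decided solely by whether the resource decrypter's declaring type contains a static six-parameter method with one exact signature, and the relocated `findDnrCompileMethod` carries no comment saying so. The input is a protected, untrusted assembly, and the flag presumably selects how `methodsData` is interpreted (that code lies outside the visible hunks), so a false match or a missed match changes the parsing path for data the sample controls. I would add a comment above the method such as `// Heuristic: a static method with this exact signature is taken to be DNR's JIT compile hook; callers use a non-null result as "hooks the jitter".` Since the method is now `public static` and called from another class, it should also start with `if (type == null) return null;` because `type.Methods` is dereferenced unconditionally.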