Decrypt some DNR 4.0 non-native obfuscated assemblies
This commit is contained in:
parent
1fbe902ed1
commit
6bde8b8b20
|
@ -70,6 +70,8 @@
|
||||||
<Compile Include="deobfuscators\DeobUtils.cs" />
|
<Compile Include="deobfuscators\DeobUtils.cs" />
|
||||||
<Compile Include="deobfuscators\Dotfuscator\Deobfuscator.cs" />
|
<Compile Include="deobfuscators\Dotfuscator\Deobfuscator.cs" />
|
||||||
<Compile Include="deobfuscators\dotNET_Reactor\Deobfuscator.cs" />
|
<Compile Include="deobfuscators\dotNET_Reactor\Deobfuscator.cs" />
|
||||||
|
<Compile Include="deobfuscators\dotNET_Reactor\EncryptedResource.cs" />
|
||||||
|
<Compile Include="deobfuscators\dotNET_Reactor\LocalTypes.cs" />
|
||||||
<Compile Include="deobfuscators\dotNET_Reactor\MethodsDecrypter.cs" />
|
<Compile Include="deobfuscators\dotNET_Reactor\MethodsDecrypter.cs" />
|
||||||
<Compile Include="deobfuscators\Eazfuscator\Deobfuscator.cs" />
|
<Compile Include="deobfuscators\Eazfuscator\Deobfuscator.cs" />
|
||||||
<Compile Include="deobfuscators\ExceptionLoggerRemover.cs" />
|
<Compile Include="deobfuscators\ExceptionLoggerRemover.cs" />
|
||||||
|
|
|
@ -86,6 +86,17 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
|
||||||
methodsDecrypter.find();
|
methodsDecrypter.find();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public override byte[] getDecryptedModule() {
|
||||||
|
return methodsDecrypter.decrypt(DeobfuscatedFile);
|
||||||
|
}
|
||||||
|
|
||||||
|
public override IDeobfuscator moduleReloaded(ModuleDefinition module) {
|
||||||
|
var newOne = new Deobfuscator(options);
|
||||||
|
newOne.setModule(module);
|
||||||
|
newOne.methodsDecrypter = new MethodsDecrypter(module, methodsDecrypter);
|
||||||
|
return newOne;
|
||||||
|
}
|
||||||
|
|
||||||
public override void deobfuscateBegin() {
|
public override void deobfuscateBegin() {
|
||||||
base.deobfuscateBegin();
|
base.deobfuscateBegin();
|
||||||
}
|
}
|
||||||
|
|
191
de4dot.code/deobfuscators/dotNET_Reactor/EncryptedResource.cs
Normal file
191
de4dot.code/deobfuscators/dotNET_Reactor/EncryptedResource.cs
Normal file
|
@ -0,0 +1,191 @@
|
||||||
|
/*
|
||||||
|
Copyright (C) 2011 de4dot@gmail.com
|
||||||
|
|
||||||
|
This file is part of de4dot.
|
||||||
|
|
||||||
|
de4dot is free software: you can redistribute it and/or modify
|
||||||
|
it under the terms of the GNU General Public License as published by
|
||||||
|
the Free Software Foundation, either version 3 of the License, or
|
||||||
|
(at your option) any later version.
|
||||||
|
|
||||||
|
de4dot is distributed in the hope that it will be useful,
|
||||||
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
GNU General Public License for more details.
|
||||||
|
|
||||||
|
You should have received a copy of the GNU General Public License
|
||||||
|
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*/
|
||||||
|
|
||||||
|
using System;
|
||||||
|
using System.IO;
|
||||||
|
using System.Collections.Generic;
|
||||||
|
using System.Security.Cryptography;
|
||||||
|
using Mono.Cecil;
|
||||||
|
using Mono.Cecil.Cil;
|
||||||
|
using de4dot.blocks;
|
||||||
|
using de4dot.blocks.cflow;
|
||||||
|
|
||||||
|
namespace de4dot.deobfuscators.dotNET_Reactor {
|
||||||
|
class EncryptedResource {
|
||||||
|
ModuleDefinition module;
|
||||||
|
MethodDefinition resourceDecrypterMethod;
|
||||||
|
EmbeddedResource encryptedDataResource;
|
||||||
|
byte[] key, iv;
|
||||||
|
|
||||||
|
public MethodDefinition ResourceDecrypterMethod {
|
||||||
|
get { return resourceDecrypterMethod; }
|
||||||
|
set { resourceDecrypterMethod = value; }
|
||||||
|
}
|
||||||
|
|
||||||
|
public EncryptedResource(ModuleDefinition module) {
|
||||||
|
this.module = module;
|
||||||
|
}
|
||||||
|
|
||||||
|
public EncryptedResource(ModuleDefinition module, EncryptedResource oldOne) {
|
||||||
|
this.module = module;
|
||||||
|
resourceDecrypterMethod = module.LookupToken(oldOne.resourceDecrypterMethod.MetadataToken.ToInt32()) as MethodDefinition;
|
||||||
|
encryptedDataResource = DotNetUtils.getResource(module, oldOne.encryptedDataResource.Name) as EmbeddedResource;
|
||||||
|
key = oldOne.key;
|
||||||
|
iv = oldOne.iv;
|
||||||
|
|
||||||
|
if (resourceDecrypterMethod == null || encryptedDataResource == null || key == null || iv == null)
|
||||||
|
throw new ApplicationException("Could not initialize EncryptedResource");
|
||||||
|
}
|
||||||
|
|
||||||
|
public bool couldBeResourceDecrypter(MethodDefinition method) {
|
||||||
|
if (!method.IsStatic)
|
||||||
|
return false;
|
||||||
|
if (method.Body == null)
|
||||||
|
return false;
|
||||||
|
if (method.Body.Instructions.Count < 1000)
|
||||||
|
return false;
|
||||||
|
|
||||||
|
var localTypes = new LocalTypes(method.Body.Variables);
|
||||||
|
var requiredTypes = new string[] {
|
||||||
|
"System.Byte[]",
|
||||||
|
"System.Diagnostics.StackFrame",
|
||||||
|
"System.IntPtr",
|
||||||
|
"System.IO.BinaryReader",
|
||||||
|
"System.IO.MemoryStream",
|
||||||
|
"System.Reflection.Assembly",
|
||||||
|
"System.Security.Cryptography.CryptoStream",
|
||||||
|
"System.Security.Cryptography.ICryptoTransform",
|
||||||
|
"System.Security.Cryptography.RijndaelManaged",
|
||||||
|
};
|
||||||
|
if (!localTypes.all(requiredTypes))
|
||||||
|
return false;
|
||||||
|
|
||||||
|
if (findMethodsDecrypterResource(method) == null)
|
||||||
|
return false;
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void init(ISimpleDeobfuscator simpleDeobfuscator) {
|
||||||
|
if (resourceDecrypterMethod == null)
|
||||||
|
return;
|
||||||
|
|
||||||
|
simpleDeobfuscator.deobfuscate(resourceDecrypterMethod);
|
||||||
|
|
||||||
|
encryptedDataResource = findMethodsDecrypterResource(resourceDecrypterMethod);
|
||||||
|
if (encryptedDataResource == null)
|
||||||
|
throw new ApplicationException("Could not find encrypted resource");
|
||||||
|
|
||||||
|
key = initArray(resourceDecrypterMethod, 32);
|
||||||
|
if (key == null)
|
||||||
|
throw new ApplicationException("Could not find resource decrypter key");
|
||||||
|
iv = initArray(resourceDecrypterMethod, 16);
|
||||||
|
if (iv == null)
|
||||||
|
throw new ApplicationException("Could not find resource decrypter IV");
|
||||||
|
var publicKeyToken = module.Assembly.Name.PublicKeyToken;
|
||||||
|
if (publicKeyToken != null) {
|
||||||
|
for (int i = 0; i < 8; i++)
|
||||||
|
iv[i * 2 + 1] = publicKeyToken[i];
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
EmbeddedResource findMethodsDecrypterResource(MethodDefinition method) {
|
||||||
|
foreach (var s in DotNetUtils.getCodeStrings(method)) {
|
||||||
|
var resource = DotNetUtils.getResource(module, s) as EmbeddedResource;
|
||||||
|
if (resource != null)
|
||||||
|
return resource;
|
||||||
|
}
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
static byte[] initArray(MethodDefinition method, int arraySize) {
|
||||||
|
int newarrIndex = findNewarr(method, arraySize);
|
||||||
|
if (newarrIndex < 0)
|
||||||
|
return null;
|
||||||
|
|
||||||
|
var resultValueArray = new Value[arraySize];
|
||||||
|
|
||||||
|
var emulator = new InstructionEmulator(method.HasThis, false, method.Parameters, method.Body.Variables);
|
||||||
|
var theArray = new UnknownValue();
|
||||||
|
emulator.push(theArray);
|
||||||
|
|
||||||
|
var instructions = method.Body.Instructions;
|
||||||
|
for (int i = newarrIndex + 1; i < instructions.Count; i++) {
|
||||||
|
var instr = instructions[i];
|
||||||
|
if (instr.OpCode.FlowControl != FlowControl.Next)
|
||||||
|
break;
|
||||||
|
if (instr.OpCode.Code == Code.Newarr)
|
||||||
|
break;
|
||||||
|
|
||||||
|
if (instr.OpCode.Code == Code.Stelem_I1) {
|
||||||
|
var value = emulator.pop();
|
||||||
|
var index = emulator.pop() as Int32Value;
|
||||||
|
var array = emulator.pop();
|
||||||
|
if (ReferenceEquals(array, theArray) && index != null && index.allBitsValid()) {
|
||||||
|
if (0 <= index.value && index.value < resultValueArray.Length)
|
||||||
|
resultValueArray[index.value] = value;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else
|
||||||
|
emulator.emulate(instr);
|
||||||
|
}
|
||||||
|
|
||||||
|
byte[] resultArray = new byte[resultValueArray.Length];
|
||||||
|
for (int i = 0; i < resultArray.Length; i++) {
|
||||||
|
var intValue = resultValueArray[i] as Int32Value;
|
||||||
|
if (intValue == null || !intValue.allBitsValid())
|
||||||
|
return null;
|
||||||
|
resultArray[i] = (byte)intValue.value;
|
||||||
|
}
|
||||||
|
|
||||||
|
return resultArray;
|
||||||
|
}
|
||||||
|
|
||||||
|
static int findNewarr(MethodDefinition method, int arraySize) {
|
||||||
|
var instructions = method.Body.Instructions;
|
||||||
|
for (int i = 0; i < instructions.Count; i++) {
|
||||||
|
var instr = instructions[i];
|
||||||
|
if (instr.OpCode.Code != Code.Newarr || i < 1)
|
||||||
|
continue;
|
||||||
|
var ldci4 = instructions[i - 1];
|
||||||
|
if (!DotNetUtils.isLdcI4(ldci4))
|
||||||
|
continue;
|
||||||
|
if (DotNetUtils.getLdcI4Value(ldci4) != arraySize)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
return i;
|
||||||
|
}
|
||||||
|
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
public byte[] decrypt() {
|
||||||
|
if (encryptedDataResource == null || key == null || iv == null)
|
||||||
|
throw new ApplicationException("Can't decrypt resource");
|
||||||
|
|
||||||
|
using (var aes = new RijndaelManaged()) {
|
||||||
|
aes.Mode = CipherMode.CBC;
|
||||||
|
using (var transform = aes.CreateDecryptor(key, iv)) {
|
||||||
|
var encryptedData = encryptedDataResource.GetResourceData();
|
||||||
|
return transform.TransformFinalBlock(encryptedData, 0, encryptedData.Length);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
55
de4dot.code/deobfuscators/dotNET_Reactor/LocalTypes.cs
Normal file
55
de4dot.code/deobfuscators/dotNET_Reactor/LocalTypes.cs
Normal file
|
@ -0,0 +1,55 @@
|
||||||
|
/*
|
||||||
|
Copyright (C) 2011 de4dot@gmail.com
|
||||||
|
|
||||||
|
This file is part of de4dot.
|
||||||
|
|
||||||
|
de4dot is free software: you can redistribute it and/or modify
|
||||||
|
it under the terms of the GNU General Public License as published by
|
||||||
|
the Free Software Foundation, either version 3 of the License, or
|
||||||
|
(at your option) any later version.
|
||||||
|
|
||||||
|
de4dot is distributed in the hope that it will be useful,
|
||||||
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
GNU General Public License for more details.
|
||||||
|
|
||||||
|
You should have received a copy of the GNU General Public License
|
||||||
|
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*/
|
||||||
|
|
||||||
|
using System;
|
||||||
|
using System.Collections.Generic;
|
||||||
|
using Mono.Cecil.Cil;
|
||||||
|
|
||||||
|
namespace de4dot.deobfuscators.dotNET_Reactor {
|
||||||
|
class LocalTypes {
|
||||||
|
Dictionary<string, int> localTypes = new Dictionary<string, int>(StringComparer.Ordinal);
|
||||||
|
|
||||||
|
public LocalTypes(IList<VariableDefinition> locals) {
|
||||||
|
foreach (var local in locals) {
|
||||||
|
var key = local.VariableType.FullName;
|
||||||
|
int count;
|
||||||
|
localTypes.TryGetValue(key, out count);
|
||||||
|
localTypes[key] = count + 1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
public bool exists(string typeFullName) {
|
||||||
|
return localTypes.ContainsKey(typeFullName);
|
||||||
|
}
|
||||||
|
|
||||||
|
public bool all(string[] types) {
|
||||||
|
foreach (var typeName in types) {
|
||||||
|
if (!exists(typeName))
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
public int count(string typeFullName) {
|
||||||
|
int count;
|
||||||
|
localTypes.TryGetValue(typeFullName, out count);
|
||||||
|
return count;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
@ -19,20 +19,30 @@
|
||||||
|
|
||||||
using System;
|
using System;
|
||||||
using System.Collections.Generic;
|
using System.Collections.Generic;
|
||||||
|
using System.IO;
|
||||||
using Mono.Cecil;
|
using Mono.Cecil;
|
||||||
|
using Mono.Cecil.Cil;
|
||||||
using de4dot.blocks;
|
using de4dot.blocks;
|
||||||
|
|
||||||
namespace de4dot.deobfuscators.dotNET_Reactor {
|
namespace de4dot.deobfuscators.dotNET_Reactor {
|
||||||
class MethodsDecrypter {
|
class MethodsDecrypter {
|
||||||
ModuleDefinition module;
|
ModuleDefinition module;
|
||||||
MethodDefinition methodsDecrypterMethod;
|
EncryptedResource encryptedResource;
|
||||||
|
long xorKey;
|
||||||
|
bool useXorKey;
|
||||||
|
|
||||||
public bool Detected {
|
public bool Detected {
|
||||||
get { return methodsDecrypterMethod != null; }
|
get { return encryptedResource.ResourceDecrypterMethod != null; }
|
||||||
}
|
}
|
||||||
|
|
||||||
public MethodsDecrypter(ModuleDefinition module) {
|
public MethodsDecrypter(ModuleDefinition module) {
|
||||||
this.module = module;
|
this.module = module;
|
||||||
|
this.encryptedResource = new EncryptedResource(module);
|
||||||
|
}
|
||||||
|
|
||||||
|
public MethodsDecrypter(ModuleDefinition module, MethodsDecrypter oldOne) {
|
||||||
|
this.module = module;
|
||||||
|
this.encryptedResource = new EncryptedResource(module, oldOne.encryptedResource);
|
||||||
}
|
}
|
||||||
|
|
||||||
public void find() {
|
public void find() {
|
||||||
|
@ -40,66 +50,107 @@ namespace de4dot.deobfuscators.dotNET_Reactor {
|
||||||
var callCounter = new CallCounter();
|
var callCounter = new CallCounter();
|
||||||
int typesLeft = 30;
|
int typesLeft = 30;
|
||||||
foreach (var type in module.GetTypes()) {
|
foreach (var type in module.GetTypes()) {
|
||||||
if (typesLeft-- <= 0)
|
|
||||||
break;
|
|
||||||
var cctor = DotNetUtils.getMethod(type, ".cctor");
|
var cctor = DotNetUtils.getMethod(type, ".cctor");
|
||||||
if (cctor == null || cctor.Body == null)
|
if (cctor == null || cctor.Body == null)
|
||||||
continue;
|
continue;
|
||||||
|
if (typesLeft-- <= 0)
|
||||||
|
break;
|
||||||
|
|
||||||
foreach (var info in DotNetUtils.getCalledMethods(module, cctor)) {
|
foreach (var info in DotNetUtils.getCalledMethods(module, cctor)) {
|
||||||
var method = info.Item2;
|
var method = info.Item2;
|
||||||
var key = new MethodReferenceAndDeclaringTypeKey(method);
|
var key = new MethodReferenceAndDeclaringTypeKey(method);
|
||||||
if (!checkedMethods.ContainsKey(key)) {
|
if (!checkedMethods.ContainsKey(key)) {
|
||||||
checkedMethods[key] = true;
|
checkedMethods[key] = true;
|
||||||
if (!couldBeMethodsDecrypter(method))
|
if (!DotNetUtils.isMethod(method, "System.Void", "()"))
|
||||||
|
continue;
|
||||||
|
if (!encryptedResource.couldBeResourceDecrypter(method))
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
callCounter.add(method);
|
callCounter.add(method);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
methodsDecrypterMethod = (MethodDefinition)callCounter.most();
|
encryptedResource.ResourceDecrypterMethod = (MethodDefinition)callCounter.most();
|
||||||
}
|
}
|
||||||
|
|
||||||
bool couldBeMethodsDecrypter(MethodDefinition method) {
|
public byte[] decrypt(ISimpleDeobfuscator simpleDeobfuscator) {
|
||||||
if (!method.IsStatic)
|
if (encryptedResource.ResourceDecrypterMethod == null)
|
||||||
return false;
|
return null;
|
||||||
if (method.Body == null)
|
|
||||||
return false;
|
|
||||||
if (method.Body.Instructions.Count < 2000)
|
|
||||||
return false;
|
|
||||||
|
|
||||||
var localTypes = new Dictionary<string, bool>(StringComparer.Ordinal);
|
encryptedResource.init(simpleDeobfuscator);
|
||||||
foreach (var local in method.Body.Variables)
|
initXorKey();
|
||||||
localTypes[local.VariableType.FullName] = true;
|
var methodsData = encryptedResource.decrypt();
|
||||||
var requiredTypes = new string[] {
|
|
||||||
"System.Byte[]",
|
if (useXorKey) {
|
||||||
"System.Diagnostics.StackFrame",
|
var stream = new MemoryStream(methodsData);
|
||||||
"System.IntPtr",
|
var reader = new BinaryReader(stream);
|
||||||
"System.IO.BinaryReader",
|
var writer = new BinaryWriter(stream);
|
||||||
"System.IO.MemoryStream",
|
int count = methodsData.Length / 8;
|
||||||
"System.Reflection.Assembly",
|
for (int i = 0; i < count; i++) {
|
||||||
"System.Security.Cryptography.CryptoStream",
|
long val = reader.ReadInt64();
|
||||||
"System.Security.Cryptography.ICryptoTransform",
|
val ^= xorKey;
|
||||||
"System.Security.Cryptography.RijndaelManaged",
|
stream.Position -= 8;
|
||||||
};
|
writer.Write(val);
|
||||||
foreach (var typeName in requiredTypes) {
|
}
|
||||||
if (!localTypes.ContainsKey(typeName))
|
|
||||||
return false;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!isResourceString(DotNetUtils.getCodeStrings(method)))
|
using (var fileStream = new FileStream(module.FullyQualifiedName, FileMode.Open, FileAccess.Read, FileShare.Read)) {
|
||||||
return false;
|
byte[] fileData = new byte[(int)fileStream.Length];
|
||||||
|
fileStream.Read(fileData, 0, fileData.Length);
|
||||||
|
var peImage = new PE.PeImage(fileData);
|
||||||
|
|
||||||
return true;
|
var methodsDataReader = new BinaryReader(new MemoryStream(methodsData));
|
||||||
|
int patchCount = methodsDataReader.ReadInt32();
|
||||||
|
int mode = methodsDataReader.ReadInt32();
|
||||||
|
if (!useXorKey || mode == 1) {
|
||||||
|
for (int i = 0; i < patchCount; i++) {
|
||||||
|
uint rva = methodsDataReader.ReadUInt32();
|
||||||
|
uint data = methodsDataReader.ReadUInt32();
|
||||||
|
peImage.write(rva, BitConverter.GetBytes(data));
|
||||||
|
}
|
||||||
|
while (methodsDataReader.BaseStream.Position < methodsData.Length - 1) {
|
||||||
|
uint rva = methodsDataReader.ReadUInt32();
|
||||||
|
uint token = methodsDataReader.ReadUInt32();
|
||||||
|
int size = methodsDataReader.ReadInt32();
|
||||||
|
if (size > 0)
|
||||||
|
peImage.write(rva, methodsDataReader.ReadBytes(size));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
for (int i = 0; i < patchCount; i++) {
|
||||||
|
uint rva = methodsDataReader.ReadUInt32();
|
||||||
|
uint data = methodsDataReader.ReadUInt32();
|
||||||
|
peImage.write(rva, BitConverter.GetBytes(data));
|
||||||
|
}
|
||||||
|
int count = methodsDataReader.ReadInt32();
|
||||||
|
while (methodsDataReader.BaseStream.Position < methodsData.Length - 1) {
|
||||||
|
uint rva = methodsDataReader.ReadUInt32();
|
||||||
|
uint token = methodsDataReader.ReadUInt32();
|
||||||
|
int size = methodsDataReader.ReadInt32();
|
||||||
|
if (size > 0)
|
||||||
|
peImage.write(rva, methodsDataReader.ReadBytes(size));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return fileData;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
bool isResourceString(IList<string> strings) {
|
void initXorKey() {
|
||||||
foreach (var s in strings) {
|
useXorKey = false;
|
||||||
if (DotNetUtils.getResource(module, s) != null)
|
|
||||||
return true;
|
var instructions = encryptedResource.ResourceDecrypterMethod.Body.Instructions;
|
||||||
|
for (int i = 0; i < instructions.Count - 1; i++) {
|
||||||
|
if (instructions[i].OpCode.Code != Code.Ldind_I8)
|
||||||
|
continue;
|
||||||
|
var ldci4 = instructions[i + 1];
|
||||||
|
if (!DotNetUtils.isLdcI4(ldci4))
|
||||||
|
continue;
|
||||||
|
|
||||||
|
xorKey = DotNetUtils.getLdcI4Value(ldci4);
|
||||||
|
useXorKey = true;
|
||||||
|
return;
|
||||||
}
|
}
|
||||||
return false;
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue
Block a user